17.9 C
Karachi
Monday, January 30, 2023

CCNA 200-301 – Cisco Switch Basic Configuration

In this article, we will see how to do basic configuration on a brand new Cisco Switch using a command-line interface (CLI).

Setting up the Lab Environment

For demonstration, we have set up a small lab in Cisco Packet Tracer that includes a Hub and Cisco Switch 2960.

ccna-basic-device-configuration-switch
Basic Device Configuration Cisco Switch

Cisco Switch CLI

Cisco IOS defines an interface for humans called CLI. The switch CLI can be accessed through three methods – Console, Telnet, and SSH. The console is the physical port built specially to allow access to the CLI. On the other hand, Telnet and SSH use the IP Network to reach the switch CLI.

ccna-200-301-cli-access-options
CLI Access Options

User and Privileged Modes

Cisco devices have different CLI levels where users can execute different commands. The first level is User Exec Mode also called User Mode where you can only execute basic commands i.e system status commands. Secondly, we have privileged EXEC mode or Enable mode, which is more powerful.

ccna-user-mode-privileged-mode-cisco-switch
User Mode and Privileged Mode

In enable mode, you can use some more advanced commands and also enter into configuration mode.

ccna-cli-configuration-mode-versus-exec-modes
CLI Configuration Mode Versus EXEC Mode

Configuring IP Address of All PCs

First of all, we need to configure the IP Address of all PCs shown in the diagram above. We have chosen network address 192.168.1.0, so the IP address will be assigned accordingly.

Click on PC0>Desktop>IP Configuration, input IP Address and Subnet Mask, and repeat the same for PC1, PC2, PC3, and Laptop1.

Configuring Hostname on Cisco Switch

Click on Switch0>CLI and write the following commands. Enter command one per line and press Enter move to the next command.

In switch CLI, the symbol “>” followed by the hostname means that the user is in User Mode. While the symbol “#” followed by the hostname means that the user is in Enable Mode.

Switch>enable
Switch#configure terminal
Switch(config)#hostname GULRAIZ
GULRAIZ(config)#exit
GULRAIZ#

After running the above commands successfully, we will note that the hostname has been changed from default “Switch” to “GULRAIZ“.

packet-tracer-hostname-cisco-switch
Cisco Switch Hostname

Setting up Logon Banner on Cisco Switch

A banner is a message that is presented to a user who is using the Cisco switch.

GULRAIZ#configure terminal
GULRAIZ(config)#banner motd %
Enter TEXT message.  End with the character '%'.
***********************************************
GULRAIZGULSHAN.COM
***********************************************
%
GULRAIZ(config)#exit
GULRAIZ#

We demonstrate how to set Message Of The Day (MOTD) that displays a message when a user connects with the switch.

packet-tracer-banner
Switch Banner

Securing User/Privileged Mode using Passoword

By default, Cisco switches allow full access from the console but no access via Telnet or SSH. That means a console user can move into user mode then enable with no password required.

In production, secure access through console or remote via Telnet/SSH is required. We can set console password, telnet password (vty password), and enable password.

ccna-simple-password-security-configuration
Simple Password Security Configuration

Setting up Console Password on Cisco Switch

The switch we are configuring has only one console port i.e console 0.

GULRAIZ#configure terminal
GULRAIZ(config)#line console 0
GULRAIZ(config-line)#password gulraiz
GULRAIZ(config-line)#login
GULRAIZ(config-line)#exit
GULRAIZ(config)#exit
GULRAIZ#

Once you set up a console password, you will need to input a password to move into the console now.

ccna-console-password-verification
Console Password Verification

Setting up VTY Password on Cisco Switch

The switch in this example has 16 vty lines that can be configured for telneting/SSH. By (vty 0 15), we mean vty lines numbered 0 through 15.

GULRAIZ#configure terminal
GULRAIZ(config)#line vty 0 15
GULRAIZ(config-line)#password gulshan
GULRAIZ(config-line)#login
GULRAIZ(config-line)#exit
GULRAIZ(config)#exit
GULRAIZ#

Setting up Enable Password on Cisco Switch

GULRAIZ#configure terminal
GULRAIZ(config)#enable password cisco
GULRAIZ(config)#exit
GULRAIZ#
ccna-200-301-enable-password
Enable Password

Now when we see the configuration file by issuing a command “show running-config”, we see that the enable password is a clear text. Alternatively, we can set a secret, that will encrypt the password phrase.

Setting up Enable Secret on Cisco Switch

If you have already set enable password then the enable secret phrase should be different from the enable password phrase.

GULRAIZ#configure terminal
GULRAIZ(config)#enable secret cisco123
GULRAIZ(config)#exit
GULRAIZ#

Now you can see that the secret phrase is showing as encrypted text in the running-configuration file. Also, note that the secret has precedence over the password which means you will need to provide the secret to accessing enable mode i.e cisco123.

ccna-200-301-enable-secret
Enable Secret

Encrypting Enable/Console Password

We can also encrypt the enable and console password by using

GULRAIZ#configure terminal
GULRAIZ(config)#service password-encryption
GULRAIZ(config)#exit
GULRAIZ#

Now you can see that enable and console password has been encrypted too.

Allowing Only One Virtual Connection

There are 16 virtual or vty lines at our disposal which means 16 people can start telnet/SSH sessions simultaneously. What if we want that only person can telnet/SSH while blocking the rest of the vty lines from telneting? Yes, we can do this.

Below we demonstrate that we allow only vty line 0 for remote connection and block vty lines from 1 through 15. In other words, only one person can establish a remote connection with a switch at a time.

GULRAIZ#configure terminal
GULRAIZ(config)#line vty 0
GULRAIZ(config-line)#password gulshan
GULRAIZ(config-line)#login
GULRAIZ(config-line)#exit
GULRAIZ(config)#line vty 1 15
GULRAIZ(config-line)#no password
GULRAIZ(config-line)#login
GULRAIZ(config-line)#exit
GULRAIZ(config)#exit
GULRAIZ#

Setting Up Management IP to Cisco Switch for Telneting/SSH

Until now we have configured a vty password for remote connections like telnet/SSH. But, we can not actually start any remote session with the switch unless we set a management IP.

As we know that switch is a layer2 device, so we can not assign any IP to any physical port of the switch. But we can assign an IP address to the virtual interface (VLAN) of the switch that comes configured with the switch.

By issuing the “show ip interface brief” command in enable mode, we can see a virtual port “Vlan1” which is where we assign management IP.

ccna-show-ip-interface-brief
Show IP Interface Brief Command

Assigning IP to Cisco Switch VLAN

GULRAIZ#configure terminal
GULRAIZ(config)#interface vlan 1
GULRAIZ(config-if)#ip address 192.168.1.100 255.255.255.0
GULRAIZ(config-if)#no shutdown
GULRAIZ(config-if)#exit
GULRAIZ(config)#exit
GULRAIZ#exit

Now we can see that management IP has been assigned to the Vlan1 Interface of the switch and the switch is ready for remote connection or telnet.

ccna-show-ip-interface-brief-management-ip
Switch VLAN and Management IP

Telnetting to Cisco Switch

Suppose we want to start a telnet session from PC0 to Switch. First of all, we will verify the connection by pinging from PC to switch; if we get a reply, all is set go.

ccna-200-301-pinging-from-pc-to-management-ip-switch
Pinging from PC to Switch (Management IP)

As we get a reply from the switch, now we will start the telnet session.

ccna-200-301-telnet
Telnet from PC to Switch

After providing that we set earlier i.e gulshan, we will log in to switch CLI as shown below.

Configuring SSH to Cisco Switch

We need to set the following to configure SSH on the switch.

1) Hostname

2) Domain Name

3) Secure Key

4) SSH version 2

5) Create User

6) Allow SSH

GULRAIZ#configure terminal
GULRAIZ(config)#ip domain-name gulraizgulshan.com
GULRAIZ(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
GULRAIZ(config)#ip ssh version 2
GULRAIZ(config)#username admin password admin
GULRAIZ(config)#line vty 0 15
GULRAIZ(config-line)#login local
GULRAIZ(config-line)#transport input ssh
GULRAIZ(config-line)#exit
GULRAIZ(config)#exit
GULRAIZ#

Starting up SSH Session to Cisco Switch

To verify the configuration, you can start the SSH session by issuing the following command:

ssh -l admin 192.168.100

Save and verify configuration file to NVRAM

The command shown below will save all running configurations to the start-up configuration. By doing this, all configurations retain while you reboot the device.

GULRAIZ#copy running-config startup-config
GULRAIZ#

Erase NVRAM/Start-up configuration

GULRAIZ#erase startup-config

OR

GULRAIZ#write erase
Gulraeez Gulshan
Gulraeez Gulshan
I am an engineer, programmer, tech-savvy professional, and very passionate about the latest technologies for the modern web, mobile, cloud-native, machine learning, and network automation. I have a bachelor's degree in Electronics Engineering and a Master's degree in Computer Science and Information Technology from a renowned university in Pakistan. I have not limited myself to a certain set of skills in this era where technology is in a state of flux; I have experience working with an extensive range of technologies and learning daily to update my skills and adapt to the latest technologies

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles