Cisco - easy config setup

Giang L. Nguyen

December 14, 2019

Cisco is famous for the quality of their network equipment, and I have been interested in their hardware since 2006, when I moved down to Oslo to study at Noroff. I remember seeing the Cisco brand everywhere: in movies with their phones, at school in the distribution rooms, and in datacenters with their switches.

I do have a CCNA certification, though it has expired, but I'm going to go down the Cisco road again and try to get at least the CCNP R&S by the end of next year, 2020.

In this post, I'll configure a switch with a minimal baseline configuration through the console port and try to explain why each step is there.

Hardware

Wizard or do it manually?

When you boot up a new switch, it asks whether you want to start the setup wizard, which walks through the configuration items Cisco considers relevant. I won't use it: it takes longer to go through all the questions, it covers functions I'm not going to use, and it gives less control over exactly what ends up in the configuration.

The first thing to do is set the hostname, then the enable secret and the console password. Until these are in place, anyone with a console cable has full control of the switch, and IOS refuses remote logins on lines that have no password configured at all.

Router> enable
# enter privileged EXEC mode
Router# configure terminal
# enter global configuration mode
Router(config)# hostname bedroomswitch
# set the name of your switch; the prompt changes immediately
bedroomswitch(config)# enable secret thisenablespass
# protects privileged mode; 'enable secret' stores a hash, whereas 'enable password' stores it reversibly
bedroomswitch(config)# line con 0
bedroomswitch(config-line)# password 0 consolepassword
bedroomswitch(config-line)# login
# 'login' makes the console actually prompt for the password; without it the password line is ignored

Next, enable SSH and disable telnet to secure management access to the switch. We will also add an access-list so that only hosts on the management subnet can reach the VTY lines at all.

Let's continue, still in configuration mode.

bedroomswitch(config)# username localuser privilege 15 secret somerandompassword
# local admin account with the highest privilege level; 'secret' stores a salted hash instead of a reversible type 7 string
bedroomswitch(config)# ip domain-name local.lan
# a domain name is required before the RSA host key can be generated
bedroomswitch(config)# no ip domain-lookup
# stop the CLI from trying to resolve mistyped commands as hostnames
bedroomswitch(config)# crypto key generate rsa modulus 2048
# generate the SSH host key; 2048 bits is the sensible minimum, use 4096 if the platform supports it
bedroomswitch(config)# ip ssh version 2
# accept SSH version 2 only; the default "1.99" means both v1 and v2 are offered
bedroomswitch(config)# ip access-list standard MGMT-VTY
# access-list that decides which sources may open an SSH session
bedroomswitch(config-std-nacl)# permit 10.0.0.0 0.0.0.255
# only the 10.0.0.0/24 management subnet; everything else hits the implicit deny at the end
bedroomswitch(config-std-nacl)# exit
bedroomswitch(config)# line vty 0 15
# configure all 16 virtual terminal lines in one go (vty 0 4 and vty 5 15)
bedroomswitch(config-line)# access-class MGMT-VTY in
# apply the access-list to inbound sessions; without this the list is defined but never used
bedroomswitch(config-line)# transport input ssh
# allow SSH, but no telnet
bedroomswitch(config-line)# login local
# authenticate against the local 'localuser' account we added earlier
bedroomswitch(config-line)# exec-timeout 10 0
# drop idle sessions after 10 minutes so a forgotten terminal is not an open door

To be able to connect to the switch, we need to give it an IP address and put the GigabitEthernet uplink into the right VLAN. VLAN 1 is the default VLAN that every port starts in, so we use VLAN 2 for management instead of relying on that default.

bedroomswitch(config)# vlan 2
# creates VLAN 2 in the VLAN database
bedroomswitch(config-vlan)# interface vlan 2
# creates the SVI (switch virtual interface) for VLAN 2 and starts configuring it
bedroomswitch(config-if)# ip address 10.0.0.2 255.255.255.0
# management address of the switch
bedroomswitch(config-if)# ip helper-address 10.0.0.1
# relays DHCP/BOOTP broadcasts arriving on VLAN 2 to 10.0.0.1; only useful when the DHCP server is outside VLAN 2, with the server on the same subnet it does nothing
bedroomswitch(config-if)# interface GigabitEthernet0/1
# the uplink port towards the gateway
bedroomswitch(config-if)# switchport access vlan 2
# put the port in VLAN 2
bedroomswitch(config-if)# switchport mode access
# plain access port, no trunk negotiation (DTP) on the uplink
bedroomswitch(config-if)# exit
bedroomswitch(config)# ip default-gateway 10.0.0.1
# default gateway for a layer-2 switch; 'ip route 0.0.0.0 0.0.0.0 10.0.0.1' is the equivalent only when 'ip routing' is enabled

Now set up the ports you want to use on this network. We put ports 1 to 3 into VLAN 2 and shut down the rest as a security measure, so nothing plugged into an unused port gets a link. Finally, save the configuration; the running config is lost at the next reboot otherwise.

bedroomswitch(config)# interface range fa0/1 - 3
bedroomswitch(config-if-range)# switchport mode access
bedroomswitch(config-if-range)# switchport access vlan 2
bedroomswitch(config-if-range)# interface range fa0/4 - 8
# unused ports: shut them down so nothing can be connected unnoticed
bedroomswitch(config-if-range)# shutdown
bedroomswitch(config-if-range)# end
bedroomswitch# copy running-config startup-config
# save, or the whole configuration is gone at the next reboot

Security

On a new switch or router, the passwords you type are stored in the configuration in plain text, so anyone who can read the config (show running-config, a backup, a TFTP copy) has them. service password-encryption replaces them with type 7 strings. Type 7 is a fixed-key XOR obfuscation, not real encryption; there are tools everywhere online to reverse it, so it only delays someone who already has the config. Use enable secret and username ... secret wherever IOS offers a secret form, and treat the line passwords (which only support type 7) as the remaining weak spot.

Under configuration mode, use service password-encryption.

You may also want to turn off the web interface, since it is enabled by default on many platforms and is one more service exposed to anyone who can reach the management address.

no ip http server
no ip http secure-server
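The checks from the SSH/VTY section and the two points above (type 7 obfuscation, web interface) are the kind of thing worth running over a saved running-config before the switch goes on the network. The script below is an added example, not code from the original post: it decodes type 7 strings to show why service password-encryption is only a delay, and audits a config for enable password, cleartext or type 7 user passwords, VTY lines that still accept telnet or have no access-class, the HTTP server, and a management address on VLAN 1. The two config texts embedded in it are constructed for the demo (the hostname, users, addresses and the hash value are made up).

```python
"""Audit a Cisco IOS running-config for the weak settings discussed in this post.

Added example, not part of the original post. SAMPLE_CONFIG and HARDENED_CONFIG
are constructed for this demo; the usernames, addresses and hash are made up.
"""
import re

# Fixed XOR key behind "service password-encryption" (type 7). It is public,
# which is why type 7 only delays an attacker who already holds the config.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Two decimal digits of seed, then one hex byte per character XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        out.append(int(encoded[pos:pos + 2], 16) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
    return out.decode("ascii")


def encode_type7(plain: str, seed: int = 9) -> str:
    """Forward direction, used here only to build a realistic sample config."""
    body = "".join(f"{ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def _sections(lines, prefix):
    """Yield (header, indented body lines) for each top-level block starting with prefix."""
    i = 0
    while i < len(lines):
        if lines[i].startswith(prefix):
            header, body, i = lines[i], [], i + 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means all checks passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    for ln in lines:
        m = re.match(r"enable password (?:(7|0) )?(\S+)$", ln)
        if m:
            shown = f" (type 7 decodes to {decode_type7(m.group(2))!r})" if m.group(1) == "7" else ""
            findings.append("enable password used instead of enable secret" + shown)
        m = re.match(r"username (\S+) .*\bpassword (?:(7|0) )?(\S+)$", ln)
        if m:
            user, kind, val = m.groups()
            shown = f" (type 7 decodes to {decode_type7(val)!r})" if kind == "7" else " (cleartext)"
            findings.append(f"user {user}: password instead of secret" + shown)
    for header, body in _sections(lines, "line "):
        for b in body:  # line passwords only support type 0 or 7, so flag cleartext only
            m = re.match(r"password (?:(7|0) )?(\S+)$", b)
            if m and m.group(1) != "7":
                findings.append(f"{header}: cleartext password; service password-encryption is off")
        if header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if not transport or transport[0] != "transport input ssh":
                findings.append(f"{header}: transport input is not 'ssh' only")
            if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
                findings.append(f"{header}: no inbound access-class")
    if "ip http server" in lines:
        findings.append("HTTP management interface enabled")
    if "ip http secure-server" in lines:
        findings.append("HTTPS management interface enabled")
    for header, body in _sections(lines, "interface Vlan1"):
        if header == "interface Vlan1" and any(b.startswith("ip address ") for b in body):
            findings.append("management address on default VLAN 1")
    return findings


# Constructed "before" config: what the switch looks like with the weak choices.
SAMPLE_CONFIG = f"""\
hostname bedroomswitch
enable password 7 {encode_type7("thisenablespass", 9)}
username localuser privilege 15 password 7 {encode_type7("somerandompassword", 2)}
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
line con 0
 password 0 consolepassword
 login
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-VTY in
 transport input ssh
 login local
ip http server
no ip http secure-server
"""

# Constructed "after" config with the fixes from this post (hash value is made up).
HARDENED_CONFIG = f"""\
hostname bedroomswitch
enable secret 5 $1$abcd$constructedhashvalue
username localuser privilege 15 secret 5 $1$abcd$constructedhashvalue
interface Vlan2
 ip address 10.0.0.2 255.255.255.0
line con 0
 password 7 {encode_type7("consolepassword", 3)}
 login
line vty 0 15
 access-class MGMT-VTY in
 transport input ssh
 login local
no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WEAK:", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run it as is and the "before" config produces seven findings, including the recovered plaintext of both type 7 strings; the hardened config produces none. Feed it `show running-config` output saved to a file to check a real switch.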

Extra

NTP

Set up NTP so that log timestamps are in sync with real time; otherwise they start from whatever the switch's default clock happens to be and are useless when correlating events. You can configure multiple servers. Since I live in Oslo, I take addresses from no.pool.ntp.org. Setting the correct timezone is also relevant, or the local timestamps will be off. All of this is done from configuration mode.

ntp server 192.36.143.130
ntp server 193.150.22.36
ntp server 162.159.200.123
ntp server 139.112.153.37
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone CET 1
# Oslo is UTC+1 (CET); the zone name is a label, the offset is what matters
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
# daylight saving, so summer timestamps are not an hour off

MOTD

Always add a login banner and a message of the day stating that access is for authorized users only. It stops nobody technically, but it removes any claim that the intruder did not know the system was private, and many policies require it.

banner login &
Access for authorized users only. Please enter your username and password.
&
banner motd &
***********************************************************
This is a private switch
Access for authorized personnel only
***********************************************************
&

VTP

I always turn VTP off. In server or client mode a switch in the same VTP domain with a higher configuration revision number can overwrite our VLAN database, and as a server we could just as easily push our VLANs onto other switches. Transparent mode means the switch neither learns VLANs from VTP advertisements nor lets them replace its own.

vtp mode transparent

Some word

I really do hope you like my mini-guide on how to set up a Cisco switch. I'll try to provide more posts like this on my road to the CCNP certification.