Basic Cisco switch configuration

All switches are OSI Layer 2 devices that forward frames based on MAC addresses.
Modern switches are manageable and support features that plain, old-fashioned switches lack.
These features include TCP/IP applications such as ping, telnet and traceroute.
For example, if you want to telnet to or ping a switch, the switch must have an IP address configured.


1) Resetting Catalyst Switches to Factory Defaults
Cat2950# write erase
Erasing the nvram filesystem will remove all files! Continue? [confirm]y[OK]
Erase of nvram: complete
Cat2950# reload

2) Reset VLAN Information
To reset the VLAN information to the factory defaults, delete the vlan.dat file from the Flash or NVRAM and reload the switch.
On the 6500/6000 series switches running Cisco IOS Software, the vlan.dat file is stored in const_nvram
erase const_nvram:
On the 4500/4000 series switches running Cisco IOS Software, the vlan.dat file is stored in cat4000_flash:
erase cat4000_flash:
On the 2940, 2950/2955, 2970, 3550, 3560, 3750, and 2900XL/3500XL fixed configuration switches, the vlan.dat file is stored in flash:.
delete flash:vlan.dat

Default Switch Information

Feature                               Default Setting
------------------------------------  --------------------------------------------------
IP address and subnet mask            No IP address or subnet mask are defined.
Default gateway                       No default gateway is defined.
Enable secret password                No password is defined.
Host name                             The factory-assigned default host name is Switch.
Telnet password                       No password is defined.
Cluster command switch functionality
Cluster name                          No cluster name is defined.


1) Configure the hostname (switch name)
Switch1(config)#hostname Switch2011

2) Configure password encryption
Switch2011(config)#service password-encryption

3) Configure the privileged EXEC password
Switch2011#configure terminal
Switch2011(config)#enable secret m3gapassw0rd

4) Configure the Telnet line (VTY) and console passwords and require login on those lines:
Switch2011#config t
Switch2011(config)#line vty 0 15
Switch2011(config-line)#password cisco
Switch2011(config-line)#login
Switch2011(config-line)#line con 0
Switch2011(config-line)#password cisco
Switch2011(config-line)#login

5) View and configure the speed and duplex of an interface
Switch2011# show interface gigabitEthernet 1/0/3
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
Switch2011(config)# interface gigabitEthernet 1/0/3
Switch2011(config-if)# speed 100
Switch2011(config-if)# duplex half
When you set speed or duplex manually, the device on the other end of the link must be set the same way; a mismatch (one side half, the other full) produces errors and very poor throughput.

If you want to be able to manage your switch remotely over the network, your switch needs an IP address.
On a router we configure the IP address on the physical interface;
on a switch, however, the physical interfaces run at Layer 2 and therefore have no IP addresses configured on them.

If your switch has multiple VLANs configured, and you want to be able to manage the switch from each VLAN, the switch requires an IP address on a VLAN interface (logical interface of the switch) in each VLAN.

1) To be able to manage your switch, even if all ports are left in the default VLAN 1, you still need to configure an IP address on the "vlan 1" switch interface, which is, of course, in VLAN 1.
Switch2011# conf t
Switch2011(config)# interface vlan 1
Switch2011(config-if)# ip address <ip-address> <subnet-mask>
Switch2011(config-if)# no shut
Switch2011(config-if)# exit

2) Define a default gateway for this switch.
A switch does not have to have a default gateway configured.
However, if you want to be able to communicate with your switch from another subnet,
you need to configure a default gateway on the switch so it knows which router on its local LAN to send traffic for other subnets to.
Switch2011(config)# ip default-gateway <gateway-ip>


View the switch MAC address table aging time and capacity
SW01-SC#sh mac address-table  aging-time
Global Aging Time:  300
Vlan    Aging Time
----    ----------
 ALL      300
SW01-SC#sh mac address-table  count
Mac Entries for Vlan 1:
Dynamic Address Count  : 2
Static  Address Count  : 0
Total Mac Addresses    : 2

Total Mac Address Space Available: 8188

1) Configure port security
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config)#interface fa0/11
SW1(config-if)#switchport port-security

2) Configure the maximum number of MAC addresses
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1

3) Configure the port to add the MAC address to the running configuration.
The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky

4) Configure the port to automatically shut down if port security is violated
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown

SW1#show mac-address-table
    Mac Address Table
    Vlan Mac Address Type Ports
    ---- ----------- -------- -----
    20 0060.5c4b.cd22 STATIC Fa0/11
SW1#show port-security interface fa0/11
    Port Security : Enabled
    Port Status : Secure-shutdown
    Violation Mode : Shutdown
    Aging Time : 0 mins
    Aging Type : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses : 1
    Total MAC Addresses : 1
    Configured MAC Addresses : 1
    Sticky MAC Addresses : 0
    Last Source Address:Vlan : 00E0.F7B0.086E:20
    Security Violation Count : 1

5) How to secure unused ports
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access.
Disabling an unused port stops traffic from flowing through it.

Disable interface Fa0/10 on SW1:
    SW1(config)#interface fa0/10
    SW1(config-if)#shutdown

Disable interfaces Fa0/1 to Fa0/24 on SW1:
    SW1(config)#interface range fa0/1-24
    SW1(config-if-range)#shutdown
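To verify that the port-security steps above and the shutdown of unused ports (step 5) were actually applied everywhere, here is an added Python audit script; it is not part of the original post, and the running-config excerpt it checks is constructed for the example.

```python
import re
# Constructed running-config excerpt (sample data for this example, not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 5
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
!
"""
# The hardening steps from the text, as the exact lines expected on every active access port.
REQUIRED = [
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security mac-address sticky",
    "switchport port-security violation shutdown",
]

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def audit(config):
    """Return {interface: [findings]}; administratively shut-down ports pass (step 5)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue
        if "switchport port-security" not in lines:
            findings[name] = ["port-security not enabled (or unused port not shut down)"]
            continue
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Feed it the output of `show running-config` from a real switch to get a per-port list of missing hardening lines.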
Troubleshoot port-security violations

The violation mode decides what the switch does when a violation occurs:
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
restrict  - no new MAC learned, NO syslog notification
protect   - no new MAC learned, syslog notification
shutdown  - no new MAC learned, syslog notification, shutdown port

Test with macof tool, then check the switch:
SW01-SC#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1              5            0              13864         Shutdown
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Protect mode output:
01:27:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aad5.402a.ffdc on port FastEthernet0/1.
01:27:19: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 686d.4b40.2a90 on port FastEthernet0/1.
Shutdown mode output:
SW01-SC#show interfaces status err-disabled
Port      Name               Status       Reason
Fa0/1                        err-disabled psecure-violation
Recover the port automatically:
SW01-SC(config)#errdisable recovery cause psecure-violation
SW01-SC(config)#do show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Enabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
loopback             Disabled

Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Fa0/1        psecure-violation    231

If errdisable recovery is not enabled for the cause, a port in the errdisable state stays down until an administrator intervenes: access the switch and configure the specific port with 'shutdown' followed by the 'no shutdown' command.
SW01-SC(config)#interface fa0/1
SW01-SC(config-if)#shutdown
SW01-SC(config-if)#no shutdown
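The %PORT_SECURITY-2-PSECURE_VIOLATION messages shown above are what a syslog collector sees, so here is an added Python detector, not part of the original post, that parses such lines and flags a port where many distinct MAC addresses violate within a short window (the pattern a MAC-flood leaves behind) while ignoring a single host that simply keeps retrying. The log lines, timestamps and MAC addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed syslog sample in the %PORT_SECURITY-2-PSECURE_VIOLATION format shown above
# (timestamps and MAC addresses are made up for this example).
SAMPLE_LOG = """\
01:27:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aad5.402a.ffdc on port FastEthernet0/1.
01:27:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 686d.4b40.2a90 on port FastEthernet0/1.
01:27:16: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
01:27:19: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
01:30:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.5c4b.cd22 on port FastEthernet0/7.
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d): %PORT_SECURITY-2-PSECURE_VIOLATION: .*"
    r"caused by MAC address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) on port (\S+)\.$"
)

def parse_violations(log):
    """Return a list of (seconds since midnight, mac, port) for each violation line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, mac, port = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), mac.lower(), port))
    return events

def flooding_ports(log, window=60, threshold=3):
    """Return {port: distinct MAC count} for ports where at least `threshold` distinct
    MACs caused violations within any `window`-second span. One host retrying with the
    same MAC does not trigger; many different source MACs on one port do."""
    per_port = defaultdict(list)
    for ts, mac, port in parse_violations(log):
        per_port[port].append((ts, mac))
    flagged = {}
    for port, evs in per_port.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            macs = {mac for ts, mac in evs[i:] if ts - start <= window}
            if len(macs) >= threshold:
                flagged[port] = max(flagged.get(port, 0), len(macs))
    return flagged
```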

1) Configure and test the MOTD (message-of-the-day) banner
2) PortFast
Almost 100% of Cisco switches impose a 50 second delay on a port before it goes live. This means that when you plug a new device such as a PC into a switch, there is a 50 second delay before the port becomes active and the PC can send and receive data. The delay exists because the switch is running through the spanning tree process, confirming that plugging in the new device has not created a loop on the network.

If you are certain that plugging certain types of devices into your switch will not create loops,
you can force the port to go live immediately rather than waiting the 50 second default.
Enable PortFast only on access ports that connect to end hosts, never on a port that faces another switch.
Switch2011# conf t
Switch2011(config)# interface fastethernet 0/10
Switch2011(config-if)# switchport mode access
Switch2011(config-if)# switchport access vlan 10
Switch2011(config-if)# spanning-tree portfast

