
Table of Contents
- Connecting to the Switch Console
- Initial Configuration Setup
- VLAN Configuration
- Configure IP Address for Management
- Enable Secure Shell (SSH) for Secure Remote Management
- Configure Spanning Tree Protocol (STP) to Prevent Loops
- Configuring Quality of Service (QoS) for Traffic Prioritisation
- Configuring Access Control Lists (ACLs) for Security
- Enabling DHCP Snooping for Security
- Configuring Port Security to Prevent Unauthorised Access
- Enabling Link Aggregation for High Availability
- Configuring Simple Network Management Protocol (SNMP) for Network Monitoring
- Implementing Network Time Protocol (NTP) for Synchronisation
- Setting Up Syslog for Centralised Logging
- Configuring NetFlow for Traffic Analysis
- Applying Advanced Security Features
- Multicast Routing: Efficient Streaming & Broadcast Traffic
- Configuring Redundancy with Hot Standby Router Protocol (HSRP)
- Configuring Private VLANs for Enhanced Security
- Configuring Storm Control to Prevent Broadcast Floods
- Configuring 802.1X Port-Based Authentication
- Configuring Virtual Router Redundancy Protocol (VRRP) for Redundant Gateways
- Saving Configuration and Verifying Setup
- Final Steps: Review & Documentation
When setting up a new network switch, it’s crucial to configure it properly for security, management, and performance. This guide provides step-by-step CLI commands, including verification steps after each configuration.
Connecting to the Switch Console
Step-by-Step Process
- Use a console cable (RJ45-to-DB9 or USB-to-Serial) to connect your PC/Laptop to the switch’s console port.
- Open a terminal emulator (e.g., PuTTY, Tera Term, SecureCRT) and set the following parameters:
  - Baud rate: 9600
  - Data bits: 8
  - Parity: None
  - Stop bits: 1
  - Flow control: None
- Click Connect or press Enter after opening the terminal.
Access the Switch CLI
- Press Enter to enter User EXEC mode (the > prompt).
- Type enable to enter Privileged EXEC mode (the # prompt appears).
Verify Console Connection
show version
show running-config
Ensure the switch responds and displays its current configuration.
Initial Configuration Setup
Set a Hostname
configure terminal
hostname MySwitch
exit
Verify Hostname
show running-config | include hostname
Ensure the hostname is correctly set.
Secure Console Access
configure terminal
line console 0
password Cisco123
login
exit
Verify Console Security
show running-config | section line console
Ensure the password is applied.
Secure VTY Lines (Remote Access via SSH/Telnet)
configure terminal
line vty 0 4
password RemotePass
login
exit
Verify VTY Security
show running-config | section line vty
Ensure remote access security is configured.
Create a Strong Enable Password
configure terminal
enable secret SuperSecurePassword
exit
Verify Enable Password
show running-config | include enable secret
Ensure the password is encrypted.
Disable Unused Ports (Security Best Practice)
configure terminal
interface range GigabitEthernet0/2 - 24
shutdown
exit
Verify Port Shutdown
show interfaces status
Ensure unused ports are administratively down. When a port in this range is later put into service (the access and trunk ports configured below, for example), re-enable it with no shutdown.
VLAN Configuration
Creating VLANs and Assigning Ports
configure terminal
vlan 10
name Management_VLAN
vlan 20
name Sales_VLAN
exit
Verify VLAN Creation
show vlan brief
Ensure VLANs exist and are correctly named.
Assign VLANs to Specific Ports
configure terminal
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
exit
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 20
exit
Verify VLAN Assignment
show interfaces GigabitEthernet0/1 switchport
show interfaces GigabitEthernet0/2 switchport
Ensure ports are correctly assigned to VLANs.
Configure the Trunk Port (For Inter-VLAN Communication)
configure terminal
interface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 10,20
exit
Verify Trunk Configuration
show interfaces GigabitEthernet0/24 trunk
Ensure the trunk allows correct VLANs.
Configure IP Address for Management
Assign an IP to the VLAN Interface
configure terminal
interface vlan 10
ip address 192.168.1.1 255.255.255.0
no shutdown
exit
Verify IP Assignment
show ip interface brief
Ensure VLAN 10 has the correct IP address.
Configure Default Gateway
configure terminal
ip default-gateway 192.168.1.254
exit
Verify Default Gateway
show ip route
Ensure the default gateway is set.
Enable Secure Shell (SSH) for Secure Remote Management
Generate RSA Keys for SSH
configure terminal
! a hostname and a domain name must exist before the key pair can be generated; example domain
ip domain-name example.local
crypto key generate rsa modulus 2048
exit
Verify RSA Key Generation
show crypto key mypubkey rsa
Ensure keys exist for SSH.
Set SSH Version
configure terminal
ip ssh version 2
exit
Verify SSH Version
show ip ssh
Ensure SSH v2 is enabled.
Define a Local Username for SSH Authentication
configure terminal
username admin secret SecureAdminPassword
exit
Verify Local User
show running-config | include username
Ensure admin user exists.
Apply SSH Access to VTY Lines
configure terminal
line vty 0 4
transport input ssh
login local
exit
Verify SSH Access
show running-config | section line vty
Ensure only SSH is allowed.
Configure Spanning Tree Protocol (STP) to Prevent Loops
Enable Rapid Spanning Tree Protocol (RSTP)
configure terminal
spanning-tree mode rapid-pvst
exit
Verify STP Mode
show spanning-tree summary
Ensure RSTP is active.
Set Root Bridge Priority
configure terminal
spanning-tree vlan 10 priority 4096
spanning-tree vlan 20 priority 8192
exit
Verify Root Bridge Priority
show spanning-tree vlan 10
show spanning-tree vlan 20
Ensure correct priority settings: the value must be a multiple of 4096, and the switch with the lowest priority wins the root election for that VLAN.
Enable PortFast on Edge Ports (Prevent Slow Booting)
interface GigabitEthernet0/5
spanning-tree portfast
exit
Verify PortFast
show running-config | include spanning-tree portfast
Ensure PortFast is enabled on the correct ports.
Configuring Quality of Service (QoS) for Traffic Prioritisation
QoS ensures critical network traffic like voice, video, and business applications get priority over regular traffic.
Enable QoS Globally
mls qos
Configure Interface Trust Levels
Assign trust levels to ports that handle priority traffic (e.g., VoIP).
interface GigabitEthernet0/1
mls qos trust dscp
exit
Set Up Traffic Classification & Prioritisation
Create access lists to classify important traffic.
access-list 101 permit ip any any dscp ef
class-map match-any VOIP_TRAFFIC
match access-group 101
exit
policy-map QOS_POLICY
class VOIP_TRAFFIC
priority percent 30
exit
interface GigabitEthernet0/1
service-policy input QOS_POLICY
exit
For a detailed guide on QoS for VoIP, check out this Cisco resource.
Configuring Access Control Lists (ACLs) for Security
ACLs filter traffic to protect the network from unauthorised access. Entries are evaluated top to bottom, the first match wins, and anything that matches no entry hits the implicit deny at the end of every ACL.
Example: Block Traffic from a Specific IP Range
access-list 102 deny ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip any any
interface vlan 10
ip access-group 102 in
exit
Example: Restrict SSH Access to Trusted IPs
access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 110 deny ip any any
line vty 0 4
access-class 110 in
exit
A wildcard mask of 0.0.0.255 admits the whole 192.168.1.0/24; to allow a single management station instead, write host 192.168.1.100 (wildcard 0.0.0.0).
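To make the wildcard-mask behaviour concrete, here is an added Python example (not part of the guide) that evaluates extended-ACL entries the way the switch does, using ACLs 102 and 110 above: a 0.0.0.255 wildcard admits the whole 192.168.1.0/24 whatever host bits are written in the address, while a 0.0.0.0 wildcard (host) admits one station. The Ace class and the evaluate function are this example's own names.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol; otherwise "tcp"/"udp"
    src: str                        # source address as written in the entry
    src_wild: str                   # wildcard mask: 0 bits must match, 1 bits are ignored
    dst_port: Optional[int] = None  # destination port; None means any

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    # Compare only the bits the wildcard mask leaves at 0.
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)

def evaluate(acl: List[Ace], src: str, proto: str, dst_port: Optional[int] = None) -> str:
    # First matching entry wins; the implicit 'deny any' applies when nothing matches.
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        if wildcard_match(src, ace.src, ace.src_wild):
            return ace.action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# ACL 102 from the guide: block 192.168.50.0/24, allow everything else.
ACL_102 = [Ace("deny", "ip", "192.168.50.0", "0.0.0.255"),
           Ace("permit", "ip", *ANY)]

# A 0.0.0.255 wildcard admits the whole /24 regardless of the host bits in the address...
ACL_110_SUBNET = [Ace("permit", "tcp", "192.168.1.100", "0.0.0.255", 22),
                  Ace("deny", "ip", *ANY)]
# ...whereas 'host 192.168.1.100' (wildcard 0.0.0.0) admits a single management station.
ACL_110_HOST = [Ace("permit", "tcp", "192.168.1.100", "0.0.0.0", 22),
                Ace("deny", "ip", *ANY)]
```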
Enabling DHCP Snooping for Security
Prevent unauthorised DHCP servers from distributing IP addresses.
Enable DHCP Snooping Globally
ip dhcp snooping
Apply DHCP Snooping to VLANs
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
Trust Only Uplink Ports (Block Rogue DHCP Servers)
interface GigabitEthernet0/24
ip dhcp snooping trust
exit
Configuring Port Security to Prevent Unauthorised Access
Port Security limits the number of MAC addresses per port, preventing rogue devices.
Example: Allow Only One MAC Per Port
interface GigabitEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
exit
Example: Sticky MAC Address Binding
This ensures only known MAC addresses can connect in the future.
interface GigabitEthernet0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
exit
Enabling Link Aggregation for High Availability
Combine multiple links into a single logical connection for redundancy and bandwidth efficiency.
Configure EtherChannel (LACP Mode)
interface Port-channel1
switchport mode trunk
exit
interface range GigabitEthernet0/10 - 12
channel-group 1 mode active
exit
Configuring Simple Network Management Protocol (SNMP) for Network Monitoring
Enable SNMP to monitor the network’s health and security.
Enable SNMP
snmp-server community PublicString RO
snmp-server community PrivateString RW
snmp-server location DataCenter
snmp-server contact admin@company.com
SNMPv1/v2c community strings travel in clear text and act as passwords: use long random strings, restrict them with an ACL, and prefer SNMPv3 where the platform supports it.
Verify SNMP Configuration
show snmp community
show snmp location
Implementing Network Time Protocol (NTP) for Synchronisation
Configure NTP to Sync Time
ntp server 192.168.1.100
clock timezone UTC 0
service timestamps debug datetime msec
service timestamps log datetime msec
Verify NTP
show ntp status
show clock
Setting Up Syslog for Centralised Logging
Enable Syslog
logging host 192.168.1.200
logging trap warnings
logging source-interface Vlan10
Verify Syslog Settings
show logging
show running-config | include logging
Note that logging trap warnings forwards only severity 0 to 4; configuration changes (%SYS-5-CONFIG_I) and other severity 5 events stay on the switch unless the level is raised, for example with logging trap notifications.
Configuring NetFlow for Traffic Analysis
Enable NetFlow
ip flow-export destination 192.168.1.150 9996
ip flow-export version 9
ip flow-cache timeout active 5
These commands set up the export; flow collection must also be enabled on each interface to be monitored (ip flow ingress) on platforms that support it, otherwise nothing is exported.
Verify NetFlow
show ip flow export
show ip cache flow
Applying Advanced Security Features
Enable MAC Address Filtering (Higher Security)
mac address-table static 00e0.abcd.1234 vlan 10 interface GigabitEthernet0/1
mac address-table static 00e0.abcd.5678 vlan 20 interface GigabitEthernet0/2
Enable IP Source Guard (Prevent IP Spoofing)
interface GigabitEthernet0/3
ip verify source
exit
Enable Dynamic ARP Inspection (Mitigate ARP Attacks)
ip arp inspection vlan 10
ip arp inspection vlan 20
DAI validates ARP packets against the DHCP snooping binding table, so it depends on DHCP snooping being enabled on the same VLANs; as with DHCP snooping, mark the uplink trunk as trusted (ip arp inspection trust under GigabitEthernet0/24) so legitimate ARP traffic from the rest of the network is not dropped.
Verify Security Features
show mac address-table static
show ip verify source
show ip arp inspection
Multicast Routing: Efficient Streaming & Broadcast Traffic
Enable IGMP Snooping to Optimise Multicast Traffic
ip igmp snooping
Configure PIM Sparse Mode for Multicast Routing
ip multicast-routing
interface vlan 50
ip pim sparse-mode
exit
Set Up a Rendezvous Point (RP) for Multicast Traffic
ip pim rp-address 192.168.1.1
Verify Multicast Configuration
show ip pim neighbor
show ip igmp groups
For more details on multicast routing, check out this Meraki guide.
Configuring Redundancy with Hot Standby Router Protocol (HSRP)
HSRP ensures high availability by allowing one switch to act as a backup in case the primary fails.
Enable HSRP on VLAN Interfaces
interface vlan 10
ip address 192.168.1.1 255.255.255.0
standby 1 ip 192.168.1.254
standby 1 priority 110
standby 1 preempt
exit
Verify HSRP Status
show standby
Configuring Private VLANs for Enhanced Security
Private VLANs restrict communication between devices within the same VLAN.
Create Primary & Secondary VLANs
Each VLAN needs a private-VLAN role, and the secondary VLANs must be associated with the primary; without these lines the host-association command below is rejected.
vlan 101
name Isolated_VLAN
private-vlan isolated
vlan 102
name Community_VLAN
private-vlan community
vlan 100
name Primary_VLAN
private-vlan primary
private-vlan association 101,102
exit
Assign VLAN Roles
interface GigabitEthernet0/5
switchport mode private-vlan host
switchport private-vlan host-association 100 101
exit
Verify Private VLAN Configuration
show vlan private-vlan
Configuring Storm Control to Prevent Broadcast Floods
Storm control limits excessive broadcast, multicast, and unknown unicast traffic.
Enable Storm Control on Interfaces
interface GigabitEthernet0/3
storm-control broadcast level 50.00
storm-control multicast level 50.00
storm-control action shutdown
exit
Verify Storm Control Settings
show storm-control
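Port security, DHCP snooping, Dynamic ARP Inspection and storm control all report through the syslog host configured earlier. The following added Python example (not part of the guide) parses the %FACILITY-SEVERITY-MNEMONIC header that IOS puts on every message, keeps the events raised by those four features, and counts them per port; the log lines are constructed samples and the function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Every IOS message carries a %FACILITY-SEVERITY-MNEMONIC header; the rest is free text.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)\d+/\d+\b")
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)

# Facilities raised by the features configured in this guide.
WATCHED = {"PORT_SECURITY": "port security violation",
           "DHCP_SNOOPING": "DHCP message dropped on untrusted port",
           "SW_DAI": "ARP inspection drop",
           "STORM_CONTROL": "traffic storm on port"}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = MSG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    iface = IFACE_RE.search(ev["text"])
    mac = MAC_RE.search(ev["text"])
    # Normalise the short form (Gi0/3) to the long form used in the configuration.
    ev["interface"] = re.sub(r"^Gi(?=\d)", "GigabitEthernet", iface.group(0)) if iface else ""
    ev["mac"] = mac.group(0).lower() if mac else ""
    return ev

def triage(lines: List[str]) -> List[Dict[str, str]]:
    # Keep only events from the watched facilities and attach a human-readable label.
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["facility"] in WATCHED:
            ev["label"] = WATCHED[ev["facility"]]
            events.append(ev)
    return events

def events_per_port(events: List[Dict[str, str]]) -> Counter:
    return Counter(ev["interface"] for ev in events if ev["interface"])

# Constructed sample lines in the layout 'service timestamps log datetime msec' produces.
SAMPLE_LOG = [
    "*Mar  1 00:05:12.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.100)",
    "*Mar  1 00:07:44.310: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/2.",
    "*Mar  1 00:09:01.005: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: aabb.ccdd.eeff",
    "*Mar  1 00:10:22.770: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/3, vlan 10.([0011.2233.4455/192.168.1.50/0000.0000.0000/192.168.1.1/00:10:22 UTC Mon Mar 1 1993])",
    "*Mar  1 00:11:03.422: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi0/3. A packet filter action has been applied on the interface.",
    "*Mar  1 00:12:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up",
]
```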
Configuring 802.1X Port-Based Authentication
802.1X ensures only authorised devices can connect to the network. The switch only relays the authentication: AAA (aaa new-model) and a reachable RADIUS server must be configured before ports are set to auto, or no supplicant will be able to authenticate.
Enable 802.1X Globally
dot1x system-auth-control
Configure Authentication on Interfaces
interface GigabitEthernet0/4
dot1x port-control auto
dot1x reauthentication
exit
Verify 802.1X Status
show dot1x interface GigabitEthernet0/4
Configuring Virtual Router Redundancy Protocol (VRRP) for Redundant Gateways
VRRP provides redundant default gateways for network resilience.
Enable VRRP on VLAN Interfaces
interface vlan 20
ip address 192.168.2.1 255.255.255.0
vrrp 1 ip 192.168.2.254
vrrp 1 priority 120
exit
Verify VRRP Status
show vrrp
Saving Configuration and Verifying Setup
Save Configuration to Startup-Config
write memory
or
copy running-config startup-config
Verify Configuration Save
show startup-config
Ensure settings persist after reboot.
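As an added check (not from the guide), the Python script below audits a saved running-config for the controls set in this guide: an enable secret, SSH version 2, SSH-only VTY lines with local login, DHCP snooping, a syslog host, no read-write SNMP community, and no access port left without either port security or shutdown. The sample configuration is constructed (the hash is a placeholder) and the function names are this example's own.

```python
from typing import Dict, List

# Constructed sample running-config (not captured from a real switch); the hash is a placeholder.
SAMPLE_CONFIG = """\
enable secret 9 PLACEHOLDER_HASH
ip ssh version 2
ip dhcp snooping
logging host 192.168.1.200
snmp-server community PrivateString RW
interface GigabitEthernet0/1
 switchport mode access
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
line vty 0 4
 transport input ssh
 login local
"""

def parse_sections(config: str) -> Dict[str, List[str]]:
    # 'global' lists every top-level line; each header maps to its indented sub-commands.
    sections, current = {"global": []}, "global"
    for raw in config.splitlines():
        if raw.startswith(" "):                      # indented: belongs to the current header
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            sections.setdefault(current, [])
            sections["global"].append(current)
    return sections

def unguarded_access_ports(sections: Dict[str, List[str]]) -> List[str]:
    # Access ports that are neither shut down nor protected by port security.
    return [h.split()[1] for h, body in sections.items()
            if h.startswith("interface GigabitEthernet") and "shutdown" not in body
            and "switchport mode trunk" not in body and "switchport port-security" not in body]

def audit(config: str) -> Dict[str, bool]:
    # True means the control from the guide is present in the config.
    s = parse_sections(config)
    g, vty = s["global"], s.get("line vty 0 4", [])
    return {
        "enable secret set": any(l.startswith("enable secret") for l in g),
        "ssh version 2": "ip ssh version 2" in g,
        "vty ssh only": "transport input ssh" in vty and "login local" in vty,
        "dhcp snooping on": "ip dhcp snooping" in g,
        "syslog host set": any(l.startswith("logging host") for l in g),
        "no RW snmp community": not any(l.startswith("snmp-server community") and l.endswith(" RW") for l in g),
        "all access ports guarded": not unguarded_access_ports(s),
    }
```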
Final Steps: Review & Documentation
Backup Configuration to a Server
copy startup-config tftp://192.168.1.250/config-backup.cfg
TFTP carries the file, secrets included, unencrypted; prefer SCP (copy startup-config scp://...) over a dedicated management network where possible.
Test Connectivity & Security
ping 192.168.1.254
traceroute 8.8.8.8
Document All Settings for Future Reference
- Ensure all configurations are logged for troubleshooting.
- Create a network topology diagram to visualise VLANs and connections.