Initial configurations of a CISCO switch, before moving onto more specific and environmental configurations, should include naming the switch, securing the switch, setting the time and clock, and configuring some optimisations for general usage. Here is a general overview of the inital configuration that I apply to any CISCO switch (or router for that matter).
Naming the Switch
From Global Config mode:
(config)hostname SWITCH01
Securing the Switch
There are several areas where security should be considered on a CISCO device. Firstly the enable password should be set. Secondly the console and telnet ports should be set. Thirdly passwords should be encrypted. Finally, terminal sessions should be encrypted.
Configuring the Enable Secret
There are two methods for securing privileged mode. You can either set the ‘enable password’ or the ‘enable secret’. The difference between the two is that the ‘enable password’ is not encrypted where as the ‘enable secret’ is. For this reason it is advised to set the ‘enable secret’ and then dissable the ‘enable password’.
From Global Config mode:
(config)enable secret password
(config)no enable password
Securing the Line Ports
The line ports include the console and also vty ports designated for telnet and SSH sessions. CISCO switches allow multiple vty ports to be used concurrently leaving the potantial for multiple people to be logged into the same switch making changes at the same time. I feel this is bad practice however and configure only 2 ports to accept connections. The final command encrypts the passwords so they cannot be easily seen by viewing the running config.
From Global Config mode:
(config)line console 0
(config-line)password password
(config-line)exit
(config)line vty 0 1
(config-line)password password
(config-line)exit
(config)service password-encryption
Enabling SSH
Passwords only secure access to the switch but telnet sessions are notoriously unsecure as the data is sent in an unencrypted form and can easily be intercepted by packet sniffers. For this reason it is necessary to secure the telnet session by enabling SSH encryption on the remote vty ports.
From Global Config mode:
(config)username administrator password password
(config)ip domain-name dbtek.local
(config)crypto key generate rsa
When asked how many bits, use 1024 bits.
(config)ip ssh version 2 line vty 0 1
(config-line)transport input ssh
Setting the Date and Time
From Global Config mode:
(config)clock timezone GMT 0
(config)clock summer-time GMT recurring
(config)exit
#clock set 20:00:00 31 Aug 2011
Usage Optimisations
As you will no doubt find out, CISCO devices continually print status messages which can interfere with your typing and become a nuisance. The next two commands modify the status messages so they don’t interefe with entered commands and also increase the time allowed before the session times-out. The final command dissables the switch from trying to resolve DNS on any miss-typed commands.
From Global Config mode:
(config)line console 0
(config-line)logging synchronous
(config-line)exec-timeout 30 0
(config-line)exit
(config)line vty 0 1
(config-line)logging synchronous
(config-line)exec-timeout 30 0
(config)no ip domain-lookup
Useful Shortcuts
Finally, it is possible to configure shortcuts or aliases for commands that are used alot. Two of mine include one of the more popular show commands and also saving the switch config. You can set as many aliases as you see fit.
From Global Config mode:
(config)alias exec s show ip interface brief
(config)alias exec save copy running-config startup-config