
Switch/Router initial configuration checklist

johnprosso
Level 1

Hi,

Wondering if anyone has seen a cheat sheet/checklist when initially configuring a new switch or router. For instance:

  1. Configure hostname
  2. Configure correct passwords
  3. Configure NTP
  4. SNMP servers

etc., etc.

Thank you,

John

2 Accepted Solutions

allen mert
Level 1

Hi John,

Here are some basic commands for configuring Switch/Routers:

Router/Switch Hostname:

Router1>enable
Router1#configure terminal
Router1(config)# hostname JohnsRouter

 

Configuring passwords:

SW1(config)# enable secret cisco    ! MD5 hash
SW1(config)# enable password notcisco    ! Clear text

Securing console port:

SW1(config)# line con 0
SW1(config-line)# password cisco
SW1(config-line)# login

Securing terminal lines:

SW1(config)# line vty 0 4
SW1(config-line)# password cisco
SW1(config-line)# login

Encrypting passwords:

SW1(config)# service password-encryption

Configuring banners:

SW1(config)# banner motd $
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
UNAUTHORIZED ACCESS IS PROHIBITED
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
$

Giving the switch an IP address:

SW1(config)# interface vlan 1
SW1(config-if)# ip address 172.16.1.11 255.255.255.0    ! or DHCP
SW1(config-if)# no shutdown

Setting the default gateway:

SW1(config)# ip default-gateway 172.16.1.1

Saving configuration:

SW1# copy running-config startup-config
Destination filename [startup-config]?    ! Press enter to confirm file name.
Building configuration…
[OK]
 
! Short for write memory.
SW1# wr
Building configuration…
[OK]

Working environment:

name lookup, history, exec-timeout and logging behavior…, also valid for line con 0.

SW1(config)# no ip domain-lookup
SW1(config)# line vty 0 4
SW1(config-line)# history size 15
SW1(config-line)# exec-timeout 10 30
SW1(config-line)# logging synchronous

Configuring switch to use SSH:

  • Configure DNS domain name:
SW1(config)# ip domain-name example.com
  • Configure a username and password:
SW1(config)# username admin password cisco
  • Generate encryption keys:

The size of the key modulus in the range of 360 to 2048

SW1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
  • Define SSH version to use:
SW1(config)# ip ssh version 2
  • Enable vty lines to use SSH:
SW1(config)# line vty 0 4
SW1(config-line)# login local
! You can set vty lines to use only telnet or only ssh or both as in the example.
SW1(config-line)# transport input telnet ssh

Aliases:

Used to create shortcuts for long commands.

SW1(config)# alias exec c configure terminal
SW1(config)# alias exec s show ip interface brief
SW1(config)# alias exec sr show running-config

Description, speed and duplex:

SW1(config)# interface fastEthernet 0/1
SW1(config-if)# description LINK TO INTERNET ROUTER
SW1(config-if)# speed 100    ! Options: 10, 100, auto
! The range keyword is used to set a group of interfaces at once.
SW1(config)# interface range fastEthernet 0/5 - 10
SW1(config-if-range)# duplex full    ! Options: half, full, auto

Router Interface Config:

Router1>enable
Router1#configure terminal
Router1(config)#interface FastEthernet0/0
Router1(config-if)#description Private LAN
Router1(config-if)#speed 100
Router1(config-if)#duplex full
Router1(config-if)#ip address 192.168.1.1 255.255.255.0    ! can be any IP
Router1(config-if)#no shutdown

 

Please rate if you find helpful..

Thanks,

Allen


For line vty, I recommend:

access-list 30 remark === ACL VTY MGMT ===
access-list 30 permit XX.XX.XX.XX XX.XX.XX.XX

line con 0
 exec-timeout 5 0
 privilege level 15
 login authentication NOTACACS
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 access-class 30 in
 transport input ssh
line vty 5 15
 access-class 30 in
 transport input ssh

 

For an access switch, for example PC+phone:

 switchport access vlan x
 switchport mode access
 switchport voice vlan y
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation shutdown
 srr-queue bandwidth share 1 30 35 5
 priority-queue out 
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone 
 storm-control broadcast level 20.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard loop

 

Please rate if you find helpful..
Thanks,
TM
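
A small audit of the login and vty settings covered by the two answers above, as an added example that is not part of either post: it flags `enable password`, `username ... password`, vty lines that are not SSH-only, and vty lines without an inbound `access-class`. The function names `blocks` and `audit`, both sample configurations and the ACL address 192.0.2.10 are constructed for illustration.

```python
import re
# Constructed samples, not from a real device: WEAK uses the first answer's
# commands, HARDENED follows the second answer's vty recommendation.
WEAK = """enable secret 5 $1$CONSTRUCTED
enable password notcisco
username admin password 0 cisco
line vty 0 4
 login local
 transport input telnet ssh
"""
HARDENED = """enable secret 5 $1$CONSTRUCTED
username admin secret 5 $1$CONSTRUCTED
access-list 30 permit 192.0.2.10
line vty 0 4
 exec-timeout 5 0
 access-class 30 in
 transport input ssh
line vty 5 15
 access-class 30 in
 transport input ssh
"""

def blocks(config):
    """Group config text into (top-level line, [indented child lines])."""
    out = []
    for raw in config.splitlines():
        if raw[:1] == " " and out:
            out[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            out.append((raw.strip(), []))
    return out

def audit(config):
    """Return findings for the login and vty settings discussed in the thread."""
    findings = []
    for parent, kids in blocks(config):
        if parent.startswith("enable password"):
            findings.append("enable password present; keep only enable secret")
        if re.match(r"username \S+ (privilege \d+ )?password\b", parent):
            findings.append(f"{parent.split()[1]}: username uses password, not secret")
        if parent.startswith("line vty"):
            transport = next((k for k in kids if k.startswith("transport input")), "")
            if transport.split()[2:] != ["ssh"]:
                findings.append(f"{parent}: transport input not explicitly ssh-only")
            if not any(re.match(r"access-class \S+ in", k) for k in kids):
                findings.append(f"{parent}: no inbound access-class")
    return findings

if __name__ == "__main__":
    print({"WEAK": audit(WEAK), "HARDENED": audit(HARDENED)})
```

Feed `audit()` the saved text of `show running-config`; each vty range is reported separately, so a hardened `line vty 0 4` does not hide an open `line vty 5 15`.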



I appreciate the information.

This discussion has been reposted from Additional Communities to the Other Network Infrastructure Subjects community.

allen mert
Level 1

In addition for NTP, and logging:

Router(config)#logging buffered 512000
Router(config)#service timestamps debug datetime msec localtime show-timezone year
Router(config)#service timestamps log datetime msec localtime show-timezone year
Router(config)#clock timezone PST -8
Router(config)#clock summer-time PDT recurring
Router(config)#service sequence-numbers
Router(config)#ntp server 209.151.225.100

SNMP:

Enabling SNMP

  • enable privilege mode
  • config terminal
  • snmp-server community {password} RO - sets a community string with Read Only privilege.
  • or no snmp-server community {password} - removes a community string.

Please rate if you find helpful..

Thanks,

Allen