Enter configuration console:
enable
configure terminal
This is important: if your prompt doesn't look like the one below, none of the configuration commands will work!
Switch(config)#
Save Settings (writes the running config to startup config so it survives a reboot):
wr
Show Switch Configuration:
show run
Show Port List/Status:
Switch#show interface status
Port Name Status Vlan Duplex Speed Type
Fa0/1 connected 1 a-full a-100 10/100BaseTX
Fa0/2 notconnect 1 auto auto 10/100BaseTX
Fa0/3 notconnect 1 auto auto 10/100BaseTX
Fa0/4 notconnect 1 auto auto 10/100BaseTX
Fa0/5 notconnect 1 auto auto 10/100BaseTX
Fa0/6 notconnect 1 auto auto 10/100BaseTX
Fa0/7 notconnect 1 auto auto 10/100BaseTX
Fa0/8 notconnect 1 auto auto 10/100BaseTX
Fa0/9 notconnect 1 auto auto 10/100BaseTX
Fa0/10 notconnect 1 auto auto 10/100BaseTX
Fa0/11 notconnect 1 auto auto 10/100BaseTX
Fa0/12 notconnect 1 auto auto 10/100BaseTX
Fa0/13 notconnect 1 auto auto 10/100BaseTX
Fa0/14 notconnect 1 auto auto 10/100BaseTX
Fa0/15 notconnect 1 auto auto 10/100BaseTX
Fa0/16 notconnect 1 auto auto 10/100BaseTX
Fa0/17 notconnect 1 auto auto 10/100BaseTX
Fa0/18 notconnect 1 auto auto 10/100BaseTX
Fa0/19 notconnect 1 auto auto 10/100BaseTX
Fa0/20 notconnect 1 auto auto 10/100BaseTX
Fa0/21 notconnect 1 auto auto 10/100BaseTX
Fa0/22 notconnect 1 auto auto 10/100BaseTX
Fa0/23 notconnect 1 auto auto 10/100BaseTX
Fa0/24 notconnect 1 auto auto 10/100BaseTX
Gi0/1 connected 1 a-full a-1000 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto Not Present
Show config of individual port or vlan
You could also have used "interface vlan 1" and you would get the config of the vlan.
Switch#show running-config interface gi0/1
Building configuration...
Current configuration : 36 bytes
!
interface GigabitEthernet0/1
end
Create VLAN:
Switch(config)#vlan 80
Switch(config-vlan)#name realtechtalk.com
Assign VLAN:
Switch(config)#int fa0/19
Switch(config-if)#switchport access vlan 80
Show all VLANs:
show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
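The two outputs above ("show interface status" and "show vlan") are the first thing you look at when auditing an access switch. The following is an added example, not code from the original page: a small Python parser for both outputs, plus a check that lists ports with nothing plugged in that still sit in VLAN 1 (the default every unconfigured port lands in, and the usual candidates for shutdown or a parking VLAN). The function names and the sample output strings are my own; the samples are constructed to mirror the column layout shown above.

```python
import re

# Row layout of "show interface status". The Name column may be empty and the
# Type column may contain spaces ("Not Present"), so rows are anchored on the
# Status keyword instead of on column positions.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive|monitoring)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>.*)$"
)


def parse_interface_status(text):
    """Parse 'show interface status' output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Port "):
            continue  # blank line or column header
        m = STATUS_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def _split_ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_vlan_brief(text):
    """Parse the first table of 'show vlan' into {vlan_id: {name, status, ports}}.

    Port lists wrap onto continuation lines; any line that does not start with
    a VLAN number is treated as more ports for the VLAN above it, which also
    copes with pasted output that lost its leading indentation.
    """
    vlans, current = {}, None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break  # second table (SAID/MTU/...) is not needed here
        if not line.strip() or line.startswith(("VLAN Name", "----")):
            continue
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            vid, name, status, ports = m.groups()
            current = {"name": name, "status": status, "ports": _split_ports(ports)}
            vlans[int(vid)] = current
        elif current is not None:
            current["ports"].extend(_split_ports(line))
    return vlans


def unused_ports_in_vlan(rows, vlan="1"):
    """Ports with nothing connected that still sit in the given VLAN."""
    return [r["port"] for r in rows if r["status"] == "notconnect" and r["vlan"] == vlan]


# Constructed sample output in the same layout as the switch prints it.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/19    desk-19            connected    80         a-full  a-100 10/100BaseTX
Gi0/1                        connected    1          a-full a-1000 10/100/1000BaseTX
Gi0/2                        notconnect   1            auto   auto Not Present
"""

SAMPLE_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Gi0/1, Gi0/2
80   realtechtalk.com                 active    Fa0/19
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

if __name__ == "__main__":
    rows = parse_interface_status(SAMPLE_STATUS)
    print("idle ports still in VLAN 1:", unused_ports_in_vlan(rows))
    for vid, info in parse_vlan_brief(SAMPLE_VLAN).items():
        print(vid, info["name"], info["status"], info["ports"])
```

Feed it the text of the real commands (for example saved from a terminal session) instead of the samples to get the list for your own switch.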
Show Specific VLAN
show vlan id 1
Configure interfaces
100M (FastEthernet) ports are referred to as fa0/<port>, so for port 1 you would use fa0/1:
int fa0/1
or
int fastethernet0/1
1Gig (GigabitEthernet) ports are referred to as gigabitethernet0/<port> or gi0/<port>:
int gigabitethernet0/1
or
int gi0/1
You can configure vlans in the same way:
int vlan 1
Working with a range of ports (example of ports 1-12)
int range fa0/1-12
Enable Port(s)
int fa0/1
no shutdown
The no in front of shutdown means turn the port on; no negates a command, much like a logical NOT (!).
How to Assign ports to vlan
#how to assign ports to vlan in this case it is ports 1-24 and they are being assigned to vlan 1
Switch(config)#int range fa0/1-24
Switch(config-if-range)#switchport access vlan 1
Port Security
Maximum MAC addresses/devices
Where 8 below is the maximum number of MAC addresses allowed on the port
rtt(config)#int fa0/3
rtt(config-if)#switchport port-security maximum 8
To Disable MAC Limit
rtt(config-if)#no switchport port-security maximum
How To Disable Port Security On A Port
no switchport port-security
no switchport port-security violation protect
no switchport port-security mac-address sticky
no switchport mode access
BPDU Guard
This can be the source of a lot of pain for end users and network admins. To understand this, first let's talk about STP (Spanning Tree Protocol), which is designed to prevent Layer 2 switching loops that would otherwise kill a network. A loop can be something as simple as an ethernet cable with both ends plugged into the same switch.
STP works by exchanging BPDUs (Bridge Protocol Data Units), multicast messages that carry information such as the source MAC, switch (bridge) ID, originating switch port and port priority. It then runs the STA (Spanning Tree Algorithm) over that information to build a loop-free Layer 2 topology, and blocks any port that would create a loop.
BPDU Guard in the Cisco world simply means that if a port receives a BPDU, the switch shuts that port down by putting it into the errdisable state.
I say this is good in terms of keeping a network secure and running well, but a pain for end users who need to run a managed switch and for network admins who were unaware that BPDU was enabled.
Check a port's settings and you may see this:
rtt#show run int gi0/1
Building configuration...
Current configuration : 335 bytes
!
interface GigabitEthernet0/1
switchport access vlan 999
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
end
To disable bpduguard
rtt(config-if)#spanning-tree bpduguard disable
To enable bpduguard
rtt(config-if)#spanning-tree bpduguard enable
*Note: you can also enable or disable BPDU Guard globally (for all PortFast-enabled ports) from global configuration mode (conf t)
#enable by default
rtt(config)#spanning-tree portfast bpduguard default
#disable by default
rtt(config)#no spanning-tree portfast bpduguard default
How to assign IP to VLAN
Choose your VLAN interface, e.g. int vlan 777
Where below 10.25.20.2 is the IP and the netmask is 255.255.255.0
Switch(config-if)#ip address 10.25.20.2 255.255.255.0
Assign the default gateway:
Switch(config-if)#ip default-gateway 10.25.20.1
How To Set Administrative "enable" mode Password
Switch(config)#enable password realtechtalk.com
DHCP Server Creation for VLAN
Create VLAN and assign IP 10.25.2.2 and DFGW 10.25.2.1
switch(config-if)#int vlan 1800
switch(config-if)#ip address 10.25.2.2 255.255.255.0
switch(config-if)#ip default-gateway 10.25.2.1
Create DHCP Pool for VLAN 1800 range 10.25.2.0
#to match the DHCP Pool to the VLAN we mention vlan1800 as the name of the pool below (the name is only a label; what actually ties the pool to the VLAN is the network statement matching the VLAN interface's subnet).
switch(config)#ip dhcp pool vlan1800
switch(dhcp-config)#network 10.25.2.0 255.255.255.0
switch(dhcp-config)#dns-server 8.8.8.8 4.2.2.1
switch(dhcp-config)#default-router 10.25.2.1
#you could add Option 150 if this VLAN is for phones and you have a CUCM Server (specify the CUCM server IP)
switch(dhcp-config)#option 150 ip 10.25.2.8
Exclude Relevant Addresses
switch(config)#ip dhcp excluded-address 10.25.2.1 10.25.2.2
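The pool only works if the default-router and the switch's own VLAN address sit inside the network statement and are kept out of the lease range, which is what the excluded-address line above does. As an added example (not code from the original page), here is a Python check of exactly those relationships using the standard ipaddress module; the function name and its arguments are my own, and the values in the usage section are the ones from the configuration above.

```python
import ipaddress


def check_dhcp_pool(network, default_router, svi_address, excluded):
    """Sanity-check a switch DHCP pool against the VLAN interface it serves.

    network:        the pool's 'network' line, e.g. "10.25.2.0/255.255.255.0"
    default_router: the pool's 'default-router' address
    svi_address:    the 'ip address' configured on the VLAN interface
    excluded:       list of (low, high) pairs from 'ip dhcp excluded-address'
    Returns (problems, leasable): problem strings (empty when consistent) and
    the number of host addresses the pool can still hand out.
    """
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(default_router)
    svi = ipaddress.ip_address(svi_address)

    # Expand every excluded-address range into individual addresses.
    excluded_set = set()
    for low, high in excluded:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo > hi:
            raise ValueError(f"excluded range {low}-{high} is reversed")
        excluded_set.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))

    problems = []
    for label, addr in (("default-router", gw), ("SVI address", svi)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside {net}")
        elif addr not in excluded_set:
            # The switch would hand this address to a client and create a conflict.
            problems.append(f"{label} {addr} is inside the pool but not excluded")

    leasable = len(set(net.hosts()) - excluded_set)
    return problems, leasable


if __name__ == "__main__":
    # Values from the VLAN 1800 pool above.
    problems, leasable = check_dhcp_pool(
        "10.25.2.0/255.255.255.0", "10.25.2.1", "10.25.2.2",
        [("10.25.2.1", "10.25.2.2")],
    )
    print("problems:", problems or "none", "| leasable addresses:", leasable)
```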
Enable SSH:
First we need to generate keys for the SSH server which takes a bit of time if you choose a decent key size
crypto key generate rsa
A key size of anything less than 4096 is useless but some older routers or switches may only support 2048. 4096 on a 2960G takes forever for example.
The name for the keys will be: rttkey
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 4096
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
From global configuration mode (conf t), turn on password encryption; otherwise anyone who sees your config sees the raw password in clear text. Keep in mind this only applies type 7 obfuscation, which is trivially reversible, so it hides passwords from someone glancing at the screen, not from anyone who obtains the config file; enable secret and username ... secret store a proper hash instead.
service password-encryption
Create username and password:
username rttuser password rttpassword
Enter line vty 0 4, enable SSH and tell it to authenticate as a local user (eg. the one created above):
line vty 0 4
(config-line)# transport input ssh
(config-line)# login local
(config-line)# password 7
(config-line)# exit
VLAN creation fails with a VTP error:
Switch(config-if)#switchport access vlan 1234
% Access VLAN does not exist. Creating vlan 1234
Switch(config-if)#
*Mar 1 00:17:02.688: %PM-2-VLAN_ADD: Failed to add VLAN 1234 - VTP error.
A quick and easy fix is to turn VTP off; VTP can also pose a risk in production environments because it can automatically delete VLANs across the whole VTP domain.
vtp mode off
Setting device to VTP Off mode for VLANS.