Getting your Cisco switch or router out of the box and configuring it from scratch is fun. Here are a few tips and tricks based on CCNA best practice from ICND1.
This covers configuring your switch/router from the ground up, with some helpful features to make your life easier and the device more secure.
We are going to do the following:
- Change the Hostname
- Configure your logon MOTD Banner
- Enable logging-synchronous
- Configure a console password
- Configure your VTY lines with a password for SSH/Telnet
- Activate your interfaces
- Enable No IP-Domain-Lookup
- Enable Service Password-Encryption
- Enable Secret
- Copy run start
This isn't to say you should set up every switch/router exactly this way, but it is a good place to start.
Change the hostname
Quite plain and simple, but everyone has their own naming convention to work with. Usually you will find something similar to the below:
UK-LDN-SW-01-P, which is Country-City-Device-DeviceNumber-Environment:
Country = UK – United Kingdom
City = LDN – London
Device = SW – Switch
Device Number = 01 – Switch 01
Environment = P – Production, D – Development, S – Staging, T – Test.
Everyone has their own convention, but a consistent one helps you locate your equipment. It is also a good idea to label the device before it is racked so you can find it afterwards; you can use Dymo labels or any other label printer, or if you are really fancy include the hostname on the asset tag. Some companies even derive their hostnames from the asset tag. It's all personal preference.
1. Boot up your switch and go into privileged EXEC (enable) mode, see commands below:
Switch> en
Switch#
2. Once you are in enable mode, go to global configuration mode and set the hostname, see commands below:
Switch# conf t
Switch(config)# hostname UK-SW01-T
UK-SW01-T(config)#
That's it! The prompt changes immediately, and you can change it back with the same command, so don't worry if you make a mistake.
Configure your logon MOTD Banner
A lot of companies set one for legal reasons: it puts anyone connecting on notice that access is restricted. There have been legal cases where an intruder was presented with a banner that effectively welcomed them onto the device, so never put "Welcome" in a banner. The MOTD banner is shown before the login prompt, which makes it the right place for the warning.
You probably don't need the fancy ASCII-art lettering and just want a standard warning, but some companies put their company name in large ASCII letters; you can generate that with any ASCII-art generator found through a web search.
so let’s get started:
Switch> en
Switch# conf t
Switch(config)# banner motd &
Enter TEXT message. End with the character '&'.
If you are not authorized to be using this equipment, please disconnect immediately.
&
Switch(config)# end
Switch# exit
Once you have exited back to the login prompt you should see your MOTD banner.
The character straight after "banner motd" is the delimiter: IOS keeps taking text until it sees that character again, so you can use any character that does not appear in the banner itself (such as !), but I always use &. When you have finished your text, type & on a new line to close the banner.
Enable logging-synchronous
This one is optional really, but I find it really useful. By default the switch/router prints console messages (for example the "configured from console" notice after a change) in the middle of whatever you are typing; logging synchronous makes it reprint your half-typed command on a fresh line below the message instead.
In my (really bad) example above I renamed the device to "Jerry"; on exit I went to run a "show run" and the console message split my command across the warning line itself. With logging synchronous the message is still printed, but my command is pushed onto the row below, which makes it much easier to keep typing after a change.
To configure it, apply the command to the console line:
Jerry# conf t
Jerry(config)# line console 0
Jerry(config-line)# logging synchronous
Jerry(config-line)# end
And that's it! Simple. The same command works under "line vty 0 4" so your SSH sessions get the same treatment.
Configure a console password
Most people don't bother with this; it depends how security conscious you are. A common rule of thumb is that if your switches/routers are behind a locked door with CCTV you can leave it, but some companies need it to pass security audits. Bear in mind that a console password only raises the bar: anyone with physical access and a console cable can still use the password-recovery procedure to reset it, so it is no substitute for physical security.
Two different passwords are involved here. The line password (set with "password" plus "login" under "line console 0") is asked for as soon as you connect to the console port; the enable password (a global command) is asked for when you type "en" to enter privileged mode. Note that if you type "enable password" while under "line console 0", IOS treats it as the global command and drops you back to the (config)# prompt, so what you have actually set is the enable password, not a console line password. Here are both:
Switch# conf t
Switch(config)# line console 0
Switch(config-line)# password switch123
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# enable password switch123
Switch(config)# end
Switch# exit
When you exit and reconnect you will be prompted for the line password, and again for the enable password when you go into enable mode.
The only problem is that both are stored in clear text in the configuration. Next I'll show how to mask the clear-text passwords, and then the usual answer, enable secret, which stores a hash of the password rather than the password itself.
Enable Service Password-Encryption
So we have our passwords set, which is great, but if we left our session open and someone wanted to know the password, they could read it straight out of "show running-config". service password-encryption replaces every clear-text password in the config with a Type 7 string (a 7 followed by a string of hex digits). Be clear about what that buys you: Type 7 is a fixed-key XOR obfuscation, not real encryption, and it is reversed in milliseconds by freely available tools, so it only protects against someone glancing over your shoulder. Still, it is better than clear text and it costs nothing to enable.
To enable it simply follow the commands below:
Switch# conf t
Switch(config)# service password-encryption
Switch(config)# end
Switch#
Once this is run, have a look and see if your password is now masked:
Switch# show run
Next to enable password you will see a 7 and a string of hex digits instead of your clear-text password. Any line passwords are rewritten the same way, as are passwords you add later.
Now for the next part I'll show you enable secret, which uses a proper hashing method, so let's remove the enable password first (it is a global command, so it is removed from global configuration mode):
Switch# conf t
Switch(config)# no enable password
Switch(config)# end
Switch# exit
Once you have exited, you should be able to go straight into enable mode without being prompted for a password.
Enable Secret
This is the stronger method that most people will want to use. enable secret does not use Type 7: it stores a salted hash of the password (Type 5, MD5-based, on older IOS; newer releases support Type 8, PBKDF2-SHA-256, and Type 9, scrypt, via "enable algorithm-type scrypt secret ..."). A hash cannot be reversed, so someone who gets hold of the config can only guess passwords offline and compare hashes; that is why a long, unguessable password matters more here than the hash type.
As we have removed our password our switch is now pretty much unsecured, assuming it is sat in a rack out in the open for someone to come along with a console cable and log in.
Let's change that! enable secret is a global command, so set it from global configuration mode:
Switch# conf t
Switch(config)# enable secret switch123
Switch(config)# end
Switch# exit
Then when you log in over the console cable and type "en" you should be prompted for the password.
This time the only difference is the stronger storage method, so if you do a "sh run" you will see a line like "enable secret 5 $1$..." in the output.
We know this is the hashed form because the line says "enable secret" rather than "enable password", the number after it is 5 (or 8/9) rather than 7, and the string is longer and includes the $ symbols that separate the salt from the hash.
Note: there is no separate "enable login" command. enable secret on its own is enough to protect enable mode, and if both enable secret and enable password exist, the secret is the one that is checked. The "login" command belongs on the lines (console and vty): it is what makes a line prompt for its "password", and "login local" makes it prompt for a username and password from the local "username" database instead.
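Here is an added example (my own Python, not from the original post) that shows concretely why the two storage methods are so different: it reverses a Type 7 string using the fixed, publicly known XOR key that IOS uses, and walks a constructed sample of "show run" output to report which credentials can be recovered and which are only hashed. The sample config text, the hash value in it and the passwords are all constructed for the demo.

```python
"""Type 7 reversal and a credential audit of IOS config text.
Added example, not from the original post. The sample config below is constructed."""
import re

# Cisco's fixed Type 7 XOR key; it is public and baked into IOS, which is why
# service password-encryption is obfuscation rather than encryption.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string: a two-digit decimal seed, then one hex byte per character.
    Each byte is XORed with the key byte at position (seed + index) modulo the key length."""
    if len(encoded) < 4 or len(encoded) % 2 != 0 or not encoded[:2].isdigit():
        raise ValueError(f"malformed Type 7 string: {encoded!r}")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 9) -> str:
    """Produce the string IOS would store. IOS picks a small random seed; any value works."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain.encode()))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'enable password 7 ...', ' password 7 ...' under a line, 'username x secret 5 ...',
# but not 'service password-encryption' (no whitespace after the keyword there).
_CRED = re.compile(r"^\s*(?:.*\s)?(?P<kw>password|secret)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)\s*$")


def audit_config(config: str) -> list[tuple[str, str]]:
    """Classify every stored credential in IOS config text.
    Returns (stripped config line, verdict). Clear text and Type 7 verdicts include the
    recovered password; hashed types (5, 8, 9) are reported as not reversible."""
    findings = []
    for line in config.splitlines():
        m = _CRED.match(line)
        if not m:
            continue
        kind, val = m.group("type"), m.group("val")
        if kind is None or kind == "0":
            verdict = f"CLEAR TEXT: {val}"
        elif kind == "7":
            verdict = f"TYPE 7 (reversible): {decode_type7(val)}"
        elif kind in ("5", "8", "9"):
            verdict = f"TYPE {kind} hash: not reversible, can only be guessed offline"
        else:
            verdict = f"unknown password type {kind}"
        findings.append((line.strip(), verdict))
    return findings


# Constructed sample of 'show run' output. The two fixed Type 7 values are real encodings
# of 'cisco' (seed 9 and seed 8); the hash is a placeholder, not a real MD5-crypt value.
SAMPLE_CONFIG = f"""\
hostname UK-SW01-T
service password-encryption
enable secret 5 $1$salt$constructedplaceholderhash00
enable password 7 094F471A1A0A
username admin password 7 0822455D0A16
username guest password 0 letmein
line con 0
 password 7 {encode_type7('switch123', 5)}
 login
"""

if __name__ == "__main__":
    for config_line, verdict in audit_config(SAMPLE_CONFIG):
        print(f"{config_line:45} -> {verdict}")
```

Run it and every "password 7" line comes back in plain text instantly, while the "secret 5" line is only reported as a hash; that is the whole difference between service password-encryption and enable secret.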
Configure your VTY lines with a password for SSH/Telnet
VTY lines are what you SSH or Telnet into, so they must be set up before you can manage the device remotely. Setting "enable secret" under "line vty 0 4" does not protect the lines (it is the global enable secret again); a vty line needs its own "login" (plus "password") or, better, "login local" with a "username" entry. SSH additionally needs a domain name (so the RSA key has a name; this is unrelated to the domain-lookup setting later) and an RSA key pair. The device also needs a management IP address on an interface that is "no shutdown", which is the "activate your interfaces" item from the list. Let's set it up!
Switch# conf t
Switch(config)# ip domain-name example.local
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# username admin secret Str0ngSecret123
Switch(config)# line vty 0 4
Switch(config-line)# login local
Switch(config-line)# transport input ssh
Switch(config-line)# end
Switch# exit
After that your switch accepts SSH on vty lines 0-4 and refuses Telnet. If you really must allow Telnet for a while, "transport input ssh telnet" permits both, but Telnet sends the password in clear text, so take it out as soon as SSH works. Also consider "exec-timeout 10 0" on the line so an abandoned session logs itself out.
No IP domain-lookup
If you mistype a command at the EXEC prompt, IOS assumes the word is a hostname you want to Telnet to and tries to resolve it with DNS. With no name server configured it sends the lookup to the broadcast address 255.255.255.255, you see "Translating "typo"...domain server (255.255.255.255)", and the prompt hangs until the lookup times out. Don't fear, you can stop this with the simple steps below:
Switch# conf t
Switch(config)# no ip domain-lookup
Switch(config)# end
Switch#
That's it. If you typo now, no problem; it makes things so much faster. The trade-off is that the device can no longer resolve names at all (for example "ping host.example.local"), so on a device that needs DNS, leave lookups on and use "transport preferred none" on the console and vty lines instead, which stops the typo-to-Telnet behaviour without disabling DNS.
Copy run start
So we have configured our switch/router and now we want to save everything. Everything we have done so far lives in the running configuration in RAM and is lost on reboot; saving copies it into the startup configuration in NVRAM, which is what the device loads at boot.
So run the command below:
Switch# copy run start
Or you can run the older equivalent:
Switch# write memory
(or just "wr"). It really is that simple to save your stuff, and if you were to issue a "reload" your configuration will still be intact! Run "show startup-config" afterwards if you want to confirm it wrote, and remember to save again after every change you want to keep.
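To tie the whole checklist together, here is an added example (again my own Python, not from the original post) that parses saved "show run" text into top-level commands and their indented children and checks it against the baseline built above: non-default hostname, MOTD banner, service password-encryption, enable secret, no ip domain-lookup, logging synchronous and login on the console, and login plus SSH-only transport on every vty block. The two sample configs are constructed, and what counts as a failure (for example treating anything other than "transport input ssh" as a failure) is my assumption, not something the post prescribes.

```python
"""Baseline check for IOS config text. Added example, not from the original post;
the pass/fail rules below are my assumptions. Sample configs are constructed."""


def parse_sections(config: str) -> dict[str, list[str]]:
    """Group IOS config into {top-level command: [indented child commands]}.
    Top-level commands without children map to an empty list; '!' separators are skipped."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():            # indented: belongs to the current block
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def check_baseline(config: str) -> list[str]:
    """Return human-readable failures; an empty list means the config meets the baseline."""
    sections = parse_sections(config)
    top = list(sections)
    fails: list[str] = []

    hostname = next((l.split(None, 1)[1] for l in top if l.startswith("hostname ")), None)
    if hostname in (None, "Switch", "Router"):
        fails.append("hostname still at the factory default")
    if not any(l.startswith("banner motd") for l in top):
        fails.append("no banner motd")
    if "service password-encryption" not in top:
        fails.append("service password-encryption not enabled")
    if not any(l.startswith("enable secret ") for l in top):
        fails.append("no enable secret (an enable password alone is reversible)")
    if "no ip domain-lookup" not in top:
        fails.append("ip domain-lookup still on (typos will hang the CLI)")

    con = sections.get("line con 0", [])       # 'show run' prints the console line as 'line con 0'
    if "logging synchronous" not in con:
        fails.append("line con 0: logging synchronous missing")
    if not any(c.startswith("login") for c in con):
        fails.append("line con 0: no login, console is unprotected")

    vty_blocks = [k for k in top if k.startswith("line vty")]
    if not vty_blocks:
        fails.append("no vty lines configured")
    for name in vty_blocks:
        children = sections[name]
        if not any(c.startswith("login") for c in children):
            fails.append(f"{name}: no login, remote access is unauthenticated")
        if "transport input ssh" not in children:
            fails.append(f"{name}: transport input is not SSH-only (Telnet may be allowed)")
    return fails


# Constructed: roughly what a box looks like after only 'hostname' and 'enable password'.
WEAK_CONFIG = """\
hostname Switch
!
enable password cisco
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
"""

# Constructed: the baseline this guide builds. The hash is a placeholder, not a real one.
HARDENED_CONFIG = """\
hostname UK-SW01-T
service password-encryption
no ip domain-lookup
ip domain-name example.local
enable secret 5 $1$salt$constructedplaceholderhash00
username admin secret 5 $1$salt$constructedplaceholderhash00
banner motd ^C
If you are not authorized to be using this equipment, please disconnect immediately.
^C
line con 0
 password 7 0822455D0A16
 logging synchronous
 login
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {check_baseline(cfg) or ['OK']}")
```

Paste the output of "show running-config" from a real device into a file and feed it to check_baseline to get the same list of gaps; the parser only relies on the one-space indentation IOS uses for sub-mode commands, so it works on router and switch configs alike.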