When connectivity within a network springs to mind, most of us think of routers first. That isn’t wrong, but switches are what let all of the devices on a network communicate with each other successfully.
A switch forwards traffic between the devices on a local network, delivering each frame to the port where its destination lives. Cisco is among the best-known switch vendors, and today we’ll look at how to configure a Cisco switch properly over the command line using PuTTY.
Before you start configuring your Cisco switch, you’ll need to know your hardware a bit better. Installing PuTTY (or another terminal emulator) on the machine you will manage the switch from is the first step.
Next, find out exactly what hardware you are working with: the model and software version of the switch determine which commands and defaults apply. Inspect the physical state of the device and its cables for damage, then power the switch on and confirm that the status LEDs behave normally.
Once you know the model and have confirmed that the device works, it’s time to start configuring. We will use the command-line interface, with PuTTY serving as our serial console and, later, as our SSH/Telnet client. PuTTY itself is optional: most terminal emulators can do the same job, so don’t worry if it isn’t available to you.
Connecting The Switch To PuTTY
To get us started with configuring the Cisco switch, you’ll need to connect it to PuTTY. This can be done by following these steps:
- First, connect the switch’s console port to your computer. Cisco switches ship with a console cable (RJ-45 rollover to DB-9 serial); if your computer has no serial port, use a USB-to-serial adapter or the switch’s USB console port
- Open PuTTY; this shows the PuTTY Configuration window
- Under “Connection type”, select “Serial”
- In the “Category” list on your left, pick “Connection” and then “Serial”
- In “Serial line to connect to”, enter the COM port your console cable appears as (on Windows, Device Manager lists it under “Ports (COM & LPT)”)
- In “Speed (baud)”, enter the console speed of your switch. Cisco Catalyst switches default to 9600; Cisco Small Business 300 and 500 series switches default to 115200. If you only see garbage characters after connecting, the speed is wrong
- Type “8” into the “Data bits” box
- Type “1” into the “Stop bits” box
- Set the “Parity” drop-down menu to “None”
- Set the “Flow control” drop-down menu to “None”
- Click “Open” to start the console session, or save the session first as described next
For PuTTY to keep these settings for the next session, you should:
- Click “Session” in the Category list on your left
- In the “Saved Sessions” box, type a name for these settings, such as WebServerTalk
- Press “Save”
- Now the “Open” button opens the console session; press Enter and the switch’s console prompt appears
Getting Into Privileged EXEC Mode And Setting Up A Hostname For Your Switch
First, enter the “enable” command to get into privileged EXEC mode. No password is needed yet, because the default configuration doesn’t set one (which is exactly why the next steps matter).
Next, enter global configuration mode and give the switch a hostname. This makes it much easier to identify on the network, and the hostname also appears in the prompts that follow:
```
Switch> enable
Switch# configure terminal
Switch(config)# hostname access-switch1
access-switch1(config)#
```
Give The Switch A Password
Once your switch has a hostname, set a password for privileged EXEC mode so that you control who can change the configuration. Use enable secret rather than the older enable password: the secret is stored as a hash, whereas enable password is stored in clear text or in the reversible type 7 encoding. To create the administrator password, type:
```
access-switch1(config)# enable secret W3BS3RV3RTALK
```
Choose the password carefully: make it long, unique to this device and not something that can be guessed. The value above is only a placeholder.
Set Up Console Access And Telnet Passwords
Next, set the passwords for console and VTY (Telnet/SSH) access. Without them, anyone with a console cable or network access to the switch can log in, and a switch under an attacker’s control puts the whole network at risk. Two caveats: Telnet sends the password in clear text across the network, and a line password is a shared secret stored in the configuration. Treat this as the baseline; SSH with individual user accounts (login local) is the stronger choice where your switch supports it. Set the password before “login”, because “login” tells the line to prompt for the line password and a line with “login” but no password refuses every connection. You can use these commands to set the passwords:
```
access-switch1(config)# line vty 0 15
access-switch1(config-line)# password W3BS3RV3RTALK
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
```
```
access-switch1(config)# line console 0
access-switch1(config-line)# password W3BS3RV3RTALK
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#
```
Deciding What IPs Will Have Telnet Access
Next, decide which IP addresses are allowed to open a Telnet (or SSH) session to the switch and list them in a standard ACL. Type the following, replacing [IP Here] with each host or network you want to permit. A standard ACL ends with an implicit deny, so every address not listed is blocked:
```
access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit [IP Here]
access-switch1(config-std-nacl)# permit [IP Here]
access-switch1(config-std-nacl)# exit
```
The ACL (access control list) does nothing on its own; it has to be bound to the VTY (virtual terminal) lines with access-class, which is what restricts remote management of the switch to the administrator’s addresses. All you need to do is type:
```
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#
```
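The settings above are easy to leave half-finished: a line with a password but no login, a VTY block with no access-class, Telnet still accepted. The following script is an added example, not code from the original article or from Cisco, that audits an IOS running-config excerpt for exactly those gaps. Both configs embedded in it are constructed for the example: WEAK_CONFIG mirrors the line-password approach above with service password-encryption turned on, and HARDENED_CONFIG adds settings the article does not cover (a local user created with username ... secret, login local, transport input ssh, ip ssh version 2, exec-timeout); the ACL name MGMT-ACCESS and the addresses are likewise assumptions. The script also decodes type 7 strings to show why service password-encryption is no substitute for enable secret: the encoding is reversible with a fixed, well-known key.

```python
"""Audit a Cisco IOS running-config excerpt for the access-control gaps discussed above.

Constructed example: the configs below are made up for this demonstration, not
taken from a real device.
"""
import re

# Fixed key Cisco uses for 'password 7' strings (the type 7 encoding is reversible by design).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# WEAK: the article's line-password approach with 'service password-encryption' turned on.
WEAK_CONFIG = """\
hostname access-switch1
service password-encryption
enable password 7 0822455D0A16
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 15
 password 7 0822455D0A16
 login
!
"""

# HARDENED: hashed enable secret, per-user accounts, ACL-restricted SSH-only VTY lines.
# (username / login local / transport input ssh / ip ssh version 2 are additions to the article.)
HARDENED_CONFIG = """\
hostname access-switch1
enable secret W3BS3RV3RTALK
username netadmin privilege 15 secret W3BS3RV3RTALK
ip ssh version 2
ip access-list standard MGMT-ACCESS
 permit 10.10.10.0 0.0.0.255
!
line con 0
 login local
 exec-timeout 10 0
line vty 0 15
 access-class MGMT-ACCESS in
 login local
 transport input ssh
 exec-timeout 10 0
!
"""


def decode_type7(encoded):
    """Reverse a type 7 string: two decimal digits give the key offset, the rest is the
    password as hex, XORed byte-by-byte with the fixed key starting at that offset."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(data))


def parse_blocks(config):
    """Group the config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a list of (scope, finding) for the weaknesses the hardening steps address."""
    findings = []
    blocks = parse_blocks(config)
    top = [header for header, _ in blocks]
    acls = {h.split()[-1] for h in top if h.startswith("ip access-list ")}
    if not any(h.startswith("enable secret ") for h in top):
        findings.append(("global", "no 'enable secret'; 'enable password' is clear-text or reversible type 7"))
    for header, sub in blocks:
        if not header.startswith("line "):
            continue
        for cmd in sub:
            m = re.match(r"password(?: (\d))? (\S+)$", cmd)
            if m:
                ptype, value = m.group(1) or "0", m.group(2)
                if ptype == "7":
                    findings.append((header, f"type 7 line password is reversible: {decode_type7(value)!r}"))
                elif ptype == "0":
                    findings.append((header, "line password stored in clear text"))
        if not any(c == "login" or c.startswith("login ") for c in sub):
            findings.append((header, "no 'login'; the line never asks for credentials"))
        if header.startswith("line vty"):
            bound = [c.split()[1] for c in sub if c.startswith("access-class ") and c.endswith(" in")]
            if not bound:
                findings.append((header, "no inbound 'access-class'; any source address may connect"))
            elif bound[0] not in acls:
                findings.append((header, f"access-class refers to ACL {bound[0]!r}, which is not defined"))
            if "transport input ssh" not in sub:
                findings.append((header, "no 'transport input ssh'; clear-text Telnet logins are not ruled out"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK_CONFIG), ("HARDENED", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run it against the text of show running-config saved from your own switch: audit() returns no findings for HARDENED_CONFIG and five for WEAK_CONFIG, including the console password recovered from its type 7 form.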
Setting Up Network Management Infrastructure
Now we’ll configure the management IP address. A Layer 2 switch forwards traffic without any IP address of its own, which is why you cannot reach a factory-default switch with Telnet or SSH. The remedy is to give a VLAN interface (the switch virtual interface, or SVI) an address. We use VLAN 1 here, the default VLAN every port belongs to out of the box; on a production network a dedicated management VLAN is preferable, so that user ports do not share a broadcast domain with the management address. Type the following, replacing [IP Here] and [Mask Here] with your address and subnet mask (the interface is shut down by default, so bring it up as well):
```
access-switch1(config)# interface vlan1
access-switch1(config-if)# ip address [IP Here] [Mask Here]
access-switch1(config-if)# no shutdown
access-switch1(config-if)# exit
access-switch1(config)#
```
The management address now lives on VLAN 1, and other devices can use it to reach the switch.
Pick A Default Gateway For Your Switch
Next, set a default gateway: the address of the router the switch sends management traffic to when the destination lies outside its own subnet. Without it the switch can answer devices on VLAN 1’s subnet but cannot reach, or be reached from, any other network. To set the default gateway, run:
```
access-switch1(config)# ip default-gateway [IP Here]
```
Disable All Unused Open Ports
It is accepted practice to shut down any switch ports that are not in use. An active, unconfigured port lets anyone who can reach a wall jack or a patch panel plug into your network, so disabling unused ports removes entry points and makes the switch harder to abuse. Note that these are physical interfaces, not TCP or UDP ports. Enter the range of interfaces you want to shut down, replacing x-y with your interface numbers (for example 0/25-48) and using gigabitethernet instead of fastethernet on gigabit models:
```
access-switch1(config)# interface range fastethernet 0/x-y
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#
```
Saving Your Settings
When you’re done configuring the switch, save the running configuration to the startup configuration; otherwise your changes are lost at the next reload. All you need to do is run:
```
access-switch1(config)# exit
access-switch1# write memory
```
“wr” is the usual shorthand for write memory, and copy running-config startup-config does the same thing. Every time you close the command-line interface, remember to save your settings first.
You Can Set Up NetFlow To Manage Your Switch
Optionally, you can configure NetFlow so that a network traffic analyzer can see which conversations cross the switch. Many Cisco Catalyst switches support Flexible NetFlow; check that your model and software version do. Once the feature is available, it takes three steps: a flow record, a flow exporter, and a flow monitor that ties the two together and is applied to interfaces.
Before we begin, enter global configuration mode with the command:
```
Switch# configure terminal
```
1. Make A Flow Record
The first step is to create a flow record, which defines the key fields that identify a flow (match) and the counters stored with each flow (collect). Create it with:
```
Switch(config)# flow record WebServerTalkrecord
```
Once you’ve entered that command, define the key fields: IPv4 source and destination address, protocol, ToS, transport source and destination port, and input interface:
```
Switch(config-flow-record)# match ipv4 source address
Switch(config-flow-record)# match ipv4 destination address
Switch(config-flow-record)# match ipv4 protocol
Switch(config-flow-record)# match ipv4 tos
Switch(config-flow-record)# match transport source-port
Switch(config-flow-record)# match transport destination-port
Switch(config-flow-record)# match interface input
```
To finish the record and define the data collected for each flow (output interface, byte and packet counters, and the timestamps of the first and last packet), run:
```
Switch(config-flow-record)# collect interface output
Switch(config-flow-record)# collect counter bytes
Switch(config-flow-record)# collect counter packets
Switch(config-flow-record)# collect timestamp sys-uptime first
Switch(config-flow-record)# collect timestamp sys-uptime last
Switch(config-flow-record)# exit
```
2. Make The Flow Exporter
Next, create a flow exporter, which describes where and how the flow data is sent to your external network analyzer (the collector). First, name it:
```
Switch(config)# flow exporter WebServerTalkexport
```
Now enter the IP of your collector:
```
Switch(config-flow-exporter)# destination [IP Here]
```
Set the interface whose address the exported packets are sent from:
```
Switch(config-flow-exporter)# source GigabitEthernet 0/2
```
Set the UDP port the collector listens on (2055 is the conventional NetFlow port):
```
Switch(config-flow-exporter)# transport udp 2055
```
Choose the export format:
```
Switch(config-flow-exporter)# export-protocol netflow-v9
```
NetFlow v9 data can only be decoded with the template that describes it, so have the switch resend its templates regularly (here every 59 seconds); that way a collector that starts late or misses a packet is never left with data it cannot interpret:
```
Switch(config-flow-exporter)# template data timeout 59
Switch(config-flow-exporter)# exit
```
3. Make A Flow Monitor
With the exporter configured, create the flow monitor:
```
Switch(config)# flow monitor WebServerTalkmonitor
```
Now associate the monitor with the flow record and the exporter:
```
Switch(config-flow-monitor)# record WebServerTalkrecord
Switch(config-flow-monitor)# exporter WebServerTalkexport
```
So that long-running flows are reported about once a minute rather than only when they end, and idle flows are flushed promptly, set the cache timeouts and then leave monitor configuration:
```
Switch(config-flow-monitor)# cache timeout active 59
Switch(config-flow-monitor)# cache timeout inactive 14
Switch(config-flow-monitor)# exit
```
Next, apply the monitor to every interface that should collect NetFlow data. Assuming an Ethernet interface, enter:
```
Switch(config)# interface GigabitEthernet 0/1
```
Applying the monitor with input collects the traffic entering that interface:
```
Switch(config-if)# ip flow monitor WebServerTalkmonitor input
```
To collect both directions on an interface, apply the monitor for input and for output:
```
Switch(config-if)# ip flow monitor WebServerTalkmonitor input
Switch(config-if)# ip flow monitor WebServerTalkmonitor output
```
Next, exit configuration mode:
```
Switch(config-if)# end
Switch#
```
Finally, save your settings, and you’re done!
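The exporter above sends NetFlow v9 to the collector over UDP port 2055, and the template data timeout matters because v9 is self-describing: a data flowset can only be decoded with the template the switch sent earlier. The following script is an added example, not code from the article or from Cisco, that builds a minimal v9 export carrying the fields of the flow record above and parses it the way a collector does, keeping templates across packets and flagging data that arrives before its template. The packet and the flow inside it are constructed for the example (the addresses, interface indexes and counters are made up); the field type IDs follow RFC 3954.

```python
"""Build and parse a minimal NetFlow v9 export.

Constructed example: the flow and packet below are made up, not captured from a switch.
"""
import socket
import struct

# NetFlow v9 field type IDs and lengths (RFC 3954, section 8) for the fields the
# flow record above matches and collects.  This order becomes the template order.
FIELDS = [
    ("ipv4_src_addr", 8, 4), ("ipv4_dst_addr", 12, 4), ("protocol", 4, 1),
    ("l4_src_port", 7, 2), ("l4_dst_port", 11, 2), ("src_tos", 5, 1),
    ("input_snmp", 10, 2), ("output_snmp", 14, 2), ("in_bytes", 1, 4),
    ("in_pkts", 2, 4), ("first_switched", 22, 4), ("last_switched", 21, 4),
]
TYPE_NAME = {ftype: name for name, ftype, _ in FIELDS}
IPV4_TYPES = {8, 12}

# Constructed sample flow: one TCP session to a web server through the switch.
SAMPLE_FLOW = {
    "ipv4_src_addr": "10.0.0.5", "ipv4_dst_addr": "10.0.0.20", "protocol": 6,
    "l4_src_port": 51234, "l4_dst_port": 443, "src_tos": 0,
    "input_snmp": 1, "output_snmp": 2, "in_bytes": 4200, "in_pkts": 12,
    "first_switched": 50000, "last_switched": 59000,
}


def build_packet(template_id, flows, include_template=True, seq=1, source_id=0):
    """Serialise flows as one v9 export: header, optional template flowset, data flowset."""
    flowsets = b""
    if include_template:
        body = struct.pack("!HH", template_id, len(FIELDS))
        body += b"".join(struct.pack("!HH", ftype, flen) for _, ftype, flen in FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body      # flowset id 0 = template
    records = b""
    for flow in flows:
        for name, ftype, flen in FIELDS:
            value = flow[name]
            records += socket.inet_aton(value) if ftype in IPV4_TYPES else value.to_bytes(flen, "big")
    pad = (-len(records)) % 4                                          # flowsets are 4-byte aligned
    flowsets += struct.pack("!HH", template_id, 4 + len(records) + pad) + records + b"\0" * pad
    # count = template records + data records; sys_uptime and unix_secs are constructed values
    count = int(include_template) + len(flows)
    header = struct.pack("!HHIIII", 9, count, 60000, 1700000000, seq, source_id)
    return header + flowsets


def parse_packet(packet, templates=None):
    """Decode a v9 export.  `templates` persists template_id -> field list across packets,
    as a collector must, because a data flowset is undecodable without its template."""
    templates = {} if templates is None else templates
    version, count, uptime, unix_secs, seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, offset)
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed flowset length")        # never read past the datagram
        body = packet[offset + 4: offset + fs_len]
        if fs_id == 0:                                           # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                                       # data flowset, id = template id
            fields = templates.get(fs_id)
            if not fields:
                flows.append({"template_id": fs_id, "undecodable": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):     # trailing padding is < rec_len
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        pos += flen
                        name = TYPE_NAME.get(ftype, f"type_{ftype}")
                        rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_TYPES else int.from_bytes(raw, "big")
                    flows.append(rec)
        offset += fs_len
    return {"sequence": seq, "source_id": source_id, "uptime_ms": uptime, "flows": flows}


if __name__ == "__main__":
    cache = {}
    print(parse_packet(build_packet(256, [SAMPLE_FLOW]), cache))
    print(parse_packet(build_packet(256, [SAMPLE_FLOW], include_template=False), cache))
    print(parse_packet(build_packet(256, [SAMPLE_FLOW], include_template=False)))
```

parse_packet() returns the decoded flows. Feeding it a data-only packet with an empty template cache yields an undecodable marker instead of a flow, which is exactly the situation a short template data timeout prevents on a real collector: the next template refresh fills the cache and later data flowsets decode normally.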
Security of Your Cisco Switch
Simple measures such as setting passwords and writing ACLs for who can and cannot reach a switch go a long way, but incorrect or merely incomplete configurations are a well-known weak point that attackers look for.
Once you’ve configured your Cisco switch, commit to monitoring its status regularly. If a switch develops serious performance issues, they will likely cascade onto your users.
As a rule of thumb, use a network monitoring tool or network analyzer to keep track of how your switches are performing without having to be on-premises. Taking the time to configure strong passwords on your switches buys you some peace of mind, but it is not the end of the job.
Remember that a Cisco switch forwards traffic out of the box without any configuration, but it does so with no passwords, no management address and every port enabled. The steps above are about securing and managing it, and about tuning parameters where the defaults do not suit your network.
Configuring your Cisco switches can seem like a laborious and menial task; it is anything but. Proper security on your switches makes a real difference to the effectiveness of your cybersecurity measures as a whole.
A monitoring tool also helps immensely. Attackers often target network infrastructure early, so if you can see an attack in progress on a switch you may get the jump on it and avoid serious losses.
Outside of cybersecurity, properly configured switches help your network operate more efficiently, which in turn saves you money. This seemingly small task can have a positive knock-on effect across your whole network.
What is your favorite vendor for switches?
Do you think there are enough benefits for manually configuring switches?
Let us know in the comments below!