Catalyst 2960 Configuration

Posted on 2011-09-05
Last Modified: 2012-06-21
Hi All,
Hopefully some easy points for Cisco experts ;)
I'm configuring my first Catalyst 2960-S. The switch will be used in a small branch office (less than 10 users). I need some feedback to check that what I've done is correct and that I haven't missed anything. Here are the steps that I've completed to configure the switch and some questions I have.

Cisco Catalyst 2960-S Configuration

Switch details
Cisco WS-C2960S-24TS-L
LAN Base image
Product ID: WS-C2960S-24TS-L
Software: 12.2(55)SE3

Connect to switch USB console port using Hyper Terminal

Enter initial configuration dialog

Enter basic management setup

Host name

Set enable secret password
Set enable password
Set virtual terminal (telnet) password

Configure SNMP
Set SNMP Community string (public)

Make all 3 passwords & snmp community different
Update password listing

Enter interface name used to connect to the management network from the above interface summary
Is vlan1 used for switch management? Are all ports in vlan 1?

Configuring interface vlan1: Configure IP on this interface?
IP address for this interface
Subnet mask for this interface
Update ip address listing

Enable as a cluster command switch

Save this configuration to nvram and exit

Web Management Interface
Connect switch to LAN
Login to switch web management interface e.g.
use the enable secret password and leave the username blank
How do you change the web username?

Check for IOS software updates
Web Interface - Software Upgrade
Updated software to IOS Software-12.2.58-SE2
What about IOS release 15? should I use that rather than 12.x?


Set the Date & Time
set the time zone
configure terminal
clock timezone UTC +12
Setting the System Clock
from enable mode
clock set 15:10:00 06 September 2011

Set the Agent Contact and Location Information
configure terminal
snmp-server contact My Company IT Department
snmp-server location SomeOffice

Configure telnet username & password
Configure terminal
username Admin password ******
line vty 0 15
login local
Test telnet

How do I correctly set the enable, telnet & web usernames & passwords?
Question by: dee_nz

Expert Comment

ID: 36486694
Everything seems to be OK. I would just change the SNMP community string to something other than the default "public".

Author Comment

ID: 36487134
Yes, I have set the community string to something else - it is not public. I didn't make that clear in my question.
Can you please also answer these questions for me?
Is vlan1 used for switch management? Are all ports in vlan 1?
What about IOS release 15? should I use that rather than 12.x?
How do I correctly set the enable secret, telnet & web usernames & passwords?

Accepted Solution

fgasimzade earned 1200 total points
ID: 36487554
You can use any vlan for switch management, vlan1 as well. There are no specific requirements for this.

If you have only one vlan in your network, then yes, all ports should be in vlan 1

A higher release number means a newer version of IOS. You can check the differences between IOS versions in the Cisco Feature Navigator on cisco.com.

To set enable secret, telnet to the switch and issue

conf t
enable secret password

For telnet:

conf t
line vty 0 15
password password

To create a username and password issue
conf t
username username privilege 15 password password

If you want to use this combination for telnet

conf t
line vty 0 15
login local



Assisted Solution

Marius Gunnerud earned 400 total points
ID: 36487937
You seem to be looking for best security practices(?) so I will write this from that perspective.

All ports are in VLAN 1 by default; however, it is not a good security practice to have VLAN 1 as the management VLAN. In fact the management VLAN, in a perfect world, should be completely separate from the rest of the network. This is of course depending on your company's security policies and how strict they are.

Telnet is never a good management tool to use, as everything is sent in clear text. Instead, disable telnet and enable SSH. To do that, issue the following commands.

conf t
ip domain-name domain.com
username NAME secret PASSWORD

crypto key generate rsa
How many bits in the modulus [512]: 1024 (I would recommend 1024 but the default is fine also)
line vty 0 15
login local
transport input none
transport input ssh

To set the password for the SDM, issue the following in global configuration mode:

ip http authentication local

This will use the local database for authentication when using the SDM, ASDM, CCP (the name varies but it is basically the same thing, a GUI to configure the device). If you want to use a different username and password, all you need to do is create a new user in the local database of the switch.

Other things to consider:
configure port security, enable BPDU guard, configure all non-trunk ports as access ports, shutdown all unused ports, use ACL to restrict access to SSH.
There are a few other things too to consider but I would say these are among the main ones to start with.

Assisted Solution

StrifeJester earned 200 total points
ID: 36488725
Also, though, if this has the LAN base image he may not have a choice as to where management goes. You could disable the IP address and only use console access to it, but with a lot of these switches, and without doing router on a stick, you are forced to use the default vlan or change it to a different number, which is what I do. Leave all of the ports in VLAN 1 except for the ones you are using and then use something like vlan107 for your access. That way anything that randomly gets plugged in is isolated.

If the 2960-S supports Layer 3 services I apologize and you can disregard, I haven't had my coffee yet.

But not using the default vlan is still a good idea no matter what.

Assisted Solution

kevinhsieh earned 200 total points
ID: 36489736
I would look through the configuration for any line that says "password 7 xxxxxxxxxxx". The password 'encryption' is easily reversible and isn't secure. Any line with "secret" is secure. You should be able to remove from the configuration all lines that include "password", such as by running "no enable password" through the CLI.
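The checks from the answers above (type 7 passwords, a plain enable password, the default SNMP community, telnet on the vty lines, the web interface without local authentication) written as a small config audit. This is an added example, not code from any poster or from Cisco; the two running-config fragments, the usernames, the community string and the hash/type 7 values are constructed placeholders.

```python
import re
from itertools import takewhile

# Constructed sample of a 2960-S running-config with the weak settings this
# thread warns about. The type 7 strings are placeholders, not real credentials.
WEAK_CONFIG = """\
enable password 7 0822455D0A16
username Admin password 7 094F471A1A0A
snmp-server community public RO
ip http server
line vty 0 15
 login
 transport input telnet
"""

# Constructed hardened counterpart following the answers above
# (secret instead of password, non-default community, SSH only, local HTTP auth).
HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$notarealhash
username Admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
snmp-server community Br4nch-R0-Str1ng RO
ip http server
ip http authentication local
line vty 0 15
 login local
 transport input ssh
"""

def vty_lines(lines):
    """Indented sub-commands under the first 'line vty' stanza ([] if none)."""
    start = next((i + 1 for i, l in enumerate(lines) if l.startswith("line vty")), len(lines))
    return [l.strip() for l in takewhile(lambda l: l.startswith(" "), lines[start:])]

def audit(config):
    """Return one finding per weak setting discussed in the thread."""
    lines = config.splitlines()
    vty = vty_lines(lines)
    findings = []
    if re.search(r"\bpassword 7 \S+", config):
        findings.append("type 7 password present: reversible, replace with 'secret'")
    if re.search(r"^enable password\b", config, re.M):
        findings.append("'enable password' set: use 'enable secret' and 'no enable password'")
    if re.search(r"^snmp-server community (public|private)\b", config, re.M):
        findings.append("default SNMP community string in use")
    if "transport input ssh" not in vty:
        findings.append("vty lines not restricted to SSH (telnet is clear text)")
    if "login local" not in vty:
        findings.append("vty lines not using the local user database ('login local')")
    if "ip http server" in lines and "ip http authentication local" not in lines:
        findings.append("web interface enabled without 'ip http authentication local'")
    return findings
```

Running `audit(WEAK_CONFIG)` returns six findings and `audit(HARDENED_CONFIG)` returns none; the same function can be pointed at the output of `show running-config` saved to a file.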

Author Comment

ID: 36520157
Hi All,
Thanks for your comments. I have been reading the manual :) and have now got the basic switch config done, thanks for pointing me in the right direction. Also appreciate your feedback about some of the security options so will have a look at that too.

Author Closing Comment

ID: 36520164
Thanks for your help :)
