Catalyst 2960 Configuration

Posted on 2011-09-05
Medium Priority
Last Modified: 2012-06-21
Hi All,
Hopefully some easy points for Cisco experts ;)
I'm configuring my first Catalyst 2960-S; the switch will be used in a small branch office (less than 10 users). I need some feedback to check that what I've done is correct and that I haven't missed anything. Here are the steps that I've completed to configure the switch and some questions I have:

Cisco Catalyst 2960-S Configuration

Switch details
Cisco WS-C2960S-24TS-L
LAN Base image
Product ID: WS-C2960S-24TS-L
Software: 12.2(55)SE3

Connect to switch USB console port using Hyper Terminal

Enter initial configuration dialog

Enter basic management setup

Host name

Set enable secret password
Set enable password
Set virtual terminal (telnet) password

Configure SNMP
Set SNMP Community string (public)

Make all 3 passwords & snmp community different
Update password listing

Enter interface name used to connect to the management network from the above interface summary
Is vlan1 used for switch management? Are all ports in vlan 1?

Configuring interface vlan1: Configure IP on this interface?
IP address for this interface
Subnet mask for this interface
Update ip address listing

Enable as a cluster command switch

Save this configuration to NVRAM and exit

Web Management Interface
Connect switch to LAN
Login to switch web management interface e.g.
use the enable secret password and leave the username blank
How do you change the web username?

Check for IOS software updates
Web Interface - Software Upgrade
Updated software to IOS Software-12.2.58-SE2
What about IOS release 15? Should I use that rather than 12.x?


Set the Date & Time
set the time zone
configure terminal
clock timezone UTC +12
Setting the System Clock
from enable mode
clock set 15:10:00 06 September 2011

Set the Agent Contact and Location Information
configure terminal
snmp-server contact My Company IT Department
snmp-server location SomeOffice

Configure telnet username & password
Configure terminal
username Admin password ******
line vty 0 15
login local
Test telnet

How do I correctly set the enable, telnet & web usernames & passwords?
Question by:dee_nz
LVL 18

Expert Comment

ID: 36486694
Everything seems to be OK, I would just change SNMP community string to something different than default "public".

Author Comment

ID: 36487134
Yes, I have set the community string to something else - it is not public. I didn't make that clear in my question.
Can you please also answer these questions for me?
Is vlan1 used for switch management? Are all ports in vlan 1?
What about IOS release 15? Should I use that rather than 12.x?
How do I correctly set the enable secret, telnet & web usernames & passwords?
LVL 18

Accepted Solution

fgasimzade earned 1200 total points
ID: 36487554
You can use any vlan for switch management, vlan1 as well. There are no specific requirements for this.

If you have only one vlan in your network, then yes, all ports should be in vlan 1.

A higher release means a newer version of IOS. You can check the differences between IOS releases in the Cisco Feature Navigator on cisco.com.

To set enable secret, telnet to the switch and issue

conf t
enable secret password

For telnet:

conf t
line vty 0 15
password password

To create a username and password issue
conf t
username username privilege 15 password password

If you want to use this combination for telnet

conf t
line vty 0 15
login local


LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 400 total points
ID: 36487937
You seem to be looking for best security practices(?) so I will write this from that perspective.

All ports are in VLAN 1 by default; however, it is not a good security practice to have VLAN 1 as a management VLAN. In fact the management VLAN, in a perfect world, should be completely separate from the rest of the network. This is of course depending on your company's security policies and how strict they are.

Telnet is never a good management tool to use, as everything is sent in clear text. Instead, disable telnet and enable SSH. To do that, issue the following commands.

conf t
ip domain-name domain.com
username NAME secret PASSWORD

crypto key generate rsa
How many bits in the modulus [512]: 1024 (I would recommend 1024 but the default is fine also)
line vty 0 15
login local
transport input none
transport input ssh

To set the password for the SDM, issue the following in global configuration mode:

ip http authentication local

This will use the local database for authentication when using the SDM, ASDM, CCP (the name varies but is basically the same thing, a GUI to configure the device). If you want to use a different username and password, all you need to do is create a new user in the local database of the switch.

Other things to consider:
configure port security, enable BPDU guard, configure all non-trunk ports as access ports, shut down all unused ports, use an ACL to restrict access to SSH.
There are a few other things to consider too, but I would say these are among the main ones to start with.
LVL 17

Assisted Solution

StrifeJester earned 200 total points
ID: 36488725
Also, though, if this has the LAN Base image he may not have a choice as to where management goes. You could disable the IP address and only use console access to it, but with a lot of these switches, and without doing router on a stick, you are forced to use the default vlan or change it to a different number, which is what I do. Leave all of the ports in VLAN 1 except for the ones you are using and then use something like vlan107 for your access. That way anything that randomly gets plugged in is isolated.

If the 2960-S supports Layer 3 services I apologize and you can disregard, I haven't had my coffee yet.

But not using the default vlan is still a good idea no matter what.
LVL 42

Assisted Solution

kevinhsieh earned 200 total points
ID: 36489736
I would look through the configuration for any line that says "password 7 xxxxxxxxxxx". The password 'encryption' is easily reversible and isn't secure. Any line with "secret" is secure. You should be able to remove from the configuration all lines that include password, such as by running "no enable password" through the CLI.
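The two hardening answers above (Marius Gunnerud's SSH-only, local-auth, port-security list and kevinhsieh's point about reversible "password 7" lines) can be turned into a repeatable check rather than a manual read-through. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a saved IOS running-config and flags the settings those posts warn about, run over a constructed weak config and a constructed hardened one. The configs, interface names, VLAN 107 and every hash or type-7 string are placeholders made up for the example.

```python
"""Audit a Cisco IOS switch config for the weaknesses raised in this thread.
Added example; both sample configs are constructed, and every hash or
type-7 string in them is a placeholder rather than a real credential."""
import re

WEAK_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password 7 0000CONSTRUCTED1
username Admin privilege 15 password 7 0000CONSTRUCTED2
snmp-server community public RO
ip http server
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet1/0/2
 switchport mode access
!
line vty 0 15
 password 7 0000CONSTRUCTED3
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
username Admin privilege 15 secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
ip domain-name domain.com
snmp-server community C0nstructedR0String RO
ip http server
ip http authentication local
!
interface Vlan107
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
!
line vty 0 15
 login local
 transport input ssh
"""


def parse_blocks(text):
    """Split an IOS config into top-level lines and {parent: [indented child lines]}."""
    top, blocks, cur = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            cur = None                      # '!' separates configuration blocks
        elif raw[0].isspace():
            if cur is not None:
                blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            top.append(cur)
            blocks[cur] = []
    return top, blocks


def audit_config(text):
    """Return (code, where) findings; an empty list means no check fired."""
    top, blocks = parse_blocks(text)
    out = []
    # Type 7 is reversible obfuscation, not a hash: each such line should use 'secret'.
    for line in top + [c for kids in blocks.values() for c in kids]:
        if re.search(r"\bpassword 7 \S+", line):
            out.append(("TYPE7_PASSWORD", line))
    # 'enable password' is superseded by 'enable secret'; drop it with 'no enable password'.
    if any(l.startswith("enable password") for l in top):
        out.append(("ENABLE_PASSWORD_PRESENT", "enable password"))
    for line in top:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            out.append(("DEFAULT_SNMP_COMMUNITY", line))
    if any(c.startswith("ip address") for c in blocks.get("interface Vlan1", [])):
        out.append(("MGMT_ON_VLAN1", "interface Vlan1"))
    if "ip http server" in top and "ip http authentication local" not in top:
        out.append(("HTTP_NO_LOCAL_AUTH", "ip http server"))
    if not any(l.startswith("ip domain-name") for l in top):
        out.append(("NO_DOMAIN_NAME", "ip domain-name"))   # needed before RSA key generation
    for parent, kids in blocks.items():
        if parent.startswith("line vty"):
            if [k for k in kids if k.startswith("transport input")] != ["transport input ssh"]:
                out.append(("VTY_NOT_SSH_ONLY", parent))
            if "login local" not in kids:
                out.append(("VTY_NO_LOGIN_LOCAL", parent))
        # Live access ports should carry port security and BPDU guard.
        if parent.startswith("interface ") and "shutdown" not in kids \
                and "switchport mode access" in kids:
            for needed, code in (("switchport port-security", "NO_PORT_SECURITY"),
                                 ("spanning-tree bpduguard enable", "NO_BPDU_GUARD")):
                if needed not in kids:
                    out.append((code, parent))
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for code, where in findings:
            print(f"  {code:24} {where}")
```

Feed it the output of `show running-config` saved to a file and it reports one line per issue; the hardened sample produces no findings because it replaces every `password 7` with `secret`, moves the management address off VLAN 1, restricts the vty lines to `transport input ssh`, and adds `ip http authentication local` alongside `ip http server`. The checks are deliberately literal string matches on the config text, so a setting written in a non-default form may need an extra pattern.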

Author Comment

ID: 36520157
Hi All,
Thanks for your comments. I have been reading the manual :) and have now got the basic switch config done; thanks for pointing me in the right direction. I also appreciate your feedback about some of the security options, so I will have a look at that too.

Author Closing Comment

ID: 36520164
Thanks for your help :)
