Catalyst 2960 Configuration

Hi All,
Hopefully some easy points for Cisco experts ;)
I'm configuring my first Catalyst 2960-S, the switch will be used in a small branch office (less than 10 users). I need some feedback to check that what I've done is correct and that I haven't missed anything. Here are the steps that I've completed to configure the switch and some questions I have.

Cisco Catalyst 2960-S Configuration

Switch details
Cisco WS-C2960S-24TS-L
LAN Base image
Product ID: WS-C2960S-24TS-L
Software: 12.2(55)SE3

Connect to switch USB console port using HyperTerminal

Enter initial configuration dialog

Enter basic management setup

Host name

Set enable secret password
Set enable password
Set virtual terminal (telnet) password

Configure SNMP
Set SNMP Community string (public)

Make all 3 passwords & snmp community different
Update password listing

Enter interface name used to connect to the management network from the above interface summary
Is vlan1 used for switch management? Are all ports in vlan 1?

Configuring interface vlan1: Configure IP on this interface?
IP address for this interface
Subnet mask for this interface
Update ip address listing

Enable as a cluster command switch

2 Save this configuration to nvram and exit

Web Management Interface
Connect switch to LAN
Log in to switch web management interface e.g.
Use the enable secret password and leave the username blank
How do you change the web username?

Check for IOS software updates
Web Interface - Software Upgrade
Updated software to IOS Software-12.2.58-SE2
What about IOS release 15? Should I use that rather than 12.x?


Set the Date & Time
set the time zone
configure terminal
clock timezone UTC +12
Setting the System Clock
from enable mode
clock set 15:10:00 06 September 2011

Set the Agent Contact and Location Information
configure terminal
snmp-server contact My Company IT Department
snmp-server location SomeOffice

Configure telnet username & password
Configure terminal
username Admin password ******
line vty 0 15
login local
Test telnet

How do I correctly set the enable, telnet & web usernames & passwords?
fgasimzade Commented:
You can use any vlan for switch management, vlan1 as well. There are no specific requirements for this.

If you have only one vlan in your network, then yes, all ports should be in vlan 1

Higher release means newer version of IOS. You can check differences between IOS in Cisco Feature Navigator on

To set enable secret, telnet to the switch and issue

conf t
enable secret password

For telnet:

conf t
line vty 0 15
password password

To create a username and password issue
conf t
username username privilege 15 password password

If you want to use this combination for telnet

conf t
line vty 0 15
login local

Everything seems to be OK, I would just change SNMP community string to something different than default "public".
dee_nz (Author) Commented:
Yes I have set the community string to something else - it is not public. I didn't make that clear in my question.
Can you please also answer these questions for me?
Is vlan1 used for switch management? Are all ports in vlan 1?
What about IOS release 15? Should I use that rather than 12.x?
How do I correctly set the enable secret, telnet & web usernames & passwords?
Marius Gunnerud, Senior Systems Engineer, Commented:
You seem to be looking for best security practices (?) so I will write this from that perspective.

All ports are in VLAN 1 by default, however it is not a good security practice to have VLAN 1 as a management VLAN. In fact the management VLAN, in a perfect world, should be completely separate from the rest of the network. This is of course depending on your company's security policies and how strict they are.

Telnet is never a good management tool to use as everything is sent in clear text. Instead, disable telnet and enable SSH. To do that issue the following commands.

conf t
ip domain-name
username NAME secret PASSWORD

crypto key generate rsa
How many bits in the modulus [512]: 1024 (I would recommend 1024 but the default is fine also)
line vty 0 15
login local
transport input none
transport input ssh

To set the password for the SDM, issue the following in global configuration mode:
ip http authentication local
This will use the local database for authentication when using the SDM, ASDM, CCP (the name varies but is basically the same thing, a GUI to configure the device). If you want to use a different username and password all you need to do is create a new user in the local database of the switch.

Other things to consider:
configure port security, enable BPDU guard, configure all non-trunk ports as access ports, shutdown all unused ports, use ACL to restrict access to SSH.
There are a few other things too to consider but I would say these are among the main ones to start with.
Justin Ellenbecker, IT Director, Commented:
Also though if this has LAN base image he may not have a choice as to where management goes. You could disable the IP address and only use console access to it but with a lot of these switches and without doing router on a stick then you are forced to use the default vlan or change it to a different number which is what I do. Leave all of the ports in VLAN 1 except for the ones you are using and then use something like vlan107 for your access. That way anything that randomly gets plugged in is isolated.

If the 2960-S supports Layer 3 services I apologize and you can disregard, I haven't had my coffee yet.

But the not using the default vlan is still a good idea no matter what.
kevinhsieh Commented:
I would look through the configuration for any line that says "password 7 xxxxxxxxxxx". The password 'encryption' is easily reversible and isn't secure. Any line with "secret" is secure. You should be able to remove from the configuration all lines that include password, such as by running "no enable password" through the CLI.
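As an added example (not code from this thread or from Cisco), here is a small Python audit that scans a saved running-config for the weak settings the answers above call out: "enable password", reversible type 7 and plaintext passwords, the default SNMP community, telnet on the vty lines, clear-text HTTP management and a management IP on VLAN 1. The sample config, the rule names and the type 7 strings are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed 2960-S config excerpt with the weak settings this thread warns about.
SAMPLE_CONFIG = """\
hostname BRANCH-SW1
enable secret 5 $1$abcd$EXAMPLEHASHONLY
enable password 7 0EXAMPLE0
username Admin password 7 0EXAMPLE1
snmp-server community public RO
ip http server
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
line vty 0 15
 password cisco
 transport input telnet
"""

# (rule name, regex applied per line, remediation as recommended in the thread)
RULES: List[Tuple[str, str, str]] = [
    ("enable-password", r"^enable password\b",
     "use 'enable secret' and remove this with 'no enable password'"),
    ("type7-password", r"\bpassword 7 \S+",
     "type 7 encoding is reversible; re-create the user with 'secret'"),
    ("plaintext-line-password", r"^\s+password (?!7 |5 )\S+",
     "plaintext line password; use 'login local' with a 'secret' user"),
    ("default-snmp-community", r"^snmp-server community (public|private)\b",
     "default community string; change it"),
    ("telnet-enabled", r"^\s+transport input (telnet|all)\b",
     "telnet is clear text; use 'transport input ssh'"),
    ("http-cleartext", r"^ip http server\b",
     "unencrypted web UI; prefer 'ip http secure-server' with local auth"),
]
VLAN1_ADVICE = "management IP on VLAN 1; move it to a dedicated management VLAN"

def audit_config(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, advice) for each weak line found."""
    findings: List[Tuple[int, str, str]] = []
    in_vlan1 = False
    for lineno, line in enumerate(config.splitlines(), start=1):
        for name, pattern, advice in RULES:
            if re.search(pattern, line):
                findings.append((lineno, name, advice))
        # An 'ip address' inside 'interface Vlan1' is a finding; unindented lines end the block.
        if not line.startswith(" "):
            in_vlan1 = line.strip() == "interface Vlan1"
        elif in_vlan1 and line.strip().startswith("ip address"):
            findings.append((lineno, "mgmt-on-vlan1", VLAN1_ADVICE))
    return findings
```

Run it against the output of "show running-config" saved to a file; an empty result means none of the thread's weak settings were found.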
dee_nz (Author) Commented:
Hi All,
Thanks for your comments. I have been reading the manual :) and have now got the basic switch config done, thanks for pointing me in the right direction. Also appreciate your feedback about some of the security options so will have a look at that too.
dee_nz (Author) Commented:
Thanks for your help :)