Catalyst 2960 Configuration

Posted on 2011-09-05
Last Modified: 2012-06-21
Hi All,
Hopefully some easy points for Cisco experts ;)
I'm configuring my first Catalyst 2960-S, the switch will be used in a small branch office (less than 10 users). I need some feedback to check that what I've done is correct and that I haven't missed anything. Here are the steps that I've completed to configure the switch and some questions I have.

Cisco Catalyst 2960-S Configuration

Switch details
Cisco WS-C2960S-24TS-L
LAN Base image
Product ID: WS-C2960S-24TS-L
Software: 12.2(55)SE3

Connect to switch USB console port using Hyper Terminal

Enter initial configuration dialog

Enter basic management setup

Host name

Set enable secret password
Set enable password
Set virtual terminal (telnet) password

Configure SNMP
Set SNMP Community string (public)

Make all 3 passwords & snmp community different
Update password listing

Enter interface name used to connect to the management network from the above interface summary
Is vlan1 used for switch management? All ports are in vlan 1?

Configuring interface vlan1: Configure IP on this interface?
IP address for this interface
Subnet mask for this interface
Update ip address listing

Enable as a cluster command switch

2 Save this configuration to nvram and exit

Web Management Interface
Connect switch to LAN
Login to switch web management interface e.g.
use the enable secret password and leave the username blank
How do you change the web username?

Check for IOS software updates
Web Interface - Software Upgrade
Updated software to IOS Software-12.2.58-SE2
What about IOS release 15? should I use that rather than 12.x?


Set the Date & Time
set the time zone
configure terminal
clock timezone UTC +12
Setting the System Clock
from enable mode
clock set 15:10:00 06 September 2011

Set the Agent Contact and Location Information
configure terminal
snmp-server contact My Company IT Department
snmp-server location SomeOffice

Configure telnet username & password
Configure terminal
username Admin password ******
line vty 0 15
login local
Test telnet

How do I correctly set the enable, telnet & web usernames & passwords?
Question by:dee_nz
LVL 18

Expert Comment

ID: 36486694
Everything seems to be OK, I would just change SNMP community string to something different than default "public".

Author Comment

ID: 36487134
Yes I have set the community string to something else - it is not public. I didn't make that clear in my question.
Can you please also answer these questions for me?
Is vlan1 used for switch management? Are all ports in vlan 1?
What about IOS release 15? should I use that rather than 12.x?
How do I correctly set the enable secret, telnet & web usernames & passwords?
LVL 18

Accepted Solution

fgasimzade earned 300 total points
ID: 36487554
You can use any vlan for switch management, vlan1 as well. There are no specific requirements for this.

If you have only one vlan in your network, then yes, all ports should be in vlan 1

Higher release means newer version of IOS. You can check differences between IOS in Cisco Feature Navigator on

To set enable secret, telnet to the switch and issue

conf t
enable secret password

For telnet:

conf t
line vty 0 15
password password

To create a username and password issue
conf t
username username privilege 15 password password

If you want to use this combination for telnet

conf t
line vty 0 15
login local

LVL 17

Assisted Solution

MAG03 earned 100 total points
ID: 36487937
You seem to be looking for best security practices(?) so I will write this from that perspective.

All ports are in VLAN 1 by default, however it is not a good security practice to have VLAN1 as a management VLAN. In fact the management VLAN, in a perfect world, should be completely separate from the rest of the network. This is of course depending on your company's security policies and how strict they are.

Telnet is never a good management tool to use as everything is sent in clear text. Instead, disable telnet and enable SSH. To do that issue the following commands.

conf t
ip domain-name DOMAIN
username NAME secret PASSWORD

crypto key generate rsa
How many bits in the modulus [512]: 1024 (I would recommend 1024 but the default is fine also)
line vty 0 15
login local
transport input none
transport input ssh

To set the password for the SDM, issue the following in global configuration mode:
ip http authentication local
This will use the local database for authentication when using the SDM, ASDM, CCP (the name varies but is basically the same thing, a GUI to configure the device). If you want to use a different username and password all you need to do is create a new user in the local database of the switch.

Other things to consider:
configure port security, enable BPDU guard, configure all non-trunk ports as access ports, shutdown all unused ports, use ACL to restrict access to SSH.
There are a few other things too to consider but I would say these are among the main ones to start with.
LVL 17

Assisted Solution

StrifeJester earned 50 total points
ID: 36488725
Also though if this has LAN base image he may not have a choice as to where management goes.  You could disable the IP address and only use console access to it but with a lot of these switches and without doing router on a stick then you are forced to use the default vlan or change it to a different number which is what I do.  Leave all of the ports in VLAN 1 except for the ones you are using and then use something like vlan107 for your access.  That way anything that randomly gets plugged in is isolated.

If the 2960-S supports Layer 3 services I apologize and you can disregard, I haven't had my coffee yet.

But not using the default vlan is still a good idea no matter what.
LVL 42

Assisted Solution

kevinhsieh earned 50 total points
ID: 36489736
I would look through the configuration for any line that says "password 7 xxxxxxxxxxx". The password 'encryption' is easily reversible and isn't secure. Any line with "secret" is secure. You should be able to remove from the configuration all lines that include password, such as by running "no enable password" through the CLI.
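
An added example, not part of any poster's answer: a small Python audit of a saved running-config for the points raised in MAG03's answer (SSH-only vty lines, `login local`, an ACL on management access) and kevinhsieh's answer (`password` lines instead of `secret`), plus the default `public` community. The sample config, its hash and type-7 strings, and the function names are constructed for illustration.

```python
import re

# Constructed sample config for illustration; hash and type-7 strings are dummies.
SAMPLE = """\
enable password 7 0000000000
username Admin privilege 15 password 7 0000000000
username Ops secret 5 $1$dummy$dummydummydummydummy
snmp-server community public RO
line vty 0 4
 password 7 0000000000
 login
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
"""

GLOBAL_RULES = [
    (r"^enable password\b", "enable password set; keep only 'enable secret'"),
    (r"^username \S+ .*\bpassword\b", "username uses 'password', not 'secret'"),
    (r"^snmp-server community public\b", "default SNMP community 'public'"),
]

def vty_findings(v):
    checks = [(v["transport"] != ["ssh"], "vty transport is not ssh-only"),
              (not v["local"], "vty lacks 'login local'"),
              (not v["acl"], "vty has no access-class ACL"),
              (v["pw"], "vty line password set; use local users with 'secret'")]
    return [(v["no"], msg) for bad, msg in checks if bad]

def audit(config):
    """Return sorted (line_no, finding) pairs for weak management settings."""
    findings, blocks, cur = [], [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):            # top-level command ends any open block
            cur = None
            if line.startswith("line vty"):
                cur = {"no": no, "transport": [], "local": False, "acl": False, "pw": False}
                blocks.append(cur)
            findings += [(no, msg) for rx, msg in GLOBAL_RULES if re.search(rx, line)]
        elif cur is not None:                  # sub-command of the current vty block
            if line.startswith("transport input"):
                cur["transport"] = line.split()[2:]
            cur["local"] |= line == "login local"
            cur["acl"] |= line.startswith("access-class")
            cur["pw"] |= line.startswith("password")
    return sorted(findings + [f for v in blocks for f in vty_findings(v)])
```

Findings for a vty block are reported at the line number of its `line vty` header, since most of them concern commands that are missing from the block.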

Author Comment

ID: 36520157
Hi All,
Thanks for your comments. I have been reading the manual :) and have now got the basic switch config done, thanks for pointing me in the right direction. Also appreciate your feedback about some of the security options so will have a look at that too.

Author Closing Comment

ID: 36520164
Thanks for your help :)
