Solved

Catalyst 2960 Configuration

Posted on 2011-09-05
Last Modified: 2012-06-21
Hi All,
Hopefully some easy points for Cisco experts ;)
I'm configuring my first Catalyst 2960-S; the switch will be used in a small branch office (less than 10 users). I need some feedback to check that what I've done is correct and that I haven't missed anything. Here are the steps that I've completed to configure the switch and some questions I have.

Cisco Catalyst 2960-S Configuration

Switch details
Cisco WS-C2960S-24TS-L
LAN Base image
Host Name: MYSWITCH
Product ID: WS-C2960S-24TS-L
Software: 12.2(55)SE3

Configuration
Connect to switch USB console port using Hyper Terminal

Enter initial configuration dialog
Yes

Enter basic management setup
Yes

Host name
MYSWITCH

Set enable secret password
Set enable password
Set virtual terminal (telnet) password

Configure SNMP
Yes
Set SNMP Community string (public)

Make all 3 passwords & snmp community different
Update password listing

Enter interface name used to connect to the management network from the above interface summary
vlan1
Is vlan1 used for switch management? Are all ports in vlan 1?

Configuring interface vlan1: Configure IP on this interface?
yes
IP address for this interface 192.168.1.5
Subnet mask for this interface 255.255.255.0
Update ip address listing

Enable as a cluster command switch
No

Option [2]: Save this configuration to nvram and exit

Web Management Interface
Connect switch to LAN
Login to switch web management interface e.g. http://192.168.1.5
use the enable secret password and leave the username blank
How do you change the web username?

Check for IOS software updates
Web Interface - Software Upgrade
Updated software to IOS Software-12.2.58-SE2
What about IOS release 15? should I use that rather than 12.x?

Test SNMP

Set the Date & Time
set the time zone
configure terminal
clock timezone UTC +12
Setting the System Clock
from enable mode
clock set 15:10:00 06 September 2011

SNMP
Set the Agent Contact and Location Information
configure terminal
snmp-server contact My Company IT Department
snmp-server location SomeOffice

Configure telnet username & password
Configure terminal
username Admin password ******
line vty 0 15
login local
Test telnet

How do I correctly set the enable, telnet & web usernames & passwords?
Question by:dee_nz
8 Comments
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36486694
Everything seems to be OK, I would just change SNMP community string to something different than default "public".
 
LVL 4

Author Comment

by:dee_nz
ID: 36487134
Yes, I have set the community string to something else - it is not public. I didn't make that clear in my question.
Can you please also answer these questions for me?
Is vlan1 used for switch management? Are all ports in vlan 1?
What about IOS release 15? should I use that rather than 12.x?
How do I correctly set the enable secret, telnet & web usernames & passwords?
 
LVL 18

Accepted Solution

by:
fgasimzade earned 300 total points
ID: 36487554
You can use any vlan for switch management, vlan1 as well. There are no specific requirements for this.

If you have only one vlan in your network, then yes, all ports should be in vlan 1.

A higher release means a newer version of IOS. You can check the differences between IOS versions in Cisco Feature Navigator on cisco.com.

To set enable secret, telnet to the switch and issue

conf t
enable secret password

For telnet:

conf t
line vty 0 15
password password

To create a username and password issue
conf t
username username privilege 15 password password

If you want to use this combination for telnet

conf t
line vty 0 15
login local




 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 100 total points
ID: 36487937
You seem to be looking for best security practices(?) so I will write this from that perspective.

All ports are in VLAN 1 by default, however it is not a good security practice to have VLAN 1 as a management VLAN. In fact the management VLAN, in a perfect world, should be completely separate from the rest of the network. This is of course depending on your company's security policies and how strict they are.

Telnet is never a good management tool to use as everything is sent in clear text. Instead, disable telnet and enable SSH. To do that issue the following commands.

enable
conf t
ip domain-name domain.com
username NAME secret PASSWORD

crypto key generate rsa
How many bits in the modulus [512]: 1024 (I would recommend 1024 but the default is fine also)
line vty 0 15
login local
transport input none
transport input ssh

To set the password for the SDM, issue the following in global configuration mode:
ip http authentication local
This will use the local database for authentication when using the SDM, ASDM, CCP (the name varies but is basically the same thing, a GUI to configure the device). If you want to use a different username and password all you need to do is create a new user in the local database of the switch.

Other things to consider:
configure port security, enable BPDU guard, configure all non-trunk ports as access ports, shutdown all unused ports, use ACL to restrict access to SSH.
There are a few other things too to consider but I would say these are among the main ones to start with.
LVL 17

Assisted Solution

by:StrifeJester
StrifeJester earned 50 total points
ID: 36488725
Also though if this has LAN base image he may not have a choice as to where management goes. You could disable the IP address and only use console access to it but with a lot of these switches and without doing router on a stick then you are forced to use the default vlan or change it to a different number which is what I do. Leave all of the ports in VLAN 1 except for the ones you are using and then use something like vlan107 for your access. That way anything that randomly gets plugged in is isolated.

If the 2960-S supports Layer 3 services I apologize and you can disregard, I haven't had my coffee yet.

But the not using the default vlan is still a good idea no matter what.
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 50 total points
ID: 36489736
I would look through the configuration for any line that says "password 7 xxxxxxxxxxx". The password 'encryption' is easily reversible and isn't secure. Any line with "secret" is secure. You should be able to remove from the configuration all lines that include password, such as by running "no enable password" through the CLI.
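A small audit script, added here as an example and not part of the thread or of Cisco's tooling, that scans a running-config for the weak settings the comments above point out (type 7 passwords, a leftover enable password, the default SNMP community, telnet on the vty lines, the management IP on VLAN 1, and HTTP management without local authentication). The sample config, rule names and advice strings are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread) showing the weak
# settings the comments above warn about.
SAMPLE_CONFIG = """\
hostname MYSWITCH
enable secret 5 $1$EXAMPLE$placeholderhash
enable password 7 0822455D0A16
username Admin password 7 094F471A1A0A
snmp-server community public RO
ip http server
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
line vty 0 15
 password 7 121A0C041104
 login
 transport input telnet
"""

# (rule id, regex applied to each stripped line, advice); ids are our own labels
LINE_RULES = [
    ("type7-password", r"\bpassword 7 \S+", "reversible type 7 password; use 'secret'"),
    ("enable-password", r"^enable password\b", "run 'no enable password' once 'enable secret' is set"),
    ("default-snmp-community", r"^snmp-server community (public|private)\b", "default community string"),
    ("telnet-enabled", r"^transport input (telnet|all)\b", "clear-text login; use 'transport input ssh'"),
]

def audit_config(config):
    """Return a list of (line_no, rule_id, advice) for each weak setting found."""
    findings = []
    section = ""
    has_http = has_http_local = False
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):        # an unindented command opens a new section
            section = line
        for rule_id, pattern, advice in LINE_RULES:
            if re.search(pattern, line):
                findings.append((lineno, rule_id, advice))
        if section == "interface Vlan1" and line.startswith("ip address "):
            findings.append((lineno, "mgmt-on-vlan1", "management IP on default VLAN 1; use a dedicated management VLAN"))
        if section.startswith("line vty") and line == "login":
            findings.append((lineno, "vty-line-password", "line password auth; prefer 'login local' with a local user"))
        has_http = has_http or line == "ip http server"
        has_http_local = has_http_local or line == "ip http authentication local"
    if has_http and not has_http_local:   # whole-config check, reported with line 0
        findings.append((0, "http-no-local-auth", "web UI logs in with the enable password; add 'ip http authentication local'"))
    return findings

if __name__ == "__main__":
    for line_no, rule_id, advice in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no or '-'}: {rule_id}: {advice}")
```

Running it against a config that uses `enable secret`, `username ... secret`, a non-default community, `ip http authentication local`, a non-VLAN-1 management interface and `login local` / `transport input ssh` on the vty lines returns no findings.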
 
LVL 4

Author Comment

by:dee_nz
ID: 36520157
Hi All,
Thanks for your comments. I have been reading the manual :) and have now got the basic switch config done, thanks for pointing me in the right direction. Also appreciate your feedback about some of the security options so will have a look at that too.
Cheers
-D
 
LVL 4

Author Closing Comment

by:dee_nz
ID: 36520164
Thanks for your help :)