
CISCO SWITCH BEST PRACTICES GUIDE

Table of Contents

1) Add Hostname
2) Add Username and Password
3) Create Secret Password
4) Encrypt Password
5) Add Local Login and SSH to Line and Console Ports
6) Disable AUX Port
7) Disable VTP
8) Disable http/s Server
9) Enable Keepalives for TCP
10) IOS Configuration Lock
11) Reserve Memory for Console Access
12) Add VLANS
13) Add DHCP Snooping
    Add to VLANS
    Add to Interfaces (Trunks and DHCP Server)
    Remove Option 82
14) Default Interface Configuration
15) Interface Range for Programming Multiple Identical Ports
16) Configure Access/Edge Port
17) Add QOS at Interface Level
18) Configure Voice Port
19) Configure Trunk Port with VLAN Pruning (802.1Q)
20) Configure Etherchannel Trunk with LACP and VLAN Pruning (802.1Q)
    Configure Ports on Both Switches for Etherchannel
    Configure Etherchannel Trunk
    Review
21) Add L3 Interface to VLAN (IP and Subnet Mask)
22) Enable InterVLAN Routing
23) Add Default Gateway L2 Switch
24) Add Default Route L3 Switch
25) Add Banner
26) Add DNS Servers
27) Add SSH
28) Add NTP servers
29) Enable Logging
30) Don't Log Console and Monitor
31) Backup Config to TFTP
32) Restore Config from TFTP
33) Setting an Alias for Config Mode
34) SFP Commands
35) Troubleshooting Cisco PoE with built-in TDR features

-ALL Commands are from Global Configuration Mode Unless Otherwise Specified-

1) Add Hostname

hostname <switch>

2) Add Username and Password

aaa new-model
username <username> privilege 15 secret <password>
aaa local authentication attempts max-fail 3
aaa authentication login default local

3) Create Secret Password

enable secret <password>

4) Encrypt Password

service password-encryption

5) Add Local Login and SSH to Line and Console Ports

line vty 0 15
exec-timeout 3
transport input ssh
login authentication default

line con 0
exec-timeout 3
login authentication default

6) Disable AUX Port

line aux 0
transport input none
transport output none
no exec
exec-timeout 0 1
no password

7) Disable VTP

vtp mode transparent

8) Disable http/s Server

no ip http server
no ip http secure-server

9) Enable Keepalives for TCP

service tcp-keepalives-in
service tcp-keepalives-out

10) IOS Configuration Lock

configuration mode exclusive auto

11) Reserve Memory for Console Access

memory reserve console 4096

12) Add VLANS

vlan <number>
name <VLAN name>

13) Add DHCP Snooping

ip dhcp snooping

Add to VLANS
ip dhcp snooping vlan <VLANs comma separated>

Add to Interfaces (Trunks and DHCP Server)
ip dhcp snooping trust

Remove Option 82
no ip dhcp snooping information option

14) Default Interface Configuration

default interface <interface>

15) Interface Range for Programming Multiple Identical Ports

interface range <interface number-number>

Example: interface range gigabitEthernet 1/0/1-48

16) Configure Access/Edge Port

description <VLAN name>
switchport mode access
switchport access vlan <number>
spanning-tree portfast
spanning-tree guard root
storm-control broadcast level 20
storm-control multicast level 20
storm-control action trap

17) Add QOS at Interface Level

auto qos voip cisco-phone


18) Configure Voice Port

description <VLAN name>
switchport access vlan <untagged VLAN>
switchport mode access
switchport voice vlan <VOICE VLAN number>
auto qos trust
spanning-tree portfast

19) Configure Trunk Port with VLAN Pruning (802.1Q)

description Trunk to <define switch and port>
switchport mode trunk
switchport trunk allowed vlan <VLANs comma separated>
switchport nonegotiate
ip dhcp snooping trust

20) Configure Etherchannel Trunk with LACP and VLAN Pruning (802.1Q)

Configure Ports on Both Switches for Etherchannel

interface range <interface number-number>
channel-group <number> mode active
channel-protocol lacp

Configure Etherchannel Trunk

interface port-channel <number>
switchport mode trunk
switchport trunk allowed vlan <VLANs comma separated>
switchport nonegotiate
ip dhcp snooping trust

Review

show interfaces trunk

21) Add L3 Interface to VLAN (IP and Subnet Mask)

int vlan <number>
ip address <ip-address> <subnet mask>
no shut

22) Enable InterVLAN Routing

ip routing

23) Add Default Gateway L2 Switch

ip default-gateway <ip-address>

24) Add Default Route L3 Switch

ip route 0.0.0.0 0.0.0.0 <ip-address>

25) Add Banner

banner motd #
****************************************************************************
PROPERTY OF “COMPANY”
Anytown, USA

USE OF THIS “COMPANY” SYSTEM, AUTHORIZED OR UNAUTHORIZED,
CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE
MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE
COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL
OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO
MONITORING FOR THESE PURPOSES
****************************************************************************
#

26) Add DNS Servers

ip name-server <ip-address>
ip name-server <ip-address>

27) Add SSH

ip domain-name <domain name>
! A 2048-bit or larger modulus is the stronger choice where the platform supports it
crypto key generate rsa modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2

28) Add NTP servers

ntp server <ip-address>
ntp server <ip-address>

29) Enable Logging

logging buffered 16384 6

30) Don't Log Console and Monitor

no logging console
no logging monitor

31) Backup Config to TFTP

copy running-config tftp:

(You are prompted for the TFTP server and the filename.)

32) Restore Config from TFTP

copy tftp: running-config

(You are prompted for the TFTP server, the filename and the destination filename.)

33) Setting an Alias for Config Mode

alias exec c configure terminal

34) SFP Commands

sh inv
sh interface
sh controller
sh diag
sh hard

35) Troubleshooting Cisco PoE with built-in TDR features

From the privileged EXEC prompt (#):
test cable-diagnostics tdr interface gigabitEthernet 0/16
sh cable-diagnostics tdr interface g0/16
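
A way to check a saved running-config against the settings in sections 2, 4, 5, 7, 8, 13 and 19, as an added example that is not part of the original guide. The sample config is constructed, the function names are hypothetical, and the check assumes the config text contains the commands exactly as the guide writes them.

```python
# Constructed sample running-config for the demo (not from a real device).
SAMPLE = """\
aaa new-model
service password-encryption
vtp mode transparent
no ip http server
ip http secure-server
ip dhcp snooping
!
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Global commands from sections 2, 4, 7, 8 and 13 of the guide.
GLOBAL_REQUIRED = ("aaa new-model", "service password-encryption",
                   "vtp mode transparent", "no ip http server",
                   "no ip http secure-server", "ip dhcp snooping")
# Section 19 trunk settings, matched by prefix because the VLAN list varies.
TRUNK_REQUIRED = ("switchport trunk allowed vlan", "switchport nonegotiate",
                  "ip dhcp snooping trust")

def parse_blocks(config):
    """Return (top-level lines, {block header: [indented sub-commands]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and current:
            blocks[current].append(line)
        elif line and line != "!":
            current = line
            top.append(line)
            blocks[line] = []
    return top, blocks

def audit(config):
    """List deviations from the guide's global, vty and trunk settings."""
    top, blocks = parse_blocks(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in top]
    for header, sub in blocks.items():
        # A vty block with no transport line, or one that also lists telnet, fails.
        if header.startswith("line vty") and "transport input ssh" not in sub:
            findings.append(f"{header}: transport input is not ssh-only")
        if "switchport mode trunk" in sub:
            findings += [f"{header}: trunk missing '{c}'" for c in TRUNK_REQUIRED
                         if not any(s.startswith(c) for s in sub)]
    return findings
```

Calling audit(SAMPLE) reports the enabled HTTPS server, the trunk without VLAN pruning or DHCP snooping trust, and the vty range that still accepts Telnet.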
