Configuring Cisco Switches

This weekend as part of my ongoing endeavor to get my home lab up and running, I tackled my first proper Cisco switch. Two Cisco Catalyst 3550 switches had been donated to my cause a few months back and I finally had the time to configure them today.

Cisco Catalyst 3550s

I was starting from square one with familiarizing myself with the 3550s’ CLI. The switches had previously been used in a retail store of some sort so there was the added fun of restoring each switch to factory settings. At the end of the day, my goal was to break up the 48 FastEthernet ports into several vlans in prep for being connected up to my home lab network.

Connecting to the Switch

One of the first things I realized I needed was a console cable. I had no idea what IP address the switch was currently set to, so attaching an ethernet cable and attempting to telnet in would do me no good. Since my MacBook supports limited ports, I used this USB to DB9 Cisco Console Cable shown below.

USB to DB9 Cisco Console Cable

Once my Mac and the switch were connected, I just had to find the associated USB device under /dev and run the following command:

screen /dev/tty.usbserial-AL00B2R5 9600

Note that the 9600 above is the baud rate of the console port, which can be found in the documentation for the switch.

Back to Factory Defaults

This successfully brought up a connection with the switch. Unfortunately, it became clear that there wasn’t much I could do without the password to allow me to edit the switch configuration. While I could attempt to recover the password, since I had no need to save the original switch config, I opted to restore it to factory defaults.

To do this, I simply unplugged the switch, held down the mode button on the front and plugged it in again. The only snag I ran into here, which admittedly took me a while to figure out, is that I needed to unplug the console cable before I turned the switch back on from both the switch and the Mac. Otherwise, when I tried to connect to the switch with the console cable, I’d either get a busy signal or a blank screen. Once this was sorted though, I successfully brought up the switch prompt.

I then followed Cisco’s instructions found here.

I used the following commands to initialize the flash file system:

switch: flash_init

switch: load_helper

I then found the original configuration file and renamed it:

switch: dir flash:

switch: rename flash:config.text config.old

Finally, I booted up the switch:

switch: boot

Initial Configuration

Upon reboot, it enters initial configuration mode. I hit “n” to abort this and got the default Switch prompt. I then entered “en” to enter “enable” mode or what I think of as admin mode and voila! No password required and I am now able to set up the switch as I like. For the start, I followed this tutorial I found on YouTube. The poster, Jorge Almazan, included a good set of “recommended settings” which I will paraphrase in the following sections.

Configuring the Switch

Before diving into the details of the configuration, here is a quick overview of how the switch config is updated and saved.

In order to configure the switch you need to enter configuration mode. To enter configuration mode you run the following command:

configure terminal

To exit configuration mode, you enter:

end

All of the updates you make to the configuration are saved only into the switch’s running configuration. If you rebooted the switch at any point, it would load the startup configuration and any updates you made to its running configuration would be lost. Therefore, you should save your changes frequently as you go with this command, run in “enable” mode:

copy running-config startup-config

The following sections assume you are entering and leaving configuration mode appropriately and saving your configuration frequently along the way.

Security

There are a number of items you need to configure initially. First and foremost are the logins and passwords. The first password you want to set is for “enable” mode, so basically your root password. You set this as follows:

enable secret <your password>

You also want to set a password on your switch’s console so that whenever someone logs into the switch they are prompted for a password. To configure the console’s settings you enter:

line console 0

After this, the commands you enter apply only to the console. Here we want to set the console’s password, require users to log in, and set a timeout period that automatically logs the user out after a number of minutes and/or seconds.

password <your password>

login

exec-timeout 30 0

While inside the console’s configuration, there are also some additional settings you can make to improve your interface with the console. One I highly recommend prevents the command line from being split in two by log messages:

logging synchronous

To leave the console configuration mode, you run:

exit

As the line name implies, this password is only for the console reached via the console cable we are currently using. Normally, once the switch is configured, you’d be using either telnet or, preferably from a security standpoint, ssh to access the switch remotely over the network. The 3550s allow you to set access controls for remote users with virtual terminal lines, or “vty”. My 3550s support up to 16 simultaneous connections so the command to enter the vty configuration mode for all connections would be:

line vty 0 15

With this command, you are now in vty’s configuration. All the settings applied to the console’s configuration should also be applied here.

Unfortunately, the default settings on the switch store these passwords in plain text. If you run

show running-config

in “enable mode”, you will see the passwords crystal clear listed in the configuration. To encrypt the passwords where they are stored, you will want to run

service password-encryption

Now if you check the running config, a hash of the password is shown to mask it from prying eyes. Unfortunately, the hashing functions that these switches use are not strong and with minimal effort the passwords can be derived from the hash. I take a deeper look into the Catalyst’s weak hashing functions in this post.
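The settings from this section can be checked mechanically against saved `show running-config` output. The script below is an added example, not part of the original post or of any Cisco tooling; the sample config is constructed, and it assumes plain line passwords are in use (no AAA or local usernames).

```python
# Constructed `show running-config` excerpt (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholderhash
!
line con 0
 exec-timeout 30 0
 password 7 0000000000
 login
line vty 0 4
 password 7 0000000000
 login
line vty 5 15
 exec-timeout 0 0
 no login
"""

def line_blocks(config):
    """Map each 'line ...' header to the list of sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line closes the block
    return blocks

def audit(config):
    """Return findings for the settings the Security section recommends."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no 'enable secret' set")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off")
    for header, cmds in line_blocks(config).items():
        if "login" not in cmds:  # 'no login' or a missing 'login' both land here
            findings.append(f"{header}: login not required")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"{header}: no password")
        if "exec-timeout 0 0" in cmds:  # 0 0 disables the idle timeout
            findings.append(f"{header}: exec-timeout disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The sample shows a common slip: the running config splits the 16 vty lines into `line vty 0 4` and `line vty 5 15`, and settings applied only to the first block leave the second one open.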

Miscellaneous Settings

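To set the login banner (the character after motd is the delimiter: type your message after it and end the message with the same character):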

banner motd [

To set the hostname of the switch:

hostname <your switch's name>

VLANs

The default vlan used by all of the switch’s ports is vlan 1. I need to break the switch up into multiple vlans to support my network’s segregation.

First I need to create the new vlans:

vlan <vlan #>

name <name of vlan (for your reference)>

exit

I then need to assign each port to a vlan. I could do this for each port individually, but, fortunately, the 3550s allow you to configure a range of interfaces at once. In the below commands x represents the first ethernet port in the range and y represents the last port. You can find the port numbers on the physical ports or get a list with the “show ip interface brief” command.

interface range fastethernet 0/x - y

switchport mode access

switchport access vlan <vlan #>

exit

To give a vlan an IP address range, you have to add an interface for each of your vlans. Once you create the interface, you then add your IP address of choice and the subnet mask that dictates the range of IP addresses that will be on that vlan.

interface vlan <vlan #>

ip address 10.0.0.1 255.255.255.0

With the ip address set for the vlan, you can connect a device to one of the ports, set the device’s IP address within that IP address range and then ping the switch on the IP address you set for the vlan that port is using.
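When splitting 48 ports across several vlans, it helps to validate the plan before typing it in. The script below is an added example, not from the original post: the vlan ids, names, port ranges and addresses in `PLAN` are hypothetical, and it checks for overlapping port ranges and unusable interface addresses, then emits the command sequence described above.

```python
import ipaddress

PORTS = 48  # FastEthernet ports 0/1 to 0/48 on the switch described above

# Hypothetical plan: (vlan id, name, first port, last port, vlan interface address)
PLAN = [
    (10, "servers", 1, 16, "10.0.10.1/24"),
    (20, "clients", 17, 40, "10.0.20.1/24"),
    (30, "mgmt", 41, 48, "10.0.30.1/28"),
]

def validate(plan):
    """Return a list of problems: bad ids, overlapping ports, unusable addresses."""
    problems, used = [], {}
    for vid, name, first, last, cidr in plan:
        if not 2 <= vid <= 1001:
            problems.append(f"vlan {vid}: id must be 2-1001 (1 is the default vlan)")
        if not 1 <= first <= last <= PORTS:
            problems.append(f"vlan {vid}: port range {first}-{last} invalid")
        for port in range(first, last + 1):
            if port in used:
                problems.append(f"port 0/{port} in vlan {used[port]} and {vid}")
            used[port] = vid
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"vlan {vid}: {iface.ip} is not a host address")
    return problems

def render(plan):
    """Emit the configuration-mode commands from the VLANs section."""
    out = []
    for vid, name, first, last, cidr in plan:
        iface = ipaddress.ip_interface(cidr)
        out += [f"vlan {vid}", f" name {name}", " exit",
                f"interface range fastethernet 0/{first} - {last}",
                " switchport mode access",
                f" switchport access vlan {vid}", " exit",
                f"interface vlan {vid}",
                f" ip address {iface.ip} {iface.network.netmask}", " exit"]
    return out

if __name__ == "__main__":
    print("\n".join(validate(PLAN) or render(PLAN)))
```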

All of this is just the tip of the iceberg as far as switch configuration goes and fully integrating these switches into my lab’s network. I look forward to posting additional updates as I learn more about these switches and how best to use them.

ABOUT LAURA KAPLAN

Throughout my 10 year career I have worked as a web developer, systems administrator, software engineer, security analyst and now cybersecurity engineer. I currently develop software applications to automate security vulnerability and compliance scanning and reporting for a multinational financial institution.