So you took my previous advice and decided to ditch Ubiquiti and go (back) to Cisco like me. Good for you. If you’ve never touched Cisco gear before, let me make this perfectly clear: it is a different world. You can royally screw up your network. You will get really annoyed with some things. It is completely different than what you’re used to. Hopefully this part of a multi-part series will help you out.
Selecting your hardware
The first step in any process is selecting your hardware. However, when it comes to Cisco, there are a lot of different models, a lot of different sub-models, and a lot of different model numbers.
Note: these are the more popular models and fairly recently EOL. Cisco makes other models like the Catalyst 4948, 9000 series, etc. A lot of those are either too old or too new.
Catalyst 3000 Models
Any Cisco Catalyst switch with a model number starting with 3, such as the 3750 or 3560, is a layer 3 switch. If you’ve never heard this term before, it might be confusing. It means the switch is capable of routing. At one job, we had a network core made up of two layer 3 switches. These switches handled our inter-VLAN routing; anything that needed to go to the Internet went over a VLAN to our firewalls. At another place, we used layer 3 switches as routers in our branch offices: the ports were configured as standard access ports, and the main uplink to our WAN handled routing. These switches won’t do BGP, but for simple OSPF and inter-VLAN static routes they’re golden.
Catalyst 2000 Models
Any Cisco Catalyst switch with a model number starting with 2, such as the 2960, is a layer 2 switch. These are your typical switches. They don’t have any routing capabilities; they just switch. So if you use VLANs, these switches require a router or other layer 3 device (such as a layer 3 switch… or an OPNsense/pfSense box) to route between them.
Personally, I like the 2960S. This is a gigabit switch and comes in 8, 24, and 48 port varieties, including PoE+ models. I have a PoE+ model (WS-C2960S-48LPS-L).
Speaking of… model numbers! Let’s dissect the model number I gave: WS-C2960S-48LPS-L.
WS = Workgroup Switch
C2960S = Catalyst 2960S
48LPS = 48 Ports, Full PoE, SFP
L = LAN Base IOS
I have seen sellers on eBay claim to have a Cisco Catalyst 2960S PoE, but provide a model number like WS-C2960S-48TS-L. The important part is the 48TS: 48 ports, gigabit ethernet, SFP module slots. No PoE. Either they don’t know or don’t care. Also, a PoE switch will be heavier and longer than its non-PoE counterpart.
Nexus
These are data center switches. Unless you’re going after your CCNP Data Center, you do not need these switches in your house. They are power hungry and loud and do not speak the same language as the Catalyst switches.
Getting started with IOS
Now that you’ve found your switch (or switches), you might be wondering: how the heck do I configure this thing? Is there a web portal? Nope. There is a command line.
Things you need
You’re going to need a console cable (or more correctly, a rollover cable) aka “Cisco cable”. It looks like this:
If you do not have one of these (though if you bought the switch off eBay, it should have come with one), ask the IT person at work. Chances are, they have a box of 10 million of these things because they seem to multiply like rabbits, and are happy to part with one… or 20. If for whatever reason they can’t or won’t, you can acquire one cheaply online.
They also make a USB version that looks like this:
A word of warning though. These are hit and miss with me. Mine works fine on one system, but is not recognized on the other. I don’t know. So instead, I use…
…this adapter. This is a Prolific USB to Serial adapter. StarTech makes the best one and you can get it off Amazon. I’ve found it to be the least temperamental. It works on all my systems.
And of course, if your laptop or desktop is still rocking a serial port, you don’t even need the adapter! Win!
Besides the hardware, there is some software you need. If you have a Mac or Linux system, congratulations! You only need drivers for your Prolific USB adapter. It turns out the UNIX terminal is far superior to what Windows users get.
If you’re on Windows, you’ll need a terminal emulator. There are a ton of different products. If you plan on a long career in network or systems administration, I suggest buying SecureCRT from VanDyke Software. It costs $99 for 1 year, less per year if you buy a 2 or 3 year license. It is scriptable, super customizable, and is industry standard. When I worked for an ISP, everyone from tech support to the field techs was issued a license for SecureCRT. SecureCRT also works on Linux and Mac, so it’s a great way to keep everything the same.
Otherwise, the next best thing is PuTTY which is Windows-only. It is free and open source, so there’s that if money is a thing.
Connecting to the terminal
On Mac, connect your adapter (your driver is installed, right?), find your terminal and run the following:
macbook:user$ cd /dev
macbook:user$ ls -ltr /dev/*usb*
crw-rw-rw- 1 root wheel 9, 66 Apr 1 16:46 tty.usbmodem1a21
Connect to the serial console with the following:
macbook:user$ screen /dev/tty.usbmodem1a21 9600
With Linux, the process is similar. Open up your terminal and run the following:
root@usb-suse# cd /dev
root@usb-suse /dev# ls -ltr *ACM*
crw-r--r-- 1 root root 188, 0 Jan 14 18:02 ttyACM0
Now connect with:
root@usb-suse /dev# screen /dev/ttyACM0 9600
On Windows, we need to find our COM port the USB adapter is using (if your computer has a serial port, it’s going to usually be COM1). If you move your adapter between USB ports, it will change COM ports. To find your COM port, right click your Start menu and select Device Manager.
Expand “Ports (COM & LPT)” and look for your adapter.
In my case, you can see it’s COM4. If I change USB ports, it could be COM7 or COM3. So if connecting again doesn’t work, plug your adapter back into the original USB port you used or see what COM port it now is.
Now open PuTTY. In the configuration window, select Serial. Then replace “COM” with your COM port – in my case, I put in COM4. Make sure the speed is set to 9600 baud.
Connect your console cable to the console port on the switch. The console port is highlighted in blue and labeled “Console”. Its location varies by model.
But again, make sure the port is labeled in blue – anything yellow won’t work! Like in this case:
Now press open. If your settings are correct, you’ll get a console! You may have to press enter to “wake” the terminal up.
We can now start configuring the switch!
Configuration 101
Note: if you’re asked for a password, or you don’t see a message asking whether you want to configure your switch with a default config, then you need to reset it, which I’ll explain in the next post. Stay tuned!
At this point, you might see a message that asks if you want to do an initial configuration, type yes or no. I always select no. The wizard is annoying.
Your prompt will say:
Switch>
On this line, you need to enter the command enable. This will take you to privileged exec mode. Cisco also lets you use shorthand on commands, so as you start to do more, you can just type en and press enter.
Now your prompt will look like this:
Switch#
Now we can start configuring! The next command you need to enter is conf t, or configure terminal. conf t is the shorthand, and it is easier and faster to type!
Once again, the prompt changes.
Switch(config)#
This means we’re in global config mode and we can start setting things up.
I’m going to show you how I configure my switches. This may be different from someone else. Either way, this is the fun part about Cisco.
First things first: the console is going to start interrupting your typing as things happen. To resolve this, type in line con 0 and press enter. Then type in logging sync, which stands for logging synchronous. This stops informational messages from interrupting your typing.
The prompt is going to change yet again. It’s going to look like this:
Switch(config-line)#
To go back to global config, type exit and press enter.
Another command I like to run early is no ip domain-lookup. Without it, if you type something wrong, IOS thinks you’re trying to resolve that name to an IP address.
Now lets set our hostname:
Switch(config)#hostname Switch1
It can be whatever you’d like. Once you press enter, you’ll see that the switch has a new name!
Let’s add a domain name. This doesn’t need to be real. It can be completely internal or a domain you own.
Switch1(config)#ip domain-name example.com
Now let’s set a management IP address on VLAN1, which is the default VLAN. To configure the VLAN interface, type in int vlan1. int is short for interface, and vlan1 is the VLAN’s interface. Give it an IP address on your network and don’t forget the subnet mask!
Switch1(config-if)#ip address 192.168.1.100 255.255.255.0
Switch1(config-if)#no shut
no shut stands for no shutdown, and it means the interface is up and available. This command works on physical interfaces as well.
Now we need to configure the default gateway. This is the IP address of your router.
Switch1(config)#ip default-gateway 192.168.1.1
I like to add an administrative user. This will let me log in to the switch to manage it.
Switch1(config)#username admin privilege 15 password admin
In this case, the username is admin, privilege 15 sets the privilege level (15 is full admin), and the password is admin (don’t do this! Select a secure password!).
Additionally, I like to set an enable password. This makes it so that if someone were to get my login, they would still need the enable password to do anything.
Switch1(config)#enable secret password
This will use the password “password” as the enable secret. Again, use something secure.
Next, modify line con 0 with login local. This ensures that you have to know the username and password to log in to the switch over the console cable.
Let’s set up SSH. This will allow us to remotely access the switch.
Switch1(config)#crypto key generate rsa general-keys modulus 2048
This command will generate a secure key. It will take a while.
Once that’s done, enable SSH version 2 with ip ssh version 2. To finish configuring SSH, enter line vty 0 15 and then run the commands logging sync and transport input ssh.
Open a new PuTTY/terminal window and this time try to SSH to your switch’s IP. Does it work? Awesome!
Finally, let’s save our config. Exit until your prompt looks like this:
Switch1#
Type in copy run start, which is short for copy running-config startup-config. Additionally, there is an old school command that was deprecated, but I think enough old school network white beards pushed Cisco hard enough that they have kept it. It’s simply wr, and it does the same thing as copy run start.
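As an added example (not from this post, and not a Cisco tool), here is a short Python script that checks a pasted show running-config against the settings built up in this section: no ip domain-lookup, an enable secret, logging synchronous and login local on the console, SSH version 2, and vty lines that only accept SSH. The two sample configs are constructed; the hash strings in them are placeholders. It also flags a username stored with password rather than secret (IOS stores secret as a hash), and it expects login local on the vty lines, which an SSH login against a local username relies on.

```python
import re

# Constructed sample (not a real device) with weak choices left in: a
# reversible user password, enable password, and telnet still allowed on vty.
WEAK_CONFIG = """\
ip domain-name example.com
username admin privilege 15 password 0 admin
enable password cisco
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
line con 0
 login local
line vty 0 15
 transport input telnet ssh
"""

# Constructed sample matching the post's baseline; the hashes are placeholders.
HARDENED_CONFIG = """\
ip domain-name example.com
no ip domain-lookup
username admin privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
enable secret 5 $1$PLACEHOLDER$notarealhash
ip ssh version 2
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
line con 0
 logging synchronous
 login local
line vty 0 15
 logging synchronous
 login local
 transport input ssh
"""


def parse_sections(config: str) -> dict:
    """Map each unindented line to its indented sub-lines (IOS block layout)."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> list:
    """Return (check_id, message) for every baseline setting that is not met."""
    sections = parse_sections(config)
    top = set(sections)
    findings = []

    def has_top(prefix: str) -> bool:
        return any(line == prefix or line.startswith(prefix + " ") for line in top)

    if "no ip domain-lookup" not in top:
        findings.append(("domain-lookup", "ip domain-lookup still on: typos become DNS queries"))
    if "ip ssh version 2" not in top:
        findings.append(("ssh-version", "ip ssh version 2 not set"))
    if not has_top("enable secret"):
        findings.append(("enable-secret", "no enable secret configured"))
    if has_top("enable password"):
        findings.append(("enable-password", "enable password is reversible; use enable secret"))
    for line in sorted(top):
        m = re.match(r"username (\S+)(?: privilege \d+)? password\b", line)
        if m:
            findings.append(("user-password", f"user {m.group(1)} uses 'password'; use 'secret'"))
    if not any(l.startswith("ip address ") for l in sections.get("interface Vlan1", [])):
        findings.append(("vlan1-ip", "interface Vlan1 has no IP address"))

    con = sections.get("line con 0", [])
    if "login local" not in con:
        findings.append(("con-login-local", "console line does not require a local login"))
    if "logging synchronous" not in con:
        findings.append(("con-logging-sync", "console line lacks logging synchronous"))

    # The post configures 'line vty 0 15'; a real show run may split the range,
    # so every vty block is checked rather than one exact name.
    for name, body in sections.items():
        if not name.startswith("line vty "):
            continue
        transport = [l for l in body if l.startswith("transport input")]
        if transport != ["transport input ssh"]:
            shown = transport[0] if transport else "default transport (telnet permitted)"
            findings.append(("vty-transport", f"{name}: {shown}; set 'transport input ssh'"))
        if "login local" not in body:
            findings.append(("vty-login-local", f"{name}: missing login local"))
        if "logging synchronous" not in body:
            findings.append(("vty-logging-sync", f"{name}: lacks logging synchronous"))
    return findings


def failed_checks(config: str) -> set:
    """The set of check ids that failed, for a quick comparison."""
    return {check_id for check_id, _ in audit(config)}
```

Run it by calling audit() on the text of your own show running-config (for example, read from a file you saved from the terminal session); an empty list means every setting from this section is in place, and the hardened sample above returns exactly that.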
In the next part, we’ll look at how to reset your switch, VLANs, and additional security!