
Five things you should know about configuring a Cisco IOS switch


Most switches used by small businesses and home offices typically require no configuration -- they're "plug and play." However, it's important to remember that plug and play doesn't always work. In addition, these switches certainly don't offer any troubleshooting, logging, security, or manageability.

So once you're ready to make the jump to a more sophisticated switch, what do you need to know? Let's answer some of the most frequently asked questions and explore the basic configuration of Cisco IOS switches.

#1: What's the default VLAN?

The default VLAN on all switches is VLAN 1. By default, all ports on the switch are in VLAN 1. With all ports in VLAN 1, all ports can communicate. As soon as you change the VLAN assignment for a switch port to another VLAN, that switch port won't be able to communicate with the devices on ports in other VLANs.

Figure A offers a look at the switch below in its default configuration. Notice how all ports are in VLAN 1.

Figure A


#2: Why do I need to configure interface "vlan 1"?

If you want to be able to manage your switch remotely over the network, your switch needs an IP address. If your switch has multiple VLANs configured, and you want to be able to manage the switch from each VLAN, the switch requires an IP address on a VLAN interface in each VLAN.

To be able to manage your switch -- even if all ports are left in default VLAN 1 -- you still need to configure an IP address on the "vlan 1" switch interface, which is, of course, in VLAN 1. Figure B shows how this switch has its VLAN 1 interface configured with an IP address in VLAN 1.

Figure B


#3: Why does my switch need a default gateway?

Actually, your switch doesn't have to have a default gateway configured. However, if you want to be able to communicate with your switch from another subnet, you need to configure a default gateway on the switch so it knows how to reach its local LAN router.

Here's how to configure a default gateway on a switch:

Switch(config)# ip default-gateway 10.92.103.254

#4: How do I get switch ports up fast?

Cisco switches can do a lot of things besides just connect regular PCs to the network. To use the switch ports optimally, they need a little extra configuration.

To bring up a switch port for use and tell the switch that there will always be "access devices" (such as PCs) on that switch port, use the following commands:

Switch(config)# interface FastEthernet0/48

Switch(config-if)# switchport mode access

Switch(config-if)# no shutdown

Switch(config-if)# spanning-tree portfast
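The settings from #2 and #4 can be checked in a saved configuration. The following is an added example, not code from the original article: a small Python audit that flags a management address on VLAN 1 (the VLAN every port starts in), "spanning-tree portfast" on a port that was never pinned to access mode, and trunks still using native VLAN 1. The function names, the three checks, and the sample configuration are assumptions made for this example.

```python
import re
# Constructed sample in "show running-config" form; not taken from the article.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
!
interface FastEthernet0/3
 spanning-tree portfast
!
interface FastEthernet0/48
 switchport mode access
 spanning-tree portfast
!
interface Vlan1
 ip address 10.92.103.10 255.255.255.0
"""

def stanzas(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    out, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = out.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return out

def audit(config):
    """Return (interface, finding) pairs for the three example checks."""
    findings = []
    for name, cmds in stanzas(config).items():
        if (name.lower() == "vlan1" and "shutdown" not in cmds
                and any(c.startswith("ip address ") for c in cmds)):
            findings.append((name, "management address on default VLAN 1"))
        if "spanning-tree portfast" in cmds and "switchport mode access" not in cmds:
            findings.append((name, "portfast without explicit access mode"))
        if "switchport mode trunk" in cmds and not any(
                re.fullmatch(r"switchport trunk native vlan (?!1$)\d+", c) for c in cmds):
            findings.append((name, "trunk still uses native VLAN 1"))
    return findings

print(*audit(SAMPLE), sep="\n")
```

FastEthernet0/48, configured exactly as in the commands above, passes; the findings are a review list, not a verdict on any one port.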

#5: How important are speed and duplex on switch ports?

Speed and duplex are very important on switch ports. That's not to say that speed and duplex aren't important on router Ethernet ports (which they are).

However, switches are all about connecting a device to the LAN, and there are many devices that need connecting, so you're much more likely to run into speed and duplex issues on switch ports. There are always old and slow devices somewhere on the network that aren't quite compatible with your switch, and they don't quite negotiate the speed and duplex correctly.

Use this command to see what speed and duplex a switch port is currently running:

Switch# show interface gigabitEthernet 1/0/3

You'll see a line like this:

Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX

To change the speed or the duplex, use these commands:

Switch(config)# interface gigabitEthernet 1/0/3

Switch(config-if)# speed 100

Switch(config-if)# duplex half


Conclusion

Cisco switches are very powerful, and there's a lot to know about them. However, understanding the basics, like we covered in this article, can go a long way to comprehending the hows and whys of switch configuration.


16 comments
pinatano

Hi everyone, I just purchased a used 2950 48-port switch which I would like to use to replace my Linksys 16-port hub and connect my lab up. My default internet router is a Cisco 881w and that works fine and I am able to browse the internet while connected to the Linksys. The 881w provides DHCP. I did a basic config on the 2950 (see below) but what I want to do is simply use port 48 as the port connected to the 881w and it gets its DHCP addresses from the 881w to all the machines that will be connected to the switch. I only have 1 VLAN set up (the default) and some basic security. Can someone provide guidance here? Thanks. Below is my current config. (Note: I gave VLAN 1 the IP address 10.10.10.200 since my 881w is 10.10.10.1.) Not sure if this is OK!

=====================================================
2950-48EI#sh running-config
Building configuration...
Current configuration : 2099 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 2950-48EI
!
enable secret 5 $1$rFsB$4Yk3nZt3m/rynXSJ.soAg/
enable password 7 0708205C5E081E54454359
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.10.10.200 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.10.1
ip http server
!
line con 0
 password 7 06255E324F41584B56
 logging synchronous
 login
 transport input none
line vty 0 4
 password 7 0225554808095E731F
 logging synchronous
 login
line vty 5 15
 password 7 0225554808095E731F
 logging synchronous
 login
!
end
============================================================

dezull

Hi. Can a Cisco switch assign a gateway to each port individually, or based on the IP address of the host connected to a port? Because I want to isolate a few hosts, and VLAN is not suitable because I don't want them to communicate among one another. E.g.: 192.168.1.10, 192.168.1.20, 192.168.1.30, 192.168.1.40. Say those four IPs are on the same VLAN, but I want to isolate 192.168.1.10 and 192.168.1.30, so neither of them would communicate with any other host. Would putting each of them alone in a separate VLAN be a good idea?

stephenmilhouse

Excellent article. Extremely informative. Looking forward to reading more from you.

mark.ireland-spicer

It is recommended (by Cisco) that vlan 1 should not be used, as this is the well known vlan and is the first one that will be tried if an attack is launched!

holowenko

David: Please! I beg of you! Discuss some higher level material. I would really like to see things that are not in CCNA. I would really really like to see some tips, tricks, and hints for design ideas and wireless with Cisco products... Maybe some phone stuff too. I know that this topic is Cisco Routers but let's diversify...

wrojash

Very good! Kind example! I would like to suggest making a procedure on how to configure a rate limit, explaining each of the command lines as was done here in "Five things you should know about configuring a Cisco IOS switch". Regards!

bpate

Another good piece of configuration that needs mentioning is the router on a stick, which makes it possible for you to route in between VLANs if you have a router with only one Ethernet port. In this example I am plugging a 2610 router into a 3500xl switch.

Configuration of router on a stick with IOS < 12.1(3)

c2600(config)#int fastEthernet 0/0
c2600(config-if)#no shut
!-- Note that the IP address for VLAN1 is configured on the main interface,
!-- and no encapsulation for VLAN1 will be done under the sub-interface.
c2600(config-if)#ip address 10.10.10.1 255.255.255.0
c2600(config-if)#exit
!-- Configure dot1q encapsulation for VLAN 2
!-- on sub-interface fastEthernet 0/0.2.
c2600(config)#int fastEthernet 0/0.2
c2600(config-subif)#encapsulation dot1Q 2
c2600(config-subif)#
!-- Configuring L3 information on the sub-interface 0/0.2.
c2600(config-subif)#ip address 10.10.11.1 255.255.255.0
c2600(config-subif)#exit

Configuration of router on a stick with IOS => 12.1(3)

c2600#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
!-- Select FastEthernet 0/0 for the trunk configuration.
!-- No L2 or Layer 3 (L3) configuration is done here.
c2600(config)#int fastEthernet 0/0
c2600(config-if)#no shut
c2600(config-if)#exit
!-- Enable trunking on the sub-interface FastEthernet 0/0.1.
!-- Note that actual trunks are configured on the sub-interfaces.
c2600(config)#int fastEthernet 0/0.1
c2600(config-subif)#encapsulation dot1Q 1 native
!-- Configure L3 information on the sub-interface 0/0.1.
c2600(config-subif)#ip address 10.10.10.1 255.255.255.0
c2600(config-subif)#exit
!-- Enable trunking on the sub-interface FastEthernet 0/0.2.
!-- Note that actual trunks are configured on the sub-interfaces.
c2600(config)#int fastEthernet 0/0.2
!-- Enter the trunking encapsulation as dot1q
c2600(config-subif)#encapsulation dot1Q 2
!-- Configure L3 information on the sub-interface 0/0.2.
c2600(config-subif)#ip address 10.10.11.1 255.255.255.0
c2600(config-subif)#exit

HERE IS THE SWITCH CONFIG...we are plugged into F0/1 on the 3500XL

!-- Set the IP address and default gateway for VLAN1 for management purposes.
3512xl#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3512xl(config)#int vlan 1
3512xl(config-if)#ip address 10.10.10.2 255.255.255.0
3512xl(config-if)#exit
3512xl(config)#ip default-gateway 10.10.10.1
3512xl(config)#end
!-- Set the VTP Mode.
!-- In our example, we have set the mode to be transparent.
!-- Depending on your network, set the VTP Mode accordingly.
!-- For details on VTP,
!-- refer to
!-- Creating and Maintaining VLANs on Catalyst 2900XL and 3500XL Switches.
3512xl#vlan database
3512xl(vlan)#vtp transparent
Setting device to VTP TRANSPARENT mode.
!-- Adding VLAN2. VLAN1 already exists by default.
3512xl(vlan)#vlan 2
VLAN 2 added:
Name: VLAN0002
3512xl(vlan)#exit
APPLY completed.
Exiting....
!-- Enable trunking on the interface fastEthernet 0/1.
3512xl#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
3512xl(config)#int fastEthernet 0/1
3512xl(config-if)#switchport mode trunk
!-- Enter the trunking encapsulation as dot1q
3512xl(config-if)#switchport trunk encapsulation dot1q
!-- Note you may not be able to enter this command depending on what version of IOS your switch is running (it automatically defaults to dot1q for IOS => 12.1(3))
!-- In case of 2940/2950 series switches, none of the above two commands are used,
!-- 2940/2950 series switches only support 802.1q encapsulation which is configured automatically,
!-- when trunking is enabled on the interface by using switchport mode trunk command.
!-- In case of dot1q, you need to make sure that
!-- the native VLAN matches across the link.
!-- On 3512XL, by default, the native VLAN is 1.
!-- Depending on your network needs, you may change
!-- the native VLAN to be other than VLAN1,
!-- but it is very important that you change the native VLAN
!-- on the router accordingly.
!-- You may change the native VLAN, if needed, by using the following command:
!-- 3512xl(config-if)#switchport trunk native vlan
!-- Allow all VLANs on the trunk.
3512xl(config-if)#switchport trunk allowed vlan all
3512xl(config-if)#exit
!-- The following set of commands will place FastEthernet 0/2
!-- into VLAN2 and enable portfast on the interface.
3512xl(config)#int fastEthernet 0/2
3512xl(config-if)#switchport access vlan 2
3512xl(config-if)#spanning-tree portfast
3512xl(config-if)#exit
!-- FastEthernet 0/3 is already in VLAN1 by default.
!-- Enable portfast on the interface.
3512xl(config)#int fastEthernet 0/3
3512xl(config-if)#spanning-tree portfast

Good Luck and email me with questions bpate@spacc.biz

ss1970

not exactly rocket-science. newbie stuff

alexwell.nkosi

I have just set up my PCs (35) and I thought I would use dial-up networking, but my service provider installed the router and now I would like to know how to configure the whole thing from the service provider telephone line to my switch/hub.

nha4nguoi

Does it work with the firewall (ASA) and switch? What happens if I have more than 2 VLANs? Do I need to create multiple sub-interfaces at the firewall, right? Thanks, Dewei

al

For those of us who only now are moving into these types of switches - "Router on a STICK"? (Jeff Dunham must have been a network guy!)

kgardiner

Great post Pate, however, from a security point of view (because everything defaults into it), VLAN 1 is a bad choice for any interface. It is best to leave interface VLAN1 unused and instead create a new VLAN interface. The same goes for the L2 VLAN; do not use it for any Production subnet.

jeff.uebele

It is newbie stuff. Which makes it all the more surprising that this is one of the poorer articles that David Davis has posted. #2) figure B is the same as figure A; #4) "spanning-tree portfast" is not something you want to put on all access ports. #5) configuring an interface with "speed 100" and "duplex half" is a poor configuration example. David, 99% of the time I enjoy and learn from your posts; this one reads like it was written by someone other than you.

lesko

You also used Dot1q for encapsulation; you may want to change the native VLAN away from the default of VLAN 1 to something else so you don't accidentally put user traffic in this VLAN. There were several articles a while back about VLAN hopping: http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html. Also, most IOS for switches these days do some basic routing, don't they? Or is it only true for the 3750s and the 3550s?