═══════════════════════════════════════════════════════════════════
RESTRICTED DISTRIBUTION — DICDP PROGRAM PARTICIPANTS ONLY
═══════════════════════════════════════════════════════════════════
RED IRISH GLOBAL SERVICES
Defense Information Capacity Development Program (DICDP)
Communications and Information Systems (CIS) Track — Foundation Level
Foundation Networking Course | Day 03 Command Reference — Basic Switch Configuration
Document ID: DICDP-CIS-FNC-D03-CMDREF-v1
Issued: [date]
Controlled by: Program Director, DICDP, Red Irish Global Services
Redirect requests: ops@redirish.global
Distribution: RESTRICTED — Program participants only
═══════════════════════════════════════════════════════════════════
Restricted Distribution Statement
This material is the intellectual property of Red Irish Global Services. Distribution is authorized only to participants enrolled in the Defense Information Capacity Development Program (DICDP). Reproduction, transmission, posting to public networks or social media, sharing with non-participants, or use as the basis for derivative training materials, in whole or in part, requires prior written authorization from Red Irish Global Services. Other requests shall be referred to: ops@redirish.global
Basic Switch Configuration — Step-by-Step Command Reference
This reference covers every command required to configure a Cisco Catalyst 2960 switch from a blank CLI. Follow the steps in order. Each step shows the exact commands to enter, the prompt that appears, and a one-line explanation of what the command does.
Topology
PC1 192.168.10.10/24 ──── Fa0/1 ──┐
PC2 192.168.10.20/24 ──── Fa0/2 ──┤ VLAN 10 — USERS
                                  │
Admin PC 192.168.99.10/24 ─ Fa0/3 ┤ VLAN 99 — MANAGEMENT
                                  │
                             SW-ACCESS-01
Address Plan
| Device | Interface | IP Address | Subnet Mask | VLAN |
|---|---|---|---|---|
| SW-ACCESS-01 | Vlan99 (SVI) | 192.168.99.2 | 255.255.255.0 | 99 |
| PC1 | NIC | 192.168.10.10 | 255.255.255.0 | 10 |
| PC2 | NIC | 192.168.10.20 | 255.255.255.0 | 10 |
| Admin PC | NIC | 192.168.99.10 | 255.255.255.0 | 99 |
| Default Gateway | — | 192.168.99.1 | — | — |
IOS Mode Quick Reference
| Mode | Prompt | Purpose | Enter | Exit |
|---|---|---|---|---|
| User EXEC | Switch> | Basic monitoring and ping only. No configuration. | Default on login | exit |
| Privileged EXEC | Switch# | Full show commands, save config, enter configuration. | enable | disable |
| Global Configuration | Switch(config)# | Configure the whole device — hostname, VLANs, security. | configure terminal | end or Ctrl+Z |
| Interface Configuration | Switch(config-if)# | Configure one specific port or SVI. | interface <name> from global config | exit |
| VLAN Configuration | Switch(config-vlan)# | Create VLANs and assign names. | vlan <id> from global config | exit |
| Line Configuration | Switch(config-line)# | Configure console and VTY (remote access) lines. | line console 0 or line vty 0 15 | exit |
The point: the prompt tells you exactly where you are. If you are unsure, read the prompt before typing any command.
Step 1 — Enter Privileged EXEC Mode
Switch> enable
Switch#
enable — moves from User EXEC to Privileged EXEC. You now have access to all show commands and can enter configuration mode.
Step 2 — Enter Global Configuration Mode
Switch# configure terminal
Switch(config)#
configure terminal — enters the mode where all device-wide configuration commands are accepted. Shortcut: conf t.
Step 3 — Set the Hostname
Switch(config)# hostname SW-ACCESS-01
SW-ACCESS-01(config)#
hostname <name> — assigns a name to the switch. The name appears in every prompt and in management tools. Set this before generating SSH keys — the hostname is part of the key name.
Step 4 — Set the Enable Secret and Enable Password Encryption
SW-ACCESS-01(config)# enable secret Str0ng@Pass1
SW-ACCESS-01(config)# service password-encryption
enable secret <password> — protects Privileged EXEC mode with an MD5-hashed password. Anyone who types enable will be prompted for this.
service password-encryption — applies a reversible type-7 cipher to all plaintext line passwords stored in the configuration. Always use enable secret, not enable password — the secret uses a stronger hash.
Step 5 — Secure the Console Line
SW-ACCESS-01(config)# line console 0
SW-ACCESS-01(config-line)# password Str0ng@Pass1
SW-ACCESS-01(config-line)# login
SW-ACCESS-01(config-line)# exec-timeout 5 0
SW-ACCESS-01(config-line)# exit
| Command | What it does |
|---|---|
| line console 0 | Enters Line Configuration mode for the physical console port. There is always only one, numbered 0. |
| password <password> | Sets the password required at the console login prompt. |
| login | Activates the password check. Without this, the password is set but never asked for. |
| exec-timeout 5 0 | Disconnects idle console sessions after 5 minutes. Prevents unattended authenticated sessions. |
| exit | Returns to Global Configuration mode. |
Step 6 — Configure SSH and Secure the VTY Lines
Part A — SSH prerequisites (must be done before restricting VTY to SSH):
SW-ACCESS-01(config)# ip domain-name dicdp.local
SW-ACCESS-01(config)# crypto key generate rsa modulus 2048
SW-ACCESS-01(config)# ip ssh version 2
| Command | What it does |
|---|---|
| ip domain-name <name> | Sets the DNS domain. Required before RSA key generation — the switch names the key pair using hostname + domain name. |
| crypto key generate rsa modulus 2048 | Generates the RSA key pair that SSH uses to encrypt remote sessions. 2048 bits is the minimum recommended size. This command is interactive — wait for the confirmation message. |
| ip ssh version 2 | Forces SSH version 2 only. SSH version 1 has known vulnerabilities and must not be used. |
Part B — VTY lines:
SW-ACCESS-01(config)# line vty 0 15
SW-ACCESS-01(config-line)# password Str0ng@Pass1
SW-ACCESS-01(config-line)# login
SW-ACCESS-01(config-line)# transport input ssh
SW-ACCESS-01(config-line)# exec-timeout 5 0
SW-ACCESS-01(config-line)# exit
| Command | What it does |
|---|---|
| line vty 0 15 | Enters Line Configuration mode for all 16 virtual terminal lines simultaneously. |
| password <password> | Sets the password for remote SSH login. |
| login | Activates the password check on these lines. |
| transport input ssh | Blocks Telnet. SSH only. Telnet sends passwords in cleartext — never allow it on a production network. |
| exec-timeout 5 0 | Disconnects idle SSH sessions after 5 minutes. |
Step 7 — Set the Login Banner
SW-ACCESS-01(config)# banner motd #
******************************************************************
AUTHORIZED ACCESS ONLY
This system is the property of Red Irish Global Services.
Unauthorized access is prohibited and will be prosecuted.
Disconnect immediately if you are not an authorized user.
******************************************************************
#
banner motd #<text># — displays this message to every user who connects, before the login prompt. The # is the delimiter marking the start and end of the banner text. Required in most jurisdictions as a prerequisite for prosecuting unauthorized access.
Step 8 — Create the VLANs
SW-ACCESS-01(config)# vlan 10
SW-ACCESS-01(config-vlan)# name USERS
SW-ACCESS-01(config-vlan)# exit
SW-ACCESS-01(config)# vlan 99
SW-ACCESS-01(config-vlan)# name MANAGEMENT
SW-ACCESS-01(config-vlan)# exit
| Command | What it does |
|---|---|
| vlan <id> | Creates the VLAN (if it does not exist) and enters VLAN Configuration mode. |
| name <name> | Assigns a human-readable label. Appears in show vlan brief output. |
| exit | Returns to Global Configuration mode. VLANs must be created before ports can be assigned to them. |
The point: VLAN 10 carries user traffic. VLAN 99 carries only management traffic to and from the switch itself. They are intentionally separate — a user PC on VLAN 10 cannot directly reach the switch management interface on VLAN 99.
Step 9 — Assign Access Ports to VLANs
Fa0/1 — PC1 — VLAN 10:
SW-ACCESS-01(config)# interface fastethernet 0/1
SW-ACCESS-01(config-if)# switchport mode access
SW-ACCESS-01(config-if)# switchport access vlan 10
SW-ACCESS-01(config-if)# no shutdown
SW-ACCESS-01(config-if)# exit
Fa0/2 — PC2 — VLAN 10:
SW-ACCESS-01(config)# interface fastethernet 0/2
SW-ACCESS-01(config-if)# switchport mode access
SW-ACCESS-01(config-if)# switchport access vlan 10
SW-ACCESS-01(config-if)# no shutdown
SW-ACCESS-01(config-if)# exit
Fa0/3 — Admin PC — VLAN 99:
SW-ACCESS-01(config)# interface fastethernet 0/3
SW-ACCESS-01(config-if)# switchport mode access
SW-ACCESS-01(config-if)# switchport access vlan 99
SW-ACCESS-01(config-if)# no shutdown
SW-ACCESS-01(config-if)# exit
| Command | What it does |
|---|---|
| interface fastethernet 0/<n> | Enters Interface Configuration mode for the specified port. |
| switchport mode access | Explicitly sets the port as an access port. Never leave ports in the default dynamic (DTP auto-negotiation) mode: a port that will negotiate a trunk with whatever is plugged in is a VLAN hopping attack surface. |
| switchport access vlan <id> | Assigns this port to the specified VLAN. Frames arriving on this port are associated with that VLAN internally. |
| no shutdown | Enables the port administratively. |
Step 10 — Configure the Management SVI and Default Gateway
SW-ACCESS-01(config)# interface vlan 99
SW-ACCESS-01(config-if)# ip address 192.168.99.2 255.255.255.0
SW-ACCESS-01(config-if)# no shutdown
SW-ACCESS-01(config-if)# exit
SW-ACCESS-01(config)# ip default-gateway 192.168.99.1
| Command | What it does |
|---|---|
| interface vlan 99 | Creates the SVI (Switched Virtual Interface) for VLAN 99. This is the only place a Layer 2 switch receives an IP address — not on physical ports. |
| ip address <ip> <mask> | Assigns the management IP address. Administrators SSH to this address. |
| no shutdown | Brings the SVI up. The SVI will only reach up/up status when at least one active device is connected to a port in VLAN 99. |
| ip default-gateway <ip> | Tells the switch where to send traffic destined outside the local subnet. Without this, the switch cannot be managed from any other subnet. |
Step 11 — Exit and Save
SW-ACCESS-01(config)# end
SW-ACCESS-01# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
| Command | What it does |
|---|---|
| end | Exits all configuration modes and returns directly to Privileged EXEC. Equivalent to Ctrl+Z. |
| copy running-config startup-config | Writes the active configuration from RAM to NVRAM. Without this, all configuration is lost on reboot. Press Enter when prompted for the filename. |
The point: the running configuration exists only in RAM. The startup configuration is what the switch loads on boot. They are the same only after you run this command. Always save before rebooting or powering down.
Verification Commands
Run these after completing all configuration steps. Do not assume the configuration is correct — confirm it.
show vlan brief
SW-ACCESS-01# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                ...Fa0/24
10   USERS                            active    Fa0/1, Fa0/2
99   MANAGEMENT                       active    Fa0/3
Confirm: VLAN 10 shows Fa0/1 and Fa0/2. VLAN 99 shows Fa0/3. VLAN 1 shows all remaining ports; in production these unused ports should be shut down and moved to an unused (dark) VLAN. Trunk ports never appear in this output.
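As an added check (example code written for this reference, not part of the course material or of Cisco IOS), the script below parses a constructed show vlan brief text in the layout shown above, compares the port assignments with the Address Plan, and lists every port still sitting in VLAN 1; the sample output and the EXPECTED map are assumptions built from this page's topology.

```python
# Constructed sample of the "show vlan brief" output shown above (hypothetical,
# not captured from a device); the long VLAN 1 port list wraps onto a second line.
SAMPLE_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
10   USERS                            active    Fa0/1, Fa0/2
99   MANAGEMENT                       active    Fa0/3
"""

# Port-to-VLAN assignments expected from the Address Plan and Step 9.
EXPECTED = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 99}


def parse_vlan_brief(text):
    """Return {port: vlan_id}, merging the continuation lines of long port lists."""
    ports, vlan = {}, None
    for line in text.splitlines()[2:]:        # skip the column header and dashes
        fields = line.split()
        if fields and fields[0].isdigit():     # new row: id, name, status, ports...
            vlan, port_list = int(fields[0]), fields[3:]
        else:                                  # continuation row: ports only
            port_list = fields
        for port in port_list:
            ports[port.rstrip(",")] = vlan
    return ports


def check_assignments(text, expected):
    """Report ports not in their planned VLAN and unused ports still left in VLAN 1."""
    ports = parse_vlan_brief(text)
    findings = [f"{port}: expected VLAN {vlan}, found {ports.get(port)}"
                for port, vlan in expected.items() if ports.get(port) != vlan]
    findings += [f"{port}: still in VLAN 1, shut down and move to an unused VLAN"
                 for port, vlan in ports.items() if vlan == 1]
    return findings
```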
show ip interface brief
SW-ACCESS-01# show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  up                    up
FastEthernet0/3        unassigned      YES unset  up                    up
Vlan99                 192.168.99.2    YES manual up                    up
Confirm: physical ports show unassigned — correct, Layer 2 ports carry no IP. Vlan99 shows 192.168.99.2 with both Status and Protocol up. If Protocol shows down, no active device is connected to Fa0/3.
show running-config
SW-ACCESS-01# show running-config
Shows the full active configuration in RAM. Use this to confirm any specific setting. Filter to a section:
SW-ACCESS-01# show running-config | section vlan
SW-ACCESS-01# show running-config | section line
SW-ACCESS-01# show running-config interface fastethernet 0/1
show startup-config
SW-ACCESS-01# show startup-config
Shows the configuration saved in NVRAM — what the switch will load on next boot. After copy running-config startup-config, this should match show running-config.
show ip ssh
SW-ACCESS-01# show ip ssh

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Confirm: SSH version 2.0 and status Enabled. If SSH is disabled, the RSA keys were not generated — run ip domain-name then crypto key generate rsa modulus 2048 and retry.
Test connectivity — ping from PC1 to PC2
Open the command prompt on PC1 and run:
ping 192.168.10.20
Expected result:
Reply from 192.168.10.20: bytes=32 time<1ms TTL=128
Reply from 192.168.10.20: bytes=32 time<1ms TTL=128
Reply from 192.168.10.20: bytes=32 time<1ms TTL=128
Reply from 192.168.10.20: bytes=32 time<1ms TTL=128
Four replies with zero packet loss confirms both PCs are in VLAN 10 and the switch is forwarding correctly.
Test management access — SSH from Admin PC to switch
From Admin PC (192.168.99.10), open an SSH client and connect to 192.168.99.2. You should see the banner, then the login prompt. Enter the VTY password and confirm you reach SW-ACCESS-01>.
Complete Configuration — All Commands in Sequence
enable
configure terminal
hostname SW-ACCESS-01
enable secret Str0ng@Pass1
service password-encryption
line console 0
password Str0ng@Pass1
login
exec-timeout 5 0
exit
ip domain-name dicdp.local
line vty 0 15
password Str0ng@Pass1
login
transport input ssh
exec-timeout 5 0
exit
banner motd #
******************************************************************
AUTHORIZED ACCESS ONLY
This system is the property of Red Irish Global Services.
Unauthorized access is prohibited and will be prosecuted.
Disconnect immediately if you are not an authorized user.
******************************************************************
#
vlan 10
name USERS
exit
vlan 99
name MANAGEMENT
exit
interface fastethernet 0/1
switchport mode access
switchport access vlan 10
no shutdown
exit
interface fastethernet 0/2
switchport mode access
switchport access vlan 10
no shutdown
exit
interface fastethernet 0/3
switchport mode access
switchport access vlan 99
no shutdown
exit
interface vlan 99
ip address 192.168.99.2 255.255.255.0
no shutdown
exit
ip default-gateway 192.168.99.1
end
Then from Privileged EXEC, re-enter Global Configuration mode for the two SSH commands (both are Global Configuration commands, as in Step 6 and the quick reference), return to Privileged EXEC and save:
configure terminal
crypto key generate rsa modulus 2048
ip ssh version 2
end
copy running-config startup-config
The point: crypto key generate rsa is interactive — it cannot be pasted with the rest of the block. Run it separately after the paste completes, then run ip ssh version 2 and save.
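As an added check (example code written for this reference, not part of the course material or of Cisco IOS), the script below audits a running-config against the hardening points of Steps 4 to 9: enable secret, service password-encryption, ip ssh version 2, login and exec-timeout on console and VTY lines, transport input ssh on the VTY lines, and switchport mode access on every FastEthernet port. The sample config text is constructed (placeholder secret and type-7 strings) and the parser assumes the layout IOS prints for show running-config: a block header, then sub-commands indented by one space.

```python
# Constructed running-config (hypothetical, not from a device); Fa0/2 deliberately lacks switchport mode access.
SAMPLE_RUNNING_CONFIG = """\
enable secret 5 $1$EXAMPLE$placeholderhash
service password-encryption
ip ssh version 2
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 10
line con 0
 password 7 PLACEHOLDER
 exec-timeout 5 0
 login
line vty 0 15
 password 7 PLACEHOLDER
 exec-timeout 5 0
 login
 transport input ssh
"""

def sections(config, prefix):
    """Map each block header starting with prefix to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(prefix):
            current = line.strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # a "!" or another top-level command ends the block
    return blocks

def audit(config):
    """Return the hardening gaps from Steps 4-9 that a running-config still has."""
    lines, findings = config.splitlines(), []
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("enable secret missing")
    for cmd in ("service password-encryption", "ip ssh version 2"):
        if cmd not in lines:
            findings.append(f"{cmd} missing")
    # Console and VTY blocks must check a password and time out; VTY must be SSH-only.
    for hdr, body in {**sections(config, "line con"), **sections(config, "line vty")}.items():
        if not any(l.startswith("login") for l in body):
            findings.append(f"{hdr}: login missing (password never checked)")
        if not any(l.startswith("exec-timeout") for l in body):
            findings.append(f"{hdr}: exec-timeout missing (default idle timeout applies)")
        if hdr.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{hdr}: transport input ssh missing (Telnet allowed)")
    # Access ports must be pinned to access mode so DTP cannot negotiate a trunk.
    for hdr, body in sections(config, "interface FastEthernet").items():
        if "switchport mode access" not in body:
            findings.append(f"{hdr}: switchport mode access missing (DTP dynamic mode)")
    return findings
```

Feed it the text of show running-config from the switch instead of the sample; an empty list means every checked point from this reference is present.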
Command Quick Reference
| Command | Mode | What it does |
|---|---|---|
| enable | User EXEC | Enter Privileged EXEC mode |
| configure terminal | Privileged EXEC | Enter Global Configuration mode |
| hostname <name> | Global config | Set the switch hostname |
| enable secret <pw> | Global config | Set MD5-hashed privileged mode password |
| service password-encryption | Global config | Apply type-7 cipher to all plaintext passwords |
| line console 0 | Global config | Enter console line config |
| line vty 0 15 | Global config | Enter VTY lines config (remote access) |
| password <pw> | Line config | Set line password |
| login | Line config | Activate the password check |
| exec-timeout <min> <sec> | Line config | Auto-disconnect idle sessions |
| transport input ssh | Line config | Restrict remote access to SSH only |
| ip domain-name <name> | Global config | Set domain name (required before RSA key generation) |
| crypto key generate rsa modulus 2048 | Global config | Generate RSA key pair for SSH |
| ip ssh version 2 | Global config | Force SSH version 2 only |
| banner motd #<text># | Global config | Set pre-login warning message |
| vlan <id> | Global config | Create VLAN and enter VLAN config mode |
| name <name> | VLAN config | Assign name to VLAN |
| interface fastethernet 0/<n> | Global config | Enter interface config for a port |
| interface vlan <id> | Global config | Enter SVI config |
| switchport mode access | Interface config | Set port as access port |
| switchport access vlan <id> | Interface config | Assign port to VLAN |
| no shutdown | Interface config | Enable the interface |
| ip address <ip> <mask> | Interface config | Assign IP to SVI |
| ip default-gateway <ip> | Global config | Set gateway for off-subnet management |
| end | Any config mode | Return to Privileged EXEC immediately |
| exit | Any mode | Go up one level in the mode hierarchy |
| copy running-config startup-config | Privileged EXEC | Save configuration to NVRAM |
| show running-config | Privileged EXEC | Display active configuration in RAM |
| show startup-config | Privileged EXEC | Display saved configuration in NVRAM |
| show vlan brief | Privileged EXEC | Display VLANs and port assignments |
| show ip interface brief | Privileged EXEC | Display interface IP and status |
| show ip ssh | Privileged EXEC | Display SSH version and status |
Document History
| Version | Date | Changes |
|---|---|---|
| v1.0 | [date] | Initial creation. Step-by-step command reference for basic Cisco 2960 switch configuration: all six IOS modes, 11 configuration steps (hostname, enable secret, password encryption, console security, SSH prerequisites, VTY security, banner, VLAN creation, access port assignment, management SVI with dedicated VLAN 99, default gateway, save), verification commands with accurate expected output, complete configuration block, and command quick reference table. Incorporates all corrections from validation of the source guide: security configuration added (enable secret, console password, VTY password, SSH, banner), dedicated management VLAN 99 separated from user VLAN 10, show command expected outputs corrected to match actual IOS format, no shutdown added to physical ports, ip default-gateway added, Line Configuration mode included. |
═══════════════════════════════════════════════════════════════════
Red Irish Global Services | DICDP | CIS Track | FNC DICDP-CIS-FNC-D03-CMDREF-v1 | Issued: [date]
═══════════════════════════════════════════════════════════════════