Thu, June 12, 2025 · 2 min read

CCNA Lab 1: Switch Initial Configuration and Hostnames

Before you configure VLANs or trunking, every switch needs a proper identity and secure access. This is the foundation.

Console Access

Connect via console cable (9600 baud, 8-N-1):

screen /dev/ttyUSB0 9600

Or on Windows, use PuTTY serial connection at 9600.

Initial Configuration Dialogue

When you power on a new switch, it may prompt the initial configuration dialog. Always answer no and configure manually:

Would you like to enter the initial configuration dialog? [yes/no]: no

Global Settings

Enter global configuration mode:

enable
configure terminal

Set Hostname

hostname ACCESS-SW-1

Use a consistent naming convention: {role}-{location}-{number}. Examples:

  • ACCESS-SW-FLOOR1-01
  • DIST-SW-DC1-02
  • CORE-SW-MAIN-01

A legal banner is important because it warns anyone connecting that the device is for authorized use only:

banner motd ^
UNAUTHORIZED ACCESS PROHIBITED.
This device is for authorized personnel only.
All activity is monitored and logged.
^

Secure Passwords

enable secret MyStr0ng!Pass
service password-encryption
security passwords min-length 8

The enable secret command uses MD5 hashing. service password-encryption encrypts all plaintext passwords in the config (weak but better than nothing).

SSH Configuration

Disable Telnet, enable SSH:

ip domain-name rootlog.in
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
 
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0

Create Local User

username admin privilege 15 secret StrongAdminPass!
username netop privilege 5 secret ReadOnlyPass!

Privilege levels: 15 = full access, 5 = read-mostly, 1 = view-only.

Save Configuration

copy running-config startup-config

Or the abbreviated version every engineer uses:

wr

Verification Commands

show running-config | section hostname
show ip ssh
show ssh
show users
show privilege

Common Pitfalls

  • Forgetting transport input ssh: VTY lines default to all protocols including Telnet. Always restrict to SSH only.
  • Weak RSA key size: Use 2048-bit minimum. 1024-bit is deprecated.
  • No exec-timeout: Idle sessions stay open indefinitely. Always set a timeout.
  • enable password vs enable secret: Never use enable password (plaintext). Always use enable secret (hashed).
  • Skipping domain name: SSH key generation requires ip domain-name or it will fail.
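
An offline check for the pitfalls above, added here as an example (it is not part of the original lab): it scans saved configuration text for the settings this section warns about. The audit function, its finding strings and both sample configs are constructed for illustration; RSA key size is not covered.

```python
import re

# Constructed sample configs for illustration (not captured from a device).
WEAK_CONFIG = """\
enable password cisco
line vty 0 4
 login local
 exec-timeout 0 0
line vty 5 15
 transport input telnet ssh
 login local
"""
HARDENED_CONFIG = """\
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
ip domain-name rootlog.in
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
 exec-timeout 10 0
"""
# A "line vty" header followed by its indented sub-commands.
VTY_BLOCK = re.compile(r"^(line vty .*)\n?((?: .*\n?)*)", re.M)

def audit(config):
    """Return findings for the pitfalls listed above (hypothetical helper)."""
    findings = []
    if re.search(r"^enable password\b", config, re.M):
        findings.append("enable password present (use enable secret)")
    if not re.search(r"^enable secret\b", config, re.M):
        findings.append("enable secret missing")
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("ip domain-name missing (needed for RSA key generation)")
    if not re.search(r"^ip ssh version 2\b", config, re.M):
        findings.append("ip ssh version 2 missing")
    for match in VTY_BLOCK.finditer(config):
        header = match.group(1).strip()
        body = [line.strip() for line in match.group(2).splitlines()]
        if "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not SSH-only")
        if "login local" not in body:
            findings.append(f"{header}: login local missing")
        # Assumption: an absent exec-timeout line means the platform default applies.
        if "exec-timeout 0 0" in body or "no exec-timeout" in body:
            findings.append(f"{header}: exec-timeout disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)))
```

Each VTY range is checked separately, so a hardened "line vty 0 4" does not hide a Telnet-enabled "line vty 5 15".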

Best Practice Checklist

  • Hostname follows naming convention
  • MOTD banner with legal notice
  • Enable secret with strong password
  • SSH v2 only, port 22
  • Local users with privilege levels
  • Exec timeout on VTY lines
  • service password-encryption enabled
  • logging synchronous on console and VTY
  • no ip domain-lookup (prevents accidental DNS hangs)
  • wr after every change

One-Liner Quick Config

hostname SW-1; enable secret cisco; ip domain-name lab.local; crypto key gen rsa mod 2048; ip ssh ver 2; username admin priv 15 secret pass; line vty 0 15; transport input ssh; login local; exec-timeout 10 0; end; wr

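This configures a basic switch in under 30 seconds, useful for lab environments. Cisco IOS does not treat ; as a command separator, so when pasting, put each command on its own line, starting from global configuration mode.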