Looking for Help or a Guide for Writing Basic Config File

rjkmd · ‎07-15-2025

Good Afternoon All,

Looking for kind of a step by step guide. My org recently purchased 3 9300L switches. Two of them are 24p's and the other is a 48p. I am assuming I can write one file then make small tweaks due to the port capacity. These switches are for a lan evironment. They are very basic as its internal lab with no external connectivity. In fact there will be no services such as dns, dhcp, telnet. The only thing I will probably leave active is ssh for putty. I do need to secure them though still according to DOD Standards. These switches in fact only exist for centralized management purposes. Also would like to know once the initial configuration is done is there a web ui I can use for any further changes.

I'm normally a Systems guy and while I do know networking I do not know IOS. I am planning on using I think its CISCO IOSXE 17.15. Which that's another story because next I need to look up how to do that upgrade. Currently its like 17.09.

Enes Simnica · ‎07-15-2025

hello man. Congrats on the new gear and welcome to the world of Cisco IOS XE. yes u can definitely write one base configuration and just make minor tweaks for the 24-port and 48-port switches.

Since u're planning to run a very stripped-down environment (no DNS, DHCP, or Telnet, and only SSH for management), your config will mostly focus on basic access, management IP, SSH setup, and locking down unnecessary services. The fact that these switches are mainly for centralized management simplifies the approach even more.

Here’s a basic example of how your config might look:

hostname LAB-SW1

username admin privilege *******

ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2

interface Vlan1
 ip address 192.168.1.10 255.255.255.0
 no shutdown

ip default-gateway 192.168.1.1

line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0

no ip http server
no ip http secure-server

banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED
^C

wr

and u can use the same base config for all three switches—just update the hostname and IP for each. Once they're installed, it's a good idea to shut down any unused ports to tighten security (for example int range G1/0/2 - 1/0/48).

To upgrade to IOS XE 17.15, download the .bin file from Cisco, upload it via USB, TFTP, or SCP, and set it as the boot image. Simple and quick.

To set a new image as the boot file:

no boot system
boot system switch all flash:cat9k_lite_iosxe.17.15.x.SPA.bin
end
wr
reload

and G, most secure environments especially under DOD standards, leave the Web UI disabled. SSH offers better control, and if you're comfortable with PuTTY, it's all you need. Even in a lab, it's smart to follow basic DOD practices: use strong passwords, set exec timeouts, stick to SSH-only access, disable unused services, and log activity. For more detailed hardening, DISA provides STIGs for Cisco IOS. THats why before going live, it’s best to test everything in EVE-NG. Uu can build and tweak your configs safely there before touching production hardware.

check these links; https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-9/release_notes/ol-17-9-9300/upgrading_the_switch_software.htmlhttps://software.cisco.com/download/home/286312239/type/286289047/release/17.15.1

https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-17-15-1/model.html

https://software.cisco.com/download/home/286312239/type/286289047/release/17.15.1

hope it helps G

-Enes

more Cisco?!
more Gym?!

rjkmd · ‎07-15-2025

Also looking at your cfg file. The line below is setting the management vlan correct?
Changing the vlan is just a matter of changing the number isn't it?

interface Vlan1

Also if I wanted to run the management vlan to and ports to separate vlans how much would that complicate things.

And yes I am going to watch that video.

Thanks for everything.

rjkmd · ‎07-15-2025

I believe setting up the two separate vlans would require trunking and not sure how that complicates matters.

Enes Simnica · ‎07-15-2025

also G, this video shows all u need to know for ur situation: https://www.youtube.com/watch?v=27HVYSQqh70

enjoy!

more Cisco?!
more Gym?!

Enes Simnica · ‎07-15-2025

Hello @rjkmd Yep, u're right, int vlan1 is the default management VLAN. Changing it is as simple as using a different number, like:

int Vlan10 ip add 192.168.10.2 255.255.255.0 no shut

Then assign ports to that VLAN:

interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10

Separating management and user/data VLANs is a good idea and adds only a bit of setup—mainly VLAN assignments and basic routing if needed.

And yeah, that’d be awesome to lab out in EVE-NG first u’ll learn a ton doing it that way!

more Cisco?!
more Gym?!

wajidhassan · ‎07-15-2025

Hey @rjkmd ! Here’s a quick way to get your Cisco 9300L switches set up:

Connect to the switch and go into config mode with:

enable

configure terminal

2. Give your switch a name:

hostname Switch1

3. Set up the domain and create SSH keys:

ip domain-name yourdomain.local

crypto key generate rsa modulus 2048

4. Add a user and turn on SSH access:

username admin privilege 15 secret YourStrongPassword

ip ssh version 2

line vty 0 15

transport input ssh

login local

5. Turn off stuff you don’t need and set timeouts:

no ip http server

no ip http secure-server

no cdp run

line console 0

exec-timeout 5 0

line vty 0 15

exec-timeout 5 0

6. Set your ports (example for 24 ports):

interface range Gi1/0/1-24

switchport mode access

switchport access vlan 10

spanning-tree portfast

7. Save your changes:

write memory

You can use the same config for your 48-port switch, just change the port ranges. There’s no easy web interface built-in, so stick with SSH or look into Cisco DNA Center if you want a GUI.

For upgrading IOS XE, you’ll need to grab the new image from Cisco and update via USB or TFTP.

Hope that helps!

rjkmd · ‎07-15-2025

Can I do something like this, lol, don't laugh if there's errors. Tried to take what the two of you did plus what I was reading and come up with something for what I'd like to do. Where you see XXX is the number of the vlan. Essentially two of the switches will be in one lab. The 48p and the 24p. I am assuming I am going to have trunk them. This is what I came up with. Also can I do this in text file and use it as cfg file. Looking at using the 48p as the main switch. Ideally there would be 2 vlans. One for management and one for all the workstations.

enable

configure terminal

hostname xxxxxxx

username admin privilege *******

ip domain-name xxxxxxxx
crypto key generate rsa modulus 2048
ip ssh version 2

username admin privilege 15 secret yourstrongpassword

interface VlanXXX
ip address 192.168.X.X 255.255.255.0
no shutdown

ip default-gateway 192.168.X.X

line vty 0 4
transport input ssh
login local

no ip http server
no ip http secure-server
no cdp run
line console 0
exec-timeout 5 0
line vty 0 15
exec-timeout 5 0

banner motd ^C
UNAUTHORIZED ACCESS IS PROHIBITED
^C

switch(config)# clock timezone EST -5 0
switch(config)# clock summer-time EDT recurring
switch(config)# ntp 192.x.x.x

switchname#config
switchname (config) #vlan database
switchname (config-vlan) #vlan xxx

switchname#conf t
switchname (config) #int gi/03-48
switchname (config-if) #switchport mode access
switchname (config-if) #switchport access vlan xxx
switchname (config-if) #spanning-tree portfast

switchname#config
switchname (config-if) #int gi2
switchname (config-if) #switchport mode trunk
switchname (config-if) #switchport trunk allowed vlan xxx
switchname (config-if) #no shut
switchname (config-if) #end

write memory

Also can I ask for an explanation of the what the vty line is and the significance of 15?

made one more change to add time variables.