
Cisco Catalyst 3750 Series Switch Configuration

A quick reference guide for configuring the Cisco Catalyst 3750 Series Switch, covering essential commands, user setup, SSH configuration, and troubleshooting tips.


Official documentation

Command aliases

Command               Alias
configure terminal    conf t
show                  sho
show running-config   sho ru


Factory reset switch

Press and hold the ‘MODE’ button for ~10 seconds.

Lights should start blinking after 3 seconds, and stop blinking 7 seconds later. Release button once they stop blinking.


Create a maximum privilege user

! Turn on privileged commands if your shell is 'Host>' rather than 'Host#'.
Host> enable

! Enter configuration mode
Host# configure terminal

! Create user 'admin' and define privilege level '15' and plaintext secret 'insecure'
Host(config)# username admin privilege 15 secret 0 insecure

Test running-config changes

Show the running config. We use do to access the upper-menu command show. If you exit the ‘config’ mode/menu with exit, you no longer need to use do.

Host(config)# do show running-config

Try logging in on another session with your new user. You should go directly into privileged mode with #:

Host(config)# exit
Host# exit
$ ssh admin@10.20.200.1
Password: insecure
Host#

Changes currently won’t persist upon a power-cycle or reload, as they are not yet in the non-volatile ‘startup-config’:

Host(config)# do show startup-config

Undo any running-config mistakes

To disable a setting, use no. To reset a setting to factory defaults, use default. For example, to remove the admin user:

Host(config)# default username admin

Alternatively, reset the running-config back to the startup state by completely overwriting it with the contents of config.txt, the file that holds the ‘startup-config’. List the directory with dir, and read the files present with more.

Host(config)# exit
Host# configure replace config.txt

Don’t use copy startup-config running-config, as this performs a merge: running-config options are overwritten only if they also exist in startup-config, and anything else is left in place. This is a copy-paste, not a replace.

Write changes to startup-config

Write ‘running-config’ to non-volatile memory:

Host(config)# do write

Finalise your changes

The password for the ‘admin’ user will currently be in the config in plaintext. To hash the stored password in the config, power cycle the switch:

Host(config)# do reload

Set up SSH

Source: Configuring Switch-Based Authentication

hostname# configure terminal
hostname(config)# hostname Switch  ! Should already have a hostname by default
Switch(config)# ip domain name Cisco
Switch(config)# crypto key generate rsa general-keys modulus 2048
Switch(config)# line vty 0 4  ! select virtual terminal lines 0-4
Switch(config-line)# login local  ! Disable tacacs authentication so local passwords/secrets work

Hardening

Prevent telnet connections on vty 0-4. Only allow ssh:

Switch(config-line)# transport input ssh

Prevent telnet and ssh connections on vty 5-15:

Switch(config-line)# exit  ! exit vty conf 0-4
Switch(config)# line vty 5 15
Switch(config-line)# transport input none
Switch(config-line)# end  ! return to privileged exec mode

Save changes to startup-config

Switch# write  ! save to startup-config
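To check that a saved running-config actually reflects the steps above (each user stored with a hashed secret rather than a password, login local and transport input ssh on vty 0-4, transport input none on vty 5-15), here is an added Python audit script. It is not part of the original post; the sample config it parses is constructed, not captured from a real switch, and the vty split it expects is the 0-4 / 5-15 layout used in this guide.

```python
import re

# Constructed sample running-config (not from a real switch): one user still
# stored with 'password' instead of 'secret', and vty 5-15 left open.
SAMPLE_CONFIG = """\
hostname Switch
ip domain name Cisco
username admin privilege 15 secret 5 $1$EXAMPLE$hashplaceholder
username legacy privilege 15 password 0 insecure
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_sections(config):
    """Split IOS config into top-level lines and {header: [indented children]}."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blanks and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    for line in top:
        # 'password' (type 0 or 7) is recoverable; the guide uses 'secret' (hashed)
        m = re.match(r"username (\S+) .*\bpassword \d", line)
        if m:
            findings.append(f"user {m.group(1)}: uses 'password', not 'secret'")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [l for l in body if l.startswith("transport input")]
        if header == "line vty 0 4":
            if "login local" not in body:
                findings.append(f"{header}: missing 'login local'")
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not ssh-only")
        elif transports != ["transport input none"]:
            findings.append(f"{header}: transport input should be 'none'")
    return findings
```

Feed it the output of show running-config after the write; run against the constructed sample it reports the legacy user and the open vty 5-15 range and nothing else.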

Deprecated cryptography

OpenSSH has deprecated the algorithms and ciphers which this switch tries to use. To resolve this without changing any OpenSSH configuration files, I use these command-line arguments:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa -oCiphers=+aes256-cbc cisco@10.20.200.1

Change switch IP

Source: Assigning the Switch IP Address and Default Gateway

Switch# configure terminal
Switch(config)# interface Vlan1

! Static
Switch(config-if)# ip address 10.20.30.40 255.255.255.0

! DHCP
Switch(config-if)# ip address dhcp

Clear err-disabled

Check interface status

Switch# show interfaces status
...
Gi1/0/50                     err-disabled 1            auto   auto unknown
Gi1/0/51                     err-disabled 1            auto   auto unknown
Gi1/0/52                     err-disabled 1            auto   auto unknown

Clear error and restart interface

Switch# clear errdisable interface gigabitEthernet 1/0/52 vlan 1
Switch# configure terminal
Switch(config)# interface GigabitEthernet 1/0/52
Switch(config-if)# shutdown  ! interface down
Switch(config-if)# no shutdown  ! interface up

Check interface status

Switch(config-if)# end
Switch# show interfaces status
...
Gi1/0/50                     err-disabled 1            auto   auto unknown
Gi1/0/51                     err-disabled 1            auto   auto unknown
Gi1/0/52                     notconnect   1            auto   auto unknown