Deploying a Cisco Catalyst 9300 Series switch in an enterprise environment requires careful Day-0 planning. From initial console access to secure remote management, the first configuration sets the foundation for network security, manageability, and operational efficiency. Missteps during Day-0—especially regarding default credentials and SSH setup—can lead to security gaps or deployment delays.
This guide provides a production-ready workflow that combines practical commands, security best practices, and procurement considerations, helping network engineers, IT administrators, and enterprise teams deploy new switches efficiently.
Table of Contents
- Part 1: The Day-0 Imperative
- Part 2: Step 1 – Establishing Console Access
- Part 3: Step 2 – Securing Local and Privileged Access
- Part 4: Step 3 – Configuring Management Interface and SSH
- Part 5: Step 4 – Locking Down Remote Access
- Part 6: Step 5 – Verification and Deployment Checks
- Part 7: Procurement and Deployment Considerations
- Part 8: Conclusion and Best Practices
- Part 9: FAQ

Part 1: The Day-0 Imperative
The Cisco Catalyst 9300 runs on IOS XE and supports advanced features like hardware-anchored Secure Boot and MACsec encryption. Day-0 configuration ensures the switch moves from factory defaults to a secure, remotely manageable device ready for integration with centralized management platforms such as Cisco Catalyst Center (formerly Cisco DNA Center) or Meraki.
Key objectives of Day-0:
- Remove default or blank credentials
- Configure secure privileged access
- Enable SSH for encrypted remote management
- Apply basic access restrictions (ACL or AAA)
- Prepare the switch for enterprise integration
Skipping these steps can leave the device vulnerable, delay deployment, and create operational headaches.
Part 2: Step 1 – Establishing Console Access
Initial configuration requires a direct console connection.
Connecting the cable:
- Cisco 9300 console port (RJ-45)
- RJ-45 to DB9 or USB-to-Serial adapter to PC
- Terminal emulator: PuTTY, SecureCRT, or TeraTerm
Terminal settings:
| Setting | Value |
| --- | --- |
| Speed (Baud) | 9600 |
| Data Bits | 8 |
| Stop Bits | 1 |
| Parity | None |
| Flow Control | None or XON/XOFF |
Default Credentials: A fresh 9300 usually ships with no password; press Enter when prompted. Never leave a production switch on default settings.
Part 3: Step 2 – Securing Local and Privileged Access
Once connected, proceed to Global Configuration Mode:
1. Set Hostname
Switch> enable
Switch# configure terminal
Switch(config)# hostname C9300-Branch-01
2. Configure Local User Account
C9300-Branch-01(config)# username admin privilege 15 secret Your$tr0ngP@ssw0rd!
3. Enable Secret (Privilege Mode Password)
C9300-Branch-01(config)# enable secret StrongEnable$ecret
4. Encrypt All Plain Text Passwords
C9300-Branch-01(config)# service password-encryption
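These steps secure local access and keep passwords from appearing in clear text in the configuration file. Note that service password-encryption only applies reversible type 7 obfuscation to passwords that would otherwise be stored in clear text; the secret keyword used above stores a one-way hash, so prefer secret over password wherever it is available.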
Part 4: Step 3 – Configuring Management Interface and SSH
Remote access requires the switch to be reachable via IP.
1. Configure Management VLAN (SVI)
C9300-Branch-01(config)# interface vlan 10
C9300-Branch-01(config-if)# ip address 192.168.10.5 255.255.255.0
C9300-Branch-01(config-if)# no shutdown
2. Set Domain Name (Required for SSH)
C9300-Branch-01(config)# ip domain-name company.local
3. Generate RSA Key
C9300-Branch-01(config)# crypto key generate rsa modulus 2048
A modulus of at least 2048 bits is recommended; shorter RSA keys are considered weak.
Part 5: Step 4 – Locking Down Remote Access
1. Configure VTY Lines for SSH Only
C9300-Branch-01(config)# line vty 0 15
C9300-Branch-01(config-line)# transport input ssh
C9300-Branch-01(config-line)# login local
C9300-Branch-01(config-line)# exec-timeout 10 0
2. Secure Console Port
C9300-Branch-01(config)# line console 0
C9300-Branch-01(config-line)# login local
C9300-Branch-01(config-line)# logging synchronous
3. Optional ACL for Management Access
C9300-Branch-01(config)# access-list 10 permit 10.0.0.0 0.0.0.255
C9300-Branch-01(config)# line vty 0 15
C9300-Branch-01(config-line)# access-class 10 in
The ACL ensures that only authorized subnets can open an SSH session to the switch.
Part 6: Step 5 – Verification and Deployment Checks
Verification commands and expected results:
| Command | Purpose | Expected Result |
| --- | --- | --- |
| show ip ssh | Verify SSH is enabled | Version 2, operational |
| show run \| section line vty | Confirm VTY restricted to SSH | transport input ssh |
| ping 192.168.10.5 | Check connectivity | Successful replies |
| ssh admin@192.168.10.5 | Test secure access | Prompt for admin password |
Save Configuration
C9300-Branch-01# write memory
Part 7: Procurement and Deployment Considerations
When procuring new Cisco 9300 switches:
- Router-switch provides in-stock genuine hardware, fast quotation, global delivery, and flexible payment options.
- Validate Serial Numbers (S/N) to ensure warranty eligibility and avoid gray-market risk.
- Consider project timelines: Day-0 preparation ensures fast integration without rework.
- Align Day-0 security with enterprise AAA policies to minimize future operational risk.
Part 8: Conclusion and Best Practices
Day-0 configuration sets the foundation for a secure, reliable, and manageable Cisco 9300 deployment. By following these steps:
- Default credentials are removed
- Local accounts and privilege levels are secured
- SSH access is properly configured
- Management interfaces are ready and restricted
- Compliance with enterprise security standards is ensured
This workflow reduces deployment delays, prevents unauthorized access, and standardizes switches across sites.
Part 9: FAQ
Can I use Telnet instead of SSH?
No. Telnet is unencrypted. SSH v2 is required for secure enterprise deployments.
What if my RADIUS/TACACS+ server is unreachable?
Always configure a local fallback admin account to ensure Day-0 access.
Are default passwords set on Cisco 9300?
Fresh 9300 switches ship without passwords; pressing Enter accesses the CLI. Immediate password setup is essential.
Can I restrict management access by subnet?
Yes, use ACLs on VTY lines or integrate with AAA for centralized control.
How do I verify SSH is working?
Use show ip ssh, show run | section line vty, and attempt a remote SSH login from a trusted host.
