A practical setup procedure for Cisco Catalyst 9000-series Layer 3 switches running IOS-XE — focused on the C9300 and C9500. Covers the day-zero steps that most setup guides skip: Plug-and-Play disable, Smart Licensing registration, management VRF isolation, SVI routing, HSRP gateway redundancy, access-port hardening, and stack configuration.
Audience: network engineers and IT directors deploying or refreshing Catalyst 9000 infrastructure in enterprise campus environments. Assumes familiarity with IOS-XE CLI, VLAN concepts, and basic routing.
Which Catalyst model are you actually deploying?
Cisco’s enterprise L3 switch lineup splits into four roles. Picking the right model is the first decision and the one that’s hardest to undo.
| Model family | Role | Typical use | L3 throughput |
|---|---|---|---|
| Catalyst 9200 / 9200L | Access with limited L3 | Branch, small campus access | Up to 80 Gbps |
| Catalyst 9300 / 9300X | Stackable access / small distribution | Most common enterprise L3 access | 400-1000 Gbps |
| Catalyst 9400 | Modular chassis | Aggregation, dense access | Up to 9 Tbps |
| Catalyst 9500 | Fixed core / aggregation | Distribution / core | Up to 4 Tbps |
| Catalyst 9600 | Modular core | Campus core / very large distribution | Up to 25.6 Tbps |
| Nexus 9300 / 9500 | Data center fabric | DC top-of-rack, spine-leaf | NX-OS — different procedure |
A typical three-tier campus uses the 9200 at access, 9300 at distribution, and 9500 at the core (Figure 01).
Figure 01 · Three-tier campus topology
Legacy 3850, 3650, and 4500-X are still in production but hit End-of-Software-Support in 2025-2026 — new deployments should default to C9000.
Before unboxing — decisions to lock down
Five questions, all answered on paper before the switch leaves the box:
1. What’s the role and physical location? Top-of-rack? Distribution? Campus core? The role determines uplink architecture (LACP to two upstream cores? StackWise Virtual pair?) and whether you need to peer with anything via OSPF/BGP.
2. What’s the management plan? Out-of-band management network is the right answer for any production Catalyst. The C9300 has a dedicated GigabitEthernet0/0 management port physically isolated from the data-plane ports — use it. In-band management on the SVI works but loses you access the moment you fat-finger an ACL.
3. What’s the IP plan? Management IP, every SVI subnet, every routed port, every BGP/OSPF peer. Document in NetBox, phpIPAM, or whatever your IPAM of record is. Spreadsheets get stale.
4. What software version? Cisco publishes a Suggested Release per platform on the release-tracking page. As of late 2025, that’s IOS-XE 17.9.x or 17.12.x on the C9300 — not 17.15 (too new, bug curve still ascending) and not 17.3 (too old, security patches stopping).
5. Are you using Cisco DNA Center / Catalyst Center? If yes, the switch can self-onboard via Plug and Play. If no, you’ll be doing this by hand — and you’ll want to disable PnP before the first boot.
Physical setup and first power-on
Rack, ground (rack ground bonding to the chassis ground lug, not just the chassis screw), cable: dual PSUs to dual circuits, console cable to your laptop, uplinks unplugged for now. Console settings: 9600 8N1, no flow control. The C9300X and newer C9500 ship with both RJ-45 serial and USB-C console — same settings, different device path.
The C9300 boot sequence: ROMMON loader (~10s) → IOS-XE bootloader (~30s) → Linux kernel and IOSd (~90s) → “Press RETURN to get started” — but if PnP is enabled (the default), it will attempt DHCP and DNS-based PnP discovery for 5-10 minutes before giving up. Press RETURN to skip.
Factory-reset a refurb/return-from-stock unit before anything else:
Switch# write erase Switch# delete /force flash:vlan.dat Switch# factory-reset all secure 1-pass Switch# reload
Disable PnP if you’re not using Catalyst Center
First command on a non-DNA-managed switch. Skip it and every reboot hangs 10 min on PnP discovery.
Disable the zero-touch profile and the startup-VLAN trigger
Switch# configure terminal Switch(config)# pnp profile pnp-zero-touch Switch(config-pnp-init)# no transport http Switch(config-pnp-init)# exit Switch(config)# no pnp startup-vlan Switch(config)# end Switch# write memory
On newer code (IOS-XE 17.6+): pnpa service discovery stop from privileged-exec mode achieves the same in one command.
Set hostname, time, admin user
Hostname, NTP, domain
Switch(config)# hostname dc1-distr-c9300-01 dc1-distr-c9300-01(config)# clock timezone EST -5 0 dc1-distr-c9300-01(config)# ntp server 10.0.0.10 prefer dc1-distr-c9300-01(config)# ntp server 10.0.0.11 dc1-distr-c9300-01(config)# ntp source GigabitEthernet0/0 dc1-distr-c9300-01(config)# ip domain name corp.example.com
Strong admin user, disable defaults
dc1-distr-c9300-01(config)# username netadmin privilege 15 algorithm-type scrypt secret <STRONG_PASSWORD> dc1-distr-c9300-01(config)# no username admin dc1-distr-c9300-01(config)# no username cisco dc1-distr-c9300-01(config)# enable algorithm-type scrypt secret <STRONG_ENABLE_PASSWORD> dc1-distr-c9300-01(config)# service password-encryption
Scrypt (secret 9) is the strongest password hash IOS-XE supports. Default admin and cisco accounts ship enabled on some refurb units — always disable.
Smart Licensing — the step that breaks most fresh deployments
IOS-XE 16.10+ requires Smart Licensing. IOS-XE 17.3.2+ uses Smart Licensing Using Policy (SLUP). Both grant a 90-day eval period. After 90 days without registration: feature throttling, persistent CLI warnings, logged enforcement events that auditors will ask about.
Register during initial deployment, not after the 90-day timer expires. Re-registration after enforcement triggers requires Cisco TAC intervention on some platforms. The CSSM token install is a 30-second step; the recovery if you miss the window is hours.
Three deployment paths: direct CSSM (internet-connected), on-prem SSM (your local appliance syncs to Cisco), or air-gapped reservation (SLR/PLR — manual code exchange).
dc1-distr-c9300-01(config)# license smart transport smart dc1-distr-c9300-01(config)# license smart url default dc1-distr-c9300-01# license smart trust idtoken <TOKEN_FROM_CSSM> all
Verify with show license summary, show license status, show license usage. Status should read REGISTERED and AUTHORIZED — not EVAL.
Configure management VLAN and SSH
Use the dedicated management interface (GigabitEthernet0/0) for OOB. It’s in a separate VRF (Mgmt-vrf) by default and isolated from the data plane.
dc1-distr-c9300-01(config)# interface GigabitEthernet0/0 dc1-distr-c9300-01(config-if)# description OOB-MGMT dc1-distr-c9300-01(config-if)# vrf forwarding Mgmt-vrf dc1-distr-c9300-01(config-if)# ip address 10.99.99.10 255.255.255.0 dc1-distr-c9300-01(config-if)# no shutdown dc1-distr-c9300-01(config)# ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.99.99.1 dc1-distr-c9300-01(config)# ip ssh version 2 dc1-distr-c9300-01(config)# crypto key generate rsa modulus 2048 label SSH-KEY dc1-distr-c9300-01(config)# line vty 0 15 dc1-distr-c9300-01(config-line)# transport input ssh dc1-distr-c9300-01(config-line)# login local dc1-distr-c9300-01(config-line)# access-class MGMT-ACL in vrf-also dc1-distr-c9300-01(config)# ip access-list standard MGMT-ACL dc1-distr-c9300-01(config-std-nacl)# permit 10.0.0.0 0.255.255.255 dc1-distr-c9300-01(config-std-nacl)# deny any log
vrf forwarding Mgmt-vrf isolates management traffic from the data plane. crypto key generate rsa with explicit label is required or SSH fails silently. access-class ... vrf-also matches both default and management VRF; without vrf-also, Mgmt-vrf bypasses the ACL entirely.
Configure Layer 3 routing
Enable IP routing globally:
dc1-distr-c9300-01(config)# ip routing dc1-distr-c9300-01(config)# ipv6 unicast-routing
Create VLANs and their SVIs. The SVI is a virtual L3 interface bound to a VLAN — its IP becomes the gateway for hosts in that VLAN (Figure 02 shows the routing flow).
dc1-distr-c9300-01(config)# vlan 10 dc1-distr-c9300-01(config-vlan)# name USERS dc1-distr-c9300-01(config)# interface Vlan10 dc1-distr-c9300-01(config-if)# ip address 10.10.10.1 255.255.255.0 dc1-distr-c9300-01(config-if)# ip helper-address 10.0.0.50 dc1-distr-c9300-01(config-if)# no shutdown
Figure 02 · SVI inter-VLAN routing flow
Internally, the switch performs five decision stages in hardware ASIC at wire speed (Figure 03):
Figure 03 · VLAN → SVI → routing-table data path
RFC 1812 defines the host-routing behavior the SVI implements. The L3 switch is a high-speed hardware router with embedded L2 ports.
ip helper-address forwards DHCP broadcasts to your DHCP server — without it, users in the VLAN never receive a DHCP lease. The relay rewrites the broadcast as a unicast packet routed to the configured helper IP (Figure 07 shows the flow).
Choose a routing protocol. OSPF is the most common for new Cisco campus deployments:
dc1-distr-c9300-01(config)# router ospf 1 dc1-distr-c9300-01(config-router)# router-id 10.99.99.10 dc1-distr-c9300-01(config-router)# passive-interface default dc1-distr-c9300-01(config-router)# no passive-interface TenGigabitEthernet1/1/1 dc1-distr-c9300-01(config-router)# no passive-interface TenGigabitEthernet1/1/2 dc1-distr-c9300-01(config-router)# network 10.0.0.0 0.255.255.255 area 0 dc1-distr-c9300-01(config-router)# auto-cost reference-bandwidth 100000 dc1-distr-c9300-01(config-router)# bfd all-interfaces
Default OSPF hello/dead intervals give 40-second failover. Bidirectional Forwarding Detection (BFD) drops detection to sub-second by sending lightweight 50ms hello packets. Production campus cores should always enable BFD on OSPF interfaces.
OSPF area design on a 9500 core
A two-9500 core typically runs all routers in OSPF area 0 (the backbone area), with the distribution switches as additional area 0 members. For larger campuses, distribution switches can run their own areas with the cores as ABRs — but that’s only worth the complexity above ~20 routers per area. Figure 04 shows the simple two-core layout.
Figure 04 · OSPF area 0 design — two cores, four distribution switches
Gateway redundancy with HSRP
A single L3 switch as the default gateway for hundreds of users is a single point of failure. Hot Standby Router Protocol (HSRP, Cisco proprietary) and Virtual Router Redundancy Protocol (VRRP, RFC 5798) both solve this by presenting a virtual IP that two physical switches share (Figure 05).
Use HSRP for all-Cisco environments (simpler config, slightly faster HSRPv2 convergence). Use VRRP for mixed-vendor (standards-based). Functionally equivalent for the common case.
# core-01 (active) dc1-core-c9500-01(config-if)# standby version 2 dc1-core-c9500-01(config-if)# standby 10 ip 10.10.10.1 dc1-core-c9500-01(config-if)# standby 10 priority 110 dc1-core-c9500-01(config-if)# standby 10 preempt dc1-core-c9500-01(config-if)# standby 10 authentication md5 key-string <HSRP_KEY> # core-02 (standby) dc1-core-c9500-02(config-if)# standby version 2 dc1-core-c9500-02(config-if)# standby 10 ip 10.10.10.1 dc1-core-c9500-02(config-if)# standby 10 priority 100 dc1-core-c9500-02(config-if)# standby 10 preempt
Figure 05 · HSRP gateway redundancy
Hosts in VLAN 10 set their default gateway to 10.10.10.1 (the virtual IP). preempt ensures the higher-priority router takes ownership back when it returns.
Cisco-specific hardening & LACP uplinks
The Catalyst defaults are tuned for “deploy fast in a lab” — production needs more. Apply the Cisco IOS-XE Hardening Guide in full; this section is the highest-impact subset, mapped to NIST SP 800-53 Rev 5 control families AC-3, AC-17, AU-2, SC-7, SC-8.
Disable services running by default
dc1-distr-c9300-01(config)# no ip http server dc1-distr-c9300-01(config)# no ip http secure-server dc1-distr-c9300-01(config)# no service pad dc1-distr-c9300-01(config)# no service finger dc1-distr-c9300-01(config)# no service tcp-small-servers dc1-distr-c9300-01(config)# no service udp-small-servers
LACP port-channel uplinks
Inter-switch uplinks should always use LACP for both throughput and resilience (Figure 06).
Figure 06 · LACP port-channel uplink
dc1-distr-c9300-01(config)# interface range TenGigabitEthernet1/1/1 - 2 dc1-distr-c9300-01(config-if-range)# channel-group 1 mode active dc1-distr-c9300-01(config)# interface Port-channel1 dc1-distr-c9300-01(config-if)# switchport mode trunk dc1-distr-c9300-01(config-if)# switchport trunk allowed vlan 10,20,99
DHCP snooping and Dynamic ARP Inspection
These prevent rogue DHCP servers and ARP-spoofing attacks. Trust only the uplinks. Figure 07 shows the DHCP relay packet flow.
Figure 07 · DHCP relay (ip helper-address) flow
ip helper-address. The SVI catches the client’s broadcast DISCOVER, rewrites it as a unicast packet to the configured helper address, and routes it to the DHCP server in a different VLAN.dc1-distr-c9300-01(config)# ip dhcp snooping dc1-distr-c9300-01(config)# ip dhcp snooping vlan 10,20 dc1-distr-c9300-01(config)# ip arp inspection vlan 10,20 dc1-distr-c9300-01(config)# interface Port-channel1 dc1-distr-c9300-01(config-if)# ip dhcp snooping trust dc1-distr-c9300-01(config-if)# ip arp inspection trust
SNMPv3, TACACS+, remote syslog
Never SNMPv2c in production (cleartext community). Centralize auth via TACACS+ with local fallback. Ship logs to remote syslog from day one — the logs that matter during an incident are the ones from before the incident.
Stack configuration (Catalyst 9300)
The C9300 stacks up to 8 units via StackWise-480 (480 Gbps backplane). The newer C9300X family upgrades to StackWise-1T (1 Tbps). Either way, the stack appears as a single logical switch with a single management IP and config (Figure 08).
Figure 08 · StackWise ring topology
Do not mix IOS-XE versions across stack members. A stack with mismatched versions enters version-mismatch mode and one or more members drop offline until versions converge via auto-upgrade. Always pre-stage matching versions or schedule a maintenance window long enough to absorb the auto-upgrade reload.
Verify, save, document
The Cisco-specific verification commands you actually need:
dc1-distr-c9300-01# show version dc1-distr-c9300-01# show inventory dc1-distr-c9300-01# show interfaces status dc1-distr-c9300-01# show ip route dc1-distr-c9300-01# show ip ospf neighbor dc1-distr-c9300-01# show etherchannel summary dc1-distr-c9300-01# show standby brief dc1-distr-c9300-01# show ip dhcp snooping dc1-distr-c9300-01# show license summary dc1-distr-c9300-01# show switch dc1-distr-c9300-01# write memory
Document everything in your IPAM/CMDB: device name, model, serial, IOS-XE version, Smart Licensing status, rack location, uplinks, purchase date, SMARTnet expiration. Set up automated config backups via Oxidized or RANCID from day one.
Common day-one mistakes specific to Cisco IOS-XE
- Skipping Smart Licensing registration. Day 91 brings throttling. Configure CSSM transport on day 1.
- Leaving PnP enabled on a non-DNA shop. Every reboot hangs 10 min on PnP discovery.
- Forgetting
crypto key generate rsabefore SSH. No keys = silent SSH failures. - Mixing IOS-XE versions in a stack. Members go offline mid-day.
- TACACS without
localfallback. TACACS goes down → driving to the data center. - Forgetting
vrf-alsoon VTY access-class. Mgmt-vrf bypasses the ACL entirely. - Default-allowing all VLANs on trunk ports. Every broadcast crosses every link.
- Skipping
passive-interface defaulton OSPF. Hello packets leak to user SVIs. - No automated config backup. Switch dies, six hours rebuilding from memory.
Lifecycle — SMARTnet and what comes after
A Catalyst 9300 goes through four commercial stages: Active production with SMARTnet → End of Sale (EoS) → End of Software Maintenance (EoSWM) → End of Support (EoSL).
The Catalyst 9300 first shipped in 2017. Models from the original launch are entering EoS / EoSWM in 2026-2028. Hardware itself is mechanically reliable for another 5-7 years past these dates — the constraint is vendor support, not hardware failure.
For organizations running Catalyst hardware past Cisco’s EoSL, post-SMARTnet Cisco maintenance provides TAC-equivalent engineering support, spare parts inventory, and SLA-backed response without forcing a hardware refresh. Cisco hardware lifecycle planning helps decide which switches to refresh, which to maintain, and which to consolidate. See also multi-vendor consolidation for organizations standardizing across Cisco, Juniper, HPE, and other platforms.
When to call WUC
This guide covers routine Catalyst 9000 deployment. Escalate to WUC if any of the following apply:
- The switch is going into a regulated environment (PCI-DSS, HIPAA, SOX, FedRAMP, CJIS) and the change is outside your existing change-control window.
- You’re refreshing from an older platform (3850 / 3650 / 4500-X) and need parallel-path migration with rollback windows defined for each phase.
- The deployment is part of a multi-site rollout where configuration consistency across 10+ switches matters.
- You inherited an existing Catalyst estate with no documentation and need a baseline audit of every switch.
- Your Catalyst hardware is past Cisco’s End-of-Software-Support and you need TAC-equivalent engineering coverage.
- You’re consolidating from multiple OEM contracts (Cisco + Juniper + HPE) into a single multi-vendor support engagement.
WUC engineers run multi-OEM enterprise infrastructure — Cisco Catalyst and Nexus, Juniper EX, HPE Aruba, plus the storage and server platforms most enterprise networks touch — under tiered SLAs with peer-reviewed change documentation. See Network Maintenance and Multi-Vendor Consolidation for engagement models.