How to Configure Cisco Catalyst 9300X Switch from Scratch
Introduction to Cisco Catalyst 9300X Switch
The Cisco Catalyst 9300X is Cisco's next-generation fixed-core enterprise switching platform, purpose-built for high-density, high-performance campus networks. As the successor to the Catalyst 3850 and original 9300 series, the 9300X introduces support for QSFP28 uplinks, multi-gigabit PoE++, advanced ASIC-based programmability, and full Cisco IOS-XE feature parity — making it a cornerstone of modern enterprise access and distribution layer deployments.
Whether you are deploying the Catalyst 9300X as an access layer switch, distribution switch, or part of a stacked deployment, this comprehensive guide will walk you through every step of the configuration — from the very first boot to a fully operational enterprise switch.
Key Advantage: The Cisco Catalyst 9300X runs Cisco IOS-XE and supports Cisco DNA Center integration, Software-Defined Access (SD-Access), advanced telemetry with YANG/NETCONF/RESTCONF, and hardware-based MACsec encryption — all from a single platform.
Cisco Catalyst 9300X Key Features and Models
| Model | Ports | Uplinks | PoE Support |
|---|---|---|---|
| C9300X-24Y | 24 x 25G SFP28 | 4 x 100G QSFP28 | No |
| C9300X-48TX | 48 x 10G RJ45 | 4 x 25G SFP28 | No |
| C9300X-48HX | 48 x mGig + 8 x 25G | 4 x 100G QSFP28 | PoE++ (90W) |
| C9300X-48UX | 48 x mGig (2.5G/5G/10G) | 4 x 25G SFP28 | PoE++ (90W) |
Prerequisites Before You Begin
Before starting the configuration, ensure the following are ready:
- Cisco Catalyst 9300X switch powered on and physically racked
- Console cable (RJ45 to USB) or terminal emulator software (PuTTY, SecureCRT)
- Console settings: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control
- IP addressing plan (management IP, subnet, default gateway)
- VLAN design document (access VLANs, trunk VLANs, native VLAN)
- NTP server IP address
- SNMP community strings or SNMP v3 credentials
- AAA/RADIUS server details (if using 802.1X)
- Cisco Smart License account or DNA license token
- TFTP or SCP server for configuration backup
Step 1 — Initial Boot and Day Zero Setup
When the Cisco Catalyst 9300X boots for the first time, it launches an initial configuration dialog. You can either complete the wizard or skip it and configure manually. For full control, it is recommended to skip the wizard and configure manually.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]: no
Press RETURN to get started!
Switch> enable
Switch# configure terminal
Switch(config)#
Note: If the switch boots with an existing configuration, run write erase followed by reload to start from a clean state. Always confirm before erasing in a production environment.
Step 2 — Configure Hostname and Basic System Settings
Start with the foundational system settings including hostname, domain name, enable secret, password encryption, and system banners. These are the building blocks of every secure Cisco switch configuration.
! Enter Global Configuration Mode
Switch# configure terminal
! Set the Hostname
Switch(config)# hostname C9300X-SW1
! Set the IP Domain Name (required for SSH)
C9300X-SW1(config)# ip domain-name thenetworkdna.local
! Set Enable Secret (strongly encrypted)
C9300X-SW1(config)# enable secret Cisco@SecureEnable123
! Enable Password Encryption for all plain-text passwords
C9300X-SW1(config)# service password-encryption
! Disable IP Domain Lookup to prevent DNS lookup delays
C9300X-SW1(config)# no ip domain-lookup
! Set System Contact and Location (for SNMP)
C9300X-SW1(config)# snmp-server contact netadmin@netlabpro.local
C9300X-SW1(config)# snmp-server location "Server Room - Rack 3 - Unit 5"
! Configure Login Banner
C9300X-SW1(config)# banner motd ^
*************************************************************
* AUTHORIZED ACCESS ONLY - C9300X Enterprise Switch *
* Unauthorized access is strictly prohibited *
* All sessions are monitored and recorded *
*************************************************************
^
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 3 — Create Local User Accounts
Create local user accounts with privilege levels for secure access. Always use privilege 15 for administrative accounts and lower privileges for read-only users. Use algorithm-type scrypt or sha256 for strong password hashing on IOS-XE.
! Create Admin User with full privilege (secret hashed with scrypt)
C9300X-SW1(config)# username admin privilege 15 algorithm-type scrypt secret Cisco@Admin2024
! Create Read-Only Monitoring User
C9300X-SW1(config)# username monitor privilege 5 algorithm-type scrypt secret Cisco@Monitor2024
! Create Network Operations User
C9300X-SW1(config)# username netops privilege 10 algorithm-type scrypt secret Cisco@NetOps2024
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 4 — Configure SSH Version 2 for Secure Remote Access
Always use SSH version 2 for remote management. Telnet transmits data in plain text and must be disabled on all enterprise switches. Configure VTY lines to accept only SSH connections.
! Generate RSA Keys for SSH (minimum 2048 bits recommended)
C9300X-SW1(config)# crypto key generate rsa modulus 2048
! Enable SSH Version 2 Only
C9300X-SW1(config)# ip ssh version 2
C9300X-SW1(config)# ip ssh time-out 60
C9300X-SW1(config)# ip ssh authentication-retries 3
! Source SSH from the management SVI (Vlan10 is created in Step 5)
C9300X-SW1(config)# ip ssh source-interface Vlan10
! Configure Console Line
C9300X-SW1(config)# line console 0
C9300X-SW1(config-line)# login local
C9300X-SW1(config-line)# logging synchronous
C9300X-SW1(config-line)# exec-timeout 10 0
C9300X-SW1(config-line)# exit
! Configure VTY Lines (SSH Only - No Telnet)
C9300X-SW1(config)# line vty 0 15
C9300X-SW1(config-line)# login local
C9300X-SW1(config-line)# transport input ssh
C9300X-SW1(config-line)# exec-timeout 15 0
C9300X-SW1(config-line)# logging synchronous
C9300X-SW1(config-line)# exit
C9300X-SW1(config)# end
C9300X-SW1# write memory
Security Tip: Use transport input ssh on all VTY lines to completely disable Telnet access. This is a critical security hardening step for any enterprise Cisco switch deployment.
Step 5 — Configure Management VLAN and SVI
Create a dedicated Management VLAN and assign an IP address to the Switched Virtual Interface (SVI). This IP address will be used for SSH access, SNMP polling, Syslog, and NTP communication.
! Create Management VLAN
C9300X-SW1(config)# vlan 10
C9300X-SW1(config-vlan)# name MANAGEMENT
C9300X-SW1(config-vlan)# exit
! Configure Management SVI with IP Address
C9300X-SW1(config)# interface Vlan10
C9300X-SW1(config-if)# description MANAGEMENT-SVI
C9300X-SW1(config-if)# ip address 192.168.10.10 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
! Configure Default Gateway for Management Traffic
C9300X-SW1(config)# ip default-gateway 192.168.10.1
C9300X-SW1(config)# end
! Verify SVI is up
C9300X-SW1# show interfaces Vlan10
C9300X-SW1# write memory
Step 6 — Configure NTP for Time Synchronization
Accurate time is essential on enterprise switches for accurate log timestamps, certificate validation, AAA accounting, and security correlation. Configure NTP to synchronize with a reliable time source.
! Configure NTP Servers
C9300X-SW1(config)# ntp server 216.239.35.0 prefer
C9300X-SW1(config)# ntp server 216.239.35.4
C9300X-SW1(config)# ntp source Vlan10
! Set Timezone
C9300X-SW1(config)# clock timezone EST -5 0
C9300X-SW1(config)# clock summer-time EDT recurring
! Enable Timestamps on Logs
C9300X-SW1(config)# service timestamps log datetime msec localtime show-timezone
C9300X-SW1(config)# service timestamps debug datetime msec localtime show-timezone
C9300X-SW1(config)# end
! Verify NTP Synchronization
C9300X-SW1# show ntp status
C9300X-SW1# show ntp associations
C9300X-SW1# write memory
Step 7 — Create and Name All VLANs
Define all required VLANs with meaningful names as per your network design. A well-organized VLAN structure is fundamental for network segmentation, security, and traffic management on the Cisco Catalyst 9300X.
! Create and Name VLANs
C9300X-SW1(config)# vlan 10
C9300X-SW1(config-vlan)# name MANAGEMENT
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 20
C9300X-SW1(config-vlan)# name DATA-USERS
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 30
C9300X-SW1(config-vlan)# name VOICE-PHONES
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 40
C9300X-SW1(config-vlan)# name WIRELESS-CLIENTS
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 50
C9300X-SW1(config-vlan)# name SERVERS
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 60
C9300X-SW1(config-vlan)# name SECURITY-CAMERAS
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 99
C9300X-SW1(config-vlan)# name NATIVE-VLAN
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# vlan 999
C9300X-SW1(config-vlan)# name BLACKHOLE-UNUSED
C9300X-SW1(config-vlan)# exit
C9300X-SW1(config)# end
! Verify VLAN database
C9300X-SW1# show vlan brief
C9300X-SW1# write memory
Step 8 — Configure Trunk Ports (Uplink to Distribution or Core)
Trunk ports carry multiple VLANs between switches, routers, and wireless controllers. Configure uplink ports as 802.1Q trunks with explicit VLAN allowlists and a non-default native VLAN for security.
! Configure Uplink Trunk Port to Distribution Switch
! (802.1Q is the only trunk encapsulation on this platform, so no encapsulation command is entered)
C9300X-SW1(config)# interface TwentyFiveGigE1/0/1
C9300X-SW1(config-if)# description UPLINK-TO-DIST-SW1
C9300X-SW1(config-if)# switchport mode trunk
C9300X-SW1(config-if)# switchport trunk native vlan 99
C9300X-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,99
C9300X-SW1(config-if)# switchport nonegotiate
! PortFast is left off: this port faces another switch, not an end host
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
! Configure Second Uplink Trunk Port (Redundant)
C9300X-SW1(config)# interface TwentyFiveGigE1/0/2
C9300X-SW1(config-if)# description UPLINK-TO-DIST-SW2-REDUNDANT
C9300X-SW1(config-if)# switchport mode trunk
C9300X-SW1(config-if)# switchport trunk native vlan 99
C9300X-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,99
C9300X-SW1(config-if)# switchport nonegotiate
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 9 — Configure Access Ports for End Devices
Access ports connect end devices such as PCs, printers, IP phones, and cameras to the switch. Configure access ports with the appropriate VLAN, PortFast, BPDU Guard, and port security features.
Standard Data Access Port:
! Configure Access Port for Data Users (VLAN 20)
C9300X-SW1(config)# interface range GigabitEthernet1/0/1 - 12
C9300X-SW1(config-if-range)# description ACCESS-DATA-USERS
C9300X-SW1(config-if-range)# switchport mode access
C9300X-SW1(config-if-range)# switchport access vlan 20
C9300X-SW1(config-if-range)# switchport nonegotiate
C9300X-SW1(config-if-range)# spanning-tree portfast
C9300X-SW1(config-if-range)# spanning-tree bpduguard enable
C9300X-SW1(config-if-range)# no shutdown
C9300X-SW1(config-if-range)# exit
Voice and Data Access Port (IP Phone + PC):
! Configure Voice + Data Port (IP Phone with PC behind it)
C9300X-SW1(config)# interface range GigabitEthernet1/0/13 - 24
C9300X-SW1(config-if-range)# description ACCESS-VOICE-AND-DATA
C9300X-SW1(config-if-range)# switchport mode access
C9300X-SW1(config-if-range)# switchport access vlan 20
C9300X-SW1(config-if-range)# switchport voice vlan 30
C9300X-SW1(config-if-range)# switchport nonegotiate
C9300X-SW1(config-if-range)# spanning-tree portfast
C9300X-SW1(config-if-range)# spanning-tree bpduguard enable
! No "mls qos trust" command is entered: IOS-XE on the Catalyst 9000 family uses MQC-based QoS and trusts incoming markings by default
C9300X-SW1(config-if-range)# no shutdown
C9300X-SW1(config-if-range)# exit
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 10 — Configure EtherChannel (LACP Port-Channel)
Configure EtherChannel with LACP on the uplink ports for bandwidth aggregation and link redundancy. The Cisco Catalyst 9300X supports up to 8 active links per EtherChannel bundle.
! Configure EtherChannel on Uplink Ports (LACP Active)
! (802.1Q is the only trunk encapsulation on this platform, so no encapsulation command is entered)
C9300X-SW1(config)# interface range TwentyFiveGigE1/0/1 - 2
C9300X-SW1(config-if-range)# description ETHERCHANNEL-UPLINK-TO-DIST
C9300X-SW1(config-if-range)# switchport mode trunk
C9300X-SW1(config-if-range)# switchport trunk native vlan 99
C9300X-SW1(config-if-range)# switchport trunk allowed vlan 10,20,30,40,50,60,99
C9300X-SW1(config-if-range)# channel-protocol lacp
C9300X-SW1(config-if-range)# channel-group 1 mode active
C9300X-SW1(config-if-range)# no shutdown
C9300X-SW1(config-if-range)# exit
! Configure Port-Channel Interface
C9300X-SW1(config)# interface Port-channel1
C9300X-SW1(config-if)# description PO1-LACP-UPLINK-TO-DISTRIBUTION
C9300X-SW1(config-if)# switchport mode trunk
C9300X-SW1(config-if)# switchport trunk native vlan 99
C9300X-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,60,99
C9300X-SW1(config-if)# exit
! Configure Load Balancing Method
C9300X-SW1(config)# port-channel load-balance src-dst-ip
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 11 — Configure Spanning Tree Protocol (STP)
The Cisco Catalyst 9300X supports Rapid PVST+ (default) and MST (Multiple Spanning Tree). Configure the switch as the STP root bridge for appropriate VLANs at the distribution or access layer.
! Set Spanning Tree Mode to Rapid PVST+
C9300X-SW1(config)# spanning-tree mode rapid-pvst
! Set this switch as STP Root for VLANs 10, 20, 30
C9300X-SW1(config)# spanning-tree vlan 10,20,30 root primary
! Set this switch as STP Secondary Root for VLANs 40, 50, 60
C9300X-SW1(config)# spanning-tree vlan 40,50,60 root secondary
! Enable Portfast by default on all access ports
C9300X-SW1(config)# spanning-tree portfast default
! Enable BPDU Guard globally on all portfast enabled ports
C9300X-SW1(config)# spanning-tree portfast bpduguard default
! Enable Loop Guard globally
C9300X-SW1(config)# spanning-tree loopguard default
! Enable Root Guard on specific interfaces facing access layer
C9300X-SW1(config)# interface range GigabitEthernet1/0/1 - 24
C9300X-SW1(config-if-range)# spanning-tree guard root
C9300X-SW1(config-if-range)# exit
C9300X-SW1(config)# end
! Verify STP Status
C9300X-SW1# show spanning-tree summary
C9300X-SW1# show spanning-tree vlan 10
C9300X-SW1# write memory
Step 12 — Configure Inter-VLAN Routing (Layer 3 Switch)
The Cisco Catalyst 9300X is a Layer 3 multilayer switch capable of routing traffic between VLANs without an external router. Enable IP routing and configure SVIs for each VLAN that requires inter-VLAN communication.
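! Enable IP Routing on the Switch
! (with routing enabled, the ip default-gateway from Step 5 is no longer used; the static default route below takes over)
C9300X-SW1(config)# ip routing
! Configure SVI for Each VLAN (Default Gateways for clients)
! Note: the Vlan10 address below replaces the 192.168.10.10 address assigned in Step 5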
C9300X-SW1(config)# interface Vlan10
C9300X-SW1(config-if)# description MANAGEMENT-GATEWAY
C9300X-SW1(config-if)# ip address 192.168.10.1 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
C9300X-SW1(config)# interface Vlan20
C9300X-SW1(config-if)# description DATA-USERS-GATEWAY
C9300X-SW1(config-if)# ip address 192.168.20.1 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
C9300X-SW1(config)# interface Vlan30
C9300X-SW1(config-if)# description VOICE-PHONES-GATEWAY
C9300X-SW1(config-if)# ip address 192.168.30.1 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
C9300X-SW1(config)# interface Vlan40
C9300X-SW1(config-if)# description WIRELESS-CLIENTS-GATEWAY
C9300X-SW1(config-if)# ip address 192.168.40.1 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
C9300X-SW1(config)# interface Vlan50
C9300X-SW1(config-if)# description SERVERS-GATEWAY
C9300X-SW1(config-if)# ip address 192.168.50.1 255.255.255.0
C9300X-SW1(config-if)# no shutdown
C9300X-SW1(config-if)# exit
! Configure Static Default Route
C9300X-SW1(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.254
C9300X-SW1(config)# end
! Verify Routing Table
C9300X-SW1# show ip route
C9300X-SW1# write memory
Step 13 — Configure DHCP Snooping and Dynamic ARP Inspection
DHCP Snooping prevents rogue DHCP servers on the network. Dynamic ARP Inspection (DAI) protects against ARP spoofing and poisoning attacks. Both are critical security features on the Cisco Catalyst 9300X.
! Enable DHCP Snooping Globally
C9300X-SW1(config)# ip dhcp snooping
C9300X-SW1(config)# ip dhcp snooping vlan 20,30,40,50,60
C9300X-SW1(config)# no ip dhcp snooping information option
! Set Uplink as DHCP Trusted Port
C9300X-SW1(config)# interface Port-channel1
C9300X-SW1(config-if)# ip dhcp snooping trust
C9300X-SW1(config-if)# exit
! Enable Dynamic ARP Inspection (DAI)
C9300X-SW1(config)# ip arp inspection vlan 20,30,40,50,60
! Set Uplink as ARP Trusted Port
C9300X-SW1(config)# interface Port-channel1
C9300X-SW1(config-if)# ip arp inspection trust
C9300X-SW1(config-if)# exit
! Enable IP Source Guard on Access Ports
C9300X-SW1(config)# interface range GigabitEthernet1/0/1 - 24
C9300X-SW1(config-if-range)# ip verify source
C9300X-SW1(config-if-range)# exit
C9300X-SW1(config)# end
! Verify DHCP Snooping and DAI
C9300X-SW1# show ip dhcp snooping
C9300X-SW1# show ip arp inspection
C9300X-SW1# write memory
Step 14 — Configure Port Security
Port Security limits the number of MAC addresses on an access port and prevents unauthorized devices from connecting. Configure port security on all access-facing interfaces of the Cisco Catalyst 9300X.
! Enable Port Security on Access Ports
C9300X-SW1(config)# interface range GigabitEthernet1/0/1 - 24
C9300X-SW1(config-if-range)# switchport port-security
C9300X-SW1(config-if-range)# switchport port-security maximum 2
C9300X-SW1(config-if-range)# switchport port-security mac-address sticky
C9300X-SW1(config-if-range)# switchport port-security violation restrict
C9300X-SW1(config-if-range)# exit
C9300X-SW1(config)# end
! Verify Port Security Status
C9300X-SW1# show port-security
C9300X-SW1# show port-security interface GigabitEthernet1/0/1
C9300X-SW1# write memory
Note: Port security violation modes: protect (drops frames silently), restrict (drops and logs), shutdown (err-disables the port). Use restrict for visibility without disrupting the user, or shutdown for maximum security enforcement.
Step 15 — Configure SNMP for Network Monitoring
Configure SNMP version 3 for secure network monitoring. SNMPv3 provides authentication and encryption, making it the recommended version for enterprise environments. Configure traps to send alerts to your NMS.
! Configure SNMPv3 Group and User
C9300X-SW1(config)# snmp-server group SNMP-ADMIN v3 priv
C9300X-SW1(config)# snmp-server user snmpadmin SNMP-ADMIN v3 auth sha Cisco@Auth123 priv aes 128 Cisco@Priv123
! Configure SNMP Trap Receiver (NMS Server)
C9300X-SW1(config)# snmp-server host 192.168.10.100 version 3 priv snmpadmin
C9300X-SW1(config)# snmp-server enable traps
! Configure SNMP System Information
C9300X-SW1(config)# snmp-server contact netadmin@netlabpro.local
C9300X-SW1(config)# snmp-server location "Building A - Floor 2 - IDF Closet"
! Configure SNMPv2c for legacy compatibility (only if needed; v2c community strings travel in clear text)
C9300X-SW1(config)# snmp-server community NetLabRO ro
C9300X-SW1(config)# snmp-server community NetLabRW rw
C9300X-SW1(config)# end
! Verify SNMP Configuration
C9300X-SW1# show snmp
C9300X-SW1# show snmp user
C9300X-SW1# write memory
Step 16 — Configure Syslog for Centralized Logging
Send all switch logs to a centralized Syslog server for monitoring, auditing, and security event correlation. Configure appropriate log levels to capture relevant events without overwhelming the log server.
! Configure Syslog Server
C9300X-SW1(config)# logging host 192.168.10.100
C9300X-SW1(config)# logging trap informational
C9300X-SW1(config)# logging source-interface Vlan10
C9300X-SW1(config)# logging buffered 100000 informational
C9300X-SW1(config)# logging console warnings
C9300X-SW1(config)# logging monitor informational
! Configure Archive for Config Change Logging
C9300X-SW1(config)# archive
C9300X-SW1(config-archive)# log config
C9300X-SW1(config-archive-log-cfg)# logging enable
C9300X-SW1(config-archive-log-cfg)# logging size 500
C9300X-SW1(config-archive-log-cfg)# notify syslog contenttype plaintext
C9300X-SW1(config-archive-log-cfg)# exit
C9300X-SW1(config-archive)# exit
C9300X-SW1(config)# end
! Verify Logging Status
C9300X-SW1# show logging
C9300X-SW1# write memory
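With notify syslog enabled, every configuration command is forwarded to the syslog server, which makes it possible to alert when someone undoes a hardening step from this guide. The following Python script is an added example, not part of the original guide: the log lines are constructed, the rule names are hypothetical, and the PARSER-5-CFGLOG_LOGGEDCMD message layout is assumed to follow the usual IOS-XE form.

```python
import re

# Constructed sample of what the syslog server might receive (not real logs).
SAMPLE_LOG = """\
<189>41: Mar  4 09:12:01.101 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/7
<189>42: Mar  4 09:12:05.220 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description PRINTER-2F
<189>43: Mar  4 09:12:09.530 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no switchport port-security
<189>44: Mar  4 09:30:44.002 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:line vty 0 15
<189>45: Mar  4 09:30:51.870 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:transport input telnet ssh
<189>46: Mar  4 09:31:10.412 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no ip dhcp snooping vlan 20
<189>47: Mar  4 09:31:30.000 EST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to up
"""

# Assumed layout: "<timestamp>: %PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<cmd>"
CFGLOG = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+(?:\s+\w+)?):\s+"
    r"%PARSER-5-CFGLOG_LOGGEDCMD:\s+User:(?P<user>\S+)\s+"
    r"logged command:(?P<cmd>.*)$"
)

# (hypothetical rule name, pattern, True if the command is entered in a sub-mode)
RULES = [
    ("dhcp-snooping-disabled", re.compile(r"^no ip dhcp snooping\b"), False),
    ("dai-disabled", re.compile(r"^no ip arp inspection\b"), False),
    ("snmpv2c-community-added", re.compile(r"^snmp-server community\b"), False),
    ("aaa-disabled", re.compile(r"^no aaa new-model\b"), False),
    ("syslog-host-removed", re.compile(r"^no logging host\b"), False),
    ("telnet-enabled", re.compile(r"^transport input\b.*\b(telnet|all)\b"), True),
    ("port-security-removed", re.compile(r"^no switchport port-security$"), True),
    ("bpduguard-removed",
     re.compile(r"^(no spanning-tree bpduguard|spanning-tree bpduguard disable)\b"), True),
]


def detect(log_text):
    """Return one alert dict per logged command that weakens the hardening."""
    context = {}  # user -> last "interface ..." or "line ..." command entered
    alerts = []
    for line in log_text.splitlines():
        m = CFGLOG.search(line)
        if not m:
            continue  # not a config-change message
        user, cmd = m["user"], m["cmd"].strip()
        if cmd.startswith(("interface ", "line ")):
            context[user] = cmd  # remember which sub-mode this user entered
            continue
        for rule, pattern, in_submode in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": rule,
                    "user": user,
                    "time": m["ts"],
                    # Best effort: sub-mode commands are tied to the last mode seen.
                    "where": context.get(user, "unknown") if in_submode else "global",
                    # Keep community strings out of the alert stream.
                    "command": re.sub(r"^(snmp-server community) \S+",
                                      r"\1 <redacted>", cmd),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["time"]}  {a["rule"]:24} {a["user"]:8} {a["where"]}  ->  {a["command"]}')
```
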
Step 17 — Configure AAA and RADIUS Authentication
Configure AAA (Authentication, Authorization, Accounting) with a RADIUS server for centralized access control. This allows network administrators to log in using their domain credentials instead of local accounts.
! Enable AAA New Model
C9300X-SW1(config)# aaa new-model
! Configure RADIUS Server
C9300X-SW1(config)# radius server CORP-RADIUS
C9300X-SW1(config-radius-server)# address ipv4 192.168.10.200 auth-port 1812 acct-port 1813
C9300X-SW1(config-radius-server)# key Cisco@RadiusKey2024
C9300X-SW1(config-radius-server)# exit
! Create AAA Server Group
C9300X-SW1(config)# aaa group server radius RADIUS-GROUP
C9300X-SW1(config-sg-radius)# server name CORP-RADIUS
C9300X-SW1(config-sg-radius)# exit
! Configure AAA Authentication (RADIUS then Local fallback)
C9300X-SW1(config)# aaa authentication login default group RADIUS-GROUP local
C9300X-SW1(config)# aaa authentication enable default group RADIUS-GROUP enable
! Configure AAA Authorization
C9300X-SW1(config)# aaa authorization exec default group RADIUS-GROUP local
C9300X-SW1(config)# aaa authorization commands 15 default group RADIUS-GROUP local
! Configure AAA Accounting
C9300X-SW1(config)# aaa accounting exec default start-stop group RADIUS-GROUP
C9300X-SW1(config)# aaa accounting commands 15 default start-stop group RADIUS-GROUP
C9300X-SW1(config)# end
C9300X-SW1# write memory
Step 18 — Configure StackWise (Switch Stacking)
The Cisco Catalyst 9300X supports Cisco StackWise-480 technology, allowing up to 8 switches to operate as a single logical unit. Stacking provides simplified management, high availability, and combined forwarding capacity.
! Verify Stack Members (after physical stacking cable connection)
C9300X-SW1# show switch
! Set Stack Member Priority (higher priority = preferred active switch)
C9300X-SW1# switch 1 priority 15
C9300X-SW1# switch 2 priority 10
C9300X-SW1# switch 3 priority 5
! Renumber a Stack Member
C9300X-SW1# switch 3 renumber 4
! Provision Stack Member 1 with Its Model
C9300X-SW1(config)# switch 1 provision C9300X-48HX
! Verify Stack Topology and Ring Status
C9300X-SW1# show switch stack-ring speed
C9300X-SW1# show switch detail
C9300X-SW1# show switch neighbors
! Verify Stack Port Status
C9300X-SW1# show switch stack-ports summary
Stacking Tip: Always connect StackWise cables in a ring topology for maximum redundancy. If one cable fails, traffic continues through the ring in the opposite direction with no disruption to the network.
Step 19 — Configure Cisco Smart Licensing
The Cisco Catalyst 9300X uses Cisco Smart Licensing. Configure the switch to register with Cisco CSSM (Cisco Smart Software Manager) or a local Smart License Satellite server to activate the required license tier (Network Essentials or Network Advantage).
! Check Current License Status
C9300X-SW1# show license summary
C9300X-SW1# show license status
! Configure Smart License Call-Home for CSSM
C9300X-SW1(config)# license smart transport callhome
! Configure Call-Home for Smart Licensing
C9300X-SW1(config)# service call-home
C9300X-SW1(config)# call-home
C9300X-SW1(config-call-home)# contact-email-addr netadmin@thenetworkdna.local
C9300X-SW1(config-call-home)# profile CiscoTAC-1
C9300X-SW1(config-call-home-profile)# active
C9300X-SW1(config-call-home-profile)# destination transport-method http
C9300X-SW1(config-call-home-profile)# exit
C9300X-SW1(config-call-home)# exit
! Register with CSSM using Token
C9300X-SW1# license smart register idtoken YOUR-SMART-LICENSE-TOKEN-HERE
! Set the Required License Level
C9300X-SW1(config)# license boot level network-advantage
! Verify License After Registration
C9300X-SW1# show license summary
C9300X-SW1# show license usage
Step 20 — Save Configuration and Backup
Always save the running configuration to NVRAM and create an external backup on a TFTP or SCP server. This ensures you can quickly recover from any configuration issues or hardware failures.
! Save Running Configuration to NVRAM
C9300X-SW1# write memory
! or
C9300X-SW1# copy running-config startup-config
! Backup Configuration to TFTP Server
C9300X-SW1# copy running-config tftp:
Address or name of remote host []? 192.168.10.100
Destination filename [C9300X-SW1-confg]? C9300X-SW1-backup-2024.cfg
! Backup Configuration to SCP Server (more secure)
C9300X-SW1# copy running-config scp:
Address or name of remote host []? 192.168.10.100
Destination username [admin]? backupuser
Destination filename [C9300X-SW1-confg]? C9300X-SW1-backup-2024.cfg
! Verify Startup Configuration
C9300X-SW1# show startup-config
! Check Flash Contents
C9300X-SW1# dir flash:
Essential Verification Commands for Cisco Catalyst 9300X
Use these essential show commands to verify the complete configuration and health of your Cisco Catalyst 9300X switch after initial setup.
System and Hardware Verification:
! Show system hardware and IOS-XE version
C9300X-SW1# show version
! Show all interfaces and status
C9300X-SW1# show interfaces status
! Show specific interface details
C9300X-SW1# show interfaces GigabitEthernet1/0/1
! Show inventory (hardware components)
C9300X-SW1# show inventory
! Show environment (temperature, power, fans)
C9300X-SW1# show environment all
! Show power inline status (PoE)
C9300X-SW1# show power inline
VLAN and Switching Verification:
! Show VLAN database
C9300X-SW1# show vlan brief
! Show trunk ports
C9300X-SW1# show interfaces trunk
! Show MAC address table
C9300X-SW1# show mac address-table
! Show EtherChannel status
C9300X-SW1# show etherchannel summary
! Show Spanning Tree status
C9300X-SW1# show spanning-tree summary
C9300X-SW1# show spanning-tree vlan 20
Layer 3 and Routing Verification:
! Show IP routing table
C9300X-SW1# show ip route
! Show IP interface brief (all SVIs)
C9300X-SW1# show ip interface brief
! Show ARP table
C9300X-SW1# show ip arp
! Ping test to verify Layer 3 connectivity
C9300X-SW1# ping 192.168.20.1 source Vlan10
Security Verification:
! Show DHCP snooping bindings
C9300X-SW1# show ip dhcp snooping binding
! Show DAI statistics
C9300X-SW1# show ip arp inspection statistics
! Show port security
C9300X-SW1# show port-security
! Show SSH sessions
C9300X-SW1# show ssh
! Show login users
C9300X-SW1# show users
Common Troubleshooting on Cisco Catalyst 9300X
| Problem | Likely Cause | Fix |
|---|---|---|
| Cannot SSH to switch | RSA keys not generated or wrong transport | Run crypto key generate rsa modulus 2048 and check transport input ssh on VTY |
| VLAN not passing on trunk | VLAN not in allowed VLAN list or not created | Run show interfaces trunk and verify VLAN is created and allowed |
| Inter-VLAN routing not working | IP routing disabled or SVI down | Enable ip routing and check SVI is up with show ip interface brief |
| Port in err-disabled state | BPDU Guard or Port Security violation triggered | Run show interfaces to confirm the state, then issue shutdown followed by no shutdown on the port to recover |
| NTP not synchronizing | NTP server unreachable or wrong source interface | Verify reachability to NTP server and check ntp source interface |
| EtherChannel not forming | Mismatched VLAN or speed on member ports | Check show etherchannel summary and ensure all member port configs match |
| Smart License not registering | No internet access or wrong token | Verify HTTP connectivity to tools.cisco.com and check license token validity |
Cisco Catalyst 9300X Best Practices
- Always use SSH version 2 and disable Telnet on all VTY lines
- Use algorithm-type scrypt for all local user password hashing
- Assign a dedicated management VLAN separate from user data VLANs
- Enable DHCP Snooping and DAI on all user-facing VLANs
- Configure BPDU Guard on all access ports facing end devices
- Use a non-default native VLAN (such as VLAN 99) on all trunk ports
- Configure EtherChannel with LACP on all uplink port pairs for redundancy
- Set Rapid PVST+ as the STP mode and define root bridge priorities explicitly
- Use SNMPv3 with AuthPriv security level for all monitoring
- Regularly backup the configuration to a centralized TFTP or SCP server
- Keep IOS-XE software updated to the latest recommended release
- Enable archive log config to track all configuration changes
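The checklist above can be verified against a saved copy of the running configuration rather than by eye. The following Python script is an added example, not part of the original guide: the sample configuration is constructed, the check names are hypothetical, and it assumes that secret types 8 and 9 in a running-config denote PBKDF2-SHA256 and scrypt hashes.

```python
import re

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
hostname C9300X-SW1
username admin privilege 15 secret 9 $9$constructed-hash
username legacy privilege 15 secret 5 $1$constructed-hash
ip ssh version 2
ip dhcp snooping
snmp-server community NetLabRW RW
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface TwentyFiveGigE1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60,99
!
line vty 0 4
 transport input ssh
line vty 5 15
 transport input all
"""

STRONG_SECRET_TYPES = {"8", "9"}  # assumption: 8 = PBKDF2-SHA256, 9 = scrypt


def parse_sections(text):
    """Group a running-config into (header, [indented child lines])."""
    sections = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0] == " " and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit(text):
    """Return sorted (check, location) findings; check names are hypothetical."""
    sections = parse_sections(text)
    top = {header for header, _ in sections}
    findings = []
    if "ip ssh version 2" not in top:
        findings.append(("ssh-v2-not-enforced", "global"))
    if "ip dhcp snooping" not in top:
        findings.append(("dhcp-snooping-off", "global"))
    bpduguard_default = "spanning-tree portfast bpduguard default" in top

    for header, body in sections:
        words = header.split()
        if words[0] == "username":
            m = re.search(r"\b(secret|password) (\d+) ", header)
            if not m or m.group(1) == "password" or m.group(2) not in STRONG_SECRET_TYPES:
                findings.append(("weak-user-hash", words[1]))
        elif words[:2] == ["snmp-server", "community"]:
            # Report the location only; never echo the community string.
            if "rw" in [w.lower() for w in words[3:]]:
                findings.append(("snmpv2c-rw-community", "global"))
        elif words[:2] == ["line", "vty"]:
            if "transport input ssh" not in body:
                findings.append(("vty-not-ssh-only", header))
        elif words[0] == "interface":
            name = words[1]
            if "switchport mode access" in body:
                if not bpduguard_default and "spanning-tree bpduguard enable" not in body:
                    findings.append(("access-no-bpduguard", name))
            if "switchport mode trunk" in body:
                native = [l.split()[-1] for l in body
                          if l.startswith("switchport trunk native vlan ")]
                if not native or native[0] == "1":
                    findings.append(("trunk-default-native-vlan", name))
                if not any(l.startswith("switchport trunk allowed vlan ") for l in body):
                    findings.append(("trunk-no-vlan-allowlist", name))
    return sorted(findings)


if __name__ == "__main__":
    for check, where in audit(SAMPLE_CONFIG):
        print(f"{check:28} {where}")
```
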
Frequently Asked Questions — Cisco Catalyst 9300X
Q: What OS does the Cisco Catalyst 9300X run?
A: The Cisco Catalyst 9300X runs Cisco IOS-XE, the same operating system used across Cisco's enterprise router and switch portfolio. It supports model-driven programmability via NETCONF, RESTCONF, and gRPC.
Q: How many switches can be stacked with the Cisco Catalyst 9300X?
A: The Cisco Catalyst 9300X supports StackWise-480 technology, allowing up to 8 switches to be stacked together as a single logical unit, providing up to 480 Gbps of stack bandwidth.
Q: Does the Cisco Catalyst 9300X support SD-Access?
A: Yes. The Cisco Catalyst 9300X fully supports Cisco Software-Defined Access (SD-Access) when managed by Cisco DNA Center. It can function as an access layer fabric node in an SD-Access deployment.
Q: What license is needed for advanced features on the 9300X?
A: The Network Advantage license unlocks all advanced features including SD-Access, advanced security, and full telemetry. Network Essentials covers basic enterprise switching features. DNA licenses (DNA Essentials or DNA Advantage) are required for DNA Center management.
Q: What is the difference between Catalyst 9300 and 9300X?
A: The Catalyst 9300X adds support for 100G QSFP28 uplinks, multi-gigabit PoE++ (90W), hardware-based MACsec on all ports, and a more powerful ASIC compared to the standard 9300. It is designed for high-density, high-performance environments.
Configuration Summary — Cisco Catalyst 9300X Quick Reference
Cisco Catalyst 9300X Configuration Cheat Sheet
- Step 1: Initial Boot — Skip wizard, enter configure terminal
- Step 2: Hostname, domain, enable secret, password encryption, banner
- Step 3: Local users — username admin privilege 15 algorithm-type scrypt
- Step 4: SSH v2 — crypto key generate rsa modulus 2048, transport input ssh
- Step 5: Management VLAN 10 SVI with IP address and default gateway
- Step 6: NTP — ntp server [IP] prefer, clock timezone, timestamps
- Step 7: VLANs — vlan [id], name [name] for all required VLANs
- Step 8: Trunk ports — switchport mode trunk, allowed vlan list, native vlan 99
- Step 9: Access ports — access vlan, voice vlan, portfast, bpduguard
- Step 10: EtherChannel — LACP active, port-channel trunk configuration
- Step 11: STP — rapid-pvst, root primary/secondary, portfast default
- Step 12: IP routing — ip routing, SVIs for each VLAN, static default route
- Step 13: DHCP Snooping and DAI on user VLANs
- Step 14: Port Security — maximum 2, sticky, violation restrict
- Step 15: SNMPv3 — group, user, trap receiver configuration
- Step 16: Syslog — logging host, archive log config
- Step 17: AAA — RADIUS server, authentication, authorization, accounting
- Step 18: StackWise — priority, renumber, verify with show switch
- Step 19: Smart Licensing — register with CSSM token
- Step 20: Save — write memory, backup to TFTP or SCP
Conclusion
The Cisco Catalyst 9300X is one of the most capable and feature-rich enterprise access switches available today. With its powerful IOS-XE foundation, StackWise-480 stacking, 100G uplinks, multi-gigabit PoE++, and seamless integration with Cisco DNA Center and SD-Access, it is purpose-built for the demands of modern enterprise networks.
By following this step-by-step configuration guide — from initial boot through VLANs, trunk ports, Layer 3 routing, security hardening, and licensing — you now have a fully operational, secure, and enterprise-ready Cisco Catalyst 9300X switch deployment. Always follow Cisco security best practices, maintain regular configuration backups, and keep your IOS-XE software current for the best performance and security posture.