← Cisco Examples // Lab Guide · Cisco IOS 15.x

Cisco 1921 +
2960L Setup

A complete, step-by-step build for pairing a Cisco 1921 ISR with a Catalyst WS-C2960L-24PS-LL PoE+ switch. From unboxing and console cable to a working routed network with DHCP, NAT, and VLANs.

~ 45–60 min
11 steps
Console + CLI
IOS 15.x / Lan Lite

Target Topology

ISP / WAN
DHCP or static
───► Gi0/0
Cisco 1921
192.168.10.1 /24
───► Gi0/1 → Gi0/1
2960L-24PS
192.168.10.2 /24
───► Access ports
Endpoints
PCs · APs · Phones
Progress 0 / 11 complete
01

Gather Your Gear

Both Devices

Before you power anything on, make sure you have everything on hand. A missing console cable will end your evening fast.

  • Cisco 1921 ISR router + power cable
  • Catalyst WS-C2960L-24PS-LL switch + power cable
  • RJ45-to-USB console cable (light blue Cisco cable or FTDI equivalent)
  • Two Cat5e/Cat6 patch cables (one WAN, one switch uplink)
  • Laptop with PuTTY (Windows) or screen/minicom (Linux/Mac)
  • Pen and paper for IPs and passwords (seriously)
i
Heads up: The 1921 reached end-of-support in 2022. It's excellent for labs and isolated networks, but don't put it on a production internet edge if security matters.
02

Connect the Console Cable

Both Devices

Plug the RJ45 end into the CONSOLE port on the device and the USB end into your laptop. Find the COM port (Windows: Device Manager → Ports) or device node (Linux: ls /dev/ttyUSB*).

Open a serial terminal with these settings:

SettingValue
Baud rate9600
Data bits8
ParityNone
Stop bits1
Flow controlNone
# Connect via screen sudo screen /dev/ttyUSB0 9600 # Or with minicom sudo minicom -D /dev/ttyUSB0 -b 9600

Power on the device. You'll see boot messages, then a prompt like Router> or Switch>. If you see "Would you like to enter the initial configuration dialog?" — answer no. We'll configure everything manually.

03

Router: Basic Identity & Security

Cisco 1921

Enter privileged EXEC mode, then global config mode. Set the hostname, domain name, and encrypt passwords.

Router> enable Router# configure terminal Router(config)# hostname R1 R1(config)# ip domain-name lab.local R1(config)# service password-encryption R1(config)# enable secret StrongEnablePass! R1(config)# banner motd #Authorized access only.#
!
Tip: Use enable secret, never enable password. Secret is hashed; password is reversible.
04

Router: Configure the LAN Interface

Cisco 1921

Gi0/1 faces the switch. Give it the gateway IP for your LAN subnet.

R1(config)# interface GigabitEthernet0/1 R1(config-if)# description LAN to 2960L Gi0/1 R1(config-if)# ip address 192.168.10.1 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# exit
05

Router: Configure the WAN Interface

Cisco 1921

Gi0/0 is your uplink to the ISP. Choose DHCP (most home/SMB modems) or static. Pick one block below.

R1(config)# interface GigabitEthernet0/0 R1(config-if)# description WAN to ISP R1(config-if)# ip address dhcp R1(config-if)# no shutdown R1(config-if)# exit
R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip address 203.0.113.10 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# exit R1(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1
06

Router: NAT & DHCP Server

Cisco 1921

NAT lets your private LAN share the public WAN IP. DHCP gives your devices IP addresses automatically.

! Mark interfaces as inside/outside R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip nat outside R1(config-if)# exit R1(config)# interface GigabitEthernet0/1 R1(config-if)# ip nat inside R1(config-if)# exit ! Permit the LAN and enable PAT R1(config)# access-list 10 permit 192.168.10.0 0.0.0.255 R1(config)# ip nat inside source list 10 interface GigabitEthernet0/0 overload
R1(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.10 R1(config)# ip dhcp pool LAN_POOL R1(dhcp-config)# network 192.168.10.0 255.255.255.0 R1(dhcp-config)# default-router 192.168.10.1 R1(dhcp-config)# dns-server 1.1.1.1 8.8.8.8 R1(dhcp-config)# lease 7 R1(dhcp-config)# exit
!
Why exclude .1–.10? It reserves low addresses for static assignments (the router itself, the switch, printers, etc.) so DHCP hands out .11+ to clients.
07

Router: SSH Access

Cisco 1921

So you don't have to stay chained to the console cable.

R1(config)# username admin privilege 15 secret AdminPass! R1(config)# crypto key generate rsa modulus 2048 R1(config)# ip ssh version 2 R1(config)# line vty 0 4 R1(config-line)# transport input ssh R1(config-line)# login local R1(config-line)# exec-timeout 10 0 R1(config-line)# exit R1(config)# end R1# write memory
08

Switch: Basic Identity & Management VLAN

2960L-24PS

Move the console cable to the 2960L. Same serial settings as before. The switch is Layer 2 — it doesn't route, but it needs a management IP in your LAN subnet so you can reach it remotely.

Switch> enable Switch# configure terminal Switch(config)# hostname SW1 SW1(config)# ip domain-name lab.local SW1(config)# service password-encryption SW1(config)# enable secret StrongEnablePass! SW1(config)# no ip domain-lookup
SW1(config)# interface vlan 1 SW1(config-if)# ip address 192.168.10.2 255.255.255.0 SW1(config-if)# no shutdown SW1(config-if)# exit SW1(config)# ip default-gateway 192.168.10.1
Security note: In production, move management off VLAN 1 — create a dedicated management VLAN (e.g., VLAN 99) and shut VLAN 1. For a first lab build, VLAN 1 is fine.
09

Switch: Uplink & Access Ports

2960L-24PS

Gi0/1 connects to the router. Remaining ports will be access ports for endpoints. Portfast helps workstations get a link fast (skips STP listening/learning).

! Uplink to router SW1(config)# interface GigabitEthernet0/1 SW1(config-if)# description Uplink to R1 Gi0/1 SW1(config-if)# switchport mode access SW1(config-if)# switchport access vlan 1 SW1(config-if)# exit ! Access ports for endpoints (Gi0/2 - Gi0/24) SW1(config)# interface range GigabitEthernet0/2 - 24 SW1(config-if-range)# switchport mode access SW1(config-if-range)# switchport access vlan 1 SW1(config-if-range)# spanning-tree portfast SW1(config-if-range)# spanning-tree bpduguard enable SW1(config-if-range)# exit
!
PoE: PoE is on by default on the PS model. Check with show power inline. You have 370W of budget to split across phones, APs, cameras.
10

Switch: SSH & Save

2960L-24PS
SW1(config)# username admin privilege 15 secret AdminPass! SW1(config)# crypto key generate rsa modulus 2048 SW1(config)# ip ssh version 2 SW1(config)# line vty 0 15 SW1(config-line)# transport input ssh SW1(config-line)# login local SW1(config-line)# exit SW1(config)# end SW1# write memory

Now cable it up:

  • Router Gi0/0 → your ISP modem / uplink
  • Router Gi0/1 → Switch Gi0/1
  • A laptop or PC → any port Gi0/2–Gi0/24
11

Verify Everything Works

Both Devices

Run through these commands and checks. Your client PC should pull a DHCP lease in the .11–.254 range and reach the internet.

! On the router R1# show ip interface brief R1# show ip route R1# show ip dhcp binding R1# show ip nat translations R1# ping 8.8.8.8 ! On the switch SW1# show interfaces status SW1# show vlan brief SW1# show power inline SW1# ping 192.168.10.1 ! On your client PC $ ipconfig (or ip a / ifconfig) $ ping 192.168.10.1 $ ping google.com
  • Client PC gets IP in 192.168.10.11+ range
  • Client can ping 192.168.10.1 (router)
  • Client can ping 192.168.10.2 (switch)
  • Client can ping 8.8.8.8 (internet)
  • Client can resolve DNS (ping google.com works)
  • SSH works: ssh admin@192.168.10.1 and ssh admin@192.168.10.2
Done! You have a working router + switch pair. Next steps: add VLANs (router-on-a-stick with sub-interfaces on Gi0/1), set up ACLs, or configure a site-to-site IPsec VPN.