Cisco Catalyst 9300 — IOS-XE 17.x

Cisco Catalyst 9300 Configuration Generator

Generate a complete, production-ready IOS-XE configuration for your Catalyst 9300 in 30 seconds. Security hardening, VLAN configuration, and OOB management — all included automatically.


What is the Cisco Catalyst 9300?

The Cisco Catalyst 9300 is Cisco's flagship stackable access switch for enterprise networks, designed to serve as the foundation of modern campus wiring closets. It runs IOS-XE and supports StackWise‑480, allowing up to eight switches to be stacked with up to 480 Gbps of stack bandwidth — making it straightforward to expand a stack without replacing existing hardware.

Available in 24 and 48 port configurations with PoE+, UPoE, and non-PoE variants, the 9300 line covers everything from standard data ports to high-power endpoints like Cisco IP phones, access points, and IP cameras. Uplinks are fixed TwentyFiveGigE (25G) SFP28 ports, providing high-speed connectivity to the distribution layer.

A key feature of the 9300 series is the dedicated out-of-band (OOB) management port — GigabitEthernet0/0 — which runs in an isolated Mgmt-vrf. This keeps management traffic completely separate from production traffic and is the correct way to configure management access on this platform. The 9300 is widely deployed in enterprise campus, manufacturing floors, healthcare, and branch office environments.

Supported Catalyst 9300 Models

Model | Ports | PoE | Uplink Interface | OOB Mgmt
C9300-48P | 48 × 1G | PoE+ | TwentyFiveGigE1/1/1 | Yes
C9300-48U | 48 × 1G | UPoE | TwentyFiveGigE1/1/1 | Yes
C9300-24P | 24 × 1G | PoE+ | TwentyFiveGigE1/1/1 | Yes
C9300L-48P | 48 × 1G | PoE+ | TwentyFiveGigE1/1/1 | Yes
C9300L-24P | 24 × 1G | PoE+ | TwentyFiveGigE1/1/1 | Yes

What netconfgen generates for your C9300

Complete interface configuration — all 48 or 24 access ports with the correct VLAN assignments, portfast, bpduguard, and storm-control, plus the uplink trunk.
OOB management via GigabitEthernet0/0 — in a dedicated Mgmt-vrf with static route, correctly isolated from production traffic.
Security hardening baseline — SSH v2 only, login brute-force protection, ARP inspection, storm-control, BPDU guard, and disabled unnecessary services.
BLACKHOLE VLAN 999 — all unused ports assigned to VLAN 999 and administratively shut down to prevent unauthorized access.
DHCP snooping per VLAN — scoped to your configured VLANs with the uplink marked as trusted and rate limiting on access ports.
Banner MOTD + archive config + login brute-force protection: login block-for, archive log config, and a standardized warning banner, every time.

Example — C9300-48P IOS-XE Configuration

The snippet below shows a representative extract of what netconfgen produces for a C9300-48P. Every secret and key is replaced with a <<<CHANGE_ME_*>>> placeholder so the config is safe to share and review before deployment.

SW-ACCESS-01 — Cisco Catalyst C9300-48P — IOS-XE 17.12
! Cisco Catalyst 9300-48P — IOS-XE 17.12
! Generated by netconfgen.com
!
hostname SW-ACCESS-01
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
vlan 10
 name PRODUCTION
vlan 20
 name VOICE
vlan 999
 name BLACKHOLE
!
interface GigabitEthernet0/0
 description OOB-MANAGEMENT
 vrf forwarding Mgmt-vrf
 ip address 10.10.99.10 255.255.255.0
 no shutdown
!
interface TwentyFiveGigE1/1/1
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 spanning-tree link-type point-to-point
 no shutdown
!
interface range GigabitEthernet1/0/1-48
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 20.00
 ip dhcp snooping limit rate 15
 shutdown
!
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.10.99.1
!
end

Why use a config generator instead of a Word template?

Templates go stale
Your Word template from 2021 doesn't know about IOS-XE 17.12 best practices, BLACKHOLE VLANs, or the correct TwentyFiveGigE uplink syntax for the 9300. Every platform change creates a new opportunity for the template to be wrong.
Human error is inevitable
Copy-pasting VLAN IDs between projects, forgetting no ip domain-lookup, using the wrong management interface for the wrong model — these mistakes happen every day and often only surface in production.
Hardening is optional until it isn't
Security best practices should not depend on who is generating the config that day. netconfgen applies them automatically — every single time — regardless of whether the engineer is a senior or an intern at 11 pm on a Friday.

Frequently Asked Questions

Yes — netconfgen is free to try with no account required. Generate your first C9300 config now and see the complete result instantly. No sign-up, no credit card.

Yes. netconfgen supports IOS-XE 17.12.x (latest recommended), 17.9.x, 17.6.x, 17.3.x, and 16.12.x. Select your target version in the generator before generating the config.

The Catalyst 9300 has a dedicated out-of-band management port — GigabitEthernet0/0 — isolated in a dedicated Mgmt-vrf. This keeps management traffic completely separate from production traffic, which means you can reach the switch even if the data-plane VLANs have issues. netconfgen detects the 9300 model automatically and configures this interface correctly, including the VRF static default route.

BLACKHOLE VLAN 999 is a security best practice for Cisco switches. All unused access ports are assigned to this VLAN and administratively shut down, preventing unauthorized access even if a cable is plugged into an inactive port. The VLAN itself is not routed or trunked to any uplink. netconfgen creates VLAN 999 and assigns all unspecified ports to it automatically.
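The three BLACKHOLE VLAN properties described above and in the feature list (not routed, not trunked, every member port shut down) can be checked against a saved running-config. The script below is an added example, not netconfgen's code or output; the function names and the sample config are constructed for illustration, and it assumes one stanza per interface and numeric `allowed vlan` lists (optionally with `add`).

```python
import re

# Constructed running-config excerpt (not netconfgen output). Faults: VLAN 999 in
# the uplink's allowed range, Gi1/0/3 in VLAN 999 but up, and an SVI for VLAN 999.
SAMPLE = """\
interface TwentyFiveGigE1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,990-999
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport access vlan 999
 shutdown
interface GigabitEthernet1/0/3
 switchport access vlan 999
interface Vlan999
"""

def parse_interfaces(config):
    """Map each interface name to its list of sub-commands."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        elif line.strip():
            cur = None  # any other top-level line ends the stanza
    return ifaces

def vlan_set(spec):
    """Expand an IOS VLAN list such as '10,20,990-999' into a set of ints."""
    bounds = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def audit_blackhole(config, vlan=999):
    """Return findings where the blackhole VLAN is routed, trunked or live."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        text = "\n".join(cmds)
        if name.lower() == f"vlan{vlan}":
            findings.append(f"{name}: SVI exists, VLAN {vlan} is routable")
        elif "switchport mode trunk" in cmds:
            specs = re.findall(r"^switchport trunk allowed vlan (?:add )?([\d,-]+)$", text, re.M)
            # No allowed list means the trunk carries every VLAN.
            if not specs or any(vlan in vlan_set(s) for s in specs):
                findings.append(f"{name}: trunk carries VLAN {vlan}")
        elif f"switchport access vlan {vlan}" in cmds and "shutdown" not in cmds:
            findings.append(f"{name}: in VLAN {vlan} but not shut down")
    return findings
```

Calling `audit_blackhole(SAMPLE)` returns one finding per fault; a trunk limited to `10,20,99`, as in the extract above, produces none.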

Ready to generate your C9300 configuration?

No account needed. Free to try. Production-ready in 30 seconds.
