Securing the Switch CLI
- everyone operates remotely, so we need SSH or Telnet enabled
- to telnet or SSH, switch needs to be configured with an IP address
We will discuss
- securing user mode and privileged mode with simple password
- securing user mode access with local usernames and passwords
- securing user mode access with external authentication servers
- securing remote access with SSH
Securing user mode and privileged mode with simple password
- by default, user mode and privileged mode are not secured at all
- securing user mode with telnet password (vty password)
- telnet password configured in vty line configuration mode
- securing user mode with console password (console password)
- console password configured in console line configuration mode
- enable password is used to enter enable mode
- a shared password (console or telnet) is the same for everyone: existing workers must hand it to each new worker, hence the name "shared password"


Console password:
# line console 0
# login
# password <password>
- now, when we connect a console cable and want to enter user mode, we have to type <password>, and then we are brought to user mode
Telnet password
# line vty 0 15
# login
# password <password>
- now, when we log in to the switch via telnet, we have to type <password>, and then we are brought to user mode
Enable password
# enable secret <password>
- if we want to elevate to privileged mode, we have to type <password> as the password
Securing user mode access with local usernames and passwords
- such username/password combos are used to enter user mode
- they do not replace the password used to enter enable mode
- to migrate from a shared password to username/password, make the following changes:
Console username and password combo:
# username <username> secret <password>
# line console 0
# login local
# no password
- # username is a global configuration command, so it is entered before (or after) the line configuration, not inside it
- # login local means use the local list of usernames for login
- # no password removes any remaining shared password, just for good housekeeping
Telnet username and password combo
# username <username> secret <password>
# line vty 0 15
# login local
# no password
- # no password removes any remaining shared password, just for good housekeeping
Securing user mode access with external authentication servers
- The problem with storing username/password combos on switches or routers is that whenever they change, every device must be updated
- Instead of changing the username/password on all devices, we use an AAA (Authentication, Authorization, and Accounting) server that stores all combos
- The figure below explains what happens
- Every switch or router in a network would send a request to the AAA server asking if this combo is correct.
- The server responds, and the switch then allows the user into the CLI
- Notice that on the client side, between the client and the switch, telnet or SSH is used, but on the other side, between the switch and the AAA server, RADIUS or TACACS+ is used, both of which encrypt passwords during transmission
Securing remote access with secure shell
- Telnet sends everything in plain text; SSH encrypts the session
- SSH works only with username/password combo.
- It cannot work with only password
SW1# configure terminal
SW1(config)# hostname SW1
SW1(config)# ip domain-name example.com
SW1(config)# crypto key generate rsa
How many bits in the modulus: 1024
SW1(config)# ip ssh version 2
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# exit
SW1(config)# username <username> secret <password>
SW1(config)# username melisa secret racunar (optional)
- the "How many bits in the modulus" line is a prompt printed by crypto key generate rsa, not a command; hostname and ip domain-name must be set before the key is generated, because the key is named after them
- Use at least a 768-bit key to support SSH version 2
- As we said, telnet and SSH work on the same vty lines.
- For the security reasons, we can disable telnet and leave SSH on
- To control which protocols the switch accepts on the vty lines, we use the transport input command:
- transport input all, or transport input telnet ssh: supports both telnet and SSH
- transport input none: supports neither
- transport input telnet: supports only telnet
- transport input ssh: supports only SSH
NOTE: Cisco routers come with transport input none by default. You have to enter transport input all, telnet, or ssh to enable remote access on the vty lines
# show ip ssh
# show ssh
- # show ip ssh lists status information about the SSH server
- # show ssh lists information about each SSH client currently connected to the switch
Enabling IPv4 for Remote Access
- To allow telnet or SSH access to a switch, and to allow other IP-based management protocols (such as SNMP) to function, the switch needs an IP address
- The IP address has nothing to do with forwarding Ethernet frames; it exists only to support management traffic
- The switch needs an IP address in the same way a PC does
- A PC has a CPU with an OS running on it and a NIC; the OS associates an IP address with that NIC
- The switch uses the same logic as the PC, but it needs a virtual NIC
- The virtual NIC is called a switched virtual interface (SVI), or VLAN interface, and acts as the switch's NIC
Configuring IPv4 on a Switch
SW1# configure terminal
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.200 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 192.168.1.1
SW1(config)# ip name-server IP_ADDRESS_1 IP_ADDRESS_2 …
OPTIONAL: the last command (ip name-server) configures the switch to use DNS to resolve names into IP addresses
Configuring a Switch to Learn Its IP address with DHCP
- The switch can also use DHCP to dynamically learn IPv4 settings.
- To do so, tell the switch to use DHCP on that VLAN interface, and enable the interface
- Assuming DHCP works on that network, the switch learns all of its IPv4 settings
Verifying IPv4 on a switch
- The IPv4 configuration can be viewed with show running-config, show interfaces vlan x, and show dhcp lease
- The switch does not store DHCP-learned IP settings in the running-config file, so show dhcp lease is the place to look for them
Cool commands for LAB
# no logging console - disables syslog messages on the console
# logging console - enables syslog messages on the console
# logging synchronous - tells IOS to synchronize syslog messages with the command line, so they do not interrupt what you are typing
- after 5 minutes of inactivity, IOS logs out the console or vty (telnet or SSH) session
# exec-timeout minutes seconds - sets that inactivity timeout
# exec-timeout 0 0 - never time out
# no ip domain-lookup - disables the IOS attempt to resolve a mistyped command as a hostname into an IP address