Chapter 8 – Configuring Basic Switch Management

Securing the Switch CLI

  • switches are normally managed remotely, so we need SSH or Telnet enabled 
  • to Telnet or SSH into it, the switch needs to be configured with an IP address 

We will discuss

  • securing user mode and privileged mode with simple password 
  • securing user mode access with local usernames and passwords 
  • securing user mode access with external authentication servers 
  • securing remote access with SSH 

Securing user mode and privileged mode with simple password

  • by default, user mode and privileged mode are not secured at all 
  • securing user mode with a Telnet password (vty password) 
  • the Telnet password is configured in vty line configuration mode 
  • securing user mode with a console password 
  • the console password is configured in console line configuration mode 
  • the enable password is used to enter enable mode 
  • a shared password is one password used by everyone for console or Telnet access; existing workers must share it with new workers, hence the name shared password 
Figure 8-1 Simple Password Security Concepts (console password and vty password protect user mode; enable password protects enable mode)
Figure 8-2 Simple Password Security Configuration (line console 0 / password hope and line vty 0 15 / password love protect user mode; enable mode)

Console password: 

# line console 0 
# login 
# password <password>
  • now, when we connect a console cable and want to enter user mode, we have to type <password> as the password; it then brings us to user mode 

Telnet password

# line vty 0 15 
# login
# password <password>
  • now, when we want to log in to the switch via Telnet, we have to type <password> as the password; it then brings us to user mode 

Enable password

# enable secret <password> 
  • if we would like to elevate to privileged mode, we have to type <password> as the password 

Securing user mode access with local usernames and passwords

  • such username/password combos are used to enter user mode 
  • they do not replace the password used to enter enable mode 
  • to migrate from a shared password to username/password, enter the following: 

Console username and password combo: 

# line console 0 
# login local
# username <username> secret <password>
# no password
  • # login local means use the local list of usernames for login
  • # no password removes any remaining shared password (just for good housekeeping) 

Telnet username and password combo

# line vty 0 15 
# login local
# username <username> secret <password>
# no password
  • # no password removes any remaining shared password (just for good housekeeping) 

Securing user mode access with external authentication servers

  • The problem with storing username/password combos on each switch or router is keeping them up to date when they change 
  • Instead of changing the username/password on every device, we use an AAA (Authentication, Authorization, and Accounting) server that stores all the combos 
  • The figure below explains what happens 
  • Every switch or router in the network sends a request to the AAA server asking whether the combo is correct 
  • The server responds, and the switch allows the user into the CLI 
  • Notice that on the client side, between the client and the switch, Telnet or SSH is used, while on the other side, between the switch and the AAA server, the RADIUS or TACACS+ protocol is used; both encrypt passwords during transmission 

Securing remote access with secure shell

  • Telnet is plain text, SSH is encrypted 
  • SSH works only with a username/password combo 
  • It cannot work with only a password 
SW1# configure terminal 
SW1(config)# hostname SW1
SW1(config)# ip domain-name <domain-name>
SW1(config)# crypto key generate rsa
How many bits in the modulus: 1024
SW1(config)# ip ssh version 2
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# exit
SW1(config)# username <username> secret <password> 
SW1(config)# username melisa secret racunar (optional) 
  • Use a key of at least 768 bits to support SSH version 2 
  • As we said, Telnet and SSH work on the same vty lines 
  • For security reasons, we can disable Telnet and leave only SSH on 
  • To control which protocols the switch accepts on the vty lines, we use the transport input command 
  1. transport input all or transport input telnet ssh: supports both Telnet and SSH 
  2. transport input none: supports neither 
  3. transport input telnet: supports only Telnet 
  4. transport input ssh: supports only SSH 

NOTE: Cisco routers come with default transport input none. You will have to enter transport input all, telnet, or ssh, to enable this option 

#show ip ssh  
#show ssh  
  • # show ip ssh lists status information about the SSH server
  • # show ssh lists information about each SSH client currently connected to the switch

Enabling IPv4 for Remote Access

  • To allow Telnet or SSH access to a switch, and to allow other IP-based management protocols (such as SNMP) to function, the switch needs an IP address 
  • The IP address has nothing to do with forwarding Ethernet frames; it exists only to support management traffic 
  • The switch needs an IP address just as a PC would 
  • A PC has a CPU with an OS running on it and a NIC; the OS associates an IP address with the NIC 
  • A switch uses the same logic as a PC, but the switch has to use a virtual NIC 
  • The virtual NIC is called a switched virtual interface (SVI), or VLAN interface, and it acts as the switch's NIC 

Configuring IPv4 on a Switch

SW1# configure terminal 
SW1(config)# interface vlan 1 
SW1(config-if)# ip address <ip-address> <subnet-mask> 
SW1(config-if)# no shutdown 
SW1(config-if)# exit 
SW1(config)# ip default-gateway <ip-address> 
SW1(config)# ip name-server IP_ADDRESS_1 IP_ADDRESS_2 … 

OPTIONAL: Use the ip name-server command to configure the switch to use DNS to resolve names into IP addresses

Configuring a Switch to Learn Its IP address with DHCP

  • The switch can also use DHCP to dynamically learn its IPv4 settings 
  • To do so, tell the switch to use DHCP on the VLAN interface, and enable the interface 
  • Assuming DHCP works on that network, the switch learns all its settings 

Verifying IPv4 on a switch

  • The IPv4 config can be checked with the show running-config, show interfaces vlan x, and show dhcp lease commands 
  • The switch does not store DHCP-learned IP configuration in the running-config file 

Cool commands for LAB

# no logging console - disables syslog messages on the console 
# logging console - enables syslog messages on the console 
# logging synchronous - tells IOS not to interleave syslog messages with the text you are typing 
  • after 5 minutes of inactivity, Cisco IOS logs out the console or vty (Telnet or SSH) session 
# exec-timeout minutes seconds - changes that idle timeout 
# exec-timeout 0 0 - never time out 
# no ip domain-lookup - disables IOS attempts to resolve hostnames into IP addresses 
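The SSH and vty settings above, together with the exec-timeout setting in this section, are exactly what you would check when auditing a switch's running-config. The following Python script is an added example, not code from the chapter or from Cisco: it parses two constructed running-config excerpts (a weak one that still uses the shared passwords hope and love from Figure 8-2, and a hardened SSH-only one) and reports which of the chapter's recommendations each one violates. The hostname SW1, the username melisa, the domain name example.test and the `$placeholder$` hash strings are assumed sample values.

```python
# Constructed sample running-config excerpts (not taken from the page).
# WEAK_CONFIG keeps the shared line passwords from the chapter's first
# example; HARDENED_CONFIG is the SSH-only setup the chapter builds up to.
WEAK_CONFIG = """\
hostname SW1
no ip domain-lookup
line con 0
 password hope
 login
 exec-timeout 0 0
line vty 0 15
 password love
 login
 transport input all
"""

HARDENED_CONFIG = """\
hostname SW1
ip domain-name example.test
ip ssh version 2
username melisa secret 5 $placeholder$
enable secret 5 $placeholder$
line con 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
"""


def parse_config(text):
    """Split an IOS running-config into global commands and line sections.

    Returns (global_cmds, sections): global_cmds is the list of top-level
    commands, sections maps each 'line ...' header to the indented commands
    under it. Comment lines starting with '!' and blank lines are skipped.
    """
    global_cmds, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # indented command in a line section
                sections[current].append(raw.strip())
        else:
            cmd = raw.strip()
            if cmd.startswith("line "):      # start of a console/vty section
                current = cmd
                sections[current] = []
            else:                             # any other global command
                current = None
                global_cmds.append(cmd)
    return global_cmds, sections


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings = []
    # Enable mode must be protected with enable secret, not left open.
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no 'enable secret' protecting enable mode")
    # SSH version 2 should be enforced.
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set")
    # SSH needs at least one local username with a secret.
    if not any(c.startswith("username ") and " secret " in c for c in global_cmds):
        findings.append("global: no local username with a secret")
    for header, cmds in sections.items():
        # Shared line passwords should have been removed with 'no password'.
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{header}: shared line password still configured")
        if "login local" not in cmds:
            findings.append(f"{header}: 'login local' missing")
        # exec-timeout 0 0 disables the idle logout entirely.
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: exec-timeout 0 0 disables idle logout")
        # vty lines should accept SSH only, never Telnet.
        if header.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport input allows more than SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit_config(cfg) or ["OK"]:
            print("  " + finding)
```

Running the script prints nine findings for the weak excerpt (missing enable secret, SSH version and local username, the two leftover line passwords, the missing login local on both lines, the disabled idle timeout on the console, and the vty lines still accepting Telnet) and OK for the hardened one. The parser relies only on the indentation IOS uses for line sections, so the same audit can be run on the output of show running-config saved to a file.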

