Chapter 8 – Configuring Basic Switch Management

Securing the Switch CLI

  • network staff operate switches remotely, so Telnet or SSH must be enabled 
  • to Telnet or SSH into the switch, it must first be configured with an IP address 

We will discuss

  • securing user mode and privileged mode with simple password 
  • securing user mode access with local usernames and passwords 
  • securing user mode access with external authentication servers 
  • securing remote access with SSH 

Securing user mode and privileged mode with simple password

  • by default, user mode and privileged mode are not secured at all 
  • securing user mode with a Telnet password (vty password) 
  • the Telnet password is configured in vty line configuration mode 
  • securing user mode with a console password 
  • the console password is configured in console line configuration mode 
  • the enable password is used to enter enable mode 
  • these are shared passwords: one password for console or Telnet that existing staff must share with new staff, hence the name 
Figure 8-1 Simple Password Security Concepts: the console password and the vty (Telnet) password guard entry to User Mode; the Enable Password guards entry to Enable Mode 
Figure 8-2 Simple Password Security Configuration: line console 0 / login / password hope guards the console; line vty 0 15 / login / password love guards Telnet (vty); enable secret faith guards Enable Mode (prompt changes from switch> to switch#) 

Console password: 

# line console 0 
# login 
# password <password>
  • now, when we connect the console cable and want to enter user mode, we have to enter <password>; the switch then brings us to user mode 

Telnet password

# line vty 0 15 
# login
# password <password>
  • now, when we log in to the switch via Telnet, we have to enter <password>; the switch then brings us to user mode 

Enable password

# enable secret <password> 
  • if we want to elevate to privileged mode, we have to type <password> 

Securing user mode access with local usernames and passwords

  • such username/password combos are used to enter user mode 
  • they do not replace the password used to enter enable mode 
  • to migrate from a shared password to username/password, apply the following changes: 

Console username and password combo: 

# line console 0 
# login local
# username <username> secret <password>
# no password
  • # login local means use the local list of usernames for login
  • # no password removes any remaining shared password, just for good housekeeping 

Telnet username and password combo

# line vty 0 15 
# login local
# username <username> secret <password>
# no password
  • # no password removes any remaining shared password, just for good housekeeping 

Securing user mode access with external authentication servers

  • The problem with storing username/password combos on every switch or router is changing them 
  • Instead of changing the username/password on all devices, we use an AAA (Authentication, Authorization, and Accounting) server that stores all the combos 
  • The figure below explains what happens 
  • Every switch or router in the network sends a request to the AAA server asking whether the combo is correct 
  • The server responds, and the switch allows the user into the CLI 
  • Notice that on the client side, between the client and the switch, Telnet or SSH is used, but on the other side, between the switch and the AAA server, RADIUS or TACACS+ is used; both protocols encrypt the password during transmission 

Securing remote access with secure shell

  • Telnet sends everything in plain text; SSH is encrypted 
  • SSH works only with a username/password combo 
  • It cannot work with only a password 

SW1# configure terminal 
SW1 (config)# hostname SW1
SW1 (config)# ip domain-name example.com
SW1 (config)# crypto key generate rsa
How many bits in the modulus: 1024
SW1 (config)# ip ssh version 2
SW1 (config)# line vty 0 15
SW1 (config-line)# login local
SW1 (config-line)# exit
SW1 (config)# username <username> secret <password> 
SW1 (config)# username melisa secret racunar (optional) 
  • Use a key of at least 768 bits to support SSH version 2 
  • As we said, telnet and SSH work on the same vty lines. 
  • For security reasons, we can disable Telnet and leave only SSH on 
  • To control which protocols the switch accepts on the vty lines, we use the transport input command 
  1. transport input all or transport input telnet ssh: supports both Telnet and SSH 
  2. transport input none: supports neither 
  3. transport input telnet: supports only Telnet 
  4. transport input ssh: supports only SSH 

NOTE: Cisco routers come with a default of transport input none. You will have to enter transport input all, telnet, or ssh to enable remote access 

#show ip ssh  
#show ssh  
  • # show ip ssh lists status information about the SSH server
  • # show ssh lists information about each SSH client currently connected to the switch
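As an added example (not from the chapter or any Cisco tool), the following Python script audits a running-config for the settings covered in the local-username and SSH sections above: line blocks still on a shared password instead of login local, leftover line passwords, vty lines not restricted to transport input ssh, a missing enable secret or ip ssh version 2, and exec-timeout 0 0. The config text and the secret hash are constructed placeholders, not output from a real device.

```python
# Constructed running-config (not a real device): con 0 migrated to login local, vty 0 4 still on the shared Telnet password.
SAMPLE_CONFIG = """\
ip ssh version 2
username admin secret 5 $1$PLACEHOLDER$hash
line con 0
 login local
line vty 0 4
 password love
 login
 transport input telnet ssh
 exec-timeout 0 0
line vty 5 15
 login local
 transport input ssh
"""

def parse_config(config):
    # Split into global commands and {"con 0": [subcommands], "vty 0 4": [...]}
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):            # start of a line-mode block
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:  # indented = inside that block
            blocks[current].append(raw.strip())
        else:                                  # back in global config mode
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks

def audit(config):
    # Return (line, issue) findings for the settings this chapter covers
    global_cmds, blocks = parse_config(config)
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append(("global", "ip ssh version 2 not set"))
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append(("global", "enable secret missing"))
    for name, cmds in blocks.items():
        if "login local" not in cmds:
            findings.append((name, "shared password instead of login local"))
        if any(c.startswith("password ") for c in cmds):
            findings.append((name, "leftover line password (use no password)"))
        if name.startswith("vty"):
            found = next((c for c in cmds if c.startswith("transport input")), "not set")
            if found != "transport input ssh":
                findings.append((name, f"{found}; expected transport input ssh"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "exec-timeout 0 0 disables idle logout"))
    return findings
```

Run audit(SAMPLE_CONFIG) to list the findings; vty 0 4 produces four of them while con 0 and vty 5 15 pass.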

Enabling IPv4 for Remote Access

  • To allow Telnet or SSH access to a switch, and to allow other IP-based management protocols (such as SNMP) to function, the switch needs an IP address 
  • The IP address has nothing to do with the Ethernet frames the switch forwards; it exists only to support management traffic 
  • The switch needs an IP address just as a PC would 
  • A PC has a CPU with an OS running on it and a NIC; the OS associates an IP address with the NIC 
  • The switch uses the same logic as the PC, but it needs a virtual NIC 
  • The virtual NIC is called a switched virtual interface (SVI), or VLAN interface, and it acts as the switch's NIC 

Configuring IPv4 on a Switch

SW1# configure terminal 
SW1 (config)# interface vlan 1 
SW1 (config-if)# ip address 192.168.1.200 255.255.255.0 
SW1 (config-if)# no shutdown 
SW1 (config-if)# exit 
SW1 (config)# ip default-gateway 192.168.1.1 
SW1 (config)# ip name-server IP_ADDRESS_1 IP_ADDRESS_2 … 

OPTIONAL: Use this command to configure the switch to use DNS to resolve names into their IP address

Configuring a Switch to Learn Its IP address with DHCP

  • The switch can also use DHCP to dynamically learn its IPv4 settings 
  • To do so, tell the switch to use DHCP on the VLAN interface and enable the interface 
  • Assuming DHCP works on that network, the switch will learn all its settings 

Verifying IPv4 on a switch

  • The IPv4 configuration can be viewed with the show running-config, show interfaces vlan x, and show dhcp lease commands 
  • The switch does not store DHCP-learned IP configuration in the running-config file 

Cool commands for LAB

# no logging console - disables syslog messages on the console 
# logging console - enables syslog messages on the console 
# logging synchronous - tells IOS to synchronize syslog messages with command output so they do not interrupt what you are typing 
# exec-timeout minutes seconds - sets the idle timeout; after 5 minutes of inactivity IOS logs out the console or vty (Telnet or SSH) session 
# exec-timeout 0 0 - never time out 
# no ip domain-lookup - disables the IOS attempt to resolve a mistyped command as a hostname into an IP address 
