
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

You can view this article in the original Czech version.

Cisco IOS 5 - communication with a switch

Petr Bouška - Samuraj

The next part of the Cisco IOS series summarizes the individual options for connecting to a switch in order to configure it. It covers not only the connection options themselves, but also how to configure these features and how to secure access to them.

Physical connection

To communicate with the switch, we must first connect to it in some way. We have two options:

  1. Console port - This is a special port on the switch with an RJ45 connector, which we connect to the COM port on the PC using a rollover cable.
  2. Ethernet port - We can connect to a properly configured switch (IP address set for the VLAN, no communication and access restrictions) through any network port on the switch. For initial configuration, we can use Express Setup (the switch sets a specific IP). A standard straight-through cable is used for the connection.

Communication Methods

We can communicate with the switch using several methods:

  1. Web interface - Some configuration and monitoring can be done through the built-in interface. The IOS with this interface must be installed (usually yes) and enabled (usually yes). Depending on the IOS version, we can use HTTP or HTTPS.
  2. Telnet, SSH, console - These methods give us the Command Line Interface (CLI), which offers a wide range of commands. Console access is enabled by default, while telnet and SSH must be configured. For SSH, we need an IOS version with encryption support. A terminal program such as PuTTY is required for this type of connection.
  3. Cisco Network Assistant (CNA) - or other specialized applications. For switch management, we can use specialized applications that control the switch through various protocols. CNA is a decent graphical application (available for free download from Cisco) that simplifies many settings and can work with a group of devices at once.
  4. SNMP - Using the SNMP protocol, we can automate many functions, read and set values. There are also many applications that use this protocol.

Security - Authentication

Access to the switch must, of course, be secured. The basic two security options are:

  1. Use authentication - For all communication methods, we can set a password (and usually a user). The simplest way is to set only a password, which is stored in the switch configuration. It can be stored unencrypted (password) or as an MD5 hash (secret). Ideally, we use AAA (Authentication, Authorization, Accounting).
  2. Restrict access - Depends on the connection method:
    1. Console port - Physical access to the switch is required to use this method, and the switch should be in a secure area with restricted access.
    2. Ethernet port - In this case, access is possible from the entire network (from the part where the switch is reachable), so it is good to allow certain protocols only to a special VLAN (management) or only from a specific address. This can be achieved through configuration or using an Access Control List (ACL).

Configuration of Individual Features

Access via Console

Console access is enabled by default without authentication. It is often used for the initial configuration. If we want to secure access to the switch this way, we can set a password. However, if someone has physical access to the device (which console access requires), this password usually won't stop them: they can perform password recovery (which can be disabled in newer IOS versions) or reset the configuration and gain full access to the switch.

SWITCH(config)#line console 0 // switch to console line configuration
SWITCH(config-line)#password c // set password (here c)

Note: For routers, we also need to enable password checking with the login command. This applies to all accesses through line.

Access via Telnet Protocol

For remote access, the Virtual terminal lines (VTY) are used. Telnet access becomes active once we set an IP address for the switch. However, until we set a password for the telnet session, it is not possible to connect. In the settings, we determine how many simultaneous connections are allowed, up to a maximum of 16 (depending on the model).

SWITCH(config)#line vty 0 1 // configure telnet connections with ID 0 to 1
SWITCH(config-line)#password c // password (here c) for telnet access

Lines that we do not want to use are better turned off:

SWITCH(config)#line vty 2 15 // connections 2 to 15
SWITCH(config-line)#transport input none // no input

Passwords for lines can only be entered unencrypted. To better secure their storage in the configuration, we can enable a service that stores all passwords in encrypted form. Note that this service applies the reversible type 7 encoding, so it only prevents reading passwords at a glance from the configuration; the secret commands are the ones that store a real hash.

SWITCH(config)#service password-encryption

Access using the SSH protocol

Telnet has the disadvantage that all data (including passwords) is sent unencrypted, so it can be intercepted. It is better to use an encrypted solution such as SSH. To use SSH, however, we need an IOS version that includes encryption. Then we need to create a user, set the SSH parameters, and configure access. Remote access using SSH is set up similarly to telnet; we only choose a different input transport.

SWITCH(config)#aaa new-model // enable AAA
SWITCH(config)#username cisco secret Password // create a user with a password stored using MD5 hash
SWITCH(config)#ip ssh time-out 60 // SSH parameters - session timeout
SWITCH(config)#ip ssh authentication-retries 2 // SSH parameters - number of login attempts
SWITCH(config)#ip ssh version 2 // SSH parameters - version
SWITCH(config)#ip domain name company.local // domain name for certificate creation
SWITCH(config)#crypto key generate rsa // if not already done, generate a key
SWITCH(config)#line vty 0 1 // configure lines with ID 0 to 1
SWITCH(config-line)#transport input ssh // input is SSH

Access to privileged mode

In the default configuration, after connecting to the CLI, we can switch to privileged mode by entering the enable command. Since we can change the switch configuration in this mode, it is recommended to secure this access with a password. The password can be stored in the configuration either as plain text or only as an MD5 hash.

SWITCH(config)#enable password c // password (here c) stored as plain text
SWITCH(config)#enable secret c // password (here c) stored using MD5 hash
SWITCH(config)#no enable secret // remove password

Web interface

Once an IP address is set and the IOS image includes the web interface, the web server is enabled automatically.

SWITCH(config)#ip http server // enable web server
SWITCH(config)#no ip http server // disable web server

If we have an IOS version with encryption (crypto), access via HTTPS is automatically used.

SWITCH#show ip http server status // display settings
SWITCH(config)#ip http secure-server // enable HTTPS server

SNMP

By default, SNMP is disabled. SNMP is enabled by setting community strings (something like a password for SNMP, used in SNMPv1 and SNMPv2c; SNMPv3 uses accounts instead).

SWITCH(config)#snmp-server community password ro // set community string for reading
SWITCH(config)#snmp-server contact Company // set contact
SWITCH(config)#snmp-server location server room // set location
SWITCH(config)#no snmp-server // disable SNMP

These are just the basic SNMP settings. We can, of course, configure traps and many other parameters. To create users for SNMPv3 or to set the SNMP version, use the snmp-server group and snmp-server user commands.
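To make the access-hardening advice from the console, telnet, SSH, privileged-mode, web-interface and SNMP sections above checkable rather than just readable, here is an added example (not code from the original article) that audits a saved `show running-config` for those points. The two sample configurations are constructed for the demonstration, and the specific rules (flag `enable password` without `enable secret`, missing `service password-encryption`, HTTP without HTTPS, the community strings `public` and `private`, and any VTY line that still allows telnet) are this example's own reading of the article, not a Cisco tool.

```python
"""Audit a Cisco IOS running-config for the access-hardening points in this article.

Added example (not from the original article): the sample configs are
constructed here, and the checks follow the article's advice for line access,
privileged mode, the web interface and SNMP.
"""
import re

# Constructed sample: a switch left roughly in the article's "before" state.
SAMPLE_WEAK = """\
hostname SWITCH
enable password c
ip http server
snmp-server community public ro
line con 0
 password c
line vty 0 4
 password c
 login
 transport input telnet
line vty 5 15
 password c
 login
"""

# Constructed sample: the same switch after applying the article's recommendations.
SAMPLE_HARDENED = """\
hostname SWITCH
service password-encryption
enable secret c
ip http secure-server
snmp-server community s3cret ro
line con 0
 password c
line vty 0 1
 password c
 login
 transport input ssh
line vty 2 15
 password c
 transport input none
"""


def parse_config(text):
    """Split an IOS config into global commands and 'line ...' blocks.

    Returns (global_cmds, line_blocks): the top-level commands as a list and a
    dict mapping a line name such as 'vty 0 4' to its indented sub-commands.
    """
    global_cmds, line_blocks = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" "):
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            line_blocks[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(text)
    findings = []

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    # Privileged mode: 'enable secret' (hashed) should replace 'enable password' (clear text).
    if has("enable password") and not has("enable secret"):
        findings.append("enable password stored in clear text; use 'enable secret'")
    elif not has("enable secret"):
        findings.append("privileged mode has no password set")
    # Line passwords can only be typed in clear text; the service hides them in the config.
    if not has("service password-encryption"):
        findings.append("line passwords stored in clear text; add 'service password-encryption'")
    # Web interface: plain HTTP management should give way to HTTPS.
    if has("ip http server") and not has("ip http secure-server"):
        findings.append("HTTP management enabled without HTTPS")
    # SNMP: community strings act as passwords, so well-known defaults are a finding.
    for cmd in global_cmds:
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"SNMP community '{m.group(1)}' is a well-known default")
    # VTY lines: SSH only, and unused lines closed with 'transport input none'.
    for name, sub in line_blocks.items():
        if not name.startswith("vty"):
            continue
        transport = next((s for s in sub if s.startswith("transport input")), None)
        # No explicit transport means the platform default, which usually still allows telnet.
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append(f"line {name}: telnet allowed ({transport or 'default transport'})")
        if transport != "transport input none" and not any(s.startswith("password") for s in sub):
            findings.append(f"line {name}: no password set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"{label}: {len(audit_config(cfg))} finding(s)")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Run it against a real `show running-config` by reading the file into `audit_config`; the weak sample produces six findings (one per section of the article) and the hardened sample produces none. The parser only understands top-level commands and indented `line` sub-blocks, which is all these checks need; interface blocks and ACLs are ignored, so a full audit of the access-restriction part (management VLAN, ACLs on the VTY lines) would need to extend it.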

Related articles:

Cisco IOS

A large series about the operating system of Cisco's active elements. It contains some of the most read articles on this site. The articles describe the configuration of switches and routers, primarily with Cisco IOS. Things about ports, VLANs, STP, ACLs, QoS, etc.

If you want to write something about this article, use the comments.

Comments
  1. [1] _knight

    If I want to connect only over SSH, isn't it by chance enough to just generate the crypto key and its size, create a username<account>

    and a domain, and then transport telnet to ssh: sonia(config-line)transport input telnet ?

    Sunday, 10.08.2008 21:39
  2. [2] _knight

    respond to [1]_knight: ssh* dammit :D

    Sunday, 10.08.2008 21:47
  3. [3] Michal

    I have a question, I have a 3650.

    fa0/1 is the LAN subnet from which I need to telnet through port fa0/7, on which an ACL is applied inbound.

    Behind fa0/7 there are two Aironets.

    But I don't understand the ACL setup at all; as soon as I set it on port fa0/7

    with permit tcp any any eq telnet

    it simply doesn't help.

    I also tried:

    permit tcp any any eq telnet

    permit tcp any any eq telnet established

    and nothing.

    The same with SNMP.

    Can anyone advise me how to do it?

    Simply, how do I reach those devices from the other side when I have an ACL applied inbound?

    I don't know whether I described it clearly.

    I would post it in the forum, but for the life of me I can't register; the verification email never arrives :(

    Thanks

    Sunday, 23.05.2010 11:33
  4. [4] Michal

    sorry, wrong article :(

    Sunday, 23.05.2010 11:33
  5. [5] Samuraj

    respond to [3]Michal: And have you tried

    permit tcp any eq telnet any

    ;-)

    Sunday, 23.05.2010 12:47
  6. [6] Karel

    Hi,

    I'm a complete newbie when it comes to Cisco... your articles are perfect! Without them I wouldn't have gotten anywhere. So I'm configuring my first Catalyst 2950 and I need to log in over telnet or SSH, but somehow I'm not succeeding. I didn't manage to configure SSH at all; it started complaining here: )#ip ssh time-out 60, up to that point it was fine. Telnet was set up without a hitch, but when I connect through PuTTY it asks me for a password; for a test I set a one-letter password, the letter c. The login goes through and the newly set hostname shows up. When I enter enable, it tells me No password set! What am I doing wrong? Thanks a lot

    Monday, 07.03.2011 21:27
  7. [7] Petr

    enable secret heslo

    Wednesday, 09.03.2011 10:31
  8. [8] karel

    respond to [7]Petr: yep, thanks, that did it

    Thursday, 10.03.2011 10:50
  9. [9] Tomas

    Aren't you missing "login local" for SSH? Without it anyone can log in, even without a password.... at least that's how it is for me ;-) otherwise a great article :-)

    Sunday, 04.01.2015 16:52
  10. [10] Miroslav Riška

    I have several switches in the network (C3750X, C2960) and I think everything runs the way I want (about 10 VLANs, Radius ..). I access them over SSH. For an overview I use Cisco Network Assistant, and suddenly some switches stopped showing up and I can't connect to such a switch from my PC where CNA runs, not even over SSH. The switches are working, I just can't manage them. From another PC I can connect, and CNA also works on another PC, except that there, for a change, a different switch is inaccessible. This happens roughly every 4 - 6 months. Restarting the inaccessible switch helps, but that is not a good solution. I can't think of what causes it. Someone please advise me.

    Wednesday, 12.10.2016 10:36