Physical connection
To communicate with the switch, we must first connect to it in some way. We have two options:
- Console port - This is a special port on the switch with an RJ45 connector, which we connect to the COM port of the PC using a rollover cable.
- Ethernet port - We can connect to a properly configured switch (an IP address set for the VLAN, no communication or access restrictions) through any network port on the switch. For the initial configuration, we can use Express Setup (the switch assigns itself a specific IP). A standard straight-through cable is used for this connection.
Communication Methods
We can communicate with the switch using several methods:
- Web interface - Some configuration and monitoring can be done through the built-in web interface. An IOS image containing this interface must be installed (usually it is) and the interface must be enabled (usually it is). Depending on the IOS version, we can use HTTP or HTTPS.
- Telnet, SSH, console - These methods give us the Command Line Interface (CLI), which offers a wide range of commands. Console access is enabled by default, while telnet and SSH must be configured. For SSH, we need an IOS version with encryption support. A terminal program such as PuTTY is required for this type of connection.
- Cisco Network Assistant (CNA) - or other specialized applications. For switch management, we can use specialized applications that control the switch through various protocols. CNA is a decent graphical application (available for free download from Cisco) that simplifies many settings and can work with a group of devices at the same time.
- SNMP - Using the SNMP protocol, we can automate many functions and read and set values. There are also many applications that use this protocol.
Security - Authentication
Access to the switch must, of course, be secured. The basic two security options are:
- Use authentication - For all communication methods, we can set a password (and usually a user as well). The simplest way is to set only a password, which is stored in the switch configuration. It can be stored unencrypted (password) or as an MD5 hash (secret). Ideally, we use AAA (Authentication, Authorization, Accounting).
- Restrict access - This depends on the connection method:
  - Console port - Physical access to the switch is required to use this method, so the switch should be in a secure area with restricted access.
  - Ethernet port - In this case, access is possible from the entire network (from the part where the switch is reachable), so it is good to allow certain protocols only from a special management VLAN or only from a specific address. This can be achieved through configuration or by using an Access Control List (ACL).
Configuration of Individual Features
Access via Console
Console access is enabled by default without authentication. It is often used for the initial configuration. If we want to secure access to the switch this way, we can set a password. However, if someone has physical access to the device (which is needed to use the console), this password usually won't stop them. They can perform password recovery (which can be disabled in newer IOS versions) or reset the configuration and gain full access to the switch.
SWITCH(config)#line console 0 // switch to console line configuration
SWITCH(config-line)#password c // set the password (here c)
Note: For routers, we also need to enable password checking with the login command. This applies to all access through line.
Access via Telnet Protocol
For remote access, the Virtual terminal lines (VTY) are used. Telnet access becomes active once we set an IP address for the switch. However, until we set a password for the telnet session, it is not possible to connect. In the settings, we determine how many simultaneous connections are allowed, up to a maximum of 16 (depending on the model).
SWITCH(config)#line vty 0 1 // configure telnet connections with ID 0 to 1
SWITCH(config-line)#password c // password (here c) for telnet access
Lines that we do not want to use are better turned off:
SWITCH(config)#line vty 2 15 // connections 2 to 15
SWITCH(config-line)#transport input none // no input allowed
Passwords for lines can only be entered unencrypted. To better secure their storage in the configuration, we can set a service that stores all passwords using an MD5 hash.
SWITCH(config)#service password-encryption
Access using the SSH protocol
Telnet has the disadvantage that all data (including passwords) is sent unencrypted, so it can be intercepted. It is more suitable to use an encrypted solution such as SSH. However, to use SSH, we need an IOS version that includes encryption. Then we need to create a user, set the SSH parameters, and configure the access. Remote access using SSH is set up similarly to telnet, only we choose a different input transport.
SWITCH(config)#aaa new-model // enable AAA
SWITCH(config)#username cisco secret Password // create a user with a password stored as an MD5 hash
SWITCH(config)#ip ssh time-out 60 // SSH parameters - session timeout
SWITCH(config)#ip ssh authentication-retries 2 // SSH parameters - number of login attempts
SWITCH(config)#ip ssh version 2 // SSH parameters - version
SWITCH(config)#ip domain name company.local // domain name, needed for key generation
SWITCH(config)#crypto key generate rsa // if not already done, generate an RSA key
SWITCH(config)#line vty 0 1 // configure lines with ID 0 to 1
SWITCH(config-line)#transport input ssh // input is SSH only
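The following is an added example, not configuration from the original article: it combines the SSH steps above with the address-based restriction of remote access described in the Security section, so that only stations in a management subnet can open a session to the VTY lines. The hostname, domain, user name, ACL name, the 10.10.99.0/24 subnet and the passwords are assumed placeholders. It uses login local on the lines instead of the article's aaa new-model; without one of the two, the lines do not consult the username database. One caveat worth knowing: service password-encryption applies the reversible type 7 obfuscation, not a hash, so credentials that matter belong in secret, as here.

```cisco
! Added example (not from the article): SSH-only remote access restricted
! to a management subnet. Names, subnet and passwords are placeholders.
hostname SWITCH
ip domain name company.local
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Local account and enable password, both stored as hashes ("secret").
! "username ... password" would store the value recoverably (type 7).
username admin privilege 15 secret ChangeMe-ExampleUserPass
enable secret ChangeMe-ExampleEnablePass
!
! Only the management subnet may open a remote session; everything else
! is denied and logged, which makes stray connection attempts visible.
ip access-list standard MGMT-ACCESS
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
! All 16 VTY lines: SSH only, local authentication, ACL on inbound sessions,
! and idle sessions dropped after 10 minutes.
line vty 0 15
 transport input ssh
 login local
 access-class MGMT-ACCESS in
 exec-timeout 10 0
!
! Console keeps the same local authentication and idle timeout.
line con 0
 login local
 exec-timeout 10 0
```

The RSA key is generated interactively with crypto key generate rsa before the lines are switched to SSH, as in the article; the domain name must be set first or the command refuses to run. After applying the configuration, show ip ssh confirms the version and timeouts, and show ip access-lists MGMT-ACCESS shows the hit counts on the deny entry, which is a simple way to notice connection attempts from outside the management subnet.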
Access to privileged mode
In the default configuration, after connecting to the CLI, we can switch to privileged mode by entering the enable command. Since we can change the switch configuration in this mode, it is recommended to secure this access with a password. The password can be stored in the configuration either as plain text or only as an MD5 hash.
SWITCH(config)#enable password c // password (here c) stored as plain text
SWITCH(config)#enable secret c // password (here c) stored as an MD5 hash
SWITCH(config)#no enable secret // remove the password
Web interface
Once the IP address is set and the IOS version includes a web interface, the interface is enabled automatically.
SWITCH(config)#ip http server // enable the web server
SWITCH(config)#no ip http server // disable the web server
If we have an IOS version with encryption (crypto), access via HTTPS is used automatically.
SWITCH#show ip http server status // display the settings
SWITCH(config)#ip http secure-server // enable the HTTPS server
SNMP
By default, SNMP is disabled. SNMP is enabled by setting a community string (in SNMPv1 and SNMPv2c this acts as something like a password; SNMPv3 uses user accounts instead).
SWITCH(config)#snmp-server community password ro // set a read-only community string
SWITCH(config)#snmp-server contact Company // set the contact
SWITCH(config)#snmp-server location server room // set the location
SWITCH(config)#no snmp-server // disable SNMP
These are just the basic SNMP settings. We can, of course, configure traps and many other parameters. To create users in SNMPv3 or to set the SNMP version, use the snmp-server group and snmp-server user commands.
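As an added example that is not part of the original article, here is the SNMPv3 setup the last paragraph refers to: a read-only group that requires both authentication and encryption, a user bound to it, and an ACL so that only the management subnet can query the switch. The view, group, user and ACL names, the 10.10.99.0/24 subnet and the passphrases are assumed placeholders.

```cisco
! Added example (not from the article): SNMPv3 with auth + priv, read-only,
! reachable only from the management subnet. Names and values are placeholders.
ip access-list standard SNMP-MGMT
 permit 10.10.99.0 0.0.0.255
!
! A view covering the whole MIB tree; the group below gets it read-only.
snmp-server view RO-VIEW iso included
!
! Security level "priv" means every request must be authenticated and encrypted;
! "access SNMP-MGMT" rejects requests from outside the management subnet.
snmp-server group MONITOR v3 priv read RO-VIEW access SNMP-MGMT
!
! User in that group: SHA for authentication, AES-128 for encryption.
snmp-server user monitor MONITOR v3 auth sha ChangeMe-AuthPass priv aes 128 ChangeMe-PrivPass
!
snmp-server contact Company
snmp-server location server room
!
! If an old v2c collector must stay, bind its community to the same ACL
! and keep it read-only rather than using a well-known string.
snmp-server community NotPublic-Example ro SNMP-MGMT
```

Two things to check afterwards: snmp-server user entries are deliberately not shown in the running configuration, so show snmp user is the place to confirm the account exists, and a collector that is still configured for v2c will not talk to a v3-only group, so the community line is only needed during a transition.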
If I want to connect only via SSH, isn't it by any chance enough to just generate the crypto key and its size, create username<account>
and the domain, and then switch the transport from telnet to ssh: sonia(config-line)transport input telnet ?
respond to [1]_knight: ssh* damn :D
I have a question, I have a 3650
fa0/1 is the LAN subnet from which I need to get in via telnet through port fa0/7, on which an ACL is applied inbound
behind fa0/7 there are two Aironets
but I don't understand the ACL setup at all, as soon as I set it on port fa0/7
namely permit tcp any any eq telnet
it simply doesn't help
I also tried:
permit tcp any any eq telnet
permit tcp any any eq telnet established
and nothing
the same with SNMP
can someone advise me how to do it?
simply, when I have an ACL applied inbound, how do I get to those devices from the other side?
I don't know if I described it clearly.
I would have written this in the forum, but I can't register for the life of me, the verification email doesn't arrive :(
Thanks
sorry, wrong article :(
respond to [3]Michal: And did you try
permit tcp any eq telnet any
Hi
I'm a complete noob when it comes to Cisco... your articles are excellent! Without them I wouldn't have gotten anywhere. Well, I'm configuring my first Catalyst 2950 and I need to log in via telnet or ssh, but somehow I can't manage it. I couldn't configure ssh at all, it started complaining here: )#ip ssh time-out 60, up to that point it was fine. And telnet was set up without a hitch, but when I launch it via PuTTY, I start it and it asks me for a password; for testing I set a one-letter password there, the letter c. The login goes through and the newly set hostname shows up. When I enter enable, it tells me No password set! What am I doing wrong? Thanks a lot
enable secret heslo
respond to [7]Petr: yep, thanks, that did it
Aren't you missing "login local" for ssh? Without it anyone can log in, even without a password.... at least that's how it was for me. Otherwise a great article
I have several switches in the network (C3750X, C2960) and I think everything runs the way I want (about 10 VLANs, Radius ..). I access them via SSH. For an overview I use Cisco Network Assistant, and suddenly some switches stopped being displayed and I can't connect to that switch from my PC where CNA runs, not even via SSH. The switches are working, I just can't manage them. From another PC I can connect, and CNA works on another PC too, but there a different switch is not accessible instead. This happens about every 4 - 6 months. Restarting the inaccessible switch helps, but that's not a good solution. I can't think of what causes it. Someone please advise me.