Configuring a Web Interface:
Switches have web-based config tools that require an onboard HTTP server:
Web browser GUI.
Security Device Manager (SDM).
IP Phone and Telephony apps.
HTTP services are a potential security hole, and authentication for them is optional.
If many users access HTTP services you may require a separate authentication server.
AAA and TACACS can be used to validate user credentials (robust).
A less complex method allows use of the enable password.
A local authentication method requires the user to log in with a username and password specified in the config.
S1(config)#ip http server turns on the server (on by default).
S1(config)#ip http authentication enable
This requires only the enable password for authentication.
You may also specify aaa or tacacs authentication.
These require a separate server or aaa services.
Username and password combos are used for a variety of security purposes.
S1(config)#username ____ password ____
The MAC Address Table:
Determines how to forward traffic between ports.
Includes dynamic and static MAC addresses.
MAC address table = CAM table = SAT = bridge table.
Content Addressable Memory.
Source Address Table.
Dynamic addresses are source MAC addresses learned and aged out when not used.
Default max age = 300 seconds.
Setting age too short can cause premature removal.
When a switch receives a frame for an unknown destination, it floods it to all ports in the same LAN/VLAN.
This unnecessary flooding can impact performance.
Setting too long an age can fill the table with unused addresses, which also causes flooding once the table is full.
Dynamic addresses are learned from the source MAC address of each frame received on each port.
As PCs are added/removed, the switch updates the table.
An admin can assign static MAC addresses to certain ports.
These are not aged out.
They provide the admin complete control over net access.
S1(config)#mac-address-table static <mac-address> vlan <vlan-id> interface <interface-id>
E.G.
To remove a static mapping prefix the command with no.
The max size of the table varies by model.
E.g. a 2960 holds up to 8,192 MAC addresses.
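The learning, aging and flooding behaviour described above, as an added toy model (not Cisco code, and not part of the original notes). Port names, VLAN numbers, MAC addresses and timestamps are constructed; the 300 second default age and the 8,192-entry capacity come from the notes. It shows why an unknown or aged-out destination is flooded to every other port in the VLAN, why a too-short aging time causes premature removal, and why a static entry is never moved or aged out:

```python
"""Toy model of a switch MAC address (CAM) table with dynamic aging and static entries.
Added example, not Cisco code; all ports, VLANs, MACs and times below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_MAX_AGE = 300  # seconds; the default aging time cited in the notes


@dataclass
class Entry:
    port: str
    last_seen: float      # time the source MAC was last seen (unused for static entries)
    static: bool = False  # static entries never age out and are never moved by learning


class MacTable:
    def __init__(self, ports: Dict[str, int], max_age: int = DEFAULT_MAX_AGE, capacity: int = 8192):
        self.ports = ports        # access port -> VLAN membership
        self.max_age = max_age
        self.capacity = capacity  # e.g. 8,192 entries on a 2960
        self.entries: Dict[Tuple[int, str], Entry] = {}

    @staticmethod
    def _key(vlan: int, mac: str) -> Tuple[int, str]:
        return (vlan, mac.lower())

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """Equivalent of: mac-address-table static <mac> vlan <vlan> interface <port>"""
        self.entries[self._key(vlan, mac)] = Entry(port, 0.0, static=True)

    def remove_static(self, mac: str, vlan: int) -> None:
        """Equivalent of the same command prefixed with 'no'."""
        self.entries.pop(self._key(vlan, mac), None)

    def age_out(self, now: float) -> int:
        """Drop dynamic entries not refreshed within max_age; return how many were removed."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.max_age]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def learn(self, src_mac: str, vlan: int, in_port: str, now: float) -> bool:
        """Learn or refresh the source MAC of a frame received on in_port. True if stored."""
        key = self._key(vlan, src_mac)
        existing = self.entries.get(key)
        if existing is not None and existing.static:
            return False  # a static mapping is not overridden by a frame from another port
        if existing is None and len(self.entries) >= self.capacity:
            self.age_out(now)
            if len(self.entries) >= self.capacity:
                return False  # table full: the address stays unknown, so traffic to it floods
        self.entries[key] = Entry(in_port, now)
        return True

    def forward(self, dst_mac: str, vlan: int, in_port: str, now: float) -> List[str]:
        """Egress ports for a frame: the learned port, or a flood to every other port in the VLAN."""
        self.age_out(now)
        entry = self.entries.get(self._key(vlan, dst_mac))
        if entry is not None:
            return [entry.port]
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)


def demo() -> Dict[str, List[str]]:
    """Walk through learning, unicast forwarding, aging, a too-short age and a static entry."""
    ports = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20}
    t = MacTable(ports)
    t.learn("0000.1111.aaaa", 10, "Fa0/1", now=0)
    out = {}
    out["known"] = t.forward("0000.1111.aaaa", 10, "Fa0/2", now=10)     # learned: ["Fa0/1"]
    out["unknown"] = t.forward("0000.2222.bbbb", 10, "Fa0/2", now=10)   # flood in VLAN 10 only
    out["aged"] = t.forward("0000.1111.aaaa", 10, "Fa0/2", now=400)     # aged out after 300 s: floods again
    t.add_static("0000.3333.cccc", 10, "Fa0/3")
    t.learn("0000.3333.cccc", 10, "Fa0/1", now=500)                     # ignored: static entry wins
    out["static"] = t.forward("0000.3333.cccc", 10, "Fa0/2", now=100_000)  # never ages: ["Fa0/3"]
    short = MacTable(ports, max_age=5)                                  # age set too short
    short.learn("0000.1111.aaaa", 10, "Fa0/1", now=0)
    out["short_age"] = short.forward("0000.1111.aaaa", 10, "Fa0/2", now=10)  # premature removal: flood
    return out


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name:10s} -> {egress}")
```

The `forward` method ages the table before every lookup, which is a simplification; a real switch runs aging as a background task, but the observable result (an idle address disappears after the aging time and its traffic floods until it is relearned) is the same.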
Config a Switch for Operation in a Network:
Backing up the Config.
S1# copy running-config startup-config
To keep multiple startup-config files use:
S1# copy startup-config flash:filename
Allows for rollbacks.
Restoring the configuration.
S1#copy flash:filename startup-config
S1#reload
The system prompts to save the config. In this particular case you need to answer "no".
NOTE: copy startup-config running-config does not entirely overwrite the running config; it only merges into the existing config.
Back up Config Files to a TFTP Server:
It is good practice to back up configs over the network for archiving.
Use TFTP to back up configs over the network.
The IOS has a built-in TFTP client.
1. Verify TFTP server is running.
2. From the switch ping the TFTP server.
3. Upload the config:
S1#copy system:running-config tftp OR
S1#copy startup-config tftp
Answer the prompts for the TFTP server IP address, filename, etc.
Restoring from TFTP:
1. Copy the config file to the TFTP server directory.
2. Verify that the TFTP server is running on your network.
3. From the switch ping the TFTP server.
4. Download the config file.
S1#copy tftp system:running-config OR
S1#copy tftp nvram:startup-config
Answer the prompts for the TFTP server IP address, filename, etc.
Configure Basic Security on a Switch:
Physical security: do not let users access console port!
Secure the Console.
Set a password on line console 0 and use login command.
If you want to Remove Console Password.
S1(config-line)#no password
S1(config-line)#no login
If no password is set but login is still enabled, there is NO access!
Secure the vty Ports:
Vty ports allow you to access the device remotely.
You do not need physical access to access the vty ports, so it is very important to secure the vty ports.
There can be 16 vty ports available, which permits more than one admin to manage the switch.
S1(config)#line vty 0 15
S1(config-line)#password <password>
S1(config-line)#login
If no enable password has been set, the switch will deny vty access, even if the above configuration is correct.
Config EXEC Mode Passwords:
One problem with the enable password is that it is stored in readable text in the config files.
As a result, Cisco introduced enable secret (md5).
If the secret is configured, it is used instead of the enable password.
Config Encrypted Passwords.
By default all passwords except enable secret, are stored in clear text.
service password-encryption (a global config command) enables password encryption.
The encryption standard used is type 7 (very weak).
Enable Password Recovery (2950):
Disconnect/Reconnect pwr cord.
Press the Mode button while System LED is still flashing. Hold until the LED turns solid green and release. (15 sec).
Type: flash_init (initializes the file system).
Type: load_helper (loads any helper files).
Type: dir flash:
Type: rename flash:config.text flash:config.text.old
Type: boot
Type: #rename flash:config.text.old flash:config.text
Type: #copy flash:config.text system:running-config
Set new password(s).
Type: #copy running-config startup-config
Config Basic Security on a Switch:
Telnet and SSH.
Telnet is the original access method and is insecure.
SSH is preferred but much more complex.
Communication between the SSH client and server is encrypted.
Cisco devices currently support both SSHv1 and SSHv2.
SSHv2 is recommended when possible because of its better encryption (not supported in Cisco clients).
Much more powerful than version 1.
Config Telnet:
Telnet is the default transport for vty lines.
Do not need to specify it before initial configuration.
However, if you have switched to SSH and want to go back to Telnet, it does require the following command:
S1(config-line)#transport input telnet OR
S1(config-line)#transport input all
“All” permits SSH and Telnet access.
Config SSH:
SSH is subject to export restrictions. A cryptographic image must be installed on your switch.
SSH requires an SSH server and SSH client.
To connect from a PC requires a PC client such as PuTTY.
To connect from one switch to another requires that SSH be running on both switches.
Switches currently only support SSHv1 for the client.
SSH supports DES (Data Encryption Standard, 56-bit) and 3DES (triple DES, 168-bit).
To implement SSH, you need to generate RSA public and private keys (i.e. asymmetric encryption).
Asymmetric encryption (private and public keys).
Before config SSH, generate RSA keys:
1. Configure a hostname.
2. Configure a host domain name:
S1(config)#ip domain-name name
3. Enable SSH server for local and remote authentication and generate an RSA key pair using:
S1(config)#crypto key generate rsa
Prompts for the modulus length (1024 is the current sweet spot).
4. From enable check status with: show ip ssh or show ssh.
NOTE: delete RSA key pairs with crypto key zeroize rsa. The SSH server is automatically disabled.
Config the SSH Server:
1. (Optional) Configure version with ip ssh version [1 | 2].
Otherwise selects the latest version supported.
2. Configure the SSH control parameters:
Time-out values (do not worry about these details).
3. Display the SSH status using: show ip ssh or show ssh.
4. Back up your configs!
To prevent non-SSH connections (Telnet), add:
S1(config-line)#transport input ssh
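A way to check a saved config against the points made in the HTTP authentication, EXEC password, password encryption and Telnet/SSH sections above, as an added example (not Cisco code, and not from the original notes). It parses a running-config as text and reports the weak settings the notes warn about: an HTTP server with no authentication method, a clear-text enable password with no enable secret, service password-encryption missing, username entries with password instead of secret, vty lines that still accept Telnet (transport input telnet, transport input all, or no transport input line at all, since Telnet is the default), vty lines with no login, and SSH version 2 not forced. Both sample configs are constructed, and every hash and type 7 string in them is an obvious placeholder:

```python
"""Audit a Cisco IOS running-config (as text) for the weak settings discussed in these notes.
Added example, not Cisco code. Both sample configs and all secrets in them are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample showing the weaknesses the notes warn about.
WEAK_CONFIG = """\
hostname S1
!
enable password PLACEHOLDER
!
ip http server
!
username admin password 7 PLACEHOLDERTYPE7
!
line con 0
 password PLACEHOLDER
 login
line vty 0 15
 password PLACEHOLDER
 login
 transport input all
!
end
"""

# Constructed sample of the same switch with the notes' recommendations applied.
HARDENED_CONFIG = """\
hostname S1
!
service password-encryption
enable secret 5 $1$PLAC$EHOLDERMD5HASHPLACEHOLDE
!
no ip http server
ip domain-name example.test
ip ssh version 2
!
username admin secret 5 $1$PLAC$EHOLDERMD5HASHPLACEHOLDE
!
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 15
 login local
 transport input ssh
!
end
"""


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and the indented sub-commands of each 'line ...' block."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented: belongs to the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(config: str) -> List[str]:
    """Return finding codes for each weak setting present in the config text."""
    g, blocks = parse(config)
    findings: List[str] = []
    # The notes say the HTTP server is on by default; a config that shows neither
    # 'ip http server' nor 'no ip http server' cannot be judged from text alone.
    if "ip http server" in g and not any(c.startswith("ip http authentication") for c in g):
        findings.append("HTTP-NO-AUTH")
    if any(c.startswith("enable password") for c in g) and not any(c.startswith("enable secret") for c in g):
        findings.append("ENABLE-PASSWORD-CLEARTEXT")   # readable in the config; use enable secret
    if "service password-encryption" not in g:
        findings.append("NO-PASSWORD-ENCRYPTION")      # line/username passwords stay in clear text
    if any(re.match(r"username \S+ password ", c) for c in g):
        findings.append("USERNAME-PASSWORD-NOT-SECRET")  # type 0/7 is reversible; 'secret' is MD5
    if "ip ssh version 2" not in g:
        findings.append("SSH-V2-NOT-FORCED")
    for name, cmds in blocks.items():
        if not name.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or any(re.search(r"\b(telnet|all)\b", c) for c in transport):
            findings.append("VTY-TELNET-ALLOWED")      # default transport is Telnet
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append("VTY-NO-LOGIN")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The console line is deliberately not audited for its type 7 password: on these switches a line password can only be stored as type 7 once service password-encryption is on, so the actionable findings are the ones where an MD5 secret is available instead (enable secret, username secret). A config with no ip http server line at all is reported clean, which is a limitation of text-only checking given that the server is on by default.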
Tags: wan, switch, cisco, router, vtp, study