To access Telnet or SSH
A switch needs a working IP configuration, as well as login security on the vty lines (password and/or username)
Enable password
used to protect enable mode
Parameters for usernames and passwords
login local line subcommand
username teresa password (or secret) giudice global config command
AAA server
The switch sends a message to the AAA server asking whether the name and password are allowed, and the AAA server replies; usually uses either the RADIUS or TACACS+ protocol
Configuring SSH
Info about status of SSH on the switch
show ip ssh: status info about the SSH server itself
show ssh: shows info about each user currently connected into the switch
Controlling support of Telnet and SSH command
transport input {all|none|telnet|ssh} vty subcommand
service password-encryption
applies weak password encryption to all unencrypted passwords; the encrypted passwords usually start with 7
MOTD banner
Shown before the login prompt; used for temporary messages that can change from time to time (banner motd # message #) global config command
Login banner
Shown before login prompt but after MOTD banner; used for permanent messages (banner login # message #) global config command
Exec banner
shown after login prompt
show history
lists commands currently held in the history buffer
history size
from console or vty line config mode, sets number of commands saved in the history buffer
terminal history size
from enable mode, sets number of commands saved in the history buffer for this one terminal session
logging console
global config command that enables syslog messages
logging synchronous
console line subcommand that displays syslog messages only at more convenient times, such as after a show command
Configuring IPv4 on a switch
Enabling DHCP on a switch
show dhcp lease to view DHCP info
duplex and speed
interface subcommands used to statically configure the duplex and speed of a port
Port security
identifies devices based on the source MAC address of Ethernet frames the devices send
switch port violation
occurs whenever a new source MAC address arrives at the port, pushing the number of allowed MAC addresses past the allowed maximum
sticky secure MAC addresses
Port security learns the MAC addresses off each port and stores those in the port security configuration (in the running-config file).
Configuration of port security
3-6 are optional
Securing unused switch interfaces
Shutdown interface
make port a nontrunking interface
assign port to an unused VLAN via switchport access vlan 30
set native VLAN to an unused VLAN