How to create a Base (secure) Configuration for a Cisco Switch.

Meni Tasa
9 min read · Jun 19, 2022

The following steps show you how to properly identify Cisco devices using the hostname and banner commands.

Device identification is crucial. It is one of the first things you configure when you create a base configuration for your devices. Keep in mind that you will rarely be building a network with only seven, eight, nine, or ten devices; hundreds of devices can be part of a network.

So, you can configure a hostname. The most common scheme is theme based. This seems kind of funny, but a lot of people do it, and it works OK in small networks or networks managed by one person and one person alone. People choose names like their favorite car models, comic characters, or their favorite Marvel superhero.

They all become names of devices, but the scheme is not really repeatable. Simple functional and complex functional naming is what you will see in most environments. A simple functional name is usually made of three or four parts.

The location is often one of the first parts. What I recommend is simply Device-Location-Number, for example SW-TLV-1.

To do that we use the hostname command. This command gives our switch a name:

switch>enable (enable command to access privileged EXEC mode)
switch#configure terminal (to enter to configuration mode)
switch(config)#hostname SW-ISR-1 (give the switch a name)
SW-ISR-1(config)#

In contrast, the login banner goes a little bit deeper, because it relates to legal requirements. A person who sees a public-facing router may think, ‘Oh, it’s available,’ which implies that they can access your company’s router and read all of your intellectual property. Therefore, it pays to put up a banner that is clear and concise on exactly what and who is allowed to log on and manage that device.

Login banners provide a definitive warning to any possible intruders who may want to access your system that certain types of activity are illegal.

To set up the login banner we use the command banner motd (motd = message of the day):

SW-ISR-1(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
SW-ISR-1(config)# banner motd $Access for authorized users only.$

The next most important thing is to protect your switch with a password.

Enable passwords are no longer used. They exist only for backwards compatibility.

The command will still be accepted if you copy the configuration from an old router and paste it into a new router, and it at least gives some protection to privileged mode.

Therefore, it is best to avoid entering it in the first place. If you already have, use the command no enable password, which removes it.

To protect our enable login, use the command enable secret. This makes sure your password is stored as a hash rather than in clear text:

SW-ISR-1(config)#enable secret mypassword

Secure your SSH connections

Here’s one that I think is very interesting: line vty 0 4 (that is, line vty, a space, 0, a space, 4).

What does that mean?

It refers to a virtual terminal or virtual session. These are the ports that you can use to access your router via Telnet or SSH remotely. However, you will want to pay attention to a few things here. The first thing you will notice is that it says login.

The login command specifies that a login is required on these lines. You will not find that command under line con 0 (the console port).

In other words, if you cannot find the login command, you are not required to log in to use those lines. The login command prevents anyone from accessing those lines without a password.

Why do you not see the login command under the console port? Give it some thought. The login command is under the vty lines; console ports, by contrast, do not require logins. Because of this, we can simply plug into the console port, reach the router’s user mode, and build our basic configuration.

There is a benefit to having the login command under the vty lines, because it requires a login. But is there a password? Not yet. Under the vty lines, no password has been entered. So a login is required, but no password has been set.

What does that accomplish? If someone tries to access your device remotely, the device displays the message, and I quote, “login required,” reports that no password is set, and then simply disconnects. Because this is under the vty lines, it keeps people out of your device before you have had a chance to configure it properly.

Okay, what is this 0 4? These are the first and last line numbers of the range, so it covers five lines. Cisco devices can handle up to five simultaneous SSH or Telnet sessions at a time.

So let’s now configure the password for our vty lines:

SW-ISR-1(config)#line vty 0 4 
SW-ISR-1(config-line)#password cisco

As you may notice when you run the show running-config command, this password is stored in clear text.

To ensure that your passwords are obscured and nobody can read your password by looking over your shoulder, use this command:

SW-ISR-1(config)#service password-encryption

Use your local database for authentication

Remote access and security is our goal. Perhaps you are thinking: but Meni, remote access is already enabled. And that’s true; we’re using the password that is entered under the vty lines.

However, there is only one password. If you want to become more secure, it is better to use user accounts rather than a shared password. So what’s the deal? If you have just a password and multiple administrators, and one of them leaves or goes AWOL, you have to go in and change the password on all of your devices. There’s a lot of change management involved.

What we can do to resolve this is to create a local user.

To create a user, use these commands:

SW-ISR-1>enable 
Password:
SW-ISR-1#conf t
SW-ISR-1(config)#username admin secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
SW-ISR-1(config)#username admin secret mypassword
SW-ISR-1(config)#do show running-config
Building configuration...

Current configuration : 1272 bytes
!
version 15.0
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname SW-ISR-1
!
enable secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/
!
!
username admin secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/

Now that we have created a new user, how do we tell the switch to authenticate us against this user account instead of the line password we entered?

By replacing the login command with login local.

Login local simply means: use the local database for authentication.

SW-ISR-1(config)#line vty 0 4
SW-ISR-1(config-line)#login local

Now, for extra security, let’s limit the vty lines to accept SSH only!

We can do it by typing the command transport input ssh:

SW-ISR-1(config)#line vty 0 4
SW-ISR-1(config-line)#transport ?
input Define which protocols to use when connecting to the
terminal server
output Define which protocols to use for outgoing connections
SW-ISR-1(config-line)#transport input ?
all All protocols
none No protocols
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
SW-ISR-1(config-line)#transport input ssh

To connect to the Cisco device via SSH, we must first create SSH encryption keys.

When we secure our devices with SSH, we need encryption keys to do so. I am happy to announce that you do not have to go out and purchase them.

You can get them from your router. You instruct it to do that by going into global configuration mode and typing crypto key generate. It prompts you for the kind of keys you want; the SSH protocol uses RSA keys, and you can’t get around this. You just have to remember this command: crypto key generate. Note that the key needs a domain name to be named after, so set ip domain name first, and in production choose at least a 2048-bit modulus rather than the 512-bit default shown in the example output.

SW-ISR-1(config)#ip domain name MYDOMAIN.com
SW-ISR-1(config)#crypto key generate ?
rsa Generate RSA keys
SW-ISR-1(config)#crypto key generate rsa
The name for the keys will be: SW-ISR-1.MYDOMAIN.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
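The remote-access hardening steps above (hostname, banner, enable secret instead of enable password, service password-encryption, login local and transport input ssh on the vty lines, and an ip domain name so RSA keys can be generated) are the kind of settings worth checking on every device, not just on the one you are typing into. The Python audit below is an added example, not code from the original post or from Cisco: it parses a running-config into top-level lines and indented line blocks and reports which of those settings are missing. The sample running-config embedded in it is constructed for illustration (the single-line banner form is a simplification of how IOS prints it, and the hash values are copied from the post's Packet Tracer output).

```python
"""Audit a Cisco IOS running-config text for the base hardening checklist.

Added example, not from the original post. The sample below is a constructed
running-config; the checks implement the post's checklist, not a Cisco tool.
"""
import re

# Constructed sample running-config: one legacy 'enable password' left in
# and Telnet still allowed on the vty lines, so the audit has something to find.
SAMPLE_CONFIG = """\
version 15.0
service password-encryption
!
hostname SW-ISR-1
!
enable secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/
enable password cisco123
!
username admin secret 5 $1$mERr$7sOd0mgRuXYhHwfWsV4QZ/
!
ip domain name MYDOMAIN.com
!
banner motd ^CAccess for authorized users only.^C
!
line con 0
 logging synchronous
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input telnet ssh
!
end
"""


def parse_sections(config):
    """Split an IOS config into top-level lines and indented child blocks.

    Returns (top, blocks): top is the list of non-indented lines, blocks maps
    a parent line such as 'line vty 0 4' to the list of its indented children.
    """
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, blocks


def audit(config):
    """Return a list of findings; an empty list means every base check passed."""
    top, blocks = parse_sections(config)
    findings = []

    def has(pattern):
        return any(re.match(pattern, line) for line in top)

    # 'Switch' and 'Router' are the factory default hostnames.
    if not has(r"hostname (?!Switch$|Router$)\S+"):
        findings.append("hostname is missing or still the factory default")
    if not has(r"banner motd "):
        findings.append("no banner motd configured")
    if not has(r"enable secret "):
        findings.append("enable secret is not set")
    if has(r"enable password "):
        findings.append("legacy 'enable password' present; remove it with 'no enable password'")
    if not has(r"service password-encryption$"):
        findings.append("service password-encryption is not enabled")
    if not has(r"ip domain[ -]name "):
        findings.append("no ip domain name, so RSA keys cannot be generated")

    vty_blocks = {k: v for k, v in blocks.items() if k.startswith("line vty")}
    if not vty_blocks:
        findings.append("no vty lines configured")
    for name, children in vty_blocks.items():
        if "login local" not in children:
            findings.append(f"{name}: not using the local user database (login local)")
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{name}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all base checks passed"]:
        print("-", finding)
```

Run it against the output of show running-config saved to a file; on the constructed sample it reports the leftover enable password and the vty lines still accepting Telnet, and nothing else.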

Create Switch management vlan

We need to create a management VLAN so that we can assign the switch an IP address, which lets us manage it and access it over the network.

Running the command show ip interface brief, we can see that we only have one VLAN interface, Vlan1, and by default all the switch ports belong to this VLAN.

SW-ISR-1#show ip interface brief
Interface              IP-Address      OK? Method Status                 Protocol
FastEthernet0/1        unassigned      YES manual up                     up
FastEthernet0/2        unassigned      YES manual down                   down
Vlan1                  unassigned      YES manual administratively down  down

What is the difference between Status and Protocol? It is the difference between layer 1 and layer 2 of the OSI model.

The Status column is layer 1, also known as the physical layer. The Protocol column is layer 2, the data link layer.

Let us create a new VLAN interface and assign it a unique IP address. Use these commands to do so:

SW-ISR-1(config)#vlan 3 
%LINK-5-CHANGED: Interface Vlan3, changed state to up
SW-ISR-1(config-vlan)# exit
SW-ISR-1(config)# interface vlan 3
SW-ISR-1(config-if)# description SW_Managment
SW-ISR-1(config-if)# no shutdown
SW-ISR-1(config-if)# ip address 192.168.3.1 255.255.255.0
SW-ISR-1(config-if)# exit
SW-ISR-1(config)#ip default-gateway 192.168.3.254

The final step in our basic configuration is to configure one Ethernet switch port so that we can access the switch directly from our laptop using an Ethernet cable:

SW-ISR-1(config)#interface fastEthernet 0/2
SW-ISR-1(config-if)#switchport access vlan 3
SW-ISR-1(config-if)#no shutdown

In order to access the switch, all you need to do is connect the Ethernet cable to the switch’s port number 0/2, give your laptop a static IP address in the range 192.168.3.2–250 with a subnet mask of 255.255.255.0, and you’re all set to connect using an SSH client like PuTTY.

Other useful commands:

  • Cisco devices have a feature that makes them assume you are trying to Telnet to a host if you type something that does not match a command. The device treats the word as a host name and tries to translate it into an IP address. Since no DNS server is configured, it broadcasts the lookup to 255.255.255.255 and the CLI hangs until the lookup fails:
SW-ISR-1#writte
Translating "writte"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
To disable this feature, use this command:
SW-ISR-1(config)#no ip domain-lookup
  • By default, IOS displays syslog messages to the console users at any time, even during the typing of a command. Consider the following example:
SW-ISR-1(config-if)#ip address 192.168.0.100 255.2
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
55.255.0

Notice how the command was interrupted and the syslog message was shown in the middle of it. To prevent this, the logging synchronous line-mode command is used:

SW-ISR-1(config)#ip address 192.168.0.100 255.2
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
SW-ISR-1(config)#ip address 192.168.0.100 255.2

Now the syslog message is still shown, but the command you were typing is re-displayed on a new line below the message.

You can enable it under the vty lines and under line con 0:

SW-ISR-1(config)#line vty 0 4 
SW-ISR-1(config-line)#logging synchronous
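Once the steps are known, it is easier to generate the base configuration from a handful of parameters than to retype it on every switch, and the generator can validate the inputs (the Device-Location-Number hostname scheme, the management address and its default gateway) before anything is pasted into a device. The Python script below is an added example, not code from the original post or from Cisco: the hostname regular expression, the 2048-bit RSA modulus, the ip ssh version 2 line, the switchport mode access line and the placeholder secrets are this example's own choices, and plan_management() lists every free address in the management subnet, which is a little wider than the 2–250 range suggested above.

```python
"""Render the base switch configuration from a few validated parameters.

Added example, not from the original post. The hostname pattern, the
2048-bit modulus, 'ip ssh version 2' and 'switchport mode access' are this
example's choices; the secrets passed in below are placeholders.
"""
import ipaddress
import re

# Device-Location-Number, e.g. SW-TLV-1 or R-JLM-12 (this example's own rule).
HOSTNAME_RE = re.compile(r"^[A-Z]{1,4}-[A-Z0-9]{2,5}-\d{1,3}$")


def plan_management(ip_with_prefix, gateway):
    """Validate the management address and return (first, last) free laptop IPs.

    Raises ValueError when the gateway is outside the management subnet or
    collides with the switch's own address.
    """
    iface = ipaddress.ip_interface(ip_with_prefix)
    gw = ipaddress.ip_address(gateway)
    net = iface.network
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    if gw == iface.ip:
        raise ValueError("gateway must differ from the switch address")
    free = [h for h in net.hosts() if h not in (iface.ip, gw)]
    return str(free[0]), str(free[-1])


def render_base_config(hostname, domain, banner, enable_secret, admin_secret,
                       mgmt_vlan, mgmt_ip, gateway, access_port):
    """Return the IOS commands of the base configuration as one pasteable string."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"hostname {hostname!r} does not follow Device-Location-Number")
    if "$" in banner:
        raise ValueError("banner text must not contain the '$' delimiter")
    iface = ipaddress.ip_interface(mgmt_ip)
    plan_management(mgmt_ip, gateway)  # raises if the gateway is inconsistent
    cfg = [
        f"hostname {hostname}",
        f"ip domain name {domain}",
        "no ip domain-lookup",
        f"banner motd ${banner}$",
        "no enable password",
        f"enable secret {enable_secret}",
        f"username admin secret {admin_secret}",
        "service password-encryption",
        "crypto key generate rsa modulus 2048",
        "ip ssh version 2",
        f"vlan {mgmt_vlan}",
        f"interface vlan {mgmt_vlan}",
        " description SW_Management",
        f" ip address {iface.ip} {iface.netmask}",
        " no shutdown",
        f"ip default-gateway {gateway}",
        f"interface {access_port}",
        " switchport mode access",
        f" switchport access vlan {mgmt_vlan}",
        " no shutdown",
        "line con 0",
        " logging synchronous",
        "line vty 0 4",
        " login local",
        " transport input ssh",
        " logging synchronous",
        "end",
    ]
    return "\n".join(cfg) + "\n"


if __name__ == "__main__":
    # Constructed parameters; replace the CHANGE-ME secrets before use.
    print(render_base_config("SW-TLV-1", "mydomain.example",
                             "Access for authorized users only.",
                             "CHANGE-ME-enable", "CHANGE-ME-admin",
                             3, "192.168.3.1/24", "192.168.3.254", "fastEthernet 0/2"))
    print("laptop range:", plan_management("192.168.3.1/24", "192.168.3.254"))
```

The output is meant to be pasted into global configuration mode in one go; the crypto key generate line is a command rather than a stored setting, which is why it sits after ip domain name, and the no enable password line is harmless on a device that never had one.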

I hope that by reading this post you have gained a better understanding of how to create a base configuration on a Cisco switch.

I encourage you to check out my website to read more articles like this on a variety of topics related to information technology.

Thank you

Meni Tasa
