telnet ssh - cisco switch query

hi

Q1. I've configured my Cisco 2950 switch with the following but wish to know how to secure the below, as I've only added the below and believe I'm missing some other commands:

line con 0
password cisco
login local - not sure if I should add this, as the above 'line con 0' allows login already

line vty 0 4
password cisco
transport input telnet
transport input telnet ssh - not accepted
login local - added but not sure if needed, as I can already telnet in successfully

line vty 5 15 - never really understood why I see both 'line vty 5 15' & 'line vty 0 4'

Currently my Cisco switch is plugged into my master DC Win 2003 domain platform and I can login and telnet as normal.
Asked: mikey250

max_the_king commented:
Hi,
The command, login (under console), tells the switch to look under the console line configuration for the password. The command, password, sets the actual password.

The command, login (under vty), tells the switch to look under the vty line configuration for the password. The command, password, sets the actual password.

The above passwords may be different.

The VTY ("virtual tty") line is not a physical connection, but a virtual connection. You use this line to Telnet or SSH into the switch.
As different routers and switches can have a different number of vty ports, you should see how many you have before you configure them. To do this, just type line ? in privileged mode.

hope this helps
max

mikey250 (Author) commented:
hi, I appreciate the response to my query, but you have misunderstood!!! :(

this command below lets me login anyway without 'login':

line con 0
password cisco

how do I configure 'ssh' on the Cisco switch?

max_the_king commented:
hi,
it lets you login but it ignores the password you have set under the 'line' (console and vty): it uses the global configuration password.

to configure ssh, you need to generate an RSA key (its algorithm uses the hostname you have set):

conf t
hostname switchname
crypto key generate rsa
.... will ask you for the modulus (can leave the default by pressing enter, or rather choose 768)

then, under vty line configuration:
transport input ssh

please note that you have to choose either telnet or ssh (it won't allow both)

hope this clarifies
max

mikey250 (Author) commented:
hi, I did:

config t

hostname LAN-A

? - crypto key not in list - so my IOS does not allow it, it appears, although I thought I had to add a 'domain name'!!

max_the_king commented:
hi,
yes, you need to add the domain name

ip domain-name yourdomainname

then reissue the crypto key command

max

mikey250 (Author) commented:
hi, I forgot to say, yes I already added:

config t

ip domain-name xxxx.local

but either way 'crypto' is not in the 'ios' it seems:

config t
? - no crypto...

line vty 0 4
transport ?
input
output
preferred

or
line vty 0 4
transport input ?
all
none
telnet

oh well!! :(

just for info, I am using an ISA 2006 server, separated via 2 NICs ie internal/external, but this would not make a difference!!

Don Johnston (Instructor) commented:
What version/feature set are you running (show version)? You may be running an IOS that doesn't support SSH.

If you want the console and vty lines to use the password assigned to those lines, use the "login" command under those lines.

line console 0
 password cisco
 login
!
line vty 0 4
 password cisco
 login

mikey250 (Author) commented:
hi Don, yes it does work as I've tested, ie without 'enable password cisco1' for eg, I'm prompted to logon, so I assume this is correct!!!

if I add as you suggest, it then prompts for 2 passwords ie: the enable password & the line con 0 or line vty 0 4 password - successfully!

thanks for your input!!

Don Johnston (Instructor) commented:
I don't follow what you're trying to do.

And the reason the vty lines are broken out as 0-4 and 5-15 is that the early platforms only had 5 vty lines (0-4). To maintain backward compatibility, they separate the 16 lines into the two sets.

mikey250 (Author) commented:
it's ok now, I was just trying to understand when specifically I should add:

login local

&

how to configure 'ssh' on the switch, but it appears my switch has not got the right version! ie: 2950-i6q412-mz-121-22.ea6

Don Johnston (Instructor) commented:
Okay...

Login local is when you want to authenticate using the local database (username xxxx password yyy).

And your presumption is correct. Your image does not support SSH.

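To make the two points of this thread concrete (a line password is only enforced when `login`/`login local` is present, and vty lines should be restricted to SSH), here is an added example, not code from any poster: a small Python audit of IOS `line` stanzas. The weak sample mirrors the asker's configuration as posted; the hardened sample assumes an SSH-capable image, and its domain name, username and secret are placeholders.

```python
# Audit Cisco IOS 'line' stanzas for the weaknesses discussed in this thread.
# Both sample configurations are constructed for this example.

# The asker's configuration as posted: telnet only, no 'login' under the lines.
WEAK_CONFIG = """\
hostname LAN-A
line con 0
 password cisco
line vty 0 4
 password cisco
 transport input telnet
line vty 5 15
"""

# Hardened equivalent. Assumes an IOS image with SSH support; the domain name,
# username and secret are placeholders, not values from the thread.
HARDENED_CONFIG = """\
hostname LAN-A
ip domain-name example.local
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_line_stanzas(config):
    """Map each 'line ...' stanza name to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                stanzas[current] = []
    return stanzas


def audit(config):
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings = []
    for name, cmds in parse_line_stanzas(config).items():
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"{name}: no 'login' or 'login local'; the line password is not enforced")
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: plaintext line password; prefer 'username ... secret' with 'login local'")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or "telnet" in transport[-1] or "all" in transport[-1]:
                findings.append(f"{name}: transport not restricted to ssh ('transport input ssh' missing)")
    return findings
```

Running `audit(WEAK_CONFIG)` lists seven findings across `line con 0`, `line vty 0 4` and `line vty 5 15`, while `audit(HARDENED_CONFIG)` returns an empty list.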
mikey250 (Author) commented:
hi Don,

ok so 'login local' is used to authenticate 'username & password' - ok

ssh - ok

mikey250 (Author) commented:
although I appreciate all responses from the experts, I decided the points should be allocated to 'donjohnston', as this was exactly what I was trying to clarify!!

max_the_king commented:
hi,
glad you solved your problem, although I really cannot see any difference from my response ...

have a good day
max

Don Johnston (Instructor) commented:
Yeah, I'd have to agree with Max.

mikey250 (Author) commented:
hi Don & Max, ok I obviously assumed wrong!!! I'm not sure how to re-allocate points, if this can be done?

from my point of view the 'wording from Don' was the part that I was trying to register in my mind, but yes I do agree in hindsight both should have had points!!

apologies!!