mikey250
asked on
telnet ssh - cisco switch query
hi
Qns1. I've configured my Cisco 2950 switch with the following but wish to know how to secure the below, as I've only added the below & believe I'm missing some other commands:
line con 0
password cisco
login local - not sure if I should add this, as the above 'line con 0' allows login already
line vty 0 4
password cisco
transport input telnet
transport input telnet ssh - not accepted
login local - added but not sure if needed, as I can already telnet in successfully
line vty 5 15 - never really understood why I see both 'line vty 5 15 & 0 4'
Currently my Cisco switch is plugged into my master DC Win 2003 domain platform & I can log in & telnet as normal
ASKER
hi, I appreciate the response to the query, but you have misunderstood!!! :(
This command below lets me log in anyway without 'login':
line con 0
password cisco
How do I configure 'ssh' on the Cisco switch?
hi,
It lets you log in, but it ignores the password you have set under the 'line' (console and vty): it uses the global configuration password.
To configure SSH, you need to generate an RSA key (its algorithm uses the hostname you have set):
conf t
hostname switchname
crypto key generate rsa
.... it will ask you for the modulus (you can leave the default by pressing Enter, or rather choose 768)
then, under vty line configuration:
transport input ssh
Please note that you have to choose either telnet or ssh (it won't allow both).
hope this clarifies
max
ASKER
hi, I did:
config t
hostname LAN-A
? - crypto key not in the list - so my IOS does not allow it, it appears, although I thought I had to add a 'domain name'!!
hi,
yes, you need to add the domain name:
ip domain-name yourdomainname
then reissue the crypto key command
max
ASKER
hi, I forgot to say, yes I already added:
config t
ip domain-name xxxx.local
but either way 'crypto' is not in 'IOS' it seems:
config t
? - no crypto...
line vty 0 4
transport ?
input
output
preferred
or
line vty 0 4
transport input ?
all
none
telnet
oh well!! :(
just for info, I am using an ISA 2006 server, separated via 2 NICs, i.e. internal/external, but this would not make a difference!!
ASKER CERTIFIED SOLUTION
ASKER
hi Don, yes it does work, as I've tested: i.e. without 'enable password cisco1' for e.g., I'm prompted to log on, so I assume this is correct!!!
If I add as you suggest, it then prompts for 2 passwords, i.e. the enable password & the line con 0 or line vty 0 4 password - successfully!
thanks for your input!!
SOLUTION
ASKER
It's ok now, I was just trying to understand when specifically I should add:
login local
&
how to configure 'ssh' on the switch, but it appears my switch has not got the right version! i.e. 2950-i6q412-mz-121-22.ea6
SOLUTION
ASKER
hi Don,
ok so 'login local' is used to authenticate 'username & password' - ok
ssh - ok
ASKER
Although I appreciate all responses from experts, I decided the points should be allocated to 'donjohnston', as this was exactly what I was trying to clarify!!
hi,
glad you solved your problem, although I really cannot see any difference with my response ...
have a good day
max
Yeah, I'd have to agree with Max.
ASKER
hi Don & Max, ok I obviously assumed wrong!!! I'm not sure how to re-allocate points, if this can be done?
From my point of view the 'wording from Don' was the part that I was trying to register in my mind, but yes I do agree in hindsight both should have had points!!
apologies!!
The command, login (under console), tells the switch to look under the console line configuration for the password. The command, password, sets the actual password.
The command, login (under vty), tells the switch to look under the vty line configuration for the password. The command, password, sets the actual password.
The above passwords may be different.
The VTY ("virtual tty") line is not a physical connection, but a virtual connection. You use this line to Telnet or SSH into the switch.
As different routers and switches can have a different number of vty ports, you should see how many you have before you configure them. To do this, just type line ? in privileged mode.
hope this helps
max
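Pulling together Max's SSH steps above and the closing explanation of login, password and the vty line ranges, here is an added example that is not configuration from the thread: the line configuration as the asker posted it, beside a hardened equivalent. The hostname, domain name, credentials and management subnet are placeholders, and the hardened half assumes a current IOS image with crypto support, which the asker's 2950 image does not have.

```cisco
! Added example, not the thread's own config.  Hostname, domain, credentials
! and the management subnet are placeholders.  Assumes an IOS image with
! crypto support (the asker's 2950 image has no 'crypto' command).
!
! --- As posted: one shared line password, Telnet only ---
line con 0
 password cisco
line vty 0 4
 password cisco
 transport input telnet
!
! --- Hardened equivalent ---
! SSH needs a hostname and a domain name before the RSA key can be generated.
hostname LAN-A
ip domain-name example.local
! State the modulus explicitly; 768 is far below current guidance.
crypto key generate rsa modulus 2048
ip ssh version 2
! Per-user accounts in the local database, which 'login local' checks.
! Create the user BEFORE switching lines to 'login local', or the next session is locked out.
username admin privilege 15 secret Pl4ceh0lder-Adm1n
! 'enable secret' stores a hash; 'enable password' stores a reversible type-7 string.
enable secret Pl4ceh0lder-Enabl3
service password-encryption
!
line con 0
 login local
 exec-timeout 5 0
!
! Cover every vty line (0-15 on this platform); configuring only 0 4
! leaves 5 15 with whatever defaults they had.
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
 access-class 10 in
!
! Only the management subnet may reach the vty lines; log anything else.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
```

On crypto images `transport input telnet ssh` is also accepted, but it keeps the plaintext Telnet path open, so `transport input ssh` alone is the setting to keep.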