Category: cisco

Enabling SSH on Cisco Catalyst Switches

Enabling SSH on Cisco Catalyst Switches

There are several ways to configure or monitoring a Cisco Device: console line (which requires a local cable, hence physical address), vty lines (via telnet or ssh), SNMP, and http/https access.

Since traffic through Telnet protocol travels in clear (non-encrypted) text, it’s best to configure remote access through a secure (encrypted) channel.

Before you proceed, verify your Cisco Device supports encryption. To check whether your device allows encryption issue the following command:

show version

Look for the line System image file and verify whether your IOS version have a “k9” substring in the file name. This indicates the version supports encryption.

Configuration Steps

  • Set a hostname and a domain name
  • Enable password encryption and create required usernames and passwords
  • Generate an encryption key
  • Restrict vty lines to use ssh
  • Restrict vty lines to allow incoming ssh traffic only from certain IP addresses (optional)
  • Block IP addresses after a certain number of failed attempts (optional)
Set a hostname and a domain name

A hostname is already set but you should change it to something more descriptive for your environment. A domain is not set by default and you must set this value to match your business infrastructure.

Change to enable mode, if you’re not already on it.

switch>enable
Password: < type your password >

Set your hostname and domain-name according to your own network.

switch#configure terminal
switch(config)#
switch(config)# hostname myswitch01
switch(config)# ip domain-name mydomain.com
switch(config)#exit
Enable password encryption and create usernames and passwords

The service password-encryption allows for ahem.. the encryption of every password (enable, username passwords) on the device. Issue it if you haven’t before (you probably have, though). Also create the users who can access your device and with which privileges. In this example the user database is local.

switch(config)#service password-encryption
switch(config)# username name privilege privilege# secret passwordtype# password  
switch(config)#exit

where
name: the user name
privilege#: 15 for enable permissions; 1 for normal user permissions
passwordtype#:

  • 0 if you’re going to type an unencrypted password;
  • 5 if you’re going to type an already encrypted password.

password: the actual password

The following example creates the user khaxan with enable permissions

switch(config)# username khaxan privilege 15 secret 0 G3tDHck0uT0H$re
Generating a crypto key

The Cisco device must create an encryption key before ssh could be enabled.

switch(config)# crypto key generate rsa general-keys modulus modulus_size

You can choose a modulus size up to 2048. The longer the better so:

switch(config)# crypto key generate rsa general-keys modulus 2048

Wait a bit while the system creates the key.

Restricting vty lines to use only ssh (don’t allow telnet)

In configuration mode allow only incoming ssh connections with the command transport input ssh (by default lines don’t allow any connections), and indicate the authentication is taking place against the local database (the users you created before).

switch(config)# line vty 0 4
switch(config-line)# transport input ssh
switch(config-line)# login local
Restricting vty lines to only allow ssh from certain subnets (Optional)

If you want to add a bit of extra security, you can create a list of IP addresses which are allowed to connect via ssh to the Cisco device.

The following example creates the standard access list 1 to permit traffic from the subnet 10.10.10.0 with logging enabled.  A deny statement is implicit in the ACL so technically the second access-list line is not needed unless you want to log unauthorized connection attempts (Always check who’s trying to connect to your server!).

Apply that ACL to the vty lines accepting SSH.

switch(config)# access-list 1 permit 10.10.10.0 0.0.0.255 log
switch(config)# access-list 1 deny any log
switch(config-line)# line vty 0 4
switch(config-line)# access-class 1 in
Block IP addresses after a certain number of failed attempts (optional)

Also, if you want to prevent the casual attacker you can block their IP addresses for a period of time use the command login block-for; this will prevent brute force attacks to the device.

The example below blocks for 1 hour (3600 seconds) an IP address with 5 failed login attempts within 50 seconds.  Important: Choose carefully the proper times for your environment. If you select a very low fail-attempt-threshold like 2 failed login attempts within 60 seconds then you might be blocking yourself if you accidentally type a wrong password 2 times in 1 minute.

switch(config)# login block-for 3600 attempts 5 within 50

That’s it. You should be able to connect to your device via your favorite SSH client.

Advertisements

Configuring NTP client on a Cisco Catalyst Switch

NTP (Network Time Protocol) is a protocol used for clock synchronization among different devices. Enabling NTP in your network devices will cause that they all have the same time so operations flow smoothly and log analysis can be actually useful. I can’t stress enough how important it is.

So, let’s configure the NTP on a standard Cisco Catalyst Switch so the switch can synchronize to a NTP Server. The procedure below is a BASIC NTP configuration for a Cisco Catalyst switch but it can be used also in older routers (No ASR or Nexus, where the config is slightly different). We’ll discuss advanced NTP topics in further posts.

Before starting the configuration, you need a Time Server already up and running, which it can be your own server or a free public one. You can find a list of public ntp servers in this link:

Configuring the NTP association

switch#config terminal
switch(config)# ntp server ip_address_of_ntp_server

and optionally if you want logs about the NTP operation (e.g.,failed to reach the time server)

switch(config)# ntp logging
switch(config)#end

Save your changes

switch#copy running-config startup-config

Now, when you see your configuration you will notice something like this

switch#show running-config | incl ntp
ntp logging
ntp server x.x.x.x
ntp clock-period some_numeric_value    

The value is automatically calculated by the switch to compensate the time differences between the ntp client and the ntp server. Do not remove or modify this line.

Note: For redundancy, it’s best to specify more than one ntp server. In the scenario that the first NTP server fails our can’t be reached, your devices would get clock sync from the next server. To accomplish this, simply add another line like this.

switch(config)# ntp server ip_address_of_ntp_server1
switch(config)# ntp server ip_address_of_ntp_server2

And that’s it.

Verifying the NTP association is working

To verify your device it’s connected properly to the time server, use the following command:

switch#show ntp status

You should see an output like this:

Clock is synchronized, stratum number, reference is ip_address_of_ntp_server
and more information about the clock offset and the precision of the sync.

You’re all set! Good luck.