Tuesday 25 June 2013

(M3) 2.4.3 Configure Telnet and Ssh


- DOC - Configuring Switch-Based Authentication

TELNET

(config)#line vty 0 15
(config-line)#transport input telnet
or
(config-line)#transport input all

SSH

(config)#line vty 0 15
(config-line)#transport input ssh
or
(config-line)#transport input all

Setting Up the Switch to Run SSH

Command - Purpose

Step 1 - configure terminal
  Enter global configuration mode.

Step 2 - hostname hostname
  Configure a hostname for your switch.

Step 3 - ip domain-name domain_name
  Configure a host domain for your switch.

Step 4 - crypto key generate rsa
  Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair.
  A minimum modulus size of 1024 bits is recommended.
  When you generate RSA keys, you are prompted to enter a modulus length. A longer modulus length might be more secure, but it takes longer to generate and to use.

Step 5 - end
  Return to privileged EXEC mode.

Step 6 - show ip ssh or show ssh
  show ip ssh: show the version and configuration information for your SSH server.
  show ssh: show the status of the SSH server on the switch.

Step 7 - copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server:

Command - Purpose

Step 1 - configure terminal
  Enter global configuration mode.

Step 2 - ip ssh version [1 | 2]
  (Optional) Configure the switch to run SSH Version 1 or SSH Version 2.
  1 - Configure the switch to run SSH Version 1.
  2 - Configure the switch to run SSH Version 2.
  If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Step 3 - ip ssh {timeout seconds | authentication-retries number}
  Configure the SSH control parameters:
  timeout seconds: specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the switch uses the default time-out values of the CLI-based sessions.
  By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
  authentication-retries number: specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
  Repeat this step when configuring both parameters.

Step 4 - line vty line_number [ending_line_number]
         transport input ssh
  (Optional) Configure the virtual terminal line settings.
  Enter line configuration mode to configure the virtual terminal line settings. For line_number and ending_line_number, specify a pair of lines. The range is 0 to 15.
  Specify that the switch prevent non-SSH Telnet connections. This limits the switch to SSH connections only.

Step 5 - end
  Return to privileged EXEC mode.

Step 6 - show ip ssh or show ssh
  show ip ssh: show the version and configuration information for your SSH server.
  show ssh: show the status of the SSH server connections on the switch.

Step 7 - copy running-config startup-config
  (Optional) Save your entries in the configuration file.

To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
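An audit of the settings these steps produce, as an added example (not from the original notes or from Cisco): it reads a running-config as text and flags vty lines whose transport input is not restricted to ssh, a missing ip ssh version 2, timeout or authentication-retries values outside the ranges given above, and the password weaknesses the command reference later in these notes addresses (enable password without enable secret, line passwords without service password-encryption). Both config samples are constructed.

```python
import re
# Constructed sample running-configs (not from the original notes): one that still
# permits Telnet and plaintext passwords, one hardened as the steps above describe.
WEAK_CONFIG = """\
enable password cisco123
ip ssh timeout 200
line vty 0 4
 password cisco
 login
 transport input all
line vty 5 15
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
ip ssh version 2
ip ssh timeout 60
ip ssh authentication-retries 3
line vty 0 15
 login local
 transport input ssh
"""

def vty_blocks(text):
    """Return [(header, [indented body lines])] for every 'line vty' block."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.startswith("line vty"):
            current = (line.strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for header, body in vty_blocks(text):
        transports = [l.split("transport input", 1)[1].strip() for l in body if l.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: transport input not explicitly restricted to ssh")
        elif transports[-1] != "ssh":
            findings.append(f"{header}: transport input {transports[-1]} is not restricted to ssh")
    if not re.search(r"^ip ssh version 2$", text, re.M):
        findings.append("ip ssh version 2 not set; the server accepts whichever version the client offers")
    # Valid ranges from the notes above (some IOS releases spell the first keyword 'time-out').
    for param, limit in (("timeout", 120), ("authentication-retries", 5)):
        m = re.search(rf"^ip ssh {param} (\d+)$", text, re.M)
        if m and not 0 <= int(m.group(1)) <= limit:
            findings.append(f"ip ssh {param} {m.group(1)} is outside the valid range 0-{limit}")
    if re.search(r"^enable password ", text, re.M) and not re.search(r"^enable secret ", text, re.M):
        findings.append("enable password set without enable secret; the enable password is not hashed")
    if re.search(r"^ password ", text, re.M) and "service password-encryption" not in text:
        findings.append("line passwords are stored in plaintext; service password-encryption not set")
    return findings
```

Run audit_config over the output of show running-config; the weak sample produces six findings and the hardened one none.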

Displaying the SSH Configuration and Status


To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 9-5:

Table 9-5 Commands for Displaying the SSH Server Configuration and Status

Command      Purpose
show ip ssh  Shows the version and configuration information for the SSH server.
show ssh     Shows the status of the SSH server.



Resetting Switches to Factory Defaults

1. Type in “write erase” to erase the NVRAM filesystem:
Switch#wr erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Switch#
2. When that’s finished, type in “reload” and do NOT save the config:
Switch#reload
*Mar  2 05:51:10.245: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvrameload
Proceed with reload? [confirm]

*Mar  2 05:51:14.062: %SYS-5-RELOAD: Reload requested by console. Reload reason: Reload command
Using driver version 1 for media type 1
Base ethernet MAC Address: 18:ef:63:70:d6:00
Xmodem file system is available.
The password-recovery mechanism is enabled.
Initializing Flash...
mifs[2]: 0 files, 1 directories
mifs[2]: Total bytes     :    3870720
mifs[2]: Bytes used      :       1024
mifs[2]: Bytes available :    3869696
mifs[2]: mifs fsck took 0 seconds.
mifs[3]: 416 files, 8 directories
mifs[3]: Total bytes     :   27998208
mifs[3]: Bytes used      :   13362176
mifs[3]: Bytes available :   14636032
mifs[3]: mifs fsck took 6 seconds.
...done Initializing Flash.
done.
Loading "flash:/c3750-ipbasek9-mz.122-50.SE1/c3750-ipbasek9-mz.122-50.SE1.bin"...@@@@@@@@@
Reset VLAN Information
1. Type in “show vlan” to see if there are any VLANs configured:
Switch#sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
10   HR                               active
50   PRINTERS                         active
99   VOIP                             active
100  IT                               active
999  Remote-Span                      active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
2. Next type in “dir flash:” to verify that the vlan.dat file is present:
Switch#dir flash:
Directory of flash:/

2  -rwx         756   Mar 1 1993 04:47:02 +00:00  vlan.dat
!--- This vlan.dat file stores user-configured VLANs.
3  drwx         512   Mar 1 1993 00:12:38 +00:00  c3750-ipbasek9-mz.122-50.SE1

27998208 bytes total (14636032 bytes free)
Switch#
3. Delete the “vlan.dat” file
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#
4. Reload once again
Switch#reload
Proceed with reload? [confirm]

*Mar  1 00:24:17.621: %SYS-5-RELOAD: Reload requested by console. Reload reason: Reload command
5. Now just confirm that the VLANs are gone and we are back to a factory default setting:
Switch#sh vlan
*Mar  1 00:02:02.272: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively downbr

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#
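A programmatic check for step 5, as an added example that is not part of the original notes: it parses show vlan brief output (constructed samples in the same layout, including the wrapped Ports column) and returns any VLAN that is not one of the factory VLANs 1 and 1002-1005, so an empty result confirms the reset.

```python
import re

# Constructed "show vlan brief" captures in the layout shown in these notes (not copied
# from a real switch): one before the vlan.dat deletion, one after the second reload.
BEFORE_RESET = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
                                                Fa1/0/4, Gi1/0/1, Gi1/0/2
10   HR                               active
50   PRINTERS                         active    Fa1/0/5
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

AFTER_RESET = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# VLANs present on every Catalyst out of the box; anything else was user-configured.
FACTORY_VLANS = {1, 1002, 1003, 1004, 1005}
ROW = re.compile(r"^(\d{1,4})\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
PORT = re.compile(r"[A-Za-z]+\d+(?:/\d+)*")  # Fa1/0/1, Gi1/0/2, ...

def _ports(text):
    return [p.strip() for p in text.split(",") if p.strip()]

def parse_vlans(output):
    """Return {vlan_id: (name, status, [ports])}.

    Lines made only of interface names continue the Ports column of the previous
    row (IOS wraps long port lists); header, separator and log lines are ignored.
    """
    vlans, last = {}, None
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(1))
            vlans[last] = (m.group(2), m.group(3), _ports(m.group(4) or ""))
        else:
            toks = _ports(line)
            if last is not None and toks and all(PORT.fullmatch(t) for t in toks):
                vlans[last][2].extend(toks)
    return vlans

def nondefault_vlans(output):
    """VLAN IDs that must be gone before the switch counts as factory-default."""
    return sorted(v for v in parse_vlans(output) if v not in FACTORY_VLANS)

if __name__ == "__main__":
    print("before reset:", nondefault_vlans(BEFORE_RESET))
    print("after reset: ", nondefault_vlans(AFTER_RESET))
```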
If you cannot get into the switch, reset it by pressing the MODE button.
Follow these steps to return your switch to the factory default settings:
1. Press and hold the Mode button.

The switch LEDs begin blinking after about 2 seconds. If the switch is not configured, the LEDs above the mode button turn green. You can omit this step and run Express Setup to configure the switch.
2. Continue holding down the Mode button. The LEDs stop blinking after an additional 8 seconds, and then the switch reboots.
The switch now behaves like an unconfigured switch. You can configure the switch by using Express Setup as described in the switch getting started guide that is included with the switch.

Tuesday 2 April 2013

(M3) Course 1.1

CDP
The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection in some cases, simplifying configuration and connectivity. CDP messages are not encrypted.

By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic broadcasts that are updated locally in each device's CDP database. Because CDP is a Layer 2 protocol, it is not propagated by routers.

CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack.


http://icon.clnchina.com.cn/attachment/2/6/7/17762_RouterVulnerabilities.pdf

(M1-M3) COURSE Start


- MODULE 1 -

NETWORK REPRESENTATIONS

Network Interface Card - A NIC, or LAN adapter, provides the physical connection to the network at the PC or other host device. The media connecting the PC to the networking device plugs directly into the NIC.

Physical Port - A connector or outlet on a networking device where the media is connected to a host or other networking device.

Interface - Specialized ports on an internetworking device that connect to individual networks. Because routers are used to interconnect networks, the ports on a router are referred to as network interfaces.



NETWORK TOOL

traceroute <destination network name or end device address>
(Unix and similar systems)
or
tracert <destination network name or end device address>
(MS Windows systems)


TYPES of PHYSICAL MEDIA

CONFIGURATION FILES


A Cisco network device contains two configuration files:
  • The running configuration file - used during the current operation of the device
  • The startup configuration file - used as the backup configuration and is loaded when the device is started

A configuration file may also be stored remotely on a server as a backup.

  • Interface mode - to configure one of the network interfaces (Fa0/0, S0/0/0, ...)
    (config)#interface serial 0/0/0
  • Line mode - to configure one of the lines (physical or virtual) (console, AUX, VTY, ...)
    (config)#line console 0
  • Router mode - to configure the parameters for one of the routing protocols
    (config)#router rip
VTY Password
The vty lines allow access to a router via Telnet.
By default, many Cisco devices support five VTY lines that are numbered 0 to 4.
Encrypting Password Display
Another useful command prevents passwords from showing up as plain text when viewing the configuration files.
This is the service password-encryption command.

The following example reloads the software on the router in 10 minutes:

Router# reload in 10

Router# Reload scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)

Proceed with reload? [confirm]

Router#


The following example reloads the software on the router at 1:00 p.m. today:

Router# reload at 13:00

Router# Reload scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and 2 minutes)

Proceed with reload? [confirm]

Router#


The following example reloads the software on the router on April 20 at 2:00 a.m.:

Router# reload at 02:00 apr 20

Router# Reload scheduled for 02:00:00 PDT Sat Apr 20 1996 (in 38 hours and 9 minutes)

Proceed with reload? [confirm]

Router#


The following example cancels a pending reload:

Router# reload cancel

%Reload cancelled.
 
VERIFY CONNECTIVITY

IOS Ping Indicators

A ping from the IOS yields one of several indicators for each ICMP echo that was sent. The most common indicators are:
! - indicates receipt of an ICMP echo reply
. - indicates a timeout while waiting for a reply
U - indicates that an ICMP unreachable message was received
 
User EXEC Mode
enable - Enter Privileged EXEC mode

Privileged EXEC Mode
copy running-config startup-config - Copy the active configuration to NVRAM.
copy startup-config running-config - Copy the configuration in NVRAM to RAM.
erase startup-configuration - Erase the configuration located in NVRAM.
ping ip_address - Ping to that address.
traceroute ip_address - Trace each hop to that address.
show interfaces - Display statistics for all interfaces on a device.
show clock - Show the time set in the router.
show version - Display currently loaded IOS version, hardware, and device information.
show arp - Display the ARP table of the device.
show startup-config - Display the saved configuration located in NVRAM.
show running-config - Display the contents of the currently running configuration file.
show ip interface - Display IP statistics for interface(s) on a router.
configure terminal - Enter terminal configuration mode.
Terminal Configuration Mode
hostname hostname - Assign a host name to device.
enable password password - Set an unencrypted enable password.
enable secret password - Set a strongly encrypted enable password.
service password-encryption - Encrypt display of all passwords except secret.
banner motd # message # - Sets a message-of-the-day banner.
line console 0 - Enter console line configuration mode.
line vty 0 4 - Enter virtual terminal (Telnet) line configuration mode.
interface Interface_name - Enter interface configuration mode.

Line Configuration Mode
login - Enable password checking at login.
password password - Set line password.

Interface Configuration Mode
ip address ip_address netmask - Set interface IP address and subnet mask.
description description - Set interface description.
clock rate value - Set clock rate for DCE device.
no shutdown - Set interface to up.
shutdown - Administratively set interface to down.
 
Cisco Router and Switch IOS Password Recovery 

http://www.cisco.com/warp/public/474/pswdrec_1700.pdf
http://www.cisco.com/warp/public/474/pswdrec_2900xl.pdf 
 
 
- MODULE 3-

NETWORK MODEL

The typical hierarchical design model is broken up into three layers:
  1. Access: The access layer can include routers, switches, bridges, hubs, and wireless access points. The main purpose of the access layer is to provide a means of connecting devices to the network and controlling which devices are allowed to communicate on the network.
  2. Distribution: The distribution layer controls the flow of network traffic using policies and delineates broadcast domains by performing routing functions between virtual LANs (VLANs) defined at the access layer. VLANs allow you to segment the traffic on a switch into separate subnetworks. For example, in a university you might separate traffic according to faculty, students, and guests. Distribution layer switches are typically high-performance devices that have high availability and redundancy to ensure reliability.
  3. Core: The core layer of the hierarchical design is the high-speed backbone of the internetwork. The core layer is critical for interconnectivity between distribution layer devices, so it is important for the core to be highly available and redundant. The core area can also connect to Internet resources. The core aggregates the traffic from all the distribution layer devices, so it must be capable of forwarding large amounts of data quickly.
An example of a three-layer hierarchical network design is displayed in the figure.


ANALYSIS TOOLS


Traffic flow analysis is the process of measuring the bandwidth usage on a network and analyzing the data for the purpose of performance tuning, capacity planning, and making hardware improvement decisions. Traffic flow analysis is done using traffic flow analysis software.

Many traffic flow analysis tools that automatically record traffic flow data to a database and perform a trend analysis are available. In larger networks, software collection solutions are the only effective method for performing traffic flow analysis.
The figure displays sample output from Solarwinds Orion 8.1 NetFlow Analysis, which monitors traffic flow on a network. While the software is collecting data, you can see just how every interface is performing at any given point in time on the network. Using the included charts, you can identify traffic flow problems visually. This is much easier than having to interpret the numbers in a column of traffic flow data.

For a list of some commercial traffic flow collection and analysis tools, visit
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml
For a list of some freeware traffic flow collection and analysis tools, visit
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml



SWITCH FEATURES

Two other characteristics you want to consider when selecting a switch are:
  1. Power over Ethernet (PoE) 
  2. Layer 3 functionality



Access layer: switches facilitate the connection of end node devices to the network.
For this reason, they need to support features such as port security, VLANs, Fast Ethernet/Gigabit Ethernet, PoE, and link aggregation.

Distribution layer: switches provide the inter-VLAN routing functions so that one VLAN can communicate with another on the network.
This routing typically takes place at the distribution layer because distribution layer switches have higher processing capabilities than the access layer switches.
Distribution layer switches relieve the core switches of this task, since the core is busy forwarding very high volumes of traffic.
Because inter-VLAN routing is performed at the distribution layer, the switches at this layer need to support Layer 3 functions.

Core layer: the high-speed backbone of the network; it requires switches that can handle very high forwarding rates.
The required forwarding rate is largely dependent on the number of devices participating in the network. You determine the necessary forwarding rate by conducting and examining various traffic flow reports and user community analyses.
Based on your results, you can identify an appropriate switch to support the network. Take care to evaluate your needs for the present and near future.
If you choose an inadequate switch to run in the core of the network, you face potential bottleneck issues in the core, slowing down all communications on the network.


CISCO CATALYST SWITCH:
Duplex settings (the interface configuration command duplex {auto | full | half}):
  • auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.
  • full option sets full-duplex mode
  • half option sets half-duplex mode
Additionally:
  • mdix auto - When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection.

    The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.



SWITCH SECURITY PASSWORD