# 6 Configuring Basic Switch Management

###### tags: `CCNA`

### Securing the Switch CLI

By default, a Cisco Catalyst switch allows anyone to connect to the console port, access user mode, and then move on to enable and configuration modes without any kind of security.

### Securing User Mode and Privileged Mode with Simple Passwords

Using default settings, a console user can move into user mode and then privileged mode with no passwords required; **however, default settings prevent remote users from accessing even user mode.**

![](https://i.imgur.com/zMzMkCh.png)

**Console users must supply the console password**, as configured in console line configuration mode. **Telnet users must supply the Telnet password, also called the vty password**, so called because the configuration sits in vty line configuration mode.

![](https://i.imgur.com/MghM2V6.png)

![](https://i.imgur.com/2cOoUtq.png)

![](https://i.imgur.com/w5CuzlK.png)

![](https://i.imgur.com/riQQIll.png)

vty 0 15 :question:

![](https://i.imgur.com/7E8un1j.png)

**show running-config**

![](https://i.imgur.com/u9Ccc8S.png)

![](https://i.imgur.com/ARa53TV.png)

![](https://i.imgur.com/VjUkV5u.png)

### Securing User Mode Access with Local Usernames and Passwords

Cisco switches support two other login security methods that **both use per-user username/password pairs instead of a shared password with no username.**

![](https://i.imgur.com/Dbbb3g8.png)

![](https://i.imgur.com/qeYvpD0.png)

:::info
Example 6-4 does not show the password value as having been typed because Cisco switches do not display the typed password for security reasons.
:::

### Securing User Mode Access with External Authentication Servers

![](https://i.imgur.com/jot0f2w.png)

Cisco switches allow exactly that option using an external server called an authentication, authorization, and accounting (AAA) server. **These servers hold the usernames/passwords. Typically, these servers allow users to do self-service and forced maintenance to their passwords.** Many production networks use AAA servers for their switches and routers today.

### Securing Remote Access with Secure Shell

SSH encrypts all data transmitted between the SSH client and server, protecting the data and passwords. **SSH can use the same local login authentication method as Telnet, with the locally configured username and password.** (SSH cannot rely on authentication methods that do not include a username, like shared passwords.)

![](https://i.imgur.com/NrLVHze.png)

![](https://i.imgur.com/euAABde.png)

![](https://i.imgur.com/pLQiDjs.png)

#### CLI command line

- `transport input all` or `transport input telnet ssh`: Support both Telnet and SSH
- `transport input none`: Support neither
- `transport input telnet`: Support only Telnet
- `transport input ssh`: Support only SSH

### Enabling IPv4 for Remote Access

**Host and Switch IP Settings**

![](https://i.imgur.com/g3HXjib.png)

In a Cisco switch, by default, all ports are assigned to VLAN 1.

![](https://i.imgur.com/e0x6mw1.png)

**The reason a switch needs a default gateway setting** is the same reason that hosts need the same setting—because of how hosts think when sending IP packets. Specifically:

- To send IP packets to hosts in the same subnet, send them directly
- To send IP packets to hosts in a different subnet, send them to the local router; that is, the default gateway

![](https://i.imgur.com/b0IDH0I.png)

However, to communicate with host A, on the far left of the figure, the switch must use Router R1 (the default gateway) to forward IP packets to host A. To make that work, the switch needs a default gateway setting configured.

### Configuring IPv4 on a Switch

![](https://i.imgur.com/ETA26Dx.png)

### Configuring a Switch to Learn Its IP Address with DHCP

The switch can also use Dynamic Host Configuration Protocol (DHCP) to dynamically learn its IPv4 settings.

![](https://i.imgur.com/IB272Zh.png)

### Verifying IPv4 on a Switch

![](https://i.imgur.com/xUNphZ6.png)

### The logging synchronous, exec-timeout, and no ip domain-lookup Commands

You could simply disable the feature that sends log messages to the console and then reenable the feature later using the `no logging console` and `logging console` global configuration commands. ==For example, when working from the console, if you want to temporarily not be bothered by log messages==, you can disable the display of these messages with the ==**no logging console**== global configuration command, and then when finished, enable them again.

Finally, IOS has an interesting combination of features that can make you wait for a minute or so when you mistype a command. **First, IOS tries to use DNS name resolution on IP hostnames—a generally useful feature. If you mistype a command, however, IOS thinks you want to telnet to a host by that name.** With all default settings in the switch, the switch tries to resolve the hostname, cannot find a DNS server, and takes about a minute to time out and give you control of the CLI again.

To avoid this problem, configure the ==**no ip domain-lookup**== global configuration command, which **disables IOS's attempt to resolve the hostname into an IP address.**
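The following is an added example, not part of the original notes or of any Cisco tool: a small Python audit that reads a running-config and reports the settings this chapter tells you to change, covering both the vty/SSH section (`login` vs `login local`, `transport input`) and the final section (`exec-timeout`, `no ip domain-lookup`, plus the `ip default-gateway` needed for off-subnet management). The sample config is constructed, and a vty line with no `transport input` command is assumed to behave as `transport input all`.

```python
# Constructed sample running-config (not from a real switch): the chapter's hardened
# global settings next to the shared-password, Telnet-enabled lines it starts from.
SAMPLE_CONFIG = """\
no ip domain-lookup
interface Vlan1
 ip address 192.168.1.200 255.255.255.0
ip default-gateway 192.168.1.1
line console 0
 password cisco
 login
 logging synchronous
 exec-timeout 5 0
line vty 0 15
 password cisco
 login
 transport input telnet ssh
"""

def parse_sections(config):
    # Map each top-level command to its indented sub-commands (IOS indents one space).
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections[current] = []
    return sections

def audit(config):
    # Return findings for the settings this chapter says to add or change.
    s, findings = parse_sections(config), []
    if "no ip domain-lookup" not in s:
        findings.append("global: add 'no ip domain-lookup' so a mistyped command does not stall on DNS")
    if not any(k.startswith("ip default-gateway ") for k in s):
        findings.append("global: no 'ip default-gateway'; the switch cannot reach off-subnet hosts")
    for name, cmds in s.items():
        if not name.startswith("line "):
            continue
        if "login" in cmds:  # bare 'login' = shared line password, no username
            findings.append(f"{name}: shared password; use 'login local' with 'username ... secret'")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions stay open")
        if name.startswith("line vty"):
            # Assumption: a vty line with no 'transport input' is treated as 'all'.
            protos = next((c.split()[2:] for c in cmds if c.startswith("transport input")), ["all"])
            if protos not in (["ssh"], ["none"]):
                ti = " ".join(protos)
                findings.append(f"{name}: 'transport input {ti}' still allows Telnet; use 'transport input ssh'")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the console and vty shared passwords, the missing vty `exec-timeout`, and the Telnet-capable `transport input`; after switching both lines to `login local` and the vty to `transport input ssh` with an `exec-timeout`, it returns no findings.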