====== Cisco 3750 switch setup ======

Following on from [[networking:cisco-3750-part1|Cisco 3750 switch setup - Part 1 - Upgrade IOS]]

===== Switch config =====

All these commands have to be run in enable mode. I have 3750-1, which has 48 ports, adjacent to my house patch panel and 3750-2, with 24 ports, in my server rack. They are connected with a cat6 tie line plugged into the gi1/0/1 port on each switch, which requires an [[rb:sfp|sfp]] to rj45 module.

The objective is to secure the switch with ssh-only access (no telnet) and to force logins on the serial console to require a password (enable access via the serial console already requires one). Because access is ssh only, the switch will require a user name to log in with. http and https access should be disabled: this is an old switch and image, and it only supports SSL v3, not TLS, so it is safest to just disable browser access. SSH access should be restricted to v2 only, as v1 is broken.

===== ssh v2 access =====

<code>
3750-1(config)#ip ssh version 2
3750-1(config)#exit
3750-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
3750-1#
</code>

Disable the web server.

<code>
no ip http server
no ip http secure-server
</code>

===== Network and Serial Port access control =====

This forces logins on the local serial interface (''login local'') and forces network access to use ssh (''transport input ssh'').

<code>
line con 0
 login local
 password 7 070623445353454
line vty 0 4
 password 7 070623445353454
 login local
 transport input ssh
line vty 5 15
 password 7 070623445353454
 login local
 transport input ssh
!
</code>

===== Banner =====

Login banners probably won't deter anyone, but they do provide an indication that usage is restricted. This is an example session, followed by the config that produces it:

<code>
user@study:~$ ssh -l admin 3750-2.domain.com
+-------------------------------------------------------+
| This is a private system and                          |
| is only for the use of authorized personnel.          |
|                                                       |
+-------------------------------------------------------+
Password:
Welcome to 3750-2
Session established to 3750-2 on line 1
3750-2>en
Password:
3750-2#
</code>

This is the config that generates it; note that the running-config lists the banners in a different order from the one in which they are displayed.

<code>
banner exec ^C
Session established to $(hostname) on line $(line)^C
banner login ^C
+-------------------------------------------------------+
| This is a private system and                          |
| is only for the use of authorized personnel.          |
|                                                       |
+-------------------------------------------------------+
^C
banner motd ^C
Welcome to $(hostname)^C
!
</code>

So the order is:

  - banner login - shown before the password challenge
  - banner motd - shown immediately after a successful login
  - banner exec

===== Port Configuration =====

==== Trunk uplink ====

The first section, for ''GigabitEthernet1/0/1'', is a link to an upstream switch; the second is a trunk link to a server running the vlan driver on top of the bonding driver. As you can see, the config is the same for both.

  * [[linux:ubuntunetwork#vlan_driver|Ubuntu Network Config]]
  * [[linux:ubuntu1804netplan#and_vlans|Ubuntu 18.04 Netplan]]
  * [[linux:centosnetwork#vlan_driver|Centos Networking]]

<code>
interface GigabitEthernet1/0/1
 description uplink to 3750-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to Optiplex eth0
 switchport trunk encapsulation dot1q
 switchport mode trunk
</code>

==== Access port ====

Spanning-tree portfast skips the listening and learning phases of spanning-tree negotiation, so the port goes directly to the forwarding state. This prevents dhcp requests timing out whilst the 50s port setup completes. The first example leaves the port on vlan 1 (the default); the second assigns it explicitly to a vlan numbered 2 or higher (vlan 5 here).
<code>
interface FastEthernet1/0/1
 description SGI Origin 200
 spanning-tree portfast
 no mdix auto

interface FastEthernet1/0/12
 description WeatherCam on DMZ
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 no mdix auto
</code>

==== Access port with voip link to ip phone ====

[[voip:cisco7940-7960|Cisco 7940 & 7960 ip phones]]

<code>
interface FastEthernet1/0/22
 description VOIP port POE for 7960
 switchport mode access
 switchport voice vlan 7
 spanning-tree portfast
</code>

FIXME - BPDU guard: puts the port into the errdisable state when a BPDU is received. This causes problems for virtual machines running on users' workstations in bridging mode.
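As an added check (example code written for this page, not part of the original wiki or of any Cisco tooling), the following Python script parses the text of ''show running-config'' and reports deviations from the policy above: ''ip ssh version 2'', the explicit ''no ip http server'' / ''no ip http secure-server'' lines, ''login local'' on the console and every vty, and ''transport input ssh'' as the only vty transport. It also flags two things the page mentions but does not enforce: ''spanning-tree portfast'' without ''spanning-tree bpduguard enable'' (the FIXME above) and ''password 7'' lines, whose type 7 encoding is reversible; with ''login local'' the line password is not used for authentication anyway, so it can simply be removed. The sample config and the "hardened" variant are constructed from the page's own stanzas; the script assumes the config carries the explicit ''no ip http'' lines rather than relying on platform defaults.

```python
"""Audit a Cisco IOS running-config for the hardening points on this page.

Added example, not the page's own or Cisco's code. It assumes the config
carries the explicit 'no ip http ...' lines shown on the page rather than
relying on platform defaults.
"""
import re

# Constructed sample built from the page's stanzas, with weaknesses left in:
# https still on, the 7960 voice port without BPDU guard, and vty 5-15 still
# allowing telnet with a line password instead of 'login local'.
SAMPLE_CONFIG = """\
ip ssh version 2
no ip http server
ip http secure-server
!
interface FastEthernet1/0/12
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/22
 switchport mode access
 switchport voice vlan 7
 spanning-tree portfast
!
line con 0
 login local
 password 7 070623445353454
line vty 0 4
 password 7 070623445353454
 login local
 transport input ssh
line vty 5 15
 password 7 070623445353454
 login
 transport input telnet ssh
!
"""

# The same config with every finding fixed, derived by text substitution.
HARDENED_CONFIG = re.sub(
    r" password 7 \S+\n", "",
    SAMPLE_CONFIG.replace("\nip http secure-server\n", "\nno ip http secure-server\n")
    .replace(" transport input telnet ssh", " transport input ssh")
    .replace(" login\n", " login local\n")
    .replace(" spanning-tree portfast\n!", " spanning-tree portfast\n spanning-tree bpduguard enable\n!"),
)


def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split config text into top-level commands and {stanza header: [sub-commands]}."""
    top: list[str] = []
    stanzas: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None  # '!' or a blank line ends the current stanza
        elif raw[0].isspace():
            if current is not None:
                stanzas[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()  # only these commands open an indented stanza
            stanzas[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, stanzas


def audit(text: str) -> list[str]:
    """Return findings against the page's policy; an empty list means compliant."""
    top, stanzas = parse_config(text)
    findings: list[str] = []
    # Management plane: SSHv2 only, no web UI (the image only speaks SSLv3).
    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may still be accepted")
    for required in ("no ip http server", "no ip http secure-server"):
        if required not in top:
            findings.append(f"global: '{required}' missing, web management still enabled")
    for header, body in stanzas.items():
        if header.startswith("interface "):
            # Portfast skips listening/learning; without BPDU guard a switch or
            # bridging VM plugged into the port can join the spanning tree.
            if "spanning-tree portfast" in body and "spanning-tree bpduguard enable" not in body:
                findings.append(f"{header}: portfast without 'spanning-tree bpduguard enable'")
            continue
        # Remaining stanzas are 'line con' / 'line vty'.
        if header.startswith("line vty"):
            transports = [c for c in body if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: 'transport input ssh' is not the only transport")
        if "login local" not in body:
            findings.append(f"{header}: 'login local' missing, no per-user authentication")
        if any(c.startswith("password 7 ") for c in body):
            findings.append(f"{header}: type 7 line password present (reversible encoding)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of ''show running-config'' saved to a file, or paste a config into ''SAMPLE_CONFIG'' as above; the sample produces seven findings and the hardened variant none. The parser only opens a stanza for ''interface'' and ''line'' commands, which is enough for these checks; other indented blocks (for example ''router'' or ''ip access-list'') are ignored.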