Cisco 3750 switch setup
Following on from Cisco 3750 switch setup - Part 1 - Upgrade IOS
Switch config
All these commands have to be run in enable mode.
I have 3750-1, which has 48 ports and sits next to my house patch panel, and 3750-2, with 24 ports, in my server rack. They are connected with a cat6 tie line plugged into the gi1/0/1 port on each switch, which requires an SFP-to-RJ45 module at each end.
The objective is to secure the switch with ssh-only access (no telnet) and to require a password for logins on the serial console as well (enable access via the serial console already requires a password). Because access is ssh only, the switch will require a user name to log in with. http and https access should be disabled: this is an old switch and image, and it only supports SSL v3, not TLS, so it is safest to disable browser access altogether. SSH access should be restricted to v2 only, as v1 is broken.
ssh v2 access
3750-1(config)#ip ssh version 2
3750-1(config)#exit
3750-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
3750-1#
Disable the web server.
no ip http server
no ip http secure-server
Network and Serial Port access control
This forces logins on the local serial interface (login local) and forces network access to use ssh (transport input ssh).
line con 0
 login local
 password 7 070623445353454
line vty 0 4
 password 7 070623445353454
 login local
 transport input ssh
line vty 5 15
 password 7 070623445353454
 login local
 transport input ssh
!
Banner
Login banners probably won't deter anyone, but they do indicate that usage is restricted. This is an example session, followed by the config that produces it:-
user@study:~$ ssh -l admin 3750-2.domain.com
+-------------------------------------------------------+
| This is a private system and                          |
| is only for the use of authorized personnel.          |
|                                                       |
+-------------------------------------------------------+
Password:
Welcome to 3750-2
Session established to 3750-2 on line 1
3750-2>en
Password:
3750-2#
This is the config that generates it; note that the banners appear in the config in a different order to the one in which they are displayed.
banner exec ^C
Session established to $(hostname) on line $(line)^C
banner login ^C
+-------------------------------------------------------+
| This is a private system and                          |
| is only for the use of authorized personnel.          |
|                                                       |
+-------------------------------------------------------+
^C
banner motd ^C
Welcome to $(hostname)^C
!
So the order is:-
- banner login - shown before the password challenge
- banner motd - shown immediately after a successful login
- banner exec - shown after the motd, when the exec session starts
Port Configuration
Trunk uplink
The first section, for GigabitEthernet1/0/1, is a link to an upstream switch; the second is a trunk link to a server running the vlan driver on top of the bonding driver. As you can see, the config is the same for both.
interface GigabitEthernet1/0/1
 description uplink to 3750-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to Optiplex eth0
 switchport trunk encapsulation dot1q
 switchport mode trunk
Access port
Spanning tree portfast skips the listening and learning phases of the port's spanning tree negotiation and moves it directly to the forwarding state. This prevents dhcp requests timing out during the 50s that bringing up the port otherwise takes.
The first example leaves the port in vlan 1 (the default); the second forces it into a specific vlan (2 or upwards).
interface FastEthernet1/0/1
 description SGI Origin 200
 spanning-tree portfast
 no mdix auto
!
interface FastEthernet1/0/12
 description WeatherCam on DMZ
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 no mdix auto
Access port with voip link to ip phone
interface FastEthernet1/0/22
 description VOIP port POE for 7960
 switchport mode access
 switchport voice vlan 7
 spanning-tree portfast
- BPDU guard - puts the port into the errdisable state when a BPDU is received; this causes problems for virtual machines running in bridging mode on users' workstations.
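To check that a switch actually ended up in the state the sections above aim for (ssh v2 only, web server off, every vty restricted to ssh with a local login, console login local, portfast on access ports), here is an added example audit script, not part of the original page and not a Cisco tool. It parses the text of a saved running-config. The two configs embedded in it are constructed: SAMPLE_CONFIG is assembled from the snippets on this page (with a hostname added), and WEAK_CONFIG is a deliberately non-compliant variant with a made-up port FastEthernet1/0/3. It also flags `password 7` lines, since type 7 is Cisco's reversible obfuscation rather than a hash, so a config containing it must be stored as carefully as a plaintext password.

```python
# Constructed from the page's snippets; not a dump of the author's switch.
SAMPLE_CONFIG = """\
hostname 3750-2
ip ssh version 2
no ip http server
no ip http secure-server
!
interface GigabitEthernet1/0/1
 description uplink to 3750-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet1/0/12
 description WeatherCam on DMZ
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 no mdix auto
!
interface FastEthernet1/0/22
 description VOIP port POE for 7960
 switchport mode access
 switchport voice vlan 7
 spanning-tree portfast
!
line con 0
 login local
 password 7 070623445353454
line vty 0 4
 password 7 070623445353454
 login local
 transport input ssh
line vty 5 15
 password 7 070623445353454
 login local
 transport input ssh
!
"""

# Constructed non-compliant variant: web server on, no ssh v2, telnet still
# allowed on the vtys, console password without a user name, no portfast.
WEAK_CONFIG = """\
ip http server
interface FastEthernet1/0/3
 description hypothetical test port
 switchport mode access
line con 0
 login
 password 7 070623445353454
line vty 0 4
 login local
 transport input telnet ssh
"""


def parse_config(text):
    """Split an IOS config into (top-level commands, stanzas).

    stanzas maps a header such as 'line vty 0 4' or
    'interface FastEthernet1/0/12' to its indented child lines.
    """
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        current = None
        if raw.startswith(("line ", "interface ")):
            current = raw.strip()
            stanzas[current] = []
        else:
            top.append(raw.strip())
    return top, stanzas


def audit(text):
    """Return findings as strings; an empty list means every goal above is met."""
    top, stanzas = parse_config(text)
    findings = []
    if "ip ssh version 2" not in top:
        findings.append("global: ssh not restricted to version 2")
    for cmd in ("no ip http server", "no ip http secure-server"):
        if cmd not in top:
            findings.append(f"global: missing '{cmd}'")
    for header, body in stanzas.items():
        if header.startswith("line con"):
            if "login local" not in body:
                findings.append(f"{header}: console does not require a local login")
        elif header.startswith("line vty"):
            if "login local" not in body:
                findings.append(f"{header}: no 'login local'")
            if "transport input ssh" not in body:   # 'telnet ssh' etc. fails too
                findings.append(f"{header}: transport not restricted to ssh")
        elif header.startswith("interface "):
            if "switchport mode access" in body and "spanning-tree portfast" not in body:
                findings.append(f"{header}: access port without portfast")
        # Type 7 is reversible obfuscation, not a hash: the config file itself
        # then needs the same protection as the password it holds.
        if header.startswith("line ") and any(c.startswith("password 7 ") for c in body):
            findings.append(f"{header}: type 7 password (reversible obfuscation)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

Run it against `show running-config` output saved to a file by replacing the embedded strings; on the page's own config the only findings are the three type 7 password lines, while the weak variant trips every check.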