rb:cisco-3750-part2 [12/02/2018 01:16] (current)
====== Cisco 3750 switch setup ======

===== Switch config =====

All these commands have to be run from enable mode (the configuration commands via ''configure terminal'').

I have 3750-1 which has 48 ports adjacent to my house patch panel and 3750-2 with 24 ports in my server rack.
They are connected with a cat6 tie line plugged into the gi1/0/1 port on each switch. This requires the use of an [[rb:sfp|sfp]] to rj45 module.

The objective is to secure the switch with ssh-only access (no telnet) and also to force logins on the serial console to require a password (enable access via the serial console already requires a password).
The switch will require a user name to log in with: ssh always sends one, and ''login local'' checks it against the local user database, so a ''username <name> privilege 15 secret <password>'' entry must exist before the line configuration below is applied, otherwise nobody can log in. http and https access should be disabled; this is an old switch and image,
and it only supports ssl v3 (which is broken), not TLS, so it is safest to just disable browser access. SSH access should be restricted to v2 only as v1 is broken.


===== ssh v2 access =====

''ip ssh version 2'' is only accepted once the switch has an ''ip domain-name'' and an RSA keypair (''crypto key generate rsa''); until then ''sh ip ssh'' reports SSH as disabled. With the keypair in place:

<code>
3750-1(config)#ip ssh version 2
3750-1(config)#exit
3750-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
3750-1#
</code>

Disable the web server.
<code>
no ip http server
no ip http secure-server
</code>

===== Network and Serial Port access control =====

This forces logins on the local serial interface (''login local'') and forces network access to use ssh (''transport input ssh''). Note that with ''login local'' the line ''password'' is not what authenticates you, the local ''username'' entry is, so the ''password 7'' lines below are redundant. Type 7 is also a reversible obfuscation rather than a hash, so anyone who can read the config can recover the clear text; use ''username ... secret'' and ''enable secret'' (which are hashed) for anything that matters. An ''access-class'' ACL on the vty lines additionally limits which hosts can reach the ssh prompt at all.
<code>
line con 0
 login local
 password 7 070623445353454
line vty 0 4
 password 7 070623445353454
 login local
 transport input ssh
line vty 5 15
 password 7 070623445353454
 login local
 transport input ssh
!
</code>


===== Banner =====

Login banners probably won't deter anyone, but they do provide an indication that usage is restricted. This is an example session with the config below in place:

<code>
user@study:~$ ssh -l admin 3750-2.domain.com

+-------------------------------------------------------+
|             This is a private system and              |
|      is only for the use of authorized personnel.     |
|                                                       |
+-------------------------------------------------------+

Password: 

Welcome to 3750-2
Session established to 3750-2 on line 1
3750-2>en
Password: 
3750-2#
</code>

This is the config to generate this, but the config appears in a different order to the displayed text. The ''^C'' is the delimiter character that terminates each banner, so it must not occur inside the banner text itself.

<code>
banner exec ^C
Session established to $(hostname) on line $(line)^C
banner login ^C
+-------------------------------------------------------+
|             This is a private system and              |
|      is only for the use of authorized personnel.     |
|                                                       |
+-------------------------------------------------------+

^C
banner motd ^C
Welcome to $(hostname)^C
!
</code>

So the order is:-
  - banner login - shown before the password challenge
  - banner motd - shown immediately after a successful login
  - banner exec - shown when the exec (command) session starts


===== Port Configuration =====

==== Trunk uplink ====

The first section for ''GigabitEthernet1/0/1'' is a link to an upstream switch,
the second is for a trunk link to a server running the vlan driver on top of the bonding driver; as you can see the config is the same.
On a 3750 the encapsulation has to be set to dot1q before ''switchport mode trunk'' is accepted, because the platform also supports ISL and defaults to negotiating the encapsulation. A trunk to a server should not be left to DTP negotiation either: ''switchport nonegotiate'' and an explicit ''switchport trunk allowed vlan'' list are worth adding, otherwise every vlan (plus untagged traffic in the native vlan 1) is carried to the host.
FIXME - link to bridging / vlan / bonding for Centos and Ubuntu.

<code>
interface GigabitEthernet1/0/1
 description uplink to 3750-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to Optiplex eth0
 switchport trunk encapsulation dot1q
 switchport mode trunk
</code>

==== Access port ====

Spanning tree portfast skips the listening and learning states of port negotiation and goes directly to the forwarding state.
This is to prevent dhcp requests timing out while the (up to 50 s) spanning-tree setup of the port completes. It should only be used on ports that face a single end host, never on a link to another switch.

The first example leaves the port in vlan 1 (the default), the second forces it into a specific vlan (2 or upwards).

<code>
interface FastEthernet1/0/1
 description SGI Origin 200
 spanning-tree portfast
 no mdix auto
!
interface FastEthernet1/0/12
 description WeatherCam on DMZ
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 no mdix auto
</code>

FIXME - setup for telephone port.

FIXME - BPDU guard - puts the port into errdisable state when a BPDU is received; this causes problems for virtual machines running in bridging mode on users' workstations.
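The line configuration and the access-port configuration above can be checked mechanically rather than by eye. The following is an added example, not code from the original page: a small Python audit that parses an IOS-style running-config, flags the weak settings discussed on this page (web server still enabled, ''ip ssh version 2'' missing, vty lines that accept telnet, lines without ''login local'', ''login local'' with no ''username'' defined, portfast ports without BPDU guard) and, to make the point about ''password 7'', decodes any type 7 values with Cisco's fixed XOR key. ''SAMPLE_CONFIG'' is a constructed config loosely modelled on the one above with deliberate weaknesses; its type 7 values were produced with the ''type7_encrypt'' function in the block, the username hash in it is a placeholder, and the audit rules are my own, not a Cisco tool.

```python
"""Audit a Cisco IOS running-config for the hardening points made on this page.

Added example, not code from the original page. SAMPLE_CONFIG is constructed
for illustration; the username hash in it is a placeholder, not a real hash.
"""
import re

# Fixed key used by Cisco's type 7 obfuscation ("service password-encryption").
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Reverse a 'password 7' value: two-digit key offset, then hex of plaintext XOR key."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])  # raises ValueError on odd length / non-hex input
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return clear.decode("ascii")


def type7_encrypt(plain: str, offset: int = 7) -> str:
    """Forward transform; it is the same XOR, which is why type 7 is only obfuscation."""
    data = plain.encode("ascii")
    obfuscated = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{offset:02d}{obfuscated.hex().upper()}"


def parse_config(config: str) -> dict:
    """Split an IOS config into {'global': [...], 'line vty 0 4': [...], 'interface X': [...]}.

    Indented lines belong to the most recent 'line' or 'interface' header;
    unindented lines are global commands. '!' separators are dropped.
    """
    sections = {"global": []}
    current = "global"
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" "):
            sections[current].append(text)
        elif text.startswith(("line ", "interface ")):
            current = text
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(text)
    return sections


def audit(config: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    sections = parse_config(config)
    glob = sections["global"]
    findings = []
    if "ip ssh version 2" not in glob:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 can still be negotiated")
    for cmd in glob:
        if re.fullmatch(r"ip http (secure-)?server", cmd):
            findings.append(f"global: '{cmd}' is enabled, disable browser access")
    uses_login_local = False
    for name, lines in sections.items():
        if name.startswith("interface "):
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: portfast without 'spanning-tree bpduguard enable'")
            continue
        if not name.startswith("line "):
            continue
        if "login local" in lines:
            uses_login_local = True
        else:
            findings.append(f"{name}: no 'login local', no username is required")
        if name.startswith("line vty"):
            transport = next((l for l in lines if l.startswith("transport input ")), None)
            if transport != "transport input ssh":
                findings.append(f"{name}: expected 'transport input ssh', found "
                                f"'{transport or 'not set (telnet allowed by default)'}'")
        for cmd in lines:
            m = re.fullmatch(r"password 7 (\S+)", cmd)
            if m:
                try:
                    clear = type7_decrypt(m.group(1))
                except ValueError:
                    clear = "<malformed>"
                findings.append(f"{name}: type 7 password is reversible -> '{clear}'")
    if uses_login_local and not any(c.startswith("username ") for c in glob):
        findings.append("global: 'login local' is used but no 'username' is defined")
    return findings


# Constructed sample, loosely modelled on the page's config, with deliberate weaknesses.
SAMPLE_CONFIG = """\
hostname 3750-2
ip http secure-server
username admin privilege 15 secret 5 $1$placeholder$notarealhash
!
interface FastEthernet1/0/1
 description SGI Origin 200
 spanning-tree portfast
!
interface FastEthernet1/0/12
 description WeatherCam on DMZ
 switchport access vlan 5
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
line con 0
 login local
 password 7 122A0014000E1855
line vty 0 4
 password 7 070C285F4D06
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run the file directly to print the findings for the sample; feed it the output of ''show running-config'' to audit a real switch. The ''password 7'' value shown on this page, ''070623445353454'', has an odd number of hex digits, so ''type7_decrypt'' raises and the audit reports it as malformed rather than decoding it.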
  
