<!--
title: Administering a Cisco Switch
date: 2025-04-17
-->

# Administering a Cisco Switch - Basics for Homelab Usage

## Connecting to the Switch

Only quite old SSH parameters are supported, so the client has to enable them explicitly:

```
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@192.168.2.1
```

## Saving the Configuration

Never forget this, otherwise the changes are gone after a reboot!

```
write memory
```

## Configure VLANs

Allow VLAN IDs greater than 1005 by putting VTP into transparent mode:

```
configure terminal
vtp mode transparent
exit
```

```
configure terminal
vlan 1001
name vlan1001
exit
exit
```

The first `exit` leaves the VLAN, the second `exit` leaves the config session.

If the VLAN is to be used for management purposes, an interface for this VLAN with an IP address is additionally required:

```
configure terminal
vlan 2000
name vlan2000
exit

interface vlan 2000
ip address dhcp
exit

exit
```

or

```
configure terminal
vlan 2000
name vlan2000
exit

interface vlan 2000
ip address 192.168.88.3 255.255.255.0
exit

ip default-gateway 192.168.88.1

exit
```

Check your work:

```
show vlan
```

## Configure Interfaces

To check your work use:

```
show interfaces status
```

### Access Ports

```
configure terminal
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 1001
spanning-tree portfast
no shutdown
exit
exit
```

### Trunk Ports

```
configure terminal
interface GigabitEthernet1/0/23
switchport mode trunk
switchport trunk allowed vlan 1012,3001,3002,3003,3004
switchport trunk native vlan 1012
no shutdown
exit
exit
```

`allowed` connects the port to the listed VLANs for tagged communication.

`native` makes that VLAN untagged on the port.

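Checking the access and trunk port configuration from the two sections above by hand gets tedious once more than a handful of ports are involved. The following script is an added example for these notes, not code from the original page: it parses the `show interfaces status` output (assuming the usual IOS column layout of Port, Name, Status, Vlan, Duplex, Speed, Type) and compares it with a small port plan. The sample output and the plan are constructed here; the plan mirrors the access port and the trunk port configured above.

```python
"""Check the switch's port plan against `show interfaces status` output.

Added example for these notes (not part of the original page). It assumes the
column layout of IOS `show interfaces status` (Port, Name, Status, Vlan,
Duplex, Speed, Type) and works on constructed sample output; the plan below
mirrors the access port and trunk port configured above.
"""

# Constructed sample output modelled on `show interfaces status`; not
# captured from a real switch.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      connected    1001       a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   nas                connected    1          a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/23  uplink to router   connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""

# Desired state: access ports map to their VLAN ID, trunk ports to "trunk"
# (the word the Vlan column shows for a trunk).
PORT_PLAN = {
    "Gi1/0/1": "1001",
    "Gi1/0/23": "trunk",
}

# The first four columns are left-aligned and Name may contain spaces, so
# they are sliced at the header's column offsets; the remaining three are
# plain whitespace-separated tokens.
FIXED_COLUMNS = ("Port", "Name", "Status", "Vlan")


def parse_status(text):
    """Return {port: {"name", "status", "vlan", "duplex", "speed", "type"}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [header.index(col) for col in FIXED_COLUMNS]
    rest_start = header.index("Duplex")
    ports = {}
    for line in lines[1:]:
        fields = {}
        for i, col in enumerate(FIXED_COLUMNS):
            end = starts[i + 1] if i + 1 < len(FIXED_COLUMNS) else rest_start
            fields[col.lower()] = line[starts[i]:end].strip()
        # Type may itself contain spaces (e.g. "No Transceiver"), so keep the tail.
        duplex, speed, ptype = line[rest_start:].split(maxsplit=2)
        fields.update(duplex=duplex, speed=speed, type=ptype)
        ports[fields["port"]] = fields
    return ports


def check_ports(status_text, plan):
    """Compare the observed port state with the plan; return a list of findings."""
    observed = parse_status(status_text)
    findings = []
    for port, want in plan.items():
        got = observed.get(port)
        if got is None:
            findings.append(f"{port}: in plan but not shown by the switch")
        elif got["vlan"] != want:
            findings.append(f"{port}: expected vlan {want}, switch shows {got['vlan']}")
    for port, info in observed.items():
        # A connected port nobody planned for is still in whatever VLAN it was
        # left in (VLAN 1 by default): report it so it gets assigned deliberately.
        if port not in plan and info["status"] == "connected":
            findings.append(f"{port}: connected but not in plan (vlan {info['vlan']})")
    return findings


if __name__ == "__main__":
    for finding in check_ports(SAMPLE_STATUS, PORT_PLAN) or ["no findings"]:
        print(finding)
```

Paste the real `show interfaces status` output into `SAMPLE_STATUS` (or read it from a file) and extend `PORT_PLAN` with every port you have configured; a connected port that is missing from the plan is reported, because it is still sitting in whatever VLAN it was left in.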
### SSH access and hardening measures

First of all, the switch needs to know the time and requires a name.

About time:

```
configure terminal
ntp server de.pool.ntp.org
clock timezone Etc/Utc
exit
```

About names:

```
configure terminal
hostname switch01
ip domain-name mynetwork.intern
exit
```

A user is required:

```
configure terminal
username admin password geheim123
exit
```

A host key must be generated (this is a global configuration command as well):

```
configure terminal
crypto key generate rsa
exit
```

This command will ask for the key length. Select 2048 bits.

Set the SSH version:

```
configure terminal
ip ssh version 2
exit
```

Configure the virtual terminals accordingly:

```
configure terminal
line vty 0 15
transport input ssh
login local
exit
```

As mentioned above, the switch supports only quite old SSH algorithms, so to access it use on the client side:

```
ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 -oHostKeyAlgorithms=+ssh-rsa admin@192.168.2.1
```

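After the steps of this section it is worth checking `show running-config` once, because two things are easy to get wrong: `username ... password` stores the password reversibly (type 0 plain text, or the trivially decodable type 7 once `service password-encryption` is on), whereas `username ... secret` stores a hash; and every `line vty` range must end up with `transport input ssh` and `login local`. The script below is an added example for these notes, not code from the original page: it audits a running-config excerpt for exactly these settings plus the `hostname`, `ip domain-name` and `ip ssh version 2` lines set above. The sample config is constructed (it uses the `password` form from this page and deliberately leaves telnet enabled on one vty range) and the hash in the hardened variant is a placeholder.

```python
"""Audit a running-config excerpt for the SSH settings configured above.

Added example for these notes (not part of the original page). It assumes the
plain-text format of `show running-config` and runs on a constructed sample
config that reflects the commands on this page.
"""
import re

# Constructed sample, not taken from a real switch. The username line uses
# `password` exactly as on this page, and the second vty range still allows
# telnet, so the audit has something to report.
SAMPLE_CONFIG = """\
hostname switch01
!
username admin password 0 geheim123
!
ip domain-name mynetwork.intern
ip ssh version 2
!
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
!
end
"""

# Same excerpt with the findings fixed: `secret` stores a hash of the
# password instead of the reversible type 0/7 encoding, and every vty line
# only accepts SSH. The hash value is a placeholder, not a real one.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "username admin password 0 geheim123",
    "username admin secret 9 $9$PLACEHOLDER-HASH").replace(
    "transport input telnet ssh", "transport input ssh")

USER_RE = re.compile(r"^username (\S+) (password|secret)(?: (\d+))? (\S+)")


def parse_config(text):
    """Split the excerpt into global commands, user accounts and vty blocks."""
    global_cmds, users, vty_blocks = [], [], []
    current = None
    for raw in text.splitlines():
        if raw.startswith(" "):          # sub-command of the current block
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if not line or line in ("!", "end"):
            continue
        m = USER_RE.match(line)
        if m:
            users.append({"name": m.group(1), "kind": m.group(2), "type": m.group(3)})
        elif line.startswith("line vty"):
            current = (line, [])
            vty_blocks.append(current)
        else:
            global_cmds.append(line)
    return global_cmds, users, vty_blocks


def audit(text):
    """Return a list of findings; an empty list means the excerpt matches the setup above."""
    global_cmds, users, vty_blocks = parse_config(text)
    findings = []
    for user in users:
        if user["kind"] == "password":
            findings.append(
                f"user {user['name']}: 'password' (type {user['type'] or '0'}) is stored "
                f"reversibly in the config; use 'username {user['name']} secret ...'")
    for header, cmds in vty_blocks:
        transport = [c for c in cmds if c.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: {', '.join(transport) or 'no transport input'}, "
                            "want 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"{header}: missing 'login local'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set")
    for prefix in ("hostname ", "ip domain-name "):
        if not any(c.startswith(prefix) for c in global_cmds):
            findings.append(f"global: '{prefix.strip()}' not set (needed before generating the host key)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it against the output of `show running-config` saved to a file; the sample reports the reversible `password` and the vty range that still accepts telnet, while the hardened variant reports nothing. Remember `write memory` after changing either of these, or the audit will pass on the running config and fail again after the next reboot.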