Cisco Switch Basic Configuration


When you get a new Cisco switch there is some basic setup to do first: SSH, a username, passwords and so on. This post is a note of those steps for easy reference.

The switch used for the demonstration below is a Cisco WS-C2960G-24TC-L (essentially a Layer 2 switch).

For the difference between Layer 2 and Layer 3 switches, see this post and this post.

Enter Express Setup Mode:

Press the MODE button for 3 seconds until all the LEDs turn green. If they are blinking instead, reset the switch by holding the MODE button for more than 7 seconds.

The switch then acts as a DHCP server with the default address 10.0.0.1 and hands 10.0.0.2 to your machine. You can reach it with telnet 10.0.0.1 or through the web interface at http://10.0.0.1/ (default account and password: cisco/cisco). Those defaults are public, so replace them as part of the setup below.

Basic setting:

enable
conf t
hostname HOST-test
enable secret ENABLE_PASSWORD

A note on password versus secret: a password is shown in plaintext in show run, and if service password-encryption has been run it is stored as type 7, a weak reversible obfuscation that is trivially decoded. secret stores a salted MD5 hash (type 5) instead, which is considerably safer. Where the IOS image supports it, enable algorithm-type scrypt secret ... (type 9) or algorithm-type sha256 (type 8) is better still.

The enable password is used to raise the privilege level (0 to 15); the username password is used to log in (telnet/SSH).
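To show why type 7 is not real protection, here is an added Python example (not part of the original post) that implements the publicly known type 7 reversal and runs it over a constructed show run excerpt. The key-stream constant is the well-known one IOS uses; the hostname, user and passwords in the sample are made up, and 0822455D0A16 is the widely published type 7 encoding of "cisco".

```python
import re

# The fixed key stream IOS uses for type 7. It is public and constant, which is
# why type 7 is obfuscation rather than encryption.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext from a type 7 string such as 0822455D0A16.

    Layout: two decimal digits give the starting offset into TYPE7_KEY, then
    one hex byte per plaintext character, each XORed with successive key bytes.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(byte ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
        for i, byte in enumerate(body)
    )


def type7_encrypt(plaintext: str, offset: int = 8) -> str:
    """Inverse of type7_decrypt. IOS picks the offset itself; here it is a
    parameter so the round trip can be checked."""
    if not plaintext.isascii():
        raise ValueError("IOS passwords are ASCII")
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    hexbody = "".join(
        f"{ord(ch) ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]):02X}"
        for i, ch in enumerate(plaintext)
    )
    return f"{offset:02d}{hexbody}"


PASSWORD7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")


def recover_type7_passwords(running_config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every 'password 7' entry."""
    found = []
    for line in running_config.splitlines():
        m = PASSWORD7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decrypt(m.group(1))))
    return found


# Constructed sample of `show running-config` output (not from a real device);
# the hex strings were produced with type7_encrypt above.
SAMPLE_RUN = """\
service password-encryption
hostname HOST-test
enable password 7 0822455D0A16
username FOO privilege 15 password 7 053B273C127B613B3D
line vty 0 15
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, plain in recover_type7_passwords(SAMPLE_RUN):
        print(f"{line:55}  ->  {plain}")
```

Every line with the keyword password 7 in a leaked config is therefore as good as plaintext; only secret lines (type 5 or better) actually need cracking.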

interface vlan 1
ip address 10.0.0.1 255.255.255.0

Set up ssh:

ip domain-name example.com
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
(The original note used a 1024-bit modulus, which is no longer adequate; generate the key before setting the version, because the switch refuses ip ssh version 2 until an RSA key pair exists. An old IOS image may only offer the diffie-hellman-group1-sha1 key exchange, which current OpenSSH disables by default, so connect with ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 FOO@10.0.0.1; recent OpenSSH releases may also need -oHostKeyAlgorithms=+ssh-rsa to accept the switch's SHA-1 signed RSA host key.)
username FOO privilege 15 secret PASSWORD
line vty 0 15

line console is the mode used when you log in over the console cable; line vty is used for telnet/SSH.

transport input ssh
login local
(authenticate against the local username database)
aaa new-model
aaa authentication login default local

These two lines make login authentication check the local user database. Note that once aaa new-model is on, the login local under line vty is superseded by this AAA default method list, and the same list also applies to the console, so make sure the username line above has been entered first or you can lock yourself out.

Disable the unused web interface:

no ip http server
no ip http secure-server
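As an added example that is not from the original post, the Python script below checks a saved show running-config against the steps in the three sections above: enable secret rather than enable password, username ... secret, SSH pinned to version 2 with a domain name present, every vty line restricted to SSH and authenticated against the local database (either login local or the AAA default method list), and both HTTP servers off. The two configs embedded in it are constructed, and the hash values in them are placeholders, not real hashes.

```python
import re


def parse_sections(config_text: str):
    """Split IOS config into top-level lines and {section header: [members]}.

    IOS indents the members of a section (interface, line, ...) with a single
    space and separates sections with '!' lines.
    """
    top_level, sections, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top_level.append(current)
    return top_level, sections


def audit(config_text: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top, sections = parse_sections(config_text)
    present = set(top)

    # Privilege and user passwords: 'password' is reversible, 'secret' is hashed.
    if any(l.startswith("enable password ") for l in top):
        findings.append("'enable password' in use; replace it with 'enable secret'")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no 'enable secret' configured")
    for l in top:
        m = re.match(r"username (\S+) .*\bpassword\b", l)
        if m:
            findings.append(f"user {m.group(1)} uses reversible 'password'; use 'secret'")
    if "service password-encryption" in present:
        findings.append("'service password-encryption' only obfuscates (type 7); do not rely on it")

    # SSH prerequisites and version pinning.
    if not any(l.startswith("ip domain-name ") for l in top):
        findings.append("no 'ip domain-name'; RSA key generation for SSH needs one")
    if "ip ssh version 2" not in present:
        findings.append("'ip ssh version 2' not set; SSHv1 may still be negotiated")

    # Web interface should be off when unused ('no ip http server' shows as such).
    for svc in ("ip http server", "ip http secure-server"):
        if svc in present:
            findings.append(f"'{svc}' enabled; turn it off with 'no {svc}'")

    # Remote-access lines: SSH only, authenticated against the local user database.
    aaa_local = {"aaa new-model", "aaa authentication login default local"} <= present
    vty = [(h, m) for h, m in sections.items() if h.startswith("line vty")]
    if not vty:
        findings.append("no 'line vty' section found")
    for header, members in vty:
        transport = [x for x in members if x.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport is {transport or 'default (not SSH-only)'}; set 'transport input ssh'")
        if not aaa_local and "login local" not in members:
            findings.append(f"{header}: neither 'login local' nor an AAA local method list; logins skip local users")
    return findings


# Constructed sample configs (not real device output); hashes are placeholders.
WEAK_CONFIG = """\
service password-encryption
hostname HOST-test
enable password 7 0822455D0A16
username FOO privilege 15 password 7 053B273C127B613B3D
ip domain-name example.com
ip http server
ip http secure-server
!
line con 0
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet ssh
line vty 5 15
 login
!
end
"""

HARDENED_CONFIG = """\
hostname HOST-test
aaa new-model
aaa authentication login default local
enable secret 5 $1$placeholder$saltedmd5hashgoeshere
username FOO privilege 15 secret 5 $1$placeholder$saltedmd5hashgoeshere
ip domain-name example.com
ip ssh version 2
no ip http server
no ip http secure-server
!
line con 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it over the output of show running-config saved to a file; the vty check deliberately treats a missing transport input line as a failure, since on many IOS releases the default leaves telnet open.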

Switch gets its IP from DHCP:

interface vlan 1
ip address dhcp
show dhcp lease (check the switch's current IP)

You can see the address the switch obtained with the command above. The original note put ip address dhcp on a physical port (Gi 0/20), but on a Layer 2 model like the 2960 the physical ports are switchports and do not take an IP address; the DHCP client belongs on the management SVI (interface vlan 1).

BPDU guard setting (interface-level commands, entered on the uplink port):

spanning-tree bpdufilter enable
spanning-tree bpduguard disable

Cisco switches run spanning tree protocol (STP) by default, so this switch will send BPDUs out of the port you connect to the existing network. Upstream access ports are commonly protected with BPDU guard precisely to keep a newly plugged-in switch from disturbing the existing STP topology: when such a port receives a BPDU it goes into err-disabled and your link is dead. Enabling bpdufilter on this switch's uplink stops it from sending or processing BPDUs, so to the upstream network it looks like an ordinary end host. The bpduguard disable line only matters if BPDU guard had been enabled on this port. Be aware that filtering BPDUs removes loop protection on that link; only do this where a second path back to the network cannot exist, otherwise ask for the upstream port to be configured for a switch instead.

bpdufilter     Don't send or receive BPDUs on this interface
bpduguard      Don't accept BPDUs on this interface

See here and here for details.

Afterword:

Wiring up a console cable is a hassle, and a broken SSH configuration can lock you out, so a common trick is to dedicate one port to a separate VLAN (e.g. 101) and give the switch a static IP on that VLAN. Any computer configured in the same subnet can then be plugged into that port and reach the switch directly. Treat it as a management port and keep it physically secured, since anyone who can plug into it gets a path to the login prompt.