05-27-2013 11:01 PM - edited 03-07-2019 01:35 PM
Hi All,
I am trying to disable Telnet and enable SSH in Cat OS for 6500.
Can someone help with a step by step instruction? I have been searching for a while but did not get a convincing answer yet. Please help.
Thanks,
05-27-2013 11:17 PM
Hi
- To enable SSH on CATOS first you need to have the k9 or security image having the SSH feature available.
- Commands to enable SSH
sec-cat6000> (enable) set crypto key rsa 1024
- Command to verify crypto key enabled or not
sec-cat6000> (enable) show crypto key
- If you want to restrict IPs to access the device via SSH use the below command
sec-cat6000> set ip permit 172.18.124.0 255.255.255.0
sec-cat6000> (enable) set ip permit enable ssh >>>> Command to turn SSH permit list.
- Command to verify the ssh permit list
sec-cat6000> (enable) show ip permit
Hope this will help you.
Thanks & Regards
Sandeep
05-27-2013 11:45 PM
Hi Sandeep,
Once you enable SSH, don't we have to apply ssh as input under line vty?
Or is this different in Cat OS?
05-27-2013 11:47 PM
Hi Madhu,
There is no need to put the input ssh on cat os.
Please find the configuration of SSH:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
Regards
Inayath
05-27-2013 11:57 PM
Hi Inayathulla,
Thanks for the quick reply.
Do we need a permit list to restrict access to a certain subnet? Is that mandatory?
Example:
sec-cat6000>
set ip permit 172.18.124.0 255.255.255.0 ... because I don't want to put any filter on any subnet for SSH.
Also, for disabling Telnet access, if I don't have any subnets filtered for it, will just the below command be necessary?
set ip permit disable telnet
05-28-2013 01:00 AM
Hi Madhu,
I don't think the permit list is mandatory as per the link. I don't have the box as of now to test, but give it a try; it should work.
2-
Yes you are correct. Just running this command
set ip permit disable telnet
HTH
Regards
Inayath
05-28-2013 10:47 PM
I will try it out and let you know. Thank you.
05-29-2013 09:58 AM
Hi Inayath,
It worked. But I needed to put a filter for a subnet.
Here I am required to allow everyone.
I tried
set ip permit 0.0.0.0 0.0.0.0 ssh -> but it did not take that command.
Do you know how to permit everyone?
05-29-2013 05:28 PM
Could you try this:
sec-cat6000> set ip permit 0.0.0.0 0.0.0.0
!--- Turn on SSH.
sec-cat6000> (enable) set ip permit enable ssh
SSH permit list enabled.
!--- Verify SSH permit list.
sec-cat6000> (enable) show ip permit
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.
Permit List Mask Access-Type
---------------- ---------------- -------------
0.0.0.0 0.0.0.0 ssh snmp
HTH
Regards
Inayath
05-29-2013 10:05 PM
Hi Inayath,
Sure. I will give it a try today. But when I tried this yesterday
set ip permit 0.0.0.0 0.0.0.0 ssh -> It gave me a bad mask error.
So I am not sure it will help. Also it gives a potential vulnerability for snmp since it opens it for everyone other than our monitoring servers.
Do you agree?
Thanks,
Madhu.
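An added example, not part of any post in this thread: a small audit of `show ip permit` output that reports which services have no active permit list and which entries match every source, the SNMP concern raised above. The sample text is constructed in the layout quoted in the thread; the function names are hypothetical, and the script assumes that a disabled permit list means the service is not filtered by source address.

```python
import ipaddress
import re
# Constructed sample, laid out like the "show ip permit" output quoted in the thread.
SAMPLE = """\
Telnet permit list disabled.
Ssh permit list enabled.
Snmp permit list disabled.
Permit List      Mask             Access-Type
---------------- ---------------- -------------
0.0.0.0          0.0.0.0          ssh snmp
10.0.0.0         255.0.0.0        ssh
"""

STATE_RE = re.compile(r"^(Telnet|Ssh|Snmp) permit list (enabled|disabled)\.", re.I)
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*(.*)$")

def parse_show_ip_permit(text):
    """Return ({service: list enabled?}, [(network, {services})]) from the output."""
    states, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := STATE_RE.match(line):
            states[m.group(1).lower()] = m.group(2).lower() == "enabled"
        elif m := ENTRY_RE.match(line):
            # Address plus dotted subnet mask, e.g. 10.0.0.0 255.0.0.0 -> 10.0.0.0/8
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            entries.append((net, set(m.group(3).lower().split())))
    return states, entries

def audit(text):
    """List findings: services with no active permit list, and any-source entries."""
    # Assumption: a disabled permit list leaves that service open to all sources.
    states, entries = parse_show_ip_permit(text)
    findings = []
    for svc in ("telnet", "ssh", "snmp"):
        if not states.get(svc, False):
            findings.append(f"{svc}: permit list disabled, source addresses are not filtered")
    for net, services in entries:
        if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 matches every source address
            for svc in sorted(services):
                active = "active" if states.get(svc) else "inactive until the list is enabled"
                findings.append(f"{svc}: entry {net} permits every source ({active})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```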
05-27-2013 11:20 PM
Hi Madhu,
Please find link below on configuring the SSH on Catos:-
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
To disable telnet:
http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/ip_perm.html
Here is the command to disable telnet on switches running CATOS:
set ip permit disable ?
telnet Disable/Enable telnet permit
snmp Disable/Enable snmp permit
ssh Disable/Enable ssh permit
You may need to issue the command "show ip permit" first. The following steps will work if telnet permit is disabled.
Example:
Console> (enable) show ip permit
Telnet permit list disabled.
If no hosts are defined in the telnet permit lists then there is nothing to allow telnet
from therefore disabling telnet.
However, if you need to limit telnet access on the CAT OS you need to define who is
permitted to telnet to the device. To do this use the command:
set ip permit
set ip permit
set ip permit
set ip permit
This creates a permit list, once you do this you can enable the list to be processed by
the switch
set ip permit enable telnet
This tells the switch to only allow telnet for IP addresses defined in the permit list.
HTH
Regards
Inayath
05-29-2013 05:24 PM
06-01-2013 10:20 AM
Hi All,
Finally it worked.
Below is the config I applied.
To Enable SSH
=======
set ip permit enable ssh
set ip permit 10.0.0.0 255.0.0.0 ssh
To Disable Telnet
===========
Set ip permit enable telnet
Thanks Inayath and all for all your help.