08-06-2021 01:10 PM - edited 08-06-2021 01:13 PM
hey all
Just looking for some best-practice guidelines.
What I'm trying to accomplish is locking down the switch with passwords on all fronts, only using SSH for accessing remotely and console when in front of the switch.
The access list I created is just a temp, so I used the permit any any command, but in future I will lock that down as well.
Here is a sample of my config terminal entries. Let me know if this works.
config terminal
username SYDMAINT privilege 15 secret Tak1#BEE$
enable secret Tak1#BEE
ip access-list standard TELNET-ACCESS
permit any
permit any
exit
line vty 0 4
password Tak1#BEEtelnet
access-class TELNET-ACCESS in
transport input ssh
login local
exit
line console 0
password Tak1#BEEconsole
login local
exit
line aux 0
login local
exit
ip domain name ciscotest.com
crypto key generate rsa
choose ( 2048 )
ip ssh version 2
service password-encryption
wr mem
Thanks again, I appreciate the help.
08-06-2021 02:07 PM
Everything looks OK. (The ACL does not have any effect since you are permitting any; either keeping or removing it makes no difference.)
If you are looking to allow only certain IPs, then it makes sense. Order of operation: creating the SSH cert first and then adding the SSH config is advised.
config terminal
username SYDMAINT privilege 15 secret Tak1#BEE$
enable secret Tak1#BEE
ip access-list standard TELNET-ACCESS <---- since permit any any then not required
permit any
permit any
exit
line vty 0 4
password Tak1#BEEtelnet
access-class TELNET-ACCESS in < -- this is not required until you want to allow only IP address known
transport input ssh
login local
exit
line console 0
password Tak1#BEEconsole
login local
exit
line aux 0
login local
exit
08-08-2021 04:01 AM
Hello
@raymondsafadi75858 wrote:
just looking for some best practice guidelines
what I'm trying to accomplish is locking down the switch with passwords on all fronts, only using ssh for accessing remotely and console when IN front of the switch
Using AAA locally would be applicable also, thus removing the requirement to use individual line passwords.
Example:
username xxxxx privilege 15 algorithm-type scrypt secret xxxxxx
crypto key generate rsa label local general-keys modulus 2048
ip ssh version 2
password encryption aes
key config-key password-encrypt
aaa authentication attempts login 2
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console
line con 0
transport preferred none
transport output ssh
no password
line vty 0 4
transport preferred none
transport input ssh
transport output ssh
no password
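The first answer's point (an access-class whose ACL is just "permit any" restricts nothing) and the AAA-local example above both describe checks you can verify mechanically against a running-config. The script below is an added example written for this thread, not a Cisco tool or anything posted by the replies: it parses an IOS-style config into sections and reports vty lines that are not SSH-only, that lack an inbound access-class, that reference an ACL permitting any source, or that fall back to a line password with neither "login local" nor AAA. The two sample configs are constructed for the example, with secrets replaced by placeholders, and the 10.10.5.0/24 management subnet is an assumed value.

```python
"""Audit a Cisco IOS running-config excerpt for the remote-access hardening
points discussed in this thread (constructed example, not a vendor tool)."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the original post; secrets are placeholders.
WEAK_CONFIG = """\
username SYDMAINT privilege 15 secret <placeholder>
enable secret <placeholder>
ip access-list standard TELNET-ACCESS
 permit any
line vty 0 4
 password <placeholder>
 access-class TELNET-ACCESS in
 transport input ssh
 login local
line console 0
 password <placeholder>
 login local
ip domain name ciscotest.com
ip ssh version 2
service password-encryption
"""

# Constructed hardened variant: management subnet only (assumed 10.10.5.0/24),
# SSH-only transport, local AAA instead of per-line passwords.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
username SYDMAINT privilege 15 algorithm-type scrypt secret <placeholder>
enable algorithm-type scrypt secret <placeholder>
ip access-list standard MGMT-SSH
 permit 10.10.5.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 transport output ssh
line console 0
ip ssh version 2
service password-encryption
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {top-level command: [indented child commands]}.
    Global commands with no children map to an empty list."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if line[0] in " \t" and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def find_acl(sections: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Return the entries of a named standard or extended ACL, if defined."""
    for key in (f"ip access-list standard {name}", f"ip access-list extended {name}"):
        if key in sections:
            return sections[key]
    return None


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    findings: List[str] = []
    aaa_local = "aaa new-model" in sections and any(
        k.startswith("aaa authentication login") for k in sections)

    if "ip ssh version 2" not in sections:
        findings.append("global: 'ip ssh version 2' missing")
    if not any(k in sections for k in ("service password-encryption", "password encryption aes")):
        findings.append("global: line passwords stored in clear text")

    for header, children in sections.items():
        if not header.startswith("line "):
            continue
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings.append(f"{header}: transport input not restricted to ssh ({transports or 'default'})")
            acl_name = None
            for c in children:
                m = re.match(r"access-class (\S+) in$", c)
                if m:
                    acl_name = m.group(1)
            if acl_name is None:
                findings.append(f"{header}: no inbound access-class; any source may attempt SSH login")
            else:
                acl = find_acl(sections, acl_name)
                if acl is None:
                    findings.append(f"{header}: access-class {acl_name} references an ACL that is not defined")
                elif any(re.match(r"permit (any|ip any)", e) for e in acl):
                    findings.append(f"{header}: ACL {acl_name} permits any source, so the access-class has no effect")
        if not (aaa_local or "login local" in children):
            findings.append(f"{header}: neither 'login local' nor AAA; only a line password (or nothing) protects this line")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] {audit(cfg) or 'no findings'}")
```

Run it against a config saved with "show running-config"; the checks are deliberately strict (a vty whose transport input is anything other than exactly "transport input ssh" is flagged), which matches the goal stated in the original post of SSH-only remote access.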
08-08-2021 08:56 AM
Cisco generally publishes documentation for securing their devices. You might search their main site and see what you can find.