Securing access to Cisco C9200L Switch and Setting passwords

Hey all,

Just looking for some best practice guidelines.

What I'm trying to accomplish is locking down the switch with passwords on all fronts, only using SSH for accessing remotely and console when IN front of the switch.

The access list I created is just a temp, so I used the permit any any command, but in future I will lock that down as well.

Here is a sample of my config terminal entries. Let me know if this works.


config terminal

username SYDMAINT privilege 15 secret Tak1#BEE$
enable secret Tak1#BEE
ip access-list standard TELNET-ACCESS
permit any
permit any
exit
line vty 0 4
password Tak1#BEEtelnet
access-class TELNET-ACCESS in
transport input ssh
login local
exit
line console 0
password Tak1#BEEconsole
login local
exit
line aux 0
login local
exit

ip domain name ciscotest.com
crypto key generate rsa

(choose 2048 when prompted for the modulus)

ip ssh version 2

service password-encryption

wr mem

Thanks again, I appreciate the help.

Accepted Solution

balaji.bandi
Hall of Fame

Everything looks OK (the only thing is that the ACL does not have any effect since you are permitting any; either keeping or removing it makes no difference).

Or, if you are looking to allow only certain IPs, then it makes sense. Order of operation: creating the SSH cert first and then adding the SSH config would be advised.


config terminal

username SYDMAINT privilege 15 secret Tak1#BEE$
enable secret Tak1#BEE
ip access-list standard TELNET-ACCESS  <---- not required, since it permits any
permit any
permit any
exit
line vty 0 4
password Tak1#BEEtelnet
access-class TELNET-ACCESS in   <---- not required until you want to allow only known IP addresses
transport input ssh
login local
exit
line console 0
password Tak1#BEEconsole
login local
exit
line aux 0
login local
exit

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

3 Replies


Hello


@raymondsafadi75858 wrote:

Just looking for some best practice guidelines.

What I'm trying to accomplish is locking down the switch with passwords on all fronts, only using SSH for accessing remotely and console when IN front of the switch.


Using AAA locally would be applicable also, thus removing the requirement to use individual line passwords.

Example:
username xxxxx privilege 15 algorithm-type scrypt secret xxxxxx
crypto key generate rsa label local general-keys modulus 2048

ip ssh version 2

password encryption aes
key config-key password-encrypt

aaa new-model
aaa authentication attempts login 2
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console

line con 0
transport preferred none
transport output ssh
no password

line vty 0 4
transport preferred none
transport input ssh
transport output ssh
no password


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
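An added example, not from this thread or from Cisco: a small Python audit that reads running-config text and checks the points raised in the two replies above (vty transport restricted to SSH, local or AAA login on the vty lines, an access-class whose ACL is not simply permit any, an enable secret, and SSH pinned to version 2). The embedded sample is constructed from the original post's ACL and vty lines, laid out the way show running-config prints them; the parser assumes named standard ACLs and one-space indentation for section children.

```python
# Constructed sample in running-config layout: the original post's ACL and vty section.
SAMPLE_CONFIG = """\
enable secret Tak1#BEE
ip ssh version 2
ip access-list standard TELNET-ACCESS
 permit any
line vty 0 4
 access-class TELNET-ACCESS in
 transport input ssh
 login local
"""

def parse_sections(config):
    """Split config into (top-level lines, {header line: [its indented child lines]})."""
    glob, sections, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):                  # indented: child of the preceding header
            sections.setdefault(current, []).append(line.strip())
        else:                                      # top-level line, may open a section
            current = line
            glob.append(line)
    return glob, sections

def audit_remote_access(config):
    """Return a list of findings; an empty list means every check from the thread passes."""
    glob, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret ") for l in glob):
        findings.append("no 'enable secret' configured")
    if "ip ssh version 2" not in glob:
        findings.append("SSH not pinned to version 2")
    aaa_login = any(l.startswith("aaa authentication login ") for l in glob)
    for header, lines in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [l for l in lines if l.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: transport input is not ssh-only")
        if not (aaa_login or "login local" in lines):
            findings.append(f"{header}: no local or AAA login")
        acl = next((l.split()[1] for l in lines if l.startswith("access-class ")), None)
        # Named standard ACL entries; an empty/undefined ACL on access-class permits everyone.
        permits = [e for e in sections.get(f"ip access-list standard {acl}", []) if e.startswith("permit")]
        if acl is None:
            findings.append(f"{header}: no access-class applied")
        elif all(e.split()[-1] == "any" for e in permits):
            findings.append(f"{header}: access-class {acl} permits any source (or ACL is empty)")
    return findings
```

Running it against the sample reports only the permit-any ACL, which is exactly the point made in the accepted answer; replacing the entry with a management subnet and a trailing deny any clears it.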

Joseph W. Doherty
Hall of Fame

Cisco generally publishes documentation for securing their devices.  You might search their main site and see what you can find.
