12-13-2018 01:17 AM - edited 03-08-2019 04:48 PM
Hi,
I have 15 switches on two separate subnets in my organisation that require a username and password and encryption to be set up. I need help with the correct configurations to lock down the switches from unauthorised access within the organisation and from external threats from hackers, scammers, and remote, AUX, and console access.
I need to set up each switch with the following configurations as well, but I am not sure how:
Static IP
Host name
Authentication Banner
I really appreciate your help.
Thank you
Paul
12-13-2018 01:46 AM
Hello,
you have to decide whether you want to use local authentication or TACACS/RADIUS. Local authentication is fairly simple, just configure a username and password and configure the CON/AUX/VTY with 'login local':
Switch#
username admin privilege 15 password 0 cisco
!
line con 0
login local
line aux 0
login local
line vty 0 4
login local
The authentication banner can be whatever you want. Below is an example ('+' is used as the delimiting character):
Switch#conf t
Switch(config)# banner motd +
******************************************************************************
* WARNING !!! *
* This system is for the use of authorized users only. *
* *
* Individuals using this network without authority, or in excess of their *
* authority, are subject to legal action. *
*
******************************************************************************
Switch(config)#+
12-13-2018 01:56 AM
As for the static IP address on each switch, it is usually good practice to have a dedicated VLAN other than the default VLAN 1 for management. Basically, you assign an IP address from the same subnet to the management interface of each switch, e.g.:
Switch#
!
interface Vlan 10
ip address 192.168.10.1 255.255.255.0
! subnet mask assumed (/24); IOS requires a mask on this line and the original post omitted it
Hostnames should somehow make sense and be recognizable within your company, e.g.:
Switch#conf t
Switch(config)#hostname S1_DATA_CORP
12-13-2018 02:16 AM
Hi Georg,
Thank you for the quick response. My IT manager has decided to just have a username and password when logging in to privileged mode on the switch and does not want to secure CON/AUX/VTY with 'login local', god forbid if we ever get hacked.
What would the configuration be to set up a username and password for enable mode?
thanks
12-13-2018 02:30 AM
Hello,
in that case, use aaa:
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login default local
5. aaa authorization exec default local
6. aaa authorization network default local
7. username name [privilege level] {password encryption-type password}
line vty 0 4
transport input all
login authentication default --> this line will probably not be visible in the running config...
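As an added example (not part of Georg's replies or Cisco documentation), the pieces discussed in this thread pulled together into one local-AAA lock-down. The hostname, VLAN 10 address, the /24 mask, the management ACL range, the domain name and the bracketed password placeholders are all assumed values to replace.

```cisco
! Added example, not from the thread. Hostname, VLAN/IP/mask, ACL range,
! domain name and password placeholders are assumptions.
hostname S1_DATA_CORP
!
! Hash stored credentials; 'secret' is one-way hashed, unlike 'password 0'
service password-encryption
enable secret 0 <ENABLE-PASSWORD-PLACEHOLDER>
username admin privilege 15 secret 0 <ADMIN-PASSWORD-PLACEHOLDER>
!
! Local AAA as in the reply above ('default' is required on the network line)
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
! Throttle password guessing: 120 s lockout after 5 failures within 60 s
login block-for 120 attempts 5 within 60
!
! Dedicated management VLAN carrying the static address (mask assumed /24)
interface Vlan10
 description Management
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Only hosts on the management subnet may open a VTY session (range assumed)
ip access-list standard MGMT-ACCESS
 permit 192.168.10.0 0.0.0.255
!
! Remote access over SSH only (a domain name is needed before key generation)
ip domain-name example.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class MGMT-ACCESS in
 exec-timeout 5 0
 transport input ssh
 login authentication default
!
banner motd +
 Authorized users only. Activity is monitored and logged.
+
```

Compared with the snippets above, this replaces 'transport input all' with SSH-only access and 'password 0' with hashed secrets, and disables the AUX line entirely, which is what the original question about remote, AUX and console exposure calls for.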