resetting ios & initial setup

draft

hard / soft reset

connect to its serial console and power up the switch

screen /dev/ttyS0 9600

proceed with a hard reset (while it is on)

hold the mode button for 3-7 seconds

or start from scratch (erasing both running and startup configs)

write erase
!erase startup-config
reload
System configuration has been modified. Save? [yes/no]: no

initial setup

skip the wizard

Would you like to enter the initial configuration dialog? [yes/no]: no

enter privileged EXEC mode, then global configuration mode (we stay there for the rest of the setup)

enable
!setup
configure terminal

define a hostname and bring interface vlan1 up

hostname SWITCH-NAME

interface vlan1
no shutdown
exit

disable the freaking http server

no ip http server

in case you really want to try it out, reach port 80 and enter the password (no username)

SNMP and weak password encryption do not seem to be enabled by default, so there is no need to forcibly disable those

!no snmp-server
!no service password-encryption

passwords

interestingly enough, enable does not ask for a password when requested from the serial console. remotely, on the contrary, you will get this

nofan>ena
% No password set

therefore

enable secret ?
enable secret PASSWORD

create a local user database (this allows an MD5 secret instead of a plain password)

username admin secret ?
username admin secret PASSWORD

define a password for serial console

line console 0
exec-timeout 0 0
logging synchronous
login local
exit

without a local database there is no MD5: only a plain line password

!line console 0
!exec-timeout 0 0
!password PASSWORD
!logging synchronous
!login
!exit

if needed, define a management ip (old L2 switches like the 2950 support only one Switch Virtual Interface at a time)

interface vlanXXX
ip address IP-ADDRESS NETMASK
ip route-cache
exit

and the auth method for remote access (vty lines)

line vty 0 4
exec-timeout 0 0
logging synchronous
login local
exit

line vty 5 15
exec-timeout 0 0
logging synchronous
login local
exit

without a local database there is no MD5: only a plain line password

!line vty 0 4
!exec-timeout 0 0
!password PASSWORD
!logging synchronous
!login
!exit

!line vty 5 15
!exec-timeout 0 0
!password PASSWORD
!logging synchronous
!login
!exit

ssh

do show memory

ip domain-name DOMAIN !be it domain.tld or whatever
crypto key generate rsa usage-keys
(Signature) How many bits in the modulus [512]: 1024
(Encryption) How many bits in the modulus [512]: 1024

do show memory
do show process

disable telnet

line vty 0 4
transport input ssh
exit

line vty 5 15
transport input ssh
exit

usage

ssh SWITCH-NAME -p 22 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc

vi ~/.ssh/config

Host SWITCH-NAME
        Port 22
        User admin
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc

ssh SWITCH-NAME -p 22 -l admin

ready to go

do show running-config
do write memory
do reload
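added example (not part of these notes, and not a Cisco tool): a small Python script that takes a captured "show running-config" and checks it for the items configured above: http server off, hashed enable secret and local user, "login local" rather than a line password on console and vty lines, and ssh-only transport on the vty lines. the config text is constructed for the example, with two items deliberately left unfixed so that the checks report something; the hash values are placeholders, not real hashes.

```python
"""Audit a captured IOS running-config for the hardening steps in these notes."""
import re

# Constructed sample config (not a real capture). Two items are deliberately
# left unfixed so the audit reports them: the console line still uses a plain
# password with plain "login", and vty 5 15 still allows telnet.
SAMPLE_CONFIG = """\
hostname SWITCH-NAME
!
enable secret 5 $1$abcd$CONSTRUCTED.PLACEHOLDER.HASH
!
username admin secret 5 $1$efgh$CONSTRUCTED.PLACEHOLDER.HASH
!
ip domain-name example.test
no ip http server
!
interface Vlan1
 no shutdown
!
line con 0
 exec-timeout 0 0
 password PLAINTEXT
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 login local
 transport input telnet ssh
!
end
"""


def parse_config(config):
    """Split a running-config into global commands and per-"line" sub-commands.

    Returns (global_cmds, line_sections) where line_sections maps a section
    header such as "line vty 0 4" to the list of its indented sub-commands.
    """
    global_cmds = []
    line_sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            line_sections[current] = []
        elif raw.startswith(" ") and current is not None:
            line_sections[current].append(raw.strip())
        else:
            # Any unindented command ends the current "line" section.
            current = None
            stripped = raw.strip()
            if stripped and stripped != "!":
                global_cmds.append(stripped)
    return global_cmds, line_sections


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_sections = parse_config(config)
    findings = []

    # Global checks: http server disabled, hashed enable secret, local user.
    if "no ip http server" not in global_cmds:
        findings.append("global: ip http server is not disabled")
    if not any(re.match(r"enable secret \d+ ", c) for c in global_cmds):
        findings.append("global: no hashed enable secret configured")
    if not any(re.match(r"username \S+ secret \d+ ", c) for c in global_cmds):
        findings.append("global: no local user with a hashed secret")

    # Per-line checks: no plain line password, login local, ssh-only on vty.
    for name, cmds in line_sections.items():
        if any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: line password set (not a hashed secret)")
        if "login local" not in cmds:
            findings.append(f"{name}: login local not set")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{name}: transport input is not ssh-only")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

feed it the text of "do show running-config" copied out of the screen session; a hardened switch produces no output.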

todo

CISCO 2950 and 3550 firmware https://arny.ru/hardware/cisco-2950-proshivka/

resources

passwords

no shutdown https://community.cisco.com/t5/other-network-architecture/quot-no-keepalive-quot-and-quot-no-shutdown-quot-command-on/td-p/501769

mgmt ip Assigning the Switch IP Address and Default Gateway from the Configuration Guide.

2960S - Password required, but none set https://community.cisco.com/t5/switching/2960s-password-required-but-none-set/td-p/2190151

IP route-cache https://community.cisco.com/t5/routing/ip-route-cache/td-p/880750 https://learningnetwork.cisco.com/thread/21603

Cisco 2950 Switch with crypto IOS image reporting 1MB less Total memory than Switch with non-crypto IOS https://community.cisco.com/t5/switching/cisco-2950-switch-with-crypto-ios-image-reporting-1mb-less-total/td-p/2493215

line vty 0 4 https://learningnetwork.cisco.com/thread/13484

Difference between vty lines 0 4 and 5 15 https://community.cisco.com/t5/other-network-architecture/difference-between-vty-lines-0-4-and-5-15/td-p/567906

Cisco IOS Password Encryption Facts https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html

Chapter: Passwords and Privileges Commands https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html

MD5 encrypted passwords with user accounts https://community.cisco.com/t5/network-management/md5-encrypted-passwords-with-user-accounts/td-p/991910

enable secret password - different hash each time for same password ? https://community.cisco.com/t5/switching/enable-secret-password-different-hash-each-time-for-same/td-p/2681851

line console password vs privilege mode enable secret https://community.cisco.com/t5/switching/line-console-password-vs-privilege-mode-enable-secret/td-p/2632214

Cisco IOS Enable Secret Type 5 Password Cracker https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html

ssh

how to enable SSH on the catalyst 2950 https://community.cisco.com/t5/other-network-architecture/how-to-enable-ssh-on-the-catalyst-2950/td-p/396935

OpenSSH Legacy Options https://www.openssh.com/legacy.html

How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0? https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0

How To: Enable SSH On A Cisco 2950 http://tuxlabs.com/?cat=81


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml