connect to its serial console and power up the switch
    screen /dev/ttyS0
    screen /dev/ttyS0 9600
either proceed with a hard reset (while it is powered on)
hold mode button 3-7 seconds
and skip the wizard
Would you like to enter the initial configuration dialog? [yes/no]: n
–or– start from scratch (erasing both running and startup configs)
    enable
    write erase
    !erase startup-config
    reload
    System configuration has been modified. Save? [yes/no]: n
and skip the wizard
Would you like to enter the initial configuration dialog? [yes/no]:
now is a good time for firmware upgrade
enter privileged EXEC mode and let’s stay in global configuration mode
    enable
    !setup
    configure terminal
define a hostname and bring the interfaces up on Vlan1 and disable the freaking http server
    hostname SWITCH-NAME
    interface vlan1
    no shutdown
    ip address 10.7.7.203 255.255.255.0
    ip route-cache
    no ip http server
    exit
    !no ip address
    !shutdown
in case you really wanna try it out, reach port 80 and enter password w/o username
the management ip can also be set on an alternate VLAN – but only one Switch Virtual Interface at a time – at least for those old layer 2 switches like the 2950
passwords are optional for serial console access
but you have to define some for both remote telnet access and enable
    Password required, but none set
    % No password set
create a local database (allows MD5)
    configure terminal
    username admin secret ?
    username admin secret PASSWORD
therefore
    configure terminal
    enable secret ?
    enable secret PASSWORD
define a password for serial console
    line console 0
    exec-timeout 0 0
    logging synchronous
    login local
    exit
no MD5 w/o local database
    !line console 0
    !exec-timeout 0 0
    !password PASSWORD
    !logging synchronous
    !login
    !exit
and auth method for remote access
    line vty 0 4
    exec-timeout 0 0
    logging synchronous
    login local
    exit
    line vty 5 15
    exec-timeout 0 0
    logging synchronous
    login local
    exit
no MD5 w/o local database
    !line vty 0 4
    !exec-timeout 0 0
    !password PASSWORD
    !logging synchronous
    !login
    !exit
    !line vty 5 15
    !exec-timeout 0 0
    !password PASSWORD
    !logging synchronous
    !login
    !exit
provide at least 1024 bits for the RSA modulus, unless you want to deal with ssh’s Invalid key length
    !do show memory
    !do show process
    ip domain-name localdomain
    !be it domain.tld or whatever
    crypto key generate rsa usage-keys
    (Signature) How many bits in the modulus [512]: 1024
    (Encryption) How many bits in the modulus [512]: 1024
    !do show memory
    !do show process
disable telnet / switch to SSH
    line vty 0 4
    transport input ssh
    exit
    line vty 5 15
    transport input ssh
    exit
usage
    ssh 10.7.7.203 -p 22 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc
    ssh 10.7.7.204 -p 22 -l admin -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc

    vi ~/.ssh/config

    Host loud1
        Hostname 10.7.7.203
        User admin
        Port 22
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc

    Host loud2
        Hostname 10.7.7.204
        User admin
        Port 22
        KexAlgorithms +diffie-hellman-group1-sha1
        Ciphers +3des-cbc

    show running-config
    write memory
    reload
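to check the result against the steps above, a small Python audit of saved `show running-config` output (an added example, not part of the original notes). The sample config is constructed, `audit` and `line_blocks` are hypothetical helper names, and the http check assumes the image writes `no ip http server` explicitly.

```python
import re

# Constructed sample of `show running-config` output, not from a real switch.
SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$notarealhash
username admin secret 5 $1$CONSTRUCTED$notarealhash
ip http server
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password PASSWORD
 login
"""

def line_blocks(config):
    """Map each 'line ...' header to the sub-commands indented under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return blocks

def audit(config):
    """Return findings for the hardening steps in these notes (hypothetical helper)."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    findings = []
    # Fail closed: assumes the image writes the disabled state explicitly.
    if "no ip http server" not in top:
        findings.append("http server not disabled")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret")
    if not any(re.match(r"username \S+ secret ", l) for l in top):
        findings.append("no local user with secret")
    for header, cmds in line_blocks(config).items():
        if "login local" not in cmds:
            findings.append(f"{header}: not using local database")
        if header.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{header}: telnet still allowed")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{header}: idle timeout disabled")
    return findings
```

`exec-timeout 0 0` is reported because it turns off the idle timeout, so an unattended console or vty session stays logged in.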
mgmt ip Assigning the Switch IP Address and Default Gateway from the Configuration Guide.
2960S - Password required, but none set https://community.cisco.com/t5/switching/2960s-password-required-but-none-set/td-p/2190151
IP route-cache https://community.cisco.com/t5/routing/ip-route-cache/td-p/880750 https://learningnetwork.cisco.com/thread/21603
Cisco 2950 Switch with crypto IOS image reporting 1MB less Total memory than Switch with non-crypto IOS https://community.cisco.com/t5/switching/cisco-2950-switch-with-crypto-ios-image-reporting-1mb-less-total/td-p/2493215
line vty 0 4 https://learningnetwork.cisco.com/thread/13484
Difference between vty lines 0 4 and 5 15 https://community.cisco.com/t5/other-network-architecture/difference-between-vty-lines-0-4-and-5-15/td-p/567906
Cisco IOS Password Encryption Facts https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/107614-64.html
Chapter: Passwords and Privileges Commands https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html
MD5 encrypted passwords with user accounts https://community.cisco.com/t5/network-management/md5-encrypted-passwords-with-user-accounts/td-p/991910
enable secret password - different hash each time for same password ? https://community.cisco.com/t5/switching/enable-secret-password-different-hash-each-time-for-same/td-p/2681851
line console password vs privilege mode enable secret https://community.cisco.com/t5/switching/line-console-password-vs-privilege-mode-enable-secret/td-p/2632214
Cisco IOS Enable Secret Type 5 Password Cracker https://www.ifm.net.nz/cookbooks/cisco-ios-enable-secret-password-cracker.html
how to enable SSH on the catalyst 2950 https://community.cisco.com/t5/other-network-architecture/how-to-enable-ssh-on-the-catalyst-2950/td-p/396935
OpenSSH Legacy Options https://www.openssh.com/legacy.html
How to enable diffie-hellman-group1-sha1 key exchange on Debian 8.0? https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0
How To: Enable SSH On A Cisco 2950 http://tuxlabs.com/?cat=81