Four modes for managing routing and switching devices-SSH

Source: Internet
Author: User
Tags ssh server

 

As a network administrator, configuring commands on routers and switches is the most common task: you execute commands and adjust parameters so that the devices run as the network requires. It is an operation almost every network administrator performs daily. Which methods can be used to manage network devices, and which is simpler or more efficient? That depends mainly on how the administrator actually works. The following summarizes the management modes for network routing and switching devices.


 

Figure 1 network topology managed using SSH

1. Use SSH (Secure Shell) for management.

1. SSH configuration for Cisco network devices

Figure 1 shows the topology for managing network devices using SSH. The Cisco 4506 and Cisco 3750 are connected by a trunk link, and a remote PC manages the Cisco 4506 through SSH. Port G3/1 of the Cisco 4506 is connected to port G1/0/25 of the Cisco 3750; both ports are optical ports. The PC's IP address is 10.10.20.3/24, and it is connected to port G1/0/1 of the Cisco 3750. The main configurations on the Cisco 4506 and Cisco 3750 are as follows.

Configuration on Cisco 4506:

interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,30-300
 switchport mode trunk
interface Vlan20
 ip address 10.10.20.1 255.255.255.0

Configuration on Cisco 3750:

interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 20,30-300
 switchport mode trunk
interface Vlan20
 ip address 10.10.20.2 255.255.255.0

From the preceding configuration, the management VLAN IP addresses of the Cisco 4506 and Cisco 3750 are 10.10.20.1/24 and 10.10.20.2/24 respectively, and port G1/0/1 of the Cisco 3750, which connects to the PC, is an access port in VLAN 20. In other words, the layer-3 Vlan20 interfaces of both switches and the layer-2 port G1/0/1 of the Cisco 3750 are all in VLAN 20, so the PC shares a subnet with both management addresses.

To manage the Cisco 4506 switch over SSH from the PC, you also need to configure the following on the 4506:

Switch(config)# hostname Cisco4506
Cisco4506(config)# ip domain-name domainname.com
// Set a domain name for the switch; the switch is treated as belonging to this domain, and the RSA key is named after the hostname and domain name.
Cisco4506(config)# crypto key generate rsa
// Generates an RSA key pair and enables SSH. If the RSA key is deleted, the SSH service is automatically disabled.
Cisco4506(config)# aaa new-model
// Enable authentication, authorization, and accounting (AAA)
Cisco4506(config)# username cisco password cisco
// Configure the local user name and password
Cisco4506(config)# ip ssh time-out 60
// Configure the SSH authentication timeout, in seconds
Cisco4506(config)# ip ssh authentication-retries 2
// Configure the number of SSH authentication attempts allowed
Cisco4506(config)# line vty 0 15
Cisco4506(config-line)# transport input ssh
// Allow only SSH on the virtual terminal lines
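As an added example (not from the original page), the following Python audit walks a running-config fragment built from the commands above and reports the points that matter for SSH management: the prerequisites that must exist before key generation and AAA login, whether local credentials use the recoverable `password` keyword rather than `secret`, and whether every vty line is restricted to SSH. The sample configuration is constructed from this page's commands; the `secret` keyword is IOS syntax the page itself does not show.

```python
import re

# Constructed sample: the SSH-related lines from the Cisco 4506 configuration
# on this page, laid out as "show running-config" prints them.
SAMPLE_CONFIG = """\
hostname Cisco4506
ip domain-name domainname.com
aaa new-model
username cisco password cisco
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 15
 transport input ssh
"""

# Settings that must exist before 'crypto key generate rsa' and AAA login work.
PREREQUISITES = ("hostname ", "ip domain-name ", "aaa new-model")

def parse_vty_transports(config):
    """Map each 'line vty' range to its 'transport input' list. Indented lines
    belong to the stanza above them; no 'transport input' line gives []."""
    transports, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line vty "):].strip()
            transports[current] = []
        elif raw.startswith(" ") and current is not None:
            m = re.match(r"\s*transport input\s+(.+)", raw, re.IGNORECASE)
            if m:
                transports[current] = m.group(1).lower().split()
        else:
            current = None
    return transports

def audit_ssh_config(config):
    """Return human-readable findings; an empty list means the fragment is clean."""
    lines = config.splitlines()
    findings = [f"missing '{p.strip()}'" for p in PREREQUISITES
                if not any(l.startswith(p) for l in lines)]
    # 'username X password Y' keeps the password recoverable (type 0 or 7);
    # 'username X secret Y' stores a hash instead.
    if any(re.match(r"username \S+ password ", l) for l in lines):
        findings.append("local user uses 'password'; use 'secret' instead")
    for rng, inputs in parse_vty_transports(config).items():
        if inputs != ["ssh"]:
            findings.append(f"line vty {rng}: transport input "
                            f"{' '.join(inputs) or 'default'} is not SSH-only")
    return findings
```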

Before running the preceding configuration commands, check whether your switch or router supports SSH at all. Generally, you can run the show ip ssh command in privileged EXEC (enable) mode on the switch or router. For example, run the following on the Cisco 4506 in Figure 1:

Cisco4506# sh ip ssh
SSH Disabled - version 1.99
% Please create RSA keys to enable SSH.
Authentication timeout: 120 secs; Authentication retries: 3

The above output shows that the Cisco 4506 supports SSH, but it has not been enabled yet because no RSA key has been created.

After executing the preceding command on Cisco 3750, the following information is displayed:

Cisco3750# sh ip ssh
              ^
% Invalid input detected at '^' marker.

The above output shows that the Cisco 3750 in Figure 1 does not support the SSH function.
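As an added example (not part of the original page), this Python snippet interprets show ip ssh output the way the two checks above are done by eye: it recognises the parser error of a platform without SSH support, reports whether SSH is enabled and which protocol versions the device will still negotiate, and compares the timeout and retry values with the ones configured earlier on this page (60 seconds, 2 retries). The sample outputs are constructed; the "SSH Enabled" form is the one IOS prints once a key exists.

```python
import re

# Constructed samples: the first two reproduce the 'show ip ssh' outputs shown
# on this page; the third is the form an enabled device prints.
OUTPUT_4506 = """\
SSH Disabled - version 1.99
% Please create RSA keys to enable SSH.
Authentication timeout: 120 secs; Authentication retries: 3
"""
OUTPUT_3750 = """\
              ^
% Invalid input detected at '^' marker.
"""
OUTPUT_ENABLED = """\
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
"""

# Values this page sets with 'ip ssh time-out 60' and 'ip ssh authentication-retries 2'.
INTENDED = {"timeout": 60, "retries": 2}

def parse_show_ip_ssh(output):
    """Turn 'show ip ssh' text into a dict. A platform without SSH support
    rejects the command with the '% Invalid input' parser error."""
    if "Invalid input detected" in output:
        return {"supported": False, "enabled": False}
    state = re.search(r"SSH (Enabled|Disabled)\s*-\s*version\s+(\S+)", output)
    params = re.search(r"timeout:\s*(\d+)\s*secs;.*?retries:\s*(\d+)", output)
    if not (state and params):
        raise ValueError("unrecognised 'show ip ssh' output")
    return {"supported": True, "enabled": state.group(1) == "Enabled",
            "version": state.group(2),
            "timeout": int(params.group(1)), "retries": int(params.group(2))}

def assess(output, intended=INTENDED):
    """List the reasons the device is not yet ready for SSH-only management."""
    info = parse_show_ip_ssh(output)
    if not info["supported"]:
        return ["image does not support SSH"]
    issues = []
    if not info["enabled"]:
        issues.append("SSH disabled: generate an RSA key first")
    # 'version 1.99' means the server still negotiates SSH1 alongside SSH2
    if info["version"] == "1.99":
        issues.append("SSH1 still negotiable (version 1.99)")
    for key, want in intended.items():
        if info[key] != want:
            issues.append(f"{key} is {info[key]}, intended {want}")
    return issues
```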

 

Figure 2 virtual terminal parameter configuration

After completing the above configuration, test it from the PC. First install an SSH client such as SecureCRT on the PC and set up the connection in SecureCRT as shown in Figure 2. Then click Connect and enter the user name cisco and password cisco when prompted to reach the command-line interface of the Cisco 4506 switch.

2. SSH configuration for H3C network devices

SSH configuration on H3C network devices is the same in principle as on Cisco devices, but the commands differ. The following uses the H3C S3100-52TP-SI switch as an example to describe how to configure SSH on an H3C switch.

<H3C-S3100> system-view
[H3C-S3100] public-key local create rsa
// Generate an RSA key pair
[H3C-S3100] public-key local create dsa
// Generate a DSA key pair
[H3C-S3100] ssh server enable
// Start the SSH server
[H3C-S3100] user-interface vty 0 4
[H3C-S3100-ui-vty0-4] authentication-mode scheme
// Set the authentication mode for SSH logins on these user interfaces to AAA (scheme) authentication
[H3C-S3100-ui-vty0-4] protocol inbound ssh
// Allow only SSH as the inbound protocol for remote login on these user interfaces
[H3C-S3100-ui-vty0-4] quit
[H3C-S3100] local-user admin
[H3C-S3100-luser-admin] password simple 12345
[H3C-S3100-luser-admin] service-type ssh level 3
// Create the local user admin, set the login password to 12345, and set the command level to 3 (management level)
[H3C-S3100-luser-admin] quit
[H3C-S3100] ssh user admin authentication-type password
// Use password authentication for the SSH user admin

After completing the above configuration, you can again use SecureCRT to log on to the H3C S3100-52TP-SI switch over SSH; enter the user name and password, and you can manage and configure the switch.

3. SSH is a security protocol that operates at the application and transport layers. It was developed to address the security risks of Telnet: Telnet transmits passwords and data over the network in plain text, so a man-in-the-middle can easily intercept them. SSH, by contrast, is based on mature public-key cryptography and encrypts all transmitted data, preventing malicious damage, leakage, and tampering while the data is in transit. SSH also supports multiple encryption and authentication methods, addressing both data encryption and identity authentication during transmission and thereby countering network sniffing and IP address spoofing attacks. It provides a secure protocol for remote login sessions and other network services, preventing information leakage during remote management. A further advantage is that transmitted data can be compressed, which can speed up transmission. SSH can also provide a secure "channel" for FTP and PPP traffic.

The SSH protocol exists in two versions, SSH1 and SSH2. They are implemented with different protocols and are incompatible with each other. SSH2 has a great advantage over SSH1 in security, functionality, and performance, so SSH2 is currently the most widely used.
