How to configure Telnet for a vswitch

Source: Internet
Author: User
Tags: modulus, ssh server, asymmetric encryption, cisco switch

We know that switches are the core of our network, and some administrators need to manage these devices remotely. Here we introduce how to configure Telnet on a switch; I hope this helps. Telnet is the original remote-access method supported on earlier Cisco switches. Telnet is a common protocol for terminal access because most current operating systems ship with a built-in Telnet client. However, Telnet is not a secure method for accessing network devices, because it sends all communication across the network in plain text. An attacker with network-monitoring software can read every keystroke sent between the Telnet client and the Telnet service on the Cisco switch. Because of these security issues in the Telnet protocol, SSH has become the preferred protocol for remote access to the virtual terminal (vty) lines of Cisco devices.

SSH provides the same type of access as Telnet but adds security: the communication between the SSH client and the SSH server is encrypted. SSH has gone through multiple versions; Cisco devices currently support SSHv1 and SSHv2. We recommend implementing SSHv2 wherever possible, because it uses stronger encryption algorithms than SSHv1.

1. Configure Telnet

Telnet is the default protocol supported on the vty lines of a Cisco switch. Once a management IP address is assigned to the switch, you can connect to it with a Telnet client. Initially the vty lines are not secured, and any user who reaches a vty line can access the switch.

The previous section described how to protect access to the switch over the vty lines with password authentication, which slightly improves the security of the Telnet service.

Because Telnet is the default transport on the vty lines of a switch, you do not need to specify Telnet explicitly after the initial configuration. However, if you have changed the transport protocol of the vty lines to allow only SSH, you must manually re-enable the Telnet protocol to allow Telnet access.

To enable the Telnet protocol on a Cisco 2960 switch, run either of the following commands in line configuration mode: (config-line)# transport input telnet or (config-line)# transport input all. If all transport protocols are allowed, the switch accepts not only Telnet access but also SSH access.

2. Configure SSH

SSH is an encryption feature subject to export restrictions. To use it, the cryptographic IOS image must be installed on the switch.

The SSH feature consists of an SSH server and an integrated SSH client, both of which are applications that run on the switch. You can connect to a switch running the SSH server from any SSH client running on a PC, or from the Cisco SSH client running on another switch.

As a server, the switch supports SSHv1 or SSHv2. As a client, the switch supports only SSHv1.

SSH supports the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, and password-based user authentication. DES provides 56-bit encryption, while 3DES provides 168-bit encryption. Encryption takes time, and DES encrypts text faster than 3DES. Generally, the encryption standard is specified by the customer, so if you must configure SSH, ask the customer which standard is used (a discussion of the data encryption methods themselves is beyond the scope of this course).

To implement SSH, you need to generate an RSA key. RSA involves a public key and a private key. The public key is kept on the public RSA server, while the private key is held only by the sender and receiver. The public key can be disclosed to all users and is used to encrypt messages; a message encrypted with the public key can be decrypted only with the private key. This is called asymmetric encryption. Asymmetric encryption is discussed in more detail in the "Accessing the WAN, CCNA Exploration Companion Guide" course.

To configure the switch as an SSH server, perform the following steps starting from privileged EXEC mode.

Step 1 Use the configure terminal command to enter global configuration mode.

Step 2 Use the hostname command to configure the host name of the switch.

Step 3 Use the ip domain-name domain_name command to configure the host domain of the switch.

Step 4 Enable the SSH server on the switch for local and remote authentication by generating an RSA key pair with the crypto key generate rsa command.

When the RSA key is generated, the system prompts you for the modulus length. Cisco recommends a 1024-bit modulus. The longer the modulus, the more secure it is, but the longer it takes to generate and use. This step completes the basic configuration of the SSH server; the remaining steps describe several options for tuning the SSH configuration.

Step 5 Use the end command to return to privileged EXEC mode.

Step 6 Use the show ip ssh or show ssh command to display the status of the SSH server on the switch.

Step 7 Use the configure terminal command to enter global configuration mode.

Step 8 (Optional) Use the ip ssh version [1 | 2] command to configure the switch to run SSHv1 or SSHv2.

If you do not enter this command, or do not specify the keyword 1 or 2, the SSH server selects the highest SSH version supported by the SSH client. For example, if the SSH client supports both SSHv1 and SSHv2, SSHv2 is selected.

Step 9 Configure the SSH control parameters:

Specify the timeout value in seconds. The default is 120 seconds, and the valid range is 0 to 120 seconds. Establishing an SSH connection requires several phases, such as the connection, protocol negotiation and parameter negotiation; the timeout value limits the time the switch allows for establishing the connection.

By default, up to five encrypted SSH connections (sessions 0 to 4) can coexist for multiple CLI-based network sessions. After the shell is started, the CLI-based session timeout reverts to the default of 10 minutes.

Specify the number of times a client can re-authenticate to the server. The default is 3, and the valid range is 0 to 5. For example, you can allow an SSH session to exceed 10 minutes three times before it is terminated.

Repeat this step for each of the two parameters you configure. To configure them, use the ip ssh {time-out seconds | authentication-retries number} command.

Step 10 Use the end command to return to privileged EXEC mode.

Step 11 Use the show ip ssh or show ssh command to display the SSH server connection status on the switch.

Step 12 (Optional) Use the copy running-config startup-config command to save your configuration to the startup configuration file.

To delete an RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

To prevent non-SSH connections, add the transport input ssh command in line configuration mode so that the switch allows only SSH connections. Once the switch is configured this way, Telnet connections are rejected.
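The following console session is an added example, not part of the original article, that ties together the Telnet section above and Steps 1 to 12 of the SSH procedure: it first shows the weak vty configuration that leaves Telnet enabled, then hardens the same switch as an SSHv2 server that accepts SSH only. The host name S1, the domain example.com, the user account, the password value and the timeout and retry values are placeholders; the username and login local commands, which the article does not mention, are standard IOS commands used here to give SSH a local account to authenticate against. The example goes beyond the text by choosing a 2048-bit modulus rather than the 1024-bit value the article recommends.

```cisco
! Added example (not from the original article). Placeholders: S1, example.com,
! the admin account and its password, and the timeout/retry values.

! --- Weak configuration: Telnet (plain text) allowed on the vty lines ---
Switch> enable
Switch# configure terminal
Switch(config)# line vty 0 4
Switch(config-line)# password Placeholder-Line-Password
Switch(config-line)# login
Switch(config-line)# transport input telnet
Switch(config-line)# end
! At this point anyone sniffing the management segment sees every keystroke.

! --- Hardened configuration: SSHv2 server, SSH-only vty lines (Steps 1-12) ---
Switch# configure terminal
Switch(config)# hostname S1                          ! Step 2
S1(config)# ip domain-name example.com               ! Step 3
! Step 4: generate the RSA key pair. 2048 bits exceeds the 1024-bit
! recommendation in the text; generation takes longer on a 2960.
S1(config)# crypto key generate rsa modulus 2048
S1(config)# ip ssh version 2                         ! Step 8: refuse SSHv1
! Step 9: connection-setup timeout and authentication retries
! (IOS spells the keyword time-out).
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Local account for SSH logins (assumed; not described in the article).
S1(config)# username admin privilege 15 secret Placeholder-Admin-Password
S1(config)# line vty 0 4
S1(config-line)# transport input ssh                 ! Telnet is now rejected
S1(config-line)# login local
S1(config-line)# end
S1# show ip ssh                                      ! Step 11: verify
S1# copy running-config startup-config               ! Step 12: persist
```

Run show ip ssh after the change and confirm it reports SSH enabled with version 2.0 and the timeout and retry values you set; a Telnet client connecting to the management address should now be refused, which is the quick way to verify that transport input ssh took effect on all five vty lines.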
