How to enable SSH CLI on Cisco 2960 Switch

Unanswered Question
Nov 13th, 2012

Dear all,

i would like to know how to set the following on cisco ws-c2960-24 ttl:

1. SSH CLI

2.PORT SECURITY REMOVAL: Limits MAC@per port with no shutdown

3.Set port to protect

4.Set RSTP

5. Finally how do i set up TFTP Server from windows server 2008

Thanks

Jude.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4 (2 ratings)
Thanveer Mohd Tue, 11/13/2012 - 11:15

Dear Friend Jude,

I have this for you

1) for ssh enabling

line vty 0 4

transport input ssh

login local

For Port security removal

conf t

no switchport port-security

for securing over mac

conf t

Switch(config)# interface gig 0/1

Switch(config-if)# switchport port-security mac-address ?

  H.H.H   48 bit mac address

  sticky  Configure dynamic secure addresses as sticky

Set port to protect

conf t

Switch(config)# interface gigabitethernet0/1

Switch(config-if)# switchport protected

Set RSTP

MSTP—This spanning-tree mode is based on the IEEE 802.1s standard. You can map multiple VLANs to the same spanning-tree instance, which reduces the number of spanning-tree instances required to support a large number of VLANs. The MSTP runs on top of the RSTP (based on IEEE 802.1w), which provides for rapid convergence of the spanning tree by eliminating the forward delay and by quickly transitioning root ports and designated ports to the forwarding state. In a switch stack, the cross-stack rapid transition (CSRT) feature performs the same function as RSTP. You cannot run MSTP without RSTP or CSRT

Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

interface interface-id

Specify the interface to be configured, and enter interface configuration mode.

Step 3

switchport mode {access | trunk}

Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port.

Step 4

switchport voice vlan vlan-id

Enable voice VLAN on a port.

vlan-id—Specify the VLAN to be used for voice traffic.

Step 5

switchport port-security

Enable port security on the interface.

Step 6

switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]

(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

(Optional) vlan—set a per-VLAN maximum value

Enter one of these options after you enter the vlan keyword:

vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 7

switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. A syslog message is logged, and the violation counter increments.

shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.

Step 8

switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]

(Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.

(Optional) vlan—set a per-VLAN maximum value.

Enter one of these options after you enter the vlan keyword:

vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 9

switchport port-security mac-address sticky

(Optional) Enable sticky learning on the interface.

Step 10

switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]

(Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.

Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.

(Optional) vlan—set a per-VLAN maximum value.

Enter one of these options after you enter the vlan keyword:

vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN.

Step 11

end

Return to privileged EXEC mode.

Step 12

show port-security

Verify your entries.

Step 13

copy running-config startup-config

(Optional) Save your entries in the configuration file.

TFTP

Needs to install tftp in the server and you must be able to ping the router/switch from the tftp server and able to telnet the ports of tftp server and vice versa.

You may also follow the link  as guided by Rick

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a008020260d.shtml

Please rate all the help full posts, it may help others to find the answers quickly

Regards
Thanveer
"Everybody is genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is a stupid."

cpapageorg Fri, 11/23/2012 - 02:27

Hi ,

I will add also for ssh you must:

- generate a ssh key  (crypto key generate rsa)

- create a domain name (ip domain-name test.com)

and as Muhammad says:

line vty 0 4

transport input ssh

login local

okoroji80 Thu, 12/06/2012 - 05:58

Dear Christo,

i would like you to highlight on the generation of the Key more.

as i also have to do the following on the switch :

how to i accomplish this

1. Deploy IOS Code containing Crypto ( K9 Image) features and reload the device with the new IOS

2. Generate RSA KEY on the network device + domain name.

3.set limit per MAC@to 4

4.set port to be protected instead of shutdown when limit exceeded

5.enable err disable recovery for link-flap events

6. set up required limits for port security settings preserving current NOD exception

Actions

Login or Register to take actions

This Discussion

Posted November 13, 2012 at 9:46 AM
Stats:
Replies:5 Avg. Rating:4
Views:52763 Votes:0
Shares:15
Tags: No tags.

Discussions Leaderboard