I'm on my first network eng job after achieving my CCNA :) I'm the only guy here with no test equipment so I'm being cautious with everything I'm doing.
Basically, I want to change a switch's (3750X) hostname to be in line with the naming convention of the other switches in our buildings. I'm aware I have to enter the "crypto key generate rsa" after changing the hostname. Is there anything else to do after that?
There's a "crypto pki certificate chain" in the config too, would that be affected by a name change? The switch is live and in production.
crypto key generate rsa is to enable the crypto engine that will allow you to run SSH, for example for accessing the switch via SSH.
There are a number of things that you can do on a switch other than the hostname and the crypto.
You can for example configure Vlans, configure a management Vlan to access the switch via an IP address. You can configure SNMP on the switch to monitor it via an SNMP Community on monitoring tools. You can configure the switchports to be in different vlans/subnets. You can configure the switchports to restrict access to a limited number of mac addresses for security purposes. You can configure the vty to restrict access via SSH to the switch. You can configure port SPANs to monitor traffic from one port to another sniffing port.
There are really a huge number of things that you can do on a switch; you need to determine what your network setup will be to decide what is left to configure on your switch.
It's actually up and running and configured with VLANs etc. However, the hostname is xxPOE1 and all the other switches in the domain have a better name that identifies what function they do and where they are located.
I just want to change the hostname of this switch so it is in line with the others, but do not want to affect anything else that will rely on the old hostname or have to do a reload. Hope I've made sense?
Ok, I understood it now.
Normally if you change a hostname on the switch it does not have any impact on the configuration.
The only thing you might want to do is to update your DNS records to reflect the new Hostname in your Corporate DNS Server, in case you need to ping the device with the hostname from a test PC.
Or if you have a monitoring tool that is monitoring your switch, you might want to rediscover the device to reflect the new hostname in the monitoring tool.
Hope it helps
Just for completeness, if I changed the hostname and did not put "crypto key generate rsa", I'm assuming I would only lose SSH access? How about the pki certificate chain? Do I need to enter a command there also?
The "pki certificate chain" can be used for many purposes, one being for instance SSL encryption for the management site, and PKI (public key infrastructure) is used for allowing https access to the switch, if you want to access the switch web interface for example.
Changing the hostname does not have any effect on that command.
Hi Ruggero,
RSA keys are generated with the combination of domain name & host-name. So if you change your host-name, how will you still be able to access the device via ssh?
Yes they are generated with a combination of domain and hostname, however once you have generated them and you change the hostname you will still be able to SSH to the device, there is no need to generate a new pair. SSH does not make a match with your DNS record and what is inside the RSA key.
Thanks Ruggero,
A few times I see this error while trying to ssh into a device, what should we do in these cases?
[network@$$$$$ ~]$ ssh -l ***** 10.60.x.x
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/network/.ssh/known_hosts to get rid of this message.
Offending key in /home/network/.ssh/known_hosts:1438
RSA host key for 10.60.73.2 has changed and you have requested strict checking.
Host key verification failed.
This happens when you permanently save the host key in your client cache. By saving it, the SSH client software will do an integrity check to verify if the key is being maliciously changed by a potential attacker. So if you saved the key on the client side and on the remote machine to which you connect (10.60.x.x) you have refreshed or regenerated the keys, it will prompt you with a message that someone could be hacking the system.
So if it was not you or one of your colleagues doing the change in the host key on the remote end, I'd make sure keys get regenerated again and that you make sure your authentication on the remote end (Radius, local usernames or whatever you have) is not compromised.
If it was done by you, then just update the known_hosts information with the newly generated key so that each time you connect to the remote end, you will have a correct match.
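The decision described in the last reply, as an added example that is not part of the original thread: a changed host key replaces the known_hosts entry only when its fingerprint equals one verified out of band (for example read over the switch console after the keys were regenerated). The address, the key blobs and the function names are constructed for illustration.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a plain or hashed (|1|salt|hash) host field; no wildcard support."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def stored_keys(known_hosts_text, host):
    """Yield (line_number, key_type, key_b64) for entries naming this host."""
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip comments, short lines and @marker lines
        if host_matches(fields[0], host):
            yield n, fields[1], fields[2]

def decide(known_hosts_text, host, key_type, presented_b64, trusted_fp=None):
    """Return (action, stale_line_numbers) for a key the server presented."""
    entries = [e for e in stored_keys(known_hosts_text, host) if e[1] == key_type]
    if any(key == presented_b64 for _, _, key in entries):
        return "match", []
    stale = [n for n, _, _ in entries]
    # Accept a changed key only if it equals a fingerprint verified out of band.
    if trusted_fp and hmac.compare_digest(fingerprint(presented_b64), trusted_fp):
        return "replace", stale
    return "reject", stale

def make_blob(tag):
    """Constructed stand-in for a real ssh-rsa public key blob."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + tag).decode()

OLD_KEY, NEW_KEY = make_blob(b"constructed-old"), make_blob(b"constructed-new")
SAMPLE = "# constructed sample\n192.0.2.10 ssh-rsa " + OLD_KEY + "\n"

if __name__ == "__main__":
    print(decide(SAMPLE, "192.0.2.10", "ssh-rsa", OLD_KEY))
    print(decide(SAMPLE, "192.0.2.10", "ssh-rsa", NEW_KEY))
    print(decide(SAMPLE, "192.0.2.10", "ssh-rsa", NEW_KEY, fingerprint(NEW_KEY)))
```

On a "replace" result, `ssh-keygen -R <host>` removes the stale entry before the verified key is accepted on the next connection; a "reject" result is the case the reply says to investigate.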