Backup configuration file to TFTP
Cisco IOS software comes with a built-in TFTP client that allows you to connect to a TFTP server on your network.
To upload a configuration file from a switch to a TFTP server for storage, follow these steps:
Step 1. Verify that the TFTP server is running on your network.
Step 2. Log in to the switch through the console port or a Telnet session. Enter privileged EXEC mode with the enable command, then ping the TFTP server to confirm it is reachable.
Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS command is:
#copy system:running-config tftp:[[[//location]/directory]/filename] or
#copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Restoring the Configuration
Once the configuration is stored successfully on the TFTP server, it can be copied back to the switch using the following steps:
Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.
Step 2. Verify that the TFTP server is running on your network.
Step 3. Log in to the switch through the console port or a Telnet session. Enter privileged EXEC mode with the enable command, then ping the TFTP server to confirm it is reachable.
Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS command is:
#copy tftp:[[[//location]/directory]/filename] system:running-config or
#copy tftp:[[[//location]/directory]/filename] nvram:startup-config
Note: If the configuration file is downloaded into the running-config, the commands are executed as the file is parsed line by line. If the configuration file is downloaded into the startup-config, the switch must be reloaded for the changes to take effect.
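The backup and restore steps above as one console session. This is an added example and not part of the original notes: the hostname S1, the TFTP server address 192.0.2.10 and the filename S1-confg are assumed values, and the response lines are constructed to show the shape of the IOS copy dialog rather than copied from a real switch.

```cisco
! Added example, not from the original notes. Assumed: hostname S1,
! TFTP server 192.0.2.10, backup filename S1-confg.
! Bracketed values are the defaults IOS offers; press Return to accept them.

! Step 2: confirm the server is reachable before trying the copy.
S1# ping 192.0.2.10

! Step 3: back up the running configuration (full URL form of the command).
S1# copy system:running-config tftp://192.0.2.10/S1-confg
Address or name of remote host [192.0.2.10]?
Destination filename [S1-confg]?
!!
1234 bytes copied in 0.482 secs (2560 bytes/sec)          ! constructed output

! Restore: copy the stored file into the startup configuration, then reload.
S1# copy tftp://192.0.2.10/S1-confg nvram:startup-config
Address or name of remote host [192.0.2.10]?
Source filename [S1-confg]?
Destination filename [startup-config]?
Accessing tftp://192.0.2.10/S1-confg...                   ! constructed output
Loading S1-confg from 192.0.2.10 (via Vlan1): !
[OK - 1234 bytes]
1234 bytes copied in 0.514 secs (2401 bytes/sec)
S1# reload
```

Copying a file into system:running-config merges it with the configuration already running: each line is executed as it is parsed, so commands in the file overwrite matching commands, but anything the file does not mention stays in place. Copying into nvram:startup-config replaces the stored file outright, which is why the reload is needed. TFTP carries the file with no authentication or encryption, and the file contains the switch's credentials, so keep the TFTP server on a management network reachable only from the switches and the administrator hosts that need it, and move backups off the server to controlled storage once the copy is done.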
************************** Clearing Configuration Information***********************
S1# erase nvram:
S1# erase startup-config

Caution: You cannot restore the startup configuration file after it has been erased, so make sure that you have a backup of the configuration in case you need to restore it at a later point.
Deleting a Stored Configuration File
S1# delete flash:filename    Delete a file from Flash memory.
*********************** Enable Password Recovery*****************************
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of Flash memory using the dir flash: command.
The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file back to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.
Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
*************************** Telnet / SSH Configuration *****************************
If you need to re-enable the Telnet protocol on a Cisco 2960 switch, use the following command from line configuration mode:
(config-line)#transport input telnet or
(config-line)#transport input all

SSH CONFIGURATION
This procedure is required if you are configuring the switch as an SSH server. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostname hostname command.
Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.
When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends using a modulus size of 1024 bits. A longer modulus length might be more secure, but it takes longer to generate and to use.
Step 5. Return to privileged EXEC mode using the end command.
Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server.
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Step 3. Configure the SSH control parameters:
Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. For an SSH connection to be established, a number of phases must be completed, such as connection, protocol negotiation, and parameter negotiation. The time-out value applies to the amount of time the switch allows for a connection to be established.
By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. For example, a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated.
Repeat this step when configuring both parameters. To configure both parameters use the ip ssh {timeout seconds | authentication-retries number} command.
Step 4. Return to privileged EXEC mode using the end command.
Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
If you want to prevent non-SSH connections, add the transport input ssh command in line configuration mode to limit the switch to SSH connections only. Plain (non-SSH) Telnet connections are then refused.
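The SSH server procedure above, together with the transport input setting from the Telnet section, as one complete configuration. This is an added example, not the original notes' text or Cisco's own: the hostname S1, the domain example.com, the local user netadmin and the two placeholder passwords are assumed values. It departs from the notes in two places on purpose: it uses a 2048-bit modulus, which is what current Cisco guidance calls for (the 1024-bit recommendation above comes from older documentation), and it spells the idle timer keyword time-out, which is how the IOS CLI accepts it.

```cisco
! Added example, not from the original notes. Assumed: hostname S1,
! domain example.com, local user "netadmin"; replace the placeholders.
S1# configure terminal
S1(config)# hostname S1
S1(config)# ip domain-name example.com
! Generate the RSA key pair; passing the modulus here skips the prompt.
S1(config)# crypto key generate rsa modulus 2048
! Force SSHv2 rather than letting the client choose.
S1(config)# ip ssh version 2
! Connection-establishment timer (seconds) and re-authentication attempts.
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! A local account for the vty lines and a hashed enable password.
S1(config)# username netadmin privilege 15 secret <strong-password>
S1(config)# enable secret <strong-enable-password>
! A Catalyst 2960 has 16 vty lines; covering only 0-4 leaves 5-15 at their defaults.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 10 0
S1(config-line)# end
! Verify, then save.
S1# show ip ssh
S1# show ssh
S1# copy running-config startup-config
```

The show ip ssh output should report SSH enabled with version 2.0 and the timer and retry values configured above. After this, the transport input telnet / transport input all commands from the Telnet section are exactly what to look for when auditing a running-config: either one on a vty line reopens cleartext management access.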
*********************DHCP Snooping ***************************
Untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.
These steps illustrate how to configure DHCP snooping on a Cisco IOS switch:
Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.
Step 3. Define ports as trusted or untrusted at the interface level by marking the trusted ports with the ip dhcp snooping trust command.
Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
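The four DHCP snooping steps above as one configuration, followed by the commands that show the resulting state. This is an added example, not from the original notes: the hostname S1, VLANs 10 and 20, the uplink on GigabitEthernet0/1 and the 24 FastEthernet access ports are assumed values.

```cisco
! Added example, not from the original notes. Assumed: hostname S1,
! VLANs 10 and 20, uplink Gi0/1 toward the DHCP server, access ports Fa0/1-24.
S1# configure terminal
! Step 1 and 2: enable snooping globally and on the client VLANs.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
! Step 3: only the uplink toward the real DHCP server is trusted;
! every other port stays untrusted and has server replies dropped.
S1(config)# interface gigabitEthernet 0/1
S1(config-if)# description Uplink toward the DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 4: cap DHCP packets per second on untrusted access ports.
S1(config)# interface range fastEthernet 0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# exit
! A port that exceeds the rate limit is err-disabled; let it recover on its own.
S1(config)# errdisable recovery cause dhcp-rate-limit
S1(config)# end
! Verify: which VLANs are protected, which ports are trusted, and the binding table.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

The show ip dhcp snooping binding output is the table described above (MAC address, IP address, lease, type, VLAN and interface per client). Ports that are never trusted but carry a DHCP server, relay or another switch's uplink are the usual misconfiguration to check for, because snooping will drop the legitimate replies on them.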
*************************** Port Security *********************************
Configure Dynamic Port Security
S1(config)# interface fastEthernet 0/18    Specify the type and number of the physical interface to configure.
S1(config-if)# switchport mode access    Set the interface mode as access. An interface in the dynamic desirable default mode cannot be configured as a secure port.
S1(config-if)# switchport port-security    Enable port security on the interface.
S1(config-if)# end
Configure Sticky Port Security
S1(config)# interface fastEthernet 0/18    Specify the type and number of the physical interface to configure.
S1(config-if)# switchport mode access    Set the interface mode as access.
S1(config-if)# switchport port-security    Enable port security on the interface.
S1(config-if)# switchport port-security maximum 50    Set the maximum number of secure addresses to 50.
S1(config-if)# switchport port-security mac-address [sticky | H.H.H]    Enable sticky learning, or specify a static secure 48-bit MAC address (H.H.H).
S1(config-if)# switchport port-security violation [shutdown | restrict | protect]    Set the violation mode.
S1# show port-security [interface interface-id]    Verify port security settings and secure MAC addresses.

Security Violation Modes
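The sticky port security configuration above with an explicit violation mode and the commands to verify it. This is an added example, not from the original notes: the hostname S1, FastEthernet0/18, VLAN 10, the maximum of 2 addresses and the 300-second recovery interval are assumed values.

```cisco
! Added example, not from the original notes. Assumed: hostname S1,
! access port Fa0/18 in VLAN 10 with at most 2 devices behind it.
S1# configure terminal
S1(config)# interface fastEthernet 0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 10
S1(config-if)# switchport port-security
! Two addresses covers a PC behind a phone; anything more is a violation.
S1(config-if)# switchport port-security maximum 2
! Sticky: learned addresses are written into the running-config as static entries.
S1(config-if)# switchport port-security mac-address sticky
! restrict keeps the port up, drops offending frames, logs and counts them.
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! If shutdown mode is used elsewhere, let err-disabled ports recover automatically.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify the mode, the counts and the learned addresses.
S1# show port-security interface fastEthernet 0/18
S1# show port-security address
! Sticky addresses survive a reload only if the configuration is saved.
S1# copy running-config startup-config
```

The three violation modes behave as follows. shutdown (the default) puts the port into err-disabled, logs a syslog message, sends an SNMP trap and increments the violation counter; the port stays down until it is bounced with shutdown / no shutdown or errdisable recovery expires. restrict drops frames from unknown source addresses, logs, traps and counts them, but leaves the port up. protect drops the same frames silently, with no log, trap or counter, so it gives no signal that an unexpected device appeared; shutdown or restrict is the better choice where the events are meant to be seen.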

****************************spanning-tree protocol****************************************

****************************** PVST+ *************************************
S1(config)# spanning-tree vlan vlan-id root primary
S1(config)# spanning-tree vlan vlan-id root secondary
S1(config)# spanning-tree vlan vlan-id priority value    (value is a multiple of 4096)
S1# show spanning-tree active
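The PVST+ commands above applied to a small two-core design, with verification. This is an added example, not from the original notes: the switches S1 (root), S2 (backup root) and S3 (access), VLANs 10 and 20 and the FastEthernet access port range are assumed values. It goes one step beyond the notes by adding PortFast with BPDU guard on the access switch, which keeps a device plugged into an access port from taking part in the root election at all.

```cisco
! Added example, not from the original notes. Assumed: S1 is the primary root,
! S2 the secondary root, S3 an access switch; user VLANs 10 and 20.

! S1: root primary sets the priority to 24576 (or 4096 below the current root if lower).
S1(config)# spanning-tree vlan 10,20 root primary

! S2: root secondary sets the priority to 28672, so S2 wins if S1 fails.
S2(config)# spanning-tree vlan 10,20 root secondary

! Equivalent explicit form: priorities are multiples of 4096 and the lowest wins,
! so 4096 on S1 cannot be undercut except by a priority of 0.
S1(config)# spanning-tree vlan 10,20 priority 4096

! S3: access ports skip the listening/learning delay and are err-disabled
! if a BPDU ever arrives on them.
S3(config)# interface range fastEthernet 0/1 - 24
S3(config-if-range)# spanning-tree portfast
S3(config-if-range)# spanning-tree bpduguard enable
S3(config-if-range)# end

! Verify: per-VLAN root identity and the role/state of each active port.
S1# show spanning-tree active
S1# show spanning-tree vlan 10
S2# show spanning-tree root
```

In show spanning-tree vlan 10 on S1 the Root ID and Bridge ID sections should show the same MAC address with the line "This bridge is the root"; on S2 the Root ID should point at S1 and the Bridge ID should carry the 28672 priority (plus the VLAN number, since PVST+ adds the VLAN ID to the configured priority in the displayed value).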