%%category%% Archives %%page%%

Console Port DS

Step 1: Connect a Workstation (PC or notebook) to the console port of the switch (shown above for Access layer-2 and Distribution layer-3 devices). This is the Cisco Blue cable that comes with the switches (generally a RJ-45 connector on one end and Serial connector on the other, dependant on the switch it was shipped with).

This will enable you to gain console access via Telnet or SSH into your switch. This is how configuration is done at the command line level (if you got this far without ever doing this, it’s a miracle you passed).

Step 2 elete the vlan.dat file

When in privaleged mode, you can type the following commands and delete the vlan.dat file
ASW1#delete vlan.dat Delete filename [vlan.dat]? Delete flash:vlan.dat? [confirm] ASW1#

Step 3 elete the startup-config file

After erasing the vlan.dat file all vlan information is gone, now the startup config file needs to be erased as this holds VTP, interface, passwords and other information that you want to get rid of to start the switch from scratch.

ASW1#erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]? [OK] Erase of nvram: complete ASW1#

Step 4:Reload

After the above steps, it is now time to reload the switch

ASW1#reload System configuration has been modified. Save? [yes/no] no Proceed with reload?

Side Note

As a side note User-Defined VLAN setting is stored in a file on flash called vlan.dat (unix/linux based operating systems like Cisco IOS use case sensitive file naming unlike windows where a file called Aaa.dat and aaa.dat will be seen as identical.

If and when VLAN information is configured and created on a network, this vlan.dat file is used and information stored inside this file. To insert new kit or old kit into a networking (or lab) use the above steps to get rid of the file. If you have for some reason renamed the file using the below steps then you need to follow the below steps.

You can change the file-name where the vlan.dat is stored in the following way:

ASW1(config)#vtp file VLAN.dat

This command changes the vlan.dat file from vlan.dat (all lowercase) uppercase which is seen as different in IOS.

To then delete the file keep in mind that you have to keep the case sensitive spelling otherwise IOS will tell you the file doesn’t exist or delete the old file (vlan.dat) and not the new file where information is actually stored in. To delete the file:

ASW1#delete VLAN.dat

You can name the file anything you want and do pretty much anything you want on “your network”, just keep in mind that keeping things as standard and normal as possible means that if you leave your current job / position / contract the next person to work on that network is going to hate your guts if you went buck wild and creative setting up things in totally weird ways.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

CDP

Cisco Discovery Protocol (CDP) is a useful and great protocol when you are sitting on the other side of the office/country/planet and don’t know what you are working with on a network but CDP has some holes for attackers to leverage that can cause problems.

CDP uses clear-text and unauthenticated to send information about network topology between network devices. An attacker can use a packet sniffer to get information about network infrastructure that we don’t really want them to have.

CDP isn’t needed on ports that no network management is done (this isn’t the case for Cisco IP Phones). You can also go ballistic and disable CDP totally thats up to you. To disable CDP use the following commands

CDP per-port

switch(config)#configure terminal switch(configp)#interface gigabitethernet 0/1 switch(config-if)#no cdp enable

CDP Globally

switch(config)#configure terminal switch(config)#no cdp run

Be careful with this, CDP is used in conjunction with or as support for other Cisco protocols

Telnet

Telnet has a few problems:

All usernames, passwords, and data sent over a public network (read: Internet) is sent in clear text and is thus vulnerable.
A user with an account on the system can gain elevated privelages.
A remote attacker could crash the Telnet service, preventing legitimate service rendering.
A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.

iow Dont Telnet over the internet

SSH

SSH is a client and server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public communication network. SSH may be “more” secure many vendors implementations of SSH is vulnerable.

switch(config)#configure terminal switch(config)#line vty 0-15 switch(config-line)#transport input ssh

VTY Access Control Lists (ACL)

One can associate ACLs to permit or deny access to a vty port to a switch.

The Number of VTYs differ make sure you get it right and configure an ACL on ALL the VTY connections and don’t leave one open

switch(config)#configure terminal switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255 switch(config)#line vty 0 15 switch(config-line)#access-class 12 in

Notes and Notices:

Network Ninja

Archive for the 'Telnet' Category

Preparing a used switch for use

Switch Security Layer-2 Attacks – Four

Search

About

Latest

Archives

Categories