Requirement:
This article discusses how to configure secure CLI access to the switch.
Solution:
Aruba switches use Secure Shell version 2 (SSHv2) to provide remote CLI access from SSH-enabled management stations. SSH offers Telnet-like functionality, but unlike Telnet the session is encrypted and authenticated in both directions.
Configuration:
In the following example, switches Rack2sw1 and Rack2sw2 are configured for SSH CLI access, and Telnet access is disabled.
The configuration, verification, and testing associated with the diagram follow:
***** Generate Host Public Key *****
Rack2sw1(config)# crypto key generate ssh rsa bit 2048
Installing new key pair. If the key/entropy cache is
depleted, this could take up to a minute.
Rack2sw2(config)# crypto key generate ssh rsa bit 2048
Installing new key pair. If the key/entropy cache is
depleted, this could take up to a minute.
***** Verify Host Public Key *****
Rack2sw2# show crypto host-public-key fingerprint
2048 7e:45:bb:62:33:ea:3e:6b:d8:7e:c5:f5:9a:e8:a1:0b: host_ssh2.pub
Rack2sw1# show crypto host-public-key fingerprint
2048 d6:a6:e6:9b:98:60:f7:f1:f8:5e:e2:4c:26:aa:08:61: host_ssh2.pub
***** SSH Configuration *****
Rack2sw1(config)# ip ssh
Rack2sw2(config)# ip ssh
***** Verify SSH Configuration *****
Rack2sw2# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : No
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
Rack2sw1# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : No
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
***** Telnet Configuration *****
Rack2sw2(config)# no telnet-server
Rack2sw1(config)# no telnet-server
***** Password Configuration *****
Rack2sw1(config)# password manager plaintext procurve
Rack2sw1(config)# password operator plaintext procurve
Rack2sw2(config)# password manager plaintext procurve
Rack2sw2(config)# password operator plaintext procurve
***** Verification *****
Rack2sw1# ssh user manager 192.168.2.2
Attempting username/password authentication...
Enter manager@192.168.2.2's password: ********
HP J8698A Switch E5412zl
Software revision K.15.07.0008
Copyright (C) 1991-2012 Hewlett-Packard Development Company, L.P.
RESTRICTED RIGHTS LEGEND
Confidential computer software. Valid license from HP required for possession,
use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
Software, Computer Software Documentation, and Technical Data for Commercial
Items are licensed to the U.S. Government under vendor's standard commercial
license.
HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
20555 State Highway 249, Houston, TX 77070
Press any key to continue
Rack2sw2# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : No
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
Ciphers : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
MACs : hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
Ses Type | Source IP Port
--- -------- + ---------------------------------------------- -----
1 console |
2 ssh | 192.168.2.1 61339
3 inactive |
4 inactive |
5 inactive |
6 inactive |
Rack2sw1# telnet 192.168.2.2
Telnet failed: Can't send after socket shutdown.
Rack2sw2# ssh user manager 192.168.2.1
Attempting username/password authentication...
Enter manager@192.168.2.1's password: ********
HP J8698A Switch E5412zl
Software revision K.15.07.0008
Copyright (C) 1991-2012 Hewlett-Packard Development Company, L.P.
RESTRICTED RIGHTS LEGEND
Confidential computer software. Valid license from HP required for possession,
use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer
Software, Computer Software Documentation, and Technical Data for Commercial
Items are licensed to the U.S. Government under vendor's standard commercial
license.
HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
20555 State Highway 249, Houston, TX 77070
Press any key to continue
Rack2sw1# show ip ssh
SSH Enabled : Yes Secure Copy Enabled : No
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
Ciphers : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
MACs : hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
Ses Type | Source IP Port
--- -------- + ---------------------------------------------- -----
1 console |
2 ssh | 192.168.2.2 56692
3 inactive |
4 inactive |
5 inactive |
6 inactive |
Rack2sw2# telnet 192.168.2.1
Telnet failed: Can't send after socket shutdown.
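As an added verification step, not part of the original article, the following Python script parses the flattened "show ip ssh" output captured above and flags what a reviewer would want to know: SSH not enabled, a host key below RSA-2048, and the legacy CBC/3DES ciphers and MD5/truncated MACs that the switch still offers in this output. The sample text is a constructed copy of the Rack2sw2 output shown above; the weak-algorithm sets are the author's assumptions about what to flag.

```python
import re

# Constructed sample: "show ip ssh" output as captured on Rack2sw2 above (two fields per line).
SAMPLE = """\
SSH Enabled : Yes Secure Copy Enabled : No
TCP Port Number : 22 Timeout (sec) : 120
Host Key Type : RSA Host Key Size : 2048
Ciphers : aes256-ctr,aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-ctr,
aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc
MACs : hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
Ses Type | Source IP Port
--- -------- + ---------------------------------------------- -----
1 console |
2 ssh | 192.168.2.1 61339
"""

# Assumed review policy: flag 3DES and every CBC mode, plus MD5-based and truncated MACs.
WEAK_CIPHERS = {"3des-cbc", "rijndael-cbc@lysator.liu.se"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}


def parse_show_ip_ssh(text):
    """Return (fields, lists): "Key : Value" pairs and the comma-separated Ciphers/MACs lists."""
    fields, lists, current = {}, {}, None
    for line in text.splitlines():
        if " : " not in line:
            # A wrapped continuation of the Ciphers/MACs list contains only algorithm names.
            if current and re.fullmatch(r"[\w@.,-]+", line.strip()):
                lists[current] += line.strip()
            else:
                current = None
            continue
        current = None
        for key, value in re.findall(r"([A-Za-z][A-Za-z ()]*?) : (\S+)", line):
            key = key.strip()
            if key in ("Ciphers", "MACs"):
                lists[key], current = value, key
            else:
                fields[key] = value
    return fields, {k: [a for a in v.split(",") if a] for k, v in lists.items()}


def audit(text):
    """Return a list of findings for one switch's "show ip ssh" output; an empty list passes."""
    fields, lists = parse_show_ip_ssh(text)
    findings = []
    if fields.get("SSH Enabled") != "Yes":
        findings.append("SSH is not enabled")
    if fields.get("Host Key Type") == "RSA" and int(fields.get("Host Key Size", "0")) < 2048:
        findings.append("RSA host key shorter than 2048 bits")
    findings += [f"legacy cipher offered: {a}" for a in lists.get("Ciphers", [])
                 if a in WEAK_CIPHERS or a.endswith("-cbc")]
    findings += [f"legacy MAC offered: {a}" for a in lists.get("MACs", []) if a in WEAK_MACS]
    return findings
```

Run against the sample, the audit confirms SSH is enabled with a 2048-bit RSA key but reports five legacy ciphers and three legacy MACs, which is the part of this configuration the article's steps do not address.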