Securing Extreme Switch

Securing Extreme Switch (enabling SSH2)

The idea is to enable SSH2, restrict SSH2 with an access list, and disable Telnet and web access. The procedure is:

1. Upload and install the SSH module
2. Enable SSH2
3. Create the access list
4. Enable the idle timeout
5. Disable Telnet and web access
6. Save

The tools needed are:

1. Laptop, console cable, switch, Ethernet cable.
2. 3CDaemon as the TFTP server and SecureCRT for the console session.

The explanation for each step follows.

0. We need two VLANs: one to upload the module through and one to test the SSH2 access list against. We create vlan remote01 (port 1, 10.0.254.254/24) and vlan remote02 (port 2, 192.168.254.254/24); the second VLAN's address range is deliberately outside the range the access list will permit.

create vlan remote01
configure vlan remote01 ipaddress 10.0.254.254/24
configure vlan remote01 add port 1 untagged

create vlan remote02
configure vlan remote02 ipaddress 192.168.254.254/24
configure vlan remote02 add port 2 untagged

1. Upload and install the SSH module. Using the TFTP server, the switch downloads the SSH2 module ("download" from the switch's point of view). The module version must match the EXOS version running on the switch exactly (here summitX-15.1.1.6), and the TFTP server address must be reachable from the switch in the virtual router named on the command line (VR-Default). The module is installed into each image partition in turn, secondary and then primary, so that SSH2 is available whichever partition the switch boots from.

Figure 1. 3CDaemon. Don't forget to set the TFTP directory correctly (to the folder where the SSH2 module is).

download image 10.100.241.251 summitX-15.1.1.6-ssh.xmod vr "VR-Default" secondary

download image 10.100.241.251 summitX-15.1.1.6-ssh.xmod vr "VR-Default" primary

2. Now we enable SSH2 on each image (there are two images on an Extreme switch, primary and secondary, and the module has to be activated on both). Starting with the secondary image:

use image secondary
reboot
run update
start process exsshd
enable ssh2

Verify that SSH2 works right away (using SecureCRT/PuTTY from the laptop, while keeping the console session open), or use the show management command, which gives the following output:

CLI idle timeout : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions : 8
CLI paging : Enabled (this session only)
CLI space-completion : Disabled (this session only)
CLI configuration logging : Disabled
CLI scripting : Disabled (this session only)
CLI scripting error mode : Ignore-Error (this session only)
CLI persistent mode : Persistent (this session only)
CLI prompting : Disabled (this session only)
Telnet access : Enabled (tcp port 23 vr all) : Access Profile : not set
SSH access : Enabled (Key valid, tcp port 22 vr all) : Access Profile : not set
Web access : Disabled (tcp port 80) : Access Profile : not set
Total Read Only Communities : 1
Total Read Write Communities : 1
RMON : Disabled
SNMP access : Enabled : Access Profile : not set
SNMP Traps : Enabled
SNMP v1/v2c TrapReceivers : None

SNMP stats: InPkts 0 OutPkts 0 Errors 0 AuthErrors 0 Gets 0 GetNexts 0 Sets 0 Drops 0
SNMP traps: Sent 0 AuthTraps Enabled
SNMP inform: Sent 0 Retries 0 Failed 0
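Reading this output by eye is error-prone on a fleet of switches. As an added example (not code from the original page), the following Python script parses show management output in the layout shown above and reports what still deviates from the end state this procedure aims for (Telnet disabled, SSH enabled with a valid key and an access profile bound, web disabled, idle timeout enabled). The two sample listings are constructed: the first is taken from the lines above, the second is an assumed listing after steps 3 to 5 (the exact wording of a disabled Telnet line on a real switch may differ). Run on the listing above it flags Telnet still enabled and no SSH access profile bound, which steps 3 and 5 fix.

```python
import re

# Target management-plane state once the procedure on this page is finished.
EXPECTED_STATE = {
    "Telnet access": "Disabled",
    "SSH access": "Enabled",
    "Web access": "Disabled",
    "CLI idle timeout": "Enabled",
}

# One 'show management' line: "<setting> : <state ...>", optionally ending in
# ": Access Profile : <name|not set>". Assumption: the layout reproduced above.
LINE_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_show_management(text):
    """Map each setting to {'state': first word, 'profile': name or None, 'raw': rest}."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        profile = None
        if "Access Profile" in value:
            value, _, prof = value.partition("Access Profile")
            prof = prof.strip(" :")
            profile = None if prof == "not set" else prof
        value = value.strip().rstrip(" :")
        words = value.split()
        settings[m.group("key").strip()] = {
            "state": words[0] if words else "",
            "profile": profile,
            "raw": value,
        }
    return settings


def audit(settings):
    """Return findings as strings; an empty list means the target state is met."""
    findings = []
    for key, want in EXPECTED_STATE.items():
        state = settings.get(key, {}).get("state", "missing")
        if state != want:
            findings.append(f"{key}: is {state}, want {want}")
    ssh = settings.get("SSH access", {})
    if ssh.get("state") == "Enabled":
        if "Key valid" not in ssh.get("raw", ""):
            findings.append("SSH access: host key not valid")
        if ssh.get("profile") is None:
            findings.append("SSH access: no access profile bound")
    return findings


# Constructed sample: the relevant lines of the listing shown above (after step 2).
BEFORE_OUTPUT = """\
CLI idle timeout : Enabled (20 minutes)
CLI max number of login attempts : 3
Telnet access : Enabled (tcp port 23 vr all) : Access Profile : not set
SSH access : Enabled (Key valid, tcp port 22 vr all) : Access Profile : not set
Web access : Disabled (tcp port 80) : Access Profile : not set
SNMP access : Enabled : Access Profile : not set
"""

# Constructed sample: an assumed listing after steps 3 to 5 of this procedure.
AFTER_OUTPUT = """\
CLI idle timeout : Enabled (20 minutes)
Telnet access : Disabled (tcp port 23 vr all) : Access Profile : not set
SSH access : Enabled (Key valid, tcp port 22 vr all) : Access Profile : ssh2-acl
Web access : Disabled (tcp port 80) : Access Profile : not set
"""

if __name__ == "__main__":
    for label, output in (("before", BEFORE_OUTPUT), ("after", AFTER_OUTPUT)):
        findings = audit(parse_show_management(output))
        print(label, "->", findings or "target state met")
```

Note that the script deliberately says nothing about SNMP, which the listing shows enabled with no access profile; this page does not cover SNMP hardening, so add your own expectation there if SNMP is in scope for you.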

Note in this output that SSH access is Enabled with a valid host key on TCP port 22, while Telnet access is still Enabled and SNMP access is Enabled with no access profile. Telnet is handled in step 5; SNMP is not covered by this procedure.

Now enable SSH2 on the primary image:

use image primary
reboot
run update
start process exsshd
enable ssh2

Then check again with show management.

3. Create an SSH2 access list. We create an access list that permits SSH from source addresses in 10.0.0.0/16 and denies everything else. The profile is matched against the client's source address, so the management stations you connect from must fall inside the permitted range.

We create a policy, ssh2-acl:

edit policy ssh2-acl

and fill the following into the text editor (Extreme uses vi, by the way):

entry AllowManagementIP {
    if match any {
        source-address 10.0.0.0/16;
    } then {
        permit;
    }
}
entry DenyAll {
    if match any {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}

Entries are evaluated in order and the first match wins, so the explicit DenyAll entry must stay last; it also makes the result independent of whatever the default for unmatched traffic is. Apply the profile to SSH2:

configure ssh2 access-profile ssh2-acl

Verify with:

show policy
check policy ssh2-acl

Then ping 10.0.254.254 and 192.168.254.254 from the laptop, moving the Ethernet cable to port 1 and port 2 respectively. Both pings must succeed: the profile restricts SSH only, not IP reachability.

Then try to ssh to 10.0.254.254 from port 1 (must succeed, since the laptop's 10.0.254.x address is inside 10.0.0.0/16) and to 192.168.254.254 from port 2 (must fail, because the laptop's 192.168.254.x source address is not in the access list). Do this before disabling Telnet, so that a mistake in the profile does not cost you remote access; the console session is unaffected by the profile either way.
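The policy above and the port 1 / port 2 test, as an added Python example (not code from the original page): it renders the same policy file from a list of permitted prefixes with the deny-all entry kept last, and replays the first-match evaluation that EXOS applies to policy entries to predict which client addresses get through, which is the same question the ssh test answers by hand. The function names, the lockout check and the naming of additional permit entries are my assumptions; the sample addresses are the page's own.

```python
import ipaddress

DENY_ALL = ipaddress.ip_network("0.0.0.0/0")


def policy_entries(allowed_prefixes):
    """Build (name, network, action) tuples: one permit per management prefix,
    then an explicit deny-all.

    Order matters: EXOS evaluates policy entries top to bottom and the first
    match wins, so DenyAll must be the last entry. strict=True rejects a prefix
    with host bits set (e.g. 10.0.254.1/16) instead of silently widening it.
    """
    entries = []
    for i, prefix in enumerate(allowed_prefixes, start=1):
        net = ipaddress.ip_network(prefix, strict=True)
        # Entry naming beyond the first prefix is an assumption of this example.
        name = "AllowManagementIP" if i == 1 else f"AllowManagementIP{i}"
        entries.append((name, net, "permit"))
    entries.append(("DenyAll", DENY_ALL, "deny"))
    return entries


def render_policy(entries):
    """Render the entries in the policy-file layout used on this page."""
    lines = []
    for name, net, action in entries:
        lines += [
            f"entry {name} {{",
            "    if match any {",
            f"        source-address {net.with_prefixlen};",
            "    } then {",
            f"        {action};",
            "    }",
            "}",
        ]
    return "\n".join(lines) + "\n"


def evaluate(entries, source_ip):
    """(action, entry name) for the first entry matching the client's source address."""
    ip = ipaddress.ip_address(source_ip)
    for name, net, action in entries:
        if ip in net:
            return action, name
    return "deny", "<no match>"


def lockout_check(entries, admin_ip):
    """True if the address you administer from keeps SSH access under this policy."""
    return evaluate(entries, admin_ip)[0] == "permit"


if __name__ == "__main__":
    entries = policy_entries(["10.0.0.0/16"])
    print(render_policy(entries))
    # The page's test: laptop on port 1 (10.0.254.x) vs. port 2 (192.168.254.x).
    for client in ("10.0.254.1", "192.168.254.1"):
        print(client, "->", evaluate(entries, client))
```

Before binding a profile from a remote SSH session, run lockout_check with your own address; on this page the operator is on the console, so the check is informational there, but a profile that omits your own prefix ends the remote session you are configuring from.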

4. Enable the idle timeout, so that abandoned sessions are closed (the show management output above shows a 20 minute timeout):

enable idletimeout

5. Disable Telnet and HTTP web access, only once SSH2 has been verified working from a permitted address:

disable telnet
disable web http

6. Save the configuration to both configuration files, so that whichever one the switch boots with carries these settings (the long form of these commands is save configuration primary and save configuration secondary):

save primary
save secondary