Five Things You Should Do After Plugging in Your New Cisco Switch
I purchased a new Cisco SG300 10-port Gigabit Ethernet managed switch a few months back and it's been one of the best investments for my small home network. Cisco switches have so many features and options that you can configure to granularly control your network. In terms of security, their products stand out.
With that said, it's very interesting how insecure a Cisco switch is fresh out of the box. When you plug it in, it either grabs an IP address from a DHCP server or assigns itself an IP address (usually 192.168.1.254) and uses cisco for both the username and the password. Yikes!
Since most networks use the 192.168.1.x network ID, your switch is completely accessible to anyone on the network. In this article, I’m going to talk about five immediate steps you should take after you plug in your switch. This will ensure your device is secure and configured properly.
Note: This article is geared towards home or small office users who are new to Cisco switches. If you're a Cisco engineer, you're going to find all of this very simplistic.
Step 1 – Change Default Username & Password
This is obviously the first step and the most important. Once you log into the switch, expand Administration and then click on User Accounts.
The first thing you'll want to do is add another user account so that you can then delete the original cisco user account. Make sure that you give the new account full access, which is Read/Write Management Access (15) in Cisco parlance. Use a strong password (the switch enforces password complexity by default, so expect to need a mix of character classes), then log out of the cisco account and log in using your new account. You should now be able to remove the default account; do not skip this, since a renamed or disabled default account is not the same as a deleted one.
It may also be worth enabling the Password Recovery Service, in case you forget the password you set. Recovery requires console access to the device, so be aware of the trade-off: with the service enabled, anyone who can plug a console cable into the switch can reset the password, which is only acceptable if the switch is physically secured.
Step 2 – Assign a Static IP Address
If there was no DHCP server on the network when you plugged the switch in, it will already be sitting on its fallback address (192.168.1.254); if it took a DHCP lease instead, that address can change on the next renewal. Either way you should set a static address so the management interface stays put, and you will have to if you're not using the 192.168.1 network ID. To do this, expand Administration – Management Interface – IPv4 Interface.
Choose Static for IP Address Type and enter a static IP address. This will also make the switch much easier to manage. If you know the default gateway for your network, go ahead and add that as well under Administrative Default Gateway.
It's also worth noting that the IP address is assigned to a virtual LAN interface, meaning you can access the device using that IP address regardless of which port you are connected to on the switch, as long as the port is assigned to the Management VLAN selected at the top. By default this is VLAN 1, and all ports are in VLAN 1 by default, which also means every device plugged into the switch can reach the management interface. Moving management to a dedicated VLAN is a common next step once these basics are done.
Step 3 – Update the Firmware
Since my cheap Netgear router can check the Internet for a software update and automatically download and install it, you would think a fancy Cisco switch could do the same. But you'd be wrong! It's probably for security reasons that they don't do this, but it's still annoying.
To update a Cisco switch with new firmware, you have to download it from the Cisco website and then upload it to the switch. In addition, you then have to change the active image to the new firmware version: the switch keeps two image slots, and the previously active image stays in the other slot so you can switch back if the new one misbehaves. I really do like this feature as it provides a bit of protection in case something goes wrong.
To find the new firmware, just Google your switch model with the word firmware at the end. For example, in my case, I just Googled Cisco SG300-10 firmware. Make sure the file you end up with actually comes from Cisco's software download site rather than a third-party mirror, and compare it against the checksum Cisco publishes alongside the download before uploading it; the switch will boot whatever image you give it.
I’ll be writing up another article on how to upgrade the firmware for a Cisco router as there are a couple of things you want to be aware of before doing so.
Step 4 – Configure Secure Access
The next step I recommend is enabling only secure access to your switch. If you are a command line pro, you really should disable the web GUI altogether and turn on SSH access only. However, if you need the GUI, you should at least set it to use HTTPS rather than HTTP, and disable plain HTTP rather than leaving it running alongside HTTPS, so your credentials are never sent in the clear. Expect a browser certificate warning the first time, since the switch uses a self-signed certificate.
Check out my previous post on how to enable SSH access for your switch and then log in using a tool like PuTTY. For even more security, you can turn on public key authentication with SSH and log in using a private key. While you are there, make sure Telnet is not enabled. You can also restrict access to the management interface by IP address, which I will write about in a future post.
Step 5 – Copy Running Config to Startup Config
The last habit you want to get into when using any Cisco device is copying the running config to the startup config. All the changes you make are stored only in RAM, which means that when you reboot the device, those settings will be lost and you are back to the insecure defaults.
In order to permanently save the configuration, you have to copy the running config to startup config, the latter of which is stored in NVRAM or non-volatile RAM. To do this, expand Administration, then File Management and then click on Copy/Save Configuration.
The default settings should be correct, so all you have to do is click on Apply. Again, make sure you do this anytime you make any kind of change to your switch.
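The same steps from the switch's command line, as an added example that is not part of the original post. The commands are entered over the console or an SSH session on an SG300; the user name, password and addresses are placeholders chosen for illustration, and the exact option order of a few commands differs between firmware versions, so use the `?` help on the switch if a line is rejected. Step 3 (firmware) is left out because it needs an image file to upload.

```cisco
! Step 1: create a full-access (privilege 15) account, then remove the default cisco user.
! Password complexity is enforced by default, so the placeholder is 8+ characters
! with mixed case, digits and punctuation. Log in as the new user before deleting cisco.
configure terminal
username netadmin password Str0ng!Passw0rd privilege 15
no username cisco
! Leave password recovery enabled only if the switch is physically secured,
! because it lets anyone with console access reset the password.
service password-recovery
!
! Step 2: static management address on the management VLAN (VLAN 1 by default).
! 192.168.1.10/24 with gateway 192.168.1.1 are example values for a home network.
interface vlan 1
 ip address 192.168.1.10 255.255.255.0
exit
ip default-gateway 192.168.1.1
!
! Step 4: management only over SSH and HTTPS; plain HTTP and Telnet stay off.
crypto key generate rsa
ip ssh server
ip ssh pubkey-auth
no ip telnet server
no ip http server
ip https server
exit
!
! Step 5: persist the running configuration; without this a reboot undoes everything above.
copy running-config startup-config
!
! Confirm what was saved (the startup config should now show the new user and no cisco user).
show startup-config
```

Do the access changes from a session you can afford to lose: if you are connected over HTTP when you turn it off, the session drops and you reconnect over HTTPS or SSH with the new account.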
Those were some really basic configuration steps for getting your switch initially setup and secured. I’ll be posting more advanced tutorials soon on other aspects of the switch. If you have any questions, feel free to comment. Enjoy!