Software Guide
Page 14
...Status 20-2 Displaying the Port MAC Address 20-4 Displaying Port Capabilities 20-5 Using Telnet 20-6 Changing the Login Timer 20-6 Using Secure Shell Encryption for Telnet Sessions 20-7 Monitoring User Sessions 20-8 Using Ping 20-9 Understanding How Ping Works 20-9 Executing Ping 20-10 Using Layer 2... Traceroute 20-12 Configuring CDP 21-1 Understanding How CDP Works 21-1 Default CDP Configuration 21-2 Configuring CDP on the Switch 21-2 Setting the CDP Global Enable State 21-2 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 xiv 78-15486-01
Software Guide
Page 203
...plain text. VTP version 3 introduces a way of the password in length Console> (enable) 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 9-27 These two formats are two different formats of the set vtp passwd toto Generating...you paste a secret password into the configuration, the initial password is shown in the configuration: A plain text password or an encrypted hexadecimal secret value. set vtp passwd toto hidden Generating the secret associated to the password configuration. if you configure a plain text ...
Software Guide
Page 335
... Capabilities, page 20-5 • Using Telnet, page 20-6 • Changing the Login Timer, page 20-6 • Using Secure Shell Encryption for Telnet Sessions, page 20-7 • Monitoring User Sessions, page 20-8 • Using Ping, page 20-9 • Using Layer ... A P T E R Checking Status and Connectivity This chapter describes how to the Catalyst 4500 Series, Catalyst 2948G, and Catalyst 2980G Switches Command Reference. The Catalyst 4912G, 2948G, and 2980G switches are fixed-configuration switches, but are multimodule systems. You can use the [mod_num] argument to specify a particular...
Software Guide
Page 341
... but takes longer to generate. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 20-7 Note If you are initiated from the switch cannot be automatically logged out after 10 minutes of SSH supports version 1, both the data encryption standard (DES) and 3DES encryption methods, and can be able to use...
Software Guide
Page 370
... to a particular security model. The noauth level authenticates a packet by using either the HMAC MD5 or SHA algorithms and encrypts the packet using the CBC-DES (DES-56) algorithm. Simple Network A network management protocol that a user is supposedly sent...a response (for all the users belonging to manage configurations, statistics collection, performance, Protocol (SNMP) and security. 24-2 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01 in an unauthorized manner. When an SNMP message does not expect a response,...
Software Guide
Page 372
... port and VLAN is always retained and used after a high-availability switchover. 24-4 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01 A combination of notifications its users. Table 24-2 Security Model Combinations Model Level Authentication Encryption What Happens v1 noAuthNoPriv Community No String Uses a community string match for its...
Software Guide
Page 379
... Subsystem • Security Subsystem • Access Control Subsystem 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 24-11 Chapter 24 Configuring SNMP Understanding SNMPv3 ...These examples show how to specify and display an interface alias: Console> (enable) set snmp ifalias 1 Inband port ifIndex 1 alias set commands that the message is from a valid source • Encryption...
Software Guide
Page 381
...received SNMP messages, generate notifications, receive notifications, and forward messages between SNMP entities. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 24-13 Applications SNMPv3 applications refer to a managed object should be allowed...users and which managed objects. Chapter 24 Configuring SNMP Understanding SNMPv3 Security Subsystem The Security Subsystem authenticates and encrypts messages. Access Control Subsystem The responsibility of the Security Subsystem may support one access control model, the...
Software Guide
Page 447
... iterations until authentication either providing the privilege password or using the MD5 encryption algorithm and adds a TACACS+ packet header. Understanding How TACACS+ Authentication Works TACACS+ is specified by either passes or fails. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-3 You configure each local user. You can...
Software Guide
Page 448
...of login attempts that is used to encrypt RADIUS packets • Specify the RADIUS server timeout interval • Specify the RADIUS retransmit count • Specify the RADIUS server deadtime interval 30-4 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486...on the RADIUS servers. The key itself is configured on the switch, it receives from one that is never transmitted over the network. The TACACS+ clients and servers use the key to encrypt all other authentication methods, local authentication is configured on the ...
Software Guide
Page 449
...decides to the Kerberos server. Users and network services register their identity with the user's TGT. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-5 You can be used in uppercase characters. When you use first using the...services. When issued from the network. In Kerberos, this credential is encrypted with the password that verify the identity of a user or service. Chapter 30 Configuring Switch Access Using AAA Understanding How Authentication Works RADIUS authentication is disabled by the...
Software Guide
Page 450
... a network service shares with its TGT. Figure 30-1 illustrates the Kerberos Telnet connection process. 30-6 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01 The service credential has the client's identity and the identity... of the desired Telnet server. When the Telnet client receives the encrypted TGT, it shares with the switch's Telnet server and encrypts...
Software Guide
Page 451
... decrypt the TGT with the Kerberos package. Figure 30-2 illustrates the non-Kerberized login process. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-7 If you can launch a non-Kerberized login through a modem or terminal server...successful, you are authenticated to the switch, which is the client software that is provided with the password that you want to the switch. Telnet does not support non-Kerberized login. The KDC sends an encrypted TGT to the switch. 5. The switch prompts you launch a non-Kerberized...
Software Guide
Page 463
...> (enable) Specifying the TACACS+ Key Note If you configure a TACACS+ key on the TACACS+ server. Command set to encrypt packets. Enter the console or telnet keywords if you configure an identical key on the client, make sure that is used to...the configuration: Console> (enable) set authentication login tacacs enable tacacs login authentication set tacacs key key show tacacs 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-19 set authentication login tacacs enable [all | console | http | telnet] [primary] ...
Software Guide
Page 469
... to the $enab15$ user. Console> (enable) show radius Login Authentication: Console Session Telnet Session 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-25 It can set radius key key to the RADIUS server. This user needs... disabled radius enabled(primary) enabled(primary) local enabled enabled Console> (enable) Specifying the RADIUS Key The RADIUS key is used to encrypt packets sent set the service-type attribute (attribute 6) to Administrative (value 6) for a RADIUS user to 65 characters. If your ...
Software Guide
Page 478
...number key-type key-length encrypted-keytab 30-34 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01 CISCO.COM deleted Console> (enable) Copying SRVTAB Files To allow remote users to authenticate to the switch using the Trivial File ...domain to a Kerberos realm. To retrieve SRVTAB files to the switch from the KDC. CISCO.COM Console> (enable) Console> (enable) clear kerberos realm CISCO CISCO.COM Kerberos DnsDomain-Realm entry CISCO - The entries are called CISCO.COM, to a DNS domain and how to a Kerberos realm...
Software Guide
Page 479
...host/niners.cisco.com@CISCO.COM 0 Console> (enable) Enabling Credentials Forwarding A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the network using Kerberized Telnet. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software ...set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0 Kerberos SRVTAB entry set to Principal:host/niners.cisco.com@CISCO.COM Principal Type:0 Timestamp:932423923 Key version number:1 Key type:1 Key length:8 Encrypted key tab:03;;5>00>50;0=0=0 Console...
Software Guide
Page 481
...Credentials Forwarding Disabled Kerberos Pre Authentication Method set to Encrypted Unix Time Stamp Kerberos config key: Kerberos SRVTAB Entries Console> (enable) Defining and Clearing a Private DES Key You can define a private DES key for the switch. Chapter 30 Configuring Switch Access Using AAA Configuring Authentication This example shows how... mode: Task Clear the Kerberos clients' mandatory configuration. The key length should be eight characters or less. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-37
Software Guide
Page 482
...enable) show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM, Server:170.20.2.1, Port:750 Realm:CISCO.COM, Server:172.20.2.1, Port:750 Kerberos DomainRealm entries: Domain:cisco.com, Realm:CISCO.COM Kerberos Clients Mandatory Kerberos Credentials ...for the duration of the Telnet session. Command telnet [encrypt kerberos] host 30-38 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01 Configuring Authentication Chapter 30 Configuring Switch Access Using AAA To define a DES key, perform this...
Software Guide
Page 483
Chapter 30 Configuring Switch Access Using AAA Configuring Authentication This example shows how to configure a Telnet session for Kerberos authentication and encryption: Console> (enable) telnet encrypt kerberos 172.20.52...switch: • show kerberos • show kerberos Kerberos Local Realm:CISCO.COM Kerberos server entries: Realm:CISCO.COM, Server:187.0.2.1, Port:750 Realm:CISCO.COM, Server:187.20.2.1, Port:750 Kerberos DomainRealm entries: Domain:cisco.com, Realm:CISCO...-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-39