Article Summary:
In some environments, secure management access may be required. This article provides the steps necessary to restrict management access using HTTPS and SSH.
Caution: This process requires the Command-Line Interface (CLI) and can be performed over a serial or telnet session. Follow the steps in order to avoid unintentionally blocking remote management access.
This procedure assumes:
- The switch is already configured with an IP address and is reachable within the network.
- There is an account created with Privilege Level 15. To verify this, use the command:
console# show users accounts
Note: After completing these steps, expect warnings about certificate authenticity when connecting. These occur because the certificates and keys are self-generated on the switch; the warning is expected and does not indicate a fault.
Caution: Before disabling either telnet or HTTP access, verify SSH or HTTPS access.
Note: If SSH or HTTPS is already enabled and only telnet and HTTP need to be disabled, go to step 3 to disable telnet and step 5 to disable HTTP.
Process:
1. Connect to the switch using the CLI.
2. To enable SSH, enter the following commands:
console> enable
console# config
console(config)# crypto key generate rsa
console(config)# crypto key generate dsa
console(config)# ip ssh server
3. To disable telnet, enter:
console(config)# ip telnet server disable
4. To enable HTTPS, enter the following commands:
console(config)# crypto certificate 1 generate
console(config-crypto-cert)# key-generate <512-2048>
console(config-crypto-cert)# exit
console(config)# ip https certificate 1
console(config)# ip https server
Note: This system can generate and store two certificates. To generate the second certificate, replace the number 1 with 2. To activate the second certificate, use console(config)# ip https certificate 2.
5. To disable HTTP, enter:
console(config)# no ip http server
6. After verifying connectivity using SSH or HTTPS, save the configuration by entering:
console# copy running-config startup-config
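The cautions above hinge on one check: SSH must answer before telnet is disabled, and HTTPS must answer before HTTP is disabled, and afterwards the cleartext services should no longer answer. The following script is an added example, not part of the article or of the switch vendor's tooling, that performs those checks from an administrator's workstation. It assumes the management services are on their default ports (22, 23, 443, 80) and that the switch is reachable by IP; the `start_fake_banner_server` helper is a constructed stand-in for a switch port so the example runs offline, and is not something a switch provides.

```python
"""Pre- and post-change reachability checks for the SSH/HTTPS hardening steps."""
import socket
import threading

# Assumption: the switch runs its management services on the default ports;
# nothing in this procedure changes them.
SSH_PORT, TELNET_PORT, HTTPS_PORT, HTTP_PORT = 22, 23, 443, 80


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def ssh_banner(host, port=SSH_PORT, timeout=3.0):
    """Return the server's SSH identification string, or None.

    An SSH server sends 'SSH-2.0-...' before anything else (RFC 4253), so
    reading that line shows the SSH service is really up, which an open
    port alone does not.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(255)
    except OSError:
        return None
    text = data.decode("ascii", "replace").strip()
    return text if text.startswith("SSH-") else None


def management_access_report(host, timeout=3.0):
    """Which management services currently answer on the switch."""
    return {
        "ssh": ssh_banner(host, SSH_PORT, timeout) is not None,
        "https": tcp_port_open(host, HTTPS_PORT, timeout),
        "telnet": tcp_port_open(host, TELNET_PORT, timeout),
        "http": tcp_port_open(host, HTTP_PORT, timeout),
    }


def safe_to_disable_telnet(report):
    """Step 3 precondition: SSH must already answer (the article's caution)."""
    return report["ssh"]


def safe_to_disable_http(report):
    """Step 5 precondition: HTTPS must already answer."""
    return report["https"]


def hardening_complete(report):
    """End state: encrypted services up, cleartext services closed."""
    return report["ssh"] and report["https"] and not (report["telnet"] or report["http"])


def start_fake_banner_server(banner):
    """Constructed stand-in for a switch port, used so the example runs offline.

    Listens on 127.0.0.1, sends `banner` to each client and closes the
    connection. Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    def stop():
        stopping.set()
        worker.join()

    return port, stop


if __name__ == "__main__":
    # Offline demonstration against the constructed listener; against a real
    # switch you would call management_access_report("<switch-ip>") instead.
    port, stop = start_fake_banner_server(b"SSH-2.0-constructed-demo\r\n")
    print("banner:", ssh_banner("127.0.0.1", port))
    stop()
    print("after shutdown, port open:", tcp_port_open("127.0.0.1", port))
```

Run `management_access_report` against the switch before step 3 and again before step 5, and only proceed when the corresponding `safe_to_disable_*` check passes; after step 5, `hardening_complete` should be true before you save with copy running-config startup-config. The SSH check reads the identification string rather than just connecting, because a port that accepts connections but is not yet serving SSH would otherwise give a false sense of safety.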