Cisco 3550 Switch Ios Download
Introduction
This document explains the step-by-step procedure to upgrade the software image on Cisco Catalyst 3550 series switches with use of the command-line interface (CLI).
Prerequisites
Requirements
Before you attempt this configuration, ensure that you are familiar with these topics for Catalyst 3550:
Naming conventions
Feature sets
File systems and boot parameters
Setup of a TFTP server and backup of the configuration
If you are not familiar with the topics, see the Prepare to Upgrade section of this document before you attempt the software upgrade.
If you already meet the requirements, skip any or all of these topics. Go directly to the Software Upgrade Procedure for 3550 Series Switches section of this document.
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Background Information
A software image upgrade can be necessary for these reasons:
You want to implement new features in your network that are available in the later software release.
You want to install a new line card that the current software version does not support.
A known bug has affected your switch. The later software release resolves the bug.
This document does not cover the upgrade procedure that uses Cisco Cluster Management Suite (CMS). For details on this procedure, complete these steps:
Open the CMS application.
Choose Administration > Software Upgrade.
From the menu bar, choose Help.
Prepare to Upgrade
Understand File Extensions: .bin and .tar Files
There are two types of files or file extensions that you see when you download 3550 software from the LAN Switches section of Downloads - Switches (registered customers only).
The .bin file is the Cisco IOS® Software image. If you only want to use the CLI to manage the switch, the .bin file is the only file to download.
The .tar file is an archive file. The upgrade process extracts both the Cisco IOS image and the CMS files from the .tar file. If you want to manage switches or clusters of switches through a web (HTML) interface, this file is the only file to download.
Note: When you download a .tar image, the archive utility that is on your PC saves the file. This utility can be WinZip or some other third-party software. There is no need to manually extract the files in archive. The extraction occurs automatically during the upgrade process.
Understand 3550 Software Image Naming Conventions: SMI and EMI
The 3550 is either a Layer 2 (L2) or Layer 3 (L3) switch, which depends on the software version and feature set that you install.
The naming conventions for 3550 images begin with either c3550-i9q3l2 (the SMI) or c3550-i5q3l2 (the EMI); these are the strings that the upgrade procedures later in this document use to tell the two images apart.
The differences between the two are:
The SMI image is essentially an L2-only image. However, Cisco IOS Software Release 12.1(8)EA1b includes enhancements to the L2 feature set. This release and later SMI releases use the term 'Layer2+'. Cisco IOS Software Release 12.1(11)EA1 adds basic L3 functionality to the SMI image. This L3 functionality includes static unicast routing, the Routing Information Protocol (RIP), and other features. This release and later SMI releases use the phrase 'basic Layer 3 routing features'.
The EMI image is an L2 image in combination with a full L3 feature set. This feature set includes:
Interior Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP)
Open Shortest Path First (OSPF) Protocol
Border Gateway Protocol Version 4 (BGP4)
Hot Standby Router Protocol (HSRP)
Protocol Independent Multicast (PIM)
Other advanced services
Note: For more information on SMI and EMI features, refer to the Catalyst 3550 Multilayer Switch Software Configuration Guide under the Catalyst 3550 Multilayer Switches release notes for your version of 3550 software.
Note: All Catalyst 3550 Gigabit Ethernet switches ship with an EMI installation. Catalyst 3550 Fast Ethernet switches ship with either an SMI or EMI installation. You can order the Enhanced Multilayer Software Image Upgrade kit (CD-3550-EMI=) in order to upgrade any Catalyst 3550 Fast Ethernet switch from the SMI to the EMI. However, unless you purchased your 3550 with the EMI image preinstalled, you must purchase the upgrade kit before you download the EMI image.
Issue the show version command in order to verify these items:
The version of software that you run
The location of the image installation
The feature set that you run
The 3550 model that you have
Here is a sample command output:
Understand the 3550 Flash File System and Memory Requirements
3550 Flash File System
The 3550 ships from the factory with the installation of a CMS image (.tar file) in the flash: directory. The extraction process that takes place with a .tar file creates a Cisco IOS image directory. The image directory has the same name as the Cisco IOS image (.bin file), but without the file extension. This directory stores the Cisco IOS image (.bin file) along with an HTML subdirectory that contains the CMS files.
Issue the dir flash: command in order to view the 3550 Flash file system. Here is a sample command output:
If you use just the Cisco IOS image to upgrade, you issue the copy tftp command. The Step-by-Step Procedure for the 3550 with Use of Only the Cisco IOS Image (.bin File) section of this document fully explains this process.
If you upgrade with use of the CMS image (.tar file), you issue the archive download-sw command. The Step-by-Step Procedure for the 3550 with Use of the CMS Image (.tar File) section of this document fully explains this process.
3550 Memory Requirements
DRAM Memory
The synchronous DRAM (SDRAM) configuration on all 3550 switches is 64 MB. There are no minimum DRAM requirements to consider before you upgrade software on the 3550.
Flash Memory
All 3550s have 16 MB of internal Flash memory. The Flash memory is not upgradeable.
There is a limit to the number of images that you can store in Flash. Always check the size, in bytes, of the image in the LAN Switches section of Downloads - Switches (registered customers only) before you upgrade software. Issue the dir flash: command in order to compare the size of this image with the free space in Flash. Here is a sample command output:
If necessary, issue the delete flash: file_name command in order to delete a single Cisco IOS image (.bin file). Or issue the delete /force /recursive command in order to delete a directory and all the files in the directory.
In order to upgrade with use of a CMS image (.tar file), use the archive download-sw command. This command has a few options. One option is the archive download-sw /overwrite command, which overwrites or replaces the old software. Another option is the archive download-sw /leave-old-sw command. This command leaves the old software, but requires more Flash space.
The Software Upgrade Procedure for the 3550 Series Switches section of this document covers in detail the use of the delete command and the archive download-sw command.
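As an added example that is not part of the Cisco document: a small Python script that applies the free-space check described above. It parses constructed `dir flash:` and `show version` text (modelled on the 3550 output format; the page's own sample output is not reproduced here) against the 3993612-byte image size from the download page, and reports whether the image fits and which old .bin file to delete first, never the running image. The function and sample names are assumptions.

```python
"""Check whether a new Catalyst 3550 image fits in flash: before copy tftp flash:.

Added example, not from the Cisco document. It parses the text of `dir flash:`
and `show version` (constructed samples below, modelled on the 3550 output
format) and lists which old images could be deleted to make room, never the
image the switch is currently running.
"""
import re
from dataclasses import dataclass

# Constructed sample of `dir flash:` on a 3550 (not output quoted in the document).
SAMPLE_DIR_FLASH = """\
Directory of flash:/

    2  -rwx        2316  Mar 01 1993 00:00:20  config.text
    3  -rwx     3703508  Mar 01 1993 00:05:19  c3550-i5q3l2-mz.121-9.EA1c.bin
    4  -rwx     3828192  Mar 01 1993 00:09:44  c3550-i5q3l2-mz.121-12c.EA1.bin
    5  -rwx           5  Mar 01 1993 00:00:07  private-config.text
    6  drwx         192  Mar 01 1993 00:15:30  c3550-i5q3l2-mz.121-12c.EA1

15998976 bytes total (3112960 bytes free)
"""

# Constructed fragment of `show version` naming the image the switch booted from.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1)
System image file is "flash:c3550-i5q3l2-mz.121-12c.EA1.bin"
"""

# New image name and size in bytes as listed on the download page (from the document).
NEW_IMAGE_NAME, NEW_IMAGE_SIZE = "c3550-i5q3l2-mz.121-13.EA1.bin", 3993612

FILE_RE = re.compile(r"^\s*\d+\s+([-d]rwx)\s+(\d+)\s+\S+ \d+ \d+ [\d:]+\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^(\d+) bytes total \((\d+) bytes free\)$")
BOOT_RE = re.compile(r'System image file is "flash:/?([^"]+)"')


@dataclass
class FlashEntry:
    name: str
    size: int
    is_dir: bool


def parse_dir_flash(text):
    """Return (entries, total_bytes, free_bytes) parsed from `dir flash:` output."""
    entries, total, free = [], None, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append(FlashEntry(m.group(3), int(m.group(2)), m.group(1).startswith("d")))
            continue
        m = TOTAL_RE.match(line.strip())
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    if total is None:
        raise ValueError("no 'bytes total (... bytes free)' line found")
    return entries, total, free


def running_image(show_version_text):
    """Name of the image the switch booted from, or None if show version lacks it."""
    m = BOOT_RE.search(show_version_text)
    return m.group(1).split("/")[-1] if m else None


def plan_upgrade(dir_text, show_version_text, new_name, new_size):
    """Decide whether new_size fits and which old .bin images to delete first.

    Only .bin files have a known size in the listing; image directories created
    by a .tar upgrade are reported separately, because `dir` shows the directory
    entry size, not the space its contents occupy.
    """
    entries, _total, free = parse_dir_flash(dir_text)
    running = running_image(show_version_text)
    old_bins = sorted(
        (e for e in entries if e.name.endswith(".bin") and e.name not in (running, new_name)),
        key=lambda e: e.size)
    deletions, free_after = [], free
    for e in old_bins:
        if free_after >= new_size:
            break
        deletions.append(e.name)
        free_after += e.size
    image_dirs = [e.name for e in entries if e.is_dir and e.name.startswith("c3550-")]
    return {
        "running": running,
        "fits_now": free >= new_size,
        "needed": max(0, new_size - free),
        "deletions": deletions,
        "free_after": free_after,
        "fits_after": free_after >= new_size,
        "image_dirs": image_dirs,
    }


if __name__ == "__main__":
    plan = plan_upgrade(SAMPLE_DIR_FLASH, SAMPLE_SHOW_VERSION, NEW_IMAGE_NAME, NEW_IMAGE_SIZE)
    print(f"running image: {plan['running']}")
    if plan["fits_now"]:
        print("enough free flash; proceed to copy tftp flash:")
    else:
        print(f"short by {plan['needed']} bytes; delete flash:" + " flash:".join(plan["deletions"]))
        print(f"free after deletion: {plan['free_after']} bytes (fits: {plan['fits_after']})")
    if plan["image_dirs"]:
        print("image directories (delete /force /recursive if unused):", ", ".join(plan["image_dirs"]))
```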
Configuration Register Changes and the Set of Boot Statements
Unlike some other Catalyst switches, there is no config-register command on the 3550. You cannot change the configuration register value from the default.
The 3550 automatically searches for a valid software image from which to boot. The search occurs even if you do not set a boot system statement. Set the boot statement anyway, as a precaution. The command to set a boot system statement is boot system flash: file_name.
You can specify multiple images in the boot statement if you separate the image names with a semicolon. The command is boot system flash: file1;file2.
If you use a CMS image on the 3550, the Cisco IOS image (.bin file) extraction creates a directory for the image alone. The boot system command becomes boot system flash: directory/file_name.
The Software Upgrade Procedure for the 3550 Series Switches section of this document covers in detail the use of the boot system command.
Download Software Image
You must download the 3550 software image onto the PC that acts as the TFTP server prior to the actual image upgrade. Download the software image from the LAN Switches section of Downloads - Switches (registered customers only). In order to download the software image, you must be a registered user and you must log in. If you do not understand which image to download, see the Prepare to Upgrade section of this document.
Install TFTP Server
The sample output in this document uses a third-party TFTP server with installation on a PC that runs Microsoft Windows 2000 Professional. You can use any TFTP server with installation on any platform. You do not need to use a PC with a Windows OS.
Download and install any shareware TFTP software from the Internet on the PC that you want to use to copy the 3550 software image to the switch.
The TFTP server root directory must be the directory to which you download the software image. You can download the images to the default root directory of the TFTP server. Or, you can change the root directory path to the directory that stores the software image.
In order to access the switch CLI, connect a console cable between the switch console port and the PC.
Refer to Connecting a Terminal to the Console Port on Catalyst Switches. The document explains how to access the CLI with HyperTerminal.
Note: You can upgrade the switch with remote Telnet access. However, when you reload the switch during the software upgrade, you lose Telnet connectivity. After you load the new image, you can reestablish the Telnet session. However, to troubleshoot in the case of failure, you must have local console access. A switch upgrade with use of console access is best.
Configure a VLAN interface on the switch to be in the same VLAN, or subnet, as your TFTP server with direct connection.
This configuration provides the best results.
If you cannot directly connect your TFTP server to the switch, issue either the ip default-gateway command or the ip route command. These commands set a default gateway to reach the TFTP server.
On the 3550, you can configure a VLAN interface with an IP address and with L2 physical interfaces as members of that VLAN. Alternately, you can configure a physical interface as an L3 interface with its own IP address. This configuration is similar to a router configuration.
This example uses a VLAN interface with a Fast Ethernet L2 physical interface in that VLAN. The 3550 and TFTP server are not in the same subnet, so you configure a default route.
Backup Configuration and Software Image
Perform a backup of the switch configuration to the PC that runs the TFTP server. If you lose the switch configuration for any reason, you can always restore the configuration from the TFTP server.
Issue the copy startup-config tftp command on the 3550 in order to back up your current configuration to a TFTP server. Here is a sample command output:
Software Upgrade Procedure for 3550 Series Switches
There are two upgrade procedures available for the 3550:
If you want to use the CLI only and do not intend to use the CMS software, complete the Step-by-Step Procedure for the 3550 with Use of Only the Cisco IOS Image (.bin File).
If you want to use the latest version of CMS software, complete the Step-by-Step Procedure for the 3550 with Use of the CMS Image (.tar File).
Step-by-Step Procedure for the 3550 with Use of Only the Cisco IOS Image (.bin File)
In this example, you upgrade the software on a 3550 from Cisco IOS Software Release 12.1(12c)EA1 to Cisco IOS Software Release 12.1(13)EA1 with use of only the Cisco IOS image (.bin file). The procedure is the same regardless of the software version that you use.
Issue the show version command in order to view the current version of software that you run.
Here is a sample command output:
From the LAN Switches section of Downloads - Switches (registered customers only), choose Catalyst 3550 software and find the image that you want to download.
Note the size of the image in bytes. This example uses the file c3550-i5q3l2-mz.121-13.EA1.bin. The 'i5q3l2' at the start of the file name tells you that this image is an EMI. The image size is 3993612 bytes, or approximately 4 MB.
Note: The procedure is the same for the SMI. The SMI image has 'i9q3l2' at the start of the file name. The SMI image is smaller and takes up less room in Flash. If you still have questions about whether to use an SMI or EMI image, see the Understand 3550 Software Image Naming Conventions: SMI and EMI section of this document.
Download the image that you want.
Issue the dir flash: command on the 3550 in order to verify the amount of free memory that you have for the upgrade.
Here is a sample command output:
Note: If you already have enough room in Flash for the upgrade, proceed directly to Step 6.
Issue the delete command in order to remove the old Cisco IOS Software Release 12.1(9)EA1c image (.bin file).
This deletion frees up enough room for the upgrade. Here is a sample command output:
An upgrade can require you to free up even more space. The requirement depends on how many images you have stored in Flash. You can delete an old image directory to free up this space.
Note: Remember this storage location so that you can find the old Cisco IOS image (.bin file) as well as the files that you need for the CMS. If you do not use the web interface to manage the switch or you have a newer image directory, the storage location is not a problem.
Issue the delete /force /recursive command in order to delete an image directory and all the subdirectories and files in the image directory. Here is a sample command output:
Issue the copy tftp flash: command in order to perform the upgrade.
Set a boot system statement so that the new image boots on the next reload.
Here is a sample command output:
Issue the write memory command in order to save your changes, and reload the switch.
Here is a sample command output:
Issue the show version command in order to verify that you run the new image.
Here is a sample command output:
Step-by-Step Procedure for the 3550 with Use of the CMS Image (.tar File)
In this example, you upgrade the software on a 3550 from Cisco IOS Software Release 12.1(12c)EA1 to Cisco IOS Software Release 12.1(13)EA1 with use of the CMS image (.tar file).
Issue the show version command in order to view the current version of software that you run.
Here is a sample command output:
From the LAN Switches section of Downloads - Switches (registered customers only), choose Catalyst 3550 software and find the image that you want to download.
Note the size of the image in bytes. This example uses the file c3550-i5q3l2-tar.121-13.EA1.tar. The 'i5q3l2' at the start of the file name tells you that this image is an EMI. The image size is 6011904 bytes, or approximately 6 MB.
Note: The procedure is the same for the SMI. The SMI image has 'i9q3l2' at the start of the file name. The SMI image is smaller and takes up less room in Flash. If you still have questions about whether to use an SMI or EMI image, see the Understand 3550 Software Image Naming Conventions: SMI and EMI section of this document.
Download the image that you want.
Issue the dir flash: command on the 3550 in order to verify the amount of free memory that you have for the upgrade.
Here is a sample command output:
Note: If you already have enough room in Flash for the upgrade, proceed directly to Step 6.
To free up memory on the 3550, choose one of these options:
Overwrite or replace the software.
Choose this option if you do not want to keep your current version. Proceed to Step 6.
Manually delete an older image or directory.
Choose this option if you want to keep your current version of software as a backup.
Issue the delete command in order to remove an old Cisco IOS image or directory and make room for the upgrade. Here is a sample command output:
The upgrade installs the Cisco IOS image (.bin file) and the CMS files in the image directory on a 3550. The image directory has the Cisco IOS image name, with the exclusion of the .bin extension. Here is a sample command output:
Issue the delete /force /recursive command in order to delete an image directory and all the files in the image directory. Here is a sample command output:
Issue the archive download-sw command in order to copy over the .tar file and extract all the files inside the .tar file.
There are two options to consider with this command:
/leave-old-sw
If you choose to leave the current version of software as a backup, the command syntax is archive download-sw /leave-old-sw tftp://tftp_server_ip/file_name. As Step 5 discusses, be sure that you have enough space in Flash to use this option.
/overwrite
If you choose to overwrite or replace the current version of software with the newer version, the command syntax is archive download-sw /overwrite tftp://tftp_server_ip/file_name. This document uses this overwrite option.
The upgrade procedure is exactly the same regardless of the option you choose, but the results differ.
Note: There are additional options that this document does not cover. For details, refer to Working with the IOS File System, Configuration Files, and Software Images for your release of 3550 software.
Issue the dir flash: command. Here is a sample command output:
Issue the archive download-sw command with the /overwrite option. The command replaces the current software version, Cisco IOS Software Release 12.1(12c)EA1, with the later version, Cisco IOS Software Release 12.1(13)EA1. Here is a sample command output:
Confirm that the archive download-sw command with the /overwrite option automatically configures a boot system statement.
With a boot system statement, the new image boots on the next reload of the switch. In order to confirm the configuration of a boot system statement, issue the show boot command.
Here is a sample command output:
If for some reason the configuration of the boot statement does not occur, you can configure the statement. Issue the boot system command.
Here is a sample command output:
Issue the write memory command in order to save your changes and reload the switch.
Here is a sample command output:
Issue the show version command in order to verify that you run the new image.
Here is a sample command output:
Verify
The Software Upgrade Procedure for 3550 Series Switches section of this document provides the commands necessary in order to verify that your configuration works properly.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Software Upgrade Fails, Switch: Prompt Displays, or Switch Reboots Continuously
Your software upgrade can fail for a number of reasons. For example, IP connectivity problems can exist between the switch and TFTP server, or you can have incorrectly set the boot statements. These issues can cause your switch to boot in the switch: mode. If your 3550 displays the switch: prompt or continuously reboots, refer to this document for software recovery procedures:
Switch Does Not Boot Automatically, Needs a Manual Boot at the ROMMON (switch: Prompt)
If you find that your switch does not boot automatically and needs a manual boot, refer to this document for manual boot at the ROMMON (switch: prompt):
The Switch Not Booting Automatically, Needs a Manual Boot at the ROMMON (switch: Prompt) section of the document Upgrading Software in Catalyst 2900XL and 3500XL Switches Using the Command Line Interface
You Receive the Error_Bad_Mzip Error Message
You see this error when the Cisco IOS image is corrupt or a .tar file uploads through an Xmodem. In order to resolve the issue, complete these steps:
Upload the .bin file to the switch through the Xmodem.
Set the boot path to the correct file name.
Reload the switch.
Check that the image file size is the correct one.
If the image file size is not correct, try to download the image file again.
Refer to these documents to check the recovery procedure:
The Recovering from Corrupted Software section of Troubleshooting
The Step-by-Step Recovery Procedure section of Recovering Catalyst Fixed Configuration Switches from a Corrupted or Missing Image
After the Upgrade the Switch Does not Boot and Moves to EMU Prompt
The prompt occurs due to corrupt software or some problem during the download.
In order to recover from the 'EMU>' prompt, complete these recovery steps:
Reload the switch, and then press the mode button in order to force the switch to ROMMON.
Perform the ROMMON recovery with the procedure in the Recover from ROMmon Mode section of Recover a Cisco IOS Catalyst 4500/4000 Series Switch from a Corrupt or Missing Image or in Rommon Mode.
Note: Xmodem recovery is not supported when the switch is in the 'EMU>' prompt. The only command that can be executed at the EMU prompt is dir flash:. If any other command is executed at the EMU prompt, the switch displays a no response from remote system message in HyperTerminal.
Related Information
Basic IOS Security Configuration
The following lessons and case studies are dedicated to basic Cisco IOS Software security configuration methods and are grouped into several scenarios, variations of which you are likely to encounter in the CCIE Security lab exam or in real life.
Lesson 15-1: Configuring Passwords, Privileges, and Logins
In this lesson, R8 is the router that needs to have basic Cisco IOS Software security features configured. Once R8 is configured, a remote host attempts to log in and perform some tasks.
This lesson covers the following configuration steps:
Step 1 Setting passwords
Step 2 Limiting connection time
Step 3 Configuring vtys and accessing the network remotely
Step 4 Creating user accounts
Step 5 Assigning privileges
Step 6 Local authentication, authorization, and accounting
Step 7 Remote administration with FTP
Step 8 Hiding Telnet addresses
Step 9 Verification
Step 1: Setting Passwords
First, you have to protect access to a router by setting various passwords. Prevent unauthorized login by configuring passwords on the console and virtual terminal lines. The syntax for both of them is identical, as follows:
After the line passwords are set, you need to take care of the privileged EXEC level. You should not use the enable password command because it is not secure and can give away a system password. Instead, opt for the following command:
The enable secret command, as well as the username passwords described in 'Creating User Accounts,' later in this lesson, can be up to 25 characters long, including spaces, and are case sensitive. Example 15-1 demonstrates the application of passwords on R8. Note that both the console and the vty passwords appear scrambled. This is because service password-encryption is enabled on the router to hide the real string from a passerby.
Example 15-1 Password Application on a Router
Step 2: Limiting Connection Time
For security reasons, you do not want to leave the connection to any port, be it console or remote connection, logged in indefinitely. If the connections are configured to time out automatically, the administrator is logged out by a router after a specified period if he forgets to do it himself. The syntax is the same for any line and is as follows:
In Example 15-2, the console and auxiliary (aux) port are both configured to time out after a 5-minute interval.
Example 15-2 Configuring a Timeout Period
NOTE
When you are in a lab-testing environment, a constant timeout can turn into a nuisance. If security is not an immediate concern, you can choose to set the timeout interval to infinity by using the exec-timeout 0 0 command. However, you should never do so in real-world networking.
Step 3: Configuring vtys and Accessing the Network Remotely
As you know, vtys are used for remote network connections to the router. Generally, all the router's vtys have the same configuration. If there are extra vtys that are not used, it is a good practice to disable them with the no line vty command.
Applying an access list to vtys can effectively limit access to the router by specifying which connections are allowed. The command for assigning an access list to vtys is as follows:
Some of the protocols supported by the vtys (for example, rlogin and web) are not secure. To minimize the security risk, you can confine the acceptable type of connection to Telnet only with the following command:
Example 15-3 shows IP access-list 5, which permits host 192.168.1.8. Applying access-list 5 to vty lines for inbound connections means that only one particular host can Telnet to R8.
Example 15-3 The vty Configuration
NOTE
While configuring these commands, make sure that you are connected via an aux or console port. If you perform the commands while logged in to the router via Telnet, you might inadvertently disconnect yourself.
Step 4: Creating User Accounts
In this scenario, administrators log in according to the local router database. Each administrator receives his own username, password, and privilege level assigned, which indicates the level of control an administrator has over the router. The following command places a user in a local database:
In Example 15-4, five administrators are assigned to the database. When they attempt to log in, they are authenticated by their username and corresponding password and are authorized to operate on the prescribed level.
Example 15-4 Creating a Local Database
Step 5: Assigning Privileges
Now that you have specified privilege levels for your users, you can assign a set of commands to a privilege level. Every user at the same privilege level can execute the same set. By default, every command in the Cisco IOS Software is designated for either level 1 or level 15. Level 0 exists, but it is rarely used. It includes the following five commands:
- disable
- enable
- exit
- help
- logout
To change the default level and assign certain commands to another level, use the following command:
Keep in mind that for security reasons, you should move some commands that allow too much freedom for a lower level to a higher level, not the other way around. If you move higher-level commands, such as the configure command, down, you might enable a user to make unauthorized changes by letting him modify his own level to a higher one. Example 15-5 shows how privilege level 3 is limited to three commands:
- telnet
- show ip route
- show startup
Example 15-5 Designating a Privilege Level
Step 6: Local Authentication, Authorization, and Accounting (AAA)
AAA technology is discussed in detail in Chapter 18, 'AAA Services.' Here, you are shown just a few AAA commands that make use of the local database that is configured in Steps 4 and 5 of this lesson. AAA has the following three separate functions:
Authentication—Authentication identifies users before admitting them into a network.
Authorization—Once a user is authenticated, authorization dictates what a user can accomplish on the network.
Accounting—Accounting tracks the user's actions and logs them to monitor resource usage.
Example 15-6 illustrates the AAA commands configured on R8. To start an AAA process, the aaa new-model command is defined. The next command, aaa authentication login default local, names a local database as the one that is used for authentication on R8. The aaa authorization config-commands command enables AAA authorization of configuration commands specified by the aaa authorization commands statement that follows. The aaa authorization exec default local command specifies the local database as the source of authorization information, and the aaa authorization commands 3 default local if-authenticated command means that provided the user has been authenticated successfully, he is authorized by the router, after looking up the local database, to use the specified privilege level 3 commands. The latter command is helpful in the debugging process. Its practical usage is discussed in 'Verification,' later in this lesson.
Example 15-6 AAA Configuration
NOTE
User admin is authorized to operate at privilege level 3 only if the user accesses the router via vty. If the same user attempted to access R8 via console, the user would receive privilege level 15.
Step 7: Remote Administration with FTP
You can use File Transfer Protocol (FTP) to transfer configuration files to and from the router for remote administration. FTP is preferred because Trivial File Transfer Protocol (TFTP) does not support authentication and is, therefore, less secure and should not be used to transfer configuration files. The following commands are used to make the router FTP ready:
The first command specifies the local interface that is set up for the FTP connection. The two subsequent commands create the username and password for authentication on the FTP server. Example 15-7 shows the FTP configuration on R8.
Example 15-7 Configuring FTP
Step 8: Hiding Telnet Addresses
Normally, when you try to Telnet to a device, the router displays the address to which the connection is attempted along with other connection messages. This allows an unauthorized passerby to see it. To suppress the Telnet address, issue the following command:
Step 9: Verification
Example 15-8 demonstrates the output of the debug aaa authentication command followed by the debug aaa authorization command. The combination of these two commands shows the process a router goes through while authenticating and authorizing a user admin logging in from the remote host 192.168.1.6, permitted by access-list 5.
Example 15-8 Debugging AAA
Note that the aaa authorization config-commands commands and aaa authorization commands 3 default local if-authenticated commands of this scenario's AAA configuration were not yet set at the time the debug commands from Example 15-8 were issued. This resulted in the debug output not displaying the user's activity after the user has been authorized.
Example 15-9 shows the debug command output after aaa authorization config-commands commands and aaa authorization commands 3 default local if-authenticated commands have been applied. You can see that the user has issued the show startup-config command authorized for their privilege level.
Example 15-9 Debugging AAA after the authorization config-commands Commands
Lesson 15-2: Disabling Services
Many services are offered by Cisco IOS Software. Although each service carries a useful function, it could present a potential security risk. When services are not used, you need to disable them. Otherwise, they open a security hole for an attacker to manipulate. This lesson is devoted to disabling unnecessary services on R8. Keep in mind that different Cisco IOS Software releases maintain different services on or off by default. If a service is off by default, disabling it does not appear in the running configuration. It is best, however, not to make any assumptions and to explicitly disable all unneeded services, even if you think they are already disabled.
The services covered in this lesson are as follows:
- Router name and DNS name resolution
- Cisco Discovery Protocol (CDP)
- TCP and UDP small servers
- Finger server
- NTP service
- BOOTP server
- Configuration auto-loading
- Proxy ARP
- IP source routing
- IP directed broadcast
- IP unreachables, redirects, and mask replies
Router Name and DNS Name Resolution
If no Domain Name System (DNS) server is specifically mentioned in the router configuration, by default all the name queries are sent to the broadcast address of 255.255.255.255. To alter the default behavior and turn off the automatic lookup, use the following command:
Cisco Discovery Protocol
The Cisco Discovery Protocol (CDP) is a proprietary protocol that Cisco devices use to identify their directly connected neighbors. CDP is not frequently used and, like any other unnecessary local service, is considered potentially harmful to security. You can use the following commands to turn off CDP—globally and per interface:
Disabling CDP per interface is a nice feature because it allows you to still run CDP for the parts of the network that need it.
TCP and UDP Small Servers
Two other services that you should turn off are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) small servers. They belong to the list of standard TCP and UDP services that hosts are expected to provide, but they are seldom needed. Use the following commands to disable the TCP and UDP small servers:
Finger Server
Next, you need to make sure that the Cisco IOS Software support for the UNIX finger protocol is disabled. Having the finger service enabled allows a user to view other active users. There are many known ways that the service can be misused and the information can fall into the wrong hands. To keep your network security in full force, you should consider turning off the finger service. After all, those who are not authorized to log in to the router have no business looking up those who do. Use the following command to disable the finger service:
NTP Service
If NTP, described earlier in 'Network Time Protocol Security,' is not used in the network, disable it with the following interface command:
BOOTP Server
In theory, the BOOTP service might sound like a good idea. It is meant for networks where a centralized strategy of Cisco IOS Software deployment is implemented: other routers can load their operating system from one router. However, the BOOTP protocol is seldom used, and it gives a hacker an opportunity to steal an IOS image. Therefore, in most situations, you should disable it using the following command:
Configuration Auto-Loading
A router can find its startup configuration in its own NVRAM or load it over the network. Loading it from elsewhere is a security risk. To disable the router's ability to get its configuration from the network, apply the following commands:
Proxy ARP
Proxy Address Resolution Protocol (ARP) replies are sent to an ARP request destined for another device. When an intermediate Cisco device knows the MAC address of the destination device, it can act as a proxy. When an ARP request is destined for another Layer 3 network, a proxy ARP device extends a LAN perimeter by enabling transparent access between multiple LAN segments. This presents a security problem. An attacker can issue multiple ARP requests and use up the proxy ARP device's resources when it tries to respond to these requests in a denial-of-service (DoS) attack.
Proxy ARP is enabled on Cisco router interfaces. Disable it with the following interface command whenever it is not needed:
NOTE
If, however, static routes use the interface as the destination instead of a next-hop router, proxy ARP is required.
IP Source Routing
The IP packet header can carry options. Cisco IOS Software examines the options and acts accordingly. One option indicates source routing, which means that the packet specifies its own route. Even though it is enabled by default, this feature has several drawbacks. First, allowing source routing in the ISP environment means that a customer selects a route as they please. Also, this feature poses a known security risk, such as a hacker taking control of a packet's route and directing it through his own network. So, if source routing is not necessary in your network, you should disable it on all routers by using the following command:
IP-Directed Broadcast
If IP directed broadcast is enabled on a router's interface, the interface responds to Internet Control Message Protocol (ICMP) requests directed to the broadcast address of its subnet. This can cause excessive traffic and possibly bring a network down, which is a technique often used by hackers in a smurf attack.
NOTE
During a smurf attack, the ping requests sent to a broadcast address are forwarded to up to 255 hosts on a subnet. Because the return address of the ping request is spoofed to be the address of the attack target, all hosts that receive the ping requests reply to the attack target, flooding it with replies.
You can turn off IP directed broadcast capability on every interface with the following command:
IP Unreachables, Redirects, and Mask Replies
ICMP messages that are automatically sent by Cisco routers in response to various actions can give away a lot of information, such as routes, paths, and network conditions, to an unauthorized individual. Attackers commonly use the following three types of ICMP message response features:
- Unreachable—A response to a nonbroadcast packet that uses an unknown protocol, known as Protocol Unreachable, or a response to a packet that a responding device failed to deliver because there is no known route to the destination (Host Unreachable)
- Redirect—A response to a packet that notifies the sender of a better route to a destination
- Mask Reply—A response from a network device that knows the subnet mask for a particular subnet in an internetwork to a Mask Request message from a device that requires that knowledge
To disable the automatic messaging feature on interfaces, use the following commands:
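Example 15-10 is not reproduced on this page. The following R8 configuration is added here as a reconstruction of every disable command this lesson describes, in the order the services were covered; it is not the book's own listing, and FastEthernet0/1 is an assumed interface name (the interface commands are repeated on every interface that needs them).

```cisco
! Global services
! Stop name queries from being broadcast to 255.255.255.255
no ip domain-lookup
! CDP off for the whole router (use "no cdp enable" per interface instead
! if some segments still need CDP)
no cdp run
! TCP and UDP small servers (echo, chargen, discard, daytime)
no service tcp-small-servers
no service udp-small-servers
! Finger server
no ip finger
! BOOTP server
no ip bootp server
! Configuration auto-loading over the network
no service config
no boot network
! Packets carrying a source-route option are dropped
no ip source-route
!
! Per-interface services (interface name assumed)
interface FastEthernet0/1
 no cdp enable
 ntp disable
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
 no ip mask-reply
```

Because services that are already off by default do not appear in the running configuration, use show running-config only to confirm the explicit lines you entered, as the text on default settings above explains.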
Verification
Example 15-10 shows that all the services discussed in this lesson are disabled on R8. You do not see some of them in the running configuration output because of the default settings in this particular version of Cisco IOS Software.
Example 15-10 Disabling Unnecessary Services
Lesson 15-3: Setting up a Secure HTTP Server
In this scenario, R8 needs to be configured as the HTTP server so that it allows remote management through the Cisco web browser interface. The syntax for the HTTP server command is as follows:
Specifying the Port Number
You should change the HTTP port number from the default of 80 to something else to hide the HTTP server from an intruder. To modify the default, use the following command:
Specifying Authentication Technique
Next, you need to set up basic user authentication on your HTTP server. Although you can use AAA services for this purpose, this example queries the local database. The configuration of usernames and passwords in the database was discussed in the first lesson in 'Configuring Passwords, Privileges, and Logins.' Use the following command to set up basic user authentication on your local HTTP server:
Limiting Access to the Server
To limit access to the server, you can create an access list and then apply it to the HTTP configuration. To associate the list with the HTTP server access, generate the following command:
Syslog Logging
You can choose to enable the logging of a router's events to a syslog server, including the HTTP-related activity. To specify syslog logging, use the following set of commands:
The first command on the list, logging on, turns logging on. The logging facility [syslog] command names a syslog server as the logging monitor. The logging source-interface local-interface command identifies the local interface that forwards logs to the server. The logging syslog-server-address command points to the syslog server's IP address. The logging trap command sets the trap level.
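Example 15-11 is not reproduced on this page. The following R8 configuration is added here as a reconstruction of the HTTP and syslog commands this lesson describes, using the port, access list, host and interface values the Verification text gives; it is not the book's own listing, and the syslog server address and trap level are placeholders.

```cisco
! R8: HTTP server for web-based management
ip http server
! Move the server off the default port 80
ip http port 8080
! Authenticate web users against the local username database
ip http authentication local
! Only the source permitted by access-list 11 may reach the HTTP server
ip http access-class 11
access-list 11 permit 192.168.1.8
!
! Syslog logging of router events, including HTTP activity
logging on
logging facility syslog
logging source-interface FastEthernet0/1
! Syslog server address is a placeholder
logging <SYSLOG-SERVER-IP>
! Severity level to forward; "informational" is assumed here
logging trap informational
```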
Verification
Example 15-11 displays the running configuration of R8. Notice the resolution of the HTTP commands. For example, the port number is changed to 8080. Access-list 11, permitting host 192.168.1.8, was created on R8. FastEthernet0/1 forwards logs to the server.
Example 15-11 HTTP Configuration
Now that the HTTP server has been successfully configured, an authorized user can log in. Figures 15-1 and 15-2 show the browser login prompt and the postlogin screen, respectively.
Figure 15-1 HTTP Login Prompt
Figure 15-2 Administrator's Browser Screen
Case Study 15-1: Secure NTP Configuration
Figure 15-3 describes the network topology where R6 is a client of two NTP masters: R5 and R8. To throw in a twist, PIX2 is placed between R8 and R6. This case study is not meant as an in-depth demonstration of the NTP protocol. The main goal is to achieve a functional, secure NTP configuration between the three routers using MD5 authentication.
Figure 15-3 Network Topology for NTP Configuration
This case study covers the following steps:
Step 1 Setting up time
Step 2 Setting up NTP relationships
Step 3 Configuring PIX2
Step 4 Restricting NTP access
Step 5 Configuring NTP authentication
Step 6 Verification
Step 1: Setting up Time
If you are using a local router as your time synchronization source, the first task you need to complete is to set the clock on the router that is to be your server, R5 in this case. The following command establishes the time (in military format) and date on the router:
Then, on all participating routers, set the time zone as compared to the Coordinated Universal Time (UTC). Also, configure the routers to automatically switch to daylight-saving time when appropriate. The following two commands identify the time zone and configure daylight-saving time for that zone:
This scenario uses Pacific Standard Time (PST), offset 8 hours from the UTC. The summertime clock comes into effect on the first and ends on the second specified day every year, as shown in Example 15-12.
Example 15-12 Coordinating Clocks
Step 2: Setting Up NTP Relationships
When an external NTP source is not available, as is the case with this NTP configuration scenario, you need to designate a local router as the master that is to be the source of time in the network. To appoint a router as the NTP master, use the following command:
To implement redundancy, two routers act as masters: R5 and R8. When an NTP client is configured with several NTP masters, the stratum level of a master is the deciding factor. The stratum level of R5 is 1, and the stratum level of R8 is 3; this means that R5 takes precedence over R8.
Next, you need to set up peering between routers for clock synchronization. Use the following command:
Each router in the network has been peered up with the two other routers, as shown in Example 15-13.
Example 15-13 NTP Router Relationships
Step 3: Configuring PIX2
Because R8 is separated from R6 by PIX2, the configuration is not fully functional without the firewall's involvement. For a comprehensive reference on the PIX functions and commands, see Chapter 23, 'Cisco PIX Firewall.' In this case study, you are offered a short explanation of the commands that are necessary to enable NTP between the routers.
In Example 15-14, you can see that inside and outside interfaces have been assigned their IP addresses. R6 was associated with IP address 130.100.26.6 with the name 130.100.26.6 R6 statement. Inside-to-outside Network Address Translation (NAT) has been enabled with the global (outside) 10 interface and nat (inside) 10 0.0.0.0 0.0.0.0 0 0 commands. The static(inside,outside) 130.100.26.8 192.168.1.1 netmask 255.255.255.255 0 0 command specifies the outside IP address to be translated to the inside for packet forwarding to R8. The route outside 0.0.0.0 0.0.0.0 R6 1 command designates R6 as the default gateway to the outside. Finally, the access list permitting NTP traffic destined for R8 has been applied to the inbound traffic of the outside interface.
Example 15-14 PIX2 Configuration for NTP
Step 4: Restricting NTP Access
You can assign an access list to the NTP process to exercise better control over your NTP synchronization. For example, R6 needs to limit the sources of its NTP updates to R5 and R8 only. To allow NTP traffic from the two routers, specify an access list, such as the one in Example 15-15, allowing 140.100.56.5 and 130.100.26.8, and apply it to NTP with the following command:
Example 15-15 NTP Access List
Step 5: Configuring NTP Authentication
You have reached the final step of this configuration. NTP supports MD5 authentication, which is useful for preserving your network's security. When MD5 authentication is enforced, your router can be sure that the NTP updates that arrived are from the authorized source. To configure NTP MD5 authentication, perform the following tasks on all the participating routers:
Step 1 Start the NTP authentication process.
Step 2 Specify the NTP authentication-key, MD5 authentication type and string.
Step 3 Set up an NTP trusted key that matches the authentication-key.
Step 4 Add the authentication-key to the peer statements.
To accomplish these tasks, use the following commands and review their application on the routers shown in Example 15-16:
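Examples 15-12 through 15-16 are not reproduced on this page. The following configuration is added here as a reconstruction of Steps 1 through 5 of this case study on R5, R8, R6 and PIX2, using the addresses, stratum levels and time zone the text gives; it is not the book's own listing. The clock value, the MD5 key string, the access-list numbers and the PIX access-list name are placeholders or assumptions.

```cisco
! ---- R5 (stratum-1 master) ----
! Step 1, in privileged EXEC before the rest (date and time assumed):
!   clock set 10:00:00 1 March 2003
clock timezone PST -8
clock summer-time PDT recurring
! Step 2: R5 is the preferred master (lower stratum wins)
ntp master 1
! Step 5: MD5 authentication; the key string is a placeholder
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY-STRING>
ntp trusted-key 1
ntp peer 130.100.26.8 key 1
ntp peer 130.100.26.6 key 1
!
! ---- R8 (stratum-3 master, inside PIX2 as 192.168.1.1) ----
clock timezone PST -8
clock summer-time PDT recurring
ntp master 3
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY-STRING>
ntp trusted-key 1
ntp peer 140.100.56.5 key 1
ntp peer 130.100.26.6 key 1
!
! ---- R6 (client of R5 and R8) ----
clock timezone PST -8
clock summer-time PDT recurring
! Step 4: only R5 and R8 may act as NTP peers of R6 (ACL number assumed)
access-list 20 permit 140.100.56.5
access-list 20 permit 130.100.26.8
ntp access-group peer 20
ntp authenticate
ntp authentication-key 1 md5 <NTP-KEY-STRING>
ntp trusted-key 1
ntp peer 140.100.56.5 key 1
ntp peer 130.100.26.8 key 1
!
! ---- PIX2 (Step 3; interface addressing not shown) ----
names
name 130.100.26.6 R6
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
! R8 is reachable from the outside as 130.100.26.8
static (inside,outside) 130.100.26.8 192.168.1.1 netmask 255.255.255.255 0 0
! Permit only NTP (UDP 123) towards R8 on the outside interface
access-list ntp-in permit udp any host 130.100.26.8 eq 123
access-group ntp-in in interface outside
route outside 0.0.0.0 0.0.0.0 R6 1
```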
Example 15-16 MD5 Authentication of NTP
Step 6: Verification
To verify that your NTP configuration is working properly, issue the following commands on any of the routers (see Example 15-17):
Example 15-17 Verifying NTP Operation
NOTE
If you make any changes to the master or the client NTP configuration, they do not take effect until you restart the router in question.
Case Study 15-2: Configuring SSH
In this case study, R5 has been selected as an SSH server. After you complete the necessary configuration tasks, an SSH-enabled client—R6 in this case—can securely connect to the router for administration. (Refer to Figure 15-3 to see the topology.)
The preliminary tasks for configuring SSH are specifying a host name and a domain name for a router. As a result, two statements—hostname R5 and ip domain-name cisco.com—have been placed on R5. After taking this non-SSH-specific step, you can begin the SSH configuration procedure, which includes the following steps:
Step 1 Allowing access for a client
Step 2 Setting up usernames
Step 3 Generating RSA keys
Step 4 Fine-tuning SSH
Step 5 Verification
Step 1: Allowing Access for a Client
To limit SSH access to a known client only, create an access list that specifies the IP address of R6. The access-list 15 permit 140.100.56.6 log command is a standard access list that helps achieve the desired outcome.
The syntax for the command that assigns an inbound access list to the vtys was discussed in Lesson 15-1. When applied to this scenario, it results in the following line-mode command:
Step 2: Setting Up Usernames
The next step is to create user accounts, as described in Lesson 15-1. However, instead of using AAA, a local login has been specified here, as follows:
In other words, the login local command indicates to the router that when a user is trying to connect via SSH, the router uses the local database configured with the username admin privilege 15 password cisco command to authenticate the said user.
Step 3: Generating RSA Keys
For R5 to become an SSH server, it needs to get an RSA key pair. To generate a new RSA key pair for R5, use the following command:
At the next prompt, R5.cisco.com is used as the name for the keys, and the default of 512 bits is accepted for the key modulus. By generating the RSA key pair, you automatically enable SSH on the router. To exercise further control over SSH, use the commands described in the next step.
Step 4: Fine-Tuning SSH
Authentication timeout is the interval, measured in seconds, that the server waits until a client responds with a password. The default and the maximum are both 120 seconds. In this configuration, the timeout stands at 60 seconds. The syntax for configuring the authentication timeout is as follows:
If a user logs in incorrectly several times, the router drops the connection. The default for authentication attempts is 3, and the maximum is 5. In this example, the default is kept, but the syntax for the command is as follows:
In Lesson 15-1, you allowed Telnet as the type of connection over vtys on R8. Here, you specify SSH as the connection of choice in the following manner:
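Example 15-18 is not reproduced on this page. The following R5 configuration is added here as a reconstruction of Steps 1 through 4 of this case study from the commands the text names; it is not the book's own listing. The vty range and the R6 client command are assumptions.

```cisco
! Prerequisites: host and domain name give the RSA key pair its name (R5.cisco.com)
hostname R5
ip domain-name cisco.com
!
! Step 1: only the R6 client may reach the vtys; matches are logged
access-list 15 permit 140.100.56.6 log
!
! Step 2: local account consulted by "login local"
username admin privilege 15 password cisco
!
! Step 3: generate the RSA key pair (accept the default 512-bit modulus at the
! prompt); this also enables the SSH server
crypto key generate rsa
!
! Step 4: 60-second authentication timeout, default of 3 attempts, SSH only
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 15 in
 login local
 transport input ssh
!
! From R6 (privileged EXEC), assumed client command for Step 5:
!   ssh -l admin 140.100.56.5
```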
Step 5: Verification
Example 15-18 shows the output of the running configuration of R5. All the steps that have been covered in this case study are displayed.
Example 15-18 SSH Configuration
To determine whether the configuration is working, the next logical step is to try to connect to R5 from R6 via SSH. Issue the following statement on R6, as shown in Example 15-19:
Type in the password at the prompt.
Example 15-19 Connecting from R6 to R5 via SSH
Once you are successfully connected, you can input show ssh on R5 to verify that SSH has been successfully enabled and check that your session is using SSH. Example 15-20 shows the output of the show ssh command, which displays the status of SSH server connections, and the show ip ssh command, which demonstrates the version and configuration data for SSH.
Example 15-20 The show ssh and show ip ssh Commands on R5
If you use the Cisco IOS Software debug ip ssh command, you can monitor the SSH operation. Example 15-21 illustrates the output of the debug ip ssh client command. The first part of the output is the display of user activity, and the second is the log line that was recorded after the user exited the SSH server.