Article Summary:
In some environments, secure management access may be desired. This article provides the steps necessary to restrict management access using HTTPS and SSH.
Caution: This process requires use of the Command Line Interface (CLI). This process can be utilized through a serial or telnet session. However these steps must be followed in order to prevent unintentionally blocking access to remote management.
This procedure assumes:
- The switch is already configured with an IP address and is reachable within the network.
- There is an account created with Privilege Level 15. To verify this, use the command: console#show users accounts
Note: After completing these steps, you can expect to receive errors about certificate authenticity. This is due to the certificates and keys being self-generated. This is not an error.
Caution: Before disabling either telnet or HTTP access, verify SSH or HTTPS access.
Note: If SSH or HTTPS is enabled and the disabling of telnet and HTTP is desired, skip to step 3 to disable telnet and step 5 to disable HTTP.
- Connect to the switch via CLI
- To enable SSH, enter the following commands:
- console>enable
- console#config
- console(config)#crypto key generate rsa
- console(config)#crypto key generate dsa
- console(config)#ip ssh server
- To disable telnet, enter: console(config)# ip telnet server disable
- To enable HTTPS, enter the following commands"
- console(config)# crypto certificate 1 generate
- console(config-crypto-cert)#key-generate <512-2048>
- console(config-crypto-cert)#exit
- console(config)#ip https certificate 1
- console(config)# ip https server
Note: This system is capable of the generation and storage of 2 certificates. To generate the second key, replace the number 1 with 2. To activate the second key, use (config)#ip https certificate 2.
- To disable HTTP, enter: console(config)# no ip http server
- After verifying connectivity via SSH or HTTPS, save the configuration by entering: console#copy running-config startup-config