Securing Extreme Switch (enabling SSH2)

The idea is to enable SSH2, restrict it with an access list, and disable telnet and web access so that the switch can only be managed over SSH from the management network. Here is the procedure:

1. Upload and install the ssh module
2. Enable ssh2
3. Create an access list
4. Enable idle timeout
5. Disable telnet and web access
6. Save

The tools we need are the following:

1. Laptop, console cable, switch, Ethernet cable.
2. 3CDaemon as the TFTP server and SecureCRT for the console session.

The explanation for each step follows:

0. We will need two VLANs: one to upload the module from, and a second one to prove later that the access list really blocks SSH from addresses outside the management range. We create vlan remote01 (port 1, 10.0.254.254/24) and remote02 (port 2, 192.168.254.254/24).

create vlan remote01    
configure vlan remote01 ipaddress 10.0.254.254/24
configure vlan remote01 add port 1 untagged
create vlan remote02    
configure vlan remote02 ipaddress 192.168.254.254/24
configure vlan remote02 add port 2 untagged

1. Upload and install the ssh module.

The download command runs on the switch, so from the switch's point of view we download the ssh2 module from the TFTP server on the laptop (10.0.254.1). The module version must match the EXOS version that is running: summitX-15.1.1.6-ssh.xmod belongs with EXOS 15.1.1.6, and a mismatched xmod will not install.

Figure 1. 3CDaemon. Set the TFTP root directory to the folder that contains the ssh2 module, otherwise the download fails.

  • download image 10.0.254.1 summitX-15.1.1.6-ssh.xmod vr "VR-Default" secondary 
  • download image 10.0.254.1 summitX-15.1.1.6-ssh.xmod vr "VR-Default" primary 

2. Now we enable ssh2 on each image (an Extreme switch has two image partitions, primary and secondary, and the module has to be activated on each one, so the sequence below is done twice).

  • use image secondary 
  • reboot
  • run update
  • start process exsshd
  • enable ssh2 

Verify SSH2 now from the laptop (SecureCRT, PuTTY, or the console), or use the show management command, which should give output like the following. Check that the SSH access line says "Key valid"; enable ssh2 needs a host key, and if no valid key is reported, generate one with configure ssh2 key. Telnet is still enabled at this point; it is disabled in step 5.

CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled (this session only)
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Disabled (this session only)
Telnet access                    : Enabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Access Profile : not set
Web access                       : Disabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities      : 1
Total Read Write Communities     : 1
RMON                             : Disabled
SNMP access                      : Enabled
                                 : Access Profile : not set
SNMP Traps                       : Enabled
SNMP v1/v2c TrapReceivers        : None
 
SNMP stats:     InPkts 0       OutPkts   0       Errors 0       AuthErrors 0
                Gets   0       GetNexts  0       Sets   0       Drops      0       
SNMP traps:     Sent   0       AuthTraps Enabled
SNMP inform:    Sent   0       Retries   0       Failed 0

Enable ssh2 on the primary image:

  • use image primary 
  • reboot
  • run update
  • start process exsshd
  • enable ssh2

And check again with show management 🙂

3. Create an ssh2 access list

We will create an access list that permits SSH from source addresses in 10.0.0.0/16 and denies everything else. Mind the mask: 10.0.0.0/16 covers 10.0.0.0 to 10.0.255.255, so it includes the remote01 VLAN (10.0.254.0/24) but not remote02 (192.168.254.0/24).

We create a policy, ssh2-acl:

  • edit policy ssh2-acl

Fill the following into the text editor (Extreme uses vi, by the way 🙂). Saving from vi (:wq) writes ssh2-acl.pol to the switch file system; the policy is a file on the switch, not part of the configuration, and entries are evaluated top to bottom with the first match winning, so AllowManagementIP must come before DenyAll.

entry AllowManagementIP {
    if match any {
        source-address 10.0.0.0/16;
    }
    then {
        permit;
    }
}
entry DenyAll {
    if match any {
        source-address 0.0.0.0/0;
    }
    then {
        deny;
    }
}

Apply it to SSH2:

  • configure ssh2 access-profile ssh2-acl   

Verify:

  • show policy
  • check policy ssh2-acl (syntax-checks the policy file)
  • Ping 10.0.254.254 and 192.168.254.254 from the laptop, moving the Ethernet cable to port 1 and port 2 respectively. Both must succeed: the access profile only governs SSH, not IP reachability.
  • SSH to 10.0.254.254 from port 1 (must succeed) and to 192.168.254.254 from port 2 (must fail, because the laptop's source address on remote02 is outside 10.0.0.0/16 and hits DenyAll).

Note that the profile is applied to SSH2 only; the show management output above still shows SNMP access enabled with "Access Profile : not set", so SNMP stays reachable from anywhere until it gets its own profile or is disabled.
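The policy above is evaluated top to bottom, first match wins, and the /16 decides exactly which laptop addresses get in. The following Python script is an added example, not code from the original post or from Extreme: it parses the two entries exactly as written above (the subset of the EXOS policy language they use, plus the match all form), evaluates candidate source addresses the way the switch would, flags entries that can never match (the classic mistake of putting DenyAll first), and, when run with the switch address as an argument, probes TCP 22, 23 and 80 so you can confirm the end state after steps 4 and 5. The policy text inside the script is a constructed copy of ssh2-acl; the sample addresses are assumptions; the port numbers come from the show management output. Everything except the optional probe runs offline.

```python
#!/usr/bin/env python3
"""Added example: evaluate an EXOS access-profile policy offline and probe the
management ports. Not part of the original post; SSH2_ACL below is a constructed
copy of the ssh2-acl entries shown above."""
import ipaddress
import re
import socket
import sys

SSH2_ACL = """
entry AllowManagementIP {
    if match any {
        source-address 10.0.0.0/16;
    }
    then {
        permit;
    }
}
entry DenyAll {
    if match any {
        source-address 0.0.0.0/0;
    }
    then {
        deny;
    }
}
"""

# Subset of the policy language used for ssh2 access profiles:
# entry NAME { if match any|all { source-address CIDR; ... } then { permit|deny; } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s+match\s+(?P<mode>any|all)\s*\{(?P<conds>.*?)\}"
    r"\s*then\s*\{(?P<action>.*?)\}\s*\}",
    re.DOTALL,
)
COND_RE = re.compile(r"source-address\s+(\S+?)\s*;")
ACTION_RE = re.compile(r"\b(permit|deny)\b")


def parse_policy(text):
    """Return [(name, mode, [ip_network, ...], action)] in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        nets = [ipaddress.ip_network(c, strict=False) for c in COND_RE.findall(m["conds"])]
        action = ACTION_RE.search(m["action"])
        if not nets or action is None:
            raise ValueError(f"entry {m['name']}: missing source-address or permit/deny")
        entries.append((m["name"], m["mode"], nets, action.group(1)))
    if not entries:
        raise ValueError("no policy entries found")
    return entries


def evaluate(entries, src):
    """First match wins, as on the switch. Returns (entry_name, action), or
    (None, None) when nothing matches, so a policy that relies on an implicit
    default instead of an explicit DenyAll shows up as None."""
    ip = ipaddress.ip_address(src)
    for name, mode, nets, action in entries:
        hits = [ip in net for net in nets]
        if (any(hits) if mode == "any" else all(hits)):
            return name, action
    return None, None


def shadowed_entries(entries):
    """Names of entries that can never match because earlier entries already
    catch every address they could match (e.g. DenyAll placed first)."""
    covering = []   # networks from earlier entries that match on their own
    shadowed = []
    for name, mode, nets, action in entries:
        covered = [any(net.subnet_of(c) for c in covering) for net in nets]
        # an 'any' entry is dead if every network is covered; an 'all' entry if one is
        if (all(covered) if mode == "any" else any(covered)):
            shadowed.append(name)
        if mode == "any" or len(nets) == 1:
            covering.extend(nets)
    return shadowed


def probe_ports(host, ports=(22, 23, 80), timeout=3.0):
    """TCP connect to each port; True means the connection was accepted. After
    steps 4 and 5 only 22 should accept. This does not replace the login test in
    step 3: run it from both VLANs and also try an actual SSH login."""
    state = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                state[port] = True
        except OSError:
            state[port] = False
    return state


if __name__ == "__main__":
    policy = parse_policy(SSH2_ACL)
    for src in ("10.0.254.1", "10.1.0.1", "192.168.254.1"):   # assumed sample sources
        print(src, "->", evaluate(policy, src))
    print("shadowed entries:", shadowed_entries(policy) or "none")
    if len(sys.argv) > 1:   # e.g. python3 check_ssh2_acl.py 10.0.254.254
        print(probe_ports(sys.argv[1]))
```

Running it without arguments shows that 10.0.254.1 is permitted while 10.1.0.1 and 192.168.254.1 both fall through to DenyAll (10.1.0.1 is outside the /16 even though it is a 10.x address), and that no entry is shadowed; swap the two entries and AllowManagementIP is reported as unreachable. With the switch address as an argument, run it from port 1 after step 5 and expect only port 22 to accept.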

4. Enable idle timeout

  • enable idletimeout

The default is 20 minutes, as the show management output above reports; configure idletimeout with a number of minutes changes it.

5. Disable telnet and web (HTTP) access

  • disable telnet
  • disable web http

Do this from the console, or from an SSH session that you have already confirmed works, and keep that session open until a fresh SSH login from 10.0.254.x succeeds. A mistake in the policy would otherwise leave the console as the only way in.

6. Save

Save the configuration under both default names (primary.cfg and secondary.cfg), so it is in place whichever configuration the switch is set to boot with:

  • save configuration primary
  • save configuration secondary