A reachable IP address is necessary to manage the switch when not using a serial connection. To set an IP address, input the following commands. This example uses VLAN 1, the default VLAN, and the IP 192.168.0.250 /24.
console> enable
console# configure
console(config)# interface vlan 1
console(config-if)# ip address 192.168.0.250 255.255.255.0

console(config)# interface out-of-band
console(config-if)# ip address 192.168.0.250 255.255.255.0
It is recommended to use the OOB interface to manage your switch when available. The OOB interface is separate from the switching silicon, and reaches the CPU directly. If the production network is experiencing issues, you can still reach the switch through the OOB interface.
When using a VLAN to manage your network, it is recommended to create a separate VLAN exclusively for management. This separates management traffic from your data traffic, which not only helps with performance but also slightly increases security. You can manage the switch through any reachable VLAN IP address.
If managing the switch from an external network, you must assign the switch a Default Gateway it can use to reach other networks. The following command uses 192.168.0.1 as the Default Gateway address.
console(config)# ip default-gateway 192.168.0.1
To manage the switch, a username and password are required. To manage the switch using telnet or SSH, it is best practice to have an enable password. Input the following commands to configure login access. This is an example with the username as Dell, and password as MYPASSWORD. The enable password example uses ENP@$$w0rd. These are just examples, and passwords should adhere to your organization's applicable security policy.
console> enable
console# configure
console(config)# username Dell password MYPASSWORD privilege 15
console(config)# enable password ENP@$$w0rd
The default allowed protocols for management are Telnet and HTTP. Telnet and SSH provide command-line based management through a tool such as PuTTY. HTTP and HTTPS provide UI-based management through a web browser. It is possible to run all four, or none of the protocols. With all the previous options disabled, there is still the option of serial console.
For security, it is recommended to disable Telnet and HTTP, and enable SSH and HTTPS. Telnet and HTTP transfer packets in plain text, meaning that anyone capturing traffic can read all commands or functions pushed to the switch while managing it. SSH and HTTPS encrypt the traffic, which strengthens the packet security.
To enable SSH and HTTPS, input the following commands. SSH and HTTPS require the generation of a DSA and an RSA key. HTTPS requires the creation of a certificate.
console(config)# crypto key generate dsa
console(config)# crypto key generate rsa
console(config)# ip ssh server
console(config)# crypto certificate 1 generate
console(config-crypto-cert)# key-generate
console(config-crypto-cert)# exit
console(config)# ip http secure-server
To disable Telnet and HTTP, input the following commands:
console(config)# ip telnet server disable
console(config)# no ip http server
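To confirm that a switch ended up in the recommended state, the following added example (not part of the original guide or of any Dell tooling) audits configuration text for the management-plane lines used on this page. It assumes the lines appear exactly as typed above; a real running-config may render them differently (for example, with encrypted passwords), and the function names and sample inputs are constructed for illustration.

```python
import re

# Management-plane lines as typed on this page. Telnet and HTTP are on by
# default, so they count as enabled unless the disabling line is present.
DISABLE_LINES = {"telnet": "ip telnet server disable", "http": "no ip http server"}
ENABLE_LINES = {"ssh": "ip ssh server", "https": "ip http secure-server"}


def normalize(config_text):
    """Strip prompts such as 'console(config)#' and collapse whitespace."""
    lines = set()
    for raw in config_text.splitlines():
        line = re.sub(r"^\s*console(\([^)]*\))?[#>]\s*", "", raw)
        line = " ".join(line.split())
        if line and not line.startswith("!"):
            lines.add(line)
    return lines


def audit(config_text):
    """Return a sorted list of findings; an empty list means the check passed."""
    lines = normalize(config_text)
    findings = []
    for proto, line in DISABLE_LINES.items():
        if line not in lines:
            findings.append(f"{proto} still enabled (missing '{line}')")
    for proto, line in ENABLE_LINES.items():
        if line not in lines:
            findings.append(f"{proto} not enabled (missing '{line}')")
    if not any(l.startswith("enable password ") for l in lines):
        findings.append("no enable password set")
    if not any(re.match(r"username \S+ password \S+", l) for l in lines):
        findings.append("no local username configured")
    return sorted(findings)


# Constructed sample inputs, not captured from a real switch.
DEFAULTS = "console(config)# username Dell password MYPASSWORD privilege 15\n"
HARDENED = DEFAULTS + """console(config)# enable password ENP@$$w0rd
console(config)# ip ssh server
console(config)# ip http secure-server
console(config)# ip telnet server disable
console(config)# no ip http server
"""

if __name__ == "__main__":
    print(audit(DEFAULTS), audit(HARDENED) or "OK")
```

Because Telnet and HTTP are treated as enabled unless explicitly disabled, a configuration that only adds SSH and HTTPS still fails the check.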
When satisfied with the configuration, save it so that it persists if the switch reboots. Input the following command to save your configuration:
console# write memory
This operation may take a few minutes.
Management interfaces will not be available during this time.
Are you sure you want to save? (y/n) y