
Securing Extreme Switch (enabling SSH2)

The idea is to enable ssh2, create an access list for ssh2, and disable telnet and web access. Here's the procedure:
1. Upload and install the ssh module
2. Enable ssh2
3. Create access list
4. Enable idle timeout
5. Disable telnet and web access
6. Save

Some tools we need are the following:
1. Laptop, console, switch, Ethernet cable.
2. 3CDaemon for TFTP Server and SecureCRT for console remote.

The explanation for each step is the following:

0. We will need 2 vlans for uploading the module and testing the ssh2 functionality. We create vlan remote01 (port a, w.x.y.z) and remote02 (port b, m.n.o.p).
create vlan remote01
configure vlan remote01 ipaddress 10.0.254.254/24
configure vlan remote01 add port 1 untagged
create vlan remote02
configure vlan remote02 ipaddress 192.168.254.254/24
configure vlan remote02 add port 2 untagged

1. Upload and install the ssh module. Using the TFTP Server, we download (from the view of the switch) the ssh2 module.

Figure 1. 3CDaemon. Don't forget to set the directory correctly (to the folder where the ssh2 module exists)!

download image 10.100.241.251 summitX-15.1.1.6-ssh.xmod vr "VR-Default" secondary
download image 10.100.241.251 summitX-15.1.1.6-ssh.xmod vr "VR-Default" primary

2. Now, we will enable ssh2 on each image (FYI, an Extreme switch holds 2 images, primary and secondary).
use image secondary
reboot
run update
start process exsshd
enable ssh2

Verify the ssh2 functionality right now (using SecureCRT/PuTTY/console from the laptop), or use the show management command, which gives the following result:
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled (this session only)
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Disabled (this session only)
Telnet access                    : Enabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Access Profile : not set
Web access                       : Disabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities      : 1
Total Read Write Communities     : 1
RMON                             : Disabled
SNMP access                      : Enabled
                                 : Access Profile : not set
SNMP Traps                       : Enabled
SNMP v1/v2c TrapReceivers        : None
SNMP stats:    InPkts 0    OutPkts   0        Errors 0    AuthErrors 0
               Gets   0    GetNexts  0        Sets   0    Drops      0
SNMP traps:    Sent   0    AuthTraps Enabled
SNMP inform:   Sent   0    Retries   0        Failed 0

Enable ssh2 on the primary image:
use image primary
reboot
run update
start process exsshd
enable ssh2

And check again.

3. Create an ssh2 access list
We will create an access list that allows remote ssh from the incoming address 10.0.0.0 and denies the rest. We create a policy, ssh2-acl:
edit policy ssh2-acl

Fill the following into the text editor (Extreme uses vi, by the way):
entry AllowManagementIP {
    if match any {
        source-address 10.0.0.0/16;
    }
    then {
        permit;
    }
}
entry DenyAll {
    if match any {
        source-address 0.0.0.0/0;
    }
    then {
        deny;
    }
}

Enable it
configure ssh2 access-profile ssh2-acl

Show policy
check policy ssh2-acl

Verify
Try to ping 10.0.254.254 and 192.168.254.254 (from the laptop, moving the Ethernet cable to port 1 and port 2, respectively). Both must succeed. Try to ssh to 10.0.254.254 (must succeed) and to 192.168.254.254 (must not succeed, because it isn't listed in the access list).

4. Enable idle timeout
enable idletimeout

5. Disable telnet and web http
disable telnet
disable web http

6. Save
Save to both images:
save primary
save secondary
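
An added example (not part of the original document): a Python check that parses show management output in the layout shown above and reports whether the end state of this procedure holds, i.e. idle timeout on, telnet and web off, ssh2 on with the ssh2-acl access profile. The AFTER sample is constructed, and it is an assumption that the switch prints the policy name in the "Access Profile" row once one is set.

```python
# Rows taken from the page's "show management" output (layout only); the
# post-hardening values in AFTER are assumed, not captured from a switch.
TEMPLATE = """\
CLI idle timeout                 : Enabled (20 minutes)
Telnet access                    : {telnet} (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Access Profile : {profile}
Web access                       : Disabled (tcp port 80)
                                 : Access Profile : not set
"""
BEFORE = TEMPLATE.format(telnet="Enabled", profile="not set")   # as on the page
AFTER = TEMPLATE.format(telnet="Disabled", profile="ssh2-acl")  # constructed

def parse_management(text):
    """Map each label to {'value', 'profile'}. A row with an empty label is
    the access-profile continuation of the row above it."""
    settings, last = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label, value = label.strip(), value.strip()
        if label and sep:
            last = label
            settings[label] = {"value": value, "profile": None}
        elif sep and last and value.startswith("Access Profile"):
            settings[last]["profile"] = value.partition(":")[2].strip()
    return settings

# (label, required start of its value, finding reported otherwise)
CHECKS = [
    ("CLI idle timeout", "Enabled", "idle timeout is not enabled"),
    ("Telnet access", "Disabled", "telnet is still enabled"),
    ("Web access", "Disabled", "web access is still enabled"),
    ("SSH access", "Enabled", "ssh2 is not enabled"),
]

def audit(text, expected_profile="ssh2-acl"):
    """Return findings; an empty list means the procedure's end state holds."""
    s = parse_management(text)
    findings = [msg for label, want, msg in CHECKS
                if not s.get(label, {}).get("value", "").startswith(want)]
    if s.get("SSH access", {}).get("profile") != expected_profile:
        findings.append("ssh2 access profile is not " + expected_profile)
    return findings

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(sample) or "ok")
```

Run it against output captured from both the primary and the secondary image, since ssh2 is enabled on each image separately.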
