{"id":450,"date":"2020-04-06T15:27:55","date_gmt":"2020-04-06T13:27:55","guid":{"rendered":"http:\/\/tech.sosthe.sk\/?page_id=450"},"modified":"2020-04-06T15:27:55","modified_gmt":"2020-04-06T13:27:55","slug":"5-komunikacia-so-switchom","status":"publish","type":"page","link":"http:\/\/tech.sosthe.sk\/index.php\/ccna\/cisco-ios\/5-komunikacia-so-switchom\/","title":{"rendered":"5. Komunik\u00e1cia so switchom"},"content":{"rendered":"
\n

Fyzick\u00e9 pripojenie<\/span><\/h3>\n

Pre komunik\u00e1ciu so switchom sa s n\u00edm mus\u00edme najprv nejak\u00fdm sp\u00f4sobom spoji\u0165.\u00a0M\u00e1me dve mo\u017enosti, spojenie pomocou<\/span><\/p>\n

    \n
  1. konzolov\u00e9ho portu<\/span><\/strong>\u00a0– jedn\u00e1 sa o \u0161peci\u00e1lny port na switchi s konektorom RJ45, ktor\u00fd spoj\u00edme s COM portom na PC, pou\u017e\u00edva sa\u00a0<\/span>rollover cable<\/span><\/em>\u00a0.<\/span><\/li>\n
  2. ethernetov\u00e9ho portu<\/span><\/strong> – na spr\u00e1vne nakonfigurovan\u00fd switch (nastaven\u00e1 IP adresa pre VLAN, \u017eiadne obmedzenia komunik\u00e1cie a pr\u00edstupu) sa m\u00f4\u017eeme pripoji\u0165 cez \u013eubovo\u013en\u00fd sie\u0165ov\u00fd port switcha.\u00a0Pre \u00favodn\u00fa konfigur\u00e1ciu m\u00f4\u017eeme vyu\u017ei\u0165 <\/span>Express Setup<\/span><\/em> (switch si nastav\u00ed ur\u010dit\u00fa IP).\u00a0Pre spojenie sa pou\u017eije klasick\u00fd priamy k\u00e1bel (straight-through cable).<\/span><\/li>\n<\/ol>\n

    Sp\u00f4soby komunik\u00e1cie<\/span><\/h3>\n

    So switchom m\u00f4\u017eeme komunikova\u0165 nieko\u013ek\u00fdmi met\u00f3dami, pomocou<\/span><\/p>\n

      \n
    1. webov\u00e9 rozhranie<\/span><\/strong>\u00a0– niektor\u00e9 konfigur\u00e1cie a monitorovanie mo\u017eno vykon\u00e1va\u0165 cez zabudovan\u00e9 rozhranie, je potrebn\u00e9 ma\u0165 in\u0161talovan\u00fd IOS s t\u00fdmto rozhran\u00edm (\u0161tandardne \u00e1no) a ma\u0165 ho zapnut\u00e9 (\u0161tandardne \u00e1no), pod\u013ea verzie IOSu m\u00f4\u017eeme vyu\u017e\u00edva\u0165 HTTP alebo aj HTTPS.<\/span><\/li>\n
    2. telnet, SSH, konzola<\/span><\/strong>\u00a0– tieto met\u00f3dy n\u00e1m prin\u00e1\u0161a mo\u017enos\u0165 vyu\u017ei\u0165\u00a0<\/span>Command Line Interface<\/span><\/em><\/strong>\u00a0– CLI, teda \u0161irok\u00fa \u0161k\u00e1lu riadkov\u00fdch pr\u00edkazov.\u00a0Konzolov\u00fd pr\u00edstup je defaultne akt\u00edvny, telnet a SSH mus\u00edme nakonfigurova\u0165.\u00a0Pre SSH mus\u00edme ma\u0165 verziu IOSu s podporou \u0161ifrovania.\u00a0Pre tento druh spojenia treba nejak\u00fd program, ja pou\u017e\u00edvam Putty.<\/span><\/li>\n
    3. Cisco Network Assistant (CNA)<\/span><\/strong>\u00a0– pr\u00edpadne \u010fal\u0161ie \u0161peci\u00e1lne aplik\u00e1cie.\u00a0Pre spr\u00e1vu switcha mo\u017en\u00e9 pou\u017ei\u0165 \u0161peci\u00e1lne aplik\u00e1cie, ktor\u00e9 vyu\u017e\u00edvaj\u00fa r\u00f4znych protokolov pre riadenie switcha. <\/span>CNA<\/span><\/em><\/strong>\u00a0je slu\u0161n\u00e1 grafick\u00e1 aplik\u00e1cia (mo\u017eno bezplatne stiahnu\u0165 u Cisca), ktor\u00e1 n\u00e1m u\u013eah\u010d\u00ed rad nastaven\u00ed a m\u00f4\u017ee pracova\u0165 s celou skupinou zariaden\u00ed naraz.<\/span><\/li>\n
    4. SNMP<\/span><\/strong>\u00a0– pomocou protokolu SNMP m\u00f4\u017eeme automatizova\u0165 rad funkci\u00ed, \u010d\u00edta\u0165 aj nastavova\u0165 hodnoty.\u00a0Pr\u00edpadne existuje rad aplik\u00e1ci\u00ed, ktor\u00e9 tento protokol vyu\u017e\u00edvaj\u00fa.<\/span><\/li>\n<\/ol>\n

      Zabezpe\u010denie – overovanie<\/span><\/h3>\n

      Pr\u00edstup na switch je samozrejme potrebn\u00e9 zabezpe\u010di\u0165.\u00a0Z\u00e1kladn\u00e9 dve mo\u017enosti zabezpe\u010denia s\u00fa<\/span><\/p>\n

        \n
      1. pou\u017e\u00edva\u0165 autentiz\u00e1ciu<\/span><\/strong>\u00a0– pre v\u0161etky met\u00f3dy komunik\u00e1cie m\u00f4\u017eeme nastavi\u0165 heslo (a v\u00e4\u010d\u0161inou pou\u017e\u00edvate\u013ea).\u00a0Najjednoduch\u0161ie je nastavi\u0165 iba heslo, ktor\u00e9 sa ulo\u017eia do konfigur\u00e1cie switcha, m\u00f4\u017ee by\u0165 ulo\u017een\u00e9 ne\u0161ifrovan\u00e9 ( <\/span>password<\/code>) alebo pomocou MD5 hashe (\u00a0<\/span>secret<\/code>).\u00a0V lep\u0161om pr\u00edpade m\u00f4\u017eeme vyu\u017ei\u0165\u00a0<\/span>AAA<\/span><\/em><\/strong>\u00a0(Authentication Authorization Accounting).<\/span><\/li>\n
      2. obmedzi\u0165 pr\u00edstup<\/span><\/strong> – zale\u017e\u00ed na met\u00f3de pripojenia<\/span>\n
          \n
        1. konzolov\u00fd port<\/span><\/strong> – pre pou\u017eitie tejto met\u00f3dy je potrebn\u00e9 fyzick\u00fd pr\u00edstup ku switchu, ten by mal by\u0165 v zabezpe\u010denej priestore s obmedzen\u00fdm pr\u00edstupom.<\/span><\/li>\n
        2. ethernetov\u00fd port<\/span><\/strong>\u00a0– v tomto pr\u00edpade je mo\u017en\u00fd pr\u00edstup z celej siete (z tej \u010dasti, kde je switch dosiahnute\u013en\u00fd), preto je dobr\u00e9 povoli\u0165 ur\u010dit\u00e9 protokoly iba do \u0161peci\u00e1lnej VLANy (managovac\u00ed) alebo len z ur\u010ditej adresy, to dosiahneme konfigur\u00e1ciou alebo pomocou\u00a0<\/span>Access Control List<\/span><\/em><\/strong>\u00a0(ACL).<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

          Konfigur\u00e1cia jednotliv\u00fdch vlastnost\u00ed<\/span><\/h3>\n

          Pr\u00edstup cez konzolu<\/span><\/h4>\n

          Pr\u00edstup cez konzolu je defaultne povolen\u00fd a to bez overovania.\u00a0\u010casto ho vyu\u017eijeme pre \u00favodn\u00e9 konfigur\u00e1ciu.\u00a0Ak chceme viac zabezpe\u010di\u0165 pr\u00edstup ku switchu t\u00fdmto sp\u00f4sobom, m\u00f4\u017eeme nastavi\u0165 heslo.\u00a0Ak v\u0161ak m\u00e1 niekto fyzick\u00fd pr\u00edstup k zariadeniu (aby mohol vyu\u017ei\u0165 konzolov\u00fd pr\u00edstup), tak ho v\u00e4\u010d\u0161inou toto heslo nezastav\u00ed.\u00a0M\u00f4\u017ee vykona\u0165\u00a0<\/span>password recovery<\/span><\/em><\/strong>\u00a0(u nov\u0161\u00edch IOS\u016f m\u00f4\u017eeme vypn\u00fa\u0165) alebo m\u00f4\u017ee resetova\u0165 konfigur\u00e1ciu a m\u00e1 pln\u00fd pr\u00edstup na switch.<\/span><\/p>\n

          SWITCH (config) # line console 0 <\/strong>          \/\/ prepneme sa do konfigur\u00e1cie konzoly \r\nSWITCH (config-console) # password c <\/strong>     \/\/ nastav\u00edme heslo<\/span><\/pre>\n
          Pozn .:<\/span><\/em><\/strong>\u00a0U routerov e\u0161te mus\u00edme zapn\u00fa\u0165, aby sa vykon\u00e1vala kontrola hesla pr\u00edkazom<\/span>login<\/code>.\u00a0To sa t\u00fdka v\u0161etk\u00fdch pr\u00edstupov cez<\/span>line<\/code>.<\/span><\/p>\n
          Pr\u00edstup pomocou protokolu telnet<\/span><\/h4>\n
          Pre vzdialen\u00fd pr\u00edstup sa pou\u017e\u00edva\u00a0<\/span>Virtual terminal line<\/span><\/em><\/strong>\u00a0(VTY).\u00a0Pr\u00edstup pomocou telnetu je akt\u00edvna vo chv\u00edli, ke\u010f nastav\u00edme IP adresu pre switch.\u00a0Ale do chv\u00edle, ne\u017e nastav\u00edme heslo pre telnet session, sa nemo\u017eno pripoji\u0165.\u00a0V nastaven\u00ed ur\u010dujeme ko\u013eko s\u00fa\u010dasn\u00fdch spojenie je povolen\u00e9, maxim\u00e1lne 16 (z\u00e1le\u017e\u00ed na modeli).<\/span><\/p>\n
          SWITCH (config) # line vty 0 1 <\/strong>        \/\/ konfiguruje telnetov\u00e9 spojen\u00ed s ID 0 a\u017e 1 \r\nSWITCH (config-line) # password c <\/strong>     \/\/ heslo (tu c) pre pr\u00edstup cez telnet<\/span><\/pre>\n
          Linky, ktor\u00e9 nechceme pou\u017e\u00edva\u0165, je lep\u0161ie vypn\u00fa\u0165<\/span><\/p>\n
          SWITCH (config) # line vty 2 15    <\/strong>           \/\/ spoje 2 a\u017e 15 \r\nSWITCH (config-line) # transport input none   <\/strong>\/\/ \u017eiadny vstup<\/span><\/pre>\n
          Hesl\u00e1 pre linky sa daj\u00fa zada\u0165 iba ne\u0161ifrovan\u00e9.\u00a0Aby sme viac zabezpe\u010dili ich ulo\u017eenie v konfigur\u00e1cii, m\u00f4\u017eeme nastavi\u0165 slu\u017ebu, ktor\u00e1 v\u0161etky hesl\u00e1 uklad\u00e1 pomocou MD5 hashe.<\/span><\/p>\n
          SWITCH (config) # service password-encryption<\/strong> <\/span><\/pre>\n
          Pr\u00edstup pomocou protokolu ssh<\/span><\/h4>\n
          Telnet m\u00e1 nev\u00fdhodu, \u017ee sa v\u0161etky d\u00e1ta (vr\u00e1tane hesiel) zasielaj\u00fa ne\u0161ifrovan\u00e9, tak\u017ee je mo\u017en\u00e9 ich odpo\u010d\u00fava\u0165. Vhodnej\u0161ie je pou\u017ei\u0165 \u0161ifrovan\u00e9 rie\u0161enie a teda ssh.\u00a0Aby sme v\u0161ak mohli ssh pou\u017ei\u0165, potrebujeme verziu IOSu, ktor\u00e1 obsahuje \u0161ifrovanie.\u00a0Potom mus\u00edme vytvori\u0165 u\u017e\u00edvate\u013ea, nastavi\u0165 parametre ssh a vlastn\u00e9 nastavenia pr\u00edstupu.\u00a0Vzdialen\u00fd pr\u00edstup pomocou ssh sa nastavuje obdobne ako telnet, iba zvol\u00edme in\u00fd vstup.<\/span><\/p>\n
          SWITCH (config) # aaa new-model               <\/strong>      \/\/ zapnutie AAA \r\nSWITCH (config) # username cisco secret Heslo       <\/strong>\/\/ vytvorenie pou\u017e\u00edvate\u013ea s heslom ulo\u017een\u00fdm pomocou MD5 hashe \r\nSWITCH (config) # ip ssh time-out 60          <\/strong>      \/\/ parametre SSH - vypr\u0161an\u00ed session \r\nSWITCH (config) # ip ssh authentication-retries 2 <\/strong> \/\/ parametre SSH - po\u010det pokusov o prihl\u00e1senie \r\nSWITCH (config) # ip ssh version 2                  <\/strong>\/\/ parametre SSH - verzia \r\nSWITCH (config) # ip domain name firma.local <\/strong>      \/\/ meno dom\u00e9ny pre vytv\u00e1ran\u00fd certifik\u00e1t \r\nSWITCH (config) # crypto key generate rsa     <\/strong>      \/\/ ak e\u0161te nem\u00e1me, vygenerujeme k\u013e\u00fa\u010d\r\nSWITCH (config) # line vty 0 1 <\/strong>                     \/\/ konfigur\u00e1cie linky s ID 0 a\u017e 1 \r\nSWITCH (config-line) # transport input ssh    <\/strong>     \/\/ vstup je SSH<\/span><\/pre>\n
          Pr\u00edstup do privilegovan\u00e9ho re\u017eimu<\/span><\/h4>\n
          V r\u00e1mci predvo\u013eby sa po pripojen\u00ed ku CLI m\u00f4\u017eeme prepn\u00fa\u0165 do privilegovan\u00e9ho m\u00f3du zadan\u00edm pr\u00edkazu\u00a0<\/span>enabled<\/code>.\u00a0Preto\u017ee v tomto m\u00f3de m\u00f4\u017eeme meni\u0165 konfigur\u00e1ciu switcha, tak sa odpor\u00fa\u010da zabezpe\u010di\u0165 tento pr\u00edstup pomocou hesla. Heslo m\u00f4\u017eeme zada\u0165 tak, \u017ee sa v konfigur\u00e1cii ulo\u017e\u00ed ako oby\u010dajn\u00fd text alebo iba MD5 hash.<\/span><\/p>\n
          SWITCH (config) # enable password c <\/strong>           \/\/ heslo (tu c) ulo\u017een\u00e9 ako \u010dist\u00fd text \r\nSWITCH (config) # enable secret c <\/strong>             \/\/ heslo (tu c) ulo\u017een\u00e9 pomocou MD5 hashe \r\nSWITCH (config) # no enable secret <\/strong>           \/\/ zru\u0161enie hesla<\/span><\/pre>\n
          webov\u00e9 rozhranie<\/span><\/h4>\n
          Potom \u010do nastav\u00edme IP adresu, a m\u00e1me verziu IOSu spolu s webov\u00fdm rozhran\u00edm, tak je automaticky zapnut\u00e9.<\/span><\/p>\n
          SWITCH (config) # ip http server <\/strong>               \/\/ zapne web server \r\nSWITCH (config) # No-IP http server <\/strong>            \/\/ vypne web server<\/span><\/pre>\n
          Ak m\u00e1me verziu IOSu s \u0161ifrovan\u00edm (crypto), tak sa automaticky pou\u017eije pr\u00edstup cez HTTPS.<\/span><\/p>\n
          SWITCH # show ip http server status <\/strong>           \/\/ zobraz\u00ed nastavenie \r\nSWITCH (config) # ip http secure-server <\/strong>       \/\/ zapne HTTPS server<\/span><\/pre>\n
          SNMP<\/span><\/h4>\n
          V predvolenom stave je SNMP vypnut\u00e9.\u00a0SNMP sa zapne nastaven\u00edm\u00a0<\/span>community stringov<\/span><\/em><\/strong>\u00a0(nie\u010do ako heslo pre SNMP, pou\u017e\u00edva sa v SNMPv1 a SNMPv2c, SNMPv3 pou\u017e\u00edva \u00fa\u010dty).<\/span><\/p>\n
          SWITCH (config) # snmp-server community heslo ro    <\/strong>\/\/ nastav\u00ed community string pre \u010d\u00edtanie \r\nSWITCH (config) # snmp-server contact Firma <\/strong>       \/\/ nastav\u00ed kontakt \r\nSWITCH (config) # snmp-server location serverov\u0148a <\/strong> \/\/ nastav\u00ed umiestneniu \r\nSWITCH (config) # no snmp-server                    <\/strong>\/\/ vypne SNMP<\/span><\/pre>\n
          To s\u00fa len z\u00e1kladn\u00e9 nastavenie SNMP.\u00a0M\u00f4\u017eeme samozrejme vytv\u00e1ra\u0165 trapy a nastavova\u0165 mnoho \u010fal\u0161\u00edch parametrov.\u00a0Pre vytv\u00e1ranie pou\u017e\u00edvate\u013eov v SNMPv3 alebo pre nastavenie pou\u017eit\u00e9 verzie SNMP sl\u00fa\u017eia pr\u00edkazy\u00a0<\/span>snmp-server group<\/code>a\u00a0<\/span>snmp-server user<\/code>.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
          Fyzick\u00e9 pripojenie Pre komunik\u00e1ciu so switchom sa s n\u00edm mus\u00edme najprv nejak\u00fdm sp\u00f4sobom spoji\u0165.\u00a0M\u00e1me dve mo\u017enosti, spojenie pomocou konzolov\u00e9ho portu\u00a0– jedn\u00e1 sa o \u0161peci\u00e1lny port…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":431,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/450"}],"collection":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/comments?post=450"}],"version-history":[{"count":1,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/450\/revisions"}],"predecessor-version":[{"id":451,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/450\/revisions\/451"}],"up":[{"embeddable":true,"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/pages\/431"}],"wp:attachment":[{"href":"http:\/\/tech.sosthe.sk\/index.php\/wp-json\/wp\/v2\/media?parent=450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}