1-3
Security Overview
Access Security Features
Feature: Telnet and Web-browser access (WebAgent)
Default Setting: enabled
Security Guidelines:
The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access.
Also, access security on the switch is incomplete without disabling Telnet and the standard Web browser access (WebAgent). Among the methods for blocking unauthorized access attempts using Telnet or the WebAgent are the following two CLI commands:
• no telnet-server: This command blocks inbound Telnet access.
• no web-management: This command prevents use of the WebAgent through http (port 80) server access.
If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
More Information and Configuration Details:
• “Quick Start: Using the Management Interface Wizard” on page 1-10
• For more on Telnet and the WebAgent, refer to the chapter on “Interface Access and System Information” in the Basic Operation Guide.
• For RADIUS accounting, refer to Chapter 6, “RADIUS Authentication and Accounting”

Feature: SSH
Default Setting: disabled
Security Guidelines:
SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
• client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.
• switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client’s key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.
• secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, refer to the section titled “Using Secure Copy and SFTP” in the “File Transfers” appendix of the Management and Configuration Guide for your switch.
More Information and Configuration Details:
• “Quick Start: Using the Management Interface Wizard” on page 1-10
• Chapter 8 “Configuring Secure Shell (SSH)”
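
The Telnet, WebAgent and SSH guidance above can be checked against a saved configuration file. The following is an added example, not part of the original guide or the vendor's tooling. It assumes that a bare "ip ssh" line enables SSH and that a line beginning "aaa accounting" indicates RADIUS accounting is configured; the sample configurations are constructed.

```python
# Added example: audit a saved switch configuration against the table's guidance.
# Defaults come from the table: Telnet and the WebAgent enabled, SSH disabled.
# Assumptions (not on the page): "ip ssh" enables SSH, and a line beginning
# "aaa accounting" indicates RADIUS accounting is configured.
DEFAULTS = {"telnet-server": True, "web-management": True, "ip ssh": False}

ADVICE = {
    "telnet-server": "Telnet enabled (plain-text passwords): apply 'no telnet-server'",
    "web-management": "WebAgent on http port 80 enabled: apply 'no web-management'",
    "ip ssh": "SSH disabled: no encrypted replacement for remote access",
}


def normalise(line):
    """Collapse whitespace and case so '  No  Telnet-Server ' compares equal."""
    return " ".join(line.split()).lower()


def service_states(config_text):
    """Start from the defaults, then apply each bare command; the last line wins."""
    states = dict(DEFAULTS)
    for line in map(normalise, config_text.splitlines()):
        negated = line.startswith("no ")
        command = line[3:] if negated else line
        # Only the bare command toggles state; forms with extra options are
        # ignored because the page does not describe them.
        if command in states:
            states[command] = not negated
    return states


def audit(config_text):
    """Return a list of findings; an empty list means the guidance is met."""
    states = service_states(config_text)
    plaintext_on = states["telnet-server"] or states["web-management"]
    findings = [ADVICE[s] for s in ("telnet-server", "web-management") if states[s]]
    if not states["ip ssh"]:
        findings.append(ADVICE["ip ssh"])
    accounting = any(normalise(l).startswith("aaa accounting")
                     for l in config_text.splitlines())
    if plaintext_on and not accounting:
        findings.append("Plain-text access left on with no RADIUS accounting record")
    return findings


# Constructed sample configurations (not taken from a real switch).
FACTORY = "hostname sw1\n"
HARDENED = "hostname sw1\nno telnet-server\nno web-management\nip ssh\n"
LEGACY = "no web-management\nip ssh\naaa accounting exec start-stop radius\n"

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, audit(cfg) or "OK")
```

A configuration with none of the commands present is treated as factory default, so it reports Telnet and the WebAgent as enabled and SSH as disabled.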