16.4.7 Lab – Configure Network Devices with SSH
Topology
Addressing Table
Device | Interface | IP Address | Subnet Mask | Default Gateway |
---|---|---|---|---|
R1 | G0/0/1 | 192.168.1.1 | 255.255.255.0 | N/A |
S1 | VLAN 1 | 192.168.1.11 | 255.255.255.0 | 192.168.1.1 |
PC-A | NIC | 192.168.1.3 | 255.255.255.0 | 192.168.1.1 |
Objectives
- Part 1: Configure Basic Device Settings
- Part 2: Configure the Router for SSH Access
- Part 3: Configure the Switch for SSH Access
- Part 4: SSH from the CLI on the Switch
Background / Scenario
In the past, Telnet was the most common network protocol used to remotely configure network devices. Telnet does not encrypt the information exchanged between the client and the server, so anyone with a network sniffer on the path can intercept passwords and configuration information.
Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH has replaced Telnet as the remote login tool of choice for network professionals. SSH is most often used to log in to a remote device and execute commands, but it can also transfer files using the associated Secure FTP (SFTP) or Secure Copy (SCP) protocols.
The network devices that are communicating must be configured to support SSH in order for SSH to function. In this lab, you will enable the SSH server on a router and then connect to that router using a PC with an SSH client installed. On a local network, the connection is normally made using Ethernet and IP.
Note: The routers used with CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used in the labs are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced might vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.
Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.
Instructor Note: Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.
Required Resources
- 1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
- 1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
- 1 PC (Windows with a terminal emulation program, such as Tera Term)
- Console cables to configure the Cisco IOS devices via the console ports
- Ethernet cables as shown in the topology
Instructions
Part 1: Configure Basic Device Settings
In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, device access, and passwords on the router.
Step 1: Cable the network as shown in the topology.
Step 2: Initialize and reload the router and switch.
Step 3: Configure the router.
a. Console into the router and enable privileged EXEC mode.
Router> enable
b. Enter configuration mode.
Router# configure terminal
c. Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names.
Router(config)# no ip domain-lookup
d. Assign class as the privileged EXEC encrypted password.
Router(config)# enable secret class
e. Assign cisco as the console password and enable login.
Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login
f. Assign cisco as the VTY password and enable login.
Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login
g. Encrypt the plaintext passwords.
Router(config)# service password-encryption
Note: service password-encryption only obscures the line passwords with the reversible type 7 scheme; it is not real encryption. The enable secret and username ... secret commands store a salted hash instead, which is why they are used for the privileged EXEC and SSH account passwords in this lab.
h. Create a banner that will warn anyone accessing the device that unauthorized access is prohibited.
Router(config)# banner motd $ Authorized Users Only! $
i. Configure and activate the G0/0/1 interface on the router using the information contained in the Addressing Table.
Router(config)# interface g0/0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
j. Save the running configuration to the startup configuration file.
Router# copy running-config startup-config
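Step g turns on service password-encryption, which stores the console and VTY line passwords as "type 7" strings. Type 7 is a fixed-key XOR, not encryption: anyone who can read the configuration, or a backup of it, recovers the plaintext. The Python below is an added illustration, not part of the lab; it decodes the three password 7 values that appear verbatim in the final device configs at the end of this lab, using the publicly known IOS type 7 key. The encoder is included only so the round trip can be checked.

```python
"""Decode Cisco IOS 'type 7' line passwords (added example, not part of the lab)."""

# Fixed key that IOS uses for 'service password-encryption' (type 7).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from the value after 'password 7'.

    The first two characters are a decimal offset into TYPE7_KEY; every
    following hex pair is one plaintext byte XORed with the key byte at
    (offset + position) mod len(TYPE7_KEY).
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body)
    )
    return plain.decode("ascii")


def type7_encode(plaintext: str, offset: int = 0) -> str:
    """Inverse of type7_decode; used here only for round-trip checks."""
    data = plaintext.encode("ascii")
    hexbody = "".join(
        f"{b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}" for i, b in enumerate(data)
    )
    return f"{offset:02d}{hexbody}"


# The three 'password 7' values copied from the final R1 and S1 configs
# at the end of this lab.
LAB_TYPE7_STRINGS = ["094F471A1A0A", "01100F175804", "00071A150754"]


def decode_lab_passwords() -> dict:
    """Map each type 7 string from the lab configs to its plaintext."""
    return {s: type7_decode(s) for s in LAB_TYPE7_STRINGS}


if __name__ == "__main__":
    for enc, plain in decode_lab_passwords().items():
        print(f"password 7 {enc}  ->  {plain!r}")
```

All three strings decode to cisco, the line password set in step e and f. Treat any configuration that contains password 7 entries as if it contained the plaintext, and prefer login local with username ... secret on the VTY lines (Part 2, Step 4) so that no reversible line password is needed.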
Step 4: Configure PC-A.
a. Configure PC-A with an IP address and subnet mask.
b. Configure a default gateway for PC-A.
Step 5: Verify network connectivity.
Ping R1 from PC-A. If the ping fails, troubleshoot the connection.
Part 2: Configure the Router for SSH Access
Using Telnet to connect to a network device is a security risk because all information, including credentials, is transmitted in clear text. SSH encrypts the session data and provides device authentication, which is why SSH is recommended for remote connections. In Part 2, you will configure the router to accept SSH connections over the VTY lines.
Step 1: Configure device authentication.
The device name and domain name are used to name the RSA key pair when it is generated. Therefore, both must be configured before the crypto key command is issued.
a. Configure the device name.
Router(config)# hostname R1
b. Configure the domain for the device.
R1(config)# ip domain-name ccna-lab.com
Step 2: Configure the encryption key method.
R1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R1.ccna-lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
R1(config)#
*Jan 28 21:09:29.867: %SSH-5-ENABLED: SSH 1.99 has been enabled
Note: "SSH 1.99" in the log message means the server will negotiate both SSHv1 and SSHv2 with clients. Use ip ssh version 2 to restrict it to SSHv2. This lab generates a 1024-bit RSA key; outside a lab, generate a 2048-bit or larger key.
Step 3: Configure a local database username.
Configure a username using admin as the username and Adm1nP@55 as the password.
R1(config)# username admin secret Adm1nP@55
Step 4: Enable SSH on the VTY lines.
a. Enable Telnet and SSH on the inbound VTY lines using the transport input command.
R1(config)# line vty 0 4
R1(config-line)# transport input telnet ssh
Note: transport input telnet ssh leaves Telnet enabled on the VTY lines alongside SSH. On a production device, use transport input ssh so that the lines accept SSH only.
b. Change the login method to use the local database for user verification.
R1(config-line)# login local
R1(config-line)# end
Step 5: Save the running configuration to the startup configuration file.
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
Step 6: Establish an SSH connection to the router.
a. Start Tera Term from PC-A.
b. Establish an SSH session to R1. Use the username admin and password Adm1nP@55. You should be able to establish an SSH session with R1.
Part 3: Configure the Switch for SSH Access
In Part 3, you will configure the switch to accept SSH connections. After the switch has been configured, establish an SSH session using Tera Term.
Step 1: Configure the basic settings on the switch.
a. Console into the switch and enable privileged EXEC mode.
Switch> enable
b. Enter configuration mode.
Switch# configure terminal
c. Disable DNS lookup to prevent the switch from attempting to translate incorrectly entered commands as though they were host names.
Switch(config)# no ip domain-lookup
d. Assign class as the privileged EXEC encrypted password.
Switch(config)# enable secret class
e. Assign cisco as the console password and enable login.
Switch(config)# line console 0
Switch(config-line)# password cisco
Switch(config-line)# login
f. Assign cisco as the VTY password and enable login.
Switch(config)# line vty 0 15
Switch(config-line)# password cisco
Switch(config-line)# login
g. Encrypt the plaintext passwords.
Switch(config)# service password-encryption
h. Create a banner that will warn anyone accessing the device that unauthorized access is prohibited.
Switch(config)# banner motd $ Authorized Users Only! $
i. Configure and activate the VLAN 1 interface on the switch according to the Addressing Table.
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.11 255.255.255.0
Switch(config-if)# no shutdown
j. Save the running configuration to the startup configuration file.
Switch# copy running-config startup-config
Step 2: Configure the switch for SSH connectivity.
Use the same commands that you used to configure SSH on the router in Part 2 to configure SSH for the switch.
a. Configure the device name as listed in the Addressing Table.
Switch(config)# hostname S1
b. Configure the domain for the device.
S1(config)# ip domain-name ccna-lab.com
c. Configure the encryption key method.
S1(config)# crypto key generate rsa modulus 1024
d. Configure a local database username.
S1(config)# username admin secret Adm1nP@55
e. Enable Telnet and SSH on the VTY lines.
S1(config)# line vty 0 15
S1(config-line)# transport input telnet ssh
f. Change the login method to use the local database for user verification.
S1(config-line)# login local
S1(config-line)# end
Step 3: Establish an SSH connection to the switch.
Start Tera Term from PC-A, and then SSH to the SVI interface on S1.
Were you able to establish an SSH session with the switch?
Yes. SSH can be configured on a switch using the same commands that were used on the router.
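Parts 2 and 3 leave Telnet enabled alongside SSH (transport input telnet ssh), accept SSHv1 as well as SSHv2 (the SSH 1.99 log message), and keep reversible type 7 line passwords. The Python below is an added example, not part of the lab: it reads running-config text in the form shown in the Device Configs at the end of this lab, flags those settings per VTY or console line, and then shows that a hardened variant passes clean. Both configurations embedded in it are constructed for the example; the first is modelled on, but trimmed from, the S1 final config.

```python
"""Audit remote-access settings in a Cisco IOS running-config (added example).

Works offline on saved 'show running-config' text.
"""

# Constructed sample, modelled on the S1 final config at the end of this lab.
LAB_STYLE_CONFIG = """\
hostname S1
service password-encryption
enable secret 5 $1$qwAh$PG.EaIxZQgvrgZtc40Xka0
username admin secret 5 $1$vE96$6FO83f1rHurSYktgg2l720
ip domain-name ccna-lab.com
ip http server
ip http secure-server
!
line con 0
 password 7 00071A150754
 login
line vty 0 4
 password 7 00071A150754
 login local
 transport input telnet ssh
line vty 5 15
 login
!
end
"""

# Constructed hardened variant: SSH only, SSHv2 only, per-user login,
# no reversible line passwords, no cleartext HTTP management.
HARDENED_CONFIG = """\
hostname S1
ip domain-name ccna-lab.com
ip ssh version 2
username admin secret 5 $1$vE96$6FO83f1rHurSYktgg2l720
no ip http server
ip http secure-server
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
!
end
"""


def parse_sections(config):
    """Split config text into global lines and 'line ...' sub-blocks.

    Returns (set_of_global_lines, {line_heading: [sub-lines]}). Indented
    lines belong to the most recent 'line' heading; indented lines under
    other blocks (interfaces, redundancy, ...) are ignored by this audit.
    """
    global_lines, sections, current = set(), {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(text)
            continue
        if text.startswith("line "):
            current = text
            sections[current] = []
        else:
            current = None
            global_lines.add(text)
    return global_lines, sections


def audit(config):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    global_lines, sections = parse_sections(config)
    findings = []

    # '%SSH-5-ENABLED: SSH 1.99' means SSHv1 is still negotiated.
    if "ip ssh version 2" not in global_lines:
        findings.append(("global", "SSHv1 still accepted; add 'ip ssh version 2'"))
    if "ip http server" in global_lines:
        findings.append(("global", "cleartext HTTP management enabled; use 'no ip http server'"))

    for heading, body in sections.items():
        for entry in body:
            if entry.startswith("transport input"):
                protocols = set(entry.split()[2:])
                if protocols & {"telnet", "all"}:
                    findings.append((heading, f"Telnet allowed ('{entry}'); use 'transport input ssh'"))
            if entry.startswith("password 7 "):
                findings.append((heading, "type 7 line password is reversible; use 'login local' with 'username ... secret'"))
        per_user = any(e == "login local" or e.startswith("login authentication") for e in body)
        if heading.startswith("line vty") and not per_user:
            # Plain 'login' checks only the shared line password; if none is
            # set, IOS refuses the connection ("Password required, but none set").
            findings.append((heading, "no per-user authentication ('login local' or AAA) on VTY lines"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(LAB_STYLE_CONFIG):
        print(f"{scope:14} {finding}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against the lab-style configuration, the audit reports six findings: the missing ip ssh version 2, the enabled HTTP server, Telnet on line vty 0 4, type 7 passwords on the console and vty 0 4 lines, and vty 5 15 with no per-user login. The hardened configuration produces no findings.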
Part 4: SSH from the CLI on the Switch
The SSH client is built into the Cisco IOS and can be run from the CLI. In Part 4, you will SSH to the router from the CLI on the switch.
Step 1: View the parameters available for the Cisco IOS SSH client.
Use the question mark (?) to display the parameter options available with the ssh command.
S1# ssh ?
  -c     Select encryption algorithm
  -l     Log in using this user name
  -m     Select HMAC algorithm
  -o     Specify options
  -p     Connect to this port
  -v     Specify SSH Protocol Version
  -vrf   Specify vrf name
  WORD   IP address or hostname of a remote system
Step 2: SSH to R1 from S1.
a. You must use the -l admin option when you SSH to R1. This allows you to log in as user admin. When prompted, enter Adm1nP@55 for the password.
S1# ssh -l admin 192.168.1.1
Password:
Authorized Users Only!
R1>
b. You can return to S1 without closing the SSH session to R1 by pressing Ctrl+Shift+6. Release the Ctrl+Shift+6 keys and press x. The switch privileged EXEC prompt displays.
R1>
S1#
c. To return to the SSH session on R1, press Enter on a blank CLI line. You may need to press Enter a second time to see the router CLI prompt.
S1#
[Resuming connection 1 to 192.168.1.1 ... ]
R1>
d. To end the SSH session on R1, type exit at the router prompt.
R1# exit
[Connection to 192.168.1.1 closed by foreign host]
S1#
What versions of SSH are supported from the CLI?
Answers may vary. This can be determined by entering ssh -v ? at the command line. The 2960 switch used in this lab supports SSH v1 and v2.
S1# ssh -v ?
  1  Protocol Version 1
  2  Protocol Version 2
Reflection Question
How would you provide multiple users, each with their own username, access to a network device?
Answers may vary. You would add each user's username and password to the local database using the username command. It is also possible to use a RADIUS or TACACS server, but this has not been covered yet.
Router Interface Summary Table
Router Model | Ethernet Interface #1 | Ethernet Interface #2 | Serial Interface #1 | Serial Interface #2 |
---|---|---|---|---|
1800 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
1900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2801 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
2811 | Fast Ethernet 0/0 (F0/0) | Fast Ethernet 0/1 (F0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
2900 | Gigabit Ethernet 0/0 (G0/0) | Gigabit Ethernet 0/1 (G0/1) | Serial 0/0/0 (S0/0/0) | Serial 0/0/1 (S0/0/1) |
4221 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
4300 | Gigabit Ethernet 0/0/0 (G0/0/0) | Gigabit Ethernet 0/0/1 (G0/0/1) | Serial 0/1/0 (S0/1/0) | Serial 0/1/1 (S0/1/1) |
Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.
Device Configs – Final
Router R1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$GCE/$FYYjEAZLjxgbowhYaGm430
!
no aaa new-model
!
no ip domain lookup
ip domain name ccna-lab.com
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin secret 5 $1$jamS$qnpkPO7Cr9pSdQxO7nSuQ.
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
!
interface Serial0/1/0
 no ip address
!
interface Serial0/1/1
 no ip address
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
control-plane
!
banner motd ^C Authorized Users Only ^C
!
line con 0
 password 7 094F471A1A0A
 logging synchronous
 login
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 01100F175804
 login local
 transport input telnet ssh
!
end
Switch S1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qwAh$PG.EaIxZQgvrgZtc40Xka0
!
username admin secret 5 $1$vE96$6FO83f1rHurSYktgg2l720
!
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name ccna-lab.com
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.11 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
banner motd ^C Authorized Users Only ^C
!
line con 0
 password 7 00071A150754
 logging synchronous
 login
line vty 0 4
 password 7 00071A150754
 login local
 transport input telnet ssh
line vty 5 15
 login
!
end