Network Bulls
www.networkbulls.com
Instead of Telnet, you can use Secure Shell (SSH), which creates a more secure session than the
Telnet application, which sends its data stream unencrypted. SSH uses keys to set up an encrypted
session so that your username and password are not sent in the clear.
I recommend using SSH instead of Telnet whenever possible.
Here are the steps for setting up SSH:
1. Set your hostname:
Router(config)#hostname Todd
208 Chapter 4 Introduction to the Cisco IOS and SDM
2. Set the domain name (both the hostname and domain name are required for the encryption
keys to be generated):
Todd(config)#ip domain-name Lammle.com
3. Create a username and password on the router for login:
Todd(config)#username todd password lammle
4. Generate the encryption keys for securing the session:
Todd(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
Todd(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: Todd.Lammle.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
5. Optionally set the max idle timer for an SSH session:
Todd(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
Todd(config)#ip ssh time-out 60
6. Optionally set the max failed attempts for an SSH connection:
Todd(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
Todd(config)#ip ssh authentication-retries 2
7. Connect to the VTY lines of the router:
Todd(config)#line vty 0 1180
8. Configure the lines for local authentication:
Todd(config-line)#login local
9. Last, configure SSH as the access protocol:
Todd(config-line)#transport input ssh
If you want to use either SSH or Telnet on the device, then use the keyword telnet at the
end of the command string:
Todd(config-line)#transport input ssh telnet
Here is a summary of the minimum SSH commands (it would be wise to remember this):
Router#config t
Router(config)#hostname Todd
Todd(config)#ip domain-name Lammle.com
Todd(config)#username todd password todd
Todd(config)#crypto key generate rsa general-keys modulus 1024
Todd(config)#line vty 0 4
Todd(config-line)#login local
Todd(config-line)#transport input SSH
Verifying the SSH service on your router
If you configure the basic SSH commands on your router, the router will now act as an SSH
server, and any host that can run an SSH client can connect. It’s relatively simple.
From the router CLI, use the command ssh -l username IP_address. The username is
the username created on the Todd router. You will then be prompted for a password, which
is the password configured with the username command. Here is an example of using an SSH
client on a Cisco router to connect to the Todd router that I configured above:
Sally#ssh 192.0.2.157
% No user specified nor available for SSH client
Sally#ssh -l todd 192.0.2.157
Trying 192.0.2.157...Open
Password:
Todd>
Notice that login is not allowed unless the username is specified. Also, understand that
the hostname of the router is irrelevant to the username set on the router.
Let’s take a look at encrypting our passwords.
Encrypting Your Passwords
Because only the enable secret password is encrypted by default, you’ll need to manually
configure the user-mode and enable passwords for encryption.
Notice that you can see all the passwords except the enable secret when performing a show
running-config on a router:
Todd#sh running-config
Building configuration...
[output cut]
!
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password todd
!
[output cut]
!
line con 0
exec-timeout 0 0
password console
logging synchronous
login
line aux 0
password aux
login
line vty 0 4
access-class 23 in
privilege level 15
password telnet
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password telnet
login
transport input telnet ssh
line vty 16 1180
password telnet
login
!
end
To manually encrypt your passwords, use the service password-encryption command.
Here’s an example of how to do it:
Todd#config t
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#service password-encryption
Todd(config)#exit
Todd#sh run
Building configuration...
[output cut]
!
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password 7 131118160F
!
[output cut]
!
line con 0
exec-timeout 0 0
password 7 0605002F5F41051C
logging synchronous
login
line aux 0
password 7 03054E13
login
line vty 0 4
access-class 23 in
privilege level 15
password 7 01070308550E12
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
password 7 01070308550E12
login
transport input telnet ssh
line vty 16 1180
password 7 120D001B1C0E18
login
!
end
Todd#config t
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#
There you have it! The passwords will now be encrypted. You just encrypt the passwords,
perform a show run, and then turn off the command. You can see that the enable password and
the line passwords are all encrypted.
I want to talk about encrypting passwords a bit more. As I said, if you set your passwords
and then turn on the service password-encryption command, you have to perform a
show running-config before you turn off the encryption service or your passwords won’t
be encrypted. You don’t have to turn off the encryption service at all; you’d only do that if
your router is running low on processes. And if you turn on the service before you set your
passwords, then you don’t even have to view them to get them encrypted.
But before I get into showing you all about setting descriptions on your routers, let’s go
through a quick summary of how you might set and encrypt your passwords.
1. Encrypt all clear text passwords: service password-encryption
2. Protect access to the user mode prompt: line console 0; password friendSonly
3. Set privileged mode encrypted password: enable secret noWayIn
4. Set password to allow Telnet connections: line vty 0 4; password 2Hard
5. Set privileged mode clear text password: enable password dontuwish
6. Set the VTY lines to only accept Secure Shell: line vty 0 4; transport input ssh
I am not recommending step 5, just showing you the Cisco objectives, and if
you configure step 3, step 5 becomes irrelevant.
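The SSH setup steps and the password-encryption discussion above both come down to a handful of lines in the running-config, so they can be checked mechanically. The following is an added example (not from the book, Network Bulls or Cisco): a small Python audit that parses a show run, confirms the SSH prerequisites (hostname, domain name, a local username, login local on the VTYs), flags VTY lines that still accept Telnet, and reports every line or enable password that is stored in clear text or as type 7. The two config samples inside it are constructed for the example and modelled on the output shown on this page; the note that type 7 is reversible obfuscation rather than encryption, and that username ... secret and enable secret store hashes, is the caveat a practitioner would attach to this section.

```python
"""Audit a Cisco IOS running-config for the weaknesses this section discusses.

Added example for this page (not from the book, Network Bulls or Cisco).
"""

# Sub-commands that belong to a 'line ...' block even when the extraction
# stripped their indentation, as in the show run output on this page.
LINE_SUBCOMMANDS = {"password", "login", "transport", "exec-timeout",
                    "logging", "access-class", "privilege"}

# Constructed sample modelled on the "before" show run on this page.
SAMPLE_CONFIG = """\
hostname Todd
ip domain-name Lammle.com
username todd password todd
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
enable password todd
line con 0
 password console
 login
line vty 0 4
 password telnet
 login
 transport input telnet ssh
line vty 5 15
 password 7 01070308550E12
 login local
 transport input ssh
"""

# Constructed hardened counterpart: hashed secrets, SSH-only VTYs.
HARDENED_CONFIG = """\
hostname Todd
ip domain-name Lammle.com
service password-encryption
username todd secret lammle
enable secret 5 $1$2R.r$DcRaVo0yBnUJBf7dbG9XE0
line con 0
 password 7 0605002F5F41051C
 login
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text):
    """Split a config into top-level commands and per-'line' sub-command lists."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd[len("line "):]          # e.g. "vty 0 4"
            line_blocks[current] = []
        elif current is not None and (raw.startswith(" ")
                                      or cmd.split()[0] in LINE_SUBCOMMANDS):
            line_blocks[current].append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit_config(text):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    findings = []
    global_cmds, line_blocks = parse_config(text)

    def has(prefix):
        return any(g.startswith(prefix) for g in global_cmds)

    # SSH prerequisites: RSA keys need a hostname and a domain name, and
    # 'login local' on the VTYs needs at least one local username.
    hostname = next((g.split(None, 1)[1] for g in global_cmds if g.startswith("hostname ")), None)
    if not hostname or hostname == "Router":
        findings.append(("high", "hostname missing or default; RSA key generation needs it"))
    if not has("ip domain-name "):
        findings.append(("high", "ip domain-name missing; RSA keys cannot be generated"))
    users = [g for g in global_cmds if g.startswith("username ")]
    if not users:
        findings.append(("high", "no local username; 'login local' would lock out SSH users"))
    for u in users:
        if " password " in u and " secret " not in u:
            findings.append(("medium", f"username {u.split()[1]}: 'password' form (type 0/7); 'username ... secret' stores a hash"))

    # Enable passwords: only 'enable secret' is stored as a hash.
    if not has("enable secret "):
        findings.append(("high", "no enable secret configured"))
    if has("enable password "):
        findings.append(("medium", "enable password present; redundant next to enable secret and type 7 at best"))
    if not has("service password-encryption"):
        findings.append(("low", "service password-encryption is off; line passwords stay in clear text"))

    # Per-line checks: password storage type and, on VTYs, the transport.
    for name, cmds in line_blocks.items():
        for p in (c for c in cmds if c.startswith("password ")):
            if p.split()[1] == "7":
                findings.append(("low", f"line {name}: type 7 password (reversible obfuscation, not encryption)"))
            else:
                findings.append(("high", f"line {name}: clear-text password"))
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            allowed = transport.split()[2:] if transport else ["(platform default)"]
            if transport is None or "telnet" in allowed or "all" in allowed:
                findings.append(("high", f"line {name}: Telnet accepted ({' '.join(allowed)}); use 'transport input ssh'"))
            if "login local" not in cmds:
                findings.append(("medium", f"line {name}: no 'login local'; SSH needs username-based authentication"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {'high': n, 'medium': n, 'low': n}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {count_by_severity(audit_config(cfg))}")
        for severity, msg in audit_config(cfg):
            print(f"  [{severity}] {msg}")
```

Run against the "before" sample the audit reports three high findings (the console and vty 0 4 clear-text passwords and the Telnet transport on vty 0 4); against the hardened sample only the type 7 console password remains, which is the point of the caveat: service password-encryption hides passwords from a casual show run, but it is not a substitute for enable secret and username ... secret.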
Descriptions
Setting descriptions on an interface is helpful to the administrator and, as with the hostname,
only locally significant. The description command is a helpful one because you can, for
instance, use it to keep track of circuit numbers.
Here’s an example:
Todd#config t
Todd(config)#int s0/0/0
Todd(config-if)#description Wan to SF circuit number 6fdda12345678
Todd(config-if)#int fa0/0
Todd(config-if)#description Sales VLAN
Todd(config-if)#^Z
Todd#
You can view the description of an interface with either the show running-config command
or the show interface command:
Todd#sh run
[output cut]
!
interface FastEthernet0/0
description Sales VLAN
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
description Wan to SF circuit number 6fdda12345678
no ip address
shutdown
!
[output cut]
Todd#sh int f0/0
FastEthernet0/0 is up, line protocol is down
Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
Description: Sales VLAN
[output cut]
Todd#sh int s0/0/0
Serial0/0/0 is administratively down, line protocol is down
Hardware is GT96K Serial
Description: Wan to SF circuit number 6fdda12345678
Description: A Helpful Command
Bob, a senior network administrator at Acme Corporation in San Francisco, has over 50 WAN
links to various branches throughout the U.S. and Canada. Whenever an interface goes down,
Bob spends a lot of time trying to figure out the circuit number as well as the phone number
of the provider of the WAN link.
The interface description command would be very helpful to Bob because he can use this
command on his LAN links to discern exactly where every router interface is connected. And
Bob would benefit tremendously by adding circuit numbers to each and every WAN interface,
along with the phone number of the responsible provider.
So by spending the few hours it would take to add this information to each and every router
interface, Bob can save a huge amount of precious time when his WAN links go down—and
you know they will!
Doing the do Command
Beginning with IOS version 12.3, Cisco has finally added a command to the IOS that allows
you to view the configuration and statistics from within configuration mode. (In the examples
I gave you in the previous section, all show commands were run from privileged mode.)
In fact, with a pre-12.3 router, you’d get the following error if you tried to view the
configuration from global-config:
Router(config)#sh run
^
% Invalid input detected at '^' marker.
Compare that to the output I get from entering that same command on my router that’s
running the 12.4 IOS:
Enter configuration commands, one per line. End with CNTL/Z.
Todd(config)#do show run
Building configuration...
Current configuration : 3276 bytes
!
[output cut]
Todd(config)#do sh int f0/0
FastEthernet0/0 is up, line protocol is down
Hardware is MV96340 Ethernet, address is 001a.2f55.c9e8 (bia 001a.2f55.c9e8)
Description: Sales VLAN
[output cut]
So basically, you can pretty much run any command from any configuration prompt
now—cool, huh? Going back to the example of encrypting our passwords, the do command
would definitely have gotten the party started sooner—so, my friends, this is a very, very good
thing indeed!