| 1 | Cisco Config Elements |
|---|
| 2 | ===================== |
|---|
| 3 | |
|---|
| 4 | Notes: |
|---|
| 5 | ------ |
|---|
| 6 | * Commands preceded with "$" imply that you should execute the command as |
|---|
| 7 | a general user - not as root. |
|---|
| 8 | * Commands preceded with "#" imply that you should be working as root. |
|---|
| 9 | * Commands with more specific command lines (e.g. "rtr>" or "mysql>") |
|---|
| 10 | imply that you are executing commands on remote equipment, or within |
|---|
| 11 | another program. |
|---|
| 12 | * If a command line ends with "\" this indicates that the command continues |
|---|
| 13 | on the next line and you should treat this as a single line. |
|---|
| 14 | |
|---|
| 15 | Exercises Part I |
|---|
| 16 | ================ |
|---|
| 17 | |
|---|
| 18 | 1. Connect to your router |
|---|
| 19 | ------------------------- |
|---|
| 20 | |
|---|
| 21 | Log in to your vm/pc image and install Telnet: |
|---|
| 22 | |
|---|
| 23 | $ sudo apt-get install telnet |
|---|
| 24 | |
|---|
| 25 | Connect to router in your group. If you are not sure remember to review the |
|---|
| 26 | classroom network diagram: |
|---|
| 27 | |
|---|
| 28 | http://noc.ws.nsrc.org/wiki/Diagram |
|---|
| 29 | |
|---|
| 30 | Now connect to your router: |
|---|
| 31 | |
|---|
| 32 | $ telnet 10.10.N.254 |
|---|
| 33 | |
|---|
| 34 | username: cisco |
|---|
| 35 | password: cisco |
|---|
| 36 | |
|---|
| 37 | Display information about your router |
|---|
| 38 | |
|---|
| 39 | rtrN>enable (default pw "cisco") |
|---|
| 40 | rtrN#show run (space to continue) |
|---|
| 41 | rtrN#show int FastEthernet0/0 |
|---|
| 42 | rtrN#show ? (lists all options) |
|---|
| 43 | rtrN#exit (log off router) |
|---|
| 44 | |
|---|
| 45 | |
|---|
| 46 | |
|---|
| 47 | 2. Configure your router to only use SSH |
|---|
| 48 | ---------------------------------------- |
|---|
| 49 | |
|---|
| 50 | These steps will do the following: |
|---|
| 51 | |
|---|
| 52 | * Create an ssh key for your router |
|---|
| 53 | * Create an encrypted password for the user cisco |
|---|
| 54 | * Encrypt the enable password (cisco) |
|---|
| 55 | * Turn off telnet (unencrypted) access to your router |
|---|
| 56 | * Turn on SSH (version 2) access to your router |
|---|
| 57 | |
|---|
| 58 | You need to work in groups of 4. |
|---|
| 59 | |
|---|
| 60 | Get together with the members of your router |
|---|
| 61 | group and assign one person to enter commands. To start connect to one of the |
|---|
| 62 | PCs in use by your group. From that PC image telnet to your router: |
|---|
| 63 | |
|---|
| 64 | $ telnet rtrN.ws.nsrc.org (or "telnet 10.10.N.254") |
|---|
| 65 | |
|---|
| 66 | username: cisco |
|---|
| 67 | password: cisco |
|---|
| 68 | |
|---|
| 69 | rtrN> enable (en) |
|---|
| 70 | password: cisco |
|---|
| 71 | rtrN# configure terminal (conf t) |
|---|
| 72 | |
|---|
| 73 | Let's activate the usernames/passwords model (should be activated by default, but let's just be sure): |
|---|
| 74 | |
|---|
| 75 | rtrN(config)# aaa new-model |
|---|
| 76 | |
|---|
| 77 | First let's remove our cisco user temporarily, then we'll recreate |
|---|
| 78 | the user: |
|---|
| 79 | |
|---|
| 80 | rtrN(config)# no username cisco |
|---|
| 81 | rtrN(config)# username cisco secret 0 cisco |
|---|
| 82 | |
|---|
| 83 | Now the cisco user's password (of cisco) is encrypted. Next let's encrypt |
|---|
| 84 | the enable password as well: |
|---|
| 85 | |
|---|
| 86 | rtrN(config)# enable secret 0 cisco |
|---|
| 87 | |
|---|
| 88 | |
|---|
| 89 | To activate SSH, we need to generate a router key: |
|---|
| 90 | rtrN(config)# crypto key generate rsa |
|---|
| 91 | |
|---|
| 92 | How many bits in the modulus [512]: 2048 |
|---|
| 93 | |
|---|
| 94 | Wait for the key to generate. |
|---|
| 95 | |
|---|
| 96 | Now we'll tell our router to only allow SSH connections on the 5 defined |
|---|
| 97 | consoles (vty 0 through 4): |
|---|
| 98 | |
|---|
| 99 | rtrN(config)# line vty 0 4 |
|---|
| 100 | rtrN(config-line)# transport input ssh |
|---|
| 101 | rtrN(config-line)# exit |
|---|
| 102 | |
|---|
| 103 | This drops us out of the "line" configuration mode and back in to the general |
|---|
| 104 | configuration mode. Now we'll tell the router to log SSH-related events and to |
|---|
| 105 | only allow SSH version 2 connections: |
|---|
| 106 | |
|---|
| 107 | rtrN(config)# ip ssh logging events |
|---|
| 108 | rtrN(config)# ip ssh version 2 |
|---|
| 109 | |
|---|
| 110 | Now exit from configuration mode: |
|---|
| 111 | |
|---|
| 112 | rtrN(config)# exit |
|---|
| 113 | |
|---|
| 114 | And, write these changes to the routers permament configuration: |
|---|
| 115 | |
|---|
| 116 | rtrN# write memory (wr mem) |
|---|
| 117 | |
|---|
| 118 | Ok. That's it. You can no longer use telnet to connect to your router. You must |
|---|
| 119 | connect using SSH with the user "cisco" and password "cisco". The enable password |
|---|
| 120 | is, also, "cisco" - Naturally in a real-world situation you would use much more |
|---|
| 121 | secure passwords. |
|---|
| 122 | |
|---|
| 123 | Let's exit from the router interface and reconnect using SSH: |
|---|
| 124 | |
|---|
| 125 | rtrN# exit |
|---|
| 126 | |
|---|
| 127 | First, try connection again with telnet: |
|---|
| 128 | |
|---|
| 129 | $ telnet rtrN.ws.nsrc.org |
|---|
| 130 | |
|---|
| 131 | What happens? You should see something like: |
|---|
| 132 | |
|---|
| 133 | Trying 10.10.N.254... |
|---|
| 134 | telnet: Unable to connect to remote host: Connection refused |
|---|
| 135 | |
|---|
| 136 | Now try connecting with SSH: |
|---|
| 137 | |
|---|
| 138 | $ ssh cisco@rtrN.ws.nsrc.org |
|---|
| 139 | |
|---|
| 140 | You should see something like: |
|---|
| 141 | |
|---|
| 142 | The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be |
|---|
| 143 | established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e: |
|---|
| 144 | 4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting |
|---|
| 145 | (yes/no)? |
|---|
| 146 | |
|---|
| 147 | Enter in "yes" and press ENTER to continue... |
|---|
| 148 | |
|---|
| 149 | Now you'll see the follwoing: |
|---|
| 150 | |
|---|
| 151 | Password: cisco |
|---|
| 152 | rtrN> |
|---|
| 153 | |
|---|
| 154 | Type "enable" to allow us to execute privileged commands: |
|---|
| 155 | |
|---|
| 156 | rtrN> enable |
|---|
| 157 | Password: cisco |
|---|
| 158 | rtrN# |
|---|
| 159 | |
|---|
| 160 | Now let's view the current router configuration: |
|---|
| 161 | |
|---|
| 162 | rtrN# show running (sh run) |
|---|
| 163 | |
|---|
| 164 | Press the space bar to continue. Note some of the entries like: |
|---|
| 165 | |
|---|
| 166 | enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs. |
|---|
| 167 | . |
|---|
| 168 | . |
|---|
| 169 | . |
|---|
| 170 | username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1 |
|---|
| 171 | . |
|---|
| 172 | . |
|---|
| 173 | . |
|---|
| 174 | line vty 0 4 |
|---|
| 175 | exec-timeout 0 0 |
|---|
| 176 | transport input ssh |
|---|
| 177 | |
|---|
| 178 | You can see that both the enable password and the password for the user cisco |
|---|
| 179 | have been encrypted. This is a good thing. |
|---|
| 180 | |
|---|
| 181 | Now you should exit the router interface to complete this exercise: |
|---|
| 182 | |
|---|
| 183 | rtrN# exit |
|---|
| 184 | |
|---|
| 185 | NOTES |
|---|
| 186 | ----- |
|---|
| 187 | |
|---|
| 188 | 1.) If you are locked out of your router after this exercise let your |
|---|
| 189 | instructor know and they can reset your router's configuration back to its |
|---|
| 190 | original state. |
|---|
| 191 | |
|---|
| 192 | 2.) Please only do this exercise once. If multiple people do this exercise |
|---|
| 193 | it's very likely that access to the router will be broken. |
|---|
| 194 | 3.) During the week you will configure items such as SNMP, Netflow and more on |
|---|
| 195 | your group's router. From now on you can simply connect to the router |
|---|
| 196 | directly from your laptop or desktop machine using SSH. |
|---|
