| 1 | Cisco Config Elements |
|---|
| 2 | ===================== |
|---|
| 3 | |
|---|
| 4 | Notes: |
|---|
| 5 | ------ |
|---|
| 6 | * Commands preceded with "$" imply that you should execute the command as |
|---|
| 7 | a general user - not as root. |
|---|
| 8 | * Commands preceded with "#" imply that you should be working as root. |
|---|
| 9 | * Commands with more specific command lines (e.g. "rtr>" or "mysql>") |
|---|
| 10 | imply that you are executing commands on remote equipment, or within |
|---|
| 11 | another program. |
|---|
| 12 | * If a command line ends with "\" this indicates that the command continues |
|---|
| 13 | on the next line and you should treat this as a single line. |
|---|
| 14 | |
|---|
| 15 | Exercises Part I |
|---|
| 16 | ================ |
|---|
| 17 | |
|---|
| 18 | 1. Connect to your router |
|---|
| 19 | ------------------------- |
|---|
| 20 | |
|---|
| 21 | Log in to your vm/pc image and install Telnet: |
|---|
| 22 | |
|---|
| 23 | $ sudo apt-get install telnet |
|---|
| 24 | |
|---|
| 25 | If it is already installed that is fine. |
|---|
| 26 | |
|---|
| 27 | Connect to router in your group. If you are not sure remember to review the |
|---|
| 28 | classroom network diagram. Click on the Network Diagram link on the main NOC |
|---|
| 29 | web page: |
|---|
| 30 | |
|---|
| 31 | http://noc.ws.nsrc.org/ |
|---|
| 32 | |
|---|
| 33 | Now connect to your router: |
|---|
| 34 | |
|---|
| 35 | $ telnet 10.10.0.X |
|---|
| 36 | |
|---|
| 37 | username: cisco |
|---|
| 38 | password: cisco |
|---|
| 39 | |
|---|
| 40 | Display information about your router |
|---|
| 41 | |
|---|
| 42 | routerN>enable |
|---|
| 43 | Password: (default pw "cisco") |
|---|
| 44 | RouterN#show run (space to continue) |
|---|
| 45 | RouterN#show int FastEthernet0/0 |
|---|
| 46 | RouterN#show ? (lists all options) |
|---|
| 47 | RouterN#exit (log off router) |
|---|
| 48 | |
|---|
| 49 | |
|---|
| 50 | |
|---|
| 51 | 2. Configure your router to only use SSH |
|---|
| 52 | ---------------------------------------- |
|---|
| 53 | |
|---|
| 54 | These steps will do the following: |
|---|
| 55 | |
|---|
| 56 | * Create an ssh key for your router |
|---|
| 57 | * Create an encrypted password for the user cisco |
|---|
| 58 | * Encrypt the enable password (cisco) |
|---|
| 59 | * Turn off telnet (unencrypted) access to your router |
|---|
| 60 | * Turn on SSH (version 2) access to your router |
|---|
| 61 | |
|---|
| 62 | You need to work in groups of 4. Get together with the members of your router |
|---|
| 63 | group and assign one person to enter commands. To start connect to one of the |
|---|
| 64 | PCs in use by your group. From that PC image telnet to your router: |
|---|
| 65 | |
|---|
| 66 | $ telnet rtrN.ws.nsrc.org (or "telnet 10.10.0.X") |
|---|
| 67 | |
|---|
| 68 | username: cisco |
|---|
| 69 | password: cisco |
|---|
| 70 | |
|---|
| 71 | rtrN> enable (en) |
|---|
| 72 | password: cisco |
|---|
| 73 | rtrN# configure terminal (conf t) |
|---|
| 74 | rtrN(config)# aaa new-model |
|---|
| 75 | rtrN(config)# crypto key generate rsa |
|---|
| 76 | |
|---|
| 77 | How many bits in the modulus [512]: 2048 |
|---|
| 78 | |
|---|
| 79 | Wait for the key to generate. You can now specify passwords and they will be |
|---|
| 80 | encrypted. First let's remove our cisco user temporarily, then we'll recreate |
|---|
| 81 | the user: |
|---|
| 82 | |
|---|
| 83 | rtrN(config)# no username cisco |
|---|
| 84 | rtrN(config)# username cisco secret 0 <CLASS PASSWORD> |
|---|
| 85 | |
|---|
| 86 | Now the cisco user's password (of <CLASS PASSWORD>) is encrypted. Next let's encrypt |
|---|
| 87 | the enable password as well: |
|---|
| 88 | |
|---|
| 89 | rtrN(config)# enable secret 0 <CLASS PASSWORD> |
|---|
| 90 | |
|---|
| 91 | Now we'll tell our router to only allow SSH connections on the 5 defined |
|---|
| 92 | consoles (vty 0 through 4): |
|---|
| 93 | |
|---|
| 94 | rtrN(config)# line vty 0 4 |
|---|
| 95 | rtrN(config-line)# transport input ssh |
|---|
| 96 | rtrN(config-line)# exit |
|---|
| 97 | |
|---|
| 98 | This drops us out of the "line" configuration mode and back in to the general |
|---|
| 99 | configuration mode. Now we'll tell the router to log SSH-related events and to |
|---|
| 100 | only allow SSH version 2 connections: |
|---|
| 101 | |
|---|
| 102 | rtrN(config)# ip ssh logging events |
|---|
| 103 | rtrN(config)# ip ssh version 2 |
|---|
| 104 | |
|---|
| 105 | Now exit from configuration mode: |
|---|
| 106 | |
|---|
| 107 | rtrN(config)# exit |
|---|
| 108 | |
|---|
| 109 | And, write these changes to the routers permament configuration: |
|---|
| 110 | |
|---|
| 111 | rtrN# write memory (wr mem) |
|---|
| 112 | |
|---|
| 113 | Ok. That's it. You can no longer use telnet to connect to your router. You must |
|---|
| 114 | connect using SSH with the user "cisco" and password <CLASS PASSWORD>. The enable password |
|---|
| 115 | is, also, "cisco" - Naturally in a real-world situation you would use much more |
|---|
| 116 | secure passwords. |
|---|
| 117 | |
|---|
| 118 | Let's exit from the router interface and reconnect using SSH: |
|---|
| 119 | |
|---|
| 120 | rtrN# exit |
|---|
| 121 | |
|---|
| 122 | First, try connection again with telnet: |
|---|
| 123 | |
|---|
| 124 | $ telnet rtrN.ws.nsrc.org |
|---|
| 125 | |
|---|
| 126 | What happens? You should see something like: |
|---|
| 127 | |
|---|
| 128 | Trying 10.10.0.N... |
|---|
| 129 | telnet: Unable to connect to remote host: Connection refused |
|---|
| 130 | |
|---|
| 131 | Now try connecting with SSH: |
|---|
| 132 | |
|---|
| 133 | $ ssh cisco@rtrN.ws.nsrc.org |
|---|
| 134 | |
|---|
| 135 | You should see something looks similar to this: |
|---|
| 136 | |
|---|
| 137 | The authenticity of host 'rtr2.ws.nsrc.org (10.10.0.X)' can't be |
|---|
| 138 | established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e: |
|---|
| 139 | 4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting |
|---|
| 140 | (yes/no)? |
|---|
| 141 | |
|---|
| 142 | Enter in "yes" and press ENTER to continue... |
|---|
| 143 | |
|---|
| 144 | Now you'll see the follwoing: |
|---|
| 145 | |
|---|
| 146 | Password: <CLASSS PASSWORD> |
|---|
| 147 | rtrN> |
|---|
| 148 | |
|---|
| 149 | Type "enable" to allow us to execute privileged commands: |
|---|
| 150 | |
|---|
| 151 | rtrN> enable |
|---|
| 152 | Password: cisco |
|---|
| 153 | rtrN# |
|---|
| 154 | |
|---|
| 155 | Now let's view the current router configuration: |
|---|
| 156 | |
|---|
| 157 | rtrN# show running (sh run) |
|---|
| 158 | |
|---|
| 159 | Press the space bar to continue. Note some of the entries like: |
|---|
| 160 | |
|---|
| 161 | enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs. |
|---|
| 162 | . |
|---|
| 163 | . |
|---|
| 164 | . |
|---|
| 165 | username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1 |
|---|
| 166 | . |
|---|
| 167 | . |
|---|
| 168 | . |
|---|
| 169 | line vty 0 4 |
|---|
| 170 | exec-timeout 0 0 |
|---|
| 171 | transport input ssh |
|---|
| 172 | |
|---|
| 173 | You can see that both the enable password and the password for the user cisco |
|---|
| 174 | have been encrypted. This is a good thing. |
|---|
| 175 | |
|---|
| 176 | Now you should exit the router interface to complete this exercise: |
|---|
| 177 | |
|---|
| 178 | rtrN# exit |
|---|
| 179 | |
|---|
| 180 | NOTES |
|---|
| 181 | ----- |
|---|
| 182 | |
|---|
| 183 | 1.) If you are locked out of your router after this exercise let your |
|---|
| 184 | instructor know and they can reset your router's configuration back to its |
|---|
| 185 | original state. |
|---|
| 186 | 2.) Please only do this exercise once. If multiple people do this exercise |
|---|
| 187 | it's very likely that access to the router will be broken. |
|---|
| 188 | 3.) During the week you will configure items such as SNMP, Netflow and more on |
|---|
| 189 | your group's router. From now on you can simply connect to the router |
|---|
| 190 | directly from your laptop or desktop machine using SSH. |
|---|
