Agenda: exercises-cisco-config.txt

File exercises-cisco-config.txt, 5.7 KB (added by sysadmin, 6 years ago)
Cisco Config Elements
=====================

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtr>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.
* If a command line ends with "\" this indicates that the command continues
  on the next line and you should treat this as a single line.

Exercises Part I
================

0. Work in a group
------------------

For this exercise you need to work in groups. Assign one person to type on
the keyboard. There should be 4 people in each group. For instance, members of
Group 1 are those on pc1-pc4, Group 2 use pc5-pc8, Group 3 use pc9-pc12, etc.

If you are unsure of what group you are in, refer to the Network Diagram on the
classroom wiki by going to http://noc.ws.nsrc.org/ and clicking on the Network
Diagram link.

1. Connect to your router
-------------------------

Log in to your vm/pc image and install Telnet:

        $ sudo apt-get install telnet

If it is already installed that is fine.

Connect to the router in your group. If you are not sure, remember to review the
classroom network diagram. Click on the Network Diagram link on the main NOC
web page:

        http://noc.ws.nsrc.org/

Now connect to your router:

        $ telnet 10.10.N.254

        username: cisco
        password: cisco

Display information about your router:

        RouterN>enable
        Password:                               (default pw "cisco")
        RouterN#show run                        (space to continue)
        RouterN#show int FastEthernet0/0
        RouterN#show ?                          (lists all options)
        RouterN#exit                            (log off router)


2. Configure your router to only use SSH
----------------------------------------

These steps will do the following:

        * Create an ssh key for your router
        * Create an encrypted password for the user cisco
        * Encrypt the enable password (cisco)
        * Turn off telnet (unencrypted) access to your router
        * Turn on SSH (version 2) access to your router

You need to work in groups of 4. Get together with the members of your router
group and assign one person to enter commands. To start, connect to one of the
PCs in use by your group. From that PC image telnet to your router:

        $ telnet rtrN.ws.nsrc.org       (or "telnet 10.10.N.254")

        username: cisco
        password: cisco

        rtrN> enable                                    (en)
        password: cisco
        rtrN# configure terminal                        (conf t)
        rtrN(config)# aaa new-model
        rtrN(config)# ip domain-name ws.nsrc.org
        rtrN(config)# crypto key generate rsa

        How many bits in the modulus [512]: 2048

Wait for the key to generate. You can now specify passwords and they will be
encrypted. First let's remove our cisco user temporarily, then we'll recreate
the user:

        rtrN(config)# no username cisco
        rtrN(config)# username cisco secret 0 <CLASS PASSWORD>

Now the cisco user's password (<CLASS PASSWORD>) is encrypted. Next let's encrypt
the enable password as well:

        rtrN(config)# enable secret 0 <CLASS PASSWORD>

Now we'll tell our router to only allow SSH connections on the 8 defined
virtual terminal lines (vty 0 through 7):

        rtrN(config)# line vty 0 7
        rtrN(config-line)# transport input ssh
        rtrN(config-line)# exit

This drops us out of the "line" configuration mode and back into the general
configuration mode. Now we'll tell the router to log SSH-related events and to
only allow SSH version 2 connections:

        rtrN(config)# ip ssh logging events
        rtrN(config)# ip ssh version 2

Now exit from configuration mode:

        rtrN(config)# exit

And write these changes to the router's permanent configuration:

        rtrN# write memory                              (wr mem)

Ok. That's it. You can no longer use telnet to connect to your router. You must
connect using SSH with the user "cisco" and password <CLASS PASSWORD>. The enable
password is also "cisco". Naturally, in a real-world situation you would use much
more secure passwords.

Let's exit from the router interface and reconnect using SSH:

        rtrN# exit

First, try connecting again with telnet:

        $ telnet rtrN.ws.nsrc.org

What happens? You should see something like:

        Trying 10.10.N.254...
        telnet: Unable to connect to remote host: Connection refused

Now try connecting with SSH:

        $ ssh cisco@rtrN.ws.nsrc.org

You should see something similar to this:

        The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be
        established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e:
        4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting
        (yes/no)?

Enter "yes" and press ENTER to continue...

Now you'll see the following:

        Password: <CLASS PASSWORD>
        rtrN>

Type "enable" to allow us to execute privileged commands:

        rtrN> enable
        Password: <CLASS PASSWORD>
        rtrN#

Now let's view the current router configuration:

        rtrN# show running                                      (sh run)

Press the space bar to continue. Note some of the entries like:

        enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
        .
        .
        .
        username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
        .
        .
        .
        line vty 0 7
         exec-timeout 0 0
         transport input ssh

You can see that both the enable password and the password for the user cisco
have been encrypted (the "5" marks a salted MD5 hash, which unlike a type 7
"password" entry cannot be decoded back to the clear text). This is a good thing.
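
As an added example (it is not part of the original exercise and not a Cisco
tool), the following Python script checks a saved copy of "show running-config"
text for the settings this exercise configures: a domain name for the RSA key,
"ip ssh version 2", hashed "secret" entries instead of clear-text passwords, and
"transport input ssh" on every vty line range. Both sample configs are
constructed for the example; the two hashes in the hardened sample are the ones
printed above, not live credentials, and the "before" sample shows the kind of
default config the audit is meant to flag.

```python
"""Audit a Cisco IOS running-config for the SSH-only settings in this exercise."""
import re

# Constructed sample modelled on the "show running-config" output above;
# the two hashes are the ones printed in the exercise, not live credentials.
SAMPLE_HARDENED = """\
hostname rtrN
!
aaa new-model
ip domain-name ws.nsrc.org
!
enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
!
ip ssh logging events
ip ssh version 2
!
line con 0
line vty 0 7
 exec-timeout 0 0
 transport input ssh
!
end
"""

# Constructed "before" sample: clear-text passwords and telnet still allowed.
SAMPLE_DEFAULT = """\
hostname rtrN
!
enable password cisco
username cisco password 0 cisco
!
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
!
end
"""


def parse_sections(config):
    """Split IOS config text into (header, [indented sub-lines]) pairs.

    A line at column 0 starts a section; lines indented by a space belong to
    the section above. Blank lines and '!' separators are skipped.
    """
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit_ssh_only(config):
    """Return a list of findings; an empty list means the config matches the exercise."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    findings = []

    if not any(h.startswith("ip domain-name ") for h in headers):
        findings.append("no 'ip domain-name' (needed before 'crypto key generate rsa')")
    if "ip ssh version 2" not in headers:
        findings.append("'ip ssh version 2' not set")

    # 'enable secret' stores a hash; 'enable password' is clear text or type 7.
    if not any(h.startswith("enable secret ") for h in headers):
        findings.append("enable password is not stored as a 'secret'")
    for h in headers:
        if h.startswith("enable password "):
            findings.append(f"reversible enable password present: {h!r}")
        elif h.startswith("username ") and "secret" not in h.split():
            findings.append(f"user {h.split()[1]!r} is not using 'secret'")

    # Every vty line range must accept only SSH; anything else (or an unset
    # transport, where the platform default applies) is reported.
    vty_found = False
    for header, sub in sections:
        if not re.match(r"line vty \d+ \d+$", header):
            continue
        vty_found = True
        transport = [s for s in sub if s.startswith("transport input ")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input is {transport or 'unset'}")
    if not vty_found:
        findings.append("no vty lines configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        problems = audit_ssh_only(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it on a file captured from "show running-config" (for example by passing
the file contents to audit_ssh_only) after the exercise to confirm every vty
range was covered; a forgotten range such as "line vty 5 15" on a router with
more than 8 vty lines would still accept telnet and shows up as a finding.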

Now you should exit the router interface to complete this exercise:

        rtrN# exit

NOTES
-----

1.) If you are locked out of your router after this exercise let your
    instructor know and they can reset your router's configuration back to its
    original state.
2.) Please only do this exercise once. If multiple people do this exercise
    it's very likely that access to the router will be broken.
3.) During the week you will configure items such as SNMP, Netflow and more on
    your group's router. From now on you can simply connect to the router
    directly from your laptop or desktop machine using SSH.