Agenda: exercises-cisco-config.htm

File exercises-cisco-config.htm, 8.9 KB (added by andy, 5 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Cisco Config Elements</title>
  <style type="text/css">code{white-space: pre;}</style>
  <link rel="stylesheet" href="../../style.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Cisco Config Elements</h1>
<h3 class="date">Network Monitoring and Management</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#exercises-part-i"><span class="toc-section-number">2</span> Exercises Part I</a><ul>
<li><a href="#work-in-a-group"><span class="toc-section-number">2.1</span> Work in a group</a></li>
<li><a href="#connect-to-your-router"><span class="toc-section-number">2.2</span> Connect to your router</a></li>
<li><a href="#configure-your-router-to-only-use-ssh"><span class="toc-section-number">2.3</span> Configure your router to only use SSH</a></li>
</ul></li>
<li><a href="#notes-1"><span class="toc-section-number">3</span> NOTES</a></li>
</ul>
</div>
<h1 id="introduction"><a href="#introduction"><span class="header-section-number">1</span> Introduction</a></h1>
<h2 id="goals"><a href="#goals"><span class="header-section-number">1.1</span> Goals</a></h2>
<ul>
<li>Learn the basic set of IOS commands required to enable SSH on your Cisco Switch or Router</li>
</ul>
<h2 id="notes"><a href="#notes"><span class="header-section-number">1.2</span> Notes</a></h2>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
<li>If a command line ends with &quot;\&quot; this indicates that the command continues on the next line and you should treat this as a single line.</li>
</ul>
<h1 id="exercises-part-i"><a href="#exercises-part-i"><span class="header-section-number">2</span> Exercises Part I</a></h1>
<h2 id="work-in-a-group"><a href="#work-in-a-group"><span class="header-section-number">2.1</span> Work in a group</a></h2>
<p>For this exercise you need to work in groups. Assign one person to type on the keyboard. There should be 3 people in each group.</p>
<p>If you are unsure of what group you are in, refer to the Network Diagram on the classroom wiki by going to and clicking on the Network Diagram link.</p>
<h2 id="connect-to-your-router"><a href="#connect-to-your-router"><span class="header-section-number">2.2</span> Connect to your router</a></h2>
<p>Log in using ssh ( to your vm/pc image and install Telnet:</p>
<pre><code>$ sudo apt-get install telnet</code></pre>
<p>If it is already installed that is fine.</p>
<p>Now connect to the router in your group:</p>
<pre><code>$ telnet 10.10.0.N</code></pre>
<pre><code>username: cisco
password: cisco</code></pre>
<p>Display information about your router:</p>
<pre><code>RouterN&gt;enable
Password:                       (default pw &quot;cisco&quot;)
RouterN#show run                (space to continue)
RouterN#show int FastEthernet0/0
RouterN#show ?                  (lists all options)
RouterN#exit                    (log off router)</code></pre>
<h2 id="configure-your-router-to-only-use-ssh"><a href="#configure-your-router-to-only-use-ssh"><span class="header-section-number">2.3</span> Configure your router to only use SSH</a></h2>
<p>These steps will do the following:</p>
<ul>
<li>Create an ssh key for your router</li>
<li>Create an encrypted password for the user cisco</li>
<li>Encrypt the enable password (cisco)</li>
<li>Turn off telnet (unencrypted) access to your router</li>
<li>Turn on SSH (version 2) access to your router</li>
</ul>
<p>You need to work in groups of 4. Get together with the members of your router group and assign one person to enter commands. To start, connect to one of the PCs in use by your group. From that PC image telnet to your router:</p>
<pre><code>$ telnet   (or &quot;telnet 10.10.0.N&quot;)</code></pre>
<pre><code>username: cisco
password: cisco</code></pre>
<pre><code>rtrN&gt; enable                        (en)
password: cisco
rtrN# configure terminal            (conf t)
rtrN(config)# aaa new-model
rtrN(config)# ip domain-name
rtrN(config)# crypto key generate rsa
    How many bits in the modulus [512]: 2048</code></pre>
<p>Wait for the key to generate. You can now specify passwords and they will be encrypted. First let's remove our cisco user temporarily, then we'll recreate the user:</p>
<pre><code>rtrN(config)# no username cisco
rtrN(config)# username cisco secret 0 &lt;CLASS PASSWORD&gt;</code></pre>
<p>Now the cisco user's password (of &lt;CLASS PASSWORD&gt;) is encrypted. Next let's encrypt the enable password as well:</p>
<pre><code>rtrN(config)# enable secret 0 &lt;CLASS PASSWORD&gt;</code></pre>
<p>Now we'll tell our router to only allow SSH connections on the 5 virtual terminal lines it defines (vty 0 through 4):</p>
<pre><code>rtrN(config)# line vty 0 4
rtrN(config-line)# transport input ssh
rtrN(config-line)# exit</code></pre>
<p>This drops us out of the &quot;line&quot; configuration mode and back into the general configuration mode. Now we'll tell the router to log SSH-related events and to only allow SSH version 2 connections:</p>
<pre><code>rtrN(config)# ip ssh logging events
rtrN(config)# ip ssh version 2</code></pre>
<p>Now exit from configuration mode:</p>
<pre><code>rtrN(config)# exit</code></pre>
<p>And, write these changes to the router's permanent configuration:</p>
<pre><code>rtrN# write memory              (wr mem)</code></pre>
<p>Ok. That's it. You can no longer use telnet to connect to your router. You must connect using SSH with the user &quot;cisco&quot; and password &lt;CLASS PASSWORD&gt;. The enable password is, also, &lt;CLASS PASSWORD&gt; - Naturally in a real-world situation you would use much more secure passwords.</p>
<p>Before you exit your Telnet session be sure to test ssh connectivity from another PC in your group (or, open another terminal window). Do this to avoid locking yourself out of your router if you made a mistake.</p>
<p>First, try connecting again with telnet:</p>
<pre><code>$ telnet</code></pre>
<p>What happens? You should see something like:</p>
<pre><code>Trying 10.10.0.N...
telnet: Unable to connect to remote host: Connection refused</code></pre>
<p>Now try connecting with SSH:</p>
<pre><code>$ ssh</code></pre>
<p>You should see something that looks similar to this:</p>
<pre><code>The authenticity of host &#39; (; can&#39;t be 
established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e:
4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting
(yes/no)? </code></pre>
<p>Enter &quot;yes&quot; and press ENTER to continue...</p>
<p>Now you'll see the following:</p>
<pre><code>Password: &lt;CLASS PASSWORD&gt;
rtrN&gt;</code></pre>
<p>Type &quot;enable&quot; to allow us to execute privileged commands:</p>
<pre><code>rtrN&gt; enable
Password: &lt;CLASS PASSWORD&gt;
rtrN#</code></pre>
<p>Now let's view the current router configuration:</p>
<pre><code>rtrN# show running                  (sh run)</code></pre>
<p>Press the space bar to continue. Note some of the entries like:</p>
<pre><code>enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
line vty 0 4
exec-timeout 0 0
transport input ssh</code></pre>
<p>You can see that both the enable password and the password for the user cisco have been encrypted. This is a good thing.</p>
<p>Now you should exit the router interface to complete this exercise:</p>
<pre><code>rtrN# exit</code></pre>
<p>And, if you still have your older Telnet session in another window be sure to exit from that as well.</p>
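<p>An added example, not part of the original exercise: the settings you just checked by eye in <code>show run</code> can be verified from a saved copy of that output. The Python script below parses the text, assuming the layout IOS prints (section headers such as <code>line vty 0 4</code> at column 0, their commands indented by one space, <code>!</code> lines between sections), and reports whether the exercise's settings are present: an <code>enable secret</code> rather than <code>enable password</code>, <code>secret</code> rather than <code>password</code> on every <code>username</code>, <code>ip ssh version 2</code>, <code>ip ssh logging events</code>, and exactly <code>transport input ssh</code> on every vty line. It also flags <code>exec-timeout 0 0</code>, which appears in the output above and disables the idle logout on those lines. The two sample configs, the hash strings and the function names (<code>parse_config</code>, <code>audit</code>, <code>failed_checks</code>) are constructed for this example.</p>

```python
"""Audit a saved Cisco IOS running-config for the settings in this exercise.

Added example, not part of the original lab. The sample configs below are
constructed; the hash strings are placeholders, not real credentials.
"""
import sys

# Constructed: roughly what "show run" prints once the exercise is done.
HARDENED_CONFIG = """\
!
aaa new-model
!
enable secret 5 $1$EXAM$placeholder.hash.constructed.0
!
username cisco secret 5 $1$EXAM$placeholder.hash.constructed.1
!
ip domain-name example.invalid
ip ssh logging events
ip ssh version 2
!
line con 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
"""

# Constructed: the kind of config the router has before the exercise.
DEFAULT_CONFIG = """\
!
enable password cisco
!
username cisco password 0 cisco
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
"""


def parse_config(text):
    """Return (top-level commands, {section header: [its indented commands]}).

    IOS prints headers such as "line vty 0 4" at column 0 and the commands
    that belong to them indented by one space; a "!" line ends a section.
    """
    top_level, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top_level.append(current)
        sections.setdefault(current, [])
    return top_level, sections


def audit(text):
    """Return [(check name, passed, detail)] in a fixed order."""
    top, sections = parse_config(text)
    vty = {h: body for h, body in sections.items() if h.startswith("line vty")}
    findings = []

    # "enable secret" stores a hash; "enable password" stores recoverable text.
    plain = [c for c in top if c.startswith("enable password ")]
    has_secret = any(c.startswith("enable secret ") for c in top)
    findings.append(("enable secret configured", has_secret and not plain, "; ".join(plain)))

    # Local users must use "secret" (hashed), never "password" (type 0 or 7).
    weak = [c for c in top if c.startswith("username ") and " password " in c]
    findings.append(("local user passwords hashed", not weak, "; ".join(weak)))

    findings.append(("SSH version 2 only", "ip ssh version 2" in top, ""))
    findings.append(("SSH event logging", "ip ssh logging events" in top, ""))

    # Exact match: "transport input telnet ssh" or "transport input all" fail.
    bad = [h for h, body in vty.items() if "transport input ssh" not in body]
    findings.append(("vty lines SSH-only", bool(vty) and not bad, ", ".join(bad)))

    # "exec-timeout 0 0" disables the idle logout on that line.
    forever = [h for h, body in vty.items() if "exec-timeout 0 0" in body]
    findings.append(("vty idle timeout enabled", not forever, ", ".join(forever)))
    return findings


def failed_checks(text):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok, _ in audit(text) if not ok]


if __name__ == "__main__":
    # Usage: python audit_ios.py saved-show-run.txt  (no argument: the samples)
    if len(sys.argv) > 1:
        configs = {sys.argv[1]: open(sys.argv[1]).read()}
    else:
        configs = {"HARDENED_CONFIG": HARDENED_CONFIG, "DEFAULT_CONFIG": DEFAULT_CONFIG}
    for label, text in configs.items():
        print(label)
        for name, ok, detail in audit(text):
            print(f"  [{'PASS' if ok else 'FAIL'}] {name}", f"({detail})" if detail else "")
```

<p>Run with no arguments to see the two constructed samples scored; run with the path of a saved <code>show run</code> capture to audit your own router. The vty check uses exact string matching on purpose, so a line that still permits <code>transport input telnet ssh</code> is reported as a failure rather than passing because the word <code>ssh</code> appears in it.</p>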
<h1 id="notes-1"><a href="#notes-1"><span class="header-section-number">3</span> NOTES</a></h1>
<ol style="list-style-type: decimal">
<li>If you are locked out of your router after this exercise let your instructor know and they can reset your router's configuration back to its original state.</li>
<li>Please only do this exercise once. If multiple people do this exercise it's very likely that access to the router will be broken.</li>
<li>During the week you will configure items such as SNMP, Netflow and more on your group's router. From now on you can simply connect to the router directly from your laptop or desktop machine using SSH.</li>
</ol>
</body>
</html>