Agenda: exercises-cisco-config.page

File exercises-cisco-config.page, 7.3 KB (added by andy, 5 years ago)
% Cisco Config Elements
%
% Network Monitoring and Management

# Introduction

## Goals

* Learn the basic set of IOS commands required to enable SSH on your Cisco
  Switch or Router

## Notes

* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtrX>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.
* If a command line ends with "\" this indicates that the command continues
  on the next line and you should treat this as a single line.

# Exercises Part I

## Work in a group

For this exercise you need to work in groups. Assign one person to type on
the keyboard. There should be 3 people in a group.

If you are unsure of what group you are in, refer to the Network Diagram on the
classroom wiki by going to http://noc.ws.nsrc.org/ and clicking on the Network
Diagram link.

## Connect to your router

Log in using ssh (extN.ws.nsrc.org) to your vm/pc image and install Telnet:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo apt-get install telnet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If it is already installed that is fine.

Now connect to the router in your group:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ telnet 10.10.0.N
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        username: cisco
        password: cisco

Display information about your router:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
routerN>enable
Password:                                               (default pw "cisco")
RouterN#show run                                (space to continue)
RouterN#show int FastEthernet0/0
RouterN#show ?                                  (lists all options)
RouterN#exit                                    (log off router)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Configure your router to only use SSH

These steps will do the following:

* Create an ssh key for your router
* Create an encrypted password for the user cisco
* Encrypt the enable password (cisco)
* Turn off telnet (unencrypted) access to your router
* Turn on SSH (version 2) access to your router

You need to work in groups of 4. Get together with the members of your router
group and assign one person to enter commands. To start, connect to one of the
PCs in use by your group. From that PC image telnet to your router:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ telnet rtrN.ws.nsrc.org       (or "telnet 10.10.0.N")
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        username: cisco
        password: cisco

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN> enable                                            (en)
password: cisco
rtrN# configure terminal                        (conf t)
rtrN(config)# aaa new-model
rtrN(config)# ip domain-name ws.nsrc.org
rtrN(config)# crypto key generate rsa

        How many bits in the modulus [512]: 2048
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wait for the key to generate. You can now specify passwords and they will be
encrypted. First let's remove our cisco user temporarily, then we'll recreate
the user:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN(config)# no username cisco
rtrN(config)# username cisco secret 0 <CLASS PASSWORD>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now the cisco user's password (<CLASS PASSWORD>) is stored encrypted. Next let's
encrypt the enable password as well:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN(config)# enable secret 0 <CLASS PASSWORD>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now we'll tell our router to only allow SSH connections on the 5 defined
virtual terminal lines (vty 0 through 4):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN(config)# line vty 0 4
rtrN(config-line)# transport input ssh
rtrN(config-line)# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This drops us out of the "line" configuration mode and back into the general
configuration mode. Now we'll tell the router to log SSH-related events and to
only allow SSH version 2 connections:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN(config)# ip ssh logging events
rtrN(config)# ip ssh version 2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now exit from configuration mode:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN(config)# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And write these changes to the router's permanent configuration:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN# write memory                              (wr mem)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ok. That's it. You can no longer use telnet to connect to your
router. You must connect using SSH with the user "cisco" and
password <CLASS PASSWORD>. The enable password is also <CLASS
PASSWORD>. Naturally, in a real-world situation you would use much
more secure passwords.

Before you exit your Telnet session be sure to test ssh connectivity
from another PC in your group (or open another terminal window).
Do this in case you made a mistake, to avoid locking yourself out
of your router.

First, try connecting again with telnet:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ telnet rtrN.ws.nsrc.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What happens? You should see something like:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trying 10.10.0.N...
telnet: Unable to connect to remote host: Connection refused
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now try connecting with SSH:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ssh cisco@rtrN.ws.nsrc.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You should see something similar to this:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be
established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e:
4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting
(yes/no)?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Type "yes" and press ENTER to continue...

Now you'll see the following:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Password: <CLASS PASSWORD>
rtrN>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Type "enable" to allow us to execute privileged commands:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN> enable
Password: <CLASS PASSWORD>
rtrN#
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now let's view the current router configuration:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN# show running                                      (sh run)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Press the space bar to continue. Note some of the entries like:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
.
.
.
username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
.
.
.
line vty 0 4
exec-timeout 0 0
transport input ssh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can see that both the enable password and the password for the user cisco
have been encrypted. This is a good thing.

Now you should exit the router interface to complete this exercise:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
rtrN# exit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And, if you still have your older Telnet session in another window,
be sure to exit from that as well.
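As an added check that is not part of the original exercise, the Python below audits a saved copy of the `show running-config` output for the settings this exercise applies (hashed secrets, vty lines restricted to SSH, SSH version 2, domain name set) so a group can confirm its work before closing the Telnet session. The two sample configs, the check list and the function names are constructed for this example; an empty result means every check passed.

```python
import re

# Constructed samples of 'show running-config' output: after the exercise and before it.
HARDENED = """\
aaa new-model
ip domain-name ws.nsrc.org
enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
ip ssh logging events
ip ssh version 2
line vty 0 4
 transport input ssh
"""
BEFORE = """\
enable password cisco
username cisco password 0 cisco
line vty 0 4
 transport input telnet ssh
"""

# (regex, required?, finding). 'secret' lines hold a hash; 'password' lines do not.
CHECKS = [
    (r"^aaa new-model$", True, "aaa new-model missing"),
    (r"^ip domain-name \S+", True, "ip domain-name not set (RSA key needs it)"),
    (r"^enable secret \d+ ", True, "enable secret missing"),
    (r"^ip ssh version 2$", True, "ip ssh version 2 not set"),
    (r"^ip ssh logging events$", True, "ip ssh logging events not set"),
    (r"^enable password ", False, "cleartext 'enable password' still present"),
    (r"^username \S+ password ", False, "user stored with 'password', not 'secret'"),
]

def vty_transports(config):
    # Map each 'line vty ...' header to its 'transport input' value (None if unset).
    result, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            result[current] = None
        elif raw.startswith("line "):          # a con/aux block ends the vty context
            current = None
        elif current and raw.startswith(" transport input "):
            result[current] = raw.strip()[len("transport input "):]
    return result

def audit_ios_config(config):
    # Collect every failed check; the vty lines must allow SSH and nothing else.
    findings = [msg for pat, required, msg in CHECKS
                if bool(re.search(pat, config, re.M)) != required]
    for line, transport in vty_transports(config).items():
        if transport != "ssh":
            findings.append(f"{line}: transport input {transport or 'unset'}, not ssh-only")
    return findings
```

Run it against a config captured from the router (for example `audit_ios_config(open("rtrN.cfg").read())`) rather than the built-in samples to check your own group's router.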

# NOTES

1. If you are locked out of your router after this exercise let your
    instructor know and they can reset your router's configuration back to its
    original state.
2. Please only do this exercise once. If multiple people do this exercise
    it's very likely that access to the router will be broken.
3. During the week you will configure items such as SNMP, Netflow and more on
    your group's router. From now on you can simply connect to the router
    directly from your laptop or desktop machine using SSH.