16.4.7 Lab – Configure Network Devices with SSH Answers


Objectives

Part 1: Configure Basic Device Settings
Part 2: Configure the Router for SSH Access
Part 3: Configure the Switch for SSH Access
Part 4: SSH from the CLI on the Switch


Context / Scenario

Historically, Telnet was the most commonly used protocol for remotely configuring network devices. Telnet does not encrypt the information sent between the client and the server, which allows a network sniffer to capture passwords and configuration data.

Secure Shell (SSH) is a protocol that provides a secure, encrypted terminal-emulation connection to a router or other networking device. SSH encrypts all data that is sent over the network connection and authenticates the remote device. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals. SSH is most often used to log in to a remote device and execute commands; it can also transfer files using the Secure FTP (SFTP) and Secure Copy (SCP) protocols.

For SSH to work, the network devices that communicate must be configured to support it. In this lab, you will enable the SSH server on a router and then connect to that router from a PC with an SSH client installed. On a local network, the connection is normally made using Ethernet and IP.

Note: The routers used in CCNA hands-on labs are Cisco 4221 with Cisco IOS XE Release 16.9.4 (universalk9 image). The switches used are Cisco Catalyst 2960s with Cisco IOS Release 15.2(2) (lanbasek9 image). Other routers, switches, and Cisco IOS versions can be used. Depending on the model and Cisco IOS version, the commands available and the output produced may vary from what is shown in the labs. Refer to the Router Interface Summary Table at the end of the lab for the correct interface identifiers.

Note: Make sure that the routers and switches have been erased and have no startup configurations. If you are unsure, contact your instructor.

Refer to the Instructor Lab Manual for the procedures to initialize and reload devices.


Required Resources

1 Router (Cisco 4221 with Cisco IOS XE Release 16.9.4 universal image or comparable)
1 Switch (Cisco 2960 with Cisco IOS Release 15.2(2) lanbasek9 image or comparable)
1 PC (Windows with a terminal emulation program, such as Tera Term)
Console cables to configure the Cisco IOS devices via the console ports
Ethernet cables as shown in the topology

Instructions

Part 1: Configure Basic Device Settings

In Part 1, you will set up the network topology and configure basic settings, such as the interface IP addresses, device access, and passwords on the router.


Step 1: Cable the network as shown in the topology.

Step 2: Initialize and reload the router and switch.

Step 3: Configure the router.

Console into the router and enable privileged EXEC mode.

Router> enable

Enter configuration mode.

Router# configure terminal

Disable DNS lookup to prevent the router from attempting to translate incorrectly entered commands as though they were host names.

Router(config)# no ip domain-lookup

Assign class as the privileged EXEC encrypted password.

Router(config)# enable secret class

Assign cisco as the console password and enable login.

Router(config)# line console 0
Router(config-line)# password cisco
Router(config-line)# login

Assign cisco as the VTY password and enable login.

Router(config)# line vty 0 4
Router(config-line)# password cisco
Router(config-line)# login

Encrypt the plaintext passwords.

Router(config)# service password-encryption

Create a banner that warns anyone accessing the device that unauthorized access is prohibited.

Router(config)# banner motd $ Authorized Users Only! $

Configure and activate the G0/0/1 interface on the router using the information in the Addressing Table.

Router(config)# interface g0/0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end

Save the running configuration to the startup configuration file.

Router# copy running-config startup-config


Step 4: Configure PC-A.

Configure PC-A with an IP address and subnet mask.

Configure a default gateway for PC-A.

Step 5: Verify network connectivity.

Ping R1 from PC-A. If the ping fails, troubleshoot the connection.


Part 2: Configure the Router for SSH Access

Using Telnet to connect to a network device is a security risk because all information is transmitted in clear text. SSH encrypts the session data and provides device authentication, which is why it is recommended for remote connections. In Part 2, you will configure the router to accept SSH connections over the VTY lines.

Step 1: Configure device authentication.

The device name and domain name are used as part of the crypto key when it is generated, so these names must be entered before the crypto key command is issued.


Configure the device name.

Router(config)# hostname R1

Configure the domain name for the device.

R1(config)# ip domain-name ccna-lab.com


Step 2: Configure the encryption key method.

R1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R1.ccna-lab.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)#
*Jan 28 21:09:29.867: %SSH-5-ENABLED: SSH 1.99 has been enabled


Step 3: Configure a local database username.

Configure a username using admin as the username and Adm1nP@55 as the password.

R1(config)# username admin secret Adm1nP@55

Step 4: Enable SSH on the VTY lines.

Enable Telnet and SSH on the inbound VTY lines using the transport input command.

R1(config)# line vty 0 4
R1(config-line)# transport input telnet ssh

Change the login method to use the local database for user verification.

R1(config-line)# login local
R1(config-line)# end

Step 5: Save the running configuration to the startup configuration file.

R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

Step 6: Establish an SSH connection to the router.

Start Tera Term on PC-A.

Establish an SSH session to R1. Use the username admin and the password Adm1nP@55. You should be able to establish an SSH session with R1.


Part 3: Configure the Switch for SSH Access

In Part 3, you will configure the switch to accept SSH connections, and then establish an SSH session to it using Tera Term.


Step 1: Configure the basic settings on the switch.

Console into the switch and enable privileged EXEC mode.

Switch> enable

Enter configuration mode.

Switch# configure terminal

Disable DNS lookup to prevent the switch from attempting to translate incorrectly entered commands as though they were host names.

Switch(config)# no ip domain-lookup

Assign class as the privileged EXEC encrypted password.

Switch(config)# enable secret class

Assign cisco as the console password and enable login.

Switch(config)# line console 0
Switch(config-line)# password cisco
Switch(config-line)# login

Assign cisco as the VTY password and enable login.

Switch(config)# line vty 0 15
Switch(config-line)# password cisco
Switch(config-line)# login

Encrypt the plaintext passwords.

Switch(config)# service password-encryption

Create a banner that warns anyone accessing the device that unauthorized access is prohibited.

Switch(config)# banner motd $ Authorized Users Only! $

Configure and activate the VLAN 1 interface on the switch according to the Addressing Table.

Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.11 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# end

Save the running configuration to the startup configuration file.

Switch# copy running-config startup-config


Step 2: Configure the switch for SSH connectivity.

Use the same commands that you used to configure SSH on the router in Part 2 to configure SSH for the switch.

Configure the device name as listed in the Addressing Table.

Switch(config)# hostname S1

Configure the domain name for the device.

S1(config)# ip domain-name ccna-lab.com

Configure the encryption key method.

S1(config)# crypto key generate rsa modulus 1024

Configure a local database username.

S1(config)# username admin secret Adm1nP@55

Enable Telnet and SSH on the VTY lines.

S1(config)# line vty 0 15
S1(config-line)# transport input telnet ssh

Change the login method to use the local database for user verification.

S1(config-line)# login local
S1(config-line)# end


Step 3: Establish an SSH connection to the switch.

Start Tera Term from PC-A, and then SSH to the SVI interface on S1.

Are you able to establish an SSH session with the switch?

Yes. SSH can be configured on a switch using the same commands as on a router.
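As an added example (it is not part of the lab and not a Cisco tool), the following Python script reads a running-config in the same format as the final device configs at the end of this page and reports whether the VTY lines still accept Telnet, whether SSH is restricted to version 2, and whether login local is backed by a local username with a hashed secret. The config text is a constructed excerpt of the R1 final config; ip ssh version 2 is a standard IOS command that this lab does not use.

```python
# Constructed excerpt of the R1 final config shown at the end of this lab.
R1_CONFIG = """\
service password-encryption
hostname R1
ip domain name ccna-lab.com
username admin secret 5 $1$jamS$qnpkPO7Cr9pSdQxO7nSuQ.
line con 0
 login
line vty 0 4
 password 7 01100F175804
 login local
 transport input telnet ssh
end
"""
# Same device with the two changes the audit asks for (constructed as well).
HARDENED_CONFIG = "ip ssh version 2\n" + R1_CONFIG.replace("transport input telnet ssh", "transport input ssh")

def parse_config(config):
    """Split a config into global commands and {'vty 0 4': [sub-commands]} line stanzas."""
    globals_, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:  # indented: inside the open 'line' stanza
            stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, stanzas

def audit_ssh(config):
    """Return findings; an empty list means every VTY line is SSHv2-only with local-user login."""
    globals_, stanzas = parse_config(config)
    findings = []
    if not any(g.startswith("username ") and " secret " in g for g in globals_):
        findings.append("global: no local user with a hashed secret for 'login local' to check")
    if "ip ssh version 2" not in globals_:
        findings.append("global: SSH 1.99 (v1 and v2) accepted; add 'ip ssh version 2'")
    for name, cmds in stanzas.items():
        if not name.startswith("vty"):
            continue  # console and aux lines are not reachable over the network
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or set(transport.split()[2:]) != {"ssh"}:
            findings.append(f"line {name}: {transport or 'transport input not set'}; use 'transport input ssh'")
        if "login local" not in cmds:
            findings.append(f"line {name}: 'login local' missing, so local usernames are not checked")
    return findings
```

Run against the R1 excerpt the audit reports that Telnet is still accepted on vty 0 4 and that both SSH versions are enabled; the hardened variant produces no findings.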


Part 4: SSH from the CLI on the Switch

The SSH client is built into the Cisco IOS and can be run from the CLI. In Part 4, you will SSH to the router from the CLI on the switch.

Step 1: View the parameters available for the Cisco IOS SSH client.


Use the question mark (?) to display the parameter options available with the ssh command.

S1# ssh ?
  -c     Select encryption algorithm
  -l     Log in using this user name
  -m     Select HMAC algorithm
  -o     Specify options
  -p     Connect to this port
  -v     Specify SSH Protocol Version
  -vrf   Specify vrf name
  WORD   IP address or hostname of a remote system


Step 2: SSH from S1 to R1.

You must use the -l admin option when you SSH to R1. This allows you to log in as the user admin. When prompted, enter Adm1nP@55 for the password.

S1# ssh -l admin 192.168.1.1
Password:

Authorized Users Only!

R1>

You can return to S1 without closing the SSH session to R1 by pressing Ctrl+Shift+6. Release Ctrl+Shift+6 and press x. The switch privileged EXEC prompt is displayed.

R1>
S1#

To return to the SSH session on R1, press Enter on the blank CLI line. You may need to press Enter a second time to see the router CLI prompt.

S1#
[Resuming connection 1 to 192.168.1.1 ... ]

R1>

To end the SSH session on R1, type exit at the router prompt.

R1> exit

[Connection to 192.168.1.1 closed by foreign host]
S1#


What versions of SSH are supported from the CLI?

Answers will vary. This can be determined by using the ssh -v ? command. The 2960 switch running IOS version 15.0(2) supports SSH versions 1 and 2.

S1# ssh -v ?
  1  Protocol Version 1
  2  Protocol Version 2


Reflection Question

How would you provide multiple users, each with their own username, access to a network device?

Answers will vary. You would add each user's username and password to the local database with the username command. It is also possible to use a RADIUS or TACACS server, but that has not been covered yet.

Router Interface Summary Table

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many interfaces the router has. There is no way to effectively list all the combinations of configurations for each router class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device. The table does not include any other type of interface, even though a specific router may contain one. An example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be used in Cisco IOS commands to represent the interface.




Device Configs – Final

Router R1

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$GCE/$FYYjEAZLjxgbowhYaGm430
!
no aaa new-model
!
no ip domain lookup
ip domain name ccna-lab.com
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin secret 5 $1$jamS$qnpkPO7Cr9pSdQxO7nSuQ.
!
redundancy
 mode none
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 negotiation auto
!
interface Serial0/1/0
 no ip address
!
interface Serial0/1/1
 no ip address
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
control-plane
!
banner motd ^C Authorized Users Only ^C
!
line con 0
 password 7 094F471A1A0A
 logging synchronous
 login
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 01100F175804
 login local
 transport input telnet ssh
!
end


Switch S1

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qwAh$PG.EaIxZQgvrgZtc40Xka0
!
username admin secret 5 $1$vE96$6FO83f1rHurSYktgg2l720
!
no aaa new-model
system mtu routing 1500
no ip domain-lookup
ip domain-name ccna-lab.com
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
 shutdown
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
 shutdown
!
interface FastEthernet0/8
 shutdown
!
interface FastEthernet0/9
 shutdown
!
interface FastEthernet0/10
 shutdown
!
interface FastEthernet0/11
 shutdown
!
interface FastEthernet0/12
 shutdown
!
interface FastEthernet0/13
 shutdown
!
interface FastEthernet0/14
 shutdown
!
interface FastEthernet0/15
 shutdown
!
interface FastEthernet0/16
 shutdown
!
interface FastEthernet0/17
 shutdown
!
interface FastEthernet0/18
 shutdown
!
interface FastEthernet0/19
 shutdown
!
interface FastEthernet0/20
 shutdown
!
interface FastEthernet0/21
 shutdown
!
interface FastEthernet0/22
 shutdown
!
interface FastEthernet0/23
 shutdown
!
interface FastEthernet0/24
 shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 192.168.1.11 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
banner motd ^C Authorized Users Only ^C
!
line con 0
 password 7 00071A150754
 logging synchronous
 login
line vty 0 4
 password 7 00071A150754
 login local
 transport input telnet ssh
line vty 5 15
 login
!
end
