File exercises-cisco-config.txt, 5.8 KB (added by admin, 6 years ago)

Cisco Config Elements
=====================

Notes:
------
* Commands preceded with "$" imply that you should execute the command as
  a general user - not as root.
* Commands preceded with "#" imply that you should be working as root.
* Commands with more specific command lines (e.g. "rtr>" or "mysql>")
  imply that you are executing commands on remote equipment, or within
  another program.
* If a command line ends with "\" this indicates that the command continues
  on the next line and you should treat this as a single line.

Exercises Part I
================

0. Work in a group
------------------

For this exercise you need to work in groups. Assign one person to type on
the keyboard. There should be 4 people in a group. For instance, members of
Group 1 are those on pc1-pc4, Group 2 use pc5-pc8, Group 3 use pc9-pc12, etc.

If you are unsure of what group you are in refer to the Network Diagram on the
classroom wiki by going to http://noc.ws.nsrc.org/ and clicking on the Network
Diagram link.

1. Connect to your router
-------------------------

Log in to your vm/pc image and install Telnet:

        $ sudo apt-get install telnet

If it is already installed that is fine.

Now connect to the router in your group:

        $ telnet 10.10.N.254

        username: cisco
        password: cisco

Display information about your router:

        RouterN> enable
        Password:                                       (default pw "cisco")
        RouterN# show run                               (space to continue)
        RouterN# show int FastEthernet0/0
        RouterN# show ?                                 (lists all options)
        RouterN# exit                                   (log off router)


2. Configure your router to only use SSH
----------------------------------------

These steps will do the following:

        * Create an ssh key for your router
        * Create an encrypted password for the user cisco
        * Encrypt the enable password (cisco)
        * Turn off telnet (unencrypted) access to your router
        * Turn on SSH (version 2) access to your router

You need to work in groups of 4. Get together with the members of your router
group and assign one person to enter commands. To start, connect to one of the
PCs in use by your group. From that PC image telnet to your router:

        $ telnet rtrN.ws.nsrc.org       (or "telnet 10.10.N.254")

        username: cisco
        password: cisco

        rtrN> enable                                            (en)
        password: cisco
        rtrN# configure terminal                                (conf t)
        rtrN(config)# aaa new-model
        rtrN(config)# ip domain-name ws.nsrc.org
        rtrN(config)# crypto key generate rsa

        How many bits in the modulus [512]: 2048

Wait for the key to generate. You can now specify passwords and they will be
encrypted. First let's remove our cisco user temporarily, then we'll recreate
the user:

        rtrN(config)# no username cisco
        rtrN(config)# username cisco secret 0 <CLASS PASSWORD>

Now the cisco user's password (<CLASS PASSWORD>) is stored encrypted. Next let's
encrypt the enable password as well:

        rtrN(config)# enable secret 0 <CLASS PASSWORD>

Now we'll tell our router to only allow SSH connections on the 8 defined
consoles (vty 0 through 7):

        rtrN(config)# line vty 0 7
        rtrN(config-line)# transport input ssh
        rtrN(config-line)# exit

This drops us out of the "line" configuration mode and back into the general
configuration mode. Now we'll tell the router to log SSH-related events and to
only allow SSH version 2 connections:

        rtrN(config)# ip ssh logging events
        rtrN(config)# ip ssh version 2

Now exit from configuration mode:

        rtrN(config)# exit

And write these changes to the router's permanent configuration:

        rtrN# write memory                              (wr mem)

Ok. That's it. You can no longer use telnet to connect to your router. You must
connect using SSH with the user "cisco" and password <CLASS PASSWORD>. The enable
password is also "cisco" - naturally in a real-world situation you would use much
more secure passwords.

Before you exit your Telnet session be sure to test ssh connectivity from another
PC in your group (or open another terminal window). Do this in case you made a
mistake, to avoid locking yourself out of your router.

First, try connecting again with telnet:

        $ telnet rtrN.ws.nsrc.org

What happens? You should see something like:

        Trying 10.10.N.254...
        telnet: Unable to connect to remote host: Connection refused

Now try connecting with SSH:

        $ ssh cisco@rtrN.ws.nsrc.org

You should see something similar to this:

        The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be
        established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e:
        4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting
        (yes/no)?

Enter "yes" and press ENTER to continue...

Now you'll see the following:

        Password: <CLASS PASSWORD>
        rtrN>

Type "enable" to allow us to execute privileged commands:

        rtrN> enable
        Password: <CLASS PASSWORD>
        rtrN#

Now let's view the current router configuration:

        rtrN# show running                                      (sh run)

Press the space bar to continue. Note some of the entries like:

        enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
        .
        .
        .
        username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
        .
        .
        .
        line vty 0 7
         exec-timeout 0 0
         transport input ssh

You can see that both the enable password and the password for the user cisco
have been encrypted: the "5" after "secret" marks a salted MD5 hash of the
password, so the password itself never appears in the configuration. This is a
good thing.

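The settings applied in section 2 and the entries highlighted in this "show running" excerpt can be checked mechanically rather than by eye. The audit script below is an added example and is not part of the original exercise: it splits a saved copy of the running configuration into sections (IOS indents sub-commands of "line", "interface" and so on by one space) and reports which of the exercise's settings are missing. Both embedded configurations are constructed samples; the hardened one reuses the two hashes printed above, the weak one shows the defaults the exercise removes.

```python
"""Audit a saved 'show running' for the SSH-only settings this exercise applies.
Added example, not part of the original exercise; both sample configs below are
constructed (the hashes in the hardened one are the ones printed on the page)."""
import re

# Constructed sample of what 'show running' should contain after the exercise.
HARDENED_CONFIG = """\
!
aaa new-model
!
enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs.
!
username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1
!
ip domain-name ws.nsrc.org
ip ssh logging events
ip ssh version 2
!
line con 0
line vty 0 7
 exec-timeout 0 0
 transport input ssh
!
end
"""

# Constructed sample of a router still carrying the defaults the exercise removes.
WEAK_CONFIG = """\
!
enable password cisco
!
username cisco password 0 cisco
!
line vty 0 4
 password cisco
 transport input telnet ssh
!
end
"""


def parse_sections(config):
    """Group a running-config into {top-level command: [indented sub-commands]}.

    IOS marks the sub-commands of 'line', 'interface', ... with a leading space,
    so a one-space indent is enough to tell a child from the next section.
    """
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return {check name: passed?} for the settings the exercise applies."""
    sections = parse_sections(config)
    top = list(sections)
    users = [l for l in top if l.startswith("username ")]
    vtys = [l for l in top if l.startswith("line vty")]
    return {
        # aaa new-model makes the vty lines authenticate against local usernames
        "aaa_new_model": "aaa new-model" in top,
        # crypto key generate rsa needs a domain name to label the key
        "domain_name_set": any(l.startswith("ip domain-name ") for l in top),
        # 'enable secret' stores a hash; 'enable password' does not
        "enable_secret": any(re.match(r"enable secret \d+ \S", l) for l in top),
        "no_enable_password": not any(l.startswith("enable password ") for l in top),
        # every local user must be defined with 'secret', never 'password'
        "user_secret_only": bool(users) and all(" secret " in l for l in users),
        "ssh_version_2": "ip ssh version 2" in top,
        # every vty block must restrict its transport to ssh alone
        "vty_ssh_only": bool(vtys)
        and all("transport input ssh" in sections[v] for v in vtys),
    }


def failed_checks(config):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, "->", failed_checks(cfg) or "all checks pass")
```

To use it on the classroom router, capture the output of "show running" into a file on your PC and pass its contents to `failed_checks()`. Real output often splits the vty lines into several blocks (for example "line vty 0 4" followed by "line vty 5 15"); the check deliberately requires every block to carry "transport input ssh", since a single block left at its default would still accept telnet.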
Now you should exit the router interface to complete this exercise:

        rtrN# exit

And, if you still have your older Telnet session in another window be sure to exit
from that as well.

NOTES
-----

1.) If you are locked out of your router after this exercise let your
    instructor know and they can reset your router's configuration back to its
    original state.
2.) Please only do this exercise once. If multiple people do this exercise
    it's very likely that access to the router will be broken.
3.) During the week you will configure items such as SNMP, Netflow and more on
    your group's router. From now on you can simply connect to the router
    directly from your laptop or desktop machine using SSH.