| 1 | Cisco Config Elements |
|---|
| 2 | ===================== |
|---|
| 3 | |
|---|
| 4 | Notes: |
|---|
| 5 | ------ |
|---|
| 6 | * Commands preceded with "$" imply that you should execute the command as |
|---|
| 7 | a general user - not as root. |
|---|
| 8 | * Commands preceded with "#" imply that you should be working as root. |
|---|
| 9 | * Commands with more specific command lines (e.g. "rtr>" or "mysql>") |
|---|
| 10 | imply that you are executing commands on remote equipment, or within |
|---|
| 11 | another program. |
|---|
| 12 | * If a command line ends with "\" this indicates that the command continues |
|---|
| 13 | on the next line and you should treat this as a single line. |
|---|
| 14 | |
|---|
| 15 | Exercises Part I |
|---|
| 16 | ================ |
|---|
| 17 | |
|---|
| 18 | 0. Work in a group |
|---|
| 19 | ------------------ |
|---|
| 20 | |
|---|
| 21 | For this exercise you need to work in groups. Assign one person to type on |
|---|
| 22 | the keyboard. There should be 4 people in group. For instance, members of |
|---|
| 23 | Group 1 are those on pc1-pc4, Group 2 use pc5-pc8, Group 3 use pc9-12, etc⊠|
|---|
| 24 | |
|---|
| 25 | If you are unsure of what group you are in refer to the Network Diagram on the |
|---|
| 26 | classroom wiki by going to http://noc.ws.nsrc.org/ and clicking on the Network |
|---|
| 27 | Diagram link. |
|---|
| 28 | |
|---|
| 29 | 1. Connect to your router |
|---|
| 30 | ------------------------- |
|---|
| 31 | |
|---|
| 32 | Log in to your vm/pc image and install Telnet: |
|---|
| 33 | |
|---|
| 34 | $ sudo apt-get install telnet |
|---|
| 35 | |
|---|
| 36 | If it is already installed that is fine. |
|---|
| 37 | |
|---|
| 38 | Now connect to the router in your group: |
|---|
| 39 | |
|---|
| 40 | $ telnet 10.10.N.254 |
|---|
| 41 | |
|---|
| 42 | username: cisco |
|---|
| 43 | password: cisco |
|---|
| 44 | |
|---|
| 45 | Display information about your router |
|---|
| 46 | |
|---|
| 47 | routerN>enable |
|---|
| 48 | Password: (default pw "cisco") |
|---|
| 49 | RouterN#show run (space to continue) |
|---|
| 50 | RouterN#show int FastEthernet0/0 |
|---|
| 51 | RouterN#show ? (lists all options) |
|---|
| 52 | RouterN#exit (log off router) |
|---|
| 53 | |
|---|
| 54 | |
|---|
| 55 | 2. Configure your router to only use SSH |
|---|
| 56 | ---------------------------------------- |
|---|
| 57 | |
|---|
| 58 | These steps will do the following: |
|---|
| 59 | |
|---|
| 60 | * Create an ssh key for your router |
|---|
| 61 | * Create an encrypted password for the user cisco |
|---|
| 62 | * Encrypt the enable password (cisco) |
|---|
| 63 | * Turn off telnet (unencrypted) access to your router |
|---|
| 64 | * Turn on SSH (version 2) access to your router |
|---|
| 65 | |
|---|
| 66 | You need to work in groups of 4. Get together with the members of your router |
|---|
| 67 | group and assign one person to enter commands. To start connect to one of the |
|---|
| 68 | PCs in use by your group. From that PC image telnet to your router: |
|---|
| 69 | |
|---|
| 70 | $ telnet rtrN.ws.nsrc.org (or "telnet 10.10.N.254") |
|---|
| 71 | |
|---|
| 72 | username: cisco |
|---|
| 73 | password: cisco |
|---|
| 74 | |
|---|
| 75 | rtrN> enable (en) |
|---|
| 76 | password: cisco |
|---|
| 77 | rtrN# configure terminal (conf t) |
|---|
| 78 | rtrN(config)# aaa new-model |
|---|
| 79 | rtrN(config)# ip domain-name ws.nsrc.org |
|---|
| 80 | rtrN(config)# crypto key generate rsa |
|---|
| 81 | |
|---|
| 82 | How many bits in the modulus [512]: 2048 |
|---|
| 83 | |
|---|
| 84 | Wait for the key to generate. You can now specify passwords and they will be |
|---|
| 85 | encrypted. First let's remove our cisco user temporarily, then we'll recreate |
|---|
| 86 | the user: |
|---|
| 87 | |
|---|
| 88 | rtrN(config)# no username cisco |
|---|
| 89 | rtrN(config)# username cisco secret 0 <CLASS PASSWORD> |
|---|
| 90 | |
|---|
| 91 | Now the cisco user's password (of <CLASS PASSWORD>) is encrypted. Next let's encrypt |
|---|
| 92 | the enable password as well: |
|---|
| 93 | |
|---|
| 94 | rtrN(config)# enable secret 0 <CLASS PASSWORD> |
|---|
| 95 | |
|---|
| 96 | Now we'll tell our router to only allow SSH connections on the 8 defined |
|---|
| 97 | consoles (vty 0 through 7): |
|---|
| 98 | |
|---|
| 99 | rtrN(config)# line vty 0 8 |
|---|
| 100 | rtrN(config-line)# transport input ssh |
|---|
| 101 | rtrN(config-line)# exit |
|---|
| 102 | |
|---|
| 103 | This drops us out of the "line" configuration mode and back in to the general |
|---|
| 104 | configuration mode. Now we'll tell the router to log SSH-related events and to |
|---|
| 105 | only allow SSH version 2 connections: |
|---|
| 106 | |
|---|
| 107 | rtrN(config)# ip ssh logging events |
|---|
| 108 | rtrN(config)# ip ssh version 2 |
|---|
| 109 | |
|---|
| 110 | Now exit from configuration mode: |
|---|
| 111 | |
|---|
| 112 | rtrN(config)# exit |
|---|
| 113 | |
|---|
| 114 | And, write these changes to the routers permament configuration: |
|---|
| 115 | |
|---|
| 116 | rtrN# write memory (wr mem) |
|---|
| 117 | |
|---|
| 118 | Ok. That's it. You can no longer use telnet to connect to your router. You must |
|---|
| 119 | connect using SSH with the user "cisco" and password <CLASS PASSWORD>. The enable password |
|---|
| 120 | is, also, "cisco" - Naturally in a real-world situation you would use much more |
|---|
| 121 | secure passwords. |
|---|
| 122 | |
|---|
| 123 | Before you exit your Telnet session be sure to test ssh connectivity from another PC in your |
|---|
| 124 | group (or, open another terminal window). Do this in case you made a mistake to avoid locking |
|---|
| 125 | yourself out of your router. |
|---|
| 126 | |
|---|
| 127 | First, try connection again with telnet: |
|---|
| 128 | |
|---|
| 129 | $ telnet rtrN.ws.nsrc.org |
|---|
| 130 | |
|---|
| 131 | What happens? You should see something like: |
|---|
| 132 | |
|---|
| 133 | Trying 10.10.N.254... |
|---|
| 134 | telnet: Unable to connect to remote host: Connection refused |
|---|
| 135 | |
|---|
| 136 | Now try connecting with SSH: |
|---|
| 137 | |
|---|
| 138 | $ ssh cisco@rtrN.ws.nsrc.org |
|---|
| 139 | |
|---|
| 140 | You should see something looks similar to this: |
|---|
| 141 | |
|---|
| 142 | The authenticity of host 'rtr2.ws.nsrc.org (10.10.2.254)' can't be |
|---|
| 143 | established. RSA key fingerprint is 93:4c:eb:ad:5c:4a:a6:3e:8b:9e: |
|---|
| 144 | 4f:e4:e2:eb:e4:7f. Are you sure you want to continue connecting |
|---|
| 145 | (yes/no)? |
|---|
| 146 | |
|---|
| 147 | Enter in "yes" and press ENTER to continue... |
|---|
| 148 | |
|---|
| 149 | Now you'll see the follwoing: |
|---|
| 150 | |
|---|
| 151 | Password: <CLASSS PASSWORD> |
|---|
| 152 | rtrN> |
|---|
| 153 | |
|---|
| 154 | Type "enable" to allow us to execute privileged commands: |
|---|
| 155 | |
|---|
| 156 | rtrN> enable |
|---|
| 157 | Password: <CLASS PASSWORD> |
|---|
| 158 | rtrN# |
|---|
| 159 | |
|---|
| 160 | Now let's view the current router configuration: |
|---|
| 161 | |
|---|
| 162 | rtrN# show running (sh run) |
|---|
| 163 | |
|---|
| 164 | Press the space bar to continue. Note some of the entries like: |
|---|
| 165 | |
|---|
| 166 | enable secret 5 $1$p4/E$PnPk6VaF8QoZMhJx56oXs. |
|---|
| 167 | . |
|---|
| 168 | . |
|---|
| 169 | . |
|---|
| 170 | username cisco secret 5 $1$uNg1$M1yscHhYs..upaPP4p8gX1 |
|---|
| 171 | . |
|---|
| 172 | . |
|---|
| 173 | . |
|---|
| 174 | line vty 0 7 |
|---|
| 175 | exec-timeout 0 0 |
|---|
| 176 | transport input ssh |
|---|
| 177 | |
|---|
| 178 | You can see that both the enable password and the password for the user cisco |
|---|
| 179 | have been encrypted. This is a good thing. |
|---|
| 180 | |
|---|
| 181 | Now you should exit the router interface to complete this exercise: |
|---|
| 182 | |
|---|
| 183 | rtrN# exit |
|---|
| 184 | |
|---|
| 185 | And, if you still have your older Telnet session in another window be sure to exit from |
|---|
| 186 | that as well. |
|---|
| 187 | |
|---|
| 188 | NOTES |
|---|
| 189 | ----- |
|---|
| 190 | |
|---|
| 191 | 1.) If you are locked out of your router after this exercise let your |
|---|
| 192 | instructor know and they can reset your router's configuration back to its |
|---|
| 193 | original state. |
|---|
| 194 | 2.) Please only do this exercise once. If multiple people do this exercise |
|---|
| 195 | it's very likely that access to the router will be broken. |
|---|
| 196 | 3.) During the week you will configure items such as SNMP, Netflow and more on |
|---|
| 197 | your group's router. From now on you can simply connect to the router |
|---|
| 198 | directly from your laptop or desktop machine using SSH. |
|---|
