Console Port Security:
By default, no password is needed when accessing via console port.
You can configure a password on the console line:
R1(config)#line console 0
^There is only one line, so number is always 0
R1(config-line)#password ccna
^Set the password
R1(config-line)#login
^Tells the device to require the password on the line
Alternative: Tell device to require usernames instead of a shared password
R1(config)#username smith secret Sammywich
^Creates a user named 'smith' with password 'Sammywich'. The 'secret' keyword stores a hash in the config; 'username smith password ...' would store it in the clear.
R1(config)#line console 0
^Same as previous config, switch over to the console line
R1(config-line)#login local
^Configure the line to require a username and password from the local user database instead of the shared line password
Assign an IP address to a Layer-2 switch:
Q) Since switches are layer 2, how can we SSH to them?
A) Create a switch virtual interface (SVI) and assign the SVI an IP address. You'll also need to define a default gateway so the switch can reply to management sessions coming from other subnets.
SW1(config)#interface vlan1
^Define the SVI
SW1(config-if)#ip address 192.168.1.253 255.255.255.0
^Assign an IP address to the SVI
SW1(config-if)#no shutdown
^Turn on the interface
SW1(config-if)#exit
SW1(config)#ip default-gateway 192.168.1.254
^Configure a default gateway for the switch
Telnet Config:
We are unlikely to enable Telnet (it carries the login and everything after it in cleartext), but the line configuration is almost identical to SSH, so it is worth looking at.
SW1(config)#enable secret ccna
^Require a password to access privileged exec mode. If we don't do this, we can't get to it via Telnet/SSH.
SW1(config)#username smith secret Sammywich
^Define a local username
SW1(config)#access-list 1 permit host 192.168.2.1
^Create a standard ACL that we will later apply to the VTY lines, so that only one source address (192.168.2.1) can open a management session
SW1(config)#line vty 0 15
^Instead of configuring a single console line, this time we are configuring Virtual TeleType lines 0 through 15 (all of them).
SW1(config-line)#login local
^Require the use of locally defined usernames
SW1(config-line)#exec-timeout 5 0
^Define an inactivity timer of 5 minutes 0 seconds. After this, your session gets disconnected.
SW1(config-line)#transport input telnet
^Restrict these lines to telnet only. No SSH or RLogin.
Other options:
transport input telnet - Only Telnet
transport input ssh - Only SSH
transport input telnet ssh - Both
transport input all - All connections (including telnet, SSH, Rlogin, and more)
transport input none - Nope, nada
SW1(config-line)#access-class 1 in
^Apply ACL 1 to sessions coming in to these lines. On a line the command is 'access-class' (not the 'ip access-group' used on interfaces); it filters connections to the device itself, not transit traffic.
SSH Config:
Use v2, not v1.
"v1.99" = Supports both v1 and v2. This is what 'show ip ssh' reports when both are enabled, and it means a client can still negotiate v1 until you pin v2 with 'ip ssh version 2'.
Telnet = TCP port 23
SSH = TCP port 22
You will need an RSA key of at least 768 bits for SSH v2. That is only the floor IOS enforces; 768-bit RSA was publicly factored back in 2009, so use 2048 bits or more.
Before proceeding, define the hostname and domain name.
Switch>en
Switch#conf t
Switch(config)#hostname SW1
^Configure the device's hostname
SW1(config)#ip domain name jeremysitlab.com
^Configure the device's domain name
SW1(config)#crypto key generate rsa
^This generates the RSA public and private key pair that SSH will use. Jeremy uses 2048 as the number of bits in the modulus. Don't accept the [512] default, because we know it needs to be at least 768 (and should be 2048 or more).
Instead of interactively choosing the modulus length, maybe use this command:
SW1(config)#crypto key generate rsa modulus 2048
(Some countries may need to use smaller modulus lengths due to USA's encryption laws.)
The next 3 commands are the same as for Telnet (above), except that 'Telnet' becomes 'SSH':
SW1(config)#enable secret ccna
^Require a password to access privileged exec mode. If we don't do this, we can't get to it via Telnet/SSH.
SW1(config)#username smith secret Sammywich
^Define a local username
SW1(config)#access-list 1 permit host 192.168.2.1
^Create a standard ACL that we will later apply to the VTY lines, so that only one source address (192.168.2.1) can open an SSH session
SW1(config)#ip ssh version 2
^Configure for SSH v2
The next 5 commands are the same as for Telnet, except that 'transport input' now allows only SSH:
SW1(config)#line vty 0 15
^Instead of configuring a single console line, this time we are configuring Virtual TeleType lines 0 through 15 (all of them).
SW1(config-line)#login local
^Require the use of locally defined usernames
SW1(config-line)#exec-timeout 5 0
^Define an inactivity timer of 5 minutes 0 seconds. After this, your session gets disconnected.
SW1(config-line)#transport input ssh
^Restrict these lines to ssh only (no telnet).
SW1(config-line)#access-class 1 in
^Apply ACL 1 to sessions coming in to these lines. On a line the command is 'access-class' (not the 'ip access-group' used on interfaces); it filters connections to the device itself, not transit traffic.
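To make the console, Telnet and SSH sections above checkable rather than just memorised, here is an added example (my own code, not from Jeremy's course and not a Cisco tool) that parses a running-config and reports every place it falls short of the hardening described above: enable secret, local usernames with hashed secrets, 'login local' on every line, an explicit exec-timeout, 'transport input ssh' and an inbound 'access-class' on the VTYs, and 'ip ssh version 2'. It also decodes the SSH identification string a device sends on TCP 22, where "1.99" means both v1 and v2 are accepted. Both config texts and the banner strings are constructed for illustration; the username/enable hashes are placeholders.

```python
"""Audit a Cisco IOS running-config against the management-plane hardening
in these notes. Added example, not course or vendor code."""
import re

# Constructed sample: Telnet still allowed, no idle timer, shared console password.
WEAK_CONFIG = """\
hostname SW1
ip domain name jeremysitlab.com
username smith secret 5 $1$abcd$PLACEHOLDERHASH
access-list 1 permit 192.168.2.1
line con 0
 password ccna
 login
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input all
"""

# Constructed sample: the configuration the notes end up with.
HARDENED_CONFIG = """\
hostname SW1
ip domain name jeremysitlab.com
enable secret 5 $1$abcd$PLACEHOLDERHASH
username smith secret 5 $1$abcd$PLACEHOLDERHASH
access-list 1 permit 192.168.2.1
ip ssh version 2
line con 0
 login local
 exec-timeout 5 0
line vty 0 15
 login local
 exec-timeout 5 0
 transport input ssh
 access-class 1 in
"""

LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")


def parse_config(text):
    """Split an IOS config into top-level commands and per-line sub-commands,
    keyed like 'con 0' or 'vty 0 15' (indented commands belong to the line above)."""
    top, lines, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                lines[current].append(raw.strip())
            continue
        cmd = raw.rstrip()
        if LINE_RE.match(cmd):
            current = cmd[len("line "):]
            lines.setdefault(current, [])
        else:
            current = None
            top.append(cmd)
    return top, lines


def audit(text):
    """Return a list of findings; an empty list means the config matches the notes."""
    top, lines = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("global: no 'enable secret' (privileged EXEC unreachable from a VTY)")
    if "ip ssh version 2" not in top:
        findings.append("global: no 'ip ssh version 2' (device will also negotiate SSHv1)")
    if not any(c.startswith("username ") and " secret " in c for c in top):
        findings.append("global: no local username with a hashed 'secret'")
    for key, cmds in lines.items():
        tag = f"line {key}"
        if "login local" not in cmds:
            what = "shared line password ('login')" if "login" in cmds else "no 'login local'"
            findings.append(f"{tag}: {what} instead of local usernames")
        timeouts = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeouts:
            findings.append(f"{tag}: no explicit 'exec-timeout'")
        else:
            mins, secs = (timeouts[-1].split() + ["0"])[1:3]   # 'exec-timeout 5' means 5 0
            if int(mins) == 0 and int(secs) == 0:
                findings.append(f"{tag}: 'exec-timeout 0 0' disables the idle timer")
        if key.startswith("vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            allowed = transports[-1].split()[2:] if transports else ["(platform default)"]
            if allowed != ["ssh"]:
                findings.append(f"{tag}: 'transport input' is {' '.join(allowed)}, expected ssh only")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                findings.append(f"{tag}: no inbound 'access-class' limiting source addresses")
    return findings


def ssh_versions_from_banner(banner):
    """Protocol versions advertised by an SSH identification string such as
    'SSH-2.0-...' ; per RFC 4253 a server that speaks both v1 and v2 sends '1.99'."""
    m = re.match(r"^SSH-(\d+)\.(\d+)-", banner)
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return {1, 2} if (major, minor) == (1, 99) else {major}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
    print(ssh_versions_from_banner("SSH-1.99-Cisco-1.25"))   # constructed banner
```

Run it as a script to see the ten findings on the weak config and none on the hardened one. The parser only understands the line types the notes use (con, aux, vty); paste the output of 'show running-config' into the WEAK_CONFIG slot to try it on a real device.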
[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]