
What is Secure Shell (SSH)? How do you configure Secure Shell on a Cisco router and switch?

Secure Shell (SSH) does the same job as Telnet: it lets a user log in to a device remotely and manage it. The difference is that with SSH the whole session between the user and the remote device is encrypted, including the username and password.

 

  • Secure Shell (SSH) is a client-server protocol. The SSH client is typically a PC, and the SSH server is the remote device, such as a router, switch, or firewall. Once the connection is established, a network admin can execute commands on that remote device.

 


  • Managing remote devices over Telnet is not a security best practice, because Telnet is unencrypted. The accepted alternative to Telnet is Secure Shell, which, as discussed above, encrypts and secures the session.

 

  • There are two versions of Secure Shell. SSH version 2 is an IETF standard and is the version used in this lab; SSH version 1 is not secure compared with version 2. To set up SSH access to a Cisco device we also need a user account on the remote device.



 

By default, Telnet is enabled, but in a few steps we can configure Secure Shell:

  1. First, make sure the IOS image supports SSH.
  2. Configure a hostname (if one is already configured, that is fine; otherwise configure it now).
  3. Configure a domain name (again, only if one is not already configured).
  4. Configure a local user account for client authentication.
  5. Have the server (router, switch, or firewall) generate the RSA (Rivest-Shamir-Adleman) key.
  6. Configure the SSH version.
  7. Enable SSH on the VTY lines.

Let's see the topology:

Topology:


Goal:

  • Configure the topology as per the diagram.
  • Configure username cisco and password cisco321 on both SSH servers.
  • Assign IP addresses to their interfaces.
  • Configure the domain name internetworks.
  • Configure a 1024-bit SSH (RSA) key on both SSH servers.
  • Configure the default gateway 192.168.10.1.
  • Configure the VLAN interface address 192.168.10.100/24.
  • Make sure the PCs get full remote access to our router and switch.



ROUTER_1 configuration:

Router(config)#hostname ROUTER_1
ROUTER_1(config)#username cisco privilege 15 password cisco321
ROUTER_1(config)#ip domain-name internetworks
ROUTER_1(config)#crypto key generate rsa
The name for the keys will be: ROUTER_1.internetworks
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

ROUTER_1(config)#line vty 0 4
*Mar 1 0:18:13.680: %SSH-5-ENABLED: SSH 1.99 has been enabled
ROUTER_1(config-line)#login local
ROUTER_1(config-line)#transport input ssh
ROUTER_1(config-line)#exit
ROUTER_1(config)#interface gigabitEthernet 0/0
ROUTER_1(config-if)#ip address 192.168.10.1 255.255.255.0
ROUTER_1(config-if)#no shutdown
ROUTER_1(config-if)#exit




SWITCH-1 configuration:

Switch(config)#hostname SWITCH-1
SWITCH-1(config)#username cisco privilege 15 password cisco321
SWITCH-1(config)#ip domain-name internetworks
SWITCH-1(config)#crypto key generate rsa general-key modulus 1024
The name for the keys will be: SWITCH-1.internetworks

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 0:26:11.185: %SSH-5-ENABLED: SSH 1.99 has been enabled
SWITCH-1(config)#line vty 0 4
SWITCH-1(config-line)#login local
SWITCH-1(config-line)#transport input all
SWITCH-1(config-line)#exit
SWITCH-1(config)#interface vlan 1
SWITCH-1(config-if)#ip address 192.168.10.100 255.255.255.0
SWITCH-1(config-if)#no shutdown
SWITCH-1(config-if)#exit
SWITCH-1(config)#end

%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
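A way to verify that a saved running-config actually reflects the seven steps above, as an added example that is not part of the original post or of Cisco IOS: this Python script parses an IOS-style configuration and checks the hostname, domain name, local user, the VTY settings, and `ip ssh version 2` (the IOS command for step 6, which neither session above enters, which is why the log reports `SSH 1.99` rather than version 2 only). The sample config is constructed from the SWITCH-1 session, so it keeps `transport input all`, which still admits Telnet, and the audit flags it; steps 1 and 5 (IOS support and the RSA key) are not visible in a running-config and are not checked.

```python
import re

# Constructed sample running-config modelled on the article's SWITCH-1 session (not a
# real capture). It keeps "transport input all" and lacks "ip ssh version 2" on purpose.
SAMPLE_CONFIG = """\
hostname SWITCH-1
username cisco privilege 15 password cisco321
ip domain-name internetworks
interface Vlan1
 ip address 192.168.10.100 255.255.255.0
line vty 0 4
 login local
 transport input all
"""

def parse_vty_blocks(config):
    """Return the indented child lines of every 'line vty ...' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.startswith(" "):        # any top-level line closes a block
            current = None
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
    return blocks

def audit_ssh_config(config):
    """Map each SSH prerequisite from the article to True (pass) or False (fail)."""
    def top(pattern):                      # match a top-level (unindented) statement
        return bool(re.search(pattern, config, re.M))
    vty = parse_vty_blocks(config)
    return {
        "hostname_set":    top(r"^hostname \S+"),
        "domain_name_set": top(r"^ip domain[- ]name \S+"),
        "local_user_set":  top(r"^username \S+ .*(password|secret) \S+"),
        "ssh_version_2":   top(r"^ip ssh version 2\s*$"),
        # every VTY block must use the local user database and accept SSH only ("all" admits Telnet)
        "vty_login_local": bool(vty) and all("login local" in b for b in vty),
        "vty_ssh_only":    bool(vty) and all("transport input ssh" in b for b in vty),
    }

def failed_checks(config):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok in audit_ssh_config(config).items() if not ok]

if __name__ == "__main__":
    for name, ok in audit_ssh_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against `show running-config` output saved to a file, the same checks apply unchanged; for the constructed sample the two failing checks are `ssh_version_2` and `vty_ssh_only`.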



(Now we need to configure the IP address on PC1.)

(After clicking on X, scroll down and click on Telnet/SSH Client.)

(After clicking on Telnet/SSH Client, a new window pops up.)

(Now enter the hostname or IP address, which is 192.168.10.100 for the switch or 192.168.10.1 for the router, then the username cisco for both, and after that the password cisco321.)




















I hope you liked this article. Thank you so much for reading.




