Quickly Enable SSH on a Cisco Router or Switch

Captions
Good afternoon and welcome to another online Cisco tutorial. My name is Don Pezet and today I'm going to give you a quick walkthrough on enabling SSH on a Cisco router or switch. When I get a new piece of Cisco equipment, one of the first things that I do is get it set up to a point where I can remotely connect to it. That way I don't have to work from the console cable while I'm trying to set it up. I don't like to be physically near the equipment; it's noisy and obnoxious, so I try and get the equipment in the server room and me in another office somewhere. Then I can remote in and do the rest of my configuration.

Now, SSH is actually pretty easy to configure. Remember, we want to use SSH to connect to our systems as opposed to Telnet, because Telnet is an unsecure protocol; it's transmitting our data in plaintext. SSH, Secure Shell, on the other hand is going to encrypt all of our data as it's transmitted between our workstation and the router itself. Now a lot of people don't use SSH, and it's a real shame. It does require some extra steps to get it configured, but I'm going to show you right here it can actually be done pretty easily without anything too terribly fancy.

I've got a router right here. This is a Cisco 3725 and it's got IOS 12.4 on it, although you'll find these commands don't really vary between IOS versions, and the same goes for switches; the configuration is actually identical. The only thing we need to be concerned about is, first off, we need to make sure that our IOS image supports the encryption feature set. The easiest way to see whether or not you support encryption is, if you get into your configuration (I'm just going to get into my configuration here) and do a "crypto ?", if you see crypto commands, that lets you know that your router supports cryptography. Or if your IOS file name has a k9 in it, that will let you know that it supports cryptography. We need this for SSH to work. We also need it for VPNs and the secure web services and so forth, those other things you need it for, but we're definitely going to need it here for SSH.

All right, in order for SSH to work, the most important thing it needs is a certificate that it can use for encrypting and decrypting data. We're going to need to create a certificate, but in order to create a certificate we need a valid fully qualified domain name for our router. Now, if we have a real Internet-registered domain name we can use that, or if we're just trying to get this up quick and dirty we can make up whatever we want. I can assign my router a name; I'll give it a host name here of r1. And I can assign it a domain name; I'll give it demo.net. Now I'm sure that's a real domain out there that I don't own, but I'm just going to use it here in the example. It doesn't really matter; nobody's going to see it. So in this case I'll have r1.demo.net as my host name.

Once I've got a host name and a domain name defined, I can now generate a certificate. I'm going to say crypto, which is accessing the cryptography feature set; key, that lets it know that I'm working with a security key; generate, I'm creating a new key; and rsa, I want to use the RSA algorithm. Now, in order to support SSH 1.99 or 2.0 we need a key with a 1024-bit modulus. You'll notice when I go to create this key it defaults to 512. OK, I need to change it to 1024 or I will not get proper SSH support, so I'm going to change that right here. Now, depending on your router, the processor that's inside of it may not be all that great, and so it may take a little while to generate this certificate. This particular router has a very snappy processor, so you'll see it'll generate that certificate pretty fast. As soon as I've got that certificate in place, notice what I just got: SSH 1.99 has been enabled. I'm now running SSH on this router, so the first challenge for getting SSH up and going is now overcome.

All right, now the next thing I need, in order for me to get into this router, is a valid IP address, and this is a brand new non-configured router, so it doesn't actually have an IP address right now. If I do a show ip interface brief, I can see that I've got two interfaces, FastEthernet 0/0 and 0/1, both of which are administratively down. I'm going to go in and add an IP address to FastEthernet 0/0. I'm just going to give it a private address, 172.16.0.1. I'll assign that and I'll do a no shutdown to bring that interface online, so that's going to come up. That's an IP that my computer can see, so that'll be useful. There's my status messages letting me know that the line is up, so we're good there. Now we've got an IP address.

All right, now I mentioned that SSH is enabled by default; it's just not functional until we have the certificate. SSH is functional at this point; I can connect to the router and start to work with it. My biggest problem at this point, the only thing actually stopping me from connecting right now, is that when I SSH in, the router is going to ask me for a username and a password, and so I need to define a username and a password. Well, on a Cisco router we can do that using the username command, so I'll just say username and what I want the name to be; in this case I'll just say admin. So I'm creating a username admin. Now I want the username admin to have full administrative access to this router, so I'm going to give it a privilege level of 15, and then I need to define a password. Now I can define the password one of two ways: using the password command or using the secret command. Remember that the password command is going to store that password in plain text in the config, whereas the secret command will store it as an MD5 hash. I'm going to use the secret command here and give it a password of "password". I'm going really secure here. We can spice it up a little bit like Microsoft does and maybe add some special characters in there. There we go, so I've got an @ symbol and a 0 and a capital P; now we're a little bit more fancy.

All right, so I've got a username. What I'm going to find now is that the router still isn't going to ask me for a username, at least not until I tell it that I want it, when somebody logs into the router, to ask for a username and a password. Cisco routers operate in the old model of authentication by default; that means they just ask for a password and not a username. In order to ask for a username also, I need to put myself in the new model for authentication, and I do that with the command aaa new-model. AAA stands for authentication, authorization and accounting; aaa new-model will make it ask for a username as well as a password.

All right, the only other password that's really useful for me to set at this point is going to be an enable password. When somebody enables, we need a prompt for a password there, so I'm just going to go ahead and say enable secret and I'll specify a password. I'll use that same password; no sense being too secure here in our little lab environment. All right, at this point we're up and going and I should be able to SSH into this router.

There is one other thing that we can do. Technically I've not only enabled SSH, but I've also enabled Telnet at the same time. I may not want to enable Telnet. I can go into my vty lines, my virtual terminal ports, line vty 0 through 4. These are the five virtual lines that are created on all Cisco routers by default that allow people to Telnet and SSH in. On most switches it's 0 through 15; there's actually 16 lines created on most switches, so you'd need to do 0 15 on a switch, 0 4 on a router. I'm going to go into these lines and I'm going to say transport input ssh. That's going to tell it that I only want to allow SSH on my vty ports. If I said transport input ssh telnet, or transport input all, that would allow all access, any protocol, including Telnet, which is non-secure. I'm going to say ssh, which says I only want to allow SSH access on these interfaces. All right, so that should be enough for us here. I'm going to get out of my config and I'll go ahead and save my configuration, because that's always a good idea, and then I'm going to test it out.

Now I've got an SSH client loaded here on my machine. It's actually the same client I'm using here for my console access; I like to use PuTTY. So I'm going to bring up my PuTTY console. Here we go. I've already created a little shortcut here for my SSH connection; it's just going to plug in my IP address and configure SSH. So let me go ahead and punch that in and I'll go ahead and connect. Now in my SSH window, when I first launch it, I'm going to get this pop-up box right here warning me that I'm connecting to this device and it's presenting me with a certificate: do I trust that certificate? Well, it's only going to ask me this the first time. If I say yes to this, that says I will trust the certificate and I'll start a connection. Now I've got this one set with a green font instead of gray so we can tell the difference between my SSH session and my console session. And so I can log in here. I'm going to log in as admin and I'm going to provide that password that I set, and there we go, I'm logged in to router 1 and I'm logged in via SSH. I can enable, I can provide that password that we specified, and I'm in a secure connection between me and the router on the other end. I can do a show ssh and I can see that I've got an SSH version 2.0 connection, in and out; it's encrypting using AES 256, which is a pretty strong encryption level, with a SHA-1 hash being used again on the session. So a very secure connection, and we're up and we're going. At this point I could take my router, stick it in the networking closet or wherever, go back to my office, remote in using SSH, and we're in business.

All right, let's do a quick recap of the commands that I had to do to get this operational. Let me bring up a little Notepad window here, or not, good ol'... oh, I'm sorry, I've got Notepad++ and it was taking a little longer to run. All right, so the first thing I had to do was I had to assign a host name to my router; your router has to have a host name, and you have to punch that in as well as the domain name: ip domain-name and whatever that domain name is. All right, so those are the first two commands I had to do. Once that was done I was able to generate a certificate using crypto key generate rsa, and then I made sure to specify 1024 for the modulus. All right, after that was done, as soon as that certificate was generated I got a message letting me know that SSH was enabled. I then created a username, set the privilege level and set the password for that user account, and told it aaa new-model to let it know it needed to ask for a username and a password. All right, then I got into my vty lines, remember 0 through 4 on a router, 0 through 15 on a switch, so a little bit different there, where I said transport input ssh to restrict it just to supporting SSH connections, if I can say it. All right, once that was done my device was ready to support the SSH connections and I was able to remote in. All in all, very easy to do if we know the commands to punch in.

All right, so now that you guys have seen that, you know there's no excuse for using Telnet anymore. Really we should try and get away from that as soon as possible. You don't want to send unencrypted data over your network if you don't have to. All right, well that wraps up another demonstration. I hope you guys learned something, and look forward to seeing my next demonstration here soon.
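The command sequence the recap describes, collected in the order it is typed, as an added example that is not from the video and not Cisco's own documentation. The hostname, domain, username and IP address are the lab values used in the demo; the subnet mask, the spelled-out password P@ssw0rd and the ip ssh version 2 line are assumptions not shown on screen.

```cisco
! Added example, not from the video: SSH-only management access on an
! IOS router, entered from privileged EXEC. All values are lab values.
configure terminal
!
! 1. Hostname and domain name: both are required before the RSA key
!    pair can be generated (the key is named after the FQDN r1.demo.net).
hostname r1
ip domain-name demo.net
!
! 2. Generate the RSA key pair. The prompt defaults to 512 bits; 1024 is
!    what the video requires for SSH 1.99/2.0 support. IOS logs
!    "SSH 1.99 has been enabled" once the key exists.
crypto key generate rsa modulus 1024
!
! 3. Give the router a reachable address (mask is assumed here).
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 no shutdown
 exit
!
! 4. Local administrative account. "secret" stores a hash in the config;
!    "password" would store it readable in show running-config.
!    Define the user BEFORE aaa new-model so the vty lines never fall
!    back to password-only authentication with no user to match.
username admin privilege 15 secret P@ssw0rd
aaa new-model
enable secret P@ssw0rd
!
! 5. Restrict the virtual terminals to SSH. On a router the lines are
!    vty 0 4; on most switches use "line vty 0 15".
!    Weak settings that the video warns against, for comparison:
!      transport input all          (any protocol, Telnet included)
!      transport input ssh telnet   (Telnet still reachable)
line vty 0 4
 transport input ssh
 exit
!
! Not in the video: refuse SSH version 1 clients outright (assumed
! available; present on crypto-capable 12.3T/12.4 images).
ip ssh version 2
end
!
! 6. Save, then verify from an SSH client session.
write memory
show ip interface brief
show ip ssh
show ssh
```

With aaa new-model enabled and no further aaa authentication commands, IOS authenticates vty logins against the local username table, which is why the video never adds login local to the vty lines. show ip ssh reports the enabled version and the key size, and show ssh lists each active session with its negotiated cipher and MAC, matching the AES-256/SHA-1 session the video shows.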
Info
Channel: NHGainesville
Views: 239,183
Keywords: new horizons of north florida, gainesville, tallahassee, pensacola, tim broom, don pezet, cisco router, ssh, security, switch, networking, ccna, ccnp, iins, online live learning, 2010 global center of the year
Id: 3v3Iw87vEQ8
Length: 12min 19sec (739 seconds)
Published: Mon Sep 20 2010