Setting Up Telnet and SSH for a Cisco device

Setting Up Telnet for a Cisco device

Telnet is a protocol that lets you open a remote command-line connection to a Cisco device.

In the figure, PC1 is connected to Switch1, Switch1 is connected to Router1, and Router1 is also connected to PC2.

PC1 has the IP address 192.168.1.101 /24

Switch1, or to be exact its interface vlan1, has the IP address 192.168.1.11 /24

Router1 interface fa0/1 has the IP address 192.168.1.1 /24

Router1 interface fa0/0 has the IP address 192.168.2.1 /24

PC2 has the IP address 192.168.2.102 /24

I am going to configure Switch1 to accept Telnet connections.

Switch>enable

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname Switch1

Switch1(config)#enable secret cisco

Switch1(config)#interface vlan1

Switch1(config-if)#ip address 192.168.1.11 255.255.255.0

Switch1(config-if)#no shutdown

Switch1(config-if)#

%LINK-5-CHANGED: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Now I am going to telnet to Switch1 from PC1.

PC>telnet 192.168.1.11

Trying 192.168.1.11 ...Open

[Connection to 192.168.1.11 closed by foreign host]

As you see, the connection fails. The reason is that I didn't configure a password on the vty lines.

So let me go back to Switch1 and show you a command you need to avoid.

Switch1(config)#line vty 0 15

Switch1(config-line)#no login

As you see, I used the no login command on the vty lines.

So let me try again to telnet to Switch1 from PC1.

PC>telnet 192.168.1.11

Trying 192.168.1.11 ...Open

Switch1>

As you see, I can connect to the switch without a password. So my advice is: never use the no login command in a production network, because anyone who can reach your Cisco device over the network can telnet to it without authenticating.

Now let's remove the no login command. To do that you need to type the login command.

Switch1(config-line)#login

% Login disabled on line 1, until 'password' is set

% Login disabled on line 2, until 'password' is set

% Login disabled on line 3, until 'password' is set

% Login disabled on line 4, until 'password' is set

% Login disabled on line 5, until 'password' is set

% Login disabled on line 6, until 'password' is set

% Login disabled on line 7, until 'password' is set

% Login disabled on line 8, until 'password' is set

% Login disabled on line 9, until 'password' is set

% Login disabled on line 10, until 'password' is set

% Login disabled on line 11, until 'password' is set

% Login disabled on line 12, until 'password' is set

% Login disabled on line 13, until 'password' is set

% Login disabled on line 14, until 'password' is set

% Login disabled on line 15, until 'password' is set

% Login disabled on line 16, until 'password' is set

As you see, when I type login the switch warns me on every vty line that a Telnet connection is not allowed until a password is set. So don't think that you did something wrong when you get this output.

So now let me configure the password on the vty lines.

Switch1(config-line)#password cisco

The password is now configured. Let's telnet to the switch.

PC>telnet 192.168.1.11

Trying 192.168.1.11 ...Open

User Access Verification

Password:

Switch1>

As you see, the switch is asking me to enter the password to get a connection.

But when I enter the password I am presented with user EXEC mode. So the vty password only gets you to user EXEC mode. If you want to get to privileged EXEC mode you will need to configure an enable secret password from global configuration mode.

Now let's try to telnet from PC2.

PC>telnet 192.168.1.11

Trying 192.168.1.11 ...

% Connection timed out; remote host not responding

You see the connection fails because Switch1 is not on the same network as PC2. So the switch needs a default gateway through which it can reach PC2.

To give the switch a default gateway you use the ip default-gateway command from global configuration mode, as shown below.

Switch1(config)#ip default-gateway 192.168.1.1

Now let's try again to telnet from PC2.

PC>telnet 192.168.1.11

Trying 192.168.1.11 ...Open

User Access Verification

Password:

Switch1>

Now we are able to telnet from PC2 to Switch1.

Setting Up SSH

Telnet is easy to set up; however, it is not a secure connection because everything is sent in clear text. To be on the safe side I advise you to use SSH on a production network.

Below are the steps you need to take to set up SSH.

1- define a username and password from global configuration mode

2- define a domain name from global configuration mode

3- use the crypto key generate rsa command to generate a key

4- specify the SSH version

5- configure the vty lines to accept SSH connections

Let’s get into those steps.

1- define a username and password from global configuration mode

The username and password are what we are going to use to SSH to the device.

Here is the syntax from global configuration mode.

Switch1(config)#username john password cisco

Note : you can create multiple usernames and passwords.

2- define a domain name from global configuration mode

The domain name is needed so we can generate the key pair for encryption; it becomes part of the key's name.

Here is the syntax from global configuration mode.

Switch1(config)#ip domain-name MYDOMAIN.COM

3- use the crypto key generate rsa command to generate a key

The crypto key generate rsa command generates the RSA key pair used for encryption.

Here is the syntax from global configuration mode.

Switch1(config)#crypto key generate rsa

The name for the keys will be: Switch1.MYDOMAIN.COM

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]:

% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

As you see, the domain name (MYDOMAIN.COM) is appended to the hostname of the switch (Switch1) to form the key name.

4- specify the SSH version

There are two versions of SSH (version 1 and version 2). I advise you to choose version 2 if your device supports it, because it is a lot more secure than version 1.

Here is the syntax from global configuration mode.

Switch1(config)#ip ssh version 2

Please create RSA keys (of at least 768 bits size) to enable SSH v2.

As you see, the switch is asking me to create RSA keys of at least 768 bits to enable SSH version 2, because I chose 512 bits when I generated the keys.

5- configure the vty lines to accept SSH connections

In this last step we use the login local command on the vty lines so that the username and password we defined earlier are used for authentication.

Here is the syntax, entered from global configuration mode and then line configuration mode.

Switch1(config)#line vty 0 15

Switch1(config-line)#login local

login local means: authenticate with the usernames and passwords defined earlier on the device.

That's all you need for setting up SSH.
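As an added defensive check (my own example, not part of the original tutorial or of any Cisco tooling), this Python script scans a running-config for the weaknesses the walkthrough demonstrates: vty lines with no login, a user stored with a reversible password rather than a secret, SSH version 2 not enforced, and vty lines that still allow Telnet. It assumes the IOS commands transport input ssh and username ... secret, which the walkthrough does not use, and both sample configs are constructed.

```python
import re

# Constructed sample (not a real device capture): the Telnet-only state the walkthrough
# above reaches right after 'no login'; 'transport input all' is the IOS default.
WEAK_CONFIG = """\
username john password cisco
interface vlan1
 ip address 192.168.1.11 255.255.255.0
line vty 0 15
 no login
 transport input all
"""

# Constructed hardened counterpart: hashed user secret, SSHv2 only, vty limited to SSH.
HARDENED_CONFIG = """\
username john secret cisco
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
"""

def vty_blocks(config):
    """Yield (header, child_lines) for every 'line vty' section of the config."""
    header, children = None, []
    for raw in config.splitlines() + [""]:      # the sentinel flushes the last block
        if raw.startswith(" ") and header is not None:
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header = raw.strip() if raw.startswith("line vty") else None
        children = []

def audit(config):
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings = []
    if re.search(r"^username \S+ password ", config, re.M):
        findings.append("username stored with 'password' (reversible); prefer 'secret'")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("'ip ssh version 2' not set; the device may still accept SSHv1")
    for header, children in vty_blocks(config):
        if "no login" in children:
            findings.append(f"{header}: 'no login' grants access without any password")
        # A vty block with no transport command is at the IOS default, 'transport input all'.
        transport = next((c for c in children if c.startswith("transport input")), "transport input all")
        if transport.split()[-1] != "ssh":
            findings.append(f"{header}: '{transport}' still permits Telnet; use 'transport input ssh'")
    return findings
```

Running audit(WEAK_CONFIG) reports four findings, while audit(HARDENED_CONFIG) returns an empty list.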

Now let's try to start an SSH session from PC1.

Here is the syntax you need on PC1.

ssh [-l userid] [-p portnum] {ipaddr | hostname}

-l is the option that introduces the login name

userid is the username you defined on the switch

-p portnum specifies the TCP port number and is optional

{ipaddr | hostname} is the IP address or hostname of the device you want to SSH to

Here is the command entered on PC1.

PC>ssh -l john 192.168.1.11

Open

Password:

Switch1>

As you see, I am now connected to Switch1 via SSH.