
Paf.dias.ac.cy is a portal that can help you get your work done

This service can help you become more effective in the classroom and in your teaching in general...

Seminar 04/2015 - ΜΕ08.019 - CISCO Router / Web Server, MySQL Admin

Programming a CISCO Router / a simple Router / Web Server Administration / MySQL Server Administration - ΜΕ08.019 - PAPHOS


Sessions 1 & 2

If we use the IP Calculator on our website here: http://paf.dias.ac.cy/main/support/ipcalc

==================================================================================

192.168.0.1 - 192.168.7.254 = Total : 2046

If we multiply 8 * 254 we get 2032.
From 2032 to 2046 we are missing 14 IPs (2046 - 2032 = 14). Where do they come from?

They are the broadcast addresses of the following networks, all except the last one:

0.255
1.255
2.255
3.255
4.255
5.255
6.255
-------
Total : 7

Plus the network addresses of the following networks, all except the first one:

1.0
2.0
3.0
4.0
5.0
6.0
7.0
-------
Total : 7

So 7 + 7 = 14, and 2032 + 14 = 2046, which is the actual total number of IPs in this subnet.
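As an added example (not part of the seminar notes), this Python script uses the standard ipaddress module to reproduce the calculator's figures for 192.168.0.0/21 and to list the 14 inner boundary addresses; it generalizes to any supernet and inner prefix length.

```python
import ipaddress


def count_range(first_ip, last_ip):
    """Number of addresses in the inclusive range first_ip..last_ip,
    which is what the portal's IP calculator reports as 'Total'."""
    return int(ipaddress.ip_address(last_ip)) - int(ipaddress.ip_address(first_ip)) + 1


def explain_gap(supernet, inner_prefixlen):
    """Compare the usable hosts of one supernet with the sum of usable hosts
    of its inner subnets, and list the addresses that make up the difference:
    each inner subnet's broadcast (except the last) and network (except the first)."""
    net = ipaddress.ip_network(supernet)
    subnets = list(net.subnets(new_prefix=inner_prefixlen))
    usable_whole = net.num_addresses - 2            # drop the supernet's own net/bcast
    usable_split = sum(s.num_addresses - 2 for s in subnets)
    broadcasts = [str(s.broadcast_address) for s in subnets[:-1]]
    networks = [str(s.network_address) for s in subnets[1:]]
    return {
        "usable_whole": usable_whole,
        "usable_split": usable_split,
        "gap": usable_whole - usable_split,
        "broadcasts": broadcasts,
        "networks": networks,
    }


if __name__ == "__main__":
    result = explain_gap("192.168.0.0/21", 24)
    print(count_range("192.168.0.1", "192.168.7.254"), result["usable_split"], result["gap"])
    print(result["broadcasts"], result["networks"])
```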


 

How to Configure SSH only access to your school CISCO Router

====================================================================================================================
aaa new-model
ip domain-name alyk.pafospc.com
ip ssh version 2
crypto key generate rsa        (remember to use a 2048-bit modulus when prompted)
ip ssh time-out 60
ip ssh authentication-retries 2

line vty 0 4
 !--- Prevent non-SSH Telnets.
 transport input ssh

====================================================================================================================

First test the authentication without SSH to make sure that authentication works with the router Carter before you
add SSH. Authentication can be with a local username and password or with an authentication, authorization, and
accounting (AAA) server that runs TACACS+ or RADIUS. (Authentication through the line password is not possible with
SSH.) This example shows local authentication, which lets you Telnet into the router with username "cisco" and
password "cisco".


    !--- The aaa new-model command causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.

    aaa new-model
    username cisco password 0 cisco
    line vty 0 4
    transport input telnet

    !--- Instead of aaa new-model, you can use the login local command.

====================================================================================================================

 Authentication Test with SSH

In order to test authentication with SSH, you have to add to the previous statements in order to enable SSH on
Carter and test SSH from the PC and UNIX stations.

    ip domain-name rtp.cisco.com

    !--- Generate an SSH key to be used with SSH.

    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 2

At this point, the show crypto key mypubkey rsa command must show the generated key. After you add the SSH
configuration, test your ability to access the router from the PC and UNIX station. If this does not work, see the
debug section of this document.

====================================================================================================================
 Optional Configuration Settings
Prevent Non-SSH Connections

If you want to prevent non-SSH connections, add the transport input ssh command under the lines to limit the router
to SSH connections only. Straight (non-SSH) Telnets are refused.

    line vty 0 4

    !--- Prevent non-SSH Telnets.

    transport input ssh

Test to make sure that non-SSH users cannot Telnet to the router Carter.
====================================================================================================================
 Set Up an IOS Router or Switch as SSH Client

There are four steps required to enable SSH support on a Cisco IOS router:

    Configure the hostname command.

    Configure the DNS domain.

    Generate the SSH key to be used.

    Enable SSH transport support for the virtual type terminal (vtys).

If you want to have one device act as an SSH client to the other, you can add SSH to a second device called Reed.
These devices are then in a client-server arrangement, where Carter acts as the server, and Reed acts as the client.
The Cisco IOS SSH client configuration on Reed is the same as required for the SSH server configuration on Carter.


    !--- Step 1: Configure the hostname if you have not previously done so.

    hostname carter

    !--- The aaa new-model command causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.

    aaa new-model
    username cisco password 0 cisco

    !--- Step 2: Configure the DNS domain of the router.

    ip domain-name rtp.cisco.com

    !--- Step 3: Generate an SSH key to be used with SSH.

    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 2

    !--- Step 4: By default the vtys' transport is Telnet. In this case,
    !--- Telnet is disabled and only SSH is supported.

    line vty 0 4
    transport input ssh

    !--- Instead of aaa new-model, you can use the login local command.

Issue this command to SSH from the Cisco IOS SSH client (Reed) to the Cisco IOS SSH server (Carter) in order to test
this:

    SSH v1:

        ssh -l cisco -c 3des 10.13.1.99

    SSH v2:

        ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -l cisco 10.31.1.99


====================================================================================================================
 Set Up an IOS Router as an SSH Server that Performs RSA-Based User Authentication

Complete these steps in order to configure the SSH server to perform RSA based authentication.

    Specify the Host name.

        Router(config)#hostname <host name>

    Define a default domain name.

        Router(config)#ip domain-name <Domain Name>

    Generate RSA key pairs.

        Router(config)#crypto key generate rsa

    Configure SSH-RSA keys for user and server authentication.

        Router(config)#ip ssh pubkey-chain

    Configure the SSH username.

        Router(conf-ssh-pubkey)#username <user name>

    Specify the RSA public key of the remote peer.

        Router(conf-ssh-pubkey-user)#key-string

    Specify the SSH key type and version. (optional)

        Router(conf-ssh-pubkey-data)#key-hash ssh-rsa <key ID>

    Exit the current mode and return to privileged EXEC mode.

        Router(conf-ssh-pubkey-data)#end

    Note: Refer to Secure Shell Version 2 Support for more information.

====================================================================================================================
 Add SSH Terminal-Line Access

If you need outbound SSH terminal-line authentication, you can configure and test SSH for outbound reverse Telnets
through Carter, which acts as a comm server to Philly.

    ip ssh port 2001 rotary 1
    line 1 16
       no exec
       rotary 1
       transport input ssh
       exec-timeout 0 0
       modem InOut
       stopbits 1

If Philly is attached to Carter's port 2, then you can configure SSH to Philly through Carter from Reed with the
help of this command:

    SSH v1:

        ssh -c 3des -p 2002 10.13.1.99

    SSH v2:

        ssh -v 2 -c aes256-cbc -m hmac-sha1-160 -p 2002 10.31.1.99

You can use this command from Solaris:

    ssh -c 3des -p 2002 -x -v 10.13.1.99


====================================================================================================================
 Restrict SSH access to a subnet

You need to limit SSH connectivity to a specific subnetwork where all other SSH attempts from IPs outside the
subnetwork should be dropped.

You can use these steps to accomplish the same:

    Define an access-list that permits the traffic from that specific subnetwork.

    Restrict access to the VTY line interface with an access-class.

This is an example configuration. In this example only SSH access to the 10.10.10.0 255.255.255.0 subnet is
permitted, any other is denied access.

    Router(config)#access-list 23 permit 10.10.10.0 0.0.0.255
    Router(config)#line vty 5 15
    Router(config-line)#transport input ssh
    Router(config-line)#access-class 23 in
    Router(config-line)#exit

Note: The same procedure to lock down the SSH access is also applicable on switch platforms.
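The SSH-only settings above (version 2, local or AAA login, transport input ssh on every vty) and the access-class restriction in this section are easy to get half right, for example by hardening line vty 0 4 but forgetting vty 5 15. This added Python checker (not code from the notes or from Cisco) parses a saved running-config and reports which of those settings are missing; the sample config embedded in it is constructed for the demo.

```python
# Constructed sample running-config (not a real device); vty 5 15 is left open on purpose.
SAMPLE_CONFIG = """\
aaa new-model
username cisco password 0 cisco
ip ssh version 2
access-list 23 permit 10.10.10.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 23 in
line vty 5 15
 transport input telnet ssh
"""

def parse_ios_config(text):
    """Split an IOS config into global commands and 'line ...' sections (header + indented children)."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                   # skip blanks and IOS comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())       # child command of the open line section
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None                              # any other global command closes a section
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit_ssh_access(text):
    """Findings for: SSH pinned to v2, a local user usable via aaa new-model/login local,
    and every vty limited to SSH with an inbound access-class (line passwords alone do not work with SSH)."""
    global_cmds, sections = parse_ios_config(text)
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: SSH not pinned to version 2")
    has_local_user = any(c.startswith("username ") for c in global_cmds)
    uses_local_login = "aaa new-model" in global_cmds or any(
        "login local" in cmds for cmds in sections.values())
    if not (has_local_user and uses_local_login):
        findings.append("global: no local username with aaa new-model/login local")
    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{name}: transport input is not ssh-only")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class limiting source subnet")
    return findings
```

Run it over `show running-config` output saved to a file; an empty result means every vty block passed the checks.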
====================================================================================================================
 Configure the SSH Version

Configure SSH v1:

    carter(config)#ip ssh version 1

Configure SSH v2:

    carter(config)#ip ssh version 2

Configure SSH v1 and v2:

    carter(config)#no ip ssh version

Note: You receive this error message when you use SSHv1:

    %SCHED-3-THRASHING: Process thrashing on watched message event.

Note: Cisco bug ID CSCsu51740 (registered customers only) is filed for this issue. Workaround is to configure SSHv2.
====================================================================================================================

Variations on banner Command Output

====================================================================================================================
 debug and show Commands

Before you issue the debug commands described and illustrated here, refer to Important Information on Debug
Commands. Certain show commands are supported by the Output Interpreter Tool (registered customers only), which
allows you to view an analysis of show command output.

    debug ip ssh—Displays debug messages for SSH.

    show ssh—Displays the status of SSH server connections.

        carter#show ssh
          Connection    Version Encryption    State              Username
           0            1.5     DES           Session started    cisco

    show ip ssh—Displays the version and configuration data for SSH.

        Version 1 Connection and no Version 2

            carter#show ip ssh
              SSH Enabled - version 1.5
              Authentication timeout: 60 secs; Authentication retries: 2

        Version 2 Connection and no Version 1

            carter#show ip ssh
              SSH Enabled - version 2.0
              Authentication timeout: 120 secs; Authentication retries: 3

        Version 1 and Version 2 Connections

            carter#show ip ssh
              SSH Enabled - version 1.99
              Authentication timeout: 120 secs; Authentication retries: 3


CISCO Router - Access Methods

There are several ways to access the CLI environment. The most usual methods are:

  • Console
  • Telnet or SSH
  • AUX port

Console

The CLI can be accessed through a console session, also known as the CTY line. A console uses a low speed serial connection to directly connect a computer or terminal to the console port on the router or switch. The console port is a management port that provides out-of-band access to a router. The console port is accessible even if no networking services have been configured on the device. The console port is often used to access a device when the networking services have not been started or have failed.

Examples of console use are:

  • The initial configuration of the network device
  • Disaster recovery procedures and troubleshooting where remote access is not possible
  • Password recovery procedures

When a router is first placed into service, networking parameters have not been configured. Therefore, the router cannot communicate via a network. To prepare for the initial startup and configuration, a computer running terminal emulation software is connected to the console port of the device. Configuration commands for setting up the router can be entered on the connected computer. During operation, if a router cannot be accessed remotely, a connection to the console can enable a computer to determine the status of the device. By default, the console conveys the device startup, debugging, and error messages. For many IOS devices, console access does not require any form of security, by default. However, the console should be configured with passwords to prevent unauthorized device access. In the event that a password is lost, there is a special set of procedures for bypassing the password and accessing the device. The device should be located in a locked room or equipment rack to prevent physical access.

Telnet and SSH

A method for remotely accessing a CLI session is to telnet to the router. Unlike the console connection, Telnet sessions require active networking services on the device. The network device must have at least one active interface configured with a Layer 3 address, such as an IPv4 address. Cisco IOS devices include a Telnet server process that launches when the device is started. The IOS also contains a Telnet client. A host with a Telnet client can access the vty sessions running on the Cisco device. For security reasons, the IOS requires that the Telnet session use a password, as a minimum authentication method. The methods for establishing logins and passwords will be discussed in a later section.

The Secure Shell (SSH) protocol is a more secure method for remote device access. This protocol provides the structure for a remote login similar to Telnet, except that it utilizes more secure network services. SSH provides stronger password authentication than Telnet and uses encryption when transporting session data. The SSH session encrypts all communications between the client and the IOS device. This keeps the user ID, password, and the details of the management session private. As a best practice, always use SSH in place of Telnet whenever possible. Most newer versions of the IOS contain an SSH server. In some devices, this service is enabled by default. Other devices require the SSH server to be enabled. IOS devices also include an SSH client that can be used to establish SSH sessions with other devices. Similarly, you can use a remote computer with an SSH client to start a secure CLI session. SSH client software is not provided by default on all computer operating systems. You may need to acquire, install, and configure SSH client software for your computer.

AUX

Another way to establish a CLI session remotely is via a telephone dialup connection using a modem connected to the router's AUX port. Similar to the console connection, this method does not require any networking services to be configured or available on the device. The AUX port can also be used locally, like the console port, with a direct connection to a computer running a terminal emulation program. The console port is required for the configuration of the router, but not all routers have an auxiliary port. The console port is also preferred over the auxiliary port for troubleshooting because it displays router startup, debugging, and error messages by default. Generally, the only time the AUX port is used locally instead of the console port is when there are problems using the console port, such as when certain console parameters are unknown.



How to Reset username(s) and password(s) for a CISCO Router

You need to press Ctrl + Break as soon as you see anything on the terminal window during boot. Note that the procedure below removes the enable and line passwords and then saves that configuration, so set a new enable secret, username and line login before leaving the device in service.

Username:

System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2009 by cisco Systems, Inc.

C880 platform with 262144 Kbytes of main memory

Readonly ROMMON initialized

monitor: command "boot" aborted due to user interrupt

rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect

rommon 2 > reset

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
124160K bytes of ATA CompactFlash (Read/Write)

         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: no

Router> en
Router#copy start run
Router#config term
Router(config)#no enable secret
Router(config)#no enable password
Router(config)#line vty 0 4
Router(config-line)#no login
Router(config-line)#no password
Router(config-line)#exit
Router(config)#line con 0
Router(config-line)#no login
Router(config-line)#no password
Router(config-line)#exit
Router(config)#config-register 0x2102
Router(config)#exit
Router#write mem
