ssh cisco router

Upload: ragman-fache

Post on 04-Jun-2018


8/13/2019 ssh Cisco Router

    Here are the steps:

    1. Configure a hostname for the router using these commands.

    yourname#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    yourname(config)#hostname LabRouter
    LabRouter(config)#

    2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used CiscoLab.com. The domain name is required in the next step: the router refuses to generate keys until both a non-default hostname and a domain name are set.

    LabRouter(config)#ip domain-name CiscoLab.com

    3. Generate an RSA key pair with the crypto key generate rsa command. This key pair is the router's SSH host key: it identifies the router to clients and is used during key exchange to agree the session keys. It is a key pair, not a certificate, and the SSH traffic itself is encrypted with symmetric ciphers negotiated when the connection is set up, not with the RSA key directly.

    LabRouter(config)#crypto key generate rsa

    Take note of the message that is displayed right after we enter this command: "The name for the keys will be: LabRouter.CiscoLab.com". It combines the hostname of the router with the domain name we configured to get the name of the key pair; this is why it was important to configure a hostname and then a domain name before generating the keys.

    Notice also that it asks us to choose the size of the modulus for the key we are about to generate (the same value can be given non-interactively with the modulus keyword on the command). A larger modulus gives a stronger key and takes longer to generate. This example uses a modulus of 1024, which is fine for a lab but no longer considered adequate for production use: SSH version 2 on IOS requires at least 768 bits, and current practice is 2048 bits or larger.

    4. Now that we have generated the key, our next step is to configure the vty lines for SSH access and specify which database is used to authenticate to the device. The local database on the router will do just fine for this example: login local makes the vty lines check usernames against it, and transport input ssh restricts those lines to SSH only, so Telnet is no longer accepted. Create the local account (step 5) before you close your current session; with login local and no local user defined, the vty lines will not accept any login at all.

    LabRouter(config)#line vty 0 4
    LabRouter(config-line)#login local
    LabRouter(config-line)#transport input ssh

    (Source image: http://blog.pluralsight.com/blog/wp-content/uploads/2009/10/Why-and-how-to-configure-Secure-Shell-SSH-on-a-Cisco-Router2.jpg)

    5. You will need to create an account in the router's local database to be used for authenticating to the device. This can be accomplished with the command below. Use the secret keyword rather than password: secret stores a hash of the password in the configuration, whereas password stores it in clear text or in the trivially reversible type 7 form. privilege 15 places the user directly in privileged EXEC mode, so grant it only to administrators.

    LabRouter(config)# username XXXX privilege 15 secret XXXX

    Fine Tuning Your SSH Configuration

    We have pretty much completed all the steps needed to configure and use SSH on your router; however, there are some other configurations that can be made to further secure your device.

    For one, I would highly recommend enabling an exec time-out on your router to prevent anyone from gaining access to the device in case you forget to log out or get distracted because of an emergency. This way, the router will automatically log you out after the session has been idle for a set time.

    You must configure this command under the vty lines, as depicted below.

    LabRouter(config)#line vty 0 4
    LabRouter(config-line)#exec-timeout 5

    This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session. The syntax is exec-timeout minutes [seconds]; the IOS default is 10 minutes, and exec-timeout 0 0 disables the timeout entirely, so never leave that on a production vty line.

    Use Access Control Lists (ACLs) as an added layer of security; this will ensure that only devices with certain IP addresses are able to connect to the router.

    So let's say the IP subnet for your LAN is 192.168.100.0/24: you would create an ACL that permits only traffic from that subnet and apply it to the vty lines with access-class (not with ip access-group, which applies ACLs to interfaces). Every ACL ends with an implicit deny, so all other sources are refused. Make sure the address you are currently managing the router from is inside the permitted range before applying the access-class, or you will lock yourself out.

    LabRouter(config)#access-list 1 permit 192.168.100.0 0.0.0.255
    LabRouter(config)#line vty 0 4
    LabRouter(config-line)#access-class 1 in
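As an added example (not part of the original page), the script below audits the text of a Cisco IOS show running-config for the settings the steps above produce: a domain name, SSH-only vty lines using the local database, a non-zero exec-timeout, an access-class that references an ACL which actually exists, and local users stored with secret rather than password. It also checks for ip ssh version 2, which is my addition beyond the article's steps. The two embedded configurations are constructed samples, one weak and one hardened, and the check names are my own; the type 5 hash in the hardened sample is a placeholder, not a real hash.

```python
"""Audit a Cisco IOS running-config for the SSH hardening settings above.

Added example, not code from the original page. It parses the text of
`show running-config` and reports which checks pass. The sample configs
and check names are constructed for illustration.
"""
import re

# Constructed sample: Telnet still allowed, clear-text password, no ACL.
WEAK_CONFIG = """\
hostname LabRouter
!
username admin privilege 15 password 0 cisco123
!
line vty 0 4
 login local
 transport input telnet ssh
!
end
"""

# Constructed sample: what the steps above produce, plus `ip ssh version 2`
# (an assumed addition). The secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname LabRouter
ip domain-name CiscoLab.com
ip ssh version 2
!
username admin privilege 15 secret 5 $1$sample$aaaaaaaaaaaaaaaaaaaaaa
!
access-list 1 permit 192.168.100.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""

VTY_HEADER = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def vty_blocks(config):
    """Return [(header, [sub-commands])] for every `line vty` block.

    IOS indents sub-commands of a line block by one space; the block ends at
    the next unindented line (usually '!' or the next section).
    """
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
            continue
        current = None
        if VTY_HEADER.match(raw.strip()):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def global_lines(config):
    """Unindented lines, i.e. global configuration commands."""
    return [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]


def audit(config):
    """Run every check; returns {check_name: passed}."""
    glob, vtys = global_lines(config), vty_blocks(config)
    acl_ids = set()
    for l in glob:
        m = re.match(r"^access-list (\d+) permit ", l)
        if m:
            acl_ids.add(m.group(1))

    def every_vty(pred):
        # Every vty block must contain at least one sub-command satisfying pred.
        return bool(vtys) and all(any(pred(c) for c in cmds) for _, cmds in vtys)

    def timeout_ok(cmd):
        # `exec-timeout 0 0` disables the idle timeout entirely.
        m = re.match(r"^exec-timeout (\d+)(?: (\d+))?$", cmd)
        return bool(m) and (int(m.group(1)), int(m.group(2) or 0)) != (0, 0)

    def access_class_ok(cmd):
        # The referenced ACL must be defined, or the vty lines admit nobody.
        m = re.match(r"^access-class (\d+) in$", cmd)
        return bool(m) and m.group(1) in acl_ids

    users = [l for l in glob if l.startswith("username ")]
    return {
        "domain_name_set": any(re.match(r"^ip domain[ -]name \S+", l) for l in glob),
        "ssh_version_2": "ip ssh version 2" in glob,
        "vty_ssh_only": every_vty(lambda c: c == "transport input ssh"),
        "vty_login_local": every_vty(lambda c: c == "login local"),
        "vty_exec_timeout": every_vty(timeout_ok),
        "vty_access_class": every_vty(access_class_ok),
        "local_users_use_secret": bool(users)
        and all(" secret " in l and " password " not in l for l in users),
    }


def failed_checks(config):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "failed:", failed_checks(cfg) or "none")
```

To audit a real device, capture show running-config to a file and pass its contents to failed_checks; the RSA modulus size does not appear in the running-config, so verify it separately with show crypto key mypubkey rsa.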