4.8 Configure network devices for remote access using SSH

I mentioned router and switch security earlier.  You can access a router or switch remotely via Telnet or SSH, but only SSH is secure.  Do not use Telnet.

You can protect access to a device’s configuration by entering the security configuration.

Type line vty 0 15 to enter the login configuration mode (for Telnet/SSH only), then use the following commands:

  • login – this tells the switch/router to prompt for a password for the user mode
  • password <password> – where <password> is the password I want to use

In the above example, I only have one user password.  If I have multiple users, they each must know the password.  I could instead create multiple user accounts.  I would type

  • username <username> secret <password> – where <username> is the username, and <password> is the password I want to use.  The username is a global command; it isn’t applied inside the line console command.
  • line console 0 – now I’ve entered into the login configuration (for the console only; this doesn’t apply to users who connect over Telnet or SSH)
    • login local – this tells the switch/router to prompt for a username and password for the user mode, and to do so from the local configuration, instead of an external server


If we have a large organization, we could connect our switch to an external server, such as a RADIUS server.  The external server handles authentication and user accounts.  This would be better than manually configuring usernames and passwords on every device.

To configure SSH, use the following commands:

  • hostname <switch name> – this configures the name of the switch; it should have been set earlier.  We should choose a unique name for each switch/router in our organization.
  • ip domain-name <domain name> – this is the domain name for our organization
  • crypto key generate rsa – the switch uses the hostname and domain name to generate an RSA key (for encryption).  When you enter this command, the switch will ask you for a modulus size.

We could also disable Telnet or other types of logins with the transport input command.  transport input <parameter> determines which connection method the switch supports.

  • transport input all – Telnet and SSH are supported
  • transport input telnet ssh – Telnet and SSH are supported
  • transport input none – Neither Telnet nor SSH is supported
  • transport input ssh – Only SSH is supported
  • transport input telnet – Only Telnet is supported
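
The check below is an added example, not part of the original guide: a short Python audit that reads a saved running-config and reports vty lines that still permit Telnet or use a shared line password, plus a missing hostname or domain name. The sample configuration, function names and finding strings are constructed for illustration; a vty block with no transport input line is reported for review rather than guessed at.

```python
import re

# Constructed sample running-config for illustration (not from the original page).
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name example.com
username admin secret 9 CONSTRUCTED-HASH
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password CONSTRUCTED-PASSWORD
 login
 transport input telnet ssh
end
"""

def parse_vty_blocks(config):
    """Map each 'line vty' range (e.g. '0 4') to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"line vty (\d+(?: \d+)?)\s*$", line)
        if header:
            current = header.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line closes the vty block
    return blocks

def audit(config):
    """Return findings for the SSH prerequisites and vty settings described above."""
    findings = []
    if not re.search(r"^hostname \S+", config, re.M):
        findings.append("global: hostname not set (needed before generating the RSA key)")
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("global: ip domain-name not set (needed before generating the RSA key)")
    for rng, cmds in parse_vty_blocks(config).items():
        transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"vty {rng}: no transport input line, platform default applies")
        elif {"telnet", "all"} & set(transport[-1]):
            findings.append(f"vty {rng}: Telnet permitted")
        if "login" in cmds:
            findings.append(f"vty {rng}: shared line password (login), not per-user (login local)")
    return findings
```

Calling audit(SAMPLE_CONFIG) flags only the vty 5 15 block; the RSA key itself does not appear in the running configuration, so it is not checked here.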

If we’re curious about who is connected, we can type show ssh.

But how do we connect to the switch via SSH?  What is its IP address?

If we have a static IP

  • We enter the VLAN configuration mode by typing interface vlan <VLAN number>.  We should choose a VLAN to configure the IP address on.  We issue the following command to configure an IP address
    • ip address <IP address> <subnet mask> – this provides the interface with an IP address
    • no shutdown – just in case the interface was shut down.
  • We issue the following commands in the main configuration
    • ip default-gateway <default gateway IP address> – this provides the switch with a default gateway
    • ip name-server <DNS IP address #1> – this is optional, but allows the switch to use a DNS server

Below, I have configured VLAN 40 to use an IP address of 5.5.5.5/24, and configured the switch to use a default gateway IP address of 5.5.5.1, and a DNS server of 4.4.4.4.

If we have a dynamic IP (DHCP)

  • We enter the VLAN configuration mode by typing interface vlan <VLAN number>
    • ip address dhcp – this tells the switch that the interface is using DHCP.  The switch sends out a DHCP request.

Below, I have configured VLAN 40 to use DHCP.

How can we verify the IP address is configured correctly?  We can use one of the following commands

  • show running-config – under the VLAN interface, this will show us the VLAN’s static IP address, and under the global configuration, this will show us the switch’s default gateway and DNS
  • show interfaces vlan <VLAN number> – this will list details for the VLAN.  We can see if the VLAN has an IP address.
  • show dhcp lease – if DHCP is enabled, this command will show us the IP address obtained by the switch.

We can Telnet or SSH from one router into another.  A good reason for this is when there is a routing issue preventing us from accessing a router directly, but the router is still connected to our network indirectly.  We can use the following commands

  • ssh -l <username> <ip address of router>
  • telnet <ip address of router>

Once we have connected, the prompt changes to the hostname of the router that is connected.  We can exit the session by typing exit or quit.

We can also chain sessions: Telnet or SSH from one router to another, from that router to another, and so on.