Command                                     Description
#configure terminal                         Enter global configuration mode from the terminal
#interface fastEthernet 0/1                 Select interface fa0/1 for configuration
#shutdown | #no shutdown                    Disable or enable the interface port
#show interfaces fastEthernet 0/1           Display information about interface fa0/1
#show ip interface brief                    Display a summary of the device interfaces
#speed 10 | 100 | auto                      Set the interface speed to 10, 100, or auto
#duplex auto | full | half                  Enable auto duplex, or force full- or half-duplex operation
#ping ip-address | hostname                 Test connectivity to a host
#access-list <1-99>                         Standard IP access list (numbers 1-99); used here to restrict access to the VTY lines
#ip domain-name CCNA                        Set the system domain name, which is required before the cryptographic keys can be generated
#access-list <1-99> permit x.x.x.x x.x.x.x  Create a standard IP ACL entry that permits a source address (address followed by wildcard mask)
#ip ssh version 1 | 2                       Specify the SSH version
#line vty 0 4                               Enter line configuration mode for the VTY lines used by remote telnet and ssh sessions
#enable secret                              Set the privileged EXEC password; it is stored as an MD5 or SHA-2 hash rather than in cleartext


Task 1: Device password protection.
Step 1: Access the console port of the router.
Step 2: Secure the console port with the password cisco
(please do not use any other password; passwords are case-sensitive)

CCNA-R01#config t
Enter configuration commands, one per line. End with CNTL/Z.
CCNA-R01(config)#
CCNA-R01(config)#line console 0
CCNA-R01(config-line)#password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) line password
CCNA-R01(config-line)#password cisco
CCNA-R01(config-line)#login
CCNA-R01(config-line)#
CCNA-R01(config-line)#do copy running-config start
Destination filename [startup-config]?
Building configuration…
[OK]
CCNA-R01(config-line)#


Step 3: Leave configuration mode using the End and Exit commands.

CCNA-R01(config)#end
CCNA-R01#
*Mar 1 00:04:21.663: %SYS-5-CONFIG_I: Configured from console by console
CCNA-R01#exit
Step 4: Enter the console password to return to user EXEC mode.
CCNA-R01 con0 is now available
Press RETURN to get started.
User Access Verification
Password:
CCNA-R01#

Step 5: Create a local user account with a username of ccna and a secret password of cisco

CCNA-R01#config t
Enter configuration commands, one per line. End with CNTL/Z.
CCNA-R01(config)#
CCNA-R01(config)#username ccna-learner password cisco

Step 6: Change the security method used on the console port to now prompt the administrator for a username and password.


the person accessing the system.
Task 2: Remote access using Telnet and SSH.
The telnet (insecure) and ssh (secure) protocols allow administrators to access their
devices remotely, provided IP connectivity exists between the telnet/ssh client and the
telnet/ssh server.
In this task, we are going to configure our router to support telnet and ssh sessions via the
VTY lines.

  1. Configuration on PC1
    PC1> show ip
    NAME : PC1[1]
    IP/MASK : 0.0.0.0/0
    GATEWAY : 0.0.0.0
    DNS :
    MAC : 00:50:79:66:68:00
    LPORT : 20006
    RHOST:PORT : 127.0.0.1:20007
    MTU : 1500
    PC1> ip 172.18.1.10/24 172.18.1.1
    Checking for duplicate address…
    PC1 : 172.18.1.10 255.255.255.0 gateway 172.18.1.1
    a. Test connectivity by pinging PC1's own IP address and the router's (CCNA-R01) IP address
    PC1> ping 172.18.1.10
    172.18.1.10 icmp_seq=1 ttl=64 time=0.001 ms
    172.18.1.10 icmp_seq=2 ttl=64 time=0.001 ms

    PC1> ping 172.18.1.1
    84 bytes from 172.18.1.1 icmp_seq=1 ttl=255 time=10.549 ms
    84 bytes from 172.18.1.1 icmp_seq=2 ttl=255 time=4.065 ms
    PC1>

  2. Configuration on CCNA-R01
    CCNA-R01(config)#
    CCNA-R01(config)#interface fastEthernet 0/1
    CCNA-R01(config-if)#ip address 172.18.1.1 255.255.255.0
    CCNA-R01(config-if)#no shutdown
    CCNA-R01(config-if)#
    *Mar 1 00:36:12.347: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
    *Mar 1 00:36:13.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    CCNA-R01(config-if)#

Step 1: Access the router CLI, navigate to the VTY configuration mode, and enter the
command which forces the administrator to provide a username and password.
Hint: you used the same command on the console port in the previous task.

Step 2: From your PC's desktop, launch the PuTTY application.
Select the connection type radio button for Telnet and type in the IP address of router
R1, 172.18.1.1.

Click Open and enter the username ccna and password cisco.
Enter the command to gain access to privileged mode and type in the secret password
cisco.
Execute the sh users command; the output should look like the image below.

type in the authentication details, the username and password are sent in clear text
protection via an encrypted channel.
To configure SSH we need to set up a domain name, generate our RSA public/private key
support the SSH protocol.
IP domain-name CCNA-Learner.com
crypto key generate RSA
size of 768 bits or greater)
IP ssh version 2
Optional: if your company policy dictates that all remote connections must use SSH, restrict the VTY lines with transport input ssh

  1. Configure SSH on CCNA-R01

To configure SSH we need to set the domain name ccna-learner.com and generate RSA keys with a modulus of 1024 or 2048 bits (the prompt defaults to [512])

CCNA-R01(config)#ip domain-name ccna-learner.com
CCNA-R01(config)#crypto key generate rsa
The name for the keys will be: CCNA-R01.ccna-learner.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys.
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
CCNA-R01(config)#
*Mar 1 01:23:46.571: %SSH-5-ENABLED: SSH 1.99 has been enabled
CCNA-R01(config)#

CCNA-R01(config)#line vty 0 4
CCNA-R01(config-line)#login local
CCNA-R01(config-line)#transport input ssh
CCNA-R01(config-line)#exit
CCNA-R01(config)#ip ssh version 2
CCNA-R01(config-line)#do copy running start
Destination filename [startup-config]?
Building configuration…
[OK]
CCNA-R01(config-line)#

Step 3: Check that ssh is working by opening a PuTTY session to your router from your PC
the router and open the connection.
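The checks behind Tasks 1 and 2, written as an added Python audit over a saved running-config. This is example code, not part of the lab; the two sample configs and the placeholder hash values in them are constructed. It flags cleartext "password" entries where "secret" should be used, console or VTY lines that do not use login local, VTY lines that still accept telnet, and a missing ip ssh version 2 or ip domain-name.

```python
"""Audit a Cisco IOS running-config for the remote-access hardening from Tasks 1 and 2.
Added example; the configs below are constructed, not captured from the lab router."""
import re

# Constructed "before" config: line passwords, reversible enable password, telnet allowed.
WEAK_CONFIG = """\
hostname CCNA-R01
enable password cisco
username ccna-learner password 0 cisco
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

# Constructed "after" config; the $1$PLACEHOLDER$... strings stand in for real MD5 hashes.
HARDENED_CONFIG = """\
hostname CCNA-R01
ip domain-name ccna-learner.com
ip ssh version 2
enable secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
username ccna secret 5 $1$PLACEHOLDER$hashhashhashhashhashhash
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text):
    """Split an IOS config into global lines and {stanza header: [indented child lines]}."""
    global_lines, stanzas = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the open stanza
            if current is not None:
                stanzas[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        # line / interface / router commands open a stanza of indented sub-commands
        if line.split()[0] in ("line", "interface", "router"):
            current = line
            stanzas.setdefault(current, [])
        else:
            current = None
    return global_lines, stanzas


def audit(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    global_lines, stanzas = parse_config(text)
    findings = []
    if any(l.startswith("enable password") for l in global_lines):
        findings.append("enable password is stored cleartext/reversible; use enable secret")
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("no enable secret configured")
    for l in global_lines:
        m = re.match(r"username (\S+) password", l)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' (type 0/7) instead of 'secret'")
    if "ip ssh version 2" not in global_lines:
        findings.append("ip ssh version 2 not set (SSHv1 remains negotiable)")
    if not any(l.startswith("ip domain-name") for l in global_lines):
        findings.append("no ip domain-name (required before RSA key generation)")
    for header, body in stanzas.items():
        if not header.startswith("line"):
            continue
        if "login local" not in body:
            findings.append(f"{header}: not using login local (username + password)")
        if any(b.startswith("password ") for b in body):
            findings.append(f"{header}: line password present")
        if header.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport input should be 'ssh' only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run it against the output of show running-config saved to a file by reading the file into audit(); the checks only look at configuration lines, so the RSA modulus size chosen during crypto key generate rsa has to be verified separately on the router.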

Task 3: Limiting remote access based on source IP addresses.
Standard IP ACLs can be used to identify the source IP address of an ssh or telnet client.


Step 1: Check the IP address of your PC and make a note of it below.
Step 2: Access the CLI on the router and navigate to global configuration mode. This is
where you will need to create a standard IP ACL which allows only your PC to telnet or ssh
into the router; please use an ACL id of 2.
access-list 2 permit 172.18.1.100 0.0.0.0

Step 4: Apply this ACL to the VTY lines using the appropriate command; use the command
list if you are unsure.
have applied the ACL.
Step 5: Change the IP address on your PC
PC1 172.18.1.120/24

Now try to telnet or ssh to your router. Should you be successful?

Step 6: Reset your PC to its original IP address and verify you can telnet or ssh to the router.
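The question in Step 5 can be answered by evaluating the ACL the way IOS does. The following added Python example (not lab code) implements standard-ACL matching with wildcard-mask semantics and the implicit deny at the end of every list, then checks the ACL from Step 2 against the original PC address and the changed one. It goes a little beyond the lab by also accepting the host and any keywords and a second, constructed ACL (number 3) with a /24 wildcard.

```python
"""Evaluate Cisco standard IP ACLs (wildcard-mask semantics) against source addresses.
Added example for Task 3; ACL 3 below is constructed, ACL 2 is the one from Step 2."""
import ipaddress


def wildcard_match(addr, network, wildcard):
    """True if addr matches network under an IOS wildcard mask.
    A 0 bit in the wildcard means 'must match'; a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_standard_acl(lines):
    """Parse 'access-list <1-99> permit|deny <addr> [wildcard]' lines into tuples.
    Also understands the 'host <addr>' and 'any' shorthands."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        acl_id, action = int(parts[1]), parts[2]
        if not 1 <= acl_id <= 99:
            raise ValueError(f"{acl_id} is not a standard ACL number")
        if parts[3] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            net, wc = parts[4], "0.0.0.0"
        else:
            net = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default wildcard
        entries.append((acl_id, action, net, wc))
    return entries


def evaluate(entries, acl_id, src):
    """First matching entry wins; the implicit 'deny any' applies when nothing matches."""
    for eid, action, net, wc in entries:
        if eid == acl_id and wildcard_match(src, net, wc):
            return action
    return "deny"


ACL_LINES = [
    "access-list 2 permit 172.18.1.100 0.0.0.0",   # from Task 3 Step 2
    "access-list 3 permit 172.18.1.0 0.0.0.255",   # constructed: whole /24
]

if __name__ == "__main__":
    entries = parse_standard_acl(ACL_LINES)
    for src in ("172.18.1.100", "172.18.1.120"):
        print(f"ACL 2 on the VTY lines, source {src}: {evaluate(entries, 2, src)}")
```

With ACL 2 applied to the VTY lines (access-class 2 in), only 172.18.1.100 can open a telnet or ssh session; the PC at 172.18.1.120 in Step 5 falls through to the implicit deny.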

Task 4: Creating a login banner page.
Most systems have a mandatory security message displayed to anybody accessing the
system.

Step 1: Access the router CLI and create a login message which advises only authorized
users are permitted to access the system.

Step 2: Telnet or ssh to check your login message.
Step 3: Save your running-config

By Admin