Lab 045 How to Configure SSH on a Cisco Device

Learn to configure SSH on Cisco devices for secure remote access, ensuring encrypted communication and enhancing network security and management.


CCNA 200-301 Chapter 4 IP Services Lab 045 Configure Network Device for Remote SSH Access

Lab Objective:

Secure Shell (SSH) is a critical feature for network engineers, as it allows secure remote management of devices. Unlike Telnet, SSH provides encrypted communication, ensuring that sensitive data like passwords and configurations are not transmitted in plaintext. In this lab, we will configure a Cisco device for remote SSH access.

By the end, you will understand how to enable and verify SSH functionality, enhancing the security and manageability of your network infrastructure.

By completing this lab, you will be able to:

  • Understand the requirements for configuring SSH access on a Cisco device.
  • Generate RSA keys to enable SSH.
  • Configure and verify a local user database.
  • Enable SSH on VTY lines.
  • Test SSH connectivity to the configured device.
  • Troubleshoot SSH-related issues.

Lab Topology:

CCNA 200-301 Lab Chapter 4 IP Services Lab 045 Configure Network Device for Remote SSH Access – Topology

Equipment Required:

  • 3 x Cisco Router (e.g., CISCO2811/K9)
  • 1 x Cisco switch (e.g., Cisco Catalyst series)
  • 1 x PC or laptop with Ethernet ports
  • Console Cable
  • Ethernet Cable for connections between devices
  • Computer with terminal emulation software (e.g., PuTTY)

IPv4 Address Table:

A. Router IP Address Table:

Device Name   Interface ID   IP Address   Subnet Mask
R1            Gig0/0/0       10.1.1.1     255.255.255.0
R1            Gig0/0/1       10.1.3.1     255.255.255.252
R1            Gig0/0/2       10.1.2.1     255.255.255.0
R1            Lo0            1.1.1.1      255.255.255.255

R2            Gig0/0/0       10.1.4.1     255.255.255.252
R2            Gig0/0/1       10.1.2.2     255.255.255.252
R2            Lo0            2.2.2.2      255.255.255.255

R3            Gig0/0/0       10.1.4.2     255.255.255.252
R3            Gig0/0/1       10.1.3.2     255.255.255.252
R3            Lo0            3.3.3.3      255.255.255.255

B. Hosts IP Address Table:

Device Name   Interface ID   IP Address   Subnet Mask     Gateway
MGMT          Fa0            10.1.1.101   255.255.255.0   10.1.1.1

List of Command Summary:

enable
    Enters privileged EXEC mode.

configure terminal
    Enters global configuration mode from privileged EXEC mode.

hostname [hostname]
    Assigns a device name to the router.

show interfaces status
    Summarises the current status of every interface on a Cisco switch. For each interface it shows: Port, the interface identifier (e.g., Gi1/0/1); Name, the description assigned to the interface, if any; Status, the operational state (e.g., connected, notconnect, err-disabled); Vlan, the VLAN the interface is assigned to; Duplex, the duplex mode (full, half, auto); Speed (10, 100, 1000 Mbps, auto); and Type, the physical interface type (e.g., 10/100/1000BaseTX, SFP). It is useful for quickly assessing the operational state and configuration of all ports on the switch.

ip domain-name [domain]
    Sets the device's domain name, with [domain] replaced by the desired name such as example.com. The domain name is required by features that rely on domain services, chiefly DNS and SSH. When configuring SSH, the hostname and domain name together form the fully qualified domain name under which the RSA key pair is generated; without a domain name the device cannot generate the keys and SSH cannot be set up. For example, ip domain-name mynetwork.com gives the device a default domain associated with its identity. The command also integrates with DNS: the router appends the domain name to unqualified hostnames, so with the domain set to example.com, ping host1 causes a lookup for host1.example.com. This is useful in networks that depend on consistent hostname-to-IP address resolution.

crypto key generate rsa general-keys modulus [size of the key modulus]
    Generates an RSA (Rivest-Shamir-Adleman) key pair, a private key and a public key, on the device. RSA keys are required for SSH (Secure Shell), which provides encrypted remote access. The [size of the key modulus] parameter gives the key length in bits, such as 1024, 2048, or higher; larger keys are harder for an attacker to break but require more processing power. A modulus of at least 2048 bits is the common recommendation for modern networks. For example, crypto key generate rsa general-keys modulus 2048 produces a 2048-bit RSA key pair. SSH uses this key pair as the device's host key to prove its identity to clients and secure the session setup; without it SSH cannot function. RSA keys are also used by other security features, such as digital certificates and VPN encryption, which makes this command fundamental to sound security practice on Cisco devices.

username [name] privilege [level] secret [password]
    Creates a local user account with a specified privilege level and a hashed password; it is the basis for local authentication and access control for administrative tasks. [name] is the username and [level] the privilege level, from 0 to 15, with 15 granting full administrative access to the device. Assigning specific privilege levels enables role-based access control, so users hold only the permissions their role requires. secret [password] stores a one-way hash of the password: unlike the password keyword, which stores the password in plaintext by default, secret protects the credential if the configuration is disclosed.

line vty [0 4]
    Enters configuration for the virtual terminal (VTY) lines, the logical interfaces used for remote access over Telnet and SSH. The range [0 4] selects the first five VTY lines (0 through 4), the default on most Cisco devices; each line carries one session, so up to five simultaneous remote connections can be handled. More lines may be available (for example, line vty 0 15) depending on the device model and IOS version. Under the VTY lines, administrators set authentication, permitted access protocols, and session timeouts, for example: transport input ssh to allow only SSH; login local (or an AAA method) to define how users authenticate; access-class to apply an access control list (ACL) that restricts connections by source IP. Configuring the VTY lines properly is essential for securing remote management: SSH instead of Telnet encrypts the session, and local or AAA authentication ensures only authorised users can log in.

login local
    Instructs the device to authenticate users against the local user database held in its configuration. It is applied under a line (console or VTY); the user must then supply a valid username and password from that database.

logging synchronous
    Controls how log messages are displayed while a user is working in the CLI. Without it, a log message can be printed in the middle of a command the user is typing, which is disruptive during complex configuration or troubleshooting. With it enabled, the log message is printed on its own line and the prompt, with any partially typed input, is redrawn below it, so the user's session is not interrupted.

transport input ssh
    Specifies which remote access protocols the VTY lines accept. Applying transport input ssh restricts the lines to SSH only, so any attempt to connect with Telnet is refused. SSH encrypts the whole session, authentication included, whereas Telnet sends everything in plaintext; restricting VTY access to SSH is therefore a best practice for securing device management.

ssh -l [username] [device IP]
    Initiates an SSH connection from a local machine to a remote device such as a router or switch. -l [username] tells the SSH client which account to log in with; SSH requires a valid user account on the remote device. [device IP] is the address of the target device, typically a router, switch, or server.

show running-config | section interface GigabitEthernet0/*
    Displays only the configuration sections of the matching interfaces, filtering out the rest of the running configuration, so you see the interface's IP address, VLAN membership, trunking settings and other parameters in isolation. The filter is a regular expression; as written it matches every interface whose name begins with GigabitEthernet0, so all GigabitEthernet0/... interfaces and their subinterfaces are shown.

show running-config | section interface FastEthernet0/1$
    Similar to the previous command but for the FastEthernet0/1 interface. The $ anchors the pattern to the end of the line, so only the interface whose name ends in FastEthernet0/1 is shown. This is helpful when you want one interface's configuration without those of the others.

copy running-config startup-config
    Saves the running configuration (held in RAM) to the startup configuration (held in NVRAM) so that it survives a reload.

end
    Returns from any configuration mode to privileged EXEC mode.

exit
    Moves up one level in the configuration hierarchy.

Lab Task:

  1. Verify connectivity to ensure that the Management PC can reach all three routers.
  2. Attempt to initiate an SSH connection to all routers. You should not be able to SSH into R1, but you should successfully connect to R2 and R3. Use admin and IEE as the user credentials.
  3. Access the CLI of R1 and configure a domain name as follows: ieverythingeverywhere.com. Why is this command necessary?
  4. Generate RSA keys with a key length greater than 768 bits to enable SSHv2.
  5. Create a local admin account with full administrative privileges using the following attributes:
    • Username: admin
    • Secret: IEE
  6. Set a secret password for privileged EXEC mode access. Use “Cisco” as the password.
  7. Enable SSH on the VTY lines and restrict access to SSH only.
  8. Test the SSH connection from the Management PC.
  9. Save the device configurations.

Lab Solution:

1- Verify connectivity to ensure that the Management PC can reach all three routers.

2- Attempt to initiate an SSH connection to all routers. You should not be able to SSH into R1, but you should successfully connect to R2 and R3. Use admin and IEE as the user credentials.

3- Access the CLI of R1 and configure a domain name as follows: ieverythingeverywhere.com. Why is this command necessary?

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip domain-name ieverythingeverywhere.com
R1(config)#

The ip domain-name command sets the domain name for the device. Combined with the hostname, it forms the device's fully qualified domain name (FQDN), here R1.ieverythingeverywhere.com.
The FQDN names the RSA key pair generated by the crypto key generate rsa command, as the output in the next step shows.

This command is essential for enabling SSHv2 on a Cisco device because the RSA key pair cannot be generated without it, and SSH cannot operate without that key pair.

Without the domain name, key generation fails because the FQDN is a mandatory input to the process.

SSH uses the RSA key pair as the router's host key to secure the session between the client and the device.
The pair consists of a public key and a private key: the client uses the public key to verify that it is talking to the genuine router during key exchange, after which the session traffic is encrypted with keys negotiated in that exchange, while the private key never leaves the router.

4- Generate RSA keys with a key length greater than 768 bits to enable SSHv2.

R1(config)#crypto key generate rsa general-keys modulus 2048

% You already have RSA keys defined named R1.ieverythingeverywhere.com
% They will be replaced.

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable…[OK]
*Mar 1 7:48:24.701: %SSH-5-ENABLED: SSH 1.99 has been enabled

R1(config)#

5- Create a local admin account with full administrative privileges using the following attributes:

  • Username: admin
  • Secret: IEE

R1(config)#username admin privilege 15 secret IEE
R1(config)#

6- Set a secret password for privileged EXEC mode access. Use “Cisco” as the password.

R1(config)#enable secret Cisco
R1(config)#

7- Enable SSH on the VTY lines and restrict access to SSH only.

R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#logging synchronous
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#exit
R1#

8- Test the SSH connection from the Management PC.

9- Save the device configurations.
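As an added example (not part of the lab), the following Python script audits a saved running-config for the settings steps 3 to 7 put in place: a domain name, a local user with a hashed secret, an enable secret, and every VTY range using login local and transport input ssh. The sample configuration is constructed to mirror R1 after step 7, with a second, deliberately weaker VTY range added to show a failing check; the hash values are placeholders, and the RSA key size cannot be read from the running-config and must be checked on the device.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device),
# modelled on the R1 solution above plus a second VTY range left in a weaker state.
R1_CONFIG = """\
hostname R1
ip domain-name ieverythingeverywhere.com
username admin privilege 15 secret 5 $1$EXAMPLE$placeholderhash
enable secret 5 $1$EXAMPLE$placeholderhash
line vty 0 4
 login local
 logging synchronous
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

def vty_blocks(config):
    """Yield (range, stripped body lines) for every 'line vty' block in a running-config."""
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M):
        yield m.group(1), [ln.strip() for ln in m.group(2).splitlines()]

def audit_ssh_config(config):
    """Map each SSH-readiness check to True (pass) or False (fail).
    RSA key material is not stored in the running-config, so the key size has to be
    verified on the device itself; this covers the config-visible settings only.
    """
    blocks = list(vty_blocks(config))
    return {
        "domain_name_set": re.search(r"^ip domain-name \S+", config, re.M) is not None,
        "local_user_uses_secret": re.search(r"^username \S+ .*\bsecret\b", config, re.M) is not None
            and re.search(r"^username \S+ .*\bpassword\b", config, re.M) is None,
        "enable_secret_set": re.search(r"^enable secret ", config, re.M) is not None,
        "vty_lines_present": bool(blocks),
        # Every VTY range must authenticate against the local user database ...
        "vty_all_login_local": bool(blocks) and all("login local" in body for _, body in blocks),
        # ... and admit SSH only. A range with no 'transport input' line counts as a
        # failure: the platform default is not guaranteed to exclude Telnet.
        "vty_all_ssh_only": bool(blocks) and all("transport input ssh" in body for _, body in blocks),
    }

def failing_checks(config):
    """Names of the checks that fail, in a stable order."""
    return [name for name, ok in audit_ssh_config(config).items() if not ok]

if __name__ == "__main__":
    for name, ok in audit_ssh_config(R1_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against the sample, the two VTY checks fail because of the line vty 5 15 range; fixing that range to login local and transport input ssh makes every check pass.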

Conclusion:

In this lab, we configured a Cisco router for remote access using SSH. By setting a hostname and domain name and generating RSA keys, we enabled secure, encrypted communication. We also configured local user authentication and restricted the VTY lines to SSH-only access. Testing and verification confirmed that the setup was functional and secure. This lab demonstrated the importance of secure remote management in modern networks, a skill crucial for any network administrator.

Packet Tracer Lab (Pre/Post configuration):

Download the file below and open the word document to access the Packet Tracer labs.

