SSH Configuration

IT

SW2 has been newly added to the network, but has not yet been configured.

1.Connect Laptop1 to SW2’s console port to perform the following configurations:
Host name: SW2
Enable secret: ccna
Username/PW: jeremy/ccna
VLAN1 SVI: 192.168.2.253/24
Default gateway: R2

  1. Configure the following console line security settings on SW2:
    Authentication: Local user
    Exec timeout: 5 minutes

  2. Configure SW2 for remote access via SSH:
    Domain name: jeremysitlab.com
    RSA key size: 2048 bits
    Authentication: Local user
    Exec timeout: 5 minutes
    Protocols: SSH only
    +Limit access to PC1 ONLY

1.Connect Laptop1 to SW2’s console port to perform the following configurations:

Host name: SW2
Enable secret: ccna

1
2
3
4
5
6
7
8
9
10
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#host SW2
SW2(config)#
SW2(config)#
SW2(config)#
SW2(config)#enabl
SW2(config)#enable sec
SW2(config)#enable secret ccna

Username/PW: jeremy/ccna

1
SW2(config)#username jeremy secret ccna

VLAN1 SVI: 192.168.2.253/24

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
SW2(config)#int ?
  Ethernet         IEEE 802.3
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  Vlan             Catalyst Vlans
  range            interface range command
SW2(config)#int vlan 1 ?
  <cr>
SW2(config)#int vlan 1
SW2(config-if)#?
Interface configuration commands:
  arp          Set arp type (arpa, probe, snap) or timeout
  description  Interface specific description
  exit         Exit from interface configuration mode
  ip           Interface Internet Protocol config commands
  no           Negate a command or set its defaults
  shutdown     Shutdown the selected interface
  standby      HSRP interface configuration commands
SW2(config-if)#ip address 192.168.2.253 255.255.255.0
SW2(config-if)#no shutdown

SW2(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Default gateway: R2

1
2
3
4
SW2(config)#ip def
SW2(config)#ip default-gateway 192.168.2.254 ?
  <cr>
SW2(config)#ip default-gateway 192.168.2.254

2. Configure the following console line security settings on SW2:

Authentication: Local user
Exec timeout: 5 minutes

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
SW2(config)#line console 0
SW2(config-line)#?
Line configuration commands:
  access-class  Filter connections based on an IP access list
  accounting    Accounting parameters
  databits      Set number of data bits per character
  default       Set a command to its defaults
  exec-timeout  Set the EXEC timeout
  exit          Exit from line configuration mode
  flowcontrol   Set the flow control
  history       Enable and control the command history function
  logging       Modify message logging facilities
  login         Enable password checking
  motd-banner   Enable the display of the MOTD banner
  no            Negate a command or set its defaults
  parity        Set terminal parity
  password      Set a password
  privilege     Change privilege level for line
  speed         Set the transmit and receive speeds
  stopbits      Set async line stop bits
  transport     Define transport protocols for line
SW2(config-line)#login ?
  authentication  authenticate using aaa method list
  local           Local password checking
  <cr>
SW2(config-line)#login local
SW2(config-line)#exec?
exec-timeout  
SW2(config-line)#exec
SW2(config-line)#exec-timeout 5

3. Configure SW2 for remote access via SSH:

Domain name: jeremysitlab.com
RSA key size: 2048 bits
Authentication: Local user
Exec timeout: 5 minutes
Protocols: SSH only
+Limit access to PC1 ONLY

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
SW2(config)#ip ?
  access-list      Named access-list
  arp              IP ARP global configuration
  default-gateway  Specify default gateway (if not routing IP)
  dhcp             Configure DHCP server and relay parameters
  domain           IP DNS Resolver
  domain-lookup    Enable IP Domain Name System hostname translation
  domain-name      Define the default domain name
  ftp              FTP configuration commands
  host             Add an entry to the ip hostname table
  name-server      Specify address of name server to use
  scp              Scp commands
  ssh              Configure ssh options
SW2(config)#ip domain-name jeremysitlab.com
SW2(config)#crypto ?
  key  Long term key operations
SW2(config)#crypto key ?
  generate  Generate new keys
  zeroize   Remove keys
SW2(config)#crypto key generate ?
  rsa  Generate RSA keys
SW2(config)#crypto key generate rsa ?
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  <cr>
SW2(config)#crypto key generate rsa
The name for the keys will be: SW2.jeremysitlab.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

SW2(config)#
*Feb 28 10:38:5.462: %SSH-5-ENABLED: SSH 1.99 has been enabled
SW2(config)#access-list ?
  <1-99>     IP standard access list
  <100-199>  IP extended access list
SW2(config)#access-list 1 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
  remark  Access list entry comment
SW2(config)#access-list 1 permit host 192.168.1.1
SW2(config)#line vty 0 15
SW2(config-line)#
SW2(config-line)#login local
SW2(config-line)#exec
SW2(config-line)#exec-timeout 5
SW2(config-line)#trans?
transport  
SW2(config-line)#transport ?
  input   Define which protocols to use when connecting to the terminal server
  output  Define which protocols to use for outgoing connections
SW2(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
SW2(config-line)#transport input ssh
SW2(config-line)#acl-?
% Unrecognized command
SW2(config-line)#access?
access-class  
SW2(config-line)#access
SW2(config-line)#access-class ?
  <1-199>  IP access list
  WORD     Access-list name
SW2(config-line)#access-class 1 ?
  in   Filter incoming connections
  out  Filter outgoing connections
SW2(config-line)#access-class 1 in

Confirm.

As we can see, R2 can ping SW2 but cannot SSH into SW2. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
R2>
R2>ping 192.168.2.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.253, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 0/0/0 ms

R2>ssh -l ?
  WORD  Login name
R2>ssh -l jeremy ?
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system
R2>ssh -l jeremy 192.168.2.253

% Connection refused by remote host
R2>

PC1 is allowed as per the ACL configurations to VTY 0 - 15

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
C:\>ping 192.168.2.253

Pinging 192.168.2.253 with 32 bytes of data:

Request timed out.
Reply from 192.168.2.253: bytes=32 time<1ms TTL=253
Reply from 192.168.2.253: bytes=32 time<1ms TTL=253
Reply from 192.168.2.253: bytes=32 time<1ms TTL=253

Ping statistics for 192.168.2.253:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>ssh -l jeremy 192.168.2.253

Password: 



SW2>
SW2>
SW2>en
Password: 
SW2#
SW2#