KB ID 000093
Problem
Being able to administer network devices remotely means I don’t have to haul my lazy carcass out of my chair and start fishing console cables out of my bag; it also saves on shoe leather and travelling time.
Solution
Cisco Router / Switch – Setup Telnet Access
These days people frown at Telnet. It’s an insecure protocol: your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.
1. Log in to the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.
[box]
Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet
Router0(config-line)#password P@ssword123
[/box]
2. Save the changes and test.
[box]
Router0(config)#exit
Router0#write mem
Building configuration...
[OK]
Router0#
[/box]
Cisco Router / Switch – Setup SSH Access
1. SSH is a little more involved: before you can connect via SSH the device needs an RSA key pair, and before you can generate one you need a host name and a domain name.
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Another prerequisite is usernames and passwords. These can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory, but for this example I’ll simply set them up on the device and use local authentication.
Note: I set myself up with privilege 15, which means that when I log on I land directly in enable mode. The other user account does not, and needs to know the enable password to make any changes.
[box]
Petes-Router(config)#username testuser password testpassword
Petes-Router(config)#username petelong privilege 15 password P@ssword123
[/box]
3. Finally allow remote management via SSH, and save the changes.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
4. Then enable AAA authentication so that logins use the local user database:
[box]
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local
[/box]
WARNING
This will also enable username/password authentication for ‘console’ (rollover cable) access. I don’t like that, so I remove it with the following commands:
[box]
Switch(config)#aaa authentication login CONSOLE none
Switch(config)#line console 0
Switch(config-line)#login authentication CONSOLE
[/box]
Cisco Router – Restricting Telnet and SSH Access via Access List
You can lock down access further to remote management, by allowing or denying access from an ACL.
WARNING: If doing this remotely and only using SSH, remember to generate the key and create the users FIRST, or you may lock yourself out. If you are worried, schedule a reload in twenty minutes, do the work, and if it works cancel the reload. If it all explodes, go and have a coffee; when you come back it will have reverted!
Schedule a Router Reload
[box]
Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#
---CARRY OUT THE CHANGES---
Petes-Router#reload cancel
Petes-Router#
***
*** --- SHUTDOWN ABORTED ---
***
[/box]
1. From the top, let’s create a user and set up the RSA key (skip this step if you have already done this).
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Now create an access-list to allow and deny access (usual ACL rules apply).
Note: Port 23 is Telnet and port 22 is SSH
[box]
Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#
[/box]
3. In this example I will set the transport input to all (that’s Telnet AND SSH), then lock access down to the ACL we have just created.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit
[/box]
4. Save your changes and test.
[box]
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
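Pulling the SSH, local-user, AAA and access-class steps above together into one SSH-only vty configuration, with the show commands to run before saving. This is an added example, not the article’s own transcript: the hostname, domain, usernames, 123.123.123.123 and 10.1.1.0/24 are reused from the article, while the SSH timers, the login lockout, the exec-timeout and the choice of “secret” over “password” are this example’s own.

```cisco
! Added example: SSH-only remote management with local users and a vty ACL.
! Names and addresses come from the article; the timers and "secret" are
! this example's own choices, not the article's commands.
hostname Petes-Router
ip domain-name petenetlive.com
crypto key generate rsa modulus 2048
!
! "secret" stores a hash; "password" stores a reversible type 7 string
username petelong privilege 15 secret P@ssword123
username testuser secret testpassword
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! keep console (rollover cable) access password-free, as the article does
aaa authentication login CONSOLE none
line console 0
 login authentication CONSOLE
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! quiet the vty lines for 120 seconds after 3 failed logins within 60 seconds
login block-for 120 attempts 3 within 60
!
! only SSH (tcp/22) from the two management sources; log everything else
ip access-list extended VTY_ACCESS
 10 permit tcp host 123.123.123.123 any eq 22
 20 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 100 deny ip any any log
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
 access-class VTY_ACCESS in
!
! verify from a second session before "write mem":
!   show ip ssh                              (SSH version 2.0 enabled, 2048-bit key)
!   show users                               (who is connected, and from where)
!   show access-lists VTY_ACCESS             (hit counts on the permit/deny lines)
!   show running-config | section line vty   (transport, timeout and access-class applied)
```

Test the new settings from a second SSH session before closing the one you configured from; if the second session cannot connect, the first still lets you back out the change.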
Related Articles, References, Credits, or External Links
NA