Cisco IOS Router Basic Configuration

This topic is to discuss the following lesson:

Hi Rene,

It’s a great article for beginners. Do you have similar topics for the Cisco switch?

Thank you

BR
Taslim

Hi Taslim,

The basic configuration of a Cisco Catalyst switch is similar to this example. The only difference is that a switch has “switchports” and a router has “routed ports”. The difference is that on the router we configure IP addresses on the interfaces, while on the switch you’ll need to use a VLAN interface.

Rene

Hi Rene,
I have a question.
When I try to change the login local password from a plain-text password to an encrypted password, this message appears:
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.
So how do I solve this?

And I have another question.
Why does the RSA key need ip domain-name to be generated?
I need to know the relation between them.
And what does ip domain-name mean exactly?

thanks Rene

Hi Rene

If I use the CLI to remotely access another router, how can I use SSH?

Hi Hussein,

Do you mean how to use the SSH client on a Cisco router? You can use the SSH command to hop from one router to another.

Rene

Hi Hussein,

The RSA algorithm requires a domain name to generate the key pair. You’d have to look into the details of RSA to see exactly how they use it. The “ip domain-name” command sets the domain name.

Rene

On the VTY lines you can use the “login” command and the “login local” command. You probably already have the login command so try to remove it before you apply login local.

login = single password
login local = refers to a local database on the router or switch with usernames / passwords.

Thanks for the answer, Rene.

Yes, I mean that, but when I try to use the SSH command and the IP address of the router I want to access in Packet Tracer, it does not work; when I use telnet, it works correctly.

This is exactly what appears to me:

SW1#ssh 192.168.1.2
                  ^
% Invalid input detected at '^' marker.
	
SW1#tel 192.168.1.2
Trying 192.168.1.2 ...Open


User Access Verification

Username:

Thanks Rene

Where can I find the details of RSA?
Is there another use for the domain name besides generating the RSA key pair? I mean, do we use the “ip domain-name” command to set the domain name only for generating the RSA key, or does it have other uses?

Thanks Rene

Thank you Rene, I understand the concept of “login” and “login local”, but my question is about password encryption. Let me explain my question in another way:
“login local” refers to a local database on the router or switch with usernames / passwords, as you said, but the password can be encrypted or not. If I configure it in plain text, how can I change it to encrypted text or vice versa?
This is my question.

When I try to change it, this message appears:

SW3(config)#us hussein pa 121212
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.

How can I change between them?

Hi Hussein,

Now I understand your question :)

There are two methods:

  1. username hussein password cisco123

If you do it like this, then it will be saved in the configuration in clear text.

  2. username hussein secret cisco123

If you use “secret” then it will create an MD5 hash of your password.

You can’t have a “password” and “secret” at the same time for one user account so you are getting this error because you probably already configured a secret for your username. Remove it first and then you can set a password.

It’s also possible to encrypt all plaintext passwords in the configuration with the “service password-encryption” command. However, this is a very poor encryption type:

https://networklessons.com/security/decrypt-type-7-password-using-key-chain/

Rene

Hi Hussein,

The SSH client requires a few more parameters than telnet:

R1#ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system

Try this:

R1#ssh -l admin 192.168.1.1

Hi Hussein,

I think the wikipedia page is a good start:

The most common use of the “ip domain-name” command is probably SSH. However, it’s also used sometimes for certificates.

To give you an idea, here’s an example where I used certificates for the AnyConnect VPN on an ASA firewall:

https://networklessons.com/security/cisco-asa-anyconnect-self-signed-certificate/

Rene

Thanks Rene, it works, but when I try to enter the correct password I didn’t get access. Why?

Thanks Rene, I understand now.

Let me give you a complete example:

R2(config)#ip domain-name networklessons.local

R2(config)#crypto key generate rsa             

The name for the keys will be: R2.networklessons.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

R2(config)#username rene secret mysecretkey

R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#transport input ssh

And then on another router:

R1#ssh -l rene 192.168.12.2

Password: 

R2>
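
The two points made in the replies above (“password” versus “secret” for local users, and “login local” with “transport input ssh” on the VTY lines) can be checked against a saved configuration. This is an added example, not part of the original thread; the `audit` helper and the sample configuration are hypothetical and constructed for illustration.

```python
import re

# Constructed running-config for illustration; hash and type 7 values are placeholders.
SAMPLE_CONFIG = """\
hostname R2
service password-encryption
username rene secret 5 $1$CONSTRUCTED$placeholderplaceholder0
username hussein password 7 00PLACEHOLDER
username guest password 0 guestpw
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

# username NAME password|secret [TYPE] VALUE
USER_RE = re.compile(r"^username (\S+) (password|secret)(?: (\d+))? \S+")

def audit(config):
    """Hypothetical helper: return (subject, finding) tuples for weak login settings."""
    findings = []
    vty_blocks = {}   # "line vty 0 4" -> list of its sub-commands
    current = None    # VTY block currently being read, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):
            if current:
                vty_blocks[current].append(line.strip())
            continue
        # Top-level command: only "line vty ..." opens a block we track.
        current = line if line.startswith("line vty") else None
        if current:
            vty_blocks[current] = []
        m = USER_RE.match(line)
        if m and m.group(2) == "password":
            kind = "type 7 (reversible)" if m.group(3) == "7" else "clear text"
            findings.append((m.group(1), f"password stored as {kind}; use 'secret'"))
    for name, cmds in vty_blocks.items():
        if "login local" not in cmds:
            findings.append((name, "does not use 'login local'"))
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if set(transport.split()[2:]) != {"ssh"}:
            findings.append((name, "transport input is not restricted to ssh"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```
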

Thank you Rene for the clarification and full explanation.

It works for me in Packet Tracer, but in GNS3 it doesn’t work; I think that is because of issues with the IOS that I used.

Hi Rene,

The router just routes, right? So what is the benefit of an interface VLAN on the router? Is it for management after assigning an IP address to it, or is there something else?