Cisco IOS Router Basic Configuration

Hi Hussein,

Do you mean how to use SSH client on a Cisco router? You can use the SSH command to hop from one router to another.

Rene

Hi Hussein,

The RSA algorithm requires a domain name to generate the key pair. You’d have to look into the details of RSA to see how they exactly use it. The “ip domain-name” command sets the domain name.

Rene

On the VTY lines you can use the “login” command and the “login local” command. You probably already have the login command so try to remove it before you apply login local.

login = single password
login local = refers to a local database on the router or switch with usernames / passwords.

Thanks for the answer, Rene.

Yes, that is what I mean, but when I try to use the SSH command with the IP address of the router I want to access in Packet Tracer, it does not work, while telnet works correctly.

This is exactly what appears to me:

SW1#ssh 192.168.1.2
                  ^
% Invalid input detected at '^' marker.
	
SW1#tel 192.168.1.2
Trying 192.168.1.2 ...Open


User Access Verification

Username:

Thanks Rene

Where can I find the details of RSA?
Is there another use for the domain name besides generating the RSA key pair? I mean, do we use the “ip domain-name” command to set the domain name only for generating the RSA key, or does it have other uses?

Thanks Rene

Thank you Rene, I understand the concept of “login” and “login local”, but my question is about password encryption. Let me explain my question in another way:
login local refers to a local database on the router or switch with usernames / passwords, as you said, but can the password be encrypted or not? If I configure it in plain text, how can I change it to encrypted text or vice versa?
This is my question.

When I try to change it, this message appears:

SW3(config)#us hussein pa 121212
ERROR: Can not have both a user password and a user secret.
Please choose one or the other.

How can I change between them?

Hi Hussein,

Now I understand your question :)

There are two methods:

  1. username hussein password cisco123

If you do it like this, then it will be saved in the configuration in clear text.

  2. username hussein secret cisco123

If you use “secret” then it will create an MD5 hash of your password.

You can’t have a “password” and “secret” at the same time for one user account so you are getting this error because you probably already configured a secret for your username. Remove it first and then you can set a password.

It’s also possible to encrypt all plaintext passwords in the configuration with the “service password-encryption” command. However, this is a very poor encryption type:

Rene

Hi Hussein,

SSH client requires a few more parameters than telnet:

R1#ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  WORD  IP address or hostname of a remote system

Try this:

R1#ssh -l admin 192.168.1.1

Hi Hussein,

I think the Wikipedia page is a good start:

The most common use for using the “ip domain-name” command is probably SSH. However it’s also used sometimes for certificates.

To give you an idea, here’s an example where I used certificates for the AnyConnect VPN on an ASA firewall:

Rene

Thanks Rene, it works, but when I try to enter the correct password I didn’t have access, why?

Thanks Rene, I understand now.

Let me give you a complete example:

R2(config)#ip domain-name networklessons.local

R2(config)#crypto key generate rsa             

The name for the keys will be: R2.networklessons.local
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

R2(config)#username rene secret mysecretkey

R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#transport input ssh

And then on another router:

R1#ssh -l rene 192.168.12.2

Password: 

R2>
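
As an added example (not part of the original thread): a small Python check that reads a saved running-config and flags the weak settings discussed in the posts above, namely users configured with “password” instead of “secret” and VTY lines that do not use “login local” with SSH-only transport. The sample configuration, its usernames and hash placeholder, and the function name audit are constructed for illustration.

```python
import re

# Constructed sample configuration; usernames, hashes and ranges are made up.
SAMPLE_CONFIG = """\
service password-encryption
ip domain-name networklessons.local
username rene secret 5 $1$XXXX$CONSTRUCTEDPLACEHOLDERHASH
username hussein password 7 0000000000
username guest password guest123
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

USER_RE = re.compile(r"^username (\S+)(?: .*)? (password|secret) (?:(\d+) )?\S+$")

def audit(config):
    """Return (line_number, finding) pairs for weak remote-access settings."""
    findings, vty = [], None   # vty: the "line vty" block being read, if any
    def close_vty():
        if vty is None:
            return
        if vty["login"] != "local":
            findings.append((vty["n"], f"{vty['name']}: not using 'login local'"))
        if vty["transport"] != {"ssh"}:
            findings.append((vty["n"], f"{vty['name']}: transport is not SSH-only"))

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):            # a new top-level command ends the block
            close_vty()
            vty = None
        if line.startswith("line vty"):
            vty = {"n": n, "name": line, "login": None, "transport": None}
        elif vty is not None and line in ("login", "login local"):
            vty["login"] = "local" if line.endswith("local") else "line-password"
        elif vty is not None and line.startswith("transport input"):
            vty["transport"] = set(line.split()[2:])
        elif (m := USER_RE.match(line)) and m.group(2) == "password":
            kind = "type 7 (weak, reversible)" if m.group(3) == "7" else "clear text"
            findings.append((n, f"user {m.group(1)}: password stored as {kind}"))
    close_vty()
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

On the constructed sample this reports the two “password” users and the second VTY range; the “secret” user and the first VTY range pass.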

Thank you Rene for the clarification and the full explanation.

It works for me in Packet Tracer, but in GNS3 it doesn’t work, I think because there are issues with the IOS that I used.

Hi Rene,

The router just routes, right? So what is the benefit of an interface VLAN in the router? Is it for management after assigning an IP address to it, or is there something else?

Hi Rene,

How do we know how many VTY lines (SSH or Telnet) are open on the same router at the same time?
And how do I kick one of them, or all of them except the line that I am using?

Hi Hussein,

You can see all lines with the “show line” command and you can disconnect one with the “clear line” command. For SSH it’s better to use “show ssh” as you will be able to see the usernames.

Rene

Hi Hussein,

Normally a router only has L3 interfaces, you will find the VLAN interfaces normally on L2 or L3 switches.

On a L2 switch, this is where you configure the IP address so you can manage it remotely through telnet or SSH.

On L3 switches, we can use an IP address on a VLAN interface as the default gateway for a VLAN. Here’s an example for this:

Rene

Thanks Rene,

I understood the benefit of assigning an IP address on a VLAN interface on L2 & L3 switches.

But when I use a 2911 router in Packet Tracer, or any other router, I observe that one of the interfaces is a VLAN interface and its protocol status is always down. I know that a router’s interfaces are routed ports, so there is no way to access this VLAN from one of this router’s interfaces. So my question is: what is the benefit of this VLAN interface, and how do I change its protocol status to up?

Greetings,

Hi Hussein,

Did you use one of the Etherswitch modules in the 2911?

Rene

Nope,

I use the 2911 in Cisco Packet Tracer and I just drag and drop the icon of this router without adding any Etherswitch modules.

I think Etherswitch modules can be added in GNS3 only, right? Or am I wrong?