How To Configure SSH On A Cisco Device | Secure Connection
Summary
TLDR: This tutorial demonstrates how to configure a Cisco switch for remote access via SSH, a method applicable to routers and firewalls as well. It emphasizes the importance of SSH for secure production environments, contrasting it with the less secure telnet. The guide covers creating an enable password, setting up a user account, modifying the hostname, assigning a domain name, generating RSA keys for encryption, and updating SSH to version 2 for enhanced security. The video also addresses network connectivity issues and concludes with a successful SSH session, highlighting the versatility required by engineers to manage various devices.
Takeaways
- 😀 The video is a tutorial on configuring a Cisco switch for remote SSH access, applicable to routers and firewalls as well.
- 🔒 SSH is recommended over telnet for production environments due to security reasons, as telnet is not secure and sends data in plain text.
- 📝 The presenter has console access to the device and will use it to configure the necessary settings for SSH connectivity.
- 🔑 An enable password is required for accessing the enabled mode during an SSH session for security purposes.
- 👤 A user account named 'KB trainings' will be created for testing purposes with a password.
- 💻 The hostname of the device needs to be set, which is crucial for creating the encryption keys.
- 🌐 An IP domain name 'kbtronix.local' is assigned to the switch for the SSH session.
- 🔑 RSA keys are generated for encrypting the SSH session, with a choice between different key lengths.
- 🔒 SSH version 2 is selected for its enhanced security over previous versions.
- 📡 The switch's management VLAN is configured with an IP address to ensure network connectivity with the presenter's desktop.
- 📡 Network profiles on the desktop are adjusted from 'public' to 'private' to allow pinging and connectivity from the switch.
Q & A
What is the main topic of the video?
- The video is about configuring a Cisco switch for remote connectivity using SSH.
Why is SSH recommended over telnet for production environments?
- SSH is recommended in production environments because it provides a secure connection, unlike telnet which sends data in plain text and is not secure.
What is the purpose of having console access to the device before configuring SSH?
- Console access allows the initial configuration of the device, such as setting up an IP address, which is necessary for establishing an SSH connection.
What is the significance of creating an enable password for SSH sessions?
- An enable password is required for security reasons to prevent unauthorized access to the enabled mode when connected via SSH.
Why is it necessary to create a user for SSH access?
- Creating a user with a password allows for secure and authenticated access to the device via SSH.
What is the role of the hostname in SSH configuration?
- The hostname is crucial as it is used in creating the key for the SSH session, along with the IP domain name.
What is the purpose of assigning an IP domain name to the switch?
- Assigning an IP domain name helps in identifying the switch uniquely in the network and is used for encryption during the SSH session.
What is the command used to create RSA keys on the Cisco switch?
- The command used to create RSA keys is 'crypto key generate rsa'.
Why is SSH version 2 considered more secure than version 1?
- SSH version 2 offers stronger encryption algorithms and improved security features compared to version 1.
What does the 'login local' command do in the context of SSH configuration?
- The 'login local' command configures the switch to authenticate users locally, using the local user database created on the device.
How does the video demonstrate the importance of network profile settings in connectivity?
- The video shows that the network profile setting needs to be set to 'private' to allow the switch to ping and connect to the computer, which was initially set to 'public' and not accepting connections.
What is the final step to establish an SSH session after configuring the switch?
- The final step is to launch a new SSH session from the desktop, accepting the key from the switch, and logging in with the created user credentials.
Outlines
🔒 Configuring SSH for Secure Remote Access on Cisco Devices
This paragraph outlines the process of configuring a Cisco switch for remote access using SSH, emphasizing the importance of secure connections in production environments. The speaker introduces the topic, mentioning that the process is applicable to routers and firewalls as well. It highlights the use of console access for initial setup and the necessity of an enable password for SSH sessions. The paragraph also promotes a course on CCNA certification available on kbtrends.com, indicating that the video is part of a larger educational series. The speaker guides viewers through the initial steps, such as configuring an IP address and ensuring network connectivity before proceeding with SSH configuration.
🛠️ Finalizing SSH Setup and Testing Connectivity
In this paragraph, the speaker continues the SSH configuration process by creating an enable password and a user account for SSH access. The hostname of the switch is changed to 'sw1', and it's assigned to a domain name 'kbtrenings.local'. The creation of RSA keys for encryption during the SSH session is detailed, with a choice between key lengths, opting for 1024 bits for quicker generation. After generating the keys, the SSH version is updated to version 2 for enhanced security. The configuration concludes with setting up the vty lines to use local user authentication. The speaker then tests the SSH connection from a desktop, troubleshooting a connectivity issue related to network profile settings on the computer. Once resolved, the successful SSH connection is demonstrated, and the speaker reviews active sessions. The paragraph ends with a reminder to manage different brands and models of devices as an engineer and a prompt for viewers to engage with the content on social media and explore additional resources.
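The configuration described in the outline above, written out as IOS commands. This is an added example, not the video's own listing: the username `kbtrainings`, the `<...>` placeholder secrets and the `transport input ssh` line are assumptions, and it uses `enable secret` and a 2048-bit modulus where the lab used `enable password` and a 1024-bit key.

```cisco
! --- Management reachability (addresses from the walkthrough) ---
configure terminal
 line console 0
  ! keep log messages from interrupting typed commands
  logging synchronous
 interface vlan 1
  ip address 192.168.1.99 255.255.255.0
  no shutdown
  exit
!
! --- Lab shortcut in the video        | Form used below ---
!  enable password Cisco               | enable secret <enable-secret>
!  1024-bit RSA key (faster to build)  | modulus 2048
!
 ! privileged-mode password; needed before "enable" works over SSH
 enable secret <enable-secret>
 ! local account for vty logins (name is an assumption, no spaces allowed)
 username kbtrainings secret <user-secret>
 ! hostname and domain name must both be set before key generation
 hostname sw1
 ! domain as spelled in the outline; some releases write "ip domain name"
 ip domain-name kbtrenings.local
 crypto key generate rsa modulus 2048
 ip ssh version 2
 line vty 0 15
  ! authenticate against the local user database
  login local
  ! added here, not shown in the video: vty lines accept SSH only,
  ! so telnet connections are refused
  transport input ssh
  end
!
! --- Verification ---
! confirms SSH is enabled and which version is active
show ip ssh
! lists console and vty sessions; * marks the current one
show users
```

Replace the `<enable-secret>` and `<user-secret>` placeholders before pasting; the lab value `Cisco` used in the video is not suitable outside a lab.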
Keywords
💡Cisco switch
💡SSH (Secure Shell)
💡Console access
💡CCNA (Cisco Certified Network Associate)
💡Enable password
💡Hostname
💡IP domain name
💡RSA Keys
💡SSH version 2
💡VTY line
💡Ping
Highlights
Introduction to configuring a Cisco switch for remote SSH connection, applicable to routers and firewalls.
SSH recommended over telnet for secure remote connectivity in production environments.
Pre-existing console access to the device is required for configuration.
Explanation of the necessity of an enable password for SSH sessions.
Creation of a test user 'KB trainings' with a password for SSH access.
Importance of setting a hostname and IP domain name for key generation.
Assignment of a domain name 'kbtronix.local' to the switch.
Generation of RSA keys for SSH session encryption.
Upgrading SSH version to 2 for enhanced security.
Configuring the vty line for local user authentication.
Initial configuration prompt and manual setup choice.
Setting an IP address for the switch's management interface.
Troubleshoot inability to ping the desktop due to network profile settings.
Changing network profile from public to private to allow pings.
SSH connection preparation including enable password and user creation.
Hostname and domain name configuration for the switch.
Crypto key generation process and its duration.
SSH session initiation and key acceptance.
Login using the created user 'KB trainings' and troubleshooting.
Verification of active SSH and console sessions on the switch.
Conclusion summarizing the successful SSH connection setup.
Transcripts
hey what's up guys today I'm going to
show you how to configure a Cisco switch
to connect remotely using SSH and this
is the switch but this can also be
applied to a Cisco router or Cisco
firewall and SSH is recommended in
production if you are in your lab you
can use telnet which is by the way not
secure everything is plain text but if
you are in production dealing with
critical devices or critical systems you
need to use SSH for remote connectivity
we already have console access to this
device and we did that in a previous
lesson actually this lab here is one of
the many Labs that I'm creating on
kbtrains.com for the course on the CCNA
200 301 so if you are trying to start
your career in the tech or you're trying
to boost your career by taking and
passing the CCNA certification the
course goes from zero to engineer check
it out on kbtrends.com so I showed you
in the previous lesson how to connect
using console so now we have the console
connection to this device here it's
right there okay so we can log into it
and make sure that we have an IP
configured so that we can connect to my
desktop that I have here from where
we're going to launch the SSH connection
to this device and talking about SSH
these are the different commands that
we're going to use today first of all we
need to create an enable password when
you are connected to your SSH session
you cannot go in the enabled mode if you
don't have a password in it for security
reasons so when you connect with the
console cable you can go there without
any problem but if you are remote you
need to to have an enabled password and
then after that we're going to create
some users just a single user for test
I'm going to create a user I'll call
KB trainings with a password and
after that we need to change the
hostname of our device because this is
very crucial when we're going to create
the key the host name and the IP domain
name are going to be used and then I
will assign the switch to an IP domain
name that I'm going to call
kbtronix.local which is just a random
domain name that I made up and then
we're going to create the RSA Keys the
keys are going to be used for encryption
for our SSH session and this is the
command to create the new keys after
that we can change the version of the
SSH to version 2 which is more secure
and then we'll have to go in the vty
line I usually go 0 to 15 to make sure
that we are using local users so we're
going to say login local for the switch
to use the users that we created locally
I have access to the switch here as I
said all right so now the switch is
asking if you want to do some initial
config I'll just say no I'll do
everything manually
and we are in one of the things I want
to do is make sure we have an IP address
and we can ping or we have connectivity
with my desktop so I'm going to connect
this ethernet cable to the port fast
ethernet one here
and by the way let me
look at the vlans
this is a brand new Switch not new but
there's no configuration here so we have
all the ports that are in the VLAN
number one so we're going to configure
the interface VLAN number one to be our
management interface and if you don't
want these notifications to mess with
you when you're typing your command you
need to go under
um the config mode and because we are
connected with the console cable I'll go
on the line console 0
and I'll just do logging synchronous and
that's enough to avoid those uh those
notifications so now let's go and
configure the interface VLAN one
interface VLAN one
I'll give it an IP address of
192.168.1.99 and I'm going to make sure
that the switch will be in the same
network as my computer so the subnet
mask is a slash 24.
I usually do no shut just to make sure
it's up
and that's it let's see if we can ping
our device ping
192.168.1.100 this is the IP of my
desktop
I cannot ping it and I think I know why
we need to go on the device itself and
do ipconfig just to confirm the IP
address we have
192.168.1.100 which is good and one
other thing is that if we look at
Powershell
um if I run this command here that is
going to show me the different network
profiles I have you can see that this
connection is considered as public
that's why the computer is protecting
itself and doesn't accept anything by
the way let's see if I can ping the
switch from the desktop
ping 192
168.1.99 it's working so I know that the
computer can reach the switch but it
doesn't want to accept the connection
from the switch and this is the command
I use to change this network which is
unidentified to change it to private
once I do this
it's going to be private and
my switch can now ping my computer
yes now it's successful so now we have
to do is make sure that our switch is
ready for the SSH connection I'm going
to create the enable password oh let's
go under the config mode
enable password
and the password is kind of obsolete I'm
using this because it's the lab now it's
recommended to use enable secret to
create a password that is very secure
but here I'm going to use just enable
password and I'll give it the password
of Cisco for the enable and then after
that I need to create a user called KB
trainings
and a password for the user the password
will be Cisco
and then after that I will need to
change the host name of my device right
now it's called switch I need to call it
sw1
and as I said I also need to assign it
to a domain name so I'll do IP domain
name
called kbtrenings.local
and after that we need to create the
crypto Keys all the keys that are going
to use for encryption the command is
crypto
key generate
RSA I'm going to create some RSA keys
and it's asking me for the length of the
key or how many bits do I want to use
I'm going to use 1024 just because it's
shorter but I can use uh 2048 or
whatever because 2048 on this device
will take a while to to create the key
so now the keys are being generated
and it shouldn't take a long time
all right so now that we have the keys
generated we can see that there is a
confirmation saying that SSH has been
enabled so we can then change the
version
ip ssh version to version 2 which is more
secure and then I need to go in the vty
line to tell my switch to use local
users for authentication so I go 50 vty
line 0 to 15.
login local
okay once I do that we should be ready
for a new SSH session let's go ahead and
launch a new session from here
the IP is
192.168.0 no dot one dot 99
it's SSH going to the switch open
it's asking me if I'm trusting the key
that is coming from the switch and I'm
just going to accept it once
let me increase the size of the font
here to maybe 24.
24 26
okay so login as KB trainings this is
the user that we created
password Cisco
and notice that when you type the
password it doesn't show up oh I think I
typed the wrong password okay so with
the right password I mean here I can do
enable and type Cisco as the password I
am in again if I do show users
it's going to show me the different
sessions that we have to this device we
can see that the console session that's
in the back here is active and the star
is on the session where I'm connected
this is my session right here it's
trying to figure out what's the location
and after a moment my IP address should
come here the IP of my desktop should
show up here
yep it's right there and if I do the
same thing on the console session
you can see that the star is on the
console zero so we have console 0 and
vty 0 all right guys that's all for this
lesson here now we are able to connect
to the device using SSH and again we
have to go with the console cable to be
able to set an IP on the device itself
some devices or some of the brands
because here we're talking about Cisco
but as an engineer you should be able to
manage or to deal with any brands or any
model of device so some other devices
can come with an IP already configured
for management just need to know exactly
what you're dealing with and how to do
initial config on that device thank you
for watching I hope you liked it if you
liked the video like it on YouTube and
subscribe to the channel also follow me
on Facebook Instagram and Twitter and if
you like this video you can also like
the installation of my home switch that
I'm going to leave right here you can go
and check it out and the whole playlist
is in the description thank you so much
and I'll see you in the next one take
care and bye