Identity & Remote Access

This guide shows how to configure the device identity, banner messages, the local user database, privilege levels and secure access methods. Insecure access methods are not covered.

Hostname & Domain

A hostname is a name that identifies a device on a network. It is a unique identifier for the device and can be used to reach it through various protocols and services. If the hostname is combined with DNS (Domain Name System), a user can address the device by hostname and domain instead of by IP address; the DNS server holds the list of hostnames with their corresponding IP addresses. It is common practice to configure a hostname and the domain of the organization the device belongs to. The hostname and domain also form the default name of the RSA key pair generated for SSH, which is why the SSH section requires a domain name to be set first.

CLI Commands                                Description
configure terminal                          Enter global configuration mode
hostname ABC                                Set a hostname for the device
ip domain name ABC                          Set the domain name the device belongs to
end                                         Close the configuration mode
show hosts                                  Display the IP domain name, lookup style, name servers and the host table
hostname

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#hostname LABSWITCH01
LABSWITCH01(config)#ip domain name configure-networks.com
LABSWITCH01(config)#end
LABSWITCH01#
show hosts

LABSWITCH01#show hosts
Default domain is configure-networks.com
Name servers are 255.255.255.255
NAME  TTL  CLASS   TYPE      DATA/ADDRESS
-----------------------------------------

LABSWITCH01#

Domain Lookup

Domain lookup is a Cisco IOS feature that resolves a hostname to its IP address by sending a DNS query to a configured DNS server. It simplifies the configuration and management of network devices by letting users specify hostnames instead of IP addresses. Administrators can also disable domain lookup if routers and switches should not send DNS queries; a common reason is that, with lookup enabled, a mistyped command at the EXEC prompt is treated as a hostname and the device tries to resolve it, which stalls the session until the lookup times out. A switch or router with domain lookup enabled and a DNS server address configured can process a ping with a hostname as the destination instead of an IP address.

CLI Commands                                Description
configure terminal                          Enter into the global configuration mode
ip domain lookup                            Enable domain lookup (enabled by default)
no ip domain lookup                         Disable domain lookup
ip name-server #.#.#.#                      Provide the IP address of the DNS server
end                                         Exit from configuration mode
ip domain lookup

LABSWITCH01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#ip domain lookup
LABSWITCH01(config)#ip name-server 172.168.70.6
LABSWITCH01(config)#end
LABSWITCH01#
no ip domain lookup

LABSWITCH01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#no ip domain lookup
LABSWITCH01(config)#end
LABSWITCH01#

Banners

Banners are messages displayed to users when they log in to a Cisco IOS device or access certain services on it. They are often used to communicate important information or warnings to users who access the device. Any character can be used as the delimiter that starts and ends the banner text in configuration mode, as long as that character does not appear in the banner text itself, because IOS treats its next occurrence as the end of the message. The CLI output below shows examples of how banners can be designed.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
banner login *                              Configure a login banner (displays a message before a user logs in)
ABC*                                        Enter the banner text
!                                           -
banner exec *                               Configure an exec banner (displays a message after a user logs in)
ABC*                                        Enter the banner text
!                                           -
banner motd *                               Configure a message of the day banner (general information about the device can be displayed here)
ABC*                                        Enter the banner text
!                                           -
end                                         Exit from the configuration mode
show banner login                           Display the login banner
show banner exec                            Display the exec banner
show banner motd                            Display the motd banner
show running-config | begin banner          Display the configured banners
banner login

LABSWITCH01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#banner login +
Enter TEXT message.  End with the character '+'.
*******************************************************
* THIS IS A LAB ENVIRONMENT BY CONFIGURE-NETWORKS.COM *
*******************************************************
+
LABSWITCH01(config)#end
LABSWITCH01#
show banner login

LABSWITCH01#show banner login
*******************************************************
* THIS IS A LAB ENVIRONMENT BY CONFIGURE-NETWORKS.COM *
*******************************************************
LABSWITCH01#
banner exec

LABSWITCH01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#banner exec !
Enter TEXT message.  End with the character '!'.
#####################
# YOU ARE LOGGED IN #
#####################
!
LABSWITCH01(config)#end
LABSWITCH01#
show banner exec

LABSWITCH01 con0 is now available

Press RETURN to get started.

#####################
# YOU ARE LOGGED IN #
#####################

LABSWITCH01>enable
LABSWITCH01#show banner exec
#####################
# YOU ARE LOGGED IN #
#####################
LABSWITCH01#
banner motd

LABSWITCH01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#banner motd %
Enter TEXT message.  End with the character '%'.
HHHHHHHHHHHHHHHHHHHHHHHHHH
H LOCATION OF THE DEVICE H
HHHHHHHHHHHHHHHHHHHHHHHHHH
%
LABSWITCH01(config)#end
LABSWITCH01#
banners

LABSWITCH01 con0 is now available

Press RETURN to get started.

HHHHHHHHHHHHHHHHHHHHHHHHHH
H LOCATION OF THE DEVICE H
HHHHHHHHHHHHHHHHHHHHHHHHHH

*******************************************************
* THIS IS A LAB ENVIRONMENT BY CONFIGURE-NETWORKS.COM *
*******************************************************

User Access Verification

Username: abc
Password: 
#####################
# YOU ARE LOGGED IN #
#####################

LABSWITCH01#

The most common reasons for using banners are:

To provide information: Banners can be used to display important information to users who access the device. For example, you can use a banner to display the device's hostname, the device's location, or the terms of service for using the device.
To warn users: Banners can be used to warn users about unauthorized access or other security issues. For example, you can use a banner to warn users that unauthorized access is prohibited, or to remind them to protect their login credentials.
To comply with regulations: Banners can be used to display legal notices or other information that is required by law or regulations. For example, you may need to display a banner that states that the device is monitored, or that the device is for authorized users only.
To improve security: Banners can help improve security by alerting users to potential security risks or by reminding them to follow best practices for protecting their login credentials.

Users & Passwords

Creating a user account with a secret is a good security practice that helps protect the device and the network from unauthorized access and configuration changes. Password encryption (service password-encryption) keeps passwords from appearing in clear text in the configuration file; note that it is a reversible type 7 encoding, whereas the "secret" keyword stores a one-way hash (type 9 in the output below), which is why the examples use secret for both the user and the enable password. The "enable secret" adds an additional step for users to get into privileged mode.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
service password-encryption                 Enable automatic password encryption
username ABC privilege 15 secret XYZ        Create an admin user and a secret password (privilege level 15 = admin)
username DEF privilege 1 secret XYZ         Multiple users and privilege levels can be configured (privilege level 1 = read-only)
enable secret XYZ                           Set a secret password for entering into privileged mode
end                                         Exit from the global configuration mode
show users                                  Display active users on the device
show running-config | include user          Display the configured users
username

LABSWITCH01#
LABSWITCH01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#service password-encryption
LABSWITCH01(config)#username JONDO privilege 15 secret xxx
LABSWITCH01(config)#enable secret xxx
LABSWITCH01(config)#end
LABSWITCH01#show users
LABSWITCH01#
show run | include user

LABSWITCH01#show run | include user
username JONDO privilege 15 secret 9 $9$Kyn
LABSWITCH01#
show user

User Access Verification

Username: jondo
Password:
#####################
# YOU ARE LOGGED IN #
#####################

LABSWITCH01#
LABSWITCH01#show user
    Line       User       Host(s)              Idle       Location
*  0 con 0     jondo      idle                 00:00:00

  Interface    User               Mode         Idle     Peer Address

LABSWITCH01#

Privilege Level

There are 3 privilege levels by default: level 0, level 1 and level 15. The user can define additional privilege levels and assign the commands that users at each level are allowed to execute.

Level 0     Restricted user level access: read-only permission, only a few commands are available
Level 1     User level access: read-only permission, only "debugging" and "show" commands are available
Level 15    Administrator level access: read & write permission, all commands are available

Access Lines

The "line vty" and "line console" commands are used to configure the remote access and local console access. These lines allow users to connect to the device and access the CLI through a terminal emulator such as "PuTTY" or "HyperTerminal". The console line is mostly used for the initial configuration of a device until it is configured and ready for remote access.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
line console 0                              Configure console access to the CLI
login local                                 Use the local user database for authentication
exec-timeout 10                             Close the CLI after 10 minutes of inactivity
logging synchronous                         Keep log messages from interrupting commands being typed
history size 256                            Enable the history function and set the buffer size
!                                           -
line vty 0 15                               Configure the remote access to the CLI
login local                                 Use the local user database for authentication
transport input ssh                         Only allow SSH for remote access to the CLI
exec-timeout 10                             Close the CLI after 10 minutes of inactivity
logging synchronous                         Keep log messages from interrupting commands being typed
history size 256                            Enable the history function and set the buffer size
end                                         Exit from the global configuration mode
show line console 0                         Display the active console access
show line vty #                             Display the active remote access
show running-config | begin vty             Display the configured vty settings
show running-config partition line          Display the configured line settings
line

LABSWITCH01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#line console 0
LABSWITCH01(config-line)#login local
LABSWITCH01(config-line)#exec-timeout 10
LABSWITCH01(config-line)#logging synchronous
LABSWITCH01(config-line)#history size 256
LABSWITCH01(config-line)#!
LABSWITCH01(config-line)#line vty 0 15
LABSWITCH01(config-line)#login local
LABSWITCH01(config-line)#transport input ssh
LABSWITCH01(config-line)#exec-timeout 10
LABSWITCH01(config-line)#logging synchronous
LABSWITCH01(config-line)#history size 256
LABSWITCH01(config-line)#end
LABSWITCH01#
show line console 0

LABSWITCH01#show line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*     0 CTY              -    -      -    -    -      0       1     0/0       -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
Status: PSI Enabled, Ready, Active, Automore On
Capabilities: none
Modem state: Ready
Switch 1: RJ45 Console is in use
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: 00:10:51
Editing is enabled.
History is enabled, history size is 256.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
Shell: disabled
Shell trace: off
No output characters are padded
No special data dispatching characters
LABSWITCH01#
show line vty 0

LABSWITCH01#show line vty 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      1 VTY              -    -      -    -    -      0       0     0/0       -

Line 1, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: none
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               00:10:00        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 256.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are ssh.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters
LABSWITCH01#
show running-config partition line

LABSWITCH01#show run partition line
Building configuration...

Current configuration : 343 bytes
!
Configuration of Partition - line
!
!
!
!
line con 0
 logging synchronous
 login local
 history size 256
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 16 31
 login
 transport input ssh
!
end

LABSWITCH01#
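
The line settings described above can be checked mechanically against the device's own output. The following Python script is an added example, not part of this guide: it parses the "show running-config partition line" output quoted above (embedded here as a constructed sample) and flags VTY blocks that lack "login local", allow a transport other than SSH, disable the idle timeout, or, optionally, carry no inbound access-class. The function names and finding texts are my own.

```python
import re

# Constructed sample input: the "show running-config partition line" output of
# the lab switch as quoted in this guide. Note the "line vty 16 31" block,
# which the guide's "line vty 0 15" command did not touch.
SAMPLE_LINE_CONFIG = """\
line con 0
 logging synchronous
 login local
 history size 256
 stopbits 1
line vty 0 4
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 5 15
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 16 31
 login
 transport input ssh
"""

# IOS only prints non-default values, so a missing exec-timeout means the
# default of 10 minutes; "exec-timeout 0 0" disables the idle timeout.
DEFAULT_EXEC_TIMEOUT_MIN = 10


def parse_line_sections(config):
    """Map each 'line ...' block to its list of indented sub-commands."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
    return sections


def exec_timeout_minutes(subcommands):
    """Effective idle timeout in minutes; None means the timeout is disabled."""
    for cmd in subcommands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
            if minutes == 0 and seconds == 0:
                return None
            return minutes + seconds / 60
    return DEFAULT_EXEC_TIMEOUT_MIN


def audit_vty_lines(config, require_access_class=False):
    """Return (line, finding) pairs for every VTY block that misses a control."""
    findings = []
    for name, cmds in parse_line_sections(config).items():
        if not name.startswith("vty"):
            continue
        if "login local" not in cmds:
            findings.append((name, "not using the local user database (login local)"))
        transports = [c for c in cmds if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append((name, "transport input is not restricted to ssh"))
        if exec_timeout_minutes(cmds) is None:
            findings.append((name, "exec-timeout disabled (0 0)"))
        has_acl = any(c.startswith("access-class ") and c.endswith(" in") for c in cmds)
        if require_access_class and not has_acl:
            findings.append((name, "no inbound access-class applied"))
    return findings


if __name__ == "__main__":
    # On the sample, only "vty 16 31" is reported: it uses plain "login".
    for line, finding in audit_vty_lines(SAMPLE_LINE_CONFIG):
        print(f"line {line}: {finding}")
```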

SSH Access

Secure Shell (SSH) is a network protocol for establishing an encrypted connection between a client and a server. It is widely used to securely connect to and manage network devices such as routers and switches. On a Cisco device, SSH access is enabled by configuring the SSH server and generating an RSA key pair; the key pair is named after the device hostname and domain, which is why a domain name must be configured first. Once the SSH server is enabled and the key pair exists, a user can access the device over SSH with a terminal emulator such as PuTTY or HyperTerminal and must log in with a valid username and password. In SSH version 2, data is encrypted before it is transmitted over the network and a secure channel is established between the client and the server, which prevents eavesdropping, tampering and message forgery in transit. SSH uses network port 22 for communication.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
ip domain name ABC                          If not already done, a domain must be configured
ip ssh version 2                            Enable SSH version 2
ip ssh time-out #                           Define a timeout for open SSH connections
crypto key generate rsa modulus 2048        Generate a cryptographic key pair
end                                         Exit from the global configuration mode
show ip ssh                                 Display SSH settings
show crypto key mypubkey all                Display the device's own public keys
show crypto key pubkey-chain rsa            Display the public keys of peers and CAs known to the device
ip ssh version 2

LABSWITCH01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#ip domain name configure-networks.com
LABSWITCH01(config)#ip ssh version 2
LABSWITCH01(config)#crypto key generate rsa modulus 2048
The name for the keys will be: LABSWITCH01.configure-networks.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

LABSWITCH01(config)#end
show ip ssh

LABSWITCH01#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): SLA-KeyPair2
LABSWITCH01#
show crypto key mypubkey all

LABSWITCH01#show crypto key mypubkey all
% Key pair was generated at: 07:13:30 UTC Feb 7 2023
Key name: CISCO_IDEVID_SUDI_LEGACY
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
% Key pair was generated at: 07:13:30 UTC Feb 7 2023
Key name: CISCO_IDEVID_SUDI
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
% Key pair was generated at: 07:13:41 UTC Feb 7 2023
Key name: SLA-KeyPair2
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is exportable. Redundancy enabled.
 Key Data:
% Key pair was generated at: 07:13:43 UTC Feb 7 2023
Key name: SLA-KeyPair2.server
Key type: RSA KEYS
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
% Key pair was generated at: 07:30:21 UTC Feb 7 2023
Key name: TP-self-signed-3704575809
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable. Redundancy enabled.
 Key Data:
% Key pair was generated at: 14:55:17 UTC Feb 8 2023
Key name: LABSWITCH01.configure-networks.com
Key type: RSA KEYS
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable. Redundancy enabled.
 Key Data:
LABSWITCH01#
show crypto key pubkey-chain rsa

LABSWITCH01#show crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name
C    Signing                              default          cn=Cisco Root CA M1,o=Cisco
C    Signing                              default          cn=Cisco Root CA 2048,o=Cisco Systems
C    Signing                              default          cn=Cisco Manufacturing CA,o=Cisco Systems
C    Signing                              default          cn=Cisco Root CA M2,o=Cisco
C    Signing                              default          cn=Cisco Manufacturing CA SHA2,o=Cisco
C    Signing                              default          cn=Licensing Root - DEV,o=Cisco
C    Signing                              default          cn=Cisco Licensing Root CA,o=Cisco
C    Signing                              default          cn=ACT2 SUDI CA,o=Cisco
C    Signing                              default          cn=Cisco RXC-R2,o=Cisco Systems,c=US
C    Signing                              default          cn=VeriSign Class 3 Public Primary Certification Authority - G5,ou=(c) 2006 VeriSign, Inc. - For authorized use only,ou=VeriSign Trust Network,o=VeriSign, Inc.,c=US
C    Signing                              default          cn=QuoVadis Root CA 2,o=QuoVadis Limited,c=BM
C    Signing                              default          cn=IdenTrust Commercial Root CA 1,o=IdenTrust,c=US

LABSWITCH01#

SSH Connection

The "ssh" command is a client program for connecting to an SSH server. It is used to securely reach a remote system over an untrusted network such as the Internet, a public LAN or any other network.

CLI Commands                                Description
ssh -l USERNAME #.#.#.#                     Open an SSH connection with a username and IP address, then enter the user password when prompted
show ssh                                    Display information about the current SSH connection
logout                                      Close the SSH connection
ssh


LABSWITCH01#ssh -l jondo 192.168.10.4
Password:


LABSWITCH02#
LABSWITCH02#show ssh
Connection Version Mode  Encryption  Hmac                          State                Username
0          2.0     IN   aes128-gcm  hmac-sha2-256-etm@openssh.com Session started       jondo
0          2.0     OUT  aes128-gcm  hmac-sha2-256-etm@openssh.com Session started       jondo
LABSWITCH02#
LABSWITCH02#
LABSWITCH02#logout

[Connection to 192.168.10.4 closed by foreign host]
LABSWITCH01#

HTTPS Access

HTTP (Hypertext Transfer Protocol) is a protocol for transmitting data over a network. It is the foundation of data communication for the World Wide Web (WWW) and enables communication between a client (such as a web browser) and a server (such as a web server). HTTP Secure (HTTPS) is the secure version of HTTP and is widely used to protect sensitive information such as login credentials. On a Cisco device, HTTPS access is enabled with the "ip http secure-server" command, which requires an SSL/TLS certificate on the device. The RSA key pair behind that certificate is created with "crypto key generate rsa" and stored in the device keyring; if no trustpoint is configured, IOS uses a self-signed certificate (the TP-self-signed trustpoint in the output below), which browsers cannot validate against a trusted CA. It is also recommended to disable plain HTTP on a switch or router for security reasons. HTTP communicates on network port 80 and HTTPS on network port 443.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
no ip http server                           Disable HTTP access (insecure)
ip http secure-server                       Enable HTTPS access (secure)
ip http authentication local                Use the local user database to authenticate for the web UI
end                                         Exit from the global configuration mode
show ip http server all                     Display HTTP settings
show ip http server secure status           Display HTTPS settings
ip https server

LABSWITCH01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#no ip http server
LABSWITCH01(config)#ip http secure-server
LABSWITCH01(config)#ip http authentication local
LABSWITCH01(config)#end
LABSWITCH01#
show ip http server all

LABSWITCH01#show ip http server all
HTTP server status: Disabled
HTTP server port: 80
HTTP server active supplementary listener ports: 21111
HTTP server authentication method: local
HTTP server auth-retry 0 time-window 0
HTTP server digest algorithm: md5
HTTP server access class: 0
HTTP server IPv4 access class: None
HTTP server IPv6 access class: None
HTTP server base path:
HTTP File Upload status: Disabled
HTTP server upload path:
HTTP server help root:
Maximum number of concurrent server connections allowed: 300
Maximum number of secondary server connections allowed: 50
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 600 seconds
Maximum number of requests allowed on a connection: 25
Server linger time : 60 seconds
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version:  TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: TP-self-signed-3704575809
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL

HTTP server application session modules:
 Session module Name  Handle Status   Secure-status     Description
HTTP_IFS              1      Active   Active         HTTP based IOS File Server
SL_HTTP               2      Active   Active         HTTP REST IOS-XE Smart License Server
OPENRESTY_PKI         3      Active   Active         IOS OpenResty PKI Server
NBAR2                 4      Active   Active         NBAR2 HTTP(S) Server
HOME_PAGE             5      Active   Active         IOS Homepage Server
BANNER_PAGE           6      Active   Active         HTTP Banner Page Server
WEB_EXEC              7      Active   Active         HTTP based IOS EXEC Server
GSI7F10EE0D1EB0-lic   8      Active   Active         license agent app
GSI7F10EE0C5AE0-web   9      Active   Active         wsma infra
GSI7F10F15278A0-web   10     Active   Active         wsma infra
NG_WEBUI              11     Active   Active         Web GUI


HTTP server current connections:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes
127.0.0.1:21111  127.0.0.1:57104  0  0


Nginx Internal Counters:
Nginx pool = 915
Active connection = 1
Nginx pool available = 902
Maxmum connection Hit = 0



HTTP server statistics:
Accepted connections total: 1
server accepts handled requests
 2 2 2
Reading: 0 Writing: 1 Waiting: 0



HTTP server history:
local-ipaddress:port  remote-ipaddress:port  in-bytes  out-bytes  end-time

127.0.0.1:21111  127.0.0.1:57104  0  404  15:03:44  8/02
127.0.0.1:21111  127.0.0.1:57106  0  277  15:03:46  8/02


conn_history_current_pos: 2



HTTP server help path:

LABSWITCH01#
show ip http server secure status

LABSWITCH01#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  rsa-aes-cbc-sha2 rsa-aes-gcm-sha2
        dhe-aes-cbc-sha2 dhe-aes-gcm-sha2 ecdhe-rsa-aes-cbc-sha2
        ecdhe-rsa-aes-gcm-sha2 ecdhe-ecdsa-aes-gcm-sha2
HTTP secure server TLS version:  TLSv1.2 TLSv1.1
HTTP secure server client authentication: Disabled
HTTP secure server PIV authentication: Disabled
HTTP secure server PIV authorization only: Disabled
HTTP secure server trustpoint: TP-self-signed-3704575809
HTTP secure server peer validation trustpoint:
HTTP secure server ECDHE curve: secp256r1
HTTP secure server active session modules: ALL
LABSWITCH01#

Restricted Remote Access with ACLs

It is possible to limit remote access to a device with an access control list (ACL). ACL 1 in this example permits only the subnet 192.168.2.0/24 to reach the device (written with a wildcard mask, 0.0.0.255); all other networks are denied and the denied attempts are logged. Be careful when using this method, since you can lock yourself out of the device. Also check the output of "show running-config partition line" for VTY lines outside the range the access-class was applied to: the lab switch below has a "line vty 16 31" block that the "line vty 0 15" command does not cover. This method does not scale very well and should be handled with care.

CLI Commands                                Description
configure terminal                          Enter into global configuration mode
access-list # permit #.#.#.# #.#.#.#        Define a subnet that is allowed for remote access (wildcard mask)
access-list # deny any log                  Prevent all other subnets from reaching the device remotely and log denied attempts
line vty 0 15                               Enter into the VTY sub-configuration mode
access-class # in                           Attach the access control list
end                                         Exit from the configuration mode
show access-lists                           Display access control lists on the device
show running-config partition line          Display the configured line settings
show running-config partition access-lists  Display the configured ACL settings
line vty access-list

LABSWITCH01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
LABSWITCH01(config)#access-list 1 permit 192.168.2.0 0.0.0.255
LABSWITCH01(config)#access-list 1 deny any log
LABSWITCH01(config)#line vty 0 15
LABSWITCH01(config-line)#access-class 1 in
LABSWITCH01(config-line)#end
LABSWITCH01#
show access-lists

LABSWITCH01#show access-lists
Standard IP access list 1
    10 permit 192.168.2.0, wildcard bits 0.0.0.255
    20 deny   any log
Extended IP access list IP-Adm-V4-Int-ACL-global
    10 permit tcp any any eq 443
Extended IP access list implicit_deny
    10 deny ip any any
Extended IP access list implicit_permit
    10 permit ip any any
Extended IP access list meraki-fqdn-dns
Extended IP access list preauth_v4
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list implicit_deny_v6
    deny ipv6 any any sequence 10
IPv6 access list implicit_permit_v6
    permit ipv6 any any sequence 10
IPv6 access list preauth_v6
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100
LABSWITCH01#
show running-config partition line

LABSWITCH01#show running-config partition line
Building configuration...

Current configuration : 381 bytes
!
Configuration of Partition - line
!
!
!
!
line con 0
 logging synchronous
 login local
 history size 256
 stopbits 1
line vty 0 4
 access-class 1 in
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 5 15
 access-class 1 in
 logging synchronous
 login local
 history size 256
 transport input ssh
line vty 16 31
 login
 transport input ssh
!
end

LABSWITCH01#
show running-config partition access-lists

LABSWITCH01#show run partition access-list
Building configuration...

Current configuration : 137 bytes
!
Configuration of Partition - access-list
!
!
!
!
ip access-list standard 1
 10 permit 192.168.2.0 0.0.0.255
 20 deny   any log
!
end

LABSWITCH01#
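
As an added example (not part of this guide), the Python below shows how the wildcard mask in the ACL entry works and how IOS evaluates a standard ACL first-match, using the "show running-config partition access-list" output above as a constructed sample; the helper names are my own.

```python
import ipaddress

# Constructed sample input: the standard ACL from this guide's
# "show running-config partition access-list" output.
SAMPLE_ACL = """\
ip access-list standard 1
 10 permit 192.168.2.0 0.0.0.255
 20 deny   any log
"""

ALL_ONES = 0xFFFFFFFF


def wildcard_for_prefix(prefix_len):
    """Wildcard mask for a /prefix_len network: the inverse of the subnet mask
    (/24 -> 0.0.0.255), which is what 'access-list' expects instead of a netmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def parse_standard_acl(text):
    """Return ordered entries (seq, action, network_int, wildcard_int, log)."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[1] not in ("permit", "deny"):
            continue
        seq, action, target = int(parts[0]), parts[1], parts[2]
        log = parts[-1] == "log"
        if target == "any":
            network, wildcard = 0, ALL_ONES
        elif target == "host":
            network, wildcard = int(ipaddress.IPv4Address(parts[3])), 0
        else:
            network = int(ipaddress.IPv4Address(target))
            # A bare address without a mask is a single host (wildcard 0.0.0.0).
            has_mask = len(parts) > 3 and parts[3] != "log"
            wildcard = int(ipaddress.IPv4Address(parts[3])) if has_mask else 0
        entries.append((seq, action, network, wildcard, log))
    return entries


def wildcard_match(address, network, wildcard):
    """Wildcard semantics: a 1 bit in the mask means 'do not care about this bit'."""
    return ((address ^ network) & ~wildcard & ALL_ONES) == 0


def evaluate(entries, source):
    """First-match evaluation; IOS appends an implicit 'deny any' that is not logged."""
    src = int(ipaddress.IPv4Address(source))
    for seq, action, network, wildcard, log in entries:
        if wildcard_match(src, network, wildcard):
            return action, seq, log
    return "deny", None, False


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for ip in ("192.168.2.77", "192.168.3.1", "10.0.0.5"):
        action, seq, log = evaluate(acl, ip)
        print(f"{ip}: {action} by entry {seq}, logged={log}")
```

The explicit "deny any log" entry matters for detection: without it, rejected connection attempts fall through to the implicit deny and leave no log message.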
