The main reason to use SSH rather than Telnet to reach a router prompt is that Telnet sends the whole session, credentials included, in clear text, whereas SSH encrypts the session and is far more secure.

Lab Topology

Fig 1: Use CLI and SDM to Configure SSH on Cisco Routers to Enable Secured Management Access

Lab Setup

  • Cable the routers as shown in the topology.
  • Use the IP addressing chart below to assign IP addresses to the routers.

IP Addressing Schema

  Router   Interface   IP Address
  R1       S0/0        100.1.12.1/24
  R2       S0/0        100.1.12.2/24


Lab Objectives

  1. Configure the SSH feature on R1 from the CLI, using the following SSH policy:

     Domain Name: CCNASECURITY.COM
     Key: 512 bit
     Authentication: performed against the local user database
     User: Security
     Password: CCNA123

  2. Configure the SSH feature on R1 with SDM, using the same policy as for the CLI.

Configuring SSH via CLI

R1(config)#username Security password CCNA123 (creates the local user account)

R1(config)#ip domain name CCNASECURITY.COM (sets the domain name; it is required before RSA keys can be generated)

R1(config)#crypto key generate rsa usage-keys (generates the RSA signature and encryption key pairs)


After the command is entered, IOS prompts for the key sizes and reports the result:

The name for the keys will be: R1.CCNASECURITY.COM

Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]:

Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.

How many bits in the modulus [512]: 512

% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

% Generating 512 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#

*Mar  1 00:13:15.519: %SSH-5-ENABLED: SSH 1.5 has been enabled


R1(config)#ip ssh authentication-retries 3 (sets the maximum number of failed login attempts per SSH connection)

R1(config)#ip ssh time-out 90 (sets the SSH session time-out, in seconds)

R1(config)#line vty 0 4

R1(config-line)#login local (authenticates vty logins against the local user database)

R1(config-line)#transport input ssh (only SSH is accepted on these lines; Telnet is disabled)
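The CLI steps above are entered by hand and nothing checks afterwards that the policy actually took. As an added example (not part of the original lab and not an IOS feature), the Python audit below parses a constructed running-config text that mirrors those steps and reports the points a reviewer would look for: SSH-only `transport input` on the vty lines, `login local`, `ip ssh version 2` (the enable message in the lab output shows SSH 1.5 was negotiated), an `authentication-retries` limit, a domain name, and whether the user account is stored with `password` rather than `secret`. It also flags vty lines without `exec-timeout`, the IOS idle timer for an established session. The sample config, the check names and the severity labels are assumptions for the example.

```python
"""Audit a Cisco IOS running-config for the SSH management-access policy.

Added example, not from the original lab: the checks and severities are
the author's assumptions about what a reviewer would look for.
"""
import re

# Constructed sample of what `show running-config` would contain after the
# lab's CLI steps (with `login local` on the vty lines).
SAMPLE_CONFIG = """\
hostname R1
!
username Security password 0 CCNA123
!
ip domain name CCNASECURITY.COM
ip ssh authentication-retries 3
ip ssh time-out 90
!
line vty 0 4
 login local
 transport input ssh
!
end
"""


def parse_sections(config: str) -> dict:
    """Split an IOS config into top-level lines and their indented child blocks."""
    top_level, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":        # "!" separates sections
            current = None
            continue
        if line.startswith(" "):           # indented line belongs to the current block
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
            top_level.append(line)
    return {"global": top_level, "blocks": blocks}


def audit_ssh_policy(config: str) -> list:
    """Return (severity, message) findings; an empty list means every check passed."""
    parsed = parse_sections(config)
    top = parsed["global"]
    findings = []

    # Global SSH settings
    if not any(re.match(r"ip domain[- ]name \S+", line) for line in top):
        findings.append(("high", "no ip domain-name: RSA key generation needs one"))
    if "ip ssh version 2" not in top:
        findings.append(("high", "ip ssh version 2 not set: SSH version 1 can still be negotiated"))
    if not any(line.startswith("ip ssh authentication-retries") for line in top):
        findings.append(("medium", "ip ssh authentication-retries not set explicitly"))
    for line in top:
        if re.match(r"username \S+ (privilege \d+ )?password ", line):
            user = line.split()[1]
            findings.append(("medium", f"user '{user}' stored with password, not secret (reversible storage)"))

    # Per-vty-line settings
    vty_blocks = {k: v for k, v in parsed["blocks"].items() if k.startswith("line vty")}
    if not vty_blocks:
        findings.append(("high", "no line vty configured"))
    for name, children in vty_blocks.items():
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or transports[-1] != "transport input ssh":
            findings.append(("high", f"{name}: transport input is not ssh-only (telnet may be allowed)"))
        if "login local" not in children and not any(c.startswith("login authentication") for c in children):
            findings.append(("high", f"{name}: no 'login local' (local database not used for authentication)"))
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(("low", f"{name}: no exec-timeout (idle sessions stay open 10 min by default)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ssh_policy(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the sample, the audit passes the vty checks the lab configures and reports three gaps: no `ip ssh version 2`, the account stored with `password`, and no `exec-timeout`. Feeding it a config whose vty lines carry `transport input telnet ssh` produces the ssh-only finding as well.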

Verification

R1#show crypto key mypubkey rsa

Key name: R1.CCNASECURITY.COM

Storage Device: not specified

Usage: Signature Key

Key is not exportable.

Key Data:

305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B14626 58F5D7BC

99A7DB46 9A930714 D5FFD725 381E9AD0 E07E4C47 9A6EBCE6 E453F870 90AA0D18

209B8453 ED45EED5 130BFED0 AC7F74F9 82CB64AA F420E0F2 EF020301 0001

% Key pair was generated at: 00:13:15 UTC Mar 1 2002

Key name: R1.CCNASECURITY.COM
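IOS prints the public key under Key Data as the hex of a DER-encoded SubjectPublicKeyInfo (an AlgorithmIdentifier for rsaEncryption followed by a BIT STRING holding the RSAPublicKey sequence of modulus and exponent). The added example below (not part of the lab, and not an IOS feature) walks that DER structure for the key data shown above and recovers the modulus size and public exponent, so the verification step can flag a modulus below a chosen minimum instead of reading the bit count off the generation prompt. The 2048-bit threshold and the finding text are assumptions for the example; the hex is the lab's own output.

```python
"""Recover the RSA modulus size from `show crypto key mypubkey rsa` output.

Added example, not from the original lab: a minimal DER walker (no external
libraries) for the SubjectPublicKeyInfo that IOS prints under Key Data.
"""

# Key Data exactly as printed in the lab's verification output.
KEY_DATA_HEX = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00B14626 58F5D7BC
99A7DB46 9A930714 D5FFD725 381E9AD0 E07E4C47 9A6EBCE6 E453F870 90AA0D18
209B8453 ED45EED5 130BFED0 AC7F74F9 82CB64AA F420E0F2 EF020301 0001
"""

RSA_OID = bytes.fromhex("2A864886F70D010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos and return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(hex_text: str):
    """Return (modulus, exponent) from the hex SubjectPublicKeyInfo IOS prints."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, spki, _ = read_tlv(der, 0)              # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at start of SubjectPublicKeyInfo")
    tag, alg, pos = read_tlv(spki, 0)            # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = read_tlv(bitstr, 1)          # inner SEQUENCE { modulus, exponent }
    _, n_bytes, pos = read_tlv(rsa_pub, 0)       # INTEGER modulus (leading 00 pad allowed)
    _, e_bytes, _ = read_tlv(rsa_pub, pos)       # INTEGER public exponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_strength_finding(hex_text: str, minimum_bits: int = 2048) -> str:
    """Classify the printed key against a minimum modulus size (assumed 2048)."""
    modulus, exponent = parse_rsa_spki(hex_text)
    bits = modulus.bit_length()
    if bits < minimum_bits:
        return f"WEAK: {bits}-bit RSA modulus (e={exponent}); regenerate with modulus {minimum_bits}"
    return f"OK: {bits}-bit RSA modulus (e={exponent})"


if __name__ == "__main__":
    print(key_strength_finding(KEY_DATA_HEX))
```

For the key printed in this lab the walker returns a 512-bit modulus with exponent 65537, matching the size chosen at the generation prompt, and reports it as below the assumed 2048-bit minimum.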