SSH Config (Answer)

certskills
By certskills August 8, 2012 08:23

This blog post simply lists the answers to the earlier Config lab from a few days ago. No guile, no tricks, just a chance to exercise. The topic for this post: starting from a wiped-clean router, configure support for SSH from a local PC client on a local LAN.

Answers: Configuring SSH

This lab asks for the required, non-default configuration to enable SSH on router R1, with other conditions. Check out the original lab problem statement for the details. Figure 1 repeats the network diagram, and Example 1 lists the answer.

Figure 1: Router Triangle with IP Subnets

This lab does require that you do a little subnetting math as well. It is the same math as an earlier similar lab that instead focused on Telnet, so you can skip the explanation if you remember the details.

The requirements state that the routers use the highest IP addresses in each subnet, but the lab did not list the specific IP address to be used for each router interface. In a full build R1 would need an IP address on each interface, but to meet the requirements of this lab it only needs an IP address on its F0/0 interface, which Figure 1 shows in subnet 172.18.1.0/26. That subnet has a range of usable addresses from 172.18.1.1 – 172.18.1.62, so the configuration uses the .62 address for R1’s F0/0.

To support SSH, the router must authenticate users with a username and password; it cannot use simple password checking (a vty password alone). The router also needs an RSA authentication key, which in turn requires the router to have an IP domain name configured. All three tasks require separate global configuration commands.

On the vty lines, you need to override a few defaults. First, the router vty lines need to be configured to use the local username database (login local), rather than simple password authentication. Second, Cisco router VTYs default to the transport input none command, which means that the router accepts neither Telnet nor SSH input through the VTYs. You should override this command to enable input for both Telnet and SSH (transport input telnet ssh or transport input all).
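The following configuration is an added example that walks through the steps described above; it is written for this edit and is not the page's own Example 1 (which did not survive extraction). It assumes a hostname of R1, a domain name of example.com, a username of admin, placeholder passwords, a 2048-bit RSA key, vty lines 0 through 4, and the full interface name FastEthernet0/0 (the page abbreviates it as F0/0). Lines marked as beyond the lab's requirements are hardening choices, not part of the lab answer.

```cisco
! Added example, not the page's Example 1. Names and passwords are placeholders.
! A hostname other than the default is assumed; the RSA key is named hostname.domain.
hostname R1
! Required: the SSH key pair cannot be generated without a domain name (example.com is assumed).
ip domain-name example.com
! Required: a local username/password pair for SSH logins (values are placeholders).
username admin secret PLACEHOLDER-USER-PASSWORD
! Required: generate the RSA key pair the SSH server uses (2048-bit modulus assumed).
crypto key generate rsa modulus 2048
! Beyond the lab: an enable secret so a remote user can reach privileged mode
! (the comments below this post note the "no password set" error without one).
enable secret PLACEHOLDER-ENABLE-SECRET
! Beyond the lab: accept only SSH protocol version 2.
ip ssh version 2
! R1's LAN interface: highest usable address in 172.18.1.0/26.
interface FastEthernet0/0
 ip address 172.18.1.62 255.255.255.192
 no shutdown
! vty lines: authenticate against the local username database and
! override the router default of transport input none, as the lab requires.
line vty 0 4
 login local
 transport input telnet ssh
```

The lab requires both Telnet and SSH; where Telnet is not needed, transport input ssh alone keeps cleartext logins off the vty lines. After the key is generated, show ip ssh confirms that the SSH server is enabled and which protocol version it accepts.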

Example 1 lists the config on R1.

Example 1: R1 SSH Config


3 Comments

  1. Bastien September 14, 04:54

    Hello Wendell,
    I’m a bit confused.

    Page 391 of the CCENT ICND1 100-105 book, you wrote :
    “Router IOS defaults to disallow both Telnet and SSH into the router because of the default setting of transport input none in vty configuration mode.”

    Whereas in this lab you say “Cisco router VTYs default to use the transport input all command,”.

    So which is the default setting for routers, “transport input none” or “all” (like Cisco switches)?

    Regards.

    • CCENTSkills September 20, 13:32

      Bastien,
      My mistake. Default on routers is “none”. I revised the answer to reflect that fact. Thanks for the notice!
      Wendell

  2. Irving September 4, 21:04

    Hello Wendell:
    I got a little bit confused because I did this lab on Packet Tracer and the default setting on Packet Tracer is “transport input all”, so I assumed that in real switches and routers the default is always “transport input all”, right? And there’s one more thing that I would like to ask. I realized that in order to pass to “privileged mode” using Telnet or SSH I have to set an “enable password” or “enable secret” in global configuration mode; otherwise the command prompt displays “no password set”.
    Is that normal, or does it only happen in Packet Tracer?
    Regards
