Config Lab: SSH Config

Wendell Odom
By Wendell Odom August 31, 2021 13:05

Today’s post gives you another brief config lab exercise, this time with SSH. Like the previous lab post, this one starts with a cleanly-wiped router config (except the hostname) to make that one router ready for SSH. As usual with this style of lab, no muss, no fuss, just a straightforward short exercise.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

Cisco routers require a little more work to support SSH connections as compared to supporting Telnet. The trick for today’s exercise is to decide just what that bare minimum of non-default commands happens to be to get a router ready for inbound SSH connections.

For today’s lab, configure router R1 in the figure below. The initial config has all default configuration, except it already has a hostname R1 command. Your job is to list the configuration on R1 such that:

  1. A user at PC1, in the same VLAN as R1’s G0/0 interface, can connect successfully into R1 using SSH.
  2. The router cannot rely on any AAA server to list password info and authenticate the user.
  3. The router needs an IP address, so use the numerically highest IP address in the subnet.
  4. Use a cryptographic key length of 768.
  5. Configure no unnecessary commands (that is, use defaults when possible.)
  6. Assume PC1, as well as all LAN devices, have already been configured correctly.

Figure 1 – Lab Topology for this Lab

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!


Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device Lab Port  CML Port
SW1 F0/1 G0/0

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

This lab asks for the required, non-default configuration to enable SSH on router R1, with other conditions. Check out the original lab problem statement for the details. Figure 1 repeats the network diagram, and Example 1 lists the answer.

Figure 1: Router Triangle with IP Subnets


Example 1: R1 SSH Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

This lab does require that you do a little subnetting math. It is the same math as an earlier similar lab that instead focused on Telnet, so you can skip the explanation if you remember the details.

The requirements state the routers use the highest IP addresses in each subnet, but the lab did not list the specific IP address to be used for each router interface. R1 needs IP addresses for each interface, but to meet the requirements of the lab, it only needs an IP address on its G0/0 interface, which is shown in subnet That subnet has a range of usable addresses from –, so the configuration uses the .62 address for R1’s G0/0.

To support SSH, the router must use a username and password; it cannot use simple password checking. The router also needs an authentication key, which requires the router to have an IP domain name configured. All three tasks require separate global configuration commands.

On the vty lines, you need to override a few defaults. First, the router vty lines need to be configured to use the local username database (login local) rather than simple password authentication. Second, Cisco router VTYs default to use the transport input none command, which means that the routers accept neither Telnet nor SSH input through the VTYs. You should override this command to enable input for both telnet and ssh (transport input telnet ssh or transport input all).

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

# Summary Detail
1 Copying the crypto key command into config mode Packet tracer rejects the command crypto key generate rsa modulus 768 when either typed or pasted into config mode. Instead, use the command crypto key generate rsa,  press enter, and PT will prompt for the modulus setting.


Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps. 

  1. Open a command prompt on the PC and test connectivity to R1’s G0/0 IP address using the ping command.
  2. If successful, test SSH using the ssh -l username ip-address command, substituting the SSH username you configured and the R1 IP address. If successful, you should be prompted for a password, and if you supply the password you just configured, you should reach the user mode prompt of the router.

More Labs with Related Content!

Config Lab: Telnet Config
Config Lab: Switch Duplex and Speed
Wendell Odom
By Wendell Odom August 31, 2021 13:05
Write a comment


  1. almeidajoaodealmeida December 17, 04:25

    Hi Mr Odom,
    What domain should be used ?

    Reply to this comment
    • certskills December 17, 16:54

      Feel free to call me Wendell, by the way…
      The value is unimportant. What is important is that you must have a domain name before the device can generate its SSH key. So, use,,, whatever you like.

      Reply to this comment
  2. David December 24, 20:50


    Couple questions here. It is implied that at this point through the book and labs you’ve set up that we would have some sort of understanding of subnetting. I dont think through parts 1-2 that the book has gone over this yet. Maybe it is not intended to be going through labs yet but I figured after each book “part” you would go and complete the related labs for those part chapters. Luckily I already understand subnetting but could be confusing for future end users.

    Secondly, maybe I missed it but as far as actually using SSH to enter the router from PC1..Im not sure it was explained as to how to actually complete this. I looked it up elsewhere and was able to establish the connection with a ssh -l hostname ip-address but I would not have been able to complete this from reading so far in the book alone. Am I missing something as a prerequisite or is this intended to be more of a learn as you go type of deal. Loving the book and coursework so far. Thanks for your help.


    Reply to this comment
    • certskills December 27, 17:04

      Hi David,
      Thanks for the note, and glad you’re loving the book!
      As for your two comments:
      For the first one, I assigned the lab to the wrong location. I would normally want people to have read about the topic before a lab requires the topic in the lab. My mistake, now fixed.
      On your second point, I’m glad you found the SSH client command for Windows. I probably just get a bit too dogmatic about writing the book by keeping to the exam topics, but the lab could certainly mention how to test. FYI, you can always test w/ router or switch SSH commands – see the end of Chapter 18 Vol 1 for those. E.G, you can ssh from the router CLI to itself to test SSH. I’ll add something to the lab in just a sec.
      Thanks again,

      Reply to this comment
      • St_David November 27, 13:10

        The router needs an IP address, so use the numerically highest IP address in the subnet.
        More to David,
        Isn’t there a hint for routers IP in PC1’s pre-configured default gateway? 🙂

        Reply to this comment
    • certskills December 27, 17:06

      Ha, just went to add the SSH command, and it’s already there. Just look in the “Verification Tips…” tab. Which is where I went to add it anyway. 🙂
      Thanks again,

      Reply to this comment
    • Emil Gasanov January 25, 05:54

      telnet {hostname | ip address} – to connect from cmd/cli
      ssh -l username ip-address – to connect from cmd/cli
      ssh username@ip-address – to connect from macos terminal

      Reply to this comment
  3. Thabo Sam November 10, 08:10

    hey there. i do not understand why you used there crypto key, username/pass and the domain name commands. please care do example to me

    Reply to this comment
    • Wendell Odom November 11, 19:19

      Hi Thabo,
      Well, those are all commands required to configure SSH on the device. Sounds like you’re asking for a more comprehensive explanation of SSH configuration on a router. Honestly, that’s more than I want to do here. The labs provide practice for topics you’ve learned about from a comprehensive CCNA resource that would explain the topic. That could be from my books or elsewhere – I don’t restrict the pages here – so maybe look in whatever you’re using to study for CCNA and circle back with more specific questions at that point.

      Reply to this comment
  4. Albert December 10, 17:26

    Hi Wendell, I was wondering if it´d be more accurate to use a cryptographic key length of 768. instead 512 since the lab requirements, best regards.

    Reply to this comment
  5. GJM January 12, 01:07

    I think I got everything here correct on the first try, albeit with lots of ?’s typed at the CLI command prompt lol. The only thing I different was restrict the transport type to SSH only.

    Reply to this comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email


Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.