Config Lab: SSH Config

 In 200-301 V1 Ch15: Operating Routers, 200-301 V1 Part 5: IPv4 Routing, 200-301 V1 Parts, Config Lab, Config Lab CCNA Vol 1 Part 2, Hands-on

Today's post gives you another brief config lab exercise, this time with SSH. Like the previous lab post, this one starts with a cleanly wiped router config (except the hostname) and asks you to make that one router ready for SSH. As usual with this style of lab, no muss, no fuss, just a straightforward short exercise.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

Cisco routers require a little more work to support SSH connections as compared to supporting Telnet. The trick for today's exercise is to decide just what that bare minimum of non-default commands happens to be to get a router ready for inbound SSH connections.

For today's lab, configure router R1 in the figure below. The initial config has all default configuration, except it already has a hostname R1 command. Your job is to list the configuration on R1 such that:

  1. A user at PC1, in the same VLAN as R1's G0/0 interface, can connect successfully into R1 using SSH.
  2. The router cannot rely on any AAA server to list password info and authenticate the user.
  3. The router needs an IP address, so use the numerically highest IP address in the subnet.
  4. Use a cryptographic key length of 768.
  5. Configure no unnecessary commands (that is, use defaults when possible).
  6. Assume PC1, as well as all LAN devices, have already been configured correctly.

Figure 1 - Lab Topology for this Lab

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration, even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco's free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab's Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab's CML file!


Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device   Lab Port   CML Port
SW1      F0/1       G0/0

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

This lab asks for the required, non-default configuration to enable SSH on router R1, with other conditions. Check out the original lab problem statement for the details. Figure 1 repeats the network diagram, and Example 1 lists the answer.

Figure 1: Router Triangle with IP Subnets


ip domain-name certskills.com
!
! On the next command, I added the modulus on the command line;
! you can reply to the prompt question as well.
crypto key generate rsa modulus 768
!
username Wendell password youllneverguessit
!
interface GigabitEthernet0/0
 no shutdown
 ip address 172.18.1.62 255.255.255.192
!
line vty 0 15
 login local
 transport input all
! Note - if you only did VTYs 0 through 4, that's OK.

Example 1: R1 SSH Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

This lab does require that you do a little subnetting math. It is the same math as an earlier similar lab that instead focused on Telnet, so you can skip the explanation if you remember the details.

The requirements state the routers use the highest IP addresses in each subnet, but the lab did not list the specific IP address to be used for each router interface. R1 needs IP addresses for each interface, but to meet the requirements of the lab, it only needs an IP address on its G0/0 interface, which is shown in subnet 172.18.1.0/26. That subnet has a range of usable addresses from 172.18.1.1 - 172.18.1.62, so the configuration uses the .62 address for R1's G0/0.

To support SSH, the router must use a username and password; it cannot use simple password checking. The router also needs an authentication key, which requires the router to have an IP domain name configured. All three tasks require separate global configuration commands.

On the vty lines, you need to override a few defaults. First, the router vty lines need to be configured to use the local username database (login local) rather than simple password authentication. Second, Cisco router VTYs default to use the transport input none command, which means that the routers accept neither Telnet nor SSH input through the VTYs. You should override this command to enable input for both Telnet and SSH (transport input telnet ssh or transport input all).
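As an added example (my own code, not part of the lab or the author's materials), the following Python script covers both points above: it computes the highest usable address the lab calls for from the subnet, and then audits a constructed running config (the Example 1 answer, with the sample config and check names being my own) against the non-default requirements the answer explains.

```python
import ipaddress
import re

# Constructed sample: the lab's Example 1 answer as a running config. The
# crypto key generate rsa command is not stored as a config line, so a
# config audit like this one cannot see whether the key exists.
R1_CONFIG = """\
hostname R1
ip domain-name certskills.com
username Wendell password youllneverguessit
interface GigabitEthernet0/0
 no shutdown
 ip address 172.18.1.62 255.255.255.192
line vty 0 15
 login local
 transport input all
"""

def highest_host(cidr: str) -> str:
    """Numerically highest usable host address: the broadcast address minus one."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.broadcast_address - 1)

def check_ssh_config(config: str, lan_subnet: str) -> list:
    """Return the lab requirements the config fails; an empty list means all met."""
    problems = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        problems.append("no ip domain-name (needed before RSA key generation)")
    if not re.search(r"^username \S+ (password|secret) ", config, re.M):
        problems.append("no local username for login local")
    want = highest_host(lan_subnet)
    m = re.search(r"^interface GigabitEthernet0/0\n(?: .*\n)*? ip address (\S+) ",
                  config, re.M)
    if not m or m.group(1) != want:
        problems.append(f"G0/0 should use {want}")
    # Every 'line vty' block must use the local database and allow SSH in.
    for block in re.findall(r"^line vty [^\n]*\n((?: .*\n)*)", config, re.M):
        if "login local" not in block:
            problems.append("vty lines do not use login local")
        t = re.search(r"transport input (.+)", block)
        if not t or not ({"ssh", "all"} & set(t.group(1).split())):
            problems.append("vty transport input does not allow ssh")
    return problems

if __name__ == "__main__":
    print(highest_host("172.18.1.0/26"))
    print(check_ssh_config(R1_CONFIG, "172.18.1.0/26") or "all requirements met")
```

Paste your own show running-config output in place of the sample string to check a configuration built in Packet Tracer or CML; a vty block left at login with a line password, or limited to transport input telnet, is reported.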

Known Issues in this Lab

This section of each Config Lab Answers post aims to help by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

  1. Summary: Copying the crypto key command into config mode.
     Detail: Packet Tracer rejects the command crypto key generate rsa modulus 768 when either typed or pasted into config mode. Instead, use the command crypto key generate rsa, press Enter, and PT will prompt for the modulus setting.


Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration, but without performing all the same tasks an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices, so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface, the Command Line Interface (CLI), without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab's Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.

  1. Open a command prompt on the PC and test connectivity to R1's G0/0 IP address using the ping command.
  2. If successful, test SSH using the ssh -l username ip-address command, substituting the SSH username you configured and the R1 IP address. If successful, you should be prompted for a password, and if you supply the password you just configured, you should reach the user mode prompt of the router.

More Labs with Related Content!

Config Lab: Telnet Config
Config Lab: Switch Duplex and Speed
20 Comments
almeidajoaodealmeida

Hi Mr Odom,
What domain should be used ?

certskills

Hi,
Feel free to call me Wendell, by the way…
The value is unimportant. What is important is that you must have a domain name before the device can generate its SSH key. So, use certskills.com, example.com, yourname.com, whatever you like.
Wendell

David

Hello,

Couple questions here. It is implied that at this point through the book and labs you’ve set up that we would have some sort of understanding of subnetting. I dont think through parts 1-2 that the book has gone over this yet. Maybe it is not intended to be going through labs yet but I figured after each book “part” you would go and complete the related labs for those part chapters. Luckily I already understand subnetting but could be confusing for future end users.

Secondly, maybe I missed it but as far as actually using SSH to enter the router from PC1..Im not sure it was explained as to how to actually complete this. I looked it up elsewhere and was able to establish the connection with a ssh -l hostname ip-address but I would not have been able to complete this from reading so far in the book alone. Am I missing something as a prerequisite or is this intended to be more of a learn as you go type of deal. Loving the book and coursework so far. Thanks for your help.

David

certskills

Hi David,
Thanks for the note, and glad you’re loving the book!
As for your two comments:
For the first one, I assigned the lab to the wrong location. I would normally want people to have read about the topic before a lab requires the topic in the lab. My mistake, now fixed.
On your second point, I’m glad you found the SSH client command for Windows. I probably just get a bit too dogmatic about writing the book by keeping to the exam topics, but the lab could certainly mention how to test. FYI, you can always test w/ router or switch SSH commands – see the end of Chapter 18 Vol 1 for those. E.G, you can ssh from the router CLI to itself to test SSH. I’ll add something to the lab in just a sec.
Thanks again,
Wendell

St_David

The router needs an IP address, so use the numerically highest IP address in the subnet.
More to David,
Isn't there a hint for the router's IP in PC1's pre-configured default gateway? 🙂

certskills

Ha, just went to add the SSH command, and it's already there. Just look in the "Verification Tips..." tab. Which is where I went to add it anyway. 🙂
Thanks again,
Wendell

Emil Gasanov

telnet {hostname | ip address} – to connect from cmd/cli
ssh -l username ip-address – to connect from cmd/cli
ssh username@ip-address – to connect from macos terminal

Thabo Sam

Hey there. I do not understand why you used the crypto key, username/password and the domain name commands there. Please give me an example.

Albert

Hi Wendell, I was wondering if it'd be more accurate to use a cryptographic key length of 768 instead of 512, since the lab requirements. Best regards.

GJM

I think I got everything here correct on the first try, albeit with lots of ?'s typed at the CLI command prompt lol. The only thing I did differently was restrict the transport type to SSH only.

Jay Mahannah

I love the repeating of the SSH setup; it has been a few chapters and this was a good time to review that!

jeff

Wendell,

Upon downloading the Packet Tracer files, it appears they are no longer supported/incompatible with the current edition of Packet Tracer. Is there a fix in the works or perhaps a way to roll back my version of Packet Tracer?

jeff

Thanks for the quick reply!

I was mistaken, I'm running a dated version (7.3). Apologies.

Nick

Hi Wendell!

Is the line vty command `transport input all` a required non-default command?

Thank you so much for your CCNA volumes, they have been extremely valuable study materials 🙂

Nick

Thanks for the knowledge! I’ll be sure to pass all this wisdom on when I can

sana

is using transport input ssh not enough for this lab ?

ERMUNDO C RUSSELL

Hey Wendell

When I try and SSH into R1 from PC1 the CLI says invalid command. See the paste below

C:\>ssh -1 Wendell 172.18.1.62
Invalid Command.

Also, I configured R1 in line vty 0 15 with the transport input all command, but I don't see it in the running config.

line vty 0 4
login local
line vty 5 15
login local
!
!
!
end

ERMUNDO C RUSSELL

Fantastic. Thank you. I wound up figuring out it was an L instead of a 1 through trial and error. Thanks for that default reminder.
