TRANSCRIPT: Welcome to this CCDA lab, where we’ll be looking at some of the security best practices for networks, including enabling SSH, AAA, and NTP.
So in this lab we have a very simple setup. We have two routers connected to each other via the FastEthernet interfaces. So if I come to this guy … So say, console, and then if I do a show ip interface brief … So this guy has this IP address, and he also has this loopback interface. Let me see if I can ping the other guy, which will be 12.2. All right, so I can ping.
Now the first thing we want to do, let’s try to telnet. As you can see, telnet, it says the port is open, but password is required, and since none is set, then it didn’t give us access to that guy.
So let’s come here. Now the first thing you want to understand is telnet is not secure, right. So as much as possible, don’t use or enable telnet on your network, use SSH instead.
Now to enable SSH, we need to configure a host name, and a domain name. So domain name, and then let’s just say, example.com. And the reason we need to do that is we need to generate RSA keys. So we go to crypto key generate, and then … of course RSA, and then we can generate two types of keys, general keys or usage keys. For this, you want to generate general keys, and you want to specify a modulus that is greater than 768. Because for SSH there are two versions, version 1 and version 2. Anything lower than 768 would enable only version 1. So you need something greater than 768 for version 2. So I’m just going to say 1024. Once the keys have been generated, then you can see that it says, SSH has been enabled.
But right now, it has enabled both. So if I do a show IP SSH, it has enabled … So, right now it says version 1.99, it has enabled both version 1 and version 2. I can actually just restrict it to version 2, like that. IP SSH version 2, right. So as you can see, it says SSH enabled version 2. Version 1.99 means it will support both 1 and 2. All right. Now once you turn on SSH, unlike telnet that requires only a password, SSH will require both a password and a username. So a username and a password. So let’s create one here. I will just use the privilege of 15, that’s the highest, and set the secret to ‘cisco123.’ So, now I will come under the VTY line, and say, login local.
So what this will do is, it will check the local database for the login credentials. Yeah. And another thing that you could do to be more restrictive, is to specify what kind of protocol can be used for remote access. Right now by default, it’s all protocols. But let’s just say we will restrict it to just SSH. So if I go back to R1 and I try to telnet again, since we’ve restricted it to just SSH, you can see that it says, connection refused. But we can SSH … we can use the -l option to specify the username. So you must specify a username when you’re connecting from a Cisco router. So let’s say this, and then the address is 12.2. And then it asked me for a password, ‘cisco123.’ If I do a show privilege, I have privilege 15. And if I do a who, I can see the IP address I’m connecting through, right. Cool.
So let’s exit out of here. Now to make it a bit more restrictive, usually you have a network administrators’ subnet, an IP address block or one IP address that belongs to the network administrators. So those are the people who should manage your devices. You don’t just want anybody to be able to connect to your devices. So you can be a bit restrictive. We can use the access-class command. Now, for the access class you would specify a standard access list. It could be a numbered access list or a named access list. So, let’s come here and say, access list, let’s just say, 20. And we’ll permit only the … let’s see, show ip interface brief. Let’s permit only the loopback interface of R1 to be able to connect to R2.
So I can say host 1.1.1. And then I would come under here, line vty 0 4, and then say, access-class 20. I need to specify whether it is inbound or outbound, so inbound. All right. So what will happen now is by default, R1 will try to connect using its FastEthernet 0/0 interface. So, if I do that, it will be refused, right. So I can come here, and specify the source interface. So loopback 0, and then let’s see now. All right, ‘cisco123.’ And then as you can see, if I do a who, it tells me I’m connected through the loopback interface, right. Okay. Cool. So let’s exit out of here. Now, another thing you can do is to enable AAA. So AAA stands for Authentication, Authorization and Accounting. And you need to be careful with AAA, once you enable AAA you need to … at least, I usually have a backup username and password in the local database, which we already do.
So we just say, AAA new model. Now once you enable AAA … So let me do a show run, section line. Once you enable AAA … As you can see, our login local has cleared from here. Because once you’re using AAA, then you must configure AAA method list. But by default, local database authentication will be required for the VTY lines, but nothing will be required for your console. So right now, even though I don’t have anything, I have not configured any method list, if I come back to R1 and try to SSH … So, ‘cisco123,’ as you can see I gained access, but compare this to this, you will notice here, my privilege … So if I do a show privilege, my privilege is level 1, right. So that’s because by default it’s only authentication it’s doing, authorization has not been configured.
So, what I’m going to do now is, let’s create an authorization method list. So, for exec, so every time you are trying to gain authorization for the exec. I will just leave it as default. And then where do I want to check. I could use RADIUS, so to specify a server group, or in this case I’m just going to say local. So what I’m going to do is telnet again. So if I do a show run, section username, it’s going to use this privilege level, right. Since that’s what is in the local database. So if I do that, ‘cisco123,’ and then if I do a show privilege, as you can see my privilege level is now 15. Cool.
So for AAA, you probably also want to use either a RADIUS server or a TACACS server or something like that. This is just the simplest thing that you could do, using the local database, right. All right. Now the last thing that we’re going to do is NTP. So, let’s look at the clock on this guy. Show clock. As you can see the time is 2002. So I’m going to set the clock to the current time. So it’s 14:36:00, today is the 8th of January 2018. So now if I show clock, that’s the time there. So I’m going to configure this guy as the NTP master, and this guy would get his time from … So R2 will get its time from R1. Right now, the time on this guy is 2002. So, I’m going to come here and say, NTP master, right. And then I will just come to this guy and configure NTP server 10.0.12.1.
Now sometimes NTP on GNS3 doesn’t always work initially, and it could take some time to work. But let’s see if it works now. As you can see, it shows that we’ve configured it and it’s a candidate, but it hasn’t synchronized yet. So if I were to check the status … Okay, right now it says the clock is synchronized. So, if we were to say, do a show clock, and then you can see that it has collected its time from R1. Now NTP, or synchronizing your time across your devices, is very good. Especially for logging purposes, and maybe for digital certificates, right. Cool.
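As an added example (not part of the lab or its downloadable config files), here is a small Python audit that checks a running-config for the hardening items walked through above: domain name and a privilege-15 local user for SSH, SSH version 2 only, VTY lines restricted to SSH with an inbound access-class, AAA with an exec authorization method list, and an NTP source. The sample config text, the check names and the placeholder secret hash are assumptions I constructed to resemble R2's end state.

```python
import re

# Constructed sample resembling R2's running-config at the end of the lab.
SAMPLE_CONFIG = """\
hostname R2
ip domain-name example.com
username admin privilege 15 secret 5 $1$placeholder$hash
aaa new-model
aaa authorization exec default local
ip ssh version 2
access-list 20 permit host 1.1.1.1
line vty 0 4
 access-class 20 in
 transport input ssh
ntp server 10.0.12.1
"""
# Global (non-line) items from the lab, as regexes anchored to whole config lines.
GLOBAL_CHECKS = {
    "domain_name": r"^ip domain-name \S+$",
    "local_user_priv15": r"^username \S+ privilege 15 secret",
    "ssh_v2_only": r"^ip ssh version 2$",
    "aaa_enabled": r"^aaa new-model$",
    "aaa_exec_authz": r"^aaa authorization exec default",
    "ntp_configured": r"^ntp (server|master)",
}

def vty_lines(config):
    """Return the indented child commands of every 'line vty' block."""
    children, in_vty = [], False
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            in_vty = True
        elif raw.startswith(" ") and in_vty:
            children.append(raw.strip())
        else:
            in_vty = False  # any other top-level command ends the block
    return children

def audit(config):
    """Return {check_name: passed} for the hardening items covered in the lab."""
    result = {n: bool(re.search(p, config, re.M)) for n, p in GLOBAL_CHECKS.items()}
    vty = vty_lines(config)
    transport = [l for l in vty if l.startswith("transport input")]
    # IOS allows all protocols when 'transport input' is absent, so missing == telnet reachable.
    result["vty_ssh_only"] = bool(transport) and all(l == "transport input ssh" for l in transport)
    result["vty_access_class"] = any(re.fullmatch(r"access-class \S+ in", l) for l in vty)
    # 'aaa new-model' removes 'login local'; either one means VTY logins hit a user database.
    result["vty_requires_login"] = result["aaa_enabled"] or "login local" in vty
    return result
```

Feed `audit()` the output of `show running-config` saved to a file; any `False` entry is one of the lab's steps that is still missing on that device.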