Welcome back to this CCNA Prep video series where we have been looking at some of the scenario based objectives on the 200-120 exam.

In this video, we will discuss remote access management on Cisco routers including how to use protocols like Telnet and SSH. We will also see how to set timeout values for inactive terminal sessions.

New tutorial videos are posted every Monday, so keep checking back!

If you have any questions, or would like to suggest topics for future videos, please leave them in the comments section below.

Further reading:

CCNA Training – Resources (Intense)

Video Transcript:

In this video, we will discuss remote access management on Cisco routers including how to use protocols like Telnet and SSH.

So far in this video series, we have configured routers via the console. In GNS3, this is as simple as right-clicking on the router and selecting Console. On real devices, however, this involves connecting a cable to the console port and using a terminal emulation application like PuTTY to configure the device.

Another way to manage devices is using remote access protocols such as Telnet and SSH to connect to that device. The word remote means we do not need to be physically connected to the device; management is done over a network. On Cisco devices, the VTY lines are the ones that allow us to remotely manage devices.

We will begin by discussing Telnet which operates over TCP port 23. Let’s take a look at the default configuration on the VTY lines.

“line vty 0 4” means there are five VTY lines on this router: 0, 1, 2, 3 and 4.

Because of the “login” command under these lines, the router will require authentication for remote connections, but since no password is set by default, remote connections will not be accepted by default. Let’s test this out.

I can initiate a Telnet connection from a Cisco router, so let’s go to the ISP router and telnet to this OFFICE router. The simplest form of the command is telnet followed by the IP address. As you can see, it gave me this message: “Password required, but none set”, even though port 23 was open.

Let’s remedy that. I will just configure a password under the VTY lines. You can specify a different password per line if you wish, although that doesn’t really make sense, since you won’t know which VTY line you will land on when you open a remote connection. As we did for the console, we just use the “password” command.

Now let’s go back to the ISP router and telnet again. This time we are required to enter a password, so we enter the one we just configured. As you can see, we are now in User EXEC mode on the OFFICE router.

There is a problem with Telnet though: it is an unencrypted protocol, meaning that everything, including passwords, is sent in clear text. This means that anyone sniffing traffic on your network can capture sensitive information.

This brings us to the second commonly used remote access protocol – Secure Shell, or SSH. It uses TCP port 22 and provides encryption. There are a few things we need to do to enable SSH on a Cisco router:

1. We need to configure a hostname. We have already done that on this router.

2. We need to configure a domain name. Let’s configure a domain name of example.com.

We can also use the “ip domain-name” command, with a hyphen; both achieve the same thing, although the version without the hyphen appears to be the newer form of the command.

3. We need to generate RSA keys that will be used for encryption. We do this using the “crypto key generate rsa” command. Generating RSA keys automatically enables SSH. There are two versions of SSH, version 1 and version 2. If you generate a key size of less than 768 bits, SSH version 1 will be enabled. Cisco recommends using SSH version 2 and a key size of not less than 1024 bits, so let’s use that.

As you can see, the key is named after the hostname and the domain name (hostname.domain-name), which is why we needed to configure those first.

With these, SSH is now enabled on our router. If SSH support was disabled on your terminal lines, you can use the “transport input” command to enable it again.

However, there is one more thing we need to do. Unlike Telnet, which allows authentication with only a password, SSH requires a username and password combination. We can add usernames to the router’s local database, although we can also use external authentication servers.

The command to add usernames is “username &lt;name&gt; password &lt;password&gt;” or “username &lt;name&gt; secret &lt;password&gt;”. Just like the enable secret, using the secret option is more secure than using the password option.

Now let’s test. Cisco routers have an SSH client, so we can test from the ISP router. The format is ssh, then the options, then the host we want to connect to. We can use the -v option to specify the SSH version we want to use. However, the only required option when using a router as the client is -l, which allows us to specify the username.

So I will enter the password ciscossh. Again, and then again. Finally, we see the authentication failed message.

The problem is that the default “login” command under the VTY lines enables authentication only against the password configured on those lines. For SSH to work, we need to enable authentication against the local database or AAA. We do this by adding the local option, giving “login local”.

Now let’s try again.

Cool stuff.

Before I end this video, I would like to talk about the “exec-timeout” command. We use this command under terminal lines to set how long an inactive terminal session remains open before it is disconnected. It is common for administrators to log into devices and leave their connections open and unprotected, available to any unauthorized user who has access to their computers.

Let’s test this command. I will configure an exec-timeout value of 10 seconds and then open a remote connection to this device.

As you can see, after 10 seconds of inactivity, the session is disconnected. You can use “exec-timeout 0 0” to ensure that an inactive session never times out.
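To tie the Telnet, SSH and exec-timeout discussion together, here is an added example that is not from the video or from Cisco: a small Python audit that reads an IOS-style running-config and flags the weak remote-access settings covered above (Telnet still allowed by “transport input”, VTY authentication still relying on the line password instead of “login local”, a user created with “password” rather than “secret”, “exec-timeout 0 0”, and SSH version 2 not pinned). The two config fragments are constructed for the example, the hostname and user are made up, the secret hash is a placeholder, and the “ip ssh version 2” check uses a real IOS command that the video itself does not show.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragments (not captured from any real device).
# The first reflects the "works, but weak" state from the walkthrough: a VTY
# line password, Telnet permitted, a reversible 'password' user and no timeout.
WEAK_CONFIG = """\
hostname OFFICE
!
username admin password 0 cisco123
!
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
 transport input telnet ssh
!
"""

# The second reflects the end state the video builds up to, plus a finite
# idle timeout instead of 'exec-timeout 0 0'. The hash is a placeholder.
HARDENED_CONFIG = """\
hostname OFFICE
ip domain name example.com
ip ssh version 2
!
username admin secret 5 $1$PLACEHOLDER$not-a-real-hash
!
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split IOS-style text into blocks: every unindented command becomes a key
    and the indented commands that follow it are stored as its children."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_remote_access(config: str) -> List[str]:
    """Return human-readable findings for the remote-access settings discussed above."""
    sections = parse_sections(config)
    findings: List[str] = []

    # Without 'ip ssh version 2' the router may still accept an SSHv1 session.
    if "ip ssh version 2" not in sections:
        findings.append("global: 'ip ssh version 2' not set, SSHv1 may still be negotiated")

    # 'username X password Y' stores a reversible (type 7 or clear) string; 'secret' hashes it.
    for cmd in sections:
        m = re.match(r"username (\S+) password\b", cmd)
        if m:
            findings.append(f"global: user {m.group(1)} uses 'password' (reversible) instead of 'secret'")

    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        # Telnet is only excluded when transport input is explicitly restricted to ssh.
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(f"{header}: Telnet (TCP/23) not excluded by 'transport input ssh'")
        # Plain 'login' checks the line password only; SSH needs 'login local' or AAA.
        if "login local" not in children and not any(c.startswith("login authentication") for c in children):
            findings.append(f"{header}: authentication relies on the line password ('login'), not the local database or AAA")
        # 'exec-timeout 0 0' (or 'exec-timeout 0') disables the idle timeout entirely.
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is not None:
            parts = timeout.split()[1:]
            minutes = int(parts[0]) if parts else 0
            seconds = int(parts[1]) if len(parts) > 1 else 0
            if minutes == 0 and seconds == 0:
                findings.append(f"{header}: 'exec-timeout 0 0' means idle sessions never close")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_remote_access(cfg) or ["no findings"]:
            print(" -", finding)
```

Running the script lists five findings for the weak fragment and none for the hardened one. The audit deliberately treats a missing “transport input” as a finding rather than assuming a platform default, since the default varies between IOS releases; the safe state is the explicit “transport input ssh” the video describes.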

This brings us to the end of this video where we have discussed remote connectivity protocols including Telnet and SSH. We have also seen how to configure a timeout for inactive sessions.

I hope you have found this video informative and I look forward to the next one in the series.