Introduction to remote login
In many cases you cannot sit at the console port of a device to manage it, and the CLI has to be reached remotely over Telnet or SSH instead. Remote access goes through the device's virtual terminal (VTY) lines, so those must be configured first: which protocols they accept, how they authenticate, and ideally which source addresses may reach them.
1. Telnet: runs over TCP, port 23, and provides a plain remote terminal. Everything it carries, including usernames, passwords and the commands typed afterwards, crosses the network in cleartext, so anyone who can sniff the path can read or alter the session. Its only merit is simplicity; it belongs in isolated labs, not on production management paths.
2. SSH: runs over TCP, port 22. The server's host key (an RSA key pair on IOS) authenticates the device and protects the key exchange; the session itself is then encrypted with a negotiated symmetric cipher, and optional compression can be enabled. Two protocol versions exist. Version 1 has known weaknesses (its CRC-32 integrity check allows an attacker to insert data into a session) and should not be used. Version 2 fixes these problems and is not backward compatible with version 1; an IOS device that accepts both reports itself as version 1.99, which is why the configuration below pins the server to version 2.
Topology:
1. Telnet remote login
A VTY line can authenticate in several ways: no authentication at all (no login), a shared line password (password plus login), the local username database (login local), or AAA (aaa new-model with login authentication, which can also point at a RADIUS or TACACS+ server). Section 1.3 below, which the original labels "AAA", actually configures the local username database. Independently of authentication, transport input selects which protocols the line accepts:
R1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
1.1 Telnet login with a line password
The first step is to configure the router
Router>enable
Router#conf terminal
Router(config)#hostname R1
R1(config)#no ip domain lookup    //Disable DNS lookups so a mistyped command is not treated as a hostname and left hanging on a resolution attempt
R1(config)#interface GigabitEthernet 0/0    //Enter the router's Ethernet interface; 0/0 is slot 0, port 0
R1(config-if)#ip address 172.16.1.3 255.255.255.0    //Configure the interface IP address and mask
R1(config-if)#no shutdown    //Bring the interface up; router interfaces are administratively down by default
The second step is to configure Telnet for the router
R1(config)#line vty 0 4    //Enter the VTY lines; "0 4" covers lines 0 through 4, i.e. five simultaneous remote sessions
R1(config-line)#password 111    //Set the line password, i.e. the Telnet login password (a deliberately weak lab value)
R1(config-line)#login    //Require the line password at login
R1(config-line)#transport input telnet    //Accept Telnet only. The default transport varies by platform and IOS version, so state it explicitly rather than relying on the default
R1(config-line)#exit
R1(config)#enable password cisco    //Password for privileged mode; enable secret is the better choice (see the Extension below)
Note: if no privileged-mode password is configured, a remote session that enters enable is rejected with "% No password set". (Users created with privilege 15 and authenticated with login local are placed in privileged mode directly and do not hit this check.)
The third step, verify Telnet login on PC
C:\>telnet 172.16.1.3
Trying 172.16.1.3 ...Open

User Access Verification

Password:
R1>enable
Password:
Entering the line password gives user mode on R1; the enable password is then required to reach privileged mode. Both passwords were just sent across the network in cleartext.
1.2 Telnet passwordless login
By default, login is enabled on the VTY lines. If login is removed, anyone who can reach the address gets a shell on the device without entering any password. This is shown only to illustrate what the command does; never leave a device in this state outside an isolated lab.
R1(config)#line vty 0 4
R1(config-line)#no login
Verify the passwordless login on the PC, log in successfully, and enter the user mode of the remote device.
C:\>telnet 172.16.1.2
Trying 172.16.1.2 ...Open
R1>
1.3 Telnet login with a username and password (local authentication)
To switch the same device to a different authentication method, simply configure the new one on the line: login local replaces login, and no password removes a line password that is no longer needed. Wiping the device with erase startup-config (which clears NVRAM) followed by reload is not required for this and should be reserved for rebuilding a device from scratch.
R1(config)#username 111 privilege 15 password 111@    //Username, password and privilege level for Telnet login; privilege 15 lands the user in privileged mode directly (prefer "secret" over "password" outside a lab)
R1(config)#line vty 0 4
R1(config-line)#login local    //Authenticate against the local username database
R1(config-line)#transport input telnet    //Accept Telnet only
verify:
C:\>telnet 172.16.1.3
Trying 172.16.1.3 ...Open

User Access Verification

Username: 111
Password:
R1#
Both a username and a password are now required, and because the user was created with privilege 15 the session lands directly in privileged mode (R1#) without an enable password.
Extension
Both enable secret and enable password set the password for privileged mode, but they store it differently. enable password keeps it in cleartext (type 0), or as a trivially reversible type 7 string when service password-encryption is on; enable secret stores a one-way hash (type 5 MD5 on older IOS, type 8 or 9 scrypt-based hashes on current releases). In show running-config the password form is readable, the secret form shows only the hash. If both are configured, enable secret takes precedence. The same distinction applies to username ... password versus username ... secret.
Which protocols a line accepts is controlled by transport input: ssh for SSH only, telnet for Telnet only, all for both.
2. Configure SSH login
Continue to configure SSH login on the router configured with Telnet. The router IP has been configured before when configuring Telnet and will not be configured here.
R1#conf terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username admin privilege 15 password admin@    //Username, password and privilege level for SSH login (use "secret" instead of "password" outside a lab; see the Extension above)
R1(config)#ip domain-name cisco.com    //Domain name; the RSA key is named <hostname>.<domain-name>, so hostname and domain must both be set before generating it
R1(config)#crypto key generate rsa    //Generate the RSA key pair; SSH version 2 requires a modulus of at least 768 bits
The name for the keys will be: R1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024    //1024 satisfies the SSHv2 minimum; 2048 is the sensible choice on current deployments
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#ip ssh version 2    //Restrict the server to SSH version 2; IOS refuses this with a "Please create RSA keys" message if run before a suitable key exists, which is why key generation comes first
R1(config)#ip ssh authentication-retries 2    //Failed authentication attempts allowed per connection
R1(config)#line vty 0 4
R1(config-line)#login local    //Authenticate against the local username database
R1(config-line)#transport input ssh    //Accept SSH only; "transport input all" would also keep Telnet, which re-exposes cleartext credentials
verify:
S1>ssh -l admin 172.16.1.3
Password:
R1#
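Putting the Telnet and SSH steps together, here is a complete, hardened VTY configuration for the router as an added example (it is not part of the original page). It assumes the hostname R1, the domain example.com, a management subnet of 172.16.1.0/24 and the placeholder passwords shown in angle brackets; replace all of these for a real device. Beyond the page's own commands it adds hashed secrets, an access-class ACL so only the management subnet can open a VTY session, an idle timeout, and a 2048-bit key generated non-interactively.

```cisco
! Added example, not from the original page. Assumed values: hostname R1,
! domain example.com, management subnet 172.16.1.0/24, placeholder secrets.
hostname R1
ip domain-name example.com
!
! The key is named <hostname>.<domain-name>, so both must be set first.
! Giving the modulus on the command line skips the interactive prompt.
! 2048 bits clears the 768-bit SSHv2 minimum with margin.
crypto key generate rsa modulus 2048
!
! Pin the server to version 2; this only succeeds once the key above exists.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! "secret" stores a hash; "password" is cleartext or reversible type 7.
enable secret <REPLACE-WITH-ENABLE-SECRET>
username admin privilege 15 secret <REPLACE-WITH-ADMIN-SECRET>
!
! Only the management subnet may reach the VTY lines; other attempts are logged.
ip access-list standard MGMT-VTY
 permit 172.16.1.0 0.0.0.255
 deny   any log
!
line vty 0 4
 login local
 transport input ssh
 access-class MGMT-VTY in
 exec-timeout 10 0
 logging synchronous
```

After applying it, show ip ssh should report the server as version 2.0, show crypto key mypubkey rsa shows the generated key, and a Telnet attempt to the router must now be refused. The number of VTY lines available (here 0 4) is platform-dependent; apply the same line settings to every VTY line the platform provides.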
Extension
Telnet and SSH can be configured on a switch in the same way as on a router. The one difference is that a Layer 2 switch has no routed interfaces, so it needs a management IP address.
Configure the switch's management IP address on the same network segment as the administrator's computer. On a Layer 2 switch this address is used only for remote management; switching works without it, but without a management address the switch can only be configured locally through the console port.
By default all ports of the switch belong to VLAN 1, which the switch creates automatically. A Layer 2 switch uses a single active switched virtual interface (SVI) as its management address, so to set it you enter interface vlan 1 (or the SVI of a dedicated management VLAN, which is preferable in production), apply ip address, and bring the SVI up with no shutdown, since it is administratively down by default on Catalyst switches. Computers in VLAN 1 can then Telnet or SSH to that address directly. For hosts on other network segments to reach the switch, a default gateway must also be configured with ip default-gateway.
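The complete switch-side configuration, as an added example that is not from the original page: SSH-only management on a Layer 2 switch with the management address on VLAN 1. It assumes the hostname S1, the domain example.com, the management address 172.16.1.10/24, a gateway at 172.16.1.1 and placeholder secrets; change all of these for a real device.

```cisco
! Added example, not from the original page. Assumed values: hostname S1,
! domain example.com, SVI address 172.16.1.10/24, gateway 172.16.1.1.
hostname S1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
enable secret <REPLACE-WITH-ENABLE-SECRET>
username admin privilege 15 secret <REPLACE-WITH-ADMIN-SECRET>
!
! The SVI is the switch's management address. On Catalyst switches it is
! administratively down by default, so "no shutdown" is required.
interface vlan 1
 ip address 172.16.1.10 255.255.255.0
 no shutdown
!
! Without a gateway the switch can only reply to hosts in 172.16.1.0/24.
! ip default-gateway is the right command on a Layer 2 switch (ip routing off).
ip default-gateway 172.16.1.1
!
! Catalyst switches typically expose 16 VTY lines (0 through 15).
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
```

To move management off VLAN 1, create the management VLAN, put the SVI on that VLAN instead of interface vlan 1, and keep the rest unchanged; an access-class ACL on the VTY lines, as in the router example, restricts which hosts may connect.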