NetworkJutsu

Networking & Security Services | San Francisco Bay Area

IOS

How to enable SSH on Cisco Routers and Switches

10/18/2011 By Andrew Roderos

UPDATE: Please read my updated post regarding SSH on Cisco IOS.

In my previous blog post, I talked about one of the things a network engineer must do to harden Cisco routers and switches. Today I am adding another item to the list, and I will keep adding to it to raise the importance of security.

As the title says, I am going to show you how to enable SSH on Cisco IOS devices. The commands are much the same across IOS versions; if the commands listed here don't work on yours, use the IOS help menu.

Most, if not all, network engineers know that Telnet sends data in clear text, so usernames and passwords are up for grabs. Imagine an unauthorized user logging into the company's Cisco IOS devices, deleting the configuration and rebooting them. When that happens, someone is going to be let go pretty soon.

To enable SSH on Cisco IOS, the IOS image must include the crypto feature set. If your IOS does not support crypto, you're out of luck. If you have a SMARTnet contract, I suggest you upgrade the IOS. For legacy hardware that cannot run a crypto image, the only choice is to replace it with newer hardware. Check the Cisco Feature Navigator to see whether your IOS supports the crypto feature.

Enabling SSH on Cisco IOS

Without further delay, below are the commands to enable SSH on Cisco IOS. With this method, Cisco IOS requires you to set the host name and domain name first, because both are used to name the RSA key pair.

Router(config)#host R1
R1(config)#ip domain name domain.com
R1(config)#crypto key generate rsa general-keys modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

Alternatively, you can enable SSH without specifying a domain name by giving the key pair a label and pointing the SSH server at it, as shown below. In this case, I am using a 4096-bit key size for the RSA keys.

R1(config)#crypto key gen rsa modulus 4096 label SSH_KEY
The name for the keys will be: SSH_KEY
% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 103 seconds)
R1(config)#
*Dec 15 20:38:36.581: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh rsa keypair-name SSH_KEY
R1(config)#
*Dec 15 20:39:38.227: %SSH-5-DISABLED: SSH 1.99 has been disabled
*Dec 15 20:39:38.228: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#ip ssh ver 2
R1(config)#line vty 0 15
R1(config-line)#transport input ssh

While the transport input ssh command is not strictly needed for SSH to work, it is recommended so that Telnet is disabled altogether. By default, line vty 0 15 has transport input all configured, which is not shown in the running or startup configuration, and that default allows either SSH or Telnet.

Final Words

Hopefully, this will be part of your standard configuration for all the Cisco routers and switches you have. Telnet is considered a security risk, so enabling SSH and disabling Telnet mitigates that risk on your network.

I hope this has been helpful and thank you for reading!

Disclosure

NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.

Configure Frame Relay Switching on a Cisco router

10/16/2011 By Andrew Roderos

Whether you are building a CCIE home lab or not, this will help you configure a Cisco router to act as a Frame Relay switch.

To better understand the topology of this particular scenario, I attached a Visio diagram below.

Without further ado, here are the commands to turn your Cisco router to a Frame Relay switch.

FR(config)#frame-relay switching
!
interface serial 1/1
 description R1 to R2 and R1 to R3
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 102 interface serial1/2 201
 frame-relay route 103 interface serial1/3 301
!
interface serial 1/2
 description R2 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 201 interface serial1/1 102
!
interface serial 1/3
 description R3 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 301 interface serial 1/1 103
!
end
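As an added example (not part of the post), here is a Python check for the Frame Relay switch configuration above. It parses the frame-relay route statements and confirms that every DLCI mapping has a matching return route on the far interface (a PVC is two one-way mappings), that no incoming DLCI is routed twice, that every interface used is configured as DCE, and that frame-relay switching is enabled globally. The config text is copied from the post with the prompt removed; the interface-name normalization (serial 1/1 and serial1/1 treated as the same port) is this script's own.

```python
import re

# Constructed input: the Frame Relay switch configuration from the post above,
# with the CLI prompt removed so that it reads as a config fragment.
SWITCH_CONFIG = """\
frame-relay switching
!
interface serial 1/1
 description R1 to R2 and R1 to R3
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 102 interface serial1/2 201
 frame-relay route 103 interface serial1/3 301
!
interface serial 1/2
 description R2 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 201 interface serial1/1 102
!
interface serial 1/3
 description R3 to R1
 encapsulation frame-relay
 clock rate 128000
 frame-relay lmi-type cisco
 frame-relay intf-type dce
 frame-relay route 301 interface serial 1/1 103
!
end
"""


def normalize_if(name):
    """Treat 'serial 1/1', 'serial1/1' and 'Serial1/1' as the same port."""
    name = re.sub(r"\s+", "", name).lower()
    return name[0].upper() + name[1:]


def parse_fr_switch(text):
    """Return (switching_enabled, set_of_dce_interfaces, list_of_routes).

    Each route is (in_if, in_dlci, out_if, out_dlci), as written in the
    'frame-relay route' statement under the incoming interface.
    """
    switching, dce, routes, current = False, set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "frame-relay switching":
            switching = True
        elif line.startswith("interface "):
            current = normalize_if(line[len("interface "):])
        elif line == "frame-relay intf-type dce" and current:
            dce.add(current)
        elif line.startswith("frame-relay route ") and current:
            # tokens: frame-relay route <in-dlci> interface <name ...> <out-dlci>
            parts = line.split()
            out_if = normalize_if(" ".join(parts[4:-1]))
            routes.append((current, int(parts[2]), out_if, int(parts[-1])))
    return switching, dce, routes


def check_fr_switch(text):
    """Return a list of problems; an empty list means the PVCs are consistent."""
    switching, dce, routes = parse_fr_switch(text)
    problems = []
    if not switching:
        problems.append("frame-relay switching is not enabled globally")
    route_set = set(routes)
    seen, reported_dce = set(), set()
    for in_if, in_dlci, out_if, out_dlci in routes:
        if (in_if, in_dlci) in seen:
            problems.append(f"{in_if} dlci {in_dlci} is routed twice")
        seen.add((in_if, in_dlci))
        # A PVC is two one-way mappings; the far side must route it back.
        if (out_if, out_dlci, in_if, in_dlci) not in route_set:
            problems.append(
                f"{in_if} dlci {in_dlci} -> {out_if} dlci {out_dlci} has no return route")
        for name in (in_if, out_if):
            if name not in dce and name not in reported_dce:
                reported_dce.add(name)
                problems.append(f"{name} is not configured as frame-relay intf-type dce")
    return problems


if __name__ == "__main__":
    for problem in check_fr_switch(SWITCH_CONFIG) or ["no problems found"]:
        print(problem)
```

Run against the configuration as posted, the check reports nothing; delete the route under serial 1/3 and it reports that the 103/301 mapping from serial 1/1 has no return route, which is exactly the one-way PVC that makes the R1 to R3 ping fail.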

To verify that this configuration works, let's configure all three routers and ping the IP address of the far-end interfaces.

R1 configuration:

R1(config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.102 point-to-point
 ip address 2.2.2.1 255.255.255.0
 frame-relay interface-dlci 102
!
interface Serial0/0.103 point-to-point
 ip address 3.3.3.1 255.255.255.0
 frame-relay interface-dlci 103
!
end

R2 configuration:

R2(config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type cisco
!
interface Serial0/0.201 point-to-point
 ip address 2.2.2.2 255.255.255.0
 frame-relay interface-dlci 201
!
end

R3 configuration:

R3(config)#interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.301 point-to-point
 ip address 3.3.3.3 255.255.255.0
 frame-relay interface-dlci 301
!
end

Ping verification:

R1#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/15/44 ms
R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/15/48 ms
R2#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/19/76 ms
R3#ping 3.3.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/80 ms

Congratulations, you’ve just configured a Cisco router to act as a Frame Relay switch!

I hope this has been helpful and thank you for reading!

Enable IPv6 on Cisco Catalyst 3560

10/08/2011 By Andrew Roderos

When you're building a Cisco home lab, make sure to buy switches and/or routers that satisfy the requirements of the track you're currently studying for. You may also want to future-proof your home lab for other Cisco tracks. Future-proofing was one of the reasons I didn't buy an 1841 for my lab and bought a 2801 instead: 1841s will not satisfy the requirements of the Voice track, one of the Cisco tracks I would like to learn more about. Anyway, CCNP R&S (Routing and Switching) and CCIE R&S both require you to know IPv6. While the CCNP does not specifically require you to run IPv6 on a 3560, it will most likely be used in the CCIE lab exam. I do know that INE materials require you to enable IPv6 on the Catalyst 3560 to practice and master the topic.

By default, a Catalyst 3560 does not let you turn on IPv6 without changing the SDM (Switching Database Manager) template. I did not know this before, so when I tried it on my Catalyst 3560, I got the following:

3560(config)#ipv6 ?
% Unrecognized command

I wasn't expecting that error, so I went to Cisco's website and started practicing how to use the Cisco DOC CD, the only resource available during the CCIE lab exam. Luckily, I was able to find the instructions on how to do it. If you want more information, please see this configuration guide.

Without further ado, here’s a tutorial on how to enable IPv6 on Catalyst 3560.

3560(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.
3560(config)#do wr mem
Building configuration...
[OK]
3560#reload

To verify that SDM has been changed:

3560#sho sdm prefer
 The current template is "desktop IPv4 and IPv6 default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
 number of unicast mac addresses:                  2K
 number of IPv4 IGMP groups + multicast routes:    1K
 number of IPv4 unicast routes:                    3K
   number of directly-connected IPv4 hosts:        2K
   number of indirect IPv4 routes:                 1K
 number of IPv6 multicast groups:                  1K
 number of directly-connected IPv6 addresses:      2K
 number of indirect IPv6 unicast routes:           1K
 number of IPv4 policy based routing aces:         0
 number of IPv4/MAC qos aces:                      0.5K
 number of IPv4/MAC security aces:                 1K
 number of IPv6 policy based routing aces:         0
 number of IPv6 qos aces:                          0.5K
 number of IPv6 security aces:                     0.5K

To verify that IPv6 can now be issued:

3560(config)#ipv6 ?
 access-list      Configure access lists
 cef              Cisco Express Forwarding for IPv6
 dhcp             Configure IPv6 DHCP
 general-prefix   Configure a general IPv6 prefix
 hop-limit        Configure hop count limit
 host             Configure static hostnames
 icmp             Configure ICMP parameters
 local            Specify local options
 mld              Global MLD Snooping enable for Catalyst Vlans
 neighbor         Neighbor
 prefix-list      Build a prefix list
 route            Configure static routes
 router           Enable an IPV6 routing process
 source-route     Process packets with source routing header options
 unicast-routing  Enable unicast routing

To enable IPv6, issue the command below:

3560(config)#ipv6 unicast-routing

It is pretty easy to configure, but if you didn't know anything about SDM, you would probably blame the IOS version that is installed; I certainly did.

I hope this helps and thank you for reading!

show ip flow top-talkers

10/05/2011 By Andrew Roderos

Who is hogging your precious WAN bandwidth? That's probably one of the questions on your mind when you receive an alert that a certain WAN link has reached its full capacity. Well, you're in luck. Newer Cisco IOS releases let you enable NetFlow and Top Talkers, which gives you the ability to see who the current top talkers in your network are. I really believe the commands I am about to show you should be part of your standard router configuration.

To enable Top Talkers, issue these commands:

ip flow-top-talkers
 top 10
 sort-by bytes

Enabling Top Talkers is not enough; you also need to enable NetFlow on an interface. According to Cisco, if the router is running a Cisco IOS release prior to 12.2(14)S, 12.0(22)S, or 12.2(15)T, the command to enable NetFlow on an interface is ip route-cache flow. If the router is running Cisco IOS release 12.2(14)S, 12.0(22)S, 12.2(15)T, or later, the command is ip flow ingress. However, I've used ip route-cache flow on a router running Cisco IOS 15.0 and it worked just fine. Try ip route-cache flow first before using ip flow ingress. I have not tried it yet, but you may need to use ip flow egress as well if ip route-cache flow does not work.

In this scenario, I enabled NetFlow on Serial0/2/0.

configure terminal
interface Serial0/2/0
 ip route-cache flow

Once NetFlow is configured on the interface, you can issue:

Router#sh ip flow top-talkers
SrcIf    SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/2/0  10.1.1.33    Fa0/0 10.2.2.9     06 050E 1BC7  2156K
Se0/2/0  10.1.1.140   Fa0/0 10.2.2.78    06 0A26 10C0  1629K
Se0/2/0  10.1.1.144   Fa0/0 10.2.2.55    06 0A26 0CA6  1352K
Se0/2/0  10.1.1.120   Fa0/0 10.2.2.77    06 0A26 05E8   535K
Se0/2/0  10.1.1.106   Fa0/0 10.2.2.86    06 0A26 086A   361K
Se0/2/0  10.1.1.131   Fa0/0 10.2.2.90    06 0A26 0A7A   135K
Se0/2/0  10.1.1.112   Fa0/0 10.2.2.80    06 0A26 0C28   109K
Se0/2/0  10.1.1.137   Fa0/0 10.2.2.80    06 0A26 0D95    75K
Se0/2/0  10.1.1.142   Fa0/0 10.2.2.82    06 0A26 120B    71K
Se0/2/0  10.1.1.116   Fa0/0 10.2.2.83    06 0A26 0922    47K
10 of 10 top talkers shown. 30 flows processed.
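As an added example, not part of the original post, the Python below parses the show ip flow top-talkers table shown above (copied here as the constructed input), decodes the hexadecimal protocol and port columns, expands the K suffix on the byte counts, and aggregates bytes per source and per destination address so that a single host or a single destination hogging the link stands out. Treating K as 1024 is an assumption; the page does not say how IOS rounds the counts.

```python
import re
from collections import defaultdict

# Constructed input: the table from the post above, copied verbatim.
SAMPLE_OUTPUT = """\
SrcIf    SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Bytes
Se0/2/0  10.1.1.33    Fa0/0 10.2.2.9     06 050E 1BC7  2156K
Se0/2/0  10.1.1.140   Fa0/0 10.2.2.78    06 0A26 10C0  1629K
Se0/2/0  10.1.1.144   Fa0/0 10.2.2.55    06 0A26 0CA6  1352K
Se0/2/0  10.1.1.120   Fa0/0 10.2.2.77    06 0A26 05E8   535K
Se0/2/0  10.1.1.106   Fa0/0 10.2.2.86    06 0A26 086A   361K
Se0/2/0  10.1.1.131   Fa0/0 10.2.2.90    06 0A26 0A7A   135K
Se0/2/0  10.1.1.112   Fa0/0 10.2.2.80    06 0A26 0C28   109K
Se0/2/0  10.1.1.137   Fa0/0 10.2.2.80    06 0A26 0D95    75K
Se0/2/0  10.1.1.142   Fa0/0 10.2.2.82    06 0A26 120B    71K
Se0/2/0  10.1.1.116   Fa0/0 10.2.2.83    06 0A26 0922    47K
10 of 10 top talkers shown. 30 flows processed.
"""

# IP protocol numbers; the Pr column is printed in hexadecimal (06 = TCP).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}
# Assumption: the K/M/G suffixes are binary multiples; the page does not say.
SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_bytes(field):
    """Convert an IOS byte count such as '2156K' or '512' to an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    if not m:
        raise ValueError(f"unrecognised byte count: {field!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_top_talkers(text):
    """Parse the flow rows into dicts with decoded protocol, ports and bytes."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "SrcIf":
            continue  # header, trailer line or blank
        src_if, src, dst_if, dst, proto, sport, dport, nbytes = parts
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": PROTO_NAMES.get(int(proto, 16), proto),
            "sport": int(sport, 16), "dport": int(dport, 16),
            "bytes": parse_bytes(nbytes),
        })
    return flows


def summary(text):
    """Return (shown, top_n, flows_processed) from the trailer line, or None."""
    m = re.search(r"(\d+) of (\d+) top talkers shown\. (\d+) flows processed", text)
    return tuple(int(x) for x in m.groups()) if m else None


def bytes_by(flows, key):
    """Total bytes per distinct value of key ('src', 'dst', 'dport', ...), largest first."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow[key]] += flow["bytes"]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def top_share(flows, key):
    """Fraction of all shown bytes attributable to the single largest value of key."""
    totals = bytes_by(flows, key)
    total = sum(totals.values())
    return next(iter(totals.values())) / total if total else 0.0


if __name__ == "__main__":
    flows = parse_top_talkers(SAMPLE_OUTPUT)
    for src, nbytes in bytes_by(flows, "src").items():
        print(f"{src:<16}{nbytes / 1024:>8.0f}K")
    print(f"top source share: {top_share(flows, 'src'):.0%}")
```

Aggregating by destination is what catches the case the table hides at first glance: 10.2.2.80 appears in two rows and, summed, is a larger consumer than either row suggests on its own. Feeding the same parser output from a scheduled collection job gives a simple baseline for spotting when one source suddenly accounts for most of the link.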

I really think this is a great tool to have on your routers. It will basically help you identify who is congesting your WAN link. I've seen scenarios where the Security (Loss Prevention) guys like to see what's going on in a remote branch, and they use their little PC to remotely view the security cameras inside the branch. In some environments that's a no-no, especially if mission-critical applications are being affected. If QoS (Quality of Service) was designed and implemented correctly, you shouldn't have to worry about Security guys viewing and streaming recorded video, because the mission-critical applications should have guaranteed bandwidth when there is congestion.

I hope this has been helpful and thank you for reading!

Reference

NetFlow MIB and Top Talkers

How to configure AAA on Cisco router/switches

10/01/2011 By Andrew Roderos

I talked about tac_plus here, covering how to build and configure a TACACS+ server. In this blog post, I will cover how to configure AAA on Cisco routers and switches so that they work in conjunction with the tac_plus server from the previous post.

Backup Local Account

I think the first important step before enabling AAA on Cisco routers and switches is to create a backup local account. One could also configure the device to fall back to the enable secret as a way to log in, but I personally prefer the local account.

username backup password strongpassword

Pointing Cisco device to TACACS+ server

Once the local user account is configured, you also need to point your networking devices to the TACACS+ server.

tacacs-server host 192.168.10.100
tacacs-server host 192.168.10.101
!
tacacs-server directed-request
tacacs-server key tacacskey123

Configuring AAA

Now you're going to configure AAA on our networking devices. Start by enabling AAA in global configuration mode:

aaa new-model

These two lines enable authentication and tell our networking devices to use TACACS+ first, before the local account. Should both of your TACACS+ servers go down, the local user account (or, for enable, the enable secret) is allowed instead.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

These commands enable command authorization for the user or group. In some TACACS+ implementations you do not need aaa authorization commands 0 default group tacacs+ none, but for our implementation we're going to include it. The trailing none means that when no TACACS+ server responds, commands are allowed without authorization, which keeps the backup local account usable.

aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands

These commands record which commands are issued on our networking devices. If you do not have a configuration change tracking tool like RANCID, this can be a valuable way to see what was done. However, reading the accounting log on the TACACS+ server is messy, so I suggest you implement RANCID if the organization does not have tools like AlterPoint Network Authority or SolarWinds Network Configuration Manager.

aaa accounting update newinfo periodic 5
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group tacacs+
aaa session-id common

Now we need to pick the source interface used to talk to our TACACS+ server. Where routers or multilayer switches have two or more links to the data center, a loopback is always a good choice. For layer two switches, the management VLAN interface will be fine.

ip tacacs source-interface loopback0
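As an added example (not from the post, and not a Cisco tool), here is a Python script that audits a saved running-config against the baseline described in this AAA post and in the SSH post above: SSH version 2, transport input ssh on every vty block, a domain name or named key pair, aaa new-model, a login method list with a local fallback, privileged-command accounting, an enable secret, a TACACS+ key, and local users stored with secret rather than password. That last check is the editor's recommendation, since a password entry is stored in clear text or in reversible type 7 form, while secret stores a one-way hash. The configuration text is constructed from the commands on this page plus placeholder hashes; it is not a capture from a real device.

```python
import re

# Constructed running-config fragment assembled from the commands in the SSH post
# and this AAA post; the secret hashes are placeholders, not values from a device.
HARDENED_CONFIG = """\
hostname R1
ip domain name domain.com
enable secret 5 $1$PLACEHOLDER$notarealhash
username backup secret 5 $1$PLACEHOLDER$notarealhash
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip ssh version 2
ip ssh rsa keypair-name SSH_KEY
ip tacacs source-interface loopback0
tacacs-server host 192.168.10.100
tacacs-server host 192.168.10.101
tacacs-server key tacacskey123
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

# Constructed weaker variant: reversible local password, SSH version left at
# the compatibility default, and the upper vty range still accepting Telnet.
WEAK_CONFIG = (
    HARDENED_CONFIG
    .replace("username backup secret 5 $1$PLACEHOLDER$notarealhash",
             "username backup password strongpassword")
    .replace("ip ssh version 2\n", "")
    .replace("line vty 5 15\n transport input ssh\n", "line vty 5 15\n")
)


def split_config(text):
    """Return (global_lines, {section_header: [indented sub-lines]})."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            sections.setdefault(current, [])
    return global_lines, sections


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    global_lines, sections = split_config(text)
    findings = []

    def has(pattern):
        return any(re.match(pattern, ln) for ln in global_lines)

    # SSH checks (from the SSH post)
    if not has(r"ip ssh version 2$"):
        findings.append("ip ssh version 2 not set: SSH 1.99 also accepts SSHv1 clients")
    if not (has(r"ip domain name ") or has(r"ip ssh rsa keypair-name ")):
        findings.append("neither ip domain name nor ip ssh rsa keypair-name is set")
    for header, body in sections.items():
        # A vty block without transport input ssh keeps the unseen default, transport input all.
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: no transport input ssh, so Telnet is still accepted")

    # AAA checks (from this post)
    if not has(r"aaa new-model$"):
        findings.append("aaa new-model missing")
    login = next((ln for ln in global_lines
                  if ln.startswith("aaa authentication login default")), None)
    if login is None:
        findings.append("no aaa authentication login default method list")
    elif "tacacs+" in login and not login.endswith(" local"):
        findings.append("login method list has no local fallback for when TACACS+ is unreachable")
    if not has(r"aaa accounting commands 15 default start-stop"):
        findings.append("privileged (level 15) commands are not accounted")
    if not has(r"enable secret "):
        findings.append("enable secret missing")
    if has(r"tacacs-server host ") and not has(r"tacacs-server key "):
        findings.append("tacacs-server key missing")
    for ln in global_lines:
        if re.match(r"username \S+ password ", ln):
            findings.append(f"user {ln.split()[1]}: stored with password (reversible); use username ... secret")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  " + finding)
```

The RSA modulus cannot be checked this way because the key pair is not part of the running configuration; that needs show crypto key mypubkey rsa on the device. Pointing the script at the output of show running-config collected by RANCID (mentioned above) turns it into a nightly compliance check across the fleet.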

Congratulations, you just accomplished one part of hardening your organization’s networking devices!

Copyright © 2011–2022 · NetworkJutsu LLC · All Rights Reserved · Privacy Policy · Terms of Use