Configure and verify device management

Exam: Cisco 300-101 - CCNP Implementing Cisco IP Routing (ROUTE v2.0)


  • Console and VTY
  • Telnet, HTTP, HTTPS, SSH, SCP
  • (T)FTP

You can connect to your routers and switches physically from a laptop or PC, or remotely over a Telnet or SSH connection. In both cases it is important to configure security on the routers and switches to protect them from unauthorised access.

Any inbound connection to a router is made through a terminal (TTY) line. There are four types of TTY lines, and each of them can be configured with password protection to ensure only authorised access. The different types of TTY lines can be seen by typing the show line command on the router, as shown below:

router1#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
*    0 CTY              -    -      -    -    -     0      0     0/0      -
     1 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
     2 TTY   9600/9600  -    -      -    -    -     0      0     0/0      -
     ...
     9 AUX   9600/9600  -    -      -    -    -     0      0     0/0      -
    10 VTY              -    -      -    -    -     0      0     0/0      -
     ...
    14 VTY              -    -      -    -    -     0      0     0/0      -

The output shows the four types of TTY lines:

  • CTY: A CTY line is the console port line, used to access the local system from a console terminal. The console port is a serial port, so only devices with a serial interface, such as a PC or laptop, can connect through it. This line always appears as line con 0 in the router configuration.
  • TTY: A TTY line is an asynchronous line that allows inbound or outbound modem and terminal connections. A TTY line requires an ASYNC card in the router, which provides a number of asynchronous serial ports that can be used to connect serial printers, serial modems, or dumb ASCII text terminals. This line appears as line x in the router configuration.
  • AUX: An AUX line is the auxiliary port, which appears as line aux 0 in the router configuration. The AUX port is typically used to access the router when the console port is already in use.
  • VTY: A VTY line is a virtual terminal line that allows you to connect to the router remotely. It is used mainly to control inbound Telnet and SSH connections to the router, and it is implemented in software rather than hardware. VTY lines appear in the configuration as line vty 0 4. This means the router has five VTY ports and supports up to five concurrent network administrator connections, so several administrators can configure the router at the same time.

You can configure more VTY lines on your router using the following command:

Router(config)# line vty 0 20

The command above creates 21 VTY lines (numbered 0 through 20).

Configure VTY and CTY lines

You need to configure user-based authentication to allow users to use the different types of TTY lines. The following steps configure user-based authentication on the VTY and CTY lines. Create the user with the username command in global configuration mode, then enable password checking at login with the login local command in line configuration mode, as shown in the sample below.

Enter global configuration mode and create a local user:

routerR1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
routerR1(config)#username Tom password testpass

Use the line vty command to switch to line configuration mode for the VTY lines and enable password checking at login:

routerR1(config)#line vty 0 4
routerR1(config-line)#login local

Use the line con command to configure the CTY line the same way:

routerR1(config-line)#line con 0
routerR1(config-line)#login local

Exit configuration mode:

routerR1(config-line)#end
routerR1#

Verify the Configuration

To verify the CTY and VTY line configuration, use the show running-config command on the router to check the changes made:

routerR1#show running-config
Building configuration...
...
username Tom password 0 testpass
...
line con 0
 login local
line vty 0 4
 login local
...
end

Establish a Telnet connection for verification

You now need to establish a Telnet connection to the router from a different host on the network to test the VTY configuration. For testing purposes, you can start a Telnet session from the router itself to the IP address of another active interface on the same router. You can find such an interface using the show interfaces command.

The following example connects to interface ethernet 0 on the router, which has the IP address 10.1.1.4:

routerR1#telnet 10.1.1.4
Trying 10.1.1.4 ... Open

User Access Verification

Username: Tom

Enter the password; the password you type is not displayed:

Password:

The connection is established and the router prompt appears:

routerR1>

Create an SSH Connection

An SSH connection creates a remote session in the same way as Telnet, but the SSH protocol encrypts the session with the device. To enable SSH on a router, enter the following commands:

Enter global configuration mode:

routerR1#configure terminal

Set the hostname and domain name (the prompt changes to reflect the new hostname):

routerR1(config)# hostname testrouter
testrouter(config)# ip domain-name testingdomain.com

Generate the RSA key pair, enable AAA, and create a local user:

testrouter(config)# crypto key generate rsa
testrouter(config)# aaa new-model
testrouter(config)# username janet password testpass

Set the SSH negotiation timeout in seconds and the number of authentication attempts:

testrouter(config)# ip ssh time-out 30
testrouter(config)# ip ssh authentication-retries 5

Restrict the VTY lines to SSH only:

testrouter(config)# line vty 0 4
testrouter(config-line)# transport input ssh

HTTP and HTTPS configuration

The Cisco IOS HTTP server provides authentication but not encryption for client connections, unlike the HTTPS server, which gives the client a secure SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection.

To enable HTTP or HTTPS management on routerR1, use the following commands.

Enter global configuration mode:

routerR1# configure terminal

Enable HTTP on the router:

routerR1(config)# ip http server

Enable HTTPS on the router and use the local user database for authentication:

routerR1(config)# ip http secure-server
routerR1(config)# ip http authentication local

Create a user with privilege level 15, which allows the user to execute all Cisco IOS commands:

routerR1(config)# username <username> privilege 15 password 0 <password>

Configure the VTY lines for local login, privilege level 15, and both Telnet and SSH access:

routerR1(config)# line vty 0 4
routerR1(config-line)# privilege level 15
routerR1(config-line)# login local
routerR1(config-line)# transport input telnet ssh
routerR1(config-line)# exit
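As an added check that is not part of the original guide, the following Python script reads a saved show running-config and flags the weak settings this page works through: a con or vty line without login local, a vty line that still accepts Telnet, and HTTP enabled without HTTPS. It covers both the "Verify the Configuration" step and the SSH/HTTP sections above; the two config excerpts are constructed to match the commands shown on this page, not captured from a real device.

```python
# Constructed running-config excerpts modelled on this guide's commands.
WEAK_CONFIG = """\
username Tom password 0 testpass
ip http server
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
username Tom password 0 testpass
ip http server
ip http secure-server
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

def parse_config(config):
    """Split a running-config into global commands and per-'line' sub-commands."""
    global_cmds, line_blocks, current = set(), {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None
            global_cmds.add(raw.strip())
    return global_cmds, line_blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(config)
    findings = []
    for name, cmds in line_blocks.items():
        if name.startswith(("line con", "line vty")) and "login local" not in cmds:
            findings.append(f"{name}: no 'login local', password checking not enforced")
        if name.startswith("line vty"):
            transport = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            if not transport or transport[-1] != ["ssh"]:
                findings.append(f"{name}: transport input not restricted to ssh")
    if "ip http server" in global_cmds and "ip http secure-server" not in global_cmds:
        findings.append("ip http server enabled without ip http secure-server")
    return findings
```

Run audit() on the text of a real show running-config to get the same findings for your own router; only the last transport input command on a line counts, matching IOS behaviour.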

Configuring Router as TFTP server

TFTP stands for Trivial File Transfer Protocol, a simplified version of the FTP protocol. The TFTP service is a Windows NT service for Cisco devices that holds the embedded component executables, runner files, and configuration (.cnf) files. A remote TFTP server is useful for upgrading one router at a remote site over a slow WAN link; that router can then act as a TFTP server for the local routers, so the remaining routers are upgraded over high-speed local links.

Use the tftp-server command to configure a router as a TFTP server:

routerR1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

routerR1(config)#tftp-server bootflash:c7200p-adventerprisek9-mz.151-3.S4.bin
routerR1(config)#end
routerR1#

Example Question

Q. Which of the following lines allows you to connect devices remotely to a router?

  A. CTY
  B. VTY
  C. TTY
  D. AUX

Answer: B

A VTY line is the Virtual Terminal line that allows you to connect devices remotely to the router.
