Configuring SSH

Always use SSH; Telnet sends everything, including passwords, in clear text and should be gone from any management plane.

Configuring SSH involves four steps: configure a domain name (ip domain-name WORD), generate an RSA key pair (crypto key generate rsa), restrict the vty lines to SSH only (transport input ssh), and tell the vty lines where to find the username and password list (login local to use the router's local database, in which case you also need to create a username and secret on the router; or login authentication WORD to use an AAA method list).

First you have to configure a domain name for your router (enter this command at the global configuration level). The RSA key pair is named hostname.domain-name, so IOS refuses to generate a key until a domain name is set.

ip domain-name WORD

WORD: the domain name string.

Then you generate rsa key by the command

crypto key generate rsa [general-keys | usage-keys]

When you generate an RSA key, there are two key types to choose from

  1. General-keys (the default). One general-purpose key pair is generated and used for everything (SSH, HTTPS, …).

  2. Usage-keys. Two separate key pairs are generated, one for signing and one for encryption/key exchange, so a compromise of one does not expose the other.

IOS accepts a modulus from 360 to 2048 bits on the releases these notes describe (newer releases go up to 4096). A minimum of 1024 used to be the usual choice; treat 2048 as the floor today, and note that SSH version 2 will not run on a key shorter than 768 bits. For old series routers (2500, 2600 series), generating a key of that size can take a long time (10 – 15 minutes).

You can configure some SSH options through these commands (from the global configuration level)

ip ssh time-out NUMBER

NUMBER: in seconds, 1-120. This is the negotiation timeout, how long the router waits for a client to finish logging in; it is not an idle timeout (use exec-timeout on the vty lines for that).

ip ssh authentication-retries NUMBER

NUMBER: 0-5 retries before the connection is dropped.

You should also force SSH version 2 (ip ssh version 2); version 1 has known protocol weaknesses and should not be accepted.
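The whole procedure above put together, as an added example that is not part of the original notes: an SSH-only management configuration with the vty lines locked to one management host. The hostname, domain name, username, password placeholder, ACL name and address are assumptions chosen for the example, not values from the page.

```cisco
! Added example (not from the original notes). Names, addresses and the
! password placeholder are illustrative only.
hostname R1
ip domain-name example.net
!
! The key pair is named R1.example.net. 2048 bits is the floor today;
! SSH version 2 refuses anything under 768.
crypto key generate rsa general-keys modulus 2048
!
! Version 1 has known protocol weaknesses: accept only version 2.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account for "login local". "secret" stores a hash;
! "password" would store it reversibly.
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Only the management host may even open a vty session.
ip access-list standard MGMT-HOSTS
 permit host 10.0.0.10
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 10 0
```

To check the result, show ip ssh should report version 2.0 with the timeout and retry values above, and show crypto key mypubkey rsa should list the R1.example.net key. Without transport input ssh the vty lines keep accepting Telnet even after the key exists, which is the mistake this example is meant to rule out.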


Configuring SNMP

Simple Network Management Protocol is good for gathering information on a per-interface basis. SNMP version 1 and version 2c have no real authentication: the only credential is the community string, and it travels in clear text. SNMP version 1 is an old protocol whose 32-bit counters wrap too quickly to monitor gigabit links; version 2c was introduced primarily to fix that (64-bit counters, plus some other enhancements such as bulk retrieval). SNMP version 3 added security: user-based authentication, message integrity and encryption.

The following command configures SNMP version 1 or 2c.

snmp-server community WORD [view VIEW] [ro | rw] [ACL]

WORD: the community string. It is the shared secret every manager presents, so treat it like a password (long, random, and never the defaults public or private).

ro: allow a device (manager) presenting this community to only read information from this router. Usually you will want to use this mode.

rw: allow a device presenting this community to read and write information on this router. A rw community is effectively an administrative credential and should be avoided with v1/v2c.

ACL: a standard ACL (number or name) that restricts which source addresses may use this community string with the given ro | rw mode. So you can say, for example, that only the management station's address gets rw; every other source is dropped even if it knows the string.

SNMP v1/v2c works like this: the community string is the only identifier you need to access SNMP information from the router, and it is sent in clear text in every packet. So anyone who sniffs the traffic, or who guesses a default string, can send an SNMP request to the router with the right community string, and the router will hand over the information (or accept changes, if the string is rw). The ACL is the only thing standing between a leaked string and the device, and since SNMP runs over UDP a source-address check alone can be spoofed for set requests.

Management Information Base (MIB). A MIB defines the objects you can read (or change, if the community is read-write) on the device, and each object is identified by an OID, which can be written as a dotted series of numbers or as a symbolic name. Say the SNMP manager asks your router for an object by OID: that series of numbers picks out one specific piece of information, for example the hostname, an interface's bandwidth utilization, or sensitive configuration data. Cisco has its own MIBs (under the cisco subtree) in addition to the standard ones.

You can restrict which parts of the MIB tree people can access on your router with a view (if you don't configure one, everything the agent knows can be collected)

snmp-server view VIEW-NAME OID-TREE {included | excluded}

VIEW-NAME: the name of the view. OID-TREE: a subtree given as a name (system, mib-2, cisco, …) or as a numeric OID. Repeat the command to include or exclude several subtrees, then attach the view to a community with the view keyword of snmp-server community.
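The community and view commands above combined, as an added example that is not part of the original notes: a read-only SNMPv2c community that exposes only the system and interface subtrees and answers only one manager. The community placeholder, ACL name, view name and address are assumptions chosen for the example.

```cisco
! Added example (not from the original notes). The community placeholder,
! view name, ACL name and manager address are illustrative only.
!
! Only the NMS may use the community; everything else is dropped and logged.
ip access-list standard SNMP-MGMT
 permit host 10.0.0.10
 deny any log
!
! Expose only the system group (sysName, sysUpTime, ...) and the interface
! tables. 1.3.6.1.2.1.2 is the classic interfaces group; 1.3.6.1.2.1.31 is
! IF-MIB with the 64-bit counters needed for gigabit links. Routing tables,
! config-copy MIBs and everything else stay invisible to this community.
snmp-server view IFACE-ONLY system included
snmp-server view IFACE-ONLY 1.3.6.1.2.1.2 included
snmp-server view IFACE-ONLY 1.3.6.1.2.1.31 included
!
! Read-only, bound to the view and to the ACL. No rw community at all.
snmp-server community REPLACE-WITH-LONG-RANDOM-STRING view IFACE-ONLY ro SNMP-MGMT
!
! The weak configuration this replaces (do not use): a default string,
! writable, no view, reachable from anywhere that can send UDP 161.
! snmp-server community private rw
```

The string still crosses the wire in clear text, so the view and ACL limit the damage from a leak rather than prevent it; for real authentication and encryption you need the v3 configuration described next.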

To configure SNMP v3, you can first set the local engine ID of the router with the command

snmp-server engineID local HEX

HEX: a hexadecimal (0-9, A-F) value of at least 10 characters; IOS pads a shorter value with trailing zeros to the fixed engine ID length. This step is optional, because the router generates an engine ID by itself. Be careful with it: SNMPv3 authentication and privacy keys are derived from the user's password and the engine ID, so changing the engine ID after users exist invalidates them and they must be re-created.

Then you configure the SNMP group

snmp-server group WORD v3 {auth | noauth | priv} [read VIEW] [write VIEW] [access ACL]

Here you name the group (SNMP_CROWS), specify the version it uses, and specify the minimum security level required from users in this group: noauth accepts a bare username, auth requires users to be authenticated, and priv requires both authentication and encryption of the SNMP packets. read and write attach a view to the group; without a write view, nothing in the group is writable.

After that, you configure the users for the SNMP groups

snmp-server user WORD1 WORD2 v3 [auth {md5 | sha} WORD3 [priv {des | 3des | aes {128 | 192 | 256}} WORD4]] [access ACL]

WORD1: the name of the user.

WORD2: the name of the group that the user belongs to.

WORD3: the password for the authentication.

WORD4: the privacy password for the user.

In this command you map the user to the SNMP group and specify that this user uses v3. Note that this command has other parameters. Also note that snmp-server user lines do not appear in show running-config; use show snmp user to check them.

If you choose to use authentication, you choose the hashing method, md5 or sha, then the password the user must present to access this SNMP group. Prefer sha.

If you choose to use encryption (priv), you specify the encryption method, the key length for aes, and the encryption key. The available methods are des, 3des and aes. DES (56-bit) is not strong enough today and 3DES is legacy; use aes. Privacy requires authentication (there is no priv without auth), and even a weak cipher is better than no encryption at all.

You can also specify an ACL, on the group or on the user, to limit which addresses this user or group may come from.
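The v3 procedure above (group, user, view, ACL) put together, as an added example that is not part of the original notes: one authPriv group with SHA authentication and AES-128 privacy, read-only, restricted to a single manager. The group and user names, view and ACL names, passphrase placeholders and address are assumptions chosen for the example.

```cisco
! Added example (not from the original notes). Names, passphrase
! placeholders and the manager address are illustrative only.
!
ip access-list standard SNMP-MGMT
 permit host 10.0.0.10
 deny any log
!
! Same read-only subtree restriction as for v2c: system group plus
! interfaces and IF-MIB (64-bit counters).
snmp-server view IFACE-ONLY system included
snmp-server view IFACE-ONLY 1.3.6.1.2.1.2 included
snmp-server view IFACE-ONLY 1.3.6.1.2.1.31 included
!
! "priv" forces every request in this group to be authenticated AND
! encrypted; "auth" would allow authenticated but clear-text requests,
! "noauth" would accept a bare username. No write view, so nothing is writable.
snmp-server group SNMP_CROWS v3 priv read IFACE-ONLY access SNMP-MGMT
!
! Do not set "snmp-server engineID local" unless you need a fixed value:
! the keys for the user below are derived from the passphrases and the
! engine ID, so changing the engine ID afterwards invalidates the user.
!
! SHA for authentication, AES-128 for privacy (IOS requires passphrases
! of at least 8 characters). The user is not shown in the running config;
! "show snmp user" is where it appears.
snmp-server user netmon SNMP_CROWS v3 auth sha REPLACE-AUTH-PASSPHRASE priv aes 128 REPLACE-PRIV-PASSPHRASE
!
! No snmp-server community line at all, so v1/v2c requests are rejected.
```

From the manager, a Net-SNMP walk with -v3 -l authPriv -u netmon -a SHA -x AES and the two passphrases should return the system and interface objects and nothing else; the same walk with -l authNoPriv should be refused, since the group demands priv.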