One of the fundamentals of configuring a Cisco router or switch is enabling a secure management protocol. Telnet sends everything in clear text, so anyone sniffing network traffic can read it, credentials included.
The solution is SSH, a cryptographic protocol. It provides a secure shell that keeps the data transmitted between your workstation and the router or switch confidential.
Here is our simple topology:
Let’s say we’re consoled into the router and would like to enable SSH so we can manage the router from our desk.
Once you’re in global configuration mode we hop right in with the following configuration:
conf t
!
!! Configure a username with privilege 15 and a secret password of cisco
username admin priv 15 secret cisco
!
!! Before configuring SSH we need to define the domain name, which is used when generating our key
ip domain-name rowelldionicio.com
!
!! Generate the RSA keys with a key length of 1024 bits
crypto key generate rsa general-keys mod 1024
!
!! Enter the vty line configuration and enable SSH as the only input protocol, leaving out telnet
line vty 0 15
transport input ssh
!
!! The login local command tells the router to prompt for a username and password and verify them against the router's local database
login local
exit
Now we test with our Linux client using the command:
ssh -l admin 10.1.1.100
You’ll be prompted only for the admin password, since the username was already supplied with -l in the ssh command. Because the admin account is configured with privilege 15 we are automatically put into the global configuration mode, bypassing the enable password.
Here’s what our communication with R1 looks like over the network using SSH:
To compare our traffic with Telnet we will remove SSH:
conf t
!
!! Enter line configuration
line vty 0 15
!
!! To remove SSH, specify telnet as the only input protocol instead of ssh
transport input telnet
end
In Wireshark I will follow the TCP Stream of the packet that appears to be sending username and password traffic:
We can see the username and password in plain text and also see what commands are being entered:
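As an added example (not from the original post): a small Python audit that reads a running-config and flags the settings this post changed, so a vty line left in the Telnet state above, or one missing login local, is caught before someone captures it. The sample config is constructed, not a real device capture, and the ip ssh version 2 check goes one step beyond the post's configuration.

```python
import re

# Constructed sample running-config (not captured from a real device): the
# router follows the post's steps except that Telnet is still allowed on vty.
WEAK_CONFIG = """\
hostname R1
ip domain-name rowelldionicio.com
username admin privilege 15 secret 5 $1$PLACEHOLDER
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input telnet
 login
!
"""

def line_blocks(config):
    """Map each 'line ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None   # a non-indented line ends the block
    return blocks

def audit(config):
    """Return findings for settings that leave cleartext management open."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("ip domain-name missing (needed to generate the RSA key)")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (device may still accept SSHv1)")
    for name, cmds in line_blocks(config).items():
        if not name.startswith("line vty"):
            continue
        inputs = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        protocols = inputs[-1] if inputs else []   # last one wins, as on the CLI
        if protocols != ["ssh"]:
            shown = " ".join(protocols) or "(not set; default varies by IOS release)"
            findings.append(f"{name}: transport input {shown}, want ssh only")
        if "login local" not in cmds:
            findings.append(f"{name}: 'login local' missing")
    return findings
```

Run it over the text of show running-config from each device; an empty list means every vty line accepts SSH only with local authentication.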
Follow best practices and manage your routers and switches over SSH. Even if you’re using a dedicated management network I would still recommend encrypting your traffic. It’s simple to configure and your traffic will be encrypted from prying eyes.