Level 0: The Absolute Fundamentals

Telnet & SSH Remote Access Lab

Configure remote management access to Cisco routers and switches

Objective

In this beginner lab you will configure Telnet and SSH remote access on both a router and a switch. You will also learn the purpose of essential hardening commands used on every Cisco device — banner motd, logging synchronous, no ip domain-lookup, and service password-encryption.

Key Commands Explained

| Command | Mode | What it does |
|---|---|---|
| hostname <name> | Global config | Sets a unique device name. Makes the CLI prompt meaningful and is required for SSH. |
| no ip domain-lookup | Global config | Stops the router from trying to DNS-resolve mistyped commands (eliminates the 30-second hang). |
| banner motd # … # | Global config | Displays a warning message to anyone who connects. Required for legal notice before login. |
| logging synchronous | Line config | Prevents Syslog messages from interrupting your typing mid-command. Essential for usability. |
| service password-encryption | Global config | Applies Type-7 encryption to all plain-text passwords in the running config. Type 7 is reversible obfuscation, so it only protects against casual viewing. |
| enable secret <pass> | Global config | Sets the privileged-mode password and stores it as an MD5 (Type-5) hash. Always preferred over enable password. |
| login local | Line config | Authenticates VTY/console logins against the local username database instead of a line password. |
| transport input ssh telnet | Line config | Restricts VTY lines to accept only SSH and Telnet. Use transport input ssh (SSH only) for production. |

Lab Topology

A simple two-device topology: Router R1 connected to Switch SW1. A PC is connected to SW1 on an access port and will be used to Telnet/SSH into both devices.

| Device | Interface / SVI | IP Address | Subnet Mask | Notes |
|---|---|---|---|---|
| R1 | GigabitEthernet0/0 | 192.168.1.1 | 255.255.255.0 | Default gateway for the LAN |
| SW1 | VLAN 1 (SVI) | 192.168.1.2 | 255.255.255.0 | Management IP (switches use SVI) |
| PC0 | NIC | 192.168.1.10 | 255.255.255.0 | Test PC – used to Telnet/SSH |

Why does a switch need a management IP? Switches operate at Layer 2 and don't route traffic. To manage a switch remotely (Telnet/SSH), you assign an IP address to a Switch Virtual Interface (SVI), typically interface vlan 1. You also need an ip default-gateway so the switch can reply to hosts on other subnets.

Task 1 - Basic Configuration & Banner

Apply this to both R1 and SW1. The commands are identical except for the hostname.

R1 – Basic Config

Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname R1
R1(config)# no ip domain-lookup
R1(config)# enable secret cisco123
R1(config)# service password-encryption
R1(config)# banner motd #
Enter TEXT message.  End with the character '#'.
*****************************************************
*   WARNING: Authorized Access Only – R1            *
*   Unauthorized access is strictly prohibited.     *
*****************************************************
#

SW1 – Basic Config

Switch> enable
Switch# configure terminal
Switch(config)# hostname SW1
SW1(config)# no ip domain-lookup
SW1(config)# enable secret cisco123
SW1(config)# service password-encryption
SW1(config)# banner motd #
Enter TEXT message.  End with the character '#'.
*****************************************************
*   WARNING: Authorized Access Only – SW1           *
*   Unauthorized access is strictly prohibited.     *
*****************************************************
#

Task 2 - Secure the Console Line

The console line is the physical port (used with a rollover cable). Apply this to both devices.

R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# logging synchronous
R1(config-line)# exit

What does logging synchronous do? Without it, Syslog messages (like interface state changes) are printed to your terminal mid-command, breaking your input. logging synchronous buffers those messages and reprints your partial command on a new line after the message, making the CLI usable.

Task 3 - Configure Telnet Access (VTY Lines)

VTY (Virtual Terminal) lines handle all remote login sessions. Routers have 5 (0–4), switches have 16 (0–15).

R1 – Telnet via VTY

R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# logging synchronous
R1(config-line)# exit

SW1 – Management SVI + Default Gateway

Before you can Telnet to a switch, it needs an IP address. Assign it on the VLAN 1 SVI:

SW1(config)# interface vlan 1
SW1(config-if)# description Management SVI
SW1(config-if)# ip address 192.168.1.2 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 192.168.1.1

SW1(config)# line vty 0 15
SW1(config-line)# password cisco
SW1(config-line)# login
SW1(config-line)# logging synchronous
SW1(config-line)# exit

Telnet sends everything in plain text! Telnet transmits your username, password, and all commands unencrypted across the network. Never use Telnet in a production environment. It is covered here for lab understanding only; always prefer SSH.

Task 4 - Test Telnet from PC0

Open the Command Prompt on PC0 (192.168.1.10) and Telnet to both devices:

PC0 > Command Prompt
C:\> telnet 192.168.1.1

*** Authorized Access Only – R1 ***
User Access Verification
Password: cisco
R1> enable
Password: cisco123
R1#

C:\> telnet 192.168.1.2

*** Authorized Access Only – SW1 ***
User Access Verification
Password: cisco
SW1>

Task 5 - Configure SSH Access

SSH encrypts the session. It requires a hostname, a domain name, an RSA key pair, and local usernames. The 1024-bit modulus used below is a lab value; use 2048 bits or more on production devices.

R1 – SSH Config

R1(config)# ip domain-name ccna-lab.local
R1(config)# username admin privilege 15 secret Admin@123
R1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: R1.ccna-lab.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh telnet
R1(config-line)# logging synchronous
R1(config-line)# exit

SW1 – SSH Config

SW1(config)# ip domain-name ccna-lab.local
SW1(config)# username admin privilege 15 secret Admin@123
SW1(config)# crypto key generate rsa modulus 1024
The name for the keys will be: SW1.ccna-lab.local
[OK] (elapsed time was 1 seconds)

SW1(config)# ip ssh version 2
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# transport input ssh telnet
SW1(config-line)# logging synchronous
SW1(config-line)# exit

Why login local instead of login? login checks the line password (set with password cisco). login local checks the local user database (set with username … secret …). SSH requires login local; it cannot use a bare line password.

Task 6 - Test SSH from PC0

PC0 > Command Prompt
C:\> ssh -l admin 192.168.1.1

*** Authorized Access Only – R1 ***
Password: Admin@123
R1#

C:\> ssh -l admin 192.168.1.2

*** Authorized Access Only – SW1 ***
Password: Admin@123
SW1#

Task 7 - Verification

Use these commands to confirm your configuration is working correctly:

R1# show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
Authentication timeout: 120 secs; Authentication retries: 3

R1# show users
    Line      User       Host(s)     Idle     Location
*  0 con 0               idle        00:00:00
   1 vty 0   admin      192.168.1.10 00:00:02

SW1# show interface vlan 1
Vlan1 is up, line protocol is up
  Internet address is 192.168.1.2/24

R1# show running-config | section line vty
line vty 0 4
 logging synchronous
 login local
 transport input ssh telnet
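
Added example (not part of the original lab): a small Python audit that parses a saved running-config and reports the remote-access gaps this lab discusses, namely Telnet still permitted on VTY lines, VTY lines not using login local, and a line password left behind after the switch to login local. The sample config, its placeholder hashes, and the finding strings are constructed for illustration.

```python
# Constructed sample: roughly R1's running-config after Task 5 (hashes are placeholders).
LAB_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLACEHOLDER
ip ssh version 2
line vty 0 4
 password 7 PLACEHOLDER
 logging synchronous
 login local
 transport input ssh telnet
"""

def parse_lines(config):
    """Return (global commands, {"line ...": [sub-commands]}) from IOS config text."""
    global_cmds, lines, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw[0] == " " and current is not None:
            lines[current].append(cmd)      # indented: belongs to the open line block
        elif cmd.startswith("line "):
            current = cmd
            lines[current] = []
        else:
            current = None                  # any other top-level command closes the block
            global_cmds.append(cmd)
    return global_cmds, lines

def audit(config):
    """List remote-access findings for the settings this lab configures."""
    global_cmds, lines = parse_lines(config)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no enable secret")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: SSH version 2 not enforced")
    for name, cmds in lines.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        if transport != "transport input ssh":
            findings.append(f"{name}: not SSH-only ({transport or 'no transport input set'})")
        if "login local" not in cmds:
            findings.append(f"{name}: does not use login local")
        elif any(c.startswith("password ") for c in cmds):
            findings.append(f"{name}: unused line password left in config")
    return findings
```

Running audit(LAB_CONFIG) reports the two VTY findings for the lab state; a config with transport input ssh and no leftover VTY line password returns an empty list.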