Access network devices through CTY, VTY, and TTY [Network Planning Practice Cisco Packet Tracer]

Experiment 1: Access network equipment

Learning objectives

  • Access network equipment via CTY
  • Access network equipment via VTY
  • Access network equipment via TTY
  • Access network equipment via WEB

Lab environment

  • Cisco Packet Tracer 6.0

Original article, please indicate the source for reprinting: ©️ Sylvan Ding ❤️

Experiment content

CTY access equipment

CTY refers to the device access method that controls and manages a device through its Console interface.

Select a Connections>Console cable, connect one end to the RS 232 interface of the PC and the other end to the Console interface of the routing device, and then configure the Console interface through the PC.

# Cisco IOS
Router> enable # enter privileged EXEC mode
Router# configure terminal # enter global configuration mode
Router(config)# line console 0 # configure the console line
Router(config-line)# password cisco # set the console password
Router(config-line)# login # enable password checking at login
  • Configuration mode : Cisco IOS divides EXEC sessions into user (USER) mode and privileged (privileged) mode. User mode only allows basic monitoring commands, and the router configuration cannot be changed in this mode. All configuration commands are available in privileged mode. From privileged mode, you can also enter global configuration mode and other special configuration modes. These special modes are a subset of global configuration mode. During the configuration process, you can get command help by using ?.

VTY access equipment

VTY refers to Virtual Terminal, a device access method that remotely logs in to the device through a virtual terminal to control and manage it.

A certain number of VTY lines are available in different series of Cisco products, but the specific number varies.

The protocols that support remote login are SSH and Telnet. Both SSH and Telnet are used to manage remote connections. SSH uses TCP port 22, and Telnet uses TCP port 23.

Remote login requires that the network device has network services enabled and at least one active interface has an IP address configured. For security reasons, IOS requires the use of passwords for remote sessions as a minimum means of authentication.

Configure Telnet

# 1. Configure the IP address of the router's Ethernet interface
Router> enable
Router# configure terminal
Router(config)# hostname Router1 # set the router's hostname
Router1(config)# interface gigabitEthernet 0/0 # enter the router's Gigabit Ethernet interface
Router1(config-if)# ip address 192.168.0.1 255.255.255.0 # set the interface IP address
Router1(config-if)# no shutdown # bring the interface up (router interfaces are shut down by default)
# 2. Configure the router's vty lines
Router1(config-if)# line vty 0 4 # enter vty line mode, enable lines 0-4 (maximum number of concurrent connections)
Router1(config-line)# password ciscotelnet # set the password
Router1(config-line)# login
# 3. Configure the router's privileged-mode password
Router1(config)# enable password ciscotelnet
# 4. Configure the PC's IP address: 192.168.0.2/24
# 5. Access the router from the PC via Telnet
C:\> telnet 192.168.0.1
  • Configure the router in CTY mode. After the configuration is complete, the router and PC are connected through the switch, and the PC accesses the router with telnet.
  • Before logging in remotely through Telnet, you need to test the connectivity between the PC and the router. Use the ping command on the PC: C:\> ping 192.168.0.1. After the PC can reach the Ethernet port of the router normally, use Telnet to log in to the router.
  • Configure the FastEthernet0 network card of the PC (End Devices>Laptop-PT) and the router network card in the same network segment, that is 192.168.0, to ensure that the two can be connected.

Configure SSH

# 1. Configure the IP address of the router's Ethernet interface
Router> enable
Router# configure terminal
Router(config)# hostname Router1
Router1(config)# interface gigabitEthernet 0/0
Router1(config-if)# ip address 10.12.16.1 255.255.255.0
Router1(config-if)# no shutdown
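# 2. Generate the RSA asymmetric key pair on the router
Router1(config-if)# exit
Router1(config)# ip domain-name demo.com # the RSA key is generated using `hostname` and `domain-name`
Router1(config)# crypto key generate rsa # the SSH service is enabled automatically once the RSA key is generated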
The name for the keys will be: Router1.demo.com
How many bits in the modulus [512]: 
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
*3? 1 0:29:0.594:  %SSH-5-ENABLED: SSH 1.5 has been enabled 
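# 3. Configure the username and password
Router1(config)# username sylvan privilege 0 password ciscossh # `privilege 0` prevents SSH logins from entering privileged mode automatically
Router1(config)# enable password ciscossh # set the privileged-mode password
# 4. Configure the vty lines
Router1(config)# line vty 0 4 # enable lines 0-4 (maximum number of concurrent connections)
Router1(config-line)# transport input ssh # allow logins over SSH only
Router1(config-line)# exec-timeout 0 0 # set the session timeout: stay connected to the router indefinitely until a manual logout
Router1(config-line)# logging synchronous # synchronize log and debug output (so that typing is not interrupted by log messages)
Router1(config-line)# login local # use local authentication (a username is required at login)
# 5. Configure the PC's IP address: 10.12.16.2/24
# 6. Test SSH login to Router1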
PC>ssh -l sylvan 10.12.16.1
Open
Password: 
Router1>
# 7. Log out
Router1>exit
[Connection to 10.12.16.1 closed by foreign host]
  • Before testing SSH login to Router1, first test the connectivity with ping.
    PC>ping 10.12.16.1
    
    Pinging 10.12.16.1 with 32 bytes of data:
    
    Reply from 10.12.16.1: bytes=32 time=1ms TTL=255
    Reply from 10.12.16.1: bytes=32 time=0ms TTL=255
    Reply from 10.12.16.1: bytes=32 time=0ms TTL=255
    Reply from 10.12.16.1: bytes=32 time=0ms TTL=255
    
    Ping statistics for 10.12.16.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 1ms, Average = 0ms
    

TTY access device

TTY is a way to access a device through a dial-up connection on an asynchronous (async) port. The term TTY originated from TeleTYpe. The original TTY connected devices through physical lines, but Cisco implemented this function through virtual links.

The early terminal was a Teletype/Teletypewriter, whose English abbreviation was tty. Although terminal equipment is no longer limited to teletypewriters, the name tty has remained.

Configure TTY

Select Routers>1841 and insert an HWIC-8A module into slot0; it provides 8 asynchronous EIA-232 ports for connecting to console interfaces. Use this router as a terminal server (Terminal Server); using a terminal server reduces wear on the console interfaces when configuring multiple routing and switching devices. Use an Octal (octopus) cable to connect its Async interface to the console interfaces of the other devices. Create a Laptop-PT, connect it to the terminal server through the console, and perform the following configuration to achieve TTY access to the devices:

# 1. Configure the terminal server (`Terminal Server`)
Router> en
Router# conf t
Router(config)# host Terminal-Server # set the terminal server's hostname
Terminal-Server(config)# enable p ciscotty # set the privileged-mode password
Terminal-Server(config)# no ip domain-lookup # disable DNS lookups

# 2. Configure the terminal server's loopback interface 1.1.1.1/32
Terminal-Server(config)# interface loopback 0
Terminal-Server(config-if)# ip add 1.1.1.1 255.255.255.255

# 3. Configure the tty asynchronous lines
Terminal-Server(config-if)# end
Terminal-Server# show line
   Tty Line Typ     Tx/Rx    A Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/0    2 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/1    3 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/2    4 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/3    5 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/4    6 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/5    7 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/6    8 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/7    9 TTY   9600/9600  -    -    -    -      0       0     0/0       -
   194  194 VTY              -    -    -    -      0       0     0/0       -
   195  195 VTY              -    -    -    -      0       0     0/0       -
   196  196 VTY              -    -    -    -      0       0     0/0       -
   197  197 VTY              -    -    -    -      0       0     0/0       -
   198  198 VTY              -    -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
10-193

Terminal-Server# conf t
Terminal-Server(config)# line ?
  <2-499>  First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
  x/y/z    Slot/Subslot/Port for Modems
  
Terminal-Server(config)# line tty ?
  <2-90>  First Line number

Terminal-Server(config)# line tty 2 9 # configure the 8 asynchronous lines
Terminal-Server(config-line)# transport input all # allow every protocol to connect to the tty lines
Terminal-Server(config-line)# pas ciscotty # set the tty connection password
Terminal-Server(config-line)# login # enable login checking
Terminal-Server(config-line)# exec-timeout 0 0
Terminal-Server(config-line)# logging synchronous

# 4. Configure the vty virtual terminal lines, used for Telnet connections
Terminal-Server(config-line)# exit 
Terminal-Server(config)#line vty ?
  <0-15>  First Line number
Terminal-Server(config-line)# no login # disable login checking
Terminal-Server(config-line)# logging s
Terminal-Server(config-line)# exec-timeout 0 0

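# 5. In the Terminal, test Telnet access to the Router device
# Press [Ctrl+Shift+6], release, then press [X] to return to the terminal server
# This does not release the Telnet session; the Telnet session is kept
# To list all open connections, use the `show sessions` command
# `disconnect x` terminates an active reverse Telnet session, where `x` is the number of the asynchronous line to disconnect
# `show line x` shows the status of any line and is used to troubleshoot terminal server connections
# `clear line tty x` resets any tty line to the idle state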
Terminal-Server#telnet 1.1.1.1 2002
Trying 1.1.1.1 ...Open
User Access Verification
Password: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
         --- System Configuration Dialog ---
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router> 

# 6. Configure the network cards of the PC and the terminal server router
# From the Command Line on the PC, Telnet to the terminal server router, then reach the other devices over the octopus cable
# For the details, see `Configure Telnet`
  • Loopback :
    The loopback interface of the terminal server router is created using interface loopback0. A loopback interface is a logical interface and is more stable than any physical interface. Once created, its physical status and link protocol status are always Up, even if no IP address is configured on the interface. Because of these characteristics, the IP address of the loopback interface is commonly used as the reverse telnet connection address.
    Packets sent to the loopback port are processed locally on the router, including routing information. The IP address of the loopback port can be used as the router identifier of the OSPF routing protocol, to implement reverse Telnet, or as a network port for remote Telnet access, etc. Configuring a loopback port is similar to configuring an Ethernet port, and it can be regarded as a virtual Ethernet port.
    Usually there are many interfaces and addresses on each router. Since the telnet command uses TCP packets, when one interface of the router goes down due to a fault, the other interfaces can still be reached by telnet, and the TCP connection to the router still exists. Therefore, the selected telnet address must never go down, and the virtual interface meets exactly this requirement. Since this type of interface does not need to communicate with a peer, the address of the loopback interface is usually specified with a 32-bit mask in order to save address resources.
  • CAB-OCTAL-ASYNC :
    The CAB-OCTAL-ASYNC cable (commonly known as an octopus cable) uses a 68-pin connector and breakout cables and provides eight RJ-45 rollover-cable asynchronous ports on each 68-pin connector. You can connect each RJ-45 rollover-cable asynchronous port to a device's console or AUX port.
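The line settings used in the labs above include several that weaken access control: Telnet accepted on a line, `no login`, `exec-timeout 0 0`, `enable password`, and `username ... password`. The following Python check is an added example, not part of the original article; the sample configuration is constructed in the style of the commands above, and the rule names are illustrative.

```python
import re

# Constructed sample (not captured from a device): commands in the style of
# this page's labs, written without prompts, line sub-commands indented.
SAMPLE_CONFIG = """\
enable password ciscotty
username sylvan privilege 0 password ciscossh
line console 0
 password cisco
 login
line tty 2 9
 transport input all
 password ciscotty
 login
 exec-timeout 0 0
line vty 0 4
 no login
 exec-timeout 0 0
line vty 5 15
 transport input ssh
 login local
 exec-timeout 10 0
"""

# (rule id, pattern applied inside a "line ..." block, finding text)
LINE_RULES = [
    ("NO_LOGIN", r"^no login$", "line accepts sessions without authentication"),
    ("TELNET_ALLOWED", r"^transport input .*\b(all|telnet)\b",
     "cleartext Telnet is accepted on this line"),
    ("NO_IDLE_TIMEOUT", r"^exec-timeout 0 0$", "idle sessions never time out"),
]
# Rules applied to global configuration commands
GLOBAL_RULES = [
    ("ENABLE_PASSWORD", r"^enable password ",
     "use 'enable secret' so the password is stored hashed"),
    ("USER_PASSWORD", r"^username \S+ .*\bpassword ",
     "use 'username ... secret' so the password is stored hashed"),
]


def audit(config_text):
    """Return a list of (context, rule_id, message) findings."""
    findings, context = [], "global"
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if re.match(r"^line (con|console|aux|tty|vty)\b", cmd):
            context = cmd              # a new line block starts here
            continue
        if not raw.startswith(" "):
            context = "global"         # unindented command: back in global mode
        rules = GLOBAL_RULES if context == "global" else LINE_RULES
        for rule_id, pattern, message in rules:
            if re.search(pattern, cmd):
                findings.append((context, rule_id, message))
    return findings


if __name__ == "__main__":
    for ctx, rule_id, msg in audit(SAMPLE_CONFIG):
        print(f"{ctx:<16} {rule_id:<16} {msg}")
```

On the sample, the console line and `line vty 5 15` produce no findings, while the tty lines and `line vty 0 4` are each flagged twice.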

Reverse Telnet

As a dumb terminal, the PC soft terminal is connected to the Console port of the Router through the Console communication cable. The Router is connected to the server, and the terminal cannot communicate directly with the server. By configuring reverse Telnet to log in to the device, you can use the Router as a client to transmit terminal data to the remote server, thereby realizing communication between the dumb terminal and the server.

[Figure: the PC connects through the Console cable to the Router, and the Router connects to the Server.]

Specifically, after the router's asynchronous line is connected to the Modem, a direct Telnet conversation communication with the Modem can be established. This process is also called reverse remote login Telnet (reverse Telnet).

To establish a direct Telnet session with the modem, determine the IP address of the Ethernet LAN interface, and then enter the telnet ip-add port command to connect to port 2000+n of the router, where n is the number of the router line connected to the modem. The line number can be viewed with the show line command in privileged mode. The ip host configuration command simplifies establishing a direct Telnet session with the modem: it maps the port's IP address to a device name.
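The 2000+n rule can be applied directly to show line output. The Python sketch below is an added example, not part of the original article: it parses a constructed table in the format shown on this page, lists the reverse Telnet port of every TTY line (each of these TCP ports leads to a device console, so they are the ports to account for when restricting access to the terminal server), and builds the matching ip host commands. The function names are illustrative.

```python
import re

# Constructed sample in the format of the `show line` output on this page.
SHOW_LINE = """\
   Tty Line Typ     Tx/Rx    A Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/0    3 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/1    4 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/2    5 TTY   9600/9600  -    -    -    -      0       0     0/0       -
   388  388 VTY              -    -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
6-387
"""

# Optional '*' (line in use), the Tty id, the absolute line number, the type.
ROW = re.compile(r"^\*?\s*(\S+)\s+(\d+)\s+(CTY|AUX|TTY|VTY)\b")
REVERSE_TELNET_BASE = 2000   # reverse Telnet port = 2000 + line number


def parse_show_line(text):
    """Return [(tty_id, line_number, line_type)] for every table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3)))
    return rows


def reverse_telnet_ports(text):
    """Map each asynchronous TTY line number to its reverse Telnet TCP port."""
    return {n: REVERSE_TELNET_BASE + n
            for _, n, typ in parse_show_line(text) if typ == "TTY"}


def ip_host_commands(text, names, address):
    """Pair device names with TTY lines in table order and build `ip host`
    commands; raise instead of guessing when the counts differ."""
    ports = sorted(reverse_telnet_ports(text).values())
    if len(names) != len(ports):
        raise ValueError(f"{len(names)} names for {len(ports)} TTY lines")
    return [f"ip host {name} {port} {address}"
            for name, port in zip(names, ports)]


if __name__ == "__main__":
    # Device names and loopback address as used in this page's lab task.
    for cmd in ip_host_commands(SHOW_LINE, ["r2", "r3", "r4"], "10.10.10.10"):
        print(cmd)
```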

Experimental tasks

A laboratory purchased a new batch of network equipment and built the network topology as shown in the figure below. It includes a Cisco 2911 router (R1), five Cisco 1941 routers (R2~R5), two Cisco Catalyst 2960 switches (S1, S2), and a Cisco Gigabit switch (S3). In order to protect the equipment, all the equipment shown in the picture are placed in the cabinet. The newly purchased Cisco HWIC-8A module is installed on the 2911 router R1, turning it into a terminal server. It is connected to other devices by purchasing eight-claw cables to avoid damaging the console port of the device by repeatedly plugging and unplugging the console cable. The Gigabit ports of all network devices are connected to the Gigabit switch S3. The logical network address of the device connected to the switch S3 is 192.168.0.0/24. The interface addresses assigned to each device are as shown in the topology diagram. Please configure the corresponding network equipment according to the following requirements:

Configure TTY

  • Configure R1 so that it can access the 8 network devices connected to it;
  • Create loopback interface 10.10.10.10/32 for TTY management;
  • Configure the mapping of host names to lines (both uppercase and lowercase host names must be mapped);
  • Set the TTY login password to ytvc2017;
  • Enable log output synchronization;
  • Turn off the domain name resolution function.
R1>en
R1#conf t
R1(config)#no ip domain-lookup 
R1(config)#int lo0
R1(config-if)#ip add 10.10.10.10 255.255.255.255
R1(config-if)#end
R1#show line
   Tty Line Typ     Tx/Rx    A Roty AccO AccI   Uses   Noise  Overruns   Int
*    0    0 CTY              -    -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/0    3 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/1    4 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/2    5 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/3    6 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/4    7 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/5    8 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/6    9 TTY   9600/9600  -    -    -    -      0       0     0/0       -
 0/0/7   10 TTY   9600/9600  -    -    -    -      0       0     0/0       -
   388  388 VTY              -    -    -    -      0       0     0/0       -
   389  389 VTY              -    -    -    -      0       0     0/0       -
   390  390 VTY              -    -    -    -      0       0     0/0       -
   391  391 VTY              -    -    -    -      0       0     0/0       -
   392  392 VTY              -    -    -    -      0       0     0/0       -
Line(s) not in async mode -or- with no hardware support:
11-387

R1#conf t
R1(config)#line tty 3 10
R1(config-line)#transport input all 
R1(config-line)#pas ytvc2017
R1(config-line)#login
R1(config-line)#exe 0 0
R1(config-line)#logging s

R1(config-line)#exit
# --- Lowercase hostname mappings ---
R1(config)#ip h r2 2003 10.10.10.10
R1(config)#ip h r3 2004 10.10.10.10
R1(config)#ip h r4 2005 10.10.10.10
R1(config)#ip h r5 2006 10.10.10.10
R1(config)#ip h r6 2007 10.10.10.10
R1(config)#ip h s1 2008 10.10.10.10
R1(config)#ip h s2 2009 10.10.10.10
R1(config)#ip h s3 2010 10.10.10.10
# --- Uppercase hostname mappings ---
R1(config)#ip h R2 2003 10.10.10.10
R1(config)#ip h R3 2004 10.10.10.10
R1(config)#ip h R4 2005 10.10.10.10
R1(config)#ip h R5 2006 10.10.10.10
R1(config)#ip h R6 2007 10.10.10.10
R1(config)#ip h S1 2008 10.10.10.10
R1(config)#ip h S2 2009 10.10.10.10
R1(config)#ip h S3 2010 10.10.10.10

R1(config)#exi
R1#show hosts 
Default Domain is not set
Name/address lookup uses domain service
Name servers are 255.255.255.255

Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
       temp - temporary, perm - permanent
       NA - Not Applicable None - Not defined

Host                      Port  Flags      Age Type   Address(es)
R2                        2003  (perm, OK)  0   IP      10.10.10.10
R3                        2004  (perm, OK)  0   IP      10.10.10.10
R4                        2005  (perm, OK)  0   IP      10.10.10.10
R5                        2006  (perm, OK)  0   IP      10.10.10.10
R6                        2007  (perm, OK)  0   IP      10.10.10.10
S1                        2008  (perm, OK)  0   IP      10.10.10.10
S2                        2009  (perm, OK)  0   IP      10.10.10.10
S3                        2010  (perm, OK)  0   IP      10.10.10.10
r2                        2003  (perm, OK)  0   IP      10.10.10.10
r3                        2004  (perm, OK)  0   IP      10.10.10.10
r4                        2005  (perm, OK)  0   IP      10.10.10.10
r5                        2006  (perm, OK)  0   IP      10.10.10.10
r6                        2007  (perm, OK)  0   IP      10.10.10.10
s1                        2008  (perm, OK)  0   IP      10.10.10.10
s2                        2009  (perm, OK)  0   IP      10.10.10.10
s3                        2010  (perm, OK)  0   IP      10.10.10.10

Configure SSH

  • Enable remote SSH management on 6 routers;
  • Set the domain name to ytvc.lab;
  • Set the user name to Admin and the password to ciscopass;
  • A maximum of 9 users are allowed to log in at the same time.
# --- Configure SSH on R1 ---
R1#conf t
R1(config)#int g
R1(config)#int g0/0
R1(config-if)#ip add 192.168.0.1 255.255.255.0
R1(config-if)#no shutdown 

R1(config-if)#exi
R1(config)#ip domain-n ytvc.lab
R1(config)#crypto key generate rsa
The name for the keys will be: R1.ytvc.lab
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#u Admin pr 0 p ciscopass
R1(config)#line vty 0 8
R1(config-line)#t i ssh
R1(config-line)#logging s
R1(config-line)#login l

# --- Configure SSH on R2 ---
# Using R1 as the terminal server, connect to R2 via reverse telnet
R1#telnet r2
Trying 10.10.10.10 ...Open
User Access Verification
Password: System Bootstrap, Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.
Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO1941/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64/-1(On-board/DIMM0) bit mode with ECC disabled
# ...
R2 con0 is now available
Press RETURN to get started.
R2>
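# ...SSH configuration on R2 is the same as on R1, except that the IP address of the g0/0 interface becomes 192.168.0.2

# --- Configure SSH on R3-R6 ---
# ...same method as above

# --- Test the SSH connection to R1 ---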
S1>exit

[Connection to 192.168.0.7 closed by foreign host]
PC>ssh -l Admin 192.168.0.1
Open
Password: 

R1>

Configure Telnet

  • Enable Telnet on 3 switches;

  • Up to 9 users are allowed to log in at the same time;

  • Set the VTY password to ytvcpass;

  • Configuring the management IP address of the switch allows the network administrator to remotely manage the switch using telnet or network management software, through the following command:

    (switch-config)# interface vlan 1
    (switch-config-if)# ip address w.x.y.z netmask a.b.c.d
    (switch-config-if)# no shutdown 
    
  • Note: The enable password of all devices is cisco; the console password is jsjwl, and the host name is configured as shown in the figure above.

# --- Configure Telnet on S1 ---
# Using R1 as the terminal server, connect to S1 via reverse telnet
R1>telnet s1
Trying 10.10.10.10 ...Open
User Access Verification
Password: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
2960-24TT starting...
Base ethernet MAC Address: 0000.0C02.9294
Xmodem file system is available.
Initializing Flash...
# ...
S1 con0 is now available
Press RETURN to get started.

S1>en
S1#conf t
S1(config)#int v1
S1(config-if)#ip add 192.168.0.7 255.255.255.0
S1(config-if)#no sh

S1(config-if)#line vty 0 8
S1(config-line)#pas ytvcpass
S1(config-line)#login

# --- Configure Telnet on S2-S3 ---
# ...same method as S1

# --- Test the Telnet connection to S1 ---
# Use `config` to set the IP address of `Admin`'s `fastEthernet` network card to 192.168.0.10/24
PC>ping 192.168.0.7 # S1's IP address is 192.168.0.7

Pinging 192.168.0.7 with 32 bytes of data:

Reply from 192.168.0.7: bytes=32 time=1ms TTL=255
Reply from 192.168.0.7: bytes=32 time=0ms TTL=255
Reply from 192.168.0.7: bytes=32 time=0ms TTL=255
Reply from 192.168.0.7: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.0.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

PC>telnet 192.168.0.7
Trying 192.168.0.7 ...Open


User Access Verification

Password: 
S1>



Origin blog.csdn.net/IYXUAN/article/details/126576366