Network Device Security Overview

Jul 3, 2025

Overview

This lecture covers secure remote management of network devices using SSH, console port security, management IP for Layer 2 switches, Telnet configuration, and key SSH commands for the CCNA exam.

Console Port Security

  • By default, no password is required to access the CLI via the console port.
  • Configure a console password with line console 0, then password <value>, and login to require the password.
  • Only one user can connect via the console line at a time.
  • For enhanced security, use login local with configured usernames and passwords on the device.
  • Configure an inactivity logout timer with the exec-timeout command.

Management IP on Layer 2 Switches

  • Layer 2 switches can be managed remotely by assigning an IP address to a Switch Virtual Interface (SVI).
  • Use interface vlan <id>, then ip address <ip> <mask>, and no shutdown to enable the interface.
  • Set a default gateway with ip default-gateway <gateway> for communication outside the local LAN.

Telnet Overview and Configuration

  • Telnet is an old protocol (1969) for remote CLI access; it sends all data, including credentials, in plain text, so it is not secure.
  • Telnet uses TCP port 23; the device being accessed is the server, the connecting device is the client.
  • Configure Telnet access on the VTY lines (line vty 0 15) with login local, exec-timeout, and transport input telnet.
  • You can restrict access using an ACL applied with the access-class command.

SSH (Secure Shell)

  • SSH, developed in 1995, encrypts all data and uses TCP port 22 for secure remote CLI access.
  • SSH version 2 (2006) is more secure than version 1; devices supporting both show version 1.99.
  • SSH requires a non-default hostname and a domain name to be configured before the RSA key pair can be generated.
  • Generate keys after setting hostname and domain with crypto key generate rsa modulus <size>, size ≥ 768 bits for SSHv2.
  • Enable SSH version 2 with ip ssh version 2.
  • Configure VTY lines with login local, exec-timeout, transport input ssh, and optional ACL for security.

CCNA Exam Q&A Highlights

  • Both hostname and domain name are required before generating RSA keys.
  • transport input telnet ssh or transport input all allows both protocols on VTY lines.
  • Use access-class on VTY lines to restrict SSH access by IP.
  • K9 IOS images support SSH; RSA key modulus must be at least 768 bits for SSHv2.
  • For remote SSH, the switch or router acts as the SSH server, and the connecting PC is the client.
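An added example, not part of the lecture notes: a small Python audit that reads a running-config excerpt and flags the VTY/console weaknesses the Telnet, SSH and Q&A sections warn about (Telnet allowed on VTY lines, SSH version 2 not enforced, no login, no access-class, inactivity timer disabled). The config text is constructed for illustration; the hostname, ACL name and line layout are assumptions.

```python
"""Audit a Cisco IOS running-config excerpt for remote-access weaknesses."""

# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name lab.example
username admin secret <placeholder-hash>
ip ssh version 1
!
line con 0
 exec-timeout 0 0
 login
line vty 0 4
 exec-timeout 0 0
 login local
 transport input all
line vty 5 15
 login local
 access-class VTY_MGMT in
 transport input ssh
!
"""

def parse_lines(config):
    """Return {"con 0": [cmds], "vty 0 4": [cmds], ...} from running-config text."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # left the line block (e.g. a "!" separator)
    return sections

def audit(config):
    """Return a list of (line_name, finding) tuples; an empty list means no issues."""
    findings = []
    if "ip ssh version 2" not in config.splitlines():
        findings.append(("global", "SSH version 2 not enforced (SSHv1 / 1.99 may be offered)"))
    for name, cmds in parse_lines(config).items():
        if not any(c in ("login", "login local") for c in cmds):
            findings.append((name, "no 'login' or 'login local': no password required"))
        if name.startswith("vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if any("telnet" in t or t.endswith("all") for t in transport):
                findings.append((name, "Telnet permitted: use 'transport input ssh'"))
            if not any(c.startswith("access-class") for c in cmds):
                findings.append((name, "no access-class ACL restricting source IPs"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "inactivity logout disabled (exec-timeout 0 0)"))
    return findings
```

A VTY block with no explicit transport input line inherits the platform default, which this audit does not evaluate.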

Key Terms & Definitions

  • Console Port — Physical port for direct CLI access to a device.
  • VTY Lines — Virtual lines for remote CLI access via Telnet or SSH.
  • SSH (Secure Shell) — Encrypted protocol for secure CLI access; uses TCP port 22.
  • Telnet — Legacy protocol for remote CLI access; unencrypted; uses TCP port 23.
  • SVI (Switch Virtual Interface) — Virtual interface on a switch for management IP.
  • ACL (Access Control List) — Used to restrict access based on IP addresses.
  • RSA Keys — Cryptographic keys generated for enabling SSH.
  • K9 IOS Image — Cisco IOS image version that supports cryptographic features like SSH.

Action Items / Next Steps

  • Practice configuring SSH and related commands in a lab or Packet Tracer.
  • Review flashcards and complete the provided Packet Tracer labs.
  • For further understanding, revisit the command explanations and examples.