On a PC, an SSH client such as PuTTY is used to connect to an SSH server. For the examples, the following have been configured:
- SSH enabled on switch S1
- Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
- PC1 with IPv4 address 172.17.99.21
In Figure 19-1, the technician is initiating an SSH connection to the SVI VLAN IPv4 address of S1. The terminal software PuTTY is shown.
Figure 19-1 SSH Connection with PuTTY
After clicking Open in PuTTY, the user is prompted for a username and password. On the first connection to S1, PuTTY first displays a security alert showing the fingerprint of the switch's host key. That fingerprint should be compared with the key the switch itself displays (for example, with show ip ssh over the console) before it is accepted, because an unverified host key gives no protection against an impostor on the path. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch.
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In Example 19-9, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command.
Example 19-9 Establishing a Remote SSH Session
Login as: admin
Using keyboard-interactive authentication.
Password: <ccna>
S1> enable
Password: <class>
S1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCdLksVz2QlREsoZt2f2scJHbW3aMDM8/8jg/srGFNL
i+f+qJWwxt26BWmy694+6ZIQ/j7wUfIVNlQhI8GUOVIuKNqVMOMtLg8Ud4qAiLbGJfAaP3fyrKmViPpO
eOZof6tnKgKKvJz18Mz22XAf2u/7Jq2JnEFXycGMO88OUJQL3Q==
S1# show ssh
Connection Version Mode Encryption Hmac      State           Username
0          2.0     IN   aes256-cbc hmac-sha1 Session started admin
0          2.0     OUT  aes256-cbc hmac-sha1 Session started admin
%No SSHv1 server connections running.
S1#
Packet Tracer—Configure SSH (19.3.6)
SSH should replace Telnet for management connections. Telnet sends everything, including usernames and passwords, in plaintext. SSH secures remote connections by encrypting all data transmitted between the devices and by authenticating the server with its host key. In this activity, you will secure a remote switch with password encryption and SSH.
Connecting the Switch to the Router (19.4)
Most local networks have only one router. This router is the gateway router, and every host and switch on the network must be configured with its address as the default gateway. Next, you'll learn how to configure the default gateway on hosts and switches.
Default Gateway for a Host (19.4.1)
For an end device to communicate over the network, it must be configured with the correct IP address information, including the default gateway address. The default gateway is used only when the host wants to send a packet to a device on another network. A host decides this by comparing the destination address with its own address under its subnet mask (prefix length): if the network portions match, the destination is local; otherwise the packet goes to the default gateway. The default gateway address is generally the router interface address attached to the local network of the host. The IP address of the host device and the router interface address must be in the same network; a gateway outside the host's own network is unreachable and the host cannot use it.
For example, assume an IPv4 network topology consists of a router interconnecting two separate LANs. G0/0/0 is connected to network 192.168.10.0, and G0/0/1 is connected to network 192.168.11.0. Each host device is configured with the appropriate default gateway address.
In Figure 19-2, if PC1 sends a packet to PC2, the default gateway is not used. Instead, PC1 addresses the packet with the IPv4 address of PC2 and forwards the packet directly to PC2 through the switch.
Figure 19-2 PC1 Sending a Packet to PC2
What if PC1 sent a packet to PC3? As shown in Figure 19-3, PC1 would address the packet with the IPv4 address of PC3 but would forward the packet to its default gateway, which is the G0/0/0 interface of R1. The router accepts the packet and accesses its routing table to determine that G0/0/1 is the appropriate exit interface based on the destination address. R1 then forwards the packet out of the appropriate interface to reach PC3.
Figure 19-3 PC1 Sending a Packet to PC3
The same process would occur on an IPv6 network, although this is not shown in the topology. Devices would use the IPv6 address of the local router as their default gateway.
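The forwarding decision described for PC1 in Figures 19-2 and 19-3, as an added example that is not part of the book: the function below makes the same on-link test a host performs, for IPv4 and IPv6 alike, and rejects the misconfiguration the text warns about (a default gateway outside the host's own network). The topology follows the text (R1 G0/0/0 on 192.168.10.0, G0/0/1 on 192.168.11.0), but the /24 masks, the host addresses (PC1 192.168.10.10, PC2 192.168.10.11, PC3 192.168.11.10), the gateway 192.168.10.1 and the IPv6 prefixes are assumptions of this example, since the text does not list them.

```python
"""Next-hop decision a host makes with its default gateway.

Added example, not code from the book. Masks, host addresses, the gateway
address and the IPv6 prefixes used in main() are assumed for illustration.
"""
import ipaddress


def next_hop(host_if, gateway, destination):
    """Return ("direct", dst) or ("gateway", gw) for a packet to destination.

    host_if is the host's own address with prefix length, e.g.
    "192.168.10.10/24". A ValueError is raised for the misconfigurations
    the text warns about: a gateway outside the host's local network
    (an IPv6 link-local gateway such as fe80::1 is accepted, since
    link-local addresses are always on-link) or mixed address families.
    """
    iface = ipaddress.ip_interface(host_if)
    gw = ipaddress.ip_address(gateway)
    dst = ipaddress.ip_address(destination)
    if not (iface.version == gw.version == dst.version):
        raise ValueError("host, gateway and destination must be the same IP version")
    gw_on_link = gw in iface.network or (gw.version == 6 and gw.is_link_local)
    if not gw_on_link:
        raise ValueError(f"gateway {gw} is not in the local network {iface.network}")
    # Same network under the host's mask: deliver directly through the switch.
    if dst in iface.network:
        return ("direct", str(dst))
    # Different network: hand the packet to the router's local interface.
    return ("gateway", str(gw))


if __name__ == "__main__":
    PC1, GW = "192.168.10.10/24", "192.168.10.1"   # assumed addresses
    print("PC1 -> PC2:", next_hop(PC1, GW, "192.168.10.11"))  # delivered directly
    print("PC1 -> PC3:", next_hop(PC1, GW, "192.168.11.10"))  # sent to R1 G0/0/0
    print("PC1 -> PC3 over IPv6:",
          next_hop("2001:db8:10::10/64", "fe80::1", "2001:db8:11::10"))
```

Note the IPv6 case: the router's link-local address is the usual default gateway, so it must be accepted even though it is not inside the host's global prefix; the check above handles that explicitly.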