New Member

Telnet/SSH Connection to Switch

I'm studying for the CCENT, and I have one issue and two general inquiries I'd like to present.  


First of all, I'm having trouble connecting to my 2950 using Telnet/SSH, though I've applied a VTY password.  As an aside, I'm able to connect through the console.  I applied an IP address to the switch, and I'm wondering if there's a part of the process that I've missed.  When using PuTTY to connect to the IP, I immediately receive the "Network Error: Connection refused" error; the same basic message appears using Tera Term.


Here's my running config:



Switch#show running-config
Building configuration...

Current configuration : 2416 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
no logging console
!
username CCNA password 0 CCIE
ip subnet-zero
!
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access

" " " " " " " " 

" " " " " " " "
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
 exec-timeout 0 0
 password CCENT
 logging synchronous
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
!
end
 --More--


The physical connection I'm using is from my desktop's second NIC, and I've configured the IPv4 connection to the switch's listed IP, which is 192.168.1.107.  Is there anything listed above that would be problematic?


One of my questions has to do with the IP address that's supposed to be used to receive rsa keys: why is it necessary?  Also, I tried entering the "ip address dhcp" command to grab an address from my WRT54G and received the following:



Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-if)#ip address dhcp
                             ^
% Invalid input detected at '^' marker.


I'm following the directions in Odom's book, and I don't see what I'm missing.  


My other question has to do with passwords, in general.  Entering the username/password on either the interface-subcommand or the global configuration area seems unimportant, here:


Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#username DDDD password EEEE
Switch(config)#^Z

...and...

Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#exit
Switch(config)#username FFFF password GGGG
Switch(config)#^Z


Here's the running config, afterwards:


Switch#show running-config
Building configuration...

Current configuration : 2535 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
no logging console
!
username CCNA password 0 CCIE
username BBBB password 0 CCCC
username DDDD password 0 EEEE
username FFFF password 0 GGGG
ip subnet-zero
!
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
 --More--


It doesn't appear as though exiting out of config-if mode made any difference for the usernames/passwords.  Then again, I can't connect through Telnet/SSH, so I'm not able to test it, at the moment.  


I'm really sorry for the huge post, but I didn't want to start multiple threads.  Any help is much appreciated.


- B 
7 REPLIES


Hello

First of all welcome to CSC!


Let me try to answer your queries one at a time.


Note: as you will learn later in your studies, ping (ICMP) is not always available; as a security measure it can be disabled so as not to advertise the existence of a device.

1) Regarding your remote access connection via the VTY lines:

Can you ping the router from your desktop? This is to make sure you have connectivity to the device; also check whether you have any software firewall enabled that is prohibiting the connection.

Have you tried telnet and ssh from putty?

How are you physically connecting to the switch, are you using a crossover or normal RJ45 cable?


2) User access (management plane)

Without getting too in-depth with access authentication: to gain access with a username and a password, the basic way would be to define an enable password and a local-database username and password:

enable password xxxxx
or
enable secret xxxxx (this is usually the best option)

username test password test

line vty 0 xx
 login local
 transport input telnet ssh


Regards,

Paul

Hall of Fame Super Silver


B


Can you tell us what switch port your PC connects to? It appears from the incomplete config that you posted that quite a few ports are in vlan 1 and at least one is in vlan 2. Since you configured the IP address of the switch to be in vlan 2 then you need to be connected to vlan 2 to be able to access it from your PC.


Can you post the output of arp -a from your PC? If the PC sees an IP and a MAC from the switch then there is some communication and we need to figure out what the other problem is. If there is no IP and MAC entry then there is not communication and that is why telnet and SSH are failing.


I would like to address your other question. You have discovered that it is possible to enter the command to create a user ID and password without exiting from interface configuration mode. Cisco did this on purpose and it is not an error, and it does work. The parser examines each command that you enter. When the parser detects that you have entered a global configuration command, the parser will transition to global configuration mode and execute the command. You probably noticed that when you did it the prompt changed from the config-line mode to the global config mode. And IOS will do this for all global commands, not just for the username command.


HTH


Rick

New Member


Anyone?  I'm still getting error messages, when trying to Telnet/SSH....

New Member


You have not configured password(s) on the VTY lines, hence the connection is refused!

The RSA key relates to SSH; as this is a secure connection, it thus has a certificate. This is for the connection; it has nothing to do with an address.

You don't need to do anything on your router; devices plugged in will receive an IP address. The part of the command you are referring to is for when you are configuring DHCP on the switch.

Also, it is a good idea to encrypt your passwords!

Martin

Hall of Fame Super Silver


Martin


It is true that the original poster has not configured passwords on the vty lines. But he has configured login local on the vty lines, and that means that the router would not use the vty passwords even if they were configured. Login local overrides the vty passwords and instructs IOS to authenticate with a locally configured ID and password.


I do agree with you that SSH is a whole different topic and that we should not attempt to solve SSH issues until we have resolved the issues with telnet.


HTH


Rick

New Member


First of all, thank you all for the helpful responses!


My PC is currently connected through the router, from which a straight-through cable is connected to port Fa0/18, and it is indeed on vlan2, which is associated with 1.107.  


I ran the arp -a command, and here's a portion of it:


Interface: 192.168.1.105 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-41-d4-6d-a1     dynamic
  192.168.1.104         64-a3-cb-3d-07-64     dynamic
  192.168.1.107         00-0a-b7-13-e5-c0     dynamic


1.105 is one of the NICs on the desktop.  The BIA listed for 1.107 is one of the static "CPU" addresses on the switch.  Here's my current running config:


Switch#show running-config
Building configuration...

Current configuration : 2434 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
no logging console
!
username CCNA password 0 CCIE
ip subnet-zero
!
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
!
!

!
interface FastEthernet0/18
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/19
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/21
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/22
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
 exec-timeout 0 0
 password CCENT
 logging synchronous
 login
line vty 0 4
 password NICE
 login
 transport input telnet ssh
line vty 5 15
 password NICE
 login
 transport input telnet ssh
!
!
end


As you can see, I've added the VTY passwords, though I thought I had already done that.  Actually, to what do the "CCNA" and "CCIE" passwords listed above apply?  I'm assuming those are the local login credentials I added for the VTY lines.  


I just got through disconnecting the switch's straight-through cable from the router and connecting it directly to my desktop's second NIC again, and I still can't connect remotely.  Where should the troubleshooting start, at this point?

Hall of Fame Super Silver


Thank you for the additional information. The output of arp -a does show that there is connectivity between the PC and the switch so we can eliminate connectivity issues as the cause of the problem.


I would suggest that for troubleshooting that we just connect the PC directly to the switch. After we solve the access problem if you then want to put the router into the mix that would be ok. But for troubleshooting lets keep it as simple as possible.


For troubleshooting there are a couple of questions that you can answer for us:

- on what switch port is the PC connected? (we want to be sure that this switch port is in vlan 2)

- are you using telnet or SSH to test? (I suggest that in testing that we start with only telnet. After telnet is working then we can add SSH)

- Before you try the telnet can you ping the switch address from the PC?


Since much of the discussion in this thread has been about IDs and passwords lets have a little review and hope that some of the information may help lead to an understanding of the issue. An IOS device (switch or router) can authenticate with resources that are local to the device or it can authenticate using an authentication server (aaa etc). For this discussion we will focus on local authentication.

The simplest way to authenticate (and the default in IOS) is to authenticate using passwords that are configured for the vty and perhaps for the console. That is what is configured in the most recent version of the config that you posted. If you log in on the console it will prompt for a password and will expect the password CCENT. If you telnet to the switch it will prompt for a password and will expect the password NICE.


There is an option that can be configured in IOS that is login local. This was what was configured in the original post that began this thread. Login local instructs the IOS device to authenticate with a user ID and a password that are configured on the local device. In the config that you posted there is this line

username CCNA password 0 CCIE

This defines a username of CCNA and a password of CCIE. If login local is configured and you telnet to the switch then it will prompt for a user name and then prompt for a password (different and more secure than the default of just prompting for a password).


HTH


Rick
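Putting Paul's skeleton (an enable secret, a local username, login local on the VTYs) together with Rick's explanation of login versus login local, here is a complete management-plane configuration for the switch in this thread, with the weak form that the second posted config uses shown in comments beside the hardened form. This is an added example; it is not configuration from any post in the thread or from Cisco documentation. It assumes the poster's hostname, ip domain-name and Vlan2 address (192.168.1.107/24); the username, the secrets and the ACL number are placeholders; and it assumes the 2950 is running a cryptographic (k9) image, which is what makes the SSH and RSA commands available at all. It also covers the RSA question Martin touched on: the key pair is generated for hostname.domain-name, and no IP address is involved in creating it.

```cisco
! Added example (not from the thread). Assumes the poster's hostname,
! ip domain-name and the Vlan2 management address 192.168.1.107/24; the
! username, secrets and ACL number are placeholders, and the image is assumed
! to be a cryptographic (k9) build, since the SSH commands are absent otherwise.
!
! --- Weak (what the second posted config does) -----------------------------
! One shared line password, typed over telnet in clear text and stored in the
! config in clear text; no enable secret; plain "login" never consults the
! local username database, so "username CCNA ..." is dead configuration here.
!
!   no service password-encryption
!   username CCNA password 0 CCIE
!   line vty 0 15
!    password NICE
!    login
!    transport input telnet ssh
!
! --- Hardened --------------------------------------------------------------
hostname Switch
ip domain-name modeofinquiry.com
!
! Privileged EXEC guarded by a salted MD5 hash (type 5), not "enable password".
enable secret Ch4nge-M3-Enable
!
! Local user database using "secret" (type 5 hash) rather than "password",
! which is stored reversibly (type 0, or type 7 after service password-encryption).
username netadmin privilege 15 secret Ch4nge-M3-User
!
! Obscures any remaining "password" lines in "show run". Type 7 is trivially
! reversible, so this is shoulder-surfing protection only, not real secrecy.
service password-encryption
!
! SSH needs an RSA key pair. The key is labelled hostname.domain-name, which is
! why both must be configured first; generating it does not involve an IP address.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only hosts on the management subnet may open a VTY session at all.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any
!
! Console: username + password from the local database, and an idle timeout
! (the posted "exec-timeout 0 0" means a console session never times out).
line con 0
 login local
 exec-timeout 10 0
 logging synchronous
!
! All 16 VTYs: local users, SSH only, source-filtered, idle timeout.
line vty 0 15
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh
!
! The posted config leaves the unauthenticated HTTP server enabled.
no ip http server
```

Verify with `show crypto key mypubkey rsa`, `show ip ssh` and `show line vty 0 15`, then test from the PC with an SSH client against 192.168.1.107 as netadmin. If the image rejects `ip ssh version 2` or `username ... secret`, check `show version`: older 12.1 builds accept only SSH version 1 and `username ... password`, in which case keep `service password-encryption` and plan an image upgrade. Do not drop telnet from `transport input` until an SSH login has succeeded from a second session, or you can lock yourself out of remote management and be back on the console cable.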
