SSH configuration on IOS Router and Switch

Secure Shell (SSH) provides a secure and reliable means of connecting to remote devices. It is an encrypted network protocol that lets users safely access equipment through command-line sessions. SSH uses TCP port 22, which is assigned to secure logins, file transfer and port forwarding.

SSH uses public-key cryptography to authenticate the remote device and encrypts all data between that device and the workstation, which makes it the best choice for public networks. Telnet, by contrast, transmits data in plain text and so exposes it to security threats; this is why telnet is recommended for private networks only, to keep the data uncompromised.

Before continuing with this lab, first make sure you have already done the basic configuration of your router or switch, such as the IP address, the default gateway, and the enable or secret password. If that is already done, follow the next steps:

Step-1: Hostname and Domain-name configuration

Router(config)# hostname LAB
LAB(config)# ip domain-name nazrul.pro

Step-2: Generate the RSA Keys

The router needs an RSA key pair that it will use during the SSH handshake, so generate one with the crypto command shown below.

LAB(config)# crypto key generate rsa 
The name for the keys will be: LAB.nazrul.blog 
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024 
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Step-4: Line VTY configurations for SSH

Set up the following line vty parameters: restrict the input transport to SSH, set the login to local, and set the password to 7.

LAB(config)#line vty 0 4
LAB(config-line)# transport input ssh
LAB(config-line)# login local
LAB(config-line)# password 7
LAB(config-line)# exit

Step-5: Add username and password

If you have not already created a user, create a username and password for SSH:

LAB(config)# username nazrul password sshpassword

Step-6: Verify SSH

To verify SSH on the router, run the show ip ssh command; the router then shows whether SSH is enabled or not.

LAB#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,pass

Now you can SSH to the router from a remote host.
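The following is an added example, not part of the original post and not Cisco's code: a small Python audit that parses a constructed running-config excerpt and checks the settings from Steps 1 to 5 (domain name present, SSH version 2, every vty line restricted to SSH and using login local). It goes one step beyond the post by also flagging a username stored with password rather than secret. It assumes the configuration is available as text, for instance saved from show running-config; the vty 5 15 block and the username line are constructed so that the audit has something to report.

```python
import re

# Constructed running-config excerpt (not captured from a real device). The vty 5 15
# block is left the way it is often found on devices where only vty 0 4 was configured,
# so that the audit has something to flag.
RUNNING_CONFIG = """\
hostname LAB
ip domain-name nazrul.pro
ip ssh version 2
username nazrul password 0 sshpassword
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
"""


def parse_sections(config):
    """Split an IOS config into top-level commands and the indented sub-commands under each."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw.startswith(' ') and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means the SSH-related settings look right."""
    top, blocks = parse_sections(config)
    findings = []
    if not any(cmd.startswith('ip domain-name ') for cmd in top):
        findings.append("no 'ip domain-name': the RSA key is named <hostname>.<domain>, so key generation needs one")
    if 'ip ssh version 2' not in top:
        findings.append("'ip ssh version 2' not set: the device may still negotiate SSH version 1")
    for header in top:
        if not header.startswith('line vty'):
            continue
        cmds = blocks[header]
        transport = next((c for c in cmds if c.startswith('transport input ')), None)
        if transport != 'transport input ssh':
            findings.append(f"{header}: expected 'transport input ssh', found {transport!r}")
        if 'login local' not in cmds:
            findings.append(f"{header}: expected 'login local' so that the username database is used")
    for cmd in top:
        m = re.match(r'username (\S+) password ', cmd)
        if m:
            findings.append(f"username {m.group(1)}: 'password' stores a type 0/7 string that can be recovered; prefer 'username ... secret'")
    return findings


if __name__ == '__main__':
    for finding in audit_ssh(RUNNING_CONFIG):
        print('FINDING:', finding)
```

Run against the constructed excerpt it reports three findings, all on the vty 5 15 block and the username line; vty 0 4, configured exactly as in Step-4 and Step-5, passes.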


Unable to Access Websites due to TCP MSS issue

Some days ago a weird issue popped up. One of our clients complained about a website access issue. From their LAN network some of their users were unable to access some websites, but all were accessible from other networks. Then we checked DNS, routing, firewall filters and related things but didn't find any notable reason. The interesting thing is that it was not happening for all users. Some users were able to browse but some were not. Then we captured packets and found different segment sizes being generated from different workstations; after that we fixed the TCP MSS on the router interface.

Resolution for IOS (set ip tcp adjust-mss on the LAN interface):
Router(config)# interface gi0/0/1
Router(config-if)# ip tcp adjust-mss 1440

Details about TCP MSS:

  1. https://blog.apnic.net/2014/12/15/ip-mtu-and-tcp-mss-missmatch-an-evil-for-network-performance/
  2. https://learningnetwork.cisco.com/thread/40703
  3. http://networking.nitecruzr.net/2007/11/setting-mtu-in-windows-vista.html
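What ip tcp adjust-mss actually does, shown as an added Python example rather than anything from the post or from Cisco: the router reads the MSS option in each TCP SYN that crosses the interface and lowers it to the configured value when it is larger, so both endpoints agree on segments that fit the path (1440 bytes of payload plus 20 bytes of IP and 20 bytes of TCP header is a 1480-byte packet). The SYN below is constructed with struct; its TCP checksum is left at zero, which a real router would recompute after the rewrite.

```python
import struct

MSS_KIND = 2      # TCP option kind for Maximum Segment Size
CLAMP = 1440      # value configured on the router in the post


def build_syn(mss, sport=40000, dport=443):
    """Constructed TCP SYN header: 20 fixed bytes plus MSS, two NOPs and SACK-permitted options."""
    options = struct.pack('!BBH', MSS_KIND, 4, mss) + b'\x01\x01' + struct.pack('!BB', 4, 2)
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    fixed = struct.pack('!HHIIBBHHH', sport, dport, 1000, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options


def iter_options(segment):
    """Yield (kind, offset_in_segment, value_bytes) for each option in the TCP header."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP padding, no length byte
            i += 1
            continue
        length = segment[i + 1]
        yield kind, i, segment[i + 2:i + length]
        i += length


def read_mss(segment):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for kind, _, value in iter_options(segment):
        if kind == MSS_KIND:
            return struct.unpack('!H', value)[0]
    return None


def adjust_mss(segment, clamp=CLAMP):
    """Return a copy of the segment with the MSS option lowered to clamp if it was higher.

    Only SYN segments carry MSS, so anything else is returned unchanged. A real router would
    also recompute the TCP checksum afterwards; it is zero in the constructed segment here.
    """
    if not segment[13] & 0x02:
        return segment
    out = bytearray(segment)
    for kind, offset, value in iter_options(segment):
        if kind == MSS_KIND and struct.unpack('!H', value)[0] > clamp:
            struct.pack_into('!H', out, offset + 2, clamp)
    return bytes(out)


if __name__ == '__main__':
    syn = build_syn(1460)                             # the usual Ethernet MSS from a workstation
    print('before:', read_mss(syn), 'after:', read_mss(adjust_mss(syn)))
```

A SYN advertising 1460 leaves the interface advertising 1440; a SYN that already advertises 1380 is passed through untouched, which is why the command is safe to apply to hosts that already have a correct MTU.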

How to Configure SNMP on Cisco IOS Router or Switch?

SNMP helps network administrators manage and monitor the state of network devices. The network device sends information to the NMS server, which graphs it so that CPU, memory, I/O, etc. can be analysed. The following case enables the SNMP agent on a Cisco router with snmp-server community, followed by the community name, and sends traps to a specific host.

Step-1: Enable SNMP with the following command:

Router(config)#snmp-server community <community-string> ro
Router(config)#snmp-server community <community-string> rw
Router(config)#snmp-server community public rw

Here community-string is the actual community string; “ro” means read-only and “rw” read-write.

Step-2: Use the snmpserver host commandto specify which host or hosts receive SNMP

Router(config)#snmp-server host <ip-address> <version> <community-string>

Here “ip-address” is the IP address of the SNMP management station and “community-string” is the actual community string.

Step-3: To enable the router to send Simple Network Management Protocol traps or informs (SNMP notifications), use the snmp-server enable traps global configuration command. After this command is executed, SNMP traps are sent automatically to the SNMP management station configured in the previous step.

Router(config)#snmp-server enable traps

This command turns on all the varieties of traps. You can also turn on specific traps by appending them to the above command, one trap variant at a time. Some allow for further specificity. For example:

Router(config)#snmp-server enable traps frame-relay
Router(config)#snmp-server enable traps envmon temperature
Router(config)#snmp-server enable traps bgp
Router(config)#snmp-server enable traps snmp

Case summary (IOS version 15.X and SNMP version 2):

Router(config)#snmp-server community GreenZone rw
Router(config)#snmp-server host 192.168.10.100 version 2c GreenZone
Router(config)#snmp-server enable traps
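Added example, not from the original post and not Cisco's code: a Python check over a constructed configuration excerpt built from the commands in Step-1, Step-2 and the case summary. It raises the points a reviewer would make about those lines: a well-known community name, read-write access, no access-list on the community, and notification hosts on version 1 or 2c, which carry the community string in clear text. The parser covers only the snmp-server community and snmp-server host forms shown above.

```python
import re

# Constructed configuration excerpt (not from a real device): the first, second and fourth
# lines follow the post's case summary, the third is the 'public rw' line from Step-1.
SNMP_CONFIG = """\
snmp-server community GreenZone rw
snmp-server host 192.168.10.100 version 2c GreenZone
snmp-server community public rw
snmp-server enable traps
"""

WELL_KNOWN_COMMUNITIES = {'public', 'private'}


def parse_communities(config):
    """Map community string -> (mode, acl) from 'snmp-server community <name> ro|rw [acl]'."""
    communities = {}
    for line in config.splitlines():
        m = re.match(r'snmp-server community (\S+) (ro|rw)(?: (\S+))?$', line.strip())
        if m:
            communities[m.group(1)] = (m.group(2), m.group(3))
    return communities


def parse_hosts(config):
    """List (host, version, name) from 'snmp-server host <addr> [version 1|2c|3 <level>] <name>'.

    IOS treats a host line without 'version' as version 1, which is why None is kept as-is.
    """
    hosts = []
    for line in config.splitlines():
        m = re.match(r'snmp-server host (\S+)(?: version (1|2c|3 \S+))? (\S+)$', line.strip())
        if m:
            hosts.append((m.group(1), m.group(2), m.group(3)))
    return hosts


def audit_snmp(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    for name, (mode, acl) in parse_communities(config).items():
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(f"community {name!r}: well-known default name")
        if mode == 'rw':
            findings.append(f"community {name!r}: read-write access lets a manager change the device; use ro unless writes are needed")
        if acl is None:
            findings.append(f"community {name!r}: no access-list limits which managers may use it")
    for host, version, _ in parse_hosts(config):
        if version is None or version in ('1', '2c'):
            findings.append(f"host {host}: version {version or '1'} carries the community string in clear text; version 3 adds authentication and encryption")
    return findings


if __name__ == '__main__':
    for finding in audit_snmp(SNMP_CONFIG):
        print('FINDING:', finding)
```

On the constructed excerpt this yields six findings: two for GreenZone, three for public and one for the version 2c trap host. A read-only community bound to an access-list and a version 3 host line produce none.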

How to force HTTPS using the .htaccess file

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between our browser and the website that we are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between our browser and the website are encrypted. HTTPS is often used to protect highly confidential online transactions like online banking and online shopping order forms.

Web browsers such as Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to visually indicate that an HTTPS connection is in effect.

Sometimes it’s necessary to make sure our website’s visitors use the SSL-encrypted connection. SSL (Secure Sockets Layer) is the standard technology for establishing an encrypted connection between a web server (host) and a web browser (client). SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

To enable HTTPS on your website you can use a free Let’s Encrypt SSL certificate. Let’s Encrypt is a free, automated, and open Certificate Authority. Nowadays some hosting companies also provide free SSL certificates.

Let’s say your hosting provider provides SSL and you have also enabled SSL on your website, but the browser is not redirecting HTTP to HTTPS. To force HTTPS, just add the following two lines to your .htaccess file. Make sure hidden files are shown in your public_html directory.

Code:
RewriteCond %{HTTPS} !^on$
RewriteRule (.*) https://yoursite.com/$1 [NC,R=301,L]

Let’s enjoy..
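As an added example (not part of the post, and not Apache’s own code), the following Python mimics how mod_rewrite evaluates those two lines, so you can see which requests are redirected and to where: the RewriteCond is tested against the HTTPS server variable, the RewriteRule pattern runs against the per-directory path (no leading slash in .htaccess context), $1 is substituted, and the original query string is carried over because the substitution has none of its own. It implements only the directive subset used here (one %{VAR} test string, the flags NC, R=code and L); the hostname yoursite.com is the placeholder from the post.

```python
import re

# The two lines from the post, wrapped in a constructed .htaccess (RewriteEngine On is
# what makes Apache evaluate them at all).
HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} !^on$
RewriteRule (.*) https://yoursite.com/$1 [NC,R=301,L]
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines immediately before it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'RewriteCond':
            pending.append((parts[1], parts[2]))          # (test string, condition pattern)
        elif parts[0] == 'RewriteRule':
            flags = set(parts[3].strip('[]').split(',')) if len(parts) > 3 else set()
            rules.append({'conds': pending, 'pattern': parts[1], 'subst': parts[2], 'flags': flags})
            pending = []
    return rules


def cond_matches(test_string, cond_pattern, env):
    """Expand %{VAR} from the server variables and apply the (possibly negated) regex."""
    value = re.sub(r'%\{(\w+)\}', lambda m: env.get(m.group(1), ''), test_string)
    negated = cond_pattern.startswith('!')
    pattern = cond_pattern[1:] if negated else cond_pattern
    return (re.search(pattern, value) is not None) != negated


def apply_rules(rules, env, path):
    """Return (status, target) for the first rule that fires, or None if the request is served as-is.

    env holds server variables such as HTTPS ('on'/'off') and QUERY_STRING; path is the
    per-directory path without the leading slash, as mod_rewrite sees it in .htaccess context.
    status is None for an internal rewrite (no R flag) and the HTTP code for a redirect.
    """
    for rule in rules:
        if not all(cond_matches(t, p, env) for t, p in rule['conds']):
            continue
        match = re.search(rule['pattern'], path, re.IGNORECASE if 'NC' in rule['flags'] else 0)
        if not match:
            continue
        target = re.sub(r'\$(\d)', lambda g: match.group(int(g.group(1))) or '', rule['subst'])
        # mod_rewrite passes the original query string through when the substitution has none.
        if env.get('QUERY_STRING') and '?' not in target:
            target += '?' + env['QUERY_STRING']
        status = None
        for flag in rule['flags']:
            if flag == 'R':
                status = 302                              # a bare R flag is a temporary redirect
            elif flag.startswith('R='):
                status = int(flag[2:])
        # Returning here also covers the L flag: no later rule is consulted.
        return status, target
    return None


if __name__ == '__main__':
    rules = parse_rules(HTACCESS)
    print(apply_rules(rules, {'HTTPS': 'off', 'QUERY_STRING': 'id=7'}, 'shop/cart.php'))
    print(apply_rules(rules, {'HTTPS': 'on', 'QUERY_STRING': ''}, 'shop/cart.php'))
```

A plain-HTTP request for shop/cart.php?id=7 becomes a 301 to https://yoursite.com/shop/cart.php?id=7, while a request that already arrived over HTTPS falls through untouched, so the rule cannot loop. Because the substitution hard-codes yoursite.com, a site that answers on several hostnames usually puts %{HTTP_HOST} in that position instead.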
