Lab 15
Cisco IOS Secure Copy
Lab Objective:
The objective of this lab exercise is for you to learn and understand how to configure the Cisco IOS Secure Copy (SCP) feature on Cisco IOS routers.
Lab Purpose:
The Secure Copy (SCP) feature relies on Secure Shell (SSH) and provides a secure and authenticated method for copying router configuration or router image files.
Lab Difficulty:
This lab has a difficulty rating of 7/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Lab 15 Configuration Tasks
Task 1:
Configure the hostnames and IP addresses on R1 and R2 as illustrated in the network diagram. Configure R2 to send R1 clocking information at a rate of 512 Kbps. Ping between R1 and R2 to verify your configuration and ensure that the two routers have IP connectivity.
Task 2:
Configure R1 as an SCP server as follows:
- Configure a domain name of net
- Use an RSA key size of 1024
- The SSH session should time out after 30 seconds of inactivity
- SSH users can only attempt to log in 2 times
Task 3:
Configure a user with the name admin, a privilege level of 15 and a secret of cisco on R1.
Task 4:
Configure Authentication and Authorization on R1 as follows:
- Authentication for inbound connections should be performed against the local database
- Authorization for EXEC access should be granted based on local user privileges
Task 5:
Save the running configuration of R1 to Flash memory using the file name TEST. In addition to this, configure R1 as a TFTP server so that remote users can download this file.
Task 6:
Securely copy the file TEST from R1 to the Flash memory of R2 and verify your work.
Lab 15 Configuration and Verification
Task 1:
Router(config)#hostname R1
R1(config)#interface serial0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#end
R1#
Router(config)#hostname R2
R2(config)#int serial0/0
R2(config-if)#no shutdown
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#clock rate 512000
R2(config-if)#exit
R2(config)#exit
R2#
R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Task 2:
R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]

R1(config)#ip ssh time-out 30
R1(config)#ip ssh authentication-retries 2
R1(config)#ip scp server enable
R1(config)#exit
R1#
Task 3:
R1(config)#username admin privilege 15 secret cisco
R1(config)#exit
R1#
Task 4:
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local
R1(config)#exit
R1#
Task 5:
R1#copy running-config flash:
Destination filename [r1-confg]? TEST
Erase flash: before copying? [confirm]n
Verifying checksum… OK (0x9A6B)
2746 bytes copied in 10.681 secs (257 bytes/sec)
R1(config)#tftp-server flash:TEST
R1(config)#exit
R1#
R1#show flash:

System flash directory:
File  Length    Name/status
  1   19615064  c2600-advsecurityk9-mz.124-15.T9.bin
  2   1038      home.shtml
  3   2754      sdmconfig-26xx.cfg
  4   112640    home.tar
  5   1505280   common.tar
  6   6389760   sdm.tar
  7   931840    es.tar
  8   2766      TEST
[28567284 bytes used, 4462856 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)
Task 6:
R2#copy scp: flash:
Address or name of remote host []? 10.1.1.1
Source username [R2]? admin
Source filename []? TEST
Destination filename [TEST]?
Erase flash: before copying? [confirm]n
Password:
!
Verifying checksum… OK (0x6C6)
2766 bytes copied in 3.843 secs (720 bytes/sec)
R2#
Lab 15 Configurations
R1 Configuration
R1#show running-config
Building configuration…
Current configuration : 2789 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip domain lookup
ip domain name howtonetwork.net
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 01
  quit
!
!
username admin privilege 15 secret 5 $1$qMaz$S4.GkUbxDSA4iWn7CBQuU.
archive
 log config
  hidekeys
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip scp server enable
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
!
ip forward-protocol nd
!
!
ip http server
ip http secure-server
!
!
tftp-server flash:TEST
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
!
!
end
R2 Configuration
R2#show running-config
Building configuration…
Current configuration : 795 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 512000
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
no ip http secure-server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end
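As an added check that is not part of the original lab, the following Python script audits running-config text for the SCP server prerequisites established in Tasks 2 and 4: AAA enabled with local login authentication and EXEC authorization, the SSH idle time-out and retry limits, and ip scp server enable. The R1 and R2 excerpts are constructed from the configurations shown above; run against R2 it reports why that router, as configured, could not serve files over SCP.

```python
import re

# Constructed excerpts of the R1 and R2 running configurations shown in this lab;
# only the lines that matter for SSH, SCP and AAA are reproduced here.
R1_CONFIG = """\
hostname R1
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip domain name howtonetwork.net
username admin privilege 15 secret 5 $1$qMaz$S4.GkUbxDSA4iWn7CBQuU.
ip ssh time-out 30
ip ssh authentication-retries 2
ip scp server enable
"""
R2_CONFIG = """\
hostname R2
no aaa new-model
ip http server
ip http authentication local
"""

# Commands that must be present for 'copy scp:' against this router to succeed:
# SCP rides on SSH, and IOS refuses the transfer without AAA EXEC authorization.
REQUIRED = {
    "aaa new-model": "AAA is disabled, so the SCP server cannot authorize users",
    "aaa authentication login default local": "no local login authentication for SSH",
    "aaa authorization exec default local": "no EXEC authorization; SCP copies are refused",
    "ip scp server enable": "SCP server is not enabled",
}
# Lab limits for the SSH server: idle time-out in seconds and permitted login attempts.
LIMITS = {"ip ssh time-out": 30, "ip ssh authentication-retries": 2}


def audit_scp_server(config: str) -> list[str]:
    """Return findings for one running-config; an empty list means it meets the
    lab's SCP server requirements (Tasks 2 and 4)."""
    lines = {ln.strip() for ln in config.splitlines()}
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in lines]
    for cmd, wanted in LIMITS.items():
        # IOS prints the configured value as the last token, e.g. 'ip ssh time-out 30'.
        match = next((re.fullmatch(rf"{re.escape(cmd)} (\d+)", ln)
                      for ln in lines if ln.startswith(cmd)), None)
        if match is None:
            findings.append(f"'{cmd}' not set; IOS default applies")
        elif int(match.group(1)) > wanted:
            findings.append(f"'{cmd}' is {match.group(1)}, lab requires at most {wanted}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("R1", R1_CONFIG), ("R2", R2_CONFIG)):
        print(name, audit_scp_server(cfg) or ["OK: SCP server prerequisites met"])
```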