1
00:00:00,900 --> 00:00:06,689
One of the great things about GNS3 is you can have many devices as part of a topology and

2
00:00:06,689 --> 00:00:09,440
you can access the consoles of every device.

3
00:00:09,630 --> 00:00:11,520
So as an example, router

4
00:00:11,520 --> 00:00:17,730
1 and router 2 can be accessed directly through GNS3 on my local PC.

5
00:00:18,330 --> 00:00:24,630
However, in the real world, you're probably going to want to telnet to devices

6
00:00:26,550 --> 00:00:32,759
because you don't want to walk to the device and connect to the console. That's not realistic if the

7
00:00:32,759 --> 00:00:36,450
devices are on the other side of the country or the other side of the world.

8
00:00:37,230 --> 00:00:43,690
So you're going to want to use a protocol such as Telnet to gain access to the remote devices.

9
00:00:44,310 --> 00:00:49,470
Let's assume that router 1 is in one part of the network and router 2 is in a different part of

10
00:00:49,470 --> 00:00:50,040
the network.

11
00:00:51,120 --> 00:00:58,080
In this example, I'll telnet from router 1 to router 2. Let's see what happens by default, so telnet

12
00:00:58,080 --> 00:00:59,070
to 10.1.1.2.

13
00:01:00,650 --> 00:01:08,390
I'm told that a password is required but none is set. In most cases, by default, you cannot telnet to

14
00:01:08,390 --> 00:01:08,860
a router.

15
00:01:09,290 --> 00:01:12,950
You have to do some configuration to allow telnet sessions.

16
00:01:13,610 --> 00:01:24,290
So on router 2, type conf t, then line vty, and specify a VTY range from 0 to a number that depends

17
00:01:24,290 --> 00:01:25,310
on the device.

18
00:01:25,550 --> 00:01:37,040
So on this router, the VTY range is from 0 to 903, which means you could have 904 simultaneous virtual

19
00:01:37,040 --> 00:01:40,780
terminal lines, or VTY lines, on the router.
20
00:01:41,270 --> 00:01:46,010
In other words, 904 sessions could be made to the router

21
00:01:46,040 --> 00:01:53,450
at the same time. You'll often see in documentation that they'll create VTY lines 0 to 4, which

22
00:01:53,450 --> 00:01:55,570
gives you five VTY lines.

23
00:01:56,060 --> 00:01:57,770
That's something from the old days,

24
00:01:57,980 --> 00:02:02,250
but a lot of Cisco devices today support many more VTY lines than that.

25
00:02:03,260 --> 00:02:13,640
So as an example, on this switch, line vty 0: notice there are 1500 VTY lines on this virtual IOSv layer

26
00:02:13,640 --> 00:02:14,270
2 switch,

27
00:02:15,320 --> 00:02:25,730
and if I connect to this physical 3750 and type line vty 0, notice this one has 16 VTY lines.

28
00:02:26,420 --> 00:02:28,410
So that really depends on the device.

29
00:02:28,970 --> 00:02:34,100
This IOSv layer 2 switch has 1001 VTY lines.

30
00:02:34,940 --> 00:02:37,520
I'm going to specify login, and notice

31
00:02:37,520 --> 00:02:41,400
I'm told that login is disabled until a password is set.

32
00:02:42,020 --> 00:02:44,030
So once again, if I telnet to the router,

33
00:02:45,180 --> 00:02:51,990
the telnet session is closed. So on router 2, let's add a password of Cisco and now try and telnet to the

34
00:02:51,990 --> 00:02:52,340
router.

35
00:02:52,860 --> 00:02:55,410
Notice I'm prompted for a password.

36
00:02:56,830 --> 00:03:04,750
Now if I type enable, I'm allowed in because this router has an enable password. But if no enable password

37
00:03:04,750 --> 00:03:12,530
was set (so let's disconnect), if no enable password was set or no secret password was set,
38
00:03:12,970 --> 00:03:20,050
notice what happens: telnet to the router, enter my telnet password, type enable,

39
00:03:21,400 --> 00:03:28,840
and I cannot get to enable mode because no password is configured. You must configure either an enable

40
00:03:28,840 --> 00:03:38,540
password or a secret password, secret being better, to go to enable mode through a telnet or SSH session.

41
00:03:39,170 --> 00:03:43,390
So notice the configuration that we did: show run pipe begin vty.

42
00:03:45,050 --> 00:03:52,900
In this case, we enabled 5 VTY lines, 0 to 4. We're using a password on the line for those 5

43
00:03:52,900 --> 00:03:55,940
VTY lines; the same password is used for all of them.

44
00:03:56,570 --> 00:04:01,910
You could specify different passwords for different VTY lines if you wanted to, but in this example

45
00:04:01,910 --> 00:04:03,410
we'll keep the password the same.

46
00:04:04,130 --> 00:04:11,150
Hence, when I telnet from router 1 to router 2, I need to put in the password on the line,

47
00:04:11,690 --> 00:04:18,019
but to go to enable mode I need to type the enable or secret password. Now again,

48
00:04:19,290 --> 00:04:22,470
on the VTY line, similar to the console,

49
00:04:23,750 --> 00:04:29,960
we could use the option login local, which would use a local username and password database.

50
00:04:32,080 --> 00:04:41,980
Telnet back again. Notice now I'm asked for the username and password of the user, but in this case

51
00:04:42,370 --> 00:04:43,200
it's failing.

52
00:04:44,620 --> 00:04:46,120
So let's see what's going on.

53
00:04:46,330 --> 00:04:48,280
Show run pipe include user.

54
00:04:49,720 --> 00:04:56,500
There's no user account configured, so hence the authentication was failing. So I need to type username,

55
00:04:57,100 --> 00:05:00,470
whatever the username is, and the password of that user.
56
00:05:01,390 --> 00:05:04,390
So now I can log in

57
00:05:05,400 --> 00:05:11,450
and then type enable to go to privilege mode. So once again, what did we do?

58
00:05:11,460 --> 00:05:12,780
We created a user

59
00:05:13,720 --> 00:05:20,350
called David with a relevant password. It's not a good idea to use passwords such as the following; you

60
00:05:20,350 --> 00:05:21,250
should use secret.

61
00:05:22,330 --> 00:05:28,030
So I should have done this: username David secret Cisco.

62
00:05:29,020 --> 00:05:35,950
Now I'm told I cannot have both a user password and a user secret; choose one or the other. So do show

63
00:05:35,950 --> 00:05:37,600
run pipe include user.

64
00:05:39,260 --> 00:05:42,980
Notice the user is still using a password rather than a secret.

65
00:05:44,940 --> 00:05:48,990
So let's say no username David

66
00:05:50,360 --> 00:05:56,690
and recreate it with a secret, and that's allowed now. Notice previously the password was in clear text;

67
00:05:57,380 --> 00:06:00,560
do show run pipe include user.

68
00:06:02,390 --> 00:06:06,040
The username now has an MD5 hash, so it's much more secure.

69
00:06:09,870 --> 00:06:17,280
Notice the difference now, however: when I telnet and put my username in and my password, I still

70
00:06:17,280 --> 00:06:21,690
have to put in my enable password, but that's a secret password,

71
00:06:23,100 --> 00:06:30,780
and what I can do additionally here is specify privilege and give David full privileges

72
00:06:32,090 --> 00:06:39,360
rather than the user having to type the enable password, or secret password in this case. So back on router 1,

73
00:06:39,590 --> 00:06:48,140
telnet to router 2. Username is David, password is Cisco. Notice I'm taken immediately to privilege

74
00:06:48,170 --> 00:06:53,330
mode, whereas previously I had to type enable and then put in the secret password.
75
00:06:54,270 --> 00:07:02,460
Now, the biggest problem with Telnet is it's clear text. So I'll exit back to router 1. Let's start doing

76
00:07:02,460 --> 00:07:03,180
a capture here

77
00:07:05,500 --> 00:07:06,970
and I'll capture the traffic

78
00:07:08,790 --> 00:07:18,030
received on this interface. Remember we created a secret password, so on the router, show run

79
00:07:19,140 --> 00:07:21,630
doesn't show us what that user's password is.

80
00:07:22,950 --> 00:07:31,500
What happens when we telnet, however? So telnet: username is David, password is Cisco, straight to

81
00:07:31,500 --> 00:07:35,160
privilege mode. I'll search for telnet

82
00:07:36,790 --> 00:07:37,670
and let's look

83
00:07:39,280 --> 00:07:40,480
through the packets first.

84
00:07:42,020 --> 00:07:42,680
So,

85
00:07:43,660 --> 00:07:48,760
scrolling along, there's D A V I D,

86
00:07:50,200 --> 00:07:54,030
asking for a password, now C I S C O.

87
00:07:55,240 --> 00:07:59,380
We've just captured the user's password. If we follow the TCP stream,

88
00:08:01,210 --> 00:08:03,630
I'll just copy that into Notepad so you can see it clearly,

89
00:08:06,910 --> 00:08:14,500
but what you're seeing here is the TCP stream showing the username and the password, so the password

90
00:08:14,500 --> 00:08:15,550
is shown in clear text.

91
00:08:17,390 --> 00:08:25,190
Telnet allows you to capture passwords and other data off the wire, so it's not a great idea to use

92
00:08:25,190 --> 00:08:25,670
telnet.

93
00:08:26,420 --> 00:08:29,930
You may think it's good to use a secret password, but be careful.

94
00:08:30,440 --> 00:08:36,350
The secret password is hashed on the router, but when the data is sent across the wire, it's in clear

95
00:08:36,350 --> 00:08:39,200
text, so a hacker can capture the password.

96
00:08:39,679 --> 00:08:42,530
So you should be using SSH rather than telnet.
97
00:08:43,820 --> 00:08:49,400
Before showing SSH, one last thing on Telnet: you can

98
00:08:51,040 --> 00:08:58,120
also set an exec-timeout on your telnet sessions so that they get disconnected if there's no activity

99
00:08:58,120 --> 00:08:59,230
for a period of time.

100
00:08:59,710 --> 00:09:04,570
In this example, after 5 minutes, the telnet session would be disconnected,

101
00:09:05,440 --> 00:09:08,050
but you could specify another value if you wanted to.