WEBVTT 0:00:03.200000 --> 0:00:06.680000 Welcome to this video in which we're going to be starting our talk about 0:00:06.680000 --> 0:00:11.780000 Cisco IOS and then moving forward from here using Cisco IOS on vast majority 0:00:11.780000 --> 0:00:17.300000 of our tasks and power points with securing IOS remote access. 0:00:17.300000 --> 0:00:21.160000 Now as a precursor because this is part of the CCNA bootcamp which is 0:00:21.160000 --> 0:00:24.420000 at the end of the learning path for CCNA, I'm assuming you've already 0:00:24.420000 --> 0:00:27.940000 gone through the basics of Cisco IOS command line. 0:00:27.940000 --> 0:00:31.340000 So we already know what the difference is between exec and privilege exec, 0:00:31.340000 --> 0:00:35.280000 between configuration terminal and global config and you know how to move 0:00:35.280000 --> 0:00:40.420000 backwards and forward in the basics of IOS, how to break out of config 0:00:40.420000 --> 0:00:44.260000 mode back into privilege exec mode, some of the basic commands like show 0:00:44.260000 --> 0:00:48.660000 run, show version, show IP interface brief, you've got all that down. 0:00:48.660000 --> 0:00:53.180000 So let's just go a little bit deeper into that now with securing IOS remote 0:00:53.180000 --> 0:00:57.680000 access. So what we're talking about here is how do I secure my Cisco IOS 0:00:57.680000 --> 0:01:03.900000 devices so that only legitimate authorized network admins can get into 0:01:03.900000 --> 0:01:08.800000 the command line, look around and configure and change things. 0:01:08.800000 --> 0:01:13.840000 All right, so let's start by securing the enable password. 0:01:13.840000 --> 0:01:18.900000 So we know that on Cisco devices without an enable password, without an 0:01:18.900000 --> 0:01:23.140000 enable secret, basically the moment somebody gets in, for example, let's 0:01:23.140000 --> 0:01:24.520000 just take a look. 
0:01:24.520000 --> 0:01:34.220000 So if I did not have it secured and I went into my device, for example 0:01:34.220000 --> 0:01:41.360000 router one, okay, so here I am, if there was no security here, so this 0:01:41.360000 --> 0:01:46.720000 is at exec mode right now, I could just type enable and then bam, I'm 0:01:46.720000 --> 0:01:51.160000 in. So now I am at privilege exec level and privilege exec level is what 0:01:51.160000 --> 0:01:53.880000 we call privilege level 15. 0:01:53.880000 --> 0:01:58.140000 And at privilege level 15, because remember in Cisco IOS, different commands 0:01:58.140000 --> 0:02:00.120000 are at different privilege levels. 0:02:00.120000 --> 0:02:04.240000 And by default, if you don't move things around, if you don't change things, 0:02:04.240000 --> 0:02:08.980000 privilege level 15 is where you have full access to everything. 0:02:08.980000 --> 0:02:13.560000 And once you are in privilege exec mode, which is called enable mode by 0:02:13.560000 --> 0:02:20.180000 a lot of people, you can do enable privilege level 15, which means you 0:02:20.180000 --> 0:02:20.720000 can do anything. 0:02:20.720000 --> 0:02:23.980000 You can type whatever show command you want. 0:02:23.980000 --> 0:02:27.860000 You can get into configuration mode and start configuring the box. 0:02:27.860000 --> 0:02:30.840000 Of course, you have to learn how to type on your T keyboard, which I clearly 0:02:30.840000 --> 0:02:32.340000 don't know how to do. 0:02:32.340000 --> 0:02:35.080000 And you can start messing around with it. 0:02:35.080000 --> 0:02:39.860000 So the first logical place is that we want to make sure that when people 0:02:39.860000 --> 0:02:45.720000 are right here, that they cannot get into privileged exec level without 0:02:45.720000 --> 0:02:51.400000 a password. So historically speaking, the old way of doing that was the 0:02:51.400000 --> 0:02:54.440000 enable password and then type a password. 
0:02:54.440000 --> 0:02:58.300000 But then we now use the enable secret, which encrypts the password so 0:02:58.300000 --> 0:03:01.000000 that people can't read the password. 0:03:01.000000 --> 0:03:08.540000 So just to demonstrate that. 0:03:08.540000 --> 0:03:15.040000 So config T. So if I type an enable password of let's say Cisco, it does 0:03:15.040000 --> 0:03:18.660000 the job. So now someone's trying to get in. 0:03:18.660000 --> 0:03:22.160000 They can't unless they know the password of Cisco to get in. 0:03:22.160000 --> 0:03:25.440000 The problem with that was if somebody looked at your show running config, 0:03:25.440000 --> 0:03:28.720000 there it is in plain text for everybody to see. 0:03:28.720000 --> 0:03:30.860000 We don't want that. 0:03:30.860000 --> 0:03:33.820000 So no enable password Cisco. 0:03:33.820000 --> 0:03:36.460000 The better way to do it was enable secret. 0:03:36.460000 --> 0:03:38.600000 Enable secret Cisco. 0:03:38.600000 --> 0:03:40.560000 We can use the exact same password. 0:03:40.560000 --> 0:03:42.740000 It does the exact same thing. 0:03:42.740000 --> 0:03:44.080000 Now someone's trying to get in. 0:03:44.080000 --> 0:03:46.240000 They still need to know that password of Cisco. 0:03:46.240000 --> 0:03:48.760000 And by the way, it is case sensitive. 0:03:48.760000 --> 0:03:51.200000 So make sure if you're using uppercase and lowercase stuff, you remember 0:03:51.200000 --> 0:03:53.140000 that. But here's the difference. 0:03:53.140000 --> 0:03:57.200000 Now, if I look at my running config, you can't tell what my password was 0:03:57.200000 --> 0:04:01.560000 because it's been hashed into an MD5 digest. 0:04:01.560000 --> 0:04:06.220000 So it's much better to use the enable secret instead of the enable password. 
0:04:06.220000 --> 0:04:11.560000 Also, if someone has physical access to your console port, we probably 0:04:11.560000 --> 0:04:16.360000 want to password protect that as well by putting in a console password 0:04:16.360000 --> 0:04:18.960000 on line console zero. 0:04:18.960000 --> 0:04:26.180000 Okay. So that if someone has physical access to your box and or remote 0:04:26.180000 --> 0:04:31.200000 access to your box, that's the very basic starting point of protecting 0:04:31.200000 --> 0:04:34.920000 it with an enable secret and a console password. 0:04:34.920000 --> 0:04:41.140000 Now, by default, Cisco routers and switches, just because you put an IP 0:04:41.140000 --> 0:04:46.700000 address on them are not automatically enabled for remote access. 0:04:46.700000 --> 0:04:51.560000 So whether I've got an IP address on my box or not, by default, the only 0:04:51.560000 --> 0:04:56.540000 way I can configure it is if I have physical access to the console port. 0:04:56.540000 --> 0:04:57.740000 Well, that's all well and good. 0:04:57.740000 --> 0:05:00.920000 If I'm right there in front of the router switch in the rack in front 0:05:00.920000 --> 0:05:04.320000 of me, but most likely, you're going to want to be able to either 0:05:04.320000 --> 0:05:08.060000 telnet or SSH into that box because you're not going to be there. 0:05:08.060000 --> 0:05:09.500000 Right. You're going to be sitting at your desk. 0:05:09.500000 --> 0:05:11.900000 You're going to be sitting at your home office and you're going to want 0:05:11.900000 --> 0:05:13.700000 to get remote access to it. 0:05:13.700000 --> 0:05:14.720000 So how do we do that? 0:05:14.720000 --> 0:05:19.320000 Well, one way you can do it is by using telnet. 
0:05:19.320000 --> 0:05:23.920000 Now with telnet, basically telnet, the idea behind telnet is you can type 0:05:23.920000 --> 0:05:29.280000 in your commands, but it's wrapped inside of an IP packet, which is wrapped 0:05:29.280000 --> 0:05:32.860000 inside of, you know, TCP, which uses the telnet protocol to send your 0:05:32.860000 --> 0:05:37.440000 commands. Downside to telnet is everything is sent like it says in clear 0:05:37.440000 --> 0:05:41.720000 text. So if there's somebody sniffing packets between the two of you, 0:05:41.720000 --> 0:05:43.720000 they can see everything you're typing. 0:05:43.720000 --> 0:05:46.920000 They can see everything that router switch is sending back to you as a 0:05:46.920000 --> 0:05:48.880000 result of the command you're typing. 0:05:48.880000 --> 0:05:50.480000 So it's not secure. 0:05:50.480000 --> 0:05:55.240000 So it's better to use something called secure shell, which like telnet 0:05:55.240000 --> 0:05:58.680000 allows you to send commands back and forth between the router switch and 0:05:58.680000 --> 0:06:00.300000 yourself. But here's the big difference. 0:06:00.300000 --> 0:06:02.180000 Everything is encrypted. 0:06:02.180000 --> 0:06:05.700000 So somebody was in the middle and capturing everything. 0:06:05.700000 --> 0:06:08.380000 It wouldn't do them any good because they wouldn't be able to tell what 0:06:08.380000 --> 0:06:09.740000 it is that you're sending. 0:06:09.740000 --> 0:06:11.120000 It's all encrypted. 0:06:11.120000 --> 0:06:13.580000 All right. So let's start with telnet. 0:06:13.580000 --> 0:06:16.780000 How do we enable it for telnet if I want to do that? 0:06:16.780000 --> 0:06:18.940000 If telnet is perfectly fine with me. 0:06:18.940000 --> 0:06:23.040000 All right. So step number one, we're going to go to what's called a logical 0:06:23.040000 --> 0:06:26.660000 interface called a virtual teletype interface. 0:06:26.660000 --> 0:06:28.920000 That's what VTY stands for. 
0:06:28.920000 --> 0:06:34.420000 And in Cisco devices, typically they have at minimum five of these logical 0:06:34.420000 --> 0:06:37.620000 interfaces, 0, 1, 2, 3 and 4. 0:06:37.620000 --> 0:06:39.140000 So that's five interfaces. 0:06:39.140000 --> 0:06:41.960000 So we can configure them all simultaneously. 0:06:41.960000 --> 0:06:44.680000 We're going to give them all a password. 0:06:44.680000 --> 0:06:46.640000 And then we're going to say login. 0:06:46.640000 --> 0:06:48.820000 Now, a lot of times you don't have to type login because it's already 0:06:48.820000 --> 0:06:49.840000 there by default. 0:06:49.840000 --> 0:06:54.620000 Let's take a look and see if that's true on our devices. 0:06:54.620000 --> 0:07:00.200000 All right. So I'm going to say that we can configure anything. 0:07:00.200000 --> 0:07:06.000000 All right. Let me take a step back here for a second. 0:07:06.000000 --> 0:07:12.580000 Both telnet and SSH are protocols by which I can send IP packets to my 0:07:12.580000 --> 0:07:14.920000 router, to my switch. 0:07:14.920000 --> 0:07:19.340000 And then if that router or switch is configured for IP and is configured 0:07:19.340000 --> 0:07:24.700000 to recognize and process telnet and SSH, it can respond to me. 0:07:24.700000 --> 0:07:28.980000 In this case, I don't have any IP on these guys at all. 0:07:28.980000 --> 0:07:33.080000 So I could go to my VTY lines, which are down here at the bottom. 0:07:33.080000 --> 0:07:38.300000 All right. VTY lines. 0:07:38.300000 --> 0:07:43.460000 And right now it's saying, okay, I am allowing telnet and SSH, but without 0:07:43.460000 --> 0:07:48.400000 any IP address, without any passwords, I'm dead in the water. 0:07:48.400000 --> 0:07:52.360000 So it doesn't really matter what your VTY line is configured for if you 0:07:52.360000 --> 0:07:54.020000 don't have any IP addresses. 0:07:54.020000 --> 0:07:56.840000 Show IP interface brief. 
0:07:56.840000 --> 0:08:01.640000 At a minimum, you have to have some interface that's got an IP address 0:08:01.640000 --> 0:08:05.180000 on it that is in the up up state. 0:08:05.180000 --> 0:08:09.140000 Got to start there before you even do the stuff that we're showing you 0:08:09.140000 --> 0:08:13.760000 here on your VTY line. 0:08:13.760000 --> 0:08:18.100000 But once your IP address is on an interface, once that interface is active, 0:08:18.100000 --> 0:08:23.080000 once you can ping it from wherever you happen to be, now you can console 0:08:23.080000 --> 0:08:27.440000 into that device and complete your configuration by doing this. 0:08:27.440000 --> 0:08:31.400000 So go on to the VTY line, and there's a couple of ways you can do this. 0:08:31.400000 --> 0:08:36.780000 Now, this method right here is saying, okay, I'm going to give the exact 0:08:36.780000 --> 0:08:40.760000 same static password to all of my network administrators. 0:08:40.760000 --> 0:08:45.400000 So whether I have two network admins or 20 network admins, I'm going to 0:08:45.400000 --> 0:08:49.200000 tell them all that the password is Cisco. 0:08:49.200000 --> 0:08:53.500000 So they just have to implement the telnet command on their application, 0:08:53.500000 --> 0:08:57.680000 tell them about the IP address on my box, and then it'll prompt them for 0:08:57.680000 --> 0:09:03.540000 a password. And that password will be a Cisco and they'll be in. 0:09:03.540000 --> 0:09:06.860000 Another alternative is you could say, hey, I want to assign each of my 0:09:06.860000 --> 0:09:12.300000 network admins their own unique username and password. 0:09:12.300000 --> 0:09:13.580000 So they're all different. 0:09:13.580000 --> 0:09:18.700000 So at that point, you would go to global configuration level, and you 0:09:18.700000 --> 0:09:27.120000 could say username, maybe Bob and maybe privilege 15 password. 0:09:27.120000 --> 0:09:31.140000 How about Bob 123. 
0:09:31.140000 --> 0:09:36.580000 And then we go on to our VTY lines again, which brings us down here to 0:09:36.580000 --> 0:09:42.040000 config line, and instead of saying login, we say login local. 0:09:42.040000 --> 0:09:43.880000 What's the difference? 0:09:43.880000 --> 0:09:49.640000 Well, under your VTY line, when you say login, that tells the Cisco IOS 0:09:49.640000 --> 0:09:56.280000 device to expect the password to be under the VTY line to be right there. 0:09:56.280000 --> 0:10:02.380000 When you say login local, that tells the router or switch, hey, the username 0:10:02.380000 --> 0:10:07.920000 and password is configured globally as a username password statement. 0:10:07.920000 --> 0:10:11.260000 Look elsewhere for the credentials. 0:10:11.260000 --> 0:10:16.460000 So that's the basics of configuring telnet access. 0:10:16.460000 --> 0:10:22.920000 So once again, just to review, I need to go on to my device and at a minimum. 0:10:22.920000 --> 0:10:25.840000 I guess I need to get out of here. 0:10:25.840000 --> 0:10:34.020000 I need to go into some interface like gigabit 0/0 put in some IP address. 0:10:34.020000 --> 0:10:36.960000 And subnet mask. 0:10:36.960000 --> 0:10:39.400000 Make sure the interface is up. 0:10:39.400000 --> 0:10:46.860000 Then I can either type line VTY zero, you know, four and say password, 0:10:46.860000 --> 0:10:50.900000 put in my password login. 0:10:50.900000 --> 0:10:54.860000 And now everybody that logs in via telnet, they're going to have the exact 0:10:54.860000 --> 0:11:01.620000 same password, Cisco, or no password Cisco. 0:11:01.620000 --> 0:11:06.140000 Instead, I could put in a username. 0:11:06.140000 --> 0:11:09.820000 You know, admin one. 0:11:09.820000 --> 0:11:13.560000 Privilege 15. Now, what's the privilege 15 do? 
0:11:13.560000 --> 0:11:21.360000 If I leave off privilege 15, if I said instead username admin one password 0:11:21.360000 --> 0:11:26.760000 Cisco, what that would do is when somebody tried to telnet in, they 0:11:26.760000 --> 0:11:31.160000 would get a username prompt and they would type admin one, they would 0:11:31.160000 --> 0:11:33.080000 get a password prompt. 0:11:33.080000 --> 0:11:37.840000 They would type Cisco and that would put them at the exec level. 0:11:37.840000 --> 0:11:42.180000 That would put them right here. 0:11:42.180000 --> 0:11:47.600000 Now they would still have to type enable type in the enable password to 0:11:47.600000 --> 0:11:49.380000 get into privilege exec level. 0:11:49.380000 --> 0:11:58.700000 However, if I do it this way, username admin two privilege 15. 0:11:58.700000 --> 0:12:03.120000 And now I say password, whatever it is, Cisco. 0:12:03.120000 --> 0:12:08.580000 Now, if somebody logs in and they type admin two and Cisco is a password, 0:12:08.580000 --> 0:12:13.800000 they will immediately be put into privilege exec level. 0:12:13.800000 --> 0:12:15.620000 They will not have to type enable. 0:12:15.620000 --> 0:12:17.740000 They will not have to type the enable password. 0:12:17.740000 --> 0:12:22.820000 They are automatically granted privilege level 15 access. 0:12:22.820000 --> 0:12:27.540000 That's the difference of what will happen if you include privilege 15 0:12:27.540000 --> 0:12:32.600000 versus if you don't include privilege 15. 0:12:32.600000 --> 0:12:36.400000 Now, like I said, you probably don't want to enable telnet access because 0:12:36.400000 --> 0:12:38.080000 telnet is not encrypted. 0:12:38.080000 --> 0:12:39.420000 It's not secure. 0:12:39.420000 --> 0:12:45.160000 So we probably want to give our users SSH access instead, which is secure. 
0:12:45.160000 --> 0:12:49.160000 Now, in order to configure SSH in our device, we need, once again, we 0:12:49.160000 --> 0:12:52.000000 still need an IP address on a functional interface. 0:12:52.000000 --> 0:12:55.520000 That's our basic prerequisite, but we need a few additional things. 0:12:55.520000 --> 0:12:59.140000 If your device does not already have a host name, you'll want to give 0:12:59.140000 --> 0:13:02.900000 it a host name. You'll want to give it a domain name and you can just 0:13:02.900000 --> 0:13:04.080000 make up the domain name. 0:13:04.080000 --> 0:13:07.440000 If you don't have a real domain name like Cisco.com, I need that. 0:13:07.440000 --> 0:13:09.320000 You could say my router.com. 0:13:09.320000 --> 0:13:13.800000 It just needs that and that needs to have a cryptographic key because 0:13:13.800000 --> 0:13:16.920000 remember SSH is doing everything encrypted. 0:13:16.920000 --> 0:13:18.540000 Everything you're sending is being encrypted. 0:13:18.540000 --> 0:13:22.200000 So both sides need a key to do that. 0:13:22.200000 --> 0:13:26.280000 So how do we actually accomplish this? 0:13:26.280000 --> 0:13:32.500000 Here we go. Host name, my router, IP domain name, you know, I need.com. 0:13:32.500000 --> 0:13:37.540000 And then for your key, the absolute most basic fundamental way to create 0:13:37.540000 --> 0:13:42.120000 the key is crypto key generate RSA. 0:13:42.120000 --> 0:13:45.760000 And that will generate an RSA key for you. 0:13:45.760000 --> 0:13:51.480000 Now, one thing to be familiar with is that when you do crypto key generate 0:13:51.480000 --> 0:13:55.680000 RSA, let's go ahead and do that real quick so you can see what that looks 0:13:55.680000 --> 0:14:03.920000 like. All right, so host name, let's just say R1. 0:14:03.920000 --> 0:14:09.520000 Domain, let's say, I need.com. 0:14:09.520000 --> 0:14:19.980000 Okay, and now we'll say crypto key generate RSA. 0:14:19.980000 --> 0:14:21.480000 Oh, okay, I guess it ended. 
0:14:21.480000 --> 0:14:23.860000 So I did domain wrong. 0:14:23.860000 --> 0:14:25.800000 So you don't do domain. 0:14:25.800000 --> 0:14:29.980000 So no domain, that's something else. 0:14:29.980000 --> 0:14:31.260000 That's not creating a domain name. 0:14:31.260000 --> 0:14:38.240000 You'll say IP domain dash name. 0:14:38.240000 --> 0:14:40.040000 Now we can do I need.com. 0:14:40.040000 --> 0:14:41.720000 That's the correct way to do it. 0:14:41.720000 --> 0:14:45.640000 And notice it wouldn't even allow me to create the crypto key unless I 0:14:45.640000 --> 0:14:47.660000 had a domain name first. 0:14:47.660000 --> 0:14:51.040000 Now I can redo that command. 0:14:51.040000 --> 0:14:55.700000 Now, notice it's saying by default, it's going to give me a crypto key 0:14:55.700000 --> 0:15:01.800000 that is 512 bytes long or actually 512 bits long. 0:15:01.800000 --> 0:15:06.680000 A lot of times there's some protocols and things and like SSH and certain 0:15:06.680000 --> 0:15:09.440000 versions of SSH that won't work correctly. 0:15:09.440000 --> 0:15:14.140000 If your key is that small, so you really should create a key of at least 0:15:14.140000 --> 0:15:20.460000 1024 bits for all the versions of SSH to work. 0:15:20.460000 --> 0:15:26.240000 And you can see it was very, very fast and it created that key. 0:15:26.240000 --> 0:15:34.480000 So as a best practice, when you do crypto key generate RSA, don't let 0:15:34.480000 --> 0:15:36.100000 it just default to 512. 0:15:36.100000 --> 0:15:41.060000 You want to increase that to 1024 at an absolute minimum. 0:15:41.060000 --> 0:15:44.900000 And then lastly, we want to configure our VTY lines for password usage 0:15:44.900000 --> 0:15:48.980000 like before. So I already created. 0:15:48.980000 --> 0:15:53.160000 Oops, show run. 0:15:53.160000 --> 0:15:55.620000 So I already created in here. 0:15:55.620000 --> 0:16:00.560000 My username and password statements. 
0:16:00.560000 --> 0:16:09.260000 So I still want to go to line VTY 0 4 and say login local. 0:16:09.260000 --> 0:16:15.680000 Okay, so I still want to do that so that it will use that username and 0:16:15.680000 --> 0:16:23.600000 password I've configured previously. 0:16:23.600000 --> 0:16:28.320000 And then lastly, we want to go on to our VTY line. 0:16:28.320000 --> 0:16:32.680000 And we want to tell it don't do 0:16:32.680000 --> 0:16:38.160000 telnet, just do SSH and that's what that transport input command says 0:16:38.160000 --> 0:16:48.740000 transport input says, Hey, this is what I'm allowing as remote access. 0:16:48.740000 --> 0:16:53.760000 Notice that by default, well, not necessarily by default, but if we look 0:16:53.760000 --> 0:16:55.880000 under our VTY lines. 0:16:55.880000 --> 0:17:01.740000 We can see here, it says transport input telnet SSH. 0:17:01.740000 --> 0:17:08.060000 That means that, okay, both SSH and telnet are allowed to come in here. 0:17:08.060000 --> 0:17:16.060000 Or you could say line VTY 0 4, you could say transport input all, which 0:17:16.060000 --> 0:17:17.200000 allows everything. 0:17:17.200000 --> 0:17:23.700000 But to be the most secure, we want to say transport input SSH, which excludes 0:17:23.700000 --> 0:17:31.620000 telnet. Now, one other thing I want to mention here, which doesn't really 0:17:31.620000 --> 0:17:36.780000 have anything to do with remote access methods per se, but it does have 0:17:36.780000 --> 0:17:39.200000 to do with a lab task. 0:17:39.200000 --> 0:17:43.620000 Should you choose to do it that applies some of these concepts, which 0:17:43.620000 --> 0:17:48.180000 is about saving and reverting your configs. 0:17:48.180000 --> 0:17:51.540000 A lot of times when people are first learning about IOS, they learn that, 0:17:51.540000 --> 0:17:57.580000 Oh, to save my config, I simply do copy running dash config startup dash 0:17:57.580000 --> 0:18:02.640000 config. 
Or simpler way is just doing copy run start, or even simpler than 0:18:02.640000 --> 0:18:06.020000 that, write mem, or just WR. 0:18:06.020000 --> 0:18:08.780000 They all do the exact same thing. 0:18:08.780000 --> 0:18:17.880000 If I go into my device, whether I do copy running config to startup config, 0:18:17.880000 --> 0:18:22.860000 that does the exact same thing as just WR. 0:18:22.860000 --> 0:18:26.700000 It takes your running config and saves it to your startup config. 0:18:26.700000 --> 0:18:29.160000 Well, you can certainly do that and you should do that. 0:18:29.160000 --> 0:18:33.460000 But sometimes, especially in lab environments when you're playing around, 0:18:33.460000 --> 0:18:39.200000 you might want to have multiple copies of your config saved. 0:18:39.200000 --> 0:18:43.840000 Like maybe I'm doing a BGP lab and everything I've got right now is applicable 0:18:43.840000 --> 0:18:49.100000 to the BGP lab. So I want to save that as a BGP config. 0:18:49.100000 --> 0:18:54.860000 And then I want to create another config for maybe a telnet lab. 0:18:54.860000 --> 0:18:57.760000 And I want to save that as a different name. 0:18:57.760000 --> 0:18:59.960000 Well, how do you do that? 0:18:59.960000 --> 0:19:04.440000 Well, here you can see, you can say copy running dash config and instead 0:19:04.440000 --> 0:19:07.880000 of saving it to NVRAM as your startup config, you can see, you can 0:19:07.880000 --> 0:19:12.400000 save it to flash memory and save it as a different name, like Keith dash 0:19:12.400000 --> 0:19:16.800000 config. I could do that right here. 0:19:16.800000 --> 0:19:23.600000 I could say copy my running config to flash colon. 0:19:23.600000 --> 0:19:28.720000 Why don't we call it telnet lab. 0:19:28.720000 --> 0:19:31.100000 And it'll say, okay, is this what you want to call it? 0:19:31.100000 --> 0:19:34.700000 Telnet lab, I'll hit enter for yes. 0:19:34.700000 --> 0:19:38.140000 And now it is stored in flash memory as that. 
0:19:38.140000 --> 0:19:42.360000 And I can view that by saying directory flash colon. 0:19:42.360000 --> 0:19:48.600000 And you can see that here we have a lot of different configs pre saved 0:19:48.600000 --> 0:19:53.060000 for various different labs that you can use. 0:19:53.060000 --> 0:19:56.860000 Now the next logical question is, okay, after I've saved this config, 0:19:56.860000 --> 0:20:01.620000 if I want to come back in the future, how do I load that config back? 0:20:01.620000 --> 0:20:07.720000 The way you accomplish that is with the config replace command. 0:20:07.720000 --> 0:20:11.900000 So notice at privileged exec level or enable mode, you can say config 0:20:11.900000 --> 0:20:14.260000 replace flash colon. 0:20:14.260000 --> 0:20:16.360000 So this is where is the config stored? 0:20:16.360000 --> 0:20:18.860000 Is it NVRAM colon, flash colon? 0:20:18.860000 --> 0:20:22.680000 Maybe TFTP colon if it's stored on a remote TFTP server. 0:20:22.680000 --> 0:20:25.040000 And then you give it the name of the config. 0:20:25.040000 --> 0:20:29.460000 Now what config replace does is just like it sounds. 0:20:29.460000 --> 0:20:35.900000 It completely swaps or replaces your current running config with a config 0:20:35.900000 --> 0:20:37.320000 that you're specifying. 0:20:37.320000 --> 0:20:41.080000 So like in this case, you'll say, are you sure you wish to proceed? 0:20:41.080000 --> 0:20:44.360000 Because it's going to completely overwrite everything in your current 0:20:44.360000 --> 0:20:48.740000 config. All your IP addresses everything with the config that you're replacing 0:20:48.740000 --> 0:20:53.760000 it with. So if you say yes, it will actually swap it out. 0:20:53.760000 --> 0:20:58.720000 And in most of our lab tasks, that's what we are going to ask you to do. 0:20:58.720000 --> 0:21:03.080000 We're going to ask you to load or use the config replace command to replace 0:21:03.080000 --> 0:21:07.620000 a config. 
So for example, if I want to load this config called ACL dash 0:21:07.620000 --> 0:21:15.700000 lab, I would just say config replace flash colon ACL dash lab. 0:21:15.700000 --> 0:21:19.360000 It says, are you sure you want to do it? 0:21:19.360000 --> 0:21:21.740000 I would say Y for yes. 0:21:21.740000 --> 0:21:28.240000 And now it loads the config. 0:21:28.240000 --> 0:21:33.560000 And now if we issue the show run command, we can see that everything's 0:21:33.560000 --> 0:21:39.440000 different. I've got some IP addresses in there that I didn't have before. 0:21:39.440000 --> 0:21:44.560000 I have some routing protocols in there that I didn't have before OSPF. 0:21:44.560000 --> 0:21:48.540000 And so that's how you load a pre saved config. 0:21:48.540000 --> 0:21:53.920000 And that concludes this section on Cisco IOS. 0:21:53.920000 --> 0:21:56.440000 Configuring basic remote access.