Packet Tracer Labs

Lab 10: Securing Remote Access with SSH

Telnet sends passwords in plain text — professionals use SSH. Generate RSA keys, create a local user, restrict the VTY lines to SSH-only, then log in encrypted from a PC. Difficulty: Beginner+ · Time: ~25 min.

Lab objectives

  • Set hostname and domain name (needed for keys)
  • Generate RSA keys and enable SSH v2
  • Create a local user and force SSH-only VTY login
  • Connect via SSH from a PC

Topology & addressing

1× router/switch with management IP 192.168.1.1, 1× PC (192.168.1.10) on the same network.

Step-by-step configuration

hostname R1
ip domain-name attila.local
Identity — required before key generation
crypto key generate rsa → modulus 1024 (or 2048)
ip ssh version 2
Create the encryption keys, force SSHv2
username admin secret cisco123Local login account
line vty 0 4
login local
transport input ssh
VTY uses local users, SSH only — Telnet refused

Verification

From the PC: ssh -l admin 192.168.1.1 → password → you're in, encrypted. Try telnet 192.168.1.1refused, exactly as intended. show ip ssh confirms version 2.

Next lab: labs hub · test yourself: CCNA practice test.

Frequently asked questions

Why is a domain name required for SSH?

RSA keys are generated using the device's fully qualified name (hostname + domain), so both must be set first.

What does transport input ssh do?

It restricts the VTY lines to SSH connections only, refusing insecure Telnet.

Why prefer SSH over Telnet?

Telnet transmits everything — including passwords — in plain text; SSH encrypts the entire session.

VS
Vipul Sir — Lead Instructor, Attila Technologies20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.

Want hands-on training?

Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.

Start your networking career with Attila Technologies

Hands-on Cisco training, real lab devices and placement support in Ahmedabad.