Handy tools on Cisco routers: SSH, Syslog, Terminal Monitor

SSH, Syslog and Terminal Monitor (term mon) on a Cisco router

Share This Post

If you want to manage many network devices, you simply can’t afford to do it locally. You can’t physically go to one of your devices to check its status, you need to control it remotely. In our application layer article, we discovered we can control a device with Telnet and SSH. Telnet, however, is not secure: it sends everything in clear text, including passwords! For this reason, we might want to use a secure alternative: SSH. Nonetheless, managing a device remotely requires you to add a few more commands to have the same experience as on-site. This is what we are going to achieve with Syslog and terminal monitor.

The best way to learn is to always practice. Therefore, we prepared a Packet Tracer lab that you can download for free using the link below.

Get this lab! Practice what you learn and gain experience with our networking labs and demos - download now

Once you downloaded the lab, just open it with Cisco Packet Tracer. Then, try the commands you see in the article on the devices. You will soon become a master of SSH, Syslog, and Terminal monitor.

SSH, Syslog, and Terminal Monitor Lab Intro

The Topology

For this Packet Tracer lab, we kept the topology extremely flat. As you can see from the image below, we have just a switch connecting a laptop, a server, and a router. The light-blue cable on the left is just a console cable.

Learn how to configure SSH access on a Cisco router using Cisco Packet Tracer
Topology for this lab

Everything is placed in the same network, VLAN 1. We all know that this is not best practice, but it will enable smoother progress of our lab. Everything has a static address in the 192.168.1.0/24 network: the laptop is .10, the server .11 and the router .1.

The Requirements

A simple topology comes with simple requirements. The first thing we want to do is to enable SSH authentication on VTY lines and remove anything else. Then, we want to connect using SSH and see system messages in real-time (this is Terminal monitor). Finally, we want to send all the logs to the server so that they can be stored and read later.

This will see us using the console cable for the first part of the lab, to enable SSH access. After that, we will connect using SSH and continue the configuration from there.

Configuring SSH

A brief explanation

SSH stands for Secure Shell, and it is a protocol that exchanges text between devices. Its major goal is to allow the usage of terminal devices (without graphical interface) remotely. You send some text to the device, and the device sends some text back to you. Unlike Telnet, which sends the characters as you type, SSH encrypts them before sending them out. The device on the other side will decrypt them, and only then process them.

The user experience doesn’t change from Telnet, but security changes. This encryption-decryption process involves some kind of trust between your PC and the remote device. We built this with RSA keys, which are long strings of random-looking text. Each device has a pair of keys, a private and a public one. The private key is used to encrypt data, the public key to decrypt them. Only the public key associated with a private key can decrypt its messages. As a result, if you use the public key of your remote device to decrypt its traffic, you know it was the one encrypting it. For the purpose of this article, you just need to know that you need to create those keys on the router.

Now that you have the fundamentals of encryption, we can start with the configuration!

The Console Cable in Packet Tracer

If you are following the CCNA course, this is the first time you will be using the console cable. It is extremely easy: you just need to open the Laptop and go to the desktop tab. From there, select Terminal.

Select Terminal in Cisco Packet Tracer to use the console cable, later we will use SSH
Select Terminal from here.

A window will pop-up with several pre-compiled parameters. You can leave everything as is and click on “OK”. It will open a white terminal where you can control the router, just like we did in the previous labs.

Enabling SSH

To activate the Secure Shell, we first need to create the RSA keys. The algorithm that creates them starts from the hostname and the domain name, so we need to define both first. Since the host-name is already defined, we can go straight to the domain name. To do that, we can use the ip domain-name configuration command. For this lab, we are going to use “company.local”.

Now, we can generate the keys by using crypto key generate rsa command. As a first question, this command will ask us to provide the modulus size. By default, it is going to use 512 which is quite secure. However, we want even more security, so we will specify 1024. Note that this is mandatory for your scoring. Here’s a recap of the commands discovered until now.

ip domain-name company.local
crypto key generate rsa

Now, we can do a little more fine-tuning. First, we want to turn on SSH version 2, which is better. After that, we want to create a local admin user with a password of “ictshore” and set also the enable secret to “ictshore”.

ip ssh version 2
username admin privilege 15 secret ictshore
enable secret ictshore

At this point, we just need to activate SSH on the VTY lines and tell them to authenticate against the local database. Nothing easier, we just need to modify the transport input and the login method.

line vty 0 15
 transport input ssh
 login local

Here we go. Now SSH is active!

Access a device with SSH

Accessing a device with SSH is a little bit different from Telnet. With telnet, we only need to write telnet and the IP address of the target device. With SSH, instead, we need to type ssh -l, followed by the username and then the target IP. So, using the Admin laptop, open the command prompt and type the code below to test the connection.

ssh -l admin 192.168.1.1

If everything is correct, the connection will open and you will be prompted for the password. Once in, type enable to gain access do privileged-exec commands.

Working with Logs

Terminal Monitor

Logging messages are a great way to see what’s happening on the device, real-time. They automatically appear on the console connection, but they do not on terminal lines (VTYs). For example, try to turn on and off the GigabitEthernet 0/2 interface. You won’t see anything, as from the screenshot below.

Without the terminal monitor (term mon) you will not see logs on VTY lines
No log appears on the screen.

If we want to see the logs, all we need to do is type terminal monitor. This is a privileged exec command, not a configuration command. We can try the same exercise again, and see the logs now.

Use the terminal montitor (term mon) to see the logs as they happen, also in Cisco Packet Tracer
Now we can see the logs.

The terminal monitor is activated on the VTY you are connected. The moment you disconnect, it will be turned off and will require you to turn it on again if you want to gather more logs. To manually turn off the terminal monitor, you don’t negate the command. You need to negate the monitor, so you have to type terminal no monitor (and not “no terminal monitor”). The terminal monitor is often handy when you need to use debug.

Syslog

Syslog is a simple feature present on many devices (not only Cisco) that allows remote logging. In other words, your device sends all the logs to a server instead of buffering them locally. This does not prevent them to be displayed in real-time with the terminal monitor. With a server, you can gather logs of many different devices and analyze them together. To do that even better, you should configure NTP to have consistent timing.

Syslog groups logs into seven different Severity Levels. The lower the severity, the more important (or critical) the event. Here’s a table showing the Syslog severity levels.

IDNameDescription
0EmergencySystem is unusable
1AlertRequires immediate intervention (e.g. database corruption)
2CriticalCritical condition such as a partial hardware fault
3ErrorGeneric error condition
4WarningGeneric warning condition
5NoticeSignificant condition which is not an error, but it may still require special handling
6InformationalInfo message
7DebugDebug-level message
Syslog Severity Levels

With this in mind, you can configure Syslog to send messages to the server only if they are of certain severity (or lower). To do that, you first need to define which is the Syslog server with logging host configuration command. Then, you can use logging trap to define the severity. Here’s what you should type.

logging host 192.168.1.11
logging trap debugging

With these very two commands, your score should reach 100%. If you try to generate more logs (like with the interface on/off trick), you will be able to see them on the server. In case you want to do that, go to the Server and select the “Services” tab. From there, select “Syslog” on the left panel.

Conclusion

In this article, we learned three cornerstone tools that any network engineer uses: SSH, Terminal Monitor, and Syslog. Now it’s time that you go outside and try them. For example, here’s a pro tip: you can establish two concurrent SSH sessions to the same device, and use one of them to configure the device, the other for the terminal monitor. This way you won’t mess together configuration commands with logs.

For your convenience, here we list all the commands you need to remember:

  • Set hostname and ip-domain name, then generate the RSA key with crypto key generate rsa command in order to enable SSH
  • Set the SSH version with ip ssh version command
  • Remember to select SSH as transport input on the VTY lines, and to enable login local
  • You can turn Terminal Monitor on and off with terminal monitor and terminal no monitor privileged-exec command, to see logs on VTY lines
  • You can enable remote logging by specifying a server with logging host and defining the logging severity with logging trap

With this knowledge, you are now starting to be able to manage and maintain complex network infrastructure. Continue onto this path and the CCNA certification will be in your hands in less than you might think.

Don't fail the CCNA Exam!

Failing the CCNA exam equals wasting $300. Don't do that, be prepared instead.
Together with our free course, we offer a companion book with Questions and Answers. And it's only $27.50 if you are following the course.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

Alessandro Maggio

2017-07-06T16:30:45+00:00

Unspecified

Free CCNA Course

Unspecified