Cisco ASR 1000 Series User Manual
3.3 Network Protocols and Cryptographic Settings
3.3.1 Remote Administration Protocols
All TOE administration must be performed through an IPsec tunnel. However, it is
recommended that the interactive interface be carried over SSH. The following steps
configure SSH so that it is used in a secure manner.
To allow only SSH for remote administrator sessions, use the transport input ssh command.
This command disables Telnet by permitting only SSH connections for remote administrator access.
3.3.1.1 Steps to configure SSH on the router: [10] Cisco IOS Security Command Reference Guides
1. Generate RSA or ECDSA key material; choose a longer modulus length for the
evaluated configuration (i.e., 2048 for RSA and 256 or 384 for ECDSA):
TOE-common-criteria(config)# crypto key generate rsa
How many bits in the modulus [512]: 2048
or
TOE-common-criteria(config)# crypto key generate ec keysize [256 or 384]
RSA and ECDSA keys are generated in pairs: one public key and one private key. This
command is not saved in the router configuration; however, the keys generated by this
command are saved in the private configuration in NVRAM (which is never displayed to
the user or backed up to another device) the next time the configuration is written to
NVRAM.
Note: Only one set of keys can be configured using the crypto key generate command at
a time. Repeating the command overwrites the old keys.
Note: If the configuration is not saved to NVRAM with a “copy run start”, the generated
keys are lost on the next reload of the router.
Note: If the error “% Please define a domain-name first” is received, enter the command
ip domain-name [domain name].
Note: To delete a key, an administrator may use the crypto key zeroize <label> command.
2. Enable ssh
TOE-common-criteria# ip ssh authentication-retries 2
3. Configure the SSH timeout
TOE-common-criteria# ip ssh time-out 60
4. Set SSH to version 2 only
TOE-common-criteria# ip ssh version 2
5. Ensure that the product is configured not to support diffie-hellman-group1-sha1 key
exchange, using the command ‘ip ssh dh min size 2048’:
TOE-common-criteria(config)# ip ssh dh min size 2048
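As an added example (not part of the manual or of Cisco's tooling), the following Python script audits a saved copy of a router's running configuration against steps 2 to 5 above and against the transport input ssh requirement. The configuration excerpt is constructed for illustration; key material cannot be audited this way because, as noted above, it is not stored in the running configuration.

```python
import re

# Constructed excerpt of `show running-config`; not captured from a real device.
SAMPLE_CONFIG = """\
hostname TOE-common-criteria
ip domain-name example.test
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh dh min size 2048
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_config(text):
    """Split the config into global commands and per-'line vty' child commands."""
    global_cmds, vty_sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            vty_sections[current].append(raw.strip())   # indented child of a vty block
        elif raw.startswith("line vty"):
            current = raw.strip()
            vty_sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, vty_sections


def audit_ssh(text):
    """Return a list of findings; an empty list means every checked setting is present."""
    global_cmds, vty_sections = parse_config(text)
    findings = []
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH version 2 not enforced (ip ssh version 2)")
    sizes = [int(m.group(1)) for m in
             (re.match(r"ip ssh dh min size (\d+)$", c) for c in global_cmds) if m]
    if not sizes or sizes[-1] < 2048:        # last occurrence wins, as on the device
        findings.append("DH minimum modulus below 2048 (ip ssh dh min size 2048)")
    if not any(c.startswith("ip ssh time-out ") for c in global_cmds):
        findings.append("no SSH negotiation timeout (ip ssh time-out)")
    if not any(c.startswith("ip ssh authentication-retries ") for c in global_cmds):
        findings.append("no SSH authentication retry limit (ip ssh authentication-retries)")
    for name, children in vty_sections.items():
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no explicit 'transport input ssh'")
        for cmd in transports:
            if cmd.split()[2:] != ["ssh"]:   # anything other than SSH alone is a finding
                findings.append(f"{name}: '{cmd}' permits a non-SSH transport")
    return findings
```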