The Open Systems Interconnection (OSI) model consists of seven layers of network architecture. These layers are the Application, Presentation, Session, Transport, Network, Data-Link, and Physical layers. For the most part if you’re a network administrator, like me, most of your work will be concerned with the first three layers, Physical, Data-Link, and Network.

Now let’s break down the different OSI model layers and what they do:

Layer 7 – Application Layer

The Application layer is generally the closest to the end user. This is where the end user will interact with software in order to communicate across a network. General examples of this layer are telnet,  HTTP, FTP, SMTP.

Layer 6 – Presentation Layer

The Presentation layer is where the data from the Application layer is taken and encapsulated into a form of data that can be used for travel across a network. This layer converts data for use in the Application layer or the Session layer for use in the opposing layer.

Layer 5 – Session Layer

The Session Layer maintains communications or connections between nodes on a network. It establishes, maintains, and terminates. It can operate in full-duplex, half-duplex, or simplex operating modes. Any checkpointing or recovery operations in TCP usually happen on this layer. An example of this layer in action would be an application that uses RPC to execute actions in another address space remotely.

Layer 4 – Transport Layer

The Transport layer is where reliability is controlled through flow control, (de)segmentation, and error control. This is where all data is transfered between end users. Error checking happens on this layer and it can retransmit any failures. Examples of this implementations of this layer are TCP and UDP.

Layer 3 – Network Layer

The Network layer, my favorite, is where all routing happens on a network. This is where data is transferred to it’s destination across one or more networks. This is where routers operate. Data travels across this layer alot like traveling the highway system. Data flows between different routers (hops) to finally make it to it’s destination. The most known implementation of the Network layer is Internet Protocol or IP, as it is most called.

Layer 2 – Data-Link Layer

The Data-Link layer is where data is transfered between nodes on a network. This layer has the capability to detect and correct errors that might have occured on the Physical layer. One of the most well known implementations of this layer is Ethernet. You will find most network switches on this layer. The Data-Link layer provides a connection across the physical link by using vendor assigned hardware MAC address verses assigned IP addresses, like the Network layer does.

Layer 1 – Physical Layer

The Physical layer is where all electrical and physical connections are made. On this layer you will find cabling, hubs, and, network adapters to name a few. Where the Data-Link layer connects multiple nodes, the Physical layer is mostly concerned with connected a single device to the network medium.

That’s a rough introduction to the OSI model. There is a lot more theory of it, but I just wanted to give a quick overview.

All your troubleshooting efforts should start at layer 1, what I like to call ‘checking the basics’. Bypassing layer 1 can cost you alot of time in troubleshooting. I generally make sure cables are plugged in and all devices are powered on. A lot of times you may find a simple easy to correct issue here and save yourself alot of grief in troubleshooting the higher level layers. From there you can just work your way up the layers. This will provide good coverage of possible failures or misconfigurations across the network.

Some network administrators, including my self, talk of a ‘Layer 8′. This is the actual end user themself. I like to call this ‘operator head space and timing’. You should be able to judge and categorize your end users by level of knowledge if you’ve been working with them for some period of time. You can usually skip to ‘Layer 8′ if you’re able to identify the issue with the end user from their complaint. This of course is not part of the Cisco certification process and has more to do with experience in dealing with end users, which you will learn on the job.

We are going to assume you have a Cisco router already setup and in service on your network.

First thing you will want to do is login to your router and go into config mode. Once in config mode you will want to setup a DHCP pool.

Router(config)# ip dhcp pool newpool

You can replace ‘newpool’ with whatever you choose to name your DHCP pool. Next thing we want to do is tell the router the network and subnet.

Router(dhcp-config)# network x.x.x.x y.y.y.y

Replace x.x.x.x with the network address and y.y.y.y with the subnet mask. Next we will tell the router what DNS domain name the clients will use.

Router(dhcp-config)# domain-name domain.com

Obviously, you will replace ‘domain.com’ with your domain. Now we need to tell the router the primary and secondary DNS server IP addresses to be used in the DHCP scope.

Router(dhcp-config)# dns-server 1.1.1.1 2.2.2.2

Replace 1.1.1.1 with your primary DNS server and 2.2.2.2 with your secondary DNS server. We need to specify the default gateway or router.

Router(dhcp-config)# default-router x.x.x.x

Replace x.x.x.x with your default gateway or router IP address. Next we want to specify the length of the lease of the addresses assigned by the DHCP server.

Router(dhcp-config)# lease 7

Here I have set the lease time to expire in 7 days. Alternatively, you can use the syntax ‘lease DAYS HOURS MINUTES’, replacing those variables with the obvious requirements. You can even go as far as setting it for an infinite perios of time using ‘lease infinite’.

This pretty much sums up setting up DHCP on a Cisco router with IOS. I do want to show you one more thing. Suppose you want to exclude some IP address that you want to reserve for static devices. The following command needs to be performed in the the global configuration mode, so type ‘exit’ and perform the following if you are still at the last step.

Router(config)# ip dhcp excluded-address x.x.x.x y.y.y.y

You will want to replace y.y.y.y with the start address of the range you want to exclude and replace y.y.y.y with the end address. Example: ‘ip dhcp excluded-address 192.168.100.0 192.168.100.100. This will exclude addresses all the way up to 192.168.100.100. Therefore, DHCP will start assigning IP address leases at 192.168.100.101.

Now that we have setup our DHCP scope we can enable to DHCP service.

Router(config)# service dhcp

Now you should be able to grab an IP address via DHCP. Don’t forget to save your configuration.

Any how let’s get started.

This assumes you have already logged in to your Cisco router and are in enable mode.

First, you want to check whether SSH has already been enabled.

Router# show ip ssh
%SSH has not been enabled

If you see the result above it obviously means that SSH has not already been enabled on this device.

On with the configuration:

You will want to configure a hostname on your router. This will be performed in configuration mode. (note the prompt)

Router(config)# hostname Router1

The hostname has been set. Now we will configure a domain name for the device.

Router1(config)# ip domain-name Domain1

The domain name has been set. Now we want to generate a RSA key pair.

Router1(config)# crypto key generate rsa modulus 1024

Next we will set a timeout interval.

Router1(config)# ip ssh time-out 120

This will set a time limit of 120 seconds for the SSH session to negotiate.
You can also set a maximum number of retry attempts incase of a failed negotiation.

Router1(config)# ip ssh authentication-retries 3

This will set the maximum amount of retries to 3.
The next thing we will do is change the default port for SSH from 22 to 8855. This is not necessary, however I do recommend it for an added level of security.

Router1(config)# ip ssh port 8855

At this time you can log off of the Cisco device and test the connection with a terminal client. In Windows I like to use PuTTY and in Linux or OSX I use the ssh command in the terminal.

Once you’ve logged in and verified the connection is good you can disable telnet access.

Router1(config)# line vty 0 4
Router1(config)# transport input ssh

Now the only way you will be able to remotely access your Cisco device is via SSH on the port you specified earlier, if you opted to change the default port.

Now to save your configuration changes to the Cisco device, you want to save the running-config to the startup config. There are 2 ways of performing this. I will show you both ways, but you should already know this by now.

Option 1

Router1# wr mem

Option 2

Router1# copy running-config startup-config

Now your new configuration should be saved. One last thing we can do to verify SSH configuration is repeat the first command in this tutorial.

Router1# show ip ssh
SSH Enabled - version x.x
Authentication timeout: 120 secs; Authentication retries; 3

We should see the above result with the configuration that we performed.

That concludes setting up SSH access on your Cisco router or switch. I highly recommend using SSH over telnet especially if you will be managing your device remotely. Telnet will give you absolutely no protection from sniffing.