Configure a Switch for SSH Secure Access

SSH Overview

The ability to remotely manage your Cisco switch or router is very important. Network administrators are usually not sitting next to the switch or router with a laptop and a console connection. There are various methods of managing a network device like a switch or router remotely over the network. Remote management can be accomplished through a browser-based interface (web browser) or, more commonly, through a terminal interface (CLI). Cisco switches and routers can be configured to use Telnet or SSH for remote terminal access. Telnet is not desirable because it is an unencrypted protocol that sends messages in clear text over the network. SSH is preferred to Telnet because it uses strong, key-based encryption to secure data transmission.

Video Tutorials

In the tutorial below, I use Packet Tracer to demonstrate how to configure a Cisco switch to accept SSH terminal connections. The tutorial covers creating a management VLAN, assigning switchports to VLANs, configuring an IP address for the switch on a virtual interface, generating a public and private key pair, configuring the SSH server, and connecting from two different SSH clients.

Click here to download the starter file:


OSPF Overview

Open Shortest Path First (OSPF) is a link-state routing protocol that is designed to work with large, more complex networks. OSPF is a classless routing protocol that supports VLSM and CIDR, and uses the Shortest Path First (SPF) algorithm to calculate the best path to a network. OSPF uses a routing metric of “cost” that in Cisco’s implementation is based mainly on the bandwidth of a link. OSPF is able to support hierarchical and scalable network designs through its ability to handle multiple OSPF routing areas.

The Cisco CCNA curriculum requires students to know how to implement and configure only a single-area OSPF network.

OSPF has some similarities to EIGRP, especially with regard to configuration: requiring a process-id number, using wildcard bits for the subnet mask, hello packets, neighbor relationships or adjacencies, triggered updates, and the use of multiple tables like the neighbor and topology tables.

OSPF Characteristics

  • Algorithm – Dijkstra’s SPF algorithm
  • Metric – Cost, which is based on the bandwidth of a link
  • Administrative Distance – 110
  • Process-ID number – the process-id number is declared when OSPF is started/configured and is a number from 1 to 65535. The process id number does NOT need to match other OSPF routers in the area in order to create adjacencies (see commands below).
  • Wildcard bits/mask – The wildcard mask is the inverse of a network subnet mask (e.g. is ). It is declared after the network number in the network command (see commands below).
  • Area number – The area number is a number from 0-255, declared at the end of the network command after the wildcard bits. Routers in the same area exchange routing information in the form of Link State Updates (LSUs) (see commands below).
  • Hello Interval – Hello packets are sent every 10 seconds by default. In order for OSPF routers to establish neighbor adjacencies and exchange routing information successfully, the hello interval needs to match on all OSPF routers in the OSPF area.
  • Dead Interval – The dead interval is 40 seconds by default. The dead interval should be 4 times the hello interval, and needs to match on all OSPF routers in the area.
  • Multiple Tables – Routing Table, Topology Table, and Neighbor Adjacency Table
  • DR and BDR Elections – In broadcast multi-access networks (Ethernet), routers in the OSPF area will elect a Designated Router (DR) and a Backup Designated Router (BDR). The DR will be the receiver and distributor of Link-State Packets to other routers in the OSPF area. The BDR will wait, and be ready to take over the duties of the DR in case it fails.

IOS CLI Commands

The router ospf command starts the OSPF routing process. The process ID number can be a number between 1 and 65535:

 router(config)# router ospf <process-id>

  EXAMPLE: router(config)# router ospf 1

The network command adds a connected network to the routing process. In addition to the network IP address you need to provide the wildcard mask, which is the inverse of the subnet mask, followed by the area keyword and the area number. In single-area OSPF the area is typically area 0.

 router(config-router)# network <network-number> <wildcard-mask> area <area-number>

  EXAMPLE: router(config-router)# network area 0
  EXAMPLE: router(config-router)# network area 0
  EXAMPLE: router(config-router)# network area 0 //for a /30 subnet mask

In OSPF, the router-id command will manually set the router’s router-id. In broadcast multi-access networks the router with the highest router-ID will become the designated router (DR) and the router with the second highest router-ID will become the backup designated router (BDR).

 router(config-router)# router-id <ip-address>

  EXAMPLE: router(config-router)# router-id

The passive-interface command can be used to stop OSPF packets from being sent out of a network interface where there are no other OSPF routers present.

 router(config-router)# passive-interface <interface-number>

  EXAMPLE: router(config-router)# passive-interface fastEthernet 0/0

Cisco’s default OSPF cost metric does not account for links faster than 100 Mbps. For example, a 100 Mbps Ethernet interface calculates to an OSPF cost of 1, but what if you have a 1000 or 10000 Mbps Ethernet interface? The auto-cost reference-bandwidth command adjusts the cost calculation to account for links faster than 100 Mbps.

 router(config-router)# auto-cost reference-bandwidth <megabits-per-second>

  EXAMPLE: router(config-router)# auto-cost reference-bandwidth 10000


The default-information originate command will distribute a default route to other OSPF area routers.

 router(config-router)# default-information originate 

You can use either of the following commands to exit out of router configuration mode.

 router(config-router)# end
 router(config-router)# exit

Since OSPF relies on bandwidth for its metric, it is a good idea to set the specific bandwidth of a serial interface; otherwise Cisco serial interfaces default to a speed of 1544 Kbps, which may lead to an inaccurate cost for the link. It is important to remember that this command is applied to the network interface in interface configuration mode.

 router(config)# interface serial <interface-number>
 router(config-if)# bandwidth <speed-in-kbps>

  EXAMPLE: router(config)# interface serial 0/0/0
  EXAMPLE: router(config-if)# bandwidth 384

Another command that is applied to a network interface is the ip ospf priority command. This command can be used to manipulate the DR/BDR election process. By default, all of a Cisco router’s interfaces are given an OSPF priority of 1; by changing this value to a higher number you can affect the DR/BDR elections. An OSPF priority of 0 ensures the router is never the DR, while an OSPF priority of 255 ensures that the router will be elected as the designated router (DR).

 router(config-if)# ip ospf priority <0-255>

  EXAMPLE: router(config-if)# ip ospf priority 255

The following commands are all applied to a network interface, but they all affect the operation of the OSPF routing protocol. Instead of configuring the bandwidth of the link, which subsequently affects the calculation of the cost metric, you can configure the cost value directly. To do this you need to know how to calculate the cost metric manually. The cost of a network link is calculated as follows: cost equals 10^8 divided by the network interface speed in bits per second, e.g. the cost for Fast Ethernet is 10^8/100,000,000 = 1.

 router(config-if)# ip ospf cost <cost-value>

  EXAMPLE: router(config-if)# ip ospf cost 781 //for a 128kbps link
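The cost arithmetic behind ip ospf cost, bandwidth and auto-cost reference-bandwidth, as an added example (not code from the tutorial): the reference bandwidth is divided by the interface bandwidth and truncated, so with the default reference of 10^8 bps every link faster than 100 Mbps collapses to a cost of 1. The topology in SAMPLE_PATHS is constructed for illustration.

```python
# Added example (not from the article): the cost arithmetic behind
# `ip ospf cost`, `bandwidth` and `auto-cost reference-bandwidth`.
# cost = reference bandwidth / interface bandwidth, truncated to an integer.
DEFAULT_REFERENCE_BW_MBPS = 100      # IOS default: 10^8 bits per second


def ospf_cost(bandwidth_kbps: int, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """Cost IOS derives for an interface.

    bandwidth_kbps     -- what the interface reports or `bandwidth` sets (kbps)
    reference_bw_mbps  -- `auto-cost reference-bandwidth` (Mbps), 100 by default
    IOS truncates the division and keeps the result within 1..65535, so every
    link faster than the reference bandwidth collapses to a cost of 1.
    """
    if bandwidth_kbps <= 0 or reference_bw_mbps <= 0:
        raise ValueError("bandwidths must be positive")
    cost = (reference_bw_mbps * 1_000_000) // (bandwidth_kbps * 1_000)
    return max(1, min(cost, 65_535))


def path_cost(link_bandwidths_kbps, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> int:
    """SPF adds up the cost of each outgoing interface along a path."""
    return sum(ospf_cost(bw, reference_bw_mbps) for bw in link_bandwidths_kbps)


def best_path(paths: dict, reference_bw_mbps: int = DEFAULT_REFERENCE_BW_MBPS) -> str:
    """Name of the lowest-cost path, which is the one OSPF installs in the routing table."""
    return min(paths, key=lambda name: path_cost(paths[name], reference_bw_mbps))


# Constructed topology: two 10 Gbps hops versus a single Fast Ethernet hop
SAMPLE_PATHS = {
    "two_10g_hops": [10_000_000, 10_000_000],
    "one_fastethernet_hop": [100_000],
}

if __name__ == "__main__":
    for name, kbps in (("128 kbps link", 128), ("T1 serial default", 1544),
                       ("bandwidth 384", 384), ("Fast Ethernet", 100_000),
                       ("Gigabit", 1_000_000), ("10 Gigabit", 10_000_000)):
        print(f"{name:18} default reference: {ospf_cost(kbps):5}"
              f"   reference-bandwidth 10000: {ospf_cost(kbps, 10_000)}")
    # With the default reference the slower path wins; raising the reference
    # bandwidth on every router in the area (it must be consistent) lets SPF
    # prefer the 10 Gbps path.
    print("best path, default reference :", best_path(SAMPLE_PATHS))
    print("best path, reference 10000   :", best_path(SAMPLE_PATHS, 10_000))
```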

For neighboring OSPF routers to form adjacencies, the OSPF hello interval and dead interval on each router need to match. In a multi-access broadcast network the default hello interval is 10 seconds, and the dead interval is four times the hello interval, or 40 seconds. You can change these timers, for example to send fewer hello packets on the network, but if you adjust the hello interval you also need to adjust the dead interval, and you need to do so on all OSPF routers in the OSPF area.

 router(config-if)# ip ospf hello-interval <seconds>
 router(config-if)# ip ospf dead-interval <seconds>

  EXAMPLE: router(config-if)# ip ospf hello-interval 10
  EXAMPLE: router(config-if)# ip ospf dead-interval 40


The following show commands are useful in verifying and troubleshooting OSPF operation and configuration, as well as identifying the router-ids and the identities of the DR and BDR. 

 router# show ip ospf neighbor
 router# show ip ospf interface
 router# clear ip ospf process
 router# show running-config
 router# show ip protocols
 router# show ip route

Sample Command Usage

 router(config)#router ospf 1
 router(config-router)#network area 0
 router(config-router)#network area 0
 router(config-router)#passive-interface fa0/1
 router(config-router)#default-information originate
 router#show ip ospf neighbor
 router#show ip ospf interface
 router#clear ip ospf process

OSPF Show Commands

Example OSPF Network

     router#show ip ospf neighbor

In the “show ip ospf neighbor” output above you can see that router R0 has established three neighbor relationships, or adjacencies, with the other routers. The “Neighbor ID” column is the neighbor router’s Router ID, which can be different from that router’s IP address on the network. In the example above the first router listed has a Router (Neighbor) ID of but its IP address on the network is . You can also see that the router at (R3) is the current BDR, or Backup Designated Router, and that its “Pri” (router priority) has been changed from the default of 1 to 50. The “State” column shows that all three routers have current “FULL” adjacencies. DROTHER routers only form FULL adjacencies with the DR and BDR, and 2WAY adjacencies with each other; you can see this in the image of R1’s “show ip ospf neighbor” output above. Even from R0’s output alone (top router output image) we can infer that the Designated Router (DR) must be the router that issued the command (R0), because no neighbor is listed as a DR, only a BDR and two DROTHERs.

     router#show ip route

In the image above the “show ip route” command has been issued, displaying router R0’s routing table. From the routing table we can tell that R0 has two connected networks, “C on FastEthernet0/1” and “C on FastEthernet0/0”, and that it has learned from OSPF about routes to three additional “O” networks:,, and an “O*E2” candidate default route, or gateway of last resort.


OSPF Lab Overview

In this lab, the goal is to set up multiple routers in a multi-access network to observe and control the OSPF DR/BDR election process. The video tutorials below illustrate the process using Packet Tracer to simulate the network environment.


If you have Packet Tracer, and you would like to follow along with the videos, download my Packet Tracer starter file: click here

Video Tutorials

Link-State Routing Protocols


Link-State Routing Protocols Overview

Link-State routing protocols are routing protocols whose algorithms calculate the best paths to networks differently than Distance Vector routing protocols. Whereas Distance Vector protocols know routes by measures of distance and vector (direction) as reported by neighboring routers, Link-State routing protocols calculate their routes by building a complete topology of the entire network area and then computing the best path from this topology, or map, of all the interconnected networks.

There are two link-state routing protocols, OSPF and IS-IS. The Cisco CCNA curriculum covers the Open Shortest Path First (OSPF) link-state routing protocol; the IS-IS routing protocol is part of the CCNP curriculum.

Link-State Characteristics

  • SPF algorithm – Link-State routing protocols are designed around Dijkstra’s Shortest Path First (SPF) algorithm, in which the shortest path from point A to point B is built around a metric of cost.
  • Cost metric – The SPF algorithm finds the shortest path based on a metric of network link costs. Each router measures the cost of its own directly connected networks, or "links." Cost is a measure of the quality of a link, based mostly on bandwidth.
  • Hello packets – Link-State routing protocols establish adjacencies with neighboring routers using hello packets.
  • Link State Packets (LSP) – Initial flooding of link-states to all routers in the network.
  • Topology or SPF Tree – Link-State routing protocols build and maintain a complete map or topology of the network area.

Link-State Advantages

  • Faster Convergence – Unlike Distance Vector routing protocols, which run algorithm calculations before sending updates, Link-State routing protocols send link-state updates to all routers in the network before running route calculations.
  • Triggered Updates – Unlike Distance Vector routing protocols (except EIGRP), which send periodic updates at regular intervals, Link-State routing protocols send LSPs during router startup (flooding) and when a link changes state, such as going up or down. If there are no changes in the network, the protocol only sends hello packets to maintain adjacencies.
  • Scalability – Link-State routing protocols support the ability to configure multiple routing "areas," which allows an administrator to segment routing protocol processes into defined areas, supporting the expansion and troubleshooting of much larger networks.

Link-State Disadvantages

  • Greater Processing Requirements – Link-State routing protocols typically demand greater processing power and memory resources from the router.
  • Greater Administrator Knowledge – Link-State routing protocols can demand advanced administrator knowledge to configure and troubleshoot the network area.



Parent and Child Routes


It is beneficial to understand how Cisco routers look up routes in the routing table. There are various scenarios where the router might behave contrary to expectations, and by understanding the router’s lookup process you may be able to identify a problem and apply a quick remedy.

Cisco routers were originally designed to work according to the classful hierarchy of IPv4 networks. Therefore, to understand the Cisco IOS routing table, it helps to maintain the perspective of classful versus classless networking.

Route Types

In the Cisco CCNA you will need to be able to identify the following types of routes in the routing table:

• Level 1 route – is a network route, a default route, or a supernet route. It is also called an ultimate route.

• Level 2 route – is a subnetted route with a greater than classful subnet mask, it is also a called a child route.

• Parent route – is a classful route, but it is not an ultimate route. A parent route has subnetted child routes. If there are no child routes there is no parent route. Parent routes do not have an exit interface or next hop IP address. A parent route is also called a level 1 route.

• Child route – A child route is a subnetted route, where the subnet mask is greater than the classful subnet mask (e.g. /27 versus /24). A child route is a level 2 route.

• Ultimate route – an ultimate route is a route that has an exit interface or a next hop IP address.

• Default Route – also known as a “gateway of last resort,” is a route configured to the /0 network and mask. This route does not have to qualify or “match” the destination network therefore it is a match for all destinations.

• Network Route – is a level one, ultimate route with an exit interface.

Routing Table Behavior

The router can be configured to behave classfully or classlessly, which is a separate issue from the routing protocol and whether or not the routing protocol has the capability to support classless networks. Classless routing behavior is configured by default on the routers, and you can verify this by issuing a “show running-config” command. To turn classless behavior on you use the ip classless command; the no ip classless command removes classless behavior.

     (config)#ip classless

     (config)#no ip classless

The important difference between “ip classless” and “no ip classless” is that with “ip classless” enabled, if the router finds a matching parent route it will search for a match in the child routes, and if it does not find a matching child route among the subnets available in the routing table it will go back and search the Level 1 routes for a possible secondary match, like a default route.

Example: In the routing table image above, if the router received a packet for it would find a match to the classful parent route of and proceed to search through the child routes. After not finding a match for it would go on looking in the table for a possible match; if a default route were available, like the default static route “S*” above, it would find a suitable match, because the /0 subnet mask indicates that no bits in the route’s network address need to match the packet’s destination address in order to have a match.

With “no ip classless” enabled, the router after not finding a matching child route would simply drop the packet. Why would it drop the packet? My personal guess is that “no ip classless” means “classful behavior” and in the world of purely classful network hierarchies, prior to the possibility of discontiguous classless networks, meaning VLSM and CIDR, either you owned the classful network and therefore all of the possible subnets, or you didn’t, so why keep searching the routing table, the destination network couldn’t possibly be anywhere else, so it is dropped.

Note: In Packet Tracer, the global commands “ip classless” and “no ip classless” are not available.
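A small model of the lookup described above, as an added example (not code from the article): a parent classful route whose child routes are searched first, a fallback to the level-1 routes (including the default route) under ip classless, and a drop under no ip classless. The routing table, addresses and interface names below are constructed for illustration.

```python
# Added example (not from the article): a model of the route lookup the
# article describes, with "ip classless" and "no ip classless" behaviour.
# Addresses, interfaces and next hops below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    via: str            # exit interface or next-hop address (an ultimate route)


def classful_network(addr: IPv4Address) -> Optional[IPv4Network]:
    """The classful /8, /16 or /24 network an address falls in, from its leading
    bits; None for class D/E, which have no classful unicast network."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        return None
    return ip_network((int(addr), prefix), strict=False)


def longest_match(addr: IPv4Address, routes) -> Optional[Route]:
    """Longest-prefix match among the given routes, or None."""
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None


class RoutingTable:
    def __init__(self, level1, children):
        self.level1 = list(level1)      # ultimate level-1 routes: network, supernet, default
        self.children = dict(children)  # parent classful network -> its level-2 child routes

    def lookup(self, destination: str, ip_classless: bool = True) -> Optional[Route]:
        """Return the route a packet to `destination` would use, or None if dropped."""
        addr = ip_address(destination)
        parent = classful_network(addr)
        kids = self.children.get(parent) if parent else None
        if kids:                        # a parent route matched: search its child routes
            child = longest_match(addr, kids)
            if child:
                return child
            if not ip_classless:        # classful behaviour: no child match, packet is dropped
                return None
        # classless behaviour: fall back to the level-1 routes, including a default route
        return longest_match(addr, self.level1)


# Constructed sample table (not the one pictured in the article)
SAMPLE_TABLE = RoutingTable(
    level1=[
        Route(ip_network("0.0.0.0/0"), "192.0.2.1"),       # S* default route, gateway of last resort
        Route(ip_network("10.0.0.0/8"), "Serial0/0/0"),     # C classful network route, level 1 ultimate
    ],
    children={
        ip_network("172.16.0.0/16"): [                      # parent: "172.16.0.0/16 is subnetted"
            Route(ip_network("172.16.1.0/24"), "FastEthernet0/0"),
            Route(ip_network("172.16.2.0/24"), "FastEthernet0/1"),
        ],
    },
)


def next_hop(destination: str, ip_classless: bool = True) -> Optional[str]:
    """Exit interface / next hop chosen for `destination`, or None when dropped."""
    route = SAMPLE_TABLE.lookup(destination, ip_classless)
    return route.via if route else None


if __name__ == "__main__":
    for dst in ("172.16.2.7", "172.16.3.10", "10.1.2.3", "198.51.100.5"):
        print(f"{dst:14} ip classless -> {str(next_hop(dst, True)):16} "
              f"no ip classless -> {next_hop(dst, False)}")
```

Only 172.16.3.10 differs between the two modes: its parent route matches but no child does, so classless falls through to the default route while classful drops it.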

Video Tutorial


RIPv2 Overview

RIPv2 has one great improvement over RIPv1: instead of sending just the network address in its routing updates, it can send the subnet mask and the next hop address as well, which means it can advertise non-classful subnets. In this way, RIPv2 supports VLSM and CIDR. Otherwise RIPv2 is very similar to RIPv1: it is a Distance Vector routing protocol and it uses hop count as its metric, with a maximum distance of 15 hops. An important point to remember is the difference in sending and receiving version updates. RIPv1 sends version 1 updates and receives both version 1 and 2 updates, but ignores the version 2 updates. RIPv2 sends and receives only version 2 updates. Here is a list of the similarities and differences of RIPv2 versus RIPv1.

RIPv2 Differences from RIPv1

VLSM and CIDR – is supported by sending the subnet mask and the next hop address in its routing updates.

Multicasts – RIPv2 multicasts its routing updates to instead of broadcasting to like RIPv1

Authentication – RIPv2 supports MD5 authentication

Updates – RIPv2 sends and receives version 2 updates only. RIPv1 sends version 1 updates and receives both 1 and 2, however version 2 information is ignored.

RIPv2 Similarities to RIPv1

Auto Summarizes by default (You will need to turn this off if you have discontiguous networks)

Distance Vector Protocol

Hop Count is the metric with a maximum of 15 hops, 16 is infinity and is dropped.

Cisco IOS CLI Commands

Below is a list of the RIPv2 commands that you are required to know. The commands reflect a router with three connected network interfaces, one of which leads to a non-RIP-enabled router via a static route that needs to be redistributed to the other RIP-enabled routers.

 router(config)#router rip
 router(config-router)#version 2
 router(config-router)#no auto-summary
 router(config-router)#network <network address>
 router(config-router)#network <network address>
 router(config-router)#redistribute static
 router(config-router)#default-information originate
 router(config-router)#passive-interface <interface>
 router#debug ip rip

Video Tutorial on RIPv2

In this tutorial, I configure a discontiguous network with RIPv1 to show how it fails, then I configure it with RIPv2 to show how RIPv2 can successfully support classless networks, or VLSM and CIDR. If you would like to follow along with the tutorial, then download the Packet Tracer file here: You will need to have the Packet Tracer program in order to follow along.



The ability of routing protocols to route to networks with Variable Length Subnet Masks (VLSM) and Classless Interdomain Routing (CIDR), along with the creation of NAT and private addressing, has enabled IPv4 to remain a viable network address solution well beyond its original design limitations.

When IPv4 addressing was first developed it was designed as a class based system with Class A, B, C, D, E addresses.

Class A:   –
Class B: –
Class C: –
Class D: –
Class E: –

The IP address class system is based on the IP address as read in binary. This means there is a logic to the classes based on the bit pattern, or the first 4 bits (higher order bits) read left to right. In other words, in all Class A addresses, the first two bits (left to right), in binary, will start with a 01, a Class B address will start with a 10, a Class C address with a 110, a Class D address a 1110, and a Class E address with a 1111.

This class based system was divided into networks and hosts based on a netmask system with the following class-based netmasks:

Class A:  (255 network addresses and 16,777,216 hosts)
Class B:  (65,536 network addresses and 65,536 host addresses)
Class C:  (16,777,216 network addresses and 256 host addresses)

In this system, the networks are defined by the portion of 255s and the hosts are defined by the portion of zeros. Of course, in binary this is simply the ones on the left hand side and the zeros on the right. This class structure creates a hierarchy of larger to smaller networks, and a publicly available class range from Class A to Class C.

We can see the limitations of the system if we set up a hypothetical scenario of a country that reserves one of the two hundred and fifty-six available Class A addresses for itself. Let’s say, hypothetically, that the country reserves the Class A address /8. How would it divide its networks and addresses? In a class-based system of networks and hosts it is limited to classful networks. For example:

a hierarchical classful network scenario

  • 1 Class A network (/8) for 1 country
  • 256 Class B networks (/16) for 256 cities
  • 256 Class C networks for 256 businesses per city
  • 256 Class C public IP addresses per business

So in this scenario, a business would be restricted to having one Class C network with 256 public IP addresses. You can easily see the limitations of classful addressing. What if a business only needed 10 IP addresses? The rest would be wasted. Luckily, VLSM, CIDR, NAT and the development of the private address spaces, /20, and /16 were designed to help save IP addresses and make networks more flexible by allowing them to be different sizes than the ones mandated by the classful IPv4 address structure.

If every computer on the internet needed a public IP address we would have run out of IPv4 addresses a long time ago. The development of VLSM and CIDR, NAT, and private addressing helped conserve IPv4 addresses; these developments were brought about by the need to deal with the exponential growth of the internet and the realisation that IPv4 was simply running out of address space. Since then, IPv4 address space has indeed run out, and IPv6 has been developed, which will never run out, but VLSM, CIDR, NAT, and private addressing enabled IPv4 to last much longer than expected, and because of those developments IPv4 is still very much in use today.

VLSM – Variable Length Subnet Masks and CIDR – Classless Interdomain Routing

So how do VLSM and CIDR work? CIDR basically means that when routing you are not limited to networks based on /8, /16, or /24 subnet masks, and VLSM means that as long as the address spaces do not overlap, you can divide a classful network like /24 into networks of different sizes and subnet masks, like this: /24 (1 network with 256 hosts)
or, in the example below, 7 networks of different sizes: /25 (1 network with 128 hosts), /26 (1 network with 64 hosts), /27 (1 network with 32 hosts), /28 (1 network with 16 hosts), /29 (1 network with 8 hosts), /30 (1 network with 4 hosts), /30 (1 network with 4 hosts)

How I divide the networks above into variable sizes is based on the subnet mask and the binary place value of the last “1” bit. I like to call this method the “Magic Number.” Notice that the networks above are the same size as the Magic Number of the subnet mask.

(the magic number is the place value of the last 1 bit in the mask)

/25 = 11111111.11111111.11111111.10000000  (the last 1 is in the 128 place)
/26 = 11111111.11111111.11111111.11000000  (the last 1 is in the 64 place)
/27 = 11111111.11111111.11111111.11100000  (the last 1 is in the 32 place)
/28 = 11111111.11111111.11111111.11110000  (the last 1 is in the 16 place)
/29 = 11111111.11111111.11111111.11111000  (the last 1 is in the 8 place)
/30 = 11111111.11111111.11111111.11111100  (the last 1 is in the 4 place)

You cannot do /31 and /32, but you can do /7, /8, /15, /16, /23, /24 etc.:

/23 = 11111111.11111111.11111110.00000000  (the last 1 is in the 2 place)
/24 = 11111111.11111111.11111111.00000000  (the last 1 is in the 1 place)

Summary Routes and Supernets

With CIDR and classless addressing, not only can you divide subnets into smaller subnets you can also generalize or summarize subnets into supernets. A supernet allows a router to put one summary route in its routing table instead of many routes. Take the following example:

Let’s say you have a router that is connected to another router that has the following connected networks: /24 /24 /24 /24 /24 /24

Instead of configuring 16 static routes to reach all of those networks, you could configure one supernet route of /16, thus basically saying: all of the 192.168 networks are over there! Of course, if in fact it is only networks 192.168.0 through 192.168.15, then a more accurate supernet route would be /20, which says: networks through are over there, because the /20 subnet mask has a magic number of 16, and networks 192.168.16 and up are not in the range being summarized.
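The magic-number rule, the wildcard mask used by the OSPF network command, a VLSM split of a /24 into the seven sizes listed above, and the /20 summary of 192.168.0 through 192.168.15, worked through as an added example (not code from the article). The base network 192.168.0.0/24 and the /30 used for the wildcard are constructed values; summary_route also shows what happens when 192.168.16.0 is added to the list and the summary over-covers.

```python
# Added example (not from the article): the "magic number" rule, the wildcard
# mask typed in the OSPF network command, a VLSM split of a /24, and the
# supernet (summary route) calculation for 192.168.0.0 through 192.168.15.0.
from ipaddress import IPv4Address, IPv4Network, ip_network


def magic_number(prefixlen: int) -> int:
    """Place value of the last 1 bit of the mask, i.e. the block size of the
    subnet in the octet where the mask ends: /25 -> 128, /30 -> 4, /23 -> 2."""
    if not 1 <= prefixlen <= 32:
        raise ValueError("prefix length must be 1..32")
    bits_in_last_octet = prefixlen % 8
    if bits_in_last_octet == 0:          # mask ends on an octet boundary (/8, /16, /24)
        return 1
    return 2 ** (8 - bits_in_last_octet)


def wildcard_mask(cidr: str) -> str:
    """Inverse of the subnet mask, as typed after the network number in
    `network <address> <wildcard> area <n>`: every mask bit is flipped."""
    net = ip_network(cidr, strict=False)
    return str(IPv4Address(int(net.netmask) ^ 0xFFFFFFFF))


def vlsm_allocate(base: str, sizes) -> list:
    """Carve `base` into consecutive subnets holding `sizes` addresses each.
    Largest first, so each subnet starts on a multiple of its own magic number;
    sizes must be powers of two of at least 4 (no /31 or /32, as the article says)."""
    parent = ip_network(base)
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    subnets = []
    for size in sorted(sizes, reverse=True):
        if size < 4 or size & (size - 1):
            raise ValueError(f"{size} is not a power of two >= 4")
        if cursor + size > limit:
            raise ValueError("requested subnets do not fit in " + base)
        prefix = 32 - (size.bit_length() - 1)
        subnets.append(ip_network((cursor, prefix)))   # aligned: cursor % size == 0
        cursor += size
    return subnets


def summary_route(networks) -> IPv4Network:
    """Shortest common prefix covering every listed network (a supernet).
    It may cover more than the inputs; see summary_is_exact."""
    nets = [ip_network(n) for n in networks]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (low >> (32 - prefix)) != (high >> (32 - prefix)):
        prefix -= 1
    base = (low >> (32 - prefix)) << (32 - prefix)
    return ip_network((base, prefix))


def summary_is_exact(networks) -> bool:
    """True when the supernet holds exactly the listed addresses and no others."""
    covered = sum(ip_network(n).num_addresses for n in networks)
    return summary_route(networks).num_addresses == covered


if __name__ == "__main__":
    for p in (25, 26, 27, 28, 29, 30, 23, 24):
        print(f"/{p}: magic number {magic_number(p)}")
    print("wildcard for a /30:", wildcard_mask("10.1.1.0/30"))
    for net in vlsm_allocate("192.168.0.0/24", [128, 64, 32, 16, 8, 4, 4]):
        print(net, "->", net.num_addresses, "addresses")
    sixteen = [f"192.168.{i}.0/24" for i in range(16)]
    print(summary_route(sixteen), "exact:", summary_is_exact(sixteen))
    seventeen = sixteen + ["192.168.16.0/24"]
    print(summary_route(seventeen), "exact:", summary_is_exact(seventeen))
```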

Video Tutorials on VLSM and CIDR

Video Tutorials – A Packet Tracer walkthrough of VLSM CIDR and Summary Routes

Routing Loops


Routing Loops are a risk in networks that utilize an older dynamic routing protocol like RIP. A routing loop is a scenario where data, instead of being routed to its correct destination, is sent from router to router endlessly. This scenario can be caused by routers not receiving updated routing information quickly enough, and as a result, forwarding packets incorrectly and propagating routing information to neighbor routers incorrectly. When every router in the system has the correct routing information the network is said to be converged. Therefore, it is desirable to use a routing protocol that can converge a network quickly and prevent routing loops.

Typically, distance vector routing protocols like RIPv1, RIPv2 and IGRP do not converge networks as quickly as link-state routing protocols like OSPF and IS-IS, with the EIGRP routing protocol being the exception.

Count-to-infinity is a RIP routing loop scenario whereby the routes in the routing tables keep increasing their hop-count metric. This is caused by incorrect routing information being propagated on the network.

Distance Vector routing protocols have been designed and improved over the years to minimize the possibility of routing loops. RIP uses the following methods and rules to avoid routing loops and count-to-infinity: split horizon, hold-down timers, route poisoning, poison reverse, and TTL values.

Video Tutorial