Basic Device Access & Management


April 17, 2026

I decided to sit down and study for the CCNA once again. I found the best way for me to retain information is by writing it down, and by teaching it to someone. I feel a blog checks both boxes.


Topology

[Figure: topology]


IP Addresses

| Device | Interface | IP Address | Purpose |
|---|---|---|---|
| R1 | GigabitEthernet0/1 | 10.0.1.1/24 | Link to SW1 |
| SW1 | VLAN 1 (SVI) | 10.0.1.2/24 | Management SVI |
| SW1 | Default Gateway | 10.0.1.1 | Points to R1 |
| R2 | GigabitEthernet2 | 10.0.1.3/24 | Link to SW1 |

Containerlab YAML File

---
name: module01-device-access

topology:
  nodes:
    r1:
      kind: cisco_iosv
      image: vrnetlab/cisco_iosv:high_iron_20200929
      startup-config: ""

    sw1:
      kind: cisco_cat9kv
      image: vrnetlab/cisco_cat9kv:17.15.01
      startup-config: ""

    r2:
      kind: cisco_csr1000v
      image: vrnetlab/cisco_csr1000v:17.03.08a
      startup-config: ""

  links:
    # R1 Gi0/1 <-> SW1 Gi1/0/1
    - endpoints:
        - "r1:eth1"
        - "sw1:eth1"

    # SW1 Gi1/0/2 <-> R2 Gi2
    - endpoints:
        - "sw1:eth2"
        - "r2:eth1"

Hostnames & Domain Name

The first thing to do is set the hostnames, which makes it easier to tell which console you’re logged into. A domain name is required for SSH key generation.

R1
Router# configure terminal
Router(config)# hostname R1
R1(config)# ip domain-name ccna.lab
R1(config)# no ip domain-lookup
R1(config)# end

SW1
Switch# configure terminal
Switch(config)# hostname SW1
SW1(config)# ip domain-name ccna.lab
SW1(config)# no ip domain-lookup
SW1(config)# end

R2
Router# configure terminal
Router(config)# hostname R2
R2(config)# ip domain-name ccna.lab
R2(config)# no ip domain-lookup
R2(config)# end

Passwords & Line Security

Next, I set the enable secret, console password, and VTY line passwords.

R1, SW1, R2
 1  (config)# enable secret ccna2026!
 2
 3  (config)# service password-encryption
 4
 5  (config)# line console 0
 6  (config-line)# password console123
 7  (config-line)# login
 8  (config-line)# logging synchronous
 9  (config-line)# exec-timeout 15 0
10  (config-line)# exit
11
12  (config)# line vty 0 4
13  (config-line)# password vty123
14  (config-line)# login
15  (config-line)# logging synchronous
16  (config-line)# exec-timeout 15 0
17  (config-line)# exit

Line 1: Sets the enable secret password
Line 3: Encrypts all plaintext passwords in the config
Line 6: Sets the password to access the console
Line 8: Prevents syslog messages from interrupting my typing.
Line 9: Sets a 15 minute idle timeout.

Login Banners

Then I configured MOTD and login banners.

R1, SW1, R2
 1  (config)# banner motd #
 2  *********************************************
 3  *  AUTHORIZED ACCESS ONLY                   *
 4  *  All activity is monitored and logged.    *
 5  *  Unauthorized access will be prosecuted.  *
 6  *********************************************
 7  #
 8
 9  (config)# banner login #
10  == CCNA Lab Device ==
11  #

Line 1: Message of the Day banner, which is shown to all connections
Line 9: Login banner, which is shown after the MOTD but before the password prompt.

Management IP Addresses

Next I assigned IPs to the interfaces connecting the devices through SW1. This gives me the L3 reachability needed for SSH.

R1
R1# configure terminal

R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip address 10.0.1.1 255.255.255.0
R1(config-if)# description Link to SW1 Gi1/0/1
R1(config-if)# no shutdown
R1(config-if)# exit

R1(config)# end

SW1
 1  SW1# configure terminal
 2
 3  SW1(config)# interface GigabitEthernet1/0/1
 4  SW1(config-if)# description Link to R1 Gi0/1
 5  SW1(config-if)# no shutdown
 6  SW1(config-if)# exit
 7
 8  SW1(config)# interface GigabitEthernet1/0/2
 9  SW1(config-if)# description Link to R2 Gi2
10  SW1(config-if)# no shutdown
11  SW1(config-if)# exit
12
13  SW1(config)# interface Vlan1
14  SW1(config-if)# ip address 10.0.1.2 255.255.255.0
15  SW1(config-if)# description Management SVI
16  SW1(config-if)# no shutdown
17  SW1(config-if)# exit
18
19  SW1(config)# ip default-gateway 10.0.1.1
20
21  SW1(config)# end

Lines 3-5: Ensures the interfaces connecting to R1 and R2 are up
Lines 13-16: Management SVI on VLAN 1
Line 19: Default gateway so SW1 can reach the other subnets

ip default-gateway only works when ip routing is disabled.

R2
R2# configure terminal

R2(config)# interface GigabitEthernet2
R2(config-if)# ip address 10.0.1.3 255.255.255.0
R2(config-if)# description Link to SW1 Gi1/0/2
R2(config-if)# no shutdown
R2(config-if)# exit

R2(config)# end

Verify L3 Connectivity

From R1 I ping SW1 and R2:

R1# ping 10.0.1.2
R1# ping 10.0.1.3

From SW1 I ping R1 and R2:

SW1# ping 10.0.1.1
SW1# ping 10.0.1.3

From R2 I ping R1 and SW1:

R2# ping 10.0.1.1
R2# ping 10.0.1.2

Then verified interface status on all devices:

R1# show ip interface brief
SW1# show ip interface brief
R2# show ip interface brief

SSH v2 Configuration

The 4 prerequisites for SSH:

  1. A hostname other than the default
  2. An IP domain-name
  3. RSA keys generated
  4. VTY lines configured for login local with transport input ssh

R1, SW1, R2
 1  # configure terminal
 2
 3  (config)# username admin privilege 15 secret admin2026!
 4
 5  (config)# crypto key generate rsa modulus 2048
 6
 7  (config)# ip ssh version 2
 8
 9  (config)# ip ssh time-out 60
10  (config)# ip ssh authentication-retries 3
11
12  (config)# line vty 0 4
13  (config-line)# transport input ssh
14  (config-line)# login local
15  (config-line)# exit
16
17  (config)# line vty 5 15
18  (config-line)# transport input ssh
19  (config-line)# login local
20  (config-line)# exit
21
22  (config)# end

Line 3: Creates a local user account
Line 5: Generates RSA keys
Line 7: Sets SSH version 2
Lines 9-10: Optional - Sets the SSH timeout and max retries
Lines 12-14: Configures VTY lines for SSH with local auth
Lines 17-19: Optional - Secures VTY 5-15 if available
privilege 15: Gives the user immediate access to privileged EXEC mode without needing to type enable.
  • login - uses the line password (set with password)
  • login local - uses the local username database (set with username)

SSH requires login local.
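
One way to check a saved running-config against the Passwords & Line Security and SSH settings above. This is an added example, not part of the original post: the sample config, the names `vty_blocks` and `audit`, and the finding messages are constructed for illustration, and it assumes local authentication as on this page (no AAA).

```python
# Constructed running-config excerpt (not from the page): VTY 0-4 follows the
# page's SSH setup; VTY 5-15 was left on a line password with Telnet allowed.
SAMPLE_CONFIG = """\
enable secret 9 $9$CONSTRUCTED.PLACEHOLDER
username admin privilege 15 secret 9 $9$CONSTRUCTED.PLACEHOLDER
ip ssh version 2
line vty 0 4
 exec-timeout 15 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 password 7 00CONSTRUCTED
 login
 transport input all
"""

def vty_blocks(config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return findings for the access controls configured on the page."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    findings = []
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: no enable secret")
    if not any(l.startswith("username ") and " secret " in l for l in top):
        findings.append("global: no local user with a hashed secret")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH version 2 not enforced")
    for name, cmds in vty_blocks(config).items():
        checks = [
            ("transport input ssh" not in cmds, "not restricted to SSH"),
            ("login local" not in cmds, "not using the local user database"),
            # Type 7 is reversible obfuscation, not a hash like 'secret'.
            (any(c.startswith("password 7 ") for c in cmds), "type 7 line password"),
            ("exec-timeout 0 0" in cmds, "idle timeout disabled"),
        ]
        findings += [f"{name}: {msg}" for failed, msg in checks if failed]
    return findings
```

`service password-encryption` stores line passwords in type 7 form, which is reversible, so the check flags them even on a line that has since moved to `login local`.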


Verify SSH Access

I then tested SSH between devices to make sure everything works.

R1
 1  R1# ssh -l admin 10.0.1.2
 2  Password: admin2026!
 3  SW1#
 4
 5  SW1# show ip interface brief
 6  SW1# exit
 7  [Connection to 10.0.1.2 closed]
 8
 9  R1# ssh -l admin 10.0.1.3
10  Password: admin2026!
11  R2#
12  R2# exit

Line 1: SSH from R1 into SW1
Lines 5-7: Confirm I’m on SW1, then exit back to R1
Line 9: SSH from R1 into R2

Then verified with show commands.

R1, SW1, R2
 1  R1# show ip ssh
 2  SSH Enabled - version 2.0
 3  Authentication timeout: 60 secs; Authentication retries: 3
 4
 5  R1# show ssh
 6
 7  R1# show users
 8
 9  R1# show running-config | section line vty
10
11  R1# telnet 10.0.1.2
12  % Connection refused by remote host

Line 1: Verify SSH status
Line 5: See active SSH sessions
Line 7: See who’s connected
Line 9: Verify VTY line config
Line 11: Verify Telnet is blocked

Telnet should not work since I set up transport input ssh.


Configuration Management

R1
1  R1# show running-config
2
3  R1# show startup-config
4
5  R1# copy running-config startup-config
6  Destination filename [startup-config]?  ← press Enter
7  [OK]

Line 1: View the running config (what’s active in RAM)
Line 3: View the startup config (what’s saved in NVRAM)
Line 5: Save running-config to startup-config
  • copy running-config startup-config saves my work.
  • copy startup-config running-config merges the saved config into the running config; it does not replace it.

SW1, R2
SW1# copy running-config startup-config
R2# copy running-config startup-config

SW1# show version
R2# show version

Show Commands

A list of commands to find device information.

show version

show inventory

show processes cpu sorted
show memory statistics

show file systems
dir

show running-config | section line
Last updated on • Ernesto Diaz