Actually, I found this site quite a long time ago, and I'm amazed by the craziness of the owner's home lab. You've probably seen it before, since the site is quite famous.
This site is named Uber Geek, and its owner is Scott Morris. His resume alone is outstanding: he's a quadruple CCIE, meaning he holds all four of the CCIE tracks, and he also holds every other networking certification you can dream of.
Once you see the lab he has, you'd understand what I'm saying:
I can't say anything except that this lab is just crazy: not only Cisco devices but also Juniper, Sun, Dell, etc. I think some of the small ISPs in my country don't even have this kind of equipment.
Of course, four big racks and a massive number of devices come with great requirements. Because of the heat the devices give off, he built a special air-conditioned environment in his basement.
I know building this kind of lab is nowhere near possible for people who just want to pass certification exams like CCNA or even CCNP, especially if you don't earn enough income from your networking projects. Nevertheless, having a lab like this will make sure your future clients never doubt your expertise.
So I say: start building your home network lab, add Cisco or other devices one by one, and maybe eventually you'll come close to Scott Morris' lab.
At the CCNA level, we only know how to connect to Cisco devices using a console connection and a telnet connection.
We know that nobody can tap the console connection over the network, since it is a direct cable to the Cisco device, but it's a different story for the telnet connection: anyone on the path can capture the traffic of a telnet session.
All messages are sent in clear text, so it's dangerous to leave the default of communicating with Cisco devices using only telnet.
We can use SSH for a secure connection to the Cisco devices. SSH encrypts all messages going between your computer and the Cisco devices.
First you're going to need a Cisco IOS image that supports SSH, i.e. one that includes IPSec, DES, or 3DES. How would you know that? Well, you can just issue the following command:
router> ena
router# show ip ssh
% Invalid input detected at '^' marker.
If it shows % Invalid input detected at '^' marker., then the IOS does not support SSH. Now start with the configuration: you have to define a hostname for the Cisco device and also a domain name for it. In this example I use the hostname "netrouter" and the domain name "ciscolab.home".
router(config)# hostname netrouter
netrouter(config)# ip domain-name ciscolab.home
Next, generate the RSA key pair used for the encryption; your device name plus the domain name will be the name of the key. The modulus is the length of the key; the default value is 512 bits, and Cisco recommends a length of 1024 bits.
netrouter(config)# crypto key generate rsa
The name for the keys will be: netrouter.ciscolab.home
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys ...[OK]
You can also configure some additional parameters for the SSH connection:
netrouter(config)# ip ssh authentication-retries 5
netrouter(config)# ip ssh time-out 120
netrouter(config)# ip ssh version 2
The first command sets the number of retries allowed if you fail or mistype the username and password. The second sets the timeout, the time allowed (in seconds) to enter the username and password. The last command sets the SSH version you want to use.
Now that we have generated the key pair for the encryption, how will the Cisco device authenticate the users coming in over SSH? You can either use an AAA server like RADIUS or TACACS+, or you can just use the Cisco device's local username and password. For now I'll just use local authentication: first set the username and password, then configure the device to accept local authentication for the vty lines.
netrouter(config)# username Cisco password homelab
netrouter(config)# line vty 0 4
netrouter(config-line)# login local
By now you have successfully configured SSH on the Cisco device, so let's try it. You can use PuTTY for the SSH connection. The default port for SSH is 22; you can use another port if you want by issuing ip ssh port 2000 from global configuration mode, replacing 2000 with any port in the range 2000 to 10,000.
Here I'm using the default terminal on a Macintosh:
There, SSH is working. But the telnet session is also still working, so now I want to restrict the Cisco device to accept only SSH connections and deny telnet.
Do not disconnect from your current connection, especially if it's a telnet session: in case you mess up the configuration, you can always undo the changes.
netrouter(config)# line vty 0 4
netrouter(config-line)# transport input ssh
Now if I try to connect using telnet, the router refuses it:
Macintosh:~ krishananda$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host
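As an added example (my own code, not from the original post and not a Cisco tool): a small Python script that reads a saved copy of show running-config and checks whether every step above was actually applied, which is the check I'd want before closing the telnet session. The two configs embedded in it are constructed samples, and the names parse_ios_config and audit_ssh are mine. Besides the steps from the post, it also flags a "username ... password" line, since IOS stores that reversibly while "username ... secret" stores a hash.

```python
"""Audit a Cisco IOS running-config for the SSH settings from the steps above."""
import re

# Constructed sample running-config (not from the original post): SSH is on,
# but telnet is still accepted on vty 0 4, and vty 5 15 was never locked down.
SAMPLE_CONFIG = """\
!
hostname netrouter
!
ip domain-name ciscolab.home
!
username Cisco password 0 homelab
!
ip ssh time-out 120
ip ssh authentication-retries 5
ip ssh version 2
!
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login
 transport input all
!
end
"""

# Constructed hardened variant of the same device for comparison.
HARDENED_CONFIG = """\
hostname netrouter
ip domain-name ciscolab.home
username Cisco secret 5 $1$placeholder
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
end
"""


def parse_ios_config(text):
    """Split an IOS config into global commands and the commands under each 'line' section.

    IOS indents sub-commands with a single space; a non-indented line ends the section.
    """
    global_cmds = []
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_ssh(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_ios_config(text)
    findings = []
    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("hostname not set (required before 'crypto key generate rsa')")
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("ip domain-name not set (required before 'crypto key generate rsa')")
    if "ip ssh version 2" not in global_cmds:
        findings.append("'ip ssh version 2' missing: SSHv1 may still be negotiated")
    for cmd in global_cmds:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"user '{m.group(1)}' uses reversible 'password'; use 'secret'")
    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            shown = transport or "not set (IOS version default applies)"
            findings.append(f"{name}: '{shown}', not restricted to SSH")
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append(f"{name}: no 'login local' or AAA login method")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the first sample it reports four findings (the reversible password, telnet still allowed on both vty ranges, and vty 5 15 with no local login); against the hardened sample it reports none. Note that vty 5 15 exists on most routers even though the post only configures vty 0 4, which is why the audit walks every vty section.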
Hope this is useful for you.
If you're using a Macintosh and you change the RSA key by issuing crypto key generate rsa again on the same device, your Mac will refuse the SSH connection, showing a warning about a man-in-the-middle attack or the RSA key having changed. All you need to do is open your text editor, open the file /users/yourname/.ssh/known_hosts, wipe out the contents of the known_hosts file and save. That should do the trick.
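Wiping the whole known_hosts file also throws away the trusted keys of every other host you've connected to, so the client will accept any key from them next time. OpenSSH ships ssh-keygen -R 192.168.1.1 to delete just the one host's entries. As an added example (my own code, not from the post or from OpenSSH), the Python below does the same thing on a known_hosts file in memory, so you can see exactly what would be removed: it matches plain comma-separated host names as well as the hashed "|1|salt|hash" form OpenSSH writes when HashKnownHosts is on (HMAC-SHA1 over the host name). The sample file and its key blobs are constructed placeholders, and the function names are mine.

```python
"""Drop only the stale known_hosts entries for one host instead of wiping the whole file."""
import base64
import hashlib
import hmac


def hash_known_host(host, salt):
    """Build the '|1|salt|hash' form OpenSSH writes when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _hashed_entry_matches(token, host):
    """True if a '|1|salt|hash' token was produced from this host name."""
    parts = token.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    try:
        salt = base64.b64decode(parts[2])
    except ValueError:
        return False
    expected = base64.b64encode(hmac.new(salt, host.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, parts[3])


def remove_host(known_hosts_text, host):
    """Return (new_text, removed_count) with every line for `host` removed.

    Handles plain comma-separated host lists, hashed entries, and lines that
    start with a marker such as @cert-authority or @revoked.
    """
    kept = []
    removed = 0
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        names = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if names.startswith("|1|"):
            hit = _hashed_entry_matches(names, host)
        else:
            hit = host in names.split(",")
        if hit:
            removed += 1
        else:
            kept.append(line)
    new_text = "\n".join(kept)
    if known_hosts_text.endswith("\n") and new_text:
        new_text += "\n"
    return new_text, removed


# Constructed sample file (placeholder key blobs, not real keys): the router at
# 192.168.1.1 appears twice, once plain and once hashed, next to unrelated hosts.
SAMPLE_KNOWN_HOSTS = (
    "github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5-PLACEHOLDER\n"
    "192.168.1.1 ssh-rsa AAAAB3NzaC1yc2E-OLD-ROUTER-KEY-PLACEHOLDER\n"
    + hash_known_host("192.168.1.1", b"\x13" * 20)
    + " ssh-rsa AAAAB3NzaC1yc2E-OLD-ROUTER-KEY-PLACEHOLDER\n"
    "192.168.1.2,switch1 ssh-rsa AAAAB3NzaC1yc2E-SWITCH-KEY-PLACEHOLDER\n"
)


if __name__ == "__main__":
    cleaned, count = remove_host(SAMPLE_KNOWN_HOSTS, "192.168.1.1")
    print("removed %d entries" % count)
    print(cleaned)
```

To use it on your real file, read ~/.ssh/known_hosts into a string, call remove_host with the router's address (or name, whichever you typed into ssh), and write the returned text back. The next connection will then prompt you to accept the router's new key while every other host stays pinned.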
You might be struggling to save money to join the Cisco Networking Academy or other courses just to pass the CCNA exam.
The Cisco Networking Academy is great, but as for the other courses, well, in my experience... I joined a CCNA course (not the Cisco academy), but to be honest the result was not what I expected. I don't know if this happens in other countries, but the instructors were not as qualified as they claimed; sure, they had passed the CCNA exam too, but their experience in handling Cisco devices was just poor.
So, not satisfied with the result, I browsed the internet and found these three books, which were valuable in helping me pass the CCNA exam.