Command                                                    Meaning
(config)#ip http server                                    Allows an HTTP host to connect to your router
(config)#ip http secure-server                             Generates the secure keys
(config)#ip http authentication local                      Tells the router the keys and password will be found locally on the router
(config)#username name privilege 0-15 password password    Sets the username, privilege level (15 is highest), and password
(config)#line console 0                                    Chooses the console line
(config-line)#login local                                  Tells the router to use the local information for login found under the console line
(config-line)#exit                                         Goes back one level
(config)#line vty first_line_number last_line_number       Chooses the VTY lines to configure
(config-line)#privilege level 0-15                         Sets the privilege level
(config-line)#login local                                  Tells the router to use the local information for login found under the VTY lines
(config-line)#transport input telnet ssh                   Tells the router that it can use both Telnet and SSH for connectivity
First, enable the HTTP/HTTPS server (your router won’t support HTTPS if it doesn’t have the advanced services IOS):
Router(config)#ip http server
Router(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router(config)#ip http authentication local
Second, create a user account using privilege level 15 (the highest level):
Router(config)#username cisco privilege ?
  <0-15>  User privilege level
Router(config)#username cisco privilege 15 password ?
  0     Specifies an UNENCRYPTED password will follow
  7     Specifies a HIDDEN password will follow
  LINE  The UNENCRYPTED (cleartext) user password
Router(config)#username cisco privilege 15 password 0 cisco
Last, configure the console, SSH, and Telnet to provide local login authentication with privilege level 15 access:
Router(config)#line console 0
Router(config-line)#login local
Router(config-line)#exit
Router(config)#line vty 0 ?
  <1-1180>  Last Line number
Router(config)#line vty 0 1180
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh
Router(config-line)#^Z
Voilà! Now let’s connect to my 2811 using HTTPS!
As soon as I connected via https://1.1.1.1, I received a security alert message.
I was then prompted to log in with the username/password I created. SDM started loading
and told me to hold on, which means it needs a bit of time to load another window.
Do not close this window.
The certificate I created with the ip http secure-server command was loaded onto the
router. I chose to click Always Trust Content from this Publisher and then clicked Yes.
Of course, the certificate would not match any site name, so I then had to verify that I
wanted to run it.
I then had to log in again and then wait for SDM to load, during which time the router had
me change my default username and password.
Finally—yes! I am connected to SDM!
After clicking the Configure button at the top of the page, I chose to go step by step through
interface configuration by first choosing the type of interface I wanted to configure and then
clicking the Create New Connection button at the bottom of the page. This opens the LAN
Wizard or WAN Wizard, depending on which interface you choose to configure.
By clicking the Edit Interface/Connection tab, you get to see your interface status.
That’s not all—just double-click an interface to edit it. (You can do this only after you’ve
gone through the LAN Wizard or WAN Wizard and configured the interface.)
Look down at the bottom-left portion of the wizard page, and click the Additional Tasks
button. From there, just click the Router Properties icon.
Here, you can set the hostname, MOTD banner, and enable secret password. Last, I clicked
the DHCP folder and then the DHCP pool icon. I then clicked Add and created a DHCP pool
on my router.
Now, let’s take a look at the configuration on the router:
Todd#sh run
Building configuration...
[output cut]
hostname Todd
!
ip domain name lammle.com
[output cut]
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 172.16.10.11 172.16.10.254
!
ip dhcp pool Todd's_LAN
import all
network 172.16.10.0 255.255.255.0
!
crypto pki trustpoint TP-self-signed-2645776477
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2645776477
revocation-check none
rsakeypair TP-self-signed-2645776477
!
crypto pki certificate chain TP-self-signed-2645776477
certificate self-signed 01
[output cut]
quit
username todd privilege 15 secret 5 $1$nvgs$QRNCWKJ7rfmtNNkD2xvGq/
[output cut]
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 1180
privilege level 15
login local
transport input telnet ssh
!
You can see here that the router created the hostname, DHCP pool, and certificate. We
went through a lot of setup because we were using HTTPS—it’s much easier, and requires
far less setup, to just use HTTP. But remember, what we used was an ISR default configuration
to connect using SDM. I seriously encourage you to get SDM for yourself and start
getting familiar with it!
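The walkthrough and the sh run output above touch every management-access setting an auditor looks at first: whether plaintext HTTP is still on next to HTTPS, whether a username carries a type 0/7 (cleartext or reversible) password instead of a secret, and whether the VTY lines still accept Telnet beside SSH. This is an added example, not the book's own code; it parses a constructed config built from the page's sh run output plus the password 0 cisco user from the walkthrough and reports those findings.

```python
"""Audit a Cisco IOS running-config for the management-access settings set up
above. Added example, not the book's code; the sample is constructed from the
page's 'sh run' output plus the 'password 0 cisco' user from the walkthrough."""
import re

SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http authentication local
username todd privilege 15 secret 5 $1$nvgs$QRNCWKJ7rfmtNNkD2xvGq/
username cisco privilege 15 password 0 cisco
line con 0
 login local
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
"""


def parse_line_blocks(config):
    """Group indented commands under their 'line ...' header, as IOS prints them."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global config level
    return blocks


def audit(config):
    """Return findings about remote management access; an empty list means clean."""
    findings, top = [], {l for l in config.splitlines() if not l.startswith(" ")}
    if "ip http server" in top:
        findings.append("plaintext HTTP enabled: 'no ip http server', keep 'ip http secure-server'")
    for m in (re.match(r"username (\S+) .*\bpassword [07] ", l) for l in top):
        if m:  # type 0 is cleartext, type 7 is trivially reversible
            findings.append(f"user {m.group(1)}: reversible password; use 'secret'")
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("line vty") and "login local" not in cmds:
            findings.append(f"{name}: not using local login")
        if name.startswith("line vty") and any(
                c.startswith("transport input") and "telnet" in c.split() for c in cmds):
            findings.append(f"{name}: Telnet allowed; use 'transport input ssh'")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the HTTP server, the cisco user's cleartext password, and Telnet on line vty 0 4; the todd user's secret 5 entry from the sh run output passes.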