Getting incomplete command on vty line config
-
I am following along in the CCENT Course video named Basic Switch Configurations episode 000000011.
But as you can see below, every time I hit enter after the vty password login, it gives me an incomplete command error?
Test-Switch(config)#interface vlan 15
Test-Switch(config-if)#ip address X.X.X.X 255.255.255.0
Test-Switch(config-if)#no shutdown
Test-Switch(config-if)#exit
Test-Switch(config)#hostname Test-Switch
Test-Switch(config)#enable secret XXXXXXXX
Test-Switch(config)#line vty 0 15
Test-Switch(config-line)#password XXXXXXX
Test-Switch(config-line)#login
% Incomplete command.
-
Well I blew the switch back to default and started again. :-)
I went back and started the video over and began again. We then popped the config back in and all the commands were accepted. The only thing is, I have been hammering at these 2960-X switches 12 hours a day for 5 days, and we just cannot get even one of them to accept the login password with SSH for remote management. They are pingable, the management vlan is right and has the correct IP.
When we do try to remote in with SSH, it is active and it requests the password, but it does not accept it when we put it in. We were very careful on the spelling of each one, even to the point of just cutting and pasting to prevent errors.
My passwords and line logins look like this:
!
hostname Test-Switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ndXXXXXXXXXXXXXXXXXXXXXXX
!
username admin privilege 15 secret 5 $1$Jn8U$dXXXXXXXXXXXXXXXX
aaa new-model
!
and this:
line con 0
exec-timeout 60 0
password 7 132B18355B280B3D2565
logging synchronous
line vty 0 4
exec-timeout 60 0
password 7 14391D2C5C20XXXXXXXXXXX
logging synchronous
length 0
transport input ssh
line vty 5 15
exec-timeout 60 0
password 7 14391D2C5C20XXXXXXXXX
logging synchronous
transport input ssh
After 60 hours of grinding on this, I am starting to think Truck Driving looks like a promising career :-)
-
Ok, here's what you're missing. You've got to set up a username/password database. You also need to set up the crypto key, ip domain name and configure interface vlan 1.
Try the following:
On your 2960,
- configure interface vlan 1 with an ip address (this is the management VLAN interface) and enable it with no shutdown
- SSH setup requires the following:
a. hostname and domain name
b. username and password database and enable password
c. generate a crypto key for SSH
d. configure the switch for SSH ACCESS
Switch# config t
Switch(config)# interface vlan 1
Switch(config-if)# ip address 172.16.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)# hostname Switch1
Switch1(config)# ip domain-name itpro.tv
Switch1(config)# username Larry privilege 15 password itprotv
Switch1(config)# enable secret itprotv
Switch1(config)# crypto key generate rsa
*** wait for it to ask about the length of the key and type in 1024 ***
Switch1(config)#ip ssh version 2
Switch1(config)#line vty 0 15
Switch1(config)#login local
Switch1(config)#transport input ssh
Switch1(config)#do copy run start
On the machine you will use to connect to the switch, verify you have basic connectivity: ping 172.16.10.1. If that is OK, then you're ready to connect with ssh. If not, you should troubleshoot connectivity.
Cordially,
Ronnie Wong
Host, ITProTV
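The checklist a to d above can be checked against a saved running-config. The following Python sketch is an added example, not part of the post above and not a Cisco tool; the names `audit_ssh`, `vty_blocks`, `REQUIRED` and the sample config are constructed for illustration. The RSA key pair is not stored in the running-config, so step c is checked only through `ip ssh version 2`.

```python
import re

REQUIRED = {  # finding text -> pattern one global config line must match
    "a: no one-word hostname": r"hostname \S+$",
    "a: no ip domain-name": r"ip domain[- ]name \S+",
    "b: no local username": r"username \S+ .*(password|secret) ",
    "b: no enable secret/password": r"enable (secret|password) ",
    "c: ip ssh version 2 not set": r"ip ssh version 2$",
}

def vty_blocks(config):
    """Return (header, sub-commands) per 'line vty' block; indentation optional."""
    blocks, current = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("line vty"):
            current = (line, [])
            blocks.append(current)
        elif re.match(r"line |interface |end$|!", line):
            current = None            # another block or a separator ends it
        elif current is not None and line:
            current[1].append(line)
    return blocks

def audit_ssh(config):
    """Findings for prerequisites a-d; an empty list means all were found."""
    lines = [l.strip() for l in config.splitlines()]
    has = lambda pattern: any(re.match(pattern, l) for l in lines)
    findings = [msg for msg, pattern in REQUIRED.items() if not has(pattern)]
    aaa = has(r"aaa new-model$")      # with AAA on, 'login local' is not a line command
    blocks = vty_blocks(config)
    if not blocks:
        findings.append("d: no line vty block")
    for header, cmds in blocks:
        if not aaa and "login local" not in cmds:
            findings.append(f"d: {header}: no 'login local'")
        if "transport input ssh" not in cmds:
            findings.append(f"d: {header}: transport input is not ssh only")
    return findings

# Constructed sample: password-only login on vty 0 4, no SSH transport on 5 15.
SAMPLE = """hostname Lab-Switch
enable secret 5 <hash>
line vty 0 4
 password 7 <obfuscated>
 login
 transport input ssh
line vty 5 15
 login local
"""
```

Calling `audit_ssh(SAMPLE)` returns five findings; on the switch itself, `show ip ssh` reports the SSH version in use.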
-
Thank you so much Ronnie!
I have modified the script you gave me just slightly and I am wondering if you could look at it and help me grasp the password situation.
In it I have used two passwords. The first one, "nimda" (admin backwards), if I am seeing this right, will be the one that both telnet and SSH will prompt me for as a user name, right?
Then the secret password, which I represented with "elbane" (enable backwards), would be the password to type when I type enable to get to the Privileged EXEC mode?
Assuming those are what I think they are, do these two passwords work for all types of login? That is to say Console, Telnet, and SSH? I am afraid as a noob, I kind of had it in my head that each type of login procedure had to be assigned its own password set. Can you clear that up for me? It has been just driving me crazy :-)
So here is what I modified the script you sent me to look like:
Switch# config t
Switch(config)# interface vlan 1
Switch(config-if)# ip address XX.XX.XX.XX 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)# hostname Test Switch
Switch1(config)# ip domain-name XXXXXXXX.edu
Switch1(config)# username admin privilege 15 password nimda
Switch1(config)# enable secret elbane
Switch1(config)# crypto key generate rsa
*** wait for it to ask about the length of the key and type in 1024 ***
Switch1(config)#ip ssh version 2
Switch1(config)#line vty 0 15
Switch1(config)#login local
Switch1(config)#transport input ssh
Switch1(config)#do copy run start
Oh, and should I add this also to make SSH operational?
config t
aaa new-model
-
The way you and I have it configured will work for all logins. By setting the privilege level to 15, in theory you shouldn't need the enable password. But if you don't have one set, you may not be able to remote access the device.
Now, you can make multiple entries for many users but you don't have to! :)
Using aaa new-model is hard-setting the switch to ask for more than just a password. You can do it, and that's how I used to do it all the time, but after a while I found out it's redundant. Once you tell the vty line or console line to use the login local, you're telling it to use that username/password combo. If you're planning on changing this in the future to use something like TACACS+ or RADIUS, then aaa new-model will be required.
Enabling SSH will occur when you run the crypto key generate (later you'll learn that you can do this also by turning on the http secure-server).
So Cisco has more than one way to skin a cat!
-
In the old days, before ssh was supported, you could set a password without a username. When you telnet to the device, it would just prompt you for the password. But ssh requires a username, so the login command without an argument won't work if ssh is enabled.
One comment on the crypto setup: 1024 bit RSA keys are no longer considered secure; technology advances in the past few years allow it to be broken. (It isn't easy to break, but a dedicated attacker can build a computer that could conceivably discover the private key in a "reasonable" amount of time.) Most security organizations recommend using 2048 bit keys today; they should be secure until about 2030. (See http://www.keylength.com/en/ if you are curious.)
For a lab device, this isn't important. (Especially if you use insecure passwords!) But if someone pays you to configure a switch or router, use 2048 bits. Use it in the lab just to be in the habit. I don't know if this is on any exam...
-
There is no doubt that the 2048 is more secure than 1024. I agree!
The example that I gave is used to set the minimum for SSH v2. If this is not set to above 1024 it will default to 512 or 768, which will only allow for SSH v1 support by the device.
Cordially,
Ronnie Wong
Host, ITProTV