1
00:00:09,830 --> 00:00:16,160
This is one of multiple videos that help you troubleshoot CCNA scenarios in preparation for the CCNA

2
00:00:16,160 --> 00:00:16,790
exam.

3
00:00:17,630 --> 00:00:22,160
We're going to look at how to troubleshoot multiple issues with telnet in this network.

4
00:00:22,640 --> 00:00:23,530
So let's get started.

5
00:00:24,470 --> 00:00:28,580
On router 1, telnet to the loopback of router 2.

6
00:00:29,490 --> 00:00:34,970
We're told that password is required, but none is set, so we're able to telnet to the router but then it's

7
00:00:35,120 --> 00:00:36,650
immediately disconnecting us.

8
00:00:37,800 --> 00:00:44,430
So on router 2, show run pipe begin VTY.

9
00:00:45,460 --> 00:00:52,920
On the VTY line, we've got a command called Login. Login means that the VTY line requires a password.

10
00:00:53,440 --> 00:00:56,830
Notice we're told that password is required, but none is set.

11
00:00:57,160 --> 00:00:59,740
So a password needs to be configured on the VTY lines.

12
00:01:02,770 --> 00:01:04,989
So password Cisco,

13
00:01:06,710 --> 00:01:14,570
let's try again. Telnet from router 1 to router 2, we now get a password prompt and if we put the password

14
00:01:14,570 --> 00:01:16,220
in correctly, we can log in.

15
00:01:17,260 --> 00:01:22,930
Second problem, when we try to go to enable mode, we are told that no password is set.

16
00:01:24,640 --> 00:01:25,420
So show run pipe include enable.

17
00:01:27,800 --> 00:01:31,910
What you'll notice in the output here is that there is no enable password.

18
00:01:34,420 --> 00:01:38,350
So run include enable.

19
00:01:39,250 --> 00:01:40,010
No output.

20
00:01:40,030 --> 00:01:40,990
What about secret?

21
00:01:43,160 --> 00:01:50,460
No secret password configured, so enable and we could set a secret or an enable password.

22
00:01:50,480 --> 00:01:52,320
Let's set a secret because that's better.

23
00:01:53,060 --> 00:01:54,260
So we'll just call it Cisco.

24
00:01:56,250 --> 00:02:02,940
When we type enable now, we're prompted for a password and we can log into the router, so let's test that

25
00:02:02,940 --> 00:02:10,009
again back on router 1, Telnet to router 2, can log in and we can go to enable mode.

26
00:02:10,889 --> 00:02:12,960
So we've solved the problem on router

27
00:02:12,960 --> 00:02:13,380
2.

28
00:02:13,980 --> 00:02:18,110
What about router 3? I'll telnet to the loopback of router 3.

29
00:02:18,780 --> 00:02:21,950
We're told that the connection is refused by the remote host.

30
00:02:22,500 --> 00:02:25,830
Can we ping that loopback?

31
00:02:26,280 --> 00:02:26,970
Yes, we can.

32
00:02:27,300 --> 00:02:29,550
So this is not an IP connectivity problem.

33
00:02:30,000 --> 00:02:30,900
This is something else.

34
00:02:32,990 --> 00:02:38,650
On router 3, show run pipe begin VTY.

35
00:02:39,760 --> 00:02:45,820
Now, these pipe commands may not work in the exam, so just type show run and then scroll down to the end

36
00:02:45,820 --> 00:02:48,570
of the config to see the VTY configuration.

37
00:02:49,030 --> 00:02:55,240
So you might have to do show run and press spacebar all the way down until you see the VTY config.

38
00:02:55,900 --> 00:02:56,860
Can you see the problem?

39
00:02:57,460 --> 00:03:07,450
Notice here, transport input SSH. We're using telnet, but the lines have been restricted to only using SSH,

40
00:03:08,050 --> 00:03:09,970
which is better in the real world.

41
00:03:10,810 --> 00:03:17,410
But here we want to be able to telnet, so we could specify all, which would allow all protocols.

42
00:03:18,070 --> 00:03:22,620
But from a security point of view, we may want to enable only SSH and Telnet.

43
00:03:22,750 --> 00:03:28,510
So show run pipe begin VTY.

44
00:03:30,000 --> 00:03:34,710
So both telnet and SSH are allowed on the VTY line.

45
00:03:37,460 --> 00:03:39,500
Once again, let's see if we can telnet.

46
00:03:40,930 --> 00:03:47,590
We are able to log in to router 3, so we solved the problem on router 3.

47
00:03:48,550 --> 00:03:52,000
Now, what about router 1, can we telnet

48
00:03:52,970 --> 00:03:57,640
to router 1? Says connection is refused, can we ping router 1?

49
00:03:58,100 --> 00:03:58,860
Yes, we can.

50
00:03:59,660 --> 00:04:01,220
So we need to go back to router 1.

51
00:04:02,410 --> 00:04:04,040
Let's have a look at the configuration.

52
00:04:05,350 --> 00:04:08,800
I'm going to scroll through the config, see if you can find the problem.

53
00:04:11,610 --> 00:04:13,380
So there's the IP address on the loopback.

54
00:04:17,230 --> 00:04:18,190
Can you see a problem?

55
00:04:19,370 --> 00:04:20,029
Notice this,

56
00:04:20,950 --> 00:04:25,450
access class 1 in, an access list has been applied to the VTY lines

57
00:04:26,940 --> 00:04:33,120
and scrolling up through the config, it's only permitting the loopback of router 2.

58
00:04:34,160 --> 00:04:41,270
When you telnet, it's using the outgoing interface as the source of the Telnet connection.

59
00:04:41,900 --> 00:04:47,180
Now, we could specify source interfaces and try and use the loopback as the source

60
00:04:47,900 --> 00:04:49,760
but for CCNA that's not required.

61
00:04:50,210 --> 00:04:57,380
What we want to do on CCNA is either remove this access list or edit the access list to permit specific

62
00:04:57,380 --> 00:04:58,640
devices in the topology.

63
00:05:00,900 --> 00:05:05,370
So for this vlog, all I'll do is remove the access class.

64
00:05:07,630 --> 00:05:11,530
So show run, pipe begin VTY.

65
00:05:12,630 --> 00:05:14,220
The access class has been removed.

66
00:05:15,530 --> 00:05:16,310
Telnet back,

67
00:05:17,210 --> 00:05:18,180
still not working.

68
00:05:18,740 --> 00:05:19,610
What's the problem?

69
00:05:21,010 --> 00:05:30,780
Notice here, transport input none, so line VTY 0 4 transport input telnet and perhaps SSH.

70
00:05:32,880 --> 00:05:36,730
Now we've got the same problem we had previously: password required, but none set.

71
00:05:37,740 --> 00:05:46,890
So when I type login, we have to specify a password and then we want to specify an enable password

72
00:05:46,890 --> 00:05:48,150
or a secret password.

73
00:05:50,160 --> 00:05:58,380
So now we can log in, so we've solved multiple problems in this topology. Make sure that you understand

74
00:05:58,380 --> 00:06:00,330
what's required on a VTY line.

75
00:06:02,340 --> 00:06:10,250
As an example on this router, I'll now change it to say login local rather than just a login.

76
00:06:10,980 --> 00:06:11,350
Notice

77
00:06:11,370 --> 00:06:14,400
the problem now, telnet to

78
00:06:16,350 --> 00:06:17,100
router 2

79
00:06:19,590 --> 00:06:24,780
and notice, I made another mistake, I was actually working on router 1, so you need to be careful

80
00:06:24,780 --> 00:06:25,860
which routers you're working on.

81
00:06:28,100 --> 00:06:29,220
So let's exit out of here.

82
00:06:29,750 --> 00:06:37,940
That's router 1, I'll exit out of here, back on router 2 now, so I'll telnet back to router 1.

83
00:06:39,380 --> 00:06:43,970
It's asking for a username, so I'll try Cisco, password of Cisco.

84
00:06:45,150 --> 00:06:51,270
That's not going to work because I don't have a username configured, so just to reiterate.

85
00:06:54,950 --> 00:06:59,570
On router 1, we used the command login local.

86
00:07:00,200 --> 00:07:01,830
So this password has no effect.

87
00:07:02,420 --> 00:07:05,540
We have to specify a local username.

88
00:07:06,380 --> 00:07:15,210
And just to prove the point, I'll say no password Cisco and go back to the VTY.

89
00:07:16,900 --> 00:07:19,540
So there's no password on the VTY line.

90
00:07:22,940 --> 00:07:28,970
I'm back on router 2, Telnet back to router 1, notice it's asking for a username.

91
00:07:30,500 --> 00:07:42,710
The password on the VTY line is irrelevant when you use login local, so conf t, username David password

92
00:07:42,710 --> 00:07:43,280
Cisco.

93
00:07:45,870 --> 00:07:48,880
I'll log in now as David and I can log in.

94
00:07:49,530 --> 00:07:57,960
The reason I can go to privilege mode is because we have an enable password configured on the router.

95
00:07:59,750 --> 00:08:06,470
Notice enable password Cisco, we could change that by saying username David,

96
00:08:07,860 --> 00:08:13,140
privilege and specify 15 to give David full privileges to the router.

97
00:08:14,540 --> 00:08:21,830
Notice the difference now when I telnet to the router and log in, I'm taken immediately to privilege

98
00:08:21,830 --> 00:08:24,070
mode and that's because

99
00:08:27,780 --> 00:08:32,230
we specified the privilege of the user as 15.

100
00:08:32,940 --> 00:08:35,659
This is bad practice, you should use a secret.

101
00:08:36,419 --> 00:08:40,280
So there are some troubleshooting tips on how to troubleshoot telnet.

102
00:08:40,830 --> 00:08:41,700
Thank you for watching.

103
00:08:42,270 --> 00:08:46,860
Don't forget to comment on the video or ask questions, please

104
00:08:46,860 --> 00:08:48,270
like the video if you enjoyed it

105
00:08:48,750 --> 00:08:51,360
and please subscribe, I wish you all the very best.