Telnet, HTTP, HTTPS, SSH, SCP

4.1 Troubleshoot device management

📘 CCNP Enterprise – ENARSI (300-410)


In network management, devices such as routers and switches need to be accessed and managed remotely. Cisco devices support several protocols for remote management:

  • Telnet
  • HTTP / HTTPS
  • SSH
  • SCP

Each has its own characteristics, advantages, and security considerations.


1. Telnet

What it is

  • Telnet is a protocol that allows remote access to a device via the command line interface (CLI).
  • It uses TCP port 23.
  • Telnet sends all data, including passwords, in plain text (not encrypted).

Configuration Basics

Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password cisco
Router(config-line)# transport input telnet

  • line vty 0 4 → selects VTY lines 0 through 4, which allows up to 5 simultaneous remote connections.
  • transport input telnet → allows Telnet access.

Verification Commands

show line
show running-config | include line
show ip interface brief

Common Troubleshooting Issues

  1. Cannot connect via Telnet
    • VTY lines not configured for Telnet (transport input missing)
    • ACL blocking TCP port 23
    • Device interface down or IP misconfigured
  2. Authentication fails
    • Password mismatch
    • AAA misconfiguration

Important: Telnet is not secure, so it is rarely used in production networks. It is mostly used in labs or for legacy devices.


2. HTTP / HTTPS

What they are

  • HTTP allows device management via a web-based GUI.
  • HTTPS is the secure version of HTTP, encrypting traffic with SSL/TLS.
  • HTTP uses TCP port 80, HTTPS uses TCP port 443.

Configuration Basics

! Enable HTTP
Router(config)# ip http server
! Enable HTTPS
Router(config)# ip http secure-server
! Use local username/password
Router(config)# ip http authentication local
Router(config)# username admin secret cisco123

Verification Commands

show running-config | include ip http
show ip http server status

Common Troubleshooting Issues

  1. Cannot access GUI
    • HTTP/HTTPS server not enabled
    • Wrong URL (use device IP, e.g., https://192.168.1.1)
    • ACL blocking ports 80/443
    • User authentication issues
  2. Certificate warning on HTTPS
    • Devices use a self-signed certificate by default; browsers may warn.

Tip: HTTPS is preferred in all production networks because it encrypts credentials and data.


3. SSH (Secure Shell)

What it is

  • SSH allows secure remote CLI access.
  • Encrypts all traffic (passwords, commands).
  • Uses TCP port 22.

Configuration Basics

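Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa modulus 2048
R1(config)# username admin secret cisco123
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)# ip ssh version 2

  • RSA key is required for encryption. The hostname and domain name are set first because the key is named after them.
  • modulus 2048 sets the key size on the command line instead of at the interactive prompt; SSH version 2 needs a key of at least 768 bits.
  • transport input ssh ensures only SSH is allowed (Telnet disabled).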

Verification Commands

show ip ssh
show running-config | include line

Common Troubleshooting Issues

  1. SSH connection fails
    • No RSA key generated
    • VTY line not set to transport input ssh
    • Username/password not configured (login local missing)
    • Device unreachable (interface/IP issue)
  2. SSH version mismatch
    • Cisco recommends SSH version 2
    • Older SSH clients may fail if the device is configured for version 2 only

4. SCP (Secure Copy Protocol)

What it is

  • SCP is used to securely copy files (e.g., configs, IOS images) to/from a device.
  • Uses SSH for encryption, so it’s secure.
  • Requires SSH to be configured first.

Configuration Basics

Router(config)# ip scp server enable

Verification Commands

show ip scp server

Common Troubleshooting Issues

  1. SCP fails
    • SSH not configured
    • User does not exist or lacks privileges
    • Firewall/ACL blocking TCP 22
    • Disk space issues on the device

5. Troubleshooting Checklist (Exam Focus)

When troubleshooting remote access (Telnet, HTTP, HTTPS, SSH, SCP), check the following:

Step  What to Check
----  -------------
1     Interface/IP – device interface must be up and reachable (ping)
2     VTY lines – correct configuration for login, transport input
3     Authentication – local username/password or AAA configuration
4     Protocol enabled – HTTP/HTTPS server, SSH enabled, SCP enabled
5     ACL/firewall – ports (23, 22, 80, 443) not blocked
6     Version & encryption – SSH version 2, HTTPS certificate

Tip for exam: You may be given a scenario where remote access fails. Step through these checks logically.
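
The configuration-side checks from this checklist (steps 2, 3, 4 and 6) can be run offline against a saved running-config. The script below is an added example, not part of the original notes or any Cisco tool: the function name audit_mgmt and both sample configs are constructed for illustration, and it assumes running-config formatting with sub-commands indented by one space. Reachability, ACLs and RSA key presence are not visible in these excerpts and are not checked.

```python
import re

# Constructed running-config excerpts (not from a real device).
SAMPLE_WEAK = """\
ip http server
ip http secure-server
ip scp server enable
line vty 0 4
 password cisco
 login
 transport input telnet
"""
SAMPLE_HARDENED = """\
no ip http server
ip http secure-server
ip ssh version 2
ip scp server enable
line vty 0 4
 login local
 transport input ssh
"""

def audit_mgmt(config: str) -> list[str]:
    """Return findings for the remote-management settings in a running-config."""
    findings, ssh_on_vty = [], False
    glob = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    # Each VTY block is a "line vty A B" header plus its indented sub-commands.
    vty_blocks = re.findall(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M)
    for rng, body in vty_blocks:
        cmds = [c.strip() for c in body.splitlines()]
        transport = next((c.split()[2:] for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"vty {rng}: transport input not set")
        elif "telnet" in transport or "all" in transport:
            findings.append(f"vty {rng}: Telnet allowed (cleartext, TCP 23)")
        ssh_on_vty |= bool(set(transport or []) & {"ssh", "all"})
        # Assumption: without AAA (aaa new-model), per-user login needs "login local".
        if "login local" not in cmds and "aaa new-model" not in glob:
            findings.append(f"vty {rng}: login local missing")
    if "ip http server" in glob:  # exact match, so "no ip http server" is not flagged
        findings.append("plain HTTP enabled (cleartext, TCP 80)")
    if ssh_on_vty and "ip ssh version 2" not in glob:
        findings.append("SSH allowed but ip ssh version 2 not set")
    if "ip scp server enable" in glob and not ssh_on_vty:
        findings.append("SCP enabled but no VTY line accepts SSH")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_mgmt(cfg))
```

The weak sample returns four findings (Telnet allowed, no login local, plain HTTP, SCP without SSH) and the hardened sample returns none.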


Key Points to Remember for ENARSI Exam

  • Telnet: CLI, unencrypted, TCP 23, rarely used in production.
  • HTTP/HTTPS: Web GUI, HTTPS encrypted, TCP 80/443.
  • SSH: CLI, encrypted, TCP 22, secure replacement for Telnet.
  • SCP: Secure file transfer, requires SSH.
  • Always verify interfaces, authentication, ACLs, and protocol enabling when troubleshooting.
  • SSH version 2 is standard; RSA key must exist.
  • GUI access requires proper browser URL (https://IP).