
ICND1 break down -- Switch/Router Passwords And Encryption



For better security, we need to configure passwords on a Cisco switch or router. Passwords can be set on individual lines (the console, vty and tty lines) and on entry to privileged EXEC mode.

There are two ways to set a password for privileged EXEC mode.
Method 1:
Router(config)#enable password password

Method 2:
Router(config)#enable secret password

Both protect the transition to privileged mode. If both are configured, "enable secret" takes priority and "enable password" is ignored. The real difference is how they are stored: "enable password" sits in the configuration in plain text (or, after "service password-encryption", as a reversible type 7 string), while "enable secret" is stored as a salted MD5 hash (type 5) that cannot be turned back into the password. Always use "enable secret"; configure "enable password" only for an IOS image too old to understand "enable secret", and never give both the same value. Newer IOS releases also accept "enable algorithm-type scrypt secret password" (type 9), which is far harder to crack offline than MD5. Here is the detail on enable password vs enable secret.

Switch>enable
Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#enable password boston
Switch(config)#enable secret providence
Switch(config)#



Console, vty and tty line access (and therefore user EXEC access) can also be protected with a password.

To set a password for the console line, enter "password password" in line configuration mode. The command "line console 0" enters line configuration mode, where you configure Cisco lines such as the console and vty lines. The prompt for line configuration mode is "Switch(config-line)#" ("Switch" is the device hostname and may differ on your switch/router). Don't confuse line configuration mode with interface configuration mode, whose prompt is "Switch(config-if)#".

By default, login is not enabled on the console port: the "password" command alone stores the password but does not make the line ask for it, so we also need the "login" command. To disable password protection on the console line, use "no login"; you will then no longer be asked for a password when accessing the switch/router through the console.

The following output is from a Cisco 2960-24TT switch:

Switch>enable
Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line console 0
Switch(config-line)#password cisco
Switch(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
Switch#logout                                     ----this command logs you out of the IOS session



 Switch con0 is now available

 Press RETURN to get started.

Switch>enable
Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line console 0
Switch(config-line)#login
Switch(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
Switch#logout

 Switch con0 is now available

 Press RETURN to get started.

 User Access Verification

Password:

Switch>

In the above example, we first set the console line password to "cisco" but intentionally omit the "login" command. We then log out and log in again: the password protection does not work as expected, because the password is stored but the line was never told to ask for it. We fix the problem by issuing "login" under line configuration mode. After logging out and in again, the password prompt appears. Note that if you issue "login" before a password is set, you get the warning "% Login disabled on line 0, until 'password' is set", and the console stays accessible without a password until you set one. (Try it yourself!)



By default, a Cisco router has five virtual terminal (vty) lines, allowing five concurrent Telnet sessions; to configure all five use "line vty 0 4" (they are numbered 0 through 4). The Catalyst 2960 used below has sixteen, "line vty 0 15", which is why a "line vty 5 15" stanza also appears in its running configuration. For a vty line to accept a Telnet EXEC session, you must set a password with "password password" and require it with "login". Unlike the console, vty lines have "login" enabled by default but no password, so an incoming Telnet connection is refused with "Password required, but none set" until you configure one; the "line vty 5 15" stanza in the output below, which we never touched, shows that default. Keep in mind that Telnet sends the password in clear text across the network; the line password only controls who may log in.

The following is tested on a Cisco 2960-24TT switch:

Switch>enable
Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 4
Switch(config-line)#password ccent
Switch(config-line)#login
Switch(config-line)#^Z
%SYS-5-CONFIG_I: Configured from console by console
Switch#

After setting the passwords, we can verify them with "show running-config" (abbreviated "show running").

Switch#show running-config
Building configuration...

Current configuration : 1036 bytes
!
version 12.2
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$nfOaXEtL3m8TUNtQJIzFG/
enable password boston
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
...lines omitted for brevity...
!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
 password cisco
 login
!
line vty 0 4
 password ccent
 login

line vty 5 15
 login
!
!
end
Switch#

Notice that all the passwords except the "enable secret" are shown in plain text!

You can also obfuscate the stored passwords, so that someone reading the configuration over your shoulder cannot see them directly. The command "service password-encryption" converts all current and future line and enable passwords into type 7 strings. Be clear about what this does and does not give you: type 7 is a fixed-key Vigenere cipher, not real encryption, and any type 7 string can be turned back into the original password instantly with freely available tools (or a few lines of code). It protects against shoulder surfing and casual viewing only; anyone who obtains a copy of the configuration (a backup, a TFTP server, a pasted "show run") has the passwords. The "enable secret" is different: it is a salted MD5 hash (type 5) that cannot be reversed, although a weak password can still be guessed offline with a wordlist.

In the following demo, we enable password encryption, then check the running configuration again.

Switch#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
Switch#show running
Building configuration...

Current configuration : 1061 bytes
!
version 12.2
service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$nfOaXEtL3m8TUNtQJIzFG/
enable password 7 0823435D1D160B
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
...lines omitted for brevity...

!
interface FastEthernet0/24
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
 password 7 0822455D0A16
 login
!
line vty 0 4
 password 7 08224F4B070D
 login
line vty 5 15
 login
!
!
end
Switch#

Note that all the passwords now appear as type 7 strings (the "7" after "password" marks the encoding); the enable secret is unchanged, since it was already hashed. Remember that the type 7 values are reversible: the three strings above decode to exactly the passwords set earlier in this post.
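To make that reversibility concrete, here is an added Python audit script (my example, not part of the original post and not a Cisco tool). It takes the encrypted running-config shown above, embedded as a constructed sample, groups the "line" stanzas, decodes every "password 7" string with the well-known fixed Cisco type 7 key, and flags the three conditions discussed on this page: a recoverable enable or line password, a line with "login" but no password (vty 5 15 above, which refuses Telnet), and a line with a password but no "login" (the first console attempt above, which never prompts). The function names and the wording of the findings are my own.

```python
"""Audit a Cisco IOS running-config for weak password settings (added example)."""
import re
from typing import Dict, List

# Cisco's fixed type 7 key. It is public and identical on every IOS device,
# which is exactly why "service password-encryption" is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc: str) -> str:
    """Reverse a 'password 7' string.

    The first two decimal digits are an offset (seed) into TYPE7_KEY; each
    following hex byte is plaintext[i] XOR TYPE7_KEY[(seed + i) % len(key)].
    """
    if len(enc) < 4 or len(enc) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", enc):
        raise ValueError("not a type 7 string: %r" % enc)
    seed = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line ...' stanza, e.g. {'con 0': ['login']}."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:                      # '!', a blank line or another top-level command ends the stanza
            current = None
    return stanzas


def recover_password(cmd: str) -> str:
    """Return the clear-text value of a 'password [0|7] value' line command."""
    parts = cmd.split()
    if len(parts) == 3 and parts[1] == "7":
        return decode_type7(parts[2])
    if len(parts) == 3 and parts[1] == "0":
        return parts[2]
    return parts[1]                # 'password value' with no type keyword (plain text)


def audit(config: str) -> List[str]:
    """Return human-readable findings for the password weaknesses discussed in the post."""
    findings = []
    for m in re.finditer(r"^enable password (?:(0|7) )?(\S+)$", config, re.M):
        value = decode_type7(m.group(2)) if m.group(1) == "7" else m.group(2)
        findings.append("enable password is recoverable: %r (remove it; keep only enable secret)" % value)
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret configured")
    for name, cmds in parse_line_stanzas(config).items():
        pw_cmd = next((c for c in cmds if c.startswith("password ")), None)
        # 'login' uses the line password; 'login local' / 'login authentication' use usernames or AAA
        login_mode = next((c for c in cmds if c == "login" or c.startswith("login ")), None)
        if pw_cmd is not None and login_mode is None:
            findings.append("line %s: password set but no login -> line is open, password never asked for" % name)
        elif pw_cmd is None and login_mode == "login":
            findings.append("line %s: login without password -> remote sessions refused "
                            "(Password required, but none set)" % name)
        elif pw_cmd is not None and login_mode == "login":
            findings.append("line %s: password is recoverable: %r" % (name, recover_password(pw_cmd)))
    return findings


# Constructed sample: the relevant part of the encrypted 'show running-config' output above.
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
!
hostname Switch
!
enable secret 5 $1$mERr$nfOaXEtL3m8TUNtQJIzFG/
enable password 7 0823435D1D160B
!
line con 0
 password 7 0822455D0A16
 login
!
line vty 0 4
 password 7 08224F4B070D
 login
line vty 5 15
 login
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample prints the decoded "boston", "cisco" and "ccent" next to the stanzas they came from, plus the refused-Telnet finding for vty 5 15. The only entry it cannot recover is the enable secret, which is the point of the post: the hash has to be attacked offline, while type 7 strings just decode.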
