Password Security for CLI Access from the Console

A Cisco switch, with default settings, remains relatively secure when locked inside a wiring
closet, because by default, a switch allows console access only. By default, the console
requires no password at all, and no password to reach enable mode for users who happen
to connect from the console. The reason is that if you have access to the physical console
port of the switch, you already have pretty much complete control over the switch.
You could literally get out your screwdriver and walk off with it, or you could unplug the
power, or follow well-published procedures to go through password recovery to break into
the CLI and then configure anything you want to configure.

However, many people go ahead and set up simple password protection for console users.
Simple passwords can be configured at two points in the login process from the console:
when the user connects from the console, and when any user moves to enable mode (using
the enable EXEC command). You may have noticed that back in Example 6-1, the user saw
a password prompt at both points.

Example 6-2 shows the additional configuration commands that were configured prior to
collecting the output in Example 6-1. The output holds an excerpt from the EXEC command
show running-config, which lists the current configuration in the switch.

Example 6-2 Nondefault Basic Configuration

Working from top to bottom, note that the first configuration command listed by the show
running-config command sets the switch’s hostname to Certskills1. You might have noticed
that the command prompts in Example 6-1 all began with Certskills1, and that’s why the
command prompt begins with the hostname of the switch.

Next, note that the lines with a ! in them are comment lines, both in the text of this book
and in the real switch CLI.

The enable secret love configuration command defines the password that all users must use
to reach enable mode. So, no matter whether a user connects from the console, Telnet, or
SSH, they would use password love when prompted for a password after typing the enable
EXEC command.

Finally, the last three lines configure the console password. The first line (line console 0)
is the command that identifies the console, basically meaning “these next commands apply
to the console only.” The login command tells IOS to perform simple password checking
(at the console). Remember, by default, the switch does not ask for a password for console
users. Finally, the password faith command defines the password the console user must
type when prompted.
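The following Python script is an added example, not code from the book: it audits a running-config excerpt for exactly the settings this section describes (an enable secret, and login plus password under line console 0). The two sample configs are constructed here from the commands listed in the text; the function names are my own.

```python
"""Audit a Cisco IOS running-config excerpt for the console and enable-mode
password settings described above. Added example, not the book's own code."""

# Constructed to match the commands the text lists for Example 6-2.
CONFIGURED = """\
hostname Certskills1
!
enable secret love
!
line console 0
 login
 password faith
"""

# Constructed: a switch still at factory defaults for these settings.
DEFAULT = """\
hostname Switch
!
line console 0
"""

def parse_sections(config):
    """Split config text into global commands and indented 'line ...' blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' lines are comments
            continue
        if line.startswith(" "):               # indented: belongs to a block
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = None
            if line.startswith("line "):        # e.g. 'line console 0'
                current = line
                blocks[current] = []
            else:
                global_cmds.append(line)
    return global_cmds, blocks

def audit_console_security(config):
    """Return findings; an empty list means the described protections exist."""
    global_cmds, blocks = parse_sections(config)
    findings = []
    if not any(cmd.startswith("enable secret ") for cmd in global_cmds):
        findings.append("no enable secret: enable mode is unprotected")
    console = blocks.get("line console 0", [])
    if "login" not in console:
        findings.append("console: no 'login', so IOS never prompts for a password")
    if not any(cmd.startswith("password ") for cmd in console):
        findings.append("console: no 'password' set")
    return findings
```

Run it against the output of show running-config on a lab switch; each finding names the missing command from the section above.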

This example just scratches the surface of the kinds of security configuration you might
choose to configure on a switch, but it does give you enough detail to configure switches
in your lab and get started (which is the reason I put these details in this first chapter of
Part II). Note that Chapter 8 shows the configuration steps to add support for Telnet and
SSH (including password security), and Chapter 34, “Device Security Features,” shows
additional security configuration as well.

