Basic Security on Cisco Routers

You can access a Cisco router in several ways. You can physically access it through the console port, or remotely through a modem attached to the auxiliary (AUX) port. You can also reach it over the network through its virtual terminal ports (VTY lines), which accept remote Telnet sessions.

If you do not have physical access to a router, through either the console port or a dialup connection to the auxiliary port, you reach it through the software interface called the virtual terminal (also referred to as a VTY port). When you telnet to a router, you are prompted for the VTY password set by the network administrator. For example, on Router R1 the administrator enters R2's IP address and telnets to one of R2's VTY lines.

Example 4-24 provides the session dialog when a user telnets to the router with the IP address 131.108.1.2.

Example 4-24 Using a VTY Port to Establish a Telnet Connection

R1#telnet 131.108.1.2
Trying 131.108.1.2 ... Open

User Access Verification

Password: xxxxx
R2>

Cisco routers can have passwords set for every way in, including the console port, the auxiliary port, privileged EXEC mode, and virtual terminal access. To set a console password to prevent unauthorized console access to the router, issue the commands shown in Example 4-25. Note that a line password is only checked when the line also carries the login command; on the console and auxiliary lines login is not the default, so a password without login is never asked for.

NOTE All passwords are case-sensitive.

Example 4-25 Setting a Console Password

R1(config)#line con 0
R1(config-line)#password cisco

!You can also set a password on the auxiliary port
R1(config)#line aux 0
R1(config-line)#password cisco

To set the privileged EXEC password, you have two options: the enable password and the enable secret. To set them, use the respective commands listed in Example 4-26.

Example 4-26 Setting Enable and Secret Password

R1(config)#enable password cisco
R1(config)#enable secret ccie

The command to set an enable password is enable password password. You can also set a more secure password, called the enable secret, with the enable secret password command; it is stored in the configuration as a salted MD5 hash rather than in clear text, so it is not readable when the configuration is viewed.

When both are configured, the enable secret takes precedence and the enable password is ignored. Cisco IOS does not permit you to configure the same string for both: it warns that this is not recommended and asks you to re-enter a different value.

In Example 4-26, therefore, the secret password (ccie) is the one checked whenever a user enters privileged mode. Now issue the show running-config command to display the configuration after entering the enable and secret passwords in Example 4-26.

Example 4-27 displays the output from the show running-config IOS command after entering the enable and secret passwords.

Example 4-27 show running-config Command on R1

R1#show running-config
Building configuration...

Current configuration:
!
version 12.2
!
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password cisco

Example 4-27 shows that the enable secret is stored as a hash, while the enable password is readable. This hides the secret whenever the configuration is viewed, shared, or backed up. The algorithm is MD5-crypt, the salted, iterated MD5 construction also used for Unix password files; it is not a Cisco-proprietary cipher, and the 5 in the configuration line marks this type. A hash such as $1$Aiy2$GGSCYdG57PdRiNg/.D.XI. cannot be reversed to recover the password, but it can be attacked offline by guessing: anyone holding the configuration can hash candidate words with the same salt and compare, so a short or dictionary-word enable secret is still weak. If you want, you can also obscure the enable password by issuing the service password-encryption command, as displayed in Example 4-28.

Example 4-28 service password-encryption Command

R1(config)#service password-encryption

The service password-encryption command obscures every clear-text password in the configuration (line passwords, the enable password, and others) using Cisco's type 7 scheme. Despite the command's name, this is neither MD5 nor real encryption: type 7 is a reversible XOR encoding with a fixed, publicly known key, and freely available tools recover the clear text instantly. Its only value is against someone reading the configuration over your shoulder. Example 4-29 shows how these passwords appear when the configuration is viewed after the command has been applied.

Example 4-29 displays the show running-config command output after encrypting all passwords.

Example 4-29 show running-config Command on R1 After Encrypting All Passwords

R1#show running-config
Building configuration...

Current configuration:
service password-encryption
version 11.2
hostname R1

enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password 7 0822455D0A16

NOTE Note the digits 5 and 7 before the stored passwords. Type 5 means the value is an MD5-crypt hash, which is one-way; type 7 means the value is the reversible type 7 encoding, which any reader of the configuration can decode. You are not expected to know this for the written exam, but it is valuable knowledge for troubleshooting complex networks. In fact, a great network engineer is measured by well-defined troubleshooting techniques, and not by how many CCIE lab exams he has passed.

Notice in Example 4-29 that both the enable secret and the enable password are now stored in obscured form. If you enable the service password-encryption command in global configuration mode, every clear-text password in the configuration is rewritten as type 7, so none is readable at a glance when the configuration is displayed. Treat the configuration file as sensitive all the same: the type 7 values decode trivially, and only the enable secret resists an attacker who obtains a copy.
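As an added example (my own code, not from the book or from Cisco), the following Python script implements both storage formats seen in Examples 4-27 and 4-29: standard MD5-crypt for type 5 and the fixed-key XOR scheme for type 7. The hash $1$Aiy2$GGSCYdG57PdRiNg/.D.XI. and the type 7 string 0822455D0A16 are the page's own values; the wordlist is constructed and the function names (md5crypt, verify_type5, guess_type5, type7_decode, type7_encode) are mine. Running it decodes the page's type 7 value back to cisco and runs a short offline dictionary check against the type 5 hash, which is the attack that the one-way property does not prevent.

```python
"""Added example: what IOS 'enable secret 5' (type 5) and 'password 7' (type 7) protect.

md5crypt, verify_type5, guess_type5, type7_decode and type7_encode are this example's
own names, not IOS commands. Sample values are taken from Examples 4-27 and 4-29.
"""
import hashlib
import hmac
from typing import Iterable, Optional

# MD5-crypt radix-64 alphabet (the crypt(3) one, not base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Fixed key of the Cisco type 7 scheme; the value is public knowledge.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def _to64(value: int, count: int) -> str:
    """Emit `count` radix-64 characters, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Standard MD5-crypt ($1$salt$hash): salted, 1000-round MD5. This is what IOS
    stores for 'enable secret 5'. One-way, but cheap enough to brute-force offline."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # key stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return f"$1${salt[:8]}${encoded}"


def verify_type5(password: str, stored: str) -> bool:
    """Check a candidate against a '$1$salt$hash' string in constant time."""
    parts = stored.split("$")          # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 (MD5-crypt) hash")
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


def guess_type5(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the one-way property does not stop this."""
    for word in wordlist:
        if verify_type5(word, stored):
            return word
    return None


def type7_decode(encoded: str) -> str:
    """Type 7 is XOR against a fixed key; the first two digits give the key offset."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def type7_encode(plain: str, offset: int = 8) -> str:
    """Inverse of type7_decode, i.e. what 'service password-encryption' stores."""
    body = bytes(ord(ch) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, ch in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


if __name__ == "__main__":
    page_secret = "$1$Aiy2$GGSCYdG57PdRiNg/.D.XI."   # Example 4-27
    page_type7 = "0822455D0A16"                        # Example 4-29
    print("type 7 recovers instantly:", type7_decode(page_type7))
    words = ["admin", "cisco", "password", "ccie"]     # constructed wordlist
    print("type 5 dictionary result:", guess_type5(page_secret, words))
```

The asymmetry is the whole lesson: type7_decode needs no secret at all, whereas the only way to turn a type 5 hash back into a password is to guess, which is why the length and unpredictability of the enable secret, not the hash, is what protects privileged mode.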

The final Cisco password you can set is the virtual terminal password. This password authenticates remote Telnet sessions to a router. Example 4-30 displays the commands necessary to set the virtual terminal password on a Cisco router.

Example 4-30 password Command to Set a Virtual Terminal Password to ccie

R4(config)#line vty 0 4
R4(config-line)#password ccie

If you issue the no login command under the virtual terminal lines (line vty 0 4), remote Telnet users are not asked for a password and drop straight into user EXEC mode; the password configured on the line is never checked. Example 4-31 displays the Telnet session dialogue when the no login command is entered.

Example 4-31 Dialogue Display When No Login Is Enabled

Keep in mind that the preceding setup (no login on the VTY lines) is not a secure access method for a router network: anyone who can reach the router's IP address gets a command prompt.
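To make the checks in this section repeatable, here is an added example (my own code, not from the book) that audits an IOS running-config text for the weaknesses discussed above: a missing enable secret, a leftover enable password, clear-text or type 7 line passwords, service password-encryption not enabled, and no login on the VTY lines. The sample configuration is constructed from the fragments in Examples 4-25 through 4-30 and is not a capture from a real router; audit_config and Finding are names I chose.

```python
"""Added example: audit an IOS configuration for the password weaknesses covered above.

audit_config and Finding are this example's own names. SAMPLE_CONFIG is constructed
from the fragments in Examples 4-25 to 4-30, not captured from a real router.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_CONFIG = """\
version 12.2
hostname R1
!
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
enable password 7 0822455D0A16
!
line con 0
 password cisco
line aux 0
 password cisco
line vty 0 4
 password ccie
 no login
!
end
"""


@dataclass
class Finding:
    line_no: int      # 1-based line in the config, 0 for config-wide findings
    section: str      # "global" or the "line ..." block the text belongs to
    text: str         # offending config line, stripped
    issue: str        # why it matters


def audit_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = config.splitlines()
    stripped = [ln.strip() for ln in lines]

    # Config-wide checks: the two settings that decide what a leaked config reveals.
    if not any(ln.startswith("enable secret ") for ln in stripped):
        findings.append(Finding(0, "global", "",
                                "no 'enable secret': privileged mode relies on the enable password or nothing"))
    if "service password-encryption" not in stripped:
        findings.append(Finding(0, "global", "",
                                "'service password-encryption' is off: line passwords sit in clear text"))

    section = "global"
    for no, (raw, ln) in enumerate(zip(lines, stripped), start=1):
        if not raw.startswith(" "):               # IOS indents the children of a line block
            section = ln if ln.startswith("line ") else "global"

        if ln.startswith("enable password "):
            kind = "type 7 (reversible)" if ln.startswith("enable password 7 ") else "clear text"
            findings.append(Finding(no, section, ln,
                                    f"'enable password' stored as {kind}; remove it once an enable secret exists"))

        typed = re.match(r"password (\d) \S+$", ln)   # 'password 7 0822...' or 'password 0 cisco'
        if typed:
            if typed.group(1) == "7":
                findings.append(Finding(no, section, ln, "type 7 line password: decodes instantly"))
            else:
                findings.append(Finding(no, section, ln, "clear-text line password"))
        elif re.match(r"password \S+$", ln):         # no type keyword at all
            findings.append(Finding(no, section, ln, "clear-text line password"))

        if ln == "no login" and section.startswith("line vty"):
            findings.append(Finding(no, section, ln,
                                    "'no login' on VTY: Telnet users reach EXEC without any password"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        where = f"line {f.line_no} [{f.section}]" if f.line_no else "config-wide"
        print(f"{where}: {f.text or '-'} -> {f.issue}")
```

Run it against a configuration pulled with show running-config; the section column tells you which line block (con, aux, vty) each finding belongs to, which matters because a password under line vty 0 4 with no login beneath it is never consulted at all.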
