Securing The Router Console Access: Khawar Butt CCIE # 12353 (R/S, Security, SP, DC, Voice, Storage & CCDE)
Console Access
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
Console Password
Configuring a Local Database of Users
Enable Password
[Network diagram: R1 and R2 connected over Serial 1/0 (192.168.12.0/24); each router's Ethernet 0/0 leads to a switch (192.168.1.0/24 and 192.168.2.0/24); a MGMT PC is attached to the Console port.]
Console Password
By configuring a Console Password, you control access to the Console port based on a Password.
R1
R1#conf t
R1(config)#line console 0
R1(config-line)#password Cisco123
R1(config-line)#login
___________________________________________
R2
R2#conf t
R2(config)#line console 0
R2(config-line)#password Cisco123
R2(config-line)#login
Username and Password
The limitation of the console password is that it is a common password for all the administrators.
If a configuration needs to be traced to a particular administrator, you need to be able to identify the
administrator uniquely.
This can be done by creating a local database of usernames and their corresponding passwords.
Configure admin1 with a password of cisco111 and admin2 with a password of cisco222 in the local database of R1 &
R2.
Use this database for Console Authentication.
R1
R1#conf t
R1(config)#Username admin1 password cisco111
R1(config)#Username admin2 password cisco222
R1(config)#line con 0
R1(config-line)#login local
___________________________________________
R2
R2#conf t
R2(config)#Username admin1 password cisco111
R2(config)#Username admin2 password cisco222
R2(config)#line con 0
R2(config-line)#login local
Enable Password
Once the user logs into the router, he gets put into the User Exec Mode.
You can further control access to the Privilege Exec mode by configuring another password for the Privilege
Exec Mode.
This password is called the Enable secret password. By default, there is no Enable secret password.
This password will be required if the user is logging in remotely using Telnet or SSH.
Securing Privilege Exec Mode using a Password
Configure an Enable Password as ccna123 on R1 & R2.
R1
R1#conf t
R1(config)#enable secret ccna123
___________________________________________
R2
R2#conf t
R2(config)#enable secret ccna123
Other Console Commands
Disable domain lookup by using the “no ip domain-lookup” command, so that a mistyped command is not
treated as a hostname to resolve. This is configured in Global Configuration mode.
Configure the login banner. This will be displayed after the MOTD Banner prior to the User logging in. This is
a permanent banner. Use the “banner login” command to set this banner.
Configure the Console line such that it moves the cursor to the next line in case a system message or alert
pops up on the screen. This helps avoid mistyping commands when a message appears while you are typing,
disrupting your command and moving the cursor to the end of the message. This is
configured under the Console line by using the “logging synchronous” command.
Configure the exec-timeout so that the login session times out after it has been idle for the configured time. This
can be done by using the “exec-timeout” command in the line console mode.
Common Console Commands
Configure the common Console commands from the previous slide on R1.
R1
R1#conf t
R1(config)#no ip domain-lookup
R1(config)#Banner login #
Only Authorized Users of KB School are allowed to login #
R1(config)#line console 0
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 3 0
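An added example, not part of the original slides: a Python check that reads a running-config and reports which of the console protections configured above are missing or weak. The config excerpts, the placeholder hash, router R3 and the function names are constructed for illustration.

```python
import re
# Constructed running-config excerpts, not from a real device; the hash is a placeholder.
R1_CONFIG = """\
no ip domain-lookup
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin1 password 0 cisco111
username admin2 password 0 cisco222
banner login ^C
Only Authorized Users of KB School are allowed to login ^C
line con 0
 exec-timeout 3 0
 logging synchronous
 login local
"""
# Hypothetical router R3 whose console was left open with no idle timeout.
WEAK_CONFIG = "hostname R3\nline con 0\n exec-timeout 0 0\nline vty 0 4\n login\n"

def console_block(config):
    """Return the sub-commands indented under 'line con 0'."""
    block, inside = [], False
    for line in config.splitlines():
        if re.match(r"line con(sole)? 0\b", line):
            inside = True
        elif inside and line.startswith(" "):
            block.append(line.strip())
        elif inside:
            break
    return block

def audit_console(config):
    """Return findings for the console settings this page configures."""
    con, out = console_block(config), []
    has_line_pw = "login" in con and any(c.startswith("password ") for c in con)
    if "login local" not in con:
        out.append("console: shared line password only" if has_line_pw
                   else "console: no login authentication")
    if "exec-timeout 0 0" in con:
        out.append("console: idle timeout disabled")
    if not re.search(r"^enable secret ", config, re.M):
        out.append("global: no enable secret")
    if not re.search(r"^no ip domain[- ]lookup", config, re.M):
        out.append("global: domain lookup still enabled")
    if not re.search(r"^banner login ", config, re.M):
        out.append("global: no login banner")
    # 'username ... password' is kept in clear or reversible form; 'secret' is hashed.
    out += [f"user {u}: uses 'password', not 'secret'"
            for u in re.findall(r"^username (\S+) password ", config, re.M)]
    return out
```

Run against R1 as configured above, the only findings are the two local users created with the password keyword; creating them with "username admin1 secret ..." instead stores a hash.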
Whiteboard