Lab0: Securing Routers/Switches
In this final installment of lab 0, we will secure the routers/switches with simple yet effective authentication. The following commands will be executed on all routers (R1-R4) and switches (SWA-SWP-SWD):
Enabling Encryption and Lockout
First, we enable password encryption:
|
|
This is crucial: if this service is not activated, passwords remain visible when backing up the configuration or using the command:
|
|
Console and Auxiliary Lines
We will enable password-protected access each time we connect using these ports:
|
|
In this example, we used the password “labFinal”. Now, each time we connect to the console of the router/switch, we will be prompted for this password, and if the session is left idle for 5 minutes and 30 seconds, we will be prompted for the password again. Finally:
|
|
If we fail 3 attempts within 60 seconds, we will have to wait 120 seconds before the next 3 attempts.
Disabling Telnet
If we examine the lines, we see that:
|
|
This means that the telnet service is listening on each router/switch, and we get the following message when trying to connect:
|
|
To disable telnet:
|
|
This disables telnet.
Privileged EXEC Mode with Password
To protect the privileged EXEC mode:
|
|
Now, each time we type “enable”, we must enter the password “labExec”. The command “no enable password” prevents the old way of encrypting passwords from being used. With this configuration, we will have two passwords to use:
- The first for user mode (each time we use the console or auxiliary line)
- The second each time we need to configure something (privileged EXEC mode)
Now our lab has basic but functional security.
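The settings from this lab can be verified against a saved running-config. The following is an added example, not part of the original lab: the sample configuration is constructed, its commands are standard Cisco IOS syntax assumed to match the behaviour described above, and the function names `parse` and `audit` are hypothetical.

```python
# Constructed sample config; standard Cisco IOS commands assumed, secrets are placeholders.
HARDENED = """\
service password-encryption
enable secret 5 PLACEHOLDER
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 5 30
 password 7 PLACEHOLDER
 login
line vty 0 4
 transport input none
"""

def parse(config):
    """Split a config into global commands and per-line sub-commands."""
    glob, lines, cur = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith(" ") and cur is not None:
            cur.append(cmd)              # indented: belongs to the current line block
        elif cmd.startswith("line "):
            cur = lines[cmd] = []        # start of a con/aux/vty block
        elif cmd and cmd != "!":
            cur = None
            glob.append(cmd)
    return glob, lines

def audit(config):
    """Return findings for the lab's settings; an empty list means all pass."""
    glob, lines = parse(config)
    def has(items, prefix):
        return any(i.startswith(prefix) for i in items)
    out = [msg for msg, ok in [
        ("service password-encryption missing", "service password-encryption" in glob),
        ("no enable secret", has(glob, "enable secret ")),
        ("legacy enable password present", not has(glob, "enable password ")),
        ("no login block-for lockout", has(glob, "login block-for ")),
    ] if not ok]
    for name, sub in lines.items():
        if name.startswith("line vty"):
            # Assumption: no explicit transport setting means telnet is accepted.
            t = [s for s in sub if s.startswith("transport input ")]
            if not t or set(t[0].split()[2:]) & {"telnet", "all"}:
                out.append(f"{name}: telnet may be accepted")
            continue
        if "login" not in sub or not has(sub, "password "):
            out.append(f"{name}: no password login")
        if not has(sub, "exec-timeout "):
            out.append(f"{name}: no idle timeout")
    return out
```

Passing the text of a saved configuration to `audit` returns one finding per missing setting, so an empty list means every step of the lab is in place on that device.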