Lab0: Securing Routers/Switches

In this final delivery of lab 0, we secure the routers/switches with simple but effective authentication. The following commands are executed on every router (R1-R4) and switch (SWA, SWP, SWD):

Enabling Encryption and Lockout

First, we enable password encryption:

SWP(config)#service password-encryption

This is crucial: without this service, the line passwords appear in clear text whenever we back up the configuration or run the following command. Note that the service only obscures them with Cisco's reversible type 7 encoding, so it hides them from casual viewing but is not strong encryption:

SWP(config)#do sh running-config

Console and Auxiliary Lines

We require a password every time we connect through these ports:

SWP(config)#line con 0
SWP(config-line)#login
SWP(config-line)#password labFinal
SWP(config-line)#exec-timeout 5 30
SWP(config-line)#line aux 0
SWP(config-line)#login
SWP(config-line)#password labFinal
SWP(config-line)#exec-timeout 5 30
SWP(config-line)#exit

In this example the password is “labFinal”. From now on, each time we connect to the console of the router/switch we are prompted for this password, and if the session sits idle for 5 minutes and 30 seconds (exec-timeout 5 30) it is closed and we are prompted for the password again. Finally:

SWP(config)#login block-for 120 attempts 3 within 60

If 3 login attempts fail within 60 seconds, logins are blocked for 120 seconds before the next 3 attempts are allowed.

Disabling Telnet

If we examine the lines in the running configuration, we see that:

SWP(config)#do sh running-config
...
line con 0
line aux 0
line vty 0 4
  login
!
...

This means the telnet service is listening on every router/switch. Because the vty lines have “login” set but no password configured, we get the following message when trying to connect:

gns3@box:~$ telnet 172.16.20.1
Entering character mode
Escape character is '^]'.
Password required, but none set
Connection closed by foreign host
gns3@box:~$

To disable telnet:

SWP(config)#line vty 0 4
SWP(config-line)#transport input none
SWP(config-line)#

This disables telnet. Keep in mind that “transport input none” refuses every inbound protocol on the vty lines, so it disables SSH as well; if remote administration is needed, “transport input ssh” keeps SSH while still rejecting telnet.

Remote Administration using SSH

For remote administration of a router/switch, we need to create users and enable SSH. In this lab, since we are not using real hardware, the connection is made through the console (line con 0). If we need to enable SSH, chapter 9 of the book Cisco Routers for the Desperate, 2nd Edition, contains detailed instructions on SSH, including user control.

Privileged EXEC Mode with Password

To protect the privileged EXEC mode:

SWP(config)#enable secret labExec
SWP(config)#no enable password

Now, each time we type “enable”, we use the password “labExec”. The command “no enable password” removes the legacy enable password, which IOS stores with the weak reversible encoding, so that only the enable secret, stored as a hash, remains. With this configuration we have two passwords to use:

  • The first for user mode (each time we use the console or auxiliary line)
  • The second each time we need to configure something (privileged EXEC mode)

Now our lab has basic but functional security.
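A practical way to confirm that every router and switch actually received all of the settings above (password encryption, console/aux line protection, the vty telnet lockdown, the enable secret and the login throttling) is to audit the running-config rather than trusting memory. The following Python script is an added example written for this page; it is not part of the lab or of Cisco IOS. It assumes the usual line-oriented IOS config layout (top-level commands at column 0, indented sub-commands under a section header) and uses two constructed sample configs: a "before" state matching the default lines shown in the Disabling Telnet section, and an "after" state with the lab's commands applied. The type 7 string and the enable secret hash in the sample are placeholders, not real values from any device.

```python
"""Audit a Cisco IOS running-config for the hardening steps in this lab.

Added example, not from the lab page. It parses the line-oriented IOS config
format: top-level commands start at column 0, indented lines belong to the
most recent top-level command (a 'line ...' section here), and '!' closes a
section.
"""
from __future__ import annotations

from typing import List, Optional, Tuple

# Constructed sample: the switch before hardening (default lines, telnet open,
# only a legacy 'enable password').
BEFORE = """\
!
hostname SWP
!
enable password labExec
!
line con 0
line aux 0
line vty 0 4
 login
!
end
"""

# Constructed sample: the same switch after the commands in this lab.
# The 'password 7 ...' string and the secret hash are placeholders.
AFTER = """\
!
service password-encryption
hostname SWP
!
enable secret 5 $PLACEHOLDER_HASH$
login block-for 120 attempts 3 within 60
!
line con 0
 password 7 PLACEHOLDER7
 login
 exec-timeout 5 30
line aux 0
 password 7 PLACEHOLDER7
 login
 exec-timeout 5 30
line vty 0 4
 login
 transport input none
!
end
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Return an ordered list of (top-level command, indented sub-commands)."""
    entries: List[Tuple[str, List[str]]] = []
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' (or a blank line) ends the current section
            continue
        if raw[0].isspace():
            if current is not None:
                current.append(raw.strip())
        else:
            current = []
            entries.append((raw.strip(), current))
    return entries


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    entries = parse_config(text)
    tops = [cmd for cmd, _ in entries]
    findings: List[str] = []

    def has_global(prefix: str) -> bool:
        return any(c == prefix or c.startswith(prefix + " ") for c in tops)

    def section(name: str) -> Optional[List[str]]:
        return next((kids for cmd, kids in entries if cmd == name), None)

    if not has_global("service password-encryption"):
        findings.append("service password-encryption is off: line passwords are shown in clear text")
    if not has_global("enable secret"):
        findings.append("no enable secret: privileged EXEC mode is not protected by a hashed secret")
    if has_global("enable password"):
        findings.append("legacy enable password still present; remove it with 'no enable password'")
    if not has_global("login block-for"):
        findings.append("no login block-for: repeated failed logins are not throttled")

    for name in ("line con 0", "line aux 0"):
        kids = section(name)
        if kids is None:
            findings.append(f"{name} missing from configuration")
            continue
        if "login" not in kids:
            findings.append(f"{name}: no 'login', the line never asks for a password")
        if not any(k.startswith("password ") for k in kids):
            findings.append(f"{name}: no line password set")
        if not any(k.startswith("exec-timeout ") for k in kids):
            findings.append(f"{name}: no explicit exec-timeout, idle sessions stay open")

    vty = section("line vty 0 4")
    if vty is None:
        findings.append("line vty 0 4 missing from configuration")
    else:
        transport = next((k for k in vty if k.startswith("transport input")), None)
        # No 'transport input' at all, 'telnet', or 'all' leaves telnet listening.
        if transport is None or "telnet" in transport or transport.endswith(" all"):
            findings.append("line vty 0 4: telnet accepted (expected 'transport input none' or 'transport input ssh')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against the output of “show running-config” saved to a file (replace the constructed samples with the file contents) on each of R1-R4 and the switches; a device that still reports findings has missed one of the steps above. The parser deliberately treats “!” as a section terminator, which is how IOS separates blocks, so “line con 0” followed directly by “line aux 0” parses as two sections with no sub-commands, exactly the default state shown in the Disabling Telnet section.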