
Configuring Security Measures

 

Configuring passwords on the Cisco IOS:

Protecting privilege mode:

Option I

DeviceName(config)#enable password XXXX

Option II

DeviceName(config)#enable secret XXXX

NOTE: Using "Option I" is not recommended, as it stores the password in clear text that can easily be read from the configuration, whereas "Option II" stores the password in encrypted (hashed) form.

If both passwords are set, IOS uses the secret password.

A space is counted as a character in the password.

Protecting user mode:

DeviceName(config)# line console 0

DeviceName(config-line)#password XXXX

DeviceName(config-line)#login

Setting up Telnet:

NOTE: This applies only after VLAN 1 has been configured with a valid IP address.

DeviceName(config)# line vty X Y

X = first line number and Y = last line number; the size of the range X to Y is the number of concurrent Telnet sessions allowed.

DeviceName(config-line)#password XXXX

NOTE: Telnet will not work unless a password is set on the VTY lines.

Keeping an eye on a Telnet session:

DeviceName#terminal monitor

It allows all the log and debug messages to be seen from within the Telnet/SSH session.

Encrypting all passwords in one go:

DeviceName(config)#service password-encryption

It will encrypt all clear-text passwords in the IOS configuration. It might not work on older IOS versions.

Setting up logon banner:

Type of banners:

Login: This only appears when using Telnet.

Motd (Message of the Day): It is shown on every connection.

DeviceName(config)#banner [motd/login] Y XXXXXX Y

Where Y is the delimiting character.

Setting up port security:

DeviceName(config)#interface fa 0/X

DeviceName(config-if)#switchport mode access

This command makes the interface an access port, meaning the interface is connected to an end device such as a PC or router, not to another switch.

DeviceName(config-if)#switchport port-security

DeviceName(config-if)#switchport port-security maximum X

Where X is the maximum number of MAC addresses allowed to connect through the interface.

DeviceName(config-if)#switchport port-security violation [shutdown/restrict/protect]

Through this command we set up how the switch should respond if port security is violated. There are three modes:

1) Shutdown: This is the default mode; it shuts the interface down completely, putting it into the "err-disabled" state, and an administrator has to re-enable the port manually.

2) Restrict: It will not shut the port down but will stop accepting traffic on the port until an authorized device connects again. It will also log the event.

3) Protect: The same as restrict, but it does not log the event.

DeviceName(config-if)#switchport port-security mac-address [X.X.X/sticky]

Where X.X.X is the 48-bit MAC address in dotted-hex format, and "sticky" will automatically learn the MAC address of the device currently attached to the port.

Configuring a range of interfaces:

DeviceName(config)#interface range fastethernet 0/X - Y

Where X is the starting (lower) port number and Y is the last (higher) port number.
