
Configuring Security Measures


Configuring passwords on Cisco IOS:

Protecting privilege mode:

Option I

DeviceName(config)#enable password XXXX

Option II

DeviceName(config)#enable secret XXXX

NOTE: Using "Option I" is not recommended, as it stores the password in clear text in the configuration, where anyone who can view the config can read it. "Option II" stores the password in hashed (encrypted) form instead.

If both passwords are set, IOS uses the secret password.

The space bar counts as a character in a password.

Protecting user mode:

DeviceName(config)# line console 0

DeviceName(config-line)#password XXXX

DeviceName(config-line)#login

Setting up Telnet:

NOTE: This applies only after VLAN 1 has been configured with a valid IP address.

DeviceName(config)# line vty X Y

X = first line number and Y = last line number, i.e. lines X through Y are the allowed concurrent telnet sessions.

DeviceName(config-line)#password XXXX

NOTE: Telnet will not work unless a password is set on the vty lines.

Keeping an eye on the telnet session:

DeviceName#terminal monitor

It allows you to see all the log and debug messages from within the telnet/SSH session (by default they are shown only on the console).

Encrypting all passwords in one go:

DeviceName(config)#service password-encryption

It will encrypt all clear-text passwords in the IOS configuration (shown as type 7). Note that type 7 is a reversible encoding, so this protects against casual viewing of the config only; it might not work on older IOS versions.
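The checks above (no clear-text "enable password", an "enable secret" present, "service password-encryption" turned on, every line that has "login" also has a password) can be applied to a saved running-config automatically. The following Python script is an added example, not part of the original post or of any Cisco tool; the two configuration excerpts are constructed for the demonstration, and the hash and type 7 strings in them are placeholders, not real encodings.

```python
# Audit a Cisco IOS running-config text for the password weaknesses discussed above.
# Constructed example: the config excerpts below are made up for this demo.

WEAK_CONFIG = """\
hostname DeviceName
enable password cisco123
!
line con 0
 password letmein
 login
line vty 0 4
 login
!
end
"""

HARDENED_CONFIG = """\
hostname DeviceName
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
service password-encryption
!
line con 0
 password 7 PLACEHOLDERTYPE7
 login
line vty 0 4
 password 7 PLACEHOLDERTYPE7
 login
!
end
"""


def parse_sections(config):
    """Split a running-config into (top-level command, [indented subcommands]) tuples."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS section separators
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())  # subcommand of the current section
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_config(config):
    """Return a list of (severity, message) findings; an empty list means no issues."""
    findings = []
    sections = parse_sections(config)
    top = [head for head, _ in sections]

    # Option I: privilege password stored in clear text
    if any(h.startswith("enable password ") for h in top):
        findings.append(("HIGH", "'enable password' (Option I) stores the privilege password in clear text"))
    # Option II missing entirely
    if not any(h.startswith("enable secret ") for h in top):
        findings.append(("HIGH", "no 'enable secret' configured; privilege mode has no hashed secret"))
    # Bulk encryption of line passwords not enabled
    if "service password-encryption" not in top:
        findings.append(("MEDIUM", "'service password-encryption' is off; line passwords are stored in clear text"))

    # Per-line checks for console and vty lines
    for head, subs in sections:
        if not head.startswith("line "):
            continue
        password_lines = [s for s in subs if s.startswith("password ")]
        has_login = any(s == "login" or s.startswith("login ") for s in subs)
        if has_login and not password_lines:
            findings.append(("HIGH", f"{head}: 'login' is set but no password; logins on this line will be refused"))
        for pw in password_lines:
            if pw.startswith("password 7 "):
                # Type 7 is reversible: low severity, but the config file itself must be protected
                findings.append(("LOW", f"{head}: type 7 password is a reversible encoding; protect the config file"))
            else:
                findings.append(("MEDIUM", f"{head}: password stored in clear text"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_config(cfg):
            print(f"[{severity}] {message}")
```

Run against a config exported with "show running-config"; the parser only relies on the IOS convention that subcommands are indented by one space under their parent line.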

Setting up a logon banner:

Types of banners:

Login: This appears only when connecting via telnet.

MOTD (Message of the Day): This appears on every console.

DeviceName(config)#banner [motd/login] Y XXXXXX Y

Where Y is the delimiting character.

Setting up port security:

DeviceName(config)#interface fa 0/X

DeviceName(config-if)#switchport mode access

This command makes the interface an access port, meaning the interface is connected to an end device such as a PC or a router, not to another switch.

DeviceName(config-if)#switchport port-security

DeviceName(config-if)#switchport port-security maximum X

Where X is the maximum number of MAC addresses allowed to connect through the interface.

DeviceName(config-if)#switchport port-security violation [shutdown/restrict/protect]

Through this command we set how the switch should respond if port security is violated. There are three modes:

1) Shutdown: This is the default mode and shuts the interface down completely. It puts the interface into the "err-disabled" state, and an administrator must manually re-enable the port.

2) Restrict: This does not shut the port down but stops forwarding traffic from the unauthorized device until an authorized device is connected again. It also logs the event.

3) Protect: The same as restrict, but the event is not logged.

DeviceName(config-if)#switchport port-security mac-address [X.X.X/sticky]

Where X.X.X is the MAC address in 48-bit dotted format, and "sticky" automatically learns the MAC address of the device currently attached to the port.
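To make the difference between the three violation modes concrete, here is an added Python model of a single secured access port; it is constructed for this page and is not Cisco code, and the names SecuredPort, receive_frame, admin_recover and allowed_macs are hypothetical. It applies the maximum, the violation mode and sticky/dynamic learning described above, and shows what a frame from an unknown MAC address gets: forwarded while there is room in the table, dropped (with or without a log entry) under restrict/protect, and an err-disabled port under shutdown.

```python
import re

# IOS writes MAC addresses in 48-bit dotted format: xxxx.xxxx.xxxx
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
VIOLATION_MODES = ("shutdown", "restrict", "protect")


def normalize_mac(mac):
    """Validate the dotted 48-bit format and return it lowercased."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC address must be in xxxx.xxxx.xxxx format: {mac!r}")
    return mac


class SecuredPort:
    """Constructed model of one access port with port security enabled (not IOS)."""

    def __init__(self, maximum=1, violation="shutdown", sticky=True, static_macs=()):
        if maximum < 1:
            raise ValueError("maximum must be at least 1")
        if violation not in VIOLATION_MODES:
            raise ValueError(f"violation must be one of {VIOLATION_MODES}")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static_macs = {normalize_mac(m) for m in static_macs}  # 'mac-address X.X.X'
        if len(self.static_macs) > maximum:
            raise ValueError("more static MAC addresses than the configured maximum")
        self.learned_macs = set()   # addresses learned from traffic ('sticky' or dynamic)
        self.state = "up"
        self.violation_count = 0
        self.log = []               # what restrict/shutdown would send to syslog/SNMP

    def allowed_macs(self):
        return self.static_macs | self.learned_macs

    def receive_frame(self, src_mac):
        """Return what happens to a frame arriving from src_mac on this port."""
        src = normalize_mac(src_mac)
        if self.state == "err-disabled":
            return "dropped"            # port is down until an administrator recovers it
        if src in self.allowed_macs():
            return "forwarded"
        if len(self.allowed_macs()) < self.maximum:
            self.learned_macs.add(src)  # room left: learn the new address
            return "forwarded"

        # Table is full and this address is unknown: a port-security violation
        self.violation_count += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"
            self.log.append(f"port err-disabled: unauthorized MAC {src}")
            return "err-disabled"
        if self.violation == "restrict":
            self.log.append(f"frame dropped: unauthorized MAC {src}")
        # protect: dropped silently, no log entry
        return "dropped"

    def admin_recover(self):
        """Administrator runs shutdown / no shutdown on an err-disabled port."""
        self.state = "up"
        if not self.sticky:
            self.learned_macs.clear()   # dynamic addresses are lost when the port goes down


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        port = SecuredPort(maximum=1, violation=mode)
        port.receive_frame("0000.1111.aaaa")          # first device is learned
        result = port.receive_frame("0000.2222.bbbb")  # second device violates
        print(f"{mode:9s} -> {result}, state={port.state}, logged={len(port.log)}")
```

The default "sticky=True" keeps learned addresses across an administrator recovery, matching the behaviour of sticky addresses that are written into the running-config; with "sticky=False" the port has to relearn them, as dynamic secure addresses are removed when the port goes down.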

Configuring a range of interfaces:

DeviceName(config)#interface range fastEthernet 0/X - Y

Where X is the first (lowest) port number and Y is the last (highest) port number.
