
Configuring Security Measures


Configuring passwords on Cisco IOS:

Protecting privilege mode:

Option I

DeviceName(config)#enable password XXXX

Option II

DeviceName(config)#enable secret XXXX

NOTE: Option I is not recommended. "enable password" is stored in the configuration in clear text (or, once "service password-encryption" is on, as a type 7 string that is trivially reversible), so anyone who can read the configuration can recover it. Option II stores only a one-way hash of the password (type 5 MD5, or type 8/9 on newer IOS releases), which cannot be read back out of the configuration.

If both are set, IOS uses the secret and ignores the enable password.

Spaces inside a password are counted as characters, so a stray trailing space will lock you out.

Protecting user mode (console access):

DeviceName(config)# line console 0

DeviceName(config-line)#password XXXX

DeviceName(config-line)#login

"login" is what makes the console line prompt for the password; the console does not do this by default, so without it the password is set but never asked for.

Setting up Telnet:

NOTE: This assumes the switch already has a valid management IP address on interface VLAN 1 (and a default gateway, if the administrator's host is on another subnet).

DeviceName(config)# line vty X Y

X is the first and Y the last vty line number; the range covers Y - X + 1 lines, which is the number of concurrent remote sessions the switch will accept ("line vty 0 4" allows five).

DeviceName(config-line)#password XXXX

NOTE: vty lines have "login" enabled by default, so Telnet refuses the connection ("Password required, but none set") until a password is configured on the line. Telnet itself carries that password, and everything typed afterwards, in clear text across the network; where the IOS image supports it, prefer SSH and restrict the lines with "transport input ssh".

Keeping an eye on the switch from a Telnet/SSH session:

DeviceName#terminal monitor

By default, logging and debug output goes only to the console. "terminal monitor" copies those messages to the current Telnet/SSH session as well, so you can watch events (such as port-security violations) without being on the console.

Obfuscating all passwords in one go:

DeviceName(config)#service password-encryption

This rewrites every clear-text line password and "enable password" in the configuration as a type 7 string. That hides them from someone glancing at "show running-config" over your shoulder, but type 7 is a fixed-key obfuscation that can be reversed in milliseconds, so it is no substitute for "enable secret". Might not be available on very old IOS.
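As an added example (not code from the original post), the following Python script shows why "service password-encryption" only obfuscates: it implements the type 7 decoder and encoder, then runs a small audit over a constructed running-config that still uses "enable password", type 7 line passwords and Telnet. The hostname "Sw1", the passwords and hex strings, and the wording of the findings are all made up for the example; the type 7 key and algorithm are the well-known public ones.

```python
"""Added example: why 'service password-encryption' (type 7) is not real encryption.
Decodes type 7 strings and audits a constructed running-config for weak password
handling. Not from the original post; hostname, passwords and wording are made up."""
import re

# Every IOS type 7 string is XORed against this fixed, publicly known key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9834ncxv"


def type7_decode(enc: str) -> str:
    """First two decimal digits are the key offset; the rest is hex ciphertext."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the string IOS would store for `plain` (IOS picks a seed from 0 to 15)."""
    body = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# 'enable password [type] value' or 'password [type] value' under a line section.
_PASSWORD_RE = re.compile(r"^(enable password|password)\s+(?:(\d+)\s+)?(\S+)$")


def audit_config(config: str) -> list:
    """Walk a running-config and report every password that can be read back out of it,
    every 'enable password', and every line that still accepts Telnet."""
    findings = []
    context = "global"
    for raw in config.splitlines():
        if raw and not raw.startswith(" "):
            context = raw.strip()          # top-level command, e.g. 'line vty 0 4'
        line = raw.strip()
        m = _PASSWORD_RE.match(line)
        if m:
            cmd, ptype, value = m.groups()
            where = "enable" if cmd == "enable password" else context
            if ptype == "7":
                findings.append(f"{where}: type 7 password recoverable -> {type7_decode(value)!r}")
            elif ptype in (None, "0"):
                findings.append(f"{where}: password stored in clear text -> {value!r}")
            if cmd == "enable password":
                findings.append("enable: 'enable password' in use; replace with 'enable secret'")
        elif line.startswith("transport input") and ("telnet" in line or line.endswith(" all")):
            findings.append(f"{context}: Telnet allowed, credentials cross the wire in clear text")
    return findings


# Constructed running-config fragment (hostname and passwords invented for the example).
SAMPLE_CONFIG = """\
hostname Sw1
service password-encryption
enable password 7 094F471A1A0A
!
line con 0
 password 7 050809013243420C
 login
line vty 0 4
 password 7 0212015705031B
 login
 transport input telnet
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it and every type 7 password in the sample comes back in plain text; an "enable secret 5 $1$..." line produces no finding because the hash cannot be inverted this way. Pointing the auditor at a real "show running-config" dump is a quick way to find devices that were "secured" with Option I plus service password-encryption.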

Setting up a logon banner:

Types of banner:

Login: shown after the MOTD and immediately before the username/password prompt, so it appears on any line that asks for a login (vty sessions over Telnet/SSH, and the console if "login" is configured there).

MOTD (Message of the Day): shown first, to every connection (console, Telnet and SSH).

DeviceName(config)#banner [motd/login] Y XXXXXX Y

Where Y is a delimiting character of your choice that must not appear in the banner text itself. Both banners are displayed before authentication, so keep them to an "authorised use only" notice and leave out the hostname, model or IOS version.

Setting up port security:

DeviceName(config)#interface fa 0/X

DeviceName(config-if)#switchport mode access

This command makes the interface an access port, i.e. one that faces an end device such as a PC or a router rather than a trunk to another switch. Port security can only be enabled on a port with a static mode (access or trunk); IOS rejects it on a port left in dynamic (DTP) mode.

DeviceName(config-if)#switchport port-security

DeviceName(config-if)#switchport port-security maximum X

Where X is the maximum number of MAC addresses allowed to send through the interface (the default is 1).

DeviceName(config-if)#switchport port-security violation [shutdown/restrict/protect]

Through this command we set how the switch responds when a frame arrives from a MAC address that is not in the port's secure-address table and that table is already full (the "port security" violation). There are three modes:

1) Shutdown: the default. The switch puts the interface into err-disabled state (link down, all traffic stopped, including the legitimate device), logs the event and increments the violation counter. An administrator has to bring the port back with "shutdown" followed by "no shutdown" (or "errdisable recovery" has to be configured). Note that this makes it easy for one rogue device to knock a port offline.

2) Restrict: the interface stays up and the authorised addresses keep working; frames from the unknown MAC are dropped, the violation counter is incremented and a syslog message / SNMP trap is generated.

3) Protect: the same as restrict, but silent: frames from unknown addresses are dropped with no log and no counter increment, so nothing tells you that something is plugged in where it should not be.

DeviceName(config-if)#switchport port-security mac-address [H.H.H/sticky]

Where H.H.H is the MAC address written as three groups of four hex digits (e.g. 0011.2233.4455), configured as a static secure address. "sticky" instead makes the switch learn the address of whatever is currently attached and write it into the running configuration as if it had been typed statically; save with "copy running-config startup-config" or the learned addresses are lost on reload. Without sticky, dynamically learned secure addresses are forgotten whenever the port goes down or the switch reboots.
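To make the three violation modes concrete, here is an added Python model of a port-security interface (example code written for this page, not Cisco's implementation). The interface name FastEthernet0/1, the MAC addresses, the frame sequence and the exact syslog wording are assumed for the example. It feeds a constructed sequence of source MACs through a port with "maximum 1" and shows what each mode does to the unknown device and, afterwards, to the authorised host.

```python
"""Added model of Cisco IOS switchport port-security (example code, not IOS).
A SecurePort tracks the secure-address table of one access port and applies the
configured violation mode to each incoming frame's source MAC."""
from dataclasses import dataclass, field

MODES = ("shutdown", "restrict", "protect")


@dataclass
class SecurePort:
    name: str = "FastEthernet0/1"     # assumed interface name
    maximum: int = 1                  # switchport port-security maximum X (IOS default 1)
    violation: str = "shutdown"       # switchport port-security violation ... (IOS default)
    sticky: bool = False              # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # ... mac-address H.H.H entries
    learned: set = field(default_factory=set)  # dynamically (or sticky) learned entries
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def ingress(self, mac: str) -> str:
        """Return the action the switch takes on a frame with source MAC `mac`."""
        if self.err_disabled:
            return "dropped: port is err-disabled"
        secure = self.static | self.learned
        if mac in secure:
            return "forwarded"
        if len(secure) < self.maximum:
            self.learned.add(mac)  # a free slot: the address becomes a secure address
            return "forwarded: learned"
        # Table full and this MAC is not in it: a security violation.
        if self.violation == "protect":
            return "dropped: protect mode, no log, no counter"
        self.violation_count += 1
        # Wording approximates the real IOS message.
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {mac} on port {self.name}.")
        if self.violation == "restrict":
            return "dropped: restrict mode, violation logged"
        self.err_disabled = True  # shutdown mode: the whole port goes err-disabled
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}, "
                           f"putting {self.name} in err-disable state")
        return "dropped: shutdown mode, port err-disabled"

    def recover(self) -> None:
        """Administrator clears err-disable with 'shutdown' then 'no shutdown'.
        Dynamically learned addresses are lost when the port bounces; sticky ones survive."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()

    def running_config(self) -> list:
        """Interface section as 'show running-config' would list it. Sticky addresses are
        written into the configuration; plain dynamic ones are not and vanish on reload."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        return lines


def simulate(violation, frames, maximum=1, sticky=False):
    """Run a constructed frame sequence through a fresh port; return (port, actions)."""
    port = SecurePort(maximum=maximum, violation=violation, sticky=sticky)
    return port, [port.ingress(mac) for mac in frames]


# Constructed traffic: the authorised PC twice, an unknown device, then the PC again.
FRAMES = ["0011.2233.4455", "0011.2233.4455", "aaaa.bbbb.cccc", "0011.2233.4455"]

if __name__ == "__main__":
    for mode in MODES:
        port, actions = simulate(mode, FRAMES)
        print(f"{mode:9s} violations={port.violation_count} {actions}")
    port, _ = simulate("restrict", FRAMES, sticky=True)
    print("\n".join(port.running_config()))
```

The fourth frame is the interesting one: in shutdown mode the authorised PC is cut off along with the intruder until someone bounces the port, while restrict and protect keep it working and only differ in whether you ever hear about the violation. The sticky run also shows the learned PC address turning up in the running configuration, which is what survives a reload once saved.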

Configuring a range of interfaces:

DeviceName(config)#interface range fastEthernet 0/X - Y

Where X is the lowest and Y the highest port number; note the spaces around the hyphen. Every command entered at the resulting (config-if-range)# prompt is applied to all ports in the range, which is the quick way to apply the port-security commands above to a whole bank of access ports.
