Professional Documents
Culture Documents
When it comes to basic password security, there are three basic types:
Line Passwords Privileged mode Passwords (enable mode) Username Passwords (optional)
Lets explore these. Line Passwords Line passwords are configured on router lines. Examples of lines are:
Console Line - The console is the main serial administrative port on a router. This is where you configure the router when it is new and has no network configuration. Aux Line The aux line is an auxiliary port. Like the console, it is a physical port on every router. You can think of it as a backup console port. Besides being a backup console port, the aux port is periodically used for administrative console dial up access to the router. VTY Lines Vty lines are virtual tty lines and are used when you connect to the router via telnet or ssh. These are not physical lines on the router but virtual inbound network lines. Async Lines Async lines are asynchronous serial lines and are optional. These async lines are created when you insert an async serial card in a router. You can use the async serial lines to connect dumb-terminals (text-based terminals), serial printers, or modems.
All of these different lines need a password configured on them. Lets find out how to configure Cisco router line passwords.
As you can see in the graphic, we first set the password to cisco using password cisco, then enabled login using that password with the login command. We repeat this on the aux port, like this:
Finally, we configure the same commands on the VTY lines. The catch to doing this is that there is more than one VTY. Because you dont want to have to configure them one at a time, you use a VTY range when performing the configuration. Using a VTY range works by specifying your routers starting and ending VTY number. Inside the configuration mode for this range of VTYs is where you are configuring the password and login commands. In the past, router only had 0-4, or 5, VTY lines. Today, most routers have 0-15, or 16, VTY lines. Make sure that you know how many VTYs your router has so that there arent some lines that are left without a password. Here is what you do to tell how many lines your router has:
As you can see from the screenshot above, this router has 16 (actually 0 to 15) VTY lines. You know this because the last line number is 15. Here is how you would configure the password and login commands on the VTY lines using the range of VTYs:
Username Passwords
Optionally, you can configure usernames and associated passwords on a Cisco router. This is a more advanced level of security than line passwords. Once configured on the lines, the line password is then ignored. You configure the usernames with the username command and can add their password on the same command line. Optionally, you can configure the privilege level of that user. Level 15 is the administrative user. Once you create the username, you need to tell each line to use the local username/password database, on the router. To do this, go back to each line and type login local. Here is an example:
Notice that we were prompted for a username. We typed in one of the users we setup, admin. We were then prompted for admins password. Also, because we specified that admins privilege was 15, we were put directly into privileged mode, with full administrative privileges (and without having to type enable). If we log out, and log back in, notice that user1 doesnt have the # sign, telling us that we are already in privileged mode:
In this article, you learned that there are line passwords and privileged mode passwords. The line passwords protect the console, aux, and vty lines. They are configured with the password and login command. The privileged mode password should be configured with enable secret. Optionally, you can configure usernames and use the login local command on the lines. All routers should be protected by a password, at minimum. Additionally, privileged mode (and configuration mode) should be controlled by an additional password. Your action: check each router for proper line and password security as this is the minimum level of security you should employ.