Making Known the Secrets to Network Management. Raising up a new generation of professionals.
Sunday, April 25, 2010
Basic Cisco Router Security and Ethernet Support
Abstract: We're going to quickly configure and secure a stock Cisco 2505 router and enable Ethernet support. The tasks are as follows:
1) shut down unnecessary serial ports
2) set passwords
3) change the IP address
The router will start in user (boot) mode. In this mode we can see configuration data but not make alterations. The example router is named Bart and this is the current prompt:
Bart>
Moving into privileged (aka enable) mode allows the admin to make changes. The system indicates privileged mode with # for the prompt:
Bart> enable
Bart#
Closing Unnecessary Serial Ports
The router's serial ports will not be used for this network and both must be turned off. On the prompts, notice that (config) is general configuration mode and (config-if) indicates that a particular 'interface' (serial, ethernet, etc. port) has been selected.
Bart# configure terminal
Bart(config)# interface Serial0
Bart(config-if)# shutdown
(to reenable the command is no shutdown)
Bart(config-if)# exit
(repeat for Serial1)
Bart(config)# exit
Bart# write terminal
At this point the configuration information is printed to the screen. Check to ensure the data is properly entered.
Bart# write memory
Enabling and Encrypting Passwords
We'll start with securing the console (initial screen).
Bart# config term
Bart(config)# line console 0
Bart(config-line)# login
Bart(config-line)# password Sk@teb0ard
Bart(config-line)# exit
Bart(config)# exit
Remote terminal sessions:
Bart# config term
Bart(config)# line vty 0 4
Bart(config-line)# login
Bart(config-line)# password Krus%Ycl0wn
Bart(config-line)# exit
Bart(config)# exit
Privileged mode:
Bart# config term
Bart(config)# enable password Tr<>4ouSe
Bart(config)# exit
Bart# disable (exits privileged mode into user mode)
Bart> enable
Password:
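Viewing the system configuration at this point reveals the passwords in plain text. To ensure no one accidentally views sensitive info, it must be encrypted. Keep in mind that service password-encryption applies Cisco's type 7 encoding, which is reversible: it protects against casual viewing of the screen, not against someone who obtains a copy of the configuration. Where the device supports it, enable secret stores the privileged-mode password as a one-way hash instead.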
Bart# config term
Bart(config)# service password-encryption
Bart(config)# exit
Bart# write terminal (check that all passwords are encrypted)
Telnet into the router to ensure your password works. All changes have been tested.
Bart# write memory (saves the configuration information to NVRAM and will persist through power cycles)
Bart# reload (restarts the router)
System configuration was modified. Save? [yes/no] yes
Proceed with reload? [confirm] *press enter*
Close the terminal window so that someone can't scroll up and collect password data that was previously displayed.
Changing the IP Address
Bart> enable
Bart# conf term
Bart(config)# interface Ethernet0
Bart(config-if)# ip address 192.168.9.1 255.255.255.255
Bart(config-if)# exit
Bart(config)# exit
Bart# write term (check that change was made)
Bart# write mem
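As an added example (not part of the original post), here is a short Python audit that parses "write terminal"-style output and flags the conditions this walkthrough is meant to remove: serial ports left up, plaintext line passwords, missing service password-encryption, and enable password without enable secret. The sample configuration and its passwords are constructed, and the function names are this example's own.

```python
import re

# Constructed sample shaped like "write terminal" output; not from a real router.
SAMPLE_CONFIG = """\
hostname Bart
enable password ExamplePw1
!
interface Serial0
 shutdown
interface Serial1
 no ip address
line con 0
 password ExamplePw2
 login
line vty 0 4
 password 7 0000000000
 login
"""

def parse_sections(config):
    """Group indented sub-commands under their unindented parent command."""
    sections = []
    for raw in config.splitlines():
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            sections.append((raw.strip(), []))
    return sections

def audit(config):
    """Return findings for the hardening steps this post walks through."""
    sections = parse_sections(config)
    top = [head for head, _ in sections]
    findings = []
    if "service password-encryption" not in top:
        findings.append("service password-encryption is not enabled")
    if any(h.startswith("enable password") for h in top) and \
            not any(h.startswith("enable secret") for h in top):
        findings.append("enable password is set without enable secret")
    for head, body in sections:
        if re.match(r"interface Serial\d+$", head) and "shutdown" not in body:
            findings.append(f"{head}: serial port is not shut down")
        for cmd in body if head.startswith("line ") else []:
            # A leading type digit (e.g. "password 7 ...") means already encoded.
            if cmd.startswith("password ") and not re.fullmatch(r"password \d+ \S+", cmd):
                findings.append(f"{head}: password stored in plaintext")
    return findings

print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against a saved copy of the configuration rather than a live session, and treat that copy as sensitive, since type 7 strings in it are recoverable.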
Hi David.
I recommend that you use the command "secret" instead of the command "password" if your devices support it; this is because the "password" command is made with a reversible algorithm.
Regards!!!!
Hello Inner Trax,
Thanks for your comment - I will forward to Rob, who contributed this article!
Thanks - Dave