There are three main ways of locking down your Cisco switch. Before going into how to set up the passwords, it's probably a good idea to talk about the three types of passwords. The names pretty much tell you what each password is used for.
- Console – As you should know, in order to connect to the console you need to connect the console cable from your laptop into the back of the switch. You need to run a terminal program like PuTTY that will give you access to the switch's text console.
- VTY – By default, Cisco switches cannot be accessed remotely via a terminal program like PuTTY. There are two methods of connecting remotely: either a terminal (Telnet) connection or a Secure Shell (SSH) connection. The main difference between the two is that one is not encrypted and the other one is.
- Enable – This is a command that allows you to start programming the switch. It can be set up with a clear-text password, an encrypted password that is easy to break, or an MD5-encrypted password that is almost impossible to break.
Now that you know where and what you can password protect, the next part is to configure these passwords. Depending on the password “type” there may be a few ways of creating a password. Please note that even if you give the different items the same password, they are considered different. If a password were to be changed on one, it would not affect the others.
In order to set up the console password you will need to enter these lines.
- conf t
- line console 0 <- the “0” is a zero.
- password consolepassword <- “consolepassword” is the password I specified. Please change it to whatever you want.
- login <- If you do not tell the switch “login”, it will not prompt you for a password at login.
In order to set up the VTY password you will need to enter these lines.
- conf t
- line vty 0 15 <- the “0” is a zero.
- password vtypassword <- “vtypassword” is the password I specified. Please change it to whatever you want.
- login <- If you do not tell the switch “login”, it will not prompt you for a password when you log in via a telnet or SSH client.
In order to set up the Enable password you will need to enter these lines.
This password is stored completely in clear text in the config file.
- conf t
- enable password enablepassword <- “enablepassword” is the password I specified. Please change it to whatever you want.
- service password-encryption <- This step is optional. It encrypts all current and future passwords with an algorithm that is very easy to decrypt.
It’s a better idea to use the enable secret password. To use the MD5 encryption you need to run this command. Please note that if you’ve set up both “enable password” AND “enable secret”, the password used in “enable secret” will always be used. It’s also good to note that the two passwords can be different.
- conf t
- enable secret secretpassword <- “secretpassword” is the password I specified. Please change it to whatever you want.
Here’s a screenshot where I enable all the passwords in one terminal session:
At this point it’s good to check out the running configuration. To do this type:
Please notice how the secret password doesn’t reflect what you’ve typed. Please also note how the enable password is in clear text. As a reminder, if you want to encrypt the “enable password” you would need to type: service password-encryption. Please NOTE that this command doesn’t do anything to the secret password, i.e. it doesn’t encrypt the already encrypted password.
This is what it would look like after you have typed “service password-encryption”:
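The same check can be scripted against a saved copy of the running configuration. The following is an added example, not part of the original post: it reports passwords stored in clear text or with the weak service password-encryption form (shown as type 7 in the config), and line blocks that have a password but no “login”. The sample config and the names `audit` and `SAMPLE_CONFIG` are constructed for illustration.

```python
import re

# Constructed running-config excerpt (sample data, not from the original post).
SAMPLE_CONFIG = """\
enable secret 5 $1$CONSTRUCTED$notARealHashValue000000
enable password enablepassword
!
line con 0
 password consolepassword
 login
line vty 0 4
 password 7 00CONSTRUCTED00
 login
line vty 5 15
 password vtypassword
!
"""

# command, optional storage-type digit (5 = MD5 secret, 7 = service password-encryption), value
PW = re.compile(r"^(enable password|enable secret|password)\s+(?:(\d)\s+)?(\S+)$")

def audit(config):
    """Return (scope, issue) findings for weak password storage and missing 'login'."""
    findings, section, state = [], None, {}

    def close_section():
        # A line password without 'login' never produces a password prompt.
        if section and state.get("password") and not state.get("login"):
            findings.append((section, "password set but 'login' missing"))

    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # any top-level command ends the current line block
            close_section()
            section, state = (line, {}) if line.startswith("line ") else (None, {})
        if section and line == "login":
            state["login"] = True
        m = PW.match(line)
        if not m:
            continue
        cmd, ptype, _value = m.groups()
        scope = section or "global"
        if cmd == "password":
            state["password"] = True
        if ptype in (None, "0"):
            findings.append((scope, f"'{cmd}' stored in clear text"))
        elif ptype == "7":
            findings.append((scope, f"'{cmd}' uses type 7, easily reversed"))
    close_section()
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns five findings for the constructed sample; the “enable secret” line produces none because it is stored as an MD5 hash.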
Hope this helps 🙂