Network security relies heavily on passwords. Cisco routers use passwords to ensure that only "trusted" users can perform certain services. In this Daily Drill Down, Todd Lammle takes you on a journey through Cisco passwords.
In this Daily Drill Down, I will focus on a great way to ensure basic security on a Cisco router: router passwords. Passwords are absolutely the best defense against would-be hackers. Leaving no passwords on a Cisco router can cause major problems. Keep in mind that using passwords is just the first line of defense, and you should have other security features on your network as well.
Cisco has some defense against would-be hackers built into its router Internetworking Operating System (IOS). For example, it is impossible to Telnet into a Cisco router unless an administrator configures the router with a Telnet password or uses the No Login command, which allows users to Telnet into a router with no password. Either way, something has to be configured for Telnet to work. Also, you cannot enter privileged mode (which is the IOS EXEC mode that allows you to view or change the configuration on a router) from Telnet unless an Enable password is set. These are very basic features of Cisco routers and allow only some security.
Here, I will focus on the five basic Cisco router passwords you can use to protect your network. However, first you must know the difference between user mode and privileged mode. Both of these modes are called EXEC mode, and a prompt is used to tell you which mode you are in.
User mode CLI
The user mode EXEC command-line interface (CLI) is sometimes referred to as “useless mode” because it doesn’t do a whole lot. User mode lets you view interface statistics and is typically used by junior administrators to gather facts for the senior staff. You don’t want highly paid people sitting around gathering basic network statistics when a junior administrator can be adequately trained to document this information. To get into user mode, you can connect in one of three ways:
- Console: An RJ-45 connection on all Cisco routers allows full access to the router if no passwords are set.
- Aux: An RJ-45 connection on most routers allows you to connect a modem to the port, dial in to the router, and make a console connection.
- VTY: Virtual Teletype is used to allow a Telnet connection to the router, which will then work like a console port. You must have an active interface on the router for Telnet to connect to the router.
The most important thing to understand about the three connection modes is that they get you into user mode only. To view and change the configuration, you need to be in privileged mode.
Privileged mode CLI
The privileged EXEC mode allows full access to a Cisco router by default, and the configuration can be both viewed and changed in this EXEC mode. You can enter privileged mode by first entering user mode and then typing the command enable.
It is important to remember that to change the router configuration, you must be in privileged EXEC mode. The console, aux, and VTY ports are used to get into user mode only and have nothing to do with how the router is configured.
Here is an example of how to get into privileged mode on a Cisco router through the console port:
Line con 0 now ready, press return to continue
At this point, you press Enter. Next, you will see:
This prompt is asking for the console user-mode password. Then, you will see:
The prompt at user mode is the greater-than sign (>). When you are in privileged mode, the prompt changes to a pound sign (#).
Global configuration mode
Once you are in privileged mode, you enter global configuration mode to change the configuration. You make changes by typing the command configure terminal. However, I prefer to type the shortcut command config t. This allows you to change the running-config, a file that is in DRAM and is the configuration the router is using. You can save the running-config to what is called Non-Violate RAM (NVRAM). The file that is copied into NVRAM is called startup-config and is the configuration that is copied to RAM when the router is rebooted or powered up.
Once you type configure terminalfrom privileged mode, your prompt changes to the following:
This prompt tells you that you are in global configuration mode. From here, you can make changes to the router that affect the router in whole, hence the name global configuration mode. For example, this is the location where you set the router passwords.
If you want to change the configuration of an interface, you would have to enter interface configuration mode from global configuration mode. Here is an example:
Router(config)#interface fastethernet 0/0
Notice the prompt is Router(config-if)#, which tells you that you are in interface configuration mode. From here, you can enable or disable the interface, add IP and IPX addresses, and more.
The five passwords
Now that you understand the difference between user mode, privileged mode, and global and interface configuration modes, you can now set the passwords for each level.
Here are the five passwords you can set on a Cisco router:
- Enable password
- Enable Secret
We will discuss each of these passwords and how to configure them in the following sections.
This is the basic connection into every router. To initially set up a router, you need to connect to the console port and at a minimum enable one interface and set the VTY password. After one interface is enabled and the VTY lines are configured, an administrator can then Telnet into the router and do the final configurations from that connection. However, the console port can be used to configure the complete configuration at any time. This makes it very important to protect the console port with a password.
To configure a console user-mode password, use the Line command from global configuration mode. There is only one console port on all routers, so the command is
line console 0
Here is an example:
Router(config)#line console 0
Notice the prompt changed to Router(config-line)#. This prompt tells you that you are configuring the console, aux, or VTY lines.
To finish configuring the console port, you can use two more commands:
- Login:This tells the router to look under the console line configuration for the password. If you do not use this command, you will not be prompted for a password when you connect to the router’s console port.
- Password: This sets the console user-mode password. It is case sensitive.
The complete command will look like this:
Router(config)#line console 0
On some routers, aux is called the auxiliary port, and on some it is called the aux port. To find the complete command-line name on your router, use a question mark with the Line command as shown:
< 0-4> First Line Number
aux Auxiliary line
console Primary terminal line
vty Virtual terminal
At this point, you can choose the correct command you need. Here is an example of setting the aux port on a Cisco router to prompt for a user-mode password with a console cable connected (this port can be used with or without a modem):
Router(config)#line aux 0
The Virtual Teletype (VTY) lines are used to configure Telnet access to a Cisco router. As I mentioned earlier, the VTY lines must be configured for Telnet to be successful.
Here is an example of an administrator’s attempt to Telnet to a router that does not have the VTY lines configured:
Password not set, connection refused
This is the default on every Cisco router.
To configure the VTY lines, you must use the question mark with the command
to determine the number of lines available on your router. The number varies with the type of router and the IOS version. However, five is the most common number of lines.
Router(config)#line vty 0 ?
<0-4> Last Line Number
Router(config)#line vty 0 4
Notice that you choose all the lines available for the most efficient configuration. You can set each line individually, but because you cannot choose the line you enter the router with when you Telnet, this can cause problems.
You can tell the router to allow Telnet connections without a password by using the No Login command:
Router(config)#line vty 0 4
The Enable password is used to allow security on a Cisco router when an administrator is trying to go from user mode to privileged mode. The Enable password is an old, unencrypted password that will prompt for a password when used from privileged mode. You set the Enable password from global configuration EXEC mode and use the command
enable password password
Here is an example:
Router(config)#enable password lammle
Router#disable (the disable command takes you from privilege mode back to user mode)
The Enable Secret password accomplishes the same thing as Enable. However, it is encrypted by default and supercedes Enable if it is set. In other words, if you set the Enable password and then set the Enable Secret password, the Enable password will never be used.
You set the Enable Secret password from global configuration mode by using the command:
enable secret password
Here’s an example:
Router(config)#enable secret san jose
Encrypting your passwords
The Line command passwords (console, aux, and VTY) are not encrypted by default and can be seen by going into privileged EXEC mode and typing the command
This displays the complete configuration that the router is running, including all the passwords. Remember that the Enable Secret password is encrypted by default, but the other four are not. To encrypt your passwords, use the global configuration command
Here is an example of how to perform manual password encryption (as well as an example of how to set all five passwords):
Router(config)#enable password todd
Router(config)#line vty 0 4
Router(config-line)#line con 0
Router(config-line)#line aux 0
Router(config)#no service password-encryption
Router(config)#enable secret lammle
All of the passwords can be the same except the Enable and the Enable Secret passwords. You should make them different for security reasons, however.
It is extremely important to set your passwords on every Cisco router your company has. If you are studying for your Cisco certification exams, be sure you understand the passwords and how to set them. Remember the difference between the Enable Secret and the Enable password and that the Enable Secret password supercedes the Enable password if it’s set.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.