Basic Configuration/Security

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#enable secret cisco
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exec-timeout 30 30
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exec-timeout 10
R1(config-line)#logging synchronous
R1(config-line)#exit
R1(config)#line aux 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 15 30
R1(config-line)#exit
R1(config)#service password-encryption
R1(config)#service tcp-keepalives-out
R1(config)#service tcp-keepalives-in
R1(config)#banner motd +
Enter TEXT message.  End with the character '+'.

WARNING!!! UNAUTHORIZED USERS ARE PROHIBITED TO ACCESS THIS DEVICE!

+
R1(config)#

To enter privileged EXEC mode, use the enable command.  In this mode you can change some router settings such as the clock, save or erase the configuration, reload the router and so on, and use the show commands to display the status of the configuration and of the interfaces.  You can tell you are in privileged EXEC mode by the # symbol after the hostname; user EXEC mode shows the > symbol instead.

To configure the router, you have to enter global configuration mode with the configure terminal command.  Here you add and remove configuration, changing the router itself to your liking.

The command hostname R1 changes the name of the router from Router to R1.

The command enable secret cisco protects privileged EXEC mode: it helps prevent unauthorized users from entering privileged EXEC mode and changing the router's configuration.  (cisco is only a placeholder in this lab; never use it, or any dictionary word, on a real device.)  The enable password command can also be used; however, it stores the password in the running-config in clear text.  The enable secret value is stored as a salted MD5 hash (a type 5 secret), which is a one-way function, so the secret itself never appears in the configuration.  MD5 is fast to attack offline, so newer IOS releases also offer type 8 (SHA-256) and type 9 (scrypt) secrets through enable algorithm-type sha256|scrypt secret, which should be preferred where available.  If both enable password and enable secret are configured, the router only checks the enable secret, because it is the stronger of the two.  In addition, the router will not accept the same value for the password and the secret, since the weak form would give away the strong one.

To configure the console port on the back of the router, you have to enter line configuration mode for it with the line console 0 command.  To add security to the console port, I added a password of cisco with the password cisco command.  The login command is what actually makes the router prompt every user for that password; a password without login is never checked.  The exec-timeout 30 30 command sets how long an idle session may sit before the router logs the user out, in this case 30 minutes and 30 seconds.  A value of 0 0 turns the timeout off, as does no exec-timeout, which is a bad idea on a port that anyone with physical access can reach.

The line vty 0 4 command enters line configuration mode for the five virtual terminal (vty) lines, which carry remote Telnet and SSH sessions to the router.  Note that with only a password and login on the vty lines, the router still accepts Telnet, which sends the password across the network in clear text; transport input ssh restricts the lines to SSH.  The line aux 0 command does the same for the auxiliary port, which is normally used for a modem connection.  The configuration options in these modes are the same as for the console line.

The service password-encryption command applies to passwords that are not hashed, such as line passwords and the enable password.  It obfuscates them as type 7 strings using a Cisco-proprietary scheme that is very weak and can be reversed instantly, because the key is a fixed, publicly known constant; still, it is better than showing the password in clear text to anyone looking over your shoulder at show running-config.
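As an added example (not code from the original post), here is a small Python script that shows why the warnings in the enable secret, line and service password-encryption paragraphs matter.  It reverses type 7 strings, since the scheme is just XOR with a fixed public key stream, and audits a running-config for the weak settings discussed above: enable password in use, reversible or cleartext line passwords, a password with no login, a disabled exec-timeout, and Telnet on the vty lines.  The running-config at the bottom is constructed for illustration, and its enable secret hash is a placeholder rather than a real digest.

```python
"""Audit a Cisco IOS running-config for the weak settings discussed above.

Added example, not code from the original post. SAMPLE_CONFIG is constructed.
"""
import re

# Cisco's fixed type 7 key stream. Because it is a public constant, the
# "encryption" is just XOR with known bytes and is trivially reversible.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(encoded: str) -> str:
    """Recover the plaintext from a 'password 7 ...' string.

    Layout: two decimal digits giving the start offset into XLAT, then one
    hex byte per plaintext character, each XORed with the next XLAT byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)]))
                   for i, b in enumerate(body))


def encrypt_type7(plaintext: str, seed: int = 8) -> str:
    """Inverse of decrypt_type7; IOS picks the seed at random from 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = bytes(ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)])
                for i, c in enumerate(plaintext))
    return f"{seed:02d}{out.hex().upper()}"


def audit_config(config: str) -> list[str]:
    """Return one finding per weak setting found in an IOS running-config."""
    findings = []
    stanza = None            # name of the 'line ...' block being parsed
    has_login = {}           # stanza -> 'login' seen
    has_password = {}        # stanza -> 'password' seen

    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("global: service password-encryption is not set")

    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # global-level command
            stanza = line if line.startswith("line ") else None
            if stanza:
                has_login[stanza] = has_password[stanza] = False
            m = re.match(r"enable password(?: (\d))? (\S+)$", line)
            if m:
                pw = decrypt_type7(m.group(2)) if m.group(1) == "7" else m.group(2)
                findings.append(f"global: enable password recovered as {pw!r}; "
                                "use enable secret instead")
            elif line.startswith("enable secret 5 "):
                findings.append("global: enable secret is type 5 (MD5); prefer "
                                "type 8/9 where the IOS release supports it")
            continue
        if stanza is None:                     # indented line outside 'line'
            continue
        m = re.match(r"password(?: (\d))? (\S+)$", line)
        if m:
            has_password[stanza] = True
            if m.group(1) == "7":
                findings.append(f"{stanza}: type 7 password recovered as "
                                f"{decrypt_type7(m.group(2))!r}")
            elif m.group(1) in (None, "0"):
                findings.append(f"{stanza}: password {m.group(2)!r} stored in cleartext")
        elif line.startswith("login"):
            has_login[stanza] = True
        elif line in ("exec-timeout 0 0", "no exec-timeout"):
            findings.append(f"{stanza}: idle timeout disabled")
        elif stanza.startswith("line vty") and re.match(r"transport input (telnet|all)$", line):
            findings.append(f"{stanza}: cleartext Telnet allowed; use 'transport input ssh'")

    for name, pw_set in has_password.items():
        if pw_set and not has_login[name]:
            findings.append(f"{name}: password set but 'login' missing, so it is never checked")
    return findings


# Constructed sample running-config, roughly what the commands in the post
# produce. The enable secret hash is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$placeholder$notARealHashValueXXXXXXXX
!
line con 0
 password 7 0822455D0A16
 login
 exec-timeout 0 0
line aux 0
 password 7 0822455D0A16
 exec-timeout 15 30
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

To run it against a real device, save the output of show running-config to a file and pass its contents to audit_config instead of SAMPLE_CONFIG.  Anyone who can read the configuration (a backup, a TFTP server, an attachment in a ticket) recovers every type 7 password the same way, which is the real reason to rely on enable secret and, where the platform allows it, username ... secret accounts over SSH rather than line passwords over Telnet.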

The service tcp-keepalives-in and service tcp-keepalives-out commands help the router tear down hung TCP connections that it terminates itself, such as Telnet or SSH sessions to its vty lines (-in covers connections the router accepted, -out covers connections it originated); they do not affect traffic merely passing through the router.  For example, if a PC has a Telnet session open to R1 and the PC crashes or is unplugged, R1 would otherwise never learn that the other end is gone and would keep the session, and the vty line it occupies, open.  With keepalives enabled the router probes the idle connection and closes it once the other end stops responding.  This matters because only five vty lines exist here, and enough hung sessions can lock administrators out.

The banner motd command creates a banner for anyone connecting to the router.  motd stands for Message Of The Day, and it is displayed every time a user connects, before the login prompt.  The banner command has other variants, such as banner login (shown after the motd, before the password prompt) and banner exec (shown after a successful login).  The + symbol is a delimiter: every character between the two delimiters, including spaces and other symbols, is displayed.  Make sure the delimiter character does not appear inside your message, because it will cut the message off.  For example, with banner motd n My name is R1 n, the router only shows My instead of My name is R1, because the delimiter is the letter n and the first n after the word My (the one in name) ends the message.

About networkshinobi

This blog is about the things I learned about computers and networking to help me to remember them as I push further my studies. I created this blog to help myself to continue my education; and if you find this blog helpful for your studies, that is great. That is one of the reasons why I made this blog, to share my interest and knowledge. Also, all the entries/posts I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in CCNA Security, My CCNA Studies. Bookmark the permalink.
