How to protect a Cisco switch or router with password encryption in IOS

Home > Search > How-to
  by

Follow these directions to create passwords and then encrypt the passwords on a Cisco switch in IOS. First we will create the requirement to enter a password to access the switch.

  1. In IOS, type enable and press enter
  2. Type show running-config, and press spacebar until you see text such as line con 0, line aux 0, line vty 0 4. Make note of the number after line con.
  3. Type configure terminal and press enter
  4. Type line con followed by the number displayed in show running config and press enter (example: line con 0)

Note: con is the shortened version of the word console

  1. Type password password and press enter (example: password SecretLinePasswd)
  2. Type login and press enter
  3. Type exit and press enter
  4. Type exit and press enter again
R1> enableR1# show running-confingR1# configure terminalR1(config)# line console 0R1(config-line)# password passwordR1(config-line)# loginR1(config-line)# exitR1(config)# exitR1# exit

Use the show running-config to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password. 


Next we password protect VTY.

  1. In IOS, type enable and press enter
  2. Type configure terminal and press enter
  3. Type line vty 0 4 and press enter
  4. Type password password and press enter (example: password SecretVtyPasswd)
  5. Type login and press enter
  6. Type exit and press enter
  7. Type exit and press enter again
R1> enableR1# configure terminalR1(config)# vty 0 4R1(config-line)# password passwordR1(config-line)# loginR1(config-line)# exitR1(config)# exitR1# exit

Use the show running-config to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password. 

Note: The VTY (virtual terminal lines) are used to connect to the router or switch remotely, via SSH or telnet. Because VTY is virtual, there is no physical interface on the router for the VTY interface. When making a VTY connection to the router or switch from a computer in the LAN, the connection flows through the Ethernet LAN interface, which is probably GigabitEthernet0/1. When making a VTY connection to the router or switch from a computer over the WAN, the connection flows throughthe Ethernet WAN interface, which is probably GigabitEthernet0/1.


Next we will create the requirement to enter a password to enter priviledged (enable) mode in the switch.

  1. In IOS, type enable and press enter
  2. Type configure terminal and press enter
  3. Type enable password password and press enter (example: enable password SecretExecPasswd)
  4. Type exit and press enter
R1> enableR1# configure terminalR1(config)# enable password passwordR1(config)# exitR1# exit

Use the show running-config to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password.  Once signed into the switch, type enable and press enter. You will be prompted to enter the password required to access priviledged mode.


Next we will encrypt the password used to access priviledged mode.

  1. In IOS, type enable and press enter
  2. Type configure terminal and press enter
  3. Type enable secret password and press enter (example: enable secret Secretpasswd)
  4. Type exit and press enter
R1> enableR1# configure terminalR1(config)# enable secret passwordR1(config)# exitR1# exit

Use the show running-config to verify that the password has been encrypted.


Next will will encrypt the password used to access the switch.

  1. In IOS, type enable and press enter
  2. Type configure terminal and press enter
  3. Type service password-encryption and press enter
  4. Type exit and press enter
R1> enableR1# configure terminalR1(config)# service password-encryptionR1(config)# exitR1# exit

Use the show running-config to verify that the password has been encrypted. This will also encrypt any new passwords added to the switch in the future.


We can also prevent brute force attacks by implementing a lock out period after numerous unsuccessful sign in attempts.

  1. In IOS, type enable and press enter
  2. Type configure terminal and press enter
  3. Type login block-for x attempts x within x and press enter (example: login block-for 300 attempts 3 within 120)
    • Block-for 300 means the user is blocked for 300 seconds
    • Attempts 3 means the user will be blocked after 3 unsuccessful sign in attempts
    • Within 120 means the 3 unsuccessful sign in attempts needs to occur within 120 seconds
  4. Type exit and press enter
R1> enableR1# configure terminalR1(config)# login block-for 300 attempts 3 within 120R1(config)# exitR1# exit

The reload command can be used to return the switch to the configuration it had before any changes were made.

To ensure these changes remain saved if the switch is restarted, save the changes to the startup-config. Type copy running-config startup-config and press enter. This saves to NVRAM. To ensure the startup-config contains the encrypted passwords, use the show startup-config command. It is also possible to save the changes to flash using the copy startup-config flash command. Then use the show flash command, and the startup-config file should be listed.



Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.




Please enter in the box below so that we can be sure you are a human.




Comments