Follow these directions to create passwords and then encrypt the passwords on a Cisco switch in IOS. First we will create the requirement to enter a password to access the switch.
Note: con is the shortened version of the word console
R1> enable
R1# show running-config
R1# configure terminal
R1(config)# line console 0
R1(config-line)# password password
R1(config-line)# login
R1(config-line)# exit
R1(config)# exit
R1# exit
Use the show running-config command to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password.
Next we password protect the VTY lines.
R1> enable
R1# configure terminal
R1(config)# line vty 0 4
R1(config-line)# password password
R1(config-line)# login
R1(config-line)# exit
R1(config)# exit
R1# exit
Use the show running-config command to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password.
Note: The VTY (virtual terminal) lines are used to connect to the router or switch remotely, via SSH or telnet. Because VTY is virtual, there is no physical interface on the router for the VTY interface. When making a VTY connection to the router or switch from a computer in the LAN, the connection flows through the Ethernet LAN interface, which is probably GigabitEthernet0/1. When making a VTY connection to the router or switch from a computer over the WAN, the connection flows through the Ethernet WAN interface, which is probably GigabitEthernet0/1.
Next we will create the requirement to enter a password to enter privileged (enable) mode in the switch.
R1> enable
R1# configure terminal
R1(config)# enable password password
R1(config)# exit
R1# exit
Use the show running-config command to verify that the password has been added. Type exit and press enter to sign out of the switch. Attempt to sign into the switch again. You will be prompted for the console password. Once signed into the switch, type enable and press enter. You will be prompted to enter the password required to access privileged mode.
Next we will encrypt the password used to access privileged mode.
R1> enable
R1# configure terminal
R1(config)# enable secret password
R1(config)# exit
R1# exit
Use the show running-config command to verify that the password has been encrypted.
Next we will encrypt the password used to access the switch.
R1> enable
R1# configure terminal
R1(config)# service password-encryption
R1(config)# exit
R1# exit
Use the show running-config command to verify that the password has been encrypted. This will also encrypt any new passwords added to the switch in the future.
We can also slow down brute-force attacks by implementing a lockout period after a number of unsuccessful sign-in attempts.
R1> enable
R1# configure terminal
R1(config)# login block-for 300 attempts 3 within 120
R1(config)# exit
R1# exit
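As an added example (not part of the original directions, and not a Cisco tool), the following Python script reads the text of show running-config and reports which of the steps above are missing or incomplete: enable secret versus enable password, service password-encryption, login block-for, and a password plus login on the console and VTY lines. The two configurations embedded in it are constructed samples, one before and one after the steps; the type 7 strings and the enable secret hash in them are made-up placeholders, not real encodings.

```python
"""Audit a Cisco IOS configuration for the password-hardening steps
covered above. Added example, not from the original page."""

# Constructed sample of `show running-config` output, trimmed to the lines
# this audit cares about; not captured from a real device.
WEAK_CONFIG = """\
!
version 15.2
no service password-encryption
hostname R1
!
enable password cisco123
!
line con 0
 password cisco
 login
line vty 0 4
 password 7 00112233445566
 login
!
end
"""

# The same device after the steps above (constructed; the type 7 strings
# and the type 5 hash are made-up placeholders, not real encodings).
HARDENED_CONFIG = """\
!
version 15.2
service password-encryption
hostname R1
!
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH0000000
login block-for 300 attempts 3 within 120
!
line con 0
 password 7 00112233445566
 login
line vty 0 4
 password 7 00112233445566
 login
!
end
"""


def sections(config_text):
    """Split a config into top-level commands and 'line ...' blocks.

    Returns (global_lines, blocks); blocks maps each 'line ...' header to
    the indented commands beneath it, so a password under 'line vty 0 4'
    is attributed to that line and not to the console.
    """
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and comments
        if raw.startswith(" "):
            if current is not None:       # indented: belongs to the open block
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith("line ") else None
        if current:
            blocks[current] = []
        else:
            global_lines.append(cmd)
    return global_lines, blocks


def audit(config_text):
    """Return (severity, message) findings for the hardening steps above."""
    global_lines, blocks = sections(config_text)
    findings = []

    if not any(c.startswith("enable secret") for c in global_lines):
        findings.append(("high", "no 'enable secret' protecting privileged mode"))
    if any(c.startswith("enable password") for c in global_lines):
        findings.append(("medium", "'enable password' present; prefer 'enable secret' and remove it"))
    if "service password-encryption" not in global_lines:
        findings.append(("medium", "'service password-encryption' not enabled; line passwords are clear text"))
    if not any(c.startswith("login block-for") for c in global_lines):
        findings.append(("low", "no 'login block-for' lockout against repeated failed logins"))

    for header, cmds in blocks.items():
        if not header.startswith(("line con", "line vty")):
            continue
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(("high", f"{header}: 'login' not set, so no password is enforced"))
        passwords = [c.split() for c in cmds if c.startswith("password ")]
        if not passwords:
            findings.append(("high", f"{header}: no password configured"))
        elif len(passwords[0]) >= 3 and passwords[0][1] == "7":
            # Type 7 is what service password-encryption produces; it hides the
            # value from a casual glance but is only weak obfuscation, not a hash.
            findings.append(("low", f"{header}: password stored as type 7 (weakly obfuscated)"))
        else:
            findings.append(("medium", f"{header}: password stored in clear text"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit(cfg):
            print(f"[{severity}] {message}")
```

Run it as-is to see the before and after reports, or paste the output of show running-config from your own device into WEAK_CONFIG. The script rates a type 7 line password lower than clear text but does not treat it as solved, because service password-encryption only obfuscates line passwords; the enable secret, which is a hash, is the one that is actually protected.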
The reload command can be used to return the switch to the configuration it had before any changes were made, because it restarts the switch from the saved startup-config.
To ensure these changes remain saved if the switch is restarted, save the changes to the startup-config. Type copy running-config startup-config and press enter. This saves to NVRAM. To ensure the startup-config contains the encrypted passwords, use the show startup-config command. It is also possible to save the changes to flash using the copy startup-config flash command. Then use the show flash command, and the startup-config file should be listed.