Join Denise Allen-Hoyt for an in-depth discussion in this video Securing console and Telnet access, part of Up and Running with Cisco CLI Router Configuration.
- Devices on a network should be secured both physically and logically. All network devices should be located in a secure room with locking doors or should be installed in a locking cabinet. Passwords should definitely be configured to prevent unauthorized access to the router's operating system. Applying a password to the console port will provide additional security if someone attaches a cable to that console port and attempts to log into your router.
Setting a console password forces the user to enter the correct password prior to being granted access to the router's command line interface via the console port. I'm gonna show you the sequence of commands that we use to secure both the console ports as well as the virtual terminal ports on the router. Begin by typing "enable." Then "config" from the terminal. We're gonna enter the "line console 0." Next step is to issue the command "password," followed by the password that you would like to use.
In this case, I'm gonna use "MyConsolePassword." Typically passwords are set by your network administrator and have a certain policy in terms of how they are set, how they're named. Then we use the command "login," which forces the use of a password while trying to log into the router. And that is the command sequence. We type "exit" to get out of the line mode. "exit" again to get into the privileged EXEC mode.
We issue a "show run" so I can verify that I have set a password on the console interface. And you can see there towards the bottom of the configuration file that the line console does indeed have that password set with the login required. The next thing I'm gonna show you how to do is how to secure the virtual terminal lines. On the router there are five, and they are numbered 0 to 4. And these are lines that you could use to access the router through an in-band connection.
Again we "config" from the terminal. We go ahead and enter our line, "line vty." Now I can either set separate passwords on each one of the vty lines or I can do one password for all five of the lines. In this case I'm gonna demonstrate how to do a password on the single "line vty 0." "password MyVTY0Password." And then again "login" to force the use of a password when trying to log into the router through the vty line.
"exit," "exit." "show run." Spacebar, spacebar. You can see that I have set not only the console password now, but also the vty 0 password. Finally I'm gonna show you how to secure the remaining vty lines all as one group. So "config t." "line vty 1 4." Notice that the config now says "config-line." That's how you know you're in a line configuration mode.
"password MYVTY14Password." And then "login" to force the use of that password when trying to log into the router through vty 1, 2, 3, or 4. I'm gonna use the Control Z this time to get all the way out of the router. Do a "show run." Spacebar, spacebar, spacebar. And you can see that my configuration of my passwords for the line console, for line vty 0, and the line vty 1 through 4 are now set on my router.
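The "show run" check from the walkthrough can be automated. The following is an added example, not part of the video or the course material: it parses a running-config excerpt and lists which of the console and vty 0 to 4 lines still lack the `password` plus `login` pair. The function names and both sample configs are constructed for illustration.

```python
import re

# Constructed "show run" excerpt: the state after only vty 0 has been secured.
PARTIAL_CONFIG = """\
line con 0
 password MyConsolePassword
 login
line vty 0
 password MyVTY0Password
 login
line vty 1 4
 login
"""
# Constructed end state from the video: vty 1-4 now carry a password as well.
FINAL_CONFIG = PARTIAL_CONFIG.replace(
    "line vty 1 4\n", "line vty 1 4\n password MYVTY14Password\n")

HEADER = re.compile(r"^line (con|vty) (\d+)(?: (\d+))?\s*$")

def parse_line_blocks(config_text):
    """Return [(kind, first, last, [sub-commands])] for console and vty blocks."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        m = HEADER.match(raw)
        if m:
            first = int(m.group(2))
            last = int(m.group(3)) if m.group(3) else first
            current = (m.group(1), first, last, [])
            blocks.append(current)
        elif raw.startswith(" ") and current:
            current[3].append(raw.strip())
        else:
            current = None  # left the line block
    return blocks

def unsecured_lines(config_text, vty_count=5):
    """List lines (con 0, vty 0-4) that lack 'password' or 'login'."""
    secured = set()
    for kind, first, last, cmds in parse_line_blocks(config_text):
        has_password = any(c.startswith("password ") for c in cmds)
        if has_password and "login" in cmds:  # only the method shown in the video
            secured.update((kind, n) for n in range(first, last + 1))
    expected = [("con", 0)] + [("vty", n) for n in range(vty_count)]
    return [f"{kind} {n}" for kind, n in expected if (kind, n) not in secured]

if __name__ == "__main__":
    print("partial:", unsecured_lines(PARTIAL_CONFIG))
    print("final:  ", unsecured_lines(FINAL_CONFIG))
```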
- Accessing a Cisco router
- Exploring terminal emulation
- Configuring a router hostname
- Disabling IP domain lookup
- Securing access
- Configuring interfaces and routes
- Setting up dynamic routing
- Verifying configurations