Config Lab: CLI Passwords 1
Protecting access to the CLI of Cisco routers and switches starts with basic password security. From there, you can move on to use per-user login security that requires both a username and password, whether using locally-configured username/password pairs or whether taking advantage of the authentication servers already used by users inside the company. For the CCNA exam, though, you start with simple passwords. This lab gives you some practice configuring basic passwords (with no usernames) to protect CLI access.
The Lab Exercise
Lab Requirements
Configure switch SW1 with password security for console, telnet, and privileged-mode access. Configure the passwords so that all users use the same password to reach user mode from the console, with no per-user username required. Likewise, use one password for all users who Telnet into the switch to reach user mode.
This lab begins with all the interfaces shown in Figure 1 working, with IPv4 addresses configured, and with all hosts able to ping other local hosts and hosts in the rest of the Enterprise.
The specific rules for this lab are as follows:
- Use password βjoyβ to protect console access for all users to switch SW1.
- Use password βpeaceβ to protect Telnet access for all users to switch SW1.
- Use password βkindnessβ to protect access to privileged mode for all users, using the more secure configuration option.
Figure 1: Network for this Lab, with Console Access Switch SW1
Initial Configuration
Example 1 shows the non-default configuration added to switch SW1 before your work for this lab begins. Basically, the switch has already been configured with an IP address and a default gateway to allow telnet access.
hostname SW1
ip default-gateway 10.1.1.1
!
interface vlan1
ip address 10.1.1.20 255.255.255.0
Example 1: SW1 Initial Configuration
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration β even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Ciscoβs free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
-
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2. If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
-
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab
- Test the configuration using some of the suggestions below.
Network Device Info:
This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.
Device | Lab Port | Β CML Port |
SW1 | G0/1 | G0/1 |
SW1 | F0/1 | G0/2 |
SW1 | F0/2 | G0/3 |
Host device info:
This table lists host information pre-configured in CML, information that might not be required by the lab but may be useful to you.
Device | IP Address | Mac Address | User/password |
PC | 10.1.1.11 | 02:00:11:11:11:11 | cisco/cisco |
S | 10.1.1.22 | 02:00:22:22:22:22 | cisco/cisco |
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Lab Answers
enable secret kindness
!
line con 0
password joy
login
!
line vty 0 4
password peace
login
!
line vty 5 15
password peace
login
Example: SW1 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Lab Commentary
Cisco routers and switches allow a simple security method for both the console and for Telnet access. Basically, all you have to do is tell the device to use that method by supplying a prompt for the password (the login subcommand), and then define the passwordβs value (the password subcommand).
Note that the answer shows the configuration of the VTY password (to support Telnet) with VTYs 0 through 4 as separate from the configuration of VTYs 5 through 15. This quirk of Cisco output has to do with the fact that older IOS versions support only VTYs 0 through 4. You could have used the commands literally shown in the answer example, or you could have used the command line vty 0 15, followed by those same password and login commands.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | None | No known issues related to this lab. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.
-
- Connect to the console, and try to login with the configured password.
- Using the PC connected to a LAN interface, Telnet into the switch, and try the Telnet password.
- From either, use the enable command to then test the enable password.
Hi, i configured the password for console access in Packet Tracer but when i try to connect from PC0 it doesn’t ask me for any password. Here’s an example of the code that i put
SW1#configure terminbal
SW1(config)#enable secret kindness
Ahmed,
The “enable secret kindness” command tells IOS to ask for a password when any user in user mode uses the enable EXEC command. The “enable” EXEC command tells IOS that the user wants to move to privileged mode, with “enable secret kindness” configured, the user should be prompted at that point, and IOS require “kindness”.
For a user to be prompted for a password before gaining access to user mode from the console, then configure:
line con 0
login
password whatever
I think that’s what you were expecting, right? A password prompt before gaining access at the console?
Or, for Telnet:
line vty 0 15
login
password whatever
Wendell
Hello Mr. Wendell,
I extended this lab exercise to test if I could ping the switch from PC0 (and PC1) or if I could telnet to the switch from PC0.
I configured the switch as follows:
(config)# interface vlan 1
(config-if)# no shutdown
(config)# line vty 0 4
(config-line)# transport input telnet.
Result:
I cannot ping not telnet the switch.
What am I not doing right?
Azza
Hi Azza,
Wonderful! Some suggestions:
1) The vty’s need the subcommand that cause the switch to (a) prompt for a password, and (b) to define the password that is to be used. So, add “login” and “password azza” to the vty’s. I’m assuming you already configured the commands per the normal part of the lab.
Hope this helps…
Hi Wendell,
I am making a slightly change for your configuration as below:
enable secret kindness
!
line con 0
password joy
login
!
line vty 0 4
password peace
login
Transport input Telnet
This is working as well. But I have a question is the command default Cisco transport input none, why does the pc have telnet access by your configuration.
Many Thanks,
Gordon
Hey Gordon,
Oddly enough, for reasons I don’t know, Cisco IOS switches have a default of “transport input all” and routers have a default of “transport input none”.
I just checked Packet Tracer, and it looks like it defaults to “transport input all” on both the switches and routers. I didn’t do a long test. Anyway, short version:
Real switch – default (all) allows Telnet. Real router – default (none) does not.
Packet Tracer appears to allow Telnet on both.
Wendell
Hello, isn’t there a missing line at the end of the answer?
13: login
Or is the 9th line with the login subcommand for vty lines 0 to 4 sufficient to make it work for vty lines 5 to 15?
Angel,
Yeah, it should have had the
“login”
line at the end. I just added it. Thanks for the note!!
Wendell
I got a learning gap by doing this exercise. It is the first gap since I have started following the OCG books.
I know that SW1 in PT software has 17 lines(0-16).
I guess: line 0 is console 0, line 1 is vty 0 (2 to 1, 3 to 2 and so on to 16 to 15), and Telnet or SSH session cost one vty line.
But I never get accurate source to inform me the knowledge.
Any advice to clear the relationships between “lines” and “console and vty”, “lines” and “telnet”?
Hey Tommy,
Indeed, I don’t get into those details in the OCGs. But yes, there’s a more generic concept in routers and switches referenced by the software as lines, with commands like show lines and clear lines associated with those. Routers have a console and an aux port (meant to connect to a modem to allow remote access). Those are lines. Also, in config mode, I’m sure you noticed you reach both the console and vty modes with the line command in global mode.
So, of those you know (console, aux, vty), you can manipulate those more than we discuss in the books. EG, imagine five engineers have SSH connections to a router, you included. You can clear line x (once you figure out which line they’re on) to kick the other engineer out of the router. Or if there’s a problem with IOS clearing up its memory with an earlier login, you can clear the line.
Lines were a little more common to see back in the early days of Cisco. They made interfaces that could support larger-scale phone lines w/ modems attached, for remote access, back when Internet access was dial-up. ISPs in the 1990s might have a bank of Cisco routers w/ lots of sync interfaces with each connected user using a “line”.
Hope this helps…
WEndell
It helps and you have shown that you care your reader.
Thanks very much and good day to you.
Hello, I’m a newb but I’m facing a bit of confusion – From reading ch 4 of your book, I thought “enable secret love” prompts users for passwords when connecting to the switch in exec mode, and “enable secret kindness” prompts users for passwords when moving from exec to enable. Is there a reason we’re not using “enable secret love” here, or am I missing something?
Also, in your solution, I don’t see you setting any passwords to “kindness” as specified in the exercise – “Use password βkindnessβ to protect access to privileged mode for all users, using the more secure configuration option.” Am I missing something here too?
Thank you for any help
Hi Jay,
Welcome to the blog!
So, on your first paragraph, love and kindness are the passwords. Focus on the command and parameter: enable secret. What does that do? It defines the password a user must use to move from user EXEC mode to privileged EXEC mode. Aka the enable password. So, with a prompt like SW1>, if you type enable (an EXEC command), you’ll be prompted for a password. Whatever password was defined earlier with the global config command enable secret is what you have to type here, whether love, kindness, or whatever.
For your second paragraph, I think you just missed it. Click the button to reveal the answer, and the first line is enable secret kindness, which defines the enable password.
Thank you so much for the response! After I read another chapter, it made more sense and your reply helped too. Now I understand, I was overthinking something simple.
Now I’m on chapter 11, this is a lot of information, but you explain things very well. I’m sure I will have more questions on another lab or two. Thanks again!
No problem, Jay. It’s like training for a marathon – you train, improve slowly, but you can’t rush it. Keep pluggin’!
Hello Wendell,
Thank you for all of the great lectures and videos you provide. In regards to the lab answers you provided, why did you split “line vty 0 15” into “line vty 0 4” and “line vty 5 15”? I’m just wondering if the password can just be configured under “line vty 0 15” or does it need to be split the way shown in the lab answers? Thanks!
Mizael,
π
Aw shucks. You’re welcome! π
Yeah, there’s Cisco history there, but here’s the behavior on real gear.
Configure this:
line vty 0 15
login
password cisco
And then do a show run… and IOS has stored it as two sections as shown in lab, one for vty 0 4 and the other for 5 15.
Why why why? It’s historical. Way back (1990s), there were only 5 vtys. When Cisco expanded them, for whatever reason, while numbering them 0 15 (aka 0 through 15), they kept storing the commands separately like that. And never changed the style.
Hi Wendell, thanks for the response! Looking at the show run… command and after reading your history remark it is clearer than water now. Thank you for clarifying and for the “reading break” videos you post on your channel. They really do help a lot to bond everything together!