Introduction
In this guide, we will walk through the steps to configure basic security and management settings on Cisco devices, including hostnames, enable passwords, and password encryption. This lab is perfect for beginners preparing for the CCNA exam.
Key Concepts of the Cisco IOS CLI
EXEC Modes
User EXEC Mode (hostname>)
This is the entry-level mode when you access a Cisco device. It allows basic, non-intrusive commands like viewing the system status and network settings. However, it does not permit any configuration changes.
Privileged EXEC Mode (hostname#)
A more powerful mode where you can execute advanced administrative tasks. Privileged EXEC mode is essential for viewing detailed device information and modifying configurations.
Global Configuration Mode (hostname(config)#)
The mode for making configuration changes to the device. To access it, type configure terminal from privileged EXEC mode.
Configuration Files
Cisco devices use two text-based files to store configurations:
- Running-Config: This file resides in RAM and determines the current operational state of the device. Changes to this file take effect immediately but are lost upon a restart unless saved.
- Startup-Config: Stored in non-volatile RAM (NVRAM), this file contains the saved configuration that is loaded when the device boots. Any changes made to the running-config must be explicitly saved to the startup-config.
Below are essential commands for managing configuration files:
- Save the running-config to startup-config. Any of these three commands does this:
    copy running-config startup-config
    write
    write memory
- View the current configurations:
    show running-config
    show startup-config
- Reset the device to factory defaults. Any of these three commands does this:
    write erase
    erase nvram
    erase startup-config
Cisco IOS Context-Sensitive Help
Cisco IOS CLI includes built-in tools to assist users with commands, syntax, and options:
- ? : List all the available commands in the current mode
    Switch>?
    Exec commands:
      connect     Open a terminal connection
      disable     Turn off privileged commands
      disconnect  Disconnect an existing network connection
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      logout      Exit from the EXEC
      ping        Send echo messages
      resume      Resume an active network connection
      show        Show running system information
      ssh         Open a secure shell client connection
      telnet      Open a telnet connection
      terminal    Set terminal line parameters
      traceroute  Trace route to destination
- command ?: List available keywords for the command
    Switch>enable ?
      <0-15>  Enable level
      <cr>
Lab Topology
Our lab setup is very simple: it includes a router (R1) and a switch (SW1) connected to a PC (PC1).
Now let’s practice!
Instructions
Access the CLI
You can connect via console cable or SSH to your Cisco device. In this Packet Tracer lab, you just need to click on the device. Also, you can skip the configuration dialog by typing no.
    --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]: no
Change the Hostname
Let’s assign a name for our Router 1 (R1). Here are the commands:
    Router>enable
    Router#configure terminal
    Router(config)#hostname R1
    R1(config)#
Configure Enable Password
The enable password is configured in global configuration mode:
    R1>enable
    R1#configure terminal
    R1(config)#enable password techlensfocus
    R1(config)#exit
    R1#exit
    R1>enable
    Password:
    R1#
By default, this password is stored in plain text and visible in the configuration file. This step helps you understand how an unencrypted password works and its limitations.
To view the enable password in the device’s configuration:
show running-config
Look for the enable password line in the output. The password “techlensfocus” will appear in plain text, as it is not encrypted.
Encrypt the password
In this section, we will ensure current and future passwords are encrypted.
The service password-encryption command applies weak encryption (Type 7) to these passwords, providing basic protection:
    R1>enable
    R1#configure terminal
    R1(config)#service password-encryption
    R1(config)#exit
After enabling password encryption, you need to verify that passwords in the running configuration are no longer displayed in plain text:
    R1#show running-config
    enable password 7 0835494D01150019010D03073F38
Check the output for the enable password. You should see the password has been converted into an encrypted string. The number 7 indicates that the password has been encrypted using Cisco’s Type 7 encryption.
While this encryption is better than plain text, it is relatively weak and can be decrypted with specialized tools.
Configure Encrypted Enable Password
In this step, we will configure a more secure password for privileged EXEC mode. Unlike the enable password command, the enable secret command automatically encrypts the password with strong Type 5 encryption (MD5 hashing), providing enhanced security.
    R1#configure terminal
    R1(config)#enable secret cisco
    R1(config)#exit
Next, we verify the current configuration to ensure the password was configured successfully:
    R1#show running-config
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
Locate the enable secret line. The password will be displayed as a hashed value. The number 5 indicates that the password is encrypted using Type 5 (MD5 hashing).
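To check a saved configuration for the three storage forms seen in this lab (plain text, Type 7, Type 5), the following Python audit can be run over the text of show running-config. It is an added example, not part of the original lab; the sample configs are constructed from the lab's output, and the function names and finding labels are assumptions.

```python
import re

# Constructed samples built from this lab's output (not captured from a real device).
SAMPLE_PLAIN = "hostname R1\nenable password techlensfocus\n"
SAMPLE_FINAL = """service password-encryption
hostname R1
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
enable password 7 0835494D01150019010D03073F38
"""

# enable {password|secret} [level N] [type-digit] <value>
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level \d+)?(?: (\d))? (\S+)$")
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")  # 2-digit offset, then hex pairs
TYPE5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")  # $1$salt$hash

def classify(kind, ptype, value):
    """Label how one enable credential is stored (labels are this example's own)."""
    if kind == "password" and ptype in (None, "0"):
        return "plaintext"
    if ptype == "7":
        return "type7-reversible" if TYPE7_RE.match(value) else "type7-malformed"
    if ptype == "5":
        return "type5-md5-hash" if TYPE5_RE.match(value) else "type5-malformed"
    return "other"  # types this lab does not cover

def audit(config):
    """Return ({kind: label}, [findings]) for a running-config text."""
    lines = [line.strip() for line in config.splitlines()]
    kinds, findings = {}, []
    for line in lines:
        m = ENABLE_RE.match(line)
        if m:
            kinds[m.group(1)] = classify(*m.groups())
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not enabled")
    pw = kinds.get("password")
    if pw == "plaintext":
        findings.append("enable password is stored in plaintext")
    elif pw == "type7-reversible":
        findings.append("enable password uses Type 7, which can be decrypted")
    if "secret" not in kinds:
        findings.append("no enable secret configured")
    elif pw is not None:
        findings.append("enable password is still configured next to enable secret")
    return kinds, findings

if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_PLAIN), ("after", SAMPLE_FINAL)):
        print(name, *audit(cfg), sep="\n  ")
```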
Save the Configuration
It is crucial to save your running configuration to the startup configuration to ensure the changes persist after a reboot. We will use the write memory command to complete this task:
    R1# write memory
    Building configuration...
    [OK]
You can also use the following command to display the saved startup configuration:
show startup-config
Conclusion
In summary, you’ve gained hands-on experience configuring hostnames, passwords, and encryption on Cisco devices. These steps are fundamental for securing network devices and managing access effectively.