Configuring Internal Cisco Router Security
Network security is a hot topic today, and will only increase in importance in
the months and years ahead. While most of the attention is paid to exterior
threats, there are some steps you can take to prevent unwanted Cisco router
access from within your organization.
Whether you want to limit what certain users can do and run on your routers, or
prevent unauthorized users in your company from getting to config mode in the
first place, here are four important yet simple steps you can take to do so.
Encrypt the passwords in your running configuration.
This is a basic Cisco router security command that is often overlooked. It
doesn't do you any good to set passwords for your ISDN connection or Telnet
connections if anyone who can see your router's running configuration can see
the passwords. By default, these passwords are displayed in your running config
in clear text.
One simple command takes care of that. In global configuration mode, run service
password-encryption. This command will encrypt all clear text passwords in your
Set a console password.
If I walked into your network room right now, could I sit down and start
configuring your Cisco routers? If so, you need to set a console password.
This password is a basic yet important step in limiting router access in your
network. Go into line configuration mode with the command "line con 0", and set
a password with the password command.
Limit user capabilities with privilege level commands.
Not everyone who has access to your routers should be able to do anything they
want. With careful use of privilege levels, you can limit the commands given
users can run on your routers.
Privilege levels can be a little clumsy at first, but with practice you'll be
tying your routers down as tight as you like. Visit
for documentation on configuring privilege levels.
Configure an "enable secret" password.
It's not uncommon for me to see a router that has an enable mode password set,
but it's in clear text. By using "enable secret", the enable mode password will
automatically be encrypted. Remember, if you have an enable password and enable
secret password set on the same router, the enable secret password takes precedence.
These four basic steps will help prevent unwanted router access from inside your
network. If only preventing problems from outside your network was as simple!
Chris Bryant, CCIE #12933, is the owner of The Bryant Advantage, home of free
The Ultimate CCNA Study Package, and Ultimate CCNP
Study Packages. For a FREE copy of his latest e-books, "How To Pass The CCNA"
and "How To Pass The CCNP", visit the website and download your free copies. You
can also get FREE CCNA and CCNP exam questions every day! Pass the
with The Bryant Advantage!