Under normal circumstances, in order to achieve secure access to the device, we will add password information to the device or perform corresponding operations to avoid potential security risks. Here are a few common configuration methods.

First of all, set a password on the vty line and the console interface, but it is generally not recommended to set a password for the console, because the devices that can be connected through the console are generally intranet staff, not remote staff. To ensure device security, you can set an enable password to prevent access to the device. There are two encryption methods:

SW1(config)#enable secret cisco

SW1(config)#service password-encryption

/ /Enable password encryption service, the password set after this will be encrypted and stored.

It is recommended to use the former, the former will perform MD5 calculation on the password, and the result obtained is more secure. In order to prevent the device from being incompatible with the first command in the future, both password encryption methods can be used, and the effect of rural compatibility has been achieved.

Secondly, when debugging the device, the function of logging in overtime is often disabled. Therefore, you must remember that after the debugging of the device is completed, use the command to configure the logging in to the device overtime to prevent others from accidentally entering through the console. After the device is installed, it directly obtains administrator rights, causing configuration confusion or tampering.

SW1(config)#line console 0

SW1(config-line)#exec-timeout 5 30 //The configuration timeout is 5 minutes and 30 seconds.


For remote login users, if there is no data passing for a long time, in order to prevent the remote end from responding and automatically close the connection and reduce DOS attacks, the following command can be used

SW1 (config)#service tcp-keepalives-in

//Configure the switch to automatically close the connection when no remote response is received, reducing DOS attacks.

To prevent multiple connection attempts for password guessing, log in to restrict access:

SW1(config)#login block-for 60 attempts 3 within 30

// Configure the user to log in again after 3 consecutive login failures within 30 seconds, wait 60 seconds before logging in again.

SW1(config)#login delay 10

/ /Configure the user to log in successfully, and can log in again after 10 seconds.

You can view the login information with the command:

SW1(config)#login on-failure log < /p>

//Configuration login failure will be recorded in the log

SW1(config)#login on-success log

//Successful configuration login will be recorded in the log


Although no system is ever 100 percent protected, the ability for differentiating between typical network traffic as well as potentially harmful malware is considered crucial and provides the focus of this associate-level certification path. Also, if you wish to acquire this certification, you should gain the CCNP 300-710 Dumps, which are being offered at the EveDumps.


Leave a comment