Archive for July, 2016

Create a user with privilege level 15.
Router(config)# username admin privilege 15 password cisco12345
Configure SSH and Telnet for local login.
Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit


To prevent the router from attempting to translate incorrectly entered commands as though they were
host names, disable DNS lookup. Router R1 is shown here as an example.
R1(config)# no ip domain-lookup


Configure a minimum password length for all router passwords.
Use the security passwords command to set a minimum password length of 10 characters.
R1(config)# security passwords min-length 10


Configure a console password and enable login for routers. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging
synchronous command prevents console messages from interrupting command entry.
Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0,
which prevents it from expiring. However, this is not considered a good security practice.
R1(config)# line console 0
R1(config-line)# password ciscocon
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous


Configure a password for the AUX port for router R1.
R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login


Configure the password on the vty lines for router R1.
R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login


Use the login block-for command to configure a 60-second login shutdown (quiet mode timer) if
two failed login attempts are made within 30 seconds.
R1(config)# login block-for 60 attempts 2 within 30


Configure the router to log login activity.
a. Configure the router to generate system logging messages for both successful and failed login
attempts. The following commands log every successful login and log failed login attempts after every
second failed login.
R1(config)# login on-success log
R1(config)# login on-failure log every 2
R1(config)# exit
b. Issue the show login command. What additional information is displayed?
All successful logins are logged.
Every 2 failed logins are logged.


Configure a domain name.
Enter global configuration mode and set the domain name.
R1# conf t
R1(config)# ip domain-name


Use the username command to create the user ID with the highest possible privilege level and a
secret password.
R1(config)# username admin privilege 15 secret cisco12345


Configure the incoming vty lines.
Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged
EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Use the local
user accounts for mandatory login and validation, and accept only SSH connections.
R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit


Erase existing key pairs on the router.
R1(config)# crypto key zeroize rsa


Generate the RSA encryption key pair for the router.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data.
Configure the RSA keys with 1024 for the number of modulus bits. The default is 512, and the range is
from 360 to 2048.
R3(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be:
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
*Dec 16 21:24:16.175: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)# exit


Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive using the
following commands.
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2