Basic Cisco Router Security Configuration - :

Basic Cisco Router Security Configuration

Category: Cisco, Security
Author: gokhankosem, on 05 Aug 17 - 0 Comments
Content Protection by

Basic Cisco Router Security Configuration

Security is an important concern for a network engineer. How can a network engineer provide security of a router? In this basic Cisco router security configuration lesson, we will talk about, how to secure a router. We sill see the router security steps one by one. Let’s start.

basic router security ipcisco

Disabling Unused Ports

For a router basic security configuration, the first step is shutdowning all the unused ports. If you are using a port, it needs to be up. But if you don’t use any ports, then always disable (administratively down) these unused ports.
Shutdowning, in other words, disabling a port is very easy. You can do it with “shutdown” command under that interface.

Router(config)# interface fastethernet 0/0
Router(config-if)# shutdown

Enable and Enable Secret Passwords

The second important router security step is passwords. You should use passwords on your router.
Here, there are two passwords: Enable ans enable secret password.

Enable password stores the password in clear text format. So, it is easy to see it. But ,enable secret password stores password in encrypted mode. So, it is more secure.

To encrypt all passwords in a router/switch, you can use “service pasword-encryption” command.
Let’s see how to configure this paswords on a router.

Router(config)# enable password 12345
Router(config)# enable secret 12345
Router(config)# service password-encryption

Configuring Telnet Access Password

Telnet is not a secure way of connecting to a router. But if you use telnet to connect a router, you should use telnet password.

To configure Telnet access with password, you can use the below commands.

Router (config)#line vty 0 4
Router(config-line)# password 12345

Here, firstly we enter the line vty mode and then set the password string with password keyword. After that, we enter login command to activate it.

Configuring Console Access Password

Like telnet, you also need to configure console access password for a secure router. To do this, firstly you need to enter line console mode and then set the password string. Again, with the login keyword, you can activate it.

To configure Console access with password, you can use the below commands.

Router(config)#line console 0
Router(config-line)# password 12345

Configuring Auxiliary Port Access Password

Aux port access password is rarely used. But like telnet and console, you can configure its password in line aux mode.

To configure Aux Port access with password, you can use the below commands.

Router(config)# line aux 0
Router(config-line)# password 12345
Router(config-line)# login local

Configuring SSH

SSH is generally used to access a router remotely. Because it is more secure then telnet.

Here, we are giving a brief SSH configuration in this basic router security configuration .

Router(config)# ip domain-name
Router(config)# crypto key generate rsa modulus 1024 (key lenght, 1024 higher security)
Router(config)# ip ssh version 2
Router(config)#ip ssh time-out 120
Router(config)#ip ssh authentication-retries 3
Router(config)# ip ssh rsa keypair-name

In this configuration, firstly we configure the domain, named Then we configure the crypto key generation with key lenght. After that, we configure ssh version and ssh timeout value. Lastly, we configure the ssh timeout retry time and rsa keypair name.

Users and Priviledge Levels

A router has many users. For each user gorup you can create different access levels with priviledge levels. Every user in the same priviledge level has same access right.

Below, we created priviledge level 3 limited only with 3 rights (telnet, show startup-config, show ip route) and a user named IPCisco with priviledge level 3.

Router(config)# username IPCisco privilege 3 secret 12345
Router(config)#privilege exec level 3 show startup-config
Router(config)#privilege exec level 3 show ip route
Router(config)#privilege exec level 3 telnet

Giving Messages with Banner Motd

Warning is very important on a router. If a user connects to a router, he need to be warned with some sentences about the router and the risks. Especially, to avoid unauthorized users, you can warn users with a message at the beginning. You can warn users with“banner motd” command.

Below, you can see a warn message configuration. Here our message is “This Router is belong to IPCisco”. When a user login to this router, the he will see this message.

Router(config)# banner motd & “This Router is belong to IPCisco” &

Last Words for Basic Cisco Router Security Configuration

In this basic router security configurations lesson, we tried to tell you, how to configure basic security steps on a Cisco router. Security is a very large lesson. So, with this basic steps, you can only provide basic and first step security for a router or another network device.

About the Author
Gokhan Kosem is a telecommunation and network engineer. His ambition to IP networks and end-to-end system installation made him to prepare this web-site. By sharing his experiences about various networking protocols beside different system installation experiences and Cisco, Juniper, Alcatel-Lucent devices configurations, he is aimed to be helpful for his collegues in all over the world. He is currently lives in Istanbul, Turkey.

Leave a Reply

Copy Protected by Chetan's WP-Copyprotect.