Leaflet

98
OL-11615-01
Access Control
There are more access mechanisms to a switch than many administrators realize, from console to a
variety of remote sessions based on protocols like Telnet, rlogin and SSH. Most of these mechanisms are
not enabled by default, but others like console are. In every case it is critical to control who accesses the
device. Anyone who gains access to a switch can obtain critical information about the network,
reconfigure the device, and even take the device out of service. For this reason, every switch in the
network infrastructure should be carefully configured to prevent any unauthorized access.
This section provides best practices to help control access to Cisco Catalyst switches:
Secure Local Password Management, page 98
Interactive Access Control, page 102
Cisco IOS Login Enhancements, page 104
Warning Banners, page 104
Web-Based GUI Access, page 105
Secure Shell (SSH), page 107
SNMP Access, page 108
Secure Local Password Management
Passwords (and similar secrets, such as SNMP community strings) are the primary defense against
unauthorized access to your switch. The best way to handle most passwords is to maintain them on a
TACACS+ or RADIUS authentication server. However, almost every router and switch will still have a
locally configured password for privileged access, and each might also have other password information
in its configuration file. The following paragraphs describe some of the Cisco IOS and Catalyst OS
commands available on Catalyst switches to help prevent unauthorized access.
Password Management in Catalyst OS
The following are the Catalyst OS commands that are used to implement best practices:
set password
set enablepass
set authentication login
set authentication enable
The set password Command
CLI access to switches running Catalyst OS is controlled with a local login password, which by default
is not configured. Use the set password command to configure a login password. Passwords are case
sensitive and can be from 0 to 19 characters in length, including spaces. The command prompts you for
the old password. If the password you enter is valid, you are prompted to enter a new password and to
verify the new password. A zero-length password is allowed by pressing Return.
The following example illustrates the use of this command:
Console> (enable) set password
Enter old password: <old_password>
Enter new password: <new_password>
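The following script is an added example, not part of the Cisco guide: it audits a saved Catalyst OS configuration for the weaknesses the section describes (no login or enable password configured, and login/enable authentication that falls back to local passwords only instead of a TACACS+ or RADIUS server), and it checks a candidate password against the stated 0-to-19-character rule. The config line formats (`set password <hash>`, `set enablepass <hash>`, `set authentication login|enable <method> enable|disable`) are assumed from the command names on this page, and the sample configuration is constructed for the demonstration.

```python
"""Audit a Catalyst OS config dump for weak local password management.

Added example, not code from the Cisco guide. The config syntax matched
below is assumed from the command names the guide lists; SAMPLE_CONFIG
is a constructed input, not a real switch's configuration.
"""
import re
from typing import Dict, List

MAX_CATOS_PASSWORD_LEN = 19  # the guide states 0 to 19 characters, spaces included

# Constructed sample: login password set, enable password missing, and both
# login and enable authentication using only the local password.
SAMPLE_CONFIG = """\
#version 8.4(1)
set password $2$Qf4k$constructedhashvalue000000
set authentication login local enable
set authentication enable local enable
set authentication login tacacs disable
"""

_RE_SET_PASSWORD = re.compile(r"^set (password|enablepass)\s+(\S+)", re.M)
_RE_AUTH = re.compile(
    r"^set authentication (login|enable)\s+(\w+)\s+(enable|disable)", re.M
)


def check_password_length(candidate: str) -> List[str]:
    """Return problems with a candidate CLI password under the CatOS rule.

    The switch accepts a zero-length password (pressing Return), which
    effectively removes the login check, so that case is flagged as a risk.
    """
    issues: List[str] = []
    if len(candidate) == 0:
        issues.append("zero-length password: accepted by the switch but leaves "
                      "CLI access unprotected")
    if len(candidate) > MAX_CATOS_PASSWORD_LEN:
        issues.append(f"{len(candidate)} characters exceeds the "
                      f"{MAX_CATOS_PASSWORD_LEN}-character limit")
    return issues


def audit_catos_config(config_text: str) -> Dict[str, List[str]]:
    """Flag missing passwords and local-only authentication in a config dump.

    Returns {"missing": [...commands not configured...],
             "local_only": [...auth types relying solely on 'local'...]}.
    """
    findings: Dict[str, List[str]] = {"missing": [], "local_only": []}

    # Which of the two local password commands appear at all?
    configured = {m.group(1) for m in _RE_SET_PASSWORD.finditer(config_text)}
    for cmd in ("password", "enablepass"):
        if cmd not in configured:
            findings["missing"].append(cmd)

    # Collect the enabled authentication methods per type (login / enable).
    enabled = {"login": set(), "enable": set()}
    for kind, method, state in _RE_AUTH.findall(config_text):
        if state == "enable":
            enabled[kind].add(method)

    # Best practice per the guide: a TACACS+ or RADIUS server should be in
    # use; an empty set or {'local'} alone means only the local secret guards
    # access.
    for kind, methods in enabled.items():
        if methods <= {"local"}:
            findings["local_only"].append(kind)
    return findings


if __name__ == "__main__":
    for category, items in audit_catos_config(SAMPLE_CONFIG).items():
        print(f"{category}: {items}")
    for pw in ("", "Sw1tch Pass", "x" * 20):
        print(repr(pw), "->", check_password_length(pw) or ["ok"])
```

Run it against the output of `show config` from a switch to get the two finding lists; an empty `missing` list and an empty `local_only` list mean both local passwords are configured and a remote authentication method is enabled for both login and enable access.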