Chapter 10: Restricting Network Access

Commands:

10.2.3 Basic password protection

IOS

Set EXEC level password
Switch(config)#enable password level 1 password

Set privileged level password
Switch(config)#enable password level 15 password

Switch(config)#username username password password

Switch(config-line)#login local

Switch(config-line)#login authentication

Switch(config-line)#login tacacs

CLI

Switch> (enable) set enablepass

Switch> (enable) set password

10.2.4 Using AAA and Secure Server

IOS

CLI

Switch> (enable) set authentication login local enable

Switch> (enable) set authentication login tacacs enable

Switch> (enable) set tacacs server ip-address

Switch> (enable) set tacacs key key

10.2.5 Restricting VTY and HTTP access

IOS

Switch(config)#ip http server

Switch(config)#ip http authentication [aaa | enable | local | tacacs]

Switch(config-line)#access-class number [in | out]

CLI

Switch> (enable) set interface sc0 [ip_addr / netmask]

Switch> (enable) set ip http server enable

Switch> (enable) set ip http port port_number default

Switch> (enable) show ip http

10.2.6 Configuring timeouts

IOS

Switch(config-line)#exec-timeout minutes

CLI

Switch> (enable) set logout [number of minutes]

10.2.7 Configuring privilege levels

Router(config)#privilege mode level level command

Router(config)#enable secret level level password

10.2.8 Banner messages

Router(config)#banner motd % message here %

Switch> (enable) set banner motd % message here %

10.3.1 Policy in the access layer

Switch> (enable) set port security mod_num/port_num... enable [mac_address]

Switch> (enable) show port mod_num/port_num

Switch(config-if)#port security [max-mac-count maximum-mac-count]

Switch#show mac-address-table security [type module/port]

ALSwitch(config-if)#port security action shutdown