Wednesday, September 29, 2004

Handle basic password management on your Cisco router

Changing password defaults to boost security

By default, your Cisco router is set to use an Enable password. This password is unencrypted, however, so you should avoid using it. To tighten your router security, you can set an Enable Secret password, which is encrypted. When set, the Enable Secret password takes precedence over the Enable password. The router will use the latter only if the former hasn't been set.

To set an Enable Secret password, you'll need to switch to Privileged Exec mode. You can then go into Terminal Configuration mode (or Global Configuration mode) to change the router configuration, in this case to set or change the password. To enter Global Configuration mode, use this command:

Router#config t

Note that the "t" is short for "terminal." When you press [Enter], you'll see this prompt:

Router(config)#

Now you're ready to enter your Enable Secret password. (Remember that Cisco router passwords are case-sensitive.) Let's say you want to use the password BigSecret. Here's how to set it:

Router(config)#enable secret BigSecret

You should always end your configuration session by pressing [Ctrl]Z, so hit that key combination after entering the command. To test your new password, type disable at the router prompt to return to the User Exec prompt (>). Now go back into Privileged Exec mode by typing enable. This time, you'll be prompted for a password, the Enable Secret password you just set up:

Router>enable
Password:

Setting other key passwords

Another important password is the Virtual Terminal (vty) password. Unless this password is set, you can't telnet into the router. To set the password, go into Global Configuration mode again. Here are the commands to create the password alsosecret:

Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password alsosecret
Router(config-line)#^Z

The 0 and 4 in the first command line indicate that the password will apply to all five available vty lines, from 0 to 4. The ^Z in the last command line is what appears if you press [Ctrl]Z.

To gain access to the router via its console port, you'll have to set up a console password as follows (again in Global Configuration mode):

line con 0
login
password anothersecret

Use a 0 in the first command line and end your configuration session with [Ctrl]Z.

To save all these configuration changes so that they're still in effect the next time the router is restarted, you should copy the router's running configuration to its startup configuration. To do so, you must be in Privileged Exec mode. Using the abbreviated form for the commands running-configuration and startup-configuration, issue the following command:

RouterName#copy run start

Press [Enter], and it's done.

Working around forgotten passwords

What if you forget the encrypted Enable Secret password? Or maybe you don't have access to it to start with because the admin who configured the router has left the company or can't remember the password; that does happen.

The trick is to bypass the router's startup configuration, located in nonvolatile RAM (NVRAM), at boot time. To do that, you must connect to the router via its console port and get into what is known as ROM monitor mode (ROMMON mode). This is the key to the lost password kingdom.

The recovery procedure differs depending on router model. For details of the different procedures, check out Cisco's site. Be sure to find the correct procedure for your router model before attempting the recovery. To give you a general idea of how the process works, we'll look at how to recover the Enable Secret password for the 2500 and 4000 series routers.

First, turn off the router and connect a computer to the router's console port using the RJ-45-to-RJ-45 rollover cable and an RJ-45-to-DB-9 or RJ-45-to-DB-25 adapter, which is normally supplied with the router. Next, fire up terminal emulation software (such as Hyper Terminal, which is usually shipped with Windows) and configure the settings like this:


9600 baud
8N1
No flow control
No parity

Turn on the router, and within 60 seconds, press the emulation software's [Break] key; in the case of Hyper Terminal, it's [Ctrl][F6][Break].

If the Break command was successful, you should see the prompt:

rommon>

or just:

>

depending on your router model. You're now in ROMMON mode. If you're at the rommon> prompt, type the command:

confreg

If you're at the > prompt, type the command:

o/r 0x2142

After issuing the command confreg, you'll see the router's current settings and you'll be asked:

Do you wish to change the configuration? y/n [n]:

Press y to select yes. Choose the default answers to the other questions (press [Enter] or n, for no) until you're asked:

Ignore system config info? y/n [n]:

Press y. This is the crucial question, as you're actually being prompted about changing a configuration register bit, a key to what we're trying to achieve. Answering yes will set the bit to 1, which is what we want to do.

Accept the defaults for the rest of the prompts until you're asked whether you want to change the configuration. This time, press n. You'll now be told that you have to reset or power-cycle for the new configuration to take effect. Issue the command reload or power off and back on again.

If you issued the command o/r 0x2142 instead of confreg, you'll go through a similar procedure and have to reboot. Do this with the command:

i

or:

initialize

At this point, you have access to the router without being prompted for the Enable Secret password. After restarting, the router will prompt you about entering Setup mode. Press n. Now you're ready to go into Privileged Exec mode by typing enable (or just en) at the prompt. Notice that you aren't prompted for the Enable Secret password.

You can save the startup configuration to the running configuration if you still want to use the configuration that's in NVRAM. We'll run through the process so we can see that lost Enable Secret password. To save the configuration, use the command:

RouterName#copy start run

and type:

RouterName#show run

All will be revealed (including some other information about your running configuration).

Now you can change your Enable Secret password, as described above. Then, restore the configuration register to its original value using the following commands:

RouterName(config)# config-reg 0x2102
RouterName(config)# end

Save changes to the configuration with the command:

RouterName# copy run start

Finally, restart the router and your work is done.
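As an added example (not from the original article or from Cisco), here is a small Python audit of an IOS-style running configuration that checks the settings covered in both sections above: the unencrypted Enable password versus Enable Secret, login and password on the console and vty lines, and a configuration register left at 0x2142 after a recovery, which would make the router ignore the startup configuration in NVRAM on its next boot. The sample configuration is constructed.

```python
import re

# Constructed sample: the weak state the article warns about, plus a 0x2142 register
# left over from a password recovery.
WEAK_CONFIG = """\
enable password BigSecret
!
line con 0
 login
line vty 0 4
 password alsosecret
config-register 0x2142
"""

def parse_config(config):
    """Split into global commands and 'line' blocks (name -> sub-command keywords)."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if raw.startswith("line ") and len(words) > 1:
            current = " ".join(words[1:])        # e.g. "vty 0 4"
            blocks[current] = set()
        elif raw.startswith(" ") and current is not None and words:
            blocks[current].add(words[0])        # keyword only, never the password
        else:
            current = None                       # '!' or a global command ends the block
            globals_.append(raw.strip())
    return globals_, blocks

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    globals_, blocks = parse_config(config)
    findings = []
    has_secret = any(g.startswith("enable secret ") for g in globals_)
    has_plain = any(g.startswith("enable password ") for g in globals_)
    if has_plain and not has_secret:
        findings.append("enable password in use without enable secret (unencrypted)")
    elif has_plain:
        findings.append("enable password still stored alongside enable secret")
    elif not has_secret:
        findings.append("no enable secret configured")
    for name, cmds in blocks.items():       # console and vty lines
        if "password" not in cmds:
            findings.append(f"line {name}: no password set")
        elif "login" not in cmds:
            findings.append(f"line {name}: password set but login not enabled")
    for g in globals_:                      # register bit 6 (0x0040) = ignore NVRAM config
        m = re.match(r"config-reg(?:ister)?\s+(0x[0-9a-fA-F]+)$", g)
        if m and int(m.group(1), 16) & 0x0040:
            findings.append(f"{g}: bit 6 set, startup config in NVRAM ignored at boot")
    return findings
```

Run audit() against the output of show run; a config that sets enable secret, login plus password on line con 0 and line vty 0 4, and config-register 0x2102 produces no findings.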

L2, L3 and L4 switching

With the rapid development of computer networks over the last decade, high-end switching has become one of the most important functions on a network for moving data efficiently and quickly from one place to another.

Here's how a switch works: As data passes through the switch, it examines addressing information attached to each data packet. From this information, the switch determines the packet's destination on the network. It then creates a virtual link to the destination and sends the packet there.

The efficiency and speed of a switch depends on its algorithms, its switching fabric, and its processor. Its complexity is determined by the layer at which the switch operates in the OSI (Open Systems Interconnection) Reference Model (see above).

OSI is a layered network design framework that establishes a standard so that devices from different vendors work together. Network addresses are based on this OSI Model and are hierarchical. The more details that are included, the more specific the address becomes and the easier it is to find.

The layer at which the switch operates is determined by how much addressing detail the switch reads as data passes through.

Switches can also be considered low end or high end. A low-end switch operates in Layer 2 of the OSI Model and can also operate in a combination of Layers 2 and 3. High-end switches operate in Layer 3, Layer 4, or a combination of the two.

Layer 2 Switches (The Data-Link Layer)

Layer 2 switches operate using physical network addresses. Physical addresses, also known as link-layer, hardware, or MAC-layer addresses, identify individual devices. Most hardware devices are permanently assigned this number during the manufacturing process.

Switches operating at Layer 2 are very fast because they're just sorting physical addresses, but they usually aren't very smart; that is, they don't look at the data packet very closely to learn anything more about where it's headed.

Layer 3 Switches (The Network Layer)

Layer 3 switches use network or IP addresses that identify locations on the network. They read network addresses more closely than Layer 2 switches: they identify network locations as well as the physical device. A location can be a LAN workstation, a location in a computer's memory, or even a different packet of data traveling through a network.

Switches operating at Layer 3 are smarter than Layer 2 devices and incorporate routing functions to actively calculate the best way to send a packet to its destination. But although they're smarter, they may not be as fast if their algorithms, fabric, and processor don't support high speeds.

Layer 4 Switches (The Transport Layer)

Layer 4 of the OSI Model coordinates communications between systems. Layer 4 switches are capable of identifying which application protocols (HTTP, SNTP, FTP, and so forth) are included with each packet, and they use this information to hand off the packet to the appropriate higher-layer software. Layer 4 switches make packet-forwarding decisions based not only on the MAC address and IP address, but also on the application to which a packet belongs.

Because Layer 4 devices enable you to establish priorities for network traffic based on application, you can assign a high priority to packets belonging to vital in-house applications such as Peoplesoft, with different forwarding rules for low-priority packets such as generic HTTP-based Internet traffic.

Layer 4 switches also provide an effective wire-speed security shield for your network because any company- or industry-specific protocols can be confined to only authorized switched ports or users. This security feature is often reinforced with traffic filtering and forwarding features.
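To make "how much addressing detail the switch reads" concrete, here is an added Python example (not from the original article) that dissects one constructed Ethernet/IPv4/TCP frame the way a Layer 2, Layer 3 and Layer 4 switch would, and applies the two Layer 4 controls described above: a per-application priority and confinement of an in-house protocol to authorized switch ports. The frame, port names and policy tables are all constructed.

```python
import struct

# Constructed Ethernet/IPv4/TCP frame (checksums not valid): dst MAC
# 00:11:22:33:44:55, EtherType 0x0800, IPv4 10.0.0.1 -> 192.168.0.5, TCP 40000 -> 80.
FRAME = (bytes.fromhex("0011223344550066778899aa0800")
         + bytes.fromhex("45000028000100004006000c0a000001c0a80005")
         + struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0))

# Constructed L4 policy: TCP port -> application; application -> forwarding
# priority and the only switch ports allowed to carry it (None = any port).
PORT_APPS = {80: "http", 21: "ftp", 8000: "in-house-app"}
POLICY = {"in-house-app": ("high", {"Fa0/1", "Fa0/2"}),
          "http": ("low", None), "ftp": ("normal", None)}

def l2_key(frame):
    """Layer 2 reads only the destination MAC, the first six bytes."""
    return frame[0:6].hex(":")

def l3_key(frame):
    """Layer 3 also reads the IPv4 destination address (bytes 30-33)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4: nothing more to read
    return ".".join(str(b) for b in frame[30:34])

def l4_key(frame):
    """Layer 4 also reads the IP protocol and the TCP/UDP destination port."""
    if l3_key(frame) is None or frame[23] not in (6, 17):
        return None
    ihl = (frame[14] & 0x0F) * 4         # IP header length, options included
    dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return frame[23], dst_port

def l4_decision(frame, ingress_port):
    """Classify by application, then apply priority and port confinement."""
    key = l4_key(frame)
    app = PORT_APPS.get(key[1], "unknown") if key else "unknown"
    priority, allowed = POLICY.get(app, ("normal", None))
    if allowed is not None and ingress_port not in allowed:
        return {"app": app, "action": "drop", "reason": "port not authorized"}
    return {"app": app, "action": "forward", "priority": priority}
```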

Tuesday, September 28, 2004

Spantree and portfast

In a nutshell, enabling spantree portfast on a given port tells that port to bypass the spanning tree algorithm altogether and drop directly to forwarding packets; it will never use any of the other stages. So no, it will not go to blocking, and hence is a prime candidate for a bridging loop should another bridge be connected (and there already be another path between the two devices). Hence the warning that is displayed when you enable portfast on a port.

I don't think you're correct here. Portfast does not disable STP completely, it only makes a port transition into the forwarding state without delays.

If you disable spanning tree, the ports will come up without any delay caused by spanning tree. There are other delays like PAgP. But then someone can put a crossover cable into two ports on this switch and your complete switch cloud will go down. Spanning tree was invented to prevent such problems.

Spanning-Tree is the 802.1d standard for avoiding loops in a switched network. If someone plugs in cables causing a physical loop in your network, spanning-tree will detect it and shut it down. It does this by having switches send messages to each other. These messages are called Bridge Protocol Data Units. When a switch detects a connection that has created a loop in the network, it will put that port in a blocking state, effectively breaking the loop.


Creating a loop on purpose can help you make fail-over redundant links. If one link goes down, the alternate path will automatically be unblocked, restoring connectivity. I actually used this once when I had to relocate fiber patch panels in the main data center of my facility. I had a fiber loop between my remote data closets as well as fiber run directly to the data center from each closet. I connected the closets together after setting the spanning-tree priority on the last fiber connection completing the loop. I set the priority so it was lower priority than the direct links up. This way, as I disconnected each direct path to relocate the fiber patch panels over to the new rack, an alternate path for traffic turned up automatically, then back down when reconnected. However, this redundancy design is a more advanced topic than our time allows.


There is a downside to having spanning-tree enabled on all switch ports. By default this is enabled on all Cisco switches.


Spanning tree has to recalculate the network tree and adjust every time a port becomes active on a switch with spanning tree enabled.


When a port becomes active, spanning-tree will place the switch port into listening state, then learning state, and finally forwarding state. It is not until the forwarding state that network traffic will flow through the port. If you watch a switch and see a port go amber for several seconds before going green and allowing traffic, then that port likely has spanning-tree turned on. By default it takes 15 seconds to go from listening to learning state, and another 15 seconds to go from learning to forwarding state.


This means it can take 30 seconds for a switch port to let your client PC start sending and receiving network traffic. This can cause havoc with Windows PCs that use DHCP.


You can recognize this issue by noting that your Windows PC gets one of the temporary 169.x.x.x IPs. Then you find shortly after that you can renew your IP in DHCP and get a proper IP from your network's DHCP server.


You can fix this by setting each client port into what is known as spanning-tree portfast mode.
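As an added example (not from the original post), the Python model below walks a port through the listening, learning and forwarding stages with the 15-second timers described above, shows why a client's early DHCP attempts are lost on a normal port but not on a portfast port, and models the caveat from the thread above: STP keeps running on a portfast port, so a BPDU arriving there (another bridge behind a client port) sends it back through the normal stages. The DHCP retry schedule and give-up time are constructed, not the real Windows client timers.

```python
FORWARD_DELAY = 15   # seconds in listening, then again in learning (802.1D default)

class StpPort:
    """802.1D port state machine reduced to the timers described above, plus the
    portfast shortcut. No root election or topology-change handling."""
    def __init__(self, portfast=False):
        self.portfast = portfast
        self.state = "blocking"
        self.timer = 0                      # seconds spent in the current stage

    def link_up(self):
        # portfast skips listening and learning and forwards at once
        self.state = "forwarding" if self.portfast else "listening"
        self.timer = 0

    def tick(self, seconds=1):
        """Advance time; a stage that has used up its 15 s moves to the next one."""
        self.timer += seconds
        for stage, nxt in (("listening", "learning"), ("learning", "forwarding")):
            if self.state == stage and self.timer >= FORWARD_DELAY:
                self.state, self.timer = nxt, self.timer - FORWARD_DELAY

    def receive_bpdu(self):
        """A BPDU means another bridge sits behind this port, the bridging-loop case
        the thread warns about. STP still runs on a portfast port, so the port gives
        up portfast and goes back through the normal stages (Cisco behaviour)."""
        if self.portfast:
            self.portfast = False
            self.state, self.timer = "listening", 0

def dhcp_outcome(portfast, attempt_times=(0, 4, 8, 16), give_up_at=30):
    """Seconds after link-up at which the first DHCP attempt reaches the wire, or
    None if the client gives up (and self-assigns a 169.x.x.x address) first.
    The retry schedule and give-up time are constructed values."""
    port = StpPort(portfast)
    port.link_up()
    now = 0
    for t in attempt_times:
        if t >= give_up_at:
            break
        port.tick(t - now)
        now = t
        if port.state == "forwarding":
            return t
    return None
```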