
Cisco Router Basic Security Configuration

AlexM445
Level 1

Hello All,

Let me start off with saying that I am a beginner and trying to learn the fundamentals. I have a basic config on my C921 router that suits my needs. I am turning to the topic of network security and trying to learn how to configure a good secure router. My intent is to add an external network firewall in the near future but I would like some guidance with the basics. What are some topics / concerns when configuring a router's basic security functions? As always, I am trying to learn the basics, so in-depth discussion and explanations are very much appreciated.

7 Replies

AlexM445
Level 1

Thank you very much for the response. I have been going through what you have linked and I do have some very basic questions. How do these two differ "enable secret 12345" and "username test secret 12345"? I am assuming that this is depending on how the router is accessed? I understand the first is through the CLI enable but not sure of what the second is protecting.

The username lets you access the router.
The enable lets you go from user mode to config/enable mode.

AlexM445
Level 1

My understanding still is not firm. When you say "access the router" do you mean when you first go into the serial console and it asks for a login? I ask because I have used the following to accomplish this:

Router(config)# line console 0
Router(config-line)# password 12345
Router(config-line)# login

How would this differ from the aforementioned "username test secret 12345"?

First, since you are just starting to read, keep away from the console (don't config login under it) and config enable password cisco or admin.
Then start with VTY.
When we config VTY we can config login, but here we need a password.
The password in the R/SW is saved in many places:
1- If you config VTY with login, then the VTY will use the password you enter under the VTY (only a password is needed here).
2- If you config VTY with login local, the VTY will search the router's global mode for USERNAME + PASSWORD.
3- If you config VTY with auth, then the VTY will search for the password in the radius/tacacs server or local (if server local).

Now we access the R/SW via VTY using one of the passwords above.
The mode is user.

We need to start configuring the R/SW.
We need to enter
enable
Here comes the role of the enable password.
You need the enable password to go from user mode to config/enable mode.

AlexM445
Level 1

I think I am starting to better understand the differences in logging in to the different modes.

I am still not completely clear on the difference between the Console password (Router(config)# line console 0...) and the VTY password ("username test secret 12345") and what they are protecting. I do understand the enable secret in full now. I understand that you recommended to stay away from the console config for now; with that in mind, what is the "username test secret 12345" accomplishing? I am assuming this has something to do with accessing the router through Telnet? When I enter PuTTY and navigate to Configuration mode it only asks for the enable password I set up, not the user name and secret that I also set up.

Console password <<- can you elaborate more about the console password? There is no console password and VTY password; you can use the same username/password for both.
Do you use PuTTY without username/password to access via console? If yes, then you don't config login/login local under the console line.

Friend,
you config username/password in global mode, but how will you use this user/password?
This depends on the config.
If you config login local under VTY then you will use it.

Username/password lets you access the router.
This will direct you to user mode:
router>

To go to enable mode you need the enable password.
router>en <<- this is user mode
password : $$$$
router# <<- this is enable mode
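
As an added example (not part of the thread and not Cisco tooling), this Python script reads an IOS-style configuration and reports which of the three cases listed in the reply above (`login`, `login local`, AAA) guards each line, plus whether an enable password exists. The sample configuration is constructed, and the script assumes sub-commands are indented by one space as in `show running-config` output.

```python
import re

# Constructed sample config, not from the thread; passwords are placeholders.
SAMPLE = """\
enable secret 12345
username test secret 12345
line con 0
 password 12345
 login
line vty 0 4
 login local
line vty 5 15
 login
"""

def audit(config):
    """Map each line block (and 'enable') to what checks a login there."""
    has_user = bool(re.search(r"^username \S+ ", config, re.M))
    lines, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = {"login": "", "password": False}
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if cmd.startswith("password "):
                lines[current]["password"] = True
            elif cmd.split()[:1] == ["login"]:
                lines[current]["login"] = cmd
        else:
            current = None  # an unindented line ends the block
    report = {}
    for name, s in lines.items():
        if s["login"] == "login":            # case 1: password under the line
            report[name] = "line password" if s["password"] else "line password (none set)"
        elif s["login"] == "login local":    # case 2: global username database
            report[name] = "local username" if has_user else "local username (none defined)"
        elif s["login"].startswith("login authentication "):  # case 3: AAA
            report[name] = "AAA method list " + s["login"].split()[-1]
        else:
            report[name] = "no login command on this line"
    has_enable = re.search(r"^enable (secret|password) ", config, re.M)
    report["enable"] = "set" if has_enable else "not set"
    return report

if __name__ == "__main__":
    for name, how in audit(SAMPLE).items():
        print(f"{name:10} -> {how}")
```

A line reported as "no login command on this line" matches the PuTTY console session described in the thread, where only the enable password was requested.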
