02-07-2017 08:24 AM - edited 03-08-2019 09:13 AM
Hi Sir / Madam,
I just want to clarify something with you all.
1. Can anyone break the password and amend the settings, and then put back the original password?
2. Is there any way to amend the settings on Cisco Cat 3850 or Cat 2960 switches without any password?
3. Do we have any ways to prevent this from happening?
Sorry to ask the above questions.
I hope I can get an answer ASAP.
Thank you
From,
James
02-07-2017 08:32 AM
Hi
1. Can anyone break the password and amend the settings, and then put back the original password?
Yes, if they have direct console access anyone can do it. Lock the cabinet/rack where it is located so you can't just connect up, or lock the comms room.
2. Is there any way to amend the settings on Cisco Cat 3850 or Cat 2960 switches without any password?
I'm not sure exactly what you are asking here. Are you saying you want to use the switch without a password set? You need a password for at least remote connectivity; it's a bad idea to have a production device online without security.
3. You can disable password recovery. Be very careful doing that: if you lose the password you could be in a lot of trouble if you need to get back in. See the doc below:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-sy-book/sec-no-svc-pw-recvry.html#GUID-C0C6C993-F6C7-4296-A751-7F7C821988F0
02-07-2017 08:00 PM
Hi Mark Malone,
Thank you so much for your reply.
Another question.
Can I set it so that only a specified interface can use telnet or SSH to access the console? Meaning I disable all telnet or SSH access, and only enable telnet and SSH access on interface gigabitethernet1/0/1.
Thank you
02-08-2017 12:27 AM
Hi
So this is the thing: you can easily control which interface traffic leaves the router by, by setting the source for that traffic. Now, currently, if you want to redirect traffic back in via, say, a particular interface port, you need to use ACLs to block it coming back in through the other ports. We have done this for security; it's time consuming and not the best method, and the ACLs become very lengthy when using a lot of MGMT protocols and devices.
There is another feature called MPP, but it's not fully released yet in IOS-XE. I have a feature enhancement request open with Cisco currently to get it added. It's there in the CLI but it's not fully supported, so you will have issues when trying to use it.
I'm hoping the feature gets pushed soon in the next release or two; I have been told it should be, fingers crossed.
Don't use telnet, it's not secure and you can see your password if someone sniffs the wire, even locally on the LAN. Use SSH version 2 and set the keys to at least 1024.
*****************************************
This is what I got back before I raised the enhancement:
As per the information, the feature MPP is not supported on ASR1k (IOS-XE) as of now. Please refer to the feature navigator link below:
http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp
From the link above you can select the feature "Management plane protection" and you will find the supported platforms. Unfortunately this is not yet supported on IOS-XE platforms. Digging internally I could find an enhancement bug as well to add this feature for IOS-XE, which was raised earlier; however, the DDTS was closed since there was no relevant request raised at that time. You may find the DDTS information from the link below:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCts41086/?reffering_site=dumpcr
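A configuration sketch of the hardening the replies describe (password recovery disabled, SSHv2 only with telnet off, and management reachable through a single port by blocking it on the others with ACLs instead of MPP), added here as an illustration and not taken from any post in the thread. The management subnet, the switch's own IP, the port range, the user name and the ACL names are assumptions.

```cisco
! Added example, not from the thread. Assumed: management hosts on 10.0.0.0/24,
! switch management IP 10.0.0.10 on an SVI, management port Gi1/0/1,
! all other access ports Gi1/0/2 - 24. Replace the placeholders before use.
!
! Question 3: stop console-based password recovery. As the reply warns, once this
! is set a lost password can only be fixed by wiping the configuration, so keep
! an offline copy of the config and the credentials in a safe place.
no service password-recovery
!
! Local account and enable password stored as hashes (secret), not reversible type 7.
username netadmin privilege 15 secret <strong-password>
enable secret <strong-enable-password>
!
! SSH version 2 only; the thread says at least a 1024-bit key, 2048 is the usual floor today.
hostname SW1
ip domain-name example.invalid
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the management subnet may reach the vty lines, and telnet is not offered at all.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! The "one interface" request: management traffic may only arrive via Gi1/0/1.
! Every other port gets an inbound port ACL that drops SSH, telnet and SNMP
! addressed to the switch itself while passing ordinary user traffic.
ip access-list extended BLOCK-MGMT-TO-SWITCH
 deny   tcp any host 10.0.0.10 eq 22 log
 deny   tcp any host 10.0.0.10 eq 23 log
 deny   udp any host 10.0.0.10 eq snmp log
 permit ip any any
interface range GigabitEthernet1/0/2 - 24
 ip access-group BLOCK-MGMT-TO-SWITCH in
!
! Record every successful and failed login so console or vty access leaves a trail
! in the log / syslog, which is the only way to notice a physical-access change later.
login on-success log
login on-failure log
```

The `log` keywords and the login logging lines are what let you detect someone trying the console route the first reply describes; the physical lock on the rack is still the actual control.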