
Setting Router Passwords

The router has a number of ports that allow access to it, and on each of these ports you can specify a password to provide a layer of security.  You can also disable login password checking on any port by entering that port's Router(config-line)# mode and issuing the no login command.  In the examples below, the password is set to ccna and the enable secret password is set to ccna2.

Setting the enable and enable secret password:
Router(config)#enable password ccna
Router(config)#enable secret ccna2

The enable secret password is the password you use to gain access to enable mode and to global configuration mode on the router, and it is encrypted.  The enable password is used when you do not specify an enable secret password.  The enable password should be different from the enable secret password.

Setting the auxiliary port password:
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password ccna

The auxiliary port is on the back of the router and is commonly used to connect a modem.  It allows a remote user to access the configuration of the router.  If a modem is connected to the port, it should definitely have a password specified for it.

Setting the console password:
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password ccna

The console port is also on the back of the router and is used to connect a console directly to the router for configuration.  The console is usually a PC running a program like HyperTerminal set to 8 N 1.  The PC connects to the console port from its COM port through a 9-pin to RJ45 connector and a rolled CAT 5 cable (reversed on one end) that plugs into the RJ45 port on the back of the router.  This port should allow logins with passwords if the router is physically secured.  The port should be disabled if it is not regularly used or the router is not securable.  This port can be very useful, especially when configuring a new router or a corrupted router, as you don't have to rely on IP addresses being correct or the interfaces being up.

Setting the Virtual Terminal (Telnet) password:
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password ccna

The vty ports are specified with the command line vty 0 4.  Depending on your router, you might have more than five (0,1,2,3,4) virtual terminals available; in that case use the command line vty 0 X, where X is the number of terminals minus 1.  You can also specify fewer than the maximum, which will limit the number of sessions that can exist on the router.  The Virtual Terminal ports are just that, virtual, as you can't physically see them.  They are the ports that allow users to remotely access the router.  If they are enabled, then anyone on any of the networks that the router knows about can attempt to log in.  If you aren't going to be doing remote configurations on the router yourself, the vty ports should be disabled and the console port should be enabled.  You can also apply a standard IP access list to the VTY ports.
