The console port of network devices must be secured, at a bare minimum, by requiring the user to supply a strong password. This reduces the chance of unauthorized personnel physically plugging a cable into the device and gaining device access.

The following commands are used in global configuration mode to set a password for the console line:

Switch(config)# line console 0

Switch(config-line)# password cisco

Switch(config-line)# login

From global configuration mode, the command line console 0 is used to enter line configuration mode for the console. The zero is used to represent the first (and in most cases only) console interface.

The second command, password cisco, specifies a password for the console line.

The login command configures the switch to require authentication upon login. When login is enabled and a password set, the console user will be prompted to enter a password before gaining access to the CLI.

VTY Password

The vty lines allow access to a Cisco device via Telnet. By default, many Cisco switches support up to 16 vty lines that are numbered 0 to 15. The number of vty lines supported on a Cisco router varies with the type of router and the IOS version. However, five is the most common number of vty lines configured. These lines are numbered 0 to 4 by default, though additional lines can be configured. A password needs to be set for all available vty lines. The same password can be set for all connections. However, it is often desirable that a unique password be set for one line to provide a fall-back for administrative entry to the device if the other connections are in use.

Example commands used to set a password on vty lines:

Switch(config)# line vty 0 15

Switch(config-line)# password cisco

Switch(config-line)# login

By default, the IOS includes the login command on the VTY lines. This prevents Telnet access to the device without authentication. If, by mistake, the no login command is set, which removes the requirement for authentication, unauthorized persons could connect across the network to the line using Telnet. This would be a major security risk.

The figure illustrates the securing of the user EXEC access on the console and Telnet lines.
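The checks described above can be run against a saved configuration. The following is an added example, not part of the original tutorial or any Cisco tool: it flags line stanzas where login is missing or removed, where login is set without a password, where the tutorial's example password is still in use, and vty lines in the default switch range 0 to 15 that no secured stanza covers. The function names and the sample configuration are assumptions made for illustration, and the script recognizes only the password and login commands covered here.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
line console 0
 password cisco
 login
line vty 0 4
 password S3parate-Admin-Line
 login
line vty 5 14
 no login
"""

# Matches "line console 0", the abbreviated "line con 0", and "line vty 0 15".
STANZA = re.compile(r"^line (con|vty)\w* (\d+)(?: (\d+))?\s*$")
PLACEHOLDER_PASSWORDS = {"cisco"}  # the tutorial's example value

def parse_stanzas(config):
    """Split the text into line stanzas: (kind, first, last, [commands])."""
    stanzas, current = [], None
    for raw in config.splitlines():
        m = STANZA.match(raw.strip())
        if m:
            current = (m.group(1), int(m.group(2)), int(m.group(3) or m.group(2)), [])
            stanzas.append(current)
        elif current and raw[:1].isspace() and raw.strip():
            current[3].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit(config, vty_lines=range(16)):
    """Return a list of findings; vty_lines defaults to the switch range 0-15."""
    findings, secured_vty = [], set()
    for kind, first, last, cmds in parse_stanzas(config):
        name = f"{kind} {first}" if first == last else f"{kind} {first}-{last}"
        passwords = [c.split(None, 1)[1] for c in cmds if c.startswith("password ")]
        if "no login" in cmds or "login" not in cmds:
            findings.append(f"{name}: login not enforced, no authentication")
            continue
        if not passwords:
            findings.append(f"{name}: login set but no password configured")
        elif passwords[-1] in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name}: placeholder password in use")
        if kind == "vty":
            secured_vty.update(range(first, last + 1))
    missing = sorted(set(vty_lines) - secured_vty)
    if missing:
        findings.append(f"vty lines without enforced login: {missing}")
    return findings
```

For a router with five vty lines, pass `vty_lines=range(5)` so that lines 5 to 15 are not reported as missing.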