Console Access

Every network device has a console interface, a serial RJ45 port on the device itself. You connect a computer running a terminal emulation program such as Tera Term or HyperTerminal to it with a rollover cable, and the command prompt appears in the terminal emulation program.

Configuring the password on the console interface:

Router(config)#line ?
  First Line number
  aux        Auxiliary line
  console    Primary terminal line
  vty        Virtual terminal
Router(config)#line console 0
Router(config-line)#exit
Router(config)#line console 0
Router(config-line)#login
% Login disabled on line 0, until 'password' is set
Router(config-line)#password cisco


Auxiliary Access

The auxiliary port provides out-of-band access, and all routers come with this interface. An external modem is attached to it so that you can dial into the router over a PSTN line.


Virtual Line Interfaces

By default, all Cisco routers come with 5 VTY line interfaces, numbered 0, 1, 2, 3, and 4.

The VTY lines are configured as below.

Router(config)#line vty 0 4
Router(config-line)#login
% Login disabled on line 6, until 'password' is set
Router(config-line)#password cisco


Enable Password

The enable password protects access to privileged EXEC (enable) mode.

Configuring the enable password

Router(config)#enable password cisco


Secret Password

The enable password is ignored if the enable secret is configured.
The following command creates an enable secret for privileged EXEC mode; it is stored in the configuration as an MD5 hash rather than in clear text.

Router(config)#enable secret Cisco123


Service Password Encryption

To prevent accidental disclosure of the router's passwords (for example, when the configuration is displayed or printed), configure service password-encryption, which encrypts all clear-text passwords in the device configuration.

Router(config)#service password-encryption


Timeouts for Router Lines

To log out a user whose console, auxiliary, or vty line has gone idle, configure a timeout on that line. The exec-timeout minutes seconds command terminates a connection that has been inactive for the specified time.

Router(config)#line console 0

Router(config-line)#exec-timeout 5 20


Configuring Minimum Password Length

This is a configurable feature to enforce the minimum password length for router access.

Router(config)#security passwords min-length 18
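The settings above (login and a password on each line, an enable secret rather than only an enable password, service password-encryption, an exec-timeout on every line, and a minimum password length) are easy to verify against a saved running-config. The following Python script is an added example, not code from the original page or from Cisco: it parses two constructed configurations for a hypothetical router (hostname, passwords, hash and type-7 strings are made up placeholders) and reports which of those settings are missing. One caveat worth keeping in mind when reading its output: service password-encryption applies Cisco's type 7 encoding, which is reversible, so it only guards against someone reading a displayed configuration over your shoulder; the MD5-hashed enable secret is the credential that is actually hard to recover from the configuration.

```python
"""Audit a Cisco IOS running-config for the line and password settings
discussed above. Added example (not code from the original page); the
configurations below are constructed for illustration."""

# Constructed sample running-config for a hypothetical router, deliberately weak.
WEAK_CONFIG = """\
!
hostname R1
!
enable password cisco
!
line con 0
 login
 password cisco
line aux 0
 password cisco
line vty 0 4
 login
 password cisco
 exec-timeout 0 0
!
end
"""

# The same device after applying the settings covered above. The MD5 hash and
# the type-7 strings are placeholders, not real values.
HARDENED_CONFIG = """\
!
hostname R1
!
service password-encryption
security passwords min-length 18
enable secret 5 $1$PLACEHOLDER$md5hash
!
line con 0
 login
 password 7 PLACEHOLDERTYPE7
 exec-timeout 5 20
line aux 0
 login
 password 7 PLACEHOLDERTYPE7
 exec-timeout 5 20
line vty 0 4
 login
 password 7 PLACEHOLDERTYPE7
 exec-timeout 5 20
!
end
"""


def parse_config(config_text):
    """Split a running-config into global commands and per-line sub-commands.

    Returns (global_cmds, sections); sections maps a line name such as
    'vty 0 4' to the list of commands indented under that 'line' stanza."""
    global_cmds, sections, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                       # blank or comment line
        if raw.startswith(" "):            # indented: belongs to the open stanza
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(config_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    global_cmds, sections = parse_config(config_text)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no 'enable secret' configured")
    if "service password-encryption" not in global_cmds:
        findings.append("'service password-encryption' not enabled")
    if not any(c.startswith("security passwords min-length") for c in global_cmds):
        findings.append("no 'security passwords min-length' set")
    for name, cmds in sections.items():
        # 'login' (or 'login local' etc.) is what makes IOS prompt for a password at all
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: 'login' missing (no password prompt)")
        if not any(c.startswith("password ") for c in cmds):
            findings.append(f"line {name}: no password set")
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: exec-timeout not set (IOS default of 10 minutes applies)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"line {name}: '{timeout}' disables the idle timeout")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Run it against a configuration captured with show running-config (the parser only looks at the `line` stanzas and a handful of global commands, so the rest of a real configuration is ignored). The weak sample produces seven findings, including the missing `login` on the auxiliary line, which matters because without it IOS never prompts for the password that is configured there.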


Secure Administrative Access to Cisco Routers by Configuring Multiple Privilege Levels

By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.

Access to each privilege level is enabled through separate passwords, which you specify when configuring the privilege level.

For example, suppose you want a certain set of users to be able to configure only certain interfaces, without giving them access to other configuration options. You could then create a separate privilege level containing only the specific interface configuration commands and distribute the password for that level to those users.

Setting the Privilege Level for a Command

To create a new privilege level and associate commands with it, use the following commands, beginning in global configuration mode:

Step 1
Command: Router(config)# privilege mode level level command-string
Purpose: Configures the specified privilege level to allow access to the specified command.

Step 2
Command: Router(config)# enable secret level level {0 | 5} password-string
Purpose: Sets the password for the specified privilege level. This is the password users will enter after entering the enable level command to access the specified level. 0 indicates an unencrypted password string follows; 5 indicates an encrypted password string follows.

Step 3
Command: Router(config)# exit
Purpose: Exits global configuration mode and returns to EXEC mode.

Step 4
Command: Router# copy running-config startup-config
Purpose: (Optional) Saves the configuration to the startup configuration file in NVRAM.

Note: The do keyword (for example, do copy running-config startup-config) allows execution of EXEC commands from within configuration mode without exiting first.


Changing the Default Privilege Level for Lines

To change the default privilege level for a given line or a group of lines, use the following command in line configuration mode:

Command: Router(config-line)# privilege level level
Purpose: Specifies a default privilege level for a line.


Displaying Current Privilege Levels

To display the current privilege level you can access based on the password you used, use the following command in EXEC mode:

Command: Router# show privilege
Purpose: Displays your current privilege level.


Logging In to a Privilege Level

To log into a router at a specified privilege level, use the following command in EXEC mode:

Command: Router# enable level
Purpose: Logs in to a specified privilege level.


To exit to a specified privilege level, use the following command in EXEC mode:

Command: Router# disable level
Purpose: Exits to a specified privilege level.
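The interface-only operator from the example earlier in this section, together with the enable level and disable level commands just described, can be modelled to see which commands each level can actually reach. The following Python script is an added example, not code from the original page or from Cisco: the configuration fragment, command names, levels and secrets are constructed, the default-level table is an illustrative subset of what IOS ships with, and the rules are a simplified model (a command assigned to level N is usable at N and every higher level; rising to a level requires that level's secret; dropping to a lower level does not). It handles only type 0 (clear-text) enable secret entries, since a type 5 entry would require an MD5 comparison.

```python
"""Model how Cisco IOS privilege levels gate commands and how 'enable level'
and 'disable level' move a session between levels. Added example (not the
page's or Cisco's code); the configuration fragment, command names and
secrets below are constructed, and the rules are a simplified model."""

# Constructed fragment: a level-5 operator may enter configuration mode,
# select an interface and change only its description or shutdown state.
PRIV_CONFIG = """\
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 description
privilege interface level 5 shutdown
enable secret level 5 0 IntfOnly2024!!
enable secret level 15 0 FullAdmin2024!!
"""

# Illustrative subset of IOS default levels: a few commands sit at level 0,
# the basic user-EXEC commands at level 1; anything else defaults to 15.
DEFAULT_LEVELS = {
    ("exec", "enable"): 0, ("exec", "disable"): 0, ("exec", "exit"): 0,
    ("exec", "logout"): 0, ("exec", "help"): 0,
    ("exec", "show version"): 1, ("exec", "ping"): 1, ("exec", "show privilege"): 1,
}


def parse_privileges(config_text):
    """Return (command_levels, level_secrets) from 'privilege' and
    'enable secret level' lines; every other line is ignored."""
    command_levels, level_secrets = {}, {}
    for line in config_text.splitlines():
        p = line.split()
        if p[:1] == ["privilege"] and len(p) >= 5 and p[2] == "level":
            # privilege <mode> level <N> <command words...>
            command_levels[(p[1], " ".join(p[4:]))] = int(p[3])
        elif p[:3] == ["enable", "secret", "level"] and len(p) >= 6:
            # enable secret level <N> {0|5} <string>; 0 = clear text, 5 = MD5 hash.
            # This model only compares type 0 entries.
            level_secrets[int(p[3])] = p[5]
    return command_levels, level_secrets


def command_level(mode, command, command_levels):
    """Level required for a command: the configured one, else the default."""
    return command_levels.get((mode, command), DEFAULT_LEVELS.get((mode, command), 15))


def can_run(session_level, mode, command, command_levels):
    """A command assigned to level N is available at N and every higher level."""
    return session_level >= command_level(mode, command, command_levels)


class Session:
    """Privilege level of one EXEC session (simplified)."""

    def __init__(self, level_secrets, start_level=1):
        self.secrets = level_secrets
        self.level = start_level

    def enable(self, target, password):
        """'enable <target>': rising requires the secret configured for that
        level. Returns True on success; a wrong secret leaves the level unchanged."""
        if target > self.level and self.secrets.get(target) != password:
            return False
        self.level = target
        return True

    def disable(self, target=1):
        """'disable <target>': lowers the level without a password; never raises it."""
        if target < self.level:
            self.level = target
        return self.level


if __name__ == "__main__":
    levels, secrets = parse_privileges(PRIV_CONFIG)
    s = Session(secrets)
    s.enable(5, "IntfOnly2024!!")
    for mode, cmd in (("interface", "shutdown"), ("interface", "ip address")):
        print(f"level {s.level}: {mode} '{cmd}' allowed = {can_run(s.level, mode, cmd, levels)}")
```

The point the model makes visible: the level-5 operator can shut an interface down or change its description but cannot run `ip address`, because that command was never moved from its default level 15, and a wrong secret on `enable 5` leaves the session at level 1 rather than partially elevating it. The same checks apply to any `privilege` lines you pull from a real configuration.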