Lab 3 Goals
● Test vty connectivity and switch management
● Create an enable secret password
● Save the configuration
Lab Requirements
● Switch configured with Lab 2 configuration
● PC configured with
IP address 192.168.1.2 255.255.255.0
● Cisco rollover (console) cable
● Ethernet cable
In Lab 2, the switch was configured with several passwords:
● enable password - pass1
● Console password - pass3
● vty password - pass4
Configure a PC with IP address 192.168.1.2 255.255.255.0. Connect the PC to labsw1, Fast Ethernet 0/1. When the light on the interface turns green, you are ready to start. Test the connectivity with a ping from the PC to the switch VLAN 1 IP address: 192.168.1.75.
1. PC>ping 192.168.1.75
You should receive the following response:
Pinging 192.168.1.75 with 32 bytes of data:
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=32ms TTL=255
Reply from 192.168.1.75: bytes=32 time=31ms TTL=255
Ping statistics for 192.168.1.75:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 31ms, Maximum = 32ms, Average = 31ms
If the ping is unsuccessful, verify your configuration and cabling. The interface connected to the PC and interface VLAN 1 should both show "up, up" (check with "show ip interface brief"). When the ping is successful, telnet to the switch:
2. PC> telnet 192.168.1.75
You will be prompted for a password. Use the vty password created in Lab 2: pass4. If the vty password (or any other password) is entered incorrectly, or if a mistake was made when the vty password was created, the telnet session will prompt for the password three times and then terminate with the message [Connection to 192.168.1.75 closed by foreign host]. Repeating the test from the console session lets you correct the configuration and retest. Note that Telnet sends the password, and everything typed after it, in clear text on the wire; on a production switch the vty lines should accept SSH only ("transport input ssh").
Testing the Privileged Exec, or enable, Mode
Enable mode allows full access to the switch. Because it is so powerful, it is normally protected by a password. The enable password configured in Lab 2 is pass1.
3. labsw1 > enable
You will be prompted for the enable password. Enter the enable password created in Lab 2: "pass1."
4. Password: pass1 (The password will not be displayed)
When the password has been entered correctly, the prompt will show:
labsw1 #
The pound sign (#) indicates that enable access has been granted.
Create enable secret password
The purpose of this and the following test is to demonstrate that a vty (telnet) connection has the same control as a console connection: the configuration can be changed and managed from a vty session exactly as it can from the console.
The enable password created in Lab 2 is considered insecure because it is stored in clear text. Anyone who can view the configuration with "show running-config" or "show startup-config" reads "pass1" directly. That includes someone who has used Cisco's Password Recovery Procedure, which needs only physical console access and bypasses the configured passwords. Verify that the enable password is in clear text with the "show running-config" command.
A more secure approach is to configure an enable secret instead of an enable password. The enable secret is stored as a salted MD5 hash (shown as "enable secret 5 ..." in the configuration), so it never appears in clear text and cannot be read back from the configuration, even by someone who has run the Password Recovery Procedure (that procedure lets them replace the secret, not learn it). The hash can still be attacked offline with a password-cracking tool, so choose a strong secret. To create an enable secret password:
5. labsw1 # configure terminal
6. labsw1(config) # enable secret pass5
7. labsw1(config)# Ctrl-Z
Now verify that the enable secret password has been created and that it is encrypted:
8. labsw1 # show running-config
Partial output:
Current configuration : 1350 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$ADGV$w/H8cfK035rDMajX
enable password pass1
!
(Lines omitted)
Now two enable passwords exist, but only one is used. When an enable secret is configured it always takes precedence, so the enable password, "pass1" in this example, will no longer work.
Test this change, exit enable mode with the "disable" command:
9. labsw1 # disable
The prompt, “>” indicates that the access has returned to User Exec Mode.
labsw1 >
Access Privileged Exec mode again by entering the enable command:
10. labsw1 > enable
11. Password:
First, test the change by entering the enable password created in Lab 2: "pass1." It should not work. The Password prompt will be displayed again. This time, enter the enable secret password created in Step 6: "pass5." Enable access should be granted:
labsw1 #
Since the enable password no longer functions, it is best to remove it. A configuration command is usually removed by prefixing it with "no"; you saw this in Lab 2, where "no shutdown" reversed the "shutdown" command. Enter configuration mode and use the "no" form to remove the enable password:
12. labsw1# configure terminal
13. labsw1(config)# no enable password
14. labsw1(config)# Ctrl-Z
Verify that the enable password has been removed:
15. labsw1# show running-config
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$M9aV$.WWzTZpZ1xlWQQZ0KOsax0
!
(Lines omitted)
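As an added example (not part of the lab and not Cisco code), the following Python script audits text saved from "show running-config" for the weaknesses this lab addresses: a missing enable secret, an enable password still present (in clear text or reversible type 7), "no service password-encryption", and clear-text line passwords. The two sample configurations are constructed from the excerpts above, with the Lab 2 console and vty passwords added; they are not real device output.

```python
"""Audit a Cisco IOS running-config for weak enable/line password storage.

Added example for this lab; not Cisco code. It only inspects text saved
from "show running-config" and never talks to a device.
"""
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the two running-config excerpts in this
# lab (Lab 2 console/vty passwords added); not real device output.
CONFIG_BEFORE = """\
version 12.1
no service pad
no service password-encryption
!
hostname labsw1
!
enable secret 5 $1$ADGV$w/H8cfK035rDMajX
enable password pass1
!
interface Vlan1
 ip address 192.168.1.75 255.255.255.0
!
line con 0
 password pass3
 login
line vty 0 4
 password pass4
 login
!
"""

# The same switch after step 13 ("no enable password").
CONFIG_AFTER = CONFIG_BEFORE.replace("enable password pass1\n", "")

# Matches "enable secret 5 <hash>", "enable secret <clear>", "enable password 7 <obf>", ...
ENABLE_SECRET_RE = re.compile(r"^enable secret(?: (\d+))? (\S+)", re.M)
ENABLE_PASSWORD_RE = re.compile(r"^enable password(?: (\d+))? (\S+)", re.M)


def enable_secret_type(config: str) -> Optional[int]:
    """Type of the configured enable secret: 5 = salted MD5 (what IOS 12.x
    stores), 0 = shown in clear text, None = no enable secret at all."""
    m = ENABLE_SECRET_RE.search(config)
    if m is None:
        return None
    return int(m.group(1)) if m.group(1) else 0


def line_passwords(config: str) -> Dict[str, Optional[int]]:
    """Password type per 'line' block (con 0, vty 0 4, ...): None = no
    password, 0 = clear text, 7 = reversible type-7 obfuscation."""
    result: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            result[current] = None
        elif not raw.startswith(" "):
            current = None  # "!" or a new top-level command ends the block
        elif current is not None and raw.strip().startswith("password "):
            parts = raw.split()
            result[current] = int(parts[1]) if len(parts) == 3 and parts[1].isdigit() else 0
    return result


def audit(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    secret_type = enable_secret_type(config)
    if secret_type is None:
        findings.append("no enable secret configured; privileged access relies on the weaker enable password")
    pw = ENABLE_PASSWORD_RE.search(config)
    if pw is not None:
        stored = "clear text" if pw.group(1) in (None, "0") else f"type {pw.group(1)} (reversible)"
        note = ("; it is ignored because an enable secret exists but still leaks a credential"
                if secret_type is not None else "")
        findings.append(f"enable password stored in {stored}{note}; remove it with 'no enable password'")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("service password-encryption is off; line passwords are shown in clear text")
    for name, ptype in line_passwords(config).items():
        if ptype == 0:
            findings.append(f"line {name}: password in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"--- {label} ---")
        for finding in audit(cfg):
            print(" *", finding)
```

Run it against a config you have saved from a switch (replace the constructed samples) to confirm that the only enable credential left is a type 5 secret. The line-password findings go beyond what this lab changes; "service password-encryption" only applies type 7 obfuscation, which is trivially reversible, so the real fix for those is to move to SSH with local user accounts and secrets rather than line passwords.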
Save the new configuration.
16. labsw1# copy running-config startup-config
Terminate the vty session:
17. labsw1# exit