Limiting Telnet Access; Implementing Privilege Levels; Configuring an IOS-Based CLI Switch - Cisco RJ-45-to-AUX Brochure

Cisco switch brochure

Privileged EXEC mode—The Privileged command set includes those commands contained in User
EXEC mode, as well as the configure command, through which you can access the remaining
command modes. Privileged EXEC mode also includes high-level testing commands, such as debug.

Global Configuration mode—Global Configuration mode commands apply to features that affect the
system as a whole. Use the configure privileged EXEC command to enter Global Configuration
mode.

Interface Configuration mode—Many features are enabled on a per-interface basis. Interface
Configuration commands modify the operation of an interface such as an Ethernet port or a VLAN.

Passwords can be configured on every access method to a Cisco Catalyst switch. Passwords can be applied to
the console port, auxiliary (AUX) port, and VTY lines.

Limiting Telnet Access

VTY access can be secured with a password. However, when a careless administrator walks away from a
logged-in Telnet session, the door is open with full access to the entire network. Anyone with access to
the terminal the administrator was using can then make changes and attack the network.

A solution is to add another layer of security by applying a time-out condition to unused VTY sessions.
Cisco IOS measures idle time in seconds or minutes, depending on the IOS version. If the session receives
no character input from the administrator for the configured amount of time, the session is closed and the
administrator using it is logged out.
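
One way to audit the line settings described above (passwords on the console, AUX and VTY lines, and the idle time-out), as an added example that is not part of the brochure. It assumes the IOS `exec-timeout <minutes> [seconds]` and `no login` line subcommands; the sample configuration, the 10-minute policy limit and the function names are constructed for illustration.

```python
import re

# Constructed sample of IOS line configuration (not taken from the brochure).
SAMPLE_CONFIG = """\
line con 0
 password EXAMPLE-ONLY
 login
line aux 0
 no login
 exec-timeout 0 0
line vty 0 4
 password EXAMPLE-ONLY
 login
 exec-timeout 5 0
line vty 5 15
 password EXAMPLE-ONLY
 login
 exec-timeout 30 0
"""
IOS_DEFAULT_TIMEOUT = 600  # seconds; IOS uses 10 minutes when exec-timeout is unset
MAX_IDLE_SECONDS = 600     # assumed site policy, not a value from the brochure

def parse_lines(config):
    """Return {line name: [subcommands]} for every 'line ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = blocks.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other unindented line ends the block
    return blocks

def audit(config, max_idle=MAX_IDLE_SECONDS):
    """Return sorted (line, finding) pairs for idle time-out and login gaps."""
    findings = []
    for name, cmds in parse_lines(config).items():
        idle = IOS_DEFAULT_TIMEOUT
        for cmd in cmds:
            if m := re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd):
                idle = int(m[1]) * 60 + int(m[2] or 0)
        if idle == 0:
            findings.append((name, "idle timeout disabled"))
        elif idle > max_idle:
            findings.append((name, f"idle timeout {idle}s exceeds {max_idle}s"))
        if "no login" in cmds:
            findings.append((name, "no password prompt (no login)"))
    return sorted(findings)
```

Run `audit()` over a saved copy of the running configuration; the console line in the sample passes because it falls back to the IOS default time-out.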

Implementing Privilege Levels

Privilege levels can be assigned to limit switch users' ability to perform certain commands or types of
commands. You can configure two types of levels in the IOS: user levels and privilege levels. A user level
allows a user to perform a subset of commands that does not allow for configuration changes or debug
functions. A privilege level, on the other hand, allows the user to use all the available commands, including
configuration change commands.

You can assign a user one of 16 different levels, from level 0 to level 15. Level 1 is set to User EXEC mode by
default. This level gives the user very limited access, primarily to show commands. Level 15 defaults to
Privileged EXEC mode, which gives the user full access to all configuration commands in the IOS (including
the debug command).

Privilege level 0 is a special level that allows the user to use a more specifically defined set of commands. As an
example, you could allow a certain user to use only the show arp command. This command is useful when a
third party is using a sniffer on your network and needs to match a MAC address to an IP address and vice
versa.

Configuring an IOS-Based CLI Switch

In this section, we will walk through the basic configuration of the IOS-based CLI switches. Although these
tasks are not all mandatory, knowing them will help you to better manage your switches.

Configuring Passwords