Securing The Cli - Cisco WS-SUP32-GE-3B - Supervisor Engine 32 Software Configuration Manual

Software configuration guide

Securing the CLI

For example:
Router# configure ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>

To redisplay a command you previously entered, press the up arrow key or Ctrl-P. You can continue to
press the up arrow key to see the last 20 commands you entered.

Tip: If you are having trouble entering a command, check the system prompt, and enter the question mark (?)
for a list of available commands. You might be in the wrong command mode or using incorrect syntax.

Enter exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to
immediately return to privileged EXEC mode.

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY

Securing the CLI
Securing access to the CLI prevents unauthorized users from viewing configuration settings or making
configuration changes that can disrupt the stability of your network or compromise your network
security. You can create a strong and flexible security scheme for your switch by configuring one or more
of these security features:
Protecting access to privileged EXEC commands
At a minimum, you should configure separate passwords for the user EXEC and privileged EXEC
(enable) IOS command modes. You can further increase the level of security by configuring
username and password pairs to limit access to CLI sessions to specific users. For more information,
see "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions
on Networking Devices" at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html
Controlling switch access with RADIUS, TACACS+, or Kerberos
For a centralized and scalable security scheme, you can require users to be authenticated and
authorized by an external security server running either Remote Authentication Dial-In User Service
(RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), or Kerberos.
For more information about RADIUS, see "Configuring RADIUS" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html
For more information about TACACS+, see "Configuring TACACS+" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html
For more information about Kerberos, see "Configuring Kerberos" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
Configuring a secure connection with SSH or HTTPS
To prevent eavesdropping of your configuration session, you can use a Secure Shell (SSH) client or
a browser that supports HTTP over Secure Socket Layer (HTTPS) to make an encrypted connection
to the switch.
For more information about SSH, see "Configuring Secure Shell" at this URL:
Chapter 2
Command-Line Interfaces
OL-11439-03
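
The three areas listed in this section (privileged EXEC protection, centralized authentication, and encrypted sessions) can be checked against a saved running configuration. The Python script below is an added example, not part of the Cisco guide; the two configuration excerpts are constructed samples, and the function names parse_blocks and audit_cli_access are hypothetical.

```python
# Constructed sample excerpts in running-config layout (not from the Cisco guide).
WEAK_CONFIG = """\
enable password lab-password
ip http server
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
enable secret 5 $1$CONSTRUCTED-HASH
aaa new-model
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

def parse_blocks(config):
    """Map each top-level command to its indented sub-commands ('!' lines become empty entries)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks

def audit_cli_access(config):
    """Return one finding per gap in the three areas the section lists."""
    blocks = parse_blocks(config)
    findings = []
    # Privileged EXEC protection: expect 'enable secret', flag 'enable password'.
    if not any(cmd.startswith("enable secret ") for cmd in blocks):
        findings.append("no 'enable secret' configured")
    if any(cmd.startswith("enable password ") for cmd in blocks):
        findings.append("'enable password' present")
    # RADIUS, TACACS+ or Kerberos login requires AAA to be switched on first.
    if "aaa new-model" not in blocks:
        findings.append("'aaa new-model' absent")
    # Encrypted sessions: no plaintext HTTP server, VTY lines limited to SSH.
    if "ip http server" in blocks:
        findings.append("plaintext 'ip http server' enabled")
    for cmd, subs in blocks.items():
        inputs = [s.split()[2:] for s in subs if s.startswith("transport input")]
        if cmd.startswith("line vty") and inputs != [["ssh"]]:
            findings.append(f"{cmd}: not restricted to SSH")
    return findings

if __name__ == "__main__":
    print(audit_cli_access(WEAK_CONFIG), audit_cli_access(HARDENED_CONFIG))
```

A VTY block with no transport input line is also reported, because the check requires an explicit SSH-only setting.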
