CCNA 6.5: Configure, verify, and troubleshoot basic device hardening


Basic device hardening consists of setting user authentication passwords and enable passwords, restricting access to the device over Telnet/SSH, and displaying login banners.


Study Notes:

  • Device hardening helps to restrict access to different command modes on routers and switches
| Command Mode | Access Method | Exit Method |
| --- | --- | --- |
| User EXEC | Log in | Use the logout command. |
| Privileged EXEC | From user EXEC mode, use the enable EXEC command | To return to user EXEC mode, use the disable command |
| Global configuration | From privileged EXEC mode, use the configure terminal privileged EXEC command | To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z |
| Interface configuration | From global configuration mode, specify an interface using an interface command | To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z |
| ROM monitor | From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting | To exit ROM monitor mode, use the continue command |


6.5.a Local authentication

  • Authentication is a way of identifying a user before permitting access to the network and network services
  • Local authentication on a device references usernames and passwords configured locally on the device
  • Local authentication restricts access to the User Exec command mode to the accounts configured on the device
  • To configure local authentication
Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local


6.5.b Secure password

  • A secure password protects the Privileged Exec command mode from unauthorised access
  • The enable password stores the password in plain text in the configuration
Router(config)#enable password [password]
  • The enable secret creates an MD5 hash of the plain-text password that is entered and stores only the hash in the configuration
  • Use enable secret instead of enable password; if both are configured, the enable secret takes precedence
Router(config)#enable secret [password]


6.5.c Access to device

6.5.c (i) Source address

  • Configure an access-control list that only permits access to your device from a trusted source address (e.g. a management machine)
Router(config)#access-list 10 permit host [management-address]
Router(config)#access-list 10 deny any
  • Apply the access-list to the vty lines
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in


6.5.c (ii) Telnet/SSH

  • Telnet is an insecure protocol that sends credentials in clear text; do not use it.
  • To disable telnet on a device, specify only the protocols that are allowed on the vty lines (transport input); every other protocol is then denied.
  • To configure SSH on a router
    • Configure the hostname
    Router(config)#hostname Router1
    • Configure the domain name
    Router(config)#ip domain-name [domain-name]
    • Generate the RSA keys
    Router(config)#crypto key generate rsa
     The name for the keys will be:
     Choose the size of the key modulus in the range of 360 to 2048 for your
       General Purpose Keys. Choosing a key modulus greater than 512 may take
       a few minutes.
    How many bits in the modulus [512]: 1024
     % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    • Configure the VTY lines
    Router(config)#line vty 0 4
    Router(config-line)#transport input ssh
  • Also remember to configure a local username and password (see 6.5.a) so you can log in when the prompt appears


6.5.d Login banner

  • A login banner appears just before the Username: prompt when user authentication is required to login to a device
  • A character delimiter is required to specify the beginning and end of the login banner
Router1(config)#banner login ?
  LINE  c banner-text c, where 'c' is a delimiting character
Router1(config)#banner login %this is the login banner%

this is the login banner

User Access Verification
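To verify the four items above (6.5.a to 6.5.d) against a device's running configuration, here is an added Python example that is not part of these notes or of the Packet Tracer lab: it parses `show running-config` text and reports which hardening controls are missing. The two sample configs are constructed, and `[hash]` stands in for a real enable secret hash.

```python
import re

def _vty_blocks(lines):
    """Return [(header, sub-commands)] per 'line vty' block; IOS indents sub-commands one space."""
    blocks, in_block = [], False
    for line in lines:
        if line.startswith("line vty"):
            blocks.append((line, []))
            in_block = True
        elif in_block and line.startswith(" "):
            blocks[-1][1].append(line.strip())
        else:
            in_block = False  # any un-indented line closes the block
    return blocks

def audit_ios_config(config):
    """Check 'show running-config' text against the 6.5 items; return a list of findings."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    if any(l.startswith("enable password") for l in lines):          # 6.5.b
        findings.append("enable password stores the password in plain text; use enable secret")
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no enable secret configured")
    if "aaa authentication login default local" not in lines:        # 6.5.a
        findings.append("aaa authentication login default local not configured")
    for header, body in _vty_blocks(lines):                          # 6.5.c
        transport = [b for b in body if b.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{header}: transport input must be 'ssh' only, got {transport or 'default'}")
        if not any(re.fullmatch(r"access-class \d+ in", b) for b in body):
            findings.append(f"{header}: no inbound access-class limiting the source address")
    if not any(l.startswith("banner login") for l in lines):         # 6.5.d
        findings.append("no login banner configured")
    return findings

# Constructed sample configs (not captured from a real device); [hash] is a placeholder.
WEAK_CONFIG = """\
enable password cisco
line vty 0 4
 transport input all
"""
HARDENED_CONFIG = """\
aaa authentication login default local
enable secret 5 [hash]
access-list 10 permit host 10.0.0.5
banner login ^Cthis is the login banner^C
line vty 0 4
 access-class 10 in
 transport input ssh
"""
```

Run `audit_ios_config()` on the output of `show running-config`; an empty list means every 6.5 check passed, and each finding names the vty block it applies to.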



PacketTracer Lab: CCNA-6.5-Configure-verify-and-troubleshoot-basic-device-hardening.pkt


Built by TrailSix