Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
The auxiliary port, if at all possible, should be disabled. Router Central, in the
sample network diagram (Figure 4-1), has no need for the aux port. The example
below shows how to disable login on the auxiliary port (login to enable mode first):
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# line aux 0
Central(config-line)# transport input none
Central(config-line)# login local
Central(config-line)# exec-timeout 0 1
Central(config-line)# no exec
Central(config-line)# end
Central#
Section 4.1.5 discusses configuration of the auxiliary port if it is required for a
modem. If the auxiliary port is required for a second local serial connection then
configure it as shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# line aux 0
Central(config-line)# exec-timeout 5 0
Central(config-line)# login local
Central(config-line)# transport input none
Central(config-line)# exec
Central(config-line)# end
Central#
The primary mechanism for remote administration of Cisco routers is logging in via
Telnet; these connections are called virtual terminal lines. Login on the virtual
terminal lines should be disabled if remote administration is not absolutely necessary.
Remote administration is inherently dangerous because anyone with a network
sniffer on the right LAN segment can acquire the router passwords and would then be
able to take control of the router. To disable network virtual terminal connections to
the router, create an access list and apply it to the virtual terminal lines as shown in
the example below. [Note: perform these commands only when connected to the aux
or console port, do not perform them while logged into the router via Telnet.]
South# config t
Enter configuration commands, one per line. End with CNTL/Z.
South(config)# no access-list 90
South(config)# access-list 90 deny any log
South(config)# line vty 0 4
South(config-line)# access-class 90 in
South(config-line)# transport input none
South(config-line)# login local
South(config-line)# exec-timeout 0 1
South(config-line)# no exec
South(config-line)# end
South#
If remote administration is necessary, see Section 4.1.5 for details on configuring
remote administration.
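The two postures shown on this page (an auxiliary port with exec disabled, and virtual terminal lines closed off with an inbound access-class) can be verified against a saved running-config rather than by eye. The audit script below is an added example, not part of the guide: the configuration excerpt it parses is constructed, and the stanza parser and finding strings are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample 'show running-config' excerpt (not taken from the guide).
# The aux stanza matches the guide's disabled-aux example; the vty stanza is
# left weak (no access-class, Telnet allowed) so the audit has something to report.
SAMPLE_CONFIG = """\
line aux 0
 transport input none
 login local
 exec-timeout 0 1
 no exec
line vty 0 4
 login local
 transport input telnet
"""

def parse_line_stanzas(config: str) -> Dict[str, List[str]]:
    """Group the indented commands under each 'line ...' header."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # a non-indented command ends the stanza
    return stanzas

def audit_lines(config: str) -> Dict[str, List[str]]:
    """Per aux/vty stanza, list deviations from the guide's 'disabled' settings."""
    findings: Dict[str, List[str]] = {}
    for header, cmds in parse_line_stanzas(config).items():
        if not header.startswith(("line aux", "line vty")):
            continue
        issues = []
        if header.startswith("line vty") and not any(
                re.fullmatch(r"access-class \S+ in", c) for c in cmds):
            issues.append("no inbound access-class")
        if "transport input none" not in cmds:
            issues.append("transport input not set to none")
        if "login local" not in cmds:
            issues.append("login local not configured")
        if "no exec" not in cmds:
            issues.append("exec still enabled")
        findings[header] = issues
    return findings
```

When the aux port is legitimately in use as a second serial console (the second example above), the "exec still enabled" finding is expected and the remaining checks still apply.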