In this blog post, I am sharing lab tutorials on the Cisco Catalyst switch.
This article is a continuation of the CCNA Network Security Series.
It is the 4th article/lab guide for CCNA Security, and it is completely free for visitors/readers on the web (Google Search, Bing Search, Brave, Safari, etc.).
Search on any search engine (Google/Bing) for this series by typing "CCNA Network Security Series CybernomadTV" or "CYNTV", and you will get access to all the listed articles on the web.
In this article, you will learn how to secure a Cisco Catalyst switch, covering the following:
- Setting up Password on a Cisco Switch
- Securing Exec Mode
- Securing Privilege mode
- Removing and disabling password on Cisco Switch CLI
- Verifying Switch Configurations
- Encrypting Passwords
All of the lab tutorials listed above are covered in this one article.
Protecting network devices is critical, so it is important to implement strong password protection on network infrastructure. Here we are talking about Cisco switches.
Secure Cisco Password Strategy
Some recommended standard password guidelines are as follows:
- Use a password length of at least eight characters, preferably 10 or more characters. A longer password is a more secure password.
- Use complex passwords. Add a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
- Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information. For example: cisco, admin, root, rebbeca, ruby123.
- Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
- Change passwords often. If a password is unknowingly compromised, the window of opportunity for the threat actor to use the password is limited. A password change policy of 60 days can be followed.
- Do not write passwords down and leave them in obvious places such as on the desk or monitor.
Organizations can implement a more strategic approach to password management and implementation.
Businesses can adopt password managers across endpoints and follow a more streamlined approach to adopting passwords.
Additionally, you have to adopt mandatory MFA implementation across the IT infrastructure.
Password Managers
Use a password manager to secure passwords for your online activity. Considered to be the best practice for securing passwords, a password manager automatically generates complex passwords for you and automatically enters them when you access those sites.
You only have to enter a primary password to get access to the password manager console. You can also securely share passwords with co-workers without actually revealing the password.
Popular password managers include – Dashlane, 1Password
For regular users – Dashlane, 1Password, Proton
For enterprises – Keeper, Amazon, IBM
Multi-Factor Authentication
Use multi-factor authentication by default. This means that authentication requires two or more independent means of verification.
For example, when you enter a password, you would also have to enter a code that is sent to you through email or text message.
MFA solutions include – Cisco Duo, Microsoft Entra ID, Okta
Setting up Password on a Cisco Switch
When you initially connect to a Cisco switch, you have different modes and access levels on the switch.
The different modes of the switch include:
- Execution Mode
- Privilege Execution Mode
- Global Configuration Mode
- Line Console Global configuration mode
You must add a password to secure execution mode, which is where you enable the switch by entering the command “enable”.
To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command, as shown in the example.
The zero is used to represent the first (and in most cases the only) console interface.
Next, specify the user EXEC mode password using the password password command, where the second word is the password you choose. Finally, enable user EXEC access using the login command.
Securing Exec Mode
To secure user EXEC mode access on a Cisco switch, follow the instructions below.
Enter line console configuration mode using the “line console 0” global configuration command, as shown below.
Follow these commands to secure execution mode on the Cisco switch CLI (Cisco IOS).
Refer to the image below (demonstrated on Cisco Packet Tracer).

As you can see in the image above, our password implementation has been successful in securing execution mode.
Enter the password which we have set up here to enter privilege mode.

After entering the password (cybernomadtv.com), you are granted access to privilege mode. The above image confirms our lab demonstration of adding a password on a Cisco switch and securing the execution mode on Cisco IOS using the switch CLI.
Securing Privilege mode
Console access will now require a password before allowing access to the user EXEC mode.
To have administrator access to all IOS commands including configuring a device, you must gain privileged EXEC mode access. It is the most important access method because it provides complete access to the device.
To secure privileged EXEC access, use the enable secret password global config command, where the last word is the password you choose, as shown in the example.

Follow this series of commands to secure privilege mode on a Cisco switch:

After you have implemented the password, this is how the switch CLI looks.
As you can see below, the switch IOS CLI asks for a password to access privileged EXEC mode.

Verifying Switch Configurations
To verify the configurations performed on a switch,
enter the command – “show running-config”.
Refer to the image below, where the command is performed. You get details like:

As you can see in the image below, the configurations performed are shown when the show running-config command is entered.

So far, we have just set up passwords securing various levels and modes.
But there is a network security weakness if you check the overall configuration. The passwords are in plain text and can be viewed by anyone who can get access to the switch CLI.
It is a weakness and vulnerability at the network security infrastructure level, and it needs to be secured and protected.
We do have a solution to fix this network security vulnerability. Scroll down to see how to encrypt passwords on a Cisco switch.
Encrypting Passwords
Strong passwords are only useful if they are secret. There are several steps that can be taken to help ensure that passwords remain secret on a Cisco router and switch including these:
- Encrypting all plaintext passwords
- Setting a minimum acceptable password length
- Deterring brute-force password guessing attacks
- Disabling an inactive privileged EXEC mode access after a specified amount of time.
Learn more in-depth network security strategies and lessons in our private learning mode offered online. You can check details about our network security learning here.
At Cybernomadtv, our IT learning domain has dedicated courses for CCNA Enterprise and CCNA Security, which are available in on-demand and live instructor modes.
The startup-config and running-config files display most passwords in plaintext. This is a security threat because anyone can discover the passwords if they have access to these files.
To encrypt all plaintext passwords, use the service password-encryption global config command as shown in the example.

Verify using the show running-config command.
As you can see, the passwords have been encrypted and the vulnerability has now been fixed.
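The manual check with show running-config can also be scripted. The following is an added example, not part of the original lab: a Python function that scans running-config text for plaintext passwords and a missing service password-encryption line, and goes slightly further by also flagging a line password with no login command. The names audit, BEFORE and AFTER are illustrative, and both sample configs are constructed with placeholder passwords.

```python
import re

# Constructed "show running-config" excerpts; every password is a placeholder.
BEFORE = """\
no service password-encryption
enable password Example-Enable-1
line con 0
 password Example-Console-1
line vty 0 4
 password Example-Vty-1
 login
"""
AFTER = """\
service password-encryption
enable secret 5 $1$constructed$placeholderhashvalue
line con 0
 password 7 00AA11BB22CC
 login
line vty 0 4
 password 7 00AA11BB22CC
 login
"""

# "password X" is type 0 (plaintext); "password 7 X" was encoded by
# service password-encryption. "enable secret" is stored hashed, so it is skipped.
PW = re.compile(r"^(enable password|password)\s+(?:(\d)\s+)?\S+")

def audit(config: str) -> list[str]:
    """Return password-storage findings for running-config text."""
    findings = []
    if not re.search(r"^service password-encryption\s*$", config, re.M):
        findings.append("global: service password-encryption is off")
    section, has_pw, has_login = "global", set(), set()
    for raw in config.splitlines():
        text = raw.strip()
        if raw and not raw.startswith(" "):   # top-level command starts a new section
            section = text if text.startswith("line ") else "global"
        m = PW.match(text)
        if m:
            has_pw.add(section)
            if (m.group(2) or "0") == "0":    # no type digit means plaintext
                findings.append(f"{section}: '{m.group(1)}' stored in plaintext")
        elif text.startswith("login"):
            has_login.add(section)
    for name in sorted(has_pw - has_login - {"global"}):
        findings.append(f"{name}: password set but 'login' missing")
    return findings
```

An empty list means no type 0 password remains in the config. Cisco documents type 7 as a reversible encoding meant to stop casual viewing, so keep using enable secret for privileged EXEC access.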

There are more lab tutorials and network security strategies for securing a Cisco switch.
You will get to know more about these in upcoming blog articles in the CCNA Security area.
If you need complete access to learning and more in-depth content, you can register for our private training and learning community, where you can get trained and certified under Cisco programs.
Get full access to:
- Blog Content and articles (Free)
- Insider Knowledge
- Cisco Products and Solutions demonstration
- Labs
- Dedicated Copy of Cert Preps prepared by CYNTV
Check out Cisco CCNA Network security series below
- CCNA Security 1 – Network Security Overview
- CCNA Security 2 – Enterprise Cisco Router Security
- CCNA Security 3 – Network Security Domains
Current Blog Article series – CCNA Security 4 – Cisco Switch Security Domain 1 Labs and Password Security Strategies