6-5
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 6 Administering the Switch
Protecting Access to Privileged EXEC Commands
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and
set a password, give the password only to users who need to have access at this level. Use the privilege
level global configuration command to specify commands accessible at various levels. For more
information, see the “Configuring Multiple Privilege Levels” section on page 6-8.
If you enable password encryption, it applies to all passwords including username passwords,
authentication key passwords, the privileged command password, and console and virtual terminal line
passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level
level] global configuration command. To disable password encryption, use the no service
password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
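The following Python script is an added example, not part of the Cisco guide. It audits a saved configuration for two conditions this section describes: an enable password left defined at a level where an enable secret is also set, and cleartext passwords stored while service password-encryption is off. The sample configuration is constructed (only the level 2 hash is the guide's example value), the function name audit is hypothetical, and a missing level keyword is assumed to mean level 15.

```python
import re

# Constructed sample config for this example; only the level-2 hash is the
# guide's own example value.
SAMPLE_CONFIG = """\
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 2 OldLevel2
enable password level 5 PlainLevel5
username admin password 0 AdminPlain
line vty 0 4
 password VtyPlain
"""

ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))?(?: (\d+))? (\S+)$")
OTHER_RE = re.compile(r"^(?:username \S+ )?password(?: (\d+))? (\S+)$")

def audit(config_text):
    """Return a list of findings for an IOS-style configuration text."""
    enables = {}        # privilege level -> set of {"password", "secret"}
    cleartext = 0       # password lines with no encryption type (or type 0)
    encryption_on = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            encryption_on = True
        m = ENABLE_RE.match(line)
        if m:
            kind, level, ptype, _ = m.groups()
            # Assumption: a missing "level" keyword means level 15.
            enables.setdefault(int(level or 15), set()).add(kind)
            if kind == "password" and ptype in (None, "0"):
                cleartext += 1
            continue
        m = OTHER_RE.match(line)
        if m and m.group(1) in (None, "0"):
            cleartext += 1
    findings = []
    for level in sorted(enables):
        if enables[level] == {"password", "secret"}:
            findings.append(f"level {level}: enable password is unused because enable secret is set")
        elif enables[level] == {"password"}:
            findings.append(f"level {level}: only enable password is defined")
    if cleartext and not encryption_on:
        findings.append(f"{cleartext} cleartext password line(s), service password-encryption is off")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```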
Disabling Password Recovery
The default configuration for Catalyst 3550 switches allows an end user with physical access to the
switch to recover from a lost password by interrupting the boot process while the switch is powering up
and then by entering a new password. The password recovery disable feature for Catalyst 3550 Fast
Ethernet switches allows the system administrator to protect access to the switch password by disabling
part of this functionality and allowing the user to interrupt the boot process only by agreeing to set the
system back to the default configuration. With password recovery disabled, you can still interrupt the
boot process and change the password, but the configuration file (config.text) and the VLAN database
file (vlan.dat) are deleted.
Note The password recovery disable feature is valid only on Catalyst 3550 Fast Ethernet switches; it is not
available for Catalyst 3550 Gigabit Ethernet switches.
Note If you disable password recovery, we recommend that you keep a backup copy of the configuration
file on a secure server in case the end user interrupts the boot process and sets the system back to
defaults. Do not keep a backup copy of the configuration file on the switch. If the switch is operating
in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database
file on a secure server. When the switch is returned to the default system configuration, you can
download the saved files to the switch by using the XMODEM protocol. For more information, see
the “Recovering from a Lost or Forgotten Password” section on page 27-3.
        Command                               Purpose
Step 3  service password-encryption           (Optional) Encrypt the password when the password is
                                              defined or when the current configuration is written.
                                              Encryption prevents the password from being readable in the
                                              configuration file.
Step 4  end                                   Return to privileged EXEC mode.
Step 5  copy running-config startup-config    (Optional) Save your entries in the configuration file.