7-5
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 7 Administering the Switch Protecting Access to Privileged EXEC Commands
If both the enable and enable secret passwords are defined, users must enter the enable secret password.
Use the level keyword to define a password for a specific privilege level. After you specify the level and
set a password, give the password only to users who need to have access at this level. Use the privilege
level global configuration command to specify commands accessible at various levels. For more
information, see the Configuring Multiple Privilege Levels section on page 7-8.
If you enable password encryption, it applies to all passwords including username passwords,
authentication key passwords, the privileged command password, and console and virtual terminal line
passwords.
To remove a password and level, use the no enable password [level level] or no enable secret [level
level] global configuration command. To disable password encryption, use the no service
password-encryption global configuration command.
This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for
privilege level 2:
Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
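
The following Python script is an added example, not part of the Cisco guide. It audits a saved configuration for the points above: an enable password left in place beside an enable secret at the same level, a level protected only by an enable password, and password encryption not enabled. The function name and the sample configuration are constructed for illustration, and the script assumes that a command given without the level keyword applies to level 15.

```python
import re

# Matches "enable {password|secret} [level N] [TYPE] STRING" as stored in a config file.
ENABLE_RE = re.compile(
    r"^enable (?P<kind>password|secret)"
    r"(?: level (?P<level>\d+))?(?: (?P<type>\d+))? (?P<value>\S+)$"
)

def audit_enable_passwords(config_text):
    """Return a list of findings about privileged EXEC password settings."""
    entries = {}            # privilege level -> {"password": type, "secret": type}
    encryption_on = False
    for raw in config_text.splitlines():
        line = raw.strip()
        # Exact match, so "no service password-encryption" does not count.
        if line == "service password-encryption":
            encryption_on = True
        m = ENABLE_RE.match(line)
        if m:
            level = int(m.group("level") or 15)   # assumption: no level keyword means 15
            etype = int(m.group("type") or 0)     # no type digit means cleartext (0)
            entries.setdefault(level, {})[m.group("kind")] = etype
    findings = []
    if not encryption_on:
        findings.append("service password-encryption is not enabled")
    for level, kinds in sorted(entries.items()):
        if "secret" in kinds and "password" in kinds:
            # The enable secret is the one users must enter; the other is unused.
            findings.append(f"level {level}: enable password is unused, "
                            "enable secret takes precedence")
        elif "password" in kinds:
            findings.append(f"level {level}: only enable password "
                            f"(type {kinds['password']}) is set, no enable secret")
    return findings

# Constructed sample configuration; only the level 2 secret comes from the guide.
SAMPLE_CONFIG = """\
enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
enable password level 2 ExamplePw2
enable password ExamplePw15
"""

if __name__ == "__main__":
    for finding in audit_enable_passwords(SAMPLE_CONFIG):
        print(finding)
```
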

Disabling Password Recovery

The default configuration for Catalyst 2950 LRE switches allows an end user with physical access to the
switch to recover from a lost password by interrupting the start process while the switch is powering up
and then by entering a new password. The password recovery disable feature for Catalyst 2950 LRE
switches allows the system administrator to protect access to the switch password by disabling part of
this functionality and allowing the user to interrupt the start process only by agreeing to set the system
back to the default configuration. With password recovery disabled, you can still interrupt the start
process and change the password, but the configuration file (config.text) and the VLAN database file
(vlan.dat) are deleted.
Note The password recovery disable feature is valid only on Catalyst 2950 LRE switches; it is not available
for Catalyst 2950 Gigabit Ethernet switches.
Note If you disabl e password recovery, we recommend that you keep a backup copy of the configuration file
on a secure server in case the end user interrupts the start process and sets the system back to defaults.
Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP
transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a
secure server. When the switch is returned to the default system configuration, you can download the
saved files to the switch by using the XMODEM protocol. For more information, see the Recovering
from a Lost or Forgotten Password section on page 28-6.