Next, you must specify a routing protocol: in this case, Enhanced Interior Gateway Routing Protocol (EIGRP). To do so, use the following command:

router eigrp 2

The last step is to apply the configured access list. Use the distribute-list command on interface g0/0 to filter outbound traffic from network 192.129.0.0:

distribute-list 2 out g0/0
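The three commands above only make sense together with the access list they reference, which is defined earlier in the text. The following is an added example configuration, not the book's own, that shows the complete sequence: the access list (its deny/permit lines are assumed here, matching the intent of filtering network 192.129.0.0), the EIGRP process, and the distribute list that stops routes matching the list from being advertised out g0/0. The network statement is also an assumption, since EIGRP advertises nothing until at least one is configured.

```cisco
! Added example configuration; not from the original text.
! Assumed: access-list 2 denies 192.129.0.0/16 and permits everything else.
access-list 2 deny   192.129.0.0 0.0.255.255
access-list 2 permit any
!
! EIGRP autonomous system 2, as on the page. The network statement is assumed.
router eigrp 2
 network 10.0.0.0
 ! Apply list 2 to routing updates sent out GigabitEthernet0/0 (g0/0):
 ! routes matching the deny line are dropped from the advertisement.
 distribute-list 2 out GigabitEthernet0/0
!
end
!
! Verification (enter from Privileged EXEC):
!   show ip protocols        -> lists "Outgoing update filter list for all interfaces"
!                                and the per-interface filter on GigabitEthernet0/0
!   show access-lists 2      -> shows match counters climbing as updates are filtered
```

Note that a distribute list filters what EIGRP advertises (or learns), not user traffic; packets destined for 192.129.0.0 still forward if a route exists from another source. A standard access list applied with `out` matches on the route's network address, which is why a wildcard mask covering the whole 192.129.0.0/16 block is used.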

Security at the Access Layer

The Access layer has very few policies to apply. The switches at this layer should rely on port-level security and passwords required on the network interfaces. The Access layer policy controls physical access to the components of the network. Physical access involves the following:

Configuring users and passwords on the physical devices

Limiting Telnet access

Limiting access to network switches by implementing privilege levels

Configuring banner messages

Securing physical devices

Implementing port security

Managing VLANs

Configuring Passwords

Passwords can be configured for every access method to a Cisco Catalyst switch: the VTY lines, the console port, Web access, and the auxiliary (AUX) port.

Limiting Telnet Access

VTY access can be secured with a password—but when a careless administrator walks away from a logged-in Telnet session, the door is open with full access to the entire network. This situation allows anyone to access the open Telnet session and bring the network to its knees.

To lower the chances of this type of vulnerability, you may want to configure a time-out condition and apply it to unused VTY sessions. Cisco IOS measures idle sessions in seconds or minutes, depending on the IOS version. If the session receives no character input from the administrator for the configured amount of time, the session is closed and the administrator using it is logged out.

Implementing Privilege Levels

Privilege levels can be assigned to limit switch users’ abilities to perform certain commands or types of commands. You can configure two types of levels in the IOS: user levels and privilege levels. A user level allows a user to perform a subset of commands that does not allow for configuration changes or debug functions. A privilege level, on the other hand, allows the user to use all the available commands, including configuration change commands.

You can assign a user 16 different levels, from level 0 to level 15. Level 1 is set to User EXEC mode by default. This level gives the user very limited access, primarily to show commands. Level 15 defaults to the Privileged EXEC mode, which gives the user full access to all configuration commands in the IOS (including the debug command).
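The three sections above (Configuring Passwords, Limiting Telnet Access, and Implementing Privilege Levels) describe settings that are normally applied together on an access-layer switch. The following added example configuration, which is not from the original text, puts them in one place: local accounts at level 15 and level 5, an idle time-out on the console and VTY lines, a reduced command set granted to level 5, and a banner. The hostname, usernames, passwords, and the particular show commands moved to level 5 are constructed for illustration.

```cisco
! Added example configuration; not from the original text.
! Hostname, account names, passwords and the level-5 command set are assumed.
hostname ACC-SW1
!
! Obfuscate clear-text passwords in the running configuration
service password-encryption
!
! Banner presented on every access method before login
banner motd ^
Authorized access only. Activity on this device is monitored and logged.
^
!
! Enable passwords: one for full access (15) and one for the restricted level (5)
enable secret level 15 Adm1nEnablePw
enable secret level 5  Op3rEnablePw
!
! Local accounts. privilege N places the user directly at that level on login.
username netadmin privilege 15 secret Adm1nLoginPw
username operator privilege 5  secret Op3rLoginPw
!
! Lower selected show commands from level 15 to level 5 so the operator can
! use them without receiving configuration or debug access.
privilege exec level 5 show running-config
privilege exec level 5 show interfaces
privilege exec level 5 show ip route
!
! Console port: authenticate against local accounts, close idle sessions
! after 5 minutes 0 seconds.
line console 0
 login local
 exec-timeout 5 0
!
! AUX port: no EXEC session at all, so an attached device cannot log in.
line aux 0
 no exec
!
! VTY lines (Telnet): local login, same idle time-out as the console.
line vty 0 4
 login local
 exec-timeout 5 0
!
end
!
! Checks:
!   show privilege       -> prints the level of the current session
!   show users           -> lists sessions with their idle time
!   show running-config  -> at level 5 displays only commands visible at that level
```

Two points worth checking after applying such a configuration. First, `exec-timeout 0 0` disables the idle timer entirely, so a line that has been "tuned" that way is the situation the text warns about; `show running-config | section line` makes this easy to audit. Second, `service password-encryption` only obfuscates line passwords (type 7), whereas the `secret` keyword on `enable` and `username` stores a one-way hash; the latter is what protects the credentials if the configuration file is copied.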
