Cisco Systems RJ-45-to-AUX manual Limiting Telnet Access, Implementing Privilege Levels


Privileged EXEC mode—The Privileged command set includes those commands contained in User EXEC mode, as well as the configure command, through which you can access the remaining command modes. Privileged EXEC mode also includes high-level testing commands, such as debug.

Global Configuration mode—Global Configuration mode commands apply to features that affect the system as a whole. Use the configure privileged EXEC command to enter Global Configuration mode.

Interface Configuration mode—Many features are enabled on a per-interface basis. Interface Configuration commands modify the operation of an interface such as an Ethernet port or a VLAN.

Configuring Passwords

Passwords can be configured on every access method to a Cisco Catalyst switch. Passwords can be applied to the console port, the auxiliary (AUX) port, and the VTY lines that serve remote Telnet sessions. A line password is only checked when the login command is also present on that line; a password without login is never asked for.

Limiting Telnet Access

VTY access can be secured with a password. However, when a careless administrator walks away from a logged-in Telnet session, the open session hands the administrator's full access to anyone who can reach that terminal: they can change the switch configuration and use the switch as a foothold to attack the rest of the network.

A solution is to add another layer of security by applying a time-out to idle VTY sessions. The exec-timeout line command takes the idle limit in minutes and, optionally, seconds (exec-timeout 5 0 is five minutes). If the session receives no character input from the administrator for that long, IOS closes the session and the administrator is logged out. When no exec-timeout is configured, IOS applies its default of 10 minutes; exec-timeout 0 0 (or no exec-timeout) disables the timer entirely and should be avoided on VTY lines.

Implementing Privilege Levels

Privilege levels can be assigned to limit a switch user's ability to perform certain commands or types of commands. Out of the box, the IOS uses two of its levels: the user level, which allows a user to run a subset of commands that permits neither configuration changes nor debug functions, and the privileged level, which allows the user to run all available commands, including configuration change commands.

There are 16 privilege levels, numbered 0 through 15, and both users and commands can be assigned to any of them. Level 1 is User EXEC mode by default and gives the user very limited access, primarily to show commands. Level 15 is Privileged EXEC mode by default and gives the user full access to all configuration commands in the IOS (including the debug command).

Privilege level 0 is the most restricted level. By default it contains only the disable, enable, exit, help, and logout commands, and you can move individual commands down to it so that a user at level 0 gets exactly those commands and nothing else. As an example, you could allow a certain user to use only the show arp command. This is useful when a third party is running a sniffer on your network and needs to match a MAC address to an IP address and vice versa, without being able to view or change anything else on the switch.
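The three controls above (line passwords, an idle timeout on the VTY lines, and privilege-level assignments for users and commands) all live in the running configuration, so the natural check is to audit that text. The following Python script is an added example, not code from the book or from Cisco: it parses the line con 0, line aux 0 and line vty blocks of an IOS-style configuration, flags lines with no password, lines whose idle timeout is disabled or longer than an assumed 5-minute policy, a missing enable secret, and lists which privilege level each username and each relocated command has been given. Both configurations, all password values, the hostname and the 5-minute policy are constructed for the example; the 10-minute IOS default and the meaning of exec-timeout 0 0 are IOS behaviour.

```python
import re

# Idle-timeout policy assumed for this example. IOS itself applies a default
# exec-timeout of 10 minutes when a line sets none; "exec-timeout 0 0" or
# "no exec-timeout" disables the timer.
DEFAULT_IDLE_SECONDS = 600
MAX_IDLE_SECONDS = 300

# Constructed "before" configuration: console timer disabled, AUX line with
# login but no password, VTY lines relying on the 10-minute default.
WEAK_CONFIG = """\
hostname Cat-A
!
line con 0
 password cisco
 login
 exec-timeout 0 0
line aux 0
 login
line vty 0 4
 password cisco
 login
!
end
"""

# Constructed "after" configuration: every line has a password or local
# login and a 5-minute timeout, Privileged EXEC is protected by enable secret,
# and the helpdesk user is pinned to level 0 with only "show arp" added to it.
HARDENED_CONFIG = """\
hostname Cat-A
!
enable secret Ex4mpleEnable!
username netops privilege 15 secret Ex4mpleNetops!
username helpdesk privilege 0 secret Ex4mpleHelp!
privilege exec level 0 show arp
!
line con 0
 password Ex4mpleCon!
 login
 exec-timeout 5 0
line aux 0
 password Ex4mpleAux!
 login
 exec-timeout 5 0
line vty 0 4
 login local
 exec-timeout 5 0
!
end
"""

LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")
TIMEOUT_RE = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")


def parse_line_blocks(config):
    """Return {"vty 0 4": [sub-commands], ...} for every line block.

    A block starts at an unindented "line ..." command and contains the
    indented commands that follow it, up to the next unindented command."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":  # unindented: a top-level command ends any open block
            current = raw[len("line "):] if LINE_RE.match(raw) else None
            if current is not None:
                blocks[current] = []
            continue
        if current is not None:
            blocks[current].append(raw.strip())
    return blocks


def effective_timeout(cmds):
    """Idle seconds before IOS closes the session on this line; 0 means never."""
    if "no exec-timeout" in cmds:
        return 0
    for c in cmds:
        m = TIMEOUT_RE.match(c)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_IDLE_SECONDS


def audit_line(name, cmds):
    """Findings for one line block: password present and enforced, timeout sane."""
    findings = []
    has_password = any(c.startswith("password ") for c in cmds)
    uses_local = "login local" in cmds
    if not (has_password or uses_local):
        findings.append(f"{name}: no password and no 'login local'")
    elif has_password and "login" not in cmds and not uses_local:
        findings.append(f"{name}: password set but 'login' missing, so it is never asked for")
    t = effective_timeout(cmds)
    if t == 0:
        findings.append(f"{name}: exec-timeout disabled, idle sessions never close")
    elif t > MAX_IDLE_SECONDS:
        findings.append(f"{name}: idle timeout {t}s exceeds policy of {MAX_IDLE_SECONDS}s")
    return findings


def audit_config(config):
    """All findings for a configuration, in the order the lines appear."""
    findings = []
    if not any(l.startswith("enable secret") for l in config.splitlines()):
        findings.append("no 'enable secret', Privileged EXEC has no protected password")
    for name, cmds in parse_line_blocks(config).items():
        findings.extend(audit_line(name, cmds))
    return findings


def privilege_map(config):
    """Users -> level (1 unless stated) and relocated commands -> (mode, level)."""
    users, commands = {}, {}
    for raw in config.splitlines():
        m = USER_RE.match(raw)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
            continue
        m = PRIV_RE.match(raw)
        if m:
            commands[m.group(3)] = (m.group(1), int(m.group(2)))
    return users, commands


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_config(cfg) or ["no findings"]:
            print(" ", f)
        print("  privilege map:", privilege_map(cfg))
```

Run against a saved show running-config the script reports the same four line findings described in the text for the weak configuration and nothing for the hardened one. Note that an idle timeout only limits how long an abandoned session stays open; it does not restrict who may open a VTY session in the first place, so it complements the line password rather than replacing it.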

Configuring an IOS-Based CLI Switch

In this section, we will walk through the basic configuration of the IOS-based CLI switches. Although these tasks are not all mandatory, knowing them will help you to better manage your switches.
