1
00:00:00,740 --> 00:00:06,560
In this GNS3 topology, I have two routers, router 1 and router 2, which are connected to a

2
00:00:06,560 --> 00:00:13,460
hub which in turn is connected to a cloud, allowing me to have access to my local area network from these

3
00:00:13,460 --> 00:00:14,090
two routers.

4
00:00:14,780 --> 00:00:19,880
I've also got a Cisco IOSv layer 2 switch, which I haven't connected to other devices.

5
00:00:20,450 --> 00:00:27,020
I'm going to talk briefly about locking down the console and then we'll discuss Telnet and SSH, and

6
00:00:27,020 --> 00:00:29,350
I'll use the same topology for those videos.

7
00:00:30,500 --> 00:00:38,840
So firstly, I've connected to the console of this IOSv layer 2 switch and when I press enter, I'm

8
00:00:38,840 --> 00:00:43,460
put into user mode and then I can type enable to go to privileged mode.

9
00:00:45,020 --> 00:00:52,100
So exit; I'm shown that I'm on the console of the switch. Press enter and I am in user mode; enable,

10
00:00:52,520 --> 00:00:55,810
and then I'm taken to privileged mode with no authentication.

11
00:00:56,120 --> 00:00:57,710
I wasn't asked for a password.

12
00:00:59,460 --> 00:01:04,420
In this example, I'm connecting to the console of a physical 3750 switch.

13
00:01:05,330 --> 00:01:12,200
When I press enter, I'm put into user mode and once again, when I type enable, I can go to privileged

14
00:01:12,200 --> 00:01:15,920
mode, but in this example, the switch is prompting for a password.

15
00:01:18,660 --> 00:01:27,270
So notice the user experience is the same on a physical switch versus a virtual switch running in GNS

16
00:01:27,400 --> 00:01:27,730
3.
17
00:01:28,560 --> 00:01:36,570
So as an example, if I type enable password Cisco and then exit out of the switch,

18
00:01:37,740 --> 00:01:39,950
press enter, I'm in user mode,

19
00:01:41,350 --> 00:01:48,120
type enable, and now I have to enter a privilege password or secret password to go to privileged mode,

20
00:01:48,700 --> 00:01:49,970
same as a physical switch.

21
00:01:50,830 --> 00:01:51,550
Notice, please:

22
00:01:51,550 --> 00:01:55,570
I was not prompted for a password to get to user mode.

23
00:01:56,110 --> 00:01:58,930
I was only prompted for a password when I typed enable.

24
00:02:00,060 --> 00:02:04,410
There is no password by default on the console of a switch

25
00:02:05,410 --> 00:02:12,190
or router. Show run shows a lot of configuration, and if I scroll all the way down to the bottom,

26
00:02:12,610 --> 00:02:15,420
I'll see a line like this: line console 0.

27
00:02:15,760 --> 00:02:17,550
So that's the console port of the switch.

28
00:02:18,520 --> 00:02:24,550
I can put a password on that by typing password and specifying some kind of password.

29
00:02:25,030 --> 00:02:32,110
So I'm going to say Cisco and then I'm going to type login to indicate that we're using the password

30
00:02:32,110 --> 00:02:32,830
on the line,

31
00:02:35,660 --> 00:02:42,230
not a local username and password database. So I'm going to say show run pipe begin con

32
00:02:45,660 --> 00:02:46,980
or rather, con 0.

33
00:02:48,430 --> 00:02:54,520
So as you can see, this is the configuration on the console: I typed password Cisco

34
00:02:55,730 --> 00:03:06,740
and login. Type exit. Now when I press enter, I'm asked for a password to get to user mode and then enable

35
00:03:07,520 --> 00:03:09,080
will take me to privileged mode.

36
00:03:09,990 --> 00:03:16,470
Now, I could create a local username and password database, so let's do something like this.
37
00:03:18,790 --> 00:03:25,190
That makes no difference, however, in the current configuration. When logging out and pressing enter,

38
00:03:25,330 --> 00:03:29,140
I still have to put in my password of Cisco to get to user mode

39
00:03:30,460 --> 00:03:38,470
and I have to put a password in to go to global config mode, and that's because at the moment,

40
00:03:39,690 --> 00:03:46,950
the console is configured with password Cisco and login. If I change that to line console 0

41
00:03:46,950 --> 00:03:50,100
and type login local,

42
00:03:51,260 --> 00:03:55,430
notice the difference now when I type exit and press enter.

43
00:03:56,670 --> 00:04:05,940
I'm now asked for a username and a password, and now I gain access to user mode and then I have to type

44
00:04:05,940 --> 00:04:06,450
enable

45
00:04:07,480 --> 00:04:14,680
and my enable password or secret password to go to privileged mode. I can change that again by typing

46
00:04:14,680 --> 00:04:20,649
username David, whatever the user is, and using the privilege command,

47
00:04:21,279 --> 00:04:25,360
so privilege and specifying the privileges of that user.

48
00:04:26,410 --> 00:04:27,780
So I'll exit out of here,

49
00:04:29,270 --> 00:04:37,370
press enter, prompted for my username, prompted for my password, and notice I am taken immediately to

50
00:04:37,370 --> 00:04:42,380
privileged mode, and that's because on the user,

51
00:04:44,400 --> 00:04:52,350
in this case David, a privilege of 15 was applied, so the user immediately gets full rights to the

52
00:04:52,350 --> 00:04:53,590
switch upon login.

53
00:04:54,060 --> 00:05:02,910
We don't have to type enable and then password to go to the enable mode. Show run pipe begin line con,

54
00:05:04,510 --> 00:05:05,620
line con, rather.
55
00:05:08,170 --> 00:05:15,460
Notice line console 0 has the command password Cisco. That's irrelevant now, so I could actually

56
00:05:15,460 --> 00:05:16,240
remove that,

57
00:05:19,960 --> 00:05:22,150
and that's because login local is being used.

58
00:05:24,660 --> 00:05:32,390
So show run pipe begin line console, or line con: I've only got login local on the line. Type

59
00:05:32,400 --> 00:05:38,400
exit, press enter, asked for my username, straight into privileged mode.

60
00:05:43,010 --> 00:05:47,480
So the password on the line is only used if login is used.

61
00:05:48,560 --> 00:05:57,200
Notice if I don't have a password and I specify login, I'm told that login is disabled until a password

62
00:05:57,200 --> 00:05:57,650
is set.

63
00:05:58,760 --> 00:05:59,810
So let's try that:

64
00:06:00,650 --> 00:06:11,660
press enter, I'm straight into user mode; exit, press enter, straight into user mode, and I'm now asked to enter

65
00:06:11,660 --> 00:06:12,770
an enable password.

66
00:06:14,970 --> 00:06:23,310
So if I want to put that back to the way it was previously, on the line console I need to specify a

67
00:06:23,310 --> 00:06:23,970
password,

68
00:06:25,350 --> 00:06:33,090
and now when I log in, I'm asked for the password on the line as well as my privileged password.

69
00:06:34,170 --> 00:06:35,220
So just to recap:

70
00:06:39,790 --> 00:06:47,260
login indicates that a password on the line is required to gain access to the console of a router or switch.

71
00:06:47,770 --> 00:06:54,130
If you don't specify a password, login is ignored and you go straight into user mode.

72
00:06:54,700 --> 00:07:01,480
If you specify login local here, the local username and password database is used,

73
00:07:02,470 --> 00:07:08,140
so you'd be asked for your username as well as your password when logging into the console.
74
00:07:08,650 --> 00:07:14,710
If you specify privilege and a privilege level, you don't have to put an enable password in; you're taken

75
00:07:14,710 --> 00:07:19,740
straight to the privilege level associated with your user account,

76
00:07:19,750 --> 00:07:20,920
in this case, it's 15.

77
00:07:21,490 --> 00:07:28,870
Now, if you want to play a trick on someone, and I don't suggest you do this in production:

78
00:07:30,000 --> 00:07:38,340
a console has an exec-timeout in minutes and in seconds. You could specify something like this, so

79
00:07:38,340 --> 00:07:43,940
exec-timeout 0 1 means that it'll time out after 1 second.

80
00:07:44,460 --> 00:07:50,430
So notice when I press enter and try and gain access to my router, one second later I'm logged out.

81
00:07:50,940 --> 00:07:58,080
So what you need to do to make this work, or to fix this, is you have to type very quickly or continually

82
00:07:58,080 --> 00:07:58,890
press tab.

83
00:07:58,910 --> 00:08:00,720
So I'm going to press tab with my one finger

84
00:08:01,350 --> 00:08:07,560
so it's continuously updated, and then I'm going to try and type with my other finger

85
00:08:09,850 --> 00:08:15,040
and try and specify the command required. So as you can see, I'm making a lot of typing mistakes,

86
00:08:15,040 --> 00:08:19,540
but that's okay as long as I keep pressing tab.

87
00:08:21,520 --> 00:08:27,520
So once again, this is not something you want to do, but if you do make a mistake, you should specify

88
00:08:27,520 --> 00:08:30,220
0 0 as an example, which means don't time out.

89
00:08:30,640 --> 00:08:33,190
So now I'm not logged out of the console.

90
00:08:33,909 --> 00:08:39,390
You probably want to set that to some value that's realistic for your environment.

91
00:08:39,909 --> 00:08:45,070
So, say, 5 minutes: after 5 minutes of inactivity, you'll be logged out of the console.

92
00:08:46,820 --> 00:08:51,340
Another great command on a router is logging synchronous.
93
00:08:51,350 --> 00:08:59,450
If I start typing a command like show ip interface brief, you'll notice the command is all over the

94
00:08:59,450 --> 00:09:03,130
place and I have to press tab to see my command.

95
00:09:03,530 --> 00:09:10,700
So once again, if I type conf t and press Ctrl-Z and then start typing hello, you'll notice

96
00:09:10,700 --> 00:09:11,690
it's all over the place.

97
00:09:12,230 --> 00:09:12,950
Press tab.

98
00:09:13,190 --> 00:09:14,520
My command is shown again.

99
00:09:15,380 --> 00:09:19,850
So what we want to do is, on the line console,

100
00:09:21,360 --> 00:09:27,660
we want to use the command logging synchronous, so line console 0, logging

101
00:09:28,850 --> 00:09:29,630
synchronous.

102
00:09:30,730 --> 00:09:37,210
Notice the difference now when I press Ctrl-Z and then type hello: hello is automatically retyped.

103
00:09:38,390 --> 00:09:43,340
So it becomes a lot easier to type commands and see what you're doing when you're getting a lot of output

104
00:09:43,340 --> 00:09:46,460
on the screen, especially when doing debugging.

105
00:09:46,940 --> 00:09:51,160
So don't forget the logging synchronous option on the console.

106
00:09:51,590 --> 00:09:53,120
It's going to save you a lot of trouble.