Catalyst Password Protection
When you first receive a Catalyst from Cisco, it has no password set. In other words, the password is <ENTER> to enter both the EXEC and privilege modes. Your first task as a conscientious network administrator should be to change the passwords to the unit. This helps to prevent unauthorized children in adult form from modifying the Catalyst and disrupting your network. Example 4-11 shows a Catalyst session where the user changes the EXEC and enable passwords.
The user starts by changing the enable password for privilege mode with the command set enablepass. The Catalyst immediately prompts for the old password. If you are doing this to a Catalyst with a fresh configuration file, you should respond with <ENTER>. Otherwise, you need to know the existing enable password. If you do not know the existing enable password, see the following section, “Catalyst Password Recovery,” for details on what to do next.
Example 4-11 Modifying a Catalyst’s Passwords
Console> (enable) set enablepass
Enter old password: cntgetin
Sorry password incorrect.
Console> (enable) set enablepass
Enter old password: cantgetin
Enter new password: stillcantgetin
Retype new password: stillcantgetin
Console> (enable) set password
Enter old password: guessthis
Enter new password: guessthis2
Retype new password: guessthis2
Note that italicized text is not displayed in real output.
In Example 4-11, the user types in the wrong enable password, so the Catalyst shows an error message and stops the modification process. The user tries again, but this time enters a correct existing enable password. The Catalyst then asks the user to enter the new enable password, twice, to confirm the entry.
The user then changes the normal mode password with the set password command. As with the enable password, the user has to know the existing password before the Catalyst allows any changes to the password. Upon entering the correct password, the Catalyst asks for the new password and a confirmation.
Catalyst Password Recovery
If at any time you forget the normal mode or enable passwords, you need to start a password recovery process. Password recovery on the Catalyst 5000/6000 series differs from the methods used on a Cisco router or on other Catalyst models.
You must be at the Catalyst console to perform password recovery. Password recovery requires a power cycle of the system by toggling the power switch. After you power cycle the Catalyst, the Catalyst goes through its initialization routines and eventually prompts you for a password to enter the normal mode. At this point, you have 30 seconds to perform password recovery.
The trick in Catalyst password recovery lies in its behavior during the first 30 seconds after booting: when the Catalyst first boots, it ignores the passwords in the configuration file. It uses the default password <ENTER> during this time. So, when the Catalyst prompts you for an existing password at any time, simply type <ENTER> and the Catalyst accepts your response. Immediately enter set password or set enablepass to change the appropriate password(s).
When the Catalyst asks during the password recovery process what to use for the new password, simply respond with <ENTER> too. Otherwise, trying to type in new passwords sometimes leads to a need to reboot again, particularly if you are a poor typist. By initially setting the password to the default value, you minimize your probability of entering a bad value. After setting the enable and EXEC passwords to the default, you can at your leisure go back and change the values without the pressure of completing the process during the 30 seconds provided for password recovery.
As with many security situations, it is imperative that you consider physical security of your boxes. As demonstrated in the password recovery process, an attacker simply needs the ability to reboot the Catalyst and access to the console to get into the privilege mode. When in the privilege mode, the attacker can make any changes that he desires. Keep your Catalyst closets secured and minimize access to consoles.
A security configuration issue of which you should be aware: change the SNMP community strings from their default values. Example 4-6 shows the output from a Catalyst configuration file where the SNMP community strings are still at their default value. A system attacker might use SNMP to change your system. He starts with these common default values. Make them difficult to guess, but remember that they are transmitted over the network in clear text and are, therefore, snoopable.