To change the enable password, use "enable password <password>".
To change the enable secret, use "enable secret <password>".
Enable / Disable - Enables or Disables privileged exec mode.
There are five different types of passwords:
1. Enable Password - A global command that restricts access to privileged exec mode. This password is stored unencrypted in the configuration.
2. Enable Secret - Assigns a one-way cryptographic (hashed) secret password, available in IOS versions 10.3 and up. When it exists, this secret is used instead of the enable password.
3. Virtual Terminal Password (vty password): The virtual terminal password is used for Telnet sessions into the router. The password can be changed at any time. It can be set up when you configure the router from the console. There can be five distinct passwords corresponding to each vty (vty0 to vty4) or there can be a single password for all vtys.
4. Auxiliary Password: The auxiliary password sets the password for the auxiliary port. This port is used to access a router through a modem.
5. Console Password: The console password sets the password for the console port.
Given below are the steps in brief that one needs to go through for configuring AAA.
On the client side:
1. Configure AAA
aaa new-model
2. Specify AAA server to be accessed by the client
tacacs-server host 192.168.1.2 key cisco@123
3. Create a name method list. MYAUTHLIST is used for example only. You can use whichever name you want.
aaa authentication login MYAUTHLIST group tacacs+ local
4. Create authorization method list to apply on users that have been authenticated.
aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local
5. Apply the method lists to the device's lines (here, the vty lines)
a. line vty 0 4
b. login authentication MYAUTHLIST
c. authorization exec MYAUTHORIZATIONLIST
The syntax for extended access list is given below:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name]
As seen from the syntax, the source IP address precedes the destination. Extended access lists are applied close to the source, whereas standard access lists are applied close to the destination.
To permit or deny a specific host from accessing a network, we can use the statement:
access-list <access-list #> [permit/deny] [protocol] host <source-ip-address> <destination-ip-address> <destination-wildcard-mask>
Note that when the "host" keyword is used, no source wildcard mask is required (it is implicitly 0.0.0.0).
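As an added illustration (not part of the original notes), the following Python evaluates extended access-list entries the way a router does: wildcard-mask bits set to 1 are "don't care", the "host" keyword is shorthand for a 0.0.0.0 wildcard, "any" is shorthand for 0.0.0.0 255.255.255.255, entries are checked in order and the first match wins, and a packet matching no entry hits the implicit deny. The ACL text and packets below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str      # "permit" or "deny"
    protocol: str    # "ip", "tcp", "udp", ...
    src: int
    src_wild: int
    dst: int
    dst_wild: int

def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].
    Returns (address, wildcard, index of next token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":                  # host = single address, wildcard 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2

def parse_acl(text):
    """Parse 'access-list <n> {permit|deny} <proto> <src> <dst> ...' lines into Ace objects."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, src_wild, i = _addr_spec(t, 4)
        dst, dst_wild, _ = _addr_spec(t, i)
        acl.append(Ace(t[2], t[3], src, src_wild, dst, dst_wild))
    return acl

def _matches(addr, wild, packet_addr):
    # Compare only the bits where the wildcard mask is 0
    care = 0xFFFFFFFF ^ wild
    return (addr & care) == (packet_addr & care)

def evaluate(acl, protocol, src_ip, dst_ip):
    """Return the action of the first matching entry, or the implicit 'deny'."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in acl:
        if ace.protocol not in ("ip", protocol):     # "ip" matches every protocol
            continue
        if _matches(ace.src, ace.src_wild, s) and _matches(ace.dst, ace.dst_wild, d):
            return ace.action
    return "deny"                                    # implicit deny at the end of every ACL

SAMPLE_ACL = parse_acl("""
access-list 101 deny tcp host 192.168.1.10 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
""")
```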
Control Plane Policing (CoPP): A policy applied to the control plane of a router to protect the CPU from high rates of traffic that could affect router stability. It was created with the sole purpose of protecting the CPU, i.e. the control plane, of a router.
The Control Plane Policing feature lets users configure a quality of service (QoS) filter that manages the flow of control plane packets, protecting the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way the control plane (CP) can maintain packet forwarding and protocol state despite an attack or a heavy traffic load on the router or switch.