Overview
Device hardening protects the management plane: SSH instead of Telnet, strong passwords, AAA, and secure SNMP/Syslog for monitoring. CCNA expects you to recognize secure vs cleartext management and basic AAA roles.
Management plane overview
Cisco routers and switches ship from the factory with no security — console access requires no password. Hardening the management plane (how administrators reach and configure devices) is among the first tasks in any deployment.

Out-of-band vs in-band management — know where management traffic should flow.
Supplementary figure from Panagiss CCNAmd
| Plane | What it carries | CCNA focus |
|---|---|---|
| Management | SSH, SNMP, Syslog, NTP | Authentication, encryption, centralized logging |
| Control | Routing protocols, STP BPDUs | Not directly configured here but logged/monitored |
| Data | User traffic | ACLs, firewalls (see ACL and threat topics) |
Line-level password security
Three independent password levels can be configured:
| Level | Line | Purpose |
|---|---|---|
| Console | line console 0 | Physical console cable (always line 0) |
| VTY | line vty 0 15 | Remote Telnet/SSH |
| Privileged Exec | enable secret | Escalation from User Exec to Privileged Exec |
line console 0 password Flackbox1 login ! line vty 0 15 password Flackbox2 login ! enable secret Flackbox3
Enable password appears in plain text in show running-config. Enable secret is hashed and supersedes enable password if both exist. Best practice: use enable secret only, never enable password.
Exec timeout
Default inactivity timeout is 10 minutes on console and VTY lines.
line console 0 exec-timeout 15 0 ! line vty 0 15 exec-timeout 5 30
no exec-timeout or exec-timeout 0 disables timeout (not recommended in production).
Encrypting stored passwords
Line passwords display in plain text by default. Enable service password-encryption to obfuscate them in the running config.
service password-encryption
For stronger protection, use local usernames with secret (MD5/SHA hashed) instead of line-level passwords.
Local username authentication
username admin1 secret Flackbox1 username admin2 privilege 15 secret Flackbox2 ! line console 0 login local ! line vty 0 15 login local
Privilege levels 0–15: Level 0 = minimal (logout, enable, help); Level 1 = User Exec default; Level 15 = full Privileged Exec. Custom commands can be assigned to intermediate levels with privilege exec level 5 show running-config.
SSH vs Telnet
| Protocol | Encryption | CCNA recommendation |
|---|---|---|
| Telnet | None — credentials visible to sniffers | Disable |
| SSH | Encrypted management session | Enable SSH v2 only |
SSH requires a local username (line passwords not supported) and an RSA key pair (≥768 bits, 1024+ recommended).
hostname R1 ip domain-name example.com crypto key generate rsa modulus 2048 ! username admin secret Flackbox1 ! line vty 0 15 transport input ssh login local ! ip ssh version 2
transport input ssh on VTY lines blocks Telnet. transport input none blocks all remote CLI. Restrict sources with access-class on VTY lines.
AAA and centralized authentication
Scaling beyond per-device local users requires an external AAA server (Cisco ISE, RADIUS, or TACACS+).
| Function | Meaning |
|---|---|
| Authentication | Who are you? (username/password) |
| Authorization | What can you do? (per-command on TACACS+) |
| Accounting | What did you do? (audit log) |
| Protocol | Common use |
|---|---|
| RADIUS | End-user VPN access; combines auth + authz |
| TACACS+ | Administrator access to Cisco devices; granular per-command authorization |
username BackupAdmin secret Flackbox1 aaa new-model ! tacacs server Server1 address ipv4 10.10.10.10 key Flackbox1 ! aaa authentication login default group tacacs+ local
Always configure a local fallback user in case the AAA server is unreachable.
VTY access-class
Limit which IP addresses can SSH/Telnet to the device:
access-list 1 permit host 10.0.0.10 ! line vty 0 15 access-class 1 in login local transport input ssh
Switch management IP
Layer 2 switches need an IP on an SVI (typically VLAN 1 or a dedicated management VLAN) plus a default gateway for off-subnet management.
interface vlan 1 ip address 192.168.0.10 255.255.255.0 no shutdown ! ip default-gateway 192.168.0.1
Best practices
service password-encryption no ip http server no cdp run ! banner login ^C Authorized access only. Violators prosecuted. ^C
Banners (banner motd, banner login) display legal warnings. Disable unused services (HTTP, CDP in high-security sites) to reduce attack surface.
NTP time synchronization
Accurate time is required for syslog correlation, Kerberos, and digital certificates.
ntp server 10.10.10.50 show clock
Syslog
Cisco devices generate Syslog messages for events (interface up/down, OSPF adjacency, ACL denies). Format:
*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface Fa0/0, changed state to down
Severity levels (memorize for exam)
| Level | Keyword | Meaning |
|---|---|---|
| 0 | emergencies | System unusable |
| 1 | alerts | Immediate action needed |
| 2 | critical | Critical conditions |
| 3 | errors | Error conditions |
| 4 | warnings | Warning conditions |
| 5 | notifications | Normal but significant |
| 6 | informational | Informational messages |
| 7 | debugging | Debug-level messages |
Setting level 3 logs levels 0–3 (emergencies through errors).
Logging destinations
| Destination | Default | Config |
|---|---|---|
| Console | All messages | no logging console to disable |
| VTY (monitor) | Off | logging monitor 6 |
| Buffer (RAM) | All | logging buffered debugging |
| External server | Off | logging 10.0.0.100 + logging trap debugging |
logging 10.0.0.100 logging trap debugging logging source-interface Loopback0
Logging synchronous on console/VTY lines reprints your partially typed command on a new line after a syslog message interrupts — essential for lab comfort: line console 0 → logging synchronous.
Debug vs show: show is a snapshot; debug streams real-time updates (can overwhelm production CPUs). Use terminal monitor on VTY sessions to see debug output remotely.
SNMP
Simple Network Management Protocol (SNMP) lets an NMS (Network Management System) poll or receive traps from managed devices.
| Component | Role |
|---|---|
| SNMP Manager (NMS) | Central server — polls agents, receives traps |
| SNMP Agent | Runs on router/switch — responds to Get, sends Traps |
| MIB | Database of OIDs (variables the manager can query) |
SNMP versions (exam-critical)
| Version | Security | Notes |
|---|---|---|
| SNMPv1 | Community strings (plaintext) | Legacy |
| SNMPv2c | Community strings (plaintext) | Adds GetBulk; most common in older networks |
| SNMPv3 | Auth + encryption | Preferred — noAuthNoPriv, authNoPriv, authPriv |
SNMPv1/v2c community strings act like shared passwords (public ro, private rw). Never use default communities in production. SNMPv3 uses users and groups with optional encryption.
SNMP operations
| Operation | Direction | Purpose |
|---|---|---|
| Get | Manager → Agent | Read a variable |
| GetNext | Manager → Agent | Walk the MIB tree |
| GetBulk | Manager → Agent | Bulk retrieval (v2c+) |
| Set | Manager → Agent | Change a variable |
| Trap | Agent → Manager | Async alert (link down, HSRP change) |
| Inform | Agent → Manager | Trap with acknowledgment |
UDP ports: Manager queries typically use UDP 161; traps use UDP 162.
snmp-server community PUBLIC ro snmp-server location HQ-DC1 snmp-server contact netops@example.com
snmp-server group ADMIN v3 priv snmp-server user snmpuser ADMIN v3 auth sha AuthPass123 priv aes 128 PrivPass123
Syslog vs SNMP
| Feature | Syslog | SNMP |
|---|---|---|
| Direction | Device pushes events | Manager pulls (Get) or device pushes (Trap) |
| Detail | Often more verbose text | Structured OID counters |
| Set capability | No | Yes (v2c/v3 Set) |
| Typical use | Event logging, troubleshooting | Performance monitoring, polling |
Modern NMS and SIEM platforms ingest both. NMS focuses on network health; SIEM focuses on security events — significant overlap at CCNA awareness level.
Verification commands
show running-config | section line show ip ssh show users show logging show snmp show ntp status show aaa servers
Exam checklist
| Trap | Correct understanding |
|---|---|
| SSH needs username | Line passwords alone won't work for SSH |
enable secret vs enable password | Secret wins; password visible in config |
| SNMPv2c security | Community strings are not encrypted |
| Syslog severity 3 | Logs 0, 1, 2, and 3 |
VTY access-class | Filters who can connect, not transit traffic |
| No local AAA fallback | Lockout if RADIUS/TACACS+ server is down |