All topic guides
SecurityAmalgamated guide

Device Security & Management

SSH, passwords, AAA, SNMP, Syslog, and management plane protection.

How the sources were combined

Panagiss device security covers SSH and management plane. jdepew88 SNMP and Syslog extends monitoring — one operations security guide.

Overview

Device hardening protects the management plane: SSH instead of Telnet, strong passwords, AAA, and secure SNMP/Syslog for monitoring. CCNA expects you to recognize secure vs cleartext management and basic AAA roles.

Management plane overview

Cisco routers and switches ship from the factory with no security — console access requires no password. Hardening the management plane (how administrators reach and configure devices) is among the first tasks in any deployment.

Out-of-band vs in-band management — know where management traffic should flow.

Out-of-band vs in-band management — know where management traffic should flow.

Supplementary figure from Panagiss CCNAmd

PlaneWhat it carriesCCNA focus
ManagementSSH, SNMP, Syslog, NTPAuthentication, encryption, centralized logging
ControlRouting protocols, STP BPDUsNot directly configured here but logged/monitored
DataUser trafficACLs, firewalls (see ACL and threat topics)

Line-level password security

Three independent password levels can be configured:

LevelLinePurpose
Consoleline console 0Physical console cable (always line 0)
VTYline vty 0 15Remote Telnet/SSH
Privileged Execenable secretEscalation from User Exec to Privileged Exec
Basic console and VTY passwords

line console 0 password Flackbox1 login ! line vty 0 15 password Flackbox2 login ! enable secret Flackbox3

Warning

Enable password appears in plain text in show running-config. Enable secret is hashed and supersedes enable password if both exist. Best practice: use enable secret only, never enable password.

Exec timeout

Default inactivity timeout is 10 minutes on console and VTY lines.

Exec timeout

line console 0 exec-timeout 15 0 ! line vty 0 15 exec-timeout 5 30

no exec-timeout or exec-timeout 0 disables timeout (not recommended in production).

Encrypting stored passwords

Line passwords display in plain text by default. Enable service password-encryption to obfuscate them in the running config.

Password encryption

service password-encryption

For stronger protection, use local usernames with secret (MD5/SHA hashed) instead of line-level passwords.

Local username authentication

Local users with privilege levels

username admin1 secret Flackbox1 username admin2 privilege 15 secret Flackbox2 ! line console 0 login local ! line vty 0 15 login local

Privilege levels 0–15: Level 0 = minimal (logout, enable, help); Level 1 = User Exec default; Level 15 = full Privileged Exec. Custom commands can be assigned to intermediate levels with privilege exec level 5 show running-config.

SSH vs Telnet

ProtocolEncryptionCCNA recommendation
TelnetNone — credentials visible to sniffersDisable
SSHEncrypted management sessionEnable SSH v2 only

SSH requires a local username (line passwords not supported) and an RSA key pair (≥768 bits, 1024+ recommended).

Enable SSH and disable Telnet

hostname R1 ip domain-name example.com crypto key generate rsa modulus 2048 ! username admin secret Flackbox1 ! line vty 0 15 transport input ssh login local ! ip ssh version 2

Tip

transport input ssh on VTY lines blocks Telnet. transport input none blocks all remote CLI. Restrict sources with access-class on VTY lines.

AAA and centralized authentication

Scaling beyond per-device local users requires an external AAA server (Cisco ISE, RADIUS, or TACACS+).

FunctionMeaning
AuthenticationWho are you? (username/password)
AuthorizationWhat can you do? (per-command on TACACS+)
AccountingWhat did you do? (audit log)
ProtocolCommon use
RADIUSEnd-user VPN access; combines auth + authz
TACACS+Administrator access to Cisco devices; granular per-command authorization
AAA with TACACS+ (simplified)

username BackupAdmin secret Flackbox1 aaa new-model ! tacacs server Server1 address ipv4 10.10.10.10 key Flackbox1 ! aaa authentication login default group tacacs+ local

Always configure a local fallback user in case the AAA server is unreachable.

VTY access-class

Limit which IP addresses can SSH/Telnet to the device:

VTY source restriction

access-list 1 permit host 10.0.0.10 ! line vty 0 15 access-class 1 in login local transport input ssh

Switch management IP

Layer 2 switches need an IP on an SVI (typically VLAN 1 or a dedicated management VLAN) plus a default gateway for off-subnet management.

Switch management SVI

interface vlan 1 ip address 192.168.0.10 255.255.255.0 no shutdown ! ip default-gateway 192.168.0.1

Best practices

Hardening checklist

service password-encryption no ip http server no cdp run ! banner login ^C Authorized access only. Violators prosecuted. ^C

Banners (banner motd, banner login) display legal warnings. Disable unused services (HTTP, CDP in high-security sites) to reduce attack surface.

NTP time synchronization

Accurate time is required for syslog correlation, Kerberos, and digital certificates.

NTP client

ntp server 10.10.10.50 show clock

Syslog

Cisco devices generate Syslog messages for events (interface up/down, OSPF adjacency, ACL denies). Format:

*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface Fa0/0, changed state to down

Severity levels (memorize for exam)

LevelKeywordMeaning
0emergenciesSystem unusable
1alertsImmediate action needed
2criticalCritical conditions
3errorsError conditions
4warningsWarning conditions
5notificationsNormal but significant
6informationalInformational messages
7debuggingDebug-level messages

Setting level 3 logs levels 0–3 (emergencies through errors).

Logging destinations

DestinationDefaultConfig
ConsoleAll messagesno logging console to disable
VTY (monitor)Offlogging monitor 6
Buffer (RAM)Alllogging buffered debugging
External serverOfflogging 10.0.0.100 + logging trap debugging
Centralized Syslog

logging 10.0.0.100 logging trap debugging logging source-interface Loopback0

Info

Logging synchronous on console/VTY lines reprints your partially typed command on a new line after a syslog message interrupts — essential for lab comfort: line console 0logging synchronous.

Debug vs show: show is a snapshot; debug streams real-time updates (can overwhelm production CPUs). Use terminal monitor on VTY sessions to see debug output remotely.

SNMP

Simple Network Management Protocol (SNMP) lets an NMS (Network Management System) poll or receive traps from managed devices.

ComponentRole
SNMP Manager (NMS)Central server — polls agents, receives traps
SNMP AgentRuns on router/switch — responds to Get, sends Traps
MIBDatabase of OIDs (variables the manager can query)

SNMP versions (exam-critical)

VersionSecurityNotes
SNMPv1Community strings (plaintext)Legacy
SNMPv2cCommunity strings (plaintext)Adds GetBulk; most common in older networks
SNMPv3Auth + encryptionPreferred — noAuthNoPriv, authNoPriv, authPriv
Trap

SNMPv1/v2c community strings act like shared passwords (public ro, private rw). Never use default communities in production. SNMPv3 uses users and groups with optional encryption.

SNMP operations

OperationDirectionPurpose
GetManager → AgentRead a variable
GetNextManager → AgentWalk the MIB tree
GetBulkManager → AgentBulk retrieval (v2c+)
SetManager → AgentChange a variable
TrapAgent → ManagerAsync alert (link down, HSRP change)
InformAgent → ManagerTrap with acknowledgment

UDP ports: Manager queries typically use UDP 161; traps use UDP 162.

SNMPv2c read-only

snmp-server community PUBLIC ro snmp-server location HQ-DC1 snmp-server contact netops@example.com

SNMPv3 (auth + priv)

snmp-server group ADMIN v3 priv snmp-server user snmpuser ADMIN v3 auth sha AuthPass123 priv aes 128 PrivPass123

Syslog vs SNMP

FeatureSyslogSNMP
DirectionDevice pushes eventsManager pulls (Get) or device pushes (Trap)
DetailOften more verbose textStructured OID counters
Set capabilityNoYes (v2c/v3 Set)
Typical useEvent logging, troubleshootingPerformance monitoring, polling

Modern NMS and SIEM platforms ingest both. NMS focuses on network health; SIEM focuses on security events — significant overlap at CCNA awareness level.

Verification commands

Management plane verification

show running-config | section line show ip ssh show users show logging show snmp show ntp status show aaa servers

Exam checklist

TrapCorrect understanding
SSH needs usernameLine passwords alone won't work for SSH
enable secret vs enable passwordSecret wins; password visible in config
SNMPv2c securityCommunity strings are not encrypted
Syslog severity 3Logs 0, 1, 2, and 3
VTY access-classFilters who can connect, not transit traffic
No local AAA fallbackLockout if RADIUS/TACACS+ server is down

Related lessons on this site

Continue in this domain

Security · guide 2 of 3

Sources & further reading

jdepew88 CCNA Notes (markdown)

psaumur CCNA Course Notes

Additional references

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.