explanation required

Answered Question
May 19th, 2007

Could someone please explain what is written here, especially the paragraph following the commands?

2600A#config t

Enter configuration commands, one per line. End with CNTL/Z.

2600A(config)#line aux 0

2600A(config-line)#login

% Login disabled on line 65, until 'password' is set

2600A(config-line)#

Cisco has begun this process of not letting you set the 'login' command before a password is set on a line because if you set the login command under a line, and then don't set a password, the line won't be usable. And it will prompt for a password that doesn't exist. So this is a good thing - a feature, not a hassle!

scottmac Sat, 05/19/2007 - 05:02

The commands are trying to set the AUX port such that a password is required to log into the router (this is generally a good security thing to do).

The problem is that no password has been set, but the user is trying to tell the router to use a login (default is to just drop you to the command line).

The paragraph is explaining that Cisco is now checking for the existence of a password before permitting you to set a login ... so that you won't accidentally set the router to use login when there is no acceptable password (meaning, you've locked yourself out of the router, at least from the AUX port).

"Line 65" means that there are probably a bunch of serial ports (like a terminal server) or modems installed in this router. Console and AUX are always at the highest line numbers.

Hope this helps

Good Luck

Scott

neerav_kumar Tue, 05/22/2007 - 02:20

You try to telnet into SFRouter from router Corp and receive this message:

Corp#telnet SFRouter

Trying SFRouter (10.0.0.1)...Open

Password required, but none set

[Connection to SFRouter closed by foreign host]

Corp#

Which of the following sequences will address this problem correctly?

A. Corp(config)#line console 0

B. Corp(config-line)#password cisco

C. SFRemote(config)#line console 0

D. SFRemote(config-line)#login

E. SFRemote(config-line)#password cisco

F. Corp(config)#line vty 0 4

G. Corp(config-line)#login

H. Corp(config-line)#password cisco

I. SFRemote(config)#line vty 0 4

J. SFRemote(config-line)#login

K. SFRemote(config-line)#password cisco

According to me the answer to this question should be:

SFRemote(config)#line vty 0 4

SFRemote(config-line)#no login

D. To allow a VTY (Telnet) session into your router, you must set the VTY password. Option C is wrong because it is setting the password on the wrong router. Notice that the answers have you set the login command before you set the password. Remember, Cisco may have you set the password before the login command.

If the book's answer is right then can somebody please elaborate on it?

dgoodridge Tue, 05/22/2007 - 02:32

In the example you've provided the book is correct. However, if Cisco have now added a 'password existence' check to certain IOS releases then they will either get round to amending the book/exams to elaborate (i.e. supplying specific IOS level info) or they'll just make it a multiple choice with no emphasis on getting the commands in the right order.

Unfortunately there are lots of examples of things changing in the real world and overriding examples given in books and exams. The safest bet would be to go with the book answer if the current exam revision and the exam revision referenced by the book match.

Doug

neerav_kumar Tue, 05/22/2007 - 03:24

According to the book....

So what will happen if you try to telnet into a router that doesn't have a VTY password set? You'll receive an error stating that the connection is refused because, well, the password isn't set. So, if you telnet into a router and receive the message

Router#telnet SFRouter

Trying SFRouter (10.0.0.1)...Open

Password required, but none set

[Connection to SFRouter closed by foreign host]

Router#

then the remote router (SFRouter in this example) does not have the VTY (telnet) password set. But you can get around this and tell the router to allow Telnet connections without a password by using the no login command:

Router(config-line)#line vty 0 4

Router(config-line)#no login

So this way the answer should be:

Corp(config)#line vty 0 4

Corp(config-line)#no login

(Sorry, I was wrong initially.)

What I am not able to get is how a person with access to the Corp router (in the question) can configure SFRouter.

dgoodridge Tue, 05/22/2007 - 03:30

I'm not sure I know what you mean.

In the question above the problem is with SFRouter. The solution you provided at the bottom is on Corp, so this wouldn't fix the problem with SFRouter?!?

If you mean, how would you get into the router to configure it without telnet access, then you could use the console or AUX ports.

neerav_kumar Wed, 05/23/2007 - 03:41

How does RIPv1 find subnets and place them in the table? We don't mention anything about the subnets while configuring it.

dgoodridge Wed, 05/23/2007 - 03:48

You do specify the subnets that will associate with the RIP process by using the 'network' command. Your study guides should give you all of the details you need to configure RIPv1 as well as how routes are selected and placed in the route table.

neerav_kumar Wed, 05/23/2007 - 07:21

My study guide is

Sybex CCNA Intro

but it does not say anything about subnets. The only method to configure routers with subnetworks, as given in the book, is:

RIP (v1 and v2), IGRP, and EIGRP use the classful address when configuring the network address. Because of this, when using RIP and IGRP, all subnet masks must be the same on all devices in the network (this is called classful routing). To clarify this, let's say you're using a Class B network address of 172.16.0.0/24 with subnets 172.16.10.0, 172.16.20.0, and 172.16.30.0. You would type in only the classful network address of 172.16.0.0 and let RIP find the subnets and place them in the routing table.

CSCO10892433 Wed, 05/23/2007 - 03:58

Hi, neerav_kumar

The best answer to this question (the vty question) is getting two real routers and testing each option. Believe what the router tells you, not the book.

my 2-cent

SSLIN

dgoodridge Wed, 05/23/2007 - 04:05

This is true in terms of real life, however be wary of any exam type questions relating to this as they will no doubt stick to what has already been published if the exam codes/revision haven't been incremented.

neerav_kumar Sat, 06/09/2007 - 17:02

I am not able to understand the use of the break command, what it does and how it is implemented. Someone please elaborate on it.

neerav_kumar Sat, 06/09/2007 - 20:09

What I want to ask is how to implement the following statement:

Boot the router and interrupt the boot sequence by performing a break, which will take the router into ROM monitor mode.

In the router sim that I have there is no such option, i.e. when I give the command to reload it immediately goes back to the following state

Router>

Upon using the break command (Ctrl^Z) nothing happens. So how to perform password recovery?

scottmac Sat, 06/09/2007 - 23:28

Ctrl-Z is not a break.

The break key (on English keyboards) is under the pause key in the top right "corner." CTRL-C is also a break to many systems.

CTRL-Z is used to escape back to the enable prompt from config mode (the word "exit" will take you back one level at a time).

Good Luck

Scott

neerav_kumar Thu, 06/14/2007 - 19:59

On a Cisco 2500 router the 2 serial links are used for WAN connection, the AUI link is used for Ethernet connection, then what are the console and the auxiliary ports used for? Are they only used for configuring or do they also play a role in data transfer?

Michael Stuckey Fri, 06/15/2007 - 02:59

The console and AUX ports are used mainly for support of the router to get in directly and configure the router. The console port will let you get directly to the root level of the IOS without first having to wait for the unit to boot up. The Aux port will only give you access after the router has booted up completely.

Initially the console was built for direct connection and the aux was built to have a modem attached.

A modem can actually be connected to the console port if configured properly.

The reason for the difference is mainly for security. If you reboot the router you can break into it through the console port. If you reboot the router and are attached to the aux port you are locked out until the router has completed the bootup process thus not giving you the opportunity to cause an interrupt to the IOS to hack the configuration.

If this has helped please rate.

Mike

Correct Answer
Wilson Samuel Fri, 06/15/2007 - 05:56

Hi Neerav,

I guess you might have got the answer, however if not, I'm sure you will get the answer by this post.

Simply put this way:

1. Console was actually designed to access the router when you are the admin/owner of the router and it's in your physical custody. Hence you never need to configure Login and Password for the same!

2. Aux Port was designed to access the Router using a Modem and a Phone Line, for instance you are at home and you wanted to do some modifications (NOT TO START FROM SCRATCH) to an existing router, and if the Modem is Connected to Aux Port and configured, one can access it and configure the same.

However this gives a potential drawback if there is NO Compulsion for Authentication (read username and/or password), imagine somebody knowing the phone number and dialing into it from a rogue country, and rebooting or erasing your config????

Hence to provide security, the first thing is that AUX and VTY PORTS MUST BE CONFIGURED WITH LOGIN AND PASSWORD COMMANDS or else it's inaccessible.

I hope you got the message.

Secondly, regarding lines, always remember that Cisco routers always treat all TTY and VTY connections as lines, starting from Line 0 and Line 1 which are reserved for Con0 and Aux0 and then any other Async Ports in the Router and then finally for VTY 0 - 15 (in old routers it's VTY 0 - 4).

I hope it shall be helpful.

If helpful, please rate.

Kind Regards,

Wilson Samuel
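
Added example (not part of any post in this thread, and not Cisco code): a small Python audit of the `line` stanzas in a saved running-config, reporting the three states discussed above: `login` with a password, `login` with no password (the "Password required, but none set" case), and `no login`. The sample config is constructed, the status names are this example's own, and it assumes a stanza with no `login` command gives no password prompt.

```python
import re

# Constructed running-config fragment for illustration (not from the thread).
SAMPLE_CONFIG = """\
line con 0
line aux 0
 login
line vty 0 4
 no login
line vty 5 15
 password cisco
 login
!
"""

LINE_RE = re.compile(r"^line\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_lines(config):
    """Return [(name, [child commands])] for every 'line ...' stanza."""
    stanzas, current = [], None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            name = " ".join(p for p in m.groups() if p is not None)
            current = (name, [])
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())  # indented = belongs to stanza
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas

def classify(children):
    """Map a stanza's commands to the login behaviour the thread describes."""
    has_password = any(c.startswith("password ") for c in children)
    if "login" in children:
        # 'login' checks the line password; with none set the line refuses
        # sessions ("Password required, but none set").
        return "password" if has_password else "unusable"
    if any(c.startswith("login ") for c in children):
        return "other-auth"  # e.g. 'login local'; line password not used
    return "open"  # assumption: 'no login' or no login command = no prompt

def audit(config):
    return {name: classify(ch) for name, ch in parse_lines(config)}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"line {name}: {status}")
```

An `open` result on an AUX or VTY line is the unauthenticated dial-in or Telnet exposure described in the post above, and `unusable` is the lock-out the newer IOS check prevents.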

neerav_kumar Fri, 06/15/2007 - 21:35

Hi Samuel-Wilson. Your posts really help clear the doubts. Just wanted to say thanks for that.

neerav_kumar Sun, 06/17/2007 - 02:13

In dynamic routing why does the router have to advertise to the LAN also, i.e. when we are configuring a dynamic routing protocol we also add the LAN address to it? There is no router on the LAN.

Router(config-router)#network 20.5.30.0

Router(config-router)#network 20.5.40.0

where 20.5.30.0 is the address of the LAN and 20.5.40.0 is the address of the WAN link.

neerav_kumar Tue, 06/19/2007 - 04:39

If the enable mode passwords are not set then is it possible that a person trying to telnet into the router, after entering into user mode on the router, will receive the following message?

2501B>en

% No password set

2501B>

Or if the enable mode password is not set then will he be given access to the privileged mode?
