[c-nsp] can I know what is this command issue and want to learn about cisco best practice

Rich Davies rich.davies at gmail.com
Fri Oct 17 15:39:13 EDT 2008


kcc,

Best practice would be to set up an authentication server (TACACS/RADIUS) and
point your gear to that for your AAA, then set up a failsafe userid so that when
the device cannot talk to the authentication server you still have a backup
account.   Having an auth server is great because you can manage users in 1
place (much easier for long-term administration).  In addition to managing
the user accounts you can get accounting logs which will provide you
tracking for what commands/config changes that user makes.

Also you should consider using level 5 encryption on your userids versus
level 7.   Level 5 password encryption uses an MD5 hash (stronger) whereas
level 7 passwords can be easily broken.

Example:

username test secret mypassword

Using the "secret" option versus "password" will cause it to use the
stronger encryption (MD5).

Another thing regarding best practices - your privilege level in your
example is 15:

> cisco6513(config)#username peter privilege 15 password 7 peterpassword

Do you want that userid to have level 15 access immediately?  You could skip
specifying a privilege level and have an "enable secret" setup which would
require the user to enter a second password (enable) before being granted
FULL level 15 access.  Having multiple levels of passwords is stronger
security versus 1 password then full access (depends on your security needs
really).

Also regarding best practices you should setup a syslog server to start
logging your devices to it.  Makes it much easier to track/troubleshoot an
issue (and be able to pull that data long term i.e., a year or so after the
event happened...)


-Rich
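As an added example (not from the thread, and not Cisco's own tooling), a small Python audit that reads a saved IOS config and flags the points Rich raises: userids defined with "password" instead of "secret", a malformed type 7 string like the one in kcc's command, privilege 15 at login with no "enable secret", and a missing AAA server or syslog host. The sample config and its hash values are constructed placeholders.

```python
import re

# Constructed sample IOS config (placeholder hashes, not real secrets).
SAMPLE_CONFIG = """\
hostname cisco6513
username peter privilege 15 password 0 peterpassword
username bob privilege 15 password 7 peterpassword
username test secret 5 $1$abcd$PLACEHOLDERHASH
enable secret 5 $1$efgh$PLACEHOLDERHASH
line vty 0 4
 login local
"""

# username <name> [privilege N] password|secret [type] <value>
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? (password|secret) (?:(\d) )?(\S+)")


def audit_config(text):
    """Return (severity, message) findings against the thread's advice."""
    findings = []
    lines = text.splitlines()
    has_enable_secret = any(l.startswith("enable secret") for l in lines)
    for line in lines:
        m = USER_RE.match(line)
        if not m:
            continue
        user, priv, kind, ptype, value = m.groups()
        if kind == "password":  # type 0/7 instead of the MD5-based secret
            findings.append(("high", f"user {user}: uses 'password'; use 'secret' instead"))
        # A type 7 string must be an even-length hex string; IOS rejects
        # anything else with "Invalid encrypted password".
        if ptype == "7" and (len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value)):
            findings.append(("info", f"user {user}: '{value}' is not a valid type 7 string"))
        if priv == "15" and not has_enable_secret:
            findings.append(("medium", f"user {user}: privilege 15 at login, no 'enable secret'"))
    if not any(l.startswith("aaa new-model") for l in lines):
        findings.append(("medium", "no 'aaa new-model': no TACACS+/RADIUS AAA configured"))
    if not any(re.match(r"^logging (?:host )?\d+\.", l) for l in lines):
        findings.append(("medium", "no syslog host configured ('logging host ...')"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```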




On Fri, Oct 17, 2008 at 3:15 PM, kcc <peterkcc2001 at gmail.com> wrote:

> Thank you so much. Good learning for me
> Is there any best practice tip also?
> I heard some AAA model, but I don't know exactly
>
> Thank you
>
>
> On Fri, Oct 17, 2008 at 2:30 PM, Stephen Kratzer <kratzers at pa.net> wrote:
>
> > On Friday 17 October 2008 13:28:35 kcc wrote:
> > > > Hi all
> > > >
> > > > I am new in cisco
> > > >
> > > > 1/ Can I know what is this command issue?
> > > >
> > > > cisco6513(config)#username peter privilege 15 password 7 peterpassword
> > > > Invalid encrypted password: peterpassword
> >
> > This command is invalid because the string 'peterpassword' is plaintext.
> > Change the 7 to 0.
> >
> > > > 2/ I want to learn about best practice when doing the cisco config?
> > > > eg:
> > > > I heard it is better to issue command "eg: shutdown xx sec" when doing
> > > > the remote configure critical routes
> > > > it can avoid the lost connection. the router can reload the startup
> > > > config even though loss the connection
> >
> > If you are making changes that could potentially cause loss of remote
> > connectivity, and you do not have physical access to the box, it is best
> > practice to issue 'reload in x' where x is the minutes until reload. You want
> > to ensure that x is long enough to make and verify your changes but short
> > enough not to cause extended downtime if you make a mistake. Five to ten
> > minutes is usually good for us. And remember to issue 'reload cancel' if your
> > changes are made successfully.
> >
> > > > Thank you for your help
> >
> >

