This guide is designed to get better performance and security out of any Cisco device running IOS.
It is assumed that the reader has some knowledge of configuring Cisco IOS devices.
The first things that need to be configured should be the following...
By default the log timestamps are based on uptime, which makes it impossible to correlate a device's log with anything else. Switch them to datetime; note that without the localtime keyword the stamps are written in UTC, not local time, so set the clock and timezone on the device as well.
Service password-encryption obscures passwords that would otherwise sit in cleartext in the configuration (by default they are not encrypted at all). It is the reversible Type 7 scheme, not a hash: it stops someone reading the password off a screen or printout, but anyone holding a copy of the configuration can recover the originals in seconds.
Other things to configure...
For earlier versions of IOS
For later versions of IOS
Whether the settings above are already the default depends on the IOS version; on IOS 12.3 they all are. Nonetheless, enter them all to be sure.
Because service password-encryption is reversible, it is highly recommended to use secret rather than password wherever it is offered: secret stores a salted MD5 hash (Type 5) rather than an encrypted copy, so the original cannot be recovered from the configuration. The privileged password (enable secret) has had this option for a long time, and from some releases of IOS 12.2 onward usernames also accept secret in place of password.
Create some local users. Use "secret" if your IOS supports it, otherwise fall back to "password".
Let's get authentication underway
Older RADIUS/TACACS+ Logins
Newer RADIUS/TACACS+ Logins
This configuration applies the default AAA method list to every line, so telnet (VTY) and console access work without separately configuring line con 0, line aux 0, or line vty 0 x. The alternative is to set a password on each of those lines individually.
It is always a good idea to include local as a fallback method when authenticating against TACACS+ or RADIUS. If you don't, and the server fails or cannot be reached from the Cisco device, you will be locked out. Note that IOS only falls through to the next method when the server is unreachable (an error), not when the server rejects the login, so adding local does not let a user who fails TACACS+/RADIUS retry against the local database.
Depending on the device, it will allow either 5 or 16 VTY sessions. Routers normally default to 5 (line vty 0 4), whereas Catalyst switches default to 16 (line vty 0 15). The best way to find out is to do the following...
In this example there are 5 VTY sessions (0-4). With the following examples, we will work with 5 VTY sessions.
Access to the VTY lines is controlled with access-lists, applied to the lines with access-class; both named and numbered access-lists can be used. Numbered access-lists can be standard (1-99), extended (100-199), or in the expanded ranges (1300-1999 standard, 2000-2699 extended). Named access-lists are not supported on all IOS images.
On more recent versions of IOS, remark is available alongside permit and deny; it adds a comment to the access-list and filters nothing. If your IOS version supports remark, it is worth using it to record why each entry exists; if not, so be it.