Securing the CLI
To display keywords or arguments, enter a question mark in place of a keyword or argument. Include a
space before the question mark. This form of help is called command syntax help because it reminds you
which keywords or arguments are applicable based on the command, keywords, and arguments you have
already entered.
For example:
Router# configure ?
  memory             Configure from NV memory
  network            Configure from a TFTP network host
  overwrite-network  Overwrite NV memory from TFTP network host
  terminal           Configure from the terminal
  <cr>
To redisplay a command you previously entered, press the up arrow key or Ctrl-P. You can continue to
press the up arrow key to see the last 20 commands you entered.
Tip: If you are having trouble entering a command, check the system prompt, and enter the question mark (?)
for a list of available commands. You might be in the wrong command mode or using incorrect syntax.
Enter exit to return to the previous mode. Press Ctrl-Z or enter the end command in any mode to
immediately return to privileged EXEC mode.
Securing the CLI
Securing access to the CLI prevents unauthorized users from viewing configuration settings or making
configuration changes that can disrupt the stability of your network or compromise your network
security. You can create a strong and flexible security scheme for your router by configuring one or more
of these security features:
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
2-6
• Protecting access to privileged EXEC commands
At a minimum, you should configure separate passwords for the user EXEC and privileged EXEC
(enable) IOS command modes. You can further increase the level of security by configuring
username and password pairs to limit access to CLI sessions to specific users. For more information,
see "Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions
on Networking Devices" at this URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_sec_4cli.html
• Controlling switch access with RADIUS, TACACS+, or Kerberos
For a centralized and scalable security scheme, you can require users to be authenticated and
authorized by an external security server running either Remote Authentication Dial-In User Service
(RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), or Kerberos.
For more information about RADIUS, see "Configuring RADIUS" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrad.html
For more information about TACACS+, see "Configuring TACACS+" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scftplus.html
For more information about Kerberos, see "Configuring Kerberos" at this URL:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfkerb.html
• Configuring a secure connection with SSH or HTTPS
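The three items above combined into one IOS configuration fragment, shown as an added example that is not from this guide: a weak line-password scheme first, then a hardened scheme with separate enable and per-user secrets, TACACS+ AAA with local fallback, and SSH/HTTPS-only management. The hostname, domain, server address and all secrets are constructed placeholders, and availability of each command (notably ip ssh version 2 and ip http secure-server) in a given 12.2SX release should be confirmed in the chapters linked above.

```cisco
! Weak scheme (do not use): one shared, reversibly encoded password for
! everyone, Telnet permitted, no per-user identity and no central AAA.
enable password cisco123
line vty 0 4
 password cisco123
 login
 transport input all
!
! Hardened scheme. Router7600, example.net, 192.0.2.10 and the <...>
! secrets are constructed placeholder values, not from the guide.
hostname Router7600
ip domain-name example.net
!
! Separate secrets for privileged EXEC (enable) and for each user;
! 'secret' stores a hash, 'password' only a reversible encoding.
enable secret <ENABLE-SECRET>
username netops privilege 1 secret <USER-SECRET>
service password-encryption
!
! Centralized authentication, authorization and accounting via TACACS+,
! falling back to the local username database only if the server is down.
aaa new-model
tacacs-server host 192.0.2.10 key <TACACS-KEY>
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Encrypted management only: SSHv2 on the VTY lines, HTTPS instead of HTTP.
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
 exec-timeout 10 0
line con 0
 login authentication VTY-AUTH
 exec-timeout 10 0
!
no ip http server
ip http secure-server
ip http authentication aaa
```

Keep a console session open while applying the AAA and VTY lines so a mistyped server key or method list cannot lock you out of the router.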
Chapter 2
Command-Line Interfaces
OL-4266-08