Configuring a console password on a Cisco IOS router is a fundamental security step to prevent unauthorized physical access to the device. Here’s how you do it:
Command Steps:
- Enter Global Configuration Mode: You start by entering the global configuration mode from the privileged EXEC mode.
Cisco CLI
Router> enable Router# configure terminal Router(config)# - Access the Console Line: You need to specify that you are configuring the console line (line 0).
Cisco CLI
Router(config)# line console 0 Router(config-line)# - Set the Password: This command sets the password for console access.
Cisco CLI
Router(config-line)# password <your_console_password>Replace
<your_console_password>with the password you want to set. - Enable Login: This command tells the router to require a password for console access. Without this command, the password won’t be enforced.
Cisco CLI
Router(config-line)# login - Set an Executive Timeout (Optional but Recommended): This command automatically logs out an inactive console session after a specified time. This is good practice to prevent someone from leaving a console session open.
Cisco CLI
Router(config-line)# exec-timeout <minutes> <seconds>Example:
exec-timeout 10 0(logs out after 10 minutes of inactivity) - Exit Configuration Modes:
Cisco CLI
Router(config-line)# exit Router(config)# exit Router# - Save the Configuration: To ensure the password persists after a router reload, you must save the running configuration to the startup configuration.
Cisco CLI
Router# write memoryOr the shorter command:
Cisco CLIRouter# copy running-config startup-config
Example Configuration Script:
Router> enable
Router# configure terminal
Router(config)# line console 0
Router(config-line)# password MyC0ns0leP@ssw0rd!
Router(config-line)# login
Router(config-line)# exec-timeout 10 0
Router(config-line)# exit
Router(config)# exit
Router# write memory
Verification:
To test if the console password is set, save the configuration, and then try to log in to the console again (either by physically disconnecting and reconnecting the console cable, or by reloading the device if it’s a lab environment). You should be prompted for the console password before getting to the user EXEC mode (Router>).
Important Considerations:
- Strong Passwords: Always choose a strong, complex password that combines uppercase and lowercase letters, numbers, and special characters.
- Security: This only protects physical access. For remote access (Telnet/SSH), you need to configure VTY passwords as well.
- “login local” vs. “login”: If you configure local usernames and passwords (e.g., using
username <name> password <password>orusername <name> secret <secret>), you would uselogin localon the line. However, for a simple console password,loginis sufficient.
Checkout all labs available here:
CCNA Labs – CCNA Network Simulator
Cert-Ex™ Network Simulator Practice Lab Exercises:Seting Console Password