8.1.1 - Console | CCIE Docs

IOS offers interactive device management through the following ports and lines:

TTY Lines
- AUX
- Console
VTY Lines
- Telnet
- SSH
- rlogin

AUX and console are asynchronous ports. AUX is typically used for dial-in access. If you are not using the AUX ports it is a good idea to disable it to prevent unauthorized access.

R1(config)# line aux 0
R1(config-line)# no exec
R1(config-line)# transport input non
R1(config-line)# transport output none
R1(config-line)# exec timeout 0 1
R1(config-line)# no password

Interactive access via a console port is directly accessible by a local user or remotely accessible through the use of a terminal or console server.

The settings for a terminal session to the console are as follows:

Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: None

Of course, console access is a safeguard against many issues, so a local access should always be allowed, either directly or as a fallback on an AAA authentication policy.

The typical console configuration settings might look like this:

R1(config)# service password-encryption
R1(config)# aaa authentication login CONSOLE group tacacs+ line local
R1(config)# username BOB password CISCO
R1(config)# enable secret CISCOSECRET
R1(config)# line con 0
R1(config-line)# login authentication CONSOLE
R1(config-line)# password CISCO
R1(config-line)# exec-timeout 0 0
R1(config-line)# end

There are ways to recove a lost router password if you have console access. You can disable that ability for security purposes with the following line:

R1(config)# no service password-recovery

It is recommended that you store an offline copy of the configuration file if you disable password recovery.

Another useful setting is to ensure that you reserve memory for console access. This is incredibly useful should a router become overloaded due to misconfiguration or a malicious attach.

R1(config)# memory reserve console 4096

Another console setting you may need to adjust is console logging. When using terminal monitor, log messages are sent to the console. Unfortunately, thsi adds a heavy load to the device’s main CPU. To disable this behavior and only log to a log file, use these commands:

R1(config)# no logging console
R1(config)# no logging monitor

One trick that I need to do more research on is a tweak to speed up the display of show running-config. The global configuration command parser config cache interface caches the NVGEN process and speeds up the display. On VIRL, this command cut the output time in half, from 16 seconds to below 8 seconds!

Preventing Packet Spoofing with uRPF SNMP Traps & Informs