When implementing devices, it is important to follow all security guidelines set by the organization. This includes naming devices in a fashion that allows for easy documentation and tracking, but also maintains some form of security. It is not wise to provide too much information about the use of the device in the hostname. There are many other basic security measures that should be taken.

Additional Password Security

Strong passwords are only as useful as they are secret. There are several steps that can be taken to help ensure that passwords remain secret. Using the global configuration command service password-encryption prevents unauthorized individuals from viewing passwords in plaintext in the configuration file, as shown in the figure. This command causes the encryption of all passwords that are unencrypted.

Additionally, to ensure that all configured passwords are a minimum of a specified length, use the security passwords min-length command in global configuration mode.

Another way hackers learn passwords is simply by brute-force attacks, trying multiple passwords until one works. It is possible to prevent this type of attack by blocking login attempts to the device if a set number of failures occur within a specific amount of time.

Router(config)# login block-for 120 attempts 3 within 60

This command will block login attempts for 120 seconds, if there are three failed login attempts within 60 seconds.


A banner message is similar to a no trespassing sign. They are important in order to be able to prosecute, in a court of law, anyone that accesses the system inappropriately. Be sure banner messages comply with security policies for the organization.

Router(config)# banner motd #message#

Exec Timeout

Another recommendation is setting executive timeouts. By setting the exec timeout, you are telling the Cisco device to automatically disconnect users on a line after they have been idle for the duration of the exec timeout value. Exec timeouts can be configured on console, vty, and aux ports.

Router(config)# line vty 0 4

Router(config-vty)# exec-timeout 10

This command will disconnect users after 10 minutes.