When youre looking at a Cisco router configuration, figuring out what the different passwords do can be a little confusing at first. But as I tell all my students, the key to understanding something that looks complex is to break it down to smaller parts.

Having said that, lets take a look at a typical running configuration and then break it down line by line to make sure you understand what each password is doing. This is a must for success on exam day and on the job!

Username r1 password router

Username chris password Bryant

Username david password stimpson

Enable password cisco

Enable secret ccna

Service password-encryption

Line console0

Login

Password passexam

Line vty 0 4

Login

Password ccnp

Theres a lot going on in that little configuration. Working from top to bottom, lets take a look at what each section does.

Username r1 password router

Username chris password Bryant

Username david password stimpson

The username / password combination creates a local database that the router will use to authentication users connecting on your BRI lines, and its also used to authenticate users connecting via telnet!

To use the local database instead of a common VTY password:

Line vty 0 4

Login local

This allows each user to have their own password instead of everyone using the single VTY line password.

Enable password cisco

Enable secret ccna

The enable password and enable secret commands are used to do the same thing protect privileged exec mode, more commonly referred to as enable mode.

Why use both? The enable password is still in use for backwards compatibility. Most routers are configured with both, and theyll probably be different. (This is because the routers going to prompt you for a different password for one if you try to set them both to the same word.)

If we only have one enable mode to protect, but two different passwords, which one should a user enter? The enable secret because the enable secret always has precedence over the enable password. No exceptions. (We dont get to say that very often in Ciscoland, do we? J )

Theres one other major difference. The enable secret is encrypted by default the enable password is displayed in clear text. Actually, all the other passwords you see above will be displayed in clear text by default.

Service password-encryption

This default can be changed by activating a Cisco router service thats off by default. Run the service password-encryption command to encrypt all passwords in your configuration.

Before a user gets to enable mode, though, there may be a password to start working at the console to begin with. This password has to be entered just to get to user exec (assuming the previous user logged out fully and correctly!).

Line console0

Login

Password passexam

Note that there are two commands. You need to enable the password function with the login command, and then set a password. The order in which you enter these two commands does not matter just make sure you enter them both!

Line vty 0 4

Login

Password ccnp

Of course, the VTY lines are used to enable Telnet connectivity and to set a password. Cisco requires a password be set for Telnet access, and this basic configuration will prompt any user for the one single password. This password would apply to all five simultaneous Telnet connections if more than one user were telnetting in at once.

For much more on Telnet, read my tutorial on the subject, found at www.thebryantadvantage.com

To get your CCNA, youve got to be more than ready for password questions. Whether youre asked to set one or troubleshoot an existing configuration on an exam or on the job, these should be second nature to you. And they will be, once you break a configuration like this into smaller parts.

To your success,