10.4.2 Lab: Secure Access to a Switch
If you've ever walked into a server room and seen a network switch with the default password still intact, you know that sinking feeling. That's exactly what the 10.4.2 lab, Secure Access to a Switch, is designed to prevent. It's one of those hands-on exercises that feels basic, but the concepts here are exactly what separate a network that gets hacked from one that doesn't.
In this lab, you're essentially learning how to lock the front door of a switch before anyone even thinks about trying to get in. Console access, VTY lines, enable passwords, SSH configuration — it all comes together in this exercise. And honestly, if you're studying for any networking certification, this is the kind of skill that shows up on the job far more often than you'd expect.
What Is the 10.4.2 Lab About?
The 10.4.2 lab is a Cisco networking exercise, found in curriculums like CCNA, that walks you through securing management access to a Layer 2 switch. It's not about VLANs or spanning tree here. It's about making sure only authorized people can get into the switch's command line interface, and that they're using secure methods to do it.
Here's what you're typically working with:
- Console line security — setting a password on the physical console port so nobody can just walk up and plug in
- VTY line security — securing the virtual terminal lines that allow Telnet or SSH access
- Enable password/secret — the difference between being able to view the configuration and being able to change it
- SSH vs. Telnet — replacing the insecure Telnet protocol with encrypted SSH for remote management
- Login and login local — requiring authentication before granting any access
The lab usually gives you a topology with a PC connected to a switch, and your job is to configure all these security measures step by step. You'll use the command line interface — no GUI shortcuts here.
Why This Lab Matters in the Real World
Here's the thing: switches are the backbone of just about every network. They connect your computers, your servers, your WiFi access points — everything. If someone can compromise a switch, they can potentially see traffic flowing through it, redirect that traffic, or just shut the whole thing down.
Default configurations on Cisco switches are wide open by design. The manufacturer wants you to be able to get in and configure the device without jumping through hoops. But leaving it that way in production? That's like leaving your house key under the doormat.
The 10.4.2 lab teaches you the absolute minimum you should do before putting any switch into service. It's the baseline: the stuff you do before you even start thinking about VLANs, STP, or any of the more "exciting" networking topics.
How to Complete the 10.4.2 Lab
Let me walk you through what the lab actually involves. I'm going to break it down step by step, the way you'd work through it on real gear or in something like Packet Tracer.
Step 1: Access the Switch and Enter Privileged Exec Mode
You start by connecting to the switch. In a physical lab, that's a console cable from your PC to the switch's console port. In Packet Tracer, you click the PC, go to the Desktop tab, and open Terminal.
Once you're at the Switch> prompt, you need to get into privileged exec mode with the enable command. You'll see the prompt change to Switch#. This is where you can view and change the configuration.
Switch> enable
Switch#
Step 2: Enter Global Configuration Mode
From privileged exec, you enter configuration mode with configure terminal or just conf t. This is where every command you type affects the switch's overall configuration.
Switch# configure terminal
Switch(config)#
Step 3: Secure the Console Line
This is the first real security step. You need to set a password for console access so nobody can just walk up and connect.
Switch(config)# line console 0
Switch(config-line)# password cisco
Switch(config-line)# login
Switch(config-line)# exit
A few things to notice here. The line console 0 command enters console line configuration mode. The password command sets what the user will type when prompted. The login command is what actually forces the switch to ask for that password. Skip the login command, and the switch won't prompt for anything; it just lets you in.
Step 4: Secure the VTY Lines (Telnet/SSH Access)
VTY lines are virtual terminal lines; they're what allow remote access to the switch. By default, Cisco switches have 16 VTY lines (0 through 15). You need to secure these too. Note that the lab configures lines 0 through 4 only; any lines the switch has beyond that range keep their default settings, so on real gear cover all of them with line vty 0 15.
Switch(config)# line vty 0 4
Switch(config-line)# password cisco
Switch(config-line)# login
Switch(config-line)# exit
This is where a lot of people stop in the lab. But here's what most people miss: this configuration only secures Telnet access, and Telnet sends everything in clear text, including that password you just set. Anyone with a packet sniffer can grab it off the network. That's why the next step matters so much.
Step 5: Configure SSH and Disable Telnet
This is where you make the remote access actually secure. SSH encrypts everything, so even if someone intercepts the packets, they can't read the password or any commands you're sending.
First, you need to set a hostname and domain name; SSH requires both for generating its encryption keys.
Switch(config)# hostname Switch1
Switch1(config)# ip domain-name lab.local
Then you generate the SSH key:
Switch1(config)# crypto key generate rsa
The switch will ask about key size. 1024 or 2048 bits is standard for a lab; bigger keys are more secure but slower on older hardware.
Now you configure the VTY lines to accept only SSH:
Switch1(config)# line vty 0 4
Switch1(config-line)# transport input ssh
Switch1(config-line)# login local
Switch1(config-line)# exit
The transport input ssh command restricts access to SSH only — it disables Telnet. The login local command changes things up: now instead of a single shared password, the switch will check against local user accounts you'll create.
Step 6: Create Local User Accounts
With login local configured, you need actual usernames and passwords in the switch's local database.
Switch1(config)# username admin privilege 15 secret AdminPass123!
This creates an admin user with privilege level 15 (full administrative access) and a hashed password. Note that I'm using secret instead of password: secret stores a hash of the password, while the older password keyword stores it in plain text or reversibly encrypted.
Step 7: Set the Enable Secret
There's one more critical password: the one that protects privileged exec mode. This is what stops someone from just typing enable and getting full access to change the configuration.
Switch1(config)# enable secret MyEnablePass
Here's a pro tip: don't use the same password for console, VTY, and enable. Each should be different. That's basic security hygiene.
Step 8: Verify Your Configuration
Now you test everything. Exit out of configuration mode and try to access the switch the way a user would:
- Disconnect and reconnect to the console — it should ask for your console password
- Try to telnet to the switch from another device — it should fail (Telnet is disabled)
- SSH to the switch — it should prompt for username and password
- Enter privileged exec mode — it should ask for the enable password
Switch1# show running-config
This command shows you the entire configuration: the passwords (the enable secret and user secrets appear as hashes, but line passwords set with the password command show in clear text unless service password-encryption is configured), the SSH configuration, and the login settings.
Common Mistakes People Make in This Lab
Let me be honest — this lab is straightforward, but there are a few things that trip people up all the time.
Forgetting the login command. You set a console password, but the switch still lets everyone in without prompting. That's because you skipped login under the line configuration. It happens more than you'd think.
Using Telnet in production. Some students finish the lab with Telnet still working because they didn't configure transport input ssh. Telnet is fine for learning, but never, ever use it on a real network. It's a security risk.
Using weak or default passwords. In a lab, it's easy to just use "cisco" for everything because it's quick. But this lab is supposed to teach you security habits. Use real, strong passwords. Treat it like production.
Not testing everything. A lot of people configure everything, see that it "works," and move on. But they never actually try to SSH in from another device, or never verify that Telnet is actually blocked. Always verify.
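The mistakes above, and the Step 8 checks, can be caught mechanically from saved show running-config text. The following checker is an added example, not part of the lab or of any Cisco tool; the sample config is constructed (placeholder hash, Steps 5 and 7 deliberately done wrong), and the ip ssh version 2 check is a command the lab does not use.

```python
import re

# Constructed sample of show running-config output (not from a real switch): Steps 1-4 done, Telnet left on, enable password instead of enable secret.
SAMPLE_CONFIG = """\
hostname Switch1
ip domain-name lab.local
enable password MyEnablePass
username admin privilege 15 secret 5 $1$PLACEHOLDER$0123456789abcdef
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
"""

def parse_line_blocks(config):
    """Map each 'line ...' block (e.g. 'vty 0 4') to its indented commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # left the line block
    return blocks

def audit(config):
    """Return findings (strings); an empty list means every lab control is present."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable secret missing: privileged exec mode is not protected")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password used: stored reversibly, replace with enable secret")
    if re.search(r"^username \S+.* password ", config, re.M):
        findings.append("username ... password used: not hashed, use the secret keyword")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 missing: SSHv1 may still be negotiated")
    for name, cmds in parse_line_blocks(config).items():
        if not any(c in ("login", "login local") for c in cmds):
            findings.append(f"line {name}: no login, access is granted without a prompt")
        if any(re.fullmatch(r"password (0 )?\S+", c) for c in cmds):  # type 7 is 'password 7 <hex>'
            findings.append(f"line {name}: line password stored in clear text")
        if name.startswith("vty") and "transport input ssh" not in cmds:
            findings.append(f"line {name}: Telnet transport still allowed, set transport input ssh")
    return findings
```

Running audit(SAMPLE_CONFIG) lists seven findings, including one for line vty 5 15, which the lab's line vty 0 4 never touched.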
Practical Tips for Securing Switch Access
If you're putting these skills to use on real equipment — not just a lab — here are a few things worth knowing.
First, consider using AAA with a RADIUS or TACACS+ server instead of local accounts. For larger networks, managing passwords on every device is a nightmare and a security risk. Centralized authentication is the way to go.
Second, think about management VLANs. By default, management traffic (your SSH sessions) uses VLAN 1, which is also the default data VLAN. It's better practice to put management on a separate VLAN that nothing else uses.
Third, restrict which IP addresses can even attempt to connect to the VTY lines. You can use access-class to limit SSH access to specific management stations:
Switch1(config)# line vty 0 4
Switch1(config-line)# access-class 10 in
Then define that access list with the allowed IP addresses.
Fourth, log everything. Configure the switch to send logs to a syslog server. If someone tries to brute force their way in, you want a record of it.
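Tips three and four together, as an added example rather than part of the lab: the standard ACL that access-class refers to, with an explicit logged deny so rejected connection attempts and failed logins both reach the syslog server. The addresses are constructed, and the range line vty 0 15 covers all 16 lines rather than the lab's 0 through 4.

```cisco
! Added example, not from the lab. Management stations and syslog host are constructed addresses.
Switch1(config)# access-list 10 remark management stations only
Switch1(config)# access-list 10 permit host 192.168.10.5
Switch1(config)# access-list 10 permit host 192.168.10.6
Switch1(config)# access-list 10 deny any log
Switch1(config)# line vty 0 15
Switch1(config-line)# access-class 10 in
Switch1(config-line)# transport input ssh
Switch1(config-line)# login local
Switch1(config-line)# exit
! Record failed logins and ship everything to the syslog server
Switch1(config)# login on-failure log
Switch1(config)# logging host 192.168.10.20
Switch1(config)# end
Switch1# show access-lists 10
```

The show access-lists output keeps a hit counter per entry, so a rising count on the deny line is your first sign that something other than a management station is probing the VTY lines.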
FAQ
What's the difference between the enable password and enable secret commands?
The enable secret command stores the password as a hash (MD5 by default on older IOS; newer IOS versions support stronger hash types). The older enable password command stores it in plain text or weakly, reversibly encrypted. Always use enable secret.
Can I use both Telnet and SSH on the same switch?
Technically yes, but you shouldn't. You can configure transport input all on the VTY lines to allow both. But Telnet is insecure, so just don't do it.
What privilege level should I use for regular users?
Privilege level 1 is basic user mode (like what you get before typing enable). Privilege level 15 is full administrative access. You can create intermediate levels, but most organizations just use two: regular users at some level below 15, and admins at 15.
Do I need to save my configuration?
Yes. The running-config is what's currently in memory. When you reboot the switch, it's gone unless you save it to startup-config with the write memory or copy running-config startup-config command.
What if I lock myself out?
This happens. You set a console password, then exit, and realize you don't remember it. The solution is to physically access the switch, reboot it, and during the boot process, press the mode button to enter the switch boot loader mode. From there, you can reset the configuration. It's a pain, but it's the way in. The exact recovery procedure varies by model, so check the documentation for yours.
Wrapping Up
The 10.4.2 lab is one of those foundational exercises that seems simple but teaches you something you'll use every single day in network administration. Securing management access to your switches isn't optional; it's the first thing you do before the switch ever touches a network cable.
The concepts here — console security, VTY lines, SSH, enable passwords, local user accounts — all show up in one form or another on every Cisco exam and every real network you'll manage. Master this lab, and you're building habits that will keep your networks safe.