6.2 Router Hardening

The solution to this task includes setting a local username and "login local" on the vty lines. The reason is that without this the feature will not trigger. No where in the DOCCD is this mentioned. (I couldn't find it in both the "command reference" and "configuration guide" on Cisco's site.)

The reason I bring this up is that we are: "not to change the VTY passwords or access methods unless otherwise specified." I think it should be mentioned that we could change the VTY login to local to make the task complete.




  • Agreed i missed out the username but got everything else right. Although at first feeling angry and annoyed that I lost some marks I also remember the words "check everything" and realisd that if I tested this properly then maybe I would have got this. I am not sure if this sort of thing is going to crop up in the exam or not, but a nice little learning curve none the less...

  • Yes, username and Login can easily been missed, done it myself!


    I've noticed that on the Command reference, I couldn't get the "login on-failure" command...it's in the master index...but if you drill down to the actual document I couldn't find it?


    I wanted to see the meaning of the "login on-failure log"   vs login on-failure" scenario....


    The SG specified that log not necesary....but whats the difference in the commands?


    login block-for 300 attempts 10 within 60

    login quiet-mode access-class 3

    login on-failure log





  • Hi JJ,

       Options are: "login on-failure" will generate both an syslog message and an SNMP trap, "login on-failure trap" will generate only SNMP trap, "login on-failure log" will generate only syslog message. All of these, of course, if you have SNMP and syslog properly configured.

    Good luck with your studies!

  • thanks for clarifying Cristian..... make sense


  • Options are: "login on-failure" will generate both an syslog message and an SNMP trap,

    Informative thanks for sharing!!

  • So the question really should clarifiy what 'logged' means i.e. syslog, SNMP or both.

    I took it to mean just 'log' with the 'log' keyword but it would be nice to have these small things picked up and added to the SGs, the WBs etc.


Sign In or Register to comment.