Is it possible to lock myself out of router/switch access?

workfrom925 Member Posts: 196
Other than forgetting the console or telnet password, is it possible to set up a router or switch in a way that would lock myself out of it?

Comments

  • Vask3n Member Posts: 517
    Sure, you can lock yourself out using ACLs or by specifying a login method that does not exist (method lists in CCNA: Security).

    Here is an example:

    Let's say I telnet into R1 from my computer on a LAN segment that connects to R1. Let's say earlier in the day I was creating an ACL to block everyone else in the network from telnetting into R1, right? Well, if all I did was specify the deny statement(s) in this ACL, I also implicitly denied myself access as well by virtue of the implicit deny at the end of all ACLs. So in this case it would have been better to explicitly permit myself in the ACL and then implicitly deny everyone else to have avoided locking myself out.
    Working on MS-ISA at Western Governor's University
  • The IT Guy Member Posts: 43
    Configuring your AAA services without first establishing connectivity to your TACACS or RADIUS servers, with omission of local database credentials, will do the trick. Password recovery will have to be performed unless it's been disabled. Then you would have to perform a factory reset at the cost of losing your configs.
  • workfrom925 Member Posts: 196
    Vask3n wrote:
    Sure, you can lock yourself out using ACLs or by specifying a login method that does not exist (method lists in CCNA: Security).

    Here is an example:

    Let's say I telnet into R1 from my computer on a LAN segment that connects to R1. Let's say earlier in the day I was creating an ACL to block everyone else in the network from telnetting into R1, right? Well, if all I did was specify the deny statement(s) in this ACL, I also implicitly denied myself access as well by virtue of the implicit deny at the end of all ACLs. So in this case it would have been better to explicitly permit myself in the ACL and then implicitly deny everyone else to have avoided locking myself out.

    In this example, you can still access it by physically being there and log in through the console. Other than forgetting the password, is it likely to block myself from logging in through the console accidentally?
  • NetworkVeteran Member Posts: 2,338
    In this example, you can still access it by physically being there and log in through the console.

    If you have physical access, you can typically remove console passwords by wiping the config from the rommon. It's almost impossible to permanently lock yourself out unless you are really, really trying to do so.
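
The ACL lockout from Vask3n's comment can be checked before an ACL is applied to the VTY lines. The following is an added example, not code from the thread: a simplified model of first-match evaluation for a standard (source-only) ACL with the implicit deny at the end. The addresses, the two sample ACLs and the function names are constructed for illustration.

```python
import ipaddress

def parse_acl(text):
    """Parse standard-ACL entries: 'permit|deny any', 'host A', or 'A [wildcard]'."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        action, rest = tok[0], tok[1:]
        if action not in ("permit", "deny") or not rest:
            raise ValueError(f"unsupported ACL line: {line!r}")
        if rest == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def evaluate(entries, source):
    """Return (action, entry number); entry number None means the implicit deny."""
    src = int(ipaddress.IPv4Address(source))
    for n, (action, addr, wild) in enumerate(entries, 1):
        # Wildcard bits set to 1 are "don't care" bits.
        if (src | wild) == (addr | wild):
            return action, n
    return "deny", None  # nothing matched: implicit deny at the end of every ACL

def locked_out(entries, mgmt_hosts):
    """List the management hosts that this ACL would deny."""
    return [h for h in mgmt_hosts if evaluate(entries, h)[0] == "deny"]

ADMIN = "10.0.1.10"  # constructed management workstation address

# Constructed ACL with only deny statements, as in the scenario above.
DENY_ONLY = """
deny 10.0.2.0 0.0.0.255
deny 10.0.3.0 0.0.0.255
"""

# Constructed fix: explicitly permit the admin, let the implicit deny handle the rest.
FIXED = "permit host 10.0.1.10"

if __name__ == "__main__":
    for name, acl in (("deny-only", DENY_ONLY), ("fixed", FIXED)):
        print(name, "locks out:", locked_out(parse_acl(acl), [ADMIN]))
```

An entry number of `None` in the result shows that the admin was dropped by the implicit deny rather than by any line written in the ACL.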