Is it possible to lock myself out of router/switch access?

Other than forgetting the console or telnet password, Is it possible to set up a router or switch that would lock myself out of it?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Vask3n

Sure, you can lock yourself out using ACLs or by specifying a login method that does not exist (method lists in CCNA: Security).

Here is an example:

Let's say I telnet into R1 from my computer on a LAN segment that connects to R1. Let's say earlier in the day I was creating an ACL to block everyone else in the network from telnetting into R1 right? Well if all I did was specify the deny statement(s) in this ACL, I also implicitly denied myself access as well by virtue of the implicit deny at the end of all ACLs. So in this case it would have been better to explicitly permit myself in the ACL and then implicitly deny everyone else to have avoided locking myself out.

The IT Guy

Configuring your AAA services without first establishing connectivity to your tacacs or radius servers w/ omittance of local database credentials will do the trick. Password recovery will have to be performed unless its been disabled. Then you would have to perform a factory reset at the cost of losing your configs.

workfrom925

Vask3n wrote: »

Sure, you can lock yourself out using ACLs or by specifying a login method that does not exist (method lists in CCNA: Security).

Here is an example:

Let's say I telnet into R1 from my computer on a LAN segment that connects to R1. Let's say earlier in the day I was creating an ACL to block everyone else in the network from telnetting into R1 right? Well if all I did was specify the deny statement(s) in this ACL, I also implicitly denied myself access as well by virtue of the implicit deny at the end of all ACLs. So in this case it would have been better to explicitly permit myself in the ACL and then implicitly deny everyone else to have avoided locking myself out.

In this example, you can still access it by physically being there and log in through the console. Other than forgetting the password, is it likely to block myself from logging in the console accidentally?

NetworkVeteran

In this example, you can still access it by physically being there and log in through the console.

If you have physical access, you can typically remove console passwords by wiping the config from the rommon. It's almost impossible to permanently lock yourself out unless you are really, really trying to do so.