The console port/line doesn't require a login by default.
To change this behavior, we add the keyword "login" to the console line and then a password is required before allowing access. The password is added so that we can specify what the required password should be for future console access.
To reverse the process, the "no login" command in line console configuration mode will tell the router/switch that no login is required (even if there is a password configured on the line).
Thanks a lot, Keith, but maybe I didn't explain my question very well. What I meant is that when we want to put a password on the console port, two commands are required (correct me if I'm wrong):
- password ( then the password you want )
then save and exit
However, if I did the opposite, like:
- password ( then the password you want )
it still works perfectly, so what's the point of the (login) command? What is the actual function of it? And how can it be reversible if it has a critical role here? Hopefully I managed to clarify my point.
The reason you need to put in the login command is that it tells the router/switch to ask for the password you have configured. These are 2 separate steps/processes.
If you only configure the password, the router still doesn't know it has to ask for the password when someone connects. So if you leave out the login, someone connecting via SSH will immediately be logged in to the router/switch. That is why you need the login command. You have to tell the router that it has to ask for the password you have configured.
I think Keith has answered your question perfectly. The login command tells the IOS to ask for a password next time you log in. In order to reverse it, you simply type in no login, and that's the purpose of the login command.
Let's say we are going to visit a friend, and our friend told us they were out for a few minutes, and if we got to the house and they weren't home, to just open the door and come in. Our friend also mentioned that there is a key under the door-mat in case the door is locked.
When we show up, we try the door, it isn't locked so we just go in (no key required, although the key was available if needed).
Now, let's apply that analogy to the console of a new router/switch. If we go to line configuration mode for line con 0 (the console port) and say:
That is similar to putting a key under the door-mat, the key is configured (in this case the password). If we logged off from the console and reconnected, the door isn't locked (no key required) by default. If we want to tell the console line that a password is "required" for access (similar to locking the door), we would then go to line con 0 and add the following:
Which means that a "login" which in this case requires the correct password of "cisco" to be used before access is granted.
If we try to configure the "login" command without having a password configured, the router/switch provides feedback, right then and there regarding the problem.
At the end of the day, if we want to provide basic password protection of the console, we would need both commands implemented.
Let me know if that helps.
I just have a tip that I prefer to use myself.
When it comes to logging in to routers and switches remotely, either via SSH or Telnet, in the vty and console sections of the config, try using login local.
The reason for this is, the router/switch checks a local database for a user.
Switch(config)# username test privilege 15 secret cisco
Now the line above says this: create a username in the database (test), set their privilege to privileged mode (15 is the highest), and the password is cisco.
This is the reason why I think this is a better option than creating password cisco under the vty/con line: a password, even with service encryption, isn't very great, and you can't set a vty password as secret (secret being more secure encryption). Therefore, if you set a username using secret rather than password: 1. you will have to provide a username to log in as well as a password. If they have access to the config, secret provides better encryption.
When you utilise this, you do not have to specify a password under vty/con and you also don't have to set an enable password, as they have to log in as a specified user who (in this case) has full privileges over the router/switch.
Hope this helps.
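Added example, not part of any post in this thread: a small Python audit that reads a saved configuration and reports, per line stanza, which of the cases discussed above applies (password without login, login without password, both, or login local). The sample config, the `audit_lines` name and the finding strings are constructed for illustration, and the script assumes that a stanza with no `login` line requires no login, as described for the console above.

```python
import re
# Constructed sample config (not from the thread); the hash is a placeholder.
# Assumption: a stanza with no "login" line requires no login.
SAMPLE_CONFIG = """\
username test privilege 15 secret 5 $1$constructed$placeholder
username ops password 0 cisco
!
line con 0
 password cisco
line aux 0
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login local
"""

def audit_lines(config: str) -> dict:
    """Map each 'line ...' stanza to a finding about its login behaviour."""
    # Only usernames stored with 'secret' count as local users here.
    users_secret = re.findall(r"^username (\S+) .*\bsecret\b", config, re.M)
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = {"password": False, "login": None}
        elif current and raw.startswith(" "):
            cmd = raw.strip()
            if cmd.startswith("password "):
                stanzas[current]["password"] = True
            elif cmd in ("login", "login local"):
                stanzas[current]["login"] = cmd
        else:
            current = None  # any unindented line ends the stanza
    findings = {}
    for name, s in stanzas.items():
        if s["login"] == "login local":
            ok = bool(users_secret)
            findings[name] = "local users" if ok else "login local, no secret user"
        elif s["login"] == "login":
            enforced = s["password"]
            findings[name] = "line password enforced" if enforced else "login without password"
        elif s["password"]:
            findings[name] = "password set but not enforced (no login)"
        else:
            findings[name] = "no login required"
    return findings
```

Calling `audit_lines(SAMPLE_CONFIG)` returns a dictionary keyed by stanza name, so the console entry in the sample shows the "key under the door-mat" case: a password is configured but nothing asks for it.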