by trout
4833 days ago
It's not a 'switch' but rather a failed implementation. As well, this is only protecting people that would have otherwise put their saved passwords into insecure locations - like posting to the internet or insecure internal file shares. For public posting, the command 'show run brief' will take out all certificate and password information, at least for IOS-XE. NX-OS, IOS, and security IOS have options as well; use 'show run ?' to confirm.
Some orgs go to great lengths to segment access to their networking core and establish separation of privileges using AAA, etc. As well, configs can leak out through other means (TAC case, submission to auditors, etc).
Someone who has access to config backups shouldn't be able to bootstrap their privileges by cracking passwords.
In theory "audit our config backups, and fix them up" is a task you can assign to a junior network engineer with a limited account and a copy of RANCID.
Role separation, defense in depth, and all that...
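
An added example, not written by either commenter: a sketch of the "audit our config backups" task, flagging stored credentials by their type digit and producing a redacted copy for sharing. The type-to-risk table follows Cisco's documented type numbers and the ratings are this example's assumption; the sample config and all values in it are constructed.

```python
import re

# Assumption: Cisco's documented type digits for stored credentials;
# the risk labels are this example's own rating.
RISK = {"0": "cleartext", "7": "reversible obfuscation",
        "4": "unsalted single-pass SHA-256", "5": "MD5-crypt (legacy)",
        "8": "ok", "9": "ok"}

# "<anything> password|secret [type-digit] <value>" at end of line.
CRED = re.compile(r"^(?P<head>\s*.*?\b(?:password|secret))"
                  r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$")

def audit(config_text):
    """Return (line_no, type, risk) for each credential line not rated ok."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = CRED.match(line)
        if not m:
            continue
        ctype = m.group("type") or "0"  # no type digit means cleartext
        risk = RISK.get(ctype, "unknown type")
        if risk != "ok":
            findings.append((no, ctype, risk))
    return findings

def redact(config_text):
    """Replace every stored credential value so the copy can leave the team."""
    out = []
    for line in config_text.splitlines():
        m = CRED.match(line)
        if m:
            t = f" {m.group('type')}" if m.group("type") else ""
            line = f"{m.group('head')}{t} <removed>"
        out.append(line)
    return "\n".join(out)

# Constructed sample backup; none of these values are real hashes.
SAMPLE = """\
hostname lab-rtr1
service password-encryption
enable secret 5 $1$CONSTRUCTED$notARealHashValue000000
username ops privilege 15 secret 9 $9$CONSTRUCTED$notARealHash
username audit secret 4 CONSTRUCTEDnotARealHashValue
line vty 0 4
 password 7 000000000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```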