(config)#auto secure
Configure IP Access-List
port security
(config-if)#switchport port-security
-> enable switchport security, and applied all the default values.
(config-if)#switchport port-security maximum 1
-> allow only 1 mac address
(config-if)#switchport port-security mac-address sticky
-> only use the first learned MAC address
(config-if)#switchport port-security violation [protect | restrict | shutdown]
-> default: shutdown
-> protect: only allow traffic from the secure port and drop packets from other MAC
-> restrict: alert admin
#debug ip packet detail access-list-num
(config)#access-list 102 permit udp any any eq rip
-> permit Routing Information Protocol (RIP):
(config)#access-list 102 permit igrp any any
-> permit Interior Gateway Routing Protocol (IGRP):
(config)#access-list 102 permit eigrp any any
-> permit Enhanced IGRP (EIGRP):
(config)#access-list 102 permit ospf any any
->allow Open Shortest Path First (OSPF):
(config)#access-list 102 permit tcp any any eq 179
->permit Border Gateway Protocol (BGP):
Configure SSH:
(config)#ip domain-name mydomain.com
(config)#crypto key generate rsa
(config)#ip ssh version 2
(config)#ip ssh time-out 120
(config)#ip ssh authentication-retries 3
(config)#line vty 0 15
(config-ine)#transport input SSH
-> ssh only, disable telnet
DHCP snooping:
(config)#ip dhcp snooping [vlan number 99]
(config-if)#ip dhcp snooping trust
(config)#ip dhcp snooping limit rate 10
(config)#no ip http server
(config)#access-list my_list_num permit my_ip_address
(config)#access-list my_list_num deny any
(config)#line vty 0 4
(config-line)#access-list my_access_list_num in
(config-line)#exec-timeout 5 0
-> line times out 5 minutes + 0 seconds
(config-line)#privilege level 12
-> level 15 (1111) is highest.
(config)#ip http access-class my_access_list_num
>> allows only my_ip_address to access vty lines.
(config)#access-list 123 ip permit host my_manager_ip host current_router_hostname
(config)#access-list 123 deny ip any any
>> encrypt traffic to the manage station, not encrypt (deny) traffic to all other IPs.
(config)#crypto ipsec transform-set my_transform_name ah-md5-hmac esp-des
(config)#crypto map my_map policy_id ipsec-isakmp
(config-crypto-map)#set peer manage_ip
(config-crypto-map)#set transform-set my_transform_name
(config-crypto-map)#match address 123
(config)#int s0/1
(config-if)#crypto map my_map
(config)#ip http authentication [enable | local | tacacs | aaa]
(config)#crypto isakmp policy policy_num
>> create a security policy #
(config-isakmp)#authentication pre-share
(config)#username jdoe privilege 5 [password joes_passwd]
(config)#privilege exec level 2 clear line
(config)#privilege exec level 10 telnet
(config)#privilege exec level 10 debug
(config)#privilege exec level 15 show access-lists
(config)#privilege exec level 15 show logging
--> only level 15 can see logging
==> enable moves up level to 15
#disable 2
--> move down to level 2
AAA - authentication, authorization, accounting
(config)#aaa new-model
(config)#aaa authentication login default local
(config)#line vty 0 4
(config-line)#login authentication default
(config)#tacacs-server host x.x.x.x
(config)#tacacs-server key my_tkey
--> apply default aaa authentication to each telnet line
(config)#aaa authentication login default group tacacs+ local
--> use tacacs+ server first, if unreachable, use local login password
(config)#aaa authentication enable default group tacacs+ enable
(config)#ip http authentication aaa
(config)#aaa authorization exec default group tacacs+ if-authenticated
(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
--> allow authenticated users to run any command at their current level
(config)#radius-server host y.y.y.y
(config)#radius-server key my_rkey
(config)#aaa authentication loging default group radius local
(config)#aaa authentication enable default group radius enable
(config)#line con 0
(config-line)#login authentication default
(config)#kerberos local-realm my_kserver.com
(config)#kerberos server my_kserver.com my_k_ip
(config)#kerberos srvtab remote my_k_ip srvtab-filename
(config)#kerberos credentials forward
(config)#aaa authentication login default krb5 local
(config)#line vty 0 4
(config-line)#login authentication default
(config)#key chain myKeyName
(config-keychain)#key 1
(config-keychain)#key-string xxx
(config)#interface s0/0/0
(config-if)#ip authentication mode eigrp 1 md5
(config-if)#ip authentication key-chain eigrp 1 myKeyName
(config)#interface s0/0/1
(config-if)#ip ospf message-digest-key 1 md5 mykey
(config-if)#ip ospf authentication message-digest
(config)#router ospf autonomous_num
(config-router)#area 0 authentication message-digest
(config)#access-list 16 permit x.y.0.0 0.0.255.255
(config)#access-list 16 deny any
(config)#interface s0/0
(config-if)#ip access-group 16 out
(config-if)#no ip redirects
(config-if)#no ip directed-broadcast
(config-if)#no ip mask-reply
(config-if)#no ip unreachables
(config-if)#no ip proxy-arp
(config-if)#no cdp enable
(config-if)#ip verify unicast reverse-path
(config-if)#ntp disable
(config-if)#ip access-group 101 in
(config-if)#ip access-group 102 out
(config)#ntp authenticate
(config)#ntp authentication-key 12 md5 mykey
(config)#ntp trusted-key 12
(config)#ntp server x.x.y.y key 12
(config)#logging console
(config)#logging on
(config)#logging buffered 32000
--> 32000 byte logging buffer
(config)#logging trap debugging
(config)#logging x.y.z.b
--> output syslog to a network device.
Saturday, May 15, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment