路由器命令auto secure用起来比较方便,而且可以关闭一些不安全的服务和启用一些安全的服务 。这里对这个命令做了一个总结 。(注:ios版本为:12.3(1)以上才支持使用)
总结如下:
1、关闭一些全局的不安全服务如下:
Finger
PAD
Small Servers
Bootp
HTTP service
Identification Service
CDP
NTP
Source Routing
2、开启一些全局的安全服务如下:
PassWord-encryption service
Tuning of scheduler interval/allocation
TCP synwait-time
TCP-keepalives-in and tcp-kepalives-out
SPD configuration
No ip unreachables for null 0
3、关闭接口的一些不安全服务如下:
ICMP
Proxy-Arp
Directed Broadcast
Disables MOP service
Disables icmp unreachables
Disables icmp mask reply messages.
4、提供日志安全如下:
Enables sequence numbers & timestamp
Provides a console log
Sets log buffered size
Provides an interactive dialogue to configure the logging server ip address.
5、保护访问路由器如下:
Checks for a banner and provides facility to add text to automatically configure:
Login and password
Transport input & output
【Cisco路由器autosecure命令小结】 Exec-timeout
Local AAA
SSH timeout and ssh authentication-retries to minimum number
Enable only SSH and SCP for Access and file transfer to/from the router
6、保护转发Forwarding Plane
Enables Cisco EXPress Forwarding (CEF) or distributed CEF on the router, when available
Anti-spoofing
Blocks all IANA reserved IP address blocks
;Blocks private address blocks if customer desires
Installs a default route to NULL 0, if a default route is not being used
Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image,
Enables NetFlow on software forwarding platforms
推荐阅读
- 路由器ConsolePort
- 经由EthernetPort登入Cisco6200
- 华为内部资料 路由器配置命令
- 专家答疑:Cisco300个问题全解系列之六
- 在路由器上封闭PP点点通的通讯
- 无法登录无线路由器配置界面解决
- 企业级路由器产品概述
- Cisco IOS MSFC2畸形二层帧远程拒绝服务漏洞
- Cisco路由器交换机Anomaly Guard模块
- Cisco IOS畸形BGP包远程拒绝服务漏洞