
Summary of the Cisco router auto secure command

dn001

The router command auto secure is convenient to use: with one command it disables a number of insecure services and enables a number of security features. This page summarizes what the command does. (Note: it is only supported on IOS version 12.3(1) and later.) It is run from privileged EXEC mode as auto secure, optionally limited to one plane with the management or forwarding keyword; unless no-interact is given it asks a series of questions (for example whether the router is connected to the Internet and which interface faces it), displays the configuration it has generated, and asks for confirmation before applying it to the running configuration. Review that generated configuration before saving it, because disabling services such as CDP, NTP or the HTTP server can break management tooling that depends on them.


The summary is as follows:


1. The following insecure global services are disabled:


Finger


PAD


TCP and UDP small servers


Bootp


HTTP service


Identification service (identd)


CDP


NTP


Source Routing


2. The following global security services are enabled:


Password-encryption service


Tuning of scheduler interval/allocation


TCP synwait-time


TCP keepalives-in and TCP keepalives-out


SPD (Selective Packet Discard) configuration


No ip unreachables on the Null0 interface


3. The following insecure services are disabled on interfaces:


ICMP redirects


Proxy ARP


Directed Broadcast


MOP service


ICMP unreachables


ICMP mask reply messages


4. Logging is secured as follows:


Enables sequence numbers and timestamps on log messages


Provides a console log


Sets log buffered size


Provides an interactive dialogue to configure the logging server ip address.


5. Access to the router is protected as follows:


Checks for a banner, provides a facility to add banner text, and automatically configures:


Login and password


Transport input and output on the lines


Exec-timeout


Local AAA


SSH timeout and SSH authentication-retries set to a minimum


Enables only SSH and SCP for access and file transfer to/from the router


6. The forwarding plane is secured as follows:


Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available


Anti-spoofing access lists on the interface facing the Internet, which:


Block all IANA reserved IP address blocks



;Blocks private address blocks if customer desires


Installs a default route to NULL 0, if a default route is not being used


Configures TCP intercept with a connection-timeout, if the TCP intercept feature is available and the user is interested


Starts an interactive configuration of CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image


Enables NetFlow on software forwarding platforms
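To check that a router actually ends up with the settings listed in sections 1 to 6, the following added example (not part of the original page, not Cisco code, and not what auto secure prints) audits the text of show running-config all against the checklist. The regex-to-item mapping of checklist entries to IOS lines is my approximation of what AutoSecure configures and should be adjusted to the image in use; using show running-config all rather than plain show running-config is assumed so that default settings are echoed and can be matched, and the embedded HARDENED configuration is constructed for the example.

```python
# Added example for this page (not Cisco's code, not what `auto secure` prints): audit the
# text of `show running-config all` (so defaults are echoed) against the AutoSecure list.
# The regex-to-item mapping is an assumed approximation; HARDENED is a constructed sample.
import re

GLOBAL_REQUIRED = (  # one top-level line must match each regex (re.match anchors at start)
    r"no service finger$", r"no service pad$", r"no service tcp-small-servers$",
    r"no service udp-small-servers$", r"no ip bootp server$", r"no ip http server$",
    r"no ip identd$", r"no cdp run$", r"no ip source-route$", r"service password-encryption$",
    r"service tcp-keepalives-in$", r"service tcp-keepalives-out$", r"ip tcp synwait-time \d+$",
    r"service timestamps log datetime", r"service sequence-numbers$", r"logging buffered \d+",
    r"logging console ", r"ip cef$", r"ip ssh authentication-retries [123]$",
)
INTERFACE_REQUIRED = (  # one line under every interface (Null0 only gets 'no ip unreachables')
    r"no ip redirects$", r"no ip proxy-arp$", r"no ip directed-broadcast$",
    r"no mop enabled$", r"no ip unreachables$", r"no ip mask-reply$",
)
VTY_REQUIRED = (r"transport input ssh$",)  # SSH only: no telnet on the vty lines

def parse_config(text):
    """Split IOS config text into top-level lines and indented blocks keyed by header."""
    top, blocks, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):  # '!' separates sections
            current = None
        elif line[0] in " \t":  # indented line belongs to the current block
            if current is not None:
                blocks[current].append(line.strip())
        else:
            top.append(line)
            current = line
            blocks.setdefault(current, [])
    return top, blocks

def missing(required, lines):  # regexes in `required` that no line satisfies
    return [pat for pat in required if not any(re.match(pat, ln) for ln in lines)]

def audit(text):
    """Return {scope: [missing items]}; an empty dict means every check passed."""
    top, blocks = parse_config(text)
    found, gaps = {}, missing(GLOBAL_REQUIRED, top)
    # AutoSecure adds a Null0 default route only when none exists: require *a* default route.
    if not any(re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 ", ln) for ln in top):
        gaps.append("ip route 0.0.0.0 0.0.0.0 <next-hop|Null0>")
    if gaps:
        found["global"] = gaps
    for header, lines in blocks.items():
        if header.startswith("interface "):
            null0 = header == "interface Null0"
            gaps = missing((r"no ip unreachables$",) if null0 else INTERFACE_REQUIRED, lines)
        elif header.startswith("line vty"):
            gaps = missing(VTY_REQUIRED, lines)
            # 'exec-timeout 0 0' switches the idle timeout off, so the value must be non-zero
            timeout = [ln.split()[1:] for ln in lines if ln.startswith("exec-timeout")]
            if not timeout or all(int(v) == 0 for v in timeout[0]):
                gaps.append("exec-timeout <non-zero>")
        else:
            continue
        if gaps:
            found[header] = gaps
    return found

HARDENED = """\
no service pad
no service finger
no service tcp-small-servers
no service udp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging buffered 4096 debugging
logging console critical
no ip bootp server
no ip http server
no ip identd
no cdp run
no ip source-route
ip cef
ip tcp synwait-time 10
ip ssh authentication-retries 2
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip mask-reply
 no mop enabled
interface Null0
 no ip unreachables
ip route 0.0.0.0 0.0.0.0 Null0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""

if __name__ == "__main__":
    print(audit(HARDENED) or "all checks passed")
```

Paste the output of show running-config all into a file and call audit() on its contents: the returned dict is empty when every check passes and otherwise lists, per scope (global, each interface, each vty line range), the expected line that was not found. Presence alone is not enough for the idle timeout, since exec-timeout 0 0 disables it, so that check looks at the value. The SPD, scheduler, TCP intercept, CBAC and anti-spoofing access-list items from sections 2 and 6 are deliberately not covered, because their exact lines depend on the platform and on the answers given during the interactive dialogue.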