.使用Router與Switch安全網(wǎng)絡(luò)

1、銳捷平安專項(xiàng)認(rèn)證課程銳捷平安專項(xiàng)認(rèn)證課程- -使用使用RouterRouter與與SwitchSwitch平安網(wǎng)絡(luò)平安網(wǎng)絡(luò)Console口口(RJ45)AUX口連接撥口連接撥號(hào)網(wǎng)絡(luò)號(hào)網(wǎng)絡(luò) no service dhcp Router(config)#no ip domain-lookup Router(config)#ip host name ip-addressno ip unreachables Router(config-if)#no ip server / no enable services web-serverRouter/Switch(config)#no ip mask-rep

2、lyRouter(config-if)#no snmp-server / no enable services snmp-agentRouter/Switch(config)#no ip source-routeRouter(config)#shutdown Router(config-if)#no ip proxy-arpRouter(config-if)#line console 0line vty begin endRouter(config)#exec-timeout minutes secondsRouter(config-line)#login localpassword pass

3、wordline vty begin endRouter(config)#access-class acl-number inRouter(config-line)#service tcp-keepalives-in secondsRouter(config)#enable password | secret level level passwordRouter(config)#username username privilege level password passwordRouter(config)#banner motd bannerRouter(config)#enable ser

4、vices ssh-serverSwitch(config)#ip ssh version 1 | 2Switch(config)#snmp-server community string view viewname ro | rw acl-numberRouter(config)#snmp-server host ip-address traps version 1 | 2 string notification-typeRouter(config)#snmp-server enable traps notification-typeRouter(config)#snmp-server gr

5、oup name v3 auth | noauth | priv read readview write writeviewRouter(config)#snmp-server user username groupname v3 encrypted auth md5 | sha password priv des56 passwordRouter(config)#snmp-server host ip-address trap version 3 auth | noauth | privcommunity-stringRouter(config)#logging ip-addressRout

6、er(config)#logging trap levelRouter(config)#service timestamps log | debug uptime | datetimeRouter(config)#service sequence-numbersRouter(config)#logging buffered buffer-size | level Router(config)#logging file flash:filename max-file-size levelRouter(config)#show loggingRouter#clear loggingRouter#l

7、ogging onRouter(config)#擴(kuò)展ACL：報(bào)文過濾詳細(xì)的語句放在前面，默認(rèn)的deny anyip icmp rate-limit unreachables millisecondsRouter(config)#rate-limit input | output access-group number bps burst-normal burst-max conform-action transmit exceed-action dropRouter(config-if)#key chain nameRouter(config)#key key-idRouter(config-

8、keychain)#key-string keyRouter(config-keychian-key)#ip rip authentication mode text | md5Router(config-if)#ip rip authentication key-chain nameRouter(config-if)#area area-id authentication message-digestRouter(config-router)#ip ospf authentication message-digest | nullRouter(config-if)#ip ospf authe

9、ntication-key keyRouter(config-if)#ip ospf message-digest-key key-id md5 keyRouter(config-if)#作防止環(huán)路spanning-tree portfastSwitch(config-if)#spanning-tree portfast disableSwitch(config-if)#spanning-tree portfast defaultSwitch(config)#show spanning-tree interface interfaceSwitch#spanning-tree portfast

10、bpduguard defaultSwitch(config)#spanning-tree bpduguard enable | disable Switch(config-if)#show spanning-tree interface interfaceSwitch#spanning-tree portfast bpdufilter defaultSwitch(config)#spanning-tree bpdufilter enable | disable Switch(config-if)#show spanning-tree interface interfaceSwitch#mac

11、 access-list extended name | access-list-number Switch(config)# permit | deny any | host source-mac-address any | host destination-mac-address ethernet-type time-range time-range-name Switch(config-ext-macl)#mac access-group name | access-list-number in | out Switch(config-if)#switchport protectedSw

12、itch(config-if)#show interface switchportSwitch#storm-control unicast | multicast | broadcast Switch(config-if)#storm-control unicast | multicast | broadcast Switch(config-if)#show storm-control interface Switch#system-guard enableSwitch(config-if)#system-guard scan-dest-ip-attack-packets ppsSwitch(

13、config-if)#system-guard same-dest-ip-attack-packets ppsSwitch(config-if)#system-guard isolate-time secondsSwitch(config-if)#system-guard detect-maxnum numberSwitch(config)#system-guard exception-ip network/mask-lengthSwitch(config)#show system-guard interface interface Switch#show system-guard detec

14、t-ip interface interface Switch#show system-guard isolate-ip interface interface Switch#show system-guard exception-ipSwitch#clear system-guard interface interface Switch#switchport port-securitySwitch(config-if)#switchport port-security maximum numberSwitch(config-if)#switchport port-security mac-a

15、ddress mac-addressSwitch(config-if)#switchport port-security aging time time | static Switch(config-if)#switchport port-security violation protect | restrict | shutdown Switch(config-if)#errdisable recoverySwitch(config)#errdisable recovery interval timeSwitch(config)#show port-securitySwitch#port-s

16、ecurity arp-checkSwitch(config)#switchport port-securitySwitch(config-if)#switchport port-security mac-address mac-address ip-address ip-addressSwitch(config-if)#show port-security arp-checkSwitch#ip dhcp snoopingSwitch(config)#ip dhcp snooping trustSwitch(config-if)#ip dhcp snooping binding mac-add

17、ress vlan vlan-id ip ip-address interface interfaceSwitch(config)#ip dhcp snooping database write-to-flashSwitch(config)#ip dhcp snooping database write-delay secondsSwitch(config)#ip dhcp snooping verify mac-addressSwitch(config)#show ip dhcp snoopingSwitch#show ip dhcp snooping bindingSwitch#clear ip dhcp snooping bindingSwitch#檢查所有收到的ARP報(bào)文ip dhcp snoopingSwitch(config)#ip dhcp snooping trustSwitch(config-if)#ip arp inspectionSwitch(config)#ip arp ins