
Configuring Secure Administrative Access

Router(config)#enable secret password

Router(config)#security password min-length length
Router(config)#service password-encryption (reversible obfuscation of plaintext passwords only; prefer the secret forms where available)
Router(config-line)#exec-timeout minutes [seconds]
Router(config)#username name password password
Router(config)#username name secret password
Configuring Enhanced Security for Virtual Logins
Router(config)#login block-for seconds attempts tries within seconds
Router(config)#login quiet-mode access-class {acl-number | acl-name}
Router(config)#login delay seconds
Router(config)#login on-failure log [every login]
Router(config)#login on-success log [every login]
Router(config)#banner {exec | incoming | login | motd | slip-ppp} # message #
R1#config t
R1(config)#username ADMIN secret cisco12345
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#exec-timeout 3 0
R1(config)#login block-for 15 attempts 3 within 60
R1(config)#ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)#permit 192.168.10.10
R1(config-std-nacl)#permit 192.168.11.10
R1(config)#login quiet-mode access-class PERMIT-ADMIN
R1(config)#login delay 10
R1(config)#login on-failure log
R1(config)#login on-success log
Configuring SSH
Router(config)#ip domain-name domain-name
Router(config)#hostname name
Router(config)#crypto key generate rsa
Router#show crypto key mypubkey rsa
Router(config)#crypto key zeroize rsa
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
Router(config-line)#login local
Router(config)#ip ssh version 2
Router(config)#ip ssh authentication-retries integer
Router(config)#ip ssh time-out seconds
Router#show ip ssh
Router#show ssh
Configuring Privilege Level
Router(config)#privilege mode {level level command | reset command}
Router(config)#enable secret level level password
Router(config)#username name privilege level level secret password
Router#show privilege
Router>enable 5
R1#config t
R1(config)#username USER privilege level 1 secret cisco12345
R1(config)#privilege exec level 5 ping
R1(config)#enable secret level 5 cisco5
R1(config)#username SUPPORT privilege 5 secret cisco5
R1(config)#privilege exec level 10 reload
R1(config)#enable secret level 10 cisco10
R1(config)#username JR-ADMIN privilege level 10 secret cisco10
R1(config)#username ADMIN privilege level 15 secret cisco
Configuring Role-based CLI Access
Router(config)#aaa new-model
Router(config)#enable secret password
Router#enable view {root}
Router#config t
Router(config)#parser view view-name
Router(config-view)#secret password
Router(config-view)#command parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Router(config)#parser view view-name superview
Router(config-view)#secret password
Router(config-view)#view view-name
R1(config)#parser view SHOWVIEW
R1(config-view)#secret cisco12345
R1(config-view)#command exec include show
R1(config)#parser view VERIFY
R1(config-view)#secret cisco321
R1(config-view)#command exec include ping
R1(config)#parser view REBOOTVIEW
R1(config-view)#secret cisco5
R1(config-view)#command exec include reload
R1(config)#parser view SUPPORT superview
R1(config-view)#secret cisco135
R1(config-view)#view SHOWVIEW
R1(config-view)#view VERIFY
R1#enable view SUPPORT
R1#show parser view all
Securing the Cisco IOS Image and Configuration files

R1#secure boot-image
R1#secure boot-config
R1#show secure bootset
R1#boot filename
R1#secure boot-config restore filename
Syslog – NTP – SNMP
Router(config)#logging ip
Router(config)#logging on
Router(config)#logging source-interface interface-name
Router(config)#logging trap level
Router(config)#service timestamps log datetime msec
Router(config)#snmp-server community string {ro | rw}
0 emergencies
1 alerts
2 critical
3 errors
4 warning
5 notification
6 informational
7 debugging
Router(config)#ntp master [stratum]
Router(config)#ntp server {ip-address | hostname} [version number] [key key-id] [source interface] [prefer]
Router(config)#ntp broadcast client
Router(config)#ntp update-calendar
Router(config)#ntp authenticate
Router(config)#ntp authentication-key key-number md5 key-value
Router(config)#ntp trusted-key key-number
Router#show clock
Router#show ntp
Router#show ntp associations detail
Router(config)#aaa new-model
Router(config)#aaa authentication login {default | list-name} method1 ... [method4]
Router(config)#aaa local authentication attempts max-failed integer
Router#show aaa user { all | user-id}
Router#show aaa sessions
Router(config)#tacacs-server host ip-address single-connection
Router(config)#tacacs-server key key
Router(config)#radius-server host ip-address
Router(config)#radius-server key key
Router(config)#aaa authentication login default group tacacs+ group radius local
Router(config)#aaa authorization {network | exec | commands level} {default | name} method1 [method4]
Router(config)#aaa accounting {network | exec | commands level} {default | name} method1 [method4]
Router(config)#aaa authentication login TACACS+SERVER group tacacs+ enable
Router(config)#line vty 0 4
Router(config-line)#login authentication {default | name}
access-list {1-99} {permit | deny} source-address [source-wildcard]
access-list {100-199} {permit | deny} protocol source-address [source-wildcard] [operator operand] destination-address [destination-wildcard] [operator operand] [established]
ip access-list [standard | extended] acl-name
Router(config-if)#ip access-group acl-name {in | out}
Router(config-line)#access-class acl-name {in | out}
TCP established and Reflexive ACL
R1(config)#access-list 100 permit tcp any eq 443 192.168.1.0 0.0.0.255 established
R1(config)#access-list 100 permit tcp any 192.168.1.3 0.0.0.0 eq 22
R1(config)#access-list 100 deny ip any any
R1(config)#int s0/0/0
R1(config-if)#ip access-group 100 in
Reflexive ACL
R1(config)#ip access-list extended internal_ACL
R1(config-ext-nacl)#permit tcp any any eq 80 reflect web-only-ACL
R1(config-ext-nacl)#permit udp any any eq 53 reflect dns-only-ACL timeout 10
R1(config)#ip access-list extended external_ACL
R1(config-ext-nacl)#evaluate web-only-ACL
R1(config-ext-nacl)#evaluate dns-only-ACL
R1(config)#int s0/0/0
R1(config-if)#ip access-class internal_ACL out
R1(config-if)#ip access-class external_ACL in
(note: on an interface the ACL is applied with ip access-group; access-class applies to vty lines, as shown above)
Dynamic ACL
R1(config)#username student secret cisco12345
R1(config)#access-list 101 permit tcp any host 10.2.2.2 eq telnet
R1(config)#access-list 101 dynamic testlist timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R1(config)#int s0/0/1
R1(config-if)#ip access-class 101 in
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#autocommand access-enable host timeout 5
Time-based ACL
R1(config)#time-range EVERYOTHERDAY
R1(config-time-range)#periodic Monday Friday 8:00 to 17:00
R1(config)#access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq telnet time-range EVERYOTHERDAY
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any source-quench
access-list 112 permit icmp any any unreachable
access-list 112 deny icmp any any
access-list 112 permit ip any any
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 192.168.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any
access-list 114 permit ip any any
int s0/0/0
ip access-class 112 in
int fa0/1
ip access-class 114 in
(note: interface ACLs are applied with ip access-group; access-class is the vty-line form)
ipv6 access-list name
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Router(config)#object-group service eng_service_group
Router(config-service-group)#icmp echo
Router(config-service-group)#tcp telnet
Router(config-service-group)#udp domain
Router(config)#ip access-list extended acl_policy
Router(config-ext-nacl)#permit object-group eng_service_group object-group eng_network_group
Context-based access control (CBAC)
Router(config)#ip inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout sec]
Router(config)#ip inspect alert-off
Router(config)#ip inspect audit-trail
Router#show ip inspect parameter
ip inspect name MYSITE tcp
ip inspect name MYSITE udp
interface FastEthernet0/0
 ip address 10.10.10.254 255.255.255.0
 ip access-group 101 in
 ip inspect MYSITE in
interface Serial0/0/0
 ip access-group 102 in
access-list 101
permit tcp 10.10.10.0 0.0.0.255 any
permit udp 10.10.10.0 0.0.0.255 any
deny ip any any
access-list 102
1. Create zone
Router(config)#zone security zone-name
Router(config-sec-zone)#description description
2. Define traffic classes
Router(config)#class-map type inspect [match-any | match-all] class-map-name
Router(config-cmap)#match address-group acl-name
Router(config-cmap)#match protocol protocol
Router(config-cmap)#match class-map name
3. Specify policy
Router(config)#policy-map type inspect policy-map-name
Router(config-pmap)#class type inspect class-name
Router(config-pmap)#class class-default
Router(config-pmap)#pass | inspect | drop [log] | police
4. Pair source and destination zone
Router(config)#zone-pair security zone-pair-name [source source-zone-name | self] [destination destination-zone-name | self]
Router(config-pmap-c)#service-policy type inspect policy-map-name
5. Assign interface
zone-member security
int fa0/0
(config-if)#zone-member security zone-name
Intrusion Prevention
1. Download the IOS IPS files
2. Create an IOS IPS configuration directory in flash
mkdir directory-name
dir flash:
3. Configure the IOS IPS crypto key
no crypto key public-chain rsa
4. Create IPS rule and specify the location
ip ips name rule-name [optional: list acl]
ip ips config location flash:directory-name
5. Enable SDEE and logging
ip http server
ip ips notify sdee
ip sdee events 500
ip ips notify log
R1(config)#ip ips name iosips
R1(config)#ip ips name ips list L
R1(config)#ip ips config location flash:ips
R1(config)#ip http server
R1(config)#ip ips notify sdee
R1(config)#ip ips notify log
R1(config)#ip ips signature-category
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false

R1(config)#int Gi0/1
R1(config-if)#ip ips iosips in
Load the IOS IPS signature package on the Router
copy ftp://ftp_user:password@server_IP_address/signature_package idconf
show ip ips signature count
Modify Cisco IOS IPS signature
Router(config)#ip ips signature-definition
Router(config-sigdef)#signature 6130 10
Router(config-sigdef-sig-status)#retired true
Router(config-sigdef-sig-status)#enable true
R1(config)#ip ips signature-category
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config)#ip ips signature-definition
R1(config-sigdef)#signature 6130 10
R1(config-sigdef-sig-engine)#event-action produce-alert
R1(config-sigdef-sig-engine)#event-action deny-packet-inline
R1(config-sigdef-sig-engine)#event-action reset-tcp-connection
R1(config)#ip ips signature-category
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#event-action produce-alert
R1(config-ips-category-action)#event-action deny-packet-inline
R1(config-ips-category-action)#event-action reset-tcp-connection
show ip ips all
show ip ips configuration
show ip ips interface
show ip ips signature
show ip ips statistics

Layer 2
Port Security
switch(config-if)#switchport port-security
switch(config-if)#switchport port-security mac-address mac-address
switch(config-if)#switchport port-security mac-address sticky
switch(config-if)#switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
* only on access ports
switch(config)#spanning-tree portfast default
switch(config-if)#spanning-tree portfast
BPDU Guard
switch(config)#spanning-tree portfast bpduguard default
switch#show spanning-tree summary
switch#show spanning-tree summary totals
switch(config)#spanning-tree portfast bpdufilter default
Root Guard
switch(config-if)#spanning-tree guard root
switch#show spanning-tree inconsistentports
Storm control
switch(config-if)#storm-control broadcast level 75.5
switch(config-if)#storm-control multicast level pps 2k 1k
switch(config-if)#storm-control action shutdown | trap
switch(config-if)#monitor session 1 source interface Gi0/1
switch(config-if)#monitor session 1 destination interface Gi0/2 encapsulation replicate
switch#show monitor session 1
Private VLAN Edge
switch(config-if)#switchport protect
1. Configure compatible ACL
access-list 102 permit ah host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq 500
int s0/0/0
ip access-group 102 in
2. Configure ISAKMP (IKE)
R1(config)#crypto isakmp policy 110
R1(config-isakmp)#authentication pre-share | rsa-sig
R1(config-isakmp)#encryption des
R1(config-isakmp)#group 1
R1(config-isakmp)#hash md5 | sha
R1(config-isakmp)#lifetime 86400
(note: des and md5 are weak choices; aes and sha are the stronger options listed below)
R1(config)#crypto isakmp key key-string address address
3. Transform set
crypto ipsec transform-set transform-set-name transform1 transform2 [transform3]
ah-md5-hmac ah-sha1-hmac esp-null esp-des esp-3des esp-aes esp-aes 256
4. Crypto ACLs
access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
5. Apply crypto map
crypto map map-name seq ipsec-isakmp
crypto map MYMAP 10 ipsec-isakmp
 match address 110
 set peer 172.30.2.2
 set pfs group1
 set transform-set MINE
 set security-association lifetime seconds 86400
int s0/0/0
 crypto map MYMAP
show crypto map
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
show crypto isakmp
show crypto ipsec