y23335793 posted on 2018-7-22 06:05:00

Security hardening of Cisco switches

  Security hardening of the Cisco 4506
  1. Enable SSH login
  CT10000_SNL_4506IN(config)#ip domain-name n4506
  CT10000_SNL_4506IN(config)#ip ssh time-out 60
  CT10000_SNL_4506IN(config)#ip ssh authentication-retries 5
  ! standard ACL 1302 lists the management hosts allowed to reach the vty lines
  CT10000_SNL_4506IN(config)#access-list 1302 permit 134.96.82.250 log
  CT10000_SNL_4506IN(config)#access-list 1302 permit 192.98.100.45
  CT10000_SNL_4506IN(config)#access-list 1302 permit 192.96.70.48
  CT10000_SNL_4506IN(config)#access-list 1302 permit 192.96.70.49
  CT10000_SNL_4506IN(config)#line vty 0 4
  CT10000_SNL_4506IN(config-line)#transport input ssh
  CT10000_SNL_4506IN(config-line)#login
  CT10000_SNL_4506IN(config-line)#exit
  ! local AAA: logins on the vty lines are checked against the local user database
  CT10000_SNL_4506IN(config)#aaa new-model
  CT10000_SNL_4506IN(config)#aaa authentication login default local
  CT10000_SNL_4506IN(config)#username hx10 password asei4n123a98w4
  CT10000_SNL_4506IN(config)#line vty 0 4
  CT10000_SNL_4506IN(config-line)#login authentication default
  CT10000_SNL_4506IN(config-line)#access-class 1302 in
  CT10000_SNL_4506IN(config-line)#exit
  ! disable unneeded services and protocols
  CT10000_SNL_4506IN(config)#no ip source-route
  CT10000_SNL_4506IN(config)#no ip http server
  CT10000_SNL_4506IN(config)#no cdp run
  CT10000_SNL_4506IN(config)#ntp server 192.168.0.22
  CT10000_SNL_4506IN(config)#no service tcp-small-servers
  CT10000_SNL_4506IN(config)#no service udp-small-servers
  CT10000_SNL_4506IN(config)#no service finger
  CT10000_SNL_4506IN(config)#banner exec c
  Enter TEXT message.  End with the character 'c'.
  Your IP Address has been logged,if you are not administrator,please leave now!!!c
  CT10000_SNL_4506IN(config)#interface range vlan 5 , vlan 10 , vlan 25 , vlan 30
  CT10000_SNL_4506IN(config-if-range)#no ip directed-broadcast
  CT10000_SNL_4506IN(config-if-range)#no ip proxy-arp
  CT10000_SNL_4506IN(config-if-range)#exit
  ! send syslog to the central log host
  CT10000_SNL_4506IN(config)#logging on
  CT10000_SNL_4506IN(config)#logging facility local7
  CT10000_SNL_4506IN(config)#logging 192.168.0.121
  The 3750 switch has no SSH, so enable AAA and source-address login restrictions on it instead.
  login block-for 60 attempts 5 within 60    (login lockout setting for the network device)
  spanning-tree vlan xx root primary    (STP optimization for the switch)
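The commands above are applied by hand, so the useful follow-up is a check that a device's running-config still contains them. The script below is an added example, not part of the post: it parses a `show running-config` excerpt into global lines and indented sections (`line vty`, `interface Vlan`) and reports every hardening item from the post that is missing or undone. The sample configuration is constructed for the example. Two caveats a practitioner should keep in mind: IOS hides default settings, so commands such as `no ip directed-broadcast` may be absent from the running-config even when in effect, and the post never shows `crypto key generate rsa`, which IOS needs before SSH can run, so the checker only audits the commands the post lists.

```python
"""Audit a Cisco IOS running-config excerpt against the hardening items above."""
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
hostname CT10000_SNL_4506IN
ip domain-name n4506
ip ssh time-out 60
ip ssh authentication-retries 5
aaa new-model
aaa authentication login default local
access-list 1302 permit 134.96.82.250 log
access-list 1302 permit 192.98.100.45
no ip source-route
no ip http server
no cdp run
ntp server 192.168.0.22
logging 192.168.0.121
!
interface Vlan5
 no ip proxy-arp
!
interface Vlan10
 ip proxy-arp
!
line vty 0 4
 access-class 1302 in
 login authentication default
 transport input ssh
!
line vty 5 15
 login
 transport input telnet
!
"""

# Global commands the post enables, and the services it turns off.
REQUIRED_GLOBAL = ["aaa new-model", "no ip source-route", "no ip http server", "no cdp run"]
FORBIDDEN_GLOBAL = ["ip http server", "service tcp-small-servers",
                    "service udp-small-servers", "service finger"]
# Login lockout from the 3750 note; the keyword order is fixed in IOS.
LOCKOUT_RE = re.compile(r"^login block-for \d+ attempts \d+ within \d+$")


def parse_sections(config):
    """Return (global_lines, sections): sections maps each top-level line such as
    'line vty 0 4' or 'interface Vlan5' to the indented lines beneath it."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":   # blank or '!' ends a section
            current = None
            continue
        if raw.startswith(" "):                     # indented: child of open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        sections[current] = []
        global_lines.append(current)
    return global_lines, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, sections = parse_sections(config)
    present = set(global_lines)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"missing global command: {cmd}")
    for cmd in FORBIDDEN_GLOBAL:
        if cmd in present:
            findings.append(f"insecure service enabled: {cmd}")
    if not any(line.startswith("ip ssh ") for line in global_lines):
        findings.append("no 'ip ssh' settings found")
    if not any(LOCKOUT_RE.match(line) for line in global_lines):
        findings.append("no 'login block-for' lockout configured")
    # Every vty block must be SSH-only and restricted by an inbound access-class;
    # an SVI with proxy ARP explicitly re-enabled is reported as well.
    for header, children in sections.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{header}: transport input is not ssh-only")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
                findings.append(f"{header}: no inbound access-class")
        if header.startswith("interface Vlan") and "ip proxy-arp" in children:
            findings.append(f"{header}: proxy ARP explicitly enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FAIL", finding)
```

On the constructed sample the checker reports four findings: the missing lockout, the proxy-ARP SVI, and the second vty range that still accepts telnet without an access-class. Run it against `show running-config` output saved from each switch after the hardening pass, and again whenever the configuration changes.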