Configuring Secure Administrative Access

Router(config)#enable secret password

Router(config)#security password min-length length
Router(config)#service password-encryption
Router(config-line)#exec-timeout minutes [seconds]
Router(config)#username name password password
Router(config)#username name secret password
Configuring Enhanced Security for Virtual Logins
Router(config)#login block-for seconds attempts tries within seconds
Router(config)login !uite-mode access-class {acl-number | acl-name}
Router(config)#login delay seconds
Router(config)login on-failure log "every login#
Router(config)login on-success log "every login#
Router(config)#banner $exec % incoming % login % motd % slip-ppp & #message#
Example'
R1config t
R1(config)username ADMIN secret cisco12345
R1(config)#line vty ( )
R1(config-line)#login local
R1(config-line)#exec-timeout * (
R1(config-line)#exit
R1(config)#login block-for +, attempts * within -(
R1(config)#ip access-list standard .E/012-A3014
R1(config-std-nacl)#permit +567+-87+(7+(
R1(config-std-nacl)#permit +567+-87++7+(
R1(config-std-nacl)exit
R1(config)login !uite-mode access-class .E/012-A3014
R1(config)#login delay +(
R1(config)#login on-failure log
R1(config)#loign on-success log
R1(config)#exit
Configuring SS9
Router(config)#ip domain-name domain-name
Router(config)#hostname name
Router(config)crypto key generate rsa
Router#show crypto key mypubkey rsa
Router(config)#crypto key :eroi:e rsa
Router(config)line vty ( )
Router(config-line)transport input ssh
Router(config-line)login local
Router(config-line)exit
Router(config)ip ssh version 6
Router(config)ip ssh authentication-retries integer
Router(config)ip ssh time-out seconds
Router#show ip ssh
Router#show ssh
Configuring .rivilege Level
Router(config)#privilege mode $level level command | reset & command
Router(config)enable secret level level password
Router(config)#username name privilege level level secret password
Router#show privilege
Router>enable ,
Example'
R1config t
R1(config)username ;SE/ privilege level + secret cisco+6*),
R1(config)privilege exec level , ping
R1(config)enable secret level , cisco,
R1(config)username S;..</2 privilege , secret cisco,
R1(config)privilege exec level +( reload
R1(config)enable secret level +( cisco+(
R1(config)username =/-A3014 privilege level +( secret cisco+(
R1(config)usernmae A3014 privilege level +, secret cisco
Configuring /ole-based CL1 Access
Router(config)#aaa new-model
Router(config)enable secret password
Router#enable view $root&
Router#config t
Router(config)#parser view view-name
Router(config-view)#secret password
Router(config-view)#command parser-mode $ include % include-exclusive % exclude & "all# "interface
interface-name % command#
Router(config)#parser view view-name superview
Router(config-view)#secret password
Router(config-view)view view-name
Example'
/+>config?parser view S9<@V1E@
/+>config-view?secret cisco+6*),
/+>config-view?command exec include show
/+>config-view?exit
/+>config?parser view VE/1AB
/+>config-view?secret cisco*6+
/+>config-view?command exec include ping
/+>config-view?exit
/+>config?parser view /EC<<2V1E@
/+>config-view?secret cisco,
/+>config-view?command exec include reload
/+>config-view?exit
/+>config?parser view S;..</2 superview
/+>config-view?secret cisco+*,
/+>config-view?view S9<@V1E@
/+>config-view?view VE/1AB
/+>config-view?exit
/+enable view S;..</2
/+show parser view all
Securing the C1SC< 1<S 1mage and Configuration files

R1#secure boot-image
R1#secure boot-config
R1#show secure bootset
R1#boot filename
R1#secure boot-config restore filename
Syslog D 42. D S40.
Router(config)logging ip
Router(config)#logging on
Router(config)logging source-interface interface-name
Router(config)#logging trap level
Router(config)#service timestamps log datetime msec
/outer>config?snmp-server community string $ ro % rw&
( emergencies
+ alerts
6 critical
* errors
) warning
, notification
- informational
E debugging
Router(config)ntp master "stratum#
Router(config)ntp server $ip-address | hostname& " version number # " key key-id# " source interface
# " prefer #
Router(config)#ntp broadcast client
Router(config)#ntp update-calendar
Router(config)ntp authenticate
Router(config)ntp authentication-key key-number md, key-value
Router(config)#ntp trusted-key key-number
Router#show clock
Router#show ntp
Router#show ntp associations detail
AAA
Router(config)aaa new-model
Router(config)aaa authentication login $ default % list-name& method + F7 "method )#
Router(config)aaa local authentication attempts max-failed integer
Router#show aaa user { all | user-id}
Router#show aaa sessions
Router(config)#tacacs-server host ip-address single-connection
Router(config)tacacs-server key key
Router(config)#radius-server host ip-address
Router(config)#radius-server key key
Router(config)#aaa authentication login default group tacacsG group radius local
Router(config)aaa authori:ation $network % exec % commands level} {default | name}
method 1 [ method 4]
Router(config)#aaa accounting $network % exec % commands level} {default | name}
method 1 [method 4 ]
Example'
Router(config)#aaa authentication login 2ACACSGSE/VE/ group tacacsG enable
Router(config)#line vty ( )
Router(config-line)login authentication $ default % name&
ACL
Standard
access-list $+-55& $permit % deny& source-address [ source-wildcard ]
Extended
access-list $+((-+55& $permit % deny& protocol source-address [ source-wildcard ] [operator operand]
destination-address [destination-wildcard] [operator operand] "established#
4amed
ip access-list "standard % extended# acl-name
Router(config-if)#ip access-group acl-name $in % out&
Router(config-line)access-class acl-name $in % out&
2C. established and /eflexive ACL
R1(config)access-list +(( permit tcp any e! ))* +567+-87+7( (7(7(76,, established
R1(config)access-list +(( permit tcp any +567+-87+7* (7(7(7( e! 66
R1(config)access-list +(( deny ip any any
R1(config)int s(H(H(
R1(config-if)ip access-group +(( in
/eflexive ACL
R1(config)ip access-list extended internalIACL
R1(config-ext-nacl)permit tcp any any e! 8( reflect web-only-ACL
R1(config-ext-nacl)permit udp any any e! ,* reflect dns-only-ACL timeout +(
R1(config)ip access-list extended externalIACL
R1(config-ext-nacl)evaluate web-only-ACL
R1(config-ext-nacl)evaluate dns-only-ACL
R1(config)int s(H(H(
R1(config-if)ip access-class internalIACL out
R1(config-if)ip access-class externalIACL in
3ynamic ACL
R1(config)username student secret cisco+6*),
R1(config)access-list +(+ permit tcp any host +(767676 e! telnet
R1(config)access-list +(+ dynamic testlist timeout +, permit ip +567+-87+(7( (7(7(76,,
+567+-87*(7( (7(7(76,,
R1(config)#int s(H(H+
R1(config-if)ip access-class +(+ in
R1(config)line vty ( )
R1(config-line)login local
R1(config-line)autocommand access-enable host timout ,
2ime-based ACL
R1(config)time-range EVE/B<29E/3AB
R1(config-time-range)periodic 0onday Ariday 8'(( to +E'((
R1(config)access-list +(+ permit tcp +567+-87+(7( (7(7(76,, any e! telnet time-range
EVE/B<29E/3AB
access-list ++6 permit icmp any any echo-replay
access-list ++6 permi icmp any any source-!uench
access-list ++6 permit icmp any any unreachable
access-list ++6 deny icmp any any
access-list ++6 permit ip any any
access-list ++) permit icmp +567+-87+7( (7(7(76,, any echo
access-list ++) permit icmp +567+-87+7( (7(7(76,, any parameter-problem
access-list ++) permit icmp +567+-87+7( (7(7(76,, any packet-too-big
access-list ++) permit icmp +567+-87+7( (7(7(76,, any source-!uench
access-list ++) deny icmp any any
access-list ++) permit ip any any
int s(H(H(
ip access-class ++6 in
int fa(H+
ip access-class ++) in
ipv- access-list name
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
Router(config)#obJect-group service engIserviceIgroup
Router(config-service-grou)#icmp echo
Router(config-service-grou)#tcp telnet
Router(config-service-grou)#udp domai
Router(config)#ip access-list extended aclIpolicy
Router(config-ext-nacl)#permit obJect-group engIserviceIgroup obJect-group engInetworkIgroup
any
Context-based access control CCAC
ACL
Router(config)#ip inspect name inspection-name protocol " alert $ on % off&# [audit-trail {on % off}]
[timeout sec]
Router(config)#ip inspect alert-off
Router(config)ip inspect audit-trailo
Router#show ip inspect parameter
Example'
ip inspect name 0BS12E tcp
ip inspect name 0BS12E udp
interface AastEthernet(H(
>?ip address +(7+(7+(76,) 6,,76,,76,,7(
>?ip access-group +(+ in
>?ip inspect 0BS12E in
interface Serial(H(H(
>?ip access-group +(6 in
access-list +(+
permit tcp +(7+(7+(7( (7(7(76,, any
permit udp +(7+(7+(7( (7(7(76,, any
deny ip any any
access-list +(6
K<4E-CASE3 .<L1CB A1/E@ALL
1! "reate #one
Router(config):one security one-name
Router(config-sec-#one)description description
$! %efine traffic classes
Router(config)#class-map type inspect "match-any % match-all# class-map-name
Router(config-cma)#match address-group acl-name
Router(config-cma)#protocol protocol
Router(config-cma)#match class-map name
&! 'ecif( olic(
Router(config)policy-map type inspect policy-map-name
Router(config-ma)#class type inspect class-name
Router(config-ma)#class class-default
Router(config-ma)#pass % inspect % drop "log# % police
4! )air sourse and destination #one
Router(config)#:one-pair security one-pair-name "sourse source-one-name | self #
" destination destination-one-name % self#
Router(config-ma-c)service-policy type inspect policy-map-name
*! +ssign interfac
:one-member security
int fa(H(
>config-if?:one-member security one-name
1ntrusion .revention
+7 3ownload the 1<S 1S. files
7pkg
7txt
67 Create an 1<S 1S. configuration directory in flash
mkdir directory-name
dir flash'
*7 Configure the 1<S 1S. crypto key
no crypto key public-chain rsa
)7 Create 1.S rule and specify the location
ip ips name rule!name [optional "#$]
ip ips config location flash%directory-name
,7 Enable S3EE and logging
ip http server
ip ips notify sdee
ip sdee events ,((
ip ips notify log
Example'
R1(config)ip ips name iosisp
R1(config)ip ips name ips list L
R1(config)ip ips config location flash'ips
R1(config)ip http server
R1(config)ip ips notify sdee
R1(config)ip ips notify log
R1(config)ip ips signature-category
R1(config-is-categor()category all
R1(config-is-categor(-action)retired true
R1(config-is-categor(-action)exit
R1(config-is-categor()#category iosIips basic
R1(config-is-categor(-action)#retired false
R1(config-is-categor(-action)#exit

R1(config)#int Mi(H+
R1(config-if)#ip ips iosips in
Load the 1<S 1S. signature package on the /outer
copy ftp'HHftpIuser'passwordNserverI1.IaddressHsignatureIpackage idconf
show ip ips signature count
0odify Cisco 1<S 1S. signature
Router(config)ip ips signature-definition
Router(config-sigdef)signature -+*( +(
Router(config-sigdef-sig)status
Router(config-sigdef-sig-status)retired true
Router(config-sigdef-sig-status)enable true
Router(config-sigdef-sig-status)exit
Router(config-sigdef-sig)exit
R1(config)#ip ips signature-category
R1(config-is-categor()#category iosIips basic
R1(config-is-categor(-action)#retired false
R1(config-is-categor(-action)#exit
R1(config)ip ips signature-definition
R1(config-sigdef)signature -+*( +(
R1(config-sigdef-sig)engine
R1(config-sigdef-sig-engine)event-action produce-alert
R1(config-sigdef-sig-engine)event-action deny-packet-inline
R1(config-sigdef-sig-engine)event-action reset-tcp-connection
R1(config)#ip ips signature-category
R1(config-is-categor()#category iosIips basic
R1(config-is-categor(-action)#event-action produce-alert
R1(config-is-categor(-action)#event-action deny-packet-inline
R1(config-is-categor(-action)#event-action reset-tcp-connection
show ip ips all
show ip ips configuration
show ip ips interface
show ip ips signature
show ip ips statistics

Layer 6
.ort Security
switch(config-if)switchport port-security
switch(config-if)switchport port-security mac-address mac-address
switch(config-if)#switchport port-security mac-address sticky
switch(config-if)switchport port-security violation $protect % restrict % shutdown % shutdown vlan&
.ortAast
Oonly access port
switch(config)spanning-tree portfast default
switch(config-if)spanning-tree portfast
C.3; Muard
switch(config)spanning-tree portfast bpduguard default
switch#show spanning-tree summary
switch#show spanning-tree summary totals
switch(config)spanning-tree portfast bpdufilter default
/oot Muard
switch(config-if)spanning-tree guard root
switch#show spanning-tree inconsistentports
Storm control
switch(config-if)storm-control broadcast level E,7,
switch(config-if)storm-control multicast level pps 6k +k
switch(config-if)storm-control action shutdown% trap
S.A4
switch(config-if)monitor session + source interface Mi(H+
switch(config-if)monitor session + destination interface Mi(H6 encapsulation replicate
switchshow monitor session +
.rivate VLA4 Edge
switch(config-if)switchport protect
V.4
+7 Configure compatible ACL
access-list 1,$ ermit ah host 1-$!&,!1!$ host 1-$!&,!$!$
access-list 1,$ ermit es host 1-$!&,!1!$ host 1-$!&,!$!$
access-listt 1,$ ermit ud host 1-$!&,!1!$ host 1-$!&,!$!$ e. *,,
int s,/,/,
i access-grou 1,$ in
$! "onfigure 012
R1(config)#cr(to isa3m olic( 11,
R1(config-isa3m)#authentication re-share #rsa-sig
R1(config-isa3m)#encr(tion des
R1(config-isa3m)#grou +
R1(config-isa3m)#hash md* #sha
R1(config-isa3m)#lifetime 8-)(((
R1(config)#crypto isakmp key key-string address address
&! 4ransform set
crypto ipsec transform-set transform-set-name transform& transform' ( transform)
ah-md*-hmac ah-sha1-hmac es-null es-des es-&des es-aes es-aes $*5
4! "r(to +"6s
access-list 11, ermit tc 1,!,!1!, ,!,!,!$** 1,!,!$!, ,!,!,!$**
*! +l( cr(to ma
crypto map map-name se* ipsec-isakmp
crypto map 0B0A. +( ipsec-isakmp
>?match address ++(
>?set peer +E67*(7676
>?set pfs group+
>?set tranform-set 014E
>?set security-association lifetime seconds 8-)(((
int s(H(H(
>?crypto map 0B0A.
show crypto map
show crypto isakmp policy
show crypto ipsec sa
show crypto ipsec transform-set
show crypto isakmp
show crypto ipsec