CCNA Security Commands
Configure secure administrative access:
username name password password
username name secret password
Use the secret form. It stores a salted one-way hash (type 5, MD5-based, on classic IOS; newer releases add types 8 and 9), so the credential cannot be read back out of the configuration. The password form stores the credential in clear text, or as the reversible type 7 encoding once service password-encryption is enabled, which is obfuscation rather than protection.
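The following is an added example, not code from the original page, showing why the secret form matters: it decodes the type 7 encoding that service password-encryption applies to password-style credentials, then scans a small constructed config and reports every username whose credential can be recovered. The fixed type 7 key is public knowledge; the sample config lines, the usernames and the type 5 placeholder value are constructed for the example.

```python
"""Added example (not from the original page): recover type 7 credentials
from a config and leave the one-way `secret` entries alone."""
from __future__ import annotations

import re

# The fixed key of the IOS type 7 scheme (public knowledge).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches `username <name> password|secret [<type>] <value>` lines.
USERNAME_RE = re.compile(
    r"^\s*username\s+(?P<user>\S+)\s+(?P<kind>password|secret)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)"
)

# Constructed sample; the type 5 value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
username admin password 7 02050D480809
username ops password 0 Summer2024
username sec secret 5 $1$abcd$0123456789abcdefghijkl
"""


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a type 7 string such as '02050D480809'.

    The first two decimal digits are an offset into TYPE7_KEY; every
    following pair of hex digits is one clear-text byte XORed with the key.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, offset: int = 2) -> str:
    """Inverse of type7_decode; IOS picks an offset between 0 and 15."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = clear.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{offset:02d}{body.hex().upper()}"


def recoverable_credentials(config: str) -> dict[str, str]:
    """Map each username whose credential can be read from the config text
    to that credential. Clear-text (type 0 or untyped) and type 7 entries
    are recoverable; secret entries (type 5/8/9) are one-way and skipped."""
    found: dict[str, str] = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if not m or m["kind"] == "secret":
            continue
        if m["type"] == "7":
            found[m["user"]] = type7_decode(m["value"])
        else:
            found[m["user"]] = m["value"]
    return found
```

The same distinction applies to enable password versus enable secret. Anyone who can read the running configuration, a backup, or a TFTP transfer of it can run the decoder above, so treat type 7 strings as clear text when assessing exposure.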
Configure enhanced security for virtual logins
The following commands configure a Cisco IOS device to support the enhanced login features; together they rate-limit and log password guessing against virtual logins such as Telnet and SSH.
Router# configure terminal
Router(config)# login block-for seconds attempts tries within seconds
Router(config)# login quiet-mode access-class {acl-name | acl-number}
Router(config)# login delay seconds
Router(config)# login on-failure log [every login]
Router(config)# login on-success log [every login]
login block-for is the prerequisite for the others: once tries failed logins occur within seconds seconds, the device enters quiet mode for seconds seconds and refuses further login attempts, except from hosts matched by the login quiet-mode access-class ACL. Define that ACL with the management hosts before enabling blocking, or an attacker can lock administrators out simply by failing logins. login delay enforces a pause between attempts, and the on-failure and on-success commands generate the syslog messages that make an attack visible.
SSH configuration
Configure privilege level
Configure role-based CLI access
Securing the Cisco IOS image & configuration files
Using syslog for network security
Use the following steps to configure system logging.
Step 1. Set the destination logging host using the logging host command.
Step 2. (Optional) Set the log severity (trap) level using the logging trap level command.
Step 3. Set the source interface using the logging source-interface command. This specifies that syslog packets carry the IPv4 or IPv6 address of a particular interface (typically a loopback), regardless of which interface the packet uses to exit the router, so the collector can attribute messages to the right device and filter on a stable source address.
Step 4. Enable logging with the logging on command. Logging to the individual destinations is turned on and off with the logging buffered, logging monitor, and logging host global configuration commands; however, if logging on is disabled, no messages are sent to any of these destinations and only the console receives messages. Syslog over UDP is neither authenticated nor encrypted, so keep the collector on a management network that the monitored devices can reach but untrusted hosts cannot.
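The following is an added example, not code from the original page, tying the login-block section above to the syslog steps: once login on-failure log and login on-success log are configured, IOS emits %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS messages, and a collector can replay the same threshold the device applies with login block-for. The sample log lines are constructed to match that message format; the year 2024, the addresses and the usernames are assumptions for the example.

```python
"""Added example (not from the original page): replay the login block-for
rule against collected syslog to detect password guessing."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Matches the %SEC_LOGIN messages produced by login on-failure/on-success log,
# with or without the leading "*" and millisecond field of service timestamps.
LOGIN_RE = re.compile(
    r"^\*?(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\]"
)

# Constructed sample: three quick failures from one host, a straggler during
# the quiet period, one success, and two slow failures from an inside host.
SAMPLE_LOG = """\
Jan  5 10:14:03: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:14:03 UTC Fri Jan 5 2024
Jan  5 10:14:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:14:20 UTC Fri Jan 5 2024
Jan  5 10:14:41: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:14:41 UTC Fri Jan 5 2024
Jan  5 10:15:10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:15:10 UTC Fri Jan 5 2024
Jan  5 10:17:30: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 10:17:30 UTC Fri Jan 5 2024
Jan  5 10:20:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:20:00 UTC Fri Jan 5 2024
Jan  5 10:22:00: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 10:22:00 UTC Fri Jan 5 2024
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: float          # seconds since the epoch (UTC assumed)
    outcome: str       # "FAILED" or "SUCCESS"
    user: str
    source: str


@dataclass(frozen=True)
class QuietModeAlert:
    triggered_at: float
    quiet_until: float
    failures: int
    sources: tuple[str, ...]   # hosts whose failures filled the window


def parse_login_events(log: str, year: int = 2024) -> list[LoginEvent]:
    """IOS timestamps carry no year, so one is assumed (hypothetical)."""
    events = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue                       # not a login message
        stamp = " ".join(m["stamp"].split())
        when = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
        ts = when.replace(tzinfo=timezone.utc).timestamp()
        events.append(LoginEvent(ts, m["outcome"], m["user"], m["source"]))
    return sorted(events, key=lambda e: e.ts)


def detect_quiet_mode(events, attempts: int = 3, within: int = 60,
                      block_for: int = 120) -> list[QuietModeAlert]:
    """Replay `login block-for <block_for> attempts <attempts> within <within>`.

    IOS counts failures from all sources together and, once the threshold is
    crossed, refuses logins from everyone except the quiet-mode ACL hosts for
    block_for seconds. Failures logged inside that period are ignored here,
    since only ACL-permitted hosts could have produced them.
    """
    window: deque[tuple[float, str]] = deque()
    quiet_until = 0.0
    alerts = []
    for ev in events:
        if ev.outcome != "FAILED" or ev.ts < quiet_until:
            continue
        window.append((ev.ts, ev.source))
        while window and ev.ts - window[0][0] > within:
            window.popleft()               # drop failures older than the window
        if len(window) >= attempts:
            quiet_until = ev.ts + block_for
            sources = tuple(sorted({src for _, src in window}))
            alerts.append(QuietModeAlert(ev.ts, quiet_until, len(window), sources))
            window.clear()                 # the device starts a fresh count afterwards
    return alerts
```

On the device itself, show login reports the current block-for settings and whether quiet mode is active, and show login failures lists the recent failed attempts; comparing those with the collector's view is a quick check that syslog delivery is working.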
Using NTP
Performing security audit
Locking down the router using auto secure
AAA
AAA accounting functions
In this case, a standard ACL can be applied outbound on interface Fa0/0:
R1(config)# access-list 1 deny 172.16.4.0 0.0.0.255
R1(config)# access-list 1 permit any
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 1 out
As compared to standard ACLs, extended ACLs allow for specific types of traffic to be denied or permitted. Imagine a scenario in which FTP traffic from one subnet must be denied on another subnet. In this case, an extended ACL is required because a specific traffic type is filtered.
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
R1(config)# access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
R1(config)# access-list 101 permit ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 101 in
A network administrator has a situation that requires time-based ACLs. Users on 192.168.1.0/24 are not allowed to access the Internet during business hours, except during lunch and after hours until 7 p.m., when the office closes. The following time-based ACL supports the requirement. Note that its final deny ip any any drops all traffic entering Fa0/1 outside the permitted windows, not only Internet-bound traffic, and that the router clock must be accurate (hence NTP) for the time range to open and close when intended:
R1(config)# time-range employee-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 17:00 to 19:00
R1(config-time-range)# exit
R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
R1(config)# access-list 100 deny ip any any
R1(config)# interface FastEthernet 0/1
R1(config-if)# ip access-group 100 in
R1(config-if)# exit
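The following is an added example, not code from the original page, that evaluates the standard, extended and time-based ACLs from the two scenarios above the way IOS does: top-down first match, an implicit deny at the end, Cisco wildcard masks, and time-range entries that only match inside their periodic windows. The sample config simply collects the page's own ACL lines; the packet addresses and timestamps used to exercise it are assumptions, and only the syntax the page uses (any, host, address/wildcard pairs, eq port, time-range) is parsed.

```python
"""Added example (not from the original page): a small IOS-style ACL
evaluator for the page's standard, extended and time-based ACLs."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

ANY = ("0.0.0.0", "255.255.255.255")
DAY_SETS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

SAMPLE_CONFIG = """\
access-list 1 deny 172.16.4.0 0.0.0.255
access-list 1 permit any
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 permit ip any any
time-range employee-time
 periodic weekdays 12:00 to 13:00
 periodic weekdays 17:00 to 19:00
 exit
access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
access-list 100 deny ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str                 # "ip" on standard ACLs, which match source only
    src: tuple                 # (address, wildcard)
    dst: tuple | None = None   # None on standard ACLs
    dport: int | None = None   # destination port from "eq <port>"
    time_range: str | None = None


def wildcard_match(addr: str, net: str, wc: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'do not care' (inverse of a netmask)."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)


def take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_ace(number: int, tokens: list) -> Ace:
    action = tokens.pop(0)
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard ACL numbers
        return Ace(action, "ip", take_addr(tokens))
    ace = Ace(action, tokens.pop(0), take_addr(tokens), take_addr(tokens))
    while tokens:
        kw = tokens.pop(0)
        if kw == "eq":
            ace.dport = int(tokens.pop(0))
        elif kw == "time-range":
            ace.time_range = tokens.pop(0)
        else:
            raise ValueError(f"unsupported ACE keyword: {kw}")
    return ace


class AclEngine:
    def __init__(self, config: str):
        self.acls: dict[int, list[Ace]] = defaultdict(list)
        self.time_ranges: dict[str, list[tuple]] = defaultdict(list)
        current = None
        for line in config.splitlines():
            tokens = line.split()
            if not tokens:
                continue
            if tokens[0] == "access-list":
                number = int(tokens[1])
                self.acls[number].append(parse_ace(number, tokens[2:]))
            elif tokens[0] == "time-range":
                current = tokens[1]
            elif tokens[0] == "periodic" and current:
                days = DAY_SETS.get(tokens[1]) or {DAY_NAMES.index(tokens[1])}
                start, end = time.fromisoformat(tokens[2]), time.fromisoformat(tokens[4])
                self.time_ranges[current].append((days, start, end))
            else:
                current = None                        # e.g. "exit"

    def time_active(self, name: str, when: datetime) -> bool:
        return any(when.weekday() in days and start <= when.time() <= end
                   for days, start, end in self.time_ranges[name])

    def matches(self, ace: Ace, src, dst, proto, dport, when) -> bool:
        if not wildcard_match(src, *ace.src):
            return False
        if ace.dst is not None:                       # extended ACE
            if not wildcard_match(dst, *ace.dst):
                return False
            if ace.proto != "ip" and ace.proto != proto:
                return False
            if ace.dport is not None and dport != ace.dport:
                return False
        if ace.time_range is not None:
            if when is None:
                raise ValueError("time-based ACE needs the packet's timestamp")
            if not self.time_active(ace.time_range, when):
                return False                          # entry is inactive right now
        return True

    def evaluate(self, number: int, src: str, dst: str, proto: str = "ip",
                 dport: int | None = None, when: datetime | str | None = None) -> str:
        """Return 'permit' or 'deny' for one packet; `when` may be an ISO string."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        if number not in self.acls:
            return "permit"   # IOS pitfall: an applied but undefined ACL filters nothing
        for ace in self.acls[number]:
            if self.matches(ace, src, dst, proto, dport, when):
                return ace.action
        return "deny"         # the implicit deny at the end of every ACL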
CBAC provides four main functions: traffic filtering, traffic inspection, intrusion detection, and generation of audits and alerts.
The first CBAC commands were introduced to Cisco IOS software in 1997. CBAC is a dramatic improvement over the TCP established and reflexive ACL firewall options in several fundamental ways:
Monitors TCP connection setup
Tracks TCP sequence numbers
Inspects DNS queries and replies
Inspects common ICMP message types
Supports applications that rely on multiple connections
Inspects embedded addresses
Inspects Application Layer information
Router(config)# ip inspect alert-off
Router(config)# ip inspect audit-trail
Router# show ip inspect [parameter]
Router# debug ip inspect protocol parameter
Router# show policy-map type inspect zone-pair session
Step 1. Download the IOS IPS files.
Step 2. Create an IOS IPS configuration directory in flash.
Step 3. Configure the IOS IPS crypto key (the Cisco public key used to verify the digital signature on the signature package).
Step 4. Enable IOS IPS.
Step 5. Load the IOS IPS signature package to the router.
These are the steps for configuring port security on an access port:
Step 1. Configure an interface as an access interface.
Switch(config-if)# switchport mode access
If an interface is in the default mode (dynamic auto), it cannot be configured as a secure port.
Step 2. Enable port security on the interface using the switchport port-security command.
The complete syntax includes a number of optional parameters.
Switch(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | [mac-address sticky [mac-address| vlan {vlan-id | {access | voice}}]] [maximum value [vlan {vlan-list | {access | voice}}]]
Step 3. (Optional) Set the maximum number of secure MAC addresses for the interface.
Switch(config-if)# switchport port-security maximum value
The upper limit is platform dependent (1 to 132 on the platform assumed here; newer Catalyst models allow more). The default is 1.
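The following is an added example, not code from the original page, that models a secured access port built with the steps above: it applies the configured maximum, learns addresses dynamically (with or without sticky), and shows how the three IOS violation modes (protect, restrict, and the default shutdown) differ when one address too many appears. The interface name, MAC addresses and log text are constructed; the restrict-mode line is modelled on the %PORT_SECURITY-2-PSECURE_VIOLATION syslog message.

```python
"""Added example (not from the original page): a model of an access port
under switchport port-security, including violation handling."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str = "FastEthernet0/1"  # assumed interface name
    maximum: int = 1               # switchport port-security maximum <value>
    violation: str = "shutdown"    # switchport port-security violation <mode>
    sticky: bool = False           # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # ... mac-address <mac> entries
    learned: set = field(default_factory=set)  # dynamically learned addresses
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | self.learned

    def frame_from(self, mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        mac = mac.lower()
        if self.err_disabled:
            return False              # nothing passes until the port is recovered
        if mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(mac)     # room left: learn it as a secure address
            return True
        # Unknown MAC beyond the maximum: a security violation.
        self.violations += 1
        if self.violation == "protect":
            return False              # drop silently; nothing is logged
        if self.violation == "restrict":
            self.log.append(
                f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {mac} on port {self.name}."
            )
            return False              # drop, count and log; port stays up
        self.err_disabled = True      # shutdown: the whole port goes err-disabled,
        self.log.append(f"{self.name} err-disabled (psecure-violation)")
        return False                  # including the legitimate host behind it

    def reload(self) -> None:
        """Switch reload: dynamic addresses vanish unless sticky learning wrote
        them into the saved configuration; the err-disabled state also clears."""
        if not self.sticky:
            self.learned.clear()
        self.err_disabled = False

    def running_config(self) -> list[str]:
        """Interface lines as IOS would store them for this port."""
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        for mac in sorted(self.static):
            lines.append(f"switchport port-security mac-address {mac}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            for mac in sorted(self.learned):
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines
```

The shutdown mode is the safest default against a rogue device, but it also lets anyone who can inject a second source MAC take the port (and the legitimate host on it) offline, so pair it with errdisable recovery cause psecure-violation or use restrict where availability matters more than strictness. Verify the live state with show port-security interface and show port-security address.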