CAP 2 – HARDENING ROUTER PASSWORDS
To increase the security of passwords, the following should be configured:
#Enforce minimum password lengths.
R(config)# security passwords min-length length
#Disable unattended connections.
R(config-line)# exec-timeout minutes [seconds]
#Obfuscate all cleartext passwords in the configuration file.
R(config)# service password-encryption
#There are two methods of configuring local username accounts.
R(config)# username name password password
R(config)# username name secret password
Caveat: service password-encryption only applies the reversible type 7 scheme to passwords that are stored in cleartext; anyone who obtains a copy of the configuration can recover them in seconds. Use the secret form (hashed) for usernames and enable secret rather than enable password. password-encryption is still worth enabling, so that nothing is ever stored in cleartext, but it is not a substitute for secret.

LOGIN ENHANCEMENTS
#Shut down logins if a DoS attack is suspected
R(config)# login block-for seconds attempts tries within seconds
R(config)# login quiet-mode access-class {acl-name | acl-number}
#Delay between successive login attempts. Helps mitigate dictionary attacks. This is an optional command: if it is not set, a default delay of one second is enforced once login block-for is configured.
R(config)# login delay seconds
#Generate system logging messages for login detection
R(config)# login on-failure log [every number-of-logins]
R(config)# login on-success log [every number-of-logins]
Authentication on vty lines must be configured to use a username and password combination. If the vty lines are configured to use only a password, the enhanced login features are not enabled.
#As an alternative, this command generates a log message when the login failure rate is exceeded.
R(config)# security authentication failure rate threshold-rate log
#To verify the enhanced login options
R# show login [failures]

BANNER
R(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command:
$(hostname) Displays the host name for the router.
$(domain) Displays the domain name for the router.
$(line) Displays the vty or tty (asynchronous) line number.
$(line-desc) Displays the description that is attached to the line.
Because the motd and login banners are displayed before authentication, avoid tokens or wording that reveal the device identity or the network owner to an unauthenticated connection.

SSH
Before configuring SSH, verify that the target router runs a cryptographic IOS image (IPSEC, i.e. a k9 image) at release 12.1(1)T or later, that each router has its hostname and domain name set, and that local user authentication or AAA services are configured.
R(config)# ip domain-name domain
R(config)# crypto key generate rsa [general-keys modulus modulus-size]
#To delete an RSA key
R(config)# crypto key zeroize rsa
R(config)# line vty number
R(config-line)# transport input ssh
R(config-line)# login {local | authentication}
#Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility mode to a specific version, use:
R(config)# ip ssh version {1 | 2}
SSHv1 has known protocol weaknesses; force version 2 and generate a modulus of at least 2048 bits (the old 512-bit default is too small, and SSHv2 requires at least 768 bits).
#The time interval that the router waits for the SSH client to respond during the SSH negotiation phase (the default is 120 seconds) can be configured using:
R(config)# ip ssh time-out seconds
#To configure a different number of consecutive SSH authentication retries (the default is 3), use
R(config)# ip ssh authentication-retries integer
#To verify SSH
R# show crypto key mypubkey rsa
R# show ip ssh
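The checklist above is easy to state and easy to miss on a real device. The script below is an added example (not part of the original notes) that audits a running-config for the items in the password, login-enhancement and SSH sections, and decodes type 7 strings to make the service password-encryption caveat concrete. The two configurations, the usernames and the placeholder hashes are constructed for the demo; the type 7 key string is the well-known constant used by IOS.

```python
"""Added example: audit an IOS running-config against the hardening checklist
above and decode 'service password-encryption' (type 7) strings.
The configs below are constructed for the demo, not taken from a real device."""
import re

# Constant key stream used by the IOS type 7 scheme; the first two digits of a
# type 7 string are the offset (0-15) into it, the rest is hex of XOR'd bytes.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the plaintext behind a type 7 string such as '0822455D0A16'."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(data))


def type7_encode(plain, seed=8):
    """Forward direction, to make the point that both directions are trivial."""
    body = "".join(f"{ord(c) ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]):02X}"
                   for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def parse_config(text):
    """Split a config into global commands and per-'line' sections (indented children)."""
    glob, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # child of the current line section
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            glob.append(raw.strip())
    return glob, sections


def audit(text, min_length=10):
    """Return a list of findings; an empty list means every check passed."""
    glob, sections = parse_config(text)
    findings, found_min = [], None
    for cmd in glob:
        m = re.match(r"security passwords min-length (\d+)$", cmd)
        if m:
            found_min = int(m.group(1))
        m = re.match(r"username (\S+)(?: privilege \d+)? password (?:(0|7) )?(\S+)$", cmd)
        if m:
            user, kind, value = m.groups()
            if kind == "7":
                findings.append(f"username {user}: type 7 is reversible, plaintext is "
                                f"{type7_decode(value)!r}; use 'username {user} secret'")
            else:
                findings.append(f"username {user}: cleartext password; use 'secret'")
        if cmd.startswith("enable password "):
            findings.append("enable password: use 'enable secret' instead")
    if found_min is None or found_min < min_length:
        findings.append(f"security passwords min-length missing or below {min_length}")
    if "service password-encryption" not in glob:
        findings.append("service password-encryption not set (cleartext passwords possible)")
    if not any(cmd.startswith("login block-for ") for cmd in glob):
        findings.append("login block-for not set (no brute-force throttling)")
    if "ip ssh version 2" not in glob:
        findings.append("ip ssh version 2 not set (SSHv1 or compatibility mode allowed)")
    for name, cmds in sections.items():
        if not any(c.startswith("exec-timeout") for c in cmds) or "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: no exec-timeout (idle sessions never expire)")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{name}: {transport or 'transport input not set'}; "
                                "should be 'transport input ssh'")
    return findings


# Constructed configs: one with typical weaknesses, one meeting the checklist.
WEAK_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 6
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$constructedPlaceholderHash
enable secret 5 $1$efgh$constructedPlaceholderHash
login block-for 120 attempts 3 within 60
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname R1
service password-encryption
security passwords min-length 10
username ops secret 5 $1$abcd$constructedPlaceholderHash
enable secret 5 $1$efgh$constructedPlaceholderHash
login block-for 120 attempts 3 within 60
ip ssh version 2
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("-", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Running it against WEAK_CONFIG prints the recovered plaintext for the admin account, the short minimum length, the missing ip ssh version 2, and the vty line that still accepts Telnet and never times out; HARDENED_CONFIG produces no findings. The audit deliberately requires service password-encryption and still flags every type 7 string it finds: the first stops cleartext storage, the second is the reminder that only secret gives a real hash.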
ACCESS BASED ON PRIVILEGE LEVELS
#To assign a privilege level to a command
R(config)# privilege mode {level level | reset} command
#To verify the privilege level of the current user
R# show privilege
Privilege levels should also be configured for authentication. There are two methods for assigning passwords to the different levels:
R(config)# enable secret level level password
R(config)# username name privilege level secret password
To access a privilege level:
R> enable level
Password:
Caveat: privilege levels are cumulative, so a level has every command of all lower levels, and a command moved to a custom level becomes available to every level at or above it. Role-based CLI views are the tool for per-role command sets.

ROLE-BASED CLI (VIEWS)
#Step 1. Enable AAA and enter the root view with the enable view command
R(config)# aaa new-model
R# enable [view [view-name]]
#Step 2. Create a view (or superview) using the parser view command. This enters view configuration mode. Excluding the root view, there is a limit of 15 views in total.
R(config)# parser view view-name [superview]
#Step 3. Assign a secret password to the view or superview
R(config-view)# secret encrypted-password
#Step 4. Assign commands to the view with the commands command, or assign views to the superview with the view command
R(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
R(config-view)# view view-name
#To verify the views configured on the system, from the root view use:
R# show parser view all

SECURING THE CONFIGURATION FILES AND THE CISCO IOS IMAGE
Two global configuration commands are available to configure the Cisco IOS resilient configuration feature:
R(config)# secure boot-image
R(config)# secure boot-config
Because the secured image and configuration archives are not visible in the dir command output, use
R# show secure bootset
The feature can only be disabled from a console session (no secure boot-image / no secure boot-config), so it protects against remote tampering, not against an attacker with console access.
There are five steps to restore a primary bootset from a secure archive after the router has been tampered with (by an NVRAM erase or a disk format):
Step 1. Reload the router using the reload command.
Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file. From the CLI, the device name can be found in the output of the show secure bootset command.
Step 3. Boot the router with the secure bootset image using the boot command with the filename found in Step 2. When the compromised router boots, change to privileged EXEC mode and restore the configuration.
Step 4. Enter global configuration mode using conf t.
Step 5. Restore the secure configuration to the supplied filename using the secure boot-config restore filename command.

PASSWORD RECOVERY
Recovering a router password involves several steps.
Step 1. Connect to the console port.
Step 2. Type enable at the Router> prompt. This puts the router into enable mode and shows the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM contents into memory. Be careful not to type copy running-config startup-config, or the startup configuration will be overwritten with the empty running configuration.
Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all interfaces are currently shut down.
Caveat: this procedure is available to anyone with physical console access, so it is as much an attack path as a recovery path. Console ports need physical access control, and no service password-recovery disables the procedure (at the cost of making a lost enable secret unrecoverable without wiping the startup configuration).
You can turn logging on and off for these destinations individually using the logging buffered, logging monitor and logging host global configuration commands:
R(config)# logging buffered
R(config)# logging monitor
R(config)# logging host ip-address
However, if the logging on command is disabled, no messages are sent to these destinations. Only the console receives messages.
Enable the timestamp service if it is not enabled; without timestamps, logged events cannot be correlated across devices.
R(config)# service timestamps log datetime msec

SNMPv1 AND SNMPv2c
R(config)# snmp-server community string ro
R(config)# snmp-server community string rw
#Trap server configuration
R(config)# snmp-server host {hostname | ip-address} [version {1 | 2c | 3}] community-string
#Optional
R(config)# snmp-server location text
R(config)# snmp-server contact text
Caveat: SNMPv1 and SNMPv2c send the community string in cleartext, and a rw community is equivalent to write access to the configuration. Avoid rw communities where possible, restrict each community with an access list, and prefer SNMPv3 with authentication and privacy.

NTP
Typically, the date and time settings of the router can be set using one of two methods:
Manually editing the date and time
R# clock set hh:mm:ss date
R# show clock [detail]
Bear in mind that many Cisco devices lack an internal clock that stores this information. Therefore, if the device is rebooted the local time configuration is lost.
Configuring the Network Time Protocol (NTP)
Step 1 - Configure the time zone
R(config)# clock timezone zone hours-offset
Also consider that some countries and regions shift their time zone by season for energy saving. In those cases the device can be told to follow that rule with:
R(config)# clock summer-time timezone recurring ...
Step 2 - In an NTP-configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using
R(config)# ntp master [stratum]
It is recommended that a router acting as master have an internal battery-backed hardware clock.
Step 3 - NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use
R(config)# {ntp | sntp} server {hostname | ip-address} [version number] [key key-id] [source interface] [prefer]
R# show ntp associations [detail]
R# show ntp status
#To keep the hardware calendar of devices with a battery-backed clock updated from NTP
R(config)# ntp update-calendar
R# show calendar
In a LAN environment, NTP can be configured to use IP broadcast messages instead by
R(config)# ntp broadcast client
This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. The accuracy of timekeeping is marginally reduced because the information flow is one-way only.
There are two security mechanisms available:
ACL-based restriction scheme (ntp access-group)
Encrypted authentication mechanism offered by NTP version 3 or later (ntp authenticate with ntp authentication-key and ntp trusted-key)
Caveat: an unauthenticated NTP source lets an attacker shift the router's clock, which breaks log correlation, certificate validity checks and time-based ACLs, so authenticate the sources rather than relying on the ACL alone.
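The login on-failure / on-success messages from the login enhancements section are only useful with the timestamps enabled above. The script below is an added example (not part of the original notes) that replays such messages and applies the same windowing that login block-for uses, then flags the pattern an analyst actually wants: a success from a source that had just been failing. The log lines are constructed to mimic the %SEC_LOGIN messages IOS emits; the year, addresses and usernames are assumptions for the demo.

```python
"""Added example: run the 'login block-for' window and a success-after-failures
check over constructed %SEC_LOGIN syslog lines (format modelled on IOS output
with 'service timestamps log datetime msec')."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# '*Mar 11 10:02:10.101: %SEC_LOGIN-4-LOGIN_FAILED: ... [user: admin] [Source: 203.0.113.9] ...'
LOGIN_MSG = re.compile(
    r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (%SEC_LOGIN-\d-\w+): .*?"
    r"\[user: (\S+)\] \[Source: (\S+)\]")


def parse_login_event(line, year=2021):
    """Return (timestamp, mnemonic, user, source) or None for unrelated lines.
    The year is an assumption: IOS timestamps do not carry one."""
    m = LOGIN_MSG.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
    return when, m.group(2), m.group(3), m.group(4)


def detect(log_text, attempts=3, within=60, block_for=120):
    """Replay the log with the semantics of 'login block-for <block_for> attempts
    <attempts> within <within>': the failure window is global (IOS quiet mode
    blocks all sources, not just the offender). A success from a source that
    previously failed is reported as a possible successful brute force."""
    window = deque()                 # timestamps of recent failures, all sources
    quiet_until = None
    failures = defaultdict(int)      # per-source failure count, for triage
    alerts = []
    for line in log_text.splitlines():
        event = parse_login_event(line)
        if event is None:
            continue
        when, mnemonic, user, src = event
        if mnemonic == "%SEC_LOGIN-4-LOGIN_FAILED":
            failures[src] += 1
            window.append(when)
            while window and (when - window[0]).total_seconds() > within:
                window.popleft()
            in_quiet = quiet_until is not None and when < quiet_until
            if len(window) >= attempts and not in_quiet:
                quiet_until = when + timedelta(seconds=block_for)
                window.clear()
                alerts.append(f"{when:%H:%M:%S} quiet mode ON until "
                              f"{quiet_until:%H:%M:%S} (triggered by {src})")
        elif mnemonic == "%SEC_LOGIN-5-LOGIN_SUCCESS" and failures[src]:
            alerts.append(f"{when:%H:%M:%S} {src}: login success for {user!r} "
                          f"after {failures[src]} failures")
    return alerts


# Constructed sample: a brute-force burst, a retry after quiet mode ends, the
# attacker finally succeeding, and an unrelated clean login from an internal host.
SAMPLE_LOG = """\
*Mar 11 10:02:10.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:10 UTC Thu Mar 11 2021
*Mar 11 10:02:14.332: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:14 UTC Thu Mar 11 2021
*Mar 11 10:02:19.870: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:19 UTC Thu Mar 11 2021
*Mar 11 10:02:19.871: %SYS-5-CONFIG_I: Configured from console by console
*Mar 11 10:04:40.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:04:40 UTC Thu Mar 11 2021
*Mar 11 10:05:41.210: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.9] [localport: 22] at 10:05:41 UTC Thu Mar 11 2021
*Mar 11 10:30:02.555: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.10.0.7] [localport: 22] at 10:30:02 UTC Thu Mar 11 2021
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The third failure at 10:02:19 trips the window and the model enters quiet mode until 10:04:19, exactly as the router would; the fourth failure arrives after quiet mode ends and starts a fresh window, so it does not trip again. The success at 10:05:41 is the line worth paging someone for: the router logged it as a normal login, and only the per-source history shows it followed four failures.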
AUTOSECURE
AutoSecure is often used in the field to provide a baseline security policy on a new router. Features can then be altered to support the security policy of the organization.
R# auto secure [no-interact | full] [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]
Review the configuration AutoSecure generates before saving it: it disables services and adds access restrictions, and in no-interact mode it applies its defaults without asking, which can cut off management access you rely on.
CAP 3 – AAA
LOCAL AAA AUTHENTICATION
Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps.
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
R(config)# username name [privilege level] [view view] {secret | password} password
Step 2. Enable AAA globally on the router.
R(config)# aaa new-model
Step 3. Configure AAA parameters on the router.
R(config)# aaa authentication login {default | list-name} method1...[method4]
Method lists enable an administrator to designate one or more security protocols for authentication.
The authentication methods in the default list are used by default on all lines, unless a custom authentication method list is created. If the default list is not set and there is no other list, only the local user database is checked. This has the same effect as the command aaa authentication login default local. On the console, login succeeds without any authentication checks if default is not set.
R(config-line)# login authentication {default | list-name}
Additional security can be implemented on the line using:
R(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts
The aaa local authentication attempts max-fail command differs from the login delay command in how it handles failed attempts. The aaa local authentication attempts max-fail command locks the user account if authentication fails the configured number of times. The account stays locked until it is cleared by an administrator. The login delay command introduces a delay between failed login attempts without locking the account.
R# show aaa local user lockout
R# clear aaa local user lockout {username username | all}
Step 4. Confirm and troubleshoot the AAA configuration. To display the attributes that are collected for an AAA session, use
R# show aaa user {all | unique-id}
This command does not provide information for all users who are logged into a device, but only for those who have been authenticated or authorized using AAA or whose sessions are being accounted for by the AAA module.
To show the unique ID of a session
R# show aaa sessions
or debug:
R# debug aaa authentication

SERVER-BASED AAA AUTHENTICATION
There are a few basic steps to configure server-based authentication:
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
R(config)# aaa new-model
Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
R(config)# tacacs-server host ip-address [single-connection] [key key]
R(config)# radius-server host ip-address [key key]
Step 3. Configure the shared key globally needed to protect the data transfer between the network access server and Cisco Secure ACS. TACACS+ encrypts the whole packet body with this key; RADIUS only obfuscates the password field, so the rest of a RADIUS exchange is readable on the wire.
R(config)# tacacs-server key key
R(config)# radius-server key key
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.
R(config)# aaa authentication login {default | list-name} group radius group tacacs+ local-case
Methods are tried in order, and the next method is consulted only when the previous one returns an error (for example, the server is unreachable). A rejection from a reachable server is final, so local-case at the end of the list is a fallback for server outages, not a second chance for a bad password.
Step 5. Apply an authentication policy to lines or interfaces with
R(config-line)# login authentication {default | list-name}
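The order-of-methods rule and the max-fail lockout are the two AAA behaviours that are easiest to misunderstand, so the block below models them. It is an added example (not part of the original notes): the "servers" are stand-in functions, no TACACS+ or RADIUS traffic is exchanged, and the credentials are constructed for the demo.

```python
"""Added example: how an IOS AAA method list such as
'aaa authentication login default group tacacs+ local-case' is walked, and how
'aaa local authentication attempts max-fail' differs from 'login delay'.
Servers are stand-ins for TACACS+/RADIUS; no real protocol traffic is involved."""
from enum import Enum


class Result(Enum):
    PASS = "pass"      # credentials accepted
    FAIL = "fail"      # method reached a decision: rejected
    ERROR = "error"    # method could not decide (server unreachable, etc.)


def run_method_list(methods, username, password):
    """IOS semantics: the next method is consulted only when the previous one
    returned ERROR. A FAIL is final, so a reachable server that rejects a user
    cannot be bypassed by falling through to the local database."""
    trail = []
    for name, method in methods:
        result = method(username, password)
        trail.append((name, result))
        if result is not Result.ERROR:
            return result, trail
    return Result.FAIL, trail          # every method errored: the login is denied


def aaa_server(users, reachable=True):
    """Stand-in for 'group tacacs+' / 'group radius'."""
    def method(username, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


class LocalDatabase:
    """Stand-in for the router's username database, with the lockout behaviour of
    'aaa local authentication attempts max-fail N' (max_fail=None disables it)."""

    def __init__(self, users, max_fail=None):
        self.users = users
        self.max_fail = max_fail
        self.fail_count = {}
        self.locked = set()

    def method(self, username, password, case_sensitive=True):
        if not case_sensitive:                      # plain 'local' ignores username case
            users = {u.lower(): p for u, p in self.users.items()}
            username = username.lower()
        else:                                       # 'local-case'
            users = self.users
        if username in self.locked:
            return Result.FAIL                      # locked until an admin clears it
        if users.get(username) == password:
            self.fail_count[username] = 0
            return Result.PASS
        self.fail_count[username] = self.fail_count.get(username, 0) + 1
        if self.max_fail and self.fail_count[username] >= self.max_fail:
            self.locked.add(username)               # 'show aaa local user lockout' would list it
        return Result.FAIL

    def local_case(self, username, password):
        return self.method(username, password, case_sensitive=True)

    def local(self, username, password):
        return self.method(username, password, case_sensitive=False)

    def clear_lockout(self, username=None):
        """'clear aaa local user lockout {username X | all}'."""
        targets = [username] if username else list(self.locked)
        for u in targets:
            self.locked.discard(u)
            self.fail_count[u] = 0


# Constructed credentials for the demo.
TACACS_USERS = {"netops": "Tacacs-Pw-1"}
LOCAL_USERS = {"admin": "Local-Pw-1"}


def build_method_list(tacacs_reachable, local_db):
    """'aaa authentication login default group tacacs+ local-case'."""
    return [("group tacacs+", aaa_server(TACACS_USERS, tacacs_reachable)),
            ("local-case", local_db.local_case)]


if __name__ == "__main__":
    db = LocalDatabase(LOCAL_USERS, max_fail=3)
    print(run_method_list(build_method_list(True, db), "admin", "Local-Pw-1"))   # FAIL: server rejects, no fallback
    print(run_method_list(build_method_list(False, db), "admin", "Local-Pw-1"))  # PASS via local-case
```

With the server reachable, the local admin account is rejected because TACACS+ answers first and its answer is final; only when the server is unreachable does the list reach local-case. The lockout model shows the other point from the notes: after max-fail failures, even the correct password is refused until clear aaa local user lockout is run, whereas login delay would merely have slowed the attempts down.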
For debugging
R# debug aaa authentication
R# debug tacacs [accounting | authentication | authorization | events | packets]
R# debug radius [accounting | authentication | ...]

SERVER-BASED AAA AUTHORIZATION AND ACCOUNTING
To configure command authorization, use
R(config)# aaa authorization {network | exec | commands level} {default | list-name} method1...[method4]
The service type specifies the type of command or service:
commands level: for EXEC (shell) commands at that privilege level
exec: for starting an EXEC (shell)
network: for network services (PPP, SLIP, ARAP)
When AAA authorization is not enabled, all users are allowed full access. Once authorization is enabled, the default changes to allow no access. This means that the administrator must create a user with full access rights before authorization is enabled. Failure to do so locks the administrator out of the system the moment the aaa authorization command is entered. The only way to recover from this is to reboot the router. If this is a production router, rebooting might be unacceptable. Be sure that at least one user always has full rights, and test a new authorization list from a second session before closing the one you configured it from.
To configure AAA accounting, use
R(config)# aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none} [broadcast] method1...[method4]
CAP 4 – FIREWALL
STANDARD ACL
R(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]
EXTENDED ACL
R(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]
This is the command to apply the ACL to an interface:
R(config-if)# ip access-group access-list-number {in | out}
This is the command to apply the ACL to a vty line:
R(config-line)# access-class access-list-number {in | out}
Entries are evaluated in order and the first match wins; every ACL ends with an implicit deny any, so an ACL that contains only deny statements blocks everything.
NAMED ACLs
It is possible to create a named ACL instead of a numbered ACL. Named ACLs must be specified as either standard or extended.
R(config)# ip access-list {standard | extended} name_of_ACL
#A standard named ACL can use deny and permit statements.
R(config-std-nacl)# {permit | deny} {source [source-wildcard] | any}
#An extended named ACL offers additional parameters.
R(config-ext-nacl)# {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]
The show ip access-list command can be used as a basic means of checking the intended effect of an ACL. With this command, only the number of packets matching a given access control entry (ACE) is recorded.
REFLEXIVE ACLs
Configuring a router to use reflexive ACLs involves just a few steps:
Step 1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs.
Step 2. Create an external ACL that uses the reflexive ACLs to examine return traffic.
Step 3. Activate the named ACLs on the appropriate interfaces.
This is the syntax for the internal ACL.
Router(config)# ip access-list extended internal_ACL_name
Router(config-ext-nacl)# permit protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] reflect reflexive_ACL_name [timeout seconds]
After building the internal extended named ACL, which creates the reflexive ACEs, the temporary entries need to be referenced as traffic flows back into the network. This is done by building a second extended named ACL. In this named ACL, use the evaluate statement to reference the reflexive ACEs that were created from the internal ACL.
Router(config)# ip access-list extended external_ACL_name
Router(config-ext-nacl)# evaluate reflexive_ACL_name
The last step is to apply the ACLs.
R1(config)# interface s0/0/0
R1(config-if)# description connection to the ISP.
R1(config-if)# ip access-group internal_ACL out
R1(config-if)# ip access-group external_ACL in

DYNAMIC ACLs
Step 1 - Create the user who will log in to the vty.
Step 2 - Create an ACL that permits the Telnet connection on the corresponding router interface. Add to the same ACL a dynamic ACL entry with:
R(config)# access-list {100-199} dynamic dynamic_ACL_name [timeout minutes] {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]
Step 3 - Apply the ACL to the corresponding router interface.
Step 4 - On the vty line, enable local login and the autocommand
R(config-line)# autocommand access-enable [host] [timeout timeout]
Caveat: the lock-and-key login is the authentication step for the whole dynamic entry, so permit it over SSH rather than Telnet; a credential captured from a cleartext Telnet login opens the same hole as the legitimate user.
TIME-BASED ACLs
These are the commands for creating a time range.
Router(config)# time-range time_range_name
Router(config-time-range)# absolute [start_time start_date] [end_time end_date]
Router(config-time-range)# periodic day_of_the_week hh:mm to [day_of_the_week] hh:mm
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-mask] [operator operand] destination-addr [destination-mask] [operator operand] [established] [log | log-input] [time-range name_of_time_range]
A time-based ACL is only as trustworthy as the router clock, which is why the NTP section matters for the firewall as well.
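The ACL sections above give the syntax but not a way to test an entry before it goes on an interface. The block below is an added example (not part of the original notes): a small model of how IOS evaluates the extended and reflexive syntax shown above, so wildcard masks, first-match ordering, the implicit deny, the established keyword and reflect/evaluate can be exercised against constructed packets. Timeouts, time ranges, dynamic entries and the log keyword are accepted by the parser but not modelled; addresses and ports are constructed for the demo.

```python
"""Added example: a model of IOS extended/reflexive ACL evaluation for the
syntax used in the notes above. Timeouts, time-ranges, dynamic entries and
'log' are parsed but not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False        # TCP ACK/RST set -> 'established' matches


@dataclass
class ACE:
    action: str              # permit | deny | evaluate
    proto: str = "ip"
    src: str = "0.0.0.0"
    swc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dwc: str = "255.255.255.255"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False
    reflect: Optional[str] = None
    evaluate: Optional[str] = None
    hits: int = 0            # what 'show ip access-list' reports per entry


def parse_ace(text):
    """Parse one entry, e.g. 'permit tcp 10.0.0.0 0.0.0.255 any eq 443 reflect web_rfx timeout 120'."""
    tok = text.split()
    if tok[0] == "evaluate":
        return ACE("evaluate", evaluate=tok[1])
    ace, i = ACE(tok[0], tok[1]), 2

    def address():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2
        return tok[i - 2], tok[i - 1]

    ace.src, ace.swc = address()
    if i < len(tok) and tok[i] == "eq":           # source port operator
        ace.sport, i = int(tok[i + 1]), i + 2
    ace.dst, ace.dwc = address()
    while i < len(tok):
        if tok[i] == "eq":
            ace.dport, i = int(tok[i + 1]), i + 2
        elif tok[i] == "established":
            ace.established, i = True, i + 1
        elif tok[i] == "reflect":
            ace.reflect, i = tok[i + 1], i + 2
        else:                                     # timeout N, log, log-input, time-range ...
            i += 1
    return ace


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.swc)
            and wildcard_match(pkt.dst, ace.dst, ace.dwc)
            and (ace.sport is None or ace.sport == pkt.sport)
            and (ace.dport is None or ace.dport == pkt.dport)
            and (not ace.established or pkt.ack))


class AclEngine:
    def __init__(self):
        self.acls = {}        # named ACL -> [ACE]
        self.reflexive = {}   # reflexive ACL -> temporary [ACE] created by 'reflect'

    def add_acl(self, name, entries):
        self.acls[name] = [parse_ace(e) for e in entries]

    def evaluate(self, acl_name, pkt):
        """First match wins; 'evaluate' consults the temporary entries; implicit deny."""
        for ace in self.acls[acl_name]:
            if ace.action == "evaluate":
                for tmp in self.reflexive.get(ace.evaluate, []):
                    if ace_matches(tmp, pkt):
                        tmp.hits += 1
                        return "permit"
                continue
            if ace_matches(ace, pkt):
                ace.hits += 1
                if ace.action == "permit" and ace.reflect:
                    # Mirror the session: swapped addresses and ports, host-specific.
                    self.reflexive.setdefault(ace.reflect, []).append(ACE(
                        "permit", pkt.proto, pkt.dst, "0.0.0.0", pkt.src, "0.0.0.0",
                        sport=pkt.dport, dport=pkt.sport))
                return ace.action
        return "deny"
```

The test walks the reflexive scenario from the notes: an outbound HTTPS session through internal_ACL creates a temporary entry, the matching reply is permitted by evaluate in external_ACL, and a reply to a port the inside host never used falls through to the implicit deny. The real feature also removes a temporary entry on FIN/RST or after the timeout; the model keeps it forever, which is the part to add before using this for anything beyond reasoning about an ACL.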
To troubleshoot an ACL configuration, use the debug ip packet command.
Router# debug ip packet [access-list-number] [detail]
Caveat: debug ip packet forces packets through the process path and can overload a production router; always narrow it with an access list argument, and prefer the counters from show ip access-list where they answer the question.

CBAC
There are four steps to configure CBAC:
Step 1. Pick an interface: internal or external. With CBAC, internal and external refer to the direction of conversation. The interface on which sessions can be initiated must be selected as the internal interface. Sessions that originate from the external interface will be blocked.
Step 2. Configure IP ACLs at the interface.
For the Cisco IOS Firewall to be effective, both inspection rules and ACLs should be strategically applied to all router interfaces. There are two guiding principles for applying inspection rules and ACLs on the router:
On the interface where traffic initiates, apply an ACL in the inward direction that permits only wanted traffic, and apply the inspection rule in the inward direction so that the wanted traffic is inspected.
On other interfaces, apply an ACL in the inward direction that denies all traffic except traffic that the firewall does not inspect but that must still pass, such as GRE and ICMP traffic that is not related to echo and echo-reply messages.
CBAC inspection supports two types of logging functions: alerts and audits.
R(config)# ip inspect alert-off
R(config)# ip inspect audit-trail
To view information about CBAC inspections, use the show ip inspect command.
R# show ip inspect {[name inspection_name] | [config] | [sessions [detail]] | [interfaces]}
For debugging
R# debug ip inspect [tcp | udp | icmp | application_name] [events | timers | object-creation | object-deletion | function-trace | detailed]
The application names to use for inspection are cuseeme, dns, ftp-cmd, ftp-token, h323, http, netshow, rcmd, realaudio, rpc, rtsp, sip, skinny, smtp, sqlnet, streamworks, tftp, and vdolive.
Beginning with Cisco IOS Release 12.4(20)T, the debug policy-firewall command replaces the debug ip inspect command.

ZONE-BASED POLICY FIREWALL (ZPF)
There are several steps for configuring ZPF with the CLI:
Step 1. Create the zones for the firewall with the zone security command.
R(config)# zone security zone-name
R(config-sec-zone)# description line-of-description
Step 2. Define traffic classes with the class-map type inspect command.
#The match-any option is the default behavior.
R(config)# class-map type inspect [protocol-name] [match-any | match-all] class-map-name
#The syntax for referencing access lists from within the class map is:
R(config-cmap)# match access-group {access-group | name access-group-name}
#Protocols are matched from within the class map with the syntax:
R(config-cmap)# match protocol protocol-name
#Nested class maps can be configured as well using the syntax:
R(config-cmap)# match class-map class-map-name
The ability to create a hierarchy of classes and policies by nesting is one of the reasons that ZPF is such a powerful approach to creating Cisco IOS firewalls. If match-any is specified, traffic must meet just one of the match criteria in the class map. If match-all is specified, traffic must match all of the class map criteria to belong to that particular class.
Step 3. Specify firewall policies with the policy-map type inspect command.
R(config)# policy-map type inspect policy-map-name
#Traffic classes on which an action must be performed are specified within the policy map.
R(config-pmap)# class type inspect class-name
#The default class (matching all remaining traffic) is specified using this command.
R(config-pmap)# class class-default
#Finally, the action to take on the traffic is specified.
R(config-pmap-c)# {pass | inspect | drop [log] | police}
Step 4.
Apply firewall policies to pairs of source and destination zones using the zone-pair security command.
R(config)# zone-pair security zone-pair-name [source source-zone-name | self] destination [self | destination-zone-name]
#To attach a policy map to a zone pair.
R(config-sec-zone-pair)# service-policy type inspect policy-map-name
Deep packet inspection (attaching a Layer 7 policy map to a top-level policy map) can also be configured. This is the syntax used with Cisco IOS Release 12.4(20)T.
R(config-pmap-c)# service-policy {h323 | http | im | imap | p2p | pop3 | sip | smtp | sunrpc | urlfilter} policy-map
The policy map is the name of the Layer 7 policy map being applied to the top-level Layer 3 or Layer 4 policy map.
Step 5. Assign router interfaces to zones using the zone-member security interface command.
R(config-if)# zone-member security zone-name
Default behavior to keep in mind: traffic between interfaces in different zones is dropped unless a zone pair with a policy permits it; traffic between interfaces in the same zone is permitted; an interface that is a zone member cannot exchange traffic with an interface that belongs to no zone; and the self zone (traffic to and from the router itself) is permitted until a policy is applied to a zone pair that includes self. Use pass only for traffic that inspect cannot track; pass does not create return entries, so the reverse direction needs its own policy.
CAP 5 – IPS
Cisco IOS IPS lets administrators manage intrusion prevention on routers running Cisco IOS Release 12.3(8)T4 or later. Before Cisco IOS Release 12.4(11)T, Cisco IOS IPS provided signatures built into the Cisco IOS software image plus support for imported signatures. In T-train releases before 12.4(11)T, and in all 12.4 mainline releases, selecting IPS signatures involves loading an XML file onto the router. This file, called the signature definition file (SDF), contains a detailed description of each selected signature in the Cisco IPS Sensor software 4.x signature format. Starting with Cisco IOS Release 12.4(11)T, there are no signatures hardcoded in the Cisco IOS software. Instead, all signatures are stored in a separate signature file that must be imported. IOS releases 12.4(11)T and later use 5.x format signature files, which can be downloaded from Cisco.com (requires login).
To implement Cisco IOS IPS:
Step 1 - Download the IOS IPS files.
IOS-Sxxx-CLI.pkg: this is the latest signature package (xxx is the signature release number).
realm-cisco.pub.key.txt: this is the public cryptographic key used by IOS IPS to verify the signature package.
Step 2 - Create an IOS IPS configuration directory in flash.
R# mkdir ips-directory
Step 3 - Configure an IOS IPS cryptographic key. To configure the IOS IPS crypto key, open the text file, copy its contents and paste them into global configuration mode. The text file issues the commands that load the RSA public key; without it the router cannot verify that the signature package is authentic.
Step 4 - Enable IOS IPS.
4.1 Identify the IPS rule name and specify the location.
R(config)# ip ips name rule-name [acl-name]
R(config)# ip ips config location flash:directory-name
#For IOS releases before 12.4(11)T (4.x signature format) the SDF location is given instead
R(config)# ip ips sdf location flash:directory-name
4.2 Enable log notification and SDEE (Secure Device Event Exchange) event notification.
#The HTTP server must be enabled to answer SDEE requests from clients; prefer ip http secure-server so that events are pulled over HTTPS
R(config)# ip http server
R(config)# ip ips notify sdee
#Enabled by default.
R(config)# ip ips notify log
4.3 Configure the signature categories. All signatures are grouped into hierarchical categories, which helps classify them for easier grouping and tuning. The three most common categories are all, basic and advanced.
R(config)# ip ips signature-category
#Retire all signatures
R(config-ips-category)# category all
R(config-ips-category-action)# retired true
R(config-ips-category-action)# exit
#Unretire the signatures in the basic category
R(config-ips-category)# category ios_ips basic
R(config-ips-category-action)# retired false
R(config-ips-category-action)# exit
4.4 Apply the IPS rule to the desired interface and specify the direction.
R(config-if)# ip ips rule-name {in | out}
Step 5 - Load the IOS IPS signature package onto the router (via FTP or TFTP).
R# copy ftp://ftp_user:password@server_IP_address/signature_package idconf
R# show ip ips signature count

MODIFYING SIGNATURES
#To retire an individual signature
R(config)# ip ips signature-definition
R(config-sigdef)# signature sig-id subsig-id
R(config-sigdef-sig)# status
R(config-sigdef-sig-status)# retired true
#To change the action of a signature
R(config)# ip ips signature-definition
R(config-sigdef)# signature sig-id subsig-id
R(config-sigdef-sig)# engine
R(config-sigdef-sig-engine)# event-action {produce-alert | deny-packet-inline | reset-tcp-connection}
#To change the action of a category
R(config)# ip ips signature-category
R(config-ips-category)# category ios_ips basic
R(config-ips-category-action)# event-action {produce-alert | deny-packet-inline | reset-tcp-connection}

IPS VERIFICATION
R# show ip ips {all | configuration | signatures | statistics | interfaces}
#To disable IPS, remove all IPS configuration entries and release the resources dynamically
R# clear ip ips configuration
#Reset statistics on analyzed packets and alarms sent.
R# clear ip ips statistics
CAP 6 – LAN SECURITY
PORT SECURITY
The following steps are required to configure port security on an access port:
Step 1. Configure the interface as an access interface.
S(config-if)# switchport mode access
If the interface is in the default mode (dynamic auto), it cannot be configured as a secure port.
Step 2. Enable port security on the interface using:
S(config-if)# switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]] | [mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]] | [maximum value [vlan {vlan-list | {access | voice}}]]
Step 3. Configure the maximum number of secure MAC addresses for the interface. (Optional)
S(config-if)# switchport port-security maximum value
The range is 1 to 132. The default is 1.
Step 4. Configure the violation mode. This is the action the switch takes when a security violation is detected. If no violation mode is specified, the default mode administratively shuts down the port.
S(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
protect drops frames from unknown MAC addresses silently (no log, no counter); restrict drops them, increments the violation counter and sends a syslog message and SNMP trap; shutdown puts the port into error-disabled state. protect gives no visibility at all, so restrict or shutdown is the usual choice.
When a secure port is in the error-disabled state, a violation has occurred and the port is disabled. To recover the port, use the global configuration command errdisable recovery cause psecure-violation, or re-enable it manually by entering the interface configuration commands shutdown and no shutdown.
Step 5 - To enable or disable static aging for a secure port, or to configure the aging type and time:
S(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
To verify use
S# show port-security [address] [interface interface-id]
The MAC address notification feature sends SNMP traps to the network management station (NMS) whenever a new MAC address is added to or an old address is deleted from the forwarding tables. MAC address notifications are generated only for dynamic and secure MAC addresses.
S(config)# mac address-table notification

PORTFAST
The spanning-tree PortFast feature causes an interface configured as a Layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states.
This command configures PortFast for all nontrunking ports at once.
S(config)# spanning-tree portfast default
This command configures PortFast on an interface.
S(config-if)# spanning-tree portfast
This command verifies that PortFast has been configured on an interface.
S# show running-config

BPDU GUARD
BPDU guard is used to protect the switched network from the problems caused by receiving BPDUs
This command configures BPDU guard on an interface.
S(config-if)# spanning-tree bpduguard {enable | disable}
A PortFast port that receives a BPDU can be pulled into the spanning-tree topology by whatever is plugged into it, so every PortFast port should also have BPDU guard enabled.
To display information about the state of spanning tree, use:
S# show spanning-tree summary [totals]
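The three violation modes in the port security section differ in what an operator gets to see, which is hard to appreciate from the syntax alone. The block below is an added example (not part of the original notes): a model of one secure access port that applies the learning limit and the protect, restrict and shutdown behaviours to a sequence of frames, and shows what a sticky configuration leaves in the running-config. MAC addresses are constructed, and the syslog text is modelled on the IOS %PORT_SECURITY message rather than captured from a switch.

```python
"""Added example: a model of one secure access port, to make the protect /
restrict / shutdown violation modes observable and to show what 'sticky'
writes into the configuration. MACs and log text are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (default 1)
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:                     # shut down: nothing passes until recovery
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:  # learn a new secure MAC while under the limit
            self.secure_macs.add(src_mac)
            return "forward"
        # Violation: frame from an unknown MAC while the secure table is full.
        if self.violation == "protect":           # drop silently: no counter, no syslog/trap
            return "drop"
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":          # drop, count and notify; port stays up
            return "drop"
        self.err_disabled = True                  # shutdown: port goes err-disabled
        return "drop"

    def recover(self):
        """errdisable recovery cause psecure-violation, or manual shutdown / no shutdown."""
        self.err_disabled = False

    def running_config(self):
        """The interface section as it would appear after the port learned its MACs."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:                           # sticky MACs are written to the config
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.secure_macs)]
        return "\n".join(lines)


def replay(port, macs):
    """Feed a sequence of source MACs through a port and return the per-frame verdicts."""
    return [port.receive(m) for m in macs]


if __name__ == "__main__":
    frames = ["0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc", "0000.1111.aaaa"]
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("FastEthernet0/1", maximum=2, violation=mode)
        print(mode, replay(port, frames), "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
```

With maximum 2 and a third MAC appearing, protect and restrict both keep the original hosts working, but only restrict leaves a counter and a log line behind; shutdown also cuts off the legitimate hosts until errdisable recovery or a manual shut/no shut, which is the trade-off to weigh on ports that carry phones or printers.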
ROOT GUARD
Root guard limits the switch ports out of which the root bridge can be negotiated. If a root-guard-enabled port receives BPDUs
RSPAN
To configure RSPAN, start by configuring the RSPAN VLAN. Here, VLAN 100 is created and configured as an RSPAN VLAN.
2960-1(config)# vlan 100
2960-1(config-vlan)# remote-span
2960-1(config-vlan)# exit
Next, it is necessary to configure the RSPAN source ports and VLANs. The traffic captured from the source port is mirrored to a dedicated reflector port, which simply acts like a loopback interface in that it reflects the captured traffic into the RSPAN VLAN. No traffic is actually sent out the reflector port. It merely provides an internal loopback mechanism for RSPAN source sessions. A reflector port exists only for an RSPAN source session. In this example, there is only one source port.
2960-1(config)# monitor session 1 source interface FastEthernet 0/1
2960-1(config)# monitor session 1 destination remote vlan 100 reflector-port FastEthernet 0/24
2960-1(config)# interface FastEthernet 0/2
2960-1(config-if)# switchport mode trunk
Finally, configure the RSPAN traffic to be forwarded out an interface toward the IDS. In this example, the traffic destined for VLAN 100 is forwarded out interface FastEthernet 0/3.
2960-2(config)# monitor session 2 source remote vlan 100
2960-2(config)# monitor session 2 destination interface FastEthernet 0/3
2960-2(config)# interface FastEthernet 0/2
2960-2(config-if)# switchport mode trunk
Caveat: the RSPAN VLAN carries a copy of every monitored frame across the trunks between the switches, so it must be kept off any trunk and access port that does not lead to the IDS; otherwise the monitoring VLAN becomes the easiest place on the network to sniff traffic.
CAP 8 – VPN
GRE
There are five steps to configuring a GRE tunnel:
Step 1. Create a tunnel interface using the interface tunnel command.
Step 2. Assign the tunnel an IP address.
Step 3. Identify the source of the tunnel using the tunnel source command.
Step 4. Identify the destination of the tunnel using the tunnel destination command.
Step 5. Configure which protocol GRE will encapsulate using the tunnel mode gre command.
The advantage of GRE is that it can tunnel non-IP and multicast traffic over an IP network. GRE on its own provides no confidentiality, integrity or authentication: the payload travels in cleartext and a spoofed GRE packet is accepted if it matches the tunnel endpoints, so GRE is combined with IPsec whenever the tunnel crosses an untrusted network.
Task 2 - Configure a PSK with the crypto isakmp key global configuration command. This key must be configured if the authentication pre-share command was configured in the ISAKMP policy.
R(config)# crypto isakmp key keystring {address peer-address | hostname hostname}
By default, the ISAKMP identity is set to use the IP address. To use the hostname parameter, the ISAKMP identity must be configured to use the host name with the crypto isakmp identity hostname global configuration command. In addition, DNS must be accessible to resolve the hostname. The pre-shared key is stored in the configuration, so use a long random string, a distinct key per peer rather than a wildcard address, and protect configuration backups accordingly.
Task 3 - During the ISAKMP IPsec SA negotiation that occurs in IKE Phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets consist of a combination of an AH transform, an ESP transform, and the IPsec mode (either tunnel or transport mode). Transform sets are limited to one AH transform and one or two ESP transforms. Multiple transform sets can be configured. Then one or more of these transform sets can be specified in a crypto map entry. The IPsec SA negotiation uses the transform set that is defined in the crypto map entry to protect the data flows that are specified by the ACL of that crypto map entry.
To define a transform set, specify one to four transforms using the crypto ipsec transform-set global configuration command. This command invokes crypto-transform configuration mode.
R(config)# crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Avoid DES, 3DES and MD5 transforms; use esp-aes with esp-sha-hmac (or stronger) where the IOS image supports them, and remember that ESP without an authentication transform gives confidentiality but no integrity check.
Task 4 - Crypto ACLs identify the traffic flows to protect. Outbound crypto ACLs select outbound traffic that IPsec should protect. Traffic that is not selected is sent in plaintext. If desired, inbound ACLs can be created to filter and discard traffic that should have been protected by IPsec. The crypto ACLs on the two peers must be mirror images of each other, or the SA negotiation fails for the mismatched flow.
Task 5 - Crypto map entries that are created for IPsec combine the needed configuration parameters of IPsec SAs, including the following parameters:
Which traffic to protect, using a crypto ACL
Granularity of the flow to be protected by a set of SAs
Who the remote IPsec peer is, which determines where the IPsec-protected traffic is sent
Local address used for the IPsec traffic (optional)
Which type of IPsec security is applied to this traffic, choosing from a list of one or more transform sets