show running-config result:
interface Serial0
 ip address x.x.x.x 255.255.255.x
 ip ospf message-digest-key 1 md5 xxxxxx (authentication key)
router ospf 10
 network x.x.x.x 0.0.255.255 area 0
 network x.x.x.x 0.0.0.255 area 0
 area 0 authentication message-digest
H3C
display current-configuration result:
ospf 100
 import-route direct
 import-route static
 area 0.0.0.0
interface Vlan-interface 100
 ospf authentication-mode md5
Interview the network administrator: have separate VLANs been created according to departmental function, importance and the level of the application systems? Then check the switch configuration:
show vlan
int e0/2
 vlan-membership static 2
int e0/3
 vlan-membership static 3
ip address 10.1.10.2 255.255.255.0
display vlan all
VLAN ID 100
Description: VLAN 0100
Name: VLAN 0100
II. Routers
Check whether access lists are configured:
show ip access-list
ip access-list extended 111
access-list 111 permit tcp host x.x.x.x any eq 443
access-list 111 deny ip any any
Disable some of the Cisco router's default network services:
CDP (Cisco Discovery Protocol), a layer-2 protocol specific to Cisco devices:
no cdp run
no cdp enable
TCP and UDP small services (standard TCP/UDP services such as echo and chargen):
no service tcp-small-servers
no service udp-small-servers
Finger (UNIX user lookup service that lets remote users list who is logged in):
no ip finger
no service finger
BOOTP (lets other routers boot from this server):
no ip bootp server
IP source routing (an IP feature that lets packets specify their own route):
no ip source-route
Proxy ARP (enabling it easily leads to routing confusion):
no ip proxy-arp
IP directed broadcast (lets a packet be broadcast to an identified destination VLAN):
no ip directed-broadcast
WINS and DNS (the router can perform DNS resolution):
no ip domain-lookup
display acl config all
acl number 2000
 rule deny icmp source any destination any
The maximum network traffic and the number of network connections should be limited.
show running-config
ip nat translation max-entries host 10.1.1.1 200 (limits the host to a maximum of 200 connections)
class-map match-all kkblue
 match access-group 1
policy-map blue
 class kkblue
  bandwidth 1000
  queue-limit 30
 class class-default
ip address x.x.x.x 255.255.255.x
service-policy output blue (limits the host's bandwidth to 1000 kbps)
display acl config all
acl number 3000
 rule 1 permit ip
interface Ethernet2/1/9
 port access vlan 2109
 traffic-shape 10000 256
 traffic-limit inbound ip-group 3000 rule 1 system-index 28 tc-index 6 10000 1000000 1000000 10000 conform remark-policed-service exceed drop (limits access on this port to 10000 kbps)
Check whether the router/switch has IP/MAC address binding:
show ip arp
arp x.x.x.x 0000.xxxx.xxxx arpa
display arp
arp static x.x.x.x 0000-xxxx-xxxx
Access rules
show crypto isakmp policy
crypto isakmp policy 10
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key cisco address x.x.x.x 255.255.255.x
show crypto ipsec transform-set
crypto ipsec transform-set zhang ah-md5-hmac esp-des
crypto map zhang 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set zhang
 set pfs group1
 match address 100
show ip access-list
access-list 100 permit tcp host x.x.x.x host x.x.x.x
display ipsec
ike peer center
 exchange-mode aggressive
 pre-shared-key abc
 id-type name
 remote-name center
 remote-address x.x.x.x
ipsec policy branch1 10 isakmp
 security acl 3001
 ike-peer center
 proposal 1
acl number 3001
 rule 0 permit ip source x.x.x.x 0.0.0.255 destination x.x.x.x 0.0.0.255
Limit the number of dial-up connections
show running-config
encapsulation ppp
ppp authentication chap
dialer map ip x.x.x.x name router1 broadcast 7782001
ppp multilink
dialer idle-timeout 30
dialer load-threshold 128
display dialer
link-protocol ppp
ppp authentication-mode pap
ip address x.x.x.x 255.255.255.x
dialer enable-circular
dialer-group 1
Security audit: check that the network device logs its operating status, network traffic and user behaviour.
show logging
logging on
logging trap notifications
logging x.x.x.x
snmp-server community pcitcro RO
snmp-server enable traps syslog
snmp-server host x.x.x.x cisco
display current-configuration
info-center enable
info-center loghost x.x.x.x facility local4 language Chinese
info-center source default channel loghost log level informational
snmp-agent
snmp-agent community read isPublic
snmp-agent target-host trap address x.x.x.x port 161 parameters securityname aaa
snmp-agent trap enable standard authentication coldstart linkdown linkup warmstart
snmp-agent trap enable system
Check whether the audit records are protected.
show logging
logging on
logging trap notifications
logging x.x.x.x
display current-configuration
info-center enable
info-center loghost x.x.x.x facility local4 language Chinese
info-center source default channel loghost log level informational
Network device protection: check the identity authentication of users logging in to the network device.
show running-config
line vty 0 4
 login
 password xxxxxxxx
line aux 0
 login
 password xxxxxxxx
line con 0
 login
 password xxxxxxxx
enable secret
enable secret 5 @#$FERfsadf3213!@#$A
If AAA authentication is enabled:
aaa new-model
tacacs-server host x.x.x.x single-connection
tacacs-server key shared1
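As an added example that is not part of this checklist, the following Python script runs the Cisco-side items above (OSPF MD5 authentication, disabled default services, a syslog host, and password-protected line logins) against a saved running-config. The sample config, the 192.0.2.50 syslog address and the check names are constructed for illustration only.

```python
import re
# Constructed IOS running-config excerpt (documentation prefix 192.0.2.0/24, PLACEHOLDER for secrets);
# CDP, tcp-small-servers and the console line are deliberately left non-compliant.
SAMPLE_CONFIG = """\
interface Serial0
 ip ospf message-digest-key 1 md5 PLACEHOLDER
router ospf 10
 area 0 authentication message-digest
no ip source-route
service tcp-small-servers
logging on
logging 192.0.2.50
line vty 0 4
 login
 password PLACEHOLDER
line con 0
 login
"""
# Lines the checklist expects to find, matched against whitespace-stripped config lines.
REQUIRED = {
    "ospf-md5-auth": r"^area \d+ authentication message-digest$",
    "syslog-host": r"^logging \d+\.\d+\.\d+\.\d+$",
}
# Default services the checklist wants off; each must appear in its "no ..." form.
DISABLE = ["cdp run", "service tcp-small-servers", "service udp-small-servers",
           "ip finger", "ip bootp server", "ip source-route", "ip proxy-arp",
           "ip directed-broadcast", "ip domain-lookup"]

def check_line_passwords(config: str) -> bool:
    """True if every 'line ...' block that requires login also sets a password."""
    ok, in_block, has_login, has_pw = True, False, False, False
    for raw in config.splitlines() + ["end"]:  # sentinel flushes the final block
        if not raw.startswith(" "):           # an unindented command closes a block
            if in_block and has_login and not has_pw:
                ok = False
            in_block, has_login, has_pw = raw.startswith("line "), False, False
        elif in_block:
            cmd = raw.strip()
            has_login |= cmd == "login"
            has_pw |= cmd.startswith("password ")
    return ok

def audit(config: str) -> dict:
    """Map each checklist item to True (compliant) or False (finding)."""
    lines = [l.strip() for l in config.splitlines()]
    results = {name: any(re.match(pat, l) for l in lines) for name, pat in REQUIRED.items()}
    for svc in DISABLE:
        results["no " + svc] = ("no " + svc) in lines
    results["line-passwords"] = check_line_passwords(config)
    return results
```

Running `audit(SAMPLE_CONFIG)` reports the OSPF and syslog items as compliant and flags CDP, the TCP small servers and the console line without a password as findings.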