  • Lab 3: Auto secure (part II)

    If your router is connected to the Internet, Auto Secure performs a few additional tasks related to the Internet-facing interface. Below, we use the Auto Secure feature to configure a router with two interfaces. The first interface, F0/0, connects to the internal network. The second interface, F0/1, connects to the outside environment, the Internet.



    First, we assign a private address to F0/0, the interface that connects to the company's internal LAN.



    Demo#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Demo(config)#int f0/0

    Demo(config-if)#ip add 192.168.1.1 255.255.255.0

    Demo(config-if)#no shut

    Demo(config-if)#exit

    Demo(config)#

    *Dec 2 04:13:59.103: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

    *Dec 2 04:14:00.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up



    Next, we configure interface F0/1. Assume this interface connects to the Internet. Its IP address is obtained from DHCP. Note how the ip address command is used on this interface.



    Demo#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Demo(config)#int f0/1

    Demo(config-if)#ip add

    Demo(config-if)#ip address ?

    A.B.C.D IP address

    dhcp IP Address negotiated via DHCP

    pool IP Address autoconfigured from a local DHCP pool



    Demo(config-if)#ip address dhcp

    Demo(config-if)#no shut

    Demo(config-if)#exit



    So the ip address command, besides the familiar option of assigning a specific address, also has options for obtaining an IP address from a DHCP server. We now check the state of the interfaces and their IP addresses.



    Demo#sh ip interface brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            192.168.1.1     YES manual up                    up
    FastEthernet0/1            10.215.219.32   YES DHCP   up                    up
    Serial0/1/0                unassigned      YES unset  administratively down down
    Serial0/2/0                unassigned      YES unset  administratively down down



    Sometimes, when configuring routers that connect to the Internet, you also need to specify the DNS server the router will use for name resolution. The command that specifies the DNS server is shown below. In this example, the address of VNN's DNS server is used.



    Demo#conf t

    Enter configuration commands, one per line. End with CNTL/Z.

    Demo(config)#ip name-server 203.162.4.191

    Demo(config)#exit



    At this point, the router's routing table looks like the following. Note that the gateway of last resort is supplied by the DHCP server.



    Demo#sh ip ro

    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

    E1 - OSPF external type 1, E2 - OSPF external type 2

    i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

    ia - IS-IS inter area, * - candidate default, U - per-user static route

    o - ODR, P - periodic downloaded static route



    Gateway of last resort is 10.215.219.254 to network 0.0.0.0



    10.0.0.0/24 is subnetted, 1 subnets

    C 10.215.219.0 is directly connected, FastEthernet0/1

    C 192.168.1.0/24 is directly connected, FastEthernet0/0

    S* 0.0.0.0/0 [254/0] via 10.215.219.254





    Next, we use Auto Secure to strengthen the security of the device. This example differs from the previous one in that this router is connected to the Internet.



    Demo#auto secure

    --- AutoSecure Configuration ---



    *** AutoSecure configuration enhances the security of

    the router, but it will not make it absolutely resistant

    to all security attacks ***



    AutoSecure will modify the configuration of your device.

    All configuration changes will be shown. For a detailed

    explanation of how the configuration changes enhance security

    and any possible side effects, please refer to Cisco.com for

    Autosecure documentation.

    At any prompt you may enter '?' for help.

    Use ctrl-c to abort this session at any prompt.



    Gathering information about the router for AutoSecure





    The router starts gathering information from the administrator. First, AutoSecure asks whether this router is connected to the Internet and, if so, how many interfaces face the Internet. By default, the router assumes that one interface faces the Internet.



    Is this router connected to internet? [no]: yes

    *Dec 2 04:21:16.671: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up



    Enter the number of interfaces facing the internet [1]:



    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            192.168.1.1     YES manual up                    up
    FastEthernet0/1            10.215.219.32   YES DHCP   up                    up
    Serial0/1/0                unassigned      YES unset  administratively down down
    Serial0/2/0                unassigned      YES unset  administratively down down





    The router then asks which of the interfaces listed above faces the Internet.

    Enter the interface name that is facing the internet: F0/1

    Invalid interface name



    Enter the interface name that is facing the internet: FastEthernet0/1





    After we enter the Internet-facing interface, the router automatically disables a number of its services.





    Securing Management plane services...



    Disabling service finger

    Disabling service pad

    Disabling udp & tcp small servers

    Enabling service password encryption

    Enabling service tcp-keepalives-in

    Enabling service tcp-keepalives-out

    Disabling the cdp protocol



    Disabling the bootp server

    Disabling the http server

    Disabling the finger service

    Disabling source routing

    Disabling gratuitous arp



    The router asks for a security banner.



    Here is a sample Security Banner to be shown

    at every access to device. Modify it to suit your

    enterprise requirements.



    Authorized Access only

    This system is the property of So-&-So-Enterprise.

    UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.

    You must have explicit permission to access this

    device. All activities performed on this device

    are logged. Any violations of access policy will result

    in disciplinary action.



    Enter the security banner {Put the banner between

    k and k, where k is any character}:

    $This config is for user VnPro$



    The router asks for the passwords to be set.



    Enable secret is either not configured or

    is the same as enable password

    Enter the new enable secret:

    Confirm the enable secret :

    passwords do not match

    Enter the new enable secret:

    Confirm the enable secret :

    passwords do not match

    Enter the new enable secret:

    Confirm the enable secret :

    Enter the new enable password:

    % Password too short - must be at least 6 characters. Password configuration failed

    Enter the new enable password:

    Confirm the enable password:



    Configuration of local user database

    Enter the username: vnpro

    Enter the password:

    % Password too short - must be at least 6 characters. Password configuration failed

    Enter the password:

    Confirm the password:

    Configuring AAA local authentication

    Configuring Console, Aux and VTY lines for

    local authentication, exec-timeout, and transport

    Securing device against Login Attacks

    Configure the following parameters



    Blocking Period when Login Attack detected: 3



    Maximum Login failures with the device: 3



    Maximum time period for crossing the failed login attempts: 3



    The router asks to configure SSH.



    Configure SSH server? [yes]:

    Enter the domain-name: vnpro.org



    Configuring interface specific AutoSecure services

    Disabling the following ip services on all interfaces:



    no ip redirects

    no ip proxy-arp

    no ip unreachables

    no ip directed-broadcast

    no ip mask-reply

    Disabling mop on Ethernet interfaces



    Securing Forwarding plane services...



    Enabling CEF (This might impact the memory requirements for your platform)

    Configuring the named ACLs for Ingress Filtering



    autosec_iana_reserved_block: This block is subjected to

    change by IANA. For an updated list, visit

    www.iana.org/assignments/ipv4-address-space.

    1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8,

    41/8, 42/8, 49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8,

    72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 83/8,

    84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8,

    94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8,

    103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8,

    111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,

    119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,

    197/8, 201/8

    autosec_private_block:

    10/8, 172.16/12, 192.168/16

    autosec_complete_block: This block is a combination of the

    autosec_iana_reserved_block, autosec_private_block, and

    any packet with a source address of multicast (224/4),

    class E (240/4), 0/8, 169.254/16, 192.0.2/24, and 127/8.





    Next, the router asks to configure ACLs that filter packets on the outside interface.



    Configuring Ingress Filtering replaces the existing

    acl on external interfaces, if any, with Ingress

    Filtering acl.



    Configure Ingress Filtering on edge interfaces? [yes]:



    [1] Apply autosec_iana_reserved_block acl on all edge interfaces

    [2] Apply autosec_private_block acl on all edge interfaces

    [3] Apply autosec_complete_bogon acl on all edge interfaces

    Enter your selection [3]:

    Enabling unicast rpf on all interfaces connected

    to internet



    Configure CBAC Firewall feature? [yes/no]: y



    This is the configuration generated:



    no service finger

    no service pad

    no service udp-small-servers

    no service tcp-small-servers

    service password-encryption

    service tcp-keepalives-in

    service tcp-keepalives-out

    no cdp run

    no ip bootp server

    no ip http server

    no ip finger

    no ip source-route

    no ip gratuitous-arps

    no ip identd

    banner motd ^CThis config is for user VnPro^C

    security passwords min-length 6

    security authentication failure rate 10 log

    enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0

    enable password 7 075E731F1A5C4F52

    username vnpro password 7 025756085F5359

    aaa new-model

    aaa authentication login local_auth local

    line con 0

    login authentication local_auth

    exec-timeout 5 0

    transport output telnet

    line aux 0

    login authentication local_auth

    exec-timeout 10 0

    transport output telnet

    line vty 0 4

    login authentication local_auth

    transport input telnet

    line tty 1

    login authentication local_auth

    exec-timeout 15 0

    login block-for 3 attempts 3 within 3

    ip domain-name vnpro.org

    crypto key generate rsa general-keys modulus 1024

    ip ssh time-out 60

    ip ssh authentication-retries 2

    line vty 0 4

    transport input ssh telnet

    service timestamps debug datetime msec localtime show-timezone

    service timestamps log datetime msec localtime show-timezone

    logging facility local2

    logging trap debugging

    service sequence-numbers

    logging console critical

    logging buffered

    interface FastEthernet0/0

    no ip redirects

    no ip proxy-arp

    no ip unreachables

    no ip directed-broadcast

    no ip mask-reply

    no mop enabled

    interface FastEthernet0/1

    no ip redirects

    no ip proxy-arp

    no ip unreachables

    no ip directed-broadcast

    no ip mask-reply

    no mop enabled

    interface Serial0/1/0

    no ip redirects

    no ip proxy-arp

    no ip unreachables

    no ip directed-broadcast

    no ip mask-reply

    interface Serial0/2/0

    no ip redirects

    no ip proxy-arp

    no ip unreachables

    no ip directed-broadcast

    no ip mask-reply

    ip cef

    access-list compiled

    ip access-list extended autosec_iana_reserved_block

    deny ip 1.0.0.0 0.255.255.255 any

    deny ip 2.0.0.0 0.255.255.255 any

    deny ip 5.0.0.0 0.255.255.255 any

    deny ip 7.0.0.0 0.255.255.255 any

    deny ip 23.0.0.0 0.255.255.255 any

    deny ip 27.0.0.0 0.255.255.255 any

    deny ip 31.0.0.0 0.255.255.255 any

    deny ip 36.0.0.0 0.255.255.255 any

    deny ip 37.0.0.0 0.255.255.255 any

    deny ip 39.0.0.0 0.255.255.255 any

    deny ip 41.0.0.0 0.255.255.255 any

    deny ip 42.0.0.0 0.255.255.255 any

    deny ip 49.0.0.0 0.255.255.255 any

    deny ip 50.0.0.0 0.255.255.255 any

    deny ip 58.0.0.0 0.255.255.255 any

    deny ip 59.0.0.0 0.255.255.255 any

    deny ip 60.0.0.0 0.255.255.255 any

    deny ip 70.0.0.0 0.255.255.255 any

    deny ip 71.0.0.0 0.255.255.255 any

    deny ip 72.0.0.0 0.255.255.255 any

    deny ip 73.0.0.0 0.255.255.255 any

    deny ip 74.0.0.0 0.255.255.255 any

    deny ip 75.0.0.0 0.255.255.255 any

    deny ip 76.0.0.0 0.255.255.255 any

    deny ip 77.0.0.0 0.255.255.255 any

    deny ip 78.0.0.0 0.255.255.255 any

    deny ip 79.0.0.0 0.255.255.255 any

    deny ip 83.0.0.0 0.255.255.255 any

    deny ip 84.0.0.0 0.255.255.255 any

    deny ip 85.0.0.0 0.255.255.255 any

    deny ip 86.0.0.0 0.255.255.255 any

    deny ip 87.0.0.0 0.255.255.255 any

    deny ip 88.0.0.0 0.255.255.255 any

    deny ip 89.0.0.0 0.255.255.255 any

    deny ip 90.0.0.0 0.255.255.255 any

    deny ip 91.0.0.0 0.255.255.255 any

    deny ip 92.0.0.0 0.255.255.255 any

    deny ip 93.0.0.0 0.255.255.255 any

    deny ip 94.0.0.0 0.255.255.255 any

    deny ip 95.0.0.0 0.255.255.255 any

    deny ip 96.0.0.0 0.255.255.255 any

    deny ip 97.0.0.0 0.255.255.255 any

    deny ip 98.0.0.0 0.255.255.255 any

    deny ip 99.0.0.0 0.255.255.255 any

    deny ip 100.0.0.0 0.255.255.255 any

    deny ip 101.0.0.0 0.255.255.255 any

    deny ip 102.0.0.0 0.255.255.255 any

    deny ip 103.0.0.0 0.255.255.255 any

    deny ip 104.0.0.0 0.255.255.255 any

    deny ip 105.0.0.0 0.255.255.255 any

    deny ip 106.0.0.0 0.255.255.255 any

    deny ip 107.0.0.0 0.255.255.255 any

    deny ip 108.0.0.0 0.255.255.255 any

    deny ip 109.0.0.0 0.255.255.255 any

    deny ip 110.0.0.0 0.255.255.255 any

    deny ip 111.0.0.0 0.255.255.255 any

    deny ip 112.0.0.0 0.255.255.255 any

    deny ip 113.0.0.0 0.255.255.255 any

    deny ip 114.0.0.0 0.255.255.255 any

    deny ip 115.0.0.0 0.255.255.255 any

    deny ip 116.0.0.0 0.255.255.255 any

    deny ip 117.0.0.0 0.255.255.255 any

    deny ip 118.0.0.0 0.255.255.255 any

    deny ip 119.0.0.0 0.255.255.255 any

    deny ip 120.0.0.0 0.255.255.255 any

    deny ip 121.0.0.0 0.255.255.255 any

    deny ip 122.0.0.0 0.255.255.255 any

    deny ip 123.0.0.0 0.255.255.255 any

    deny ip 124.0.0.0 0.255.255.255 any

    deny ip 125.0.0.0 0.255.255.255 any

    deny ip 126.0.0.0 0.255.255.255 any

    deny ip 197.0.0.0 0.255.255.255 any

    deny ip 201.0.0.0 0.255.255.255 any

    permit ip any any

    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list

    exit

    ip access-list extended autosec_private_block



    deny ip 10.0.0.0 0.255.255.255 any

    deny ip 172.16.0.0 0.15.255.255 any

    deny ip 192.168.0.0 0.0.255.255 any

    permit ip any any

    exit

    ip access-list extended autosec_complete_bogon

    deny ip 1.0.0.0 0.255.255.255 any

    deny ip 2.0.0.0 0.255.255.255 any

    deny ip 5.0.0.0 0.255.255.255 any

    deny ip 7.0.0.0 0.255.255.255 any

    deny ip 23.0.0.0 0.255.255.255 any

    deny ip 27.0.0.0 0.255.255.255 any

    deny ip 31.0.0.0 0.255.255.255 any

    deny ip 36.0.0.0 0.255.255.255 any

    deny ip 37.0.0.0 0.255.255.255 any

    deny ip 39.0.0.0 0.255.255.255 any

    deny ip 41.0.0.0 0.255.255.255 any

    deny ip 42.0.0.0 0.255.255.255 any

    deny ip 49.0.0.0 0.255.255.255 any

    deny ip 50.0.0.0 0.255.255.255 any

    deny ip 58.0.0.0 0.255.255.255 any

    deny ip 59.0.0.0 0.255.255.255 any

    deny ip 60.0.0.0 0.255.255.255 any

    deny ip 70.0.0.0 0.255.255.255 any

    deny ip 71.0.0.0 0.255.255.255 any

    deny ip 72.0.0.0 0.255.255.255 any

    deny ip 73.0.0.0 0.255.255.255 any

    deny ip 74.0.0.0 0.255.255.255 any

    deny ip 75.0.0.0 0.255.255.255 any

    deny ip 76.0.0.0 0.255.255.255 any

    deny ip 77.0.0.0 0.255.255.255 any

    deny ip 78.0.0.0 0.255.255.255 any

    deny ip 79.0.0.0 0.255.255.255 any

    deny ip 83.0.0.0 0.255.255.255 any

    deny ip 84.0.0.0 0.255.255.255 any

    deny ip 85.0.0.0 0.255.255.255 any

    deny ip 86.0.0.0 0.255.255.255 any

    deny ip 87.0.0.0 0.255.255.255 any

    deny ip 88.0.0.0 0.255.255.255 any

    deny ip 89.0.0.0 0.255.255.255 any

    deny ip 90.0.0.0 0.255.255.255 any

    deny ip 91.0.0.0 0.255.255.255 any

    deny ip 92.0.0.0 0.255.255.255 any

    deny ip 93.0.0.0 0.255.255.255 any

    deny ip 94.0.0.0 0.255.255.255 any

    deny ip 95.0.0.0 0.255.255.255 any

    deny ip 96.0.0.0 0.255.255.255 any

    deny ip 97.0.0.0 0.255.255.255 any

    deny ip 98.0.0.0 0.255.255.255 any

    deny ip 99.0.0.0 0.255.255.255 any

    deny ip 100.0.0.0 0.255.255.255 any

    deny ip 101.0.0.0 0.255.255.255 any

    deny ip 102.0.0.0 0.255.255.255 any

    deny ip 103.0.0.0 0.255.255.255 any

    deny ip 104.0.0.0 0.255.255.255 any

    deny ip 105.0.0.0 0.255.255.255 any

    deny ip 106.0.0.0 0.255.255.255 any

    deny ip 107.0.0.0 0.255.255.255 any

    deny ip 108.0.0.0 0.255.255.255 any

    deny ip 109.0.0.0 0.255.255.255 any

    deny ip 110.0.0.0 0.255.255.255 any

    deny ip 111.0.0.0 0.255.255.255 any

    deny ip 112.0.0.0 0.255.255.255 any

    deny ip 113.0.0.0 0.255.255.255 any

    deny ip 114.0.0.0 0.255.255.255 any

    deny ip 115.0.0.0 0.255.255.255 any

    deny ip 116.0.0.0 0.255.255.255 any

    deny ip 117.0.0.0 0.255.255.255 any

    deny ip 118.0.0.0 0.255.255.255 any

    deny ip 119.0.0.0 0.255.255.255 any

    deny ip 120.0.0.0 0.255.255.255 any

    deny ip 121.0.0.0 0.255.255.255 any

    deny ip 122.0.0.0 0.255.255.255 any

    deny ip 123.0.0.0 0.255.255.255 any

    deny ip 124.0.0.0 0.255.255.255 any

    deny ip 125.0.0.0 0.255.255.255 any

    deny ip 126.0.0.0 0.255.255.255 any

    deny ip 197.0.0.0 0.255.255.255 any

    deny ip 201.0.0.0 0.255.255.255 any



    deny ip 10.0.0.0 0.255.255.255 any

    deny ip 172.16.0.0 0.15.255.255 any

    deny ip 192.168.0.0 0.0.255.255 any



    deny ip 224.0.0.0 15.255.255.255 any

    deny ip 240.0.0.0 15.255.255.255 any

    deny ip 0.0.0.0 0.255.255.255 any

    deny ip 169.254.0.0 0.0.255.255 any

    deny ip 192.0.2.0 0.0.0.255 any

    deny ip 127.0.0.0 0.255.255.255 any

    permit ip any any

    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list

    exit

    interface FastEthernet0/1

    ip access-group autosec_complete_bogon in

    exit

    access-list 100 permit udp any any eq bootpc

    interface FastEthernet0/1

    ip verify unicast source reachable-via rx allow-default 100

    ip inspect audit-trail

    ip inspect dns-timeout 7

    ip inspect tcp idle-time 14400

    ip inspect udp idle-time 1800

    ip inspect name autosec_inspect cuseeme timeout 3600

    ip inspect name autosec_inspect ftp timeout 3600

    ip inspect name autosec_inspect http timeout 3600

    ip inspect name autosec_inspect rcmd timeout 3600

    ip inspect name autosec_inspect realaudio timeout 3600

    ip inspect name autosec_inspect smtp timeout 3600

    ip inspect name autosec_inspect tftp timeout 30

    ip inspect name autosec_inspect udp timeout 15

    ip inspect name autosec_inspect tcp timeout 3600

    ip access-list extended autosec_firewall_acl

    permit udp any any eq bootpc

    deny ip any any

    interface FastEthernet0/1

    ip inspect autosec_inspect out

    !

    end
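
Added example (not part of the original post): a first-match evaluator for the source entries of autosec_complete_bogon, showing how IOS wildcard masks decide which sources the ACL applied inbound on FastEthernet0/1 drops. The ACL text is a constructed excerpt of the list above, and `parse_acl`, `evaluate` and `check_lab_sources` are names introduced here; note that this lab's DHCP-supplied gateway 10.215.219.254 falls inside the `10.0.0.0 0.255.255.255` entry because the lab's outside network uses private addressing.

```python
import ipaddress
import re

# Constructed excerpt of autosec_complete_bogon as printed on this page:
# two of the reserved /8 entries plus the private and special-use entries.
ACL_TEXT = """\
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date.
"""

# Only the entry shapes that occur in this ACL: "<action> ip <src> any",
# where <src> is either "any" or "<address> <wildcard>".
ENTRY = re.compile(r"^(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+any$")


def ip_int(dotted):
    """Dotted quad (address or wildcard mask) as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text):
    """Return [(action, base, wildcard, line)] in configuration order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY.match(line)
        if not match:
            continue  # ACL header, remark or blank line
        action, src = match.groups()
        if src == "any":
            base, wildcard = 0, 0xFFFFFFFF  # every bit is "don't care"
        else:
            address, mask = src.split()
            base, wildcard = ip_int(address), ip_int(mask)
        entries.append((action, base, wildcard, line))
    return entries


def evaluate(entries, source):
    """First matching entry wins; a wildcard bit of 1 means 'ignore this bit'."""
    addr = ip_int(source)
    for action, base, wildcard, line in entries:
        care = ~wildcard & 0xFFFFFFFF
        if (addr & care) == (base & care):
            return action, line
    return "deny", "implicit deny"  # IOS denies what no entry matches


def check_lab_sources():
    """Evaluate addresses from this page plus one constructed spoofed source."""
    entries = parse_acl(ACL_TEXT)
    sources = {
        "10.215.219.254": "gateway of last resort learned via DHCP",
        "203.162.4.191": "DNS server configured with ip name-server",
        "192.168.1.10": "constructed: outside packet claiming an inside LAN source",
        "172.32.0.1": "constructed: just outside the 172.16/12 wildcard",
    }
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    for src, (action, line) in check_lab_sources().items():
        print(f"{src:16} {action:6} <- {line}")
```
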



    The router asks whether you want to apply this configuration.



    Apply this configuration to running-config? [yes]:



    Applying the config generated to running-config

    The name for the keys will be: Demo.vnpro.org



    % The key modulus size is 1024 bits

    % Generating 1024 bit RSA keys ...[OK]



    Demo#sh run

    Building configuration...



    Current configuration : 9519 bytes

    !

    version 12.3

    no service pad

    service tcp-keepalives-in

    service tcp-keepalives-out

    service timestamps debug datetime msec localtime show-timezone

    service timestamps log datetime msec localtime show-timezone

    service password-encryption

    service sequence-numbers

    !

    hostname Demo

    !

    boot-start-marker

    boot-end-marker

    !

    security authentication failure rate 10 log

    security passwords min-length 6

    logging buffered 4096 debugging

    logging console critical

    enable secret 5 $1$nEyq$HlTuZIiDeOChLt4arodSI0

    enable password 7 075E731F1A5C4F52

    aaa new-model

    !

    !

    aaa authentication login local_auth local

    !

    aaa session-id common

    !

    resource policy

    !

    mmi polling-interval 60

    no mmi auto-configure

    no mmi pvc

    mmi snmp-timeout 180

    ip subnet-zero

    no ip source-route

    no ip gratuitous-arps

    ip cef

    !

    !

    no ip dhcp use vrf connected

    !

    !

    no ip bootp server

    ip domain name vnpro.org

    ip ssh time-out 60

    ip ssh authentication-retries 2

    ip inspect audit-trail

    ip inspect udp idle-time 1800

    ip inspect dns-timeout 7

    ip inspect tcp idle-time 14400

    ip inspect name autosec_inspect cuseeme timeout 3600

    ip inspect name autosec_inspect ftp timeout 3600

    ip inspect name autosec_inspect http timeout 3600

    ip inspect name autosec_inspect rcmd timeout 3600

    ip inspect name autosec_inspect realaudio timeout 3600

    ip inspect name autosec_inspect smtp timeout 3600

    ip inspect name autosec_inspect tftp timeout 30

    ip inspect name autosec_inspect udp timeout 15

    ip inspect name autosec_inspect tcp timeout 3600

    no ip ips deny-action ips-interface

    login block-for 3 attempts 3 within 3

    !

    no ftp-server write-enable

    !

    username vnpro password 7 025756085F5359

    archive

    log config

    logging enable

    !

    !

    no crypto isakmp ccm

    !

    interface FastEthernet0/0

    ip address 192.168.1.1 255.255.255.0

    no ip redirects

    no ip unreachables

    no ip proxy-arp

    duplex auto

    speed auto

    no mop enabled

    !

    interface FastEthernet0/1

    ip address dhcp

    ip access-group autosec_complete_bogon in

    ip verify unicast source reachable-via rx allow-default 100

    no ip redirects

    no ip unreachables

    no ip proxy-arp

    ip inspect autosec_inspect out

    duplex auto

    speed auto

    no mop enabled

    !

    ip classless

    !

    !

    no ip http server

    no ip http secure-server

    !

    ip access-list extended autosec_complete_bogon

    deny ip 1.0.0.0 0.255.255.255 any

    deny ip 2.0.0.0 0.255.255.255 any

    deny ip 5.0.0.0 0.255.255.255 any

    deny ip 7.0.0.0 0.255.255.255 any

    deny ip 23.0.0.0 0.255.255.255 any

    deny ip 27.0.0.0 0.255.255.255 any

    deny ip 31.0.0.0 0.255.255.255 any

    deny ip 36.0.0.0 0.255.255.255 any

    deny ip 37.0.0.0 0.255.255.255 any

    deny ip 39.0.0.0 0.255.255.255 any

    deny ip 41.0.0.0 0.255.255.255 any

    deny ip 42.0.0.0 0.255.255.255 any

    deny ip 49.0.0.0 0.255.255.255 any

    deny ip 50.0.0.0 0.255.255.255 any

    deny ip 58.0.0.0 0.255.255.255 any

    deny ip 59.0.0.0 0.255.255.255 any

    deny ip 60.0.0.0 0.255.255.255 any

    deny ip 70.0.0.0 0.255.255.255 any

    deny ip 71.0.0.0 0.255.255.255 any

    deny ip 72.0.0.0 0.255.255.255 any

    deny ip 73.0.0.0 0.255.255.255 any

    deny ip 74.0.0.0 0.255.255.255 any

    deny ip 75.0.0.0 0.255.255.255 any

    deny ip 76.0.0.0 0.255.255.255 any

    deny ip 77.0.0.0 0.255.255.255 any

    deny ip 78.0.0.0 0.255.255.255 any

    deny ip 79.0.0.0 0.255.255.255 any

    deny ip 83.0.0.0 0.255.255.255 any

    deny ip 84.0.0.0 0.255.255.255 any

    deny ip 85.0.0.0 0.255.255.255 any

    deny ip 86.0.0.0 0.255.255.255 any

    deny ip 87.0.0.0 0.255.255.255 any

    deny ip 88.0.0.0 0.255.255.255 any

    deny ip 89.0.0.0 0.255.255.255 any

    deny ip 90.0.0.0 0.255.255.255 any

    deny ip 91.0.0.0 0.255.255.255 any

    deny ip 92.0.0.0 0.255.255.255 any

    deny ip 93.0.0.0 0.255.255.255 any

    deny ip 94.0.0.0 0.255.255.255 any

    deny ip 95.0.0.0 0.255.255.255 any

    deny ip 96.0.0.0 0.255.255.255 any

    deny ip 97.0.0.0 0.255.255.255 any

    deny ip 98.0.0.0 0.255.255.255 any

    deny ip 99.0.0.0 0.255.255.255 any

    deny ip 100.0.0.0 0.255.255.255 any

    deny ip 101.0.0.0 0.255.255.255 any

    deny ip 102.0.0.0 0.255.255.255 any

    deny ip 103.0.0.0 0.255.255.255 any

    deny ip 104.0.0.0 0.255.255.255 any

    deny ip 105.0.0.0 0.255.255.255 any

    deny ip 106.0.0.0 0.255.255.255 any

    deny ip 107.0.0.0 0.255.255.255 any

    deny ip 108.0.0.0 0.255.255.255 any

    deny ip 109.0.0.0 0.255.255.255 any

    deny ip 110.0.0.0 0.255.255.255 any

    deny ip 111.0.0.0 0.255.255.255 any

    deny ip 112.0.0.0 0.255.255.255 any

    deny ip 113.0.0.0 0.255.255.255 any

    deny ip 114.0.0.0 0.255.255.255 any

    deny ip 115.0.0.0 0.255.255.255 any

    deny ip 116.0.0.0 0.255.255.255 any

    deny ip 117.0.0.0 0.255.255.255 any

    deny ip 118.0.0.0 0.255.255.255 any

    deny ip 119.0.0.0 0.255.255.255 any

    deny ip 120.0.0.0 0.255.255.255 any

    deny ip 121.0.0.0 0.255.255.255 any

    deny ip 122.0.0.0 0.255.255.255 any

    deny ip 123.0.0.0 0.255.255.255 any

    deny ip 124.0.0.0 0.255.255.255 any

    deny ip 125.0.0.0 0.255.255.255 any

    deny ip 126.0.0.0 0.255.255.255 any

    deny ip 197.0.0.0 0.255.255.255 any

    deny ip 201.0.0.0 0.255.255.255 any

    deny ip 10.0.0.0 0.255.255.255 any

    deny ip 172.16.0.0 0.15.255.255 any

    deny ip 192.168.0.0 0.0.255.255 any

    deny ip 224.0.0.0 15.255.255.255 any

    deny ip 240.0.0.0 15.255.255.255 any

    deny ip 0.0.0.0 0.255.255.255 any

    deny ip 169.254.0.0 0.0.255.255 any

    deny ip 192.0.2.0 0.0.0.255 any

    deny ip 127.0.0.0 0.255.255.255 any

    permit ip any any

    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list

    ip access-list extended autosec_firewall_acl

    permit udp any any eq bootpc

    deny ip any any

    ip access-list extended autosec_iana_reserved_block

    deny ip 1.0.0.0 0.255.255.255 any

    deny ip 2.0.0.0 0.255.255.255 any

    deny ip 5.0.0.0 0.255.255.255 any

    deny ip 7.0.0.0 0.255.255.255 any

    deny ip 23.0.0.0 0.255.255.255 any

    deny ip 27.0.0.0 0.255.255.255 any

    deny ip 31.0.0.0 0.255.255.255 any

    deny ip 36.0.0.0 0.255.255.255 any

    deny ip 37.0.0.0 0.255.255.255 any

    deny ip 39.0.0.0 0.255.255.255 any

    deny ip 41.0.0.0 0.255.255.255 any

    deny ip 42.0.0.0 0.255.255.255 any

    deny ip 49.0.0.0 0.255.255.255 any

    deny ip 50.0.0.0 0.255.255.255 any

    deny ip 58.0.0.0 0.255.255.255 any

    deny ip 59.0.0.0 0.255.255.255 any

    deny ip 60.0.0.0 0.255.255.255 any

    deny ip 70.0.0.0 0.255.255.255 any

    deny ip 71.0.0.0 0.255.255.255 any

    deny ip 72.0.0.0 0.255.255.255 any

    deny ip 73.0.0.0 0.255.255.255 any

    deny ip 74.0.0.0 0.255.255.255 any

    deny ip 75.0.0.0 0.255.255.255 any

    deny ip 76.0.0.0 0.255.255.255 any

    deny ip 77.0.0.0 0.255.255.255 any

    deny ip 78.0.0.0 0.255.255.255 any

    deny ip 79.0.0.0 0.255.255.255 any

    deny ip 83.0.0.0 0.255.255.255 any

    deny ip 84.0.0.0 0.255.255.255 any

    deny ip 85.0.0.0 0.255.255.255 any

    deny ip 86.0.0.0 0.255.255.255 any

    deny ip 87.0.0.0 0.255.255.255 any

    deny ip 88.0.0.0 0.255.255.255 any

    deny ip 89.0.0.0 0.255.255.255 any

    deny ip 90.0.0.0 0.255.255.255 any

    deny ip 91.0.0.0 0.255.255.255 any

    deny ip 92.0.0.0 0.255.255.255 any

    deny ip 93.0.0.0 0.255.255.255 any

    deny ip 94.0.0.0 0.255.255.255 any

    deny ip 95.0.0.0 0.255.255.255 any

    deny ip 96.0.0.0 0.255.255.255 any

    deny ip 97.0.0.0 0.255.255.255 any

    deny ip 98.0.0.0 0.255.255.255 any

    deny ip 99.0.0.0 0.255.255.255 any

    deny ip 100.0.0.0 0.255.255.255 any

    deny ip 101.0.0.0 0.255.255.255 any

    deny ip 102.0.0.0 0.255.255.255 any

    deny ip 103.0.0.0 0.255.255.255 any

    deny ip 104.0.0.0 0.255.255.255 any

    deny ip 105.0.0.0 0.255.255.255 any

    deny ip 106.0.0.0 0.255.255.255 any

    deny ip 107.0.0.0 0.255.255.255 any

    deny ip 108.0.0.0 0.255.255.255 any

    deny ip 109.0.0.0 0.255.255.255 any

    deny ip 110.0.0.0 0.255.255.255 any

    deny ip 111.0.0.0 0.255.255.255 any

    deny ip 112.0.0.0 0.255.255.255 any

    deny ip 113.0.0.0 0.255.255.255 any

    deny ip 114.0.0.0 0.255.255.255 any

    deny ip 115.0.0.0 0.255.255.255 any

    deny ip 116.0.0.0 0.255.255.255 any

    deny ip 117.0.0.0 0.255.255.255 any

    deny ip 118.0.0.0 0.255.255.255 any

    deny ip 119.0.0.0 0.255.255.255 any

    deny ip 120.0.0.0 0.255.255.255 any

    deny ip 121.0.0.0 0.255.255.255 any

    deny ip 122.0.0.0 0.255.255.255 any

    deny ip 123.0.0.0 0.255.255.255 any

    deny ip 124.0.0.0 0.255.255.255 any

    deny ip 125.0.0.0 0.255.255.255 any

    deny ip 126.0.0.0 0.255.255.255 any

    deny ip 197.0.0.0 0.255.255.255 any

    deny ip 201.0.0.0 0.255.255.255 any

    permit ip any any

    remark This acl might not be up to date. Visit www.iana.org/assignments/ipv4-address-space for update list

    ip access-list extended autosec_private_block

    deny ip 10.0.0.0 0.255.255.255 any

    deny ip 172.16.0.0 0.15.255.255 any

    deny ip 192.168.0.0 0.0.255.255 any

    permit ip any any

    !

    logging trap debugging

    logging facility local2

    access-list 100 permit udp any any eq bootpc

    access-list compiled

    no cdp run

    !

    control-plane

    !

    banner motd ^CThis config is for user VnPro^C

    !

    line con 0

    exec-timeout 5 0

    login authentication local_auth

    transport output telnet

    line aux 0

    exec-timeout 15 0

    login authentication local_auth

    transport output telnet

    line vty 0 4

    login authentication local_auth

    transport input telnet ssh

    !

    warm-reboot

    end
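
Added example (not part of the original post): a small audit of the settings AutoSecure left in place in this lab, flagging Telnet still accepted on the VTY lines, type 7 (reversibly obfuscated) passwords, the 1024-bit RSA key, the 3-second login block, and named ACLs that are defined but not bound to any interface. The input is a constructed excerpt of the configuration above with the password strings replaced by placeholders; the function names and the two policy thresholds are assumptions introduced here.

```python
import re

# Constructed excerpt: lines taken from the configuration shown on this page,
# with the password strings replaced by placeholders.
CONFIG = """\
enable secret 5 <md5-hash>
enable password 7 <type7-string>
username vnpro password 7 <type7-string>
login block-for 3 attempts 3 within 3
crypto key generate rsa general-keys modulus 1024
interface FastEthernet0/1
 ip address dhcp
 ip access-group autosec_complete_bogon in
 ip verify unicast source reachable-via rx allow-default 100
 ip inspect autosec_inspect out
ip access-list extended autosec_complete_bogon
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
access-list 100 permit udp any any eq bootpc
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
"""

MIN_RSA_BITS = 2048      # assumption: local policy floor for the SSH host key
MIN_BLOCK_SECONDS = 60   # assumption: local policy floor for login block-for


def sections(text):
    """Yield (parent_line, [child_lines]); indented lines belong to the parent."""
    parent, children = None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " ":
            children.append(raw.strip())
        else:
            if parent is not None:
                yield parent, children
            parent, children = raw.strip(), []
    if parent is not None:
        yield parent, children


def audit(text):
    """Return [(finding_id, detail)] for the weak settings described above."""
    findings, defined, applied = [], set(), set()
    for parent, children in sections(text):
        # Type 7 is an obfuscation that can be reversed, unlike "secret".
        if re.match(r"(enable|username \S+) password 7 ", parent):
            findings.append(("type7-password", parent.rsplit(" ", 1)[0]))
        m = re.match(r"crypto key generate rsa .*modulus (\d+)", parent)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(("weak-rsa-modulus", m.group(1)))
        m = re.match(r"login block-for (\d+) ", parent)
        if m and int(m.group(1)) < MIN_BLOCK_SECONDS:
            findings.append(("short-login-block", m.group(1)))
        m = re.match(r"ip access-list extended (\S+)", parent)
        if m:
            defined.add(m.group(1))
        for child in children:
            # Telnet carries the login in cleartext even when SSH is also allowed.
            if parent.startswith("line vty") and re.match(
                r"transport input\b.*\btelnet\b", child
            ):
                findings.append(("telnet-on-vty", parent))
            m = re.match(r"ip access-group (\S+) (in|out)", child)
            if m:
                applied.add(m.group(1))
    for name in sorted(defined - applied):
        findings.append(("acl-not-applied", name))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit(CONFIG):
        print(f"{finding_id:18} {detail}")
```
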



    Demo#

    Demo#sh ip access-lists

    Extended IP access list 100 (Compiled)

    10 permit udp any any eq bootpc

    Extended IP access list autosec_complete_bogon (Compiled)

    10 deny ip 1.0.0.0 0.255.255.255 any

    20 deny ip 2.0.0.0 0.255.255.255 any

    30 deny ip 5.0.0.0 0.255.255.255 any

    40 deny ip 7.0.0.0 0.255.255.255 any

    50 deny ip 23.0.0.0 0.255.255.255 any

    60 deny ip 27.0.0.0 0.255.255.255 any

    70 deny ip 31.0.0.0 0.255.255.255 any

    80 deny ip 36.0.0.0 0.255.255.255 any

    90 deny ip 37.0.0.0 0.255.255.255 any

    100 deny ip 39.0.0.0 0.255.255.255 any

    110 deny ip 41.0.0.0 0.255.255.255 any

    120 deny ip 42.0.0.0 0.255.255.255 any

    130 deny ip 49.0.0.0 0.255.255.255 any

    140 deny ip 50.0.0.0 0.255.255.255 any

    150 deny ip 58.0.0.0 0.255.255.255 any

    160 deny ip 59.0.0.0 0.255.255.255 any

    170 deny ip 60.0.0.0 0.255.255.255 any

    180 deny ip 70.0.0.0 0.255.255.255 any

    190 deny ip 71.0.0.0 0.255.255.255 any

    200 deny ip 72.0.0.0 0.255.255.255 any

    210 deny ip 73.0.0.0 0.255.255.255 any

    220 deny ip 74.0.0.0 0.255.255.255 any

    230 deny ip 75.0.0.0 0.255.255.255 any

    240 deny ip 76.0.0.0 0.255.255.255 any

    250 deny ip 77.0.0.0 0.255.255.255 any

    260 deny ip 78.0.0.0 0.255.255.255 any

    270 deny ip 79.0.0.0 0.255.255.255 any

    280 deny ip 83.0.0.0 0.255.255.255 any

    290 deny ip 84.0.0.0 0.255.255.255 any

    300 deny ip 85.0.0.0 0.255.255.255 any

    310 deny ip 86.0.0.0 0.255.255.255 any

    320 deny ip 87.0.0.0 0.255.255.255 any

    330 deny ip 88.0.0.0 0.255.255.255 any

    340 deny ip 89.0.0.0 0.255.255.255 any

    350 deny ip 90.0.0.0 0.255.255.255 any

    360 deny ip 91.0.0.0 0.255.255.255 any

    370 deny ip 92.0.0.0 0.255.255.255 any

    380 deny ip 93.0.0.0 0.255.255.255 any

    390 deny ip 94.0.0.0 0.255.255.255 any

    400 deny ip 95.0.0.0 0.255.255.255 any

    410 deny ip 96.0.0.0 0.255.255.255 any

    420 deny ip 97.0.0.0 0.255.255.255 any

    430 deny ip 98.0.0.0 0.255.255.255 any

    440 deny ip 99.0.0.0 0.255.255.255 any

    450 deny ip 100.0.0.0 0.255.255.255 any

    460 deny ip 101.0.0.0 0.255.255.255 any

    470 deny ip 102.0.0.0 0.255.255.255 any

    480 deny ip 103.0.0.0 0.255.255.255 any

    490 deny ip 104.0.0.0 0.255.255.255 any

    500 deny ip 105.0.0.0 0.255.255.255 any

    510 deny ip 106.0.0.0 0.255.255.255 any

    520 deny ip 107.0.0.0 0.255.255.255 any

    530 deny ip 108.0.0.0 0.255.255.255 any

    540 deny ip 109.0.0.0 0.255.255.255 any

    550 deny ip 110.0.0.0 0.255.255.255 any

    560 deny ip 111.0.0.0 0.255.255.255 any

    570 deny ip 112.0.0.0 0.255.255.255 any

    580 deny ip 113.0.0.0 0.255.255.255 any

    590 deny ip 114.0.0.0 0.255.255.255 any

    600 deny ip 115.0.0.0 0.255.255.255 any

    610 deny ip 116.0.0.0 0.255.255.255 any

    620 deny ip 117.0.0.0 0.255.255.255 any

    630 deny ip 118.0.0.0 0.255.255.255 any

    640 deny ip 119.0.0.0 0.255.255.255 any

    650 deny ip 120.0.0.0 0.255.255.255 any

    660 deny ip 121.0.0.0 0.255.255.255 any

    670 deny ip 122.0.0.0 0.255.255.255 any

    680 deny ip 123.0.0.0 0.255.255.255 any

    690 deny ip 124.0.0.0 0.255.255.255 any

    700 deny ip 125.0.0.0 0.255.255.255 any

    710 deny ip 126.0.0.0 0.255.255.255 any

    720 deny ip 197.0.0.0 0.255.255.255 any

    730 deny ip 201.0.0.0 0.255.255.255 any

    740 deny ip 10.0.0.0 0.255.255.255 any (279 matches)

    750 deny ip 172.16.0.0 0.15.255.255 any

    760 deny ip 192.168.0.0 0.0.255.255 any

    770 deny ip 224.0.0.0 15.255.255.255 any

    780 deny ip 240.0.0.0 15.255.255.255 any

    790 deny ip 0.0.0.0 0.255.255.255 any (3 matches)

    800 deny ip 169.254.0.0 0.0.255.255 any

    810 deny ip 192.0.2.0 0.0.0.255 any

    820 deny ip 127.0.0.0 0.255.255.255 any

    830 permit ip any any

    Extended IP access list autosec_firewall_acl (Compiled)

    10 permit udp any any eq bootpc

    20 deny ip any any

    Extended IP access list autosec_iana_reserved_block (Compiled)

    10 deny ip 1.0.0.0 0.255.255.255 any

    20 deny ip 2.0.0.0 0.255.255.255 any

    30 deny ip 5.0.0.0 0.255.255.255 any

    40 deny ip 7.0.0.0 0.255.255.255 any

    50 deny ip 23.0.0.0 0.255.255.255 any

    60 deny ip 27.0.0.0 0.255.255.255 any

    70 deny ip 31.0.0.0 0.255.255.255 any

    80 deny ip 36.0.0.0 0.255.255.255 any

    90 deny ip 37.0.0.0 0.255.255.255 any

    100 deny ip 39.0.0.0 0.255.255.255 any

    110 deny ip 41.0.0.0 0.255.255.255 any

    120 deny ip 42.0.0.0 0.255.255.255 any

    130 deny ip 49.0.0.0 0.255.255.255 any

    140 deny ip 50.0.0.0 0.255.255.255 any

    150 deny ip 58.0.0.0 0.255.255.255 any

    160 deny ip 59.0.0.0 0.255.255.255 any

    170 deny ip 60.0.0.0 0.255.255.255 any

    180 deny ip 70.0.0.0 0.255.255.255 any

    190 deny ip 71.0.0.0 0.255.255.255 any

    200 deny ip 72.0.0.0 0.255.255.255 any

    210 deny ip 73.0.0.0 0.255.255.255 any

    220 deny ip 74.0.0.0 0.255.255.255 any

    230 deny ip 75.0.0.0 0.255.255.255 any

    240 deny ip 76.0.0.0 0.255.255.255 any

    250 deny ip 77.0.0.0 0.255.255.255 any

    260 deny ip 78.0.0.0 0.255.255.255 any

    270 deny ip 79.0.0.0 0.255.255.255 any

    280 deny ip 83.0.0.0 0.255.255.255 any

    290 deny ip 84.0.0.0 0.255.255.255 any

    300 deny ip 85.0.0.0 0.255.255.255 any

    310 deny ip 86.0.0.0 0.255.255.255 any

    320 deny ip 87.0.0.0 0.255.255.255 any

    330 deny ip 88.0.0.0 0.255.255.255 any

    340 deny ip 89.0.0.0 0.255.255.255 any

    350 deny ip 90.0.0.0 0.255.255.255 any

    360 deny ip 91.0.0.0 0.255.255.255 any

    370 deny ip 92.0.0.0 0.255.255.255 any

    380 deny ip 93.0.0.0 0.255.255.255 any

    390 deny ip 94.0.0.0 0.255.255.255 any

    400 deny ip 95.0.0.0 0.255.255.255 any

    410 deny ip 96.0.0.0 0.255.255.255 any

    420 deny ip 97.0.0.0 0.255.255.255 any

    430 deny ip 98.0.0.0 0.255.255.255 any

    440 deny ip 99.0.0.0 0.255.255.255 any

    450 deny ip 100.0.0.0 0.255.255.255 any

    460 deny ip 101.0.0.0 0.255.255.255 any

    470 deny ip 102.0.0.0 0.255.255.255 any

    480 deny ip 103.0.0.0 0.255.255.255 any

    490 deny ip 104.0.0.0 0.255.255.255 any

    500 deny ip 105.0.0.0 0.255.255.255 any

    510 deny ip 106.0.0.0 0.255.255.255 any

    520 deny ip 107.0.0.0 0.255.255.255 any

    530 deny ip 108.0.0.0 0.255.255.255 any

    540 deny ip 109.0.0.0 0.255.255.255 any

    550 deny ip 110.0.0.0 0.255.255.255 any

    560 deny ip 111.0.0.0 0.255.255.255 any

    570 deny ip 112.0.0.0 0.255.255.255 any

    580 deny ip 113.0.0.0 0.255.255.255 any

    590 deny ip 114.0.0.0 0.255.255.255 any

    600 deny ip 115.0.0.0 0.255.255.255 any

    610 deny ip 116.0.0.0 0.255.255.255 any

    620 deny ip 117.0.0.0 0.255.255.255 any

    630 deny ip 118.0.0.0 0.255.255.255 any

    640 deny ip 119.0.0.0 0.255.255.255 any

    650 deny ip 120.0.0.0 0.255.255.255 any

    660 deny ip 121.0.0.0 0.255.255.255 any

    670 deny ip 122.0.0.0 0.255.255.255 any

    680 deny ip 123.0.0.0 0.255.255.255 any

    690 deny ip 124.0.0.0 0.255.255.255 any

    700 deny ip 125.0.0.0 0.255.255.255 any

    710 deny ip 126.0.0.0 0.255.255.255 any

    720 deny ip 197.0.0.0 0.255.255.255 any

    730 deny ip 201.0.0.0 0.255.255.255 any

    740 permit ip any any

    Extended IP access list autosec_private_block (Compiled)

    10 deny ip 10.0.0.0 0.255.255.255 any

    20 deny ip 172.16.0.0 0.15.255.255 any

    30 deny ip 192.168.0.0 0.0.255.255 any

    40 permit ip any any

    Extended IP access list sl_def_acl (Compiled)

    10 deny tcp any any eq telnet log

    20 deny tcp any any eq www log

    30 deny tcp any any eq 22 log

    40 permit ip any any log

    Demo#sh tcp ?

    <0-198> Line number

    aux Auxiliary line

    brief Brief display

    console Primary terminal line

    intercept Intercept display

    statistics TCP protocol statistics

    tcb TCB address

    tty Terminal controller

    vty Virtual terminal

    x/y Slot/Port for Modems

    x/y/z Slot/Subslot/Port for Modems

    | Output modifiers





    Demo#sh tcp tty

    % Incomplete command.



    Demo#sh tcp tty ?

    <1-192> Line number



    Demo#sh tcp tty 1



    Demo#sh tcp sta

    Demo#sh tcp statistics

    Rcvd: 0 Total, 0 no port

    0 checksum error, 0 bad offset, 0 too short

    0 packets (0 bytes) in sequence

    0 dup packets (0 bytes)

    0 partially dup packets (0 bytes)

    0 out-of-order packets (0 bytes)

    0 packets (0 bytes) with data after window

    0 packets after close

    0 window probe packets, 0 window update packets

    0 dup ack packets, 0 ack packets with unsend data

    0 ack packets (0 bytes)

    Sent: 0 Total, 0 urgent packets

    0 control packets (including 0 retransmitted)

    0 data packets (0 bytes)

    0 data packets (0 bytes) retransmitted

    0 data packets (0 bytes) fastretransmitted

    0 ack only packets (0 delayed)

    0 window probe packets, 0 window update packets

    0 Connections initiated, 0 connections accepted, 0 connections established

    1 Connections closed (including 0 dropped, 1 embryonic dropped)

    0 Total rxmt timeout, 0 connections dropped in rxmt timeout

    0 Keepalive timeout, 0 keepalive probe, 0 Connections dropped in keepalive

    Demo#sh tcp ?

    <0-198> Line number

    aux Auxiliary line

    brief Brief display

    console Primary terminal line

    intercept Intercept display

    statistics TCP protocol statistics

    tcb TCB address

    tty Terminal controller

    vty Virtual terminal

    x/y Slot/Port for Modems

    x/y/z Slot/Subslot/Port for Modems

    | Output modifiers





    Demo#sh tcp



    Demo#sh cdp ?

    entry Information for specific neighbor entry

    interface CDP interface status and configuration

    neighbors CDP neighbor entries

    traffic CDP statistics

    | Output modifiers





    Demo#sh cdp

    % CDP is not enabled

    Demo#

    Demo#sh ip ?

    access-lists List IP access lists

    accounting The active IP accounting database

    admission Network Admission Control information

    aliases IP alias table

    arp IP ARP table

    as-path-access-list List AS path access lists

    auth-proxy Authentication Proxy information

    bgp BGP information

    cache IP fast-switching route cache

    casa display casa information

    cef Cisco Express Forwarding

    community-list List community-list

    ddns Dynamic DNS

    dfp DFP information

    dhcp Show items in the DHCP database

    director Director agent

    dns Show DNS zone information

    drp Director response protocol

    dvmrp DVMRP information

    eigrp IP-EIGRP show commands

    extcommunity-list List extended-community list

    flow NetFlow switching

    helper-address helper-address table

    host-list Host list

    http HTTP information

    igmp IGMP information

    inspect CBAC (Context Based Access Control) information

    interface IP interface status and configuration

    ips IPS (Intrusion Prevention System) information

    irdp ICMP Router Discovery Protocol

    local IP local options

    masks Masks associated with a network

    mcache IP multicast fast-switching cache

    mobile IP Mobility information

    mpacket Display possible duplicate multicast packets

    mrm IP Multicast Routing Monitor information

    mroute IP multicast routing table

    msdp Multicast Source Discovery Protocol (MSDP)

    mtag IP Multicast Tagswitching TIB

    multicast Multicast global information

    nat IP NAT information

    nbar Network-Based Application Recognition

    nhrp NHRP information

    ospf
    Email : vnpro@vnpro.org
    ---------------------------------------------------------------------------------------------------------------
Trung Tâm Tin Học VnPro
149/1D Ung Văn Khiêm P25 Q.Bình thạnh TPHCM
Tel : (08) 35124257 (5 lines)
Fax: (08) 35124314

Home page: http://www.vnpro.vn
Support Forum: http://www.vnpro.org
- Specializing in network administration and Internet infrastructure training
- Publishing technical books
- IT staffing consultancy and recruitment
- Network system design consulting and technical support

Network channel: http://www.dancisco.com
Blog: http://www.vnpro.org/blog
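
The remark in the generated ACL warns that the list may be out of date, and the `sh ip access-lists` output above shows which entries are actually taking hits. The following added example (not part of the original post) parses that output format and evaluates a source address with first-match semantics, so you can see which sequence number would drop a given source. The function names and the test addresses are assumptions; 1.1.1.1 is used because it is a publicly routed address today.

```python
import ipaddress
import re

# Constructed sample: a few entries copied from the autosec_complete_bogon
# listing above (not the full ACL).
SAMPLE = """\
Extended IP access list autosec_complete_bogon (Compiled)
    10 deny ip 1.0.0.0 0.255.255.255 any
    740 deny ip 10.0.0.0 0.255.255.255 any (279 matches)
    750 deny ip 172.16.0.0 0.15.255.255 any
    770 deny ip 224.0.0.0 15.255.255.255 any
    790 deny ip 0.0.0.0 0.255.255.255 any (3 matches)
    830 permit ip any any
"""

ENTRY = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+ip\s+"
    r"(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)\s+any"
    r"(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl(text):
    """Return [(seq, action, base, wildcard, hits)] for 'ip <source> any' entries."""
    rules = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and entry forms this sketch does not cover
        seq, action, src, hits = m.groups()
        if src == "any":
            base, wild = 0, 0xFFFFFFFF
        else:
            base, wild = (int(ipaddress.IPv4Address(p)) for p in src.split())
        rules.append((int(seq), action, base, wild, int(hits or 0)))
    return rules

def first_match(rules, source):
    """First entry whose non-wildcard bits equal the source address decides."""
    ip = int(ipaddress.IPv4Address(source))
    for seq, action, base, wild, _ in rules:
        care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
        if ip & care == base & care:
            return seq, action
    return None, "deny"  # implicit deny when nothing matches

def hit_counts(rules):
    """Sequence numbers that have actually matched traffic, with their counters."""
    return {seq: hits for seq, _, _, _, hits in rules if hits}

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for src in ("1.1.1.1", "10.20.30.40", "172.32.0.1"):
        print(src, first_match(acl, src))
    print(hit_counts(acl))
```

Feeding it the full listing and a set of sources you know are legitimate shows which of the /8 deny entries need to be pruned after checking the IANA registry named in the remark.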