Common configuration commands for Cisco network device security management
2022-06-12 10:34:00 【Bng!】
Network device security management
I. Basic switch and router configuration
1. Change the hostname
Switch(config)#hostname [name]
Router(config)#hostname [name]
2. Configure the privileged mode password
Plaintext password (stored in clear text in the configuration):
enable password [password]
Encrypted password (stored as a hash):
enable secret [password]
3. Save the configuration
In privileged mode:
Switch#copy running-config startup-config
4. Configure the router interface IP
S1(config)#interface [interface]
S1(config-if)#ip address [ip] [mask]
5. Configure VTY 0 4 on the switch with password abc (for Telnet connections)
In global configuration mode:
S1(config)#line vty 0 4
S1(config-line)#password abc
6. Set the interface speed and duplex mode
S1(config)#interface f0/1
S1(config-if)#speed 100 // speed 100 Mb/s
S1(config-if)#duplex auto // auto-negotiate duplex mode
S1(config-if)#duplex half // half duplex mode
II. VLAN
1. Configure the VLAN IP address and default gateway
S1(config)#interface vlan [id]
S1(config-if)#ip address [ip] [mask]
S1(config)#ip default-gateway [gateway]
2. Create a VLAN
S1(config)#vlan [id]
S1(config-vlan)#name [name]
3. Assign an interface to a VLAN
S1(config)#interface [interface]
S1(config-if)#switchport access vlan [id]
4. Configure a trunk link
S1(config)#interface [interface]
S1(config-if)#switchport mode trunk
5. Router-on-a-stick (single-arm routing)
Subinterface g0/2.10:
Router(config)#interface g0/2.10
Router(config-subif)#no shutdown
Router(config-subif)#encapsulation dot1Q [vlan-id]
Router(config-subif)#ip address [ip] [mask]
Set the switch interface connected to g0/2 as a trunk interface:
Switch(config-if)#switchport mode trunk
6. Configure an EtherChannel
Example: configure Fa0/3-Fa0/5 on switch S1 as EtherChannel number 1, and set this EtherChannel to trunk mode.
Switch(config)#interface range f0/3-5
Switch(config-if-range)#channel-group 1 mode active
Switch(config-if-range)#exit
Switch(config)#interface port-channel 1
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
7. Enable routing on a Layer 3 switch
Switch(config)#ip routing
III. Configure the DHCP server
1. Exclude the addresses 202.206.100.1-202.206.100.5 from DHCP
Router(config)#ip dhcp excluded-address 202.206.100.1 202.206.100.5
2. Create a DHCP address pool named outside
Router(config)#ip dhcp pool outside
3. Put 202.206.100.0/24 in the address pool
Router(dhcp-config)#network 202.206.100.0 255.255.255.0
4. Set the default gateway to 202.206.100.1
Router(dhcp-config)#default-router 202.206.100.1
5. DNS: 202.206.100.36
Router(dhcp-config)#dns-server 202.206.100.36
6. DHCP relay
Configure relay to the DHCP server:
Router(config)#interface f0/0 // enter the interface connected to the hosts
Router(config-if)#ip helper-address [ip] // [ip] is the address of the interface that connects to the DHCP server
IV. HSRP
1. standby version 2
Router(config)#interface f0/0
Router(config-if)#standby version 2
2. Configure the IP
The IP of standby group 1 is 202.206.96.1
Router(config-if)#standby 1 ip 202.206.96.1
3. Set the priority
The priority of standby group 1 is 150
Router(config-if)#standby 1 priority 150
4. Enable preemption
Set standby group 1 to preempt
Router(config-if)#standby 1 preempt
V. Routing table: RIP
1. Configure static routing
Router#show ip route // view the routing table
Router(config)#ip route [ip address] [mask] [next-hop ip]
2. Dynamic routing
Configure dynamic routing:
Router(config)#router rip
Router(config-router)#network [directly connected network]
Set a passive interface:
Router(config-router)#passive-interface [interface]
3. Static default route
Router(config)#ip route 0.0.0.0 0.0.0.0 [next-hop ip]
Propagate the default static route in RIP:
Router(config)#router rip
Router(config-router)#default-information originate
VI. Routing table: OSPF
1. Configure the OSPF dynamic routing protocol
Router(config)#router ospf [process id]
Router(config-router)#network [directly connected network] [wildcard mask] area [area id]
2. Router ID
Router(config-router)#router-id [router id] // when configuring OSPF, configure the router ID first
3. Set a passive interface
Router(config-router)#passive-interface [interface]
4. Propagate the default static route in OSPF
Router(config-router)#default-information originate
VII. ACL
1. On R1, configure a standard ACL numbered 1 that denies all computers in 192.168.1.2-192.168.1.127 access to computers outside the local area network; access to other computers within this LAN is not affected.
Router(config)#access-list 1 deny 192.168.1.2 0.0.0.127
Router(config)#access-list 1 permit any
Router(config)#interface f0/0
Router(config-if)#ip access-group 1 in
2. On R1, configure a named standard ACL called main that allows only 192.168.2.12-192.168.2.15 and 192.168.1.200-207 to access the Internet (that is, networks outside intranet 1 and intranet 2); other computers cannot access the Internet.
Router(config)#ip access-list standard main
Router(config-std-nacl)#permit 192.168.2.12 0.0.0.3
Router(config-std-nacl)#permit 192.168.1.200 0.0.0.7
Router(config-std-nacl)#exit
Router(config)#interface f0/1
Router(config-if)#ip access-group main out
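A check worth running on the wildcard masks in the two ACLs above, as an added example that is not part of the original article: the Python helpers below (names are hypothetical) compute which addresses an address/wildcard pair really matches, list any addresses outside the intended range, and generate the pairs that cover a range exactly. They assume contiguous wildcards, as used on this page.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_range(addr, wildcard):
    """First and last address matched by an IOS 'address wildcard' pair.

    Only contiguous wildcards (a low-order run of 1 bits, like every
    wildcard on this page) are handled; anything else raises ValueError.
    """
    w = _int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard: " + wildcard)
    base = _int(addr) & ~w & 0xFFFFFFFF  # address bits under the wildcard are ignored
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(base | w))

def extra_matches(addr, wildcard, first, last):
    """Addresses the entry matches that lie outside the intended first..last."""
    lo, hi = (_int(x) for x in wildcard_range(addr, wildcard))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
            if not _int(first) <= i <= _int(last)]

def entries_for_range(first, last):
    """Minimal list of (address, wildcard) pairs matching exactly first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

# The three ACL entries from the page, each with the range the text says it covers.
PAGE_ENTRIES = [
    ("192.168.1.2", "0.0.0.127", "192.168.1.2", "192.168.1.127"),
    ("192.168.2.12", "0.0.0.3", "192.168.2.12", "192.168.2.15"),
    ("192.168.1.200", "0.0.0.7", "192.168.1.200", "192.168.1.207"),
]

if __name__ == "__main__":
    for addr, wc, first, last in PAGE_ENTRIES:
        print(addr, wc, "matches", wildcard_range(addr, wc),
              "outside intended range:", extra_matches(addr, wc, first, last))
    # Entries that would match 192.168.1.2-192.168.1.127 and nothing else.
    for a, w in entries_for_range("192.168.1.2", "192.168.1.127"):
        print("access-list 1 deny", a, w)
```

The first entry also matches 192.168.1.0 and 192.168.1.1, because the low seven bits of the address are ignored; the two named-ACL entries match exactly the ranges stated.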
VIII. NAT and PAT
(1) NAT
1. Configure static NAT
Router(config)#ip nat inside source static [host ip] [mapped ip]
2. Configure dynamic NAT
Set up the address pool:
Router(config)#ip nat pool [name] [start ip] [end ip] netmask [mask]
Set up the ACL:
Router(config)#access-list [number] permit [start ip] [wildcard mask]
Map the access control list to the address pool:
Router(config)#ip nat inside source list [ACL number] pool [name]
Configure the inside and outside interfaces:
Router(config)#interface [interface]
Router(config-if)#ip nat inside
Router(config)#interface [interface]
Router(config-if)#ip nat outside
(2) PAT
1. Configure the ACL
2. Map the access control list to the interface, with overload
Router(config)#ip nat inside source list [ACL number] interface [interface] overload
IX. Switch port security settings
1. Enable port security on the switch port
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
2. Manually bind PC1's MAC address to the port
Switch(config-if)#switchport port-security mac-address [host mac]
3. Enable sticky MAC address learning on the port
Switch(config-if)#switchport port-security mac-address sticky
4. Enable PortFast
Switch(config-if)#spanning-tree portfast
5. Set the maximum number of MAC addresses on the port to 1
Switch(config-if)#switchport port-security maximum 1
Set the violation action to shutdown:
Switch(config-if)#switchport port-security violation shutdown
Set the violation action to restrict:
Switch(config-if)#switchport port-security violation restrict