book

Cisco IOS in a Nutshell, 2nd Edition

by James Boney

August 2005

Intermediate to advanced

798 pages

31h 12m

English

O'Reilly Media, Inc.

Read now

Unlock full access

OrganizationWhat’s New in This EditionConventionsSafari EnabledWe’d Like to Hear from YouAcknowledgments
1.1. IOS User Modes1.2. Command-Line Completion1.3. Get to Know the Question Mark1.4. Command-Line Editing Keys1.5. Pausing Output1.6. show Commands
2.1. IOS Image Filenames2.1.1. Platform Identifier2.1.2. Feature Set2.1.3. Image Execution Location2.2. The New Cisco IOS Packaging Model2.2.1. Example of New Image Name2.2.2. Status of the Release2.2.3. Finding the Release on Cisco’s Web Site2.3. Loading Image Files Through the Network2.3.1. Using TFTP to Download Files2.3.2. Using RCP to Download Files2.3.3. Using SCP to Download Files2.4. Using the IOS Filesystem for Images2.4.1. Upgrading Flash Memory Using the Filesystem Commands2.5. The Router’s Configuration2.6. Loading Configuration Files2.6.1. Loading the running-config2.6.2. Loading the startup-config2.6.3. Saving running-config to startup-config2.6.4. Viewing a Configuration2.6.4.1. Options for the show config command2.6.4.2. Stopping the —More— prompt2.6.5. Erasing a Stored Configuration2.6.6. Saving a Configuration to a Network Server
3.1. Setting the Router Name3.2. Setting the System Prompt3.3. Configuration Comments3.4. The Enable Password3.5. Mapping Hostnames to IP Addresses3.5.1. IP Host Tables3.5.2. Enabling DNS3.6. Setting the Router’s Time3.6.1. The Calendar Versus the Clock3.6.2. Configuring NTP3.7. Enabling SNMP3.8. Cisco Discovery Protocol3.9. System Banners3.9.1. Creating Banners3.9.2. Disabling Banners
4.1. The line Command4.1.1. Absolute and Relative Line Numbering4.2. The Console Port4.3. Virtual Terminals (VTYs)4.4. Asynchronous Ports (TTYs)4.5. The Auxiliary (AUX) Port4.6. show line4.7. Reverse Telnet4.8. Common Configuration Items4.8.1. Communication Parameters4.8.2. Transport Type4.8.3. Session Limits and Timeouts4.8.4. Special Characters and Key Sequences
5.1. Naming and Numbering Interfaces5.1.1. Subinterfaces5.2. Basic Interface Configuration Commands5.2.1. shutdown5.2.2. Interface Descriptions5.2.3. Setting the IP Address and Subnet Mask5.2.3.1. Secondary IP address(es)5.2.4. Other Common Interface Commands5.3. The Loopback Interface5.4. The Null Interface5.5. Ethernet, Fast Ethernet, and Gigabit Ethernet Interfaces5.6. Token Ring Interfaces5.7. ISDN Interfaces5.7.1. A Simple ISDN Configuration5.8. Serial Interfaces5.8.1. Serial Encapsulation5.8.2. Serial T1 Connection5.8.3. T1 Configuration on a 2524 with a CSU/DSU Card5.8.4. Channelized T15.9. Asynchronous Interfaces5.9.1. Using the group-async Command5.9.2. Specifying an IP Address Pool5.9.3. Using BOOTP Configuration Items for Dial-in Connections5.9.4. Using DHCP for IP Addresses and Dial-in Configuration Items5.10. Interface show Commands5.10.1. Clearing the show Command Counters5.10.2. Listing All Interfaces5.10.3. Using the show interface Commands5.10.3.1. show interface accounting5.10.3.2. show ip interface
6.1. Frame Relay6.1.1. Important Frame Relay Terminology6.1.2. Frame Relay Configuration6.1.3. Mapping IP Addresses to DLCIs6.1.3.1. Explicitly mapping DLCIs6.1.3.2. Configuring a multipoint connection6.1.4. Frame Relay Traffic Shaping6.1.4.1. Enabling traffic-shaping on a frame relay link6.1.4.2. Adaptive shaping6.1.5. Frame Relay show Commands6.2. ATM6.2.1. ATM Terminology6.2.2. Configuring Permanent Virtual Circuits6.2.2.1. Configuring an ATM interface with static IP mapping6.2.2.2. Configuring an ATM interface with dynamic IP mapping6.2.3. Configuring Switched Virtual Circuits6.2.3.1. ATM ARP server6.2.4. Configuring with DXI6.2.5. ATM show Commands6.2.6. LAN Emulation (LANE)6.2.6.1. LANE configuration notes6.2.6.2. Configuring the LECS6.2.6.3. Configuring the LES/BUS6.2.6.4. Configuring the LEC6.2.6.5. LANE show commands6.3. DSL6.3.1. Configuring Our DSL Client Router6.3.2. Troubleshooting a DSL Connection6.4. Cable6.5. VoIP6.5.1. VoIP Protocols6.5.1.1. H.3236.5.1.2. MGCP6.5.1.3. SIP6.5.2. VoIP Terminology6.5.3. Examples6.5.3.1. FXO Gateway to PSTN6.5.3.2. H.323 call routing6.5.3.3. MGCP call routing6.5.3.4. SIP Configuration for VoIP
7.1. How Packets Match a List Entry7.1.1. Address/Mask Pairs (Wildcards)7.1.2. Computing a Wildcard for a Given Subnet Mask7.1.3. Access List Processing7.1.4. Implicit Deny7.1.5. Access Lists Are Additive7.1.6. Outbound Access Lists Are More Efficient Than Inbound7.2. Types of Access Lists7.2.1. Extended Access Lists7.2.1.1. Specifying ports7.2.1.2. Established connections7.2.1.3. ICMP protocol entries7.2.1.4. Applying an access list to an interface or line7.2.2. Named Access Lists7.2.2.1. Entering noncontiguous ports7.2.3. Reflexive Access Lists7.2.3.1. Creating the outbound reflexive list7.2.3.2. Creating the inbound reflexive list7.2.3.3. Applying the inbound and outbound reflexive lists to an interface7.2.3.4. Setting the reflexive timeout7.2.3.5. Reflexive list notes7.3. Specific Topics7.3.1. Adding Comments to an Access List7.3.2. Timed Access Lists7.3.3. Building a Gateway Router7.3.3.1. IP address spoofing7.3.3.2. Permitting FTP through an access list7.3.3.3. Passive FTP7.3.3.4. The actual access list7.3.4. Optimizing Your Access Lists7.3.5. Emulating a Packet Sniffer7.3.6. Logging Access List Violations7.3.7. Securely Updating Access Lists7.3.8. Getting the List to a Router with TFTP, RCP, or SCP
8.1. Autonomous System (AS) Numbers8.2. Interior and Exterior Gateway Protocols8.3. Distance-Vector and Link-State Routing Protocols8.3.1. Distance-Vector Protocols8.3.2. Link-State Routing Protocols8.3.3. Administrative Distance8.3.4. Variable-Length Subnet Masks (VLSM) and Classless Routing8.3.5. Protocol Comparison8.4. Static Routes8.4.1. Default Static Routes8.4.2. A Static Route to the Null Interface8.4.3. Backup Static Routes8.5. Split Horizon8.6. Passive Interfaces8.6.1. Route Redistribution8.6.2. Filtering Routes8.6.2.1. Filtering incoming routes8.6.2.2. Filtering outgoing routes8.6.2.3. Filtering updates during redistribution8.6.2.4. Revisiting the example8.6.3. Route Maps8.6.3.1. Enforcing routing policy with route maps8.6.3.2. Enforcing routing policy with the ip policy command8.7. Fast Switching and Process Switching8.7.1. Fast Switching8.7.2. Process Switching8.7.3. Useful show Commands8.7.3.1. show ip route summary8.7.3.2. clear ip route8.7.3.3. show ip protocols
9.1. RIP9.1.1. Basic RIP Configuration9.1.2. Enabling RIPv2 on the Network9.1.3. Redistributing Other Routing Protocols into RIP9.1.4. RIPv2 Authentication9.2. IGRP9.2.1. Basic IGRP Configuration9.2.1.1. IGRP’s metric9.2.1.2. Packet size9.2.1.3. Modifying the range of the network9.2.1.4. IGRP’s load balancing9.2.2. Redistributing Other Protocols into IGRP9.3. EIGRP9.3.1. Enabling EIGRP on the Network9.3.2. EIGRP and Route Summarization9.3.2.1. Enabling route summarization on a specific interface9.3.3. EIGRP Authentication9.3.4. EIGRP Metrics9.3.5. Tuning EIGRP9.3.6. EIGRP show Commands9.3.6.1. show ip eigrp neighbors9.3.6.2. show ip eigrp topology9.3.6.3. show ip eigrp traffic9.3.7. EIGRP Redistribution9.3.7.1. RIP9.3.7.2. IGRP9.3.8. Converting an IGRP Network to EIGRP9.4. OSPF9.4.1. OSPF Concepts9.4.1.1. Areas9.4.1.2. Router types9.4.1.3. Link-state advertisements (LSAs)9.4.1.4. Area types9.4.1.5. Router ID9.4.1.6. Designated router (DR)9.4.2. Enabling OSPF on the Network9.4.3. Sample OSPF Configurations9.4.4. Route Summarization in OSPF9.4.4.1. Inter-area summarization9.4.4.2. External summarization9.4.5. Virtual Backbone Links9.4.6. Interoperability with Other Vendors9.4.7. Default Routes in OSPF9.4.8. NSSAs (Not-So-Stubby Areas)9.4.9. OSPF Configuration Example9.4.9.1. Putting route summarization to use9.4.10. Redistributing Other Protocols into OSPF9.4.11. OSPF show Commands9.4.11.1. show ip ospf border routers9.4.11.2. show ip ospf neighbor9.4.11.3. show ip ospf database9.4.11.4. show ip ospf interface9.5. IS-IS9.5.1. IS-IS Concepts9.5.1.1. Level 1 and level 29.5.1.2. NSAP addressing9.5.1.3. Enabling an interface for IS-IS9.5.2. IS-IS configuration example9.5.3. Show Commands9.5.4. Authentication9.5.5. Metric Tuning9.5.6. Injecting a Default Route9.5.7. IS-IS Route Leaking

Content preview from Cisco IOS in a Nutshell, 2nd Edition

Chapter 15. Router Security

Before deploying a router, you should secure it: that is, you should do everything you can to prevent the router from being misused, either by people within your own organization or by intruders from the outside. This chapter describes the first simple steps you can take toward router security ; however, it’s not a complete discussion by any means. I don’t do anything more than point you in the right direction. For more security review and hints, you might want to look at some O’Reilly titles, especially Hardening Cisco Routers by Thomas Akin and Cisco Cookbook by Kevin Dooley and Ian J. Brown.

Securing Enable Mode Access

One of the basic security items you need to protect is access to the enable mode, which allows a user access to the router’s configuration and boot information. You want to protect this mode as much as possible and give access only to people who really need it and who know what they are doing. For this section, we’ll look at setting the enable password , the enable secret command (which provides additional security), and enable privilege levels.

Setting the Enable Password

The enable password grants the user access to your complete router configuration. It’s much like the superuser or root password on a Unix system or like the Administrator password on Windows. It must be guarded carefully. In Chapter 3, I showed how to set the enable password:

    Router(config)#enable password mypassword

The problem with setting the password this way is ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 0596008694Errata

Cisco IOS in a Nutshell, 2nd Edition

by James Boney

Chapter 15. Router Security

Securing Enable Mode Access

Setting the Enable Password

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

CISCO IOS in a Nutshell

Cisco IOS Cookbook, 2nd Edition

Cisco Software-Defined Access

Cisco Networks: Engineers' Handbook of Routing, Switching, and Security with IOS, NX-OS, and ASA

Publisher Resources