Security management for Cisco routers includes creating passwords to secure access to Cisco routers, and using the correct access table to manage acceptable data streams through Cisco routers.
1. Password Management
The following command sets the password for controlling access from the terminal.
Command operation result
Line console 0 creates a password for the console Terminal
Line vty 0 4 telnet connection to create a password
Enable-password creates a password for Privileged exec mode
Enable-secret uses MD5 encryption to create a password
Service password-encryption
Display the password
2. packet filtering
Cisco's firewall function is mainly implemented through packet filtering.
It can control multiple types of data streams, such as limiting inbound and outbound traffic. By writing an access list, we can restrict the data flow of a specific network or host.
The Accsess-list number has a specific range:
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<200-299> Protocol type-code access list
<700-799> 48-bit MAC address access list
For example, we can define the following access table to allow any host to host 160 .. 10.2.101 packets:
Accsess-list 101 permit ip any host 160.10.2.101
The following statement allows a host to send a udp packet to 160.10.2.100 in the form that the source port is smaller than 1024 to the server, and the destination port of the packet must be dns port 53 ). Gt is great.
Accsess-list 101 permit udp any gt 1023 host 160.10.2.100 eq 53
After creating an access list, you must apply it to the port to filter packets. After entering the port to be controlled, run the following command to apply the access table:
Router (config-if) # ip access-group 101 in
The in indicates to filter the data for this port. Note that a port can only have a list of inbound and outbound directions. If there are several ports, only the first port will take effect.