Cisco router security configuration command family

For the Cisco router security configuration command family, the following are 10 configuration commands, which are expected to be good for everyone. When talking about configuring a new Cisco router, most configurations depend on the type of the router and the purpose of the service. However, each administrator has his/her own command list for configuring each router correctly. I will share with you the list of ten commands for configuring your own vro.

When talking about configuring a new Cisco router, most configurations depend on the type of the router and the purpose of the service. However, there are some things you should configure on every new Cisco router. Which command standard do you want Cisco to use on each vro? Each administrator configures the commands of each vro correctly. This is a list of ten commands that I think you should configure on each vro (no special order ).

Cisco router security configuration command: configure a Logon account on the router

I strongly recommend that you configure a real user name and password account on the vro and vswitch. This means that you need a user and a password to gain access. In addition, we recommend that you use a secret password for your username, instead of a common password. It uses MD5 encryption to encrypt passwords, and greatly improves security. Example: Router (config) # username root secret My $ Password

After the user name is configured, you must enable the port using the user name. Example:
◆ Router (config) # line con 0
◆ Router (config-line) # login local
◆ Router (config) # line aux 0
◆ Router (config-line) # login local
◆ Router (config) # line vty 0 4
◆ Router (config-line) # login local

Cisco router security configuration command: Set a host name on the router

I guess the default host name on the router is router. You can keep this default value and the vro can run normally. However, it is meaningful to rename a vro and uniquely identify it. For example: Router (config) # hostname Router-Branch-23 In addition, you can configure a domain name on the Router, so that it knows which DNS domain. Example: Router-Branch-23 (config) # ip domain name TechRepublic.com

Cisco router security configuration command: set a password for privileged Mode

When talking about setting a password to enter the privileged mode, many people think of using the enable password command. However, instead of using this command, I strongly recommend using the enable secret command. This command uses the MD5 encryption method to encrypt the password, so the prompt is not displayed in plaintext. Example: Router (config) # enable secret My $ Password

Encrypted router Password

The Cisco router security configuration command does not encrypt the password in the configuration by default. However, you can easily change this point. Example: Router (config) # service password-encryption

Cisco router security configuration command: Disable Web Services

The Cisco router security configuration command also enables Web services by default, which is a security risk. If you don't want to use it, you 'd better disable it. Example: Router (config) # no ip http server

Cisco router security configuration command: Configure DNS or disable DNS Lookup

Let's discuss a small problem I personally think of as a Cisco router: by default, if a command is mistakenly entered in privileged mode, the router thinks you are trying to Telnet to a remote host. However, it performs DNS lookup on the content you enter.

If you do not configure dns on the vro, the command prompt will be suspended until the DNS search fails. For this reason, we recommend that you use one of the following two methods. One option is to disable DNS. The practice is: Router (config) # no ip domain-lookup or, you can correctly configure DNS to point to a real DNS server. Router (config) # ip name-server

Cisco router security configuration command: Configure command alias

Many network administrators know the abbreviation (alias) for configuring commands on routers ). Example: Router (config) # alias exec s sh run, which means you can enter s now without entering the complete show running-configuration command.

Cisco router security configuration command: Set the router clock or configure the NTP server

Most Cisco devices do not have an internal clock. When they are started, they do not know the time. Even if you set the time, If you disable or restart the vro, it does not retain this information. First, set your time zone and daylight saving time. Example:
◆ Router (config) # clock timezone CST-6
◆ Router (config) # clock summer-time CDT recurring
◆ Then, in order to ensure that the router event message shows the correct time, set the router clock or configure an NTP server. An example of clock setting is as follows:
◆ Router # clock set 10:54:00 Oct 5 2005

If you already have an NTP server (or a vro that can access the Internet) in the network, you can use it as the time source. This is your best choice. When the router is started, it will set the clock through the NTP server. Example: Router (config) # ntp server 13.03.4.101

Cisco router security configuration command: do not let log messages disturb your configuration process

Another small problem I think in Cisco IOS is that when I configure a vro, log messages (maybe the Console port, AUX port, or VTY port) are continuously displayed on the console interface ). You can do this in advance. Therefore, I use the log synchronization command on each port. Example:
◆ Router (config) # line con 0
◆ Router (config-line) # logging synchronous
◆ Router (config) # line aux 0
◆ Router (config-line) # logging synchronous
◆ Router (config) # line vty 0 4
◆ Router (config-line) # logging synchronous

In addition, you can modify the execution timeout of these ports on the port. For example, suppose you want to disable the default 10-minute timeout on the VTY line. In line configuration mode, run the exec-timeout 0 0 command so that the router will never exit.

Cisco router security configuration command: record system messages in the router buffer or System Log Server

Capturing router errors and events and monitoring the console are the key to solving the problem. By default, the router does not send buffered event records to the router memory. However, you can configure a router to send buffered event records to the memory. Example: Router (config) # logging buffered 16384 you can also send a Router event to a system log server. Because the server is outside the vro, there is an additional advantage: even if the vro is powered off, the event records are retained.