Router Routing Protocol Security Configuration

Source: Internet
Author: User

1. First, disable proxy ARP, which Cisco IOS enables by default on every interface. With proxy ARP on, the router answers ARP requests for addresses that are not on the local segment, so hosts with a wrong subnet mask or default gateway still appear to work and all of their traffic is funneled through the router's MAC address; that hides misconfiguration and gives an attacker on the segment one more way to redirect traffic. Disable it per interface, or globally on releases that support the global form:

Router(config-if)# no ip proxy-arp
! Global form on newer IOS releases:
Router(config)# ip arp proxy disable

2. Enable OSPF authentication. OSPF "simple password" (Type 1) authentication sends the password in cleartext in every packet, so use MD5 (Type 2, "message-digest") authentication instead: the key never appears on the wire, each packet carries a keyed MD5 digest plus a sequence number that stops replays, and a neighbor that does not hold the same key ID and key cannot form an adjacency. Choose a key of reasonable strength (up to 16 characters); every router on the link must be configured with the same key ID and the same key. Authentication can be turned on for the whole area (as below) or per interface with ip ospf authentication message-digest. Note that MD5 is a single 16-byte shared secret with no built-in rotation; newer IOS releases also support key chains with HMAC-SHA (RFC 5709) through ip ospf authentication key-chain, which is preferable where available.

Router(config)# router ospf 100
Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable authentication for the area:
!   area <area-id> authentication                 -> simple password (sent in cleartext)
!   area <area-id> authentication message-digest  -> MD5
Router(config-router)# area 100 authentication message-digest
Router(config-router)# exit
Router(config)# interface Ethernet0/1
! Configure key ID 1 with the MD5 key routerospfkey.
!   ip ospf authentication-key <key>              -> simple-password key, sent in cleartext
!   ip ospf message-digest-key <1-255> md5 <key>  -> MD5 key; key ID and key must match on the neighbor
Router(config-if)# ip ospf message-digest-key 1 md5 routerospfkey

3. RIP authentication. Only RIPv2 supports authentication; RIPv1 does not. Use RIPv2 with MD5 authentication; the "text" mode sends the password in cleartext in every update. RIP takes its keys from a key chain, which also lets you stage a second key with accept-lifetime and send-lifetime so that keys can be rotated without dropping the routing exchange.

Router# configure terminal
! Define a key chain holding the RIP keys
Router(config)# key chain mykeychainname
Router(config-keychain)# key 1
! Set the key string
Router(config-keychain-key)# key-string MyFirstKeyString
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string MySecondKeyString
Router(config-keychain-key)# exit
Router(config-keychain)# exit
! Enable RIPv2
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network 192.168.100.0
Router(config-router)# exit
Router(config)# interface Ethernet0/1
! Use MD5 authentication and select the configured key chain
Router(config-if)# ip rip authentication mode md5
Router(config-if)# ip rip authentication key-chain mykeychainname
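The property sections 2 and 3 both rely on, that a "message-digest" key is shared between neighbors but never transmitted, is easiest to see by computing the digest. The following Python is an added example, not code from this page and not Cisco IOS: it builds a minimal OSPF Hello with the RFC 2328 Appendix D cryptographic-authentication trailer (RIPv2 authentication in RFC 2082 uses the same keyed-MD5 construction, so the check applies to the RIP configuration as well), then plays the receiver that checks key ID, sequence number and digest. The router IDs, area ID, sequence numbers and the key are constructed sample values; zero-padding of keys shorter than 16 bytes follows the RFC.

```python
"""Keyed-MD5 routing-protocol authentication as OSPF (RFC 2328 Appendix D)
and RIPv2 (RFC 2082) define it: the shared key never goes on the wire,
the sender appends MD5(packet || key), and a sequence number defeats replay.
Added example; not Cisco IOS code. All packet contents are constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_TYPE_CRYPTOGRAPHIC = 2   # "message-digest" in IOS terms
OSPF_HEADER_LEN = 24
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """RFC 2328 D.3: the key is 16 octets; shorter keys are zero-padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                key: bytes, mask: str = "255.255.255.0") -> bytes:
    """Build an OSPF Hello carrying a cryptographic-authentication trailer.

    digest = MD5(OSPF packet || padded key); the digest follows the packet and
    is not counted in the header length field, as the RFC describes."""
    body = struct.pack("!4sHBBI4s4s",
                       IPv4Address(mask).packed,   # network mask
                       10,                         # hello interval
                       0x02,                       # options (E bit)
                       1,                          # router priority
                       40,                         # router dead interval
                       b"\x00" * 4, b"\x00" * 4)   # DR, BDR (none yet)
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH",
                         OSPF_VERSION, OSPF_HELLO, length,
                         IPv4Address(router_id).packed,
                         IPv4Address(area_id).packed,
                         0,                          # checksum is 0 with auth type 2
                         AUTH_TYPE_CRYPTOGRAPHIC)
    # Authentication field: reserved(2), key id(1), auth data len(1), sequence(4)
    auth_field = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth_field + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify_hello(frame: bytes, keyring: dict, last_seq: dict) -> str:
    """Receiver side: return 'ok' or the reason the packet is rejected.
    keyring maps key id -> key (what 'ip ospf message-digest-key N md5 ...'
    configures); last_seq holds the highest accepted sequence per router id."""
    if len(frame) < OSPF_HEADER_LEN + DIGEST_LEN:
        return "too short"
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    router_id = frame[4:8]
    au_type = struct.unpack("!H", frame[14:16])[0]
    _reserved, key_id, data_len, seq = struct.unpack("!HBBI", frame[16:24])
    if version != OSPF_VERSION or au_type != AUTH_TYPE_CRYPTOGRAPHIC:
        return "not cryptographic authentication"
    if data_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
        return "bad length"
    key = keyring.get(key_id)
    if key is None:
        return "unknown key id"            # neighbors must share key id AND key
    if seq < last_seq.get(router_id, 0):
        return "replayed sequence number"  # RFC 2328 D.4.3 anti-replay rule
    packet, digest = frame[:length], frame[length:]
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return "digest mismatch"           # wrong key or modified packet
    last_seq[router_id] = seq
    return "ok"


def demo() -> dict:
    """Exercise the checks with constructed frames; returns the outcomes."""
    key = b"routerospfkey"                 # the key from the page's example
    frame = build_hello("10.0.0.1", "0.0.0.100", key_id=1, seq=1000, key=key)
    state = {}
    # flip one bit in the Hello options byte: the digest no longer matches
    tampered = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]
    newer = build_hello("10.0.0.1", "0.0.0.100", key_id=1, seq=1001, key=key)
    results = {
        "key_on_wire": key in frame,                               # False
        "good": verify_hello(frame, {1: key}, state),              # "ok"
        "wrong_key": verify_hello(frame, {1: b"otherkey"}, {}),    # "digest mismatch"
        "wrong_key_id": verify_hello(frame, {2: key}, {}),         # "unknown key id"
        "tampered": verify_hello(tampered, {1: key}, {}),          # "digest mismatch"
        "newer": verify_hello(newer, {1: key}, state),             # "ok"
    }
    # replaying the first frame after a newer one was accepted is refused
    results["replay"] = verify_hello(frame, {1: key}, state)       # "replayed sequence number"
    return results
```

The key is combined with the packet only inside the hash, so a sniffer on the segment sees the digest and the sequence number but never the key; what it cannot do is forge a packet with a different body, and it cannot replay a captured one once a newer sequence number has been seen.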

4. The passive-interface command stops a routing protocol from speaking on interfaces that have no routing neighbor (user LANs, management ports, links toward untrusted networks). Enable it on every interface that does not need a routing adjacency. The behavior differs by protocol: under RIP, a passive interface stops sending updates but still accepts updates it receives, so an attacker on that segment can still inject routes unless authentication or a distribute-list blocks them; under OSPF, a passive interface neither sends nor receives Hellos, so no adjacency can form. On IOS, passive-interface default makes every interface passive and no passive-interface <if> re-enables only the ones that need neighbors, which is the safer starting point.

! In RIP, stop Ethernet0/3 from sending route updates (it still listens)
Router(config)# router rip
Router(config-router)# passive-interface Ethernet0/3
! In OSPF, stop Ethernet0/3 from sending and receiving Hellos
Router(config)# router ospf 100
Router(config-router)# passive-interface Ethernet0/3

5. Use access lists with distribute-list to filter unwanted or malicious route advertisements, so that bogus prefixes are neither installed locally nor propagated to other routers.

Router(config)# access-list 10 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit any
! Prevent the router from installing received routes for the 192.168.1.0 network.
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 in
! Prevent the router from advertising routes for the 192.168.1.0 network.
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 out

Caveat: in a link-state protocol such as OSPF, distribute-list in only keeps the matching routes out of this router's routing table; the LSAs are still stored in the link-state database and flooded to neighbors. distribute-list out under OSPF applies only to routes being redistributed into OSPF, not to normal LSA flooding. Under RIP, a distance-vector protocol, both directions filter the updates themselves. A standard ACL matches only the route's network address, so it cannot distinguish 192.168.1.0/24 from 192.168.1.0/25; use an ip prefix-list with distribute-list prefix when the prefix length matters.
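How a standard ACL decides which routes a distribute-list passes, and why it cannot see prefix lengths, as an added Python example (not code from this page and not IOS): wildcard matching with IOS semantics against each route's network address, the implicit deny at the end of the list, and a prefix-list style matcher with ge/le for comparison. The ACL, prefix list and route list are constructed samples that mirror access-list 10 above.

```python
"""Route filtering as 'distribute-list <acl> in|out' applies it, next to an
'ip prefix-list' style matcher. Added example; not IOS code. Inputs are constructed."""
from ipaddress import IPv4Address, IPv4Network


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_permits(acl, network: str) -> bool:
    """acl: list of (action, base, wildcard); ("permit", "any", None) is shorthand
    for 0.0.0.0 255.255.255.255. First match wins; no match is an implicit deny.
    A standard ACL sees only the route's network address, never its length."""
    for action, base, wildcard in acl:
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard_match(network, base, wildcard):
            return action == "permit"
    return False


def prefix_list_permits(plist, route: str) -> bool:
    """plist: list of (action, prefix, ge, le). A route matches when it lies
    inside the prefix and its length is within [ge, le]; with neither given
    only the exact length matches, with ge only the range is ge..32."""
    r = IPv4Network(route)
    for action, prefix, ge, le in plist:
        p = IPv4Network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False


# Constructed samples mirroring the page's access-list 10
ACL_10 = [("deny", "192.168.1.0", "0.0.0.255"), ("permit", "any", None)]
PREFIX_LIST = [("deny", "192.168.1.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
ROUTES = ["192.168.1.0/24", "192.168.1.0/25", "192.168.1.128/25", "192.168.10.0/24"]


def filter_with_acl(routes, acl) -> list:
    """Routes that survive a distribute-list using a standard ACL."""
    return [r for r in routes if acl_permits(acl, r.split("/")[0])]


def filter_with_prefix_list(routes, plist) -> list:
    """Routes that survive a distribute-list using a prefix list."""
    return [r for r in routes if prefix_list_permits(plist, r)]


def demo() -> dict:
    return {
        # the ACL drops every route whose address is in 192.168.1.0/24, whatever its length
        "acl": filter_with_acl(ROUTES, ACL_10),                      # ["192.168.10.0/24"]
        # the prefix list drops exactly 192.168.1.0/24 and keeps the longer prefixes
        "prefix_list": filter_with_prefix_list(ROUTES, PREFIX_LIST),
        # ["192.168.1.0/25", "192.168.1.128/25", "192.168.10.0/24"]
    }
```

The difference matters in both directions: an ACL-based filter meant to block one bogus /24 also silences every legitimate more-specific route inside it, while a prefix-list entry without ge/le blocks only the exact prefix and lets a malicious more-specific through unless you add ge 25 (or le 32) explicitly.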

6. Enable unicast Reverse-Path Forwarding (uRPF) verification. For each packet, the router looks up the source address in its forwarding table and, in strict mode, drops the packet unless the best route back to that source leaves through the interface the packet arrived on; this blocks traffic with spoofed source addresses at the network edge. It requires CEF (Cisco Express Forwarding), since the check is done against the CEF table. Use strict mode only where routing is symmetric: on links with asymmetric return paths it drops legitimate traffic, and the loose-mode variant (ip verify unicast source reachable-via any), which only requires that some route to the source exist, is the usual fallback. In either mode the default route does not count as a valid path unless allow-default is added.

Router# configure terminal
! Enable CEF
Router(config)# ip cef
! Enable strict-mode uRPF on the interface
! (newer syntax: ip verify unicast source reachable-via rx)
Router(config)# interface Ethernet0/1
Router(config-if)# ip verify unicast reverse-path
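The decision the interface command above makes per packet, as an added Python example (not code from this page and not IOS): a longest-prefix lookup over a small constructed forwarding table, the strict and loose checks, the allow-default option, and the asymmetric-routing case in which strict mode drops a legitimate packet. The prefixes, interface names and source addresses are constructed samples.

```python
"""Unicast RPF as 'ip verify unicast reverse-path' (strict) applies it, with
loose mode for comparison. Added example; not IOS code. The FIB is constructed."""
from ipaddress import IPv4Address, IPv4Network

# Constructed forwarding table: (prefix, outgoing interface). Two entries with
# the same prefix would model equal-cost paths.
FIB = [
    ("10.0.0.0/24", "Ethernet0/2"),
    ("192.168.100.0/24", "Ethernet0/1"),
    ("172.16.0.0/16", "Ethernet0/3"),
    ("0.0.0.0/0", "Ethernet0/3"),
]


def lookup(fib, addr: str):
    """Longest-prefix match. Returns (network, set of outgoing interfaces),
    or (None, set()) when nothing matches."""
    a = IPv4Address(addr)
    best_net, ifaces = None, set()
    for prefix, iface in fib:
        net = IPv4Network(prefix)
        if a not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, ifaces = net, {iface}
        elif net.prefixlen == best_net.prefixlen:
            ifaces.add(iface)           # equal-cost path via another interface
    return best_net, ifaces


def urpf_check(fib, src: str, ingress: str, mode: str = "strict",
               allow_default: bool = False) -> bool:
    """True if the packet passes uRPF.
    strict: the best route to src must leave via the ingress interface.
    loose:  any route to src suffices.
    The default route counts only with allow_default (IOS 'allow-default')."""
    net, ifaces = lookup(fib, src)
    if net is None:
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return ingress in ifaces


def demo() -> dict:
    """Constructed packets: spoofed, legitimate, unrouted, and asymmetric."""
    return {
        # source claims 10.0.0.5 but arrives on 0/1; the route to 10.0.0.0/24 points at 0/2
        "spoofed_strict": urpf_check(FIB, "10.0.0.5", "Ethernet0/1"),                   # False
        "spoofed_loose": urpf_check(FIB, "10.0.0.5", "Ethernet0/1", mode="loose"),      # True
        # a host on the 192.168.100.0/24 segment behind 0/1
        "legit_strict": urpf_check(FIB, "192.168.100.7", "Ethernet0/1"),                # True
        # only the default route covers 203.0.113.9
        "unrouted_loose": urpf_check(FIB, "203.0.113.9", "Ethernet0/3", mode="loose"),  # False
        "unrouted_allow_default": urpf_check(FIB, "203.0.113.9", "Ethernet0/3",
                                             allow_default=True),                        # True
        # asymmetric routing: packets from 172.16.0.0/16 arrive on 0/1 but we route back via 0/3
        "asymmetric_strict": urpf_check(FIB, "172.16.5.5", "Ethernet0/1"),              # False
        "asymmetric_loose": urpf_check(FIB, "172.16.5.5", "Ethernet0/1", mode="loose"), # True
    }
```

The asymmetric case is the one that bites in practice: the packet is legitimate, but strict mode drops it because the reverse path does not use the ingress interface. Before enabling strict mode on a link, confirm from the routing table that every source expected on that link is routed back through it; otherwise deploy loose mode, which still stops sources with no route at all (including unallocated and, without allow-default, default-routed space).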

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.