Access Control Lists (ACLs)
access-list [num] [permit|deny] [source]
- Standard ACL (1-99, 1300-1999)
- Controls traffic by source IP
ip access-list extended [name]
- Named extended ACL configuration
- More granular control options
ip access-group [acl] [in|out]
- Applies an ACL to an interface (on vty lines use access-class instead)
- Direction: inbound or outbound
Authentication
username [name] privilege [level] secret [pass]
- Creates local user account
- Privilege levels 0-15
enable secret [password]
- Sets a hashed (not cleartext) enable password
- Takes precedence over enable password
login local
- Use local username database
- Applied to line configurations
SSH Configuration
ip ssh version 2
- Enables SSH version 2 only
- More secure than version 1
crypto key generate rsa modulus [bits]
- Generates the RSA key pair SSH requires; hostname and ip domain-name must be set first
- 1024+ bits recommended
line vty 0 15
- Configure virtual terminal lines
- SSH/Telnet access lines; limit to SSH with transport input ssh
Port Security
switchport port-security
- Enables port security on interface
- Restricts MAC addresses
switchport port-security maximum [num]
- Sets max allowed MAC addresses
- Default is 1
switchport port-security violation [action]
- Actions: shutdown (default, err-disables the port), restrict, protect
- Response to a security violation
Logging and Monitoring
logging [ip-address]
- Sends logs to syslog server
- Centralized log collection
show logging
- Displays local log buffer
- Recent system messages
logging trap [level]
- Sets syslog severity level
- 0-7 (emergency to debugging)
SNMP Security
snmp-server community [string] ro
- Read-only community string
- Version 1/2c only: the community string is the sole credential and is sent in cleartext
snmp-server host [ip] version 3 [auth|noauth|priv] [user]
- SNMPv3; traffic is encrypted only at the priv security level
- User-based security
Verification Commands
show access-lists
- Displays all ACLs and hit counts
- Shows permit/deny statistics
show port-security interface [int]
- Port security status and violations
- Learned MAC addresses
show users
- Currently logged-in users
- Connection details and idle time
show privilege
- Current user privilege level
- Access rights information
Example Security Config
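An added example (not from the original page) that combines the commands above into one baseline configuration; the hostname, the 192.0.2.0/24 addresses, and the MGMT-HOSTS and NETMON names are assumptions, and every <...> placeholder is a password to replace.

```cisco
! Added example: baseline IOS security config built from the commands above.
! Hostname, addresses (RFC 5737 documentation range) and ACL/group names
! are assumed; replace every <...> placeholder with a real value.
hostname SW1
ip domain-name example.net
! SSH needs an RSA key pair; hostname and domain name must exist first
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local accounts and enable secret (stored as hashes, not cleartext)
username admin privilege 15 secret <ADMIN-SECRET>
enable secret <ENABLE-SECRET>
!
! Standard named ACL: only the management subnet may reach the vty lines
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! Port security on an access port: two MACs, restrict (drop + count) on violation
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Central syslog, severities 0-6 (emergency through informational)
logging host 192.0.2.50
logging trap informational
!
! SNMPv3 with authentication and privacy; no v1/v2c community strings
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <AUTH-PASS> priv aes 128 <PRIV-PASS>
snmp-server host 192.0.2.50 version 3 priv monitor
```

Verify with show access-lists, show port-security interface GigabitEthernet0/1 and show users after applying it.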