You can configure access lists to restrict and allow traffic to and from your Cisco device. Use the following commands:
| Command | Description |
|---|---|
| password <pass-value> | Sets the line password that is required when the line is configured with the login command (with no other parameters). |
| username <name> password <pass-value> | Defines one of possibly multiple user names and the associated password used for user authentication; used when the line is configured with login local. |
| enable password <pass-value> | Defines the password required by the enable command. It is stored in clear text unless service password-encryption is on, and it is ignored when an enable secret is also configured. |
| enable secret <pass-value> | Sets the password required to enter enable (privileged EXEC) mode. It is stored as a one-way hash and takes precedence over enable password, so prefer it. |
| service password-encryption | Directs Cisco IOS to encode the passwords, CHAP secrets and similar data saved in the configuration file (type 7). This is a reversible obfuscation, not encryption: it only hides passwords from someone glancing at the configuration, and anyone with a copy of the file can recover them. |
| ip access-list {standard \| extended} {acl-name \| acl-number} | Creates a standard or extended ACL and enters ACL configuration mode. |
| permit <source> <source-wildcard> | Adds a permit entry to a standard ACL. |
| deny <source> <source-wildcard> | Adds a deny entry to a standard ACL. |
| ip access-group {acl-name \| acl-number} {in \| out} | Applies an ACL to an interface in the inbound or outbound direction. |
| show access-lists [acl-name \| acl-number] | Displays ACL configuration and per-entry match counters. |
| no ip access-list {standard \| extended} {acl-name \| acl-number} | Removes an ACL. |
The console session below creates standard ACL 25 with the older global access-list <number> form (ip access-list standard 25 with permit and deny subcommands builds the same list) and then verifies it. Entries are evaluated top-down and the first match wins, and every ACL ends with an implicit deny any, so the final permit any is what allows the remaining traffic through:

```
NorthOfficeRouter(config)#access-list 25 deny 192.168.1.0 0.0.0.255
NorthOfficeRouter(config)#access-list 25 permit any
NorthOfficeRouter(config)#end
NorthOfficeRouter#
%SYS-5-CONFIG_I: Configured from console by console
NorthOfficeRouter#show access-lists 25
Standard IP access list 25
    deny 192.168.1.0 0.0.0.255
    permit any
NorthOfficeRouter#
```
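The following script is an added example, not part of the original page, that models how IOS evaluates a standard ACL: top-down, first match wins, implicit deny any at the end. It reuses the two entries of access-list 25 from the session above, and the test addresses and the reversed-order list are constructed to show that entry order decides the outcome. The shadowed_entries helper is my own addition for spotting entries that can never match.

```python
"""Evaluate a Cisco standard ACL the way IOS does: top-down, first match wins,
implicit 'deny any' at the end.  Added example, not from the page; the ACL
mirrors access-list 25 above and the test addresses are constructed."""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def parse_entry(entry: str) -> Tuple[str, int, int]:
    """Parse 'permit|deny <source> [wildcard]', 'any' or 'host <ip>'.

    Returns (action, address, wildcard) as integers.  A wildcard bit of 1
    means 'do not care'; 0 means the bit must match.  Omitting the wildcard
    is the IOS shorthand for a single host (wildcard 0.0.0.0).
    """
    parts = entry.split()
    action = parts[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL entry: {entry!r}")
    if parts[1] == "any":
        return action, 0, ALL_ONES
    if parts[1] == "host":
        return action, int(ipaddress.IPv4Address(parts[2])), 0
    address = int(ipaddress.IPv4Address(parts[1]))
    wildcard = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
    return action, address, wildcard


def wildcard_match(source_ip: str, address: int, wildcard: int) -> bool:
    """True if source_ip equals address on every bit the wildcard cares about."""
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(source_ip)) & care) == (address & care)


def evaluate(acl: List[str], source_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, matching entry); entry None marks the implicit deny."""
    for entry in acl:
        action, address, wildcard = parse_entry(entry)
        if wildcard_match(source_ip, address, wildcard):
            return action, entry
    return "deny", None


def shadowed_entries(acl: List[str]) -> List[str]:
    """Entries that can never match because an earlier entry covers them.

    Entry A covers entry B when A cares only about bits that B also cares
    about and both agree on those bits; B is then unreachable whatever its
    action, which is the classic 'permit any before the deny' mistake.
    """
    parsed = [parse_entry(e) for e in acl]
    shadowed = []
    for i, (_, addr_b, wc_b) in enumerate(parsed):
        care_b = ~wc_b & ALL_ONES
        for _, addr_a, wc_a in parsed[:i]:
            care_a = ~wc_a & ALL_ONES
            if (care_a & ~care_b) == 0 and (addr_a & care_a) == (addr_b & care_a):
                shadowed.append(acl[i])
                break
    return shadowed


# The list built in the console session above.
ACL_25 = ["deny 192.168.1.0 0.0.0.255", "permit any"]
# Same entries in the wrong order: 'permit any' matches first, the deny never fires.
ACL_25_REVERSED = list(reversed(ACL_25))

if __name__ == "__main__":
    for ip in ("192.168.1.77", "10.0.0.1"):   # constructed test addresses
        print(ip, evaluate(ACL_25, ip), evaluate(ACL_25_REVERSED, ip))
    print("unreachable:", shadowed_entries(ACL_25_REVERSED))
```

Running it shows 192.168.1.77 denied by list 25 but permitted by the reversed list, and shadowed_entries reports the deny in the reversed list as unreachable, which is exactly what show access-lists would reveal as an entry whose match counter never moves.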
Configuring SSH and Remote Access
Use the following commands to configure SSH and remote access:
| Command | Description |
|---|---|
| hostname <name> | Sets the hostname (if not already configured); the RSA key pair is named after the hostname and domain name. |
| ip domain-name <domain-name> | Configures the IP domain name, which must exist before the RSA key pair can be generated. |
| crypto key generate rsa | Generates an RSA key pair for SSH. |
| ip ssh version 2 | Restricts the device to SSH version 2 only. |
| username <username> privilege <level> secret <password> | Creates a local user account whose password is stored as a one-way hash. |
| line vty <line-range> | Enters configuration mode for the virtual terminal (remote access) lines. |
| transport input ssh | Allows only SSH on the VTY lines, so Telnet is no longer accepted. |
| login local | Authenticates VTY sessions against the local user database instead of a shared line password. |
The output below shows the generation of the RSA keys. The key pair is named after the hostname and domain name, which is why both must be set first. The default modulus of 512 bits is far too small for current use; choose at least 2048:

```
NorthOfficeRouter#config t
Enter configuration commands, one per line.  End with CNTL/Z.
NorthOfficeRouter(config)#ip domain-name Cisco
NorthOfficeRouter(config)#crypto key generate rsa
The name for the keys will be: NorthOfficeRouter.Cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

NorthOfficeRouter(config)#
```
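The script below is an added example, not from the original page, that audits a saved IOS configuration for the weaknesses discussed in the password table earlier and in this SSH section. It reverses service password-encryption (type 7) strings to demonstrate that they are an obfuscation rather than encryption, and it flags an enable password with no enable secret, missing ip ssh version 2, and VTY lines that still accept Telnet. The two sample configurations are constructed; the hash in the hardened one is a placeholder, not a real digest.

```python
"""Audit a saved IOS configuration for weak password and remote-access settings.

Added example, not from the page.  It reverses 'service password-encryption'
(type 7) strings to show they are recoverable and flags enable/VTY/SSH
settings that leave remote access weak.  Both sample configurations are
constructed; the hash in the hardened one is a placeholder.
"""
import re
from typing import List

# Fixed XOR key used by the IOS type 7 encoding; it has been public for decades.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"^(.*?)\bpassword 7 ([0-9A-Fa-f]{2,})$")


def type7_decode(encoded: str) -> str:
    """A type 7 string is a two-digit seed followed by hex bytes XORed with XLAT."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ XLAT[(seed + i) % len(XLAT)]) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 9) -> str:
    """Inverse of type7_decode; IOS picks the seed itself, any value 0-15 works."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings: List[str] = []
    section = ""            # current top-level command, e.g. 'line vty 0 4'
    enable_secret = enable_password = ssh_v2 = vty_seen = False
    vty_transport = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        indented = raw.startswith(" ")   # IOS indents sub-commands by one space
        if not indented:
            section = cmd
        m = TYPE7_RE.match(cmd)
        if m:
            where = section if indented else m.group(1).strip()
            findings.append(f"type 7 password under '{where}' decodes to "
                            f"'{type7_decode(m.group(2))}'")
        enable_secret |= cmd.startswith("enable secret")
        enable_password |= cmd.startswith("enable password")
        ssh_v2 |= cmd == "ip ssh version 2"
        if section.startswith("line vty"):
            vty_seen = True
            if cmd.startswith("transport input"):
                vty_transport = cmd.split()[2:]
    if enable_password and not enable_secret:
        findings.append("enable password configured without enable secret (no one-way hash)")
    if not ssh_v2:
        findings.append("ip ssh version 2 not configured")
    if vty_seen and (vty_transport is None or set(vty_transport) & {"telnet", "all"}):
        findings.append("vty lines are not restricted to SSH (transport input ssh)")
    return findings


# Constructed sample: everything the tables above advise against.
WEAK_CONFIG = """\
hostname NorthOfficeRouter
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 7 020A014F0603062F
line vty 0 4
 password 7 094F471A1A0A
 login
 transport input telnet ssh
"""

# Constructed sample with the corrected settings; the secret hash is a placeholder.
HARDENED_CONFIG = """\
hostname NorthOfficeRouter
enable secret 5 $1$EXMP$placeholder.hash.value
username admin privilege 15 secret 5 $1$EXMP$placeholder.hash.value
ip domain-name Cisco
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Decoding is a single XOR pass with a fixed key, which is why any type 7 string in a configuration backup, a TFTP share or a ticket attachment should be treated as plaintext; enable secret and username ... secret are the only forms that store a hash.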
Implementing Port Security
Use the following commands to implement port security:
| Command | Description |
|---|---|
| switchport port-security | Enables port security on the interface. |
| switchport port-security maximum <number> | Sets the maximum number of secure MAC addresses on the port (default 1). |
| switchport port-security mac-address {mac-addr \| sticky [mac-addr]} | Adds a MAC address to the list of secure MAC addresses, or with sticky lets the port learn addresses dynamically and write them into the running configuration. |
| switchport port-security violation {shutdown \| restrict \| protect} | Sets the action taken when a frame from a non-secure MAC address arrives at a full table: shutdown (the default) err-disables the port, restrict drops the frame and logs and counts the violation, protect drops the frame silently. |
| show port-security [interface interface-id] | Displays the port-security settings, secure address count and violation count for the interface. |
The example below shows port security being enabled on a switch port with sticky learning. The port must be a static access port first (switchport mode access); the port-security command is rejected on a port still in dynamic mode. With no further options the defaults apply: one secure MAC address and the shutdown violation mode. Sticky addresses are written into the running configuration as they are learned, so save the configuration (copy running-config startup-config) or they are lost on reload.

```
Switch(config)#interface FastEthernet0/7
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#
```
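The simulation below is an added example, not code from the original page, that makes the difference between the three violation modes visible. A constructed sequence of frames is sent through a port with maximum 1: a legitimate host, the same host again, an unknown host, then the legitimate host once more. The log strings are modelled on the IOS syslog messages for these events and are not claimed to be exact.

```python
"""Model the port-security behaviour of one switch port under the three
violation modes.  Added example, not from the page; frames are constructed and
the log lines are modelled on, not copied from, IOS syslog output."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MODES = ("shutdown", "restrict", "protect")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (default 1)
    violation: str = "shutdown"      # switchport port-security violation (default shutdown)
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    running_config: List[str] = field(default_factory=list)   # sticky entries land here
    violation_count: int = 0
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False                      # port is down until an admin re-enables it
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamically learned secure address
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return True
        # Table is full and the source is unknown: this is a violation.
        if self.violation == "protect":
            return False                      # dropped silently, nothing counted or logged
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"PSECURE_VIOLATION on {self.name} caused by MAC {src_mac}")
            return False                      # port stays up, only the offender is dropped
        self.err_disabled = True              # shutdown: whole port goes err-disabled
        self.log.append(f"ERR_DISABLE psecure-violation on {self.name}")
        return False


def run_scenario(mode: str, sticky: bool = False) -> Dict[str, object]:
    """Feed a constructed frame sequence through a fresh port in the given mode."""
    port = SecurePort(name="FastEthernet0/7", maximum=1, violation=mode, sticky=sticky)
    frames = ["aaaa.aaaa.aaaa", "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa"]
    forwarded = [port.receive(mac) for mac in frames]
    return {"forwarded": forwarded, "violations": port.violation_count,
            "err_disabled": port.err_disabled, "running_config": port.running_config,
            "log": port.log}


if __name__ == "__main__":
    for mode in MODES:
        print(mode, run_scenario(mode))
    print("sticky", run_scenario("restrict", sticky=True)["running_config"])
```

The last frame is the point to watch: in shutdown mode the legitimate host is cut off too, because the whole port is err-disabled after the violation, while restrict and protect keep serving it and differ only in whether the violation is counted and logged. Sticky learning adds the learned address to the running configuration, which is what the save step after the CLI example above preserves.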
Managing User Accounts
You can use the following commands to manage user accounts:
| Command | Description |
|---|---|
| username <username> privilege <level> secret <password> | Creates a local user account at the given privilege level; secret stores a one-way hash rather than a recoverable password. |
| show users | Displays the current user sessions. |
| no username <username> | Removes a user account. |
| security passwords min-length <length> | Sets the minimum length enforced for new user, enable and line passwords. It is a length check only, not a complexity policy, and it does not apply to passwords that already exist. |