Lab5-3.net file for Dynamips:
##################################################
#
# CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
# Lab 5.3 Disabling Unneeded Services
# By Happy Peter http://blog.xuite.net/juilin77/happy
#
##################################################
autostart=false
[localhost:7200]
workingdir = /opt/dynamips/dynagen-0.10.1/UTS/CCNP2/Lab5-3/workingconfig
[[3725]]
# Specify 3725 IOS image on Linux here:
image = /opt/dynamips/images/c3725-ad.bin
ram = 256
idlepc = 0x60bf8d58
mmap = true
ghostios = true
confreg = 0x2102
###########################
#
# Define router instances 1
#
###########################
[[Router R1]]
model = 3725
console = 2001
Objectives
‧ Identify and disable unneeded and insecure services on a router
‧ Enable TCP keepalives
Scenario:
In this lab, you will disable unneeded services on a router.
Basic Configuration:
enable
configure terminal
!
no ip domain lookup
!
line console 0
logging synchronous
exec-timeout 0 0
!
hostname R1
Step 1: Configure the Physical Interface
Because this lab uses only one router, you will simulate an active FastEthernet connection by activating the interface and applying the "no keepalive" command, which puts the interface in an "always up" state regardless of whether a device exists at the remote end.
R1:
interface fastEthernet 0/0
ip address 192.168.10.1 255.255.255.0
no keepalive
no shutdown
Step 2: Ensure Services Are Disabled
At the privileged EXEC prompt, issue the auto secure command to start AutoSecure. You may notice that this command is hidden from the Cisco IOS in-line help system.
R1:
no ip finger
!
no service udp-small-servers
!
no service tcp-small-servers
Step 3: Manage Router Access
Enabling TCP keepalives causes the router to generate periodic keepalive messages, letting it detect and drop broken Telnet connections. This frees up hung Telnet sessions.
R1:
service tcp-keepalives-in
!
service tcp-keepalives-out
Step 4: Disable CDP
R1:
no cdp run
Step 5: Disable Other Unused Services
R1:
no service pad
!
no ip bootp server
!
no ip http server
!
no ip source-route
!
no ip gratuitous-arps
Step 6: Disable Unneeded Interface Services
R1:
interface fastEthernet 0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
Final Configurations
R1:
hostname R1
!
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
no ip domain lookup
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no keepalive
no mop enabled
!
no ip http server
no ip http secure-server
!
no cdp run
!
line con 0
exec-timeout 0 0
logging synchronous
!
end
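As an added check that is not part of the lab manual or this post: a small Python script that reads a saved running-config as text and reports which of this lab's hardening lines are absent. It assumes the config was saved with IOS's one-space indentation under interface stanzas, and it uses the R1 final configuration above as its sample input.

```python
# Global lines this lab adds. Each feature is on by default, so a saved
# running-config only proves the lab's setting when the explicit line is present.
REQUIRED_GLOBAL = ["no service pad", "no ip source-route", "no ip gratuitous-arps",
                   "no ip bootp server", "no ip http server", "no cdp run",
                   "service tcp-keepalives-in", "service tcp-keepalives-out"]
# Step 6 lines expected under Ethernet interfaces. "no ip directed-broadcast" and
# "no ip mask-reply" are IOS defaults that are not printed, so text cannot show them.
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables",
                      "no ip proxy-arp", "no mop enabled"]

def parse_interfaces(config):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or the next global command ends the stanza
    return stanzas

def audit(config):
    """List the hardening lines missing from config; an empty list means all present."""
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in global_lines]
    for name, lines in parse_interfaces(config).items():
        if "Ethernet" in name:  # MOP/proxy-ARP checks apply to Ethernet-type ports only
            findings += [f"{name}: missing '{c}'" for c in REQUIRED_INTERFACE if c not in lines]
    return findings

# Sample input, constructed from the R1 final configuration above and re-indented
# as IOS prints it (one leading space under an interface stanza).
SAMPLE_CONFIG = """hostname R1
no ip source-route
no ip gratuitous-arps
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
no ip http server
no cdp run
end
"""
```

Run against the final configuration above, the audit flags that "no service pad" and the two TCP keepalive lines from Steps 3 and 5 never made it into the saved config, which is exactly the kind of drift between lab steps and the running device that a config review is meant to catch.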
Reference:
Cisco Networking Academy
http://www.cisco.com/web/learning/netacad/index.html
CCNP Version 5.0: Implementing Secure Converged Wide-Area Networks
Student Lab Manual
First published / Last updated: 2008.10.03 / 2018.06.11