Cisco Network Device Hardening Manual
- Format: doc
- Size: 77.50 KB
- Pages: 8
Cisco Catalyst IE3400 Rugged Series
Data sheet
Cisco public

Contents: Product overview; Product specifications; System dimensions; Ordering information; Warranty; Cisco environmental sustainability; Cisco Services; Cisco Capital; Document history

The Cisco Catalyst® IE3400 Rugged Series ushers in mainstream adoption of advanced Gigabit Ethernet connectivity in a compact form-factor, modular switch purpose-built for a wide variety of extended enterprise and industrial applications.

Product overview

The Cisco Catalyst IE3400 Rugged Series switches deliver advanced, high-speed Gigabit Ethernet connectivity in a compact form factor, and are designed for a wide range of industrial applications where hardened products are required. The modular design of the Cisco Catalyst IE3400 Rugged Series offers the flexibility to expand up to 26 ports of Gigabit Ethernet with a range of expansion module options. The platform is built to withstand harsh environments in manufacturing, energy, transportation, mining, smart cities, and oil and gas. The IE3400 platform is also ideal for extended enterprise deployments in outdoor spaces, warehouses, and distribution centers.

The IE3400 Series runs Cisco IOS® XE, a next-generation operating system with built-in security and trust, featuring secure boot, image signing, and the Cisco® Trust Anchor module. Cisco IOS XE also provides API-driven configuration with open APIs and data models.

The Cisco Catalyst IE3400 Rugged Series can be managed with powerful management tools such as Cisco DNA Center and Industrial Network Director, and can be easily set up with a completely redesigned, user-friendly, modern GUI tool called WebUI.
The platform also supports Full Flexible NetFlow (FNF) for real-time visibility into traffic patterns and threat analysis with Cisco Stealthwatch®.

The IE3400 series (with expansion module) supports a power budget of up to 480W for PoE/PoE+, shared across 24 ports, and is ideal for connecting PoE-powered end devices such as IP cameras, phones, wireless access points, sensors, and more.

Figure 1. Cisco Catalyst IE3400 Rugged Series

Features and benefits

Table 1. IE3400 Features and benefits
1 Parallel Redundancy Protocol (PRP) is available on the IE3400 base switch on select ports only (Gig1/1 - Gig1/4). A single instance of PRP is supported.
2 Orderability currently planned for January, 2021

Products overview

Table 2. Product feature sets
1 The Hardware PID with "-E" suffix is Network Essentials and with "-A" suffix is Network Advantage. The Network Advantage License includes all Network Essentials features.

Product specifications

Table 3 highlights the hardware configuration for Cisco Catalyst IE3400 Rugged Series switches and the supported modules with these switches.

Table 3. IE3400 Hardware configurations (incl. IE3400 and IE3300 modules)
* PoE modules can only be plugged into a PoE base switch. IE3300 expansion modules can also be plugged into an IE3400 base switch. However, this combination prevents support for advanced security features such as SGT/SGACL on the IE3400 base switch.
** Network Advantage License includes all Network Essentials features.
1 Orderability currently planned for January, 2021

Table 4 highlights the hardware specifications for Cisco Catalyst IE3400 Rugged Series switches.

Table 4. IE3400 hardware specifications
1 In order to achieve the 480W power budget, the minimum power requirements specified in Table 8 for the switch need to be considered when selecting the power supply.
2 The USB and SD card are optional and are not shipped by default with the switch.
3 USB 2.0 to load system images and set configurations

Figure 2. Expansion modules

Table 5 highlights the hardware configuration for Cisco Catalyst IE3400 Rugged Series modules.

Table 5. Hardware configuration for Cisco Catalyst IE3300 and IE3400 Rugged Series modules
1 Orderability currently planned for January, 2021
2 Please refer to the conditions for using IEEE 802.3bt type 4 standard power in the Hardware Installation Guide at product availability

Table 6 highlights the physical configuration for Cisco Catalyst IE3400 Rugged Series switches and modules.

Table 6. IE3400 physical configurations

System dimensions

Front view <IE3400 Non-PoE>
Front view <IE3400 PoE>
Module dimensions – Front view
Single-wide expansion modules effectively add 2 inches to the system width.
Double-wide expansion modules effectively add 3 inches to the system width.
Top view

Table 7 highlights the performance and scalability features for Cisco Catalyst IE3400 Rugged Series switches.
Table 7. IE3400 performance and scalability features
1 Supported with -A SKUs or -E SKUs (with Network Advantage license).
2 The SD card is optional and is not shipped by default with the switch.

Table 8 highlights the power specifications for Cisco Catalyst IE3400 Rugged Series switches.

Table 8. IE3400 power specifications
1 Power consumption for the non-PoE model is measured at 12V and for the PoE model at 54V. Power consumption does not include PoE power.

Table 9 highlights the power specifications for supported expansion modules in Cisco Catalyst IE3400 Rugged Series switches.

Table 9. IEM3300/IEM3400 expansion modules power consumption
1 Power consumption for the non-PoE model is measured at 12V and for the PoE model at 54V. Power consumption does not include PoE power.

Table 10 highlights the power supply options for Cisco Catalyst IE3400 Rugged Series switches.

Table 10. Power supply options
1 The entire power budget for the switch and PoE ports must stay within the power supply wattage.
2 The power supplies are not certified for smart grid and hazardous locations. These power supplies are IP20 rated.

Tables 11 and 12 highlight the supported software features for Cisco Catalyst IE3400 Rugged Series switches.

Table 11. Key supported software features (Network Essentials License)
1 Supported on uplink ports
2 Parallel Redundancy Protocol (PRP) is available on the IE3400 base switch on select ports only (Gig1/1 - Gig1/4). A single instance of PRP is supported.

Table 12. Key supported software features (Network Advantage License)
** Network Advantage License includes all Network Essentials features.
1 SGT/SGACL is supported on the IE3400 base switch and only on IEM-3400 expansion modules.

Table 13 highlights the details on Cisco DNA Essentials and Cisco DNA Advantage License for Cisco Catalyst IE3400 Rugged Series switches.

Table 13. Cisco IE3400 Cisco DNA Essentials and Cisco DNA Advantage license
Cisco DNA licenses for Industrial Ethernet switches are add-on/optional and not mandatory. These do not include Network Tier features.

Table 14 highlights the compliance specifications for Cisco Catalyst IE3400 Rugged Series switches.

Table 14. Compliance specifications
1 For more detailed information on safety-approved power/thermal ratings, refer to the Hardware Installation Guide.
2 Test in progress.

Table 15 highlights Mean Time Between Failures (MTBF) for Cisco Catalyst IE3400 Rugged Series switches.

Table 15. MTBF information (Telcordia Issue 3)
* Figures are predicted MTBF numbers, measured according to Telcordia Issue 4.
The numbers may vary at availability.

Table 16 highlights information about management and standards for Cisco Catalyst IE3400 Rugged Series switches.

Table 16. Management and standards
RFC 793: TCP; RFC 826: ARP; RFC 854: Telnet; RFC 959: FTP; RFC 1157: SNMPv1; RFC 1901, 1902-1907: SNMPv2; RFC 2273-2275: SNMPv3; RFC 2571: SNMP Management; RFC 1166: IP Addresses; RFC 1256: ICMP Router Discovery; RFC 1305: NTP; RFC 951: BootP; RFC 1643: Ethernet Interface MIB; RFC 1757: RMON; RFC 2068: HTTP; RFC 2131, 2132: DHCP; RFC 2236: IGMP v2; RFC 3376: IGMP v3; RFC 2474: DiffServ Precedence; RFC 3046: DHCP Relay Agent Information Option; RFC 3580: 802.1x RADIUS; RFC 4250-4252: SSH Protocol; RFC 5460: DHCPv6 bulk lease query
SNMP MIB objects: 802.1X MIB; CISCO-DHCP-SNOOPING-MIB; CISCO-UDLDP-MIB; CISCO-ENVMON-MIB; CISCO-PRIVATE-VLAN-MIB; CISCO-PAE-MIB; Cisco-Port-QoS-MIB; CISCO-ERR-DISABLE-MIB; CISCO-PROCESS-MIB; LLDP-MIB; CiscoMACNotification-MIB; CISCO-CONFIG-COPY-MIB; LLDP-MED-MIB; Bridge-MIB; CISCO-CAR-MIB; CISCO-LAG-MIB; CISCO-SYSLOG-MIB; CISCO-FTP-CLIENT-MIB; CISCO-VLAN-IFTABLE-RELATIONSHIP-MIB; CISCO-VLAN-MEMBERSHIP-MIB; Cisco-REP-MIB; CISCO-PORT-STORM-CONTROL-MIB; CISCO-CDP-MIB; CISCO-IF-EXTENSION-MIB; CISCO-IMAGE-MIB; CISCO-MEMORY-POOL-MIB; CISCO-PING-MIB; SNMP-TARGET-EXT-MIB; IF_MIB; ENTITY-MIB; LLDP-EXT-PNO-MIB; NOTIFICATION-LOG-MIB; OLD-CISCO-CPU-MIB; ETHERLIKE-MIB; OLD-CISCO-SYSTEM-MIB; OLD-CISCO-MEMORY-MIB; RMON-MIB; SNMP-COMMUNITY-MIB; SNMP-FRAMEWORK-MIB; SNMP-PROXY-MIB; SNMP-MPD-MIB; SNMP-NOTIFICATION-MIB; SNMP-TARGET-MIB; SNMP-USM-MIB; CISCO-DATACOLLECTION-MIB; CISCO-CABLE-DIAG-MIB

Table 17 highlights information about supported SFPs for Cisco Catalyst IE3400 Rugged Series switches.
Table 17. SFP support
1 If non-industrial SFPs (EXT, COM) are used, the switch operating temperature must be derated.

Ordering information

Table 18 lists the ordering information for fixed systems, expansion modules and memory that are commonly used with the Cisco Catalyst IE3400 switches.

Table 18. Ordering information
1 Orderability currently planned for January, 2021

Warranty

Five-year limited hardware warranty on all IE3400 PIDs and all IE Power Supplies (see Table 9 above). See the link below for more details on the warranty: https:///c/en/us/products/warranties/warranty-doc-c99-740591.html.

Cisco environmental sustainability

Information about Cisco's environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the "Environment Sustainability" section of Cisco's Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the "Environment Sustainability" section of the CSR Report) are provided in the following table:

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Cisco Services

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

Document history

Printed in USA C78-741760-06 12/20
Cisco Router and Switch Security Hardening Principles

Network security has two main aspects. The first is data-plane security, which uses techniques such as ACLs to help application systems strengthen overall security; the second is control-plane security, which strengthens the security of the network devices themselves by restricting access to them.

Data-plane security has already been discussed fairly systematically in my earlier work "Network-Layer Access Control: ACLs Explained" (《网络层权限访问控制――ACL详解》).

This article concentrates on the control plane, that is, the security of the device itself, again using Cisco devices, which hold the largest market share, as the example.
1. Main control-plane security threats and response principles

The control plane of a network device is, in essence, a running operating system. Since it is an operating system, every security threat that other operating systems may face can also apply to network devices. In summary, these fall into the following areas:

1. Defects in the system itself: an operating system is a complex system, and no matter how carefully it is tested before release, defects will appear. Once a defect appears, the only remedy is to patch the system as quickly as possible. The difference between Cisco IOS/CatOS and other general-purpose operating systems is that with IOS/CatOS the entire system image must be replaced with a patched one; the latest Cisco security advisories and patch information can be looked up from Cisco.

2. Default services: like most general-purpose operating systems, IOS and CatOS have a large number of services enabled by default, and these may create potential security risks. The remedy is to disable the services that are not needed, following the principle of least privilege.

3. Weak and cleartext passwords: in IOS, the privileged (enable) password can be stored with either strong or weak encryption, while ordinary access passwords are stored in cleartext by default.

4. Unauthorized users can manage the device: a device can be managed in-band over the network via telnet/SNMP, and out-of-band via the console and AUX ports. By default, out-of-band management has no password restriction, which carries a considerable security risk.

5. The CDP protocol leaks device information.

6. DDoS attacks can stop the device from operating normally; the solution is to use a control-plane policy to limit the traffic that reaches the control plane.

7. Auditing after a security incident has occurred, which is missing by default.
2. Cisco IOS hardening

For IOS releases after (4)T, most of the functions below can be completed with the auto secure command; since most users are not yet in a position to upgrade to that IOS release, the command lines that are needed are still listed here.

1. Disable unneeded services:

  no ip http server
  0.0.055
  access-list 99 deny any log
  ntp access-group peer 98
  99 in
  1.1.1 any
  access-list 110 deny ip 2.2.2 any
  .....
  access-list 110 deny ip 3.3.3 any
  ! restrict all other traffic
  access-list 110 permit ip any any
  !
  class-map control-plane-limit
   match access-group 110
  !
  policy-map control-plane-policy
   class control-plane-limit
    police 32000 conform-action transmit exceed-action drop
  !
  control-plane
   service-policy input control-plane-policy

3. Cisco CatOS hardening

1. Disable unneeded services:

  set cdp disable        // disable CDP
  set ip http disable    // disable the HTTP server; it has had many security vulnerabilities

2. Configure time and logging parameters to support security auditing:

  set logging timestamp enable    // enable log timestamps
  set logging server              // send logs to
  set logging server              // send logs to
  !
  set timezone PST-8              // set the time zone
  set ntp authenticate enable     // enable NTP authentication
  set ntp key 1 md5 uadsf         // set the NTP authentication key, using MD5
Cisco Nexus 9332C and 9364C Fixed Spine Switches
Data sheet
Cisco public

Contents: Product overview; Specifications; Performance and scalability; Regulatory Standards Compliance; Supported optics pluggable; Software licensing; Ordering information; Warranty; Cisco environmental sustainability; Service and Support; Cisco Capital; For more information

Product overview

Based on Cisco® Cloud Scale technology, this platform supports cost-effective, ultra-high-density cloud-scale deployments, an increased number of endpoints, and cloud services with wire-rate security and telemetry. The platform is built on a modern system architecture designed to provide high performance and meet the evolving needs of highly scalable data centers and growing enterprises.

The product is designed to support innovative technologies such as Media Access Control Security (MACsec), Virtual Extensible LAN (VXLAN), tunnel endpoint VTEP-to-VTEP overlay encryption, CloudSec and Streaming Statistics Export (SSX)1. MACsec is a security technology that allows traffic encryption at the physical layer and provides secure server, border leaf, and leaf-to-spine connectivity. SSX is hardware-based, consisting of a module that reads statistics from the ASIC and sends them to a remote server for analysis. Through this application, users can better understand network performance without any impact on the switch control plane or CPU.

Cisco provides two modes of operation for Cisco Nexus® 9000 Series Switches. Organizations can use Cisco NX-OS Software to deploy the switches in standard Cisco Nexus switch environments (NX-OS mode).
Organizations can also deploy the infrastructure that is ready to support the Cisco Application Centric Infrastructure (Cisco ACI™) platform to take full advantage of an automated, policy-based, systems-management approach (Cisco ACI mode).

Switch models

The Cisco Nexus 9364C Spine Switch is a 2-Rack-Unit (2RU) spine switch that supports 12.84 Tbps of bandwidth and 4.3 bpps across 64 fixed 40/100G QSFP28 ports and 2 fixed 1/10G SFP+ ports (Figure 1). Breakout cables are not supported. The last 16 ports marked in green are capable of wire-rate MACsec encryption.1 The switch can operate in Cisco ACI Spine or NX-OS mode.

Figure 1. Cisco Nexus 9364C Switch
1 See the latest release notes for additional information here.

The Cisco Nexus 9332C is a compact form-factor 1-Rack-Unit (1RU) spine switch that supports 6.4 Tbps of bandwidth and 4.4 bpps across 32 fixed 40/100G QSFP28 ports and 2 fixed 1/10G SFP+ ports (Figure 2). Breakout cables are not supported. The last 8 ports marked in green are capable of wire-rate MACsec encryption.2 The switch can operate in Cisco ACI Spine or NX-OS mode.

Figure 2. Cisco Nexus 9332C Switch

Specifications

Table 1. Cisco Nexus 9300 ACI Spine Switch specifications
2 See the latest release notes for additional information here.
3 The 930W-DC PSU is supported in redundancy mode if 3.5W QSFP+ modules or passive QSFP cables are used and the system is used at 40°C ambient temperature or less; for other optics or higher ambient temperatures, 930W-DC is supported with 2 PSUs in non-redundancy mode only.
4 The 750W AC PSU is compatible only with software versions ACI-N9KDK9-14.2 or NXOS-9.3.3 and onwards
5 HVAC/HVDC support is on the roadmap for future releases (confirmed).

Performance and scalability

Table 2 lists the performance and scalability specifications for the Cisco Nexus 9364C and 9332C switches.

Table 2. Performance and scalability specifications
* LPM-heavy values are the maximum numbers.
** 127 VLANs out of 4096 are reserved.

Refer to the Cisco Nexus 9000 Series Verified Scalability Guide for the latest, exact scalability numbers validated for specific software.

Regulatory Standards Compliance

Table 3 summarizes regulatory standards compliance for the Cisco Nexus 9364 and 9332C switches.

Table 3. Regulatory Standards Compliance: Safety and EMC
* Cisco Nexus N9K-C9364C passes EMC Radiated Emissions standards in all configurations, with the only exception being if > 40 pluggable optics of Cisco QSFP-100G-SR4-S, Part# 10-3142-02 (or 10-3142-01) are used.

Supported optics pluggable

For details on the optical modules available and the minimum software release required for each supported optical module, visit https:///en/US/products/hw/modules/ps5455/products_device_support_table_list.html.

Software licensing

The software packaging for the Cisco Nexus 9000 Series offers flexibility and a comprehensive feature set. The default system software has a comprehensive Layer 2 security and management feature set. To enable additional functions, including Layer 3 IP unicast and IP multicast routing and Cisco Nexus Data Broker, you must install additional licenses. The licensing guide illustrates the software packaging and licensing available to enable advanced features. For the latest software release information and recommendations, refer to the product bulletin at https:///go/nexus9000.

Ordering information

Table 4 presents ordering information for the Cisco Nexus 9300 ACI Spine Switch.

Table 4. Ordering information
6 The 1100W DC power supply (NXA-PDC-1100W-PE/PI) is shipped with a connector already plugged into the power supply; a cable is therefore not required. For more product specification information, please see the Hardware Installation Guide here.

Warranty

The Cisco Nexus 9300 switch has a 1-year limited hardware warranty.
The warranty includes hardware replacement with a 10-day turnaround from receipt of a Return Materials Authorization (RMA).

Cisco environmental sustainability

Information about Cisco's environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the "Environment Sustainability" section of Cisco's Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the "Environment Sustainability" section of the CSR Report) are provided in the following table:

Reference links to product-specific environmental sustainability information that is mentioned in relevant sections of this data sheet are provided in the following table:
7 NXK-ACC-KIT-1RU/2RU are on the roadmap for future releases.

© 2022 Cisco and/or its affiliates. All rights reserved.

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Service and Support

Cisco offers a wide range of services to help accelerate your success in deploying and optimizing the Cisco Nexus 9300 switch in your data center. The innovative Cisco Services offerings are delivered through a unique combination of people, processes, tools, and partners and are focused on helping you increase operational efficiency and improve your data center network. Cisco Advanced Services uses an architecture-led approach to help you align your data center infrastructure with your business goals and achieve long-term value. Cisco SMARTnet™ Service helps you resolve mission-critical problems with direct access at any time to Cisco network experts and award-winning resources.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

For more information on the Cisco Nexus 9000 Series and for the latest software release information and recommendations, please visit https:///go/nexus9000.

Printed in USA C78-739886-15 04/22
Maintenance

• Reset Device
• Reset Options and Load Upgrades
• Remote Lock
• Remote Wipe
• Boot Alternate Image for Cisco DX70
• Boot Alternate Image for Cisco DX80
• Boot Alternate Image for Cisco DX650
• Data Migration
• Debugging Log Profiles
• User Support

Reset Device

A device reset provides a way to reset or restore various configuration and security settings, or provides a way to recover the device if the device encounters an error. The following procedure describes the types of resets that you can perform.

Note: All three reset methods cause deletion of all user data and reset all settings on the device.

The following occurs on a device when you perform a reset:
• User configuration settings - Reset to default values.
• Network configuration settings - Reset to default values.
• Call histories - Get erased.
• Locale information - Reset to default values.
• Security settings - Reset to default values; this includes deletion of the CTL file and change of the 802.1x Device Authentication parameter to Disabled.

Note: Do not power down the device until it completes the factory reset process.

Procedure

You can reset the device with any of these operations. Choose the operation that is appropriate for your situation.

• Method 1: Cisco Unified Communications Manager Administrator Web GUI
1 From the Product Specific Configuration Layout area of the device configuration window, enable Wipe Device.
2 Issue an Apply Config, Restart, or Reset command from the Admin GUI to push the wipe to the device.

• Method 2: Settings application
1 In the Settings application, choose Backup & reset > Factory data reset.
Note: If a PIN or Password is configured on the device, it will need to be entered before the reset can proceed.

• Method 3: Key-press sequences
This method should be used if the device is secured with a PIN or Password lock and the PIN/password has been lost.
Follow these steps to reset a Cisco DX70 on boot up:
1 Power on the device and wait for the Mute LED to blink.
2 Press and hold the Volume Up button until the Mute button is lit red.
3 Release the Volume Up button, then press and hold the Mute button for 3 seconds.
Follow these steps to reset a Cisco DX80 on boot up:
1 Press and hold the Volume Up button and power on the device.
2 Release the Volume Up button when the Mute button is lit red, then press the Mute button.
Follow these steps to reset a Cisco DX650 on boot up:
1 Press and hold the # key and power on the device.
2 When the Message Waiting Indicator (MWI) flashes red once then stays lit, release the # key.

Reset Options and Load Upgrades

Cisco DX Series devices receive configuration changes and load upgrades from Cisco Unified Communications Manager. The following protocol describes how the device handles change requests:
• Reset waits for the active call to end.
• If the device screen is on, the user receives a popup dialog box that notifies the user about the changes and the need for a restart. The dialog box provides the following options:
◦ Restart: Dismisses the popup dialog box and restarts the device (default action).
◦ Snooze: Dismisses the popup dialog box for an hour. The user can set the device to snooze for a maximum of 24 hours, after which the device will restart.
The popup dialog box has a countdown timer of 60 seconds. The default action begins if the user does not act.
Note: After the user sets the device to snooze, the user has the option to manually reset the device at any time from the notifications list.
• If the device screen is off, active audio keeps the request waiting.

Remote Lock

This feature allows you to lock a device from the Device Configuration window in Cisco Unified Communications Manager. When the device receives a remote lock request, the device immediately terminates any active calls, and the device locks. If the device is not registered with the system at the time of the request, the device is locked the next time that it registers to the system.

Note: After you issue a remote lock request, the request cannot be canceled.

Remote Lock Device Procedure
Step 1 In the Phone Configuration window for the device, click Lock.
Step 2 Click Lock to accept the Lock confirmation message.
You can view the Lock status in the Device Lock/Wipe Status section of the Phone Configuration window for the device.

Remote Wipe

This feature allows you to erase the data on a device from the Device Configuration window in Cisco Unified Communications Manager. When the device receives a remote wipe request, the device immediately terminates any active calls and erases the device data. If the device is not registered with the system at the time of the request, the data is erased the next time that the device registers to the system.

Note: After you issue a remote wipe request, the request cannot be canceled.

Remote Wipe Device Procedure
Step 1 In the Phone Configuration window for the device, click Wipe.
Step 2 Click Wipe to accept the Wipe confirmation message.
You can view the Wipe status in the Device Lock/Wipe Status section of the Phone Configuration window for the device.

Boot Alternate Image for Cisco DX70
Procedure
Step 1 Power on the device and wait for the Mute LED to blink.
Step 2 Press and hold the Volume Down button until the Mute button is lit red.
Step 3 Release the Volume Down button, then press and hold the Mute button for 3 seconds.

Boot Alternate Image for Cisco DX80
Procedure
Step 1 Press and hold the Volume Down button and power on the device.
Step 2 Release the Volume Down button when the Mute button is lit red, then press the Mute button.

Boot Alternate Image for Cisco DX650
Procedure
Step 1 Disconnect the power to turn the device off.
Step 2 Press and hold the * key, then connect the power supply.
Step 3 Keep the * key held until the message LED becomes solid.
Step 4 When the message LED flashes 3 times, release the * key.
The device uses the alternate image to boot.

Data Migration

The data migration feature ensures that a factory reset is not required when data incompatibility exists after a firmware upgrade. Data may still be lost upon downgrade to an earlier release of firmware.

Note: If you upgrade to a newer firmware release, you may not be able to revert to an earlier release without losing data.

If you downgrade to earlier firmware and the device is not able to migrate data, you receive an alarm. Instruct the user to back up the user data or perform a remote wipe of the device. When the device registers to Cisco Unified Communications Manager, the device detects prior factory resets, overrides migration, downgrades, and reboots. When the device reboots, it loads the downgraded firmware.

Debugging Log Profiles

You can turn on debugging log profiles remotely for a device or group of devices.

Set Debugging Log Profile for Call Processing
Procedure
Step 1 Go to the Product Specific Configuration Layout area of the individual device configuration window or Common Phone Profile window.
Step 2 Check Log Profile, and choose Telephony.
Step 3 Save your changes.
Step 4 The user is notified that debug logging is enabled in the notification area. The user can expand the message for more information, but cannot dismiss the notification.

Reset Debugging Log Profile to Default
Procedure
Step 1 Go to the Product Specific Configuration Layout area of the individual device configuration window or Common Phone Profile window.
Step 2 Check Log Profile, and select Default to reset all debugs to the default values. This includes debugs that have been set manually from Android Debug Bridge.
Step 3 Save and apply your changes.
Step 4 Choose Preset to keep the current debug levels.
Step 5 Save your changes.

User Support

To successfully use some of the features on their devices, users must receive information from you or from your network team or be able to contact you for assistance. Make sure to provide end users with the names of people to contact for assistance and with instructions for contacting those people. Cisco recommends that you create a web page on your internal support site that provides users with important information about their device.

Problem Report Tool

Users submit problem reports to you with the Problem Report Tool.

Note: The Problem Report Tool logs are required by Cisco TAC when troubleshooting problems.

To issue a problem report, users access the Problem Report Tool and provide the date and time that the problem occurred, and a description of the problem. You must add a server address to the Customer Support Upload URL field on Cisco Unified Communications Manager. If you are deploying devices with Mobile and Remote Access through Expressway, you must also add the PRT server address to the HTTP Server Allow list on the Expressway server.

Configure Customer Support Upload URL

You must use a server with an upload script to receive PRT files. The PRT uses an HTTP POST mechanism, with the following parameters included in the upload (utilizing multipart MIME encoding):
• devicename (example: "SEP001122334455")
• serialno (example: "FCH12345ABC")
• username (the username configured in CUCM, the device owner)
• prt_file (example: "probrep-20141021-162840.tar.gz")

A sample script is shown below. This script is provided for reference only. Cisco does not provide support for the upload script installed on a customer's server.

  <?php
  // NOTE: you may need to edit your php.ini file to allow larger
  // size file uploads to work.
  // Modify the setting for upload_max_filesize
  // I used: upload_max_filesize=20M

  // Retrieve the name of the uploaded file (basename() strips any
  // directory components the client may have sent)
  $filename = basename($_FILES['prt_file']['name']);

  // Get rid of quotes around the device name, serial number and username if they exist
  $devicename = $_POST['devicename'];
  $devicename = trim($devicename, "'\"");
  $serialno = $_POST['serialno'];
  $serialno = trim($serialno, "'\"");
  $username = $_POST['username'];
  $username = trim($username, "'\"");

  // where to put the file
  $fullfilename = "/var/prtuploads/" . $filename;

  // If the file upload is unsuccessful, return a 500 error and
  // inform the user to try again
  if (!move_uploaded_file($_FILES['prt_file']['tmp_name'], $fullfilename)) {
      header("HTTP/1.0 500 Internal Server Error");
      die("Error: You must select a file to upload.");
  }
  ?>

Procedure
Step 1 Set up a server that can run your PRT upload script.
Step 2 Write a script that can handle the parameters listed above, or edit the provided sample script to suit your needs.
Step 3 Upload your script to your server.
Step 4 In Cisco Unified Communications Manager, go to the Product Specific Configuration Layout area of the individual device configuration window, Common Phone Profile window, or Enterprise Phone Configuration window.
Step 5 Check Customer support upload URL and enter your upload server URL.
Example: /prtscript.php
Step 6 Save your changes.

Take Screenshot From Web Browser
Procedure
Use your browser to go to this URL: http://<Endpoint IP Address>/CGI/Screenshot
You receive a prompt that asks for the associated user ID name and password.

Take Screenshot From Device
Procedure
Press the Vol Down button and Power/Lock button for three seconds.

Application Support

Evaluate whether the issue is a device issue or a problem with the application. If the problem is application related, contact the application support center directly.
Cisco Network Device Security Manual
November 2005

Contents
1 IOS version upgrade
2 Disabling services
3 Usernames
4 Passwords
5 Access control
6 Using SSH
7 Using MD5 authentication for routing protocols
8 Network device logging
9 SNMP
10 Changing the device network label

1 IOS version upgrade

➢ Make sure the device operating system software is kept up to date. Older software versions bring security and stability risks, so devices should be upgraded to a newer version whenever the device's FLASH capacity allows. Where necessary, the device's FLASH capacity can be upgraded.
➢ Make sure all network device maintenance is performed locally.
➢ For network devices that permit remote login for management, password protection and a corresponding ACL must be configured to restrict the range of host IP addresses that may log in remotely, and an encrypted login method such as SSL must be used.
2 Disabling services

➢ Disable services that are not needed on the device:

Small services (echo, discard, chargen, etc.)
  Router(config)#no service tcp-small-servers
  Router(config)#no service udp-small-servers
Finger
  Router(config)#no service finger
  Router(config)#no ip finger
HTTP
  Router(config)#no ip http server
SNMP
  Router(config)#no snmp-server
CDP
  Router(config)#no cdp run
Remote config
  Router(config)#no service config
Source routing
  Router(config)#no ip source-route
PAD
  Router(config)#no service pad
ICMP
  Router(config)#no ip icmp redirect
DNS
  Router(config)#no ip name-server

➢ If HTTP must be used to manage the device, the following authentication setup is recommended: use the ip http access-class command to ensure that only authorized addresses can access it, and use TACACS+ or RADIUS to authenticate logins:
  Router(config)#ip http access-class
  Router(config)#ip http authentication <enable, local, tacacs>
  Router(config)#ip http port 11111
  Router(config)#ip http server

3 Usernames

➢ If no username is in use, add username authentication:
  Router(config)#username myname password mypass
➢ Different routers activate this in different ways: it may be necessary to use line vty and then set login local, or it may be necessary to enable AAA mode by configuring aaa new-model.
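The command list in section 2 above, and the "default services" point in the IOS hardening principles earlier on this page, only say which commands to enter; checking a saved running-config for them is less obvious because some services show up in the config when enabled while others only show up when disabled. The script below is an added example, not from either manual, that audits a config text against that list. It assumes classic IOS defaults (small servers, finger and remote config are off unless the command appears; CDP, PAD and IP source routing are on unless an explicit no form appears) and also checks for service password-encryption, following the cleartext-password point above; the sample configs are constructed.

```python
"""Audit an IOS running-config against the service-hardening checklist."""

# kind "absent":  the command must not appear (service is off by default on
#                 classic IOS, so its presence means someone turned it on)
# kind "present": the exact line must appear (service is on by default, so
#                 only an explicit "no ..." line in the config turns it off)
# kind "prefix":  no top-level line may start with this text
# The on/off-by-default behaviour is an assumption about classic IOS; the
# manual itself only lists the commands to enter.
CHECKS = [
    ("absent",  "service tcp-small-servers",   "no service tcp-small-servers"),
    ("absent",  "service udp-small-servers",   "no service udp-small-servers"),
    ("absent",  "service finger",              "no service finger"),
    ("absent",  "ip finger",                   "no ip finger"),
    ("absent",  "service config",              "no service config"),
    ("prefix",  "snmp-server community",       "no snmp-server (if SNMP is not needed)"),
    ("present", "no cdp run",                  "no cdp run"),
    ("present", "no ip source-route",          "no ip source-route"),
    ("present", "no service pad",              "no service pad"),
    ("present", "service password-encryption", "service password-encryption"),
]


def global_lines(config_text):
    """Top-level lines of a running-config: drops indented sub-mode lines
    (interface/line/router blocks), '!' comments and blanks, and collapses
    repeated spaces so 'no  cdp run' still matches 'no cdp run'."""
    out = []
    for raw in config_text.splitlines():
        if not raw or raw[0].isspace() or raw.startswith("!"):
            continue
        out.append(" ".join(raw.split()))
    return out


def audit_config(config_text):
    """Return a list of (finding, remediation) tuples; an empty list means
    the config satisfies every check in CHECKS plus the HTTP rules."""
    lines = global_lines(config_text)
    lineset = set(lines)
    findings = []
    for kind, pattern, fix in CHECKS:
        if kind == "absent" and pattern in lineset:
            findings.append((f"'{pattern}' is enabled", fix))
        elif kind == "present" and pattern not in lineset:
            findings.append((f"'{pattern}' missing (default leaves it on)", fix))
        elif kind == "prefix" and any(l.startswith(pattern + " ") for l in lines):
            findings.append((f"'{pattern} ...' configured", fix))
    # The manual allows the HTTP server only with an access-class and an
    # authentication method, so check both whenever it is enabled.
    if "ip http server" in lineset:
        if not any(l.startswith("ip http access-class ") for l in lines):
            findings.append(("'ip http server' without access-class",
                             "ip http access-class <acl>"))
        if not any(l.startswith("ip http authentication ") for l in lines):
            findings.append(("'ip http server' without authentication method",
                             "ip http authentication local|tacacs"))
    return findings


# Constructed sample: a router that still has several defaults in place.
SAMPLE_CONFIG = """\
! constructed sample running-config, not taken from any real device
version 12.4
service tcp-small-servers
no service pad
hostname edge-rtr
ip http server
ip http authentication local
no  cdp run
snmp-server community public RO
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
line vty 0 4
 login local
end
"""

# Constructed sample: the same device after applying the manual's commands.
HARDENED_CONFIG = """\
! constructed sample, hardened
version 12.4
service password-encryption
no service pad
hostname edge-rtr
no ip source-route
no cdp run
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 login local
end
"""

if __name__ == "__main__":
    for finding, fix in audit_config(SAMPLE_CONFIG):
        print(f"FINDING: {finding:55} -> {fix}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```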
INDUSTRY-LEADING CLOUD MANAGEMENT
Cloud management has a number of benefits that make it easier to build networks large and small:
• Single pane of glass management of distributed switch deployments, wireless APs, and firewalls across multiple sites through the browser.
• Virtual stacking: manage up to thousands of ports from a single pane of glass.
• Layer 7 visibility with operating system, client, and hostname fingerprinting.
• Powerful Live Tools such as packet capture and cable test to isolate network issues.
• Alerts upon power loss, downtime, or configuration changes.
• Role-based administration and automatic, scheduled firmware upgrades over the web.
• Regular feature updates and enhancements delivered on demand from the Meraki cloud.
• True zero-touch provisioning

MS220 & MS320 Series

Overview
The Cisco Meraki MS brings the benefits of the cloud to networks of all sizes: simplified management, reduced complexity, network-wide visibility and control, with lower operational cost for campus and branch deployments. Cisco Meraki access switching is available in both Layer 2 and powerful Layer 3 models. Mission-critical features — like deep, Layer 7 application visibility, network topology, virtual stacking, QoS for business critical applications, 802.1X access control, and more — are present in all models.
The MS320 is a powerful switch designed for branch access, with high-speed connectivity, high availability, PoE+, and optional redundant power supplies. The MS220 family provides layer 2 access switching and is ideal for deploying to branch locations. This family also supports an optional, rack-mountable remote PSU.¹
¹ Except MS220-8/P models.

A FRESH APPROACH
Meraki switches are built from the ground up to be easy to manage without compromising any of the power and flexibility traditionally found in enterprise-class switches. Cisco Meraki switches are managed through an elegant, intuitive cloud interface, rather than a cryptic command line. To bring up a Meraki switch, just plug it in; there's no need for complicated configuration files, or even direct physical access to the switch.
Meraki's centralized management gives administrators deep visibility into the network and how it's used. See which switches are near capacity across hundreds of sites. Find all configuration changes made by a certain person with instant search.

Cloud Managed Access Switches

ENTERPRISE-CLASS HARDWARE
Meraki switches feature high-end hardware and an exceptional feature set, including:
• Four built-in SFP/SFP+ ports (two SFP ports for MS220-8/P, shared on MS220-24 models)
• GbE and 10 GbE uplink ports for high-speed connectivity to aggregation layer switches or other upstream devices
• Wire-speed switch fabric (up to 432 Gbps) and QoS queues per port for converged voice, video, and data deployments
• Low power consumption, quiet acoustic designs, and shallow rack depth options, enabling flexible deployment in wiring closets as well as offices and classrooms
• Fanless design on select models
• Up to 740 watt PoE budget with PoE+ support for powering APs, phones, cameras, and other PoE enabled devices (124W for MS220-8/P)
• Power over Ethernet and PoE+, up to 30W per port
• Lifetime hardware warranty and advanced replacement at no additional cost
• Field-replaceable, hot-swappable power supplies and fans. RPS option for mission-critical applications

FULL ENTERPRISE FEATURE SET
Meraki switches include all of the traditional Ethernet features found on the highest end products, including:
• Quality-of-Service (QoS) to prioritize mission critical traffic such as voice and video
• IEEE 802.1X support for port based network access control
• MAC-based RADIUS auth and MAC whitelisting
• Voice VLAN support for simplified VoIP deployments
• Port Mirroring to monitor network traffic
• DHCP snooping to prevent users from adding unauthorized DHCP servers on the network
• IGMP Snooping to optimize network performance with multicast traffic
• Link Aggregation Control Protocol (LACP) for high-capacity trunking, and increased availability
• Rapid spanning tree, BPDU guard, root guard, and other safeguards to help prevent misconfigurations and reduce convergence time
• Per port VLAN configuration
• Multiple administrative roles with sophisticated security policy management
• Layer 3 on MS320 series extends routing down to the network edge

Simplified Management and Operations
Meraki's cloud managed architecture makes it simpler than ever to quickly provision and reconfigure switch ports with security, QoS, and other parameters. The Meraki dashboard provides unified policies, event logs, and monitoring, which make it easy to manage and grow large network deployments.
By providing a complete, powerful set of management functions over the web, Meraki's cloud-based management eliminates the need for proprietary command line configuration interfaces which require expensive and time consuming certifications. Meraki MS switches can be fully deployed and provisioned in minutes, without requiring any local configuration or staging. Additional or replacement switches can be sent to remote offices and installed by non-technical staff, saving thousands of dollars in time and travel expenses.
The Meraki MS family also includes several remote diagnostic features, from network connectivity and cable integrity tests to latency measurement tools. For deep client troubleshooting, administrators can even perform per-port remote pcap packet captures without any additional probes or hardware on site.

LAYER 7 VISIBILITY
Meraki is the only switch to include integrated Layer 7 fingerprinting. Identify hundreds of applications from business apps to BitTorrent and YouTube. User fingerprinting with Google-like search allows administrators to easily identify and control individual users, PCs, iMacs, iPads, Androids, and other devices. This unprecedented visibility allows optimizing of network resources and maintaining optimal network performance.

[Figure captions: Combined Views of Thousands of Ports; Automatic E-mail Alerts; Meraki Cloud Management Architecture; Scheduled Firmware Updates]

NETWORK TOPOLOGY
Cisco Meraki switches include integrated network topology, which automatically maps the whole network, shows direct and redundant links across wired and wireless infrastructure, and is essential for troubleshooting network issues that would otherwise require manual mapping, overlay monitoring software, or keeping track of MAC address tables.

CONVERGED VOICE, VIDEO AND DATA ENVIRONMENTS
The Meraki switch family is designed to unify data, voice, and video onto a single IP backbone. All Meraki switches support rich quality-of-service (QoS) functionality for prioritizing data, voice, and video traffic. The switches support eight class-of-service (CoS) queues on every port, enabling them to maintain end-to-end traffic prioritization.
PoE models provide power to VoIP telephones, IP security cameras, wireless access points (APs), and other IP devices. The Meraki MS switches also support standards-based 25.5 watt (30 watt max per port) IEEE 802.3at for powering networked devices like multiple radio IEEE 802.11n APs, video phones and VDI terminals that may require more power than available with IEEE 802.3af. In addition, using CDP and LLDP, PoE power is intelligently budgeted to maximize the number of PoE clients supported.
To ease deployment, Meraki switches support the industry-standard Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP), enabling switches to automatically discover Ethernet-enabled devices, determine their power requirements and join the correct virtual LAN (VLAN).

MERAKI'S UNIFIED SOFTWARE ARCHITECTURE
Meraki switches run the same Meraki operating system used by Meraki's firewalls and wireless LAN products. The use of a common operating system allows Meraki to deliver a consistent experience across all products.

LAYER 3
Cisco Meraki MS320 series switches augment security and performance with built-in layer 3 features. Large network deployments can use warm spare redundancy, or OSPF to manage routing between VLANs through Meraki's intuitive, web-based dashboard.

[Figure captions: Detail of a typical network topology view; Integrated Remote, Live Tools; Detailed Views of Individual Devices; Specifying Layer 3 Subnets and Routes]

Designed for Reliability & Environmental Efficiency
The Meraki switch family was designed for reliable, long-lived operation in wiring closet environments, which may be prone to high temperatures and limited ventilation. By minimizing total component count and only using proven switching silicon, Meraki is able to deliver mean time between failure (MTBF) ratings of over 750,000 hours on products such as the Meraki MS220-8.
Each Meraki switch also operates with a split-plane architecture, where silicon-based switching and data forwarding are separated from software-based control and management.
By decoupling the underlying switching logic from control, each unit is able to deliver wire-speed switching even when advanced software features such as Layer 7 host and OS fingerprinting are enabled.
Finally, the highly integrated designs of Meraki switches result in power and cooling savings in large deployment environments of 30-60% when compared with similar managed Gigabit switches.

DISTRIBUTED BRANCHES & REMOTE SITES
Meraki's cloud-based system makes it easy to manage a single switch, or thousands of distributed switches, from a single interface.
• Troubleshoot problems remotely, e.g., find which port has a bad cable attached.
• Add or replace switches without having to send a technician onsite. Switches automatically download their current configuration as soon as they are connected to the network.
• Receive email alerts or SMS messages whenever there's a

CAMPUS EDGE
MS switches are ideal for small and large scale campus deployments, where reliability, scalability, and manageability are top priorities.
• Virtual Stacking lets administrators manage up to thousands of ports in a single interface without having to physically connect stack members.
• 10GbE cable SFP+ ports with link aggregation provide high speed connectivity to aggregation switches such as the MS425.
• Get alerts when any switch fails or goes offline, before users complain.

Power Options
MS220 family: Cisco RPS Module (PWR-RPS2300)*
MS320 family: field-replaceable internal power supplies (see What's Included below)

MS220 FAMILY
Model | Physical Dimensions (H x W x D) | Weight | Interface | Idle/Full Load Power | Switching Capacity
MS220-8 | 1.75 x 9.05 x 8.66 in (4.46 x 23 x 22.9 cm) | 2.37 lb (1.08 kg) | 8x 10/100/1000BASE-T Ethernet RJ45; 2x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 5/10 W | 20 Gbps
MS220-8P | 1.75 x 9.05 x 8.66 in (4.46 x 23 x 22 cm) | 2.96 lb (1.34 kg) | 8x 10/100/1000BASE-T Ethernet RJ45; 2x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 13/159 W | 20 Gbps
MS220-24 | 1.74 x 19.1 x 10.11 in (4.44 x 48.5 x 25.7 cm) | 5.97 lb (2.71 kg) | 24x 10/100/1000BASE-T Ethernet RJ45 (4 shared with SFP); 4x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 9/19 W | 48 Gbps
MS220-24P | 1.74 x 19.1 x 10.11 in (4.44 x 48.5 x 25.7 cm) | 8.59 lb (3.9 kg) | 24x 10/100/1000BASE-T Ethernet RJ45 (4 shared with SFP); 4x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 30/447 W | 48 Gbps
MS220-48 | 1.74 x 19.1 x 14.17 in (4.44 x 48.5 x 36 cm) | 8.47 lb (3.84 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 28/51 W | 104 Gbps
MS220-48LP | 1.74 x 19.1 x 14.17 in (4.44 x 48.46 x 36 cm) | 10.88 lb (4.93 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 45/505 W | 104 Gbps
MS220-48FP | 1.74 x 19.1 x 14.17 in (4.44 x 48.5 x 36 cm) | 10.9 lb (4.94 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP for 1GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 49/903 W | 104 Gbps

MS320 FAMILY (depth includes PSU)
Model | Physical Dimensions (H x W x D) | Weight | Interface | Idle/Full Load Power | Switching Capacity
MS320-24 | 1.74 x 19.1 x 20.39 in (4.44 x 48.6 x 51.79 cm) | 10.69 lb (4.85 kg) | 24x 10/100/1000BASE-T Ethernet RJ45; 4x SFP+ for 10GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 24/39 W | 128 Gbps
MS320-24P | 1.74 x 19.1 x 20.39 in (4.44 x 48.6 x 51.79 cm) | 11.85 lb (5.37 kg) | 24x 10/100/1000BASE-T Ethernet RJ45; 4x SFP+ for 10GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 32/454 W | 128 Gbps
MS320-48 | 1.74 x 19.1 x 20.39 in (4.44 x 48.6 x 51.79 cm) | 11.38 lb (5.16 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP+ for 10GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 34/55 W | 176 Gbps
MS320-48LP | 1.74 x 19.1 x 20.39 in (4.44 x 48.6 x 51.79 cm) | 12.62 lb (5.72 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP+ for 10GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 46/480 W | 176 Gbps
MS320-48FP | 1.74 x 19.1 x 22.31 in (4.44 x 48.6 x 56.67 cm) | 13.13 lb (5.95 kg) | 48x 10/100/1000BASE-T Ethernet RJ45; 4x SFP+ for 10GbE uplink; auto negotiation and crossover detection (auto-MDIX) | 52/885 W | 176 Gbps
Dimensions and weight include the chassis assembly as it is shipped, with one power supply and one power supply slot blank.

What's Included
MS220 Family
MS220-8: 1 x Power Cord (MA-PWR-CORD-US), integrated slide-out mounting brackets
MS220-8P: 1 x Power Cord (MA-PWR-CORD-US), integrated slide-out mounting brackets
MS220-24: 1 x Power Cord (MA-PWR-CORD-US)
MS220-24P: 1 x Power Cord (MA-PWR-CORD-US)
MS220-48: 1 x Power Cord (MA-PWR-CORD-US)
MS220-48LP: 1 x Power Cord (MA-PWR-CORD-US)
MS220-48FP: 1 x Power Cord (MA-PWR-CORD-US)
MS320 Family
MS320-24: 1 x Power Cord (MA-PWR-CORD-US), 1 x 250WAC Power Supply (MS-PWR-250WAC), 1 x Power supply slot blank
MS320-24P: 1 x Power Cord (MA-PWR-CORD-US), 1 x 640WAC Power Supply (MS-PWR-640WAC), 1 x Power supply slot blank
MS320-48: 1 x Power Cord (MA-PWR-CORD-US), 1 x 250WAC Power Supply (MS-PWR-250WAC), 1 x Power supply slot blank
MS320-48LP: 1 x Power Cord (MA-PWR-CORD-US), 1 x 640WAC Power Supply (MS-PWR-640WAC), 1 x Power supply slot blank
MS320-48FP: 1 x Power Cord (MA-PWR-CORD-US), 1 x 1025WAC Power Supply (MS-PWR-1025WAC), 1 x Power supply slot blank

Accessories
The Meraki MS family supports pluggable optics for high-speed connectivity.
Meraki offers several standards-based Gigabit and 10 Gigabit pluggable modules. Supported Meraki accessory modules for MS Switches (no lock-out of third-party optics):
Full specifications and compatibility information is available in the Meraki Accessories datasheet: https:///lib/pdf/meraki_datasheet_sfp.pdf

Specifications

Management
• Managed via the Web with the Meraki cloud management platform
• Integrated with Meraki wireless, security appliance, and device management
• Zero-touch remote provisioning (no staging needed)
• Detailed historical per-port and per-client usage statistics
• DHCP, client, and hostname fingerprinting
• SNMPd allows integration with third party network management solutions
• Automatic firmware upgrades

Remote Diagnostics
• Email and SMS (text) alerts¹
• Cable testing
• Live remote packet capture
• Aggregated event and configuration change logs with instant search

Virtual Stacking
• Virtual stacking supports thousands of switch ports in a single logical stack for unified management, monitoring, and configuration

Ethernet Switching Capabilities
• 802.1p Quality of Service prioritization
• 802.1Q VLAN tagging for up to 4,094 VLANs
• 802.1D Spanning Tree Protocol (STP) and 802.1w Rapid Spanning Tree
• Broadcast storm control
• 802.1ab Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP)
• 802.3ad Link aggregation with up to 8 ports per aggregate
• Port mirroring
• IGMP snooping for multicast filtering
• MAC forwarding entries: MS220-8/24: 8,000; MS220-48: 16,000; MS320 family: 32,000 (applies to PoE and non-PoE models)

Security
• Integrated two-factor authentication
• Role-based administration
• Corporate wide password policy enforcement
• IEEE 802.1X port-based security
• MAC-based RADIUS authentication
• Port security: Sticky MAC, MAC whitelist
• MAC whitelisting
• STP Enhancements: BPDU guard, Root guard
• Hybrid authentication
• IPv4 ACLs

Performance
• Non-blocking fabric
• 2.5 microsecond latency
• Jumbo frame support (9578 byte Ethernet frame)

Layer 3 (MS320 series only)
• Static routing
• DHCP Relay (also supported on MS220)
• OSPFv2²
• Warm Spare for L3 gateway redundancy²
• DHCP server
• Automatic DHCP failover in warm spare mode

Power
• Power input: 100 - 240 VAC, 47-63 Hz
• Power consumption: 5-903W

Mounting
• Rack-mountable with included rack mount hardware (except MS220-8/P)
• Desktop-mountable with included feet
• Wall-mountable on MS220-8/P
• Kensington lock on MS220-8/P

Environment
• Operating temperature: 0 °C to 40 °C
• Humidity: 5 to 95% non-condensing
• Low acoustic noise for office environments; fanless for MS220-8/P and MS220-24

Regulatory
• CSA (US)
• IC (Canada)
• CE (Europe)
• C-Tick (Australia/New Zealand)
• RoHS

Warranty
• Full lifetime hardware warranty with next-day advanced replacement included

¹ Requires carrier-supported email to SMS gateway
² OSPF and Warm Spare do not operate concurrently

Cisco Systems, Inc. | 500 Terry A. Francois Blvd, San Francisco, CA 94158 | (415) 432-1000
Cisco Network Device Security Hardening

I. Password Management
Passwords are the primary means of preventing unauthorized access to a network device and are part of the device's own security. The best way to handle them is to keep the passwords on a TACACS+ or RADIUS authentication server. However, a network device usually also has a local password for privileged access; in that case, configure it as follows.

1. Use enable secret
The enable secret command sets the password for entering privileged EXEC mode. Give it a strong password, one that cannot easily be broken by a dictionary attack. Note that older systems used enable password; although the two are similar in function, enable password uses a much weaker encryption algorithm and should not be used.
    Router(config)# enable secret 12#gF3?0Op9J

2. Use service password-encryption
This command encrypts the passwords stored in the configuration file, so that someone who manages to view the configuration file does not obtain them in plaintext. The algorithm used by service password-encryption is simple, however, and is easily reversed; it mainly covers passwords set with the enable password command. The enable secret command uses the MD5 algorithm instead, which is much harder to break.
    Router(config)# service password-encryption

II. Access Control
Anyone who logs in to a network device can display important configuration information, and an attacker can use the device as a relay point for further attacks, so login access to network devices must be controlled correctly. Most login access is disabled by default, but there are exceptions: the console port, for example, allows login by default. The console port is a very special port. If a Break signal is sent to it during the first few seconds after the device reboots, the device enters a monitor mode in which the system password can be recovered, which makes it easy to take control of the whole system. Therefore an attacker who has no legitimate access rights but who can reboot the system (by cutting power or crashing it) and reach the console port (through a directly attached terminal or a terminal server) can take control of the whole system, so the security of every connection to the console port must be ensured.
Cisco Router Security Configuration Baseline (Version 1.0)
December 2012

Contents
1 Introduction
2 Scope
3 Abbreviations
4 Naming Rules for Security Baseline Requirement Items
5 Document Usage Instructions
6 Precautions
7 Security Configuration Requirements
7.1 Account Management
7.1.1 Shared Operations Account Management
7.1.2 Removing Accounts Unrelated to Work
7.2 Password Management
7.2.1 Static Password Encryption
7.2.2 Static Passwords Stored as Ciphertext
7.2.3 Static Password Operations Management
7.3 Authentication Management
7.3.1 RADIUS Authentication (optional)
7.3.2 TACACS+ Authentication (optional)
7.4 Logging and Auditing
7.4.1 RADIUS Accounting (optional)
7.4.2 TACACS+ Accounting (optional)
7.4.3 Enabling Logging
7.4.4 Log Timestamp Accuracy
7.5 Protocol Security
7.5.1 BGP Authentication
7.5.2 OSPF Authentication
7.5.3 LDP Authentication (optional)
7.6 Network Management
7.6.1 SNMP Protocol Version
7.6.2 Changing SNMP Default Passwords
7.6.3 SNMP Communication Security (optional)
7.7 Device Management
7.7.1 Router In-Band Management Method
7.7.2 Router In-Band Management Communication
7.7.3 Router In-Band Management Timeout
7.7.4 Router In-Band Management Authentication
7.7.5 Router Out-of-Band Management Timeout
7.7.6 Router Out-of-Band Management Authentication
7.8 System Services
7.8.1 Disabling CDP
7.8.2 Disabling TCP/UDP Small Services
7.8.3 Disabling HTTP SERVER
7.8.4 Disabling BOOTP SERVER
7.8.5 Disabling the Finger Service (optional)
7.8.6 Disabling DNS Lookup (optional)
7.8.7 Disabling IP Source Routing (optional)
7.8.8 Disabling IP Directed Broadcast (optional)
7.8.9 Disabling PROXY ARP (optional)
7.9 Other
7.9.1 Router Default BANNER Management
7.9.2 Router Idle Port Management
Appendix A Security Baseline Configuration Item Application Statistics Table
Appendix B Security Baseline Configuration Item Application Issue Log
Appendix C China National Petroleum (中国石油) NTP Server List

1 Introduction
This document specifies the router security configuration standard that the Cisco series routers used by China National Petroleum (中国石油) must follow; it is one of China National Petroleum's security baseline documents.
Cisco Network Device Hardening Manual

1. Introduction
Cisco network devices are widely deployed enterprise-class network equipment with rich functionality, stable performance and high security. Network attacks are increasing, however, and network devices have become one of the most frequently attacked targets. When using Cisco network devices, their security must therefore be strengthened to prevent network attacks effectively. This document describes hardening methods for Cisco network devices and aims to help enterprise users better protect their network security.

2. Password Settings
Access to a Cisco network device requires a password, so password settings are the first step of network security. Recommendations:
• Do not use simple passwords such as birthdays or telephone numbers.
• Passwords should be at least 8 characters long and contain upper-case letters, lower-case letters, digits and special characters.
• Change passwords regularly; once every three months is recommended.
• Do not use the same password on multiple devices.

3. Access Control
Access control is key to network security; it limits the addresses and ports from which the network device can be reached from outside. Recommendations:
• Block access to all unnecessary ports and open only the necessary ones.
• For open ports, restrict the source and destination addresses and restrict which users may connect.
• For protocols such as SSH and Telnet, use encrypted transport.

4. Firewall
A firewall is an important component of network security; it helps protect network devices and data from attack. Recommendations:
• Configure ACLs to restrict traffic coming from the Internet.
• Deny access from unknown or untrusted IP addresses.
• Disable unnecessary services.

5. Authorization Management
Authorization management is key to configuring and managing network devices and provides security control over them. Recommendations:
• Do not use default accounts and passwords such as cisco/cisco.
• Assign each user a separate account and password.
• Restrict each user's access rights to only the configuration they need.

6. System Logging
System logs record important events on the network device, such as logins, configuration changes and errors. Recommendations:
• Configure a log server and send the system logs to a remote server for analysis and review.
• Configure the logging level so that only important events are recorded.
• Check the logs regularly for abnormal events.

7. Vulnerability Remediation
Cisco network devices may contain vulnerabilities that attackers can exploit, so they must be patched promptly.
Cisco Network Device Security Manual
November 2005

Contents
1 IOS Version Upgrade
2 Disable Services
3 Usernames
4 Passwords
5 Access Control
6 Use SSH
7 Use MD5 Authentication for Routing Protocols
8 Network Device Logging
9 SNMP
10 Modify Device Network Labels

1 IOS Version Upgrade
➢ Keep the device operating system software up to date. Old software versions carry security and stability risks, so upgrade to a newer version whenever the device's flash capacity permits. If necessary, the device's flash capacity can be upgraded.
➢ Perform all network device maintenance locally.
➢ For network devices that allow remote login management, password protection and a corresponding ACL must be configured to limit the range of host IP addresses that may log in remotely, and an encrypted login method such as SSL must be used.

2 Disable Services
➢ Disable services that are not needed on the device:
Small services (echo, discard, chargen, etc.)
    Router(config)# no service tcp-small-servers
    Router(config)# no service udp-small-servers
Finger
    Router(config)# no service finger
    Router(config)# no ip finger
HTTP
    Router(config)# no ip http server
SNMP
    Router(config)# no snmp-server
CDP
    Router(config)# no cdp run
Remote config
    Router(config)# no service config
Source routing
    Router(config)# no ip source-route
PAD
    Router(config)# no service pad
ICMP
    Router(config)# no ip icmp redirect
DNS
    Router(config)# no ip name-server
➢ If HTTP must be used to manage the device, the following authentication setup is recommended: use the ip http access-class command so that only authorized addresses can connect, and authenticate logins with TACACS+ or RADIUS:
    Router(config)# ip http access-class <access-list-number>
    Router(config)# ip http authentication <enable, local, tacacs>
    Router(config)# ip http port 11111
    Router(config)# ip http server

3 Usernames
➢ If no usernames are in use, add username authentication:
    Router(config)# username myname password mypass
➢ Different routers enable this in different ways: you may need to enter line vty and set login local, or you may need to enable AAA mode by configuring aaa new-model.
Likewise, set the other login lines (console, AUX, etc.) to require username and password authentication.
4 Passwords
➢ Ensure that all passwords in use are strong. Both the password and enable passwords must be stored encrypted; set passwords on the console line, auxiliary line and virtual terminal lines and protect them with encryption:
Enable secret
    Router(config)# enable secret 0 2manyRt3s
Console line
    Router(config)# line con 0
    Router(config-line)# password Soda-4-jimmY
Auxiliary line
    Router(config)# line aux 0
    Router(config-line)# password Popcorn-4-sara
VTY lines
    Router(config)# line vty 0 4
    Router(config-line)# password Dots-4-georg3
Prevent passwords from being displayed in plaintext
    Router(config)# service password-encryption
➢ Secure the configuration of the console line, auxiliary line and virtual terminal lines:
Console line
    Router(config)# line con 0
    Router(config-line)# exec-timeout 5 0
    Router(config-line)# login
    Router(config-line)# transport input telnet
Auxiliary line
    Router(config)# line aux 0
    Router(config-line)# exec-timeout 0 1
    Router(config-line)# no exec
    Router(config-line)# transport input none
VTY lines
    Router(config)# no access-list 92
    Router(config)# access-list 92 permit 10.1.1.1
    Router(config)# access-list 92 permit 10.1.1.2
    Router(config)# line vty 0 4
    Router(config-line)# access-class 92 in
    Router(config-line)# exec-timeout 5 0
    Router(config-line)# login
    Router(config-line)# transport input telnet
    Router(config)# service tcp-keepalives-in

5 Access Control
➢ Configure an access-list that defines the IP addresses allowed to log in and the login type; for example, to allow SSH from address A.B.C.D to this device's IP (1.2.3.4):
    Router(config)# access-list 110 permit tcp host A.B.C.D host 1.2.3.4 eq 22
➢ Configure an anti-IP-spoofing access-list. Assuming the leaf network's address range is A.B.C.D mask /24, on the outbound interface set:
    Router(config)# access-list 110 permit ip A.B.C.D 0.0.0.255 any
    Router(config)# access-list 110 deny ip any any
and on the inbound interface set:
    Router(config)# access-list 110 deny ip A.B.C.D 0.0.0.255 any
    Router(config)# access-list 110 permit ip any any
➢ Configure protection against the denial-of-service attack on the Cisco vulnerability:
    Router(config)# access-list 110 deny 55 any any
    Router(config)# access-list 110 deny 77 any any
If necessary, packets of certain denial-of-service attacks can be logged. Other kinds of denial of service can be filtered with the corresponding access control lists, although this may have some impact on system performance. Some of these attacks are now generally prevented by the operating system itself and need no special configuration. For example, SYN:
    Router(config)# access-list 110 permit tcp any 192.168.0.0 0.0.0.255 established
LAND:
    Router(config)# access-list 110 deny ip host 192.168.0.111 host 192.168.0.111
SMURF:
    Router(config)# access-list 110 deny ip any host 192.168.0.255

6 Use SSH
➢ The IOS image must be a version that supports IPSEC.
➢ Set the SSH timeout and the number of login attempts, and restrict the VTY lines to SSH:
    Router(config)# ip ssh timeout 90
    Router(config)# ip ssh authentication-retries 2
    Router(config)# line vty 0 4
    Router(config-line)# access-class 22 in
    Router(config-line)# transport input ssh
    Router(config-line)# login local
    Router(config-line)# exit
Enable the SSH service by generating an RSA key pair:
    Router(config)# crypto key generate rsa
    The name for the keys will be:
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose keys.
    Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 2048
    Generating RSA Keys...
    [OK]
    Router#

7 Use MD5 Authentication for Routing Protocols
➢ For the network:
    Router(config)# router ospf 100
    Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
Enable MD5 authentication. The command area area-id authentication enables authentication with plaintext passwords; area area-id authentication message-digest enables MD5 authentication:
    Router(config-router)# area 100 authentication message-digest
    Router(config-router)# exit
    Router(config)# interface eth0/1
Enable the MD5 key, here with the key routerospfkey. The command ip ospf authentication-key key enables an authentication key but transmits it in plaintext; use ip ospf message-digest-key key-id(1-255) md5 key instead:
    Router(config-if)# ip ospf message-digest-key 1 md5 routerospfkey
If the RIP protocol is used, configure it with similar commands:
    Router(config)# key chain mykeychainname
    Router(config-keychain)# key 1
    Router(config-keychain-key)# key-string MyFirstKeyString
    Router(config-keychain)# key 2
    Router(config-keychain-key)# key-string MySecondKeyString
Note: use RIP version 2.
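The manual above gives its hardening steps as CLI to type; the following audit script is an added example (mine, not from any of the documents compiled here) that reads a saved `show running-config` and reports which items from sections 2, 4, 6 and 7 of the 2005 manual and the enable secret advice of the hardening note are not met. It assumes IOS platform defaults (CDP, source routing, PAD and the HTTP server stay on unless explicitly negated) and uses a constructed sample configuration rather than a real device.

```python
import re

# On by default in IOS (assumed), so the checklist's negated form must appear explicitly.
MUST_BE_NEGATED = ["cdp run", "ip source-route", "service pad", "ip http server"]
# These are off by default, so seeing one configured is itself a finding.
MUST_BE_ABSENT = ["service tcp-small-servers", "service udp-small-servers",
                  "service finger", "ip finger", "service config", "enable password"]

def parse_blocks(config):
    """Map header -> [indented children]; top-level commands are also listed under key ''."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = ""                      # "!" separators close a block
        elif line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = line
            blocks.setdefault(current, [])
            blocks[""].append(current)
    return blocks

def has_exec_timeout(body):
    """True unless exec-timeout is missing or set to 0 (0 0), which means never."""
    return any(re.match(r"exec-timeout (?!0( 0)?$)\d+( \d+)?$", c) for c in body)

def check_vty(header, body):
    """Sections 4 and 6: SSH only, source ACL, idle timeout."""
    rules = [("transport input ssh" in body, "transport input is not ssh-only"),
             (any(c.startswith("access-class ") and c.endswith(" in") for c in body),
              "no inbound access-class limiting source addresses"),
             (has_exec_timeout(body), "no non-zero exec-timeout")]
    return [f"{header}: {msg}" for ok, msg in rules if not ok]

def check_ospf(header, body):
    """Section 7: every area named in a network statement needs MD5 auth."""
    areas = {m.group(1) for c in body if (m := re.search(r" area (\S+)$", c))}
    md5 = {m.group(1) for c in body
           if (m := re.match(r"area (\S+) authentication message-digest$", c))}
    return [f"{header}: area {a} lacks 'authentication message-digest'"
            for a in sorted(areas - md5)]

def audit(config):
    """Return the list of checklist violations; [] means the config passed."""
    blocks = parse_blocks(config)
    top, findings = blocks[""], []
    findings += [f"'{c}' is not disabled (expected 'no {c}')"
                 for c in MUST_BE_NEGATED if f"no {c}" not in top]
    findings += [f"'{c}' is configured and should be removed" for c in MUST_BE_ABSENT
                 if any(t == c or t.startswith(c + " ") for t in top)]
    if not any(t.startswith("enable secret ") for t in top):
        findings.append("no 'enable secret' configured")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' missing")
    # Type 7 is reversible and type 0 is plaintext: use 'username ... secret' instead.
    findings += [f"user '{t.split()[1]}' has a reversible/plaintext password"
                 for t in top if t.startswith("username ") and " password " in t]
    if any(t.startswith("snmp-server community ") for t in top):
        findings.append("SNMP community configured (checklist says 'no snmp-server')")
    for header, body in blocks.items():
        if header.startswith("line vty"):
            findings += check_vty(header, body)
        elif header.startswith("line aux") and not (
                "no exec" in body and "transport input none" in body):
            findings.append(f"{header}: needs 'no exec' and 'transport input none'")
        elif header.startswith("line con") and not has_exec_timeout(body):
            findings.append(f"{header}: no non-zero exec-timeout")
        elif header.startswith("router ospf"):
            findings += check_ospf(header, body)
    return findings

# Constructed sample, not a real device: a lab router before hardening.
WEAK_CONFIG = """\
enable password 0 ConstructedPlaintext
username admin password 0 ConstructedPlaintext
snmp-server community public RO
router ospf 100
 network 192.168.100.0 0.0.0.255 area 100
line con 0
 login
line vty 0 4
 login
 transport input telnet
"""
```

Running `audit(WEAK_CONFIG)` yields one finding per unmet checklist item; applying the commands from sections 2, 4, 6 and 7 above and re-running should return an empty list.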