Network Security-equipment Security reinforcement

2025-02-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Network equipment is also a very important part of the network boundary. It is the trunk road of the entire data center, and there must be no mistakes there. Over the past two days the Nexus switches were given some basic hardening. The main operations are summarized as follows:

1. Create a read-only account in Nexus, for example one that can only view the configuration and other information. Because Nexus has a good, easy-to-operate RBAC mechanism, this is straightforward to implement.

A. First create a role called maintain and define the commands it may execute

N7K(config)# role name maintain

N7K(config-role)# rule 1 permit command show running-config

N7K(config-role)# rule 2 permit command show mac address-table

N7K(config-role)# rule 3 permit command show access-lists

B. Create an account, maintainonly, that belongs to the maintain role

N7K(config)# username maintainonly password 0 xxxxxx role maintain

C. Log in as maintainonly to confirm

N7K# ? ...... pressing ? here lists no show command at all:

end Go to exec mode

exit Exit from command interpreter

N7K# show run ...... running it directly here works, as intended:

! Command: show running-config

! Time: Thu Sep 4 13:35:52 2014

version 6.1(2)

switchname N7K

.

.

.

N7K# show int ...... viewing interfaces is not allowed; the result is permission denied:

% Permission denied for the role
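To see why the maintainonly session above can run show running-config but not show interface, here is an added Python model of how a role's command rules decide a request. It is example code written for this page, not NX-OS code: the rule set is copied from the maintain role above, the highest-number-first evaluation order with default deny follows the NX-OS role model, and the prefix-plus-glob matching of the command text is this example's own simplifying assumption. It goes one step past the page by adding a higher-numbered deny rule to show that rule order matters.

```python
import fnmatch

# Constructed rule set mirroring the 'maintain' role from the page: (number, action, pattern).
MAINTAIN_RULES = [
    (1, "permit", "show running-config"),
    (2, "permit", "show mac address-table"),
    (3, "permit", "show access-lists"),
]


def rule_matches(pattern, command):
    """Assumed matching model: a rule matches when the fully expanded command equals the
    pattern, extends it with further tokens, or fits it as a glob (e.g. 'show * interface')."""
    if command == pattern or command.startswith(pattern + " "):
        return True
    return fnmatch.fnmatchcase(command, pattern)


def evaluate(rules, command):
    """Return (decision, rule_number). Rules are tried from the highest number down, the
    first match wins, and a command no rule matches is denied."""
    for number, action, pattern in sorted(rules, key=lambda r: r[0], reverse=True):
        if rule_matches(pattern, command):
            return action, number
    return "deny", None


def visible_commands(rules, candidates):
    """What a user in the role would be offered: only commands some permit rule admits."""
    return [c for c in candidates if evaluate(rules, c)[0] == "permit"]


if __name__ == "__main__":
    for cmd in ("show running-config", "show interface", "show access-lists"):
        print(cmd, "->", evaluate(MAINTAIN_RULES, cmd))
    # A later deny rule with a higher number is evaluated first and narrows rule 1.
    narrowed = MAINTAIN_RULES + [(4, "deny", "show running-config *")]
    print("show running-config interface ethernet1/1 ->",
          evaluate(narrowed, "show running-config interface ethernet1/1"))
```

The decision comes from the highest-numbered matching rule, so when a role is extended later, a new permit rule placed above an existing deny rule silently widens it; reviewing the rule list in descending order is the quick sanity check.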

2. Add a banner motd warning to the switch stating that unauthorized users are not allowed to log in to the device.

3. Change the device to SSH login

feature ssh

no feature telnet

4. Add an access-class to the vty lines and set the login idle timeout to 10 minutes.

Create the ACL:

ip access-list login_auth

1 permit ip 172.10.10.0/24 any

Then apply it under the vty lines:

line vty

access-class login_auth in

exec-timeout 10

5. Enable root guard on the necessary interfaces

spanning-tree guard root

Enable some other security features

no ip redirects

no ip unreachables

no ip proxy-arp
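Items 2 to 5 are easy to apply once and then let drift. The following Python script, added here as an example and not part of the original post, audits an NX-OS-style running-config for each of those settings (plus the read-only role from item 1) by literal line matching. Both configuration excerpts are constructed for the example; the interface names, the sample ACL, and the password hash placeholder are assumptions, and the checks do not account for platform defaults that a real show running-config would omit.

```python
MAX_IDLE_MIN = 10                 # exec-timeout the text sets on the vty lines
READ_ONLY_ROLES = {"maintain"}    # roles that must only carry 'show' permit rules
L3_HARDENING = ("no ip redirects", "no ip unreachables", "no ip proxy-arp")

# Constructed sample config matching the page's hardening steps (not from any real device).
HARDENED = """\
version 6.1(2)
switchname N7K
feature ssh
banner motd #Authorized access only#
role name maintain
  rule 1 permit command show running-config
  rule 2 permit command show mac address-table
  rule 3 permit command show access-lists
username maintainonly password 5 $5$PLACEHOLDER role maintain
ip access-list login_auth
  1 permit ip 172.10.10.0/24 any
interface Vlan10
  ip address 10.0.10.1/24
  no ip redirects
  no ip unreachables
  no ip proxy-arp
interface Ethernet1/1
  switchport
  spanning-tree guard root
line vty
  access-class login_auth in
  exec-timeout 10
"""

# Constructed "before" config: telnet on, no banner, open vty, idle timeout disabled.
WEAK = """\
version 6.1(2)
switchname N7K
feature telnet
interface Vlan10
  ip address 10.0.10.1/24
interface Ethernet1/1
  switchport
line vty
  exec-timeout 0
"""


def parse_blocks(text):
    """Split a config into (header, [children]) pairs: an unindented line opens a block,
    indented lines belong to the most recent one; comments and blank lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text, root_guard_ports=frozenset()):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = []
    if "feature ssh" not in headers:
        findings.append("access: 'feature ssh' is not enabled")
    if "feature telnet" in headers:
        findings.append("access: 'feature telnet' is still enabled")
    if not any(h.startswith("banner motd") for h in headers):
        findings.append("banner: no 'banner motd' configured")
    for header, children in blocks:   # read-only roles may only permit 'show ...'
        if header.startswith("role name ") and header.split()[-1] in READ_ONLY_ROLES:
            for rule in children:
                parts = rule.split()
                if parts[2:4] == ["permit", "command"] and parts[4:5] != ["show"]:
                    findings.append(f"{header}: non-show permit rule '{rule}'")
    acls = {h.split()[-1] for h in headers if h.startswith("ip access-list ")}
    vty = next((c for h, c in blocks if h == "line vty"), None)
    if vty is None:
        findings.append("vty: no 'line vty' section")
    else:
        acl = next((c.split()[1] for c in vty
                    if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            findings.append("vty: no inbound access-class")
        elif acl not in acls:
            findings.append(f"vty: access-class '{acl}' refers to an undefined ACL")
        timeout = next((int(c.split()[1]) for c in vty if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append("vty: no exec-timeout configured")
        elif timeout == 0 or timeout > MAX_IDLE_MIN:
            findings.append(f"vty: exec-timeout {timeout} (0 disables it; want <= {MAX_IDLE_MIN})")
    for header, children in blocks:   # per-interface checks
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if any(c.startswith("ip address ") for c in children):
            for want in L3_HARDENING:
                if want not in children:
                    findings.append(f"{name}: missing '{want}'")
        if name in root_guard_ports and "spanning-tree guard root" not in children:
            findings.append(f"{name}: missing 'spanning-tree guard root'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg, {"Ethernet1/1"}) or ["OK"])
```

Run it against the output of show running-config saved to a file; the ports that should carry root guard are passed in explicitly because the config itself cannot say which edge ports face untrusted switches.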

That's all for now, and we'll continue next time.
