Cisco 4506 security hardening
1. Enable SSH login
CT10000_SNL_4506IN(config)#ip domain-name n4506
CT10000_SNL_4506IN(config)#ip ssh time-out 60
CT10000_SNL_4506IN(config)#ip ssh authentication-retries 5
Note: SSH also needs a hostname, the domain name above and an RSA key pair (crypto key generate rsa modulus 2048); the key generation step is not shown in this log. Add ip ssh version 2 so the device does not fall back to SSHv1.

CT10000_SNL_4506IN(config)#access-list 1302 permit 134.96.82.250 log
CT10000_SNL_4506IN(config)#access-list 1302 permit 192.98.100.45
CT10000_SNL_4506IN(config)#access-list 1302 permit 192.96.70.48
CT10000_SNL_4506IN(config)#access-list 1302 permit 192.96.70.49
Standard ACL 1302 (expanded range 1300-1999) lists the management hosts allowed to open a session; everything else is dropped by the implicit deny at the end.

CT10000_SNL_4506IN(config)#line vty 0 4
CT10000_SNL_4506IN(config-line)#transport input ssh
CT10000_SNL_4506IN(config-line)#login
CT10000_SNL_4506IN(config-line)#end
Note: Catalyst switches create vty lines 0-15 by default. Apply the same settings under line vty 0 15, otherwise lines 5-15 still accept telnet from any source address.

CT10000_SNL_4506IN(config)#aaa new-model
CT10000_SNL_4506IN(config)#aaa authentication login default local
CT10000_SNL_4506IN(config)#username hx10 pass asei4n123a98w4
Use username hx10 secret ... rather than password: the password form is stored in cleartext or as a reversible type 7 string, while secret stores a hash.

CT10000_SNL_4506IN(config)#line vty 0 4
CT10000_SNL_4506IN(config-line)#login authentication default
CT10000_SNL_4506IN(config-line)#access-class 1302 in
CT10000_SNL_4506IN(config-line)#end

CT10000_SNL_4506IN(config)#no ip source-route
CT10000_SNL_4506IN(config)#no ip http server
CT10000_SNL_4506IN(config)#no cdp run
CT10000_SNL_4506IN(config)#ntp server 192.168.0.22
CT10000_SNL_4506IN(config)#no service tcp-small-servers
CT10000_SNL_4506IN(config)#no service udp-small-servers
CT10000_SNL_4506IN(config)#no service finger
CT10000_SNL_4506IN(config)#banner exec c
Enter TEXT message.  End with the character 'c'.
Your IP address has been logged. If you are not an administrator, please leave now!!!c
Note: banner exec is only shown after a successful login; to warn unauthorised users before they authenticate, use banner login. The delimiter must not appear in the banner text itself, so pick an unusual character rather than 'c'. If the HTTPS server is enabled, also disable it with no ip http secure-server.


CT10000_SNL_4506IN(config)#int range vlan 5 , vlan 10 , vlan 25 , vlan 30
CT10000_SNL_4506IN(config-if-range)#no ip directed-broadcast
CT10000_SNL_4506IN(config-if-range)#no ip proxy-arp
Directed broadcasts are already disabled by default since IOS 12.0; the command is harmless and makes the setting explicit. Disabling proxy ARP stops the SVI from answering ARP on behalf of other subnets.

logging on
logging facility local7
logging 192.168.0.121
Set a severity level for the syslog host (logging trap informational) and enable service timestamps log datetime msec so remote logs carry NTP-synchronised timestamps.

The 3750 switch image in use has no SSH (SSH requires a crypto-capable image), so enable AAA and source-address login restrictions (access-class) instead.

 login block-for 60 attempts 5 within 60   device login lockout: block logins for 60 s after 5 failed attempts within 60 s
Note: during the quiet period all logins are blocked, including administrators; use login quiet-mode access-class <acl> to keep the management hosts reachable, and login on-failure log to record the failed attempts.

spanning-tree vlan xx root primary    STP tuning: make this switch the root bridge for the VLAN
Note: root primary only sets the priority; protect the root role with spanning-tree guard root on ports facing other switches and spanning-tree portfast bpduguard default on access ports.
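The checklist above is easy to apply unevenly (only vty 0-4 hardened, a reversible username password, a banner that appears after login). The following audit script is an added example, not part of the original page or of any Cisco tool: it parses a running-config text and reports which checklist items are missing. Both configs are constructed samples (the hostname, the placeholder password and the secret hash are invented), and the default of 16 vty lines is an assumption about the platform.

```python
"""Audit a Cisco IOS running-config against the hardening checklist above (added example)."""
import re
from typing import Dict, List, Set

# Constructed sample: the page's partial hardening. vty 5-15 keep their defaults,
# the username uses a reversible 'password' (placeholder value), and only banner exec is set.
PARTIAL_CONFIG = """\
ip ssh time-out 60
aaa new-model
aaa authentication login default local
username hx10 password 0 Dummy-Pass-1
access-list 1302 permit 134.96.82.250 log
no ip source-route
no ip http server
no cdp run
ntp server 192.168.0.22
logging 192.168.0.121
banner exec ^C
Your IP address has been logged. If you are not an administrator, leave now.^C
line vty 0 4
 access-class 1302 in
 login authentication default
 transport input ssh
line vty 5 15
 login
"""

# Constructed sample: the same device after the gaps are closed (hash value is a placeholder).
HARDENED_CONFIG = """\
ip ssh version 2
ip ssh time-out 60
aaa new-model
aaa authentication login default local
username hx10 secret 9 $9$placeholderhash
login block-for 60 attempts 5 within 60
access-list 1302 permit 134.96.82.250 log
no ip source-route
no ip http server
no cdp run
ntp server 192.168.0.22
logging 192.168.0.121
banner login ^C
Authorised administrators only. All access is logged.^C
line vty 0 15
 access-class 1302 in
 login authentication default
 transport input ssh
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")
USER_PW_RE = re.compile(r"^username (\S+) password\b")
REQUIRED_GLOBALS = ["no ip source-route", "no ip http server", "no cdp run", "ip ssh version 2"]
REQUIRED_PATTERNS = [
    (r"^ntp server \S+", "no NTP server: log timestamps cannot be correlated"),
    (r"^logging (?:host )?\d+\.\d+\.\d+\.\d+", "no remote syslog host"),
    (r"^login block-for \d+ attempts \d+ within \d+", "no login lockout (login block-for)"),
]


def parse_vty(config: str) -> Dict[int, Set[str]]:
    """Map each vty index to the sub-commands found under its `line vty A [B]` block."""
    vty: Dict[int, Set[str]] = {}
    current: List[int] = []
    for raw in config.splitlines():
        if raw.startswith(" "):  # indented line: sub-command of the current section
            for idx in current:
                vty.setdefault(idx, set()).add(raw.strip())
            continue
        current = []  # any top-level line ends the previous section
        m = VTY_RE.match(raw.strip())
        if m:
            last = int(m.group(2) or m.group(1))
            current = list(range(int(m.group(1)), last + 1))
            for idx in current:
                vty.setdefault(idx, set())
    return vty


def audit(config: str, vty_count: int = 16) -> List[str]:
    """Return one finding per gap; an empty list means every check passed."""
    findings: List[str] = []
    vty = parse_vty(config)
    for idx in range(vty_count):  # assumption: the platform creates vty 0-15 by default
        cmds = vty.get(idx, set())
        if "transport input ssh" not in cmds:
            findings.append(f"vty {idx}: transport input not limited to ssh (telnet reachable)")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"vty {idx}: no inbound access-class (any source may connect)")
    top = [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith(" ")]
    for ln in top:
        m = USER_PW_RE.match(ln)
        if m:
            findings.append(f"username {m.group(1)}: 'password' is reversible, use 'secret'")
    findings += [f"missing global: {g}" for g in REQUIRED_GLOBALS if g not in top]
    findings += [msg for pat, msg in REQUIRED_PATTERNS if not any(re.match(pat, ln) for ln in top)]
    if any(ln.startswith("banner exec") for ln in top) and not any(ln.startswith("banner login") for ln in top):
        findings.append("banner exec only: shown after login; use banner login so it appears first")
    return findings


if __name__ == "__main__":
    for name, cfg in (("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  ", finding)
```

On the partial config the script reports 26 findings, 22 of them for vty 5-15 (two per line), which is exactly the exposure left by hardening only line vty 0 4; the hardened config produces none. Feed it the output of show running-config to check a real device.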