North(config)# access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
North(config)# ! block multicast (if not used)
North(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any
North(config)# ! block some ICMP message types
North(config)# access-list 107 deny icmp any any redirect log
North(config)# access-list 107 deny icmp any any echo log
North(config)# access-list 107 deny icmp any any mask-request log
North(config)# access-list 107 permit ip any 14.2.0.0 0.0.255.255
North(config)# access-list 107 permit ip any 14.1.0.0 0.0.255.255
North(config)# interface Eth 0/0
North(config-if)# description External interface
North(config-if)# ip access-group 107 in
10. Block incoming packets that claim to have the same destination and source address (i.e. a ‘Land’ attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below.
access-list 102 deny ip host 14.1.1.250
host 14.1.1.250 log
interface Eth 0/1
ip address 14.1.1.250 255.255.0.0
ip access-group 102 in
11. Configure an access list for the virtual terminal lines to control Telnet access. See example commands below.
South(config)# no access-list 92
South(config)# access-list 92 permit 14.2.10.1
South(config)# access-list 92 permit 14.2.9.1
South(config)# line vty 0 4
South(config-line)# access-class 92 in
推荐阅读
- 三 路由器安全配置速查表
- CISCO学习问题之Cisco 路由器中有关ip helper-address的问题
- 发现路由器转发故障的BFD
- 三 路由器网络接口解析大全
- 一 路由器网络接口解析大全
- 二 路由器网络接口解析大全
- 怎样实现路由器回拨电话
- 低碳生活的碳是指什么
- 路由器配置新手上路----桥接与路由
- 2 路由器接口及连接