I need to confirm that I understand the Cisco manual correctly. So my network looks like this:
ISP_RTR ---x.x.x.x/30--- Perimeter/Edge_RTR ---y.y.y.y/30--- FW1 --- DMZ1
---z.z.z.z/30--- FW2 --- DMZ2
The networks x.x.x.x/30, y.y.y.y/30, z.z.z.z/30, DMZ1 and DMZ2 all have public IP addresses.
On my perimeter/edge router I only need console access.
So I configured these commands:
#enable secret password
#service password-encryption
#no service tcp-small-servers
#no service udp-small-servers
#no ip finger
#no ip bootp server
#ip dhcp bootp ignore
#no service dhcp
#no ip domain-lookup
#no service pad
#no service config
#no cdp run
#no lldp run
#service tcp-keepalives-in
#service tcp-keepalives-out
#exception crashinfo maximum files 10
#no ip http server
#no ip http secure-server
#line aux 0
#transport input none
#transport output none
#no exec
#exec-timeout 0 1
#no password
#line console 0
#transport output none
#line vty 0 97
#transport input none
#transport output none
#no exec
#exec-timeout 0 1
#no password
#login
Commands my IOS does not have are:
#no mop enabled
#memory reserve console 4096
#exception memory ignore overflow io
#exception memory ignore overflow processor
#no vstack
I also built an ACL that should protect the router.
#ip access-list extended OUTSIDE
!---Deny fragments to the infrastructure block
#deny tcp any host x.x.x.x fragments
#deny udp any host x.x.x.x fragments
#deny icmp any host x.x.x.x fragments
#deny ip any host x.x.x.x fragments
#deny tcp any y.y.y.y 0.0.0.3 fragments
#deny udp any y.y.y.y 0.0.0.3 fragments
#deny icmp any y.y.y.y 0.0.0.3 fragments
#deny ip any y.y.y.y 0.0.0.3 fragments
#deny tcp any z.z.z.z 0.0.0.3 fragments
#deny udp any z.z.z.z 0.0.0.3 fragments
#deny icmp any z.z.z.z 0.0.0.3 fragments
#deny ip any z.z.z.z 0.0.0.3 fragments
!---Deny ip options
#deny ip any any option any-options
!---Deny/filter TTL value
#deny ip any any ttl lt 5
!---Anti-spoofing entries for RFC3330
#deny ip host 0.0.0.0 any
#deny ip 0.0.0.0 0.255.255.255 any
#deny ip 14.0.0.0 0.255.255.255 any
#deny ip 24.0.0.0 0.255.255.255 any
#deny ip 39.0.0.0 0.255.255.255 any
#deny ip 127.0.0.0 0.255.255.255 any
#deny ip 128.0.0.0 0.0.255.255 any
#deny ip 169.254.0.0 0.0.255.255 any
#deny ip 191.255.0.0 0.0.255.255 any
#deny ip 192.0.0.0 0.0.0.255 any
#deny ip 192.0.2.0 0.0.0.255 any
#deny ip 192.88.99.0 0.0.0.255 any
#deny ip 198.18.0.0 0.1.255.255 any
#deny ip 223.255.255.0 0.0.0.255 any
#deny ip 224.0.0.0 15.255.255.255 any
#deny ip 240.0.0.0 15.255.255.255 any
!---Anti-spoofing entries for RFC1918
#deny ip 10.0.0.0 0.255.255.255 any
#deny ip 172.16.0.0 0.15.255.255 any
#deny ip 192.168.0.0 0.0.255.255 any
!---Anti-spoofing entries for my addresses as source
#deny ip y.y.y.y 0.0.0.3 any
#deny ip z.z.z.z 0.0.0.3 any
#deny ip dmz1-address dmz1-wildcard mask any
#deny ip dmz2-address dmz2-wildcard mask any
!---Deny access to infrastructure addresses (router interface and point-to-point links)
#deny ip any host x.x.x.x
#deny ip any y.y.y.y 0.0.0.3
#deny ip any z.z.z.z 0.0.0.3
!---Permit transit traffic
#permit ip any any
and applied the ACL to the interface facing the ISP router:
#interface ge 0/0
#ip access-group OUTSIDE in
What did I miss? Or did I put in too much?
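As an added example (not part of the original post or of any Cisco tool), here is a small Python audit script that reads an IOS-style configuration of the shape shown above and checks the points the post is asking about: that the listed global hardening commands are present, that every RFC1918 block is denied as a source in the OUTSIDE ACL, that nothing sits after the final `permit ip any any` (it would be unreachable), that the ACL is actually applied inbound on an interface, and that the router's own interface address is denied both as a destination and as a spoofed source. The sample configuration, the interface name and the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed for the example; the wildcard-mask parser covers the address forms used in the post.

```python
"""Audit an IOS-style config for the hardening and ACL properties discussed in the post."""
import ipaddress
import re

# Constructed sample config modelled on the post; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no service dhcp
no ip domain-lookup
no service pad
no lldp run
no ip http server
no ip http secure-server
!
ip access-list extended OUTSIDE
 deny tcp any host 203.0.113.1 fragments
 deny ip any any option any-options
 deny ip any any ttl lt 5
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 198.51.100.0 0.0.0.3 any
 deny ip any host 203.0.113.1
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE in
!
line vty 0 4
 transport input none
 login
"""

# Global hardening commands from the post that appear in a running-config once set.
HARDENING_LINES = [
    "service password-encryption", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip finger", "no ip bootp server",
    "no service dhcp", "no ip domain-lookup", "no service pad",
    "no cdp run", "no lldp run", "no ip http server", "no ip http secure-server",
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_config(text):
    """Split a config into its top-level lines and the indented block under each one."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and comments
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def missing_hardening(top):
    """Hardening commands from the list that are absent from the global config."""
    return [cmd for cmd in HARDENING_LINES if cmd not in top]


def parse_addr(tokens, i):
    """Read one ACE address spec (any | host A | A WILDCARD); return (network or None, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard & (wildcard + 1):         # a contiguous wildcard is 2^k - 1
        raise ValueError("non-contiguous wildcard mask %s" % tokens[i + 1])
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))
    return ipaddress.ip_network((tokens[i], mask), strict=False), i + 2


def parse_ace(line):
    """Return (action, protocol, src_net, dst_net) for one access-list entry."""
    tokens = line.split()
    src, i = parse_addr(tokens, 2)
    dst, _ = parse_addr(tokens, i)        # trailing qualifiers (fragments, ttl, option) are ignored
    return tokens[0], tokens[1], src, dst


def audit_acl(blocks, name):
    """Check ordering, anti-spoofing coverage and placement of the ACL; return finding strings."""
    findings, aces = [], []
    for line in blocks.get("ip access-list extended " + name, []):
        try:
            aces.append(parse_ace(line))
        except (ValueError, IndexError) as exc:
            findings.append("unparsable ACE '%s': %s" % (line, exc))
    if not aces:
        return findings + ["ACL %s not found or empty" % name]
    for n, (action, proto, src, dst) in enumerate(aces):   # 1. nothing after the final permit
        if action == "permit" and proto == "ip" and src is None and dst is None and n != len(aces) - 1:
            findings.append("%d entries after 'permit ip any any' are unreachable" % (len(aces) - 1 - n))
    denied_src = [s for a, _, s, _ in aces if a == "deny" and s is not None]
    denied_dst = [d for a, _, _, d in aces if a == "deny" and d is not None]
    for net in RFC1918:                                    # 2. RFC1918 anti-spoofing present
        if not any(net.subnet_of(d) for d in denied_src):
            findings.append("no anti-spoofing deny for source %s" % net)
    applied = False                                        # 3. applied inbound; own address protected
    for header, lines in blocks.items():
        if not header.startswith("interface") or ("ip access-group %s in" % name) not in lines:
            continue
        applied = True
        for entry in lines:
            m = re.match(r"ip address (\S+) (\S+)$", entry)
            if not m:
                continue
            own = ipaddress.ip_network(m.group(1) + "/32")
            if not any(own.subnet_of(d) for d in denied_dst):
                findings.append("%s: own address %s reachable as a destination" % (header, m.group(1)))
            if not any(own.subnet_of(d) for d in denied_src):
                findings.append("%s: own address %s not denied as a spoofed source" % (header, m.group(1)))
    if not applied:
        findings.append("ACL %s is not applied inbound on any interface" % name)
    return findings


def run_audit(text):
    """Run both audits over a config text and return the findings by section."""
    top, blocks = parse_config(text)
    return {"missing_hardening": missing_hardening(top), "acl": audit_acl(blocks, "OUTSIDE")}


if __name__ == "__main__":
    for section, items in run_audit(SAMPLE_CONFIG).items():
        print(section, items or "ok")
```

One caveat when feeding real output to a script like this: IOS hides default settings in `show running-config`, so several of the `no service ...` lines only appear when they differ from the platform default; `show running-config all` shows the defaults as well and is the better input for this kind of check.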