Network Security - Harden CISCO Devices

Posted by 餘二五 on 2017-11-08
Introduction
This document lists the options recommended to help you secure your Cisco IOS devices; applying them increases the overall security of your network.


service sequence-numbers 
Each system status message logged by the system logging process has a sequence reference number applied. This command makes that number visible by displaying it with the message; the sequence number appears as the first part of the system status message.

!
service sequence-numbers 
!

clock set
Generally, if the system is synchronized by a valid outside timing mechanism, such as a Network Time Protocol (NTP) or VINES clock source, or if you have a router with a hardware clock, you do not need to set the software clock. Use this command only if no other time source is available. The time specified in this command is assumed to be in the time zone set by the clock timezone command.

!
clock set hh:mm:ss day month year
!

clock timezone 
To set the time zone for display purposes, use the clock timezone command in global configuration mode.

!
clock timezone GMT +8
!

No Service Password-Recovery
The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration and clearing the password. It also prevents anyone from changing the configuration register values and accessing NVRAM.

!
no service password-recovery
!

spanning-tree portfast
Use this feature on interfaces that connect to end devices, such as workstations. Never use the PortFast feature on switch ports that connect to other switches, hubs, or routers.

!
spanning-tree portfast
!

Logging Level
Each log message that is generated by a Cisco IOS device is assigned one of eight severities that range from level 0, Emergencies, through level 7, Debug. Unless specifically required, you are advised to avoid logging at level 7. Logging at level 7 produces an elevated CPU load on the device that can lead to device and network instability.
This configuration example limits log messages that are sent to remote syslog servers and the local log buffer to severities 6 (informational) through 0 (emergencies):

!
logging trap 6 
logging buffered 6 
!

No logging console
With Cisco IOS software, it is possible to send log messages to the console and to monitor sessions. However, doing so can elevate the CPU load of an IOS device and therefore is not recommended.
Instead, you are advised to send logging information to the local log buffer, which can be viewed using the show logging command.


no logging console 
no logging monitor 


Use Buffered Logging
Cisco IOS software supports the use of a local log buffer so that an administrator can view locally generated log messages. The use of buffered logging is highly recommended versus logging to either the console or monitor sessions.
There are two configuration options that are relevant when configuring buffered logging: the logging buffer size and the message severities. This configuration example includes the configuration of a logging buffer of 16384 bytes, as well as a severity of 6, indicating that messages at levels 0 through 6 are stored:


logging buffered 16384 
logging buffered 6 

Configure Logging Source Interface
In order to provide an increased level of consistency when collecting and reviewing log messages, you are advised to statically configure a logging source interface. For added stability, you are advised to use a loopback interface as the logging source. This configuration example illustrates the use of the logging source-interface interface global configuration command to specify that the IP address of the loopback 0 interface be used for all log messages:


interface loopback 0
ip address <IP address> <submask>
logging source-interface Loopback 0


NetFlow
NetFlow identifies anomalous and security-related network activity by tracking network flows. Cisco Express Forwarding (CEF), or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches.


ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>

interface <interface>
ip flow <ingress|egress>


EXEC Timeout
The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. By default, sessions are disconnected after 10 minutes of inactivity.

line con 0
exec-timeout <minutes> [seconds]
line vty 0 4
exec-timeout <minutes> [seconds]


Keepalives for TCP Sessions 
The service tcp-keepalive-in and service tcp-keepalive-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This ensures that the device on the remote end of the connection is still accessible.


service tcp-keepalive-in
service tcp-keepalive-out


Secure Shell Version 2 Support
The Secure Shell Version 2 Support feature allows you to configure Secure Shell (SSH) version 2.

!
hostname cncrouter 
ip domain-name chinanetcloud.com 
crypto key generate rsa modulus 2048
ip ssh version 2 
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
ip ssh source-interface <interface>
line vty 0 4 
transport input ssh 
!

Configure Logging Timestamps
The configuration of logging timestamps helps you correlate events across network devices. Logging timestamps should be configured to include the date and time with millisecond precision and to include the time zone in use on the device.


clock timezone GMT +8
service timestamps log datetime msec localtime show-timezone 
service timestamps debug datetime msec localtime show-timezone 
!

Login Password Retry Lockout
The Login Password Retry Lockout feature allows you to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, their account remains locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out by this feature, so the number of users with privilege level 15 must be kept to a minimum.


aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local 
login block-for 120 attempts 5 within 60

username <name> secret <password> 

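The sequence numbers and millisecond timestamps configured in the logging sections above, and the failed-login threshold of the login block-for command, can both be checked from the syslog feed the device sends to a collector. The following Python script is an added example and is not part of the original post or of any Cisco tool: it parses a few constructed IOS-style log lines (the message formats approximate what IOS emits, but the users, hosts and addresses are made up), verifies that the sequence numbers are contiguous, filters by severity the way logging trap 6 does, and replays the login block-for 120 attempts 5 within 60 rule over the %SEC_LOGIN-4-LOGIN_FAILED messages so the collector can raise the same alarm the device would.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines in the shape produced by
# 'service sequence-numbers' and 'service timestamps log datetime msec
# localtime show-timezone'. Users, hosts and addresses are made up; the
# message bodies approximate IOS's SEC_LOGIN and SYS messages.
# Note the gap between sequence numbers 50 and 52 (a dropped message).
SAMPLE_LOG = """\
000045: *Nov  8 10:15:30.101 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.100.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:30 CST Wed Nov 8 2017
000046: *Nov  8 10:15:33.220 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.100.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:33 CST Wed Nov 8 2017
000047: *Nov  8 10:15:35.004 CST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.100.5)
000048: *Nov  8 10:15:36.005 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.168.100.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:36 CST Wed Nov 8 2017
000049: *Nov  8 10:15:40.777 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.100.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:40 CST Wed Nov 8 2017
000050: *Nov  8 10:15:41.900 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 192.168.100.20] [localport: 22] [Reason: Login Authentication Failed] at 10:15:41 CST Wed Nov 8 2017
000052: *Nov  8 10:15:44.310 CST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.100.9] [localport: 22] [Reason: Login Authentication Failed] at 10:15:44 CST Wed Nov 8 2017
000053: *Nov  8 10:16:02.500 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.168.100.20] [localport: 22] at 10:16:02 CST Wed Nov 8 2017
"""

# seq: [*]Mon dd hh:mm:ss.mmm TZ: %FACILITY-SEVERITY-MNEMONIC: text
# The optional '*' (or '.') before the month is IOS's marker for a clock
# that is not authoritative; it is accepted here but otherwise ignored.
LINE_RE = re.compile(
    r"^(?P<seq>\d+): [*.]?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\S+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: (?P<src>[^\]]+)\]")


def parse_log(text, year=2017):
    """Parse IOS-style syslog lines into dicts; non-matching lines are skipped.
    IOS timestamps carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(f"{year} {d['mon']} {d['day']} {d['time']}",
                               "%Y %b %d %H:%M:%S.%f")
        events.append({"seq": int(d["seq"]), "ts": ts, "tz": d["tz"],
                       "facility": d["facility"], "severity": int(d["severity"]),
                       "mnemonic": d["mnemonic"], "text": d["text"]})
    return events


def sequence_gaps(events):
    """Return (expected, seen) pairs where a sequence number was skipped;
    this is what 'service sequence-numbers' lets a collector detect."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["seq"] != prev["seq"] + 1:
            gaps.append((prev["seq"] + 1, cur["seq"]))
    return gaps


def filter_severity(events, max_level=6):
    """Keep messages at severity 0..max_level, as 'logging trap <level>' does."""
    return [e for e in events if e["severity"] <= max_level]


def failed_login_bursts(events, attempts=5, within=60):
    """Replay 'login block-for ... attempts 5 within 60' on the collector:
    report (source, seq) when one source reaches `attempts` failed logins
    within `within` seconds, then reset that source's window."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["mnemonic"] != "LOGIN_FAILED":
            continue
        m = SOURCE_RE.search(ev["text"])
        src = m.group("src") if m else "unknown"
        window = recent[src]
        window.append(ev["ts"])
        while (window[-1] - window[0]).total_seconds() > within:
            window.popleft()
        if len(window) >= attempts:
            alerts.append((src, ev["seq"]))
            window.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("parsed:", len(evs), "gaps:", sequence_gaps(evs))
    print("severity<=4:", len(filter_severity(evs, 4)))
    print("bursts:", failed_login_bursts(evs))
```

On the constructed sample the script reports the dropped sequence number 51 and one burst from 192.168.100.9 at message 52, the fifth failure inside 60 seconds; the single failure from 192.168.100.20 followed by a success is below the threshold and stays quiet.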

No ip mask-reply 
Ensure that the device is not configured to respond to ICMP mask requests.
!
no ip mask-reply
!


No ip identd
Ensure that the identification (identd) service is not enabled.

No ip directed-broadcast
Ensure that the device is not configured to allow IP directed broadcasts on any interface.
!
no ip directed-broadcast
!

No ip route-cache 
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis rather than on a per-packet basis. The no ip route-cache command disables fast switching.

!
no ip route-cache
!

Memory Threshold Notifications 
The Memory Threshold Notification feature allows you to mitigate low-memory conditions on a device.


memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>


Memory Reservation is used so that sufficient memory is available for critical notifications. This ensures that management processes continue to function when the memory of the device is exhausted.


memory reserve critical <value>


CPU Thresholding Notification
The CPU Thresholding Notification feature allows you to detect and be notified when the CPU load on a device crosses a configured threshold.


snmp-server enable traps cpu threshold

snmp-server host <host-address> <community-string> cpu

process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]
!

Reserve Memory for Console Access
The Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory.


memory reserve console 4096 


SNMP Community Strings
Community strings are passwords that are applied to an IOS device to restrict access, both read-only and read-write, to the SNMP data on the device.


snmp-server community READONLY RO
snmp-server community READWRITE RW


SNMP Community Strings with ACLs
In addition to the community string, an ACL should be applied that further restricts SNMP access to a select group of source IP addresses.


access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1

snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99


SNMP Views 
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs.


snmp-server view VIEW-SYSTEM-ONLY system include

snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO


SNMP Version 3
SNMPv3 provides secure access to devices by authenticating and optionally encrypting packets over the network.
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group AUTHGROUP and enables only authentication for this group by using the auth keyword:


snmp-server group AUTHGROUP v3 auth


This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group by using the priv keyword: 


snmp-server group PRIVGROUP v3 priv

This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:

snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword


Disable AUX
In most situations, the AUX port of a device must be disabled to prevent unauthorized access. An AUX port can be disabled using these commands:


line aux 0 
transport input none 
transport output none 
no exec 
exec-timeout 0 1
no password 



Cisco IOS Software Configuration Management
This example illustrates the configuration of automatic configuration archiving.


archive 
path disk0:archived-config
maximum 14
time-period 1440
write-memory


Exclusive Configuration Change Access
The Exclusive Configuration Change Access feature ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.

configuration mode exclusive auto 


Cisco IOS Software Resilient Configuration
The Resilient Configuration feature makes it possible to securely store a copy of the Cisco IOS software image and the device configuration that is currently being used by a Cisco IOS device. When this feature is enabled, it is not possible to alter or remove these backup files.


secure boot-image
secure boot-config


Configuration Change Notification and Logging 
The Configuration Change Notification and Logging feature makes it possible to log the configuration changes made to a Cisco IOS device. The log is maintained on the Cisco IOS device and contains the user information of the individual who made the change, the configuration command entered, and the time that the change was made.


archive 
log config 
logging enable 
logging size 200 
hidekeys 
notify syslog 


Unicast RPF 
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet.


ip cef 

interface <interface> 
ip verify unicast source reachable-via <mode>


IP Source Guard 
IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.


ip dhcp snooping 
ip dhcp snooping vlan <vlan-range>

After DHCP snooping is enabled, these commands enable IPSG: 


interface <interface−id> 
ip verify source 


Port Security
Port Security is used in order to mitigate MAC address spoofing at the access interface. Port Security can use dynamically learned (sticky) MAC addresses to ease the initial configuration. Once port security has determined a MAC violation, it can utilize one of four violation modes. These modes are protect, restrict, shutdown, and shutdown VLAN.


interface <interface> 
switchport 
switchport mode access 
switchport port-security
switchport port-security mac-address sticky
switchport port-security maximum <number>
switchport port-security violation <violation-mode>
!

Dynamic ARP Inspection 
Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments.


ip dhcp snooping 
ip dhcp snooping vlan <vlan-range>


Cisco IOS Login Enhancements (Login Block)
The Cisco IOS Login Enhancements (Login Block) feature provides a way for you to better secure your Cisco IOS software-based device against possible malicious connection attempts. By enabling this feature, you can slow down “dictionary attacks” by enforcing a “quiet period” if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.

!
login delay 
login on-failure log
login on-success log
!

Cisco VTP Vulnerability
Upon receiving a malformed VTP packet, certain devices may reload. The attack could be executed repeatedly, causing an extended Denial of Service.
In order to successfully exploit this vulnerability, the attacker must know the VTP domain name, as well as send the malformed VTP packet to a port on the switch configured for trunking. Since there is no way to completely disable VTP, the better approach is to set the VTP mode to transparent on all devices and set a VTP password as well.

!
vtp mode transparent
vtp password <password>
!

Spanning Tree Protocol Root Guard Enhancement
Any switch can be the root bridge in a network. With standard STP, any bridge in the network with a lower bridge ID takes the role of the root bridge; the administrator cannot enforce the position of the root bridge. The administrator can set the root bridge priority to 0 in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of 0 and a lower MAC address.

!
spanning-tree vlan <vlan num | vlan range> priority 0
!
!
spanning-tree guard root
!

MAC address-table notification
Use the mac address-table notification global configuration command to enable the MAC address notification feature on the switch.
This example shows how to enable the MAC address-table notification feature, set the interval time to 60 seconds, and set the history-size to 100 entries:

!
mac address-table notification
mac address-table notification interval 60 
mac address-table notification history-size 100
!

Configuring Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet.

!
ip arp inspection vlan <vlan num | vlan range>
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
ip arp inspection limit rate 15
!

ARP packets arriving on uplink interfaces should be trusted by using this command:

!
interface <interface>
ip arp inspection trust 
!

Using Authentication, Authorization, and Accounting
The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices.


aaa new-model 

aaa authentication login default local                                          
aaa authorization exec default local  
!

As a security best practice, any unnecessary service must be disabled. These unneeded services, especially those that use UDP (User Datagram Protocol), are infrequently used for legitimate purposes, but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.

Issue the no ip finger global configuration command in order to disable the Finger service.

!
no ip finger


Issue the no ip bootp server global configuration command in order to disable the Bootstrap Protocol (BOOTP) server.

!
no ip bootp server
!

DHCP services can be disabled if DHCP relay services are not required. Issue the no service dhcp command in global configuration mode.

!
no service dhcp
!

Issue the no mop enabled command in interface configuration mode in order to disable the Maintenance Operation Protocol (MOP) service.


no mop enabled 
!
Issue the no ip domain-lookup global configuration command in order to disable Domain Name System (DNS) resolution services.

!
no ip domain-lookup
!

Issue the no service pad command in global configuration mode in order to disable the Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks.

!
no service pad
!

Issue the no service tcp-small-servers and no service udp-small-servers global configuration commands to disable the TCP and UDP small services.

!
no service tcp-small-servers 
no service udp-small-servers 
!

The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.

!
no ip http server
no ip http secure-server
!

Unless Cisco IOS devices retrieve configurations from the network during startup, the no service config global configuration command must be used. This prevents the Cisco IOS device from attempting to locate a configuration file on the network using TFTP.

!
no service config
!

Cisco Discovery Protocol (CDP) is a network protocol that is used in order to discover other CDP-enabled devices for neighbor adjacency and network topology. CDP can be used by Network Management Systems (NMS) or during troubleshooting. CDP must be disabled on all interfaces that are connected to untrusted networks. This is accomplished with the no cdp enable interface command. Alternatively, CDP can be disabled globally with the no cdp run global configuration command. Note that CDP can be used by a malicious user for reconnaissance and network mapping.

!
no cdp run
!

Link Layer Discovery Protocol (LLDP) is an IEEE protocol that is defined in 802.1AB. LLDP is similar to CDP. In order to disable this feature, issue the no lldp transmit and no lldp receive interface configuration commands. Issue the no lldp run global configuration command in order to disable LLDP globally.

!
no lldp run
!

Other security options
Ensure that the device is configured to not send ICMP redirect messages.

!
no ip redirects
!

Ensure that the device is configured to not send ICMP unreachable messages.

!
no ip unreachables
!

Ensure that the proxy ARP service is not enabled on any interface.

!
no ip proxy-arp 
!

Drop all packets with IP options set.

!
ip options drop
!
Ensure that the device is not forwarding IP packets with the source routing option in the header.

!
no ip source-route 
!

Turn off UDP broadcast forwarding.

!
no ip forward-protocol udp
!

security passwords min-length ensures that all configured passwords are at least the specified length.

!
security passwords min-length <length>
!

security authentication failure rate configures the number of allowable unsuccessful login attempts (the threshold rate); with the log keyword, exceeding it generates a log message.

!
security authentication failure rate <threshold-rate> log 
!

Limiting messages to a syslog server: restrict the severity level of the messages sent to the syslog server.


logging trap <level>
!
Disable gratuitous ARP requests.


no ip gratuitous-arps 
!

Turn VLAN 1 off.

!
interface vlan 1
shutdown
!

Set the encapsulation on all trunk ports.

!
switchport trunk encapsulation dot1q
!

Set all trunk ports to no channel-group.

!
no channel-group
!

Disable IP source routing.

!
no ip source-route
!
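Most of the services and interface options in the sections above can be verified from a saved running-config without logging in to the device. The following Python audit is an added example and is not part of the original post or of any Cisco tool: it parses a constructed running-config (the hostname, addresses and community names are made up, so it describes no real device) into global commands and interface/line sections, then reports which of the recommendations on this page are missing: the global services (CDP, HTTP/HTTPS, source routing, PAD, finger, BOOTP, small servers, SSH version 2), the per-interface ICMP redirects/unreachables/proxy-ARP settings, SNMP communities without an ACL or with an ACL that is never defined, and vty lines without SSH-only transport or with the idle timeout disabled. The required-command lists are this example's own selection from the page, not an exhaustive baseline.

```python
import re

# Constructed sample running-config (not taken from any real device or from
# the article); it mixes hardened and un-hardened settings so the audit has
# findings to report. Addresses are documentation ranges.
SAMPLE_CONFIG = """\
!
hostname cncrouter
no ip http server
no cdp run
no service pad
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
ip ssh version 2
access-list 98 permit 192.168.100.0 0.0.0.255
snmp-server community READONLY RO 98
snmp-server community READWRITE RW
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
!
"""

# Global commands recommended on this page (this example's own selection).
REQUIRED_GLOBAL = [
    "no ip http server",
    "no ip http secure-server",
    "no cdp run",
    "no ip source-route",
    "no service pad",
    "no ip finger",
    "no ip bootp server",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "ip ssh version 2",
]
# Interface commands from the "Other security options" section.
REQUIRED_PER_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]

SECTION_RE = re.compile(r"^(interface|line)\s")
SNMP_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$")
ACL_RE = re.compile(r"^access-list (\S+) ")


def parse_config(text):
    """Split an IOS running-config into top-level commands and indented
    sections keyed by their header (interface ..., line ...).
    '!' lines and blank lines end the current section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):  # child line of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            top.append(line)
    return top, sections


def audit_config(text):
    """Return human-readable findings for recommended settings that are
    absent from (or weakened in) the given running-config."""
    top, sections = parse_config(text)
    findings = []
    present = set(top)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"global: missing '{cmd}'")
    acls = {m.group(1) for line in top for m in [ACL_RE.match(line)] if m}
    for line in top:
        m = SNMP_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if acl is None:
                findings.append(f"snmp: community {name} ({mode}) has no ACL")
            elif acl not in acls:
                findings.append(f"snmp: community {name} references undefined ACL {acl}")
    for header, body in sections.items():
        if header.startswith("interface ") and "Loopback" not in header:
            for cmd in REQUIRED_PER_INTERFACE:
                if cmd not in body:
                    findings.append(f"{header}: missing '{cmd}'")
        elif header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            timeouts = [b for b in body if b.startswith("exec-timeout")]
            if not timeouts:
                findings.append(f"{header}: no exec-timeout configured")
            elif "exec-timeout 0 0" in timeouts:  # 0 0 means never time out
                findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config the audit lists six findings: the two missing global commands (no ip http secure-server, no ip source-route), the read-write community with no ACL, the two interface commands missing on GigabitEthernet0/1, and the vty exec-timeout of 0 0 that turns the idle timeout off. Point it at the output of show running-config from a real device to check the same recommendations there.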
This article is reposted from justiceplus's 51CTO blog; the original is at http://blog.51cto.com/johnwang/129062. Contact the original author for reprint permission.

