321 Studios OL-7141-04 manual Enable Logging, Enable Unicast RPF on Outside Interfaces


Chapter 1 Cisco SDM Express

Supplementary Help

The configuration that will be delivered to the router to set the TCP synwait time to 10 seconds is as follows:

ip tcp synwait-time 10

Enable Logging

Cisco SDM Express will enable logging with time stamps and sequence numbers whenever possible. Because it gives detailed information about network events, logging is critical in recognizing and responding to security events. Time stamps and sequence numbers provide information about the date, time, and sequence in which network events occur.

The configuration that will be delivered to the router to enable and configure logging is as follows, replacing <log buffer size> and <logging server ip address> with the appropriate values that you enter into Cisco SDM Express:

logging console critical
logging trap debugging
logging buffered <log buffer size>
logging <logging server ip address>
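The value of the time stamps and sequence numbers described above is easiest to see on the collector side. The following Python script is an added example, not part of the Cisco SDM Express guide or the SDM product: it parses log lines in the shape an IOS router emits once sequence numbers and millisecond time stamps are enabled, reports sequence numbers that never arrived (a dropped or lost message), and shows which messages each destination would see under the `logging console critical` and `logging trap debugging` settings from the configuration above. The sample lines, addresses and events are constructed for the example.

```python
import re
from datetime import datetime

# Severity levels as Cisco IOS numbers them: `logging console critical` limits the
# console to severity <= 2, `logging trap debugging` forwards everything (<= 7).
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample lines in the shape a router emits with sequence numbers and
# millisecond time stamps enabled (addresses and events are made up for this example).
SAMPLE_LOG = """\
000041: *Mar  1 00:10:02.117: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.10)
000042: *Mar  1 00:10:09.340: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4432) -> 192.168.1.20(23), 1 packet
000043: *Mar  1 00:10:09.350: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4433) -> 192.168.1.20(22), 1 packet
000045: *Mar  1 00:10:15.002: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+): "                      # sequence number
    r"[*.]?"                                # '*' or '.' marks a clock that is not synchronised
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one IOS log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    return {
        "seq": int(m.group("seq")),
        # This time stamp format carries no year, so the parsed year is a placeholder;
        # the value is still usable for ordering events relative to each other.
        "timestamp": datetime.strptime(ts, fmt),
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "msg": m.group("msg"),
    }


def parse_log(text):
    """Parse every non-empty line, skipping lines that are not IOS-formatted."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            records.append(rec)
    return records


def missing_sequence_numbers(records):
    """Sequence numbers that should have arrived but did not (dropped or lost messages)."""
    seqs = sorted(r["seq"] for r in records)
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]


def select_for_level(records, level_name):
    """Messages a destination configured with `logging <dest> <level_name>` would receive."""
    return [r for r in records if r["severity"] <= LEVELS[level_name]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("missing sequence numbers:", missing_sequence_numbers(recs))
    print("console (critical) shows:", [r["mnemonic"] for r in select_for_level(recs, "critical")])
    print("trap (debugging) forwards:", [r["seq"] for r in select_for_level(recs, "debugging")])
```

With the sample input, sequence number 44 is reported as missing, the console at level critical shows nothing, and the trap destination at level debugging receives all four messages. Checking for gaps like this on the collector is the practical reason to keep sequence numbers on: without them a lost message between the router and the syslog server is invisible.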

Enable Unicast RPF on Outside Interfaces

Cisco SDM Express enables unicast Reverse Path Forwarding (RPF) on all interfaces that connect to the Internet whenever possible. RPF is a feature that causes the router to check the source address of any packet against the interface through which the packet entered the router. If the input interface is not a feasible path to the source address according to the routing table, the packet will be dropped. This source address verification is used to defeat IP spoofing.

This works only when routing is symmetric. If the network is designed in such a way that traffic from host A to host B may normally take a different path than traffic from host B to host A, the check will always fail, and communication between the two hosts will be impossible. This sort of asymmetric routing is common in the Internet core. Ensure that your network does not use asymmetric routing before enabling this feature.
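The check described in the two paragraphs above, and the way it fails under asymmetric routing, can be worked through with a small model. The following Python script is an added example and is not code from the Cisco guide or from IOS: it models strict unicast RPF as a longest-prefix lookup of the packet's source address in a routing table, accepting the packet only when the route back to the source leaves through the interface the packet arrived on. The routing table, interface names and packets are constructed for the example; Serial0/0 plays the outside interface.

```python
import ipaddress

# Constructed routing table for this example: (destination prefix, interface used to reach it).
# Serial0/0 is the outside (Internet-facing) interface, FastEthernet0/0 the LAN,
# Serial0/1 a second uplink that is the only route to 10.20.0.0/16.
ROUTING_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0/0"),
    (ipaddress.ip_network("192.168.1.0/24"), "FastEthernet0/0"),
    (ipaddress.ip_network("10.20.0.0/16"), "Serial0/1"),
]


def best_route(table, address):
    """Longest-prefix match: the interface the router would use to send a packet to `address`."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_strict_accepts(table, src, ingress_iface):
    """Strict uRPF as the text describes it: accept only if the route back to the source
    address leaves through the same interface the packet arrived on. A source with no
    route at all is dropped as well."""
    return best_route(table, src) == ingress_iface


def classify(table, packets):
    """Run the check over (source, ingress interface) pairs and record the reverse path."""
    results = []
    for src, iface in packets:
        reverse = best_route(table, src)
        verdict = "accept" if reverse == iface else "drop"
        results.append((src, iface, reverse, verdict))
    return results


# Constructed packets, all arriving on the outside interface.
PACKETS = [
    ("203.0.113.5", "Serial0/0"),    # ordinary Internet host: reverse path is the default route
    ("192.168.1.10", "Serial0/0"),   # source claims to be on the LAN: spoofed, dropped
    ("10.20.5.5", "Serial0/0"),      # real host reached via Serial0/1: asymmetric, also dropped
]

if __name__ == "__main__":
    for src, iface, reverse, verdict in classify(ROUTING_TABLE, PACKETS):
        print(f"{src:>14} in on {iface:<16} reverse path via {reverse!s:<16} -> {verdict}")
```

The second packet shows the intended effect: a packet entering from the Internet with a LAN source address is dropped because the router would never send traffic to that address out of Serial0/0. The third packet is the failure mode the text warns about: 10.20.5.5 is a legitimate host, but its return path is Serial0/1, so traffic from it that arrives on Serial0/0 is dropped just the same. Before enabling the feature, confirm that every source expected on an outside interface is routed back out of that same interface.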

In addition, unicast RPF can be enabled only when IP Cisco Express Forwarding is enabled. Cisco SDM Express will check the router configuration to see if IP Cisco Express Forwarding is enabled. If IP Cisco Express Forwarding is not


Cisco SDM Express

1-36

OL-7141-04
