1、同步网络时钟、设置日志格式
conf t
! The zone name "GMT" is only a label printed in timestamps; the offset that
! actually applies is the +8 given here.
clock timezone GMT +8
! NOTE(review): unauthenticated NTP source; every log timestamp below depends
! on it, so it should be a trusted/internal server where possible.
ntp server 120.25.115.20
! Millisecond, local-time timestamps with the zone shown, for both debug and
! log output, so entries line up with the syslog server's files.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
end
show clock
2、搭建日志服务器
vim /etc/rsyslog.conf
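# Provides UDP syslog reception (IOS "logging host" sends to UDP/514 by default)
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
# One file per sending host per day. Declared once: declaring the template
# and the "*.* ?RemoteHost" action twice (once per listener, as before) makes
# every received message get written to the file twice.
$template RemoteHost,"/home/syslog/%$YEAR%-%$MONTH%-%$DAY%/%FROMHOST-IP%.log"
# NOTE(review): *.* also matches this host's own messages (FROMHOST-IP is then
# the loopback address), and both listeners accept from any source — limit
# senders to the switch addresses with $AllowedSender or a host firewall.
*.* ?RemoteHost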
3、交换机同步日志
conf t
logging on
! The rsyslog host configured above; IOS sends UDP/514 unless told otherwise.
logging host 192.168.1.15
logging facility local7
! Trap level 7 = debugging: everything, including debug output, is forwarded.
! Very noisy on a busy switch; level 6 (informational) is the usual choice.
logging trap 7
end
write
4、搭建tftp服务器
# xinetd starts in.tftpd on demand; tftp-server provides /usr/sbin/in.tftpd.
yum -y install xinetd tftp-server
vim /etc/xinetd.d/tftp
# xinetd service definition for the TFTP backup target used by section 5.
service tftp
{
# UDP datagram service; wait = yes hands the socket to one server process.
socket_type = dgram
protocol = udp
wait = yes
# xinetd launches the daemon as root. NOTE(review): whether in.tftpd then
# drops to an unprivileged user is not shown here — confirm before relying
# on the chmod ugo+w on /tmp/config being necessary.
user = root
server = /usr/sbin/in.tftpd
# -s: chroot into /tmp/config; -c: let clients create new files (needed for
# the switch's "redirect tftp://" upload). TFTP has no authentication, so any
# host that can reach the port can write here — consider adding
# only_from = <switch management subnet> (placeholder) to this block.
server_args = -s /tmp/config -c
disable = no
# Rate limits: max 11 concurrent instances per source IP; 100 connections/s,
# then the service is disabled for 2 seconds.
per_source = 11
cps = 100 2
flags = IPv4
}
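# The upload directory is never created elsewhere in these notes, so chmod
# would fail on a fresh host; create it first.
mkdir -p /tmp/config
# World-writable so the (possibly unprivileged) tftpd process can create files.
# NOTE(review): /tmp is commonly cleaned by tmpwatch/systemd-tmpfiles — a
# directory outside /tmp would survive reboots and cleanup; confirm for this host.
chmod ugo+w /tmp/config
/etc/init.d/xinetd start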
cat /home/config.sh
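#!/bin/bash
#
# Move configs uploaded over TFTP (xinetd: server_args -s /tmp/config) into a
# per-day archive directory /home/YYYYMMDD. Run from root's crontab.
#
set -eu

src_dir="/tmp/config"
dst_root="/home"
dirdate="$(date +%Y%m%d)"
dst_dir="${dst_root}/${dirdate}"

mkdir -p "$dst_dir"

# Nothing uploaded yet: exit quietly. With the original unquoted "*", an empty
# directory left the glob unexpanded and mv failed on a literal "*".
shopt -s nullglob
files=("$src_dir"/*)
if [ "${#files[@]}" -eq 0 ]; then
    exit 0
fi

# NOTE(review): /tmp/config is world-writable and TFTP is unauthenticated, so
# whatever lands here is untrusted input; "--" keeps odd file names from being
# parsed as mv options.
mv -- "${files[@]}" "$dst_dir"/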
crontab -l
# Runs at 06:00 and 06:30 (*/30 on minutes, hour fixed to 6), i.e. right after
# the switch's 06:00 kron upload. Assumes the server clock is in the same
# timezone as the switch (+8 above) — TODO confirm.
*/30 6 * * * /home/config.sh
5、自动备份到tftp
! Scheduler entry: run policy-list BAK every day at 06:00 switch local time.
! It is declared before the policy-list it names; defining the list first is
! the conventional order, though IOS appears to accept this one.
kron occurrence BAK at 6:00 recurring
policy-list BAK
! Commands executed by the occurrence; each "cli" line runs as an exec command.
kron policy-list BAK
! Uploads the running config as 192.168.1.2.cfg. TFTP is plaintext and
! unauthenticated, so the whole config (incl. the type-7 password from
! "service password-encryption") crosses the network in the clear — keep the
! TFTP host on a management network reachable only by the switches.
cli show run | redirect tftp://192.168.1.1/192.168.1.2.cfg
6、设置访问策略
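conf t
! Management ACL: hosts allowed to open vty sessions (applied with
! "access-class 1 in" below). Both entries kept together.
access-list 1 permit 192.168.1.5
access-list 1 permit 192.168.1.1
! Brute-force throttling: 3 failed logins within 30 s -> 60 s quiet period.
login block-for 60 attempts 3 within 30
! NOTE(review): ACL 10 is not defined anywhere in these notes. During quiet
! mode only hosts matched by this ACL may log in, so define it (e.g. the same
! hosts as ACL 1) or change the number here to an ACL that exists.
login quiet-mode access-class 10
login on-failure log
login on-success log
! Domain name is required before the RSA key can be generated.
ip domain-name test.com
enable secret Abc@123
! "secret" stores a salted hash. The original used "password", which even
! with service password-encryption is type 7 and trivially reversible.
username switch_admin secret Abc@123
service password-encryption
! Generate the SSH host key BEFORE restricting the vty lines to SSH; in the
! original order new telnet connections are refused while SSH is not yet
! usable. Explicit 2048-bit modulus instead of the platform default.
crypto key generate rsa modulus 2048
ip ssh version 2
line console 0
login local
line vty 0 15
access-class 1 in
login local
! Idle sessions are dropped after 5 minutes.
exec-timeout 5 0
transport input ssh
transport output ssh
end
write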