ccr_1016_config
Differences
ccr_1016_config [2015/03/27 18:05] – [Use USB serial port to connect to other devices (switch)] admin | ccr_1016_config [2021/10/09 15:14] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
{{tag> | {{tag> | ||
- | ~~TOC~~ | ||
=====Cloud core router 1016-12 - Configuration ===== | =====Cloud core router 1016-12 - Configuration ===== | ||
Line 14: | Line 13: | ||
* Log in with new user, and disable the default admin user:< | * Log in with new user, and disable the default admin user:< | ||
* Create self signed certificate for HTTPS:< | * Create self signed certificate for HTTPS:< | ||
- | add name=server-template common-name=server | + | / |
/ | / | ||
/ | / | ||
Line 23: | Line 22: | ||
* Disable services, enable SSH / HTTPS:< | * Disable services, enable SSH / HTTPS:< | ||
/ip service enable ssh, | /ip service enable ssh, | ||
+ | * Enable strong crypto (RSA), requires version >= 6.31:< | ||
* Disable default MAC telnet server:< | * Disable default MAC telnet server:< | ||
/tool mac-server mac-winbox disable numbers=0</ | /tool mac-server mac-winbox disable numbers=0</ | ||
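Review bot: The added bullet "Enable strong crypto (RSA), requires version >= 6.31" does not name the service the setting belongs to or say what it changes, so a reader working through the list cannot tell what is being hardened. Since it sits directly after the "enable SSH / HTTPS" step, name the service in the bullet text and add a short note on what to do on versions below 6.31, so the step is not silently skipped on older firmware.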
Line 76: | Line 76: | ||
* If connection does not happen, power cycle usb first:< | * If connection does not happen, power cycle usb first:< | ||
</ | </ | ||
+ | ====Source validation==== | ||
+ | Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended. | ||
+ | |||
+ | strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded. | ||
+ | * set rp_filter to strict:< |
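Review bot: The new "Source validation" intro recommends loose mode for asymmetric routing, but only strict mode is defined in the paragraph that follows, so the reader has no way to compare the two. Add a one-line definition of loose next to the strict one, and state explicitly that strict mode discards legitimate traffic whenever the best reverse path is on a different interface, so the routing should be checked before the setting is applied. The first sentence also needs a wording fix: "DDos" should be "DDoS", and "prevent IP spoofing from DDos attacks" would be clearer as dropping packets with spoofed source addresses, which is what the reverse-path check described here does.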
ccr_1016_config.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1