Cisco IOS
In part taken from http://www.swcp.com/~jgentry/topo/cisco.htm
Router Configuration
Initial Setup
Router>enable
Router#config
Router(config)#hostname N115-7206
N115-7206(config)#interface serial 1/1
N115-7206(config-if)#ip address 192.168.155.2 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface serial 1/1
N115-7206#config
N115-7206(config)#interface ethernet 2/3
N115-7206(config-if)#ip address 192.168.150.90 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface ethernet 2/3
N115-7206#config
N115-7206(config)#router rip
N115-7206(config-router)#network 192.168.155.0
N115-7206(config-router)#network 192.168.150.0
N115-7206(config-router)#ctrl-z
N115-7206#show ip protocols
N115-7206#ping 192.168.150.1
N115-7206#config
N115-7206(config)#ip name-server 172.16.0.10
N115-7206(config)#ctrl-z
N115-7206#ping archie.au
N115-7206#config
N115-7206(config)#enable secret password
N115-7206(config)#ctrl-z
N115-7206#copy running-config startup-config
N115-7206#exit
Enable SSH
!--- Step 1: Configure the hostname if you have not previously done so.
hostname carter
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the DNS domain of the router.
ip domain-name rtp.cisco.com
!--- Step 3: Generate an SSH key to be used with SSH.
cry key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet is disabled and only SSH is supported.
line vty 0 4
 transport input SSH
!--- Instead of aaa new-model, you can use the login local command.
Foundry Networks
Enable SSH
aaa authentication login default local
ip address 10.0.0.10/8
! default gateway is optional
ip default-gateway 10.0.0.2
username myuser password mysecretpassword
crypto key generate
! use 'ip ssh' to set additional options
ip ssh
  authentication-retries   number of authentication retries allowed
  client                   SSH client allowed
  idle-time                SSH idle time in minutes
  key-authentication       enable/disable public key authentication
  password-authentication  password authentication
  permit-empty-passwd      permit empty password login
  port                     SSH port (default port 22)
  pub-key-file             import client public keys (DSA)
  scp                      enable/disable scp
  timeout                  SSH login timeout in sec. (default 120 sec)
Find Slot/Port
To find out which slot/port a given system is plugged into, do this:
SX3#sh mac-address | inc 9c
0014.4f0f.b29c 7/17 Dynamic 5112 1
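The `| inc 9c` filter above matches any entry whose MAC merely contains that fragment, so it can return more than one port. The following added example (not part of the original page) parses `show mac-address` output and looks up the exact port for a MAC written in any common notation (colon, dash, bare hex, or the dotted form the switch prints). The sample output is constructed around the single line shown above; the MAC and port columns are the only ones relied on, and the names of the remaining columns (type, index, vlan) are assumptions.

```python
"""Find the slot/port a MAC address was learned on from Foundry
`show mac-address` output. Added example, not from the original page."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output; the 7/17 line is the one shown on the page.
# Column names other than MAC and port are assumed.
SAMPLE_OUTPUT = """\
Total active entries from all ports = 3
MAC-Address     Port   Type     Index  VLAN
0000.5e00.0101  1/1    Static   17     1
0014.4f0f.b29c  7/17   Dynamic  5112   1
00e0.52ab.cd9c  12/3   Dynamic  6001   20
"""

NON_HEX = re.compile(r"[^0-9a-f]")
MAC_LINE = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<port>\d+/\d+)\s+(?P<type>\S+)\s+(?P<index>\d+)\s+(?P<vlan>\d+)"
)


def normalize_mac(mac: str) -> str:
    """Accept 00:14:4f:0f:b2:9c, 00-14-4F-0F-B2-9C, 00144f0fb29c or
    0014.4f0f.b29c and return the dotted form the switch prints."""
    digits = NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def find_port(text: str, mac: str) -> Optional[str]:
    """Exact lookup: the port the given MAC is learned on, or None."""
    wanted = normalize_mac(mac)
    for row in parse_mac_table(text):
        if row["mac"] == wanted:
            return row["port"]
    return None


def ports_matching_suffix(text: str, suffix: str) -> List[Tuple[str, str]]:
    """What `sh mac-address | inc <suffix>` shows: every (mac, port) whose
    MAC contains the fragment, which is why two hosts can match."""
    s = suffix.lower()
    return [(r["mac"], r["port"]) for r in parse_mac_table(text) if s in r["mac"]]


if __name__ == "__main__":
    print("exact :", find_port(SAMPLE_OUTPUT, "00:14:4F:0F:B2:9C"))
    print("| inc 9c :", ports_matching_suffix(SAMPLE_OUTPUT, "9c"))
```

Run it against saved `show mac-address` output (for example pasted from a terminal session) to get an unambiguous slot/port for a host instead of eyeballing the `| inc` match.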
Mirror Port
To monitor traffic on module 1 port 1 coming and going from module 1 port 5, you would do this:
SX1(config)# mirror-port ethernet 1/1
SX1(config)# interface ethernet 1/5
SX1(config-if-e1000-1/5)# monitor ethernet 1/1 both
Show Mirrored Ports
show mirror
or
show monitor
Example output:
myswitch#show monitor
Monitored Port 8/23
  Input mirrored by : (S4) 2
  Output mirrored by : (S4) 2
Monitored Port 9/1
  Input mirrored by : (S4) 2
  Output mirrored by : (S4) 2
Monitored Port 10/1
  Input mirrored by : (S4) 2
  Output mirrored by : (S4) 2
Upgrading Firmware (OS)
* login via serial (for later reboot monitoring)
* enter into enable mode
* back up the running config (to a tftp server): copy running tftp ServerIP SavedFileName
  e.g.: copy run tftp 10.0.1.103 nlb.cfg
  Note that because of permission problems, one may need to create an empty file (size 0) in the tftp server storage directory so that the uploaded file can be written to disk without failure errors.
* actually get the image: copy tftp flash SvrIP FILENAME primary
  e.g.: copy tftp flash 10.0.1.103 BSI07118T8.bin primary
* save the old running config: write memory
* reboot the load balancer for the new firmware/OS to kick in: reload
* verify the version after reboot: show ver
Modify VLAN Settings
Say you have a configuration like the following and you need to remove **port 9/2** from **tagged** VLAN 10 and make it **untagged**. (Note: "tagged" is used when bridging two switches. Untagged is used so that traffic travelling between the two bridged switches is delivered properly on the local switch as well as the remote one.)
sh run
...
vlan 10 name red by port
 tagged ethe 9/1 to 9/2 ethe 10/1 to 10/2
 untagged ethe 1/1 to 1/24 ethe 2/1 to 2/24 ethe 3/1 to 3/24 ethe 4/1 to 4/24 ethe 5/1 to 5/24 ethe 6/1 to 6/24 ethe 7/1 to 7/24 ethe 8/1 to 8/24 ethe 11/1 to 11/24 ethe 12/1 to 12/24 ethe 13/1 to 13/24
 router-interface ve 10
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1
...
Now you need to do this:
superx1600(config)#vlan 10
superx1600(config-vlan-10)#no tagged ethe 9/2
superx1600(config-vlan-10)#untagged ethe 9/2
...
superx1600# write mem
Troubleshooting
Show Configuration
* ExampleName#show interfaces
* ExampleName#show ip protocols
* ExampleName#show ip route
* ExampleName#show ip arp
Test Connectivity
* ExampleName# ping xx.xx.xx.xx
VPN Fragmentation
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
* start the vpn
* connect over the vpn to a service; if it breaks, do:
* ping -M do -s 1500 192.168.0.11
* continue removing 20 at a time until you get a response (1300 is the sweet spot for VPNs)
* on the cisco ASA then do: sysopt connection tcpmss 1280
* then do the same for WAN ips and set the MTU accordingly: mtu outside 1460
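The probing loop above (DF-bit pings shrinking by 20 bytes until one gets through) and the header arithmetic behind the two ASA values are easy to get wrong by hand, so here is an added example, not part of the original page, that automates both. `ping_probe` assumes the Linux iputils `ping -M do -s SIZE HOST` syntax used above; the `fake_path` helper is a constructed stand-in for a real link so the loop can be exercised offline. Note that a payload of N bytes proves an IP MTU of N + 28 (8-byte ICMP header plus 20-byte IPv4 header), and the TCP MSS that fits in an MTU is MTU minus 40; the example derives both from the measured values rather than using the page's rounded 1280/1460.

```python
"""Path-MTU probing loop and the ASA MSS/MTU values derived from it.
Added example, not from the original page."""
import subprocess
from typing import Callable, List, Optional

IP_HEADER = 20     # IPv4 header without options
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # TCP header without options


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One DF-bit ping with the given payload size (Linux iputils syntax,
    as on the page: ping -M do -s SIZE HOST). True if a reply came back."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_largest_payload(probe: Callable[[int], bool], start: int = 1500,
                         step: int = 20, floor: int = 1000) -> Optional[int]:
    """Descend from `start` in `step`-byte decrements until `probe` succeeds.
    Returns the largest working ICMP payload, or None if nothing at or
    above `floor` got through (stop rather than loop forever on a dead host)."""
    size = start
    while size >= floor:
        if probe(size):
            return size
        size -= step
    return None


def ip_mtu_from_payload(payload: int) -> int:
    """A ping payload that gets through proves the path carries an IP
    packet of payload + ICMP header + IP header bytes."""
    return payload + ICMP_HEADER + IP_HEADER


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest TCP segment payload that fits in `mtu` without fragmentation."""
    return mtu - IP_HEADER - TCP_HEADER


def asa_commands(tunnel_payload: int, wan_payload: int) -> List[str]:
    """Render the two ASA settings from the page: the TCP MSS clamp from the
    payload measured through the tunnel, and the outside-interface MTU from
    the payload measured to the WAN address."""
    tunnel_mtu = ip_mtu_from_payload(tunnel_payload)
    wan_mtu = ip_mtu_from_payload(wan_payload)
    return [f"sysopt connection tcpmss {tcp_mss_for_mtu(tunnel_mtu)}",
            f"mtu outside {wan_mtu}"]


def fake_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real link: the probe succeeds only when the
    whole IP packet fits in `path_mtu`."""
    return lambda payload: ip_mtu_from_payload(payload) <= path_mtu


if __name__ == "__main__":
    # Constructed paths: a 1328-byte tunnel MTU and a 1500-byte WAN path.
    # For a real measurement use lambda s: ping_probe("192.168.0.11", s).
    tunnel = find_largest_payload(fake_path(1328))
    wan = find_largest_payload(fake_path(1500))
    print("tunnel payload:", tunnel, " wan payload:", wan)
    print("\n".join(asa_commands(tunnel, wan)))
```

Because the loop only tries multiples of 20 below 1500, it reports 1460 rather than the exact 1472 on a clean 1500-byte path; that is the same granularity the manual procedure has, and it errs on the safe side.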
Tips
Typing **end** gets you out of any sublevel configuration back to the **enabled** (aka privileged) mode
Hardware Specific
Cisco ASA 5500
Network Traffic
show traffic
Adding Users
ASA5500(config)# username myuser password mysecret
ASA5500(config)# username myuser attributes
ASA5500(config-username)# vpn-group-policy mypolicy
Removing Users
ASA5500# conf t
ASA5500(config)# no username myuser attributes
ASA5500(config)# clear configure username myuser
Adding IPs to an object-group
name 66.114.86.65 kiskeyix
object-group network myname
 network-object kiskeyix 255.255.255.255
Remote access VPN
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/site2sit.html
Note that in these vpn-filter rules the source is the VPN client and the destination is the local LAN, i.e. the addresses are inverted compared to the nat 0 rules further down.
access-list from_vpn extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit ip 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 192.168.0.0 255.255.255.0
ip local pool vpn 192.168.20.20-192.168.20.200 mask 255.255.252.0
* **vpn-filter** allows traffic to be permitted/denied after being decrypted through the tunnel
group-policy pgroup internal
group-policy pgroup attributes
 wins-server value 10.0.0.7
 dns-server value 10.0.0.7
 vpn-simultaneous-logins 99
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage disable
 ip-comp enable
 default-domain value example.net
 vpn-filter value from_vpn
 webvpn
username foo password @#$@lkjlk2lk encrypted
crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac
crypto dynamic-map remoteaccessdynmap 10 set transform-set remoteaccess
crypto map remoteaccess_map 20 ipsec-isakmp dynamic remoteaccessdynmap
crypto map remoteaccess_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group tgroup type ipsec-ra
tunnel-group tgroup general-attributes
 address-pool vpn
 default-group-policy pgroup
tunnel-group tgroup ipsec-attributes
 pre-shared-key *
Last, to allow NAT traffic to traverse through the tunnel:
access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.20.0 255.255.252.0
And apply these rules to the NAT 0 (special) rule:
nat (inside) 0 access-list from_vpn_nat0
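The vpn-filter ACL (client to LAN) and the nat 0 ACL (LAN to client) above have to stay mirror images of each other; a LAN network that is permitted in one but forgotten in the other is a common cause of "tunnel comes up but nothing answers". The following added example, not part of the original page, parses ASA `access-list ... extended` lines from a saved configuration, reports every vpn-filter permit that lacks its mirrored nat 0 exemption, and checks that the `ip local pool` range lies inside a source network of the vpn-filter. The page's own rules are used as input; `BROKEN_CONFIG` is a constructed variant with one nat 0 line left out, and the ACL and pool names are taken from the page.

```python
"""Consistency check between a vpn-filter ACL and the nat 0 (identity NAT)
ACL on a Cisco ASA. Added example, not from the original page."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# The page's own access-list lines (ASA ACLs use netmasks, not wildcards).
PAGE_CONFIG = """\
access-list from_vpn extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit ip 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 192.168.0.0 255.255.255.0
access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.20.0 255.255.252.0
"""

# Constructed variant: the nat 0 exemption for the 192.168.20.0/22 pool is missing.
BROKEN_CONFIG = "\n".join(
    l for l in PAGE_CONFIG.splitlines() if "192.168.20.0 255.255.252.0" not in l or "nat0" not in l
)

ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

Pair = Tuple[str, str]


def net(addr: str, mask: str) -> str:
    """Canonical CIDR string for an ASA address/netmask pair."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_acls(config: str) -> Dict[str, List[dict]]:
    """Group parsed entries by ACL name; non-matching lines are ignored."""
    acls: Dict[str, List[dict]] = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        acls.setdefault(e["name"], []).append({
            "action": e["action"], "proto": e["proto"],
            "src": net(e["src"], e["smask"]), "dst": net(e["dst"], e["dmask"]),
        })
    return acls


def ip_pairs(entries: List[dict]) -> Set[Pair]:
    """(src, dst) of every 'permit ip' entry; an ip permit covers icmp too."""
    return {(e["src"], e["dst"]) for e in entries
            if e["action"] == "permit" and e["proto"] == "ip"}


def missing_nat0(config: str, vpn_filter: str, nat0: str) -> List[Pair]:
    """(client, lan) pairs permitted by the vpn-filter ACL that have no
    mirrored (lan, client) entry in the nat 0 ACL."""
    acls = parse_acls(config)
    wanted = ip_pairs(acls.get(vpn_filter, []))
    exempt = ip_pairs(acls.get(nat0, []))
    return sorted((c, l) for (c, l) in wanted if (l, c) not in exempt)


def pool_inside_filter(config: str, vpn_filter: str,
                       pool_start: str, pool_end: str) -> bool:
    """The whole `ip local pool` range must sit inside one source network of
    the vpn-filter, otherwise some clients get no filter rule at all."""
    srcs = [ipaddress.ip_network(e["src"])
            for e in parse_acls(config).get(vpn_filter, [])]
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return any(first in n and last in n for n in srcs)


if __name__ == "__main__":
    print("page config, missing nat0:", missing_nat0(PAGE_CONFIG, "from_vpn", "from_vpn_nat0"))
    print("broken config, missing nat0:", missing_nat0(BROKEN_CONFIG, "from_vpn", "from_vpn_nat0"))
    print("pool 192.168.20.20-200 covered:",
          pool_inside_filter(PAGE_CONFIG, "from_vpn", "192.168.20.20", "192.168.20.200"))
```

Feed it the output of `show running-config access-list` and the pool from `show running-config ip local pool`; an empty list from `missing_nat0` and `True` from `pool_inside_filter` means the two halves of the configuration agree.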
Site-to-Site VPN
Remember to set up vpn-filter accordingly; see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.100 255.255.0.0
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory