Cisco IOS


In part taken from http://www.swcp.com/~jgentry/topo/cisco.htm

Router Configuration

Initial Setup

   # Router>enable
   # Router#config
   # Router(config)#hostname N115-7206
   # N115-7206(config)#interface serial 1/1
   # N115-7206(config-if)#ip address 192.168.155.2 255.255.255.0
   # N115-7206(config-if)#no shutdown
   # N115-7206(config-if)#ctrl-z
   # N115-7206#show interface serial 1/1
   # N115-7206#config
   # N115-7206(config)#interface ethernet 2/3
   # N115-7206(config-if)#ip address 192.168.150.90 255.255.255.0
   # N115-7206(config-if)#no shutdown
   # N115-7206(config-if)#ctrl-z
   # N115-7206#show interface ethernet 2/3
   # N115-7206#config
   # N115-7206(config)#router rip
   # N115-7206(config-router)#network 192.168.155.0
   # N115-7206(config-router)#network 192.168.150.0
   # N115-7206(config-router)#ctrl-z
   # N115-7206#show ip protocols
   # N115-7206#ping 192.168.150.1
   # N115-7206#config
   # N115-7206(config)#ip name-server 172.16.0.10
   # N115-7206(config)#ctrl-z
   # N115-7206#ping archie.au
   # N115-7206#config
   # N115-7206(config)#enable secret password
   # N115-7206(config)#ctrl-z
   # N115-7206#copy running-config startup-config
   # N115-7206#exit 

Enable SSH

   !--- Step 1: Configure the hostname if you have not previously done so.
   hostname carter
   !--- The aaa new-model command causes the local username and password on the router
   !--- to be used in the absence of other AAA statements.
   aaa new-model
   username cisco password 0 cisco
   !--- Step 2: Configure the DNS domain of the router.
   ip domain-name rtp.cisco.com
   !--- Step 3: Generate an SSH key to be used with SSH.
   cry key generate rsa
   ip ssh time-out 60
   ip ssh authentication-retries 2
   !--- Step 4: By default the vtys' transport is Telnet. In this case, 
   !--- Telnet is disabled and only SSH is supported.
   line vty 0 4
   transport input SSH
   !--- Instead of aaa new-model, you can use the login local command.

Foundry Networks

Enable SSH

   aaa authentication login default local
   ip address 10.0.0.10/8
   ! default gateway is optional
   ip default-gateway 10.0.0.2
   username myuser password mysecretpassword
   crypto key generate
   ! use 'ip ssh' to set additional options
   ip ssh 
     authentication-retries    number of authentication retries allowed
     client                    SSH client allowed
     idle-time                 SSH idle time in minutes
     key-authentication        enable/disable public key authentication
     password-authentication   password authentication
     permit-empty-passwd       permit empty password login
     port                      SSH port (default port 22)
     pub-key-file              import client public keys (DSA)
     scp                       enable/disable scp
     timeout                   SSH login timeout in sec.(default 120 sec)

Find Slot/Port

To find out which slot/port a given system is plugged into, search the MAC table for part of its MAC address (here the trailing `9c`):

   SX3#sh mac-address | inc 9c
   0014.4f0f.b29c  7/17         Dynamic    5112       1   

Mirror Port

To monitor traffic on module 1 port 1 coming and going from module 1 port 5, you would do this:

   SX1(config)# mirror-port ethernet 1/1
   SX1(config)# interface ethernet 1/5
   SX1(config-if-e1000-1/5)# monitor ethernet 1/1 both

Show Mirrored Ports

   show mirror

or

   show monitor

Example output:

   myswitch#show monitor
   Monitored Port 8/23
     Input mirrored by	: (S4)   2 
     Output mirrored by	: (S4)   2 
   Monitored Port 9/1
     Input mirrored by	: (S4)   2 
     Output mirrored by	: (S4)   2 
   Monitored Port 10/1
     Input mirrored by	: (S4)   2 
     Output mirrored by	: (S4)   2 

Upgrading Firmware (OS)

   login via serial console (so you can watch the reboot later)
   enter enable mode
   back up the running config (to a TFTP server):
           copy running tftp ServerIP SavedFileName
           eg: copy run tftp 10.0.1.103 nlb.cfg
   Note that because of permission problems you may need to create an empty file (size 0) with that
   name in the TFTP server's storage directory so that the uploaded file can be written to disk
   without failure errors.
   fetch the image:
           copy tftp flash SvrIP FILENAME primary
           eg: copy tftp flash 10.0.1.103 BSI07118T8.bin primary
   save the running config:
           write memory
   reboot the load balancer so the new firmware/OS takes effect:
           reload
   verify the version after the reboot:
           show ver

Modify VLAN Settings

Say you have a configuration like the following and you need to remove **port 9/2** from **tagged** VLAN 10 and make it **untagged**. (Note that "tagged" is used when bridging 2 switches; untagged is used so that traffic travelling between the 2 bridged switches is delivered properly on the local switch as well as on the remote one.)

   sh run
   ...
   vlan 10 name red by port
    tagged ethe 9/1 to 9/2 ethe 10/1 to 10/2 
    untagged ethe 1/1 to 1/24 ethe 2/1 to 2/24 ethe 3/1 to 3/24 ethe 4/1 to 4/24 ethe 5/1 to 5/24 ethe 6/1 to 6/24 ethe 7/1 to 7/24 ethe 8/1 to 8/24 ethe 11/1 to 11/24 ethe 12/1 to 12/24 ethe 13/1 to 13/24 
    router-interface ve 10
    spanning-tree 802-1w
    spanning-tree 802-1w priority 1
   ...

Now you need to do this:

   superx1600(config)#vlan 10
   superx1600(config-vlan-10)#no tagged ethe 9/2
   superx1600(config-vlan-10)#untagged ethe 9/2
   ...
   superx1600# write mem

Troubleshooting

Show Configuration

 * ExampleName#show interfaces
 * ExampleName#show ip protocols
 * ExampleName#show ip route
 * ExampleName#show ip arp

Test Connectivity

 * ExampleName# ping xx.xx.xx.xx

VPN Fragmentation

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml

 * start the VPN
 * connect over the VPN to a service; if the connection breaks, do:
 * ping -M do -s 1500 192.168.0.11
 * keep reducing the size 20 bytes at a time until you get a response (1300 is the sweet spot for VPNs)
 * on the Cisco ASA then do: sysopt connection tcpmss 1280
 * then do the same for the WAN IPs and set the MTU accordingly: mtu outside 1460
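The walk-down above, scripted as an added example (not from the original page): it sends one DF-flagged ping per size, drops 20 bytes per try until a reply comes back, and reports the path MTU that payload implies. It assumes Linux iputils ping and IPv4 without options (MTU = payload + 8 ICMP + 20 IP bytes); the `sysopt connection tcpmss` / `mtu outside` values you then set on the ASA remain your choice, as on the page.

```shell
#!/bin/sh
# Added example: automate "ping -M do -s SIZE HOST" walk-down for VPN MTU problems.
# Assumptions: Linux iputils ping; IPv4, no IP options.

# probe_df SIZE HOST: succeed if one DF-flagged ping with SIZE payload bytes is answered.
probe_df() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload HOST [START] [STEP] [PROBE]
# Walk down from START by STEP until PROBE succeeds; print the payload size.
# PROBE is a parameter (default probe_df) so the walk can be run offline
# with a stand-in probe; returns 1 if no size is answered.
find_max_payload() {
    local host="$1" size="${2:-1500}" step="${3:-20}" probe="${4:-probe_df}"
    while [ "$size" -gt 0 ]; do
        if "$probe" "$size" "$host"; then
            echo "$size"
            return 0
        fi
        size=$((size - step))
    done
    return 1
}

# implied_mtu PAYLOAD: size of the IPv4 packet that payload produced (8 ICMP + 20 IP).
implied_mtu() { echo $(( $1 + 28 )); }

# implied_mss MTU: largest TCP MSS that fits the MTU (40 bytes of IPv4 + TCP headers).
implied_mss() { echo $(( $1 - 40 )); }

# Usage: sh mtu_walk.sh 192.168.0.11 [START] [STEP]   (host taken from the page's example)
if [ "$#" -ge 1 ]; then
    payload=$(find_max_payload "$@") || { echo "no payload size was answered" >&2; exit 1; }
    mtu=$(implied_mtu "$payload")
    echo "largest DF payload: $payload  path MTU: $mtu  TCP MSS: $(implied_mss "$mtu")"
fi
```

Run it once against the LAN host behind the tunnel and once against the WAN peer, then set the ASA values from the two results.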

Tips

Typing **end** gets you out of any sublevel configuration back to the **enabled** (aka privileged) mode

Hardware Specific

Cisco ASA 5500

Network Traffic

 show traffic

Adding Users

 ASA5500(config)# username myuser password mysecret
 ASA5500(config)# username myuser attributes
 ASA5500(config-username)# vpn-group-policy mypolicy

Removing Users

 ASA5500# conf t
 ASA5500(config)# no username myuser attributes
 ASA5500(config)# clear configure username myuser

Adding IPs to a object-group

 ! the name must be defined before the object-group can reference it
 name 66.114.86.65 kiskeyix
 object-group network myname
 network-object kiskeyix 255.255.255.255

Remote access VPN

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/site2sit.html

Note that in these rules the source (the VPN client) and the destination (the local LAN) are inverted:

   access-list from_vpn extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0 
   access-list from_vpn extended permit ip 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0 
   access-list from_vpn extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0 
   access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0 
   access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 192.168.0.0 255.255.255.0 
   ip local pool vpn 192.168.20.20-192.168.20.200 mask 255.255.252.0
 * **vpn-filter** allows traffic to be permitted or denied after it has been decrypted from the tunnel

(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml)

   group-policy pgroup internal
   group-policy pgroup attributes
    wins-server value 10.0.0.7
    dns-server value 10.0.0.7
    vpn-simultaneous-logins 99
    vpn-idle-timeout none
    vpn-session-timeout none
    password-storage disable
    ip-comp enable
    default-domain value example.net
    vpn-filter value from_vpn
    webvpn
   username foo password @#$@lkjlk2lk encrypted
   crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac 
   crypto dynamic-map remoteaaccessdynmap 10 set transform-set remoteaccess
   crypto map remoteaccess_map 20 ipsec-isakmp dynamic remoteaaccessdynmap
   crypto map remoteaccess_map interface outside
   isakmp enable outside
   isakmp policy 30 authentication pre-share
   isakmp policy 30 encryption 3des
   isakmp policy 30 hash sha
   isakmp policy 30 group 2
   isakmp policy 30 lifetime 86400
   tunnel-group tgroup type ipsec-ra
   tunnel-group tgroup general-attributes
    address-pool vpn
    default-group-policy pgroup
   tunnel-group tgroup ipsec-attributes
    pre-shared-key *

Last, to allow NAT traffic to traverse through the tunnel:

   access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0 
   access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.20.0 255.255.252.0 

And apply these rules to the NAT 0 (special) rule:

   nat (inside) 0 access-list from_vpn_nat0

Site-to-Site VPN

Remember to set up the vpn-filter accordingly; see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

   hostname(config)# interface ethernet0
   hostname(config-if)# ip address 10.10.4.100 255.255.0.0
   hostname(config-if)# no shutdown
   hostname(config)# isakmp policy 1 authentication pre-share
   hostname(config)# isakmp policy 1 encryption 3des
   hostname(config)# isakmp policy 1 hash sha
   hostname(config)# isakmp policy 1 group 2
   hostname(config)# isakmp policy 1 lifetime 43200
   hostname(config)# isakmp enable outside
   hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
   hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
   hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
   hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
   hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
   hostname(config)# crypto map abcmap 1 match address l2l_list
   hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
   hostname(config)# crypto map abcmap 1 set transform-set FirstSet
   hostname(config)# crypto map abcmap interface outside
   hostname(config)# write memory