Configuring Features
Contents

DNS proxy
Password authentication via RADIUS
DHCP server
Cache flow (NetFlow)
Password privileges
Trunk port
AAA accounting
AAA authentication
AAA authorization
Log config commands
CPU threshold notification
Memory threshold notification
SNMPv3
NTP
SSH server
DF bit reset
URL filtering
WCCP
Download and extract a tar file
IP directed broadcast
Alias
DNS proxy

ip name-server 193.95.66.10
ip domain-lookup

These two commands let the router itself resolve host names (for ping, telnet, ssh, logging and so on). To make the router answer DNS queries from LAN clients as a proxy, ip dns server must be enabled as well.
Password authentication via RADIUS

The telnet (vty) password is checked against the RADIUS server instead of being stored on the device. The method list viaradius falls back to the local user database, then the line password, then the enable password, but only when no RADIUS server answers; a reject from RADIUS is final.

aaa new-model
aaa authentication login default enable
aaa authentication login viaradius group radius local line enable
!
radius-server host 172.16.87.14 auth-port 1645 acct-port 1646
radius-server key ra3d1
!
line vty 0 4
 login authentication viaradius

Ports 1645/1646 are the legacy RADIUS ports; most current servers listen on 1812/1813. The shared key is stored in the configuration, so the configuration file must be protected like a password.
DHCP server

Note that one interface of the router must have an IP address belonging to the pool's subnet; otherwise the router cannot match requests to the pool (unless the requests arrive through a relay configured with ip helper-address, in which case the relay's address selects the pool).

ip dhcp excluded-address 192.168.1.2 192.168.1.100
!
ip dhcp pool pool1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name ossasoft.tn
 dns-server 192.168.2.250
 netbios-name-server 192.168.2.250

Use show ip dhcp binding to list the leased addresses. import all copies the options the router learned as a DHCP client on one of its own interfaces into the pool, so check that an upstream server cannot push a DNS server you do not trust to your clients.
Cache flow (NetFlow)

NetFlow collects per-flow traffic statistics and exports them to a NetFlow collector (for example ManageEngine NetFlow Analyzer). The example below is for a Catalyst 6500; on a router, ip route-cache flow on each interface plus ip flow-export version 5 and the two ip flow-export commands below are enough.

configure terminal
mls flow ip full
interface Vlan10
 ip route-cache flow
 exit
mls nde sender version 5
ip flow-export source loopback 0
ip flow-export destination 10.10.100.2 9996

NetFlow v5 is exported in clear text over UDP with no authentication: anyone who can reach UDP 9996 on the collector can inject fake flows, and anyone on the path can read who talks to whom. Keep the export path inside the management network.
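What the collector at 10.10.100.2:9996 actually receives is a stream of NetFlow v5 datagrams. The following is an added example written for this page, not code from the page or from any NetFlow product: it decodes the v5 header and records with the standard layout (24-byte header, up to 30 records of 48 bytes), refuses datagrams whose record count does not match their length, and then hunts the decoded flows for clear-text management sessions. The sample datagram is constructed in the block itself; the addresses in it are taken from the page's examples.

```python
# NetFlow v5 collector side: decode what the "ip flow-export destination 10.10.100.2 9996"
# command above sends.  Added example, not from the original page.  The field layout is the
# published NetFlow v5 format (24-byte header, up to 30 records of 48 bytes); the sample
# datagram below is constructed here, not a real capture.
import struct
from ipaddress import IPv4Address

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on anything malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A collector must not trust the count field blindly: check it against the real length.
    if count > 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records

CLEARTEXT_ADMIN_PORTS = {23: "telnet", 80: "http"}

def find_cleartext_admin(records):
    """Flows using clear-text management protocols, the kind of thing to hunt for in exports."""
    return [r for r in records if r["proto"] == 6 and r["dport"] in CLEARTEXT_ADMIN_PORTS]

def _record(src, dst, sport, dport, proto, packets, nbytes, tcp_flags=0):
    """Pack one constructed flow record (interfaces 10 -> 20, /24 masks, no next hop)."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\x00" * 4,
                       10, 20, packets, nbytes, 1000, 2000, sport, dport,
                       0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed export: an SSH session, a DNS lookup and a telnet session to the router itself.
SAMPLE_DATAGRAM = (
    HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, 0)
    + _record("10.10.10.30", "172.25.1.5", 51000, 22, 6, 40, 5200, tcp_flags=0x18)
    + _record("192.168.1.50", "192.168.2.250", 53123, 53, 17, 1, 64)
    + _record("192.168.1.60", "10.13.1.1", 40000, 23, 6, 12, 900, tcp_flags=0x18)
)

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(f"seq={hdr['flow_sequence']} records={hdr['count']}")
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto={r['proto']} bytes={r['bytes']}")
    for r in find_cleartext_admin(recs):
        print("clear-text admin flow:", r["src"], "->", r["dst"], CLEARTEXT_ADMIN_PORTS[r["dport"]])
```

A real collector would wrap parse_netflow_v5 in a UDP listener bound to port 9996 and also watch flow_sequence for gaps, which reveal dropped exports (or a spoofed sender that does not know the sequence).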
Password privileges

We need to limit the user mannoubi to just a few commands. The user is created at privilege level 0 and the ping and telnet commands are moved down to level 0, so those are all the user can run apart from the level-0 defaults (disable, enable, exit, help, logout).

username mannoubi privilege 0 password 3akkeri
privilege exec level 0 ping
privilege exec level 0 telnet
!
Other commands:
enable secret level 0 secret0
privilege exec all level 14 show

privilege exec all level 14 show moves show and all its sub-commands to level 14, so users below level 14 no longer see them. Note that password stores the credential reversibly (or in clear text without service password-encryption); username ... secret stores a hash. Also consider that telnet from the router lets this user open connections to other devices with the router's own source address.
DF bit reset

Some servers set the don't fragment (DF) bit, but the router needs to fragment because of an MTU limitation on the path to the branches. The DF bit can be cleared with a route map applied as policy routing on the ingress interface.

interface GigabitEthernet0/0
 description internal interface
 ip address 10.13.1.1 255.255.0.0
 ip policy route-map clear-df-bit
!
interface GigabitEthernet0/1
 description external to branches with MTU problem
 ip address 10.12.200.254 255.255.0.0
!
ip access-list extended csb-to-remote
 permit ip host 10.10.10.30 172.25.0.0 0.0.255.255
!
route-map clear-df-bit permit 10
 match ip address csb-to-remote
 set ip df 0
!

Clearing DF disables path MTU discovery for the matched traffic: the router fragments instead, which costs CPU and hides the real MTU problem from the sender. Keep the access list as narrow as this one, and prefer fixing the MTU or clamping the TCP MSS (ip tcp adjust-mss) on the branch interface where possible.
URL filtering

The router denies access to youtube.com and permits all other sites.

ip inspect name MyFilter http urlfilter
ip urlfilter exclusive-domain deny youtube.com
ip urlfilter audit-trail
ip urlfilter allow-mode on
!
interface FastEthernet0/0
 ip inspect MyFilter in

This filters plain HTTP only: the domain is read from the HTTP request, so HTTPS sessions are not inspected. allow-mode on means the router permits traffic (fails open) when an external URL-filter server cannot be reached; audit-trail logs permitted and denied URLs to syslog, so plan for the log volume.
WCCP

Redirects HTTP and HTTPS traffic arriving on interface e0 to the cache engines of WCCP service group 99.

router(config)#access-list 101 permit tcp any any eq http
router(config)#access-list 101 permit tcp any any eq https
router(config)#ip wccp 99 redirect-list 101
router(config)#interface e0
router(config-if)#ip wccp 99 redirect in

Any host that registers with the router for service 99 receives the redirected traffic, so restrict the accepted cache engines with the group-list and password options of ip wccp. Redirecting port 443 only makes sense if the cache engine is built to handle TLS.
Trunk port (inter-VLAN routing)

For inter-VLAN routing when your switch is only layer 2: configure the switch port facing the router as a trunk and create one subinterface per VLAN on the router port.

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation isl 1   (or: encapsulation dot1Q 1 native)
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation isl 2   (or: encapsulation dot1Q 2)
 ip address 10.10.11.1 255.255.255.0

ISL is obsolete; use 802.1Q. The native VLAN on the router subinterface must match the native VLAN of the trunk on the switch, and it is good practice to use a dedicated unused VLAN rather than VLAN 1 as native.
AAA accounting

We need to know which commands administrators enter. The commands are logged to a TACACS+ server (RADIUS cannot do command accounting).

aaa new-model
aaa accounting commands 1 sabbeb1 start-stop group tacacs+
aaa accounting commands 15 sabbeb2 start-stop group tacacs+
!
tacacs-server host 10.111.100.2 key kilmitissir
!
line vty 0 4
 accounting commands 1 sabbeb1
 accounting commands 15 sabbeb2
!

Only levels 1 and 15 are accounted here; if you move commands to other levels (see Password privileges) add an accounting list for those levels too. The TACACS+ key is stored in the configuration in clear text unless service password-encryption is enabled.
AAA authentication

Traditionally device passwords are stored locally. Centralizing them on an AAA server is easier to administer and lets you monitor access to the devices. In this example, if no TACACS+ server is reachable the password is checked against the local usernames, then against the enable password.

aaa new-model
aaa authentication login default enable
aaa authentication login chorta group tacacs+ local enable
!
tacacs-server host 10.10.100.2 key kilmitissir
!
line vty 0 4
 login authentication chorta
!

The fallback is used only when the server does not answer; a reject from TACACS+ is final. The default list (enable password only) still applies to the console and to any line without login authentication chorta, and a local username must exist for the local fallback to be of any use.
For web access to the device, add the following commands:

aaa authorization exec webauthorization group tacacs+ local
!
ip http authentication aaa login-authentication whoisit
ip http authentication aaa exec-authorization webauthorization

whoisit must be a login method list defined with aaa authentication login (in the example above that list is called chorta). Use ip http secure-server rather than ip http server so that the credentials are not sent in clear text.
AAA authorization

To restrict the commands users can enter:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none

aaa authorization config-commands is needed so that configuration-mode commands are authorized as well, not only EXEC commands. The trailing none means that every command is allowed when the TACACS+ server is unreachable (fail open); use if-authenticated or local instead if that is not acceptable. By default authorization is not applied to the console (unless aaa authorization console is configured), which leaves a recovery path if the server rejects everything.
SNMPv3

SNMPv3 with authentication and encryption. Username cw, authentication password cwpass, privacy (encryption) password cwpass1; only managers matched by access-list 20 are accepted.

snmp-server group cwgrp v3 priv access 20
snmp-server user cw cwgrp v3 auth sha cwpass priv aes 128 cwpass1
!
access-list 20 …..

The snmp-server user line is not shown in the running configuration (use show snmp user to verify it), and the user is bound to the local SNMP engine ID: if the engine ID changes, the user becomes invalid and must be recreated.
NTP

Allow the network device to get time and date from an NTP server (which could be the core switch, for example). Both sides share key 1, so the client accepts only replies authenticated with that key.

NTP server:
ntp authenticate
ntp master
ntp authentication-key 1 md5 mytimekey
ntp trusted-key 1
ntp update-calendar

NTP client:
ntp authenticate
ntp server 10.50.40.1 key 1
ntp authentication-key 1 md5 mytimekey
ntp trusted-key 1
!
clock timezone tunis +1

ntp master without a stratum number advertises stratum 8. ntp authenticate only makes a device verify the sources it synchronizes to; it does not stop unauthenticated clients from querying the server, so use ntp access-group to limit who may ask it for time.
SSH server

To enable the SSH server on the device:

username user1 password cisco1
!
ip domain-name test.mycompany.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
line vty 0 4
 login local
 transport input telnet ssh

crypto key generate rsa requires a hostname and ip domain-name to be set first; choose a modulus of at least 2048 bits when prompted. transport input telnet ssh still accepts clear-text telnet; once SSH is verified to work, change it to transport input ssh and add ip ssh version 2. Prefer username ... secret over password, which is stored reversibly.
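The weak settings called out in the SSH, AAA authorization and Password privileges sections are easy to find with a quick offline check of the running configuration. The following is an added example written for this page, not a tool from the page or from Cisco: it splits a saved IOS configuration into top-level commands and their indented sub-commands, then flags telnet on the vty lines, reversible password entries, a fail-open none at the end of a command-authorization list, clear-text HTTP management, SNMPv1/v2c communities and ip directed-broadcast without an access list. The sample configuration is constructed from the page's own fragments; the hash values in it are placeholders.

```python
# Offline audit of an IOS running configuration for the weak settings discussed on this page:
# telnet on the vty lines, reversible "password" instead of "secret", fail-open "none" at the
# end of a command-authorization list, clear-text HTTP management, SNMPv1/v2c communities and
# ip directed-broadcast without an ACL.  Added example, not from the original page; the sample
# configuration is constructed from the page's fragments and the hashes are placeholders.
import re

def parse_blocks(config_text):
    """Split an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(config_text):
    """Return a list of (severity, finding) tuples, in configuration order."""
    findings = []
    blocks = parse_blocks(config_text)
    tops = {top for top, _ in blocks}
    for top, subs in blocks:
        if re.match(r"username \S+ .*\bpassword\b", top):
            findings.append(("medium", f"user '{top.split()[1]}' uses 'password' (reversible); use 'secret'"))
        if top.startswith("enable password"):
            findings.append(("high", "enable password in use; use enable secret"))
        if re.match(r"aaa authorization (commands \d+|exec) \S+ .*\bnone$", top):
            findings.append(("high", f"'{top}': trailing 'none' fails open when the AAA server is unreachable"))
        if top.startswith("snmp-server community"):
            findings.append(("high", "SNMPv1/v2c community configured; move to SNMPv3 auth/priv"))
        if top.startswith("line vty"):
            for s in subs:
                if s.startswith("transport input") and "telnet" in s.split():
                    findings.append(("high", f"'{top}': '{s}' accepts clear-text telnet"))
        if top.startswith("interface"):
            for s in subs:
                if s == "ip directed-broadcast":
                    findings.append(("high", f"'{top}': ip directed-broadcast without an ACL (Smurf amplifier)"))
    if "ip http server" in tops and "ip http secure-server" not in tops:
        findings.append(("medium", "HTTP management enabled without 'ip http secure-server'"))
    ssh_on_vty = any(s.startswith("transport input") and "ssh" in s.split()
                     for top, subs in blocks if top.startswith("line vty") for s in subs)
    if ssh_on_vty and "ip ssh version 2" not in tops:
        findings.append(("low", "SSH enabled without 'ip ssh version 2'; compatibility mode may accept SSHv1"))
    return findings

SAMPLE_CONFIG = """\
hostname edge-router
!
aaa new-model
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ none
!
username user1 password cisco1
username admin secret 5 <hash>
enable secret 5 <hash>
!
ip http server
snmp-server community public RO
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 ip directed-broadcast
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
 ip directed-broadcast 101
!
line vty 0 4
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {finding}")
```

Feed it the output of show running-config saved to a file; the checks are string matches on the configuration text, so they work on any IOS release that uses this syntax and produce no finding for Vlan3, whose directed broadcast is restricted by access list 101.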
Log config commands

To send configuration commands to a syslog server:

router(config)#archive
router(config-archive)#log config
router(config-archive-log-cfg)#notify syslog
router(config-archive-log-cfg)#logging enable
!
then configure the address of the syslog server:
router(config)#logging 192.168.1.1

Add hidekeys under log config so that passwords and keys typed in configuration commands are masked before they reach the syslog server; syslog itself is clear-text UDP, so keep the server on the management network.
CPU threshold notification

Sends a syslog message when total CPU utilization rises above 80% or falls back below 70%; both thresholds are evaluated every 10 seconds.

router(config)#process cpu threshold type total rising 80 interval 10 falling 70 interval 10
Memory threshold notification

Sends a syslog message when free processor memory falls below 20000 KB:

router(config)#memory free low-watermark processor 20000

Sends a syslog message when free I/O memory falls below 20000 KB:

router(config)#memory free low-watermark io 20000
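The three features above (config-command logging, the CPU threshold and the memory watermarks) all report through syslog, so the collector needs to pick their messages out and decide which ones deserve attention. The following is an added example written for this page, not code from the page or from any Cisco tool: it parses the %FACILITY-SEVERITY-MNEMONIC header that every IOS message carries, extracts the user and command from CFGLOG_LOGGEDCMD, the percentages from the CPU threshold messages and the watermark from FREEMEMLOW, and raises an alert for rising CPU, low memory and any logged command that touches AAA, logging, SNMP, access lists, credentials, crypto or management transports. The sample lines are constructed in the style of IOS messages; their hosts, users and values are made up.

```python
# Triage of the syslog messages produced by the features configured above: logged config
# commands (archive / log config), CPU threshold crossings and low free memory.  Added example,
# not from the original page.  The sample lines are constructed in the style of IOS messages
# (the %FACILITY-SEVERITY-MNEMONIC part is the real IOS format; hosts and values are made up).
import re

SYSLOG_RE = re.compile(
    r"(?:<(?P<pri>\d+)>)?(?:\d+: )?"                    # optional PRI and sequence number
    r"(?:(?P<ts>[*.]?\w{3}\s+\d+ [\d:.]+): )?"          # optional IOS timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

# Config commands whose change should page someone, whether added or removed with "no".
SENSITIVE_CMD = re.compile(
    r"^(no )?(aaa |logging|snmp-server|access-list|ip access-list|username|enable |crypto|"
    r"ip directed-broadcast|transport input|archive|ip http|ntp )")

def parse_ios_syslog(line):
    """Return an event dict with an 'alert' flag, or None if the line is not an IOS message."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    ev = {"facility": m["facility"], "severity": int(m["severity"]),
          "mnemonic": m["mnemonic"], "text": m["text"], "alert": False}
    if ev["mnemonic"] == "CFGLOG_LOGGEDCMD":
        cm = re.search(r"User:(\S+)\s+logged command:(.*)", ev["text"])
        if cm:
            ev["user"], ev["command"] = cm.group(1), cm.group(2).strip()
            ev["alert"] = bool(SENSITIVE_CMD.match(ev["command"]))
    elif ev["mnemonic"] in ("CPURISINGTHRESHOLD", "CPUFALLINGTHRESHOLD"):
        pm = re.search(r"(\d+)%/(\d+)%", ev["text"])
        if pm:
            ev["cpu_total"], ev["cpu_interrupt"] = int(pm.group(1)), int(pm.group(2))
        ev["alert"] = ev["mnemonic"] == "CPURISINGTHRESHOLD"
    elif ev["mnemonic"] == "FREEMEMLOW":
        mm = re.search(r"below (\d+)k", ev["text"], re.IGNORECASE)
        if mm:
            ev["threshold_kb"] = int(mm.group(1))
        ev["alert"] = True
    return ev

def triage(lines):
    """Events worth acting on, in arrival order."""
    return [ev for ev in map(parse_ios_syslog, lines) if ev and ev["alert"]]

SAMPLE_LINES = [
    "<189>45: *Mar  1 00:12:34.567: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Vlan10",
    "<189>46: *Mar  1 00:12:40.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:mannoubi  logged command:no logging 192.168.1.1",
    "<185>47: *Mar  1 00:13:02.113: %SYS-1-CPURISINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr): 91%/3%, Top 3 processes(Pid/Util): 12/60%, 3/20%, 5/2%",
    "<185>48: *Mar  1 00:13:22.113: %SYS-1-CPUFALLINGTHRESHOLD: Threshold: Total CPU Utilization(Total/Intr) 62%/1%.",
    "<188>49: *Mar  1 00:14:00.500: %SYS-4-FREEMEMLOW: Free Memory has dropped below 20000k",
    "Mar  1 00:14:05 core-sw sshd[123]: not an IOS message",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES):
        print(ev["mnemonic"], ev.get("user", ""), ev.get("command", ev["text"]))
```

Note the second sample line: an administrator removing the syslog destination is exactly the change you want to be told about, and with hidekeys enabled the logged command text never contains a password, so alerting on it is safe.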
Download and extract a tar file

archive download-sw /overwrite tftp://10.50.10.160/c3560-ipbasek9-tar.122-53.SE.tar

TFTP provides no integrity or authenticity check, so compare the image's MD5 with the value published on cisco.com before installing it, and if the flash has room keep the previous image (/leave-old-sw instead of /overwrite) so you can roll back.
IP directed broadcast

An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the sending machine is not directly attached. It is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Forwarding of directed broadcasts is disabled by default (it is the classic Smurf amplification vector), so enable it only on the interface that needs it and only from specific sources.

Example of use for WoL (Wake on LAN):

L3(config)#access-list 101 permit udp host 172.16.3.2 any eq 7
!--- Accept directed broadcasts only from the WoL server.
L3(config)#ip forward-protocol udp 7
!--- Specifies the protocol and port to be forwarded.
L3(config)#interface vlan 2
L3(config-if)#ip address 172.16.2.1 255.255.255.0
L3(config-if)#ip directed-broadcast 101
L3(config-if)#interface vlan 3
L3(config-if)#ip address 172.16.3.1 255.255.255.0
L3(config-if)#ip helper-address 172.16.2.255
!--- Enables forwarding of WoL packets to the clients in VLAN 2.
!--- Works in conjunction with the ip forward-protocol command.

ip helper-address also forwards the default UDP ports (DNS, TFTP, BOOTP, NetBIOS and a few others) from VLAN 3 to 172.16.2.255; disable the ones you do not need with no ip forward-protocol udp <port>. Some WoL tools send to UDP port 9 instead of 7; adjust the access list and the forward-protocol line accordingly.
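The sending side of this setup is the WoL server at 172.16.3.2, which has to aim a magic packet at the directed broadcast address of VLAN 2. The following is an added example written for this page, not code from the page: it computes the broadcast address of a subnet, builds the magic packet (six 0xFF bytes followed by the target MAC sixteen times, with an optional SecureOn password), sends it with UDP, and also validates a received datagram the way a listener or an IDS rule would, which is the check to run on what actually arrives in VLAN 2. The MAC address and subnet are constructed; the subnet and port default to the page's example.

```python
# Wake-on-LAN sender for the directed-broadcast setup above: builds the magic packet the WoL
# server 172.16.3.2 would send to 172.16.2.255 (the broadcast address of VLAN 2) on UDP/7, and
# validates received datagrams the way a listener or IDS would.  Added example, not from the
# original page; the MAC address and subnet are constructed.
import re
import socket
from ipaddress import IPv4Network

def parse_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or Cisco-style 0011.2233.4455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(digits)

def magic_packet(mac, password=b""):
    """6 bytes of 0xFF, the target MAC repeated 16 times, optional 4- or 6-byte SecureOn password."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password

def directed_broadcast(subnet):
    """Broadcast address of a subnet given as 172.16.2.0/24 or 172.16.2.1/255.255.255.0."""
    return str(IPv4Network(subnet, strict=False).broadcast_address)

def is_magic_packet(payload):
    """Return the target MAC (colon form) if payload is a well-formed magic packet, else None."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def send_wol(mac, subnet="172.16.2.0/24", port=7):
    """Send the magic packet to the subnet's directed broadcast address; returns (dst, size)."""
    pkt = magic_packet(mac)
    dst = directed_broadcast(subnet)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # SO_BROADCAST only matters when the sender sits on the target subnet; towards a remote
        # subnet the datagram is routed as unicast until the L3 switch converts it (ACL 101).
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (dst, port))
    return dst, len(pkt)

if __name__ == "__main__":
    print(send_wol("00:11:22:33:44:55"))
```

Because the access list on the L3 switch only permits UDP/7 from 172.16.3.2, the packet will be converted to a link-layer broadcast only when it comes from that host; running the sender anywhere else produces a datagram that is silently dropped at VLAN 2, which is the behaviour you want from the filter.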
Alias

An alias reduces typing. In this example, instead of typing show ip interface brief you can type just s:

Router(config)#alias exec s show ip interface brief