Configuring Features
DNS proxy

ip name-server 193.95.66.10
ip domain-lookup

Password authentication via RADIUS

The telnet password will be stored on the RADIUS server. (The method list viaradius tries RADIUS first and, if no server answers, falls back to the local username database, then the line password, then the enable password.)

aaa new-model
aaa authentication login default enable
aaa authentication login viaradius radius local line enable
!
radius-server host 172.16.87.14 auth-port 1645 acct-port 1646
radius-server key ra3d1
!
line vty 0 4
 login authentication viaradius

DHCP server

Note that one interface on the router must have an IP address that belongs to the pool's network.

ip dhcp pool pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name ossasoft.tn
   dns-server 192.168.2.250
   netbios-name-server 192.168.2.250
!
ip dhcp excluded-address 192.168.1.2 192.168.1.100

Use show ip dhcp binding to list the leased IP addresses.

Cache flow

Used to collect traffic statistics on a NetFlow collector (for example ManageEngine NetFlow Analyzer).

configure terminal
interface FastEthernet 0/1
 ip route-cache flow
 exit
!
ip flow-export destination 192.168.9.101 9996
ip flow-export source FastEthernet 0/1
ip flow-export version 5
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
snmp-server ifindex persist

For a Catalyst 6500 switch:

configure terminal
mls netflow
mls flow ip full
interface Vlan10
 ip route-cache flow
 exit
mls nde sender version 5
ip flow-export source loopback 0
ip flow-export destination 10.10.100.2 9996
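Both exporters above send NetFlow version 5 datagrams to UDP port 9996 on the collector. The Python parser below is an added example, not part of the original page or of any collector product: it decodes the 24-byte header and 48-byte records the exporter emits, rejects malformed datagrams instead of guessing, and builds its own constructed sample datagram so it runs offline.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layouts, network byte order: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, unix_secs, unix_nsecs,
                                        # flow_sequence, engine_type, engine_id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram):
    """Decode one UDP payload produced by 'ip flow-export version 5'.

    Returns (header, records); raises ValueError on anything malformed so a
    collector can drop the datagram instead of guessing at its contents."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, uptime, secs, _nsecs, seq, _etype, eid, sampl = HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError("not NetFlow v5 (version field %d)" % ver)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match payload length" % count)
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid,
              "sampling_interval": sampl & 0x3FFF}   # low 14 bits carry the interval
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
                        "packets": f[5], "bytes": f[6], "duration_ms": f[8] - f[7],
                        "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13]})
    return header, records

def build_sample_datagram():
    """Constructed sample: two flows as the FastEthernet 0/1 exporter above might send."""
    flows = [  # src, dst, nexthop, in, out, pkts, bytes, first, last, sport, dport, flags, proto
        ("192.168.1.10", "193.95.66.10", "192.168.9.1", 2, 3, 2, 150, 1000, 1020, 53001, 53, 0, 17),
        ("192.168.1.20", "10.10.100.2", "192.168.9.1", 2, 3, 12, 5200, 1000, 4500, 41000, 22, 0x1B, 6),
    ]
    body = b"".join(
        RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, IPv4Address(n).packed,
                    i, o, p, b, fi, la, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, n, i, o, p, b, fi, la, sp, dp, fl, pr in flows)
    header = HEADER.pack(5, len(flows), 5000, 1700000000, 0, 42, 0, 0, 0)
    return header + body
```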


Password privileges

We need to limit a user's privileges (mannoubi) to just some commands.

username mannoubi privilege 0 password 3akkeri
privilege exec level 0 ping
privilege exec level 0 telnet
!

Other commands:

enable secret level 0 secret0
privilege exec all level 14 show     ! all sub-commands of show are included

Note that username ... password stores the password reversibly (plaintext, or type 7 with service password-encryption); username ... secret stores a hash instead.

 

DF bit reset

Some servers set the Don't Fragment (DF) bit, but the router needs to fragment because of an MTU limitation on the path to the branches. You can clear the bit with a policy route-map applied to the inbound interface:

interface GigabitEthernet0/0
 description internal interface
 ip address 10.13.1.1 255.255.0.0
 ip policy route-map clear-df-bit
!
interface GigabitEthernet0/1
 description external to branches with MTU problem
 ip address 10.12.200.254 255.255.0.0
!
ip access-list extended csb-to-remote
 permit ip host 10.10.10.30 172.25.0.0 0.0.255.255
!
route-map clear-df-bit permit 10
 match ip address csb-to-remote
 set ip df 0
!
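The route-map above rewrites the IP header of every packet that matches the ACL. The Python below is an added example, not from the original page, that does the same on a constructed IPv4 header: it evaluates the csb-to-remote ACL (host 10.10.10.30 to 172.25.0.0 with wildcard 0.0.255.255), clears the DF flag and recomputes the header checksum, which is why the router has to touch the checksum as well.

```python
import struct
from ipaddress import IPv4Address

DF_FLAG = 0x4000  # Don't Fragment bit in the IPv4 flags/fragment-offset word (byte offset 6)

def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def checksum_valid(header):
    """Summing a header together with its own checksum field must give zero."""
    return ipv4_checksum(header[:(header[0] & 0x0F) * 4]) == 0

def df_is_set(header):
    return bool(struct.unpack_from("!H", header, 6)[0] & DF_FLAG)

def acl_csb_to_remote(src, dst):
    """'permit ip host 10.10.10.30 172.25.0.0 0.0.255.255': wildcard bits set to 1
    are ignored, so only the first two octets of the destination are compared."""
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    return (s == int(IPv4Address("10.10.10.30"))
            and (d & ~0x0000FFFF & 0xFFFFFFFF) == int(IPv4Address("172.25.0.0")))

def apply_clear_df_bit(header):
    """Policy route-map clear-df-bit: for packets matching the ACL do 'set ip df 0'
    and rewrite the checksum; anything else is returned untouched."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or invalid IPv4 header")
    src, dst = str(IPv4Address(header[12:16])), str(IPv4Address(header[16:20]))
    if not (acl_csb_to_remote(src, dst) and df_is_set(header)):
        return header
    hdr = bytearray(header)
    struct.pack_into("!H", hdr, 6, struct.unpack_from("!H", hdr, 6)[0] & ~DF_FLAG)
    struct.pack_into("!H", hdr, 10, 0)                          # zero before recomputing
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr[:ihl])))
    return bytes(hdr)

def build_header(src, dst, df=True, total_len=1500, proto=6):
    """Constructed 20-byte IPv4 header (no options) for the demonstration."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                                DF_FLAG if df else 0, 64, proto, 0,
                                IPv4Address(src).packed, IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)
```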

 

URL filtering

The router denies access to youtube.com and permits all other sites.

ip inspect name MyFilter http urlfilter
ip urlfilter exclusive-domain deny youtube.com
ip urlfilter audit-trail
ip urlfilter allow-mode on
!
interface FastEthernet0/0
 ip inspect MyFilter in

 

WCCP

Redirect HTTP and HTTPS traffic entering interface e0 to WCCP service group 99 (the web cache):

router(conf)#access-list 101 permit tcp any any eq http
router(conf)#access-list 101 permit tcp any any eq https
router(conf)#ip wccp 99 redirect-list 101
router(conf)#int e0
router(conf-if)#ip wccp 99 redirect in

 

 

Trunk port

For inter-VLAN routing: if your switch is Layer 2 only, configure the switch port connected to this router port as a trunk.

interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation isl 1          ! or: encapsulation dot1Q 1 native
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation isl 2          ! or: encapsulation dot1Q 2
 ip address 10.10.11.1 255.255.255.0

 

 

AAA accounting

We need to know which commands are entered by the administrators. These commands will be logged to a TACACS+ server.

aaa new-model
aaa accounting commands 1 sabbeb1 start-stop group tacacs+
aaa accounting commands 15 sabbeb2 start-stop group tacacs+
!
tacacs-server host 10.111.100.2 key kilmitissir
!
line vty 0 4
 accounting commands 1 sabbeb1
 accounting commands 15 sabbeb2
!

 

AAA authentication

Traditionally, device passwords are stored locally. We can centralize password administration on an AAA server; it is easier and lets us monitor access to the devices. (In this example, if TACACS+ isn't available, the password is checked against the local usernames, then the enable password.)

aaa new-model
aaa authentication login default enable
aaa authentication login chorta group tacacs+ local enable
!
tacacs-server host 10.10.100.2 key kilmitissir
!
line vty 0 4
 login authentication chorta
!

! for web access to the device, add the following commands:
aaa authorization exec webauthorization group tacacs+ local
!
! whoisit must be a login method list defined with aaa authentication login, like chorta above
ip http authentication aaa login-authentication whoisit
ip http authentication aaa exec-authorization webauthorization

 

AAA authorization

To restrict the commands entered by users. The trailing none means that when no TACACS+ server answers, the command is authorized without any check (fail-open).

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none

 

 

SNMPv3

SNMPv3 with authentication and encryption. Username: cw, authentication password: cwpass, privacy password: cwpass1.

Only traffic matching access-list 20 will be permitted.

snmp-server group cwgrp v3 priv access 20
snmp-server user cw cwgrp v3 auth sha cwpass priv aes 128 cwpass1
!
access-list 20 ...     ! permit only the management stations

 

NTP

Allow a network device to get the time and date from an NTP server (which could be the core switch, for example). Both sides share authentication key 1.

NTP server:

ntp authenticate
ntp master
ntp authentication-key 1 md5 mytimekey
ntp trusted-key 1
ntp update-calendar

NTP client:

ntp authenticate
ntp server 10.50.40.1 key 1
ntp authentication-key 1 md5 mytimekey
ntp trusted-key 1
!
clock timezone tunis +1

 

 

SSH server

To enable the SSH server on the device:

username user1 password cisco1
!
ip domain-name test.mycompany.com
!
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!
line vty 0 4
 login local
 transport input telnet ssh

Note that transport input telnet ssh still accepts cleartext telnet; transport input ssh restricts the vty lines to SSH, and ip ssh version 2 disables SSHv1.

Log config commands

To send every configuration command to a syslog server:

router(config)#archive
router(config-archive)#log config
router(config-archive-log-cfg)#notify syslog
router(config-archive-log-cfg)#logging enable
! then configure the address of the syslog server
router(config)#logging 192.168.1.1

 

CPU threshold notification

Sends a syslog message when CPU utilization rises above 80% or falls below 70%, measured over a 10-second interval:

router(config)#process cpu threshold type total rising 80 interval 10 falling 70 interval 10

 

Memory threshold notification

Sends a syslog message when free processor memory falls below 20000 KB:

router(config)#memory free low-watermark processor 20000

Sends a syslog message when free I/O memory falls below 20000 KB:

router(config)#memory free low-watermark io 20000

 

Tar IOS download

Download a tar IOS image from TFTP and extract it, overwriting the existing image:

archive download-sw /overwrite tftp://10.50.10.160/c3560-ipbasek9-tar.122-53.SE.tar

 

 

IP directed broadcast

An IP directed broadcast is a datagram sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Directed broadcasts are disabled by default (no ip directed-broadcast); enable them only on the target interface and only for the sources listed in an access-list, as below.

Example of use with WoL (Wake-on-LAN):

L3(config)#access-list 101 permit udp host 172.16.3.2 any eq 7
!--- This accepts directed broadcasts only from the WoL server.
L3(config)#ip forward-protocol udp 7
!--- Specifies the protocol and port to be forwarded.
L3(config)#interface vlan 2
L3(config-if)#ip address 172.16.2.1 255.255.255.0
L3(config-if)#ip directed-broadcast 101
L3(config-if)#interface vlan 3
L3(config-if)#ip address 172.16.3.1 255.255.255.0
L3(config-if)#ip helper-address 172.16.2.255
!--- Enables forwarding of WoL packets to the clients.
!--- Works in conjunction with the ip forward-protocol command.
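Several settings on this page have a weaker variant that is easy to leave in a running-config: telnet still listed under transport input on the vty lines (SSH server), an SNMPv3 group without an access-list (SNMPv3), a none fallback in AAA authorization, an ntp server line without a key (NTP), username ... password instead of secret (Password privileges) and ip directed-broadcast with no access-list (this section). The Python audit below is an added example, not from the original page; the config it runs over is constructed from the snippets above plus a few deliberately weak lines.

```python
import re
def parse_blocks(config_text):
    """Split an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                               # skip blanks and comments
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())     # belongs to the previous header
        else:
            blocks.append((line, []))
    return blocks

def audit_config(config_text):
    """Return 'where: finding' strings for the weak settings this page discusses."""
    found = []
    for header, children in parse_blocks(config_text):
        tokens = header.split()
        if header.startswith("line vty"):
            for c in children:
                if c.startswith("transport input") and "telnet" in c.split():
                    found.append(header + ": telnet accepted, use 'transport input ssh'")
        elif header.startswith("interface") and "ip directed-broadcast" in children:
            found.append(header + ": ip directed-broadcast with no access-list")
        elif tokens[:2] == ["snmp-server", "group"] and "v3" in tokens and "access" not in tokens:
            found.append(header + ": SNMPv3 group not restricted by an access-list")
        elif tokens[:3] == ["aaa", "authorization", "commands"] and tokens[-1] == "none":
            found.append(header + ": fails open ('none') when no TACACS+ server answers")
        elif tokens[:2] == ["ntp", "server"] and "key" not in tokens:
            found.append(header + ": unauthenticated NTP source")
        elif re.match(r"username \S+ (privilege \d+ )?password ", header):
            found.append(tokens[1] + ": 'password' is reversible, prefer 'username ... secret'")
    return found

# Constructed sample stitched from this page's snippets, plus three weak variants.
SAMPLE_CONFIG = """\
username user1 password cisco1
aaa authorization commands 15 default group tacacs+ none
snmp-server group cwgrp v3 priv  access 20
snmp-server group ro-open v3 auth
ntp server 10.50.40.1 key 1
ntp server 10.50.40.9
interface Vlan2
 ip directed-broadcast 101
interface Vlan4
 ip directed-broadcast
line vty 0 4
 transport input telnet ssh
"""
```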

 

Hot keys

Use the following keystrokes to move the cursor around on the command line to make corrections or changes:

Step  Keystrokes     Purpose
1     Ctrl-B         Move the cursor back one character.
2     Ctrl-F         Move the cursor forward one character.
3     Ctrl-A         Move the cursor to the beginning of the command line.
4     Ctrl-E         Move the cursor to the end of the command line.
5     Esc B          Move the cursor back one word.
6     Esc F          Move the cursor forward one word.

Use any of the following keystrokes to delete command entries if you make a mistake or change your mind:

Keystrokes              Purpose
Delete or Backspace     Erase the character to the left of the cursor.
Ctrl-D                  Delete the character at the cursor.
Ctrl-K                  Delete all characters from the cursor to the end of the command line.
Ctrl-U or Ctrl-X        Delete all characters from the cursor to the beginning of the command line.
Ctrl-W                  Delete the word to the left of the cursor.
Esc D                   Delete from the cursor to the end of the word.

 

Alias

Aliases can be used to reduce typing. In this example, instead of typing show ip interface brief you can type just s:

Router(config)# alias exec s show ip interface brief