In part taken from http://www.swcp.com/~jgentry/topo/cisco.htm

Router Configuration

Initial Setup

Router>enable
Router#config
Router(config)#hostname N115-7206
N115-7206(config)#interface serial 1/1
N115-7206(config-if)#ip address 192.168.155.2 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface serial 1/1
N115-7206#config
N115-7206(config)#interface ethernet 2/3
N115-7206(config-if)#ip address 192.168.150.90 255.255.255.0
N115-7206(config-if)#no shutdown
N115-7206(config-if)#ctrl-z
N115-7206#show interface ethernet 2/3
N115-7206#config
N115-7206(config)#router rip
N115-7206(config-router)#network 192.168.155.0
N115-7206(config-router)#network 192.168.150.0
N115-7206(config-router)#ctrl-z
N115-7206#show ip protocols
N115-7206#ping 192.168.150.1
N115-7206#config
N115-7206(config)#ip name-server 172.16.0.10
N115-7206(config)#ctrl-z
N115-7206#ping archie.au
N115-7206#config
N115-7206(config)#enable secret password
N115-7206(config)#ctrl-z
N115-7206#copy running-config startup-config
N115-7206#exit

Enable SSH

  !--- Step 1: Configure the hostname if you have not previously done so.
  hostname carter
  !--- The aaa new-model command causes the local username and password on the router
  !--- to be used in the absence of other AAA statements.
  aaa new-model
  username cisco password 0 cisco
  !--- Step 2: Configure the DNS domain of the router.
  ip domain-name rtp.cisco.com
  !--- Step 3: Generate an SSH key to be used with SSH.
  cry key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 2
  !--- Step 4: By default the vtys' transport is Telnet. In this case, 
  !--- Telnet is disabled and only SSH is supported.
  line vty 0 4
  transport input SSH
  !--- Instead of aaa new-model, you can use the login local command.

Foundry Networks

Enable SSH

aaa authentication login default local
ip address 10.0.0.10/8
! default gateway is optional
ip default-gateway 10.0.0.2
username myuser password mysecretpassword
crypto key generate
! use 'ip ssh' to set additional options

ip ssh 
  authentication-retries    number of authentication retries allowed
  client                    SSH client allowed
  idle-time                 SSH idle time in minutes
  key-authentication        enable/disable public key authentication
  password-authentication   password authentication
  permit-empty-passwd       permit empty password login
  port                      SSH port (default port 22)
  pub-key-file              import client public keys (DSA)
  scp                       enable/disable scp
  timeout                   SSH login timeout in sec.(default 120 sec)

Find Slot/Port

To find out which slot/port a given system is plugged into, search the MAC table for its address (here, one ending in 9c):

SX3#sh mac-address | inc 9c
0014.4f0f.b29c  7/17         Dynamic    5112       1   

Mirror Port

To monitor traffic on module 1 port 1 coming and going from module 1 port 5, you would do this:

SX1(config)# mirror-port ethernet 1/1
SX1(config)# interface ethernet 1/5
SX1(config-if-e1000-1/5)# monitor ethernet 1/1 both

Show Mirrored Ports

show mirror

or

show monitor

Example output:

myswitch#show monitor
Monitored Port 8/23
  Input mirrored by	: (S4)   2 
  Output mirrored by	: (S4)   2 
Monitored Port 9/1
  Input mirrored by	: (S4)   2 
  Output mirrored by	: (S4)   2 
Monitored Port 10/1
  Input mirrored by	: (S4)   2 
  Output mirrored by	: (S4)   2 

Upgrading Firmware (OS)

Log in via serial (so you can watch the reboot later) and enter enable mode.

Back up the running config to a TFTP server:
	copy running tftp ServerIP SavedFileName
	eg: copy run tftp 10.0.1.103 nlb.cfg
Note that because of permission problems, you may need to create an empty file (size 0) with the
target name in the TFTP server's storage directory, so the uploaded file can be written to disk
instead of failing with an error.

Fetch the image into the primary flash slot:
	copy tftp flash SvrIP FILENAME primary
	eg: copy tftp flash 10.0.1.103 BSI07118T8.bin primary

Save the running config:
	write memory

Reload the load balancer so the new firmware/OS takes effect:
	reload

Verify the version after the reboot:
	show ver

Modify VLAN Settings

Say you have a configuration like the following and you need to remove port 9/2 from tagged VLAN 10 and make it untagged. (Note: "tagged" is used when bridging two switches. Untagged traffic is used so that traffic traveling between the two bridged switches is delivered properly on the local switch as well as the remote one.)

sh run
...
vlan 10 name red by port
 tagged ethe 9/1 to 9/2 ethe 10/1 to 10/2 
 untagged ethe 1/1 to 1/24 ethe 2/1 to 2/24 ethe 3/1 to 3/24 ethe 4/1 to 4/24 ethe 5/1 to 5/24 ethe 6/1 to 6/24 ethe 7/1 to 7/24 ethe 8/1 to 8/24 ethe 11/1 to 11/24 ethe 12/1 to 12/24 ethe 13/1 to 13/24 
 router-interface ve 10
 spanning-tree 802-1w
 spanning-tree 802-1w priority 1
...

Now you need to do this:

superx1600(config)#vlan 10
superx1600(config-vlan-10)#no tagged ethe 9/2
superx1600(config-vlan-10)#untagged ethe 9/2
...
superx1600# write mem

Troubleshooting

Show Configuration

  • ExampleName#show interfaces
  • ExampleName#show ip protocols
  • ExampleName#show ip route
  • ExampleName#show ip arp

Test Connectivity

  • ExampleName# ping xx.xx.xx.xx

VPN Fragmentation

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml

  • start the VPN
  • connect over the VPN to a service; if it breaks, do:
  • ping -M do -s 1500 192.168.0.11
  • keep reducing the size 20 bytes at a time until you get a response (1300 is the sweet spot for VPNs)
  • on the Cisco ASA then do: sysopt connection tcpmss 1280
  • then do the same for the WAN IPs and set the MTU accordingly: mtu outside 1460
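The probe loop above is easy to script. The following is an added example, not part of the original notes: it repeats the "ping -M do" walk (Linux iputils ping assumed), steps the payload down 20 bytes at a time, jumps straight below the path MTU when the kernel reports one in its "message too long, mtu=NNNN" error, and then prints the two ASA lines from the steps with values derived from the discovered MTU rather than the fixed numbers in the notes. The header sizes (20 IP, 8 ICMP, 20 TCP) are the standard ones; the default target address is the one used in the steps.

```python
"""Added example (not from the original notes): automates the "ping -M do"
walk from the VPN Fragmentation steps and derives the ASA MSS/MTU values.

Assumes Linux iputils ping; the target host is an optional command-line argument.
"""
import re
import subprocess
import sys

IP_HDR = 20    # IPv4 header
ICMP_HDR = 8   # ICMP echo header
TCP_HDR = 20   # TCP header without options

# iputils prints "ping: local error: message too long, mtu=1400" when the
# kernel already knows the path MTU; other pings print "(mtu = 1400)".
MTU_HINT = re.compile(r"mtu\s*=?\s*(\d+)", re.IGNORECASE)


def payload_to_mtu(payload):
    """ICMP echo payload size (the -s value) -> size of the IP packet on the wire."""
    return payload + IP_HDR + ICMP_HDR


def mtu_to_mss(mtu):
    """Largest TCP MSS that fits an IPv4 MTU (what 'sysopt connection tcpmss' should clamp to)."""
    return mtu - IP_HDR - TCP_HDR


def mtu_hint(ping_output):
    """Return the MTU hint from ping's error text, or None if it printed none."""
    m = MTU_HINT.search(ping_output)
    return int(m.group(1)) if m else None


def next_payload(current, step, ping_output):
    """Next probe size: jump straight below a reported path MTU when there is one,
    otherwise step down by the fixed decrement (20 bytes in the notes)."""
    hint = mtu_hint(ping_output)
    if hint is not None and payload_to_mtu(current) > hint:
        return hint - IP_HDR - ICMP_HDR
    return current - step


def ping_df(host, payload):
    """One probe with the DF bit set; returns (got_reply, combined output). Needs network access."""
    proc = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host],
        capture_output=True, text=True,
    )
    return proc.returncode == 0, proc.stdout + proc.stderr


def probe(host, start=1500, step=20):
    """Largest payload that gets a reply with DF set, or None if none did."""
    size = start
    while size > 0:
        ok, out = ping_df(host, size)
        if ok:
            return size
        size = next_payload(size, step, out)
    return None


def asa_lines(mtu):
    """The two ASA commands from the notes, filled in for the discovered path MTU."""
    return ["sysopt connection tcpmss %d" % mtu_to_mss(mtu), "mtu outside %d" % mtu]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.11"  # address from the notes
    best = probe(target)
    if best is None:
        sys.exit("no DF probe got a reply")
    path_mtu = payload_to_mtu(best)
    print("largest DF payload %d -> path MTU %d" % (best, path_mtu))
    for line in asa_lines(path_mtu):
        print(line)
```

Run it as "python3 probe_mtu.py 192.168.0.11" from a host behind the VPN. The MSS it prints is the path MTU minus the IP and TCP headers, which is why the notes end up with a tcpmss value well below the MTU.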

Tips

Typing end from any configuration sub-mode takes you straight back to enable (aka privileged) mode.

Hardware Specific

Cisco ASA 5500

Adding Users

ASA5500(config)# username myuser password mysecret
ASA5500(config)# username myuser attributes
ASA5500(config-username)# vpn-group-policy mypolicy

Removing Users

ASA5500# conf t
ASA5500(config)# no username myuser attributes
ASA5500(config)# clear configure username myuser

Adding IPs to an object-group

Define the name first, then reference it from the group:

name 66.114.86.65 kiskeyix
object-group network myname
 network-object kiskeyix 255.255.255.255

Remote access VPN

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/site2sit.html

Source (the VPN client) and destination (the local LAN) are inverted for these rules.

access-list from_vpn extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list from_vpn extended permit ip 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0 
access-list from_vpn extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0 
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0 
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 192.168.0.0 255.255.255.0 
ip local pool vpn 192.168.20.20-192.168.20.200 mask 255.255.252.0
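To make the direction note concrete, the following added example (not part of the original notes, and not Cisco code) parses the from_vpn entries above and evaluates them the way the note describes, with the VPN client as source and the local LAN as destination, ending in the implicit deny. It only understands the "permit/deny PROTO SRC MASK DST MASK" form used on this page and does not model the ASA's stateful handling of return traffic; the test addresses are constructed from the author's own pool and LAN ranges.

```python
"""Added example (not from the original notes): evaluates the from_vpn ACL
entries with the client as source and the local LAN as destination.
"""
import ipaddress
from dataclasses import dataclass

# Copied from the remote-access VPN notes on this page.
FROM_VPN_ACL = """
access-list from_vpn extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit ip 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 10.0.0.0 255.0.0.0
access-list from_vpn extended permit icmp 192.168.20.0 255.255.252.0 192.168.0.0 255.255.255.0
"""


@dataclass(frozen=True)
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | icmp | tcp | udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src, dst):
        proto_ok = self.proto == "ip" or self.proto == proto
        return (proto_ok
                and ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst)


def parse_acl(text, name):
    """Parse 'access-list NAME extended ACTION PROTO SRC MASK DST MASK' lines for one ACL."""
    aces = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 9 or parts[:2] != ["access-list", name] or parts[2] != "extended":
            continue
        action, proto = parts[3], parts[4]
        # ASA extended ACLs carry a real netmask here, not an IOS-style wildcard.
        src = ipaddress.IPv4Network((parts[5], parts[6]))
        dst = ipaddress.IPv4Network((parts[7], parts[8]))
        aces.append(Ace(action, proto, src, dst))
    return aces


def evaluate(aces, proto, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny, as on the ASA."""
    for ace in aces:
        if ace.matches(proto, src, dst):
            return ace.action
    return "deny"


def vpn_filter_decision(aces, client_ip, lan_ip, proto="ip"):
    """Evaluate in the direction the notes describe: client address first, local LAN second."""
    return evaluate(aces, proto, client_ip, lan_ip)


ACL = parse_acl(FROM_VPN_ACL, "from_vpn")

if __name__ == "__main__":
    # Constructed: an address from 'ip local pool vpn' talking to the LAN DNS/WINS server 10.0.0.7.
    print(vpn_filter_decision(ACL, "192.168.20.50", "10.0.0.7"))    # permit (entry 2)
    # The same pair written LAN-first: no entry has 10.0.0.0/8 as source, so it hits the implicit deny.
    print(evaluate(ACL, "ip", "10.0.0.7", "192.168.20.50"))        # deny
    # Pool client to the 192.168.0.0/24 network: only ICMP is permitted (entry 5).
    print(evaluate(ACL, "icmp", "192.168.20.50", "192.168.0.5"))   # permit
    print(evaluate(ACL, "tcp", "192.168.20.50", "192.168.0.5"))    # deny
```

Writing the rules LAN-first would leave every client flow on the implicit deny, which is the mistake the direction note is warning about.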

vpn-filter allows traffic to be permitted/denied after being decrypted through the tunnel

(http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml)

group-policy pgroup internal
group-policy pgroup attributes
 wins-server value 10.0.0.7
 dns-server value 10.0.0.7
 vpn-simultaneous-logins 99
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage disable
 ip-comp enable
 default-domain value example.net
 vpn-filter value from_vpn
 webvpn
username foo password @#$@lkjlk2lk encrypted
crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac 
crypto dynamic-map remoteaaccessdynmap 10 set transform-set remoteaccess
crypto map remoteaccess_map 20 ipsec-isakmp dynamic remoteaaccessdynmap
crypto map remoteaccess_map interface outside
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group tgroup type ipsec-ra
tunnel-group tgroup general-attributes
 address-pool vpn
 default-group-policy pgroup
tunnel-group tgroup ipsec-attributes
 pre-shared-key *

Last, to exempt the VPN traffic from NAT so it traverses the tunnel untranslated:

access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0 
access-list from_vpn_nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.20.0 255.255.252.0 

And apply these rules to the NAT 0 (special) rule:

nat (inside) 0 access-list from_vpn_nat0

Site-to-Site VPN

Remember to set up the vpn-filter accordingly; see http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.100 255.255.0.0
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory

 
os/ios.txt · Last modified: 2009/07/21 22:57 by lemsx1