
Router commands

Setup Router for SDM:
1) Set the router Fa0/0 IP address
Router(config)# interface Fa0/0
Router(config-if)# ip address 10.10.10.1 255.255.255.248
Router(config-if)# no shutdown
2) Enable the HTTP/HTTPS server of the router, using the following Cisco IOS commands:
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
3) Create a user account with privilege level 15 (enable privileges).
Router(config)# username <username> privilege 15 password 0 <password>
4) Configure SSH and Telnet for local login and privilege level 15:
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit

Enter privileged EXEC mode and global configuration mode
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#enable password cisco
R1(config)#enable secret class

Encryption
R1(config)#service password-encryption !simple (reversible) encryption of the passwords in the config

Security: stop brute force attacks
R1(config)#login block-for 300 attempts 2 within 120 !block logins for 300 sec after 2 failed attempts within 120 sec
R1(config)#security authentication failure rate 2 log !logs each time this happens

AAA Security
R1(config)#username ccna password ciscoccna !local user/password on the router
R1(config)#aaa new-model !enables AAA globally
R1(config)#aaa authentication login LOCAL_AUTH local !method list LOCAL_AUTH uses the local user database
R1(config-line)#login authentication LOCAL_AUTH !then activate the method list under the console and vty lines

Configure console, vty, and enable secret passwords. Configure synchronous logging for the console line.
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#exec-timeout 5 0 !5 min 0 sec
R1(config-line)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exec-timeout 5 0 !5 min 0 sec
R1(config-line)#exit
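The console/vty and brute-force settings above are easy to get half right. The following is an added audit script (not part of the original sheet) that parses a constructed running-config fragment modelled on those commands and flags the usual gaps: no enable secret, no service password-encryption, no login block-for, no AAA, lines without a login method or with exec-timeout disabled, and transport input that still allows cleartext Telnet.

```python
import re
# Constructed running-config fragment modelled on the commands above (not captured from a real router).
SAMPLE_CONFIG = """\
enable password cisco
enable secret 5 $1$PLACEHOLDER
service password-encryption
login block-for 300 attempts 2 within 120
aaa new-model
aaa authentication login LOCAL_AUTH local
line con 0
 login authentication LOCAL_AUTH
 exec-timeout 5 0
line vty 0 4
 login authentication LOCAL_AUTH
 exec-timeout 5 0
 transport input telnet ssh
"""

def parse_sections(config):
    # Global lines are unindented; lines indented by one space belong to the header above them.
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            sections[current] = []
            global_lines.append(current)
    return global_lines, sections

def audit(config):
    """Return a list of findings against the hardening items above; empty means all checks passed."""
    global_lines, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("no 'enable secret' (enable password alone is reversible)")
    if "service password-encryption" not in global_lines:
        findings.append("missing 'service password-encryption'")
    if not any(l.startswith("login block-for") for l in global_lines):
        findings.append("missing 'login block-for' brute-force protection")
    if "aaa new-model" not in global_lines:
        findings.append("AAA is not enabled")
    for header, body in sections.items():
        if not header.startswith("line "): continue
        if not any(l.startswith("login") for l in body):
            findings.append(f"{header}: no login / login local / login authentication")
        if not any(re.match(r"exec-timeout (0 [1-9]|[1-9])", l) for l in body):  # '0 0' disables it
            findings.append(f"{header}: exec-timeout missing or disabled (0 0)")
        if any(l.startswith("transport input") and "telnet" in l for l in body):
            findings.append(f"{header}: transport input allows cleartext Telnet; prefer 'transport input ssh'")
    return findings
```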

Configure SSH:
Router#config terminal
Router(config)#hostname CustomerRouter
CustomerRouter(config)#ip domain-name customer.com
CustomerRouter(config)#username admin privilege 15 password 0 cisco123
d. Configure the remote incoming vty terminal lines to accept Telnet and SSH.
CustomerRouter(config)#line vty 0 4
CustomerRouter(config-line)#privilege level 15
CustomerRouter(config-line)#login local
CustomerRouter(config-line)#transport input telnet ssh
CustomerRouter(config-line)#exit
e. Generate the RSA key pair the router uses for authentication and encryption of the SSH data it transmits. The default modulus size is 512.
CustomerRouter(config)#crypto key generate rsa
CustomerRouter#show ip ssh

Message-of-the-day (MOTD) banner and no ip domain lookup
R1(config)#banner motd #Unauthorized Use Prohibited#
R1(config)#no ip domain lookup

Physical interface (Ethernet)
R1(config)#interface FastEthernet 0/0
R1(config-if)#description R1 LAN Default Gateway
R1(config-if)#ip address 172.17.0.1 255.255.0.0
R1(config-if)#no shutdown
R1(config-if)#end

Serial interface
!first select the serial interface with interface serial <slot/port>
R1(config-if)#description WAN link to R2
R1(config-if)#ip address 172.17.0.1 255.255.0.0
R1(config-if)#clock rate 64000
R1(config-if)#no shutdown
R1(config-if)#exit

PPP on a serial interface !default encapsulation is HDLC
CustomerRouter(config-if)#encapsulation ppp !switch from HDLC to PPP
R2#debug ppp negotiation !set before changing to PPP
R2#debug ppp packet !set before changing to PPP
R2#undebug all !debug off
!below defines how to set authentication: PAP or CHAP
!must first create a username and password for each router
!R2 is the username for R2 and sent-username R1 is for the neighbor router
R2(config)#username R2 password cisco
!Authentication
R2(config)#interface Serial0/0/0
R2(config-if)#ppp authentication pap
R2(config-if)#ppp pap sent-username R1 password cisco
!or use CHAP, which never sends the password itself (challenge/hash)
R2(config-if)#ppp authentication chap
R2#debug ppp authentication

Frame Relay !data link (layer 2) protocol
FR-Switch(config)#frame-relay switching !FR switching is done on a router
FR-Switch(config)#interface serial 0/0/0
FR-Switch(config-if)#clock rate 64000
FR-Switch(config-if)#encapsulation frame-relay
FR-Switch(config-if)#frame-relay intf-type dce !tells the router to send keepalive messages
FR-Switch(config-if)#frame-relay route 102 interface serial 0/0/1 201 !forward DLCI 102 traffic on s0/0/0 to s0/0/1 with DLCI 201
FR-Switch(config-if)#no shutdown
FR-Switch(config-if)#interface serial 0/0/1 !create the second PVC

FR-Switch(config-if)#clock rate 64000
FR-Switch(config-if)#encapsulation frame-relay
FR-Switch(config-if)#frame-relay intf-type dce
FR-Switch(config-if)#frame-relay route 201 interface serial 0/0/0 102 !reverse mapping
FR-Switch(config-if)#no shutdown
FR-Switch#show frame-relay pvc !verify the FR config
FR-Switch#show frame-relay route !this is the layer 2 route
!now, configuring the routers for FR
R1(config)#interface serial 0/0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame-relay inverse-arp !inverse ARP is not reliable, so the static map below is sometimes better
R1(config-if)#frame-relay map ip 10.1.1.2 102 broadcast !statically map the IP address to the DLCI; broadcast is used over multiple PVCs
R1(config-if)#frame-relay map ip 10.1.1.1 102 !to ping its own interface
R1(config-if)#no shutdown
!R2 is the other end of the FR PVC
R2(config)#interface serial 0/0/1
R2(config-if)#encapsulation frame-relay
R2(config-if)#no frame-relay inverse-arp
R2(config-if)#frame-relay map ip 10.1.1.1 201 broadcast
R2(config-if)#frame-relay map ip 10.1.1.2 201
R2(config-if)#no shutdown
R1#show frame-relay pvc !get PVC info; also show ip route
R1#show frame-relay map !verify the FR mapping on R1 and R2; the FR switch does not show any layer 2 mapping here
R1#debug frame-relay lmi !info about LMI data
Alternative:
R2(config-if)#encapsulation frame-relay ietf !changes the FR encapsulation type
R2#show interface serial 0/0/1 !used to verify the encapsulation
Alternative:
R2(config-if)#frame-relay lmi-type ansi !changes the LMI type
R2#debug frame-relay lmi
R2#show frame-relay lmi

Configure a FR sub-interface
R1(config)#interface serial 0/0/1.112 point-to-point
R1(config-subif)#ip address 10.1.1.5 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 112

DHCP server
Customer(config)#ip dhcp excluded-address 192.168.1.1
Customer(config)#ip dhcp excluded-address 192.168.1.101 192.168.1.254
Customer(config)#ip dhcp pool INTERNAL
Customer(dhcp-config)#network 192.168.1.0 255.255.255.0
Customer(dhcp-config)#domain-name abc-widgets.inc
Customer(dhcp-config)#default-router 192.168.1.1
Customer(dhcp-config)#dns-server 192.168.1.200
Customer#show ip dhcp binding
Customer#show ip dhcp pool

IP Helper config
rad(config-if)#ip helper-address x.x.x.x !x.x.x.x is the address of the DHCP server
!this is configured on each interface whose clients need a DHCP address

Static NAT
CustomerRouter(config)#interface fastethernet 0/0

CustomerRouter(config-if)#ip nat inside
CustomerRouter(config-if)#exit
CustomerRouter(config)#interface serial 0/0/0
CustomerRouter(config-if)#ip nat outside
CustomerRouter(config-if)#exit
CustomerRouter(config)#ip nat inside source static 192.168.1.10 209.165.200.227 !<inside local IP> <inside global IP>
r1#show ip nat translations
r1#show ip nat statistics

Dynamic NAT
R1(config)#ip nat pool MyPool 24.1.1.3 24.1.1.6 netmask 255.255.255.0 !pool of inside global addresses
R1(config)#access-list 1 permit 192.18.0.0 0.0.0.255 !access list for the inside local addresses
R1(config)#ip nat inside source list 1 pool MyPool !dynamic NAT command; <inside local IP> <inside global IP>
R1(config)#interface e0
R1(config-if)#ip nat inside
R1(config-if)#interface s0
R1(config-if)#ip nat outside
r1#show ip nat translations
r1#show ip nat statistics

NAT with Overload (PAT)
CustomerRouter(config)#access-list 1 remark ACL for PAT
CustomerRouter(config)#access-list 1 permit 192.168.1.0 0.0.0.255
CustomerRouter(config)#interface FastEthernet 0/0
CustomerRouter(config-if)#ip nat inside
CustomerRouter(config-if)#exit
CustomerRouter(config)#interface Serial 2/0
CustomerRouter(config-if)#ip nat outside
CustomerRouter(config-if)#exit
CustomerRouter(config)#ip nat inside source list 1 interface serial 2/0 overload
r1#show ip nat translations
r1#show ip nat statistics

Default route
CustomerRouter(config)#ip route 0.0.0.0 0.0.0.0 next_hop_ip_address !where the last IP address (*.226) is the next hop from the 'CustomerRouter'

Static routing
RAD(config)#ip route network_address subnet_mask next_hop_ip_address
example: ip route 192.168.1.0 255.255.255.0 10.10.10.2

RIP routing
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 172.16.0.0 !advertises the associated network
R1(config-router)#passive-interface default !stops advertising on all interfaces
R1(config-router)#no passive-interface s0/0/0 !allows advertising on this interface
R1(config-router)#exit
R1#debug ip rip
R1#show ip route !used to troubleshoot RIP
R1#show ip protocols !used to troubleshoot RIP

RIP routing - password protection; must be completed for each router and each router interface
R1(config)#key chain RIP_KEY !define the key for RIP to use
R1(config-keychain)#key 1

R1(config-keychain-key)#key-string cisco
R1(config)#int s0/0/0 !set the interface to use the key for RIP updates; must do on each router
R1(config-if)#ip rip authentication mode md5
R1(config-if)#ip rip authentication key-chain RIP_KEY

OSPF routing
R1(config)#router ospf 1 !network statements must include the wildcard mask
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0 !network to advertise
R1(config-router)#network 10.1.1.0 0.0.0.3 area 0 !network to advertise; 0.0.0.3 is the wildcard for /30 or .252
R1#show ip ospf interface
R1#show ip ospf neighbor
R1#debug ip ospf events

BGP routing
ISP1(config)#router bgp 100
ISP1(config-router)#neighbor 172.16.1.2 remote-as 200
ISP1(config-router)#network 192.168.1.0
ISP1(config-router)#end
ISP1#show ip bgp

Access-list Standard
R3(config)#ip access-list standard STND-1 !create the access list named STND-1
R3(config-std-nacl)#deny 192.168.11.0 0.0.0.255 log !create the standard ACL entry with a wildcard mask (255-x)
R3(config-std-nacl)#permit any !there is an implicit deny all at the end
R3(config)#interface serial 0/0/1 !apply the ACL to the interface
R3(config-if)#ip access-group STND-1 in !apply the ACL inbound or outbound
R3#show ip access-list
R3#show ip interface

Access-list Extended
R1(config)#ip access-list extended EXTEND-1 !create the access list named EXTEND-1
R1(config-ext-nacl)#deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225 !create the extended ACL entry with a wildcard mask (255-x)
R1(config-ext-nacl)#permit ip any any !there is an implicit deny all at the end
R1(config)#interface serial 0/0/0 !apply the ACL to the interface
R1(config-if)#ip access-group EXTEND-1 out !apply the ACL inbound or outbound
R3#show ip access-list
R3#show ip interface

Access-list for VTYs
R2(config)#ip access-list standard TASK-5 !create the ACL as normal
R2(config-std-nacl)#permit 10.2.2.0 0.0.0.3
R2(config-std-nacl)#permit 192.168.30.0 0.0.0.255
R2(config)#line vty 0 4 !apply the ACL to the VTY lines
R2(config-line)#access-class TASK-5 in !use access-class instead of access-group
R3#show ip access-list
R3#show ip interface

Copy a configuration
R1#copy running-config startup-config
or R1#copy running-config tftp
or Router#copy tftp startup-config

Clean a router for use:
erase startup-config !or: erase nvram: (erases all configuration files)
reload !reloads the IOS

Manage IOS files:
R1#show flash !view IOS images
r1#dir all !show all files on the router in all locations

Syslog
R1(config)#logging 192.168.10.10 !address of the syslog server
R1(config)#logging trap warnings !'warnings' is the severity level (emergency to debugging)
R1(config)#service timestamps log datetime msec !adds a timestamp to each log entry

Network Time Protocol (NTP)
R1#show ntp status
R1#show clock
R1(config)# ntp server 192.168.1.5

TACACS server
R2(config)#tacacs-server host 192.168.2.2 !set the server address
R2(config)#tacacs-server key tacacspa55 !set the shared encryption key
R2(config)#aaa new-model !enable AAA
R2(config)#aaa authentication login default group tacacs+ local !set the login authentication method list: TACACS+ first, local as fallback
R2(config)#line con 0
R2(config-line)#login authentication default !on the console, set the login method to default

RADIUS server - authentication server
R3(config)#radius-server host 192.168.3.2 !set the server address
R3(config)#radius-server key radiuspa55 !set the shared encryption key
R3(config)#aaa new-model !enable AAA
R3(config)#aaa authentication login default group radius local !set the authentication method list: RADIUS first, local as fallback
R3(config)#line con 0
R3(config-line)#login authentication default !on the console, set the login method to default

Disable unused global services
R1(config)#no service pad
R1(config)#no service finger
R1(config)#no service udp-small-servers
R1(config)#no service tcp-small-servers
R1(config)#no ip bootp server
R1(config)#no ip http server
R1(config)#no ip finger
R1(config)#no ip source-route
R1(config)#no ip gratuitous-arps
R1(config)#no cdp run

Disable unused interface services
R1(config-if)#no ip redirects
R1(config-if)#no ip proxy-arp
R1(config-if)#no ip unreachables
R1(config-if)#no ip directed-broadcast
R1(config-if)#no ip mask-reply
R1(config-if)#no mop enabled

AutoSecure
R1#auto secure

IPS (Intrusion Prevention System)
R1(config)#ip ips config location ipsdir !configure the IPS signature storage location
R1(config)#ip ips name iosips !create the IPS rule
R1(config)#service timestamps log datetime msec !enable logging
R1(config)#logging on
R1(config)#logging 192.168.1.50
R1(config)#ip ips notify log
R1(config)#ip ips signature-category !enable specific IPS categories
R1(config-ips-category)#category all
R1(config-ips-category-action)#retired true
R1(config-ips-category)#category ios_ips basic
R1(config-ips-category-action)#retired false
R1(config)#int fa0/0 !apply the rule to the interface
R1(config-if)#ip ips iosips out
R1(config)#ip ips signature-definition !change the event/action of a signature (sig 2004, sub id 0)
R1(config-sigdef)#signature 2004 0
R1(config-sigdef-sig)#status
R1(config-sigdef-sig-status)#retired false
R1(config-sigdef-sig-status)#enabled true
R1(config-sigdef-sig-status)#exit
R1(config-sigdef-sig)#engine
R1(config-sigdef-sig-engine)#event-action produce-alert
R1#show ip ips all !IPS config status summary

Telnet commands from router/switch:
R1#telnet <IP_address> !telnet commands
R1#Ctrl+Shift+6, then x !this suspends a telnet session
R1#show sessions !shows which telnet sessions are connected to other hosts
R1#<hit enter key>; resume; or resume <session_#> !reconnects you to a previous telnet session
R1#disconnect !closes a suspended session
R1#exit !exits from the active host session

CDP commands:
R1#show cdp neighbors
R1#show cdp neighbors detail
R1#show cdp entry *

Show commands:
show arp
show flash
show ip route
show interfaces
show protocols
show users
show version
dir all
do !allows you to run EXEC mode commands (e.g. show) from configuration mode
clear ip route * !clears all routes from the routing table rather than waiting for them to time out

SECURITY:
-------
Create CBAC inspection rule (CBAC = Context-Based Access Control, used to create an IOS firewall)
R1(config)#ip inspect name IN-OUT-IN icmp !creates an inspect statement for ICMP or another protocol
R1(config)#ip inspect audit-trail !enables the inspect audit trail
R1(config)#int s0/0/1 !enable the inspect command on the interface
R1(config-if)#ip inspect IN-OUT-IN out !set inspect on the interface
R1#show ip inspect sessions
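The standard and extended access lists above, and the "0.0.0.3 is the wildcard for /30" remark in the OSPF section, all rest on the same wildcard-mask arithmetic. This added example (not from the original sheet) computes a wildcard from a subnet mask (255-x per octet), then walks the page's own STND-1, EXTEND-1 and TASK-5 entries top-down with first-match-wins and the implicit deny at the end; only the `ip`/`tcp`/`udp`/`icmp` keyword is used to tell an extended entry from a standard one, and ports are ignored.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_from_mask(mask):
    """Wildcard mask = 255 - x per octet, e.g. 255.255.255.252 -> 0.0.0.3."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def in_range(addr, network, wildcard):
    """Match when every bit that is 0 in the wildcard equals the network bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return ((to_int(addr) ^ to_int(network)) & care) == 0

def _operand(tokens):
    """Consume one address operand: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (default wildcard 0.0.0.0)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    wc = tokens.pop(0) if tokens and tokens[0][0].isdigit() else "0.0.0.0"
    return tok, wc

def parse_entry(line):
    """Parse a standard ('deny A W log') or extended ('permit ip src dst') entry into (action, src, dst)."""
    tokens = line.split()
    action = tokens.pop(0)
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):   # extended: protocol, source, destination
        tokens.pop(0)
        src, dst = _operand(tokens), _operand(tokens)
    else:                                            # standard: source only, any destination
        src, dst = _operand(tokens), ("0.0.0.0", "255.255.255.255")
    return action, src, dst

def evaluate(acl_lines, src, dst="0.0.0.0"):
    """Walk the entries top-down; the first match wins; no match hits the implicit deny."""
    for line in acl_lines:
        action, (snet, swc), (dnet, dwc) = parse_entry(line)
        if in_range(src, snet, swc) and in_range(dst, dnet, dwc):
            return action
    return "deny"

# The three access lists exactly as entered on the page.
STND_1 = ["deny 192.168.11.0 0.0.0.255 log", "permit any"]
EXTEND_1 = ["deny ip 192.168.10.0 0.0.0.255 host 209.165.200.225", "permit ip any any"]
TASK_5 = ["permit 10.2.2.0 0.0.0.3", "permit 192.168.30.0 0.0.0.255"]
```

Note that TASK-5 has no `permit any`, so a management host outside the two listed ranges is dropped by the implicit deny, which is exactly what `access-class` on the vty lines is for.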
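The `login block-for` / `security authentication failure rate` commands and the syslog server section above only help if someone reads what the router sends. This added detector (not from the original sheet) parses constructed IOS SEC_LOGIN syslog lines, counts failed logins per source inside a sliding window with the same 2-within-120-seconds threshold as the page's `login block-for`, and surfaces the router's own quiet-mode event; the message layout is modelled on IOS, the timestamps assume `service timestamps log datetime msec`, and the year is assumed because IOS timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines in the shape of IOS SEC_LOGIN messages (not captured from a real router).
SAMPLE_LOG = """\
*Mar  4 10:15:01.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
*Mar  4 10:15:40.331: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
*Mar  4 10:15:40.335: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 80 secs, [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl]
*Mar  4 10:20:02.001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ccna] [Source: 192.168.10.5] [localport: 22]
"""

# timestamp, message name, source address, local port
EVENT_RE = re.compile(
    r"\*(\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: %SEC_LOGIN-\d-(\w+):.*?"
    r"\[Source: ([\d.]+)\] \[localport: (\d+)\]"
)

def detect(log_text, max_failures=2, window_sec=120, year=2024):
    """Flag sources reaching max_failures failed logins within window_sec (the thresholds of
    'login block-for 300 attempts 2 within 120') and any quiet-mode activation. The year is assumed."""
    failures = defaultdict(list)
    findings = []
    for m in EVENT_RE.finditer(log_text):
        ts, name, src, port = m.groups()
        when = datetime.strptime(f"{' '.join(ts.split())} {year}", "%b %d %H:%M:%S %Y")
        if name == "QUIET_MODE_ON":
            findings.append(f"{src}: router entered quiet mode (login block-for triggered)")
        elif name == "LOGIN_FAILED":
            failures[src].append(when)
            recent = [t for t in failures[src] if (when - t).total_seconds() <= window_sec]
            if len(recent) >= max_failures:
                findings.append(f"{src}: {len(recent)} failed logins within {window_sec}s on port {port}")
    return findings
```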