Username and password encryption, 3 ways:
  1) username {username} password {password}
  2) username {username} secret {password}
  3) username {username} algorithm-type {md5|sha256|scrypt} secret {password}
  (password stores a reversible type 7 string; secret stores a hash, so prefer 2 or 3)
Configure Line Local Password Authentication (under the line):
  password {password}
  login                       (enables password checking at login)
Configure Line Local Username Password Authentication:
  username {username} password {password}   (global config)
  login local                 (under the line; enables username-based authentication at login)
Privilege Levels and Role-Based Access, 3 levels:
  Privilege 0: disable, enable, exit, help, logout
  Privilege 1 (User EXEC): prompt >
  Privilege 15 (Privileged EXEC): prompt #
Verify Privilege Levels: show running-config
Change the privilege level of a command: privilege {mode} level {level} {command string}
Controlling Access to vty lines with Transport input:
  transport input {all|none|telnet|ssh}
Verify access to vty lines with Transport input: show line
Enabling SSH vty access:
  hostname {hostname}
  ip domain-name {domain-name}
  ip ssh version 2            (forces the SSH server to accept only version 2)
  crypto key generate rsa
Auxiliary Port: for remote administration through a dial-up modem connection. Disabled by no exec under line aux 0.
EXEC Timeout: automatically times out an idle EXEC session. exec-timeout {minutes} {seconds}; default is 10 minutes.
Absolute Timeout: automatically times out an EXEC session regardless of activity. absolute-timeout {minutes}; logout-warning {seconds}
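The line, SSH and timeout settings above combined into one working configuration, as an added example that is not from the cheat sheet. The hostname, domain name, username, management subnet and ACL name are placeholders; the access-class ACL and the 2048-bit modulus are additions beyond the commands listed above.

```cisco
! Added example: placeholder names and addresses, not a real device
hostname R1
ip domain-name example.local
! admin account with a hashed secret (not a reversible type 7 password)
username netadmin privilege 15 algorithm-type scrypt secret <strong-passphrase>
! RSA key must exist before the SSH server will start
crypto key generate rsa modulus 2048
ip ssh version 2
! only the management subnet may reach the vty lines (placeholder addresses)
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 login local
 exec-timeout 5 0
 absolute-timeout 60
 logout-warning 30
line con 0
 login local
 exec-timeout 5 0
! aux port not used for dial-up management, so no EXEC and no transport
line aux 0
 no exec
 transport input none
! verify: show ip ssh, show line, show privilege
```

Open a second SSH session to confirm the new settings before closing the one you configured from; a typo in transport input or login local on the vty lines locks out remote access until someone reaches the console.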
TACACS+: TCP 49. Separates AAA into independent functions and can request authorization parameters separately. Encrypts the entire payload, does not support EAP, supports CLI command accounting; used for network device access control.
RADIUS: IETF standard. AuthN & AuthR: UDP 1645, Accounting: UDP 1646. AAA transport protocol for EAP; returns all authorization parameters in a single reply, encrypts only the password, supports EAP for 802.1X authentication, does not support network device CLI accounting; used for secure network access.
Configuring AAA (Authentication, Authorization, Accounting) for NDAC = configuration of the device + configuration of the TACACS+ AAA server:
  1) Create local user with full privilege: username {username} privilege 15 algorithm-type {md5|sha256|scrypt} secret {password}
  2) Enable AAA functions: aaa new-model
  3) Add TACACS+ server:
     IOS < 15.x:  tacacs-server host {hostname|host-ip-address} key key
     IOS >= 15.x: tacacs server name
                  address ipv4 {hostname|host-ip}
                  key key-string
  4) Create AAA group: aaa group server tacacs+ group-name
                       server name server-name
  5) Enable AAA AuthN: aaa authentication login {default|custom-list} method…
  6) Enable AAA AuthR (EXEC): aaa authorization exec {default|custom-list} method…
  7) Enable AAA AuthR (Console): aaa authorization console
  8) Enable AAA command AuthR (EXEC): aaa authorization commands {privilege level} {default|custom-list} method…
  9) Enable command AuthR in global config mode: aaa authorization config-commands
  10) Enable login accounting: aaa accounting exec {privilege level} {default|custom-list} method…
  11) Enable command accounting: aaa accounting commands {privilege level} {default|custom-list} method…
Verifying AAA Config: establish an SSH session
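Steps 1 to 11 carried through as one complete IOS >= 15.x configuration, as an added example that is not from the cheat sheet. The server name, group name, address, shared key and username are placeholders; the local fallback method and the if-authenticated method for command authorization are design choices of this example, not commands from the list above.

```cisco
! Added example: placeholder server, key and user values
aaa new-model
! local account used only when no TACACS+ server answers
username netadmin privilege 15 algorithm-type scrypt secret <strong-passphrase>
! TACACS+ server definition (address and key are placeholders)
tacacs server TAC1
 address ipv4 10.0.0.10
 key <shared-key>
aaa group server tacacs+ TAC-GROUP
 server name TAC1
! Authentication: TACACS+ first, local database only if the group is unreachable
aaa authentication login default group TAC-GROUP local
! Authorization for the EXEC shell, the console, and commands at levels 1 and 15
aaa authorization console
aaa authorization exec default group TAC-GROUP local
aaa authorization commands 1 default group TAC-GROUP if-authenticated
aaa authorization commands 15 default group TAC-GROUP if-authenticated
aaa authorization config-commands
! Accounting: session start/stop plus every privileged command, sent to the group
aaa accounting exec default start-stop group TAC-GROUP
aaa accounting commands 15 default start-stop group TAC-GROUP
! verify from a management host: ssh netadmin@<router-address>
! verify on the router: show aaa servers, show tacacs
```

The if-authenticated method lets an already authenticated user keep running commands when the servers are down; it keeps you from being locked out but also means per-command authorization is not enforced during an outage, so the accounting records are the only trace of what ran. Keep an existing session open while applying this and test a fresh login before saving.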
Self Zone: system-level zone that includes all router IP addresses. Traffic to and from the self zone is permitted by default to support the management and control planes. Verify: ping
Control Plane Policing (CoPP): QoS policy applied to traffic destined to, or sourced by, the router control plane CPU.
Configuring ACLs for CoPP
Configuring Class Maps for CoPP:
  class-map {match-all|match-any} class-map-name
Configuring Policy Maps for CoPP:
  policy-map policy-map-name
   class class-map-name
    police police-rate conform-action {transmit|drop} exceed-action {transmit|drop} violate-action {transmit|drop}
Applying CoPP Policy Map (under control-plane configuration mode):
  service-policy {input|output} policy-name
Verifying CoPP Policy Map: show policy-map control-plane input
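The ACL, class map, policy map and control-plane steps above as one working CoPP configuration, added here as an example that is not from the cheat sheet. The ACL and class names, the management subnet, the SNMP manager address and the police rates and burst sizes are placeholders chosen for illustration.

```cisco
! Added example: placeholder addresses, names and rates
! ACLs select the traffic each class will police
ip access-list extended COPP-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp host 10.0.0.10 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any
class-map match-any COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-any COPP-ICMP-CLASS
 match access-group name COPP-ICMP
policy-map COPP-POLICY
 class COPP-MGMT-CLASS
  ! rate in bps, bursts in bytes; exceed still transmits, only violate drops
  police 500000 50000 100000 conform-action transmit exceed-action transmit violate-action drop
 class COPP-ICMP-CLASS
  ! ping must work for troubleshooting but a flood must not starve the CPU
  police 32000 8000 conform-action transmit exceed-action drop
 class class-default
  police 1000000 100000 conform-action transmit exceed-action drop
! the policy is applied to the control plane, not to a data interface
control-plane
 service-policy input COPP-POLICY
! verify: show policy-map control-plane input
```

Read the conformed and exceeded counters in show policy-map control-plane input over a normal operating period before lowering any rate; a class that drops routing or management traffic under ordinary load is a self-inflicted outage, while a class that never exceeds is not yet limiting anything.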
Device Hardening: minimizes the amount of information exposed externally.
  Disable topology discovery protocols: no cdp enable, no lldp transmit, no lldp receive
  Disable TCP and UDP small services: service tcp-keepalives-in, service tcp-keepalives-out