
Thursday, January 12, 2012

Important Commands to Privilege 15

By default the outbound connection commands (telnet, connect, rlogin) and many show commands are reachable from user EXEC (level 1). Moving them to level 15 stops a level-1 user from using the router as a hop to other hosts or from reading the filter and logging configuration. First enter enable mode:
router1>enable
Password:
router1#
Enter global configuration mode:
router1#config t
Then move the outbound connection commands (telnet, connect, rlogin) and the show commands for filters and the log buffer to level 15. A privilege change applies only to the exact command given, so show itself stays usable at level 1 while these subcommands now require enable access:
router1(config)#privilege exec level 15 telnet
router1(config)#privilege exec level 15 connect
router1(config)#privilege exec level 15 rlogin
router1(config)#privilege exec level 15 show ip access-group
router1(config)#privilege exec level 15 show access-lists
router1(config)#privilege exec level 15 show logging 


Creating a User Account, Setting Up Telnet and a Banner

Now we will create a user. Before doing that, enter the command shown below: it makes IOS store line and username passwords in the configuration as type 7 instead of cleartext. Type 7 is a fixed-key XOR that any decoder reverses instantly, so it only protects against someone reading a show running-config over your shoulder; for real protection use username ... secret (a type 5 MD5 hash, or type 8/9 on newer images) rather than password.

router1(config)# service password-encryption
Now I will create a username called bala
router1(config)# username bala password @ust!nlol
Now set bala's privilege level. Level 1 (user EXEC) is the default; IOS merges the two username lines into a single entry in the running-config.
router1(config)# username bala privilege 1
Now set the enable secret, which is stored as an MD5 hash (type 5) rather than the reversible type 7 used by enable password.
router1(config)# enable secret T3stP@ssw06d
Remove the old enable password so only the hashed secret remains. When both exist IOS uses the secret, but the weaker password would still be readable in the configuration.
router1(config)# no enable password
Now we control where bala can connect from. Telnet is used here for testing only: it carries the username and password in cleartext, so anywhere outside a lab use SSH (transport input ssh) instead.
router1(config)# access-list 1 permit 192.168.1.15
router1(config)# access-list 1 deny any
router1(config)# line vty 0 4
Apply the standard access list inbound on the virtual terminal (vty) lines; only 192.168.1.15 may open a session, anything else is refused before the login prompt.
router1(config-line)# access-class 1 in
Set exec-timeout so an idle session is closed after 5 minutes 0 seconds. The default is 10 minutes; 0 0 would disable the timeout altogether.
router1(config-line)# exec-timeout 5 0
Restrict the inbound protocols on these lines to telnet only, instead of every protocol the image supports.
router1(config-line)# transport input telnet
Authenticate against the local username database (the bala account created above).
router1(config-line)# login local
The exec line command ensures an EXEC process is started on the line; it is the default on vty lines, so this only matters if it had been disabled earlier.
router1(config-line)# exec
Leave line configuration mode and set a login banner from global configuration; it is displayed before the username prompt.
router1(config-line)# exit
router1(config)# banner login #For authorized users only !!!#
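
Why the caveat about service password-encryption matters: the following is an added example, not part of the original post, that reverses type 7 strings the way every decoder tool does. TYPE7_KEY is the well-known fixed key baked into IOS; the sample running-config excerpt is constructed, the username string in it was computed by hand from that key with salt 00, and the other two strings are produced by type7_encode() in the same block.

```python
import re
from typing import List, Tuple

# Fixed key baked into every IOS image; all type 7 strings are XORed against it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(s: str) -> str:
    """'SSHHHH...': SS is a two-digit decimal offset into TYPE7_KEY, then one
    hex byte per character, each XORed with the key byte at offset + i."""
    if len(s) < 4 or len(s) % 2 or not s[:2].isdigit():
        raise ValueError("not a type 7 string")
    salt, body = int(s[:2]), bytes.fromhex(s[2:])
    return bytes(c ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(body)).decode()

def type7_encode(plain: str, salt: int = 0) -> str:
    """Inverse of type7_decode, used here only to build the sample config.
    IOS itself picks a salt in 0..15."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be 0..15")
    body = bytes(c ^ TYPE7_KEY[(salt + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain.encode()))
    return f"{salt:02d}{body.hex().upper()}"

# Where type 7 strings appear: 'password 7 X' / 'key 7 X' on username, enable
# and line entries, and 'md5 X 7' on ntp authentication-key lines.
TYPE7_PATTERNS = (
    re.compile(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})"),
    re.compile(r"\bmd5 ([0-9A-Fa-f]{4,}) 7\s*$"),
)

def harvest_type7(running_config: str) -> List[Tuple[str, str]]:
    """(config line, recovered plaintext) for every type 7 string found.
    'secret 5' hashes are not reversible and are left alone."""
    found = []
    for line in running_config.splitlines():
        for pat in TYPE7_PATTERNS:
            m = pat.search(line)
            if m:
                found.append((line.strip(), type7_decode(m.group(1))))
                break
    return found

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 {type7_encode("T3stP@ssw06d", salt=5)}
username bala privilege 1 password 7 00240615101A050A002D
username admin privilege 15 secret 5 $1$placeholder$not.a.real.hash
ntp authentication-key 1 md5 {type7_encode("router", salt=11)} 7
"""
```

Run harvest_type7(SAMPLE_CONFIG) and every password or key stored as type 7 comes back in plaintext, while the secret 5 line yields nothing; that is the whole difference between password and secret in IOS.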

Tuesday, January 10, 2012

Time Services

Setting Time Manually
Setting the clock by hand is tedious and error prone: the operator's reference may itself be wrong, the clock drifts, and on platforms without a battery-backed calendar it is lost at reload, so log timestamps cannot be trusted or correlated across devices.

router1# show clock detail
router1# config t
router1(config)# clock timezone IST 5 30
router1(config)# exit
router1# clock set 05:11:00 01 January 2012
router1# show clock

Configuring NTP
For a Cisco router to take time from the network, set the NTP source interface and designate one or more NTP servers. The source keyword fixes the address the router sends NTP from, which matters when the server (or a filter in front of it) only answers known clients. An access list on the router in turn limits which hosts it will exchange NTP with.

router1# config t
router1(config)# interface eth 0
router1(config-if)# ntp enable
router1(config-if)#  exit
router1(config)# ntp server 192.168.1.15 source eth 0
The access-group must reference the list just created (2, not 21); peer allows time requests from, and synchronisation with, the listed host only.
router1(config)# access-list 2 permit host 192.168.1.15
router1(config)# access-list 2 deny any log
router1(config)# ntp access-group peer 2
router1(config)#  exit
router1# show ntp associations

Disabling NTP
 
router1# config t
router1(config)# interface eth 0
router1(config-if)# ntp disable
router1(config-if)# end

NTP Authentication

With authentication on, the router only accepts time from servers that sign their replies with a key it has marked trusted; it does not protect against a trusted server that is itself wrong or compromised. The key is a shared secret with the server and is written into the running-config (as type 7 when service password-encryption is on), so use a real key rather than the placeholder router used here.
router1# config t
router1(config)# ntp authenticate
router1(config)# ntp authentication-key 1 md5 router
router1(config)# ntp trusted-key 1
router1(config)# ntp server 192.168.1.15 key 1 source eth 0
router1(config)# exit

 

Setting Up Syslog Logging

router1# config t
Send severities 0 (emergencies) through 6 (informational) to the syslog host; debugging output is left out.
router1(config)# logging trap informational
Send them to the syslog server 192.168.1.1 (UDP 514 by default; plain syslog is neither authenticated nor encrypted, so keep the collector on a management network):
router1(config)# logging 192.168.1.1
Tag every message from router1 with facility local6 so the server can file them separately:
router1(config)# logging facility local6
Source the messages from eth0 so the collector always sees the same address:
router1(config)# logging source-interface eth 0
router1(config)# exit



On the syslog server, a matching selector in /etc/syslog.conf (or rsyslog.conf) writes those messages to their own file; this line belongs on the server, not on the router:
local6.debug    /var/log/router.log

SNMP Trap Logging

Here we make the router send its syslog messages as SNMP traps to a management station on UDP 162.

router1# config t
logging history (not logging trap, which only affects the syslog host) sets the level of messages kept in the history table and forwarded as traps; the default is warnings.
router1(config)# logging history informational
The community string public is the well-known default and the first one any scanner tries, so use your own outside a lab.
router1(config)# snmp-server host 192.168.1.1 traps public
router1(config)# snmp-server trap-source ethernet 0
router1(config)# snmp-server enable traps syslog
router1(config)#  exit

Log message Severity

Level 0 - emergencies: the system is unusable.
Level 1 - alerts: immediate action needed.
Level 2 - critical: critical conditions.
Level 3 - errors: error conditions, operation continues.
Level 4 - warnings: warning conditions, operation continues.
Level 5 - notifications: normal but significant events, e.g. an interface changing state from up to down.
Level 6 - informational: e.g. a packet denied by an ACL entry with the log keyword.
Level 7 - debugging: appears only while debugging is enabled.
A logging trap (or logging history) level sends that level and everything more severe.

Router Logging

To set up local logging on the router, keep a 16000-byte in-memory buffer and stamp every message with date, time to the millisecond, local time and time zone so entries can be lined up with the syslog server's:

router1#config t
router1(config)# logging buffered 16000
router1(config)# service timestamps log datetime msec localtime show-timezone
router1(config)# exit
router1#show logging
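
What the collector actually receives after the syslog, severity and timestamp settings above, as an added example that is not part of the original post: a parser for IOS log lines and a small triage pass over them. The sample lines are constructed; the mnemonics (SYS-5-CONFIG_I, SEC-6-IPACCESSLOGP, LINEPROTO-5-UPDOWN) are real IOS ones, the addresses, sequence numbers and times are made up. The facility value 22 assumed for local6 follows the standard syslog PRI encoding.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names in the order of the severity table above (0 = emergencies).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# <PRI> prefix added on the wire: PRI = facility * 8 + severity (local6 = 22).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
# IOS body: [seq: ] [timestamp: ] %FACILITY-SEVERITY-MNEMONIC: text. The
# timestamp shape is what 'service timestamps log datetime msec localtime
# show-timezone' produces; '*' or '.' in front marks an unsynchronised clock.
IOS_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"(?: [A-Za-z]{1,5})?): )?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")

@dataclass
class IosLog:
    wire_facility: Optional[int]   # from <PRI>; None if the line had no PRI
    wire_severity: Optional[int]
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str                  # IOS facility: SYS, SEC, LINEPROTO, ...
    severity: int                  # 0..7 as in the table above
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

def parse_line(line: str) -> IosLog:
    wire_fac = wire_sev = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        wire_fac, wire_sev = pri >> 3, pri & 7
        line = m.group(2)
    m = IOS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an IOS syslog line: {line!r}")
    return IosLog(wire_fac, wire_sev,
                  int(m["seq"]) if m["seq"] else None, m["ts"],
                  m["fac"], int(m["sev"]), m["mnem"], m["text"])

def triage(lines: List[str]) -> List[Tuple[str, IosLog]]:
    """Tag each message with what an operator would act on."""
    out = []
    for raw in lines:
        log = parse_line(raw)
        tags = []
        if log.wire_severity is not None and log.wire_severity != log.severity:
            tags.append("pri-mismatch")      # relay rewrote PRI, or the line is forged
        if log.severity <= 2:
            tags.append("critical")
        if "IPACCESSLOG" in log.mnemonic and "denied" in log.text:
            tags.append("acl-deny")          # ACL entry with the log keyword fired
        if log.facility in ("LINK", "LINEPROTO") and log.mnemonic == "UPDOWN":
            tags.append("link-change")
        if log.facility == "SYS" and log.mnemonic == "CONFIG_I":
            tags.append("config-change")     # someone entered configure terminal
        for t in tags or ["routine"]:
            out.append((t, log))
    return out

# Constructed sample, as a collector would see it from router1 after
# 'logging trap informational' and 'logging facility local6'.
SAMPLE_LINES = [
    "<181>45: Jan 12 05:11:00.123 IST: %SYS-5-CONFIG_I: Configured from console by bala on vty0 (192.168.1.15)",
    "<182>46: Jan 12 05:12:30.007 IST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.1(4532) -> 192.168.1.1(23), 1 packet",
    "<181>47: Jan 12 05:13:02.550 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down",
    "<182>48: Jan 12 05:13:09.001 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",   # buffer copy: no PRI, no timestamps
]
```

The fourth line carries PRI severity 6 with a level-5 body, the kind of inconsistency that shows up when a relay rewrites the header or a message is injected; the parser keeps both values so the triage can flag it rather than silently trusting either one.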

Saturday, January 7, 2012

ACL Standard & Extended

Let us create a standard access list and apply it to an interface. A standard list matches on source address only; the second argument is a wildcard mask (0 bits must match, 1 bits are ignored), so a single host is written with 0.0.0.0.

router1(config)#access-list 1 permit [src_IP] [wildcard]
Now apply it inbound on interface Ethernet 1 of router1. Every list ends with an implicit deny any, so traffic matching no permit entry is dropped.
router1(config)#interface eth 1
router1(config-if)#ip access-group 1 in
router1(config-if)#end

Let us create an extended access list and apply it to an interface. An extended list (100-199) matches on protocol, source and destination, and optionally on ports:

router1(config)#access-list 101 permit tcp [src_IP] [src_wildcard] [eq src_port] [dst_IP] [dst_wildcard] [eq dst_port]
Now apply it inbound on interface Ethernet 1 of router1
router1(config)#interface eth 1
router1(config-if)#ip access-group 101 in
router1(config-if)#end
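
How IOS evaluates the lists above, as an added example that is not part of the original post: wildcard bits set to 1 are "don't care" and 0 bits must match, entries are tested top-down, the first hit decides, and a packet that matches nothing falls to the implicit deny any. The ACL entries and packets below are constructed sample data; ACL_1 mirrors the vty access-class from the user-account post, and the deny-only list shows why a single deny entry with no permit blocks everything on the interface.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # what IOS writes for 'any'

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = ANY[0]                    # standard ACLs never look at dst
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None       # 'eq <port>' on the destination

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard leaves as 0 (the inverse of a netmask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (b & care)

def evaluate(acl: List[Ace], pkt: Dict) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], ace.src, ace.src_wc):
            continue
        if not wildcard_match(pkt["dst"], ace.dst, ace.dst_wc):
            continue
        if ace.dst_port is not None and pkt.get("dport") != ace.dst_port:
            continue
        return ace.action, i
    return "deny", None                  # the implicit 'deny any' at the end

def host(ip: str) -> Tuple[str, str]:
    """'host x.x.x.x' is shorthand for wildcard 0.0.0.0."""
    return ip, "0.0.0.0"

def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Dict:
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

# access-list 1 permit 192.168.1.15
ACL_1 = [Ace("permit", "ip", *host("192.168.1.15"))]

# access-list 101 deny udp any any eq 123
# access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
ACL_101 = [
    Ace("deny", "udp", *ANY, *ANY, 123),
    Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", *ANY, 22),
]

# A list with only a deny entry: everything else meets the implicit deny.
ACL_DENY_ONLY = [Ace("deny", "udp", *ANY, *ANY, 123)]
```

Note the contrast between ACL_101 and ACL_DENY_ONLY: both stop NTP, but only the first lets anything else through, which is exactly the mistake to avoid when an ACL is added to an interface just to block one service.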

Friday, January 6, 2012

Turning Off unwanted Services in Cisco Routers

General Services
Now we will disable Cisco Discovery Protocol (CDP). It advertises the platform, IOS version and addresses to every layer-2 neighbour; no cdp run turns it off globally (no cdp enable does the same per interface).
router1#config t
router1(config)# no cdp run

Now we will disable the TCP and UDP small servers (echo, chargen, discard, daytime). They have been off by default since IOS 11.3, but it does no harm to say so explicitly.
router1(config)# no service tcp-small-servers
router1(config)# no service udp-small-servers

Now we will disable the finger service, which reports who is logged in; no ip finger is the current form and no service finger the older one.
router1(config)# no ip finger
router1(config)# no service finger

Now we will disable the HTTP management server (and, if HTTPS is not used for management either, no ip http secure-server as well).
router1(config)# no ip http server

Now we will disable the BOOTP server, so the router does not serve boot images to other systems over the network
router1(config)# no ip bootp server

Now we will disable SNMP. First remove the default community strings (public read-only, private read-write), then turn the agent off entirely. Skip the final no snmp-server if the SNMP trap logging described above is in use.
router1(config)# no snmp-server community public RO
router1(config)# no snmp-server community private RW
router1(config)# no snmp-server enable traps
router1(config)# no snmp-server system-shutdown
router1(config)# no snmp-server trap-auth
router1(config)# no snmp-server

Now we will disable DNS lookups. With no name server configured, IOS sends queries for unresolved names typed at the CLI to the broadcast address 255.255.255.255, which leaks information and makes a mistyped command hang.
router1(config)# no ip domain-lookup

Now we will disable auto-loading of configuration from the network at boot, which fetches files over unauthenticated TFTP:
router1(config)# no boot network
router1(config)# no service config

Now we will disable IP source routing, which lets a sender dictate the path a packet takes and so bypass routing policy:
router1(config)# no  ip source-route

Interface services

Now we will disable IP directed broadcasts, which let a remote host reach every host on the LAN at once (the smurf amplifier). They are off by default since IOS 12.0, but set it explicitly.
router1(config)# interface eth1
router1(config-if)# no ip directed-broadcast

Now we will disable the ICMP messages the interface generates: redirects (which could steer hosts to a rogue gateway), unreachables (which also speed up address scanning) and mask replies.
router1(config)# interface eth1
router1(config-if)# no ip redirects
router1(config-if)# no ip unreachables
router1(config-if)# no ip mask-reply
router1(config-if)# end
Note that no ip unreachables also suppresses the fragmentation-needed message, so path MTU discovery through this interface breaks; keep that in mind on transit interfaces.

Now we will disable proxy ARP, which answers ARP requests on behalf of hosts on other networks. It is an interface setting:
router1#config t
router1(config)# interface eth1
router1(config-if)# no ip proxy-arp
router1(config-if)# end

Now we will disable NTP on an interface: block inbound NTP with an access list and stop the interface from answering NTP. NTP is UDP port 123. An access list with only a deny entry would drop all traffic because of the implicit deny at its end, so a permit must follow.
router1(config)#access-list 101 deny udp any any eq ntp
router1(config)#access-list 101 permit ip any any
router1(config)#interface eth1
router1(config-if)#ip access-group 101 in
router1(config-if)#ntp disable
router1(config-if)#end
         
Now we will disable unused Interfaces
router1#config t
router1(config)#interface eth2
router1(config-if)#shutdown
router1(config-if)#end
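
Checking that the steps above actually made it into a device, as an added example that is not part of the original post: a small audit over a saved show running-config covering the user-account, SNMP and unwanted-services posts on this page. Both configurations below are constructed. IOS omits default settings from the running-config, so each check keys on a line being present (ip http server, snmp-server community) or on the explicit no form being absent where the default is on (source routing, CDP, redirects, proxy ARP); services that default off (small servers, finger, bootp) cannot be confirmed from the text and are not checked. The audit goes one step past the page by flagging telnet on the vty lines, since the post itself notes telnet was used for testing.

```python
import re

SECTION_RE = re.compile(r"^(interface|line) ")

def parse_sections(cfg):
    """Top-level lines plus {section header: [indented body lines]}; '!' ends a section."""
    top, sections, cur = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith(" "):
            if cur is not None and line:
                sections[cur].append(line)
        elif line and not line.startswith("!"):
            if SECTION_RE.match(line):
                cur = line
                sections.setdefault(cur, [])
            else:
                cur = None
                top.append(line)
        else:
            cur = None
    return top, sections

def audit(cfg):
    """One finding per deviation from the hardening steps on this page."""
    top, sections = parse_sections(cfg)
    tops, f = set(top), []
    grep = lambda pat: [l for l in top if re.match(pat, l)]
    # Credentials: 'password' (type 0 or 7) is recoverable; only 'secret' is hashed.
    if "service password-encryption" not in tops:
        f.append("global: no service password-encryption (type 0 passwords in config)")
    if grep(r"enable password "):
        f.append("global: enable password present; use 'enable secret' and 'no enable password'")
    if not grep(r"enable secret "):
        f.append("global: no enable secret")
    for l in grep(r"username \S+ .*password [07] "):
        f.append(f"global: reversible credential on '{l.split(' password ')[0]}'; use 'secret'")
    # SNMP: default community names are the first guess of every scanner.
    for l in grep(r"snmp-server community "):
        m = re.match(r"snmp-server community (\S+)(?:.* (RO|RW))?", l)
        name, mode = m.group(1), m.group(2) or "RO"
        if name.lower() in ("public", "private") or mode == "RW":
            f.append(f"global: snmp community '{name}' {mode}: default name and/or write access")
    # Services: shown only when enabled (http) or when explicitly disabled (the rest).
    if "ip http server" in tops:
        f.append("global: ip http server enabled")
    if "no ip source-route" not in tops:
        f.append("global: IP source routing on (default); add 'no ip source-route'")
    if "no cdp run" not in tops:
        f.append("global: CDP running (default); add 'no cdp run'")
    for hdr, body in sections.items():
        if hdr.startswith("line vty"):
            if not any(b.startswith("access-class ") for b in body):
                f.append(f"{hdr}: no access-class, any source may reach the vty")
            if any(b.startswith("transport input") and "telnet" in b for b in body):
                f.append(f"{hdr}: cleartext telnet accepted; prefer 'transport input ssh'")
        elif hdr.startswith("interface") and "shutdown" not in body:
            if "no ip redirects" not in body:
                f.append(f"{hdr}: ICMP redirects on (default)")
            if "no ip proxy-arp" not in body:
                f.append(f"{hdr}: proxy ARP on (default)")
            if "ip directed-broadcast" in body:
                f.append(f"{hdr}: directed broadcasts forwarded")
    return f

# Constructed sample: a router still at factory defaults plus a telnet vty.
WEAK_CONFIG = """\
enable password cisco123
username bala privilege 1 password 0 @ust!nlol
ip http server
snmp-server community public RO
snmp-server community private RW
interface Ethernet1
 ip directed-broadcast
line vty 0 4
 transport input telnet
"""

# Constructed sample: the same device after the steps on this page, ssh instead of telnet.
HARDENED_CONFIG = """\
service password-encryption
no ip source-route
no cdp run
enable secret 5 $1$placeholder$notarealhash
username bala privilege 1 secret 5 $1$placeholder$notarealhash
no ip http server
access-list 1 permit 192.168.1.15
interface Ethernet0
 no ip redirects
 no ip proxy-arp
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
"""
```

audit(WEAK_CONFIG) lists every item this page turns off that is still at its default, plus the recoverable credentials; audit(HARDENED_CONFIG) returns an empty list. Feed it the output of show running-config from a real device to see which posts on this page were never applied.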