enable
configure terminal
enable secret cisco
aaa new-model
exit
disable
! Enter the "Root" parser View
! Use the enable secret to enter
enable view
cisco
! Verify that we are in the root view
show parser view
! From the root view, enter configuration mode
configure terminal
! Create a new View, named "help-desk"
parser view help-desk
! Set the secret for this view"
secret cisco-hd
! Lock down what can be done while
! in this help-desk view
commands exec include all show ip
commands exec include show version
commands exec include show
commands exec include logout
! Optionally, create a user, and lock him
! into this new help-desk view.
! Even though he has privilege level 15
! the user will only be able to perform! tasks allowed by the view
username bob view help-desk privilege 15 secret cisco-bob
! Train the router to use the local database
! (the running-config) for authentication and
! authorization on the VTY lines by creating 2 custom
! method lists, and applying those methods to the VTY lines
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local
! Applying the custom method lists to the
! VTy lines
line vty 0 4
login authentication VTY-Authen
authorization exec VTY-Author
end
Control plane host with ssh
conf t
! Domain name required for RSA key creation
ip domain-name CBTNuggets.com
! Create the keys for SSH (Use minimum of 1024)
crypto key generate rsa modulus 1024
! One way of kicking out TELNET
line vty 0 4
transport input ssh
exit
! Another way of locking down
! management specific management
! protocols to specific ports
! Best to use Out of Band (OOB) management
! when possible
! Enter the logical control-plane interface
control-plane host
! Tell the router to only allow specific
! protocols on specific ports
management-interface fa2/0 allow ssh http https
end
Prep for CCP
configure terminal
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret cisco
end
config terminal
secure boot-image
secure boot-config
do show secure bootset
configure terminal
enable secret cisco
aaa new-model
exit
disable
! Enter the "Root" parser View
! Use the enable secret to enter
enable view
cisco
! Verify that we are in the root view
show parser view
! From the root view, enter configuration mode
configure terminal
! Create a new View, named "help-desk"
parser view help-desk
! Set the secret for this view"
secret cisco-hd
! Lock down what can be done while
! in this help-desk view
commands exec include all show ip
commands exec include show version
commands exec include show
commands exec include logout
! Optionally, create a user, and lock him
! into this new help-desk view.
! Even though he has privilege level 15
! the user will only be able to perform! tasks allowed by the view
username bob view help-desk privilege 15 secret cisco-bob
! Train the router to use the local database
! (the running-config) for authentication and
! authorization on the VTY lines by creating 2 custom
! method lists, and applying those methods to the VTY lines
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local
! Applying the custom method lists to the
! VTy lines
line vty 0 4
login authentication VTY-Authen
authorization exec VTY-Author
end
Control plane host with ssh
conf t
! Domain name required for RSA key creation
ip domain-name CBTNuggets.com
! Create the keys for SSH (Use minimum of 1024)
crypto key generate rsa modulus 1024
! One way of kicking out TELNET
line vty 0 4
transport input ssh
exit
! Another way of locking down
! management specific management
! protocols to specific ports
! Best to use Out of Band (OOB) management
! when possible
! Enter the logical control-plane interface
control-plane host
! Tell the router to only allow specific
! protocols on specific ports
management-interface fa2/0 allow ssh http https
end
Prep for CCP
configure terminal
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret cisco
end
config terminal
secure boot-image
secure boot-config
do show secure bootset
No comments:
Post a Comment