Monday, December 21, 2015

Additional tools and commands on IOS

enable

configure terminal
! An enable secret (hashed) rather than an enable password is
! required, and aaa new-model must be on before parser views
! can be created or entered
enable secret cisco
aaa new-model
exit
! Drop back to user mode so the view login can be demonstrated
disable

! Enter the root parser view; the router prompts for
! the enable secret configured above
enable view
cisco

! Verify that we are in the root view
show parser view

! From the root view, enter configuration mode
configure terminal

! Create a new View, named "help-desk"
parser view help-desk

! Set the secret for this view
secret cisco-hd

! Lock down what can be done while in this help-desk view.
! "include all show ip" permits every command that begins
! with "show ip"; the other lines permit exactly the
! command named
commands exec include all show ip
commands exec include show version
commands exec include show
commands exec include logout

! Optionally, create a user and lock him into this new
! help-desk view. Even though he has privilege level 15,
! the user will only be able to perform the tasks allowed
! by the view. The view is applied at login through AAA
! exec authorization, so that must be enabled on the line
! the user connects to (configured below)
username bob view help-desk privilege 15 secret cisco-bob

! Tell the router to use the local database (the usernames
! in the running-config) for authentication and exec
! authorization on the VTY lines, by creating two named
! method lists and then applying them to the VTY lines
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local

! Apply the custom method lists to the VTY lines
line vty 0 4
login authentication VTY-Authen
authorization exec VTY-Author
end

Control-plane host with SSH
conf t

! A hostname and domain name are required for RSA key creation
ip domain-name CBTNuggets.com

! Create the keys for SSH. 1024 is the minimum to use here;
! prefer 2048 or larger on current code, and restrict the
! router to SSH version 2 once the keys exist
crypto key generate rsa modulus 1024

! One way of kicking out Telnet: allow only SSH on the VTY
! lines. Many platforms have 16 VTY lines (0 to 15); apply
! this to every VTY range the platform has, not just 0 to 4
line vty 0 4
transport input ssh
exit

! Another way of locking down management: restrict specific
! management protocols to a specific interface.
! Best to use out-of-band (OOB) management when possible.
! Enter the logical control-plane host interface
control-plane host

! Tell the router to allow only the listed management
! protocols, and only on the named interface. Note that
! listing http here still permits plaintext HTTP; drop it
! if HTTPS alone is enough
management-interface fa2/0 allow ssh http https
end

Prep for CCP
configure terminal
! CCP needs the HTTP server with local authentication and a
! privilege-15 user. ip http server listens in plaintext;
! if CCP is used over HTTPS only, the secure-server line
! alone is enough
ip http server
ip http secure-server
ip http authentication local
username admin privilege 15 secret cisco
end

Resilient configuration (secure boot)
configure terminal

! Hide the running IOS image from dir and protect it from
! erase by an attacker who has gained exec access
secure boot-image

! Take a secure archive of the running config on persistent
! storage so it can be restored after tampering
secure boot-config

! Verify the secured image and config archive
do show secure bootset
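Each section above changes one thing in the running-config, and the gaps that matter (a second VTY range left open to Telnet, a view-bound user logging in on a line without exec authorization, plaintext HTTP left on after CCP setup, secure boot never enabled) are all visible in `show running-config`. The following auditor is an added example, not code from the original post or from Cisco; it parses a constructed sample running-config modelled on the commands in this post (the password hashes are placeholders, and `line vty 5 15` is included as an assumed unhardened range) and reports which of the post's hardening steps are missing.

```python
"""Audit an IOS running-config for the hardening steps in this post.

Added example, not from the original post. SAMPLE_RUNNING_CONFIG is a
constructed sample that resembles the post's commands; hashes are placeholders.
"""
import re

# Constructed sample: vty 0 4 is locked down as in the post, but vty 5 15 was
# never touched, plaintext HTTP is on for CCP, and secure boot is absent.
SAMPLE_RUNNING_CONFIG = """\
aaa new-model
enable secret 5 $1$PLACEHOLDER$placeholderhash
username admin privilege 15 secret 5 $1$PLACEHOLDER$placeholderhash
username bob view help-desk privilege 15 secret 5 $1$PLACEHOLDER$placeholderhash
aaa authentication login VTY-Authen local
aaa authorization exec VTY-Author local
ip domain-name CBTNuggets.com
ip http server
ip http secure-server
ip http authentication local
parser view help-desk
 secret 5 $1$PLACEHOLDER$placeholderhash
 commands exec include all show ip
 commands exec include show version
 commands exec include show
 commands exec include logout
control-plane host
 management-interface FastEthernet2/0 allow ssh http https
line vty 0 4
 login authentication VTY-Authen
 authorization exec VTY-Author
 transport input ssh
line vty 5 15
 transport input all
"""

# The same sample with every finding fixed; audit() should return [] for it.
HARDENED_CONFIG = (
    SAMPLE_RUNNING_CONFIG.replace("ip http server\n", "")
    .replace("allow ssh http https", "allow ssh https")
    .replace("line vty 5 15\n transport input all\n",
             "line vty 5 15\n login authentication VTY-Authen\n"
             " authorization exec VTY-Author\n transport input ssh\n")
    + "secure boot-image\nsecure boot-config\n"
)

VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")
USER_VIEW_RE = re.compile(r"^username (\S+) view (\S+)")


def parse_sections(config_text):
    """Split a running-config into (header, [sub-lines]) pairs.

    A line with no leading whitespace opens a section; indented lines belong
    to the most recent section. Blank and '!' comment lines are dropped.
    """
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config_text):
    """Return a list of finding strings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    headers = [h for h, _ in sections]
    findings = []

    # Views and named method lists need AAA; enable password is reversible.
    if "aaa new-model" not in headers:
        findings.append("aaa new-model missing: views and named method lists are unusable")
    if any(h.startswith("enable password ") for h in headers):
        findings.append("enable password set: use enable secret (salted hash) instead")

    # A user bound to a view must reference a view that is actually defined.
    views = {h.split()[2] for h in headers if h.startswith("parser view ")}
    view_users = {}
    for h in headers:
        m = USER_VIEW_RE.match(h)
        if m:
            view_users[m.group(1)] = m.group(2)
    for user, view in view_users.items():
        if view not in views:
            findings.append(f"username {user}: bound to undefined view {view}")

    # Every VTY range must be SSH-only and run exec authorization; without the
    # latter a view-bound user gets an unrestricted privilege-15 shell.
    for header, body in sections:
        if not VTY_RE.match(header):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: no transport input, platform default may allow telnet")
        elif transport[-1] != "transport input ssh":
            findings.append(f"{header}: '{transport[-1]}' permits non-SSH access")
        if view_users and not any(b.startswith("authorization exec") for b in body):
            findings.append(f"{header}: no authorization exec, views bound to users are not applied")

    # Plaintext management protocols, globally and on the control-plane host.
    if "ip http server" in headers:
        findings.append("ip http server enabled: keep only ip http secure-server")
    for header, body in sections:
        if header != "control-plane host":
            continue
        for b in body:
            if b.startswith("management-interface") and " allow " in b:
                allowed = b.split(" allow ", 1)[1].split()
                if "http" in allowed or "telnet" in allowed:
                    findings.append(f"{b}: plaintext protocol allowed on management interface")

    # Resilient configuration (secure boot) shows up as two top-level lines.
    for cmd in ("secure boot-image", "secure boot-config"):
        if cmd not in headers:
            findings.append(f"{cmd} not configured")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print("FINDING:", finding)
    print("hardened sample findings:", audit(HARDENED_CONFIG))
```

Feed it the output of `show running-config` captured from a real device in place of the constructed sample. The VTY check is the one most often missed in practice: the post only touches `line vty 0 4`, so any further VTY range keeps whatever transport the platform defaulted to, and the view assigned to `bob` is only enforced on lines that run exec authorization.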

