2009/11/17

Cisco Router notes




! If telnet is already configured and enabled, telnet to the router; otherwise connect to the console (serial) port

(I use putty for both)

myrouter> enable

myrouter# config terminal

! Enable type 6 (AES) encryption for keys stored in the config; this only takes effect once a master key has been set with "key config-key password-encrypt"
myrouter(config)# password encryption aes
! Obfuscate plaintext passwords in the config (type 7). Type 7 is a fixed-key XOR and is trivially reversible, so treat it as protection against shoulder-surfing only and use the "secret" forms (enable secret, username ... secret) for anything that matters
myrouter(config)# service password-encryption


! assign a domain name; this is a prerequisite for ssh key generation
myrouter(config)# ip domain-name mydomain.com

! initialize the authentication, authorization and accounting policy
myrouter(config)# aaa new-model

! configure the authentication source; in this case we'll use a local db
myrouter(config)# aaa authentication login default local

! configure the authorization source; the aaa policy is called "default"
myrouter(config)# aaa authorization exec default local

! create a user with a low privilege level (1, so enable is still needed to reach privileged exec) and a hashed password; "secret" stores a hash, whereas "password" stores a reversible type 7 string
myrouter(config)# username my-username privilege 1 secret my-password

! apply the policy to the vty
myrouter(config)# line vty 0 4
myrouter(config-line)# login authentication default
myrouter(config-line)# exit


! Generate the RSA host key (needs hostname and ip domain-name set first), then enable SSHv2 only (disables SSHv1).
! The key has to exist before IOS accepts "ip ssh version 2". 1024-bit RSA is no longer considered adequate; use at least 2048.

myrouter(config)# crypto key generate rsa general-keys modulus 2048
myrouter(config)# ip ssh version 2

! After verifying that ssh works, do this:
! Allow only SSH on the virtual terminals (disables telnet)

myrouter(config)# line vty 0 4
myrouter(config-line)# transport input ssh

! add this to the ACL on your wan interface; if your management addresses are known, replace "any" with them, since a non-standard port hides the service but does not restrict who can reach it
permit tcp any host (router-external-ip) eq (some-high-range-port)
! Add this static NAT to expose ssh externally on the high-range port
ip nat inside source static tcp (router-internal-ip) 22 interface FastEthernet0 (the-same-high-range-port)
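The `service password-encryption` and `username ... password` commands above store "type 7" strings. As an added example (not from the original notes, and not Cisco code), here is what that protection amounts to: a Python encoder/decoder for the type 7 format using the fixed key IOS uses, plus a scan over a constructed sample config (hypothetical hostname, username and values) that recovers every type 7 password in it. This is why the notes prefer `secret` for real credentials.

```python
import re

# Added example, not part of the original notes: encode, decode and hunt for
# Cisco "type 7" passwords, the form produced by `service password-encryption`.
# TYPE7_KEY is the fixed key IOS uses; the scheme is a plain XOR against it,
# so the result is reversible by anyone who can read the config.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample config (hypothetical values). "094F471A1A0A" is the
# widely published encoding of "cisco"; the second string was produced with
# type7_encode("s3cret", 2).
CONFIG_SAMPLE = """\
hostname myrouter
service password-encryption
enable password 7 094F471A1A0A
username my-username password 7 0215575819031B
line vty 0 4
 login authentication default
"""

# Matches "password 7 <hex>" and "key 7 <hex>" (tacacs/radius keys use the same scheme)
TYPE7_LINE_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string: a two-digit decimal key offset, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 0) -> str:
    """Produce the representation IOS would store; offset is the starting key index (0-15)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    out = [f"{offset:02d}"]
    for i, b in enumerate(plain.encode("ascii")):
        out.append(f"{b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def find_type7_secrets(config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 value found."""
    hits = []
    for line in config.splitlines():
        m = TYPE7_LINE_RE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


if __name__ == "__main__":
    for line, plain in find_type7_secrets(CONFIG_SAMPLE):
        print(f"{line!r} -> {plain!r}")
```

Run it against a saved `show run` to see how much of your config is one `show run` away from plaintext; anything it recovers should be moved to an `enable secret` or `username ... secret` line.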



How to copy the router config to an ssh server with scp:
enable
copy run scp://my-username:my-password@backuphostname//path/to/folder/$h-$t
! ($h expands to the hostname and $t to the timestamp)

! Or let the archive feature do it automatically:
config t
archive
path scp://my-username:my-password@backuphostname//path/to/folder/$h-config
! the write-memory option makes the archive feature save a copy of the config each time it is written to nvram (it appends an incrementing -# to the name)
write-memory
end
! Note that you may need the "file prompt quiet" command to stop the copy from prompting for confirmation.
! Note also that the backup username and password in the path appear in the config, so use a dedicated account on the backup host that can only write to that folder.

# now compare two configs:
show archive config diff system:running-config scp://my-username:my-password@backuphostname//path/to/folder/router-config-1
# now replace the running config with an archived one ("list" shows the commands being applied):
config replace scp://my-username:my-password@backuphostname//path/to/folder/router-config-1 list



# now log all config changes to syslog:
config t
archive
log config
logging enable
! suppress display of passwords in configuration logs
hidekeys
! enable sending of notifications of configuration changes to syslog
notify syslog
exit


#The ‘do’ command allows you to run exec level commands from config mode.

Examples:
Router(config)#do show run

# Enable syslog logging
my-router(config)# logging (my-syslog-server-ip)
! The level "notifications" will include emergencies(0), alerts(1), critical(2), errors(3), warnings(4), and notifications(5); but it will exclude informational(6) and debugging(7)
my-router(config)# logging trap notifications
# optionally specify on what interface the logging should originate
my-router(config)# logging source-interface f0/0
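With `notify syslog` on and `logging trap notifications`, every configuration command reaches the syslog server as a severity 5 PARSER message, which is what makes the change log worth watching. As an added example (not from the original notes), here is a small Python detector over constructed sample lines that approximate those messages (hypothetical users, addresses and commands; with `hidekeys` the secret is masked): it parses out user and command, and flags changes that undo the hardening above, such as re-enabling telnet on the vty, turning off `service password-encryption`, or adding a privilege 15 user.

```python
import re

# Constructed sample syslog lines, approximating the messages IOS emits with
# "archive / log config / notify syslog" (severity 5, so "logging trap
# notifications" forwards them). Users, addresses and commands are made up.
LOG_SAMPLE = """\
<189>Nov 17 2009 10:01:02: %PARSER-5-CFGLOG_LOGGEDCMD: User:my-username  logged command:interface FastEthernet0
<189>Nov 17 2009 10:01:05: %PARSER-5-CFGLOG_LOGGEDCMD: User:my-username  logged command:description uplink
<189>Nov 17 2009 10:02:10: %PARSER-5-CFGLOG_LOGGEDCMD: User:intruder  logged command:transport input telnet
<189>Nov 17 2009 10:02:12: %PARSER-5-CFGLOG_LOGGEDCMD: User:intruder  logged command:no service password-encryption
<189>Nov 17 2009 10:02:14: %PARSER-5-CFGLOG_LOGGEDCMD: User:intruder  logged command:username backdoor privilege 15 secret *****
<189>Nov 17 2009 10:03:00: %SYS-5-CONFIG_I: Configured from console by my-username on vty0 (192.0.2.10)
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# (rule name, pattern over the logged command). The first matching rule wins.
RISKY_RULES = [
    ("telnet-enabled", re.compile(r"^transport input\b.*\btelnet\b")),
    ("password-encryption-disabled", re.compile(r"^no service password-encryption$")),
    ("aaa-disabled", re.compile(r"^no aaa new-model$")),
    ("ssh-v2-only-disabled", re.compile(r"^(no ip ssh version 2|ip ssh version 1)$")),
    ("priv15-user-added", re.compile(r"^username \S+ privilege 15\b")),
    ("config-logging-disabled", re.compile(r"^no (archive|logging enable|notify syslog)\b")),
]


def parse_cfglog(line: str):
    """Return (user, command) for a config-log line, or None for any other message."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()


def detect_risky_changes(log_text: str) -> list[dict]:
    """Walk the log and report commands that weaken the hardening, with who ran them."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_cfglog(line)
        if parsed is None:
            continue
        user, cmd = parsed
        for rule, pat in RISKY_RULES:
            if pat.search(cmd):
                findings.append({"user": user, "cmd": cmd, "rule": rule})
                break
    return findings


def changes_by_user(log_text: str) -> dict:
    """Count logged configuration commands per user (useful as a baseline)."""
    counts = {}
    for line in log_text.splitlines():
        parsed = parse_cfglog(line)
        if parsed:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_risky_changes(LOG_SAMPLE):
        print(f"[{f['rule']}] {f['user']}: {f['cmd']}")
    print(changes_by_user(LOG_SAMPLE))
```

The rule list is deliberately short; the point is that each hardening command in these notes has a corresponding `no` form, and those are what to alert on. Pair the alert with the `show archive config diff` above to see the full change.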
