Mark Krawczyk - Router Running Config Example

! Last configuration change at 08:29:42 EST Mon Feb 20 2014 by mwk
! NVRAM config last updated at 08:29:43 EST Mon Feb 20 2014 by mwk
!
version 12.4
no service pad
!
service tcp-keepalives-in
service tcp-keepalives-out
(Send TCP keepalives on inbound and outbound sessions so that a hung connection, e.g. an SSH client that vanished, is detected and torn down instead of holding a VTY line open)
!
service timestamps debug datetime localtime show-timezone (used for logging: debug output carries the local date, time and zone)
service timestamps log datetime localtime show-timezone (used for logging: syslog messages carry the local date, time and zone)
service password-encryption (stores passwords and keys that would otherwise sit in the config in cleartext, such as the TACACS+ key below, as type 7 strings; type 7 is trivially reversible, so this only stops casual reading of the config and is no substitute for the type 5 secrets used below)
!
hostname MK_Router
!
!
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
(enable password set as a type 5 salted MD5 hash; preferred to enable password, which would be stored as a reversible type 7 string)
!
!!!!!!!!!!!!!!!!!!! TACACS+ SERVER NETWORK INFO !!!!!!!!!!!!!!!!!!!!!!
!
tacacs-server host 192.168.1.100 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
! Points the router to the TACACS+ server; the key is the secret shared by router and server
! (stored as a reversible type 7 string, so treat the config file itself as sensitive)
tacacs-server directed-request
!
! Lets a user log in as user@server to pick a specific TACACS+ server; only the part before the @ is sent as the username
tacacs-server administration
!
! Enables the handling of administrative messages by the TACACS+ daemon
!
!!!!!!!!!!!!!!!!!!!!!!!!! ENABLE TACACS+ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
aaa new-model
!
! Enables AAA globally; from here on every line is authenticated through an AAA method list (the named lists below, or the default list where none is applied)
!
!!!!!!!!!!!!!!!!!!!!!!!!!! DEFINE METHOD LIST !!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
aaa authentication login mwkacs group tacacs+ local enable
! Defines the login method list mwkacs: authenticate against the TACACS+ servers; the local username database and then the enable secret are tried only if the TACACS+ servers return an error (unreachable). A password rejected by TACACS+ does not fall through to local.
!
aaa authentication enable default group tacacs+ enable
! Users must authenticate to enter privileged mode: TACACS+ first, the enable secret only if the servers are unreachable
!
aaa authorization exec mwkacs group tacacs+ local
! Grants an EXEC shell only to users whose TACACS+ profiles carry administrative (shell) access; falls back to the local database if the servers are unreachable
!
aaa authorization commands 15 mwkacs group tacacs+ local none
! Method list authorizing each privilege-level-15 command against TACACS+; the trailing none means that if TACACS+ and the local method both return an error, the command runs without authorization (availability over control; drop none if commands must never run unauthorized)
!
aaa accounting exec mwkacs start-stop group tacacs+
!
! Enables accounting of EXEC sessions through TACACS+ (method list mwkacs)
! start-stop sends a "start accounting" record when the session opens and a "stop accounting" record when it ends
!
aaa accounting commands 15 mwkacs start-stop group tacacs+
!
! Enables accounting of every privilege-level-15 command, so the TACACS+ server holds a per-user command log
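The method lists above rely on a fallback rule that is easy to get wrong: IOS moves to the next method only when the current one returns an error (for example, the TACACS+ servers are unreachable), never when it returns a failure (the credentials were rejected). The Python model below is an added example, not code from the original page or from Cisco; the server table, local user table and passwords are constructed, and treating an unknown username in the local database as an error rather than a failure is an assumption of the model.

```python
"""Model of how IOS walks an AAA authentication method list.

Added example (not from the original page). Encodes the rule that the next
method is consulted only when the previous one returns ERROR (no usable
answer, e.g. server unreachable), never when it returns FAIL (credentials
rejected). All users, passwords and server state are constructed.
"""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed data standing in for the router's local database
# ("username NetAdmin secret 5 ...") and the enable secret.
LOCAL_USERS = {"NetAdmin": "local-pw"}
ENABLE_SECRET = "enable-pw"


def tacacs_method(user, password, server):
    """'group tacacs+': server is a constructed dict {'reachable': bool, 'users': {...}}."""
    if not server["reachable"]:
        return ERROR  # daemon unreachable: IOS moves on to the next method
    return PASS if server["users"].get(user) == password else FAIL


def local_method(user, password, server):
    """'local'. Assumption of this model: an unknown username is an ERROR
    (next method is tried); a known user with a wrong password is a FAIL."""
    if user not in LOCAL_USERS:
        return ERROR
    return PASS if LOCAL_USERS[user] == password else FAIL


def enable_method(user, password, server):
    """'enable': compare against the enable secret only."""
    return PASS if password == ENABLE_SECRET else FAIL


METHODS = {"group tacacs+": tacacs_method, "local": local_method, "enable": enable_method}

# The page's list: aaa authentication login mwkacs group tacacs+ local enable
MWKACS = ["group tacacs+", "local", "enable"]


def authenticate(method_list, user, password, server):
    """Return (verdict, deciding_method). PASS or FAIL from any method is
    final; only ERROR falls through. If every method errors, login fails."""
    for name in method_list:
        verdict = METHODS[name](user, password, server)
        if verdict != ERROR:
            return verdict, name
    return FAIL, "all methods returned ERROR"


if __name__ == "__main__":
    up = {"reachable": True, "users": {"mwk": "tacacs-pw"}}
    down = {"reachable": False, "users": {}}
    for label, args in [
        ("TACACS+ up, correct password", ("mwk", "tacacs-pw", up)),
        ("TACACS+ up, wrong password, local would match", ("NetAdmin", "local-pw", up)),
        ("TACACS+ down, local account", ("NetAdmin", "local-pw", down)),
        ("TACACS+ down, unknown user, enable secret", ("someone", "enable-pw", down)),
    ]:
        print(f"{label}: {authenticate(MWKACS, *args)}")
```

The second case is the one to remember: with the server up, a valid local password for NetAdmin is still rejected, because TACACS+ answered FAIL and the list stops there. Local credentials only matter once the server stops answering.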
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
no ip gratuitous-arps
no ip bootp server
no ip domain lookup
(Disable unused services: source-routed packets let a sender dictate the forwarding path, gratuitous ARPs and the BOOTP server are not needed here, and DNS lookup is off so a mistyped command is not sent out as a name query)
username NetAdmin secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
(create a unique local username with a type 5 hashed secret; this is the account the local fallback in the method lists and the console's login local resolve to, so it must exist before AAA is turned on or a TACACS+ outage locks you out)
!
interface Loopback0
ip address 10.1.3.252 255.255.255.255
(Defines the loopback interface and assigns an IP address; it never goes down, so TACACS+, syslog and NTP are sourced from it below)
!
interface Serial0/0
description *** WAN1 ***
ip address 10.1.1.26 255.255.255.252
ip access-group mark_filter out
(applies the named ACL mark_filter to traffic leaving the WAN interface)
!
interface FastEthernet0/1
description *** LAN Floor 1 ***
ip address 10.25.20.9 255.255.255.0
no ip proxy-arp (do not answer ARP requests on behalf of other hosts)
duplex auto
speed auto
!
router ospf 10
(enables the OSPF routing protocol; note that NO neighbor authentication is configured, so any host on the Serial0/0 or FastEthernet0/1 segment could form an adjacency and inject routes; area 0 authentication message-digest here, plus ip ospf message-digest-key on each OSPF interface, would close this)
router-id 10.1.3.26
log-adjacency-changes
network 10.1.1.24 0.0.0.3 area 0
network 10.25.20.8 0.0.0.3 area 0
!
!
no ip http server
no ip http secure-server
!
ip tacacs source-interface Loopback0 (bind TACACS to Loopback address)
!
ip access-list extended mark_filter
(extended named ACL: drops any traffic sourced from host 191.164.1.1 before it leaves Serial0/0; everything else is permitted)
deny ip host 191.164.1.1 any
permit ip any any
!
logging buffered 100000 informational (100000-byte buffer holding severity 6, informational, and above; the buffer is circular, so newer messages overwrite older ones once it is full)
logging trap notifications (severity 5, notifications: normal but significant conditions, and above are sent to the syslog servers)
logging source-interface Loopback0
logging 192.168.5.15
logging 192.168.5.10
(two syslog servers, reached from the Loopback0 address)
!
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 10.10.10.60 0.0.0.3
(standard ACL listing the management stations allowed to reach the VTY lines and the RW SNMP community; 0.0.0.3 is a wildcard mask covering 10.10.10.60 through 10.10.10.63)
access-list 111 permit ip 10.254.253.0 0.0.0.255 10.24.111.0 0.0.0.3 (extended ACL)
access-list 112 permit ip host 10.254.253.1 10.24.95.0 0.0.0.3 (extended ACL; neither 111 nor 112 is applied anywhere in this config)
!
snmp-server community xxxxxxxxxxxxxxxxxxxxxxxxxx RO
(read-only SNMP community string set; no access list is attached, so any host that can reach the router can poll it with the string)
snmp-server community xxxxxxxxxxxxxxxxxxxxxxxxxx RW 5
(read-write community restricted by access-list 5 to the management stations; SNMPv1/v2c community strings travel in cleartext, so SNMPv3 with authentication and privacy is preferable where the platform supports it)
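The wildcard masks in access-list 5 (and in the OSPF network statements above) are the inverse of subnet masks: a 1 bit means "do not care". The Python below is an added example, not from the page or from Cisco; it parses the page's own access-list 5, converts contiguous wildcards to CIDR, and evaluates candidate source addresses with first-match-wins and the implicit deny. The addresses it tests are constructed.

```python
"""Evaluate IOS wildcard masks and a standard numbered ACL offline.

Added example, not from the original page. ACL_5 is the page's own
access-list 5; the addresses tested in __main__ are constructed.
"""
import ipaddress

ACL_5 = """\
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 10.10.10.60 0.0.0.3
"""


def wildcard_match(addr, base, wildcard):
    """IOS semantics: wildcard bit 1 = don't care, 0 = must match.
    So addr matches iff (addr & ~wildcard) == (base & ~wildcard)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def wildcard_to_cidr(base, wildcard):
    """Translate base/wildcard to CIDR. Only contiguous low-order ones
    (0.0.0.3, 0.0.0.255, ...) map to a prefix; anything else is rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    return str(ipaddress.ip_network(f"{base}/{32 - host_bits}", strict=False))


def parse_standard_acl(text):
    """Return [(number, action, base, wildcard)] in config order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, src = parts[1], parts[2], parts[3]
        if src == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base = src
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"  # bare address = single host
        entries.append((number, action, base, wc))
    return entries


def acl_decision(entries, number, src):
    """First matching entry wins; an unmatched source hits the implicit deny."""
    for num, action, base, wc in entries:
        if num == number and wildcard_match(src, base, wc):
            return action
    return "deny (implicit)"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_5)
    for _, action, base, wc in acl:
        print(f"{action} {base} {wc} -> {wildcard_to_cidr(base, wc)}")
    for src in ("192.168.5.77", "10.10.10.60", "10.10.10.63", "10.10.10.64"):
        print(f"{src}: {acl_decision(acl, '5', src)}")
```

Run against the page's list, 10.10.10.63 is permitted and 10.10.10.64 is not; the same wildcard_match function tells you whether Serial0/0's 10.1.1.26 falls inside network 10.1.1.24 0.0.0.3.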
!
no cdp run
(Turn off CDP)
!
control-plane
!
!!!!!!!! Creates the MOTD banner, shown before the login prompt !!!!!!!!!!!!!!!!!
banner motd
******************Warning! Warning! Warning!***********************
This system is restricted to authorized users for business purposes only.
Unauthorized access is a violation of the law. This service may be monitored for
administrative and security reasons. By proceeding you consent to this monitoring.
*******************Warning! Warning! Warning!***********************
!
line con 0
exec-timeout 5 0
login local
(console: 5-minute idle timeout, authenticated against the local username database rather than TACACS+, so console logins are not accounted on the TACACS+ server; with aaa new-model in effect the line-level login local form is superseded by login authentication <list>, so check show running-config to confirm which list the console actually uses)
!
line aux 0
(AUX port left at its defaults; if no modem is attached, disable it with no exec and transport input none so it cannot be used as an unaudited way in)
!
!!!!!!!!!!!!!!!!!!!APPLY METHOD LIST TO VTY LINE !!!!!!!!!!!!!!!!!!!!!
!
line vty 0 4
access-class 5 in (only sources matching access-list 5 may open a session)
exec-timeout 5 0 (idle sessions are dropped after 5 minutes)
authorization commands 15 mwkacs (method list applied: each level-15 command is authorized by TACACS+)
authorization exec mwkacs (method list applied: shell access authorized by TACACS+)
accounting commands 15 mwkacs (method list applied: commands are logged to TACACS+)
accounting exec mwkacs (method list applied: session start and stop are logged to TACACS+)
login authentication mwkacs (method list applied: login authenticated by TACACS+, local fallback only when the servers are unreachable)
transport input ssh (allows SSH only, no telnet; adding ip ssh version 2 globally also refuses SSHv1 clients)
transport output none (no outbound telnet or SSH from this session to other network devices)
!
ntp source Loopback0
(NTP settings: time is taken from two servers and sourced from Loopback0, so the timestamps on the log and accounting records above line up across devices)
ntp server 10.1.2.25
ntp server 10.1.2.24
!
end
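Most of the controls called out in the annotations above (password encryption, HTTP server off, SSH-only VTYs behind an access-class, idle timeouts, an ACL on the SNMP community, OSPF authentication, an idle AUX port) can be checked mechanically from a saved show running-config. The Python audit below is an added example, not the page's own tooling or a Cisco product: CONFIG is a constructed, abridged version of this config with IOS's one-space child indentation restored and placeholder community strings, and the check strings are the standard IOS keywords.

```python
"""Offline audit of an IOS running-config for the controls this page highlights.

Added example, not the page's own tooling. CONFIG is a constructed, abridged
version of the page's config with IOS's one-space child indentation restored
and placeholder community strings.
"""
import re

CONFIG = """\
service password-encryption
aaa new-model
interface Serial0/0
 ip address 10.1.1.26 255.255.255.252
 ip access-group mark_filter out
router ospf 10
 router-id 10.1.3.26
 network 10.1.1.24 0.0.0.3 area 0
no ip http server
no ip http secure-server
snmp-server community RO-STRING RO
snmp-server community RW-STRING RW 5
line con 0
 exec-timeout 5 0
 login local
line aux 0
line vty 0 4
 access-class 5 in
 exec-timeout 5 0
 login authentication mwkacs
 transport input ssh
"""


def parse_sections(text):
    """Return (top_level_lines, {top_level_line: [child lines]})."""
    top, sections, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            top.append(parent)
            sections[parent] = []
    return top, sections


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(text)
    findings = []
    for need in ("service password-encryption", "aaa new-model",
                 "no ip http server", "no ip http secure-server"):
        if need not in top:
            findings.append(f"{need} missing")
    # OSPF neighbour authentication can live under the process (area N
    # authentication ...) or on the interfaces (ip ospf authentication ...).
    if_auth = any(c.startswith("ip ospf authentication")
                  for p, cs in sections.items() if p.startswith("interface") for c in cs)
    for parent, children in sections.items():
        if parent.startswith("router ospf") and not if_auth and not any(
                c.startswith("area ") and "authentication" in c for c in children):
            findings.append(f"{parent}: no OSPF authentication (area or interface level)")
        if parent.startswith("line ") and not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{parent}: no exec-timeout (IOS default of 10 minutes applies)")
        if parent.startswith("line vty"):
            if "transport input ssh" not in children:
                findings.append(f"{parent}: transport input is not SSH-only")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{parent}: no access-class restricting sources")
        if parent.startswith("line aux") and not (
                "no exec" in children or "transport input none" in children):
            findings.append(f"{parent}: AUX port left enabled with defaults")
    for line in top:
        # A trailing token after RO/RW is the access-list number guarding the community.
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$", line)
        if m and m.group(2) is None:
            findings.append(f"SNMP {m.group(1)} community has no access-list")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("FINDING:", finding)
```

On the excerpt above it reports exactly the gaps the annotations point at: OSPF without authentication, the RO community without an ACL, and the AUX line left at defaults; the console and VTY lines pass. Feed it the full show running-config output instead of CONFIG to run the same checks on a live device.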