Wednesday, 7 May 2014

AAA configuration on Cisco Router


Basic AAA configuration on Cisco Router
AAA stands for Authentication, Authorization and Accounting. It is a framework which controls the user access on the devices.

Authentication: It is used to check the identity of an user. It helps us in identifying the users and accordingly we can give access to them
Authorization: It controls the device access as per the user skill level. What access is given to which user. With this we can control access level of different users.  
Accounting: It is primarily used to log the activity of the users. This is very useful in auditing and billing purpose.
  Below are the AAA configuration on Cisco router and switches using Tacacs server. It doesn’t include the ACS configuration, it just explains the configuration required on the router and switches.
Step 1: Configure the Backup credentials. AAA doesn’t mean that we don’t require local credential. It is mandatory to have backdoor credentials so that we can access the devices when our AAA servers are down or unreachable.

 
Router(config)#username Admin password PowerKey
 

 Step 2: Configure Tacacs servers. We can configure multiple Tacacs server.
 
Router (config)#tacacs-server host 192.168.1.10 key mySecretkey1
Router (config)#tacacs-server host 192.168.1.11 key mySecretkey2
 

Step 3: Choose the correct interface to be a source of Tacacs packet. It may create problem if we have multiple interface configured on a router. Choose the interface which has the same IP as in AAA server.

 
Router (config)#ip tacacs source-interface loopback 0
 

Step 4: Check reachability of Tacacs server from router. If there is a firewall between the router and tacacs server then make sure that TCP port 49 is opened to allow tacacs traffic.
Router #ping 192.168.1.10
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step 5: Enable AAA on router globally.
 
Router (config)#aaa new-model
 

Step 6: Configure the Authentication methods. Below command is applying authentication on router login. Default keyword applies the method on all lines.
Group tacacs+ sending the authentication request to all configured AAA servers.

LOCAL keyword specifies that in case all of the configured tacacs servers become unreachable, user will be authenticated using local user database. This fail back mechanism is not applicable if the TACACS server is reachable via ping but not handling the request may be because of wrong KEY configured on device or due to internal ACS problem.

 
ROUTER(config)#aaa authentication login default group tacacs+ local
 

Step 7: It authorize all the commands entered in Config mode.

 
Router(config)# aaa authorization config-commands
 

Step 8: It checks the privilege level of the user from AAA server. Without this command user will login in user mode only.
 
Router (config)# aaa authorization exec default group tacacs+ local if-authenticated
 

Step 9: Below command provides authorization to the privilege 1 user.
 
Router (config)# aaa authorization commands 1 default group TACACS+ if-authenticated

Step 10: Below command authorize the Level 15 users. Each time user run a command, switch send the query to Tacacs server to check if the user is authorize for it.
 
Router (config)# aaa authorization commands 15 default group TACACS+ local if-authenticated

Step 11: It enable the accounting on all lines.
 
Router(config)# aaa accounting exec default start-stop group tacacs+
 

Step 12: It logs all the activity of level 1 user.

 
Router(config)# aaa accounting commands 1 default start-stop group tacacs+
 

Step 13: It logs all the activity of level 15 users.
 
Router(config)# aaa accounting commands 15 default start-stop group tacacs+
 

Step 14: Applying AAA authentication on VTY lines.

 
Router(config)# line vty 0 15
Router(config-line)# login authentication default
 

Step15. Verification: Try to access the device using Tacacs credential

 

 

SNMP configuration on H3C switches


Step1. Login to Switch with admin access. As soon as you enter your credential, you will be in user mode. In this mode you can only view the command output.

 
< H3C-Switch>
 

Step2. To make configuration changes you must enter in Systemview. It is similar to the exec mode of cisco switches. 

 
<H3C-Switch>system-view
System View: return to User View with Ctrl+Z.
[H3C-Switch]
 

Step3. Configure the Read only SNMP version 2 string. We can also configure the access list 2090 to restrict the snmp communication with specific hosts.

 
[H3C-Switch]snmp-agent community read Cisco acl 2091
 

Step4. Configure basic access list 2091 for snmp server 192.168.1.10.

 
[H3C-Switch]acl number 2091
[H3C-Switch-acl-basic-2090]rule 5 permit source 192.168.1.10 0
 

 Step4. Configure SNMP contact. It is an optional field.

 
[H3C-Switch]snmp-agent sys-info contact Network_Team
 

Step5. Configure the Device Location. It is an optional field. 

 
[H3C-Switch]snmp-agent sys-info location Lab
 

Step6. Enable SNMP version V2c on the switch.

 
[H3C-Switch]snmp-agent sys-info version v2c
 

Step7. Configure SNMP traps. In this example switch will use UDP to send traps to server 192.168.1.10 with snmp string trapstring using version V2c.

 
[H3C-Switch]snmp-agent target-host trap address udp-domain 192.168.1.10 params securityname trapstring v2c
 

 

Port channel configuration on H3C switches


This document explains the port-channel configuration on H3c 5920 switch.

To explain the configuration we have  configured two interfaces Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet1/0/2 in port-channel 1.

Step1.  Login to Switch with admin access.

< H3C-Switch>

Step2. To make configuration changes you must enter in Systemview.

<H3C-Switch>system-view
System View: return to User View with Ctrl+Z.
[H3C-Switch]

Step3. Go to interface Ten-GigabitEthernet1/0/1. Make sure that member port and bridge port (if already exist) will have same configuration. 

[H3C-Switch]interface Ten-GigabitEthernet1/0/1
[H3C-Switch-Ten-GigabitEthernet1/0/1]port link-aggregation group 1
[H3C-Switch-Ten-GigabitEthernet1/0/1]quit
[H3C-Switch]

 Step4. Configure the link-aggregation command in Ten-GigabitEthernet1/0/2 as well. 

[H3C-Switch]interface Ten-GigabitEthernet1/0/2
[H3C-Switch-Ten-GigabitEthernet1/0/2]port link-aggregation group 1
[H3C-Switch-Ten-GigabitEthernet1/0/2]quit
[H3C-Switch]

Step5. It will create an interface Bridge-Aggregation1 automatically. All the configuration command done in bridge aggregation port will be reflected in member ports.  

Configuration will vary as per the requirement. Configuration done on the Bridge aggregation will be replicated on the member ports automatically.

Note: Description command will not replicated to member ports. It has to be separately configured on member ports.

[H3C-Switch]interface Bridge-Aggregation11
[H3C-Switch-Bridge-Aggregation1]description  Node1
[H3C-Switch-Bridge-Aggregation1]port access vlan 100
[H3C-Switch-Bridge-Aggregation1]link-aggregation mode dynamic
[H3C-Switch-Bridge-Aggregation1]stp edged-port
[H3C-Switch-Bridge-Aggregation2]quit

[H3C-Switch]quit
<H3C-Switch>

Step6. Check the Bridge-Aggregation port status. 

<H3C-Switch>display interface Bridge-Aggregation1
Bridge-Aggregation1 current state: UP  ------<<<<<<<<<<<<<<<<<<<<<<<<
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: b8af-67b0-62df
Description: ### c-r15-04-01 prod ###
20Gbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
PVID: 44
Port link-type: access
 Tagged Vlan:   none
 UnTagged Vlan: 44      ------<<<<<<<<<<<<<<<<<<<<<<<<
Last clearing of counters: Never
Last 300 seconds input:  0 packets/sec 483 bytes/sec    0%
Last 300 seconds output:  15 packets/sec 13967 bytes/sec    0%
Input (total):  5593180175 packets, 3023094095318 bytes
            5589605028 unicasts, 435264 broadcasts, 3139675 multicasts
Input (normal):  5593179967 packets, - bytes
            5589605028 unicasts, 435264 broadcasts, 3139675 multicasts
Input:  0 input errors, 0 runts, 0 giants, 0 throttles
            0 CRC, 0 frame, - overruns, 0 aborts
            - ignored, - parity errors
Output (total): 9287004120 packets, 12729511609083 bytes
            9222258418 unicasts, 23921148 broadcasts, 40824554 multicasts, 0 pauses
Output (normal): 9287004120 packets, - bytes
        9222258418 unicasts, 23921148 broadcasts, 40824554 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
            0 aborts, 0 deferred, 0 collisions, 0 late collisions
            0 lost carrier, - no carrier
<H3C-Switch>display interface Bridge-Aggregation1 brief ---<<<<<<<<<<<<<<<<<
The brief information of interface(s) under bridge mode:
Link: ADM - administratively down; Stby - standby
Speed or Duplex: (a)/A - auto; H - half; F - full
Type: A - access; T - trunk; H - hybrid
Interface            Link Speed   Duplex Type PVID Description               
BAGG1                UP   20G(a)  F(a)   A    44   Node1 ### 


Enable SSH on CISCO router and switches


Configure SSH on Cisco Routers and Switches

The Secure Shell (SSH) is a protocol for secure remote login services over an insecure network. This document explains the procedure to configure SSH on Cisco Router and Switches. SSH is preferred over TELNET as it encrypts the communication between server and client and vice versa.

 Before enabling SSH, please make sure that you are able to access the device using telnet. It confirms that authentication credentials either via local username or AAA have been configured correctly.

 Step 1: Configure hostname of the router:

Router(config)#hostname R1

Step 2: Verify IOS for support SSH. Device should have a k9(crypto) software image as shown below:


R1 # show version
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 26-Jan-07 14:35 by kellythw
Image text-base: 0x10000000, data-base: 0x115C5630
ROM: 12.2(20r)EW1
Dagobah Revision 95, Swamp Revision 29
R1 uptime is 4 years, 15 weeks, 1 day, 22 hours, 33 minutes
System returned to ROM by power-on
System restarted at 15:30:21 met Fri Feb 6 2009
System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA1.bin" ----<<<<<

 You can also use the below command to check if router supports SSH or not:

 R1#sh ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH.  ----------------<<<<<<<<<<<<<<<<
Authentication timeout: 120 secs; Authentication retries: 3

 Step 3: Configure Domain name. It is required to generate the key. Use the ip domain-name command to configure the domain name.

 R1 (config)# ip domain-name lab.local

Step 4: Generate the RSA key using below command:

R1(config)#crypto key generate rsa
The name for the keys will be: R1.lab.local
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024 ---<<< Key length should be 1024 or 2048
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Switch(config)# May 25 11:50:29.631: %SSH-5-ENABLED: SSH 1.99 has been enabled ---<<<<< You will get this message if you are generating the key for the first time

 You can see the generated key using the below command:

R1#show crypto key mypubkey rsa
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local
 Storage Device: not specified
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B1953A
  7EDD950E BE52B486 646FCA59 4EFC4652 7DC277A8 400B14EE 8B72E51D C003218B
  FD57E400 069EEA52 F3FDBE69 CD1C6EC2 9055F11E 5F09D35A EE003292 A22AD9CA
  E23FA548 FA53E757 4C0EC4F8 80D71E01 A5EB29C9 083B0A8F 5C3E8BF8 C9CA6C1D
  83C64769 0C57BF12 E13D76E0 63D826CE F0A8B42D FB77455A A4115D48 67020301 0001
% Key pair was generated at: 12:04:12 UTC May 25 2013
Key name: R1.lab.local.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C57E1D 6B07B8B8
  4E0647E0 E210473A D92F99EB F264B9D1 BC2AE04D BFF59126 55FE58F0 8561E998
  1045D4F4 591E7032 4EC6A0A5 BA20B0A2 FF0D1269 76FEF992 41C24342 AFFB8838
  CEE5F80A B6540AEC 75F7D0A9 2A6A18F0 BDDA9683 A7FF58E6 1D020301 0001

 Note: You must have hostname and domain name configured before generating the rsa key.

 If you try to generate RSA key without configuring the hostname, you will get the below error:

Router(config)#crypto key generate rsa
% Please define a hostname other than Router.  -----<<<<<<<<<<<<<<<<<<<<<

If you try to generate RSA key without configuring the domain name, you will get the below error:

R1 (config)#crypto key generate rsa
% Please define a domain-name first. -----<<<<<<<<<<<<<<<<<<<<<

Step 5 : Verify SSH status:

R1#sh ip ssh
ssh Enabled - version 1.99 ---------<<<<<<<<<<<<<<<<<<<<
Authentication timeout: 120 secs; Authentication retries: 3

Step 6: Use IP SSH version command to change the SSH version:

R1(config)# ip SSH version 2

Step 7: Test the SSH access. If SSH access is successful then follow Step 8

Step 8: Enable SSH access only.

R1(config)#line vty 0 4 
R1(config-line)#transport input ssh