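! ASA bootstrap: names, one interface, DHCP for INSIDE, default route, authenticated NTP, local SSH admin.
! @... tokens are placeholders; slash-separated values (OUTSIDE/INSIDE/DMZ, 1/100/70) are per-interface alternatives.
enable
conf t
domain-name @domain
! hostname and domain-name must exist before the RSA key is generated (the key pair is labelled with them).
hostname @hostnm
interface g1/X
nameif OUTSIDE/INSIDE/DMZ
! Lower level = less trusted; by default traffic is only initiated from a higher level toward a lower one.
security-level 1 /100/70
ip address @IP @MASK
no shutdown
dhcpd address @IP_LOW-@IP_HIGH INSIDE
dhcpd dns @IP_DNS interface INSIDE
dhcpd option 3 ip @IP_GATEWAY
dhcpd enable INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 @IP_PUB_REMOTE
! Authenticated NTP: the server entry must name the key, otherwise "ntp authenticate" has nothing to verify
! (the page defined the key and trusted it but did not attach it to the server).
ntp authenticate
ntp authentication-key @Nmb_key md5 @Pwd
ntp server @IP_NTP key @Nmb_key
ntp trusted-key @Nmb_key
! Local admin used by the LOCAL SSH method below. The page reuses @Pwd for both the NTP key and this account;
! give them different values.
username @user password @Pwd
aaa authentication ssh console LOCAL
! 2048-bit modulus; the page's 1024-bit key is below current minimum recommendations.
crypto key generate rsa modulus 2048
yes
! SSH only from the admin station, only on INSIDE, protocol version 2 only.
ssh @IP_ADMIN_STATION 255.255.255.255 INSIDE
ssh version 2
ssh timeout 20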
! Object NAT for the LAN behind INSIDE. "dynamic/static" and "interface @IP_PUB" are paired alternatives:
!   dynamic interface  -> PAT behind the OUTSIDE interface address
!   static @IP_PUB     -> one-to-one translation to a dedicated public address
configure terminal
object network @INSIDE-nat
subnet @IP_NETWORK_LAN @MASK_LAN
nat (inside,outside) dynamic/static interface @IP_PUB
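configure terminal
! Inbound policy on OUTSIDE is the OUTSIDE-TO-DMZ list and nothing more. The page bound NAT-IP-ALL
! ("permit ip any any") inbound on OUTSIDE, which let any external host reach every INSIDE/DMZ address and
! made the security levels and the OUTSIDE-TO-DMZ list (defined but never applied) meaningless.
! @port_admin is a placeholder for the admin-only port (the page called it @protocol, but "eq" takes a port).
access-list OUTSIDE-TO-DMZ extended permit tcp any host @IP_PUB_WEB eq @port
access-list OUTSIDE-TO-DMZ extended permit tcp host @IP_STATION_ADMIN host @IP_PUB_WEB eq @port_admin
! NOTE(review): on ASA 8.3+ ACLs are evaluated against the real (untranslated) address; if @IP_PUB_WEB is a
! static-NAT address the server's real DMZ address belongs here instead - confirm the software version.
access-group OUTSIDE-TO-DMZ in interface OUTSIDE
! DMZ -> INSIDE is denied by security level without an ACL. The any/any list is kept for the DMZ only as the
! page's lab shortcut; narrow it to what the DMZ hosts actually need.
access-list NAT-IP-ALL extended permit ip any any
access-group NAT-IP-ALL in interface DMZ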
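! Router-side site-to-site IPsec (IOS syntax): interesting traffic LAN_A <-> LAN_B, IKEv1 policy,
! IPsec proposal and the crypto map bound to the public interface. IOS ACLs use wildcard masks (@WC).
access-list @ID_ACL permit ip Network_LAN_A @WC Network_LAN_B @WC
crypto isakmp policy @ID
! "aes" takes a key length of 128, 192 or 256; the page's "aes 1024" is not a valid value.
encryption aes 256
! sha256 and DH group 14 replace SHA-1 and 1024-bit group 2, which are deprecated (IOS 15.x syntax);
! the peer's policy must match.
hash sha256
authentication pre-share
group 14
lifetime 1800
! @PSK is a placeholder for the pre-shared key (the page used the literal "keypassword").
crypto isakmp key @PSK address @IP_PUB_B
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
crypto map VPN-MAP @ID ipsec-isakmp
! Must name the ACL defined above; the page referenced @IP_ACL here, which nothing defines.
match address @ID_ACL
set transform-set VPN-SET
set peer @IP_PUB_B
set pfs group14
set security-association lifetime seconds 1800
! The map only takes effect once bound to the egress interface.
interface @int_PUB
crypto map VPN-MAP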
¶ IPSec VPN Between ASA and Router
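! ASA side of the ASA <-> router tunnel: local LAN 192.168.3.0/24, remote LAN 192.168.4.0/24, router peer 192.168.2.2.
! 3DES/MD5/group 2 are deprecated; they are kept only because the router side of this example uses them -
! change both ends together (e.g. AES-256 / SHA-2 / group 14). "crypto isakmp ..." is the pre-8.4 ASA syntax
! (8.4+ uses "crypto ikev1 ...") - confirm the version.
access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
! On the ASA the IKEv1 pre-shared key is set in the tunnel-group, which must be created with its type first;
! the page's "pre-shared-key" line carried no value. @PSK is a placeholder (the page used "sharedkey").
! NOTE(review): the page also had the legacy "crypto isakmp key ... address 192.168.2.2" form; it is left out here,
! add it back only if the running release still requires it.
tunnel-group 192.168.2.2 type ipsec-l2l
tunnel-group 192.168.2.2 ipsec-attributes
pre-shared-key @PSK
crypto isakmp enable outside
crypto ipsec transform-set ts esp-3des esp-md5-hmac
! One map named "vpn", sequence 10. The page wrote the entries as "vpn10" but bound "vpn" to the interface,
! so the binding referred to a map with no entries.
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 192.168.2.2
crypto map vpn 10 set transform-set ts
crypto map vpn interface outside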
! Router side of the ASA <-> router tunnel: local LAN 192.168.4.0/24, remote LAN 192.168.3.0/24, ASA peer 192.168.1.2.
! Interesting traffic is the mirror image of the ASA's "vpn" ACL, written with IOS wildcard masks.
ip access-list extended vpn
permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
! Phase-2 proposal, defined before the map that references it.
crypto ipsec transform-set ts esp-3des esp-md5-hmac
! Phase-1 (IKEv1) policy; must match the ASA's policy 1. 3DES/MD5/group 2 are deprecated - change both ends together.
crypto isakmp policy 10
encryption 3des
hash md5
authentication pre-share
group 2
crypto isakmp key sharedkey address 192.168.1.2
! Crypto map: peer, proposal and traffic selector for this tunnel.
crypto map vpn 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address vpn
! Bound to the egress interface; nothing is negotiated until this is done.
interface FastEthernet0/0
crypto map vpn
¶ VLAN Modification and Deletion
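# Remove a port's access-VLAN assignment (interface mode), delete a VLAN (global config), wipe the VLAN database (EXEC).
Switch(config-if)# no switchport access vlan
# "no vlan" is a global-configuration command; the page showed it at the Switch# prompt.
Switch(config)# no vlan vlan-id
# "delete" is a privileged-EXEC command, not a configuration command; the page showed it at the (config)# prompt.
Switch# delete flash:vlan.dat
# Or
Switch# delete vlan.dat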
# Trunk port: trunking mode, native VLAN and the VLANs allowed across it, then verification and the undo commands.
Switch# configure terminal
Switch(config)# interface @interface_name @id
Switch(config-if)# switchport mode trunk
# Native VLAN carries untagged frames; use the same value on both ends and keep it off the VLANs that hosts use.
Switch(config-if)# switchport trunk native vlan vlan-id
# Restrict the trunk to the VLANs that actually need to cross it.
Switch(config-if)# switchport trunk allowed vlan vlan-list
Switch(config-if)# end
Switch# show interfaces interface-id switchport
# Undo: revert the allowed list and the native VLAN to their defaults.
Switch(config)# interface interface-id
Switch(config-if)# no switchport trunk allowed vlan
Switch(config-if)# no switchport trunk native vlan
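# Rapid PVST+ with an explicit root: Switch1 primary, Switch2 secondary, for VLANs 1-1000.
Switch(config)# spanning-tree mode rapid-pvst
Switch1(config)# spanning-tree root vlan 1-1000 primary
Switch2(config)# spanning-tree root vlan 1-1000 secondary
# PortFast on a host-facing access port. Interfaces are selected by @id as on the other lines of this page
# (the page's placeholder here was "@ip").
Switch(config)# interface @interface_name @id
Switch(config-if)# spanning-tree portfast
# Edge-port protection on a range: root guard blocks a port that receives a superior BPDU, BPDU guard err-disables
# a PortFast port that receives any BPDU. Put these on host/edge ports, not on the uplinks toward the root.
Switch(config)# interface range @iface@id - @iface@id
Switch(config-if-range)# spanning-tree guard root
Switch(config-if-range)# spanning-tree bpduguard enable
# Link type: shared (half-duplex / hub) or point-to-point (full-duplex, allows rapid transition).
Switch(config-if-range)# spanning-tree link-type shared
# or
Switch(config-if-range)# spanning-tree link-type point-to-point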
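# EtherChannel between Switch1 and Switch2, PAgP and LACP variants, then the port-channel interface itself.
# channel-group is an interface(-range) command, so every line below it stays at the (config-if-range)# prompt;
# the page showed the LACP channel-group lines at the global prompt and used (config-if)# after "interface range".
# PAgP: desirable <-> auto.
Switch1(config)# interface range @iface@id - @iface@id
Switch1(config-if-range)# switchport mode trunk
Switch1(config-if-range)# switchport trunk native vlan X
Switch1(config-if-range)# channel-group 1 mode desirable
Switch2(config)# interface range @iface@id - @iface@id
Switch2(config-if-range)# switchport mode trunk
Switch2(config-if-range)# switchport trunk native vlan X
Switch2(config-if-range)# channel-group 1 mode auto
# LACP: active <-> passive (active on both ends also forms the bundle).
Switch1(config)# interface range @iface@id - @iface@id
Switch1(config-if-range)# switchport mode trunk
Switch1(config-if-range)# switchport trunk native vlan X
Switch1(config-if-range)# channel-group 1 mode active
Switch2(config)# interface range @iface@id - @iface@id
Switch2(config-if-range)# switchport mode trunk
Switch2(config-if-range)# switchport trunk native vlan X
Switch2(config-if-range)# channel-group 1 mode passive
# Port-channel interface: its trunk settings must match the member ports or the bundle will not come up.
Switch1(config)# interface port-channel 1
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk native vlan X
Switch2(config)# interface port-channel 1
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk native vlan X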
# Two VLANs, one SVI per VLAN as the default gateway, one access port per VLAN, then inter-VLAN routing.
Switch# configure terminal
Switch(config)# vlan vlan-id
Switch(config-vlan)# name vlan-name
Switch(config)# vlan vlan-id2
Switch(config-vlan)# name vlan-name2
# SVIs: the gateway address of each subnet lives on the switch.
Switch(config)# interface vlan vlan-id
Switch(config-if)# description default gateway SVI for @res/@mask
Switch(config-if)# ip add @ip @mask
Switch(config-if)# no shut
Switch(config)# interface vlan vlan-id2
Switch(config-if)# description default gateway svi for @res2/@mask2
Switch(config-if)# ip add @ip2 @mask2
Switch(config-if)# no shut
# Access ports, one per VLAN.
Switch(config)# interface interface-id
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-id
Switch(config-if)# no shut
Switch(config)# interface interface-id2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan-id2
Switch(config-if)# no shut
# Routing between the SVIs.
Switch(config)# ip routing
# Type-7 obfuscation of plaintext passwords in the configuration; it is reversible, so it does not replace "secret".
Switch(config)# service password-encryption
¶ Task: Hash the enable secret with a strong algorithm
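# A device has a single enable secret. The page followed the scrypt-hashed line with "enable secret password",
# which replaced it with the weak secret "password" stored as a type-5 (MD5) hash. Keep only the scrypt form.
# @ENABLE_SECRET is a placeholder (the page used "cisco12345cisco").
Switch(config)# enable algorithm-type SCRYPT secret @ENABLE_SECRET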
¶ Task: Create local user with max rights and secure password
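# Minimum length is enforced when a password or secret is created, so set it before the user (the page set it
# afterwards). The full keyword is "passwords"; the page's "password" works only as an abbreviation.
Switch(config)# security passwords min-length 10
# Privilege-15 local admin with a scrypt-hashed secret. @USER_SECRET is a placeholder (the page used "cisco12345cisco").
Switch(config)# username bob privilege 15 algorithm-type SCRYPT secret @USER_SECRET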
¶ Task: Disable DNS lookup for unknown commands
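# Disable DNS resolution of mistyped commands at the CLI.
Switch(config)# no ip domain-lookup
# Login throttling: after y failed attempts within z seconds, refuse logins for x seconds.
# The keyword is "block-for"; the page's "block for" is not accepted.
Switch(config)# login block-for x attempts y within z
Switch(config)# aaa new-model
# RADIUS server definition. @RADIUS_KEY is a placeholder for the shared secret (the page used the literal "password").
Switch(config)# radius server RADIUS
Switch(config-radius)# address ipv4 X.X.X.X auth-port 1812 acct-port 1813
Switch(config-radius)# key @RADIUS_KEY
# Local-only login method list. NOTE(review): nothing on the page references the RADIUS server from a method list
# (e.g. "group radius local"), and the list is not applied to the vty lines with "login authentication SSH-LOCAL" -
# confirm both elsewhere in the configuration.
Switch(config)# aaa authentication login SSH-LOCAL local
# 802.1X on an access port. NOTE(review): port-control takes effect only with "dot1x system-auth-control" globally
# and "dot1x pae authenticator" on the port, neither of which the page shows - confirm they are set.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# authentication port-control auto
Switch(config)# dot1x guest-vlan supplicant
Switch# show authentication interface GigabitEthernet0/1
# The page repeated the "username bob ..." line here; the account is created once in the local-user task above.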