
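########## ##########
### ROUTER COMMANDS ###
########## ##########
! Hashed privileged EXEC (enable) password
enable secret C1SCO
%
! Password login on the console, auxiliary and vty lines
line con 0
 password C1SCO
 login
%
line aux 0
 password C1SCO
 login
%
line vty 0 4
 login
 password C1SCO
%
! Obscure plaintext passwords in the configuration (type 7)
service password-encryption
%
! Local user with a hashed secret
username Bob secret 0 C1SCO
%
! Threshold of 5 failed login attempts, with a syslog message
security authentication failure rate 5 log
%
! Idle timeout of 2 minutes 30 seconds on each line
line con 0
 exec-timeout 2 30
%
line aux 0
 exec-timeout 2 30
%
line vty 0 4
 exec-timeout 2 30
%
! Move debug to privilege level 5 and set that level's enable secret
privilege exec level 5 debug
enable secret level 5 C1SCO
%
! Role-based CLI view limited to copy, traceroute and ping
aaa new-model
enable view
parser view HELPDESK
 secret 0 C1SCO
 commands exec include all copy
 commands exec include traceroute
 commands exec include ping
%
! Cisco IOS resilient configuration: protect the image and the configuration
secure boot-image
secure boot-config
%
! Login enhancements: block for 30 s after 5 failures within 10 s, with delay and logging
login block-for 30 attempts 5 within 10
login quiet-mode access-class 101
login delay 3
login on-failure log
login on-success log
%
! Message-of-the-day banner ($ is the delimiter)
banner motd $
%
! HTTP/HTTPS server with local authentication and a privilege 15 user
ip http server
ip http secure-server
ip http authentication local
username Bill privilege 15 secret 0 C1SCO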

%
! AAA authentication: default login list using the local database, followed by the aaa authentication keywords
aaa authentication login default local
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt
%
! Apply the method list console-in to the console
line console 0
 login authentication console-in
%
! CHAP authentication for PPP on a serial interface
int s3/0
 ppp authentication chap dial-in
%
! Command authorization for privilege levels 1 and 15
aaa authorization commands 1 Bill local
aaa authorization commands 15 Bob local
%
! Accounting to TACACS+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
%
! AAA debugging
debug aaa authentication
debug aaa authorization
debug aaa accounting
%
! TACACS+ server and shared key
tacacs-server host 192.168.10.75 single-connection
tacacs-server key shared1
%
! AutoSecure
auto secure
%
! SSH: domain name, RSA key pair, timeouts, SSH-only vty access
ip domain-name ciscopress.com
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 transport input ssh
%
! Display the router's RSA public key
show crypto key mypubkey rsa
%
! Compiled (Turbo) ACLs
access-list compiled
%
! Inbound filter on e0/1: deny and log the listed source networks
access-list 150 deny ip 12.1.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
interface e0/1
 ip access-group 150 in
%
! Outbound ICMP filter on e0/1
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any echo
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 12.2.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any log
interface e0/1
 ip access-group 114 out
%
! Restrict vty access to one host, SSH only
access-list 90 permit host 12.2.1.3 log
access-list 90 deny any log
line vty 0 4
 login authentication vty-sysadmin
 transport input ssh
 access-class 90 in
%
! Filter RIP routing updates with a distribute list
access-list 12 deny 12.2.2.0 0.0.0.255
access-list 12 permit any
router rip
 distribute-list 12 out
 version 2
 no auto-summary
 network 12.0.0.0
%
! CBAC inspection on interface S0
access-list 104 deny ip any any
access-list 103 permit tcp any any eq www
ip inspect name FWRULE tcp
interface S0
 ip access-group 103 out
 ip access-group 104 in
 ip inspect FWRULE out
%
! IKE phase 1 (ISAKMP) policy
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 128
 group 2
 lifetime 86400
%
! Pre-shared key, transform set, interesting traffic and crypto map
crypto isakmp key SECRET address 172.30.2.2
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto map ROUTER1_TO_ROUTER2 ipsec-isakmp
 set peer 172.30.2.2
 match address 101
 set transform-set MYSET
%
! Apply the crypto map to the interface and add a route to the remote network
interface serial 1/0
 crypto map ROUTER1_TO_ROUTER2
ip route 192.168.0.0 255.255.255.0 172.30.2.2
%
########## ##########
### SWITCH COMMANDS ###
########## ##########
%
! Access port (no trunking)
interface gigabitethernet 0/3
 switchport mode access
%
! 802.1Q trunk with DTP negotiation disabled
interface gigabitethernet 0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
%
! Non-default native VLAN on the trunk
interface gigabitethernet 0/5
 switchport trunk native vlan 400
%
! Root guard
interface gigabitethernet 0/6
 spanning-tree guard root

%
! BPDU guard
interface gigabitethernet 0/7
 spanning-tree portfast bpduguard
%
! DHCP snooping, with a trusted port
ip dhcp snooping
%
interface gigabitethernet 0/8
 ip dhcp snooping trust
%
! Dynamic ARP inspection on VLAN 100, with a trusted port
ip arp inspection vlan 100
%
interface gigabitethernet 0/9
 ip arp inspection trust
%
! SPAN session mirroring gi0/10 to gi0/11
monitor session 1 source interface gigabitethernet0/10
monitor session 1 destination interface gigabitethernet0/11
%
! VLAN access map forwarding Telnet to 10.1.1.2, applied to VLANs 1-100
access-list 100 permit tcp any host 10.1.1.2 eq telnet
vlan access-map ALLOWTELNET 10
 match ip address 100
 action forward
%
vlan filter ALLOWTELNET vlan-list 1-100
%
! Port security: at most 5 MAC addresses, protect on violation, static and sticky entries
interface gigabitethernet 0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
 switchport port-security mac-address 1234.1234.1234
 switchport port-security mac-address sticky
%
! Display port security status
show port-security
%
! RADIUS server and shared key
radius-server host 192.168.10.1
radius-server key RADIUS!123
%
