🔧 Basic Device Configuration and Security
1. Set Hostname: hostname <name>
○ Defines the device's hostname.
2. Enable Secret with SCRYPT: enable algorithm-type scrypt secret <password>
○ Sets the enable secret hashed with scrypt instead of the weaker default MD5 hash.
3. Encrypt Passwords: service password-encryption
○ Obfuscates plaintext line passwords in the configuration file (type 7 encoding, which is reversible; it only protects against casual viewing, not against anyone who obtains the config).
4. Disable DNS Lookup: no ip domain-lookup
○ Prevents the device from trying to resolve mistyped commands as hostnames.
5. Set Domain Name: ip domain-name <domain>
○ Configures the domain name, essential for SSH configuration.
6. Create User with Privilege Level and Password:
○ username admin privilege 15 algorithm-type scrypt secret <password>
○ Creates a user account with maximum privileges (15) and a secure password.
7. Configure SSH Access:
○ crypto key generate rsa modulus 1024
○ ip ssh version 2
○ line vty 0 4
○ transport input ssh
○ login local
○ exec-timeout <minutes>
8. Login Blocking: login block-for 180 attempts 4 within 120
○ Blocks login for 3 minutes after 4 failed attempts within 2 minutes.
9. Message-of-the-Day (MOTD) Banner: banner motd $Unauthorized access prohibited!$
○ Displays a warning message upon login.
10. Save Configuration: copy running-config startup-config
○ Saves the current configuration to NVRAM.
🔐 Console, VTY, and AUX Line Security
1. Console Line Security:
○ line console 0
○ password <password>
○ exec-timeout <minutes>
○ login
○ logging synchronous
2. VTY Line Security:
○ line vty 0 4
○ password <password>
○ exec-timeout <minutes>
○ login local
○ transport input ssh
3. Auxiliary Line Security:
○ line aux 0
○ password <password>
○ exec-timeout <minutes>
○ login
4. Privilege Level for VTY Lines:
○ line vty 0 4
○ privilege level 15
○ Places sessions on these lines directly into privileged EXEC mode (level 15) at login.
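An added example (not part of the original cheat sheet) that audits a running-config text against the Basic Device Configuration and line security checklists above: global items are matched with regular expressions, and the line con/vty/aux stanzas are checked for exec-timeout, ssh-only transport and login local. The sample config is constructed, the secret hashes are placeholders, and the finding names are the example's own.

```python
import re
# Constructed sample running-config (not from a real device), deliberately
# missing several checklist items so that the audit has something to report.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$hash
username admin privilege 15 secret 5 $1$placeholder$hash
ip ssh version 2
line con 0
line vty 0 4
 transport input telnet ssh
 login local
"""
# Global commands the checklist expects; type 9 is how IOS stores scrypt secrets.
GLOBAL_CHECKS = {
    "scrypt enable secret": r"^enable secret 9 ",
    "scrypt local user secret": r"^username \S+ .*secret 9 ",
    "service password-encryption": r"^service password-encryption$",
    "SSH version 2": r"^ip ssh version 2$",
    "login block-for": r"^login block-for \d+ attempts \d+ within \d+$",
    "MOTD banner": r"^banner motd ",
}

def line_blocks(config):
    """Map each 'line con/vty/aux ...' stanza to its indented subcommands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks

def audit(config):
    """Return the sorted list of checklist items the running-config fails."""
    findings = [f"missing: {name}" for name, pattern in GLOBAL_CHECKS.items()
                if not re.search(pattern, config, re.MULTILINE)]
    for line, cmds in line_blocks(config).items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{line}: no exec-timeout")
        if line.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{line}: transport input is not ssh-only")
            if "login local" not in cmds:
                findings.append(f"{line}: login local not set")
    return sorted(findings)
```

Feed it the output of show run; every finding maps back to one numbered item above.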
🔑 Advanced AAA Authentication
1. Enable AAA: aaa new-model
○ Activates AAA for authentication, authorization, and accounting.
2. TACACS+ Server Configuration:
○ tacacs-server host <IP> key <key>
○ aaa authentication login default group tacacs+ local
○ Authenticates logins against the TACACS+ server first and falls back to the local user database only if the server cannot be reached.
3. RADIUS Server Configuration:
○ radius-server host <IP> key <key>
○ aaa authentication login default group radius local
○ Same method list as above, with RADIUS as the primary method and local users as the fallback.
🔒 Port Security on Switches
1. Enable Port Security: switchport port-security
○ Activates port security on a switch interface.
2. Set Maximum MAC Addresses: switchport port-security maximum <number>
○ Restricts the number of MAC addresses allowed on the port.
3. Enable Sticky MAC: switchport port-security mac-address sticky
○ Enables dynamic learning and sticking of MAC addresses.
4. Set Violation Mode: switchport port-security violation restrict
○ Specifies the action taken when an unauthorized MAC address appears (protect, restrict, or shutdown).
5. Disable Unused Ports:
○ interface range F0/2-24, G0/2
○ shutdown
6. BPDU Guard: spanning-tree bpduguard enable
○ Error-disables an access port that receives a BPDU, so an unexpected switch cannot join the spanning tree through it.
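An added simulation (not Cisco code and not from the original page) of how the port-security settings above interact: the maximum count, sticky learning, and the protect/restrict/shutdown violation modes decide whether a frame is forwarded, dropped, or takes the port into err-disabled. Class and method names are the example's own.

```python
class SecurePort:
    """Model of one switchport with port-security enabled."""
    def __init__(self, maximum=1, violation="shutdown", sticky=True):
        self.maximum = maximum        # switchport port-security maximum <number>
        self.violation = violation    # switchport port-security violation <mode>
        self.sticky = sticky          # switchport port-security mac-address sticky
        self.secure_macs = []         # addresses currently bound to the port
        self.sticky_macs = []         # what sticky learning writes into the config
        self.violation_count = 0
        self.err_disabled = False

    def receive(self, src_mac):
        """Return 'forward', 'drop' or 'err-disabled' for a frame from src_mac."""
        if self.err_disabled:
            return "err-disabled"     # stays down until an admin recovers the port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)
            if self.sticky:           # learned address persists across reloads
                self.sticky_macs.append(src_mac)
            return "forward"
        # Limit reached and the source MAC is unknown: a security violation.
        if self.violation == "protect":
            return "drop"             # silently dropped, no counter, no syslog
        self.violation_count += 1     # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"             # port stays up for the known addresses
        self.err_disabled = True      # shutdown mode: whole port goes err-disabled
        return "err-disabled"

    def status(self):
        """Summary in the spirit of 'show port-security interface'."""
        return {"secure": len(self.secure_macs), "max": self.maximum,
                "violations": self.violation_count,
                "state": "err-disabled" if self.err_disabled else "secure-up"}
```

Comparing restrict and shutdown side by side shows why restrict is the usual choice on user ports: a rogue device is logged and blocked without taking the legitimate host offline.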
🖧 Network Time Protocol (NTP) and Syslog
1. Configure NTP Server: ntp server <IP>
○ Syncs device time with an NTP server.
2. Enable Syslog Logging: logging <IP>
○ Sends log messages to a Syslog server.
3. Set Log Timestamps: service timestamps log datetime msec
○ Adds timestamps to log messages for event tracking.
📜 Access Control Lists (ACLs)
1. Standard ACL:
○ access-list <number> permit <source> <wildcard>
○ access-list <number> deny <source> <wildcard>
2. Named Standard ACL:
○ ip access-list standard File_Server_Restrictions
○ permit host 192.168.20.4
○ permit host 192.168.100.100
○ deny any
3. Extended ACL:
○ access-list 100 deny tcp any host <destination> eq 80
○ access-list 100 permit ip any any
4. Named Extended ACL:
○ ip access-list extended ACL_NAME
○ deny tcp host 192.168.1.10 any eq ftp
○ permit ip any any
5. IPv6 ACL:
○ ipv6 access-list BLOCK_HTTP
○ deny tcp any host <IPv6 address> eq www
○ permit ipv6 any any
6. Apply ACL to Interface:
○ ip access-group <ACL number or name> {in | out}
○ Entered under the interface; every ACL ends with an implicit deny any, so traffic that matches no entry is dropped.
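An added evaluator (not from the original page) for the IPv4 ACL syntax used above: it parses standard and extended entries, expands wildcard masks, and applies first-match semantics with the implicit deny at the end. It covers only IPv4, contiguous wildcard masks and the few port names in its table; the packet values in the constants are constructed.

```python
import ipaddress
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23}  # subset of IOS names
ANY = ipaddress.ip_network("0.0.0.0/0")

def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of a subnet mask (0 bits must match).
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1]))
    net = ipaddress.ip_network(f"{tokens[i]}/{ipaddress.ip_address(netmask)}", strict=False)
    return net, i + 2

def parse_entry(line):
    """Return (action, protocol, src_net, dst_net, dst_port) for one ACL entry."""
    t = line.split()
    if t[1] in ("ip", "tcp", "udp", "icmp"):          # extended entry
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return t[0], t[1], src, dst, port
    src, _ = _parse_addr(t, 1)                          # standard entry: source only
    return t[0], "ip", src, ANY, None

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port=None):
    """Walk the ACL top to bottom; the first matching entry decides."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, p, src, dst, port = parse_entry(line)
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"    # implicit deny any at the end of every ACL

# The named ACLs from the section above, as lists of their entries.
FILE_SERVER_RESTRICTIONS = ["permit host 192.168.20.4", "permit host 192.168.100.100", "deny any"]
ACL_NAME = ["deny tcp host 192.168.1.10 any eq ftp", "permit ip any any"]
```

Running a planned ACL through a few representative flows before applying it with ip access-group is a cheap way to catch an entry ordered so that it never matches.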
🌐 Router and IP Configuration
1. Set Default Gateway: ip default-gateway <IP>
○ Configures the device’s gateway IP.
2. Static Route: ip route <destination network> <mask> <next hop>
○ Manually routes specific networks.
3. Subinterface for VLAN:
○ interface <interface>.<subinterface>
○ encapsulation dot1Q <VLAN ID>
○ ip address <IP> <mask>
4. OSPF Configuration:
○ router ospf 1
○ network <network IP> <wildcard> area 0
○ passive-interface <interface>
5. OSPF MD5 Authentication:
○ area 0 authentication message-digest
○ ip ospf message-digest-key 1 md5 <password>
○ The first command is entered under router ospf; the second under each OSPF-enabled interface, with the same key ID and key on both neighbors.
🔄 Spanning Tree Protocol (STP)
1. STP Root:
○ spanning-tree vlan <vlan id> root primary
○ Sets the switch as root bridge for a VLAN.
2. Enable PortFast: spanning-tree portfast
○ Reduces startup time on end-device interfaces.
3. Root Guard: spanning-tree guard root
○ Prevents unauthorized switches from becoming root.
🔐 VPN and IPsec Configuration
1. IKE Phase 1 Policy:
○ crypto isakmp policy <number>
○ encryption aes
○ authentication pre-share
○ group <group number>
2. IPsec Transform Set:
○ crypto ipsec transform-set <name> esp-aes esp-sha-hmac
3. Create Crypto Map:
○ crypto map <name> <number> ipsec-isakmp
○ set peer <IP>
○ set transform-set <transform set name>
4. Apply Crypto Map to Interface:
○ interface <interface>
○ crypto map <name>
🔍 Verification and Testing Commands
1. Show Running Configuration: show run
○ Displays the device’s running configuration.
2. Check Port Security: show port-security
○ Displays port security settings and violations.
3. Verify OSPF Neighbors: show ip ospf neighbor
○ Lists OSPF neighbor relationships.
4. Show IP Routes: show ip route
○ Displays the routing table.
5. View IPsec Security Associations: show crypto ipsec sa
○ Shows IPsec tunnel status.
6. Check NTP Status: show ntp status
○ Verifies NTP time synchronization.
7. SSH Verification: show ip ssh
○ Displays current SSH configuration.
8. Ping Test: ping <IP>
○ Tests reachability to another IP.