1. Auto secure
Cisco also provides a One-Step Lockdown-like feature at the command line, called AutoSecure. It uses the command shown below:
auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
2. Change Site-to-Site VPN Idle Timeout to 5 Minutes
For IOS Router
R1(config)#crypto ipsec security-association idle-time 300
For ASA
ASA1(config)#group-policy GP_1.1.1.2 attributes
ASA1(config-group-policy)#vpn-idle-timeout 300
ASA1(config-group-policy)#vpn-session-timeout none
3. Find Cisco Devices Serial Number
Usually we can use the 'show version' command to find the serial number, but on Nexus you have to use 'show inventory' to get the chassis SN.
Nexus1# show inventory
NAME: "Chassis", DESCR: "Nexus5548 Chassis"
PID: N5K-C5548UP         , VID: V01 , SN: SSI163604J

NAME: "Module 1", DESCR: "O2 32X10GE/Modular Universal Platform Supervisor"
PID: N5K-C5548UP         , VID: V01 , SN: FOC1645D5F

NAME: "Fan 1", DESCR: "Chassis fan module"
PID: N5548P-FAN          , VID: N/A , SN: N/A

NAME: "Fan 2", DESCR: "Chassis fan module"
PID: N5548P-FAN          , VID: N/A , SN: N/A

NAME: "Power supply 1", DESCR: "AC power supply"
PID: N55-PAC-750W        , VID: V02 , SN: ART16310D6

NAME: "Power supply 2", DESCR: "AC power supply"
PID: N55-PAC-750W        , VID: V02 , SN: ART16310SQ

NAME: "Module 3", DESCR: "O2 Daughter Card with L3 ASIC"
PID: N55-D160L3-V2       , VID: V01 , SN: FOC1637NT8

NAME: "FEX 101 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
PID: N2K-C2248TP-1GE     , VID: V03 , SN: SSI1637FHK

NAME: "FEX 101 Module 1", DESCR: "Fabric Extender Module: 48x1GE, 4x10GE Supervisor"
PID: N2K-C2248TP-1GE     , VID: V03 , SN: FOC1645WH9

NAME: "FEX 101 Fan 1", DESCR: "Fabric Extender Fan module"
PID: N2K-C2248-FAN       , VID: N/A , SN: N/A

NAME: "FEX 101 Power Supply 1", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W      , VID: V04 , SN: LIT16390H9

NAME: "FEX 101 Power Supply 2", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W      , VID: V04 , SN: LIT16390HH

NAME: "FEX 102 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
PID: N2K-C2248TP-1GE     , VID: V03 , SN: SSI16390DJ
4. Show Commands Information
Show Version / Show Flash / Show Interfaces
Show processes CPU / Show memory / Show stacks / Show buffers
Show running-config / Show startup-config
Flash: IOS
RAM: All tables and the running configuration while the router is up. Contents are lost when power is removed.
ROM: POST, Bootstrap, Mini-IOS
NVRAM: Startup-config
5. SYSLOG Writing to Local Disk or Flash Card
The first attempt triggers a warning about the ratio between the total size and the per-file size; the command is then re-issued with a larger filesize, and 'show log' confirms that persistent logging is enabled.
Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 16384
%Warning: the ratio between logging persistent size and logging persistent filesize is 134217728/16384, suggested ratio is less than 196 in order to achieve good system performace
Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 1342177
Router#sh log
Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 8665 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: enabled, url disk0:/syslog, disk space 134217728 bytes, file size 1342177 bytes, batch size 4096 bytes

No active filter modules.

    Trap logging: level debugging, 8669 message lines logged
        Logging to 10.2.2.3  (udp port 514, audit disabled,
              link up),
              8668 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:
        Loopback0

Log Buffer (8192 bytes):
12 EST: %C7600_PLATFORM-SP-3-LOW_BATT: Low Voltage detected for NVRAM Battery
........[Omitted]
Router# copy disk0:/syslog ftp://myuser:[email protected]/syslog
6. Check Router Power Supply Status
In the output below, Internal Power Supply 2 reports a failed 12V output while everything else is normal.
Router#show environment
SYSTEM POWER SUPPLY STATUS
==========================
 Internal Power Supply 1 Type: AC
 Internal Power Supply 1 12V Output Status: Normal
 Internal Power Supply 2 Type: AC
 Internal Power Supply 2 12V Output Status: Fail

SYSTEM FAN STATUS
=================
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

SYSTEM TEMPERATURE STATUS
=========================
 Intake Left temperature: 25 Celsius, Normal
 Intake Right temperature: 22 Celsius, Normal
 Exhaust Right temperature: 29 Celsius, Normal
 Exhaust Left temperature: 31 Celsius, Normal
 CPU temperature: 24 Celsius, Normal
 Power Supply Unit 1 temperature: 24 Celsius, Normal

REAL TIME CLOCK BATTERY STATUS
==============================
 Battery OK (checked at power up)

CPU CORE TEMPERATURE STATUS
===========================
 CPU Core current reading, target = 24, reading = 62 : Normal
 CPU Core out of target history in past 1045868.0 mins:
   Consecutive out-of-range mins high water mark: 0.0
   Total minutes out-of-range: 0.0
   Last 5 minutes out-of-range: 0.0
   Last 5 minutes consecutive out-of-range: 0.0
   Last 5 minutes read failure count: 0

SYSTEM WATTAGE
===============
 Motherboard, EHWIC, PVDM, Power Supply and Fan Power consumption = 123.1 W
 Total System Power consumption is: 123.1 W

 Environmental information last updated 00:00:11 ago
7. Port-channel: Adding a VLAN Without Downtime
For trunk links, it is best to remove portfast and bpduguard from the interface configuration:
no spanning-tree portfast
no spanning-tree bpduguard enable
Always add or remove VLANs on the port-channel interface, since the individual physical links inherit the VLAN set automatically. If a VLAN is added to a physical layer-2 interface instead of the logical layer-2 port-channel, the etherchannel will go down.
For example, to add vlan 50 to etherchannel 3:
conf t
interface port-channel 3
switchport trunk allowed vlan add 50
end
Now check one of the physical member ports:
show run interface gi0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-49
switchport mode trunk
channel-group 3 mode on
The last line, "channel-group 3 mode on", indicates that this port is a member of etherchannel 3. If you try to add VLAN 50 to the etherchannel by adding it to the physical port Gi0/3 instead, the port will be removed from etherchannel 3 and spanning tree will reconverge, which is exactly the downtime you want to avoid.
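As an added example that is not part of the original post, the following Python check parses a running-config excerpt and flags any channel member whose allowed-VLAN set differs from its port-channel's, which is the mismatch described above. The config sample is constructed for the example.

```python
import re

# Constructed 'show running-config' excerpt (not from the original post): Gi0/3 had
# VLAN 50 added on the physical port, Gi0/4 still matches Port-channel3.
SAMPLE_CONFIG = """interface Port-channel3
 switchport trunk allowed vlan 2-49
 switchport mode trunk
interface GigabitEthernet0/3
 switchport trunk allowed vlan 2-50
 switchport mode trunk
 channel-group 3 mode on
interface GigabitEthernet0/4
 switchport trunk allowed vlan 2-49
 switchport mode trunk
 channel-group 3 mode on
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2-49,100,200-202' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {name: {'vlans': set, 'group': int or None}} per interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {"vlans": set(), "group": None})
        elif current is None:
            continue
        elif m := re.match(r"\s+switchport trunk allowed vlan (?:add )?([\d,-]+)", line):
            current["vlans"] |= expand_vlans(m.group(1))   # 'add' form is merged too
        elif m := re.match(r"\s+channel-group (\d+)", line):
            current["group"] = int(m.group(1))
    return interfaces

def find_vlan_mismatches(config):
    """Map each channel member to the VLANs on which it disagrees with its port-channel."""
    interfaces = parse_interfaces(config)
    mismatches = {}
    for name, data in interfaces.items():
        po = interfaces.get(f"Port-channel{data['group']}") if data["group"] else None
        diff = data["vlans"] ^ po["vlans"] if po else set()   # extra or missing VLANs
        if diff:
            mismatches[name] = diff
    return mismatches
```

Running find_vlan_mismatches(SAMPLE_CONFIG) reports only GigabitEthernet0/3, with VLAN 50 as the disagreement.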
8. Cisco Switch Lights Meaning
SYSTEM (SYST) Light
Overall status of the switch.
- Off: Switch is not powered on
- Green: Switch is working fine
- Amber: Switch is powered on but faulty
REDUNDANT POWER SUPPLY (RPS) Light
Provides backup power to the switch if the main supply goes off.
- Off: No RPS available
- Green: RPS is working fine
- Blinking Green: Providing backup to some other device
- Amber: RPS is faulty
- Flashing Amber: RPS is providing backup (primary power off)
DUPLEX
Duplex status of the switch ports.
- Off: Switch port is half duplex
- Green: Switch port is full duplex
UTIL
Utilization status of the switch ports.
SPEED
Speed status of the switch ports.
- Off: Switch port is operating at 10Mbps
- Green: Switch port is operating at 100Mbps
- Flashing green: Switch port is operating at 1000Mbps
STAT
Status of the switch ports.
- Off: No device connected/port is administratively down.
- Green: Device is connected.
- Blinking green: Port is sending/receiving data.
- Alternating green/amber: Fault in link / frames experiencing errors
- Amber: Port is blocked by Spanning Tree Protocol
9. Log Cisco Device Configuration Changes
9.1 Cisco Switches and Routers Commands:
enable
configure terminal
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end
Output from command 'show log':
000430: *Mar 9 22:28:47.046 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
000431: *Mar 9 22:29:49.936 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:archive
000432: *Mar 9 22:29:52.738 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:log config
000433: *Mar 9 22:29:56.966 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:logging enable
000434: *Mar 9 22:30:04.188 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:logging size 200
000435: *Mar 9 22:30:10.832 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:hidekeys
000436: *Mar 9 22:30:15.035 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:notify syslog
000437: *Mar 9 22:30:22.727 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
9.2 Cisco ASA
Syslog messages 111008 and 111010 log the commands entered by a user; 111010 is specifically for configuration changes. Here are the message definitions for your information:
111008: Message: %ASA-5-111008: User user executed the command string
Explanation: The user entered any command, with the exception of a show command.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8587071
111010: Message: %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd
Explanation: A user made a configuration change.
- username: The user making the configuration change
- application-name: The application that the user is running
- ip addr: The IP address of the management station
- cmd: The command that the user has executed
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8586950
You need to enable syslog at severity level 5 (notifications) to receive these messages. If you don't want to see any other logging, you can log only the above two syslog numbers by putting them in a logging list.
Also, rather than sending these as level 5 messages, this configuration sends level 3 messages.
logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes
Note: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
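As an added example, not part of the original post, here is a Python parser that turns the IOS messages from 9.1 (%PARSER-5-CFGLOG_LOGGEDCMD and %SYS-5-CONFIG_I) and the ASA 111008/111010 messages from 9.2 into one config-change audit trail. The IOS sample lines are taken from the 'show log' output above; the ASA lines are constructed, and the single-quoting of user and command in them is an assumption about the message format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample log lines: the two IOS lines follow the post's 'show log' output; the ASA
# lines are constructed to the 111008/111010 format (quoting assumed). Last line is noise.
SAMPLE_LOGS = """
000431: *Mar 9 22:29:49.936 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john logged command:archive
000437: *Mar 9 22:30:22.727 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
%ASA-5-111008: User 'john' executed the 'configure terminal' command.
%ASA-5-111010: User 'john', running 'CLI' from IP 192.168.0.176, executed 'logging enable'
Jan  1 00:00:00 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
"""

IOS_CMD = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+) logged command:(.*)")
IOS_CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+) on (\S+)(?: \(([\d.]+)\))?")
ASA_111008 = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '(.*)' command")
ASA_111010 = re.compile(r"%ASA-5-111010: User '([^']+)', running '([^']+)' from IP ([\d.]+), executed '(.*)'")

@dataclass
class ConfigEvent:
    platform: str             # "ios" or "asa"
    user: str
    source_ip: Optional[str]  # management station IP when the message carries one
    detail: str               # command executed, or the session that entered config mode

def parse_config_event(line: str) -> Optional[ConfigEvent]:
    """Turn one syslog line into a ConfigEvent, or None if it is not a config-change message."""
    if m := IOS_CMD.search(line):
        return ConfigEvent("ios", m.group(1), None, m.group(2).strip())
    if m := IOS_CONFIG_I.search(line):
        return ConfigEvent("ios", m.group(2), m.group(4), f"config mode via {m.group(1)}/{m.group(3)}")
    if m := ASA_111010.search(line):
        return ConfigEvent("asa", m.group(1), m.group(3), m.group(4))
    if m := ASA_111008.search(line):
        return ConfigEvent("asa", m.group(1), None, m.group(2))
    return None

def audit_trail(log_text: str) -> List[ConfigEvent]:
    """Extract every configuration-change event from a blob of syslog text, in order."""
    events = []
    for line in log_text.splitlines():
        ev = parse_config_event(line)
        if ev:
            events.append(ev)
    return events
```

Feeding a collector's export into audit_trail gives who changed what, from where, across both platforms; the %LINK-3-UPDOWN line is ignored because it is not a configuration change.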