05-17-2010 11:47 PM - edited 03-06-2019 11:08 AM
Hi,
I have a main router, a Cisco 3825 VO4, and a main switch, a C3560 48P,
and you will see here the running configuration of the router.
Please can you tell me your opinion on this scenario,
and if you can, give me any concepts or ideas to improve it.
show run
Building configuration...
!
version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime
service password-encryption
service compress-config
!
hostname mainRouter
!
boot-start-marker
boot system flash c3825-advsecurityk9-mz.124-22.T.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
no logging buffered
enable secret 5 ##############
!
aaa new-model
!
!
aaa authentication login TEMP group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default
action-type start-stop
group tacacs+
!
aaa accounting commands 1 default
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+
!
aaa accounting system default
action-type start-stop
group tacacs+
!
!
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name mydomain.com
ip name-server (IP of Internet Server)
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-#########
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-#########
revocation-check none
rsakeypair TP-self-signed-#########
!
!
crypto pki certificate chain TP-self-signed-##########
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32343035 39353035 3533301E 170D3039 30323039 31303036
34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
ets….
!
!
archive
log config
logging enable
hidekeys
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
crypto isakmp key ############# address (Location2) no-xauth
!
!
crypto ipsec transform-set AES ah-sha-hmac esp-aes 256
!
crypto ipsec profile Main-location-to-location2-GRE-IPSec
set transform-set AES
!
!
!
ip tcp synwait-time 10
ip telnet source-interface GigabitEthernet0/1.8
ip ssh source-interface Tunnel0
ip ssh logging events
ip ssh version 2
ip scp server enable
!
!
!
interface Loopback0
ip address 10.0.0.254 255.255.255.248
!
interface Tunnel0
description - GRE/IPSec Tunnel to location2
ip address 10.0.0.15 255.255.255.252
tunnel source (Main-location-IP)
tunnel destination (location2-IP)
!
interface GigabitEthernet0/0
description - fibre link to My ISP
no ip address
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/0.444
description - MPLS VLAN 444
encapsulation dot1Q 444
ip address (Real IP 1)
ip flow ingress
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.461
description - VPN VLAN 461
encapsulation dot1Q 461
ip address (Real IP 2)
!
interface GigabitEthernet0/1
description - Main Router to main Switch
no ip address
ip nbar protocol-discovery
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1.8
encapsulation dot1Q 8
ip address (Real IP)
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 10
ip address 10.0.0.12 255.255.255.252
!
interface Group-Async0
physical-layer async
no ip address
encapsulation slip
no group-range
!
router eigrp 1
redistribute ospf 1 metric 1 1 1 1 1 route-map OSPF2EIGRP
passive-interface GigabitEthernet0/0.444
passive-interface GigabitEthernet0/1.8
network 10.0.0.14 0.0.0.3
auto-summary
!
router ospf 1
router-id 10.0.0.254
log-adjacency-changes
redistribute eigrp 1 metric 10 subnets route-map EIGRP2OSPF
redistribute bgp 64917 metric 10 subnets route-map BGP2OSPF
network 10.0.0.12 0.0.0.0 area 1
!
router bgp 64917
no synchronization
bgp log-neighbor-changes
redistribute ospf 1 route-map OSPF2BGP
neighbor (Real IP) remote-as 65000
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 (IP of ISP)
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip tacacs source-interface Tunnel0
!
ip access-list standard Group1
permit (Some IPs)
deny any
ip access-list standard Group2
permit (Some IPs)
deny any
ip access-list standard Group3
permit (Some IPs)
deny any log
ip access-list standard Group4
permit (Some IPs)
deny any log
!
logging trap debugging
logging facility local4
logging source-interface Tunnel0
!
!
!
route-map BGP2OSPF permit 10
match ip address Group1
!
route-map OSPF2BGP permit 10
match ip address Group3
!
route-map OSPF2EIGRP permit 10
match ip address Group3
!
route-map EIGRP2OSPF permit 10
match ip address Group2
!
!
tacacs-server host (tacacs-Server-IP) key 7 ###############
!
control-plane
!
!
line con 0
login authentication TEMP
transport output telnet
line aux 0
login authentication TEMP
transport output telnet
line vty 0 4
access-class Group4 in
login authentication TEMP
transport input telnet ssh
line vty 5 15
access-class Group4 in
login authentication TEMP
transport input telnet ssh
!
scheduler allocate 20000 1000
end
05-17-2010 11:52 PM
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaand what are you trying to do/achieve? You provided a config (thank you, by the way) but that's it? As far as I can see it's "ok" if you don't want to run encryption across your WAN links.
05-18-2010 12:18 AM
Thank you for that.
About "encryption across your WAN links":
yes, I hope for that.
Please give me your ideas for encryption across the WAN.
Thanks
05-18-2010 12:34 AM
Try these:
Configuring a Virtual Tunnel Interface with IP Security
http://www.cisco.com/en/US/customer/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
GRE Tunnel with VRF Configuration Example
http://www.cisco.com/en/US/customer/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
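Added example, not from the original post or the replies: in the running config above, the profile Main-location-to-location2-GRE-IPSec is defined but never bound to Tunnel0, so the GRE tunnel (which the config also uses as the source for TACACS+, syslog and SSH) runs in the clear. The lines below reuse the posted names and placeholders and assume the peer at (location2-IP) is configured with a matching profile; the NAT caveat is a general IPsec fact, not something the thread states.

```cisco
! Option 1: keep GRE over IPsec (EIGRP/OSPF keep running over the tunnel)
! and bind the existing profile, which pulls in isakmp policy 10 and
! transform-set AES from the posted config.
interface Tunnel0
 description - GRE/IPSec Tunnel to location2
 ip address 10.0.0.15 255.255.255.252
 tunnel source (Main-location-IP)
 tunnel destination (location2-IP)
 tunnel protection ipsec profile Main-location-to-location2-GRE-IPSec
!
! Option 2: plain IPsec VTI (the first link in the reply above). Drops the
! GRE header; same profile, and the transform set must stay in tunnel mode
! (the default) on both ends.
interface Tunnel0
 description - IPsec VTI to location2
 ip address 10.0.0.15 255.255.255.252
 tunnel source (Main-location-IP)
 tunnel destination (location2-IP)
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Main-location-to-location2-GRE-IPSec
!
! Caveat: the posted transform set uses ah-sha-hmac. AH authenticates the
! outer IP header, so it breaks if either endpoint sits behind NAT. In that
! case carry integrity in ESP instead and keep the same set name:
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac
!
! Verify after applying (expected results in the comments):
! show crypto isakmp sa      -> one SA to (location2-IP) in state QM_IDLE
! show crypto ipsec sa       -> pkts encaps/decaps counters increasing
! show crypto session        -> session status UP-ACTIVE for Tunnel0
```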