Category Archives: Cisco

Cisco switch Port-Channel (bonding)

A Cisco port-channel bundles several physical links into one logical link (link aggregation); with `mode active` the ports negotiate the bundle over LACP.

Switch#conf t
Switch(config)#interface range gi1/0/25-26
Switch(config-if-range)#channel-group 2 mode active
Switch(config-if-range)#exit

Global view:

Switch#show etherchannel summary

Detailed view for port-channel 2 (po2):

Switch#show etherchannel 2 detail

Details of ports included in port-channel (po2):

Switch#show etherchannel 2 port

Delete port-channel (po2), either with the full or the abbreviated interface name:

Switch#conf t
Switch(config)#no interface Port-channel2
Switch(config)#no int Po2

Cisco switch port monitoring / mirroring

The goal is to copy the traffic of one port, several ports or a VLAN to another port (a SPAN session).

First create the monitoring session (number 1) and define the source port (fa1/0/1), capturing traffic in both directions (both):

Switch(config)#monitor session 1 source interface fa1/0/1 both

Then define where the traffic of this session is copied to, by specifying the destination port (fa1/0/48):

Switch(config)#monitor session 1 destination interface fa1/0/48

Check monitoring session 1:

Switch(config)#do show monitor session 1

Delete the session:

Switch(config)#no monitor session 1

Linux tacacs+ authentication for Cisco devices

Prerequisites:
– you have already defined a local fallback user on your Cisco device in case authentication does not work
– in this case I have already configured SSH access

Part 1: configure the tacacs+ server on Debian Linux

Install package:

apt-get install tacacs+

Configure tacacs+ by editing the file /etc/tacacs+/tac_plus.conf:

###########################################################
# Default Config
###########################################################
# Shared secret: must match the key configured on the Cisco device
key = mysuperkeypriv
# Use the /etc/passwd file to do authentication
default authentication = file /etc/passwd
# Accounting records log file
accounting file = /var/log/tacacs/tac_acc.log

###########################################################
# Groups
###########################################################
# Network admins: everything permitted, privilege level 15
group = netadmin {
  default service = permit
  service = exec {
    priv-lvl = 15
  }
}
# Unprivileged users: everything denied unless a cmd block permits it
group = users {
  default service = deny
  service = exec {
    priv-lvl = 1
  }
}

###########################################################
# Netadmin users
###########################################################
user = superadmin {
  member = netadmin
}

###########################################################
# Unprivileged Users
###########################################################
# cmd blocks are evaluated top to bottom; the first regex matching
# the command arguments wins
user = albert {
  member = users
  cmd = show {
    deny ip
    deny tacacs
    permit .*
  }
  cmd = quit {
    permit .*
  }
  cmd = exit {
    permit .*
  }
  cmd = logout {
    permit .*
  }
  cmd = ssh {
    permit 192\.168\.1\.[0-9]+
    deny .*
  }
}
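As an added illustration (not part of the original post), a small Python model of how the cmd blocks above are evaluated for user albert. It assumes tac_plus's first-match-wins evaluation with an unanchored regex search over the command arguments, and a deny when a cmd block exists but nothing matches; the rule table is constructed by hand from the config, not parsed from the file.

```python
import re

# Constructed model of the page's tac_plus.conf (not parsed from the file).
# Each cmd block is an ordered list of (action, regex); tac_plus walks it
# top to bottom and the first regex found in the command arguments wins.
# Assumption: the search is unanchored, as with tac_plus regexec matching.
CMD_RULES = {
    "users": {
        "show": [("deny", r"ip"), ("deny", r"tacacs"), ("permit", r".*")],
        "quit": [("permit", r".*")],
        "exit": [("permit", r".*")],
        "logout": [("permit", r".*")],
        "ssh": [("permit", r"192\.168\.1\.[0-9]+"), ("deny", r".*")],
    },
    "netadmin": {},          # no cmd blocks: default service decides
}
DEFAULT_SERVICE = {"users": "deny", "netadmin": "permit"}
USERS = {"albert": "users", "superadmin": "netadmin"}


def authorize(user: str, command_line: str) -> str:
    """Return 'permit' or 'deny' for one command line typed by `user`.

    Mirrors the 'aaa authorization commands' exchange: the switch sends the
    command name and its arguments, the server answers from the matching
    cmd block or falls back to the group's default service.
    """
    group = USERS.get(user)
    if group is None:
        return "deny"                    # unknown user: nothing is authorized
    cmd, _, args = command_line.strip().partition(" ")
    rules = CMD_RULES[group].get(cmd)
    if rules is None:
        return DEFAULT_SERVICE[group]    # no cmd block for this command
    for action, pattern in rules:
        if re.search(pattern, args):
            return action                # first match wins
    return "deny"                        # cmd block present, nothing matched


if __name__ == "__main__":
    # "show interfaces description" is denied because the unanchored
    # regex "ip" matches inside the word "description".
    for who, line in [("albert", "show ip route"), ("albert", "show version"),
                      ("albert", "show interfaces description"),
                      ("albert", "ssh 192.168.1.5"), ("albert", "ssh 10.0.0.1"),
                      ("albert", "configure terminal"),
                      ("superadmin", "configure terminal")]:
        print(f"{who:<10} {line:<28} -> {authorize(who, line)}")
```

The `show interfaces description` case shows why `deny ip` is broader than it looks: anchor the regex (`^ip`) if only the `show ip ...` family is meant.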

Part 2: configure the Cisco device to use the tacacs+ server

Now configure AAA (authentication, authorization and accounting) against the server, keeping the local user as fallback if the server is unreachable:

tacacs-server host 192.168.1.12
tacacs-server key mysuperkeypriv
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local none
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

That's done!