Config templates for CML test labs (2021/12/31 edition)
I previously wrote the note below.
Here I am recording again the "test config templates" for each device.
Initial settings
IOSv
enable
terminal length 0
configure terminal
no banner exec ^C
no banner incoming ^C
no banner login ^C
!
end

IOS-XE
To change the license and throughput level, run the following.

configure terminal
license boot level network-premier addon dna-premier
end
write memory
reload

configure terminal
platform hardware throughput level MB 250
!
end
write memory

Remove or adjust the settings below as needed.
- crypto pki related settings: remove
- call-home settings: remove
- line vty 0 4 settings: make them uniform (by default, for some reason, only line vty 2 has length 0, which makes the config longer...)

enable
terminal length 0
configure terminal
no crypto pki certificate chain SLA-TrustPoint
yes
no crypto pki trustpoint SLA-TrustPoint
yes
!
no call-home
!
line vty 0 4
 login
 length 0
 transport input ssh
!
end

Cisco ASAv
On the ASAv, the hostname cannot be set to ASAv.

ciscoasa(config)# hostname ASAv
ERROR: Invalid hostname: 'ASAv'
INFO: A hostname cannot be the same as Product-ID when using Smart Licensing.

Also, if the security-level of Management0/0 is set to anything other than 100, TELNET access is not possible, so it is set to 100.
hostname ASAv1
!
enable password admin
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
clock timezone JST 9
!
dns domain-lookup management
dns server-group DefaultDNS
 name-server 1.1.1.1 management
 name-server 1.0.0.1 management
!
no pager
!
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
!
route management 0.0.0.0 0.0.0.0 10.0.0.254
!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
!
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 60
!
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 0.0.0.0 0.0.0.0 management
!
console timeout 60
!
ntp server 162.159.200.123 source management prefer
ntp server 162.159.200.1 source management
!
username admin password admin privilege 15
!
fixup protocol icmp
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
no service call-home
clear config call-home
!
end

Cisco IOSv
An example config is as follows.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
hostname IOSv
!
logging buffered 65536 debugging
!
aaa new-model
!
clock timezone JST +9
!
ip vrf management
!
no ip domain lookup
ip domain name example.local
ip name-server vrf management 1.1.1.1
ip name-server vrf management 1.0.0.1
!
username admin password admin
!
interface GigabitEthernet0/0
 ip vrf forwarding management
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
ip route vrf management 0.0.0.0 0.0.0.0 10.0.0.254
ip ssh version 2
!
no banner exec ^C
no banner incoming ^C
no banner login ^C
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
 transport input all
!
ntp server vrf management 162.159.200.1
ntp server vrf management 162.159.200.123 prefer
!
crypto key generate rsa modulus 2048
!
end

Cisco IOSvL2
Identical to IOSv except that the management interface is set to no switchport.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
hostname IOSvL2
!
logging buffered 65536 debugging
!
aaa new-model
!
clock timezone JST +9
!
ip vrf management
!
no ip domain lookup
ip domain name example.local
ip name-server vrf management 1.1.1.1
ip name-server vrf management 1.0.0.1
!
username admin password admin
!
interface GigabitEthernet0/0
 no switchport
 ip vrf forwarding management
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
ip route vrf management 0.0.0.0 0.0.0.0 10.0.0.254
ip ssh version 2
!
no banner exec ^C
no banner incoming ^C
no banner login ^C
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
 transport input all
!
ntp server vrf management 162.159.200.1
ntp server vrf management 162.159.200.123 prefer
!
crypto key generate rsa modulus 2048
!
end

Cisco IOS-XE (CSR1000v)
The CSR1000v (IOS-XE) config is almost entirely shared with IOSv. There are subtle differences, such as "if ip name-server vrf management is defined on multiple lines, they are merged into a single line", but the config can largely be reused as is.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
hostname CSR1000v
!
logging buffered 65536 debugging
!
aaa new-model
!
clock timezone JST +9
!
ip vrf management
!
ip name-server vrf management 1.1.1.1 1.0.0.1
ip domain lookup source-interface GigabitEthernet1
ip domain name example.local
!
username admin password admin
!
interface GigabitEthernet1
 ip vrf forwarding management
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
ip http client source-interface GigabitEthernet1
!
ip route vrf management 0.0.0.0 0.0.0.0 10.0.0.254
ip ssh version 2
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
 transport input all
!
ntp server vrf management 162.159.200.1
ntp server vrf management 162.159.200.123 prefer
!
crypto key generate rsa modulus 2048
!
end

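A small lint helper, added here as an example and not part of the original post, for the IOS-style templates on this page: it parses a config into commands and their indented sub-commands, folds repeated ip name-server vrf lines into the single-line form IOS-XE stores (the difference noted just above), and reports the IOS-XE default leftovers the initial-settings section removes (call-home, the SLA-TrustPoint PKI objects) plus any line vty range lacking length 0 (the vty-alignment point made there). The helper names parse_ios, merge_name_servers and lint are mine, and the sample config is constructed.

```python
def parse_ios(text):
    """Split an IOS-style config into (command, [sub-commands]); '!' and blank lines dropped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and blocks:      # indented => sub-command of the last block
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def merge_name_servers(blocks):
    """Fold repeated 'ip name-server vrf V addr' lines into one, as IOS-XE stores them."""
    merged, seen = [], {}                        # seen: vrf -> index of its first line
    for cmd, subs in blocks:
        parts = cmd.split()                      # ['ip', 'name-server', 'vrf', V, addr...]
        is_ns = cmd.startswith("ip name-server vrf ") and len(parts) >= 5
        if is_ns and parts[3] in seen:           # append the address(es) to the first line
            i = seen[parts[3]]
            merged[i] = (merged[i][0] + " " + " ".join(parts[4:]), [])
        else:
            if is_ns:
                seen[parts[3]] = len(merged)
            merged.append((cmd, subs))
    return merged

def lint(text):
    """Report default leftovers the post removes and vty ranges lacking 'length 0'."""
    leftovers = ("call-home", "crypto pki trustpoint", "crypto pki certificate chain")
    findings = []
    for cmd, subs in parse_ios(text):
        if cmd.startswith(leftovers):
            findings.append(f"leftover default: {cmd}")
        if cmd.startswith("line vty") and "length 0" not in subs:
            findings.append(f"{cmd}: missing 'length 0'")
    return findings

# Constructed sample mimicking the default state the post describes (only vty 2 has 'length 0').
SAMPLE = """\
crypto pki trustpoint SLA-TrustPoint
call-home
ip name-server vrf management 1.1.1.1
ip name-server vrf management 1.0.0.1
line vty 0 1
 login
line vty 2
 login
 length 0
"""
```

Running lint(SAMPLE) lists the trustpoint, the call-home block and the vty 0 1 range; merge_name_servers(parse_ios(SAMPLE)) collapses the two name-server lines into the CSR1000v form shown above.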
Cisco IOS-XE (Catalyst 8000v)
The Catalyst 8000v (IOS-XE) config is the same as for the CSR1000v (IOS-XE).
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
hostname C8000v
!
logging buffered 65536 debugging
!
aaa new-model
!
clock timezone JST +9
!
ip vrf management
!
ip name-server vrf management 1.1.1.1 1.0.0.1
ip domain lookup source-interface GigabitEthernet1
ip domain name example.local
!
username admin password admin
!
interface GigabitEthernet1
 ip vrf forwarding management
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
ip http client source-interface GigabitEthernet1
!
ip route vrf management 0.0.0.0 0.0.0.0 10.0.0.254
ip ssh version 2
!
line con 0
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
!
line vty 0 4
 exec-timeout 300 0
 privilege level 15
 logging synchronous
 length 0
 transport input all
!
ntp server vrf management 162.159.200.1
ntp server vrf management 162.159.200.123 prefer
!
crypto key generate rsa modulus 2048
!
end

Cisco NX-OSv
By default the user names are as follows. I changed only the admin user's password.

Username | Default password | Changed password
admin    | cisco            | admin
cisco    | cisco            | cisco

license grace-period
!
hostname NX-OSv
!
feature telnet
!
username admin password admin role network-admin
!
ip name-server 1.1.1.1 1.0.0.1 use-vrf management
!
ntp server 162.159.200.1 prefer use-vrf management
ntp server 162.159.200.123 use-vrf management
!
vrf context management
  ip route 0.0.0.0/0 mgmt0 10.0.0.254
!
interface mgmt0
  vrf member management
  ip address 10.0.0.1/24
  no shutdown
!
interface Ethernet 2/1-48
  no mac-address
!
interface Ethernet 3/1-48
  no mac-address
!
interface Ethernet 4/1-48
  no mac-address
!
clock timezone JST 9 0
!
line console
  exec-timeout 300
  terminal length 0
!
line vty
  exec-timeout 300
!
logging timestamp milliseconds
!
end

Cisco NX-OS 9000v
As with NX-OSv, the default user names are as follows. I changed only the admin user's password. Otherwise, the main config is shared with NX-OSv.

Username | Default password | Changed password
admin    | cisco            | admin
cisco    | cisco            | cisco

hostname NX-OS9000v
!
feature telnet
!
username admin password admin role network-admin
!
ip name-server 1.1.1.1 1.0.0.1 use-vrf management
!
ntp server 162.159.200.1 prefer use-vrf management
ntp server 162.159.200.123 use-vrf management
!
vrf context management
  ip route 0.0.0.0/0 mgmt0 10.0.0.254
!
interface mgmt0
  vrf member management
  ip address 10.0.0.1/24
  no shutdown
!
clock timezone JST 9 0
!
line console
  exec-timeout 300
  terminal length 0
!
line vty
  exec-timeout 300
!
logging timestamp milliseconds
!
end

Fortinet FortiOS (FortiGate)
The FortiGate-VM evaluation license carries the following statement.
Low encryption only (no HTTPS administrative access)
With the evaluation license, not only is HTTPS access unavailable, but SSH access also appears not to work. For that reason, HTTP and TELNET are enabled.

config system global
    set admintimeout 60
    set hostname fortigate
    set timezone 60
end
config system interface
    edit "port1"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
end
config system admin
    edit admin
        set password admin
    next
end
config system console
    set output standard
end
config system dns
    set primary 1.1.1.1
    set secondary 1.0.0.1
end
config system ntp
    set ntpsync enable
    set type custom
    set syncinterval 30
    config ntpserver
        edit 1
            set server 162.159.200.123
        next
        edit 2
            set server 162.159.200.1
        next
    end
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.0.254
        set device "port1"
    next
end

If you want the Web UI to display in Japanese, also configure the following.

config system global
    set language japanese
end

PaloAlto PAN-OS
set deviceconfig system ip-address 10.0.0.1
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 10.0.0.254
set deviceconfig system timezone Asia/Tokyo
set deviceconfig system hostname PaloAlto
set deviceconfig system dns-setting servers primary 1.1.1.1
set deviceconfig system dns-setting servers secondary 1.0.0.1
set deviceconfig system ntp-servers primary-ntp-server ntp-server-address 216.239.35.12
set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address 216.239.35.8

Ubuntu
#cloud-config
hostname: ubuntu1
manage_etc_hosts: True
system_info:
  default_user:
    name: admin
password: admin
chpasswd: { expire: False }
ssh_pwauth: True
timezone: Asia/Tokyo
write_files:
  - path: /etc/netplan/50-cloud-init.yaml
    content: |
      network:
        ethernets:
          ens2:
            addresses:
              - 10.0.0.1/24
            gateway4: 10.0.0.254
            dhcp4: false
            nameservers:
              addresses:
                - 1.1.1.1
                - 1.0.0.1
        version: 2
runcmd:
  - sudo netplan apply

VyOS
The following is stated under System DNS, so at present there appears to be no way to direct the system dns settings to a specific VRF.
If you are configuring a VRF for management purposes, there is currently no way to force system DNS traffic via a specific VRF.

delete system ntp server 0.pool.ntp.org
delete system ntp server 1.pool.ntp.org
delete system ntp server 2.pool.ntp.org
set vrf name management table '999'
set interfaces ethernet eth0 vrf management
set interfaces ethernet eth0 address '10.0.0.1/24'
set protocols vrf management static route 0.0.0.0/0 next-hop 10.0.0.254
set service ssh vrf 'management'
set system domain-name 'example.net'
set system host-name 'vyos'
set system login user admin authentication plaintext-password admin
set system ntp vrf management
set system ntp server 162.159.200.1
set system ntp server 162.159.200.123 prefer
set system time-zone 'Asia/Tokyo'