
You will be working on migrating a router from the customer's management to AT&T management. If you see errors on the circuit, inform the customer or PIM and do not continue until the circuit issue is resolved.

!!!!!!!!! DO NOT SAVE THE CONFIG UNTIL THE END OF THE TASK, ONCE EVERYTHING IS CONFIRMED !!!!!!!!!

***************************************************
Step 1
Make sure you can access the router with the password: check for note with the login information (PIM or LE)

!!!!!!!!!!!!!!!!!!!! OPEN 3 TELNET SESSIONS TO THE ROUTER AND GO TO --- CONF T !!!!!!!!!!!!!!!!!!!!
***************************************************
Step 2
Left blank
***************************************************
Step 3
Save the running config on the router - copy run start

***************************************************
IMPORTANT
Apply the following command on the router:
reload in 50
To be on the safe side, the device will be reloaded in 50 minutes, just in case - this is the backout plan.

***************************************************
Step 4
Apply the following:
conf t
!
! ### ADD AT&T SNMP CONFIG ###
!
do term mon
!
no access-list 96
access-list 96 remark SNMP Read Only AT&T networks
access-list 96 permit 135.89.160.224 0.0.0.15
access-list 96 permit 135.89.200.240 0.0.0.7
!
no access-list 97
access-list 97 remark SNMP Read and Write AT&T networks
access-list 97 permit 135.89.160.224 0.0.0.15
access-list 97 permit 135.89.200.240 0.0.0.7
!
access-list 12 remark VTY ACCESS
access-list 12 permit 135.89.160.224 0.0.0.15
access-list 12 permit 135.89.200.240 0.0.0.7
access-list 12 permit 172.30.0.0 0.0.1.255
!
snmp-server host 135.89.160.226 yLhZd9aX5Tiq2GJeN8wB snmp
snmp-server host 135.89.200.242 yLhZd9aX5Tiq2GJeN8wB snmp
snmp-server community P3sBL7hX8zIgrQnAOy5e RW 97
snmp-server community yLhZd9aX5Tiq2GJeN8wB RO 96
snmp-server tftp-server-list 97
snmp-server enable traps entity
snmp-server enable traps snmp
snmp-server queue-length 20
snmp-server packetsize 1000
snmp-server system-shutdown
snmp-server trap-source Loopback0
!
ip tftp source-interface Loopback0
!
! STOP AND TRY SNMPWALK FROM THE NODE MANAGER
!
! snmpwalk -v 2c -c P3sBL7hX8zIgrQnAOy5e LOOPBACK_IP_OF_THE_CURRENT_ROUTER
!
! You should see a long output, stop it with Ctrl C
!

!
! CONTINUE WITH THE COMMANDS
!
! ### ADD AT&T LAST RESORT CREDENTIALS BEFORE REMOVING CUSTOMER CONFIG ###
!
enable secret Xq5BtN2E
!
line con 0
 exec-timeout 15 0
 password JzP86mpA
 session-timeout 10
!
line aux 0
 exec-timeout 15 0
 password JzP86mpA
 session-timeout 10
!
line vty 0 4
 transport input telnet
 no logging synchronous
 access-class 12 in
 exec-timeout 15 0
 session-timeout 10
 password JzP86mpA
 no privilege level 15
!
line vty 5 15
 transport input telnet
 no logging synchronous
 access-class 12 in
 exec-timeout 15 0
 session-timeout 10
 password JzP86mpA
 no privilege level 15
!
! ### CRITICAL COMMANDS TO REMOVE - CONFLICT WITH AT&T MGMT ###
!
no aaa accounting commands 0 default
no aaa accounting commands 0 default stop-only group tacacs+
no aaa accounting commands 1 default
no aaa accounting commands 1 default stop-only group tacacs+
no aaa accounting commands 15 default

no aaa accounting commands 15 default stop-only group tacacs+
no aaa accounting connection default start-stop group tacacs+
no aaa accounting connection h323
no aaa accounting exec default
no aaa accounting exec default start-stop group tacacs+
no aaa accounting network default
no aaa accounting network default start-stop group tacacs+
no aaa accounting system default
no aaa accounting system default start-stop group tacacs+
no aaa authentication enable default group tacacs+ enable
no aaa authentication login default group tacacs+
no aaa authentication login default group tacacs+ local
no aaa authentication login h323 group radius
no aaa authentication login local_auth local
no aaa authentication login no_pass none
no aaa authentication login no_tacacs enable
no aaa authentication login otherport group tacacs+ local
no aaa authentication login vtyport group tacacs+ local
no aaa authentication ppp default if-needed
no aaa authentication ppp secure group tacacs+
no aaa authentication username-prompt "Local Username: "
no aaa authorization commands 1 default group tacacs+ if-authenticated
no aaa authorization commands 15 default group tacacs+ if-authenticated
no aaa authorization console
no aaa authorization exec default group tacacs+ if-authenticated
no aaa authorization exec default group tacacs+ local
no aaa authorization exec default group tacacs+ none
no aaa authorization exec h323 group radius
no aaa authorization network default none
no aaa authorization network secure group tacacs+
no aaa new-model
no aaa session-id common
no clock calendar-valid
no clock summer-time CDT date Mar 2 2008 1:00 Nov 1 2008 1:00
no clock summer-time CDT date Mar 8 2009 2:00 Nov 1 2009 2:00
no clock summer-time CDT recurring
no clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no clock summer-time EDT date Mar 8 2009 2:00 Nov 1 2009 2:00
no clock summer-time EDT recurring
no clock summer-time MDT date Mar 8 2009 2:00 Nov 1 2009 2:00
no clock summer-time PDT date Mar 8 2009 2:00 Nov 1 2009 2:00
no clock summer-time cdt recurring
no clock timezone AKDT -8
no clock timezone ALG 1
no clock timezone ARG -3
no clock timezone CDT -5
no clock timezone CDT -6
no clock timezone CST -6
no clock timezone DST -5
no clock timezone EDT -4 0
no clock timezone EST -5
no clock timezone GMT -3
no clock timezone GMT -4
no clock timezone GMT -5
no clock timezone GMT -6
no clock timezone GMT 0
no clock timezone GMT 4
no clock timezone GMT 7
no clock timezone GMT+5 5
no clock timezone MST -7

no clock timezone P -3
no clock timezone PST -8
no clock timezone R -5
no clock timezone SGT 8
no clock timezone UTC -22
no clock timezone UTC -23
no clock timezone UTC -4 30
no clock timezone UTC -5
no clock timezone UTC 2
no clock timezone UTC 4
no clock timezone UTC 5 30
no clock timezone UTC 7
no clock timezone UTC 8
no clock timezone cst -6
no clock timezone gmt 8
no clock timezone gmt 5 30
no ip http authentication aaa
no ip http authentication local
no ip http path flash:
no ip http secure-server
no ip http server
no ip http timeout-policy idle 5 life 86400 requests 10000
no ip http timeout-policy idle 60 life 86400 requests 10000
no logging 10.100.1.104
no logging 10.130.11.221
no logging 10.130.21.219
no logging 10.130.21.220
no logging 10.32.3.2
no logging 172.30.1.100
no logging 172.30.1.109
no logging 172.30.1.49
no logging 172.30.1.90
no logging 212.31.215.213
no logging 81.146.75.13
no logging buffered 10000
no logging buffered 16384
no logging buffered 4096
no logging buffered 4096 debugging
no logging buffered 4096 notifications
no logging buffered 51200 warnings
no logging buffered 8192
no logging buffered 8192 debugging
no logging buffered 8192 warnings
no logging esm config
no logging history debugging
no logging history size 200
no logging message-counter syslog
no logging source-interface Loopback0
no logging source-interface Loopback101
no logging trap debugging
no logging trap errors
no ntp clock-period
no ntp master
no ntp server 10.130.19.200 prefer
no ntp server 10.224.1.2
no ntp server 10.227.5.1
no ntp server 10.229.18.1
no ntp server 10.40.40.2
no ntp server 10.40.46.21
no ntp server 150.141.237.1

no ntp server 150.141.237.2
no ntp server 171.30.96.246
no ntp server 172.30.96.246
no ntp server 192.43.244.18
no ntp server 10.250.255.253
no ntp server 10.250.255.254
no ntp server 10.250.255.255
no ntp source FastEthernet0/0.1
no ntp source GigabitEthernet0/0
no ntp source
no ntp update-calendar
no radius-server host 10.130.6.210 auth-port 1645 acct-port 1646 key 7 141518340 D07292E373B
no radius-server source-ports 1645-1646
no radius-server vsa send accounting
no snmp-server community !k33p0ut RW
no snmp-server community !k33p@ut RW
no snmp-server community !k33p@ut RW 2
no snmp-server community 19M1R20S view SmartsROView RO
no snmp-server community 19M1R20S view SmartsROView RO 19
no snmp-server community APR RO
no snmp-server community public RO 99
no snmp-server community private RW 99
no snmp-server community C00k1316853C21e RO
no snmp-server community P3rLP1UsC2139353 RW
no snmp-server community aU5N81ng RO 3
no snmp-server community atlrce RO
no snmp-server community atlrce RW 20
no snmp-server community bjpriv RW 2
no snmp-server community bjpub RO 3
no snmp-server community ch4ng3s.W3lc0m3 RW 97
no snmp-server community cudp!g RO
no snmp-server community cudp!g RO 1
no snmp-server community cudpig RO
no snmp-server community cudpig RO 21
no snmp-server community l1GHT.r34d1ng RO 96
no snmp-server community pri RW 99
no snmp-server community private RW 99
no snmp-server community pub RO 99
no snmp-server community public RO
no snmp-server community public RO 98
no snmp-server community snmpatlrecrw RW 18
no snmp-server community C00k1316853C21e RO 99
no snmp-server community P3rLP1UsC2139353 RW 99
no snmp-server host 17.30.1.100 public
no snmp-server host 172.17.91.178 public
no snmp-server host 172.30.1.109 public
no snmp-server host 172.30.1.99 public
no snmp-server host 172.30.10.100 pub
no snmp-server host 172.30.10.109 pub
no snmp-server host 212.31.215.213 version 2c 19M1R20S
no snmp-server host 81.146.75.13 version 2c 19M1R20S
no snmp-server trap-source
no tacacs-server directed-request
no tacacs-server host 10.32.3.5
no tacacs-server host 10.40.40.170
no tacacs-server host 10.40.40.170 key 7 153E04190D391F31243F2C
no tacacs-server host 172.30.98.128
no tacacs-server host 172.30.98.128 timeout 5
no tacacs-server key 7 00131208105E0A0B

no tacacs-server key 7 00281C130D483F13032D55
no tacacs-server key 7 0104070A4F0E0702
no tacacs-server key 7 013F09115218321A2D4057
no tacacs-server key 7 021105551F030E2C
no tacacs-server key 7 022A0B4E02153B34404210
no tacacs-server key 7 03135A05120A2041
no tacacs-server key 7 0328541E0F1C1559420500
no tacacs-server key 7 047704130632785B05151C
no tacacs-server key 7 0527091A285F7A1C15090E
no tacacs-server key 7 062A0034455D3D0C091B0B
no tacacs-server key 7 071820425A0C1808
no tacacs-server key 7 07232E59471A2D101B1E12
no tacacs-server key 7 080D435B000A31021E0715
no tacacs-server key 7 08364D401D1C041A
no tacacs-server key 7 095B4F070D00161F
no tacacs-server key 7 0960411C1016230707001D
no tacacs-server key 7 1059081711121306
no tacacs-server key 7 1062060C0C04261E000833
no tacacs-server key 7 111E180B03170A01
no tacacs-server key 7 112516101E013F19082632
no tacacs-server key 7 12350A021B18381126273D
no tacacs-server key 7 13291807021F303F272831
no tacacs-server key 7 1400130518012B26
no tacacs-server key 7 143B1D1E05171E3E28242A
no tacacs-server key 7 153E04190D391F31243F2C
no tacacs-server key 7 044C0A081B244D43
no tacacs-server key 7 120E0419060E0D09
no tacacs-server key 7 06110E2F584B0814
no tacacs-server key 7 051C070135494F04
no tftp-server DistinctiveRingList.xml
no tftp-server flash:Analog1.raw
no tftp-server flash:Analog2.raw
no tftp-server flash:AreYouThere.raw
no tftp-server flash:AreYouThereF.raw
no tftp-server flash:Bass.raw
no tftp-server flash:CP7912080001SCCP051117A.sbin
no tftp-server flash:CVM41.2-0-2-26.sbn
no tftp-server flash:CVM70.2-0-2-26.sbn
no tftp-server flash:Chime.raw
no tftp-server flash:Classic1.raw
no tftp-server flash:Classic2.raw
no tftp-server flash:ClockShop.raw
no tftp-server flash:DistinctiveRingList.xml
no tftp-server flash:Drums1.raw
no tftp-server flash:Drums2.raw
no tftp-server flash:FilmScore.raw
no tftp-server flash:HarpSynth.raw
no tftp-server flash:Jamaica.raw
no tftp-server flash:Jar41.2-9-2-26.sbn
no tftp-server flash:Jar70.2-9-2-26.sbn
no tftp-server flash:KotoEffect.raw
no tftp-server flash:MusicBox.raw
no tftp-server flash:P00308000500.bin
no tftp-server flash:P00308000500.loads
no tftp-server flash:P00308000500.sb2
no tftp-server flash:P00308000500.sbn
no tftp-server flash:Piano1.raw
no tftp-server flash:Piano2.raw
no tftp-server flash:Pop.raw
no tftp-server flash:Pulse1.raw

no tftp-server flash:RingList.xml
no tftp-server flash:S00105000300.sbn
no tftp-server flash:SCCP11.7-2-1-0S.loads
no tftp-server flash:SCCP41.8-0-4SR2S.loads
no tftp-server flash:SCCP70.8-0-4SR2S.loads
no tftp-server flash:Sax1.raw
no tftp-server flash:Sax2.raw
no tftp-server flash:TERM41.7-0-3-0S.loads
no tftp-server flash:TERM70.7-0-3-0S.loads
no tftp-server flash:Vibe.raw
no tftp-server flash:apps11.1-0-0-72.sbn
no tftp-server flash:apps41.1-1-3-30.sbn
no tftp-server flash:apps70.1-1-3-30.sbn
no tftp-server flash:bulk-sd-0.txt
no tftp-server flash:cmterm_7936.3-3-5-0.bin
no tftp-server flash:cnu11.3-0-0-81.sbn
no tftp-server flash:cnu41.2-7-6-26.sbn
no tftp-server flash:cnu41.3-1-3-30.sbn
no tftp-server flash:cnu70.2-7-6-26.sbn
no tftp-server flash:cnu70.3-1-3-30.sbn
no tftp-server flash:cvm11.7-2-0-66.sbn
no tftp-server flash:cvm41sccp.8-0-3-32.sbn
no tftp-server flash:cvm70sccp.8-0-3-32.sbn
no tftp-server flash:dsp11.1-0-0-73.sbn
no tftp-server flash:dsp41.1-1-3-30.sbn
no tftp-server flash:dsp70.1-1-3-30.sbn
no tftp-server flash:jar11.7-2-0-66.sbn
no tftp-server flash:jar41sccp.8-0-3-32.sbn
no tftp-server flash:jar70sccp.8-0-3-32.sbn
no tftp-server flash:s00104000100.sbn
no tftp-server flash:speeddial.xml
no tftp-server flash:term11.default.loads
no tftp-server flash:term41.default.loads
no tftp-server flash:term61.default.loads
no tftp-server flash:term70.default.loads
no tftp-server flash:term71.default.loads
no tftp-server system:
no snmp-server tftp-server-list 99
!
snmp-server host 135.89.160.226 yLhZd9aX5Tiq2GJeN8wB snmp
snmp-server host 135.89.200.242 yLhZd9aX5Tiq2GJeN8wB snmp
snmp-server community P3sBL7hX8zIgrQnAOy5e RW 97
snmp-server community yLhZd9aX5Tiq2GJeN8wB RO 96
snmp-server tftp-server-list 97
snmp-server enable traps entity
snmp-server enable traps snmp
snmp-server queue-length 20
snmp-server packetsize 1000
snmp-server system-shutdown
snmp-server trap-source Loopback0
!
ip tftp source-interface Loopback0
!

!
! ### USERNAMES TO REMOVE - REQUESTED BY CHAD HAASE ###
!
no username attmrs
no username "conf"
no username "dmccoy"
no username "DN4000"
no username "DN4102"
no username "DN4103"
no username "DN4104"
no username "DN4105"
no username "DN4106"
no username "DN4113"
no username "DN4129"
no username "DN4131"
no username "DN6100"
no username "DN6101"
no username "DN6102"
no username "DN6103"
no username "DN6104"
no username "DN6105"
no username "DN6106"
no username "DN6107"
no username "DN6110"
no username "DN6111"
no username "DN6112"
no username "DN6113"
no username "DN6114"
no username "DN6115"
no username "DN6116"
no username "DN6117"
no username "DN6120"
no username "DN6121"
no username "DN6122"
no username "DN6130"
no username "DN6131"
no username "DN6132"
no username "DN6133"
no username "DN6134"
no username "DN6135"
no username "DN6140"
no username "DN6190"
no username "jwilson"
no username "khaygoo"
no username "main"
no username "name5"
no username "name6"
no username "name7"
no username "name8"
no username "name9"
no username "v2916"
no username "v3900"
no username "v3901"
no username "v3902"
no username "v3904"
no username "v3905"

no username "v3906"
no username "v3907"
no username "v3908"
no username "v3909"
no username "v3910"
no username "v3911"
no username "v3912"
no username "v3913"
no username "v3914"
no username "v3921"
no username "v3922"
no username "v3923"
no username "v3924"
no username "v3925"
no username "v3926"
no username "v3931"
no username "v3997"
no username "v5900"
no username "v5905"
no username "v5911"
no username "v5915"
no username "v5931"
no username "v5933"
no username "wall1"
no username "wall2"
no username "wall3"
no username "alvechr"
no username "andeneip"
no username "cawtgra"
no username "jennphij"
no username "macjohw"
no username "mciniaiw"
no username "noblwils"
no username "petrgav"
no username "reidforw"
no username "robechrg"
no username "smitkevm"
no username "Software"
no username "user9523"
no username "walkkev"
no username "wattfra"
no username "westnea"
no username "younbarn"
no username admin
no username bjnotacacs
no username bjservices
no username cisco
no username qwesttech
no username scuser
no username shoregroup
no username soporte
no username temp
no username v3908
no username wanteam
no username att4bhi
no username "100"
no username "101"
no username "102"
no username "103"
no username "104"

no username "105"
no username "106"
no username "107"
no username "108"
no username "109"
no username "110"
no username "111"
no username "112"
no username "113"
no username "114"
no username "115"
no username "116"
no username "117"
no username "118"
no username "119"
no username "120"
no username hassipass
no username verizon
no username BHI4att
!
! ### ADD AT&T LOGGING AND NTP TO PRIMARY and DR DMS SERVERS ###
!
logging 135.89.160.226
logging 135.89.200.242
logging host 135.89.160.226
logging host 135.89.200.242
logging source-interface Loopback0
!
logging buffered 16000 debug
logging trap informational
!
ntp server 135.89.160.226
ntp server 135.89.200.242
!
! ### HARDENING COMMANDS ###
!
no service finger
no service udp-small-servers
no service tcp-small-servers
no service pad
no service config

no ip source-route
no ip domain-lookup
no snmp-server sparse-tables
no snmp-server enable traps syslog
no username cisco
no tftp-server enable
!
no mop enabled
no lldp run global
no ip bootp server
no boot network
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
!
no snmp-server enable traps snmp authentication
!
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
clock timezone GMT 0
!
banner motd %
*******************************************************************************
*                               Warning Notice                                *
*                                                                             *
* This router is the property of Baker Hughes. The use of the router and its  *
* related system is restricted solely to AT&T authorized users for legitimate *
* business purposes only. The actual or attempted unauthorized access, use,   *
* or modification of this router or its related system is strictly prohibited *
* by AT&T and Baker Hughes.                                                   *
*                                                                             *
* In accordance with the AT&T Managed Router Service, AT&T users are          *
* authorized only to access and/or modify network management information and  *
* configurations, related to the scope and change control processes of the    *
* contracted agreement.                                                       *
*                                                                             *
* AT&T users are prohibited from accessing, using, disclosing or modifying    *
* any other information in any form whatsoever (including applications and    *
* data) that resides or is contained on any and all other Baker Hughes        *
* hardware, software, equipment, assets or other devices that host or store   *
* applications or information.                                                *
*                                                                             *
* Unauthorized users are subject to disciplinary proceedings and/or criminal  *
* and civil penalties under state, federal or other applicable domestic and   *
* foreign laws.                                                               *
*                                                                             *
* The use of this router and its related system may be monitored and recorded *
* for administrative and security reasons. Anyone accessing this router and   *
* its related system expressly consents to such monitoring and is advised     *
* that if monitoring reveals possible evidence of criminal activity, AT&T or  *
* Baker Hughes may provide the evidence of such activity to law enforcement   *
* officials.                                                                  *
*                                                                             *
* All AT&T users must comply with AT&T applicable company policies and the    *
* contracted agreement with Baker Hughes.                                     *
*                                                                             *
*******************************************************************************
%
!
! ### RE-ADD CUSTOMER SNMP ACCESS ###
!
no access-list 98
access-list 98 remark SNMP Read Only BHI networks
access-list 98 permit 172.30.1.0 0.0.0.255
snmp-server community public RO 98
!
no access-list 99
!
! ### RE-ADD CUSTOMER SYSLOG ###
!
logging 172.30.1.100
logging 172.30.1.109
!
! ### ADD AT&T AAA ###
!
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server directed-request
tacacs-server timeout 10
tacacs-server host 135.89.160.228 port 49160
tacacs-server host 135.89.159.146 port 49160
tacacs-server key KvSy2BuV6jxQa4gczm3d
!
aaa authorization config-commands
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
!
end

***************************************************
Step 5
Make sure you can access the router via AT&T TACACS telnet from a new SecureCRT window
***************************************************
Step 6
IMPORTANT
If telnet is working with the new AT&T TACACS and snmpwalk test passed
snmpwalk -v 2c -c P3sBL7hX8zIgrQnAOy5e LOOPBACK_IP_OF_THE_CURRENT_ROUTER
apply the following command on the router
reload cancel

***************************************************
Perform the 2 tests
snmpwalk -v 2c -c P3sBL7hX8zIgrQnAOy5e LOOPBACK_IP
cback LOOPBACK_IP_OF_THE_CURRENT_ROUTER
**************************************************
HOSTNAME CHANGE
add "-mrs" to the hostname
example:
existing hostname: in-mumb1-r1
new hostname: in-mumb1-r1-mrs
Update GPS:
example:
node primary name: in-mumb1-r1
asset alias name: in-mumb1-r1-mrs
so ON the router and asset alias in GPS: in-mumb1-r1-mrs
and node primary name: in-mumb1-r1
hostfile: in-mumb1-r1
***************************************************
END OF INSTRUCTIONS
***************************************************
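
An offline check that can be run on a saved "show running-config" before the "reload cancel" in Step 6 and the final save, to confirm the Step 4 changes left the intended end state. It is an added example and not part of the original runbook. The function name audit_config and the sample config are hypothetical and constructed, with placeholder secrets; only the ACL numbers and TACACS+ server addresses come from the steps above.

```python
import re

# Values taken from the runbook above: the ACLs it binds SNMP communities to,
# the VTY access-class, and the AT&T TACACS+ servers it adds.
SNMP_ACLS = {"96", "97", "98"}
VTY_ACL = "12"
TACACS_HOSTS = {"135.89.160.228", "135.89.159.146"}
COMMUNITY = re.compile(r"snmp-server community \S+(?: view \S+)? (?:RO|RW)(?: (\d+))?$")


def audit_config(text):
    """Return sorted (line_number, finding) pairs; secrets are never echoed."""
    lines = [line.rstrip() for line in text.splitlines()]
    defined = set(re.findall(r"^access-list (\d+) permit ", text, re.M))
    findings = []
    vty, vty_start, vty_ok = None, 0, False
    for n, line in enumerate(lines + ["!"], 1):
        # A non-indented line closes any open "line vty" block.
        if vty and not line.startswith(" "):
            if not vty_ok:
                findings.append((vty_start, f"{vty}: no access-class {VTY_ACL} in"))
            vty = None
        m = COMMUNITY.match(line)
        if m:
            acl = m.group(1)
            if acl is None:
                findings.append((n, "SNMP community without an ACL"))
            elif acl not in SNMP_ACLS or acl not in defined:
                findings.append((n, f"SNMP community bound to ACL {acl}"))
        elif line.startswith("username "):
            findings.append((n, "local username still configured"))
        elif line.startswith("tacacs-server host "):
            host = line.split()[2]
            if host not in TACACS_HOSTS:
                findings.append((n, f"unexpected TACACS+ server {host}"))
        elif line.startswith("line vty "):
            vty, vty_start, vty_ok = line, n, False
        elif vty and line.strip() == f"access-class {VTY_ACL} in":
            vty_ok = True
    return sorted(findings)


# Constructed sample (not a capture from any device); secrets are placeholders.
SAMPLE = """\
access-list 96 permit 135.89.160.224 0.0.0.15
access-list 98 permit 172.30.1.0 0.0.0.255
snmp-server community EXAMPLE_RO RO 96
snmp-server community EXAMPLE_OLD RO
snmp-server community EXAMPLE_RW RW 99
username temp privilege 15 secret EXAMPLE
tacacs-server host 10.40.40.170
tacacs-server host 135.89.160.228 port 49160
line vty 0 4
 access-class 12 in
 transport input telnet
line vty 5 15
 transport input telnet
!
"""

if __name__ == "__main__":
    for n, finding in audit_config(SAMPLE):
        print(f"line {n}: {finding}")
```

An empty result means no leftover customer SNMP communities, local usernames, foreign TACACS+ servers or unrestricted VTY lines were found in the saved config.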