Step 1
|
enable
|
Enables privileged EXEC mode. Enter your password, if prompted.
|
Step 2
|
configure terminal
Device# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Device(config)# aaa new-model
|
(Required) Enable the authentication, authorization, and accounting (AAA)
access control model.
|
Step 4
|
aaa authentication login default local
Device(config)# aaa authentication login default local
|
(Required) Sets AAA authentication to use the local username database for
authentication.
|
Step 5
|
aaa authorization exec default local
Device(config)# aaa authorization exec default local
|
Sets the parameters that restrict user access to a network. The user is
allowed to run an EXEC shell.
|
Step 6
|
ip routing
Device(config)# ip routing
|
Enables IP routing on the device. The VRF interface and the static route configured in later steps depend on it.
|
Step 7
|
{ip | ipv6} name-server [vrf vrf-name]
server-address1 [server-address2 ... server-address6]
Device(config)# ip name-server vrf Mgmt-vrf
192.168.1.100 192.168.1.200 192.168.1.250
|
(Optional) Specifies the address of one or more name servers to use for name
and address resolution.
You can specify up to six name servers. Separate
each server address with a space. The first server specified is the primary
server. The device sends DNS queries to the primary server first. If that
query fails, the backup servers are queried.
|
Step 8
|
ip domain lookup source-interface
interface-type-number
Device(config)# ip domain lookup
source-interface gigabitethernet0/0
|
Enables DNS-based hostname-to-address
translation on your device. This feature is enabled by default.
If your network devices require connectivity
with devices in networks for which you do not control name assignment, you
can dynamically assign device names that uniquely identify your devices by
using the global Internet naming scheme (DNS).
Note
|
If you configure this command on a Layer 3 physical interface, it is automatically removed from running configuration in case
the port mode is changed or if the device reloads. The only available workaround is to reconfigure the command. Starting with
Cisco IOS XE Dublin 17.12.1, this issue is resolved.
|
|
Step 9
|
ip domain name name
Device(config)# ip domain name vrf
Mgmt-vrf cisco.com
|
Defines a default domain name that the software uses to complete unqualified
hostnames (names without a dotted-decimal domain name).
|
Step 10
|
no username name
Device(config)# no username admin
|
(Required) Clears the specified username, if it exists. For name,
enter the same username you will create in the next step. This ensures
that a duplicate of the username you are going to create in the next step
does not exist.
If you plan to use REST APIs for SSM On-Prem-initiated retrieval of RUM reports, you have to log in to SSM On-Prem. Duplicate
usernames may cause the feature to work incorrectly if they are present in the system.
|
Step 11
|
username name privilege level
password password
Device(config)# username admin privilege 15
password 0 lab
|
(Required) Establishes a username-based authentication system.
The privilege keyword sets the privilege level for the user, a number
between 0 and 15.
The password argument is the password for that username. A password must be from 1 to
25 characters, can contain embedded spaces, and must be the last option
specified in the username command.
The 0 in the example is the encryption type: it means the password is stored in clear text in the running configuration,
where anyone who can view or export the configuration can read it. To store a hash instead, use username name privilege level
secret password; the HTTP server's local authentication (Step 19) accepts a secret in the same way as a password.
This enables SSM On-Prem to use the product instance's native REST API.
|
Step 12
|
interface
interface-type-number
Device(config)# interface gigabitethernet0/0
|
Enters interface configuration mode and specifies the Ethernet interface,
subinterface, or VLAN to be associated with the VRF.
|
Step 13
|
vrf forwarding vrf-name
Device(config-if)# vrf forwarding Mgmt-vrf
|
Associates the VRF with the Layer 3 interface. This command activates
multiprotocol VRF on the interface; any existing IP address on the interface is removed, so configure the address in the next step.
|
Step 14
|
ip address ip-address mask
Device(config-if)# ip address 192.168.0.1 255.255.0.0
|
Assigns the IP address to the interface inside the VRF.
|
Step 15
|
negotiation auto
Device(config-if)# negotiation auto
|
Enables auto-negotiation operation for the speed and duplex parameters of an
interface.
|
Step 16
|
no shutdown
Device(config-if)# no shutdown
|
Restarts a disabled interface.
|
Step 17
|
exit
Device(config-if)# exit
|
Exits interface configuration mode and returns to global configuration mode, where the next step is entered.
|
Step 18
|
ip http server
Device(config)# ip http server
|
(Required) Enables the HTTP server on your IPv4 or IPv6 system, including the
Cisco web browser user interface. The HTTP server listens on the standard port 80
by default. Traffic on this port, including login credentials, is sent in clear text, so make sure SSM On-Prem
connects to the HTTPS server enabled in Step 20 rather than to port 80.
|
Step 19
|
ip http authentication local
Device(config)# ip http authentication local
|
(Required) Specifies a particular authentication method for HTTP server
users.
The local keyword means that the login user name,
password and privilege level access combination specified in the local
system configuration (by the username global configuration command) should
be used for authentication and authorization.
|
Step 20
|
ip http secure-server
Device(config)# ip http secure-server
|
(Required) Enables a secure HTTP (HTTPS) server, listening on port 443 by default. Current IOS XE releases
negotiate TLS for this server; SSL 3.0 is obsolete and should not be relied on. Use show ip http server secure status
to confirm the server is running and which protocol versions it offers.
|
Step 21
|
ip http max-connections
Device(config)# ip http max-connections 16
|
(Required) Configures the maximum number of concurrent connections allowed
for the HTTP server. Enter an integer in the range from 1 to 16. The default
is 5.
|
Step 22
|
ip tftp source-interface
interface-type-number
Device(config)# ip tftp source-interface
GigabitEthernet0/0
|
Specifies the IP address of an interface as the source address for TFTP
connections.
|
Step 23
|
ip route [vrf vrf-name] prefix mask
next-hop
Device(config)# ip route vrf Mgmt-vrf
192.168.0.0 255.255.0.0 192.168.255.1
|
Configures a route and gateway on the product instance so that it can reach the SSM On-Prem server. You can configure
either a static route or a dynamic route. The prefix must be a network address that is consistent with its mask, and the
VRF name is case-sensitive and must match the name used in Step 13.
|
Step 24
|
logging host
Device(config)# logging host 172.25.33.20
vrf Mgmt-vrf
|
Logs system messages and debug output to a remote host.
|
Step 25
|
crypto pki trustpoint SLA-TrustPoint
Device(config)# crypto pki trustpoint SLA-TrustPoint
Device(ca-trustpoint)#
|
(Required) Declares that the product instance should use trustpoint “SLA-TrustPoint” and enters the ca-trustpoint configuration
mode. The product instance does not recognize any trustpoints until you declare a trustpoint using this command.
|
Step 26
|
enrollment terminal
Device(ca-trustpoint)# enrollment terminal
|
(Required) Specifies the certificate enrollment method.
|
Step 27
|
revocation-check none
Device(ca-trustpoint)# revocation-check none
|
(Required) Specifies a method that is to be used to ensure that the certificate of a peer is not revoked. For the SSM On-Prem
Deployment topology, enter the none keyword. This means that a revocation check will not be performed and the certificate will always be accepted,
even if it has since been revoked, so keep this setting scoped to SLA-TrustPoint rather than applying it to other trustpoints on the device.
|
Step 28
|
end
Device(ca-trustpoint)# exit
Device(config)# end
|
Exits the ca-trustpoint configuration mode and then the global configuration mode and returns to privileged EXEC mode.
|
Step 29
|
show ip http server session-module
Device# show ip http server session-module
|
(Required) Verifies HTTP connectivity. In the output, check that
SL_HTTP is active. Additionally, you can also perform
the following checks:
-
From the device where SSM On-Prem is installed, verify that you can ping the product instance. A successful ping confirms that
the product instance is reachable.
-
From a web browser on the device where SSM On-Prem is installed, open https://<product-instance-ip>/ . This ensures that the REST API from SSM On-Prem to the product instance works as expected.
|
Step 30
|
copy running-config startup-config
Device# copy running-config startup-config
|
Saves your entries in the configuration file.
|
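The procedure above collected into a single configuration, as an added example (not Cisco's own text and not taken from the page). It uses the sample interface, VRF and addresses from the steps; the default route, the dropped third name server and the use of secret instead of password 0 are assumptions made here for a hardened baseline, and the comment on the plain HTTP server describes a choice you must verify on your own release.

```cisco
! Added example: Steps 3 to 30 as one configuration. All addresses,
! the interface name and the VRF name are sample values from the steps.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip routing
!
! Name resolution and default domain inside the management VRF.
ip name-server vrf Mgmt-vrf 192.168.1.100 192.168.1.200
ip domain lookup source-interface GigabitEthernet0/0
ip domain name vrf Mgmt-vrf cisco.com
!
! Remove any stale account of the same name, then create the REST API user.
! Step 11 uses "password 0", which stores the password in clear text in the
! configuration. "secret" stores a salted hash and is accepted by
! "ip http authentication local" in the same way. Replace "lab" (the sample
! value from Step 11) with a strong password before use.
no username admin
username admin privilege 15 secret lab
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.0.1 255.255.0.0
 negotiation auto
 no shutdown
 exit
!
! Step 18 marks "ip http server" (clear-text port 80) as required. If your
! deployment only ever uses HTTPS, replace it with "no ip http server" and
! confirm afterwards that SL_HTTP still shows active in Step 29.
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 16
ip tftp source-interface GigabitEthernet0/0
!
! Assumed default route toward the SSM On-Prem network via the sample gateway.
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.255.1
logging host 172.25.33.20 vrf Mgmt-vrf
!
! Trustpoint used by Smart Licensing. Revocation checking is disabled only on
! this trustpoint, as Step 27 requires for the SSM On-Prem topology.
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check none
 exit
end
!
! The remaining commands are typed in privileged EXEC mode (Steps 29 and 30).
show ip http server session-module
show ip http server secure status
copy running-config startup-config
```

After the copy, confirm from the SSM On-Prem host that https://<product-instance-ip>/ answers and that SL_HTTP is listed as active; if either check fails after disabling the plain HTTP server, restore ip http server and re-test before changing anything else.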