Table of Contents

Cisco stuff on need to know bases

see also: Cisco BGP stuff, networking, Secure IOS Template

http://www.netconfigs.com/tools/bgp.htm
http://www.cisco.com/warp/public/459/bgp-toc.html
http://www.caida.org/tools/measurement/cflowd/
http://www.nanog.org/mtg-0510/pdf/deleskie.pdf
http://www.dslreports.com/faq/8979
http://www.dslreports.com/faq/cisco
Cisco pppoe http://www.dslreports.com/faq/8199
Password recoveryhttp://www.cisco.com/warp/public/474/
Phoenix Cisco User Group (PCUG) Cisco tips presentation (local mirror:Cisco tips)

Password reset and configuration reset

  1. Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.
  2. If the break sequence does not work, see Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
  3. Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.
  4. Type reset at the rommon 2> prompt.
  5. The router reboots but ignores its saved configuration.
  6. Type no after each setup question or press Ctrl-C to skip the initial setup procedure.
  7. Type enable at the Router> prompt.You are taken to the enable mode, and the Router# prompt appears.
  8. Important: Type configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.

Do not type configure terminal .

  1. Type write terminal or show running-config .

The show running-config and write terminal commands show the configuration of the router. In this configuration you see under all the interfaces the shutdown command, which means all interfaces are currently shutdown. Also, you can see the passwords (enable password, enable secret, vty, console passwords, and so on) either in encrypted or unencrypted format. The unencrypted passwords can be re-used, the encrypted ones will have to be changed with a new one. #

  1. Type configure terminal and make the changes.
  2. The prompt is now hostname(config)#.
  3. Type enable secret <password> to change the enable secret password, for example.
  4. Issue the no shutdown command on every interface that is used.
  5. If you issue a show ip interface brief command, every interface that you want to use should be “up up”.
  6. Type config-register 0x2102, or the value you recorded in step 2.
  7. Press Ctrl-Z or end to leave the configuration mode.
  8. The prompt is now changed to hostname#.
  9. Type write memory or copy running-config startup-config to commit the changes.
line console/vty x y
exec timeout 0 0
logging synchronous

kako postavis geslo za XY vmesnik:

line console/vty/... 
login
password xxx

Corrupt/missing IOS image

Cisco security tips

Disable:

Cisco config tips

Cisco PIX *

no fixup protocol smtp 25

General security template:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no service config
no service dhcp
no service compress-config  
no ip  http server
no ip bootp server
no ip finger
no ip identd
no ip source-route  
service nagle
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec

ip spd enable
no cdp run
logging buffered 16384
logging trap debugging
logging 169.223.10.20
logging console warnings
ip subnet-zero
ip classless
! Deal with dead connections gracefully
service tcp-keepalives-in
service tcp-keepalives-out
! Do not allow packet to specify their own route
no ip source-route
! Enable Cisco Express Forwarding technology
ip cef

NTP (see also: http://www.nil.com/ipcorner/SecTimeManagement/)

clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!ntp source Loopback0
!ntp master
ntp update-calendar
ntp server x.x.x.x
!ntp broadcast

SNMP

snmp-server community NotTelling RO 1
snmp-server location Somewhere
snmp-server contact Network Operations Centre <noc@net.galaxy>
snmp-server enable traps snmp
snmp-server host 220.144.159.130 SecretToo

DNS

no ip domain-lookup
ip domain-list domain.org
ip domain-list .
ip domain-name domain.org
ip name-server 10.0.0.1
ip name-server 10.1.0.1
line con 0
 exec-timeout 5 0
 password 7 <######>
 login authentication no_tacacs
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 <#######>
 login authentication test
 modem InOut
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 password 7 <########>
 login authentication test
 transport input telnet

General Interface Template:

no ip redirects
no ip direct broadcast
no ip proxy-arp
no ip unreachables
no ip mask-reply
no ip mroute-cache

General Security Template:

service password-encryption
enable secret <removed>
no enable password
! Limit the amount of ICMP traffic (DDOS protection)
rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop
access-list 103 deny tcp any host 10.0.0.1 established

HSRP

Router 1:

interface ethernet 0/0
description Server LAN
ip address 169.223.10.1 255.255.255.0
standby 10 ip 169.223.10.254

Router 2:

interface ethernet 0/0
description Service LAN
ip address 169.223.10.2 255.255.255.0
standby 10 priority 150
standby 10 preempt
standby 10 ip 169.223.10.254

The preempt directive tells router1 and router2 that router2 should be used as default gateway whenever possible.
For example, if router2 were temporarily out of service, it would take over from router1 when it is returned to normal operation.

BGP

router bgp 200
neighbor 215.17.3.1 remote-as 210
neighbor 215.17.3.1 soft-reconfiguration in
neighbor x.x.x.x ebgp-multihop 255
no bgp dampening
“clear ip bgp neighbor 215.17.3.1 soft”.
bgp dampening [[route-map map-name] | [half-life-time reuse-value suppress-value maximumsuppress-time]]
clear ip bgp dampening [<address> <mask>] 

Clear the damping related information. This will also unsuppress the suppressed routes.
Very useful when one of your customers call you about a “unreachable” network that has been suppressed.

Some ISPs use private ASes within their network (typically but not exclusively for customers who multihome onto their backbone). There is a BGP option (CSCdi64489) which prevents any private ASes from being leaked to the Internet:

router bgp 109
neighbor 145.2.2.2 remove-private-AS
DHCP

ip dhcp excluded-address 192.168.10.1

ip dhcp pool my.lan
   network 192.168.10.0 255.255.255.0
   domain-name my.net
   dns-server 212.18.X.X
   default-router 192.168.10.1
   lease 14 0

OSPF

router ospf 100
 network 219.50.10.0 0.0.0.3 area 0
 network 219.10.1.0 0.0.0.3 area 0
 network 220.144.159.64 0.0.0.7 area 0
 network 220.144 159.192 0.0.0.0 area 0
 passive-interface Serial1/0
 passive-interface Serial1/1
 passive-interface Loopback0
 log-adjacency-changes
ACL renumbering

Router(config)#ip access-list resequence MyACL 10 10

vlan up/interface down

no autostate no keepalive

Wireless
dot11 ssid TEST1
mbssid guest-mode
dot11 ssid TEST2
mbssid guest-mode

Then you have to enable mbssid globally on your radio-interface:

interface Dot11Radio0
mbssid
ssid TEST1
ssid TEST2 

interface Dot11Radio1
mbssid
ssid TEST1
ssid TEST2 

Cisco bash policer script

#!/bin/bash
# tnt.aufbix.org
#cir=$(($1*1024*1024))
cir=$(($1*1024*1000))
nburst=$(($cir*3/16))
eburst=$(($nburst*2))
echo "policy-map $1M"
echo "class class-default"
echo "police cir $cir bc $nburst be $eburst conform-action set-dscp-transmit default exceed-action drop  violate-action drop"