Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
cisco [2006/01/30 19:47] 193.77.104.168 |
cisco [2010/07/15 14:59] greebo |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== Cisco stuff on need to know bases ====== | ||
+ | |||
+ | see also: **[[cisco: | ||
+ | |||
+ | |||
+ | |||
+ | ==== Related documents ==== | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | [[http:// | ||
+ | Cisco pppoe [[http:// | ||
+ | Password recovery[[http:// | ||
+ | [[http:// | ||
+ | |||
+ | ==== Password reset and configuration reset ==== | ||
+ | |||
+ | - Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON. | ||
+ | - If the break sequence does not work, see Standard Break Key Sequence Combinations During Password Recovery for other key combinations. | ||
+ | - Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration. | ||
+ | - Type reset at the rommon 2> prompt. | ||
+ | - The router reboots but ignores its saved configuration. | ||
+ | - Type no after each setup question or press Ctrl-C to skip the initial setup procedure. | ||
+ | - Type enable at the Router> prompt.You are taken to the enable mode, and the Router# prompt appears. | ||
+ | - Important: Type configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.\\ | ||
+ | Do not type configure terminal . | ||
+ | - Type write terminal or show running-config . | ||
+ | |||
+ | The show running-config and write terminal commands show the configuration of the router. In this configuration you see under all the interfaces the shutdown command, which means all interfaces are currently shutdown. Also, you can see the passwords (enable password, enable secret, vty, console passwords, and so on) either in encrypted or unencrypted format. The unencrypted passwords can be re-used, the encrypted ones will have to be changed with a new one. | ||
+ | # | ||
+ | |||
+ | - Type configure terminal and make the changes. | ||
+ | - The prompt is now hostname(config)# | ||
+ | - Type enable secret < | ||
+ | - Issue the no shutdown command on every interface that is used. | ||
+ | - If you issue a show ip interface brief command, every interface that you want to use should be "up up". | ||
+ | - Type config-register 0x2102, or the value you recorded in step 2. | ||
+ | - Press Ctrl-Z or end to leave the configuration mode. | ||
+ | - The prompt is now changed to hostname#. | ||
+ | - Type write memory or copy running-config startup-config to commit the changes. | ||
+ | |||
+ | |||
line console/vty x y | line console/vty x y | ||
exec timeout 0 0 | exec timeout 0 0 | ||
Line 12: | Line 56: | ||
password xxx | password xxx | ||
- | General security template: | + | ==== Cisco security tips ==== |
+ | **Disable: | ||
+ | |||
+ | * BOOTP server | ||
+ | * Cisco Discovery Protocol (CDP) | ||
+ | * HTTP Configuration and Monitoring | ||
+ | * Domain Name System (DNS) | ||
+ | * Packet Assembler / Disassembler (PAD) | ||
+ | * Internet Control Message Protocol (ICMP) Redirects | ||
+ | * IP Source Routing | ||
+ | * Finger Service | ||
+ | * Proxy ARP | ||
+ | * IP Directed Broadcast | ||
+ | |||
+ | ==== Cisco config tips ==== | ||
+ | |||
+ | ** Cisco PIX *** | ||
+ | no fixup protocol smtp 25 | ||
+ | |||
+ | **General security template:** | ||
no service finger | no service finger | ||
Line 43: | Line 106: | ||
service tcp-keepalives-in | service tcp-keepalives-in | ||
service tcp-keepalives-out | service tcp-keepalives-out | ||
- | |||
- | ! Set time for UK | ||
- | clock timezone GMT 0 | ||
- | clock summer-time BST recurring | ||
! Do not allow packet to specify their own route | ! Do not allow packet to specify their own route | ||
Line 54: | Line 113: | ||
ip cef | ip cef | ||
- | | + | **NTP** (see also: [[http:// |
+ | clock timezone CET 1 | ||
+ | clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 | ||
+ | !ntp source Loopback0 | ||
+ | !ntp master | ||
ntp update-calendar | ntp update-calendar | ||
- | ntp server | + | ntp server |
+ | !ntp broadcast | ||
+ | **SNMP** | ||
+ | snmp-server community NotTelling RO 1 | ||
+ | snmp-server location Somewhere | ||
+ | snmp-server contact Network Operations Centre < | ||
+ | snmp-server enable traps snmp | ||
+ | snmp-server host 220.144.159.130 SecretToo | ||
+ | |||
+ | **DNS** | ||
no ip domain-lookup | no ip domain-lookup | ||
ip domain-list domain.org | ip domain-list domain.org | ||
Line 88: | Line 160: | ||
- | General Interface Template: | + | **General Interface Template:** |
- | no ip redirect | + | no ip redirects |
no ip direct broadcast | no ip direct broadcast | ||
no ip proxy-arp | no ip proxy-arp | ||
no ip unreachables | no ip unreachables | ||
- | | + | no ip mask-reply |
- | + | no ip mroute-cache | |
- | General Security Template: | + | **General Security Template:** |
service password-encryption | service password-encryption | ||
Line 107: | Line 179: | ||
rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop | rate-limit input access-group 110 2048000 8000 8000 conform-action transmit exceed-action drop | ||
+ | |||
+ | access-list 103 deny tcp any host 10.0.0.1 established | ||
+ | |||
+ | |||
+ | **HSRP** | ||
+ | |||
+ | //Router 1:// | ||
+ | interface ethernet 0/0 | ||
+ | description Server LAN | ||
+ | ip address 169.223.10.1 255.255.255.0 | ||
+ | standby 10 ip 169.223.10.254 | ||
+ | |||
+ | //Router 2:// | ||
+ | interface ethernet 0/0 | ||
+ | description Service LAN | ||
+ | ip address 169.223.10.2 255.255.255.0 | ||
+ | standby 10 priority 150 | ||
+ | standby 10 preempt | ||
+ | standby 10 ip 169.223.10.254 | ||
+ | |||
+ | The preempt directive tells router1 and router2 that router2 should be used as default gateway whenever possible.\\ | ||
+ | For example, if router2 were temporarily out of service, it would take over from router1 when it is returned to normal operation. | ||
+ | |||
+ | |||
+ | **BGP** | ||
+ | |||
+ | router bgp 200 | ||
+ | neighbor 215.17.3.1 remote-as 210 | ||
+ | neighbor 215.17.3.1 soft-reconfiguration in | ||
+ | neighbor x.x.x.x ebgp-multihop 255 | ||
+ | no bgp dampening | ||
+ | |||
+ | |||
+ | “clear ip bgp neighbor 215.17.3.1 soft”. | ||
+ | |||
+ | bgp dampening [[route-map map-name] | [half-life-time reuse-value suppress-value maximumsuppress-time]] | ||
+ | |||
+ | * half-life-time – range is 1 – 45 minutes; current default is 15 minutes. | ||
+ | * reuse-value – range is 1 – 20000; default is 750. | ||
+ | * suppress-value – range is 1 – 20000; default is 2000. | ||
+ | * max-suppress-time – maximum duration a route can be suppressed. Range is 1 – 255; default is four times half-life time (60 minutes). | ||
+ | * show ip bgp dampened-routes – Display all the damped routes with the time remaining to unsuppress. Very useful for find out which sites are having instability problems. | ||
+ | |||
+ | | ||
+ | clear ip bgp dampening [< | ||
+ | |||
+ | Clear the damping related information. This will also unsuppress the suppressed routes.\\ | ||
+ | Very useful when one of your customers call you about a “unreachable” network that has been suppressed. | ||
+ | |||
+ | Some ISPs use private ASes within their network (typically but not exclusively for customers who multihome onto their | ||
+ | backbone). There is a BGP option (CSCdi64489) which prevents any private ASes from being leaked to the Internet: | ||
+ | |||
+ | router bgp 109 | ||
+ | neighbor 145.2.2.2 remove-private-AS | ||
+ | |||
+ | ==DHCP== | ||
+ | ip dhcp excluded-address 192.168.10.1 | ||
+ | ip dhcp pool my.lan | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | lease 14 0 | ||
+ | |||
+ | **OSPF** | ||
+ | |||
+ | router ospf 100 | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | == ACL renumbering == | ||
+ | |||
+ | Router(config)# |