Differences

cisco [2006/01/30 21:55]
193.77.104.168
cisco [2015/05/21 15:00]
zagi
Line 1: Line 1:
 +====== Cisco stuff on need to know bases ======
 +
 +see also: **[[cisco:bgp|Cisco BGP stuff]]**, **[[networking]]**, **[[http://www.cymru.com/Documents/secure-ios-template.html|Secure IOS Template]]**
 +
 +
 +
 +==== Related documents ====
 +[[http://www.netconfigs.com/tools/bgp.htm]]\\
 +[[http://www.cisco.com/warp/public/459/bgp-toc.html]]\\
 +[[http://www.caida.org/tools/measurement/cflowd/]]\\ 
 +[[http://www.nanog.org/mtg-0510/pdf/deleskie.pdf]]\\
 +[[http://www.dslreports.com/faq/8979]]\\
 +[[http://www.dslreports.com/faq/cisco]]\\
 +Cisco pppoe [[http://www.dslreports.com/faq/8199]]\\
 +Password recovery[[http://www.cisco.com/warp/public/474/]]\\
 +[[http://phx-cisco-users.org/index.php|Phoenix Cisco User Group (PCUG)]] Cisco tips [[http://www.ciscoblog.com/docstore/PCUGTips.pdf|presentation]] (local mirror:{{pcugtips.pdf|Cisco tips}})
 +
 +==== Password reset and configuration reset ====
 +
 +  - Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.
 +  - If the break sequence does not work, see Standard Break Key Sequence Combinations During Password Recovery for other key combinations.
 +  - Type confreg 0x2142 at the rommon 1> prompt to boot from Flash without loading the configuration.
 +  - Type reset at the rommon 2> prompt.
 +  - The router reboots but ignores its saved configuration.
 +  - Type no after each setup question or press Ctrl-C to skip the initial setup procedure.
 +  - Type enable at the Router> prompt.You are taken to the enable mode, and the Router# prompt appears.
 +  - Important: Type configure memory or copy startup-config running-config to copy the nonvolatile RAM (NVRAM) into memory.\\
 +    Do not type configure terminal .
 +  - Type write terminal or show running-config .
 +
 +The show running-config and write terminal commands show the configuration of the router. In this configuration you see under all the interfaces the shutdown command, which means all interfaces are currently shutdown. Also, you can see the passwords (enable password, enable secret, vty, console passwords, and so on) either in encrypted or unencrypted format. The unencrypted passwords can be re-used, the encrypted ones will have to be changed with a new one.
 +#
 +
 +  - Type configure terminal and make the changes.
 +  - The prompt is now hostname(config)#.
 +  - Type enable secret <password> to change the enable secret password, for example.
 +  - Issue the no shutdown command on every interface that is used.
 +  - If you issue a show ip interface brief command, every interface that you want to use should be "up up".
 +  - Type config-register 0x2102, or the value you recorded in step 2.
 +  - Press Ctrl-Z or end to leave the configuration mode.
 +  - The prompt is now changed to hostname#.
 +  - Type write memory or copy running-config startup-config to commit the changes.
 +
 +
   line console/vty x y   line console/vty x y
   exec timeout 0 0   exec timeout 0 0
Line 11: Line 55:
   login   login
   password xxx   password xxx
 +  
 +  
 +=== Corrupt/missing IOS image ===
 +
 +   * set BAUD 115200
 +   * upload vix Xmodem
 +
 +==== Cisco security tips ====
 +**Disable:**
 +
 +    * BOOTP server
 +    * Cisco Discovery Protocol (CDP)
 +    * HTTP Configuration and Monitoring
 +    * Domain Name System (DNS)
 +    * Packet Assembler / Disassembler (PAD)
 +    * Internet Control Message Protocol (ICMP) Redirects
 +    * IP Source Routing
 +    * Finger Service
 +    * Proxy ARP
 +    * IP Directed Broadcast
 +
 +==== Cisco config tips ====
 +
 +** Cisco PIX ***
 +  no fixup protocol smtp 25
  
-General security template:+**General security template:**
  
   no service finger   no service finger
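Review bot: `upload vix Xmodem` under "Corrupt/missing IOS image" should read `via Xmodem`, and `** Cisco PIX ***` has an unbalanced bold marker (three trailing asterisks), so it will not render as a heading; use `**Cisco PIX**`. The `no fixup protocol smtp 25` line turns off the PIX SMTP inspection (Mailguard) with no explanation, and since that removes a protective control rather than adding one, a one-line comment on why it is disabled belongs next to it. The `=== Corrupt/missing IOS image ===` heading also drops one level below the surrounding `====` headings.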
Line 43: Line 112:
   service tcp-keepalives-in   service tcp-keepalives-in
   service tcp-keepalives-out   service tcp-keepalives-out
- 
-  ! Set time for UK 
-  clock timezone GMT 0 
-  clock summer-time BST recurring 
  
   ! Do not allow packet to specify their own route   ! Do not allow packet to specify their own route
Line 54: Line 119:
   ip cef   ip cef
  
-  ntp master+**NTP** (see also: [[http://www.nil.com/ipcorner/SecTimeManagement/]]) 
 +  clock timezone CET 1 
 +  clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 
 +  !ntp source Loopback0 
 +  !ntp master
   ntp update-calendar   ntp update-calendar
-  ntp server +  ntp server x.x.x.x 
 +  !ntp broadcast
  
 +**SNMP**
 +  snmp-server community NotTelling RO 1
 +  snmp-server location Somewhere
 +  snmp-server contact Network Operations Centre <noc@net.galaxy>
 +  snmp-server enable traps snmp
 +  snmp-server host 220.144.159.130 SecretToo
 +
 +**DNS**
   no ip domain-lookup   no ip domain-lookup
   ip domain-list domain.org   ip domain-list domain.org
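Review bot: `snmp-server community NotTelling RO 1` restricts the community to access-list 1, but no `access-list 1` is defined in the added lines; add it (permitting only the management hosts) or the restriction is an empty reference. `snmp-server host 220.144.159.130 SecretToo` sends v1/v2c traps with the community string in cleartext, and both community strings here are placeholders that should be marked as such. In the NTP block, `ntp server x.x.x.x` would benefit from `ntp authenticate` and an `ntp authentication-key` line alongside it, or at least a comment that the time source is unauthenticated.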
Line 88: Line 166:
  
  
-General Interface Template: +**General Interface Template:** 
-  no ip redirect+  no ip redirects
   no ip direct broadcast   no ip direct broadcast
   no ip proxy-arp   no ip proxy-arp
   no ip unreachables   no ip unreachables
-  no ip mask-reply +  no ip mask-reply 
- +  no ip mroute-cache
    
  
  
-General Security Template:+**General Security Template:**
  
   service password-encryption   service password-encryption
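Review bot: `no ip direct broadcast` in the interface template is not the IOS command and will be rejected; it should be `no ip directed-broadcast`. The rest of the hunk is fine: `no ip redirect` to `no ip redirects` corrects the keyword, and `no ip mroute-cache` fills the blank line that was there.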
Line 111: Line 189:
  
  
-HSRP+**HSRP**
  
-Router 1:+//Router 1://
   interface ethernet 0/0   interface ethernet 0/0
   description Server LAN   description Server LAN
Line 119: Line 197:
   standby 10 ip 169.223.10.254   standby 10 ip 169.223.10.254
  
-Router 2:+//Router 2://
   interface ethernet 0/0   interface ethernet 0/0
   description Service LAN   description Service LAN
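Review bot: Router 2's `description Service LAN` does not match Router 1's `description Server LAN` on what the HSRP group 10 example presents as the same LAN; align the two descriptions so the standby pair can be matched when troubleshooting.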
Line 131: Line 209:
  
  
-BGP+**BGP**
  
   router bgp 200   router bgp 200
   neighbor 215.17.3.1 remote-as 210   neighbor 215.17.3.1 remote-as 210
   neighbor 215.17.3.1 soft-reconfiguration in   neighbor 215.17.3.1 soft-reconfiguration in
 +  neighbor x.x.x.x ebgp-multihop 255
 +  no bgp dampening
  
  
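Review bot: `neighbor x.x.x.x ebgp-multihop 255` sets the widest possible TTL for an eBGP session; use the hop count actually needed (or `neighbor x.x.x.x ttl-security hops N` where the platform supports it), since 255 accepts session attempts from anywhere on the path. `no bgp dampening` is added here while the text further down this page explains how to configure dampening; state which one the template intends so the two do not contradict each other.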
Line 142: Line 222:
   bgp dampening [[route-map map-name] | [half-life-time reuse-value suppress-value maximumsuppress-time]]   bgp dampening [[route-map map-name] | [half-life-time reuse-value suppress-value maximumsuppress-time]]
  
-*  half-life-time – range is 1 – 45 minutes; current default is 15 minutes. +  *  half-life-time – range is 1 – 45 minutes; current default is 15 minutes. 
-*  reuse-value – range is 1 – 20000; default is 750. +  *  reuse-value – range is 1 – 20000; default is 750. 
-*  suppress-value – range is 1 – 20000; default is 2000. +  *  suppress-value – range is 1 – 20000; default is 2000. 
-*  max-suppress-time – maximum duration a route can be suppressed. Range is 1 – 255; default is four times half-life time (60 minutes). +  *  max-suppress-time – maximum duration a route can be suppressed. Range is 1 – 255; default is four times half-life time (60 minutes). 
-*  show ip bgp dampened-routes – Display all the damped routes with the time remaining to unsuppress. Very useful for find out which sites are having instability problems.+  *  show ip bgp dampened-routes – Display all the damped routes with the time remaining to unsuppress. Very useful for find out which sites are having instability problems. 
 + 
 +   
 +  clear ip bgp dampening [<address> <mask>]  
 + 
 +Clear the damping related information. This will also unsuppress the suppressed routes.\\  
 +Very useful when one of your customers call you about a “unreachable” network that has been suppressed. 
 + 
 +Some ISPs use private ASes within their network (typically but not exclusively for customers who multihome onto their 
 +backbone). There is a BGP option (CSCdi64489) which prevents any private ASes from being leaked to the Internet: 
 + 
 +  router bgp 109 
 +  neighbor 145.2.2.2 remove-private-AS 
 + 
 +==DHCP== 
 +ip dhcp excluded-address 192.168.10.1 
 +  ip dhcp pool my.lan 
 +     network 192.168.10.0 255.255.255.0 
 +     domain-name my.net 
 +     dns-server 212.18.X.X 
 +     default-router 192.168.10.1 
 +     lease 14 0 
 + 
 +**OSPF** 
 + 
 +  router ospf 100 
 +   network 219.50.10.0 0.0.0.3 area 0 
 +   network 219.10.1.0 0.0.0.3 area 0 
 +   network 220.144.159.64 0.0.0.7 area 0 
 +   network 220.144 159.192 0.0.0.0 area 0 
 +   passive-interface Serial1/0 
 +   passive-interface Serial1/1 
 +   passive-interface Loopback0 
 +   log-adjacency-changes 
 + 
 +== ACL renumbering ==  
 + 
 +Router(config)#ip access-list resequence MyACL 10 10\\ 
 + 
 +== vlan up/interface down == 
 + 
 +no autostate 
 +no keepalive 
 + 
 +== Wireless == 
 +  dot11 ssid TEST1 
 +  mbssid guest-mode 
 + 
 +  dot11 ssid TEST2 
 +  mbssid guest-mode 
 + 
 +Then you have to enable mbssid globally on your radio-interface: 
 + 
 +  interface Dot11Radio0 
 +  mbssid 
 +  ssid TEST1 
 +  ssid TEST2  
 +   
 +  interface Dot11Radio1 
 +  mbssid 
 +  ssid TEST1 
 +  ssid TEST2  
 +   
 +== Cisco bash policer script == 
 + 
 +<code bash> 
 +#!/bin/bash 
 +# tnt.aufbix.org 
 +#cir=$(($1*1024*1024)) 
 +cir=$(($1*1024*1000)) 
 +nburst=$(($cir*3/16)) 
 +eburst=$(($nburst*2)) 
 +echo "policy-map $1M" 
 +echo "class class-default" 
 +echo "police cir $cir bc $nburst be $eburst conform-action set-dscp-transmit default exceed-action drop  violate-action drop" 
 + 
 +</code> 
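Review bot: the OSPF line `network 220.144 159.192 0.0.0.0 area 0` has a space where the second dot should be and will not parse; replace the space with a dot. Under `==DHCP==` the first line `ip dhcp excluded-address 192.168.10.1` is not indented like the pool lines below it, so it renders as prose instead of code, and `==DHCP==`, `== ACL renumbering ==` and the following headings use a lower level than the `====` headings above. In the policer script, `police cir` takes bits per second, so `cir=$(($1*1024*1000))` is neither 1 Mbit (1000000) nor 2^20; pick one convention (the commented-out `1024*1024` or `1000*1000`) and state it in a comment. The script also uses `conform-action set-dscp-transmit default`, which rewrites the DSCP of conforming traffic; if marking is not intended, `conform-action transmit` is the plain action.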
cisco.txt · Last modified: 2015/05/21 15:01 by zagi
CC Attribution-Share Alike 4.0 International