Differences
This shows you the differences between two versions of the page.
cisco [2006/01/30 22:56] 193.77.104.168
cisco [2015/05/21 15:01] (current) zagi [Cisco config tips]
Line 1: | Line 1: | ||
+ | ====== Cisco stuff on need to know bases ====== | ||
+ | |||
+ | see also: **[[cisco: | ||
+ | |||
+ | |||
+ | |||
+ | ==== Related documents ==== | ||
+ | [[http:// | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
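Review bot: the new page title reads `Cisco stuff on need to know bases`; `basis` is the intended word. The `see also:` link and the first `Related documents` link are cut off at `[[http://` in this rendering, so their targets cannot be checked here.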
Line 6: | Line 14: | ||
Cisco pppoe [[http:// | Cisco pppoe [[http:// | ||
Password recovery[[http:// | Password recovery[[http:// | ||
+ | [[http:// | ||
+ | |||
+ | ==== Password reset and configuration reset ==== | ||
- Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON. | - Press Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON. | ||
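Review bot: `Password recovery[[http://` is missing a space before the link, so it renders fused with the preceding word. The new `==== Password reset and configuration reset ====` heading is otherwise well placed above the `- Press Break on the terminal keyboard ...` step, since that procedure is the start of the reset sequence.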
Line 44: | Line 55: | ||
login | login | ||
password xxx | password xxx | ||
+ | | ||
+ | | ||
+ | === Corrupt/ | ||
+ | |||
+ | * set BAUD 115200 | ||
+ | * upload vix Xmodem | ||
+ | |||
+ | ==== Cisco security tips ==== | ||
+ | **Disable: | ||
+ | |||
+ | * BOOTP server | ||
+ | * Cisco Discovery Protocol (CDP) | ||
+ | * HTTP Configuration and Monitoring | ||
+ | * Domain Name System (DNS) | ||
+ | * Packet Assembler / Disassembler (PAD) | ||
+ | * Internet Control Message Protocol (ICMP) Redirects | ||
+ | * IP Source Routing | ||
+ | * Finger Service | ||
+ | * Proxy ARP | ||
+ | * IP Directed Broadcast | ||
+ | |||
+ | ==== Cisco config tips ==== | ||
+ | |||
+ | ** Cisco PIX *** | ||
+ | no fixup protocol smtp 25 | ||
- | General security template: | + | **General security template:** |
no service finger | no service finger | ||
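Review bot: the `**Disable:**` list names ten services but the template that follows shows only `no service finger` for them; listing the matching IOS command next to each item (for example `no ip bootp server`, `no cdp run`, `no ip http server`, `no service pad`, `no ip source-route`) would make the tips actionable. Style points in the same hunk: `** Cisco PIX ***` has an unbalanced bold marker (`**` opened, `***` closed) and will not render as intended, and `upload vix Xmodem` should read `via`. The unchanged context `login` / `password xxx` documents a line password; if the template is meant as a hardening reference, note where `login local` or AAA should replace it.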
Line 76: | Line 112: | ||
service tcp-keepalives-in | service tcp-keepalives-in | ||
service tcp-keepalives-out | service tcp-keepalives-out | ||
- | |||
- | ! Set time for UK | ||
- | clock timezone GMT 0 | ||
- | clock summer-time BST recurring | ||
! Do not allow packet to specify their own route | ! Do not allow packet to specify their own route | ||
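Review bot: the blank line separating `service tcp-keepalives-out` from `! Do not allow packet to specify their own route` goes away with the removed clock block, leaving the two templates run together; keep a separator. The comment should also read `packets`. The clock settings themselves reappear under NTP in the next hunk with CET values, so nothing is lost by the removal.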
Line 87: | Line 119: | ||
ip cef | ip cef | ||
- | NTP | + | **NTP** (see also: [[http:// |
+ | clock timezone CET 1 | ||
+ | clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00 | ||
!ntp source Loopback0 | !ntp source Loopback0 | ||
!ntp master | !ntp master | ||
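Review bot: the NTP section now carries only clock settings: `!ntp source Loopback0` and `!ntp master` stay commented out, so the template documents time zone and DST but configures no time source. State which of the commented lines should be enabled, and note that `ntp master` makes the router an authoritative stratum source, which is only appropriate when it has no upstream server. The added `clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00` matches the IOS syntax and the EU DST rule.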
Line 94: | Line 128: | ||
!ntp broadcast | !ntp broadcast | ||
- | SNMP | + | **SNMP** |
snmp-server community NotTelling RO 1 | snmp-server community NotTelling RO 1 | ||
snmp-server location Somewhere | snmp-server location Somewhere | ||
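Review bot: `snmp-server community NotTelling RO 1` is kept as the example, but the ACL `1` that restricts it is not shown in the hunk; document that ACL alongside the community, since the read-only community is only as safe as its source restriction, and mark `NotTelling` as a placeholder so readers do not copy it verbatim. SNMPv1/v2c community strings travel in cleartext; SNMPv3 with authentication and privacy is the stronger choice where the management station supports it.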
Line 101: | Line 135: | ||
snmp-server host 220.144.159.130 SecretToo | snmp-server host 220.144.159.130 SecretToo | ||
- | DNS | + | **DNS** |
no ip domain-lookup | no ip domain-lookup | ||
ip domain-list domain.org | ip domain-list domain.org | ||
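Review bot: `snmp-server host 220.144.159.130 SecretToo` uses a routable public address as the trap receiver in a template; copied verbatim it would send traps, and the community `SecretToo`, to that address. Use a documentation range such as 192.0.2.0/24 (RFC 5737) for placeholders. Also, `no ip domain-lookup` disables DNS resolution on the router, which appears to leave the following `ip domain-list domain.org` with no effect; keep one or the other, or say why both are present.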
Line 132: | Line 166: | ||
- | General Interface Template: | + | **General Interface Template:** |
- | no ip redirect | + | no ip redirects |
no ip direct broadcast | no ip direct broadcast | ||
no ip proxy-arp | no ip proxy-arp | ||
no ip unreachables | no ip unreachables | ||
- | | + | no ip mask-reply |
- | + | no ip mroute-cache | |
- | General Security Template: | + | **General Security Template:** |
service password-encryption | service password-encryption | ||
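Review bot: `no ip redirect` is corrected to `no ip redirects`, but the context line `no ip direct broadcast` is still not the IOS keyword; the interface command is `no ip directed-broadcast`, so fix it in the same pass. The added `no ip mask-reply` and `no ip mroute-cache` are valid interface commands, though `mroute-cache` is unrelated to hardening and would read better with a `!` comment, as the other templates on the page use.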
Line 155: | Line 189: | ||
- | HSRP | + | **HSRP** |
- | Router 1: | + | //Router 1:// |
interface ethernet 0/0 | interface ethernet 0/0 | ||
description Server LAN | description Server LAN | ||
Line 163: | Line 197: | ||
standby 10 ip 169.223.10.254 | standby 10 ip 169.223.10.254 | ||
- | Router 2: | + | //Router 2:// |
interface ethernet 0/0 | interface ethernet 0/0 | ||
description Service LAN | description Service LAN | ||
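Review bot: Router 2's interface is described as `Service LAN` while Router 1's is `Server LAN`; both members of the same HSRP group should carry the same description, so one is likely a typo. The context also shows `standby 10 ip 169.223.10.254` with no standby authentication line; if the template is meant as a reference, show the HSRP authentication used or state that it is omitted.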
Line 175: | Line 209: | ||
- | BGP | + | **BGP** |
router bgp 200 | router bgp 200 | ||
Line 206: | Line 240: | ||
neighbor 145.2.2.2 remove-private-AS | neighbor 145.2.2.2 remove-private-AS | ||
- | OSPF | + | ==DHCP== |
+ | ip dhcp excluded-address 192.168.10.1 | ||
+ | ip dhcp pool my.lan | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | lease 14 0 | ||
+ | |||
+ | **OSPF** | ||
router ospf 100 | router ospf 100 | ||
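Review bot: the new `==DHCP==` heading uses DokuWiki `==` markup while the sibling sections (`**NTP**`, `**SNMP**`, `**OSPF**`) use bold, so it renders at a different level; pick one style. The pool body between `ip dhcp pool my.lan` and `lease 14 0` shows only blank lines in this rendering (no network, default-router or dns-server visible), so the example cannot be checked, and `ip dhcp excluded-address 192.168.10.1` reserves only the gateway address, so any other statically addressed hosts in that subnet need excluding as well.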
Line 218: | Line 261: | ||
| | ||
+ | == ACL renumbering == | ||
+ | |||
+ | Router(config)# | ||
+ | |||
+ | == vlan up/ | ||
+ | |||
+ | no autostate | ||
+ | no keepalive | ||
+ | |||
+ | == Wireless == | ||
+ | dot11 ssid TEST1 | ||
+ | mbssid guest-mode | ||
+ | |||
+ | dot11 ssid TEST2 | ||
+ | mbssid guest-mode | ||
+ | |||
+ | Then you have to enable mbssid globally on your radio-interface: | ||
+ | |||
+ | interface Dot11Radio0 | ||
+ | mbssid | ||
+ | ssid TEST1 | ||
+ | ssid TEST2 | ||
+ | | ||
+ | interface Dot11Radio1 | ||
+ | mbssid | ||
+ | ssid TEST1 | ||
+ | ssid TEST2 | ||
+ | | ||
+ | ==== Cisco bash policer script ==== | ||
+ | |||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | # tnt.aufbix.org | ||
+ | # | ||
+ | cir=$(($1*1024*1000)) | ||
+ | nburst=$(($cir*3/ | ||
+ | eburst=$(($nburst*2)) | ||
+ | echo " | ||
+ | echo "class class-default" | ||
+ | echo " | ||
+ | |||
+ | </ | ||
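Review bot: the policer script uses `$1` with no check that an argument was given or is numeric, so `cir=$(($1*1024*1000))` fails with an arithmetic error on an empty argument; add a usage check such as `[ -n "$1" ] || { echo "usage: $0 <mbit>"; exit 1; }` at the top. The multiplier mixes 1024 and 1000, so the result is neither Mbit/s times 10^6 nor 2^20; state the intended unit. The `<code bash>` block's closing tag, the `nburst=` expression and the `echo` lines are cut off in this rendering, as is the `Router(config)#` command under `ACL renumbering`, so those cannot be checked. In the wireless section, the `dot11 ssid TEST1` / `TEST2` definitions show `mbssid guest-mode` but no authentication or encryption lines, so as shown they are open networks; either add the security settings or say the snippet covers only multi-SSID beaconing.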