Difference between revisions of "InfoInfo - Cisco"
Latest revision as of 19:45, 20 December 2007
Extracted from Cisco administration 101: Learn 10 commands to configure on a new router (http://articles.techrepublic.com.com/5100-1035-5890434.html?tag=nl.e115) by David Davis
When it comes to configuring a new Cisco router, much of the configuration depends on what type of router it is as well as the purpose it will serve. However, there are certain things you should configure on every new Cisco router.
Hasn't there been a command that you wished Cisco would make standard on every router? Every administrator has his or her own list of commands they use to configure a router "just right."
Here's my list of 10 commands that I think you should configure on every router (in no particular order). After you read through them, post your own favorites in this article's discussion.
Configure a login account on the router, and use it on lines
I highly recommend configuring a real username and password account on routers and switches. That way, someone needs both a username and a password to gain access.
In addition, I recommend using a secret password for the username—not just a regular password. This encrypts the password with strong MD5 encryption and enhances security.
Here's an example:
Router(config)# username root secret My$Password
After you've configured the username, you must enable the lines to use that name. Here's an example:
<pre>
Router(config)# line con 0
Router(config-line)# login local
Router(config)# line aux 0
Router(config-line)# login local
Router(config)# line vty 0 4
Router(config-line)# login local
</pre>
Set a hostname on your router
The default hostname on a router is—you guessed it—router. You can leave this default, and the router will still work. However, it only makes sense to rename the router to something that will uniquely identify it. Here's an example:
Router(config)# hostname Router-Branch-23
In addition, you can configure a domain name on the router so it knows which DNS domain it's in. Here's an example:
Router-Branch-23(config)# ip domain name TechRepublic.com
Set a password to enter Privileged Mode
When it comes to setting a password to enter Privileged Mode, many people think of using the enable password command. However, I highly recommend using the enable secret command instead (see http://articles.techrepublic.com.com/5100-1035-5596832-2.html).
This command encrypts the password with strong MD5 encryption so the prompt won't display it in clear text. Here's an example:
Router(config)# enable secret My$Password
Encrypt router passwords
Cisco routers don't encrypt passwords in their configuration by default (see http://articles.techrepublic.com.com/5100-1035_11-5634475.html). However, you can easily change this. Note that the encoding this command applies (type 7) is reversible and only hides passwords from someone glancing at the configuration; the secret forms used above are the ones that actually hash the password. Here's an example:
Router(config)# service password-encryption
Disable the Web server
Cisco routers also enable the Web server by default, which is a security risk. If you aren't going to use it, it's better to just turn it off. Here's an example:
Router(config)# no ip http server
Configure DNS, or disable DNS lookup
Let's talk about one of my personal pet peeves about Cisco routers: By default, if you mistype a command in Privileged Mode, the router thinks you're trying to Telnet to a remote host. So it performs a DNS lookup on what you entered.
If you haven't configured DNS on the router, the command prompt will hang until the DNS lookup fails. For that reason, I recommend one of two approaches.
One option is to disable DNS. Here's how:
Router(config)# no ip domain-lookup
Or, you can configure DNS properly to go to a real DNS server. Here's an example:
Router(config)# ip name-server 1.11.1
Configure command aliases
Many network administrators have standard router command shortcuts (i.e., aliases) that they configure on every router (see http://articles.techrepublic.com.com/5100-1035_11-5855141.html). Here's an example:
Router(config)# alias exec s sh run
This means you can now enter s rather than typing the entire show running-configuration command.
Set the router's clock, or configure an NTP server
Most Cisco devices don't have an internal clock. When they boot up, they don't know what time it is. Even if you set the time, the router won't retain the information if you turn it off or reload it.
First, however, set your time zone and Daylight Saving Time. Here's an example:
<pre>
Router(config)# clock timezone CST -6
Router(config)# clock summer-time CDT recurring
</pre>
Then, to ensure a router's event messages display the right time, either set the clock on the router, or configure an NTP server (see http://articles.techrepublic.com.com/5100-1035_11-5712046.html). Here's an example of setting the clock:
Router# clock set 10:54:00 Oct 5 2005
If you already have an NTP server on your network (or the router has access to the Internet), you can instruct the router to use that as the time source. This is your best option—when the router boots, it will always set the clock by the NTP server. Here's an example:
Router(config)# ntp server 132.163.4.101
Stop logging messages from interrupting your configuration
Another personal Cisco IOS annoyance I have is when I'm configuring the router, and console messages just pop up on the line (which could be a console, auxiliary, or VTY port). To prevent this, you have some options.
If you're on the console, you can either disable console logging with the global configuration command no logging console, or synchronize the logging messages with your command prompt. (I personally prefer the latter—I want to see what's going on with the router.)
So, on every line, I use the logging synchronous command. Here's an example:
<pre>
Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config)# line aux 0
Router(config-line)# logging synchronous
Router(config)# line vty 0 4
Router(config-line)# logging synchronous
</pre>
In addition, you can change the exec-timeout on these interfaces while you're at it. For example, let's say you want to disable the default 10-minute timeout on the VTY lines. To do so, use the exec-timeout 0 0 command when in Line Configuration Mode. This keeps the router from disconnecting after 10 minutes of inactivity. Bear in mind that a disabled timeout also keeps an abandoned remote session logged in indefinitely, so on VTY lines a short non-zero value is the safer choice.
Log system messages to the router's buffer or a syslog server
Capturing errors and events on a router and monitoring the console can be critical to problem-solving. By default, the router doesn't send buffered logging of its events to the router's memory.
However, you can configure the router to send buffered logging of its events to the memory. Here's an example:
Router(config)# logging buffered 16384
You could also send the router's events to a syslog server. Since it's external to the router, there's an added benefit: It preserves events even if the router loses power.
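As an added example (not from the article, and not a Cisco tool), here is a small Python audit that checks a saved running-config against the items above; SAMPLE_CONFIG is a constructed text, and a real show running-config capture is passed to audit_config the same way.

```python
"""Audit a Cisco IOS running-config against the checklist in this article.
Added example, not from the original article; SAMPLE_CONFIG is constructed
and matching is line-based and deliberately simple."""
import re

# Constructed sample: some recommendations applied, others missing (no
# 'enable secret', web server on, no NTP, no 'login local' on the vty lines).
SAMPLE_CONFIG = """\
hostname Router-Branch-23
enable password cisco123
service password-encryption
username root secret 5 $1$abcd$PLACEHOLDERHASH
ip http server
no ip domain-lookup
logging buffered 16384
line con 0
 login local
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous
"""


def parse_line_sections(config):
    """Return {line_name: [sub-commands]} for every 'line ...' stanza."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit_config(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = config.splitlines()

    def present(pattern):  # anchored at line start: 'no ip http server' != 'ip http server'
        return any(re.match(pattern, line) for line in lines)

    required = [
        (r"enable secret ", "no 'enable secret' configured"),
        (r"service password-encryption", "'service password-encryption' missing"),
        (r"ntp server ", "no NTP server configured"),
        (r"logging buffered", "'logging buffered' missing"),
    ]
    forbidden = [
        (r"enable password ", "'enable password' present; use 'enable secret'"),
        (r"ip http server", "HTTP server enabled; 'no ip http server' recommended"),
        (r"hostname Router$", "default hostname still set"),
    ]
    findings = [msg for pat, msg in required if not present(pat)]
    findings += [msg for pat, msg in forbidden if present(pat)]
    if not (present(r"no ip domain-lookup") or present(r"ip name-server ")):
        findings.append("DNS neither disabled nor pointed at a name server")
    for name, cmds in parse_line_sections(config).items():
        for needed in ("login local", "logging synchronous"):
            if needed not in cmds:
                findings.append(f"line {name}: '{needed}' not set")
    return findings
```

Running audit_config on the sample reports five findings; a config that applies every item in the list returns an empty list.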
Show Mac Addresses of Connections
The easiest way to see which Ethernet MAC address is on which port is to use the show mac-address-table command. Here is an example:
<pre>
switch# show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.e9e2.2d7d    DYNAMIC     Fa0/5
   1    0009.0f30.07e9    DYNAMIC     Fa0/48
   1    0009.5bbc.af04    DYNAMIC     Fa0/28
   1    00e0.bb2c.30d1    DYNAMIC     Gi0/1
   1    00e0.bb2c.3e5f    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 5
</pre>
See http://blogs.techrepublic.com.com/networking/?p=382&tag=nl.e115
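As an added example (not from the article or from Cisco), the following Python parses show mac-address-table output like the listing above, checks the row count against the switch's own "Total" footer, and groups learned addresses by port so that a port carrying more MACs than expected stands out; SAMPLE_OUTPUT is the listing above embedded as a constructed string.

```python
"""Parse 'show mac-address-table' output and group learned MACs by port.

Added example, not from the original article or from Cisco. SAMPLE_OUTPUT
reproduces the listing above as a constructed string; a real capture is
fed in the same way.
"""
import re
from collections import defaultdict

SAMPLE_OUTPUT = """\
switch# show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0007.e9e2.2d7d    DYNAMIC     Fa0/5
   1    0009.0f30.07e9    DYNAMIC     Fa0/48
   1    0009.5bbc.af04    DYNAMIC     Fa0/28
   1    00e0.bb2c.30d1    DYNAMIC     Gi0/1
   1    00e0.bb2c.3e5f    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted-hex MAC, learning type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
TOTAL_RE = re.compile(r"^Total Mac Addresses for this criterion:\s*(\d+)", re.I)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples, one per table row."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), port))
    return entries


def declared_total(text):
    """The count the switch printed, or None if the footer is missing
    (a mismatch with len(parse_mac_table(text)) means a truncated capture)."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def macs_by_port(entries):
    """Map each port to the list of MACs learned on it."""
    ports = defaultdict(list)
    for _vlan, mac, _kind, port in entries:
        ports[port].append(mac)
    return dict(ports)


def ports_over_limit(entries, max_macs=1):
    """Ports that learned more than max_macs addresses: expected on an uplink
    such as Gi0/1, but on an access port a sign to review port security."""
    return {port: macs for port, macs in macs_by_port(entries).items()
            if len(macs) > max_macs}
```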
Show Cisco IOS ACL Port Numbers
See http://blogs.techrepublic.com.com/networking/?p=326&tag=nl.e115
<pre>
Router(config)# access-list 151 permit tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)
Router(config)# access-list 151 permit tcp any any eq
</pre>
You’ll notice some familiar and frequently used ports in this list, including:
* WWW — port 80
* Telnet — port 23
* SMTP — port 25
* FTP and FTP-data — ports 21 and 20
* Domain (actually DNS) — port 53
* BGP — port 179
Basics of Switch Port Security
See http://blogs.techrepublic.com.com/security/?p=320&tag=nl.e115
Check out the Cisco Routers and Switches Archive (http://techrepublic.com.com/1200-1035-5685066.html), and catch up on David Davis' most recent columns.