Archive for the ‘networking’ Category.

The Heretical Sysadmin: Outbound ACLs need to die

It's time. The idea that all your servers need to be ACL'd by default so that they can't talk to the internet is dying and needs to be put out of its misery.



Cisco IOS Router Setup

I’ve been a Unix SA/SE for about 16 years and my hands-on knowledge of IOS has always been limited due to limited console time on Cisco routers. However, now I’m studying to get a CCNA. Certificates are kinda lame, but I’ve run into times when it would be useful.

This is going to be a growing list of all the global configuration commands I come up with that are useful when setting up a router/switch for the first time (or for enforcing policy on all routers/switches). It is going to start out fairly sparse.

Basic

hostname <routername>
ip domain-name <dns name>

Sets the hostname and domain name.

Convenience

line console 0
  logging synchronous

Sets synchronous output on the console.

Security

enable password foo
enable secret bar

Sets the enable password. Only "enable secret" should be used, since it stores a hash of the password in the config instead of the clear-text password.

service password-encryption

Sets up weak password encryption to obscure the remaining clear-text passwords in the router config. It hides them from a casual look at the config but is trivially reversible, so it is no substitute for "enable secret".

line vty 0 4
  login
  password foo
  logging synchronous

Sets synchronous output on the first 5 telnet vtys and sets a login password for those lines.

banner login #

    Authorized uses only.  All activity may be monitored and reported.

#

Sets a multi-line banner displayed before the password prompt for telnet.

banner motd #

    Authorized uses only.  All activity may be monitored and reported.

#

Sets a multi-line banner displayed before the password prompt for telnet *and* on console login (better).

Logging

archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys

Sets up an archive history of router configuration commands, sent to syslog in plain text with passwords/keys hidden.

Time

clock timezone UTC 0

Sets the timezone of the router manually.

clock set 02:11:25 Feb 15 2010
clock update-calendar

These are not entered in configuration mode; they set the software clock and then write it to the hardware clock (calendar).

ntp server 10.1.1.1
ntp server 10.1.1.2 prefer
ntp server 10.1.1.3
ntp update-calendar

Sets the router up as an NTP client, and uses NTP to sync the hardware clock.

DNS

ip name-server 10.1.1.1
ip name-server 10.1.1.2

Sets the nameservers used for DNS queries.

ip domain-lookup

Enables DNS lookups. Network engineers (NEs) often disable this so that mistyped commands are not looked up in DNS as hostnames, but that globally disables DNS lookups inside commands as well.

Spanning Tree

spanning-tree mode rapid-pvst

Uses Rapid-PVST by default everywhere.

SNMP
TACACS

MISC

ip subnet-zero

Allows subnet-zero IP addresses.

system mtu jumbo 9000

Sets jumbo frames on 3750/3560/49xx switches.
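As an added example (not from the original post), here is a small Python check that reads a saved running-config as text and reports which of the security, banner and NTP items from this checklist are missing. The sample config is constructed for the example, and the parser assumes IOS's convention that sub-mode lines are indented under their parent line.

```python
# Constructed sample running-config (not from a real device): it has only
# some of the checklist items from the post applied.
SAMPLE_CONFIG = """\
hostname rtr1
ip domain-name example.test
enable password foo
service password-encryption
no ip domain-lookup
line console 0
  logging synchronous
line vty 0 4
  password foo
  logging synchronous
ntp server 10.1.1.1
"""

def parse_sections(config):
    """Return (top-level lines, {top-level line: [its indented child lines]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())      # sub-mode line
        else:
            current = raw.strip()                      # global-config line
            sections[current] = []
            top.append(current)
    return top, sections

def audit_config(config):
    """Return one finding string per checklist item the config does not meet."""
    top, sections = parse_sections(config)
    findings = []
    if not any(g.startswith("enable secret ") for g in top):
        findings.append("no 'enable secret' configured")
    if any(g.startswith("enable password ") for g in top):
        findings.append("'enable password' present; use 'enable secret' only")
    if "service password-encryption" not in top:
        findings.append("service password-encryption not enabled")
    if not any(g.startswith(("banner login ", "banner motd ")) for g in top):
        findings.append("no login/motd banner configured")
    for header, body in sections.items():
        # Remote vty lines must require authentication ('login' or 'login local').
        if header.startswith("line vty") and not any(
                l == "login" or l.startswith("login ") for l in body):
            findings.append(f"{header}: remote access without 'login'")
    if not any(g.startswith("ntp server ") for g in top):
        findings.append("no NTP servers configured")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```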
