Monday, April 4, 2011

Cisco Best Practice - Turn off http, telnet and enable https, ssh

ip domain-name cisco.local
ip ssh version 2
no ip http server
ip http secure-server
line vty 0 15
transport input ssh

Configuring Cisco EtherChannel Load Balancing Method

- Use the source and destination IP addresses when calculating which link to send traffic across

Switch(config)#port-channel load-balance src-dst-ip

Unidirectional Link Detection (UDLD) Cisco Switch Configuration

- Unidirectional links can cause problems such as spanning-tree loops, black holes, and non-deterministic forwarding
- Unidirectional Link Detection (UDLD) detects a Unidirectional link and disables the interface

Switch(config)#udld enable

Rapid Per-VLAN Spanning-Tree (PVST+) Cisco Switch Configuration

- Instance of RSTP per VLAN
- Improves detection of indirect failures over classic spanning tree (802.1D)
- Even if the network has no layer 2 loops, you should still enable spanning tree to protect against unexpected layer 2 loops

Switch(config)#spanning-tree mode rapid-pvst

Virtual Trunk Protocol (VTP) Cisco Switch Configuration Best Practices

Virtual Trunk Protocol (VTP) allows you to configure a VLAN on one switch and have it propagate to all the other switches in the network. Cisco best practice is to not use VTP because of the potential issues it can cause, and to put the switch in transparent mode.

Switch(config)#vtp mode transparent

Enable Stateful Switchover (SSO) on Cisco Switch Supervisor Modules

Stateful Switchover (SSO) synchronizes process and configuration information between supervisor modules to enable a fast transparent failover.

Router(config)# redundancy
Router(config-red)# mode sso
Router(config-red)# end
Router# show redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit = Primary
Unit ID = 5

Redundancy Mode (Operational) = sso
Redundancy Mode (Configured) = sso
Split Mode = Disabled
Manual Swact = Enabled
Communications = Up

client count = 29
client_notification_TMR = 30000 milliseconds
keep_alive TMR = 9000 milliseconds
keep_alive count = 1
keep_alive threshold = 18
RF debug mask = 0x0
Router#

Set Cisco Stack Master Placement in Switch Stack

- Multiple Catalyst 2960-S or 3750-X switches configured in stack
- One switch in stack (Master Switch) controls operation of stack
- With 3 or more switches in the stack, configure the switch that has no uplinks as the master switch

Set Stack Master Switch:
switch [switch number] priority 15

Ensure original master MAC address remains stack MAC address after failure:
stack-mac persistent timer 0

Sunday, April 3, 2011

Configure QoS Rate Limiting and Priority Queuing Cisco ASA/PIX Firewall

Note: Only packets with normal priority can be policed. Packets with high priority are not policed.

- Maximum rate for tcp_traffic class is 56,000 bits/second, maximum burst size is 10,500 bytes/second
- Traffic in the voice class has no policed maximum speed or burst rate because it belongs to a priority class
- Priority queue on interface outside queue-limit is 2048 packets, and tx-ring-limit is 256 packets

hostname(config)#access-list tcp_traffic permit tcp any any
hostname(config)#class-map tcp_traffic
hostname(config-cmap)#match access-list tcp_traffic

hostname(config)#class-map voice
hostname(config-cmap)#match dscp ef

hostname(config)#policy-map qos
hostname(config-pmap)#class tcp_traffic
hostname(config-pmap-c)#police output 56000 10500
hostname(config-pmap-c)#class voice
hostname(config-pmap-c)#priority

hostname(config)#service-policy qos interface outside

hostname(config)#priority-queue outside
hostname(config-priority-queue)#queue-limit 2048
hostname(config-priority-queue)#tx-ring-limit 256
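To see what "police output 56000 10500" does to a burst of traffic, here is an added Python simulation of a single-rate token-bucket policer using the values from this post (example code, not the ASA's implementation, whose internal policer may differ in detail). It treats the conform rate as bits per second and the burst value as a bucket depth in bytes, and drops exceeding packets, which is the ASA's default exceed action.

```python
# Single-rate token-bucket policer with the page's values from 'police output 56000 10500':
# conform rate 56,000 bit/s, burst (bucket depth) 10,500 bytes. Constructed illustration,
# not ASA code; the ASA's internal policer may differ in detail.
CONFORM_RATE_BPS = 56000
CONFORM_BURST_BYTES = 10500

class TokenBucketPolicer:
    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_s = rate_bps / 8.0   # tokens are bytes, so convert bit/s
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)         # bucket starts full
        self.last_time = 0.0

    def offer(self, timestamp, size_bytes):
        """Classify one packet arriving at timestamp (seconds): 'conform' or 'exceed'."""
        elapsed = timestamp - self.last_time
        self.last_time = timestamp
        # refill at the conform rate, never above the burst depth
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes_per_s)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "conform"
        return "exceed"   # exceeding packets are dropped under the ASA's default action

def police_trace(packets, rate_bps=CONFORM_RATE_BPS, burst_bytes=CONFORM_BURST_BYTES):
    """Run a list of (timestamp, size_bytes) packets through a fresh policer."""
    policer = TokenBucketPolicer(rate_bps, burst_bytes)
    return [policer.offer(t, size) for t, size in packets]

# Constructed trace: ten 1500-byte segments arriving together at t=0, then one more a
# second later, by which time 56,000 bit/s has refilled 7,000 bytes of credit.
SAMPLE_TRACE = [(0.0, 1500)] * 10 + [(1.0, 1500)]

if __name__ == "__main__":
    for (t, size), verdict in zip(SAMPLE_TRACE, police_trace(SAMPLE_TRACE)):
        print(f"t={t:.1f}s {size}B -> {verdict}")
```

The first seven segments fit the 10,500-byte bucket, the next three exceed it, and the packet a second later conforms again because 7,000 bytes of credit have accrued.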

Configuring Loopback Interfaces on a Cisco Router

- Primarily used for troubleshooting, router management, and protocol enhancement

router(config)#interface loopback0
router(config-if)#

The "Do" Command on a Cisco Router

The "do" command allows you to run "show" commands while in config mode, so that you don't have to exit back to privileged mode to check your work while configuring a router.

Example:

router(config)#do show interface f0/1

router(config-if)#do show run

Saturday, April 2, 2011

Netgear WNDR3700 Dual Band Wireless-N Gigabit Router default login username password

Default IP address: 192.168.1.1
Default username: "admin"
Default password: "password"

D-Link DIR-655 Xtreme N Gigabit Router default login username password

Default IP address: 192.168.0.1
Default username: "admin"
Default password: Blank

Cisco Linksys e3000 High Performance Wireless-N Router default login username password

Default IP address: 192.168.1.1
Default username: Blank
Default password: "admin"

Buffalo NFiniti WZR-HP-G300NH default login username password

Default IP address: 192.168.11.1
Username and password: Set on first access

Belkin N600 HD default login username password

Default IP address: 192.168.1.1
Default username and password: None

2-Wire 2701HGV-B (AT&T) default login username password

Default IP address: 192.168.1.25
Default username: None
Default password: Printed on the bottom of the modem

Dynamic Multipoint VPN (DMVPN) Cisco Router Configuration Example

How to Configure Dynamic Multipoint VPN (DMVPN) on a Cisco Router:

DMVPN uses a hub and spoke configuration to build site-to-site VPNs with a full mesh topology. I often use DMVPN as a backup solution for MPLS.

DMVPN Hub Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/0/4
ip vrf forwarding INET-PUBLIC
ip address 10.4.32.33 255.255.255.248
no shutdown
!
ip route vrf INET-PUBLIC 0.0.0.0 0.0.0.0 10.4.32.35

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC

interface Tunnel10
bandwidth 10000
ip address 10.4.34.1 255.255.254.0
no ip redirects
ip mtu 1400
ip hold-time eigrp 200 35
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp redirect
ip tcp adjust-mss 1360
no ip split-horizon eigrp 200
tunnel source GigabitEthernet0/0/3
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE

DMVPN Spoke Router Configuration:

ip vrf INET-PUBLIC
rd 65512:1

interface GigabitEthernet0/1
ip vrf forwarding INET-PUBLIC
ip address dhcp
ip access-group ACL-INET-PUBLIC in
no shutdown

ip access-list extended ACL-INET-PUBLIC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit icmp any any echo
permit icmp any any echo-reply
permit udp any any eq bootpc

crypto keyring DMVPN-KEYRING vrf INET-PUBLIC
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
encr aes 256
hash sha
authentication pre-share
group 2
!
crypto isakmp keepalive 30 5
!
crypto isakmp profile FVRF-ISAKMP-INET-PUBLIC
keyring DMVPN-KEYRING
match identity address 0.0.0.0 INET-PUBLIC
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN-PROFILE
set transform-set AES256/SHA/TRANSPORT
set isakmp-profile FVRF-ISAKMP-INET-PUBLIC


interface Tunnel10
bandwidth 1500
ip address 10.4.34.201 255.255.254.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map 10.4.34.1 172.16.130.1
ip nhrp map multicast 172.16.130.1
ip nhrp network-id 101
ip nhrp holdtime 600
ip nhrp nhs 10.4.34.1
ip nhrp registration no-unique
ip nhrp shortcut
ip tcp adjust-mss 1360
ip summary-address eigrp 200 10.5.40.0 255.255.248.0
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel vrf INET-PUBLIC
tunnel protection ipsec profile DMVPN-PROFILE

Friday, April 1, 2011

Configure IP Multicast Routing on Cisco Router

Rendezvous Point Routers (two):

ip multicast-routing
!
interface Loopback0
ip pim sparse-mode
!
interface Loopback1
ip address 10.4.40.252 255.255.255.255
ip pim sparse-mode
!
interface Port-Channel1
ip pim sparse-mode
!
interface GigabitEthernet0/0/4
ip pim sparse-mode
!
ip pim rp-address 10.4.40.252 10
access-list 10 permit 239.1.0.0 0.0.255.255

Other Routers:

ip multicast-routing
!
interface Loopback0
ip pim sparse-mode
!
interface Port-Channel1
ip pim sparse-mode
!
interface GigabitEthernet0/0/4
ip pim sparse-mode
!
ip pim rp-address 10.4.40.252 10
ip pim register-source Loopback0
access-list 10 permit 239.1.0.0 0.0.255.255

- The access-list limits the network size the RP is responsible for.
- IP PIM sparse-mode (Protocol Independent Multicast) is enabled on all interfaces.
- Rendezvous Point (RP) should be placed close to IP Multicast sources in core.
- Two or more RPs are configured with the same IP address on loopback interfaces.

Configure SNMP on Cisco Router

snmp-server community cisco RO
snmp-server community cisco123 RW
snmp-server trap-source Loopback0
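The hardening commands from the earlier best-practice posts (SSH version 2, HTTPS instead of HTTP, SSH-only vty lines, rapid-pvst, UDLD, transparent VTP) and the SNMP communities in this post can be checked mechanically against a running-config. This added Python script is not from the original page; its sample config, finding texts and the rule that every community must carry a manager access-list are constructed for the example.

```python
import re
# Constructed sample running-config excerpt (not from any device on the page): the
# page's hardening commands mixed with deliberately weak settings for the audit to flag.
SAMPLE_CONFIG = """\
ip domain-name cisco.local
ip http server
ip http secure-server
spanning-tree mode rapid-pvst
vtp mode transparent
snmp-server community cisco RO
snmp-server community cisco123 RW
line vty 0 15
 transport input telnet ssh
"""

# Global commands the posts recommend, mapped to the finding reported when each is absent.
REQUIRED = {
    "ip ssh version 2": "SSH version 2 not enforced",
    "no ip http server": "plaintext HTTP server still enabled",
    "ip http secure-server": "HTTPS server not enabled",
    "spanning-tree mode rapid-pvst": "spanning tree mode is not rapid-pvst",
    "udld enable": "UDLD not enabled globally",
    "vtp mode transparent": "VTP not in transparent mode",
}

def audit(config_text):
    """Return a sorted list of findings (strings) for a running-config excerpt."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    top_level = {l for l in lines if not l.startswith(" ")}
    findings = [msg for cmd, msg in REQUIRED.items() if cmd not in top_level]
    # Each 'line vty' block must carry exactly 'transport input ssh'; with no
    # transport line at all the default allows every protocol, so that is flagged too.
    vty_blocks, current = {}, None
    for l in lines:
        if not l.startswith(" "):
            current = vty_blocks.setdefault(l, []) if l.startswith("line vty") else None
        elif current is not None and l.strip().startswith("transport input"):
            current.append(l.strip())
    for header, transports in vty_blocks.items():
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: transport input is not restricted to ssh")
    # SNMP communities: flag RW access and any community without a manager access-list.
    snmp_re = r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$"
    for name, mode, acl in re.findall(snmp_re, config_text, re.M):
        if mode == "RW":
            findings.append(f"community '{name}' grants RW access")
        if not acl:
            findings.append(f"community '{name}' has no access-list restricting managers")
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) reports the missing SSH v2, the still-enabled HTTP server, the missing UDLD, the telnet-capable vty lines and the unrestricted communities; a config with all the recommended lines and a community tied to an access-list comes back clean.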