Blame: CiscoBestPractices
Annotated edit history of CiscoBestPractices version 3, including all changes (revisions 1 to 3 by LindsayDruett).
!!!CiscoBestPractices

This guide is designed to give you better performance and security out of any Cisco device that uses IOS.

It is assumed that the reader has some knowledge of configuring CiscoIOS devices.

----
!!Basic Setup

The first things to configure are the following...

service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

By default the timestamps are set to uptime, and if you don't set the timestamps to localtime, the default will be EST (Eastern Standard Time).

Service password-encryption will encrypt passwords with a hash algorithm, which is designed to prevent eavesdropping. By default, passwords are not encrypted.%%%
%%%

Other things to configure...

service tcp-keepalives-in
no service tcp-small-servers
no service udp-small-servers
!
ip subnet-zero
ip classless
!
! For earlier versions of IOS
no service finger
! For later versions of IOS
no ip finger

Whether the above settings are already the defaults depends on the IOS version; on IOS version 12.3 all of the above are defaults. Nonetheless, enter them all to be sure.

----
!!Device Authentication

Because service password-encryption enables the hash algorithm to prevent eavesdropping, it is highly recommended to use __''secret''__ rather than __''password''__, because __''secret''__ uses MD5 encryption. The privileged password has had this feature all along, and from some releases of IOS version 12.2 onwards, usernames also offer __''secret''__ rather than __''password''__.

no enable password
enable secret <<privileged password>>
!
! Create some local users; if you can, use "secret", otherwise use "password"
!
username lindsay secret <<lindsay's password>>
username lindsay password <<lindsay's password>>
!
! Let's get authentication underway
!
aaa new-model
aaa authentication login default local
!
! Older RADIUS/TACACS+ Logins
aaa authentication login default {tacacs+} {radius} local
!
! Newer RADIUS/TACACS+ Logins
aaa authentication login default group {tacacs+} {radius} local

This configuration will allow telnet (VTY) and console access without having to configure __line con 0__, __line aux 0__, or __line vty 0 x__. The alternative is to create passwords on each of those lines.

It is always a good idea to allow local login when allowing TACACS+ or RADIUS login. If you don't allow local login and the RADIUS or TACACS+ server either fails or can't be reached by the Cisco device, you will be locked out.
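As an added example (it is not part of the original page and not a Cisco tool), the following Python script audits a saved IOS running-config for the settings recommended in the Basic Setup and Device Authentication sections above, including the local fallback at the end of the AAA login method list. The two configurations embedded in it are constructed for illustration rather than taken from a real device, and the checks are plain line matching against the commands shown in this guide, so a device with the same intent expressed through other commands would still be flagged.

```python
import re

# Constructed sample running-config (not from a real device) with several
# deliberate weaknesses so the audit has something to report.
SAMPLE_CONFIG = """\
version 12.3
service timestamps debug datetime localtime
service timestamps log uptime
no service password-encryption
service tcp-small-servers
no service udp-small-servers
no ip finger
!
enable password <<weak privileged password>>
username lindsay password <<lindsay's password>>
!
aaa new-model
aaa authentication login default group tacacs+
!
line vty 0 4
 transport input telnet
"""

# Constructed config that follows the guide; expected to produce no findings.
HARDENED_CONFIG = """\
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip finger
!
enable secret <<hashed privileged secret>>
username lindsay secret <<hashed secret for lindsay>>
!
aaa new-model
aaa authentication login default group tacacs+ local
"""


def audit_ios_config(config_text):
    """Return a list of findings, one string per recommended setting that is
    missing or weak. Only the global-config lines covered by this guide are
    examined; leading indentation is ignored so line sub-commands also match."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    present = set(lines)
    findings = []

    def has_prefix(prefix):
        return any(l.startswith(prefix) for l in lines)

    # Basic Setup: both timestamp services should use datetime localtime
    for kind in ("debug", "log"):
        if f"service timestamps {kind} datetime localtime" not in present:
            findings.append(f"service timestamps {kind} not set to datetime localtime")

    # 'no service password-encryption' (the default) does not satisfy this test
    if "service password-encryption" not in present:
        findings.append("service password-encryption is not enabled")

    # Small servers and finger should be explicitly disabled
    for svc in ("tcp-small-servers", "udp-small-servers"):
        if f"no service {svc}" not in present:
            findings.append(f"{svc} not disabled")
    if "no service finger" not in present and "no ip finger" not in present:
        findings.append("finger service not disabled")

    # Device Authentication: enable secret rather than enable password
    if has_prefix("enable password"):
        findings.append("enable password in use; use enable secret")
    if not has_prefix("enable secret"):
        findings.append("no enable secret configured")

    # Local users: 'secret' preferred over 'password' where the IOS supports it
    for l in lines:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)} uses password; use secret if the IOS supports it")

    # AAA: a login list that uses tacacs+ or radius must end with 'local'
    for l in lines:
        if l.startswith("aaa authentication login"):
            tokens = l.split()
            list_name = tokens[3]
            methods = [m for m in tokens[4:] if m != "group"]  # drop 'group' keyword
            if ("tacacs+" in methods or "radius" in methods) and methods[-1] != "local":
                findings.append(f"login list '{list_name}' has no local fallback")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print("  -", f)
```

Run it against the output of `show running-config` saved to a file by passing the file's text to `audit_ios_config`; an empty list means every setting the guide names is present in the form the guide shows.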

----
!!VTY Access Control (and enabling SSH)

Depending on the device, it will either allow 5 VTY sessions or 15 VTY sessions. Normally routers will allow 5 VTY sessions whereas the Catalyst switches will allow 15 VTY sessions. The best way to find out is to do the following...

router(config)#line vty 0 ?
<1-4> Last Line number
<cr>

router(config)#line vty 0

In this example there are 5 VTY sessions (0-4). With the following examples, we will work with 5 VTY sessions.%%%
%%%
Access to the VTY sessions is controlled using access-lists; both named and numbered access-lists can be used. Numbered access-lists can be standard (1-99), extended (100-199), or expanded (1300-2699). Named access-lists are not supported on all IOS images.

On more recent versions of IOS, __remark__ has also been included alongside __permit__ and __deny__. If the IOS version supports __remark__, it's worthwhile using it; if not, so be it.

access-list 101 remark ACLs for VTY Access
access-list 101 permit ip <<first authorised network address>> <<wildcard-mask>> any
access-list 101 permit ip <<second authorised network address>> <<wildcard-mask>> any
access-list 101 permit ip host <<authorised host>> any
access-list 101 deny ip any any
!
line vty 0 4
access-class 101 in
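As an added example that is not from the original page, here is a small Python model of how IOS evaluates a numbered extended access-list such as the one above against the source address of an incoming VTY connection: entries are tried in order and the first match wins, a wildcard-mask bit of 1 means "don't care", a __host__ entry is an exact match, and a packet that matches no entry is denied, because IOS applies an implicit deny at the end of every access-list even when the explicit __deny ip any any__ line is left out. The addresses in ACL_101 are constructed documentation-range values standing in for the <<authorised network>> placeholders, and only the source field of each entry is evaluated, which is all that matters for an access-class applied inbound.

```python
import ipaddress

# Constructed ACL in the shape of the guide's example; the addresses are
# illustrative documentation ranges, not real authorised networks.
ACL_101 = [
    "access-list 101 remark ACLs for VTY Access",
    "access-list 101 permit ip 192.0.2.0 0.0.0.255 any",
    "access-list 101 permit ip 198.51.100.0 0.0.0.15 any",
    "access-list 101 permit ip host 203.0.113.7 any",
    "access-list 101 deny ip any any",
]

ALL_ONES = 0xFFFFFFFF


def parse_source(tokens):
    """Parse the source field of an extended ACE: 'any', 'host A' or 'A WILDCARD'.
    Returns (address, wildcard) as 32-bit integers."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))


def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC ... DST' lines into
    (action, address, wildcard) tuples, in order; remark lines are skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        action = tokens[2]
        if action == "remark":
            continue
        addr, wildcard = parse_source(tokens[4:])  # tokens after 'access-list N action ip'
        entries.append((action, addr, wildcard))
    return entries


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; only the 0 bits must agree."""
    care = ~wildcard & ALL_ONES
    return (addr & care) == (base & care)


def acl_decision(entries, source_ip):
    """First matching entry decides; no match means the implicit deny applies."""
    addr = int(ipaddress.IPv4Address(source_ip))
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action
    return "deny"


if __name__ == "__main__":
    entries = parse_acl(ACL_101)
    for ip in ("192.0.2.77", "198.51.100.9", "198.51.100.16", "203.0.113.7", "203.0.113.8", "10.0.0.1"):
        print(f"{ip:>15} -> {acl_decision(entries, ip)}")
```

The second network entry uses a wildcard of 0.0.0.15, so only 198.51.100.0 through 198.51.100.15 are permitted; 198.51.100.16 falls through to the final deny, which is the kind of off-by-one worth checking before an access-class is applied to the only VTY lines you have into a remote device.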

----
CategoryBestPractices