
CiscoBestPractices

This guide is designed to give you better performance and security out of any Cisco device that uses IOS.

It is assumed that the reader has some knowledge of configuring CiscoIOS devices.


Basic Setup

The first things that need to be configured should be the following...

service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption

By default the timestamps are set to uptime, and if you don't set the timestamps to localtime, the default will be EST (Eastern Standard Time).

Service password-encryption encrypts the passwords stored in the configuration with the hash algorithm, which is designed to prevent eavesdropping. By default, passwords are stored in clear text.

Other things to configure...

service tcp-keepalives-in
no service tcp-small-servers
no service udp-small-servers

ip subnet-zero
ip classless

For earlier versions of IOS

no service finger

For later versions of IOS

no ip finger

Whether the above settings are the default depends on the IOS version; on IOS version 12.3 all of them are defaults. Nonetheless, enter them all to be sure.


Device Authentication

Because service password-encryption enables the hash algorithm to prevent eavesdropping, it is highly recommended to use secret rather than password, because secret uses MD5 encryption. The privileged password has had this feature all along, and from some releases of IOS version 12.2 onward, usernames also offer secret rather than password.

no enable password
enable secret <<privileged password>>

Create some local users; use "secret" if you can, otherwise use "password" (one or the other, not both):

username lindsay secret <<lindsay's password>>
username lindsay password <<lindsay's password>>

Let's get authentication underway

aaa new-model
aaa authentication login default local

Older RADIUS/TACACS+ Logins

aaa authentication login default {tacacs+} {radius} local

Newer RADIUS/TACACS+ Logins

aaa authentication login default group {tacacs+} {radius} local

This configuration allows telnet (VTY) and console access without having to configure line con0, line aux0, or line vty 0 x individually. The alternative is to create passwords on each of those lines.

It is always a good idea to include local login as a fallback when allowing TACACS+ or RADIUS login. If you don't allow local login and the RADIUS or TACACS+ server either fails or can't be reached from the Cisco device, you will be locked out.


VTY Access Control (and enabling SSH)

Depending on the device, it will either allow 5 VTY sessions or 15 VTY sessions. Normally routers will allow 5 VTY sessions whereas the Catalyst switches will allow 15 VTY sessions. The best way to find out is to do the following...

router(config)#line vty 0 ?
  <1-4>  Last Line number
  <cr>
router(config)#line vty 0

In this example there are 5 VTY sessions (0-4). The following examples assume 5 VTY sessions.

Access to the VTY sessions is controlled using access-lists; both named and numbered access-lists can be used. Numbered access-lists can be standard (1-99), extended (100-199), or expanded (1300-2699). Named access-lists are not supported on all IOS images.

More recent versions of IOS also support remark alongside permit and deny. If your IOS version supports remark, it is worth using; if not, so be it.

access-list 101 remark ACLs for VTY Access
access-list 101 permit ip <<first authorised network address>> <<wildcard-mask>> any
access-list 101 permit ip <<second authorised network address>> <<wildcard-mask>> any
access-list 101 permit ip host <<authorised host>> any
access-list 101 deny ip any any

line vty 0 4

access-class 101 in
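A quick way to check a saved running-config against the Basic Setup, Device Authentication and VTY Access Control recommendations above is to audit the text for the expected lines. The script below is an added example and not part of this page or of any Cisco tool; the configuration it inspects is constructed (the hash values are placeholders), and, in line with the advice to enter every setting regardless of defaults, it reports anything that is not explicitly present.

```python
import re

# Constructed sample running-config (not from a real device); the
# "5 $1$PLACEHOLDER" and "7 ..." values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip finger
enable secret 5 $1$PLACEHOLDER
username lindsay password 7 0822455D0A16
aaa new-model
aaa authentication login default group tacacs+ local
access-list 101 remark ACLs for VTY Access
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip any any
line vty 0 4
 transport input ssh
"""

# (finding name, pattern that must appear somewhere in the config)
REQUIRED = [
    ("log timestamps use localtime", r"^service timestamps log datetime localtime"),
    ("debug timestamps use localtime", r"^service timestamps debug datetime localtime"),
    ("password-encryption enabled", r"^service password-encryption$"),
    ("tcp-small-servers disabled", r"^no service tcp-small-servers$"),
    ("udp-small-servers disabled", r"^no service udp-small-servers$"),
    ("finger disabled", r"^no (service|ip) finger$"),  # old or new syntax
    ("enable secret in use", r"^enable secret "),
    ("aaa new-model enabled", r"^aaa new-model$"),
    ("login falls back to local", r"^aaa authentication login default .*\blocal$"),
]

def audit(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = [f"missing: {name}" for name, pat in REQUIRED
                if not re.search(pat, config, re.M)]
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password present (use enable secret)")
    # Local users defined with "password" instead of "secret".
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)} uses password, not secret")
    # Each "line vty a b" block (its indented sub-lines) needs an inbound access-class.
    for m in re.finditer(r"^line vty (\d+) (\d+)\n((?: .*\n)*)", config, re.M):
        if not re.search(r"^ access-class \S+ in$", m.group(3), re.M):
            findings.append(f"line vty {m.group(1)} {m.group(2)} has no access-class in")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample above it reports the user defined with password rather than secret and the VTY lines with no access-class; fix both and it returns an empty list.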


CategoryBestPractices