Default configurations you ALWAYS put in your devices

dyop.geop
Level 1

Hi fellow engineers,

 

May I just ask for tips, guides or advice regarding the commands you enter in almost all of your devices (i.e. routers, switches).

Like for example, no http server, service password encryption, no telnet, etc.

I hope y'all get what I mean :)

 

Thanks in advance!

Leo Laohoo
Hall of Fame

No one can give you this answer because this will depend entirely upon the organization you're working for.  

 

We all have our own "favorite" configuration lines but we all have a legitimate reason when to use it and when not to use it.  

 

If this was a job interview and you gave me a bunch of commands, I'll immediately respond with, "that's nice.  Now DEFEND your responses and tell me WHY you have those commands".

Oh, okay, got you.

But c'mon, maybe there are best practices to follow regarding setting up a router or switch for the first time. What are the configs that should be there?

So far from my experience, here are the commands I always put, no questions asked.

hostname
logging synchronous
exec timeout
enable secret
login local
transport input ssh telnet
banner
ip domain name
crypto key generate
ip ssh version 2
username secret
no ip http server
ntp server
clock

There... maybe there are a few I can add?

 

Or this is REALLY a very BROAD question :D

 

I try to use the Cisco Validated Design template commands as a starting point (assuming there is one for the use case I am implementing). Any variation from that, I document and convey my reasoning to the customer.

For example, here's a link to the current Campus CVDs.

If it's a security review / audit I would supplement that with some standard, according to the environment. For general purpose, I'd use the Center for Internet Security (CIS) guides - they combine vendor and external (government and regulatory) guidelines.

If the environment is more specific (say needing to be PCI DSS, HIPAA, etc. compliant), I'd tailor it a bit more drawing from any available guides for the specific regime I need to comply with.

Hi Sir Marvin, thanks for the links, definitely checking them out.

Like I said, it depends on the organization you work for.   For example:

transport input ssh telnet

For remote access, I will never enable telnet.  Everything has to be SSH.  

username secret

I don't care how "poor" an organization is.  I will NEVER use a simple username/password login account like this.  It's either TACACS or RADIUS.  

 

The commands I will use in my generic configurations will include something like:  

ip tftp blocksize 8192
ip device tracking
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year

Yes, that's exactly what I'm talking about.
That's why I'm asking you guys what your "generic" configurations are, then I could pattern mine from yours.

ip tftp blocksize 8192
ip device tracking
service timestamps debug datetime localtime show-timezone year
service timestamps log datetime localtime show-timezone year

These commands are definitely new to me, so I'd study these and maybe I can use them.

Hope you can share more :D

 

Thanks sir.

Scott Plank
Level 1

While I echo both Leo and Marvin's posts - I've found the following IOS hardening guide to be helpful in establishing configuration standards for our Cisco devices:

http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

 

I did not follow the guide command-for-command, but went through each recommendation one-by-one to determine whether it made sense for my environment or not. It was a long process (a couple of weeks), but paid off with the end result of a standard config (that varies to some degree by device model due to different supported features, IOS, etc.) that is easily & quickly deployed.

We're currently looking at how Prime can help us deploy this even quicker with the 0- & 1-touch deployment options, though we're not very far along in our analysis yet.

Good point, Scott.

Actually the CIS Cisco router hardening guide I mentioned cites that very Cisco reference.

PI 2.2 broke the Compliance feature and it's supposed to be back with the next release. That would be really really useful to have it analyze all the supported devices' configurations and give you a report and remediation option specific to the devices and their OS revision.

People generally bad-mouth the old Cisco Configuration Professional (router GUI) but it did have the one touch hardening button that was quite useful. There's also the "autosecure" feature on some platforms although it doesn't seem to get much love from Cisco.

That's a looong guide, but thanks Sir.

I was just hoping for a sample configuration from you guys, then I'll just pick commands which I can use for my environment. :D

Here are some of the more general commands we use that are not necessarily platform-dependent:

Configure services & disable unused services - Obviously if you use your IOS devices as DHCP servers, you don't want to disable the DHCP service

service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service linenumber
no service dhcp
no service pad
no service config

Set Timezone & Daylight Savings Time, Show full date/time in logs/debugs w/timezone

clock timezone CST -6 !US Central Timezone
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 !Daylight Savings Time
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

Misc

no ip domain lookup
no ip http server
no ip http secure-server
ip dhcp bootp ignore
no logging console
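The hardening lines Leo and Scott list above (SSH-only vty access, service password-encryption, timestamps with timezone, no HTTP server, and so on) are easy to audit once a device's running-config is pulled back. The checker below is an added example, not code from any poster in this thread; it parses a constructed IOS config into global lines and indented `line vty` sections and reports which of the thread's recommendations are missing or contradicted. The rule names and sample config are assumptions for illustration.

```python
"""Audit an IOS running-config against the hardening lines discussed in this thread.
Added example; SAMPLE_CONFIG below is constructed, not captured from a real device."""
import re

# Global commands the thread wants present, as exact running-config lines.
REQUIRED_GLOBAL = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no service pad",
    "no ip http server", "no ip http secure-server", "ip ssh version 2",
]
# Global lines that are findings if they appear (pattern -> reason).
FORBIDDEN_GLOBAL = {r"^ip http server$": "HTTP server enabled",
                    r"^enable password ": "enable password instead of enable secret"}
TIMESTAMP_RE = re.compile(r"^service timestamps log datetime .*localtime.*show-timezone")

SAMPLE_CONFIG = """\
! constructed sample config, deliberately half-hardened
hostname EDGE-RTR
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
service timestamps log datetime msec localtime show-timezone
ip http server
ip ssh version 2
line vty 0 4
 exec-timeout 10 0
 transport input ssh telnet
line vty 5 15
 transport input ssh
"""

def parse_sections(config: str):
    """Return (global_lines, {header: [indented child lines]}); '!' comments are skipped."""
    globals_, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())      # child of the last header
        else:
            current = raw.strip()
            sections[current] = []
            globals_.append(current)
    return globals_, sections

def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    globals_, sections = parse_sections(config)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in globals_]
    findings += [f"{why}: {line}" for line in globals_
                 for pat, why in FORBIDDEN_GLOBAL.items() if re.match(pat, line)]
    if not any(TIMESTAMP_RE.match(line) for line in globals_):
        findings.append("missing: service timestamps log ... localtime show-timezone")
    for header, children in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        # Leo's rule: remote access is SSH only. An absent line is flagged too, because
        # the platform default is not visible in the config and may permit telnet.
        if not transport or any(re.search(r"\b(telnet|all)\b", t) for t in transport):
            findings.append(f"{header}: transport input is not ssh-only")
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{header}: no exec-timeout")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns five findings for the constructed config (the two missing `no ip http` lines, the enabled HTTP server, telnet on vty 0 4, and no exec-timeout on vty 5 15).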

Hey Sir Scott, thaanksss!! 

Exactly what I need :D thanks sir!
