Thursday, July 17, 2014

Cisco Configuration Cheat Sheet - Part 2: More security

 h/t Omar Noory
Security is important (no, critical) to the success of a network. The cartoon on the right is the first image macro stating what is now known as an axiom of Internet life:
"Haters gonna hate"
The phrase is used to dismiss hateful speech (often called trolling) on the Internet, especially in anonymous forums. But its implications go much further. More people connected to the Internet means greater diversity and flow of ideas and possibly greater democracy. It also means a greater diversity of bad behavior like trolling and hacking. People who have been into computers for a long time wish for the old days when everyone on the Internet could be trusted. Those days are gone, and that's for the better.

The complexity of networks makes them resemble living things. Like living things they are constantly under threat and those threats will test their defenses and adapt. Networks, therefore, must be adaptable, resilient and self-healing. Our bodies have developed immunity to viruses in order to preserve our lives and our genes, but the defense isn't perfect and, as we now know, viruses are key drivers of human evolution. Without the viruses (and the damage they cause) we would not grow. That's true for networks, too.

So in celebration of hackers, here's something you can do to keep them out. Keep your sessions secure by doing some basic configuration:

// Make sure passwords are good passwords 
// (8 is not enough!)
(config)# security password min-length 12 

// Don't let people guess at will or they 
// will use automated bots to guess
(config)# login block-for 120 attempts 3 within 60

// Logout after a while so someone can't hijack your 
// terminal while you're at lunch
(config)# line vty 0 15
(config-line)# exec-timeout 10 

Tuesday, July 15, 2014

Cisco Configuration Cheat Sheet - Part 1

I'm teaching CIS-81 Fundamentals of Networking next semester (with the great Rick Graziani). The class is taught using Cisco equipment. Until this summer I had never touched a piece of Cisco hardware in my life. What an eye opener! The CLI is very strange and primitive compared to Linux. But it's a CLI, therefore I like it.

I've been using Packet Tracer (AMAZING!) to do my labs and it's really incredibly fun. So here are the first tasks I do when setting up a network. The network is pictured on the left.

I'm going to start by configuring the router. I don't use the default configuration dialog because I want to do everything myself.

// Step 0: Basics 
> enable
# config t 
(config)# hostname ginsu
(config)# ip domain name lifealgorithmic.com // Need for SSH
(config)# banner login \
(config)# banner motd \

// Step 1: Security 
// Set the "enable" password. Never use enable password!
(config)# enable secret cisco 

// Set the password to login to the console

(config)# username cisco secret cisco 
(config)# line console 0 
(config-line)# login local
(config-line)# logging synchronous // I don't actually like this

// Make sure the login password is "encrypted"

(config)# service password-encryption

// Enable SSH (and disable evil Telnet)

(config)# crypto key generate rsa 
(config)# line vty 0 15
(config-line)# transport input ssh
(config-line)# login local

// Step 2: Interfaces (on the Router)

(config)# interface GigabitEthernet 0/1
(config-if)# ip address 10.0.0.1 255.0.0.0
(config-if)# ipv6 address 2001:db8:fade:1::1/64
(config-if)# ipv6 address fe80::1 link-local
(config-if)# description MyInterface
(config-if)# no shutdown

// Step 3: Management Interface (on the Switch)

(config)# interface Vlan 1
(config-if)# ip address 10.0.0.2 255.0.0.0
(config-if)# ipv6 address 2001:db8:fade:1::2/64
(config-if)# no shutdown

// Step 4: Configure DHCP on the router

(config)# ip dhcp excluded-address 10.0.0.1
(config)# ip dhcp excluded-address 10.0.0.2
(config)# ip dhcp pool mynet
(dhcp-config)# default-router 10.0.0.1
(dhcp-config)# dns-server 8.8.8.8
(dhcp-config)# network 10.0.0.0 255.0.0.0

// Step 5: Make it stick
# copy running-config startup-config
# reload
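As an added example (not from the post and not a Cisco tool), here is a small Python audit that reads the text of "show running-config" and reports which of the hardening steps from Part 1 and Part 2 are missing: the 12-character minimum, login block-for, service password-encryption, enable secret instead of enable password, and SSH-only vty lines with an exec-timeout. The sample config it checks is constructed here and deliberately skips some of the steps.

```python
import re
# Constructed "show running-config" output (not from the post) with only part of the cheat sheet applied.
SAMPLE_CONFIG = """\
enable password cisco
service password-encryption
line vty 0 4
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""
MIN_LENGTH = 12  # the value the cheat sheet recommends

def parse_config(text):
    """Split IOS config into global commands and per-'line' sub-commands."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit(text):
    """Return one finding per cheat-sheet hardening step the config lacks."""
    global_cmds, sections = parse_config(text)
    has = lambda prefix: any(c.startswith(prefix) for c in global_cmds)
    findings = []
    m = re.search(r"^security password min-length (\d+)$", text, re.M)
    if not m or int(m.group(1)) < MIN_LENGTH:
        findings.append(f"password min-length below {MIN_LENGTH} or unset")
    if not has("login block-for"):
        findings.append("no login block-for, so guessing is never throttled")
    if not has("service password-encryption"):
        findings.append("service password-encryption not enabled")
    if has("enable password") or not has("enable secret"):
        findings.append("enable password in use or enable secret missing")
    for name, cmds in sections.items():  # one pass per vty line range
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not SSH-only")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{name}: no exec-timeout, idle sessions stay open")
    return findings
```

Run audit() on a real running-config dump and an empty list means every step from both posts is in place.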

Monday, July 14, 2014

Can you spot the differences?
Of course you never go into production on revision A. Lesson learned: Never use autosensing level shifters for transmission applications. They just don't have enough drive strength for a long wire. They have a very counterintuitive property when they're driving a load that's too big: they go into oscillation. When the driver cannot bring the output level above threshold before the one-shot timeout it will switch directions. Then it will try to overwhelm the driver on the Teensy (it can't) and switch directions again. Repeat.

I also had to pick different capacitors for C1 and C5. The ones I had were too big to fit into the tube. The new ones have smaller values and less voltage margin. I really hope I get away with that.

There's one more thing different. Can you spot it?