book

Cisco Cookbook

by Kevin Dooley, Ian Brown

July 2003

Intermediate to advanced

908 pages

25h 3m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Preface
OrganizationWhat’s in This BookConventionsComments and QuestionsAcknowledgments
1. Router Configuration and File Management
1.0. Introduction1.1. Configuring the Router via TFTP1.2. Saving Router Configuration to Server1.3. Booting the Router Using a Remote Configuration File1.4. Storing Configuration Files Larger than NVRAM1.5. Clearing the Startup Configuration1.6. Loading a New IOS Image1.7. Booting a Different IOS Image1.8. Booting Over the Network1.9. Copying an IOS Image to a Server1.10. Copying an IOS Image Through the Console1.11. Deleting Files from Flash1.12. Partitioning Flash1.13. Using the Router as a TFTP Server1.14. Using FTP from the Router1.15. Generating Large Numbers of Router Configurations1.16. Changing the Configurations of Many Routers at Once1.17. Extracting Hardware Inventory Information1.18. Backing Up Router Configurations
2. Router Management
2.0. Introduction2.1. Creating Command Aliases2.2. Managing the Router’s ARP Cache2.3. Tuning Router Buffers2.4. Using the Cisco Discovery Protocol2.5. Disabling the Cisco Discovery Protocol2.6. Using the Small Servers2.7. Enabling HTTP Access to a Router2.8. Using Static Hostname Tables2.9. Enabling Domain Name Service2.10. Disabling Domain Name Lookups2.11. Specifying a Router Reload Time2.12. Creating Exception Dump Files2.13. Generating a Report of Interface Information2.14. Generating a Report of Routing Table Information2.15. Generating a Report of ARP Table Information2.16. Generating a Server Host Table File
3. User Access and Privilege Levels
3.0. Introduction3.1. Setting Up User IDs3.2. Encrypting Passwords3.3. Using Better Encryption Techniques3.4. Removing Passwords from a Router Configuration File3.5. Deciphering Cisco’s Weak Password Encryption3.6. Displaying Active Users3.7. Sending Messages to Other Users3.8. Changing the Number of VTYs3.9. Changing VTY Timeouts3.10. Restricting VTY Access by Protocol3.11. Enabling Absolute Timeouts on VTY Lines3.12. Implementing Banners3.13. Disabling Banners on a Port3.14. Disabling Router Lines3.15. Reserving a VTY Port for Administrative Access3.16. Restricting Inbound Telnet Access3.17. Logging Telnet Access3.18. Setting the Source Address for Telnet3.19. Automating the Login Sequence3.20. Using SSH for Secure Access3.21. Changing the Privilege Level of IOS Commands3.22. Defining Per-User Privileges3.23. Defining Per-Port Privileges
4. TACACS+
4.0. Introduction4.1. Authenticating Login IDs from a Central System4.2. Restricting Command Access4.3. Losing Access to the TACACS+ Server4.4. Disabling TACACS+ Authentication on a Particular Line4.5. Capturing User Keystrokes4.6. Logging System Events4.7. Setting the IP Source Address for TACACS+ Messages4.8. Obtaining Free TACACS+ Server Software4.9. Sample Server Configuration Files
5. IP Routing
5.0. Introduction5.1. Finding an IP Route5.2. Finding Types of IP Routes5.3. Converting Different Mask Formats5.4. Using Static Routing5.5. Floating Static Routes5.6. Using Policy-Based Routing to Route Based on Source Address5.7. Using Policy-Based Routing to Route Based on Application Type5.8. Examining Policy-Based Routing5.9. Changing Administrative Distances5.10. Routing Over Multiple Paths with Equal Costs
6. RIP
6.0. Introduction6.1. Configuring RIP Version 16.2. Filtering Routes with RIP6.3. Redistributing Static Routes into RIP6.4. Redistributing Routes Using Route Maps6.5. Creating a Default Route in RIP6.6. Disabling RIP on an Interface6.7. Unicast Updates for RIP6.8. Applying Offsets to Routes6.9. Adjusting Timers6.10. Configuring Interpacket Delay6.11. Enabling Triggered Updates6.12. Increasing the RIP Input Queue6.13. Configuring RIP Version 26.14. Enabling RIP Authentication6.15. RIP Route Summarization6.16. Route Tagging
7. EIGRP
7.0. Introduction7.1. Configuring EIGRP7.2. Filtering Routes with EIGRP7.3. Redistributing Routes into EIGRP7.4. Redistributing Routes into EIGRP Using Route Maps7.5. Creating a Default Route in EIGRP7.6. Disabling EIGRP on an Interface7.7. EIGRP Route Summarization7.8. Adjusting EIGRP Metrics7.9. Adjusting Timers7.10. Enabling EIGRP Authentication7.11. Logging EIGRP Neighbor State Changes7.12. Limiting EIGRP’s Bandwidth Utilization7.13. EIGRP Stub Routing7.14. Route Tagging7.15. Viewing EIGRP Status
8. OSPF
8.0. Introduction8.1. Configuring OSPF8.2. Filtering Routes in OSPF8.3. Adjusting OSPF Costs8.4. Creating a Default Route in OSPF8.5. Redistributing Static Routes into OSPF8.6. Redistributing External Routes into OSPF8.7. Manipulating DR Selection8.8. Setting the OSPF RID8.9. Enabling OSPF Authentication8.10. Selecting the Appropriate Area Types8.11. Summarizing Routes in OSPF8.12. Disabling OSPF on Certain Interfaces8.13. OSPF Route Tagging8.14. Logging OSPF Adjacency Changes8.15. Adjusting OSPF Timers8.16. Viewing OSPF Status with Domain Names8.17. Debugging OSPF

9. BGP
9.0. Introduction9.1. Configuring BGP9.2. Using eBGP Multihop9.3. Adjusting the Next-Hop Attribute9.4. Connecting to Two ISPs9.5. Connecting to Two ISPs with Redundant Routers9.6. Restricting Networks Advertised to a BGP Peer9.7. Adjusting Local Preference Values9.8. Load Balancing9.9. Removing Private ASNs from the AS Path9.10. Filtering BGP Routes Based on AS Paths9.11. Reducing the Size of the Received Routing Table9.12. Summarizing Outbound Routing Information9.13. Prepending ASNs to the AS Path9.14. Redistributing Routes with BGP9.15. Using Peer Groups9.16. Authenticating BGP Peers9.17. Putting It All Together
10. Frame Relay
10.0. Introduction10.1. Setting Up Frame Relay with Point-to-Point Subinterfaces10.2. Adjusting LMI Options10.3. Setting Up Frame Relay with Map Statements10.4. Using Multipoint Subinterfaces10.5. Configuring Frame Relay SVCs10.6. Simulating a Frame Relay Cloud10.7. Compressing Frame Relay Data on a Subinterface10.8. Compressing Frame Relay Data with Maps10.9. Viewing Frame Relay Status Information
11. Queueing and Congestion
11.0. Introduction11.1. Fast Switching and CEF11.2. Setting the DSCP or TOS Field11.3. Using Priority Queueing11.4. Using Custom Queueing11.5. Using Custom Queues with Priority Queues11.6. Using Weighted Fair Queueing11.7. Using Class-Based Weighted Fair Queueing11.8. Controlling Congestion with WRED11.9. Using RSVP11.10. Using Generic Traffic Shaping11.11. Using Frame-Relay Traffic Shaping11.12. Using Committed Access Rate11.13. Implementing Standards-Based Per-Hop Behavior11.14. Viewing Queue Parameters
12. Tunnels and VPNs
12.0. Introduction12.1. Creating a Tunnel12.2. Tunneling Foreign Protocols in IP12.3. Tunneling with Dynamic Routing Protocols12.4. Viewing Tunnel Status12.5. Creating an Encrypted Router-to-Router VPN12.6. Generating RSA Keys12.7. Creating a Router-to-Router VPN with RSA Keys12.8. Creating a VPN Between a Workstation and a Router12.9. Check IPSec Protocol Status
13. Dial Backup
13.0. Introduction13.1. Automating Dial Backup13.2. Using Dialer Interfaces13.3. Using an Async Modem on the AUX Port13.4. Using Backup Interfaces13.5. Using Dialer Watch13.6. Ensuring Proper Disconnection13.7. View Dial Backup Status13.8. Debugging Dial Backup
14. NTP and Time
14.0. Introduction14.1. Timestamping Router Logs14.2. Setting the Time14.3. Setting the Time Zone14.4. Adjusting for Daylight Saving Time14.5. Synchronizing the Time on All Routers (NTP)14.6. Configuring NTP Redundancy14.7. Setting the Router as the NTP Master for the Network14.8. Changing NTP Synchronization Periods14.9. Using NTP to Send Periodic Broadcast Time Updates14.10. Using NTP to Send Periodic Multicast Time Updates14.11. Enabling and Disabling NTP Per Interface14.12. NTP Authentication14.13. Limiting the Number of Peers14.14. Restricting Peers14.15. Setting the Clock Period14.16. Checking the NTP Status14.17. Debugging NTP
15. DLSw
15.0. Introduction15.1. Configuring DLSw15.2. Using DLSw to Bridge Between Ethernet and Token Ring15.3. Converting Ethernet and Token Ring MAC Addresses15.4. Configuring SDLC15.5. Configuring SDLC for Multidrop Connections15.6. Using STUN15.7. Using BSTUN15.8. Controlling DLSw Packet Fragmentation15.9. Tagging DLSw Packets for QoS15.10. Supporting SNA Priorities15.11. DLSw+ Redundancy and Fault Tolerance15.12. Viewing DLSw Status Information15.13. Viewing SDLC Status Information15.14. Debugging DSLw
16. Router Interfaces and Media
16.0. Introduction16.1. Viewing Interface Status16.2. Configuring Serial Interfaces16.3. Using an Internal T1 CSU/DSU16.4. Using an Internal ISDN PRI Module16.5. Using an Internal 56Kbps CSU/DSU16.6. Configuring an Async Serial Interface16.7. Configuring ATM Subinterfaces16.8. Setting Payload Scrambling on an ATM Circuit16.9. Configuring Ethernet Interface Features16.10. Configuring Token Ring Interface Features16.11. Connecting VLAN Trunks With ISL16.12. Connecting VLAN Trunks with 802.1Q
17. Simple Network Management Protocol
17.0. Introduction17.1. Configuring SNMP17.2. Extracting Router Information via SNMP Tools17.3. Recording Important Router Information for SNMP Access17.4. Extracting Inventory Information from a List of Routers with SNMP17.5. Using Access Lists to Protect SNMP Access17.6. Logging Unauthorized SNMP Attempts17.7. Limiting MIB Access17.8. Using SNMP to Modify a Router’s Running Configuration17.9. Using SNMP to Copy a New IOS Image17.10. Using SNMP to Perform Mass Configuration Changes17.11. Preventing Unauthorized Configuration Modifications17.12. Making Interface Table Numbers Permanent17.13. Enabling SNMP Traps and Informs17.14. Sending syslog Messages as SNMP Traps and Informs17.15. Setting SNMP Packet Size17.16. Setting SNMP Queue Size17.17. Setting SNMP Timeout Values17.18. Disabling Link Up/Down Traps per Interface17.19. Setting the IP Source Address for SNMP Traps17.20. Using RMON to Send Traps17.21. Enabling SNMPv317.22. Using SAA
18. Logging
18.0. Introduction18.1. Enabling Local Router Logging18.2. Setting the Log Size18.3. Clearing the Router’s Log18.4. Sending Log Messages to Your Screen18.5. Using a Remote Log Server18.6. Enabling Syslog on a Unix Server18.7. Changing the Default Log Facility18.8. Restricting What Log Messages Are Sent to the Server18.9. Setting the IP Source Address for Syslog Messages18.10. Logging Router Syslog Messages in Different Files18.11. Maintaining Syslog Files on the Server18.12. Testing the Syslog Sever Configuration18.13. Preventing the Most Common Messages from Being Logged18.14. Rate-Limiting Syslog Traffic
19. Access Lists
19.0. Introduction19.1. Filtering by Source or Destination IP Address19.2. Adding a Comment to an ACL19.3. Filtering by Application19.4. Filtering Based on TCP Header Flags19.5. Restricting TCP Session Direction19.6. Filtering Multiport Applications19.7. Filtering Based on DSCP and TOS19.8. Logging when an Access List Is Used19.9. Logging TCP Sessions19.10. Analyzing ACL Log Entries19.11. Using Named and Reflexive Access Lists19.12. Dealing with Passive Mode FTP19.13. Using Context-Based Access Lists
20. DHCP
20.0. Introduction20.1. Using IP Helper Addresses for DHCP20.2. Limiting the Impact of IP Helper Addresses20.3. Using DHCP to Dynamically Configure Router IP Addresses20.4. Dynamically Allocating Client IP Addresses via DHCP20.5. Defining DHCP Configuration Options20.6. Defining DHCP Lease Periods20.7. Allocating Static IP Addresses with DHCP20.8. Configuring a DHCP Database Client20.9. Configuring Multiple DHCP Servers per Subnet20.10. Showing DHCP Status20.11. Debugging DHCP
21. NAT
21.0. Introduction21.1. Configuring Basic NAT Functionality21.2. Allocating External Addresses Dynamically21.3. Allocating External Addresses Statically21.4. Translating Some Addresses Statically and Others Dynamically21.5. Translating in Both Directions Simultaneously21.6. Rewriting the Network Prefix21.7. Adjusting NAT Timers21.8. Changing TCP Ports for FTP21.9. Checking NAT Status21.10. Debugging NAT
22. Hot Standby Router Protocol
22.0. Introduction22.1. Configuring Basic HSRP Functionality22.2. Using HSRP Preempt22.3. Making HSRP React to Problems on Other Interfaces22.4. Load Balancing with HSRP22.5. Redirecting ICMP with HSRP22.6. Manipulating HSRP Timers22.7. Using HSRP on a Token Ring Network22.8. HSRP SNMP Support22.9. Increasing HSRP Security22.10. Showing HSRP State Information22.11. Debugging HSRP
23. IP Multicast
23.0. Introduction23.1. Configuring Basic Multicast Functionality with PIM-DM23.2. Routing Multicast Traffic with PIMSM and BSR23.3. Routing Multicast Traffic with PIM-SM and Auto-RP23.4. Configuring Routing for a Low Frequency Multicast Application23.5. Configuring CGMP23.6. Static Multicast Routes and Group Memberships23.7. Routing Multicast Traffic with MOSPF23.8. Routing Multicast Traffic with DVMRP23.9. DVMRP Tunnels23.10. Controlling Multicast Scope with TTL23.11. Using Administratively Scoped Addressing23.12. Exchanging Multicast Routing Information with MBGP23.13. Using MSDP to Discover External Sources23.14. Converting Broadcasts to Multicasts23.15. Showing Multicast Status23.16. Debugging Multicast Routing
A. External Software Packages
A.1. PerlA.2. ExpectA.3. NET-SNMPA.4. PuTTYA.5. OpenSSHA.6. Ethereal
B. IP Precedence, TOS, and DSCP Classifications
B.1. Combining TOS and IP Precedence to Mimic DSCPB.2. RSVPB.3. Queueing AlgorithmsB.4. Dropping Packets and Congestion Avoidance
Index
About the Authors
Colophon
Copyright

Content preview from Cisco Cookbook

Chapter 3. User Access and Privilege Levels

3.0. Introduction

Many network administrators do only the minimum when it comes to setting up user access to their routers. This is sufficient in networks where there are no serious security issues, and only a small number of people ever want or need to access the router. But, unfortunately, not every administrator can be quite so cavalier.

Most of the recipes in this chapter discuss methods for securing access to routers through important measures such as assigning usernames and passwords, controlling access-line parameters, handling remote access protocols, and affecting privileges of users and commands.

There are several important prerequisites for this discussion. You should understand what VTYs and access lines are. You should also have knowledge of user and command privilege levels. These topics are discussed in Chapters Chapter 4 and Chapter 13 of Cisco IOS In A Nutshell (O’Reilly).

We discuss best practices and provide a number of valuable recommendations in this chapter. We recommend referring to the National Security Agency (NSA) router security documents for more information. This extremely useful set of recommendations covers many different types of systems, including Cisco routers. You can download the Cisco section of this document from http://www.nsa.gov/snac/cisco.

Many examples in this chapter make limited use of Cisco’s advanced authentication methodology called Authentication, Authorization, and Accounting (AAA). In this ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596003676Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cisco Cookbook

by Kevin Dooley, Ian Brown

Chapter 3. User Access and Privilege Levels

3.0. Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.