What should have been default on Cisco devices

Some things on Cisco switches and routers never should have been on by default. Other things should have been turned on or set differently. This is not how I want them to be configured in the end (I like CDP for example), just how I think they should have been configured from the factory.

(not all commands are supported on all switches/routers. Just ignore error messages from those settings) 

vtp mode transparent
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
service password-encryption 

snmp-server ifindex persist
no service dhcp
logging buffered 1048576 debugging
spanning-tree portfast default
spanning-tree extend system-id
no ip domain-lookup
no ip source-route
no ip bootp server
no ip finger
no cdp run
no ip http server
no ip http secure-server
no ip https server
no https server
vlan dot1q tag native

int range fa0/1 - 24
  switchport mode access
  switchport nonegotiate
  load-interval 30
  flowcontrol receive off
  flowcontrol send off
  no shutdown

int vlan 1
  load-interval 30

line console 0
  escape-character 3
  transport preferred none
  history size 256
  logging sync
line vty 0 4
  escape-character 3
  transport preferred none
  history size 256
  logging sync
line vty 5 15
  escape-character 3
  history size 256
  logging sync
  transport preferred none

Feel free to cut and paste (change according to port configuration). Suggestions to more defaults are welcome.

Comments

Post a Comment

Popular posts from this blog

TPM chip protecting SSH keys - properly

Not long after getting my TPM chip to protect SSH keys in a recent blog post , it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need. So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution. Why not Opencryptoki? It generates at least some keys in software. As I've explained earlier, I want to generate the keys in hardware . It generates migratable keys. This is hardcoded, and some people obviously want migratable keys (for backup purposes). So a fix would have to involve supporting both. Opencryptoki has no way to send such parameters from the command line key generator to the PKCS11 library. So not only would I have to implement the setting , but the whol...
Read more

Next-hop resolution and point-to-point

Image
I had this blog post lying around as a draft for a long time. I didn't think it was was "meaty" enough yet, but since I'm no longer a network consultant I don't think it'll become any meatier. So here it goes. Here I will describe the process of L3-to-L2 mapping, or next-hop resolution and how it works with point-to-point circuits like PPP, ATM and Frame relay. It's the process of finding out what to actually do with a packet once the relevant routing table entry has been identified. It's deceptively simpler than on a LAN segment, but since people generally learn Ethernet before they learn point-to-point nowadays I'm writing it anyway. When a packet is to be sent to an address on the same subnet a L3-to-L2 mapping is done to look up the L2 destination address (if any) to apply. The packet is then encapsulated in a L2 frame and sent out the interface. On a normal Ethernet LAN segment ARP is use...
Read more

OpenSSH certificates

The documentation for OpenSSH certificates (introduced in OpenSSH 5.4) are, shall we say, a bit lacking. So I'm writing down the essentials of what they are and how to use them. What they are NOT They're not SSH PubkeyAuthentication In other words if your .pub file doesn't end in -cert.pub and you haven't used ssh-keygen -s, then you aren't using certificates. They're not SSL Still the same SSH protocol. They're not PEM, x509 ASN.1 or any other insane format This means you cannot get your keys signed by Verisign or any other root CA. And you cannot use multiple levels of CA. They're not easy to google for Most hits will be about normal pubkey authentication. Some will be about older patches to one SSH implementation or another that added some form of PKI, even x509 support. You'll probably have the most luck googling for "ssh-keygen -s" (with quotes). What they do Sign host keys ...
Read more