24th March 2016

Cisco IOS Reference

Applicable to IOS 12.4 on a Cisco 837 with Plus image (for IPv6 support), YMMV. The configuration details herein are mostly fictional (concrete addresses, interfaces).

Basics

Switching modes:

router> enable
router# conf t
router(config)# exit
router# disable
router>

Saving configuration:

router# copy running-config startup-config
router# copy startup-config tftp://192.168.0.100/path/file

Installing new image:

router# copy tftp://192.168.0.100/path/image flash:
router# conf t
router(config)# no boot system flash [oldimage]
router(config)# boot system flash [newimage]
router(config)# exit
router# copy running-config startup-config
router# reload

Debugging:

router# terminal monitor
router# debug ipv6 dhcp
router# no debug ipv6 dhcp
router# no terminal monitor

Identity

Hostname:

router(config)# hostname router
router(config)# ip domain-name example.net

Enable secret:

router(config)# service password-encryption
router(config)# enable secret 0 xxx

"enable secret" is stored as a salted MD5 hash (type 5). "service password-encryption" only applies the reversible type 7 obfuscation to passwords that would otherwise sit in the configuration in clear text ("username ... password", "ppp chap password", line passwords); it defeats shoulder surfing, not an attacker who gets hold of the configuration file.

Banner/MOTD:

router(config)# banner motd #Authorized Access Only!#

SSH

Set up local authentication:

router(config)# aaa new-model
router(config)# username admin password 0 xxx

Prefer "username admin secret 0 xxx" where the release supports it: "password" is stored as a reversible type 7 string once "service password-encryption" is on, "secret" as a hash.
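To show why "enable secret" and "username ... secret" are preferred over "service password-encryption" alone, here is an added Python example (not Cisco's code and not part of the original page) that reverses the type 7 format and scans a configuration excerpt for such strings. The key, the offset scheme and the "cisco" test vector are the publicly documented ones; the configuration lines and the type 5 hash value below are constructed.

```python
"""Cisco IOS type 7 (the "service password-encryption" format) is a fixed-key XOR
and therefore reversible; "enable secret" / "username ... secret" store a hash.
Added example, not Cisco's or the page's own code; the config lines are constructed."""
import re

# Fixed key IOS uses for type 7; it has been public since the 1990s
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Decode a 'password 7 <hex>' value: the first two characters are a decimal
    key offset, the rest one hex byte per cleartext byte XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data)).decode("ascii")


def encode_type7(plain: str, offset: int = 8) -> str:
    """Inverse of decode_type7, useful for producing test vectors."""
    data = plain.encode("ascii")
    out = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{offset:02d}{out.hex().upper()}"


def find_type7(config_text: str):
    """Return (config line, cleartext) for every type 7 value in a config dump."""
    hits = []
    for line in config_text.splitlines():
        m = re.search(r"\s7\s+([0-9A-Fa-f]{4,})\s*$", line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed config excerpt; the type 5 hash value is fictional
SAMPLE_LINES = """\
enable secret 5 $1$fict$ionalhashvalue
username admin password 7 0822455D0A16
interface Dialer1
 ppp chap password 7 0822455D0A16
"""

if __name__ == "__main__":
    for line, clear in find_type7(SAMPLE_LINES):
        print(f"{clear!r:12} <- {line}")
```

Run it against a saved "show running-config" to see everything type 7 protects in clear text; the type 5 line is untouched because it cannot be reversed the same way.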

Configure SSH daemon:

router(config)# ip ssh version 2
router(config)# ip ssh port 22222 rotary 1
router(config)# line vty 0 4
router(config-line)# rotary 1
router(config-line)# exit

A non-default SSH port is bound to a rotary group, which the vty lines have to join; moving the port does not replace the access-class filtering below.

Limit remote logins to SSH from certain IP ranges:

router(config)# access-list 1 permit 192.168.0.0 0.0.0.255
router(config)# access-list 1 permit host 172.16.0.2
router(config)# ipv6 access-list ssh6
router(config-ipv6-acl)# permit ipv6 2001:41E0:FF17:BABE::/64 any
router(config-ipv6-acl)# deny ipv6 any any
router(config-ipv6-acl)# exit
router(config)# line vty 0 4
router(config-line)# transport input ssh
router(config-line)# access-class 1 in
router(config-line)# ipv6 access-class ssh6 in
router(config-line)# exit

Both lists end in an implicit deny, so anything not listed is refused. Keep access list 1 for this purpose only: entries for the same number are appended to one list, never replaced.

Enable/disable and key generation/deletion (hostname and ip domain-name must be set first, the key is named after them; zeroize deletes the RSA keys and thereby disables SSH):

router(config)# crypto key generate rsa modulus 2048
router(config)# crypto key zeroize rsa

Monitoring settings and connections (exec mode):

router# show ip ssh
router# show ssh

ADSL/PPPoA

ADSL configuration for Switzerland using PPPoA:

router(config)# interface ATM0
router(config-if)# no ip address
router(config-if)# atm vc-per-vp 64
router(config-if)# no atm ilmi-keepalive
router(config-if)# dsl operating-mode auto
router(config-if)# pvc 8/35
router(config-if-atm-vc)# encapsulation aal5snap
router(config-if-atm-vc)# protocol ppp dialer
router(config-if-atm-vc)# dialer pool-member 1
router(config-if-atm-vc)# exit
router(config-if)# exit
router(config)# interface Dialer1
router(config-if)# ip address negotiated
router(config-if)# no ip proxy-arp
router(config-if)# ip virtual-reassembly
router(config-if)# encapsulation ppp
router(config-if)# dialer pool 1
router(config-if)# dialer-group 1
router(config-if)# no keepalive
router(config-if)# ppp authentication chap callin
router(config-if)# ppp chap hostname r.u.serious@example.net
router(config-if)# ppp chap password 0 xxx
router(config-if)# ppp ipcp dns request accept
router(config-if)# exit

Default route:

router(config)# ip route 0.0.0.0 0.0.0.0 Dialer1

NTP

Synchronize clock with NTP servers (and implicitly enable NTP service on all interfaces):

router(config)# ntp server swisstime.ethz.ch
router(config)# ntp server ntp.metas.ch

Disable the NTP service on a specific interface:

router(config)# interface Dialer1
router(config-if)# ntp disable
router(config-if)# exit

SNMP

Read-only community xyz limited by access list 2 (a number not used by the SSH and NAT sections, since entries with the same number are appended to one list; the community string itself travels in clear text with SNMP v1/v2c):

router(config)# access-list 2 permit 192.0.2.0 0.0.0.255
router(config)# snmp-server community xyz ro 2

NAT

Mark interfaces as inside or outside:

router(config)# interface Ethernet0
router(config-if)# ip nat outside
router(config-if)# exit
router(config)# interface Ethernet2
router(config-if)# ip nat inside
router(config-if)# exit
router(config)# interface Dialer1
router(config-if)# ip nat outside
router(config-if)# exit

Map inside source addresses onto the Dialer1 external address using NAT overload (access list 3 is dedicated to NAT; reusing number 1 from the SSH section would merge the two lists):

router(config)# access-list 3 permit 192.168.0.0 0.0.0.255
router(config)# ip nat inside source list 3 interface Dialer1 overload

IPv6

Tunnel to Swiss SixXS PoP:

router(config)# ipv6 unicast-routing
router(config)# interface Tunnel0
router(config-if)# description IPv6 uplink to SixXS
router(config-if)# no ip address
router(config-if)# ipv6 enable
router(config-if)# ipv6 nd suppress-ra
router(config-if)# ipv6 address 2001:41E0:FF00:42::2/64
router(config-if)# tunnel source interface Dialer1
router(config-if)# tunnel destination 194.1.163.40
router(config-if)# tunnel mode ipv6ip
router(config-if)# exit
router(config)# ipv6 route 2000::/3 2001:41E0:FF00:42::1
router(config)# ipv6 route 2001:41e0:ff17::/48 Null0

Native IPv6 over ADSL:

router(config)# interface Dialer1
router(config-if)# ipv6 address autoconfig default
router(config-if)# ipv6 enable
router(config-if)# exit
router(config)# interface Loopback0
router(config-if)# ipv6 address 2001:1620:98f::1/64
router(config-if)# exit
router(config)# ipv6 route ::/0 Dialer1
router(config)# ipv6 route 2001:1620:98f::/48 Null0

Configure /64 subnets out of the IPv6 /48 on local interfaces:

router(config)# interface Ethernet0
router(config-if)# ipv6 address 2001:41e0:ff17:face::1/64
router(config-if)# exit
router(config)# interface Ethernet2
router(config-if)# ipv6 address 2001:41e0:ff17:babe::1/64
router(config-if)# exit

Set IPv6 router advertisements interval to 10 seconds:

router(config)# interface Ethernet2
router(config-if)# ipv6 nd ra-interval 10
router(config-if)# exit

Stateful IPv6 firewalling, with Eth2 as inside-out only segment:

router(config)# ipv6 inspect name ipv6all icmp timeout 60
router(config)# ipv6 inspect name ipv6all tcp timeout 600
router(config)# ipv6 inspect name ipv6all udp timeout 600
router(config)# ipv6 inspect name ipv6all ftp timeout 600
router(config)# ipv6 access-list ipv6ingress
router(config-ipv6-acl)# permit icmp any any router-advertisement
router(config-ipv6-acl)# permit icmp any any router-solicitation
router(config-ipv6-acl)# permit icmp any any nd-na
router(config-ipv6-acl)# permit icmp any any nd-ns
router(config-ipv6-acl)# permit icmp any any echo-request
router(config-ipv6-acl)# permit icmp any any echo-reply
router(config-ipv6-acl)# deny ipv6 any any
router(config-ipv6-acl)# exit
router(config)# interface Ethernet2
router(config-if)# ipv6 traffic-filter ipv6ingress out
router(config-if)# ipv6 inspect ipv6all in
router(config-if)# exit

Same with reflexive access lists:

router(config)# ipv6 access-list ipv6ingress
router(config-ipv6-acl)# permit icmp any any router-advertisement
router(config-ipv6-acl)# permit icmp any any router-solicitation
router(config-ipv6-acl)# permit icmp any any nd-na
router(config-ipv6-acl)# permit icmp any any nd-ns
router(config-ipv6-acl)# permit icmp any any echo-request
router(config-ipv6-acl)# permit icmp any any echo-reply
router(config-ipv6-acl)# evaluate ipv6sessions
router(config-ipv6-acl)# deny ipv6 any any
router(config-ipv6-acl)# exit
router(config)# ipv6 access-list ipv6egress
router(config-ipv6-acl)# permit ipv6 2001:1620:98F:BABE::/64 any reflect ipv6sessions
router(config-ipv6-acl)# exit
router(config)# interface Ethernet2
router(config-if)# ipv6 traffic-filter ipv6egress in
router(config-if)# ipv6 traffic-filter ipv6ingress out
router(config-if)# exit

Note that the ICMPv6 rules above are too permissive and should be locked down to the types actually needed (neighbour discovery, router advertisements only in the direction they belong, and the error messages path MTU discovery depends on). Two IOS details matter here: an IPv6 ACL ends with implicit "permit icmp any any nd-na" and "permit icmp any any nd-ns" entries before the implicit deny, so neighbour discovery keeps working even when it is not listed, and a traffic-filter applied inbound on the LAN side has to permit link-local sourced traffic from hosts (router solicitations, MLD reports), which the reflexive "ipv6egress" list above does not.

Hardening

Disable unwanted services:

router(config)# no cdp run
router(config)# no ip http server
router(config)# no ip http secure-server

Disallow processing of IPv6 type 0 routing headers (global command, not per interface; later releases disable it by default):

router(config)# no ipv6 source-route

Filter IPv6 type 0 routing headers but allow other routing headers (only needed if routing headers must be processed at all, e.g. type 2 for Mobile IPv6; type 0 is deprecated by RFC 5095):

router(config)# ipv6 source-route
router(config)# ipv6 access-list deny-sourcerouted
router(config-ipv6-acl)# deny ipv6 any any routing-type 0
router(config-ipv6-acl)# permit ipv6 any any
router(config-ipv6-acl)# exit
router(config)# interface Ethernet0
router(config-if)# ipv6 traffic-filter deny-sourcerouted in
router(config-if)# exit

To be verified (old releases; these are interface commands, and the last two disable fast switching on the interface rather than harden anything):

router(config-if)# no ip redirects
router(config-if)# no ip directed-broadcast
router(config-if)# no ip route-cache
router(config-if)# no ip mroute-cache

Anti-Spoofing (strict uRPF, applied on the outside interface: the source of each incoming packet must be reachable via the interface it arrived on, so CEF has to be enabled and routing has to be symmetric; note that the default route does not satisfy the check unless the "ip verify unicast source reachable-via rx allow-default" form is used, which matters on an interface like Dialer1 that is reached only via the default route):

router(config-if)# ip verify unicast rpf

Directed Broadcasts:

router(config-if)# no ip directed-broadcast

No IP Source Routing:

router(config)# no ip source-route

Remove Unnecessary services:

router(config)# no service tcp-small-servers
router(config)# no service udp-small-servers
router(config)# no service finger

To Be Documented

  • Syslog
  • zone based firewalling
  • IPsec
  • best current practice re: ingress/egress filtering (antispoof, bogons)
  • DHCP
