
Cisco 2501 to 1841 Questions

brenteverett
Level 1

Howdy all, sorry to post again but I've got a few more additional questions in regards to this migration. Firstly here's the existing config off our current router (2501):

version 11.1

service slave-log

service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname router

!

clock timezone EST -5

enable password 7 ******

!

ip subnet-zero

ip domain-list *****

ip domain-list *****

ip dhcp-server 10.1.1.50

ip dhcp-server 10.1.1.17

!

stun peer-name 10.4.0.1

stun protocol-group 9 basic

location ******

!

interface Loopback0

ip address 10.4.0.1 255.255.0.0

!

interface Ethernet0

ip address 10.1.1.110 255.255.0.0

ip helper-address 10.1.1.50

ip helper-address 10.1.1.17

no ip mroute-cache

no ip route-cache

!

interface Serial0

description point-to-point T1 CH 1-23

ip address 10.2.1.110 255.255.0.0

ip helper-address 10.1.1.50

ip helper-address 10.1.1.17

no ip mroute-cache

no ip route-cache

!

interface Serial1

description DLCI 100 PVC=T1 CIR=768

no ip address

no ip mroute-cache

encapsulation frame-relay

no ip route-cache

shutdown

!

interface Serial1.1 point-to-point

description DLCI 110 PVC=256 CIR=128

ip address 10.6.1.110 255.255.0.0

no ip mroute-cache

no ip route-cache

shutdown

frame-relay interface-dlci 110

!

interface Serial1.2 point-to-point

description DLCI 120 PVC=512 CIR=256

ip address 10.7.1.110 255.255.0.0

no ip mroute-cache

no ip route-cache

bandwidth 256

shutdown

frame-relay interface-dlci 120

!

interface Serial1.3 point-to-point

description DLCI 977 Frame Relay CNMS

ip address 204.159.60.166 255.255.255.0

no ip mroute-cache

no ip route-cache

shutdown

frame-relay interface-dlci 977

!

router rip

network 10.0.0.0

!

ip host siteb 10.3.1.110

ip domain-name *****

ip name-server 10.1.1.26

ip name-server 10.1.1.27

ip classless

ip route 0.0.0.0 0.0.0.0 10.1.1.120

ip route 10.3.0.0 255.255.0.0 10.2.1.111

ip route 10.9.0.0 255.255.0.0 10.1.1.120

ip route 10.20.0.0 255.255.0.0 10.1.1.120

ip route 10.30.0.0 255.255.0.0 10.1.1.120

ip http server

logging console critical

logging trap notifications

logging 10.1.1.40

!

snmp-server community public RO

snmp-server chassis-id *****

banner motd

This is an official computer system of ******. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

!

line con 0

password 7

login

line aux 0

transport input all

line vty 0 4

password 7

login

line vty 5 15

password 7

login

!

end

I edited out some of the sensitive stuff but everything else is the same. First question, I notice that all of our possible routes are defined statically, is there still a need for RIP to be enabled? Is it a "big deal" to leave it on if it's in essence not being used?

Second question is in regards to the "no ip mroute-cache" and "no ip-route-cache" statements on most of the interfaces, I've read some generic descriptions of them I'm just not sure why they would be turned off, more SNA compatibility?

Third question, I've read a little about the udp & tcp small servers commands and most of it referred to exploits with them. Is this something I should turn off?

Thanks for your time and help with this!

8 Replies

johnakeating
Level 1

Hello,

I edited out some of the sensitive stuff but everything else is the same. First question, I notice that all of our possible routes are defined statically, is there still a need for RIP to be enabled? Is it a "big deal" to leave it on if it's in essence not being used?

That is up to you. Does the network change, or are there multiple routes to one destination? If so, you might want to look into using a routing protocol like OSPF or EIGRP. Here are some quick step-by-step guides you could follow.

OSPF

http://www.learnios.com/viewtopic.php?f=13&t=76

EIGRP

http://www.learnios.com/viewtopic.php?f=14&t=38

Second question is in regards to the "no ip mroute-cache" and "no ip-route-cache" statements on most of the interfaces, I've read some generic descriptions of them I'm just not sure why they would be turned off, more SNA compatibility?

I would just leave them off and give it a try. I bet it's a really old concern dealing with the route being outdated but still in cache.

Third question, I've read a little about the udp & tcp small servers commands and most of it referred to exploits with them. Is this something I should turn off?

Yes, if you don't plan on using it, turn it off.

joseph.derrick
Level 1

Hi Brenteverett,

For some security reasons the following services should be turned off:

1. service tcp-small-servers (no service tcp-small-servers)

2. service udp-small-servers (no service udp-small-servers)

3. http server (no ip http server)

With regard to route propagation, RIP isn't very good at propagating routes. In reference to your configuration, static routes are preferable since there are discontiguous networks.

Please let me know if it helps.

Thanks,

k0rg
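
A small check for the three services listed in the reply above, added here as an example (it is not from the thread or from Cisco): it reads a saved running-config and reports whether each service is explicitly enabled or disabled, then lists the `no` commands still needed. The function names and the sample text are constructed for illustration; a command that does not appear in the config is reported as "not stated" because its default depends on the IOS release.

```python
import re

# Global config commands for the services named in the reply above.
SERVICES = (
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip http server",
)

# Constructed sample: a few lines excerpted from the config posted in the thread.
SAMPLE = """\
version 11.1
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router
!
ip classless
ip http server
logging 10.1.1.40
"""

def audit(config_text):
    """Return {command: 'enabled' | 'disabled' | 'not stated'}.

    The last matching statement wins, as it does when a config is
    applied line by line from top to bottom.
    """
    state = {cmd: "not stated" for cmd in SERVICES}
    for raw in config_text.splitlines():
        # Normalise spacing and case so pasted configs still match.
        line = re.sub(r"\s+", " ", raw.strip()).lower()
        negated = line.startswith("no ")
        if negated:
            line = line[3:]
        if line in state:
            state[line] = "disabled" if negated else "enabled"
    return state

def remediation(state):
    """Commands to enter in global configuration mode for services still on."""
    return [f"no {cmd}" for cmd in SERVICES if state[cmd] == "enabled"]

if __name__ == "__main__":
    result = audit(SAMPLE)
    for cmd, status in result.items():
        print(f"{cmd:28} {status}")
    print("\n".join(remediation(result)))
```

Running the same audit on the 1841's config after the migration confirms the three lines did not get carried over from the 2501.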

Thanks for your help (and the other poster too), I've disabled tcp and udp small servers on the new config as well as disabling the http server (didn't use it anyways). I'm still not sure about the route-cache and mroute-cache question. I'm struggling to find a good description of it.

Woops! Anybody know where the serial number is located on these things? (1841 that is) I ran a "show ver, show run, show hardware, and show inventory", the only one that returned serial numbers was show inventory however there were several listed. Which is the real one?

Allen

When I do show inventory on an 1841 the second line of output starts with PID:CISCO1841 and has SN that gives the serial number that agrees with the SN on the external sticker.

HTH

Rick

It's the same for me as well, thanks!

brenteverett
Level 1

Sorry guys, another "stupid" question in regards to this. With my "default" (for lack of a better word) route statement it points to my firewall, does that sound correct?

ip route 0.0.0.0 0.0.0.0 10.1.1.120

Brent

It is pretty common to have the default route on a router use as the next hop the address of the firewall.

When you think about it, what the default route does for the router is to say that if you have a packet to forward and you do not know exactly how to forward it, then here is an address to send it to and perhaps they will know better how to route it. And from the perspective of most routers the default would have its next hop be the path that goes to the Internet. And the path to the Internet frequently goes through the firewall.

HTH

Rick
