08-15-2008 12:10 PM - edited 03-03-2019 11:09 PM
Howdy all, sorry to post again, but I've got a few more additional questions in regard to this migration. Firstly, here's the existing config off our current router (2501):
version 11.1
service slave-log
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router
!
clock timezone EST -5
enable password 7 ******
!
ip subnet-zero
ip domain-list *****
ip domain-list *****
ip dhcp-server 10.1.1.50
ip dhcp-server 10.1.1.17
!
stun peer-name 10.4.0.1
stun protocol-group 9 basic
location ******
!
interface Loopback0
ip address 10.4.0.1 255.255.0.0
!
interface Ethernet0
ip address 10.1.1.110 255.255.0.0
ip helper-address 10.1.1.50
ip helper-address 10.1.1.17
no ip mroute-cache
no ip route-cache
!
interface Serial0
description point-to-point T1 CH 1-23
ip address 10.2.1.110 255.255.0.0
ip helper-address 10.1.1.50
ip helper-address 10.1.1.17
no ip mroute-cache
no ip route-cache
!
interface Serial1
description DLCI 100 PVC=T1 CIR=768
no ip address
no ip mroute-cache
encapsulation frame-relay
no ip route-cache
shutdown
!
interface Serial1.1 point-to-point
description DLCI 110 PVC=256 CIR=128
ip address 10.6.1.110 255.255.0.0
no ip mroute-cache
no ip route-cache
shutdown
frame-relay interface-dlci 110
!
interface Serial1.2 point-to-point
description DLCI 120 PVC=512 CIR=256
ip address 10.7.1.110 255.255.0.0
no ip mroute-cache
no ip route-cache
bandwidth 256
shutdown
frame-relay interface-dlci 120
!
interface Serial1.3 point-to-point
description DLCI 977 Frame Relay CNMS
ip address 204.159.60.166 255.255.255.0
no ip mroute-cache
no ip route-cache
shutdown
frame-relay interface-dlci 977
!
router rip
network 10.0.0.0
!
ip host siteb 10.3.1.110
ip domain-name *****
ip name-server 10.1.1.26
ip name-server 10.1.1.27
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.120
ip route 10.3.0.0 255.255.0.0 10.2.1.111
ip route 10.9.0.0 255.255.0.0 10.1.1.120
ip route 10.20.0.0 255.255.0.0 10.1.1.120
ip route 10.30.0.0 255.255.0.0 10.1.1.120
ip http server
logging console critical
logging trap notifications
logging 10.1.1.40
!
snmp-server community public RO
snmp-server chassis-id *****
banner motd
This is an official computer system of ******. It is for authorized users only. Unauthorized users are prohibited. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
!
line con 0
password 7
login
line aux 0
transport input all
line vty 0 4
password 7
login
line vty 5 15
password 7
login
!
end
I edited out some of the sensitive stuff but everything else is the same. First question, I notice that all of our possible routes are defined statically, is there still a need for RIP to be enabled? Is it a "big deal" to leave it on if it's in essence not being used?
Second question is in regards to the "no ip mroute-cache" and "no ip route-cache" statements on most of the interfaces. I've read some generic descriptions of them; I'm just not sure why they would be turned off. More SNA compatibility?
Third question, I've read a little about the udp & tcp small servers commands and most of it referred to exploits with them. Is this something I should turn off?
Thanks for your time and help with this!
08-15-2008 02:40 PM
Hello,
I edited out some of the sensitive stuff but everything else is the same. First question, I notice that all of our possible routes are defined statically, is there still a need for RIP to be enabled? Is it a "big deal" to leave it on if it's in essence not being used?
That is up to you. Does the network change, or are there multiple routes to one destination? If so, you might want to look into using a routing protocol like OSPF or EIGRP. Here are some quick step-by-step guides you could follow.
ospf
http://www.learnios.com/viewtopic.php?f=13&t=76
EIGRP
http://www.learnios.com/viewtopic.php?f=14&t=38
Second question is in regards to the "no ip mroute-cache" and "no ip-route-cache" statements on most of the interfaces, I've read some generic descriptions of them I'm just not sure why they would be turned off, more SNA compatibility?
I would just leave them off and give it a try. I bet it's a really old concern dealing with the route being outdated but still in cache.
Third Question, I've read a little about the upd & tcp small servers commands and most of it referred to exploits with them. Is this something I should turn off?
Yes, if you don't plan on using it, turn it off.
08-18-2008 09:37 PM
Hi Brenteverett,
For security reasons, the following services should be turned off:
1. service tcp-small-servers (no service tcp-small-servers)
2. service udp-small-servers (no service udp-small-servers)
3. http server (no ip http server)
With regards to route propagation, RIP isn't very good at propagating routes. As a reference to your configuration, static routes are preferable since there are discontiguous networks.
Please let me know if it helps.
Thanks,
k0rg
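As an added example that is not part of the thread, the script below audits an IOS-style running-config for the three services listed in the answer above and prints the "no ..." lines that turn them off. It also flags two settings that are visible in the posted 2501 config but that nobody in the thread mentions, the read-only SNMP community "public" and "transport input all" on the AUX line; both are standard IOS hardening items and are marked as such in the code. SAMPLE_CONFIG is a constructed, trimmed copy of the config above, re-indented the way IOS actually prints it (subcommands are indented by one space), which is what the parser keys on. One caveat when you run something like this against the new 1841: on IOS 12.0 and later the small servers are disabled by default, so a config where they are off simply does not contain the "service ... small-servers" lines, and a clean audit there does not mean the "no" commands were ever needed.

```python
"""Flag risky services in a Cisco IOS running-config and emit the
"no ..." lines that turn them off.  Added example, not from the thread.
SAMPLE_CONFIG is a constructed, trimmed copy of the 2501 config in the
post, re-indented the way IOS prints it (one space per subcommand)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

SAMPLE_CONFIG = """\
version 11.1
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router
!
interface Ethernet0
 ip address 10.1.1.110 255.255.0.0
 no ip route-cache
!
router rip
 network 10.0.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.120
ip http server
!
snmp-server community public RO
!
line con 0
 password 7
 login
line aux 0
 transport input all
line vty 0 4
 password 7
 login
!
end
"""


@dataclass(frozen=True)
class Check:
    name: str
    context: Optional[str]   # regex on the enclosing top-level command; None = global
    pattern: str             # regex on the command itself
    fix: Tuple[str, ...]     # config lines that remediate the finding


CHECKS = [
    Check("TCP small servers (echo/chargen/discard/daytime) enabled", None,
          r"^service tcp-small-servers$", ("no service tcp-small-servers",)),
    Check("UDP small servers enabled", None,
          r"^service udp-small-servers$", ("no service udp-small-servers",)),
    Check("HTTP management server enabled", None,
          r"^ip http server$", ("no ip http server",)),
    # The two checks below go beyond what the thread names; both are
    # standard IOS hardening and both settings appear in the posted config.
    Check("SNMP read-only community is the well-known default 'public'", None,
          r"^snmp-server community public\b", ("no snmp-server community public",)),
    Check("AUX line accepts any transport", r"^line aux\b",
          r"^transport input all$", ("line aux 0", " transport input none")),
]


def flatten(config: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (context, command).  context is the enclosing top-level command
    for indented subcommands and None for global commands; '!' separators
    and blank lines are skipped."""
    context: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            yield context, raw.strip()
        else:
            context = raw.strip()
            yield None, context


def audit(config: str) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (check name, offending line, fix lines) for every hit."""
    findings = []
    for ctx, cmd in flatten(config):
        for chk in CHECKS:
            if chk.context is None:
                in_scope = ctx is None
            else:
                in_scope = ctx is not None and re.match(chk.context, ctx) is not None
            if in_scope and re.match(chk.pattern, cmd):
                where = cmd if ctx is None else f"{ctx} / {cmd}"
                findings.append((chk.name, where, chk.fix))
    return findings


def remediation(config: str) -> List[str]:
    """The config lines to paste in, in the order the findings appear."""
    lines: List[str] = []
    for _, _, fix in audit(config):
        lines.extend(fix)
    return lines


if __name__ == "__main__":
    for name, where, _ in audit(SAMPLE_CONFIG):
        print(f"[!] {name}: {where}")
    print("\nRemediation:")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

The regexes are anchored at the start of the line on purpose: "no service tcp-small-servers" must not trip the check, and a check scoped to "line aux" must not fire on the same subcommand under "line vty".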
08-22-2008 05:53 AM
Thanks for your help (and the other poster too). I've disabled tcp and udp small servers on the new config as well as disabling the http server (didn't use it anyway). I'm still not sure about the route-cache and mroute-cache question. I'm struggling to find a good description of it.
08-22-2008 05:56 AM
Woops! Anybody know where the serial number is located on these things? (1841 that is) I ran a "show ver, show run, show hardware, and show inventory", the only one that returned serial numbers was show inventory however there were several listed. Which is the real one?
08-22-2008 07:41 AM
Allen
When I do show inventory on an 1841 the second line of output starts with PID:CISCO1841 and has SN that gives the serial number that agrees with the SN on the external sticker.
HTH
Rick
08-22-2008 07:49 AM
It's the same for me as well, thanks!
08-28-2008 01:16 PM
Sorry guys, another "stupid" question in regards to this. With my "default" (for lack of a better word) route statement it points to my firewall, does that sound correct?
ip route 0.0.0.0 0.0.0.0 10.1.1.120
08-28-2008 04:59 PM
Brent
It is pretty common to have the default route on a router use as the next hop the address of the firewall.
When you think about it, what the default route does for the router is to say that if you have a packet to forward and you do not know exactly how to forward it, then here is an address to send it to and perhaps they will know better how to route it. And from the perspective of most routers the default would have its next hop be the path that goes to the Internet. And the path to the Internet frequently goes through the firewall.
HTH
Rick
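To make the "if you do not know exactly how to forward it" rule concrete, here is an added example (not from the thread) that performs a longest-prefix-match lookup over the routes in the posted 2501 config. STATIC_ROUTES is the "ip route" block from the config verbatim; CONNECTED is constructed from the interface addresses in it (the Serial1 subinterfaces are shut down, so they are left out). The lookup also models the one caveat worth knowing with an old config like this: the posted config has "ip classless", and without it a destination inside a major network the router already has subnet routes for (10.0.0.0/8 here) would be dropped instead of being handed to the default route at the firewall.

```python
"""Longest-prefix lookup over the routes in the posted 2501 config, to show
what the default route actually catches.  Added example, not from the
thread.  STATIC_ROUTES is the 'ip route' block from the config verbatim;
CONNECTED is constructed from the interface addresses on it (the Serial1
subinterfaces are shut down, so they are left out)."""
import ipaddress
from typing import List, Optional, Tuple

STATIC_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 10.1.1.120
ip route 10.3.0.0 255.255.0.0 10.2.1.111
ip route 10.9.0.0 255.255.0.0 10.1.1.120
ip route 10.20.0.0 255.255.0.0 10.1.1.120
ip route 10.30.0.0 255.255.0.0 10.1.1.120
"""

CONNECTED = [
    ("10.1.0.0/16", "connected Ethernet0"),
    ("10.2.0.0/16", "connected Serial0"),
    ("10.4.0.0/16", "connected Loopback0"),
]

Route = Tuple[ipaddress.IPv4Network, str]


def parse_static_routes(text: str) -> List[Route]:
    """Turn 'ip route NET MASK NEXTHOP' lines into (network, next-hop) pairs."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            table.append((net, parts[4]))
    return table


def build_table() -> List[Route]:
    """Connected routes plus the static routes, as the router would hold them."""
    connected = [(ipaddress.ip_network(n), via) for n, via in CONNECTED]
    return connected + parse_static_routes(STATIC_ROUTES)


def classful_major(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Classful major network of an address (class A = /8, B = /16, C = /24)."""
    first = int(addr) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def lookup(table: List[Route], dst: str, classless: bool = True) -> Optional[Route]:
    """Longest-prefix match.  With classless=False (the behaviour without
    'ip classless') a destination inside a major network the router has
    subnet routes for is dropped rather than sent to the default route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is not None and best[0].prefixlen == 0 and not classless:
        major = classful_major(addr)
        if any(net.prefixlen > 0 and net.subnet_of(major) for net, _ in table):
            return None
    return best


if __name__ == "__main__":
    table = build_table()
    for dst in ("10.1.1.50", "10.3.5.7", "10.77.1.1", "8.8.8.8"):
        hit = lookup(table, dst)
        print(dst, "->", hit[1] if hit else "dropped", "via", hit[0] if hit else "-")
```

Running it shows the behaviour Rick describes: 10.3.x traffic matches the /16 static and goes to 10.2.1.111, hosts on the Ethernet segment match the connected /16, and anything with no more specific match (an Internet address, or an unknown 10.x subnet) falls through to 0.0.0.0/0 and is sent to the firewall at 10.1.1.120.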