Wednesday, 30 October 2013

Cisco configuration best practices - No Redistribution Metrics Defined for EIGRP

No Redistribution Metrics Defined for EIGRP

Exception: No Redistribution Metrics Defined for EIGRP
Category: EIGRP
OS type: IOS
Risk: Medium
Description: When configuring redistribution into EIGRP, always define the metrics EIGRP should use with the metric or default-metric keywords. Each protocol uses a different metric, so the values EIGRP should assign to the imported routes must be stated explicitly; without them the redistributed routes are not installed. EIGRP needs five metric components when redistributing other protocols: bandwidth (kbit/s), delay (tens of microseconds), reliability (out of 255), load (out of 255) and MTU (bytes). Redistributing IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so no metric or default-metric command is needed in that case.
Recommendation: For example, when configuring RIP redistribution into EIGRP, add the metrics in one of the following two ways (default-metric is a separate command under the EIGRP process, not a keyword of redistribute):

router eigrp 1
 redistribute rip metric 10000 100 255 1 1500

or

router eigrp 1
 redistribute rip
 default-metric 10000 100 255 1 1500

Note: the values "10000 100 255 1 1500" are only an example; other values may suit your environment. The general formats under EIGRP are:

redistribute <protocol> metric <bandwidth> <delay> <reliability> <load> <mtu>

or

default-metric <bandwidth> <delay> <reliability> <load> <mtu>

Reference URL: Redistributing Routing Protocols
Corrective action: Define metrics when redistributing into EIGRP with the metric or default-metric keywords.
Warning: Redistributing IGRP/EIGRP into another IGRP/EIGRP process does not require any metric conversion, so no metric or default-metric command is needed in that case.






Cisco configuration best practices - No EIGRP router-id configured

No EIGRP router-id configured

Exception: No EIGRP router-id configured
Category: EIGRP
OS type: IOS
Risk: Medium
Description: If no router ID is configured explicitly, EIGRP uses the highest IP address on a loopback interface when one is configured; if no loopback interface is configured, it uses the highest IP address configured on a physical interface. Because that choice follows whatever addresses happen to be configured and up, it is not deterministic, and two routers can end up with the same ID. Duplicate router IDs prevent external EIGRP routes from being installed in the topology table: a router drops an external route whose originating router ID matches its own, so the affected prefixes silently disappear. For deterministic behaviour, configure an EIGRP router ID of your choosing on every EIGRP-speaking device.
Reference URL: Preventing Duplicate Router Ids
Corrective action: Configure the router ID with the "eigrp router-id" command under the EIGRP process, using an address that is unique across the EIGRP domain.


Cisco configuration best practices - EIGRP MD5 Disabled on Interface

EIGRP MD5 Disabled on Interface

Exception: EIGRP MD5 Disabled on Interface
Category: EIGRP; Security
OS type: IOS
Risk: Medium
Description: This rule flags EIGRP-enabled interfaces on which EIGRP authentication is not configured. Without authentication any host on the segment can form an adjacency and inject or withdraw routes.
Recommendation: Apply MD5 authentication on every EIGRP interface so that EIGRP packets are accepted only from neighbours holding the shared key.
Reference URL: Configuring EIGRP Route Authentication
Corrective action: Enable EIGRP authentication on the interface with "ip authentication mode eigrp <as> md5" together with "ip authentication key-chain eigrp <as> <key-chain>", referencing a key chain defined globally; both commands are needed, and the key chain name and key string must match on every neighbour.
Warning: In some scenarios there are many EIGRP-enabled interfaces that have no EIGRP neighbours. MD5 authentication is not required on those, but they should be made passive instead.


Cisco configuration best practices - Default EIGRP Passive Interface not configured

Default EIGRP Passive Interface not configured

Exception: Default EIGRP Passive Interface not configured.
Category: EIGRP
OS type: IOS
Risk: Medium
Description: In large service provider and enterprise networks, some distribution-layer routers have a large number of interfaces, for example at the WAN edge. A common practice to simplify the routing-protocol configuration on such routers is to enable the routing process on a network range that matches several of the interfaces. While this technique simplifies the configuration, enabling routing indiscriminately on several or all interfaces increases the chance that an unauthorised routing peer is inserted. Unnecessary routing-protocol exchanges also add CPU overhead on the router. To prevent these problems, set all interfaces passive by default with the 'passive-interface default' command. This inverts the configuration logic to passive-by-default, so the interfaces where adjacencies are expected must then be configured with the 'no passive-interface' command. Setting an interface passive stops routing packets from being sent on it, so adjacencies are not formed in Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP) on that interface. The interface's subnet is still advertised on the other interfaces.
Corrective actions: Under the 'router eigrp' block, configure the following. The argument of each 'no passive-interface' command is an interface that must participate in EIGRP and form adjacencies.

   passive-interface default
   no passive-interface <interface>
   no passive-interface <interface>
   no passive-interface <interface>

Warning: On routers with a small number of interfaces you can instead set 'passive-interface' manually on the interfaces where no adjacency is desired, rather than using 'passive-interface default'. The rule also does not apply when every layer 3 interface is designed to participate in the EIGRP domain.
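The three interface-level rules above (missing router ID, missing MD5 authentication, missing 'passive-interface default') can be checked together from the configuration text. The script below is an added example written for this page, not code from the original posts or from any Cisco tool. The configuration, interface names and AS number are constructed for the example, and the key chain EIGRP-KEYS is assumed to be defined elsewhere in the config. Two approximations: IOS picks the automatic router ID only among interfaces that are up, which a static config check cannot see, and wildcard masks are assumed contiguous.

```python
import ipaddress
import re

# Constructed IOS configuration, not from a real device: Loopback0 is passive, Gi0/0 speaks EIGRP
# with MD5, Gi0/1 speaks EIGRP unauthenticated, Gi0/2 lies outside the EIGRP network range.
# (The key chain EIGRP-KEYS is assumed to be defined elsewhere in the config.)
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 EIGRP-KEYS
interface GigabitEthernet0/1
 ip address 10.1.2.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.168.50.1 255.255.255.0
router eigrp 1
 network 10.0.0.0
 passive-interface Loopback0
 no auto-summary
"""

def sections(config):
    """(header, child lines) per IOS stanza; children are the one-space-indented lines."""
    out = []
    for line in config.splitlines():
        if line.strip() and not line.startswith("!"):
            if not line.startswith(" "):
                out.append((line.strip(), []))
            elif out:
                out[-1][1].append(line.strip())
    return out

def interface_table(config):
    """name -> (IPv4Interface or None, child lines) for each interface stanza."""
    table = {}
    for header, body in sections(config):
        if header.startswith("interface "):
            m = next(filter(None, (re.match(r"ip address (\S+) (\S+)$", l) for l in body)), None)
            table[header.split()[1]] = (ipaddress.IPv4Interface(f"{m[1]}/{m[2]}") if m else None, body)
    return table

def network_statements(body):
    """Ranges from 'network A.B.C.D [wildcard]'; without a wildcard IOS uses the classful network."""
    nets = []
    for m in (re.match(r"network (\S+)(?: (\S+))?$", l) for l in body):
        if not m:
            continue
        addr, wildcard = m.groups()
        if wildcard is None:
            first = int(addr.split(".")[0])
            plen = 8 if first < 128 else 16 if first < 192 else 24
        else:  # contiguous wildcard assumed: prefix length = 32 - number of wildcard bits
            plen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
        nets.append(ipaddress.IPv4Network(f"{addr}/{plen}", strict=False))
    return nets

def router_id(ifaces, body):
    """(router_id, explicit): the configured 'eigrp router-id', else IOS' automatic choice of the
    highest loopback address, falling back to the highest address on any other interface."""
    for line in body:
        if line.startswith("eigrp router-id "):
            return line.split()[2], True
    addrs = {n: a.ip for n, (a, _) in ifaces.items() if a is not None}
    loops = [ip for n, ip in addrs.items() if n.lower().startswith("loopback")]
    pool = loops or list(addrs.values())
    return (str(max(pool)) if pool else None), False

def passive_interfaces(ifaces, body):
    """(passive interface names, whether 'passive-interface default' is configured)."""
    default = "passive-interface default" in body
    passive = set(ifaces) if default else set()
    for m in (re.match(r"(no )?passive-interface (\S+)$", l) for l in body):
        if m and m[2] != "default":
            (passive.discard if m[1] else passive.add)(m[2])
    return passive, default

def audit(config):
    """Findings worded as in the rule table; an empty list means the three rules pass."""
    procs = [(h.split()[2], b) for h, b in sections(config) if h.startswith("router eigrp ")]
    if not procs:
        return []
    asn, body = procs[0]
    ifaces, findings = interface_table(config), []
    rid, explicit = router_id(ifaces, body)
    if not explicit:
        findings.append(f"No EIGRP router-id configured (IOS would pick {rid})")
    passive, default = passive_interfaces(ifaces, body)
    if not default:
        findings.append("Default EIGRP Passive Interface not configured")
    nets = network_statements(body)
    for name, (addr, lines) in sorted(ifaces.items()):
        if addr is None or name in passive or not any(addr.ip in n for n in nets):
            continue  # not EIGRP-enabled, or passive: no adjacency, so no MD5 to check
        mode = f"ip authentication mode eigrp {asn} md5" in lines
        chain = any(l.startswith(f"ip authentication key-chain eigrp {asn} ") for l in lines)
        if not (mode and chain):
            findings.append(f"EIGRP MD5 Disabled on Interface {name}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the missing router ID (with the loopback address IOS would choose), the missing passive default, and GigabitEthernet0/1 as unauthenticated; Loopback0 is skipped because it is passive, and GigabitEthernet0/2 because 192.168.50.1 is outside the classful 10.0.0.0/8 range. Adding an explicit router ID, 'passive-interface default' with the two 'no passive-interface' lines, and the two authentication commands on Gi0/1 brings the list down to empty.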


Cisco configuration best practices - EIGRP auto summarization enabled (default enabled)

EIGRP auto summarization enabled (default enabled)

Exception: EIGRP auto summarization enabled (default enabled)
Category: EIGRP
OS type: IOS
Risk: High
Description: With auto-summarisation on, EIGRP summarises to the classful network boundary whenever it advertises out of an interface in a different major network. This partitions a network whose major network is discontiguous, i.e. whose subnets are split across different parts of the topology: each side advertises only the classful summary, the routers in between receive the same summary from both sides, and the specific subnets behind the far side become unreachable.
The default behaviour of EIGRP auto-summarisation changed in Cisco IOS releases 15.0(1)M, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI4 and later, where it is disabled by default; on older images it must be turned off explicitly.
Corrective action:

router eigrp <as>
 no auto-summary

Reference URL: EIGRP auto summarization enabled
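The two process-level EIGRP rules on this page, the redistribution metrics of the first post and the auto-summarisation default above, both reduce to inspecting the 'router eigrp' stanza, so one added example covers both. The script is written for this page and is not code from the original posts or from Cisco. The AS numbers, the OSPF process and the 'version' lines are invented for the example. The release-dependent default is applied as the post states it: off from 15.0(1)M onward, and in the listed 12.2(33) trains, which a bare 'version 12.2' line cannot distinguish from older 12.2 images, so those cases are reported as needing manual confirmation. EIGRP-to-EIGRP redistribution is exempted, as the first post notes.

```python
import re

# Constructed 'router eigrp' stanzas, not taken from a real device. BAD redistributes RIP and an
# OSPF process without metrics; the two FIXED variants add them in the two ways the post describes.
BAD = """\
version 12.4
router eigrp 1
 network 10.0.0.0
 redistribute rip
 redistribute ospf 10
 redistribute eigrp 2
"""
FIXED_INLINE = """\
version 15.2
router eigrp 1
 network 10.0.0.0
 redistribute rip metric 10000 100 255 1 1500
 redistribute ospf 10 metric 10000 100 255 1 1500
 redistribute eigrp 2
"""
FIXED_DEFAULT = """\
version 12.4
router eigrp 1
 network 10.0.0.0
 redistribute rip
 redistribute ospf 10
 default-metric 10000 100 255 1 1500
 no auto-summary
"""

METRIC = r"(\d+) (\d+) (\d+) (\d+) (\d+)"  # bandwidth delay reliability load mtu

def eigrp_blocks(config):
    """Yield (asn, child lines) for every 'router eigrp' stanza; children are space-indented."""
    for m in re.finditer(r"^router eigrp (\d+)\n((?: .*\n)*)", config, re.M):
        yield m.group(1), [line.strip() for line in m.group(2).splitlines()]

def metric_ok(groups):
    """Five components present; reliability is 0-255 and load 1-255 on IOS, the others positive."""
    bandwidth, _delay, reliability, load, mtu = map(int, groups)
    return bandwidth > 0 and reliability <= 255 and 0 < load <= 255 and mtu > 0

def missing_metrics(config):
    """(asn, protocol) pairs redistributed into EIGRP with neither a usable inline metric nor a
    process-wide default-metric. EIGRP-to-EIGRP is exempt: the composite metric carries over."""
    findings = []
    for asn, body in eigrp_blocks(config):
        default = next((re.match(f"default-metric {METRIC}$", line) for line in body
                        if line.startswith("default-metric ")), None)
        for line in body:
            m = re.match(r"redistribute (\S+)(.*)$", line)
            if not m or m.group(1) == "eigrp":
                continue
            chosen = re.search(f"metric {METRIC}", m.group(2)) or default
            if chosen is None or not metric_ok(chosen.groups()):
                findings.append((asn, m.group(1)))
    return findings

AUTO_SUMMARY_OFF_SINCE = (15, 0)  # 15.0(1)M and later default to 'no auto-summary'

def auto_summary_state(config):
    """Per AS: 'disabled', 'enabled', or 'verify'. 'verify' means the stanza relies on the implicit
    default on a 12.2 image, where a bare 'version 12.2' line cannot tell the 12.2(33)SRE/XNE/SXI4
    trains (default off) from older 12.2 trains (default on)."""
    m = re.search(r"^version (\d+)\.(\d+)", config, re.M)
    release = (int(m.group(1)), int(m.group(2))) if m else None
    states = {}
    for asn, body in eigrp_blocks(config):
        if "no auto-summary" in body:
            states[asn] = "disabled"
        elif "auto-summary" in body:
            states[asn] = "enabled"
        elif release is None or release == (12, 2):
            states[asn] = "verify"
        else:
            states[asn] = "disabled" if release >= AUTO_SUMMARY_OFF_SINCE else "enabled"
    return states
```

`missing_metrics(BAD)` returns both RIP and OSPF for AS 1 and nothing for either FIXED variant; a metric with an out-of-range component (for example reliability 999) is reported the same way as a missing one. `auto_summary_state(BAD)` is 'enabled' because a 12.4 image is relied on for its default, while the 15.2 image and the explicit 'no auto-summary' both come out 'disabled'.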


Cisco configuration best practices - BGP Consistency Check not enabled

BGP Consistency Check not enabled

Exception: BGP Consistency Check not enabled
Category: BGP; IP routing
OS type: IOS
Risk: Medium
Description: A BGP route inconsistency with a peer occurs when an update or withdrawal that should have been sent to the peer was not, so the peer keeps forwarding on stale information and traffic is black-holed. The BGP consistency checker looks for such inconsistencies at a configurable interval.

Once the process identifies an inconsistency it reports it with a syslog message and, if the auto-repair keyword is specified, also takes corrective action.

Three checks are available:

  • Next-Hop Label Consistency Check
  • RIB-Out Consistency Check
  • Aggregation Consistency Check

Next-Hop Label Consistency Check:

When two paths have the same next hop because they are advertised by the same provider edge router (PE), they should also carry the same next-hop label. If the labels differ, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

RIB-Out Consistency Check:

If a network passes the outbound policy but was not sent, or a network fails the outbound policy but was sent, there is an inconsistency. If the auto-repair keyword is specified, the system sends a route-refresh request.

Aggregation Consistency Check:

If the specific routes and the aggregate route fall out of sync, an inconsistency can occur. Either the error-message keyword or the auto-repair keyword triggers a re-evaluation of the aggregate.

Corrective action (under the "router bgp" process):

!
bgp consistency-checker {error-message | auto-repair} [interval minutes]
!

error-message: generate a syslog message when an inconsistency is observed.
auto-repair: generate the syslog message and also take the corrective action described above for the inconsistency found.
interval: 5 to 1440 minutes; defaults to 1440 (one day).

Warning: Applies to IOS

  • 15.1(2)S
  • Cisco IOS XE 3.3S.
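The RIB-Out check described above, reproduced as an added Python example (not Cisco code and not part of the original post): a constructed local BGP table, an IOS-style outbound prefix-list (permit/deny entries with an optional 'le', first match wins, implicit deny at the end) and a constructed copy of what was actually advertised to the peer. It reports the two inconsistency directions the post names, shows what a route-refresh driven repair converges to, and separately validates the 'bgp consistency-checker' command syntax and interval range the post gives. The prefixes, policy and peer state are invented; 'ge' and route-map policies are not modelled.

```python
import ipaddress
import re

# Constructed data, not taken from any router.
LOCAL_RIB = ["10.10.0.0/16", "10.20.0.0/16", "192.0.2.0/24", "198.51.100.0/24"]
# Outbound policy as IOS prefix-list entries (action, prefix, le): evaluated in order, implicit deny.
OUT_POLICY = [
    ("permit", "10.0.0.0/8", 16),      # 10/8 and its subnets down to /16
    ("deny", "192.0.2.0/24", None),    # exact-length match only
    ("permit", "0.0.0.0/0", 32),       # everything else
]
# What the peer has actually been sent: one permitted route withheld, one denied route leaked.
ADJ_RIB_OUT = ["10.10.0.0/16", "192.0.2.0/24"]

def permitted(prefix, policy):
    """IOS prefix-list semantics for one prefix: the first matching entry decides, otherwise deny."""
    p = ipaddress.ip_network(prefix)
    for action, entry, le in policy:
        e = ipaddress.ip_network(entry)
        if p.version != e.version or not p.subnet_of(e):
            continue
        longest = e.prefixlen if le is None else le
        if e.prefixlen <= p.prefixlen <= longest:
            return action == "permit"
    return False

def rib_out_inconsistencies(local_rib, policy, adj_rib_out):
    """'missing': passed policy but never sent (the peer black-holes that traffic);
    'leaked': failed policy but still sent (a stale advertisement that should be withdrawn)."""
    should_send = {p for p in local_rib if permitted(p, policy)}
    sent = set(adj_rib_out)
    return {"missing": sorted(should_send - sent), "leaked": sorted(sent - should_send)}

def auto_repair(local_rib, policy, adj_rib_out):
    """The peer view a route-refresh converges to: the missing get advertised, the leaked withdrawn."""
    delta = rib_out_inconsistencies(local_rib, policy, adj_rib_out)
    return sorted((set(adj_rib_out) | set(delta["missing"])) - set(delta["leaked"]))

CHECKER_CMD = re.compile(r"^bgp consistency-checker (error-message|auto-repair)(?: interval (\d+))?$")

def parse_consistency_checker(line):
    """(mode, interval_minutes) for a 'bgp consistency-checker' line. The interval defaults to 1440
    and must be 5-1440 as the post states; ValueError on a malformed or out-of-range line."""
    m = CHECKER_CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a bgp consistency-checker command: {line!r}")
    interval = int(m.group(2)) if m.group(2) else 1440
    if not 5 <= interval <= 1440:
        raise ValueError(f"interval {interval} outside 5-1440 minutes")
    return m.group(1), interval

if __name__ == "__main__":
    print(rib_out_inconsistencies(LOCAL_RIB, OUT_POLICY, ADJ_RIB_OUT))
    print(auto_repair(LOCAL_RIB, OUT_POLICY, ADJ_RIB_OUT))
    print(parse_consistency_checker("bgp consistency-checker auto-repair interval 60"))
```

On the constructed data 10.20.0.0/16 and 198.51.100.0/24 pass policy but were never sent, and 192.0.2.0/24 was sent despite being denied; the repaired Adj-RIB-Out holds exactly the three permitted prefixes, which is what the router's own route-refresh would produce under auto-repair.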


Analysis of Cisco configuration best practices

Introduction:

This section covers Cisco's own recommendations on best practices for configuring Cisco equipment. The table lists every rule, its category, its risk rating and the OS it applies to.

Category        | Risk   | Exception                                                                   | OS
----------------|--------|-----------------------------------------------------------------------------|----
BGP             | Medium | BGP Consistency Check not enabled                                           | IOS
EIGRP           | High   | EIGRP auto summarization enabled (default enabled)                          | IOS
EIGRP           | Medium | Default EIGRP Passive Interface not configured.                             | IOS
EIGRP           | Medium | EIGRP MD5 Disabled on Interface                                             | IOS
EIGRP           | Medium | No EIGRP router-id configured                                               | IOS
EIGRP           | Medium | No Redistribution Metrics Defined for EIGRP                                 | IOS
IP Applications | Medium | HSRP Preempt delay not configured                                           | IOS
IP Applications | Medium | NTP not protected by ACL                                                    | IOS
IP Applications | Medium | Standby delay minimum reload not configured                                 | IOS
IP Applications | Low    | NTP Update Calendar Disabled                                                | IOS
IP Applications | Low    | NTP authentication not enabled                                              | IOS
IP Applications | Low    | NTP enabled without time zone                                               | IOS
IP Applications | Low    | NTP source interface not defined                                            | IOS
IP Applications | Low    | NTP summertime not enabled                                                  | IOS
IP Applications | Low    | No redundant NTP server                                                     | IOS
IP Routing      | Medium | IOS Static Route Missing Parameters                                         | IOS
IP Routing      | Medium | Recursive static routes are present                                         | IOS
IP Routing      | Low    | IP Classless disabled                                                       | IOS
IP Routing      | Low    | Name Parameter Missing from Static Routes                                   | IOS
IP Routing      | Low    | NetBIOS UDP broadcasts enabled                                              | IOS
Infrastructure  | High   | Cisco IOS Image Verification                                                | IOS
Infrastructure  | Low    | Exec enabled on line aux                                                    | IOS
LAN             | High   | Spanning-tree disabled on one or more VLANs                                 | IOS
LAN             | Medium | BPDU Guard Not Enabled                                                      | IOS
LAN             | Medium | Loopguard not configured                                                    | IOS
LAN             | Medium | MAC address move notification not enabled                                   | IOS
LAN             | Medium | Portfast not enabled on access or edge port                                 | IOS
LAN             | Medium | UDLD Globally Disabled                                                      | IOS
LAN             | Medium | VLANs not cleared from trunk                                                | IOS
LAN             | Medium | VTP domain name not set                                                     | IOS
LAN             | Low    | Complete Power-on Diagnostics Disabled                                      | IOS
LAN             | Low    | Dynamic trunking is enabled on a static access port                         | IOS
LAN             | Low    | StackWise SNMP Traps Not Enabled                                            | IOS
Management      | Medium | CDP disabled on an interface                                                | IOS
Management      | Medium | Logging to the console is enabled                                           | IOS
Management      | Medium | Loopback interface not used                                                 | IOS
Management      | Medium | SNMP server memory traps not enabled                                        | IOS
Management      | Medium | Syslog level not set to informational                                       | IOS
Management      | Medium | WarmStart SNMP Traps Not Enabled                                            | IOS
Management      | Low    | CPU Thresholding Notification is not enabled.                               | IOS
Management      | Low    | ColdStart SNMP Traps Not Enabled                                            | IOS
Management      | Low    | Configuration Management SNMP Traps Not Enabled                             | IOS
Management      | Low    | Interface level syslog events not disabled                                  | IOS
Management      | Low    | Interface traps not disabled on at least one interface                      | IOS
Management      | Low    | Linkup and Linkdown SNMP Traps Not Enabled                                  | IOS
Management      | Low    | Memory Threshold Notifications (I-O) Not Enabled                            | IOS
Management      | Low    | Memory Threshold Notifications (Processor) Not Enabled                      | IOS
Management      | Low    | Nagle service disabled                                                      | IOS
Management      | Low    | No interface description                                                    | IOS
Management      | Low    | No redundant SNMP trap receiver                                             | IOS
Management      | Low    | No redundant syslog server                                                  | IOS
Management      | Low    | SNMP Interface Index Persistence not enabled                                | IOS
Management      | Low    | SNMP contact not defined                                                    | IOS
Management      | Low    | SNMP location not defined                                                   | IOS
Management      | Low    | SNMP trap source not defined                                                | IOS
Management      | Low    | SNMP traps not enabled                                                      | IOS
Management      | Low    | Syslog source interface not defined                                         | IOS
Management      | Low    | The Call Home feature is not configured                                     | IOS
Management      | Low    | The Enhanced Crashinfo File Collection feature is not configured.           | IOS
Management      | Low    | Timestamping for debugging not set for datetime                             | IOS
Management      | Low    | Timestamping for logging not set for datetime                               | IOS
Management      | Low    | Unnecessary Syslog SNMP trap configured                                     | IOS
Security        | High   | Enable password not adequately protected                                    | IOS
Security        | High   | SNMP access for IPv4 is not protected with an access-list.                  | IOS
Security        | High   | The aaa authentication login command(s) is/are not configured optimally.    | IOS
Security        | High   | Vlan 1 interface used                                                       | IOS
Security        | Medium | AAA connection accounting disabled                                          | IOS
Security        | Medium | AAA system accounting disabled                                              | IOS
Security        | Medium | DHCP server enabled                                                         | IOS
Security        | Medium | HSRP Updates not authenticated                                              | IOS
Security        | Medium | HSRP Virtual MAC Address not modified                                       | IOS
Security        | Medium | HTTP secure-server is enabled.                                              | IOS
Security        | Medium | HTTP server enabled                                                         | IOS
Security        | Medium | ICMP redirects not disabled on an Interface                                 | IOS
Security        | Medium | IOS Software Resilient Configuration secure boot-config disabled            | IOS
Security        | Medium | Local user account is not protected against potential brute-force attacks   | IOS
Security        | Medium | PAD service enabled                                                         | IOS
Security        | Medium | SNMPv3 not used                                                             | IOS
Security        | Medium | SSH Not Used or Not Used Exclusively for Remote Access.                     | IOS
Security        | Medium | SSH V2 not used for device Access                                           | IOS
Security        | Medium | Security Password Minimum Length Less Than 8                                | IOS
Security        | Medium | Unicast reverse path disabled                                               | IOS
Security        | Medium | VTY line timeout disabled                                                   | IOS
Security        | Medium | VTY line timeout is longer than 30 mins                                     | IOS
Security        | Medium | VTY lines not protected with an access list                                 | IOS
Security        | Low    | A user account is not protected with MD5                                    | IOS
Security        | Low    | Authentication SNMP Traps Not Enabled                                       | IOS
Security        | Low    | BOOTP server enabled                                                        | IOS
Security        | Low    | CDP is enabled globally and active on all interfaces.                       | IOS
Security        | Low    | DHCP lease time low or infinite                                             | IOS
Security        | Low    | ICMP unreachables enabled on all interfaces of this device.                 | IOS
Security        | Low    | IP Source Routing enabled                                                   | IOS
Security        | Low    | IP options allowed                                                          | IOS
Security        | Low    | Incorrectly entered commands will generate a DNS lookup.                    | IOS
Security        | Low    | Password recovery is Enabled                                                | IOS
Security        | Low    | Proxy ARP is enabled                                                        | IOS
Security        | Low    | Redundant AAA server unavailable                                            | IOS
Security        | Low    | Security authentication failure rate disabled                               | IOS
Security        | Low    | Service sequence-numbers not enabled                                        | IOS
Security        | Low    | TACACS+ packets not being sourced from a specifically defined interface     | IOS
Security        | Low    | TCP keepalives not enabled in both directions                               | IOS