Leading Cisco networking products distributor-3network.com

1. Top 10 commands of Cisco IOS
Common Cisco IOS Configuration Mistakes
1. Password Verification
One easily made mistake comes with the way that passwords are configured with IOS.
Unlike almost every other password configuration tool available, the password
commands on IOS do not confirm the password being entered. Imagine getting a new
piece of equipment configured and put into the field, then later when remote
management is required, attempting to access the device only to learn that the password
was entered incorrectly. In most cases, the only way to fix this is to have you or someone
else physically on-site. Take care when configuring IOS passwords to ensure the
password is entered correctly.
2. Wildcard Masks
Of the many people that learn IOS, a large number don’t quite understand the concept of
a wildcard mask (or a mask generally). It can be difficult enough to learn the
fundamentals of a simple subnet mask; add in access lists (ACL) and Open Shortest
Path First (OSPF) configurations, and throw in wildcard masks. The thing to remember
about wildcard masks is, like subnet masks, they are easier to grasp when using binary.
A wildcard in binary is just the inverse of the subnet mask; e.g. the subnet mask
255.255.255.0 uses an inverse mask of 0.0.0.255.
3. Clock Rate vs Bandwidth
Another topic that is often the center of confusion when learning IOS is the difference
between clock rate and bandwidth. While practically these two would seem to mean the
same thing, but when configuring IOS they are used for two different tasks. The clock
rate command is used to set the physical speed of an interface (typically serial
interfaces). The bandwidth command is used to set the bandwidth of the interface as
used by a couple of system processes, including interface statistics and routing protocol
metrics. This command is not used in any way to affect the physical speed of an
interface.
4. Telnet vs SSH
For those new to networking, they may not know the major difference between using
Telnet or SSH (Secure Shell) to manage a device. For many IOS devices, Telnet is used
as the default remote management method. The problem with this is that Telnet is not a
secure management method -- often IOS devices are placed into easily accessed
networks and the use of Telnet makes the capture of management passwords very
simple (as they are transmitted in cleartext). Always take the time to implement SSH on
any production IOS device that is going to be accessed remotely.
5. Ethernet Duplex
It can be easy to overlook the Ethernet duplex setting since on many devices it is
configured to be automatically selected. But when using devices that have been statically
1

2. configured it is important to note that half and full duplex Ethernet connections are not
compatible.
6. Process-ID vs Autonomous System Number
When learning about dynamic routing protocols, there is a common mistake that is made
between the configuration of OSPF and EIGRP. When configuring OSPF, a process-id is
used to identify the routing process. This process-id is only locally significant. When
configuring EIGRP, an autonomous system number (ASN) is used to identify the routing
process. This ASN is globally significant and must match between configured EIGRP
devices.
7. EIGRP Auto-Summary
When configuring EIGRP on IOS pre-15 it was the default for EIGRP auto-summary to be
enabled. This can cause routing problems in networks where the IP addressing is not
contiguous and/or hieratical. With the release of IOS 15 the default changed so that
EIGRP auto-summary was disabled. If implementing EIGRP on IOS pre-15; ensure that
the auto-summary is configured as expected on all devices.
8. Split Horizon
A problem that can often be seen by new network engineers on multipoint WAN networks
is a problem that resulted from the default setting of split horizon. Split horizon is a loop
prevention mechanism that is used by both RIP and EIGRP on WAN interfaces. Basically,
what it does is restrict the advertisement of a network out the same interface on which it
was learned -- as long as the "best" route (for a specific network) exists out that same
interface. The problem here lies in interfaces that connect to multiple remote devices: In
this case, the setting of split horizon can prevent the advertisement of routes between
devices out the same interface. For example, if R1 connects to R2 and R3 off of the
serial0/0/0 interface; if R2 sends an advertisement to a network, R1 will not advertise this
network to R3 because it sees the advertisement coming in the serial0/0/0 interface.
9. Simple Management Network Protocol (SNMP) Communities
A common security problem occurs when someone sets up the Simple Management
Network Protocol (SNMP) with the default communities (public – Read/Only, private –
Read/Write). The alteration of these default settings is essential to maintain the security
of SNMP (versions 1 and 2c), as the community is the only real security feature built into
these versions of the protocol.
10. Switchport Security
When configuring Switchport port-security, it is important to know that the default
maximum number of hosts off of a switchport is 1. What this means is that the first host
that sends traffic will be allowed and that all other hosts traffic will be dropped by default.
Be sure to customize these default settings to the reader’s expectations before leaving
your management session
2

3. 3Anetwork.com is a world leading Cisco networking products wholesaler, we wholesale original new
Cisco networking equipments, including Cisco Catalyst switches, Cisco routers, Cisco firewalls, Cisco
wireless products, Cisco modules and interface cards products at competitive price and ship to
worldwide.
Our website: http://www.3anetwork.com
Telephone: +852-3069-7733
Email: info@3Anetwork.com
Address: 23/F Lucky Plaza, 315-321 Lockhart Road, Wanchai, Hongkong
3