Wednesday, 29 November 2017

Voice Over WLAN Best Practices

VoWLAN deployments can be challenging - VoIP already imposses strict criteria on the network conditions to facilite good call quality & WiFi itself poses additional challenges. Given that a wireless channel is a shared medium, potentially subject to interference from other devices & that the transmit time on a WiFi device is highly variable due to the nature of CSMA/CA, this is a recipe for jitter & packet loss.
Cisco publish a number of guidelines for VoWLAN success, albeit spread across multiple documents, so below is a summary of some of the main points:

  • Maximum of 15 or 20 associated devices per AP.
  • 5GHz is strongly preferred.
  • Noise levels should not exceed -92 dBm with a signal-to-noise ratio (SNR) of 25 dB.
  • Signal strength should be -67 dBm or better per AP.
  • Minimum 20 to 30 percent overlap of adjacent access points with non-overlapping channels must be considered during design site survey.
  • Packet error rate (PER) should not exceed 1%, jitter should be <100 ms & retries should be < 20%.
  • To avoid one-way audio issues resulting from different power settings between Wi-Fi IP phones & access points, World mode (IEEE 802.11d) should be configured.
  • Traffic Specification (TSPEC) must be enabled for CAC on APs & Platinum QoS for the VoWLAN SSID.
  • Channel utilization levels should be kept below 50 percent.
  • Cisco Compatible Extensions (CCX) should be enabled on wireless infrastructure, where possible.
  • Set the Beacon interval to 100 ms.
  • A DTIM of 2 is recommended where possible to save battery life on the IP phones.
  • WPA2/AES Enterprise with CCKM or 802.11r is recommended for 792x phones to avoid the need for a complete 802.1x re-authentication when roaming.
Some further useful Cisco documentation can be found in the Enterprise Mobility 8.1 Design Guide, Voice Over Wireless LAN (VoWLAN) Troubleshooting Checklist & the excellent Cisco Live presentation Voice over WiFi - Deployment Recommendations and Best Practices (BRKEWN-2000).

Monday, 13 November 2017

CUBE Template

This is the last of a planned series of templates. It provides a baseline template for a CUBE handling a SIP trunk from CUCM to the PSTN. Given that different vendor's SIP implementations vary, adjustments are likely to be needed, such as altering the headers via sip-profiles. Inline commentary explains various settings.

!
! Disable unnecessary services
no ip source-route
!
! Don't use ip options drop if you're using RSVP
! Don't use no service dhcp if you're using DHCP Relay
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable password encryption, TCP keepalives & faster config viewing
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
parser config cache interface
!
! Enable buffer overflow detection & correction
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Optimise TFTP transfers
ip tftp blocksize 8192
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable voice Internal Error Codes to syslog
voice iec syslog
!
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Enable DSP farm
voice-card 0
 dsp services dspfarm
!
voice rtp send-recv
!
voice service voip
 !
 ! Restrict call setup messages to trusted IP addresses
 ip address trusted list
  ipv4 1.2.3.4 255.255.255.255
  ipv4 1.2.3.5 255.255.255.255
 !
 ! Best practice settings
 mode border-element license capacity 100
 address-hiding
 dtmf-interworking standard
 allow-connections sip to sip
 supplementary-service h450.12
 no supplementary-service sip moved-temporarily
 no supplementary-service sip refer
 !
 ! T38 fax relay
 fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw
 fax-relay sg3-to-g3
 h323
  h225 display-ie ccm-compatible
  call preserve
 sip
  asserted-id pai
  no update-callerid
  header-passing error-passthru
  early-offer forced
  privacy-policy passthru
  mid-call-signaling passthru
  sip-profiles 100
!
voice class codec 1
 codec preference 1 g711alaw
 codec preference 2 g711ulaw
!
!
! Normalise SIP messages to remove display names & remove video attributes
voice class sip-profiles 100
 request ANY sip-header From modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sip-header Remote-Party-ID modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sip-header P-Asserted-Identity modify "\"(.*)\" <sip:(.*)@(.*)>" "\"\2\" <sip:\2@\3>"
 request ANY sdp-header Connection-Info remove
 response ANY sdp-header Connection-Info remove
 request ANY sdp-header Video-Attribute remove
 request ANY sdp-header Video-Session-Info remove
 request ANY sdp-header Video-Bandwidth-Info remove
 request ANY sdp-header Video-Connection-Info remove
 request ANY sdp-header Video-Media modify "m=video(.*)" ""
!
! Strip outside dialling prefix
voice translation-rule 1
 rule 1 /^9\(.+\)/ /\1/
!
!
voice translation-profile SIP-OUT
 translate called 1
!
! Simple QoS configuration
class-map match-any VoIP-Signal
 match ip dscp cs3  af31
class-map match-any VoIP-Media
 match ip dscp ef
!
policy-map VoIP
 class VoIP-Media
  priority percent 33
 class VoIP-Signal
  bandwidth percent 5
 class class-default
  fair-queue
!
interface GigabitEthernet0/0
 description ## WAN Interface ##
 ip address x.x.x.x 255.255.255.192
 duplex auto
 speed auto
 service-policy output VoIP
!
interface GigabitEthernet0/1
 description ## LAN Interface ##
 ip address y.y.y.y 255.255.255.0
 duplex auto
 speed auto
 service-policy output VoIP
!
! Required to receive multicast MoH
ccm-manager music-on-hold
!
mgcp profile default
!
! Template dial-peers
dial-peer voice 1 voip
 description ## SIP Trunk ##
 translation-profile outgoing SIP-OUT
 destination-pattern 9.+
 session protocol sipv2
 session target ipv4:1.2.3.4
 incoming called-number 0.+
 voice-class codec 1 
 voice-class sip dtmf-relay force rtp-nte
 voice-class sip bind control source-interface GigabitEthernet0/0
 voice-class sip bind media source-interface GigabitEthernet0/0
 !
 ! Use keepalives if the SIP trunk supports it
 voice-class sip options-keepalive
 dtmf-relay rtp-nte
 ip qos dscp cs3 signaling
 no vad
!
dial-peer voice 2 voip
 description ## DIDs to Subscriber ##
 destination-pattern 0.+
 session protocol sipv2
 session target ipv4:1.2.3.4
 incoming called-number 9.+
 voice-class codec 1 
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 !
 ! Solves problems with SCCP phones that don't support RFC2833
 dtmf-relay rtp-nte sip-kpml
 ip qos dscp cs3 signaling
 no vad
!
dial-peer voice 3 voip
 description ## DIDs to Publisher ##
 destination-pattern 0.+
 preference 1
 session protocol sipv2
 session target ipv4:1.2.3.5
 incoming called-number 9.+
 voice-class codec 1 
 voice-class sip bind control source-interface GigabitEthernet0/1
 voice-class sip bind media source-interface GigabitEthernet0/1
 !
 ! Solves problems with SCCP phones that don't support RFC2833
 dtmf-relay rtp-nte sip-kpml
 ip qos dscp cs3 signaling
 no vad
!
! Set SIP timers & retries
sip-ua
 no remote-party-id
 retry invite 3
 retry register 3
 retry bye 3
 retry cancel 3
 !
 ! connection-reuse seems to break SIP CME/SRST, disable if necessary
 connection-reuse
 host-registrar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15

Monday, 23 October 2017

MGCP / SRST Template

This is the fourth in a planned series of templates. It provides a baseline template for an MGCP gateway with basic SRST (i.e. not CME in SRST mode). The MGCP configuration in CUCM should match, so be sure to update both the CLI & GUI with the correct switch type, framing, cptone/network locale, etc. for your deployment. Inline commentary explains various settings.
 
!
! Disable unnecessary services
no ip source-route
!
! Don't use ip options drop if you're using RSVP
! Don't use no service dhcp if you're using DHCP Relay
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable password encryption, TCP keepalives & faster config viewing
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
parser config cache interface
!
! Enable CDP & LLDP
cdp run
lldp run global
!
! Optimise TFTP transfers
ip tftp blocksize 8192
!
! Enable buffer overflow detection & correction
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable voice Internal Error Codes to syslog
voice iec syslog
!
! Enable SSH v2, reduce SSH session establish timeout & create 2048 bit SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! ISDN settings
card type e1 0 0
!
! ISR G1 & G2 clocking commands
network-clock-participate wic 0
network-clock-select 1 e1 0/0/0
!
! 4000 series clocking commands
network-clock synchronization automatic
network-clock input-source 1 controller E1 0/1/0
!
isdn switch-type primary-net5
!
controller E1 0/0/0
 pri-group timeslots 1-31 service mgcp
 !
 ! 4000 series clocking command
 clock source line primary
!
! Enable B channel negotiation
interface Serial 0/0/0:15
 isdn negotiate-bchan
!
! Example 6-digit translations
voice translation-rule 1
 rule 1 /^25\(2...\)/ /\1/
 rule 2 /^75\(3...\)/ /\1/
!
voice translation-rule 2
 rule 1 /^\(2...\)$/ /0130525\1/
 rule 2 /^\(3...\)$/ /0130575\1/
 rule 3 /^....$/ /01305252600/
!
voice translation-rule 3
 rule 1 /\(.*\)/ /90\1/
!
voice translation-rule 4
 rule 1 /^9/ //
!
voice translation-profile PSTN_In
 translate calling 3
 translate called 1
!
voice translation-profile PSTN_Out
 translate calling 2
!
voice-port 0/0/0:15
 translation-profile outgoing PSTN_Out
 translation-profile incoming PSTN_In
 echo-cancel coverage 64
 bearer-cap Speech
 cptone GB
!
! Enable MGCP fallback & related settings
application
 global
  service alternate Default
 !
!
ccm-manager fallback-mgcp
ccm-manager redundant-host 10.10.10.240
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager switchback graceful
!
! Tweaked MGCP parameters, such a QoS & DTMF relay
mgcp
mgcp dtmf-relay voip codec all mode out-of-band
mgcp call-agent 10.10.10.243 2427 service-type mgcp version 0.1
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
mgcp package-capability sst-package
mgcp package-capability pre-package
no mgcp package-capability res-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp ip qos dscp cs3 signaling
!
! Improves T38 reliability
no ccm-manager fax protocol cisco
no mgcp fax t38 inhibit
mgcp package-capability fxr-package
mgcp default-package fxr-package
no mgcp fax t38 ecm
mgcp fax t38 nsf 000000
!
mgcp profile default
!
! Enable SIP to SIP calls and SIP registrar
voice service voip
 allow-connections sip to sip
 sip
  bind control source-interface x
  bind media source-interface x
  registrar server
!
sip-ua
 host-registrar
!
! Minimal dial plan
dial-peer voice 1 pots
 description Calls to or from the PSTN
 destination-pattern 9T
 incoming called-number .T
 direct-inward-dial
 port 0/0/0:15
!
dial-peer voice 2 pots
 description Emergency services
 destination-pattern 9999
 port 0/0/0:15
 forward-digits 3
!
dial-peer voice 3 pots
 description Emergency services
 destination-pattern 9112
 port 0/0/0:15
 forward-digits 3
!
! Minimal SCCP SRST config
call-manager-fallback
 secondary-dialtone 9
 max-conferences 4 gain -6
 transfer-system full-consult
 timeouts interdigit 5
 ip source-address x.x.x.x port 2000
 max-ephones 52
 max-dn 104 dual-line
 keepalive 20
 time-zone 21
 time-format 24
 date-format dd-mm-yy
 transfer-pattern .T
 call-forward pattern .T
!
! Minimal SIP SRST config
voice register global
 timeouts interdigit 5
 max-dn 104
 max-pool 52
 timezone 21
 time-format 24
 date-format D/M/Y
 network-locale GB
!
! Allow SIP phones from specified network to register
voice register pool 1
 id network x.x.x.x mask 255.255.255.0
 dtmf-relay sip-kpml
 codec g711ulaw
 no vad
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15

Thursday, 21 September 2017

Troubleshooting Causes of "host not found" Error When Using Extension Mobility or Phone Services

There's several common causes for a phone to display "host not found" when pressing the Services or Directories buttons, or accessing Extension Mobility. Contrary to what the error message implies, often it's not actually a DNS issue that's the cause. Phone services rely on HTTP or HTTPS, with services hosted by CUCM handled by the Tomcat web server & using TCP ports 8080 or 8443.

First of all it's important to understand which server the phone is trying to access, as the default services built into CUCM use a load balancing mechanism by default, a detailed explanation of which can be found in the SRND. In summary by default built in services (i.e. service URLs starting Application:) use HTTPS & use a load balancing mechanism so that the phone will rewrite the service URL to point to the CUCM server with which it is currently registered.

DNS
DNS is only an issue if the service URL contains an FQDN or hostname, or in the case of built in services, if the Servers in CUCM are defined as an FQDN or hostname. Confirm that the phone actually has DNS servers configured, that these DNS servers are reachable & can resolve the FQDN or hostname.

SSL
You can confirm whether a service will be accessed via HTTPS by looking at the configuration to see if a Secure Service URL has been set, or for built in services, if the phone's configuration file contains <phoneServices useHTTPS="true">. This will allow you to confirm which port the phone will try to use to access the service.

Web Server
Check if the web server is inaccessible, try telnetting to the relevant port or viewing the service URL. For CUCM's built in services, also confirm that the Tomcat service is running on the relevant server.

Certificate Trust
If the web server's certificate isn't present in the phone's ITL/CTL file, the inability to verify the certificate can cause the host not found error.
Confirm that the phone has learnt TFTP server addresses via DHCP option 150 or manual configuration, otherwise it won't be able to update its configuration & may be caching out of date ITL/CTL files.
For certificates that aren't in the ITL/CTL, the phone should attempt to contact the Trust Verification Service on CUCM via TCP port 2445. If the TVS service isn't enabled or isn't running, or cannot be reached then certificate verification will fail. Note that the TVS service also uses a certificate that must in the ITL for the phone to trust it.

Phone Logs
The phone's logs provide insight into what's happening, for example failure to access the TVS service will show up in the logs. Accessing these logs requires that the phone's web server is enabled, which isn't the case by default in CUCM. Also network settings, such as DNS or TFTP server(s) can be verified via the phone's web server.

Thursday, 17 August 2017

ASA Template

This is the third in a planned series of templates. It provides a baseline template for ASA configuration prior to customisation, such as ACLs, routing protocols, NAT, VPNs, etc. Not all commands will apply, such as tweaking the TCP MSS if you're using VPNs, or disabling denied connection logging. So don't just copy & paste the whole lot without confirming. Inline commentary explains various settings.

!
! Enable jumbo frames support (requires reboot), then tweak  MTU on interface where jumbo frame are to be used
jumbo-frame reservation
mtu inside 1500
!
! Enable SSH v2 & restrict admin access
hostname [name]
domain-name [domain name]
crypto key generate rsa modulus 2048
ssh version 2
ssh x.x.x.x y.y.y.y [interface name]
http x.x.x.x y.y.y.y [interface name]
!
! Enable management access across a VPN
management-access INSIDE
!
! Disable deprecated SSL encryption
no ssl encryption des-sha1  rc4-sha1
!
! Define an admin user, configure local authentication (ideally use RADIUS/TACACS+) & set 15 minute session timeout
username [user] password [password] privilege 15
aaa authentication ssh console LOCAL 
aaa authentication serial console LOCAL
telnet timeout 15
ssh timeout 15
console timeout 15
!
! Set correct time zone & configure multiple NTP servers via DNS
dns domain-lookup [outside interface]
dns server-group DefaultDNS
 name-server 208.67.220.220
 name-server 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org prefer
ntp server 1.uk.pool.ntp.org
!
! Enable logging to syslog server & adjust ASDM logging to reduce CPU load
logging enable
logging timestamp
logging buffer-size 16384
logging host [interface name] x.x.x.x
logging trap critical
logging history errors
logging queue 2048 
logging asdm warning 
logging asdm-buffer-size 512 
asdm history enable
!
! Define a login banner
banner login ************************************************************************
banner login You have logged on to a [COMPANY] proprietary device.
banner login This device may be used only for the authorized business purposes 
banner login of [COMPANY]. Anyone found using this device or its information for 
banner login any unauthorized purpose may be subject to disciplinary action 
banner login and/or prosecution.
banner login ************************************************************************
!
! Disable high volume logging to reduce CPU load:
! Build TCP Connection
no logging message 302013
! Teardown TCP Connection
no logging message 302014
! Deny udp reverse path check
no logging message 106021
! Bad TCP hdr length
no logging message 500003
! Denied ICMP type=0, no matching session
no logging message 313004
! No matching connection for ICMP error message
no logging message 313005
! Inbound TCP connection denied outside Firewall Access
no logging message 106001
! Inbound UDP connection denied outside Firewall Access
no logging message 106006
no logging message 106007
!
! Enable basic threat detection but disable statistics
threat-detection basic-threat
no threat-detection statistics
!
! Enable ICMP echo & unreachable, but rate limit unreachables
icmp unreachable rate-limit 10 burst-size 5
icmp permit any echo [outside interface]
icmp permit any echo-reply [outside interface]
icmp permit any unreachable [outside interface]
icmp permit any echo [inside interface]
icmp permit any echo-reply [inside interface]
icmp permit any unreachable [inside interface]
!
! Allow tracert & MTU path discovery to work through the ASA + RFC2827 anti-spoofing for outside interface (note 224.0.0.0/4 used by IGP routing protocols)
access-list OUTSIDE-IN extended deny ip 10.0.0.0 0.0.0.255 any
access-list OUTSIDE-IN extended deny ip 172.16.0.0 0.0.15.255 any
access-list OUTSIDE-IN extended deny ip 192.168.0.0 0.0.255.255 any
access-list OUTSIDE-IN extended deny ip 0.0.0.0 0.0.0.255 any
access-list OUTSIDE-IN extended deny ip 127.0.0.0 0.0.0.255 any
access-list OUTSIDE-IN extended deny ip 169.254.0.0 0.0.255.255 any
access-list OUTSIDE-IN extended deny ip 224.0.0.0 0.0.0.15 any
access-list OUTSIDE-IN extended deny ip 239.0.0.0 0.0.0.255 any
access-list OUTSIDE-IN extended deny ip 240.0.0.0 0.0.1.255 any
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit icmp any any parameter-problem
access-list OUTSIDE-IN extended permit icmp any any source-quench
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface [outside interface]
!
! Adjust TCP maximum segment size (default is 1380, depends on VPN encapsulations in use) & disable TCP resets
sysopt connection tcpmss 1420
sysopt connection tcpmss minimum 0
no service resetinbound
no service resetoutside
!
! Permit ARP for subnets there aren't interfaces for (to present them via NAT)
arp permit-nonconnected
!
! Set ISAKMP identity to ASA's IP address, don't use if using certificate authenticated site to site VPNs
crypto isakmp identity address
!
! Allow hairpin NAT
same-security-traffic permit intra-interface
!
! Discard routes for RFC1918 summary addresses so as not to forward out via default route
route Null0 10.0.0.0 255.0.0.0
route Null0 172.16.0.0 255.240.0.0
route Null0 192.168.0.0 255.255.0.0
!
! Enable reverse path filtering, may cause some routing headaches
ip verify reverse-path interface [outside interface]
ip verify reverse-path interface [inside interface]
!
! ASA 5500-X kludge so the IPS can use an IP address from the inside interface subnet via the Management0/0 interface (which must be connected to the inside switch)
interface Management0/0
 no nameif
 security-level 0
 no ip address
 management-only
!
! Tune DNS inspection parameters
policy-map type inspect dns custom_dns_map
 parameters
  message-length maximum 1280
  dns-guard
  protocol-enforcement
  no nat-rewrite
  no id-randomization
  no tsig enforced
  no id-mismatch
!
! Consider disabling unnecessary inspects
policy-map global_policy
 class inspection_default
! These inspects are the bare minimum
  inspect dns custom_dns_map
  inspect ftp
  inspect icmp
  inspect icmp error
  inspect pptp
  inspect ipsec-pass-thru
  inspect ip-options
! These may not be needed, SIP inspect is very commonly required though
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Sunday, 6 August 2017

Internet Facing Router Template

This is the second in a planned series of templates. It provides a baseline template for router configuration prior to customisation, such as ACLs, routing protocols, QoS etc. Not all commands will work on all models of routers or all versions of IOS, so don't just copy & paste the whole lot without confirming. Inline commentary explains various settings.

!
! Disable unnecessary services, including CDP/LLDP (alternatively only enable them on the inside interface)
no ip source-route
!
! Don't use ip options drop if you're using RSVP
! Don't use no service dhcp if you're using DHCP Relay
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no lldp run global
no cdp run
no mop enabled
no service pad
!
! Enable password encryption, TCP keepalives & faster config viewing
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
parser config cache interface
!
! Optimise TFTP transfers
ip tftp blocksize 8192
!
! RFC2827 anti-spoofing for outside interface (note 224.0.0.0/4 used by IGP routing protocols)
ip acccess-list extended OUTSIDE-IN
 deny ip 10.0.0.0 0.0.0.255 any
 deny ip 172.16.0.0 0.0.15.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 0.0.0.0 0.0.0.255 any
 deny ip 127.0.0.0 0.0.0.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 224.0.0.0 0.0.0.15 any
 deny ip 239.0.0.0 0.0.0.255 any
 deny ip 240.0.0.0 0.0.1.255 any
 permit ip any any
!
! Rate limit ICMP unreachables, disable ICMP redirects & directed broadcasts on the outside interface
ip icmp rate-limit unreachable 100
interface GigabitEthernet0/0
 description ## Outside interface ##
 no ip redirects
 no ip directed-broadcast
 ip access-group OUTSIDE-IN in
!
! Discard routes for RFC1918 summary addresses, so as not to forward out the default route
ip route 10.0.0.0 255.0.0.0 null0
ip route 172.16.0.0 255.240.0.0 null0
ip route 192.168.0.0 255.255.0.0 null0
!
! Enable buffer overflow detection & correction
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes
of [COMPANY]. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15

Thursday, 13 July 2017

Switch Configuration Template

This is the first in a planned series of templates. It provides a baseline template for switch configuration prior to customisation, such as port-security, routing protocols, QoS etc. Not all commands will work on all models of switches or all versions of IOS, so don't just copy & paste the whole lot without confirming. Inline commentary explains various settings.

!
! For switches that support it, set SDM template to match intended role. Templates vary between models & a reboot is required
sdm prefer {access | default | routing | vlan} 
!
! Disable unnecessary services
no ip source-route
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip identd
no service config
no mop enabled
no service pad
!
! Enable CDP & LLDP
cdp run
lldp run
!
! Enable routing if required
ip routing 

no ip source-route
!
! Enable password encryption & faster config viewing
service password-encryption
parser config cache interface
!
! Optimise TFTP transfers & EtherChannel load balancing
ip tftp blocksize 8192
port-channel load-balance src-dst-ip
!
! If using DHCP Snooping disable DHCP option 82 insertion
no ip dhcp snooping information option
!
! Enable log time stamps with the timezone & logging to a syslog server
service timestamps debug datetime msec
service timestamps log datetime localtime msec show-timezone
logging buffered 16384
logging host x.x.x.x
!
! Enable SSH v2, reduce SSH session establish timeout & create SSH key
hostname [name]
ip domain-name [domain name]
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
!
! Block logins for 5 minutes after 4 failed attempts within 2 minutes, also log login attempts
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
! Define a login banner
banner login ^
************************************************************************
You have logged on to a [COMPANY] proprietary device.

This device may be used only for the authorized business purposes 
of [COMPANY]. Anyone found using this device or its information for 
any unauthorized purpose may be subject to disciplinary action 
and/or prosecution.
************************************************************************
^
!
! Define an admin user, configure local authentication & authorisation (ideally use RADIUS/TACACS+)
username [user] privilege 15 secret [password]
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
!
! Set VTP to transparent unless the LAN uses VTP
vtp domain UNUSED
vtp mode transparent
!
! Match the LAN's STP settings
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree pathcost method long
!
! BPDU Guard on by default & create parking VLAN
spanning-tree portfast bpduguard default
vlan 999
 name PARKING
!
! Enable notification of MAC address flapping
mac address-table notification mac-move
!
! Assign unused ports as access ports to VLAN 999
interface range Ethernet0/0 - Ethernet0/2
 description ## Unused Port ##
 switchport access vlan 999
 switchport mode access
 speed auto
 duplex auto
!
! Assign trunks' native VLAN to 999 & disable DTP
interface Ethernet0/3
 description ## Trunk to Something ##
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 speed auto
 duplex auto
!
! Set correct time zone & configure multiple NTP servers via DNS
ip name-server 208.67.220.220 208.67.222.222
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp update-calendar
!
! Restrict vty access to SSH & set 15 minute timeout on console & vty
ip access-list standard VTY-IN
 permit x.x.x.x x.x.x.x
line con 0
 logging synchronous
 transport preferred none
 exec-timeout 15
line vty 0 15
 logging synchronous
 transport preferred none
 transport input ssh
 access-class VTY-IN in
 exec-timeout 15