Blog: Cisco

Be careful when setting up a new router for SSH: not all of them ship with a pre-generated RSA key pair.  If you restrict the vty lines to SSH (transport input ssh) before an RSA key has been generated, the SSH server never comes up, and you will be unable to connect to the router unless you can physically console in.  We had a router returned to us from Cisco with the basic IP feature set, which did not have SSH capability.  When we loaded the advanced IP feature set IOS, it did not create an RSA key for us.
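The safe order of operations, as an added configuration example (not from the original post): generate the key pair and verify the SSH server is up before the vty lines are locked down to SSH. The hostname, domain name, account and the sample password are assumed values.

```cisco
! Added example (not from the original post): generate the RSA key pair
! BEFORE restricting the vty lines to SSH, so the router stays reachable.
! Hostname, domain name, username and password are assumed placeholders.
hostname edge-rtr1
ip domain-name example.net
!
! The key pair is what the SSH server needs. Without it, "transport input ssh"
! leaves the vty lines with no working transport at all.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! A local account to log in with once SSH is the only transport.
username netops privilege 15 secret Fjq7-Mz2-Lk9w
!
! Only now lock the vty lines down to SSH.
line vty 0 4
 login local
 transport input ssh
!
! Verify from the still-open console session before logging out:
!   do show ip ssh                  -> must read "SSH Enabled", not "SSH Disabled"
!   do show crypto key mypubkey rsa -> the key pair generated above
```

If `show ip ssh` still reports SSH disabled and asks for RSA keys, stay on the console and generate the key pair; do not apply `transport input ssh` until it reports enabled.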


 

When adding port channels (EtherChannels) that span more than one member of a switch stack, it is advisable to upgrade to the latest IOS version first.  The most current at the time of writing is:  12.2(25)SEE3

Cross-stack EtherChannel is a very robust way of aggregating links between switch ports on the same subnet.  Because the member ports can sit on different physical switches in the stack, this configuration provides not only port redundancy but switch redundancy as well.
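A two-link bundle with one member on each of two stack switches, as an added example (not the post's own configuration). Interface numbers, VLAN list and the peer device name are assumed; the example also assumes the running IOS supports LACP across stack members.

```cisco
! Added example (not from the original post): an EtherChannel whose two
! members sit on two different switches of one stack. Interface numbers,
! VLANs and the peer name are assumed.
! Stackable Catalyst interface names are switch/module/port: Gi1/0/24 is on
! stack member 1 and Gi2/0/24 on stack member 2, so losing either member
! switch leaves the bundle up on the surviving link.
interface range GigabitEthernet1/0/24 , GigabitEthernet2/0/24
 description uplink to core-sw1 (member of cross-stack Po1)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 channel-group 1 mode active
!
! Bundle-wide settings belong on the logical interface, not on the members.
interface Port-channel1
 description cross-stack LACP bundle to core-sw1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
! Verification: both members should carry the "P" (bundled) flag under Po1,
! and the protocol column should read LACP.
!   show etherchannel 1 summary
!   show etherchannel 1 port-channel
```

`mode active` is LACP. PAgP is not supported across stack members on these stacks, so `desirable`/`auto` would not bundle; use LACP (active/active or active/passive) or a static `mode on` at both ends, and pull the uplink from one member to confirm the port channel stays up on the other.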

 

We recently started having trouble with our voicemail system failing after we rebooted our Cisco Unity server.  It turned out that every time we rebooted the Unity server, the Microsoft Message Queuing Service would hang on startup, causing the voicemail to fail.  While on the phone with Cisco technical support, we were informed that if the MSMQ folder (located on Unity at C:\WINNT\System32\msmq) gets larger than 1.5 GB, then the service will never start. We looked at it, and sure enough, it was 1.56 GB. After some trial and error of removing the files in the folder, trying to start the service, failing, and putting the files back in, he finally informed us that we would probably have to reinstall the service.

We reinstalled the Microsoft Message Queuing Service, and the voicemail system started right up. Since then, we have not had any high CPU usage problems, no extreme lagging in the voicemail system (that I know about), and hardly any delays in the administration website.


 

I needed to upgrade the Cisco IOS on a 2691 router from a 12.3 track requiring 32 MB of flash memory to a 12.4 track requiring 64 MB of flash memory.  When I looked for the current flash memory installed on the device, it reported 62592K bytes of ATA System CompactFlash (Read/Write), which divided by 1024 came out to be 61.125 MB of flash. 

I sent in a ticket to Cisco asking if I would be able to use the new image since my Flash memory showed less than what was required.  They told me that "The router has 64MB of flash memory.  Sometimes the router does not recognize the total amount of Compact Flash.  The compact flash sizes you can find for Cisco routers are: 2, 4, 8, 16, 32, 64, and 128MB.  Although the 12.4 version's minimum requirement is 64MB, the total size of the code itself does not exceed 60 MB".

The code was actually around 34 MB, so it wouldn't fit on a 32 MB flash card.  You would have to have the next available size, which is 64 MB.
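The upgrade itself, as an added example (not the post's own steps): check the free figure that `dir flash:` reports rather than the nominal card size, copy the image, and verify it against the published MD5 before booting from it. The image file names, the TFTP server address and the digest are assumed placeholders; use the digest from Cisco's download page.

```cisco
! Added example (not from the original post): sizing check, copy, integrity
! check and boot order for an IOS upgrade. Image names, TFTP server and the
! MD5 digest are assumed values.
!
! 1. Free space is what matters, not the card's nominal size. The last line
!    of "dir flash:" reads "<n> bytes total (<m> bytes free)"; the ~34 MB
!    12.4 image has to fit in the free figure.
dir flash:
!
! 2. Remove the old image only if the new one would not otherwise fit.
!    Keeping it means the router still boots if the new copy is bad.
! delete flash:c2691-ipbase-mz.123-26.bin
!
! 3. Copy the new image and check it against the published MD5 before
!    trusting it. A mismatch means a corrupt (or tampered) image: do not boot it.
copy tftp://192.0.2.10/c2691-advipservicesk9-mz.124-25d.bin flash:
verify /md5 flash:c2691-advipservicesk9-mz.124-25d.bin 0123456789abcdef0123456789abcdef
!
! 4. Boot the new image first, fall back to the old one (if kept), save, reload.
configure terminal
 no boot system
 boot system flash:c2691-advipservicesk9-mz.124-25d.bin
 boot system flash:c2691-ipbase-mz.123-26.bin
 end
write memory
reload
```

`verify /md5` with the digest on the command line prints whether the computed digest matches; without the digest argument it just prints the computed value for you to compare by eye, which is easy to get wrong on a 32-character string.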


 

In Cisco Secure ACS, dynamic users (the user records ACS creates automatically the first time someone authenticates against the external Windows database) get deleted whenever there is any change in the Windows database configuration.  In order to recalculate group membership after a mapping change, Secure ACS must purge the dynamic users.  This is a problem when you have set user-specific properties on those accounts, because the properties are lost along with the record.  One workaround is to create manually-defined users: they can still use Windows AD authentication, but won't be deleted if you reconfigure the database mappings.


 

The match statement is used in route-maps and, for QoS, in the class-maps that a policy-map references, to define the criteria a packet (or route) must meet in order to fall under the permit or deny action of a route-map entry or into a class of a policy-map.  A route-map can be roughly compared to an IF… THEN clause in programming.  Some match statements can carry multiple values on one line, like:

match ip dscp af31 af32 af33

in which case each value is OR’d with the one before it.  If any of them matches (in the statement above af31, af32 and af33 are all DSCP values an IP packet might carry), then the match is true.  The other scenario is multiple match statements on separate lines:

match ip dscp af31
match ip dscp af32

In this case, in a route-map entry or in a class-map configured as match-all (the default), every match line has to be true for the packet to be classified into that entry.  Since a packet cannot be marked af31 AND af32 at the same time, the class-map above will never match anything.  Two caveats: a class-map configured as match-any ORs its lines instead, so the two statements above would then match either value; and in a route-map, repeating the same match command on a second line does not add a second condition, because IOS appends the new value to the existing line, so it is OR’d as well.  Only match lines of different types are AND’d within one route-map entry.
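The same DSCP values classified several ways, as an added example (not from the original post), so the AND/OR behaviour is visible in the configuration rather than described; it also shows the route-map case where same-type match lines merge. Class names, ACL numbers, the interface and the bandwidth figures are assumed.

```cisco
! Added example (not from the original post): one set of DSCP values
! classified four ways. Class names, ACLs, interface and rates are assumed.
!
! 1. One match line, several values: OR. Any af3x packet matches.
class-map match-all AF3X-ONE-LINE
 match ip dscp af31 af32 af33
!
! 2. match-all (the default), one value per line: AND.
!    No packet carries two DSCP values at once, so this class stays empty.
class-map match-all AF3X-NEVER
 match ip dscp af31
 match ip dscp af32
!
! 3. match-any, one value per line: OR again, equivalent to class 1.
class-map match-any AF3X-ANY
 match ip dscp af31
 match ip dscp af32
 match ip dscp af33
!
! 4. An AND that is actually useful: different match types under match-all.
!    Only af31 traffic that also matches ACL 110 lands here.
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
class-map match-all AF31-FROM-10-1
 match ip dscp af31
 match access-group 110
!
policy-map WAN-OUT
 class AF31-FROM-10-1
  bandwidth percent 20
 class AF3X-ANY
  bandwidth percent 10
 class AF3X-NEVER
  police 8000 conform-action transmit exceed-action drop
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-OUT
!
! Route-map counterpart: two lines of the SAME match type are merged by IOS
! into one OR'd line ("match ip address 10 20" in the running config);
! only the different match type (length) is AND'd with it.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 20 permit 10.1.2.0 0.0.0.255
route-map PBR-EXAMPLE permit 10
 match ip address 10
 match ip address 20
 match length 0 1500
 set ip next-hop 192.0.2.1
!
! Check: "show policy-map interface Serial0/0" gives per-class packet counts;
! AF3X-NEVER should stay at zero while AF3X-ANY counts up.
```

The practical check is `show running-config` after entering the route-map: if the two `match ip address` lines have collapsed into one, they are OR'd, which is what you want for "either prefix list" and not what you want if you meant "both".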


 

As of IOS 12.3(1), Cisco added support for enforcing a minimum password length and for generating a syslog message after a specified number of failed login attempts.  Enabling these commands will help banks comply with regulations and their own policies, as well as improve the security of their Cisco IOS devices.  I have not found similar commands for CatOS or PIX OS yet.

security passwords min-length <length>

  • Global configuration command that sets the minimum length for user, enable, and line passwords.  It is enforced on passwords configured after the command is entered; shorter passwords already in the configuration are not rejected retroactively, so re-enter any that fall below the new minimum.
  • Default is six, but it should be configured according to bank policies.


security authentication failure rate <threshold-rate> log

  • Global configuration command that sets the number of failed login attempts after which the router generates a syslog message and enforces a 15-second delay before another attempt is accepted.
  • Threshold value can be 2-1024.  A value of 1 will not generate any syslog messages.  Default is 10, but it should comply with bank policies.
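Both commands applied to a router, as an added example (not from the original post), with the weak setting shown commented out beside the corrected one. The lengths, threshold, syslog host, account name and sample passwords are assumed values, not policy figures from the post.

```cisco
! Added example (not from the original post): the two 12.3(1) commands with
! a weak setting beside the corrected one. Lengths, threshold, syslog host,
! account and passwords are assumed placeholders.
configure terminal
!
! Weak: six characters (the length the post gives as the default).
! security passwords min-length 6
! Corrected: policy-driven minimum. Applies to enable, username and line
! passwords configured from this point on, not to ones already present.
security passwords min-length 10
!
! Weak: ten failures before anything is logged.
! security authentication failure rate 10 log
! Corrected: log, and impose the 15-second delay, after the third failure.
security authentication failure rate 3 log
!
! Passwords entered after the command are checked against the minimum;
! a five-character secret here would now be rejected. Existing secrets that
! are shorter than the new minimum must be re-entered to be covered.
enable secret Fjq7-Mz2-Lk9w
username netops privilege 15 secret Quv8-Rn3-Xa2pz
!
! Send the failure-rate messages somewhere they will be read, not only to
! the local buffer. Severity level here is an assumption; set it low enough
! to include the login-failure messages.
logging host 192.0.2.50
logging trap informational
end
!
! Verify:
!   show running-config | include ^security
!   show logging        (failure messages appear after the threshold is hit)
```

The verification line matters because neither command produces output when entered; `show running-config | include ^security` is the quickest way to confirm both survived a `write memory` and were not overwritten by a later template push.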