Blog: Router

We have struggled with CRC errors on routers with 2 frame relay circuits connected to a dual channel T1 card. The CRC errors seemed to occur only on the newly added secondary port on the card, and connectivity was intermittent. In working with Cisco, I have learned that both ports' default clock is set to ‘line’, which gets the clocking from the ISP. When both ports are set to ‘line’, they both battle to keep up with the clocking. To fix this problem, set the clock source on one of the T1 controllers to ‘internal’. This tells the port to get clocking from the other port configured as ‘line’.


 

Be careful when setting up a new router to use SSH: not all of them come with pre-generated RSA keys. If you set the input on the router to use SSH and do not have an RSA key generated, you will be unable to connect to the router unless you can physically console in. We had a router returned to us from Cisco with the basic IP feature set, which did not have SSH capability. When we loaded the advanced IP feature set IOS, it did not create an RSA key for us.


 

I needed to upgrade a Cisco IOS on a 2691 Router from a 12.3 track requiring 32 MB of flash memory to a 12.4 track requiring 64 MB of flash memory.  When I looked for the current flash memory installed on the device, it reported 62592K bytes of ATA System CompactFlash (Read/Write) which divided by 1024 came out to be 61.125 MB of RAM. 

I sent in a ticket to Cisco asking if I would be able to use the new image since my Flash memory showed less than what was required.  They told me that "The router has 64MB of flash memory.  Sometimes the router does not recognize the total amount of Compact Flash.  The compact flash sizes you can find for Cisco routers are: 2, 4, 8, 16, 32, 64, and 128MB.  Although the 12.4 version's minimum requirement is 64MB, the total size of the code itself does not exceed 60 MB".

The code was actually around 34 MB, so it wouldn't fit on a 32 MB flash card. You would need the next available size, which is 64 MB.


 

As of IOS 12.3(1), Cisco introduced support for enforcing a minimum number of password characters and sending a syslog message after a specified number of failed login attempts.  Enabling these commands will help banks comply with regulations and their own policies as well as improve the security of their Cisco IOS devices.  I have not found similar commands for CatOS or PIX OS yet.

security passwords min-length <length>

  • global command that sets the minimum password length for user, enable, and line passwords.
  • Default is six, but it should be configured according to bank policies.


security authentication failure rate <threshold-rate> log

  • global command that sets the number of failed login attempts (without at least a 15-second delay) before a syslog message is generated
  • Threshold value can be 2-1024.  A value of 1 will not generate any syslog messages.  Default is 10, but should comply with bank policies.
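
To check saved configurations against policy, the script below looks for the two commands above and compares their values with policy thresholds. It is an added example, not part of the original post or Cisco tooling; the sample config, the policy values (8 characters, 5 failures) and the function name are constructed for illustration, and it assumes the running config shows both commands in the form given above.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
hostname branch-rtr01
security passwords min-length 6
security authentication failure rate 10 log
line vty 0 4
 transport input ssh
"""

# Assumption: the running config shows both commands in the form given in the post.
MIN_LEN_RE = re.compile(r"^security passwords min-length (\d+)\s*$", re.M)
FAIL_RATE_RE = re.compile(r"^security authentication failure rate (\d+) log\s*$", re.M)


def audit(config, policy_min_length, policy_max_failures):
    """Return findings for the two commands; an empty list means policy is met."""
    findings = []

    m = MIN_LEN_RE.search(config)
    if m is None:
        findings.append("min-length: command not present")
    elif int(m.group(1)) < policy_min_length:
        findings.append(f"min-length: {m.group(1)} is below policy minimum {policy_min_length}")

    m = FAIL_RATE_RE.search(config)
    if m is None:
        findings.append("failure-rate: command not present (or 'log' keyword missing)")
    else:
        rate = int(m.group(1))
        if not 2 <= rate <= 1024:
            # The post gives 2-1024 as the valid range; 1 produces no syslog message.
            findings.append(f"failure-rate: {rate} is outside the valid range 2-1024")
        elif rate > policy_max_failures:
            findings.append(f"failure-rate: {rate} exceeds policy maximum {policy_max_failures}")
    return findings


if __name__ == "__main__":
    # Hypothetical policy: passwords of at least 8 characters, log after 5 failures.
    for finding in audit(SAMPLE_CONFIG, policy_min_length=8, policy_max_failures=5):
        print(finding)
```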