Top 10 Cisco IOS Configuration Mistakes
When first becoming familiar with Cisco’s Internetwork Operating System (IOS) there are a number of different things to learn, and with this learning process there are a number of common mistakes that are made. The purpose of this article is to cover the largest of these misconfigurations (from my perspective). This list is of course subjective, but it should provide a good reference for those learning Cisco IOS.
Common Cisco IOS Configuration Mistakes
1. Password Verification
One easily made mistake comes with the way that passwords are configured with IOS. Unlike almost every other password configuration tool available, the password commands on IOS do not confirm the password being entered. Imagine getting a new piece of equipment configured and put into the field, then later when remote management is required, attempting to access the device only to learn that the password was entered incorrectly. In most cases, the only way to fix this is to have you or someone else physically on-site. Take care when configuring IOS passwords to ensure the password is entered correctly.
2. Wildcard Masks
Of the many people that learn IOS, a large number don’t quite understand the concept of a wildcard mask (or a mask generally). It can be difficult enough to learn the fundamentals of a simple subnet mask; add in access lists (ACL) and Open Shortest Path First (OSPF) configurations, and throw in wildcard masks. The thing to remember about wildcard masks is, like subnet masks, they are easier to grasp when using binary. A wildcard in binary is just the inverse of the subnet mask; e.g. the subnet mask 255.255.255.0 uses an inverse mask of 0.0.0.255.
3. Clock Rate vs Bandwidth
Another topic that is often the center of confusion when learning IOS is the difference between clock rate and bandwidth. While practically these two would seem to mean the same thing, but when configuring IOS they are used for two different tasks. The clock rate command is used to set the physical speed of an interface (typically serial interfaces). The bandwidth command is used to set the bandwidth of the interface as used by a couple of system processes, including interface statistics and routing protocol metrics. This command is not used in any way to affect the physical speed of an interface.
4. Telnet vs SSH
For those new to networking, they may not know the major difference between using Telnet or SSH (Secure Shell) to manage a device. For many IOS devices, Telnet is used as the default remote management method. The problem with this is that Telnet is not a secure management method — often IOS devices are placed into easily accessed networks and the use of Telnet makes the capture of management passwords very simple (as they are transmitted in cleartext). Always take the time to implement SSH on any production IOS device that is going to be accessed remotely.
5. Ethernet Duplex
It can be easy to overlook the Ethernet duplex setting since on many devices it is configured to be automatically selected. But when using devices that have been statically configured it is important to note that half and full duplex Ethernet connections are not compatible.
6. Process-ID vs Autonomous System Number
When learning about dynamic routing protocols, there is a common mistake that is made between the configuration of OSPF and EIGRP. When configuring OSPF, a process-id is used to identify the routing process. This process-id is only locally significant. When configuring EIGRP, an autonomous system number (ASN) is used to identify the routing process. This ASN is globally significant and must match between configured EIGRP devices.
7. EIGRP Auto-Summary
When configuring EIGRP on IOS pre-15 it was the default for EIGRP auto-summary to be enabled. This can cause routing problems in networks where the IP addressing is not contiguous and/or hieratical. With the release of IOS 15 the default changed so that EIGRP auto-summary was disabled. If implementing EIGRP on IOS pre-15; ensure that the auto-summary is configured as expected on all devices.
8. Split Horizon
A problem that can often be seen by new network engineers on multipoint WAN networks is a problem that resulted from the default setting of split horizon. Split horizon is a loop prevention mechanism that is used by both RIP and EIGRP on WAN interfaces. Basically, what it does is restrict the advertisement of a network out the same interface on which it was learned — as long as the “best” route (for a specific network) exists out that same interface. The problem here lies in interfaces that connect to multiple remote devices: In this case, the setting of split horizon can prevent the advertisement of routes between devices out the same interface. For example, if R1 connects to R2 and R3 off of the serial0/0/0 interface; if R2 sends an advertisement to a network, R1 will not advertise this network to R3 because it sees the advertisement coming in the serial0/0/0 interface.
9. Simple Management Network Protocol (SNMP) Communities
A common security problem occurs when someone sets up the Simple Management Network Protocol (SNMP) with the default communities (public – Read/Only, private – Read/Write). The alteration of these default settings is essential to maintain the security of SNMP (versions 1 and 2c), as the community is the only real security feature built into these versions of the protocol.
10. Switchport Security
When configuring Switchport port-security, it is important to know that the default maximum number of hosts off of a switchport is 1. What this means is that the first host that sends traffic will be allowed and that all other hosts traffic will be dropped by default. Be sure to customize these default settings to the reader’s expectations before leaving your management session.
These are 10 of common misconfigurations that I’ve seen over the years. Hopefully this article will help prevent young network engineers from making these same mistakes when working on production equipment.