Jaycee's Networking

May 3, 2009

IOS Tips

Filed under: IOS, Security — Tags: — Jaycee @ 6:29 am

1. For lab convenience:

    no service timestamps
    line con 0
        logging synchronous
        exec-timeout 0 0

(1) no service timestamps disables timestamps for both debug and log messages.
(2) line con 0 is the console port; it appears in the output of the show line command as CTY.
(3) logging synchronous, used in line configuration mode, synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.
(4) exec-timeout minutes [seconds] sets the interval that the EXEC command interpreter waits until user input is detected. A value of 0 0 disables the timeout, so the console session never times out.

2. Use the reload command to get out of a jam:

    Router#reload in 3
    Reload scheduled in 3 minutes
    Proceed with reload? [confirm]y
    Router#reload cancel

3. Stopping the router from trying to telnet:

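By default, a mistyped command is treated as a hostname and the router tries to resolve it:

    Translating "shwo"...domain server (
    % Unknown command or computer name, or unable to find computer address

Set transport preferred none on the console and vty lines:

    line con 0
        transport preferred none
    line vty 0 5
        transport preferred none

After that, a typo is rejected immediately:

    % Invalid input detected at '^' marker.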

4. Allow important ICMP traffic on ACL, and deny others:

    ! allow pings into the network
    access-list 110 permit icmp any any echo
    ! allow ping responses
    access-list 110 permit icmp any any echo-reply
    ! allow ICMP source-quench 
    access-list 110 permit icmp any any source-quench
    ! allow path MTU discovery
    access-list 110 permit icmp any any packet-too-big
    ! allow time-exceeded, which is useful for traceroute
    access-list 110 permit icmp any any time-exceeded
    ! deny all other ICMP packets
    access-list 110 deny icmp any any

*Source Quench requests the sender to decrease the traffic rate of messages to a router or host. This message may be generated if the router or host does not have sufficient buffer space to process the request, or may occur if the router or host’s buffer is approaching its limit.
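To check which ICMP messages access list 110 above actually passes, this added example (not part of the original post) parses the same entries and applies first-match evaluation to a few constructed packets. The type/code numbers are the standard ICMP values for those IOS message names; the function names are hypothetical, and only the `any any` ICMP entries shown above are modelled.

```python
# Added example: IOS message names -> (ICMP type, code); code None = any code.
ICMP_NAMES = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "source-quench": (4, None),
    "packet-too-big": (3, 4),      # "fragmentation needed", used by path MTU discovery
    "time-exceeded": (11, None),
}

ACL_110 = """\
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
"""

def parse_acl(text):
    """Return ordered (action, icmp_type, icmp_code); type None matches any ICMP."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue  # blank line or IOS comment
        # Expected: access-list <num> <action> icmp any any [message-name]
        if len(tok) < 6 or tok[0] != "access-list" or tok[3:6] != ["icmp", "any", "any"]:
            raise ValueError(f"unsupported entry: {line!r}")
        icmp_type, icmp_code = ICMP_NAMES[tok[6]] if len(tok) > 6 else (None, None)
        entries.append((tok[2], icmp_type, icmp_code))
    return entries

def evaluate(entries, icmp_type, icmp_code):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, t, c in entries:
        if t is None or (t == icmp_type and (c is None or c == icmp_code)):
            return action
    return "deny"

# Constructed sample packets: (label, ICMP type, ICMP code)
SAMPLES = [("echo request", 8, 0), ("echo reply", 0, 0),
           ("fragmentation needed", 3, 4), ("host unreachable", 3, 1),
           ("TTL exceeded in transit", 11, 0), ("redirect", 5, 1)]

if __name__ == "__main__":
    acl = parse_acl(ACL_110)
    for label, t, c in SAMPLES:
        print(f"{evaluate(acl, t, c):6} type={t:<2} code={c}  {label}")
```

Note that the list permits only the packet-too-big code of type 3, so other destination-unreachable messages (such as host unreachable) are dropped by the final deny.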

5. Allow DNS access from your hosts to the outside DNS server:

    access-list 110 permit udp host eq domain any gt 1023
    access-list 110 permit udp host eq domain any gt 1023

*Outside DNS servers: and

6. Editing keys for command-line:

Ctrl-A      Goes to the beginning of the line
Ctrl-E      Goes to the end of the line
Ctrl-K      Deletes everything to the right of the cursor

7. Always set the bandwidth on serial link:

The default bandwidth on a serial interface is 1.544 Mbps (T1), so setting the bandwidth on serial links is always a good idea if the link is not a T1.

    interface serial0
        description This is a 56k link
        bandwidth 56

8. Set timezone:

    clock timezone PST -8
    clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00


