Configuring for Manageability II -- Best Practices
Configure ipx ping-default novell, so you can ping both routers and recent Novell servers using user-mode IPX PING.
ISL VLAN Subinterface Numbering
When you configure ISL VLANs on a FastEthernet subinterface on a router, set the subinterface number to match the VLAN number. That is one less pair of numbers to keep track of.
IP GRE Tunnels
The routers do some "sanity checking": the tunnel source address at one end must match the tunnel destination address configured at the other end, or the tunnel will not come up. Suggestion: when you configure a tunnel, specify the tunnel source as an IP address rather than as an interface name. It is then easier to visually pair it with the destination address configured at the other end of the tunnel, and easier to troubleshoot.
To prevent some simple Denial of Service (DoS) attacks, configure:
no service tcp small-servers
no service udp small-servers
The interface command
no ip directed-broadcast
blocks directed broadcasts to directly connected subnets on that interface only. Directed broadcasts that are being routed to remote subnets are still forwarded through that same interface.
The default changed in IOS 12.0: directed broadcasts are now disabled by default, so this command is in effect without being configured (no local directed broadcasts).
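The two hardening points above (small servers and directed broadcasts) are easy to check across a collection of saved configurations. The following Python audit is an added example, not code from the article: it parses a running-config into interface blocks and reports interfaces that still forward directed broadcasts, taking the pre-12.0 versus 12.0 default difference into account, and global configs that lack the explicit no service ...-small-servers lines. The sample configuration is constructed for the example; the hostnames and addresses in it are not from any real device.

```python
import re

# Constructed sample running-config excerpt for the audit below; it is not
# taken from any real device. Ethernet0 relies on the pre-12.0 default,
# Ethernet1 is hardened, Serial0 has directed broadcasts explicitly on.
SAMPLE_CONFIG = """\
version 11.2
service udp-small-servers
service tcp-small-servers
hostname rtr-a
!
interface Ethernet0
 description LAN | users bldg A
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1
 ip address 10.1.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 10.1.3.1 255.255.255.252
 ip directed-broadcast
!
line vty 0 4
 login
end
"""


def ios_version(config):
    """Return (major, minor) from the 'version' line, or None if it is missing."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_interfaces(config):
    """Map each interface name to its indented configuration lines (stripped)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the block
    return interfaces


def audit_small_servers(config):
    """Flag TCP/UDP small servers (echo, chargen, discard, daytime) that are not
    explicitly disabled. The explicit 'no service ...' line is harmless on any
    release, so its absence is reported regardless of IOS version."""
    findings = []
    for proto in ("tcp", "udp"):
        if not re.search(rf"^no service {proto}-small-servers\s*$", config, re.M):
            findings.append(f"global: add 'no service {proto}-small-servers'")
    return findings


def audit_directed_broadcast(config):
    """Flag interfaces that still forward directed broadcasts.

    An explicit 'ip directed-broadcast' is always a finding. On releases before
    12.0 the default is enabled, so an IP interface with neither line is also a
    finding; from 12.0 on, absence means disabled (as the text notes)."""
    version = ios_version(config)
    default_enabled = version is None or version[0] < 12
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("ip address ") for l in lines):
            continue  # no IP on this interface, nothing to receive a broadcast
        if "ip directed-broadcast" in lines:
            findings.append(f"{name}: directed broadcasts explicitly enabled")
        elif default_enabled and "no ip directed-broadcast" not in lines:
            findings.append(f"{name}: pre-12.0 default; add 'no ip directed-broadcast'")
    return findings


if __name__ == "__main__":
    for finding in audit_small_servers(SAMPLE_CONFIG) + audit_directed_broadcast(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config saved from each router; a version line is expected at the top, and when it is missing the script assumes the older (less safe) default.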
To simplify managing routers, use structured description lines on interfaces. This information (and the name of the interface) can easily be retrieved from the Cisco MIB via SNMP, so you can use it as an on-line database of router-related information (circuit descriptions, circuit IDs, cities the circuit connects, LAN port function, serial numbers, whatever). If you pull the info back and clean up extraneous script output, the "|" character imports nicely into Excel, allowing you to use Excel as the database engine for viewing/searching/reporting this information.
interface ethernet 0
description field1 | field2 | field3 ...
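As an added example (not part of the article), here is a small Python parser for the "|"-delimited description convention above. It takes (interface, description) pairs such as you would get from an SNMP walk (on IOS releases that support it, the description line is exposed as ifAlias in IF-MIB; that mapping is an assumption of the example, not something the article states), fills in missing trailing fields so every row has the same columns, and emits CSV for Excel. The field names and sample rows are constructed for the example.

```python
import csv
import io

# Field layout assumed for this example: function | circuit id | cities | notes.
FIELDS = ["function", "circuit_id", "cities", "notes"]

# Constructed sample rows (interface name, description) as returned by an
# SNMP walk after cleanup; the circuit ids are placeholders, not real ones.
SAMPLE_ROWS = [
    ("Ethernet0", "LAN | n/a | Baltimore | user segment bldg A"),
    ("Serial0", "WAN | CKT-0001 (constructed id) | Baltimore-Reston | T1"),
    ("Serial1", "WAN | CKT-0002 (constructed id) | Baltimore-Richmond"),  # notes missing
    ("Loopback0", ""),  # no description configured at all
]


def parse_description(text, fields=FIELDS):
    """Split 'a | b | c' into a dict keyed by field name.

    Missing trailing fields become '' so every row has the same columns;
    surplus fields are kept under 'extra' rather than silently dropped.
    """
    parts = [p.strip() for p in text.split("|")] if text.strip() else []
    row = {name: (parts[i] if i < len(parts) else "") for i, name in enumerate(fields)}
    row["extra"] = " | ".join(parts[len(fields):])
    return row


def to_csv(rows, fields=FIELDS):
    """Render (interface, description) pairs as CSV text for import into Excel."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["interface"] + fields + ["extra"])
    writer.writeheader()
    for ifname, desc in rows:
        record = parse_description(desc, fields)
        record["interface"] = ifname
        writer.writerow(record)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_ROWS), end="")
```

Keeping the field order identical on every router is what makes the spreadsheet usable; the parser flags drift by putting unexpected extra fields in their own column instead of shifting the rest.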
It's a good idea to configure
ip default-gateway a.b.c.d
in case your router wakes up in RX-BOOT mode sometime. The IP default gateway is used only when the router is acting as a host rather than routing, namely when you've turned off IP routing or the router is in RX-BOOT mode. It can give you remote access to the router on a bad Monday morning.
To stifle unwanted SNMP link up/down traps, for example on dial interfaces, configure:
int bri 0
no snmp trap link-status
That saves you from having to filter the unwanted traps out on the management station end.
If you're using OSPF, it's nice to have DNS used to convert addresses to names in show command output:
ip ospf name-lookup host
Filter broadcasts as well as "uninteresting" packets wherever possible, to reduce unnecessary traffic on the dial link.
From Subodh Nijsure:
HP OpenView can tie up Internet BGP speaking routers with large routing tables for quite a while transferring the IP routing table. This happens every 24 hours and is at the very least an unnecessary annoyance: HPOV won't have to explore past the Internet gateway; you're not going to discover and manage the Internet.
If you want OpenView to stop getting the ipRoute table, create a view that excludes ipRoutingTable on the BGP speaking router:
snmp-server community foobar view viewForOV RO
Configure HP OpenView so that it polls this router with community string 'foobar'.
snmp-server view viewForOV internet included
snmp-server view viewForOV ip.21 excluded
snmp-server view viewForOV ip.22 excluded
snmp-server view viewForOV ifMIB excluded
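To see what the view above actually exposes, here is an added Python model of SNMP view evaluation (this is example code, not part of the contribution above or of any Cisco software). It encodes the four view lines with their standard MIB-II / IF-MIB object identifiers and applies the rule that the most specific (longest) matching subtree decides, which is how IOS views and RFC 3415 VACM behave: an excluded subtree carves a hole out of an included parent. It also shows one thing worth knowing before you use this view: excluding ifMIB hides the IF-MIB extensions (ifXTable, ifAlias, ...) but not the classic ifTable, which lives under interfaces, not ifMIB.

```python
# Standard OID prefixes for the names used in the view (MIB-II and IF-MIB numbering).
OID_NAMES = {
    "internet": "1.3.6.1",
    "ip": "1.3.6.1.2.1.4",
    "ip.21": "1.3.6.1.2.1.4.21",   # ipRouteTable
    "ip.22": "1.3.6.1.2.1.4.22",   # ipNetToMediaTable (ARP cache)
    "ifMIB": "1.3.6.1.2.1.31",     # IF-MIB extensions (ifXTable, ifAlias, ...)
    "ifTable": "1.3.6.1.2.1.2.2",  # classic interfaces table, NOT under ifMIB
}

# The viewForOV definition from the text as (subtree, included?) pairs.
VIEW_FOR_OV = [
    ("internet", True),
    ("ip.21", False),
    ("ip.22", False),
    ("ifMIB", False),
]


def resolve(name):
    """Turn a symbolic name from OID_NAMES or a dotted OID string into a tuple of ints."""
    if name in OID_NAMES:
        name = OID_NAMES[name]
    return tuple(int(x) for x in name.strip(".").split("."))


def is_visible(oid, view):
    """Decide whether an OID is readable through a view.

    Every subtree whose OID is a prefix of the target matches; the longest
    such prefix wins, and its included/excluded flag is the answer. An OID
    outside every subtree (e.g. not under 'internet') is not visible.
    """
    target = resolve(oid)
    best = None  # (prefix tuple, included flag) of the most specific match so far
    for subtree, included in view:
        prefix = resolve(subtree)
        if target[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, included)
    return best is not None and best[1]


if __name__ == "__main__":
    probes = {
        "sysName.0": "1.3.6.1.2.1.1.5.0",
        "ipRouteDest (a route entry)": "1.3.6.1.2.1.4.21.1.1.10.0.0.0",
        "ipAdEntAddr (ipAddrTable)": "1.3.6.1.2.1.4.20.1.1.10.1.1.1",
        "ifDescr.1 (ifTable)": "1.3.6.1.2.1.2.2.1.2.1",
        "ifAlias.1 (IF-MIB)": "1.3.6.1.2.1.31.1.1.1.18.1",
    }
    for label, oid in probes.items():
        print(f"{label:30} {'visible' if is_visible(oid, VIEW_FOR_OV) else 'excluded'}")
```

The same function lets you dry-run a proposed view against the OIDs your management station is known to poll before you cut the community string over to it, so you do not accidentally exclude something the monitoring depends on.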
Catalyst 5xxx Series Switches
Separate Management VLAN
Create a separate management VLAN and put SC0 in it. This keeps unnecessary user broadcast traffic off the SC0 management port, where it ties up the CPU. It also keeps users from possibly snooping on SNMP community strings.
Small VLANs and UplinkFast
For rapid troubleshooting, localize VLANs: avoid "spaghetti VLANs" that run through many switches. The point is that not having to figure out where your VLAN runs and what the current spanning tree looks like greatly speeds up problem resolution.
The new Cisco Layer 2 / Layer 3 model suggests small pockets of switching (building distribution layer out to wiring closets) with triangular VLANs (closet switch and the redundant pair of distribution and Layer 3 switches, plus the trunk between them). This topology also allows use of the uplinkfast command, which greatly speeds uplink cutover time.
For similar reasons, not using port security and not using dynamic port VLAN assignment (VMPS) greatly speeds up troubleshooting. This is a design decision: do you require these features, or do you value fast troubleshooting more?
The issue with both port security and VMPS is that you have to figure out what you have, down to the IP and MAC address levels, and compare that with what's supposed to be happening. Not terrible if you keep consistent records and have a single user unable to communicate. But it's one more thing to check in an outage, particularly if a number of users report problems.
Use the portfast command where appropriate, namely on ports that are connected strictly to host computers. There's no point in using portfast if a hub or repeater is connected to a switch port. But on direct connections, portfast allows desktop protocols to make the connections they require without timing out (and without your having to adjust the timeout on a lot of desktops).
Lock the Ports Down
Auto-negotiation of speed and duplex between devices, especially across vendors, is not reliable. Specify (hardcode) trunking (desired/on/off/auto), duplex (full/half), and speed (10/100) on switch ports. That way auto-negotiation won't cause occasional outages. The trade-off is more management hassle when you make changes, but it beats occasionally having to run around and fix things when a port comes up at odds with the attached device.
Switches default to VTP server mode.
Caution: When configuring a new switch, be sure to attach it to an existing switch before configuring the VTP domain name. If you do this in the other order, the new switch's VLAN configuration (namely, none) may get fed out to the other switches via VTP, wiping out existing VLANs.
In mission critical networks, such as hospital client to server farm networks, put switches into VTP transparent mode to avoid any chance of nasty surprises. The cost of doing this is that CWSI won't be usable, at least in release 2.1 or earlier.
If you are using VTP, use CWSI for a graphical topology view and one additional tool to shed light on what's going on.
If you have multicast traffic, use CGMP to remove the traffic from ports that are uninterested in the multicast traffic.
Name ports to help in troubleshooting.
Give meaningful names to VLANs.
Use SNMP traps.
Turn on timestamps and NTP.
Consider using TACACS+ (5000 series only).
Catalyst 5000 and 5500: spread cards across the three (or however many) buses, if present, for best performance.
Localize VLANs on a single bus or card, to avoid cross-bus traffic. This is especially important with the 3- and 9-port Gigabit Ethernet cards: switching capacity is a lot better within a card than across the bus. (Consider the new 4000 models?)
Multi-Layer Switching (MLS)
Catalyst 5000 with MLS and NFFCs: inbound ACLs disable the ability to do MLS on an interface. Use the equivalent outbound access list(s) instead. Note that discarded packets (deny in an ACL) are not MLS cached/switched, because the NFFC never sees an outbound packet from the Route Processor.
IOS 12.0 allows you to force MLS despite an inbound ACL. Be aware that the inbound ACL is ignored when you do this -- you might as well have just removed the ACL from the interface.
Note that MLS has unsupported topologies. If no enabler packet flows back through the switch, because the routed path bypasses the switch, then MLS is not possible. An external router across an FDDI, ATM, or Token Ring cloud is also not suitable: the router cannot do MLSP (to notify the SP that it is present, and what its MAC address is) over these media.
Both Routers and Switches
A host table (alias table in a switch) maps names to IP addresses. Maintaining a current host table in routers and switches is a bit of a nuisance. But when your network is broken and you can't get to the DNS server, having names for routers, switches, and key servers can be very handy. It sure beats having to find a map, dig out IP addresses, troubleshoot with addresses you're not that familiar with, etc.
Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eleven CCIEs (4 of whom are double CCIEs, R&S and Security). NetCraftsmen has expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/about-us/bios/staff-articles-and-blogs/pete-welcher.html . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to
Copyright (C) 1999, Peter J. Welcher