
VMS Mobifone

IP Network Optimization
Summary of Best Practices Configuration Analysis

Cisco Advanced Services


Truong Le (truole@cisco.com)

September 2014
Agenda

Executive Summary
Management
Security
IP Routing
IP Applications
LAN

2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Executive Summary

Report Overview

Configuration Best Practice analysis is the process of identifying device configuration issues in the VMS Mobifone IPBB network. This helps to reduce the likelihood of unexpected network behaviour, reduce the cost of ownership and increase network availability. Best practice configuration analysis can also help improve the security of a network, decrease resource utilization, improve manageability, and reduce complexity.

Cisco Advanced Services CCIEs have identified hundreds of common configuration issues and created rules to identify those issues in customer networks. These rules are divided into several areas, including security, management, campus switching, routing protocols, IP multicast, and other technologies.

Analysis Summary

A total of 5075 best-practice configuration issues were identified. It is recommended that VMS Mobifone take corrective action in the near future regarding the high-impact exceptions identified.

High and Medium exceptions are more critical and need to be addressed with high priority. The Low exceptions are not very critical, but they are good to have and have been included more as information only.

VMS Mobifone should work to better disseminate standard best-practice configuration templates for device roll-outs in the IPBB network. Unused configuration should be reviewed and removed.

Date:                                    2014-Aug-07
Total Rules Applied:                     1111
Total Network Elements:                  98
Total Network Elements With Exceptions:  98
Total Exceptions:                        5075
Exceptions per Network Element
  (Global Exceptions per Network Element): 51.79 (27.74)
Total Rules with Exceptions:             230

Top 10 Exceptions (number of elements affected)

  76  SNMP access for IPv4 is not protected with an access-list.
  76  ICMP redirects not disabled on an Interface
  76  SSH Not Used or Not Used Exclusively for Remote Access.
  76  IP options allowed
  76  No interface description
  75  Cisco IOS Image Verification
  75  Redistribute connected command configured without filters
  75  SNMPv3 traps not used
  74  NTP not protected by ACL
  74  NTP authentication not enabled

Category Summary

[Chart: Category Summary, number of exception rules per category]

Risk Summary (rules with exceptions, by risk level)

  High    106
  Medium   97
  Low      28
Management

Logging

Logging is a valuable monitoring mechanism that proactively captures chronic issues affecting a network. It can identify many more exceptions and network degradation warnings than other forms of monitoring metrics, such as SNMP traps.

It is advised to send logging information to remote syslog servers. A logging configuration template should be developed with the following leading practices:
- Configure redundant syslog servers which collect logs down to the informational level. There should not be more than four syslog servers on any given device.
- Utilize a logging source as loopback 0 on routers.
- Configure logging timestamps (with timezone) to help correlate events across network devices.
- Logging to console and logging to monitor should be disabled to avoid impacting the CPU with intensive logging messages.
- Logging buffered and logging persistence (or archives) can be configured for local message storage.

Exceptions (platform, number of elements):
  XR   13  Timestamping for debugging not set for datetime
  XR   13  Timestamping for logging not set for datetime
  IOS  66  Logging to the console is enabled
  XR   16  Logging to the console is enabled
  IOS  40  Syslog level not set to informational
  XR   20  logging suppress duplicates not configured
  XR    3  ssh server logging not enabled
  IOS   2  Logging to a syslog server not enabled
  IOS   7  No redundant syslog server
  XR    4  No redundant syslog server
  IOS   2  Syslog facility changed from default
  XR    6  Syslog facility default not configured
  IOS   5  Syslog source interface not defined
  XR    4  Syslog source interface not defined
  IOS  12  Too many syslog servers
  XR   19  logging hostnameprefix not configured
  IOS   9  Logging to monitor enabled

SNMP

SNMP configuration is required in order to enable fault management systems to monitor the general status of network elements. SNMP configuration templates for all Cisco devices should be developed, with the following best practices:
- Configure redundant SNMP hosts (SNMP collectors). There should not be a need for more than four SNMP trap receivers on any given device.
- Utilize password security guidelines for creating and changing community strings.
- Configure SNMP views and access-lists to restrict unauthorized SNMP access.
- Utilize a TRAP source as loopback 0 on routers.
- Configure SNMP contacts and locations.
- Configure SNMP traps with a minimum of WarmStart, ColdStart, Linkup, Linkdown, Module, Config, EnvMon, Authentication, Memory, CPU. Their use should be carefully considered, as the intention should not be to overwhelm the NOC staff with too much information.
- Configure SNMP ifindex and cbqosindex persistence to ensure that interface index (ifindex) and CBQoS index values are retained during reloads.

Exceptions (*) (platform, number of elements):
  XR   14  SNMP Interface Index Persistence not enabled
  IOS  38  SNMP Interface Index Persistence not enabled
  IOS  76  SNMP access for IPv4 is not protected with an access-list.
  XR   20  'snmp-server ifmib stats cache' Not Enabled
  IOS  17  EnvMon SNMP Traps Not Enabled
  XR    5  No redundant SNMP trap receiver
  XR   20  No snmp-server community string configured with 'SystemOwner' privileges
  IOS  53  SNMP server memory traps not enabled
  IOS   2  SNMP traps enabled without snmp-server host
  XR    2  SNMP traps enabled without snmp-server host
  IOS   3  WarmStart SNMP Traps Not Enabled
  XR   20  snmp-server view Not Implemented
  IOS  75  SNMPv3 traps not used
  IOS   6  Using SNMP (default) public community string

(*) Only High and Medium exceptions are shown. Refer to the report for a complete list of all exceptions.
NTP

NTP is one of the critical IP applications for network management and operations. It synchronizes time-stamping from a server to a number of routers configured for NTP. The synchronization of time-stamps allows events from multiple routers to be correlated when system logs are created.

NTP configuration templates should be developed for all Cisco routers following these best practices:
- Design hierarchical NTP with server redundancy. Use a minimum of two reference clocks. Peer time between reference clocks.
- Utilize NTP update source as loopback 0 on routers.
- Configure NTP with authentication and ACL protection for security.
- Configure the router to periodically update the hardware clock with the time learned from NTP.

NTP Exceptions (platform, number of elements):
  XR    6  NTP Update Calendar Disabled
  IOS  74  NTP not protected by ACL
  XR   20  clock enabled without time zone
  IOS  14  NTP Update Calendar Disabled
  IOS  74  NTP authentication not enabled
  XR   18  NTP authentication not enabled
  IOS   4  NTP enabled without time zone
  IOS   2  NTP not enabled
  XR    2  NTP not enabled
  IOS  31  NTP source interface not defined
  IOS   6  No redundant NTP server
  XR    9  No redundant NTP server

Device Management

IOS device management exceptions, especially High & Medium, should be addressed by developing configuration templates.

Restricting management access to devices to internal sources (trusted networks) is critical. The Management Plane Protection (MPP) feature in Cisco IOS XR provides the capability to restrict the interfaces on which network management packets are allowed to enter a device.

IOS Management Exceptions (number of elements):
   2  boot system statement not configured
  75  Cisco IOS Image Verification
   2  Power Redundancy Not Configured
   8  Bandwidth not configured on interface
   8  CDP disabled globally
   3  CDP disabled on a GRE interface
  12  CDP disabled on an interface
  15  CPU Thresholding Notification is not enabled.
  63  Memory Threshold Notifications (I-O) Not Enabled
  63  Memory Threshold Notifications (Processor) Not Enabled
  51  Nagle service disabled
  26  No controller description
  76  No interface description
  58  The Call Home feature is not configured
  37  The Enhanced Crashinfo File Collection feature is not configured.

IOS XR Management Exceptions (number of elements):
  14  Management Plane Protection (MPP) not configured
  20  diagnostic monitor syslog not configured
  20  fpd auto-upgrade feature not enabled in admin configuration
  20  ipv4 virtual address not configured
  20  online diagnostics scheduled not enabled
   4  NSR Process-failures Switchover Not Enabled
  18  ipv4 conflict-policy not configured
   3  ssh server logging not enabled
  20  MPP Address IPv4 Not Enabled
   9  Interface Preconfiguration present
   1  Interface is shutdown, has interface configuration applied.
  18  No interface description

Security

AAA

The Authentication, Authorization, and Accounting (AAA) framework is critical to securing interactive access to network devices.

TACACS+ should be used in preference to RADIUS when TACACS+ is supported by the AAA server.

Due to the importance of AAA systems, centralised servers with redundancy are highly recommended.

An AAA configuration template should be developed for all Cisco devices for consistency.

AAA Exceptions (platform, number of elements):
  IOS  60  AAA authentication enable is not configured optimally.
  XR    3  AAA authentication login aaa group is not used
  IOS  24  AAA authorization for administrative user (commands 15) is not set optimally.
  IOS  16  AAA not configured
  XR    9  AAA not configured
  IOS  27  Console not protected by AAA
  IOS  16  The aaa authentication login command(s) is/are not configured optimally.
  XR    9  aaa authentication login not configured
  XR    4  AAA Accounting Commands not enabled
  IOS  16  AAA Accounting Connection not enabled
  IOS  16  AAA Accounting EXEC not enabled
  IOS  16  AAA Accounting for command level 15 not configured properly
  IOS  60  AAA authorization for command level 1 is not configured properly
  IOS  16  AAA system accounting disabled
  IOS  75  SNMPv3 traps not used
  IOS  60  AAA Accounting for command level 1 not configured properly
  IOS   7  AAA authorization not properly set for EXEC shell
  IOS  15  Redundant AAA server unavailable
  IOS   6  TACACS+ packets not being sourced from a specifically defined interface
  IOS  16  The aux not protected by AAA
  IOS   1  'no tacacs-server directed-request' is configured or command line does not exist

Device Hardening

Exceptions (platform, number of elements):
  IOS XR  20  Banner login not configured
  IOS     33  Enable password not adequately protected
  IOS XR  20  No Username with group root-system or cisco-support
  IOS     44  Banner not configured
  IOS XR  14  Exec timeout disabled
  IOS     55  DHCP server enabled
  IOS      1  FTP source interface not defined
  IOS     76  ICMP redirects not disabled on an Interface
  IOS     16  IOS Software Resilient Configuration secure boot-config disabled
  IOS     43  Local user account is not protected against potential brute-force attacks
  IOS     37  PAD service enabled
  IOS     16  Password encryption not enabled
  IOS     76  SSH Not Used or Not Used Exclusively for Remote Access.
  IOS     34  SSH V2 not used for device Access
  IOS     16  Security Password Minimum Length Less Than 8
  IOS      3  TFTP server is enabled.
  IOS      6  Use FTP for Core Dumps
  IOS XR  20  VTY Lines Not Protected with an Access List
  IOS      1  VTY exec timeout disabled
  IOS      1  HTTP server enabled
  IOS     10  VTY exec timeout too high
  IOS     65  VTY lines not protected with an access list
  IOS XR   3  ssh client source-interface not defined
  IOS     70  A user account is not protected with MD5
  IOS     50  BOOTP server is enabled
  IOS     64  CDP is enabled globally and active on all interfaces.
  IOS      1  Console exec timeout too high
  IOS     16  Exec enabled on line aux
  IOS     74  ICMP unreachables enabled on all interfaces of this device.
  IOS     53  IP Source Routing enabled
  IOS     76  IP options allowed
  IOS XR  20  IPv4 ICMP Unreachables Enabled on All Interfaces
  IOS     15  Incorrectly entered commands will generate a DNS lookup.
  IOS     17  MOP is enabled on one or more interface.
  IOS     16  Password recovery is Enabled
  IOS     75  Proxy ARP is enabled
  IOS XR   1  SSH Timeout High
  IOS     16  Security authentication failure rate disabled
  IOS     56  Service sequence-numbers not enabled
  IOS     56  TCP keepalives not enabled in both directions
  IOS XR  20  vty telnet access to router is only enabled for management port

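Most of the Logging, SNMP, NTP and Device Hardening exceptions listed in the sections above are simple absence-or-presence checks against the running configuration, which is how a best-practice rule engine of this kind works. The following Python script is an added example, not code from this report or from the Cisco tool: it applies a small subset of the deck's rules, worded as in the tables, to a constructed IOS configuration; the sample configuration, addresses and community strings are made up, and the rule that a missing `no logging console` / `no ip source-route` line means the feature is on assumes the IOS defaults.

```python
import re

# Constructed sample IOS configuration (not taken from the report). It mixes
# several of the exceptions listed in the deck with a few compliant lines.
SAMPLE_CONFIG = """\
hostname PE-TEST
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.10
snmp-server community public RO
snmp-server community n3tm0n RW 10
ntp server 192.0.2.20
ntp server 192.0.2.21
ntp source Loopback0
ip http server
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(r"snmp-server community (\S+)(?: view \S+)?(?: R[OW])?(?: (\S+))?$")
SYSLOG = r"logging (host )?\d+\.\d+\.\d+\.\d+"   # 'logging host A.B.C.D' or legacy 'logging A.B.C.D'
DEFAULT_COMMUNITIES = {"public", "private"}


def config_lines(config):
    """Strip whitespace and drop blank lines and '!' comment lines."""
    return [ln.strip() for ln in config.splitlines() if ln.strip() and not ln.strip().startswith("!")]


def communities(lines):
    """Yield (community, acl) for each snmp-server community line; acl is None when missing."""
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if m:
            yield m.group(1), m.group(2)


def count(lines, pattern):
    """Number of config lines whose start matches the regex pattern."""
    return sum(1 for ln in lines if re.match(pattern, ln))


# (area, exception text as worded in the report, predicate that is True when the exception
# is present). Features IOS enables by default (console logging, IP source routing) are
# checked by looking for the explicit 'no ...' line that disables them (assumed defaults).
RULES = [
    ("SNMP", "SNMP access for IPv4 is not protected with an access-list",
     lambda ls: any(acl is None for _, acl in communities(ls))),
    ("SNMP", "Using SNMP (default) public community string",
     lambda ls: any(c.lower() in DEFAULT_COMMUNITIES for c, _ in communities(ls))),
    ("NTP", "NTP not enabled", lambda ls: count(ls, r"ntp server ") == 0),
    ("NTP", "No redundant NTP server", lambda ls: count(ls, r"ntp server ") == 1),
    ("NTP", "NTP authentication not enabled", lambda ls: "ntp authenticate" not in ls),
    ("NTP", "NTP not protected by ACL", lambda ls: count(ls, r"ntp access-group ") == 0),
    ("NTP", "NTP source interface not defined", lambda ls: count(ls, r"ntp source ") == 0),
    ("Logging", "Logging to a syslog server not enabled", lambda ls: count(ls, SYSLOG) == 0),
    ("Logging", "No redundant syslog server", lambda ls: count(ls, SYSLOG) == 1),
    ("Logging", "Too many syslog servers", lambda ls: count(ls, SYSLOG) > 4),
    ("Logging", "Logging to the console is enabled", lambda ls: "no logging console" not in ls),
    ("Logging", "Timestamping for logging not set for datetime",
     lambda ls: count(ls, r"service timestamps log datetime") == 0),
    ("Hardening", "Password encryption not enabled", lambda ls: "service password-encryption" not in ls),
    ("Hardening", "HTTP server enabled", lambda ls: "ip http server" in ls),
    ("Hardening", "IP Source Routing enabled", lambda ls: "no ip source-route" not in ls),
]


def audit(config):
    """Return the exceptions present in one config, grouped by area like the report's tables."""
    lines = config_lines(config)
    report = {}
    for area, text, present in RULES:
        if present(lines):
            report.setdefault(area, []).append(text)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The report never prints community strings themselves, only the rule that fired, so its output can be shared with a NOC without leaking credentials.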
IP Routing

IP Routing

OSPF exceptions (platform, number of elements):
  XR      2  router ospf nsf disabled
  IOS     6  More than one OSPF process
  XR     20  NSR (OSPFv2) Not Enabled
  IOS    53  No Redistribution Metrics Defined for OSPF
  XR     10  OSPF interface not configured or not present or no IPv4 address assigned
  IOS    24  OSPF is not protected with MD5 authentication
  XR      1  OSPF router ID not explicitly configured
  IOS     4  Redistribution into OSPF without subnets keyword
  IOS    54  SPF minimum hold time set to high value
  IOS    14  auto cost reference bandwidth not configured
  IOS    12  OSPF router ID not explicitly configured
  IOS     4  OSPF SNMP Traps are Not Enabled
  IOS    52  OSPF advertises network using the redistribute connected command
  IOS    15  Prefix-suppression not enabled
  IOS     5  Unused OSPF process configured
  IOS XR  1  Unused OSPFv2 process configured

BGP exceptions (platform, number of elements):
  IOS    42  BGP Deterministic MED Not Configured
  IOS     1  No BGP Authentication for eBGP Peers
  IOS     1  No BGP Authentication for iBGP Peers
  IOS     1  No Maximum Prefix Defined for External BGP Peer
  IOS     2  BGP graceful-restart is not enabled
  IOS     9  BGP Neighbor Description Missing
  IOS     2  BGP SNMP Traps Not Enabled

IP Routing exceptions (platform, number of elements):
  XR     16  NSR Isolation enable is not configured
  XR     20  Interface Dampening Does Not Have Optimum Value Configured
  XR     17  Interface Dampening not configured
  IOS    52  IOS Static Route Missing Parameters
  IOS     1  Keepalive not set on GRE Tunnel
  IOS    63  Recursive static routes are present
  IOS    75  Redistribute connected command configured without filters
  IOS     1  Route map missing or incorrect
  IOS     4  Static route pointed to broadcast interface only.
  IOS     1  Unused EIGRP process
  IOS     3  Unused ISIS process

MPLS exceptions (platform, number of elements):
  XR      6  Logging (l2vpn) pseudowire has not been enabled
  XR     20  MPLS LDP Authentication not enabled
  IOS     2  MPLS LDP neighbor authentication is not enabled.
  IOS     3  no mpls ldp advertise-labels not configured
  IOS    10  MPLS Graceful Restart Disabled
  XR     14  LDP interfaces not present OR no IPV4 address assigned

IP Routing (cont)

The IP routing and MPLS configuration on each router should be reviewed and changed accordingly to rectify the exceptions, following the design documents and the recommendations and guidelines from the Cisco design review report.

Unused or improper configuration (static routing, ISIS, EIGRP, etc.) should be reviewed and removed.

IP Applications

IP Applications

First Hop Routing Protocols (HSRP, VRRP, GLBP) allow hosts to appear to use a single gateway router and to maintain connectivity even if the actual first-hop router they are using fails.

HSRP version 1 with default hello/hold timers (3s/10s) is commonly used on PE routers in the VMS network, with several configuration exceptions.

Best practices for TCP should be included in the configuration templates for all Cisco routers.

Exceptions (platform, number of elements):
  IOS  65  HSRP Preempt delay not configured
  IOS  66  HSRP Updates not authenticated
  IOS  18  Standby delay minimum reload not configured
  IOS  66  HSRP Virtual MAC Address not modified
  IOS   2  Preempt delay not configured for GLBP
  IOS  17  Preempt delay not configured for VRRP
  XR    4  tcp mss is enabled
  XR    2  tcp path-mtu-discovery disabled
  XR   20  tcp selective-ack not enabled
  XR   20  tcp timestamp not enabled

HSRP

HSRP version 2 is highly recommended as it provides improved stability, management and troubleshooting. It also supports a greater group number range (0-4095), and advertises and learns millisecond timer values.

Authentication for HSRP messages, together with a change of the virtual MAC address, is recommended, especially on VLANs over public networks (e.g. an external Carrier Ethernet network), to protect against security attacks and misconfiguration.

Hello and Hold timers should be fine-tuned to obtain better convergence. However, care must be taken to balance this against the CPU processing of the devices. 500/1500ms hello and hold timers (*) can be considered as an initial setting. These are subject to testing on the VMS network to find the most appropriate values.

Configuration of all hosts should use the HSRP virtual IP address as the default gateway, where applicable, in such a way that the default gateways of half the interfaces in each end-system (e.g. MGW) point to the HSRP Group 1 virtual IP address and the other half to the HSRP Group 2 virtual IP address. The active PE routers for the HSRP groups are split in the same way by configuring standby priority.

A pre-empt delay of 30s can be used after an interface recovers; a delay minimum reload of 180s can be used after a router is reloaded, to give the BGP router time to establish peering and for routes to converge.

Priority with interface tracking should be configured so that the active PE abandons its role if all uplinks go down.

(*) Some Cisco tests showed that the Cisco 7600 can support up to 2000 HSRP groups with timers of 500ms for hello and 1500ms for holdtime. This limit still depends on the features configured on the routers.

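The HSRP recommendations above (version 2, authentication, a modified virtual MAC, millisecond timers, pre-empt delay with a reload delay, and priority with interface tracking) all map onto per-interface `standby` commands, so they can be audited per interface rather than globally. The following Python audit is an added example, not code from this report or from Cisco: it splits an IOS configuration into interface blocks and reports which recommendations each HSRP-enabled interface misses. The sample configuration, interface names, addresses and the `HSRP-KEYS` key-chain name are constructed.

```python
import re

# Constructed sample (not from the report). Gi0/1 shows the common HSRPv1 / default
# timer setup the deck describes; Gi0/2 follows the deck's recommendations.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
!
interface GigabitEthernet0/2
 ip address 198.51.100.130 255.255.255.128
 standby version 2
 standby 2 ip 198.51.100.129
 standby 2 timers msec 500 msec 1500
 standby 2 priority 110
 standby 2 preempt delay minimum 30 reload 180
 standby 2 authentication md5 key-chain HSRP-KEYS
 standby 2 mac-address 0000.0c9f.f002
 standby 2 track 10 decrement 20
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
"""


def interface_blocks(config):
    """Split an IOS config into {interface name: [its indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def hsrp_exceptions(lines):
    """Apply the deck's HSRP recommendations to one interface; [] if HSRP is not used."""
    groups = sorted({m.group(1) for m in map(re.compile(r"standby (\d+) ip ").match, lines) if m})
    if not groups:
        return []
    findings = []
    if "standby version 2" not in lines:
        findings.append("HSRP version 1 in use (version 2 recommended)")
    for g in groups:
        def has(suffix):
            return any(ln.startswith(f"standby {g} {suffix}") for ln in lines)
        checks = [
            (has("authentication md5"), "HSRP Updates not authenticated (MD5)"),
            (has("mac-address"), "HSRP Virtual MAC Address not modified"),
            (has("timers msec"), "default hello/hold timers (3s/10s) in use"),
            (has("preempt delay minimum"), "HSRP Preempt delay not configured"),
            (any(ln.startswith(f"standby {g} preempt delay") and "reload" in ln for ln in lines),
             "Standby delay minimum reload not configured"),
            (has("track"), "Priority with interface tracking not configured"),
        ]
        findings += [f"group {g}: {text}" for ok, text in checks if not ok]
    return findings


def audit_hsrp(config):
    """Map each HSRP-enabled interface to its exceptions; compliant interfaces are omitted."""
    return {name: exc for name, lines in interface_blocks(config).items() if (exc := hsrp_exceptions(lines))}


if __name__ == "__main__":
    for name, exc in audit_hsrp(SAMPLE_CONFIG).items():
        print(name, *exc, sep="\n  ")
```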
LAN

VTP

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis.

There are positives and negatives to VTP being able to make changes easily on a network, and most service providers prefer the cautious approach of using VTP transparent mode. In this mode, VTP updates are ignored.

VTP domain name and transparent mode should be set for all Cisco devices with a switching function.

Other LAN configuration best practices (UDLD, LACP, trunking, etc.) should be followed where applicable.

LAN exceptions (platform, number of elements):
  IOS   4  Spanning-tree disabled on one or more VLANs
  IOS   2  BPDU Guard Not Enabled
  IOS  18  Loopguard not configured
  IOS  34  MAC address move notification not enabled
  IOS  41  Portfast not enabled on access or edge port
  IOS  58  Rapid PVST+ disabled
  IOS   1  Service Internal should not be configured
  IOS  18  UDLD Globally Disabled
  IOS   5  VLANs not cleared from trunk
  IOS  39  VTP domain name not set
  IOS   4  VTP not configured in transparent mode
  IOS   2  Channel Protocol Negotiation Disabled
  IOS  21  Dynamic trunking is enabled on a static access port

STP

Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths.

Rapid Spanning Tree Protocol (RSTP) is an evolution of the Spanning Tree Protocol (802.1D standard) and provides faster spanning tree convergence after a topology change.

MISTP (802.1s) is an IEEE standard which allows several VLANs to be mapped to a reduced number of spanning-tree instances.

MST scales better with many VLANs and trunks: it allows mapping multiple VLANs to a single spanning tree instance, reducing the CPU load required to maintain the Layer 2 topology when many VLANs are configured.

STP (cont)

As the L2 switching function and STP have their own risks, it is recommended in the design review report to move those functions out of the PE routers to external switches.

MST (IEEE 802.1s) or Rapid PVST+ (Cisco proprietary) should be used for fast convergence where applicable, in accordance with the STP capability/support of the connected switches, to minimize possible incompatibility issues.

Where STP exists, the following configuration best practices should be followed:
- Enable Port Fast on access or edge ports. Port Fast transitions the port directly into forwarding after link-up rather than slowing down the convergence time by 30 seconds.
- Enable BPDU Guard / Loop Guard to prevent any misconfiguration of L2 switching devices.

Thank you.
