Experimental Switch Configuration
The following is the commented output of the command "show derived-config". Some commands we entered do not show up in the configuration output, e.g.:

- no service udp-small-servers
- no service tcp-small-servers
- no ip icmp redirect
- no service finger
- no ip finger
- no ip host-routing

Please refer to the switch configuration how-to for more details on obtaining this configuration and managing it.
| Setting | Comments |
|---|---|
| version 12.2 | Current as of Sept. 2005 |
| no service pad | The packet assembler/disassembler is disabled (used for X.25 connections). |
| service timestamps debug datetime | Timestamp debug messages. |
| service timestamps log datetime | Timestamp the log messages. |
| service password-encryption | Set with "service password-encryption" (!) |
| service compress-config | |
| hostname exp_switch_1 | Name of the switch. As the switch will not have an IP address, it would not make sense to give it a valid DNS name. |
| enable secret 5 zzzzz | Enable password stored as a type 5 (MD5) hash. |
| vtp mode transparent | This switch does not participate in VTP. We control VLANs through the serial port. Hence, we don't have to worry about vulnerabilities in VTP. |
| no ip subnet-zero | "subnet-zero" refers to the all-zero subnet of a classful network (e.g., 128.10.0.0/24 within 128.10.0.0/16). This option decides whether such subnets may be used, and is completely irrelevant to the configuration of a switch that has no IP address and performs no L3 (routing) functions. We set it to "no" on principle. There is a discussion of this on the Cisco web site. |
| no ip source-route | Layer 3 functions of this switch need to be turned off. |
| no ip domain-lookup | |
| spanning-tree mode pvst<br>spanning-tree extend system-id<br>no spanning-tree vlan 1-4094 | Spanning tree is disabled for all VLANs. There's no point in having it on an isolated switch, and it can be exploited (see Phrack, for example). |
| vlan 100<br>private-vlan isolated<br>name unused_interfaces<br>! | VLAN for unused interfaces. |
| vlan 4094<br>name MANAGEMENT<br>! | The management VLAN is reassigned to a number different from 1. |
| interface GigabitEthernet1/1<br>switchport access vlan 100<br>switchport mode access<br>switchport port-security<br>switchport port-security maximum 64<br>switchport port-security violation restrict<br>! | All interfaces are configured in this manner. They initially belong to the unused_interfaces VLAN and do not support trunking. Port security will drop packets if more than 64 different MAC addresses are detected. This is to prevent the filling of the CAM table (if you wonder "why 64", see the switch configuration how-to) and interference between experiments. |
| interface Vlan1<br>no ip address<br>shutdown<br>! | We don't want or need VLAN 1, as it is used by default and to support protocols we don't want to use. However, we can't delete it... |
| interface Vlan4094<br>no ip address<br>! | We don't want the switch to be reachable over IP from the presumably malicious experimental computers, even if there is a VLAN bug. |
| no ip http server<br>! | Without an IP address this service makes no sense. |
| no cdp advertise-v2<br>no cdp run<br>! | We don't need the Cisco Discovery Protocol, and we won't forward advertisements. |
| mac-address-table aging-time 100000 | Cables determine which NIC is connected to which interface. Is it possible to spoof MAC addresses from within a virtual machine like VMware, with a bridged interface? |
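An added example, not part of this how-to: a small Python audit that parses a "show derived-config" dump and reports which of the hardening settings from the table above are missing (global lines, the per-port port-security block, VLAN 1 shut down, no IP address on any SVI). The sample dump at the end is constructed for the demonstration; the required-line lists are taken from the table.

```python
# Global lines the page requires, matched exactly after stripping whitespace.
REQUIRED_GLOBAL = ["service password-encryption", "vtp mode transparent",
                   "no ip source-route", "no spanning-tree vlan 1-4094",
                   "no ip http server", "no cdp run"]
# Lines every physical port must carry (64-MAC cap against CAM-table filling).
REQUIRED_PORT = ["switchport mode access", "switchport port-security",
                 "switchport port-security maximum 64",
                 "switchport port-security violation restrict"]

def parse_config(text):
    """Split an IOS config dump into (global_lines, {interface: [lines]})."""
    global_lines, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):    # '!' closes a block
            current = None
        elif line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = []
        elif line.startswith(" ") and current:  # indented: belongs to block
            ifaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, ifaces

def audit(text):
    """Return findings as strings; an empty list means the dump is compliant."""
    global_lines, ifaces = parse_config(text)
    findings = [f"global: missing '{r}'" for r in REQUIRED_GLOBAL if r not in global_lines]
    for name, lines in ifaces.items():
        if name.startswith("Vlan"):             # SVIs: no IP, and VLAN 1 shut
            if name == "Vlan1" and "shutdown" not in lines:
                findings.append("Vlan1: not shut down")
            if any(l.startswith("ip address ") for l in lines):
                findings.append(f"{name}: switch must not have an IP address")
        else:                                   # physical ports
            findings += [f"{name}: missing '{r}'" for r in REQUIRED_PORT if r not in lines]
    return findings

# Constructed sample dump: Gi1/2 lacks port security and Vlan1 is not shut down.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption", "vtp mode transparent", "no ip source-route",
    "no spanning-tree vlan 1-4094", "no ip http server", "no cdp run", "!",
    "interface GigabitEthernet1/1", " switchport mode access",
    " switchport port-security", " switchport port-security maximum 64",
    " switchport port-security violation restrict", "!",
    "interface GigabitEthernet1/2", " switchport mode access", "!",
    "interface Vlan1", " no ip address", "!"])
```

Run it against a real dump with `audit(open("derived-config.txt").read())`; four findings are expected for the constructed sample.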
