Håvard O. Nordstrand 4 years ago
Parent
Current commit
c6cbe118ba

+ 5 - 4
config/network/cisco-ios-general.md

@@ -94,11 +94,12 @@ Software configuration for Cisco switches and routers running IOS or derivatives
 
 Note: Copying to the running config will merge it into it instead of overwriting it. Copying it to the startup config instead and restarting is one way around that.
 
-1. Enable SSH.
-1. Enable local authentication and authorization.
+1. Enable SSH, SCP, default login authentication and default exec authorization.
+1. Backup the old startup config: `copy startup-config flash:startup-config.backup`
 1. Copy from PC to device: `scp new-config.txt admin@10.10.10.10:flash:/new-config` (example)
-1. (Optional) Backup the old startup config: `copy startup-config flash:startup-config.backup`
-1. Copy new config to running config: `copy flash:new-config nvram:startup-config`
+1. Copy new config to running config to validate it: `copy flash:new-config running-config`
+    - Note that this will merge the two configs, which may lead to some new warnings or errors.
+1. Copy new config to startup config: `copy flash:new-config startup-config`
 1. Reload: `reload`
 
 ## Information
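Review bot: the new validation step (`copy flash:new-config running-config`) applies the uploaded config live before anything guards against a lockout, so a bad management-interface, VTY or AAA line in `new-config` can cut the SSH session before the startup-config copy and `reload` steps are reached. Consider validating with `configure replace flash:new-config` instead (it replaces rather than merges, and its `time <minutes>` option rolls back unless followed by `configure confirm`), or at least tell the reader to run this step from the console. The merge note added under that step also repeats the existing note above the list ("Copying to the running config will merge it into it..."); one of the two could go. Minor: the scp example writes `flash:/new-config` while the later steps reference `flash:new-config`; they resolve to the same file on IOS, but one spelling avoids the doubt.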

+ 2 - 2
config/network/cisco-ios-routers.md

@@ -94,8 +94,8 @@ An example of a full configuration.
     1. (Optional) Set IPv4 address: `ip address <address> <mask>`
     1. (Optional) Set IPv6 address: `ipv6 address <address>/<prefix-length>`
     1. (Optional) Disable sending IPv6 RAs: `ipv6 nd ra suppress all`
-    1. Enable strict uRPF for IPv4: `ip verify unicast source reachable-via rx`
-    1. Enable strict uRPF for IPv6: `ipv6 verify unicast source reachable-via rx`
+    1. Enable strict uRPF for IPv4 (downlinks only): `ip verify unicast source reachable-via rx`
+    1. Enable strict uRPF for IPv6 (downlinks only): `ipv6 verify unicast source reachable-via rx`
     1. VLAN subinterfaces: See separate section.
     1. IPv6 router advertisements: See separate section.
 1. Setup default routes:
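Review bot: the "(downlinks only)" qualifier is correct but gives no reason, and the reason matters for the very next step (default routes): without the `allow-default` keyword IOS does not consider the default route in the uRPF lookup, so strict mode on the uplink that carries the default route drops practically every packet arriving on it. Suggest a sub-bullet such as: on uplinks and transit links use loose mode (`ip verify unicast source reachable-via any`) or ACLs instead, and never strict mode on an interface a default route points to. The same applies to the IPv6 line.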

+ 3 - 1
config/network/juniper-junos-switches.md

@@ -33,7 +33,9 @@ This page is super not done. Just random notes for now.
 1. Connect to the switch using serial (RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control).
 1. Login with username `root` and no password. You'll enter the shell.
 1. Enter the operation mode: `cli`
-1. Enter configuration mode (implicit hereafter, use `exit` to return to CLI): `configure`
+1. Enter configuration mode: `configure`
+    - Use `exit` to return to CLI.
+1. 
 1. Set hostname: `set system host-name <hostname>` (conf mode)
 
 **TODO**
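Review bot: the `+1. ` line between the configuration-mode step and the hostname step is an empty list item, apparently left over from splitting the old line; drop it or put the intended step there. Also, with the old "(implicit hereafter ...)" parenthetical gone, the "(conf mode)" suffix on the hostname step is now the only hint that the following commands run in configuration mode; either keep that wording in the new sub-bullet or add "(conf mode)" consistently to the later steps.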

+ 1 - 0
config/network/linux.md

@@ -53,6 +53,7 @@ Issues may also be related to stupid things like which ports you're using on the
 - Enable or disable hardware offloading (needs testing):
     - Enable/disable large receive offload (LRO) or generic receive offload (LRO): `ethtool -K <if> <lro|gro> on` (temporary)
     - Enable/disable TX/RX checksum offload: `ethtool -K <if> tx on rx on`
+    - Enable/disable scatter/gather aka vectored I/O: `ethtool -K <if> sg on`
     - (And some others.)
 - Change NIC RX/TX buffer sizes:
     - Show supported and current sizes: `ethtool -g <if>`
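Review bot: the added scatter/gather line is labelled "Enable/disable" but, like its neighbours, only shows the `on` form; `ethtool -K <if> sg off` is the counterpart, and `ethtool -k <if>` (lowercase) shows the current offload state, which would help with the "(needs testing)" caveat. Unrelated to the change but visible in the context: the LRO/GRO line above expands both abbreviations as "(LRO)"; the second should read "generic receive offload (GRO)".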

+ 12 - 3
config/network/security.md

@@ -54,11 +54,20 @@ breadcrumbs:
     - Should be handled somehow if possible.
     - May prevent spoofed IP addresses, especially
     - Can be done with firewall rules, reverse path forwarding (RPF), DHCP snooping-based verification, etc. based on scenario.
-- Reverse path filtering:
-    - Should be enabled. Use strict mode for most cases and loose mode if using asymmetric routing.
+- Reverse path filtering (RPF):
+    - Should be enabled for downlinks, but probably not for uplinks and transit links. For the latter two, use ACLs/firewall rules instead. Be especially careful for links with a default route pointing to it.
+    - Use strict mode most of the cases, but loose mode if assymmetrical routing may happen.
     - Filters packets from sources that are not reachable by the FIB (loose mode); or filter packets from sources that are not received on the interface that would be used to reach the source (strict mode).
     - Linux:
-        - Enable strict RPF (1) or loose RPF (2): `net.ipv4.conf.all.rp_filter=<0|1|2>` (default varies by distro, but generally disabled by default)
+        - Enable for IPv4 globally or per interface: `net.ipv4.conf.all.rp_filter=<0|1|2>`
+        - Status for IPv6: Unknown.
+        - Disabled (0), strict (1) or loose (2).
+    - Cisco IOS:
+        - Enable per interface: `<ip|ipv6> verify unicast source reachable-via <any|rx>`
+        - Loose ("any") or strict ("rx").
+    - VyOS (global):
+        - Enable globally: `firewall source-validation strict`
+        - TODO: Status for IPv6.
 - Directed broadcast forwarding:
     - Should be disabled.
     - Exploited by e.g. smurf and fraggle attacks.
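Review bot: "Status for IPv6: Unknown." under Linux can be answered: there is no `net.ipv6.conf.*.rp_filter` sysctl, so IPv6 reverse-path checks are done in the packet filter, e.g. nftables `fib saddr . iif oif missing drop` (strict) or `fib saddr oif missing drop` (loose), or `ip6tables -m rpfilter`; the same nftables expression works for IPv4 and is the cleaner way to get the per-interface policy this hunk recommends (strict on downlinks, off on uplinks). Related: for `rp_filter` the kernel uses the maximum of `net.ipv4.conf.all.rp_filter` and the per-interface value, so "globally or per interface" should warn that `all=1` overrides a per-interface `0`; to mix strict and disabled you need `all=0` plus per-interface values. The VyOS `firewall source-validation` knob sets that IPv4 sysctl, so its IPv6 TODO has the same answer (packet-filter rule). Typo: "assymmetrical" should be "asymmetric".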

+ 1 - 0
config/network/vyos.md

@@ -81,6 +81,7 @@ An example of a full configuration. Except intuitive stuff I forgot to mention.
     - See the Linux router notes.
     - Enable GRO (example): `ethtool -K <if> gro on`
     - Increase RX/TX buffer sizes (example): `ethtool -K <if> gro on`
+    - Enable scatter/gather aka vectored I/O (example): `ethtool -K <if> sg on`
     - Make any ethtool (e.g.) commands permanent by adding them to `/config/scripts/vyos-postconfig-bootup.script`.
 1. Commit and save: `commit` and `save`.
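Review bot: the context line right above the new scatter/gather line, "Increase RX/TX buffer sizes (example): `ethtool -K <if> gro on`", is a copy of the GRO line and does not change buffer sizes; ring sizes are set with `ethtool -G <if> rx <n> tx <n>` (the linux.md hunk in this same commit already shows the matching `ethtool -g <if>`), so this is a good moment to fix it. Also, since these ethtool commands live in `/config/scripts/vyos-postconfig-bootup.script`, the `commit`/`save` step that follows does not persist them; worth stating explicitly.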