This article provides information about the following topics:
Device Monitoring
Network administrators need to be able to perform more than just the configuration of network devices. They need to be able to monitor network devices to ensure that the network is operating as efficiently as possible and to identify potential bottlenecks or trouble spots. The following sections deal with protocols that can help monitor a network.
Configuration Backups
It is important to keep a copy of a router’s configuration in a location other than NVRAM. Automated jobs can be set up to copy configurations from the router at regular intervals to local or remote file systems.
Edmonton(config)# archive | Enters archive configuration mode |
Edmonton(config-archive)# path ftp://admin:cisco123@192.168.10.3/$h.cfg | Sets the base file path for the remote location of the archived configuration. The FTP server is located at 192.168.10.3; the username to access the FTP server is admin and the password is cisco123. The path can be a local or remote path; path options include flash, ftp, http, https, rcp, scp, or tftp. Two variables can be used with the path command: $h is replaced with the device host name, and $t is replaced with the date and time of the archive. If you do not use $t, the names of the new files are appended with a version number to differentiate them from the previous configurations from the same device |
Edmonton(config-archive)# time-period 1440 | Sets the period of time (in minutes) in which to automatically archive the running-config. This number can range from 1 to 525,600 minutes. 1440 minutes = 1 day. 525,600 minutes = 1 year |
Edmonton(config-archive)# write-memory | Enables automatic backup generation during write memory |
Edmonton# show archive | Displays the list of archives. This command also has a pointer to the most recent archive |
To create an archive copy manually, use the archive config command from EXEC mode:
Edmonton# archive config
When the write-memory command is enabled, the copy running-config startup-config command triggers an archive to occur.
Implementing Logging
Network administrators should implement logging to get insight into what is occurring in their network. When a router reloads, all local logs are lost, so it is important to implement logging to an external destination. These next sections deal with the different mechanisms that you can use to configure logging to a remote location.
Configuring Syslog
Edmonton(config)# logging on | Enables logging to all supported destinations |
Edmonton(config)# logging 192.168.10.53 | Sends logging messages to a syslog server host at address 192.168.10.53 |
Edmonton(config)# logging sysadmin | Sends logging messages to a syslog server host named sysadmin |
Edmonton(config)# logging trap x | Sets the syslog server logging level to value x, where x is a number between 0 and 7 or a word defining the level (Table 22-1 provides more detail) |
Edmonton(config)# service sequence-numbers | Stamps syslog messages with a sequence number |
Edmonton(config)# service timestamps log datetime | Includes a time stamp on syslog messages |
Edmonton(config)# service timestamps log datetime msec | Includes a time stamp measured in milliseconds on syslog messages |
Syslog Message Format
The general format of syslog messages generated on Cisco IOS Software is as follows:
seq no:timestamp: %facility-severity-MNEMONIC:description
Item in Syslog Message | Definition |
seq no | Sequence number. Stamped only if the service sequence-numbers global configuration command is configured |
timestamp | Date and time of the message. Appears only if the service timestamps log datetime global configuration command is configured |
facility | The facility to which the message refers (SNMP, SYS, and so on) |
severity | Single-digit code from 0 to 7 that defines the severity of the message (see Table 22-1 for descriptions of the levels) |
MNEMONIC | String of text that uniquely defines the message |
description | String of text that contains detailed information about the event being reported |
Syslog Severity Levels
Table 22-1 shows the eight levels of severity in logging messages.
Table 22-1 Syslog Severity Levels
Level # | Level Name | Description |
0 | Emergencies | System unusable |
1 | Alerts | Immediate action needed |
2 | Critical | Critical conditions |
3 | Errors | Error conditions |
4 | Warnings | Warning conditions |
5 | Notifications | Normal but significant conditions |
6 | Informational | Informational messages (default level) |
7 | Debugging | Debugging messages |
Setting a level means you will get that level and everything numerically below it. Level 6 means you will receive messages for levels 0 through 6.
Syslog Message Example
The easiest syslog message to use as an example is the one that shows up every time you exit from global configuration mode back to privileged EXEC mode. You have just finished entering a command, and you want to save your work, but after you type exit you see something like this:
Edmonton(config)# exit
Edmonton#
*Jun 23:22:45:20.878: %SYS-5-CONFIG_I: Configured from console by console
Edmonton#
(Your output will differ depending on whether you have sequence numbers or time/date stamps configured.)
So what does this all mean?
No sequence number is part of this message.
The message occurred at June 23, at 22:45:20.878 (or 10:45 PM, and 20.878 seconds).
It is a SYS (system) facility message, and it is level 5 (a notification).
It is a config message; specifically, the configuration occurred from the console.
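To put the message format and Table 22-1 to work, the following Python is an added example (not from the original guide): it parses IOS-formatted lines into their fields and applies the logging trap rule, under which a server receives the configured level and everything numerically below it. The console capture is constructed; only the CONFIG_I line is the message shown above.

```python
import re
from typing import NamedTuple, Optional
# Severity names from Table 22-1, indexed by level (0 = most severe).
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
_BODY = re.compile(r"^([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")

class IosSyslog(NamedTuple):
    seq: Optional[int]        # only with 'service sequence-numbers'
    timestamp: Optional[str]  # only with 'service timestamps log ...'
    facility: str
    severity: int
    mnemonic: str
    description: str

def parse_ios_syslog(line):
    """Parse 'seq no:timestamp: %FACILITY-SEVERITY-MNEMONIC: description'; both
    prefixes are optional. Returns None for non-message text such as CLI prompts."""
    head, sep, body = line.strip().partition("%")
    m = _BODY.match(body) if sep else None
    if not m:
        return None
    seq, head = None, head.strip()
    sm = re.match(r"^(\d+):\s+(.*)$", head)  # '000045: ' prefix, never an uptime stamp
    if sm:
        seq, head = int(sm.group(1)), sm.group(2)
    ts = head.strip().rstrip(":").strip() or None
    return IosSyslog(seq, ts, m.group(1), int(m.group(2)), m.group(3), m.group(4))

def trap_level(x):
    """Resolve the 'logging trap x' argument: a number 0-7 or a level name."""
    level = int(x) if str(x).isdigit() else SEVERITY_NAMES.index(str(x).lower())
    if not 0 <= level <= 7:
        raise ValueError(f"trap level out of range: {x!r}")
    return level

def forwarded_to_server(lines, trap):
    """Messages a server receives under 'logging trap <trap>': that level and below."""
    limit = trap_level(trap)
    parsed = (parse_ios_syslog(l) for l in lines)
    return [m for m in parsed if m is not None and m.severity <= limit]

# Constructed console capture; the CONFIG_I line is the message shown on this page.
SAMPLE = [
    "Edmonton#",
    "*Jun 23:22:45:20.878: %SYS-5-CONFIG_I: Configured from console by console",
    "000045: *Jun 23 22:46:01.102: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 172.16.20.9] [localport: 22] [Reason: Login Authentication Failed]",
]
```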
Device Hardening
Device security is critical to network security. A compromised device can cause the network to be compromised on a larger scale. The following sections deal with different ways to secure your Cisco IOS devices.
Configuring Passwords
These commands work on both routers and switches.
Edmonton(config)# enable password cisco | Sets the enable password to cisco. This password is stored as clear text |
Edmonton(config)# enable secret class | Sets the enable secret password to class. This password is stored using a cryptographic hash function (SHA-256) |
Edmonton(config)# line console 0 | Enters console line mode |
Edmonton(config-line)# password console | Sets the console line mode password to console |
Edmonton(config-line)# login | Enables password checking at login |
Edmonton(config)# line vty 0 4 | Enters the vty line mode for all five vty lines |
Edmonton(config-line)# password telnet | Sets the vty password to telnet |
Edmonton(config-line)# login | Enables password checking at login |
Edmonton(config)# line aux 0 | Enters auxiliary line mode |
Edmonton(config-line)# password backdoor | Sets auxiliary line mode password to backdoor |
Edmonton(config-line)# login | Enables password checking at login |
The enable password is not encrypted; it is stored as clear text. For this reason, recommended practice is that you never use the enable password command. Use only the enable secret password command in a router or switch configuration.
You can set both enable secret password and enable password to the same password. However, doing so defeats the use of encryption.
Line passwords are stored as clear text. They should be encrypted using the service password-encryption command at a bare minimum. However, this encryption method is weak and easily reversible. It is therefore recommended to enable authentication using the username command with the secret option, because the password option of the username command still stores the password in clear text.
The best place to store passwords is on an external authentication, authorization, and accounting (AAA) server.
Password Encryption
Edmonton(config)# service password-encryption | Applies weak type 7 (Vigenère cipher) encryption to passwords |
Edmonton(config)# enable password cisco | Sets the enable password to cisco |
Edmonton(config)# line console 0 | Moves to console line mode |
Edmonton(config-line)# password cisco | Continue setting passwords as above |
… | |
Edmonton(config)# no service password-encryption | Turns off password encryption |
If you have turned on service password encryption, used it, and then turned it off, any passwords that you have encrypted stay encrypted. New passwords remain unencrypted.
The service password-encryption command works on the following passwords:
Username
Authentication key
Privileged command
Console
Virtual terminal line access
BGP neighbors
Passwords using this encryption are shown as type 7 passwords in the router configuration:
Edmonton# show running-config
<output omitted>
enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts   (4 signifies SHA-256 hash)
<output omitted>
line con 0
 password 7 00271A5307542A02D22842   (7 signifies Vigenere cipher)
line vty 0 4
 password 7 00271A5307542A02D22842   (7 signifies Vigenere cipher)
<output omitted>
R1#
Password Encryption Algorithm Types
There are different algorithm types available to hash a password in Cisco IOS:
Type 4: Specifies a SHA-256 encrypted secret string
Deprecated due to a software bug that allowed this password to be viewed in plaintext under certain conditions
Type 5: Specifies a message digest algorithm 5 (MD5) encrypted secret
Type 8: Specifies a Password-Based Key Derivation Function 2 with SHA-256 hashed secret (PBKDF2 with SHA-256)
Type 9: Specifies a scrypt hashed secret (SCRYPT)
Configure all secret passwords using type 8 or type 9.
Edmonton(config)# username demo8 algorithm-type sha256 secret cisco | Generates a password encrypted with a type 8 algorithm |
Edmonton(config)# username demo9 algorithm-type scrypt secret cisco | Generates a password encrypted with a type 9 algorithm |
Type 5, 8, and 9 passwords are not reversible.
If you configure type 8 or type 9 passwords and then downgrade to an IOS release that does not support them, you must configure type 5 passwords before downgrading. If you do not, you are locked out of the device and a password recovery is required.
Configuring SSH
Although Telnet is the default way of accessing a router, it is the least secure way. Secure Shell (SSH) provides an encrypted alternative for accessing a router.
SSH Version 1 implementations have known security issues. It is recommended to use SSH Version 2 whenever possible.
The device name cannot be the default Switch (on a switch) or Router (on a router). Use the hostname command to configure a new host name of the device.
The Cisco implementation of SSH requires Cisco IOS Software to support Rivest, Shamir, Adleman (RSA) authentication and minimum Data Encryption Standard (DES) encryption (a cryptographic software image).
Edmonton(config)# username Roland password tower | Creates a locally significant username/password combination. These are the credentials you must enter when connecting to the router with SSH client software |
Edmonton(config)# username Roland privilege 15 secret tower | Creates a locally significant username of Roland with privilege level 15. Assigns a secret password of tower |
Edmonton(config)# ip domain-name test.lab | Creates a host domain for the router |
Edmonton(config)# crypto key generate rsa modulus 2048 | Enables the SSH server for local and remote authentication on the router and generates an RSA key pair. The number of modulus bits on the command line is 2048. The size of the key modulus is 360 to 4096 bits |
Edmonton(config)# ip ssh version 2 | Enables SSH version 2 on the device. To work, SSH requires a local username database, a local IP domain, and an RSA key to be generated |
Edmonton(config)# line vty 0 4 | Moves to vty configuration mode for all five vty lines of the router. Depending on the IOS release and platform, there may be more than five vty lines |
Edmonton(config-line)# login local | Enables password checking on a per-user basis. The username and password will be checked against the data entered with the username global configuration command |
Edmonton(config-line)# transport input ssh | Limits remote connectivity to SSH connections only—disables Telnet |
Verifying SSH
Edmonton# show ip ssh | Verifies that SSH is enabled |
Edmonton# show ssh | Checks the SSH connection to the device |
Restricting Virtual Terminal Access
Edmonton(config)# access-list 2 permit host 172.16.10.2 | Permits the host with source address 172.16.10.2 to Telnet/SSH into this router, based on where this ACL is applied |
Edmonton(config)# access-list 2 permit 172.16.20.0 0.0.0.255 | Permits anyone from the 172.16.20.x address range to Telnet/SSH into this router, based on where this ACL is applied. The implicit deny statement restricts anyone else from being permitted to Telnet/SSH |
Edmonton(config)# access-list 2 deny any log | Any packets that are denied by this ACL are logged for review at a later time. This line is used instead of the implicit deny line |
Edmonton(config)# line vty 0 4 | Moves to vty line configuration mode. Depending on the IOS release and platform, there may be more than five vty lines |
Edmonton(config-line)# access-class 2 in | Applies this ACL to all vty virtual interfaces in an inbound direction |
When restricting access on vty lines, use the access-class command rather than the access-group command, which is used when applying an ACL to a physical interface.
Do not apply an ACL intended to restrict vty traffic on a physical interface. If you apply it to a physical interface, every packet is compared to the ACL before it can continue on its path to its destination. This can lead to a large reduction in router performance. An ACL on a physical interface also has to specify the SSH or Telnet port number that you are trying to deny, in addition to identifying all the router's addresses that you could potentially SSH/Telnet to.
Disabling Unneeded Services
Services that are not being used on a router can represent a potential security risk. If you do not need a specific service, you should disable it.
If a service is off by default, the command that disables it does not appear in the running configuration.
Do not assume that a service is disabled by default; you should explicitly disable all unneeded services, even if you think they are already disabled.
Depending on the IOS Software release, some services are on by default; some are off. Be sure to check the IOS configuration guide for your specific software release to determine the default state of the service.
Table 22-2 lists the services that you should disable if you are not using them.
Table 22-2 Disabling Unneeded Services
Service | Command Used to Disable Service |
DNS name resolution | Edmonton(config)# no ip domain-lookup |
Cisco Discovery Protocol (CDP) (globally) | Edmonton(config)# no cdp run |
CDP (on a specific interface) | Edmonton(config-if)# no cdp enable |
Network Time Protocol (NTP) | Edmonton(config-if)# ntp disable |
BOOTP server | Edmonton(config)# no ip bootp server |
Dynamic Host Configuration Protocol (DHCP) | Edmonton(config)# no service dhcp |
Proxy Address Resolution Protocol (ARP) | Edmonton(config-if)# no ip proxy-arp |
IP source routing | Edmonton(config)# no ip source-route |
IP redirects | Edmonton(config-if)# no ip redirects |
HTTP service | Edmonton(config)# no ip http server |