Secure Router Management

Managing Cisco IOS Software Image:
Periodically, the router requires updates to be loaded to either the operating system or the configuration file. These updates are necessary to fix known security vulnerabilities, support new features that allow more advanced security policies, or improve performance.
Note: It is not always a good idea to upgrade to the very latest version of Cisco IOS software. Many times that release is not stable.
There are certain guidelines that you must follow when changing the Cisco IOS software on a router. Changes are classified as either updates or upgrades. An update replaces one release with another without upgrading the feature set. The software might be updated to fix a bug or to replace a release that is no longer supported. Updates are free.
An upgrade replaces a release with one that has an upgraded feature set. The software might be upgraded to add new features or technologies, or to replace a release that is no longer supported. Upgrades are not free. Guidelines are available to assist in determining which method applies.
Cisco recommends following a four-phase migration process to simplify network operations and management. When you follow a repeatable process, you can also benefit from reduced costs in operations, management, and training. The four phases are:
Plan-Set goals, identify resources, profile network hardware and software, and create a preliminary schedule for migrating to new releases.
Design-Choose new Cisco IOS releases and create a strategy for migrating to the releases.
Implement-Schedule and execute the migration.
Operate-Monitor the migration progress and make backup copies of images that are running on your network.
There are a number of tools available to aid in migrating Cisco IOS software. You can use the tools to get information about releases, feature sets, platforms, and images. The following tools do not require a login:
Cisco IOS Reference Guide-Covers the basics of the Cisco IOS software family
Cisco IOS software technical documents-Documentation for each release of Cisco IOS software
Software Center-Cisco IOS software downloads
Cisco IOS Software Selector-Finds required features for a given technology
The following tools require valid login accounts:
Bug Toolkit-Searches for known software fixes based on software version, feature set, and keywords
Cisco Feature Navigator-Finds releases that support a set of software features and hardware, and compares releases
Software Advisor-Compares releases, matches Cisco IOS software and Cisco Catalyst OS features to releases, and finds out which software release supports a given hardware device
Cisco IOS Upgrade Planner-Finds releases by hardware, release, and feature set, and downloads images of Cisco IOS software

Cisco IOS File Systems and Devices

The availability of the network can be at risk if a router configuration or operating system is compromised. Attackers who gain access to infrastructure devices can alter or delete configuration files. They can also upload incompatible IOS images or delete the IOS image. The changes are invoked automatically or invoked once the device is rebooted.
To mitigate against these problems, you have to be able to save, back up, and restore configuration and IOS images. To do so, you learn how to carry out a few file management operations in Cisco IOS software.
Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform.
For instance, the figure displays the output of the show file systems command, which lists all of the available file systems on a Cisco 1841 router. This command provides useful information such as the amount of available and free memory, the type of each file system, and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw).
Although there are several file systems listed, of interest to us will be the tftp, flash and nvram file systems. The remainder of the file systems listed are beyond the scope of this course.
Network file systems include using FTP, trivial FTP (TFTP), or Remote Copy Protocol (RCP). This course focuses on TFTP.
Notice that the flash file system also has an asterisk preceding it, which indicates that this is the current default file system. Recall that the bootable IOS is located in flash; therefore the pound symbol (#) appended to the flash listing indicates that this is a bootable disk.
To view the contents of NVRAM, you must change the current default file system using the cd change directory command. The pwd present working directory command verifies that we are located in the NVRAM directory. Finally, the dir command lists the contents of NVRAM. Although there are several configuration files listed, of specific interest to us is the startup-configuration file.

URL Prefixes for Cisco Devices
When a network administrator wants to move files around on a computer, the operating system offers a visible file structure to specify sources and destinations. Administrators do not have visual cues when working at a router CLI. The show file systems command in the previous topic displayed the various file systems available on the Cisco 1841 platform.
File locations are specified in Cisco IFS using the URL convention. The URLs used by Cisco IOS platforms look similar to the format you know from the web.
For instance, the TFTP example in the figure is: tftp://
The expression "tftp:" is called the prefix.
Everything after the double-slash (//) defines the location. The server address shown in the figure is the location of the TFTP server.
"configs" is the master directory.
"backup-configs" is the filename.
The URL prefix specifies the file system. Scroll over the various buttons in the figure to view common prefixes and syntax associated to each.

Commands for Managing Configuration Files
Good practice for maintaining system availability is to ensure you always have backup copies of the startup configuration files and IOS image files. The Cisco IOS software copy command is used to move configuration files from one component or device to another, such as RAM, NVRAM, or a TFTP server. The figure highlights the command syntax.
The following provides examples of common copy command use. Each task is shown in two ways: the first uses the simple syntax and the second uses the more explicit syntax that names the file system.
Copy the running configuration from RAM to the startup configuration in NVRAM:
R2# copy running-config startup-config
R2# copy system:running-config nvram:startup-config

Copy the running configuration from RAM to a remote location:
R2# copy running-config tftp:
R2# copy system:running-config tftp:

Copy a configuration from a remote source to the running configuration:
R2# copy tftp: running-config
R2# copy tftp: system:running-config

Copy a configuration from a remote source to the startup configuration:
R2# copy tftp: startup-config
R2# copy tftp: nvram:startup-config
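The URL prefixes and copy commands above share one addressing scheme. The following is an added example, not code from the course: a small parser for Cisco IFS-style URLs that handles the two shapes shown on the page (prefix:path such as nvram:startup-config, and prefix://host/dir/file such as the tftp example), expands the running-config and startup-config shorthand to the explicit names the page gives for them, and labels a copy as a backup, a restore or a local save. The host address and paths in the examples are constructed; the only prefixes known to the parser are the ones the page names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the course text): parse Cisco IFS URLs of the forms
#   prefix:path             e.g. nvram:startup-config, system:running-config
#   prefix://host/dir/file  e.g. tftp://<server>/configs/backup-configs
# Sample hosts/paths used with it are constructed for illustration.

# Prefixes that name a network file system and therefore may carry a //host part.
NETWORK_PREFIXES = {"tftp", "ftp", "rcp"}
# Local file systems named on the page; others are platform dependent.
LOCAL_PREFIXES = {"flash", "nvram", "system"}
# Shorthand names and their explicit equivalents, as given in the copy examples.
SHORTHAND = {
    "running-config": "system:running-config",
    "startup-config": "nvram:startup-config",
}

@dataclass
class IfsUrl:
    prefix: str
    host: Optional[str]   # None for local file systems; "" when IOS will prompt for it
    path: str             # directories and filename after the host, may be empty

    @property
    def filename(self) -> str:
        return self.path.rsplit("/", 1)[-1]

    @property
    def directory(self) -> str:
        return self.path.rsplit("/", 1)[0] if "/" in self.path else ""

_URL_RE = re.compile(r"^(?P<prefix>[a-z0-9_-]+):(?://(?P<host>[^/]*))?(?P<path>.*)$")

def parse_ifs_url(url: str) -> IfsUrl:
    """Split a Cisco IFS URL into prefix, host and path."""
    url = SHORTHAND.get(url, url)
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not a Cisco IFS URL: {url!r}")
    prefix, host, path = m.group("prefix"), m.group("host"), m.group("path")
    if host is not None:
        # Network form: only network file systems take a //host part.
        if prefix not in NETWORK_PREFIXES:
            raise ValueError(f"{prefix}: is not a network file system")
        path = path.lstrip("/")
    elif prefix in NETWORK_PREFIXES:
        # "copy running-config tftp:" is legal; IOS prompts for host and filename.
        host = ""
    return IfsUrl(prefix=prefix, host=host, path=path)

def classify_copy(src: str, dst: str) -> str:
    """Label a copy the way the page describes them: to a network server is a
    backup, from a network server is a restore, anything else is a local save."""
    s, d = parse_ifs_url(src), parse_ifs_url(dst)
    if d.prefix in NETWORK_PREFIXES:
        return "backup"
    if s.prefix in NETWORK_PREFIXES:
        return "restore"
    return "local"

if __name__ == "__main__":
    # Constructed TFTP address; not the figure's value.
    u = parse_ifs_url("tftp://192.0.2.10/configs/backup-configs")
    print(u.prefix, u.host, u.directory, u.filename)
    print(classify_copy("running-config", "tftp:"))
```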

Cisco IOS File Naming Conventions
The Cisco IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning. It is important that you understand this naming convention when upgrading and selecting an IOS.
For example, the filename in the figure is explained as follows:
The first part, c1841, identifies the platform on which the image runs. In this example, the platform is a Cisco 1841.
The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities include:

i - Designates the IP feature set
j - Designates the enterprise feature set (all protocols)
s - Designates a PLUS feature set (extra queuing, manipulation, or translations)
56i - Designates 56-bit IPsec DES encryption
3 - Designates the firewall/IDS
k2 - Designates the 3DES IPsec encryption (168 bit)
The third part, mz, indicates where the image runs and if the file is compressed. In this example, "mz" indicates that the file runs from RAM and is compressed.
The fourth part, 12.3-14.T7, is the version number.
The final part, bin, is the file extension. The .bin extension indicates that this is a binary executable file.
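As an added example (not code from the course), the parser below decodes an image filename into the parts explained above and checks the platform part against the router model before an image is loaded. The sample filename is constructed to carry the page's parts (c1841, ipbase, mz, version 12.3-14.T7, bin); real image names write the release without the dot, so the constructed name is c1841-ipbase-mz.123-14.T7.bin and the parser rebuilds the page's 12.3-14.T7 form. The feature-set codes are the ones listed above; the execution-area and compression letters other than "mz" are standard Cisco conventions that the page does not list and are included here as an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added example (not from the course text): decode Cisco IOS image filenames.
# Constructed sample built from the parts the page describes.
SAMPLE_IMAGE = "c1841-ipbase-mz.123-14.T7.bin"

# Feature-set codes listed on the page; longer codes are matched first.
FEATURE_CODES = {
    "56i": "56-bit IPsec DES encryption",
    "k2": "3DES IPsec encryption (168 bit)",
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set (extra queuing, manipulation, or translations)",
    "3": "firewall/IDS",
}
# Whole-word feature set names; the page's example is ipbase.
FEATURE_NAMES = {"ipbase": "basic IP internetworking image"}

# Where the image runs and how it is compressed. The page explains only "mz"
# (runs from RAM, compressed); the other letters are the usual Cisco convention
# and are an assumption of this example.
RUN_AREA = {"f": "flash", "m": "RAM", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip compressed", "x": "mzip compressed", "w": "stac compressed"}

@dataclass
class IosImage:
    platform: str
    feature_set: str
    run_area: str
    compression: str
    version: str
    extension: str
    feature_set_desc: List[str] = field(default_factory=list)

_NAME_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<runarea>[a-z]+)\."
    r"(?P<version>[0-9]+-[A-Za-z0-9.]+)\.(?P<ext>[a-z]+)$"
)

def decode_feature_set(token: str) -> List[str]:
    """Expand a feature-set token: known whole names first, then codes
    longest-first; anything unrecognised is reported, not guessed."""
    desc, rest = [], token
    for name, meaning in FEATURE_NAMES.items():
        if rest.startswith(name):
            desc.append(meaning)
            rest = rest[len(name):]
    codes = sorted(FEATURE_CODES, key=len, reverse=True)
    while rest:
        for code in codes:
            if rest.startswith(code):
                desc.append(FEATURE_CODES[code])
                rest = rest[len(code):]
                break
        else:
            desc.append(f"unknown code {rest[0]!r}")
            rest = rest[1:]
    return desc

def parse_ios_filename(name: str) -> IosImage:
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"does not follow the IOS naming convention: {name!r}")
    ra = m.group("runarea")
    run_area = RUN_AREA.get(ra[0], f"unknown ({ra[0]})")
    compression = "uncompressed" if len(ra) == 1 else COMPRESSION.get(ra[1:], f"unknown ({ra[1:]})")
    # "123-14.T7" -> "12.3-14.T7": the last digit before the dash is the minor release.
    major_minor, _, rest = m.group("version").partition("-")
    version = f"{major_minor[:-1]}.{major_minor[-1]}-{rest}"
    return IosImage(
        platform=m.group("platform"),
        feature_set=m.group("features"),
        run_area=run_area,
        compression=compression,
        version=version,
        extension=m.group("ext"),
        feature_set_desc=decode_feature_set(m.group("features")),
    )

def image_matches_platform(name: str, platform: str) -> bool:
    """Compare the platform part with the router model before loading an
    image; a wrong image can leave the router unbootable."""
    return parse_ios_filename(name).platform == platform.lower()

if __name__ == "__main__":
    print(parse_ios_filename(SAMPLE_IMAGE))
    print(image_matches_platform(SAMPLE_IMAGE, "c1841"))
```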
Using TFTP Servers to Manage IOS Images

Production internetworks usually span wide areas and contain multiple routers. It is an important task of an administrator to routinely upgrade Cisco IOS images whenever exploits and vulnerabilities are discovered. It is also a sound practice to ensure that all of your platforms are running the same version of Cisco IOS software whenever possible. Finally, for any network, it is always prudent to retain a backup copy of the Cisco IOS software image in case the system image in the router becomes corrupted or accidentally erased.
Widely distributed routers need a source or backup location for Cisco IOS software images. Using a network TFTP server allows image and configuration uploads and downloads over the network. The network TFTP server can be another router, a workstation, or a host system.
As any network grows, storage of Cisco IOS software images and configuration files on the central TFTP server enables control of the number and revision level of Cisco IOS images and configuration files that must be maintained.
Before changing a Cisco IOS image on the router, you need to complete these tasks:
Determine the memory required for the update and, if necessary, install additional memory.
Set up and test the file transfer capability between the administrator host and the router.
Schedule the required downtime, normally outside of business hours, for the router to perform the update.
When you are ready to do the update, carry out these steps:
Shut down all interfaces on the router not needed to perform the update.
Back up the current operating system and the current configuration file to a TFTP server.
Load the update for either the operating system or the configuration file.
Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.

A great challenge for network operators is to minimize the downtime after a router has been compromised and the operating software and configuration data have been erased from persistent storage. The operator must retrieve an archived copy (if one exists) of the configuration and restore a working image to the router. Recovery must then be performed for each affected router, which adds to the total network downtime.
Bear in mind that the Cisco IOS software resilient configuration feature enables a router to secure and maintain a working copy of the running operating system image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).

Backing Up IOS Software Image
Basic management tasks include saving backups of your configuration files as well as downloading and installing upgraded configuration files when directed. A software backup image file is created by copying the image file from a router to a network TFTP server.
To copy a Cisco IOS image software from flash memory to the network TFTP server, you should follow these suggested steps.
Step 1. Ping the TFTP server to make sure you have access to it.
Step 2. Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS software image. Use the show flash: command on the router to determine the size of the Cisco IOS image file.
The show flash: command is an important tool to gather information about the router memory and image file. It can determine the following:
Total amount of flash memory on the router
Amount of flash memory available
Name of all the files stored in the flash memory
With steps 1 and 2 completed, now back up the software image.
Step 3. Copy the current system image file from the router to the network TFTP server, using the copy flash: tftp: command in privileged EXEC mode. The command requires you to enter the IP address of the remote host and the names of the source and destination system image files.
During the copy process, exclamation points (!) indicate the progress. Each exclamation point signifies that one UDP segment has successfully transferred.

Upgrading IOS Software Images
Upgrading a system to a newer software version requires a different system image file to be loaded on the router. Use the copy tftp: flash: command to download the new image from the network TFTP server.
The command prompts you for the IP address of the remote host and the name of the source and destination system image file. Enter the appropriate filename of the update image just as it appears on the server.
After these entries are confirmed, the Erase flash: prompt appears. Erasing flash memory makes room for the new image. Erase flash memory if there is not sufficient flash memory for more than one Cisco IOS image. If no free flash memory is available, the erase routine is required before new files can be copied. The system informs you of these conditions and prompts for a response.
Each exclamation point (!) means that one UDP segment has successfully transferred.
Note: Make sure that the Cisco IOS image loaded is appropriate for the router platform. If the wrong Cisco IOS image is loaded, the router could be made unbootable, requiring ROM monitor (ROMmon) intervention.
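Both the backup steps and the upgrade steps above turn on two numbers from show flash: the size of the current image and the free space left. The following is an added example, not code from the course: it parses show flash: output into file sizes and the bytes-available summary, checks whether the TFTP server has room for the backup (Step 2), and decides whether the Erase flash: prompt will have to be answered because the new image does not fit beside the existing files. The output is constructed to resemble a Cisco 1841 and is not the page's figure.

```python
import re

# Added example (not from the course text). Constructed "show flash:" output
# in the usual 1841 layout; sizes and dates are made up for illustration.
SAMPLE_SHOW_FLASH = """\
-#- --length-- -----date/time------ path
1     13832032 Mar 01 2009 00:02:18 +00:00 c1841-ipbase-mz.123-14.T7.bin
2         2181 Mar 01 2009 00:05:44 +00:00 sdmconfig-18xx.cfg
3         1038 Mar 01 2009 00:06:10 +00:00 home.shtml

19679232 bytes available (13875200 bytes used)
"""

# A file row starts with an index, then the length; the path is the last token.
_FILE_RE = re.compile(r"^\s*\d+\s+(?P<length>\d+)\s+.*?\s(?P<name>\S+)\s*$")
_SUMMARY_RE = re.compile(r"^(?P<avail>\d+) bytes available \((?P<used>\d+) bytes used\)")

def parse_show_flash(text: str) -> dict:
    """Return {'files': {name: bytes}, 'available': n, 'used': n, 'total': n}."""
    files, available, used = {}, None, None
    for line in text.splitlines():
        m = _SUMMARY_RE.match(line.strip())
        if m:
            available, used = int(m["avail"]), int(m["used"])
            continue
        m = _FILE_RE.match(line)
        if m:
            files[m["name"]] = int(m["length"])
    if available is None:
        raise ValueError("no 'bytes available' summary found in show flash: output")
    return {"files": files, "available": available, "used": used,
            "total": available + used}

def ios_images(flash: dict) -> dict:
    """Image files are the .bin entries; config and web files are not images."""
    return {n: s for n, s in flash["files"].items() if n.endswith(".bin")}

def tftp_server_has_room(flash: dict, image: str, server_free_bytes: int) -> bool:
    """Backup Step 2: the server must be able to hold the image being copied."""
    return flash["files"][image] <= server_free_bytes

def erase_required(flash: dict, new_image_bytes: int) -> bool:
    """Upgrade: the Erase flash: prompt must be answered only when the new
    image will not fit in the space currently available."""
    return new_image_bytes > flash["available"]

if __name__ == "__main__":
    flash = parse_show_flash(SAMPLE_SHOW_FLASH)
    for name, size in ios_images(flash).items():
        print(f"{name}: {size} bytes")
    print("free:", flash["available"], "of", flash["total"])
    # 23 MB is a constructed size for a larger feature-set image.
    print("erase needed for 23 MB image:", erase_required(flash, 23_000_000))
```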

Restoring IOS Software Images
A router cannot function without its Cisco IOS software. Should the IOS be deleted or become corrupt, an administrator must copy an image to the router for it to become operational again.
One method to accomplish this would be to use the Cisco IOS image that was previously saved to the TFTP server. In the example in the figure, the IOS image on R1 was backed up to a TFTP server connected to R2. R1 is not able to reach that TFTP server in its current state.
When an IOS on a router is accidentally deleted from flash, the router is still operational because the IOS is running in RAM. However, it is crucial that the router is not rebooted at this time since it would not be able to find a valid IOS in flash.
In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS. It is now loading the ROMmon prompt by default. While in this state, router R1 needs to retrieve the IOS which was previously copied to the TFTP server connected to R2. In this scenario, the TFTP server will be directly connected to router R1. Having made preparations with the TFTP server, carry out the following procedure.
Step 1. Connect the devices.
Connect the PC of the system administrator to the console port on the affected router.
Connect the TFTP server to the first Ethernet port on the router. In the figure, R1 is a Cisco 1841, therefore the port is Fa0/0. Enable the TFTP server and configure it with a static IP address.
Step 2. Boot the router and set the ROMmon variables.
Because the router does not have a valid Cisco IOS image, the router boots automatically into ROMmon mode. There are very few commands available in ROMmon mode. You can view these commands by typing ? at the rommon> command prompt.
You must enter all of the variables listed in the figure. When you enter the ROMmon variables, be aware of the following:
Variable names are case sensitive.
Do not include any spaces before or after the = symbol.
Where possible, use a text editor to cut and paste the variables into the terminal window. The full line must be typed accurately.
Navigational keys are not operational.
Router R1 must now be configured with the appropriate values to connect to the TFTP server. The syntax of the ROMmon commands is very crucial. Although the IP addresses, subnet mask, and image name in the figure are only examples, it is vital that the syntax displayed be followed when configuring the router. Keep in mind that the actual variables will vary depending on your configuration.
When you have entered the variables, proceed to the next step.
Step 3. Enter the tftpdnld command at the ROMmon prompt.
The command displays the required environment variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter. The router attempts to connect to the TFTP server to initiate the download. When connected, the download begins, as indicated by exclamation marks (!). Each ! indicates that one UDP segment has been received by the router.
You can use the reset command to reload the router with the new Cisco IOS image.
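The rules for entering ROMmon variables (Step 2 above) are easy to break by hand, which is why the page suggests pasting prepared text. The following is an added example, not code from the course: it builds the block of variable lines to paste and checks typed lines against the rules (case-sensitive names, no spaces around =, a value on every line). The variable names are the standard ROMmon names used with tftpdnld (IP_ADDRESS, IP_SUBNET_MASK, DEFAULT_GATEWAY, TFTP_SERVER, TFTP_FILE); the figure's actual values are not on the page, so the addresses and image name below are constructed.

```python
import ipaddress
from typing import List

# Added example (not from the course text). Standard ROMmon variable names
# consumed by tftpdnld; the values passed in the demo are constructed.
REQUIRED_VARS = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY",
                 "TFTP_SERVER", "TFTP_FILE")

def _ipv4(name: str, value: str) -> ipaddress.IPv4Address:
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        raise ValueError(f"{name} must be a dotted-quad IPv4 address, got {value!r}")

def build_rommon_vars(ip: str, mask: str, gateway: str, server: str, image: str) -> List[str]:
    """Return the exact lines to paste at the rommon> prompt, one per variable,
    in NAME=value form with no spaces, after checking the addresses."""
    router = _ipv4("IP_ADDRESS", ip)
    gw = _ipv4("DEFAULT_GATEWAY", gateway)
    srv = _ipv4("TFTP_SERVER", server)
    try:
        # Rejects non-contiguous masks such as 255.255.0.255.
        net = ipaddress.IPv4Network(f"{router}/{mask}", strict=False)
    except ValueError:
        raise ValueError(f"IP_SUBNET_MASK is not a valid netmask: {mask!r}")
    if srv not in net and gw not in net:
        # The page's scenario connects the server directly; otherwise the
        # gateway must at least be reachable on the router's own subnet.
        raise ValueError("TFTP_SERVER is off-subnet and DEFAULT_GATEWAY is not on the subnet")
    if not image or any(c.isspace() for c in image):
        raise ValueError("TFTP_FILE must be a single filename without spaces")
    values = (str(router), mask, str(gw), str(srv), image)
    return [f"{name}={value}" for name, value in zip(REQUIRED_VARS, values)]

def check_rommon_line(line: str) -> List[str]:
    """Return the problems in one typed line; empty when it follows the rules."""
    stripped = line.strip()
    if "=" not in stripped:
        return ["missing '='"]
    name, _, value = stripped.partition("=")
    problems = []
    if name != name.strip() or value != value.strip():
        problems.append("spaces around '='")
    name, value = name.strip(), value.strip()
    if name not in REQUIRED_VARS:
        if name.upper() in REQUIRED_VARS:
            problems.append(f"{name} is the wrong case; ROMmon names are case sensitive")
        else:
            problems.append(f"{name} is not a tftpdnld variable")
    if not value:
        problems.append(f"{name} has no value")
    return problems

if __name__ == "__main__":
    # Constructed addresses and image name; substitute your own.
    lines = build_rommon_vars("192.0.2.2", "255.255.255.0", "192.0.2.1",
                              "192.0.2.10", "c1841-ipbase-mz.123-14.T7.bin")
    print("\n".join(lines))   # paste this block, then run tftpdnld
    print(check_rommon_line("ip_address = 192.0.2.2"))
```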

Using Xmodem to Restore an IOS Image

Using the tftpdnld command is a very quick way of copying the image file. Another method for restoring a Cisco IOS image to a router is by using Xmodem. However, the file transfer is accomplished using the console cable and is therefore very slow when compared to the tftpdnld command.
If the Cisco IOS image is lost, the router goes into ROMmon mode when it boots up. ROMmon supports Xmodem. With that capability, the router can communicate with a terminal emulation application, such as HyperTerminal, on the PC of a system administrator. A system administrator who has a copy of the Cisco IOS image on a PC can restore it to the router by making a console connection between the PC and the router and running Xmodem from HyperTerminal.
The steps the administrator follows are shown in the figure.
Step 1. Connect the PC of the system administrator to the console port on the affected router. Open a terminal emulation session between the router R1 and the PC of the system administrator.
Step 2. Boot the router and issue the xmodem command at the ROMmon command prompt.
The command syntax is xmodem [-cyr] [filename]. The options used vary depending on the configuration. For instance, -c specifies CRC-16, -y specifies the Ymodem protocol, and -r copies the image to RAM. The filename is the name of the file to be transferred.
Step 3. The figure shows the process for sending a file using HyperTerminal. In this case, Select Transfer > Send File.
Step 4. Browse to the location of the Cisco IOS image you want to transfer and choose the Xmodem protocol. Click Send. A dialog box appears displaying the status of the download. It takes several seconds before the host and the router begin transferring the information.
As the download begins, the Packet and Elapsed fields increment. Take note of the estimated time remaining indicator. The download time could be dramatically improved if you change the connection speed of HyperTerminal and the router from 9600 b/s to 115000 b/s.
When the transfer is complete, the router automatically reloads with the new Cisco IOS.

Cisco IOS Troubleshooting Commands
When you have a valid Cisco IOS image running on all the routers in the network, and all the configurations are backed up, you can manually tune configurations for individual devices to improve their performance in the network.
Two commands that are extensively used in day-to-day network administration are show and debug. The difference between the two is significant. A show command lists the configured parameters and their values. The debug command allows you to trace the execution of a process. Use the show command to verify configurations. Use the debug command to identify traffic flows through interfaces and router processes.

Using the show Command
The show command displays static information. Use show commands when gathering facts for isolating problems in an internetwork, including problems with interfaces, nodes, media, servers, clients, or applications. You may also use it frequently to confirm that configuration changes have been implemented.
The example in the figure provides a sample output of the show protocols command. The Cisco IOS command guide lists 1,463 show commands. When you are at the command prompt, type show ? for a list of available show commands for the level and mode you are operating.

Using the debug Command
When you configure a router, the commands you enter initiate many more processes than you see in the simple line of code. Therefore, tracing your written configurations line-by-line does not reveal all the possibilities for error. Instead, you need some way of capturing data from the device as each step in a running process is initiated.
By default, the network server sends the output from debug commands and system error messages to the console. Remember that you can redirect debug output to a syslog server.
Note: Debugging output is assigned high priority in the CPU process queue and can therefore interfere with normal production processes on a network. For this reason, use debug commands during quiet hours and only to troubleshoot specific problems.
The debug command displays dynamic data and events. Use debug to check the flow of protocol traffic for problems, protocol bugs, or misconfigurations. The debug command provides a flow of information about the traffic being seen (or not seen) on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data. Use debug commands when operations on the router or network must be viewed to determine if events or packets are working properly.
All debug commands are entered in privileged EXEC mode, and most debug commands take no arguments. To list and see a brief description of all the debugging command options, enter the debug ? command in privileged EXEC mode.
Caution: It is important to turn off debugging when you have finished your troubleshooting. The best way to ensure there are no lingering debugging operations running is to use the no debug all command.
Considerations when using the debug Command
It is one thing to use debug commands to troubleshoot a lab network that lacks end-user application traffic. It is another thing to use debug commands on a production network that users depend on for data flow. Without proper precautions, the impact of a broadly focused debug command could make matters worse.
With proper, selective, and temporary use of debug commands, you can obtain potentially useful information without needing a protocol analyzer or other third-party tool.
Other considerations for using debug commands are as follows:
When the information you need from the debug command has been interpreted and the debug (and any related configuration setting) is finished, the router can resume its faster switching. Problem-solving can then be resumed, a better-targeted action plan created, and the network problem resolved.
Be aware that the debug commands may generate too much data that is of little use for a specific problem. Normally, knowledge of the protocol or protocols being debugged is required to properly interpret the debug outputs.
When using debug troubleshooting tools, be aware that output formats vary with each protocol. Some generate a single line of output per packet, others generate multiple lines of output per packet. Some debug commands generate large amounts of output; others generate only occasional output. Some generate lines of text, and others generate information in field format.

Commands Related to the debug Command

To effectively use debugging tools, you must consider the following:
Impact that a troubleshooting tool has on router performance
Most selective and focused use of the diagnostic tool
How to minimize the impact of troubleshooting on other processes that compete for resources on the network device
How to stop the troubleshooting tool when diagnosing is complete so that the router can resume its most efficient switching
To optimize your efficient use of the debug command, these commands can help you:
The service timestamps command is used to add a time stamp to a debug or log message. This feature can provide valuable information about when debug elements occurred and the duration of time between events.
The show processes command displays the CPU use for each process. This data can influence decisions about using a debug command if it indicates that the production system is already too heavily used for adding a debug command.
The no debug all command disables all debug commands. This command can free up system resources after you finish debugging.
The terminal monitor command displays debug output and system error messages for the current terminal and session. When you Telnet to a device and issue a debug command, you will not see output unless this command is entered.
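The page's advice to consult show processes before adding debug load can be turned into a mechanical pre-check. The following is an added example, not code from the course: it parses the CPU utilization header and the process rows of show processes, reports the busiest processes by runtime, and answers whether starting a debug is prudent. The output is constructed in the usual IOS layout and the 50% threshold is this example's own assumption, not a Cisco figure.

```python
import re
from typing import Dict, List

# Added example (not from the course text). Constructed "show processes"
# output; the utilization figures and process rows are made up.
SAMPLE_SHOW_PROCESSES = """\
CPU utilization for five seconds: 62%/40%; one minute: 58%; five minutes: 55%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
   1 Cwe 6033E7AC           0          1       0 5568/6000   0 Chunk Manager
   2 Csp 60417548        1240     178291       6 2600/3000   0 Load Meter
  83 Mwe 60A3F218        3560      92334      38 7472/9000   0 IP Input
"""

# "five seconds: X%/Y%" is total CPU and the share spent at interrupt level.
_CPU_RE = re.compile(
    r"CPU utilization for five seconds: (?P<five_sec>\d+)%/(?P<interrupt>\d+)%; "
    r"one minute: (?P<one_min>\d+)%; five minutes: (?P<five_min>\d+)%"
)
_ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<qty>\S+)\s+(?P<pc>[0-9A-Fa-f]+)\s+(?P<runtime>\d+)\s+"
    r"(?P<invoked>\d+)\s+(?P<usecs>\d+)\s+(?P<stacks>\d+/\d+)\s+(?P<tty>\d+)\s+(?P<name>.+?)\s*$"
)

def parse_cpu_header(text: str) -> Dict[str, int]:
    """Return the four utilization percentages from the header line."""
    m = _CPU_RE.search(text)
    if not m:
        raise ValueError("no CPU utilization header found")
    return {k: int(v) for k, v in m.groupdict().items()}

def parse_processes(text: str) -> List[dict]:
    """Return one dict per process row (pid, runtime in ms, invoked, name)."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows.append({"pid": int(m["pid"]), "runtime_ms": int(m["runtime"]),
                         "invoked": int(m["invoked"]), "name": m["name"]})
    return rows

def top_processes(text: str, n: int = 5) -> List[str]:
    """Names of the n processes with the most accumulated runtime."""
    rows = sorted(parse_processes(text), key=lambda r: r["runtime_ms"], reverse=True)
    return [r["name"] for r in rows[:n]]

def debug_advisable(cpu: Dict[str, int], max_busy_percent: int = 50) -> bool:
    """Do not add debug load to a router that is already busy: both the
    five-second and one-minute figures must be under the threshold.
    The 50% default is this example's assumption."""
    return cpu["five_sec"] < max_busy_percent and cpu["one_min"] < max_busy_percent

if __name__ == "__main__":
    cpu = parse_cpu_header(SAMPLE_SHOW_PROCESSES)
    print("CPU:", cpu)
    print("busiest:", top_processes(SAMPLE_SHOW_PROCESSES, 2))
    print("safe to debug now:", debug_advisable(cpu))
```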

