<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techinvasion.net &#187; ios</title>
	<atom:link href="http://www.techinvasion.net/tag/ios/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techinvasion.net</link>
	<description></description>
	<lastBuildDate>Sat, 04 Sep 2010 02:02:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
		<item>
		<title>Replace a running config without reloading!</title>
		<link>http://www.techinvasion.net/2008/10/04/replace-a-running-config-without-reloading/</link>
		<comments>http://www.techinvasion.net/2008/10/04/replace-a-running-config-without-reloading/#comments</comments>
		<pubDate>Sat, 04 Oct 2008 17:03:20 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[12.4]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[rollback]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=51</guid>
		<description><![CDATA[The new Cisco IOS 12.4 train has many new features that any engineer will find useful; one of the features that fixes a pain point for me is the new set of config options available in 12.4. Have you ever been in a situation where an entered configuration does not work as expected? Now usually you have [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-family: Courier New;">The new Cisco IOS 12.4 train has many new features that any engineer will find useful; one of the features that fixes a pain point for me is the new set of config options available in 12.4. Have you ever been in a situation where an entered configuration does not work as expected? Usually you have to back out the configuration one command at a time and hope for the best. Sometimes you may even reach a point where you cannot completely remove a configuration without reloading the device; this is sometimes the case when trying to remove subinterfaces. If this is a datacenter or production environment, you may not be able to reload the router.</span><br />
 <span id="more-51"></span></p>
<p><span style="font-family: Courier New;">It is for situations just like these that Cisco changed the configure command. If you have ever used the copy startup-config running-config command, you know that it does not replace what is running but instead merges the two configurations, which often creates a bigger mess.<br />
Cisco has added the “configure replace” command. This command goes through the running configuration line by line, replacing it with the configuration you specify, and makes as many passes as it takes to back out all of the differences so that the running config matches the specified file. The amazing thing about this command is that it does not interrupt the operation of the router, so you can roll back changes without affecting business continuity.<br />
Here is an excerpt from my router running the command to replace the running configuration with the startup configuration:</span></p>
<pre class="prettyprint">Lord_Yu# configure replace ?
  archive:  URL of config file that will replace running-config
  cns:      URL of config file that will replace running-config
  flash:    URL of config file that will replace running-config
  ftp:      URL of config file that will replace running-config
  http:     URL of config file that will replace running-config
  https:    URL of config file that will replace running-config
  null:     URL of config file that will replace running-config
  nvram:    URL of config file that will replace running-config
  pram:     URL of config file that will replace running-config
  rcp:      URL of config file that will replace running-config
  scp:      URL of config file that will replace running-config
  snmp:     URL of config file that will replace running-config
  system:   URL of config file that will replace running-config
  tftp:     URL of config file that will replace running-config
  xmodem:   URL of config file that will replace running-config
  ymodem:   URL of config file that will replace running-config

Lord_Yu# configure replace nv
Lord_Yu# configure replace nvram:?
nvram:ifIndex-table   nvram:persistent-data  nvram:private-config
nvram:startup-config

Lord_Yu# configure replace nvram:sta
Lord_Yu# configure replace nvram:startup-config ?
  force       Forcibly replace without prompting for user input
  ignorecase  Ignore case
  list        List the commands applied in each pass
  time        Time for which to wait for confirmation

Lord_Yu# configure replace nvram:startup-config
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Total number of passes: 0
Rollback Done</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/10/04/replace-a-running-config-without-reloading/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encrypting GRE tunnels!</title>
		<link>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/</link>
		<comments>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 19:21:11 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[GRE]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[IPSEC]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/?p=49</guid>
		<description><![CDATA[In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal" style="margin: 0in 0in 0pt;"><span style="font-size: 10pt;"><span style="font-family: Lucida Sans Unicode;">In our last article we looked at creating GRE tunnels between networks to allow non-routable traffic to pass between remote offices. GRE tunnels are a great solution; however, the traffic passing inside these tunnels is not encrypted and thus could be intercepted by unauthorized parties. In this article we are going to look at tunneling GRE inside of IPSEC. This gives us the benefits of GRE together with the security of IPSEC.</span></span></p>
<p class="MsoNormal" style="margin: 0in 0in 0pt;"><span id="more-49"></span></p>
<pre class="prettyprint">!
! ISAKMP (IKE phase 1) policy; encryption, hash and DH group take the
! IOS defaults unless they are set explicitly here
crypto isakmp policy 10
 authentication pre-share
! pre-shared key (here the string "integer") and address of the remote peer
crypto isakmp key integer address 192.168.1.2
!
! use AES encryption and comp-lzs compression; transport mode tells IPSEC
! not to build its own tunnel, since GRE already provides the tunnel and
! IPSEC is used for encryption only
crypto ipsec transform-set myset esp-aes esp-md5-hmac comp-lzs
 mode transport
!
! create the crypto map
crypto map mymap 10 ipsec-isakmp
 ! the peer must match the ISAKMP key statement
 set peer 192.168.1.2
 ! use the transform set defined above
 set transform-set myset
 ! encrypt only the GRE tunnel packets matched by this access list
 match address match-gre
!
interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
 ! crypto map applied to the tunnel (not required on 12.2(13)T and later,
 ! where the map on the physical interface alone is sufficient)
 crypto map mymap
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ! the Internet-facing side is the NAT outside interface
 ip nat outside
 duplex auto
 speed auto
 ! crypto map must be applied to the public interface
 crypto map mymap
!
! inbound filter on the Internet interface: only the tunnel traffic below
! is permitted, everything else hits the implicit deny at the end
ip access-list extended allow-gre
 ! allow GRE through the firewall
 permit gre any any
 ! allow ESP (the encrypted IPSEC payload) through the firewall
 permit esp any any
 ! allow UDP port 500 (ISAKMP/IKE negotiation)
 permit udp any any eq 500
!
! crypto access list matching the tunnel traffic; it must be in the form
! (my public ip) (destination public ip)
ip access-list extended match-gre
 permit gre host 192.168.1.1 host 192.168.1.2 log</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/09/08/encrypting-gre-tunnels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An overview of CISCO IOS Security features as related to packet filtering.</title>
		<link>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</link>
		<comments>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/#comments</comments>
		<pubDate>Wed, 30 Jan 2008 03:30:27 +0000</pubDate>
		<dc:creator>john</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[access list]]></category>
		<category><![CDATA[cbac]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[ios]]></category>
		<category><![CDATA[ips]]></category>
		<category><![CDATA[router]]></category>

		<guid isPermaLink="false">http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/</guid>
		<description><![CDATA[ The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, [...]]]></description>
			<content:encoded><![CDATA[<p>The Cisco IOS has many powerful security features that enable network engineers to protect their internal network. The Cisco IOS is capable of intrusion detection, deep packet inspection, and stateful firewall features. Setting up IPS allows the admin to push intrusion detection to the network edge. The Cisco IPS feature set can scan for spyware, viruses, worms, Trojans, and network intrusions by receiving updated signature files from Cisco. If a packet or series of packets matches a particular signature, the router can send an alert, drop the packet, or reset the connection of the offending user. In this way the network engineer can better protect the network by acting on suspicious packets before they can pose a risk to the network infrastructure. Another advantage of pushing IPS duties to the network edge is that offending packets are dropped before they consume finite network resources. In large networks as much as 10 percent of network resources could be consumed by packets that will ultimately be dropped for security reasons deeper in the network.<span id="more-32"></span></p>
<p>A lot of engineers prefer to use dedicated systems for network security such as PIX and ASA devices. However, the Cisco recommended methodology is to filter packets as close to the egress point as possible, thus saving network resources and enhancing security. In times past it was considered better to apply security features on dedicated devices deeper in the network while putting as little strain on the edge routers as possible. This methodology used to be a necessity: routers typically had much less horsepower, and a significant amount of CPU cycles and memory was used just routing and switching packets. Add to that the widespread use of Port Address Translation, which requires a large amount of CPU cycles and memory to maintain the port translation state table, and the situation was dire. It was not uncommon to see a branch-office-level router such as a 2500 or 2600 series overloaded by P2P programs, which open up thousands of ports for connections. In these situations a single user could easily destabilize the network and cause the router to drop packets under the load. Cisco, realizing the changing world of networking and the relative cheapness of CPU power, released the XM series routers as a stopgap measure until the new integrated services platform routers, such as the 2800 and 3800 series, were available. These new routers are more powerful than ever and allow IPS, stateful firewall features, and deep packet inspection to be performed at the network edge, thus enhancing security and the availability of network resources.</p>
<p>Besides the IPS features, Cisco routers can also perform CBAC, or Context-Based Access Control. With CBAC the router can inspect TCP, UDP, and ICMP packets for fragments and irregularities. The IOS can also inspect several layer 7 protocols, and with the latest 12.4 IOS and current generation of routers this list has expanded to many layer 7 protocols. When using CBAC the router monitors the outgoing packets on an interface and dynamically creates holes in the inbound access list to allow only packets that match up to the outgoing request. This means that CBAC enables the IOS to perform true stateful firewalling. In the 12.4 IOS, CBAC uses deep packet inspection to determine the true protocol of the packet and better protect the network from intrusion. With deep packet inspection the router will recognize an FTP packet and scan it for known issues even if the packet arrives on a port other than the standard FTP control port. The IOS also uses access lists to secure interfaces and drop unwanted traffic at the network edge, which prevents network resources from being wasted.</p>
<p>I hope this brief overview of the Cisco IOS security methodology as it relates to packet filtering was informative. I will follow up later with a more technical article on how to configure CBAC stateful firewalling and IPS signatures on the Cisco router.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.techinvasion.net/2008/01/29/cisco-ios-firewall-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

