Transcript Exploration CCNA4 - Collin College Faculty Website Directory

Business Information &
Engineering
Technologies
Network Security
Accessing the WAN – Chapter 4: Part 2
Modified by Bill Bourgeois [from work by Cisco and
Tony Chen (College of DuPage)]
January 2011
ITE I Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Business Information & Engineering
Technologies
Logging Router Activity
 Logs allow verification that a router is operating
properly.
– Routers support 8 levels of logging ranging from:
• 0 - emergencies indicating that the system is
unstable
• To 7 for debugging messages.
– Logs must be reviewed regularly.
 Logs can be forwarded to a variety of locations,
The eight different logging
levels.
0—emergencies
1—alerts
2—critical
3—errors
4—warnings
5—notification
6—informational
7—debugging
– Router memory
– Syslog server.
• A syslog server provides a better solution
since all network devices can forward their
logs to one central station where an
administrator can review them.
• An example of a syslog server is the Kiwi
Syslog Daemon (installed on Collin College
Cisco lab computers).
2
Business Information & Engineering
Technologies
Logging Router Activity
 R2(config)#logging ?
Hostname or A.B.C.D
IP address of
the logging
host
.
.
---------- Output Omitted -------------.
trap
Set syslog
server logging
level
.
 Accurate time stamps are important to logging.
R2(config)#service timestamps ?
debug
Timestamp debug message
log
Timestamp log messages
<cr>
3
Business Information & Engineering
Technologies
Vulnerable Router Services and Interfaces
 Cisco routers support a large number of network services at layers
2, 3, 4, and 7.
– Some of these services are application layer protocols.
– Some are automatic processes and settings and are intended to
support legacy configurations
• May pose security risks in today’s environment.
 Some of these services can be restricted or disabled to improve
security without degrading the operational use of the router.
– Most of the services listed in this section are usually not required.
 Note: Cisco Discovery Protocol (CDP) is leveraged in some IP
Phone implementations. This must be considered before broadly
disabling the service.
4
Business Information & Engineering
Technologies
5
Business Information & Engineering
Technologies
Vulnerable Router Services and Interfaces
 Services which possibly should be disabled
are.
– Cisco Discovery Protocol (CDP) - Use
the no cdp run (if not used by IP
telephony).
– Source routing - Use the no ip sourceroute command.
– Classless routing - Use the no ip
classless command.
– Small services such as echo, discard,
and chargen - Use the no service tcpsmall-servers or no service udp-smallservers command.
– Finger - Use the no service finger
command.
– BOOTP - Use the no ip bootp server
command.
– HTTP - Use the no ip http server
command.
– Remote configuration - Use the no
service config.
– SNMP - Use the no snmp-server
command.
6
Business Information & Engineering
Technologies
Vulnerable Router Services and Interfaces
 The interfaces on the router can
be made more secure by using
certain commands in interface
configuration mode:
– Unused interfaces - Use the
shutdown command.
– Ad hoc routing - Use the no ip
proxy-arp command.
– No SMURF attacks - Use the no
ip directed-broadcast.
• Note: ip directed-broadcast is
disabled by default on IOS
12.0 and later
7
Business Information & Engineering
Technologies
Vulnerable Router Services and Interfaces
 SNMP
–
–
 NTP
–
–
–
 DNS
–
–
–
SNMP is the Internet protocol for automated remote monitoring and
administration.
Versions of SNMP prior to version 3 shuttle information in clear text.
Cisco routers and other hosts use NTP to keep their time-of-day clocks
accurate.
If an NTP hierarchy is not available on the network, disable NTP.
Disabling NTP on an interface does not prevent NTP messages from
traversing the router. To reject all NTP messages at a particular interface,
use an access list.
Cisco IOS software supports looking up hostnames with the DNS.
The basic DNS protocol offers no authentication or integrity assurance. By
default, name queries are sent to the broadcast address 255.255.255.255.
If one or more name servers are available on the network, and it is desirable
to use names in Cisco IOS commands, explicitly set the name server
addresses using the global configuration command “ip name-server
<addresses>”. Otherwise, turn off DNS name resolution with the command
“no ip domain-lookup”.
8
Business Information & Engineering
Technologies
Securing Routing Protocols
 Routing systems can be attacked in 2 ways:
– Disruption of peers
• Disruption of peers is the less critical of the two attacks
because routing protocols heal themselves.
– Falsification of routing information
• Falsified routing information may be used to cause
systems to misinform each other, cause a DoS, or cause
traffic to follow a path it would not normally follow.
• The possible consequences of falsifying routing
information are:
–
–
–
Redirect traffic to create routing loops
Redirect traffic so it can be monitored on an insecure link
Redirect traffic to discard it
9
Business Information & Engineering
Technologies
Securing Routing Protocols
 Attacking the routing protocols and
injecting false information is a way to
attack the routing system.
– The attacker injects false routing
information destined to router R1
only, indicating that R3 is the
preferred destination to the
192.168.10.10/32 host route.
– Although R1 has a routing table
entry to the directly connected
192.168.10.0/24 network, it will add
the injected route to its routing table
because of the longer subnet mask.
– When PC3 sends a packet to PC1
(192.168.10.10), R1 will not forward
the packet to the PC1 host. It will
route the packet to router R3,
because the best path to
192.168.10.10/32 is through R3.
When R3 gets the packet, it will look
in its routing table and forward the
packet back to R1, which creates
the loop.
10
Business Information & Engineering
Technologies
Securing Routing Protocols
 To protect routing information on the network
authenticate routing update packets using MD5.
– MD5 allows the routers to compare
signatures that should all be the same.
– The three components of such a system
include:
• 1. Encryption algorithm, which is public
knowledge
• 2. Key used in the encryption algorithm,
which is a secret shared by the routers
authenticating their packets
• 3. Contents of the packet itself
 The originator of the routing information produces a
signature using the key and routing data it is about
to send as inputs to the encryption algorithm.
– The routers receiving this data can then
repeat the process using the same key, the
data it has received, and the same routing
data.
– If the signature the receiver computes is the
same as the signature the sender computes,
the update is authenticated.
 RIPv2, EIGRP, OSPF, IS-IS, and BGP all
support various forms of MD5 authentication.
11
Business Information & Engineering
Technologies
Securing Routing Protocols
 RIPv2 with Routing Protocol Authentication
– To secure routing updates each router must be
configured to support authentication.
 The steps to secure RIPv2 updates are as follows:
– Prevent RIP routing update propagation on
selected interfaces
– Prevent processing of bogus RIP updates
– Verify the operation of RIP routing
 Preventing RIP Routing Update Propagation
– Prevents an intruder listening on the network
from receiving updates.
• Force all interfaces on the router into passive
mode, and then bring up only those interfaces
that are required for sending and receiving RIP
updates.
• An interface in passive mode receives updates
but does not send updates.
– The passive-interface default command disables
routing advertisements on all interfaces.
– The no passive-interface s0/0/0 command enables
the S0/0/0 interface to send and receive RIP
updates.
12
Business Information & Engineering
Technologies
Securing Routing Protocols
 Preventing processing of bogus RIP Updates
– The intruder is prevented from intercepting
RIP updates because MD5 authentication has
been enabled on routers.
– Example commands
•
create a key chain named RIP_KEY.
– Key 1 is configured to contain a key
string called cisco.
– The key string is similar to a
password and routers exchanging
authentication keys must configured
with the same key string.
•
Interface S0/0/0 is configured to support
MD5 authentication.
•
The RIP_KEY chain and the routing
update, are processed using the MD5
algorithm to produce a unique signature.
13
Business Information & Engineering
Technologies
Securing Routing Protocols
 Verify the Operation of RIP Routing
– Using the show ip route command the output
confirms that router R1 has authenticated with the
other routers and has been able to acquire the
routes from the routers R2 and R3.
14
Business Information & Engineering
Technologies
Securing Routing Protocols
 EIGRP
– The steps to configure EIGRP routing
protocol authentication on router R1 are
as follows:
• To create a key chain to be used by all
routers in the network.
– Create a key chain named
EIGRP_KEY
– Create a key number of 1 and a
key string of cisco.
• enable MD5 authentication in EIGRP
packets traversing an interface.
 OSPF
– The figure shows the commands used to
configure routing protocol authentication
for OSPF on router R1 on interface S0/0/0.
• The first command specifies the key
that will be used for MD5
authentication.
• The next command enables MD5
authentication.
15
Business Information & Engineering
Technologies
Locking Down a Router with Cisco auto secure
 Cisco auto secure uses a single
command to disable non-essential
system processes and services,
Tony Chen COD
eliminating potential security threats.
Cisco
Networking Academy
 Configure auto secure
in privileged
EXEC mode using the auto secure
command in one of two modes:
– Interactive mode - This mode prompts
for options to enable and disable
services and other security features.
This is the default mode.
– Non-interactive mode - This mode
automatically executes the auto secure
command with the recommended
Cisco default settings. This mode is
enabled with the no-interact command
option.
16
Business Information & Engineering
Technologies
Locking Down Router with Cisco Auto Secure
 Cisco AutoSecure will ask for for a
number of items:
– Interface specifics
Tony Chen COD
– Banners
– Passwords
– SSH
Cisco Networking Academy
– IOS firewall features
Router#auto secure ?
firewall
AutoSecure Firewall
forwarding
Secure Forwarding Plane
full
Interactive full session of AutoSecure
login
AutoSecure Login
management Secure Management Plane
no-interact
Non-interactive session of AutoSecure
ntp
AutoSecure NTP
ssh
AutoSecure SSH
tcp-intercept
AutoSecure TCP Intercept
<cr>
17
Business Information & Engineering
Technologies
Locking Down Router with Cisco Auto Secure
R2#show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
Tony Chen COD
.
. Cisco Networking Academy
---------- Output Omitted -------------.
ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
18
Business Information & Engineering
Technologies
What is Cisco SDM?

The Cisco Router and Security Device
Manager (SDM) is a web-based devicemanagement tool designed for
configuring LAN, WAN, and security
features on Cisco IOS software-based
routers.
–
–
–

Cisco SDM ships preinstalled by default
on all new Cisco Integrated Services
Routers.
–
–

Provides easy-to-use smart wizards,
Automates router security management,
Assists through comprehensive online
help.
If not preinstalled, it must installed.
If SDM is pre-installed, Cisco
recommends using Cisco SDM to perform
the initial configuration
SDM files can be installed on a router, a
PC, or both.
–
An advantage of installing SDM on the PC
is that it saves router memory, and allows
SDM to manage other routers on the
network.
19
Business Information & Engineering
Technologies
Cisco SDM Features

Cisco SDM simplifies router and security
configuration through the use of intelligent
wizards to enable efficient configuration of key
router VPN and Cisco IOS firewall parameters.

Cisco SDM smart wizards
– guide users step-by-step through router and
security configuration workflow by
systematically configuring LAN and WAN
interfaces, firewall, IPS, and VPNs.
– intelligently detects incorrect configurations and
proposes fixes, such as allowing DHCP traffic
through a firewall if the WAN interface is
DHCP-addressed.

Online help embedded within Cisco SDM
contains appropriate background information.
20
Business Information & Engineering
Technologies
Configuring a Router to Support SDM
 Before installing SDM on an
operational router, ensure that
a few configuration settings
are present in the router
configuration file.
– Access the router's CLI
interface using Telnet/SSH
or the console connection
– Enable the HTTP and
HTTPS servers on the router
– Create a user account
defined with privilege level
15 (enable privileges).
– Configure SSH and Telnet
for local login and privilege
level 15.
21
Business Information & Engineering
Technologies
Starting Cisco SDM

To launch the Cisco
SDM use the HTTPS
protocol and put the IP
address of the router
into the browser.
–
The figure shows the
browser with an
address of
https://198.162.20.1
and the launch page
for Cisco SDM.
–
The http:// prefix can
be used if SSL is not
available.
22
Business Information & Engineering
Technologies
Starting Cisco SDM
 When the username and
password dialog box
appears (not shown), enter a
username and password for
the privileged (privilege level
15) account on the router.
 After the launch page
appears a signed Cisco SDM
Java applet appears which
must remain open while
Cisco SDM is running.
– Because it is a signed
Cisco SDM Java applet a
prompt to accept a
certificate may appear.
23
Business Information & Engineering
Technologies
Cisco SDM Home Page Overview
 After logging in, the Overview page displays
– the router model,
– total amount of memory,
– the versions of flash, IOS, and SDM,
– the hardware installed,
– a summary of security features, such as firewall status and the
number of active VPN connections.
24
Business Information & Engineering
Technologies
Cisco SDM Home Page Overview
 It provides basic information:
– Menu bar - The top of the screen has a typical menu bar
with File, Edit, View, Tools, and Help.
– Tool bar - Below the menu bar, it has the SDM wizards
and modes which may be selected.
– Router information - The current mode is displayed on
the left side under the tool bar.
– Configuration overview - Summarizes the configuration
settings.
25
Business Information & Engineering
Technologies
Locking Down a Router with Cisco SDM
 The one-step lockdown wizard is
accessed from the Configure
GUI interface by clicking the
Security Audit task.
– The Cisco SDM one-step
lockdown wizard
implements almost all of the
security configurations that
Cisco AutoSecure offers.
 Do not assume that the network
is secure simply because a onestep lockdown was done.
– Not all the features of Cisco
AutoSecure are
implemented in Cisco SDM.
26
Business Information & Engineering
Technologies
Locking Down a Router with Cisco SDM


The following features are not implemented in this version of Cisco SDM:
–
Disabling NTP—Based on input, AutoSecure will disable the Network Time Protocol (NTP)
if it is not necessary. Otherwise, NTP will be configured with MD5 authentication. Cisco
SDM does not support disabling NTP.
–
Configuring AAA—If the Authentication, Authorization, and Accounting (AAA) service is
not configured, AutoSecure configures local AAA and prompts for configuration of a local
username and password database on the router. Cisco SDM does not support AAA
configuration.
–
Setting SPD Values—Cisco SDM does not set Selective Packet Discard (SPD) values.
–
Enabling TCP Intercepts (syn flood DOS protection)—Cisco SDM does not enable TCP
intercepts.
–
Configuring anti-spoofing ACLs on outside interfaces—AutoSecure creates three named
access lists used to prevent anti-spoofing source addresses. Cisco SDM does not
configure these ACLs.
AutoSecure Features Implemented Differently in Cisco SDM
–
Disable SNMP: Cisco SDM will disable SNMP, but unlike AutoSecure, it does not provide
an option for configuring SNMP version 3.
–
Enable SSH for Access to the Router: Cisco SDM will enable and configure SSH on
crypto Cisco IOS images, but unlike AutoSecure, it will not enable Service Control Point
(SCP) or disable other access and file transfer services, such as FTP.
27
Business Information & Engineering
Technologies
Maintaining Cisco IOS Software Images
 There are certain guidelines that must be followed when
changing the Cisco IOS software on a router.
– Updates: An update replaces one release with
another without upgrading the feature set.
• The software might be updated to fix a bug
• Updates are free.
– Upgrades: An upgrade replaces a release with
one that has an upgraded feature set.
• Software is upgraded to add new features or
technologies
• Upgrades are not free.
– It is not always a good idea to upgrade to the
latest version of IOS software. Many times that
release is not stable.
 Cisco recommends a four-phase migration process to
simplify network operations and management.
– Plan - Set goals, identify resources, profile
network hardware and software, and create a
schedule for migrating to new releases.
– Design - Choose new Cisco IOS releases.
– Implement - Schedule and execute the migration.
– Operate - Monitor the migration progress and
make backup copies of images that are running
on the network.
28
Business Information & Engineering
Technologies
Maintaining Cisco IOS Software Images
 There are a number of tools available on Cisco.com to aid in migrating Cisco IOS
software.
– The following tools do not require a Cisco.com login:
• Cisco IOS Reference Guide - Covers the basics of the Cisco IOS software
family
• Cisco IOS software technical documents - Documentation for each release
of Cisco IOS software
• Cisco Feature Navigator - Finds releases that support a set of software
features and hardware, and compares releases
– The following tools require valid Cisco.com login accounts:
• Download Software - Cisco IOS software downloads
• Bug Toolkit - Searches for known software fixes based on software
version, feature set, and keywords
• Software Advisor - Compares releases, matches Cisco IOS software and
Cisco Catalyst OS features to releases, and finds out which software
release supports a given hardware device
• Cisco IOS Upgrade Planner - Finds releases by hardware, release, and
feature set, and downloads images of Cisco IOS software
• See: http://www.cisco.com/en/US/support/tsd_most_requested_tools.html.
29
Business Information & Engineering
Technologies
Cisco IOS File Systems and Devices
 Cisco IOS devices provide a
feature called the Cisco IOS
Integrated File System (IFS).
– The directories available
depend on the platform.
– The show file systems
command lists all file
systems.
• It provides information
such as the amount of
available and free
memory, type of file
system and its
permissions.
• Permissions include
read only (ro), write only
(wo), and read and write
(rw).
*
#
See for discussion of “opaque”
30
Business Information & Engineering
Technologies
Cisco IOS File Systems and Devices
 Flash
– The flash file system which has an
asterisk preceding it indicates that this
is the current default file system.
– the pound symbol (#) appended to the
flash listing (on previous chart)
indicates that this is a bootable disk.
– It contains the file of the current IOS
running in RAM.
 NVRAM
– To change the file system use the cd
command.
– The pwd command displays the
working directory
– The dir command lists the contents of
NVRAM.
• Contains the startup-configuration
file.
31
Business Information & Engineering
Technologies
URL Prefixes for Cisco Devices
 Administrators do not have visual
cues when working at a router CLI.
– File locations are specified in Cisco
IFS using the URL convention.
– The URLs used by Cisco IOS
platforms look similar to the format
from the web.
 The TFTP example in the figure is:
tftp://192.168.20.254/configs/backupconfigs.
– The expression "tftp:" is called the
prefix. The browser will use tftp protocol
vice http.
– Everything after the double-slash (//)
defines the location.
– 192.168.20.254 is the location of the TFTP
server.
– "configs" is the master directory.
– "backup-configs" is the filename.
32
Business Information & Engineering
Technologies
Commands for Managing Configuration Files
 The copy command is used to move
files from one device to another, such
as RAM, NVRAM, or a TFTP server.
– Copy the running configuration from
RAM to the startup configuration in
NVRAM:
• R2# copy running-config startupconfig
• R2# copy system:running-config
nvram:startup-config
– Copy running configuration from RAM to
a remote location:
• R2# copy running-config tftp:
• R2# copy system:running-config tftp:
33
Business Information & Engineering
Technologies
Commands for Managing Configuration Files
 Copy configuration from a remote
TFTP server to the running
configuration:
– R2# copy tftp: running-config
– R2# copy tftp: system:runningconfig
 Copy configuration from a remote
TFTP server to the startup
configuration:
– R2# copy tftp: startup-config
– R2# copy tftp: nvram:startup-config
34
Business Information & Engineering
Technologies
Cisco IOS File Naming Conventions
 The IOS image file is based on a special naming
convention. The name for the Cisco IOS image file
contains multiple parts, each with a specific meaning.
– The first part, c1841, identifies the platform on
which the image runs. In this example, it is a Cisco
1841.
– The second part, ipbase, specifies the feature set.
In this case, "ipbase" refers to the basic IP
internetworking image. Other feature set
possibilities:
• i - Designates the IP feature set
• j - Designates the enterprise feature set (all
protocols)
• s - Designates a PLUS feature set
c2691-adventerprisek9_sna-mz.124-13b.bin
• 56i - Designates 56-bit IPsec DES encryption
c2600-ik9s-mz.122-40a.bin
• 3 - Designates the firewall/IDS
• k2 - Designates the 3DES IPsec encryption
(168 bit)
– The third part, mz, indicates where the image runs
and if the file is compressed. For example, "mz"
indicates that the file runs from RAM and is
compressed.
– The fourth part, 12.3-14.T7, is the version number.
– The final part, bin, is the file extension. The .bin
extension indicates that this is a binary executable
file.
35
Business Information & Engineering
Technologies
IOS Resilient Configuration
 A new Cisco IOS software; resilient configuration
feature, enables a router to secure and maintain a
working copy of the running operating system image and
configuration so that those files can withstand malicious
attempts to erase the contents of persistent storage
(NVRAM and flash).
– This feature is available only on platforms that support a
Personal Computer Memory Card International Association
(PCMCIA) Advanced Technology Attachment (ATA) disk.
See: Cisco IOS Resilient Configuration
36
Business Information & Engineering
Technologies
Using TFTP Servers to Manage IOS Images
 Retain a backup copy of the IOS image in case the
image on the router becomes corrupted or
accidentally erased.
– A network TFTP server allows image and
configuration uploads and downloads over
the network.
– TFTP server can be another router or a
workstation.
 Before changing a Cisco IOS image on the router,
complete the following:
– Determine the memory required for the
update.
– Set up and test the file transfer capability.
– Schedule the required downtime.
 When ready to do the update:
– Shut down all interfaces not needed to
perform the update.
– Back up the current operating system and the
current configuration file to a TFTP server.
– Load the update for either the operating
system or the configuration file.
– Test to confirm that the update works
properly. If the tests are successful, re-enable
the interfaces which were disabled.
37
Business Information & Engineering
Technologies
Backing up IOS Software Images
 To copy a IOS image
software from flash to
the network TFTP
server:
– Ping the TFTP server
to make sure it is
accessible.
– Verify that the TFTP
server has sufficient
disk space for the
Cisco IOS image.
• Use the show flash:
command to
determine :
– Total amount of
flash memory on
the router
– Amount of flash
memory available
– Name of all the
files stored in the
flash memory
38
Business Information & Engineering
Technologies
Backing up IOS Software Images
 Copy current file from the
router to TFTP server, using
the copy flash: tftp: command.
– The command requires that the IP
address of the remote host and the
name of the source and destination
system image files be entered.
– During the copy process,
exclamation points (!) indicate the
progress. Each exclamation point
signifies that one UDP segment has
successfully transferred.
39
Business Information & Engineering
Technologies
Upgrade IOS Software Images
 Upgrading a system to a newer version
requires a different system image file to be
loaded.
– Use the copy tftp: flash: command to
download the new image from the
network TFTP server.
– The command prompts for the IP
address of the remote host and the
name of the source and destination
system image file.
– After these entries are confirmed, the
Erase flash: prompt appears.
• Erase flash memory if there is not
sufficient flash memory for more
than one Cisco IOS image. If no
free flash memory is available, the
erase routine is required before
new files can be copied.
– Each exclamation point (!) means that
one UDP segment has successfully
transferred.
 Note: Make sure that the Cisco IOS image
loaded is appropriate for the router platform.
If the wrong Cisco IOS image is loaded, the
router could be made unbootable, requiring
ROM monitor (ROMmon) intervention.
40
Business Information & Engineering
Technologies
Using tftpdnld to Restore an IOS Image
 When an IOS on a router is accidentally
deleted from flash, the router is
operational since the IOS is still running
in RAM.
– It is crucial that the router not be
rebooted since it would not find a valid
IOS in flash.
– If the router is rebooted and can no
longer load an IOS it boots into the
ROMmon prompt by default.
 The IOS on router R1 has accidentally
been deleted from flash. The router has
been rebooted and can no longer load an
IOS. Follow the steps below to restore
the IOS.
– Connect the devices.
•
•
•
Connect the PC to the console port on the
affected router.
Connect the TFTP server to the first Ethernet port
on the router.
Configure it with a static IP address
192.168.1.1/24.
41
Business Information & Engineering
Technologies
Using tftpdnld to Restore an IOS Image
 Set the ROMmon variables.
– The router boots into ROMmon mode
since it does not have a valid Cisco
IOS image.
– Enter all of the variables listed in the
figure. Be aware of the following:
• Variable names are case sensitive.
• Do not include any spaces before
or after the = symbol.
• Navigational keys are not
operational.
– The IP addresses, subnet mask, and
image name in the figure are only
examples. The actual variables vary
depending on the configuration.
42
Business Information & Engineering
Technologies
Using tftpdnld to Restore an IOS Image
 Enter the tftpdnld command at the
prompt.
–
–
–
–
The command displays the
required variables and warns
that all existing data in flash will
be erased.
Type y to proceed, and press
Enter.
When connected, the download
begins as indicated by the
exclamation mark (!) marks.
Use the reset command to reload
the router with the new Cisco
IOS image
 Using the tftpdnld command is a
quick way to copy the image file
via the first ethernet interface.
43
Business Information & Engineering
Technologies
Using xmodem to Restore an IOS Image
 Using Xmodem is another method
for restoring a Cisco IOS image to a
router.
– The file transfer is
accomplished using the
console cable and is very slow
when compared to the tftpdnld
command via the console.
 To restore the IOS using Xmodem.:
– Connect the PC to the console
port on the affected router.
– Boot the router and issue the
xmodem command at the
ROMmon command prompt.
• The command syntax is
xmodem [-cyr] [filename].
• The cyr option varies
depending on the
configuration. For
instance, -c specifies CRC16, y specifies the
Ymodem protocol, and r
copies the image to RAM.
44
Business Information & Engineering
Technologies
Using xmodem to Restore an IOS Image
 The figure shows the process for
sending a file using
HyperTerminal.
– Select Transfer > Send File.
 Browse to the location of the IOS
image to be transferred and
choose the Xmodem protocol.
– Click Send. A dialog box
appears displaying the
status of the download. It
takes several seconds before
the host and the router begin
transferring the information.
– The download time may be
dramatically improved if the
connection speed of
HyperTerminal and the
router is changed from 9600
b/s to 115000 b/s.
– When the transfer is
complete, the router
automatically reloads with
the new Cisco IOS.
45
Business Information & Engineering
Technologies
Troubleshooting Cisco IOS Configurations
 Two important commands that are used in network
administration
– Show command
• A show command lists the configured parameters and their values.
• Use the show command to verify configurations.
– Debug command
• The debug command allows tracing the execution of a process.
• Use the debug command to identify traffic flows through interfaces and
router processes.
46
Business Information & Engineering
Technologies
Using the show Command
 The show command displays
static information.
– Use show commands when
gathering facts for isolating
problems in an internetwork,
including problems with interfaces,
nodes, media, servers, clients, or
applications.
– Use it frequently to confirm that
configuration changes have been
implemented.
– When at the command prompt,
type show ? for a list of available
show commands for the level and
current mode of operation.
47
Business Information & Engineering
Technologies
Using the debug Command
 The debug command displays dynamic events.
– Use debug to check the flow of protocol
traffic for problems, protocol bugs, or
misconfigurations.
 By default, the router sends the output from
debug commands to the console.
– Redirect debug output to a syslog server if
desired.
 Debugging output is assigned high priority in
the CPU process queue and can therefore
interfere with normal production processes on a
network.
– use debug commands during quiet hours
and only to troubleshoot specific
problems.
 All debug commands are entered in privileged
EXEC mode.
– To list a brief description of all the
debugging command options, enter the
debug ? command.
 To ensure that there are no lingering debugging
operations running use the no debug all or un
all command.
48
Business Information & Engineering
Technologies
Considerations when using the debug Command
 Using debug commands to troubleshoot a lab network that lacks end-user
application traffic obviously does not impact production networks.
 Using debug commands on a production network that users depend on for data
flow must be very carefully considered. Without proper precautions, the impact
of a broadly focused debug command could have significant impact.
– With proper, selective, and temporary use of debug commands, one can
obtain potentially useful information without the need for a protocol analyzer
or other third-party tool.
49
Business Information & Engineering
Technologies
Commands Related to the debug Command
 To optimize the use of the debug command,
these commands can help:
– The service timestamps command
• is used to add a time stamp to a debug
message.
• This feature provide timing information
about when debug elements occurred.
– The show processes command
• displays the CPU use for each process.
• This data can influence decisions about
using a debug command if it indicates
that the system is too heavily used for
adding a debug command.
– The no debug all command
• disables all debug commands.
• This command can free up system
resources after debugging is complete.
– The terminal monitor command
• displays debug output and system error
messages for the current terminal and
session.
• When Telneting to a device and a debug
command is issued, the output is not
seen unless this commands is entered.
50
Business Information & Engineering
Technologies
Recovering a Lost Router Password
 Recovering a Lost Router Password
–
–
–
–
–
Requires physical access to the router.
Connect the PC to the router through a
console cable.
The enable password and the enable
secret password protect access to
privileged EXEC and configuration
modes.
The enable password may be recovered,
The enable secret password is encrypted
and must be replaced with a new
password.
 The configuration register is similar to
the PC BIOS settings, which control the
bootup process.
–
–
A configuration register, represented by
a hexadecimal value, tells the router
what specific steps to take when
powered on.
Configuration registers have many uses,
and password recovery is probably the
most used.
51
Business Information & Engineering
Technologies
Recovering a Lost Router Password
 Prepare the Device
– Connect to the console port.
– If still have access to user EXEC mode.
• Type show version at the prompt,
and record the configuration
register setting.
R>#show version
<show command output
omitted>
Configuration register is 0x2102
R1>
• Configuration register is usually
set to 0x2102.
• If the router can no longer be
accessed, assume it is set to
0x2102.
– Use the power switch to turn the router
off and then on.
– Press CTL+Break on the terminal
keyboard within 60 seconds of power
up to put the router into ROMmon.
52
Business Information & Engineering
Technologies
Recovering a Lost Router Password
 Bypass Startup
– rommon 1> confreg 0x2142
• This causes the router to bypass the
startup configuration where the
unknown enable password is stored.
– rommon 2> reset
• The router reboots and ignores the
saved configuration.
– Enter no after each setup question, or
press Ctrl-C to skip the initial setup
procedure.
– Router> enable
• This puts the router into enable mode,
and the Router# prompt will appear.
53
Business Information & Engineering
Technologies
Recovering a Lost Router Password
 Access NVRAM
– copy startup-config running-config to
copy the NVRAM into memory.
• Be careful! Do not type copy runningconfig startup-config or the startup
configuration will be over written.
– show running-config to view passwords.
• The shutdown command appears
under all interfaces because all the
interfaces are currently shut down.
• The passwords (enable password,
enable secret, vty, console
passwords) either in encrypted or
unencrypted format are now visible.
– Unencrypted passwords may be
reused if desired.
• Change encrypted passwords to a
new password of your choice.
54
Business Information & Engineering
Technologies
Recovering a Lost Router Password
 Reset Passwords
– configure terminal.
– Type enable secret password to
change the enable secret password.
• R1(config)# enable secret cisco
– Issue the no shutdown command on
every operational interface.
• Issue a show ip interface brief
command to confirm that the
interface configuration is correct.
– Type config-register
<configuration_register_setting>.
• R1(config)#config-register 0x2102
– Press Ctrl-Z or type end.
– copy running-config startup-config to
commit the changes.
55
Business Information & Engineering
Technologies
Chapter Summary
 In this chapter, we have discussed:
Tony Chen COD
– Identification of security threats to enterprise networks
Networking
Academy
– Described methodsCisco
to mitigate
security
threats to enterprise
networks
– Configured basic router security
– Disabled unused router services and interfaces
– Discussed the Cisco SDM one-step lockdown feature
– Discussed management of files and software images with the
Cisco IOS Integrated File System (IFS)
56