File: Лекції_Технології телекомунікаційних мереж_викл...docx (uploaded 06.02.2020, 416.98 KB)
      1. Using Cisco SDM

For the initial configuration of Cisco routers you can also use the Security Device Manager (SDM), an easy-to-use device management tool with a web interface. SDM is designed for configuring LAN and WAN interfaces as well as the security of routers based on Cisco IOS.

Cisco SDM simplifies security configuration on the router with several intelligent wizards for efficiently configuring virtual private networks and Cisco IOS Firewall settings. This lets administrators deploy, configure and monitor routers quickly and easily.

      2. Router Security Management

Periodically a router needs an update of its operating system or configuration file. These updates are needed to fix known security vulnerabilities, to support new security-policy features, or to improve performance.

However, moving to the latest version of Cisco IOS software is not always a good idea. The newest releases are quite often unstable.

When changing the Cisco IOS software on a router, certain principles must be followed. Changes are classified as updates and upgrades. An update replaces one release with another without adding functionality. Software may be updated to fix bugs or to replace a release that is no longer supported. Updates are free.

An upgrade replaces a release with a new, extended feature set. Software may be upgraded to add new features or technologies, or to replace a release that is no longer supported. Upgrades are not free. Cisco.com offers guidelines to help determine which method applies.

Cisco recommends a four-phase migration process to simplify network operation and management:

  • Plan – set goals, identify resources, profile the network hardware and software, and create a preliminary schedule for migrating to new releases.

  • Design – choose new Cisco IOS releases and create a strategy for migrating to them.

  • Implement – schedule the migration and carry it out.

  • Operate – monitor the migration process and back up the images that are running in the network.

A number of tools are available on Cisco.com to assist with Cisco IOS software migration. Tools can also be used to obtain information about releases, feature sets and images.

Cisco IOS File Systems and Devices

The availability of the network can be at risk if a router configuration or operating system is compromised. Attackers who gain access to infrastructure devices can alter or delete configuration files. They can also upload incompatible IOS images or delete the IOS image. The changes are invoked automatically or invoked once the device is rebooted.

To mitigate these problems, you have to be able to save, back up, and restore configuration files and IOS images. To do so, you need to know how to carry out a few file management operations in Cisco IOS software.

Cisco IOS devices provide a feature called the Cisco IOS Integrated File System (IFS). This system allows you to create, navigate, and manipulate directories on a Cisco device. The directories available depend on the platform.

For instance, the figure displays the output of the show file systems command which lists all of the available file systems on a Cisco 1841 router. This command provides insightful information such as the amount of available and free memory, the type of file system and its permissions. Permissions include read only (ro), write only (wo), and read and write (rw).

Although there are several file systems listed, of interest to us will be the tftp, flash and nvram file systems. The remainder of the file systems listed are beyond the scope of this course.

Network file systems include using FTP, trivial FTP (TFTP), or Remote Copy Protocol (RCP). This course focuses on TFTP.

Notice that the flash file system also has an asterisk (*) preceding it, which indicates that this is the current default file system. Recall that the bootable IOS is located in flash; therefore the pound symbol (#) appended to the flash listing indicates that this is a bootable disk.

Cisco IOS File Naming Conventions

The Cisco IOS image file is based on a special naming convention. The name for the Cisco IOS image file contains multiple parts, each with a specific meaning. It is important that you understand this naming convention when upgrading and selecting an IOS.

For example, the filename in the figure is explained as follows:

The first part, c1841, identifies the platform on which the image runs. In this example, the platform is a Cisco 1841.

The second part, ipbase, specifies the feature set. In this case, "ipbase" refers to the basic IP internetworking image. Other feature set possibilities include:

i - Designates the IP feature set

j - Designates the enterprise feature set (all protocols)

s - Designates a PLUS feature set (extra queuing, manipulation, or translations)

56i - Designates 56-bit IPsec DES encryption

3 - Designates the firewall/IDS

k2 - Designates the 3DES IPsec encryption (168 bit)

The third part, mz, indicates where the image runs and if the file is compressed. In this example, "mz" indicates that the file runs from RAM and is compressed.

The fourth part, 12.3-14.T7, is the version number.

The final part, bin, is the file extension. The .bin extension indicates that this is a binary executable file.
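The naming convention above can be checked mechanically when you inventory the images on a TFTP server. The following parser is an added example (not code from the original lecture or from Cisco): it splits a file name into the five parts described above and decodes the feature-set codes from the list on this page. The sample name `c1841-ipbase-mz.123-14.T7.bin` is constructed to match the walk-through (in a file name the version 12.3-14.T7 is written as `123-14.T7`); the run-location letters `f` (flash) and `r` (ROM) are standard Cisco codes not shown on the page.

```python
"""Decode a Cisco IOS image file name into its parts (added example)."""
import re

# Feature-set codes as listed on the page, plus the named set from the walk-through.
FEATURE_CODES = {
    "56i": "56-bit IPsec DES encryption",
    "k2": "3DES IPsec encryption (168 bit)",
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set (extra queuing, manipulation, or translations)",
    "3": "firewall/IDS",
}
NAMED_FEATURE_SETS = {"ipbase": "basic IP internetworking image"}

# 'm' (RAM) comes from the page; 'f' (flash) and 'r' (ROM) are standard codes added here.
RUN_FROM = {"m": "RAM", "f": "flash", "r": "ROM"}

# <platform>-<feature set>-<run location>.<version>.<extension>
_IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z]+\d+[a-z0-9]*)-"
    r"(?P<feature_set>[a-z0-9]+)-"
    r"(?P<run_location>[a-z]{2})\."
    r"(?P<version>\d+-\d+(?:\.[A-Z]+\d*)?)\."
    r"(?P<extension>bin)$"
)


def is_ios_image_name(filename):
    """True if the name follows the platform-featureset-runloc.version.bin convention."""
    return _IMAGE_RE.match(filename) is not None


def decode_feature_set(feature_set):
    """Return human-readable descriptions for a feature-set string such as 'js'."""
    if feature_set in NAMED_FEATURE_SETS:
        return [NAMED_FEATURE_SETS[feature_set]]
    parts, rest = [], feature_set
    while rest:
        # Longest code first so that '56i' and 'k2' win over 'i' and '2'.
        for code in sorted(FEATURE_CODES, key=len, reverse=True):
            if rest.startswith(code):
                parts.append(FEATURE_CODES[code])
                rest = rest[len(code):]
                break
        else:
            parts.append(f"unknown code {rest[0]!r}")
            rest = rest[1:]
    return parts


def decode_version(version):
    """Turn the file-name form '123-14.T7' into the display form '12.3(14)T7'."""
    m = re.match(r"^(\d+)-(\d+)(?:\.([A-Z]+)(\d*))?$", version)
    if not m:
        raise ValueError(f"unrecognised version field: {version!r}")
    base, maint, train, rebuild = m.groups()
    major_minor = f"{base[:-1]}.{base[-1]}"  # '123' -> '12.3'
    return f"{major_minor}({maint}){train or ''}{rebuild or ''}"


def parse_ios_image_name(filename):
    """Return a dict with the decoded parts of an IOS image file name."""
    m = _IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Cisco IOS image name: {filename!r}")
    run_loc = m["run_location"]
    return {
        "platform": m["platform"],
        "feature_set": m["feature_set"],
        "features": decode_feature_set(m["feature_set"]),
        "runs_from": RUN_FROM.get(run_loc[0], "unknown"),
        "compressed": run_loc[1] == "z",   # 'z' = compressed, per the page
        "version": decode_version(m["version"]),
        "extension": m["extension"],
    }


if __name__ == "__main__":
    # Constructed sample matching the page's walk-through.
    for key, value in parse_ios_image_name("c1841-ipbase-mz.123-14.T7.bin").items():
        print(f"{key:12} {value}")
```

Running the script prints the platform `c1841`, the feature set `ipbase` (basic IP internetworking image), that the image runs from RAM and is compressed, and the version `12.3(14)T7`.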

Widely distributed routers need a source or backup location for Cisco IOS software images. Using a network TFTP server allows image and configuration uploads and downloads over the network. The network TFTP server can be another router, a workstation, or a host system.

As any network grows, storage of Cisco IOS software images and configuration files on the central TFTP server enables control of the number and revision level of Cisco IOS images and configuration files that must be maintained.

Before changing a Cisco IOS image on the router, you need to complete these tasks:

Determine the memory required for the update and, if necessary, install additional memory.

Set up and test the file transfer capability between the administrator host and the router.

Schedule the required downtime, normally outside of business hours, for the router to perform the update.

When you are ready to do the update, carry out these steps:

Shut down all interfaces on the router not needed to perform the update.

Back up the current operating system and the current configuration file to a TFTP server.

Load the update for either the operating system or the configuration file.

Test to confirm that the update works properly. If the tests are successful, you can then re-enable the interfaces you disabled. If the tests are not successful, back out the update, determine what went wrong, and start again.

A great challenge for network operators is to minimize the downtime after a router has been compromised and the operating software and configuration data have been erased from persistent storage. The operator must retrieve an archived copy (if one exists) of the configuration and restore a working image to the router. Recovery must then be performed for each affected router, which adds to the total network downtime.

Backing Up IOS Software Image

Basic management tasks include saving backups of your configuration files as well as downloading and installing upgraded configuration files when directed. A software backup image file is created by copying the image file from a router to a network TFTP server.

To copy a Cisco IOS software image from flash memory to the network TFTP server, follow these suggested steps.

Click the Topology and Config buttons in the figure as you progress through each step.

Step 1. Ping the TFTP server to make sure you have access to it.

Step 2. Verify that the TFTP server has sufficient disk space to accommodate the Cisco IOS software image. Use the show flash: command on the router to determine the size of the Cisco IOS image file.

The show flash: command is an important tool to gather information about the router memory and image file. It can determine the following:

Total amount of flash memory on the router

Amount of flash memory available

Name of all the files stored in the flash memory

With steps 1 and 2 completed, now back up the software image.

Step 3. Copy the current system image file from the router to the network TFTP server, using the copy flash: tftp: command in privileged EXEC mode. The command requires you to enter the IP address of the remote host and the names of the source and destination system image files.

During the copy process, exclamation points (!) indicate the progress. Each exclamation point signifies that one UDP segment has successfully transferred.

Restoring IOS Software Images

A router cannot function without its Cisco IOS software. Should the IOS be deleted or become corrupt, an administrator must copy an image to the router for it to become operational again.

One method to accomplish this would be to use the Cisco IOS image that was previously saved to the TFTP server. In the example in the figure, the IOS image on R1 was backed up to a TFTP server connected to R2. R1 is not able to reach that TFTP server in its current state.

When an IOS on a router is accidentally deleted from flash, the router is still operational because the IOS is running in RAM. However, it is crucial that the router is not rebooted at this time since it would not be able to find a valid IOS in flash.

In the figure, the IOS on router R1 has accidentally been deleted from flash. Unfortunately, the router has been rebooted and can no longer load an IOS. It now boots to the ROMmon prompt by default. While in this state, router R1 needs to retrieve the IOS that was previously copied to the TFTP server connected to R2. In this scenario, the TFTP server will be directly connected to router R1. Having made preparations with the TFTP server, carry out the following procedure.

Step 1. Connect the devices.

Connect the PC of the system administrator to the console port on the affected router.

Connect the TFTP server to the first Ethernet port on the router. In the figure, R1 is a Cisco 1841, therefore the port is Fa0/0. Enable the TFTP server and configure it with a static IP address 192.168.1.1/24.

Step 2. Boot the router and set the ROMmon variables.

Because the router does not have a valid Cisco IOS image, the router boots automatically into ROMmon mode. There are very few commands available in ROMmon mode. You can view these commands by typing ? at the rommon> command prompt.

You must enter all of the variables listed in the figure. When you enter the ROMmon variables, be aware of the following:

Variable names are case sensitive.

Do not include any spaces before or after the = symbol.

Where possible, use a text editor to cut and paste the variables into the terminal window. The full line must be typed accurately.

Navigational keys are not operational.

Router R1 must now be configured with the appropriate values to connect to the TFTP server. The syntax of the ROMmon commands is crucial. Although the IP addresses, subnet mask, and image name in the figure are only examples, it is vital that the syntax displayed be followed when configuring the router. Keep in mind that the actual values will vary depending on your configuration.

When you have entered the variables, proceed to the next step.

Step 3. Enter the tftpdnld command at the ROMmon prompt.

The command displays the required environment variables and warns that all existing data in flash will be erased. Type y to proceed, and press Enter. The router attempts to connect to the TFTP server to initiate the download. When connected, the download begins, as indicated by exclamation marks (!). Each ! indicates that one UDP segment has been received by the router.

You can use the reset command to reload the router with the new Cisco IOS image.
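Because a mistyped ROMmon variable (wrong case, a space around `=`, an address that is not on the directly connected subnet) makes tftpdnld fail, it helps to generate and check the lines before pasting them into the terminal, as Step 2 recommends. The script below is an added example, not part of the lecture or of Cisco's tooling. The variable names IP_ADDRESS, IP_SUBNET_MASK, DEFAULT_GATEWAY, TFTP_SERVER and TFTP_FILE are the standard tftpdnld environment variables documented by Cisco; the figure that lists them is not reproduced on this page. The TFTP server address 192.168.1.1/24 matches Step 1; the router address 192.168.1.2 and the image name are constructed sample values.

```python
"""Build and sanity-check the ROMmon variable lines for tftpdnld (added example)."""
import ipaddress
import re

# Standard tftpdnld variables (from Cisco documentation; not listed on this page).
REQUIRED_VARS = ("IP_ADDRESS", "IP_SUBNET_MASK", "DEFAULT_GATEWAY",
                 "TFTP_SERVER", "TFTP_FILE")

# Exactly NAME=VALUE: upper-case name, no spaces on either side of '='.
_LINE_RE = re.compile(r"^([A-Z_]+)=(\S+)$")


def build_rommon_lines(router_ip, mask, gateway, tftp_server, image):
    """Return the lines to paste at the rommon> prompt, one variable per line."""
    values = {
        "IP_ADDRESS": router_ip,
        "IP_SUBNET_MASK": mask,
        "DEFAULT_GATEWAY": gateway,
        "TFTP_SERVER": tftp_server,
        "TFTP_FILE": image,
    }
    return [f"{name}={values[name]}" for name in REQUIRED_VARS]


def check_rommon_lines(lines):
    """Return a list of problems; an empty list means the lines are safe to paste."""
    problems, seen = [], {}
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            problems.append(f"bad syntax (case or spaces around '='): {line!r}")
            continue
        name, value = m.groups()
        if name not in REQUIRED_VARS:
            problems.append(f"unknown variable {name}")
        seen[name] = value
    for name in REQUIRED_VARS:
        if name not in seen:
            problems.append(f"missing variable {name}")
    # Address sanity: every address must parse, and the TFTP server and gateway
    # must share the router's subnet because the server is directly connected.
    try:
        router = ipaddress.IPv4Address(seen["IP_ADDRESS"])
        net = ipaddress.IPv4Network(f"{router}/{seen['IP_SUBNET_MASK']}", strict=False)
        server = ipaddress.IPv4Address(seen["TFTP_SERVER"])
        gateway = ipaddress.IPv4Address(seen["DEFAULT_GATEWAY"])
        if server not in net:
            problems.append(f"TFTP_SERVER {server} is not in {net}")
        if gateway not in net:
            problems.append(f"DEFAULT_GATEWAY {gateway} is not in {net}")
    except (KeyError, ValueError) as exc:
        problems.append(f"address error: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed values: router on Fa0/0 at 192.168.1.2, TFTP server at 192.168.1.1.
    lines = build_rommon_lines("192.168.1.2", "255.255.255.0", "192.168.1.1",
                               "192.168.1.1", "c1841-ipbase-mz.123-14.T7.bin")
    print("\n".join(lines))
    print("problems:", check_rommon_lines(lines) or "none")
```

The check deliberately rejects lines such as `IP_ADDRESS = 192.168.1.2` or `ip_address=192.168.1.2`, which look harmless in a text editor but are exactly the errors the page warns about.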

Cisco IOS Troubleshooting Commands

When you have a valid Cisco IOS image running on all the routers in the network, and all the configurations are backed up, you can manually tune configurations for individual devices to improve their performance in the network.

Two commands that are extensively used in day-to-day network administration are show and debug. The difference between the two is significant. A show command lists the configured parameters and their values. The debug command allows you to trace the execution of a process. Use the show command to verify configurations. Use the debug command to identify traffic flows through interfaces and router processes.

The figure summarizes the characteristics of the show and debug commands. The best time to learn about the output generated by these commands is when a network is fully operational. This way you will be able to recognize what is missing or incorrect when using the commands to troubleshoot a problem network.

Password Recovery

Sometimes a situation arises in which the password for a router must be recovered. This requires physical access to the router (for security reasons) and a connection through the console cable.

The enable password and the enable secret password protect access to privileged EXEC mode and to the configuration modes. The enable password can be recovered, whereas the enable secret password is stored in encrypted form and must be replaced with a new password.

Router Password Recovery Procedure

To recover a router password, do the following:

Prepare the Device

Step 1. Connect to the console port.

Step 2. If you have lost the enable password, you would still have access to user EXEC mode. Type show version at the prompt, and record the configuration register setting.

R1>show version

<show command output omitted>

Configuration register is 0x2102

R1>

The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.

Step 3. Use the power switch to turn off the router, and then turn the router back on.

Step 4. Issue a Break signal from the terminal within 60 seconds of power up to put the router into ROMmon. A Break signal is sent using a break key sequence appropriate for the terminal program and the operating system.

Click Bypass Startup in the figure.

Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the router to bypass the startup configuration where the forgotten enable password is stored.

Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.

Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.

Step 8. Type enable at the Router> prompt. This puts you into enable mode, and you should be able to see the Router# prompt.

Click Access NVRAM in the figure.

Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful! Do not type copy running-config startup-config or you will erase your startup configuration.

Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all the interfaces are currently shut down. Most importantly though, you can now see the passwords (enable password, enable secret, vty, console passwords) either in encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.

Click Reset Passwords in the figure.

Step 11. Type configure terminal. The R1(config)# prompt appears.

Step 12. Type enable secret password to change the enable secret password. For example:

R1(config)# enable secret cisco

Step 13. Issue the no shutdown command on every interface that you want to use. You can issue a show ip interface brief command to confirm that your interface configuration is correct. Every interface that you want to use should display up up.

Step 14. Type config-register configuration_register_setting. The configuration_register_setting is either the value you recorded in Step 2 or 0x2102. For example:

R1(config)#config-register 0x2102

Step 15. Press Ctrl-Z or type end to leave configuration mode. The R1# prompt appears.

Step 16. Type copy running-config startup-config to commit the changes.

You have now completed password recovery. Entering the show version command will confirm that the router will use the configured config register setting on the next reboot.
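The value recorded in Step 2 and restored in Step 14 is easy to forget: a router left at 0x2142 will ignore its startup configuration at the next reload, which is a common and avoidable outage after a password recovery. The following script is an added example (not from the lecture or from Cisco) that parses the register line from `show version` output and reports whether NVRAM is bypassed. The bit meanings it uses (bits 0-3 boot field, bit 6 ignore NVRAM, bit 8 Break disabled) are the standard Cisco configuration-register bits; the `show version` excerpts are constructed samples, and the values 0x2102 and 0x2142 match the procedure above.

```python
"""Audit the configuration register reported by 'show version' (added example)."""
import re

BOOT_FIELD = 0x000F      # bits 0-3: boot field
IGNORE_NVRAM = 0x0040    # bit 6: bypass the startup configuration in NVRAM
BREAK_DISABLED = 0x0100  # bit 8: Break cannot interrupt the boot sequence

# 'show version' prints either "Configuration register is 0x2102" or, after a
# config-register change, "... is 0x2142 (will be 0x2102 at next reload)".
_CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_confreg(show_version_output):
    """Return (current, at_next_reload) register values from 'show version' text."""
    m = _CONFREG_RE.search(show_version_output)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def describe_confreg(value):
    """Decode the register bits that matter for boot and password recovery."""
    boot = value & BOOT_FIELD
    if boot == 0x0:
        boot_desc = "stay in ROMmon"
    elif boot == 0x1:
        boot_desc = "boot the ROM/boot helper image"
    else:
        boot_desc = "boot from flash (per boot system commands)"
    return {
        "boot": boot_desc,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_confreg(show_version_output):
    """Return a list of findings; empty means the register is in its normal state."""
    current, pending = parse_confreg(show_version_output)
    findings = []
    if describe_confreg(current)["ignore_startup_config"]:
        findings.append(f"running with startup-config bypassed (register 0x{current:04x})")
    if describe_confreg(pending)["ignore_startup_config"]:
        findings.append(f"next reload will ignore startup-config (register 0x{pending:04x}); "
                        "set config-register 0x2102 and save")
    if describe_confreg(pending)["boot"] == "stay in ROMmon":
        findings.append(f"next reload stops in ROMmon (boot field 0x0 in 0x{pending:04x})")
    return findings


if __name__ == "__main__":
    # Constructed excerpts: a healthy router and one left in recovery state.
    healthy = "Cisco 1841 (revision 7.0)\nConfiguration register is 0x2102\n"
    left_over = "Cisco 1841 (revision 7.0)\nConfiguration register is 0x2142\n"
    for text in (healthy, left_over):
        print(audit_confreg(text) or "register OK")
```

Running the audit over `show version` output collected from every router after a maintenance window catches a forgotten Step 14 before the next reboot does.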