Cisco IOS Command Tips and Tricks - Part 2 - NETSEC


Thursday, August 23, 2018

Cisco IOS Command Tips and Tricks - Part 2

The Cisco IOS command list has grown long, so it has been split into two posts; this is Part 2.


    1. Auto secure

    Cisco also provides a one-step-lockdown-like feature at the command line, called AutoSecure. Its syntax is shown below. AutoSecure changes a lot at once (it disables services such as CDP, finger and the small servers, tightens the console and vty lines, enables SSH and login blocking, and can add strict uRPF and a CBAC firewall on the forwarding plane), so run it interactively (full) in a maintenance window rather than with no-interact, and review what it generated with 'show auto secure config' before saving.

    auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]



    2. Change Site-to-Site VPN Idle Timeout to 5 Minutes

    For an IOS router (the value is in seconds, 60 to 86400):

    R1(config)#crypto ipsec security-association idle-time 300

    For an ASA (vpn-idle-timeout takes minutes, not seconds, so 300 here would be five hours):

    ASA1(config)#group-policy GP_1.1.1.2 attributes
    ASA1(config-group-policy)#vpn-idle-timeout 5
    ASA1(config-group-policy)#vpn-session-timeout none

    'vpn-session-timeout none' removes the maximum session lifetime altogether; keep it only if the tunnel is meant to stay up indefinitely, and make sure the group policy is the default-group-policy of the ipsec-l2l tunnel-group for that peer so it actually applies.

    3. Find Cisco Device Serial Numbers
    Usually 'show version' shows the serial number (and 'show inventory' works on IOS too, listing the SN of every field-replaceable part), but on Nexus you have to use 'show inventory' to get the chassis SN:

    Nexus1# show inventory
    NAME: "Chassis", DESCR: "Nexus5548 Chassis"
    PID: N5K-C5548UP       , VID: V01 , SN: SSI163604J

    NAME: "Module 1", DESCR: "O2 32X10GE/Modular Universal Platform Supervisor"
    PID: N5K-C5548UP       , VID: V01 , SN: FOC1645D5F

    NAME: "Fan 1", DESCR: "Chassis fan module"
    PID: N5548P-FAN        , VID: N/A , SN: N/A

    NAME: "Fan 2", DESCR: "Chassis fan module"
    PID: N5548P-FAN        , VID: N/A , SN: N/A

    NAME: "Power supply 1", DESCR: "AC power supply"
    PID: N55-PAC-750W      , VID: V02 , SN: ART16310D6

    NAME: "Power supply 2", DESCR: "AC power supply"
    PID: N55-PAC-750W      , VID: V02 , SN: ART16310SQ

    NAME: "Module 3", DESCR: "O2 Daughter Card with L3 ASIC"
    PID: N55-D160L3-V2     , VID: V01 , SN: FOC1637NT8

    NAME: "FEX 101 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
    PID: N2K-C2248TP-1GE   , VID: V03 , SN: SSI1637FHK

    NAME: "FEX 101 Module 1", DESCR: "Fabric Extender Module: 48x1GE, 4x10GE Supervisor"
    PID: N2K-C2248TP-1GE   , VID: V03 , SN: FOC1645WH9

    NAME: "FEX 101 Fan 1", DESCR: "Fabric Extender Fan module"
    PID: N2K-C2248-FAN     , VID: N/A , SN: N/A

    NAME: "FEX 101 Power Supply 1", DESCR: "Fabric Extender AC power supply"
    PID: N2200-PAC-400W    , VID: V04 , SN: LIT16390H9

    NAME: "FEX 101 Power Supply 2", DESCR: "Fabric Extender AC power supply"
    PID: N2200-PAC-400W    , VID: V04 , SN: LIT16390HH

    NAME: "FEX 102 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
    PID: N2K-C2248TP-1GE   , VID: V03 , SN: SSI16390DJ
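    Pulling serial numbers out of this output by hand does not scale across a fleet, so here is an added example (not from the original post) of a small Python parser for the NAME/DESCR and PID/VID/SN line pairs that 'show inventory' prints on both IOS and NX-OS. It assumes that two-line layout, treats blank and N/A fields as unknown, and uses a trimmed copy of the output above as its constructed sample input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the "show inventory" output quoted above.
SAMPLE_INVENTORY = """\
NAME: "Chassis", DESCR: "Nexus5548 Chassis"
PID: N5K-C5548UP       , VID: V01 , SN: SSI163604J

NAME: "Module 1", DESCR: "O2 32X10GE/Modular Universal Platform Supervisor"
PID: N5K-C5548UP       , VID: V01 , SN: FOC1645D5F

NAME: "Fan 1", DESCR: "Chassis fan module"
PID: N5548P-FAN        , VID: N/A , SN: N/A

NAME: "Power supply 1", DESCR: "AC power supply"
PID: N55-PAC-750W      , VID: V02 , SN: ART16310D6

NAME: "FEX 101 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
PID: N2K-C2248TP-1GE   , VID: V03 , SN: SSI1637FHK
"""

# A "NAME: ..., DESCR: ..." line is always followed by a "PID: ..., VID: ..., SN: ..." line.
NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)"\s*,\s*DESCR:\s*"(?P<descr>[^"]*)"')
PID_RE = re.compile(r'^PID:\s*(?P<pid>[^,\s]*)\s*,\s*VID:\s*(?P<vid>[^,\s]*)\s*,\s*SN:\s*(?P<sn>\S*)')


def _clean(value: str) -> Optional[str]:
    """Blank and N/A fields (fans, some modules) carry no information; map them to None."""
    return None if value in ("", "N/A") else value


def parse_show_inventory(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per inventory item with keys name, descr, pid, vid, sn."""
    items: List[Dict[str, Optional[str]]] = []
    pending: Optional[Dict[str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            pending = {"name": m.group("name"), "descr": m.group("descr")}
            continue
        m = PID_RE.match(line)
        if m and pending is not None:
            pending.update(pid=_clean(m.group("pid")),
                           vid=_clean(m.group("vid")),
                           sn=_clean(m.group("sn")))
            items.append(pending)
            pending = None
    return items


def chassis_serial(items: List[Dict[str, Optional[str]]]) -> Optional[str]:
    """Chassis SN: the item literally named "Chassis", otherwise the first item listed."""
    for item in items:
        if (item["name"] or "").strip().lower() == "chassis":
            return item["sn"]
    return items[0]["sn"] if items else None


def serialised_parts(items: List[Dict[str, Optional[str]]]):
    """(name, pid, sn) for every part that carries a serial number, e.g. for an asset register."""
    return [(i["name"], i["pid"], i["sn"]) for i in items if i["sn"]]


if __name__ == "__main__":
    parts = parse_show_inventory(SAMPLE_INVENTORY)
    print("chassis SN:", chassis_serial(parts))
    for name, pid, sn in serialised_parts(parts):
        print(f"{name:<20} {pid:<18} {sn}")
```

    Feed it the raw text captured from the device (for example the output of an SSH session) and diff the result against your asset register; a part whose serial changes without a ticket is worth a look.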

    4. Show Commands Information

    show version / show flash / show interfaces
    show processes cpu / show memory / show stacks / show buffers
    show running-config / show startup-config

    Where each lives:
    Flash: the IOS image(s)
    RAM: routing, ARP and other tables plus the running configuration while the router is up; lost on power off
    ROM: POST, bootstrap and the mini-IOS/ROMMON
    NVRAM: startup-config (and the configuration register)


    5. Syslog Writing to Local Disk or Flash Card

    Persistent logging copies the logging buffer to files on a local disk or flash card so that messages survive a reload (the buffer alone does not). 'size' is the total space to use and 'filesize' is the size of each file, so size/filesize is the number of files the router will manage; it warns when that ratio is above about 196:

    Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 16384
    %Warning: the ratio between logging persistent size and logging persistent filesize is 134217728/16384, suggested ratio is less than 196 in order to achieve good system performace

    Raising filesize so the ratio is about 100 (134217728/1342177) stays within the recommendation:

    Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 1342177


    Router#sh log 

    Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

    No Active Message Discriminator.

    No Inactive Message Discriminator.

        Console logging: disabled

        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging:  level debugging, 8665 messages logged, xml disabled,
                        filtering disabled
        Exception Logging: size (4096 bytes)
        Count and timestamp logging messages: disabled
        Persistent logging: enabled, url disk0:/syslog, disk space 134217728 bytes, file size 1342177 bytes, batch size 4096 bytes

    No active filter modules.


        Trap logging: level debugging, 8669 message lines logged

            Logging to 10.2.2.3  (udp port 514, audit disabled,
                  link up),
                  8668 message lines logged, 
                  0 message lines rate-limited, 
                  0 message lines dropped-by-MD, 
                  xml disabled, sequence number disabled
                  filtering disabled
            Logging Source-Interface:       VRF Name:
            Loopback0                       

    Log Buffer (8192 bytes):


    12 EST: %C7600_PLATFORM-SP-3-LOW_BATT: Low Voltage detected for NVRAM Battery
    ........[Omitted]

    Router# copy disk0:/syslog ftp://myuser:<password>@<ftp-server>/syslog

    (The FTP user, password and server above are placeholders.) A password in the copy URL ends up in the terminal history and travels in clear text, so prefer 'copy disk0:/syslog scp://...' to an SSH host where the platform supports it.




    6. Check Router Power Supply Status

    'show environment' reports power supplies, fans, temperatures and the clock battery. Anything other than Normal/OK is what to look for; in the output below the second power supply has failed (12V Output Status: Fail) while the router keeps running on the first one.

    Router#show environment
    SYSTEM POWER SUPPLY STATUS
    ==========================
     Internal Power Supply 1 Type: AC
     Internal Power Supply 1 12V Output Status: Normal

     Internal Power Supply 2 Type: AC
     Internal Power Supply 2 12V Output Status: Fail

    SYSTEM FAN STATUS
    =================
     Fan 1 OK, Low speed setting
     Fan 2 OK, Low speed setting
     Fan 3 OK, Low speed setting
     Fan 4 OK, Low speed setting
     Fan 5 OK, Low speed setting

    SYSTEM TEMPERATURE STATUS
    =========================
     Intake Left temperature: 25 Celsius, Normal
     Intake Right temperature: 22 Celsius, Normal
     Exhaust Right temperature: 29 Celsius, Normal
     Exhaust Left temperature: 31 Celsius, Normal
     CPU temperature: 24 Celsius, Normal
     Power Supply Unit 1 temperature: 24 Celsius, Normal
              
    REAL TIME CLOCK BATTERY STATUS
    ==============================
     Battery OK (checked at power up)

    CPU CORE TEMPERATURE STATUS
    ===========================
      CPU Core current reading, target = 24, reading = 62 : Normal
      CPU Core out of target history in past 1045868.0 mins:
         Consecutive out-of-range mins high water mark: 0.0
         Total minutes out-of-range: 0.0
         Last 5 minutes out-of-range: 0.0
         Last 5 minutes consecutive out-of-range: 0.0
         Last 5 minutes read failure count: 0


    SYSTEM WATTAGE
    ===============
     Motherboard, EHWIC, PVDM, Power Supply and Fan Power consumption = 123.1 W
     Total System Power consumption is: 123.1 W

     Environmental information last updated 00:00:11 ago
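    As an added example (not part of the original post), the following Python check scans 'show environment' output and reports every item whose status is not Normal/OK, so a failed supply like the one above is caught by a script rather than by eye. It assumes the line formats shown above (other platforms word these lines differently) and uses a trimmed copy of that output as constructed sample input.

```python
import re
from typing import List, Tuple

# Constructed sample: the "show environment" output quoted above, trimmed to a few
# lines per section. One power supply reports Fail.
SAMPLE_ENV = """\
SYSTEM POWER SUPPLY STATUS
==========================
 Internal Power Supply 1 Type: AC
 Internal Power Supply 1 12V Output Status: Normal

 Internal Power Supply 2 Type: AC
 Internal Power Supply 2 12V Output Status: Fail

SYSTEM FAN STATUS
=================
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting

SYSTEM TEMPERATURE STATUS
=========================
 Intake Left temperature: 25 Celsius, Normal
 CPU temperature: 24 Celsius, Normal

REAL TIME CLOCK BATTERY STATUS
==============================
 Battery OK (checked at power up)

CPU CORE TEMPERATURE STATUS
===========================
  CPU Core current reading, target = 24, reading = 62 : Normal
"""

# Section headings are upper-case lines ("SYSTEM FAN STATUS"); the "====" underline is ignored.
SECTION_RE = re.compile(r"^[A-Z][A-Z ]+$")

# Each pattern isolates the monitored item and its status word; the first match wins.
STATUS_PATTERNS = [
    re.compile(r"^(?P<item>Internal Power Supply \d+ .*Status):\s*(?P<status>\w+)$"),
    re.compile(r"^(?P<item>.*temperature):.*,\s*(?P<status>\w+)$"),
    re.compile(r"^(?P<item>Fan \d+)\s+(?P<status>\w+)"),
    re.compile(r"^(?P<item>Battery)\s+(?P<status>\w+)"),
    re.compile(r"^(?P<item>CPU Core current reading).*:\s*(?P<status>\w+)$"),
]
HEALTHY = {"normal", "ok"}

Fault = Tuple[str, str, str]  # (section, item, status)


def check_environment(text: str) -> Tuple[int, List[Fault]]:
    """Return (number of items checked, list of items whose status is not healthy)."""
    checked = 0
    faults: List[Fault] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_RE.match(line):
            section = line
            continue
        for pattern in STATUS_PATTERNS:
            m = pattern.match(line)
            if m:
                checked += 1
                if m.group("status").lower() not in HEALTHY:
                    faults.append((section, m.group("item"), m.group("status")))
                break
    return checked, faults


if __name__ == "__main__":
    n, problems = check_environment(SAMPLE_ENV)
    print(f"{n} items checked, {len(problems)} fault(s)")
    for section, item, status in problems:
        print(f"  [{section}] {item}: {status}")
```

    Wire the returned faults into whatever raises tickets; a power supply that reports Fail is also worth correlating with the syslog stream, since a sudden loss of redundancy during a change window is something the on-call engineer should hear about immediately.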


    7. Port-channel: Adding a VLAN Without Downtime

    On trunk links, PortFast and BPDU Guard do not belong in the member interface configuration: PortFast is meant for edge (host) ports, and BPDU Guard will err-disable the link as soon as the neighbouring switch sends a BPDU. Remove them first:

    no spanning-tree portfast
    no spanning-tree bpduguard enable

    Always add or remove VLANs on the port-channel interface; the physical member links inherit the allowed-VLAN list automatically. If a VLAN is added to a physical Layer 2 member interface instead of the logical Layer 2 port-channel, that member's configuration no longer matches the bundle and it is dropped from the EtherChannel.

    For example, to add VLAN 50 to EtherChannel 3 (note the 'add' keyword: 'switchport trunk allowed vlan 50' on its own replaces the whole allowed list with just VLAN 50):
    conf t
    interface port-channel 3
    switchport trunk allowed vlan add 50
    end

    The member port configuration, for comparison:

    show run interface gi0/3
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2-49
    switchport mode trunk
    channel-group 3 mode on
    
    

    The last line, "channel-group 3 mode on", shows that this port is a member of EtherChannel 3. If you add VLAN 50 to the physical port g0/3 instead of to port-channel 3, the port's configuration no longer matches the bundle, it is suspended from EtherChannel 3, and spanning tree has to reconverge. Note also that 'mode on' is a static bundle with no LACP or PAgP negotiation, so the far end will not detect the mismatch for you.


    8. Cisco Switch Lights Meaning

    SYSTEM(SYST) Light

    Overall status of the switch.
    • Off: Switch is not powered on
    • Green: Switch is working fine
    • Amber: Switch is powered on but faulty

    REDUNDANT POWER SUPPLY(RPS) Light

    Provides backup power to the switch if the main supply goes off.
    • Off: RPS is off or not connected
    • Green: RPS is working fine
    • Blinking Green: Providing backup to some other device
    • Amber: RPS is faulty
    • Flashing Amber: RPS is providing backup(primary power off)

    DUPLEX
    Duplex status of the switch ports.
    • Off: Switch port is half duplex
    • Green: Switch port is full duplex

    UTIL
    Utilization status of the switch ports.

    SPEED
    Speed status of the switch ports.
    • Off: Switch port is operating at 10Mbps
    • Green: Switch port is operating at 100Mbps
    • Flashing green: Switch port is operating at 1000Mbps

    STAT
    Status of the switch ports.
    • Off: No device connected/port is administratively down.
    • Green: Device is connected.
    • Blinking green: Port is sending/receiving data.
    • Alternating green amber: Fault in link/Frames experiencing error
    • Amber: Port is blocked by Spanning Tree Protocol

    9. Log Cisco Device Configuration Changes

    9.1 Cisco switches and routers:
    enable
    configure terminal
    archive
    log config
    logging enable
    logging size 200
    hidekeys
    notify syslog
    end

    'logging size 200' keeps the last 200 configuration commands in the local archive (read it with 'show archive log config all'), 'hidekeys' masks passwords and keys in the logged commands, and 'notify syslog' sends each command to syslog as %PARSER-5-CFGLOG_LOGGEDCMD so it also reaches the remote collector. Output from 'show log':

    000430: *Mar  9 22:28:47.046 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
    000431: *Mar  9 22:29:49.936 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:archive
    000432: *Mar  9 22:29:52.738 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:log config
    000433: *Mar  9 22:29:56.966 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:logging enable
    000434: *Mar  9 22:30:04.188 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:logging size 200
    000435: *Mar  9 22:30:10.832 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:hidekeys
    000436: *Mar  9 22:30:15.035 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:notify syslog
    000437: *Mar  9 22:30:22.727 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
    
    


    9.2 Cisco ASA

    ASA syslog messages 111008 and 111010 record the commands a user enters; 111010 is the one for configuration changes. From the syslog reference:

    111008: Message: %ASA-5-111008: User user executed the command string
    Explanation: The user entered any command, with the exception of a show command.
    https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8587071

    111010: Message: %ASA-5-111010: User username , running application-name from IP ip addr , executed cmd
    Explanation: A user made a configuration change.

    • username —The user making the configuration change
    • application-name —The application that the user is running
    • ip addr —The IP address of the management station
    • cmd —The command that the user has executed

    https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8586950

    Both are level-5 (notifications) messages, so syslog to a remote server must be enabled at severity 5 or higher for them to be sent. If you do not want the rest of the level-5 noise, put the message IDs in a logging list and use the list for the trap destination:

    logging list notif-cfg-changes message 111008-111010
    logging list notif-cfg-changes level errors
    logging trap notif-cfg-changes

    Two points about this list. Its criteria are ORed, so 'level errors' adds every message at level 3 (errors) and above on top of the two IDs, which is what makes this cheaper than a plain level-5 trap. And the range 111008-111010 also includes 111009, which records show commands, so use two separate 'message' lines (111008 and 111010) if you want only the configuration changes.
    
    

    Note: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
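    Putting the two message formats together, here is an added example (not from the original post) in Python that parses IOS %PARSER-5-CFGLOG_LOGGEDCMD and %SYS-5-CONFIG_I lines and ASA 111008/111010 lines into one event stream and flags commands that touch credentials, AAA, logging, SNMP, crypto or ACLs. The sample lines are constructed (the IOS ones are taken from the 'show log' output above; the ASA ones follow the documented field layout with made-up users and addresses), the watch-list is an assumption, and the source-IP attribution for IOS events is best effort, since CFGLOG_LOGGEDCMD carries no address and CONFIG_I is only logged when the session leaves configuration mode.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines (IOS lines copied from the post's 'show log' output,
# ASA lines made up to match the 111008/111010 field layout).
SAMPLE_LOGS = [
    "000430: *Mar  9 22:28:47.046 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)",
    "000431: *Mar  9 22:29:49.936 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:archive",
    "000433: *Mar  9 22:29:56.966 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:logging enable",
    "000440: *Mar  9 22:35:01.120 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:username svc-backup privilege 15 secret ******",
    "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 192.168.0.50, executed 'no logging enable'",
    "%ASA-5-111010: User 'ops', running 'ASDM' from IP 192.168.0.77, executed 'interface GigabitEthernet0/1'",
]

IOS_CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<ip>[^)]+)\))?")
IOS_CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
ASA_111008_RE = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command")
ASA_111010_RE = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP (?P<ip>\S+), executed '(?P<cmd>.*)'")

# Assumed watch-list: changes to the audit trail, credentials/AAA, SNMP, crypto and ACLs.
WATCHLIST = [
    re.compile(r"^(no )?(logging|archive)\b"),
    re.compile(r"^(no )?(username|enable (secret|password)|aaa )"),
    re.compile(r"^(no )?(snmp-server|crypto |access-list|ip access-list)"),
]


@dataclass
class ConfigEvent:
    platform: str             # "ios" or "asa"
    user: str
    command: str
    source_ip: Optional[str]  # None when the message carries no address
    app: Optional[str] = None
    sensitive: bool = False


def is_sensitive(command: str) -> bool:
    return any(p.match(command.strip()) for p in WATCHLIST)


def parse_config_events(lines) -> List[ConfigEvent]:
    """Turn mixed IOS/ASA syslog lines into ConfigEvents; CONFIG_I lines only feed IP attribution."""
    events: List[ConfigEvent] = []
    last_ip_by_user: Dict[str, str] = {}  # best-effort: CONFIG_I is logged on leaving config mode
    for line in lines:
        m = IOS_CONFIG_I_RE.search(line)
        if m:
            if m.group("ip"):
                last_ip_by_user[m.group("user")] = m.group("ip")
            continue
        m = IOS_CFGLOG_RE.search(line)
        if m:
            cmd = m.group("cmd").strip()
            events.append(ConfigEvent("ios", m.group("user"), cmd,
                                      last_ip_by_user.get(m.group("user")), None, is_sensitive(cmd)))
            continue
        m = ASA_111010_RE.search(line)
        if m:
            events.append(ConfigEvent("asa", m.group("user"), m.group("cmd"), m.group("ip"),
                                      m.group("app"), is_sensitive(m.group("cmd"))))
            continue
        m = ASA_111008_RE.search(line)
        if m:
            events.append(ConfigEvent("asa", m.group("user"), m.group("cmd"), None, None,
                                      is_sensitive(m.group("cmd"))))
    return events


def sensitive_events(events: List[ConfigEvent]) -> List[ConfigEvent]:
    return [e for e in events if e.sensitive]


if __name__ == "__main__":
    for e in sensitive_events(parse_config_events(SAMPLE_LOGS)):
        print(f"[{e.platform}] {e.user}@{e.source_ip or '?'}: {e.command}")
```

    'no logging enable' on the ASA and a new privilege-15 username on the router are exactly the events that should page someone; note that 'hidekeys' on IOS is why the secret appears as asterisks in the sample, which is what you want on a log line that will be forwarded and stored.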








