If you’ve ever had to manage and configure more than a few routers in a production environment, you’ve probably stumbled across questions like these:
Who changed the configuration on a router that stopped working? What was changed?
What’s the difference between the current configuration and the startup configuration?
Do we have a backup of a working configuration?
What was the router configuration before the last mistake was committed to the startup configuration?
Do I have a copy of the configuration that was used a month ago?
How do I rollback from the current mess to the startup configuration without reloading the router?
For the last 20 years, Cisco did almost nothing to help us, so router configuration management was a lucrative niche market for network management vendors offering more and more complex tools with fancy graphic user interfaces. The landscape seemed to change radically with Cisco IOS release 12.4, which includes a number of router configuration management features, including Contextual Configuration Diff utility, Configuration Change Notification and Logging, Configuration archive and Configuration Replace and Rollback. They sounded almost too good to be true, so I decided to give them a few hard tasks. This article describes two of these features: the abilities of the Configuration Change Notification feature and the usage guidelines for the Contextual Configuration Diff feature, their benefits as well as their shortcomings and current limitations.
What’s Going On?
Network managers who implemented centralized Authentication, Authorization and Accounting (AAA) with Cisco’s proprietary TACACS+ protocol long had the ability to log any command executed on the routers in their network; the rest of us could only guess what someone configuring our routers did to them. The Configuration Change Notification feature first introduced in IOS release 12.3(14)T and integrated in mainstream release 12.4 solves this problem – after you configure it, all the configuration commands entered on the router are stored in a circular buffer (you can even specify its length) and optionally sent to syslog server. A typical configuration is shown in Listing 1; you can get the description of individual commands in Cisco IOS documentation.
LISTING 1
Configuration commands for Configuration Change Notification and Logging feature
archive
log config
logging enable
logging size 200
notify syslog
hidekeys
NOTE
The hidekeys command hides the passwords and other sensitive information in log buffer and syslog messages.
After you’ve configured the configuration change logging, all configuration commands are stored in a circular buffer in router’s memory. You can inspect the commands with the show archive log config command, which displays all configuration commands recently entered on the router, or commands entered by a particular user or even within a particular configuration session (from the moment you enter configure terminal to the time you exit the configuration mode). A sample printout of this command is shown in Listing 2.
LISTING 2
Display of logged configuration commands
fw#show archive log config all
idx sess user@line Logged command
1 1 console@console | logging enable
2 1 console@console | logging size 200
3 1 console@console | notify syslog
4 2 console@console |archive
5 2 console@console | log config
6 2 console@console | hidekeys
If you’ve also configured the notify syslog option of the log config configuration command, all configuration commands entered on a router are also sent to the logging subsystem, which delivers them to various logging destinations, including console and syslog hosts. The syslog messages usually contain the username and the configuration command, but they could also report changes in significant data structures. For example, if you add a local user with the username command, the router will generate the two syslog messages in Listing 3.
LISTING 3
Syslog messages generated by security-relevant configuration command
fw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
fw(config)#user x password y
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username x password *****
01:43:06: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
No comments:
Post a Comment