Month: January 2015

Cisco IOS Configuration Change Logging

Someone or something caused your router to reboot. You want to log configuration changes to rule that out without using TACACS. Here’s what it looks like.


router(config)# archive
router(config-archive)# log config
router(config-archive-log-cfg)# logging enable
router(config-archive-log-cfg)# logging size 1000
router(config-archive-log-cfg)# notify syslog
router(config-archive-log-cfg)#

To display configuration log entries by record number, starting with the first recorded command
show archive log config 1

To display all configuration log entries as they would appear in a configuration file rather than in tabular format
show archive log config all provisioning

To view statistics
show archive log config statistics


router# show archive log config statistics
Config Log Session Info:
        Number of sessions being tracked: 1
        Memory being held: 3909 bytes
        Total memory allocated for session tracking: 187657 bytes
        Total memory freed from session tracking: 183748 bytes

Config Log log-queue Info:
        Number of entries in the log-queue: 63
        Memory being held by the log-queue: 16356 bytes
        Total memory allocated for log entries: 16356 bytes
        Total memory freed from log entries: 0 bytes

For more information: http://www.cisco.com/c/en/us/td/docs/ios/fundamentals/configuration/guide/15_1s/cf_15_1s_book/cf_config-logger.html
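With notify syslog enabled, every logged command also leaves the box as a %PARSER-5-CFGLOG_LOGGEDCMD syslog message, which is what you would actually hunt through after an unexplained reboot. The parser below is an added example, not part of the original post: it assumes the message format "User:<user>  logged command:<cmd>" and runs over a constructed sample feed, flagging commands that reboot the device or weaken the logging and SSH settings this page sets up.

```python
import re
from dataclasses import dataclass

# Syslog message emitted for each logged command under "archive / log config /
# notify syslog" (assumed format: %PARSER-5-CFGLOG_LOGGEDCMD: User:<user>  logged command:<cmd>).
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Commands worth an alert: they reboot the box (the incident in the post),
# blind the config logger, or reopen telnet / SSHv1 on the vty lines.
RISKY = (
    re.compile(r"^reload\b"),
    re.compile(r"^no logging enable\b"),
    re.compile(r"^no archive\b"),
    re.compile(r"^no ip ssh version 2\b"),
    re.compile(r"^transport input .*\btelnet\b"),
)

@dataclass
class CfgEvent:
    user: str
    cmd: str
    raw: str

def parse_cfglog(lines):
    """Return one CfgEvent per config-logger syslog line; other messages are skipped."""
    events = []
    for line in lines:
        m = CFGLOG_RE.search(line)
        if m:
            events.append(CfgEvent(m["user"], m["cmd"].strip(), line.rstrip()))
    return events

def flag_risky(events):
    """Return the subset of events whose command matches a RISKY pattern."""
    return [e for e in events if any(p.search(e.cmd) for p in RISKY)]

# Constructed sample syslog feed (not captured from a real device).
SAMPLE = """\
<189>123: *Jan 12 03:14:07.221: %PARSER-5-CFGLOG_LOGGEDCMD: User:elton  logged command:ip ssh version 2
<189>124: *Jan 12 03:14:19.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:elton  logged command:line vty 0 4
<189>125: *Jan 12 03:14:25.311: %PARSER-5-CFGLOG_LOGGEDCMD: User:elton  logged command:transport input ssh telnet
<189>126: *Jan 12 03:15:02.000: %SYS-5-CONFIG_I: Configured from console by elton on vty0 (10.42.21.81)
<189>127: *Jan 12 03:16:40.118: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no logging enable
<189>128: *Jan 12 03:17:01.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:reload
""".splitlines()

if __name__ == "__main__":
    for e in flag_risky(parse_cfglog(SAMPLE)):
        print(f"ALERT user={e.user} cmd={e.cmd!r}")
```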

Filed under: Cisco, IOS

Configure SSH v2 in Cisco IOS

Set the device’s hostname
hostname hercules

Set the device’s membership to a domain. Generating an RSA key requires a domain name.
ip domain-name routers.eltonoverip.com

Check to see if SSH is already running
show ip ssh

Generate an RSA key
crypto key generate rsa

You will get something like the following:


hercules(config)#crypto key generate rsa
The name for the keys will be hercules.routers.eltonoverip.com
Choose the size of key modules in the range of 360 to 4096 for your
General Purpose Keys.  Choosing a key modulus greater than 512 may take a few minutes

How many bits in the modulus [512]: 2048
%Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

hercules(config)#

If you skipped ip domain-name whateverdomain.com, you will get the following:
% Please define a domain-name first.

Or you could use a more specific command:
crypto key generate rsa general-keys modulus 2048


hercules(config)#crypto key generate rsa general-keys modulus 2048
The name for the keys will be: hercules.eltonoverip.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

*Apr 12 05:12:36.775: %SSH-5-ENABLED: SSH 2.0 has been enabled

At this point, if the output of show ip ssh shows version 1.99, that means the device supports both versions 1 and 2. Note that 1.99 is not an actual version but a marker the server uses to advertise backwards compatibility.

http://en.wikipedia.org/wiki/Secure_Shell#Version_1.99

To run only version 2
ip ssh version 2

Set up a local user
username elton privilege 15 secret cisco

A few more commands


line vty 0 4
  login local

Allow only SSH
transport input ssh

Allow both SSH and telnet
transport input ssh telnet

A few ways to verify

Check if the SSH service is running on the device
show ip ssh

Check who is logged in
who

Check the SSH port
show control-plane host open-ports


hercules#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN

Check active TCP sessions. These are not TCP flows passing through the router but sessions terminated on the router itself.
show tcp


hercules#show tcp

tty194, virtual tty from host Achilles
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 10.42.21.109, Local port: 22
Foreign host: 10.42.21.81, Foreign port: 2326
Connection tableid (VRF): 0

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0x1838E4):
Timer          Starts    Wakeups            Next
Retrans            13          0             0x0
TimeWait            0          0             0x0
AckHold             9          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss: 1184651233  snduna: 1184653125  sndnxt: 1184653125     sndwnd:  17104
irs: 3330383746  rcvnxt: 3330385707  rcvwnd:       3800  delrcvwnd:    328

SRTT: 247 ms, RTTO: 663 ms, RTV: 416 ms, KRTT: 0 ms
minRTT: 4 ms, maxRTT: 300 ms, ACK hold: 200 ms
Status Flags: passive open, active open
Option Flags: 0x1000000
IP Precedence value : 6

TCB is waiting for TCP Process (55)

Datagrams (max data segment is 1460 bytes):
Rcvd: 20 (out of order: 0), with data: 12, total data bytes: 1960
Sent: 17 (retransmit: 0, fastretransmit: 0, partialack: 0, Second Congestion: 0), with data: 14, total data bytes: 1891
 Packets received in fast path: 0, fast processed: 0, slow path: 0
 fast lock acquisition failures: 0, slow path: 0
hercules#
Filed under: Cisco, IOS