Securely Managing Cisco IOS Devices

Out of Band Management

Out of Band Management Networks

  • Network dedicated for the management of network devices

  • Access in/out of the network restricted by ACLs

    • Define which traffic will need to leave network

    • Some management networks will be completely self-contained

  • Size of management network determined by size of the organization

Management Interfaces

  • Dedicated management interface

  • Logically divides the router

  • Segments traffic

Configuration:

  • Create VRF

  • Assign interface to VRF

(The interface selection command was not captured in the original transcript; GigabitEthernet0/1 is shown here because it is the management interface named in the Management Plane Protection section.)

Globo-HQ#conf t
Globo-HQ(config)#vrf definition Mgmt-intf
Globo-HQ(config-vrf)#address-family ipv4
Globo-HQ(config-vrf-af)#exit
Globo-HQ(config-vrf)#exit
Globo-HQ(config)#interface GigabitEthernet0/1
Globo-HQ(config-if)#vrf forwarding Mgmt-intf
Globo-HQ(config-if)#ip add 172.20.1.57 255.255.255.0
Globo-HQ(config-if)#end
Globo-HQ#show ip route vrf Mgmt-intf

Configuring SSH on an IOS Device

Globo-HQ#conf t
Globo-HQ(config)#ip domain-name globomantics.com
Globo-HQ(config)#crypto key generate rsa label HQ-SSH modulus 2048
Globo-HQ(config)#
Globo-HQ(config)#ip ssh version 2
Globo-HQ(config)#username kinda privilege 15 secret Globo456
Globo-HQ(config)#enable password Globo123
Globo-HQ(config)#do show run | include enable
enable password Globo123
Globo-HQ(config)#do show run | include kinda
username kinda privilege 15 secret 5 $1$08Q0$71jkagYJdD2v9RTzgj2xs1
Globo-HQ(config)#service password-encryption
Globo-HQ(config)#do show run | include enable
enable password 7 080640410B16544541
Globo-HQ(config)#line vty 0 4
Globo-HQ(config-line)#transport input ssh
Globo-HQ(config-line)#exit
Globo-HQ(config)#aaa new-model

Configuring a Management ACL

Sample Management ACL - Inbound Traffic

ip access-list extended Management-ACL-In
permit tcp host 172.20.1.15 host 172.20.1.57 eq 22
permit udp host 172.20.1.55 host 172.20.1.57 eq 1812
permit udp host 172.20.1.55 host 172.20.1.57 eq 1813
permit tcp host 172.20.1.55 host 172.20.1.57 eq 49
permit udp host 172.20.1.56 host 172.20.1.57 eq 161
permit udp host 172.20.1.56 host 172.20.1.57 eq 162
permit udp host 172.20.1.40 host 172.20.1.57 eq 123

Sample Management ACL - Logging

ip access-list extended Management-ACL-In
permit tcp host 172.20.1.15 host 172.20.1.57 eq 22
permit udp host 172.20.1.55 host 172.20.1.57 eq 1812
permit udp host 172.20.1.55 host 172.20.1.57 eq 1813
permit ip 172.20.1.0 0.0.0.255 host 172.20.1.57 log

Management Plane Protection

(config)#control-plane host
(config-cp-host)#management-interface gi 0/1 allow ssh snmp
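As an added example (not part of the original course material), the following Python script audits an IOS running-config for the management-plane controls configured in the SSH section and the Management Plane Protection section above: SSH version 2, SSH-only vty lines, an enable secret rather than an enable password, usernames with secrets, aaa new-model, and a control-plane host management-interface. The config excerpt, hostname and interface name are constructed for the example.

```python
import re

# Constructed IOS running-config excerpt (not captured from the page's router);
# it mirrors the SSH and MPP steps above, including the type 7 enable password.
SAMPLE_CONFIG = """\
hostname Globo-HQ
enable password 7 080640410B16544541
username kinda privilege 15 secret 5 $1$08Q0$71jkagYJdD2v9RTzgj2xs1
ip ssh version 2
aaa new-model
!
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
!
line vty 0 4
 transport input ssh
"""

def audit_ios_config(config: str) -> dict:
    """Return {check_name: passed} for the management-plane controls above."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Indented lines belong to the last top-level section (line vty, control-plane host).
    section, vty_inputs, mpp_ifaces = "", [], []
    for ln in lines:
        if not ln.startswith(" "):
            section = ln
            continue
        body = ln.strip()
        if section.startswith("line vty") and body.startswith("transport input"):
            vty_inputs.append(body.split()[2:])   # e.g. ["ssh"] or ["ssh", "telnet"]
        if section == "control-plane host" and body.startswith("management-interface"):
            mpp_ifaces.append(body)
    return {
        "ssh_v2_only": "ip ssh version 2" in lines,
        # 'enable secret' stores a one-way hash; 'enable password' is plaintext or
        # type 7, which is reversible, so it fails even after service password-encryption.
        "enable_secret_not_password": any(ln.startswith("enable secret") for ln in lines)
            and not any(ln.startswith("enable password") for ln in lines),
        # username lines must use 'secret', not 'password'
        "users_use_secret": not any(re.match(r"username \S+.*\bpassword\b", ln) for ln in lines),
        # every vty line block must restrict transport to ssh only
        "vty_ssh_only": bool(vty_inputs) and all(t == ["ssh"] for t in vty_inputs),
        "aaa_new_model": "aaa new-model" in lines,
        "mpp_configured": bool(mpp_ifaces),
    }

def failed_checks(config: str) -> list:
    """Names of the checks that fail, sorted, for quick triage."""
    return sorted(k for k, ok in audit_ios_config(config).items() if not ok)
```

Run against the sample, the only failing check is the enable password, which matches the transcript above where the enable password was left as type 7 rather than replaced with an enable secret.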

Add Lines to In-Band ACLs Denying SSH to the Device

ip access-list extended INBAND-ACL-TEMPLATE
deny tcp any host 172.20.1.57 eq 22
deny tcp any host 192.168.1.15 eq 22