Securely Managing Cisco IOS Devices¶
Out of Band Management¶
Out of Band Management Networks¶
Network dedicated for the management of network devices
Access in/out of network restricted by ACLas
Define which traffic will need to leave network
Some management networks will be completely self contained
Size of management network determined by size of the organization
Management Interfaces¶
Dedicated management interface
Logically divides router
Segments traffic
Configuration:
Create VRF
Assign interface to VRF
Globo-HQ#conf t
Globo-HQ(config)#vrf definition Mgmt-intf
Globo-HQ(config-vrf)#address-family ipv4
Globo-HQ(confiq-vrf-af#exit
Globo-HQ(config-vrf)#exit
Globo-HQ(config-if)#vrf forwarding Mgmt-intf
Globo-HO(confia-if)#ip add 172.20.1.57 255.255.255.0
Globo-HQ#show ip route vrf Mgmt-intf
Configuring SSH on an IOS Device¶
Globo-HQ#conf t
Globo-HQ(config)#ip domain-name globomantics.com
Globo-HQ(config)#crypto key generate rsa modulus 2048 label HQ-SSH
Globo-HQ(config)#
Globo-HQ(config)#ip ssh version 2
Globo-HQ(config)#username kinda privilege 15 secret Globo456
Globo-HQ(config)#enable password Globo123
Globo-HQ(config)#do show run include enable
enable password Globo123
Globo-HQ(config)#do show run include kinda
username kinda privilege 15 secret 5 $1$08Q0$71jkagYJdD2v9RTzgj2xs1
GLobo-HQ(config)#service password-encryption
Globo-HQ(config)#do show run include enable
enable password 7 080640410B16544541
Globo-HQ(config)#line vty 0 4
Globo-HQ(config-line)#transport input ssh
Globo-HQ(config-line)#exit
Globo-HQ(config)#aaa new-model
Configuring a Management ACL¶
Sample Management ACL Inbound Traffic¶
ip access-list extended Management-ACL-In
permit tcp host 172.20.1.15 host 172.20.1.57 eq 22
permit udp host 172.20.1.55 host 172.20.1.57 eq 1812
permit udp host 172.20.1.55 host 172.20.1.57 eq 1813
permit tcp host 172.20.1.55 host 172.20.1.57 eq 49
permit udp host 172.20.1.56 host 172.20.1.57 eq 161
permit udp host 172.20.1.56 host 172.20.1.57 eq 162
permit udp host 172.20.1.40 host 172.20.1.57 eq 123
Sample Management ACL - Logging¶
ip access-list extended Management-ACL-In
permit tcp host 172.20.1.15 host 172.20.1.57 eq 22
permit udp host 172.20.1.55 host 172.20.1.57 eq 1812
permit udp host 172.20.1.55 host 172.20.1.57 eq 1813
permit ip 172.20.1.0 0.0.0.255 host 172.20.1.57 log
Management Plane Protection¶
(config)#control-plane host
(config-cp-host)#management-interface gi 0/1 allow ssh snmp
Add Lines to In Band ACLs denying SSH to the Device¶
ip access-list extended INBAND-ACL-TEMPLATE
deny tcp any host 172.20.1.57 eq 22
deny tcp any host 192.168.1.15 eq 22