Overview
Here is one of those Cisco User Service Security feature additions that quite a few people missed, and it can be a very important one for sure. This feature has a fancy name, but a very simple purpose. It aims to ensure we never have to suffer the embarrassment again that comes with an accidentally or maliciously erased IOS image or startup configuration on one of our Cisco devices. The feature does this by taking your IOS image and your startup configuration and placing them in a protected area of memory. In fact, they will not even show up using the normal viewing methods of show flash and commands of that nature. You can see the secured files in ROMMON mode, however.
The Restrictions
- The first restriction is the big one, and it is the one most likely to knock would-be players out of this game. The feature only functions on platforms that support a Personal Computer Memory Card International Association (PCMCIA) Advanced Technology Attachment (ATA) disk. Don’t have one in your old 700 series? When you attempt to enable the resilient configuration or IOS functionality (or both), you will see a message similar to this bummer:
- “032788: APR 19 14:06:36.099 Boston: %IOS_RESILIENCE-5-NO_SUPPORTED_DEVICE : No ATA disk found for storing archives ios_resilience: failed to remove chkpt file”
- You can activate the feature using any management access method, but you can only disable the feature from a console port.
- The feature is vulnerable to a “downgrade” of the IOS in order to load an operating system that does not support the feature, thus providing visibility to the previously secured files.
- Cisco IOS Resilient Configuration does not work in conjunction with network loaded IOS images.
The Configuration and Verification
Are you ready for this? It does not get much simpler. Enter global configuration mode, and then to secure the IOS, use:
secure boot-image
In order to also secure your startup configuration, use:
secure boot-config
Now remember, you will no longer be able to use the show and dir commands you are accustomed to in order to view these files. In order to display the status of this feature and see the files that you are protecting, you will now use:
show secure bootset
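As an added example (not part of the original post or Cisco's own tooling), the small audit below checks a captured running configuration for the two commands above and scans syslog for the %IOS_RESILIENCE-5-NO_SUPPORTED_DEVICE failure quoted earlier, so a device that accepted the commands but never engaged the feature is flagged. It assumes that secure boot-image and secure boot-config appear verbatim in the running configuration and that syslog lines follow the "seq: timestamp host: %FACILITY-SEV-MNEMONIC: text" layout seen in the quoted message; the sample config and log lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample running configuration (hypothetical device, not from the post).
SAMPLE_CONFIG = """\
hostname Boston
!
secure boot-image
secure boot-config
!
logging host 192.0.2.10
"""

# Constructed syslog lines; the first mirrors the failure message quoted in the post.
SAMPLE_SYSLOG = [
    "032788: APR 19 14:06:36.099 Boston: %IOS_RESILIENCE-5-NO_SUPPORTED_DEVICE : "
    "No ATA disk found for storing archives ios_resilience: failed to remove chkpt file",
    "032789: APR 19 14:07:01.120 Boston: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

REQUIRED_COMMANDS = ("secure boot-image", "secure boot-config")

# seq: timestamp host: %FACILITY-SEVERITY-MNEMONIC: message (assumed layout)
SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>.+?) (?P<host>\S+): "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+)\s*: ?(?P<msg>.*)$"
)

def audit_config(config_text: str) -> Dict[str, bool]:
    """Report which of the two resilience commands are present in a config dump."""
    lines = {line.strip() for line in config_text.splitlines()}
    return {cmd: cmd in lines for cmd in REQUIRED_COMMANDS}

def resilience_failures(syslog_lines: List[str]) -> List[dict]:
    """Return parsed IOS_RESILIENCE messages saying the feature could not engage."""
    hits = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m and m["facility"] == "IOS_RESILIENCE" and m["mnemonic"] == "NO_SUPPORTED_DEVICE":
            hits.append(m.groupdict())
    return hits

def resilience_status(config_text: str, syslog_lines: List[str]) -> str:
    """Combine config presence with log evidence; config alone is not proof."""
    present = audit_config(config_text)
    if not all(present.values()):
        missing = [cmd for cmd, ok in present.items() if not ok]
        return "not configured: missing " + ", ".join(missing)
    if resilience_failures(syslog_lines):
        return "configured but not engaged: no supported ATA disk"
    return "configured"

if __name__ == "__main__":
    print(resilience_status(SAMPLE_CONFIG, SAMPLE_SYSLOG))
```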
I am sure you will agree, this feature was a long time in coming to our critical Cisco network devices.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Tags: CCIE, CCIE Security, CCIE Security 3.0