Hi People, welcome to another exciting edition of my blog. Today I will be covering IOS best practices (some of them at least). While these are specific to Cisco IOS, they also apply to other types of Cisco devices. You’ll also find that many of these best practices exist on IOS-XE/NX-OS platforms, although the syntax may differ (please verify before attempting to apply them).
So why is implementing and following IOS best practices important anyway? That’s a valid question, and you may already have some general ideas. “Best Practices” is an industry term, not specific to any single industry; it is general and broad. What it really translates to is the established optimal setting or condition for a feature or a subset of features and functions, defined by the manufacturer, the user community, or both. Typically, they provide optimal yet balanced function and security.
Often, Best Practice suggestions are identified and published by the hardware vendor, Cisco in our case. Out of the box, most hardware will work with minimal setup, and that’s typical because it is designed to be easy to use out of the box: unboxed and brought online with minimal configuration by someone onsite who may or may not have a network background.
This ease of use helps network engineers with a range of experience work with new hardware and hopefully reduces downtime. However, the minimal configuration approach leaves much to be desired. Often, making something easier makes it less secure, and as one might expect, security concerns abound with the minimal approach. Many of the Best Practices I will suggest today revolve around security and were suggested by Cisco directly.
Being the organizational snob that I am, I appreciate the approach Cisco took in classifying the Best Practices by the plane they enhance. If you recall, traditional routers and switches use a management, control, and data plane, each with its own specific purpose in the greater picture of networking. The management plane will be the focus of this blog. As one might assume, this plane governs how the device itself handles management-related functions, so enhanced security in this area is crucial.
If you like the idea of applying Best Practices to your environment but don’t have the time or the in-house resources to address them, please ask us how we can help! We have a team of highly experienced engineers who are ready to apply these and many other best practices. It’s worth noting that Lookingpoint is also developing a tool to automate this process; this and many more new enhancements are planned for our exciting cloud-based Acela Management and Monitoring tool. If interested, please ask your account manager for more details.
This is an incomplete list of some popular Management Plane Best Practices. For a complete Best Practices Assessment across all of your devices’ networking planes, please reach out to your Lookingpoint Account Manager and request an assessment today, or email us at sales@lookingpoint.com!
| Category | Sub Category | Description of Best Practice | Remediation Example |
|---|---|---|---|
| Mgmt Plane | Password Mgmt | The enable secret command is used in order to set the password that grants privileged administrative access to the Cisco IOS system. The enable secret command must be used, rather than the older enable password command. The enable password command uses a weak encryption algorithm. | ! |
| Mgmt Plane | Password Mgmt | The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. | ! |
| Mgmt Plane | Disable Unused Services | The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command. | ! |
| Mgmt Plane | EXEC Timeout | In order to set the interval that the EXEC command interpreter waits for user input before it terminates a session, issue the exec-timeout line configuration command. The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. By default, sessions are disconnected after ten minutes of inactivity. | ! |
| Mgmt Plane | Keepalives for TCP Sessions | The service tcp-keepalives-in and service tcp-keepalives-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This configuration must be used in order to enable TCP keepalives on inbound connections to the device and outbound connections from the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco IOS device. | ! |
| Mgmt Plane | Management Interface Use | The management plane of a device is accessed in-band or out-of-band on a physical or logical management interface. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages. | ! |
| Mgmt Plane | Memory Threshold Notifications | The Memory Threshold Notification feature, added in Cisco IOS Software Release 12.3(4)T, allows you to mitigate low-memory conditions on a device. This feature uses two methods in order to accomplish this: Memory Threshold Notification and Memory Reservation. | ! |
| Mgmt Plane | Reserve Memory for Console Access | In Cisco IOS Software Release 12.4(15)T and later, the Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory. You can issue the memory reserve console global configuration command in order to enable this feature. This example configures a Cisco IOS device to reserve 4096 kilobytes for this purpose. | ! |
| Mgmt Plane | Disable Smart Install | Disable the Smart Install client functionality after the zero-touch installation is complete, using the no vstack command. | ! |
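To show how the items in the table can be checked rather than applied by hand, here is an added example, written for this post and not part of the original or of any Lookingpoint tool: a small Python script that audits a saved running-config against the management-plane items above. The two configs it contains are constructed samples, not output from a real device; the check names are my own; and the Memory Threshold Notification check assumes the feature is configured with memory free low-watermark processor, a command the post does not name.

```python
import re

# Constructed sample running-config with several of the problems listed above.
WEAK_CONFIG = """\
service password-encryption
hostname EDGE-RTR-01
!
enable password 7 PLACEHOLDER-TYPE7-STRING
!
ip http server
no ip http secure-server
!
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample of the same device after remediation (placeholder hash, not a real secret).
HARDENED_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
hostname EDGE-RTR-01
!
enable secret 9 $9$PLACEHOLDER-NOT-A-REAL-HASH
!
no ip http server
no ip http secure-server
!
memory free low-watermark processor 20000
memory reserve console 4096
!
no vstack
!
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a config into its top-level lines and the indented children of each section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and IOS comment lines
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


# Each check receives (top_level_lines, sections) and returns True when compliant.
CHECKS = {
    # enable secret must exist, and the weakly encrypted enable password must not
    "enable_secret": lambda top, _: (any(l.startswith("enable secret ") for l in top)
                                     and not any(l.startswith("enable password ") for l in top)),
    "password_encryption": lambda top, _: "service password-encryption" in top,
    # a disabled server is stored as "no ip http server", so only the positive form is a finding
    "http_disabled": lambda top, _: "ip http server" not in top,
    "https_disabled": lambda top, _: "ip http secure-server" not in top,
    # "exec-timeout 0 0" disables the idle timeout on a line; an absent exec-timeout
    # means the ten-minute default, which the post treats as acceptable
    "exec_timeout": lambda _, sections: not any(
        name.startswith("line ") and any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in kids)
        for name, kids in sections.items()),
    "tcp_keepalives": lambda top, _: ("service tcp-keepalives-in" in top
                                      and "service tcp-keepalives-out" in top),
    # assumption: Memory Threshold Notification is configured with
    # "memory free low-watermark processor <kb>"; the post does not name the command
    "memory_threshold": lambda top, _: any(l.startswith("memory free low-watermark") for l in top),
    "memory_reserve_console": lambda top, _: any(l.startswith("memory reserve console") for l in top),
    "smart_install_disabled": lambda top, _: "no vstack" in top,
}


def audit(text):
    """Return {check_name: compliant?} for one running-config."""
    top, sections = parse_config(text)
    return {name: fn(top, sections) for name, fn in CHECKS.items()}


def failing(text):
    """Sorted names of the checks the config does not satisfy."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: failing = {failing(cfg) or 'none'}")
```

Run it against the text of show running-config saved from a device and the failing list gives you the rows of the table that still need remediation. Note that it only reads configuration: the Management Interface Use row is a design question that cannot be decided from the config alone, so it has no check here.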
As always if you have any questions on Management Plane Best Practices and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!
Michael Lorincz, Network Engineer