
Nov 6
Common IOS Best Practices
Posted by Michael Lorincz

Hi People, welcome to another exciting edition of my blog. Today I will be covering IOS best practices (some of them at least). While these are specific to Cisco IOS, they are also applicable to other types of Cisco devices. You will find many of these best practices on IOS-XE/NX-OS platforms as well, though the syntax may differ (please verify before attempting to apply).

So why is implementing and following IOS best practices important anyway? That is a valid question, and you may already have some general ideas. "Best practices" is an industry term, and not really specific to a single industry; it is more general and broad. What it really translates to is the established optimal setting or condition for a feature or a subset of features and functions, defined by the manufacturer, the user community, or both. Typically, they provide optimal yet balanced function and security.

Often, Best Practice suggestions are identified and published by the hardware vendor, Cisco in our case. Out of the box, most hardware will work with minimal setup, and that is typical because it is designed to be easy to use out of the box: unboxed and online with minimal configuration by someone onsite who may or may not have a network background.

This ease of use helps network engineers with a range of experience work with the new hardware, and hopefully reduces downtime. However, the minimal configuration approach leaves much to be desired. Often, making something easier makes it less secure, and as one might expect, security concerns abound with the minimal approach. Many of the Best Practices I will suggest today revolve around security and were suggested by Cisco directly.

Being the organizational snob that I am, I appreciate the approach Cisco took to classifying the Best Practices by the plane they enhance. If you recall, traditional routers and switches use a management, control, and data plane, each with its own specific area of purpose in the greater picture of networking. The management plane will be the plane of focus in this blog. As one might assume, this plane governs how the device itself handles management-related functions, so enhanced security in this area is crucial.

If you like the idea of applying Best Practices to your environment but don't have the time or the in-house resources to address them, please ask us about how we can help! We have a team of highly experienced engineers who are ready to apply these and many other best practices. It's worth noting that Lookingpoint is also developing a tool to automate this process; this and many more new enhancements are planned for our exciting cloud-based Acela management and monitoring tool. If interested, please ask your account manager for more details.

This is an incomplete list of some popular Management Plane Best Practices. For a complete Best Practices Assessment across all of your device's networking planes, please reach out to your Lookingpoint Account Manager and request an assessment today, or email us at sales@lookingpoint.com!

Category | Sub Category | Description of Best Practice | Remediation Example

Mgmt Plane | Password Mgmt

The enable secret command is used in order to set the password that grants privileged administrative access to the Cisco IOS system. The enable secret command must be used, rather than the older enable password command. The enable password command uses a weak encryption algorithm.
If no enable secret is set and a password is configured for the console tty line, the console password can be used in order to receive privileged access, even from a remote virtual tty (vty) session. This action is almost certainly unwanted and is another reason to ensure configuration of an enable secret.

!
no enable password
enable secret <enable_secret>
!

Mgmt Plane | Password Mgmt

The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. Note that this command applies the reversible type 7 encoding, so it deters only casual viewing and is not a substitute for enable secret.

!
service password-encryption
!

Mgmt Plane | Disable Unused Services

The HTTP server can be disabled with the no ip http server command in global configuration mode, and the Secure HTTP (HTTPS) server can be disabled with the no ip http secure-server global configuration command.

!
no ip http server
no ip http secure-server
!

Mgmt Plane | EXEC Timeout

In order to set the interval that the EXEC command interpreter waits for user input before it terminates a session, issue the exec-timeout line configuration command. The exec-timeout command must be used in order to log out sessions on vty or tty lines that are left idle. By default, sessions are disconnected after ten minutes of inactivity.

!
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]
!

Mgmt Plane | Keepalives for TCP Sessions

The service tcp-keepalives-in and service tcp-keepalives-out global configuration commands enable a device to send TCP keepalives for TCP sessions. This configuration must be used in order to enable TCP keepalives on inbound connections to the device and outbound connections from the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco IOS device.

!
service tcp-keepalives-in
service tcp-keepalives-out
!

Mgmt Plane | Management Interface Use

The management plane of a device is accessed in-band or out-of-band on a physical or logical management interface. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.

One of the most common interfaces that is used for in-band access to a device is the logical loopback interface. Loopback interfaces are always up, whereas physical interfaces can change state, and the interface can potentially not be accessible. It is recommended to add a loopback interface to each device as a management interface and that it be used exclusively for the management plane. This allows the administrator to apply policies throughout the network for the management plane. Once the loopback interface is configured on a device, it can be used by management plane protocols, such as SSH, SNMP, and syslog, in order to send and receive traffic.

!
interface Loopback0
 ip address <IP> <MASK>
!

Mgmt Plane | Memory Threshold Notifications

The feature Memory Threshold Notification, added in Cisco IOS Software Release 12.3(4)T, allows you to mitigate low-memory conditions on a device. This feature uses two methods in order to accomplish this: Memory Threshold Notification and Memory Reservation.

Memory Threshold Notification generates a log message in order to indicate that free memory on a device has fallen lower than the configured threshold. This configuration example shows how to enable this feature with the memory free low-watermark global configuration command. This enables a device to generate a notification when available free memory falls lower than the specified threshold, and again when available free memory rises to five percent higher than the specified threshold.

!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!

Mgmt Plane | Reserve Memory for Console Access

In Cisco IOS Software Release 12.4(15)T and later, the Reserve Memory for Console Access feature can be used in order to reserve enough memory to ensure console access to a Cisco IOS device for administrative and troubleshooting purposes. This feature is especially beneficial when the device runs low on memory. You can issue the memory reserve console global configuration command in order to enable this feature. This example configures a Cisco IOS device to reserve 4096 kilobytes for this purpose.

!
memory reserve console 4096
!

Mgmt Plane | Disable Smart Install

Disable the Smart Install client functionality after the zero-touch installation is complete by using the no vstack command.

!
no vstack
!
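To check a device against the management-plane items in the table above, here is an added example audit script (my own illustration, not Cisco's or Lookingpoint's tooling) that runs the checks over the text of a running-config. The sample configuration embedded in it is constructed for the demo, and the check names and regexes are my own.

```python
import re
# Constructed running-config excerpt for demonstration; not taken from a real device.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
enable password cisco123
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
ip http server
no ip http secure-server
no vstack
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 10 0
"""
# Global config lines that must be present (each pattern is matched against every line).
REQUIRED = {
    "enable secret configured": r"^enable secret ",
    "service password-encryption": r"^service password-encryption$",
    "service tcp-keepalives-in": r"^service tcp-keepalives-in$",
    "service tcp-keepalives-out": r"^service tcp-keepalives-out$",
    "loopback management interface": r"^interface Loopback\d+$",
    "memory free low-watermark processor": r"^memory free low-watermark processor \d+$",
    "memory reserve console": r"^memory reserve console \d+$",
    "no vstack": r"^no vstack$",
}
# Global config lines that must be absent (IOS shows 'no ip http server' when disabled).
FORBIDDEN = {
    "enable password still set": r"^enable password ",
    "ip http server enabled": r"^ip http server$",
    "ip http secure-server enabled": r"^ip http secure-server$",
}
def audit(config: str) -> list[str]:
    """Return the names of the management-plane checks this config fails."""
    lines = config.splitlines()
    findings = [name for name, pat in REQUIRED.items()
                if not any(re.match(pat, ln) for ln in lines)]
    findings += [name for name, pat in FORBIDDEN.items()
                 if any(re.match(pat, ln) for ln in lines)]
    # Walk each 'line con/aux/vty' block: exec-timeout 0 or 'no exec-timeout' never logs idle sessions out.
    current = None
    for ln in lines:
        if ln.startswith("line "):
            current = ln
        elif current and re.match(r"^ (exec-timeout 0( 0)?|no exec-timeout)$", ln):
            findings.append(f"idle timeout disabled on '{current}'")
        elif not ln.startswith(" "):
            current = None  # left the line block
    return findings
```

Calling audit(SAMPLE_CONFIG) returns the list of failed checks; for a real device, pass it the saved output of show running-config.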


As always if you have any questions on Management Plane Best Practices and would like to schedule a free consultation with us, please reach out to us at sales@lookingpoint.com and we’ll be happy to help!


Written By:

Michael Lorincz, Network Engineer
