582 Appendix C: Cisco IOS to IOS XR Security Transition

Syslog Support

Logging Commands

IOS 12.0S
logging: Configure various syslog attributes.
(config)# logging 10.1.1.1
(config)# logging facility local7
(config)# logging buffered debug
(config)# logging buffered 64000
(config)# no logging console
(config)# logging source-interface Loopback0

IOS XR
logging: Configure various syslog attributes.
(config)# logging buffered 2000000
(config)# logging buffered debug
(config)# logging 10.1.1.1
(config)# logging facility local7
(config)# logging source-interface Loopback0
(config)# logging trap debugging
(config)# logging hostname prefix ThisRouter
(config)# logging history warning
(config)# logging history size 2
(config)# logging console disable

IOS 12.0S
bgp log-neighbor-changes: Enable logging of BGP neighbor status changes (up or down) and resets.
(config)# router bgp 65001
(config-router)# bgp log-neighbor-changes

IOS XR
bgp log neighbor changes: Enable logging of BGP neighbor status changes (up or down) and resets.
(config)# router bgp 65001
(config-bgp)# no bgp log neighbor changes disable
Note that the default is to log BGP neighbor changes. If logging has been disabled, it may be re-enabled as shown here.

IOS 12.0S
log-adjacency-changes: Enable logging of IS-IS adjacency change events and other non-IIH events.
(config)# router is-is Core
(config-router)# log-adjacency-changes

IOS XR
log adjacency changes: Generate a log message when an IS-IS adjacency state changes (up or down).
(config)# router is-is Core
(config-is-is)# log adjacency changes

Logging Correlator Commands

IOS 12.0S
No directly comparable command exists in IOS 12.0S.

IOS XR
logging correlator: Configure various logging correlation rules.
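The correlator described in this row groups related messages instead of reporting each one: a rule names a timeout and a set of message types (category, group and message code), the first matching message opens a window, and later matches inside the window are folded into one correlated event. The following Python script is an added example that models that behaviour; it is not code from the book or from Cisco, the log lines in it are constructed, and it simplifies the IOS XR feature to a single open window per rule.

```python
"""Toy syslog correlator modelled on the IOS XR logging correlator rule:
a rule names a timeout and a set of message types; the first matching
message opens a window and later matches inside the window are folded
into one correlated event.

Added example for this appendix, not code from the book or from Cisco.
The log lines are constructed; the semantics simplify the IOS XR feature.
"""
import re
from dataclasses import dataclass, field

# Cisco-style message header: IOS XR %CATEGORY-GROUP-SEVERITY-CODE
# (e.g. %PKT_INFRA-LINK-3-UPDOWN) or IOS %FACILITY-SEVERITY-MNEMONIC
# (e.g. %LINEPROTO-5-UPDOWN), where the group field is absent.
HEADER_RE = re.compile(
    r"%(?P<category>[A-Z0-9_]+)-(?:(?P<group>[A-Z0-9_]+)-)?"
    r"(?P<severity>[0-7])-(?P<code>[A-Z0-9_]+)"
)


@dataclass(frozen=True)
class Rule:
    name: str
    timeout_ms: int
    members: frozenset  # (category, group, code) triples the rule correlates


@dataclass
class CorrelatedEvent:
    rule: str
    start_ms: int
    messages: list = field(default_factory=list)  # root message first


def parse_header(line):
    """Return (category, group, code) for a syslog line, or None."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    return (m["category"], m["group"], m["code"])


def parse_rule(spec):
    """Parse the argument string of `logging correlator rule`, e.g.
    'alarm1 timeout 600000 PKT_INFRA LINK UPDOWN L2 SONET ALARM'."""
    parts = spec.split()
    if len(parts) < 6 or parts[1] != "timeout":
        raise ValueError("expected: <name> timeout <ms> <category group code>...")
    ids = parts[3:]
    if len(ids) % 3:
        raise ValueError("message identifiers come in category/group/code triples")
    members = frozenset(tuple(ids[i:i + 3]) for i in range(0, len(ids), 3))
    return Rule(parts[0], int(parts[2]), members)


def correlate(rule, messages):
    """messages: iterable of (timestamp_ms, line). Returns (events, passthrough):
    correlated events for lines the rule covers, and all other lines untouched."""
    events, passthrough, current = [], [], None
    for ts, line in sorted(messages):
        key = parse_header(line)
        if key is None or key not in rule.members:
            passthrough.append(line)
            continue
        if current is not None and ts - current.start_ms <= rule.timeout_ms:
            current.messages.append(line)  # inside the window: fold into the event
        else:
            current = CorrelatedEvent(rule.name, ts, [line])  # new root message
            events.append(current)
    return events, passthrough


# Constructed IOS XR-style log lines (timestamps in ms from an arbitrary origin).
SAMPLE_LOG = [
    (0, "RP/0/RP0/CPU0:ifmgr[123]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/0/0/0, changed state to Down"),
    (150, "RP/0/RP0/CPU0:sonet_local[210]: %L2-SONET-4-ALARM : POS0/0/0/0: SLOS"),
    (400, "RP/0/RP0/CPU0:ifmgr[123]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/0/0/0, changed state to Up"),
    (2000, "RP/0/RP0/CPU0:bgp[1050]: %ROUTING-BGP-5-ADJCHANGE : neighbor 10.1.1.1 Down - BGP Notification sent"),
    (700000, "RP/0/RP0/CPU0:ifmgr[123]: %PKT_INFRA-LINK-3-UPDOWN : Interface POS0/0/0/0, changed state to Down"),
]

# The rule from this table's Logging Correlator Commands row.
ALARM1 = parse_rule("alarm1 timeout 600000 PKT_INFRA LINK UPDOWN L2 SONET ALARM")

if __name__ == "__main__":
    events, rest = correlate(ALARM1, SAMPLE_LOG)
    for ev in events:
        print(f"{ev.rule}: {len(ev.messages)} message(s) starting at t={ev.start_ms} ms")
    print(f"{len(rest)} message(s) passed through uncorrelated")
```

On the constructed sample the first three lines collapse into one event, the BGP line (not named by the rule) passes through, and the link flap at 700 s opens a second event because it lies outside the 600 000 ms window.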
(config)# logging events threshold 10
(config)# logging events buffer-size 10000
(config)# logging events level errors
(config)# logging correlator rule alarm1 timeout 600000 PKT_INFRA LINK UPDOWN L2 SONET ALARM
(config)# logging correlator apply-rule alarm1 location all-of-router

Table C-3 Management Plane Security Commands (Continued)

TCP Support

Services Commands

IOS 12.0S
service nagle: Enable the Nagle congestion control algorithm.
(config)# service nagle

IOS XR
No directly comparable command exists in IOS XR. Nagle is turned on by default (on a per-service basis) within IOS XR and is not user-configurable.

IOS 12.0S
service tcp-keepalives-[in | out]: Enable TCP keepalives.
(config)# service tcp-keepalives-in
(config)# service tcp-keepalives-out

IOS XR
No directly comparable command exists in IOS XR. In Cisco IOS XR, each application decides whether to use keepalives or not. This is not user-configurable. The Telnet server sends keepalives every 5 minutes. The Telnet client does not send them. Other TCP-based protocols (BGP, SSH, etc.) have similar built-in keepalive values.

IP TCP Commands / TCP Commands

IOS 12.0S
ip tcp: Configure various TCP attributes.
(config)# ip tcp path-mtu-discovery age-timer 30
(config)# ip tcp window-size 32768
(config)# ip tcp synwait-time 5

IOS XR
tcp: Configure various TCP attributes.
(config)# tcp path-mtu-discovery age-timer 30
(config)# tcp window-size 32768
(config)# tcp synwait-time 5

SSH Support

IP SSH Commands / SSH Commands

IOS 12.0S
ip ssh: Configure various SSH attributes.
(config)# ip ssh time-out 20
(config)# ip ssh authentication-retries 3
(config)# ip ssh version 2
(config)# ip ssh source-interface Loopback0

IOS XR
ssh: Configure various SSH attributes.
(config)# ssh server v2
(config)# ssh timeout 20
(config)# ssh client source-interface Loopback0
(config)# ssh client

IOS 12.0S
To configure a router for SSH, a host name and domain name must first be specified. In addition, an RSA key pair must be generated.
(config)# hostname RouterA
(config)# ip domain-name cisco.com
(config)# crypto key generate rsa

IOS XR
SSH Version 2 (SSHv2) uses Digital Signature Algorithm (DSA) keys. To configure a router for SSH, a host name and domain name must first be specified. In addition, a DSA key pair must be generated.
(config)# hostname RouterA
(config)# domain-name cisco.com
(config)# exit
# crypto key generate dsa

HTTP/HTTPS Support

IP HTTP Commands / HTTP Commands

IOS 12.0S
ip http: Configure various HTTP server attributes. IOS 12.0S does not support running HTTP over SSL.
(config)# ip http access-class 10
(config)# ip http authentication tacacs
(config)# ip http port 8088
(config)# ip http server

IOS XR
http server: Configure various HTTP server attributes. IOS XR supports running HTTP over SSL when enabled.
(config)# http server ssl access-group NOC

FTP/TFTP/SCP/SFTP/rcmd Support

IP FTP Commands / FTP Commands

IOS 12.0S
ip ftp: Configure various FTP client attributes.
(config)# ip ftp source-interface Loopback0
(config)# ip ftp username ftpsess
(config)# ip ftp password s3cr3t
Note that the FTP feature is being removed from IOS 12.0S and the above functionality should be replaced by the Secure Copy (SCP) feature.

IOS XR
ftp: Configure various FTP attributes.
(config)# ftp client anonymous-password s3cr3t
(config)# ftp client source-interface Loopback0

IP TFTP Commands / TFTP Commands

IOS 12.0S
ip tftp source-interface: Configure a TFTP source interface.
(config)# ip tftp source-interface Loopback0

IOS XR
tftp: Configure various TFTP attributes.
(config)# tftp ipv4 server access-list NOC homedir disk0
(config)# tftp client source-interface Loopback0

IP SCP Commands / SFTP Commands

IOS 12.0S
ip scp server enable: Configure the Secure Copy functionality.
(config)# ip scp server enable
Before enabling SCP, you must correctly configure SSH, authentication, and authorization on the router.
IOS XR
SFTP is a feature that provides a secure and authenticated method for copying router configuration or router image files. The SFTP client functionality is provided as part of the SSH component and is always enabled on the router. No additional configuration is required beyond SSH, authentication, and authorization in order to use SFTP services.

IP RCMD Commands / RCP Commands

IOS 12.0S
ip rcmd source-interface: Configure the rcmd source interface.
(config)# ip rcmd source-interface Loopback0

IOS XR
rcp: Configure various rcp attributes.
(config)# rcp client source-interface Loopback0
(config)# rcp client username netadmin1

VTY/Console/Aux Line Support

Line Console Commands

IOS 12.0S
line con 0: Configure various console line attributes.
(config)# line con 0
(config-line)# access-class 10 in
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t

IOS XR
line console: Configure various console line attributes.
(config)# line console
(config-line)# access-class 10 in
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t

Line VTY Commands / Line Default Commands

IOS 12.0S
line vty 0 4: Configure various terminal line attributes.
(config)# line vty 0 4
(config-line)# access-class 10 in
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t
(config-line)# transport preferred ssh

IOS XR
line default: Configure various terminal (VTY) line attributes.
(config)# line default
(config-line)# access-class 20 in
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t
(config-line)# transport preferred ssh

Line Auxiliary Port Commands / Line Template Commands

IOS 12.0S
line aux 0: Configure various auxiliary port attributes.
(config)# line aux 0
(config-line)# access-class 10 in
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t

IOS XR
line template: Configure various auxiliary port attributes.
(config)# line template Use-for-Aux
(config-line)# exec-timeout 60 0
(config-line)# password s3cr3t
Note that the line template command replaces the deprecated aux command.

Banner Support

Banner Commands

IOS 12.0S
banner exec: Define a customized banner that is displayed whenever the EXEC process is initiated.
banner incoming: Define a customized banner that is displayed when there is an incoming connection to a terminal line from a host on the network.
banner login: Define a customized banner that is displayed before the username and password login prompts.
banner motd: Define a customized message-of-the-day banner.
(config)# banner motd "
Unauthorized Access Is Prohibited
Contact support: 800.555.1212
"

IOS XR
banner exec: Define a customized banner that is displayed whenever the EXEC process is initiated.
banner incoming: Define a customized banner that is displayed when there is an incoming connection to a terminal line from a host on the network.
banner login: Define a customized banner that is displayed before the username and password login prompts.
banner motd: Define a customized message-of-the-day banner.
banner prompt-timeout: Define a customized banner that is displayed when there is a login timeout.
(config)# banner motd "
Unauthorized Access Is Prohibited
Contact support: 800.555.1212
"

NetFlow Support

IP Flow Commands / Global Flow Commands

IOS 12.0S
ip [flow-export | flow-sampling-mode]: Configure various NetFlow attributes.
(config)# ip flow-export version 9
(config)# ip flow-export destination 10.10.10.1 9999
(config)# ip flow-sampling-mode packet-interval 100

IOS XR
flow: Configure various NetFlow attributes.
(config)# sampler-map Sample1
(config-sm)# random 1 out-of 1
(config-sm)# exit
(config)# flow exporter-map FlowEx1
(config-fem)# version v9
(config-fem-ver)# options interface-table timeout 120
(config-fem-ver)# options sampler-table timeout 120
(config-fem-ver)# template timeout 30
(config-fem-ver)# template data timeout 30
(config-fem-ver)# template options timeout 30
(config-fem-ver)# exit
(config-fem)# transport udp 9999
(config-fem)# source TenGigE0/2/0/0
(config-fem)# destination 10.10.10.1
(config-fem)# exit
(config)# flow monitor-map FlowMon1
(config-fmm)# cache permanent
(config-fmm)# record ipv4-raw
(config-fmm)# exporter FlowEx1
(config-fmm)# exit

IP Route-Cache Commands / Interface Flow Commands

IOS 12.0S
ip route-cache flow [input | output | sampled]: Configure NetFlow on the selected interface.
(config)# interface POS0/0
(config-if)# ip route-cache flow input sampled

IOS XR
flow: Configure NetFlow on the selected interface.
(config)# interface POS0/0/0/0
(config-if)# flow ipv4 monitor FlowMon1 sampler Sample1 ingress
(config-if)# exit

Fault Services Support

Embedded Event Manager Commands / Fault Manager Commands

IOS 12.0S
event manager: Configure various Embedded Event Manager (EEM) attributes.
(config)# event manager applet linkfail
(config-applet)# event syslog pattern ".*UPDOWN.*"
(config-applet)# action 1.0 syslog priority warnings msg "FLIPFLOP: $_syslog_msg"
# show logging
<output skipped>
4w3d: %HA_EM-5-LOG: linkfail: FLIPFLOP: 4w3d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10, changed state to down

IOS XR
fault manager: Configure various Fault Manager attributes.
(config)# fault manager environment _cron_entry 0-59/2 0-23/1 * * 0-7
(config)# fault manager environment _email_server alpha@cisco.com
(config)# fault manager environment _email_from beta@cisco.com
(config)# fault manager environment _email_to beta@cisco.com
(config)# fault manager environment _email_cc
(config)# fault manager user-policy-directory disk1:user_policy_dir
(config)# fault manager policy gw2_proc_avail.tcl username Bob
(config)# fault manager policy term0_diag_cmds.tcl username Bob

IP Source Tracker

IOS 12.0S
ip source-track: Gather information about traffic flows to a host that is suspected of being under attack.
(config)# ip source-track address-limit 2
! configure syslog interval (minutes)
(config)# ip source-track syslog-interval 2
! configure export interval (seconds)
(config)# ip source-track export-interval 5
! configure victim ip address
(config)# ip source-track 192.168.0.10
# show ip source-track 192.168.0.10 summary
# execute slot 0 show ip source-track cache
# show ip source-track export flows
Caveat: IP Source Tracker supports native IPv4 packets only, not MPLS-encapsulated IPv4 packets.

IOS XR
No directly comparable command exists in IOS XR. IP Source Tracker is not available in IOS XR at the time of this writing. Similar capabilities are provided by telemetry-based instrumentation such as NetFlow data export and other management plane tools.

Global Process Controls

Scheduler Allocate Command

IOS 12.0S
scheduler allocate {interrupt-time} {process-time}: Configure guaranteed CPU time for processes (in microseconds).
(config)# scheduler allocate 4000 400

IOS XR
There is no equivalent configuration in IOS XR. IOS XR uses a microkernel architecture and an underlying Real Time Operating System (RTOS) design that is preemptive, and the scheduler is priority based.
This ensures that context switching between processes is very fast, and the highest-priority threads always have access to the CPU when required.

Boot System Commands

IOS 12.0S
boot system flash: Specify the system image to boot at startup.
(config)# boot system flash disk0:gsr-k4p-mz.120-27.S5.bin

IOS XR
There is no equivalent configuration in IOS XR.

Memory Free Command

IOS 12.0S
memory free low-watermark processor {threshold}: Configure the router to issue a syslog message when available memory falls below the specified threshold.
(config)# memory free low-watermark processor 100000

IOS XR
No directly comparable command exists in IOS XR. Similar functionality is accomplished with IOS XR Fault Manager.

Process CPU Threshold Command

IOS 12.0S
process cpu threshold: Configure the router to issue a syslog message when configured CPU utilization thresholds are crossed.
(config)# process cpu threshold type total rising 30 interval 5 falling 20 interval 5

IOS XR
No directly comparable command exists in IOS XR. Similar functionality is accomplished with IOS XR Fault Manager.

Service Commands

Service Password Command

IOS 12.0S
service password-encryption: Enable encrypted password storage.
(config)# service password-encryption

IOS XR
No such configuration. Passwords are always encrypted in IOS XR.

Service Compress Config Command

IOS 12.0S
service compress-config: Compress startup configuration files.
(config)# service compress-config

IOS XR
No such configuration. IOS XR has a different configuration file management model.

Service PAD Command

IOS 12.0S
no service pad: Disable the X.25 packet assembler/disassembler (PAD) service. (Enabled by default.)
(config)# no service pad

IOS XR
No such configuration. IOS XR does not support PAD.

Service tcp-small-servers Command / Service ipv4 tcp-small-servers Command

IOS 12.0S
no service tcp-small-servers: Disable the minor TCP servers for the Echo, Discard, Chargen, and Daytime services.
When disabled, IOS discards the initial incoming packet (TCP SYN request) and sends a TCP RST packet to the source. (Enabled by default.)
(config)# no service tcp-small-servers

IOS XR
no service ipv4 tcp-small-servers: Disable the minor TCP servers for the Echo, Discard, and Chargen services. TCP small servers are disabled by default.
(config)# no service ipv4 tcp-small-servers

Service udp-small-servers Command / Service ipv4 udp-small-servers Command

IOS 12.0S
no service udp-small-servers: Disable the minor UDP servers for the Echo, Discard, and Chargen services. When disabled, IOS discards the initial incoming packet and sends an ICMP Port Unreachable message (Type 3, Code 3) to the source. (Enabled by default.)
(config)# no service udp-small-servers

IOS XR
no service ipv4 udp-small-servers: Disable the minor UDP servers for the Echo, Discard, and Chargen services. UDP small servers are disabled by default.
(config)# no service ipv4 udp-small-servers

Service Timestamp Commands

IOS 12.0S
service timestamps debug: Configure the system to apply a time stamp to debugging messages.
(config)# service timestamps debug datetime msec localtime

IOS XR
service timestamps debug: Configure the system to apply a time stamp to debugging messages.
(config)# service timestamps debug datetime msec localtime

IOS 12.0S
service timestamps log: Configure the system to apply a time stamp to system logging messages.
(config)# service timestamps log datetime msec localtime

IOS XR
service timestamps log: Configure the system to apply a time stamp to system logging messages.
(config)# service timestamps log datetime msec localtime

Other Global Security Best Practices

IP Finger Command

IOS 12.0S
no ip finger: Disable the finger protocol. (Disabled by default.)
(config)# no ip finger

IOS XR
No such configuration is available or required. IOS XR does not support the finger service.
IOS 12.0S
no service finger: Newer versions of IOS 12.0S may also use this form of the command to disable the finger service.
(config)# no service finger
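The IOS 12.0S column of Table C-3 amounts to a hardening checklist (small servers and PAD off, finger off, password encryption, message timestamps, SSHv2, local and remote logging, and an access-class, exec-timeout and transport preferred ssh on each line). The following Python script is an added example that audits a running configuration against those items; it is not code from the book or from Cisco. It assumes running-config text, so a service the table marks as enabled by default counts as enabled unless its explicit `no service ...` line is present, and the host name, domain and addresses in the sample configuration are constructed.

```python
"""Audit an IOS 12.0S running configuration against the management-plane
hardening items in the IOS 12.0S column of Table C-3.
Added example for this appendix, not code from the book or from Cisco.
Assumes running-config text: a default-enabled service counts as enabled
unless its `no service ...` line is present. Sample values are constructed."""
import re

# (command, exposure when absent); matched as the whole command or as a
# prefix followed by options.
REQUIRED_GLOBAL = [
    ("service password-encryption", "passwords stored in clear text"),
    ("no service tcp-small-servers", "TCP Echo/Discard/Chargen/Daytime servers enabled (12.0S default)"),
    ("no service udp-small-servers", "UDP Echo/Discard/Chargen servers enabled (12.0S default)"),
    ("no service pad", "X.25 PAD service enabled (12.0S default)"),
    ("service timestamps log", "syslog messages carry no time stamp"),
    ("service timestamps debug", "debug messages carry no time stamp"),
    ("ip ssh version 2", "SSH server not restricted to version 2"),
    ("logging buffered", "no local log buffer"),
]
# Commands whose presence the table argues against.
FLAGGED_GLOBAL = [
    ("ip finger", "finger service enabled"),
    ("ip http server", "HTTP management enabled; IOS 12.0S cannot run it over SSL"),
]
LOGGING_HOST_RE = re.compile(r"^logging \d{1,3}(?:\.\d{1,3}){3}$")


def parse_config(text):
    """Split running-config text into top-level commands and `line` blocks
    (sub-commands are the space-indented lines under `line ...`)."""
    top, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # ignore children of non-line blocks
                line_blocks[current].append(raw.strip())
            continue
        cmd, current = raw.strip(), None
        if cmd.startswith("line "):
            current = cmd
            line_blocks[cmd] = []
        else:
            top.append(cmd)
    return top, line_blocks


def _present(cmds, wanted):
    return any(c == wanted or c.startswith(wanted + " ") for c in cmds)


def _audit_line(name, sub):
    out = []
    if not any(s.startswith("access-class ") and s.endswith(" in") for s in sub):
        out.append(f"{name}: no inbound access-class")
    timeouts = [s for s in sub if s.startswith("exec-timeout ")]
    if not timeouts:
        out.append(f"{name}: no explicit exec-timeout")
    elif timeouts[-1].split()[1:3] == ["0", "0"]:   # 0 0 turns the idle timer off
        out.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
    if name.startswith("line vty") and "transport preferred ssh" not in sub:
        out.append(f"{name}: transport preferred ssh not set")
    return out


def audit_ios_config(text):
    """Return a list of findings (empty when every checked item is satisfied)."""
    top, line_blocks = parse_config(text)
    findings = [f"missing '{cmd}': {why}" for cmd, why in REQUIRED_GLOBAL if not _present(top, cmd)]
    findings += [f"present '{cmd}': {why}" for cmd, why in FLAGGED_GLOBAL if _present(top, cmd)]
    if not any(LOGGING_HOST_RE.match(c) for c in top):
        findings.append("missing 'logging <host>': no remote syslog destination")
    for name, sub in line_blocks.items():
        findings.extend(_audit_line(name, sub))
    return findings


# Constructed sample configuration with a few deliberate gaps.
SAMPLE_CONFIG = """
hostname RouterA
ip domain-name example.net
service timestamps log datetime msec localtime
service password-encryption
no service tcp-small-servers
no service pad
ip ssh version 2
ip http server
logging buffered 64000
logging 10.1.1.1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
line con 0
 exec-timeout 60 0
 password s3cr3t
line aux 0
 access-class 10 in
 exec-timeout 0 0
line vty 0 4
 access-class 10 in
 exec-timeout 60 0
 password s3cr3t
"""

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample the audit reports six findings: the missing UDP small-server and debug-timestamp lines, the plaintext HTTP server, the console line without an access-class, the auxiliary line whose exec-timeout 0 0 disables the idle timer, and the VTY lines without transport preferred ssh. Each check corresponds to one IOS 12.0S entry in the table, so the list can be extended in the same shape as further rows are adopted.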