Cisco IOS: It's Not Just for Routing Anymore
May 31, 1999

Administrators can also use NAT for single-host mappings, pool-based mappings and a number of other configurations. Although NAT will not solve all address-conflict dilemmas (any application-level protocol placing IP addresses in the protocol payload--not just the header--will create problems), it provides administrators with flexibility lacking in basic routers.

ACL and VPN in IOS

IOS also includes expanded ACL functionality, as it now monitors standard ACLs (for IP addresses only) for violations. Previous versions of IOS were limited to logging extended ACLs (for IP addresses and port numbers). However, administrators should be aware of the performance implications of implementing ACLs, which require a substantial amount of CPU overhead.
Once the router and receiving syslog host are configured, the building blocks for centralized logging and parsing are in place. Even if you aren't using ACLs, it's quite valuable to have your routers log connection attempts, configuration changes, link-state changes and other auditing information. However, be cautious when using this feature: You can very easily saturate your syslogs if you enable detailed logging.

Security Add-Ons

IOS 12's added VPN options let you securely extend the enterprise. It provides a strong set of VPN additions, including CA (Certificate Authority) interoperability, IKE (Internet Key Exchange) and a secure tunneling capability via IPSec (IP Security). And while Cisco now supports "Kerberized" telnet, IOS 12's IPSec functionality also serves as a transport method for administering routers that don't operate in a Kerberos environment. Both of these options fix the clear-text password threats inherent in the standard telnet-based configuration method.

Another useful--but often unused--feature in some IOS builds is the router's ability to serve as a DHCP server. Rather than request IP addresses over WAN links, remote offices lacking DHCP service can use DHCP pools configured within their local router. This approach eases remote IP-address-management pains.
IOS also keeps your enterprise time-synced using NTP (Network Time Protocol). Enabling NTP within IOS is straightforward: With a hierarchical approach to time distribution, an office's router can reside at the top of the chain. Servers pull time from the router; workstations pull time from the servers. By creating NTP peers, routers cut off from their external time source(s) can maintain their own synchronization. (For more on NTP, see "Getting in Sync: A Look at NTP," www.networkcomputing.com/1002/1002ws1.html.)

With regard to services on the router, Cisco IFS, the IOS File System, is another welcome addition to IOS 12. Forget about being limited to and confused by "write term" and "write conf" commands; IOS has no dependencies on TFTP because it now supports both RCP and FTP on all platforms. Using a more comprehensible syntax, such as copy running-config ftp, IOS provides better options for managing flash images and configuration files. Version 12 adds a set of familiar file-system commands--dir, pwd, cd, more, delete, undelete and fsck--that you can combine on a single command line. For example, copy ftp://username:password@ftp.domain.com/cisco/c3640-is40-mz_120-3.bin flash lets you copy a new IOS image via FTP for upgrading the flash RAM.

Some versions of IOS can also serve as FTP and TFTP servers. It's probably not economically feasible to store multiple flash images on one router, but storing configuration files on other routers for fast, reliable retrieval reduces recovery time during a router failure. Storing multiple images on a router also makes it easier to break in a new version of IOS; it lets you simply revert to the older version.

The rapid rate at which Cisco is deploying new IOS technology has a price: Early releases of IOS 12 had a fair share of bugs, and crashed after being port scanned by nmap. As with any upgrade, thoroughly test this release before you invest in a complete implementation.

Greg Shipley is a Chicago-based consultant. Send your comments on this article to him at gshipley@neohapsis.com.
Combining granular logging capabilities with syslog functionality, IOS 12 lets administrators use their routers to monitor attempted perimeter violations, service violations and strange network anomalies. For example, an administrator can configure routers to forward messages to a single syslog-capable server, creating a centralized logging point (see "Centralized Event Logging," to the right). You can enable ACL monitoring (among other types of message logging) by using the following info in the global configuration mode:
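The article's own router-side command listing is not reproduced on this page. What follows instead is an added example, not from the original article, of the receiving side the text describes: a small Python parser that runs over the kind of messages a router emits to a central syslog host once ACL logging is on (the `%SEC-6-IPACCESSLOGP` messages produced by ACL entries with the `log` keyword, plus the `%SYS-5-CONFIG_I` and `%LINK-3-UPDOWN` messages for configuration and link-state changes). The sample log lines, router name, addresses and the three-port threshold are constructed for illustration; the message formats themselves are the ones IOS uses.

```python
"""Summarize security-relevant Cisco IOS syslog messages (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of what a central syslog host might receive from a
# router whose ACL 101 has `log` on its deny entries. Not from the article.
SAMPLE_LOG = """\
Jun  1 10:01:02 rtr1 12: *Jun  1 10:01:01.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4021) -> 192.0.2.10(23), 1 packet
Jun  1 10:01:03 rtr1 13: *Jun  1 10:01:02.555: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4022) -> 192.0.2.10(22), 1 packet
Jun  1 10:01:04 rtr1 14: *Jun  1 10:01:03.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4023) -> 192.0.2.10(80), 1 packet
Jun  1 10:01:05 rtr1 15: *Jun  1 10:01:04.400: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(53) -> 192.0.2.11(53), 1 packet
Jun  1 10:02:00 rtr1 16: *Jun  1 10:01:59.900: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Jun  1 10:03:00 rtr1 17: *Jun  1 10:02:59.100: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
Jun  1 10:03:01 rtr1 18: *Jun  1 10:03:00.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
"""

# IPACCESSLOGP carries ports (tcp/udp); IPACCESSLOGNP is the port-less form
# for other IP protocols, so the port groups are optional.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:N?P): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>.+)$")
LINK_RE = re.compile(
    r"%(?:LINK-3|LINEPROTO-5)-UPDOWN: (?:Line protocol on )?"
    r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)"
)


def parse_events(text):
    """Turn raw syslog lines into typed event dicts; unrecognized lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = "acl"
            event["count"] = int(event["count"])  # IOS may report summarized counts
            events.append(event)
            continue
        m = CONFIG_RE.search(line)
        if m:
            events.append({"kind": "config", "source": m.group("source")})
            continue
        m = LINK_RE.search(line)
        if m:
            events.append({"kind": "link", **m.groupdict()})
    return events


def summarize(events, port_threshold=3):
    """Aggregate denied traffic per source and list audit events.

    A source that has been denied on port_threshold or more distinct
    destination ports is reported separately, since that pattern is what an
    administrator watching for perimeter probes wants surfaced first.
    The threshold value is a constructed default, not from the article.
    """
    denied = Counter()
    ports = defaultdict(set)
    for e in events:
        if e["kind"] == "acl" and e["action"] == "denied":
            denied[e["src"]] += e["count"]
            if e["dport"]:
                ports[e["src"]].add(int(e["dport"]))
    return {
        "denied_by_src": dict(denied),
        "probed_ports": {s: sorted(p) for s, p in ports.items()},
        "multi_port_sources": sorted(s for s, p in ports.items() if len(p) >= port_threshold),
        "config_changes": [e["source"] for e in events if e["kind"] == "config"],
        "link_changes": [(e["iface"], e["state"]) for e in events if e["kind"] == "link"],
    }


if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two points from the surrounding text carry over to the parser. Because each logged ACL hit becomes a syslog message, the volume caveat is real: put `log` only on the entries whose hits you actually need to see, and size the collector for bursts, since a single noisy source (like the one in the sample) produces one message per probe. And because the router is the only witness to configuration and link-state changes, keeping `%SYS-5-CONFIG_I` and `%LINK-3-UPDOWN` in the same feed as the ACL messages lets one parser correlate "who changed the config" with "what stopped being filtered".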