Last week, we looked at Recovering a Router with the Password Recovery Service Disabled. Today we're going to examine a related Cisco IOS security feature, dubbed resilient configuration. This feature enables critical router files, namely the IOS image and configuration, to persist despite destructive events such as deletion of the startup configuration or a format of the Flash filesystem. The feature does not require any external services; all persistent files are stored locally on the router.

Enabling Resilient Configuration

First, a quick review of how Cisco ISR (x800 series) routers work. The binary IOS image used to boot the router is stored on the Flash filesystem, which is a type of memory very similar to that found inside a USB thumbdrive. The startup configuration file is stored on a separate filesystem, NVRAM. The contents of both filesystems can be viewed with the dir command.

Router# dir flash: Directory of flash:/ 1 -rw- 23587052 Jan 9 2010 17:16:58 +00:00 c181x-advipservicesk9-mz.124-24.T.bin 2 -rw- 600 Sep 26 2010 07:28:12 +00:00 vlan.dat 128237568 bytes total (104644608 bytes free) Router# dir nvram: Directory of nvram:/ 189 -rw- 1396 startup-config 190 ---- 24 private-config 191 -rw- 1396 underlying-config 1 -rw- 0 ifIndex-table 2 -rw- 593 IOS-Self-Sig#3401.cer 3 ---- 32 persistent-data 4 -rw- 2945 cwmp_inventory 21 -rw- 581 IOS-Self-Sig#1.cer 196600 bytes total (130616 bytes free)

The resilient image and configuration features are enabled with one command each.

Router(config)# secure boot-image Router(config)# %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image Router(config)# secure boot-config Router(config)# %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]

The combination of the secured IOS image and configuration file is referred to as the bootset. We can verify the secure configuration with the command show secure bootset .

Router# show secure bootset IOS resilience router id FHK110913UQ IOS image resilience version 12.4 activated at 02:00:30 UTC Sun Oct 17 2010 Secure archive flash:c181x-advipservicesk9-mz.124-24.T.bin type is image (elf) [] file size is 23587052 bytes, run size is 23752654 bytes Runnable image, entry point 0x80012000, run from ram IOS configuration resilience version 12.4 activated at 02:00:41 UTC Sun Oct 17 2010 Secure archive flash:.runcfg-20101017-020040.ar type is config configuration archive size 1544 bytes

At this point, we notice that our IOS image file on Flash is now hidden.

Router# dir flash: Directory of flash:/ 2 -rw- 600 Sep 26 2010 07:28:12 +00:00 vlan.dat 128237568 bytes total (104636416 bytes free)

Restoring an Archived Configuration

Now suppose that the router's startup configuration file is erased (accidentally or otherwise) and the router is reloaded. Naturally, it boots with a default configuration. The resilient configuration feature will even appear to be disabled.

Router# erase startup-config Erasing the nvram filesystem will remove all configuration files! Continue? [confirm] [OK] Erase of nvram: complete Router# show startup-config startup-config is not present Router# reload System configuration has been modified. Save? [yes/no]: n Proceed with reload? [confirm] ... Router> enable Router# show secure bootset %IOS image and configuration resilience is not active

To restore our original configuration, we simply have to extract it from the secure archive and save it to Flash. Next, we can replace the current running configuration with the archived config using the configure replace command.

Router(config)# secure boot-config restore flash:archived-config ios resilience:configuration successfully restored as flash:archived-config Router(config)# ^C Router# configure replace flash:archived-config This will apply all necessary additions and deletions to replace the current running configuration with the contents of the specified configuration file, which is assumed to be a complete configuration, not a partial configuration. Enter Y if you are sure you want to proceed. ? [no]: y Total number of passes: 1 Rollback Done Router#

Don't forget to save the running configuration once the restoration is complete ( copy run start ).

Be aware that the resilient configuration file is not automatically updated along with the startup configuration. To update it, you must first delete the existing resilient configuration and issue the secure boot-config command again.

Router(config)# no secure boot-config %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20101017-020040.ar] Router(config)# secure boot-config %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-024745.ar]

Finally, note that the secure bootset features can only be disabled from the console line.

Router(config)# no secure boot-config %You must be logged on the console to apply this command

In fact, attempting to disable either part of the secure bootset generates a handy syslog message to alert administrators:

%IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "

What About the IOS Image?

It turns out that the secure boot image feature works pretty well too. Here we can see that it persists even when the Flash filesystem appears to have been formatted.

Router# format flash: Format operation may take a while. Continue? [confirm] Format operation will destroy all data in "flash:". Continue? [confirm] Writing Monlib sectors... Monlib write complete Format: All system sectors written. OK... Format: Total sectors in formatted partition: 250848 Format: Total bytes in formatted partition: 128434176 Format: Operation completed successfully. Format of flash: complete Router# dir Directory of flash:/ No files in directory 128237568 bytes total (104640512 bytes free) Router# reload Proceed with reload? [confirm] *Oct 17 02:37:37.127: %SYS-5-RELOAD: Reload requested by console. Reload Reason : Reload Command. System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2006 by cisco Systems, Inc. C1800 platform with 131072 Kbytes of main memory with parity disabled Upgrade ROMMON initialized program load complete, entry point: 0x80012000, size: 0xc0c0 Initializing ATA monitor library....... program load complete, entry point: 0x80012000, size: 0xc0c0 Initializing ATA monitor library....... program load complete, entry point: 0x80012000, size: 0x167e724 Self decompressing the image : ################################################# ################################################################################ ################################################################ [OK] Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Thu 26-Feb-09 03:22 by prod_rel_team ... Router> enable Password: Router# dir Directory of flash:/ No files in directory 128237568 bytes total (104640512 bytes free) Router# show version Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2009 by Cisco Systems, Inc. Compiled Thu 26-Feb-09 03:22 by prod_rel_team ...