Cisco IOS Resilient Configuration: Speed up the recovery process

Has anyone ever hacked into your router and erased the operating system and configuration file from its persistent storage? I hope not 🙂 But if it does happen, the total downtime is the most important challenge for network operators. The operator needs to retrieve an archived copy (if any 🙂) of the configuration and a working image to restore the router. Recovery must then be performed for each affected router, adding to the network downtime.

The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).

The Cisco IOS Resilient Configuration feature is intended to speed up the recovery process. The feature maintains a secure working copy of the router image and the startup configuration at all times. These secure files cannot be removed by the user. This set of image and router running configuration is referred to as the primary bootset.

The following factors were considered in the design of Cisco IOS Resilient Configuration:

  • The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
  • The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
  • The feature automatically detects image or configuration version mismatch.
  • Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
  • The feature can be disabled only through a console session.

 

How to Use Cisco IOS Resilient Configuration:

Archiving a Router Configuration
This task describes how to save a primary bootset to a secure archive in persistent storage.

SUMMARY STEPS
1. enable
2. configure terminal
3. secure boot-image
4. secure boot-config
5. end
6. show secure bootset

Examples:
Router# show secure bootset
IOS resilience router id JMX0704L5GH
IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
file size is 25469248 bytes, run size is 25634900 bytes
Runnable image, entry point 0x80008000, run from ram
IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes
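
A defender-side check of the output above, as an added example that is not part of the original article or of Cisco's tooling: a short Python parser that reads show secure bootset text and reports whether both the image and the configuration are secured. The function names are hypothetical, and the sample input is the output shown above.

```python
import re

# Sample input: the "show secure bootset" output shown in the article.
SAMPLE = """\
Router# show secure bootset
IOS resilience router id JMX0704L5GH
IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
Secure archive slot0:c3745-js2-mz type is image (elf) []
file size is 25469248 bytes, run size is 25634900 bytes
Runnable image, entry point 0x80008000, run from ram
IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
Secure archive slot0:.runcfg-20020616-081702.ar type is config
configuration archive size 1059 bytes
"""

ROUTER_ID = re.compile(r"^IOS resilience router id (\S+)$")
ACTIVATED = re.compile(r"^IOS (image|configuration) resilience version (\S+) activated at (.+)$")
ARCHIVE = re.compile(r"^Secure archive (\S+) type is (image|config)\b")

def parse_bootset(text):
    """Return the router id plus the image/config resilience state (hypothetical helper)."""
    result = {"router_id": None, "image": {}, "config": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := ROUTER_ID.match(line):
            result["router_id"] = m.group(1)
        elif m := ACTIVATED.match(line):
            key = "image" if m.group(1) == "image" else "config"
            result[key].update(version=m.group(2), activated=m.group(3))
        elif m := ARCHIVE.match(line):
            result[m.group(2)]["archive"] = m.group(1)
    return result

def audit_bootset(text):
    """List findings; an empty list means both halves of the primary bootset are secured."""
    state = parse_bootset(text)
    findings = []
    for part in ("image", "config"):
        info = state[part]
        if "activated" not in info:
            findings.append(f"{part} resilience not activated")
        elif "archive" not in info:
            findings.append(f"{part} resilience activated but no secure archive listed")
    return findings
```

Running audit_bootset over collected output from each router gives a quick list of devices where only one of secure boot-image and secure boot-config was applied.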

Restoring an Archived Router Configuration
This task describes how to restore a primary bootset from a secure archive after the router has been tampered with (by an NVRAM erase or a disk format).

Note: To restore an archived primary bootset, Cisco IOS image resilience must have been enabled and a primary bootset previously archived in persistent storage.

SUMMARY STEPS
1. reload
2. dir [filesystem:]
3. boot [partition-number:][filename]
4. no
5. enable
6. configure terminal
7. secure boot-config [restore filename]
8. end
9. copy filename running-config
