Chapter 5 – Using Cisco Configuration Professional to protect the network infrastructure
What is Cisco Configuration Professional (CCP)?
CCP = GUI device management tool for managing Cisco routers.
CCP enables administrators to easily organize and manage multiple routers at a single site by grouping those routers together into what CCP calls a device community.
Common tasks performed with CCP
- configuring intrusion prevention systems (IPS),
- configuring virtual private networks (VPN),
- configuring unified communications and many other features on an IOS router,
- monitoring functions,
- troubleshooting a router, and
- grouping routers to form a device community.
Where the CCP files reside:
- locally on the computer (full CCP)
- on the flash file system of the router (CCP Express)
What is CCP Express?
CCP Express is a smaller version of the full CCP GUI tool. It may be preinstalled on the router's flash and run as a Java applet from the computer that connects to the router; some Cisco routers ship from the factory with it preinstalled.
Menu and Option Bars on CCP
The following are the menu and option bars of the CCP GUI. The best way to learn CCP is to experiment with these menus and options by working through different exercises. We describe an option when we first use it; to master all of them, configuration in a real lab with CCP is recommended.
- Menu Bar
  - Manage Community
  - Setup New Device
  - Create User Profile
  - Import User Profile
  - Work offline
  - Help Contents
- Home Button
- Configure Button
- Monitor Button
- Manage Community Icon
- Refresh Icon
- Provide Feedback to Cisco Icon
- Help Icon
- Search Icon
- Left Navigation Pane
- Content Pane
- Status Bar
Prerequisites for using CCP
- Router is powered on
- Router is reachable from your PC (simple ping test)
- CCP is installed on your PC
Using CCP Express preinstalled on router flash to manage the router
On a router with CCP Express preinstalled on flash, use a crossover cable to connect directly from a PC Ethernet interface to the first Ethernet port on the router. Configure your PC to obtain an IP address via a Dynamic Host Configuration Protocol (DHCP) server, and then open a browser to 10.10.10.1. If your PC is not configured to use DHCP, you can assign it a static address in that same 10.10.10.0/24 address space.
Using CCP installed on your PC to manage the router
If you are going to manage an existing router that does not have CCP installed on its flash, you can download CCP from Cisco.com and install it on your local computer. Make sure the following items are in place (the configuration for these tasks is shown in a later section):
- The router should be enabled to support HTTP or HTTPS.
- Authentication for HTTP/HTTPS should be set to use the local database (the running-config) on the router.
- A username with privilege level 15 rights should be created on the router.
What is a community?
A community is a group of routers that share common things (for example, a single geographic location, or all running firewall services). The concept of a community makes it easier for the administrator to work with a group of devices from one common interface.
Number of routers in a community
A single community can contain a maximum of 10 devices. So, if you have 15 routers that you want to manage, you must create at least two communities to support that many devices.
What are templates?
For the same type of configuration applied over and over, do it once and then copy/paste it for the rest. This reusable configuration is called a template.
What is parameterizing?
You have the perfect router configuration that you want to replicate to five more routers. The following describes what you need to do:
- All routers should have different names.
- The template feature enables you to identify the parts of a configuration that you need to change before putting the configuration on a second or third router.
- The template turns the elements you are going to change, such as the hostname, into variables; as you apply the template to new devices, you simply swap out those variables with the new values you want to use (for example, a new hostname for the third router and a different hostname again for the fourth router).
- Using this strategy, we can use the same template over and over again.
- The process of identifying the individual components that change from router to router and converting them to variables is called parameterizing.
What are the applications of the user profile feature? Give an example.
The user profile feature enables you to restrict which features show up as available in the left-side navigation pane of CCP. The profile controls which options are shown, based on which devices the user is managing. For example, you might want to hide the configuration options for a group of Border Gateway Protocol (BGP) routers from the CCP installation that is running on the help desk computers.
Tasks we will perform in this tutorial using CCP
- Setting up your device (PC) with CCP installed to use the router
  - Prepare the router to accept HTTP/HTTPS connections from CCP
- Community tasks
  - Create a community
  - Add devices to the community
  - Discover all the devices in the community
- Create and apply a template
  - Create a template
  - Apply a template
- Create and implement a user profile
  - Create a user profile
  - Apply a user profile
- Perform a Security Audit
Setting up your device (PC) with CCP installed to use the router
Prepare the router to accept HTTP/HTTPS connections from CCP
- Enable the HTTP service on the router so that it can be managed and discovered (less secure):
  - R1(config)#ip http server
- Enable the HTTPS service on the router so that it can be managed and discovered (more secure):
  - R1(config)#ip http secure-server
- Create a local user account on the router with level 15 (privileged mode) permissions and an MD5-hashed password:
  - R1(config)#username admin privilege 15 secret cisco
- Tell the router to request a username and password when people connect via HTTP or HTTPS, and to check the supplied credentials against the local running configuration (also called the local database) before allowing access:
  - R1(config)#ip http authentication local
Create a community
- Use the Manage Community dialog box to create communities. The Manage Community dialog box automatically displays when you start CCP, and a community called New Community is created by default. You can change the default community name.
Add devices to community
- Open Manage Community Dialog Box
- Menu Bar -> Application -> Manage Community
- Tool Bar -> Manage Community
- In the Manage Community dialog box, enter the IP address or hostname and the username and password for each device to configure.
- To have CCP connect securely with the device, check the Connect Securely check box.
- To change the default port, click the down arrow to the right of the device and enter a new port value.
Discover all the devices in the community
- To have CCP discover all the devices in a community, check the Discover All Devices check box.
Create and apply a template
Create a template
- Menu Bar -> Application -> Template -> Create
- Choose one of your discovered routers from the Discovered Router drop-down list, or select a file that can be accessed from your PC to use as the source for the template being created. Click Next to continue.
- Highlight the items that must be replaced before placing the configuration on another router, such as the hostname and IP addresses. After highlighting each item, click the Parameterize button. This identifies those items as variables that need to be replaced before the configuration is applied to another router. Delete any content you do not want included in the new template, and then click Finish.
- Save the file, using an extension of your choice, on a file system reachable from your computer, such as the hard drive. You import this file in a later step.
Apply a template
- Menu Bar -> Application -> Template -> Apply
- Browse for and select the previously saved template file, and then click Next. Click the Find Parameterized Attribute button to search for the previously identified variables and replace them with the values you want to use for the router that will receive this configuration. Then click Next to continue.
- From the drop-down list, select the previously discovered router that you want to apply this new configuration to. You can choose to merge the configuration with the existing router configuration, or to completely override the existing configuration of the router receiving the template. Click Next to continue, followed by the Finish button.
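As an added illustration of the template workflow described in the "What is parameterizing?" section and the create/apply steps above (example code, not CCP's own logic or code from these notes), the following Python script mimics the Parameterize, Find Parameterized Attribute and Apply steps on a constructed sample configuration. The {{NAME}} placeholder syntax and the simplified merge behaviour are assumptions of this example.

```python
import re

SOURCE_CONFIG = """hostname R1
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
ip http secure-server
ip http authentication local
"""  # constructed sample source configuration, not captured from a real router

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def candidates(config):
    """Items an administrator would usually highlight: the hostname and each interface address."""
    return re.findall(r"^hostname (\S+)$", config, re.M) + re.findall(r"^\s*ip address (\S+)", config, re.M)

def parameterize(config, selections):
    """The Parameterize button: replace each selected literal with a {{VARIABLE}} placeholder.
    selections maps variable name -> literal text; matches are whole tokens, so selecting
    10.10.10.1 never touches 10.10.10.10."""
    template = config
    for name, literal in selections.items():
        token = r"(?<![\w.])" + re.escape(literal) + r"(?![\w.])"
        template, count = re.subn(token, "{{" + name + "}}", template)
        if count == 0:
            raise ValueError(f"{literal!r} not found in the source configuration")
    return template

def find_parameterized_attributes(template):
    """The Find Parameterized Attribute button: every variable the template still needs."""
    return sorted(set(PLACEHOLDER.findall(template)))

def apply_template(template, values, existing=None):
    """Render the template for one router. Delivery is refused while any variable is unfilled.
    existing=None overrides the target's configuration; otherwise the rendered lines the target
    lacks are appended (a simplified merge, not CCP's own merge logic)."""
    missing = set(find_parameterized_attributes(template)) - set(values)
    if missing:
        raise ValueError("unfilled variables: " + ", ".join(sorted(missing)))
    rendered = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    if existing is None:
        return rendered
    have = set(existing.splitlines())
    new = [ln for ln in rendered.splitlines() if ln not in have]
    return existing.rstrip("\n") + "\n" + "".join(ln + "\n" for ln in new)
```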
Create and implement a user profile
Create a user profile
- Application -> Create User Profile
- Read the welcome screen and click Next.
- Using the check boxes, select the routers that this user profile will affect, in terms of which features the administrator will be able to configure. Figure 5-10 shows an example of this. Click Next.
- Expand the contents of the folders by clicking the triangle to the left of each item. Repeat this to expand and see the items that make up the viewable options in the navigation pane. For each option, click its icon and select the level of permission you want to give the user of this profile. Figure 5-11 shows an example. When done with your selections, click Next.
- Click the Save User Profile button, and then specify where you want to save this profile. After the user profile is saved as a file, click Finish.
Apply a user profile
- On the computer where you want to apply the restrictive user profile for CCP, from the Application menu, choose Import User Profile.
- Click the Browse button and open the previously saved user profile file. Click Next. From here, you can confirm the settings for this profile, then click Next to apply the user profile to this installation of CCP, and then click Finish.
Perform a Security Audit
- Toolbar -> Configure -> Security -> Security Audit
- Click Perform Security Audit, read the welcome page, and then click Next. If a One-Step Lockdown is desired, that option appears on this page.
- For each interface listed, check either the Inside or Outside check box to indicate where the interface connects, and then click Next.
- The Security Audit Wizard checks the router configuration to identify possible security problems. A screen showing the progress of this action appears, listing all the configuration options being tested and whether the current router configuration passes each test. The Security Audit Report Card screen then appears, showing a list of possible security problems. Click Close to continue.
- Check the Fix It boxes next to any problems that you want CCP to fix. After you have identified what to correct, click Next.
- The CCP Security Audit Wizard may display one or more screens requiring you to enter information to fix certain problems, such as a banner message or details about implementing a firewall, depending on which items are being corrected. Enter the information as required and click the Next button on each of those screens.
- The Summary page of the wizard shows a list of all the configuration changes that Security Audit will make. Click Finish to deliver those changes to your router.
What is One-Step Lockdown?
Another option you can use instead of the interactive Security Audit Wizard is the One-Step Lockdown feature. It addresses several items, particularly those that do not require administrator input, and provides only a subset of the security measures that the full interactive Security Audit can perform.
Other Features of Security Audit
The following are other features of Security Audit. To master them, we recommend performing these tasks using CCP in a lab.
- Disable finger service
- Disable TCP and UDP small Servers Service
- Disable IP BOOTP Server Service
- Disable IP identification Service
- Disable CDP
- Disable IP source route
- Enable Password Encryption Service
- Enable TCP Keepalives for Inbound and Outbound Telnet Sessions
- Enable IP CEF
- Disable IP Gratuitous ARPs
- Set Minimum Password Length to More Than 6 Characters
- Set Authentication Failure Rate to Less Than 3 Retries
- Set TCP SYN-Wait Time to 10 Seconds
- Set Banner
- Enable Logging
- Set Enable Secret Password
- Disable SNMP
- Set Scheduler Interval
- Set Scheduler Allocate
- Set Users
- Enable Telnet Settings
- Disable IP Redirects
- Disable IP Proxy ARP
- Disable IP Directed Broadcast
- Disable MOP Service
- Disable IP Unreachables
- Disable IP Mask Reply
- Enable Unicast RPF on Outside Interfaces
- Enable Firewall on All of the Outside Interfaces
- Set Access Class on HTTP Server Service and vty Lines
- Enable SSH for Access to the Router
- Enable AAA
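The following Python script is an added example (not part of CCP or these notes) that produces a report card in the spirit of the Security Audit over a constructed running-config: the first three checks are the CCP prerequisites from the router preparation section (HTTPS, local HTTP authentication, privilege 15 user), the rest are a subset of the audit items listed above, and fix_it plays the role of the Fix It boxes and the Summary page. The check names, regex patterns and remediation lines are this example's assumptions, not CCP's own logic.

```python
import re

RUNNING_CONFIG = """service tcp-small-servers
username admin privilege 15 secret cisco
ip http server
ip http authentication local
security passwords min-length 6
snmp-server community public RO
line vty 0 4
 transport input telnet
"""  # constructed sample running-config, not captured from a real router

def state(config, pattern):
    """True if the command is set, False if negated with 'no', None if absent; later lines win."""
    result = None
    for ln in (raw.strip() for raw in config.splitlines()):
        if re.fullmatch(r"(no )?" + pattern, ln):
            result = not ln.startswith("no ")
    return result

# Each check returns True when the config passes; the min-length regex accepts only values above 6.
CHECKS = {
    "CCP: HTTPS enabled": lambda c: state(c, "ip http secure-server") is True,
    "CCP: HTTP authentication local": lambda c: state(c, "ip http authentication local") is True,
    "CCP: privilege 15 user": lambda c: state(c, r"username \S+ privilege 15 secret \S+") is True,
    "Disable TCP and UDP small servers": lambda c: not any(state(c, f"service {p}-small-servers") for p in ("tcp", "udp")),
    "Disable CDP": lambda c: state(c, "cdp run") is False,  # on by default: only an explicit "no cdp run" passes
    "Set Minimum Password Length to More Than 6 Characters": lambda c: state(c, r"security passwords min-length (?:[7-9]|[1-9]\d+)") is True,
    "Disable SNMP": lambda c: not state(c, r"snmp-server.*"),
    "Enable SSH for Access to the Router": lambda c: state(c, "transport input ssh") is True,
}

# Lines delivered when Fix It is ticked; SSH has no automatic fix because, as in the wizard, it needs operator input.
FIXES = {
    "CCP: HTTPS enabled": ["ip http secure-server"],
    "Disable TCP and UDP small servers": ["no service tcp-small-servers", "no service udp-small-servers"],
    "Disable CDP": ["no cdp run"],
    "Set Minimum Password Length to More Than 6 Characters": ["security passwords min-length 10"],
    "Disable SNMP": ["no snmp-server"],
}

def report_card(config):
    """Security Audit Report Card: check name -> 'Passed' or 'Not Passed'."""
    return {name: "Passed" if check(config) else "Not Passed" for name, check in CHECKS.items()}

def fix_it(config, selected):
    """Deliver the fixes for the selected checks that currently fail; returns (new_config, summary)."""
    summary = [cmd for name in selected if not CHECKS[name](config) for cmd in FIXES.get(name, [])]
    return config + "".join(cmd + "\n" for cmd in summary), summary
```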