IOS Resilient Configuration

By stretch | Monday, October 18, 2010 at 2:10 a.m. UTC

Last week, we looked at Recovering a Router with the Password Recovery Service Disabled. Today we're going to examine a related Cisco IOS security feature, dubbed resilient configuration. This feature enables critical router files, namely the IOS image and configuration, to persist despite destructive events such as deletion of the startup configuration or a format of the Flash filesystem. The feature does not require any external services; all persistent files are stored locally on the router.

Enabling Resilient Configuration

First, a quick review of how Cisco ISR (x800 series) routers work. The binary IOS image used to boot the router is stored on the Flash filesystem, which is a type of memory very similar to that found inside a USB thumb drive. The startup configuration file is stored on a separate filesystem, NVRAM. The contents of both filesystems can be viewed with the dir command.

Router# dir flash:
Directory of flash:/

    1  -rw-    23587052   Jan 9 2010 17:16:58 +00:00  c181x-advipservicesk9-mz.124-24.T.bin
    2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat

128237568 bytes total (104644608 bytes free)
Router# dir nvram:
Directory of nvram:/

  189  -rw-        1396                      startup-config
  190  ----          24                      private-config
  191  -rw-        1396                      underlying-config
    1  -rw-           0                      ifIndex-table
    2  -rw-         593                      IOS-Self-Sig#3401.cer
    3  ----          32                      persistent-data
    4  -rw-        2945                      cwmp_inventory
   21  -rw-         581                      IOS-Self-Sig#1.cer

196600 bytes total (130616 bytes free)

The resilient image and configuration features are enabled with one command each.

Router(config)# secure boot-image
Router(config)#
%IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
Router(config)# secure boot-config
Router(config)#
%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]

The combination of the secured IOS image and configuration file is referred to as the bootset. We can verify the secure configuration with the command show secure bootset.

Router# show secure bootset
IOS resilience router id FHK110913UQ

IOS image resilience version 12.4 activated at 02:00:30 UTC Sun Oct 17 2010
Secure archive flash:c181x-advipservicesk9-mz.124-24.T.bin type is image (elf) []
  file size is 23587052 bytes, run size is 23752654 bytes
  Runnable image, entry point 0x80012000, run from ram

IOS configuration resilience version 12.4 activated at 02:00:41 UTC Sun Oct 17 2010
Secure archive flash:.runcfg-20101017-020040.ar type is config
configuration archive size 1544 bytes

At this point, we notice that our IOS image file on Flash is now hidden.

Router# dir flash:
Directory of flash:/

2  -rw-         600  Sep 26 2010 07:28:12 +00:00  vlan.dat

128237568 bytes total (104636416 bytes free)

Restoring an Archived Configuration

Now suppose that the router's startup configuration file is erased (accidentally or otherwise) and the router is reloaded. Naturally, it boots with a default configuration. The resilient configuration feature will even appear to be disabled.

Router# erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router# show startup-config
startup-config is not present
Router# reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
...
Router> enable
Router# show secure bootset
%IOS image and configuration resilience is not active

To restore our original configuration, we simply have to extract it from the secure archive and save it to Flash. Next, we can replace the current running configuration with the archived config using the configure replace command.

Router(config)# secure boot-config restore flash:archived-config
ios resilience:configuration successfully restored as flash:archived-config
Router(config)# ^C
Router# configure replace flash:archived-config
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Total number of passes: 1
Rollback Done

Router#

Don't forget to save the running configuration once the restoration is complete (copy run start).

Be aware that the resilient configuration file is not automatically updated along with the startup configuration. To update it, you must first delete the existing resilient configuration and issue the secure boot-config command again.

Router(config)# no secure boot-config
%IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20101017-020040.ar]
Router(config)# secure boot-config
%IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-024745.ar]

Finally, note that the secure bootset features can only be disabled from the console line.

Router(config)# no secure boot-config
%You must be logged on the console to apply this command

In fact, attempting to disable either part of the secure bootset generates a handy syslog message to alert administrators:

%IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "
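As an added example (not part of the original post), a small Python triage script that classifies the IOS_RESILIENCE syslog messages shown in this article and in the comments below, flags the ones worth an administrator's attention, and keeps track of which config archive should currently be present on Flash. The sample log lines are constructed: the router name, timestamps and the vty address are made up, and the message texts are copied from this page.

```python
import re

# Constructed sample syslog lines modelled on the messages shown in this post and its comments.
SAMPLE_LOGS = """\
Oct 17 02:00:30 rtr1 %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
Oct 17 02:00:41 rtr1 %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-020040.ar]
Oct 17 02:47:45 rtr1 %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20101017-020040.ar]
Oct 17 02:47:46 rtr1 %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20101017-024745.ar]
Oct 17 03:10:02 rtr1 %IOS_RESILIENCE-5-NON_CONSOLE_ACCESS: Non console configuration request denied for command "no secure boot-config "
Oct 17 03:11:15 rtr1 %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
"""
# Standard IOS syslog layout: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)")
ARCHIVE_RE = re.compile(r"(flash:\.runcfg-\d{8}-\d{6}\.ar)")

# Triage level per mnemonic; IOS itself logs all of these at severity 5.
TRIAGE = {
    "NON_CONSOLE_ACCESS": "alert",      # attempt to disable the bootset from a vty/aux session
    "CONFIG_RESIL_INACTIVE": "warning", # archive removed; expected only during a deliberate refresh
    "IMAGE_NOTFOUND": "warning",        # secure boot-image did not engage (Marco's 2811)
    "NO_SUPPORTED_DEVICE": "warning",   # no ATA flash to hold the archive (moha's GNS3 router)
    "CONFIG_RESIL_ACTIVE": "info",
    "IMAGE_RESIL_ACTIVE": "info",
}

def classify(line):
    """Return a triage record for an IOS_RESILIENCE message, or None for anything else."""
    m = MSG_RE.search(line)
    if not m or m.group("fac") != "IOS_RESILIENCE":
        return None
    mnem, text = m.group("mnem"), m.group("text")
    arch = ARCHIVE_RE.search(text)
    return {"mnemonic": mnem, "triage": TRIAGE.get(mnem, "review"),
            "archive": arch.group(1) if arch else None, "text": text}

def audit(log_text):
    """Collect alert/warning events and track which config archive should be on flash."""
    alerts, current_archive = [], None
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        if rec["mnemonic"] == "CONFIG_RESIL_ACTIVE":
            current_archive = rec["archive"]
        elif rec["mnemonic"] == "CONFIG_RESIL_INACTIVE":
            current_archive = None
        if rec["triage"] in ("alert", "warning"):
            alerts.append((rec["triage"], rec["mnemonic"], rec["text"]))
    return {"alerts": alerts, "current_archive": current_archive}
```

Running audit(SAMPLE_LOGS) reports the CONFIG_RESIL_INACTIVE warning and the NON_CONSOLE_ACCESS alert, and returns flash:.runcfg-20101017-024745.ar as the archive that should currently be present on Flash.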

What About the IOS Image?

It turns out that the secure boot image feature works pretty well too. Here we can see that it persists even when the Flash filesystem appears to have been formatted.

Router# format flash:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:".  Continue? [confirm]
Writing Monlib sectors...
Monlib write complete

Format: All system sectors written. OK...

Format: Total sectors in formatted partition: 250848
Format: Total bytes in formatted partition: 128434176
Format: Operation completed successfully.

Format of flash: complete
Router# dir
Directory of flash:/

No files in directory

128237568 bytes total (104640512 bytes free)
Router# reload
Proceed with reload? [confirm]

*Oct 17 02:37:37.127: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled

Upgrade ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0

Initializing ATA monitor library.......

program load complete, entry point: 0x80012000, size: 0x167e724
Self decompressing the image : #################################################
################################################################################
################################################################ [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team
...
Router> enable
Password:
Router# dir
Directory of flash:/

No files in directory

128237568 bytes total (104640512 bytes free)
Router# show version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 26-Feb-09 03:22 by prod_rel_team
...

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.


Comments


Shahid Mushtaq (guest)
October 18, 2010 at 8:24 a.m. UTC

Thanks,

Good to know the secrets.

Regards,

Shahid (Bxperts)


xinhui0424
October 18, 2010 at 1:26 p.m. UTC

perfect! amazing tricks! thanks!


JL (guest)
October 18, 2010 at 3:34 p.m. UTC

Good stuff, just tested the feature on 15.1(2)T1


Marco Rizzi (guest)
October 18, 2010 at 7:02 p.m. UTC

Nice one Jeremy ! This feature is extremely useful to protect against the always tricky question: "Erase flash: before copying? [confirm]" :-)

Anyway, it worked for me on 1841s, with the same 12.4-24T as you, but on the 2811s I had:

Press RETURN to get started!

Router>ena
Router#sh ver | i bin
System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T3.bin"
Router#conf t 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#secure boot-image
Router(config)#
*Oct 18 18:52:48.515: %IOS_RESILIENCE-5-IMAGE_NOTFOUND: Running image not found on removable disk

Then I have the filesystem locked:

Router#copy flash:WLE flash:TEST 
Destination filename [TEST]? 
Erase flash: before copying? [confirm]n
%Error opening flash:TEST (Device in exclusive use)
Router#

On the doc-cd it seems that the boot-image filename is the same as listed in the show ver but...Any clue about this ?

thanks for the interesting topic
Marco


JohnB
October 25, 2010 at 2:19 p.m. UTC

Finally, note that the secure bootset features can only be disabled from the console line.

So that means unless you have some kind of physical console access to a remote router (terminal/console server, modem, etc), you can't really save configuration changes so they survive being erased from nvram?


jsicuran
October 25, 2010 at 7:20 p.m. UTC

good stuff 15.x is neat too. Has anyone played with the output parser sh run partition?


James (guest)
March 13, 2011 at 3:09 p.m. UTC

Great explanation...
Very much fairly that in the Cisco page.

Thank you.


moha (guest)
June 8, 2011 at 1:45 p.m. UTC

*Mar 1 00:05:53.415: %IOS_RESILIENCE-5-NO_SUPPORTED_DEVICE: No ATA disk found for storing archivesios resilience:failed to remove chkpt file

I am using GNS3. After issuing secure boot-config I keep getting this message; does anyone know what I have to do? Thanks in advance


pipalica
August 23, 2011 at 10:12 p.m. UTC

Tx, great explanation, simply


wolowitz (guest)
December 21, 2011 at 1:49 p.m. UTC

great stuff!


CANSignal (guest)
February 16, 2012 at 5:21 p.m. UTC

This is a great post!! I had a problem with a hacker within and if only I knew this existed, I could have saved myself weeks worth of work!!! Now I know.


0vidiu
February 22, 2012 at 9:36 a.m. UTC

I wonder what happens if you combine it with boot config flash:startup nvbypass?


A guest
August 7, 2012 at 12:22 p.m. UTC

I don't know if it was just my box or if I hit a bug or something buuuuut, when I reloaded a box with this feature enabled (881) it didn't find the IOS image. That was 12.4(24)T7.

Doing a dir of flash in rommon showed only the DHCP static bindings file I had created. I expected not to see the config file but not that the IOS file wouldn't be seen. I tried to boot from rommon but it failed. I DIDN'T try to boot and specify the filename. It didn't occur to me at the time.

I did a tftpdnld -r and once the image loaded into memory (not written to flash) it came up with the correct config. Caveat emptor.


Pawel (guest)
March 18, 2013 at 12:54 p.m. UTC

Hi Jeremy,

I really like your site. I often look for your interesting explanations.

Regarding the topic you mentioned in this article: the bootset survives the 'format flash:' command, but in my case it died with 'erase flash:' :-). The flash was cleaned up completely and I welcomed rommon after reload. c2851, 15.0(1)XA

Pawel


JustAGuest (guest)
October 13, 2016 at 6:33 p.m. UTC

You're the best! Thanks.
