Maintain Cisco IOS

Over time a router will need an update or an upgrade, either of its IOS image or of its configuration file. An update replaces one release with another without changing the feature set; it may fix a bug or replace a release that is no longer supported. An upgrade replaces one release with another that has an expanded feature set; the upgrade might add new technologies or features. Updates are free, upgrades are not.

Cisco provides guidelines for updating or upgrading an IOS version. Following the guidelines can reduce operational, planning and management cost. The phases Cisco recommends are:
  • Plan: set goals, resources, hardware and software, and create a schedule.
  • Design: choose the IOS releases to be used and the migration strategy.
  • Implement: execute the migration plan.
  • Operate: monitor the migration progress and keep backup copies of the old images and configurations.

Cisco also provides a number of tools; some of them are:
  • Cisco IOS Reference Guide, covering the basics of the Cisco IOS software family.
  • Cisco IOS software technical documents, the documentation for each IOS release.
  • Software Center, the place to download IOS images.

An attacker who has compromised a router can delete its IOS image or configuration file. To recover from such an attack, a network administrator must know how to maintain a device's file system and must keep backup copies of both the image and the configuration.

Each Cisco IOS device has a feature called the Cisco IOS IFS (Integrated File System), which is used to view, navigate and manipulate the directories on a Cisco device. Enter "show file systems" in privileged EXEC mode to list the file systems available on the device. Each file system and each file has its own permission mode: read only (ro), write only (wo) or read and write (rw). You can then list the files in a directory ("dir"), change the working directory ("cd dir_name") and print the current working directory ("pwd").

To copy a file in IOS you specify the file to be copied. A file location on an IOS device is written using the URL convention. As in other operating systems a path locates the file, but in IOS the path is preceded by a prefix that names the file system holding it. The prefix can be tftp, flash, system (RAM) or nvram. For example, a "backup-config" file in the "configs" folder on a TFTP server is written as "tftp://" followed by the server's IP address and the path configs/backup-config; the same file in flash memory is "flash:configs/backup-config"; the running configuration in RAM is "system:running-config"; and the startup configuration in NVRAM is "nvram:startup-config".

After specifying the file locations, copy the file with the command
copy source-url destination-url

Instead of the full URL you can also use a simpler syntax. For example, to copy the running configuration in RAM to the startup configuration in NVRAM:
copy running-config startup-config
instead of
copy system:running-config nvram:startup-config

To copy the running configuration to a remote location (the router prompts for the server address and the destination file name):
copy running-config tftp:

To copy a configuration file from a remote location into RAM (note that copying into running-config merges the file into the current configuration rather than replacing it):
copy tftp: running-config

Cisco IOS Naming Convention
Knowing the naming convention helps a network administrator select and upgrade IOS images. As an example, take an IOS image name whose parts, listed below, assemble to c1841-ipbase-mz.123-14.T7.bin.

The name can be divided into several parts.
  • The first part, "c1841", means the image runs on the 1841 series platform.
  • The second part is the feature set; here "ipbase" means basic IP internetworking. Some other possibilities are:
      - "i", IP feature set.
      - "j", enterprise feature set (all protocols).
      - "s", PLUS feature set (extra queueing, manipulation or translations).
      - "56i", 56-bit IPSec DES encryption.
      - "k2", 3DES IPSec encryption (168-bit).
  • The third part indicates where the image runs and whether it is compressed; "mz" means the image runs from RAM (m) and is zip-compressed (z).
  • The fourth part is the version number, "123-14.T7", which Cisco writes as 12.3(14)T7.
  • The last part is the file extension; "bin" indicates a binary executable.
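
The following is an added example, not code from the original page: a small Python parser that splits an image name into the parts listed above and expands the version string. It assumes the example name c1841-ipbase-mz.123-14.T7.bin, assembled from the parts in the list; the feature-set table contains only the codes named on this page, and the run-location and compression letters beyond "m" and "z" are Cisco's other standard codes rather than anything this page lists. The fits_platform helper is a check a practitioner would run before a copy tftp: flash: to avoid loading an image built for another platform.

```python
import re

# Constructed example, assembled from the five parts the text lists:
# platform c1841, feature set ipbase, "mz", version 123-14.T7, extension bin.
EXAMPLE_IMAGE = "c1841-ipbase-mz.123-14.T7.bin"

# Feature-set codes named on this page; real releases use many more.
FEATURE_SETS = {
    "ipbase": "basic IP internetworking",
    "i": "IP feature set",
    "j": "enterprise feature set (all protocols)",
    "s": "PLUS feature set (extra queueing, manipulation or translations)",
    "56i": "56-bit IPSec DES encryption",
    "k2": "3DES IPSec encryption (168-bit)",
}

# Third part of the name: first letter = where the image executes, second = compression.
# "m" and "z" are the pair from the page; the rest are Cisco's other standard codes.
RUN_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM", "l": "relocatable"}
COMPRESSION = {"z": "zip", "x": "mzip", "w": "stac"}

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)"                   # c1841
    r"-(?P<features>[a-z0-9]+)"                   # ipbase
    r"-(?P<runinfo>[a-z]{1,2})"                   # mz
    r"\.(?P<version>\d+-\d+(?:\.[A-Za-z0-9]+)?)"  # 123-14.T7
    r"\.(?P<ext>[a-z]+)$"                         # bin
)


def expand_version(raw: str) -> str:
    """Rewrite the file-name form into Cisco's dotted form.

    '123-14.T7' -> '12.3(14)T7'; '124-24.T' -> '12.4(24)T'; '124-1' -> '12.4(1)'.
    The last digit before the dash is the minor number, the digits before it the major.
    """
    base, _, train = raw.partition(".")
    release, maintenance = base.split("-")
    return f"{release[:-1]}.{release[-1]}({maintenance}){train}"


def parse_image_name(name: str) -> dict:
    """Split an IOS image file name into the parts described above."""
    m = IMAGE_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised IOS image name: {name!r}")
    location, compression = m["runinfo"][0], m["runinfo"][1:]
    return {
        "platform": m["platform"],
        "feature_set": m["features"],
        "feature_desc": FEATURE_SETS.get(m["features"], "not in this table"),
        "runs_from": RUN_LOCATION.get(location, "unknown"),
        "compression": COMPRESSION.get(compression, "unknown") if compression else "none",
        "version": expand_version(m["version"]),
        "extension": m["ext"],
        "is_binary": m["ext"] == "bin",
    }


def fits_platform(current_image: str, candidate_image: str) -> bool:
    """Check, before a copy tftp: flash:, that the new file targets the same platform."""
    current = parse_image_name(current_image)
    candidate = parse_image_name(candidate_image)
    return current["platform"] == candidate["platform"]


if __name__ == "__main__":
    for key, value in parse_image_name(EXAMPLE_IMAGE).items():
        print(f"{key:>13}: {value}")
    # A constructed candidate built for a different platform must be rejected.
    print(fits_platform(EXAMPLE_IMAGE, "c2801-ipbase-mz.123-14.T7.bin"))
```

Run it with no arguments to print the breakdown of the example name; feed parse_image_name any file name from the Software Center to see the same fields.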

You can use TFTP to maintain the IOS images and configuration files of the routers in a network. With TFTP you have a central place to upload and download images and configuration files. The TFTP server can be another router, a workstation or a host. Keep in mind that TFTP has no authentication and no encryption, so the server should be reachable only from the management network.

Things to do before changing the IOS image on a router:
  • Determine the memory required for the update, and install additional memory if the current amount is not enough.
  • Set up and test file transfer between the router and the file server.
  • Schedule the update/upgrade, because it requires downtime; updates are usually performed outside peak hours.

When you are ready to perform the update:
  • Shut down all interfaces not participating in the update process.
  • Back up the old IOS image and configuration file.
  • Load the new image and the necessary configuration file onto the router.
  • Test the update to confirm that it succeeded. If the test fails, find out what went wrong and start over.

Backing up the IOS Image
It is recommended that you follow the steps below to back up an IOS image to a TFTP server.
  • Step 1. Ping the TFTP server to confirm that there is connectivity between the router and the server, and that the server is up.
  • Step 2. Check whether the TFTP server has sufficient space for the IOS image. You must know the free space on the server; the size of the router's image is shown by "show flash:".
  • Step 3. Copy the current image to the server with "copy flash: tftp:". During the transfer a series of exclamation marks "!" is printed; each "!" indicates that one UDP packet was transferred successfully. Afterwards, compare the size of the file on the server with the size reported by "show flash:" to make sure the copy is complete.

Upgrading the IOS Image
You can update a router's IOS image by transferring the new one from the TFTP server to the router with the command "copy tftp: flash:". After entering the command you are prompted for the TFTP server's IP address and the new image's file name (you must enter the exact file name). You are then asked whether you want to erase flash memory. Erase flash only when the router does not have enough free space for the new image alongside the old one, and only after the backup from the previous section has succeeded, because erasing removes the existing image. As with the backup, each exclamation mark "!" printed during the transfer indicates one successfully transferred UDP packet.
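
As an added example (not code from the original page) for the memory check in the pre-upgrade list, Step 2 of the backup and the erase-flash decision above: a Python function that reads "show flash:" output and decides whether the backup fits on the server, whether the new image fits without erasing, whether an erase is required, and how much flash is missing if it does not fit at all. The "show flash:" text below is a constructed sample in the format of an 1841; its file sizes and the server free space passed in are made-up values.

```python
import re

# Constructed sample of "show flash:" output from a router holding one image and
# a small config file. Sizes are made up for the example.
SHOW_FLASH = """\
-#- --length-- -----date/time------ path
1     13937472 Mar 1 1993 00:01:04 +00:00 c1841-ipbase-mz.123-14.T7.bin
2         1821 Mar 1 1993 00:00:30 +00:00 sdmconfig-18xx.cfg

18161664 bytes available (13939712 bytes used)
"""

# One file entry: index, length, date/time, path (path is the last token).
FILE_RE = re.compile(r"^\s*\d+\s+(?P<size>\d+)\s+.*\s(?P<name>\S+)$")
# The summary line at the end of the listing.
SUMMARY_RE = re.compile(r"^(?P<avail>\d+) bytes available \((?P<used>\d+) bytes used\)")


def parse_show_flash(text: str) -> tuple:
    """Return ({file name: size in bytes}, bytes available, bytes used)."""
    files, available, used = {}, None, None
    for line in text.splitlines():
        if (m := SUMMARY_RE.match(line)):
            available, used = int(m["avail"]), int(m["used"])
        elif (m := FILE_RE.match(line)):
            files[m["name"]] = int(m["size"])
    if available is None:
        raise ValueError("no 'bytes available' summary line in show flash: output")
    return files, available, used


def plan_upgrade(show_flash: str, new_image_size: int, server_free_bytes: int) -> dict:
    """Decide whether the backup and the new image fit, and whether flash must be erased.

    new_image_size is the size of the image to be loaded (from the Software Center);
    server_free_bytes is the free space on the TFTP server (hypothetical input).
    """
    files, available, used = parse_show_flash(show_flash)
    total = available + used
    image_sizes = [size for name, size in files.items() if name.endswith(".bin")]
    largest_image = max(image_sizes, default=0)
    return {
        # Step 2 of the backup: the TFTP server needs room for the current image.
        "backup_fits_on_server": server_free_bytes >= largest_image,
        # No erase prompt needed when the new image fits beside the old one.
        "fits_without_erase": new_image_size <= available,
        # Erase only when the image fits in empty flash but not beside the old image.
        "erase_required": available < new_image_size <= total,
        # Bytes of flash still missing even after an erase; install memory if non-zero.
        "more_flash_needed": max(0, new_image_size - total),
    }


if __name__ == "__main__":
    # Hypothetical new image of 20 MB and a server with 20 MB free.
    for key, value in plan_upgrade(SHOW_FLASH, 20_000_000, 20_000_000).items():
        print(f"{key:>22}: {value}")
```

Paste the real "show flash:" output in place of the sample and pass the actual image and server sizes; "erase_required" being True is the signal to verify the backup before answering the erase prompt.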

Troubleshooting Cisco IOS Configuration
Once every device in the network has the right IOS image and configuration, you can tune the configuration of individual devices to improve their performance in the network. Two commands are used most in daily work, "show" and "debug". "show" lists the configured parameters, while "debug" shows the traffic flowing through an interface, letting you trace the execution of a process.

We use "debug" when troubleshooting, finding bugs and so on. A single command entered on a router starts many more processes than the command itself, so tracing the configuration line by line sometimes does not reveal the error. "debug" shows the flow of packets so you can check whether everything is working properly. All "debug" commands are entered in privileged EXEC mode. Some notes on using "debug":
  • Plan debugging properly. Without proper precautions, debugging can make things worse.
  • Debugging can generate too much output. Know what you are looking for before you start.
  • Debug output varies between protocols. Some generate a single line per packet, while others generate several lines per packet; a basic understanding of how the protocol works is usually needed to debug it.

Some other tools that help to make good use of "debug" are:
  • "service timestamps" adds a timestamp to each debug or log message. This tells you when an event happened and how long elapsed between events.
  • "show processes" shows the CPU time used by each process. This helps you judge whether the CPU has enough spare time for debugging.
  • "no debug all" turns off every debugging process that has been started.
  • "terminal monitor" displays debug output and system error messages on the current terminal session. When you connect to a device over Telnet or SSH and use "debug", you will not see the output unless you have entered this command.
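
To show what the "service timestamps" item above buys you, here is an added example (not code from the original page): a Python script that parses timestamped debug and log lines as IOS prints them with "service timestamps debug datetime msec" / "service timestamps log datetime msec", and reports the elapsed time between events. The sample lines are constructed; the last one is deliberately written without a timestamp to show that such lines cannot be placed on the timeline, which is the failure mode you get when the service is not configured. The leading "*" is how IOS marks a clock that has not been set authoritatively, and because this timestamp format carries no year, the script assumes a fixed year only to build comparable datetimes.

```python
import re
from datetime import datetime

# Constructed debug/log lines in the "datetime msec" timestamp format.
# The final line is constructed without a timestamp on purpose.
DEBUG_OUTPUT = """\
*Mar  1 00:12:34.567: IP: s=10.0.0.5 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 2
*Mar  1 00:12:34.571: IP: s=10.0.0.1 (local), d=10.0.0.5 (FastEthernet0/0), len 100, sending
*Mar  1 00:12:36.002: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)
IP: s=10.0.0.5 (FastEthernet0/0), d=10.0.0.1, len 100, rcvd 2
"""

# "*Mar  1 00:12:34.567: message"; the optional "*" or "." is the clock-status mark.
TS_RE = re.compile(
    r"^[*.]?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}):\s(?P<msg>.*)$"
)
MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
# Assumption: the format has no year (unless the "year" keyword is configured),
# so a fixed leap year is used purely so the datetimes can be subtracted.
ASSUMED_YEAR = 2000


def parse_timestamp(line: str):
    """Return (datetime, message) for a timestamped line, or (None, line) otherwise."""
    m = TS_RE.match(line)
    if m is None:
        return None, line
    hms, ms = m["time"].split(".")
    hour, minute, second = (int(x) for x in hms.split(":"))
    stamp = datetime(ASSUMED_YEAR, MONTHS[m["mon"]], int(m["day"]),
                     hour, minute, second, int(ms) * 1000)
    return stamp, m["msg"]


def timeline(output: str) -> tuple:
    """Return ([(ms since first event, ms since previous event, message)], unplaced).

    unplaced counts lines that carry no timestamp and so cannot be ordered in time.
    """
    events, unplaced, first, previous = [], 0, None, None
    for line in output.splitlines():
        stamp, msg = parse_timestamp(line)
        if stamp is None:
            unplaced += 1
            continue
        if first is None:
            first = stamp
        since_first = round((stamp - first).total_seconds() * 1000)
        since_prev = 0 if previous is None else round((stamp - previous).total_seconds() * 1000)
        events.append((since_first, since_prev, msg))
        previous = stamp
    return events, unplaced


if __name__ == "__main__":
    events, unplaced = timeline(DEBUG_OUTPUT)
    for since_first, since_prev, msg in events:
        print(f"+{since_first:6d} ms (+{since_prev:5d} ms)  {msg}")
    print(f"{unplaced} line(s) without a timestamp could not be placed")
```

Redirect a captured terminal session (after "terminal monitor" and the debug command) into the script to get the same per-event gaps; a non-zero count of unplaced lines is the cue to configure "service timestamps" before debugging again.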

NOTE: debug output is given high priority by the CPU. Use "debug" during quiet hours so that it does not interfere with production traffic, and always turn debugging off with "no debug all" when you have finished.