This is a list of the Cisco IOS CLI shortcuts that I need to reference. I really need to practice using the delete buffer commands and Ctrl-R (refresh) as part of my muscle memory / daily practice.

The Cisco page on terminal break shows a lot of break sequences. The break sequence for “screen” is Ctrl-A followed by Ctrl-B: Ctrl-A shifts the focus back to the screen process (away from the serial console) and Ctrl-B issues the break. You may need to send the break more than once.

Cursor Movement Shortcuts

Shortcut | Description | Mnemonic
Ctrl+A | Move cursor to the beginning of the line | Alpha, the first letter of the beginning
Ctrl+E | Move cursor to the end of the line | E for End
Ctrl+F | Move cursor forward one character | F for Forward
Ctrl+B | Move cursor backward one character | B for Backward
Esc+F | Move forward one word | Always forget the Escape version
Esc+B | Move backward one word | Ditto
Ctrl+P | Previous command | P for Previous (also Up Arrow)
Ctrl+N | Next command | N for Next (also Down Arrow)

Editing Shortcuts

Shortcut | Description | Mnemonic
Ctrl+W | Delete the word to the left of the cursor | W for Word
Ctrl+U | Delete the whole line | ??
Ctrl+T | Swap (transpose) the character at the cursor with the one before it | T for Transpose
Ctrl+K | Erase from the cursor to the end of the line | ??
Ctrl+X | Erase from the cursor to the beginning of the line | ??
Esc+D | Delete from the cursor to the end of the word |
Delete | Removes the character to the right of the cursor |
Backspace | Removes the character to the left of the cursor |
Up Arrow | Scroll forward through previous commands |
Down Arrow | Scroll backwards through previous commands |

Functional Shortcuts

Shortcut | Description | Mnemonic
Ctrl+L | Reprint the line | L for Line
Ctrl+R | Refresh: starts a new line showing the same command as typed so far (useful if the system writes a message to the screen while a command is being entered and you are not using line synchronisation) | R for Repeat
Tab | Command autocomplete | No comment
Ctrl+C | Exit from config mode |
Ctrl+Z | Apply the command line and exit from config mode, i.e. return to privileged EXEC mode |
Ctrl+Shift+6, then X | Escape sequence: Ctrl+Shift+6 is one action and the X is the second. On its own, Ctrl+Shift+6 interrupts a running command such as ping or traceroute; followed by X it suspends the current Telnet or SSH session |

Less Common Shortcuts

Shortcut | Description | Mnemonic
Esc, C | Makes the letter at the cursor uppercase | C for Capital
Esc, L | Changes the word at the cursor to lowercase | L for Lower
Esc, U | Makes letters from the cursor to the end of the word uppercase | U for Uppercase

Using the Delete Buffer

The buffer stores the last ten items that have been deleted using Ctrl-K, Ctrl-U, or Ctrl-X.

Shortcut | Description | Mnemonic
Ctrl-Y | Paste the most recent entry in the delete buffer | Y for “Yank”, as in yank from the buffer
Esc-Y | Paste the previous entry in the delete buffer | Ditto

Note that the delete buffer is very useful for times when you have created complex and difficult names in IOS. If you use a naming convention for QoS CLI such as 100M-5Mpri-15mbAF21 then this is a hugely useful feature for show and configuration commands.
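As an added illustration (not code from the original post), here is a small Python model of the editing keys and the delete buffer described in the tables above. The ten-entry depth and the rule that only Ctrl-K, Ctrl-U and Ctrl-X feed the buffer follow the post; the class name, the typed() helper and the assumption that Esc-Y wraps back to the newest entry after the oldest are mine.

```python
from collections import deque


class IosLineEditor:
    """Model of an IOS command line: text, cursor and delete buffer (my naming)."""

    def __init__(self, text="", depth=10):
        self.text = text
        self.cursor = len(text)              # cursor sits after the last character
        self.deleted = deque(maxlen=depth)   # delete buffer, newest entry on the right
        self._yank_index = None              # position while cycling with Esc-Y

    def _insert(self, s):
        self.text = self.text[:self.cursor] + s + self.text[self.cursor:]
        self.cursor += len(s)

    def typed(self, s):
        """Characters typed by the operator; typing ends an Esc-Y cycle."""
        self._insert(s)
        self._yank_index = None

    def _stash(self, fragment):
        """Record an erased fragment; only Ctrl-K, Ctrl-U and Ctrl-X call this."""
        if fragment:
            self.deleted.append(fragment)
        self._yank_index = None

    def ctrl_a(self):
        self.cursor = 0

    def ctrl_e(self):
        self.cursor = len(self.text)

    def ctrl_k(self):
        """Erase from the cursor to the end of the line (buffered)."""
        self._stash(self.text[self.cursor:])
        self.text = self.text[:self.cursor]

    def ctrl_x(self):
        """Erase from the cursor back to the beginning of the line (buffered)."""
        self._stash(self.text[:self.cursor])
        self.text = self.text[self.cursor:]
        self.cursor = 0

    def ctrl_u(self):
        """Erase the whole line (buffered)."""
        self._stash(self.text)
        self.text = ""
        self.cursor = 0

    def ctrl_w(self):
        """Delete the word left of the cursor; per the post this is NOT buffered."""
        left = self.text[:self.cursor].rstrip(" ")
        start = left.rfind(" ") + 1
        self.text = self.text[:start] + self.text[self.cursor:]
        self.cursor = start

    def ctrl_y(self):
        """Paste the most recent delete-buffer entry at the cursor."""
        if not self.deleted:
            return
        self._yank_index = len(self.deleted) - 1
        self._insert(self.deleted[self._yank_index])

    def esc_y(self):
        """Right after a yank, swap the pasted text for the previous (older) entry."""
        if self._yank_index is None:
            return
        current = self.deleted[self._yank_index]
        self.text = self.text[:self.cursor - len(current)] + self.text[self.cursor:]
        self.cursor -= len(current)
        self._yank_index = (self._yank_index - 1) % len(self.deleted)  # wrap: assumption
        self._insert(self.deleted[self._yank_index])


def reuse_long_name():
    """Clear a long QoS name with Ctrl-U, then pull it back into a new command."""
    ed = IosLineEditor("100M-5Mpri-15mbAF21")   # constructed name in the post's convention
    ed.ctrl_u()                                  # line is empty, name is in the buffer
    ed.typed("show class-map ")
    ed.ctrl_y()
    return ed.text                               # "show class-map 100M-5Mpri-15mbAF21"


def walk_back_through_buffer():
    """Three erases, then Ctrl-Y and two Esc-Y presses reach the oldest entry."""
    ed = IosLineEditor()
    for name in ("first", "second", "third"):
        ed.typed(name)
        ed.ctrl_u()
    ed.ctrl_y()
    ed.esc_y()
    ed.esc_y()
    return ed.text                               # "first"


def entries_kept_after(n_erases):
    """However many erases happen, the buffer never holds more than ten entries."""
    ed = IosLineEditor()
    for i in range(n_erases):
        ed.typed(f"name-{i}")
        ed.ctrl_u()
    return len(ed.deleted)


def ctrl_w_is_not_buffered():
    """Ctrl-W removes the word but leaves the delete buffer empty."""
    ed = IosLineEditor("show ip bgp summary")
    ed.ctrl_w()
    return ed.text, len(ed.deleted)
```

The walk-through functions are the muscle-memory drills from the post: erase a long name once, then recall it with Ctrl-Y, or step back through earlier erasures with Esc-Y instead of retyping them.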

Other Posts in This Series

  1. Cisco IOS CLI Regex: sh ip bgp in (2nd May 2012)
  2. IOS CLI Tip: More accurate pipe commands (1st May 2012)
  3. Cisco Nexus NXOS and Fixing broken “switchto” syntax with alias (18th December 2011)
  4. show ip eigrp topology all (22nd May 2011)
  5. Cisco IOS CLI Shortcuts (6th February 2011)
  6. The poor man's IOS Traffic Generator (19th September 2009)
  7. IOS: 'terminal monitor' on, off - logging to your terminal (17th September 2009)
  8. IOS: Console, Terminal, Monitor, VTY - what is what ? (16th September 2009)
  9. IOS: Clearing an interface configuration (13th September 2009)
  10. IOS: Setting Terminal Window Length (10th September 2009)
  11. IOS CLI: show run linenum (9th September 2009)
  12. IOS: Setting the TCP timeout on IOS (14th August 2008)
  13. IOS: enable and .... disable ? (20th July 2008)
  14. IOS: Reverse SSH console access - Part 2 (25th June 2008)
  15. IOS:Open Source Lab DNS and IP addressing (2nd June 2008)
  16. IOS: Reverse SSH console access (29th May 2008)
  17. ip tcp timestamp (14th April 2008)
  18. Cisco ASA and IOS command tip - test aaa-server (18th February 2008)

Contents

Introduction
Secure Network Operations
Monitor Cisco Security Advisories
Using Authentication, Authorization, and Accounting
Centralize Log Collection and Monitoring
Use of Secure Protocols
Configuration Management
Management Plane
General Management Plane Hardening
Password Management
Password Strength
User Management and Administrative Access
Securing Interactive Management Sessions
Disable Unused Services
Limit Network Access with ACLs on Routers and Firewalls
Control and Encrypt Management Sessions
User Management
Local Users and Passwords
Password Profile
Role-Based Access Control
Authentication Domains
SSL Key Management
Logging Best Practices
Communications
Cisco UCS Manager Web Client
Managing the Equipment
Conclusion
Additional Information


This document provides information to help users secure Cisco Unified Computing System (Cisco UCS) platform devices to improve network security. Structured around the three planes by which the functions of a network device are categorized, this document provides an overview of each Cisco UCS Software feature and references related documentation.

The three functional planes of a network, the management, control, and data planes, each provide a different functionality that must be protected.

The modular, physically, and logically distributed architecture of Cisco UCS offers tremendous advantages in creating a highly available, secured computing platform and network. Discrete software components (subsystems) are implemented as separate software processes that run in their own protected memory address spaces. This implementation enables true fault isolation and compartmentalization in the event of a security incident by preventing faults in one subsystem from negatively affecting others.

The logical distribution of processes across three planes, each with its own access control for secure network operation, is the means to the deep fault isolation and implementation of security instrumentation within Cisco UCS Software and hardware.

Management Plane: The management plane contains the logical group of all traffic that supports provisioning, maintenance, and monitoring functions for the Cisco UCS. Traffic in this group includes HTTP/HTTPS, SSH, FTP, Simple Network Management Protocol (SNMP), Syslog, TACACS+ and Remote Authentication Dial-In User Service (RADIUS), DNS, and Cisco Discovery Protocol. Management plane traffic is always destined to the local Cisco UCS.

Control Plane: The control plane contains the logical group of all switching, signaling, link-state, and other control protocols that are used to create and maintain the state of the network and interfaces, such as Link Layer Discovery Protocol (LLDP), Fibre Channel over Ethernet (FCoE), Address Resolution Protocol (ARP), and Layer 2 keepalives. Control plane traffic is always destined to the local Cisco UCS device.

Data Plane: The data plane contains the logical group of customer application traffic generated by hosts, clients, servers, and applications that are sourced from and destined to other similar devices supported by the network. Data plane traffic is mainly forwarded in the fast path and is never destined to the local Cisco UCS device.

The security features discussed in this document often provide enough detail for a network administrator (or operator) to configure the feature. However, in cases where it does not, the feature is explained to allow administrators to evaluate whether additional attention to the feature is required. Where possible and appropriate, this document contains recommendations that, if implemented, will help secure a Cisco UCS deployment. Figure 1 shows the structure of a Cisco UCS device.

Figure 1. Cisco UCS Structure

Secure network operations is a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco UCS device, configurations alone do not completely secure a network. The operational procedures in use on the network, as well as the people who administer the network, contribute as much to security as the configuration of the underlying devices.

The following sections contain operational recommendations that Cisco UCS administrators are advised to implement. These sections highlight specific critical areas of network operations and are not comprehensive.

Monitor Cisco Security Advisories

The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as Cisco Security Advisories, for security-related issues in Cisco products. Security advisories are available at http://www.cisco.com/go/psirt.

For information about Cisco PSIRT vulnerability reporting, see the Cisco Security Vulnerability Policy.

To maintain a secure system, Cisco UCS administrators should be aware of the information communicated in Cisco Security Advisories. Detailed knowledge of the vulnerability is required before evaluating the threat that the vulnerability can pose to a network. For assistance with this evaluation process, see Risk Triage for Security Vulnerability Announcements.

Using Authentication, Authorization, and Accounting

The Authentication, Authorization, and Accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions, limits users to specific, administrator-defined commands, and logs all commands entered by all users.

RADIUS and TACACS+ are both supported on the UCS system. TACACS+ encrypts the entire TCP payload, which includes both the username and password; RADIUS encrypts only the password. TACACS+ is therefore the suggested choice for maximum authentication security.

Additionally, LDAP can be used for user authentication. To encrypt the LDAP authentication exchange, use the CLI option to use SSL.
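To make the difference between the two protocols concrete, the following Python example (added here; it is not from the Cisco guide) builds the two credential exchanges as they would appear in a packet capture, using the User-Password hiding from RFC 2865 section 5.2 and the body obfuscation from RFC 8907 section 4.5, and then checks which fields a passive observer can read. The shared secret, session id, username, password and Request Authenticator are constructed sample values; the RADIUS 20-byte header and the TACACS+ 12-byte header are omitted, and the TACACS+ body is a PAP authentication START.

```python
import hashlib
import struct


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 being the Request Authenticator. Only this one attribute is hidden."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of the above; the chained value is the hidden chunk in both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request_attrs(secret, authenticator, username, password):
    """Attribute bytes as carried on the wire: User-Name (type 1) in the clear,
    User-Password (type 2) obfuscated."""
    def avp(attr_type, value):
        return bytes([attr_type, 2 + len(value)]) + value
    return avp(1, username) + avp(2, radius_hide_password(secret, authenticator, password))


def tacacs_pseudo_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated
    and truncated to the body length."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """Body XOR pseudo-pad; the same call recovers the body, since XOR is an involution."""
    return xor_bytes(body, tacacs_pseudo_pad(key, session_id, version, seq_no, len(body)))


def tacacs_pap_start_body(username, password, port=b"tty0"):
    """Authentication START body for PAP: action LOGIN(1), priv_lvl 1,
    authen_type PAP(2), service LOGIN(1), then the four lengths and fields."""
    return (bytes([1, 1, 2, 1, len(username), len(port), 0, len(password)])
            + username + port + password)


def compare_on_wire(username=b"netops-admin", password=b"S3cret!"):
    """Which credential a passive observer can read from each protocol's bytes."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))        # constructed; real ones are random per request
    radius_wire = radius_access_request_attrs(secret, authenticator, username, password)
    # version 0xC0 = major 0xC, minor 0; session id and seq_no are constructed
    tacacs_wire = tacacs_obfuscate(secret, 0x1234ABCD, 0xC0, 1,
                                   tacacs_pap_start_body(username, password))
    return {
        "radius_username_visible": username in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }
```

The guide's point shows up directly in the result: the RADIUS attribute bytes still contain the literal username, while nothing after the TACACS+ header is readable. Both schemes are MD5-keyed stream obfuscation rather than modern authenticated encryption, which is one more reason to keep AAA traffic on a dedicated management network.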

Centralize Log Collection and Monitoring

To gain an understanding of existing, emerging, and historic events that are related to security incidents, an organization should have a unified strategy for event logging and correlation. This strategy must leverage logging from all network devices and use prepackaged and customizable correlation capabilities.

After centralized logging is implemented, a structured approach must be developed to log analysis and incident tracking. Based on the needs of the organization, this approach can range from a simple diligent review of log data to an advanced rule-based analysis.

For more information on how to implement logging on Cisco UCS network devices, see the 'Logging Best Practices' section of this guide.

Use of Secure Protocols

Many protocols are used to carry sensitive network management data. Secure protocols should be used whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted.

For more information about the secure management of Cisco UCS, see the 'Securing Interactive Management Sessions' section of this document.

Configuration Management

Configuration management is a process by which configuration changes are proposed, reviewed, approved, and deployed. In the context of a Cisco UCS, there are configure commit point records for each configuration change. These records can be used to determine what security changes were made and when these changes occurred. In conjunction with AAA log data, this information can assist in the security audit of network devices.

The configuration of a Cisco UCS device contains many sensitive details, including usernames, passwords, and the contents of access control lists (ACLs). The repository used to archive Cisco UCS device configurations should be secured and access should be restricted to only those roles and functions that require access. Insecure access to this information can undermine the security of the entire network.

The management plane consists of functions that achieve the management goals of the network. These goals include interactive management sessions using SSH, as well as statistics gathering with SNMP or NetFlow. When considering the security of a network device, it is critical that the management plane is protected. If a security incident undermines the functions of the management plane, network recovery or stabilization may not be possible.

The following sections detail the security features and configurations available in Cisco UCS Software that help fortify the management plane.

General Management Plane Hardening

The management plane is used to access, configure, and manage a device, as well as monitor its operations and the network on which it is deployed. The management plane receives and sends traffic for operations of these functions. Both the management plane and control plane of a device must be secured, because operations of the control plane directly affect operations of the management plane. The following list includes protocols that are used by the management plane:

  • SNMP
  • Telnet
  • SSH
  • SFTP
  • FTP
  • TFTP
  • HTTP/HTTPS
  • XML API
  • Secure Copy Protocol (SCP)
  • TACACS+
  • RADIUS
  • NetFlow (also used by the Data Plane as that is where the traffic comes from)
  • Network Time Protocol (NTP)
  • Syslog

Administrators should take measures to ensure the survival of the management and control planes during security incidents. If one of these planes is successfully exploited, all planes can be compromised.

Password Management

Passwords control access to resources or devices, and administrators define passwords to authenticate requests. When a request is received for access to a resource or device, the request is challenged for verification of the password and identity, and access can be granted, denied, or limited based on the result. Security best practices dictate that passwords should be managed with an LDAP, TACACS+ or RADIUS authentication server. However, a locally configured password for access is still required in the event that LDAP, TACACS+ or RADIUS services fail. A device can also have other password information present within its configuration, such as an NTP key or an SNMP community string.

Password Strength

The Password Strength option is used to require strong passwords. Ensure Password Strength Check is enabled and do not disable it. The passwords are stored securely on the Cisco UCS using password hashing. Figure 2 shows the configuration settings for locally authenticated users.

Figure 2. Locally Authenticated Users

To determine whether password strength is enabled, issue the show security detail command from the command-line interface (CLI).