Archive for the 'Cisco Routers' Category



Cisco Router HSRP Configuration

Wednesday 9 December 2009 @ 6:52 am

HSRP (Hot Standby Router Protocol) is the Cisco proprietary protocol for providing redundancy in router networks. The standard router redundancy protocol which is used by other vendors is VRRP (Virtual Router Redundancy Protocol), however Cisco has created its own proprietary protocol (HSRP) which works very well on Cisco routers.

In a Local Area Network (LAN), all hosts (PCs, servers etc.) have a single default gateway address configured which is used to route packets outside the LAN. If that single default gateway fails, communication outside the LAN is not possible. With HSRP we can have two gateway routers, one active and one standby, which provide resiliency for the default gateway address. Using HSRP, the two routers each have a physical IP address configured on their LAN-facing interface, but they also share a virtual (HSRP) address which is used as the default gateway address for hosts on the LAN. No matter which gateway router is up and running (either the primary or the secondary), the virtual HSRP address stays the same.

Let’s see a diagram below to explain this functionality.

First of all, HSRP must be configured between interfaces that have Layer 2 connectivity between them. From the diagram above, HSRP will be running between interfaces FE0/1 on the two LAN routers. Interface FE0/1 on RTR-A will have the physical IP address 10.10.10.1 and interface FE0/1 on RTR-B will have the physical IP address 10.10.10.2. The HSRP address 10.10.10.3 will also be configured on both routers. This address will serve as the default gateway address for all hosts on the LAN. RTR-A will be configured as the active HSRP router by setting a higher HSRP priority.

With HSRP, we can also track a specific interface. This means that if the tracked interface of the active router fails, then HSRP will trigger a failover to the standby router.

Let’s see an actual configuration below:

Configuration

Router RTR-A
RTR-A(config)# int fa0/1
RTR-A(config-if)# ip address 10.10.10.1 255.255.255.0

! enable HSRP group 1 and set the virtual address to 10.10.10.3
RTR-A(config-if)# standby 1 ip 10.10.10.3

! preempt allows the router to become the active router when its priority is higher
RTR-A(config-if)# standby 1 preempt

! increase its priority to 110 to make it active (default priority is 100)
RTR-A(config-if)# standby 1 priority 110

! track the WAN interface FE0/0
RTR-A(config-if)# standby 1 track fa0/0

Router RTR-B
RTR-B(config)# int fa0/1
RTR-B(config-if)# ip address 10.10.10.2 255.255.255.0

! enable HSRP group 1 and set the virtual address to 10.10.10.3
RTR-B(config-if)# standby 1 ip 10.10.10.3

! preempt allows the router to become the active router when its priority is higher
RTR-B(config-if)# standby 1 preempt

! set priority to 100 to make it the standby router (this is the default value)
RTR-B(config-if)# standby 1 priority 100

! track the WAN interface FE0/0
RTR-B(config-if)# standby 1 track fa0/0

That’s it. Now configure a default gateway address of 10.10.10.3 for your LAN hosts.
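The following is an added example (not part of the original post and not Cisco code): a small Python model of the HSRP active-router election, used to walk the configuration above through a WAN failure and recovery. It assumes the default "standby track" decrement of 10 and the RFC 2281 rule that equal priorities are broken by the higher interface IP address. It also shows the gotcha the prose does not: if RTR-A's priority were 120 instead of 110, the default decrement would leave it at 110 when FE0/0 fails, and no failover would happen.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Added example, not from the original post or from Cisco: a model of the
# HSRP active-router election. Assumptions: the default "standby track"
# decrement of 10, and the RFC 2281 rule that equal priorities are broken
# by the higher interface IP address.

DEFAULT_TRACK_DECREMENT = 10


@dataclass
class HsrpRouter:
    name: str
    ip: str                     # physical IP on the HSRP interface (FE0/1)
    priority: int = 100         # "standby 1 priority" (IOS default is 100)
    preempt: bool = False       # "standby 1 preempt" configured?
    tracked_up: bool = True     # state of the interface named in "standby 1 track"
    track_decrement: int = DEFAULT_TRACK_DECREMENT

    def effective_priority(self) -> int:
        """Configured priority minus the decrement while the tracked interface is down."""
        if self.tracked_up:
            return self.priority
        return max(0, self.priority - self.track_decrement)


def election_key(router: HsrpRouter) -> tuple:
    """Higher priority wins; a tie is broken by the higher interface IP."""
    return (router.effective_priority(), int(IPv4Address(router.ip)))


def elect_active(routers: list, current_active: str = None) -> str:
    """Return the name of the router that is active after the next hello exchange.

    With no active router (first election, or the active router gone), the best
    key wins outright.  An existing active router is only displaced by a router
    that has preempt configured and a strictly better key."""
    names = {r.name: r for r in routers}
    best = max(routers, key=election_key)
    if current_active not in names:
        return best.name
    active = names[current_active]
    if best is not active and best.preempt and election_key(best) > election_key(active):
        return best.name
    return active.name


def failover_scenario() -> list:
    """Walk the post's configuration through a WAN failure and recovery."""
    rtr_a = HsrpRouter("RTR-A", "10.10.10.1", priority=110, preempt=True)
    rtr_b = HsrpRouter("RTR-B", "10.10.10.2", priority=100, preempt=True)
    lan = [rtr_a, rtr_b]
    log = []
    active = elect_active(lan)
    log.append(("boot", active))                  # RTR-A: 110 beats 100
    rtr_a.tracked_up = False                      # RTR-A fa0/0 goes down
    active = elect_active(lan, active)
    log.append(("RTR-A fa0/0 down", active))      # 100 vs 100, RTR-B has the higher IP
    rtr_a.tracked_up = True                       # fa0/0 comes back
    active = elect_active(lan, active)
    log.append(("RTR-A fa0/0 up", active))        # RTR-A preempts again with 110
    return log


def no_failover_gotcha() -> str:
    """Priority 120 with the default decrement of 10 never drops below RTR-B's 100,
    so a WAN failure on RTR-A does not move the virtual address."""
    rtr_a = HsrpRouter("RTR-A", "10.10.10.1", priority=120, preempt=True)
    rtr_b = HsrpRouter("RTR-B", "10.10.10.2", priority=100, preempt=True)
    active = elect_active([rtr_a, rtr_b])
    rtr_a.tracked_up = False
    return elect_active([rtr_a, rtr_b], active)


if __name__ == "__main__":
    for event, active in failover_scenario():
        print(f"{event:<18} -> active: {active}")
    print("priority 120, fa0/0 down -> active:", no_failover_gotcha())
```

The design point is that the priority gap between the two routers must be no larger than the tracking decrement, otherwise the tracked interface can fail without ever triggering the standby router's preemption.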




Cisco Router Password Recovery-How to recover cisco router lost password

Friday 27 November 2009 @ 5:19 am

One of the most frustrating moments as a network administrator is when you desperately want to log on to a Cisco router and you try all possible passwords you have with no success. Fortunately there is a Cisco password recovery procedure for IOS routers which you can follow and bypass password control in order to get access to the device. The bad thing is that this procedure will cause network downtime since you have to reboot the router a couple of times. Follow the steps below to recover (or change) the forgotten router password:

The following procedure is applicable for virtually any Cisco router, such as the 800, 2600, 3600, 1800, 2800, 3800 etc.

Step 1:
Connect to the router with a serial console cable and open your terminal emulation software (I personally use secureCRT). Use the normal terminal settings (9600 baud, no parity, 8 data bits, 1 stop bit, no flow control). After that, you should get the command prompt.

Step 2:
Now you have to power OFF the router from the power switch. Get ready on your keyboard and turn the power switch to ON. Immediately press the CTRL+BREAK keys on your keyboard several times until the router goes into ROMMON mode. You will see the rommon 1> prompt on your terminal window.

Step 3:
Now you need to change the configuration register of your router. This register controls several boot-up and hardware parameters on the device. The normal value of this register is 0x2102. We will need to change it to 0x2142. This new value tells the router to bypass the startup-configuration (where the password is stored) and boot with the factory default configuration (i.e. no password prompt).

At the rommon prompt type the following:

rommon 1> confreg 0x2142
rommon 2> reset

The “reset” command will reboot the device.

Step 4:
After the router reboots, it will ignore the startup configuration and will behave like the very first time that you switched on the device. It will therefore run the initial setup script. Type “no” at the setup request or press “Ctrl-C” to terminate the initial setup procedure.

Step 5:
Now you will get the Router> prompt. Type “enable” to get into privileged mode.

Router> enable
Router#

Step 6:
Now we need to load the “Startup-Config” into the “Running-Config”.

Router# copy startup-config running-config

IMPORTANT: DO NOT copy the running config into the startup config because now the running config is basically empty (factory default) so it will erase all of your startup config.

Step 7:
Now we are ready to change our passwords. Change the enable password as below.

Router#config t
Router(config)# enable secret newpassword

Step 8:
Another important step now is to change the configuration register back to its normal value, which is 0x2102.

Router(config)#config-register 0x2102

Step 9:
Now save the configuration and reboot.

Router(config)#exit
Router# write
Router# reload

Step 10:
After the router boots up, log on with your new password and enable all interfaces (using “no shutdown”), because during the recovery procedure the interfaces get shut down.

In the above 10 steps we bypassed the original configuration that holds the forgotten password, and so got to privileged mode without needing to know the password. Then we loaded the original configuration into RAM (so we don’t lose it), set a new password and saved everything back to NVRAM. Finally we restored the original boot sequence.
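An added example (not part of the original post and not Cisco code) that supports Step 8: it decodes the configuration-register bits the procedure relies on and checks the “Configuration register is …” line of “show version”, so that a router is not accidentally left at 0x2142, which would make it boot with an empty configuration at the next reload. The three sample output lines are constructed; the bit meanings (boot field in bits 0-3, bit 6 = ignore NVRAM) are the documented IOS ones.

```python
import re

# Added example, not from the original post or from Cisco: decode the
# configuration-register bits involved in the recovery procedure and check
# the "Configuration register is ..." line of "show version" so that a
# router is not left booting without its startup-config.  The sample
# outputs below are constructed.

BOOT_FIELD_MASK = 0x000F   # bits 0-3: where the router boots from
IGNORE_NVRAM_BIT = 0x0040  # bit 6: ignore NVRAM (startup-config) at boot

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode_confreg(value: int) -> dict:
    """Return the boot field and the ignore-startup-config flag of a register value."""
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        boots_from = "ROM monitor"
    elif boot_field == 0x1:
        boots_from = "boot helper (ROM) image"
    else:
        boots_from = "IOS image (boot system commands / first image in flash)"
    return {
        "boot_field": boot_field,
        "boots_from": boots_from,
        "ignores_startup_config": bool(value & IGNORE_NVRAM_BIT),
    }


def audit_show_version(text: str) -> list:
    """Findings about the register value that will apply at the next reload."""
    m = CONFREG_RE.search(text)
    if m is None:
        return ["no 'Configuration register is' line found in show version output"]
    current = int(m.group(1), 16)
    # IOS shows "(will be 0x.... at next reload)" once config-register was changed
    at_reload = int(m.group(2), 16) if m.group(2) else current
    decoded = decode_confreg(at_reload)
    findings = []
    if decoded["ignores_startup_config"]:
        findings.append(
            f"register {at_reload:#06x} ignores startup-config at next reload "
            f"(recovery value 0x2142 was not set back to 0x2102)"
        )
    if decoded["boot_field"] == 0x0:
        findings.append(f"register {at_reload:#06x} boots to ROM monitor, not IOS")
    return findings


# Constructed samples of the relevant "show version" line
SHOW_VERSION_OK = "Configuration register is 0x2102"
SHOW_VERSION_LEFT_AT_2142 = "Configuration register is 0x2142"
SHOW_VERSION_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)"

if __name__ == "__main__":
    for sample in (SHOW_VERSION_OK, SHOW_VERSION_LEFT_AT_2142, SHOW_VERSION_PENDING):
        print(sample, "->", audit_show_version(sample) or ["ok"])
```

Running the same check over the “show version” output of every router after maintenance is a cheap way to catch a recovery that stopped at Step 7.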




Configuring local username and password on a Cisco IOS Router

Tuesday 13 October 2009 @ 2:57 am

By default, when you access a Cisco router for management purposes (using Console, Telnet or SSH) there is no username/password authentication required. You only need to supply the “privileged EXEC” password (i.e. the “enable” password) in order to gain access to the full configuration mode of the router. Employing an additional level of authentication (i.e. requiring the user to supply a username/password credential in addition to the “enable” password) will make the router more resistant to unauthorized access. Moreover, configuring local usernames on the device gives you the flexibility to add granularity to the levels of management privileges for different users. For example, you can configure a username on the router with full privileges (privilege level 15) who can configure anything on the router, or you can configure a username with unprivileged access (privilege level 1) who can only see a few things on the router and nothing else.

There are two steps involved in configuring local usernames. The first one is to create the username/password and assign it a privilege level (from 1 to 15, with 15 being the most privileged level). If you don’t specify a privilege level number, it gets the full privilege 15 by default. The second step is to configure your VTY lines (0 to 4) to require local login (i.e. only a configured user with a valid password can access the router).

Configuration

Router# config t
Router(config)# username Mynetworkadmin privilege 15 secret $Str0ngP@ss$
Router(config)# username Onlymonitoring privilege 1 secret An0ther!Pass34

Router(config)# line vty 0 4
Router(config-line)# login local
Router(config-line)# exit
Router(config)# wr

Just a security tip here: for the username, select something difficult to guess that will not be found in a dictionary attack. For example, words like “admin”, “administrator”, “cisco” etc. are not good usernames. A simple dictionary attack from a hacker will find those easily.
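An added example (not part of the original post and not Cisco code): an offline audit of a saved IOS configuration for the two steps above, i.e. that each local username is stored with “secret” and that every vty line block has “login local”, plus the username tip. SAMPLE_CONFIG is constructed; the weak-name set holds only the three examples from the post and is meant to be extended.

```python
import re

# Added example, not from the original post or from Cisco: an offline audit
# of a saved IOS configuration for the two steps described above (local
# usernames created with "secret", "login local" on the vty lines) and the
# username tip.  SAMPLE_CONFIG is constructed; the weak-name set holds the
# examples from the post and is meant to be extended.

WEAK_USERNAMES = {"admin", "administrator", "cisco"}

# username NAME [privilege N] (secret|password) [TYPE] VALUE
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (secret|password) (?:\d+ )?\S+")


def audit_config(config: str) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    vty_block = None              # "line vty X Y" header currently being parsed
    vty_has_login_local = False

    def close_vty():
        # Called when a vty section ends; reports a block without "login local"
        if vty_block is not None and not vty_has_login_local:
            findings.append(f"{vty_block}: no 'login local', local usernames are not required")

    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):                      # indented: inside the open section
            if vty_block is not None and line.strip() == "login local":
                vty_has_login_local = True
            continue
        close_vty()                                   # any top-level line ends a vty section
        vty_block, vty_has_login_local = None, False
        if line.startswith("line vty"):
            vty_block = line
            continue
        m = USER_RE.match(line)
        if m:
            name, kind = m.group(1), m.group(3)
            if name.lower() in WEAK_USERNAMES:
                findings.append(f"username {name}: guessable name, easy target for a dictionary attack")
            if kind == "password":
                findings.append(f"username {name}: stored with 'password' instead of 'secret'")
    close_vty()
    return findings


# Constructed configuration excerpt: one good user, one weak user, one vty
# block done as in the post and one that only asks for the line password.
SAMPLE_CONFIG = """\
!
username Mynetworkadmin privilege 15 secret 5 $1$cnst$ructedhashvalue0000000
username admin privilege 15 password 7 0822455D0A16
!
line vty 0 4
 login local
line vty 5 15
 login
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

The “secret” check matters because “username … password” stores the credential reversibly (type 7) or in clear text, whereas “secret” stores a hash, which is why the post uses “secret” throughout.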




BlackHat 2009 Router Exploitation Presentation

Friday 11 September 2009 @ 10:16 am

I was reading an interesting presentation the other day, taken from the BlackHat USA 2009 Briefings, from Felix Lindner, and thought about sharing the main points here. The guy presents a reasonable analysis of the current situation regarding router security and exploitation. As we all know, routers are exploitable of course, but not as easily as some “security gurus” want us to believe.

Some of the main points of the presentation are shown below:

  • There is not much research going on from the general security community regarding router vulnerabilities. In 2008 there were only 14 vulnerabilities reported for Cisco and some OpenSSL and memory leak issues for Juniper.
  • Routers expose little functionality to remote attackers.
  • Attackers prefer to focus on servers rather than the network infrastructure.
  • Although router vendors have started to implement more and more services on routers (such as VoIP, IPv6, SIP, H323, Lawful Intercept, SSL VPN, Web Service Routing etc.), fortunately network engineers are slow in adopting all those new services. This means fewer vulnerabilities.
  • Routers are rarely used as clients, so client-side attacks are very rare.
  • Router operating systems based on UNIX flavors are easier to exploit.
  • Cisco IOS is a monolithic architecture: IOS runs as a single large binary program directly on the CPU. IOS is harder to exploit.

The presentation then continues with some useful recommendations for protecting Routers as described below:

Router Protection:

  • Block traffic destined to any interface of the router itself. The only exception is traffic from management stations.
  • Use MD5 authentication on routing protocols.
  • Avoid running network services on your routers (such as HTTP, FTP, TFTP etc.).
  • Avoid running VoIP services on border or exposed routers.
  • Monitor the router’s service modules independently.
  • Use a configuration monitoring tool to observe any changes in the IOS configuration. An excellent tool for this is RANCID (Really Awesome New Cisco Config Differ) from http://www.shrubbery.net/rancid/
  • Configure core dumping.


