Monitoring Cisco Router Devices

Overview

TOS monitors router devices for policy revision changes. For TOS to show full accountability details (who made the policy changes and when the changes were made), you must also configure the device to send syslogs.

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

Prerequisites

Make sure that the device user account that you use for TOS monitoring has permission to run these commands:

  • Retrieve revision:

    terminal no exec prompt timestamp
    (use one of these commands) show running-config OR show configuration OR show startup-config
    show ip route connected
    show ip route static
    show clock
    show version
    show access-lists

  • Retrieve dynamic topology:

    show ip vrf detail

  • SD-WAN:

    show sdwan omp services
    show sdwan ip fib

    For each VRF run:

    show ip route vrf <vrf name>
    show ip interface
    show mpls interface detail
    show ip bgp | inc ID

    If BGP is used, run:

    show ip bgp neighbors | inc BGP
    show ip bgp vpnv4 all labels
    show standby

  • Provisioning:

    exit
    configure terminal
    end
    write memory

Recommendations

  • TOS and the monitored devices must be synchronized with the correct date and time, either manually or automatically. We recommend that you also configure the devices to resolve DNS queries.

    If the device is a standby member in a high availability cluster, monitor the device as a standalone device with usage analysis collection and topology disabled. This will prevent the standby member from appearing on the Map, and ensure that routing is correct.

Add a Device

  1. Select Cisco > Router:

    Add Cisco

  2. Configure the device settings:

    • Name for Display

    • Domain: Available only if you have configured your system for managing multi-domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be entered when adding a device; to change the Domain, you must migrate the device.

    • Get revisions from: One of the following:

      • IP Address: Revisions are retrieved automatically
      • Offline File: (If available) Revisions are manually uploaded to TOS for Offline Analysis
    • Support for zone based policy: Select this option if the router uses the zone-based policy firewall feature

    • ST server: In a distributed deployment, select which TOS cluster monitors this device (not shown in image)

    • Router Operating system: IOS or IOS-XE

    • Collect counters for rule usage analysis: Required for Rule Usage reports

    • Enable Topology: Collects routing information for building the network Map.
      Topology options for Advanced management mode are configured when you import managed devices.

      If the device uses dynamic addressing (such as DHCP) or dynamic routing protocols (such as OSPF), also select Collect dynamic topology information. You can specify in the next stage to retrieve the dynamic topology information using SNMP v2 or v3.

    • Inter-AS MPLS L3VPN Option B: Select this option if this router is an autonomous system boundary router (ASBR) in an MPLS option B environment. This option retrieves VPNv4 labels associated with inter-AS communication.

    Click Next.

  3. Configure the TOS connection to the Cisco device, according to the parameters required by the device:

    New Cisco stage 2

    • Enter the authentication details needed to connect to the Cisco device.

      • Username and password: The device username and password

      • Enable password: If your device requires sending the Enable command, select this option and enter the password to give TOS elevated privileges on the device (required if automated Provisioning to the device will be used)

      • Login password: If your device requires the Login password, select this option and enter the username and password that is required for the login command

    • Select whether to use SSH (preferred) or Telnet: The device can be configured to use either SSH version 1 or 2

    • To use default settings (recommended in most cases), leave the Port number and both Override options clear.

    • If TOS is configured to automatically replace the SSH host key when a new SSH host key is detected for a device, you can Override SSH host key settings to prevent the host key from being replaced for this device.

      You can then set TOS to Replace SSH host key automatically for this specific device.

      Warning: Automatic replacement of the SSH host key can expose your server to security risks and is not recommended.

    • Override SSH Version: Select this option to force the device to use SSH-1 or SSH-2

    • Override Cipher: Select this option to force the device to use DES or 3DES encryption

    • SNMP: Select this option to retrieve dynamic topology change information with SNMP instead of SSH, then enter the port number and SNMP community name to use for the SNMP connection to the device

    Click Next.

  4. In Monitoring Settings, do one of the following:

    • To use real-time monitoring and timing settings from the Timing page, select Default.

    Otherwise, select Custom and configure the monitoring mode and settings.

    Real-Time Monitoring: (Not shown in image) Applies only if syslogs (Configuring Devices to Send Logs) are configured. Select Custom settings and configure:

    • 'Install policy' interval: When two or more Install Policy events for the same policy occur within this time interval, TOS combines the events into a single Install Policy revision (Default: 60 seconds)
    • Automatic fetch frequency: Frequency (in minutes) for automatic fetch 

    • Periodic Polling, select Custom settings and configure the Polling frequency: How often TOS fetches the configuration from each device.

      If you select 1 day, you can then select the exact time (hour and minute) for the daily polling.

    Click Next

  5. Save the configuration.

The Cisco device now appears in the Monitored Devices tree.

Configure a Monitored Device

After you add a device, further configuration options are available.

Options vary depending on your environment.

Example

  • Edit configuration: Use the wizard to modify selected device settings. See Add a Device in this topic.

  • Delete this device: Type yes to confirm that you want to delete the device.

  • Migrate (ST servers): Available in distributed deployments. Select the server where the device will be monitored and click Migrate.

  • Migrate (Domains): Available in multi-domain deployments. Select the domain where the device will be monitored and click Migrate.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices