How can Cisco DNA and Cisco Prime Infrastructure provide integrity?

Maivoko · ‎03-08-2023

How can Cisco DNA and Cisco Prime Infrastructure provide integrity to prevent any one change running configuration on whole infrastructure devices?

How can Cisco DNA and Cisco Prime Infrastructure rewrite the last backup configuration back to network devices once detected changes in running configuration?

marce1000 · ‎03-09-2023

- Both products won't be able to fulfill your requirements completely , I advise to use logging of config changes on network equipment if there is a business requirement , as in (see below) , then of course the global syslog server must be watched and examined on a regular basis too. Check this document too : https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-logger.html

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#archive
R1(config-archive)#log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#logging size 500
R1(config-archive-log-cfg)#hidekeys
R1(config-archive-log-cfg)#notify syslog
R1(config-archive-log-cfg)#end
R1#

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Maivoko · ‎03-09-2023

I remember that configuration change can generate a configuration change log to syslog

but how to write a script once received this configuration change log this pattern, then Prime Infrastructure can overwrite existing configuration with specified date of configuration?

How can be done in Cisco DNA ?

Even if hackers edited configuration, new running configuration can be overwritten back to original configuration or special configuration to make IP address path to honey pot.

I have never found people done this until 2023. So I am curious about this.