Describes how to mask sensitive information such as strings, usernames, passwords, comments, and IP addresses in the show running-configuration command output by enabling sanitization on the nonvolatile generation (NVGEN) process.
The configuration output sanitization is a security feature that
-
masks sensitive information within the running configuration output
-
replaces sensitive strings with a placeholder, and
-
protects sensitive data such as passwords and IP addresses from unauthorized exposure.
| Feature Name |
Release Information |
Feature Description |
|---|---|---|
| Excluding Sensitive Information in Show Running Configurations Command Output |
Release 7.5.4 |
You can now exclude sensitive information such as strings, usernames, passwords, comments, or IP addresses within the show running-configuration command output by enabling sanitization on the nonvolatile generation (NVGEN) process. With this feature, you can achieve better data protection to prevent cybersecurity risks compared to regular router algorithms. This feature introduces the nvgen default-sanitize command. |
The show running configuration command uses the nonvolatile generation (NVGEN) process in Cisco IOS-XR software to collect configuration information from every system component and construct a running configuration file. Because this file often contains sensitive information that poses a security threat, this feature provides a mechanism to sanitize the output. When you enable sanitization, the NVGEN process replaces the corresponding information with the <removed> string to prevent unauthorized access to critical data.
The feature allows you to mask these types of sensitive information in the show running configuration output:
-
Strings
-
Usernames
-
Passwords
-
Comments
-
IP Addresses
On enabling the sanitization in show running configurations, the NVGEN process replaces the corresponding information with <removed> string. For example, if you enable sanitization for IP Addresses, the show running configuration includes the <removed> string in place of all the IP Addresses in the output.
This feature introduces the nvgen default-sanitize command.
Configure sanitization
Use these tasks to configure sanitization for each category of sensitive information: