Log configuration commands entered on your Cisco router
As part of the Configuration Change Notification and Logging feature, Cisco IOS stores the most recent configuration commands in a circular buffer and (optionally) sends them to syslog streams.
This feature is configured under the archive configuration mode with the log config command, which brings you to yet another configuration mode where you can fine-tune the parameters (they are obvious, on-router help is sufficient), for example:
archive
 log config
  logging enable
  logging size 100
  notify syslog
  hidekeys
After you've enabled configuration command logging, you can use the show archive log config all command to inspect the logging buffer. You can also display commands entered in a particular session or by a selected user.
CLI command logging without TACACS+
The Cisco IOS’s AAA architecture contains many handy features, including authorizing and logging every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in RADIUS environments.
You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
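The following applet is an added example (it is not configuration from the original post): an EEM applet that matches every CLI command and writes its text to syslog, so it ends up wherever your logging host directive points. The applet name CLI-ACCOUNTING is an arbitrary choice; $_cli_msg is the EEM built-in variable that carries the matched command text.

```cisco
! Added example: log every CLI command through EEM (works without TACACS+).
! Applet name is arbitrary; $_cli_msg is the EEM built-in holding the command.
event manager applet CLI-ACCOUNTING
 ! Match any command; "sync no skip no" lets the command run unmodified
 ! while the applet fires asynchronously.
 event cli pattern ".*" sync no skip no
 ! Emit the command text as a syslog message.
 action 1.0 syslog msg "CLI command executed: $_cli_msg"
```

Because the event is asynchronous (sync no), the applet never delays or blocks the command; it only records it. Pair it with a logging host so the messages leave the router rather than sitting only in the local logging buffer.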
Cisco IOS from an attacker's perspective
Although a bit outdated (and discussing older Cisco IOS releases), the article Cisco IOS from an Attacker's Point of View is still very relevant, as most vulnerabilities discussed in it arise from insecure router configuration. Highly recommended reading!
Use command aliases to simplify Cisco IOS web server URLs
Cisco IOS has the ability to define command aliases - short words that substitute a whole exec-mode or configuration command. These aliases can also be used in command execution URLs. For example, if you define alias exec showdefault show ip route 0.0.0.0 0.0.0.0, you can view the status of the default route with the http://router/exec/showdefault/CR URL.
Use Cisco IOS FTP server to bypass Microsoft "security patch"
Microsoft decided a while ago to disable the ability to send a username and password encoded in the URL to a web server. This "security patch" also prevents you from serving files from the Cisco IOS web server without an explicit user login (the IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use the FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:password@router/file URL.
Tar archives used by Cisco IOS web server
To optimize space utilization and file transfer operations in flash: memory, the Cisco IOS web server allows files to be served from tar archives stored on the flash: (or any other) filesystem. The URL syntax to access a file in a tar archive is /archive/archive-name-without-tar-suffix/file-in-archive.
TAR support in Cisco IOS
Cisco IOS supports the Unix tar format with the archive command. For example, to inspect the contents of the Secure Device Manager (SDM) that is present in Flash memory on most routers, use the archive tar /table flash:sdm.tar command.
You can also use the archive tar /xtract command to extract a tar file (local or external) into a directory (yet again local or external). For example, with the command archive tar /xtract flash:sdm.tar tftp://10.0.0.10 you'd extract the SDM tar archive to a TFTP server.
Home page for Cisco IOS web server
Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:
- The home.html file if it exists in any filesystem;
- The home.shtml file if it exists in any filesystem;
- A default page with links to exec, SDM, QDM and TAC support.
Note: even though you can access the home.html file on the flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for HTTP requests with the ip http path flash: command.
BGP peer groups no longer a performance feature
In Cisco IOS release 12.3T (integrated in 12.4), we've got an interesting (and quite understated) BGP feature: BGP peer-groups are no longer a performance feature (previously, IOS used them to reduce the time needed to compute outbound BGP updates). IOS now performs automatic grouping of BGP neighbors in dynamic update peer-groups that receive identical BGP updates based on per-neighbor outbound parameters.
Running syslog over TCP
Syslog has always been considered an undependable means of reporting network problems by serious network administrators as it runs over unreliable UDP transport. Sometime in the twilight zone between IOS releases 12.3T and 12.4, Cisco IOS got the capability to transport syslog messages over TCP with the logging host ip-address transport tcp port configuration command (the command is documented in 12.4 manuals but missing in 12.3T manuals).
Note: IOS implements standard syslog stream over TCP, not the more complex RFC 3195.