Every time a network engineer opens a TAC case or asks an AI assistant to help debug a routing issue, the same thing happens: the support engineer says "can you share your running-config?" And then you have a decision to make.
The problem is that show running-config on a Cisco IOS device doesn't just show you interfaces and routes. It shows you everything — the enable password, SNMP community strings, VPN pre-shared keys, RADIUS shared secrets, BGP neighbor passwords. All of it, in one paste.
Sharing that config unmodified is a credential leak waiting to happen.
What a Cisco IOS Config Actually Contains
A typical Cisco IOS running-config includes several categories of sensitive data that most people don't think twice about when copying:
- Enable password / enable secret — the hash of your privileged mode password
- SNMP community strings — often set to public or a site-wide string used across dozens of devices
- VPN pre-shared keys — crypto isakmp key lines with the actual passphrase
- RADIUS and TACACS+ shared secrets — radius-server key and tacacs-server key
- Username/password pairs — local user accounts with password hashes or type-7 encoded passwords
- BGP neighbor passwords — MD5 authentication keys for BGP sessions
Type-7 passwords are particularly dangerous because they use a reversible Cisco-specific encoding, not a real hash. Anyone with the encoded string and a decoder tool can recover the original password in seconds.
Before and After: What Sanitization Looks Like
Here's a snippet from a typical Cisco IOS config before and after passing through a config sanitizer:
Notice that [COMMUNITY_1] appears twice in the sanitized output — the same token for the same original value. That consistency is critical: a support engineer can see that both SNMP entries use the same community string without knowing what it is. The logical structure of the config is fully preserved.
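The consistent-token behaviour described above, shown as an added JavaScript example. It is not ScrubForge's code and not from the original page. The rule list, the token labels other than COMMUNITY, and the sample config are assumptions that cover only the categories listed earlier.

```javascript
// Added example, not ScrubForge's code. The rule list and token labels are assumptions.
// Each rule captures (1) the command prefix to keep and (2) the secret to replace.
const RULES = [
  { label: "ENABLE",    re: /^(\s*enable (?:secret|password) (?:\d+ )?)(\S+)/ },
  { label: "COMMUNITY", re: /^(\s*snmp-server community )(\S+)/ },
  { label: "COMMUNITY", re: /^(\s*snmp-server host \S+ (?:version \S+ )?)(\S+)/ },
  { label: "PSK",       re: /^(\s*crypto isakmp key (?:\d+ )?)(\S+)/ },
  { label: "AAA_KEY",   re: /^(\s*(?:radius|tacacs)-server key (?:\d+ )?)(\S+)/ },
  { label: "USER_PW",   re: /^(\s*username \S+ .*?(?:secret|password) (?:\d+ )?)(\S+)/ },
  { label: "BGP_PW",    re: /^(\s*neighbor \S+ password (?:\d+ )?)(\S+)/ },
];

function sanitize(configText) {
  const tokens = new Map(); // "LABEL\0secret" -> placeholder, so repeats reuse one token
  const counters = {};      // last index issued per label
  const lines = configText.split(/\r?\n/).map((line) => {
    for (const { label, re } of RULES) {
      const m = re.exec(line);
      if (!m) continue;
      const key = label + "\0" + m[2];
      if (!tokens.has(key)) {
        counters[label] = (counters[label] || 0) + 1;
        tokens.set(key, `[${label}_${counters[label]}]`);
      }
      // Keep the prefix and anything after the secret (RO, address ..., etc.).
      return m[1] + tokens.get(key) + line.slice(m[0].length);
    }
    return line; // no rule matched: line passes through unchanged
  });
  return { text: lines.join("\n"), tokenCount: tokens.size };
}

// Constructed sample config; every value below is made up for this example.
const SAMPLE = [
  "hostname EDGE-RTR-01",
  "enable secret 5 $1$EXAMPLE$constructedhash",
  "username admin privilege 15 password 7 0000CONSTRUCTED",
  "snmp-server community ExampleCommunity RO",
  "snmp-server host 192.0.2.10 version 2c ExampleCommunity",
  "crypto isakmp key ExamplePsk address 203.0.113.1",
  "radius-server key ExampleRadiusKey",
  "router bgp 64512",
  " neighbor 192.0.2.1 remote-as 64513",
  " neighbor 192.0.2.1 password ExampleBgpKey",
].join("\n");

console.log(sanitize(SAMPLE).text);
```

Lines that no rule matches pass through unchanged, so the output still needs a manual review before sharing.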
How to Sanitize Your Cisco Config with ScrubForge
ScrubForge is a Chrome extension that processes configuration text locally in your browser. Nothing is uploaded. Here's the workflow:
1. Install ScrubForge. Add ScrubForge from the Chrome Web Store. Free, no account required. Pin the icon to your toolbar so it's one click away.
2. Run show running-config. Connect to your Cisco device via SSH or terminal. Run show running-config (or show run) and copy the full output.
3. Open ScrubForge and paste. Click the ScrubForge icon in your browser toolbar. Paste the config into the input area. ScrubForge processes the text immediately — no submit button, no server call.
4. Review the sanitized output. Scan through the output for any remaining sensitive values. ScrubForge targets known patterns — review the result before sharing, especially if your config uses custom secret formats.
5. Copy and share. Copy the sanitized text and paste it into your TAC ticket, vendor email, or AI assistant. The support engineer gets everything they need to help you. Your credentials stay on your machine.
Why Local Processing Matters
Most "sanitizer" tools you find online work by sending your text to a server, processing it there, and sending back the cleaned version. That's fine for stripping markdown — it's not fine for network configs with active credentials.
ScrubForge processes everything in your browser tab. The extension has no server component. The config text you paste into it doesn't travel anywhere. This matters especially for:
- Production device configs that contain credentials used across your entire network
- Configs shared in TAC tickets stored in Cisco's support systems indefinitely
- AI assistant sessions that may be logged or used for model training
- Slack or Teams messages where configs get pasted and forgotten
What to Do After Sanitizing
Sanitizing before you share is a good habit. But it's also worth building it into your team's standard operating procedure for any support engagement. A few things worth documenting in your runbook:
- Always sanitize before opening external tickets — even "just to check" shares
- After a TAC case closes, rotate any credentials that appeared in shared configs (sanitized or not)
- Keep a note of which placeholder maps to which original value in case the support team needs clarification — the original file on your workstation is the mapping
If you share configs with external vendors frequently, see also: How to sanitize network configs before sharing with AI assistants for a broader look at multi-vendor workflows including FortiGate and AWS.
Sanitize Cisco configs before they leave your machine
ScrubForge is free to install. Paste your config, strip the credentials locally, and share safely — no upload, no account required.