Cisco
From OzmoWiki
The following is a list of Cisco IOS Tips gathered throughout the ages from various sources.
IOS Common
Commands Take Effect Right Away
If you are an experienced Cisco router user, you probably just groaned. However, I find that this concept escapes new users. As you type commands into the configuration mode, they immediately take effect. For example, if we change the router's name, we see that the very next line contains the new router name:
Router1# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)# hostname MyRouter
MyRouter(config)# ^Z
MyRouter#
As you can see, we changed the router's name to MyRouter, which was immediately processed. This concept applies to everything in the router's configuration mode.
Filtering the Output of Commands
What if you want to see the configuration for your routing protocol? That is listed near the end of the router's configuration, after all the interfaces. Typing "show run" would likely mean paging through several screens of configuration before getting to the part you need. The "show run" and "show start" commands have several modifiers; "show run interface serial0", for instance, prints only that interface's configuration. In this section we look at using the pipe character to filter what is displayed on the console.
Pipe Character
The pipe character is typically found above the backslash on the keyboard and looks like this: "|". Most show commands can be filtered this way. The filters you will use most are begin, include, and exclude (newer releases also offer section). Each takes a regular expression that the router searches for in every line of output. Note: the match is case-sensitive.
Begin Keyword
Begin causes the router to search through the output for whatever keyword you specify and begins displaying from there. This is especially useful when you are looking for something that falls near the end of the configuration. For Example:
MyRouter# show run | begin ospf
router ospf 1
 router-id 100.100.100.100
 log-adjacency-changes
 redistribute connected metric 50 subnets
 network 172.31.0.0 0.0.255.255 area 0
 neighbor 172.31.8.2
[further output omitted]
However, be careful because the "begin" option may start the display sooner than you wanted.
For instance, in the above example, we wanted to see only the commands under OSPF router configuration. But if the word "ospf" appeared earlier in the config, such as under an interface, then the router would have displayed the configuration beginning there. You might still end up paging through several screens to get to where you wanted. In cases like that, you may want to use a combination of keywords that gets you to the unique location you desire. For Example:
Router# show run | begin ospf
 ip ospf network non-broadcast
 cdp enable
That command started the display at an interface's configuration, the first place it found the word "ospf". To skip down to the router ospf section, make the pattern more specific, as in the following command (you could also have used "show run | begin ospf 1"). On releases that have it, "show run | section router ospf" avoids the problem entirely: it prints only the matching section with its indented lines and stops where the section ends, instead of running on to the end of the configuration.
Router# show run | begin router ospf
router ospf 1
 log-adjacency-changes
 redistribute connected metric 50 subnets
 network 172.31.0.0 0.0.255.255 area 0
[further output omitted]
Include Keyword
Include displays any line that includes the value specified. This can be useful in displaying parts of the configuration but is probably most useful when displaying the output from more dynamic show commands. Following are two examples of possible uses for this command. In the first example, you want to see all of your frame-relay map statements. Without using the pipe, your options would be to look at the configuration for each interface or to look at the output from the "show frame-relay map" command. But neither would give you the information as succinctly as the following command:
Router# show run | include frame-relay map
 frame-relay map ip 172.31.1.1 111 broadcast
 frame-relay map ip 172.31.1.2 112 broadcast
 frame-relay map ip 172.31.2.1 121 broadcast
As another example, suppose you need to see how much memory has been allocated to all the various OSPF processes. To avoid scrolling through pages of output, modify the command so that the router displays only the OSPF information (note that the word OSPF is in capitals in the output of the show command, and so it must be in capitals following the pipe.)
Router# show memory allocating-process totals | include OSPF
0x034C7652    65580      1  OSPF lsdb
0x034C76B8    20044      1  OSPF path
0x034D28AA    10368     24  OSPF Router
0x034D406A     3324     29  OSPF Router
[some output omitted]
Exclude Keyword
Exclude is the opposite of include: it displays every line that does not match the value, which is handy for hiding noise such as the "!" separator lines.
Grep Keyword
The begin, include, and exclude arguments are already regular expressions, so you can anchor a pattern ("^interface", for example) without any separate grep keyword. Classic IOS has no grep filter; a grep filter, with -v to show the lines that do not match, is found on NX-OS and similar CLIs rather than on IOS.
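To make the difference between the filters concrete, here is an added Python model of the begin, include, exclude, and section filters run over a constructed running-config excerpt. This is example code written for this page, not IOS code or anything from the sources the tips were gathered from. It reproduces the begin pitfall just described: the first "ospf" is under an interface, so "begin ospf" starts there, while "begin router ospf" and "section router ospf" land on the routing process. The section behaviour is a model of the documented filter (a top-level line and its indented lines, kept when any of them matches), not a copy of the IOS implementation.

```python
import re

# Constructed running-config excerpt, not captured from a device. It
# reproduces the pitfall described above: the first "ospf" is under an
# interface, well before the "router ospf 1" section.
SAMPLE_CONFIG = """\
hostname MyRouter
!
interface Serial0
 ip address 172.31.8.1 255.255.255.0
 ip ospf network non-broadcast
 cdp enable
!
router ospf 1
 router-id 100.100.100.100
 log-adjacency-changes
 redistribute connected metric 50 subnets
 network 172.31.0.0 0.0.255.255 area 0
 neighbor 172.31.8.2
!
ip route 0.0.0.0 0.0.0.0 172.31.8.2
end"""


def split_sections(lines):
    """Group lines into (header, body) pairs: a top-level line plus the
    indented lines under it. Separator lines ('!') form empty sections."""
    sections = []
    for line in lines:
        if line.startswith(" ") and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def pipe(output, keyword, pattern):
    """Model of IOS 'show ... | <keyword> <pattern>'.

    As on IOS the pattern is a regular expression, matched
    case-sensitively and unanchored against each line.
    """
    lines = output.splitlines()
    rx = re.compile(pattern)
    if keyword == "begin":
        # From the FIRST matching line to the end, wherever that line is.
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if keyword == "include":
        return [ln for ln in lines if rx.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if keyword == "section":
        # Model of the 'section' filter: keep a whole section when its
        # header or any line inside it matches; print nothing past it.
        out = []
        for header, body in split_sections(lines):
            if rx.search(header) or any(rx.search(b) for b in body):
                out.append(header)
                out.extend(body)
        return out
    raise ValueError("unknown filter keyword: %s" % keyword)


if __name__ == "__main__":
    for kw, pat in (("begin", "ospf"), ("begin", "router ospf"),
                    ("section", "router ospf"), ("include", "ospf"),
                    ("include", "OSPF")):
        print("show run | %s %s" % (kw, pat))
        print("\n".join(pipe(SAMPLE_CONFIG, kw, pat)) or "(no output)")
        print()
```

Run it and compare the five listings: "begin ospf" drags in the rest of the interface and the static route, "include OSPF" returns nothing because the match is case-sensitive, and only "section router ospf" returns exactly the routing process.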
Do Commands under Config
A wonderful command introduced in version 12.2(8)T is the do command. The do command allows you to execute EXEC commands (such as show, clear, and debug commands) while configuring your router. You can do EXEC-level commands from global configuration mode or any configuration submode. After the EXEC command is executed, the system will return to the configuration mode you were using.
The following shows the show running-config interface command issued from interface configuration mode. Without do, this command is available only in privileged EXEC mode.
Router(config-if)# do show run interface atm2/0
Building configuration...

Current configuration : 133 bytes
!
interface ATM2/0
 ip address 192.1.3.254 255.255.255.0
 no atm ilmi-keepalive
 pvc 0/50
  protocol ip 192.1.3.1 broadcast
!
end
Router(config-if)#
Alias Commands
A neat little IOS feature that is worth writing about is the alias command. The alias command allows us to convert those long, frequently-used commands to just a few keystrokes. In the following example, we have created an alias that executes the command "show ip interface brief" by simply typing sb.
Router(config)# alias exec sb show ip interface brief
Router(config)# exit
Router# sb
Interface          IP-Address    OK? Method Status  Protocol
FastEthernet0/0    10.1.1.1      YES NVRAM  up      up
Serial0/0          unassigned    YES NVRAM  up      up
Serial0/0.1        10.1.2.1      YES NVRAM  up      up
FastEthernet0/1    10.2.2.1      YES NVRAM  up      up
Serial0/1          unassigned    YES manual down    down
Ethernet1/0        10.3.3.1      YES NVRAM  up      up
Use Descriptions and Remarks
In the router's configuration, there are certain commands that let you document various portions of a configuration. For example, the interface description command, an access-list remark command, or a banner message. All of these commands stay within the router configuration, which helps greatly when you are trying to configure or troubleshoot a router.
Here's an example of a description on an interface:
! Here is an interface description.
! Document as much about the interface as possible
interface Serial0
 description Connection To Irvine: Wan ID [23499]
The available banner messages are the message of the day, or MOTD, login, incoming, and exec. Consult the documentation or Cisco IOS in a Nutshell for a description of each. Here is an example of the MOTD banner, which is the first message a person sees when connecting to the device:
MyRouter(config)# banner motd #
Enter TEXT message. End with the character '#'.
Welcome to MyRouter.
Some legalese should go here about unauthorized access.
#
The remark statement in an access-list is a relatively new feature; it first appeared in IOS 12.0(2)T. This handy command lets you make an entry in your access-list that describes what you are trying to accomplish. A remark can be up to 100 characters long, and remarks work for both numbered and named access-lists.
access-list 1 remark Permit our private network through the list
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 remark Just deny everything else
access-list 1 deny any
You might be wondering about commenting a configuration with the "!" symbol. Yes, you can comment a configuration with a "!" as I have done in the above examples. However, these comments do not stay in the router configuration. They are great when you are working on a configuration offline in a text editor. (Where you plan to upload the configuration to a router.) However, these "!" comments will get lost when you send the configuration to the router because the router ignores them.
Reload In The Future
No matter how well you plan an upgrade, you are eventually going to need to change a router configuration remotely. If you make a mistake and can no longer get to the router because of the change you made, you have to make the embarrassing call to someone to go "hit the power." The power cycle takes the router back to the original starting configuration because your change was never saved. In other words, since you lost connection, you couldn't type "copy run start" to save your changes.
One of the classic mistakes (I know because I have done it myself a number of times) is to incorrectly update an access-list on an interface when you are connected to the device remotely. And suddenly, the Telnet connection is dropped to the router because of a forgotten list entry that would permit your incoming connection.
There is another way. When you are doing something tricky, you can use the following feature of the reload command, which causes the router to reboot in a certain number of minutes. For example, let's tell the router to reboot in three minutes. Schedule it before you start changing anything: if the running configuration already differs from startup when you issue reload, the router asks whether to save, and answering yes would make the broken configuration the one it falls back to.
MyRouter# reload in 3
Reload scheduled in 3 minutes
Proceed with reload? [confirm]y
Now we have three minutes to do what we need to do. Let's say we are applying an access-list to serial0.
MyRouter# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
MyRouter(config)# interface serial0
MyRouter(config-if)# ip access-group 110 in
MyRouter(config-if)# ^Z
MyRouter#
We made the change and everything still works (well, at least our connection wasn't dropped). Now all we have to do is cancel the impending reload with the following command, and then save with copy run start once we are satisfied with the change:
MyRouter# reload cancel
Use show reload to confirm that nothing is still scheduled.
Or, if our access-list update did destroy our connection to the router, all we need to do is wait three minutes (plus the router's reload time) before the router is back online. After the reload, the router uses the original saved configuration before our access-list change.
Limiting EXEC Interruptions
If the router has a message for you, it displays it immediately, even if that means interrupting something you were typing; you are then left finishing your command at the end of the router's message. The command logging synchronous under the console line configuration corrects this: the router still displays its message, but redisplays the partial command you were typing when it is done. To turn off logging messages to the console altogether, enter no logging console in global configuration mode. Note that this may cause you to miss important messages from the router; a gentler option is logging console followed by a severity level, which suppresses only the messages below that level.
Router(config)# ^Z
Router# clo
00:07:31: %SYS-5-CONFIG_I: Configured from console by console
(the router is waiting for the rest of your input at the next character; the user presses [Enter])
% Incomplete command.

Router# config terminal
Router(config)# line con 0
Router(config-line)# logging synchronous
Router(config-line)# ^Z
Router# clo
00:08:39: %SYS-5-CONFIG_I: Configured from console by console
Router# clo
(the router retyped the partial command and is waiting for your input)
Stopping Domain Lookups
This is often an annoying problem. Mistype a command and the router thinks you just typed a hostname. For example:
MyRouter# shwo
Translating "shwo"...domain server (10.1.1.1)
% Unknown command or computer name, or unable to find computer address
MyRouter#
Here we just mistyped the word show. We didn't want to telnet to a device named "shwo". You can turn off the DNS lookup with no ip domain-lookup in global configuration mode (note the hyphen):
MyRouter(config)# no ip domain-lookup
Now the mistyped keyword is rejected immediately instead of triggering a DNS query and a telnet attempt:
MyRouter# shwo
              ^
% Invalid input detected at '^' marker.
If you would rather keep name resolution on the router (to ping by hostname, for example), leave domain-lookup enabled and instead disable the implicit telnet with transport preferred none on the console and vty lines.
Other useful show commands
Configuration of a router is only half the battle. Without a good toolbox of show commands, configuring your router properly will be very difficult. Throughout the tutorial section of my book, I tried to include the appropriate show commands for each topic.
Here are some of the most useful show commands that you should have at a minimum. Of course, the bias here is towards IP.
Displays the entire ARP (Address Resolution Protocol) table, which maps IP addresses to MAC addresses.
# show ip arp
This command gives a good amount of information: the IOS version you are running (the first thing to check against security advisories), the available interfaces, the system uptime, the last reload reason, and the configuration register setting.
# show version
Displays information about the currently running routing protocols.
# show ip protocols
The old standby, which displays the entire IP route table.
# show ip route
Gives a very useful summary of the IP route table.
# show ip route summary
Gives a summary of each interface from the IP level.
# show ip interface
A very brief summary of each interface.
# show ip interface brief
An extensive summary of IP traffic statistics on the router.
# show ip traffic
This useful command not only shows all the currently configured access-lists, it also shows the number of hits each line has received. You can use this information to troubleshoot your access-lists and to spot lines that never match.
# show access-lists
Assuming you have CDP enabled, this command reports the Cisco devices directly connected to this one. CDP stands for Cisco Discovery Protocol, which can be an invaluable troubleshooting tool; it also advertises platform, software version and addresses to anyone listening on the segment, so disable it on untrusted interfaces with no cdp enable.
# show cdp neighbors
This command gives even more information about CDP neighbors.
# show cdp neighbors detail
The last two are PIX/ASA firewall commands rather than IOS commands; on an IOS router doing NAT, the equivalent of the first is show ip nat translations. This gives you a list of current translations if you are using NAT or PAT.
# show xlate
A list of the current connections through the firewall. Combined with the previous command, if you are using NAT/PAT, you can trace which machine is making which connection.
# show conn
Router/Firewall
PPPoE
Stolen from http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00801055dd.shtml
These are PIX OS commands (the PPPoE client arrived in PIX 6.2), taken from the configuration example linked above. Configure the VPDN group first, then the credentials, and only then enable PPPoE on the outside interface.
Define the VPDN group used for PPPoE and have it request a PPPoE dial-out session:
vpdn group pppoex request dialout pppoe
Associate the username the ISP assigned to you with the VPDN group:
vpdn group pppoex localname cisco
Define the PPP authentication protocol (PAP here; use chap or mschap if that is what the ISP runs):
vpdn group pppoex ppp authentication pap
Create the username and password pair for the PPPoE connection (supplied by your ISP):
vpdn username cisco password *********
Enable PPPoE client functionality on the outside interface; it is off by default. The setroute option installs the default route learned from the ISP if no default route is configured; omit it if you manage the default route yourself:
ip address outside pppoe setroute
When VPN Fails
Purposely clears the IPsec security associations. Usually used during debugging, when you want to clear the SAs, generate interesting traffic, and then watch with debug as the tunnel endpoints renegotiate; this aids in spotting problems. Note that clear is an EXEC command, not a configuration command, and that tunnel traffic is dropped until the new SAs come up:
Switch# clear crypto ipsec sa
IP ARP Problems
If you move an IP address to a new machine, the stale ARP entry for that IP has to go before the new host is reachable. First find the interface the entry sits on and its name with show arp:
Switch# show arp
Then remove the entry for the IP. On a PIX, "no arp interface ip" in configuration mode removes a static ARP entry for that address on the named interface (here the dmz interface); a dynamically learned entry is flushed with "clear arp". On IOS the equivalent is "clear ip arp address" or "clear arp-cache" from EXEC mode.
Switch(config)# no arp dmz 12.47.219.32
Once the entry is gone, the host will start responding to pings again.
Switch
Monitoring Ports
Configuring SPAN is pretty simple. Keep in mind that there are a number of "rules" for source and destination ports. You also need to understand how SPAN interacts with other protocols, such as STP, VTP, and CDP. I recommend reading the Cisco SPAN documentation for your switch platform before you begin.
Here's an example for configuring SPAN. Let's say we want to mirror all traffic going to and from the first 23 Ethernet ports on a 24-port switch. Then we want to send copies of all that traffic to port 24 for protocol analysis. Here's what we would do:
Switch(config)# monitor session 1 source interface FastEthernet0/1 - 23 both
Switch(config)# monitor session 1 destination interface FastEthernet0/24
Keep in mind that mirroring a lot of traffic can be very performance intensive for the switch, and that the destination port hands every mirrored frame, cleartext credentials included, to whatever is plugged into it, so control physical and logical access to that port. Make sure you disable all monitoring when you are finished. Here's an example:
Switch(config)# no monitor session 1
You can use the show monitor command to check the status of monitoring. Here's an example:
Switch# show monitor
Just about everyone uses switching today. That's why it's important that you know how to perform port mirroring by enabling SPAN on Cisco switches so you can monitor traffic.
NOTE: Commands prefaced with # are to be run in EXEC mode, while commands prefaced with (config)# should be run in CONFIG mode.
Allow ICMP in your access-lists
The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall.
For example, you just configured an access-list on your DSL link for your home router. All of a sudden, when you send big transmissions like a large email attachment, you find your connections timing out or closing unexpectedly. Unsure, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You ask yourself what happened as you review the access-list. Well, the problem is as simple as not permitting ICMP through your list.
As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. But in reality, it plays a very important role. In the problem I just described, it sounds like an MTU (Maximum Transmission Unit) or source-quench problem, which means the ICMP information isn't getting through the access-list. Either way, add the following commands to your access-list and your problems might go away:
! allow pings into the network
access-list 110 permit icmp any any echo
! allow ping responses
access-list 110 permit icmp any any echo-reply
! allow ICMP source-quench
access-list 110 permit icmp any any source-quench
! allow path MTU discovery
access-list 110 permit icmp any any packet-too-big
! allow time-exceeded, which is useful for traceroute
access-list 110 permit icmp any any time-exceeded
! deny all other ICMP packets
access-list 110 deny icmp any any
Two caveats: packet-too-big (ICMP type 3, code 4) is the line that fixes the stalled-transfer symptom, so keep it even if you tighten the rest; and source-quench has since been deprecated (RFC 6633), so modern hosts ignore it and the line mostly serves as a hit counter. If not every inside host needs to be pingable from the Internet, narrow the echo line to the hosts that should be.
Allow DNS through your firewall
A second common access-list pitfall is forgetting to allow DNS (Domain Name System) replies from the provider's DNS servers back to your internal network. Mainly this is a problem on home or small-office routers where you are not running an internal DNS server.
The following lines allow DNS replies from the outside DNS servers to your hosts: UDP from the servers' port 53 (domain) to the unprivileged port the resolver used for its query. In this example, our outside DNS servers are 172.16.1.1 and 172.30.1.1.
access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023
Note what this does and does not do: it trusts anything that arrives from those two addresses with source port 53, which a spoofer can forge, and it does not cover DNS over TCP, which resolvers fall back to for responses too large for UDP. A stateful mechanism such as a reflexive access-list or the IOS Firewall "ip inspect" feature admits only replies to queries the router actually saw leave, and is the better fit where the platform supports it.
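The two fragments above are easiest to reason about by watching packets hit them. Here is an added Python evaluator, example code written for this page rather than IOS code, that parses the ICMP and DNS lines of access-list 110 into a first-match list and reports the verdict for constructed inbound packets: a ping, a packet-too-big, an ICMP redirect, a DNS reply from 172.16.1.1, a DNS reply from a server not on the list, a DNS-over-TCP reply, and a UDP reply aimed at port 1023. The packet addresses (192.0.2.10, 203.0.113.53) and the two remark lines are assumptions; the parser covers only the syntax that appears on this page (any/host/wildcard addresses, eq/gt/lt ports, named ICMP types).

```python
import ipaddress
from collections import namedtuple

# Constructed packet: proto is "icmp", "tcp" or "udp"; src/dst are ints;
# sport/dport/icmp_type are None where they do not apply.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type")

# The ICMP and DNS fragments from this page joined into one inbound list.
# The two remark lines are assumed; they document intent and match nothing.
ACL_110 = """\
access-list 110 remark ICMP needed for ping, PMTUD and traceroute
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
access-list 110 remark DNS replies from the provider's resolvers only
access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023
"""

PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23}


def ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (matcher, next i)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        h = ip(tok[i + 1])
        return (lambda a: a == h), i + 2
    net, wild = ip(tok[i]), ip(tok[i + 1])
    care = ~wild & 0xFFFFFFFF            # wildcard bit 1 means "don't care"
    return (lambda a: (a & care) == (net & care)), i + 2


def _port(tok, i):
    """Consume an optional 'eq|gt|lt N'; absent means any port."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        n = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n, "lt": lambda p: p < n}
        return ops[tok[i]], i + 2
    return (lambda p: True), i


def parse_acl(text):
    """Parse extended-ACL lines into ordered (line, action, matcher) tuples.
    Remarks are skipped: they live in the config but take part in no match."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        itype = tok[i] if proto == "icmp" and i < len(tok) else None

        def match(p, proto=proto, src=src, sport=sport, dst=dst,
                  dport=dport, itype=itype):
            if proto != "ip" and proto != p.proto:
                return False
            if not (src(p.src) and dst(p.dst)):
                return False
            if p.proto in ("tcp", "udp") and not (sport(p.sport) and dport(p.dport)):
                return False
            return not (p.proto == "icmp" and itype and itype != p.icmp_type)

        entries.append((raw, action, match))
    return entries


def evaluate(entries, pkt):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    for raw, action, match in entries:
        if match(pkt):
            return action, raw
    return "deny", "(implicit deny at end of list)"


def run_samples():
    """Verdicts for constructed inbound packets against ACL 110."""
    entries = parse_acl(ACL_110)
    me, srv, other = ip("192.0.2.10"), ip("172.16.1.1"), ip("203.0.113.53")
    samples = {
        "ping_in":   Packet("icmp", other, me, None, None, "echo"),
        "pmtud":     Packet("icmp", other, me, None, None, "packet-too-big"),
        "redirect":  Packet("icmp", other, me, None, None, "redirect"),
        "dns_reply": Packet("udp", srv, me, 53, 40000, None),
        "rogue_dns": Packet("udp", other, me, 53, 40000, None),
        "dns_tcp":   Packet("tcp", srv, me, 53, 40000, None),
        "low_port":  Packet("udp", srv, me, 53, 1023, None),
    }
    return {name: evaluate(entries, p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-10s %s" % (name, verdict))
```

The redirect is dropped by the explicit deny icmp any any, while the rogue DNS reply and the TCP reply fall all the way through to the implicit deny, which is why a line like "deny ip any any log" at the end of a real list is worth having: it turns those silent drops into a hit counter and a log message.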
Erasing an Interface Config
When you need to change the configuration of an interface, you typically have to remove the unwanted parts of the existing configuration line by line by putting a “no” in front of each line. If you have a lot of changes, or if you need to completely redo the configuration, it’s faster to just reset the interface to its original, default configuration. This removes all existing commands and shuts down the interface.
MyRouter# show run interface s1
interface Serial1
 no ip address
 encapsulation frame-relay
 clock rate 800000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial2 201
 frame-relay route 103 interface Serial3 301
Use the command default interface to restart from a clean state.
MyRouter(config)# default interface s1
Building configuration...
Interface Serial1 set to default configuration
*Feb 28 19:04:56: %LINK-3-UPDOWN: Interface Serial1, changed state to down
MyRouter(config)# ^Z
MyRouter# show run interface s1
interface Serial1
 no ip address
end
Set Trunking Mode on a Port
Switch(config)# interface FastEthernet0/0
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# exit
The encapsulation command exists only on switches that also support ISL; on dot1q-only platforms (the 2960, for example) it is absent and you go straight to switchport mode trunk. Add switchport nonegotiate if the port should trunk without running DTP, and remember that a port left in the default dynamic mode can be talked into trunking by a neighbour that speaks DTP, so put unused ports in access mode or shut them down.
Set ISL Trunking Mode for IP Phones
Switch(config)# interface FastEthernet0/0
Switch(config-if)# no switchport mode access
Switch(config-if)# switchport trunk encapsulation isl
Switch(config-if)# switchport voice vlan x
Switch(config-if)# switchport access vlan y
Switch(config-if)# exit
Here x is the voice VLAN the phone tags its traffic into and y is the data VLAN for the PC plugged into the phone. Cisco IP phones tag voice frames with 802.1Q, not ISL, so on current platforms the usual recipe is an access port with switchport access vlan y and switchport voice vlan x and no trunk encapsulation command at all; use the ISL form only if the documentation for your switch and phones calls for it.
Daylight Saving Time (DST) Changes
Starting in 2007, the United States changed its daylight saving rules (second Sunday in March to first Sunday in November). Cisco IOS images built before the change carry the old rule in the default clock summer-time ZONE recurring command, so a device left on that default produces timestamps (syslog, debug output, certificate validity checks) that are off by one hour for several weeks each year, which breaks log correlation during an investigation. Either upgrade to an image that knows the new rule or state the rule explicitly, after setting the base zone with clock timezone:
Switch(config)# clock summer-time EDT recurring 2 Sunday March 02:00 1 Sunday November 02:00 60
The trailing 60 is the offset in minutes. Verify the result with show clock detail.