Archive for the ‘Cisco configuration’ Category

5 Magic Cisco tips & tricks aka magic IOS commands

Monday, September 15th, 2008

I have been working a lot for several years, and now I want to share some of my best tips for working faster and more efficiently on Cisco routers in Cisco IOS.

I posted earlier about the ‘do’ command, but I am going to include it here because it is so darn practical.

So without further ado, here is the list, in no particular order.

  1. ‘do’ in config mode
    This is one of the biggest time savers, and few people seem to know about it, so use it!
    It lets you run exec commands from global configuration mode and from any sub-mode (interface, router, line and so on) without leaving it.
  2. include, exclude and begin
    Ever wanted to find something in the configuration? Or maybe you want to see some of the output, but not all of it?
    Use include or exclude, for example you can do

    Router1(config)# do show running-config | include ip_address

    This will print every line containing 'ip address' in your running configuration. The underscore stands for a space (strictly, for a space, comma, brace, parenthesis or the beginning or end of the line), and in the same way you can do

    Router1(config)# do show running-config | exclude password

    This will drop every line that has the word 'password' in it, which is useful if you are showing the configuration to someone, or you can even do

    Router1(config)# do show running-config | exclude (password|secret)

    This will drop every line containing EITHER password or secret, since the pattern is a regular expression. (Keep in mind that type 7 passwords are only obfuscated and trivially reversible, so filtering these lines out before sharing a configuration is the minimum you should do.)
    begin is the third modifier: it prints from the first matching line to the end of the output, which is handy for jumping straight to the line vty section of a long configuration.
    The same regular expressions work on any show command, so even show interfaces | include (^Vlan|Internet_address|packets\/sec) is valid. It gives you the header line of every Vlan interface together with the Internet address and packets/sec lines, but note that the last two patterns match those lines for every interface, not only the Vlans.

  3. alias ps
    Use aliases, do you ever run the same commands a thousand times?
    I have at least these aliases in place on all my equipment:

    alias exec sb show ip int brief
    alias exec ps sh proc cpu | excl 0.00%__0.00%__0.00%

    The first one gives you the interface summary as sb. The second shows CPU usage per process as ps, but hides every process that has been idle in all three columns (5 seconds, 1 minute, 5 minutes), so only the processes that actually burn CPU are left.

  4. time-range command

    time-range Workhours
    periodic weekdays 8:00 to 16:00
    !
    ip access-list extended Permission-To-Internal-Server-In-Work-Hours
    permit tcp any host 10.0.0.5 eq www time-range Workhours
    deny tcp any host 10.0.0.5 eq www
    permit ip any any

    This allows web access to 10.0.0.5 between 8am and 4pm on weekdays and denies it outside those hours; everything else is permitted. Remember that the access list does nothing until it is applied to an interface with ip access-group, and that a time-range is only as trustworthy as the router's clock, so keep it synchronised with NTP (show clock and show time-range Workhours tell you whether the range is currently active).

  5. Redistribute default gateway route into OSPF
    A lot of people are wondering about this one too.

    Router1(config-router)# default-information originate always

    This is done under 'router ospf' in global configuration. Without the always keyword the router only advertises a default route while it has one in its own routing table (for example a static 0.0.0.0/0 towards the ISP); with always it advertises one unconditionally, which means it keeps attracting traffic for all unknown destinations even when its own uplink is gone. Use always only on a router that really should be the default exit no matter what.
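As an added example for tip 2 (my own Python, not code from the original post), here is a small emulation of the include, exclude and begin output modifiers, including the IOS rule that an underscore in the pattern stands for a space, comma, brace, parenthesis or line boundary. It lets you test a filter expression offline against a saved configuration before typing it on a production box. The running-config it filters is a constructed sample, not a real device's configuration.

```python
import re

# In IOS regular expressions "_" matches a comma, brace, parenthesis,
# space, or the beginning/end of the line. Translate that before handing
# the pattern to Python's re module. (Simplification: an "_" inside a
# character class is translated too, which IOS would not do.)
IOS_UNDERSCORE = r"(?:[,{}() ]|^|$)"

# Constructed sample of a running-config, not taken from a real router.
RUNNING_CONFIG = """\
hostname Router1
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
!
interface FastEthernet0/0
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan10
 ip address 10.0.20.1 255.255.255.0
!
line vty 0 4
 password 7 0822455D0A16
 login
!
end"""


def ios_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IOS output-modifier pattern as a Python regex."""
    return re.compile(pattern.replace("_", IOS_UNDERSCORE))


def ios_filter(output: str, modifier: str, pattern: str) -> list[str]:
    """Emulate `show ... | include|exclude|begin PATTERN` on captured output."""
    rx = ios_regex(pattern)
    lines = output.splitlines()
    if modifier == "include":
        return [line for line in lines if rx.search(line)]
    if modifier == "exclude":
        return [line for line in lines if not rx.search(line)]
    if modifier == "begin":
        # begin: everything from the first matching line to the end
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    raise ValueError(f"unknown modifier: {modifier}")


if __name__ == "__main__":
    for args in (("include", "ip_address"),
                 ("exclude", "(password|secret)"),
                 ("begin", "line_vty")):
        print(f"--- | {args[0]} {args[1]}")
        print("\n".join(ios_filter(RUNNING_CONFIG, *args)))
```

The pattern `^interface_Vlan` shows why the underscore matters: it anchors on the real line layout instead of on a literal space, exactly as it does on the router.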

Configuring a Cisco 7200 as a DNS server

Saturday, September 13th, 2008

I noticed some commands insinuating that I could use a 7200 as a DNS server, and I managed to use the Cisco 7200 as a DNS server for my .lan domain. :)

This is how I configured it

ISP(config)#ip dns primary lan soa ns.nic.lan holm.blackedge.org 30 30 30
ISP(config)#ip dns server
ISP(config)#ip host ns.nic.lan 172.16.1.200
ISP(config)#ip host ns2.nic.lan 172.16.1.1

The ip dns primary command defines the zone (lan) and its SOA record: the primary name server, the responsible mailbox (holm.blackedge.org is holm@blackedge.org written the zone-file way) and the refresh, retry and expire timers.
The ip dns server command enables the DNS server.
The ip host commands add the A records to the zone.

To verify the configuration on another router:

IXPeer(config)#ip name-server 172.16.1.200
IXPeer#ping ns.nic.lan
Translating “ns.nic.lan”…domain server (172.16.1.200) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.200, timeout is 2 seconds:
!!!!!
IXPeer#ping ns2.nic.lan
Translating “ns2.nic.lan”…domain server (172.16.1.200) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
IXPeer#

Note that the second ping fails because 172.16.1.1 did not answer, but the name lookup itself succeeded (Translating ... [OK]), which is what this test is about. This is a simple way to get local DNS resolution on a Cisco 7200 router! Be aware that with ip dns server the router answers DNS queries on every interface it has an address on, so if the box is not purely internal, restrict who can reach UDP port 53 on it with an access list.

Configuration registers on Cisco IOS

Thursday, September 11th, 2008

Oh man, I forget these all the time – so I will summarize them here:
This is a boring post for all of you not in need of this information, feel free to skip! ;)

  • 0x102
    Ignores break, boots from flash, 9600 baud
  • 0x1202
    Break enabled, boots from flash, 2400 baud (bit 12 only; 1200 baud needs bits 12 and 11, i.e. 0x1802)
  • 0x2101
    Boots the helper image in ROM (boot field 1), ignores break, boots into ROM if the initial boot fails, 9600 baud
  • 0x2102
    Ignores break, boots into ROM if the initial boot fails, 9600 baud; the default on most platforms
  • 0x2120
    Boots into the ROM monitor (boot field 0), ignores break, 19200 baud
  • 0x2122
    Ignores break, boots into ROM if the initial boot fails, 19200 baud
  • 0x2124
    Boot field 4 (boot system commands, else a default netboot filename), ignores break, boots into ROM if the initial boot fails, 19200 baud
  • 0x2142
    Ignores break, boots into ROM if the initial boot fails, ignores NVRAM (bit 0x40: the startup configuration is skipped at boot, which is the password-recovery setting), 9600 baud
  • 0x2922
    Ignores break, boots into ROM if the initial boot fails, 38400 baud
  • 0x3122
    Ignores break, boots into ROM if the initial boot fails, 57600 baud
  • 0x3902
    Ignores break, boots into ROM if the initial boot fails, 1200 baud (bits 12 and 11 without bit 5; 115200 baud is 0x3922)

To find your configuration register just type (funny one): show ver | include ion_reg
To set it from IOS just type in global config mode: config-register <new register>
The new value only takes effect at the next reload. The security-relevant bit is 0x40: anyone with console access can set it from ROMMON, boot the router with an empty configuration and then read or overwrite the saved one, which is exactly how password recovery works. For equipment in less trusted locations look at no service password-recovery, and after any recovery make sure the register is back to 0x2102.

Configuring IPv6 OSPF routing in Cisco IOS

Wednesday, September 10th, 2008

Hi guys! it’s time for me to write about configuration of OSPF IPv6 routing in Cisco IOS.
I will use example addresses from my workplace for this tutorial.
This is really simple. First make sure IPv6 routing is enabled globally (ipv6 unicast-routing), then configure the IPv6 addresses on the interfaces.

Router1
Router1(config)# interface fastethernet 0/0
Router1(config-if)#ipv6 address 2001:1ad8::1/126

Router2
Router2(config)#int fa 0/0
Router2(config-if)#ipv6 address 2001:1ad8::2/126

Verify the IPv6 connectivity with ping:
Router2#ping ipv6 2001:1ad8::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:1AD8::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/20 ms

Set a nullroute to redistribute to IPv6 OSPF, and configure IPv6 OSPF routing on Router1:
Router1(config)#ipv6 route 2001:1ad8:500::/64 null 0
Router1(config)# interface fa 0/0
Router1(config-if)#ipv6 ospf 1 area 0
Router1(config-if)#ipv6 router ospf 1
Router1(config-rtr)#redistribute static

Do the same thing on Router2, except for the static route and redistribution. Note that OSPFv3 needs a 32-bit router ID; here it is taken from an IPv4 address on the box (172.16.1.1 shows up as the neighbor ID below). On an IPv6-only router you have to set one yourself with router-id under ipv6 router ospf 1, or the process will not start.
Router2(config)#int fastethernet 0/0
Router2(config-if)#ipv6 ospf 1 area 0

Now verify the IPv6 OSPF router neighborship
Router2#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
172.16.1.1        1   FULL/BDR        00:00:31    4               FastEthernet0/0

Check for the route
Router2#sh ipv6 route ospf  | include ^O
OE2  2001:1AD8:500::/64 [110/20]

OE2 means an OSPF external type-2 route, and [110/20] is the administrative distance (110) followed by the metric (20, the default for redistributed routes).

As always, seems like you are afraid of the comment box, I know you’re there, now speak! ;)

Configuring Cisco redistribution of OSPF to BGP with community filtering route-map

Tuesday, September 9th, 2008

I was wondering about something to write about, and I hope this is an interesting subject.
If there is anything you want me to write about, or something you wonder about or think I am mistaken about, please don’t be shy.. Just use the comment box! :-)

Quick overview:

Router1
ASN: 1
Prefix from OSPF: 192.168.0.0/24
IP for BGP: 172.16.1.1/24

Router2
ASN: 2
IP for BGP: 172.16.1.200/24

Verify OSPF route
Router1#sh ip route | include ^O
O E2 192.168.0.0/24 [110/20] via 10.0.10.2, 00:02:10, FastEthernet0/0

Redistribute OSPF route to BGP table with a community
I created a prefix-list to match the prefixes in the route-map:
ip prefix-list ourPrefixes seq 5 permit 192.168.0.0/24

Then I went on and created the route-map that matches this prefix-list and set the community 1:150 (65686)
route-map ospfTag permit 10
match ip address prefix-list ourPrefixes
set community 65686

Then I did redistribution of OSPF into BGP with this command (in config-router (bgp configuration)):
redistribute ospf 1 route-map ospfTag

So I go on and verify the prefix is in the BGP table with the right community:
Router1#sh ip bgp 192.168.0.0/24 | i Comm
Community: 65686

Perfect!  Now I went on to create a community list for matching the community in a route-map
ip community-list 1 permit 1:150

As you can see, the router stored it in the old 32-bit decimal format again (1 × 65536 + 150 = 65686). If you prefer to see communities as AS:value everywhere, enable ip bgp-community new-format in global configuration.
Router1(config)#do sh run | i community-list
ip community-list 1 permit 65686
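To take the guesswork out of the two community formats above, here is an added Python helper (my own code, not from the original post) that converts between AS:value and the 32-bit decimal the router prints, parses the Community: line of show ip bgp, and emulates how a standard ip community-list matches (all communities on one entry must be present, entries are tried in order, no match means deny). The well-known names are the ones IOS uses; the sample lines are constructed.

```python
import re

# RFC 1997 well-known communities and the names IOS prints for them.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,   # RFC name NO_EXPORT_SUBCONFED
}
WELL_KNOWN_NAMES = {v: k for k, v in WELL_KNOWN.items()}


def community_to_int(text: str) -> int:
    """'1:150' -> 65686. Also accepts the plain 32-bit decimal form and well-known names."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    if ":" in text:
        asn, value = (int(part) for part in text.split(":", 1))
        if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
            raise ValueError(f"both halves of {text!r} must fit in 16 bits")
        return (asn << 16) | value
    number = int(text)
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError(f"{text!r} does not fit in 32 bits")
    return number


def community_to_new_format(value: int) -> str:
    """65686 -> '1:150' (what 'ip bgp-community new-format' makes the router print)."""
    if value in WELL_KNOWN_NAMES:
        return WELL_KNOWN_NAMES[value]
    return f"{value >> 16}:{value & 0xFFFF}"


def parse_community_line(line: str) -> set[int]:
    """Parse the 'Community: ...' line of 'show ip bgp PREFIX' into a set of integers."""
    m = re.search(r"Community:\s*(.*)$", line)
    if not m:
        return set()
    return {community_to_int(tok) for tok in m.group(1).split()}


def parse_community_list(lines: list[str]) -> list[tuple[str, set[int]]]:
    """Parse 'ip community-list N permit|deny C1 [C2 ...]' lines into ordered entries."""
    entries = []
    for line in lines:
        m = re.match(r"ip community-list \S+ (permit|deny) (.+)$", line.strip())
        if m:
            entries.append((m.group(1), {community_to_int(t) for t in m.group(2).split()}))
    return entries


def community_list_matches(entries, path_communities: set[int]) -> bool:
    """Standard community-list semantics: every community on one entry must be
    present (AND); entries are tried in order (OR); no match means deny."""
    for action, wanted in entries:
        if wanted <= path_communities:
            return action == "permit"
    return False


if __name__ == "__main__":
    print(community_to_int("1:150"), community_to_new_format(65686))
    path = parse_community_line("  Community: 65686 no-export")   # constructed
    clist = parse_community_list(["ip community-list 1 permit 1:150"])
    print("route-map match community 1:", community_list_matches(clist, path))
```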

Current announcement to Router2:
Router2(config)#do sh ip bgp | i \*\>
*> 10.20.30.0/24    172.16.1.1               0             0 1 ?
*> 192.168.0.0      172.16.1.1               0             0 1 ?

So far, so good!   The 10.20.30.0/24 network is added as a twist: it should disappear once the outbound route-map is working, which is my test to see that things got applied.
Then I went on to create a route-map to match with this community list:
Router1(config)#route-map communityFilter permit 10
Router1(config-route-map)# match community 1

Then I applied the route map on to the BGP peer
Router1(config-route-map)#router bgp 1
Router1(config-router)#neighbor 172.16.1.200 route-map communityFilter out

Okay, after clearing the peer (clear ip bgp 172.16.1.200 soft out is enough for an outbound policy change, no hard reset needed), do we have one less prefix in BGP then?
Router2#sh ip bgp | i \*\>
*> 192.168.0.0      172.16.1.1              20             0 1 ?
Router2#

Voila!  Please use the comment box if you spot errors, this tutorial was written kind of in a jiffy!

Understanding Cisco BGP Best Path Selection Algorithm

Sunday, September 7th, 2008

Do you completely understand the BGP Best Path Selection?

I know I have to look it up from time to time…

In BGP running on a Cisco router, this is the process:

  • Prefer the path with the highest Weight (Cisco-specific and local to the router).
  • Prefer the path with the highest Local Preference.
  • Prefer the path that was locally originated: paths from the network or redistribute command win over paths from the aggregate-address command, and both win over paths learned from a neighbor.
  • Prefer the path with the shortest AS_PATH.
  • Prefer the lowest origin type: IGP over EGP, and EGP over incomplete (the ? in show ip bgp).
  • Prefer the path with the lowest MED (‘MED is cost’, so lower is better). By default MED is only compared between paths from the same neighboring AS, unless bgp always-compare-med is configured.
  • Prefer eBGP paths over iBGP paths.
  • Prefer the path with the lowest IGP metric to the BGP next hop.
  • Now check whether several equal paths remain and whether maximum-paths (multipath) is configured; if so, they are all installed.
  • If both paths are eBGP, prefer the oldest one (the one received first). This step is skipped if there is no current best path or if bgp bestpath compare-routerid is configured.
  • Prefer the path received from the BGP router with the lowest router ID (with route reflectors, the ORIGINATOR_ID if present).
  • (Route reflectors) If the originator or router ID is the same, prefer the path with the shortest cluster list.
  • Finally, prefer the path received from the lowest neighbor address.
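To make the ordering concrete, here is an added Python model of the selection (my own code, not Cisco's implementation and not from the original post) that walks the steps above in order and reports which step decided. The candidate paths are constructed, the MED and AS_PATH knobs are left at their defaults, and multipath is only noted in a comment.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}          # IGP < EGP < incomplete
SOURCE_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, "learned": 2}


@dataclass
class BgpPath:
    neighbor: str              # address the path was received from
    router_id: str             # router ID / ORIGINATOR_ID of the advertising router
    as_path: list
    weight: int = 0
    local_pref: int = 100
    source: str = "learned"    # network | redistribute | aggregate | learned
    origin: str = "i"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0        # IGP metric to the BGP next hop
    received_seq: int = 0      # lower = received earlier (older)
    cluster_list_len: int = 0


def _keep_min(paths, key):
    """Keep only the paths sharing the smallest value of key()."""
    best = min(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def best_path(paths, compare_routerid=False):
    """Return (best path, name of the step that decided it), following the
    Cisco ordering. Multipath and the configurable MED/AS_PATH knobs are
    left at their defaults."""
    if not paths:
        raise ValueError("no paths")
    cands = list(paths)
    steps = [
        ("highest weight", lambda p: -p.weight),
        ("highest local preference", lambda p: -p.local_pref),
        ("locally originated (network/redistribute before aggregate)",
         lambda p: SOURCE_RANK[p.source]),
        ("shortest AS_PATH", lambda p: len(p.as_path)),
        ("lowest origin (IGP < EGP < incomplete)", lambda p: ORIGIN_RANK[p.origin]),
    ]
    for name, key in steps:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # MED is only compared between paths from the same neighbouring AS
    # unless 'bgp always-compare-med' is configured.
    if len({p.as_path[0] if p.as_path else None for p in cands}) == 1:
        cands = _keep_min(cands, lambda p: p.med)
        if len(cands) == 1:
            return cands[0], "lowest MED"
    tail = [
        ("eBGP over iBGP", lambda p: 0 if p.ebgp else 1),
        ("lowest IGP metric to next hop", lambda p: p.igp_metric),
    ]
    for name, key in tail:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    # (with maximum-paths configured, several of the remaining paths would be installed here)
    if all(p.ebgp for p in cands) and not compare_routerid:
        cands = _keep_min(cands, lambda p: p.received_seq)
        if len(cands) == 1:
            return cands[0], "oldest eBGP path"
    final = [
        ("lowest router ID", lambda p: int(ip_address(p.router_id))),
        ("shortest cluster list", lambda p: p.cluster_list_len),
        ("lowest neighbor address", lambda p: int(ip_address(p.neighbor))),
    ]
    for name, key in final:
        cands = _keep_min(cands, key)
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie (identical paths)"


# Constructed candidate paths for one prefix, not from a real table.
SAMPLE_PATHS = [
    BgpPath("10.0.0.1", "1.1.1.1", [65001, 65010], local_pref=100),
    BgpPath("10.0.0.2", "2.2.2.2", [65002], local_pref=200),
    BgpPath("10.0.0.3", "3.3.3.3", [65002], local_pref=200, ebgp=False),
]

if __name__ == "__main__":
    winner, why = best_path(SAMPLE_PATHS)
    print(f"best via {winner.neighbor}, decided by: {why}")
```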

Why isn’t the prefix received and installed to the routing table?
This happens from time to time, this is often because there are no IGP route to the NEXT_HOP in the BGP UPDATE.  It can also occur if the local-as is present in the AS_PATH attribute.

How can I see which prefixes are filtered, and which are received?
You can use the command neighbor 10.20.30.40 soft-reconfiguration inbound to make the router keep an unmodified copy of everything the neighbor sent, including prefixes your inbound policy rejected. Then show ip bgp neighbor 10.20.30.40 received-routes shows what was received before filtering, show ip bgp neighbor 10.20.30.40 routes shows what was accepted, and show ip bgp neighbor 10.20.30.40 advertised-routes shows what you send to that peer. The stored copy costs memory per peer, so on large full-table peers consider route refresh (clear ip bgp 10.20.30.40 soft in) instead.

Please use the comment box if you have any additions or find any mistakes, or simply just want to say hi! :)

Enabling SSH in Cisco IOS

Saturday, September 6th, 2008

Have you ever wanted to use SSH to reach your Cisco router?

Please follow these steps to enable SSH on a Cisco 7200 router.

Router(config)#hostname myrouter
myrouter(config)#ip domain-name gho.no
myrouter(config)#crypto key generate rsa general-keys

The name for the keys will be: myrouter.gho.no
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
*Sep  6 16:00:27.417: %SSH-5-ENABLED: SSH 1.99 has been enabled

The “1.99” means the server accepts both SSH version 1 and version 2 clients. SSH version 1 has well-known protocol weaknesses, so you should force version 2.

myrouter(config)#ip ssh version 2

A couple of things the router does not do for you: 1024 bits was the suggested modulus here, but use 2048 bits or more on any image that supports it (the prompt above shows the maximum your image allows); SSH also needs a way to authenticate users, so create a local account with username ... secret (or point the vty lines at AAA) and set login local on them; and telnet stays enabled until you restrict the vty lines with transport input ssh. Without that last step you have added SSH, not replaced telnet.

To verify that you are indeed running SSH version 2, issue the show ip ssh command in exec mode.

myrouter#sh ip ssh
SSH Enabled – version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

Saving time with the cisco ‘do’ command

Saturday, September 6th, 2008

This is probably the most useful and most overlooked command in Cisco IOS.

Have you ever been annoyed from having to leave config mode because you wanted to run exec commands?
Like if you are configuring an interface, and you want to look at that interface configuration?

Well, look no longer! This is what the inline help says about it:
do   To run exec commands in config mode

You can now use do show running-config interface fastethernet 2/0 while you are configuring fa 2/0!

Do you have other time saving commands?   Leave a comment!

Cisco Configuring BGP With Peer-group and Filtering Routing in IOS

Saturday, September 6th, 2008

We are going to setup a peering session from AS 65500 with 65000, and we are going to announce the prefix 10.0.0.0/8

We have the IP address 172.16.1.200, while our peer have the IP address 172.16.1.1

There are different ways of filtering routes in IOS, but we’re going to focus on filtering with prefix-lists.

First enter global configuration mode by entering: ISP# conf t

To create a BGP process with AS number 65500 enter: ISP(config)# router bgp 65500

The following commands will create a peer group named IXPeers which will use the prefix-list announceAS65500 for outbound announcements.

ISP(config-router)#neighbor IXPeers peer-group
ISP(config-router)#neighbor IXPeers prefix-list announceAS65500 out

Ideally you use an individual prefix-list per peer to control what each peer is allowed to announce into your autonomous system, but since that is a lot of administrative overhead, at the very least set a maximum-prefix limit on the IXPeers peer group so a misconfigured peer cannot flood your table.

ISP(config-router)#neighbor IXPeers maximum-prefix 10

Set this to a number of prefixes you are comfortable accepting from your peers; it is also a measure of how much you trust them. When the limit is exceeded the session is torn down (add warning-only if you only want a log message), and by default you get a warning in the log when 75% of the limit is reached.

You can set an individual maximum-prefix for each peer by entering it in the neighbor statement for the peer in question, for example:

neighbor 10.20.30.40 maximum-prefix 50

Now we are going to enter a static null route for the prefix 10.0.0.0/8, redistribute it into BGP, and create the prefix-list announceAS65500.

This static route to the virtual Null0 interface also blackholes any traffic destined for parts of your aggregate that have no more specific route, instead of bouncing it back to your upstream.

We are also going to add static routes for two more prefixes, so we can verify that the filtering works. (PS! You can apply a route-map on the redistribute command to control which prefixes enter the BGP table at all, which is better than relying on the outbound filter alone.)

ISP(config)#ip route 10.0.0.0 255.0.0.0 null 0
ISP(config)#ip route 192.168.0.0 255.255.255.0 null 0
ISP(config)#ip route 192.168.8.0 255.255.254.0 null 0
ISP(config)#ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8
ISP(config)#router bgp 65500
ISP(config-router)#redistribute static

You can now verify that the prefix 10.0.0.0/8 exists in your local BGP table.

ISP#sh ip bgp 10.0.0.0/8
BGP routing table entry for 10.0.0.0/8, version 4
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
Not advertised to any peer
Local
0.0.0.0 from 0.0.0.0 (172.16.1.200)
Origin incomplete, metric 0, localpref 100, weight 32768, valid, sourced, best

Enter BGP configuration again with router bgp 65500 in global configuration mode, and configure the peering session:

ISP(config-router)#neighbor 172.16.1.1 remote-as 65000
ISP(config-router)#neighbor 172.16.1.1 peer-group IXPeers

*Sep 6 04:43:21.207: %BGP-5-ADJCHANGE: neighbor 172.16.1.1 Up

The peering session is now established, so let us verify on the IX-Peer side which prefixes are announced. (PS! received-routes only works if the IX-Peer has neighbor 172.16.1.200 soft-reconfiguration inbound in its BGP configuration; without it, use show ip bgp neighbor 172.16.1.200 routes to see what was accepted.)

IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>
*> 10.0.0.0 172.16.1.200 0 0 65500 ?

Voila, the only network announced from 65500 is now 10.0.0.0/8!

You can now modify the prefix-list to allow other prefixes to be announced:

ISP(config)#ip prefix-list announceAS65500 seq 10 permit 192.168.0.0/24
ISP#clear ip bgp 172.16.1.1 soft out

And verification from the IXPeer

IX-Peer#sh ip bgp neighbor 172.16.1.200 received-routes | include *>

*> 10.0.0.0 172.16.1.200 0 0 65500 ?
*> 192.168.0.0 172.16.1.200 0 0 65500 ?
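One detail that bites people with prefix-lists is that an entry without ge or le matches only that exact prefix length: permit 10.0.0.0/8 lets 10.0.0.0/8 through but not 10.1.0.0/16. Here is an added Python model (my own code, not from the original post) that parses ip prefix-list lines, applies them the way the outbound filter above does to the local BGP table, and mirrors the maximum-prefix behaviour described earlier (warning at 75% by default, teardown once the limit is exceeded). The BGP table and prefix-list lines are constructed to match the post; the ge/le examples go beyond it.

```python
import re
from ipaddress import ip_network

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_lists(lines):
    """Parse 'ip prefix-list ...' config lines into {name: [entries sorted by seq]}."""
    lists = {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {
            "seq": int(m["seq"]),
            "action": m["action"],
            "net": ip_network(m["prefix"]),
            "ge": int(m["ge"]) if m["ge"] else None,
            "le": int(m["le"]) if m["le"] else None,
        }
        lists.setdefault(m["name"], []).append(entry)
    for entries in lists.values():
        entries.sort(key=lambda e: e["seq"])
    return lists


def prefix_list_permits(entries, prefix):
    """Evaluate one prefix against a prefix-list. Without ge/le an entry matches
    only that exact prefix length; ge alone allows up to the host length, le alone
    allows from the entry's length up to le. No matching entry means deny."""
    net = ip_network(prefix)
    for e in entries:
        if net.version != e["net"].version or not net.subnet_of(e["net"]):
            continue
        lo = e["ge"] if e["ge"] is not None else e["net"].prefixlen
        if e["le"] is not None:
            hi = e["le"]
        elif e["ge"] is not None:
            hi = net.max_prefixlen
        else:
            hi = e["net"].prefixlen
        if lo <= net.prefixlen <= hi:
            return e["action"] == "permit"
    return False


def outbound_announcements(bgp_table, entries):
    """Apply 'neighbor ... prefix-list NAME out' to the local BGP table."""
    return [p for p in bgp_table if prefix_list_permits(entries, p)]


def maximum_prefix_state(received, limit, threshold_pct=75):
    """Emulate 'neighbor ... maximum-prefix LIMIT': warn at the threshold (75% by
    default), tear the session down once the limit is exceeded (unless warning-only)."""
    if received > limit:
        return "teardown"
    if received * 100 >= limit * threshold_pct:
        return "warning"
    return "ok"


# Constructed sample mirroring the post: the local BGP table after 'redistribute static'.
LOCAL_BGP_TABLE = ["10.0.0.0/8", "192.168.0.0/24", "192.168.8.0/23"]
PREFIX_LIST_CONFIG = ["ip prefix-list announceAS65500 seq 5 permit 10.0.0.0/8"]

if __name__ == "__main__":
    lists = parse_prefix_lists(PREFIX_LIST_CONFIG)
    print("announced:", outbound_announcements(LOCAL_BGP_TABLE, lists["announceAS65500"]))
    lists = parse_prefix_lists(PREFIX_LIST_CONFIG +
                               ["ip prefix-list announceAS65500 seq 10 permit 192.168.0.0/24"])
    print("after seq 10:", outbound_announcements(LOCAL_BGP_TABLE, lists["announceAS65500"]))
    print("peer at 8 of 10 prefixes:", maximum_prefix_state(8, 10))
```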

Working with SDM templates on Cisco 3750 or 3560

Friday, September 5th, 2008

Sometimes we want different functionality from our layer 3 switches, someone may want a lot of VLANS, someone wants the switch to be able to have lots of routes, and someone wants to do IPv6 routing.

Luckily, Cisco has thought about this. You can use different SDM templates to divide the TCAM and memory between these functions.

To change the SDM template on the 3750, just use the following command:
switch(config)# sdm prefer (default|routing|vlan)
Here is a link to the specs: Table

On the 3560 you can also choose from access and dual-ipv4-and-ipv6
Link to specs here: Table

What you want to choose depends on what you want to do, now you know there exists a choice! Note that a new template only takes effect after a reload, so plan a maintenance window for it.