Cisco stuff

Cisco basic Config

username cisco privilege 15 password 0 cisco

Reasonable defaults for the router console

parser config cache interface

no ip domain lookup

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

transport preferred none

line vty 0 4

exec-timeout 600 0

logging synchronous

login local

transport preferred none

transport input telnet ssh
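The block above is a convenience baseline, and two of its lines are worth a second look before it goes on a production router: "password 0" stores the credential in cleartext, and "transport input telnet ssh" keeps a cleartext management protocol open. The following audit script is an added example, not part of the original page; it parses IOS configuration text into sections and flags those settings (plus a disabled idle timeout and vty lines with no login). The sample is the page's own block laid out as show running-config prints it, with a hardened variant for comparison; the check names and messages are this example's own.

```python
"""Audit a Cisco IOS configuration for weak management-plane settings.

Added example, not part of the original page: it runs a few checks a
reviewer would apply to the "reasonable defaults" block above. The sample
configuration is the page's own block laid out as 'show running-config'
prints it; the check names and messages are this example's own.
"""
import re

# Constructed sample: the basic config from the page, with line
# sub-commands indented by one space as IOS displays them.
SAMPLE_CONFIG = """\
username cisco privilege 15 password 0 cisco
parser config cache interface
no ip domain lookup
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
line vty 0 4
 exec-timeout 600 0
 logging synchronous
 login local
 transport preferred none
 transport input telnet ssh
"""

# Constructed hardened variant: hashed secret, idle timeouts, SSH only.
HARDENED_CONFIG = """\
username cisco privilege 15 secret REPLACE_ME
no ip domain lookup
line con 0
 exec-timeout 10 0
 logging synchronous
line vty 0 4
 exec-timeout 10 0
 logging synchronous
 login local
 transport input ssh
"""

# 'password <pw>', 'password 0 <pw>' and 'password 7 <pw>' are all reversible.
USERNAME_RE = re.compile(r"^username (\S+) .*\bpassword (?:\d+ )?\S+$")


def parse_sections(text):
    """Split an IOS config into (header, [sub-commands]) pairs.

    A line starting with whitespace is a sub-command of the most recent
    non-indented line; comment lines ('!') and blanks are dropped.
    """
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return (severity, location, message) findings, in config order."""
    findings = []
    for header, children in parse_sections(text):
        m = USERNAME_RE.match(header)
        if m:
            findings.append(("high", header,
                             f"user '{m.group(1)}' has a reversible password; use 'username ... secret'"))
        if header.startswith("line "):
            for cmd in children:
                if cmd == "exec-timeout 0 0":
                    findings.append(("medium", header,
                                     "idle timeout disabled; an unattended session stays logged in"))
                if cmd.startswith("transport input") and "telnet" in cmd.split():
                    findings.append(("high", header,
                                     "telnet accepted for management; credentials cross the network in cleartext"))
            if header.startswith("line vty") and not any(c.startswith("login") for c in children):
                findings.append(("high", header, "vty lines have no 'login' command"))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {where}: {msg}")
```

Run it against a saved show running-config and the three findings for the page's block come out in config order; the hardened variant produces none. The parser only understands one level of indentation, which is enough for line and interface sections.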

Introduction

Viewing the configuration of a Cisco router is usually pretty painful. The old show running-config command displays the complete configuration of the router. If you have anything more than a trivial configuration, the output runs on for a long time and it's all too easy to miss the vital line (or even section!).

There are two major tricks for dealing with show running-config output which mean you'll never have to put up with the screen-dump nightmare: using Internet Explorer, and mastering some CLI options.

Using Internet Explorer to show running configuration

Useful Information

If ip http server is enabled, you can configure a Cisco router using HTTP. Just click on the hyperlinks and away you go!

You can also view show running-config output from Internet Explorer. The IMMEDIATE benefit of this is that you can simply refresh the page (CTRL-R) to update the command output. If you have a telnet client running at the same time you can make a change in configuration mode, then refresh the browser to see the command added to the configuration. Internet Explorer will automatically scroll to the same lines you were viewing before, so you can see the change easily. You can even use the Google toolbar to highlight or search for terms.

The trick is to go to the URL http://routerIP/level/15/exec/-/show/run/CR. Don't just type http://routerIP because this will probably start up SDM.

Also, don't forget you can bookmark these pages for even easier access. You could add buttons to your links toolbar, or if you have a lot of commands you can show the bookmarks in the sidebar (CTRL-I). Heck, you could even create a simple GUI for the router with a custom web page!

It's best to use Internet Explorer. For some reason, Firefox doesn't maintain the last position of the web page, so when you refresh it pops back up to the top of the configuration.

Using Internet Explorer to show running configuration is probably the easiest way to track changes to the configuration.

Using the CLI

Effectively filter Cisco router command output

August 25, 2005

The following is entirely from TechRepublic: http://techrepublic.com.com/5100-1035-5842782.html

Takeaway

Locating the right piece of information from a Cisco router can often be a challenge. Particularly, the show running-config command can return pages and pages of output. David Davis introduces you to some filtering options you can use to find the information you need more quickly.

Finding the right piece of information that you need from a Cisco router can often be a challenge. For example, if you use the show running-config command on a large production router, you can easily end up with 25 pages of text output.

Locating that one piece of information you're looking for can take a lot of time. Once you find it, you might need to make a change, only to have to rerun the command and go through the whole process again.

However, there are some shortcuts you can take to find this information more quickly. Let's look at some filtering options you can use when maneuvering through long command output on a Cisco router.

Filter output using line numbers

You can use the show running-config linenum command to configure the system to include line numbers at the start of each line in the output. Here's an example:

Current configuration : 59161 bytes

1 : !

2 : ! Last configuration change at 09:25:35 CDT Tue Aug 16 2005 by root

3 : ! NVRAM config last updated at 09:25:36 CDT Tue Aug 16 2005 by root

4 : !

5 : version 12.3

6 : service tcp-keepalives-in

7 : service tcp-keepalives-out

8 : service timestamps debug datetime msec localtime show-timezone

9 : service timestamps log datetime msec localtime show-timezone

10 : service password-encryption

Once you have line numbers to use as reference points, you can then filter the output by starting at a certain line or only returning a specified line. Here's an example of starting the output at a specific line:

Router# show running-config linenum | begin 6 :

6 : service tcp-keepalives-in

7 : service tcp-keepalives-out

8 : service timestamps debug datetime msec localtime show-timezone

9 : service timestamps log datetime msec localtime show-timezone

10 : service password-encryption

Here's an example of requesting only one line returned in the output:

Router# show running-config linenum | include ( 6 : )

6 : service tcp-keepalives-in

Filter output using Include, Exclude, or Begin

You can also use certain commands to help filter your output. For example, you can use the include command to see only lines that include the word service. Here's an example:

Router# show running-config | include service

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

You can use the begin command to start the output at a certain line (such as an interface). Here's an example:

Router# show running-config | begin interface Serial3/0

interface Serial3/0

description MPLS T-1

bandwidth 1544

ip address 10.0.100.2 255.255.255.252

no ip proxy-arp

(truncated)

In addition, you can use the exclude command in the same way if there's something particularly long that you don't need to see in the output.

The best thing about these three commands is that they work with almost any output on the router. For example, let's say I wanted to see all routes that begin with the IP address 10.83.x.x. But it doesn't work if I use this:

Router# show ip route 10.83.0.0

% Subnet not in table

However, if I use something like the following example, I can see all of the routes that begin with 10.83.x.x:

Router# show ip route | include 10.83.

O 10.83.100.8/30 [110/2370] via 10.83.100.2, 05:32:27, Serial1/2:0.83

O 10.83.100.4/30 [110/2115] via 10.20.100.2, 05:32:27, Serial1/2:0.2

C 10.83.100.0/30 is directly connected, Serial1/2:0.83

O 10.83.103.0/24 [110/2195] via 10.83.100.2, 05:32:27, Serial1/2:0.83

Filter output by interface

On the other hand, if you only need to see the output of one specific interface, you can also filter output in that way. Here's an example:

Router# show running-config interface Serial3/0

Building configuration...

Current configuration : 209 bytes

!

interface Serial3/0

description MPLS T-1

bandwidth 1544

ip address 10.0.100.2 255.255.255.252

no ip proxy-arp

no ip mroute-cache

no fair-queue

no cdp enable

end

Start searching your output

Did you know that you can search directly from the show running-config command's output? If you use the show running-config command, you should see a --More-- prompt at the end of each page of output (depending on your page length).

If you enter a forward slash [/] at this prompt, it will replace the prompt with the slash, and you can then type in whatever you want to search for. Press [Enter], and it will say filtering and then begin showing you the results of your search. (This is exactly how the UNIX pg command works.) Here's an example:

/interface Serial3/0

filtering...

interface Serial3/0

description MPLS T-1

bandwidth 1544

ip address 10.0.100.2 255.255.255.252
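The filters in the TechRepublic excerpt above take a regular expression, not a literal string: in "include 10.83." the dot matches any character, so a circuit ID such as 10-83-4421 in an interface description would match too. The script below is an added example placed after the excerpt and is not part of it (nor of IOS). It reproduces begin, include and exclude over captured output, shows the escaping needed for a literal match, adds the linenum prefix, and extracts one interface's section the way show running-config interface does. The sample configuration is constructed for this example.

```python
"""Cisco IOS output filters reproduced in Python.

Added example, placed after the TechRepublic excerpt and not part of it
(nor of IOS). 'begin', 'include' and 'exclude' take a regular expression,
so '10.83.' also matches a circuit ID such as '10-83-4421'. The sample
configuration below is constructed for this example.
"""
import re

SAMPLE_CONFIG = """\
!
interface Serial3/0
 description MPLS T-1 circuit 10-83-4421
 bandwidth 1544
 ip address 10.0.100.2 255.255.255.252
 no ip proxy-arp
!
interface Serial3/1
 description backup to branch
 ip address 10.83.100.1 255.255.255.252
 shutdown
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
"""


def ios_filter(text, mode, pattern):
    """Apply an IOS-style output filter; 'pattern' is a regular expression.

    begin:   everything from the first matching line to the end
    include: only matching lines
    exclude: only non-matching lines
    """
    rx = re.compile(pattern)
    lines = text.splitlines()
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return lines[i:]
        return []
    if mode == "include":
        return [line for line in lines if rx.search(line)]
    if mode == "exclude":
        return [line for line in lines if not rx.search(line)]
    raise ValueError(f"unknown filter mode {mode!r}")


def with_line_numbers(text):
    """Prefix each line with 'N : ' like 'show running-config linenum'."""
    return "\n".join(f"{n} : {line}" for n, line in enumerate(text.splitlines(), 1))


def interface_section(text, name):
    """Return the 'interface <name>' header and its indented sub-commands."""
    section = []
    for line in text.splitlines():
        if section:
            if line.startswith(" "):
                section.append(line)
                continue
            break                      # next top-level line ends the section
        if line == f"interface {name}":
            section.append(line)
    return section


if __name__ == "__main__":
    # The unescaped pattern also catches the circuit ID in the description.
    print("\n".join(ios_filter(SAMPLE_CONFIG, "include", "10.83.")))
    print("--- literal match only")
    print("\n".join(ios_filter(SAMPLE_CONFIG, "include", re.escape("10.83."))))
    print("--- show running-config interface Serial3/1")
    print("\n".join(interface_section(SAMPLE_CONFIG, "Serial3/1")))
```

The same regex semantics apply on the router, so anchoring with ^ (for example "include ^interface") and escaping dots are the two habits that keep filter results trustworthy when you are scanning a large configuration for a specific address.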

Configuring Etherswitch Modules

This section first provides an introduction to Cisco Etherswitch modules. It then covers issues particular to their configuration. In particular, it addresses configuring SVIs and VLANs, configuring switched and routed ports, establishing a SPAN session, and outlines cabling constraints.

Introduction to Cisco Etherswitch Modules

Cisco Etherswitch modules offer the convenience of Layer 2 switching and Layer 3 routing in one package, namely Cisco 2600, 2800, 3700 and 3800 series routers. In essence they can be considered mini-Catalyst switches. For instance, we could use the following Etherswitch/router configurations:

    • NM-16ESW 16 Port Etherswitch Module, installed on 2610XM Router (x4)

    • NMD-36-ESW 36 Port High Density Etherswitch Module, installed on 2851 Router (x4).

SVIs and VLANS

When working with the Etherswitch modules, Switched Virtual Interfaces (SVIs) and Virtual LANs (VLANs) are two concepts you should become familiar with. An SVI is a logical interface representing the ports on the switch that are collectively assigned to a VLAN. The SVI is given an IP address just like any other Cisco interface. For example, by default all ports on an Etherswitch module are assigned to VLAN 1. The interface, also called VLAN 1, is the SVI for that VLAN. If it is assigned an address such as 192.168.0.1/24, then hosts attached to any port with an IP address in that subnet will be able to reach the switch and each other. Typically, the SVI for the VLAN acts as the default gateway for its hosts.

However, in this case an SVI is not strictly necessary. If the hosts only ever talk to one another, that can be accomplished at layer 2.

An SVI is only needed when routing between VLANs is required, or when you wish to allow hosts access to the switch/router.

For example, you could assign half the ports to VLAN 1 and the other half to VLAN 2. If hosts on either VLAN only communicate amongst themselves, then SVIs are not required. If, however, hosts on VLAN 1 need to talk to hosts on VLAN 2, then SVIs are configured for the corresponding subnets. Packets from a host on VLAN 1 are sent to its SVI. The router then routes the packet to the SVI for VLAN 2, and it finally reaches its intended host on VLAN 2.

So, while closely linked, it is important to remember that VLAN configuration, port assignment and SVI creation are independent configuration tasks in the Cisco IOS CLI. To illustrate this, let's walk through the example just mentioned, whereby we assign half of the Etherswitch ports to one VLAN and the other half to another VLAN, and allow the router to route packets between them using SVIs.

First, let's look at creating an additional VLAN and reallocating half of the switch's ports to it. Remember, by default all ports are assigned to VLAN 1. Let's assume we're working with an NM-16ESW module.

Creating a VLAN and Assigning Ports

Step 1

From the Cisco IOS CLI enter: vlan database. This will take you into VLAN configuration mode. It is here that you add, delete and modify VLAN information.

Step 2

Create a new VLAN, VLAN 2. Enter: vlan 2 media ethernet name second_vlan. In this command, media specifies that this VLAN uses Ethernet media, and name gives it a more user-friendly name. Often this is set to the function the VLAN will serve, such as "Finance" in the commercial world.

Step 3

The VLAN is only added once you leave VLAN configuration mode. Enter: exit.

Step 4

Verify that the VLAN has been added. Enter: show vlan-switch brief. This will output the currently enabled VLANs and their port allocations. Now, you should see a VLAN called default with lots of ports listed next to it. Following this will be second_vlan with no ports listed next to it.

Step 5

Once verified, we can assign ports to our new VLAN. This is achieved through standard interface configuration commands. IOS supports specifying a range of switch ports such that all subsequent commands apply to the entire range given. This saves us having to enter the command repeatedly for every interface. We'll leave ports 0 - 7 on VLAN 1 and reassign ports 8 - 15 to VLAN 2, our new VLAN.

From configuration mode: interface range FastEthernet1/8 - 15. This allows us to configure all ports in the range simultaneously.

Then:

switchport mode access

switchport access vlan 2

no shutdown

The preceding commands set all the ports in the range to access mode (switched mode), assign them to VLAN 2 and bring them online.

Step 6

Exit from configuration mode: end. Then issue another: show vlan-switch brief. Now you should see the ports listed against the entry second_vlan.

Now that we have defined our VLANs, we need to create an additional SVI for VLAN 2. By default, an SVI for VLAN 1 exists for administration purposes. Additional SVIs must be created explicitly.

Creating an SVI for a VLAN

Step 1

Enter configuration mode. From there, specify VLAN 2 as the interface to configure: interface vlan2. This will take you to interface configuration mode and create the SVI. Assign it an IP address as usual: ip address X.X.X.X Y.Y.Y.Y, where X.X.X.X is the desired IP and Y.Y.Y.Y is the desired mask.

Step 2

Check that the SVI has been created by enumerating the router interfaces: show ip interface brief. Typically, VLAN SVIs will appear at the end of the list.

Step 3

If you haven't already done so, assign an IP address to VLAN 1 as per Step 1. Then the router will happily route packets between hosts on each VLAN.
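The two procedures above (create the VLAN, assign the port range, create the SVI) are easy to get subtly wrong by hand: a port left in two ranges, or two SVIs in overlapping subnets, and the router cannot route between the VLANs as intended. The following generator is an added example and not part of the original page: it checks a small port plan for those mistakes and then renders the page's commands in the page's order. Module size and port naming follow the NM-16ESW described above; the PLAN structure is this example's own.

```python
"""Render the Etherswitch VLAN, port-assignment and SVI commands from a plan.

Added example, not part of the original page. It validates the plan
(every port on the module and in exactly one VLAN, SVI addresses usable
and non-overlapping) and then emits the commands from the two procedures
above. PLAN is a constructed input matching the page's walk-through.
"""
import ipaddress

PORT_COUNT = 16                    # NM-16ESW: FastEthernet1/0 - 1/15
PORT_PREFIX = "FastEthernet1/"

# Constructed plan: ports 0-7 stay in VLAN 1, ports 8-15 move to VLAN 2,
# and each VLAN gets an SVI. 'svi' is a CIDR address or None for a
# layer-2-only VLAN.
PLAN = {
    1: {"name": "default", "ports": range(0, 8), "svi": "192.168.1.1/24"},
    2: {"name": "second_vlan", "ports": range(8, 16), "svi": "192.168.2.1/24"},
}


def plan_error(plan):
    """Return a description of the first problem in the plan, or None."""
    owner = {}
    networks = []
    for vlan, spec in plan.items():
        for port in spec["ports"]:
            if not 0 <= port < PORT_COUNT:
                return f"port {port} does not exist on a {PORT_COUNT}-port module"
            if port in owner:
                return f"port {port} is in both VLAN {owner[port]} and VLAN {vlan}"
            owner[port] = vlan
        if spec["svi"]:
            iface = ipaddress.ip_interface(spec["svi"])
            net = iface.network
            if iface.ip in (net.network_address, net.broadcast_address):
                return f"VLAN {vlan} SVI {iface} is not a host address"
            for other_vlan, other in networks:
                if net.overlaps(other):
                    return f"VLAN {vlan} and VLAN {other_vlan} SVIs share {net}"
            networks.append((vlan, net))
    return None


def port_ranges(ports):
    """Collapse port numbers into (first, last) runs for 'interface range'."""
    runs = []
    for port in sorted(ports):
        if runs and port == runs[-1][1] + 1:
            runs[-1][1] = port
        else:
            runs.append([port, port])
    return [tuple(run) for run in runs]


def render(plan):
    """Return the IOS command lines for the plan, in the order the page uses."""
    problem = plan_error(plan)
    if problem:
        raise ValueError(problem)
    out = ["vlan database"]
    for vlan, spec in plan.items():
        if vlan != 1:                  # VLAN 1 exists by default
            out.append(f"vlan {vlan} media ethernet name {spec['name']}")
    out += ["exit", "configure terminal"]
    for vlan, spec in plan.items():
        for first, last in port_ranges(spec["ports"]):
            rng = f"{PORT_PREFIX}{first}" if first == last else f"{PORT_PREFIX}{first} - {last}"
            out += [f"interface range {rng}",
                    " switchport mode access",
                    f" switchport access vlan {vlan}",
                    " no shutdown"]
    for vlan, spec in plan.items():
        if spec["svi"]:
            iface = ipaddress.ip_interface(spec["svi"])
            out += [f"interface vlan{vlan}",
                    f" ip address {iface.ip} {iface.network.netmask}"]
    out.append("end")
    return out


if __name__ == "__main__":
    print("\n".join(render(PLAN)))
```

The generated text can be pasted into the CLI or reviewed in a change ticket; the point of the validation step is that an overlapping subnet or a doubly-assigned port is caught before anything is typed on the router.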

Switched and Routed Ports

The previous section illustrated how to assign switch ports to VLANs. These ports do not have any associated IP address information. Indeed, a show running-config will reveal they have no ip address as part of their config.

At times, it is convenient to use the extra ports as additional router interfaces rather than in switch mode, and assign them IP addresses. This way we can use them to connect to other routers and participate in dynamic routing protocols such as OSPF. When an Etherswitch port is assigned an IP address we refer to that port as a routed port.

Converting a Switched Port to a Routed Port

Step 1

Enter interface configuration mode for the port you wish to convert to a routed port. Then enter: no switchport.

Step 2

Assign it an IP address in the normal manner: ip address X.X.X.X Y.Y.Y.Y.

Note!

    • The no switchport command is dependent upon the routing platform. This will work on the 2851 routers, yet not on the 2610XM routers. In the latter case, you can get around this by creating a VLAN and corresponding SVI and assigning a single switch port to it.

    • Although it has an IP address, routing decisions are still performed by platform hardware. Hence more routed ports will result in higher router CPU utilisation.

    • Also, routed ports do not support sub interfaces.

Establishing a SPAN Session

A Switched Port Analyser or SPAN session is a convenient and highly useful monitoring mechanism. It allows us to monitor ingress and egress traffic on multiple switched ports.

Recall that in a switched environment, a host attached to a switch only sees traffic that is destined for it. There is no way it can see traffic destined for other hosts. Yet sometimes we want to check what traffic is being switched on a particular port. This is where SPAN comes in. A SPAN session consists of one or more source interfaces and a single destination interface. We can configure the switch such that incoming, outgoing or both incoming and outgoing traffic for a source interface is copied to the destination interface. If we attach a packet analyser, such as Ethereal, to the destination port, we can see what traffic is being switched on our source interfaces.

Here's how to configure a SPAN session to monitor both incoming and outgoing traffic on two ports on the switch module.

Configuring a SPAN Session

Step 1

Specify the source ports. We can again take advantage of IOS's ability to reference multiple ports. From global configuration mode, enter: monitor session 1 source interface FastEthernet1/33 - 34.

This tells the switch to monitor ports 33 and 34. By default, both incoming and outgoing traffic will be copied to our destination port.

Step 2

Specify the destination port. For convenience, we'll use the first switch port: monitor session 1 destination interface FastEthernet1/0.

Now if we plug a laptop with Ethereal installed to FastEthernet1/0, we can monitor traffic on ports 33 and 34 respectively. Currently this is how we are monitoring traffic to and from the

Cabling Constraints

For switch-to-host connectivity, standard straight-through CAT5 cables are used. However, to inter-connect two Etherswitch modules, cross-over CAT5 cables are required! Cisco Etherswitch modules, which can be thought of as mini-Catalyst switches, unfortunately don't have the Auto-MDI feature of their bigger brothers, which allows you to use either type of cable to inter-connect switches.

Configuring Optimal Edge Routing

Optimal Edge Routing (OER) is a Cisco specific method of controlling routing to multiple redundant WAN interfaces to make the best use of the available bandwidth.

Routing protocols like OSPF select only the best WAN interface, or only do rudimentary load balancing without regard for the utilisation and delay of the links.

Cisco OER works by injecting static routes into the routing table. This overrides the default gateways set, forcing traffic down the most appropriate WAN interface. Cisco OER monitors the traffic to determine whether some traffic should be off-loaded to another WAN interface.

For instance, say traffic is normally routed via FastEthernet 1/0. But FastEthernet 0/1 has more bandwidth. OER will realise this and send the traffic down this path. Here is an example of this occurring:

ed1#debug oer border routes static

*Mar 1 01:39:54.839: OER STATIC: Static route changed, 192.168.2.2 255.255.255.255 flags 8020000 event 1

*Mar 1 01:39:54.839: OER STATIC: Add route: 192.168.2.2/32 0x6444536C

ed1#sh ip route

Gateway of last resort is 220.0.2.2 to network 0.0.0.0

C 220.0.1.0/24 is directly connected, FastEthernet0/1

2.0.0.0/32 is subnetted, 1 subnets

C 2.2.2.2 is directly connected, Loopback0

C 220.0.2.0/24 is directly connected, FastEthernet1/0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

192.168.2.0/32 is subnetted, 1 subnets

S 192.168.2.2 [1/0] via 220.0.1.2

S* 0.0.0.0/0 [1/0] via 220.0.2.2

[1/0] via 220.0.1.2

Note that the 192.168.2.2 route was injected by OER, forcing traffic down FastEthernet 0/1.
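When troubleshooting OER it helps to know exactly which static routes in the table came from the router's own ip route statements and which were injected (the page's show oer border routes static answers this from the OER side; comparing show ip route against the configuration answers it independently, and also reveals any injected route you did not expect). The following script is an added example, not part of the original page: it parses the ed1 routing table above, including the "is subnetted" headers that supply the /32 prefix length and the indented extra next hop of the default route, and lists every static entry that no configured ip route explains. The route table and ip route lines are reconstructed from the page's ed1 output; the parser is this example's own and handles IP next hops only.

```python
"""Find static routes present in the routing table but absent from the config.

Added example, not part of the original page: OER injects /32 static
routes (the 192.168.2.2 entry above) that never appear as 'ip route'
statements, so diffing 'show ip route' against the configured static
routes shows what OER (or anything else) has added. The table and the
'ip route' lines are reconstructed from the page's ed1 output; the parser
is this example's own and handles only IP next hops.
"""
import ipaddress
import re

SHOW_IP_ROUTE = """\
Gateway of last resort is 220.0.2.2 to network 0.0.0.0

C    220.0.1.0/24 is directly connected, FastEthernet0/1
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
C    220.0.2.0/24 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
     192.168.2.0/32 is subnetted, 1 subnets
S       192.168.2.2 [1/0] via 220.0.1.2
S*   0.0.0.0/0 [1/0] via 220.0.2.2
                [1/0] via 220.0.1.2
"""

ED1_STATIC_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 220.0.2.2 10
ip route 0.0.0.0 0.0.0.0 220.0.1.2 5
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROUTE_RE = re.compile(rf"^(?P<code>[A-Z][A-Z*]?)\s+(?P<prefix>{IP})(?:/(?P<len>\d+))?\s+(?P<rest>.*)$")
SUBNETTED_RE = re.compile(rf"^\s+{IP}/(?P<len>\d+) is subnetted")
VIA_RE = re.compile(rf"via (?P<nh>{IP})")
IP_ROUTE_RE = re.compile(rf"^ip route (?P<net>{IP}) (?P<mask>{IP}) (?P<nh>{IP})")


def table_static_routes(text):
    """Return (prefix, next_hop) pairs for every 'S' entry in 'show ip route'.

    A '... is subnetted' header supplies the prefix length for the indented
    entries under it; an indented 'via' line without a route code is an
    additional next hop for the preceding route.
    """
    routes = []
    inherited_len = None
    last = None                       # (code, prefix) of the last route line
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            inherited_len = m.group("len")
            continue
        m = ROUTE_RE.match(line)
        if m:
            plen = m.group("len") or inherited_len
            if m.group("len"):
                inherited_len = None  # explicit length ends the subnetted block
            if plen is None:
                continue
            last = (m.group("code"), f"{m.group('prefix')}/{plen}")
            via = VIA_RE.search(m.group("rest"))
            if last[0].startswith("S") and via:
                routes.append((last[1], via.group("nh")))
            continue
        via = VIA_RE.search(line)
        if via and last and last[0].startswith("S"):
            routes.append((last[1], via.group("nh")))
    return routes


def configured_static_routes(text):
    """Return (prefix, next_hop) pairs from 'ip route' statements."""
    routes = []
    for line in text.splitlines():
        m = IP_ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}")
            routes.append((str(net), m.group("nh")))
    return routes


def unexpected_static_routes(route_table, config):
    """Static routes in the table that no 'ip route' statement explains."""
    expected = set(configured_static_routes(config))
    return [r for r in table_static_routes(route_table) if r not in expected]


if __name__ == "__main__":
    for prefix, nh in unexpected_static_routes(SHOW_IP_ROUTE, ED1_STATIC_CONFIG):
        print(f"injected: {prefix} via {nh}")
```

For the page's ed1 output the only unexplained entry is 192.168.2.2/32 via 220.0.1.2, which matches the debug line above. Running the same comparison periodically from a management host is a cheap way to notice a route-control change that nobody made on purpose.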

Cisco OER can use other metrics such as delay and jitter to determine the best path. Passive monitoring of throughput can be used. It also understands some TCP data to determine the delay of the link. Cisco OER can also use active probing (ICMP/UDP/TCP ping) to determine the state of a link.

Note that Cisco has renamed OER recently to Performance Routing (PfR) for IOS 12.4T versions and added in extra commands for even finer grained controls.

This configuration guide only uses IOS 12.4 commands to configure OER.

Topology

The following image is the topology used in the following OER configuration.

OER was tested using GNS3 to emulate the two routers and two switches shown. OER was implemented on the top router (ed1) while the second router (ed2) used only static routes.

The two clouds represent the two virtual PCs that were used to connect to the two routers. These virtual PCs used IPerf and ping to generate traffic. These are on the "internal side" of the network.

The two WAN links are via 220.0.1.0 and 220.0.2.0. These are on the "external side" of the network.

Configuration of ed1

Both routers were running the c3725-adventerprisek9-mz.124-18.bin image.

!

hostname ed1

!

! Cisco Express Forwarding (CEF) must be enabled for OER to work

ip cef

!

! A key is needed for authentication purposes

key chain key1

key 1

key-string border1

!

! The Master Controller resides on the same router in this example

oer master

! The monitored IP addresses are specified later as an OER map named "OER"

policy-rules OER

max-range-utilization percent 10

! The links are monitored using traceroute every 1001 seconds

traceroute probe-delay 1001

! Check the Border Router every 1 second

keepalive 1

! Define which interfaces that the Master Controller will control

border 2.2.2.2 key-chain key1

interface FastEthernet1/0 external

interface FastEthernet0/1 external

interface FastEthernet0/0 internal

! Define what metrics will be measured for OER

learn

throughput

delay

periodic-interval 0

monitor-period 1

prefixes 200

expire after time 1

! Monitor every IP address separately by specifying a prefix of 32

aggregation-type prefix-length 32

max prefix total 2500

holddown 301

backoff 90 90

! Inject static routes

mode route control

! Choose the best WAN link

mode select-exit best

periodic 180

resolve utilization priority 1 variance 1

resolve loss priority 2 variance 1

resolve range priority 3

resolve delay priority 4 variance 1

!

! Configure the Border Router

oer border

local Loopback0

master 2.2.2.2 key-chain key1

!

!

interface Loopback0

description OER Master Controller and Border

ip address 2.2.2.2 255.255.255.255

!

interface FastEthernet0/0

description To Intranet

ip address 192.168.1.1 255.255.255.0

!

interface FastEthernet0/1

description To WAN #1

! The bandwidth number is used in OER

bandwidth 100

ip address 220.0.1.1 255.255.255.0 10

! The traffic throughput should be monitored every 30 seconds

load-interval 30

!

interface FastEthernet1/0

description To WAN #2

bandwidth 10

ip address 220.0.2.1 255.255.255.0 2

load-interval 30

!

! The default gateways pointing to both WANs

ip route 0.0.0.0 0.0.0.0 220.0.2.2 10

! Without OER, traffic goes down WAN #2 as its metric is lower.

ip route 0.0.0.0 0.0.0.0 220.0.1.2 5

!

! The monitored IP addresses (all!) are now specified

ip prefix-list OER seq 10 permit 0.0.0.0/0

!

oer-map OER 10

match ip address prefix-list OER

! Activate traceroute to check if the WAN link is up

set traceroute reporting policy unreachable

!

Configuration of ed2

ed2 was not configured to do OER. Instead simple static routes were used. Of course, OER must be set up on both ends for OER to work in both directions - but in this example only one direction of traffic was optimised with OER.

!

hostname ed2

!

interface FastEthernet0/0

ip address 192.168.2.1 255.255.255.0

!

interface FastEthernet0/1

ip address 220.0.1.2 255.255.255.0

!

interface FastEthernet1/0

ip address 220.0.2.2 255.255.255.0

!

ip route 192.168.1.0 255.255.255.0 220.0.1.1

ip route 192.168.1.0 255.255.255.0 220.0.2.1

!

Managing OER

The following commands are the most useful for managing OER:

clear oer master * and clear oer master border *

These commands restart the OER processes

clear ip cef epoch full

Sometimes Cisco CEF contains bad entries after reconfiguring the router. This forces a rebuild of the CEF FIB table.

show ip route

This shows the current routing table that is being used.

show oer master prefix

This shows the traffic that is being monitored by OER, and whether the traffic conforms to the policies set.

show oer border routes static

This shows which static routes were injected into the routing table by OER.

terminal monitor

This command enables the display of debug messages on a terminal session.

debug oer border routes static

This displays a debug message whenever a static route is injected.

debug oer master exit

This displays a debug message whenever a change occurs due to a policy.

Problems with OER

    • In IOS 12.4, the show oer commands do not work from the http server interface.

    • Changes made to OER do not occur immediately. Typically the learning process only occurs every 5 minutes. OER observes these IP addresses for a further 3 minutes before it begins to inject routes. Long term averages are refreshed every hour, which are used to calculate delay variation etc. These are the minimum times. Hence OER is not suited for environments where the link data fluctuates.

    • If a WAN link goes down, OER will still route traffic to the WAN interface unless there are active TCP connections (as OER can use TCP to determine reachability) or traceroute reporting is enabled (as per the example above).

    • Because OER manipulates routing tables, it directs traffic according to IP destination address. It cannot direct traffic using DSCP values or markings (although it can use these to make a decision on where to direct the entire IP destination address).

    • OER works with static routes and BGP only. OSPF and other dynamic routing protocols won't work with OER unless there is an underlying static route.

Automatically archiving the configuration at set intervals

Here is an example of the configuration commands used to save the configuration to flash:myconfig (with automatically appended incremental version number), with up to 10 configurations in the archive, every 60 minutes.

archive

path flash:myconfig

maximum 10

time-period 60

Archiving the configuration manually

This command archives the configuration.

archive config

Restoring an archived configuration

Router# show archive

There are currently 1 archive configurations saved.

The next archive file will be named disk0:myconfig-2

 0
 1  disk0:myconfig-1 <- Most Recent
 2
 3
 4
 5
 6
 7
 8
 9
 10

Router# configure replace disk0:myconfig-1

How to recover from remote router lockouts

Method 1: Use Reload functionality

When configuring a router remotely, there is always a danger that you might issue a command that disconnects you. If you don't have physical console access through an out-of-band interface, you'll be locked out.

Fortunately there is a way to make sure that the router restores itself to the previous working config automatically, BUT you need to issue this command first BEFORE making any dangerous changes.

1. Save your known good running config: Router# write memory

2. Issue the following command: Router# reload in 10

3. Make your config changes

4. Test your changes within the 10 minute interval

5. If things are good, cancel the reload: Router# reload cancel

6. If things are bad, just wait 10 minutes and the previously saved configuration will be restored once the router reboots automatically.

Method 2: Performing a Configuration Replace or Configuration Rollback Operation

Perform this task to replace the current running configuration file with a saved Cisco IOS configuration file.

You must create a configuration archive before performing this procedure (see above). The following procedure details how to return to that archived configuration in the event of a problem with the current running configuration.

1. Save your known config: Router# archive config

2. Replace the config with the new config and set 10 minute time limit: Router# configure terminal revert time 10

3. Test your changes within the 10 minute interval

4. If things are good, confirm the new configuration, which cancels the revert timer: Router# configure confirm

5. If things are bad, just wait 10 minutes and the previously saved configuration will be restored without rebooting.

Overwriting the config on a router

    1. On the server, from PuTTY, log into the router.

    2. Save the existing config (just in case):

       copy start flash:2019-10-21_old.cfg

    3. Enable SCP:

       conf t

       ip scp server enable

       exit

    4. On the server, copy the config file to "c:\temp" (create the folder if it doesn't exist).

    5. Rename the config file to "2019-10-21.cfg".

    6. SCP the file over (to a new name, so the backup saved in step 2 is not overwritten):

       "c:\program files (x86)\putty\pscp.exe" -scp c:\temp\2019-10-21.cfg cisco@router:flash:2019-10-21.cfg

    7. From PuTTY, overwrite the startup config:

       copy flash:2019-10-21.cfg startup-config

    8. Reboot the router by power cycling. NOTE: Do not type "reload", as this will save the running-config back to the startup-config and you'll be back to square one.