Академический Документы
Профессиональный Документы
Культура Документы
The proliferation of the Graphical User Interface (GUI) in general purpose operating systems such as
Windows, MacOS or iOS have not eradicated entirely its predecessor, the Command Line Interface
(CLI). This is particularly true when working with network operating systems implemented on switches
and routers, the best example of which would be Juniper Networks Junos and Cisco IOS.
When working with IOS,Cisco professionals and experts use a number of CLI techniques and shortcuts
which allow them to quickly collect information for diagnostic purposes. Assuming that you are familiar
with basic exec modes and context sensitive help of iOS, here is a list of five tips I find very useful while
working with Cisco network equipment.
1. Increase the size of the command history buffer.
2. Use CLI editing features and common shortcuts.
3. Use the do keyword in any context in combination with the show and debug commands in any IOS
context (config, interface, router, etc.)
4. Use pipe | with available arguments to display and/or redirect only required sections of your
configuration and/or show command output.
5. Use TCL script for ping connectivity test if multiple destination IP addresses are involved.
TIP 1 Command History Buffer Size
A router or a switch keeps your last issued commands in the buffer. By default, the system remembers
only the last 10 or 20 commands you type in (the size is contingent on the platform you use). Bear in
mind though, that the buffer will be cleared if you terminate your console/vty session. You can change
the buffer size for the duration of the session with your switch or router. The buffer can accept between
0-256 commands to be stored in order to invoke them later. In order to see what is in the buffer, use the
show history command. In order to verify what the current size of history buffer is, issue the
command: show terminal.
In order to be quick and use the CLI efficiently, an administrator must get familiar with basic navigation
techniques. The chart below lists the most commonly used shortcuts every professional must know:
Table 1 CLI Editing Shortcuts
Key Stroke
Function
CTRL-A
CTRL-E
ESC, B
ESC, F
Delete or Backspace
CTRL-D
CTRL-U or CTRL-X
CTRL-K
CTRL-W
ESC-D
CTRL-Y
Apart from these shortcuts, Cisco allows us to use following while using CLI:
1. Command Abbreviation
2. Command Auto-Completion
Command abbreviation allows an administrator to type in any command using only a few letters instead
of typing the whole keyword. However, the system must be able to uniquely identify the command in the
given context.
Lets see this IOS feature in a practical example. For instance, if I want to display the running
configuration of a router, I normally use the command show running-config, but I can also use the
abbreviated version: show run. The result is the same and I save a lot of time. However, if I type in:
show r, the system is going to display an error: % Ambiguous command: show r. This is due to the
fact that the router/switch has more than one command in the privileged exec mode that starts with
show r. Look at the screenshot below:
The command auto-completion is similar to the one you find on Unix/Linux and also on recent MS
Windows implementations. All you have to do is to type in enough letters to uniquely identify the
command in a given context and use the TAB key on your keyboard. IOS will then display the whole
keyword on your screen.
TIP 3 The do Keyword
Monitoring, maintaining and troubleshooting Cisco devices requires not only working knowledge of the
technologies, but also how to properly verify and interpret the output of show and debug commands
provided by Cisco IOS. Originally these two diagnostic commands, with hundreds of options available,
were executed in two IOS contexts: the user exec mode (prompt shows the > character) and
the privileged exec mode (prompt displays # character).
In IOS 12.1(11b)E version, Cisco added the do keyword allowing users to execute the show and
debug commands in the global configuration mode or in other configuration modes such as interface
(config-if)#, routing protocol (config-router)# etc. The same keyword can be applied when using tools
and utilities such as ping, telnet, ssh and others. All an administrator has to do is to precede the
commands with the do keyword.
Lets see how this works in practice. In my example I would like to display the running-configuration of
the router. In order to do it I must be in the the right context which is the privileged exec mode. Look
what happens when you use this keyword in other mode (here: global configuration mode):
As you can see, the system shows an invalid input at the ^ character. IOS can only recognize the first
two letters sh, for shutdown command. Now, look what happens when I use the do keyword with the
same command:
Daily network maintenance and occasional troubleshooting of Cisco devices often involves collecting a
lot of information from routers and switches. IOStools such as the show commands will, at times,
provide a tremendous amount of information, not all of which is necessarily useful in some situations.
The ability to filter the output in order to focus on the right pieces of information is the mark of a
networking professional.
Imagine that you are managing the BGP routers working for your local ISP. As of writing this article, a
BGP table contains around five hundred thousand entries. If your terminal displays twenty four (default)
or so lines at any given time, how long do you think it will take you to go to the bottom of the output to
find the appropriate prefixes? Also, your configurations may be several screens long. Pressing the
spacebar numerous times to get down to the interesting pieces of information can take some time.
What if you work as technical support engineer and must help your customer bring the network up after
some failure? You must be able to collect enough information by displaying only what is relevant in a
given situation.
Collecting the right information requires that a network engineer can do the following quickly:
1. Use the right show command(s).
2. Filter the output of the show command(s) in order to single out the relevant pieces of information.
As far as the second point is concerned, the show argument commands can be followed by the | (pipe)
character and available keywords. Here is how I can check what pipe options are allowed on my router
(in my example I will use show interface command, where interface is one of numerous arguments that
show can take):
10
Notice!
The pipe character is separated by space on both sides.Also, the words used for filtering are case
sensitive. You must provide them as shown in the unfiltered output.
Example 1: Display OSPF configuration of a router.
Pic. 7 Example 1
Example 2: Display only IP-enabled interfaces of a router.
Pic. 8 Example 2
Example 3: Display all switch interfaces with CRC and duplex keywords .
11
Pic. 9 Example 3
In example 3, notice that I have used additional pipe characters WITHOUT space. They serve as the
logical or statements. Well known regular expressions can also be used to further filter the output
of show commands.
Look at the summary of some commonly used regular expressions:
Table 2 Regular Expressions
Character
Special Meaning
. (dot)
_ (underscore)
[]
()
Example 4: Display all the interfaces with 172.16.215 addresses and 10.0 (compare with Example 2).
12
Pic. 10 Example 4
These are only a few examples illustrating how to use the feature. Other options such as append, tee,
redirect can be used to redirect the output of the commands to some external URL. This could
be ftp: or tftp: which indicates FTP and TFPT servers, respectively. These options may require
additional parameters such as the IP address of the destination server, and in the case of an FTP
server, user name and password will also need to be provided.
Tip 5 TCL Scripting for Ping Connectivity Test
IOS is also equipped with a scripting language called Tcl (Tool Command Language) pronounced as
tickle) created by John Ousterhout. It is a fully fledged scripting language but in this article, I am only
going to present a very simple script which is often used by administrators to check the connectivity
from a router to multiple destinations.
Lets imagine that you are about to introduce a new router into the existing network. After you have
configured basic security, routing protocol, etc., the router learns the entire destination network or
subnet addresses and populates its routing table. However, the number of prefixes in the routing table
is significant and we cannot be sure that all destinations have been learned properly. A good practice is
to create a file with all of the routers IP addresses to use for basic connectivity tests with the ping utility.
The easy way to create this file is to log in to every router in the network and issue the show ip
alias command. Take a look at the example below:
13
14
15
16
I hope you find the tips described useful and that they will contribute to a more efficient utilization of
your time and resources when using Cisco IOS.
TIP 6 Disabling domain lookup
Designers of IOS enabled domain name lookup by default. The command responsible for the name to
IP address resolution is configured in the global configuration mode: ip domain-lookup.
If you are a frequent IOS user, this feature can quickly become very annoying. In order to understand
how it affects your workflow, let me show you a practical example. In the picture below, I have
purposely mistyped the command. Look at the result:
17
return access to your console immediately if you mistype the command in the user or privileged exec
mode.
If you want to restore to factory default, just re-enable it by issuing: ip domain-lookup.
Below is another tip proposed by /u/CaptainIceman :
TIP 7 Preventing syslog messages from interrupting your typing.
Another feature a lot of users find a bit unfortunate is the fact that, by default, IOS sends all the
messages to the console and displays them in the current line of the cursor. System messages, also
known as syslog messages, are not sent to VTY line (your telnet/ssh connections). If you want to see
them on virtual terminal lines, you must issue terminal monitor command in the privileged mode like
shown below:
router#terminal monitor
Notice that the command is not used in the global configuration mode as you may expect. Sending
these unsolicited messages to the line of the cursor more often than not interferes with your typing. Let
me illustrate this below in picture 2. I have left the global configuration by using CTRL-Z (other
options: exit or end). Then, I immediately started typing the command: show run. However, this has
been interspersed with the system message.
18
19
20
you can use completely different aliases than mine below. On the left are the commands, and on the
right my proposed aliases:
showip interface brief | excluded unassigned = sib
showipospf interface brief = soi
show processes cpu sorted 5sec | exclude 0.00% 0.00% 0.00% = top
show archive config differences nvram:startup-configsystem:running-config | section exclude certificate
= dif
You can configure them as shown below (global config mode):
R1(config)#alias exec sib show ip interface brief | exclude unassigned
R1(config)#alias exec soi show ipospfint brief
R1(config)#alias exec top show processes cpu sort 5sec | ex 0.00% 0.00% 0.00%
R1(config)#
You are by no means limited to these commands. You can replace any long command this way. Look
how some of my aliases work now:
21
22
After collecting information, disable the debug. You can use the shortest available alias: u all, which
stands for undebug all.
Let me illustrate the idea in practice. Suppose I want to collect information about an RIP operation on
my router. After checking the utilization of CPU, which is not high (mine was 5% in the last five
minutes), I can do the following to safely obtain information from the debug:
23
24
25
The first file is usually the IOS image. In my output it is the file named:
c2800nm-adventerprisek9.mz.15.1-4.M5.bin
In order to copy IOS to a TFTP server (less recommended), you would need to perform few checks:
1. Ping the server to see if your device can reach it.
2. Ensure that the TFTP service is started.
3. Check if the server has enough disk space to store the image (here, the image is around 67MB in
size)
If all are true, begin the file transfer using the following command in the privileged mode:
copy flash:filename tftp:
The system is going to ask you about the address of your TFTP server (in my example: 10.1.1.100) and
the name of the file you want to store on the server. An example of this is depicted below (Pic. 2).
Pic. 2 Copy IOS onto TFTP server.
All you have to do is to hit ENTER to accept it. The transfer will begin momentarily.
26
However, a much better option is to use FTP server as the destination for IOS file. This requires some
additional configurations. The mandatory steps are as follows (these need to be added in the global
configuration mode):
Configure a username for FTP server authentication (here: username is admin):
ip ftp username admin
Configure a password for FTP server authentication (here the password is S3cr3t):
ip ftp password S3cre3t
Then the copy operation can be done using the command below and answering the questions
presented in Pic. 2.
copy flash:your_IOS_file_name tftp:
Do not forget to create the account on the FTP server that you have used in your IOS configuration.
Also make sure that the username has read/write permissions on the server!
If you wanted to do the opposite, copy a file from a TFTP or an FTP server, guess what would be the
command to use? In case of copying a file from TFTP server to FLASH:
copy tftp:here_file_name flash:
The command syntax is:
copy url:source_file
url:destination_file
The url can be flash:, tftp:, nvram:
ftp: etc. In order to learn the details Google for Cisco IOS file system.
Tip 12 Copy configuration using the terminal software logging capability.
There are situations in which you cannot resolve some network-related problems by yourself. Most
companies provide technical support to address those types of complex issues. This could be a Cisco
partner company that sold the equipment or a Cisco technical assistance center (TAC). Either way,
engineers who help resolve problems will require the running configuration of one or more of our
devices.
One way is to quickly create a copy of the running configuration is to use the show run command in
the privileged mode and copy the displayed output into a text editor.
The problem with this method is that IOS displays only 24 lines (paging) at a time. The
keyword more shows as soon as the terminal line reaches the page line limit. This makes the copy
operation a bit cumbersome. Also, another problem is the difficulty of highlighting the whole
27
configuration without any omissions while pasting it into a text editor. Both problems can be easily
solved!
First, ensure that your terminal software (CRT, TeraTerm, Putty, etc.) has the capability to log into a file
whatever is displayed in the terminal window. Most people use Putty terminal since it is free and reliable
and it does the job. I am going to show you how it is done using this free tool. If you use different
terminal software, please refer to the appropriate documentation.
First you should disable the IOS output paging by using the following command in the privileged mode:
terminal length 0
Pic. 3 Disable Output Paging.
Then, in your terminal software, enable logging to the file. Using Putty I am going to create a file on the
desktop called: R1-running-config.txt. By clicking the left-hand side corner of Puttys window, I access
the option: change settings. From there I choose: Logging under Session. And then I pick the All
session output and in theLog file name I browse to my computers desktop to name the file (here R1config.txt).
Pic. 4 Putty Session Logging.
28
29
30
or just type in the following and provide information about servers address and file location when
prompted:
R1#copy rcp: nvram:startup-config
or simply:
R1#copy rcp: startup-config
Copying configuration to and from FTP server
FTP server will require two extra parameters to work: an account on the server with a password
(read/write permissions are required on all types of servers).
The Cisco IOS mandatory commands will be to define the username and password matching the
account on the FTP server. An example of configuring the username and password for FTP transfer
below (username admin password S3cre3t):
R1(config)#ip ftp username admin
R1(config)#ip ftp password S3cr3t
Copying the file is the same as with TFTP with the exception of the destination url:
R1# copy running-config ftp:
The easy way to download the configuration from the FTP server into nvram could look like this:
R2#copy tftp: startup-config
Tip 14 Flash memory configuration archive.
An extremely useful option that IOS has is the configuration archive. It allows you to create an archive
where you will store up to 10 last configs (you can change this number using the maximum keyword
in the archive config mode), rollback configuration manually or using time specified. All available
parameters are beyond the scope of this short article. But let me show you few basics just to get you
started.
A configuration archive will be stored in the flash memory by default (make sure you have room there).
In order to enable this feature, you must at least create the path in the flash memory where your
configuration archived will be stored. Heres how you do it:
Pic. 5 Archive Basic Configurations
31
Now, the archive folder (my_files) has been created in the flash memory. In order to archive the
configuration file, type in the following command in the privileged mode:
R1#archive config
Heres what has happened:
Pic. 6 Archive Content.
System will keep up to 10 files in the archive (on this router it can go up to 14 files).
The next file archived will be: flash:my_files-<timestamp.>-1.
Lets modify my configuration by adding the description of the interface and creating a new file in the
archive:
R1#conf t
R1#(config)#interface fa0/0
R1#(config-if)#description === LAN CONNECTION ===
R1#(config-if)#end
R1#archive config
Pic. 7 Archive Content Modified
32
Now there are two files in the archive. The left arrow shows the most recent one.
Tip 15 Configuration Replacement.
Most CCNA candidates do not know that there is a nice option which allows replacing the configuration
in the RAM memory (running-configuration) using some external file. Let me demonstrate this, using our
newly created archive file.
Current configuration has the description on the Fa0/0 interface. Our previous version archived with the
name:
Flash:my_filesJun6-12-26.371-0 has no description on this interface.
Pic. 8 Current Configuration of Fa0/0 Interface.
33
Now, lets replace this running-configuration with the one from the archive:
Pic. 9 Configuration replaced.
34
This task makes you scowl because you think you will need to do the same configuration many times (many ports
will need it), but there is a method of implementing this configuration in one single action.! Instead of accessing
each individual port of the switch, you can use range command to access many of them simultaneously and
35
However, in Cisco implementation of this command, there are a few tricky things you must be aware of.
Lets assume that the switch ports that require configuration are: Fas0/1, Fas0/3, Fas0/5, Fas0/7.
Notice that the first three ports are consecutive ports (1, 2, and 3). If this is the case, Cisco IOS will use the
following syntax:
This will result in accessing all three ports at the same time. In the command prompt you will see:
Notice!
There are mandatory spaces between the numbers and the dash -. If you miss a space there, you will only
access one port.
Whatever commands you execute in the interface range will be applied on all the ports you have referred to
(here: 1 through ?). In our example, we also need to include ports Fas0/5 and Fas0/7 in the range but these are not
consecutive ports. You must use a comma as a separator in such situation. Remember to include spaces between
the ports and the comma. Lets configure our unused ports according to the policy now:
36
In order to verify your configuration, type in: show running-config. You will see that all the ports in question have
been configured as expected. Alternatively, you can use the following check:
The first one gives a user access to some basic monitoring commands (show), but does not allow them to see the
running configuration, perform debugging or configure a device.
37
As presented in the above picture, users operating at level 1, cannot do much. All configurations and full
diagnostics are reserved for users with privileged access (level 15), which we can enter using the enable
command.
However, there are other levels available between 1 and 15 that can allow users to access certain types of
commands but not others. In order to use them, an administrator has to configure what is going to be available at
these other access levels.
The best way to see how this might work is to create a fictitious problem and solve it. Our XYZ Industry Inc. is
hiring a junior network administrator. Initially, the person will be able to enable and disable interfaces, but will
not have full access to a device. Our new administrators username is going to be Joe.
The access level for Joe could be anything between 2 and 14. The higher the level, the more the user can do (it
inherits lower level capabilities). Lets tackle the problem using a few steps.
Firstly, let us define username Joe and assign him the password 0nlyJ03 (without quotes) and the level 3 access.
User Jane will have privileged level 15 access with password C1sc0.
R1(config)#username jane privilege 15 secret C1sc0 R1(config)#username joe privilege 3 secret 0nlyJ03
38
WARNING!
You must never forget to add a username with privilege access 15 if you plan on prompting for username and
password.
Next, we should specify what level 3 users can do with the interfaces. Do not forget to give the user access to
configure terminal command which allows them to enter the interface context.
R1(config)#privilege interface all level 3 shutdown R1(config)#privilege interface all level 3 no shutdown
R1(config)#privilege configure level 3 interface R1(config)#privilege exec level 3 configure terminal R1(config)#
The last thing to do is to configure the console and/or line vty lines to prompt for the user:
R1(config)#line console 0 R1(config-line)#login local R1(config-line)# R1(config-line)#line vty 0 4 R1(configline)#login local R1(config-line)#
Its a good idea to check if this configuration works. We can do this by accessing the routers CLI as presented
below:
Clearly, Joe is at the right privilege level but should not be able to display running configuration of the router
since we never gave him that privilege.
39
Notice that Joe can enter global configuration and interface context. He can shut the interface down (you granted
him that), but he cannot assign an IP address on the interface.
40
There are better ways of granting users access to specific tasks such as using role-based CLI access or using AAA
security but this is a topic for another article.
Tip 18 SmartPort Macros
Another excellent mechanism available on Cisco switches is the SmartPort Macros. They are a very convenient
way of saving and sharing configurations. An administrator can create some template configurations for the ports
and apply them on the interfaces. The existing commands will not be removed (they could be overwritten if
duplicated with another parameters), but they will be added instead. Also you should know that Cisco created a
few templates for us in order to facilitate some common deployments (check the link below for details):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/smrtport.html
If the default templates do not meet our needs we can configure our own macros as well. My objective is to create
a macro which does the following on the interfaces:
* Security:
* Port-Security,
* Violation: Restrict,
* Max MAC Addresess: to be provided by the user during the macro execution
41
Now it is time to apply it on an interface (or range of interfaces). I will apply this on interface fas0/4 of my switch.
If I display the running configuration of the interface, I can verify that macro has worked like a charm.
42
Let us see how the old way worked first, and then apply named ACLs to see the difference in the speed of
operation as well as convenience of using the latter solution. Initially, my numbered ACL will block incoming
Telnet traffic, but will allow everything else. I will apply it on Fas0/0 interface.
Here are the ACL statements:
R1(config)#access-list 100 deny tcp any any eq telnet R1(config)#access-list 100 permit ip any any R1(config)#
Now imagine you must add the line which is going to block incoming ICMP echo messages.. You cant just add
this line into the existing ACL since it is going to be added after the last line which permits all other IP traffic.
43
So, how did we modify this ACL in the past? We used some text editor (notepad for instance) and we copied the
existing ACL, then modified the statement to fit our needs. Then we removed the existing ACL (no acccess-list
100) and pasted the modified statements into global configuration mode.
If you still have numbered ACLs configured on your device, it is not a lost cause. I will show you a nice trick on
how to modify the numbered ACL without using notepad. Before that, though, I will show you the benefits of
using named ACLs first.
I am going to create another ACL called FILTER and go through the same process as with ACL 100.
Take a look:
R1(config)#ip access-list extended FILTER R1(config-ext-nacl)#deny tcp any any eq telnet R1(config-extnacl)#permit ip any any R1(config-ext-nacl)#
The reference numbers that are placed next to the statements will allow us to squeeze lines between other lines:
44
Lets modify current statements by adding the deny ICMP echo statement above the last one so that it can take
effect:
R1(config)#ip access-list ext FILTER R1(config-ext-nacl)#15 deny icmp any any echo R1(config-ext-nacl)#
This way we can add statements without removing ACL from a router.
Removing statements is just as easy. If you wanted to remove line 15 you would need to enter the context of ACL
and simply type in:
In case you run out of the available room you can also re-sequence the ACL numbers as shown below:
R1(config)#ip access-list resequence FILTER 10 20 R1(config)#
45
This will change all the statement reference numbers starting at 10 with increments of 20.
Check it out:
Of course, you would need to apply the named ACL in the same way you have done with number one:
interface fas0/0 ip access-group FILTER in
Now let me show you a nice trick with the numbered ACL. As long as your IOS version supports named ACLs,
you can refer to the numbered ones as if they are named.
Extended IP access list 100 10 deny tcp any any eq telnet 20 permit ip any any 30 deny icmp any any echo
The order of statements is incorrect. The last entry should either be at the top or placed as a second line in the
ACL. Heres how easy it is to modify it using name ACL syntax:
R1(config)#ip access-list extended 100 R1(config-ext-nacl)#no 30 R1(config-ext-nacl)#15 deny icmp any any
echo R1(config-ext-nacl)#
46
A better way of doing it is to use the command reload in. Heres an example of how you would use it. You have
created ACL and saved it using wr (remember this is your older copy run start). Then before you use ip accessgroup command to apply it on the interface, you type the following in the privileged mode:
R1#reload in 10
The router is going to ask you to confirm this. If you hit Enter, your router will reload itself in exactly 10
minutes (give yourself as much time as you need). You can check the time left using: show reload command. If,
after you have applied ACL on the interface, you are still connected (you did not cut yourself off after all), you
can cancel that reload by typing in:
47
***
*** SHUTDOWN ABORTED
***
Your router informs you that the shutdown has been aborted.
TIP 21 Automated configuration backup using Command Scheduler utility (Kron).
In my previous article on IOS Speed Tips, I wrote about a method of archiving the configuration using the
archive command. Most network administrators will also need to create a backup configuration of their devices
at certain time intervals. For instance, the company policy may stipulate that configuration of all switches and
routers must be backed up on a TFTP or FTP server weekly and upon any configuration change saved in
NVRAM.
Once you know how to use archive command, you can augment this solution making an extra copy of the
configuration and store it on an external server. In order to illustrate how it can be automated, I am going to use
the following policy on my switch named SW1:
Backup Configuration: weekly (every 10080 minutes) or upon using write memory command
Destination: ftp://192.168.1.4/upload
FTP Server Credentials:
user: ftp,
password: cisco
Since I use FTP server, I will need to provide users name and password to upload my configuration onto it.
Step 1 Configure FTP credentials
SW1>enable
SW1#conf t
SW1(config)#ip ftp username ftp
SW1(config)#ip ftp password cisco
SW1(config)#
Of course, you must make sure that your FTP credentials (user name and password), as well as the permissions to
upload the files are configured properly on the server.
The next thing I am going to do is to configure the archive, but unlike using flash as the destination for our
configurations, this time I am going to specify FTP server as a storage place. This means that every time an
administrator issues write memory command, the running-configuration will be sent out to our FTP server. Also,
we are going to add an extra twist to this, by making sure that the file archive contains the host name and the time
of creation rather than using plain -1, -2, etc. as the names of our respective configurations. In order for this to
work, the time of our device must be properly set using either NTP service or a manually assigned clock set
command.
Step 2 Configure archive for configuration backup
48
SW1(config)# archive
SW1(config-archive)# path ftp://192.168.1.4/upload/$h-$t
SW1(config-archive)# write-memory
SW1(config-archive)# time-period 10080
Notice that in the path I have used in $h-$t parameters. If you think that they are variables that will be substituted
for the actual device host name and the file creation time respectively, you are right. The command writememory instructs the archive utility to be triggered whenever the admin saves configuration in NVRAM (write
memory) and also every week as stipulated by the last option (time-period 10080 minutes = 1 week).
If you are configuring your device while reading this article, at this point you should check if the FTP server is
receiving the file when you issue the write memory command.
In the image above, the time shows as 22:10:42. Then, I have saved the configuration in NVRAM using write
memory command. As per our archive configuration, the file should be stored on our FTP server using the
credentials configured before (user: ftp, password: cisco).
Indeed, the file has been created on the FTP server with the host name SW1, the time stamp and -1 number
identifying it as the first archived configuration.
Now, we need to make sure that a backup copy of our configuration is created on FTP server every week. We will
engage IOS kron utility to accomplish this goal.
In the step below, I want my kron to issue write memory command which, as per our archive configuration in
step 2, will also trigger configuration upload to our FTP server.
Step 3 Configure Kron Policy-List
SW1(config)# kron policy-list CONFIG-BACKUP
SW1(config-kron-policy)# cli write-memory
49
SW1(config-kron-policy)# exit
SW1(config)#
In my example, I am going to start kron every Wednesday at 22:45 (you can use any time of the week here).
SW1(config)# kron occurrence BACKUP at 22:45 wed recurring
SW1(config-kron-occurrence)# policy-list CONFIG-BACKUP
SW1(config-kron-occurrence)# exit
SW1(config)#
Now, all we have to do is wait until kron is triggered (here: in 5 minutes and 34 seconds) as depicted in the last
line of image below.
When the given time has elapsed, we can see that the new configuration file has been sent to our FTP server.
Kron has created another configuration backup on my FTP server (signified with -2 at the end of the file name).
Concluding this whole configuration, I made my kron utility run every Wednesday at 22:45. It will issue write
memory command. This will, in turn, trigger the archive to upload the configuration to my FTP server.
More information on using kron: http://www.cisco.com/en/US/docs/ios-xml/ios/cns/configuration/xe3s/asr1000/cns-cmd-sched.html
Tip 22 Using Syslog facility to store important system messages.
Syslog protocol is a transportation method allowing devices to send messages and alerts to a so-called syslog
server (message collector). Those messages use UDP as the transport protocol and are directed to port 514 by
default. Syslog messages typically use the following format:
Facility category of the message (Cisco will describe a device, protocol or a module generating the
message here and is not compliant with original syslog implementation described in RFC 3164).
50
Severity of the message is very important. System uses eight levels of severity ranked with a single digit number.
The lower the number, the more serious the situation has occurred on a device. Here are the severity numbers and
their brief explanation:
0 Emergency: System is unusable.
1 Alert: Action must be taken immediately.
2 Critical: Critical conditions.
3 Error: Error conditions.
4 Warning: Warning conditions.
5 Notice: Normal but significant condition.
6 Informational: Informational messages.
7 Debug: Debug-level messages.
Syslog message analysis helps administrators find out as to what happened and may also speed up the process of
finding what needs to be done to fix a problem. This is why collecting system messages are so important. The
easiest way to set up a collector is either to use some commercial software or implement free syslog collectors
such as Windows KIWI syslog server or use the one the Linux operating system comes with by default.
In case you want to use Linux, below is an example of how to set up an Ubuntu OS as a Cisco syslog collector.
Step 1 Enable UDP (port 514) message reception
Edit (as the root user) the file /etc/rsyslog.conf and uncomment the two lines as presented below (there are no
leading # which is there by default):
# provides UDP syslog reception
$ModLoadimudp
$UDPServerRun 514
Step 2 Specify the path for Cisco logs
Create the file named cisco.conf under /etc/rsyslog.d/ (full path: /etc/rsyslog.d/cisco.conf). And in the file create
the following content:
#
# Log from Cisco Clients
#
local7.* /var/log/cisco.log
Step 3 Enable log rotation
Create a file /etc/logrotate.d/cisco in which add the following lines:
/var/log/messages
{
rotate 4
51
weekly
missingok
notifempty\
compress
sharedscripts
postrotate
reloadrsyslog>/dev/null 2>&1 || true
endscript
}
rotate 4 = keep 4 files with log history (can be changed)
weekly = rotate weekly (can be changed to daily, monthly etc.)
More detailed explanation of the syslog server configuration is beyond the scope of this article.
Step 4 Restart the service for those changes to take effect (here Linux CLI is used).
$ sudo service rsyslog restart
Now, we need to configure Cisco devices to send all the messages to the syslog server. The configuration of my
Cisco switch could look like the one shown below:
SW1(config)# logging 192.168.1.3
SW1(config)# logging facility local7
SW1(config)# logging source-interface loopback0
SW1(config)# service timestamps log datetime
A brief explanation of the configuration:
logging 192.168.1.3 = send log messages to this address
logging facility local7 = Cisco devices use this facility by default allowing to place messages into the appropriate
file on the server (here: /var/log/cisco.log)
logging source-interface loopback0 = allows signed messages with the stable address (must have loopback0
interface configured with ip address to use it).
Service timestamps log datetime = nicely presented time stamp for each message.
I must mention that, by default, Cisco devices will log severity messages from 6 (informational) down to 0
(emergency). You can change it by using logging trapnumber command. The number will indicate which
severity level to log (level 0 up to the number inclusive). For instance:
SW1(config)# logging trap 5
This will log messages with severity 5, 4, 3, 2, 1, and 0.
52
In the output above, you may notice that my Server time (09:18:24) is off by almost a minute compared to my
switch (09:17:22). It is because it is manually set and I did not use NTP in this example.
Tip 23 Using Remote Monitoring (RMON) alarms
Routers interfaces get congested at times, CPU can be heavily utilized, but the problem is that a network
administrator does not get notified about it by default.
If you know the basics of SNMP protocol and have SNMP server which collects information from devices, it is
relatively easy to make your device speak when certain critical thresholds are reached.
Heres a typical example. There is a router connected to 172.16.12.0/24 (Vlan 12) in my lab network. It gets
congested now and then. I am the admin who wants to receive SNMP trap when that happens. A trap is an
unsolicited SNMP message sent by a device when something of importance happens.
Assuming that I have an SNMP server running in my network (I can easily install free server on Linux box), I
need to find out which Management Information Base (MIB) object ID collects information about packets
arriving on an interface of a router. This is where Google search engine shines. A quick search for cisco mib
interface incoming packets gives me few links. The one below seems informative enough:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_q_and_a_item09186a00800b69ac.shtml
It shows me that MIB object in question is called: ifInUcastPkts. I can use Google search again and look for
Cisco MIB Object Navigator. This tool will verify if the object name is correct.
53
Now, I need to configure the router to send alarm messages. Here s my setup:
As far as the scenario is concerned, let us assume that alarm should be sent to the SNMP server if the number of
packets arriving on routers interface has increased to 200 packets/min.. In such situation, an SNMP message
should be sent informing an operator about the congestion of the interface. In case the number of packets drops to
50 packets/min, another message should be sent letting the admin know that there is no more congestion on the
interface. Heres how you can go about it:
54
55
And now, lets send some traffic (ping with high repeat count) trying to trigger one of those events. While
pinging, I am going to enable debug snmp packet to see the messages being sent by RMON alarm. After about a
minute, the following shows in the debug:
56
I have stopped the traffic (sent 350 packets), and minute later the debug shows another event:
Tip 24 Using Role Based Access Control (RBAC) allowing restricted access to devices.
RBAC is a mechanism used to enhance the authorization model in IOS. It allows us to build user roles, referred to
as VIEWS, with very specific privilege levels. Views can also be grouped in order to create a hierarchical
structure in which one user can inherit the privileges assigned another user.
A simple example is the best way to describe the concept. Lets create three views on the router and give each one
of them a separate privilege level (what they are authorized to do).
View1: Admin1
Device: R1 (router)
Privileges: FastEthernet0/0 IP configuration
Password: cisco123
View2: Admin2
Device: R1 (router)
Privileges: FastEthernet0/0 IP configuration
Password: cisco456
View3: Super
Device: R2 (router)
Privileges: view Admin1 and view Admin2
Password: san-fran-cisco
Heres our configuration to accomplish the goal:
Step 1 Enable aaa new-model
R1#conf t
R1(config)#aaa new-model
R1(config)#exit
R1#
Notice!
For the next task, you must be in the privileged mode and not in the global config mode.
57
58
In order to verify what particular views can do, you must enter config mode using appropriate view name.
View Admin1 only has authority to configure IP on FastEthernet0/0. Accessing another interface mode
(FastEthernet0/1), will show a syntax error.
Tip 25 Using Menus in order to help less experienced administrators accomplish simple goals.
If the administrators responsible for implementing/maintaining are slowly introduced into IOS CLI, you may give
them access to a menu allowing them to issue command without knowing them initially.
Lets create an admin account with full privileges (privilege level 15), but make sure that upon telnet/ssh
connection to a device, the administrator (here we call her/him SYSOP, password is cisco123), will be presented
with the menu rather than regular CLI.
Step 1 Create username SYSOP, password cisco123 with access to the menu called SYSOP_MENU
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username SYSOP autocommand menu SYSOP_MENU
R2(config)#username SYSOP password cisco123
R2(config)#username SYSOP privilege 15
59
R2(config)#
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#
Now, we need to create a menu called SYSOP_MENU (as per previous step).
Step 2 Create Menu for SYSOP user
R2(config)#menu SYSOP_MENU text 1 Display Interfaces
R2(config)#menu SYSOP_MENU command 1 show ip interface brief
R2(config)#menu SYSOP_MENU text 2 Display Running Config
R2(config)#menu SYSOP_MENU command 2 show run
R2(config)#menu SYSOP_MENU text 3 Display Routing Table
R2(config)#menu SYSOP_MENU command 3 show ip route
R2(config)#menu SYSOP_MENU text 4 Exit
R2(config)#menu SYSOP_MENU command 4 exit
R2(config)#menu SYSOP_MENU clear-screen
R2(config)#
It is not difficult to guess what is going to happen when SYSOP logs in to R2 via tty lines. Take a look at the
image below:
Upon successful log onto the device, the operator SYSOP is presented with the menu of choices.
60
Now, R2 is waiting for the users choice. After selecting the number in the menu, the router will display the
appropriate information and will clear the screen. The last option will terminate telnet/ssh session.
61