ios-cli-tips
DESCRIPTION
Cisco IOS CLI TipsTRANSCRIPT
2
Table of Contents TIP 1 – Command History Buffer Size ................................................................................................. 3
TIP 2 – CLI Editing Features and Common Shortcuts ..................................................................... 5
TIP 3 – The ‘do’ Keyword ......................................................................................................................... 7 TIP 4 – Filtering and Redirecting Output with the Pipe Character ‘|’ ....................................... 9
Tip 5 – TCL Scripting for Ping Connectivity Test ........................................................................... 13 TIP 6 – Disabling domain lookup ....................................................................................................... 17
TIP 7 – Preventing syslog messages from interrupting your typing. ............................................. 18
Tip 8 – Faster way of saving your configuration in NVRAM. ..................................................... 19 Tip 9 – Creating command aliases. .................................................................................................... 20
Tip 10 – Using ‘debugs’ the way experts do. .................................................................................. 22 Tip 11 – Copy IOS using TFTP and FTP (recommended) servers. .......................................... 25 Tip 12 – Copy configuration using the terminal software logging capability. .................... 27 Tip 13 – Copy configuration to and from a TFTP/RCP/FTP server. ....................................... 29 Tip 14 – Flash memory configuration archive. ............................................................................. 31 Tip 15 – Configuration Replacement. .............................................................................................. 33 Tip 16 – Cisco Switch Interface “Range” Command ..................................................................... 35 Tip 17 – User Privilege Levels ............................................................................................................ 37 Tip 18 – SmartPort Macros .................................................................................................................. 41 Tip 19 – Named ACLs ............................................................................................................................. 43 Tip 20 – ‘Reload in’ Command ............................................................................................................ 47 TIP 21 – Automated configuration backup using Command Scheduler utility (Kron). .. 48 Tip 22 – Using Syslog facility to store important system messages. ...................................... 50 Tip 23 – Using Remote Monitoring (RMON) alarms .................................................................... 53
Tip 24 – Using Role Based Access Control (RBAC) allowing restricted access to devices. ....................................................................................................................................................................... 57
Tip 25 – Using Menus in order to help less experienced administrators accomplish simple goals. ............................................................................................................................................. 59
3
The proliferation of the Graphical User Interface (GUI) in general purpose operating systems such as
Windows, MacOS or iOS have not eradicated entirely its predecessor, the Command Line Interface
(CLI). This is particularly true when working with network operating systems implemented on switches
and routers, the best example of which would be Juniper Networks’ Junos and Cisco IOS.
When working with IOS,Cisco professionals and experts use a number of CLI techniques and shortcuts
which allow them to quickly collect information for diagnostic purposes. Assuming that you are familiar
with basic exec modes and context sensitive help of iOS, here is a list of five tips I find very useful while
working with Cisco network equipment.
1. Increase the size of the command history buffer.
2. Use CLI editing features and common shortcuts.
3. Use the ‘do’ keyword in any context in combination with the ‘show’ and ‘debug’ commands in any IOS
context (‘config’, ‘interface’, ‘router’, etc.)
4. Use pipe ‘|’ with available arguments to display and/or redirect only required sections of your
configuration and/or ‘show’ command output.
5. Use TCL script for ping connectivity test if multiple destination IP addresses are involved.
TIP 1 – Command History Buffer Size
A router or a switch keeps your last issued commands in the buffer. By default, the system remembers
only the last 10 or 20 commands you type in (the size is contingent on the platform you use). Bear in
mind though, that the buffer will be cleared if you terminate your console/vty session. You can change
the buffer size for the duration of the session with your switch or router. The buffer can accept between
0-256 commands to be stored in order to invoke them later. In order to see what is in the buffer, use the
‘show history’ command. In order to verify what the current size of history buffer is, issue the
command: show terminal.
4
Pic. 1 – Command History Buffer Size (default)
If you want your system to store more than 10 or 20 commands (with a maximum of 256 commands
that could be stored), use the command presented in Pic. 2.
5
Pic. 2 – Command History Buffer Size Configuration
If you store more commands, in some situations it is easier to re-create what you have done with the
device during a particular session. This may come in handy when you have already forgotten what you
have done since some configurations involve a lot of commands to enable or disable certain features.
The caveat with changing the buffer size is that it only works for the duration of your console or vty
session. If you log in to your device again, the buffer size goes back to the default value.
TIP 2 – CLI Editing Features and Common Shortcuts
Cisco IOS uses CLI as the primary user interface for configuring, monitoring and maintaining devices.
Commands are typed one per line and will be executed in RAM memory as long as the following are
both true:
1. It has proper syntax, which means that the spelling and all mandatory arguments are specified by the
administrator.
2. It is accepted by hitting the Enter key.
6
In order to be quick and use the CLI efficiently, an administrator must get familiar with basic navigation
techniques. The chart below lists the most commonly used shortcuts every professional must know:
Table 1 – CLI Editing Shortcuts
Key Stroke Function
Left Arrow or CTRL-B Moves the character one character to the left.
Right Arrow or CTRL-F Moves the character one character to the right.
CTRL-A
Moves the cursor to the beginning of the line (helpful
when you want to remove the statement and need to use
the ‘no’ keyword.
CTRL-E Moves the cursor to the end of the line.
ESC, B Moves the cursor back one word.
ESC, F Moves the cursor forward one word.
Delete or Backspace Deletes the character to the left of the cursor.
CTRL-D Deletes the character at the cursor.
CTRL-U or CTRL-X Deletes all characters from the cursor to the beginning of
the command line.
CTRL-K Deletes all characters from the cursor to the end of the
command line.
CTRL-W Deletes the word to the left of the cursor.
ESC-D Deletes from the cursor to the end of the word.
CTRL-Y Recalls the most recent entry in the buffer.
Apart from these shortcuts, Cisco allows us to use following while using CLI:
1. Command Abbreviation
2. Command Auto-Completion
Command abbreviation allows an administrator to type in any command using only a few letters instead
of typing the whole keyword. However, the system must be able to uniquely identify the command in the
given context.
Let’s see this IOS feature in a practical example. For instance, if I want to display the running
configuration of a router, I normally use the command ‘show running-config’, but I can also use the
abbreviated version: ‘show run‘. The result is the same and I save a lot of time. However, if I type in:
7
‘show r’, the system is going to display an error: % Ambiguous command: “show r”. This is due to the
fact that the router/switch has more than one command in the privileged exec mode that starts with
‘show r’. Look at the screenshot below:
Pic. 3 – Command Abbreviation Error
Here, the system does not know if we mean ‘show radius’, or ‘show region’ or perhaps ‘show resources’,
which all start with ‘show r’. However, if I type in ‘show run’, IOS has only one command in this context
starting with ‘run’.
The command auto-completion is similar to the one you find on Unix/Linux and also on recent MS
Windows implementations. All you have to do is to type in enough letters to uniquely identify the
command in a given context and use the TAB key on your keyboard. IOS will then display the whole
keyword on your screen.
TIP 3 – The ‘do’ Keyword Monitoring, maintaining and troubleshooting Cisco devices requires not only working knowledge of the
technologies, but also how to properly verify and interpret the output of ‘show’ and ‘debug’ commands
provided by Cisco IOS. Originally these two diagnostic commands, with hundreds of options available,
were executed in two IOS contexts: the user exec mode (prompt shows the ‘>’ character) and
the privileged exec mode (prompt displays ‘#’ character).
8
In IOS 12.1(11b)E version, Cisco added the ‘do’ keyword allowing users to execute the ‘show’ and
‘debug’ commands in the global configuration mode or in other configuration modes such as interface
‘(config-if)#’, routing protocol ‘(config-router)#’ etc. The same keyword can be applied when using tools
and utilities such as ping, telnet, ssh and others. All an administrator has to do is to precede the
commands with the do keyword.
Let’s see how this works in practice. In my example I would like to display the running-configuration of
the router. In order to do it I must be in the the right context which is the ‘privileged exec mode‘. Look
what happens when you use this keyword in other mode (here: global configuration mode):
Pic. 4 – Example of ‘show’ command without the ‘do’ keyword
As you can see, the system shows an invalid input at the ‘^‘ character. IOS can only recognize the first
two letters ‘sh’, for ‘shutdown’ command. Now, look what happens when I use the ‘do’ keyword with the
same command:
9
Pic. 5 – The ‘’do’ command
This time, the system obliges and displays the running configuration as requested.
What is wrong with going back to privileged mode to check the results of our configurations?
Applying configurations using CLI will typically require numerous steps to be carried out. It is essential
to check your configuration every step of the way rather than implement the whole solution and then
realize that things are not working as expected. After typing in thirty or more commands, it will be much
harder to find out what we have missed or misconfigured in the process. If we use the appropriate
‘show’ commands more often and without moving back to privileged mode, we can isolate a potential
problem much faster, and as a result of that, decrease downtime and save money for our company.
TIP 4 – Filtering and Redirecting Output with the Pipe Character ‘|’
10
Daily network maintenance and occasional troubleshooting of Cisco devices often involves collecting a
lot of information from routers and switches. IOStools such as the ‘show’ commands will, at times,
provide a tremendous amount of information, not all of which is necessarily useful in some situations.
The ability to filter the output in order to focus on the right pieces of information is the mark of a
networking professional.
Imagine that you are managing the BGP routers working for your local ISP. As of writing this article, a
BGP table contains around five hundred thousand entries. If your terminal displays twenty four (default)
or so lines at any given time, how long do you think it will take you to go to the bottom of the output to
find the appropriate prefixes? Also, your configurations may be several screens long. Pressing the
spacebar numerous times to get down to the interesting pieces of information can take some time.
What if you work as technical support engineer and must help your customer bring the network up after
some failure? You must be able to collect enough information by displaying only what is relevant in a
given situation.
Collecting the right information requires that a network engineer can do the following quickly:
1. Use the right ‘show’ command(s).
2. Filter the output of the show command(s) in order to single out the relevant pieces of information.
As far as the second point is concerned, the ‘show argument’ commands can be followed by the ‘|’ (pipe)
character and available keywords. Here is how I can check what pipe options are allowed on my router
(in my example I will use ‘show interface’ command, where interface is one of numerous arguments that
show can take):
Pic. 6 – Router Redirection Options
Let’s look at some practical examples of using some of the options listed.
11
Notice!
The pipe character is separated by space on both sides.Also, the words used for filtering are case
sensitive. You must provide them as shown in the unfiltered output.
Example 1: Display OSPF configuration of a router.
Pic. 7 – Example 1
Example 2: Display only IP-enabled interfaces of a router.
Pic. 8 – Example 2
Example 3: Display all switch interfaces with ‘CRC’ and ‘duplex’ keywords .
12
Pic. 9 – Example 3
In example 3, notice that I have used additional pipe characters WITHOUT space. They serve as the
logical ‘or’ statements. Well known regular expressions can also be used to further filter the output
of show commands.
Look at the summary of some commonly used regular expressions:
Table 2 – Regular Expressions
Character Special Meaning
. (dot) Matches any single character, including white space.
* Matches 0 or more sequences of the pattern.
+ Matches 1or more sequence of the pattern.
? Matches 0 or 1 occurrence of the pattern.
^ Matches the beginning of the string.
$ Matches the end of the string
_ (underscore)
Matches a comma (,), left brace ({), right brace (}), left parenthesis ( (
), right parenthesis ( ) ), the beginning of the string, the end of the
string, or a space.
[] Matches any single character in the brackets.
() Matches the multi-character expression in the parenthesis.
Example 4: Display all the interfaces with 172.16.215 addresses and 10.0 (compare with Example 2).
13
Pic. 10 – Example 4
These are only a few examples illustrating how to use the feature. Other options such as ‘append’, ‘tee’,
‘redirect’ can be used to redirect the output of the commands to some external URL. This could
be ftp: or tftp: which indicates FTP and TFPT servers, respectively. These options may require
additional parameters such as the IP address of the destination server, and in the case of an FTP
server, user name and password will also need to be provided.
Tip 5 – TCL Scripting for Ping Connectivity Test
IOS is also equipped with a scripting language called Tcl (Tool Command Language) pronounced as
tickle) created by John Ousterhout. It is a fully fledged scripting language but in this article, I am only
going to present a very simple script which is often used by administrators to check the connectivity
from a router to multiple destinations.
Let’s imagine that you are about to introduce a new router into the existing network. After you have
configured basic security, routing protocol, etc., the router learns the entire destination network or
subnet addresses and populates its routing table. However, the number of prefixes in the routing table
is significant and we cannot be sure that all destinations have been learned properly. A good practice is
to create a file with all of the router’s IP addresses to use for basic connectivity tests with the ping utility.
The easy way to create this file is to log in to every router in the network and issue the ‘show ip
alias’ command. Take a look at the example below:
14
Pic. 11 – The ‘show ip alias’ command
If your terminal software supports marking of columns (mine uses the CTRL key to accomplish that),
you can highlight the addresses as shown in the picture above (pic. 11) and copy these to a text file.
Repeat the same process on all routers in your network to save all the addresses. Then, use Tcl to ping
multiple IP addresses in one shot in order to test if the router can reach them all. Your test could look
like the one presented below (in my example, only a few addresses are added to the script).
Tcl – Ping Test Script
foreach address {
10.0.1.1
172.16.12.1
172.16.111.1
172.16.123.1
172.16.215.1
192.0.2.1
} { ping $address}
In order to apply the script and test connectivity, you must first enter the Tcl shell on your router. The
command that allows it is: tclsh. You must enter this command in the privileged exec mode. Pay
attention to the prompt change!
15
Pic. 12 – Enter Tcl Shell
Once you have entered the Tcl shell, all you have to do is to paste it in the script and hit Enter. If the
destination addresses are reachable, you will see the success output (exclamation marks) on your
screen. In case of failure, dots are displayed.
Take a look at the example below. Once the test has finished, it is imperative that you leave the Tcl
shell by typing in: R1(tcl)#tclquit.
16
Pic. 13. – Ping Test Results
17
I hope you find the tips described useful and that they will contribute to a more efficient utilization of
your time and resources when using Cisco IOS.
TIP 6 – Disabling domain lookup
Designers of IOS enabled domain name lookup by default. The command responsible for the name to
IP address resolution is configured in the global configuration mode: ‘ip domain-lookup‘.
If you are a frequent IOS user, this feature can quickly become very annoying. In order to understand
how it affects your workflow, let me show you a practical example. In the picture below, I have
purposely mistyped the command. Look at the result:
Pic.1 – Domain-lookup (default).
Notice what happened. Mistyped commands are an invitation to open telnet sessions using the name
you have provided that was not an actual command (simple typo). In order to do so, IP address must be
learned via ip domain-lookupwhich means finding the DNS server and asking it about the address that
represents your mistyped command. This happens if your switch or router has at least one IP address
configured and the interface is active. It only works this way in the user exec mode (prompt: ‘>’)
or privileged exec mode (prompt: ‘#’).
In my example, the router did not have the name-server’s address configured. Therefore, it tried to find
any DNS server and resolved ‘showrun’ on the IP address using broadcast. After a few unsuccessful
attempts it finally gave up and told me that the command was unknown and it could not resolve it to IP
address. Here’s the worst part: this froze my console for more than 40 seconds!
If you are under time pressure (i. e. your boss is breathing at your neck) and you are in the middle of
doing some troubleshooting in order to bring the network up, losing console/telnet or SSH access for
more than five seconds seems like eternity, never mind forty or more seconds.
A quick solution to this problem, at least temporarily, is to disable this domain lookup. After you have
finished diagnostics, you can always turn it back on. In order to disable it, type the following command
in the global configuration mode: no ip domain-lookup. With this command in place, IOS is going to
18
return access to your console immediately if you mistype the command in the user or privileged exec
mode.
If you want to restore to factory default, just re-enable it by issuing: ip domain-lookup.
Below is another tip proposed by /u/CaptainIceman :
TIP 7 – Preventing syslog messages from interrupting your typing.
Another feature a lot of users find a bit unfortunate is the fact that, by default, IOS sends all the
messages to the console and displays them in the current line of the cursor. System messages, also
known as ‘syslog’ messages, are not sent to VTY line (your telnet/ssh connections). If you want to see
them on virtual terminal lines, you must issue terminal monitor command in the privileged mode like
shown below:
router#terminal monitor
Notice that the command is not used in the global configuration mode as you may expect. Sending
these unsolicited messages to the line of the cursor more often than not interferes with your typing. Let
me illustrate this below in picture 2. I have left the global configuration by using CTRL-Z (other
options: exit or end). Then, I immediately started typing the command: show run. However, this has
been interspersed with the system message.
Pic. 2 – Logging Synchronous disabled.
In such situations, you can repeat what you have already typed by pressing CTRL-R(press CTRL and
still holding it, press the letter ‘r’). Alternatively, you can press TAB to have the system auto-complete
the command.
There is a better solution still. You can instruct IOS to keep its unsolicited messages separate from the
line where the cursor is currently located. This command works on both IOS enabled switches and
routers. In the picture below you will find the configuration on the console and VTY lines.
19
Pic. 3– Logging Synchronous.
The second iteration of the command (on VTY 0 4 lines) in the above picture is only needed when you
are remotely accessing your device through telnet or SSH and want to see the messages sent to the
console by default (terminal monitor).
Another tip comes from /u/Detective_Colephelps :
Tip 8 – Faster way of saving your configuration in NVRAM.
IOS command designers have changed the syntax of certain commands. One such command was
introduced in IOS to save the running configuration kept in RAM memory into Non-Volatile RAM
(NVRAM). This configuration is activated after the device is rebooted and is referred to as ‘startup-
config’.
The command that saves the currently executed configuration into NVRAM looks like this:
router#copy running-config startup-config
There is another way of accomplishing the same goal:
router#copysystem:running-confignvram:startup-config
I rarely use the latter option though. A much faster way of doing it is simply typing this:
router#wr
The ‘wr‘ shortcut is an abbreviation of the older command that predates the famous ‘copy run start‘.
Originally, we used the ‘write memory‘ command to achieve the same result. The simplest form of using
this command is just ‘wr’. Notice that if you use it, IOS does not ask you if you want to name the file in
NVRAM (the name must be ‘startup-config’). It names it startup-config by default.
/u/Justinsaccount proposed another useful IOS feature:
20
Tip 9 – Creating command aliases.
This is one of my favorite features in IOS. Creating your own short names for some particularly long
commands can be a huge time saver. Consider the following commands that most use very often:
router(config)# do show ip interface brief
or
router(config)#do show ipospf interface brief
Depending what IOS features you have enabled on your switch or router, you may deal with plenty of
such commands. Consider two more examples which almost all network admins use very often:
router#show processes cpu sorted 5sec | exclude 0.00% 0.00% 0.00%
router#show archive config differences nvram:startup-configsystem:running-config | section exclude
certificate
The first one shows all the processes affecting the CPU, which is similar to the ‘top’ command used on
Unix/Linux platforms. The second compares configurations between RAM and NVRAM. If there are
discrepancies between them, for example, if the admin did not save them, they will be reported.
Instead of typing all these keywords which is a time consuming and error-prone task, you can replace
them with your own short aliases. First, I recommend that you check what aliases IOS uses by default
so you do not change them accidentally:
Pic. 4 – IOS Default Command Aliases.
Now that we know which keywords to avoid (left hand side column), we can create our own. For
instance, I would like to have the following aliases for the commands we have already used; of course,
21
you can use completely different aliases than mine below. On the left are the commands, and on the
right my proposed aliases:
showip interface brief | excluded unassigned = sib
showipospf interface brief = soi
show processes cpu sorted 5sec | exclude 0.00% 0.00% 0.00% = top
show archive config differences nvram:startup-configsystem:running-config | section exclude certificate
= dif
You can configure them as shown below (global config mode):
R1(config)#alias exec sib show ip interface brief | exclude unassigned
R1(config)#alias exec soi show ipospfint brief
R1(config)#alias exec top show processes cpu sort 5sec | ex 0.00% 0.00% 0.00%
R1(config)#
You are by no means limited to these commands. You can replace any long command this way. Look
how some of my aliases work now:
Pic. 5 – Alias: Top.
22
Pic. 6 – Alias: Sib.
If you are excited by this feature, try not to overdo it by creating too many aliases. They could become
hard to remember and may start to defeat their purpose.
And the last one in this article is from yours truly:
Tip 10 – Using ‘debugs’ the way experts do.
There are two major diagnostic commands: show and debug. The former is safe to use in any situation,
except for ‘show tech-support‘ which should be used after office hours. The latter can require extra
power from the CPU. In other words, debug commands can be quite dangerous on production devices.
However, some of them can be extremely useful, especially when your network or a part of it is down
and you must bring it back up as soon as possible.
In order to use debugs in these rare situations, it is imperative that you learn these commands in the lab
first. You must see what kind of output they produce and how to interpret it. Also, you must pay
attention to how much information they send to the console. Some of them can be really lengthy. If you
decide to use them, you should follow the method used by the majority of Cisco experts and
professionals.
The general recommendation is that a debug command should not be logged to the console. The
console is a high priority IOS process and sending a large output to it can impair the operation of the
device. In addition to this, the output can amount to hundreds of lines sent every second and disabling
debug may require an extra telnet or SSH session. Remember: the messages are not sent to VTY lines
by default.
Here’s the list of steps before debug should be used:
– Check the utilization of CPU. If highly utilized, do not use debug commands.
– Disable logging to the console. Log the debug messages to the RAM memory (buffer).
23
– After collecting information, disable the debug. You can use the shortest available alias: u all, which
stands for undebug all.
Let me illustrate the idea in practice. Suppose I want to collect information about an RIP operation on
my router. After checking the utilization of CPU, which is not high (mine was 5% in the last five
minutes), I can do the following to safely obtain information from the debug:
Pic. 7 – Disabling Logging to the Console.
Pic. 8 – Logging to the Buffer.
Pic. 9 – Enable Debug/Collect Info/Disable Debug.
24
Pic. 10 – Display the debug.
While logging debug messages to the buffer, make sure you let it run for some time. Some technologies
will log information immediately and running it for just few seconds will do. Others may require a bit
more time to collect the required information. For instance, RIP protocol sends and receives updates
every 30 seconds. Once you think enough information has been logged, disable the debug and bring
the previous configuration.
R1(config)# no logging buffered
The above command is going to flush the information stored previously.
R1(config)# logging console
This will resume logging messages to the console 0 port as per default.
25
Tip 11 – Copy IOS using TFTP and FTP (recommended) servers.
If you want to back up your IOS, Cisco training often mentions trivial file transfer protocol (TFTP) as the
backup server. However, this server is only suitable for small file transfers, such as configurations or
small IOS files. It is not the best solution to create a copy of larger files. In recent years, Cisco has
made large improvements in their IOS and, as a result of that, the size of the file is as small as it was 10
years ago. In order to create a backup copy of these, I would recommend is using a more reliable
server, such as an FTP one. There are three major reasons for doing so:
1. A TFTP server uses UDP as the transport protocol. It is an unreliable and connectionless protocol.
FTP uses TCP protocol, which is reliable (it can retransmit what is not properly delivered and it
establishes the communication with the server before it starts transmitting data).
2. A TFTP server does not use any credential for the access (such as username and password). All the
user needs to know is the exact address of the server, the path to a file, and its name to be able to
access the file. FTP provides the authentication phase before a file can be accessed.
3. TFTP servers are not the most reliable ones. I have tried numerous solutions and many of them
tended to crash unexpectedly in the middle of the transmissions. The ones that I have found relatively
stable and free are Linux-based, with the exception of the Solarwinds TFTP server, written for MS
Windows.
Let’s see how you can make a backup of our IOS file using both solutions.
First, let’s try to copy IOS onto a TFTP server with the address of 10.1.1.100. In order to do that, you
first need to know the name of the IOS file in the flash. In the privilege mode you use “show
flash“ command in order to learn the name of IOS file (it is case sensitive). Take a look at the example
presented in the picture below:
Pic. 1 – Content of Flash Memory.
26
The first file is usually the IOS image. In my output it is the file named:
c2800nm-adventerprisek9.mz.15.1-4.M5.bin
In order to copy IOS to a TFTP server (less recommended), you would need to perform few checks:
1. Ping the server to see if your device can reach it.
2. Ensure that the TFTP service is started.
3. Check if the server has enough disk space to store the image (here, the image is around 67MB in
size)
If all are true, begin the file transfer using the following command in the privileged mode:
copy flash:filename tftp:
The system is going to ask you about the address of your TFTP server (in my example: 10.1.1.100) and
the name of the file you want to store on the server. An example of this is depicted below (Pic. 2).
Pic. 2 – Copy IOS onto TFTP server.
All you have to do is to hit ENTER to accept it. The transfer will begin momentarily.
27
However, a much better option is to use FTP server as the destination for IOS file. This requires some
additional configurations. The mandatory steps are as follows (these need to be added in the global
configuration mode):
Configure a username for FTP server authentication (here: username is “admin“):
ip ftp username admin
Configure a password for FTP server authentication (here the password is “S3cr3t“):
ip ftp password S3cre3t
Then the copy operation can be done using the command below and answering the questions
presented in Pic. 2.
copy flash:your_IOS_file_name tftp:
Do not forget to create the account on the FTP server that you have used in your IOS configuration.
Also make sure that the username has read/write permissions on the server!
If you wanted to do the opposite, copy a file from a TFTP or an FTP server, guess what would be the
command to use? In case of copying a file from TFTP server to FLASH:
copy tftp:here_file_name flash:
The command syntax is:
copy url:source_file
url:destination_file
The “url“ can be flash:, tftp:, nvram:
ftp: etc. In order to learn the details Google for “Cisco IOS file system.“
Tip 12 – Copy configuration using the terminal software logging capability.
There are situations in which you cannot resolve some network-related problems by yourself. Most
companies provide technical support to address those types of complex issues. This could be a Cisco
partner company that sold the equipment or a Cisco technical assistance center (TAC). Either way,
engineers who help resolve problems will require the running configuration of one or more of our
devices.
One way is to quickly create a copy of the running configuration is to use the “show run“ command in
the privileged mode and copy the displayed output into a text editor.
The problem with this method is that IOS displays only 24 lines (paging) at a time. The
keyword “more“ shows as soon as the terminal line reaches the page line limit. This makes the copy
operation a bit cumbersome. Also, another problem is the difficulty of highlighting the whole
28
configuration without any omissions while pasting it into a text editor. Both problems can be easily
solved!
First, ensure that your terminal software (CRT, TeraTerm, Putty, etc.) has the capability to log into a file
whatever is displayed in the terminal window. Most people use Putty terminal since it is free and reliable
and it does the job. I am going to show you how it is done using this free tool. If you use different
terminal software, please refer to the appropriate documentation.
First you should disable the IOS output paging by using the following command in the privileged mode:
terminal length 0
Pic. 3 – Disable Output Paging.
Then, in your terminal software, enable logging to the file. Using Putty I am going to create a file on the
desktop called: R1-running-config.txt. By clicking the left-hand side corner of Putty’s window, I access
the option: “change settings.“ From there I choose: “Logging“ under “Session.“ And then I pick the “All
session output“ and in the“Log file name“ I browse to my computer’s desktop to name the file (here R1-
config.txt).
Pic. 4 – Putty Session Logging.
29
All that remains to be done is for you to issue:
show running-configuration
and the content will be copied to the file you have chosen.
Ones you have finished logging, you should disable this feature in your terminal software (“Session
logging: none“) and bring the paging back in IOS by typing:
terminal no length
It will restore the previous 24-line paging. Alternatively, you can disconnect from the terminal.
Tip 13 – Copy configuration to and from a TFTP/RCP/FTP server.
If you read tip 11, there will be no surprises as to what the commands below really do. Assuming that
we have those three server running (for instance, the address will be 10.1.1.100) and they are
reachable, let’s configure each option.
30
Copying configuration to and from TFTP server.
This option is the easiest to accomplish. You can send either the running-configuration or startup-
configuration (copy running-config, or copy startup-config respectively). The command syntax is
copy url:src_file
url:dst_file.
R1#copy running-config tftp:
The above statement will copy the running configuration (“running-config“ is an alias and not real url) of
the device onto the TFTP server. Do not forget to answer the system’s questions (host name or IP
address and the name of the file you want to store on the server) when prompted for those.
If you want to copy the configuration from the TFTP server to a running-config, you would use the
following command (here: run is abbreviation of running-config):
R1#copy tftp: run
You can also use the following command. Try to guess what it will do:
R1#copy tftp://10.1.1.100/my-files/r1-config1.txt system:startup-config
If you think it is going to copy the r1-config1.txt file into running-config, you are right. The TFTP server’s
IP address here is 10.1.1.100 and the folder where the ‘r1-config1.txt’ file is stored is in the
“my-files“ folder of the main TFTP server folder.
There is one thing you need to be aware of, though. If you copy running-configuration onto some
external device (tftp, ftp, rcp, nvram etc.), the exact copy of your configuration will be stored there. The
converse is NOT true, though. Copying the configuration from the external device into RAM memory
(system:) will merge the current, running-configuration with the file being downloaded. There is a way
around that which I am going to show you in tip 15.
Copying configuration to and from RCP server
Remote copy protocol (RCP) is an old Unix/Linux admin alternative to TFTP. In order to enable RCP
support, you must define the user’s name that is used on the RCP server to authenticate incoming file
transfer:
R1(config)#ip rcmd remote-username admin
where “admin“ is the account name used on the RCP server. As for the command to copy your
configuration to RCP server, it is the following statement:
R1#copy run rcp:
If you want to copy the configuration from the RCP server (10.1.1.100/my-files/r1-config1.txt) into the
startup-config (nvram:), here are two alternatives:
R1#copy rcp://[email protected]/my-files/r1-config.txt nvram:startup-config
31
or just type in the following and provide information about server’s address and file location when
prompted:
R1#copy rcp: nvram:startup-config
or simply:
R1#copy rcp: startup-config
Copying configuration to and from FTP server
FTP server will require two extra parameters to work: an account on the server with a password
(read/write permissions are required on all types of servers).
The Cisco IOS mandatory commands will be to define the username and password matching the
account on the FTP server. An example of configuring the username and password for FTP transfer
below (username “admin“ password “S3cre3t“):
R1(config)#ip ftp username admin
R1(config)#ip ftp password S3cr3t
Copying the file is the same as with TFTP with the exception of the destination url:
R1# copy running-config ftp:
The easy way to download the configuration from the FTP server into nvram could look like this:
R2#copy tftp: startup-config
Tip 14 – Flash memory configuration archive.
An extremely useful option that IOS has is the configuration archive. It allows you to create an archive
where you will store up to 10 last configs (you can change this number using the “maximum“ keyword
in the archive config mode), rollback configuration manually or using time specified. All available
parameters are beyond the scope of this short article. But let me show you few basics just to get you
started.
A configuration archive will be stored in the flash memory by default (make sure you have room there).
In order to enable this feature, you must at least create the path in the flash memory where your
configuration archived will be stored. Here’s how you do it:
Pic. 5 – Archive Basic Configurations
32
Now, the archive folder (my_files) has been created in the flash memory. In order to archive the
configuration file, type in the following command in the privileged mode:
R1#archive config
Here’s what has happened:
Pic. 6 – Archive Content.
System will keep up to 10 files in the archive (on this router it can go up to 14 files).
The next file archived will be: flash:my_files-<timestamp.>-1.
Let’s modify my configuration by adding the description of the interface and creating a new file in the
archive:
R1#conf t
R1#(config)#interface fa0/0
R1#(config-if)#description === LAN CONNECTION ===
R1#(config-if)#end
R1#archive config
Pic. 7 – Archive Content Modified
33
Now there are two files in the archive. The left arrow shows the most recent one.
Tip 15 – Configuration Replacement.
Most CCNA candidates do not know that there is a nice option which allows replacing the configuration
in the RAM memory (running-configuration) using some external file. Let me demonstrate this, using our
newly created archive file.
Current configuration has the description on the Fa0/0 interface. Our previous version archived with the
name:
Flash:my_filesJun—6-12-26.371-0 has no description on this interface.
Pic. 8 – Current Configuration of Fa0/0 Interface.
34
Now, let’s replace this running-configuration with the one from the archive:
Pic. 9 – Configuration replaced.
35
Tip 16 – Cisco Switch Interface “Range” Command
One day your boss may ask you to introduce a new switch to the existing infrastructure. You do so and make sure
this new device does not become a new ‘root bridge’ in your spanning-tree domain. You also sure that VTP
protocol is not going to push wrong information about the existing VLANs and create mayhem in your network.
After taking care of everything that your company’s policy stipulates, you read the last step in the procedure that
you forgot was there:
XYZ Industry Inc.: Unused Switch Port Configuration.
• * Port VLAN ID: 999
• * Port Administrative Mode: Access
• * Port Description: UNUSED
• * Port Status: Shutdown
This task makes you scowl because you think you will need to do the same configuration many times (many ports
will need it), but there is a method of implementing this configuration in one single action.! Instead of accessing
each individual port of the switch, you can use ‘range’ command to access many of them simultaneously and
36
apply required configuration on all of them only once.
However, in Cisco implementation of this command, there are a few tricky things you must be aware of.
Let’s assume that the switch ports that require configuration are: Fas0/1, Fas0/3, Fas0/5, Fas0/7.
Notice that the first three ports are consecutive ports (1, 2, and 3). If this is the case, Cisco IOS will use the
following syntax:
interface range fas0/1 – 3.
This will result in accessing all three ports at the same time. In the command prompt you will see:
Notice!
There are mandatory ‘spaces’ between the numbers and the dash “-“. If you miss a space there, you will only
access one port.
Whatever commands you execute in the ‘interface range’ will be applied on all the ports you have referred to
(here: 1 through ?). In our example, we also need to include ports Fas0/5 and Fas0/7 in the range but these are not
consecutive ports. You must use a comma as a separator in such situation. Remember to include spaces between
the ports and the comma. Let’s configure our unused ports according to the policy now:
37
In order to verify your configuration, type in: show running-config. You will see that all the ports in question have
been configured as expected. Alternatively, you can use the following check:
Tip 17 – User Privilege Levels
CCNAs are most often taught about two major CLI modes:
1. User Exec Mode also known as level 1 (prompt: ‘>’)
2. Privileged Exec Mode also known as level 15 (prompt: ‘#’)
The first one gives a user access to some basic monitoring commands (show), but does not allow them to see the
running configuration, perform debugging or configure a device.
38
As presented in the above picture, users operating at level 1, cannot do much. All configurations and full
diagnostics are reserved for users with privileged access (level 15), which we can enter using the ‘enable’
command.
However, there are other levels available between 1 and 15 that can allow users to access certain types of
commands but not others. In order to use them, an administrator has to configure what is going to be available at
these other access levels.
The best way to see how this might work is to create a fictitious problem and solve it. Our XYZ Industry Inc. is
hiring a junior network administrator. Initially, the person will be able to enable and disable interfaces, but will
not have full access to a device. Our new administrator’s username is going to be Joe.
The access level for Joe could be anything between 2 and 14. The higher the level, the more the user can do (it
inherits lower level capabilities). Let’s tackle the problem using a few steps.
Firstly, let us define username Joe and assign him the password ‘0nlyJ03′ (without quotes) and the level 3 access.
User Jane will have privileged level 15 access with password C1sc0.
R1(config)#username jane privilege 15 secret C1sc0 R1(config)#username joe privilege 3 secret 0nlyJ03
39
WARNING!
You must never forget to add a username with privilege access 15 if you plan on prompting for username and
password.
Next, we should specify what level 3 users can do with the interfaces. Do not forget to give the user access to
‘configure terminal’ command which allows them to enter the interface context.
R1(config)#privilege interface all level 3 shutdown R1(config)#privilege interface all level 3 no shutdown
R1(config)#privilege configure level 3 interface R1(config)#privilege exec level 3 configure terminal R1(config)#
The last thing to do is to configure the console and/or line vty lines to prompt for the user:
R1(config)#line console 0 R1(config-line)#login local R1(config-line)# R1(config-line)#line vty 0 4 R1(config-
line)#login local R1(config-line)#
It’s a good idea to check if this configuration works. We can do this by accessing the router’s CLI as presented
below:
Clearly, Joe is at the right privilege level but should not be able to display running configuration of the router
since we never gave him that privilege.
40
However, he is able to change the status of the router’s interfaces:
Notice that Joe can enter global configuration and interface context. He can shut the interface down (you granted
him that), but he cannot assign an IP address on the interface.
41
There are better ways of granting users access to specific tasks such as using role-based CLI access or using AAA
security but this is a topic for another article.
Tip 18 – SmartPort Macros
Another excellent mechanism available on Cisco switches is the SmartPort Macros. They are a very convenient
way of saving and sharing configurations. An administrator can create some template configurations for the ports
and apply them on the interfaces. The existing commands will not be removed (they could be overwritten if
duplicated with another parameters), but they will be added instead. Also you should know that Cisco created a
few templates for us in order to facilitate some common deployments (check the link below for details):
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/smrtport.html
If the default templates do not meet our needs we can configure our own macros as well. My objective is to create
a macro which does the following on the interfaces:
• * Macro Name: ACCESS_PORTS
• * STP Enhancement: Portfast
• * STP Protection: BPDU Guard Enabled
• * Security:
• * Port-Security,
• * Violation: Restrict,
• * Max MAC Addresess: to be provided by the user during the macro execution
• * VLAN ID: to be provided by the user during the macro execution
Here’s a solution to this problem:
42
Don’t forget to finish your macro with ‘@‘.
Now it is time to apply it on an interface (or range of interfaces). I will apply this on interface fas0/4 of my switch.
SW1(config)#interface fas0/4 SW1(config-if)#macro apply ACCESS_PORTS VLANID 99 MAXHOSTS 2
If I display the running configuration of the interface, I can verify that macro has worked like a charm.
43
Tip 19 – Named ACLs
Access Control Lists have been out there for ages. With the IOS 12.3 version Cisco introduced, they address the
issues with awkward ways of modifying numbered access lists.
Let us see how the old way worked first, and then apply named ACLs to see the difference in the speed of
operation as well as convenience of using the latter solution. Initially, my numbered ACL will block incoming
Telnet traffic, but will allow everything else. I will apply it on Fas0/0 interface.
Here are the ACL statements:
R1(config)#access-list 100 deny tcp any any eq telnet R1(config)#access-list 100 permit ip any any R1(config)#
Statements must be applied on the appropriate interface:
R1(config)#interface fas0/0 R1(config-if)#ip access-group 100 in R1(config-if)#
Now imagine you must add the line which is going to block incoming ICMP echo messages.. You can’t just add
this line into the existing ACL since it is going to be added after the last line which permits all other IP traffic.
44
This way ICMP will never be blocked. Take a look:
So, how did we modify this ACL in the past? We used some text editor (notepad for instance) and we copied the
existing ACL, then modified the statement to fit our needs. Then we removed the existing ACL (no acccess-list
100) and pasted the modified statements into global configuration mode.
If you still have numbered ACLs configured on your device, it is not a lost cause. I will show you a nice trick on
how to modify the numbered ACL without using notepad. Before that, though, I will show you the benefits of
using named ACLs first.
I am going to create another ACL called FILTER and go through the same process as with ACL 100.
The syntax is similar:
ip access-list [standard | extended] name
Take a look:
R1(config)#ip access-list extended FILTER R1(config-ext-nacl)#deny tcp any any eq telnet R1(config-ext-
nacl)#permit ip any any R1(config-ext-nacl)#
The reference numbers that are placed next to the statements will allow us to squeeze lines between other lines:
45
Let’s modify current statements by adding the deny ICMP echo statement above the last one so that it can take
effect:
R1(config)#ip access-list ext FILTER R1(config-ext-nacl)#15 deny icmp any any echo R1(config-ext-nacl)#
This way we can add statements without removing ACL from a router.
Removing statements is just as easy. If you wanted to remove line 15 you would need to enter the context of ACL
and simply type in:
R1(config)#ip access-list ext FILTER R1(config-ext-nacl)#no 15
In case you run out of the available ‘room’ you can also re-sequence the ACL numbers as shown below:
R1(config)#ip access-list resequence FILTER 10 20 R1(config)#
46
This will change all the statement reference numbers starting at 10 with increments of 20.
Check it out:
Of course, you would need to apply the named ACL in the same way you have done with number one:
interface fas0/0 ip access-group FILTER in
Now let me show you a nice trick with the numbered ACL. As long as your IOS version supports named ACLs,
you can refer to the numbered ones as if they are named.
Remember our old good access-list 100? It looks like this:
Extended IP access list 100 10 deny tcp any any eq telnet 20 permit ip any any 30 deny icmp any any echo
The order of statements is incorrect. The last entry should either be at the top or placed as a second line in the
ACL. Here’s how easy it is to modify it using name ACL syntax:
R1(config)#ip access-list extended 100 R1(config-ext-nacl)#no 30 R1(config-ext-nacl)#15 deny icmp any any
echo R1(config-ext-nacl)#
The result should be satisfactory:
47
All other mechanisms such as re-sequencing work here as well.
Tip 20 – ‘Reload in’ Command
The last tip in this article is sometimes referred to as a ‘life saver’. Imagine that you must implement ACL on a
router that is in some distant location. Perhaps it works in a different town and if you make a mistake while
applying ACL, you can terminate your own connection (you are applying ACL on the very interface you are using
to access the router). What would you do then? The answer is to ask somebody at that location to reload the router
for you in case you terminate your connection. This way, all the configuration you have applied will be removed
since you have never saved it in NVRAM.
What if there is nobody there to assist you?
A better way of doing it is to use the command ‘reload in’. Here’s an example of how you would use it. You have
created ACL and saved it using ‘wr’ (remember this is your older copy run start). Then before you use ‘ip access-
group’ command to apply it on the interface, you type the following in the privileged mode:
R1#reload in 10
The router is going to ask you to confirm this. If you hit ‘Enter,’ your router will reload itself in exactly 10
minutes (give yourself as much time as you need). You can check the time left using: ‘show reload’ command. If,
after you have applied ACL on the interface, you are still connected (you did not cut yourself off after all), you
can cancel that reload by typing in:
R1#reload cancel R1#
48
***
*** — SHUTDOWN ABORTED —
***
Your router informs you that the shutdown has been aborted.
TIP 21 – Automated configuration backup using Command Scheduler utility (Kron).
In my previous article on IOS Speed Tips, I wrote about a method of archiving the configuration using the
‘archive’ command. Most network administrators will also need to create a backup configuration of their devices
at certain time intervals. For instance, the company policy may stipulate that configuration of all switches and
routers must be backed up on a TFTP or FTP server weekly and upon any configuration change saved in
NVRAM.
Once you know how to use ‘archive’ command, you can augment this solution making an extra copy of the
configuration and store it on an external server. In order to illustrate how it can be automated, I am going to use
the following policy on my switch named SW1:
– Backup Configuration: weekly (every 10080 minutes) or upon using ‘write memory’ command
– Destination: ftp://192.168.1.4/upload
– FTP Server Credentials:
• user: ftp,
• password: cisco
Since I use FTP server, I will need to provide user’s name and password to upload my configuration onto it.
Step 1 – Configure FTP credentials
SW1>enable
SW1#conf t
SW1(config)#ip ftp username ftp
SW1(config)#ip ftp password cisco
SW1(config)#
Of course, you must make sure that your FTP credentials (user name and password), as well as the permissions to
upload the files are configured properly on the server.
The next thing I am going to do is to configure the archive, but unlike using flash as the destination for our
configurations, this time I am going to specify FTP server as a storage place. This means that every time an
administrator issues ‘write memory’ command, the running-configuration will be sent out to our FTP server. Also,
we are going to add an extra twist to this, by making sure that the file archive contains the host name and the time
of creation rather than using plain ‘-1′, ‘-2′, etc. as the names of our respective configurations. In order for this to
work, the time of our device must be properly set using either NTP service or a manually assigned ‘clock set’
command.
Step 2 – Configure archive for configuration backup
49
SW1(config)# archive
SW1(config-archive)# path ftp://192.168.1.4/upload/$h-$t
SW1(config-archive)# write-memory”
SW1(config-archive)# time-period 10080
Notice that in the path I have used in $h-$t parameters. If you think that they are variables that will be substituted
for the actual device host name and the file creation time respectively, you are right. The command ‘write-
memory’ instructs the archive utility to be triggered whenever the admin saves configuration in NVRAM (‘write
memory’) and also every week as stipulated by the last option (time-period 10080 minutes = 1 week).
If you are configuring your device while reading this article, at this point you should check if the FTP server is
receiving the file when you issue the ‘write memory command.
In the image above, the time shows as 22:10:42. Then, I have saved the configuration in NVRAM using ‘write
memory’ command. As per our ‘archive’ configuration, the file should be stored on our FTP server using the
credentials configured before (user: ftp, password: cisco).
Indeed, the file has been created on the FTP server with the host name SW1, the time stamp and ‘-1′ number
identifying it as the first archived configuration.
Now, we need to make sure that a backup copy of our configuration is created on FTP server every week. We will
engage IOS ‘kron’ utility to accomplish this goal.
In the step below, I want my kron to issue ‘write memory’ command which, as per our archive configuration in
step 2, will also trigger configuration upload to our FTP server.
Step 3 – Configure Kron Policy-List
SW1(config)# kron policy-list CONFIG-BACKUP
SW1(config-kron-policy)# cli write-memory
50
SW1(config-kron-policy)# exit
SW1(config)#
In my example, I am going to start kron every Wednesday at 22:45 (you can use any time of the week here).
SW1(config)# kron occurrence BACKUP at 22:45 wed recurring
SW1(config-kron-occurrence)# policy-list CONFIG-BACKUP
SW1(config-kron-occurrence)# exit
SW1(config)#
Now, all we have to do is wait until kron is triggered (here: in 5 minutes and 34 seconds) as depicted in the last
line of image below.
When the given time has elapsed, we can see that the new configuration file has been sent to our FTP server.
Kron has created another configuration backup on my FTP server (signified with ‘-2′ at the end of the file name).
Concluding this whole configuration, I made my kron utility run every Wednesday at 22:45. It will issue ‘write
memory’ command. This will, in turn, trigger the ‘archive’ to upload the configuration to my FTP server.
More information on using kron: http://www.cisco.com/en/US/docs/ios-xml/ios/cns/configuration/xe-
3s/asr1000/cns-cmd-sched.html
Tip 22 – Using Syslog facility to store important system messages.
Syslog protocol is a transportation method allowing devices to send messages and alerts to a so-called syslog
server (message collector). Those messages use UDP as the transport protocol and are directed to port 514 by
default. Syslog messages typically use the following format:
Look at the brief explanation of the message fields:
• Time stamp – local time when the message was generated.
• Facility – category of the message (Cisco will describe a device, protocol or a module generating the
message here and is not compliant with original syslog implementation described in RFC 3164).
51
• Severity – describes how serious event is.
• Mnemonic – device specific code identifying the message.
• Message-text – actual message the device is sending.
Severity of the message is very important. System uses eight levels of severity ranked with a single digit number.
The lower the number, the more serious the situation has occurred on a device. Here are the severity numbers and
their brief explanation:
0 – Emergency: System is unusable.
1 – Alert: Action must be taken immediately.
2 – Critical: Critical conditions.
3 – Error: Error conditions.
4 – Warning: Warning conditions.
5 – Notice: Normal but significant condition.
6 – Informational: Informational messages.
7 – Debug: Debug-level messages.
Syslog message analysis helps administrators find out as to what happened and may also speed up the process of
finding what needs to be done to fix a problem. This is why collecting system messages are so important. The
easiest way to set up a collector is either to use some commercial software or implement free syslog collectors
such as Windows KIWI syslog server or use the one the Linux operating system comes with by default.
In case you want to use Linux, below is an example of how to set up an Ubuntu OS as a Cisco syslog collector.
Step 1 – Enable UDP (port 514) message reception
Edit (as the root user) the file /etc/rsyslog.conf and uncomment the two lines as presented below (there are no
leading ‘#’ which is there by default):
# provides UDP syslog reception
$ModLoadimudp
$UDPServerRun 514
Step 2 – Specify the path for Cisco logs
Create the file named cisco.conf under /etc/rsyslog.d/ (full path: /etc/rsyslog.d/cisco.conf). And in the file create
the following content:
#
# Log from Cisco Clients
#
local7.* /var/log/cisco.log
Step 3 – Enable log rotation
Create a file /etc/logrotate.d/cisco in which add the following lines:
/var/log/messages
{
rotate 4
52
weekly
missingok
notifempty\
compress
sharedscripts
postrotate
reloadrsyslog>/dev/null 2>&1 || true
endscript
}
rotate 4 = keep 4 files with log history (can be changed)
weekly = rotate weekly (can be changed to daily, monthly etc.)
More detailed explanation of the syslog server configuration is beyond the scope of this article.
Step 4 – Restart the service for those changes to take effect (here Linux CLI is used).
$ sudo service rsyslog restart
Now, we need to configure Cisco devices to send all the messages to the syslog server. The configuration of my
Cisco switch could look like the one shown below:
SW1(config)# logging 192.168.1.3
SW1(config)# logging facility local7
SW1(config)# logging source-interface loopback0
SW1(config)# service timestamps log datetime
A brief explanation of the configuration:
logging 192.168.1.3 = send log messages to this address
logging facility local7 = Cisco devices use this facility by default allowing to place messages into the appropriate
file on the server (here: /var/log/cisco.log)
logging source-interface loopback0 = allows signed messages with the stable address (must have loopback0
interface configured with ip address to use it).
Service timestamps log datetime = nicely presented time stamp for each message.
I must mention that, by default, Cisco devices will log severity messages from 6 (informational) down to 0
(emergency). You can change it by using ‘logging trapnumber‘ command. The number will indicate which
severity level to log (level 0 up to the number inclusive). For instance:
SW1(config)# logging trap 5
This will log messages with severity 5, 4, 3, 2, 1, and 0.
53
In the output above, you may notice that my Server time (09:18:24) is off by almost a minute compared to my
switch (09:17:22). It is because it is manually set and I did not use NTP in this example.
Tip 23 – Using Remote Monitoring (RMON) alarms
Router’s interfaces get congested at times, CPU can be heavily utilized, but the problem is that a network
administrator does not get notified about it by default.
If you know the basics of SNMP protocol and have SNMP server which collects information from devices, it is
relatively easy to make your device ‘speak’ when certain critical thresholds are reached.
Here’s a typical example. There is a router connected to 172.16.12.0/24 (Vlan 12) in my lab network. It gets
congested now and then. I am the admin who wants to receive SNMP trap when that happens. A trap is an
unsolicited SNMP message sent by a device when something of importance happens.
Assuming that I have an SNMP server running in my network (I can easily install free server on Linux box), I
need to find out which Management Information Base (MIB) object ID collects information about packets
arriving on an interface of a router. This is where Google search engine shines. A quick search for ‘cisco mib
interface incoming packets‘ gives me few links. The one below seems informative enough:
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_q_and_a_item09186a00800b69ac.shtml
It shows me that MIB object in question is called: ifInUcastPkts. I can use Google search again and look for
Cisco MIB Object Navigator. This tool will verify if the object name is correct.
54
Now, I need to configure the router to send alarm messages. Here’ s my setup:
• – SNMP Server IP address: 10.0.1.1
• – SNMP Server Community: cisco123
• – Router’s IP address (R1, in my case): 172.16.12.1/24 (Vlan12 gateway)
As far as the scenario is concerned, let us assume that alarm should be sent to the SNMP server if the number of
packets arriving on router’s interface has increased to 200 packets/min.. In such situation, an SNMP message
should be sent informing an operator about the congestion of the interface. In case the number of packets drops to
50 packets/min, another message should be sent letting the admin know that there is no more congestion on the
interface. Here’s how you can go about it:
Step 1 – Configure destination for SNMP messages
R1(config)# snmp-server host 10.0.1.1 cisco123
R1(config)# snmp-server ifindex persist
Explanation:
SNMP server IP address is 10.0.1.1, it will expect all messages signed with the community of ‘cisco123′
(community is a sort of like a password).
snmp-server ifindex persist = this ensures that the router is not going to change the MIB index of the interface
upon re-boot.
Step 2 – Configure RMON events with the message descriptions.
55
Verify which interface will be monitored (Vlan 12 gateway).
Now configure two events with appropriate descriptions.
R1(config)# rmon event 1 log trap cisco123 description “Interface Fas0/0″ owner test
R1(config)# rmon event 2 log trap cisco123 description “Interface Fas0/0 Not Congested” owner test
Explanation:
rmon event 1 = the reference event number that will be used by the rmon alarm (here event number = 1).
trap = unsolicited message sent by the device to SNMP server.
cisco123 = community (string cisco123) expected by the server in order to accept the message.
description = what message will be sent (message in inverted quotes).
owner test = optional command, the owner of the event is called test.
Step 3 – Create the alarm referencing the two trap messages created in step 2.
In order to create the alarm, you must know which interface it is going to be monitored. Here’s how you can
check this:
The final command triggering messages:
R1(config)# rmon alarm 1 ifInUcastPkts.1 60 delta rising-threshold 200 1 falling-threshold 50 2 owner test
Explanation:
rmon alarm 1 = alarm number 1.
ifInUcastPkts.1 = the MIB object name I found on the internet. The .1 stands for the interface in question.
60 = number of seconds (1 min) over which the counter will measure the traffic rate.
delta = used to sample data that change frequently (others such as memory or CPU utilization should use
‘absolute‘ keyword instead.
56
200 = number of packets by which the alarm needs to be triggered.
1 – event no. 1 needs to be used (interface congested).
50 – the number by which the number of packets needs to fall in order to send message.
2 – event no. 2 needs to be used (interface not congested).
owner test – optional command specifying the owner of the event.
As always, let’s do few tests to see the configuration operational:
And now, let’s send some traffic (ping with high repeat count) trying to trigger one of those events. While
pinging, I am going to enable ‘debug snmp packet’ to see the messages being sent by RMON alarm. After about a
minute, the following shows in the debug:
57
I have stopped the traffic (sent 350 packets), and minute later the debug shows another event:
Tip 24 – Using Role Based Access Control (RBAC) allowing restricted access to devices.
RBAC is a mechanism used to enhance the authorization model in IOS. It allows us to build user roles, referred to
as VIEWS, with very specific privilege levels. Views can also be grouped in order to create a hierarchical
structure in which one user can inherit the privileges assigned another user.
A simple example is the best way to describe the concept. Let’s create three views on the router and give each one
of them a separate privilege level (what they are authorized to do).
View1: Admin1
Device: R1 (router)
Privileges: FastEthernet0/0 IP configuration
Password: cisco123
View2: Admin2
Device: R1 (router)
Privileges: FastEthernet0/0 IP configuration
Password: cisco456
View3: Super
Device: R2 (router)
Privileges: view Admin1 and view Admin2
Password: san-fran-cisco
Here’s our configuration to accomplish the goal:
Step 1 – Enable ‘aaa new-model’
R1#conf t
R1(config)#aaa new-model
R1(config)#exit
R1#
Notice!
For the next task, you must be in the privileged mode and not in the global config mode.
58
Step 2 – Enter the view context
R1#enable view
Password:
R1#
*Mar 1 00:14:45.775: %PARSER-6-VIEW_SWITCH: successfully set to view ‘root’.
R1#
The ‘enable view’ command is going to ask you for the password set up for enabled mode (privilege level 15).
The system is going to switch you to so-called ‘root’ view (which is the same privilege level as enabled mode).
Step 3 – Create VIEWS with the appropriate privileges
R1#conf t
R1(config)#
R1(config)#parser view Admin1
R1(config-view)#secret cisco123
R1(config-view)#commands exec include configure terminal
R1(config-view)#commands configure include interface
R1(config-view)#commands configure include interface FastEthernet0/0
R1(config-view)#commands interface include all ip
R1(config-view)#exit
R1(config)#
Notice!
‘exec’ – refers to privileged mode
‘configure’ – refers to global config mode
‘interface’ – refers to interface mode (config-if)
R1#conf t
R1(config)#
R1(config)#parser view Admin2
R1(config-view)#secret cisco456
R1(config-view)#commands exec include debug ipospf events
R1(config-view)#commands exec include undebugipospf events
R1(config-view)#exit
R1(config)#
R1(config)#parser view Super superview
R1(config-view)#secret san-fran-cisco
R1(config-view)#view Admin1
R1(config-view)#view Admin2
R1(config-view)#exit
R1(config)#
59
In order to verify what particular views can do, you must enter config mode using appropriate view name.
View Admin1 only has authority to configure IP on FastEthernet0/0. Accessing another interface mode
(FastEthernet0/1), will show a syntax error.
Tip 25 – Using Menus in order to help less experienced administrators accomplish simple goals.
If the administrators responsible for implementing/maintaining are slowly introduced into IOS CLI, you may give
them access to a menu allowing them to issue command without knowing them initially.
Let’s create an admin account with full privileges (privilege level 15), but make sure that upon telnet/ssh
connection to a device, the administrator (here we call her/him SYSOP, password is cisco123), will be presented
with the menu rather than regular CLI.
Step 1 – Create username SYSOP, password cisco123 with access to the menu called SYSOP_MENU
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#username SYSOP autocommand menu SYSOP_MENU
R2(config)#username SYSOP password cisco123
R2(config)#username SYSOP privilege 15
60
R2(config)#
R2(config)#line vty 0 4
R2(config-line)#login local
R2(config-line)#exit
R2(config)#
Now, we need to create a menu called SYSOP_MENU (as per previous step).
Step 2 – Create Menu for SYSOP user
R2(config)#menu SYSOP_MENU text 1 Display Interfaces
R2(config)#menu SYSOP_MENU command 1 show ip interface brief
R2(config)#menu SYSOP_MENU text 2 Display Running Config
R2(config)#menu SYSOP_MENU command 2 show run
R2(config)#menu SYSOP_MENU text 3 Display Routing Table
R2(config)#menu SYSOP_MENU command 3 show ip route
R2(config)#menu SYSOP_MENU text 4 Exit
R2(config)#menu SYSOP_MENU command 4 exit
R2(config)#menu SYSOP_MENU clear-screen
R2(config)#
It is not difficult to guess what is going to happen when SYSOP logs in to R2 via tty lines. Take a look at the
image below:
Upon successful log onto the device, the operator SYSOP is presented with the menu of choices.
61
Now, R2 is waiting for the user’s choice. After selecting the number in the menu, the router will display the
appropriate information and will clear the screen. The last option will terminate telnet/ssh session.