This post is used to collect some small tips and tricks I found during my daily work. Since the list is getting longer and longer, I am splitting it into two posts:
1. Basic Troubleshooting Commands
Ping
Traceroute
Telnet
Show interfaces (show interfaces GigabitEthernet 3/6)
Show ip interface
Show ip route
Show running-config
Show startup-config
show ip sockets
show conn
show tcp brief
2. Archive Command
- Configuration change logging, and save a copy of the current configuration locally on each write memory:
archive
! log all commands
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:backup-
maximum 8
write-memory
- Compare the startup-configuration with the running-configuration:
R1#show archive config differences
!Contextual Config Diffs:
!No changes were found
- show archive log config all
- show archive
3. Enable IPv6 on Cisco Switch 3550/3560
3560:
sdm prefer dual-ipv4-and-ipv6 routing
3550:
This link shows how to do it: http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ip6-ip4-gre-tunls-xe.html
Switch: interface f0/24 is connected to router P1R1
interface FastEthernet0/24
no switchport
ip address 172.17.255.1 255.255.255.254
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP-KEY
ipv6 address 2001:DB8:CAFE:201::/64 eui-64
ipv6 rip 1 enable
spanning-tree portfast
Tunnel 0:
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source FastEthernet0/24
tunnel destination 172.17.255.0 !---> P1R1
P1R1
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source Ethernet0/0
tunnel destination 172.17.255.1
4. Using ftp to transfer files to flash
copy ftp://test:test@192.168.2.27 flash:
5. Clear IOS configuration
write erase
6. Delete flash: folder
delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE
7. Basic Commands to Enable Telnet/SSH on Cisco Devices
a. Telnet Access
no aaa new-model
username test privilege 15 secret test
line vty 0 15
login local
no password
transport input telnet
b. SSH Access:
hostname Switch1
ip domain-name test.com
crypto key generate rsa general-usage modulus 2048
ip ssh time-out 60
ip ssh version 2
line vty 0 15
transport input ssh
login local
c. Console Access with username/password:
line con 0
login local
exit
8. Debug IP Traffic based on Access-list
The debug procedure is the following:
1) Turn on process switching on both interfaces of the router.
Router(config)#interface g0/0
Router(config-if)#no ip route-cache
Router(config)#interface g0/1
Router(config-if)#no ip route-cache
2) Create an access-list that defines the specific traffic you want to monitor between the hosts.
Router(config)#access-list 199 permit tcp host 11.11.11.1 host 22.22.22.2
Router(config)#access-list 199 permit tcp host 22.22.22.2 host 11.11.11.1
3) If you are in a telnet session to the router, turn "terminal monitor" on.
Router#term mon
If you are on a console session to the router, use the "logging console" command instead.
Router(config)#logging console
4) Finally, run the debug command, where 199 is the number of the access-list created above.
Router#debug ip packet 199 detail
*Jul 23 20:25:30.616: IP: s=11.11.11.1 (local), d=22.22.22.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
........
5) Use the "un all" command to turn it off.
Router#un all
9. Kron command
The kron command can be used to reboot a router on a schedule, clear interface counters, save the configuration, show the routing table, and so on. It does not support interactive commands.
The following example saves the configuration on a regular basis.
Router# show kron schedule
Kron Occurrence Schedule
backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon
Router# show running-config
(truncated)
kron occurrence backup at 22:00 Mon recurring
policy-list backup
!
kron policy-list backup
cli write
Another example runs the TCL script script.tcl as the specific user jonny:
kron occurrence tcl_occur user jonny in 12:0 recurring
policy-list tclpol
kron policy-list tclpol
tclsh flash:/script.tcl
10. Enable IP Accounting on interface
IP accounting does not provide much functionality, but it does give a summary of the traffic passing through a router. The router only records packets that transit it; connections initiated from or terminating on the router itself are not counted.
interface GigabitEthernet0/1
ip address 100.199.48.15 255.255.255.0
ip accounting output-packets
duplex full
speed 100
end
R1#sh ip accounting
Source Destination Packets Bytes
100.199.48.10 100.199.38.53 6 241
100.199.38.53 100.199.48.10 4 183
138.11.117.16 166.6.23.14 1 104
Accounting data age is 3w0d
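As an added example (not from the original post), a small Python parser for the show ip accounting table above: it totals bytes per source address and pulls both directions of a host pair, which is the quickest way to spot one-way flows. The sample text is constructed from the rows shown above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "sh ip accounting" output above.
SAMPLE = """\
R1#sh ip accounting
   Source           Destination              Packets               Bytes
 100.199.48.10     100.199.38.53                  6                 241
 100.199.38.53     100.199.48.10                  4                 183
 138.11.117.16     166.6.23.14                    1                 104

Accounting data age is 3w0d
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\d+)\s+(\d+)\s*$")
AGE = re.compile(r"Accounting data age is\s+(\S+)")


def parse_ip_accounting(text):
    """Return (rows, age); rows are (src, dst, packets, bytes) tuples."""
    rows, age = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, pkts, octets = m.groups()
            rows.append((src, dst, int(pkts), int(octets)))
            continue
        a = AGE.search(line)
        if a:
            age = a.group(1)   # how stale the counters are
    return rows, age


def bytes_by_source(rows):
    """Total bytes sent per source, largest talker first."""
    totals = defaultdict(int)
    for src, _dst, _pkts, octets in rows:
        totals[src] += octets
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def flows_between(rows, a, b):
    """Both directions between two hosts (an empty reverse side means one-way traffic)."""
    return [r for r in rows if {r[0], r[1]} == {a, b}]


if __name__ == "__main__":
    rows, age = parse_ip_accounting(SAMPLE)
    print(f"{len(rows)} flows, data age {age}")
    for src, total in bytes_by_source(rows).items():
        print(f"{src:16} {total:>8} bytes")
```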
11. Show configuration without break/pause @Cisco Router/Switch
terminal length 0
@ASA Firewall
terminal pager 0
12. Debug commands at Cisco ASA 9.1(2)
terminal monitor
logging buffer-size 1048576
logging buffered 7
logging monitor 7
debug crypto condition peer 10.10.10.10
debug crypto ipsec 127
debug crypto ikev1 127
13. Display Cisco IOS Device Opened Ports
R#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
udp *:65110 *:0 IP SNMP LISTEN
udp *:1975 *:0 IPC LISTEN
How to close port 23 from external scanning is covered in my post: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning
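Added example, not from the original post: a Python check that parses the show control-plane host open-ports output above and flags listeners a management-plane policy would not allow (Telnet on tcp/23, SNMP on udp/161). The policy table is an assumption for illustration; the sample output is constructed from the table above.

```python
import re

# Constructed sample, modelled on the "show control-plane host open-ports" output above.
SAMPLE = """\
R#show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service     State
tcp   *:22           *:0              SSH-Server  LISTEN
tcp   *:23           *:0              Telnet      LISTEN
udp   *:161          *:0              IP SNMP     LISTEN
udp   *:162          *:0              IP SNMP     LISTEN
udp   *:65110        *:0              IP SNMP     LISTEN
udp   *:1975         *:0              IPC         LISTEN
"""

# One table row: proto, local addr:port, foreign addr:port, service name, state.
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(LISTEN|ESTABLIS\S*)\s*$")

# Assumed local policy (not from the page): management is SSH only, and SNMP
# must not be reachable from untrusted networks.
POLICY = {
    ("tcp", 23): "Telnet: credentials and sessions are sent unencrypted",
    ("udp", 161): "SNMP: confirm v1/v2c communities are not reachable from outside",
}


def parse_open_ports(text):
    """Turn the show output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, svc, state = m.groups()
            rows.append({"proto": proto, "local": laddr, "port": int(lport),
                         "foreign": f"{faddr}:{fport}", "service": svc.strip(),
                         "state": state})
    return rows


def listening(rows):
    return [r for r in rows if r["state"] == "LISTEN"]


def audit(rows):
    """Return (proto, port, service, reason) for listeners that violate POLICY."""
    findings = []
    for r in listening(rows):
        reason = POLICY.get((r["proto"], r["port"]))
        if reason:
            findings.append((r["proto"], r["port"], r["service"], reason))
    return findings


if __name__ == "__main__":
    for proto, port, svc, reason in audit(parse_open_ports(SAMPLE)):
        print(f"{proto}/{port} ({svc}): {reason}")
```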
14. Native VLAN mismatch
062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).
Although both ports are configured as access ports in different VLANs (1 and 56), this mismatch message should not appear. One solution is a single global command:
no cdp advertise-v2
Or
Another solution is to use a different VTP domain name on those switches:
Switch(config)# vtp mode transparent
Switch(config)# vtp domain a_unique_name
15. IOS Password Recovery Procedures
- Shut down the router, then power it on.
- Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into Rommon. (On some keyboards the Pause key is used to enter Rommon mode; you may not need Fn+Pause or CTRL+Break.)
- Once the Rommon1> prompt appears, enter this command: confreg 0x2142
- Type reset to reboot the Cisco device.
- When you are prompted to enter the initial configuration, type No and press Enter.
- At the Router> prompt, type enable.
- At the Router# prompt, enter the configure memory command and press Enter in order to copy the startup configuration to the running configuration.
- Use the config t command in order to enter global configuration mode.
- Use this command in order to create a new user name and password:
router(config)#username test privilege 15 password test
- Use this command in order to change the boot statement back: config-register 0x2102
- Use this command in order to save the configuration: write memory
16. Reload Device in xx minutes
This is helpful for remote work, in case you lose your connection through a misconfiguration: the device reloads to its saved configuration unless you cancel the reload.
R-Test-Lab#reload in 1
Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
Reload reason: Reload Command
Proceed with reload? [confirm]
R-Test-Lab#
***
*** --- SHUTDOWN in 0:01:00 ---
***
R-Test-Lab#show reload
Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
Reload reason: Reload Command
R-Test-Lab#reload cancel
R-Test-Lab#
***
*** --- SHUTDOWN ABORTED ---
***
17. Load-Interval 30
By default, IOS calculates interface statistics over a 5-minute interval. The minimum interval you can set is 30 seconds.
interface GigabitEthernet0/0
ip flow ingress
load-interval 30
duplex auto
speed auto
end
Router#sh interfaces g0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
Description:
Internet address is
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 3/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 12706000 bits/sec, 1423 packets/sec
30 second output rate 966000 bits/sec, 957 packets/sec
7877466781 packets input, 4315500899841 bytes, 1023 no buffer
Received 345354184 broadcasts (0 IP multicasts)
0 runts, 0 giants, 13 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 520835 multicast, 2112 pause input
7120190572 packets output, 2103538386166 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
121793930 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
4 lost carrier, 0 no carrier, 58519 pause output
0 output buffer failures, 0 output buffers swapped out
18. Turn off IP Spoof Protection
On the ASA, the reverse-path check that produces the log message below is enabled per interface with:
ip verify reverse-path interface outside
and is turned off with the no form of the same command (no ip verify reverse-path interface outside). The message the check generates looks like:
"Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside"
19. Create Read only Account
method one.
username local1 secret Cisco1234
username local1 privilege 15 autocommand show running
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
method two.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
username local2 privilege 7 password Cisco1234
privilege exec level 7 show config
20. Upgrade Cisco Device IOS
Switch# delete /f /r flash1:c3750-ipbase-mz.122.35-35.SE5.bin
Switch#copy tftp: flash:ios.tar
Switch#verify /md5 flash:ios.tar
.........................Done!
verify /md5 (flash:ios.tar) = bb86b1de4eb8e37fd0710c40d891445c
Switch#archive tar /xtract ios.tar flash:
Switch(config)#boot system flash:/ios/ios.bin
Switch#wr
Switch#show boot
BOOT path-list : flash:/ios/ios.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
.....
Switch#reload
21. Set SSH/Telnet/Ping/Traceroute with a source ip or interface
- SSH
ip ssh source-interface <interface to use>
- Telnet
ip telnet source-interface <interface to use>
R1#telnet 10.9.38.3 22 /source-interface l0
Trying 10.9.38.3, 22 ... Open
SSH-2.0-1.36 sshlib: GlobalScape
- Ping
ping <ip address> source <ip address / interface to use>
- Traceroute
using extended traceroute:
R1#traceroute
Protocol [ip]:
Target IP address: 10.10.10.10
Source address: 10.11.11.11
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
The list is getting longer, and I am splitting it into two posts:
- The Cisco Support Community
- How to Buy - Cisco Commerce Tools
- Cisco Tool - Check Device Coverage
- Cisco Tools and Resources
- Cisco Tool - My Devices
- Cisco Active Advisory