Global
Technology Consulting Services
|
Global
Technology Consulting Services
|
|
CellStream
Intranet
FOR SALE!
Technical
Training
Our Quick Links
|
Cisco Technical Tips PageThis page contains a growing number of Cisco Router Technical Tips for folks who work in networking. There is a quick pick list at the top. For a list of frequently used Cisco IOS commands that we like, click here. For QoS IOS Tech tips visit Our Quality of Service Tech Tips (its own page!) If you would like to submit a technical tip for inclusion here - simply send it to us. Quick Pick List
Cisco Reload Procedure to By-Pass System PasswordThis procedure is used regularly by CellStream consultants. Step 1: Connect via serial cable to the console port of the router
Step 2: Power Cycle the router
During the boot process hit <CTRL-BREAK>
Should get the > prompt
Step 3: Enter the following commands:
Step 4: After the reload, return the router to normal boot sequence
Router# configure terminal Router(config)# config-register 0x2102
Return to Quick Pick List at the top. Some Basic Cisco Configuration Best PracticesWhen it comes to configuring a new Cisco router, much of the configuration depends on what type of router it is as well as the purpose it will serve. However, there are certain things you should configure on every new Cisco router. Hasn't there been a command that you wished Cisco would make standard on every router? Every administrator has his or her own list of commands they use to configure a router "just right." Here's my list of 10 commands that I think you should configure on every router (in no particular order). After you read through them, post your own favorites in this article's discussion. Configure a login account on the router, and use it on linesI highly recommend configuring a real username and password account on routers and switches. By doing so, that means someone needs both a password and a username to gain access. In addition, I recommend using a secret password for the username—not just a regular password. This encrypts the password with strong MD5 encryption and enhances security. Here's an example: Router(config)# username root secret My$Password After you've configured the username, you must enable the lines to use that name. Here's an example: Router(config)# line con 0 Router(config-line)# login local Router(config)# line aux 0 Router(config-line)# login local Router(config)# line vty 0 4 Router(config-line)# login local Set a hostname on your routerThe default hostname on a router is—you guessed it—router. You can leave this default, and the router will still work. However, it only makes sense to rename the router to something that will uniquely identify it. Here's an example: Router(config)# hostname cell_pe01
In addition, you can configure a domain name on the router so it knows which DNS domain it's in. Here's an example: cell_pe01(config)# ip domain name cellstream.com Set a password to enter Privileged ModeWhen it comes to setting a password to enter Privileged Mode, many people think of using the enable password command. However, instead of using this command, I highly recommend using the enable secret command instead. This command encrypts the password with strong MD5 encryption so the prompt won't display it in clear text. Here's an example: Router(config)# enable secret My$Password Encrypt router passwordsCisco routers don't encrypt passwords in their configuration by default. However, you can easily change this. Here's an example: Router(config)# service password-encryption Disable the Web serverCisco routers also enable the Web server by default, which is a security risk. If you aren't going to use it, it's better to just turn it off. Here's an example: Router(config)# no ip http server Configure DNS, or disable DNS lookupLet's talk about one of my personal pet peeves about Cisco routers: By default, if you mistype a command in Privileged Mode, the router thinks you're trying to Telnet to a remote host. So it performs a DNS lookup on what you entered. If you haven't configured DNS on the router, the command prompt will hang until the DNS lookup fails. For that reason, I recommend one of two approaches. One option is to disable DNS. Here's how: Router(config)# no ip domain-lookup Or, you can configure DNS properly to go to a real DNS server. Here's an example: Router(config)# ip name-server 1.11.1 Configure command aliasesMany network administrators have standard router command shortcuts (i.e., aliases) that they configure on every router. Here's an example: Router(config)# alias exec s sh run This means you can now enter s rather than typing the entire show running-configuration command. Set the router's clock, or configure an NTP serverMost Cisco devices don't have an internal clock. When they boot up, they don't know what time it is. Even if you set the time, the router won't retain the information if you turn it off or reload it. First, however, set your time zone and Daylight Saving Time. Here's an example: Router(config)# clock timezone CST -6 Router(config)# clock summer-time CDT recurring Then, to ensure a router's event messages display the right time, either set the clock on the router, or configure an NTP server. Here's an example of setting the clock: Router# clock set 10:54:00 Oct 5 2005 If you already have an NTP server on your network (or the router has access to the Internet), you can instruct the router to use that as the time source. This is your best option—when the router boots, it will always set the clock by the NTP server. Here's an example: Router(config)# ntp server 132.163.4.101 Stop logging messages from interrupting your configurationAnother personal Cisco IOS annoyance I have is when I'm configuring the router, and console messages just pop up on the line (which could be a console, auxiliary, or VTY port). To prevent this, you have some options. If you're on the console, you can either disable console logging with the global configuration no logging console command. Or, you can synchronize the logging messages with your command prompt. (I personally prefer the latter—I want to see what's going on with the router.) So, on every line, I use the logging synchronous command. Here's an example: Router(config)# line con 0 Router(config-line)# logging synchronous Router(config)# line aux 0 Router(config-line)# logging synchronous Router(config)# line vty 0 4 Router(config-line)# logging synchronous In addition, you can change the exec-timeout on these interfaces while you're at it. For example, let's say you want to disable the default 10-minute timeout on the VTY lines. To do so, use the exec-timeout 0 0 command when in Line Configuration Mode. This keeps the router from disconnecting after 10 minutes of inactivity. Log system messages to the router's buffer or a syslog serverCapturing errors and events on a router and monitoring the console can be critical to problem-solving. By default, the router doesn't send buffered logging of its events to the router's memory. However, you can configure the router to send buffered logging of its events to the memory. Here's an example: Router(config)# logging buffered 16384 You could also send the router's events to a syslog server. Since it's external to the router, there's an added benefit: It preserves events even if the router loses power. By David Davis who has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. Return to Quick Pick List at the top. How to Configure SSH on a Cisco RouterWe recommend you verify you have the correct IOS version that supports triple-DES and SSH. First, make sure your router has a hostname by using the hostname command. Here's an example: Router(config)# hostname cell_pe01
cell_pe01(config)#
Next, configure a domain name on your router using the ip domain-name command. Here's an example: cell_pe01(config)# ip domain-name cellstream.com
cell_pe01(config)#
Then, create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data. One of the questions you must answer during this process is the modulus size of the key. Make sure the key modulus is at least 768 bits. Here's an example: cell_pe01(config)# crypto key generate rsa
The name for the keys will be: cell_pe01.cellstream.com
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater than
512 may take a few minutes.
How many bits in the modulus [512]: 768
% Generating 768 bit RSA keys ...[OK]
cell_pe01(config)#
*Mar 1 00:17:13.337: %SSH-5-ENABLED: SSH 1.5 has been enabled
cell_pe01(config)#
As you can see from this example, after the system generates the key, you'll receive a message that it has automatically enabled SSH 1.5 on the router. To clarify, SSH 1.5 is Cisco's way of saying this router is running SSH1. If the system has enabled support for both SSH1 and SSH2, this message would say SSH 1.99. If the system has only enabled support for SSH2, the message would say SSH 2.0. You can also configure SSH settings if you choose. To do so, use the ip ssh command with whichever parameters you choose to set. (Different IOS versions have different options because they support different versions of SSH.) Here's an example: cell_pe01(config)# ip ssh ?
authentication-retries Specify number of authentication retries
Port Starting (or only) port number to listen
on
Rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH
connections
time-out Specify SSH time-out interval
cell_pe01(config)# ip ssh
Configuring optional SSH settings completes the process of configuring SSH on the router. Now, let's take a look at showing the SSH status. To view the status of SSH, you can use the following commands:
Here's an example: cell_pe01# show ip ssh SSH Enabled - version 1.5 Authentication timeout: 120 secs; Authentication retries: 3 cell_pe01# show ssh %No SSH server connections running. cell_pe01# SSH debug commands are also available by using the debug ip ssh command. You can use a device's built-in SSH client to connect to other SSH servers. The Privileged Mode command is ssh. Here's an example: cell_pe01# ssh ? -c Select encryption algorithm -l Log in using this username -o Specify options -p Connect to this port WORD IP address or hostname of a remote system cell_pe01# ssh One word of caution: In May 2005, researchers discovered vulnerabilities in a number of Cisco IOS versions with SSH capabilities. For more information—and to make sure the IOS version you're using isn't vulnerable—check out "Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server." Return to Quick Pick List at the top. Using Cisco Command Alias Capability to Speed Up Configuration and Monitoring TasksEveryone knows that constantly entering commands on Cisco routers and switches can become uncomfortably repetitive. To make life easier, Cisco offers the alias command, which can help dispel part of this repetition. This is a Global Configuration command. To use it, enter the alias command and identify which privilege level you want to specify the alias for. Here are some examples:
After specifying the privilege level, enter the alias you want to create and the command you want it to stand for. You can configure an alias to do anything that you can do at the command line. Of course, there's a catch: An alias can't move between modes, type in passwords, or do anything interactive for you. Some 'alias' examplesBelow are the aliases and the necessary command to create that alias: srb - Show Running-Config | Begin Router(config)# alias exec srb show running-config | begin sre - Show Running-Config | Exclude Router(config)# alias exec sre show running-config | exclude sri - Show Running-Config | Include Router(config)# alias exec sri show running-config | include srint - Show Running-Config Interface Router(config)# alias exec srint show running-config interface From these examples, you can see that the aliases you create don't have to be complete commands. You can specify parameters for a command after entering the alias. For example, to use the shortcut for the show running-config interface command—srint—you can specify the interface for which you want to view configuration information after that command. Here's an example: srint fa0/0 IOS Has Default 'aliases'Here are the default command aliases:
You can view these aliases by using the show alias command—whether you've actually configured any aliases of your own. CellStream Consultant's Selected FavoritesAlias: s
Short for: show running-configuration
Command: alias exec s sh run
Alias: c Command: configure terminal Command: alias exec c conf t Alias: sir Command: show ip route Command: alias exec sir sh ip ro You can use the above alias to specify parameters, such as sir bor sir o, to show all BGP routes or all OSPF routes. Or, to see a specific route, you could use sir 10.1.1.1. Alias: i
Short for: show ip interface brief
Command: alias exec i sh ip int brie
When using frame relay, you can use aliases like the following: Alias: pvc
Short for: show frame-relay pvc
Command: alias exec pvc show fram pvc
Alias: dwn
Short for: show frame-relay map | include down
Command: alias exec dwn sh fram map | inc down
If you go into a certain router configuration a lot (for example, BGP AS 1234), you can use the following: Alias: b
Short for: router bgp 1234
Command: alias configure b router bgp 1234
If you often have to use the no shutdown command on an interface, you can use this alias: Alias: ns
Short for: no shutdown
Command: alias interface ns no shutdown
Return to Quick Pick List at the top. Finding Configuration Information Quickly in Router Config FilesFinding the right piece of information that you need from a Cisco router can often be a challenge. For example, if you use the show running-config command on a large production router, you can easily end up with 25 pages of text output. Locating that one piece of information you're looking for can take a lot of time. Once you find it, you might need to make a change, only to have to rerun the command and go through the whole process again. However, there are some shortcuts you can take to find this information more quickly. Let's looks at some filtering options you can use when maneuvering through long command output on a Cisco router. Filter output using line numbersYou can use the show running-config linenum command to configure the system to include line numbers at the start of each line in the output. Here's an example: Current configuration : 59161 bytes 1 : ! 2 : ! Last configuration change at 09:25:35 CDT Tue Aug 16 2005 by root 3 : ! NVRAM config last updated at 09:25:36 CDT Tue Aug 16 2005 by root 4 : ! 5 : version 12.3 6 : service tcp-keepalives-in 7 : service tcp-keepalives-out 8 : service timestamps debug datetime msec localtime show-timezone 9 : service timestamps log datetime msec localtime show-timezone 10 : service password-encryption Once you have line numbers to use as reference points, you can then filter the output by starting at a certain line or only returning a specified line. Here's an example of starting the output at a specific line: Router# show running-config linenum | begin 6 : 6 : service tcp-keepalives-in 7 : service tcp-keepalives-out 8 : service timestamps debug datetime msec localtime show-timezone 9 : service timestamps log datetime msec localtime show-timezone 10 : service password-encryption Here's an example of requesting only one line returned in the output: Router# show running-config linenum | include ( 6 : ) 6 : service tcp-keepalives-in Filter output using Include, Exclude, or BeginYou can also use certain commands to help filter your output. For example, you can use the include command to see only lines that include the word service. Here's an example: Router# show running-config | include service service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption You can use the begin command to start the output at a certain line (such as an interface). Here's an example: Router# show running-config | begin interface Serial3/0 interface Serial3/0 description MPLS T-1 bandwidth 1544 ip address 10.0.100.2 255.255.255.252 no ip proxy-arp (truncated) In addition, you can use the exclude command in the same way if there's something particularly long that you don't need to see in the output. The best thing about these three commands is that they work with almost any output on the router. For example, let's say I wanted to see all routes that begin with the IP address 10.83.x.x. But it doesn't work if I use this: Router# show ip route 10.83.0.0 % Subnet not in table However, if I use something like the following example, I can see all of the routes that begin with 10.83.x.x: Router# show ip route | include 10.83. O 10.83.100.8/30 [110/2370] via 10.83.100.2, 05:32:27, Serial1/2:0.83 O 10.83.100.4/30 [110/2115] via 10.20.100.2, 05:32:27, Serial1/2:0.2 C 10.83.100.0/30 is directly connected, Serial1/2:0.83 O 10.83.103.0/24 [110/2195] via 10.83.100.2, 05:32:27, Serial1/2:0.83 Filter output by interfaceOn the other hand, if you only need to see the output of one specific interface, you can also filter output in that way. Here's an example: Router# show running-config interface Serial3/0 Building configuration... Current configuration : 209 bytes ! interface Serial3/0 description MPLS T-1 bandwidth 1544 ip address 10.0.100.2 255.255.255.252 no ip proxy-arp no ip mroute-cache no fair-queue no cdp enable end Start searching your outputDid you know that you can search directly from the show running-config command's output? If you use the show running-config command, you should see a –More– prompt at the end of each page of output (depending on your page length). If you enter a forward slash [/] at this prompt, it will replace the prompt with the slash, and you can then type in whatever you want to search for. Press [Enter], and it will say filtering and then begin showing you the results of your search. (This is exactly how the UNIX pg command works.) Here's an example: /interface Serial3/0 filtering... interface Serial3/0 description MPLS T-1 bandwidth 1544 ip address 10.0.100.2 255.255.255.252 Return to Quick Pick List at the top. The 'Show Version' CommandShow Version is a great command for routers, switches or PIX firewalls. Here is a look at all the things you can verify with the show version command starting with routers:
The show version also works on Cisco switches:
And on PIX firewalls:
Return to Quick Pick List at the top. Stopping the router from trying to telnetMistype a command on a Cisco router and the router thinks you just typed a hostname. This is often an annoying problem. For example: Here, we just mistyped the word The output shows the lack of a failed connection based on our mistyped keyword: Return to Quick Pick List at the top. Administrative Distances for IP Routes
ip route 154.4.55.0 255.255.255.0 195.23.55.1 85 (where 85 is the administrative distance)
Here are the default administrative distances:
Return to Quick Pick List at the top. Cisco IOS Order of OperationsThe order of operations is hard coded into Cisco IOS and tells the router how to process traffic according to the configuration of different router functions and features. While we cant' make you think like a router, it is likely you have already picked up on some of these. When configuring features such as Network Address Translation (NAT), Quality of Service (QoS), and encryption, it's essential to understand the order of operations in order to configure these features successfully.
QoS Order of Operations Here's the order of operations for inbound traffic to the router:
Here's the order of operations for outbound traffic from the router:
NAT Order of Operations We assume understanding of NAT basic operations. If the packet is from a NAT inside-designated interface, it uses the inside-to-outside list. If the packet is from an outside-to-inside interface, it uses that list. Here's the order of operations for the inside-to-outside list:
Here's the order of operations for the outside-to-inside list:
Let's say that you have an IP packet coming in from an outside-to-inside interface. When translating that packet, you want to use an access control list to block traffic from certain IP addresses. Which IP address should you put in the ACL—the IP address before the packet's translation (i.e., the public IP address), or the IP address after the packet's translation (i.e., the private address)?
By checking the order of operations, you can determine that the "NAT outside to inside" operation occurs after the "Check input access list" task. Therefore, you would use the public IP address in the ACL because the packet hasn't gone through NAT.
On the other hand, what if you want to create a static route for traffic going through NAT? In this case, you would use the private (inside) IP address because the traffic has already gone through NAT when it gets to the "Routing" operation. Return to Quick Pick List at the top.
Keeping your
VPN SAs refreshed
|
| Interface Function | Command to disable |
| Unused interfaces | shutdown |
| No Smurf attacks | no ip directed-broadcast |
| Mask replies | no ip mask-reply |
| Ad-hoc routing | no ip proxy-arp |
| Server Name | Command to disable |
| HTTP | no ip http server |
| BOOTP | no ip bootp server |
| Finger | no service finger |
| Small services (echo, discard, chargen, etc.) |
no service tcp-small-servers no service udp-small-servers |
| SNMP | no snmp-server |
Router(config)# no snmp community public ro
Router(config)# no snmp community private rw
Router(config)# no access-list 20
Router(config)# access-list 20 permit 10.10.10.1
Router(config)# snmp community 1tacot2go! ro 20
| Services Name | Command to disable |
| CDP | no cdp run |
| Remote config. | no service config |
| Source routing | no ip source-route |
| Line | Suggested Config |
| Console Line | line con 0 |
| exec-timeout 5 0 | |
|
login |
|
| Auxiliary Line | line aux 0 |
| no exec | |
| exec-timeout 0 10 | |
|
transport input none |
|
| VTY lines | line vty 0 4 |
| exec-timeout 5 0 | |
| login | |
| transport input telnet ssh |
| Line | Suggested Config |
| Console Line | line con 0 |
| password 1taco2go! | |
| Auxiliary Line | line aux 0 |
| password 1burrito2go! | |
| VTY lines | line vty 0 4 |
| password 1burrito2go! | |
| Basic protection | service password-encryption |
Router(config)# no access-list 90
Router(config)# access-list 90 permit 14.2.10.1
Router(config)# access-list 90 permit 14.2.9.1
Router(config)# line vty 0 4
Router(config-line)# access-class 90 in
Suggested Logging Configuration
Router(config)# logging on
Router(config)# logging 10.10.10.5
Router(config)# logging buffered
Router(config)# logging console critical
Router(config)# logging trap informational
Router(config)# logging facility local1
Suggested Time Clock Configuration (use two NTP sources)
Router(config)# service timestamps log
datetime localtime show-timezone msec
Router(config)# clock timezone GMT 0
Router(config)# ntp server 10.1.1.1
Router(config)# ntp server 10.1.1.254
Router(config)# no access-list 20
Router(config)# access-list 20 permit host 10.10.10.1
Router(config)# access-list 20 deny any log
The following are a list of what we think are great "base level" ACL protection.
A. Log access list port messages properly to the log and ensure that logs contain correct port number information, by using the port range arguments shown below at the end of an access list.
access-list 100 deny udp any range 1 65535
any range 1 65535 log
access-list 100 deny tcp any range 1 65535
any range 1 65535 log
access-list 100 deny ip any any log
The last line is suggested to ensure that rejected packets of protocols other than TCP and UDP are properly logged.
B. Another best practice (if you can support it in your network) is to constrain / enforce traffic address restrictions, particularly on the border points of the network and also log this when something fails. For instance, allow only internal addresses to enter the router from the internal interfaces, and allow only traffic destined for internal addresses to enter the router from the outside (external interfaces). At the same time, it is good practice to block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router to attack other sites, it helps identify poorly configured internal hosts or networks [also see RFC 2827]. Below are some examples:
Router(config)# no access-list 100
Router(config)# access-list 100 permit ip 10.10.10.0 0.0.0.255 any
Router(config)# access-list 100 deny ip any any log
Router(config)# no access-list 101
Router(config)# access-list 101 permit ip any 10.20.10.0 0.0.0.255
Router(config)# access-list 101 deny ip any any log
Router(config)# interface ethernet 0/1
Router(config-if)# ip access-group 100 in
Router(config-if)# exit
Router(config)# interface ethernet 0/2
Router(config-if)# ip access-group 100 out
Router(config-if)# ip access-group 101 in
C. Packets that are sourced from an untrusted network or that have obvious incorrect source networks (i.e. private addresses on the public network - also see RFC 1918)should be immediately filtered. Example networks are 0.0.0.0/8, 127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/20, 192.168.0.0/16. A word of caution here. Filtering through traffic can be processor impacting on some routing platforms. By blocking incoming packets that claim to have a source address of any internal (trusted) networks impedes TCP sequence number guessing and other attacks. If the network doesn’t need IP multicast, then block multicast packets. Also block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services should not be used on external interfaces and certainly shouldn’t cross border routers.) Know that a number of remote probes and attacks use ICMP echo, redirect, and mask request messages, block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.) Also, as we have stated above, you want to log these events. So lets look at some implementations of ACLs to cover the above issues:
Router(config)# no access-list 100
Router(config)# ! block our internal addresses
Router(config)# access-list 100 deny ip 15.1.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 15.2.0.0 0.0.255.255 any log
Router(config)# ! block special/reserved addresses
Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)# ! block multicast (if not used)
Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router(config)# ! block some ICMP message types
Router(config)# access-list 100 deny icmp any any redirect log
Router(config)# access-list 100 deny icmp any any echo log
Router(config)# access-list 100 deny icmp any any mask-request log
Router(config)# access-list 100 permit ip any 15.2.0.0 0.0.255.255
Router(config)# access-list 100 permit ip any 15.1.0.0 0.0.255.255
Router(config)# interface ethernet 0/0
Router(config-if)# description External interface
Router(config-if)# ip access-group 100 in
D. Finally using Access Lists to block incoming packets that claim to have the same destination and source address (i.e. a ‘Land’ attack on the router itself) is highly recommended. You should incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below.
access-list 100 deny ip host 192.168.10.1
host 192.168.10.1 log
interface Ethernet 0/1
ip address 192.168.10.1 255.255.0.0
ip access-group 100 in
Return to Quick Pick List at the top.
Many clients ask about redundancy in Cisco routers. Our answer is usually the always the same. If your uptime has to be high, and the thought of having a failure and suffering the downtime that it will take to make the correction is simply unacceptable, you have to use something called Cisco HSRP (Hot Standby Router Protocol). Plus, you will usually benefit from two interfaces to the network that protects the network connection as well as the router itself. This Cisco tech tip discusses the simplest configuration for HSRP. There are many more options tan we discuss, but this is a quick start.
Fundamentally, HSRP is a Cisco proprietary protocol for router redundancy. It can provide nearly 100 percent router availability and redundancy so, if one router goes down, a backup router takes over the routing functions of the primary one. However, there are other available industry protocols supported by Cisco. One industry standard is the Virtual Router Redundancy Protocol (VRRP). Another HSRP alternative is the Gateway Load Balancing Protocol (GLBP), another Cisco proprietary solution.
The basic configuration we discuss below is based on the following network design:
/-----Router
A (10.0.0.1/24)---\
Internet -------< >--Switch C----USER
\-----Router B (10.0.0.2/24)---/ (def gateway
10.0.0.3)
You note that the PC's default gateway to IP address 10.0.0.3. However, that IP address doesn't point to a real device; instead, it serves as the virtual IP address you will see configured in the routers A and B for whichever router is the primary.
Either Router can be primary or standby. If the primary router doesn't send out the HELLO packet to the standby router for a period of time, the standby router assumes the primary router is down and takes over as primary. The standby router then assumes responsibility for the virtual IP address and begins responding to the virtual Ethernet MAC address to which the virtual IP address is pointing. The primary and standby routers exchange HSRP HELLO packets so that each knows the other router is there. These HELLO packets use a registered multicast address of 224.0.0.2 and registered UDP port 1985. The most basic form of HSRP has been available since IOS 10.0, but there have been newer features released in the 11 and 12 versions of the IOS.
You can configure a priority as to which router is primary using a number to determine it, and then it's by the highest IP address. The default priority number is 100; a higher priority number signifies the preferred router. Of course, when setting up router redundancy, you aren't limited to just two routers. In fact, you can set up groups of routers that work together and have multiple "standby" routers.
You can accomplish almost all HSRP configuration in the router's Interface Configuration Mode using the standby command. For Router A:
Configure the IP address on the Ethernet interface.
Configure the standby IP address.
Configure standby preempt. (With preempt, Router A will always be the primary router as long as it's available.)
For Router B follow the exact same step, except for step 3: configure standby priority to be less than 100 (in this case, it's 90). Now, let's look at the configuration for our sample network.
Router A
interface Ethernet0/0
ip address 10.0.0.1 255.255.255.0
standby ip 10.0.0.3
standby preempt
RouterA# show standby
Ethernet0/0 - Group 0
State is Active
3 state changes, last state change 00:00:15
Virtual IP address is 10.0.0.3
Active virtual MAC address is 0000.0b02.ac07
Local virtual MAC address is 0000.0b02.ac07 (default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.714 secs
Preemption enabled
Active router is local
Standby router is 10.0.0.2, priority 90 (expires in 5.714 sec)
Priority 100 (default 100)
IP redundancy name is "hsrp-Et0/0-0" (default)
Router B
interface Ethernet0/0
ip address 10.0.0.2 255.255.255.0
standby ip 10.0.0.3
standby priority 90
RouterB# show standby
Ethernet0/0 - Group 0
Local state is Standby, priority 90
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.514
Virtual IP address is 10.0.0.3 configured
Active router is 10.0.0.1, priority 100 expires in 5.959
Standby router is local
5 state changes, last state change 00:15:01
As we show you above, the show standby command (when in Privileged Mode) allows you to check the status of HSRP. On the PC, the default IP address should point to 10.0.0.3—not either of the routers. This way, if one of the routers goes down, the other will take over. And you may even be able to use this redundancy to take production routers down during the day because the HSRP failover time is usually less than 10 seconds. For more details on HSRP usage, check the Cisco web site at Cisco HSRP FAQ.
Return to Quick Pick List at the top.
Cisco SNAT allows two or more routers performing the NAT function as a group. This is really handy for redundancy purposes, and can be used in conjunction with Cisco's HSRP function (click on the link to see how that is configured in our tech tips).
So the NAT routers are going to exchange information in their NAT translation databases with each other. Whenever a new NAT connection occurs via one of the NAT routers, the router relays that information to the others in the SNAT group. But these routers aren't just exchanging the IP addresses of the NAT IP flows; they're also exchanging the TCP state of those flows. The standby routers have already created the NAT translation table and are waiting for a failure on the active router. In other words, the purpose for this exchange of NAT flow information is to ensure one of the standby NAT routers can take over if the active NAT router goes down. While you can configure SNAT in its own primary/backup mode, it works best when configured with HSRP.
Cisco has released SNAT in phases. In the first phase, released in Cisco in IOS 12.2(13)T, it only worked with protocols that didn't contain IP information in the application layer. But as of Cisco IOS 12.3(7)T, SNAT supports applications that have IP information embedded in the application layer, such as FTP. In addition, Cisco released some scalability enhancements for SNAT in IOS 12.4(4)T.
We are going to show you how to configure SNAT with HSRP. Start by using the regular HSRP standby commands on your HSRP interfaces. You will also need to configure an HSRP router with a group name of SNATHSRP to use the SNAT HSRP API.
Your standby command might look something like this:
standby name SNATHSRP standby ip 10.0.0.3 secondary
You also need to ensure the full exchange of NAT state information between the routers in the SNAT group. Here's an example:
standby delay reload 60 standby 1 preempt delay minimum 60 reload 60 sync 60
After exiting Interface Configuration Mode, enter the ip nat stateful command; make sure it includes the same SNATHSRP group name. Here's an example:
ip nat stateful id 1
redundancy SNATHSRP
mapping-id 10
Now, you can enter your standard NAT commands to create your translation pools. Here's an example:
ip nat pool snatpool1 10.0.0.5 10.0.0.15 prefix-length 24 ip nat inside source route-map snatrtmap1 pool snatpool1 mapping-id 10 overload
Now, create your access control list and route map, according to the network for which you're configuring NAT. Here's an example:
access-list 101 permit ip 10.10.10.0 0.0.0.255 1.1.1.0 0.0.0.255
route-map snatrtmap1 permit 10
match ip address 101
Finally, configure the other routers in your SNAT and HSRP pools to communicate. After that, you can use the traditional NAT commands such as show ip nat translations and show ip nat statistics, as well as the show ip snat command.
The combination of SNAT and HSRP working together preserves NAT translations when a failure occurs. A standby router can step in and take over the active role—possibly without users ever realizing there was a failure. Even better, you can be home asleep when it happens. Here are some other helpful links at Cisco:
Return to Quick Pick List at the top.
GLBP is a new protocol similar in function to HSRP (discussed in tech tips by clicking here). It has been available since IOS version 12.2(14)S and you cen read more at the cisco site on Gateway Load Balancing Protocol. GLBP and HSRP are both Cisco proprietary solutions, but VRRP is an open standard based on RFC 3768. Of course, that means you'll find HSRP and GLBP on Cisco routers only and VRRP on almost all enterprise routers (including Cisco).
The difference with GLBP is that instead of one router being primary and the others in standby (protect) mode, with GLBP all routers that are part of the redundancy group are available to forward packets in a load sharing process. Regardless of the approach, all three protocols provide this redundancy using a virtual IP address that serves as the default gateway. The virtual IP address points to the primary or secondary routers in the case of HSRP and VRRP or to the group of routers forwarding traffic in the case of GLBP. (On a side note, while HSRP acts as an active/passive router redundancy protocol by design, you can now use Multigroup HSRP—MHSRP—to perform load-sharing, much like GLBP does.)
In the GLBP world, however, there's still an election between the multiple active routers in the redundancy group. The router that wins that election becomes the active virtual gateway (AVG). The AVG assigns virtual MAC addresses to the other routers in the group, which are active virtual forwarders (AVFs). GLBP routers communicate using the registered multicast IP address 224.0.0.102 and registered UDP port 3222.
Now that you've got a basic understanding of GLBP, let's look at a basic GLBP configuration. If you've configured HSRP or VRRP before, you'll find that this configuration is very similar. You can configure GLBP in Interface Configuration Mode. Here's an example of a basic configuration on a single router:
Router(config)# interface FastEthernet 0/0 Router(config-if)# ip address 10.1.1.5 Router(config-if)# glbp 1 ip 10.1.1.1 Router(config-if)# glbp 1 priority 150 Router(config-if)# glbp 1 authentication md5 key-string 0 MySecretPassword
Note: Cisco didn't introduce GLBP MD5 authentication until Cisco IOS version 12.3(2)T.
The default priority for a GLBP router is 100 (just like HSRP). By setting the priority in this configuration to 150, we give this router a higher priority than a router at the default priority of 100. This should force the election of the router as AVG.
By default, GLBP uses round-robin load balancing for routers in the group. However, you can change this by using the glbp 1 load-balancing command. This repeats the above configuration on the other routers in the group, with varying priority. To check the status of GLBP redundancy and configuration, you can use the show glbp command.
Return to Quick Pick List at the top.
Whenever we teach our Hands-On courses, we always have a section of the course that discusses troubleshooting the network or technology the class is learning. A key part of troubleshooting any network is knowing the technology, no argument. But even the masters of technologies like Multicasting, or IP Networking, or MPLS, still can benefit from having a record of the events that led up to a given point in time, or provide us with a sequence of steps that may have relevance with regard to what has to be corrected or modified during the troubleshooting process. Cisco IOS supports this ability via its Logging function. Even so, few network operators or network administrators properly configure and utilize logging to their advantage.
The good news is it is simple to use. Also, it is fairly feature rich. So let's look at how you configure and utilize Cisco Logging. The "logging" command itself can be found in global configuration mode. The 'show logging' command can be used in priviledged mode only.
To start, look at the logging command. The options are displayed below:
router(config)# logging ?
Hostname or A.B.C.D IP address of the logging host
buffered
Set buffered logging parameters
buginf
Enable buginf logging for debugging
cns-events
Set CNS Event logging level
console
Set console logging parameters
count
Count every log message and timestamp last occurrence
exception
Limit size of exception flush output
facility
Facility parameter for syslog messages
history
Configure syslog history table
host
Set syslog server IP address and parameters
monitor
Set terminal line (monitor) logging parameters
on
Enable logging to all supported destinations
origin-id
Add origin ID to syslog messages
rate-limit
Set messages per second limit
reload
Set reload logging level
server-arp
Enable sending ARP requests for syslog servers when
first configured
source-interface Specify interface for
source address in
logging transactions
trap
Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
router(config)# logging
Here are a few key tips on using logging:
0-emergencies
1-alerts
2-critical
3-errors
4-warnings
5-notification
6-informational
7-debugging
Router(config)# logging buffered 16384
Router(config)# logging 192.168.10.1 <--- where the IP Address is the Server IP
router# show logging
Syslog logging: enabled (0 messages dropped, 207 messages rate-limited,
35 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level debugging, 1693825 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 436 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1693825 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level debugging, 2103254 message lines logged
Logging to 192.168.10.1, 2103254 message lines logged, xml disabled,
filtering disabled
Log Buffer (10000000 bytes):
Note that this router has enabled syslog logging and is sending it to host 192.168.10.1. In addition, console logging is at the debugging level, and the setting for local buffered logging is 10,000,000 bytes.
The following are common issues with logging and their fixes.
If you Telnet into a router and can't see some of the logging you're expecting, check to see if you've set your terminal to monitor the logging. You can enable this with the terminal monitor command. To disable it, use the terminal no monitor command. To determine whether you've enabled monitoring, use the show terminal command, and look for the following:
Capabilities: Receives Logging Output
If you see this, you're monitoring logging output. If it returns None for capabilities, then the monitoring is off.
If you can't see logging output, you should also check whether you've set the level correctly. For example, if you've set the console logging to emergencies but you're running debugging, you won't see any debugging output on the console. To determine the set level, use the show logging command. Keep in mind that you need to set the level to a higher number to see all levels below it. For example, setting logging at debugging shows you every other level. In addition, make sure you match the type of logging that you want to see with the level you're configuring. If you configure monitor logging to debug but you're on the console and you've set it to informational, you won't see the debug output on the console.
You may see log messages that don't exhibit the correct date and time. There are a variety of options to control the date and time that appear on logging output (either to the screen or to the buffer). To control this, use the following command:
Router(config)# service timestamps debug ?
datetime
Timestamp with date and time
uptime
Timestamp with system uptime
Return to Quick Pick List at the top.
A common missunderstanding with configuring Cisco routers is the meaning of the 'bandwidth' command. Following a recent discussion we had with a client we thought it appropriate to add some specifics to our Tech Tips area.
Let's say you have a serial intrerface between two Cisco routers and the interface is up and running with IP addresses properly configured on both routers.
If you then add the command:
bandwidth 128000
The incorrect assumption here is that the interface is running at 128kb/sec. The particular serial interface was connected to a T1 CSU providing a network interface speed of 1.544Mb/sec. When we pointed out the incorrect assumption, our client then said "Well right - the line speed is running at 1.544 MB/sec, but the bandwidth command is limiting it to 128kb/sec. We advised this was also incorrect!
The purpose of the bandwidth command in Cisco IOS is to communicate the speed of the interface to the control plane (routing) protocols like OSPF, EIGRP, IGRP or BGP. This information is then used to select the best route and/or perform load balancing calculations and it overrides whatever the line speed of the interface is.
OSPF default bandwidth is the interface speed divided by 100Mb (rounded). So if the interface is a 1.544 Mb T1, the answer is a cost of 64. If you set the bandwidth command to 10,000,000 (10 Mb) then the OSPF metric cost will be 10.
The other thing that will be affected by the bandwidth command is TCP. Based on the banwidth command, TCP will adjust its session parameters (MSS, retransmission, etc.) based on this command.
If you do not set bandwidth, the Cisco routers will use the interface bandwidth by default. You can always view this as follows:
cell_ce03#show int serial 0
Serial0 is up, line protocol is up
Hardware is HD64570
Internet address is 142.0.0.1/16
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
The output above was redacted for brevity. You can see that this is a 1.544 Mb default. But imagine if this was actually connected to a CSU/DSU that had only a Nx64kbit or fractional T1 speed. This default would be incorrect, and the bandwidth command would correct the situation.
If you do not set bandwidth, the Cisco routers will use the interface bandwidth by default. You can always view this as follows:
Here are a couple of references we suggest if you need more information.
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hif_r/int_a1h.htm>
<http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hif_c/icfgenrh.htm>.We hope this helps with clarifying the proper use of the bandwidth command.
Return to Quick Pick List at the top.
Routine maintenance is the underpinning of any well run network. Through routine maintenance, consistency, predictability and standardization all result allowing the network to operate as expected and in times of fault, makes a better troubleshooting environment.
As part of any routine maintenance activity, Cisco provides several commands to help. One less known command is the SHOW DIAG command. This command provides diagnostic information about the router and its controllers and interfaces.
The show diag command returns the following information about a router and its interfaces/adaptors/modules:
In the day-to-day maintenance plan, this information is useful in answering the following questions:
Lets look at some sample output:
cell_pe1#show diag
Slot 0:
C2610 1E Mainboard Port adapter, 5 ports
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision : 2.3
PCB Serial Number : JAD03428879 (3059475211)
Part Number : 73-2839-13
RMA History : 00
RMA Number : 0-0-0-0
Board Revision : A0
Deviation Number : 0-16418
EEPROM format version 4
EEPROM contents (hex):
0x00: 04 FF 40 00 91 41 02 03 C1 18 4A 41 44 30 33 34
0x10: 32 38 38 37 39 20 28 33 30 35 39 34 37 35 32 31
0x20: 31 29 82 49 0B 17 0D 04 00 81 00 00 00 00 42 41
0x30: 30 80 00 00 40 22 FF FF FF FF FF FF FF FF FF FF
0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
WIC Slot 0:
Serial 2T (12in1)
Hardware revision 1.0 Board revision D0
Serial number 23855958 Part number 800-03181-01
Test history 0x0 RMA number 00-00-00
Connector type PCI
EEPROM format version 1
EEPROM contents (hex):
0x20: 01 12 01 00 01 6C 03 56 50 0C 6D 01 00 00 00 00
0x30: 68 00 00 00 00 11 10 00 FF FF FF FF FF FF FF FF
WIC Slot 1:
Serial 2T (12in1)
Hardware revision 1.0 Board revision D0
Serial number 22420112 Part number 800-03181-01
Test history 0x0 RMA number 00-00-00
Connector type PCI
EEPROM format version 1
EEPROM contents (hex):
0x20: 01 12 01 00 01 56 1A 90 50 0C 6D 01 00 00 00 00
0x30: 68 00 00 00 00 09 11 00 FF FF FF FF FF FF FF FF
From the sample output above, you can see that the show diag command generates a lot of valuable information. However, you can save some time by paring down this information to tell you just what you need. To do so, you have a couple of options. Your first option is to specify a certain slot. For example, let's say you know that your interface of interest is in slot 0, and you only want diagnostics information for that slot. You would enter the following:
cell_pe1# show diag 0
Your second option is to use the pipe character [|] to include, exclude, or begin output at a specified point. Let's say you want to view all serial numbers:
cell_pe1#sh diag | inc Serial
PCB Serial Number : JAD03428879 (3059475211)
Serial 2T (12in1)
Serial number 23855958 Part number 800-03181-01
Serial 2T (12in1)
Serial number 22420112 Part number 800-03181-01
We hope you find this helpful.
Return to Quick Pick List at the top.
The primary purpose of the show interfaces command is for displaying the equipped interfaces and their status. Here's the information you can