Sunday, June 26, 2011

Top Ten Cisco IOS Commands - 8) debug

debug - is a fickle command that doesn't always give you the smoking gun you'd hope for. However, sometimes it really comes through. (This is a command you really want to be careful with! It can bring a device to its knees in a hurry.) There are hundreds of possible debugging options and I'm not going to dive in that deep, but here's a good example to get you off and running.


Let's debug our dhcp server...

router1# debug ip dhcp server packet detail
router1# sh log
....
Log Buffer (65534 bytes):
 CST:   DHCPD: htype 1 chaddr 0025.84a2.1b56
Oct 14 07:49:52.389 CST:   DHCPD: lease time remaining (secs) = 86400
Oct 14 07:50:11.641 CST: DHCPD: Sending notification of ASSIGNMENT:
Oct 14 07:50:11.641 CST:  DHCPD: address 192.168.64.193 mask 255.255.254.0
Oct 14 07:50:11.641 CST:   DHCPD: htype 1 chaddr 0025.8418.cb21
Oct 14 07:50:11.641 CST:   DHCPD: lease time remaining (secs) = 86400
Oct 14 07:50:13.405 CST: DHCPD: Sending notification of ASSIGNMENT:
Oct 14 07:50:13.405 CST:  DHCPD: address 192.168.62.123 mask 255.255.254.0
Oct 14 07:50:13.405 CST:   DHCPD: htype 1 chaddr 0025.84a2.1c7a
Oct 14 07:50:13.405 CST:   DHCPD: lease time remaining (secs) = 86400
Oct 14 07:50:21.677 CST: DHCPD: Sending notification of DISCOVER:
Oct 14 07:50:21.677 CST:   DHCPD: htype 1 chaddr 10d0.d812.83f1
Oct 14 07:50:21.677 CST:   DHCPD: remote id 020a00000a3c00fe00000384
Oct 14 07:50:21.677 CST:   DHCPD: circuit id 00000000
Oct 14 07:50:21.677 CST: DHCPD: Seeing if there is an internally specified pool class:
Oct 14 07:50:21.677 CST:   DHCPD: htype 1 chaddr 10d0.d812.83f1
Oct 14 07:50:21.677 CST:   DHCPD: remote id 020a00000a3c00fe00000384
Oct 14 07:50:21.677 CST:   DHCPD: circuit id 00000000
Oct 14 07:50:21.677 CST: DHCPD: there is no address pool for 192.168.0.254.
Oct 14 07:50:26.153 CST: %ISDN-6-CONNECT: Interface Serial0/0/0:0 is now connected to 4177666471 N/A
Oct 14 07:50:29.901 CST: DHCPD: Sending notification of DISCOVER:
Oct 14 07:50:29.901 CST:   DHCPD: htype 1 chaddr 10d0.d812.f606
Oct 14 07:50:29.901 CST:   DHCPD: remote id 020a00000a3c00fe00000384
Oct 14 07:50:29.901 CST:   DHCPD: circuit id 00000000
Oct 14 07:50:29.901 CST: DHCPD: Seeing if there is an internally specified pool class:
Oct 14 07:50:29.901 CST:   DHCPD: htype 1 chaddr 10d0.d812.f606
Oct 14 07:50:29.901 CST:   DHCPD: remote id 020a00000a3c00fe00000384
Oct 14 07:50:29.901 CST:   DHCPD: circuit id 00000000
Oct 14 07:50:29.901 CST: DHCPD: there is no address pool for 192.168.0.254.
Oct 14 07:50:32.153 CST: %ISDN-6-CONNECT: Interface Serial0/0/0:0 is now connected to 4177666471 N/A
Oct 14 07:50:34.557 CST: DHCPD: Sending notification of ASSIGNMENT:
Oct 14 07:50:34.557 CST:  DHCPD: address 192.168.64.138 mask 255.255.254.0
Oct 14 07:50:34.557 CST:   DHCPD: htype 1 chaddr 0025.84a0.f328
Oct 14 07:50:34.557 CST:   DHCPD: lease time remaining (secs) = 86400



This is what you'd expect to see, discovery of MACs and assignment of IP addresses. Good stuff.
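Reading a debug buffer by eye works for a dozen lines, not for a busy server. Here's an added Python example (my code, not from the post) that folds the multi-line DHCPD records above into per-client results and pulls out the "no address pool" cases; the log it runs on is a constructed sample modelled on the output above.

```python
import re
from typing import Optional

# Constructed sample, modelled on the debug output in this post (not copied from a live router).
SAMPLE_LOG = """\
Oct 14 07:50:11.641 CST: DHCPD: Sending notification of ASSIGNMENT:
Oct 14 07:50:11.641 CST:  DHCPD: address 192.168.64.193 mask 255.255.254.0
Oct 14 07:50:11.641 CST:   DHCPD: htype 1 chaddr 0025.8418.cb21
Oct 14 07:50:11.641 CST:   DHCPD: lease time remaining (secs) = 86400
Oct 14 07:50:21.677 CST: DHCPD: Sending notification of DISCOVER:
Oct 14 07:50:21.677 CST:   DHCPD: htype 1 chaddr 10d0.d812.83f1
Oct 14 07:50:21.677 CST:   DHCPD: remote id 020a00000a3c00fe00000384
Oct 14 07:50:21.677 CST:   DHCPD: circuit id 00000000
Oct 14 07:50:21.677 CST: DHCPD: Seeing if there is an internally specified pool class:
Oct 14 07:50:21.677 CST:   DHCPD: htype 1 chaddr 10d0.d812.83f1
Oct 14 07:50:21.677 CST: DHCPD: there is no address pool for 192.168.0.254.
Oct 14 07:50:26.153 CST: %ISDN-6-CONNECT: Interface Serial0/0/0:0 is now connected to 4177666471 N/A
Oct 14 07:50:34.557 CST: DHCPD: Sending notification of ASSIGNMENT:
Oct 14 07:50:34.557 CST:  DHCPD: address 192.168.64.138 mask 255.255.254.0
Oct 14 07:50:34.557 CST:   DHCPD: htype 1 chaddr 0025.84a0.f328
Oct 14 07:50:34.557 CST:   DHCPD: lease time remaining (secs) = 86400
"""

# One regex per DHCPD message shape we care about.
TS_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+: +(?P<msg>.*)$")
NOTIFY_RE = re.compile(r"DHCPD: Sending notification of (?P<kind>[A-Z]+):")
ADDR_RE = re.compile(r"DHCPD: address (?P<ip>\S+) mask (?P<mask>\S+)")
CHADDR_RE = re.compile(r"DHCPD: htype \d+ chaddr (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
NOPOOL_RE = re.compile(r"DHCPD: there is no address pool for (?P<giaddr>\d+(?:\.\d+){3})\.?$")


def summarize_dhcp_debug(text: str) -> dict:
    """Fold the multi-line DHCPD records into one summary.

    assignments:    chaddr -> address handed out
    discovers:      chaddrs seen in DISCOVER notifications (order of first sighting)
    no_pool:        (giaddr, chaddr) pairs the server could not serve
    non_dhcp_lines: other log lines interleaved in the buffer (e.g. the %ISDN messages)
    """
    summary = {"assignments": {}, "discovers": [], "no_pool": [], "non_dhcp_lines": 0}
    kind: Optional[str] = None   # notification type of the record being read
    mac: Optional[str] = None    # last chaddr seen in the current record
    ip: Optional[str] = None     # the address line precedes the chaddr line in ASSIGNMENT records
    for raw in text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue             # truncated first line of the buffer, blank lines, etc.
        msg = m.group("msg")
        if "DHCPD:" not in msg:
            summary["non_dhcp_lines"] += 1
            continue
        n = NOTIFY_RE.search(msg)
        if n:
            kind, mac, ip = n.group("kind"), None, None
            continue
        a = ADDR_RE.search(msg)
        if a:
            ip = a.group("ip")
            continue
        c = CHADDR_RE.search(msg)
        if c:
            mac = c.group("mac")
            if kind == "ASSIGNMENT" and ip and mac not in summary["assignments"]:
                summary["assignments"][mac] = ip
            elif kind == "DISCOVER" and mac not in summary["discovers"]:
                summary["discovers"].append(mac)
            continue
        p = NOPOOL_RE.search(msg)
        if p:
            summary["no_pool"].append((p.group("giaddr"), mac))
    return summary


def unanswered_discovers(summary: dict) -> list:
    """Clients that asked but never got an ASSIGNMENT anywhere in this buffer."""
    return sorted(m for m in summary["discovers"] if m not in summary["assignments"])


if __name__ == "__main__":
    s = summarize_dhcp_debug(SAMPLE_LOG)
    for mac, ip in s["assignments"].items():
        print(f"assigned {ip:16} -> {mac}")
    for giaddr, mac in s["no_pool"]:
        print(f"no pool for relay {giaddr} (client {mac}): check 'ip dhcp pool' and 'ip helper-address'")
    print("unanswered:", unanswered_discovers(s))
```

A DISCOVER that ends in "no address pool" usually means a relay (the giaddr shown) is pointing at this server for a subnet it has no pool for, which is worth knowing before you decide the server is healthy.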


Don't forget to stop the debugging when you're done with it. Otherwise you're just chewing up valuable resources...

router1# undebug all
All possible debugging has been turned off



Also, you can check to see what debugging you or someone else has turned on...

router1# sh debug
DHCP server packet detail debugging is on


Wednesday, June 22, 2011

Top Ten Cisco IOS Commands - 9) sh ver, sh inventory, sh platform

sh ver - sh inventory - sh platform
I couldn't help but throw these all in together, as they are equally informative Cisco commands. The show platform output on a switch is quite different from a router's, but it's still a handy command.


Sh ver -
This seemingly harmless command will give you a ton of info:


Uptime
IOS image version
Hardware model
Modules installed
Memory info
Serial number
Switch stack info
Current configuration register setting
How the system was last started (reload command, power-on, etc.)
What, you wanted more?? Sheesh!


router1# s ver
Cisco IOS Software, 2800 Software (C2800NM-IPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support:
http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 21-Jul-10 08:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

router1 uptime is 19 hours, 21 minutes
System returned to ROM by reload at 16:03:11 CDT Tue Jun 21 2011
System restarted at 16:07:38 CDT Tue Jun 21 2011
System image file is "flash:c2800nm-ipservicesk9-mz.124-24.T3.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Blah, blah, blah....

If you require further assistance please contact us by sending email to export@cisco.com.

Cisco 2821 (revision 53.50) with 237568K/24576K bytes of memory.
Processor board ID FDX1398A2GD
2 Gigabit Ethernet interfaces
1 Serial interface
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
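Since sh ver is the first thing you'd collect for an audit, here's an added Python example (my code, not the post's) that pulls the fields listed above out of the text and decodes the configuration register. The sample output is constructed from the excerpt above, and the "(will be 0x2142 at next reload)" suffix is included to show the case where someone changed the register and never set it back; a register with bit 0x0040 set boots without the startup-config.

```python
import re

# Constructed "sh ver" excerpt modelled on the output above; the "(will be ... at next reload)"
# suffix is what IOS prints after the register has been changed with 'config-register'.
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-IPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

router1 uptime is 19 hours, 21 minutes
System returned to ROM by reload at 16:03:11 CDT Tue Jun 21 2011
System restarted at 16:07:38 CDT Tue Jun 21 2011
System image file is "flash:c2800nm-ipservicesk9-mz.124-24.T3.bin"

Cisco 2821 (revision 53.50) with 237568K/24576K bytes of memory.
Processor board ID FDX1398A2GD

Configuration register is 0x2102 (will be 0x2142 at next reload)
"""

VERSION_RE = re.compile(r"^Cisco IOS Software.*?, Version (?P<version>\S+),", re.M)
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$", re.M)
RETURN_RE = re.compile(r"^System returned to ROM by (?P<reason>[\w-]+)", re.M)
IMAGE_RE = re.compile(r'^System image file is "(?P<image>[^"]+)"', re.M)
MODEL_RE = re.compile(r"^Cisco (?P<model>\S+) \(revision", re.M)
SERIAL_RE = re.compile(r"^Processor board ID (?P<serial>\S+)", re.M)
CONFREG_RE = re.compile(
    r"^Configuration register is (?P<cur>0x[0-9A-Fa-f]+)"
    r"(?: \(will be (?P<next>0x[0-9A-Fa-f]+) at next reload\))?", re.M)

# Register bits that matter for a quick audit.
IGNORE_NVRAM = 0x0040    # bit 6: boot without loading startup-config (password-recovery leftover)
BREAK_DISABLED = 0x0100  # bit 8: console Break ignored during boot


def _get(rx, text, group):
    m = rx.search(text)
    return m.group(group) if m else None


def parse_show_version(text):
    m = CONFREG_RE.search(text)
    return {
        "version": _get(VERSION_RE, text, "version"),
        "hostname": _get(UPTIME_RE, text, "host"),
        "uptime": _get(UPTIME_RE, text, "uptime"),
        "return_reason": _get(RETURN_RE, text, "reason"),
        "image_file": _get(IMAGE_RE, text, "image"),
        "model": _get(MODEL_RE, text, "model"),
        "serial": _get(SERIAL_RE, text, "serial"),
        "config_register": int(m.group("cur"), 16) if m else None,
        "next_config_register": int(m.group("next"), 16) if m and m.group("next") else None,
    }


def describe_register(reg):
    """Plain-language notes for anything other than the usual 0x2102 behaviour."""
    notes = []
    boot_field = reg & 0xF
    if boot_field == 0:
        notes.append("boot field 0x0: router stops in ROMMON")
    elif boot_field == 1:
        notes.append("boot field 0x1: boots first image in flash, 'boot system' ignored")
    if reg & IGNORE_NVRAM:
        notes.append("startup-config ignored at boot (0x0040 set)")
    if not reg & BREAK_DISABLED:
        notes.append("console Break can interrupt the boot (0x0100 clear)")
    return notes


def config_register_findings(info):
    findings = []
    for key, label in (("config_register", "current"), ("next_config_register", "next reload")):
        reg = info.get(key)
        if reg is not None:
            findings.extend(f"{label}: {note}" for note in describe_register(reg))
    return findings


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_SHOW_VERSION)
    print(f"{info['hostname']} {info['model']} SN {info['serial']} IOS {info['version']}")
    for f in config_register_findings(info):
        print("register:", f)
```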





Sh inventory -
Obviously, this command gives you some great detailed info about your hardware, too:

router1# sh inventory
NAME: "2821 chassis", DESCR: "2821 chassis"
PID: CISCO2821         , VID: V03 , SN: FDX1398A2GD

NAME: "WAN Interface Card - DSU/CSU T1 Fractional (V2) on Slot 0 SubSlot 2", DESCR: "WAN Interface Card - DSU/CSU T1 Fractional (V2)"
PID: WIC-1DSU-T1-V2      , VID: 1.2, SN: FO730343CHD

NAME: "WAN Interface Card - DSU/CSU T1 Fractional (V2) on Slot 0 SubSlot 3", DESCR: "WAN Interface Card - DSU/CSU T1 Fractional (V2)"
PID: WIC-1DSU-T1-V2      , VID: 1.2, SN: FO730380RTG

NAME: "Virtual Private Network (VPN) Module on Slot 0", DESCR: "Encryption AIM Element"
PID: AIM-VPN/SSL-2     , VID: V01, SN: FOC1104K58T



Sh platform -
I use this command more on routers than on switches. Notice how you can see that the Dimm 1 slot is empty? That can be handy when you need to upgrade multiple devices:


router1# sh platform
 2821 Network IO Interrupt Throttling:
 throttle count=1040, timer count=1
 throttle counts= 1040 0 0 0 0
 active=0, configured=1
 netint usec=20000, netint mask usec=1000
 real netint usec=4000, real netint mask usec=200
 IO Mask is F34F
 Per Slot Intr Mask is F34F

2821 Backplane EEPROM:
        PCB Serial Number        : FOC11090U7R
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-26921-02
        Board Revision           : A0
        Deviation Number         : 0
        Fab Version              : 03
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Processor type           : 87
        Hardware date code       : 20070302
        Chassis Serial Number    : FTX1111A3FV
        Chassis MAC Address      : 001b.534f.7d98
        MAC Address block size   : 32
        CLEI Code                : COM3D00BRA
        Product (FRU) Number     : CISCO2821     
        Part Number              : 73-8853-04
        Version Identifier       : V03
        EEPROM format version 4
        EEPROM contents (hex):
          0x00: 04 FF C1 8B 46 4F 43 31 31 30 39 30 55 37 52 40
          0x10: 03 E8 41 01 00 C0 46 03 20 00 69 29 02 42 41 30
          0x20: 88 00 00 00 00 02 03 03 00 81 00 00 00 00 04 00
          0x30: 09 87 83 01 32 3F 9E C2 8B 46 54 58 31 31 31 31
          0x40: 41 33 46 56 C3 06 00 1B 53 4F 7D 98 43 00 20 C6
          0x50: 8A 43 4F 4D 33 44 30 30 42 52 41 CB 8F 43 49 53
          0x60: 43 4F 32 38 32 31 20 20 20 20 20 20 82 49 22 95
          0x70: 04 89 56 30 33 20 D9 02 40 C1 FF FF FF FF FF FF

TLB entries :
Size  Virt Address range      Phy Address range       Attributes
 16M  0x40000000:0x41FFFFFF   0x00000000:0x01FFFFFF   CacheMode=3, RO, Valid
 16M  0x42000000:0x43FFFFFF   0x02000000:0x03FFFFFF   CacheMode=3, RO, Valid
 256K 0x44000000:0x4407FFFF   0x04000000:0x0407FFFF   CacheMode=3, RO, Valid
 256K 0x44080000:0x440FFFFF   0x04080000:0x040FFFFF   CacheMode=3, RO, Valid
 256K 0x44100000:0x4417FFFF   0x04100000:0x0417FFFF   CacheMode=3, RO, Valid
 64K  0x44180000:0x4419FFFF   0x04180000:0x0419FFFF   CacheMode=3, RO, Valid
 64K  0x441A0000:0x441BFFFF   0x041A0000:0x041BFFFF   CacheMode=3, RW, Valid
 64K  0x441C0000:0x441DFFFF   0x041C0000:0x041DFFFF   CacheMode=3, RW, Valid
 64K  0x441E0000:0x441FFFFF   0x041E0000:0x041FFFFF   CacheMode=3, RW, Valid
 1M   0x44200000:0x443FFFFF   0x04200000:0x043FFFFF   CacheMode=3, RW, Valid

Dimm 0 SPD data :
Size of dimm                 = 256 Megabytes
Memory Type                  = 0x7
Row Addresses                = 0xD
Column Address               = 0xA
Module Rows                  = 0x1
Data Width                   = 0x48 
Voltage Interface            = 0x4
Cycle Time                   = 0x75
Access Time                  = 0x75
Configuration Type           = 0x2
Refresh Rate/Type            = 0x82
Primary Width                = 0x8
Error Width                  = 0x8
Minimum Clock Delay          = 0x1
Burst Lengths                = 0xE
Number of Banks              = 0x4
Cas Latencies                = 0xC
Write Latency                = 0x2
Module Attributes            = 0x20
General Attributes           = 0x0
Min Cycle Time, CAS of 2     = 0xA0
Access Clock Cycle, CAS of 2 = 0x75
Min Cycle Time, CAS of 1     = 0x0
Access Clock Cycle, CAS of 2 = 0x0
Row Precharge                = 0x50
Row Active to Row Active     = 0x3C
RAS CAS Delay                = 0x50
Ras Pulse Width              = 0x2D
Row Density                  = 0x40
Vendor Id                    = 7FA8000000000000
Module Part Number           = CIS00-21077-414IC
Module Revision Code         = 0100
        SPD contents (hex):
         0x00: 80 08 07 0D 0A 01 48 00 04 75 75 02 82 08 08 01
         0x10: 0E 04 0C 01 02 20 00 A0 75 00 00 50 3C 50 2D 40
         0x20: 90 90 50 50 00 00 00 00 00 41 4B 34 32 75 00 00
         0x30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38
         0x40: 7F A8 00 00 00 00 00 00 01 43 49 53 30 30 2D 32
         0x50: 31 30 37 37 2D 34 31 34 49 43 20 01 00 06 48 10
         0x60: D7 11 00 53 69 6D 70 6C 65 54 65 63 68 00 00 00
         0x70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Dimm 1 SPD data :
Memory Slot Empty

System RTC device  = DS1337



How about this one, ever wish you could see the LEDs on your router miles away? Try this:


router1# sh platform led
LED    :       SYSTEM   AUX      ACT      CF
STATUS :  GREEN    BLACK    GREEN    BLACK  

LED    :        AIM0     AIM1
STATUS :  GREEN    BLACK  

LED    :      PVDM0    PVDM1    PVDM2
STATUS :  BLACK    BLACK    BLACK  

Ethernet LEDs :    GE0/0    GE0/1
Link          :         GREEN    BLACK  
Speed 10      :      BLACK    BLACK  
Speed 100     :    GREEN    BLACK  
Speed 1000    :   BLACK    BLACK  
Duplex        :     GREEN    BLACK



Some of the acronyms from above:
SYSTEM= power
AUX= rps power
ACT= activity
CF= flash memory being accessed
AIM0= advanced integration modules (i.e., T1 card)
PVDM0= packet voice data modules



Monday, June 20, 2011

Backup Cisco Config with HyperTerminal

Many times I've had to back up a config over a serial connection, for many different reasons: test labs, upgrades, etc. HyperTerminal is great for this. Most Cisco device consoles can be connected to with these settings: 9600 baud, 8 data bits, no parity, 1 stop bit, flow control none.
Once connected I'll set the terminal screen length to 0 so that it doesn't prompt me page by page. Do this with the "term len 0" command. Next type in the "show run" command, but don't press enter yet...

Now click on Transfer > Capture Text and then select where to save the config and what you want to name it and click Start...
At this point, anything you type or see in HyperTerminal will show up in your txt file. That's why I had you type the "show run" command before starting the capture: otherwise the keystrokes and prompts would land in the file and clutter up your config. Now press enter in your HyperTerminal window and let the running-config scroll to the bottom until it stops. Now click on Transfer > Capture Text > Stop...
You now have your config backed up in the directory you specified earlier. Congrats!
If you didn't already love HyperTerminal, you do now, right? Hope this helps.

Send this link to a friend if you liked it. Thanks!

Thursday, June 16, 2011

Top Ten Cisco IOS Commands -10) Show Run

Let's face it...there's nothing sexy about this command. However, that being said, you may not know as much as you should about it. I'm sure you've run a "sh run" or two in your day, but how about these variations....
How about looking at just the config of one interface?

router1# sh run int G0/0

Building configuration...
Current configuration : 279 bytes
!
interface GigabitEthernet0/0
description to Master Switch
bandwidth 10000000
ip address 10.10.10.13 255.255.255.0
ip flow egress
ip nat inside
ip route-cache same-interface
ip route-cache flow
ip policy route-map SendThisWay
duplex auto
speed auto
end


Or, maybe you want to see the running-config starting at the auxiliary line...

router1# sh run | begin line aux

line aux 0
session-timeout 10
password 7 03F44C1E1A4A0E58D2
login
modem Dialin
stopbits 1
flowcontrol hardware
line vty 0 2
access-class ITGuys in
exec-timeout 0 0
password 7 03F44C1E1A4A0E58D2
logging synchronous
login
line vty 3 4
access-class ITGuys in
password 7 03F44C1E1A4A0E58D2
logging synchronous
login
line vty 5 15
access-class ITGuys in
password 7 03F44C1E1A4A0E58D2
login
!
ntp logging
ntp clock-period 17179769
ntp source GigabitEthernet0/3
ntp master
ntp server 10.10.10.10
.....
.....


If you need to remove an old ACL you'd better check to see what the ramifications might be.
Here I did an "include" to show me all the places this ACL was being used...

router1# sh run | i MyAcl

ip access-list extended MyAcl
remark ACL MyAcl
match ip address MyAcl


It looks like my access list is being used in a route-map!
I'd better use the "section" argument to look at sections in the running-config with MyAcl in them...

router1# sh run | sec MyAcl

ip access-list extended MyAcl
remark ACL MyAcl ver 4a
permit ip any host 1.2.3.4
permit ip any host 1.2.3.5
permit ip any host 1.2.3.6
permit ip any host 1.2.3.7
deny ip any any
route-map MyAcl permit 1
description Traffic for SQL
match ip address MyAcl
set ip next-hop verify-availability 61.62.63.259 10 track 1
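
The "include first, then section" check above is exactly what you'd script before removing an ACL, since IOS treats an ip access-group that names an undefined ACL as permit-all. Here's an added Python example (my code, not the post's) that emulates "| section" and lists every reference to a named ACL; the config it runs on is a constructed sample modelled on this post's output.

```python
import re

# Constructed running-config excerpt modelled on this post's output (not a real device's).
SAMPLE_CONFIG = """\
!
ip access-list extended MyAcl
 remark ACL MyAcl ver 4a
 permit ip any host 1.2.3.4
 deny ip any any
!
ip access-list standard ITGuys
 permit 10.10.10.0 0.0.0.255
!
interface GigabitEthernet0/0
 description to Master Switch
 ip address 10.10.10.13 255.255.255.0
 ip access-group MyAcl in
 ip policy route-map SendThisWay
!
route-map MyAcl permit 1
 description Traffic for SQL
 match ip address MyAcl
 set ip next-hop verify-availability 10.10.10.1 10 track 1
!
line vty 0 4
 access-class ITGuys in
 login
!
"""


def config_sections(config):
    """Split a running-config into (header, [indented children]) blocks, the way '| section' sees it."""
    blocks, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line)
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def section(config, pattern):
    """Emulate 'sh run | section <regex>': a whole block is returned if its header or any child matches."""
    rx = re.compile(pattern)
    out = []
    for header, body in config_sections(config):
        if rx.search(header) or any(rx.search(child) for child in body):
            out.append(header)
            out.extend(body)
    return out


# Places a named ACL can be referenced; group 1 holds the name(s).
REFERENCE_PATTERNS = (
    ("interface access-group", re.compile(r"^\s*ip access-group (\S+) (?:in|out)$")),
    ("line access-class", re.compile(r"^\s*access-class (\S+) (?:in|out)$")),
    ("route-map match", re.compile(r"^\s*match ip address (.+)$")),
    ("class-map match", re.compile(r"^\s*match access-group name (\S+)$")),
    ("snmp community", re.compile(r"^snmp-server community \S+ (?:RO|RW) (\S+)$")),
)


def acl_references(config, name):
    """Every (kind, block header, line) that references the ACL, so you see what changes if it goes away."""
    refs = []
    for header, body in config_sections(config):
        for line in [header] + body:
            for kind, rx in REFERENCE_PATTERNS:
                m = rx.match(line)
                if m and name in m.group(1).split():
                    refs.append((kind, header.strip(), line.strip()))
    return refs


if __name__ == "__main__":
    print("\n".join(section(SAMPLE_CONFIG, "MyAcl")))
    for kind, where, line in acl_references(SAMPLE_CONFIG, "MyAcl"):
        print(f"{kind:24} {where:32} {line}")
```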


Also, did you know the show run command tells the last time a write mem was performed...

router1# sh run

Building configuration...
Current configuration : 31823 bytes
!
! Last configuration change at 15:56:22 EST Tue Feb 15 2011
!
version 12.7
!


So as you can see, this command is pretty useful when you know which argument to use!
I almost hated to put this on the list, but, I use it on a daily basis.
Thanks for reading!


Tuesday, June 14, 2011

ASA Firewall Packet-Tracer Command

One of my favorite Cisco commands is the "packet-tracer" command of the Cisco ASA Firewall. Haven't you ever wanted to know if the ACL you just wrote will accomplish what you intended? And, how many times has somebody asked you, "Am I being blocked by the firewall?" Well, until now you just took an educated guess based on your running-config or looked in the log for their IP address while scratching your head. (You know I'm right, I know I'm right, heck we've all been there!)

Enough blabity blab, let's cut to the chase.
I've been tasked with finding out if tcp port 88 (Kerberos) is allowed out of the network. Since I know the source port and the IP of my webserver I can start to walk through the "packet-tracer" command. (Let's pretend like we've never used the command...)

ASA1# packet-tracer ?    


  input  Ingress interface on which to trace packet

ASA1# packet-tracer input ?


Current available interface(s):
  DMZ     Name of interface Ethernet0/0
  INSIDE  Name of interface Ethernet0/1
  GUESTS    Name of interface Ethernet0/2
  DMZ_2   Name of interface Ethernet0/3


ASA1# packet-tracer input INSIDE ?


  icmp   Enter this keyword if the trace packet is ICMP
  rawip  Enter this keyword if the trace packet is RAW IP
  tcp    Enter this keyword if the trace packet is TCP
  udp    Enter this keyword if the trace packet is UDP


ASA1# packet-tracer input INSIDE tcp ?


  A.B.C.D     Enter the Source address if ipv4
  X:X:X:X::X  Enter the Source address if ipv6

ASA1# packet-tracer input INSIDE tcp 10.10.10.10 ?


  <0-65535>        Enter port number (0 - 65535)
  aol             
  bgp             
  chargen         
  cifs            
  citrix-ica      
  cmd             
  ctiqbe          
  daytime         
  discard         
  domain          
  echo            
  exec            
  finger          
  ftp             
  ftp-data        
  gopher 
  .....
  .....
        
ASA1# packet-tracer input INSIDE tcp 10.10.10.10 88 ?


  A.B.C.D  Enter the destination ipv4 address

ASA1# packet-tracer input INSIDE tcp 10.10.10.10 88 155.155.155.155 3028


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         DMZ


Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_INCOMING in interface INSIDE
access-list LAN_INCOMING extended permit tcp host 10.10.10.10 any
Additional Information:


Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map classdefault
 match any
policy-map global_policy
 class classdefault
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
             
Phase: 4     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 5     
Type: NAT    
Subtype:     
Result: ALLOW
Config:      
nat (INSIDE,DMZ) source dynamic 10.10.10.10 262.1.2.3
Additional Information:
Dynamic translate 10.10.10.10/88 to 262.1.2.3/415
             
Phase: 6     
Type: ACCESS-LIST
Subtype: log 
Result: ALLOW
Config:      
access-group DMZ_LEAVING out interface DMZ
access-list DMZ_LEAVING extended permit tcp host 10.10.10.10 any
Additional Information:
             
Phase: 7     
Type: IP-OPTIONS
Subtype:     
Result: ALLOW
Config:      
Additional Information:
             
Phase: 8     
Type: FLOW-CREATION
Subtype:     
Result: ALLOW
Config:      
Additional Information:
New flow created with id 54311482, packet dispatched to next module
             
Result:      
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow       
ASA1#

The bottom line is yes, 88 is allowed out from the 10.10.10.10 address.
Look at all the juicy info we can see, what access-lists and access-groups it had to traverse, the NAT statement in play, and the dynamic translation. Sweet!
(If you really want some verbose output try adding "detailed" to the end of the command.)
If it had failed, it would have shown something like this...

ASA1# packet-tracer input INSIDE tcp 10.10.10.10 22 155.155.155.155 3028
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         DMZ


Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:


Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

See the "Implicit Rule" in the above output? This is the "implicit deny" that catches things you don't "explicitly allow." You've just seen it in play here.
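When you run packet-tracer for a whole list of flows, you want the phase that dropped the packet, not eight screens of output per flow. Here's an added Python example (my code, not Cisco's) that parses an allowed and a denied trace into the phases, the rule that decided it and the final action; the two transcripts are constructed, shortened versions of the ones above.

```python
import re

# Two constructed packet-tracer transcripts, cut down from the ones in this post.
ALLOWED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         DMZ

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN_INCOMING in interface INSIDE
access-list LAN_INCOMING extended permit tcp host 10.10.10.10 any
Additional Information:

Result:
input-interface: INSIDE
output-interface: DMZ
Action: allow
"""

DENIED_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         DMZ

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: INSIDE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface):\s*(.*)$")

def parse_packet_tracer(output):
    """Return {'phases': [...], 'action', 'drop_reason', 'input_interface', 'output_interface'}."""
    phases, current, collecting = [], None, None
    final = {"action": None, "drop_reason": None, "input_interface": None, "output_interface": None}
    for raw in output.splitlines():
        line = raw.rstrip()  # the ASA pads several of these lines with trailing spaces
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": None, "subtype": "",
                       "result": None, "config": [], "info": []}
            phases.append(current)
            collecting = None
            continue
        if line == "Result:":  # bare header: the final verdict block starts here
            current, collecting = None, None
            continue
        if current is not None:  # inside a phase
            if line in ("Config:", "Additional Information:"):
                collecting = "config" if line == "Config:" else "info"
                continue
            f = FIELD_RE.match(line)
            if f and f.group(1) in ("Type", "Subtype", "Result"):
                current[f.group(1).lower()] = f.group(2)
                collecting = None
            elif collecting and line:
                current[collecting].append(line)
            continue
        f = FIELD_RE.match(line)  # fields of the final block; the status lines are ignored
        if f:
            final[f.group(1).lower().replace("-", "_")] = f.group(2)
    return {"phases": phases, **final}

def first_drop(result):
    """The phase that produced the DROP, or None if every phase allowed the packet."""
    return next((p for p in result["phases"] if p["result"] == "DROP"), None)

def explain(result):
    """One line you can log per tested flow: where it died and on which rule."""
    if result["action"] == "allow":
        return "allow"
    d = first_drop(result)
    where = f"phase {d['phase']} ({d['type']})" if d else "unknown phase"
    rule = "; ".join(d["config"]) if d and d["config"] else "no config shown"
    return f"drop at {where}: {rule}; {result['drop_reason']}"
```

"Implicit Rule" under Config: is how the implicit deny shows up in the parsed result, so a flow you expected to pass that dies there means no explicit permit matched it.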

Well, there you go. Have fun with this baby!

Please email this link to a pal. Thanks!

Sunday, June 12, 2011

Cisco's IOS Embedded Event Manager Example

Here's the lowdown-quick-n-dirty way to get an email notification sent to you via Cisco IOS Embedded Event Manager applet.
Basically, I've set up a couple of variables that will be used by the "action" that gets triggered by a certain "event detector". In this scenario I've selected a syslog event.
There are many event detectors and actions that can be used in these scripts. See this Cisco document for reference. I thought you'd appreciate this quick easy example:

First set the variables:

router1# config term
router1(config)# event manager environment email_to someITguy@123.com
router1(config)# event manager environment email_from router1@.123.com
router1(config)# event manager environment email_server 1.2.3.4

Then configure your applet:

router1(config)# event manager applet SLA_1_down
router1(config-applet)# event syslog severity-notification pattern "state Up->Down"
router1(config-applet)# action 1 syslog msg "SLA 1 DOWN - Sending email to Support"
router1(config-applet)# action 2 mail server "$email_server" to "$email_to" from "$email_from" subject "SLA 1 state changed to DOWN" body "Check to see if Webserver is functional."
router1(config-applet)# end
router1# sh run | begin event manager
!
!
event manager environment email_to someITguy@123.com
event manager environment email_from router1@.123.com
event manager environment email_server 1.2.3.4
event manager applet SLA_1_down
 event syslog severity-notification pattern "state Up->Down"
 action 1 syslog msg "SLA 1 DOWN - Sending email to Support"
 action 2 mail server "$email_server" to "$email_to" from "$email_from" subject "SLA 1 state changed to DOWN" body "Check to see if Webserver is functional."
!
!
That should do it! As long as some sort of SMTP relay is allowed from your router's IP/subnet, you will receive an email if the state of IP SLA 1 changes.

Please email this link to a friend. Thanks!

Thursday, June 9, 2011

How to add a single line entry to a Cisco router ACL

You've got an existing acl (access control list) that is otherwise working fine. But, you need to add or remove an entry. Here's how you'll proceed, after you've backed up your config!! FYI, I'm working with a Cisco 3825 router here, IOS version 12.4T.

Here's what you see when you do a show run. You can see I've filtered my search to include only the "extended MyACL" section.

cisco3825# sh run | sec extended MyACL
ip access-list extended MyACL
 permit tcp any host 10.10.20.20 eq www
 permit tcp any host 10.10.40.40 eq www
 .....
 .....

I need to add a web server entry (10.10.30.30) to this acl. So, I need to find out the line numbers and insert one in between the existing ones...

cisco3825# sh access-lists extended MyACL
Extended IP access list MyACL
  10 permit tcp any host 10.10.20.20 eq www (342879 matches)
  20 permit tcp any host 10.10.40.40 eq www (365501 matches)

 .....
 .....

Good, now I can insert any line number from 11-19 with my new entry....

cisco3825# config term
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# 15 permit tcp any host 10.10.30.30 eq www
cisco3825(config-ext-nacl)# end
cisco3825#
cisco3825# sh access-lists extended MyACL
Extended IP access list MyACL
  10 permit tcp any host 10.10.20.20 eq www (342879 matches)
  15 permit tcp any host 10.10.30.30 eq www (16 matches)
  20 permit tcp any host 10.10.40.40 eq www (365501 matches)

  .....
  .....

Voila!!
Now what if you want to remove an entry?

cisco3825# config term
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# no 15
cisco3825(config-ext-nacl)# end
cisco3825# write mem
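
Picking the sequence number by hand is fine for one entry. Here's an added Python example (mine, not the post's) that reads "show access-lists" output, picks a free number between two entries and builds the commands, and falls back to the IOS "ip access-list resequence" command when two neighbours have no gap between them. The ACL output it parses is a constructed sample modelled on the one above.

```python
import re

# Constructed 'show access-lists' output modelled on the one above; the 20/21 pair shows the no-gap case.
SAMPLE_SHOW_ACL = """\
Extended IP access list MyACL
    10 permit tcp any host 10.10.20.20 eq www (342879 matches)
    20 permit tcp any host 10.10.40.40 eq www (365501 matches)
    21 permit tcp any host 10.10.40.41 eq www
    30 deny ip any any log
"""

ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>.*?)(?: \(\d+ matches\))?$")


def parse_access_list(output):
    """[(sequence, ace_text)] with the '(n matches)' counters stripped off."""
    entries = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((int(m.group("seq")), m.group("ace")))
    return entries


def free_sequence(entries, after_seq):
    """A sequence number strictly between after_seq and the next entry, or None if there is no room.
    Past the last entry the default IOS step of 10 is used."""
    seqs = sorted(s for s, _ in entries)
    if after_seq not in seqs:
        raise ValueError(f"sequence {after_seq} is not in the ACL")
    idx = seqs.index(after_seq)
    nxt = seqs[idx + 1] if idx + 1 < len(seqs) else after_seq + 20
    if nxt - after_seq < 2:
        return None
    return after_seq + (nxt - after_seq) // 2


def insert_commands(acl_name, entries, after_seq, ace, step=10):
    """Config lines that add `ace` right after `after_seq`.
    When the neighbours are consecutive, renumber the list first with the IOS
    'ip access-list resequence <name> <start> <step>' command, then place the entry."""
    seq = free_sequence(entries, after_seq)
    cmds = ["configure terminal"]
    if seq is None:
        cmds.append(f"ip access-list resequence {acl_name} {step} {step}")
        renumbered = [(step * (i + 1), a) for i, (_, a) in enumerate(sorted(entries))]
        target_ace = dict(entries)[after_seq]
        new_after = next(s for s, a in renumbered if a == target_ace)
        seq = free_sequence(renumbered, new_after)
    cmds += [f"ip access-list extended {acl_name}", f" {seq} {ace}", "end"]
    return cmds


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_SHOW_ACL)
    print("\n".join(insert_commands("MyACL", acl, 10, "permit tcp any host 10.10.30.30 eq www")))
    print("\n".join(insert_commands("MyACL", acl, 20, "permit tcp any host 10.10.40.42 eq www")))
```

Resequencing renumbers every entry, so anything that refers to an ACE by sequence number (your own notes, a ticket) needs updating afterwards.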

Now it's true that older IOS versions didn't allow such easy management and would require you to remove the entire acl and add it back. First you'd work up your new acl in a text file and copy and paste it into your telnet/ssh session. Something like the following...

cisco3825# config term
cisco3825(config)# no ip access-list extended MyACL
cisco3825(config)# ip access-list extended MyACL
cisco3825(config-ext-nacl)# <paste entries from text file here>
cisco3825(config-ext-nacl)#
cisco3825(config-ext-nacl)#end
cisco3825# write mem

Hope I helped.
If you liked this post please email it to a friend!

Saturday, June 4, 2011

What is that device attached to my Cisco switch?

The other day our Cisco Unity admin was inquiring about a device that had picked up an IP address, but wasn't registering with the system like a typical Cisco phone.  He asked me to find out what the device was. Ooohhh....I do like a good mystery!!

First of all we need either the MAC or IP. In this case we knew the IP. Great! I can ping the address from my switch and maybe create an arp entry if there's not already one.

Access1# ping 10.11.12.13                
Sending 5, 100-byte ICMP Echos to 10.11.12.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 67/68/75 ms

Access1#
Access1# s arp | i 10.11.12.13
Access1#

No arp entry for that IP?? Maybe it's on a different vlan?

Access1# s arp                 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.168.1         129   0025.8e38.2390  ARPA   Vlan1
Internet  10.44.66.10                -     0010.12bd.9c41  ARPA   Vlan2
Internet  10.44.55.1                 18   0025.8e38.2390  ARPA   Vlan2

Access1#

I see two of these entries have the same MAC; that must be our gateway device. Hopefully you already know what that is. I'll try the arp lookup there...

DistroLayer1# s arp | i 10.11.12.13
Internet  10.11.12.13           0   dc22.03f8.362f  ARPA   Vlan3

DistroLayer1#

Yes!!! Got the IP, the MAC, now we need to find the port. (Notice it was on a different vlan.) Back to our access layer switch. It didn't have an arp entry, but, it will have a port associated with the MAC address....

Access1# show mac address-table | i dc22.03f8.362f
 vlan3   
dc22.03f8.362f    STATIC      Fa3/0/41
Access1#
Access1# s run int Fa3/0/41                      
Building configuration...
!
interface FastEthernet3/0/41
 description Non-Power Device
 switchport access vlan 3
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 power inline never
....
----
----

Well, if it is a phone, it will need to have that "power inline never" command removed.
Let's run this command to see if it is a Cisco POE device...

Access1# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
----

----
SEPDC2203F8362F    Fas 3/0/41        179               H    ATA 186   Port 1
SEP0026CADF1D40  Fas 2/0/38        120             H P M  IP Phone  Port 1
SEP0023EC86AE60   Fas 1/0/44        169               H    ATA 186   Port 1
.....
----
----

Eureka!!! It's an ATA (analog telephone adapter). At long last we've found our mystery device and we didn't even have to pick up the phone!

Now you're probably asking, "Why didn't the arp entry exist on the access layer switch if the device is plugged in there?" Don't forget that the arp broadcast domain stops at the gateway, which in my case is a distribution layer switch doing layer 3 (ip route command). So, if you need to ping or otherwise communicate with a device on another subnet or vlan the packets will have to get routed. The arp entry will exist on the device doing the routing.
That's why if you ping multiple devices on your network and look in your arp table (arp -a) you'll often see multiple IPs listed with the same MAC address. That's your local gateway.

Another tip: don't get fooled by trunk ports to other switches. As in our case here, once I found the MAC on the distro layer switch, I could have started tracing it back to the source...

DistroLayer1# show mac address-table | i dc22.03f8.362f
 vlan 3    dc22.03f8.362f    DYNAMIC     Gi0/2
DistroLayer1#
DistroLayer1# show cdp neighbors | i Gi0/2
DistroLayer1#

(Sometimes commands have different interface syntax...)


DistroLayer1# show cdp neighbors | i Gig 0/2
Device ID        Local Intrfce     Holdtme    Capability  Platform        Port ID
3825.domain.com   Gig 0/22          176            R S I      3825            Gig 0/0.1
Access1                   Gig 0/2           154              S I       WS-C3750-  Gig 1/0/4
DistroLayer1#

This shows me that Gig 1/0/4 on my distro layer switch is connected to Gig 0/2 on my access layer switch. You can guess that these are trunk ports, but, "show interface trunk" would have shown us the trunk ports on each switch. I didn't bother doing this earlier since I knew no end devices were plugged into the distro layer switch.
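
The whole hunt above (ARP on the gateway, MAC table, CDP, follow the trunk) can be scripted once you normalise the interface names the different commands print. Here's an added Python example (my code, not the post's) that does that over constructed tables modelled on the switches above, and also checks the "SEP" + MAC device ID that Cisco phones and ATAs announce over CDP.

```python
import re

# Constructed outputs modelled on the switches in this post (not copied from the real devices).
ARP_GATEWAY = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.11.12.13           0   dc22.03f8.362f  ARPA   Vlan3
Internet  10.44.55.1            -   0025.8e38.2390  ARPA   Vlan2
"""
MAC_TABLES = {  # 'show mac address-table' per switch: vlan, mac, type, port
    "DistroLayer1": " 3    dc22.03f8.362f    DYNAMIC     Gi0/2\n 3    0026.cadf.1d40    DYNAMIC     Gi0/2\n",
    "Access1": " 3    dc22.03f8.362f    STATIC      Fa3/0/41\n 3    0026.cadf.1d40    DYNAMIC     Fa2/0/38\n",
}
CDP_TABLES = {  # 'show cdp neighbors' per switch
    "DistroLayer1": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform   Port ID
3825.domain.com  Gig 0/22          176            R S I    3825       Gig 0/0.1
Access1          Gig 0/2           154              S I    WS-C3750-  Gig 1/0/4
""",
    "Access1": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SEPDC2203F8362F  Fas 3/0/41        179               H    ATA 186   Port 1
SEP0026CADF1D40  Fas 2/0/38        120             H P M  IP Phone  Port 1
""",
}

IF_RE = re.compile(r"^([A-Za-z]+)\s*([\d/.]+)$")
CDP_RE = re.compile(
    r"^(?P<dev>\S+)\s+(?P<local>[A-Za-z]+ ?[\d/.]+)\s+(?P<hold>\d+)\s+"
    r"(?P<cap>(?:[A-Za-z] )*[A-Za-z])\s+(?P<plat>.+?)\s+(?P<port>(?:Port|Gig|Fas|Eth|Ten) \S+)$")

def norm_ifname(name):
    """'Gig 0/2', 'Gi0/2' and 'GigabitEthernet0/2' all become 'gi0/2', so the outputs can be joined."""
    m = IF_RE.match(name.strip())
    return (m.group(1)[:2].lower() + m.group(2)) if m else name.strip().lower()

def mac_from_cdp_device_id(device_id):
    """Cisco phones and ATAs announce 'SEP' + MAC as their CDP device ID; return it dotted, else None."""
    m = re.fullmatch(r"SEP([0-9A-Fa-f]{12})", device_id)
    if not m:
        return None
    h = m.group(1).lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def arp_lookup(arp_output, ip):
    for line in arp_output.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "Internet" and f[1] == ip:
            return f[3], f[5]  # (mac, SVI it was learned on)
    return None

def mac_port(mac_table_output, mac):
    for line in mac_table_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1].lower() == mac.lower():
            return f[3]
    return None

def cdp_neighbor(cdp_output, local_port):
    want = norm_ifname(local_port)
    for line in cdp_output.splitlines():
        m = CDP_RE.match(line)
        if m and norm_ifname(m.group("local")) == want:
            return {"device_id": m.group("dev"), "capability": m.group("cap").split(),
                    "platform": m.group("plat"), "port_id": m.group("port")}
    return None

def trace_ip(ip, arp_output, start_switch, mac_tables, cdp_tables, max_hops=8):
    """ARP on the gateway -> MAC table -> CDP; if the port leads to another switch, keep following."""
    hit = arp_lookup(arp_output, ip)
    if hit is None:
        return {"mac": None, "hops": [], "status": "no ARP entry on gateway"}
    mac, svi = hit
    hops, switch = [], start_switch
    for _ in range(max_hops):
        port = mac_port(mac_tables.get(switch, ""), mac)
        if port is None:
            return {"mac": mac, "svi": svi, "hops": hops, "status": f"MAC not in table on {switch}"}
        nbr = cdp_neighbor(cdp_tables.get(switch, ""), port)
        hops.append({"switch": switch, "port": port, "neighbor": nbr})
        if nbr and "S" in nbr["capability"] and nbr["device_id"] in mac_tables:
            switch = nbr["device_id"]  # trunk to a downstream switch we have tables for
            continue
        status = "end host found"
        if nbr and mac_from_cdp_device_id(nbr["device_id"]) == mac:
            status += " (CDP device ID matches MAC)"
        return {"mac": mac, "svi": svi, "hops": hops, "status": status}
    return {"mac": mac, "svi": svi, "hops": hops, "status": "hop limit reached"}

if __name__ == "__main__":
    r = trace_ip("10.11.12.13", ARP_GATEWAY, "DistroLayer1", MAC_TABLES, CDP_TABLES)
    for h in r["hops"]:
        print(h["switch"], h["port"], "->", (h["neighbor"] or {}).get("device_id"))
    print(r["mac"], r["status"])
```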

Hope this helps! Email this link to a friend, thx.

Wednesday, June 1, 2011

Cisco Router Commands Bail Me Out of BGP Issue


When I got to work this morning I was hearing the all too frequent "Internet is down."
My first knee-jerk reaction to this question is always "Does Al Gore know about this?" I digress. Email confirmed that our carrier had opened a ticket on our circuits (we have 2 T1's in a bundle) because they noticed an issue with an upstream DS3 card and replaced it. The ticket comments said they saw both circuits testing clean. Anyway, a quick console into our Cisco router showed me some interesting info...

2821# show int multilink 1
Multilink1 is up, line protocol is up
  Hardware is multilink group interface
  Description: Verizon MPLS BCFG3BK0001
  Internet address is 68.139.69.194/30
  MTU 1500 bytes, BW 3000 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open, multilink Open
  Listen: CDPCP
  Open: IPCP, loopback not set
  Keepalive set (10 sec)
  .....
  .....

2821# s ppp multilink

Multilink1
  Bundle name: blah1
  Remote Endpoint Discriminator: [1] blah1
  Local Endpoint Discriminator: [1] p1234567-1765432
  Bundle up for 1w0d, total bandwidth 1544, load 4/255
  Receive buffer limit 12000 bytes, frag timeout 1000 ms
    0/0 fragments/bytes in reassembly list
    18 lost fragments, 1627759 reordered
    0/0 discarded fragments/bytes, 1 lost received
    0x660BB1 received sequence, 0x77660C sent sequence
  Member links: 1 active, 1 inactive (max not set, min 1)
    Se0/2/0, since 00:05:56
    Se0/3/0 (inactive)
No inactive multilink interfaces

That's odd, the logical bundle is up, up.

2821# s int se0/2/0
Serial0/2/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Description: M1/HCGS/415028/SC
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink1, loopback not set
  Keepalive set (10 sec)

2821# s int se0/3/0
Serial0/3/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Description: M1/HCGS/415029/SC
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open, multilink Open
  Link is a member of Multilink bundle Multilink1, loopback not set

Both physical T1's in the bundle are up, up.

2821# show service-module  
Interface Serial0/2/0
Module type is T1/fractional
    Hardware revision is 1.2, Software revision is 20090205,
    Image checksum is 0x4144A7, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 41w1d
    loss of signal        :    3, last occurred 24w6d
    loss of frame         :   77, last occurred 03:18:58
    AIS alarm             :   73, last occurred 03:18:58
    Remote alarm          :   74, last occurred 03:18:35
    Module access errors  :    0,
Total Data (last 96 15 minute intervals):
    0 Line Code Violations, 64 Path Code Violations
    4 Slip Secs, 415 Fr Loss Secs, 0 Line Err Secs, 25 Degraded Mins
    73 Errored Secs, 4 Bursty Err Secs, 415 Severely Err Secs, 0 Unavail Secs
Data in current interval (848 seconds elapsed):
    0 Line Code Violations, 0 Path Code Violations
    0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
    0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

Interface Serial0/3/0
Module type is T1/fractional
    Hardware revision is 1.2, Software revision is 20090205,
    Image checksum is 0x4144A7, Protocol revision is 0.1
Receiver has no alarms.
Framing is ESF, Line Code is B8ZS, Current clock source is line,
Fraction has 24 timeslots (64 Kbits/sec each), Net bandwidth is 1536 Kbits/sec.
Last module self-test (done at startup): Passed
Last clearing of alarm counters 41w1d
    loss of signal        :    3, last occurred 24w6d
    loss of frame         :   75, last occurred 03:18:59
    AIS alarm             :   70, last occurred 03:18:59
    Remote alarm          :   72, last occurred 03:18:36
    Module access errors  :    0,
Total Data (last 96 15 minute intervals):
    0 Line Code Violations, 42 Path Code Violations
    2 Slip Secs, 415 Fr Loss Secs, 0 Line Err Secs, 40 Degraded Mins
    70 Errored Secs, 1 Bursty Err Secs, 415 Severely Err Secs, 0 Unavail Secs
Data in current interval (810 seconds elapsed):
    0 Line Code Violations, 0 Path Code Violations
    0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
    0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs


Lots of alarms and errors, but, that was several hours ago.
Can I ping our MPLS gateway?

2821# ping 46.144.32.271

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 46.144.32.271, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Yep, that's really weird. Layer 2 is good. Time to check routing info...

2821# s ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       .....
       .....

Gateway of last resort is not set

"This is a problem!"

2821# show bgp neighbor
BGP neighbor is 46.144.32.271,  remote AS 65000, external link
  BGP version 4, remote router ID 0.0.0.0

"Zoiks!!! Carrier hasn't programmed their side of the circuit to advertise BGP info. Quick, to the Bat-phone, time to call the carrier." These simple commands can show you a wealth of information if you just slow down and look. Hope this helped!