Friday, July 29, 2011

Top Ten Cisco IOS Commands

Here are some invaluable commands to master when dealing with Cisco IOS devices. Please realize that choosing the actual numbered order is an exercise in futility: the most important IOS command is the one that helps you put out the current fire. Also, the options that can be used with these present a ginormous number of possible commands. I've just compiled some of my favorites.
  1. sh interface
  2. packet-tracer
  3. sh line
  4. sh cdp neighbor
  5. sh archive log config all
  6. "netstat"
  7. sh arp
  8. debug
  9. sh ver
  10. sh run 

Top Ten Cisco IOS Commands - 1) sh int

The Cisco IOS "show interface" command is an invaluable command to know. Also, it is probably one you have used before. With this command you can see the following info and more:

  • IP address & mask
  • Speed & duplex
  • MAC address
  • Status
  • Errors
  • Utilization
  • Last clear counter time

You may know this already, but what can be difficult is extracting the precise data you want in a format you can use. Here are some forms of the "sh int" command that I've found very useful (each one was shown as a screenshot of the CLI output, not reproduced here):

Obviously, the basic first...

Ok, I cheated on this one. "Show ip interface brief" displays management IPs and up/down status...

Same command from a router...

A summary of interfaces and their utilization...

The description field can be handy. If you use it when programming ports, it can come back to help you later...

Also, errors can be seen. Here you'll see I've got some collisions and a receive error...

Another variation on errors...

Trunk info...

I use this a lot when setting up a new printer or workstation...

Need to check on the status of your GBICs?...

As you can see, the data that can be extracted from this root command "sh int" is limited only by your understanding of the options and your experience with the CLI.

Check this out. It is a Cisco page giving the field descriptions...
Cisco 12.2 docs "interface" command


Wednesday, July 20, 2011

Top Ten Cisco IOS Commands - 4) sh cdp neighbor

CDP (Cisco Discovery Protocol) is a proprietary layer 2 protocol for Cisco devices. It sends announcements (by default every 60 seconds) containing the IOS version, IP address, hostname, etc. to the multicast address 0100-0ccc-cccc on each connected interface. The information you get from the "show cdp neighbors" command varies with the version of IOS you are running. CDP can be enabled on a per-interface basis, and I would recommend disabling it on external-facing interfaces. (You may not want devices outside your network to glean anything from CDP running on your router!) It is also often used in conjunction with SNMP by monitoring software to map networks, poll IOS versions, etc.


Here are some examples...


R1# sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID          Local Intrfce     Holdtme    Capability    Platform     Port ID
SEPE9CA70FB2479    Fas 3/0/11        125        H P M         IP Phone     Port 1
2821.local.com     Fas 1/0/48        134        R S I         2821         Gig 0/0.1


R1# sh cdp neighbors ?
  Async                 Async interface
  Auto-Template         Auto-Template interface
  BVI                   Bridge-Group Virtual Interface
  CTunnel               CTunnel interface
  Dialer                Dialer interface
  FastEthernet          FastEthernet IEEE 802.3
  Filter                Filter interface
  Filtergroup           Filter Group interface
  GigabitEthernet       GigabitEthernet IEEE 802.3z
  GroupVI               Group Virtual interface
  Lex                   Lex interface
  Port-channel          Ethernet Channel of interfaces
  Portgroup             Portgroup interface
  Pos-channel           POS Channel of interfaces
  Tunnel                Tunnel interface
  Vif                   PGM Multicast Host interface
  Virtual-Template      Virtual Template interface
  Virtual-TokenRing     Virtual TokenRing
  Vlan                  Catalyst Vlans
  detail                Show detailed information
  fcpa                  Fiber Channel
  |                     Output modifiers
  <cr>


R1# sh cdp neighbors detail
-------------------------
Device ID: SEPE9CA70FB2479
Entry address(es):
  IP address: 10.22.1.10
Platform: Cisco IP Phone 7975,  Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet3/0/11,  Port ID (outgoing port): Port 1
Holdtime : 178 sec
Second Port Status: Up


advertisement version: 2
Duplex: full
Power drawn: 12.000 Watts
Power request id: 31097, Power management id: 3
Power request levels are:12000 0 0 0 0
Management address(es):
-------------------------
Device ID: 2821.local.com
Entry address(es):
  IP address: 10.16.1.1
Platform: Cisco 2821,  Capabilities: Router Switch IGMP
Interface: FastEthernet1/0/48,  Port ID (outgoing port): GigabitEthernet0/0.1
Holdtime : 127 sec


advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):


R1# sh cdp traffic
CDP counters :
        Total packets output: 393013, Input: 15743
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0,
        CDP version 1 advertisements output: 0, Input: 0
        CDP version 2 advertisements output: 393013, Input: 15743


R1# sh cdp interface Fa1/0/48
FastEthernet1/0/48 is up, line protocol is up
  Encapsulation ARPA
  Sending CDP packets every 60 seconds
  Holdtime is 180 seconds


As I mentioned, you can and should disable it on some interfaces...


R1# config t
R1(config)# int fa0/0
R1(config-if)# no cdp enable
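As an added example (not code from the original post), here is a small Python parser for the "sh cdp neighbors detail" output shown above. The sample text is constructed from that output, and the `neighbours_on` helper is a hypothetical check for what is still being learned on interfaces you meant to have CDP disabled on.

```python
import re

# Constructed sample, laid out like the "sh cdp neighbors detail" output above.
CDP_DETAIL = """\
-------------------------
Device ID: SEPE9CA70FB2479
Entry address(es):
  IP address: 10.22.1.10
Platform: Cisco IP Phone 7975,  Capabilities: Host Phone Two-port Mac Relay
Interface: FastEthernet3/0/11,  Port ID (outgoing port): Port 1
Holdtime : 178 sec
Duplex: full
Management address(es):
-------------------------
Device ID: 2821.local.com
Entry address(es):
  IP address: 10.16.1.1
Platform: Cisco 2821,  Capabilities: Router Switch IGMP
Interface: FastEthernet1/0/48,  Port ID (outgoing port): GigabitEthernet0/0.1
Holdtime : 127 sec
VTP Management Domain: ''
Duplex: full
Management address(es):
"""

# One pattern per field, anchored at line start (re.M) so "Entry address(es):"
# and "Management address(es):" cannot be mistaken for the IP line.
FIELDS = {
    "device_id":    r"^Device ID:\s*(\S+)",
    "ip":           r"^\s+IP address:\s*(\S+)",
    "platform":     r"^Platform:\s*(.*?),\s+Capabilities:",
    "capabilities": r"^Platform:.*Capabilities:\s*(.*?)\s*$",
    "interface":    r"^Interface:\s*([^,]+),",
    "port_id":      r"Port ID \(outgoing port\):\s*(.*?)\s*$",
    "holdtime":     r"^Holdtime\s*:\s*(\d+)",
}

def parse_cdp_detail(text):
    """Return one dict per neighbour; neighbours are separated by dashed lines."""
    records = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        if "Device ID:" not in block:
            continue
        rec = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, block, re.M)
            rec[name] = m.group(1) if m else None
        if rec["holdtime"] is not None:
            rec["holdtime"] = int(rec["holdtime"])
        records.append(rec)
    return records

def neighbours_on(records, interfaces):
    """Neighbours learned on the given local interfaces (hypothetical check).
    Any hit for an interface you consider external means CDP is still enabled there."""
    wanted = set(interfaces)
    return [r for r in records if r["interface"] in wanted]

if __name__ == "__main__":
    for r in parse_cdp_detail(CDP_DETAIL):
        print(r["device_id"], r["ip"], r["platform"], r["interface"], "->", r["port_id"])
```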


Top Ten Cisco IOS Commands - 3) sh line, sh users

A good understanding of terminal connections is important when administering Cisco devices.
The Cisco IOS command "show line" gives you a snapshot of which terminal "lines" are in use...

R1# sh line
   Tty Line   Typ     Tx/Rx    A Modem  Roty  Uses  Noise Overruns  Int
        0    0    CTY              -    -      -    -    -         0      0    0/0      -
*      1    1    AUX 115200/115200- inout     -    3      0   53/0      -
*   514  514 VTY              -    -      -    -    -    80     0    0/0      -
    515  515 VTY              -    -      -    -    -     2      0    0/0      -
    516  516 VTY              -    -      -    -    -     0      0    0/0      -
    517  517 VTY              -    -      -    -    -     0      0    0/0      -
    518  518 VTY              -    -      -    -    -     0      0    0/0      -
    519  519 VTY              -    -      -    -    -     0      0    0/0      -
    520  520 VTY              -    -      -    -    -     0      0    0/0      -
    521  521 VTY              -    -      -    -    -     0      0    0/0      -
    522  522 VTY              -    -      -    -    -     0      0    0/0      -
    523  523 VTY              -    -      -    -    -     0      0    0/0      -
    524  524 VTY              -    -      -    -    -     0      0    0/0      -
    525  525 VTY              -    -      -    -    -     0      0    0/0      -
    526  526 VTY              -    -      -    -    -     0      0    0/0      -
    527  527 VTY              -    -      -    -    -     0      0    0/0      -
    528  528 VTY              -    -      -    -    -     0      0    0/0      -
    529  529 VTY              -    -      -    -    -     0      0    0/0      -

Line(s) not in async mode -or- with no hardware support:
2-513

The terminal types are CTY = console, AUX = auxiliary, and VTY = virtual terminal.
The console and auxiliary ports are serial connections, and the VTY lines are for remote connections over the network using telnet or SSH.

The console port is typically used when setting up the device for the first time, or in disaster-recovery scenarios: when an IOS image upgrade isn't cooperating, or the device doesn't have a valid IOS image, for example.

The auxiliary port is typically used by a modem for "out-of-band" access as a backup connection for when the network is having issues. It's almost as good as the console port, but it doesn't give you ROMMON access.

You can manually disconnect any of these lines with the following command...

R1# clear line <x>
[confirm] <------------press enter here
 [OK]

Additionally, sometimes you'll want to know what IP addresses are connected. Use the "sh users" command for this...

R1# sh users
    Line       User       Host(s)              Idle       Location
   514 vty 0              idle                 2d00h      10.10.0.2
   515 vty 1              idle                 00:01:01   10.10.11.23
*  516 vty 2              idle                 00:00:00   10.10.11.12

  Interface    User               Mode         Idle       Peer Address
  Se0/2/0:0                       Sync PPP     00:00:00
  Se0/2/1:0                       Sync PPP     00:00:00
  Se0/2/2:0                       Sync PPP     00:00:00
  Mu1                             Sync PPP     00:00:00   192.168.101.20

Here the asterisk by line 516 shows my IP address. Also, try the command "who" on some IOS versions. It does pretty much the same thing.

Monday, July 11, 2011

Top Ten Cisco IOS Commands - 5) sh archive log config all

This will be one of your favorites if you ever have to use it to roll back changes to a Cisco router or switch.

First, setup the configuration change logging:

R1# config term

Enter archive config mode:
R1(config)# archive

Enter logger config mode:
R1(config-archive)# log config

Enable logging of config changes:
R1(config-archive-log-config)# logging enable

Set the max number of entries to retain in the log:
R1(config-archive-log-config)# logging size 500

Suppress displaying passwords in the log file:
R1(config-archive-log-config)# hidekeys

Enable sending config changes to a syslog server:
R1(config-archive-log-config)# notify syslog

In order to view the log entries:
R1# sh archive log config all
  ...
  ...
  387    28   unknown user@vty0     |ip access-list standard GoodIP
  388    28   unknown user@vty0     | remark Internal Servers
  389    28   unknown user@vty0     | permit 10.22.65.10
  390    28   unknown user@vty0     | permit 10.22.22.10
  391    28   unknown user@vty0     | permit 10.24.97.10
  392    28   unknown user@vty0     | permit 10.25.17.10
  393     0    unknown user@vty2     |!exec: enable
  394     0    unknown user@vty0     |!exec: enable
  395    31   unknown user@vty0     |interface Tunnel200
  396    31   unknown user@vty0     | shutdown
  ...
  ...

That's pretty useful if you need to know the last command(s) you or someone else issued on the device. But for larger entries or pastes, wouldn't it be great to see that same data in a format ready to copy into a text editor? Try this...

sh archive log config all provisioning
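As an added example (not from the original post), here is a Python script that parses the "sh archive log config all" output shown above, groups the entries by session so you can see what each change actually did, and pulls out the commands a reviewer would want to look at first. The sample log lines are constructed from the output above, and the SENSITIVE list is a hypothetical starting point.

```python
import re

# Constructed sample in the format of the "sh archive log config all" output above.
ARCHIVE_LOG = """\
  387    28   unknown user@vty0     |ip access-list standard GoodIP
  388    28   unknown user@vty0     | remark Internal Servers
  389    28   unknown user@vty0     | permit 10.22.65.10
  390    28   unknown user@vty0     | permit 10.22.22.10
  393     0    unknown user@vty2     |!exec: enable
  394     0    unknown user@vty0     |!exec: enable
  395    31   unknown user@vty0     |interface Tunnel200
  396    31   unknown user@vty0     | shutdown
"""

# idx, session, user@line, then the command after the '|'.  The command keeps
# its leading space: that is how IOS marks a sub-mode command under its parent.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+\|(.*)$")

# Commands a reviewer would want to see first (hypothetical list, extend to taste).
SENSITIVE = re.compile(
    r"^\s*(?:(?:no )?(?:ip )?access-list\b|shutdown\b|username\b|enable (?:secret|password)\b"
    r"|aaa\b|line vty\b|snmp-server\b|no logging\b)")

def parse_archive_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # skips the "..." continuation lines and blanks
            continue
        idx, session, user, cmd = m.groups()
        entries.append({"idx": int(idx), "session": int(session),
                        "user": user.strip(), "command": cmd.rstrip()})
    return entries

def with_parent(entries):
    """Yield (entry, description) where an indented command is shown under the
    top-level line it belongs to, e.g. 'interface Tunnel200 / shutdown'."""
    parent = None
    for e in entries:
        cmd = e["command"]
        if cmd.startswith(" "):
            yield e, f"{parent or '?'} / {cmd.strip()}"
        else:
            parent = cmd
            yield e, cmd

def changes_by_session(entries):
    """Group changes by session id.  Session 0 holds exec events such as
    '!exec: enable', which are not configuration commands."""
    sessions = {}
    for e, desc in with_parent(entries):
        sessions.setdefault(e["session"], []).append(desc)
    return sessions

def flag_sensitive(entries):
    """(idx, user, description) for every command matching SENSITIVE."""
    return [(e["idx"], e["user"], desc)
            for e, desc in with_parent(entries) if SENSITIVE.match(e["command"])]
```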

Saturday, July 2, 2011

Top Ten Cisco IOS Commands - 6) "netstat"

These are your Cisco "netstat" commands. Basic protocol, IP, and port info can be seen with this IOS command on your switch...

Switch1# sh ip sockets
Proto  Remote        Port   Local          Port   In  Out  Stat   TTY  OutputIF
 17    --listen--           10.65.128.14   10000   0    0    11     0
 17    --listen--           10.65.128.14    1975   0    0    11     0
 17    0.0.0.0          0   10.65.128.14    2228   0    0   211     0
 17    0.0.0.0          0   10.65.128.14      67   0    0  2211     0
 17    10.60.18.66   2603   10.65.128.14     161   0    0  1001     0
 17    --listen--           10.65.128.14     162   0    0  1011     0
 17    --listen--           10.65.128.14   60839   0    0  1011     0
 17    --listen--           --any--          161   0    0 20001     0
 17    --listen--           --any--          162   0    0 20011     0
 17    --listen--           --any--        65150   0    0 20001     0
 17    --listen--           10.65.128.14     123   0    0     1     0
 17    10.40.9.64     162   10.65.128.14   49391   0    0     0     0

Here is the Cisco router equivalent...

R1# sh tcp brief
TCB       Local Address               Foreign Address             (state)
48C0AD3C  80.64.160.1.20969           sql.domain.local.445        TIMEWAIT
48BF3818  80.64.160.1.31238           domain.web.local.1433       TIMEWAIT
4AD39ED8  60.136.65.230.42744         60.136.65.19.179            ESTAB
4AB25F74  25-149-211-185-TX.39937     82.22.144.71.443            TIMEWAIT
4908FBA0  80.64.169.1.2000            80.11.169.86.444            ESTAB
4896967C  25-149-211-185-TX.58906     79.202.72.7.443             TIMEWAIT
4A7B74F4  25-149-211-185-TX.32817     www.hosting.domain.443      TIMEWAIT
4A4298F0  80.64.169.1.2000            80.64.169.137.32726         ESTAB
48C0C658  60.136.65.230.33956         43.220.116.71.443           TIMEWAIT
4AC486D0  80.64.169.1.2000            80.64.169.132.20257         ESTAB
4A7CA068  80.64.169.1.2000            80.64.169.16.16777          ESTAB
4A29B594  60.136.65.29.32424          domain.web.local.1120       TIMEWAIT
497F0088  80.64.160.1.23              80.60.18.66.2552            ESTAB

And lastly, the firewall equivalent...

ASA1#sh conn all
683 in use, 5678 most used
TCP OUTSIDE 82.66.52.251:1334 DMZ 93.39.11.88:443, idle 0:00:02, bytes 5797, flags UIOB
TCP OUTSIDE 40.62.183.137:7686 DMZ 93.39.11.88:443, idle 0:00:04, bytes 6596, flags UIOB
TCP OUTSIDE 64.58.31.86:65248 DMZ 93.39.11.88:443, idle 0:00:06, bytes 6951, flags UIOB
TCP OUTSIDE 70.248.216.190:60370 DMZ 93.39.11.88:443, idle 0:00:08, bytes 4121, flags UIOB
TCP OUTSIDE 62.25.17.1:2220 DMZ 93.39.11.66:443, idle 0:00:08, bytes 22512, flags UIOB
TCP OUTSIDE 64.126.13.254:27426 DMZ 93.39.11.88:443, idle 0:00:14, bytes 36091, flags UIOB
TCP OUTSIDE 66.124.99.125:1318 DMZ 93.39.11.88:443, idle 0:00:24, bytes 3944, flags UIOB
TCP OUTSIDE 70.157.5.177:50653 DMZ 93.39.11.88:443, idle 0:00:34, bytes 10785, flags UIOB
TCP OUTSIDE 99.189.255.7:60222 DMZ 93.39.11.88:443, idle 0:00:03, bytes 26135, flags UIOB
TCP OUTSIDE 99.189.255.7:60221 DMZ 93.39.11.88:443, idle 0:00:29, bytes 103690, flags UIOB
TCP OUTSIDE 99.189.255.7:60219 DMZ 93.39.11.88:443, idle 0:00:05, bytes 86075, flags UIOB
TCP OUTSIDE 173.22.186.97:51866 DMZ 93.39.11.88:443, idle 0:00:04, bytes 6565, flags UIOB
TCP OUTSIDE 173.22.186.97:51865 DMZ 93.39.11.88:443, idle 0:00:03, bytes 72144, flags UIOB

If you are looking for a specific IP address within any of the above commands, filter the results by adding 'pipe' and 'include' to the end of the command...

sh conn | i <ip address>
sh tcp brief | i <ip address>
sh ip sockets | i <ip address>

Friday, July 1, 2011

Top Ten Cisco IOS Commands - 7) sh arp

A brief intro to ARP:

In order for a node to communicate with another node on an Ethernet network, it must know two things: the IP address and the MAC address. ARP is the liaison between layer 2 (the MAC address) and layer 3 (the IP address). First, DNS is used to resolve the host name to an IP address. Then ARP takes over by sending a broadcast to all nodes on the local subnet (aka the broadcast domain) to resolve the IP to a MAC address.

ARP broadcasts only go as far as the local subnet before being replied to. Usually there are only two things that can happen here: 1) the destination node responds with its MAC address (through a switch), or 2) a router or other gateway device responds with its MAC address because it knows a route to the destination node on a different subnet (this is referred to as proxy ARP; it forwards the broadcast for you to the non-local subnet). Knowing these two possible results is an important concept to remember when looking up IP or MAC info on your Cisco routers and switches.

The requesting node doesn't care who responds as long as it gets a MAC address, so there are some obvious security concerns with this protocol.

If you run "sh arp" on a switch or a router, the results look about the same. You get info about devices that are communicating directly with interfaces on the device (i.e., IP, MAC, interface name, aging timer)...

Switch1# s arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.45             41   0025.13f7.0141  ARPA   Vlan333
Internet  192.168.0.43              -   0025.13f6.c041  ARPA   Vlan333
Internet  192.168.9.25             98   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.1             140   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.18.66             0   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.65              7   00e0.d812.77f1  ARPA   Vlan333


Router1# s arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.44.0.1               43   da30.9171.834a  ARPA   GigabitEthernet0/0
Internet  10.44.0.2               19   f4ac.c178.f442  ARPA   GigabitEthernet0/0
Internet  10.44.0.10             227   0026.77c2.6bc1  ARPA   GigabitEthernet0/0
Internet  10.44.0.44             156   001f.bd8b.3545  ARPA   GigabitEthernet0/0
Internet  10.44.0.66             266   001b.044c.1280  ARPA   GigabitEthernet0/0
Internet  10.44.0.13              64   0024.c4d5.4cf0  ARPA   GigabitEthernet0/0
Internet  10.44.0.12             157   001b.2acc.2b50  ARPA   GigabitEthernet0/0
Internet  10.44.0.18              86   001d.9d13.55c1  ARPA   GigabitEthernet0/0
Internet  10.44.0.130              -   001d.2abb.2a36  ARPA   GigabitEthernet0/0
Internet  266.243.123.25          5   001f.9e58.c0d3  ARPA    GigabitEthernet0/1
Internet  266.243.123.26          -   001b.2abb.3337  ARPA    GigabitEthernet0/1


Now that you know the IPs and MACs you just need the port numbers associated with them and you'll have a pretty decent port mapping of the switch. Try this...

Switch1# sh mac address-table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0200.0ccc.cccc    STATIC      CPU
 All    0200.0ccc.cccd    STATIC      CPU
 All    0162.c200.0000    STATIC      CPU
 All    0162.c200.0001    STATIC      CPU
 All    0162.c200.0002    STATIC      CPU
 All    0162.c200.0003    STATIC      CPU
 All    0162.c200.0004    STATIC      CPU
 All    0162.c200.0005    STATIC      CPU
 All    0162.c200.0006    STATIC      CPU
 All    0162.c200.0007    STATIC      CPU
 All    0162.c200.0008    STATIC      CPU
 All    0162.c200.0009    STATIC      CPU
 All    0162.c200.000a    STATIC      CPU
 All    0162.c200.000b    STATIC      CPU
 All    0162.c200.000c    STATIC      CPU
 All    0162.c200.000d    STATIC      CPU
 All    0162.c200.000e    STATIC      CPU
 All    0162.c200.000f    STATIC      CPU
 All    0162.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
   1    0025.8386.9034    DYNAMIC     Gi1/0/3
   1    0025.83f0.e52a    DYNAMIC     Gi3/0/4
 300    001b.2abb.2f90    DYNAMIC     Gi1/0/3
 300    001b.2abb.25c0    DYNAMIC     Gi1/0/3
 300    001b.d44c.9277    DYNAMIC     Gi1/0/3
 300    001e.bd8b.2145    DYNAMIC     Gi1/0/3
 300    0024.c4c5.4df0    DYNAMIC     Gi1/0/3
 300    0025.8206.9085    DYNAMIC     Gi1/0/3
 300    0025.83c2.5ac1    DYNAMIC     Gi1/0/3
 300    ec30.9171.8322    DYNAMIC     Gi1/0/3
 333    001b.d44c.1180    DYNAMIC     Gi1/0/3
 333    0025.5586.9485    DYNAMIC     Gi1/0/3
 333    0015.83c2.6dc4    DYNAMIC     Gi1/0/3
 333    0fe0.d810.ba7f    DYNAMIC     Gi1/0/3
 333    0fe0.d812.83d1    DYNAMIC     Gi1/0/3
 333    0fe0.d812.644f    STATIC      Fa1/0/47


Looking at MAC addresses associated with IP addresses can be confusing at first. For example, you may be wondering why there are so many MAC addresses assigned to one port, Gi1/0/3 above. This port happens to be a trunk port which carries all inter-VLAN traffic, so some of these are other switches, routers, etc.

When looking at your device's ARP cache, you'll sometimes see multiple IP addresses with the same MAC entry. This is because of the proxy ARP mentioned above: the MAC you see is your gateway device. Run an "arp -a" command on your Windows PC and you'll only see your gateway device's MAC for anything you ping outside your local subnet.
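As an added example (not from the original post), here is a Python script that joins "sh arp" (IP to MAC) with "sh mac address-table" (MAC to port) to build the port mapping described above, and lists MACs that answer for several IPs, which is what a proxy-ARP gateway looks like in the cache. The two tables are constructed in the format of the outputs above, with made-up addresses chosen so that they overlap.

```python
import re
from collections import defaultdict

# Constructed samples in the format of "sh arp" and "sh mac address-table" above.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.45             41   0025.13f7.0141  ARPA   Vlan333
Internet  192.168.0.43              -   0025.13f6.c041  ARPA   Vlan333
Internet  192.168.9.25             98   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.1             140   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.18.66             0   0025.77c2.6dc1  ARPA   Vlan333
Internet  192.168.0.65              7   00e0.d812.77f1  ARPA   Vlan333
"""

SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 333    0025.13f7.0141    DYNAMIC     Gi1/0/7
 333    0025.77c2.6dc1    DYNAMIC     Gi1/0/3
 333    0025.13f6.c041    STATIC      CPU
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+\S+\s+(\S+)")
MAC_RE = re.compile(r"^\s*(\S+)\s+" + MAC + r"\s+(STATIC|DYNAMIC)\s+(\S+)")

def parse_arp(text):
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            # "-" in the Age column marks the device's own interface address
            rows.append({"ip": ip, "age": None if age == "-" else int(age),
                         "mac": mac, "interface": iface})
    return rows

def parse_mac_table(text):
    ports = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            ports[mac] = {"vlan": vlan, "type": kind, "port": port}
    return ports

def port_map(arp_rows, mac_ports):
    """IP -> switch port, by joining ARP (IP->MAC) with the MAC table (MAC->port).
    IPs whose MAC is not in the table map to None (aged out or on another switch)."""
    return {r["ip"]: mac_ports.get(r["mac"], {}).get("port") for r in arp_rows}

def shared_macs(arp_rows, min_ips=2):
    """MACs that answer for several IPs.  A gateway doing proxy ARP looks like
    this legitimately; an unexpected host doing it deserves a closer look."""
    by_mac = defaultdict(list)
    for r in arp_rows:
        by_mac[r["mac"]].append(r["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= min_ips}
```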

Additional notes:


Arp cache timeout defaults vary by vendor. Windows is sometimes 10 minutes, while Cisco devices are often 4 hours!

Most newer switches today have layer 3 (routing) capability, so, they may be the gateway device and perform the inter-vlan routing that used to require a router.

Also, sometimes you'll see "bia" in front of the MAC address on Cisco routers and switches; this means "burned-in address."