

CLI TRICKS & SHORTCUTS - CISCO JEDI CLI
http://etherealmind.com/series/cisco-ios-cli-tricks-tips/
The pipe between patterns inside an 'include' filter is a regex OR, so one filter matches several things:

show interface | include is up|BW|load

For example, this one shows every section whose header matches any of the three patterns:

sh run | s policy|class|access

This one is useful to find out which object-group the IP 199.242.6.15 belongs to (it prints every object-group header plus the lines containing the IP, so the header just above a hit is the group):

sh run | inc object-group | 199.242.6.15

Create vlans (old style, VLAN database mode, e.g. for GNS3):

Switch# vlan database
Switch(vlan)# vlan vlan_ID
Switch(vlan)# vlan vlan_ID state active
Switch# show vlan

Truly replace the running configuration with the startup configuration, just as if you had rebooted the router (the command takes the target configuration file as argument):

configure replace nvram:startup-config


To show all implicit commands in the configuration:

show run all


To make dangerous changes, schedule a reload first and cancel it once you have confirmed you still have access:

reload in 5      ! reboot in 5 minutes unless cancelled
reload cancel    ! cancel the pending reload


To control vty logging:

terminal monitor       ! send log messages to the current vty session
terminal no monitor    ! stop it

COPY FILES FROM AND TO A NIX BOX

(IOS)#copy scp://sfuller@192.168.11.100//app/tftpboot/poap.py flash:
(IOS)#cd ?                   ! To show available file systems
(IOS)#delete flash:<file>    ! To delete a file in flash
CP02-N5K-SW01# copy scp://10.50.254.204/var/tmp/n5000-uk9.7.0.3.N1.1.bin bootflash:


(linux)# scp test1 netrobot@10.8.90.21:flash:/test    ! be sure the router is running an SCP server (ip scp server enable)!!

To see contents of a file in IOS:

 #more flash:Myconfig.txt


So from Linux to Cisco the syntax is simplified: user and password go together and there is no colon before the file location.

Serve files over HTTP from a router. Lab note: configure R1 as an HTTP server, and set R8 to transfer the IOS image from R1, oversubscribing the shaped Ethernet sub-interface. Then, generate a flow of ICMP packets from R6 to R5, simulating the SCAVENGER class traffic.

username admin privilege 15 password cisco
ip http authentication local
ip http server
ip http path bootflash:

TERMINAL SERVER:
Access a line:

telnet <lo> <specific.port>    ! port defined in the corresponding 'ip host' entry

Clear a busy line:

show line
clear line <n>

SOFTWARE UPGRADES:
ASA: http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/
ASA: Apply licence:

UK02-ASAVPN01(config)# activation-key b92afe7f 844fcec7 80a19dfc 8a240424 8d101598


FORCE FAILOVER:

failover active       ! Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
no failover active    ! Forces a failover when entered on the active unit

To show just the ipsec config:

show run brief | s crypto|isakmp|access-list



AAA RADIUS TACACS+
To verify AAA authentication against a configured server (ASA):

# test aaa-server authentication MKTX_TACACS username jsantos password 55336802 
Server IP Address or name: 10.50.254.200
INFO: Attempting Authentication test to IP address <10.50.254.200> (timeout: 17 seconds)
INFO: Authentication Successful


BASIC AAA CONFIGURATION ON IOS

aaa authentication <process> [default|<NAME>] <list of methods>
  • Local method. Uses the local user database and its passwords. You populate the database with the username command.
  • Line method. Uses the password configured on the line used to access the router. This includes VTY lines as well.
  • Enable method. Uses the globally configured enable passwords associated with their privilege levels.
  • Group TACACS+ or RADIUS method. Uses the remote AAA server group configured globally on the router.
  • None method. Does not attempt to validate the user's identity, just allows access.

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/

  • Create a backup (local) user account
  • Enable AAA
  • Configure the TACACS+ servers
  • Define the AAA method lists:
aaa authentication login             ! user login authentication
aaa authentication enable            ! access to the privileged command level
aaa authentication http console      ! ASA: AAA for ASDM
aaa authentication ssh console       ! ASA: AAA for SSH
aaa authentication enable console    ! ASA: AAA for enable
aaa authentication serial console    ! ASA: AAA for the console port
aaa authentication match             ! ASA: AAA for matched traffic (cut-through proxy)

And separately, authorization:

aaa authorization exec VTY group tacacs+ if-authenticated    ! exec authorization determines whether the user is allowed to start an exec shell and which privilege level / commands it gets
  • Enforce AAA authentication on the terminal lines (login authentication <NAME> under the vty lines)

CISCO USER MODES

  1. User EXEC mode ! privilege level 1 ( > ). Like a plain 'user mode'
  2. Privileged EXEC mode ! privilege level 15 ( # )
show privilege                                               ! current level
router(config)# username test password test privilege 3      ! user with an intermediate level

SNMP
On the client (if *nix) we can verify a community string or a set of v3 credentials with:

snmpwalk -v 2c -c {SNMPCOMMUNITY} 10.50.4.250
snmpwalk -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50

On the router/firewall, we can see the configured snmp values with:

more system://running-config | in snmp

----


IOS NAMING CONVENTION
For the IOS version: Train (SETM), Throttle (features), Build (fixes):
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-release-1513t/200095-Understanding-Cisco-IOS-Naming-Conventio.html

For the IOS file name (note the letters/phrases for the feature set and for run location/compression):

  • Platform. Diffe
  • Feature set (base, service, advanced, enterprise). k9 means encryption included.
  • Run location and compression. mz indicates 'compressed' (m = runs from RAM, z = zip-compressed)
  • Version


http://computernetworkingnotes.com/ccna-study-guide/cisco-ios-naming-convention-explained-with-examples.html
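An added example (not from this page or from Cisco) that splits an IOS image file name into the fields listed above, flags the k9 crypto feature set and rewrites the version into the 15.1(2)SY7 form that 'show version' prints. It assumes the common layout platform-featureset-runcompress[.SPA].version.bin; the sample name is the image copied in the 6500 upgrade section below.

```python
import re

# Layout assumed for classic IOS image names:
# <platform>-<feature_set>-<run><compression>[.SPA|.SSA].<version>.bin
IOS_IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-"                   # s2t54, c3750, ...
    r"(?P<feature_set>[a-z0-9]+)-"                 # advipservicesk9, ipbasek9, ...
    r"(?P<run>[a-z]{2})"                           # run location + compression, e.g. mz
    r"(?:\.(?P<signed>SPA|SSA))?"                  # digitally signed image tag, if present
    r"\.(?P<version>[0-9]+-[0-9]+\.[A-Za-z0-9]+)"  # 151-2.SY7
    r"\.bin$"
)


def format_version(v):
    """'151-2.SY7' -> '15.1(2)SY7': major.minor(release)train+rebuild."""
    base, rest = v.split("-", 1)           # base '151', rest '2.SY7'
    release, suffix = rest.split(".", 1)   # release '2', suffix 'SY7'
    train, rebuild = re.match(r"([A-Z]+)([0-9]*)", suffix).groups()
    return f"{base[:-1]}.{base[-1]}({release}){train}{rebuild}"


def parse_ios_image(name):
    """Return the naming-convention fields of an IOS image file name."""
    m = IOS_IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised IOS image name: {name}")
    f = m.groupdict()
    f["crypto"] = "k9" in f["feature_set"]    # k9 = strong-crypto feature set (SSH, IPsec)
    f["runs_from_ram"] = f["run"][0] == "m"   # m = image executes from RAM
    f["compressed"] = f["run"][1] == "z"      # z = zip-compressed image
    f["signed"] = f["signed"] is not None     # .SPA = digitally signed production image
    f["version"] = format_version(f["version"])
    return f


if __name__ == "__main__":
    print(parse_ios_image("s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin"))
```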


SHOW CONFIGURATION WITHOUT BREAKS - NO STOP SCROLL

terminal length 0 # For IOS
pager 0 # for ASA

----

MULTI-USE EXPLORING/TROUBLESHOOTING
Approach 1:

Go to the edge device. I know the flow belongs to the mpls vrf and also the source of my flow, 10.30.143.71, therefore:

DC03-DMZR01#sh ip route vrf mpls-dmz01 10.30.143.71
Routing entry for 10.30.0.0/16
  Known via "bgp 65103", distance 200, metric 0, type internal
  Last update from 10.255.30.100 7w0d ago
  Routing Descriptor Blocks:
  * 10.255.30.100, from 10.255.30.100, 7w0d ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
      MPLS Flags: NSF

Then resolve the BGP next hop to an outgoing interface:

DC03-DMZR01#sh ip cef vrf mpls-dmz01 10.255.30.100
10.255.30.100/32
  nexthop 10.30.165.8 Vlan165


DC03-DMZR01#sh run int Vlan165
Building configuration...

Current configuration : 462 bytes
!
interface Vlan165
 description MPLS-FWALL-OUT interface  <<<<<
 vrf forwarding mpls-dmz01
 mac-address c000.0165.0011
 mtu 8500
 ip address 10.30.165.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip pim dr-priority 5
 ip pim sparse-mode
 ip igmp version 3
 glbp 165 ip 10.30.165.1
 glbp 165 priority 105
 glbp 165 preempt
 no glbp 165 load-balancing
 glbp 165 name MPLS-FWALL-OUT-GLBP
 mls netflow sampling
 no mop enabled
end

!! We can check not only the description but also use cdp. Or:
! show mac address-table
! sh arp vrf <name>
! And follow the prefix hop by hop until the destination
! If the device is behind a transparent firewall, the same mac address shows up in two different vlans (1st column)


Approach 2:

dc04-nx7k01-mktx-dr01# sh ip arp vrf all | inc 10.40.70.125
dc04-nx7k01-mktx-dr01# sh run int Vlan70                     ! To see the description
dc04-nx7k01-mktx-dr01# sh ip route vrf sysmgmt 10.8.70.125   ! To see the next hop. NOTE: the DESTINATION!!
dc04-nx7k01-mktx-dr01# sh ip bgp vrf sysmgmt                 ! To see the next hop

Now I know this is in the dmz, so I go to:

DC04-DMZR01#sh ip route vrf main-dmz01 10.8.70.125
DC04-DMZR01#sh ip arp vrf main-dmz01 10.40.185.8
DC04-DMZR01#sh mac-address-table | inc 001c.7f34.d54    ! This tells me the physical port I'm going out from

BUILDING SERVICE POLICIES

1. Define the ACLs that select the traffic

ciscoasa(config)# access-list icmp_inspect extended permit icmp 10.1.1.0 255.255.255.0 host 1.1.1.1 log
ciscoasa(config)# access-list ratelimit_inside extended permit ip 10.1.1.0 255.255.255.0 any log

Now define the Layer 3-4 class maps by referencing the above ACLs in them.

ciscoasa(config)# class-map ratelimit_class
ciscoasa(config-cmap)# match access-list ratelimit_inside
ciscoasa(config-cmap)# class-map icmp_class
ciscoasa(config-cmap)# match access-list icmp_inspect

2. Define a Layer 3-4 policy-map (one policy-map, one class per traffic type)

ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class icmp_class
ciscoasa(config-pmap-c)# inspect icmp

ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class ratelimit_class
ciscoasa(config-pmap-c)# police input 41943000 4194304      ! conform rate (bps) and burst size (bytes)
ciscoasa(config-pmap-c)# police output 41943000 4194304


3. Apply the policy-map to the appropriate interfaces

ciscoasa(config)# service-policy company_policy interface inside

CISCO 6500-E to 6807-XL
Status of each of the chassis (useful in VSS):

sh module switch 1/2

To show basic VSS information:

#show switch virtual

To identify the role/priority of the two switches:

#show switch virtual role

To find more information about the VSS status:

#show switch virtual redundancy

http://www.ciscozine.com/cisco-vss-configuration/

Integrated Service Modules

  • ACE: Application Control Engine (Load Balancer)
  • NAM: Network Analysis Module
  • ASASM: ASA FW


VSS
A useful analogy is: Catalyst VSS is like juniper VC. VSS operates on a unified control plane with a distributed forwarding architecture in which the active supervisor (or switch) is responsible for actively participating with the rest of the network and for managing and maintaining control plane information.
http://networkphil.com/2016/01/18/short-and-sweet-cisco-vss/?utm_content=bufferd7644&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117564-technote-issu-00.html

LOG INTO CARDS/SLOTS (we use this for the ASA)

session slot 9 processor 1

CONTEXTS (we use this for the ASA)
To enable multiple context mode, enter the following command:

hostname(config)# mode multiple

To change to a context, enter the following command (changeto..):

hostname# changeto context name

From the system execution space, view all contexts by entering the following command:

hostname# show context [name | detail | count]

We can create a context and assign resources (e.g. interfaces) like this:

context qad-transfwall
  allocate-interface Port-channel10.2142-Port-channel10.2545
  allocate-ips vsDIST
  config-url disk0:/qad-new.cfg


EtherChannels: deterministic hash-based channel load-balancing
Load sharing is always per flow (not per packet); the hash is computed over L2, L3 and/or L4 addresses.


vrf/mpls - MP-BGP by RD. Show only the vpn routes for this rd:

show bgp vpnv4 unicast rd 10:10

Show the MP-BGP routes advertised to a neighbour (use received-routes for the inbound direction). We can further limit this with the vrf where we consider they should end up:

sh bgp vpnv4 neighbors 5.5.5.5 advertised-routes

Similar:

sh bgp vpnv4 unicast vrf ONE

UPGRADING THE 6500
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117564-technote-issu-00.html

  • Copy from the device to a linux server:
UK02-CR01#copy bootdisk:s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin scp:
Address or name of remote host []? 10.8.100.204
Destination username [jsantos]?
Destination filename [s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin]?
Writing s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin
Password:
! Sink: C0644 118655448 s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin
!!!!!!!!!!!

TROUBLESHOOTING
Layer 2 table:

show mac address-table

IPv4 forwarding status:

show platform hardware capacity forwarding
show platform hardware cef [IP]

Netflow status:

show platform hardware capacity netflow


CEF:

show cef state
show ip cef summary
show ip cef detail
show ip cef <ip>             ! To see the interface for a route
show ip cef <interface>      ! To see routes pointing to a certain interface
show ip cef exact-route <src> <dst>

http://packetlife.net/blog/2011/may/27/show-ip-cef/

  • receive: for connected IP subnets for the base address of the IP subnet and for the local IP address in the IP subnet.
  • attached
  • drop
  • just-the-ip


CAPTURE PACKETS (PCAPS)

monitor capture 1 interface eth1 both
monitor capture 1 match any
monitor capture 1 start
show monitor capture 1 buffer
monitor capture 1 stop
monitor capture 1 export tftp://<server>/<file>.pcap



BGP

show ip bgp <prefix>  !! EXPLAINED

x.x.x.x from y.y.y.y (z.z.z.z)

  • x: NEXT HOP. Inserted as next hop into the IP routing table; sent in the BGP update "next hop" field
  • y: the peer's source address, i.e. the neighbour the update was received from (the address given in the local neighbor ... remote-as statement)
  • z: RID of that neighbour, learned through the BGP session setup (OPEN) messages.

note: With eBGP, x and y are usually identical and IP no.


TERMINAL SERVER: Disconnect session:

Ctrl-Shift-6 then x

JUNIPER JUNOS JEDI

Copy files between linecards:

file copy fpc2:/var/tmp/xxx.0.tgz fpc0:/var/tmp/xxx.0.tgz # to copy files between members

Connect to a different linecard:

request session <fpc-number> 

CLI TRICKS & SHORTCUTS - JUNIPER JEDI CLI
CONFIGURATION MANAGEMENT:
To check previous commits. The current and past (50) configs are in /config/juniper.conf.x

> show system commit
0   2017-07-22 12:15:05 UTC by jaime_santos via cli commit synchronize

show system rollback 2 compare 0    # to compare rollback 2 with the current config
rollback 2                          # to load the state in rollback 2 (config mode; still needs a commit)
show | compare rollback 3           # to see the diff against a previous state (from config mode)


Config files location: current config in /config, past configs in /config and /var/db/config.
Apply configurations (see the Junos documentation for examples):

[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update) filename
# load patch terminal
# load merge relative terminal    # loads in the same hierarchical form we see in the config
# load merge ftp://username:password@172.30.36.59/switch_juniper.conf.gz_20080304_141543    # loads it from a file; note it requires to be zipped!

To make dangerous changes:

commit confirmed {minutes}    # rolls back automatically unless confirmed within the given minutes
commit                        # confirms, cancelling the automatic rollback

LINUX JEDI

for host in cc0{1..8}; do echo $host $(ssh $host '(ip r get 8.8.8.8; curl -s ipecho.net/plain)'); done

This is to check whether a route is installed: if yes, do nothing; if not, install it. This can be set as a one-liner in the cron file:

(ip route show | grep -q '100.100.100.100 dev eno1') || ip route add 100.100.100.100 dev eno1      # grep -q means 'quiet'

This one-liner goes through all servers and modifies the mtu (note the use of 'seq' to generate a sequence; the --format option gives the zero-padded host names):

for host in $(seq --format='cc%02.0f' 01 17); do ssh $host "/sbin/ip link show|egrep '(em|eth|bond)[0-9]:' | cut -d: -f 2"| xargs -n 1 ssh $host ip link set mtu 9000 dev ; done

TEMPLATE

for host in $(seq --format='sw-e%02.0f' 12 20); do sshh jaime_santos@"$host".dc.grapeshot.co.uk "sh config | match 401"; done

To send a bunch of commands (e.g.: edit, configuration and commit, contained in a file called 'commands'):

for host in $(seq --format='sw-e%02.0f' 12 20); do cat commands | sshh jaime_santos@"$host".dc.grapeshot.co.uk ; done


PIPE NOT AVAILABLE (keyboard without the | key)
Keep the symbol in a file and substitute it with command expansion:

echo $(echo "sdh") $(cat /pipe)


Extract current IPs in the dns server (note the \$ escapes: the $4 / $1 fields must reach awk on the remote host, not be expanded by the local shell):

ssh root@marrow "egrep '10.8.8' /var/named/db.dc.grapeshot.co.uk | awk '{print \$4}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq"
ssh root@marrow "egrep '10.8.8' /var/named/db.dc.grapeshot.co.uk | awk '{print \$1}' | egrep -v ';' | egrep -v '\\$' | egrep -v mgt | sed -e 's/\$/.dc.grapeshot.co.uk/'"


ping jumbo from linux:

ping -M do -s 8972 [destinationIP]

BGP COMMUNITY:

1.- Set the community (node a)

ip bgp-community new-format
route-map set_community 10 permit
 match ip address prefix-list LOOPBACK
 set community 109
route-map set_community 20 permit
neighbor 5.5.5.5 send-community
neighbor 5.5.5.5 route-map set_community out    ! apply the route-map defined above

2.- Match on the other side (node b):

ip community-list expanded AS100 permit 100:[0-9]+    ! any community coming from asn100
route-map set_weight permit 10
 match community AS100
 set local-preference 120
route-map set_weight permit 20
neighbor 151.100.1.1 send-community
neighbor 151.100.1.1 route-map set_weight out    ! 'out' is correct, basically the AS100 community is learnt via any (other neighbor)

3.- TO REMOVE/DELETE PART OF A COMMUNITY LIST

ip community-list expanded AS200 permit 200:[0-9]+_
route-map RESET_COMMUNITY permit 10
 match as-path 1
 set comm-list AS200 delete
neighbor 192.168.1.1 route-map RESET_COMMUNITY in

4.- To show the community

ISP1#show ip bgp 10.10.10.10
BGP routing table entry for 10.10.10.10/32, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
        1    2
  10
    192.168.10.10 from 192.168.10.10 (10.10.10.10)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 4258791424  ! <<< old (decimal) format; 'ip bgp-community new-format' shows it as ASN:value
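An added example (not from this page or from Cisco) that decodes the 'x from y (z)' line and the community list out of 'show ip bgp' output, converts old-format decimal communities such as 4258791424 to ASN:value, and mimics the 'set comm-list ... delete' step from point 3 with an IOS-style expanded regex. The sample output is constructed; the IOS regex translation and per-community deletion are this example's own simplified interpretation.

```python
import re

def community_to_new_format(value):
    """32-bit decimal community -> 'ASN:value' (what 'ip bgp-community new-format' prints)."""
    return f"{value >> 16}:{value & 0xFFFF}"

def community_from_new_format(text):
    asn, val = (int(p) for p in text.split(":"))
    return (asn << 16) | val

# 'x from y (z)': x = next hop, y = neighbour that sent the update, z = its router ID.
PATH_RE = re.compile(r"^\s*(?P<next_hop>\S+) from (?P<peer>\S+) \((?P<rid>[^)]+)\)")
COMM_RE = re.compile(r"^\s*Community: (?P<comms>.+)$")

def parse_show_ip_bgp(text):
    """Return one dict per path with next hop, peer, router ID and normalised communities."""
    paths = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths.append({**m.groupdict(), "communities": []})
            continue
        m = COMM_RE.match(line)
        if m and paths:
            for c in m.group("comms").split():
                # old-format decimal communities are normalised to ASN:value
                paths[-1]["communities"].append(
                    community_to_new_format(int(c)) if c.isdigit() else c)
    return paths

def ios_regex(pattern):
    """IOS regex '_' means a delimiter: start/end of string, space, comma or brace."""
    return re.compile(pattern.replace("_", r"(?:^|$|[\s,{}])"))

def comm_list_delete(communities, pattern):
    """Mimic 'set comm-list <expanded-list> delete': drop each community the regex matches."""
    rx = ios_regex(pattern)
    return [c for c in communities if not rx.search(c)]

# Constructed sample: decimal communities 64984:0, 200:100 and 200:7 in old format.
SAMPLE = "\n".join([
    "    192.168.10.10 from 192.168.10.10 (10.10.10.10)",
    "      Origin IGP, metric 0, localpref 100, valid, external, best",
    "      Community: 4258791424 13107300 13107207",
])

if __name__ == "__main__":
    path = parse_show_ip_bgp(SAMPLE)[0]
    print(path, comm_list_delete(path["communities"], "200:[0-9]+_"))
```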

SERVICE INSERTION: WCCP: Web Cache Communication Protocol (transparent web cache; old school, but the best-established standard for service insertion)