network_stuff:cisco:ios

CLI TRICKS & SHORTCUTS - CISCO JEDI CLI
http://etherealmind.com/series/cisco-ios-cli-tricks-tips/ The pipe inside the filter regex acts as an OR:

show interface | include is up|BW|load

For example, this one shows all three sections:

sh run | s policy|class|access

This one is useful to find which object group the IP 199.242.6.15 belongs to (it lists every object-group header and every line containing the IP, so read the output top down):

sh run | inc object-group | 199.242.6.15

Create VLANs (old style, e.g. for GNS3):

Switch# vlan database
Switch(vlan)# vlan vlan_ID 
Switch(vlan)# vlan vlan_ID state active
Switch# show vlan

Truly replace the running configuration with the startup configuration, just as if you had rebooted the router:

configure replace nvram:startup-config


To show all implicit commands in the configuration:

show run all


To make dangerous changes (schedule a reload as a safety net and cancel it once the change is verified):

reload in 5
reload cancel


To control vty logging:

terminal monitor      ! send log messages to this vty session
terminal no monitor   ! stop it

IOS NEW HARDWARE SETUP INITIAL CONFIGURATION

  1. If this is a used device, remove the configuration and the VLAN database
    1. write erase ; reload without saving the configuration
    2. delete flash:vlan.dat ! note that the default location is flash:
    3. reload again
  2. Add an IP to the mgmt interface, normally g0/0
    1. Add a static route for the mgmt interface. It needs to be in the mgmt VRF
  3. Enable SSH:
    1. crypto key generate rsa modulus 1024
    2. ip ssh version 2 ; ip ssh time-out 60 ; ip ssh authentication-retries 2
    3. Do not add any AAA configuration yet
    4. Add the device to the TACACS server (e.g. to Cisco ISE via the GUI)

COPY FILES FROM AND TO A LINUX BOX
scp needs to be enabled in the switch. In some cases the following AAA configuration also needs to be in place for authentication.
Regarding TFTP, remember that it uses UDP 69 only for the initial request; the transfer then uses ports 64001 through 65000, which are specific to each session (both src and dst).

aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated


(IOS)# copy scp://sfuller@192.168.11.100//app/tftpboot/poap.py flash:
(IOS)# cd ?                  ! To show available file systems
(IOS)# delete flash:<file>   ! To delete a file in flash
(NX-OS)# copy scp://10.50.254.204/var/tmp/n5000-uk9.7.0.3.N1.1.bin bootflash:   ! on a Nexus the file system is bootflash:


(linux)$ scp test1 netrobot@10.8.90.21:flash:/test   ! the router must be an scp server (ip scp server enable)

To see contents of a file in IOS:

 #more flash:Myconfig.txt


From Linux to Cisco the syntax is simplified: user and password go together in front of the host, and there is no colon before the file location.

Configure R1 as an HTTP server (from a lab task: R8 then transfers the IOS image from R1, oversubscribing the shaped Ethernet sub-interface, while a flow of ICMP packets from R6 to R5 simulates SCAVENGER-class traffic):

username admin privilege 15 password cisco
ip http authentication local
ip http server
ip http path bootflash:

TERMINAL SERVER:
Access a line:

telnet <loopback-ip> <port>   ! port as defined in the corresponding 'ip host' entry

Clear a busy line:

show line
clear line <n>
control-shift-6 then x   ! escapes back to the terminal server prompt (suspends the session); use 'clear line' to really disconnect it

SOFTWARE UPGRADES:
ASA UPGRADES: http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/
ASA: apply licence:

UK02-ASAVPN01(config)# activation-key b92afe7f 844fcec7 80a19dfc 8a240424 8d101598


FORCE FAILOVER:

failover active      ! Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
no failover active   ! Forces a failover when entered on the active unit

To show just the IPsec config:

show run brief | s crypto|isakmp|access-list


IOS (IOS-XE) UPGRADE:

Old way: upload the image and change the boot command

boot system switch all flash:c3750-ipbasek9-mz-122-55.SE1.bin

New way:

software install file flash:cat3k_caa-universalk9.SPA.03.03.01.SE.150-1.EZ1.bin

AAA RADIUS TACACS+
To verify AAA authentication:

# test aaa-server authentication MKTX_TACACS username jsantos password 55336802 
Server IP Address or name: 10.50.254.200
INFO: Attempting Authentication test to IP address <10.50.254.200> (timeout: 17 seconds)
INFO: Authentication Successful


BASIC AAA CONFIGURATION ON IOS

aaa authentication <process> [default|<NAME>] <List of Methods>
  • Local method. Uses the local user database with their passwords. You populate the database by using the username command.
  • Line method. Uses the password configured on the line used to access the router. This includes VTY lines as well.
  • Enable method. Uses the globally configured list of enable passwords associated with their levels.
  • Group TACACS+ or RADIUS method. Uses the remote AAA servers group configured globally in the router.
  • None method. Does not attempt to validate the user's identity; just allows access.

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/

  • Create a backup user account
  • Enable AAA
  • Configure the TACACS+ servers
  • Define the AAA method lists:
aaa authentication login           ! IOS: user login authentication
aaa authentication enable          ! IOS: access to the privileged command level
aaa authentication http console    ! ASA: ASDM access
aaa authentication ssh console     ! ASA
aaa authentication serial console  ! ASA
aaa authentication match           ! ASA: cut-through proxy, matches an ACL

And separately, authorization:

aaa authorization exec VTY group tacacs+ if-authenticated   ! exec authorization determines whether the user may start an exec shell; command authorization controls how many/which commands they may run
  • Enforce AAA authentication on the terminal lines

CISCO USER MODES

  1. User EXEC mode: privilege level 1, prompt '>'. Plain 'user mode'
  2. Privileged EXEC mode: privilege level 15, prompt '#'
show privilege
router(config)# username test password test privilege 3

SNMP. On the client (if *nix) we can verify the validity of a community string with:

snmpwalk -v 2c -c {SNMPCOMMUNITY} 10.50.4.250
snmpwalk -v3  -l authPriv -u snmp-poller -a SHA -A "PASSWORD1"  -x AES -X "PASSWORD1" 10.10.60.50

On the router/firewall, we can see the snmp value with:

more system://running-config | in snmp

----


IOS NAMING CONVENTION
For the IOS version: Train (SETM), Throttle (features), Build (fixes):
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-release-1513t/200095-Understanding-Cisco-IOS-Naming-Conventio.html

For the IOS file name, note the letters/phrase for the feature set and the run location/compression:

  • Platform
  • Feature set (base, service, advanced, enterprise). k9 means encryption is included.
  • Run location and compression. mz indicates 'compressed'
  • Version


http://computernetworkingnotes.com/ccna-study-guide/cisco-ios-naming-convention-explained-with-examples.html


SHOW CONFIGURATION WITHOUT BREAKS - NO STOP SCROLL

terminal length 0 # For IOS
pager 0 # for ASA

----

MULTI-USE EXPLORING/TROUBLESHOOTING
Approach 1:

Go to the edge device. I know the flow belongs to MPLS and also the source of my flow, 10.30.143.71, therefore:

DC03-DMZR01#sh ip route vrf mpls-dmz01 10.30.143.71
Routing entry for 10.30.0.0/16
  Known via "bgp 65103", distance 200, metric 0, type internal
  Last update from 10.255.30.100 7w0d ago
  Routing Descriptor Blocks:
  * 10.255.30.100, from 10.255.30.100, 7w0d ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
      MPLS Flags: NSF

DC03-DMZR01#sh ip cef vrf mpls-dmz01 10.255.30.100
10.255.30.100/32
  nexthop 10.30.165.8 Vlan165


DC03-DMZR01#sh run int Vlan165
Building configuration...

Current configuration : 462 bytes
!
interface Vlan165
 description MPLS-FWALL-OUT interface  <<<<<
 vrf forwarding mpls-dmz01
 mac-address c000.0165.0011
 mtu 8500
 ip address 10.30.165.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip pim dr-priority 5
 ip pim sparse-mode
 ip igmp version 3
 glbp 165 ip 10.30.165.1
 glbp 165 priority 105
 glbp 165 preempt
 no glbp 165 load-balancing
 glbp 165 name MPLS-FWALL-OUT-GLBP
 mls netflow sampling
 no mop enabled
end

! Besides checking the description we can also use CDP. Or:
! show mac address-table
! sh arp vrf <vrf>
! and follow the prefix until the destination.
! If the device is behind a transparent firewall, the same MAC address shows up in two different VLANs (first column).


Approach 2:

dc04-nx7k01-mktx-dr01# sh ip arp vrf all | inc 10.40.70.125
dc04-nx7k01-mktx-dr01# sh run int Vlan70   ! To see the description
dc04-nx7k01-mktx-dr01# sh ip route vrf sysmgmt 10.8.70.125 ! To see the next hop. NOTE: DESTINATION!!
dc04-nx7k01-mktx-dr01# sh ip bgp vrf sysmgmt   ! To see the next hop

Now I know this is in the dmz, so I go to :

DC04-DMZR01#sh ip route vrf main-dmz01  10.8.70.125 
DC04-DMZR01#sh ip arp vrf main-dmz01 10.40.185.8
DC04-DMZR01#sh mac-address-table | inc 001c.7f34.d54   ! This tells me the physical port I'm going out from
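Worked example (added here, not from the wiki page) that scripts the hop-by-hop tracing of both approaches above: it pulls the next hop out of `show ip route` output, resolves it through `show ip cef` to the egress interface, and flags a MAC learnt in two VLANs, which is the transparent-firewall signature noted above. ROUTE_SAMPLE and CEF_SAMPLE follow the DC03-DMZR01 output on this page; the MAC table and its 0011.2233.4455 address are constructed for the example.

```python
"""Trace a flow hop by hop from IOS 'show' output.

Added example, not from the wiki page. The sample outputs are constructed
(route and CEF samples follow the page's DC03-DMZR01 output; the MAC table
uses a made-up address).
"""
import re

ROUTE_SAMPLE = """\
Routing entry for 10.30.0.0/16
  Known via "bgp 65103", distance 200, metric 0, type internal
  Last update from 10.255.30.100 7w0d ago
  Routing Descriptor Blocks:
  * 10.255.30.100, from 10.255.30.100, 7w0d ago
      Route metric is 0, traffic share count is 1
      MPLS label: none
"""

CEF_SAMPLE = """\
10.255.30.100/32
  nexthop 10.30.165.8 Vlan165
"""

# Constructed 'show mac address-table' output: one MAC appears in two VLANs,
# the signature of a transparent firewall bridging them.
MAC_SAMPLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 165    0011.2233.4455    DYNAMIC     Gi1/1
 166    0011.2233.4455    DYNAMIC     Gi1/2
 165    c000.0165.0011    STATIC      CPU
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_route(text):
    """(prefix, protocol, [next hops]) from 'show ip route [vrf X] <ip>' output.
    A connected route has no descriptor block that starts with an address, so
    the next-hop list comes back empty."""
    prefix = re.search(r"Routing entry for (\S+)", text).group(1)
    proto = re.search(r'Known via "([^"]+)"', text).group(1)
    # Descriptor blocks: an optional '*' marks the active path, then the next hop.
    hops = re.findall(r"^\s*\*?\s*" + IPV4 + r",", text, re.M)
    return prefix, proto, hops


def parse_cef(text):
    """[(nexthop, interface), ...] from 'show ip cef <ip>' output."""
    return re.findall(r"^\s*nexthop\s+" + IPV4 + r"\s+(\S+)", text, re.M)


def trace(route_text, cef_text):
    """Resolve the route's next hop through CEF to the egress interface."""
    prefix, proto, hops = parse_route(route_text)
    egress = parse_cef(cef_text)
    return {
        "prefix": prefix,
        "protocol": proto,
        "next_hop": hops[0] if hops else None,
        "egress_next_hop": egress[0][0] if egress else None,
        "interface": egress[0][1] if egress else None,
    }


def macs_in_multiple_vlans(mac_table_text):
    """{mac: [vlans]} for every MAC learnt in more than one VLAN."""
    seen = {}
    row = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s", re.M)
    for vlan, mac in row.findall(mac_table_text):
        seen.setdefault(mac, set()).add(int(vlan))
    return {mac: sorted(v) for mac, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(trace(ROUTE_SAMPLE, CEF_SAMPLE))
    print(macs_in_multiple_vlans(MAC_SAMPLE))
```

Feed it the real output captured over SSH (one `show` per hop) and loop until `protocol` reads `connected`; at that point the `interface` is where the destination actually hangs.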

BUILDING SERVICE POLICIES

ciscoasa(config)# access-list icmp_inspect extended permit icmp 10.1.1.0 255.255.255.0 host 1.1.1.1 log
ciscoasa(config)# access-list ratelimit_inside extended permit ip 10.1.1.0 255.255.255.0 any log

1. Define the Layer 3-4 class maps by referencing the above ACLs:

ciscoasa(config)# class-map ratelimit_class
ciscoasa(config-cmap)# match access-list ratelimit_inside
ciscoasa(config-cmap)# class-map icmp_class
ciscoasa(config-cmap)# match access-list icmp_inspect

2. Define a Layer 3-4 policy-map

ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class icmp_class
ciscoasa(config-pmap-c)# inspect icmp


ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class ratelimit_class
ciscoasa(config-pmap-c)# police input 41943000 4194304
ciscoasa(config-pmap-c)# police output 41943000 4194304


3. Apply the policy-map to the appropriate interfaces

ciscoasa(config)# service-policy company_policy interface inside

CISCO 6500-E to 6807-XL
Status of each of the chassis (useful in vss)

sh module switch 1/2

To show basic VSS information:

#show switch virtual

To identify the role/priority of the two switches:

#show switch virtual role 

To find more information about the VSS status:

#show switch virtual redundancy

http://www.ciscozine.com/cisco-vss-configuration/

Integrated Service Modules

  • ACE: Application Control Engine (Load Balancer)
  • NAM: Network Analysis Module
  • ASASM: ASA FW


VSS
A useful analogy is: Catalyst VSS is like juniper VC. VSS operates on a unified control plane with a distributed forwarding architecture in which the active supervisor (or switch) is responsible for actively participating with the rest of the network and for managing and maintaining control plane information.


LOG INTO CARDS/SLOTS (we use this for the ASA)

session slot 9 processor 1

CONTEXTS (we use this for the ASA)
To enable multiple mode, enter the following command:

hostname(config)# mode multiple

To change to a context, enter the following command (changeto..)

hostname# changeto context name

From the system execution space, view all contexts by entering the following command:

hostname# show context [name | detail| count]

We can Create a context and assign resources (eg interfaces) like this:

context qad-transfwall 
  allocate-interface Port-channel10.2142-Port-channel10.2545
  allocate-ips vsDIST 
  config-url disk0:/qad-new.cfg


EtherChannels: deterministic hash-based channel load-balancing
Load sharing is always per flow (not per packet), hashed on L2, L3 and/or L4 addresses.


vrf/mpls - MP-BGP by RD. Show only the VPN routes for this RD:

show bgp vpnv4 unicast rd 10:10

Show all MP-BGP routes advertised to a neighbour. We can further limit this with the VRF where we expect them to end up:

sh bgp vpnv4 neighbors 5.5.5.5 advertised-routes

Similar:

sh bgp vpnv4 unicast vrf ONE

UPGRADING THE 6500
http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117564-technote-issu-00.html

  • Copy from device to linux server:
UK02-CR01#copy bootdisk:s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin scp:
Address or name of remote host []? 10.8.100.204
Destination username [jsantos]? 
Destination filename [s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin]? 
Writing s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin 
Password: 
! Sink: C0644 118655448 s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin
!!!!!!!!!!!

TROUBLESHOOTING Layer 2 table:

show mac address-table

IPv4 forwarding status:

show platform hardware capacity forwarding
show platform hardware cef [IP]

Netflow status:

show platform hardware capacity netflow
show mls sampling
show ip flow export                          # To see Netflow packets being exported from the router
show mls nde                                 # Netflow Data Export
show mls netflow table-contention summary    # To see if there is excessive Netflow CAM utilisation (and potential buffer overflows)


CEF:

show cef state
show ip cef summary
show ip cef detail
show ip cef <ip>           ! To see the interface for a route
show ip cef <interface>    ! To see routes pointing to a certain interface
show ip cef exact-route <src> <dst>
show ip cef 10.1.93.0/24 internal    ! Shows how packets are hashed when the route has more than one equal-cost path

http://packetlife.net/blog/2011/may/27/show-ip-cef/

  • receive: for connected IP subnets for the base address of the IP subnet and for the local IP address in the IP subnet.
  • attached
  • drop
  • just-the-ip


CAPTURE PACKETS PCAPS

monitor capture 1 interface eth1 both
monitor capture 1 match any
monitor capture 1 start 
show monitor capture 1 buffer
monitor capture 1 export tftp://<server>/<file>.pcap



BGP

show ip bgp <prefix>  !! EXPLAINED

x.x.x.x from y.y.y.y (z.z.z.z)

  • x: NEXT HOP. Inserted as next hop into the IP routing table; sent in the BGP update's "next hop" field
  • y: the peer the update was received from (the neighbor address configured with remote-as)
  • z: the peer's RID, learned through the BGP OPEN messages when the session is set up

Note: with eBGP, IPs 1 and 2 (x and y) are usually identical, and IP no.



JUNIPER JUNOS JEDI

Copy files between linecards:

file copy fpc2:/var/tmp/xxx.0.tgz fpc0:/var/tmp/xxx.0.tgz # to copy files between members

Connect to a different linecard:

request session <fpc-number> 

CLI TRICKS & SHORTCUTS - JUNIPER JEDI CLI
CONFIGURATION MANAGEMENT:
To check previous commits. The current and past (50) configs are kept in /config/juniper.conf.x

> show system commit
0   2017-07-22 12:15:05 UTC by jaime_santos via cli commit synchronize
show system rollback 2 compare 0   # compare rollback 2 with the current config (0)
rollback 2   # jump to the state in rollback 2
show | compare rollback 3   # see previous states (from the config mode)


Config file locations: the current config is in /config; past configs are in /config and /var/db/config
Apply configurations:

[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update) filename
# load patch terminal
# load merge relative terminal   # loads in the same hierarchical form we see it in the config
# load merge ftp://username:password@172.30.36.59/switch_juniper.conf.gz_20080304_141543   # loads from a file. Note it has to be gzipped!

To make dangerous changes:

commit confirmed {minutes}   # rolls back automatically unless confirmed within that time
commit   # confirms the change and cancels the automatic rollback

LINUX JEDI

for host in cc0{1..8}; do echo $host $(ssh $host '(ip r get 8.8.8.8; curl -s ipecho.net/plain)'); done

This is to check if a route is installed. If yes, do nothing, if not, install it. This can be set as a one liner in the cron file

(ip route show |grep -q '100.100.100.100 dev eno1') || ip route add 100.100.100.100 dev eno1      # grep -q means 'quiet'

This one-liner goes through all servers and modifies the MTU (note the use of 'seq' to generate the hostname sequence with a printf-style --format):

for host in $(seq --format='cc%02.0f' 01 17); do ssh $host "/sbin/ip link show|egrep '(em|eth|bond)[0-9]:' | cut -d: -f 2"| xargs -n 1 ssh $host ip link set mtu 9000 dev ; done

TEMPLATE

for host in $(seq --format='sw-e%02.0f' 12 20); do sshh jaime_santos@"$host".dc.mycompany1.co.uk "sh config | match 401"; done

To send a bunch of commands (e.g.: edit, configuration and commit, contained in a file called 'commands'):

for host in $(seq --format='sw-e%02.0f' 12 20); do cat commands | sshh jaime_santos@"$host".dc.mycompany1.co.uk ; done


PIPE NOT AVAILABLE
When the keyboard has no '|' key, keep the symbol in a file and substitute it via command substitution:

echo $(echo "sdh") $(cat /pipe)


Extract current IPs in the DNS server (note the escaped \$ so that awk's field reference reaches the remote shell instead of being expanded locally):

ssh root@marrow "grep 10.8.8 /var/named/db.dc.mycompany1.co.uk | awk '{print \$4}' | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq"
ssh root@marrow "grep 10.8.8 /var/named/db.dc.mycompany1.co.uk | awk '{print \$1}' | grep -v ';' | grep -vF '\$' | grep -v mgt | sed -e 's/$/.dc.mycompany1.co.uk/'"


ping jumbo from linux:

ping -M do -s 8972 [destinationIP]

BGP COMMUNITY:

1.- Set the community (node a)

ip bgp-community new-format
route-map set_community 10 permit
 match ip address prefix-list LOOPBACK
 set community 109
route-map set_community 20 permit
neighbor 5.5.5.5 send-community
neighbor 5.5.5.5 route-map set_community out

2.- Match on the other side (node b):

ip community-list expanded AS100 permit 100:[0-9]+   ! any community coming from asn100
route-map set_weight permit 10
 match community AS100
 set local-preference 120
route-map set_weight permit 20
neighbor 151.100.1.1 send-community
neighbor 151.100.1.1 route-map set_weight out   ! 'out' is correct, basically the AS100 community is learnt via any (other neighbor)

3.- TO REMOVE/DELETE PART OF A COMMUNITY LIST

ip community-list expanded AS200 permit 200:[0-9]+_
route-map RESET_COMMUNITY permit 10
 match as-path 1
 set comm-list AS200 delete
neighbor 192.168.1.1 route-map RESET_COMMUNITY in

4.- To show community

ISP1#show ip bgp 10.10.10.10
BGP routing table entry for 10.10.10.10/32, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
        1    2
  10
    192.168.10.10 from 192.168.10.10 (10.10.10.10)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 4258791424  ! <<<

SERVICE INSERTION: WCCP: Web Cache Communication Protocol (transparent web cache; old-school best standard for service insertion)


CABLE TESTING:

test cable-diagnostics tdr interface gigabitEthernet 1/0/1   ! it resets the state machine for that interface
show cable-diagnostics  tdr interface  gigabitEthernet 1/0/1