Friday, November 28, 2008

Lesser known IOS Commands

The latest edition of the newsletter from Configureterminal.com had a couple of commands in IOS which I was not aware of & I think might be useful in some scenarios.

The first one was about the macro capabilities of IOS. A macro basically gives a user-defined name to a group of commands (usually for the same privilege level), which can then be executed repeatedly by using only that macro name.

Below is what the newsletter says about the IOS macro capabilities:

------------------------------------------------------------------------------------------------------------------

What is Cisco's macro implementation?

The smartport macro feature was introduced in IOS version 12.1(20)EA1. Default templates are stored on your device; to view the commands stored in the macros, execute the following command:

show parser macro

Each macro is a set of CLI commands that are defined and "wrapped-up". When a macro is applied, the commands are simply dumped at that level. Global and interface-specific macros can be created, but we are going to focus on creating custom interface macros.

General guidelines:

Creating a macro is very similar to creating a banner: a character has to be used to identify the start and end of the macro - for example "@" is used by default.
Names are case sensitive. When a macro is applied, all existing configuration is maintained; if more than one macro is applied, a description is amended to record a basic history. Macros are stored in the running-configuration until saved to the startup-configuration. If a macro is amended, the changes aren't sent to interfaces which have the macro applied - the macro would need re-applying.

How to create a custom macro:

configure terminal
!=== Enter global configuration mode

macro name macro-name
!=== Create macro

"Enter macro commands one per line. End with the character '@'."
cli command 1
cli command 2
cli command 3
!=== Enter commands
@
!=== Finish macro

Apply macro:

configure terminal
interface FastEthernet0/1
!=== Enter interface configuration
macro apply macro-name
!=== Apply macro

Verify:

show running-config | be macro
!=== Shortcut to first instance of the string "macro"

macro name macro-name
cli command 1
cli command 2
cli command 3
@
!=== Verify macro exists in config
/FastEthernet0/1
!=== Shortcut to string "FastEthernet0/1"
cli command 1
cli command 2
cli command 3
!=== Verify commands exist on interface

Parameters:

Not all IOS commands are fixed; for example, in the command "switchport access vlan ?" the ? represents a value which can change depending on the individual switchport. Cisco included the ability to define a parameter in a macro which, when the macro is applied, can be used to specify what the variable is.

For example:

configure terminal
macro name changevlan
switchport access vlan $access
@
!=== Create macro

interface FastEthernet 0/1
macro apply changevlan $access 100
!=== Apply macro - variable = 100 - put interface in vlan 100


Handy custom macro templates:

If some of the commands below don't make any sense whatsoever don't panic, a layer 2 security ebook covering many of them is in the first stages of creation.

macro name data
switchport
switchport mode access
switchport access vlan $access
switchport port-security
switchport port-security maximum 1
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation protect
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
ip dhcp snooping limit rate 10
storm-control broadcast level 20.00
storm-control multicast level 50.00
storm-control unicast level 30.00
storm-control action trap
no cdp enable
no snmp trap link-status
@

macro name datavoice
switchport
switchport mode access
switchport access vlan $access
switchport voice vlan $voice
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation protect
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
ip dhcp snooping limit rate 10
storm-control broadcast level 20.00
storm-control multicast level 50.00
storm-control unicast level 30.00
storm-control action trap
cdp enable
no snmp trap link-status
@

macro name uplink
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan $native
switchport trunk allowed vlan all
switchport nonegotiate
auto qos voip trust
mls qos trust dscp
spanning-tree link-type point-to-point
ip arp inspection trust
ip dhcp snooping trust
ip dhcp snooping limit rate 100
ip dhcp relay information trusted
flowcontrol receive desired
udld port
cdp enable
snmp trap link-status
@

Handy tips

A macro may contain the entire configuration wanted on an interface; if this is the case and you want to ensure that the interface configuration is blank, use the default command first:

configure terminal
default interface FastEthernet0/1
interface FastEthernet0/1
macro apply data $access 100

To apply a macro to more than one interface simply use the interface range command:

configure terminal
interface range FastEthernet 0/1 - 24
macro apply data $access 100

If AAA is offloaded to a TACACS server for config-command authorization, applying a macro to an interface range can fail due to the delay created by the request and approval procedure for each command. I have found that, although it's a little naughty, the following can get around this:

configure terminal
no aaa new-model
default interface range FastEthernet0/1 - 24
interface range FastEthernet0/1 - 24
macro apply data $access 100
exit
aaa new-model

Macro descriptions can be managed like a normal interface description:

configure terminal
interface FastEthernet0/1
no macro description
macro description data

"macro trace macro-name" instead of "macro apply macro-name" will display commands as they are entered.

Modifying macros isn't possible; creating a macro with the same name will overwrite the existing macro (ensure all commands are present).

Don't use exit or end within a macro; this can cause commands to be executed at a different level.

I have found that macro configuration cannot be rolled out to devices using certain management tools so bear this in mind.

-----------------------------------------------------------------------------------------------------------------------------------------

The second interesting command that the newsletter talks about is the command to force a minimum password length on the Cisco IOS.

Here is what it says:

To set a minimum password length, enter the following commands:

Router>enable
Router#configure terminal
Router(config)#security passwords min-length 8

If a user now attempts to set the enable password to cisco for example, the following happens:

Router(config)#enable password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#

OR

Router(config)#username david password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#

Nice commands to know; in some weird scenarios you might want to go with any of them!

Thursday, November 27, 2008

Cisco dealing with the slowdown

A few posts collated from networkworld.com showing what Cisco has been doing to deal with the economic slowdown.

The cold evidence of Cisco's hiring freeze

Cisco workers told to rein in holiday spending

Cisco shutting down for the end-of-year holidays

Cisco options for your firefox search box

Came across this post on 6200networks.com

This link on Cisco.com has some really nice options for adding to the search box in your IE or Firefox browser.

Honestly, after looking at all the options I added the following to my Firefox search box:

  • Command Lookup Tool
  • Search Cisco
  • Search Netpro Discussions

You might add more as required from this link: http://www.cisco.com/web/tsweb/searchplugins/plugin_homepage.html#

OSPF distance command

My friend & I were having a discussion today & reached the conclusion of ODCS (OSPF Distance Command Sucks). There seems to be some problem with the command.

I did a small recreate with a very simple setup with R2 & R3 as the spokes & R1 as the hub. I had OSPF adjacency going between R1 & R2, R1 & R3. I had 1 loopback on R2 (2.2.2.2/32) & 1 loopback on R3 (3.3.3.3/32) both advertised in OSPF area 0. So, obviously, both the loopbacks were being learnt correctly on the hub as OSPF intra area routes with the default AD of OSPF (110).

Now my objective was to decrease the AD of the loopback being learnt from one router to 109. So I went ahead & added the following command under the OSPF configuration on the hub: "distance 109 192.168.1.3 0.0.0.0" (192.168.1.3 being the IP of R3). As soon as I did that, as expected, the "show ip route ospf" command was showing the AD of 3.3.3.3 (loopback from R3) as 109 while the AD of 2.2.2.2 (loopback from R2) was still 110.

Now, just for the sake of it, I thought of adding an ACL at the end of that 'distance' command to test it. So, I took out the command "distance 109 192.168.1.3 0.0.0.0" from the hub R1, & instead added the following commands:

router ospf 1
distance 109 192.168.1.3 0.0.0.0 10
!
access-list 10 permit 3.3.3.3 0.0.0.0
!

As soon as I did this & checked the "show ip route ospf", I saw that both the loopbacks 2.2.2.2 & 3.3.3.3 were being learnt with an AD of 110. Weird!!

This in turn means that if you want to change the AD of all the intra-area routes coming from a neighbor, you can do it easily using the 'distance' command, but if you want to selectively change the AD of some routes coming from a particular neighbor, it might be a pain in the wrong place if you try to do it using the 'distance' command in OSPF. Of course you can use the 'distance ospf' command to easily do that for all the intra/inter/external area routes.

I searched to see if there is any bug related to this & found a few which were internal/junked. So, as per the documentation it should work, but it does not look like it does :-)

Note: "distance" command in OSPF needs you to use the neighbor's router-id instead of the next-hop id.

Saturday, November 22, 2008

Mandatory list of books for CCIE R&S written exam

A nice article has been published on the IPexpert blog about the list of books which are mandatory to read before you appear for your CCIE R&S written exam. Nice list of books; below is a little excerpt from the article. For the complete article head to the IPexpert Blog.

From the start of your CCIE the first book to read is a general book to create a mental framework to put your theory in. When studying, always begin by reading something that covers all the topics - don't delve into a particular topic in detail first. This is because your brain formulates information from data based on context - so you'll gather more information from reading the same book if you have a context to put it in.

So, book one is your overall theory book:

CCIE Routing and Switching Exam Certification Guide, 3rd Edition By Wendell Odom, Rus Healy, Naren Mehta.

This book, once finished, will give you a good overview of the topics that you'll need to learn for your CCIE. Read it as the first book, then re-read it (as required) before your written exam.

Book two is your routing book:

Routing TCP/IP, Volume 1, 2nd Edition By Jeff Doyle, Jennifer Carroll.

This book is like the bible for the R&S CCIE student (but without the internal contradictions). It's a tough read but superbly written with an elegant logical sequence. It will teach you all you need to know about the operation of your IGP routing protocols for IPv4 and IPv6. It's also my favorite textbook of all time.

Book three is your switching book:

CCNP BCMSN Official Exam Certification Guide, 4th Edition By Dave Hucaby.

This book isn't on the Cisco CCIE reading list, which astounds me. The Cisco list prefers "Cisco LAN Switching" but that is almost 10 years old and the information (whilst well written and detailed) is too old to be a useful reference due to massive technology improvements. This book is the latest exam certification guide for BCMSN (the CCNP switching course). Feel free to skip any topics that aren't relevant to your lab, but ensure you read all the switching material as well as material on high availability protocols and multicast (it'll serve as a good primer for the sixth book).

Books four and five are your BGP books:

Internet Routing Architectures, 2nd Edition by Sam Halabi

and

Routing TCP/IP, Volume II By Jeff Doyle, Jennifer DeHaven Carroll.

Sam's book is an excellent book covering BGP in many situations. It is dated a little bit, but BGP hasn't changed much in that time. Routing TCP/IP Vol 2 has a good BGP section too, so between them you should be able to learn most if not all of the theory you need to understand the protocol.

Book six is your multicast book:

Developing IP Multicast Networks, Volume I By Beau Williamson.

It's unfortunate that Beau has never had the time to update this masterpiece, but read it anyway as it explains multicast better than any other book to date. Supplement it with the information from books three and five if you need to get a bit of extra information.

Book seven is your QOS book:

Cisco QOS Exam Certification Guide (IP Telephony Self-Study), 2nd Edition By Wendell Odom, Michael J. Cavanaugh.

This book (again not on the list from Cisco) is the best written QOS book that you'll find. What it doesn't cover (or that Wendell didn't add to in book one) you should gather from the Cisco website 3550 and 3560 Configuration Guide QOS sections.

So that's seven books cover-to-cover to have *expert* level knowledge. Seem fair? The only major areas I haven't covered are WAN technologies and IPv6, but they are better covered later in your studies due to their less theoretical and more practical nature (what you need to know for the written is in book one).

Hope that helps aspirants beginning with their CCIE R&S studies!

Friday, November 21, 2008

OSPF - "discard-route"

I came across a nice little command to remember in OSPF. In fact I would have to admit that I knew this command but it completely flew off my mind; hence, today when one of my friends preparing for his CCIE R&S reminded me of this command, I decided to put it down on my blog so that I never forget it again.

So here is a little explanation from the command reference on Doc-cd:

To reinstall an external or internal discard route that was previously removed, use the discard-route command in router address family topology or router configuration mode. To remove an external or internal discard route, use the no form of this command.

discard-route [external [distance]] [internal [distance]]

no discard-route [external [distance]] [internal [distance]]

External and internal discard-route entries are installed in routing tables by default. During route summarization, routing loops may occur when data is sent to a nonexisting network that appears to be a part of the summary, and the router that is performing the summarization has a less specific route (pointing back to the sending router) for this network in its routing table. To prevent the routing loop, a discard route entry is installed in the routing table of the ABR or ASBR.

If for any reason you do not want to use the external or internal discard route, remove the discard route by entering the no discard-route command with the external or internal keyword.

Examples

The following display shows the discard-route functionality installed by default. When external or internal routes are summarized, a summary route to Null0 will appear in the router output from the show ip route command. See the router output lines that appear in bold font:

Router# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/24 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.128/25 is directly connected, Loopback1
O 172.16.0.0/24 is a summary, 00:00:14, Null0
C 172.16.0.0/25 is directly connected, Loopback0
172.31.0.0/24 is variably subnetted, 3 subnets, 2 masks
C 172.31.0.128/25 is directly connected, Loopback3
O 172.31.0.0/24 is a summary, 00:00:02, Null0
C 172.31.0.0/25 is directly connected, Loopback2
C 192.168.0.0/24 is directly connected, Ethernet0/0

Router# show ip route ospf

172.16.0.0/24 is variably subnetted, 3 subnets, 2 masks
O 172.16.0.0/24 is a summary, 00:00:29, Null0
172.16.0.0/24 is variably subnetted, 3 subnets, 2 masks
O 172.16.0.0/24 is a summary, 00:00:17, Null0

When the no discard-route command with the internal keyword is entered, notice the following route change, indicated by the router output lines that appear in bold font:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# router ospf 1
Router(config-router)# no discard-route internal
Router(config-router)# end

Router# show ip route ospf
172.31.0.0/24 is variably subnetted, 3 subnets, 2 masks
O 172.16.0.0/24 is a summary, 00:04:14, Null0

Next, the no discard-route command with the external keyword is entered to remove the external discard route entry:

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# router ospf 1
Router(config-router)# no discard-route external
Router(config-router)# end

The following router output from the show running-config command confirms that both the external and internal discard routes have been removed from the routing table of the router. See the router output lines that appear in bold font.

Router# show running-config

Building configuration...

Current configuration : 1114 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
.
.
.
router ospf 1
log-adjacency-changes
no discard-route external
no discard-route internal
area 1 range 172.16.0.0 255.255.255.0
summary-address 172.31.0.0 255.255.255.0
redistribute rip subnets
network 192.168.0.0 0.0.0.255 area 0
network 172.16.0.0 0.0.0.255 area 1
!

So in simpler terms, if you don't want the Null0 summary routes inserted into the routing table of the router that is summarizing area or external routes, you can use this command.

Nice one to remember!

What is epoch time?

There was a nice contest on Packetlife. It had a packet capture uploaded & the contestants had to look at the packet capture to tell what day the router at 10.0.12.1 thinks it is. The packet capture had some OSPF hello packets originating from the 10.0.12.1 device.

The answer to the contest included reading the OSPF hello packets. The OSPF hello packets carry an "Auth Crypto Sequence Number" which increases by one (displayed as a hex value) for every second that passes.

Realizing that the OSPF sequence number increases at a rate of 1 per second, the next step was to determine the counter's reference point. The sequence number is a hexadecimal count of the number of seconds since the UNIX epoch.

So the final step was to convert the hex value into decimal & then add it to the reference time/date to arrive at the date/day the router thinks it is.
  • 0x48994f42 hex = 1218006850 decimal
  • 00:00:00 1 Jan 1970 UTC + 1218006850 seconds = 07:14:10 6 Aug 2008 UTC
The post also lists a very useful website by the name of epochconverter.com for conversions from "epoch time" to "human readable" format.
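As an added example (not part of the original post or of the Packetlife contest), the following Python script pulls the crypto sequence number out of an OSPFv2 Hello header and converts it exactly as described above. The packet bytes, key id and digest length are constructed here; the header and authentication-field layout follow RFC 2328 Appendix D.

```python
import struct
from datetime import datetime, timezone

# OSPFv2 packet header (RFC 2328 A.3.1): version, type, packet length,
# router id, area id, checksum, AuType.  16 bytes, followed by 8 bytes of
# authentication data.
OSPF_HDR = struct.Struct("!BBH4s4sHH")
# Authentication field when AuType = 2, cryptographic (RFC 2328 D.3):
# 2 zero bytes, key id, auth data length, 32-bit crypto sequence number.
CRYPTO_AUTH = struct.Struct("!HBBI")
AU_CRYPTOGRAPHIC = 2


def parse_ospf_auth(packet: bytes) -> dict:
    """Return router id, key id and crypto sequence number from an OSPFv2 header.

    Raises ValueError when the packet is not OSPFv2 or does not use
    cryptographic authentication, because only then does the 8-byte
    authentication field carry a sequence number at all.
    """
    if len(packet) < OSPF_HDR.size + CRYPTO_AUTH.size:
        raise ValueError("truncated OSPF header")
    version, _ptype, _length, rid, _area, _csum, autype = OSPF_HDR.unpack_from(packet, 0)
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    if autype != AU_CRYPTOGRAPHIC:
        raise ValueError(f"AuType {autype} carries no crypto sequence number")
    _zero, key_id, _auth_len, seq = CRYPTO_AUTH.unpack_from(packet, OSPF_HDR.size)
    return {"router_id": ".".join(str(b) for b in rid), "key_id": key_id, "seq": seq}


def sequence_to_utc(seq: int) -> datetime:
    """Interpret the sequence number as seconds since 00:00:00 1 Jan 1970 UTC."""
    return datetime.fromtimestamp(seq, tz=timezone.utc)


# Constructed sample: a Hello (type 1, 44-byte) header from router id 10.0.12.1
# in area 0.0.0.0, AuType 2, key id 1, 16-byte MD5 digest, and the sequence
# number from the contest (0x48994f42).  The checksum is zero, as RFC 2328
# requires for cryptographic authentication.
SAMPLE_HELLO = (
    OSPF_HDR.pack(2, 1, 44, bytes([10, 0, 12, 1]), bytes(4), 0, AU_CRYPTOGRAPHIC)
    + CRYPTO_AUTH.pack(0, 1, 16, 0x48994F42)
)

if __name__ == "__main__":
    info = parse_ospf_auth(SAMPLE_HELLO)
    when = sequence_to_utc(info["seq"])
    print(f"router {info['router_id']}: seq 0x{info['seq']:08x} = {info['seq']}"
          f" = {when:%H:%M:%S %d %b %Y} UTC")
```

Run against a real capture, the same parser also tells you immediately (via the ValueError) when a neighbor is sending Hellos with null or simple-password authentication rather than MD5.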

All in all, a post to learn something from. Nice one, Packetlife; would love to see more of such contests.