Friday, November 28, 2008

Lesser known IOS Commands

The latest edition of the newsletter from Configureterminal.com had a couple of IOS commands which I was not aware of and which I think might be useful in some scenarios.

The first one was the macro capability of IOS. Essentially, it lets you give a user-defined name to a group of commands (usually for the same privilege level), which can then be executed repeatedly by entering only that macro name.

Below is what the newsletter says about the IOS macro capabilities:

------------------------------------------------------------------------------------------------------------------

What is Cisco's macro implementation?

The smartport macro feature was introduced in IOS version 12.1(20)EA1. Default templates are stored on your device; to view the commands stored in the macros, execute the following command:

show parser macro

Each macro is a set of CLI commands that are defined and "wrapped up". When a macro is applied, the commands are simply dumped at that level. Global and interface-specific macros can be created, but we are going to focus on creating custom interface macros.

General guidelines:

Creating a macro is very similar to creating a banner: a character has to be used to identify the start and end of the macro; for example, "@" is used by default.
Names are case sensitive. When a macro is applied, all existing configuration is maintained; if more than one macro is applied, a description is amended to record a basic history. Macros are stored in the running configuration until saved to the startup configuration. If a macro is amended, the changes aren't sent to interfaces which have the macro applied; the macro would need re-applying.

How to create a custom macro:

configure terminal
!=== Enter global configuration mode

macro name macro-name
!=== Create macro

"Enter macro commands one per line. End with the character '@'."
cli command 1
cli command 2
cli command 3
!=== Enter commands
@
!=== Finish macro

Apply macro:

configure terminal
interface FastEthernet0/1
!=== Enter interface configuration
macro apply macro-name
!=== Apply macro

Verify:

show running-config | be macro
!=== Shortcut to first instance of the string "macro"

macro name macro-name
cli command 1
cli command 2
cli command 3
@
!=== Verify macro exists in config
/FastEthernet0/1
!=== Shortcut to string "FastEthernet0/1"
cli command 1
cli command 2
cli command 3
!=== Verify commands exist on interface

Parameters:

Not all IOS commands are fixed; for example, in the command "switchport access vlan ?", the ? represents a value which can change depending on the individual switchport. Cisco included the ability to define a parameter in a macro which, when applied, can be used to specify what the variable is.

For example:

configure terminal
macro name changevlan
switchport access vlan $access
@
!=== Create macro

interface FastEthernet 0/1
macro apply changevlan $access 100
!=== Apply macro - variable = 100 - put interface in vlan 100


Handy custom macro templates:

If some of the commands below don't make any sense whatsoever, don't panic; a layer 2 security ebook covering many of them is in the first stages of creation.

macro name data
switchport
switchport mode access
switchport access vlan $access
switchport port-security
switchport port-security maximum 1
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation protect
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
ip dhcp snooping limit rate 10
storm-control broadcast level 20.00
storm-control multicast level 50.00
storm-control unicast level 30.00
storm-control action trap
no cdp enable
no snmp trap link-status
@

macro name datavoice
switchport
switchport mode access
switchport access vlan $access
switchport voice vlan $voice
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security violation protect
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree bpdufilter enable
ip dhcp snooping limit rate 10
storm-control broadcast level 20.00
storm-control multicast level 50.00
storm-control unicast level 30.00
storm-control action trap
cdp enable
no snmp trap link-status
@

macro name uplink
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan $native
switchport trunk allowed vlan all
switchport nonegotiate
auto qos voip trust
mls qos trust dscp
spanning-tree link-type point-to-point
ip arp inspection trust
ip dhcp snooping trust
ip dhcp snooping limit rate 100
ip dhcp relay information trusted
flowcontrol receive desired
udld port
cdp enable
snmp trap link-status
@

Handy tips

A macro may contain the entire configuration wanted on an interface; if this is the case and you want to ensure that the interface configuration is blank, use the default command first:

configure terminal
default interface FastEthernet0/1
interface FastEthernet0/1
macro apply data $access 100

To apply a macro to more than one interface simply use the interface range command:

configure terminal
interface range FastEthernet 0/1 - 24
macro apply data $access 100

If AAA is offloaded to a TACACS server for config-command authorization, applying a macro to an interface range can fail due to the delay created by the request-and-approval procedure for each command. I have found that, although it's a little naughty, the following can get around this:

configure terminal
no aaa new-model
default interface range FastEthernet0/1 - 24
interface range FastEthernet0/1 - 24
macro apply data $access 100
exit
aaa new-model

Macro descriptions can be managed like a normal interface description:

configure terminal
interface FastEthernet0/1
no macro description
macro description data

"macro trace macro-name" instead of "macro apply macro-name" will display commands as they are entered.

Modifying macros isn't possible; creating a macro with the same name will overwrite the existing macro (ensure all commands are present).

Don't use exit or end within a macro; this can cause commands to be executed at a different level.

I have found that macro configuration cannot be rolled out to devices using certain management tools so bear this in mind.

-----------------------------------------------------------------------------------------------------------------------------------------
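As an added example that is not part of the newsletter and is not Cisco's own tooling, the following Python script turns the newsletter's "Verify" step into a repeatable check that can be run against a saved running config. It parses the "macro name ... @" definitions and the interface stanzas, renders a macro with its $parameters the way "macro apply name $param value" does, and flags every interface whose "macro description" names a macro that is no longer fully present on it (the drift the newsletter warns about when a macro is amended but never re-applied). The running-config text, the function names and the assumption that a history of several applied macros is written as "a | b" are mine for this example, not Cisco's.

```python
"""Drift check for IOS interface macros (added example; not code from the
newsletter or from Cisco). Collects each 'macro name ... @' definition in a
running config and checks that every interface carrying 'macro description
<name>' still holds all of that macro's commands. The config is constructed."""
import re

SAMPLE_RUNNING_CONFIG = """\
macro name data
switchport mode access
switchport access vlan $access
switchport port-security
switchport port-security maximum 1
spanning-tree bpduguard enable
no cdp enable
@
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 spanning-tree bpduguard enable
 no cdp enable
 macro description data
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 200
 switchport port-security
 macro description data
!
"""

def parse_macros(config):
    """{name: [command, ...]} from unindented 'macro name X ... @' blocks."""
    macros, current = {}, None
    for line in config.splitlines():
        if current is None:
            m = re.match(r"macro name (\S+)$", line)
            if m:
                current = m.group(1)
                macros[current] = []
        elif line.strip() == "@":  # terminator character, as in the newsletter
            current = None
        else:
            macros[current].append(line.strip())
    return macros

def parse_interfaces(config):
    """{interface: [command, ...]} from indented interface stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the stanza
    return interfaces

def expand_macro(macro_cmds, **params):
    """Render a macro as 'macro apply name $param value' would; an unsupplied
    parameter raises KeyError rather than being applied literally."""
    def value(m):
        if m.group(1) not in params:
            raise KeyError("macro parameter $" + m.group(1) + " not supplied")
        return params[m.group(1)]
    return [re.sub(r"\$(\w+)", value, cmd) for cmd in macro_cmds]

def macro_template_pattern(cmd):
    """Regex for a macro line accepting any value in a $parameter position."""
    pattern = re.escape(cmd)  # re.escape writes '$access' as '\$access'
    pattern = re.sub(r"\\\$(\w+)", r"(?P<\1>\\S+)", pattern)
    return re.compile("^" + pattern + "$")

def missing_macro_commands(macro_cmds, iface_cmds):
    """Macro commands with no matching line on the interface."""
    return [cmd for cmd in macro_cmds
            if not any(macro_template_pattern(cmd).match(c) for c in iface_cmds)]

def audit(config):
    """{interface: {"macro": name, "missing": [...] or None}} for interfaces whose
    'macro description' names a macro not fully present (None: not defined)."""
    macros, findings = parse_macros(config), {}
    for iface, cmds in parse_interfaces(config).items():
        for c in cmds:
            m = re.match(r"macro description (.+)$", c)
            # Assumption: a history of several applied macros reads 'a | b'.
            names = [n.strip() for n in m.group(1).split("|")] if m else []
            for name in names:
                missing = missing_macro_commands(macros[name], cmds) if name in macros else None
                if missing is None or missing:
                    findings[iface] = {"macro": name, "missing": missing}
    return findings
```

Running audit() over the constructed config reports FastEthernet0/2 as missing three of the "data" macro's commands while FastEthernet0/1 is clean; feeding it the output of "show running-config" from a real switch gives the same answer for every port that claims to carry a macro.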

The second interesting command that the newsletter talks about is the one that enforces a minimum password length on Cisco IOS.

Here is what it says:

To set a minimum password length, enter the following commands:

Router>enable
Router#configure terminal
Router(config)#security passwords min-length 8

If a user now attempts to set the enable password to cisco, for example, the following happens:

Router(config)#enable password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#

OR

Router(config)#username david password cisco
% Password too short - must be at least 8 characters. Password configuration failed
Router(config)#
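An added example, not from the newsletter or from Cisco: "security passwords min-length" is checked when a password command is entered, so passwords that were already in the configuration before the policy was set are not rejected retroactively. The Python script below reads a saved running config, reports whether the policy is present and at least the wanted length, and lists which cleartext enable and username passwords fall short of it, by label only, without printing the passwords themselves. The config text and function names are constructed for this example.

```python
"""Audit an IOS running config against the minimum password length policy.
Added example (not from the newsletter or Cisco). 'security passwords
min-length N' only rejects passwords set after it is configured, so cleartext
enable/username passwords configured earlier can still be shorter than N;
this finds them without echoing the passwords. The config is constructed."""
import re

POLICY_RE = re.compile(r"^security passwords min-length (\d+)$")
# Cleartext (type 0) forms only. 'password 7 <hex>' and 'enable secret 5 <hash>'
# lines are skipped: the stored string is not the password, so its length means nothing.
ENABLE_RE = re.compile(r"^enable password (?:0 )?(\S+)$")
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? password (?:0 )?(\S+)$")

CONSTRUCTED_CONFIG = """\
!
security passwords min-length 8
!
enable password cisco
username david password cisco
username ops privilege 15 password 0 long-enough-pw
username backup password 7 094F471A1A0A
!
"""

def configured_min_length(config):
    """The N from 'security passwords min-length N', or None if not set."""
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            return int(m.group(1))
    return None

def cleartext_passwords(config):
    """[(label, password), ...] for every cleartext password line."""
    found = []
    for line in config.splitlines():
        m = ENABLE_RE.match(line)
        if m:
            found.append(("enable password", m.group(1)))
            continue
        m = USER_RE.match(line)
        if m:
            found.append(("username " + m.group(1), m.group(2)))
    return found

def audit_passwords(config, required=8):
    """Report the policy state and the labels (never the values) of cleartext
    passwords shorter than the configured minimum, or shorter than 'required'
    when no policy is configured at all."""
    policy = configured_min_length(config)
    floor = policy if policy is not None else required
    short = [label for label, pw in cleartext_passwords(config) if len(pw) < floor]
    return {"policy": policy,
            "policy_ok": policy is not None and policy >= required,
            "short": short}
```

On the constructed config the policy is set to 8, yet "enable password cisco" and "username david password cisco" are still present with five-character passwords, which is exactly the state a device ends up in when the policy is added after the accounts were created.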

Nice commands to know; in some weird scenarios you might want to go with any of them!
