Building Network Automation Solutions
6 week online course starting in September 2017

Configuration rollback fails completely with IP SLA

The Configuration Rollback feature (first available in IOS release 12.3(7)T) fails completely when handling configurations containing active IP SLA probes.For example, if you want to rollback from ...

ip sla 100
icmp-echo 172.16.25.1 source-interface Serial0/0/0.100
timeout 200
frequency 10
ip sla schedule 100 life forever start-time now
... to ...
ip sla 100
icmp-echo 172.16.25.1 source-interface Serial0/0/0.100
timeout 200
frequency 5
ip sla schedule 100 life forever start-time now
... the Configuration Replace tries to execute ...
ip sla 100
frequency 5
... which fails as you cannot change parameters of a running SLA probe. Since the Configuration Replace feature contains no special provisions for IP SLA commands (which is the actual bug), it tries the same (failing) configuration sequence a number of times and then reports an error.

Did I report this bug? Of course not :)

Per-destination or per-packet CEF load sharing?

Cisco Express Forwarding (CEF) can perform per-packet or per-destination (actually source/destination IP address pair) load-sharing with no performance degradation (without CEF, per-packet load-sharing requires process switching). Even though there is no performance impact on the router, per-packet load sharing will almost always result in out-of-order packets. The packet reordering might degrade TCP throughput in high-speed environments (in low-speed/few-flows scenarios, per-packet load-sharing actually improves the per-flow throughput) or severely impact applications that cannot survive out-of-order packet delivery, such as Fast Sequenced Transport for SNA over IP or voice/video streams.

To configure per-packet load-sharing, use the ip load-sharing per-packet interface configuration command (default is per-destination). This command has to be configured on all outgoing interfaces over which the traffic is load-shared.

The switch between the load-sharing modes is not immediate; sometimes you have to wait a few seconds for the ip load-sharing command to take effect, worst case a manual clearing of the CEF table (clear ip cef address) is required.

Configuration Change Logging ignores the configuration downloads

The Configuration Change Notification and Logging feature is supposed to log changes to the router's configuration. While it does a great job of logging commands entered in the router configuration mode, it completely ignores configuration changes due to configuration download (for example, with configure network or copy tftp running-config command).Here is an example:

fw#configure terminal
fw(config)#archive
fw(config-archive)#log config
fw(config-archive-log-cfg)#logging enable
fw(config-archive-log-cfg)#^Z
fw#
fw#configure network
Host or network configuration file [host]?
This command has been replaced by the command:
'copy system:/running-config'
Address or name of remote host [10.0.0.2]?
Source filename [fw-confg]?
Configure using tftp://10.0.0.2/fw-confg? [confirm]
Loading fw-confg from 10.0.0.2 (via FastEthernet0/0): !
[OK - 858 bytes]
fw#
%SYS-5-CONFIG_I: Configured from tftp://10.0.0.2/fw-confg by console
fw#show archive log config all
idx sess [email protected] Logged command
1 1 [email protected] logging enable

Which switching path does an IOS feature use

I've got an excellent question recently: Which switching path is used in Zone-based firewalls when a packet is dropped? As usual, IOS documentation was not very helpful (which is understandable as the answer might depend on hardware platform, interface encapsulation, other features configured on the router etc.). However, there is a great tool to use - the show interface stats command.

Fine-tuning CEF load-sharing

In environments with a low number of IP hosts you have to fine-tune the CEF load-sharing algorithm to ensure that the traffic is spread between all parallel paths. A typical scenario is a primary-backup data center setup with pairs of replicating servers, as shown in the figure below.


In these cases, you have to try different values of seed parameter of the CEF universal algorithm.
For example, if you have two equal-cost paths between networks 10.0.0.0/24 and 192.168.0.0/24 ...
a1#show ip cef 192.168.0.0 detail
192.168.0.0/24, version 33, epoch 0, per-destination sharing
0 packets, 0 bytes
via 172.16.1.6, Serial0/0/0.200, 0 dependencies
traffic share 1
next hop 172.16.1.6, Serial0/0/0.200
valid adjacency
via 172.16.1.2, Serial0/0/0.100, 0 dependencies
traffic share 1
next hop 172.16.1.2, Serial0/0/0.100
valid adjacency
... you might want the traffic between 10.0.0.1 and 192.168.0.1 to flow over a different link than the traffic between 10.0.0.2 and 192.168.0.2. The command that will help you is the show ip cef exact-route source destination. In our example, both traffic flows would go over the same serial link:
a1#show ip cef exact-route 10.0.0.1 192.168.0.1
10.0.0.1 -> 192.168.0.1 : Serial0/0/0.100 (next hop 172.16.1.2)
a1#show ip cef exact-route 10.0.0.2 192.168.0.2
10.0.0.2 -> 192.168.0.2 : Serial0/0/0.100 (next hop 172.16.1.2)
However, by changing the seed parameter of the ip cef load-sharing algorithm universal command, you can influence the CEF hashing function, eventually reaching a state where the traffic flows are spread between both WAN links:
a1(config)#ip cef load-sharing algorithm universal 1
a1(config)#^Z
a1#show ip cef exact-route 10.0.0.1 192.168.0.1
10.0.0.1 -> 192.168.0.1 : Serial0/0/0.100 (next hop 172.16.1.2)
a1#show ip cef exact-route 10.0.0.2 192.168.0.2
10.0.0.1 -> 192.168.0.2 : Serial0/0/0.200 (next hop 172.16.1.6)

Local username authentication

As I get a lot of hits from Google refering to local login, here's the whole story: Cisco IOS supports local username/password based authentication (almost) forever (it's been there even before the AAA architecture). To change from simple password-based authentication to username+password based on, use login local configuration command on console and/or VTY lines. The local usernames and passwords are defined with the username configuration command.The Cisco IOS thus supports the following local (non-AAA) authentication settings:

  • no login disables any authentication; anyone able to access the line (console or VTY through telnet or SSH) is logged in automatically (do not use outside of lab environment).
  • login enables simple password-based authentication. The password is specified per-line (console or VTY) with the password command (do not specify different passwords on different VTY lines or you'll create total confusion).
  • login local enables local username+password authentication.

The login tacacs configuration command specifies the old TACACS protocol and is almost unusable these days.


This article is part of You've asked for it series.

Cisco IOS violates RFC 2616 (HTTP/1.1)

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

I simply had to check with the RFC; by setting the Host: field of HTTP request to an IP address (instead of a host name), Cisco IOS violates section 14.23 of RFC 2616, which says:

The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource ... The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.

IOS HTTP client sets Host: field to IP address

Update 2012-08-27: Stefan de Kooter reported the bug had been fixed in IOS release 15.1(4)M.

If you run multiple web sites on a single physical server, it's highly likely that you rely on the ability of HTTP/1.1 clients to specify the Host: field in the HTTP request to indicate which web site they're trying to access.

Cisco IOS always inserts the web server's IP address (not the hostname) in the Host: field of the HTTP request, regardless of whether you enter IP address or hostname in the URL part of an IOS command that supports HTTP (for example, copy or more command) ... and regardless of whether the hostname is locally configured with the ip host command or resolved by an external DNS server specified in the ip name-server command.

End result: Cisco IOS-based routers (tested up to release 12.4(11)T) can access only the default web site on a web server hosting multiple web sites.

Log terminal access to your router

In a previous post, I've shown how you can log the changes in interactive user's privilege level. With the Cisco IOS Login Enhancements (introduced in IOS release 12.3(4)T, integrated in 12.4), you can also log all login successes and failures, even when using local user database (a similar functionality was previously achievable only when using central TACACS+ or RADIUS server).

The configuration commands to enable terminal access logging are login on-success log and login on-failure log. You can also specify that you want send SNMP traps in these circumstances (with the trap option) or that you only want to log every Nth attempt with the every n option.After you've configured terminal access logging, the router will start to generate syslog messages similar to the ones below (localport: 23 indicates the user was using telnet to access the router, localport: 80 that she was using HTTP):

%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test] [Source: 172.16.1.1] [localport: 23] at 19:10:27 UTC Sat Dec 2 2006
1d04h: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: a] [Source: 192.168.0.10] [localport: 80] [Reason: Login Authentication Failed - BadPassword] at 19:35:53 UTC Sat Dec 2 2006
If the user accesses the router through the console port, both the source and localport are set to all zeroes:
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ] [Source: 0.0.0.0] [localport: 0] at 19:10:48 UTC Sat Dec 2 2006

Router Configuration Management … Too Good to be True?

In the Router Configuration Management … Too Good to be True?, the latest IP Corner article, I'm describing two of the router configuration management features introduced in Cisco IOS release 12.4: Configuration Change Notification and Contextual Configuration Diff utility. While the first one behaves as expected, the second one produced unexpected results under the stress test.

Log user privilege level changes

The logging userinfo configuration command introduced in IOS release 12.3T (integrated into 12.4) starts logging of all changes in user privilege levels (as requested by enable or disable commands).
Sample printout:

fw>enable
Password:
03:00:50: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
fw#disable
fw>
03:00:52: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console

Network statements in the OSPF process are no longer order-dependent

When I was still teaching Cisco courses, we were telling the students that the order of network statements in an OSPF process was important if their ranges were overlapping; the first network statement that matched an interface IP address would place that interface in the corresponding area. This is no longer true, Cisco IOS now properly handles overlapping network ... area configuration commands.
Consider the following example:

fw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
fw(config)#router ospf 100
fw(config-router)#network 0.0.0.0 255.255.255.255 area 0
fw(config-router)#network 10.0.0.0 0.0.3.255 area 1
13:06:57: %OSPF-6-AREACHG: 10.0.0.0 255.255.252.0 changed from area 0 to area 1
fw(config-router)#network 10.0.0.0 0.0.0.7 area 2
13:07:10: %OSPF-6-AREACHG: 10.0.0.0 255.255.255.248 changed from area 1 to area 2
fw(config-router)#^Z
I've entered overlapping network statements, each one with a smaller address range. Not only does IOS detect that they overlap, it also prints nice syslog messages and reorders the commands in the running configuration. Well done !
fw#show run | begin router ospf
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.0.0.7 area 2
network 10.0.0.0 0.0.3.255 area 1
network 0.0.0.0 255.255.255.255 area 0

Deploying Zone-Based Firewalls

Cisco Press has just released my latest book (and my first digital one): Deploying Zone-Based Firewalls. The book covers a completely new way to configure IOS firewall feature set based on security zones you define on a router and inter-zone policies configured using the familiar class-maps and policy-maps.

You can preview this digital book (they call it Digital Short Cut) using the Safari technology at Cisco Press and buy it at Amazon.

Reduce the noise generated by the Cisco IOS copy command

I always hate it when Cisco IOS asks me for things I've already supplied in a command line, the most notable case being the copy command. For example, if you supply the complete source and destination file name in the command line, IOS still insists on asking you all the same questions (at least filling in the parameters I've supplied in the command line):

fw#copy system:running-config tftp://10.0.0.2/fw-test
Source filename [running-config]?
Address or name of remote host [10.0.0.2]?
Destination filename [fw-test]?
!!
2009 bytes copied in 0.604 secs (3326 bytes/sec)
You can disable the annoying questions with the file prompt quiet configuration command (the default value of this parameter is noisy).
fw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
fw(config)#file prompt quiet
fw(config)#^Z
fw#copy system:running-config tftp://10.0.0.2/fw-test
!!
2009 bytes copied in 0.616 secs (3261 bytes/sec)
However, if you decide to use this configuration command, you might be surprised by its side effects - whenever you don't specify a parameter, the router tries to use its default value and you might not like what you get. Consider this sequence:
fw#copy system:running-config tftp:
Address or name of remote host []? 10.0.0.2
!!
2009 bytes copied in 0.600 secs (3348 bytes/sec)
Could you guess what the remote file name is in this case? I couldn't and had to look into the TFTP server log. Turns out the router uses router-name-confg as the default file name.

Log configuration commands entered on your Cisco router

As part of Configuraton Change Notification and Logging feature, Cisco IOS stores the most recent configuration commands in a circular buffer and (optionally) sends them to syslog streams.

This feature is configured under the archive configuration mode with the log config command, which brings you to yet another configuration mode where you can fine-tune the parameters (they are obvious, on-router help is sufficient), for example:

archive
log config
logging enable 100
notify syslog
hidekeys
After you've enabled configuration command logging, you can use the show archive log config all command to inspect the logging buffer. You can also display commands entered in a particular session or by a selected user.

If you've configured notify syslog, every configuration command also triggers a syslog message similar to this one:
3d03h: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface loopback 0
Note: This feature logs only the configuration commands, if you want to log all commands, use TACACS+ or Embedded Event Manager.

CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.

event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router's console, unless you disable console logging with no logging console command or use TCL-based syslog filters (more about them in an upcoming post).

Perfect load balancing with MPLS Traffic Engineering

In the article Perfect Load-Balancing: How Close Can You Get?, you'll find in-depth information on how you can use MPLS traffic engineering to load-balance traffic in highly redundant designs.

Cisco IOS from an attacker's perspective

Although a bit outdated (and discussing older Cisco IOS releases), the article Cisco IOS from an Attacker's Point of View is still very relevant, as most vulnerabilities discussed in it arise from unsecure router configuration. Highly recommended reading!

Use command aliases to simplify Cisco IOS web server URLs

Cisco IOS has the ability to define command aliases - short words that substitute a whole exec-mode or configuration command. These aliases can also be used in command execution URLs. For example, if you define alias exec showdefault show ip route 0.0.0.0 0.0.0.0, you can view the status of the default route with the http://router/exec/showdefault/CR URL.

Use Cisco IOS FTP server to bypass Microsoft "security patch"

Microsoft decided a while ago to disable the ability to send username and password encoded in URL to a web server. This "security patch" also prevents you from serving files from Cisco IOS web server without explicit user login (IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:[email protected]/file URL.

To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed by the ftp-server topdir directory command which specifies the top-level FTP directory (for example, flash:). To authenticate FTP users, define local usernames with the username user password password configuration command.

Tar archives used by Cisco IOS web server

To optimize the space utilizations and file transfer operations in flash: memory, Cisco IOS web server allows files to be served from tar archives stored on flash: (or any other) filesystem. The URL syntax to access a file in a tar archive is /archive/archive-name-without-tar-suffix/file-in-archive.

For example, with the archive command, you can list the common.tar file found on all routers with preinstalled Secure Device Manager (SDM). It contains the following files:

router#archive tar /table flash:common.tar
common/runAPP.shtml (13065 bytes)
common/blank.html (86 bytes)
common/appsupport.js (1690 bytes)
common/common.js (6958 bytes)
common/blank.gif (43 bytes)
common/launcher.html (2534 bytes)
common/home_ui.html (7587 bytes)
common/spacer.gif (43 bytes)
common/Cisco_logo.gif (1098 bytes)
common/launchTask.html (1794 bytes)
common/cisco-logo-clear.gif (641 bytes)
common/error.html (1133 bytes)
common/version.txt (85 bytes)
common/common.sgz (851879 bytes)
common/com/cisco/nm/util/sgz/Loader.class (703 bytes)
common/ieloader.cab (41780 bytes)
common/jploader.jar (61760 bytes)
To access the Cisco_logo.gif file from that archive, use the URL http://router/archive/flash:common/common/Cisco_logo.gif (you can omit the flash: string in the URL).

TAR support in Cisco IOS

Cisco IOS supports the Unix tar format with the archive command. For example, to inspect the contents of the Secure Device Manager (SDM) that is present in Flash memory on most routers, use the archive tar /table flash:sdm.tar command.

You can also use the archive tar /xtract command to extract a tar file (local or external) into a directory (yet again local or external). For example, with the command archive tar /xtract flash:sdm.tar tftp://10.0.0.10 you'd extract the SDM tar archive to a TFTP server.

Note: tar extract cannot create subdirectories on a TFTP server, the directory structure has to be prepared in advance.

Home page for Cisco IOS web server

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:

  1. The home.html file if it exists in any filesystem;
  2. The home.shtml file if it exists in any filesystem;
  3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

BGP peer groups no longer a performance feature

In Cisco IOS release 12.3T (integrated in 12.4), we've got an interesting (and quite understated) BGP feature: BGP peer-groups are no longer a performance feature (previously, IOS used them to reduce the time needed to compute outbound BGP updates). IOS now performs automatic grouping of BGP neighbors in dynamic update peer-groups that receive identical BGP updates based on per-neighbor outbound parameters.

Running syslog over TCP

Syslog has always been considered an undependable means of reporting network problems by serious network administrators as it runs over unreliable UDP transport. Sometime in the twilight zone between IOS releases 12.3T and 12.4, Cisco IOS got the capability to transport syslog messages over TCP with the logging host ip-address transport tcp port configuration command (the command is documented in 12.4 manuals but missing in 12.3T manuals).

Note: IOS implements standard syslog stream over TCP, not the more complex RFC 3195.

To support syslog over TCP, you also need TCP-capable syslog server. In Unix environments, you can use syslog-ng, on Windows, Kiwi syslog daemon is a perfect choice.

Note: to enable syslog over TCP in Kiwi Syslog Daemon, go to File/Setup/Inputs/TCP, click Listen for TCP Syslog messages and enter the desired TCP port number.

CEF per-destination load sharing algorithms

According to the Cisco IOS documentation, you can select between the original and the universal CEF load sharing algorithm with the ip cef load-sharing algorithm name parameter global configuration command (we'll leave the tunnel algorithm aside for the moment). Of course, they don't tell you what you select.

The original algorithm used only the source and destination IP addresses to get the 4-bit hash entry (see the CEF Load Sharing Details for more information), which could result in suboptimal network utilization in some border cases (if anyone wants to know why, leave me a comment). The universal algorithm adds a router-specific value to the hash function, ensuring that the same source-destination pair will hash into a different 4-bit value on different boxes. If you really want to fine-tune the hash function, you can even specify the value to be added with the last option of the ip cef load-sharing algorithm command.

CEF load sharing details

I had to investigate the details of CEF load sharing for one of my upcoming article and found (yet again) that the details are rather undocumented in official documentation. So, this is how it works (in case you ever need to know):

  • For every CEF entry (IP route) where there are multiple paths to the destination, the router creates a 16-row hash table, populating the entries with pointers to individual paths. The hash table can be inspected with the show ip cef prefix internal command.
  • The load balancing ratio is approxiated by number of entries in the hash table belonging to each path. If you have unequal-cost load balancing (EIGRP based on composite metrics and MPLS TE tunnels based on requested bandwidth), individual paths will be associated with different number of rows.
  • If you configure per-destination load balancing, the source and destination IP address in the incoming IP packet are hashed into a 4-bit value that selects the outgoing path in the CEF has table.

If this sounds confusing, here are two examples to make it easier: if you have two equal-cost paths to the same destination, each path will have eight entries in the hash table.

a1#show ip route 192.168.0.0
Routing entry for 192.168.0.0 255.255.255.0
Known via "ospf 1", distance 110, metric 51, type intra area
Last update from 172.16.0.21 on Serial0/0/0.100, 00:00:05 ago
Routing Descriptor Blocks:
* 172.16.0.21, from 172.16.0.22, 00:00:05 ago, via Serial0/0/0.100
Route metric is 51, traffic share count is 1
172.16.0.21, from 172.16.0.22, 00:00:05 ago, via Serial0/0/0.200
Route metric is 51, traffic share count is 1
a1#show ip cef 192.168.0.0 internal
192.168.0.0/24, version 33, epoch 0, per-destination sharing
0 packets, 0 bytes
via 172.16.0.21, Serial0/0/0.100, 0 dependencies
traffic share 1
next hop 172.16.0.21, Serial0/0/0.100
valid adjacency
via 172.16.0.21, Serial0/0/0.200, 0 dependencies
traffic share 1
next hop 172.16.0.21, Serial0/0/0.200
valid adjacency

0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
Load distribution: 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1 (refcount 1)

Hash OK Interface Address Packets
1 Y Serial0/0/0.100 point2point 0
2 Y Serial0/0/0.200 point2point 0
3 Y Serial0/0/0.100 point2point 0
4 Y Serial0/0/0.200 point2point 0
5 Y Serial0/0/0.100 point2point 0
6 Y Serial0/0/0.200 point2point 0
7 Y Serial0/0/0.100 point2point 0
8 Y Serial0/0/0.200 point2point 0
9 Y Serial0/0/0.100 point2point 0
10 Y Serial0/0/0.200 point2point 0
11 Y Serial0/0/0.100 point2point 0
12 Y Serial0/0/0.200 point2point 0
13 Y Serial0/0/0.100 point2point 0
14 Y Serial0/0/0.200 point2point 0
15 Y Serial0/0/0.100 point2point 0
16 Y Serial0/0/0.200 point2point 0

However, if you have three equal-cost paths to the destination, each path will have only five entries and the hash table will have 15 rows instead of 16.

a1#show ip route 192.168.0.0
Routing entry for 192.168.0.0 255.255.255.0
Known via "ospf 1", distance 110, metric 51, type intra area
Last update from 10.0.0.6 on FastEthernet0/0, 00:00:02 ago
Routing Descriptor Blocks:
* 172.16.0.21, from 172.16.0.22, 00:00:02 ago, via Serial0/0/0.100
Route metric is 51, traffic share count is 1
172.16.0.21, from 172.16.0.22, 00:00:02 ago, via Serial0/0/0.200
Route metric is 51, traffic share count is 1
10.0.0.6, from 172.16.0.22, 00:00:02 ago, via FastEthernet0/0
Route metric is 51, traffic share count is 1
a1#show ip cef 192.168.0.0 internal
192.168.0.0/24, version 44, epoch 0, per-destination sharing
0 packets, 0 bytes
via 172.16.0.21, Serial0/0/0.100, 0 dependencies
traffic share 1
next hop 172.16.0.21, Serial0/0/0.100
valid adjacency
via 172.16.0.21, Serial0/0/0.200, 0 dependencies
traffic share 1
next hop 172.16.0.21, Serial0/0/0.200
valid adjacency
via 10.0.0.6, FastEthernet0/0, 0 dependencies
traffic share 1
next hop 10.0.0.6, FastEthernet0/0
valid adjacency

0 packets, 0 bytes switched through the prefix
tmstats: external 0 packets, 0 bytes
internal 0 packets, 0 bytes
Load distribution: 0 1 2 0 1 2 0 1 2 0 1 2 0 1 2 (refcount 1)

Hash OK Interface Address Packets
1 Y Serial0/0/0.100 point2point 0
2 Y Serial0/0/0.200 point2point 0
3 Y FastEthernet0/0 10.0.0.6 0
4 Y Serial0/0/0.100 point2point 0
5 Y Serial0/0/0.200 point2point 0
6 Y FastEthernet0/0 10.0.0.6 0
7 Y Serial0/0/0.100 point2point 0
8 Y Serial0/0/0.200 point2point 0
9 Y FastEthernet0/0 10.0.0.6 0
10 Y Serial0/0/0.100 point2point 0
11 Y Serial0/0/0.200 point2point 0
12 Y FastEthernet0/0 10.0.0.6 0
13 Y Serial0/0/0.100 point2point 0
14 Y Serial0/0/0.200 point2point 0
15 Y FastEthernet0/0 10.0.0.6 0

Cisco IOS Web Server

These tips will help you get the most out of the Cisco IOS embedded web server:

These ones explain how to use IOS HTTP server and client to manage your router configuration and execute commands on the router:

Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):

  1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
  2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
  3. ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
  4. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
  5. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.

Include a default username/password in web request

I've got a great question related to a previous post:

Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:[email protected]/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:[email protected]/level/1/exec/show/ip/interface/brief
Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.

Multilevel web (HTTP) access to a router

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:

username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin
Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.

The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute non-privileged (level-1) show users command, use the following URL:
http://router/level/1/exec/show/users/CR
Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.

Reload a router from VBScript or PERL with a HTTP (web) request

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:

ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Const RouterIP = "10.0.0.1" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password

Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
WebRq.Send
And here is the equivalent PERL code for the open source community:
use LWP::UserAgent;

$routerIP = "10.0.0.1";
$enablePwd = "password";

$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic('', $enablePwd);
print $ua->request($req)->as_string;
By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use proper username/password pair in the HTTP request.

Managing your routers with HTTP ... more information

If you've found the description of how to store your router configuration on a web server interesting, you'll probably enjoy the full article documenting the step-by-step solution including the web server configuration.

Subinterface link status logging

If you're still stuck with frame-relay connections (or use them in test environment, because it's easy to set up any-to-any connectivity between a larger number of routers), you were probably used to subinterface logging events reporting when the line protocol on a point-to-point subinterface would go up or down based on LMI DLCI status.

Very quietly, these logging events disappeared, first on 7500-series routers in IOS release 12.1(14), now they're gone by default on all platforms. If you still want to see what's going on with your frame-relay subinterfaces, you have to enter logging event subif-link-status configuration command on every subinterface.

I can only guess that some people that used the syslog events for network management were very surprised by the first (undetected) frame-relay failure following an IOS upgrade :)

Periodic router reload

Sometimes when using not-so-very stable IOS versions, periodic reload of a router during a non-peak (or idle) period is a good idea that can significantly increase the overall stability of your network. Until release 12.4, you had to write an external script that would log into the router and execute the reload command. With the Embedded Event Manager, the task is surprisingly simple - just enter the following configuration commands to reload the box every midnight (of course it helps if your router is NTP-synchronized to a reliable clock source and has correctly configured time zone).

event manager  applet Reload
event timer cron name Reload cron-entry "@midnight"
action 1.0 reload
The @midnight is a predefined symbolic value for "0 0 * * *". Of course you can use any other value that the UNIX cron utility would recognize as valid first five fields (time specification; username and command line are obviously not used).

Use your Cisco router as a primary DNS server

In IOS release 12.3, most Cisco routers can act as primary DNS servers (formerly, this functionality was only available as part of DistributedDirector product), alleviating the need for a host-based DNS server in your perimeter network. To configure a router to act as primary
DNS server for a zone, use the ip dns primary command, for example:

ip dns server
ip dns primary website.com soa ns.website.com
[email protected] 86400 3600 1209600 86400

Next, you need to define primary and secondary name servers for the domain.
Use the ip host ns command:
ip host website.com ns ns.website.com
ip host website.com ns ns.isp.com
You can also define mail routing for the domain with the ip host mx command:

ip host website.com mx 10 mail.website.com
ip host website.com mx 20 mail.isp.com


Finally, you need to define hosts within your domain (with the traditional form of the ip host command):

ip host ns.website.com 192.168.0.1 ! router's IP address
ip host www.website.com 192.168.1.1
ip host website.com 192.168.1.1 ! alternate for www.website.com
ip host mail.website.com 192.168.1.2

Download Router Configuration to a Web Browser

If you have HTTP server enabled on your router (on by default in many IOS releases, enable with ip http server), you can download the current router configuration into your web browser simply by typing in the URL http://router/exec/show/running/full. To get the startup configuration, use http://router/exec/show/startup-config/CR.

Of course, you need to authenticate to the router. By default, you can use anything as the username and the enable-password as the password, but you also use local usernames or AAA authentication. To use local usernames, configure ip http authentication local and enter username and password with the username username privilege 15 password password configuration command.

Use HTTP to Store Router Configurations on Web Server

It's been possible for a long time to use HTTP to download information from a web server to a router. In IOS release 12.3(2)T, integrated in 12.4 release, Cisco has introduced the ability to store local information (for example, router configurations) on a web server. To use this feature, configure the username and password giving you write access to the web server with:
ip http client username web-user
ip http client password secret-password
After the username and password have been configured, you can use copy running http: to copy router's configuration to a web server.
Note: on the web server, you have to configure the target virtual directory for write access (default: disabled) and allow file-system write access to the underlying physical directory for the target user.
Alternatively, you can specify the username and password in the URL using the copy running http://user:[email protected]/file syntax.
router#copy running http://student:[email protected]/router-config
Address or name of remote host [192.168.0.2]?
Destination filename [router]?
Storing http://student:[email protected]/router-config !!
4231 bytes copied in 0.864 secs (4897 bytes/sec)
router#

Using a router as a DNS proxy server

A Cisco router running IOS release 12.3 can act as a proxy DNS server - when you configure ip dns server and ip name-server ip-address, it starts forwarding any received DNS requests to the upstream name server.

The router does not act as a recursive server, it just propagates the requests. For example, if the client asks for A record for www.nil.com and the upstream DNS server responds with a NS record for the .com tree, the router will not perform recursive DNS lookups to get the answer (and the resolver code in most clients will fail). The upstream DNS server has to be willing to perform recursive lookups for you.

You can use this functionality (potentially in combination with other external proxies) to set up an environment where the clients do not need to access the Internet directly.