Log user privilege level changes

The logging userinfo configuration command, introduced in IOS release 12.3T (integrated into 12.4), logs every change of a user's privilege level (as requested with the enable or disable commands).
Sample printout:
fw>enable
Password:
03:00:50: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
fw#disable
fw>
03:00:52: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console

Network statements in the OSPF process are no longer order-dependent

When I was still teaching Cisco courses, we were telling the students that the order of network statements in an OSPF process was important if their ranges were overlapping; the first network statement that matched an interface IP address would place that interface in the corresponding area. This is no longer true: Cisco IOS now handles overlapping network ... area configuration commands correctly.
Consider the following example:
fw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
fw(config)#router ospf 100
fw(config-router)#network 0.0.0.0 255.255.255.255 area 0
fw(config-router)#network 10.0.0.0 0.0.3.255 area 1
13:06:57: %OSPF-6-AREACHG: 10.0.0.0 255.255.252.0 changed from area 0 to area 1
fw(config-router)#network 10.0.0.0 0.0.0.7 area 2
13:07:10: %OSPF-6-AREACHG: 10.0.0.0 255.255.255.248 changed from area 1 to area 2
fw(config-router)#^Z
I've entered overlapping network statements, each one with a smaller address range. Not only does IOS detect that they overlap, it also prints nice syslog messages and reorders the commands in the running configuration, most specific first. Well done!
fw#show run | begin router ospf
router ospf 100
log-adjacency-changes
network 10.0.0.0 0.0.0.7 area 2
network 10.0.0.0 0.0.3.255 area 1
network 0.0.0.0 255.255.255.255 area 0
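To show why the order no longer matters, here is a small Python model of the behaviour described above (an added example, not code from the post or from Cisco): an interface address is placed in the area of the most specific matching network statement, and the statements are sorted most-specific-first, which is the order the show run output above displays. The three network statements are the ones from the post; the interface addresses used in the usage are constructed.

```python
import ipaddress

# Network statements exactly as entered in the post, in the original (least specific first) order:
# (network, wildcard mask, area)
NETWORK_STATEMENTS = [
    ("0.0.0.0", "255.255.255.255", 0),
    ("10.0.0.0", "0.0.3.255", 1),
    ("10.0.0.0", "0.0.0.7", 2),
]


def _u32(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def matches(ip, network, wildcard):
    """True if ip falls under network/wildcard: every bit where the wildcard is 0 must match."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(ip) & care) == (_u32(network) & care)


def specificity(wildcard):
    """Number of 'care' bits in the wildcard; 32 for a host match, 0 for 0.0.0.0 255.255.255.255."""
    return bin(~_u32(wildcard) & 0xFFFFFFFF).count("1")


def area_for(ip, statements):
    """Area of the most specific matching statement, independent of list order; None if nothing matches."""
    candidates = [(specificity(wc), area) for net, wc, area in statements if matches(ip, net, wc)]
    return max(candidates)[1] if candidates else None


def running_config_order(statements):
    """Sort statements most-specific first, the order IOS shows them under 'show run'."""
    return sorted(statements, key=lambda s: specificity(s[1]), reverse=True)


if __name__ == "__main__":
    # Constructed interface addresses, one per area range in the post
    for addr in ("10.0.0.5", "10.0.1.1", "192.168.1.1"):
        print(addr, "-> area", area_for(addr, NETWORK_STATEMENTS))
    for net, wc, area in running_config_order(NETWORK_STATEMENTS):
        print(f" network {net} {wc} area {area}")
```

The match uses the wildcard bit by bit, so it also behaves sensibly for the non-contiguous wildcards IOS accepts; specificity is simply the number of bits the statement cares about.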

Deploying Zone-Based Firewalls

Cisco Press has just released my latest book (and my first digital one): Deploying Zone-Based Firewalls. The book covers a completely new way to configure the IOS firewall feature set, based on security zones you define on a router and inter-zone policies configured with the familiar class-maps and policy-maps.

You can preview this digital book (they call it Digital Short Cut) using the Safari technology at Cisco Press and buy it at Amazon.

Reduce the noise generated by the Cisco IOS copy command

I always hate it when Cisco IOS asks me for things I've already supplied on the command line, the most notable case being the copy command. For example, even if you supply the complete source and destination file names on the command line, IOS still insists on asking you all the usual questions (at least it offers the parameters I've supplied as the default answers):
fw#copy system:running-config tftp://10.0.0.2/fw-test
Source filename [running-config]?
Address or name of remote host [10.0.0.2]?
Destination filename [fw-test]?
!!
2009 bytes copied in 0.604 secs (3326 bytes/sec)
You can disable the annoying questions with the file prompt quiet configuration command (the default value of this parameter is noisy).
fw#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
fw(config)#file prompt quiet
fw(config)#^Z
fw#copy system:running-config tftp://10.0.0.2/fw-test
!!
2009 bytes copied in 0.616 secs (3261 bytes/sec)
However, if you decide to use this configuration command, you might be surprised by its side effects: whenever you omit a parameter, the router silently uses its default value, and you might not like what you get. Consider this sequence:
fw#copy system:running-config tftp:
Address or name of remote host []? 10.0.0.2
!!
2009 bytes copied in 0.600 secs (3348 bytes/sec)
Could you guess what the remote file name is in this case? I couldn't and had to look into the TFTP server log. It turns out the router uses router-name-confg (its host name followed by -confg) as the default file name.

Log configuration commands entered on your Cisco router

As part of the Configuration Change Notification and Logging feature, Cisco IOS stores the most recent configuration commands in a circular buffer and (optionally) sends them to the syslog streams.

This feature is configured under the archive configuration mode with the log config command, which brings you to yet another configuration mode where you can fine-tune the parameters (they are obvious; the on-router help is sufficient), for example:
archive
log config
logging enable 100
notify syslog
hidekeys
After you've enabled configuration command logging, you can use the show archive log config all command to inspect the logging buffer. You can also display commands entered in a particular session or by a selected user.

If you've configured notify syslog, every configuration command also triggers a syslog message similar to this one:
3d03h: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface loopback 0
Note: This feature logs only configuration commands; if you want to log all commands, use TACACS+ or Embedded Event Manager.

CLI command logging without TACACS+

The AAA architecture of Cisco IOS contains a number of very useful features, including the ability to authorize and log every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in environments using RADIUS.

You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
event manager applet CLIaccounting
event cli pattern ".*" sync no skip no
action 1.0 syslog priority informational msg "$_cli_msg"
set 2.0 _exit_status 1
The log messages generated by this EEM applet have the following format:
%HA_EM-6-LOG: CLIaccounting: command
As EEM uses the standard IOS logging mechanism, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on the router will be echoed to the router's console unless you disable console logging with the no logging console command or use Tcl-based syslog filters (more about them in an upcoming post).
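The three message formats shown in these posts (the %SYS-5-PRIV_AUTH_PASS privilege-level messages, the %PARSER-5-CFGLOG_LOGGEDCMD configuration-change messages and the %HA_EM-6-LOG messages from the EEM applet) are only useful if something on the syslog server actually reads them. The following Python script is an added example, not code from the posts or from Cisco: it parses all three formats into events and flags two things a reviewer cares about, a privilege-15 change attributed to "unknown" (the enable password was used without an AAA-authenticated identity, exactly what the printout in the first post shows) and commands that switch logging off or copy the configuration to a TFTP server. The sample log lines, the user names in them and the list of review patterns are constructed for the example.

```python
import re

# Constructed sample syslog lines, modeled on the three message formats shown in the posts;
# the user names and commands are invented for this example.
SAMPLE_LOG = """\
03:00:50: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown on console
03:00:52: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 1 by unknown on console
3d03h: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:interface loopback 0
3d03h: %PARSER-5-CFGLOG_LOGGEDCMD: User:alice logged command:no logging console
3d03h: %HA_EM-6-LOG: CLIaccounting: show running-config
3d03h: %HA_EM-6-LOG: CLIaccounting: copy system:running-config tftp:
"""

PRIV_RE = re.compile(
    r"%SYS-5-PRIV_AUTH_PASS: Privilege level set to (?P<level>\d+) by (?P<user>\S+) on (?P<line>\S+)"
)
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+) logged command:(?P<command>.*)$")
EEM_RE = re.compile(r"%HA_EM-6-LOG: (?P<applet>\S+): (?P<command>.*)$")

# Constructed review list: commands that turn logging or the config archive off, and copies of
# the configuration to a remote TFTP server.
REVIEW_PATTERNS = (
    re.compile(r"^no (logging|archive)\b"),
    re.compile(r"^copy .*\btftp:"),
)


def parse_line(line):
    """Turn one IOS syslog line into an event dict; return None for lines this parser does not know."""
    m = PRIV_RE.search(line)
    if m:
        return {"type": "privilege", "level": int(m.group("level")),
                "user": m.group("user"), "line": m.group("line")}
    m = CFGLOG_RE.search(line)
    if m:
        return {"type": "config", "user": m.group("user"), "command": m.group("command").strip()}
    m = EEM_RE.search(line)
    if m:
        return {"type": "cli", "applet": m.group("applet"), "command": m.group("command").strip()}
    return None


def audit(lines):
    """Parse all lines; return (events, findings), findings being human-readable strings."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    findings = []
    for e in events:
        # "unknown" as the user means the enable password was used without a per-user AAA
        # identity, so the privilege change cannot be attributed to a person.
        if e["type"] == "privilege" and e["level"] >= 15 and e["user"] == "unknown":
            findings.append(f"unattributed privilege {e['level']} on {e['line']}")
        if e["type"] in ("config", "cli") and any(p.search(e["command"]) for p in REVIEW_PATTERNS):
            findings.append(f"{e['type']} command needs review: {e['command']}")
    return events, findings


if __name__ == "__main__":
    evs, found = audit(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} events parsed")
    for f in found:
        print(f)
```

On a real syslog server you would feed the script the router's log file instead of SAMPLE_LOG; with AAA in place the "unknown" finding goes away because the privilege message then carries the authenticated user name.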