

Simple extensions to exec-mode CLI

The various show filters available in Cisco IOS are a great tool to minimize the amount of printout you have to analyze. Their only problem (from my perspective) is that you cannot make an alias out of them: you usually have to supply one or more parameters to the show command, these parameters have to be inserted before the filter, and the alias command does not support replaceable parameters. You could solve the problem with the Tcl shell, but I'm not sure many networking engineers are fluent Tcl programmers. Fortunately, the code you need is so simple anyone can create a working solution.

Follow these simple steps:

  1. Execute the show command you're interested in and fine-tune the filter. For example, I wanted to have a short display of IP interfaces produced with the show ip interface fa0/0 | include address|protocol command.
  2. Store the following line of Tcl code in a flash file: puts [exec "your-command"], replacing the arguments in your command with $argv (you can use this trick if you don't have an external file server handy). In my case, the flash:ipconfig.tcl file contained the following code:

puts [exec "show ip interface $argv | include address|protocol"]

  3. Define a command alias: alias exec new-command tclsh file-in-flash, for example, alias exec ipconfig tclsh flash:ipconfig.tcl.

Now you can execute your new command and use command parameters to select the printout you want.

X1#ipconfig fa0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.0.1/24
  Broadcast address is 255.255.255.255
  Helper address is not set
  Network address translation is disabled



Is Internet melting down?

A while ago I read a post about the potential Internet meltdown by Michael Morris. He provided an amazingly accurate analysis of the facts … and ended with a wrong conclusion. To understand the whole issue, please thoroughly read his text in its entirety before proceeding.

Back? OK. As I said, his analysis was great, but the conclusions were wrong. Regardless of whether we use IPv4 (and advertise smaller and smaller prefixes) or IPv6, the problem is the same: everyone wants to have chunks of non-aggregatable provider-independent public address space (so you can freely move between Service Providers) and everyone advertises these PI prefixes to multiple service providers (because multihoming is so cheap these days). Even networks that are not multihomed today use their own PI address space and private AS numbers to connect to a single ISP, so they could get multi-homed in a second if they feel like it.

The growth of the Internet routing tables thus has nothing to do with the prefix sizes or the version of IP, but with the requirement of the end-customers to be able to switch service providers at will. As long as this trend persists (and I cannot see it stopping, as the Internet is considered a commodity these days), the routing tables will grow, regardless of whether we use IPv4, IPv6, CLNS or something not invented yet.


IOS hints Wiki is part of NIL Community

The careful visitors of my Wiki have probably noticed subtle changes in its design, particularly the logo in the upper-left corner. When we launched the NIL community, my Wiki became an official part of it. I'm positive this change will result in even more high-quality content, as other experts within NIL will contribute to the wiki. The wiki will go beyond Cisco (we provide end-to-end solutions including servers, VMware, one-time password solutions and network management tools), so we've changed the name from Ciscopedia to Communications Technologies Tips and Tricks, which has a nice acronym: CT3.

I would also kindly ask those of you who link to my Wiki to use the new URL (wiki.nil.com), not the old one (wiki.ioshints.info). I've set up automatic redirects, but it's better to use the final URL (it also improves the response time for the end-users).


Simple EIGRP in MPLS VPN networks

A few days ago I was involved in an interesting EIGRP-within-MPLS/VPN troubleshooting session. I wanted to reproduce the behavior in the lab, so I set up a simple EIGRP lab … and realized that it's been a while since we wrote MPLS and VPN Architectures, Volume II, which covers EIGRP used as the PE-CE routing protocol. To make things more interesting, a few details have changed in the meantime; you have to configure the following features to get EIGRP running within an MPLS/VPN environment:
  • The autonomous-system command within the VRF address family is mandatory, even if the VRF AS number matches the EIGRP process number.
  • The default BGP-to-EIGRP redistribution metric has to be configured; otherwise remote EIGRP routes will not be redistributed, even though they have the EIGRP metric encoded in extended BGP communities.
  • Things work best if you disable auto-summary on the PE-routers.

You can find more details and complete configuration examples in the EIGRP in MPLS VPN networks article I wrote in the CT3 wiki.


OOPS :)

This is what I found in my e-mail this morning … and this is what happens when I click the link in the e-mail (as of 11:36 CET on June 26th, 2008): it's comforting to know the Apache web server has been installed :)

Static DHCP assignment for clients without client-id

A while ago I installed Fedora Linux on one of my workstations and spent an enormous amount of time trying to give it a static IP address from the Cisco IOS DHCP server. I thought I was the only one dumb enough to have this problem, so I didn't document my solution, but then one of the readers made a comment to the Assigning server IP addresses with DHCP post describing almost identical symptoms:

I have a hp2300n and I want to make a static IP assignment with DHCP. Nothing is working: hardware-address, client-identifier, no prepend, 01 prepend, 00 prepend.

In my case, the Fedora DHCP client did not send any DHCP client-ID in the DHCPREQUEST message. One would think that the IOS DHCP server would use the MAC address as the client-ID, but that's not the case. You have to configure the hardware-address parameter in the host DHCP pool to match the MAC address of the DHCP client with the pool and the static IP address:

ip dhcp pool fedi
host 192.168.200.206 255.255.255.240
hardware-address 000f.fe83.bca9
dns-server 208.67.220.220 208.67.222.222
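To tell in advance which of the two host-pool keywords will match a given client, you can look at the DHCPREQUEST it sends. The following Python example is added here and is not part of the original post: it builds a constructed DHCPREQUEST (the builder and its values are assumptions for illustration), parses the BOOTP header and the options, and reports the IOS statement that matches the client, hardware-address when option 61 is absent, client-identifier with the exact option bytes when it is present.

```python
"""Which IOS host-pool keyword will match this DHCP client?

Added example, not part of the original post. The DHCPREQUEST is
constructed (builder included), not captured. If the client sends no
option 61, IOS can only match it through 'hardware-address'; if it does,
'client-identifier' must carry the exact option bytes, which for Ethernet
clients is usually 0x01 followed by the MAC (the "01 prepend").
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255
DHCPREQUEST = 3


def build_dhcp_request(mac: bytes, client_id: Optional[bytes]) -> bytes:
    """Construct a minimal BOOTP/DHCP message (op=1, htype=1 Ethernet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0,            # op, htype, hlen, hops
        0x3903F326, 0, 0x8000,        # xid (constructed), secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


@dataclass
class DhcpMessage:
    htype: int
    chaddr: bytes                 # hardware address, hlen bytes of the chaddr field
    options: Dict[int, bytes]     # option code -> raw value


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the DHCP option list."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    htype, hlen = packet[1], packet[2]
    chaddr = packet[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return DhcpMessage(htype, chaddr, options)


def ios_dotted_hex(data: bytes) -> str:
    """Format bytes the way IOS prints hardware addresses: 000f.fe83.bca9."""
    h = data.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def ios_host_binding(packet: bytes) -> str:
    """Return the host-pool statement that matches this client on the IOS DHCP server."""
    msg = parse_dhcp(packet)
    client_id = msg.options.get(OPT_CLIENT_ID)
    if client_id is None:
        # No option 61 in the request: only the MAC address (chaddr) can be matched
        return f"hardware-address {ios_dotted_hex(msg.chaddr)}"
    return f"client-identifier {ios_dotted_hex(client_id)}"
```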

This article is part of You've asked for it series.


PPP default route

One of those readers who prefer to remain anonymous has left an interesting comment to my post “Almost-dynamic routing over ADSL interfaces”:
You do not need the route "ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 100" and the tracking if you configure "ppp ipcp route default" on the dialer interface. Works the same way... :-)
You might be wondering why Cisco's engineers decided to pollute IOS with yet another feature. The problem they had was the way PPP over Frame Relay is implemented: it uses virtual interfaces, and although you have a very static connection, you cannot bind a static interface name to it. A dynamic interface (with a potentially changing name) is cloned from the virtual template every time the PPP-over-Frame-Relay session is started. Obviously you cannot configure a static default route pointing to it in advance, so you need yet another feature to do it (I'll not even try to figure out how to create non-default static routes pointing to a cloned interface).

Disable optional IOS features on high CPU load

One of my readers has submitted an interesting EEM applet in a comment to the Generate SNMP trap on high CPU load post. The applet monitors the CPU load (using an SNMP variable from the CISCO-PROCESS-MIB) and disables WCCP when the 1-minute average load exceeds 75%. You can change the thresholds or disable/enable other IOS features by modifying the applet's source code.

Followup: zone-based firewall performance

The Zone-based firewall performance post has generated a few interesting comments. William Chu and an anonymous reader posted links to a Cisco ZBFW performance document. The document claims that the performance of TCP session inspection was significantly increased in 12.4(4)T (which would apply to CBAC as well, since zone-based firewalls were introduced in 12.4(6)T), but the maximum HTTP throughput numbers for ZBFW are way lower than the Cisco IOS Firewall Performance figures (table 3 of the Cisco Integrated Firewall Solutions document). One can only guess that the discrepancy does not indicate that CBAC is twice as fast as ZBFW, but illustrates the gap between real-life test scenarios and marketing figures.

David has also mailed me an interesting observation: CBAC inspects all traffic exiting (or entering) an interface; ZBFW inspects only inter-zone traffic. This distinction does not matter in common scenarios where there is not much traffic between external interfaces, but it could become important if you use IOS firewall to filter traffic between two IP networks and have multiple transit interfaces in each network.


Display locally originated BGP routes

Displaying the BGP routes originated in the local AS is simple: you just filter the BGP table with a regular expression matching an empty AS path. Displaying routes originated by the local router is tougher. You could use the fact that the local routes have the weight set to 32768:

PE-A#show ip bgp quote-regexp "^$" | inc Network|32768
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i

This would work if you don’t play with BGP weights in network statements. If you’ve changed the weights, you should filter the routes based on the BGP next-hop: locally originated routes have the next-hop 0.0.0.0 and all other routes should have a non-zero BGP next-hop. To filter BGP routes based on the next-hop you have to:

  • Define an access-list that matches desired next-hop (0.0.0.0)
  • Define a route-map that uses the access-list to match IP next hop.
  • Display BGP routes matched by a route-map.

A sample configuration and show command printout is included below:

ip access-list standard AllZeros
permit 0.0.0.0
!
route-map NextHopSelf permit 10
match ip next-hop AllZeros

PE-A#show ip bgp route-map NextHopSelf | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i

To make this command simpler to use, define an alias: alias exec mybgp show ip bgp route-map NextHopSelf | begin Network.


Control Plane Protection logging does not work on transit subinterface

When I was trying to test how a router running IOS release 12.4(15)T5 classifies inbound IP packets into the various CPPr subinterfaces, I wanted to use the log action in the MQC classes I had defined. This approach worked perfectly for the host and cef-exception interfaces (I even saw ARP packets logged), but the packets classified as transit generated no log messages. While this makes perfect sense (after all, only punted packets are processed by the transit service-policy), IOS should generate a warning when you apply a policy-map with the log option as a service-policy on the control-plane transit interface.

IOS auto-upgrade

I noticed the IOS auto-upgrade functionality when IOS software release 12.4(15)T was launched, but it was missing from the 1800 images, so I wrote a note in the "to-test" folder and forgot about it. In the meantime, the code obviously appeared in the IOS images, as Joe Harris managed to get the auto-upgrade from CCO to work. However, the IOS documentation lacks "a few" details, while Joe's post has a step-by-step explanation.

Change the source IP address of an EEM SMTP session

I've got the following question from Levi:
I have a Tcl script that is used in conjunction with EEM to send email whenever the amount of CRC errors on a particular interface increases above a certain threshold. My problem is that the router uses the IP of the outgoing interface as the source IP when it communicates with the SMTP server. This particular interface happens to have a private IP. There's another interface with a public IP and I wanted to know how to get the router to use the public IP on the other interface when it's sending email generated by the TCL script.
There are several ways to solve this problem. If you use Tcl, you could write your own SMTP client and use the -myaddr parameter in the socket call to specify the source IP address. Those of us who prefer EEM applets are not so lucky: you have to use NAT to change the source IP address before the packet is sent toward the SMTP server.

This article is part of You've asked for it series.


Zone-based firewall performance

David asked me an interesting question:

Can you comment on the performance differences between zone-based firewalls and the classic Content-Based Access Control (CBAC) IOS firewall? I’m running into issues where the router is running VoIP and CBAC, and call quality issues are appearing during heavy data usage.

I never did performance tests with one or the other, but I wouldn’t expect the zone-based firewall (ZFW) performance to exceed CBAC. They use the same (or at least very similar) code; ZFW is primarily a different method of configuring the same functionality.

Does anyone have different experience? It looks like Colin McNamara disagrees with me, but the document with performance data I found on Cisco’s web site does not list different figures for CBAC and ZFW (and they would surely make them public if ZFW were way better than CBAC).

This article is part of You've asked for it series.


Reorganized NIL training catalog

Our software developers have recently restructured our training catalog, resulting in a much cleaner look-and-feel in which (I hope) you'll find it easier to locate what you're looking for. The feature I like most, which was sorely missing from the old catalog pages, is the right sidebar telling you how to get the product, and the Also available section listing related products. I am positive you'll also like the ability to view the descriptions of individual lab exercises (from the product details section of remote lab descriptions), where the right sidebar tells you which products contain this particular exercise. As always, your feedback is most welcome :)

NAT caveats in IOS release 12.4T

If you have upgraded your router from any other IOS release to release 12.4T without changing the NAT configuration (or loaded a NAT configuration known to work elsewhere into a router running IOS release 12.4T), you might have encountered weird behavior due to the changes in the NAT implementation. The unexpected behavior and the configuration fixes needed to avoid the NAT-related problems are described in my new NAT Caveats in IOS release 12.4T article.

BGP Templates on MPLS VPN PE-routers

BGP session and policy templates are a fantastic feature if you want to design scalable, easy to maintain BGP configurations. The IOS documentation doesn't even mention how they could be used in designs using multiple address families, for example in MPLS VPN networks; the article I wrote in the CT3 wiki should resolve any ambiguities.

Display BGP routes originated in the local AS

The easiest way to display BGP routes originating in the local autonomous system is to use the regular expression ^$ (empty AS-path) in the show ip bgp regexp command, for example:

PE-A#show ip bgp regexp ^$
BGP table version is 10, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i
r>i10.0.1.2/32 10.0.1.2 0 100 0 i

If you want to apply a show filter to the printout of this command, you have to use the quote-regexp variant; otherwise the rest of the line is interpreted as part of the regular expression. To skip the header explaining the BGP status codes (we know them by heart by now, don’t we?), use …

PE-A#show ip bgp quote-regexp "^$" | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i
r>i10.0.1.2/32 10.0.1.2 0 100 0 i

… and end with the eye candy – define this command as an alias: alias exec localbgp show ip bgp quote-regexp "^$" | begin Network.
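The same two selections (empty AS path for routes originated in the local AS, next hop 0.0.0.0 for routes originated on this router, as described in the Display locally originated BGP routes post above) can be applied off-box to saved show ip bgp output. The following Python example is added here and is not part of the original posts: it parses a constructed sample table in the IOS column layout (including the fused r>i status codes and a continuation line for a second path to the same prefix) and implements both filters; the sample rows and the helper names are assumptions.

```python
"""Off-box equivalent of 'show ip bgp regexp ^$' and of the NextHopSelf route-map.

Added example, not part of the original posts. The sample table is constructed
in the IOS column layout (status codes fused to wide prefixes, blank Metric and
LocPrf fields, a continuation line for a second path to the same prefix).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
BGP table version is 10, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.1/32      0.0.0.0                  0         32768 i
r>i10.0.1.2/32      10.0.1.2                 0    100      0 i
*> 192.0.2.0/24     10.0.1.2                 0    100      0 65001 i
*                   10.0.1.3                 0    100      0 65001 i
"""

# The status column is three characters wide and is fused to the prefix when
# the prefix is long ("r>i10.0.1.2/32"); the prefix is blank on continuation lines.
ROW_RE = re.compile(
    r"^(?P<status>[sdh*>irS ]{3})"
    r"(?P<prefix>\S+)?\s+"
    r"(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})\s"
)


@dataclass
class BgpRoute:
    status: str         # e.g. "*>" or "r>i"
    prefix: str
    next_hop: str
    weight: int
    as_path: List[str]  # AS numbers in order, origin code stripped
    origin: str         # i, e or ?


def parse_bgp_table(text: str) -> List[BgpRoute]:
    """Parse IPv4 'show ip bgp' output into BgpRoute records."""
    routes: List[BgpRoute] = []
    path_col: Optional[int] = None
    last_prefix = ""
    for line in text.splitlines():
        if path_col is None:
            # Skip the preamble; the header tells us where the Path column starts
            if "Network" in line and "Path" in line:
                path_col = line.index("Path")
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        prefix = m.group("prefix") or last_prefix   # continuation line reuses prefix
        last_prefix = prefix
        left = line[:path_col].split()              # last field is the Weight
        path = line[path_col:].split()              # AS numbers, then origin code
        routes.append(BgpRoute(
            status=m.group("status").strip(),
            prefix=prefix,
            next_hop=m.group("next_hop"),
            weight=int(left[-1]),
            as_path=path[:-1],
            origin=path[-1],
        ))
    return routes


def originated_in_local_as(routes: List[BgpRoute]) -> List[BgpRoute]:
    """Same selection as 'show ip bgp regexp ^$': empty AS path."""
    return [r for r in routes if not r.as_path]


def originated_on_this_router(routes: List[BgpRoute]) -> List[BgpRoute]:
    """Same selection as the NextHopSelf route-map: next hop 0.0.0.0.
    Testing weight == 32768 instead would break as soon as weights are
    changed in network statements, so the next hop is the safer criterion."""
    return [r for r in routes if r.next_hop == "0.0.0.0"]
```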


Fix the "do" command

The do command available in the configuration modes of Cisco IOS is probably one of the best features ever implemented in IOS, but you tend to continue typing the do keyword even in exec mode, resulting in syntax errors. The alias command doesn't help, as you cannot specify an empty command line. However, there is a Tcl-based workaround. Store the following Tcl code in flash:do.tcl:

puts [exec $argv]

Configure alias exec do tclsh flash:do.tcl and you can execute the do command from exec mode.

This simple solution does not page the output; a lot more work would be needed to implement proper paging functionality.


Not all free services are created equal

During my problems with the Blogger poll, the web site I'm using to count visitors also experienced huge problems. Since I lost only the weekend stats, I didn't even think about opening a ticket or complaining ... but this is what I found when I logged into their web site today. One could only wish that everyone (including people that charge for their services, like my beloved ISP) would be as honest and responsive as these guys were in this particular instance.

The total failure of Blogger poll

The “What's your network size” poll was a total failure. Either Blogger messed up completely (before you ask: I did not get any response from the Google help groups or Blogger support) or someone was actively playing with the poll results (I guess that would not be so easy to do and would require significant creativity, so I wonder who would be willing to invest the time and energy into this). Anyhow, this is the nonsense I got at the end of the poll: the last time I looked at the results that made sense (around 300 votes), the spread was approximately 40% SP, 40% large enterprise, 15% SMB, 5% SOHO.

In my opinion, this failure is another proof that you have to pay for reliable service (regardless of what Google would like you to think) ... time to move to my own Wordpress server.

Configuring lines and terminals

Numerous comments to the "terminal exec prompt" post told me that it might be good to review the line/terminal configuration rules:
  • If you want to configure a permanent line characteristic (for example, international), you should do so in the VTY configuration (see also how the VTY configurations are merged);
  • If you want a temporary change in the characteristic of your current line (VTY or console), use terminal characteristic to enable it or terminal no characteristic to disable it.

For example, IOS performs DNS lookups on all names entered by a user (assuming ip domain-lookup is not disabled). You can change that behavior with the domain-lookup characteristic (enabled by default). To permanently disable DNS lookups on all VTYs use:

line vty 0 4
 no domain-lookup

To disable the lookup for the current session, use terminal no domain-lookup.

Public servers in a small multihomed site

If you want to deploy high-availability public servers within your network, you should implement a proper multi-homing solution including BGP routing with the Service Providers. If you don't have your own public IP address space and your own AS number, you should try to become multihomed to one ISP (or change your ISP if they don't know what you're talking about). If you want to be multi-homed to two ISPs using techniques similar to the ones I've described in the Small-Site Multi-Homing article, you should be using a hosted service (they're probably cheaper than your time), not your own public server.

But if you still insist (like numerous readers of my articles) on deploying public servers on a site multi-homed via NAT, you'll find the design and implementation guidelines in my latest IP Corner article Servers in Small Site Multi-homing.

This article is part of You've asked for it series.


Use the explicit "address-family ipv4" in BGP configurations

If you use multiprotocol BGP (MP-BGP) in your network to support MPLS VPN, IPv6 or IP Multicast over BGP, it's best if you go all the way and configure an explicit ipv4 address family; the resulting BGP configuration is significantly easier to read and understand as the session-specific parameters are clearly separated from the routing-specific parameters and the IPv4 settings are nicely grouped in an explicit section.

To change the format of the BGP configuration, configure the IPv4 address family with the address-family ipv4 unicast router configuration command (the neighbor statements and other configuration settings pertinent to IPv4 configuration are automatically moved into the new address family) or manually activate a BGP neighbor for IPv4 route exchange with the neighbor activate router configuration command.

To illustrate the differences between the traditional BGP configuration and the per-address-family configuration, consider a simple MPLS VPN+Internet setup. First the traditional approach:

router bgp 65000
template peer-policy Internal
send-community both
exit-peer-policy
!
template peer-session Internal
remote-as 65000
update-source Loopback0
exit-peer-session
!
no synchronization
bgp log-neighbor-changes
network 10.0.1.1 mask 255.255.255.255
neighbor 10.0.1.5 inherit peer-session Internal
neighbor 10.0.1.5 description PE-C(RR)
neighbor 10.0.1.5 inherit peer-policy Internal
no auto-summary
!
address-family vpnv4
neighbor 10.0.1.5 activate
neighbor 10.0.1.5 send-community extended
exit-address-family

... and the changed configuration after the address-family ipv4 command has been entered:

router bgp 65000
template peer-policy Internal
send-community both
exit-peer-policy
!
template peer-policy InternalV6
send-label
inherit peer-policy Internal 1
exit-peer-policy
!
template peer-session Internal
remote-as 65000
update-source Loopback0
exit-peer-session
!
bgp log-neighbor-changes
neighbor 10.0.1.5 inherit peer-session Internal
neighbor 10.0.1.5 description PE-C(RR)
!
address-family ipv4
no synchronization
network 10.0.1.1 mask 255.255.255.255
neighbor 10.0.1.5 activate
neighbor 10.0.1.5 inherit peer-policy Internal
no auto-summary
exit-address-family
!
address-family vpnv4
neighbor 10.0.1.5 activate
neighbor 10.0.1.5 send-community extended
exit-address-family

CEF and MLS

Harold Arley Morales has asked an interesting question:

What's the difference between Cisco Express Forwarding and Cisco MLS? Is Cisco's implementation of MLS standardized?

CEF is a routing table lookup mechanism. Instead of doing a lookup in the main IP routing table (displayed with the show ip route), the router does a lookup in a fully computed non-recursive version of the IP routing table (Forwarding Information Base - FIB) with layer-2 next-hop information attached to it (adjacency table).

MLS is a caching mechanism (similar to Netflow) that offloads layer-3 processing from the routing component into layer-2 ASICs that cannot perform full-blown layer-3 switching. When the layer-2 engine detects a single IP packet traversing multiple VLANs, the MLS populates the cache with the flow details and the subsequent packets belonging to the same flow (same source/destination IP addresses and port numbers ...) are switched without going through all the layer-3 mechanisms (for example, access lists). The Multilayer Switching Overview document gives you additional details.

The MLS uses a proprietary protocol (MLSP) through which the layer-2 switches identify routers.

This article is part of You've asked for it series.

Update 2008-12-08: Ofer Granit sent me the following information: according to Troubleshooting IP Multilayer Switching document, Supervisor Engine 2 and Supervisor Engine 720 no longer use MLS but rely exclusively on CEF to perform layer-3 forwarding.


Another way to generate SNMP trap on high CPU load

Yesterday I described how you can use the ERM functionality together with an EEM applet to generate SNMP traps whenever the CPU load exceeds predefined thresholds. When testing this solution, I started to wonder what the snmp-server enable traps cpu threshold command does. After a lengthy conversation with uncle Google and the Cisco documentation, I found that there's another way to detect and report high CPU load in Cisco IOS: the CPU threshold notification introduced in IOS release 12.3T (and Tassos pointed that out before I had the time to write a post about it :).

To use this feature, you have to configure the thresholds with the process cpu threshold configuration command and enable the related SNMP traps with snmp-server enable traps cpu threshold. For example, to send SNMP traps whenever the total CPU load measured over a 30-second interval exceeds 40%, use the following configuration:

snmp-server enable traps cpu threshold
process cpu threshold type total rising 40 interval 30

Programming language consistency

I've just started to read the AXP (Linux on router module) documentation and found the set of supported programming languages somewhat intriguing. I don't like Tcl at all (and I am glad someone within Cisco finally acknowledged the existence of Perl), but if they made us jump through hoops to get scripting capabilities on IOS, they should include it on AXP as well.

Generate SNMP trap on high CPU load

Gernot Nusshall has asked an interesting question:
How could I configure the EEM to send an SNMP trap when the cpu load (interval=30sec) is higher than 30%?
My first solution was to enable resource policy traps with the snmp-server enable traps resource-policy command, but this feature was introduced in 12.4(15)T and I am not sure everyone is willing to run the latest-and-greatest IOS code. Furthermore, it looks like the traps are sent only for resource policies defined through the ERM MIB; I was not able to generate a trap from a manually configured resource policy. Obviously it was time for another EEM applet.

EEM version 2.0 (available in 12.2S, 12.3T and 12.4) includes the action snmp-trap command, which can generate a trap from an EEM applet. To generate CPU utilization traps, configure the desired resource policy and an EEM applet that is triggered on the ERM policy event. The simplest EEM applet would just report a change in ERM policy …

event manager applet ReportHighCPU
 event resource policy "HighGlobalCPU"
 action 1.0 snmp-trap strdata "High CPU"

… but as the applet would be run on rising and falling events, it would make sense to include a few _resource_* environment variables in the SNMP trap data. Last but not least, don't forget to enable EEM traps with the snmp-server enable traps event-manager configuration command.

This article is part of You've asked for it series.
