Blog Posts in October 2006

Use Cisco IOS FTP server to bypass Microsoft "security patch"

Microsoft decided a while ago to disable the ability to send username and password encoded in URL to a web server. This "security patch" also prevents you from serving files from Cisco IOS web server without explicit user login (IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:password@router/file URL.

To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed by the ftp-server topdir directory command which specifies the top-level FTP directory (for example, flash:). To authenticate FTP users, define local usernames with the username user password password configuration command.
add comment

TAR support in Cisco IOS

Cisco IOS supports the Unix tar format with the archive command. For example, to inspect the contents of the Secure Device Manager (SDM) that is present in Flash memory on most routers, use the archive tar /table flash:sdm.tar command.

You can also use the archive tar /xtract command to extract a tar file (local or external) into a directory (yet again local or external). For example, with the command archive tar /xtract flash:sdm.tar tftp:// you'd extract the SDM tar archive to a TFTP server.

Note: tar extract cannot create subdirectories on a TFTP server, the directory structure has to be prepared in advance.
see 1 comments

Home page for Cisco IOS web server

Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:
  1. The home.html file if it exists in any filesystem;
  2. The home.shtml file if it exists in any filesystem;
  3. a default page with links to exec, SDM, QDM and TAC support

Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.

see 2 comments

BGP peer groups no longer a performance feature

In Cisco IOS release 12.3T (integrated in 12.4), we've got an interesting (and quite understated) BGP feature: BGP peer-groups are no longer a performance feature (previously, IOS used them to reduce the time needed to compute outbound BGP updates). IOS now performs automatic grouping of BGP neighbors in dynamic update peer-groups that receive identical BGP updates based on per-neighbor outbound parameters.
add comment

Running syslog over TCP

Syslog has always been considered an undependable means of reporting network problems by serious network administrators as it runs over unreliable UDP transport. Sometime in the twilight zone between IOS releases 12.3T and 12.4, Cisco IOS got the capability to transport syslog messages over TCP with the logging host ip-address transport tcp port configuration command (the command is documented in 12.4 manuals but missing in 12.3T manuals).

Note: IOS implements standard syslog stream over TCP, not the more complex RFC 3195.

To support syslog over TCP, you also need TCP-capable syslog server. In Unix environments, you can use syslog-ng, on Windows, Kiwi syslog daemon is a perfect choice.

Note: to enable syslog over TCP in Kiwi Syslog Daemon, go to File/Setup/Inputs/TCP, click Listen for TCP Syslog messages and enter the desired TCP port number.
see 4 comments

CEF per-destination load sharing algorithms

According to the Cisco IOS documentation, you can select between the original and the universal CEF load sharing algorithm with the ip cef load-sharing algorithm name parameter global configuration command (we'll leave the tunnel algorithm aside for the moment). Of course, they don't tell you what you select.

The original algorithm used only the source and destination IP addresses to get the 4-bit hash entry (see the CEF Load Sharing Details for more information), which could result in suboptimal network utilization in some border cases (if anyone wants to know why, leave me a comment). The universal algorithm adds a router-specific value to the hash function, ensuring that the same source-destination pair will hash into a different 4-bit value on different boxes. If you really want to fine-tune the hash function, you can even specify the value to be added with the last option of the ip cef load-sharing algorithm command.
see 8 comments

CEF load sharing details

I had to investigate the details of CEF load sharing for one of my upcoming article and found (yet again) that the details are rather undocumented in official documentation. So, this is how it works (in case you ever need to know):
  • For every CEF entry (IP route) where there are multiple paths to the destination, the router creates a 16-row hash table, populating the entries with pointers to individual paths. The hash table can be inspected with the show ip cef prefix internal command.
  • The load balancing ratio is approxiated by number of entries in the hash table belonging to each path. If you have unequal-cost load balancing (EIGRP based on composite metrics and MPLS TE tunnels based on requested bandwidth), individual paths will be associated with different number of rows.
  • If you configure per-destination load balancing, the source and destination IP address in the incoming IP packet are hashed into a 4-bit value that selects the outgoing path in the CEF has table.
read more see 12 comments

Disable command execution with Cisco IOS web server

If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
  1. List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
  2. Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
  3. ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
  4. Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
  5. Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.
add comment

Include a default username/password in web request

I've got a great question related to a previous post:
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
Note: this syntax no longer works in Internet Explorer with latest security patches, please read for more information on how to re-enable this behavior.
add comment

Multilevel web (HTTP) access to a router

In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.

Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:
username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin
Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.

The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute non-privileged (level-1) show users command, use the following URL:
Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.
add comment

Reload a router from VBScript or PERL with a HTTP (web) request

If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:
ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.

The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Const RouterIP = "" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password

Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
And here is the equivalent PERL code for the open source community:
use LWP::UserAgent;

$routerIP = "";
$enablePwd = "password";

$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic('', $enablePwd);
print $ua->request($req)->as_string;
By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use proper username/password pair in the HTTP request.
add comment

Subinterface link status logging

If you're still stuck with frame-relay connections (or use them in test environment, because it's easy to set up any-to-any connectivity between a larger number of routers), you were probably used to subinterface logging events reporting when the line protocol on a point-to-point subinterface would go up or down based on LMI DLCI status.

Very quietly, these logging events disappeared, first on 7500-series routers in IOS release 12.1(14), now they're gone by default on all platforms. If you still want to see what's going on with your frame-relay subinterfaces, you have to enter logging event subif-link-status configuration command on every subinterface.

I can only guess that some people that used the syslog events for network management were very surprised by the first (undetected) frame-relay failure following an IOS upgrade :)
see 1 comments

Periodic router reload

Sometimes when using not-so-very stable IOS versions, periodic reload of a router during a non-peak (or idle) period is a good idea that can significantly increase the overall stability of your network. Until release 12.4, you had to write an external script that would log into the router and execute the reload command. With the Embedded Event Manager, the task is surprisingly simple - just enter the following configuration commands to reload the box every midnight (of course it helps if your router is NTP-synchronized to a reliable clock source and has correctly configured time zone).
event manager  applet Reload
event timer cron name Reload cron-entry "@midnight"
action 1.0 reload
The @midnight is a predefined symbolic value for "0 0 * * *". Of course you can use any other value that the UNIX cron utility would recognize as valid first five fields (time specification; username and command line are obviously not used).
add comment