Blog Posts in October 2006
To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed by the ftp-server topdir directory command which specifies the top-level FTP directory (for example, flash:). To authenticate FTP users, define local usernames with the username user password password configuration command.
You can also use the archive tar /xtract command to extract a tar file (local or external) into a directory (again, local or external). For example, with the command archive tar /xtract flash:sdm.tar tftp://10.0.0.10 you'd extract the SDM tar archive to a TFTP server.
Note: tar extract cannot create subdirectories on a TFTP server; the directory structure has to be prepared in advance.
- The home.html file if it exists in any filesystem;
- The home.shtml file if it exists in any filesystem;
- A default page with links to exec, SDM, QDM and TAC support
Note: even though you can access the home.html file on the flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for HTTP requests with the ip http path flash: command.
Note: IOS implements standard syslog stream over TCP, not the more complex RFC 3195.
To support syslog over TCP, you also need a TCP-capable syslog server. In Unix environments, you can use syslog-ng; on Windows, Kiwi Syslog Daemon is a perfect choice.
Note: to enable syslog over TCP in Kiwi Syslog Daemon, go to File/Setup/Inputs/TCP, click Listen for TCP Syslog messages and enter the desired TCP port number.
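As an added example (not code from the original post), here is a minimal receiver for the plain newline-delimited syslog stream that IOS sends over TCP (no RFC 3195 framing): it keeps a buffer so a message split across two TCP reads is reassembled, and it parses the IOS line layout (PRI, optional sequence number, timestamp, mnemonic, text). The line layout, the port and the sample messages are assumptions/constructed.

```python
import re
import socket

# Assumed IOS line layout: <PRI>[seq: ]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
IOS_LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?:(?P<seq>\d+): )?(?P<stamp>.*?): "
                      r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")

def parse_ios_line(line):
    """Parse one IOS syslog line into a dict, or return None if it does not fit."""
    m = IOS_LINE.match(line)
    if not m or int(m.group("pri")) > 191:   # PRI above 191 is not valid syslog
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)
    rec["seq"] = int(rec["seq"]) if rec["seq"] else None
    return rec

def split_stream(buffer, chunk):
    """Add a TCP chunk to the buffer; return (complete lines, unfinished tail)."""
    *lines, rest = (buffer + chunk).split(b"\n")
    return [l.decode("ascii", "replace").rstrip("\r") for l in lines if l], rest

def parse_chunks(chunks):
    """Run a sequence of TCP reads through the buffer and parse every full line."""
    buf, records = b"", []
    for chunk in chunks:
        lines, buf = split_stream(buf, chunk)
        records += [r for r in map(parse_ios_line, lines) if r]
    return records

def serve(host, port, handler=print):
    """Accept one TCP connection and hand each parsed record to handler."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                lines, buf = split_stream(buf, chunk)
                for rec in filter(None, map(parse_ios_line, lines)):
                    handler(rec)

# Constructed sample: two IOS messages, the second one split across TCP reads.
CHUNKS = [
    b"<187>42: *Oct  5 14:32:10.123: %LINK-3-UPDOWN: Interface Serial0/0.1,"
    b" changed state to down\r\n<189>43: *Oct  5 14:32:1",
    b"1.456: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.10)\r\n",
]

if __name__ == "__main__":
    for record in parse_chunks(CHUNKS):
        print(record["severity"], record["mnemonic"], record["text"])
```

Calling serve("127.0.0.1", 1468) listens for one router connection; the port must match the one configured on the router with logging host ... transport tcp port.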
The original algorithm used only the source and destination IP addresses to get the 4-bit hash entry (see the CEF Load Sharing Details for more information), which could result in suboptimal network utilization in some corner cases (if anyone wants to know why, leave me a comment). The universal algorithm adds a router-specific value to the hash function, ensuring that the same source-destination pair will hash into a different 4-bit value on different boxes. If you really want to fine-tune the hash function, you can even specify the value to be added with the last option of the ip cef load-sharing algorithm command.
- For every CEF entry (IP route) where there are multiple paths to the destination, the router creates a 16-row hash table, populating the entries with pointers to individual paths. The hash table can be inspected with the show ip cef prefix internal command.
- The load balancing ratio is approximated by the number of entries in the hash table belonging to each path. If you have unequal-cost load balancing (EIGRP based on composite metrics and MPLS TE tunnels based on requested bandwidth), individual paths will be associated with different numbers of rows.
- If you configure per-destination load balancing, the source and destination IP addresses in the incoming IP packet are hashed into a 4-bit value that selects the outgoing path in the CEF hash table.
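An added illustration (not from the original post, and not Cisco's actual hash function) of the per-prefix 16-row hash table, the row-count approximation of an unequal-cost ratio, and the corner case the universal algorithm addresses: when every router hashes the same source/destination pair to the same row, a second stage of load sharing downstream only ever uses half of its rows. The SHA-256 based hash and the sample flows are stand-ins.

```python
import hashlib
from collections import Counter

ROWS = 16  # a 4-bit hash value selects one of 16 rows per prefix

def build_hash_table(paths, weights):
    """Fill the 16 rows with path names in proportion to the weights; an
    unequal-cost ratio is approximated by the number of rows each path gets."""
    total = sum(weights)
    table = []
    for path, weight in zip(paths, weights):
        table += [path] * round(ROWS * weight / total)
    table = table[:ROWS]
    while len(table) < ROWS:          # rounding may leave a row unfilled
        table.append(paths[0])
    return table

def hash_row(src, dst, router_id=0):
    """Stand-in hash (not Cisco's). Original algorithm: only src/dst feed it
    (router_id 0 on every box). Universal algorithm: a router-specific value
    is mixed in, so the same pair lands on different rows on different routers."""
    digest = hashlib.sha256(f"{src}|{dst}|{router_id}".encode()).digest()
    return digest[0] & 0xF

def forward(flows, table, router_id=0):
    """Count the flows each path receives on one router."""
    return Counter(table[hash_row(s, d, router_id)] for s, d in flows)

def two_stage(flows, upstream_id, downstream_id):
    """An upstream router splits flows over two downstream routers; each of
    those splits again over two links. Returns counts per (downstream router,
    link). With equal ids each downstream router only ever uses one link."""
    table = build_hash_table(["left", "right"], [1, 1])
    seen = Counter()
    for s, d in flows:
        first = table[hash_row(s, d, upstream_id)]
        second = table[hash_row(s, d, downstream_id)]
        seen[(first, second)] += 1
    return seen

# Constructed sample: 256 distinct source/destination pairs.
FLOWS = [(f"10.0.{i}.{j}", f"10.1.{j}.{i}") for i in range(16) for j in range(16)]

if __name__ == "__main__":
    print("2:1 unequal cost:", forward(FLOWS, build_hash_table(["A", "B"], [2, 1])))
    print("same hash on both stages:", two_stage(FLOWS, 0, 0))
    print("universal (per-router value):", two_stage(FLOWS, 1, 2))
```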
These tips will help you get the most out of the Cisco IOS embedded web server:
- List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
- Create a subset of applications you want to activate with the ip http session-module-list list-name module-list global configuration command, for example:
ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
- Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled the HTTPS server).
- Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active; all others should be inactive.
Is there any way to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify the username and password as part of standard URL syntax, http://username:password@router/rest-of-url, so to execute the show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:guest@router/level/1/exec/show/ip/interface/brief
Note: this syntax no longer works in Internet Explorer with the latest security patches; please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.
Before changing the HTTP authentication, you must define local usernames with the username username privilege level password password command, for example:
username guest privilege 1 password 0 guest
username admin privilege 15 password 0 admin
Note: unless you configure service password-encryption, the passwords in your configuration will remain in cleartext.
The last bit of the puzzle is the correct formation of the URLs: when executing a command on the router through a URL, you have to specify the required privilege level (the router will then prompt you for a username/password with at least that privilege level). The URL syntax is http://router/level/privilege-level/exec/command. For example, to execute the non-privileged (level-1) show users command, use the following URL:
http://router/level/1/exec/show/users/CR
Note: the /CR suffix at the end of the URL tells the router to execute a command that contains optional (non-present) parameters.
ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital: it limits access to the web server on your router to well-defined IP addresses.
The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Const RouterIP = "10.0.0.1" ' replace with router's IP address
Const EnablePassword = "password" ' replace with enable password
Set WebRq = CreateObject("MSXML2.XMLHTTP")
WebRq.Open "GET","http://" & RouterIP & "/level/15/exec/reload/CR",false,"Username",EnablePassword
WebRq.Send ' issue the request; the router reloads when it receives it
By default, the username specified in the web request is ignored by the router and the password has to be the enable password. Of course, if you change the authentication scheme on the router with the ip http authentication configuration command, you'd use the proper username/password pair in the HTTP request.
And here is the equivalent PERL code for the open source community:
use LWP::UserAgent;
use HTTP::Request;
$routerIP = "10.0.0.1";    # replace with router's IP address
$enablePwd = "password";   # replace with enable password
$ua = LWP::UserAgent->new;
$req = HTTP::Request->new(GET => "http://$routerIP/level/15/exec/reload/CR");
$req->authorization_basic("Username", $enablePwd);   # username is ignored by default
$ua->request($req);        # issue the request
Very quietly, these logging events disappeared, first on 7500-series routers in IOS release 12.1(14); now they're gone by default on all platforms. If you still want to see what's going on with your frame-relay subinterfaces, you have to enter the logging event subif-link-status configuration command on every subinterface.
I can only guess that some people that used the syslog events for network management were very surprised by the first (undetected) frame-relay failure following an IOS upgrade :)
event manager applet Reload
 event timer cron name Reload cron-entry "@midnight"
 action 1.0 reload
@midnight is a predefined symbolic value for "0 0 * * *". Of course you can use any other value that the UNIX cron utility would recognize as valid first five fields (the time specification; username and command line are obviously not used).