BGP configuration resources
- Cisco has published an excellent in-depth document as part of the Cisco IOS documentation.
- A lot of BGP technical documents can be found in the BGP resource center on CCO, including a simple document on BGP multihoming.
- Someone has put together a comprehensive list of BGP-related books on Amazon.com
- ... out of those books, Internet Routing Architectures is a must-have.
- If you'd like to know more about BGP, attending a Configuring BGP course might be a good idea (more so as passing the corresponding exam counts toward your CCIP certification).
- If you're a Cisco partner, you can get BGP-related remote labs free of charge:
- Start Partner e-learning connection.
- After landing on the main PEC page, click here.
- Everyone else can buy the same set of remote lab exercises from NIL Data Communications.
When is the default-gateway used?
b2#show ip route
Default gateway is 192.168.0.5
Host Gateway Last Use Total Uses Interface
1.2.3.4 192.168.0.10 0:00 13 FastEthernet0/0
Disabling IP routing on a router makes perfect sense if you use it as a (reverse) terminal server or telnet-to-X.25 gateway.
Sinkholes and blackholes
Save IOS printouts in a file
The show output can be redirected to a local file (in flash, on a USB token or even in NVRAM) or sent to a remote server (currently only FTP and TFTP servers are supported). For example, the show ip interface brief | redirect ftp://student:[email protected]/ifstatus command will store the current interface status on an FTP server.
Note: the append (or tee /append) operation only works on destinations that support the file append operation: class-C flash file systems, local disks, USB tokens and NVRAM.
Summarize IOS printouts (example: Frame Relay DLCIs)
b2#show frame pvc
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)
Active Inactive Deleted Static
Local 1 0 0 0
Switched 0 0 0 0
Unused 3 0 0 0
DLCI = 101, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0.101
input pkts 1003 output pkts 948 in bytes 107601
out bytes 106438 dropped pkts 68 in pkts dropped 68
out pkts dropped 0 out bytes dropped 0
... rest deleted ...
The first line I'm interested in contains the pattern "for interface", the second one "DLCI USAGE". My output filter would thus have to match any one of these patterns:
b2#show frame pvc | include (for interface|DLCI USAGE)
PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)
DLCI = 101, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0.101
DLCI = 201, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
DLCI = 302, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
DLCI = 401, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0
And to add icing on the cake, I defined an alias with the alias exec dlci show frame pvc | include (for interface|DLCI USAGE) configuration command. Now I can display the FR DLCI status with a simple dlci command.
Fix router configuration after a reload
Embedded Event Manager (EEM) solves this issue as well: you configure an applet that triggers on the syslog message SYS-5-RESTART and reapplies the necessary configuration commands. For example, to fix the bug CSCsf32390, Cisco recommends the following applet:
event manager applet add-buffer
event syslog occurs 1 pattern "%SYS-5-RESTART: System restarted"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "buffers particle-clone 16384"
action 4.0 cli command "buffers header 4096"
action 5.0 cli command "buffers fastswitching 8192"
action 6.0 syslog msg "Reinstated buffers command"
EIGRP stub routers: virtual classroom recording

Change the username/password prompt with AAA
To change the login prompts when using RADIUS servers, use the aaa authentication [banner|fail-message|password-prompt|username-prompt] text configuration command. For example, to introduce meaningful prompts when using a one-time password solution, you could use something similar to this configuration:
aaa authentication banner #
Access to this router is protected with one-time passwords.
Send an e-mail to [email protected] if you need access.
#
aaa authentication fail-message #
Login failed. Wait at least 30 seconds and retry
#
aaa authentication password-prompt "Enter your PIN + one-time password:"
aaa authentication username-prompt "Enter your username:"
Note: the texts specified with the password-prompt and username-prompt options are one-line texts delimited with quotes; the parameters of the banner and fail-message options are multi-line texts delimited with any character.
Changes in EIGRP summary address are no longer disruptive
Recent IOS releases are more lenient: a router with a change in summary address requests a resync (logged as graceful-restart on adjacent routers). A lot of updates and queries are still sent, but the adjacencies themselves are preserved:
- When configuring a summary route, all more specific prefixes on downstream routers enter active state.
- When a summary is removed, only the summary prefix itself enters active state and the affected router sends queries to all its neighbors, while the more specific prefixes are sent as regular EIGRP updates to the neighbors across the affected interface.
a1(config)#interface serial 0/0/0.100
a1(config-subif)#ip summary-address eigrp 1 0.0.0.0 0.0.0.0
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0/0.100) is resync: summary configured
a1(config-subif)#no ip summary-address eigrp 1 0.0.0.0 0.0.0.0
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.2 (Serial0/0/0.100) is resync: summary configured
... and the downstream router generates log messages similar to these:
b1#
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.1.1 (Serial0/0/0.100) is resync: peer graceful-restart
Continuous ping from a router
- Before starting the ping, set the line escape character to something you can generate from your keyboard (otherwise you won't be able to stop the command). For example, terminal escape 3 will set the escape character to Ctrl-C.
- Start the ping with the ping ip destination repeat very-large-value command. For example, ping ip 10.0.0.1 repeat 1000000 will ping the target host longer than you'll be willing to wait.
Execute multiple commands at once
event manager applet ClearAll
event none
action 1.0 cli command "clear ip route *"
action 2.0 cli command "clear ip bgp *"
You can trigger this applet with the event manager run ClearAll command, or you could configure a command alias, for example alias exec cleanup event manager run ClearAll.
Note: this article is part of You've asked for it series.
New CCNP certification training in e-learning format
Read more about this offering in the Blended Solutions Portfolio of NIL's web site.
Display top CPU processes on the router
router#show processes cpu sorted 1min
CPU utilization for five seconds: 1%/0%; one minute: 2%; five minutes: 2%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 180080 9762 18447 0.00% 1.75% 1.73% 0 Check heaps
62 648 181 3580 0.00% 0.31% 0.12% 2 Virtual Exec
25 4116 173 23791 0.49% 0.05% 0.00% 0 Per-minute Jobs
30 848 1172 723 0.00% 0.01% 0.00% 0 IP Input
81 12 357 33 0.08% 0.00% 0.00% 0 CEF Scanner
6 8 2 4000 0.00% 0.00% 0.00% 0 Pool Manager
4 0 86 0 0.00% 0.00% 0.00% 0 DHCPD Timer
3 4 27 148 0.00% 0.00% 0.00% 0 CRYPTO IKMP IPC
9 0 1 0 0.00% 0.00% 0.00% 0 AAA high-capacit
10 52 238 218 0.00% 0.00% 0.00% 0 ARP Input
... rest deleted ...
router#show processes cpu history
[The three ASCII graphs printed by this command (CPU% per second for the last 60 seconds, CPU% per minute for the last 60 minutes, CPU% per hour for the last 72 hours; * = maximum CPU%, # = average CPU%) did not survive extraction.]
Warm reload
The theory behind warm reload is simple: the router saves initial data (as stored in the IOS image) in a separate memory region and reuses the saved data together with the IOS code already residing in RAM to restart IOS. Of course, the IOS code (depending on the platform's memory management capabilities) or the saved data could get corrupted, therefore warm reload cannot be used continuously (and the router falls back to a traditional reload if it crashes before a specified time interval has elapsed).
Warm reload is configured with the warm-reboot count number uptime minutes configuration command. After it has been configured, a router reload (or power-up) is needed to initialize the saved data region. When the warm reboot is operational (as verified with the show warm-reboot command), you can use the reload warm command to start it. The output of the show warm-reboot command displays all the relevant setup parameters as well as the amount of memory used by this feature:
a2#show warm-reboot
Warm Reboot is enabled
Maximum warm reboot count is 5
Uptime after which warm reboot is safe in case of a crash is 2 (min)
Statistics:
0 warm reboots due to crashes and 0 warm reboots due to requests
have taken place since the last cold reboot
2823 KB taken up by warm reboot storage
The saved data region is also displayed with the show region command:
a2#show region
Region Manager:
Start End Size(b) Class Media Name
0x0F400000 0x0FFFFFFF 12582912 Iomem R/W iomem:(uncached_iomem_region)
0x3F400000 0x3FFFFFFF 12582912 Iomem R/W iomem
0x40000000 0x4F3FFFFF 255852544 Local R/W main
0x4000F000 0x431DFFFF 52236288 IText R/O main:text
0x431E0000 0x45F8C25F 47891040 IData R/W main:data
0x45F8C260 0x465FFA5F 6764544 IBss R/W main:bss
0x465FFA60 0x468C19AF 2891600 Local R/W main:saved-data
0x468C19B0 0x4F3FFFFF 146007632 Local R/W main:heap
0x80000000 0x8F3FFFFF 255852544 Local R/W main:(main_k0)
0xA0000000 0xAF3FFFFF 255852544 Local R/W main:(main_k1)
Why is the first ping lost?
When pinging a directly-attached host (end-station) from a router, it's quite common to lose the first reply, as shown in the following example (the same symptom might occur when pinging a remote host that has been inactive).
a2#ping 10.0.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Actually, it's not the reply that was lost; the request was never sent out. Whenever a router has to send a packet to a next hop (or directly attached destination) that has no entry in the ARP table, an ARP request is sent out, but the original packet is unconditionally dropped.
Tclsh command line parameters
In a previous post, I've described how to execute a Tcl file with the tclsh command. You can do even more than that: you can pass parameters to the executed file. Every word you enter after the file name in the tclsh command line is passed as a parameter to the Tcl code you execute. To get these parameters in Tcl, use Tcl commands similar to the code below:
# loop.tcl: changes loopback state
#
# syntax: tclsh loop.tcl ifnum state
#
# In Tcl a # starts a comment only at the beginning of a command, so a
# trailing comment on a command line has to be introduced with ";#"
set ifnum [lindex $argv 0]   ;# first parameter after file name
set ifstate [lindex $argv 1] ;# second parameter after file name
if {[string equal $ifstate ""]} {
  return -code error "Syntax: loop.tcl ifnum ifstate"
}
# ... rest of procedure ...
You'll find more details in the Tclsh command line parameters article in the CT3 wiki.
Scaling EIGRP networks with stub routers

Reload a router when ping fails
- Configure an IP SLA measurement (you'll find the necessary commands in the Not-so-Very-Static Routes section of my IP Corner article Small Site Multihoming). You might want to use the after parameter of the ip sla schedule command to ensure the router does not get reloaded immediately after startup, before the IP routing table has been populated.
- Configure a tracked object based on the IP SLA measurement with the track object-id rtr sla-id reachability command
- Configure an EEM applet that will reload the router if the tracked object enters the down state
event manager applet PingHasFailed
event track 100 state down
action 1.0 syslog msg "Ping has failed, reloading the router"
action 2.0 reload
Note: this article is part of You've asked for it series.
Authenticating HTTP requests with AAA
aaa authentication login web local
aaa authorization exec web local
!
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
Warning: the router executes AAA authentication/authorization for every HTTP request sent by the browser. It's thus very hard to integrate this solution with one-time passwords (unless you can cache the credentials on the AAA server).
Boot a 2800 router with a USB image
- When the router is reloaded, ROMMON reads the router configuration and tries to start the required image
- If ROMMON cannot load the image specified in the boot system command, it starts the default image (usually whatever is stored in on-board flash)
- When the first IOS image loads (after being copied and decompressed in most cases), it discovers that it's not the correct image
- The now-operational IOS image loads the new image in RAM (in our case from usbflash1:), decompresses it and transfers the control to it
Executing IOS commands from Tcl shell
- exec command to execute an exec-level command, for example exec "show ip route"
- ios_config mode command to configure the router
Note: I knew what I wrote initially did not feel right (although that's what the docs say), so I simply had to go back and do some more testing.
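Putting exec and ios_config together with the argv handling from the Tclsh command line parameters post above, here is an added example (not the article's loop.tcl and not Cisco's code): a script that shuts down or enables a loopback interface and then shows its state. The script name, the up/down keywords and the use of show ip interface brief are my assumptions; the command names themselves are the ones the article lists.

```tcl
# loopstate.tcl (added example): set a loopback interface up or down
# usage: tclsh flash:loopstate.tcl ifnum up|down
#
# Validate the command line first: whatever is handed to ios_config
# ends up in the running configuration, so accept only what we expect.
if {[llength $argv] != 2} {
    return -code error "Syntax: loopstate.tcl ifnum up|down"
}
set ifnum   [lindex $argv 0]   ;# first word after the file name
set ifstate [lindex $argv 1]   ;# second word after the file name
if {![string is integer -strict $ifnum] || $ifnum < 0} {
    return -code error "ifnum must be a non-negative integer"
}
switch -- $ifstate {
    up      { set cmd "no shutdown" }
    down    { set cmd "shutdown" }
    default { return -code error "state must be up or down" }
}
# ios_config enters configuration mode, runs "interface LoopbackN"
# and then the commands that follow it inside that sub-mode
ios_config "interface Loopback$ifnum" $cmd
# exec runs an exec-level command and returns its printout as a string;
# the IOS output filter can be used inside the string as well
puts [exec "show ip interface brief | include ^Loopback$ifnum "]
```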
An in-depth version of this article is available in the CT3 wiki