Blog Posts in July 2007

Update: The “show ip interface” command I've always wanted to have

After I've published the Tcl script that displays the interface IP parameters in a formatted table, cos quickly pointed out a bug: I've expected the IP addresses in the address mask format. In the meantime, I've figured out the root cause of the problem (our remote labs are set to display IP masks in decimal format for compatibility reasons) and fixed the Tcl script. It temporarily sets the terminal ip netmask-format to bit-count before executing the show command. The new script recognizes three parameters:

  • active: display only interfaces that are up/up;

  • configured: display only interfaces with configured IP addresses (unnumbered interfaces using IP address of an interface without one count as configured since IOS reports their IP address as

  • address: displays IP address of the unnumbered interface, not the interface that it's borrowing the address from.
You can view the Tcl source or download it from my web site.
see 6 comments

Changing the format of IP routes

The comment to one of my previous posts reminded me of a cool feature that's been available in Cisco IOS for a number of years - you can change how the IP addresses and routes are displayed in various show printouts (but not in the router configuration) with the terminal ip netmask-format bit-count|decimal exec-level command. You can even make the change permanent by configuring ip netmask-format format on console and VTY lines.

And the funniest part of the whole story is that I was utterly impressed with the feature when it was introduced ... and now almost started to reinvent the wheel and implement the same functionality in Tcl

see 1 comments

Update: Preparing for the MPLS CCIP exam

Following my post about the relationship between the MPLS and VPN architectures books and CCIP MPLS exam, Peter Dob had an excellent idea: combine the MPLS and VPN architectures (Volume I, CCIP edition would be even better) with the MPLS fundamentals from Luc de Ghein. By reading Luc's book, you'll also get exposure to other MPLS-related topics (for example, AToM) on top of MPLS TE overview that you need for the exam.

This article is part of You've asked for it series.

add comment

Inspection of router-generated traffic does not recognize DHCP client traffic

After I've published a post on how you can use the new router-traffic keyword to minimize the Internet-facing access list you use with CBAC, Euphrates Greene pointed out to me that this feature does not work for client DHCP traffic (if the router is acting as a DHCP client, for example, when connected to a MAN Ethernet environment).

Once you start thinking about what's really going on, it all becomes obvious: as the router has no IP address when it sends the DHCP request, and it sends the DHCP request to a broadcast address (as it doesn't know the IP address of the upstream DHCP server), there is no session that could be entered into the CBAC session table. So you still have to allow all DHCP traffic to your router with an access-list similar to this one:
ip access-list extended Internet
 permit udp any eq bootps any eq bootpc
 deny ip any any

Note: Replace the highlighted any keyword with the actual DHCP server's IP adress if you have it available and you want to have an even more secure IP access-list.

add comment

DHCP and BOOTP coexistence

If you have an existing BOOTP environment (for example, a set of old Unix workstations and X-terminals) and want to deploy DHCP on the same LAN segment, you could run into interesting compatibility issues, as the DHCP servers by default responds to BOOTP requests.

However, IOS has an interesting feature when you use a router as a DHCP server: you can tell it to ignore the BOOTP requests with the ip dhcp bootp ignore global configuration command (introduced in 12.2T and 12.3). Even more, the router can respond to DHCP requests and forward BOOTP requests to a non-local BOOTP server configured with the ip helper-address interface configuration command.
see 1 comments

Totally Stealthy Router

In response to the post detailing router response to port scans, one of my readers asked an interesting question:

“I was wondering if there was a way to prevent the router from sending those TCP RST packets administratively prohibited ICMP messages back to scanners for TCP and UDP respectively. I basically want my router to drop all packets period without replying back in any way, shape, form, or fashion.”

Here's how you do it:

read more see 1 comments

Be Smart When Using the OSPF Network Statement

For whatever reason, a lot of people have the impression that the wildcard bits in the OSPF network statement have to be the inverse of the interface subnet mask. For example, if you have configured ip address on an interface, they would enter network in the OSPF configuration (and use one network statement per interface).

In reality, the network statements work like simple IP access-list: whenever an interface IP address matches the network statement, the interface is put into the selected area. The Cisco IOS CLI got better over the years: the network statements are automatically sorted from most-specific to least-specific and (like with the access lists) the first match stops the search.

read more see 11 comments

Update: Inspect router-generated traffic

In my previous post, I've described how you can get a very clean configuration with no holes in your Internet-facing access-list if you have IOS release that supports inspection of router-generated traffic. As it turns out, my solution was not complete - you could not ping from the router. On top of inspecting UDP and TCP traffic (as is usually done), you also have to inspect ICMP traffic that the router uses for pings.

Furthermore, if you use any protocols that have separate control and data sessions (for example, FTP, H.323 or SIP), you have to list them before tcp or udp keywords, otherwise their control streams will not be inspected and there will be no provision for data sessions.
ip inspect name Internet ftp
ip inspect name Internet h.323 router-traffic
ip inspect name Internet sip router-traffic
ip inspect name Internet tcp router-traffic
ip inspect name Internet udp router-traffic
ip inspect name Internet icmp router-traffic
interface FastEthernet0/0
ip access-group Internet in
ip inspect Internet out
ip access-list extended Internet
deny ip any any
see 12 comments

Redundant DHCP server

If you want to build a truly redundant LAN infrastructure, you should also have redundant DHCP servers. If you decide to do the DHCP address allocation locally (on the router), you should take care that the two routers acting as DHCP servers don't assign overlapping addresses.

If the address space assigned to a LAN is at least twice as large as the number of LAN-attached devices, you can use the ip dhcp excluded-addresses command to exclude half of the address pool on each router, for example:
ip dhcp pool LAN
! Exclude router addresses
ip dhcp excluded-addresses
! Exclude half of the pool
ip dhcp excluded-addresses
Alternatively, you can rely on the ip dhcp ping packets command; the router will ping an IP address to check whether it's live before assigning it (by default, the router sends two pings with 500 millisecond timeout).

Note: You can also inspect the conflicting IP addresses the router found with the show ip dhcp conflict command.
see 8 comments

Network Statements Are No Longer Needed in OSPF Configuration

If you’ve ever had to configure OSPF on a Cisco router, you’re well familiar with the venerable network statement, which effectively assigns interfaces into OSPF areas based on their IP addresses. Although our life became simpler when the network statements stopped being order-dependent (the order dependency allowed for a few nasty surprises in the troubleshooting part of the CCIE lab when the CCIE title still implied you had to be able to fix other people’s mistakes :), it was still an awkward way of configuring what belongs where.

read more see 3 comments