One of my readers made an interesting observation when faced with configuring zone-based firewall on Cisco IOS: „My main issue is a confusion between when to use self and when to use in/outside.“

The rules are simple:

• Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an ouside zone.
• The self zone controls traffic sent to the router itself or originated by the router.
• Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)
• To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.
• To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.

More information about the self zone (as well as other aspects of zone-based firewall configuration) can be found in my digital book Deploying Zone-Based Firewalls published by Cisco Press.

During network troubleshooting or proof-of-concept testing, I often change the state of a loopback interface (to insert or remove IP prefix from the routing protocols) or flap it to test the impact on network stability. The traditional approach to this procedure should be known to everyone:

• Enter configuration mode;
• Select the appropriate interface with the interface loopback x command;
• Try to remember whether you need to disable or enable it;
• Issue the shutdown or no shutdown command;
• Exit the configuration mode and continue your debugging/testing process.

After a particularly boring testing session I decided to write a Tcl script to automate the job. To use it, download it and store it into ifchange.tcl. Download the Tcl file to your router (Flash or NVRAM) and define an alias: alias exec ifchange tclsh flash:ifchange.tcl. Now you can use the new ifchange command to change interface status.

Before trying to write Tcl procedures to be executed by Cisco IOS tclsh command, read the following articles:

• Running Tcl procedures from IOS command line
• Tclsh command line parameters
• Where does Tcl output go
• Executing IOS commands from Tcl shell
• IOS scripting with Tcl (IOS 12.3T documentation)
• TCL'ing your Cisco router

And last but not least, if you want to store Tcl procedures on your router and don't want to write into the router's Flash memory (I hate that the router prompts me whether I want to erase the flash every time I store something into it), you can store them in NVRAM.

Cisco IOS allows you to configure the ip default-gateway, but most often it looks like this setting is ignored. In fact, the default gateway is only used when an IOS device does not perform IP routing (acts like an IP host), for example, when you configure a Catalyst switch for layer-2 switching ... or when you disable IP routing on a router with no ip routing configuration command. In both cases, the show ip route command (or show ip redirects on some Catalyst switches) displays the default gateway and any ICMP redirects received from directly attached routers:

b2#show ip route
Default gateway is 192.168.0.5

Host      Gateway         Last Use    Total Uses  Interface
1.2.3.4   192.168.0.10        0:00            13  FastEthernet0/0

Disabling IP routing on a router makes perfect sense if you use it as a (reverse) terminal server or telnet-to-X.25 gateway.

In his latest Q&A post, Scott Morris mentioned an excellent Cisco article that describes routing tricks needed to implement sinkholes and remote blackholes in great details. Highly recommended reading.

IOS release 12.2(13)T (integrated in IOS release 12.3) has added the capability to redirect output of an IOS show command to a file. This feature uses Unix-style pipes (similar to the include, exclude and section keywords) and adds append, redirect and tee (redirect + print) keywords.

The show output can be redirected to a local filename (in flash, on usb token or even in NVRAM) or sent to a remote server (currently only FTP and TFTP servers are supported). For example, the show ip interface brief | redirect ftp://student:[email protected]/ifstatus command will store the current interface status to an FTP server.

Note: the append (or tee /append) operation only works on destinations that support the file append operation: class-C flash file systems, local disks, USB tokens and NVRAM.

I've always wanted a short summary display of DLCIs configured on my Frame Relay boxes (or whatever your favorite WAN technology is), but the only printout I would get from the router would be the lengthy show frame pvc printout. Fortunately, a judicious use of output filters can get you a summary printout from almost anything Cisco IOS produces.

Sometimes, parts of router configuration get lost during the reload process: although the configuration commands are saved in NVRAM, they are not processed after the reload and thus do not appear in the running configuration. Re-entering these commands manually solves the problem ... but it's obviously not a reliable solution.

Embedded Event Manager (EEM) solves this issue as well. You just configure an applet that triggers on syslog message SYS-5-RESTART and reapplies the necessary configuration commands.

TACACS+ protocol introduced with the IOS AAA architecture had great provisions for customizing the whole login process (user-defined banners, prompts ...). Unfortunately, it never really took off and most AAA solutions deployed today rely on RADIUS servers that cannot control the login process itself (the RADIUS server can only check the username/password pair for validity).

To change the login prompts when using RADIUS servers, use the aaa authentication [banner|fail-message|password-prompt|username-prompt] text configuration command.

Early EIGRP implementation treated changes in EIGRP summary address configuration (configured with the ip summary-address eigrp interface configuration command) very disruptively: all EIGRP sessions across the affected interface were cleared, sometimes resulting in a large number of routes entering active state, potentially leading to a stuck-in-active condition.

A lot of people arriving to my blog ask about continuous ping performed from a router. Well, you cannot generate never-ending ping from a command line interface, but you can get pretty close with a very large repeat count:

• Before starting the ping, set the line escape character to something you can generate from your keyboard (otherwise you won't be able to stop end the command). For example, terminal escape 3 will set the escape character to Ctrl-C.
• Start the ping with the ping ip destination repeat very-large-value command. For example, ping ip 10.0.0.1 repeat 1000000 will ping the target host longer than you'll be willing to wait.

Note: this article is part of You've asked for it series.

Sometimes you'd like to automate execution of command sequences or create a command alias that would trigger a series of commands. One way of achieving this is by creating an EEM applet. For example, to clear IP routing table and reset BGP neighbors, define the following EEM applet:

event manager applet ClearAll
 event none
 action 1.0 cli command "clear ip route *"
 action 2.0 cli command "clear ip bgp *"

You can trigger this applet with the event manager run ClearAll command or you could configure a command alias, for example alias exec cleanup event manager run ClearAll.

Note: this article is part of You've asked for it series.

I've almost started writing a Tcl procedure to display top-10 CPU-intensive processes on a router ... and then discovered the sorted option of the show processes cpu command. Even more, starting in IOS release 12.2T, the show processes cpu history command gives you a nice CPU utilization graph.

The Warm Reload functionality introduced in IOS release 12.3(2)T significantly reduces the reload time. In my test lab, the reload time of a Cisco 2800 router booting from flash was reduced from 135 to 54 seconds as measured by the %SYS-6-BOOTTIME: Time taken to reboot after reload ... syslog message.

The theory behind warm reload is simple: the router saves initial data (as stored in IOS image) in a separate memory region and reuses saved data together with IOS code already residing in RAM to restart IOS. Of course, the IOS code (depending on platform's memory management capabilities) or saved data could get corrupted, therefore the warm reload cannot be used continuously (and the router falls back to traditional reload if the router crashes before a specified time interval).

Warm reload is configured with the warm-reboot count number uptime minutes configuration commands. After it has been configured, a router reload (or power-up) is needed to initialize the saved data region. When the warm reboot is operational (as verified with the show warm-reboot command), you can use reload warm command to start it.

When pinging a directly-attached host (end-station) from a router, it's quite common to lose the first reply, as shown in the following example (the same symptom might occur when pinging a remote host that has been inactive).

a2#ping 10.0.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Actually, it's not the reply that was lost, the request was never sent out. Whenever a router has to send a packet to the next-hop (or directly attached destination) that has no entry in the ARP table, the ARP request is sent out, but the original packet is unconditionally dropped.