A lot of people arriving to my blog ask about continuous ping performed from a router. Well, you cannot generate never-ending ping from a command line interface, but you can get pretty close with a very large repeat count:

• Before starting the ping, set the line escape character to something you can generate from your keyboard (otherwise you won't be able to stop end the command). For example, terminal escape 3 will set the escape character to Ctrl-C.
• Start the ping with the ping ip destination repeat very-large-value command. For example, ping ip 10.0.0.1 repeat 1000000 will ping the target host longer than you'll be willing to wait.

Note: this article is part of You've asked for it series.

Sometimes you'd like to automate execution of command sequences or create a command alias that would trigger a series of commands. One way of achieving this is by creating an EEM applet. For example, to clear IP routing table and reset BGP neighbors, define the following EEM applet:

event manager applet ClearAll
 event none
 action 1.0 cli command "clear ip route *"
 action 2.0 cli command "clear ip bgp *"

You can trigger this applet with the event manager run ClearAll command or you could configure a command alias, for example alias exec cleanup event manager run ClearAll.

Note: this article is part of You've asked for it series.

I've almost started writing a Tcl procedure to display top-10 CPU-intensive processes on a router ... and then discovered the sorted option of the show processes cpu command. Even more, starting in IOS release 12.2T, the show processes cpu history command gives you a nice CPU utilization graph.

The Warm Reload functionality introduced in IOS release 12.3(2)T significantly reduces the reload time. In my test lab, the reload time of a Cisco 2800 router booting from flash was reduced from 135 to 54 seconds as measured by the %SYS-6-BOOTTIME: Time taken to reboot after reload ... syslog message.

The theory behind warm reload is simple: the router saves initial data (as stored in IOS image) in a separate memory region and reuses saved data together with IOS code already residing in RAM to restart IOS. Of course, the IOS code (depending on platform's memory management capabilities) or saved data could get corrupted, therefore the warm reload cannot be used continuously (and the router falls back to traditional reload if the router crashes before a specified time interval).

Warm reload is configured with the warm-reboot count number uptime minutes configuration commands. After it has been configured, a router reload (or power-up) is needed to initialize the saved data region. When the warm reboot is operational (as verified with the show warm-reboot command), you can use reload warm command to start it.

When pinging a directly-attached host (end-station) from a router, it's quite common to lose the first reply, as shown in the following example (the same symptom might occur when pinging a remote host that has been inactive).

a2#ping 10.0.0.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Actually, it's not the reply that was lost, the request was never sent out. Whenever a router has to send a packet to the next-hop (or directly attached destination) that has no entry in the ARP table, the ARP request is sent out, but the original packet is unconditionally dropped.

In a previous post, I’ve described how to execute a Tcl file with the tclsh command.

You can do even more than that: you can pass parameters to the executed file. Every word you enter after the file name in the tclsh command line is passed as a parameter to the Tcl code you execute. To get these parameters in Tcl, use Tcl commands similar to the code below:

One of my readers has asked an interesting question: can you reload a router when pinging a specific IP address from it fails? While there are other ways of dealing with stuck interfaces or routing processes, sometimes such a drastic measure is the only workaround, so here's how you do it:

By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests. You could also use local usernames as the authentication mechanism, or you could deploy full-blown AAA-based solution.

The Tcl procedures used to execute IOS commands in Embedded Event Manager (cli_open, cli_write …) don’t work when you start Tcl shell from command line interface. To execute IOS commands in this context, use:

• exec command to execute an exec-level command, for example exec “show ip route”
• ios_config mode command to configure the router

If the first parameter of the ios_config command is a global configuration command, you shall omit the second parameter (for example, ios_config “hostname router”). To configure a parameter in one of the sub-configuration modes (for example, interface state), use the first parameter to specify the configuration mode and the second parameter as the actual configuration command (for example, ios_config “interface loop 0” “no shutdown”).

TL&DR: Don’t.

EIGRP computes its composite metric from five parameters, one of them being interface load, therefore raising the theoretical possibility of having route metrics that include interface load. However, tweaking EIGRP K-values with the metric weights command to include interface load in metric calculations is highly discouraged – every change in interface load could lead to network instability.

The more command display the specified file as a hex dump if the contents don't look like a text file. In my example, it didn't like the CR/LF pairs in the Autorun.inf file written on an USB token by a Windows PC, but you could also dump an IOS image or a tar archive used by SDM (or other web-based applications). To force the display format, use the /ascii, /binary or /ebcdic (for IBM/SNA gurus) parameters. Cool feature ... IOS is obviously full of hidden gems :)

router#more usbflash1:Autorun.inf
00000000:  5B617574 6F72756E 5D0D0A6F 70656E3D    [aut orun ]..o pen=
00000010:  496E7374 616C6C65 722E6578 650D0A69    Inst alle r.ex e..i
00000020:  636F6E3D 496E7374 616C6C65 722E6578    con= Inst alle r.ex
00000030:  650D0A41 6374696F 6E3D4C61 756E6368    e..A ctio n=La unch
00000040:  20496E73 74616C6C 65722066 6F722047     Ins tall er f or G
00000050:  6F6F676C 65204170 706C6963 6174696F    oogl e Ap plic atio
00000060:  6E73200D 0AXXXXXX XXXXXXXX XXXXXXXX    ns . .XXX XXXX XXXX

I've always wanted to be able to execute a show command while configuring a router (I'm never good at remembering subinterface numbers). A while ago Cisco introduced the do configuration command that allows you to execute any exec-level command (including telnetting to another device) without leaving the current configuration mode.

Cisco routers preconfigured for SDM have default username/password cisco/cisco. As many users forget to disable or change the default username after configuring their router with SDM, they could end up with an exposed router.

Cisco has patched this vulnerability in IOS release 12.4(11)T that includes the one-time password/secret option of the username command, allowing you to define a username/password combination that can be used only once.

You might have wondered what happens with output produced by Tcl procedures (for example, with the puts command) when you use Tcl in Embedded Event Manager (EEM) or Embedded Syslog Manager (ESM). If the Tcl procedure executes in context of a line (console or virtual terminal), the output is sent straight to the attached line, otherwise it's processed by the logging manager (resulting in a syslog message).

There are two scenarios where Tcl would execute in context of a line: if you start a Tcl procedure with the tclsh command or if it's an EEM policy registered with the event_register_cli with sync parameter set to yes.

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefits of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for the console access), this is how you do it:

• Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
• Configure aaa new-model.
• Configure a named AAA authentication list with the aaa authentication login MyList local.
• Attach the named AAA authentication list to the console line with the login authentication MyList command.

If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.