Building network automation solutions

9 module online course

Start now!

Category: command line interface

Dance around IOS bugs with Tcl and EEM

Recently, on an IPSec-based customer network, we installed one of the brand new platforms introduced by Cisco Systems. The initial software release had memory leaks (no problem, we all know these things happen), so we upgraded the box to the latest software. It works perfectly … until you reload it. The software we’re forced to use cannot get IPSec to work if the startup configuration includes interface-level crypto-maps. Interestingly, you can configure crypto-maps manually and they work … until you save them into the startup configuration and reload the box.

read more add comment

Annotate your router sessions

The November Technical Services News from Cisco included the Annotating Troubleshooting Sessions document from the Cisco’s support wiki. The document describes two well hidden features of Cisco IOS:

  • The send log exec-level command writes a line in the syslog, allowing you to delineate logging or debugging outputs.
  • The exclamation mark used as the first character in any IOS command line (not just in the configuration) serves as a comment. If you’re logging the TTY session, you can use these comments to document the session.
see 9 comments

AAA command authorization gotchas

Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):

  • Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
  • Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
  • Other commands (for example, ping) are authorized based on the current privilege level.

For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command will be authorized if you’re working in enable mode, but not otherwise.

  • Command authorization is not performed on console unless you’ve configured aaa authorization console.
read more see 6 comments

Enhance the traceroute output

After working with MPLS Traffic Engineering lab for a few days and interpreting IP addresses from various traceroute outputs, I finally had enough and wrote a simple Perl script that parses router configurations and produces ip host configuration commands for every interface IP address it encounters. When you paste the ip host commands into the configuration of the edge router from which you do the tests, the meaningless numbers finally make sense.

read more see 3 comments

Introduction to Embedded Menu Manager

One of the great new features introduced in IOS release 12.4(20)T is the Embedded Menu Manager (EMM), which allows you to build dynamic hierarchical menus with a combination of static definitions in XML and Tcl scripts. The Cisco documentation on this feature is quite cryptic, so I wrote an introduction to EMM, describing the major XML elements and the ways to use it.

Read more in CT3 wiki.

add comment

Make the "show" command available in configuration mode

I tend to forget whether I'm in configuration mode or not and often type the do command in exec mode or the show command in configuration modes. With the alias functionality you can make the show command a native command in the configuration modes; just configure alias configure show do show.

The “only” drawback of this approach is that IOS has zillion different configuration modes and you have to define the alias in each one of them (you could do it just in the most common ones … or try to remember to type the do keyword first :).

see 4 comments

ARP table with logical and physical interfaces

In a layer-3 switching environment, the ARP table displayed with the show arp command lists the logical (L3) interfaces, for example the VLAN or BVI interface. This Tcl script displays the logical as well as physical interface associated with each IP/MAC address.

Martin Hecko gave me the idea for this script and helped to test it on a Catalyst switch. Thank you!

read more see 8 comments

Router configuration partitioning

If you have to troubleshoot routers with long configurations, you're probably as fed up with the slow response of the show running-config command as I am. Unfortunately, there's not much you can do; the running configuration is reverse-engineered from various memory variables every time you ask for it and that process simply takes time if you've configured many parameters.

IOS release 12.2(33)SRB has introduced a fantastic feature: router configuration partitioning. The early seeds of this idea are already present in mainstream IOS releases. For example, you can display the configuration of a single interface, all class-maps or all policy-maps. The configuration partitioning gives you the ability to display access-lists, route-maps, static routes, router configurations ...
read more see 8 comments

Shorter display of OSPF database

Recently I had to explore the behavior of Cisco IOS OSPF implementation and had to inspect OSPF database on routers in various areas. If you're only interested in the contents of the database (not in low-level troubleshooting), variety of LSA fields (including LS Age, Options, Checksum, Length ...) are just cluttering the printout, so I fine-tuned the show filter to exclude all the non-relevant fields, ending with show ip ospf database parameters | exclude LS|Options|Check|Len|(MTID:[ 0-9]+$) (the MTID field appears in IOS release 12.2SRC).
read more add comment

Simple extensions to exec-mode CLI

The various show filters available in Cisco IOS are a great tool to minimize the amount of printout you have to analyze, their only problem (from my perspective) is that you cannot make an alias out of them, as you usually have to supply one or more parameters to the show command and these parameters have to be inserted before the filter (and the alias command does not support replaceable parameters). You could solve the problem with Tcl shell, but I'm not sure many networking engineers are fluent Tcl programmers. Fortunately, the code you need is so simple anyone can create a working solution.
read more add comment

Display locally originated BGP routes

Displaying the BGP routes originated in the local AS is simple: you just filter the BGP table with a regular expression matching an empty AS path. Displaying routes originated by the local router is tougher. You could use the fact that the local routes have the weight set to 32768:

PE-A#show ip bgp quote-regexp "^$" | inc Network|32768
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i

This would work if you don’t play with BGP weights in network statements. If you’ve changed the weights, you should filter the routes based on the BGP next-hop: locally originated routes have the next-hop 0.0.0.0 and all other routes should have a non-zero BGP next-hop. To filter BGP routes based on the next-hop you have to:

  • Define an access-list that matches desired next-hop (0.0.0.0)
  • Define a route-map that uses the access-list to match IP next hop.
  • Display BGP routes matched by a route-map.

A sample configuration and show command printout is included below:

ip access-list standard AllZeros
permit 0.0.0.0
!
route-map NextHopSelf permit 10
match ip next-hop AllZeros

PE-A#show ip bgp route-map NextHopSelf | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i

To make this command simpler to use, define an alias: alias exec mybgp show ip bgp route-map NextHopSelf | begin Network.

see 3 comments

Display BGP routes originated in the local AS

The easiest way to display BGP routes originating in the local autonomous system is to use the regular expression ^$ (empty AS-path) in the show ip bgp regexp command, for example:

PE-A#show ip bgp regexp ^$
BGP table version is 10, local router ID is 10.0.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i
r>i10.0.1.2/32 10.0.1.2 0 100 0 i

If you want to apply a show filter to the printout of this command, you have to use the quote-regexp variant; otherwise the rest of the line is interpreted as regular expression. To skip the header explaining the BGP status code (we know them by heart by now, don’t we?), use …

PE-A#show ip bgp quote-regexp "^$" | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 10.0.1.1/32 0.0.0.0 0 32768 i
r>i10.0.1.2/32 10.0.1.2 0 100 0 i

… and end with the eye candy – define this command as an alias: alias exec localbgp show ip bgp quote-regexp "^$" | begin Network.

add comment

Configuring lines and terminals

Numerous comments to the "terminal exec prompt" post told me that it might be good to review the line/terminal configuration rules:
  • If you want to configure a permanent line characteristic (for example, international), you should do so in the VTY configuration (see also how the VTY configurations are merged);
  • If you want a temporary change in the characteristic of your current line (VTY or console), use terminal characteristic to enable it or terminal no characteristic to disable it.
read more see 1 comments
Sidebar