Building network automation solutions

9 module online course

Start now!

Category: command line interface

Dance around IOS bugs with Tcl and EEM

Recently, on an IPSec-based customer network, we installed one of the brand new platforms introduced by Cisco Systems. The initial software release had memory leaks (no problem, we all know these things happen), so we upgraded the box to the latest software. It works perfectly … until you reload it. The software we’re forced to use cannot get IPSec to work if the startup configuration includes interface-level crypto-maps. Interestingly, you can configure crypto-maps manually and they work … until you save them into the startup configuration and reload the box.

read more add comment

Annotate your router sessions

The November Technical Services News from Cisco included the Annotating Troubleshooting Sessions document from the Cisco’s support wiki. The document describes two well hidden features of Cisco IOS:

  • The send log exec-level command writes a line in the syslog, allowing you to delineate logging or debugging outputs.
  • The exclamation mark used as the first character in any IOS command line (not just in the configuration) serves as a comment. If you’re logging the TTY session, you can use these comments to document the session.
see 9 comments

AAA command authorization gotchas

Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):

  • Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
  • Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
  • Other commands (for example, ping) are authorized based on the current privilege level.

For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command will be authorized if you’re working in enable mode, but not otherwise.

  • Command authorization is not performed on console unless you’ve configured aaa authorization console.
read more see 6 comments

Enhance the Traceroute Output

After working with MPLS Traffic Engineering lab for a few days and interpreting IP addresses from various traceroute outputs, I finally had enough and wrote a simple Perl script (below) that parses router configurations and produces ip host configuration commands for every interface IP address it encounters. When you paste the ip host commands into the configuration of the edge router from which you do the tests, the meaningless numbers finally make sense.

read more see 3 comments

Make the "show" command available in configuration mode

I tend to forget whether I'm in configuration mode or not and often type the do command in exec mode or the show command in configuration modes. With the alias functionality you can make the show command a native command in the configuration modes; just configure alias configure show do show.

The “only” drawback of this approach is that IOS has zillion different configuration modes and you have to define the alias in each one of them (you could do it just in the most common ones … or try to remember to type the do keyword first :).

see 4 comments

Router configuration partitioning

If you have to troubleshoot routers with long configurations, you're probably as fed up with the slow response of the show running-config command as I am. Unfortunately, there's not much you can do; the running configuration is reverse-engineered from various memory variables every time you ask for it and that process simply takes time if you've configured many parameters.

IOS release 12.2(33)SRB has introduced a fantastic feature: router configuration partitioning. The early seeds of this idea are already present in mainstream IOS releases. For example, you can display the configuration of a single interface, all class-maps or all policy-maps. The configuration partitioning gives you the ability to display access-lists, route-maps, static routes, router configurations ...
read more see 8 comments

Shorter Display of OSPF Database

Recently I had to explore the behavior of Cisco IOS OSPF implementation and had to inspect OSPF database on routers in various areas.

If you’re only interested in the contents of the database (not in low-level troubleshooting), variety of LSA fields (including LS Age, Options, Checksum, Length …) are just cluttering the printout, so I fine-tuned the show filter to exclude all the non-relevant fields, ending with show ip ospf database parameters | exclude LS|Options|Check|Len|(MTID:[ 0-9]+$) (the MTID field appears in IOS release 12.2SRC).

To make the command more useful, I’ve changed it into a short Tcl script:

read more add comment

Simple extensions to exec-mode CLI

The various show filters available in Cisco IOS are a great tool to minimize the amount of printout you have to analyze, their only problem (from my perspective) is that you cannot make an alias out of them, as you usually have to supply one or more parameters to the show command and these parameters have to be inserted before the filter (and the alias command does not support replaceable parameters). You could solve the problem with Tcl shell, but I'm not sure many networking engineers are fluent Tcl programmers. Fortunately, the code you need is so simple anyone can create a working solution.
read more add comment

Display locally originated BGP routes

Displaying the BGP routes originated in the local AS is simple: you just filter the BGP table with a regular expression matching an empty AS path. Displaying routes originated by the local router is tougher. You could use the fact that the local routes have the weight set to 32768:

PE-A#show ip bgp quote-regexp "^$" | inc Network|32768
Network Next Hop Metric LocPrf Weight Path
*> 0 32768 i

This would work if you don’t play with BGP weights in network statements. If you’ve changed the weights, you should filter the routes based on the BGP next-hop: locally originated routes have the next-hop and all other routes should have a non-zero BGP next-hop. To filter BGP routes based on the next-hop you have to:

  • Define an access-list that matches desired next-hop (
  • Define a route-map that uses the access-list to match IP next hop.
  • Display BGP routes matched by a route-map.

A sample configuration and show command printout is included below:

ip access-list standard AllZeros
route-map NextHopSelf permit 10
match ip next-hop AllZeros

PE-A#show ip bgp route-map NextHopSelf | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 0 32768 i

To make this command simpler to use, define an alias: alias exec mybgp show ip bgp route-map NextHopSelf | begin Network.

see 3 comments

Display BGP routes originated in the local AS

The easiest way to display BGP routes originating in the local autonomous system is to use the regular expression ^$ (empty AS-path) in the show ip bgp regexp command, for example:

PE-A#show ip bgp regexp ^$
BGP table version is 10, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 0 32768 i
r>i10.0.1.2/32 0 100 0 i

If you want to apply a show filter to the printout of this command, you have to use the quote-regexp variant; otherwise the rest of the line is interpreted as regular expression. To skip the header explaining the BGP status code (we know them by heart by now, don’t we?), use …

PE-A#show ip bgp quote-regexp "^$" | begin Network
Network Next Hop Metric LocPrf Weight Path
*> 0 32768 i
r>i10.0.1.2/32 0 100 0 i

… and end with the eye candy – define this command as an alias: alias exec localbgp show ip bgp quote-regexp "^$" | begin Network.

add comment

Configuring lines and terminals

Numerous comments to the "terminal exec prompt" post told me that it might be good to review the line/terminal configuration rules:
  • If you want to configure a permanent line characteristic (for example, international), you should do so in the VTY configuration (see also how the VTY configurations are merged);
  • If you want a temporary change in the characteristic of your current line (VTY or console), use terminal characteristic to enable it or terminal no characteristic to disable it.
read more see 1 comments

Display operational IPv6 interfaces

The brief display of the state of IPv6 interfaces in the router (show ipv6 interface brief) is significantly different from the well-known show ip interface brief display as the IPv6 address might not fit in the same line as all the other data. To filter the printout and display only the operational interfaces, you have to replace the include filter with the section filter, which displays all the lines matching the regular expression as well as associated follow-up lines.
PE-A#show ipv6 interface brief | section up
Serial1/0 [up/up]
Serial1/1 [up/up]
Loopback0 [up/up]

The definition of the associated follow-up lines depends on the printout. Usually the indented lines are assumed to belong to a section, but you might be surprised.

see 1 comments

Display the names of the configured route-maps

I’m probably getting old … I keep forgetting the exact names (and capitalization) of route-maps I’ve configured on the router. The show route-maps command is way too verbose when I’m simply looking for the exact name of the route-map I want to use, so I wrote a Tcl script that displays the names of the route-maps configured on the router. If you add a -d switch, it also displays their descriptions (to be more precise, the first description configured in the route-map).

read more see 1 comments