Category: you've asked for it

Update: Preparing for the MPLS CCIP exam

Following my post about the relationship between the MPLS and VPN architectures books and CCIP MPLS exam, Peter Dob had an excellent idea: combine the MPLS and VPN architectures (Volume I, CCIP edition would be even better) with the MPLS fundamentals from Luc de Ghein. By reading Luc's book, you'll also get exposure to other MPLS-related topics (for example, AToM) on top of MPLS TE overview that you need for the exam.

This article is part of You've asked for it series.

add comment

Change the Telnet font color from a Cisco router

I've recently got an excellent question: how can I change the color of the terminal emulator font from the CLI by sending the telnet program an escape sequence?

For those of you that haven't worked with escape sequences before - you can control a lot of parameters in you terminal emulation program by sending it a special sequence starting with <ESC>[ (<ESC> begin character code 27). These sequences work even in the simplest telnet clients on Windows and Linux thanks to built-in operating system support or ANSI.SYS driver (on Windows); you can get an in-depth description and the list of all supported escape sequences from Wikipedia.

With the list of escape sequences in hand, the only remaining problem is how to send them from the router. Tcl shell was the immediate answer, but then I remembered the various banners provided by the Cisco IOS. As I wanted to change the font color as soon as possible, the login banner (or the message-of-the-day banner) seemed the right one to use.

To insert the ESC character in a banner from the configuration prompt, you have to use the Ctrl-V/Esc sequence. For example, to change the font color to bright yellow, do the following:
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#banner motd #
Enter TEXT message. End with the character '#'.
<Ctrl-V><ESC>[33;1mThis is a yellow router#
router(config)#
When you look at the running configuration, the router transforms the control characters into ^x sequences, so your banner will look like this:
router#show run | begin banner
banner motd ^C
^[[33;1mThis is a yellow router^C
...
Notes:
  • Saving router configurations on (T)FTP server and reloading them from a server does not pose a problem, as the control characters are preserved throughout the process, but you cannot use cut-and-paste with banners, as the terminal emulator does not transform ^x sequence into a control character.
  • With this technique, you can color-code your routers. For example, internal routers could use green font, publicly accessible ones red font and the firewall routers yellow font, so all the operators would know immediately what to expect on each device.
  • This article is part of You've asked for it series.
see 6 comments

Command Authorization Fails with EEM applet or Tcl policy

One of my readers asked an interesting question: „why do the commands executed within a EEM Tcl policy fail with Command authorization fails message?“ The short answer is simple: If you use AAA command authorization (which you can only do if you're using a TACACS+ server), you have to specify the username under which the EEM will execute its CLI commands with the event manager session cli username user configuration command.

read more see 8 comments

The self zone in zone-based firewall configuration

One of my readers made an interesting observation when faced with configuring zone-based firewall on Cisco IOS: „My main issue is a confusion between when to use self and when to use in/outside.“

The rules are simple:
  • Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an ouside zone.
  • The self zone controls traffic sent to the router itself or originated by the router.
  • Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)
  • To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.
  • To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.
More information about the self zone (as well as other aspects of zone-based firewall configuration) can be found in my digital book Deploying Zone-Based Firewalls published by Cisco Press.
see 8 comments

Continuous ping from a router

A lot of people arriving to my blog ask about continuous ping performed from a router. Well, you cannot generate never-ending ping from a command line interface, but you can get pretty close with a very large repeat count: Note: this article is part of You've asked for it series.
see 2 comments

Execute multiple commands at once

Sometimes you'd like to automate execution of command sequences or create a command alias that would trigger a series of commands. One way of achieving this is by creating an EEM applet. For example, to clear IP routing table and reset BGP neighbors, define the following EEM applet:
event manager applet ClearAll
event none
action 1.0 cli command "clear ip route *"
action 2.0 cli command "clear ip bgp *"
You can trigger this applet with the event manager run ClearAll command or you could configure a command alias, for example alias exec cleanup event manager run ClearAll.

Note: this article is part of You've asked for it series.
see 13 comments

Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefits of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for the console access), this is how you do it:
  • Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.
see 5 comments

Local usernames with no password

There are two ways you can configure local usernames without a password:
  • By using the username user command without the password option, you create a username that has a blank password (the operator has to press ENTER at the Password: prompt)
  • With the username user nopassword command, you create a user where the operator will not be prompted for the password at all.
Hopefully, you would use such usernames only with the autocommand option to give guest users a short overview of the router's operation (for example, display the interface status).

Note: this article is part of You've asked for it series.
add comment

Stop extended ping or traceroute command

Every introductory Cisco course tells you that you can stop any IOS command (for example, ping or traceroute) with the Ctrl/^ (also written as ^^ or Ctrl-Shift-6) escape character. What they usually forget to tell you is how to do that on non-US-ASCII keyboards or with telnet programs that do not want to recognize weird control characters.

The trick is simple - if you cannot generate ^^ (ASCII code 30), change the escape character. You can change it for the current session with the terminal escape-character char exec-level command or permanently with the escape-character char line configuration command. For example, to set the escape character for the current session to ctrl-C, use terminal escape-character 3 command.

Note: this article is part of You've asked for it series.
see 10 comments

Where did the CBAC go?

I've got an interesting question a while ago: Do new Cisco routers still use CBAC?

Of course they do, it's just been renamed. The marketing department has decided that Context Based Access Control (CBAC) does not sound nearly so nice as the Cisco IOS Firewall. Even the command structure hasn't changed, you still use the ip inspect commands to configure it, unless, of course, you have IOS release 12.4(6)T or newer, where you can use zone-based policy firewall configuration.

This article is part of You've asked for it series.

add comment

Not All Static Routes Were Created Equal

In his excellent question, Matt reminded me of (almost prehistoric) days when static routes pointing to a connected interface (not IP next-hop) had administrative distance zero. I also remembered that we've had interesting routing problems as those static routes actually behaved like connected routes (and were redistributed into routing protocols with redistribute connected command).

read more see 5 comments

Unequal load split with static routes

Unequal load-sharing with static routes is almost impossible as there is no configuration command to assign non-default traffic share count to a static route. For example, if you configure two default routes, one pointing to a low-speed interface and another one pointing to a high-speed interface, there is no mechanism to force majority of the traffic onto the high-speed link (IOS ignores interface bandwidth when calculating load sharing ratios).

You can, howerer, use a workaround: if you configure multiple routes for the same prefix pointing to the same interface, that interface will attract proportionally more outbound traffic.

read more see 12 comments

What is the sl_def_acl access list

Recenty, a lot of people were looking for information on the sl_def_acl access list. Here's the whole story: if you've configured IOS login enhancements on your router, the router generates an access list named sl_def_acl (unless you specify your own with the login quiet-mode access-class command) the first time it has to enter the quiet mode. This access-list is then applied to the VTY lines whenever the router enters the quiet mode and removed from the after the quiet period is over. The access list itself is left in the running configuration.

read more see 7 comments

Default Action in Firewall Policy Maps

Marko asked a very interesting question: What is the default class policy in a firewall policy-map (policy-map type inspect)? Or, using his original wording, "is it mandatory to use class class-default/drop" at the end of every policy map?

As it turns out, the default action for any class (unless you specify otherwise) is drop. By default, packets not matched by any traffic class are therefore dropped (unless you specify a different action in the class-default), similar to well-known ip access-list behavior.

read more see 2 comments
Sidebar