Building network automation solutions

9 module online course

Start now!

Category: you've asked for it

Router as a TFTP server

Shaun needed an extra TFTP server in CCNP labs and asked whether you could use a router to act as one. The read-only (download only) TFTP functionality has been available in Cisco IOS for a long time, but the common wisdom was that you could only use the TFTP server function to serve current IOS image.

Fortunately, as of IOS 11.0, the function is more generic; you can serve any file residing on the router (you still cannot upload files), but you have to declare each file to be served with the tftp-server path global configuration command. You could even specify an alias to have the file available under a different name and attach an access list to each configured file to restrict its availability.

Note: This article is part of You've asked for it series.

see 4 comments

Reload a router from Tcl script

In his comment, Michal has asked about the ability to execute IOS commands with prompts from Tcl shell. I haven't found a generic solution yet, but you can reload a router from a Tcl script. First you have to define an EEM applet that reloads the router and can be triggered from command-line interface:
event manager applet forceReload
event none
action 1.0 reload
Now you can use the exec "event manager run forceReload" Tcl command in your Tcl script to run the applet (and reload the router).


see 2 comments

Example: Tcl script with command-line parameters

In a comment to the “Execute multiple commands at once” post, Michal has asked for a complete Tcl-shell-with-parameter example. Here's a short script that shuts down the interface and displays its status:

  • Variable ifname is set to the value of the first command-line parameter (in many other programming languages, this would be written as argv[0]);
  • If the ifname is empty, the script aborts and prints the usage guidelines (again, in a more human-oriented programming language, this would be if (ifname == “”) ...);
  • The show ip interface ifname command is executed. If it fails, the interface name is not correct and the script aborts.
  • IOS configuration commands interface ifname and shutdown are executed.
  • The show ip interface brief configuration command is executed and filtered with the interface name.
# ifname is set to first CLI parameter (interface name)
set ifname [lindex $argv 0]
if {[string equal $ifname ""]} { puts "Usage: shutdown ifname"; return; }
if { [ catch { exec "show ip interface $ifname" } errmsg ] } {
puts "Invalid interface $ifname, show ip interface failed"; return}

ios_config "interface $ifname" "shutdown"
puts [ exec "show ip interface brief ¦ include $ifname" ]

If you store this Tcl script into your flash as shutdown.tcl and configure alias exec shutdown tclsh flash:shutdown.tcl, you can execute the command shutdown Serial0 to shut down the serial interface.


  • The last show command will display the interface status only if the specified interface name exactly matches the actual IOS interface name (whereas the rest of the script accepts shortcut names). The more generic matching algorithm is left as an exercise for the reader
  • For more in-depth information on Tclsh implementation on Cisco IOS, read the IOS Tclsh resources.
  • This article is part of You've asked for it series.
see 10 comments

Update: Preparing for the MPLS CCIP exam

Following my post about the relationship between the MPLS and VPN architectures books and CCIP MPLS exam, Peter Dob had an excellent idea: combine the MPLS and VPN architectures (Volume I, CCIP edition would be even better) with the MPLS fundamentals from Luc de Ghein. By reading Luc's book, you'll also get exposure to other MPLS-related topics (for example, AToM) on top of MPLS TE overview that you need for the exam.

This article is part of You've asked for it series.

add comment

Change the Telnet font color from a Cisco router

I've recently got an excellent question: how can I change the color of the terminal emulator font from the CLI by sending the telnet program an escape sequence?

For those of you that haven't worked with escape sequences before - you can control a lot of parameters in you terminal emulation program by sending it a special sequence starting with <ESC>[ (<ESC> begin character code 27). These sequences work even in the simplest telnet clients on Windows and Linux thanks to built-in operating system support or ANSI.SYS driver (on Windows); you can get an in-depth description and the list of all supported escape sequences from Wikipedia.

With the list of escape sequences in hand, the only remaining problem is how to send them from the router. Tcl shell was the immediate answer, but then I remembered the various banners provided by the Cisco IOS. As I wanted to change the font color as soon as possible, the login banner (or the message-of-the-day banner) seemed the right one to use.

To insert the ESC character in a banner from the configuration prompt, you have to use the Ctrl-V/Esc sequence. For example, to change the font color to bright yellow, do the following:
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#banner motd #
Enter TEXT message. End with the character '#'.
<Ctrl-V><ESC>[33;1mThis is a yellow router#
When you look at the running configuration, the router transforms the control characters into ^x sequences, so your banner will look like this:
router#show run | begin banner
banner motd ^C
^[[33;1mThis is a yellow router^C
  • Saving router configurations on (T)FTP server and reloading them from a server does not pose a problem, as the control characters are preserved throughout the process, but you cannot use cut-and-paste with banners, as the terminal emulator does not transform ^x sequence into a control character.
  • With this technique, you can color-code your routers. For example, internal routers could use green font, publicly accessible ones red font and the firewall routers yellow font, so all the operators would know immediately what to expect on each device.
  • This article is part of You've asked for it series.
see 6 comments

Command Authorization Fails with EEM applet or Tcl policy

One of my readers asked an interesting question: „why do the commands executed within a EEM Tcl policy fail with Command authorization fails message?“ The short answer is simple: If you use AAA command authorization (which you can only do if you're using a TACACS+ server), you have to specify the username under which the EEM will execute its CLI commands with the event manager session cli username user configuration command.

read more see 8 comments

The self zone in zone-based firewall configuration

One of my readers made an interesting observation when faced with configuring zone-based firewall on Cisco IOS: „My main issue is a confusion between when to use self and when to use in/outside.“

The rules are simple:
  • Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an ouside zone.
  • The self zone controls traffic sent to the router itself or originated by the router.
  • Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)
  • To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.
  • To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.
More information about the self zone (as well as other aspects of zone-based firewall configuration) can be found in my digital book Deploying Zone-Based Firewalls published by Cisco Press.
see 8 comments

Continuous ping from a router

A lot of people arriving to my blog ask about continuous ping performed from a router. Well, you cannot generate never-ending ping from a command line interface, but you can get pretty close with a very large repeat count: Note: this article is part of You've asked for it series.
see 2 comments

Execute multiple commands at once

Sometimes you'd like to automate execution of command sequences or create a command alias that would trigger a series of commands. One way of achieving this is by creating an EEM applet. For example, to clear IP routing table and reset BGP neighbors, define the following EEM applet:
event manager applet ClearAll
event none
action 1.0 cli command "clear ip route *"
action 2.0 cli command "clear ip bgp *"
You can trigger this applet with the event manager run ClearAll command or you could configure a command alias, for example alias exec cleanup event manager run ClearAll.

Note: this article is part of You've asked for it series.
see 13 comments

EIGRP load balancing based on interface load

EIGRP computes its composite metric from five parameters, one of them being interface load, therefore raising the theoretical possibility of having route metrics that include interface load. However, tweaking EIGRP K-values with the metric weights command to include interface load in metric calculations is highly discouraged - every change in interface load could lead to network instability. Even worse, whenever an interface load would increase, the increased composite metric of the afftected routes in EIGRP topology table would cause them to enter active state (and the router to start the DUAL algorithm trying to find more optimum paths toward the destination).

To make the whole idea even more impractical, EIGRP does not scan the interface load (and other parameters influencing the metric) on periodical basis, but only when triggered by a change in network topology (for example, interface or neighbor up/down even).

Note: this article is part of You've asked for it series.
see 2 comments

Configure local authentication with AAA

This should be a no-brainer for anyone preparing for the CCIE lab exam (I'll not elaborate why, but you could guess), but here it is for the benefits of everyone else: if you want to enable AAA on Cisco IOS but still retain local usernames (at least for the console access), this is how you do it:
  • Define local usernames with username xxx password yyy command (I would prefer the secret option if your IOS supports it).
  • Configure aaa new-model.
  • Configure a named AAA authentication list with the aaa authentication login MyList local.
  • Attach the named AAA authentication list to the console line with the login authentication MyList command.
If you want to use the local usernames only as a fallback mechanism in case the AAA servers fail or become unreachable, you could use the aaa authentication login MyList group [radius|tacacs+|name] local command.

Note: this article is part of You've asked for it series.
see 5 comments

Local usernames with no password

There are two ways you can configure local usernames without a password:
  • By using the username user command without the password option, you create a username that has a blank password (the operator has to press ENTER at the Password: prompt)
  • With the username user nopassword command, you create a user where the operator will not be prompted for the password at all.
Hopefully, you would use such usernames only with the autocommand option to give guest users a short overview of the router's operation (for example, display the interface status).

Note: this article is part of You've asked for it series.
add comment

Stop extended ping or traceroute command

Every introductory Cisco course tells you that you can stop any IOS command (for example, ping or traceroute) with the Ctrl/^ (also written as ^^ or Ctrl-Shift-6) escape character. What they usually forget to tell you is how to do that on non-US-ASCII keyboards or with telnet programs that do not want to recognize weird control characters.

The trick is simple - if you cannot generate ^^ (ASCII code 30), change the escape character. You can change it for the current session with the terminal escape-character char exec-level command or permanently with the escape-character char line configuration command. For example, to set the escape character for the current session to ctrl-C, use terminal escape-character 3 command.

Note: this article is part of You've asked for it series.
see 10 comments

Where did the CBAC go?

I've got an interesting question a while ago: Do new Cisco routers still use CBAC?

Of course they do, it's just been renamed. The marketing department has decided that Context Based Access Control (CBAC) does not sound nearly so nice as the Cisco IOS Firewall. Even the command structure hasn't changed, you still use the ip inspect commands to configure it, unless, of course, you have IOS release 12.4(6)T or newer, where you can use zone-based policy firewall configuration.

This article is part of You've asked for it series.

add comment