Ciscoman's notes (Notes of a Cisco guy with a diploma)

I'm Cisco Champion Community member for 2017!

"Cisco Champions are passionate about Cisco and happy to share our knowledge, experience, and feedback."

Tuesday, December 22, 2015

RADIUS configuration trick to allow "CLID-like" filtering on ACS for L2TP/PPTP

Here is a "trick" to allow L2TP/PPTP client access filtering based on the client IP address for ACS 5.X:
1) Configure the NAS with "vpdn aaa attribute nas-ip-address vpdn-tunnel-client".
This command makes IOS send the client IP address in attribute 4 (NAS-IP-Address), as in this debug output:
RADIUS:  NAS-IP-Address      [4]   6  1.2.3.4
2) Use a "compound condition" in ACS Access Policies > Authorization rules to match on this attribute.
Tested on IOS 15.1(4)M6 on a 7200 series router.
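The same check done offline, as an added example that is not from the post or from ACS: decode the RADIUS attribute TLVs of a request and allow-list the value of attribute 4 (NAS-IP-Address), which the vpdn command above fills with the tunnel client's address. The sample request, the allow-list and the helper names are constructed for the example.

```python
"""Decode RADIUS attributes (RFC 2865 TLVs) and allow-list the tunnel client
address that 'vpdn aaa attribute nas-ip-address vpdn-tunnel-client' puts in attribute 4."""
import ipaddress
import struct
from typing import List, Optional, Tuple

NAS_IP_ADDRESS = 4  # attribute type; the debug line above shows it as [4] with length 6

def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value list; the length byte covers the 2-byte header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def nas_ip(attrs: List[Tuple[int, bytes]]) -> Optional[ipaddress.IPv4Address]:
    """Return the NAS-IP-Address value, or None if the request carries none."""
    for atype, value in attrs:
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be exactly 4 bytes")
            return ipaddress.IPv4Address(value)
    return None

def client_allowed(payload: bytes, allowed_prefixes: List[str]) -> bool:
    """The ACS-style rule: permit only when attribute 4 falls inside an allowed prefix.
    A request without the attribute is denied (fail closed)."""
    addr = nas_ip(parse_attributes(payload))
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(p) for p in allowed_prefixes)

def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute; used here only to construct sample input."""
    return struct.pack("BB", atype, len(value) + 2) + value

# Constructed sample: User-Name (1) "alice" followed by NAS-IP-Address (4) 1.2.3.4,
# the same value the debug output above shows.
SAMPLE = build_attr(1, b"alice") + build_attr(NAS_IP_ADDRESS, ipaddress.IPv4Address("1.2.3.4").packed)
ALLOWED = ["1.2.3.0/24", "10.10.0.0/16"]  # constructed allow-list of VPN client ranges
```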


Sunday, December 20, 2015

CCIE R&S

Finally I nailed it. I passed on the first try after so much time spent since 2013... Since June 2015 alone I attended both Cisco360 workshops and spent more than 400 hours labbing (workshop time not counted) and more than 300 hours on VoD from different training vendors...
Now I feel completely drained and squeezed like a lemon, time to make a pause.

Sunday, October 4, 2015

Simple Cisco IOS Tcl script to use instead of interface-level configuration

Example:

tclsh
# OSPF area used for every listed interface
set area 0
# Take the router-id from Lo0: "| exclude face" drops the "Interface IP-Address ..." header
# line, so lindex 1 of what remains is the IP-Address column.
# "router ospf" is spelled out: the abbreviation "os" collides with ospfv3 on images that have it.
ios_config "router ospf 1" "router-id [lindex [exec "sh ip int b lo0 | exclude face"] 1]"
# Advertise each interface's address as a host network in that area
foreach i {
Lo0
Et0/0
Et0/1
} { ios_config "router ospf 1" "network [lindex [exec "sh ip int b $i | exclude face"] 1] 0.0.0.0 area $area"
}



Thursday, October 1, 2015

Cisco IOS tclsh one-liner to configure a VRF on an interface

Example:
# "ip vrf forwarding" wipes the interface address, so the "ip address" line is captured
# first (the exec result) and handed back to ios_config right after the vrf command.
# Assumes a single "ip address" line on the interface; "| i addr" would also catch secondaries.
ios_config "int Et0/0" "ip vrf for VPNA" [exec "sh run int Et0/0 | i addr"]

More advanced stuff:
# Same thing for a list of interfaces (sub-interfaces, tunnels and serials alike)
foreach i {
Et0/0.10
Et0/0.20
Et0/0.33
Tu1
s1/0
} { ios_config "int $i" "ip vrf for VPNA" [exec "sh run int $i | i addr"] }

Thursday, September 24, 2015

Useful EEM applet to remember


event manager applet ERROR_RATE
event interface name FastEthernet0/0 parameter input_errors entry-op gt entry-type value entry-val 100 poll-interval 15
action 10.1 syslog msg "For $_interface_name, $_interface_parameter is $_interface_value."
action 20.1 cli command "enable"
action 20.2 cli command "show interface FastEthernet0/0 | include 5 minute"
action 20.3 syslog msg "$_cli_result "
action 30.1 cli command "clear counters FastEthernet0/0" pattern "confirm"
action 30.2 cli command "y"
action 40.1 mail server "172.16.254.1" to "monitoring@example.com" from "router@example.com" subject "FastEthernet0/0 input errors counter is above 100" body "$_cli_result"

Wednesday, September 23, 2015

Simple route-map question for interview

In which range(s) will it match the metric?

route-map MATCH_METRIC
 match metric 1 +- 999 1000 500 +- 500 1

Friday, September 4, 2015

quick note: ninja command to use during the lab

sh run | i ospf|eigrp|int|band|delay|access-gr|policy|arp|mac

Monday, August 31, 2015

quick note: standby use-bia

Q. What is the standby use-bia command and how does it work?

A. By default, HSRP uses the preassigned HSRP virtual MAC address <...> In order to configure HSRP to use the burnt-in address of the interface as its virtual MAC address, instead of the default, use the standby use-bia command.

Note: Using the standby use-bia command has these disadvantages:
  • When a router becomes active the virtual IP address is moved to a different MAC address. The newly active router sends a gratuitous ARP response, but not all host implementations handle the gratuitous ARP correctly.
  • Proxy ARP breaks when use-bia is configured. A standby router cannot cover for the lost proxy ARP database of the failed router.


quick note: mpls ldp router-id

Don't forget to use "force" to change the router-id faster (otherwise you wait for an event that triggers the router-id change).

Tuesday, August 25, 2015

How to test your URL filtering via telnet during the lab

Use this simple method; don't forget to send two new lines after the "Host" header (the empty line ends the request):
telnet 10.1.1.1 8080
Trying 10.1.1.1....
Connected to 10.1.1.1.
Escape character is '^]'.
GET /testurl.html HTTP/1.0
Host: R1.lab

Thursday, August 13, 2015

The most awesome show running-config parsing shortcuts I'm using for the CCIE R&S lab

Find passwords with a space at the end:
sh run | i _$

Show "router bgp/eigrp/ospf/rip" section of the configuration:
sh run | s r b
sh run | s r e
sh run | s r o
sh run | s r r

Show interface config only:
sh run | s int
Note: you can't use sh ru | s i, because "i" in this case means "section include", just as "e" means "section exclude".

Use short and informative route-map names, for example:
route-m c2e
to describe a route-map for redistribution from connected into EIGRP.

Searching for a route in all VRFs:
sh ip ro vrf * | i ...

Show "crypto" part of the configuration (everything about IPSec):
sh run | s ^cr
or
sh run | s cry

Show the routing part of the configuration with route-maps, and without route-maps (longer to type and less used):
sh run | s ^r
sh run | s router

Less used, but valuable.
Show all ip prefix lists:
sh run | s ip p

Show all ip access-lists:
sh run | s ip ac

Note: I'm using sh run instead of sh ru because a show rudpv1 command also exists.
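To show what these filters actually select, here is an added offline emulation of "| section" and "| include" in Python (not from the post; IOS's own implementation is not public). The running-config excerpt is constructed, and the trailing-space search uses a literal space where the IOS idiom writes "_".

```python
"""Offline emulation of IOS '| section' and '| include' over a constructed config excerpt."""
import re
from typing import List

# Constructed excerpt; '\x20' keeps the trailing space on the password line ('sh run | i _$').
RUNNING_CONFIG = """\
username admin privilege 15 password 0 s3cret\x20
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group IN in
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65001
!
ip prefix-list PL seq 5 permit 10.0.0.0/8
route-map c2e permit 10
 match interface Ethernet0/0
"""

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def section(config: str, pattern: str) -> List[str]:
    """'| section <re>': each matching line (regex searched anywhere) plus the more-indented lines under it."""
    rx, lines, out, i = re.compile(pattern), config.splitlines(), [], 0
    while i < len(lines):
        if not rx.search(lines[i]):
            i += 1
            continue
        depth = _indent(lines[i])
        out.append(lines[i])
        i += 1
        while i < len(lines) and lines[i].strip() and _indent(lines[i]) > depth:
            out.append(lines[i])
            i += 1
    return out

def include(config: str, pattern: str) -> List[str]:
    """'| include <re>': only the lines matching the regex."""
    return [line for line in config.splitlines() if re.search(pattern, line)]
```

Compare section(RUNNING_CONFIG, "int") with section(RUNNING_CONFIG, "^int"): the unanchored form also pulls in the route-map's "match interface" line, which is why the anchored "^cr" and "^r" variants above are worth the extra keystroke.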



Monday, July 6, 2015

Useful command to debug IP TOS precedence packets

Yet another note for myself:

R1#sh run int s1/0
Building configuration...

Current configuration : 244 bytes
!
interface Serial1/0
 ip address 172.16.13.1 255.255.255.0
 ip accounting precedence input

...


R1#sh interfaces s1/0 precedence
Serial1/0
  Input
    Precedence 0:  408 packets, 42172 bytes
    Precedence 3:  2812 packets, 180528 bytes
    Precedence 4:  2819 packets, 180976 bytes
    Precedence 6:  613 packets, 41872 bytes

Friday, June 5, 2015

Please don't forget to enable PIM!

When joining a multicast group with "ip igmp join-group"

Wednesday, April 1, 2015

How to get the list of processes and per-process CPU usage from a Cisco IOS router/switch via SNMP


With the help of the snmpwalk utility you can list processes and their per-process CPU usage even when the router is at 100% CPU load. Use the following OID to list processes: 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1 and this OID to list the corresponding per-process CPU usage: 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1
For example, here is snmpwalk output from a 2811 router at 99% CPU with no SSH/telnet access because of the high load, using suitably generous retry/timeout parameters:

snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1
...
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.188 = STRING: "CCVPM_HDSPRM"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.189 = STRING: "FLEX DSPRM MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.190 = STRING: "FLEX DSP KEEPALIVE MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.191 = STRING: "HDA DSPRM MAIN"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.192 = STRING: "cpf_process_msg_holdq"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.193 = STRING: "AAA Cached Server Group"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.194 = STRING: "ENABLE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.195 = STRING: "EM Background Process"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.196 = STRING: "Key chain livekeys"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.197 = STRING: "LINE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.198 = STRING: "LOCAL AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.199 = STRING: "TPLUS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.200 = STRING: "VSP_MGR"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.201 = STRING: "Crypto WUI"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.202 = STRING: "Crypto Support"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.203 = STRING: "IPSECv6 PS Proc"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.204 = STRING: "EPM MAIN PROCESS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.205 = STRING: "CCVPM_HTSP"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.206 = STRING: "VPM_MWI_BACKGROUND"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.207 = STRING: "CCVPM_R2"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.208 = STRING: "EPHONE MWI Refresh"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.209 = STRING: "FB/KS Log HouseKeeping"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.210 = STRING: "EPHONE MWI BG Process"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.211 = STRING: "Skinny HW conference digit event"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.212 = STRING: "VOICE REG BG Process"
...


snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1
...
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.189 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.190 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.191 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.192 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.193 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.194 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.195 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.196 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.197 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.198 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.199 = Gauge32: 87
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.200 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.201 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.202 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.203 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.204 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.205 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.206 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.207 = Gauge32: 0
...

As you can see, the TPLUS process is using 87% CPU. It seems to be a software defect, and my IOS will be upgraded.
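Reading two walks side by side gets tedious on a box with 200+ processes, so here is an added script (not from the post) that joins the two outputs on the PID that ends each OID and ranks processes by CPU. The walk excerpts are constructed in snmpwalk's output format; TPLUS at 87 is the post's value, the rest is made up.

```python
"""Join the two snmpwalk outputs above on the PID that ends each OID and rank
processes by CPU, so the culprit stands out even when the CLI is unreachable."""
from typing import Dict, List, Tuple

NAME_OID = "1.3.6.1.4.1.9.9.109.1.2.1.1.2.1"  # process names (OID from the post)
UTIL_OID = "1.3.6.1.4.1.9.9.109.1.2.2.1.7.1"  # per-process CPU usage (OID from the post)

# Constructed excerpts in snmpwalk's output format.
NAME_WALK = """\
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.197 = STRING: "LINE AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.198 = STRING: "LOCAL AAA"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.199 = STRING: "TPLUS"
iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.200 = STRING: "VSP_MGR"
"""
UTIL_WALK = """\
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.197 = Gauge32: 0
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.198 = Gauge32: 2
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.199 = Gauge32: 87
iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.200 = Gauge32: 0
"""

def parse_walk(text: str, base_oid: str) -> Dict[int, str]:
    """Map PID -> value for rows under base_oid; rows from other tables are skipped."""
    rows: Dict[int, str] = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, value = line.split(" = ", 1)
        arcs = oid.split(".")
        if arcs[0] == "iso":  # snmpwalk prints the root arc '1' as 'iso'
            arcs[0] = "1"
        if ".".join(arcs[:-1]) != base_oid:
            continue
        rows[int(arcs[-1])] = value.split(": ", 1)[1].strip('"')  # drop 'STRING:'/'Gauge32:'
    return rows

def top_processes(name_walk: str, util_walk: str, min_util: int = 1) -> List[Tuple[int, str, int]]:
    """(pid, name, util) rows sorted by CPU, keeping only those at or above min_util."""
    names = parse_walk(name_walk, NAME_OID)
    utils = parse_walk(util_walk, UTIL_OID)
    rows = [(pid, names.get(pid, "<no name row>"), int(util))
            for pid, util in utils.items() if int(util) >= min_util]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for pid, name, util in top_processes(NAME_WALK, UTIL_WALK):
        print(f"PID {pid:<5} {util:>3}%  {name}")
```

Feed it the saved output of the two snmpwalk commands above (same -r/-t settings) and the ranking comes out even while the CLI is unreachable.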
