Please don't forget to enable PIM!

When you joining to multicast group with "ip igmp join-group" 

How to get list of processes from Cisco IOS router/switch and CPU usage per process via SNMP

With help of snmpwalk utility you can list processes and their CPU usage per-process even if router is at 100% CPU load. Use the following OIDs to list processes: 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1 and this OID to list corresponding CPU usage per-process: 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1

For example here is output from snmpwalk from 2811 router with 99% cpu and no SSH/telnet access because of high CPU load with appropriate retry/timeout parameters:

snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.1.1.2.1

...

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.188 = STRING: "CCVPM_HDSPRM"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.189 = STRING: "FLEX DSPRM MAIN"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.190 = STRING: "FLEX DSP KEEPALIVE MAIN"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.191 = STRING: "HDA DSPRM MAIN"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.192 = STRING: "cpf_process_msg_holdq"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.193 = STRING: "AAA Cached Server Group"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.194 = STRING: "ENABLE AAA"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.195 = STRING: "EM Background Process"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.196 = STRING: "Key chain livekeys"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.197 = STRING: "LINE AAA"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.198 = STRING: "LOCAL AAA"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.199 = STRING: "TPLUS"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.200 = STRING: "VSP_MGR"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.201 = STRING: "Crypto WUI"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.202 = STRING: "Crypto Support"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.203 = STRING: "IPSECv6 PS Proc"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.204 = STRING: "EPM MAIN PROCESS"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.205 = STRING: "CCVPM_HTSP"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.206 = STRING: "VPM_MWI_BACKGROUND"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.207 = STRING: "CCVPM_R2"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.208 = STRING: "EPHONE MWI Refresh"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.209 = STRING: "FB/KS Log HouseKeeping"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.210 = STRING: "EPHONE MWI BG Process"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.211 = STRING: "Skinny HW conference digit event"

iso.3.6.1.4.1.9.9.109.1.2.1.1.2.1.212 = STRING: "VOICE REG BG Process"

...

snmpwalk -r 9 -t 5 -v 2c -c public 10.81.1.1 1.3.6.1.4.1.9.9.109.1.2.2.1.7.1

...

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.189 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.190 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.191 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.192 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.193 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.194 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.195 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.196 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.197 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.198 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.199 = Gauge32: 87

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.200 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.201 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.202 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.203 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.204 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.205 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.206 = Gauge32: 0

iso.3.6.1.4.1.9.9.109.1.2.2.1.7.1.207 = Gauge32: 0

...

As you can see, TPLUS process is using 87% CPU. Seems it is a software defect and my IOS will be upgraded.

"How to check udp port is open using IOS CLI only" or "Do you really know how traceroute works"?

Just want to share with you one interesting but very simple trick with udp traceroute which can be used to check if udp port is open or filtered. In practical case it can be very handy to use it if you think somebody in the middle filtering your ISAKM udp/500 or NAT-T udp/4500 ports for example and you can't use any third-party tools to check it (CCIE lab environment?)
Only few key things you had to remember: Cisco IOS using UDP traceroute and you can define initial destination port, moreover this port number is incremented with each subsequent packet, even if to the same hop with same TTL.
The technique is simple as said above: you need to send traceroute in such way so that intermediate hop router will receive packet with verifiable destination port number. If intermediate hop router is doing filtering and configured to allow to send ip unreachables ICMP messages, you will receive "!A" symbol in your traceroute output, meaning "Administratively filtered". This is the simplest case, but observed very rare since most of the routers configured with "no ip unreachables" to lower the load on CPU resources. Later I will also show how to check a port if "no ip unreachables" is configured on a verifiable router.

Anyway here is the example step by step, ip addresses is self-explained:

R1#traceroute 155.1.45.5 numeric probe 1 port 500
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 64 msec
  2 155.1.23.3 112 msec
  3 155.1.34.4 136 msec
  4 155.1.45.5 136 msec

All OK. At this step we know full path to the final router R5, and second router in the line (R2) was not filtering UDP/500. Lets decrement port number to 499, so next router R3 will receive UDP/500 packet:

R1#traceroute 155.1.45.5 numeric probe 1 port 499
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 60 msec
  2 155.1.23.3 124 msec
  3 155.1.34.4 108 msec
  4 155.1.45.5 148 msec

Once again all fine, R3 is not filtering,  we are decrementing destination port number again and testing R4:

R1#traceroute 155.1.45.5 numeric probe 1 port 498
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 60 msec
  2 155.1.23.3 88 msec
  3 155.1.34.4 !A

Gotcha! Next to the last router (R4) is filtering our ISAKMP packets! Here is how it looks in Wireshark:

Now let's try to do the same testing, but on R4 with "no ip unreachables" configured:

R1#traceroute 155.1.45.5 numeric probe 1 port 500
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 68 msec
  2 155.1.23.3 108 msec
  3 155.1.34.4 128 msec
  4 155.1.45.5 132 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 499
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 52 msec
  2 155.1.23.3 100 msec
  3 155.1.34.4 104 msec
  4 155.1.45.5 140 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 498
Type escape sequence to abort.Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 92 msec
  2 155.1.23.3 84 msec
  3  *
  4 155.1.45.5 136 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 497
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 60 msec
  2 155.1.23.3 100 msec
  3 155.1.34.4 108 msec
  4  *
  5 155.1.45.5 128 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 496
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 92 msec
  2 155.1.23.3 100 msec
  3 155.1.34.4 100 msec
  4 155.1.45.5 168 msec

As you can see, on the third step (bold text), exactly when R4 receives UDP/500 we can see symbol "*" which meaning timeout. On the fourth step here is also timeout, it is again because of R4 is filtering and UDP/500 packet can't reach R5. Here is how 3rd iteration looks like:

Please note that in our sandbox case filtering was made with simple extended access-list which was applied to inbound (ingress) interface to the "in" direction:

ip access-list extended DENY_IKE
 deny   udp any any eq isakmp
 permit ip any any
!
interface FastEthernet0/0
 ip address 155.1.34.4 255.255.255.0
 ip access-group DENY_IKE in

In case of this access-list applied to the outbound (egress) interface FastEthernet0/1 to the "out" direction, traceroute behavior will be different, but it still can bring us results and required information to detect intermediate hop router which performing filtering, behavior is just like in the fourth step/iteration in the previous example. 

R1#traceroute 155.1.45.5 numeric probe 1 port 496
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 104 msec
  2 155.1.23.3 100 msec
  3 155.1.34.4 140 msec
  4 155.1.45.5 128 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 497
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 56 msec
  2 155.1.23.3 116 msec
  3 155.1.34.4 120 msec
  4  *
  5 155.1.45.5 156 msec
R1#traceroute 155.1.45.5 numeric probe 1 port 498
Type escape sequence to abort.
Tracing the route to 155.1.45.5
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.12.2 88 msec
  2 155.1.23.3 104 msec
  3 155.1.34.4 140 msec
  4 155.1.45.5 128 msec

Instead of conclusion I recommend for best results to make the same testing in both directions, obvious since some kind of filtering can be applied in outbound direction of ingress interface and you will not notice it until testing done from another side. Thank you for reading.

EIGRP named mode "passive-interface default" vs "af-interface default shutdown" and Virtual-Template

    As you probably know, EIGRP named mode is a new style standard for EIGRP configuration in current IOS versions. So I would like to note some interesting points on configuration.
May be not so interesting really, but this significant difference was noted between "af-interface default shutdown" and "af-interface default passive" (except it's primary goals ;)) so we need to be accurate with behavior related to Virtual-Template interfaces. Let's look at the firs useful application of "shutdown". It is very handy to use it in OSPF-like interface configuration style to include only required interfaces in routing protocol:

interface Virtual-Template1 type tunnel
 ip ospf 2 area 1

And if our Virtual-Access is connected, OSPF will enable process on this interface also:

R1#sh ip ospf interface b

Virtual-Access1            10.0.1.2        YES unset  up                    up
Virtual-Template1          10.0.1.2        YES unset  up                    down

R1#sh ip ospf interface b
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Vi1          2     1               Unnumbered Lo0     1     P2P   1/1

In this example we are enabling EIGRP only on Virtual-Template1 interface similarly to OSPF:

router eigrp TEST
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface default
   shutdown
  exit-af-interface
  !
  af-interface Virtual-Template1
   no shutdown
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family

But note significant difference. EIGRP will not be enabled on Virtual-Access interface although it is up and running:

R1#sh ip int b
Virtual-Access1            10.0.1.2        YES unset  up                    up
Virtual-Template1          10.0.1.2        YES unset  up                    down 

R1#sh ip eigrp neighbors
EIGRP-IPv4 VR(IPSEC) Address-Family Interfaces for AS(1)
                              Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface              Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vt1                      0        0/0       0/0           0       6/6            0           0

 Now let's look at "passive-interface default" behaviour:

router eigrp TEST
 !
 address-family ipv4 unicast autonomous-system 1
  !
  af-interface default
   passive-interface
  exit-af-interface
  !
  af-interface Virtual-Template1
   no passive-interface
  exit-af-interface
  !
  topology base
  exit-af-topology
  network 0.0.0.0
 exit-address-family

And as you can see, It is all fine, up and running in such way, just as expected:

R1#sh ip int b
Virtual-Access1            10.0.1.2        YES unset  up                    up
Virtual-Template1          10.0.1.2        YES unset  up                    down

R1#sh ip eigrp neighbors
EIGRP-IPv4 VR(IPSEC) Address-Family Neighbors for AS(1)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   10.0.1.1                Vi1                      10 00:00:09  479  2874  0  5

All testing were made with  IOS version 15.2(4)M6. Thank you for interest to this blog post. Please say couple words in comments if it was usefull/interesting, because it seems to me nobody interested in my posts :(

Random note about bgp ttl-security, ebgp-multihop and disable-connected-check commands.

Just simple note in case you're studying ccie lab. As you know, anything you can do - you can also do it another way.
For example you need to configure eBGP session between 2 directly connected routers and initiate session from Loopback interfaces. All of the following commands will be suitable:

 ttl security hops 2 = disable-connected-check = ebgp-multihop 2

Please note that ebgp-multihop 2 and ttl-security hops 2 will also allow to establish bgp session with router one hop away, even if you're initiating session from loopbacks, it may be not desired in redundant topologies. For example:
R1 ---- R2 ---- R3
R1 and R3 can also form bgp peering.

disable-connected-check is not modifying TTL of bgp ip packets, it just allow bgp session to be established from non directly connected subnets (it disables this default precheck behavior).

Also here is interesting buggy trick to make somebody crazy. You can configure ebgp-multihop 1 and it will be not shown in configuration (as of  15.2(4)M6 ) and will not allow to configure ttl-security.
For example:

R1(config-router)#neighbor 120.100.2.1 ebgp-multihop 1
R1(config-router)#do sh run | sec bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 120.100.2.1 remote-as 300
 neighbor 120.100.2.1 update-source Loopback0
R1(config-router)#neighbor 120.100.2.1 ttl-security hops 2
Remove ebgp-multihop before configuring ttl-security
R1(config-router)#do sh run | sec bgp
router bgp 100
 bgp log-neighbor-changes
 neighbor 120.100.3.1 remote-as 300
 neighbor 120.100.3.1 update-source Loopback0
R1(config-router)#no neighbor 120.100.2.1 ebgp-multihop 1
R1(config-router)#neighbor 120.100.2.1 ttl-security hops 2

MTS 3G configuration for Cisco 880G and 890G series routers

#cellular 0 gsm profile create 1 internet.mts.ru pap mts mts ipv4
!
chat-script reset_chat-script "" \d\d\d+++\d\d\d
chat-script mts_chat-script TIMEOUT 90 "" AT+CGDCONT=1,"IP","internet.mts.ru" OK ATDT*99*1# CONNECT
!

interface Cellular0
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer string mts4
 dialer-group 1
 autodetect encapsulation ppp
 async mode interactive
 ppp authentication pap chap callin
 ppp chap hostname mts
 ppp chap password 0 mts
 ppp chap refuse
 ppp pap sent-username mts password 0 mts
!
dialer-list 1 protocol ip permit
!
line 3
 script dialer mts_chat-script
 script reset reset_chat-script
 no login
 modem InOut
 modem autoconfigure discovery
 no exec
 transport input none
 transport output all

Do you know that: redistribution and route types internal/external

Do you know how to make route internal or external during redistribution?

Look at the configuration example:

R1:

interface Loopback1
 ip address 10.20.30.40 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.0.1.1 255.255.255.252
!
router eigrp 1
 network 10.0.1.1 0.0.0.0
 redistribute static metric 1000 10 10 10 1500


!
ip route 10.10.10.10 255.255.255.255 Loopback1

R1#sh ip route | b Gate
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C        10.0.1.0/30 is directly connected, FastEthernet1/0
L        10.0.1.1/32 is directly connected, FastEthernet1/0
D        10.0.3.0/30 [90/30720] via 10.0.1.2, 00:05:33, FastEthernet1/0
S        10.10.10.10/32 is directly connected, Loopback1
C        10.20.30.40/32 is directly connected, Loopback1


R1#sh ip eigrp topology 10.10.10.10/32
EIGRP-IPv4 Topology Entry for AS(1)/ID(10.0.1.1) for 10.10.10.10/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2562560
  Descriptor Blocks:
  0.0.0.0, from Rstatic, Send flag is 0x0
      Composite metric is (2562560/0), route is External
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 100 microseconds
        Reliability is 10/255
        Load is 10/255
        Minimum MTU is 1500
        Hop count is 0
        Originating router is 10.0.1.1
      External data:
        AS number of route is 0
        External protocol is Static, external metric is 0
        Administrator tag is 1 (0x00000001)


As you can see here is redistributed static route is injected in eigrp topology as external. How to make it internal? It is simple: include redistributed subnet into network command under eigrp section.

R1(config)#router eigrp 1
R1(config-router)#network 0.0.0.0
R1(config-router)#do sh ip eigrp topology 10.10.10.10/32
EIGRP-IPv4 Topology Entry for AS(1)/ID(10.0.1.1) for 10.10.10.10/32
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2562560
  Descriptor Blocks:
  0.0.0.0, from Rstatic, Send flag is 0x0
      Composite metric is (2562560/0), route is Internal
      Vector metric:
        Minimum bandwidth is 1000 Kbit
        Total delay is 100 microseconds
        Reliability is 10/255
        Load is 10/255
        Minimum MTU is 1500
        Hop count is 0
        Originating router is 10.0.1.1
        Internal tag is 1