CCNA Postings

The Explicit Deny All By Anthony Sequeira 

Sunday, March 07, 2010 4:00:50 PM

One of the key facts regarding Access Control Lists (ACLs) that we drill into your head during CCNA is that the lists you create end with what is called the “implicit” deny all. You do not see it, but the effect is undeniable. Any packets that do not match any of the permit statements in your list are denied. In the case of our filtering access lists, this means the packets are dropped. As you recall from the course, this is why we absolutely require at least one permit entry in all of our filtering access control lists.

But what if we want to track what we actually drop as a result of this powerful implicit deny all effect? Well, a clever trick is to end the list with an explicit deny statement and log the result. In this post, we will examine this technique.

Let’s create a named, standard ACL that permits packets sourced from the 10.x.x.x address space.

ip access-list standard AL_PERMIT_10
permit 10.0.0.0 0.255.255.255

Now I will apply this ACL inbound on a router interface and generate some traffic that matches this statement. When we run the command show access-lists, we can see from the “hit counter” that the permit has caught some matches. But what about packets that have failed to match?

R1(config-std-nacl)#int fa0/0
R1(config-if)#ip access-group AL_PERMIT_10 in
R1(config-if)#end
R1#
R1#show access-lists
Standard IP access list AL_PERMIT_10
10 permit 10.0.0.0, wildcard bits 0.255.255.255 (57 matches)

In order to be alerted about packets that hit the implicit deny all, we need to create an explicit one. If we are really concerned about packets that do not match any permits, we can add the log option so that we are alerted at the command line, in addition to seeing the hit counter when we run the show access-lists command.

R1(config)#ip access-list standard AL_PERMIT_10
R1(config-std-nacl)#deny any log

After this configuration change, watch what happens when someone from 1.1.1.1 tries to ping into R1 through our interface:

R1#
*Mar  1 00:12:23.251: %SEC-6-IPACCESSLOGNP: list AL_PERMIT_10 denied 0 1.1.1.1 -> 10.0.0.1, 1 packet
R1#show access-lists
Standard IP access list AL_PERMIT_10
10 permit 10.0.0.0, wildcard bits 0.255.255.255 (117 matches)
20 deny   any log (5 matches)

One question I often get from students at this point is: why did we only get one notification (of one packet) via the command line system message, but there were in fact 5 packets that were blocked (as depicted in the show command output)?

The answer is that IOS is being smart here: it batches up the log messages so that the system is not overwhelmed trying to show us every one of these matches in real time.
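To make the implicit deny, the hit counters and the batched logging concrete, here is an added Python model of the standard ACL from this post (example code, not from the post and not IOS itself). It matches sources with Cisco wildcard masks, keeps a per-entry hit counter, treats a non-match as the silent implicit deny, and reports the first hit of a logged entry immediately while batching later hits until flush_log() is called; the syslog text and the batch-then-flush timing are simplifications assumed for the model.

```python
import ipaddress
import re

# Constructed sample input (not from a device): the ACL as the post builds it,
# before and after the explicit "deny any log" entry is appended.
ACL_BEFORE = """\
ip access-list standard AL_PERMIT_10
 permit 10.0.0.0 0.255.255.255
"""
ACL_AFTER = ACL_BEFORE + " deny any log\n"


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_standard_acl(text):
    """Parse a named standard ACL into entries numbered 10, 20, ... (IOS default)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    name = re.match(r"ip access-list standard (\S+)", lines[0]).group(1)
    entries = []
    for seq, line in enumerate(lines[1:], start=1):
        parts = line.split()
        action, log = parts[0], parts[-1] == "log"
        if parts[1] == "any":
            net, wc = "0.0.0.0", "255.255.255.255"
        elif parts[1] == "host":
            net, wc = parts[2], "0.0.0.0"
        elif len(parts) > 2 and re.fullmatch(r"[\d.]+", parts[2]):
            net, wc = parts[1], parts[2]
        else:
            net, wc = parts[1], "0.0.0.0"      # a bare address means one host
        entries.append({"seq": seq * 10, "action": action, "net": net, "wc": wc,
                        "log": log, "matches": 0, "pending": 0, "last": None})
    return name, entries


class StandardAcl:
    def __init__(self, text):
        self.name, self.entries = parse_standard_acl(text)
        self.implicit_denies = 0   # the router keeps no counter for these
        self.syslog = []

    def evaluate(self, src, dst):
        """Return True (permit) or False (deny) for a packet from src to dst."""
        for e in self.entries:
            if not wildcard_match(src, e["net"], e["wc"]):
                continue
            e["matches"] += 1
            e["last"] = (src, dst)
            if e["log"]:
                verb = "denied" if e["action"] == "deny" else "permitted"
                if e["matches"] == 1:
                    # The first hit is reported immediately ...
                    self.syslog.append(f"%SEC-6-IPACCESSLOGNP: list {self.name} "
                                       f"{verb} 0 {src} -> {dst}, 1 packet")
                else:
                    # ... later hits are batched until the router next reports.
                    e["pending"] += 1
            return e["action"] == "permit"
        # Nothing matched: the implicit deny. No counter and no log message.
        self.implicit_denies += 1
        return False

    def flush_log(self):
        """Emit the batched counts, as IOS does periodically for logged entries."""
        for e in self.entries:
            if e["log"] and e["pending"]:
                verb = "denied" if e["action"] == "deny" else "permitted"
                src, dst = e["last"]
                self.syslog.append(f"%SEC-6-IPACCESSLOGNP: list {self.name} "
                                   f"{verb} 0 {src} -> {dst}, {e['pending']} packets")
                e["pending"] = 0

    def show_access_lists(self):
        """Render the entries the way 'show access-lists' prints them."""
        out = [f"Standard IP access list {self.name}"]
        for e in self.entries:
            if e["wc"] == "255.255.255.255":
                target = "any"
            elif e["wc"] == "0.0.0.0":
                target = e["net"]
            else:
                target = f"{e['net']}, wildcard bits {e['wc']}"
            out.append(f"    {e['seq']} {e['action']:<6} {target}"
                       f"{' log' if e['log'] else ''} ({e['matches']} matches)")
        return out


if __name__ == "__main__":
    acl = StandardAcl(ACL_AFTER)
    for _ in range(5):
        acl.evaluate("1.1.1.1", "10.0.0.1")   # the ping from the post
    acl.flush_log()
    print("\n".join(acl.syslog + acl.show_access_lists()))
```

Run with ACL_BEFORE to see the point of the post: the 1.1.1.1 packets are dropped, but nothing in the syslog or the show output tells you so.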

I hope you are enjoying CCNA studies here at INE!

Searching for specific text using linenum and includes By David Bombal  

Sunday, March 07, 2010 1:10:01 AM

Here we are combining two powerful IOS commands to save time when searching for text.

If you want to learn more about the individual commands, please download our "Cool IOS Commands" EBook from http://www.ConfigureTerminal.com/Cool_IOS_Commands.html

In this example, we are looking to see if a dial-peer with a destination pattern of 1000 has been created, and we want to see what dial-peer number it is using. The first command we will use is:

         show run linenum | include 1000

This will display the text with the destination pattern as follows:

         Router#show run linenum | include 1000
         254 : destination-pattern 1000
         280 : number 1000
         306 : scheduler allocate 20000 1000

We can see that the destination pattern command is on line 254. Now we can do a show run starting with line number 253:

         Router#show run linenum | begin 253
         253 : dial-peer voice 1321 voip
         254 : destination-pattern 1000
         255 : session target ipv4:10.1.1.6

Thus we can see that the dial peer number used is 1321.

There are many cases where this can be used; another example would be with IPSec crypto maps or ISAKMP policies.

These commands can be used in many cases to save time when searching for text.

How to stop password recovery By David Bombal  

Sunday, March 07, 2010 1:08:11 AM

How do I disable password recovery? (Which version does it apply to?)

The command to stop password recovery is "no service password-recovery".

The "no service password-recovery" feature is a security enhancement that prevents anyone with console access from clearing the password and thereby gaining access to the router's configuration.

Please note that they will still be able to reset the router to factory defaults, but will not gain access to the configuration. It also prevents anyone from changing the configuration register values and accessing NVRAM.

Normally, when doing password recovery, you are able to get into privileged mode and copy the startup config to the running config.

VTY passwords - are they required and how to you configure them By David Bombal  

Sunday, March 07, 2010 1:06:26 AM

Here are 4 methods (CCNA/CCENT)

Here are two questions that a lot of new Cisco Engineers struggle with.

1) Are passwords required on vty lines?

2) How do you configure vty passwords?

Here we look at 4 options:

1) Line passwords

2) Local username passwords

3) No login

4) AAA

By default, when you telnet to the vty line of a router or switch, you will see the following output:

           C:\>telnet 10.1.2.1

           Password required, but none set

           [Connection to 10.1.2.1 closed by foreign host]

The router/switch drops your connection because a password is required for access to the router/switch. So, by default, you can see that a password is required to telnet to the vty lines of a router or switch.

Line passwords:

A password can be used on the line for access. This is easy to set up as there is only one password, but it is not very secure because everyone shares that single password and it is difficult to track who has made changes.

This is configured as follows:

           Router>enable
           Router#configure terminal
           Router(config)#line vty 0 4
           Router-2(config-line)#login
           % Login disabled on line 2, until 'password' is set
           % Login disabled on line 3, until 'password' is set
           % Login disabled on line 4, until 'password' is set
           % Login disabled on line 5, until 'password' is set
           % Login disabled on line 6, until 'password' is set
           Router(config-line)#password configureterminal.com

When a telnet connection is now made to the router, the router will prompt for a password:

           C:\>telnet 10.1.2.1

           User Access Verification
           Password:

Enter your password and you are now in user mode:

           Router>

Local usernames:

This is better than using a line password, as different users have their own individual passwords. Each user is required to enter their own password rather than using a shared one. This helps with logging which user has made changes to the router.

 

           Router>enable
           Router#configure terminal
           Router(config)#username david password configureterminal.com
           Router(config)#line vty 0 4
           Router-2(config-line)#login local

Testing:

           C:\>telnet 10.1.2.1

           User Access Verification
           Username:david
           Password:

Enter your password and you are now in user mode:

           Router>

No password (not recommended):

It is possible to set up a router to allow vty connections without authentication. This is not a good idea for the real world, but in a lab environment it can save time.

           Router>enable
           Router#configure terminal
           Router(config)#line vty 0 4
           Router-2(config-line)#no login

Testing:

           C:\>telnet 10.1.2.1

           Router>

Notice that no authentication was required. You are taken directly to user mode.

AAA servers:

This is the most secure and scalable way of implementing authentication. It uses a central server where all usernames and passwords are stored. A Windows 2000/2003 server could be used, for example, so that users use the same passwords on Windows and on routers/switches.

           Router>enable
           Router#configure terminal
           Router(config)#aaa new-model
           Router(config)#aaa authentication login default group tacacs+
           Router(config)#line vty 0 4
           Router(config-line)#login authentication default

Testing:

           C:\>telnet 10.1.2.1

           User Access Verification
           Username: david
           Password:
           Router>

As you can see, there are various ways to secure the vty lines on routers & switches. 

Using the power of regular expressions with Show commands By David Bombal 

Sunday, March 07, 2010 1:02:40 AM

This is an advanced topic, so get ready...

We have covered some basic regular expressions in our "Cool IOS Commands" EBook. Here I want to show you more complicated examples of how to use the power of regular expressions to filter output. This will allow the router to do the searching for text, rather than us doing it manually.

Regular expressions are used in many places in the IOS including BGP AS paths and Voice number translations. They are also used in other languages like Perl and TCL. Here however, we are going to concentrate on regular expressions with IOS show commands. We are going to use them to search for specific sets of strings.

A regular expression is a pattern (for example a phrase or a number) that can be used very effectively to filter output. Regular expressions are case-sensitive and allow for complex matching requirements.

I will start with some simple examples so that you can learn each regular expression character individually, and then we will combine them into more complicated strings. As always with programming, there are many ways to do things, so use your imagination:

^ Regular Expression
Use this to look for text at the beginning of a string.

For Example: ^123 matches 1234, but not 01234 or 91234

On a router we can demonstrate this as follows: (without any regular expressions)

          Router#show run | include ip
          ip cef
          no ip dhcp use vrf connected
          ip dhcp pool ITS
          option 150 ip 10.1.1.1
          no ip domain lookup
          voice service voip
          allow-connections h323 to sip
          allow-connections sip to h323
          allow-connections sip to sip
          ip address 192.168.10.1 255.255.255.0
          ip address 192.168.11.1 255.255.255.0
          ip address 192.168.12.1 255.255.255.0
          ip address 192.168.13.1 255.255.255.0
          ip address 192.168.14.1 255.255.255.0
          <MORE>

However, if we use the following:
          Router#show run | include ^ip

The output is:
          Router#show run | include ^ip
          ip cef
          ip dhcp pool ITS
          ip http server

Note - as expected, every line begins with "ip", the string we matched on.


$ Regular Expression:
Use this to look for text at the end of a string.

For example: 123$ matches 0123, but not 1234

On a router we can demonstrate this as follows: (without any regular expressions)

          Router#show run | include 1
          Current configuration : 5174 bytes
          ! Last configuration change at 15:27:21 UTC Wed Jan 24 2007
          ! NVRAM config last updated at 14:25:01 UTC Wed Jan 24 2007
          version 12.4
          network 10.1.1.0 255.255.255.0
          option 150 ip 10.1.1.1
          default-router 10.1.1.1
          source-address 10.1.1.1 port 5060
          create profile sync 0002381328447096
          voice register dn 1
          number 1100
          number 1101
          voice register pool 1
          id mac 0003.6B8B.174A
          number 1 dn 1
          codec g711ulaw
          ip address 192.168.10.1 255.255.255.0
          interface Loopback1
          ip address 192.168.11.1 255.255.255.0
          ip address 192.168.12.1 255.255.255.0
          ip address 192.168.13.1 255.255.255.0

But if we change it to:
          Router#show run | include 1$

The output is:
          Router#show run | include 1$
          voice register dn 1
          number 1101
          voice register pool 1
          number 1 dn 1
          interface Loopback1
          interface Loopback11
          interface Loopback21
          interface FastEthernet0/1
          session target ipv4:10.1.1.1
          session target ipv4:10.1.1.11
          session target ipv4:10.1.1.21
          session target ipv4:10.1.1.31
          session target ipv4:10.1.1.41
          session target ipv4:10.1.1.51
          session target ipv4:10.1.1.61
          number 1001
          ephone 1
          button 1:1

Note - as expected, every line ends with "1", the string we matched on.


. Regular Expression:
The "." matches any single character.

For example:
0.0 matches 0x0 and 020
t..t matches strings such as test, text, and tart

On a router, let's look for all lines that end in 0 and another single character:

          Router#sh run | include 0.$
          ! Last configuration change at 15:27:21 UTC Wed Jan 24 2007
          ! NVRAM config last updated at 14:25:01 UTC Wed Jan 24 2007
          load 7960-7940 P0S3-07-4-00
          number 1100
          number 1101
          clock rate 2000000
          destination-pattern 1000
          load 7910 P00405000700
          ip source-address 10.1.1.1 port 2000
          number 1000
          number 1001
          scheduler allocate 20000 1000
         
Note: All the lines end with 0 and another single character.


_ Regular Expression:
This replaces a long regular expression list by matching a comma (,), left brace ({), right brace (}), the beginning of the input string, the end of the input string, or a space.

The characters _1400_ can match any of the following strings:
          ^1400$
          ^1400space
          space1400
          {1400,
          ,1400,
          {1400}
          ,1400,

We are going to use it to look for a space. In the following example, we are looking for loopback interfaces whose name contains a 2:

          Router#show ip route | include k2
          C 192.168.12.0/24 is directly connected, Loopback2
          C 192.168.31.0/24 is directly connected, Loopback21
          C 192.168.30.0/24 is directly connected, Loopback20
          C 192.168.32.0/24 is directly connected, Loopback22
         
If, however, we use the "_" character, we see the following:

          Router#show ip route | include k2_
          C 192.168.12.0/24 is directly connected, Loopback2

Note: Only loopback interface 2 is displayed.


[ ] Regular Expression:
This matches the characters or a range of characters separated by a hyphen, within left and right square brackets.
[02468w] matches for example 0, 4, and w, but not 1, 9, or K

On a router we can demonstrate as follows:

          Router#show ip route | include k[1-9]
          C 192.168.12.0/24 is directly connected, Loopback2
          C 192.168.29.0/24 is directly connected, Loopback19
          C 192.168.28.0/24 is directly connected, Loopback18
          C 192.168.13.0/24 is directly connected, Loopback3
          C 192.168.14.0/24 is directly connected, Loopback4
          C 192.168.31.0/24 is directly connected, Loopback21
          C 192.168.30.0/24 is directly connected, Loopback20
          C 192.168.15.0/24 is directly connected, Loopback5
          C 192.168.25.0/24 is directly connected, Loopback15
          C 192.168.24.0/24 is directly connected, Loopback14
          C 192.168.27.0/24 is directly connected, Loopback17
          C 192.168.26.0/24 is directly connected, Loopback16
          C 192.168.11.0/24 is directly connected, Loopback1
          C 192.168.21.0/24 is directly connected, Loopback11
          C 192.168.20.0/24 is directly connected, Loopback10
          C 192.168.23.0/24 is directly connected, Loopback13
          C 192.168.22.0/24 is directly connected, Loopback12
          C 192.168.17.0/24 is directly connected, Loopback7
          C 192.168.16.0/24 is directly connected, Loopback6
          C 192.168.19.0/24 is directly connected, Loopback9
          C 192.168.32.0/24 is directly connected, Loopback22
          C 192.168.18.0/24 is directly connected, Loopback8
         
However, if we combine this with the "_" character:

          Router#show ip route | include k[1-9]_
          C 192.168.12.0/24 is directly connected, Loopback2
          C 192.168.13.0/24 is directly connected, Loopback3
          C 192.168.14.0/24 is directly connected, Loopback4
          C 192.168.15.0/24 is directly connected, Loopback5
          C 192.168.11.0/24 is directly connected, Loopback1
          C 192.168.17.0/24 is directly connected, Loopback7
          C 192.168.16.0/24 is directly connected, Loopback6
          C 192.168.19.0/24 is directly connected, Loopback9
          C 192.168.18.0/24 is directly connected, Loopback8
         

| Regular Expression:
Use the | as a logical or statement.
Matches one of the characters or character patterns on either side of the vertical bar.
A(B|C)D matches ABD and ACD, but not AD, ABCD, ABBD, or ACCD

As an example, if you want to look for routes in the routing table that contain 10 or 20:
          Router#show ip route | include 10|20
          C 192.168.10.0/24 is directly connected, Loopback0
          C 192.168.20.0/24 is directly connected, Loopback10


\ Regular Expression:
Use this if the following character is not a wildcard, but an actual character you are looking for.

As an example, if you do the following:

          Router#show running-config | include 10..

The result you get is:

          network 10.1.1.0 255.255.255.0
          option 150 ip 10.1.1.1
          default-router 10.1.1.1
          source-address 10.1.1.1 port 5060
          ip address 10.1.1.1 255.255.255.0
          destination-pattern 10..
          session target ipv4:10.1.1.1
          session target ipv4:10.1.1.6
          session target ipv4:10.1.1.11
          session target ipv4:10.1.1.16
          session target ipv4:10.1.1.21
          session target ipv4:10.1.1.26
          session target ipv4:10.1.1.31
          session target ipv4:10.1.1.36
          session target ipv4:10.1.1.41
          dial-peer voice 10 voip
          session target ipv4:10.1.1.46
          session target ipv4:10.1.1.51
          session target ipv4:10.1.1.56
          session target ipv4:10.1.1.61
          session target ipv4:10.1.1.66
          registrar ipv4:10.1.1.1 expires 60
          load 7910 P00405000700
          --More--

If you changed it to the following:

          Router#show running-config | include 10..$

The result is:

          destination-pattern 10..
          number 1000
          number 1001
          scheduler allocate 20000 1000

But if we now change it to use the "\" character, we can tell the router that we are actually looking for a ".", not using it as a wildcard:

          Router#show running-config | include 10\.\.

The result now is:

          destination-pattern 10..

Here is another example:

          Router#sh ip route | include \.20|\.10

This will look for any entries in the routing table that contain a "." followed by 20 or 10 (looking for the "." in the IP address).

The result is:

          C 192.168.10.0/24 is directly connected, Loopback0
          C 192.168.20.0/24 is directly connected, Loopback10


? Regular Expression:
This matches zero or one occurrence of the pattern. (Remember to precede the question mark with Ctrl-V sequence to prevent it from being interpreted as a help command.)
ba?b matches bb and bab

          route-views.oregon-ix.net>show ip route | include 25?5

          B     216.221.5.0/24 [20/2954] via 208.51.134.254, 1w1d          <========= 25 is matched
          B     210.51.225.0/24 [20/0] via 203.62.252.186, 2w3d
          B     204.255.51.0/24 [20/4294967294] via 144.228.241.81, 3w5d           <========= 255 is matched
          B     203.34.233.0/24 [20/0] via 203.62.252.186, 3w5d
          B     192.68.132.0/24 [20/0] via 216.218.252.145, 3w5d
          B     222.35.252.0/24 [20/559] via 64.125.0.137, 1w0d
          B     212.205.24.0/24 [20/7549] via 64.125.0.137, 2d05h
          B     212.103.178.0/24 [20/0] via 216.218.252.145, 2w3d
          B     209.50.226.0/24 [20/124] via 64.125.0.137, 3w5d
          B     208.50.227.0/24 [20/3107] via 208.51.134.254, 1d22h
          B     203.254.52.0/24 [20/0] via 213.140.32.146, 1w1d
          B     203.1.203.0/24 [20/0] via 203.62.252.186, 3d03h
          B     202.171.96.0/24 [20/361] via 129.250.0.11, 5d19h


+ Regular Expression:
This matches one or more sequences of the character preceding the plus sign.
5+ requires there to be at least one number 5 in the string to be matched

In this example we are searching for 0 followed by one or more 0's:

          Router#sh run | i 00+

          load 7960-7940 P0S3-07-4-00
          create profile sync 0002381328447097
          number 1100
          id mac 0003.6B8B.174A
          clock rate 2000000
          tftp-server flash:P0S3-07-4-00.bin
          tftp-server flash:P003-07-4-00.bin
          tftp-server flash:P0S3-07-4-00.loads
          tftp-server flash:P003-07-4-00.sbn
          tftp-server flash:P0S3-07-4-00.sb2
          tftp-server flash:P00405000700.bin
          tftp-server flash:P00405000700.sbn
          tftp-server flash:P0030702T023.bin
          tftp-server flash:P0030702T023.loads
          tftp-server flash:P0030702T023.sb2
          tftp-server flash:P0030702T023.sbn
          load 7910 P00405000700
          load 7960-7940 P0030702T023
          ip source-address 10.1.1.1 port 2000
          create cnf-files version-stamp 7960 Jan 28 2007 14:22:09
          number 1000
          number 1001

( ) Regular Expression:
Nest characters for matching. Separate endpoints of a range with a dash (-).
(18)* matches any number of the two-character string 18
([A-Za-z][0-9])+ matches one or more instances of letter-digit pairs: b8 and W4, as examples

          Router#sh run | i ([A-Za-z][0-9])+

          allow-connections h323 to sip
          allow-connections sip to h323
          load 7960-7940 P0S3-07-4-00
          id mac 0003.6B8B.174A
          codec g711ulaw
          interface Loopback0
          interface Loopback1
          interface Loopback2
          interface Loopback3
          interface Loopback4
          interface Loopback5
          interface Loopback6
          interface Loopback7
          interface Loopback8
          interface Loopback9
          interface Loopback10
          interface Loopback11
          interface Loopback12
          interface Loopback13
          interface Loopback14
          interface Loopback15

* Regular Expression:
Matches zero or more sequences of the character preceding the asterisk. Also acts as a wildcard for matching any number of characters.
0* matches any occurrence of the number 0 including none

10\..* matches the characters 10. and any characters that follow 10.


          Router#sh run | i 10\..*

          network 10.1.1.0 255.255.255.0
          option 150 ip 10.1.1.1
          default-router 10.1.1.1
          source-address 10.1.1.1 port 5060
          ip address 192.168.10.1 255.255.255.0
          ip address 10.1.1.1 255.255.255.0
          destination-pattern 10..
          session target ipv4:10.1.1.1
          session target ipv4:10.1.1.6
          session target ipv4:10.1.1.11
          session target ipv4:10.1.1.16
          session target ipv4:10.1.1.21
          session target ipv4:10.1.1.26
          session target ipv4:10.1.1.31
          session target ipv4:10.1.1.36
          session target ipv4:10.1.1.41
          session target ipv4:10.1.1.46
          session target ipv4:10.1.1.51
          session target ipv4:10.1.1.56
          session target ipv4:10.1.1.61
          session target ipv4:10.1.1.66

In this section we learnt about the different regular expressions and saw some examples. In the next section, let's use regular expressions on an Internet Backbone router.
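As an added example (not from either post, and not IOS code), the following Python reproduces the IOS output modifiers used in the "linenum" post above and throughout this regex post: include, exclude and begin, the linenum prefix, and a translation of the IOS-specific "_" anchor into a Python regular expression, run over a constructed running-config and routing table modelled on the snippets above. find_dial_peer() is an assumed helper that performs the two-step destination-pattern search from the linenum post.

```python
import re

# Constructed sample output, modelled on the snippets in the posts above
# (not a real device's configuration or routing table).
RUNNING_CONFIG = """\
version 12.4
ip cef
no ip dhcp use vrf connected
ip dhcp pool ITS
 network 10.1.1.0 255.255.255.0
 option 150 ip 10.1.1.1
no ip domain lookup
interface Loopback1
 ip address 192.168.11.1 255.255.255.0
interface Loopback2
 ip address 192.168.12.1 255.255.255.0
dial-peer voice 1321 voip
 destination-pattern 1000
 session target ipv4:10.1.1.6
dial-peer voice 10 voip
 destination-pattern 10..
 session target ipv4:10.1.1.11
scheduler allocate 20000 1000
"""

IP_ROUTE = """\
C 192.168.10.0/24 is directly connected, Loopback0
C 192.168.20.0/24 is directly connected, Loopback10
C 192.168.12.0/24 is directly connected, Loopback2
C 192.168.31.0/24 is directly connected, Loopback21
C 192.168.30.0/24 is directly connected, Loopback20
C 192.168.32.0/24 is directly connected, Loopback22
"""


def ios_to_python_regex(pattern):
    """Translate an IOS regular expression into a Python one.

    Only one construct differs for the examples on this page: in IOS '_'
    matches a comma, a left or right brace, a space, or the start or end of
    the line. Everything else (^ $ . [ ] | ( ) ? + * and backslash escapes)
    means the same in Python's re module.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])        # keep escapes such as \. intact
            i += 2
            continue
        out.append(r"(?:^|$|[,{} ])" if pattern[i] == "_" else pattern[i])
        i += 1
    return "".join(out)


def ios_filter(output, modifier, pattern, linenum=False):
    """Emulate 'show ... [linenum] | include|exclude|begin <regex>'.

    With linenum, the 'N : ' prefix is part of the text the filter sees,
    which is why 'begin 253' in the linenum post lands on line 253.
    """
    regex = re.compile(ios_to_python_regex(pattern))
    lines = output.splitlines()
    if linenum:
        lines = [f"{n} : {line}" for n, line in enumerate(lines, start=1)]
    if modifier == "include":
        return [line for line in lines if regex.search(line)]
    if modifier == "exclude":
        return [line for line in lines if not regex.search(line)]
    if modifier == "begin":
        for idx, line in enumerate(lines):
            if regex.search(line):
                return lines[idx:]
        return []
    raise ValueError(f"unknown output modifier: {modifier}")


def find_dial_peer(config, destination_pattern):
    """Two-step search from the linenum post: find the destination-pattern
    line, then 'begin' one line earlier to read the dial-peer number.
    re.escape keeps a pattern such as 10.. literal (the '\\' section)."""
    wanted = f"destination-pattern {re.escape(destination_pattern)}$"
    hits = ios_filter(config, "include", wanted, linenum=True)
    if not hits:
        return None
    line_no = int(hits[0].split(" : ")[0])
    block = ios_filter(config, "begin", f"^{line_no - 1} :", linenum=True)
    m = re.search(r"dial-peer voice (\d+)", block[0])
    return m.group(1) if m else None


if __name__ == "__main__":
    print("\n".join(ios_filter(IP_ROUTE, "include", "k2_")))
    print("dial-peer for 1000:", find_dial_peer(RUNNING_CONFIG, "1000"))
```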

Cisco IOS Macros By Richard Bannister 

Sunday, March 07, 2010 12:59:43 AM

Have you ever wanted a way of storing templates for certain port types? For example, an uplink port has a very different configuration from an access port. Consistency is key to good network administration, and that's why macros are a great tool.

What is Cisco's macro implementation?

The smartport macro feature was introduced in IOS version 12.1(20)EA1. Default templates are stored on your device; to view the commands stored in the macros, execute the following command:

         show parser macro

Each macro is a set of CLI commands that are defined and "wrapped up". When a macro is applied, the commands are simply dumped at that level. Global and interface-specific macros can be created, but we are going to focus on creating custom interface macros.

General guidelines:

Creating a macro is very similar to creating a banner: a character has to be used to identify the start and end of the macro; for example, "@" is used by default.
Names are case sensitive. When a macro is applied, all existing configuration is maintained; if more than one macro is applied, a description is amended to record a basic history. Macros are stored in the running-configuration until saved to the startup-configuration. If a macro is amended, the changes aren't sent to interfaces which already have the macro applied; the macro would need re-applying.

How to create a custom macro:

         configure terminal
         !=== Enter global configuration mode

         macro name macro-name
         !=== Create macro

         "Enter macro commands one per line.  End with the character '@'."
         cli command 1
         cli command 2
         cli command 3
         !=== Enter commands
         @
         !=== Finish macro

Apply macro:

        
         configure terminal
         interface FastEthernet0/1
         !=== Enter interface configuration
         macro apply macro-name
         !=== Apply macro

Verify:

         show running-config | be macro
         !=== Shortcut to first instance of the string "macro"

         macro name macro-name
         cli command 1
         cli command 2
         cli command 3
         @
         !=== Verify macro exists in config
         /FastEthernet0/1
         !=== Shortcut to string "FastEthernet0/1"
         cli command 1
         cli command 2
         cli command 3
         !=== Verify commands exist on interface

Parameters:

Not all IOS commands are fixed. For example, in the command "switchport access vlan ?", the ? represents a value which can change depending on the individual switchport. Cisco included the ability to define a parameter in a macro which, when the macro is applied, can be used to specify what the variable is.

For example:

         configure terminal
         macro name changevlan
         switchport access vlan $access
         @
         !=== Create macro

         interface FastEthernet 0/1
         macro apply changevlan $access 100
         !=== Apply macro - variable = 100 - put interface in vlan 100


Handy custom macro templates:

If some of the commands below don't make any sense whatsoever don't panic, a layer 2 security ebook covering many of them is in the first stages of creation.

         macro name data
         switchport
         switchport mode access
         switchport access vlan $access
         switchport port-security
         switchport port-security maximum 1
         switchport port-security aging time 2
         switchport port-security aging type inactivity
         switchport port-security violation protect
         spanning-tree portfast
         spanning-tree bpduguard enable
         spanning-tree bpdufilter enable
         ip dhcp snooping limit rate 10
         storm-control broadcast level 20.00
         storm-control multicast level 50.00
         storm-control unicast level 30.00
         storm-control action trap
         no cdp enable
         no snmp trap link-status
         @

         macro name datavoice
         switchport
         switchport mode access
         switchport access vlan $access
         switchport voice vlan $voice
         switchport port-security
         switchport port-security maximum 3
         switchport port-security aging time 2
         switchport port-security aging type inactivity
         switchport port-security violation protect
         srr-queue bandwidth share 10 10 60 20
         srr-queue bandwidth shape  10  0  0  0
         mls qos trust device cisco-phone
         mls qos trust cos
         auto qos voip cisco-phone
         spanning-tree portfast
         spanning-tree bpduguard enable
         spanning-tree bpdufilter enable
         ip dhcp snooping limit rate 10
         storm-control broadcast level 20.00
         storm-control multicast level 50.00
         storm-control unicast level 30.00
         storm-control action trap
         cdp enable
         no snmp trap link-status
         @

         macro name uplink
         switchport trunk encapsulation dot1q
         switchport mode trunk
         switchport trunk native vlan $native
         switchport trunk allowed vlan all
         switchport nonegotiate
         auto qos voip trust
         mls qos trust dscp
         spanning-tree link-type point-to-point
         ip arp inspection trust
         ip dhcp snooping trust
         ip dhcp snooping limit rate 100
         ip dhcp relay information trusted
         flowcontrol receive desired
         udld port
         cdp enable
         snmp trap link-status
         @

Handy tips

A macro may contain the entire configuration wanted on an interface. If this is the case and you want to ensure that the interface configuration is blank first, use the default interface command before applying the macro:

         configure terminal
         default interface FastEthernet0/1
         interface FastEthernet0/1
         macro apply data $access 100

To apply a macro to more than one interface simply use the interface range command:

          configure terminal
          interface range FastEthernet 0/1 - 24
          macro apply data $access 100

If AAA is offloaded to a TACACS server for config-command authorization, applying a macro to an interface range can fail due to the delay created by the request and approval procedure for each command. I have found that, although it's a little naughty, the following can get around this:

          configure terminal
          no aaa new-model
          default interface range FastEthernet0/1 - 24
          interface range FastEthernet0/1 - 24
          macro apply data $access 100
          exit
          aaa new-model

Macro descriptions can be managed like a normal interface description:

          configure terminal
          interface FastEthernet0/1
          no macro description
          macro description data

"macro trace macro-name" instead of "macro apply macro-name" will display commands as they are entered

Modifying macros isn't possible; creating a macro with the same name will overwrite the existing macro (ensure all commands are present).

Don't use exit or end within a macro, this can cause commands to be executed at a different level.

I have found that macro configuration cannot be rolled out to devices using certain management tools so bear this in mind.
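The definition syntax, $parameter substitution, description history, exit/end rule and interface-range application described in this post, as an added Python model (not Cisco's implementation and not code from the post). The "macro description a | b" history format, the helper names parse_macros(), expand_range() and apply_macro(), and the deliberately wrong "broken" macro are assumptions constructed for the example.

```python
import re

# Constructed sample: the "changevlan" macro from the post, the start of the
# "data" template, and a "broken" macro that violates the exit/end rule,
# in the form macros appear in a running-config.
MACRO_CONFIG = """\
macro name changevlan
switchport access vlan $access
@
macro name data
switchport
switchport mode access
switchport access vlan $access
switchport port-security
spanning-tree portfast
@
macro name broken
switchport mode access
exit
@
"""


def parse_macros(config, terminator="@"):
    """Return {name: [cli lines]} from 'macro name X ... @' blocks."""
    macros, current, body = {}, None, []
    for line in config.splitlines():
        if current is None:
            m = re.match(r"macro name (\S+)", line)
            if m:
                current, body = m.group(1), []
        elif line.strip() == terminator:
            macros[current] = body
            current = None
        else:
            body.append(line)
    return macros


def expand_range(spec):
    """'FastEthernet0/1 - 24' -> ['FastEthernet0/1', ..., 'FastEthernet0/24']."""
    m = re.fullmatch(r"\s*(.+?)(\d+)\s*-\s*(\d+)\s*", spec)
    if not m:
        return [spec.strip()]
    prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(first, last + 1)]


def apply_macro(macros, name, params, interfaces, descriptions):
    """Expand macro 'name' onto each interface, substituting $parameters.

    Raises KeyError for an unknown macro (names are case sensitive) and
    ValueError for a missing $parameter or an exit/end line in the body.
    'descriptions' maps interface -> macro description and is updated to
    record the history ("first | second"), the format assumed here.
    """
    expanded = []
    for line in macros[name]:
        if line.strip() in ("exit", "end"):
            raise ValueError(f"macro {name}: '{line.strip()}' would leave interface mode")
        for var in re.findall(r"\$(\w+)", line):
            if var not in params:
                raise ValueError(f"macro {name}: value for ${var} not supplied")
            line = line.replace(f"${var}", str(params[var]))
        expanded.append(line)
    commands = []
    for intf in interfaces:
        prev = descriptions.get(intf)
        descriptions[intf] = f"{prev} | {name}" if prev else name
        commands.append(f"interface {intf}")
        commands.extend(f" {cmd}" for cmd in expanded)
        commands.append(f" macro description {descriptions[intf]}")
    return commands


if __name__ == "__main__":
    macros = parse_macros(MACRO_CONFIG)
    history = {}
    for cmd in apply_macro(macros, "data", {"access": 100},
                           expand_range("FastEthernet0/1 - 24"), history):
        print(cmd)
```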

 

How to force a minimum password length on a router By David Bombal 

Sunday, March 07, 2010 12:58:13 AM

By default, you can set a password of a single character, or any very short password, on a router. This is obviously a security risk. It is better to force passwords to a minimum length of 8 or more characters.

The command for this was introduced in IOS version 12.3(1). The default length is 6 characters.

To set a minimum password length, enter the following commands:

         Router>enable
         Router#configure terminal
         Router(config)#security passwords min-length 8

If a user now attempts to set the enable password to cisco, for example, the following happens:

         Router(config)#enable password cisco
         % Password too short - must be at least 8 characters. Password configuration failed
         Router(config)#

OR

        Router(config)#username david password cisco
        % Password too short - must be at least 8 characters. Password configuration failed
        Router(config)#

It is recommended that you do this to ensure better security.

Archive running-config By David Bombal  

Sunday, March 07, 2010 12:55:59 AM

To save a copy of the current running configuration to the Cisco IOS configuration archive, use the archive config command in privileged EXEC mode.

         archive config

The Cisco IOS configuration archive is intended to provide a mechanism to store, organize, and manage an archive of Cisco IOS configuration files in order to enhance the configuration rollback capability provided by the configure replace command. Before this feature was introduced, you could save copies of the running configuration using the copy running-config destination-url command, storing the target file either locally or remotely. However, this method lacked any automated file management. On the other hand, the Configuration Replace and Configuration Rollback feature provides the capability to automatically save copies of the running configuration to the Cisco IOS configuration archive. These archived files serve as checkpoint configuration references and can be used by the configure replace command to revert to previous configuration states.

The archive config command allows you to save Cisco IOS configurations in the configuration archive using a standard location and filename prefix that is automatically appended with an incremental version number (and optional timestamp) as each consecutive file is saved. This functionality provides a means for consistent identification of saved Cisco IOS configuration files. You can specify how many versions of the running configuration will be kept in the archive. After the maximum number of files has been saved in the archive, the oldest file will be automatically deleted when the next, most recent file is saved. The show archive command displays information for all configuration files saved in the Cisco IOS configuration archive.

Examples
The following example shows how to save the current running configuration to the Cisco IOS configuration archive using the archive config command. Before using the archive config command, you must configure the path command in order to specify the location and filename prefix for the files in the Cisco IOS configuration archive. In this example, the location and filename prefix is specified as flash:myconfig as follows:

         Router# configure terminal
         Router(config)# archive
         Router(config-archive)# path flash:myconfig


You then save the current running configuration in the configuration archive as follows:

          Router# archive config

The show archive command displays information on the files saved in the configuration archive as shown in the following sample output:

         Router#show archive
         There are currently 3 archive configurations saved.
         The next archive file will be named flash:myconfig-3
         Archive # Name
         0
         1 flash:myconfig-1
         2 flash:myconfig-2 <- Most Recent
         3
         4
         5
         6
         7
         8
         9
         10
         11
         12
         13
         14

To restore the config, you can do the following:

         r1#configure replace flash:myconfig-2
         This will apply all necessary additions and deletions
         to replace the current running configuration with the
         contents of the specified configuration file, which is
         assumed to be a complete configuration, not a partial
         configuration. Enter Y if you are sure you want to proceed. ? [no]: y
         Total number of passes: 0
         Rollback Done

The archive command is great for keeping multiple copies of the running config in an archive.

How to upload an IOS to a router without TFTP or FTP By Ian Castleman (CCIE) 

Sunday, March 07, 2010 12:53:28 AM

I've just been updating some remote IOS images and thought a description of the method might be useful for a future newsletter, as it's not really documented very well on CCO:

Rather than setting up public FTP or TFTP servers and changing access-lists, etc. to download IOS images to remote routers, you can use SCP to copy the image to the router, as long as you have SSH access to the device. It's a bit slow, but it does the trick.

To enable SCP on the router, use the command "ip scp server enable".

Then use the PuTTY SCP client "pscp" to upload the image, e.g. "pscp -C c:\iosimages\c2800nm-advipservicesk9-mz.124-15.T3.bin sshuser@u.x.y.z:c2800nm-advipservicesk9-mz.124-15.T3.bin" (no space after the colon; the remote filename follows it directly). The -C switch just adds compression, and the rest of the command is basically just pscp [source] [destination].

Of course, make sure you have sufficient space on the router's flash or this will fail, and always have a backup plan in case things go wrong!

Here is the full config required:


        ! AAA authentication and authorization must be configured properly for SCP to work.

        aaa new-model

        aaa authentication login default local

        aaa authorization exec default local

        username sshuser privilege 15 secret 0 password

        ! SSH must be configured and functioning properly.

        ip ssh time-out 120

        ip ssh authentication-retries 3

        ip scp server enable
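The three posts above (minimum password length, the configuration archive, and the SCP server config) each describe a setting you would want to confirm is present on every router. The script below is an added example, not code from any of the posts: it audits a saved running-config as plain text and reports which of those settings are missing or weak. The two sample configs are constructed here to show a "before" and "after" state, and the SCP check looks for exactly the AAA commands listed in the SCP post (a real deployment might use named method lists instead).

```python
"""Audit a saved Cisco IOS running-config for the hardening settings discussed above.

Added example (not from the original posts). Both configs below are
constructed sample text, not captures from a real router.
"""
import re

# Constructed sample: a router before the hardening steps were applied.
WEAK_CONFIG = """\
hostname r1
!
username david password 0 cisco
!
ip scp server enable
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
!
end
"""

# Constructed sample: after applying the min-length, archive and SCP posts.
# The secret hash is a placeholder, not a real type-5 hash.
HARDENED_CONFIG = """\
hostname r1
!
security passwords min-length 8
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
username sshuser privilege 15 secret 5 $1$constructed$hashvalue
!
archive
 path flash:myconfig
!
ip ssh time-out 120
ip ssh authentication-retries 3
ip scp server enable
!
end
"""

MIN_LENGTH_WANTED = 8  # the value the min-length post recommends


def parse_blocks(config):
    """Split a config into (top-level line, [indented sub-lines]) pairs.

    IOS writes sub-mode commands with a leading space, so a block ends at the
    next line without leading whitespace; '!' separators are dropped.
    """
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return a sorted list of finding identifiers; an empty list means clean."""
    blocks = parse_blocks(config)
    top = [line for line, _ in blocks]
    findings = []

    # 1. Minimum password length: missing, or below the recommended value.
    min_len = None
    for line in top:
        m = re.fullmatch(r"security passwords min-length (\d+)", line)
        if m:
            min_len = int(m.group(1))
    if min_len is None:
        findings.append("min-length-not-set")
    elif min_len < MIN_LENGTH_WANTED:
        findings.append("min-length-below-%d" % MIN_LENGTH_WANTED)

    # 2. Local accounts stored with 'password' (type 0 or 7, reversible)
    #    rather than 'secret' (hashed), as the SCP post's username line uses.
    for line in top:
        m = re.fullmatch(r"username (\S+)(?: privilege \d+)? password .*", line)
        if m:
            findings.append("cleartext-password-user-" + m.group(1))

    # 3. SCP server enabled without the AAA commands the SCP post requires.
    if "ip scp server enable" in top:
        needed = {
            "aaa new-model": "scp-without-aaa-new-model",
            "aaa authentication login default local": "scp-without-login-auth",
            "aaa authorization exec default local": "scp-without-exec-authz",
        }
        for cmd, finding in needed.items():
            if cmd not in top:
                findings.append(finding)

    # 4. The configuration archive needs a 'path', or 'archive config' has
    #    nowhere to save checkpoints.
    archive = next((subs for line, subs in blocks if line == "archive"), None)
    if archive is None:
        findings.append("archive-not-configured")
    elif not any(s.startswith("path ") for s in archive):
        findings.append("archive-without-path")

    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Point the script at the output of show running-config saved to a file (or at an archive file such as flash:myconfig-2 copied off the box) and compare the two lists; the hardened sample should come back empty.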

Overwrite running config rather than merge By David Bombal  

Sunday, March 07, 2010 12:51:22 AM

To replace the current running configuration with a saved Cisco IOS configuration file, use the configure replace command in privileged EXEC mode.

         Router#configure replace flash:test.cfg

This command replaces (NOTE: it does not merge) the running config with the config in the file test.cfg. The command was introduced in 12.3(7)T.

Here is an example of the effect:

         Router#sh ip int brief
         Interface           IP-Address      OK? Method Status                Protocol
         FastEthernet0/0     10.10.10.3      YES manual up                    up
         FastEthernet0/1     10.1.1.1        YES manual up                    up
         Serial0/3/0         unassigned      YES unset  administratively down down

         Router#configure replace flash:test.cfg
         This will apply all necessary additions and deletions
         to replace the current running configuration with the
         contents of the specified configuration file, which is
         assumed to be a complete configuration, not a partial
         configuration. Enter Y if you are sure you want to proceed. ? [no]: y
         Total number of passes: 1
         Rollback Done

         r1#
         Dec 18 00:44:05.927: Rollback:Acquired Configuration lock.
         Dec 18 00:44:07.703: %PARSER-3-CONFIGNOTLOCKED: Unlock requested by process '3'.
         Configuration not locked.
         Dec 18 00:44:08.819: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

         r1#sh ip int brief
         Interface           IP-Address      OK? Method Status                Protocol
         FastEthernet0/0     10.10.10.3      YES manual up                    up
         FastEthernet0/1     10.1.1.1        YES manual administratively down down
         Serial0/3/0         unassigned      YES unset  administratively down down


NOTE the following:
          1) Router name has changed
          2) FastEthernet 0/1 no longer has an IP address
          3) FastEthernet 0/1 is shutdown

This is great: rather than just MERGING a config, the command REPLACES it, so anything in the running config that the file does not contain is removed. You can replace the running-config from many sources:

          r1#configure replace ?
          archive: URL of config file that will replace running-config
          cns: URL of config file that will replace running-config
          flash: URL of config file that will replace running-config
          ftp: URL of config file that will replace running-config
          http: URL of config file that will replace running-config
          https: URL of config file that will replace running-config
          null: URL of config file that will replace running-config
          nvram: URL of config file that will replace running-config
          pram: URL of config file that will replace running-config
          rcp: URL of config file that will replace running-config
          scp: URL of config file that will replace running-config
          system: URL of config file that will replace running-config
          tftp: URL of config file that will replace running-config
          xmodem: URL of config file that will replace running-config
          ymodem: URL of config file that will replace running-config

You could thus have a backup config in flash or on a TFTP server and restore immediately to running config.
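The difference between merging a file into the running config and replacing it is easiest to see by computing both outcomes from the same two files. The script below is an added example, not code from the post: it parses two constructed configs (a running config with hostname Router and an addressed FastEthernet0/1, and a stand-in for flash:test.cfg that renames the router and shuts the interface, matching the three NOTEs above) and shows the additions and deletions configure replace would issue versus what a merge would leave behind. The command keying is a simplification of how IOS decides which line overrides which.

```python
"""Show what 'configure replace' does that a merge does not.

Added example (not from the original post): the two configs below are
constructed to reproduce the three NOTEs above (hostname change, address
removed from FastEthernet0/1, FastEthernet0/1 shut down).
"""
import copy

# Constructed sample of the running-config before the replace.
RUNNING_CONFIG = """\
hostname Router
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/3/0
 shutdown
!
end
"""

# Constructed sample standing in for flash:test.cfg.
TARGET_CONFIG = """\
hostname r1
!
interface FastEthernet0/0
 ip address 10.10.10.3 255.255.255.0
!
interface FastEthernet0/1
 shutdown
!
interface Serial0/3/0
 shutdown
!
end
"""


def cmd_key(line):
    """Key under which a later command overrides an earlier one.

    Simplified model: 'ip <word>' commands are keyed on two words, everything
    else on its first word, and a leading 'no' is ignored so that
    'no shutdown' overrides 'shutdown'. Real IOS keying varies per command.
    """
    words = line.split()
    if words[0] == "no":
        words = words[1:]
    if words[0] == "ip" and len(words) > 1:
        return "ip " + words[1]
    return words[0]


def parse_config(text):
    """Return {section: {key: line}}; 'global' holds top-level commands."""
    sections = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            continue
        if raw.startswith(" "):
            sections[current][cmd_key(stripped)] = stripped
        elif stripped.startswith("interface "):
            current = stripped
            sections.setdefault(current, {})
        else:
            current = "global"
            sections["global"][cmd_key(stripped)] = stripped
    return sections


def merge(running_text, target_text):
    """Merge semantics (copy file running-config): target lines are applied on
    top of the running config, so anything the target does not mention stays."""
    merged = copy.deepcopy(parse_config(running_text))
    for section, cmds in parse_config(target_text).items():
        merged.setdefault(section, {}).update(cmds)
    return merged


def replace_delta(running_text, target_text):
    """The additions and deletions 'configure replace' must issue so that the
    running config becomes exactly the target (a complete, not partial, file)."""
    running = parse_config(running_text)
    target = parse_config(target_text)
    delta = []
    for section in sorted(set(running) | set(target)):
        old_cmds = running.get(section, {})
        new_cmds = target.get(section, {})
        lines = []
        for key in sorted(set(old_cmds) | set(new_cmds)):
            old, new = old_cmds.get(key), new_cmds.get(key)
            if old == new:
                continue
            lines.append(new if new is not None else "no " + old)
        if not lines:
            continue
        if section == "global":
            delta.extend(lines)
        else:
            delta.append(section)
            delta.extend(" " + l for l in lines)
    return delta


if __name__ == "__main__":
    print("\n".join(replace_delta(RUNNING_CONFIG, TARGET_CONFIG)))
    fa1 = merge(RUNNING_CONFIG, TARGET_CONFIG)["interface FastEthernet0/1"]
    print("a merge would leave on Fa0/1:", sorted(fa1.values()))
```

Running it prints the replace delta (hostname r1, then "no ip address" and "shutdown" under FastEthernet0/1) and shows that a merge would have kept the 10.1.1.1 address on the now shut-down interface, which is exactly the residue configure replace is there to avoid.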
