O'Reilly Network    
 Published on O'Reilly Network (http://www.oreillynet.com/)
 See this if you're having trouble printing code examples


[ Donkey ]

Top Ten Cisco IOS Tips

by James Boney, author of Cisco IOS in a Nutshell
01/02/2002

When O'Reilly asked me to write a collection of hints and tips about Cisco routers, I knew that it would be difficult to come up with a list that would do justice to all the various features of a Cisco IOS device.

In hopes of making the list smaller and more useful, I decided to list ten tips that discuss situations I have encountered either through my own experience or that were sparked by other people's questions. Some of these hints are simple while others a little more advanced. Whether you are a novice or an expert, I hope you will find them useful.

  1. Commands take effect right away.

    If you are an experienced Cisco router user, you probably just groaned. However, I find that this concept escapes new users.

    As you type commands into the configuration mode, they immediately take effect. For example, if we change the router's name, we see that the very next line contains the new router name:

    
        Router1#config terminal
        Enter configuration commands, one per line.  End with CNTL/Z.
        Router1(config)#hostname MyRouter
        MyRouter(config)#^Z
        MyRouter#
    

    As you can see, we changed the router's name to MyRouter, which was immediately processed. This concept applies to everything in the router's configuration mode.

  2. Use all the descriptions you can.

  3. In the router's configuration, there are certain commands that let you document various portions of a configuration. For example, the interface description command, an access-list remark command, or a banner message. All of these commands stay within the router configuration, which helps greatly when you are trying to configure or troubleshoot a router.

    Here's an example of a description on an interface:

    
        ! Here is an interface description. 
        ! Document as much about the interface as possible
        interface Serial0
            description Connection To Irvine: Wan ID [23499]

    The available banner messages are the message of the day, or MOTD, login, incoming, and exec. Consult the documentation or Cisco IOS in a Nutshell for a description of each. Here is an example of the MOTD banner, which is the first message a person sees when connecting to the device:

    
        MyRouter(config)#banner motd #
        Enter TEXT message.  End with the character '#'.
            Welcome to MyRouter.
        Some legalese should go here about unauthorized access.
        #
    

    The remark statement in an access-list is a relatively new feature. It first appeared in version 12.0(2)T of the IOS. This handy command allows you to make an entry in your access-list that describes what you are trying to accomplish. The comment can be up to 100 characters in length. statements work for both numbered and named access-lists.

    
        access-list 1 remark Permit our private network through the list
        access-list 1 permit 10.1.1.0 0.0.0.255
        access-list 1 remark Just deny everything else
        access-list 1 deny any

    You might be wondering about commenting a configuration with the "!" symbol.

    Yes, you can comment a configuration with a "!" as I have done in the above examples. However, these comments do not stay in the router configuration. They are great when you are working on a configuration offline in a text editor. (Where you plan to upload the configuration to a router.)

    However, these "!" comments will get lost when you send the configuration to the router because the router ignores them.

  4. The reload command can get you out of a jam.

    Related Reading

    Cisco IOS in a NutshellCisco IOS in a Nutshell
    By James Boney
    December 2001
    Table of Contents
    Index
    Sample Excerpt
    Full Description

    No matter how well you plan an upgrade, you are eventually going to need to change a router configuration remotely. If you make a mistake and can no longer get to the router because of the change you made, you have to make the embarrassing call to someone to go "hit the power." The power cycle takes the router back to the original starting configuration because your change was never saved. In other words, since you lost connection, you couldn't type "copy run start" to save your changes.

    One of the classic mistakes (I know because I have done it myself a number of times) is to incorrectly update an access-list on an interface when you are connected to the device remotely. And suddenly, the Telnet connection is dropped to the router because of a forgotten list entry that would permit your incoming connection.

    There is another way. When you are doing something tricky, you can use the following feature of the reload command, which causes the router to reboot in a certain number of minutes. For example, let's tell the router to reboot in three minutes.

    
        MyRouter#reload in 3
            Reload scheduled in 3 minutes
        Proceed with reload? [confirm]y
    

    Now, we have three minutes to do what we need to do. Let's say we are applying an access-list to serial0.

    
        MyRouter#config terminal
        Enter configuration commands, one per line.  End with CNTL/Z.
        MyRouter(config)#interface serial0
        MyRouter(config-if)#ip access-group 110 in
        MyRouter(config-if)#^Z
        MyRouter#
    

    We made the change and everything still works. (Well, at least our connection wasn't dropped.) Now all we have to do cancel the impending reload with the following command:

    
        MyRouter#reload cancel
    

    Or, if our access-list update did destroy our connection to the router, all we need to do is wait three minutes (plus the router's reload time) before the router is back online. After the reload, the router uses the original saved configuration before our access-list change.

  5. Don't forget to add either an enable password or an enable secret password.

    If you are planning to telnet into your router remotely, you need to add an enable password or enable secret password, or the router will not allow you to go to enable mode. Of course, it goes without saying that adding an enable password is always a good thing.

    
        ! Enable service password-encryption if it isn't already.
        service password-encryption
        ! Here is our enable password, which is ok 
        ! but not too secure.
        enable password 7 141B171F01012325
        ! Here is our enable secret, much better.
        enable secret 5 $1$99Jc$dxVXUkwMM3Edvj7f0SUrL/
    

    Don't forget that "enable secret" overrides the "enable" password. Just be safe and use the enable secret command. The enable secret uses a better encryption method to encode the password.

  6. Stopping the router from trying to telnet.

    This is often an annoying problem. Mistype a command and the router thinks you just typed a hostname. For example:

    
        MyRouter#shwo
        Translating "shwo"...domain server (10.1.1.2)
        % Unknown command or computer name, or unable to find computer address
        MyRouter#
    

    Here, we just mistyped the word show. We didn't want to telnet to a device named "shwo." The way to handle this is to change the preferred transport method:

    
        ! Console port
        line con 0
            transport preferred none
        ! VTY Ports
        line vty 0 5
            transport preferred none
    

    The output shows the lack of a failed connection based on our mistyped keyword:

    
        MyRouter#shwo
            ^
        % Invalid input detected at '^' marker.
    

  1. Two common access-list pitfalls.

    The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall.

    For example, you just configured an access-list on your DSL link for your home router. All of the sudden, when you send big transmissions like a large email attachment, you find your connections timing out or closing unexpectedly. Unsure, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You ask yourself what happened as you review the access-list. Well, the problem is as simple as not permitting ICMP through your list.

    As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. But in reality, it plays a very important role. In the problem I just described, it sounds like an MTU (Maximum Transmission Unit) or source-quench problem, which means the ICMP information isn't getting through the access-list. Either way, add the following commands to your access-list and your problems might go away:

    
        ! allow pings into the network
        access-list 110 permit icmp any any echo
        ! allow ping responses
        access-list 110 permit icmp any any echo-reply
        ! allow ICMP source-quench 
        access-list 110 permit icmp any any source-quench
        ! allow path MTU discovery
        access-list 110 permit icmp any any packet-too-big
        ! allow time-exceeded, which is useful for traceroute
        access-list 110 permit icmp any any time-exceeded
        ! deny all other ICMP packets
        access-list 110 deny icmp any any
    

    A second common access-list pitfall is when people forget to allow DNS (Domain Name Servers) from their internal network to the provider's DNS servers. Mainly this is a problem on home or small office routers where you might not have an internal DNS server running.

    The following command allows DNS access from your hosts to the outside DNS server. In this example, our outside DNS servers are 172.16.1.1 and 172.30.1.1

    
        access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
        access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023 
    
  2. Useful show commands.

    Configuration of a router is only half the battle. Without a good toolbox of show commands, configuring your router properly will be very difficult. Throughout the tutorial section of my book, I tried to include the appropriate show commands for each topic.

    But here are some of the most useful show commands that you should have at a minimum. Of course, the bias here is towards IP.

    show ip arp
    Displays the entire ARP (Address Resolution Protocol)table, which is the MAC-to-IP resolution table.

    show version
    This command gives a good amount of information; the IOS version you are running, the available interfaces, the system uptime, the last reload reason, and the configuration register setting.

    show ip protocols
    Displays information about the currently running routing protocols.

    show ip route
    The old standby, which displays the entire IP route table.

    show ip route summary
    Gives a very useful summary of the IP route table.

    show ip interface
    Gives a summary of each interface from the IP level.

    show ip interface brief
    A very brief summary of each interface.

    show ip traffic
    An extensive summary of IP traffic statistics on the router.

    show access-list
    This useful command not only shows the all the currently configured access-lists, but it also shows you the number of hits each line has received. You can use this information to better troubleshoot your access-lists.

    show cdp neighbors
    Assuming you have CDP enabled, this command gives you a report of all Cisco devices that the current device is connected to. CDP stands for Cisco Discovery Protocol, which can be an invaluable tool.

    show cdp neighbors detail
    This command gives even more information about CDP neighbors.
  3. Learn the command-line editing keys.

    When spending time on a Cisco IOS device, it is good to know some of the hot keys. People are always surprised (so it seems) that these editing keys even exist. If you are familiar with Unix, these commands will also look familiar. (The Bash shell, for example, uses a very similar list of keys.)

    The entire list is included in Cisco IOS in a Nutshell. But here are a few to get you started:

    
    Control A      Goes to the beginning of the line
    Control E      Goes to the end of the line
    Control K      Deletes everything to the right of the cursor
    Control P      Recalls the previous command in the history buffer
    Control N      Recalls the next command in the history buffer
    
  4. A common frame-relay misunderstanding.

    The encapsulation type on the physical interface must be set to frame-relay before any sub-interfaces can be created. The default encapsulation type is usually HDLC (High-level Data Link Control).

    So, before starting to create our frame-relay sub-interfaces, we need to first set the encapsulation type to frame-relay on the physical interface:

    
        interface serial0
            encapsulation frame-relay
    

    Now we can create our sub-interfaces:

    
        interface serial0.1 point-to-point
            description This is our first sub interface for serial1
    
  5. Setting the bandwidth on serial links.

    Setting the bandwidth on a serial interface has nothing to do with the actual link speed. Rather, it provides the value that some routing protocols use in calculating routing metrics. The default bandwidth is 1.544mps, which is the speed of a T1 link.

    However, if you aren't using a T1, setting your bandwidth on serial links is always a good (and sometimes forgotten) idea.

    
        interface serial0
            description This is a 56k link
            bandwidth 56
    

    That's it for now. I hope these tips will help you avoid some of the common pitfalls of dealing with Cisco IOS devices.

James Boney is a consultant specializing in a wide variety of subjects, including network design, network management, Unix administration, and programming.


O'Reilly & Associates recently released (December 2001) Cisco IOS in a Nutshell.

Return to the O'Reilly Network.

Copyright © 2009 O'Reilly Media, Inc.