Top Ten Cisco IOS Tips
Two common access-list pitfalls.
The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall.
For example, you have just configured an access-list on the DSL link of your home router. All of a sudden, when you send something big, such as a large email attachment, you find your connections timing out or closing unexpectedly. Unsure of the cause, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You review the access-list and ask yourself what happened. The problem is as simple as not permitting ICMP through your list.
As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. In reality, it plays a very important role. The symptoms I just described point to path MTU (Maximum Transmission Unit) discovery or source-quench messages being dropped by the access-list: a router on the path tells the sender that its packets are too big (the ICMP "fragmentation needed" message, which IOS calls packet-too-big), the access-list discards that message, and the sender keeps retransmitting packets that never get through, so large transfers stall. Either way, add the following entries to your access-list and the problem should go away:
! allow pings into the network
access-list 110 permit icmp any any echo
! allow ping responses
access-list 110 permit icmp any any echo-reply
! allow ICMP source-quench
access-list 110 permit icmp any any source-quench
! allow path MTU discovery
access-list 110 permit icmp any any packet-too-big
! allow time-exceeded, which is useful for traceroute
access-list 110 permit icmp any any time-exceeded
! deny all other ICMP packets
access-list 110 deny icmp any any
Two points worth knowing about this list. The echo line makes every host behind the router answer pings from the outside; if you only need to ping out, leave that line off and keep echo-reply, which admits the answers to your own pings. And the final deny is there to make the intent explicit; every IOS access-list ends with an implicit deny of everything that no line permitted, which is exactly why the ICMP entries were needed in the first place.
A second common access-list pitfall is forgetting to allow DNS (Domain Name System) replies from the provider's DNS servers back to the internal network. Mainly this is a problem on home or small-office routers where you don't run an internal DNS server.
The following entries make DNS work through the list. Read them carefully: the source is the DNS server on port domain (53) and the destination is an unprivileged port, so these lines permit the replies coming back to your hosts; the queries themselves go out under whatever your outbound policy allows. In this example, our outside DNS servers are 172.16.1.1 and 172.30.1.1:
access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023
Note that these entries trust any UDP packet those two addresses send from port 53 toward any high port on any host; if your router does not translate addresses, narrow the destination from any to your own address range. (If it does NAT, the inbound list sees the translated outside address, not the LAN address, so any is what works.)
Useful show commands.
Configuration of a router is only half the battle. Without a good toolbox of show commands, configuring your router properly will be very difficult. Throughout the tutorial section of my book, I tried to include the appropriate show commands for each topic. Here are some of the most useful show commands that you should know at a minimum. Of course, the bias here is towards IP.
show ip arp - Displays the entire ARP (Address Resolution Protocol) table, which maps IP addresses to MAC addresses.
show version - Gives a good amount of information: the IOS version you are running, the available interfaces, the system uptime, the last reload reason, and the configuration register setting.
show ip protocols - Displays information about the currently running routing protocols.
show ip route - The old standby, which displays the entire IP route table.
show ip route summary - Gives a very useful summary of the IP route table.
show ip interface - Gives a summary of each interface from the IP level.
show ip interface brief - A very brief summary of each interface.
show ip traffic - An extensive summary of IP traffic statistics on the router.
show access-lists - This useful command not only shows all the currently configured access-lists, but also shows you the number of hits (matches) each line has received. You can use this information to troubleshoot your access-lists: a line that never matches may be misordered or unnecessary, and a climbing count on a deny line tells you what is being blocked.
show cdp neighbors - Assuming you have CDP enabled, this command gives you a report of all Cisco devices directly connected to the current device. CDP stands for Cisco Discovery Protocol, which can be an invaluable tool. Keep in mind that CDP announces the device's name, platform, IOS version and addresses to whatever sits at the other end of the link, so turn it off on interfaces that face untrusted networks (no cdp enable on the interface, or no cdp run to disable it globally).
show cdp neighbors detail - This command gives even more information about CDP neighbors, including their addresses and software version.
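Putting the two access-list tips together with the show access-lists hit counters that verify them, here is an added example; it is not the page's own configuration. It assumes the router's outside interface is Ethernet1, that the provider's resolvers are the 172.16.1.1 and 172.30.1.1 of the DNS example above, and that the TCP entries your own list carries are represented by a single established line. It tightens the ICMP entries to what a network needs to receive rather than everything the page's list permits, and ends with an explicit logged deny so that dropped traffic is visible.

```cisco
! Added example: an inbound filter for a home router's outside interface.
! Assumptions (not from the page): outside interface Ethernet1; provider
! resolvers 172.16.1.1 and 172.30.1.1; the LAN's own TCP entries are
! represented by the "established" line.
!
! ICMP the LAN needs to receive. Inbound echo (pings from the Internet to
! your hosts) is deliberately left out; the LAN can still ping out because
! the echo-reply line admits the answers.
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any source-quench
access-list 110 deny   icmp any any
!
! DNS replies from the two resolvers (source port 53) to the unprivileged
! ports the hosts query from. The destination stays "any" because, if the
! router does NAT, the inbound list sees the translated outside address,
! not the LAN address; with no NAT, replace "any" with the LAN range.
access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023
!
! Return traffic for TCP sessions opened from inside. "established" only
! checks for the ACK or RST bit, so it is not a stateful firewall, but it
! refuses new connections aimed at the LAN.
access-list 110 permit tcp any any established
!
! Make the implicit deny explicit and log it. The implicit deny has no
! counter, so without this line "show access-lists" cannot show you what
! the list is dropping.
access-list 110 deny   ip any any log
!
interface Ethernet1
 description Outside (DSL) interface
 ip access-group 110 in
```

Once the list is applied, show access-lists 110 prints a (N matches) counter after each line that has matched anything. A line that still shows no matches after a day of normal use is a candidate for removal; a climbing count on the final deny, together with the logged entries, tells you what is being dropped, and whether you have blocked something you needed, as the missing ICMP entries did. If your DSL connection terminates on a Dialer interface rather than an Ethernet interface, apply the list there instead.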
Learn the command-line editing keys.
When spending time on a Cisco IOS device, it is good to know some of the hot keys. People are always surprised (so it seems) that these editing keys even exist. If you are familiar with Unix, these commands will also look familiar. (The Bash shell, for example, uses a very similar list of keys.)
The entire list is included in Cisco IOS in a Nutshell. But here are a few to get you started:
Control-A   Goes to the beginning of the line
Control-E   Goes to the end of the line
Control-K   Deletes everything to the right of the cursor
Control-P   Recalls the previous command in the history buffer
Control-N   Recalls the next command in the history buffer
A common frame-relay misunderstanding.
The encapsulation type on the physical interface must be set to frame-relay before any sub-interfaces can be created. The default encapsulation on a Cisco serial interface is HDLC (High-level Data Link Control), so the sub-interface commands are rejected until you change it.
So, before starting to create our frame-relay sub-interfaces, we need to first set the encapsulation type to frame-relay on the physical interface:
interface serial0
 encapsulation frame-relay
Now we can create our sub-interfaces:
interface serial0.1 point-to-point
 description This is our first sub interface for serial0
Setting the bandwidth on serial links.
Setting the bandwidth on a serial interface does not change the actual link speed; that is set by the clocking on the line. Rather, it provides the value that some routing protocols (IGRP, EIGRP and OSPF, for example) use when calculating routing metrics. The bandwidth command takes its argument in kilobits per second, and the default on a serial interface is 1544, the speed of a T1 link.
So if you aren't using a T1, setting the bandwidth on your serial links to the real link speed is always a good (and sometimes forgotten) idea. Otherwise the router computes its metrics as though your 56k link were a T1.
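As an added example that is not the page's own configuration, here are the frame-relay sub-interface tip and the bandwidth tip together on one access line. It assumes two point-to-point PVCs whose DLCIs (102 and 103) and CIRs (56k and 128k) were assigned by the provider, and /30 addressing out of 10.1.1.0. The frame-relay interface-dlci line is what binds each sub-interface to its PVC; the page's sub-interface snippet stops before that step.

```cisco
! Added example, not the page's own configuration. Assumptions: two PVCs on
! Serial0 with DLCIs 102 and 103 (assigned by the provider), CIRs of 56 kbps
! and 128 kbps, and /30 addressing from 10.1.1.0.
!
! The physical interface carries only the encapsulation; addressing and
! bandwidth live on the sub-interfaces.
interface Serial0
 description Frame Relay access line
 no ip address
 encapsulation frame-relay
 no shutdown
!
! One point-to-point sub-interface per PVC. bandwidth is in kilobits and
! should match the CIR so routing metrics reflect the real circuit.
interface Serial0.102 point-to-point
 description PVC to site B (DLCI 102, 56k CIR)
 ip address 10.1.1.1 255.255.255.252
 bandwidth 56
 frame-relay interface-dlci 102
!
interface Serial0.103 point-to-point
 description PVC to site C (DLCI 103, 128k CIR)
 ip address 10.1.1.5 255.255.255.252
 bandwidth 128
 frame-relay interface-dlci 103
```

show interfaces serial0.102 reports the configured figure as BW 56 Kbit (left at the default it would read BW 1544 Kbit), which is the number a routing protocol on that sub-interface will use; show frame-relay pvc confirms that each DLCI is ACTIVE.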
interface serial0
 description This is a 56k link
 bandwidth 56
That's it for now. I hope these tips will help you avoid some of the common pitfalls of dealing with Cisco IOS devices.
James Boney is a consultant specializing in a wide variety of subjects, including network design, network management, Unix administration, and programming.
O'Reilly & Associates recently released (December 2001) Cisco IOS in a Nutshell.