Top Ten Cisco IOS Tips

  1. Two common access-list pitfalls.

    The first common access-list problem I have seen is not allowing some ICMP (Internet Control Message Protocol) traffic through a gateway firewall.

    For example, you have just configured an access-list on the DSL link of your home router. All of a sudden, when you send large transmissions such as a big email attachment, your connections time out or close unexpectedly. Unsure what is wrong, you take the access-list off and the problem goes away. When you put the access-list back on, the problem reappears. You ask yourself what happened as you review the access-list. Well, the problem is as simple as not permitting ICMP through your list.

    As I say in Cisco IOS in a Nutshell, people often think of ICMP as the hacker's tool. In reality, it plays a very important role. The problem I just described sounds like an MTU (Maximum Transmission Unit) or source-quench problem, which means the ICMP messages that signal those conditions aren't getting through the access-list. Either way, add the following commands to your access-list and your problems might go away:

    
        ! allow pings into the network
        access-list 110 permit icmp any any echo
        ! allow ping responses
        access-list 110 permit icmp any any echo-reply
        ! allow ICMP source-quench 
        access-list 110 permit icmp any any source-quench
        ! allow path MTU discovery
        access-list 110 permit icmp any any packet-too-big
        ! allow time-exceeded, which is useful for traceroute
        access-list 110 permit icmp any any time-exceeded
        ! deny all other ICMP packets
        access-list 110 deny icmp any any
    

    A second common access-list pitfall is forgetting to allow DNS (Domain Name System) traffic from the internal network to the provider's DNS servers. This is mainly a problem on home or small-office routers, where you might not have an internal DNS server running.

    The following commands allow DNS access from your hosts to the outside DNS servers: applied inbound, they permit the servers' replies (from UDP port 53) back to the high ports your hosts query from. In this example, our outside DNS servers are 172.16.1.1 and 172.30.1.1.

    
        access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023
        access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023 
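
To see why the ICMP lines matter and why their order matters, here is a small first-match evaluator for the access-list syntax used in both pitfalls above. This is an added example, not code from the article or from the book; it models what the router does with `access-list 110` (lines tried top to bottom, first match decides, implicit deny at the end) and supports only the keywords used above (`icmp` with a message name, `udp` with `host`/`any` and `eq`/`gt`). The addresses, the sample packets and the three list variants are constructed for the demonstration.

```python
"""Toy first-match evaluator for the IOS extended access-list lines above.

Added example, not the article's own code. Lines are tried top to bottom,
the first match decides, and a list with no match ends in an implicit deny.
Only the syntax the article uses is supported (icmp with an optional message
name, udp with host/any and eq/gt port operators).
"""
from dataclasses import dataclass

# ICMP message keywords used in the article, as (type, code); None = any code.
ICMP_NAMES = {
    "echo": (8, 0),
    "echo-reply": (0, 0),
    "source-quench": (4, 0),
    "packet-too-big": (3, 4),    # unreachable / fragmentation needed (PMTUD)
    "time-exceeded": (11, None),
}


@dataclass
class Packet:
    proto: str              # "icmp" or "udp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp: tuple = (0, 0)    # (type, code), only meaningful for proto == "icmp"


def _addr_match(t, i, addr):
    """Consume 'any' or 'host A.B.C.D' at t[i]; return (matched, next index)."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return t[i + 1] == addr, i + 2
    raise ValueError("unsupported address spec: " + t[i])


def _port_match(t, i, port):
    """Consume an optional 'eq N' / 'gt N' operator at t[i] ('domain' = 53)."""
    if i < len(t) and t[i] in ("eq", "gt"):
        val = 53 if t[i + 1] == "domain" else int(t[i + 1])
        return (port == val if t[i] == "eq" else port > val), i + 2
    return True, i


def rule_matches(rule, pkt):
    """True if 'access-list N permit|deny proto src [port] dst [port] [icmp-name]' matches pkt."""
    t = rule.split()
    if t[0] != "access-list" or t[3] != pkt.proto:
        return False
    ok, i = _addr_match(t, 4, pkt.src)
    if ok and pkt.proto == "udp":
        ok, i = _port_match(t, i, pkt.sport)
    if ok:
        ok, i = _addr_match(t, i, pkt.dst)
    if not ok:
        return False
    if pkt.proto == "udp":
        return _port_match(t, i, pkt.dport)[0]
    if i < len(t):                      # ICMP message name present
        want_type, want_code = ICMP_NAMES[t[i]]
        return want_type == pkt.icmp[0] and want_code in (None, pkt.icmp[1])
    return True


def evaluate(acl, pkt):
    """'permit' or 'deny' for pkt: first matching line wins, implicit deny at the end."""
    for rule in acl:
        line = rule.split("!")[0].strip()   # drop IOS '!' comments
        if line and rule_matches(line, pkt):
            return line.split()[2]
    return "deny"


def pmtud_black_hole(acl):
    """The article's pitfall: does this list drop 'fragmentation needed' from anywhere?"""
    return evaluate(acl, Packet("icmp", "198.51.100.1", "192.0.2.10", icmp=(3, 4))) == "deny"


# Constructed lists for an inbound ACL on the outside interface, as in the article.
DNS_LINES = [
    "access-list 110 permit udp host 172.16.1.1 eq domain any gt 1023",
    "access-list 110 permit udp host 172.30.1.1 eq domain any gt 1023",
]
ICMP_LINES = [
    "access-list 110 permit icmp any any echo",
    "access-list 110 permit icmp any any echo-reply",
    "access-list 110 permit icmp any any source-quench",
    "access-list 110 permit icmp any any packet-too-big",
    "access-list 110 permit icmp any any time-exceeded",
    "access-list 110 deny icmp any any",
]
ACL_NO_ICMP = DNS_LINES                   # the 'connections time out' list
ACL_FIXED = ICMP_LINES + DNS_LINES        # with the article's ICMP lines added
ACL_MISORDERED = [ICMP_LINES[-1]] + ICMP_LINES[:-1] + DNS_LINES   # deny placed before the permits

# Constructed sample packets arriving from outside (192.0.2.10 is the inside host).
DNS_REPLY = Packet("udp", "172.16.1.1", "192.0.2.10", sport=53, dport=40000)
ROGUE_DNS_REPLY = Packet("udp", "203.0.113.9", "192.0.2.10", sport=53, dport=40000)
ICMP_REDIRECT = Packet("icmp", "198.51.100.1", "192.0.2.10", icmp=(5, 1))

if __name__ == "__main__":
    for name, acl in ("no ICMP", ACL_NO_ICMP), ("fixed", ACL_FIXED), ("misordered", ACL_MISORDERED):
        print(f"{name:10s} PMTUD black hole: {pmtud_black_hole(acl)}")
```

Running it shows the list without ICMP lines dropping the "fragmentation needed" message (the timeouts from the story), the fixed list passing it while still dropping other ICMP such as redirects, and the misordered list dropping it again because the `deny icmp any any` line shadows every permit placed after it. The DNS lines behave the same way: a reply from a listed server to a high port is permitted, a reply from an unlisted server is not.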
    
  2. Useful show commands.

    Configuration of a router is only half the battle. Without a good toolbox of show commands, configuring your router properly will be very difficult. Throughout the tutorial section of my book, I tried to include the appropriate show commands for each topic.

    But here are some of the most useful show commands that you should have at a minimum. Of course, the bias here is towards IP.

    show ip arp
    Displays the entire ARP (Address Resolution Protocol) table, which maps MAC addresses to IP addresses.

    show version
    This command gives a good amount of information: the IOS version you are running, the available interfaces, the system uptime, the reason for the last reload, and the configuration register setting.

    show ip protocols
    Displays information about the currently running routing protocols.

    show ip route
    The old standby, which displays the entire IP route table.

    show ip route summary
    Gives a very useful summary of the IP route table.

    show ip interface
    Gives a summary of each interface from the IP level.

    show ip interface brief
    A very brief summary of each interface.

    show ip traffic
    An extensive summary of IP traffic statistics on the router.

    show access-list
    This useful command not only shows all the currently configured access-lists, but also the number of hits each line has received. You can use this information to troubleshoot your access-lists.

    show cdp neighbors
    Assuming you have CDP (Cisco Discovery Protocol) enabled, this command reports all Cisco devices the current device is directly connected to. CDP can be an invaluable tool.

    show cdp neighbors detail
    This command gives even more information about CDP neighbors.
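
The hit counts from `show access-list` are easiest to use when pulled out of the raw output, so here is a small parser for that output. This is an added example, not code from the article; the sample output is constructed and follows the usual layout of an "Extended IP access list" listing (optional sequence number, `permit`/`deny`, the rule, and an optional `(N matches)` suffix), which varies a little between IOS releases, so check the regular expression against your own router's output before relying on it.

```python
"""Parse 'show access-lists' output and summarize per-line hit counts.

Added example, not from the article. SAMPLE_OUTPUT is constructed; the exact
layout differs between IOS releases (older ones print no sequence numbers),
so both forms are accepted.
"""
import re
from collections import defaultdict

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# optional sequence number, action, rule text, optional "(N match|matches)"
ENTRY = re.compile(
    r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$"
)

SAMPLE_OUTPUT = """\
Extended IP access list 110
    10 permit icmp any any echo (45 matches)
    20 permit icmp any any echo-reply (45 matches)
    30 permit icmp any any source-quench
    40 permit icmp any any packet-too-big (3 matches)
    50 permit icmp any any time-exceeded
    60 deny icmp any any (1203 matches)
    70 permit udp host 172.16.1.1 eq domain any gt 1023 (2210 matches)
    80 permit udp host 172.30.1.1 eq domain any gt 1023
Standard IP access list 10
    permit 192.168.1.0, wildcard bits 0.0.0.255 (88 matches)
"""


def parse_show_access_lists(text):
    """Return {acl_name: [{"seq", "action", "rule", "matches"}, ...]}."""
    lists = defaultdict(list)
    current = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, rule, matches = e.groups()
            lists[current].append({
                "seq": int(seq) if seq else None,
                "action": action,
                "rule": rule,
                "matches": int(matches) if matches else 0,
            })
    return dict(lists)


def unused_entries(parsed, name):
    """Rules with zero hits: never reached, shadowed by an earlier line, or simply quiet."""
    return [e["rule"] for e in parsed[name] if e["matches"] == 0]


def busiest_denies(parsed, name, top=3):
    """Deny entries sorted by hit count, i.e. where this list is dropping the most traffic."""
    denies = [e for e in parsed[name] if e["action"] == "deny"]
    return sorted(denies, key=lambda e: e["matches"], reverse=True)[:top]


if __name__ == "__main__":
    parsed = parse_show_access_lists(SAMPLE_OUTPUT)
    for name in parsed:
        print(f"access-list {name}: {len(parsed[name])} entries")
        for rule in unused_entries(parsed, name):
            print(f"  no hits yet: {rule}")
        for e in busiest_denies(parsed, name):
            print(f"  deny {e['rule']}: {e['matches']} matches")
```

In the constructed sample the three quiet lines are exactly the ones you would expect to be idle on a healthy link, while the large count on `deny icmp any any` is the kind of number that tells you which ICMP types are actually arriving and is worth a closer look before you tighten or loosen the list.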
  3. Learn the command-line editing keys.

    When spending time on a Cisco IOS device, it is good to know some of the hot keys. People are always surprised (so it seems) that these editing keys even exist. If you are familiar with Unix, they will look familiar too (the Bash shell, for example, uses a very similar set of keys).

    The entire list is included in Cisco IOS in a Nutshell. But here are a few to get you started:

    
    Control A      Goes to the beginning of the line
    Control E      Goes to the end of the line
    Control K      Deletes everything to the right of the cursor
    Control P      Recalls the previous command in the history buffer
    Control N      Recalls the next command in the history buffer
    
  4. A common frame-relay misunderstanding.

    The encapsulation type on the physical interface must be set to frame-relay before any sub-interfaces can be created. The default encapsulation type is usually HDLC (High-level Data Link Control).

    So, before starting to create our frame-relay sub-interfaces, we need to first set the encapsulation type to frame-relay on the physical interface:

    
        interface serial0
            encapsulation frame-relay
    

    Now we can create our sub-interfaces:

    
        interface serial0.1 point-to-point
            description This is our first sub-interface for serial0
    
  5. Setting the bandwidth on serial links.

    Setting the bandwidth on a serial interface does not change the actual link speed. Rather, it provides the value that some routing protocols use when calculating routing metrics. The default bandwidth is 1.544 Mbps, which is the speed of a T1 link.

    So if the link isn't a T1, setting the bandwidth on serial links is always a good (and sometimes forgotten) idea:

    
        interface serial0
            description This is a 56k link
            bandwidth 56
    

    That's it for now. I hope these tips will help you avoid some of the common pitfalls of dealing with Cisco IOS devices.

James Boney is a consultant specializing in a wide variety of subjects, including network design, network management, Unix administration, and programming.


O'Reilly & Associates recently released (December 2001) Cisco IOS in a Nutshell.
