Cisco random pastebin :)

See open ports

 R1# show control-plane host open-ports
 Active internet connections (servers and established)
 Prot   Local Address  Foreign Address          Service    State
  tcp            *:23              *:0           Telnet   LISTEN
  tcp            *:80              *:0        HTTP CORE   LISTEN
  tcp           *:179              *:0              BGP   LISTEN
  tcp           *:179   10.0.7.2:43962              BGP ESTABLIS
  tcp            *:23   10.0.7.2:18036           Telnet ESTABLIS
  udp            *:67              *:0    DHCPD Receive   LISTEN
  udp            *:68              *:0     BootP client   LISTEN
  udp           *:123              *:0              NTP   LISTEN
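An added example, not part of the original notes: a small Python parser for the show control-plane host open-ports output above that flags the listeners which carry management traffic in the clear (Telnet on tcp/23, HTTP on tcp/80) and any peer already connected to them. The sample text is the output shown above, embedded as constructed input.

```python
import re

# Constructed sample: the "show control-plane host open-ports" output from this page.
SAMPLE = """\
Active internet connections (servers and established)
Prot   Local Address  Foreign Address          Service    State
 tcp            *:23              *:0           Telnet   LISTEN
 tcp            *:80              *:0        HTTP CORE   LISTEN
 tcp           *:179              *:0              BGP   LISTEN
 tcp           *:179   10.0.7.2:43962              BGP ESTABLIS
 tcp            *:23   10.0.7.2:18036           Telnet ESTABLIS
 udp            *:67              *:0    DHCPD Receive   LISTEN
 udp            *:68              *:0     BootP client   LISTEN
 udp           *:123              *:0              NTP   LISTEN
"""

# Management services whose credentials and sessions cross the wire in clear text.
CLEARTEXT_MGMT = {("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}

# One socket line: proto, local addr:port, foreign addr:port, service name, state.
LINE_RE = re.compile(
    r"^\s*(?P<prot>tcp|udp)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<svc>.+?)\s+(?P<state>LISTEN|ESTABLIS\w*)\s*$"
)

def parse_open_ports(text):
    """Return one dict per socket line; the banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"proto": m["prot"], "lport": int(m["lport"]),
                         "foreign": f"{m['faddr']}:{m['fport']}",
                         "service": m["svc"].strip(), "state": m["state"]})
    return rows

def cleartext_listeners(rows):
    """Flag plaintext management listeners and any peer already connected to them."""
    findings = []
    for r in rows:
        name = CLEARTEXT_MGMT.get((r["proto"], r["lport"]))
        if name is None:
            continue
        if r["state"] == "LISTEN":
            findings.append(f"{name} listening on {r['proto']}/{r['lport']}")
        else:
            findings.append(f"{name} session from {r['foreign']}")
    return findings
```

On the sample this reports the Telnet and HTTP listeners plus the established Telnet session from 10.0.7.2; on the device side the usual fix is transport input ssh on the vty lines and ip http secure-server in place of the plain HTTP server.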

Policy/QoS

 policy-map 3GbE
  class class-default
   police cir 3000000000 bc 562500000 conform-action transmit exceed-action drop violate-action drop

Why are you receiving significantly more than 5Mbps inbound on interface f0/0 from the device with the MAC address of 1111.2222.3333?
Answer: Rate-limit command is wrong. Should use 'access-group rate-limit 100' to reference rate-limit access-list 100, not 'access-group 100'.

 interface FastEthernet0/0
 rate-limit input access-group rate-limit 100 5000000 2500 2500 conform-action transmit exceed-action drop
 !
 access-list rate-limit 100 1111.2222.3333
 r1(config-if)#do sh int fa0/0 rate-limit
 FastEthernet0/0
 Input
 **matches: access-group rate-limit 100**
 params:  5000000 bps, 2500 limit, 2500 extended limit
 conformed 0 packets, 0 bytes; action: transmit
 exceeded 0 packets, 0 bytes; action: drop
 last packet: 2557168ms ago, current burst: 0 bytes
 last cleared 00:01:43 ago, conformed 0 bps, exceeded 0 bps

Alias

To display the IP addresses assigned to the router's interfaces (leaving out interfaces with no IP address), use the show ip interface brief | exclude unassigned command.

Here is a sample printout:

C1#show ip int brief | excl unassigned  
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            172.16.0.1      YES NVRAM  up                    up      
Serial1/0                  10.0.7.17       YES NVRAM  up                    up      
Loopback0                  10.0.1.1        YES NVRAM  up                    up      
Tunnel0                    192.168.0.1     YES manual up                    up      

You could define an alias to create a new IOS command generating this printout, for example, alias exec ipconfig show ip interface brief | exclude unassigned.

List of useful aliases

alias exec ifconfig show ip interface brief | exclude unassigned
alias exec sofn show ip ospf neighbor
alias exec proc show processes cpu | exclude 0.00%__0.00%__0.00%

and some more

alias exec siib sh ip int brief
alias exec srint sh run int
alias exec srb sh run | begin
alias exec srs sh run | sec
alias exec sri sh run | incl
alias exec sia sh ip access-list
alias configure ping do ping
alias configure sh do sh
alias configure siib do siib
alias configure srint do srint
alias configure srb do srb
alias configure sri do sri
alias configure sia do sia

alias interface ping do ping
alias interface sh do sh
alias interface siib do siib
alias interface srint do srint
alias interface srb do srb
alias interface sri do sri
alias interface sia do sia

alias subinterface ping do ping
alias subinterface sh do sh
alias subinterface siib do siib
alias subinterface srint do srint
alias subinterface srb do srb
alias subinterface sri do sri
alias subinterface sia do sia

alias exec s show run
alias exec c config t
alias exec srs show run | section
alias exec srb show run | begin
alias exec si show run interface
alias exec sri show run | include
alias exec siib show ip interface brief | exclude admin
alias exec sib show ip bgp
alias exec sir show ip route
alias exec sirp show ip route vrf PURPLE
alias exec sibp show ip bgp vpnv4 vrf PURPLE
alias exec pp ping vrf PURPLE
alias exec zp show policy-map type inspect zone-pair
alias exec sci show crypto ipsec
alias exec sck show crypto isakmp
alias exec cci clear crypto sa
alias exec cck clear crypto isakmp
alias exec sio show ip ospf
alias exec sie show ip eigrp

A basic script for handling ACLs of your Cisco Catalyst

A handy script (taken from this site) to keep the ACLs of our Cisco Catalyst 3560 in separate files, so as to be able to edit them without connecting to the device, and finally to update them on the switch with a Perl script like this:

cisco-acl.pl:

#!/usr/bin/perl -w
# Note: in Debian/Ubuntu you need the libnet-telnet-perl package
# to be installed on your system.
use strict;
use Net::Telnet;
use File::Basename;

# Credentials are stored here in clear text and Telnet sends them in clear
# text as well, so keep this file readable by its owner only.
my $host     = '1.1.1.1';
my $hostname = 'Switch';
my $username = 'ciscouser';
my $passwd   = 'ciscopasswd';
my $enable   = 'enablesecret';
my $logfile  = '/tmp/acl-update.log';

sub Usage {
    print "Usage:    " . basename($0) . " <acl-name>\n";
    exit 1;
}

if (scalar @ARGV != 1) {
    print "Wrong number of arguments!\n";
    Usage();
}

# The ACL file lives next to the script and is named after the ACL itself.
my $aclname  = $ARGV[0];
my $filepath = dirname($0) . "/" . $aclname;

if (! -e $filepath) {
    print "File " . $filepath . " does not exist\n";
    Usage();
}

# One ACL entry per line, exactly as typed in "ip access-list extended" mode.
open(my $acl, '<', $filepath) or die("Could not open file $aclname!");
my @file = <$acl>;
close($acl);

# The prompt pattern and the log file name must be built from the variables;
# in the single-quoted form Net::Telnet would wait for a prompt containing the
# literal text '$hostname' and time out.
my $session = Net::Telnet->new(Timeout  => 5,
                               Prompt   => '/' . $hostname . '(\(config.*\))?[#>] *$/',
                               Dump_Log => $logfile);
$session->open($host);
$session->login($username, $passwd);

# Enter enable mode: send "en", wait for the password prompt, then the secret.
$session->print("en");
$session->waitfor('/Password: ?$/i');
$session->cmd($enable);

$session->cmd("conf t");
# Deleting and re-creating the ACL leaves a short window in which an
# interface that references it has no filter at all: IOS permits every
# packet when the ACL named in an access-group does not exist.
$session->cmd("no ip access-list extended $aclname");
$session->cmd("ip access-list extended $aclname");
foreach my $line (@file) {
    chomp($line);
    next if $line =~ /^\s*(!.*)?$/;   # skip blank lines and IOS comments
    $session->cmd($line);
}
$session->cmd("exit");   # leave ACL configuration mode
$session->cmd("exit");   # leave global configuration mode
my @output = $session->cmd("sh access-list $aclname");
print @output;
$session->close();

Cisco IPIP Tunnels

Linux (192.168.2.1):

 /sbin/ip tunnel add tunl1 mode ipip remote 192.168.1.1
 /sbin/ifconfig tunl1 192.168.3.2 pointopoint 192.168.3.1 netmask 255.255.255.252 mtu 1500

Cisco (192.168.1.1):

 interface Tunnel0
 ip address 192.168.3.1 255.255.255.252
 ip mtu 1500
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode ipip

GRE tunnel (Cisco & Juniper)

 Juniper(M20) ----------------GRE tunnel-----------------------Cisco(7206)

Juniper Configuration

> show configuration interfaces gr-0/1/0
unit 0 {
    tunnel {
        source 219.93.2.1;
        destination 219.93.2.2;
        key 123456; ## problem
    }
    family inet {
        mtu 1514;
        address 192.168.1.1/30;
    }
}

Cisco Configuration

interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip mtu 1514
 tunnel source 219.93.2.2
 tunnel destination 219.93.2.1
 tunnel key 123456 # problem

Is there a way to block VTP from coming in a port

You can also use "switchport nonegotiate" to turn DTP off, if you're getting vtp mismatch messages (different vtp domains on each side).

DHCP Configuration for Cisco VOIP Phones

....
authoritative;
ddns-update-style none;
option voip-tftp-server code 150 = ip-address;
option voip-tftp-server 192.168.134.192;

This should likely work for you as well, just make sure you replace the IP for "voip-tftp-server" with the address of your core phone server. Hopefully the next time someone hits Google looking for "option code 150 cisco phone" the clear answer isn't so hard to find.

Slow ADSL with 12.4 IOS version?!

Ciscozine(config-if)#clock rate aal5 ?
        1000000
        1300000
        1600000
        2000000
        2600000 (default)
        3200000
        4000000
        5300000
        7000000

  <1000000-7000000>  clock rates in bits per second,
                     choose one from above


If you don't set the clock rate on the ATM interface, IOS defaults this parameter to 2600000. To force it, use the command 'clock rate aal5 <rate>'; in my case I use the command 'clock rate aal5 7000000'.

The download speed test in the original post shows the bandwidth improvement. More info on http://www.ciscozine.com/2009/11/05/slow-adsl-with-12-4-ios-version/

1:1 NAT (not Cisco NAT) example

! WAN interface
interface FastEthernet0/0.457
 encapsulation dot1Q 457
 ip address 10.66.175.21 255.255.240.0
 ip nat outside
 ! PPPoE ip tcp adjust-mss 1412
!
! LAN interface
interface FastEthernet0/1
 ip address 192.168.156.1 255.255.255.0
 ip nat inside
!
! Redirect 0.0.0.0 --> 10.66.175.21 --> 192.168.156.2
ip nat inside source static 192.168.156.2 10.66.175.21

With the rule ip nat inside source static 192.168.156.2 10.66.175.21 both DNAT and SNAT are done (port forwarding as well as source NAT). If things are not working as they should, you might have broken IOS firmware on the Cisco router!

Cisco NAT

ip nat pool NAT 10.252.162.2 10.252.162.2 netmask 255.255.255.252
ip nat inside source list 10 pool NAT overload
!
access-list 10 permit 10.52.4.0 0.0.0.255

NAT Based Upon Source Address

See original source: http://evilrouters.net/2010/04/21/nat-based-upon-source-address/

Foobar

interface FastEthernet0/5
description IP PHONE x1014 & HOST 10.1.20.5
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport voice vlan 101
switchport port-security
switchport port-security maximum 3
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
mls qos trust device cisco-phone
mls qos trust dscp
dot1x port-control auto
dot1x guest-vlan 999
dot1x reauthentication
mac access-group mac-device-list in
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root
!
interface FastEthernet0/6
description *** UNUSED Port ***
switchport access vlan 999
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan none
switchport mode access
switchport nonegotiate
switchport block multicast
switchport block unicast
switchport port-security
switchport port-security aging time 10
switchport port-security aging type inactivity
no ip address
ip access-group ip-device-list in
shutdown
mls qos cos override
storm-control broadcast level 0.00
storm-control multicast level 0.00
storm-control unicast level 0.00
dot1x port-control force-unauthorized
dot1x guest-vlan 999
dot1x host-mode multi-host
mac access-group mac-device-list in
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
spanning-tree guard root 
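An added example, not part of the original notes: a Python audit that splits a running-config into interface blocks and reports active ports that drift from the port template above. It also flags the combination the template itself carries, interface-level bpdufilter together with bpduguard, since the filter drops incoming BPDUs before the guard can react to them. The config it runs on is a constructed sample in the style of the template.

```python
# Constructed sample config in the style of the port template above: Fa0/5
# follows it, Fa0/7 has drifted, Fa0/6 is an unused (shut) port.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/6
 shutdown
!
"""

# Lines every active access port is expected to carry (taken from the template).
REQUIRED = ("switchport mode access", "switchport nonegotiate",
            "switchport port-security", "spanning-tree bpduguard enable")

def parse_interfaces(config):
    """Map interface name -> list of its configuration lines ("!" ends a block)."""
    blocks, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            cur = None
        elif cur is not None and line:
            cur.append(line)
    return blocks

def audit_ports(config):
    """Return {interface: [findings]} for active ports that deviate from the template."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue   # unused ports are shut down; nothing to check there
        issues = [f"missing: {req}" for req in REQUIRED if req not in lines]
        if {"spanning-tree bpdufilter enable",
            "spanning-tree bpduguard enable"} <= set(lines):
            issues.append("bpdufilter on the port drops BPDUs before bpduguard can act")
        if issues:
            report[name] = issues
    return report
```

The bpdufilter check is about the interface-level command; the global spanning-tree portfast bpdufilter default behaves differently, since a BPDU received on such a port takes it out of portfast and lets bpduguard act.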

bba-group pppoe vpn1
 virtual-template 1
 sessions per-vc limit 1      (1 = max number of vpdn sessions per VC)
 sessions per-mac limit 1     (1 = max number of vpdn sessions per MAC address)
 sessions per-mac throttle ...