Cisco random pastebin :)
See open ports
R1# show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address   Foreign Address   Service          State
tcp   *:23            *:0               Telnet           LISTEN
tcp   *:80            *:0               HTTP CORE        LISTEN
tcp   *:179           *:0               BGP              LISTEN
tcp   *:179           10.0.7.2:43962    BGP              ESTABLIS
tcp   *:23            10.0.7.2:18036    Telnet           ESTABLIS
udp   *:67            *:0               DHCPD Receive    LISTEN
udp   *:68            *:0               BootP client     LISTEN
udp   *:123           *:0               NTP              LISTEN
Notes:
- This show command does not display non-TCP/UDP servers (OSPF, EIGRP, RSVP) or even some UDP-based services (RIP).
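The listing above is exactly what you want to triage after a build or on an unknown box: which control-plane services listen, which of them are cleartext management protocols, and who is currently connected. The following is an added example (not from the original page) that parses that output into records, flags Telnet and HTTP listeners, lists established sessions and emits the IOS commands to close the cleartext listeners. The set of "cleartext" service names and the VTY range 0-4 are assumptions, as is the sample text, which is a constructed copy of the output shown above.

```python
"""Triage 'show control-plane host open-ports' output.

Added example, not from the original page. Assumptions: the service
names in CLEARTEXT_SERVICES and the VTY range 0-4 used in remediation().
"""
import re
from typing import List, NamedTuple


class OpenPort(NamedTuple):
    proto: str
    local: str
    foreign: str
    service: str
    state: str


# Listeners that carry credentials or config in the clear (assumed policy).
CLEARTEXT_SERVICES = {"Telnet", "HTTP CORE"}

# Columns: Prot  Local Address  Foreign Address  Service  State
# The service name may contain spaces ("HTTP CORE", "DHCPD Receive"),
# so it is matched lazily up to the state column.
LINE_RE = re.compile(
    r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(.+?)\s+(LISTEN|ESTABLIS\S*)\s*$"
)


def parse_open_ports(text: str) -> List[OpenPort]:
    """Prompt, header and blank lines do not match and are skipped."""
    return [OpenPort(*m.groups())
            for m in (LINE_RE.match(ln.strip()) for ln in text.splitlines())
            if m]


def cleartext_listeners(ports):
    """Listening sockets for protocols that expose credentials in the clear."""
    return [p for p in ports
            if p.state == "LISTEN" and p.service in CLEARTEXT_SERVICES]


def remote_sessions(ports):
    """(service, peer) for every established connection into the router."""
    return [(p.service, p.foreign) for p in ports
            if p.state.startswith("ESTABLIS")]


def remediation(ports):
    """IOS commands that close the cleartext listeners found.
    Assumes the device has VTY lines 0-4."""
    found = {p.service for p in cleartext_listeners(ports)}
    cmds = []
    if "Telnet" in found:
        cmds += ["line vty 0 4", " transport input ssh"]
    if "HTTP CORE" in found:
        cmds += ["no ip http server"]
    return cmds


# Constructed sample: a copy of the listing shown on the page.
SAMPLE = """\
R1# show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address   Foreign Address   Service          State
tcp   *:23            *:0               Telnet           LISTEN
tcp   *:80            *:0               HTTP CORE        LISTEN
tcp   *:179           *:0               BGP              LISTEN
tcp   *:179           10.0.7.2:43962    BGP              ESTABLIS
tcp   *:23            10.0.7.2:18036    Telnet           ESTABLIS
udp   *:67            *:0               DHCPD Receive    LISTEN
udp   *:68            *:0               BootP client     LISTEN
udp   *:123           *:0               NTP              LISTEN
"""

if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE)
    for p in cleartext_listeners(ports):
        print(f"cleartext listener: {p.proto}/{p.local} ({p.service})")
    for svc, peer in remote_sessions(ports):
        print(f"active session: {svc} from {peer}")
    print("\n".join(remediation(ports)))
```

On the sample this reports the Telnet and HTTP listeners, shows that 10.0.7.2 has a live Telnet session (so switch that peer to SSH before applying transport input ssh, or you cut your own session), and ignores the BGP listener, which is expected on a router. Remember the note above: OSPF, EIGRP, RSVP and RIP never appear in this output, so this is a check on management exposure, not a full control-plane inventory.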
Policy/QoS
policy-map 3GbE
 class class-default
  police cir 3000000000 bc 562500000 conform-action transmit exceed-action drop violate-action drop
Why are you receiving significantly more than 5Mbps inbound on interface f0/0 from the device with the MAC address of 1111.2222.3333?
Answer: The rate-limit command is wrong. It should use 'access-group rate-limit 100' to reference rate-limit access-list 100 (the MAC-address list), not 'access-group 100', which refers to IP access-list 100.
interface FastEthernet0/0
 rate-limit input access-group rate-limit 100 5000000 2500 2500 conform-action transmit exceed-action drop
!
access-list rate-limit 100 1111.2222.3333
r1(config-if)#do sh int fa0/0 rate-limit
FastEthernet0/0
  Input
    matches: access-group rate-limit 100
      params:  5000000 bps, 2500 limit, 2500 extended limit
      conformed 0 packets, 0 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 2557168ms ago, current burst: 0 bytes
      last cleared 00:01:43 ago, conformed 0 bps, exceeded 0 bps
Alias
To display the IP addresses assigned to the router's interfaces (excluding interfaces with no IP address), use the command show ip interface brief | exclude unassigned.
Here is a sample printout:
C1#show ip int brief | excl unassigned
Interface        IP-Address    OK? Method Status  Protocol
FastEthernet0/0  172.16.0.1    YES NVRAM  up      up
Serial1/0        10.0.7.17     YES NVRAM  up      up
Loopback0        10.0.1.1      YES NVRAM  up      up
Tunnel0          192.168.0.1   YES manual up      up
You could define an alias to create a new IOS command generating this printout, for example:
alias exec ipconfig show ip interface brief | exclude unassigned
List of useful aliases
alias exec ifconfig show ip interface brief | exclude unassigned
alias exec sofn show ip ospf neighbor
alias exec proc show processes cpu | exclude 0.00%__0.00%__0.00%
and some more
alias exec siib sh ip int brief
alias exec srint sh run int
alias exec srb sh run | begin
alias exec srs sh run | sec
alias exec sri sh run | incl
alias exec sia sh ip access-list
alias configure ping do ping
alias configure sh do sh
alias configure siib do siib
alias configure srint do srint
alias configure srb do srb
alias configure sri do sri
alias configure sia do sia
alias interface ping do ping
alias interface sh do sh
alias interface siib do siib
alias interface srint do srint
alias interface srb do srb
alias interface sri do sri
alias interface sia do sia
alias subinterface ping do ping
alias subinterface sh do sh
alias subinterface siib do siib
alias subinterface srint do srint
alias subinterface srb do srb
alias subinterface sri do sri
alias subinterface sia do sia
alias exec s show run
alias exec c config t
alias exec srs show run | section
alias exec srb show run | begin
alias exec si show run interface
alias exec sri show run | include
alias exec siib show ip interface brief | exclude admin
alias exec sib show ip bgp
alias exec sir show ip route
alias exec sirp show ip route vrf PURPLE
alias exec sibp show ip bgp vpnv4 vrf PURPLE
alias exec pp ping vrf PURPLE
alias exec zp show policy-map type inspect zone-pair
alias exec sci show crypto ipsec
alias exec sck show crypto isakmp
alias exec cci clear crypto sa
alias exec cck clear crypto isakmp
alias exec sio show ip ospf
alias exec sie show ip eigrp
A basic script for handling ACLs of your Cisco Catalyst
A handy script (taken from this site) to keep the ACLs of our Cisco Catalyst 3560 in separate files, so that they can be edited without connecting to the device and then pushed to the switch with a Perl script like this one. Each file is named after the ACL it holds and contains one access-list entry per line:
cisco-acl.pl
#!/usr/bin/perl -w
# Note: in Debian/Ubuntu you need the libnet-telnet-perl package
# to be installed on your system.
use strict;
use Net::Telnet;
use File::Basename;

my $host     = '1.1.1.1';
my $hostname = 'Switch';
my $username = 'ciscouser';
my $passwd   = 'ciscopasswd';
my $enable   = 'enablesecret';
my $logfile  = '/tmp/acl-update.log';

sub Usage {
    print "Usage: " . basename($0) . " <acl-name>\n";
    exit 1;
}

if ( scalar @ARGV != 1 ) {
    print "Wrong number of arguments!\n";
    Usage();
}

my $aclname = $ARGV[0];
# The ACL file is named after the ACL and lives next to this script.
my $filepath = dirname($0) . "/" . $aclname;

if ( ! -e $filepath ) {
    print "File " . $filepath . " does not exist\n";
    Usage();
}

open( my $acl, '<', $filepath ) || die("Could not open file $aclname!");
my @file = <$acl>;
close($acl);

# Prompt has to be double-quoted so $hostname is interpolated; the regex
# must match both the exec prompt (Switch#) and config prompts
# (Switch(config)#, Switch(config-ext-nacl)#).
my $session = Net::Telnet->new(
    Timeout  => 5,
    Prompt   => "/$hostname(\\(config.*\\))?[#>] *\$/",
    Dump_Log => $logfile,
);
$session->open($host);
$session->login( $username, $passwd );
$session->cmd("en\n$enable");
$session->cmd("conf t");
# Drop the ACL and rebuild it from the file, one entry per line.
$session->cmd("no ip access-list extended $aclname");
$session->cmd("ip access-list extended $aclname");
foreach my $line (@file) {
    chomp($line);
    next if $line =~ /^\s*$/;    # skip blank lines
    $session->cmd($line);
}
$session->cmd("exit");
$session->cmd("exit");
my @output = $session->cmd("sh access-list $aclname");
print @output;
$session->cmd("exit");
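The script above feeds every line of the ACL file straight into config mode. That is convenient, but it means whoever can write to the ACL directory can run arbitrary configuration on the switch: a file containing "exit" followed by a "username ... privilege 15" line is executed just like a permit statement. The following is an added example (not from the original page or the script's author) of the check a practitioner would put in front of the push: it whitelists a subset of the extended-ACE grammar, refuses the whole file on the first line that is not an ACE or remark, and only then emits the command sequence the Perl script sends. The accepted grammar (ip/tcp/udp/icmp, any/host/wildcard addresses, eq/gt/lt/neq/range ports, established/log options) and the two sample files are assumptions constructed for the example.

```python
"""Validate an extended-ACL file before it is pushed to IOS.

Added example, not from the original page. The grammar below is an
assumed subset of IOS extended-ACE syntax; anything outside it is rejected.
"""
import re

# Address forms: any | host A.B.C.D | A.B.C.D WILDCARD
ADDR = (r"(?:any|host\s+\d{1,3}(?:\.\d{1,3}){3}"
        r"|\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,3}(?:\.\d{1,3}){3})")
# Optional port spec after an address (tcp/udp only, not enforced here).
PORT = r"(?:\s+(?:eq|gt|lt|neq)\s+\S+|\s+range\s+\S+\s+\S+)?"
ACE_RE = re.compile(
    rf"^(?:\d+\s+)?(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    rf"({ADDR}){PORT}\s+({ADDR}){PORT}(?:\s+(?:log-input|log|established))*\s*$"
)
REMARK_RE = re.compile(r"^(?:\d+\s+)?remark\s+\S.*$")
NAME_RE = re.compile(r"^[A-Za-z][\w.-]{0,63}$")


class AclError(ValueError):
    """Raised on the first line that is not a recognised ACL entry."""


def validate_ace(line):
    """Return the stripped entry, None for blank/comment lines, else raise."""
    s = line.strip()
    if not s or s.startswith("!"):
        return None
    if ACE_RE.match(s) or REMARK_RE.match(s):
        return s
    raise AclError(f"not an access-list entry: {line!r}")


def build_acl_commands(aclname, text):
    """Commands to rebuild ACL `aclname` from the file body `text`.
    Validates every line first so nothing is returned for a bad file."""
    if not NAME_RE.match(aclname):
        raise AclError(f"bad ACL name: {aclname!r}")
    aces = [a for a in (validate_ace(ln) for ln in text.splitlines()) if a]
    if not aces:
        raise AclError("empty ACL; refusing to push")
    cmds = ["configure terminal",
            f"no ip access-list extended {aclname}",
            f"ip access-list extended {aclname}"]
    cmds += [f" {a}" for a in aces]
    cmds += ["exit", "exit"]
    return cmds


# Constructed sample files (not from the page).
SAMPLE_ACL = """\
remark allow ssh from mgmt
permit tcp 10.0.7.0 0.0.0.255 any eq 22
permit udp host 10.0.7.2 any eq 161
deny ip any any log
"""
# Same file with an injected config command hidden after an "exit".
TAMPERED_ACL = """\
permit tcp any any eq 22
exit
username evil privilege 15 secret x
"""

if __name__ == "__main__":
    print("\n".join(build_acl_commands("MGMT-IN", SAMPLE_ACL)))
    try:
        build_acl_commands("MGMT-IN", TAMPERED_ACL)
    except AclError as e:
        print("refused:", e)
```

Two further caveats on the script's own approach. First, "no ip access-list extended NAME" on a list that is applied to an interface leaves that interface unfiltered until the list is repopulated, because IOS permits everything when a referenced ACL does not exist; building the new list under a second name and swapping the ip access-group avoids that window. Second, the session is Telnet with the credentials in the script: use SSH (Net::OpenSSH or an equivalent) and a read-only way of supplying the secrets wherever the platform allows it.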
Cisco IPIP Tunnels
Linux (192.168.2.1):
/sbin/ip tunnel add tunl1 mode ipip remote 192.168.1.1
/sbin/ifconfig tunl1 192.168.3.2 pointopoint 192.168.3.1 netmask 255.255.255.252 mtu 1500
Cisco (192.168.1.1):
interface Tunnel0
 ip address 192.168.3.1 255.255.255.252
 ip mtu 1500
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode ipip
GRE tunnel (Cisco & Juniper)
Juniper(M20) ----------------GRE tunnel-----------------------Cisco(7206)
Juniper Configuration
> show configuration interfaces gr-0/1/0
unit 0 {
    tunnel {
        source 219.93.2.1;
        destination 219.93.2.2;
        key 123456;        ## problem
    }
    family inet {
        mtu 1514;
        address 192.168.1.1/30;
    }
}
Cisco Configuration
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip mtu 1514
 tunnel source 219.93.2.2
 tunnel destination 219.93.2.1
 tunnel key 123456    ! problem
Note: the GRE key only identifies the tunnel to both endpoints; it is neither authentication nor encryption, so these tunnels carry traffic in the clear.
Is there a way to block VTP from coming in on a port?
- make the port an access port (VTP advertisements are only sent over trunks)
- block 01-00-0C-CC-CC-CC (also used by CDP, DTP, PAgP and UDLD)
- use VTP transparent mode (v1) and a different domain name
- block VLAN 1 (although actually that's not possible)
You can also use "switchport nonegotiate" to turn DTP off if you're getting VTP mismatch messages (different VTP domains on each side).
DHCP Configuration for Cisco VOIP Phones
....
authoritative;
ddns-update-style none;
option voip-tftp-server code 150 = ip-address;
option voip-tftp-server 192.168.134.192;
This should likely work for you as well; just make sure you replace the IP for "voip-tftp-server" with the address of your core phone server. Hopefully the next time someone hits Google looking for "option code 150 cisco phone" the clear answer isn't so hard to find.
Slow ADSL with 12.4 IOS version?!
Ciscozine(config-if)#clock rate aal5 ?
  1000000
  1300000
  1600000
  2000000
  2600000 (default)
  3200000
  4000000
  5300000
  7000000
  <1000000-7000000>  clock rates in bits per second, choose one from above
Ciscozine(config-if)#
In fact, if you don't define the clock rate command on the ATM interface, IOS sets this parameter to 2600000. To force it, use the command 'clock rate aal5'; in my case I used 'clock rate aal5 7000000'.
The download speed test confirmed the bandwidth improvement. More info on http://www.ciscozine.com/2009/11/05/slow-adsl-with-12-4-ios-version/
1:1 NAT (not Cisco NAT) example
! WAN interface
interface FastEthernet0/0.457
 encapsulation dot1Q 457
 ip address 10.66.175.21 255.255.240.0
 ip nat outside
 ! PPPoE
 ip tcp adjust-mss 1412
!
! LAN interface
interface FastEthernet0/1
 ip address 192.168.156.1 255.255.255.0
 ip nat inside
!
! Redirect 0.0.0.0 --> 10.66.175.21 --> 192.168.156.2
ip nat inside source static 192.168.156.2 10.66.175.21
The single line
ip nat inside source static 192.168.156.2 10.66.175.21
does both DNAT and SNAT: every inbound connection to 10.66.175.21 is forwarded to 192.168.156.2 (all ports, not a selected few), and traffic from 192.168.156.2 leaves with the WAN address as its source. Because this exposes every listening service on the inside host, pair it with an inbound ACL on the WAN interface, or use port-specific static entries (the tcp/udp form of the same command) when only a few services need to be reachable. If things are still not working as they should, you might have a broken IOS image on the router!
Cisco NAT
ip nat pool NAT 10.252.162.2 10.252.162.2 netmask 255.255.255.252
ip nat inside source list 10 pool NAT overload
access-list 10 permit 10.52.4.0 0.0.0.255
NAT Based Upon Source Address
See original source: http://evilrouters.net/2010/04/21/nat-based-upon-source-address/
Foobar
interface FastEthernet0/5
 description IP PHONE x1014 & HOST 10.1.20.5
 switchport access vlan 20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport voice vlan 101
 switchport port-security
 switchport port-security maximum 3
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no ip address
 ip access-group ip-device-list in
 mls qos trust device cisco-phone
 mls qos trust dscp
 dot1x port-control auto
 dot1x guest-vlan 999
 dot1x reauthentication
 mac access-group mac-device-list in
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
!
interface FastEthernet0/6
 description *** UNUSED Port ***
 switchport access vlan 999
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no ip address
 ip access-group ip-device-list in
 shutdown
 mls qos cos override
 storm-control broadcast level 0.00
 storm-control multicast level 0.00
 storm-control unicast level 0.00
 dot1x port-control force-unauthorized
 dot1x guest-vlan 999
 dot1x host-mode multi-host
 mac access-group mac-device-list in
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
 spanning-tree guard root
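The two interfaces above are a port-hardening template (a live access port and a parked unused port). A template is only useful if every port on the switch actually follows it, so here is an added example (not from the original page) that audits an IOS running-config against it: it splits the config into interface blocks, requires unused ports to be shut down and parked in the unused VLAN, requires live access ports to have DTP disabled, port-security and BPDU guard, and flags "spanning-tree bpdufilter enable", which is present in the template itself but makes the port drop received BPDUs silently so bpduguard can never err-disable it. VLAN 999 as the parking VLAN is taken from the template and assumed to be policy; the sample config is constructed (a trimmed Fa0/5 and Fa0/6 from above plus a non-compliant Fa0/7).

```python
"""Audit access-port hardening in an IOS running-config.

Added example, not from the original page. Assumptions: VLAN 999 is the
parking VLAN for unused ports; the REQUIRED lines are the local policy.
"""

PARK_VLAN = "999"
BPDUFILTER_MSG = ("bpdufilter enable overrides bpduguard "
                  "(BPDUs are dropped, port never err-disables)")
REQUIRED = {
    "switchport mode access": "not forced to access mode (DTP may negotiate a trunk)",
    "switchport nonegotiate": "DTP not disabled",
    "switchport port-security": "port-security not enabled",
    "spanning-tree bpduguard enable": "BPDU guard not enabled",
}


def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None   # '!' or a global command ends the block
    return blocks


def audit_port(lines):
    """Findings for one switchport; an empty list means compliant."""
    has = set(lines)
    unused = any(l.startswith("description") and "unused" in l.lower()
                 for l in lines)
    if unused:
        findings = []
        if "shutdown" not in has:
            findings.append("unused port not shut down")
        if f"switchport access vlan {PARK_VLAN}" not in has:
            findings.append(f"unused port not parked in VLAN {PARK_VLAN}")
        return findings
    findings = [why for cmd, why in REQUIRED.items() if cmd not in has]
    if "spanning-tree bpdufilter enable" in has:
        findings.append(BPDUFILTER_MSG)
    return findings


def audit_config(config):
    """Audit every interface that carries switchport commands."""
    return {name: audit_port(lines)
            for name, lines in parse_interfaces(config).items()
            if any(l.startswith("switchport") for l in lines)}


# Constructed sample: trimmed template ports plus one left at defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 description IP PHONE x1014 & HOST 10.1.20.5
 switchport access vlan 20
 switchport trunk allowed vlan none
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 101
 switchport port-security
 switchport port-security maximum 3
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 description *** UNUSED Port ***
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 shutdown
 spanning-tree bpduguard enable
!
interface FastEthernet0/7
 description printer, left at defaults
 switchport access vlan 20
 switchport mode dynamic desirable
 spanning-tree portfast
!
interface Vlan1
 ip address 10.1.20.254 255.255.255.0
!
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against a real "show running-config" this is the quickest way to find the one port someone re-enabled with defaults. On the sample, Fa0/6 passes, Fa0/7 collects four findings, and Fa0/5 gets exactly one: the bpdufilter line. If the intent on phone ports is to stop the switch sending BPDUs to the phone while still catching a rogue switch, use portfast with bpduguard alone (or the global "spanning-tree portfast bpdufilter default", which only filters until a BPDU is seen) rather than interface-level bpdufilter.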
bba-group pppoe vpn1
 virtual-template 1
 sessions per-vc limit 1      ! 1 = max number of PPPoE (VPDN) sessions per VC
 sessions per-mac limit 1     ! 1 = max number of PPPoE (VPDN) sessions per MAC address
 sessions per-mac throttle ...