Cisco tricks

From NuclearCat's homepage

Devices comparison

Cisco backup and logging

archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path ftp://%%FTPHOST%%/cisco_$h_$t.cfg
 write-memory

logging esm config
logging %%LOGHOST%%

ip ftp source-interface %%INTERFACE%%
ip ftp username %%USERNAME%%
ip ftp password %%PASSWORD%%


QoS troubleshooting

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a0080883f9e.shtml

Switches

Policers per port:
2950: 6 for 100M, 60 for 1G
2960: 64 per port
3550: 8 for 100M, 128 for 1G
2970/3560/2759: 64 per port, 256 per ASIC
4500: 1020 per port
6500: 1023 per port

service password-encryption

aaa new-model

username aaa secret bbb

aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default local

enable secret ccc
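Added example (Python, not from the page or the author's tooling): a small lint that checks a running-config for the settings the backup/logging template and the AAA snippet above put in place: service password-encryption, aaa new-model, an enable secret rather than enable password, usernames defined with secret rather than password, archive log config with hidekeys, a logging host, and a logging trap level. It also reports when the archive path uses ftp, tftp or http, since those copy the whole config off the box in clear. Check ids, messages and both sample configs are constructed; the %%...%% placeholders are filled with RFC 5737 documentation addresses so the patterns have something to match.

```python
"""Constructed IOS config lint for the controls shown on this page (added example)."""
import re

# 'logging <ipv4>' or 'logging host <ipv4>'. Hostnames are deliberately not matched so that
# 'logging buffered', 'logging trap' and similar keywords are not mistaken for a collector.
LOGGING_HOST = re.compile(r"^logging (?:host )?\d{1,3}(?:\.\d{1,3}){3}$")
CLEARTEXT_SCHEMES = {"ftp", "tftp", "http"}


def iter_blocks(config: str):
    """Yield (top-level command, [indented sub-commands]) pairs from running-config text."""
    parent, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or '!' separator
        if not raw[0].isspace():
            if parent is not None:
                yield parent, children
            parent, children = raw.rstrip(), []
        else:
            children.append(raw.strip())  # any deeper indentation belongs to the same block
    if parent is not None:
        yield parent, children


def audit(config: str) -> list:
    """Return (check-id, detail) findings; an empty list means every check passed."""
    blocks = list(iter_blocks(config))
    tops = [cmd for cmd, _ in blocks]

    def has(prefix: str) -> bool:
        return any(t == prefix or t.startswith(prefix + " ") for t in tops)

    findings = []
    if not has("service password-encryption"):
        findings.append(("no-password-encryption", "type-0 passwords are stored in clear"))
    if not has("aaa new-model"):
        findings.append(("no-aaa-new-model", "AAA method lists are not in effect"))
    if has("enable password") or not has("enable secret"):
        findings.append(("enable-password-not-secret", "enable password is not a hashed secret"))
    for t in tops:
        m = re.match(r"^username (\S+)(?: privilege \d+)? password ", t)
        if m:
            findings.append(("username-reversible-password",
                             f"user {m.group(1)} uses 'password' (type 0/7) instead of 'secret'"))
    archives = [kids for cmd, kids in blocks if cmd == "archive"]
    if not any("hidekeys" in kids for kids in archives):
        findings.append(("archive-no-hidekeys", "config-change log would include passwords"))
    for kids in archives:
        for k in kids:
            m = re.match(r"^path (\w+)://", k)
            if m and m.group(1).lower() in CLEARTEXT_SCHEMES:
                findings.append(("archive-cleartext-transport",
                                 f"config copies leave the router over {m.group(1)}"))
    if not any(LOGGING_HOST.match(t) for t in tops):
        findings.append(("no-logging-host", "no syslog collector configured"))
    if not has("logging trap"):
        findings.append(("no-logging-trap", "no 'logging trap' level; debug output stays local"))
    return findings


# Constructed sample 1: the page's template and AAA snippet with placeholders filled in.
SAMPLE_PAGE = """service password-encryption
!
aaa new-model
!
username aaa secret bbb
aaa authentication login default local
enable secret ccc
!
archive
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path ftp://192.0.2.20/cisco_$h_$t.cfg
 write-memory
!
logging esm config
logging 192.0.2.10
logging trap debugging
"""

# Constructed sample 2: a box that has none of those controls.
SAMPLE_WEAK = """enable password PLACEHOLDER
username admin password 7 PLACEHOLDER
archive
 log config
  logging enable
 path tftp://192.0.2.20/backup.cfg
"""

if __name__ == "__main__":
    for name, cfg in (("page", SAMPLE_PAGE), ("weak", SAMPLE_WEAK)):
        print(name, audit(cfg))
```

Run against the page's own template the only finding is the ftp archive path; switching that line to scp:// (supported by IOS images with the SSH feature set) clears it. The parser only understands the indentation-based block layout of a running-config, which is enough for the checks here.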

Send debug to syslog

logging trap debugging

Feature navigator

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Links

[| Etherchannel ]

Backup

interface FastEthernet 0/0
 description primary-link
 ip address 10.1.1.1 255.0.0.0

interface Dialer 0
 description backup-link
 ip address 10.2.2.2 255.0.0.0

ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.23.7
 timeout 1000
 frequency 3
 threshold 2

ip sla monitor schedule 1 life forever start-time now
track 123 rtr 1 reachability

access-list 101 permit icmp any host 172.16.23.7 echo
route-map MY-LOCAL-POLICY permit 10
 match ip address 101
 set interface Dialer0 Null0
!
ip local policy route-map MY-LOCAL-POLICY

ip route 0.0.0.0 0.0.0.0 10.1.1.242 track 123
ip route 0.0.0.0 0.0.0.0 10.2.2.125 254
!
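Added example (Python, not from the page): a small simulation of what the two static routes above do as the tracked echo probe succeeds and fails. Track hysteresis ('delay down 180 up 10', used by the 877 config further down this page) is included as an option so the same model covers both snippets; probe times, the outage window and all Python names are assumptions.

```python
"""Constructed model of a tracked static route with a floating backup (added example)."""
from __future__ import annotations
from dataclasses import dataclass

PRIMARY = ("10.1.1.242", 1)    # 'ip route 0.0.0.0 0.0.0.0 10.1.1.242 track 123' (default AD 1)
BACKUP = ("10.2.2.125", 254)   # 'ip route 0.0.0.0 0.0.0.0 10.2.2.125 254' (floating static)


@dataclass
class Track:
    """Object tracking of an IP SLA probe, with optional 'delay down X up Y' (seconds).
    The Backup section above uses no delay; the 877 config later on the page uses 180/10."""
    delay_down: int = 0
    delay_up: int = 0
    state: str = "up"
    _pending: str | None = None   # state we are waiting to move to
    _since: int = 0               # time the pending condition was first seen

    def probe(self, reachable: bool, now: int) -> str:
        target = "up" if reachable else "down"
        if target == self.state:
            self._pending = None      # condition cleared before the delay expired
            return self.state
        if self._pending != target:
            self._pending, self._since = target, now
        delay = self.delay_down if target == "down" else self.delay_up
        if now - self._since >= delay:
            self.state, self._pending = target, None
        return self.state


def default_route(track_state: str) -> tuple[str, int]:
    """RIB selection: the tracked route is withdrawn while its track is down, so the
    floating static with AD 254 is the only candidate left; otherwise lowest AD wins."""
    candidates = [BACKUP] + ([PRIMARY] if track_state == "up" else [])
    return min(candidates, key=lambda r: r[1])


def run(track: Track, timeline: list[tuple[int, bool]]) -> list[tuple[int, str, str]]:
    """Feed (time, reachable) probe results through the track and record
    (time, track state, active next hop) each time the next hop changes."""
    out, last = [], None
    for now, ok in timeline:
        state = track.probe(ok, now)
        nh = default_route(state)[0]
        if nh != last:
            out.append((now, state, nh))
            last = nh
    return out


# Constructed timeline: a probe every 3 s as in 'frequency 3'; echoes fail from t=9 to t=30.
TIMELINE = [(t, not 9 <= t <= 30) for t in range(0, 61, 3)]

if __name__ == "__main__":
    for row in run(Track(), TIMELINE):
        print(row)
```

Without a delay the next hop moves to the backup on the first probe that fails and back on the first that succeeds. With 'delay down 180 up 10' the probe has to keep failing for three minutes before the floating route takes over, and a blip shorter than that never changes the track at all, which is why the later config can afford to reload the router when both tracks go down.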

version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
ip domain name XXXX.local
ip inspect log drop-pkt
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
object-group network og-L1-Allow-NTP 
 description Allow NTP from these hosts
 host XX.X.XX.XX
!
object-group network og-L2-Allow-SSH 
 description Allow SSH from these hosts
 192.168.1.0 255.255.255.0
!
username X-X password 7 XX
username X-X password 7 XX
username X privilege 15 secret 5 XX
! 
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2

track 10 ip sla 10 reachability
 delay down 180 up 10
!
track 20 ip sla 20 reachability
 delay down 180 up 10
!
!
!
interface ATM0
 description ADSL Connection
 no ip address
 no atm ilmi-keepalive
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl enable-training-log 
 dsl bitswap both
 hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool VPNPOOL
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
interface Vlan1
 description  LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname XX@XX.XX.co.uk
 ppp chap password 7 XX
 ppp ipcp dns request
 ppp ipcp wins request
 ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 XX interface Dialer0 XX
ip nat inside source static tcp 192.168.1.50 XX interface Dialer0 XX
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.20 XX interface Dialer0 XX
ip nat inside source static tcp 192.168.1.65 XX interface Dialer0 XX
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
!
ip access-list standard acl-Allow-SNMP
 permit XX.XX.XX.XX
 permit XX.XX.XX.XX
 permit 192.168.1.0 0.0.0.255
 deny   any
ip access-list standard acl-NAT-Ranges
 remark Define NAT internal ranges
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 remark Allow established sessions back in
 permit tcp any any established
 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit udp object-group og-L1-Allow-NTP any eq ntp
 permit tcp object-group og-L2-Allow-SSH any eq 22 log
 permit tcp any any eq 443
 permit tcp any any eq XX
 permit tcp any any eq XX
 permit tcp any any eq XX
 permit tcp any any eq XX
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 remark Passive FTP ports matching FTP Server config
 permit tcp any any range 50000 50050
 permit tcp any any eq 54321
 permit gre any any
 permit udp any eq domain any
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny   ip any any
ip access-list extended acl-EXT-OUT
 remark Allow all outbound IP
 permit ip any any
!
ip sla 10
 icmp-echo 8.8.8.8 source-interface Vlan1
 threshold 3000
 timeout 3000
 frequency 10
ip sla schedule 10 life forever start-time now
ip sla 20
 icmp-echo 208.67.222.222 source-interface Vlan1
 threshold 3000
 timeout 3000
 frequency 10
ip sla schedule 20 life forever start-time now
!
ip access-list logging interval 10
logging trap debugging
logging facility local6
logging 192.168.1.50
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community XX RO acl-Allow-SNMP
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp master
ntp server 129.6.15.28
event manager applet ema-ADSL-Down 
 event tag PingDown1 track 10 state down
 event tag PingDown2 track 20 state down
 trigger
  correlate event PingDown1 and event PingDown2
 action 10 syslog msg "********** WARNING! ADSL Line Down! **********"
 action 20 reload
event manager applet ema-ADSL-Up 
 event tag PingUp1 track 10 state up
 event tag PingUp2 track 20 state up
 trigger
  correlate event PingUp1 or event PingUp2
 action 10 syslog msg "********** ADSL Line UP **********"
!
end
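Added example (Python, not from the page): a first-match evaluator for acl-EXT-IN, for answering "what does this inbound ACL do with packet X" without a lab router. The ACL text is copied from the config above minus the entries whose ports are redacted as XX; object-group members (the page redacts the NTP host and gives 192.168.1.0/24 for SSH), packet values and all names are constructed. One thing it makes visible: the 'permit tcp object-group og-L2-Allow-SSH any eq 22 log' entry can never match, because 'deny ip 192.168.0.0 0.0.255.255 any' higher up already drops every packet from 192.168.1.0/24.

```python
# Constructed first-match evaluator for IOS extended ACLs (added example, not from the page).
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "ntp": 123, "domain": 53, "ftp": 21, "ftp-data": 20}
ICMP_KEYWORDS = {"echo", "echo-reply", "source-quench", "packet-too-big", "time-exceeded"}
OBJECT_GROUPS = {"og-L1-Allow-NTP": [("198.51.100.5", "0.0.0.0")],    # page: host XX.X.XX.XX
                 "og-L2-Allow-SSH": [("192.168.1.0", "0.0.0.255")]}   # page: 192.168.1.0/24
ACL_EXT_IN = """\
deny ip 192.168.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
permit tcp any any established
permit tcp any any eq smtp
permit tcp any any eq www
permit udp object-group og-L1-Allow-NTP any eq ntp
permit tcp object-group og-L2-Allow-SSH any eq 22 log
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any range 50000 50050
permit tcp any any eq 54321
permit gre any any
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
deny ip any any
"""

Ace = namedtuple("Ace", "action proto src sport dst dport established icmp text")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set, which is what 'established' tests
    icmp: str = ""              # ICMP keyword as IOS spells it, e.g. "echo"


def _addr(t, i):
    """Consume one address spec: any | host A | A WILDCARD | object-group NAME."""
    if t[i] == "any":
        return [("0.0.0.0", "255.255.255.255")], i + 1
    if t[i] == "host":
        return [(t[i + 1], "0.0.0.0")], i + 2
    if t[i] == "object-group":
        return OBJECT_GROUPS[t[i + 1]], i + 2
    return [(t[i], t[i + 1])], i + 2


def _ports(t, i):
    """Consume an optional 'eq X' / 'range A B'; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_acl(text):
    """Parse extended-ACL lines (remarks skipped) into Ace tuples, preserving order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "remark":
            continue
        src, i = _addr(t, 2)
        sport, i = _ports(t, i)
        dst, i = _addr(t, i)
        dport, i = _ports(t, i)
        rest = set(t[i:])                       # trailing keywords: established, log, icmp type
        icmp = next(iter(rest & ICMP_KEYWORDS), "")
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, "established" in rest, icmp, line))
    return aces


def _in(ip, specs):
    """Cisco wildcard match: a set bit in the wildcard is a don't-care bit."""
    a = int(ipaddress.IPv4Address(ip))
    return any(((a ^ int(ipaddress.IPv4Address(n))) & (~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF)) == 0
               for n, w in specs)


def evaluate(aces, p):
    """First matching entry wins; ('deny', None) is the implicit deny that ends every IOS ACL."""
    for idx, a in enumerate(aces):
        if a.proto not in ("ip", p.proto) or not (_in(p.src, a.src) and _in(p.dst, a.dst)):
            continue
        if a.sport and not a.sport[0] <= p.sport <= a.sport[1]:
            continue
        if a.dport and not a.dport[0] <= p.dport <= a.dport[1]:
            continue
        if (a.established and not p.established) or (a.icmp and a.icmp != p.icmp):
            continue
        return a.action, idx
    return "deny", None


ACL = parse_acl(ACL_EXT_IN)
```

evaluate(ACL, Packet("tcp", "192.168.1.7", "198.51.100.1", 40000, 22)) returns ("deny", 0), the RFC 1918 entry, never ("permit", 6); the same packet from a public source ends at the final deny. The evaluator only implements the keywords that appear in this ACL (eq, range, established, the five ICMP types, object-group), so extend _ports and the trailing-keyword handling before pointing it at a richer ACL.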