Cisco Tips & Tricks

May 3, 2006

Binding IP Addresses to MAC Addresses

Filed under: Switching — ciscotips @ 6:26 pm

Suppose you need to set the IP addresses on several devices that are connected to the network but have not yet been configured. If you know the first four hex digits of the Organizationally Unique Identifier (OUI) in their MAC addresses, then at locations that have switches you can use the following command to learn the MAC addresses:

sh mac address-table | include xxxx (xxxx = first four digits of the OUI)

In config t, using a MAC address learned above, you can bind the IP address to the MAC address with a static ARP entry:

arp xx.xx.xx.xx yyyy.yyyy.yyyy arpa (x = IP, y = MAC in Cisco dotted-triplet form)

You will then be able to Telnet to the device and complete the network configuration. For sites that do not have switches, you can turn on Address Resolution Protocol (ARP) debugging on the router (only if the site has few other devices and low traffic): debug arp.

Clear the arp table: clear arp.

Then simply monitor the debug session for the devices to appear in the router log (look for the first four digits of the MAC address). Turn off debugging: no debug all.

In config t, using the MAC address found in the log, bind the IP address the same way:

arp xx.xx.xx.xx yyyy.yyyy.yyyy arpa (x = IP, y = MAC in Cisco dotted-triplet form)


Testing Remote Authentication of Users on Wireless Network

Filed under: cisco, Router, security, wifi — ciscotips @ 6:18 pm

I am not a Wireless guy but found a beautiful tip for you wireless geeks.

One of the greatest challenges in supporting a large wireless network is testing authentication from a remote access point. Asking a user to retry a login multiple times can be time consuming and frustrating.

To solve this problem, you can use the test aaa group command to test both RADIUS and TACACS authentication using a user ID and password combination from the access point:

AP#test aaa group ?
  radius   Test list of all Radius hosts
  tacacs+  Test list of all Tacacs+ hosts

While this isn't exactly like a connecting user, it can verify a critical piece of the login. Here are some examples using the command.

AP#test aaa group radius <domain>\<userid> <goodpassword> new
Trying to authenticate with Servergroup radius
User successfully authenticated

AP#test aaa group radius <domain>\<userid> <badpassword> new
Trying to authenticate with Servergroup radius
User rejected

Using Privilege mode commands in Global Config Mode

Filed under: Router — ciscotips @ 6:11 pm

Here’s a handy tip when using the show, ping, and telnet commands. Instead of switching back and forth between global configuration mode and privilege mode to use these commands, you can remain in global configuration mode and type the do command with the original syntax.

For example:

Router(config)#do show running-config

or

Router(config)#do show interface e0

or

Router(config)#do PING 10.0.0.1

Recovering Lost passwords on remote devices

Filed under: Uncategorized — ciscotips @ 6:07 pm

Configuring a Simple Network Management Protocol (SNMP) read-write (RW) community ahead of time enables you to modify the configuration of a device if you need to recover a lost password on a remote router or switch. Use the following steps:

1. Set the copy mode (1 = TFTP; 3 = RCP):

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.2.83119 i 1

2. Set the source configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 4

3. Set the destination configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 1

4. Set the TFTP server IP address:

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.5.83119 a TFTP-SRV-ipAddress

5. Set the name of the file that will hold the device configuration:

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.6.83119 s "MydeviceConfig.txt"

6. Set the create-and-go command:

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.14.83119 i 1

Then edit the password in the file MydeviceConfig.txt and run the sequence again, changing only the following two steps so that the copy goes from the TFTP server to the running configuration:

1. Set the source configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.3.83119 i 1

2. Set the destination configuration type to copy (1 = Network; 3 = Startup-config; 4 = Running-config):

snmpset ipAddress RW-Community .1.3.6.1.4.1.9.9.96.1.1.1.1.4.83119 i 4

Be careful when you modify and upload the configuration to the device, and remember that the destination is the running configuration, so you must log in to the device to change the password again and then write it to the startup configuration.
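The six-step sequence above, wrapped in one function as an added example (this is not code from the original post). It additionally polls ccCopyState until the copy finishes and then destroys the row so the index can be reused; it assumes net-snmp's snmpset/snmpget on the admin host, and the device address, community, TFTP server, file name and row index are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: drive the CISCO-CONFIG-COPY-MIB
# sequence with one function, poll ccCopyState until the copy ends, and
# destroy the row so the index can be reused.
# Assumes net-snmp's snmpset/snmpget; all addresses/names are placeholders.

CC_BASE='.1.3.6.1.4.1.9.9.96.1.1.1.1'   # ccCopyEntry; columns used below:
# .2 protocol (1=tftp 3=rcp)   .3/.4 source/dest type (1=network 3=startup 4=running)
# .5 server address  .6 file name  .10 ccCopyState (1=waiting 2=running 3=successful 4=failed)
# .13 ccCopyFailCause  .14 row status (1=active, as in the post; 6=destroy)

# usage: cc_copy DEVICE COMMUNITY INDEX SRC_TYPE DST_TYPE TFTP_SERVER FILENAME
# running-config -> TFTP is SRC_TYPE=4 DST_TYPE=1; TFTP -> running-config is 1 and 4.
cc_copy() {
  dev=$1 comm=$2 idx=$3 src=$4 dst=$5 srv=$6 file=$7

  # set one column of row $idx: set_col COLUMN TYPE VALUE
  set_col() {
    snmpset -v 2c -c "$comm" "$dev" "$CC_BASE.$1.$idx" "$2" "$3" >/dev/null
  }

  set_col 2 i 1 && set_col 3 i "$src" && set_col 4 i "$dst" &&
    set_col 5 a "$srv" && set_col 6 s "$file" && set_col 14 i 1 || return 1

  # wait up to 30 s for the copy to finish, then report and clean up the row
  n=0
  while [ "$n" -lt 30 ]; do
    state=$(snmpget -v 2c -c "$comm" -Oqve "$dev" "$CC_BASE.10.$idx")
    case "$state" in
      3) set_col 14 i 6; return 0 ;;
      4) cause=$(snmpget -v 2c -c "$comm" -Oqve "$dev" "$CC_BASE.13.$idx")
         echo "copy failed, ccCopyFailCause=$cause" >&2
         set_col 14 i 6; return 1 ;;
    esac
    n=$((n + 1)); sleep 1
  done
  echo "timed out waiting for copy $idx on $dev" >&2
  set_col 14 i 6; return 1
}

# example: back up the running config of a placeholder device to a TFTP server
# cc_copy 192.0.2.1 RW-Community 83119 4 1 192.0.2.2 MydeviceConfig.txt
```

An RW community that can do this is equivalent to full device access, so restrict it with an access list on the snmp-server community line and prefer SNMPv3 where the platform supports it.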

Troubleshooting DoS attacks

Filed under: Uncategorized — ciscotips @ 5:54 pm

Multiple large packets injected into your network from any source, including a host PC, can bring your network to a crawl. In the worst case, they can even shut down operations. To determine which host or node is sending or receiving suspiciously large and numerous "packets" (no pun intended), enable ip accounting output-packets on the interface that you suspect they pass through. Then use the command sh ip accounting output-packets to view the output in real time. Packet and byte counts are also displayed, which can help you identify what kind of traffic is present on your link. For example:

Router(config)# interface FastEthernet 0/1

Router(config-if)# ip accounting output-packets

Router# sh ip accounting output-packets

The preferred, more scalable method is to use NetFlow on ingress interfaces to identify the type of traffic. Because NetFlow keeps statistics on flows, you can more easily isolate the protocols involved. To enable NetFlow on an interface, use the interface configuration command ip route-cache flow. Support for NetFlow varies by platform and code version.

For older platforms that do not support NetFlow, IP accounting can still be useful.

OSPF/distribute-list

Filed under: IP Routing, ospf — ciscotips @ 4:55 pm

If you are running Open Shortest Path First (OSPF) with static routes and you use the distribute-list command to control the advertisement of these routes, always use the clear ip ospf redist command after you change the distribute list. If you do not, the routing tables will not reflect the change.

We run Cisco IOS Software Release 12.2(12f) on our Cisco 2600 routers, and the IP OSPF priority does not appear to have any effect when the DR fails or recovers. So when this situation occurs, I use the clear ip ospf proc command on the current DR rather than reloading it.

Tip for Unix/Linux users

Filed under: Uncategorized — ciscotips @ 4:51 pm

Using a UNIX or Linux machine and need to send a show tech or log to the Cisco TAC? Try using the tee command after the pipe (|). This creates a file that records all keystrokes and output. An example is telnet Router-name | tee hold. When you're ready, just attach the file named "hold" to the e-mail instead of copying and pasting. Because passwords are not echoed back to the screen, they do not appear in the file. This also works well when you are trying to find something specific in large ARP tables or routing tables.

Troubleshooting Switch ports in Campus Network

Filed under: Uncategorized — ciscotips @ 4:48 pm

A pretty simple command that most people are not aware of.

An effective way to detect “suspicious” ports in a large campus switched network is with the show diag link-flap command, which is available on Cisco IOS Software-based switches.

Tunneling

Filed under: Uncategorized — ciscotips @ 4:46 pm

Whenever a Generic Routing Encapsulation (GRE) tunnel is formed, the tunnel interface shows status UP in show interface tunnel<no>, but the tunnel is not actually active. You need to manually do a "no shutdown" on the tunnel interface. You can also view the tunnel status in show interface summary or show ip interface brief.

Using debug Commands

Filed under: Uncategorized — ciscotips @ 4:43 pm

When using debug commands that increase CPU load, disable console logging with the Cisco IOS global configuration command no logging console and enable buffered logging with the IOS global configuration command logging buffered. Then execute the debug command from a virtual terminal session and view the output in that session. If the session becomes unresponsive, you can use the console to disable the debug, because the console has higher priority than the virtual terminal session. Review the debug output in the log buffer using the IOS EXEC command show log. If syslogging is enabled, you can also view the output in the log file on the syslog server.
