3/24/2016

Cisco IOS Popular Command List

  1. Basic Troubleshooting Commands
ping
traceroute
telnet
show interfaces (for example: show interfaces GigabitEthernet 3/6)
show ip interface
show ip route
show running-config
show startup-config
show ip sockets
show conn
show tcp brief
  1. Archive Command
  • Configuration change logging, plus saving a copy of the current configuration to local flash whenever write memory is run
archive
!!log all commands
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:backup-
maximum 8
write-memory
  • Compare Startup-Configuration with Running-configuration
R1#show archive config differences 
!Contextual Config Diffs:
!No changes were found
  • show archive log config all
  • show archive
  1. Enable IPv6 on Cisco Switch 3550/3560
Switch: interface f0/24 is connected to router P1R1
interface FastEthernet0/24
no switchport
ip address 172.17.255.1 255.255.255.254
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP-KEY
ipv6 address 2001:DB8:CAFE:201::/64 eui-64
ipv6 rip 1 enable
spanning-tree portfast

Tunnel 0:
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source FastEthernet0/24
tunnel destination 172.17.255.0    !---> P1R1

P1R1
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source Ethernet0/0
tunnel destination 172.17.255.1
  1. Using ftp to transfer files to flash
copy ftp://test:test@192.168.2.27 flash:
  1. Clear IOS configuration
write erase
  1. Delete flash: folder
delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE
  1. Basic Commands to Enable Telnet/SSH on Cisco Devices
  • Telnet Access
no aaa new-model
username test privilege 15 secret test
line vty 0 15
login local
no password
transport input telnet
  • SSH Access:
hostname Switch1
ip domain-name test.com
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 60
ip ssh version 2
line vty 0 15
transport input ssh
  • Console Access with username/password:
line con 0
login local
exit
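
As an added check (not part of the original post): a small Python audit of a running-config fragment modelled on the Telnet and SSH snippets above, flagging vty lines that still permit cleartext Telnet and configs that do not pin SSH to version 2. The sample config is constructed, not captured from a device.

```python
import re

# Constructed running-config fragment modelled on the Telnet/SSH snippets above
# (not from a real device). As in 'show running-config', 'line' sub-commands are indented.
SAMPLE_CONFIG = """\
hostname Switch1
ip domain-name test.com
ip ssh version 2
username test privilege 15 secret test
line con 0
 login local
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input ssh
"""

def parse_line_blocks(config):
    """Return {'vty 0 4': [sub-commands], ...} for each 'line' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    return blocks

def audit_remote_access(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSHv1 may be negotiated)")
    for name, cmds in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"line {name}: no explicit 'transport input'")
        for t in transport:
            if "telnet" in t or t.endswith(" all"):
                findings.append(f"line {name}: cleartext telnet permitted ({t})")
        if not any(c.startswith("login") for c in cmds):
            findings.append(f"line {name}: no 'login local' / 'login authentication'")
    return findings
```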
  1. Debug IP Traffic based on Access-list
The debug procedure is the following:
1) Turn on process switching on both interfaces of the router (debug ip packet only shows process-switched packets):
Router(config)#interface g0/0
Router(config-if)#no ip route-cache
Router(config)#interface g0/1
Router(config-if)#no ip route-cache

2) Create an access-list that defines the specific traffic you want to monitor between the hosts. For
Router(config)#access-list 199 permit tcp host 11.11.11.1 host 22.22.22.2
Router(config)#access-list 199 permit tcp host 22.22.22.2 host 11.11.11.1

3) If you are in a telnet session to the router, turn "terminal monitor" on:
Router#term mon
If you are in a console session to the router, use the "logging console" command:
Router(config)#logging console

4) Finally, run the debug command:
Router#debug ip packet 199 detail
where 199 is the number of the access-list we created.
*Jul 23 20:25:30.616: IP: s=11.11.11.1 (local), d=22.22.22.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
........

5) Use the "un all" command to turn it off:
Router#un all
  1. Kron command
The kron command can be used to reboot the router on a schedule, clear interface counters, save the configuration, show the routing table, etc. It does not support any interactive command (one that prompts for input).
The following is an example that uses it to save the configuration on a regular basis.
Router# show kron schedule
Kron Occurrence Schedule
backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon

Router# show running-config
(truncated)
kron occurrence backup at 22:00 Mon recurring
policy-list backup
!
kron policy-list backup
cli write
Another example runs the TCL script script.tcl as the specific user jonny:
kron occurrence tcl_occur user jonny in 12:0 recurring
policy-list tclpol
kron policy-list tclpol
tclsh flash:/script.tcl
  1. Enable IP Accounting on interface
IP accounting does not provide much functionality, but it does provide a summary of the traffic passing through a router. The router only records packets that transit the router; connections initiated from the router or terminating on the router are not counted.
interface GigabitEthernet0/1
ip address 100.199.48.15 255.255.255.0
ip accounting output-packets
duplex full
speed 100
end
R1#sh ip accounting
Source          Destination     Packets  Bytes
100.199.48.10   100.199.38.53         6    241
100.199.38.53   100.199.48.10         4    183
138.11.117.16   166.6.23.14           1    104
Accounting data age is 3w0d
  1. Show configuration without break/pause
@Cisco Router/Switch
terminal length 0
@ASA Firewall
terminal pager 0
  1. Debug commands at Cisco ASA 9.1(2)
terminal monitor
logging buffer-size 1048576
logging buffered 7
logging monitor 7
debug crypto condition peer 10.10.10.10

debug crypto ipsec 127
debug crypto ikev1 127
  1. Display Cisco IOS Device Opened Ports
R#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
tcp                        *:22                         *:0               SSH-Server   LISTEN
tcp                        *:23                         *:0                   Telnet   LISTEN
udp                       *:161                         *:0                  IP SNMP   LISTEN
udp                       *:162                         *:0                  IP SNMP   LISTEN
udp                     *:65110                         *:0                  IP SNMP   LISTEN
udp                      *:1975                         *:0                      IPC   LISTEN
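
As an added check (not part of the original post): a Python parser for the listing above, run over a constructed copy of that output, that flags the listeners a hardening review usually questions on the management plane (cleartext Telnet and an SNMP agent bound to every address).

```python
import re

# Constructed sample following the layout of 'show control-plane host open-ports'
# shown above (not captured from a real device).
OPEN_PORTS_OUTPUT = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
tcp                        *:22                         *:0               SSH-Server   LISTEN
tcp                        *:23                         *:0                   Telnet   LISTEN
udp                       *:161                         *:0                  IP SNMP   LISTEN
udp                       *:162                         *:0                  IP SNMP   LISTEN
udp                     *:65110                         *:0                  IP SNMP   LISTEN
udp                      *:1975                         *:0                      IPC   LISTEN
"""

# proto, local addr:port, foreign addr:port, service (may contain spaces), state
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(LISTEN|ESTAB\S*)\s*$")

def parse_open_ports(text):
    """Return a list of dicts, one per connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, service, state = m.groups()
            rows.append({"proto": proto, "local": laddr, "port": int(lport),
                         "foreign": faddr, "service": service.strip(), "state": state})
    return rows

# Listeners worth a second look; '*' as local address means bound on all interfaces.
REVIEW = {("tcp", 23): "cleartext Telnet listener; prefer SSHv2 and 'transport input ssh'",
          ("udp", 161): "SNMP agent listening; confirm SNMPv3 and an ACL on the community/group"}

def flag_listeners(text):
    """Return human-readable findings for reviewed (proto, port) pairs in LISTEN state."""
    findings = []
    for r in parse_open_ports(text):
        reason = REVIEW.get((r["proto"], r["port"]))
        if reason and r["state"] == "LISTEN" and r["local"] == "*":
            findings.append(f"{r['proto']}/{r['port']} ({r['service']}): {reason}")
    return findings
```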
 
  1. Native VLAN mismatch
062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).
Although both ports are configured as access ports in different VLANs (56 and 1), this mismatch message should not appear. One solution is a single global command:
no cdp advertise-v2

Or
Another solution: use a different VTP domain name on those switches:
Switch(config)# vtp mode transparent
Switch(config)# vtp domain a_unique_name

  1. IOS Password Recovery Procedures
  • Shut down the router then Power on the router
  • Press Break on the terminal keyboard within 60 seconds of power-up in order to put the router into ROMMON. (On some keyboards, the Pause key is used to enter ROMMON mode; you may not need Fn+Pause or Ctrl+Break.)
  • Once the Rommon1> prompt appears, enter this command: confreg 0x2142
    Then type reset to reboot Cisco device.
  • When you are prompted to enter the initial configuration, type No, and press Enter.
    At the Router> prompt, type enable.
  • At the Router# prompt, enter the configure memory command, and press Enter in order to copy the startup configuration to the running configuration.
  • Use the config t command in order to enter global configuration mode.
  • Use this command in order to create a new user name and password:
    router(config)#username test privilege 15 password test
  • Use this command in order to change the boot statement: config-register 0x2102
  • Use this command in order to save the configuration: write memory

  1. Reload Device in xx minutes
This is helpful for remote work in case you lose the connection through a misconfiguration: the device reloads to its saved configuration unless you cancel the scheduled reload.
R-Test-Lab#reload in 1
Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
Reload reason: Reload Command
Proceed with reload? [confirm]
R-Test-Lab#
***
*** --- SHUTDOWN in 0:01:00 ---
***
R-Test-Lab#show reload
Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
Reload reason: Reload Command
R-Test-Lab#reload cancel
R-Test-Lab#
***
*** --- SHUTDOWN ABORTED ---
***
  1. Load-Interval 30
By default, IOS calculates interface statistics over a 5-minute interval. The minimum interval you can set is 30 seconds.
interface GigabitEthernet0/0
ip flow ingress
load-interval 30
duplex auto
speed auto
end
Router#sh interfaces g0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
Description:
Internet address is
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 3/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 12706000 bits/sec, 1423 packets/sec
30 second output rate 966000 bits/sec, 957 packets/sec
7877466781 packets input, 4315500899841 bytes, 1023 no buffer
Received 345354184 broadcasts (0 IP multicasts)
0 runts, 0 giants, 13 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 520835 multicast, 2112 pause input
7120190572 packets output, 2103538386166 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
121793930 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
4 lost carrier, 0 no carrier, 58519 pause output
0 output buffer failures, 0 output buffers swapped out

  1. Turn off IP Spoof Protection
On the ASA, unicast RPF (anti-spoofing) is enabled per interface with the following command; the no form of the same command turns it off for that interface:
ip verify reverse-path interface outside
When it drops a packet, the log shows a message such as:
"Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside"
  1. Create Read only Account
method a.
username local1 secret Cisco1234
username local1 privilege 15 autocommand show running
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
method b.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console
username local2 privilege 7 password Cisco1234
privilege exec level 7 show config

  1. Upgrade Cisco Device IOS 
Switch# delete /f /r flash1:c3750-ipbase-mz.122.35-35.SE5.bin
Switch#copy tftp: flash:ios.tar
Switch#verify /md5 flash:ios.tar
.........................Done!
verify /md5 (flash:ios.tar) = bb86b1de4eb8e37fd0710c40d891445c
Switch#archive tar /xtract ios.tar flash:
Set the boot path
Switch(config)#boot system flash:/ios/ios.bin
Switch#wr
Switch#show boot
BOOT path-list      : flash:/ios/ios.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
.....

Switch#reload

