Configuration Lock

Ever busy with a scheduled change, and the configuration all of a sudden differs from what you configured five minutes ago?

Normal IOS (not XR) behaviour allows multiple users to make instant changes to the running configuration. Occasionally two users make changes to the same config portion at the same time. One overwriting the others. ONLY the last commands entered will take effect.

The Configuration Lock  feature allows a one to have exclusive change access to the Cisco IOS running configuration, preventing multiple users from making concurrent configuration changes.

There are two modes:

  • Auto
  • Manual

Continue reading “Configuration Lock”

Getting your router to Tweet

Ok, so an earlier post sharing a really neat geek trick is awesome, but how the hell does one go about configuring a router to tweet something? (if you not a programmer)

To do it, you would need the following:

  • IOS image that supports EEM.
  • A twitter account.
  • A base64 encoded representation of you twitter account’s
  • Bruno’s twitter script. Download tweet-policy.tcl here.
  • The IP address of your nearest twitter server. (nslookup or dig will help you there)

The IOS obviously must support EEM.

Then once you have your twitter account, you need to encode your twitter account’s username:password to a base64 encoded representation.  Could be done using this website. Example:

        gives you

Continue reading “Getting your router to Tweet”

Route Selection with equal AD’s

I had a interesting question from a friend today.

Assume the following scenario:

Im going to exclude any MPLS connectivity, as it is not relevant.
The PE (Router1) connects the CE (Router3) with two links, one serial and one wireless.
This particular ISP runs mostly static routes to client sites (within the VRF’s) or alternatively eBGP.

On a wireless link it is always good practise to run BGP to detect when connectivity with the remote end is lost in the underlying Layer2 network. (Preventing a blackhole)
Regarding routing on the Serial Link, there as a default route out from Router 3 and a static route to on Router1 pointing to Router3.

The client wants to load-balance traffic across both links. And the Admin Distance of the static route was set to 20 to match eBGP. (this is the scenario)

So the question : Why does Router1 not install both routes (the eBGP route and the Static), both with an prefix-length of /24,  a Admin Distance of 20, and metric of 0 into the RIB??

Continue reading “Route Selection with equal AD’s”

Searching for something?

Everybody knows how to use the include|begin|exclude search operators (I hope so at least), but you can also search through screen output with the “/” operator. You can use this with most ‘SHOW’ commands provided the output is more than one page long.

It is very useful to see a specific search string bound to show up multiple times from the SHOW command.

Example:  Show the running-config, and one the first page break, hit the forward slash “/”. Now enter the string you looking for:
Continue reading “Searching for something?”

CPU and Memory Thresholding

It is never nice when devices on a network go belly-up, but to know why or what happened right before they went belly-up, is crucial.

By enabling CPU and Memory thresholding, you can be sure to get those vital notifications when it happen allowing you to respond a lot quicker.

When a router is overloaded by processes, the amount of available memory might fall to levels insufficient for it to issue critical notifications, so the first step is to reserve some memory:
memory reserve critical {kilobytes}

Continue reading “CPU and Memory Thresholding”

BFD – Bidirectional Forwarding Detection

What is one pain-in-the-butt thing with wireless links connected to a Ethernet port on a Cisco router?
You don’t know when the wireless link goes down?

Since Ethernet technology does not provide for end-to-end connectivity checks, like ATM OAM F5, Frame-Relay EEK, or PPP LCP Keepalive, you need a similar method to know when the wireless link or the remote site is unreachable.

There are varies workarounds, eg using IP SLA monitor, or using BGP with reduced timers. A better solution is to use Bidirectional Forwarding Detection (BFD), to quickly identify the failing wireless VLANs and route your retraffic quickly and efficiently.

Continue reading “BFD – Bidirectional Forwarding Detection”

IOS upgrade tip

So it is sunday morning, the change window just kicked in, you copied the new IOS image to the router, used the ‘boot system’ command as per my previous post, you save your config and reload. All looking good for an early night, but when the router reloads you get a bunch of errors during bootup along the lines of:

% Invalid input detected at '^' marker.
% Incomplete command.

Oh no, you didn’t do you homework, did you check for command differences between the IOS versions? Did you test the current config on the new IOS in a lab prior to the upgrade (yes not always possible), do you have a config backup?

If you don’t have a full config backup you have BIGGER problems. If you remove the first ‘boot system’ command to boot of the working IOS, and write your config, usually all commands that gave errors during that boot-up, will now be LOST since you saved the config and overwrote the startup-config.

So what now?

Appose to freaking out and start dancing like a banshee doing some tribal dance, do the following. ‘Rename’ the NEWLY installed IOS image in Flash, the image specified in the first ‘boot system’ command to something else, and ‘Reload’ WITHOUT SAVING the config. When the router reboots it will attempt to locate the first specified boot system image, but because you renamed it, it can not be loaded. The router will then attempt to boot off the second specified boot system image, the old working IOS image. And happiness is restored.

Boot System command

Whenever doing IOS upgrades on production devices, it is always best to have a fail-back plan. With most platforms, the best way to archieve this is with the ‘boot system’ command and altough not a new command, still good to cover.

The  ‘boot system’ command is non-exclusive, and if multiple entries exist, the commands are tried top down. If the first is unsuccessful, the second will be tried. If the first is successful it is loaded. This is very handy, since it provides IOS-image redundancy, and a fail-back option.

What do I mean by IOS-image redundancy?
If you are using a bigger platform that has 2x Compact Flash Slots, by loading the same IOS image on both disks you can have image redundancy, incase one of the Compact Flash Cards bombs out, with the following config:

boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin
boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin

The same redundancy could be achieved by using a remote FTP/TFTP location as the second command.

This command however becomes most useful when doing IOS upgrades. Provided you have enough space to store a second IOS image, load the NEW IOS Image on that same disk, then by using the ‘boot system’ command, specify the path to the NEW IOS Image first and then the path to the current IOS Image:

boot system flash disk0:s72033-adventerprisek9_wan-mz.122-33.SXI2.bin
boot system flash disk0:s72033-adventerprisek9_wan-mz.122-18.SXF6.bin

Now looking at the example above, when the router reboots, the router will try to load 122-33.SXI2 first, if unsuccessful, then it will load the current (122-18.SXF6).

Telnet Response Messages

Knowing the difference in telnet responses could easily point you in the right direction when a telnet to a host on a particular port in unsuccessful.

There are a distinct differences in getting  ‘refused’ or ‘timeout’ responses.

You will get a connection refused message for one of the following reasons:

  • The application you are trying to test hasn’t been started/installed on the remote server.
  • There is a firewall rejecting the connection attempt by terminating the connection setup.

Example output from a linux box:

telnet-refused Continue reading “Telnet Response Messages”

Top Talkers

Every quickly wanted to see the current top-talkers on a link?
Who that culprit is, that is using all the bandwidth?

Although you can use normal netflow output to work that out using the packet count or by using some external cache-flow interpreter, it is much easier to just enable netflow top-talkers.

To enable and enter top-talkers configuration mode:
(config)#ip flow-top-talkers

Continue reading “Top Talkers”

OUTPUT 101- Interface states

Sometimes it is necessary to go back to the basics that we have already forgotten. You can identify six possible states in the interface status line of the show interfaces serial output:

  1. Serial x/y is up, line protocol is up
  2. Serial x/y is down, line protocol is down
  3. Serial x/y is up, line protocol is down
  4. Serial x/y is up, line protocol is up (looped)
  5. Serial x/y is up, line protocol is down (disabled)
  6. Serial x/y is administratively down, line protocol is down

Continue reading “OUTPUT 101- Interface states”

Using the Track Statement

Assume you have the following hypothetical scenario, R2 and R7 on one site, connected to a WAN infrastructure via multiple links (omitted here), where there are two gateways R5 & R6:


Client requests the following:

  • R2 should be the active HRSP router if R2 has connectivity to BOTH R5 and R6 loopbacks.
  • R7 should be the active HSRP router if R2 has connectivity to only ONE of the 2 gateways.
  • R2 should be the active HSRP router if R2 has NO connectivity to either R5 or R6.

Continue reading “Using the Track Statement”

Using Netflow’s verbose output with QOS

In the previous article I showed how useful Netflow can be, but that is only the beginning. The “verbose” output provides even more useful information, specifically the TOS-Byte. That field is necessary when you want to verify if QOS marking is correctly applied to traffic classes.

But first you have to understand a little about QOS (Quality of Service) and the TOS-byte/DS-Field in the IP header.

The IP header is defined in RFC 791, includes a 1-byte field called the Type of Service (ToS) byte. The ToS byte was intended to be used as a field to mark a packet for treatment with QoS tools. The ToS byte itself was initially further subdivided, with the high-order 3 bits defined as the IP Precedence (IPP) field. Bits 3 through 6 were not used very often, and bit 7 was never defined, so over time the entire ToS byte’s purpose was to hold the 3-bit IPP field. 3 bits (23 = 8 ) allowed 8 possible markings.


Continue reading “Using Netflow’s verbose output with QOS”

Using Netflow

Ever needed to track specific flow of information or find out what ports a application is using, or verify if your QOS is working correctly? Cisco Netflow is the answer.

NetFlow is a Cisco IOS application that provides a rich set of traffic statistics on packets flowing through the router, both ingress and egress. A NetFlow network flow is defined as a unidirectional stream of packets between a given source and destination. These key fields/statistics define a unique flow:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 3 protocol type
  • Type of service (ToS)
  • Input logical interface

If a packet has one key field different from another packet, it is considered to belong to another flow. Flows are stored in the NetFlow cache and does does consumes additional memory, but generally this is not to much of a problem. Netflow data could be exported, but here I’ll show how to use it on CLI and how to interpret it.

Continue reading “Using Netflow”