Cisco IOS Command Tips and Tricks - Part 1 - NETSEC

Thursday, March 24, 2016

This post collects some small tips and tricks I found during my daily work. Since the list is getting longer and longer, I am splitting it into two posts.

1. Basic Troubleshooting Commands

ping
traceroute
telnet
show interfaces (e.g. show interfaces GigabitEthernet 3/6)
show ip interface
show ip route
show running-config
show startup-config
show ip sockets
show conn
show tcp brief

2. Archive Command

  • Configuration change logging, plus saving a copy of the current configuration to local flash on every write memory:

archive
 ! log all commands
 log config
  logging enable
  logging size 200
  notify syslog contenttype plaintext
  hidekeys
 path flash:backup-
 maximum 8
 write-memory

  • Compare the startup configuration with the running configuration:

R1#show archive config differences
!Contextual Config Diffs:
!No changes were found

  • show archive log config all
  • show archive


3. Enable IPv6 on Cisco Switch 3550/3560

3560:
sdm prefer dual-ipv4-and-ipv6 routing

3550:

Switch: interface f0/24 is connected to router P1R1
interface FastEthernet0/24
no switchport
ip address 172.17.255.1 255.255.255.254
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP-KEY
ipv6 address 2001:DB8:CAFE:201::/64 eui-64
ipv6 rip 1 enable
spanning-tree portfast

Tunnel 0:
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source FastEthernet0/24
tunnel destination 172.17.255.0    !---> P1R1

P1R1
interface Tunnel0
no ip address
ipv6 address 2001:DB8:CAFE:301::/64 eui-64
ipv6 enable
ipv6 rip 1 enable
tunnel source Ethernet0/0
tunnel destination 172.17.255.1

4. Using FTP to transfer files to flash

copy ftp://test:[email protected] flash:

5. Clear IOS configuration
write erase

6. Delete flash: folder
delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE

7. Basic Commands to Enable Telnet/SSH on Cisco Devices

a. Telnet Access

no aaa new-model
username test privilege 15 secret test
line vty 0 15
login local
no password
transport input telnet

b. SSH Access:

hostname Switch1
ip domain-name test.com
crypto key generate rsa general-keys modulus 2048
ip ssh time-out 60
ip ssh version 2
line vty 0 15
transport input ssh

c. Console Access with username/password:

line con 0
login local
exit

8. Debug IP Traffic based on Access-list

The debug procedure is the following:
1) Turn on process switching on both interfaces of the router (no ip route-cache), so that the packets are handled by the CPU and can be seen by debug ip packet.
Router(config)#interface g0/0
Router(config-if)#no ip route-cache
Router(config)#interface g0/1
Router(config-if)#no ip route-cache

2) Create an access list that defines the specific traffic you want to monitor between the two hosts.
Router(config)#access-list 199 permit tcp host 11.11.11.1 host 22.22.22.2
Router(config)#access-list 199 permit tcp host 22.22.22.2 host 11.11.11.1

3) If you are in a telnet session to the router, turn on terminal monitor.
Router#term mon
If you are in a console session, use the logging console command instead.
Router(config)#logging console

4) Finally, run the debug command, where 199 is the access list number created above.
Router#debug ip packet 199 detail
*Jul 23 20:25:30.616: IP: s=11.11.11.1 (local), d=22.22.22.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
........

5) Use the undebug all (un all) command to turn it off.
Router#un all

9. Kron command

The kron command can be used to reboot the router regularly, clear interface counters, save the configuration, show the routing table, and so on, but it does not support interactive commands.

The following example uses it to save the configuration on a regular basis.


Router# show kron schedule
Kron Occurrence Schedule
backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon

Router# show running-config
(truncated)
kron occurrence backup at 22:00 Mon recurring
 policy-list backup
!
kron policy-list backup
 cli write

Another example runs the TCL script script.tcl as the specific user jonny:

kron occurrence tcl_occur user jonny in 12:0 recurring
 policy-list tclpol
kron policy-list tclpol
 cli tclsh flash:/script.tcl

10. Enable IP Accounting on interface

IP accounting does not provide much functionality, but it does give a summary of the traffic passing through a router. The router records only packets that transit it; connections initiated from the router or terminating at the router are not counted.

interface GigabitEthernet0/1
ip address 100.199.48.15 255.255.255.0
ip accounting output-packets
duplex full
speed 100
end

R1#sh ip accounting
   Source           Destination        Packets      Bytes
 100.199.48.10      100.199.38.53          6          241
 100.199.38.53      100.199.48.10          4          183
 138.11.117.16      166.6.23.14            1          104

Accounting data age is 3w0d

11. Show configuration without pagination

Cisco router/switch:
terminal length 0

ASA firewall:
terminal pager 0

12. Debug commands at Cisco ASA 9.1(2)

terminal monitor
logging buffer-size 1048576
logging buffered 7
logging monitor 7
debug crypto condition peer 10.10.10.10

debug crypto ipsec 127
debug crypto ikev1 127

13. Display Cisco IOS Device Opened Ports

R#show control-plane host open-ports
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
 udp                       *:162                         *:0                  IP SNMP   LISTEN
 udp                     *:65110                         *:0                  IP SNMP   LISTEN
 udp                      *:1975                         *:0                      IPC   LISTEN

How to close port 23 from external scans is described in my post: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning
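
As an added example (not from the original post), this Python script parses the show control-plane host open-ports listing above and flags the listeners a hardening review would want closed or restricted, such as Telnet on tcp/23 and SNMP on udp/161. The sample output is constructed from the listing above, and the table of flagged services is my own choice.

```python
import re

# Constructed sample of "show control-plane host open-ports" output, modelled on the
# listing above (sample data, not captured from a real device).
SAMPLE_OPEN_PORTS = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
 udp                       *:162                         *:0                  IP SNMP   LISTEN
 udp                     *:65110                         *:0                  IP SNMP   LISTEN
 udp                      *:1975                         *:0                      IPC   LISTEN
"""

# One listener line: protocol, local addr:port, foreign addr:port, service name, state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?P<service>.+?)\s+(?P<state>LISTEN|ESTABLISHED)\s*$"
)

# Listeners a hardening review flags (my own table, not from the post):
# clear-text management on tcp/23 and the SNMP agent on udp/161.
FLAGGED = {
    ("tcp", 23): "Telnet listener: clear-text management, prefer SSH (transport input ssh)",
    ("udp", 161): "SNMP agent listening: restrict it with an access-list on the community / v3 user",
}

def parse_open_ports(text):
    """Return (proto, port, service, state) tuples for every listener line in the output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.append((m.group("proto"), port, m.group("service").strip(), m.group("state")))
    return listeners

def review_open_ports(text):
    """Map each flagged listening port to the reason it was flagged."""
    return {
        port: FLAGGED[(proto, port)]
        for proto, port, _service, state in parse_open_ports(text)
        if state == "LISTEN" and (proto, port) in FLAGGED
    }

if __name__ == "__main__":
    for port, reason in sorted(review_open_ports(SAMPLE_OPEN_PORTS).items()):
        print(f"port {port}: {reason}")
```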

14. Native VLAN mismatch

062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).

Although both ports are configured as access ports in different VLANs (56 and 1), this mismatch message should not appear. One solution is a single global command:

no cdp advertise-v2

Alternatively, use a different VTP domain name on those switches:

Switch(config)# vtp mode transparent
Switch(config)# vtp domain a_unique_name
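
Before suppressing the message, it helps to know how often and on which links it fires. The following Python snippet is an added example, not from the original post: it parses %CDP-4-NATIVE_VLAN_MISMATCH syslog lines in the format shown above and counts repeats per link. The log lines are constructed samples, and Swtch1/Swtch2 are placeholder hostnames.

```python
import re

# Pattern for the %CDP-4-NATIVE_VLAN_MISMATCH message in the format shown above:
# "... discovered on <local-if> (<local-vlan>), with <neighbor> <remote-if> (<remote-vlan>)."
MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<neighbor>\S+) (?P<remote_if>\S+) \((?P<remote_vlan>\d+)\)"
)

# Constructed sample syslog lines (sample data; Swtch1/Swtch2 are placeholder hostnames).
SAMPLE_LOG = """\
062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).
062276: May 12 00:10:12.004 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
062277: May 12 00:10:37.210 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).
062278: May 12 00:11:02.511 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/9 (10), with Swtch2 GigabitEthernet0/1 (20).
"""

def parse_mismatches(log_text):
    """Return one dict per mismatch message; unrelated syslog lines are ignored."""
    rows = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            d = m.groupdict()
            d["local_vlan"] = int(d["local_vlan"])
            d["remote_vlan"] = int(d["remote_vlan"])
            rows.append(d)
    return rows

def summarize_mismatches(log_text):
    """Count repeats per (local interface, neighbor, remote interface) link, so a
    persistent mismatch stands out from a one-off seen during reconfiguration."""
    links = {}
    for d in parse_mismatches(log_text):
        key = (d["local_if"], d["neighbor"], d["remote_if"])
        entry = links.setdefault(key, {"count": 0, "vlans": (d["local_vlan"], d["remote_vlan"])})
        entry["count"] += 1
    return links

if __name__ == "__main__":
    for (local_if, neighbor, remote_if), info in summarize_mismatches(SAMPLE_LOG).items():
        print(f"{local_if} <-> {neighbor} {remote_if}: native VLANs {info['vlans']}, {info['count']} message(s)")
```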

15. IOS Password Recovery Procedures

  • Shut down the router then Power on the router
  • Press Break on the terminal keyboard within 60 seconds of power up in order to put the router into ROMmon. (On some keyboards the Pause key is used to enter ROMmon mode; you may not need Fn+Pause or Ctrl+Break.)
  • Once the Rommon1> prompt appears, enter this command: confreg 0x2142
    Then type reset to reboot Cisco device.
  • When you are prompted to enter the initial configuration, type No, and press Enter.
    At the Router> prompt, type enable.
  • At the Router# prompt, enter the configure memory command, and press Enter in order to copy the startup configuration to the running configuration.
  • Use the config t command in order to enter global configuration mode.
  • Use this command in order to create a new user name and password:
    router(config)#username test privilege 15 password test
  • Use this command in order to change the boot statement: config-register 0x2102
  • Use this command in order to save the configuration: write memory

16. Reload Device in xx minutes 

This is helpful for remote work, in case you lose the connection because of a misconfiguration:
R-Test-Lab#reload in 1
Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
Reload reason: Reload Command
Proceed with reload? [confirm]
R-Test-Lab#
***
*** --- SHUTDOWN in 0:01:00 ---
***
R-Test-Lab#show reload
Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
Reload reason: Reload Command
R-Test-Lab#reload cancel
R-Test-Lab#
***
*** --- SHUTDOWN ABORTED ---
***

17. Load-Interval 30

By default, IOS calculates interface statistics over a 5-minute interval. The minimum interval you can set is 30 seconds.
interface GigabitEthernet0/0
 ip flow ingress
 load-interval 30
 duplex auto
 speed auto
end
Router#sh interfaces g0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
  Description:
  Internet address is
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 3/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 1Gbps, media type is RJ45
  output flow-control is XON, input flow-control is XON
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 12706000 bits/sec, 1423 packets/sec
  30 second output rate 966000 bits/sec, 957 packets/sec
     7877466781 packets input, 4315500899841 bytes, 1023 no buffer
     Received 345354184 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 13 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 520835 multicast, 2112 pause input
     7120190572 packets output, 2103538386166 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     121793930 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     4 lost carrier, 0 no carrier, 58519 pause output
     0 output buffer failures, 0 output buffers swapped out

18. Turn off IP Spoof Protection

ip verify reverse-path interface outside
"Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside"

19. Create Read only Account

Method one:
username local1 secret Cisco1234
username local1 privilege 15 autocommand show running

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console

Method two:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization console

username local2 privilege 7 password Cisco1234
privilege exec level 7 show config

20. Upgrade Cisco Device IOS

Switch# delete /f /r flash1:c3750-ipbase-mz.122.35-35.SE5.bin

Switch#copy tftp: flash:ios.tar

Switch#verify /md5 flash:ios.tar
.........................Done!
verify /md5 (flash:ios.tar) = bb86b1de4eb8e37fd0710c40d891445c

Switch#archive tar /xtract ios.tar flash:

Switch(config)#boot system flash:/ios/ios.bin

Switch#wr
Switch#show boot
BOOT path-list      : flash:/ios/ios.bin
Config file         : flash:/config.text
Private Config file : flash:/private-config.text
.....

Switch#reload



21. Set SSH/Telnet/Ping/Traceroute with a source ip or interface

  • SSH

ip ssh source-interface <interface to use>

  • Telnet

ip telnet source-interface <interface to use>

R1#telnet 10.9.38.3 22 /source-interface l0
Trying 10.9.38.3, 22 ... Open
SSH-2.0-1.36 sshlib: GlobalScape

  • Ping

ping <ip address> source <ip address / interface to use>

  • Traceroute 

using extended traceroute:
R1#traceroute
Protocol [ip]:
Target IP address: 10.10.10.10
Source address: 10.11.11.11
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.10.10.10
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *



