Showing posts with label configuration. Show all posts

Router configuration partitioning

If you have to troubleshoot routers with long configurations, you're probably as fed up with the slow response of the show running-config command as I am. Unfortunately, there's not much you can do; the running configuration is reverse-engineered from various memory variables every time you ask for it and that process simply takes time if you've configured many parameters.

IOS release 12.2(33)SRB has introduced a fantastic feature: router configuration partitioning. The early seeds of this idea are already present in mainstream IOS releases. For example, you can display the configuration of a single interface, all class-maps or all policy-maps. The configuration partitioning gives you the ability to display access-lists, route-maps, static routes, router configurations ... The following printout shows you the various parts of router configuration you can display:

PE-A#show running-config partition ?
  access-list All access-list configurations
  class-map All class-map configurations
  common All remaining unregistered configurations
  global-cdp All global cdp configurations
  interface Each Interface specific Configurations
  ip-as-path All IP as-path configurations
  ip-community All IP community list configurations
  ip-domain-list All ip domain list configurations
  ip-prefix-list All ip prefix-list configurations
  ip-static-routes All IP static configurations
  line All line mode configurations
  policy-map All policy-map configurations
  route-map All route-map configurations
  router All routing configurations
  snmp All SNMP configurations
  tacacs All TACACS configurations
For example, if you want to display just the configuration of the OSPF process, you'd ask for show running partition router ospf 1:
PE-A#show running partition router ospf 1
Building configuration...

Current configuration : 164 bytes
!
Configuration of Partition - router ospf 1
!
!
router ospf 1
 log-adjacency-changes
 passive-interface Serial1/1
 network 0.0.0.0 255.255.255.255 area 0
!
!
end

Disable optional IOS features on high CPU load

One of my readers has submitted an interesting EEM applet in a comment to the Generate SNMP trap on high CPU load post. The applet monitors the CPU load (using an SNMP variable from the CISCO-PROCESS-MIB) and disables WCCP when the 1-minute average load exceeds 75%. You can change the thresholds or disable/enable other IOS features by modifying the applet's source code.

Configuring lines and terminals

Numerous comments to the "terminal exec prompt" post told me that it might be good to review the line/terminal configuration rules:

  • If you want to configure a permanent line characteristic (for example, international), you should do so in the VTY configuration (see also how the VTY configurations are merged);
  • If you want a temporary change in the characteristic of your current line (VTY or console), use terminal characteristic to enable it or terminal no characteristic to disable it.

For example, IOS performs DNS lookups on all names entered by a user (assuming the ip domain-lookup is not disabled). You can change that behavior with the domain-lookup characteristic (enabled by default). To permanently disable DNS lookups on all VTYs use:

line vty 0 4
no domain-lookup
To disable the lookup for the current session, use terminal no domain-lookup.

When “copy” actually means “merge”

Marcus Jensen asked me a very interesting question:

I want to send 3 lines of configuration to a remote router, but I know the first line will kill my connection. Can I save these 3 lines of code to a text file, and then issue a Tcl command to add those to the running config?

The solution is much simpler and does not have to involve Tcl at all. The copy something system:running-config command merges the configuration commands in the source file with the current running configuration.

You can store the configuration commands you want to execute in a local file (even in NVRAM) or you could execute them directly off a file server (using HTTP, FTP, TFTP or SCP protocol).

This article is part of You've asked for it series.

Merging VTY configurations

Someone sent me an interesting question a while ago: he had changed the configuration of a single VTY line and got three blocks of VTY configuration commands, similar to this:

line vty 0 2
 login
line vty 3
 password secret
 login
line vty 4
 login
He wanted to merge the three configuration blocks back into a single one but somehow didn't know how to do it.

To realize what's going on, you have to understand how the IOS generates line configurations. It takes the first line (VTY 0, for example) and generates its configuration. If the next line (VTY 1) has exactly the same configuration, the range of numbers is expanded (becoming VTY 0 1) and so forth until the pool of similar lines is exhausted or a line is found that has at least one parameter different from the starting one, in which case a new block is started. That's why the sample configuration has three blocks (0-2, 3 and 4) even though the first and the third block are identical.

However, if you change the offending parameter, the VTY lines will have identical configurations and will be automatically merged. If you want to be on the safe side, you should change the parameter for all lines, for example:
line vty 0 4
 login
 password secret
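As an added example (not part of the original post), the following Python script reproduces the block-generation rule described above on a constructed set of per-VTY settings and then applies the remedy of setting the offending parameter on all lines; the parameter ordering in render is an assumption made to match the post's printout.

```python
# Constructed sample (not from the post's router): the parameters IOS keeps for each VTY,
# mirroring the post's printout in which only VTY 3 carries a password.
SAMPLE_VTYS = {
    0: {"login"},
    1: {"login"},
    2: {"login"},
    3: {"login", "password secret"},
    4: {"login"},
}

def build_line_blocks(vtys):
    """Reproduce how IOS folds per-line settings into 'line vty X Y' blocks.

    Walking the lines in numerical order, the next line joins the current block
    only if its parameters are identical; otherwise it opens a new block. A block
    is never reopened, so VTY 4 stays separate from VTY 0-2 although both only
    carry 'login'.
    """
    blocks = []                       # entries: [first, last, frozenset(parameters)]
    for num in sorted(vtys):
        cfg = frozenset(vtys[num])
        if blocks and blocks[-1][1] == num - 1 and blocks[-1][2] == cfg:
            blocks[-1][1] = num       # extend the range, e.g. "line vty 0" -> "line vty 0 1"
        else:
            blocks.append([num, num, cfg])
    return [tuple(b) for b in blocks]

def render(blocks):
    """Print the blocks the way 'show running-config' would."""
    out = []
    for first, last, cfg in blocks:
        out.append(f"line vty {first}" if first == last else f"line vty {first} {last}")
        # Assumption: IOS emits parameters in a fixed order; here 'password' precedes the rest
        out.extend(" " + p for p in sorted(cfg, key=lambda p: (not p.startswith("password"), p)))
    return "\n".join(out)

def set_on_all_lines(vtys, parameter):
    """The post's remedy: apply the offending parameter to every line so all configs match."""
    return {num: set(cfg) | {parameter} for num, cfg in vtys.items()}

if __name__ == "__main__":
    print(render(build_line_blocks(SAMPLE_VTYS)))          # three blocks: 0-2, 3, 4
    print("!")
    print(render(build_line_blocks(set_on_all_lines(SAMPLE_VTYS, "password secret"))))  # one block: 0-4
```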

Note: This article is part of You've asked for it series.

Reduce IP addressing errors in lab environment

One of the most tedious tasks in the initial lab setup (at least for me) is the IP address configuration, which usually includes a number of typos and mix-ups on the WAN links. You can simplify the WAN address configuration if you configure only one end of the WAN link and let PPP do the rest. For example, you could use the following configuration to configure the WAN link on your core router …

hostname Core-2
!
interface Serial1/0
 description link to POP
 ip address 10.0.2.1 255.255.255.252
 encapsulation ppp
 peer default ip address 10.0.2.2
… and use IPCP negotiation on the POP router to pick up the WAN IP address:
hostname POP
!
interface Serial1/0
 description link to Core-1
 ip address negotiated
 encapsulation ppp

You should not configure no peer neighbor-route on the router that gets a dynamic IP address, as the subnet mask is not assigned with IPCP; you need the IPCP-generated host routes if you want to do hop-by-hop telnet between the routers.

Fix bugs in EEM action cli implementation

Every now and then, EEM applets fail to recognize a new configuration prompt generated by the router and abort due to timeout (or hang forever if you're using an IOS release prior to 12.4(15)T). You can use the new pattern keyword of the action cli configuration command to fix the bug.

For example, the DNS view configuration is not recognized by the EEM code, so the following applet fails to complete:

event manager applet Test
 event none
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip dns view default"
 action 1.3 cli command "dns forwarder 10.0.0.2"

… as you can test quite easily with the EEM CLI debugging (note the jump in the timestamps from :13.523 to :33.395, which indicates the EEM applet timeout) …

Rtr#event man run Test
:13.343: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : CTL : cli_open called.
:13.451: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT :
:13.455: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT : GW-B>
:13.459: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : IN : GW-B>enable
:13.499: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT :
:13.499: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT : GW-B#
:13.499: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : IN : GW-B#configure terminal
:13.519: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT :
:13.519: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
:13.523: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT : GW-B(config)#
:13.523: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : IN : GW-B(config)#ip dns view default
:33.395: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT :
:33.399: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : OUT : GW-B(cfg-dns-view)#
:33.403: %HA_EM-6-LOG: Test : DEBUG(cli_lib) : : CTL : cli_close called.

To fix this bug, use the pattern "#" option of the action cli command to tell the EEM applet what prompt to expect:

event manager applet Test
 event none
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "ip dns view default" pattern "#"
 action 1.3 cli command "dns forwarder 10.0.0.2" pattern "#"

Copy the text files into router's flash through a Telnet session

Were you ever in a situation where a file that would have to be on the router was sitting on your laptop, but you couldn't store it into the router's flash across the Telnet session or through the console port?

If the file in question is a text file, and the router supports Tcl shell, danshtr documented an interesting trick: you create the file in the Tclsh interpreter, cut-and-paste the text through the telnet session into a Tcl string and write the string to the file. If you want a more cryptic solution, here it is:

  • Start tclsh;
  • Enter puts [open "flash:filename" w+] {. Do not hit the ENTER key at the end of the line
  • Copy-paste the file contents. The contents should not include unmatched curly right brackets (every curly right bracket has to be preceded by a matching curly left bracket).
  • After the file contents have been pasted, enter } and press ENTER.
  • End the tclsh session with tclquit.

Kron: poor-man's cron

When two groups within Cisco needed time-based command execution in Cisco IOS, they (in a typical big-corporation fashion) decided to implement the same wheel from two different sets of spokes and rims. One group built the Embedded Event Manager with its event timer cron command (introduced in 12.2(25)S and 12.3(14)T), the other group created the more limited kron command set (introduced in 12.3(1)).

EEM is almost a perfect superset of kron; both can trigger a set of CLI commands at reload, at periodic intervals or at a certain time in the future. The only extra functionality offered by kron is the ability to specify a different username for each event (whereas all EEM applets have to run under a common username) … and kron is available in older IOS releases.

Similar to EEM applets, CLI commands executed within kron cannot expect extra input (so you cannot execute clear counters or reload from kron) and the output they generate is lost unless you use output filters to redirect it to an external file.

Here is a simple configuration that archives the router's running configuration every Sunday half an hour before midnight:

kron policy-list archiveConfig
 cli archive config
!
kron occurrence archiveConfig at 23:30 Sun recurring
 policy-list archiveConfig

Enable password or enable secret?

I've stumbled across a blog post that indicates there's still confusion on some fundamental configuration issues. I will not even try to guess whether there is a wide consensus on how to configure a router, but these are the facts (and here is a ten year old position from Cisco):

Remove the configuration prompt

I should probably write this one on April 1st, but maybe October 31st is not such a bad choice after all … if you configure no service prompt config, the configuration prompt is gone; when you enter the configuration mode with the configure terminal command, you get an empty line (like you did with Cisco software release 9.1 some 15 years ago). Similarly, you can disable command-line editing with the no editing line configuration command or terminal no editing exec-level command. If only there would be a way to disable the context-sensitive help :)

IOS 12.4T features summarized on one page

I always thought that the new format of the Cisco web-based documentation was awful, as it consumes way more bandwidth than the old version and is slower to load over low-speed links as it displays the text only after the complete page is loaded due to heavy use of table-based HTML layout (I will refrain from commenting on the use of this layout technique in the third millennium). However, the new content structure has some significant benefits; for example, all the 12.4T feature guides are collected on a single page … fantastic if you try to find a feature that you remember was implemented somewhere in the 12.4T track.

Re-enable debugging without EEM

In his comment to my post about re-enabling debugging after router reload, Mike pointed out an interesting IOS feature: you can execute the do command from a configuration file, not just from the user interface. To make his tip even more useful, you can store the do command(s) in an external file on a TFTP server, not in the startup configuration (which would have to be edited manually). With the boot host URL configuration command you'd then ensure that these commands are executed after the router reload.

Notes:

  • The router expects a newline character at the end of the configuration file. The best way to ensure it's always there is to add a comment line at the end of the file.
  • The configuration file load usually fails immediately after the reboot, as the interfaces and IP routing processes are not yet fully operational. You might thus miss the first few seconds of the router's operations (unless you store the extra configuration file in Flash or NVRAM).

Default interface configuration command

The easiest way to remove all settings from an interface is to use the default interface configuration command. For example, if you've configured Frame Relay interface with subinterfaces ...

interface Serial0/0/0
no ip address
encapsulation frame-relay
load-interval 60
!
interface Serial0/0/0.100 point-to-point
bandwidth 2000
ip address 172.16.1.1 255.255.255.252
ip load-sharing per-packet
ip ospf cost 50
frame-relay interface-dlci 100
... and want to erase all interface-specific configuration, the ...

rtr(config)#default interface serial 0/0/0
Building configuration...

Interface Serial0/0/0 set to default configuration
... gets you there. As you can see, after the configuration change, the main interface has no IP address and the subinterface is deleted.
a1#show ip interfaces brief
Interface IP-Address OK? Method Status Protocol

... non-relevant lines deleted ...

Serial0/0/0 unassigned YES TFTP up up
Serial0/0/0.100 unassigned YES manual deleted down

Fix router configuration after a reload

Sometimes, parts of router configuration get lost during the reload process: although the configuration commands are saved in NVRAM, they are not processed after the reload and thus do not appear in the running configuration. Re-entering these commands manually solves the problem ... but it's obviously not a reliable solution.

Embedded Event Manager (EEM) solves this issue as well. You just configure an applet that triggers on the syslog message SYS-5-RESTART and reapplies the necessary configuration commands. For example, to fix the bug CSCsf32390, Cisco recommends the following applet:

event manager applet add-buffer
event syslog occurs 1 pattern "%SYS-5-RESTART: System restarted"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "buffers particle-clone 16384"
action 4.0 cli command "buffers header 4096"
action 5.0 cli command "buffers fastswitching 8192"
action 6.0 syslog msg "Reinstated buffers command"

Boot a 2800-router with a USB image

If you would like to boot an ISR router (for example, a 2800) from USB flash, but cannot upgrade the ROMMON, all is not lost - you can specify the USB-based image with the boot system configuration command (for example, boot system usbflash1:c2800nm-advipservicesk9-mz.124-11.T1.bin), but the boot process will take significantly longer (this also applies to any other scenario where the ROMMON cannot load the image specified in the boot system command):

  • When the router is reloaded, ROMMON reads the router configuration and tries to start the required image
  • If ROMMON cannot load the image specified in the boot system command, it starts the default image (usually whatever is stored in on-board flash)
  • When the first IOS image loads (after being copied and decompressed in most cases), it discovers that it's not the correct image
  • The now-operational IOS image loads the new image in RAM (in our case from usbflash1:), decompresses it and transfers the control to it

Execute show commands while configuring a router

I've always wanted to be able to execute a show command while configuring a router (I'm never good at remembering subinterface numbers). A while ago Cisco introduced the do configuration command that allows you to execute any exec-level command (including telnetting to another device) without leaving the current configuration mode. For example, to view the interface numbers while trying to configure an interface, use the do show ip interface brief command:

router(config-if)#do show ip interfaces brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.0.6 YES manual administratively down down
FastEthernet0/1 unassigned YES unset administratively down down
Serial0/0/0 unassigned YES manual up up
Serial0/0/0.101 172.16.1.6 YES manual up up
Serial0/1/0 unassigned YES unset administratively down down
Serial0/1/1 unassigned YES TFTP administratively down down
Loopback0 172.16.0.22 YES manual up up

Display configuration of a single interface

Displaying the configuration of a single interface can be a time-consuming task if your router has an extremely long configuration (for example, a high-end device with hundreds of interfaces, route-maps, access-lists etc.). In this case, the interface keyword of the show running-config command becomes extremely useful. For example, the show running-config interface serial 0/0.1 command displays only the configuration of the specified interface (without building the whole running configuration):

POP#show running-config interface serial 0/0.1
Building configuration...

Current configuration : 154 bytes
!
interface Serial0/0.1 point-to-point
description *** Link to Core-1 ***
ip address 172.16.1.6 255.255.255.252
frame-relay interface-dlci 101
end
Note: the printout is taken from the Configuring BGP Route Reflectors remote lab.

Replacing configuration on a working router

In my IP Corner article Replacing Configuration on a Working Router, I'm describing how you can use the Configuration Replace and Configuration Rollback features of Cisco IOS to replace configuration you've managed to break with a working one. In the section Event-Driven Rollback, you'll also find Embedded Event Manager applets that emulate the Configuration Commit feature of IOS XR in IOS release 12.4.

Filter sections of your running configuration

The IOS command line interface has long included unix-style pipes that you could use to limit the output generated by the show commands. Initially, the only available filters were begin (include everything after the first regular expression match), end (stop the output at the RE match) or include (include only matching lines).

IOS release 12.3(2)T (integrated in 12.4) brought us a few new filters, among them the section filter that includes or excludes whole sections (start of section being defined by a line with no leading space). You can use this filter to focus on parts of your router configuration. For example, to display only the routing protocols configuration, use show running | section include router command.

Of course, you can go a step further and define an alias; for example, the alias exec events show running | include ^event manager configuration command defines the exec-mode events command that lists all EEM applets.
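As an added example (not part of the original post), here is a small Python emulation of the begin, end, include and section include/exclude filters described above, run over a constructed running-config excerpt; the alias example is covered too, since include ^event manager is just one of its cases. The sample configuration and the apply_filter/split_sections names are this example's own.

```python
import re

# Constructed running-config excerpt (not from the post's router), used as filter input.
RUNNING_CONFIG = """\
hostname PE-A
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65001
!
event manager applet Test
 event none
!
end
"""

def split_sections(lines):
    """A section starts at each line with no leading space and runs to the next such line."""
    sections = []
    for line in lines:
        if sections and line[:1].isspace():
            sections[-1].append(line)
        else:
            sections.append([line])
    return sections

def apply_filter(text, spec):
    """Emulate 'show ... | <spec>' for begin, end, include and section include/exclude."""
    verb, _, regex = spec.partition(" ")
    mode = "include"                      # 'section <re>' defaults to 'section include'
    if verb == "section":
        head, _, tail = regex.partition(" ")
        if head in ("include", "exclude"):
            mode, regex = head, tail
    rx = re.compile(regex)
    lines = text.splitlines()
    if verb == "include":                 # only matching lines
        return [l for l in lines if rx.search(l)]
    if verb == "begin":                   # everything from the first match onward
        return next((lines[i:] for i, l in enumerate(lines) if rx.search(l)), [])
    if verb == "end":                     # everything up to and including the first match
        return next((lines[:i + 1] for i, l in enumerate(lines) if rx.search(l)), lines)
    if verb == "section":                 # whole sections that contain (or lack) a match
        want = mode == "include"
        out = []
        for sec in split_sections(lines):
            if any(rx.search(l) for l in sec) == want:
                out.extend(sec)
        return out
    raise ValueError(f"unknown filter {verb!r}")
```

Running apply_filter(RUNNING_CONFIG, "section include router") returns both router sections with their indented lines and without the intervening "!" separators, which is exactly why the filter is handy for configuration review.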