SECOND EDITION
Cisco IOS Cookbook
Kevin Dooley and Ian J. Brown
O'REILLY
Beijing • Cambridge • Farnham • Koln • Paris • Sebastopol • Taipei • Tokyo
Table of Contents
Preface xix
1. Router Configuration and File Management 1
1.1 Configuring the Router via TFTP 4
1.2 Saving Router Configuration to Server 5
1.3 Booting the Router Using a Remote Configuration File 7
1.4 Storing Configuration Files Larger Than NVRAM 10
1.5 Clearing the Startup Configuration 12
1.6 Loading a New IOS Image 15
1.7 Booting a Different IOS Image 18
1.8 Booting over the Network 22
1.9 Copying an IOS Image to a Server 24
1.10 Copying an IOS Image Through the Console 25
1.11 Deleting Files from Flash 27
1.12 Partitioning Flash 30
1.13 Using the Router as a TFTP Server 32
1.14 Using FTP from the Router 33
1.15 Generating Large Numbers of Router Configurations 35
1.16 Changing the Configurations of Many Routers at Once 38
1.17 Extracting Hardware Inventory Information 41
1.18 Backing Up Router Configurations 43
1.19 Warm Reload 47
1.20 Warm Upgrade 48
1.21 Configuration Archiving 50
1.22 Locking Configuration Access 52
2. Router Management 55
2.1 Creating Command Aliases 55
2.2 Managing the Router's ARP Cache 58
2.3 Tuning Router Buffers 60
2.4 Auto Tuning Buffers 65
2.5 Using the Cisco Discovery Protocol 66
2.6 Disabling the Cisco Discovery Protocol 70
2.7 Using the Small Servers 71
2.8 Enabling HTTP Access to a Router 75
2.9 Enabling Secure HTTP (HTTPS) Access to a Router 77
2.10 Using Static Hostname Tables 79
2.11 Enabling Domain Name Services 81
2.12 Disabling Domain Name Lookups 84
2.13 Specifying a Router Reload Time 86
2.14 Scheduling of Router Commands 89
2.15 Displaying Historical CPU Values 91
2.16 Creating Exception Dump Files 94
2.17 Generating a Report of Interface Information 96
2.18 Generating a Report of Routing Table Information 99
2.19 Generating a Report of ARP Table Information 101
2.20 Generating a Server Host Table File 103
3. User Access and Privilege Levels 107
3.1 Setting Up User IDs 108
3.2 Encrypting Passwords 111
3.3 Using Better Password-Encryption Techniques 113
3.4 Removing Passwords from a Router Configuration File 115
3.5 Deciphering Cisco's Weak Password Encryption 117
3.6 Displaying Active Users 119
3.7 Sending Messages to Other Users 121
3.8 Changing the Number of VTYs 123
3.9 Changing VTY Timeouts 125
3.10 Restricting VTY Access by Protocol 127
3.11 Enabling Absolute Timeouts on VTY Lines 128
3.12 Implementing Banners 129
3.13 Disabling Banners on a Port 133
3.14 Disabling Router Lines 133
3.15 Reserving a VTY Port for Administrative Access 136
3.16 Restricting Inbound Telnet Access 138
vi | Table of Contents
3.17 Logging Telnet Access 139
3.18 Setting the Source Address for Telnet 140
3.19 Automating the Login Sequence 141
3.20 Using SSH for Secure Access 144
3.21 Changing Privilege Level of IOS Commands 148
3.22 Defining Per User Privileges 151
3.23 Defining Per Port Privileges 154
4. TACACS+ 156
4.1 Authenticating Login IDs from a Central System 157
4.2 Restricting Command Access 160
4.3 Losing Access to the TACACS+ Server 162
4.4 Disabling TACACS+ Authentication on a Particular Line 164
4.5 Capturing User Keystrokes 165
4.6 Logging System Events 166
4.7 Setting the IP Source Address for TACACS+ Messages 168
4.8 Sample Server Configuration Files 169
5. IP Routing 173
5.1 Finding an IP Route 176
5.2 Finding Types of IP Routes 177
5.3 Converting Different Mask Formats 179
5.4 Using Static Routing 184
5.5 Floating Static Routes 187
5.6 Using Policy-Based Routing to Route Based on Source Address 190
5.7 Using Policy-Based Routing to Route Based on Application Type 193
5.8 Examining Policy-Based Routing 196
5.9 Changing Administrative Distances 197
5.10 Routing Over Multiple Paths with Equal Costs 201
5.11 Static Routes That Track Interfaces or Other Routes 203
5.12 Keeping Statistics on Routing Table Changes 209
6. RIP 213
6.1 Configuring RIP Version 1 215
6.2 Filtering Routes with RIP 218
6.3 Redistributing Static Routes into RIP 221
6.4 Redistributing Routes Using Route Maps 225
6.5 Creating a Default Route in RIP 227
6.6 Disabling RIP on an Interface 229
6.7 Default Passive Interface 231
6.8 Unicast Updates for RIP 233
6.9 Applying Offsets to Routes 235
6.10 Adjusting Timers 237
6.11 Configuring Interpacket Delay 240
6.12 Enabling Nonperiodic Updates 241
6.13 Increasing the RIP Input Queue 244
6.14 Configuring RIP Version 2 245
6.15 Enabling RIP Authentication 247
6.16 RIP Route Summarization 250
6.17 Route Tagging 253
7. EIGRP 255
7.1 Configuring EIGRP 256
7.2 Filtering Routes with EIGRP 260
7.3 Redistributing Routes into EIGRP 265
7.4 Redistributing Routes into EIGRP Using Route Maps 269
7.5 Disabling EIGRP on an Interface 270
7.6 Adjusting EIGRP Metrics 272
7.7 Adjusting Timers 274
7.8 Enabling EIGRP Authentication 276
7.9 EIGRP Route Summarization 278
7.10 Logging EIGRP Neighbor State Changes 282
7.11 Limiting EIGRP's Bandwidth Utilization 284
7.12 EIGRP Stub Routing 285
7.13 Route Tagging 287
7.14 Viewing EIGRP Status 289
8. OSPF 293
8.1 Configuring OSPF 298
8.2 Filtering Routes in OSPF 300
8.3 Adjusting OSPF Costs 306
8.4 Creating a Default Route in OSPF 308
8.5 Redistributing Static Routes into OSPF 311
8.6 Redistributing External Routes into OSPF 313
8.7 Manipulating DR Selection 317
8.8 Setting the OSPF RID 319
8.9 Enabling OSPF Authentication 321
8.10 Selecting the Appropriate Area Types 325
8.11 Using OSPF on Dial Interfaces 333
8.12 Summarizing Routes in OSPF 337
8.13 Disabling OSPF on Certain Interfaces 339
8.14 Changing the Network Type on an Interface 341
8.15 OSPF Route Tagging 346
8.16 Logging OSPF Adjacency Changes 347
8.17 Adjusting OSPF Timers 348
8.18 Reducing OSPF Traffic in Stable Networks 350
8.19 OSPF Virtual Links 351
8.20 Viewing OSPF Status with Domain Names 352
8.21 Debugging OSPF 353
9. BGP 355
9.1 Configuring BGP 363
9.2 Using eBGP Multihop 369
9.3 Adjusting the Next-Hop Attribute 371
9.4 Connecting to Two ISPs 372
9.5 Connecting to Two ISPs with Redundant Routers 376
9.6 Restricting Networks Advertised to a BGP Peer 378
9.7 Adjusting Local Preference Values 382
9.8 Load-Balancing 386
9.9 Removing Private ASNs from the AS Path 388
9.10 Filtering BGP Routes Based on AS Paths 390
9.11 Reducing the Size of the Received Routing Table 393
9.12 Summarizing Outbound Routing Information 396
9.13 Prepending ASNs to the AS Path 399
9.14 Redistributing Routes with BGP 402
9.15 Using Peer Groups 405
9.16 Authenticating BGP Peers 407
9.17 Using BGP Communities 409
9.18 Using BGP Route Reflectors 415
9.19 Putting It All Together 419
10. Frame Relay 423
10.1 Setting Up Frame Relay with Point-to-Point Subinterfaces 426
10.2 Adjusting LMI Options 430
10.3 Setting Up Frame Relay with Map Statements 432
10.4 Using Multipoint Subinterfaces 435
10.5 Configuring Frame Relay SVCs 437
10.6 Simulating a Frame Relay Cloud 439
10.7 Compressing Frame Relay Data on a Subinterface 442
10.8 Compressing Frame Relay Data with Maps 445
10.9 PPP over Frame Relay 446
10.10 Viewing Frame Relay Status Information 449
11. Handling Queuing and Congestion 452
11.1 Fast Switching and CEF 456
11.2 Setting the DSCP or TOS Field 459
11.3 Using Priority Queuing 463
11.4 Using Custom Queuing 465
11.5 Using Custom Queues with Priority Queues 468
11.6 Using Weighted Fair Queuing 470
11.7 Using Class-Based Weighted Fair Queuing 471
11.8 Using NBAR Classification 474
11.9 Controlling Congestion with WRED 479
11.10 Using RSVP 482
11.11 Manual RSVP Reservations 485
11.12 Aggregating RSVP Reservations 490
11.13 Using Generic Traffic Shaping 491
11.14 Using Frame-Relay Traffic Shaping 493
11.15 Using Committed Access Rate 495
11.16 Implementing Standards-Based Per-Hop Behavior 500
11.17 AutoQoS 503
11.18 Viewing Queue Parameters 510
12. Tunnels and VPNs 513
12.1 Creating a Tunnel 518
12.2 Tunneling Foreign Protocols in IP 523
12.3 Tunneling with Dynamic Routing Protocols 525
12.4 Viewing Tunnel Status 528
12.5 Creating an Encrypted Router-to-Router VPN in a GRE Tunnel 530
12.6 Creating an Encrypted VPN Between the LAN Interfaces of Two Routers 538
12.7 Generating RSA Keys 541
12.8 Creating a Router-to-Router VPN with RSA Keys 545
12.9 Creating a VPN Between a Workstation and a Router 549
12.10 Creating an SSL VPN 552
12.11 Checking IPSec Protocol Status 556
13. Dial Backup 561
13.1 Automating Dial Backup 565
13.2 Using Dialer Interfaces 570
13.3 Using an Async Modem on the AUX Port 574
13.4 Using Backup Interfaces 577
13.5 Using Dialer Watch 580
13.6 Using Virtual Templates 582
13.7 Ensuring Proper Disconnection 586
13.8 View Dial Backup Status 587
13.9 Debugging Dial Backup 591
14. NTP and Time 593
14.1 Time-Stamping Router Logs 595
14.2 Setting the Time 597
14.3 Setting the Time Zone 599
14.4 Adjusting for Daylight Saving Time 600
14.5 Synchronizing the Time on All Routers (NTP) 602
14.6 Configuring NTP Redundancy 605
14.7 Setting the Router As the NTP Master for the Network 607
14.8 Changing NTP Synchronization Periods 609
14.9 Using NTP to Send Periodic Broadcast Time Updates 610
14.10 Using NTP to Send Periodic Multicast Time Updates 611
14.11 Enabling and Disabling NTP Per Interface 613
14.12 NTP Authentication 615
14.13 Limiting the Number of Peers 617
14.14 Restricting Peers 617
14.15 Setting the Clock Period 618
14.16 Checking the NTP Status 619
14.17 Debugging NTP 622
14.18 NTP Logging 624
14.19 Extended Daylight Saving Time 624
14.20 NTP Server Configuration 626
15. DLSw 629
15.1 Simple Bridging 634
15.2 Configuring DLSw 636
15.3 Using DLSw to Bridge Between Ethernet and Token Ring 643
15.4 Converting Ethernet and Token Ring MAC Addresses 646
15.5 Configuring SDLC 648
15.6 Configuring SDLC for Multidrop Connections 652
15.7 Using STUN 654
15.8 Using BSTUN 657
15.9 Controlling DLSw Packet Fragmentation 659
15.10 Tagging DLSw Packets for QoS 660
15.11 Supporting SNA Priorities 661
15.12 DLSw+ Redundancy and Fault Tolerance 662
15.13 Viewing DLSw Status Information 664
15.14 Viewing SDLC Status Information 665
15.15 Debugging DLSw 668
16. Router Interfaces and Media 673
16.1 Viewing Interface Status 674
16.2 Configuring Serial Interfaces 682
16.3 Using an Internal T1 CSU/DSU 686
16.4 Using an Internal ISDN PRI Module 688
16.5 Using an Internal 56 Kbps CSU/DSU 689
16.6 Configuring an Async Serial Interface 692
16.7 Configuring ATM Subinterfaces 693
16.8 Setting Payload Scrambling on an ATM Circuit 696
16.9 Classical IP Over ATM 697
16.10 Configuring Ethernet Interface Features 702
16.11 Configuring Token Ring Interface Features 704
16.12 Connecting VLAN Trunks with ISL 706
16.13 Connecting VLAN Trunks with 802.1Q 709
16.14 LPD Printer Support 712
17. Simple Network Management Protocol 715
17.1 Configuring SNMP 719
17.2 Extracting Router Information via SNMP Tools 721
17.3 Recording Important Router Information for SNMP Access 724
17.4 Using SNMP to Extract Inventory Information from a List of Routers 726
17.5 Using Access Lists to Protect SNMP Access 728
17.6 Logging Unauthorized SNMP Attempts 731
17.7 Limiting MIB Access 732
17.8 Using SNMP to Modify a Router's Running Configuration 736
17.9 Using SNMP to Copy a New IOS Image 738
17.10 Using SNMP to Perform Mass Configuration Changes 740
17.11 Preventing Unauthorized Configuration Modifications 743
17.12 Making Interface Table Numbers Permanent 745
17.13 Enabling SNMP Traps and Informs 747
17.14 Sending Syslog Messages As SNMP Traps and Informs 751
17.15 Setting SNMP Packet Size 752
17.16 Setting SNMP Queue Size 753
17.17 Setting SNMP Timeout Values 755
17.18 Disabling Link Up/Down Traps per Interface 756
17.19 Setting the IP Source Address for SNMP Traps 756
17.20 Using RMON to Send Traps 757
17.21 Enabling SNMPv3 762
17.22 Strong SNMPv3 Encryption 768
17.23 Using SAA 770
18. Logging 775
18.1 Enabling Local Router Logging 777
18.2 Setting the Log Size 778
18.3 Clearing the Router's Log 780
18.4 Sending Log Messages to Your Screen 780
18.5 Using a Remote Log Server 782
18.6 Enabling Syslog on a Unix Server 784
18.7 Changing the Default Log Facility 786
18.8 Restricting What Log Messages Are Sent to the Server 788
18.9 Setting the IP Source Address for Syslog Messages 790
18.10 Logging Router Syslog Messages in Different Files 791
18.11 Maintaining Syslog Files on the Server 792
18.12 Testing the Syslog Server Configuration 794
18.13 Preventing the Most Common Messages from Being Logged 796
18.14 Rate-Limiting Syslog Traffic 797
18.15 Enabling Error Log Counting 798
18.16 XML-Formatted Log Messages 799
18.17 Modifying Log Messages 802
19. Access-Lists 807
19.1 Filtering by Source or Destination IP Address 809
19.2 Adding a Comment to an ACL 813
19.3 Filtering by Application 814
19.4 Filtering Based on TCP Header Flags 818
19.5 Restricting TCP Session Direction 821
19.6 Filtering Multiport Applications 822
19.7 Filtering Based on DSCP and TOS 824
19.8 Logging When an Access-List Is Used 825
19.9 Logging TCP Sessions 826
19.10 Analyzing ACL Log Entries 829
19.11 Using Named and Reflexive Access-Lists 832
19.12 Dealing with Passive Mode FTP 834
19.13 Using Time-Based Access-Lists 836
19.14 Filtering Based on Noncontiguous Ports 839
19.15 Advanced Access-List Editing 840
19.16 Filtering IPv6 843
20. DHCP 847
20.1 Using IP Helper Addresses for DHCP 848
20.2 Limiting the Impact of IP Helper Addresses 850
20.3 Using DHCP to Dynamically Configure Router IP Addresses 852
20.4 Dynamically Allocating Client IP Addresses via DHCP 855
20.5 Defining DHCP Configuration Options 857
20.6 Defining DHCP Lease Periods 860
20.7 Allocating Static IP Addresses with DHCP 861
20.8 Configuring a DHCP Database Client 863
20.9 Configuring Multiple DHCP Servers per Subnet 865
20.10 DHCP Static Mapping 866
20.11 DHCP-Secured IP Address Assignment 869
20.12 Showing DHCP Status 871
20.13 Debugging DHCP 873
21. NAT 875
21.1 Configuring Basic NAT Functionality 877
21.2 Allocating External Addresses Dynamically 879
21.3 Allocating External Addresses Statically 880
21.4 Translating Some Addresses Statically and Others Dynamically 881
21.5 Using Route Maps to Refine Static Translation Rules 883
21.6 Translating in Both Directions Simultaneously 884
21.7 Rewriting the Network Prefix 887
21.8 Using NAT for Server Load Distribution 888
21.9 Stateful NAT Failover 890
21.10 Adjusting NAT Timers 894
21.11 Changing TCP Ports for FTP 896
21.12 Checking NAT Status 897
21.13 Debugging NAT 899
22. First Hop Redundancy Protocols 901
22.1 Configuring Basic HSRP Functionality 907
22.2 Using HSRP Preempt 911
22.3 Making HSRP React to Problems on Other Interfaces 914
22.4 Load-Balancing with HSRP 918
22.5 Redirecting ICMP with HSRP 921
22.6 Manipulating HSRP Timers 922
22.7 Using HSRP on Token Ring 924
22.8 HSRP SNMP Support 926
22.9 Increasing HSRP Security 927
22.10 Showing HSRP State Information 932
22.11 Debugging HSRP 933
22.12 HSRP Version 2 934
22.13 VRRP 936
22.14 Gateway Load-Balancing Protocol 938
23. IP Multicast 943
23.1 Configuring Basic Multicast Functionality with PIM-DM 953
23.2 Routing Multicast Traffic with PIM-SM and BSR 954
23.3 Routing Multicast Traffic with PIM-SM and Auto-RP 959
23.4 Filtering PIM Neighbors 962
23.5 Configuring Routing for a Low-Frequency Multicast Application 963
23.6 Multicast over Frame Relay or ATM WANs 966
23.7 Configuring CGMP 967
23.8 Using IGMP Version 3 969
23.9 Static Multicast Routes and Group Memberships 971
23.10 Routing Multicast Traffic with MOSPF 972
23.11 Routing Multicast Traffic with DVMRP 974
23.12 DVMRP Tunnels 977
23.13 Configuring Bidirectional PIM 978
23.14 Controlling Multicast Scope with TTL 980
23.15 Controlling Multicast Scope with Administratively Scoped Addressing 983
23.16 Exchanging Multicast Routing Information with MBGP 985
23.17 Using MSDP to Discover External Sources 987
23.18 Configuring Anycast RP 989
23.19 Converting Broadcasts to Multicasts 991
23.20 Showing Multicast Status 994
23.21 Debugging Multicast Routing 1003
24. IP Mobility 1006
24.1 Local Area Mobility 1008
24.2 Home Agent Configuration 1011
24.3 Foreign Agent Configuration 1015
24.4 Making a Router a Mobile Node 1017
24.5 Reverse-Tunnel Forwarding 1020
24.6 Using HSRP for Home Agent Redundancy 1021
25. IPv6 1025
25.1 Automatically Generating IPv6 Addresses for an Interface 1029
25.2 Manually Configuring IPv6 Addresses on an Interface 1032
25.3 Configuring DHCP for IPv6 1036
25.4 Dynamic Routing with RIP 1039
25.5 Modifying the Default RIP Parameters 1042
25.6 IPv6 Route Filtering and Metric Manipulation in RIP 1045
25.7 Using OSPF for IPv6 1049
25.8 IPv6 Route Filtering and Metric Manipulation in OSPF 1052
25.9 Route Redistribution 1054
25.10 Dynamic Routing with MBGP 1060
25.11 Tunneling IPv6 Through an Existing IPv4 Network 1064
25.12 Translating Between IPv6 and IPv4 1066
26. MPLS 1069
26.1 Configuring a Basic MPLS P Router 1075
26.2 Configuring a Basic MPLS PE Router 1079
26.3 Configuring Basic MPLS CE Routers 1088
26.4 Configuring MPLS over ATM 1089
26.5 PE-CE Communication via RIP 1094
26.6 PE-CE Communication via OSPF 1099
26.7 PE-CE Communication via EIGRP 1103
26.8 PE-CE Communication via BGP 1106
26.9 QoS over MPLS 1110
26.10 MPLS Traffic Engineering with Autoroute 1115
26.11 Multicast Over MPLS 1121
26.12 Your Service Provider Doesn't Do What You Want 1126
27. Security 1131
27.1 Using AutoSecure 1134
27.2 Using Context-Based Access-Lists 1137
27.3 Transparent Cisco IOS Firewall 1142
27.4 Stopping Denial of Service Attacks 1144
27.5 Inspecting Applications on Different Port Numbers 1148
27.6 Intrusion Detection and Prevention 1153
27.7 Login Password Retry Lockout 1159
27.8 Authentication Proxy 1160
A. External Software Packages 1163
B. IP Precedence, TOS, and DSCP Classifications 1167
Index 1181