SECOND EDITION

Cisco IOS Cookbook

Kevin Dooley and Ian J. Brown

O'Reilly

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Table of Contents

Preface ... xix

1. Router Configuration and File Management ... 1
1.1 Configuring the Router via TFTP ... 4
1.2 Saving Router Configuration to Server ... 5
1.3 Booting the Router Using a Remote Configuration File ... 7
1.4 Storing Configuration Files Larger Than NVRAM ... 10
1.5 Clearing the Startup Configuration ... 12
1.6 Loading a New IOS Image ... 15
1.7 Booting a Different IOS Image ... 18
1.8 Booting over the Network ... 22
1.9 Copying an IOS Image to a Server ... 24
1.10 Copying an IOS Image Through the Console ... 25
1.11 Deleting Files from Flash ... 27
1.12 Partitioning Flash ... 30
1.13 Using the Router as a TFTP Server ... 32
1.14 Using FTP from the Router ... 33
1.15 Generating Large Numbers of Router Configurations ... 35
1.16 Changing the Configurations of Many Routers at Once ... 38
1.17 Extracting Hardware Inventory Information ... 41
1.18 Backing Up Router Configurations ... 43
1.19 Warm Reload ... 47
1.20 Warm Upgrade ... 48
1.21 Configuration Archiving ... 50
1.22 Locking Configuration Access ... 52

2. Router Management ... 55
2.1 Creating Command Aliases ... 55
2.2 Managing the Router's ARP Cache ... 58
2.3 Tuning Router Buffers ... 60
2.4 Auto Tuning Buffers ... 65
2.5 Using the Cisco Discovery Protocol ... 66
2.6 Disabling the Cisco Discovery Protocol ... 70
2.7 Using the Small Servers ... 71
2.8 Enabling HTTP Access to a Router ... 75
2.9 Enabling Secure HTTP (HTTPS) Access to a Router ... 77
2.10 Using Static Hostname Tables ... 79
2.11 Enabling Domain Name Services ... 81
2.12 Disabling Domain Name Lookups ... 84
2.13 Specifying a Router Reload Time ... 86
2.14 Scheduling of Router Commands ... 89
2.15 Displaying Historical CPU Values ... 91
2.16 Creating Exception Dump Files ... 94
2.17 Generating a Report of Interface Information ... 96
2.18 Generating a Report of Routing Table Information ... 99
2.19 Generating a Report of ARP Table Information ... 101
2.20 Generating a Server Host Table File ... 103

3. User Access and Privilege Levels ... 107
3.1 Setting Up User IDs ... 108
3.2 Encrypting Passwords ... 111
3.3 Using Better Password-Encryption Techniques ... 113
3.4 Removing Passwords from a Router Configuration File ... 115
3.5 Deciphering Cisco's Weak Password Encryption ... 117
3.6 Displaying Active Users ... 119
3.7 Sending Messages to Other Users ... 121
3.8 Changing the Number of VTYs ... 123
3.9 Changing VTY Timeouts ... 125
3.10 Restricting VTY Access by Protocol ... 127
3.11 Enabling Absolute Timeouts on VTY Lines ... 128
3.12 Implementing Banners ... 129
3.13 Disabling Banners on a Port ... 133
3.14 Disabling Router Lines ... 133
3.15 Reserving a VTY Port for Administrative Access ... 136
3.16 Restricting Inbound Telnet Access ... 138
3.17 Logging Telnet Access ... 139
3.18 Setting the Source Address for Telnet ... 140
3.19 Automating the Login Sequence ... 141
3.20 Using SSH for Secure Access ... 144
3.21 Changing Privilege Level of IOS Commands ... 148
3.22 Defining Per User Privileges ... 151
3.23 Defining Per Port Privileges ... 154

4. TACACS+ ... 156
4.1 Authenticating Login IDs from a Central System ... 157
4.2 Restricting Command Access ... 160
4.3 Losing Access to the TACACS+ Server ... 162
4.4 Disabling TACACS+ Authentication on a Particular Line ... 164
4.5 Capturing User Keystrokes ... 165
4.6 Logging System Events ... 166
4.7 Setting the IP Source Address for TACACS+ Messages ... 168
4.8 Sample Server Configuration Files ... 169

5. IP Routing ... 173
5.1 Finding an IP Route ... 176
5.2 Finding Types of IP Routes ... 177
5.3 Converting Different Mask Formats ... 179
5.4 Using Static Routing ... 184
5.5 Floating Static Routes ... 187
5.6 Using Policy-Based Routing to Route Based on Source Address ... 190
5.7 Using Policy-Based Routing to Route Based on Application Type ... 193
5.8 Examining Policy-Based Routing ... 196
5.9 Changing Administrative Distances ... 197
5.10 Routing Over Multiple Paths with Equal Costs ... 201
5.11 Static Routes That Track Interfaces or Other Routes ... 203
5.12 Keeping Statistics on Routing Table Changes ... 209

6. RIP ... 213
6.1 Configuring RIP Version 1 ... 215
6.2 Filtering Routes with RIP ... 218
6.3 Redistributing Static Routes into RIP ... 221
6.4 Redistributing Routes Using Route Maps ... 225
6.5 Creating a Default Route in RIP ... 227
6.6 Disabling RIP on an Interface ... 229
6.7 Default Passive Interface ... 231
6.8 Unicast Updates for RIP ... 233
6.9 Applying Offsets to Routes ... 235
6.10 Adjusting Timers ... 237
6.11 Configuring Interpacket Delay ... 240
6.12 Enabling Nonperiodic Updates ... 241
6.13 Increasing the RIP Input Queue ... 244
6.14 Configuring RIP Version 2 ... 245
6.15 Enabling RIP Authentication ... 247
6.16 RIP Route Summarization ... 250
6.17 Route Tagging ... 253

7. EIGRP ... 255
7.1 Configuring EIGRP ... 256
7.2 Filtering Routes with EIGRP ... 260
7.3 Redistributing Routes into EIGRP ... 265
7.4 Redistributing Routes into EIGRP Using Route Maps ... 269
7.5 Disabling EIGRP on an Interface ... 270
7.6 Adjusting EIGRP Metrics ... 272
7.7 Adjusting Timers ... 274
7.8 Enabling EIGRP Authentication ... 276
7.9 EIGRP Route Summarization ... 278
7.10 Logging EIGRP Neighbor State Changes ... 282
7.11 Limiting EIGRP's Bandwidth Utilization ... 284
7.12 EIGRP Stub Routing ... 285
7.13 Route Tagging ... 287
7.14 Viewing EIGRP Status ... 289

8. OSPF ... 293
8.1 Configuring OSPF ... 298
8.2 Filtering Routes in OSPF ... 300
8.3 Adjusting OSPF Costs ... 306
8.4 Creating a Default Route in OSPF ... 308
8.5 Redistributing Static Routes into OSPF ... 311
8.6 Redistributing External Routes into OSPF ... 313
8.7 Manipulating DR Selection ... 317
8.8 Setting the OSPF RID ... 319
8.9 Enabling OSPF Authentication ... 321
8.10 Selecting the Appropriate Area Types ... 325
8.11 Using OSPF on Dial Interfaces ... 333
8.12 Summarizing Routes in OSPF ... 337
8.13 Disabling OSPF on Certain Interfaces ... 339
8.14 Changing the Network Type on an Interface ... 341
8.15 OSPF Route Tagging ... 346
8.16 Logging OSPF Adjacency Changes ... 347
8.17 Adjusting OSPF Timers ... 348
8.18 Reducing OSPF Traffic in Stable Networks ... 350
8.19 OSPF Virtual Links ... 351
8.20 Viewing OSPF Status with Domain Names ... 352
8.21 Debugging OSPF ... 353

9. BGP ... 355
9.1 Configuring BGP ... 363
9.2 Using eBGP Multihop ... 369
9.3 Adjusting the Next-Hop Attribute ... 371
9.4 Connecting to Two ISPs ... 372
9.5 Connecting to Two ISPs with Redundant Routers ... 376
9.6 Restricting Networks Advertised to a BGP Peer ... 378
9.7 Adjusting Local Preference Values ... 382
9.8 Load-Balancing ... 386
9.9 Removing Private ASNs from the AS Path ... 388
9.10 Filtering BGP Routes Based on AS Paths ... 390
9.11 Reducing the Size of the Received Routing Table ... 393
9.12 Summarizing Outbound Routing Information ... 396
9.13 Prepending ASNs to the AS Path ... 399
9.14 Redistributing Routes with BGP ... 402
9.15 Using Peer Groups ... 405
9.16 Authenticating BGP Peers ... 407
9.17 Using BGP Communities ... 409
9.18 Using BGP Route Reflectors ... 415
9.19 Putting It All Together ... 419

10. Frame Relay ... 423
10.1 Setting Up Frame Relay with Point-to-Point Subinterfaces ... 426
10.2 Adjusting LMI Options ... 430
10.3 Setting Up Frame Relay with Map Statements ... 432
10.4 Using Multipoint Subinterfaces ... 435
10.5 Configuring Frame Relay SVCs ... 437
10.6 Simulating a Frame Relay Cloud ... 439
10.7 Compressing Frame Relay Data on a Subinterface ... 442
10.8 Compressing Frame Relay Data with Maps ... 445
10.9 PPP over Frame Relay ... 446
10.10 Viewing Frame Relay Status Information ... 449

11. Handling Queuing and Congestion ... 452
11.1 Fast Switching and CEF ... 456
11.2 Setting the DSCP or TOS Field ... 459
11.3 Using Priority Queuing ... 463
11.4 Using Custom Queuing ... 465
11.5 Using Custom Queues with Priority Queues ... 468
11.6 Using Weighted Fair Queuing ... 470
11.7 Using Class-Based Weighted Fair Queuing ... 471
11.8 Using NBAR Classification ... 474
11.9 Controlling Congestion with WRED ... 479
11.10 Using RSVP ... 482
11.11 Manual RSVP Reservations ... 485
11.12 Aggregating RSVP Reservations ... 490
11.13 Using Generic Traffic Shaping ... 491
11.14 Using Frame-Relay Traffic Shaping ... 493
11.15 Using Committed Access Rate ... 495
11.16 Implementing Standards-Based Per-Hop Behavior ... 500
11.17 AutoQoS ... 503
11.18 Viewing Queue Parameters ... 510

12. Tunnels and VPNs ... 513
12.1 Creating a Tunnel ... 518
12.2 Tunneling Foreign Protocols in IP ... 523
12.3 Tunneling with Dynamic Routing Protocols ... 525
12.4 Viewing Tunnel Status ... 528
12.5 Creating an Encrypted Router-to-Router VPN in a GRE Tunnel ... 530
12.6 Creating an Encrypted VPN Between the LAN Interfaces of Two Routers ... 538
12.7 Generating RSA Keys ... 541
12.8 Creating a Router-to-Router VPN with RSA Keys ... 545
12.9 Creating a VPN Between a Workstation and a Router ... 549
12.10 Creating an SSL VPN ... 552
12.11 Checking IPSec Protocol Status ... 556


13. Dial Backup ... 561
13.1 Automating Dial Backup ... 565
13.2 Using Dialer Interfaces ... 570
13.3 Using an Async Modem on the AUX Port ... 574
13.4 Using Backup Interfaces ... 577
13.5 Using Dialer Watch ... 580
13.6 Using Virtual Templates ... 582
13.7 Ensuring Proper Disconnection ... 586
13.8 View Dial Backup Status ... 587
13.9 Debugging Dial Backup ... 591

14. NTP and Time ... 593
14.1 Time-Stamping Router Logs ... 595
14.2 Setting the Time ... 597
14.3 Setting the Time Zone ... 599
14.4 Adjusting for Daylight Saving Time ... 600
14.5 Synchronizing the Time on All Routers (NTP) ... 602
14.6 Configuring NTP Redundancy ... 605
14.7 Setting the Router As the NTP Master for the Network ... 607
14.8 Changing NTP Synchronization Periods ... 609
14.9 Using NTP to Send Periodic Broadcast Time Updates ... 610
14.10 Using NTP to Send Periodic Multicast Time Updates ... 611
14.11 Enabling and Disabling NTP Per Interface ... 613
14.12 NTP Authentication ... 615
14.13 Limiting the Number of Peers ... 617
14.14 Restricting Peers ... 617
14.15 Setting the Clock Period ... 618
14.16 Checking the NTP Status ... 619
14.17 Debugging NTP ... 622
14.18 NTP Logging ... 624
14.19 Extended Daylight Saving Time ... 624
14.20 NTP Server Configuration ... 626

15. DLSw ... 629
15.1 Simple Bridging ... 634
15.2 Configuring DLSw ... 636
15.3 Using DLSw to Bridge Between Ethernet and Token Ring ... 643
15.4 Converting Ethernet and Token Ring MAC Addresses ... 646
15.5 Configuring SDLC ... 648
15.6 Configuring SDLC for Multidrop Connections ... 652
15.7 Using STUN ... 654
15.8 Using BSTUN ... 657
15.9 Controlling DLSw Packet Fragmentation ... 659
15.10 Tagging DLSw Packets for QoS ... 660
15.11 Supporting SNA Priorities ... 661
15.12 DLSw+ Redundancy and Fault Tolerance ... 662
15.13 Viewing DLSw Status Information ... 664
15.14 Viewing SDLC Status Information ... 665
15.15 Debugging DLSw ... 668

16. Router Interfaces and Media ... 673
16.1 Viewing Interface Status ... 674
16.2 Configuring Serial Interfaces ... 682
16.3 Using an Internal T1 CSU/DSU ... 686
16.4 Using an Internal ISDN PRI Module ... 688
16.5 Using an Internal 56 Kbps CSU/DSU ... 689
16.6 Configuring an Async Serial Interface ... 692
16.7 Configuring ATM Subinterfaces ... 693
16.8 Setting Payload Scrambling on an ATM Circuit ... 696
16.9 Classical IP Over ATM ... 697
16.10 Configuring Ethernet Interface Features ... 702
16.11 Configuring Token Ring Interface Features ... 704
16.12 Connecting VLAN Trunks with ISL ... 706
16.13 Connecting VLAN Trunks with 802.1Q ... 709
16.14 LPD Printer Support ... 712

17. Simple Network Management Protocol ... 715
17.1 Configuring SNMP ... 719
17.2 Extracting Router Information via SNMP Tools ... 721
17.3 Recording Important Router Information for SNMP Access ... 724
17.4 Using SNMP to Extract Inventory Information from a List of Routers ... 726
17.5 Using Access Lists to Protect SNMP Access ... 728
17.6 Logging Unauthorized SNMP Attempts ... 731
17.7 Limiting MIB Access ... 732
17.8 Using SNMP to Modify a Router's Running Configuration ... 736
17.9 Using SNMP to Copy a New IOS Image ... 738
17.10 Using SNMP to Perform Mass Configuration Changes ... 740
17.11 Preventing Unauthorized Configuration Modifications ... 743
17.12 Making Interface Table Numbers Permanent ... 745
17.13 Enabling SNMP Traps and Informs ... 747
17.14 Sending Syslog Messages As SNMP Traps and Informs ... 751
17.15 Setting SNMP Packet Size ... 752
17.16 Setting SNMP Queue Size ... 753
17.17 Setting SNMP Timeout Values ... 755
17.18 Disabling Link Up/Down Traps per Interface ... 756
17.19 Setting the IP Source Address for SNMP Traps ... 756
17.20 Using RMON to Send Traps ... 757
17.21 Enabling SNMPv3 ... 762
17.22 Strong SNMPv3 Encryption ... 768
17.23 Using SAA ... 770

18. Logging ... 775
18.1 Enabling Local Router Logging ... 777
18.2 Setting the Log Size ... 778
18.3 Clearing the Router's Log ... 780
18.4 Sending Log Messages to Your Screen ... 780
18.5 Using a Remote Log Server ... 782
18.6 Enabling Syslog on a Unix Server ... 784
18.7 Changing the Default Log Facility ... 786
18.8 Restricting What Log Messages Are Sent to the Server ... 788
18.9 Setting the IP Source Address for Syslog Messages ... 790
18.10 Logging Router Syslog Messages in Different Files ... 791
18.11 Maintaining Syslog Files on the Server ... 792
18.12 Testing the Syslog Server Configuration ... 794
18.13 Preventing the Most Common Messages from Being Logged ... 796
18.14 Rate-Limiting Syslog Traffic ... 797
18.15 Enabling Error Log Counting ... 798
18.16 XML-Formatted Log Messages ... 799
18.17 Modifying Log Messages ... 802

19. Access-Lists ... 807
19.1 Filtering by Source or Destination IP Address ... 809
19.2 Adding a Comment to an ACL ... 813
19.3 Filtering by Application ... 814
19.4 Filtering Based on TCP Header Flags ... 818
19.5 Restricting TCP Session Direction ... 821
19.6 Filtering Multiport Applications ... 822
19.7 Filtering Based on DSCP and TOS ... 824
19.8 Logging When an Access-List Is Used ... 825
19.9 Logging TCP Sessions ... 826
19.10 Analyzing ACL Log Entries ... 829
19.11 Using Named and Reflexive Access-Lists ... 832
19.12 Dealing with Passive Mode FTP ... 834
19.13 Using Time-Based Access-Lists ... 836
19.14 Filtering Based on Noncontiguous Ports ... 839
19.15 Advanced Access-List Editing ... 840
19.16 Filtering IPv6 ... 843

20. DHCP ... 847
20.1 Using IP Helper Addresses for DHCP ... 848
20.2 Limiting the Impact of IP Helper Addresses ... 850
20.3 Using DHCP to Dynamically Configure Router IP Addresses ... 852
20.4 Dynamically Allocating Client IP Addresses via DHCP ... 855
20.5 Defining DHCP Configuration Options ... 857
20.6 Defining DHCP Lease Periods ... 860
20.7 Allocating Static IP Addresses with DHCP ... 861
20.8 Configuring a DHCP Database Client ... 863
20.9 Configuring Multiple DHCP Servers per Subnet ... 865
20.10 DHCP Static Mapping ... 866
20.11 DHCP-Secured IP Address Assignment ... 869
20.12 Showing DHCP Status ... 871
20.13 Debugging DHCP ... 873

21. NAT ... 875
21.1 Configuring Basic NAT Functionality ... 877
21.2 Allocating External Addresses Dynamically ... 879
21.3 Allocating External Addresses Statically ... 880
21.4 Translating Some Addresses Statically and Others Dynamically ... 881
21.5 Using Route Maps to Refine Static Translation Rules ... 883
21.6 Translating in Both Directions Simultaneously ... 884
21.7 Rewriting the Network Prefix ... 887
21.8 Using NAT for Server Load Distribution ... 888
21.9 Stateful NAT Failover ... 890
21.10 Adjusting NAT Timers ... 894
21.11 Changing TCP Ports for FTP ... 896
21.12 Checking NAT Status ... 897
21.13 Debugging NAT ... 899

22. First Hop Redundancy Protocols ... 901
22.1 Configuring Basic HSRP Functionality ... 907
22.2 Using HSRP Preempt ... 911
22.3 Making HSRP React to Problems on Other Interfaces ... 914
22.4 Load-Balancing with HSRP ... 918
22.5 Redirecting ICMP with HSRP ... 921
22.6 Manipulating HSRP Timers ... 922
22.7 Using HSRP on Token Ring ... 924
22.8 HSRP SNMP Support ... 926
22.9 Increasing HSRP Security ... 927
22.10 Showing HSRP State Information ... 932
22.11 Debugging HSRP ... 933
22.12 HSRP Version 2 ... 934
22.13 VRRP ... 936
22.14 Gateway Load-Balancing Protocol ... 938

23. IP Multicast ... 943
23.1 Configuring Basic Multicast Functionality with PIM-DM ... 953
23.2 Routing Multicast Traffic with PIM-SM and BSR ... 954
23.3 Routing Multicast Traffic with PIM-SM and Auto-RP ... 959
23.4 Filtering PIM Neighbors ... 962
23.5 Configuring Routing for a Low-Frequency Multicast Application ... 963
23.6 Multicast over Frame Relay or ATM WANs ... 966
23.7 Configuring CGMP ... 967
23.8 Using IGMP Version 3 ... 969
23.9 Static Multicast Routes and Group Memberships ... 971
23.10 Routing Multicast Traffic with MOSPF ... 972
23.11 Routing Multicast Traffic with DVMRP ... 974
23.12 DVMRP Tunnels ... 977
23.13 Configuring Bidirectional PIM ... 978
23.14 Controlling Multicast Scope with TTL ... 980
23.15 Controlling Multicast Scope with Administratively Scoped Addressing ... 983
23.16 Exchanging Multicast Routing Information with MBGP ... 985
23.17 Using MSDP to Discover External Sources ... 987
23.18 Configuring Anycast RP ... 989
23.19 Converting Broadcasts to Multicasts ... 991
23.20 Showing Multicast Status ... 994
23.21 Debugging Multicast Routing ... 1003

24. IP Mobility ... 1006
24.1 Local Area Mobility ... 1008
24.2 Home Agent Configuration ... 1011
24.3 Foreign Agent Configuration ... 1015
24.4 Making a Router a Mobile Node ... 1017
24.5 Reverse-Tunnel Forwarding ... 1020
24.6 Using HSRP for Home Agent Redundancy ... 1021

25. IPv6 ... 1025
25.1 Automatically Generating IPv6 Addresses for an Interface ... 1029
25.2 Manually Configuring IPv6 Addresses on an Interface ... 1032
25.3 Configuring DHCP for IPv6 ... 1036
25.4 Dynamic Routing with RIP ... 1039
25.5 Modifying the Default RIP Parameters ... 1042
25.6 IPv6 Route Filtering and Metric Manipulation in RIP ... 1045
25.7 Using OSPF for IPv6 ... 1049
25.8 IPv6 Route Filtering and Metric Manipulation in OSPF ... 1052
25.9 Route Redistribution ... 1054
25.10 Dynamic Routing with MBGP ... 1060
25.11 Tunneling IPv6 Through an Existing IPv4 Network ... 1064
25.12 Translating Between IPv6 and IPv4 ... 1066

26. MPLS ... 1069
26.1 Configuring a Basic MPLS P Router ... 1075
26.2 Configuring a Basic MPLS PE Router ... 1079
26.3 Configuring Basic MPLS CE Routers ... 1088
26.4 Configuring MPLS over ATM ... 1089
26.5 PE-CE Communication via RIP ... 1094
26.6 PE-CE Communication via OSPF ... 1099
26.7 PE-CE Communication via EIGRP ... 1103
26.8 PE-CE Communication via BGP ... 1106
26.9 QoS over MPLS ... 1110
26.10 MPLS Traffic Engineering with Autoroute ... 1115
26.11 Multicast Over MPLS ... 1121
26.12 Your Service Provider Doesn't Do What You Want ... 1126

27. Security ... 1131
27.1 Using AutoSecure ... 1134
27.2 Using Context-Based Access-Lists ... 1137
27.3 Transparent Cisco IOS Firewall ... 1142
27.4 Stopping Denial of Service Attacks ... 1144
27.5 Inspecting Applications on Different Port Numbers ... 1148
27.6 Intrusion Detection and Prevention ... 1153
27.7 Login Password Retry Lockout ... 1159
27.8 Authentication Proxy ... 1160

A. External Software Packages ... 1163
B. IP Precedence, TOS, and DSCP Classifications ... 1167
Index ... 1181
