Tag: ios
Useful IOS tricks (part 3) – the ‘do’ command
by rxtx on Jan.03, 2011, under Networks
I have a very short but very useful command for you today. You’ll often find yourself working in IOS configuration mode and forgetting little things such as which interface number you need, or which IP address is currently assigned to an interface. When that happens you probably go through a sequence of commands like the one below:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/^Z            <--- Arrgh, forgot which interface it was; Ctrl+Z out of config mode
% Incomplete command.
Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES NVRAM  up                    up
FastEthernet0/1            192.168.0.1     YES NVRAM  up                    up
Router#conf t                         <--- OK, found it, back into config mode
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/0
etc
This gets annoying pretty fast, but luckily you can run exec-mode commands from within config mode by prefixing them with ‘do’. This is a lot nicer:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/              <--- Arrgh, forgot which interface it was; let's try 'do'
% Incomplete command.
Router(config)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES NVRAM  up                    up
FastEthernet0/1            192.168.0.1     YES NVRAM  up                    up
Router(config)#int fa 0/0
Much easier, right? There are of course a few caveats, the main one being that you can’t use ‘?’ to remind you of the exec command’s syntax once you have typed ‘do’, but it’s still a great little time saver. It works from any configuration sub-mode too (config-if, config-router and so on), not just the top level of config mode.
Stratix 8000 IOS recovery (or how dd saved the day)
by rxtx on Oct.15, 2010, under Networks, Sysadmin
I’ve been playing with some Stratix 8000 switches lately – if you’ve never come across them, they are built for heavy-duty industrial environments and are the result of a collaboration between Rockwell and Cisco. They run Cisco IOS, so if you’ve used a Catalyst switch you’ll be in familiar territory. During my work with them I somehow ended up with a corrupt IOS following an upgrade and the switch would no longer boot, giving the console error message below:
...
mifs[7]: 684 files, 26 directories
mifs[7]: Total bytes     : 64094208
mifs[7]: Bytes used      : 11614208
mifs[7]: Bytes available : 52480000
mifs[7]: mifs fsck took 60 seconds.
...done Initializing Flash.
done.
Loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin"...flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin: magic number mismatch: bad mzip file
Error loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin"

Interrupt within 5 seconds to abort boot process.
Boot process failed...

The system is unable to boot automatically.  The BOOT
environment variable needs to be set to a bootable
image.
No problem, I thought, I’ll just use ROMmon and suck down a clean image from a TFTP server. How wrong I was! These switches don’t have ROMmon; instead they have their own boot OS which bizarrely doesn’t seem to support any kind of networking whatsoever. It can format the filesystem and do basic file operations, but that’s it as far as I can tell. You quickly find yourself stuck with no way to upload an image, and the scant documentation unhelpfully suggests that you reset your switch to factory defaults. If you follow this advice you now have a switch with no config and still a corrupt IOS. There doesn’t appear to be any documentation at all about the strange little OS you find yourself stuck in, so it’s time to experiment.
Plugging the flash card into my Windows machine showed that it wasn’t formatted in a way that Windows could read, so you can’t copy an image that way. Formatting it as FAT resulted in a strange situation where both Windows and the switch could write to the flash card, but neither could see the other’s files. Unfortunately I didn’t have easy access to a Linux machine to see if it was readable there, so I needed another way to get the right data onto the card. I did have other working Stratixes, so I had the idea of cloning a working flash card. You can’t do this natively in Windows, so I had to find a Windows version of the well-known Linux tool dd.
dd is a very low-level tool that copies data block by block. It doesn’t see files, folders or even the filesystem format; it just sees the raw bytes. The plan was to make an image of a working flash card and then write that image onto the failed one. In theory you end up with a perfect clone, and Windows never needs to understand the disk format. Two things to bear in mind before you try this: dd will silently overwrite whatever volume you point its output at, so check the drive letter against the --list output before each write, and a block-level clone copies everything on the donor card, its saved configuration included, so the repaired switch is carrying the donor’s config (and any credentials in it) until you replace it. I used the tool as follows: first listing the available drives, then making an image of a good flash card, and finally writing that image onto the corrupt one:
D:\Programs\dd>dd --list
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
Win32 Available Volume Information
[snip]
\\.\Volume{43371b24-d6a0-11df-b040-005056c00008}\
link to \\?\Device\HarddiskVolume10
removeable media
Mounted on \\.\l:
[snip]
D:\Programs\dd>dd if=\\.\l: of=stratix.img
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
125440+0 records in
125440+0 records out
D:\Programs\dd>dd if=stratix.img of=\\.\l:
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
125440+0 records in
125440+0 records out
D:\Programs\dd>
Happily it worked flawlessly, the cloned flash card contained an exact copy of the working IOS and I was able to get my switch working again. I’d love to know the manufacturer’s recommended restore method, but as is often the case the documentation is lacking.
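The same block-level clone, as an added Python example (not the post’s dd invocation, and not Rockwell or Cisco code) that adds the step the post skips: proving that the target card reads back identical to the image before you trust it in a switch. It uses plain file I/O so the same routine works against a Windows raw volume such as r'\\.\L:' or a Linux device node such as /dev/sdb; those paths, and the make_fake_cards() helper that builds constructed sample data for an offline run, are assumptions and not from the original post.

```python
"""Block-level clone of a flash card with verification.

Added example for this post, not the original dd commands.  Device paths are
assumptions: on Windows the post used \\.\l: via dd-for-windows, on Linux
you would use something like /dev/sdb.  Double-check the target path: the
write is as unforgiving as dd's.
"""
import hashlib
import os
import tempfile

BLOCK = 512  # dd's default record size; the post's 125440 records are 512-byte blocks


def copy_blocks(src_path, dst_path):
    """Copy src to dst in BLOCK-sized records.

    Returns (full, partial) in the spirit of dd's 'N+M records' line.  A
    non-zero partial count means the final read came back short, i.e. the
    source was not a whole number of blocks.  With the post's '125440+0'
    you would get (125440, 0).
    """
    full = partial = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(BLOCK)
            if not chunk:
                break
            if len(chunk) == BLOCK:
                full += 1
            else:
                partial += 1
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the data really reached the card
    return full, partial


def digest(path, limit=None):
    """SHA-256 of the first `limit` bytes of path (the whole thing when None).

    The limit matters when the target card is larger than the image: only the
    region we wrote should be compared, not the unused tail of the device.
    """
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            n = 1 << 20 if remaining is None else min(1 << 20, remaining)
            chunk = f.read(n)
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def clone_card(good, bad, image="stratix.img"):
    """Image the good card, write the image onto the bad card, then verify.

    Returns ((full, partial) for the read, (full, partial) for the write).
    Raises RuntimeError if the bad card does not read back identical to the
    image, rather than trusting matching record counts alone.
    """
    records_in = copy_blocks(good, image)
    records_out = copy_blocks(image, bad)
    if digest(image) != digest(bad, limit=os.path.getsize(image)):
        raise RuntimeError("clone verification failed: %s differs from %s" % (bad, image))
    return records_in, records_out


def make_fake_cards(blocks=64, tail=100):
    """Constructed sample data (an assumption for offline runs, not real cards):
    a 'good' card of random bytes that is not block-aligned, and a zeroed
    'bad' card of the same size.  Returns (good_path, bad_path, image_path)."""
    d = tempfile.mkdtemp()
    good, bad, img = (os.path.join(d, n) for n in ("good", "bad", "card.img"))
    with open(good, "wb") as f:
        f.write(os.urandom(BLOCK * blocks + tail))
    with open(bad, "wb") as f:
        f.write(b"\0" * (BLOCK * blocks + tail))
    return good, bad, img


if __name__ == "__main__":
    # Assumed paths for a real run; swap in the fake cards to try it offline.
    g, b, i = make_fake_cards()
    print("records in/out:", clone_card(g, b, i))
```

On a real device, os.path.getsize() of the device node is not reliable, which is why the size limit is taken from the regular image file; the good card's size comes out of the record counts instead.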
Useful IOS tricks (part 2) – access list editing
by rxtx on Oct.05, 2010, under Networks
This time we are talking about those pesky things that all the server guys blame when their apps don’t work – access lists! Until you know the tricks I’m about to show you, you’ve probably had a feeling of dread when you’ve been asked to add a rule at the end of a 200-entry ACL (but before the deny ip any any, of course). We’ll use this simple access list to demonstrate:
Router#sh access-lists 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
First let’s examine this output. Note that we are looking at an extended access list, although the trick works with standard ACLs too. Also note that there is a sequence number before each rule; we are going to learn how to harness those numbers. Let’s say we want to add another rule permitting mail to the 192.168.0.10 host. If you just add the rule the way they teach you in your CCNA, you end up with the following:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 100 permit tcp any host 192.168.0.10 eq 25
Router(config)#do sh access-l 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
    40 permit tcp any host 192.168.0.10 eq smtp
Router(config)#
So not too good really: that rule will never be hit, as it has been put after the deny. Luckily there’s another way, using the “ip access-list” configuration command. Take note of the sequence numbers here – first we’ll remove the rule that was appended at the end of the ACL, and then we’ll re-add it before the deny:
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#no 40
Router(config-ext-nacl)#25 permit tcp any host 192.168.0.10 eq smtp
Router(config-ext-nacl)#do show access-list 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    25 permit tcp any host 192.168.0.10 eq smtp
    30 deny ip any any
Router(config-ext-nacl)#
After entering the first command, note that we go into config-ext-nacl mode, which is where we add and remove rules. It’s quite easy – you add a rule by starting with the sequence number where you want it to go and then entering the rest of the rule as normal, and you remove a rule with “no” followed by its sequence number. If you leave the sequence number off, IOS appends the entry with the next multiple of 10 after the last one, which is exactly what happened with the classic access-list command above. Stick to this mode for deletions as well: with the classic numbered syntax, “no access-list 100 …” removes the whole list rather than one line.
You might have realised that we can only add so many rules like this before we run out of numbers between two neighbours, but that’s fine too, as IOS includes a command to resequence the list. For example:
Router#sh access-lists 100
Extended IP access list 100
    1 permit tcp any host 192.168.0.10 eq www
    2 permit tcp any host 192.168.0.10 eq 443
    3 permit tcp any host 192.168.0.10 eq smtp
    4 deny ip any any
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list resequence 100 10 10
Router(config)#do sh access-l 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 permit tcp any host 192.168.0.10 eq smtp
    40 deny ip any any
Router(config)#
So the key command there is “ip access-list resequence 100 10 10”. Don’t be put off by the raft of numbers, it’s really simple: the first number (100) is the access list we want to resequence (a name works here too), the second number (10) is the sequence number we want the first rule to start at, and the third number (10) is the increment for each following rule. Let’s try another example, where we want the list to start at 50 with increments of 5:
Router(config)#ip access-list resequence 100 50 5
Router(config)#do sh access-l 100
Extended IP access list 100
    50 permit tcp any host 192.168.0.10 eq www
    55 permit tcp any host 192.168.0.10 eq 443
    60 permit tcp any host 192.168.0.10 eq smtp
    65 deny ip any any
Router(config)#
These few commands have come in incredibly useful for me and have saved me a great deal of ACL related headaches, I recommend you learn them!
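The sequence-number bookkeeping from this post, as an added Python model (not IOS code and not from the original post) that you can run over pasted “show access-lists” output: it parses the entries, picks a free sequence number in front of a given rule, simulates the “no <seq>”, “<seq> permit …” and “ip access-list resequence” commands, and flags any rule sitting behind a catch-all “ip any any” as unreachable, which is the exact mistake the post starts with. The parser and the SHOW_OUTPUT sample are constructed for this example and only understand the layout shown above; general shadowing analysis (overlapping prefixes and port ranges) is deliberately out of scope.

```python
"""Model of IOS named-ACL sequence editing and a catch-all reachability check.

Added example for this post, not IOS code.  Only the 'show access-lists'
layout used in the post is parsed: '<seq> <permit|deny> <rest of rule>'.
"""
import re

# Constructed sample: the post's ACL after the 'CCNA way' append put smtp after the deny.
SHOW_OUTPUT = """Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
    40 permit tcp any host 192.168.0.10 eq smtp
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*\S)\s*$")


def parse_acl(text):
    """Return [(seq, action, rest), ...] in the order IOS displays them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def insertion_seq(entries, before_seq):
    """Pick a free sequence number that lands a new entry just before before_seq.

    Returns None when the neighbours are adjacent (e.g. 3 and 4), meaning you
    have to 'ip access-list resequence' before there is room to insert.
    """
    seqs = [s for s, _, _ in entries]
    idx = seqs.index(before_seq)
    lower = seqs[idx - 1] if idx > 0 else 0
    if before_seq - lower < 2:
        return None
    return lower + (before_seq - lower) // 2


def insert(entries, seq, action, rest):
    """'<seq> <action> <rest>' in config-ext-nacl mode: IOS keeps the list sorted by seq."""
    if any(s == seq for s, _, _ in entries):
        raise ValueError("sequence number %d already in use" % seq)
    return sorted(entries + [(seq, action, rest)])


def delete(entries, seq):
    """'no <seq>' in config-ext-nacl mode."""
    return [e for e in entries if e[0] != seq]


def resequence(entries, start, step):
    """'ip access-list resequence <acl> <start> <step>': renumber in place, order kept."""
    return [(start + i * step, a, r) for i, (_, a, r) in enumerate(entries)]


def unreachable(entries):
    """Sequence numbers of entries that follow a catch-all 'ip any any'.

    Whatever the action of the catch-all, nothing after it can ever match.
    Only this case is modelled; partial shadowing needs real prefix/port logic.
    """
    shadowed, dead = [], False
    for seq, _action, rest in entries:
        if dead:
            shadowed.append(seq)
        elif rest == "ip any any":
            dead = True
    return shadowed


def render(entries, title="Extended IP access list 100"):
    """Re-create the 'show access-lists' layout from a list of entries."""
    return "\n".join([title] + ["    %d %s %s" % e for e in entries])


if __name__ == "__main__":
    acl = parse_acl(SHOW_OUTPUT)
    print("unreachable:", unreachable(acl))           # [40]
    seq = insertion_seq(acl, 30)                      # 25, as in the post
    fixed = insert(delete(acl, 40), seq, "permit", "tcp any host 192.168.0.10 eq smtp")
    print(render(resequence(fixed, 50, 5)))
```

Run it against a pasted ACL before you touch the box: if unreachable() is non-empty, the list already has dead rules, and if insertion_seq() returns None you know a resequence is needed first.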
Useful IOS tricks (part 1)
by rxtx on Sep.16, 2010, under Networks
This is going to be a series of short posts on little features in IOS that make your life easier. They won’t change your life or anything, but knowing them will make you much more proficient when sitting at a console. The first feature, which I hope everyone is aware of, is command lookup. This is incredibly useful when you can’t quite remember which command you need, and it can be used in two slightly different ways.
The first way is for when you have no clue at all what you need to type and just want a refresher of the available options. Typing the ‘?’ character on its own shows every command valid in the current mode with a brief description, e.g.
Router#?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  audio-prompt     load ivr prompt
  auto             Exec level Automation
  beep             Blocks Extensible Exchange Protocol commands
  bfe              For manual emergency modes setting
  calendar         Manage the hardware calendar
  call             Voice call
  ccm-manager      Call Manager Application exec commands
  cd               Change current directory
  cellular         cellular commands
  clear            Reset functions
  clock            Manage the system clock
  cns              CNS agents
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy from one file to another
  credential       load the credential info from file system
  crypto           Encryption related commands.
 --More--
Press space to see more. You can also use this on a nested basis, after a complete keyword, to see what may follow it, e.g.
Router#show access-lists ?
  <1-2799>    ACL number
  WORD        ACL name
  compiled    Compiled access-list statistics
  rate-limit  Show rate-limit access lists
  |           Output modifiers
  <cr>
Router#show access-lists
The second, slightly different way is to type ‘?’ immediately after a partial word, with no space: IOS then lists only the keywords that begin with what you have typed so far.
Router#show ip in?
inspect    interface
Router#show ip i?
icmp       igmp       inspect    interface   ips   irdp
Router#show ip in?
inspect    interface
Router#show ip in
Note that in this case you don’t get the command descriptions, just the matching keywords.
You can use this from any mode – user exec, privileged exec and config mode alike. A lot of the commands you’ll come to know by heart, but this is very useful for the ones you use less often.