Useful IOS tricks (part 3) – the ‘do’ command
by rxtx on Jan.03, 2011, under Networks
I have a very short but very useful command for you today. You'll often find yourself working in IOS config mode and forgetting little things such as 'what is the interface number I need' or 'what is the current IP assigned to this interface'. You then probably go through a series of commands like the ones below:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/^Z          <--- Arrgh, forgot which interface it was; Ctrl+Z out of config mode
% Incomplete command.
Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES NVRAM  up                    up
FastEthernet0/1            192.168.0.1     YES NVRAM  up                    up
Router#conf t                       <--- OK, found it, back into config mode
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/0
etc.
This gets annoying pretty fast, but luckily you can execute exec commands from within config mode by preceding them with ‘do’! This is a lot nicer:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/            <--- Arrgh, forgot which interface it was; let's try 'do'
% Incomplete command.
Router(config)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES NVRAM  up                    up
FastEthernet0/1            192.168.0.1     YES NVRAM  up                    up
Router(config)#int fa 0/0
Much easier, right? There are of course a few caveats, the main one being that you can't use the '?' symbol after 'do' to remind you of the available commands, but it's still a great little time saver.
Useful IOS tricks (part 2) – access list editing
by rxtx on Oct.05, 2010, under Networks
This time we are talking about those pesky things that all the server guys blame when their apps don't work: access lists! Until you know the tricks I'm about to show you, you've probably had a feeling of dread when asked to add a rule at the end of a 200-entry ACL (but before the deny ip any any, of course). We'll use this simple access list to demonstrate:
Router#sh access-lists 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
First, let's examine this output. Note that we are looking at an extended access list, although the trick works with standard ACLs too. Also note the numbers before each rule: these are sequence numbers, and we are going to learn how to harness them. Let's say we want to add another rule, permitting mail (SMTP, port 25) to the 192.168.0.10 host. If you just add the rule the way they teach you on the CCNA, you end up with the following:
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 100 permit tcp any host 192.168.0.10 eq 25
Router(config)#do sh access-l 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
    40 permit tcp any host 192.168.0.10 eq smtp
Router(config)#
Not too good really: that rule will never be hit, as it has been appended after the deny. (IOS also displays port 25 by its well-known name, smtp, which is why the entry you typed as 'eq 25' shows up as 'eq smtp'.) Luckily there's another way, using the "ip access-list" configuration command. Take note of the sequence numbers here: first we remove the rule that was appended at the end of the ACL, then we re-add it before the deny:
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#no 40
Router(config-ext-nacl)#25 permit tcp any host 192.168.0.10 eq smtp
Router(config-ext-nacl)#do show access-list 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    25 permit tcp any host 192.168.0.10 eq smtp
    30 deny ip any any
Router(config-ext-nacl)#
After entering the first command, note that we drop into config-ext-nacl mode, which is where rules are added and removed. It's quite easy: you add a rule by starting with the sequence number of where you want it to go and then entering the rest of the rule as normal. You remove a rule with "no" followed by its sequence number.
You might have realised that we can only insert so many rules between two neighbours before we run out of free numbers, but that's fine too, as IOS includes a command to resequence the list. For example:
Router#sh access-lists 100
Extended IP access list 100
    1 permit tcp any host 192.168.0.10 eq www
    2 permit tcp any host 192.168.0.10 eq 443
    3 permit tcp any host 192.168.0.10 eq smtp
    4 deny ip any any
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list resequence 100 10 10
Router(config)#do sh access-l 100
Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 permit tcp any host 192.168.0.10 eq smtp
    40 deny ip any any
Router(config)#
So the key command there is "ip access-list resequence 100 10 10". Don't be put off by the raft of numbers, it's really simple. The first number (100) is the access list we want to resequence; the second number (10) is the sequence number we want the first rule to start at; the third number (10) is the increment for each following rule. Let's try another example, where we want the list to start at 50 with increments of 5:
Router(config)#ip access-list resequence 100 50 5
Router(config)#do sh access-l 100
Extended IP access list 100
    50 permit tcp any host 192.168.0.10 eq www
    55 permit tcp any host 192.168.0.10 eq 443
    60 permit tcp any host 192.168.0.10 eq smtp
    65 deny ip any any
Router(config)#
These few commands have come in incredibly useful for me and have saved me a great deal of ACL related headaches, I recommend you learn them!
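The whole procedure above (find the trailing deny, pick a free sequence number before it, and resequence first when the numbers are packed too tightly) is mechanical enough to script. The following Python is an added example, not code from this post: it parses "show access-lists" output, mimics the "ip access-list resequence" renumbering, and emits the IOS configuration lines you would paste in. The sample ACL text is constructed from the outputs shown above (with "(N matches)" counters added, as IOS prints on entries that have been hit); function names, the midpoint choice for the new sequence number, and the default resequence start/step of 10/10 are my own assumptions.

```python
import re

# Constructed sample input: the "show access-lists 100" output from the post.
SAMPLE_ACL = """Extended IP access list 100
    10 permit tcp any host 192.168.0.10 eq www
    20 permit tcp any host 192.168.0.10 eq 443
    30 deny ip any any
"""

# Constructed sample with no free number before the deny, plus hit counters.
DENSE_ACL = """Extended IP access list 100
    1 permit tcp any host 192.168.0.10 eq www (12 matches)
    2 permit tcp any host 192.168.0.10 eq 443
    3 permit tcp any host 192.168.0.10 eq smtp
    4 deny ip any any (7 matches)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)")
# seq, action, rule body; an optional trailing "(N matches)" counter is dropped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)\s*(?:\(\d+ matches?\))?\s*$")


def parse_acl(text):
    """Return (kind, name, [(seq, action, rest), ...]) from 'show access-lists' output."""
    kind = name = None
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and kind is not None:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    if kind is None:
        raise ValueError("no access-list header found")
    return kind, name, entries


def resequence(entries, start, step):
    """Mimic 'ip access-list resequence <acl> <start> <step>': renumber in order."""
    return [(start + i * step, action, rest)
            for i, (_, action, rest) in enumerate(entries)]


def insert_before_final_deny(text, rule, start=10, step=10):
    """Return the IOS config lines that insert `rule` just before the trailing
    'deny ip any any', resequencing first if no sequence number is free."""
    if step < 2:
        raise ValueError("step must be at least 2 to leave room for insertions")
    kind, name, entries = parse_acl(text)
    if not entries or (entries[-1][1], entries[-1][2]) != ("deny", "ip any any"):
        raise ValueError("ACL does not end with an explicit 'deny ip any any'")

    cmds = []
    prev_seq = entries[-2][0] if len(entries) > 1 else 0
    deny_seq = entries[-1][0]
    if deny_seq - prev_seq < 2:
        # No free number between the last permit and the deny: renumber first.
        cmds.append(f"ip access-list resequence {name} {start} {step}")
        entries = resequence(entries, start, step)
        prev_seq = entries[-2][0] if len(entries) > 1 else 0
        deny_seq = entries[-1][0]

    new_seq = (prev_seq + deny_seq) // 2   # midpoint keeps room on both sides
    cmds.append(f"ip access-list {kind} {name}")
    cmds.append(f" {new_seq} {rule}")
    return cmds


if __name__ == "__main__":
    for acl in (SAMPLE_ACL, DENSE_ACL):
        print("\n".join(insert_before_final_deny(
            acl, "permit tcp any host 192.168.0.10 eq smtp")))
        print()
```

The script only generates the configuration; it deliberately does not talk to the router, so you can review the lines (and the resequence, which renumbers every entry) before pasting them in.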
Useful IOS tricks (part 1)
by rxtx on Sep.16, 2010, under Networks
This is going to be a series of short posts on little features in IOS which make your life easier. They won't change your life or anything, but knowing them will make you much more proficient when sitting at a console. The first feature I'm going to discuss, which I hope everyone is already aware of, is command lookup (context-sensitive help). It is incredibly useful when you can't quite remember which command you need, and it can be used in two slightly different ways.
The first way is for when you have no clue at all what you need to type and just want a refresher of the available options. Typing the '?' character on its own shows you all possible commands with a brief description, e.g.:
Router#?
Exec commands:
  <1-99>           Session number to resume
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  access-template  Create a temporary Access-List entry
  archive          manage archive files
  audio-prompt     load ivr prompt
  auto             Exec level Automation
  beep             Blocks Extensible Exchange Protocol commands
  bfe              For manual emergency modes setting
  calendar         Manage the hardware calendar
  call             Voice call
  ccm-manager      Call Manager Application exec commands
  cd               Change current directory
  cellular         cellular commands
  clear            Reset functions
  clock            Manage the system clock
  cns              CNS agents
  configure        Enter configuration mode
  connect          Open a terminal connection
  copy             Copy from one file to another
  credential       load the credential info from file system
  crypto           Encryption related commands.
 --More--
Press space to page through the rest. You can also use '?' after a partial command (with a space before it) to list the arguments that can follow, e.g.:
Router#show access-lists ?
  <1-2799>    ACL number
  WORD        ACL name
  compiled    Compiled access-list statistics
  rate-limit  Show rate-limit access lists
  |           Output modifiers
  <cr>
Router#show access-lists
The second, slightly different way is to type '?' directly after a partly typed word (no space). IOS then lists only the keywords that match what you have typed so far:
Router#show ip in?
inspect  interface
Router#show ip i?
icmp  igmp  inspect  interface  ips  irdp
Router#show ip in?
inspect  interface
Router#show ip in
However note that in this case you don’t get the command descriptions.
You can use this from any mode, so it works in user exec, privileged exec and config modes alike. Many commands you'll come to know by heart, but this is very useful for the ones you use less often.