Mundy IT Knowledge Base


kb:cisco

Differences

This shows you the differences between two versions of the page.

kb:cisco [2016/09/29 16:04]
Dan Mundy
— (current)
Line 1: Line 1:
-====== Cisco ====== 
- 
-  * [[it:​cisco_sg300]] 
-  * [[it:​cisco_switches]] 
- 
-===== Misc ===== 
- 
-  * [[http://​www.subnetonline.com/​pages/​subnet-calculators/​ipv4-wildcard-calculator.php|Wildcard mask calculator]] to convert a subnet mask into a wildcard mask required for ACLs 
- 
-===== Config / Firmware / etc ===== 
- 
-  * [[it:​delete_sdm_from_cisco_flash]] 
-  * [[it:​cisco_password_recovery]] 
-  * [[it:​setting_password_on_cisco_routers]] 
-  * [[it:​upgrading_ios_on_cisco]] 
-  * [[it:​clearing_configs_on_cisco_routers_and_switches]] 
-  * [[it:​how_to_save_a_cisco_config_file]] 
- 
-===== Networking / Routing / etc ===== 
- 
-  * [[https://​supportforums.cisco.com/​docs/​DOC-8313|dual internet links NATing with PBR and IP SLA]] 
-  * [[it:​how_to_disable_stp]] 
-  * [[it:​vlans_in_cisco_routers]] 
- 
-===== Logging etc ===== 
- 
-  * [[https://​supportforums.cisco.com/​docs/​DOC-4687|Router log timestamp entries are different from the system clock when the NTP is configured]] 
-  * [[it:​date_and_time_on_cisco]] 
-  * [[it:​cisco_logging_debugging_and_adsl_troubleshooting]] 
-  * [[it:​netflow_in_cisco]] 
-  * [[it:​stop_logging_messages_from_interrupting_your_configuration]] 
-  * [[Troubleshooting Cisco CPU utilisation]] 
- 
-===== Network Services ===== 
- 
-  * [[Cisco Router as a DHCP Server]] 
-  * [[it:​use_a_cisco_router_as_a_dns_server]] 
-  * [[it:​running_an_ftp_server_behind_a_cisco_router_with_nat]] 
-  * [[it:​dhcp_relay_in_cisco_router]] 
-  * [[it:​cisco_router_as_a_dhcp_client]] 
- 
-===== SSH ===== 
- 
-  * [[it:​regenerate_ssh_keys_on_cisco]] 
-  * [[it:​lock_down_ssh_on_cisco_routers]] 
-  * [[http://​blog.pluralsight.com/​configure-secure-shell-ssh-on-cisco-router|Configure SSH]] 
- 
-===== Scripting ===== 
- 
-  * [[it:​cisco_scripts]] 
- 
-Resources for scripting in cisco: 
- 
-  * [[http://​blog.ioshints.info/​2007/​04/​execute-multiple-commands-at-once.html|Execute multiple commands at once]] 
-  * [[http://​blog.ioshints.info/​2007/​05/​ios-tclsh-resources.html|IOS Tclsh resources]] 
-  * [[http://​blog.ioshints.info/​2007/​08/​example-tcl-script-with-command-line.html|Example:​ Tcl script with command-line parameters]] 
- 
-===== Security ===== 
- 
-  * [[Cisco router users]] 
- 
-===== VPN ===== 
- 
-  * [[it:​cisco_vpn_client]] 
-  * [[it:​ias_authentication_for_cisco_vpn]] 
- 
-IPSEC uses "​Security Associations"​ (SA) - An SA is a relationship between two or more potential VPN endpoints, which determines what encryption algorithms to use, and the two endpoints exchange session keys. ([[http://​etutorials.org/​Networking/​Cisco+Certified+Security+Professional+Certification/​Part+III+Virtual+Private+Networks+VPNs/​Chapter+9+Cisco+IOS+IPSec+Introduction/​Security+Association+SA/​|more info]]) 
- 
-You can see the SAs with the command: show crypto isakmp sa 
- 
-Sometimes an endpoint will reconnect to the Internet and reconnect with a different session key, and the other endpoint will think that nothing even happened, so both endpoints have different session keys and can't talk. You can clear the SA with this command: clear crypto ipsec sa 
- 
-Or in Cisco'​s words: An IPSec "black hole" occurs when one IPSec peer "​dies"​ (for example, a peer can "​die"​ if a reboot occurs or if an IPSec peer somehow gets reset). Because one of the peers (the receiving peer) is completely reset, it loses its IKE SA with the other peer. Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE "​INVALID SPI NOTIFY"​ message to the data originator. This notification is sent using the IKE SA. If there is no IKE SA available, the receiving peer drops the packet. Source: [[http://​www.cisco.com/​en/​US/​docs/​ios/​12_3t/​12_3t2/​feature/​guide/​gt_ispir.html|Invalid SPI Recovery]] - this may be a feature we can turn on so we never see this problem... 
- 
-===== Config Templates ===== 
- 
-  * [[it:​cisco_template_-_gre_with_ipsec]] 
-  * [[it:​cisco_template_-_dmvpn]] 
-  * [[it:​cisco_template_-_switch]] 
-  * [[it:​cisco_template_-_ipsec_dial-in_vpn]] 
- 
------------------------------------- 
- 
-===== Basic Commands ===== 
- 
-When typing any command, you can press ? to show help information. This can show available commands, and also syntax for specific commands. You can also use TAB to complete commands. 
- 
-  * Clear the NAT translation tables: clear ip nat translation * 
-  * Go to beginning of line: CTRL+A, to end of line: CTRL+E 
-  * Delete the startup config (will show setup mode after reload): erase startup-config 
-  * Show host table: show hosts (temp = cached lookup, perm = host added with "ip host") 
-  * Disable console logging: no logging console 
-  * Turn off all debugging: "​undebug all" or "un all" 
- 
-Reload the Router 
- 
-  * Reload config:​reload 
-  * reload in 5 (say no to save config) 
-  * reload at 
-  * reload cancel 
-  * Some examples: http://​www.problutions.com/?​p=462 
- 
-Show the Running Config 
- 
-  * Turn off the annoying MORE behaviour:​terminal length 0(term len 0) 
-  * Show the configuration:​show running-config(show run) 
-  * Show the startup config:show startup-config(show start) 
-  * Revert changes from startup config:copy startup-config running-config(copy start run) - or just reboot the router 
-  * Commit changes to startup config:copy running-config startup-config(copy run start) 
-  * Another method (does the same thing):wr 
-  * Start displaying config at specific line containing word: show run | begin word 
-  * Display all lines with given word: show run | include word 
-  * show run | section word 
- 
-Routing 
- 
-  * Show routes: show ip route 
- 
-Interfaces 
- 
-  * List interfaces: show ip int brief 
-  * Show particular interface: show run interface Dialer0 
-  * Show trunk ports: show interface trunk 
- 
-Insert ACLs using Line Numbers 
- 
-  * To show ACL rules with line numbers: show ip access-list 
-  * To remove a line (eg. 50): no 50 
-  * To add a rule at a line number (eg. 50): 50 permit udp any any eq domain 
  
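Review bot: In the VPN section the SA paragraph tells the reader to view SAs with "show crypto isakmp sa" but to clear them with "clear crypto ipsec sa"; those are two different things (the ISAKMP/IKE phase 1 SA versus the IPsec phase 2 SAs), and the quoted Cisco "black hole" text describes losing the IKE SA, so the paragraph should state which SA each command shows or clears and pair each show with its matching clear ("clear crypto isakmp" for the IKE SA, "show crypto ipsec sa" for the IPsec SAs) rather than mixing the two. Under "Insert ACLs using Line Numbers", "no 50" and "50 permit udp any any eq domain" are entered in the access-list configuration sub-mode reached with "ip access-list extended <name>", which the list never mentions; listed beside the exec-mode "show ip access-list" they read as if typed at the same prompt. Finally, this revision blanks the page entirely (the current side is empty); if the content moved to another namespace, leave a link or redirect so the existing cross-references in the "it:" namespace do not dead-end.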
kb/cisco.1475130865.txt.gz · Last modified: 2016/09/29 16:04 by Dan Mundy