Posts tagged as:

IOS

Best Practices and Securing Cisco IOS

by Tony Mattke on September 6, 2011



Everyone has different views on hardening IOS, and while I do not claim to be an expert, these are the practices that I commonly use when bringing up a new device. If you see something I missed, please leave a comment and I’ll add it to the list and send the credit your way. I’ve also included general best practices that I follow that fall outside of the security realm. This is in no way a complete list of best practices, or a complete step-by-step guide to hardening an IOS device.


IOS Embedded Packet Capture

by Tony Mattke on February 14, 2011



Tired of setting up SPAN sessions? Need to do some packet analysis? Since IOS 12.4(20)T Cisco has made Embedded Packet Capture (EPC) available. EPC is a powerful troubleshooting tool that allows engineers to capture packets inside a Cisco router which can be essential in many troubleshooting scenarios.

Configuring EPC

The following steps will guide you through the EPC configuration process.

Define a capture buffer

The capture buffer is an area in memory for holding packet data. Here you have the option for two types of buffers, circular and linear. A linear buffer stops capturing data when full, while a circular buffer continues capturing while overwriting older data, acting like a FIFO (First in, First out) buffer.

R1#monitor capture buffer TEST_BUFFER ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)

R1#monitor capture buffer TEST_BUFFER size ?
  <1-512>  Buffer size in Kbytes : 512K or less (default is 256K)

You can also limit the number of bytes to capture per packet, truncating any excess data.

R1#monitor capture buffer TEST_BUFFER max-size ?
  <68-1024>  Element size in bytes : 1024 bytes or less (default is 68 bytes)
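To make the difference between the two buffer types concrete, here is a small added example (my own code, not from the original post or from Cisco) that models a capture buffer in Python: the "size" limit, the per-packet "max-size" truncation, and what happens once the buffer is full in linear versus circular mode. Sizes are in bytes here rather than the CLI's Kbytes, and the packets are constructed filler, not real captures.

```python
# Added example (not from the original post): a model of the two EPC buffer
# types, showing what each does once it fills. Sizes are in bytes here; the
# real CLI takes "size" in Kbytes and "max-size" as the per-packet element
# limit in bytes (68 by default, which truncates most payloads).
from collections import deque


class CaptureBuffer:
    """Holds truncated packet copies. 'linear' stops capturing when full;
    'circular' evicts the oldest entries (FIFO) to make room for new ones."""

    def __init__(self, size_bytes, max_size=68, mode="linear"):
        if mode not in ("linear", "circular"):
            raise ValueError("mode must be 'linear' or 'circular'")
        self.size_bytes = size_bytes
        self.max_size = max_size      # bytes kept per packet; the rest is dropped
        self.mode = mode
        self.packets = deque()        # oldest element on the left
        self.used = 0
        self.dropped = 0              # not stored (linear) or evicted (circular)

    def capture(self, packet: bytes) -> bool:
        """Store a truncated copy of the packet; return True if it was kept."""
        element = packet[: self.max_size]
        if len(element) > self.size_bytes:
            self.dropped += 1         # a single element can never fit
            return False
        if self.mode == "linear":
            if self.used + len(element) > self.size_bytes:
                self.dropped += 1     # buffer full: capture has effectively stopped
                return False
        else:
            # circular: evict oldest elements until the new one fits
            while self.used + len(element) > self.size_bytes:
                old = self.packets.popleft()
                self.used -= len(old)
                self.dropped += 1
        self.packets.append(element)
        self.used += len(element)
        return True

    def dump(self):
        return list(self.packets)


def run_demo(mode, n_packets=10, packet_len=100, size_bytes=300, max_size=68):
    """Feed n constructed packets through one buffer and summarise the result."""
    buf = CaptureBuffer(size_bytes, max_size, mode)
    for i in range(n_packets):
        # constructed packet: an index byte followed by filler
        buf.capture(bytes([i]) + b"\x00" * (packet_len - 1))
    kept = buf.dump()
    return {
        "mode": mode,
        "stored": len(kept),
        "first_index": kept[0][0] if kept else None,
        "last_index": kept[-1][0] if kept else None,
        "element_len": len(kept[0]) if kept else 0,
        "dropped": buf.dropped,
    }


if __name__ == "__main__":
    for m in ("linear", "circular"):
        print(run_demo(m))
```

With a 300-byte buffer and the default 68-byte element size only four packets fit, so the linear buffer keeps packets 0 to 3 and silently ignores the rest, while the circular buffer ends up holding packets 6 to 9. For a troubleshooting or incident capture that runs for a while, that is the choice to make deliberately: circular keeps the most recent traffic, linear keeps the first traffic seen, and either way the default max-size keeps only headers unless you raise it.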



Petition Cisco for Educational IOS Licensing

by Tony Mattke on July 7, 2010



Greg Ferro of Etheralmind.com has started a petition asking Cisco to offer those who pursue Cisco’s certifications a legal course of licensing, without the cost of building a home-made space shuttle. Please take some time to read and sign the petition.

We want to be able to practice that knowledge, and demonstrate our competence. We know that you are considering the value. This petition is to show our need for this solution. Wendell Odom discusses the possibility in Cisco Considers IOS for Certification Self Study, and we are calling for Cisco to make an option available.

This experience and knowledge we gain gives us the capability to make the most of Cisco equipment for our employers, your customers. We help drive the best return on investment, and keep the network performing in the way that your customers expect. We can test configurations prior to making changes and be better prepared. We can develop more complex configurations than would otherwise be possible, and not blame the equipment afterwards.

Updated with new URL.


IOS ACL Resequencing

by Tony Mattke on November 23, 2009



This is one of those tricks you wish you had learned about 10 years ago, but never did. You know how easy it is to mess up a nice-looking access list. You get one set up on the router, and then you end up tinkering with it over the next month, and the next thing you know you have the ACL that fell out of the ugly tree and hit every branch on the way down. I have the same issue; actually, the other day I was working on some ACLs for a client’s VPN configuration when I realized I had forgotten to include some entries. So after adding what I needed, I ended up with something like this… (IP addresses have obviously been changed to protect the innocent. OK, honestly, the whole example is just hogwash. I’m way too lazy to actually go look up the ACL I was working on.)




How many times a day do you issue a show command from configuration mode? If you’re anything like me, it’s enough to get annoying. Luckily Cisco has given us the ability to define our own aliases, so here is a simple solution to this issue.

Router(config)#alias configure show do show

While this fixes part of the issue, you’ll need to configure an additional alias for each configuration mode that you wish to use this in. I would certainly at least set one up for interface and router configuration mode. Are there any handy aliases you use every day? Comment below to share them with us!

Update: I had to update this article to include another alias I’ve configured recently on our Nexus gear. NX-OS has eliminated the wr shortcut for write memory, forcing you to use copy running-config startup-config or a shortened version like copy run start. Either way, I always forget at least once a day. Using the following alias we can restore that functionality!

N7K(config)#cli alias name wr copy running-config startup-config


Cisco IOS Tips and Tricks

by Tony Mattke on May 27, 2009



So, I’m sure these have been posted almost on every networking blog under the sun, but who knows, right? Here are a few tips and tricks to help you move around the IOS a bit faster, find information faster, and locate problems… faster.


Cisco IOS Naming Conventions

by Tony Mattke on March 16, 2009



As I started building this lab, I realized that I had to find a refresher course on the IOS naming conventions. They have gone through a number of revisions through the years, but here is a guide that should help most of you building CCNA/CCNP labs.

Let’s take c3640-jk9s-mz.124-16.bin as an example.

The first thing we see is a platform designator. c3640 tells us that the IOS is for a 3640 router. See, I told you this was easy.

After that comes a series of alphanumeric characters; these designate the feature sets included in the image.

c       Remote Access Server
i       IP feature set
j       Enterprise feature set (all protocols)
s       PLUS feature set (extra queuing, manipulation or translations)
s2      Voice IP to IP Voice Gateway (26xx/36xx/37xx only)
s3      “Basic” (limited IP routing, for limited-memory 26xx, 36xx)
s4      “Basic” without switching
s5      “Basic” without HD analog/AIM/Voice
56i     56-bit IPSec DES encryption
o       Firewall
o3      Firewall/IDS
k2      included encryption (having trouble finding exact info on these..)
k8      DES encryption
k9      3DES IPSec encryption (168-bit)

The next part tells you where the image runs from. Most end in ‘mz’: ‘m’ means it runs from memory (not flash), and ‘z’ tells us that it is zip compressed.

The third part is the actual IOS version number itself, for example:
124-16     indicates IOS 12.4 subrelease 16
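Because image names are what you end up grepping through when taking inventory of a fleet (for instance to find which routers carry a k9 crypto image and which do not), here is an added example in Python that parses a name into its parts using the designator table from this post. This is my own code, not Cisco's and not from the original post; the feature-set meanings are taken from the list above, and the constructed names in the tests are illustrative, not real image files.

```python
# Added example (not from the original post): parse a Cisco IOS image name
# such as c3640-jk9s-mz.124-16.bin into platform, feature-set designators,
# run-from/compression letters and version. The designator meanings below are
# the ones listed in the post; newer images use feature-set words (e.g.
# "ipbase") that this letter table does not cover, so those raise ValueError.
import re

# Feature-set designators as listed in the post.
FEATURE_SETS = {
    "c": "Remote Access Server",
    "i": "IP feature set",
    "j": "Enterprise feature set (all protocols)",
    "s": "PLUS feature set",
    "s2": "Voice IP to IP Voice Gateway",
    "s3": "Basic (limited IP routing)",
    "s4": "Basic without switching",
    "s5": "Basic without HD analog/AIM/Voice",
    "56i": "56-bit IPSec DES encryption",
    "o": "Firewall",
    "o3": "Firewall/IDS",
    "k2": "included encryption",
    "k8": "DES encryption",
    "k9": "3DES IPSec encryption (168-bit)",
}

# Run-from / compression letters as described in the post.
RUNTIME = {"m": "runs from memory (not flash)", "z": "zip compressed"}

# Longest designators first so "k9" is matched before "k" could swallow it.
_ALT = "|".join(sorted(FEATURE_SETS, key=len, reverse=True))
_TOKEN_RE = re.compile(_ALT)
_FEATURES_ALL_RE = re.compile(f"(?:{_ALT})+")

# platform-features-runtime.version.bin, e.g. c3640-jk9s-mz.124-16.bin
_NAME_RE = re.compile(
    r"(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<runtime>[a-z]+)"
    r"\.(?P<version>\d{2,}-\d+)\.bin"
)


def parse_ios_image(filename: str) -> dict:
    """Split an IOS image file name into its documented components."""
    m = _NAME_RE.fullmatch(filename)
    if not m:
        raise ValueError(f"not a recognised IOS image name: {filename!r}")
    feat = m["features"]
    # Every character must belong to a known designator, else we refuse to
    # guess (better to flag an image than to misreport its crypto level).
    if not _FEATURES_ALL_RE.fullmatch(feat):
        raise ValueError(f"unrecognised feature-set designators in {feat!r}")
    tokens = _TOKEN_RE.findall(feat)
    ver, sub = m["version"].split("-", 1)       # "124-16" -> "124", "16"
    return {
        "platform": m["platform"],              # e.g. c3640 -> a 3640 router
        "features": tokens,
        "feature_descriptions": [FEATURE_SETS[t] for t in tokens],
        "runtime": [RUNTIME.get(ch, f"unknown designator {ch!r}")
                    for ch in m["runtime"]],
        "version": f"{ver[:-1]}.{ver[-1]}",    # "124" -> "12.4"
        "subrelease": sub,
        "has_3des_ipsec": "k9" in tokens,
    }


if __name__ == "__main__":
    for name in ("c3640-jk9s-mz.124-16.bin", "c2600-is-mz.122-15.bin"):
        print(name, "->", parse_ios_image(name))
```

The `has_3des_ipsec` flag is the kind of thing worth pulling out of an inventory: an image without k9 cannot terminate 3DES IPSec tunnels, and an image name this parser rejects is one to inspect by hand rather than assume anything about.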
