Saturday, November 1, 2025

Cisco Router Debug Using ACL

I was unable to debug IP traffic using a named ACL, so I used an extended numbered ACL instead. I also used an object group to group public IP subnets together and to add more subnets as needed.

Router#debug ip packet ?      
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#configure terminal          
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#object-group network MY-PUBLIC-IP 
Router(config-network-group)#202.8.6.0 255.255.255.0
Router(config-network-group)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#no ip access-group MY-PUBLIC-IP-IN in
Router(config-if)#ip access-list extended 101
Router(config-ext-nacl)# permit ip object-group MY-PUBLIC-IP any
Router(config-ext-nacl)# permit ip host 8.8.8.8 any 
Router(config-ext-nacl)#exit
Router(config)#interface GigabitEthernet0/0/0
Router(config-if)#ip access-group 101 in
Router(config-if)#end


Router#ping 8.8.8.8 source 192.168.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms

Router#debug ip packet ?
  <1-199>      Access list
  <1300-2699>  Access list (expanded range)
  detail       Print more debugging detail
  <cr>         <cr>

Router#debug ip packet 101 ?
  detail  Print more debugging detail
  <cr>    <cr>

Router#debug ip packet 101 
IP packet debugging is on for access list 101

Router#terminal monitor   // DISPLAY DEBUG OUTPUT WHEN CONNECTED VIA SSH

I tried to ping the Internet (Google DNS 8.8.8.8), and the debug output displayed the source and destination IP addresses of the traffic.

Router#ping 8.8.8.8 source 192.168.14.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.14.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms


Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.175 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
Oct 26 09:53:48.181 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
MCT1-OOB-GW01#
Oct 26 09:53:48.186 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB
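As an added Python example (not code from the original post), here is a small model of the ACL-scoped debug shown above: it parses the IOS `IP: tableid=..., s=... d=...` debug lines, expands the object group and the `host`/`any` terms of ACL 101, and reports which packets `debug ip packet 101` would print. The two echo-reply lines are the post's own; the outbound echo request (with a constructed next hop 203.0.113.1) and the packet from 202.8.6.10 to 192.168.14.50 are constructed to show what is filtered and what is not. Only `permit|deny ip` entries are modelled; the `address wildcard` form is handled as a generalisation beyond the post.

```python
import ipaddress
import re

# Constructed sample data modelled on the post: the object group and the
# numbered extended ACL 101 used to scope "debug ip packet 101".
OBJECT_GROUPS = {
    "MY-PUBLIC-IP": ["202.8.6.0 255.255.255.0"],   # "address netmask", as typed in config
}
ACL_101 = [
    "permit ip object-group MY-PUBLIC-IP any",
    "permit ip host 8.8.8.8 any",
]

# Matches the IOS "IP: tableid=N, s=A (in-if), d=B (out-if)" debug format.
DEBUG_RE = re.compile(
    r"IP: tableid=(?P<tableid>\d+), s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\)"
)


def address_term(tokens):
    """Turn one ACL address term into a list of networks; returns (networks, tokens used).

    Handles 'any', 'host A', 'object-group NAME' and the 'A wildcard' form
    (ipaddress accepts a hostmask after the slash, which is what a wildcard is).
    """
    kind = tokens[0]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if kind == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], 2
    if kind == "object-group":
        nets = [ipaddress.ip_network(member.replace(" ", "/"), strict=False)
                for member in OBJECT_GROUPS[tokens[1]]]
        return nets, 2
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], 2


def parse_acl(lines):
    """Parse 'permit|deny ip <src> <dst>' entries (only the 'ip' protocol is modelled)."""
    entries = []
    for line in lines:
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line}")
        src_nets, used = address_term(tokens[2:])
        dst_nets, _ = address_term(tokens[2 + used:])
        entries.append((action, src_nets, dst_nets))
    return entries


def acl_permits(entries, src, dst):
    """First-match evaluation, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets in entries:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return action == "permit"
    return False


def parse_debug_line(line):
    m = DEBUG_RE.search(line)
    return m.groupdict() if m else None


def filter_debug(debug_lines, acl_lines):
    """Return (src, dst, in_if, out_if) for every packet the ACL-scoped debug would print."""
    entries = parse_acl(acl_lines)
    shown = []
    for line in debug_lines:
        pkt = parse_debug_line(line)
        if pkt and acl_permits(entries, pkt["src"], pkt["dst"]):
            shown.append((pkt["src"], pkt["dst"], pkt["in_if"], pkt["out_if"]))
    return shown


# Constructed sample: two echo replies as seen in the post, the outbound echo
# request the post does not show, and a packet from the object-group subnet.
SAMPLE_DEBUG = [
    "Oct 26 09:53:48.164 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), "
    "d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB",
    "Oct 26 09:53:48.169 UTC: IP: tableid=0, s=8.8.8.8 (GigabitEthernet0/0/0), "
    "d=192.168.14.1 (GigabitEthernet0/0/1) nexthop=192.168.14.1, routed via RIB",
    "Oct 26 09:53:48.160 UTC: IP: tableid=0, s=192.168.14.1 (GigabitEthernet0/0/1), "
    "d=8.8.8.8 (GigabitEthernet0/0/0) nexthop=203.0.113.1, routed via RIB",
    "Oct 26 09:53:49.001 UTC: IP: tableid=0, s=202.8.6.10 (GigabitEthernet0/0/0), "
    "d=192.168.14.50 (GigabitEthernet0/0/1) nexthop=192.168.14.50, routed via RIB",
]

if __name__ == "__main__":
    for pkt in filter_debug(SAMPLE_DEBUG, ACL_101):
        print(pkt)
```

The model shows why only the replies from 8.8.8.8 appear in the post's output: the outbound echo request has source 192.168.14.1, which no entry in ACL 101 permits, so the debug filter drops it. On a production router this is also the safety net that keeps `debug ip packet` from logging every forwarded packet; never run it unscoped on a busy box.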

 

Wednesday, September 3, 2025

Configure Cisco no service password-recovery

The no service password-recovery command is a security enhancement that prevents anyone with physical console access from performing router configuration and changing the local passwords through the password-recovery procedure. It also prevents changing the configuration register values and accessing the NVRAM, which stores the startup config.

This command is applicable in a highly secure environment, and it fits our scenario, wherein we don't intend to retrieve or reuse our network gear since it's located in a very remote area.


Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#no service password-recovery
WARNING:
Executing this command will disable the password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes]: yes
Router(config)#end
Router#write memory
Building configuration...
[OK]

Router#show run | inc no service
no service pad
no service password-recovery


Disabling password recovery on a Cisco Catalyst switch uses a slightly different command. You'll need to verify first whether the switch is standalone or stacked, using the show switch command.


Switch#show switch
Switch/Stack Mac Address : 3c0e.2357.1234 - Local Mac Address
Mac persistency wait time: Indefinite
                                             H/W   Current
Switch#   Role    Mac Address     Priority Version  State
------------------------------------------------------------
*1       Active   3c0e.2357.1234     1      V02     Ready

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
3850(config)#system ?
  debug        Debug Shell
  disable      Disable password recovery
  environment  Set the system environment settings
  fnf          Flexible Netflow
  ignore       Ignore Startup Config
  mode-button  Enable Mode button for reset
  mtu          Set the global ethernet payload size

Switch(config)#system disable ?
  password  Disable password recovery

Switch(config)#system disable password ?
  recovery  Disable password recovery

Switch(config)#system disable password recovery ?
  switch  Set config on switches in stack

Switch(config)#system disable password recovery switch ?
  <1-9>  Switch number
  all    Set config for all switches in stack

Switch(config)#system disable password recovery switch all
Applying config on Switch 1...[DONE]
Switch(config)#end
Switch#write memory
Building configuration...
Compressed configuration from 14004 bytes to 6042 bytes[OK]


The system disable password recovery switch command is not visible when you issue show run, or even show run all.

Switch#show run | inc system
system mtu 1500
spanning-tree extend system-id

Switch#show run all | inc system disable
Switch# <BLANK>

Friday, August 1, 2025

Deleting a Cisco File Directory

Some older Cisco switches have limited flash memory and require deleting large files, such as an IOS/IOS-XE .bin image, to free up space.

 
Switch#copy ftp://ftp:ftp123@192.168.1.251/me360x-universalk9-mz.123-3.S5.bin flash
Destination filename [me360x-universalk9-mz.123-3.S5.bin]?
Accessing ftp://*****:*****@192.168.1.251/me360x-universalk9-mz.123-3.S5.bin...
Loading me360x-universalk9-mz.123-3.S5.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!
%Error writing flash:/me360x-universalk9-mz.123-3.S5.bin (No space left on device)


Switch#dir
Directory of flash:/

    2  -rwx       12196  Jul 20 2018 09:21:37 +00:00  vlan.dat
    3  -rwx        2251  Feb 25 2013 15:28:47 +00:00  FOC1637V0NF_20130225072612345.lic
    4  -rwx    24390193   Mar 5 2013 10:53:32 +00:00  me360x-universalk9-mz.456-1.S1.bin
    5  -rwx        4774  Feb 25 2013 13:38:53 +00:00  config.old
    6  drwx         512   Mar 1 1993 00:13:28 +00:00  me360x-universalk9-mz.789-2.S1
   14  -rwx        2072   Oct 2 2018 10:51:46 +00:00  multiple-fs
   15  -rwx       22731   Oct 2 2018 10:51:46 +00:00  config.text
   16  -rwx        3786   Oct 2 2018 10:51:46 +00:00  private-config.text

57931776 bytes total (6690816 bytes free)


You can't delete a directory with a plain delete command while there are files within it. You'll need to issue delete /recursive to delete the entire directory and all of its files.

 
Switch#delete flash:/me360x-universalk9-mz.789-2.S1
Delete filename [me360x-universalk9-mz.789-2.S1]?
Delete flash:/me360x-universalk9-mz.789-2.S1? [confirm]
%Error deleting flash:/me360x-universalk9-mz.789-2.S1 (Is a directory)

Switch#delete ?
  /force      Force delete
  /recursive  Recursive delete
  flash:      File to be deleted
  nvram:      File to be deleted

Switch#delete /recursive flash:me360x-universalk9-mz.789-2.S1      // USE /force TO SKIP CONFIRM
Delete filename [me360x-universalk9-mz.789-2.S1]?
Examine files in directory flash:/me360x-universalk9-mz.789-2.S1? [confirm]
Examine files in directory flash:/me360x-universalk9-mz.789-2.S1/html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/html/foo.html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/html? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/me360x-mfpga.bit? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/me360x-universalk9-mz.789-2.S1.bin? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/controlfpga.bin? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/info? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1/psoc.dld? [confirm]
Delete flash:/me360x-universalk9-mz.789-2.S1? [confirm]


Switch#dir
Directory of flash:/

    2  -rwx       12196  Jul 20 2018 09:21:37 +00:00  vlan.dat
    3  -rwx        2251  Feb 25 2013 15:28:47 +00:00  FOC1637V0NF_20130225072612345.lic
    4  -rwx    24390193   Mar 5 2013 10:53:32 +00:00  me360x-universalk9-mz.456-1.S1.bin
    5  -rwx        4774  Feb 25 2013 13:38:53 +00:00  config.old
   14  -rwx        2072   Oct 2 2018 10:51:46 +00:00  multiple-fs
   15  -rwx       22731   Oct 2 2018 10:51:46 +00:00  config.text
   16  -rwx        3786   Oct 2 2018 10:51:46 +00:00  private-config.text

57931776 bytes total (33289728 bytes free)
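As an added Python example (not from the original post), here is a parser for the `dir` output format above that pulls out each entry's size and type and the total/free summary, so a space check can be scripted before pushing an image. The listing embedded below is the post's own "before" output; the image size of 25,000,000 bytes used in the usage note is a constructed value, since the post does not give the size of the .bin being copied.

```python
import re

# Matches one entry line of IOS "dir flash:" output, e.g.
#     6  drwx         512   Mar 1 1993 00:13:28 +00:00  me360x-universalk9-mz.789-2.S1
ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-d][rwx-]{3})\s+(?P<size>\d+)\s+"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>[+-]\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)
SUMMARY_RE = re.compile(r"^\s*(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)\s*$")


def parse_dir(output):
    """Parse 'dir' output into (entries, total_bytes, free_bytes)."""
    entries, total, free = [], None, None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "name": m["name"],
                "size": int(m["size"]),
                "is_dir": m["perms"].startswith("d"),
            })
            continue
        m = SUMMARY_RE.match(line)
        if m:
            total, free = int(m["total"]), int(m["free"])
    return entries, total, free


def bytes_short(free, image_size):
    """How many more bytes must be freed before an image of image_size fits."""
    return max(0, image_size - free)


def largest_entries(entries, n=3):
    """Largest entries first. A directory's listed size is the entry itself (512 here),
    not its contents, so a directory is flagged rather than sized."""
    return sorted(entries, key=lambda e: e["size"], reverse=True)[:n]


# The 'dir' output from the post, embedded so this runs offline.
SAMPLE_DIR = """\
Directory of flash:/

    2  -rwx       12196  Jul 20 2018 09:21:37 +00:00  vlan.dat
    3  -rwx        2251  Feb 25 2013 15:28:47 +00:00  FOC1637V0NF_20130225072612345.lic
    4  -rwx    24390193   Mar 5 2013 10:53:32 +00:00  me360x-universalk9-mz.456-1.S1.bin
    5  -rwx        4774  Feb 25 2013 13:38:53 +00:00  config.old
    6  drwx         512   Mar 1 1993 00:13:28 +00:00  me360x-universalk9-mz.789-2.S1
   14  -rwx        2072   Oct 2 2018 10:51:46 +00:00  multiple-fs
   15  -rwx       22731   Oct 2 2018 10:51:46 +00:00  config.text
   16  -rwx        3786   Oct 2 2018 10:51:46 +00:00  private-config.text

57931776 bytes total (6690816 bytes free)
"""

if __name__ == "__main__":
    entries, total, free = parse_dir(SAMPLE_DIR)
    print(f"{free} of {total} bytes free")
    print(f"short by {bytes_short(free, 25_000_000)} bytes for a 25,000,000-byte image (constructed size)")
    for e in largest_entries(entries):
        kind = "dir " if e["is_dir"] else "file"
        print(f"{kind} {e['size']:>10}  {e['name']}")
```

The directory entry is the trap: `dir` reports it as 512 bytes, yet deleting it in the post freed 33289728 - 6690816 = 26598912 bytes, so size directories with `dir /recursive` (or by the difference in free space) rather than from the top-level listing. Also keep the image the switch actually boots from out of any automated clean-up list.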

Friday, July 4, 2025

Cisco Nexus Switch SFP Validation Failed Error

I had to configure a Cisco Nexus 5K switch port as a trunk and encountered an SFP validation failed error. I checked that the port was using a 10G SFP fiber optic module, but there was a typo in the interface speed. After I hard-coded the correct interface speed, the port came up.

N5K# show interface Ethernet1/32
Ethernet1/32 is down (SFP validation failed)
 Dedicated Interface
  Hardware: 1000/10000 Ethernet, address: 8c60.4f2b.1234 (bia 8c60.4f2b.1234)
  Description: # TRUNK #
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  Port mode is trunk
  auto-duplex, 1000 Mb/s, media type is 10G
  Beacon is turned off
  Input flow-control is off, output flow-control is off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 96week(s) 6day(s)
  Last clearing of "show interface" counters 543w6d
  11 interface resets
  30 seconds input rate 0 bits/sec, 0 packets/sec
  30 seconds output rate 0 bits/sec, 0 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 0 bps, 0 pps; output rate 0 bps, 0 pps
  RX
    2065321971623 unicast packets  4764671933 multicast packets  142845790 broadcast packets
    2070229489346 input packets  805314007316143 bytes
    7349470453 jumbo packets  0 storm suppression bytes
    0 runts  0 giants  0 CRC  0 no buffer
    0 input error  0 short frame  0 overrun   0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    2209966729972 unicast packets  8503102832 multicast packets  2429472711 broadcast packets
    2220899685878 output packets  1550671605050314 bytes
    10754632287 jumbo packets
    0 output error  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble 0 output discard
    0 Tx pause


N5K# show run interface Ethernet1/32

!Command: show running-config interface Ethernet1/32
!Time: Thu May 15 04:55:25 2025

version 7.0(1)N1(1)

interface Ethernet1/32
  description TRUNK
  switchport mode trunk
  speed 1000


N5K# show interface e1/32 transceiver
Ethernet1/32
    transceiver is present
    type is 10Gbase-SR
    name is CISCO-FINISAR
    part number is FTLX8571D1234-56
    revision is A
    serial number is FNS1123ABCD
    nominal bitrate is 10300 MBit/sec
    Link length supported for 50/125um OM2 fiber is 82 m
    Link length supported for 62.5/125um fiber is 26 m
    Link length supported for 50/125um OM3 fiber is 300 m
    cisco id is --
    cisco extended id number is 4


N5K# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
N5K(config)# interface Ethernet1/32
N5K(config-if)# speed ?
  10     10Mb/s
  100    100Mb/s
  1000   1Gb/s
  10000  10Gb/s
  40000  40Gb/s
  auto   Auto negotiate speed

N5K(config-if)# speed 10000
N5K(config-if)# end
N5K# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...


N5K# show interface Ethernet1/32
Ethernet1/32 is up
 Dedicated Interface
  Hardware: 1000/10000 Ethernet, address: 8c60.4f2b.1234 (bia 8c60.4f2b.1234)
  Description: # TRUNK #
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA
  Port mode is trunk
  full-duplex, 10 Gb/s, media type is 10G
  Beacon is turned off
  Input flow-control is off, output flow-control is off
  Rate mode is dedicated
  Switchport monitor is off
  EtherType is 0x8100
  Last link flapped 04:17:12
  Last clearing of "show interface" counters 05:06:36
  12 interface resets
  30 seconds input rate 24 bits/sec, 0 packets/sec
  30 seconds output rate 720 bits/sec, 0 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 24 bps, 0 pps; output rate 440 bps, 0 pps
  RX
    0 unicast packets  521 multicast packets  0 broadcast packets
    521 input packets  51579 bytes
    0 jumbo packets  0 storm suppression bytes
    0 runts  0 giants  0 CRC  0 no buffer
    0 input error  0 short frame  0 overrun   0 underrun  0 ignored
    0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop
    0 input with dribble  0 input discard
    0 Rx pause
  TX
    0 unicast packets  8502 multicast packets  0 broadcast packets
    8502 output packets  1343284 bytes
    0 jumbo packets
    0 output error  0 collision  0 deferred  0 late collision
    0 lost carrier  0 no carrier  0 babble 0 output discard
    0 Tx pause


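As an added Python example (not from the original post), here is the check that would have caught this before the port was touched: it reads the configured `speed` from `show run interface` and the optic's type and nominal bitrate from `show interface transceiver`, then flags a hard-coded speed that does not match the optic. The mapping from type-string prefixes (`1000base`, `10Gbase`, `40Gbase`, `100Gbase`) to NX-OS speed values is my assumption based on the naming in the post; the snap-to-nearest fallback on nominal bitrate exists because 10GBASE-R optics report about 10300 MBit/sec of line rate, as the post's output shows. The two configuration snippets below are the post's before and after.

```python
import re

# Assumed mapping from transceiver type prefixes to the NX-OS 'speed' value (Mb/s).
TYPE_SPEEDS = {"1000base": 1000, "10Gbase": 10000, "40Gbase": 40000, "100Gbase": 100000}
STANDARD_RATES = sorted(TYPE_SPEEDS.values())


def configured_speed(run_interface_output):
    """Return the 'speed' configured on the interface, or 'auto' when none is set."""
    m = re.search(r"^\s*speed\s+(\d+|auto)\s*$", run_interface_output, re.MULTILINE)
    if m is None or m[1] == "auto":
        return "auto"
    return int(m[1])


def transceiver_speed(transceiver_output):
    """Derive the optic's line speed from 'type is ...', falling back to nominal bitrate."""
    m = re.search(r"^\s*type is (\S+)", transceiver_output, re.MULTILINE)
    if m:
        for prefix, speed in TYPE_SPEEDS.items():
            if m[1].lower().startswith(prefix.lower()):
                return speed
    m = re.search(r"^\s*nominal bitrate is (\d+) MBit/sec", transceiver_output, re.MULTILINE)
    if m:
        # 10GBASE-R optics report ~10300 MBit/sec (line-code overhead); snap to the nearest standard rate.
        rate = int(m[1])
        return min(STANDARD_RATES, key=lambda r: abs(r - rate))
    return None


def check_speed(run_interface_output, transceiver_output):
    """Return (ok, message). ok is None when the optic speed cannot be determined."""
    cfg = configured_speed(run_interface_output)
    optic = transceiver_speed(transceiver_output)
    if optic is None:
        return None, "transceiver speed unknown"
    if cfg == "auto":
        return True, f"speed auto; optic is {optic} Mb/s"
    if cfg != optic:
        return False, f"speed {cfg} configured but optic is {optic} Mb/s"
    return True, f"speed {cfg} matches optic"


# The post's configuration before and after the fix, and the transceiver output.
RUN_BEFORE = """\
interface Ethernet1/32
  description TRUNK
  switchport mode trunk
  speed 1000
"""
RUN_AFTER = RUN_BEFORE.replace("speed 1000", "speed 10000")
TRANSCEIVER = """\
Ethernet1/32
    transceiver is present
    type is 10Gbase-SR
    name is CISCO-FINISAR
    nominal bitrate is 10300 MBit/sec
"""

if __name__ == "__main__":
    print(check_speed(RUN_BEFORE, TRANSCEIVER))
    print(check_speed(RUN_AFTER, TRANSCEIVER))
```

Run across every `speed`-pinned interface this separates "optic really is bad" from "someone typed the wrong speed", which is worth knowing before an RMA is raised.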
Friday, June 6, 2025

Cisco 1100 Router Flex Ports

The Cisco 1100 has a built-in 8-port Layer 2 switch, and the last two ports can be converted into Layer 3 ports. This feature is called Flex ports. The default IOS-XE that came with my Cisco 1100 router was version 17.12.x, so it supports this feature.

Restrictions for Flex Support on Layer 2 and Layer 3 Ports

  • Flex port support is enabled only on Cisco 1000 Series ISRs that have four or eight front-panel switch ports.
  • The last two ports of the front-panel fixed ports are the flex ports.
  • The two internal VLANs are dynamically reserved for two Layer 3 ports to isolate the Layer 3 traffic and separate the forwarding database for MAC filtering.
  • Flex Layer 2 and Layer 3 interfaces do not have PoE support, because PoE is enabled only on the lower-numbered half of the interfaces.
  • Weighted Round Robin (WRR) bandwidth and Quality of Service (QoS) mapping configuration are global.
  • 802.3x TX pause is not supported on flex Layer 2 and Layer 3 ports.
  • PLIM QoS is not supported on flex Layer 3 ports.
  • All ingress Layer 3 or Switch Virtual Interfaces (SVI) traffic is throttled if flow control is received.

 

Supported Platforms

From Cisco IOS XE Release 17.11.1a, the flex support on Layer 2 and Layer 3 ports is available on the Cisco 1000 Series Integrated Services Routers platform.


interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
 no switchport
 ip address 10.1.1.5 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/7
 no switchport
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 negotiation auto


C1100#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES TFTP   up                    up
Gi0/0/0.100            203.9.6.26      YES manual up                    up
GigabitEthernet0/1/0   unassigned      YES unset  down                  down
GigabitEthernet0/1/1   unassigned      YES unset  down                  down
GigabitEthernet0/1/2   unassigned      YES unset  down                  down
GigabitEthernet0/1/3   unassigned      YES unset  down                  down
GigabitEthernet0/1/4   unassigned      YES unset  down                  down
GigabitEthernet0/1/5   unassigned      YES unset  down                  down
GigabitEthernet0/1/6   10.1.1.5        YES manual up                    up
GigabitEthernet0/1/7   192.168.1.254   YES manual down                  down
ATM0/3/0               unassigned      YES NVRAM  down                  down
Ethernet0/3/0          unassigned      YES NVRAM  down                  down
Vlan1                  unassigned      YES manual down                  down


Sunday, May 4, 2025

Cisco ASR1K Policing QoS Configuration

Here's a Cisco link that compares the QoS strategies that can be applied on a Cisco router. The legacy ISR command rate-limit is no longer supported in Cisco ASR1K IOS-XE. This link covers the policing QoS configuration on a Cisco ASR1K router, which replaces the rate-limit command.

 
ASR1K(config)#interface GigabitEthernet0/0/0.123
ASR1K(config-subif)# rate-limit output 256000 24000 24000 conform-action transmit exceed-action drop
                                      ^
% Invalid input detected at '^' marker.


ASR1K(config)#policy-map 256K-RATE-LIMIT
ASR1K(config-pmap)# class class-default
ASR1K(config-pmap-c)#police cir 256000 bc 20000 be 21000
ASR1K(config-pmap-c-police)#conform-action transmit
ASR1K(config-pmap-c-police)#exceed-action drop
ASR1K(config-pmap-c-police)#violate-action drop
ASR1K(config-pmap-c-police)#interface GigabitEthernet0/0/0.123
ASR1K(config-subif)# service-policy input 256K-RATE-LIMIT
ASR1K(config-subif)# service-policy output 256K-RATE-LIMIT
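As an added Python example (not from the original post or Cisco), here is a model of the two-bucket policer the `police cir 256000 bc 20000 be 21000` line configures, written after the single-rate three-color marker of RFC 2697: a committed bucket of bc bytes and an excess bucket of be bytes, both refilled at the CIR, yielding conform, exceed or violate per packet. That the IOS-XE `police` command with three actions behaves like srTCM is my assumption, not something the post states. The 30-packet burst is constructed input.

```python
class SingleRatePolicer:
    """Two-bucket single-rate policer (conform / exceed / violate), modelled on RFC 2697.

    Token amounts are in bytes; time is in seconds. Assumed to mirror the behaviour
    of 'police cir <bps> bc <bytes> be <bytes>' with conform/exceed/violate actions.
    """

    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir_bytes_per_s = cir_bps / 8.0
        self.bc, self.be = bc_bytes, be_bytes
        self.tc, self.te = bc_bytes, be_bytes   # both buckets start full
        self.last = 0.0

    def _refill(self, now):
        tokens = max(0.0, now - self.last) * self.cir_bytes_per_s
        self.last = max(self.last, now)
        # The committed bucket fills first; the overflow spills into the excess bucket.
        to_c = min(tokens, self.bc - self.tc)
        self.tc += to_c
        self.te = min(self.be, self.te + (tokens - to_c))

    def police(self, now, size):
        self._refill(now)
        if size <= self.tc:
            self.tc -= size
            return "conform"
        if size <= self.te:
            self.te -= size
            return "exceed"
        return "violate"


def classify(policer, packets):
    """packets: iterable of (time_s, size_bytes); returns the action name per packet."""
    return [policer.police(t, s) for t, s in packets]


def summarize(actions):
    return {a: actions.count(a) for a in ("conform", "exceed", "violate")}


# The post's policy: 256 kbit/s, bc 20000 bytes, be 21000 bytes, transmit only on conform.
ACTIONS = {"conform": "transmit", "exceed": "drop", "violate": "drop"}
# Constructed sample: a burst of 30 x 1500-byte packets arriving at t=0.
BURST = [(0.0, 1500)] * 30

if __name__ == "__main__":
    p = SingleRatePolicer(256000, 20000, 21000)
    result = classify(p, BURST)
    print(summarize(result))                       # 13 conform, 14 exceed, 3 violate
    print("one second later:", p.police(1.0, 1500))  # buckets refilled at 32000 bytes/s
```

Two things the model makes visible: with bc of 20000 bytes only 13 full-size packets conform before the committed bucket runs dry, so a 256 kbit/s policer is unforgiving for bursty traffic unless bc is sized for it; and because the post maps both exceed and violate to drop, the excess bucket never changes what gets forwarded, which is exactly the rate-limit behaviour being replaced. The policer keeps per-direction state, so applying the same policy-map input and output gives two independent buckets.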

Tuesday, April 1, 2025

Password Recovery in a Cisco ASR920

You can use PuTTY to send a Special Command such as Break when entering ROMMON mode on a Cisco router. Just right-click on the window's title bar > Special Command > Break.


Refer to this Cisco link for performing a password recovery on a Cisco ASR920 router. You can use the Break key, or in some cases the Ctrl+Break key combination, to get into ROMMON mode.

  • Use the power switch to turn off the router and then turn it on again.
  • Press Break on the terminal keyboard within 60 seconds of power up to put the router into ROMMON. In some cases the Ctrl+Break key combination can be used.
  • Type confreg 0x2142 at the ROMMON prompt:

    rommon1> confreg 0x2142
    rommon1> sync

    The router reboots, but ignores the saved configuration.
  • The router will reload and prompt for configuration. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
  • Type enable at the Router> prompt. You are now in enable mode and should see the Router# prompt.
  • Reset the config-register from 0x2142 to 0x2102. To do so, type config-register configuration_register_setting, where configuration_register_setting is 0x2102. For example:

    (config)# config-register 0x2102
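As an added Python example (not from the original post or the Cisco document it refers to), here is a decoder for the configuration-register values the procedure uses, built from Cisco's documented register layout: bit 6 (0x0040) makes the router ignore the startup config in NVRAM, bit 8 (0x0100) disables the console Break key once the router has booted (the 60-second window during boot is why the procedure works), bit 13 (0x2000) boots the ROM image if a network boot fails, and bits 0 to 3 are the boot field. It shows why 0x2142 bypasses the saved configuration and confirms that 0x2102 is 0x2142 with only that one bit cleared, which is the check to run before leaving the box.

```python
# Configuration-register bits from Cisco's documented register layout.
IGNORE_STARTUP_CONFIG = 0x0040   # bit 6: boot without the startup config in NVRAM
BREAK_DISABLED = 0x0100          # bit 8: console Break ignored after boot
ROM_ON_NETBOOT_FAIL = 0x2000     # bit 13: fall back to the ROM image if a network boot fails
BOOT_FIELD_MASK = 0x000F         # bits 0-3: boot field

BOOT_FIELD = {0x0: "stay in ROMMON", 0x1: "boot first image in flash"}


def decode_confreg(value):
    """Break a 16-bit config-register value into the fields that matter for recovery."""
    boot = value & BOOT_FIELD_MASK
    return {
        "boot_field": BOOT_FIELD.get(boot, "use boot system commands"),
        "ignore_startup_config": bool(value & IGNORE_STARTUP_CONFIG),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_on_netboot_fail": bool(value & ROM_ON_NETBOOT_FAIL),
    }


def with_ignore_startup_config(value, ignore):
    """Set or clear bit 6 without disturbing the other bits."""
    if ignore:
        return value | IGNORE_STARTUP_CONFIG
    return value & ~IGNORE_STARTUP_CONFIG & 0xFFFF


def recovery_complete(value):
    """True once the register no longer ignores NVRAM, i.e. the last step above was done."""
    return not decode_confreg(value)["ignore_startup_config"]


if __name__ == "__main__":
    for reg in (0x2102, 0x2142):
        print(f"0x{reg:04x}: {decode_confreg(reg)}")
    print("0x2142 with bit 6 cleared ->", hex(with_ignore_startup_config(0x2142, False)))
```

A router left at 0x2142 will come up with a blank configuration on its next reload, so verifying the register with `show version` after the final `write memory` belongs in the runbook.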