Friday, April 5, 2024

Add Button Bar in Secure CRT

You can add a Button Bar in Secure CRT to send a string (a command) into your SSH session. This "automates" frequently typed commands on a Cisco device. To add a button, right-click at the bottom of the terminal screen > select Button Bar.

Alternatively, go to View > select Button Bar.

Select New Button.

Select Function: Send String > type a command String > optional: type a Label > click OK.



In newer versions of Secure CRT, you can choose the button color.

Notice the "break" in the output followed by an invalid input error. This typically happens when the output is very long, such as the show version output: the terminal pager stops at --More-- and waits for a keystroke, so the rest of the sent string is consumed as keystrokes and then parsed as a (garbage) command.


To avoid this, include the terminal length 0 command at the start of the string, which turns the pager off for the session. Right-click on the button > select Edit Button. You can draft long strings in Notepad and then copy/paste them into Secure CRT. Keep credentials out of button strings: they are saved in plain text in SecureCRT's configuration files, so a button that types an enable secret or a login password leaves it on disk for anyone who can read that file.



Saturday, March 2, 2024

Cisco BGP neighbor shutdown Command

To administratively shut down a BGP neighbor on a Cisco router, issue neighbor <BGP PEER IP> shutdown under the BGP routing process. This tears down the session and stops route exchange with that peer, which is useful during maintenance such as a policy change with the peer/upstream ISP. Two things to keep in mind: it is a hard teardown, so every prefix learned from the peer is withdrawn at once (agree the window with the ISP and, if the site is dual-homed, confirm the other path is carrying traffic first), and it is preferable to removing the neighbor statement, because the rest of the neighbor configuration (password, update-source, policies) stays in place and comes back with the no form. Note also that the neighbor password appears in clear text in show run; service password-encryption only masks it with the reversible type 7 encoding, so treat configuration backups and pasted outputs as sensitive.

R1#show run | sec router bgp
router bgp 64001
 bgp router-id 62.19.10.15
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 62.19.10.16 remote-as 700
 neighbor 62.19.10.16 description ISP
 neighbor 62.19.10.16 password cisco123
 neighbor 62.19.10.16 update-source GigabitEthernet0/0
 neighbor 62.19.10.16 version 4
<OUTPUT TRUNCATED>

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 64001
R1(config-router)#neighbor 62.19.10.16 ?
  ao                         TCP-AO authentication
  bmp-activate               Activate the BMP monitoring for a BGP peer
  cluster-id                 Configure Route-Reflector Cluster-id (peers may reset)
  description                Neighbor specific description
  disable-connected-check    one-hop away EBGP peer using loopback address
  dont-capability-negotiate  Send Capability parameters in Open
  ebgp-multihop              Allow EBGP neighbors not on directly connected networks
  fall-over                  session fall on peer route lost
  ha-mode                    high availability mode
  inherit                    Inherit a template
  local-as                   Specify a local-as number
  log-neighbor-changes       Log neighbor up/down and reset reason
  password                   Set a password
  path-attribute             BGP optional attribute filtering
  peer-group                 Member of the peer-group
  remote-as                  Specify a BGP neighbor
  shutdown                   Administratively shut down this neighbor
  timers                     BGP per neighbor timers
  transport                  Transport options
  ttl-security               BGP ttl security check
  update                     Modify update processing
  update-source              Source of routing updates
  version                    Set the BGP version to match a neighbor

R1(config-router)#neighbor 62.19.10.16 shutdown
R1(config-router)#end

R1#show run | sec router bgp
router bgp 64001
 bgp router-id 62.19.10.15
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 62.19.10.16 remote-as 700
 neighbor 62.19.10.16 description ISP
 neighbor 62.19.10.16 shutdown
 neighbor 62.19.10.16 password cisco123
 neighbor 62.19.10.16 update-source GigabitEthernet0/0
 neighbor 62.19.10.16 version 4
<OUTPUT TRUNCATED>

R1#show ip bgp summary
BGP router identifier 62.19.10.15, local AS number 64001
BGP table version is 394500023, main routing table version 394500023
860025 network entries using 213286200 bytes of memory
1720036 path entries using 233924896 bytes of memory
431848/148584 BGP path/bestpath attribute entries using 120917440 bytes of memory
240343 BGP AS-PATH entries using 11369538 bytes of memory
25898 BGP community entries using 3703042 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 583201116 total bytes of memory
BGP activity 19138181/18274056 prefixes, 156266333/154546297 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
62.19.10.16     4          700       0       0        1    0    0 00:00:28 Idle (Admin)

R1#show ip bgp neighbor 62.19.10.16
BGP neighbor is 62.19.10.16,  remote AS 700, external link
 Description: ISP
 Administratively shut down
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle, down for 00:00:43
  Neighbor sessions:
    0 active, is not multisession capable (disabled)
    Stateful switchover support enabled: NO
  Do log neighbor state changes (via global configuration)
  Default minimum time between advertisement runs is 30 seconds
<OUTPUT TRUNCATED>

To re-enable the BGP neighbor, use the no form of the same command, then confirm in show ip bgp summary that the session returns to Established with a prefix count close to what it was before the window.

 

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router bgp 64001
R1(config-router)#no neighbor 62.19.10.16 shutdown
R1(config-router)#end

R1#show run | sec router bgp
router bgp 64001
 bgp router-id 62.19.10.15
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 62.19.10.16 remote-as 700
 neighbor 62.19.10.16 description ISP
 neighbor 62.19.10.16 password cisco123
 neighbor 62.19.10.16 update-source GigabitEthernet0/0
 neighbor 62.19.10.16 version 4
<OUTPUT TRUNCATED>
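
As an added example (not part of the original post), here is a Python check that parses show ip bgp summary and verifies a maintenance window around neighbor shutdown: the peer is Established beforehand, reports Idle (Admin) while shut, and comes back Established afterwards with a prefix count within a tolerance of the earlier one. The "during" row is the one from the output above; the before/after rows and their counters are constructed for the example, and parse_bgp_summary, verify_maintenance and the 5% default tolerance are this example's own names and choices.

```python
"""Verify a BGP maintenance window from three 'show ip bgp summary' snapshots.

Added example: parse the neighbor table and check that the peer was
Established before 'neighbor x.x.x.x shutdown', showed 'Idle (Admin)'
while shut, and is Established again with a similar prefix count after
the 'no' form. All sample outputs below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One neighbor row. The last column is a prefix count when the session is
# Established, otherwise a state string such as 'Idle (Admin)' or 'Active'.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+"
    r"(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+"
    r"(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)


@dataclass
class Neighbor:
    ip: str
    remote_as: int
    up_down: str
    state: str                  # 'Established' or the state IOS printed
    prefixes: Optional[int]     # PfxRcd, only meaningful when Established


def parse_bgp_summary(text: str) -> Dict[str, Neighbor]:
    """Return neighbors keyed by peer IP; header and memory lines are skipped."""
    neighbors: Dict[str, Neighbor] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        last = m.group("state")
        if last.isdigit():
            state, prefixes = "Established", int(last)
        else:
            state, prefixes = last, None
        neighbors[m.group("ip")] = Neighbor(
            m.group("ip"), int(m.group("asn")), m.group("updown"), state, prefixes
        )
    return neighbors


def verify_maintenance(before: str, during: str, after: str, peer: str,
                       tolerance: float = 0.05) -> List[str]:
    """Return a list of problems; an empty list means the window went as planned.

    'tolerance' is the fraction by which PfxRcd may differ after re-enable
    (the ISP's table keeps changing, so an exact match is not expected).
    """
    b = parse_bgp_summary(before).get(peer)
    d = parse_bgp_summary(during).get(peer)
    a = parse_bgp_summary(after).get(peer)
    problems: List[str] = []
    if b is None or b.state != "Established":
        problems.append(f"{peer}: not Established before the change")
    if d is None or d.state != "Idle (Admin)":
        problems.append(f"{peer}: expected 'Idle (Admin)' while shut, got "
                        f"{d.state if d else 'no row'}")
    if a is None or a.state != "Established":
        problems.append(f"{peer}: session did not re-establish, state is "
                        f"{a.state if a else 'no row'}")
    elif b is not None and b.prefixes:
        drift = abs(a.prefixes - b.prefixes) / b.prefixes
        if drift > tolerance:
            problems.append(f"{peer}: PfxRcd moved from {b.prefixes} to "
                            f"{a.prefixes} ({drift:.1%} > {tolerance:.0%})")
    return problems


# Constructed snapshots. DURING is the row from the post; the counters in
# BEFORE and AFTER are invented to show a normal window.
HEADER = ("Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ "
          "Up/Down  State/PfxRcd\n")
BEFORE = HEADER + "62.19.10.16     4          700 3145673     812 394499980    0    0 5w2d       860019\n"
DURING = HEADER + "62.19.10.16     4          700       0       0        1    0    0 00:00:28 Idle (Admin)\n"
AFTER = HEADER + "62.19.10.16     4          700      41       5 394500210    0    0 00:02:11   859990\n"
AFTER_BAD = HEADER + "62.19.10.16     4          700       0       0        1    0    0 00:02:11 Active\n"

if __name__ == "__main__":
    print("good window:", verify_maintenance(BEFORE, DURING, AFTER, "62.19.10.16"))
    print("bad window: ", verify_maintenance(BEFORE, DURING, AFTER_BAD, "62.19.10.16"))
```

Run it against real captures by pasting the three show ip bgp summary outputs into the BEFORE/DURING/AFTER strings; a non-empty list is the signal to look at show ip bgp neighbor before declaring the change complete.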

 

Friday, February 2, 2024

Cisco Switch VTP Version 3

VLAN Trunking Protocol (VTP) version 3 is backwards compatible with version 2 but not with version 1. VTP version 3 adds support for the extended VLAN range (1006-4094), Private VLANs (PVLAN), Multiple Spanning Tree (MST) database propagation, a hidden/hashed VTP password and the primary server concept, under which only one switch per feature is allowed to change the database that the domain propagates.

The main command for checking VTP information on a Cisco switch is show vtp status. On this switch the running VTP version is still 1.

SW01#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
                                    0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC

Before changing to VTP version 3, you'll need to set the VTP domain first.

 

SW01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW01(config)#vtp version ?
  <1-3>  Set the administrative domain VTP version number

SW01(config)#vtp version 3
Cannot set the version to 3 because domain name is not configured
SW01(config)#
SW01(config)#vtp domain LAB
Changing VTP domain name from NULL to LAB
SW01(config)#
SW01(config)#vtp version 3
SW01(config)#
SW01(config)#vlan 99
VTP VLAN configuration not allowed when device is not the primary server for vlan database.
SW01(config)#
SW01(config)#end

In order to add/create Layer 2 VLANs, promote the switch to VTP primary server with the privileged EXEC command vtp primary. The command checks the domain for a conflicting primary before taking over; vtp primary force skips that check and should only be used when you have deliberately decided this switch wins. Keep exactly one primary server per feature (vlan, mst) in the domain: this is what stops a stray server switch with a higher configuration revision from overwriting the VLAN database, the classic VTP version 1/2 failure.

 

SW01#vtp ?
  password  Set the password for the VTP administrative domain.
  primary   Make the system as the primary server
  pruning   Set the administrative domain to permit pruning.
  version   Set the adminstrative domain VTP version

SW01#vtp primary ?
  force  Do not check for conflicting devices
  mst    MST feature
  vlan   Vlan feature
  <cr>

SW01#vtp primary
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW01#
*Jan 29 02:57:46.373: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: aabb.cc00.0200 has become the primary server for the VLAN VTP feature

SW01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW01(config)#vlan 99
SW01(config-vlan)#name TEST
SW01(config-vlan)#end

SW01#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : LAB
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 6
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 4096
Configuration Revision            : 2
Primary ID                        : aabb.cc00.0200
Primary Description               : SW01
MD5 digest                        : 0x69 0x34 0x9F 0x61 0x0A 0xF0 0x29 0x1F
                                    0xAE 0xDB 0xFA 0x70 0xCA 0x10 0x50 0x35

Feature MST:
--------------
VTP Operating Mode                : Transparent

Feature UNKNOWN:
--------------
VTP Operating Mode                : Transparent

SW01#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/3, Et1/0, Et1/1
                                                Et1/2, Et1/3, Et2/0, Et2/1
                                                Et2/2, Et2/3, Et3/0, Et3/1
                                                Et3/2, Et3/3
99   TEST                             active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

The VTP password is shown in plain text. In VTP version 3 you can "hide" the password, so that show vtp password and the configuration display only the derived secret rather than the password you typed.

SW01#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW01(config)#vtp password cisco123
Setting device VTP password to cisco123
SW01(config)#do show vtp password
VTP Password: cisco123

SW01(config)#vtp password ?
  WORD  The ascii password for the VTP administrative domain.

SW01(config)#vtp password cisco123 ?
  hidden  Set the VTP password hidden option
  secret  Specify the vtp password in encrypted form
  <cr>

SW01(config)#vtp password cisco123 hidden
Setting device VTP password
SW01(config)#
SW01(config)#do sh vtp password
VTP Password: DD9E88A11A75B21E42627A20F00FD980

If you're adding another switch, copy/paste the hashed string and use the keyword secret. Hiding the password is not the same as protecting it: the hex string is the secret the switches actually authenticate with, so anyone who can read it from a configuration backup or a show vtp password output can join a switch to the domain. Guard it the way you would guard the clear-text password.

 

SW02(config)#vtp password DD9E88A11A75B21E42627A20F00FD980 secret
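
As an added example that is not from the original post, here is a Python audit over show vtp status output from several switches. It flattens the key : value lines (keying each feature's VTP Operating Mode by feature name) and then checks what this post sets up: every switch runs version 3 in a named domain, the domain agrees on a single Primary ID, and exactly one switch is Primary Server for the VLAN feature. The SW01 outputs are abridged from the ones above; the SW02 output and its Device ID are constructed; parse_vtp_status and audit_domain are this example's own names.

```python
"""Audit VTP version 3 settings across switches from 'show vtp status' output.

Added example. parse_vtp_status() flattens the 'key : value' lines, keying
each feature's 'VTP Operating Mode' by feature name ('VLAN mode', 'MST mode').
audit_domain() checks the properties the post sets up: version 3, a non-NULL
domain, one agreed Primary ID and exactly one Primary Server for the VLAN
feature. SW01 outputs are abridged from the post; SW02 is constructed.
"""
import re
from typing import Dict, List


def parse_vtp_status(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    feature = None
    for line in text.splitlines():
        m = re.match(r"^\s*Feature (\S+):\s*$", line)
        if m:
            feature = m.group(1)          # following lines belong to this feature
            continue
        if ":" not in line:
            continue                      # dashes, digest continuation, blank
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "VTP Operating Mode" and feature:
            key = f"{feature} mode"
        fields[key] = value
    return fields


def audit_domain(switches: Dict[str, str]) -> List[str]:
    """switches maps hostname -> 'show vtp status' text. Returns findings."""
    findings: List[str] = []
    domains, primary_ids, primaries = set(), set(), []
    for name, text in switches.items():
        f = parse_vtp_status(text)
        version = f.get("VTP version running", "?")
        if version != "3":
            findings.append(f"{name}: running VTP version {version}, expected 3")
        domain = f.get("VTP Domain Name", "")
        if not domain:
            # A NULL-domain server/client adopts the first domain it hears on a trunk.
            findings.append(f"{name}: VTP domain name not set")
        domains.add(domain)
        if f.get("VLAN mode") == "Primary Server":
            primaries.append(name)
        if f.get("Primary ID"):
            primary_ids.add(f["Primary ID"])
    if len(domains) > 1:
        findings.append(f"switches are in different domains: {sorted(domains)}")
    if len(primaries) != 1:
        findings.append("expected exactly one Primary Server for feature VLAN, "
                        f"found {primaries}")
    if len(primary_ids) > 1:
        findings.append(f"switches disagree on the VLAN Primary ID: {sorted(primary_ids)}")
    return findings


SW01_BEFORE = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Feature VLAN:
--------------
VTP Operating Mode                : Server
Configuration Revision            : 0
MD5 digest                        : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
                                    0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
"""
SW01_AFTER = """\
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : LAB
Device ID                       : aabb.cc00.0200

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Configuration Revision            : 2
Primary ID                        : aabb.cc00.0200
Primary Description               : SW01

Feature MST:
--------------
VTP Operating Mode                : Transparent
"""
# Constructed: a second switch joined to the LAB domain as a client.
SW02 = """\
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : LAB
Device ID                       : aabb.cc00.0300

Feature VLAN:
--------------
VTP Operating Mode                : Client
Configuration Revision            : 2
Primary ID                        : aabb.cc00.0200
Primary Description               : SW01

Feature MST:
--------------
VTP Operating Mode                : Transparent
"""

if __name__ == "__main__":
    print("before:", audit_domain({"SW01": SW01_BEFORE}))
    print("after: ", audit_domain({"SW01": SW01_AFTER, "SW02": SW02}))
```

Feed it the show vtp status output of every switch in the domain; the "exactly one Primary Server" rule is the one to keep an eye on after someone runs vtp primary force on a second switch.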

 

Wednesday, January 3, 2024

Configure NetFlow in Cisco NCS 540 IOS-XR

Here are the steps, as the Cisco IOS-XR documentation lays them out, for configuring NetFlow (version 9) on a Cisco NCS 540 running IOS-XR.

Step 1

Create and configure an exporter map.

Step 2

Create and configure a monitor map and a sampler map.

Note 

The monitor map must reference the exporter map you created in Step 1. If you do not apply an exporter-map to the monitor-map, the flow records are not exported, and aging is done according to the cache parameters specified in the monitor-map.

Step 3

Apply the monitor map and sampler map to an interface.

 

There are some caveats in configuring NetFlow in a Cisco IOS-XR:


  • Do not use the management interface to export the NetFlow packets.
  • NetFlow can be configured only in the ingress direction. 
  • A source interface must always be configured. If you do not configure a source interface, the exporter will remain in a disabled state.
  • Only the export formats Version 9 and IPFIX are supported.
  • A valid record map name must always be configured for every flow monitor map.
  • NetFlow is not supported on Bridge Virtual Interface (BVI).
  • NetFlow is not supported on sub-interfaces.
  • NetFlow on sub-interface routed via BVI is not supported.
  • Destination-based Netflow accounting is not supported, only IPv4, IPv6 and MPLS record types are supported under monitor-map.
  • Output interface field is not updated in data and flow records when the traffic is routed through ACL based forwarding (ABF).
  • Output interface field is not updated in data and flow records for the multicast traffic.
  • Output interface, source and destination prefix lengths fields are not set in data and flow records for GRE transit traffic.
  • For Netflow IPFIX315, configure the hw-module profile netflow ipfix315 command.
  • If IPFIX315 is enabled on a line card then all the ports on that line card should have IPFIX315 configured.
  • For hw-module profile qos hqos-enable , NetFlow does not give the output interface for cases like L2 bridging, xconnect, IPFIX, and so on.
  • L4 header port numbers are supported only for TCP and UDP.
  • NetFlow does not give the output interface for traffic terminating on GRE tunnel.

  

Here's a sample NetFlow configuration template. It fills the role the legacy IOS ip accounting feature used to, but exports sampled flow records to an external collector. The export is plain UDP with no authentication or encryption, so point it at a dedicated collector address (not via the management interface, per the caveats above), filter who can reach that collector port, and treat the records as sensitive: they describe your internal addressing and traffic patterns. The interface command needs the direction keyword, and on this platform only ingress is supported.

 

flow exporter-map <EXPORTER MAP NAME>
 destination <NETFLOW ANALYZER IP>
 transport udp 2055
 source <SOURCE INTERFACE>
 version v9
  template data timeout 60
  template options timeout 60
  options interface-table
  options sampler-table

sampler-map <SAMPLER MAP NAME>
 random 1 out-of 500

flow monitor-map <MONITOR MAP NAME>
 record mpls ipv4-fields
 exporter <EXPORTER MAP NAME>
 cache entries 1000000
 cache timeout active 60
 cache timeout inactive 30
 cache timeout rate-limit 2000

commit

interface GigabitEthernet0/0/0/x
 flow mpls monitor <MONITOR MAP NAME> sampler <SAMPLER MAP NAME> ingress

commit


show flow exporter <EXPORTER MAP NAME> location 0/0/CPU0

show flow monitor <MONITOR MAP NAME> cache format table location 0/0/CPU0


RP/0/RP0/CPU0:NCS540#show flow monitor MONITOR cache format table location 0/0/CPU0
Thu Dec 21 22:18:21.552 UTC
Cache summary for Flow Monitor MONITOR:
Cache size:                          65535
Current entries:                        13
Flows added:                            25
Flows not added:                         0
Ager Polls:                            573
  - Active timeout                      12
  - Inactive timeout                     0
  - Immediate                            0
  - TCP FIN flag                         0
  - Emergency aged                       0
  - Counter wrap aged                    0
  - Total                               12
Periodic export:
  - Counter wrap                         0
  - TCP FIN flag                         0
Flows exported                           0

LabelType Prefix/Length      Label1-EXP-S     Label2-EXP-S     Label3-EXP-S     Label4-EXP-S     Label5-EXP-S     Label6-EXP-S     InputInterface  OutputInterface ForwardStatus        FirstSwitched   LastSwitched    ByteCount    PacketCount  Dir SamplerID  IPV4SrcAddr      IPV4DstAddr      IPV4TOS  IPV4Prot L4SrcPort  L4DestPort L4TCPFlags   InputVRFID                        OutputVRFID                       BGPNextHopV4     
      LDP 10.14.6.35/32       24088-5-0        14724-5-1           -                -                -                -          Gi0/0/0/19      Gi0/0/0/1       Fwd                  08 16:44:31:287 08 16:45:20:486 2600         10           Ing 1          10.1.1.5         172.16.4.13   0xb8     udp      4790       4790       0            default                           default                           0.0.0.0          

<OUTPUT TRUNCATED>
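
The exporter above sends NetFlow version 9 over UDP, and the quickest way to confirm the collector is receiving usable records is to decode a packet. Here is an added example, not from the original post or from Cisco, of a minimal RFC 3954 decoder in Python: it reads the 20-byte header, learns templates from FlowSet 0, keeps them per source ID across packets, and decodes data FlowSets whose template it already holds. A data FlowSet that arrives before its template is skipped rather than guessed, which is what a collector sees for the first seconds after an exporter starts, until template data timeout expires and the template is resent. The packet is built inside the example with struct.pack and uses a plain IPv4 template; it is not a capture from the NCS 540, and neither the MPLS fields of record mpls ipv4-fields nor the sampler options template (FlowSet 1) are decoded.

```python
"""Decode a NetFlow v9 export packet (RFC 3954) the way a collector does.

Added example, not Cisco code. Header (20 bytes) -> FlowSets. FlowSet id 0
carries templates, id 1 options templates, ids >= 256 data records whose
layout is given by the template with that id. Templates are remembered per
(source_id, template_id) across packets; data that arrives before its
template is skipped rather than guessed. The sample packet is constructed
here with struct.pack and uses an IPv4 template, not the MPLS record of the
monitor-map above.
"""
import struct
from typing import Dict, List, Tuple

# RFC 3954 field type numbers used by the sample template.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

Template = List[Tuple[int, int]]          # [(field_type, field_length), ...]


def decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12):                              # IPv4 addresses
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")                 # counters, ports, protocol


def parse_v9(packet: bytes, templates: Dict[Tuple[int, int], Template]):
    """Return (header, records); 'templates' is the collector's cache."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records: List[dict] = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad FlowSet length")            # truncated or hostile
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                                        # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or pos + 4 * nfields > len(body):
                    break                                     # padding or garbage
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                    for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                                    # data FlowSet
            tmpl = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in tmpl) if tmpl else 0
            pos = 0
            while tmpl and rec_len and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, f"type{ftype}")] = decode_field(
                        ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)                           # trailing bytes = padding
        # fs_id 1 (options templates, e.g. the sampler table) is not decoded here
        offset += fs_len
    return header, records


def build_sample_packet() -> bytes:
    """Constructed packet: template 256 plus two data records using it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        ip = lambda a: bytes(int(o) for o in a.split("."))
        return ip(src) + ip(dst) + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)

    data = (rec("10.1.1.5", "172.16.4.13", 4790, 4790, 17, 2600, 10)
            + rec("10.1.1.9", "172.16.4.13", 51000, 443, 6, 5120, 8))
    pad = (-(4 + len(data))) % 4                              # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1703196000, 1, 0)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    cache: Dict[Tuple[int, int], Template] = {}
    hdr, recs = parse_v9(build_sample_packet(), cache)
    print(hdr)
    for r in recs:
        print(r)
```

To use it on real traffic, bind a UDP socket on the exporter's transport port (2055 in the template above) and pass each datagram to parse_v9 with the same template cache; the first data FlowSets will return nothing until the exporter's template refresh arrives, which is normal and not a misconfiguration.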