IOS Services


Although some, if not most, IOS services are hardly ever used in the real world, you still need to be familiar with them to pass your lab exam. I’ve heard that Cisco does not expect you to master topics like this, but they do expect you to be able to find such features in the Doc CD, which as you know is available on the exam. That sounds like a fair point, so let’s begin!

Can you get any simpler with your topology? Guess not, but this is just what we need.

[topology diagram: IOS_services]

This post covers the following topics:

HIDE ROUTER’S USERNAME
HIDE IP ADDRESS WHEN TELNETing
COPY IOS BETWEEN ROUTERS
LINE VTY ROTARY
ENABLE SSH BETWEEN DEVICES
BANNERS
ALIASES
LOGGING TO FLASH MEMORY
LOGIN CONFIGURATION CHANGES
DEBUGGING
TFTP SERVER AND TFTP CLIENT AND IOS COPY
REMOTE SHELL
KRON in other words how to schedule for something to occur


1 – HIDE ROUTER’S USERNAME

[screenshot: usrname]

prompt config hostname-length 0 removes the router’s username from the config prompt, and
prompt config hostname-length 10 means “show the username up to 10 characters”.

=======================================================

2 – HIDE IP ADDRESS WHEN TELNETing

Normally when we telnet, the console shows the IP address of the remote device. So let’s say we telnet from R1 to R2:

[screenshot: telnet]

As you can see, the console shows the IP address of R2, 172.16.10.2. So what if, for some security purposes, we do not want that? Well…

[screenshot: telnet1]

service hide-telnet-addresses will encrypt and hide the IP addresses of the devices we telnet to.

As you can see, the second screenshot only shows that we are trying to open a connection between R1 and R2; the parser hides the IP address in this case.

=======================================================

3 – COPY IOS BETWEEN ROUTERS

Please go to : https://ccie4all.wordpress.com/?s=ios

Scroll down to find other ways of doing it!

=======================================================

4 – LINE VTY ROTARY

Another security feature is the “rotary” command, which changes the port number the router listens on. Normally when we telnet from one device to another we do:

[screenshot: rotary]

and we’re in. But what if we want more control over it and want to make sure that only your network team knows “how” to telnet? Of course we do this by creating an ACL, allowing only certain IP addresses while blocking the others, but let’s say we go one step deeper and use the rotary feature for this. So on R2, under the vty line, let’s create some random rotary value:

[screenshot: rotary1]

By doing this, from now on we will only be able to telnet (or ssh, for that matter) to R2 on this specific port:

[screenshot: rotary2]

As you can see, every port except 3063 specifically will fail.

=======================================================

5 – ENABLE SSH BETWEEN DEVICES

We want to enable SSH so R1 can ssh instead of telnet to R2, so on R2 in our case we do:

R2(config)#crypto key generate rsa general-keys modulus 1024
R2(config)#ip domain-name CISCO
R2(config)#ip ssh ver 2 (not required as ver 2 is a default)
R2(config)#username cisco pass cisco123
R2(config)#line vty 0 4
R2(config-line)#transport input ssh (only ssh will be allowed from now on and telnet will be disabled)
R2(config-line)#login local

and then we test:

[screenshot: ssh]

ssh -l cisco 172.16.10.2
Password : cisco123
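The telnet-versus-SSH and rotary sections above are really a checklist for the vty lines. The following script, an added example that is not part of the original post, reads a running-config as text and reports vty lines that still accept telnet, have no per-user login, have no inbound access-class, or use a rotary group (which only moves the telnet port; the post's port 3063 corresponds to rotary 63). The sample config is constructed for the example, and the watch list of checks is this reviewer's assumption, not a Cisco baseline.

```python
import re

# Constructed sample running-config (not taken from the post): vty 0 4 is the
# telnet-with-line-password "before" state, vty 5 15 is the hardened state.
SAMPLE_CONFIG = """\
hostname R2
ip domain-name CISCO
ip ssh version 2
username cisco password 0 cisco123
!
access-list 10 permit 172.16.10.0 0.0.0.255
!
line vty 0 4
 password cisco
 login
 rotary 63
 transport input telnet
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
!
end
"""

LINE_RE = re.compile(r"^line (\S+)\s*(.*)$")


def parse_line_blocks(config_text):
    """Return {('vty', '0 4'): ['password cisco', ...], ...} for every 'line' block."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = (m.group(1), m.group(2).strip())
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented command ends the current block
    return blocks


def audit_vty(config_text):
    """Return a list of (scope, finding) tuples describing weak vty settings."""
    findings = []
    global_cmds = {l.strip() for l in config_text.splitlines()}
    if "ip ssh version 2" not in global_cmds:
        findings.append(("global", "ip ssh version 2 not set; SSHv1 may be negotiated"))
    for (kind, rng), cmds in parse_line_blocks(config_text).items():
        if kind != "vty":
            continue
        scope = f"line vty {rng}"
        transport = [c for c in cmds if c.startswith("transport input")]
        # No 'transport input' means the platform default, which may include telnet,
        # so treat it the same as an explicit telnet/all setting.
        if not transport or any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append((scope, "telnet accepted; use 'transport input ssh'"))
        if not any(c.startswith(("login local", "login authentication")) for c in cmds):
            findings.append((scope, "no per-user login; use 'login local' or AAA"))
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append((scope, "no inbound access-class; any source may connect"))
        for c in cmds:
            if c.startswith("rotary "):
                n = int(c.split()[1])
                # Informational: a rotary group moves telnet to TCP 3000+N (the post's
                # port 3063 is rotary 63); it is obscurity, not a substitute for the ACL.
                findings.append((scope, f"rotary {n}: telnet listens on TCP {3000 + n}"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_vty(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run against the sample, only line vty 0 4 produces findings; vty 5 15, which matches what the post configures, is clean. Feed it the output of show running-config from a real box to get the same report.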

=======================================================

6 – BANNERS

Let’s create some banners on R2:

[screenshot: banner]

So now when we telnet from R1 to R2 we will see:

[screenshot: banner1]

the MOTD and LOGIN banners (the MOTD banner shows regardless), and then, before we enter exec mode, we get the EXEC banner.

=======================================================

7 – ALIASES

Let’s say that if we issue ri in exec mode we should see the routing table, and if we issue rb we should see the BGP table:

R1(config)#alias exec ri show ip route
R1(config)#alias exec rb show ip bgp

[screenshot: alias]

All good: we issued ri in exec mode and it took us straight to our local routing table, and then rb brought up the BGP table (we did not configure BGP on any of these routers, but the alias is clearly working).

If we issue i followed by, for instance, fa0/0 in configure mode, it should take us into Fa0/0 config mode, and if we issue iea followed by, for instance, BLOCK, it should create a named extended ACL called BLOCK:

R1(config)#alias configure i interface
R1(config)#alias configure iea ip access-list extended

[screenshot: alias1]

As you can see from the output, it’s all working as expected.

If we issue ipa followed by, for instance, 192.168.10.1 in interface mode, it should configure the specified IP address, and if we issue s it should shut down the interface:

R1(config)#alias interface ipa ip address
R1(config)#alias interface s shutdown

[screenshot: alias2]

And again, all working as we expected.

=======================================================

8 – LOGGING TO FLASH MEMORY

Let’s say for some reason we are not able to use a SYSLOG server but must show our boss some log messages, because for instance our internet link is flapping or something. For that we can always use the device’s internal memory, but be very careful with this feature on your production network (due to a GNS3 limitation this feature can only be tested on real equipment and NOT in GNS3).

Let’s configure R1 to log DEBUGGING messages in its internal flash, under the filename syslog in a directory called log.

First let’s create all required directories:

R1#mkdir flash:/var
Create directory filename [var]?
Creating dir flash:/var
R1#mkdir flash:/var/log
Create directory filename [/var/log]?
Creating dir flash:/var/log

and then let’s send the logs there:

R1(config)#logging file flash:/var/log/syslog 32768 debugging

=======================================================

9 – LOGIN CONFIGURATION CHANGES

Of course we can set up SYSLOG for this kind of thing, but like I said in the beginning, you may not need features like this on your network; if you’re thinking of passing your CCIE lab, though, you must be aware of them.

So let’s see what my boss has been doing when logged onto the router 🙂

R1(config)#archive
R1(config-archive)# log config
R1(config-archive-log-cfg)#logging enable
R1(config-archive-log-cfg)#notify syslog (not required)
R1(config-archive-log-cfg)#hidekeys (not required)

and from now on every configuration command will be logged locally on your router, sent to a syslog server, and passwords will not appear in clear text in the log (the last two are not required for the feature to work).

[screenshot: archive]

As you can see, every command I’ve typed has been logged, and if you want to see statistics for that you can:

[screenshot: archive1]
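With notify syslog turned on, each logged command also leaves the box as a syslog message, which is what makes this feature useful beyond the lab: a collector can watch for the changes that matter. The script below is an added example, not code from the post, that parses such messages, counts commands per user, and flags the ones a reviewer would want to hear about (remote-access lines, accounts, ACLs, logging being switched off), plus any credential that made it into the log because hidekeys was not set. The sample lines and the watch list are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the post) in the format IOS emits when
# 'archive / log config / logging enable / notify syslog / hidekeys' is active.
SAMPLE_LOG = """\
*Mar  1 00:12:01.123: %PARSER-5-CFGLOG_LOGGEDCMD: User:tom  logged command:interface FastEthernet0/0
*Mar  1 00:12:05.456: %PARSER-5-CFGLOG_LOGGEDCMD: User:tom  logged command:description LINK TO R2
*Mar  1 00:13:10.789: %PARSER-5-CFGLOG_LOGGEDCMD: User:boss  logged command:username cisco password *****
*Mar  1 00:13:22.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:boss  logged command:no logging 10.0.0.5
*Mar  1 00:14:00.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:boss  logged command:line vty 0 4
*Mar  1 00:14:03.003: %PARSER-5-CFGLOG_LOGGEDCMD: User:boss  logged command:transport input telnet
"""

CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")

# Command prefixes a reviewer would want to be told about (assumed watch list).
WATCHED = (
    ("no logging", "logging destination removed"),
    ("no archive", "config change logging disabled"),
    ("username", "local account changed"),
    ("enable secret", "enable credential changed"),
    ("enable password", "enable credential changed"),
    ("line vty", "remote access line modified"),
    ("transport input", "remote access protocol changed"),
    ("access-list", "ACL changed"),
    ("ip access-list", "ACL changed"),
)


def parse_config_log(text):
    """Return [(user, command), ...] for every config-change line in the text."""
    events = []
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2).strip()))
    return events


def flag_changes(events):
    """Return [(user, command, reason), ...] for changes worth a second look."""
    alerts = []
    for user, cmd in events:
        for prefix, reason in WATCHED:
            if cmd.startswith(prefix):
                alerts.append((user, cmd, reason))
                break
        # Without 'hidekeys' the secret itself lands in the log; detect that too.
        if "password" in cmd and "*****" not in cmd:
            alerts.append((user, cmd, "credential logged in clear; enable hidekeys"))
    return alerts


def changes_per_user(events):
    """Return a Counter of config commands per user, e.g. Counter({'boss': 4, 'tom': 2})."""
    return Counter(user for user, _ in events)


if __name__ == "__main__":
    evts = parse_config_log(SAMPLE_LOG)
    print(dict(changes_per_user(evts)))
    for user, cmd, reason in flag_changes(evts):
        print(f"{user}: {cmd!r} -> {reason}")
```

On the sample, tom's interface description change is counted but not flagged, while all four of boss's commands are, which is the kind of summary you would hand over rather than the raw show archive log config output.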

=======================================================

10 – DEBUGGING

I do not mean to show how to enable plain debugging here; I want to show you how to enable a feature called conditional debugging, which is extremely useful because it limits the amount of information produced on your devices. Network chaps are usually scared of debugging on a production network, and I used to be the same until I discovered this simple feature, which will not harm your routers.

Let’s say we want to debug IP ICMP, IP PACKETS, OSPF EVENTS or anything for that matter, but we want to make sure we only see messages that come inbound on a specific interface. What’s cool about this is the case where you have 27 routers running OSPF, one of the adjacencies is down, and you want to check what’s going on.

If you enable debugging for OSPF and possibly for IP PACKETS you will most definitely crash your routers, depending of course on how you configured your buffers, console logging, monitor logging etc., because you will start receiving messages from every device connected to your router!! I’ve crashed production routers like that before 🙂, where I had to ssh in from another router and issue undebug all to stop the debugging!

The point is that you can set your debug based on some condition. So let’s imagine that we have OSPF running between R1 and R2 and it has just gone down. You know you have other routers connected to R1 running OSPF, but you only want to check what’s going on between R1 and R2? Well, then you can issue:

[screenshot: debug]

and that way we will only see debug messages for ip packet and ospf events on this particular link and not on every other one, which massively reduces the risk of crashing your router.

In order to disable the condition you need to use the exact syntax:

[screenshot: debug1]

Before you issue this, do not forget to undebug the other active debugs beforehand, unless you wonder “what if?” 🙂

=======================================================

11 – TFTP SERVER AND TFTP CLIENT AND IOS COPY

Just like in point number 3 – COPY IOS BETWEEN ROUTERS, there is another way to copy an IOS from a remote device. When we’re in the office we usually have some sort of TFTP server installed on our PCs or laptops and use it to move files back and forth. Another way you can do this, if you want to pull an IOS for example from R1 and push it into R2’s flash, is:

Let’s say R2 is our TFTP server:

R2(config)#tftp-server flash:c3745-advipservicesk9-mz.124-25d.bin

Let’s test:

R1#copy tftp://172.16.10.2/c3745-adventerprisek9-mz.124-12.bin flash:
Destination filename [c3745-adventerprisek9-mz.124-12.bin]?
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device… eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee …erased
Erase of flash: complete
Loading tftp://172.16.10.2/c3745-adventerprisek9-mz.124-12.bin !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

All working ! 🙂

=======================================================

12 – REMOTE SHELL

This one is a really cool trick which allows you to view the configuration of a remote device. So let’s say we’re sitting on R1 and would like to view the configuration of R2’s FastEthernet interface without logging onto R2, of course:

R1(config)#ip rcmd remote-username R2CISCO

R2(config)#ip rcmd rcp-enable
R2(config)#ip rcmd rsh-enable
R2(config)#ip rcmd remote-host R2 172.16.10.1 R1 enable
R2(config)#ip rcmd remote-host R2CISCO 172.16.10.1 R1 enable

and test:

[screenshot: rsh]

Fun stuff ! 🙂

=======================================================

13 – KRON in other words how to schedule for something to occur

Let’s say we want R1 to save its running config to a remote TFTP server daily at 08:00. TFTP is running on your PC and its address is 172.16.10.200:

R1(config)#kron occurrence SAVEDAILY at 8:00 recurring
R1(config-kron-occurrence)#policy-list SAVE_CONFIG
R1(config)#kron policy-list SAVE_CONFIG
R1(config-kron-policy)#cli show running-config | redirect tftp://172.16.10.200/r1-config

R1 will now save its running config onto your PC, which has a TFTP server installed, and the file will be called r1-config.

This is something really fun to test in GNS3. Connect R1 to a cloud, create a Microsoft loopback on your PC, give it the IP address 172.16.10.200 (or any other), connect it to the cloud, install any TFTP server on your PC, set the clock on R1 and your PC so it matches on both, and see what happens 🙂

=======================================================

Like I said, most of these, if not all, you’d probably never use on your production network, but in my opinion it is good to know!

I will add some more fun stuff as soon as I’ve discovered something which requires attention !


Enjoy !

Tom
