Cisco FAQ

How to I implement AS_PATH prepending?

2008-02-26T08:41:00.004-05:00

Here's the scenario: you have multiple BGP connections to the Internet. For one of the prefixes you advertise, 33.44.55.0/24, you don't want traffic to come via the link with neighbor 1.2.3.4 unless all of the other BGP links are down. So you want to use ASPATH preprding on the advertisements you send to 1.2.3.4.

Let's say your own AS number is 65111. We'll prepend it twice to the advertisements of prefix 33.44.55.0/24 sent to neighbor 1.2.3.4:

! first define an ACL to use later to select which adverts to affect; 
! I numbered it 5
access-list 5 permit 33.44.55.0 0.0.0.255 !
! then make a route-map to do the prepending; I named it PREPEND1 
route-map PREPEND1 permit 10  
 match ip address 5  
 set as-path prepend 65111 65111 
!
route-map PREPEND1 permit 20
!
! so far, no effect. Next change makes it take effect
!
! finally, add the following command to the 
! router bgp 65111 section:
!
router bgp 65111
 neighbor 1.2.3.4 route-map PREPEND1 out

After doing this I did clear ip bgp 1.2.3.4. I think I could have used clear ip bgp 1.2.3.4 soft out

How do I know what BGP advertisements I am sending to a neighbor?

2008-02-26T08:38:00.002-05:00

One way: sho ip bgp neigh 1.2.3.4 adv

Also, this might work: debug ip bgp 1.2.3.4 updates

How do I control what prefixes I accept into my routing table from a BGP neighbor?

2007-12-10T09:44:00.000-05:00

Assume my AS is 12345, and I only want to accept 1.2.3.0/23 from my neighbor at 1.4.5.6.

router bgp 12345
neighbor 1.4.5.6 prefix-list PL0002 in
...
ip prefix-list PL0002 seq 5 permit 1.2.3.0/23

How do I establish a portchannel using multiple FOC trunks between my 4500s?

2007-09-06T10:31:00.000-04:00

Before getting started, let's recognize that Cisco uses the terms "portchannel" and "etherchannel" somewhat interchangably, although you do have to use the correct term for the command you are typing. Also, the "channel-group" interface-level command is used to join the interface to a portchannel. So "etherchannel 2", "portchannel 2", and "channel-group 2" all refer to the same channel.

For performance, the multiple trunks emanating from a 4500 should be on the same linecard. Start out by finding a linecard with enough free interfaces, disabling the interfaces on both 4500s, and running the cables between them. Then do the following.

We'll use interfaces g3/3 - g3/6 in our example, and set up portchannel 2. Before starting we'll clear the config of all of the interfaces, and get rid of the portchannel. We'll then configure all of the interfaces, ignoring the portchannel. The last command we issue on the interfaces, to join the portchannel, will result in the portchannel being created automatically. Then we will unshut the interfaces.

When the portchannel comes up, syslog messages such as the below at severity 5 are produced. Before starting, it might be good to set yourself up so you see the log messages on the console or vty session.

040589: Aug 19 15:18:38.648: %EC-5-BUNDLE: Interface GigabitEthernet3/5 joined port-channel Port-channel2
040590: Aug 19 15:18:38.812: %EC-5-BUNDLE: Interface GigabitEthernet3/6 joined port-channel Port-channel2
040591: Aug 19 15:18:38.872: %EC-5-BUNDLE: Interface GigabitEthernet3/4 joined port-channel Port-channel2

Here are the configuration steps:

conf t
! clearing the interface configs
(c) default int g3/3  (if this gives you an error, do it again.)
(c) default int g3/4
(c) default int g3/5
(c) default int g3/6
! getting rid of the existing portchannel
(c) no int po2
! configuring the interfaces
(c) int range g3/3 - 6
(c-i-r) desc To other 4500
(c-i-r) switchport trunk encapsulation dot1q
(c-i-r) switchport mode trunk
(c-i-r) switchport nonegotiate
(c-i-r) no snmp trap link-status
! next command magically creates the portchannel
(c-i-r) channel-group 2 mode desirable non-silent
^Z
conf t
(c)int po2
(c-i)desc To other 4500
^Z

At this point, the interfaces g3/3 - g3/6 and Po2 should all show as up. A show cdp neigh should show the other 4500. A show etherchannel 2 detail will show the details of the portchannel and its member interfaces. (show etherchannel summ will show all of the etherchannels in a brief, easy to read format.)

If this all works, each interface will have a config like this:

interface GigabitEthernet3/3
 description to other 4500
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no snmp trap link-status
 channel-group 2 mode desirable non-silent

And the portchannel will have a config like this:

interface Port-channel2
 description to other 4500
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
end

On a 3750 switch stack, how do I execute a command on a particular stack member?

2007-05-03T15:38:00.000-04:00

On a 3750 stack, all commands execute by default on whichever switch happens to be the master. You can see which is the master by using the show switch command.

To issue commands on slave members, open up a session on them with the session # command. This opens up a command line on slave number #. Then type your commands. Just type exit or q to get back to the master when you are done.

How do I delete files and directories from flash of a router or switch with minimum fuss?

2007-04-24T13:45:00.000-04:00

If you want to get rid of everything in flash, just use erase flash:.

Otherwise, you can use delete /force /recursive flash:{target}. The /force qualifier will keep you from getting prompted before deleting each object, and /recursive will give you the ability to delete directories and subdirectories even when they are not empty.

How do I boot a 3750 stack into a new IOS?

2007-04-18T07:53:00.000-04:00

The entire stack will be powered off at some point during this operation. Allow about a half hour of downtime.

We'll assume that you have already copied the new IOS onto all of the stack members.

You define the image to boot from with the boot system command. However, unlike a router, a 3750 switch will not show this setting as part of the running-config, nor save it that way. To see the setting you'll have to use the show boot command.

In later versions of switch IOS, such as 12.2(35), Cisco has made it easier to reboot individual switch members. But to get there from an older version you may have to use my method. I did it the hard way, putting a console cable on each of the switches in the stack in turn. (Remember that no matter where the console cable is connected, it still talks only to the master.)

Use show switch to find out which switch is the master.
Do a dir flash: on the master to show the available IOS images. Use a copy and paste operation to paste the IOS filename you want into the command boot system flash:{IOS filename}.
Power down the switch (you need to unplug it) and connect the console cable to another switch if necessary.
Find the new master, and repeat the above steps on it. Continue on each switch in turn until the entire stack is powered down.
Now power up the switch you want to be the master. I suggest cabling your console cable to it and watching it come up. There will be a delay while it waits to make sure there is not already a master.
Once the master is up, power up the other switches in the stack. You can do them one at a time or all at once. They come up quickly because there is already a master.
Use show switch to make sure all of the switches are participating in the stack. You can also try show switch detail and show platform stack-manager all to get lots more info for troubleshooting.

Update:

If your IOS supports it, you can issue the boot system switch all flash:{IOS filename} to set the boot image name on all switches at once, which will simplify the above procedure. Then all you need to do is reload the stack.

You may then be able to reload the entire stack with a single reload command. Not sure about this. You also may be able to use reload slot # to reload each of the non-master stack members, just before issuing the final reload to reload the current master. I'll let you know if this works after I have had a chance to try it.

How do I stage a new IOS on a 3750 switch stack?

2007-03-12T11:28:00.000-04:00

There are some new IOS commands to automate upgrading of a stack, but I use the familiar manual method.

All of your stack members really should be running the same version of IOS (even though there's a chance that if the versions are close enough the stack might still work).

Upgrading a switch is like upgrading a router, really. You put the new IOS on the TFTP server. Make sure there is room for it in the flash of the target device, and tftp it up. When you are ready to start using it, change the boot system command on the device to point to it, and reload.

What makes switch stacks different is that you need to copy the IOS to all of the switches. Here's how.

Log into your stack. (You'll be logged into the master). Do show stack to find out how many switches are in the stack, and which one is the master. Let's say there are four switches and the master is 4.
Use copy tftp flash: and answer the prompts to get your IOS up there.
You can do dir flash: to see that the new IOS is there. When you refer to "flash:", you are always referring to the master. You can also refer to a particular stack member's flash like this: dir flash2:. So on this stack, where 4 is the master, dir flash: and dir flash4: will look the same.
Now get that IOS image onto the other switches in the stack. You can either tftp it to each in turn with copy tftp flash1: and so on, or use copy flash4: flash1:. The copy method is only a little quicker, but it works.

Do I have to worry about the U.S. DST change on my routers and switches?

2007-03-09T08:13:00.000-05:00

No, not likely. Even if your device is an NTP server for the rest of your network, the timezone really does not matter. The device's timezone settings does influence the timestamps on the router logs and the syslog messages it sends. It could also come into play if you are using time-based ACLs on your router (does anyone actually do this?). However, if you really want the local time on the router to be correct, you do not have to upgrade the IOS to a version that incorporates the new United States DST start and end dates. Just by adding one line to the config on your router or switch, you can change the DST policy. I'll show both timezone lines for my devices; you will want to change the timezone name in both lines (which is used for display purposes only) as well as the offset from UTC unless, like me, you are in the Eastern time zone.

clock timezone EST -5
clock summer-time EDT recurring 2 sun mar 02:00 1 sun nov 02:00

I found a router that had cef enabled, but "no ip route-cache cef" on each of its interfaces. Is there any reason not to enable cef on the interfaces?

2007-03-07T09:44:00.000-05:00

Haven't found any reasons not to enable cef on the 2600XM interfaces. If you know any, please post a comment...

Why isn't my router clock syncing to NTP time?

2007-03-06T14:18:00.000-05:00

If the difference between the NTP time received and the local clock time is more than 4000 seconds, the router or switch will not sync to the NTP time except:

on reload
when the NTP peer is first added to the config

How do I configure port-security on my switches?

2007-01-08T15:09:00.000-05:00

For each non-trunking, non-grouped switchport:

(config-if)#sw port-sec               // enables port-security
(config-if)#sw port-sec max 1         // max number of macs on that port
(config-if)#sw port-sec viol restrict // drop excess macs, and log
(config-if)#sw port-sec mac-addr {mac} // config the mac to allow

With a lot of macs, you'd have one sw port-sec mac-addr {mac} for each one, then also have to configure the max number of macs on that interface to exactly match the count. To check your results:

#show port-sec          // table of secure ports, with current macs and violations
#show port-sec int f0/4 // shows details on one interface
#show port-sec address  // shows table of all secure mac addresses

How do I configure port security on my ASW (3550s or 3750s)?

2006-08-25T15:05:00.000-04:00

First, make sure your IOS supports port security. You can use the Software Advisor tool on CCO to show you what versions of IOS support port security. Port security is set at the interface level. First, you set the maximum number of MAC addresses for the switchport (default is 1, so if you set it to this you will see nothing in sho run). sw(config-if)# switchport port-secu max 1 Then, choose between the three ways of learning MACs.

static - manually configured. command is switchport port-sec mac-add 0011.2233.4455
dynamic - port will learn MAC addresses as usual, but stop learning more addresses when it has reached the max.
sticky - converts dynamic address to static addresses in the running config only. To use this, wait until your switchport has learned the MACs you want, then issue the interface command switchport port-sec mac sticky. As soon as you do this, these MACs become static commands, but in the running config only. You then have to copy run start to make these settings survive a reload.

Next, decide how to handle security violations. A violation occurs either when the max number of MACs is exceeded, or when an address on one secure port is seen on another secure port on the same VLAN. The effects are:

protect - silently drop the packets from the excess MAC addresses.
restrict - drop the packets over the max, and log the event.
shutdown - err-disable the port. This is the default.

After finishing the config, enable security on the port with interface command port-security ena. Check the settings with sho port sec int f1/0/11.

How do I set up Netflow on my router?

2006-08-22T07:58:00.000-04:00

First make sure Netflow is included in the IOS you are running. You might try one of the "show" commands given below, or use Cisco's Software Advisor tool (on the CCO website). Turn on CEF, and set up the flow parameters. Here we are sending Netflow packets in version 5 format to 10.1.2.3 on port 2003/UDP. For active connections, we're sending flow info every 1 minute, and we are sending the flow info on connections that have gone inactive every 15 seconds:

ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
ip flow-export version 5
ip flow-export destination 10.1.2.3 2003

Note that even if you dn't have a place to send the flow information to, you can still do this setup, omitting the destination line, to make your router keep netflow stats for you to inspect using the show commands given below. Also, if you do send the flows to a host which is not listening on the given UDP port, you'll get an ICMP port unreachable message back for each datagram you send. Now enable netflow on each interface. You can use either "ingress" or "egress"; I'm not sure which is better from a perfomance standpoint. If you miss some interfaces, you won't see both sides of some conversations:

int f0/0
ip flow ingress
int f0/1
ip flow ingress
int s0/1
ip flow ingress

Use show ip flow export to look at the netflow setup and flow counters on your router. clear ip cache stats will clear these counters. To see the whole table of netflow stats, use show ip cache flow. clear ip cache flow will clear these counters.

How do I enable SSH logins on my routers?

2006-08-21T08:37:00.000-04:00

First, make sure you're using a version of IOS that supports SSH. I'm using 12.4. Turn on new-model logins (make the password better than my example):

aaa new-model
username cisco password cisco

Give it a FQDN, which is needed for key generation, and then generate a key. The key name will be devicename.domain-name:

ip domain-name example.com
cry key gen rsa

Check the key with show cry key mypub rsa. Now make the vty logins use ssh:

line vty 0 15
 transport input ssh

And define some ssh settings:

ip ssh ver 2
ip ssh source-int f0/0

What are your favorite command aliases on Cisco routers and switches?

2006-08-14T13:34:00.000-04:00

Alias force

Switches:

alias exec cpu sho proc cpu | include CPU
alias exec mac sho mac- dyn | include
alias exec ip sho arp | include
alias exec sis show interface status
alias exec po show interface status | include Po
alias exec fa show interface status | include Fa
alias exec gi show interface status | include Gi
alias exec vlans show vlan brief | include active

Routers:

alias exec cpu show proc cpu | include CPU
alias exec stat show run | include ip route
alias exec fa show interface status | include Fa
alias exec showtech show tech | redirect tftp://mytftpsrvr/thisrtr_showtech.txt
alias exec mac show mac- dyn | incl
alias exec ip show arp | include
alias exec sis show interface status

I type sis as soon as I log into a switch to see the interface table. I use fa instead on the big switches, when I'm not interested in seeing the Gigabit ports in the table (since they change infrequently). I can type mac 034b to find the switch CAM table entry for the mac containing those four digits. To track down the whereabouts of an IP on the switch fabric, I type ip 10.3.4.5 at the router to find its MAC address, then if the MAC is 1234.5678.abcd, I type mac abcd at the switches to see what switchport it's on.

How do I get a Cisco switch to log MAC addresses that it learns?

2005-12-19T11:01:00.000-05:00

The objective is to log MAC addresses as they are learned by the switch, to help detect when new equipment is added. Ideally, the log should only include MAC addresses learned on local interfaces, and not those learned across trunks from other switches. Working on it...

How do I keep the Cisco router or switch from garbling configs when I dump them to it from a console login using TERATERM?

2005-08-10T10:31:00.000-04:00

Set your router's console port up like this:

line con 0
 flowcontrol software

Also, in TERATERM, open your serial port, then menu: setup/serial port, flow control = Xon/Xoff; save the config.

How do I set a port's VLAN membership using SNMP?

2005-07-13T12:18:00.000-04:00

Using net-snmp, do c:\net-snmp\usr\bin\snmpset -v 2c -c community switchname 1.3.6.1.4.1.9.9.68.1.2.2.1.2.9 i 86 where 86 is the portname and 9 is the correct SNMP index to the switchport.

How do I display the list of ports and their VLANs using SNMP?

2005-07-07T14:13:00.000-04:00

I use the SNMPWALK program, part of the NET-SNMP distribution.

To display list of ports and their VLANs:: snmpwalk -c readcommunity -v 1 switchname .1.3.6.1.4.1.9.9.68.1.2.2.1.2
To display the Cisco port description:: snmpwalk -c readcommunity -v 1 switchname .1.3.6.1.2.1.2.2.1.2
To display the port descriptions you configured:: snmpwalk -c readcommunity -v 1 switchname .1.3.6.1.4.1.9.2.2.1.1.28

I bought 34 switches with Smartnet. How do I get the Smartnet tied to my CCO ID?

2005-05-24T14:27:00.000-04:00

Here's the way it worked on my recent Cisco switch purchase. I bought 8x5xNBD Smartnet on all 34 of the switches in the order. There were three different types of switches. It was then up to the vendor to notify Cisco. I had to remind them to do this for me. At the same time, and separately, I opened a case with Cisco customer support informing them of the situation, giving them the vendor name and order number, and asking them to help me get the contract info tied to my CCO account. This enabled Cisco to contact me once they had received the info from the vendor and created my entitlement. I then had to reply by email to the Cisco person working the case and give them my CCO ID and the IDs of all others at my company so that we could all access CCO based on the contract entitlement. Cisco promised to add the contract to all our IDs once I did that.

How do I restrict a switchport or VLAN to a list of valid MAC addresses?

2005-05-24T14:13:00.001-04:00

It looks like there are multiple methods and a lot of limitations. There's "port-security". This looks easiest to config. However, the switchport cannot be a trunk port, or a member of an etherchannel, so it can't be used at the core or distribution switch; it has to be applied on all of the access switches. There's another way: you create an extended mac access-list containing src-dest MAC address pairs you want to allow. Then there are two options: you could apply that access-list to all of the switch interfaces, or apply it to a VLAN. The mac access-list itself would look something like this:

(c)#mac access-list extended myfriends
(c-e-m)#permit host 1234.5678.90AB any
(c-e-m)#permit host AB12.3456.7890 any
(c-e-m)#deny any any                
(c-e-m)#end

Note the deny any any. On testing I found that this type of access-list does not include an implicit deny. To apply it to an interface (you would have to do all interfaces on the switch to be fully protected) to the following:

(c)#int ran f1/0/1 - 48 , f2/0/1 - 48
(c-i)#mac access-group myfriends in

Or, you create a vlan access-map with action forward for matches to that access list. Then you use the vlan filter command to apply that access-map to a VLAN or list of VLANs.

(c)#vlan access-map wksta 10
(c-a-m)#match mac address myfriends
(c-a-m)#end

(c)#vlan filter wksta vlan-list 20-23,51

Here's another possibility: VMPS. One guy says: There is a tool I use called VMPS that is in with the IOS of every Cisco Switch. VMPS means VLAN Membership Policy Server. This is a text file that lives on my Linux box that one of my Primary VMPS Switches queries at the time I configured on it. Then, all my other switches ask the Primary switch for the same info (a lot faster since they have a gig link to my Primary and the VMPS file lives in RAM). Now, in that file, I can group what switches belong to a group or what MAC address belong to a group (i.e., accounting) and say that port 1-18 are only accessible for accounting. After some research, I have concluded that VMPS is a CATOS-only featrue, so doesn't apply to my situation.

How do I set the lifetime for CAM table entries on switches?

2005-05-24T14:12:00.000-04:00

Working on it...

How do I reverse telnet out my aux port?

2005-05-09T13:49:00.003-04:00

If you connect one router's aux port to another device's console port, you can telnet to the router, then use reverse telnet to connect to the other device's console via your aux port. Here's how to set it up.

Connect your router's aux port to another device's console port using a Cisco flat crossover cable.

TELNET to your router, enable, and set the aux port up as follows:

# conf t
# line aux 0
(config-line)# modem InOut
(config-line)# transport preferred all
(config-line)# transport input all
(config-line)# transport output all
^z

Make sure you have an address on your lo0 interface, and the interface is up.

Back in enable mode, find out the line number of your AUX port with #show line. It will look something like this:

   Tty Typ     Tx/Rx    A Modem
     0 CTY              -    - 
*   97 AUX   9600/9600  - inout
*   98 VTY              -    - 
    99 VTY              -    - 
   100 VTY              -    - 
   101 VTY              -    - 
   102 VTY              -    -

On this router it is line 97. It's different from router to router but I've never seen it change.

Now all you need to do is add 2000 to the line number, and telnet to your lo0 address, port 2097.

I like to set up two aliases to save time:

(c)# alias exec auxup telnet 127.0.0.11 2097
(c)# alias exec auxdown clear line 97

With the setup above, you just connect the router's aux port to the target device. Then from the command line on the router, type auxup. This gives you a console connection to the target device. To end the connection, hit [<shift><ctrl>6] x, then type auxdown.

Update: it looks like the disconnect command (entered after the [<shift><ctrl>6] x) might be the proper way to end the telnet session.

How to I configure DHCP broadcast forwarding?

2005-02-28T14:48:00.000-05:00

A host can either be configured with its own IP address information, or it can be set to use DHCP. With DHCP, it will send out an IP broadcast message on the local network asking for a IP address. Of course, broadcasts do not traverse routers, so if the DHCP server is not on the local network with the DHCP client it will never hear the broadcast, and the DHCP client will never get an IP address. Cisco's solution to this is the ip helper command, which is applied to an interface. If an interface has, say, ip helper 192.168.2.4 in its config, then any DHCP broadcast the router hears on that interface will be changed to a unicast and sent directly to 192.168.2.4, wherever that might be. If the host at that address is a DHCP server, and it is configured to hand out addresses for 192.168.2.0, it will do so; it knows from the source address that the router put on the packet that the address it gives out needs to be for that network. The DHCP server then sends the DHCP response back to the 192.168.2.0 network as a directed broadcast; the routers put it on that network and the client gets its address. The problem is that there are many different types IP broadcasts other than DHCP, and once ip helper is configured, Cisco passes about 7 of them by default. (The various brodcast types can be distinguished by their destination ports.) This includes not only DHCP but also a couple of types of Microsoft netbios broadcasts; passing the netbios broadcasts will screw up the Microsoft "browser" and cause lots of error messages in the Windows server event logs, complaining about duplicate names found on the network or msbrowse errors. Cisco recommends the following commands be entered in global config mode on all routers which have "ip helper" configured on one or more interfaces. They prevent the forwarding of certain broadcasts. Only the DHCP broadcasts need be forwarded. Here are the commands. The bootp directive is the one which allows DHCP broadcasts to be forwarded.

no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc

I don't know why Cisco Inc. makes forwarding of all the above protocols the default, only to say that most or the protocols need to be disabled for the network to work properly, but that's what they do. Implementation of the filters which mention "netbios" is the significant change here. It should prevent most of the msbrowse errors and duplicate name errors we are seeing on our server event logs.

What is the correct syntax for the boot system command on routers and swtiches?

2005-01-31T09:31:00.000-05:00

If your router decompresses the IOS twice, as if booting twice, on every reload, you probably have the wrong syntax on the boot system command. It's picking a default version to use the second time around.

The correct syntax is:

boot system flash:c2600-i-mz.123-10b.bin

Cisco's own documentation on cco frequently gets this wrong.

On a router, you'll see the boot system command in the config. On a switch, it may not show in the config, but can see it using the show boot command. The syntax for setting it is the same in either case.

What are all of these Cisco extensions to Spanning Tree protocol (STP)?

2005-01-12T15:22:00.000-05:00

Backbone Fast Convergence: Provides fast convergence after a spanning-tree topology change caused by indirect link failures.
Loop Guard: The loop guard feature checks that a root port or an alternate root port is receiving BPDUs. If a port is not receiving BPDUs, the loop guard feature puts the port into an inconsistent state, isolating the failure and letting spanning tree converge to a stable topology until the port starts receiving BPDUs again.
Portfast: STP PortFast causes a Layer 2 LAN interface configured as an access port to enter the forwarding state immediately, bypassing the listening and learning states.
Portfast BPDU Guard: Provides a means to shut the port down when any received BPDUs are detected.
Root Guard: The STP root guard feature prevents a port from becoming root port or blocked port. If a port configured for root guard receives a superior BPDU, the port immediately goes to the root-inconsistent (blocked) state.
Uplink Fast Convergence: Uplink Fast Convergence provides rapid switchover to a redundant uplink for wiring closet switches when the spanning-tree root port fails or when the spanning-tree topology is recalculated.
Uplink Load Balancing: Uplink Load Balancing by VLAN enables traffic load balancing across uplinks by providing direct control over the spanning-tree port cost for VLANs on a trunking port.

How do I filter PINGs or ICMP using an access-list?

2004-12-09T09:55:00.000-05:00

To filter PINGs, you can create an extended access list, and then apply it to an interface. I usually apply these lists to each interface in the inbound direction. To filter only PINGs, use the following:

deny icmp any any echo
deny icmp any any echo-reply
permit ip any any

Most people like to filter out all ICMP traffic. However, there are three ICMP messages that should not be filtered: destination unreachable, source quench, and time exceed. The extended IP access list to filter everything but these looks like this:

permit icmp any any source-quench
permit icmp any any host-unreachable
permit icmp any any time-exceeded
deny icmp any any
permit ip any any

How do I use debug to see "ICMP can't fragment" errors generated by or passing through a router?

2004-12-08T08:15:00.000-05:00

The command #debug ip icmp will result in the following debug messages, if there are such errors:

ICMP: dst (10.10.10.10) frag. needed and DF set 
unreachable sent to 10.1.1.1

These "unreachable" messages must be allowed. If you are filtering ICMP, don't just use deny icmp any any. Make sure your interface access lists allow unreachable messages, as follows:

access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 deny icmp any any

What is the naming convention for Cisco IOS releases?

2004-11-12T08:25:00.000-05:00

Cisco has a white paper which explains how the release names work.

How do I upgrade IOS on a 2600 series router?

2004-11-09T14:46:00.000-05:00

Inteructions are here at cco.

How do I configure Layer 2 security on a 3550?

2004-11-04T15:43:00.001-05:00

This article here explains it.

How do I view and clear err-disabled switchports on a 3550?

2004-11-04T15:15:00.000-05:00

On the 3550, the command #sho int status will print a table of interfaces, with status. The status may be "err-disabled". To investigate such ports, use #sho int status err. To clear the port status, issue a (c-i)#shut and then a (c-i)#no shut on the interface. Or, you can enable autorecovery after a time period. Use these commands to check your current autorecovery config:

#sho errdis detect
#sho errdis flap-val
#sho errdis recovery

To enable autorecovery for a particular cause, use

(c)#errdis recov cause {cause}

Why are only my eBGP-learned routes getting redistributed into OSPF, while the iBGP-learned routes are not?

2004-11-04T13:32:00.000-05:00

Cisco has added a "safety feature" to BGP in order to, they say, prevent possible accidental routing loops. I think this is unnecessary, as anyone configuring BGP should already be knowledgeable enough to set up route redistribution correctly. Anyway, your router won't redistribute any iBGP routes into OSPF unless you add the following directive to the ROUTER BGP section: bgp redistribute-internal

Where do I go to download IOS versions?

2004-11-04T13:31:00.001-05:00

Cisco has a tool called the IOS Upgrade Planner which allows you to drill down to IOS releases by version number, platform, and title. This is useful if you already know what you are looking for.

How do I determine what version of IOS is needed to support a particular command?

2004-11-04T13:31:00.000-05:00

The Cisco Feature Navigator page has links to tools which allow you to browse IOS versions. You might find what you need using one of these tools.

How do these posts look?

2004-11-04T13:26:00.000-05:00

These posts look almost exactly like this.