Arnaud Fenioux's Personal Home Page


Tips related to the Cisco CLI

IS-IS tuning

July 3, 2015 - Arnaud
Categorie: Technical
Tags: cisco

Here is a sample configuration of IS-IS for Cisco routers. This example is a level-2-only area (like the backbone area 0 in OSPF).

Note: loopback addresses are (or should be) always configured with a /32 netmask.
It is good practice to dedicate a contiguous range to all your loopback addresses; most of the time this range is the first one of your supernet (i.e. your "big" network allocation), or the one containing a zero.

Let's begin by creating a loopback interface and announcing its IP (in this example we use the first /24 of our "big" range for loopbacks):

Switch CAM, TCAM and SDM

August 20, 2014 - Arnaud
Categorie: Technical
Tags: cisco

Cisco Catalyst switches use CAM and TCAM to store MAC address, ACL and QoS tables in order to switch at wire speed: they are ASICs that search the entire memory in one operation.
The CAM (Content Addressable Memory) stores MAC addresses with their VLAN and port assignments. During a lookup, the CAM returns the address where the data is stored (the inverse of regular RAM). It is used on L2 switches.


July 14, 2014 - Arnaud
Categorie: Technical
Tags: cisco

I've not yet deployed such technology, but I found some great presentations to better understand these concepts and their configuration:



L2 ACL / MAC ACL vs Port Security

May 19, 2014 - Arnaud
Categorie: Technical
Tags: cisco

Cisco devices can filter MAC addresses inbound with port security or with an ACL, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port security is checked in software (and can cause big trouble in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

In the example we allow 100 MAC addresses on this trunk port, but only 2 specific MACs on VLAN 4 (interface configuration mode):

Enable SSH && disable telnet

April 30, 2014 - Arnaud
Categorie: Technical
Tags: cisco

Telnet is "bad"; this is how to enable SSH and disable telnet login. By the way, we only want SSH v2, as v1 is vulnerable to several attacks:
When prompted, choose at least 1024 bits for the key.

hostname switch
ip domain-name mydomain.tld
aaa new-model
crypto key generate rsa
ip ssh version 2
line vty 0 15
 transport input ssh

Remember to add an ACL too; this is always a good thing.
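
As an added example (not part of the original post), here is a small Python audit that checks a saved running-config for the three points above: `ip ssh version 2` set globally, every `line vty` block restricted to `transport input ssh`, and an `access-class` ACL on each vty block. The sample config is constructed for the demonstration; the second vty range is deliberately left with telnet enabled so the audit has something to report.

```python
import re

# Constructed sample running-config (not from the post): the first vty range
# is hardened as the post shows, the second still accepts telnet and has no ACL.
SAMPLE_CONFIG = """\
hostname switch
ip domain-name mydomain.tld
aaa new-model
ip ssh version 2
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_vty_lines(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())   # indented sub-command of the block
        else:
            current = None                        # any other top-level command ends it
    return blocks


def audit_remote_access(config):
    """Return a list of findings; an empty list means the config matches the post."""
    findings = []
    if "ip ssh version 2" not in config.splitlines():
        findings.append("global: 'ip ssh version 2' is not set (SSHv1 may still be negotiated)")
    for (first, last), cmds in parse_vty_lines(config).items():
        name = f"line vty {first} {last}"
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: no explicit 'transport input ssh'")
        elif any(c.split()[2:] != ["ssh"] for c in transport):
            findings.append(f"{name}: '{transport[-1]}' still permits telnet")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class ACL restricting management sources")
    return findings
```

Run it against `show running-config` output saved to a file; each finding names the vty range so it can be fixed directly in line configuration mode.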

BGP references

March 23, 2014 - Arnaud
Categorie: Technical
Tags: cisco

I have put here lots of links I use for my presentations, which could be interesting for anyone:
PDF Slides of my BGP workshops (in French)
What is Peering?

Vlan Shaping

March 11, 2014 - Arnaud
Categorie: Technical
Tags: cisco

conf t
  mls qos

  ! classify all frames tagged with VLAN 123
  class-map match-any vlan123
   match vlan 123

  ! police that class to 1 Gbit/s (cir is in bits per second):
  ! conforming traffic is forwarded, excess traffic is dropped
  policy-map ratelimit
   class vlan123
    police cir 1000000000
     conform-action transmit
     exceed-action drop

  ! apply the policy inbound on the port
  int gi0/1
    service-policy input ratelimit

Limit user access (cisco view)

March 11, 2014 - Arnaud
Categorie: Technical
Tags: cisco

Limit these commands to privilege level 15 (admin):

privilege exec level 15 ssh
privilege exec level 15 telnet

Create a view for a user:

enable view
conf t
  parser view readonly
    secret 5 ???
    commands exec include show vlan
    commands exec include show
  username test view readonly password 0 ????


Configuring Netflow

January 8, 2014 - Arnaud
Categorie: Technical
Tags: cisco

Old style:

Cisco logging

November 26, 2013 - Arnaud
Categorie: Technical
Tags: cisco

You can check the log buffer with:

#show logging

By default the buffer is 4 KB (approx. 60 lines); you can change it with:

(config)#logging buffered 23456

Remove logging to the console:

(config)#no logging console

Disable specific logging in the buffer:

