Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

Vlan Shaping

Written by Arnaud no comments
conf t
  mls qos

  class-map match-any vlan123
   match vlan 123

  policy-map ratelimit
   class vlan123
   police cir 1000000000
   confirm-action transmit
   exceed-action drop

  int gi0/1
    service-policy input ratelimit
Classified in : cisco Tags : none

Limit user access (views)

Written by Arnaud no comments

limit commands to admin 15 :

privilege exec level 15 ssh
privilege exec level 15 telnet

Create a view for a user :

enable view
conf t
  parser view readonly
    secret 5 ???
    commands exec include show vlan
    commands exec include show
  username test view readonly password 0 ????

sources :

Classified in : cisco Tags : none

Configuring Netflow

Written by Arnaud no comments

Old style :

interface Gi0/1
   ip flow ingress

 ip flow-export source Gi0/2
 ip flow-export destination 2055
New Style :
interface Gi0/1
  ip route-cache flow sampled
  ip route-cache distributed
ip flow-export version 5
ip flow-export destination 2055
ip flow-sampling-mode packet-interval 100
Or even :
flow-sampler-map SAMPLER
 mode random one-out-of 100

ip flow-export version 5
ip flow-export destination 2055

interface Gi0/1
 flow-sampler SAMPLER
Debug :
show ip flow sampling
sh ip flow export


Classified in : cisco Tags : none


Written by Arnaud no comments

you can check your log in buffer :

#show logging

By default the buffer is 4k (aprox 60 lines), you can change it with :

(config)#logging buffered 23456

Remove logging to console :

(config)#no logging console

Disable specific logging in the buffer :

(config)#logging discriminator nologthr msg-body drops string_or_regexp_to_match 
(config)#logging buffered discriminator nologthr

To only have notifications (level 5) and more important logs :

(config)#logging buffered 40960 notifications

Add proper time format to your logs :
(config)#service timestamps log datetime localtime show-timezone

Log when someone fail (or success) to log in :

(config)#login on-failure log
(config)#login on-success log
Classified in : cisco Tags : none

SPAN / Port Mirroring

Written by Arnaud no comments

To monitor one Vlan, on a specific switch (here vlan 622 goes on port gi1/0/22):

(config)#monitor session 1 source vlan 622
(config)#monitor session 1 destination interface Gi1/0/22

To check if it's OK :

#show monitor session 1
Session 1
Type                   : Local Session
Source VLANs           :
    Both               : 622
Destination Ports      : Gi1/0/22
    Encapsulation      : Native
          Ingress      : Disabled

To monitor one port (here port gi1/0/11 goes on port gi1/0/22):

(config)#monitor session 1 source interface gi1/0/11
(config)#monitor session 1 destination interface gi1/0/22

To monitor one Vlan, on all your switches (here vlan 500 goes on port gi1/0/22):

On all the switches :

(config)#vlan 21
config-vlan)#name RSPAN_VLAN_500
monitor session 2 source vlan 500 rx
monitor session 2 destination remote vlan 21

On the destination switch

monitor session 1 source remote vlan 21
monitor session 1 destination interface Gi1/0/22
Classified in : cisco Tags : none

How to use VRF

Written by Arnaud no comments

This Example is only working for IPv4 (see the "vrf definition" command below for IPv6) :

First create your VRF and define an RD (Route Distinguisher) which is 16bits:16bits (can also be 32b:16b if you use doted IP notation)

(config)# ip vrf my_vrf_1
(config-vrf)# rd 500:1

Add you interface into the VRF (remeber to set the IP address *after*)

(config)# interface Gi0/0
(config-if)# ip vrf forwarding my_vrf_1
(config-if)# ip

Define your RT (Route Targert), which will tell how you want to export/import between VRF (aka route leaking). You must enable BGP on the router but no BGP neighbor is required.

(config)# ip vrf my_vrf_1
(config-vrf)# route-target export 500:1
(config-vrf)# route-target import 100:1 

Make you BGP

(config)# ip route vrf my_vrf_1 XX.XX.XX.XX Null0
(config)# router bgp 65534
(config-router)# address-family ipv4 vrf my_vrf_1
! next line is for the RT, if you don t do it your interface won't have a route to others vrf
(config-router)# redistribute connected
! next lines are for remote BGP session
(config-router)# network XX.XX.XX.XX mask
(config-router)# neighbor XX.XX.XX.XX remote-as XXXXX
(config-router)# neighbor XX.XX.XX.XX prefix-list PFX-OUT out

And the "show ip bgp sum" & fiends like :

sh ip bgp vpnv4 all sum
sh bgp vpnv6 uni all sum
sh ip bgp vpnv4 vrf NAME sum
sh bgp vpn6 uni vrf NAME sum
clear bgp vrf NAME ipv6 unicast *
clear bgp vrf NAME ipv4 unicast A.B.C.D
ping vrf NAME A.B.C.D

Source : (French) and
(English) What are RD / RT


You can easily import route of you global table into your VRF :

(config)# vrf definition NAME
(config-vrf)# rd XX:XX
(config-vrf)# address-family ipv4
(config-vrf-af)# import ipv4 unicast map RMAP-NAME

You may have noticed we used "vrf definition" instead of "ip vrf", if you want to convert you old vrf conf to "vrf def" use the command below :

(config)#vrf upgrade-cli multi-af-mode common-policies

And the question in now : How to export the route of the VRF to the Global table?
Sadly this feature (BGP Support for IP Prefix Export from a VRF Table into the Global Table) is only available on 15.2+ IOS... You can check on the Cisco Feature Navigator :

(config)# vrf definition NAME
(config-vrf)# rd XX:XX
(config-vrf)# address-family ipv4
(config-vrf-af)# export ipv4 unicast map MAP_NAME

Do not use the "export map RMAP-NAME" it does not what you want! (It's the way to set route-max when leaking between VRF)

Oh BTW you can create a static route in a VRF to an IP in the global table like this :

ip route vrf NAME x.x.x.x s.s.s.s nh.nh.nh.nh global

Souce :

Go futher and read this excellent explanation :

Classified in : cisco Tags : none

Cisco security & misc

Written by Arnaud no comments

Some basic tips, things to remove from IOS default configuration!

Prevent from source routing (ie the souce can specify the path the packet should take)

(config)#no ip source-route


Dont make your router a default gw for bad configured hosts

(config)#int gi0/0
(config-if)#no ip proxy-arp


suppress Router Advertisement messages on an interface:
(config-if)# ipv6 nd suppress-ra
! OR
(config-if)# ipv6 nd ra suppress

Use you own timeout (in minutes) for your enable session

(config)#line vty 0 4
(config-line)#exec-timeout 60 0


Don't try to resolve typo (prevent  from : Translating "xxxxxx"...domain server (xx.xx.xx.xx) )

(config)#no ip domain-lookup

Create a new user localy and add authentication to the console port (timout is 20minutes by default) :

username <USERNAME> secret <PASSWORD>
enable secret <PASSWORD>

aaa new-model
aaa authentication login MY-AUTH-LOCAL local
line console 0
 login authentication MY-AUTH-LOCAL 


And set the Clock / Timezone / Daylight Saving Time :

clock summer-time CEST recurring last Sun Mar 3:00 last Sun Oct 3:00
clock timezone CET 1
ntp server
Classified in : cisco Tags : none
Rss feed of the articles