Path Trace
If you’ve ever had to trace the actual path a packet takes it can be tedious. There are some great commercial tools out there ...
Finding a Host
I wrote an article a long time ago on how to find out where a host is connected. APIC-EM’s host inventory makes finding a host a ...
Inventory & Config Management
Did you know that APIC-EM inventories your equipment and maintains a copy of the config? If you don’t see the Config header, ...
Troubleshooting Failover on the ASA
When troubleshooting failover on an ASA, there are a couple of spots to pay attention too. However we first need to understand how ...
ZBF and the default security zone
A customer had a hardware failure the other day and I went and replaced the router. It was an ISR4231 and was running Zone Based ...
Easy VSS
VSS isn’t the hardest thing in the world to configure, but at times it can be a pain. Cisco must have realized this and came up ...
ISR4000 Performance & Design
The performance license has been around on the ASR series for years and Cisco has now added it to the ISR4K series as well. You can ...
Using Dynamic Access Policies for Controlling VPN
One of the easiest ways, in my opinion, to control VPN access is with DAP. Let’s dig into this with an example. We will be ...
ASA and LDAP
I seem to be working on a lot of ASA’s and Sourcefire lately and I always end up connecting to AD for authentication of some ...
NTP Server & Clients
First determine what device(s) you want to be the NTP Master for your network. Commonly this is your core switches. In this example ...
Cisco Web Security (CWS)
Cisco Web Security (formerly ScanSafe) is a cloud based Web Filtering solution. It works pretty well and integrates with Anyconnect so ...
CCIE Lab Quickies
Alias’s for long commands Some alias’s for BGP alias exec inroutes show ip bgp neighbor 198.0.50.23 received-routes alias ...
Macro’s in Switches
I like using macro’s in switches. I find them useful since different customers have different requirements (for example ports ...
Speeding up the config
There’s nothing worse (OK there is) than working on a fully populated 6513 and you type show run and hit enter. Hurry up and wait ...
TDR cable test
How many times have been working on a problem and got to the point where you thought it might be the cable that’s causing ...
AAA with Cisco Network Assistant
I’m not a huge fan of CNA or GUI’s in general, however I have a couple of customers that use it. I recently configured a ...
EIGRP Named Mode
I previously posted on converting from converting from Classic to Named mode with EIGRP. I recently had a more complex configuration; ...
Cisco Call Home
Call me paranoid but I do not like anything automatically sending data somewhere. In all of my templates I disable/remove Cisco’s ...
Secure the control plane with QoS
I was playing around with different ways to secure a device that does not support Control Plane Protection yet. I thought QoS might be ...
Code for button in Visio
In Visio I like to use buttons to turn layers on and off. Here’s code that uses a single button for turning on and off the layer ...
Sourcefire with User Certificate
I was doing a Sourcefire/Defense Center install and the customer wanted to add their wildcard certificate to the Defense Center Web ...
Menu’s in IOS
I recently had to build a menu for a customer. It’s not something I do often, but they can be pretty handy. In this example there ...
Regex helpers
I need help remembering what regex’s do what for me and instead of re-learning them over and over, I thought I would post the ...
View PC network info – IP Config alternative
I connect to a lot of customer networks and I was looking for an easy way to view network info- especially the domain name. Yes I can ...
Control Plane Protection CPPr
I was browsing through the security docs the other day and came across CPPr. For detailed info go here. This is a feature for ...
Route filtering in BGP
Best practices is to not trust your ISP’s and filter routes (just in case they forget to). There are three common ways to filter; ...
public / internet facing ACL
Here’s the ACL I apply to public facing interfaces. You should check my blog post on Cisco’s Support Forum for the latest ...
HTTP Probe on the ACE
Configuration example of an HTTP Probe and ACL on an ACE. access-list ACL-PERMIT-WEB line 1 extended permit tcp any gt 1024 any eq ...
Making remote changes
We’ve all done this. You start changing a config under an interface and boom, you’re locked out. I hated calling a user and ...
ASA-X serial number
Typically for a device we use show version to view the serial number. However, for some strange reason, in the ASA-X the number that is ...
Working with flash and other filesystems
There’s nothing sexy about keeping flash neat and tidy. Too bad because it’s pretty easy to do. Let’s cover a couple ...
Fastest IOS Upgrade
Here’s the fastest way I know of to update the IOS on a Cisco device that has USB ports. Check the flash and see what image is on ...
Troubleshooting Circuits
We as engineers spend a lot of time troubleshooting circuits that are down. These are my troubleshooting steps and I use the checklist ...
Verifying IOS images
Verifying IOS should be a no-brainer, but I admit it’s something I forget to do sometimes.Here’s my process. First download ...
3750-X stacks suck
If you read a majority of my posts you may think I’m a Cisco hater. I’m not. I’ve made a career from them and it has ...
Making changes on remote devices
We’ve all done this. You start changing a config under an interface and boom, you’re locked out. I hated calling a user and asking them ...
PfR with 1 router and 2 links
A co-worker asked me about PfR today. I’ve been researching it for a couple of weeks for an install that I might use it with. His ...
I don’t like the Nexus 7000’s because&
OK, OK, before you guys start freaking out and leaving nasty comments, give me a second to explain. I don’t hate the Nexus, I ...
OTV redundancy with ASR’s
I deployed OTV at a customer site using Nexus 7K’s in one datacenter and ASR routers in the secondary datacenter. I got it all ...
NEXUS 7K CMP
This is a really weird (and bad) problem I ran into at a client site. I installed a couple of Nexus 7010’s. First things first I ...
ASA Asymmetric NAT
We had a normal AnyConnect VPN configured and everyone could get to the inside resources. We then put an application in the DMZ and ...
ACE and OTV and other layer 2 woes
So I have a client and they have two data centers. We’ve deployed OTV for VMotion, NFS, and all that jazz. They bought two ...
User IP script (php)
Often in testing NAT I want to see what my “external” IP address is. In scouring the net and doing a little hacking of my ...
NEXUS run-script
I ran across the run-script command for the Nexus the other day. It’s very helpful for putting the base config on the switch. ...
Convict Conditioning book review
I used to belong to a gym that focused on functional fitness. I eventually hit a plataue that I was having trouble getting past. I was ...
View interface statistics on a Netscreen
get counter statistics interface [interface id] [crayon-59c1e2603e17e840657711/]
Rebuild a NSRP Cluster
Configure the items that are unique to the box (Managment IP, SNMP, etc.) On the active box, set the priority lower than the new box. ...
Configure NTP on a Netscreen
set clock ntpset ntp server “10.10.12.7”set ntp server src-interface “ethernet0/2”set ntp server backup1 ...
Clear the config on a Netscreen
You can either log in to the device and enter unset allor when prompted for the username/password, enter the serial number of the ...
SecureCRT scripting
Simple example of a VBScript that will log you in to a Cisco router# $language = “VBScript”# $interface = ...
Find a device in the network
Always start at the Layer 3 boundary of the subnet. Do a show arp to find the MAC address. [crayon-59c1e2603e739860927136/] If you do ...
Public interface ACL
ip access-list extended inbound remark Allow BGP permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface] permit tcp host ...
TCP/IP table for certification tests
Before you take one of the TCP/IP tests you should construct a few tables for reference during the test. Microsoft/Cisco will not allow ...
Script to backup important local files
Here’s a little script (Backup.cmd) I wrote to backup important stuff on my PC like VPN profiles, chrome extensions and SecureCRT ...
Backup SecureCRT sessions
Here’s a script that will backup your SecureCRT sessions. It will go out to the network drive, zip the current sessions and ...
Avocent ACS Cyclades commands
Reset the device to default [crayon-59c1e2603efbd629132824/] Reboot the box [crayon-59c1e2603efc9883452293/] Power Down (stops and ...
Viewing dropped packets on ASA
show asp drop is a great troubleshooting command for the ASA. ASA5505#show asp dropFrame drop:Invalid encapsulation (invalid-encap) ...
URL filter on ASA
A lot of people post on NetPro that they want to permit or restrict by domain names on a PIX/ASA firewall. You can’t just type in ...
Transferring files to ASA via FTP
For some reason I can never remember this command…FTP Servers IP is 192.168.1.50FTP Username is MMessierFTP Password is ...
Configure the ASA to show as a hop in trace routes
Sometimes you want the ASA to show up as a hop in a traceroute to the internet. Here are the commands to allow that. class-map ...
AnyConnect VPN User
show vpn-sessiondb remote filter name ASA-VPN-1# show vpn-sessiondb remote filter name MMessierSession Type: IPsecUsername : MMessier ...
Configure ASA to prevent mail relay
We as Network Engineers are often called upon to “fix” problems that others create. For example, how many Server Admins do you know ...
Read only ASDM
First we have to configure local AAA. We must configure authorization so we can tell what user gets what level of commands.aaa ...
Configure SSH on ASA
Configure SSH on a PIX PIX(config)#hostname PIXOnePIXOne(config)#domain-name mydomain.comPIXOne(config)#ca generate rsa key ...
Basic ASA config
Basic config for ASA no service call-homeclear config call-homeftp mode passiveclock timezone CST -6clock summer-time CDT recurringdns ...
Access public IP from inside on ASA
In short, there is no more alias command, so you need to create more statics! static(dmz,inside) 51.88.80.100 172.16.1.100 ...
CYA
Here’s some things you may want to do to make sure you don’t leave yourself hanging in the breeze when things go SNAFU. ...
Using IPSLA to change routing
Let’s take a look at how we can change our default route using IP SLA. First we create our IP SLA. In this example we want to ...
General troubleshooting commands
Check ports for errorsshow interfaces | include errors Check the ports for duplex mismatchesshow interfaces | include duplex Check CPU ...
CoPP on routers
First I create the access lists that determine what I want to control or have access to. Notice that there are multiple access lists. I ...
Default router config
The default config is now managed through the configuration templates. Please use the menu above to go to the template section.
Verifing IOS images
Verifing the IOS image is a smart thing to do. It’s relatively easy for the image to get corrupt, especially if you use TFTP ...
Upgrading IOS over the internet
There are many obvious reason to use FTP to upload an image, but the one I’m going to cover is transferring an IOS image across ...
Track Changes without AAA
First create local username/passwordsusername MMessier password RaNgErS Next we enable AAA and tell AAA to use the local database of ...
My access lists logs are showing 0’s
Create another access-list that denies port 0 (which is null). Now your access list logging will show the port numbers. access-list 100 ...
Install IOS on 800 series router from rommon
All parameters are required! rommon 1 >IP_ADDRESS=10.1.2.55rommon 2 >IP_SUBNET_MASK=255.255.255.0rommon 3 ...
Netflow local on the router
Enable Netflow to a destinationip flow-export destination 10.10.1.2 9996ip flow-export source loopback0ip flow-cache timeout active 1ip ...
EIGRP internal and external routes
I was working on an EIGRP & BGP configuration. The customer had 3 sites connected with a high speed link between each site. Site #3 ...
Configure VWIC-MFT and MultiLink PPP
In this example we just installed 2 2-port VWIC-MFT cards, one is slot and one is slot 3. Once installed you’ll notice no ...
Timing/Clocking on T1’s
Typically ISP’s only provide clocking when connecting to them (ie MPLS). If you have point-to-point T1’s, you usually need ...
CoPP on a router
First I create the access lists that determine what I want to control or have access to. Notice that there are multiple access lists. I ...
Configure IPS on an IOS router
configure terminallogging console debugcrypto key pubkey-chain rsanamed-key realm-cisco.pub signaturekey-string30820122 300D0609 ...
PPPoE on a router
interface FastEthernet0/1 description DSL WAN Interface no ip address no ip redirects no ip unreachables no ip proxy-arp no ip ...
Configure SSH on a router
Router(config)#hostname RouterOneRouterOne(config)#ip domain-name mydomain.comRouterOne(config)#crypto key generate rsaThe name for the ...
Viewing VPN Keys
It’s well known that to recover VPN passwords for L2L tunnels you can copy the config to a TFTP server and view the configuration ...
Clean and Press ToM
This one is brutal, no fun, just painful 🙂 Grab two kettlebells so they equal 50-60% of your body weight. Start your minute timer and ...
Run Farmer Run
Grab some kettle bells or a D-Ball, about 50% of your body weight. I usually do this one in the gym or on the track to keep track of ...
Five Lords
Grab a D-Ball (www.d-ball.com) that’s 40-50% of your body weight. Start with the ball on the ground. Do a burpee with your hands ...
Quadzilla
A fun, tough, and sore leg workout I came up with. Body weight squat (just squat down with your hands on your head) 50 times then ...
AAA for internet routers
What we want to do is configure the firewall to allow the public router to authenticate administrators to the AAA server on the inside. ...
NEXUS Tips-N-Tricks
Show running config of multiple interfacesshow run interface e3/5 – 6 The section command has been removed, however you can still ...
NEXUS CoPP Configuration
The controlling of management access on the Nexus 7000 is very different than other Cisco routers and switches. The VTY lines are ...
Basic CSS Commands
I hope I never run into another CSS box, but in case I do… Check who is master CSS11503# show ...
AIM Daughter Card
To check and see if the card is being recognized by IOS RTR3825-1#show crypto engine briefcrypto engine name: Virtual Private Network ...