Since the list is getting longer and longer, I am splitting it into two posts:


    1. Basic Troubleshooting Commands

    ping
    traceroute
    telnet
    show interfaces (e.g. show interfaces GigabitEthernet 3/6)
    show ip interface
    show ip route
    show running-config
    show startup-config
    show ip sockets
    show conn
    show tcp brief

    2. Archive Command

    • Configuration change logging, plus saving a copy of the current configuration to flash every time write memory runs

    archive
     ! log all configuration commands
     log config
      logging enable
      logging size 200
      notify syslog contenttype plaintext
      hidekeys
     path flash:backup-
     maximum 8
     write-memory

    • Compare the startup configuration with the running configuration

    R1#show archive config differences
    !Contextual Config Diffs:
    !No changes were found

    • show archive log config all
    • show archive


    3. Enable IPv6 on Cisco Switch 3550/3560

    3560:

    sdm prefer dual-ipv4-and-ipv6 routing

    3550:

    Switch (interface f0/24 is connected to router P1R1):

    interface FastEthernet0/24
     no switchport
     ip address 172.17.255.1 255.255.255.254
     ip authentication mode eigrp 1 md5
     ip authentication key-chain eigrp 1 EIGRP-KEY
     ipv6 address 2001:DB8:CAFE:201::/64 eui-64
     ipv6 rip 1 enable
     spanning-tree portfast

    Tunnel 0 on the switch:

    interface Tunnel0
     no ip address
     ipv6 address 2001:DB8:CAFE:301::/64 eui-64
     ipv6 enable
     ipv6 rip 1 enable
     tunnel source FastEthernet0/24
     tunnel destination 172.17.255.0    ! P1R1

    P1R1:

    interface Tunnel0
     no ip address
     ipv6 address 2001:DB8:CAFE:301::/64 eui-64
     ipv6 enable
     ipv6 rip 1 enable
     tunnel source Ethernet0/0
     tunnel destination 172.17.255.1

    4. Using ftp to transfer files to flash

    copy ftp://test:[email protected] flash:


    5. Clear IOS configuration

    write erase

    6. Delete flash: folder

    delete /force /recursive flash:/c2960-lanbase-mz.122-52.SE

    7. Basic Commands to Enable Telnet/SSH on Cisco Devices

    a. Telnet access:

    no aaa new-model
    username test privilege 15 secret test
    line vty 0 15
     login local
     no password
     transport input telnet

    b. SSH access:

    hostname Switch1
    ip domain-name test.com
    crypto key generate rsa general-usage modulus 2048
    ip ssh time-out 60
    ip ssh version 2
    line vty 0 15
     transport input ssh

    c. Console access with username/password:

    line con 0
     login local
     exit
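A small config-review script for the vty settings above, added here as an example and not part of the original post: it reads saved running-config text, finds each line vty block and reports whether clear-text Telnet is still accepted and whether SSH version 2 is enforced. The two sample configs are the section 7 snippets re-typed with the one-space sub-command indentation a real running-config uses.

```python
# Added example (not from the original post): audit the vty access settings
# from section 7 in a saved running-config. Real running-config output
# indents line-mode sub-commands by one space, which the parser relies on.
import re

def parse_vty_blocks(config):
    """Return {(first, last): [sub-commands]} for every 'line vty' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = (int(m.group(1)), int(m.group(2) or m.group(1)))
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_vty_access(config):
    """Return findings as strings; an empty list means SSHv2-only access."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSHv1 still negotiable)")
    for (first, last), cmds in parse_vty_blocks(config).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append(f"line vty {first} {last}: no transport input set")
        for t in transports:
            if {"telnet", "all"} & set(t.split()[2:]):
                findings.append(f"line vty {first} {last}: {t} (clear-text Telnet accepted)")
    return findings

# Constructed samples: the Telnet-only and SSH-only configs of section 7.
TELNET_CONFIG = """\
no aaa new-model
username test privilege 15 secret test
line vty 0 15
 login local
 no password
 transport input telnet
"""
SSH_CONFIG = """\
ip domain-name test.com
ip ssh version 2
line vty 0 15
 transport input ssh
"""
```

Calling audit_vty_access(TELNET_CONFIG) returns two findings, audit_vty_access(SSH_CONFIG) returns none.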

    8. Debug IP Traffic based on Access-list

    The debug procedure is the following:

    1) Turn on process switching on both interfaces of the router, so that the packets are handled by the CPU where debug ip packet can see them:

    Router(config)#interface g0/0
    Router(config-if)#no ip route-cache
    Router(config)#interface g0/1
    Router(config-if)#no ip route-cache

    2) Create an access-list that defines the specific traffic you want to monitor between the hosts:

    Router(config)#access-list 199 permit tcp host 11.11.11.1 host 22.22.22.2
    Router(config)#access-list 199 permit tcp host 22.22.22.2 host 11.11.11.1

    3) If you are in a telnet session to the router, turn "terminal monitor" on:

    Router#term mon

    If you are in a console session to the router, use the "logging console" command instead:

    Router(config)#logging console

    4) Finally, run the debug command, where 199 is the access-list number we created:

    Router#debug ip packet 199 detail
    *Jul 23 20:25:30.616: IP: s=11.11.11.1 (local), d=22.22.22.2, len 44, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    ........

    5) Use the "un all" (undebug all) command to turn it off:

    Router#un all

    9. Kron command

    The kron command can be used to reboot a router on a regular schedule, clear interface counters, save the configuration, show the routing table, and so on. It does not support interactive commands (anything that prompts for input).

    The following example uses it to save the configuration on a regular basis.

    Router# show kron schedule
    Kron Occurrence Schedule
    backup inactive, will run again in 2 days 22:03:46 at 22:00 on Mon

    Router# show running-config
    (truncated)
    kron occurrence backup at 22:00 Mon recurring
     policy-list backup
    !
    kron policy-list backup
     cli write

    Another example runs the TCL script script.tcl as the user jonny every 12 hours:

    kron occurrence tcl_occur user jonny in 12:0 recurring
     policy-list tclpol
    kron policy-list tclpol
     cli tclsh flash:/script.tcl

    10. Enable IP Accounting on Interface

    IP accounting does not provide much functionality, but it does give a summary of the traffic passing through a router. The router only records packets that transit the router; connections initiated from the router or terminating on the router are not counted.

    interface GigabitEthernet0/1
     ip address 100.199.48.15 255.255.255.0
     ip accounting output-packets
     duplex full
     speed 100
    end

    R1#sh ip accounting
       Source           Destination         Packets     Bytes
     100.199.48.10      100.199.38.53          6         241
     100.199.38.53      100.199.48.10          4         183
     138.11.117.16      166.6.23.14            1         104

    Accounting data age is 3w0d

    11. Show Configuration Without Break/Pause

    On a Cisco router/switch:

    terminal length 0

    On an ASA firewall:

    terminal pager 0

    12. Debug commands at Cisco ASA 9.1(2)

    terminal monitor
    logging buffer-size 1048576
    logging buffered 7
    logging monitor 7
    debug crypto condition peer 10.10.10.10

    debug crypto ipsec 127
    debug crypto ikev1 127

    13. Display Cisco IOS Device Opened Ports

    R#show control-plane host open-ports
    Active internet connections (servers and established)
    Prot               Local Address             Foreign Address                  Service    State
     tcp                        *:22                         *:0               SSH-Server   LISTEN
     tcp                        *:23                         *:0                   Telnet   LISTEN
     udp                       *:161                         *:0                  IP SNMP   LISTEN
     udp                       *:162                         *:0                  IP SNMP   LISTEN
     udp                     *:65110                         *:0                  IP SNMP   LISTEN
     udp                      *:1975                         *:0                      IPC   LISTEN

    How to close TCP port 23 and similar ports from external port scanning is covered in my post: Close Cisco IOS TCP Ports 23, 2002, 4002, 6002, and 9002 from Network Ports Scanning
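A parser for the show control-plane host open-ports output above, added as an example that is not part of the original post: it turns each socket row into a tuple and lists the listeners that are not on an allow-list, which is how a hardening review would spot Telnet on tcp/23 without reading the table by hand. The EXPECTED set is an assumption for this illustration, not a Cisco default.

```python
# Added example (not from the original post): parse the output of
# 'show control-plane host open-ports' from section 13 and report the
# listening services a hardening review would question. EXPECTED is an
# assumption for this illustration, not a Cisco default.
import re

ROW = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+\S+\s+(.+?)\s+(\S+)\s*$")

def parse_open_ports(output):
    """Return (proto, local_addr, port, service, state) for each socket row."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            proto, addr, port, service, state = m.groups()
            rows.append((proto, addr, int(port), service, state))
    return rows

# (protocol, port) pairs this device is allowed to listen on (assumption).
EXPECTED = {("tcp", 22), ("udp", 161), ("udp", 162)}

def unexpected_listeners(output, expected=EXPECTED):
    """Listening sockets not in the expected set, e.g. Telnet on tcp/23."""
    return [r for r in parse_open_ports(output)
            if r[4] == "LISTEN" and (r[0], r[2]) not in expected]

# Sample output copied from the post.
SAMPLE = """\
Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 udp                       *:161                         *:0                  IP SNMP   LISTEN
 udp                       *:162                         *:0                  IP SNMP   LISTEN
 udp                     *:65110                         *:0                  IP SNMP   LISTEN
 udp                      *:1975                         *:0                      IPC   LISTEN
"""

if __name__ == "__main__":
    for proto, addr, port, service, state in unexpected_listeners(SAMPLE):
        print(f"review: {proto}/{port} ({service}) is {state}")
```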

    14. Native VLAN mismatch

    062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).

    Although both ports are configured as access ports in different VLANs (1 and 56), this mismatch message should not appear. One solution is a single global command:

    no cdp advertise-v2

    Or, alternatively, use a different VTP domain name on those switches:

    Switch(config)# vtp mode transparent
    Switch(config)# vtp domain a_unique_name
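A syslog filter for the message above, added as an example that is not part of the original post: it extracts the local port, the peer device and port, and both VLAN ids from each %CDP-4-NATIVE_VLAN_MISMATCH line so the mismatches can be tracked before or after applying one of the fixes. The first sample line is the one from the post; the second is constructed filler.

```python
# Added example (not from the original post): pick the CDP native-VLAN
# mismatch message from section 14 out of a syslog feed and decode which
# local port, peer and VLAN ids are involved. The second sample line is
# constructed filler so the filter has something to skip.
import re

MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) "
    r"(?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)")

def find_vlan_mismatches(log_text):
    """Return one dict per mismatch message, with VLAN ids converted to int."""
    found = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            d = m.groupdict()
            d["local_vlan"] = int(d["local_vlan"])
            d["peer_vlan"] = int(d["peer_vlan"])
            found.append(d)
    return found

LOG = """\
062275: May 12 00:09:37.207 EDT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/3 (1), with Swtch1 GigabitEthernet0/5 (56).
062276: May 12 00:09:38.001 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
"""

if __name__ == "__main__":
    for d in find_vlan_mismatches(LOG):
        print(f"{d['local_if']} (vlan {d['local_vlan']}) <-> "
              f"{d['peer']} {d['peer_if']} (vlan {d['peer_vlan']})")
```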

    15. IOS Password Recovery Procedures

    • Shut down the router, then power it on again.
    • Press Break on the terminal keyboard within 60 seconds of power-up to put the router into ROMmon. (On some keyboards the Pause key is used to enter ROMmon mode; you may not need Fn+Pause or Ctrl+Break.)
    • Once the rommon 1 > prompt appears, enter this command: confreg 0x2142
      Then type reset to reboot the Cisco device. (0x2142 makes the router ignore the startup configuration on boot.)
    • When you are prompted to enter the initial configuration, type no and press Enter.
      At the Router> prompt, type enable.
    • At the Router# prompt, enter the configure memory command and press Enter to copy the startup configuration into the running configuration.
    • Use the config t command to enter global configuration mode.
    • Use this command to create a new username and password:
      Router(config)#username test privilege 15 password test
    • Use this command to change the boot statement back: config-register 0x2102
    • Use this command to save the configuration: write memory

    16. Reload Device in xx Minutes

    This is useful when working remotely, in case you lose your connection through a misconfiguration.

    R-Test-Lab#reload in 1
    Reload scheduled for 16:55:53 EDT Tue Aug 11 2015 (in 1 minute) by john on console
    Reload reason: Reload Command
    Proceed with reload? [confirm]
    R-Test-Lab#
    ***
    *** --- SHUTDOWN in 0:01:00 ---
    ***
    R-Test-Lab#show reload
    Reload scheduled for 16:55:55 EDT Tue Aug 11 2015 (in 57 seconds) by john on console
    Reload reason: Reload Command
    R-Test-Lab#reload cancel
    R-Test-Lab#
    ***
    *** --- SHUTDOWN ABORTED ---
    ***

    17. Load-Interval 30

    By default, IOS calculates interface rate statistics over a 5-minute interval. The smallest interval you can set is 30 seconds.

    interface GigabitEthernet0/0
     ip flow ingress
     load-interval 30
     duplex auto
     speed auto
    end

    Router#sh interfaces g0/0
    GigabitEthernet0/0 is up, line protocol is up
      Hardware is PQ3_TSEC, address is c464.139b.ee00 (bia c464.139b.ee00)
      Description:
      Internet address is
      MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 3/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full Duplex, 1Gbps, media type is RJ45
      output flow-control is XON, input flow-control is XON
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/149/0 (size/max/drops/flushes); Total output drops: 15
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 12706000 bits/sec, 1423 packets/sec
      30 second output rate 966000 bits/sec, 957 packets/sec
         7877466781 packets input, 4315500899841 bytes, 1023 no buffer
         Received 345354184 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 13 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 520835 multicast, 2112 pause input
         7120190572 packets output, 2103538386166 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         121793930 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         4 lost carrier, 0 no carrier, 58519 pause output
         0 output buffer failures, 0 output buffers swapped out

    18. Turn off IP Spoof Protection

    On the ASA, log messages such as the following come from the unicast reverse-path (anti-spoofing) check:

    "Deny IP spoof from (10.245.6.1) to 192.168.6.25 on interface inside"

    The check is enabled per interface with this command, and turned off for that interface with its no form:

    ip verify reverse-path interface outside

    19. Create Read only Account

    Method one:

    username local1 secret Cisco1234
    username local1 privilege 15 autocommand show running

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    Method two:

    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization console

    username local2 privilege 7 password Cisco1234
    privilege exec level 7 show config

    The list is getting longer, so I am splitting it into two posts:

    Cisco My Device Page


    By Jon
