Archive for the ‘CISCO’ Category

Policy-Based Routing on IOS-XE Causes GRE Tunnel to drop

June 25th, 2018 No comments

I wanted to use PBR on our DMVPN tunnels to set the next-hop address to a Layer 3 switch on the LAN.  We set it up and it seemed to work fine.  Then it was noticed that is a site went down even briefly and the tunnel dropped, the tunnel would never re-establish itself (The tunnel interface remained line up/protocol down).  We recreated the problem in our lab and it consistently failed.  We moved the tunnel to an IOS router and that wasn’t affected.

It was eventually revealed that apparently, PBR is handled differently in IOS-XE and IOS routers.

The problem occurs when a route-map is attached to an interface with only a “set” operation and no “match” (When there is no match specified there is an implicit “match any any”) OR when a match “any any” is used.  Read more…

Categories: CISCO, Network Design Tags:

EEM Script to check log messages and trigger email

June 15th, 2017 No comments

Here’s a tip to become alerted when an interface is down (in this case a VPN tunnel). The script can be adapted to look for any pattern in the syslog and send a triggered email message:

event manager environment _ifDown_rcpt
event manager session cli username “admin”
event manager applet MailOnIfDown
event syslog occurs 1 pattern “%LINEPROTO-5-UPDOWN.* Tunnel” period 1
action 1.0 mail server “” to “$_ifDown_rcpt” from “” subject “DON’T PANIC – Tunnel Changed State!” body “$_syslog_msg”

Read more…

Categories: CISCO, EEM Scripts Tags:

Archive DHCP Bindings from Cisco Router using EEM

March 24th, 2017 No comments

This recipe describes a simple method to send DHCP bindings from a Cisco router to a remote TFTP server running on Windows.  A batch file renanes and date-stamps the file and another batch file removes the archived files after a retention period:


(Note: the cron entry sends the file every 5 minutes)
event manager session cli username “your_username”  (NOTE: this is required if tacacs+ is running on the router)
event manager applet copy-dhcp-bindings
event timer cron cron-entry “*/5 * * * * ”
action 0.5 cli command “enable”
action 1.0 cli command “show ip dhcp binding | redirect tftp://[ip_address]/bindings.txt”
end Read more…

Categories: CISCO, EEM Scripts Tags:

Monitor QoS Policy on Cisco Router using SNMP

March 23rd, 2017 No comments

This recipe describes how to use SNMP to determine the traffic offered and drop rate for a QoS policy configured on a Cisco router.

The steps here describe which OIDs to interrogate in the CISCO-CLASS-BASED-QOS-MIB


Get the SNMP ifIndex for the interface where the QoS policy is attached:
CiscoRouter#sh snmp mib ifmib ifindex | i GigabitEthernet0/1
GigabitEthernet0/1: Ifindex = 22

(or by using SNMP):
root@Linux# snmpwalk -v2c -c communityname | grep -i GigabitEthernet0/1
RFC1213-MIB::ifDescr.22 = STRING: “GigabitEthernet0/1” Read more…

Categories: CISCO, Network Management, QoS Tags: ,

Troubleshooting VMWare Networking

August 28th, 2015 No comments

To locate a VM Host on a Cisco switch, enable the sending of CDP (Cisco Discovery Protocol) packets on the VMWare host, the syntax is:

# esxcli network vswitch standard set –c both –v vSwitch# (Note: Replace # with the vSwitch number)

In ESXCLI 5.1, you can now retrieve additional network statistics at a physical NIC (vmnic), on a per VLAN (portgroup) which needs to be configured and on a per VM port (vNIC). Here is a quick diagram to help you visualize where you can retrieve network statistics: Read more…

Categories: CISCO Tags:

How to Find SNMP ifIndex on Cisco Devices

July 30th, 2015 2 comments

show snmp mib ifmib ifindex

show snmp interface Read more…

Categories: CISCO Tags:

Secure Hashing Algorithms SHA-1 and SHA-2

May 15th, 2015 No comments

First implemented by the National Security Agency (NSA) in 1993, the Secure Hashing Algorithm (SHA) is used by certification authorities such as Verisign and Thawte to sign certificates and Certificate Revocation Lists. SHA is used to generate unique hash values from files.

This is the SHA-1 hash fingerprint from the website:

root@raspberrypi:/# echo | openssl s_client -connect 2>/dev/null | openssl x509 -fingerprint -noout
SHA1 Fingerprint=EA:D2:F2:79:18:A0:CD:2B:10:3B:12:01:CF:B1:9E:CC:AF:0F:28:0C

SHA versions:

  • SHA0 Obsoleted
  • SHA1 Currently the most widely implemented
  • SHA2 Stronger than SHA-1 due to longer hash (SHA224, SHA256, SHA384 and SHA512)

As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google began phasing out trust in SHA-1 certificates in November 2014. Read more…

Categories: Network Design, Security Tags: ,

Filtering Cisco “show” Output Using Regular Expressions

April 22nd, 2015 No comments

show run | i ^interface|^_ip address
! Gives you the every line in your running config that starts with (that’s what the ^ is all about) “interface” or ” ip address”, essentially giving you all of your interface IP’s in an IOS-pastable format.  The underscore represents a space.  Useful for displaying IP addresses with their associated masks and interfaces. Read more…

Categories: CISCO Tags:

Using nMap to Identify Applications

March 3rd, 2015 No comments

nMap uses a list of “default” applications in the nmap services file, used to list services running on scanned open ports.  To see the “real” application execute nMap using the “-sV” option. Read more…

OpenSSL – Self Signed Certificates / Becoming a Root CA

February 10th, 2015 No comments

Following on from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term “Self signed certificate” is really incorrect, the proper phrase ought to be “Being your own Certificate Authority”, (or CA)
– You have the “root key”
– And you can “sign” other certificates
Read more…

Categories: Security Tags: ,