Chapter 11

Network Assurance

This chapter provides information and commands concerning the following topics:

Internet Control Message Protocol Redirect Messages

Internet Control Message Protocol (ICMP) is used to communicate to the original source the errors encountered while routing packets and to exercise control on the traffic. Routers use ICMP redirect messages to notify the hosts on the data link that a better route is available for a particular destination.

Router(config-if)# no ip redirects

Disables ICMP redirects from this specific interface

Router(config-if)# ip redirects

Reenables ICMP redirects from this specific interface

The ping Command

Router# ping w.x.y.z

Checks for Layer 3 connectivity with the device at IPv4 address w.x.y.z

Router# ping aaaa:aaaa: aaaa:aaaa:aaaa:aaaa: aaaa:aaaa

Checks for Layer 3 connectivity with the device at IPv6 address aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa:aaaa

Router# ping 172.16.20.1 source loopback 1

Checks for Layer 3 connectivity with the device at IPv4 address 172.16.20.1 with the packets originating from source interface loopback 1

Router# ping 2001::1 source loopback 1

Checks for Layer 3 connectivity with the device at IPv6 address 2001::1 with the packets originating from source interface loopback 1

Router# ping

Enters extended ping mode, which provides more options

Table 11-1 describes the possible ping output characters.

TABLE 11-1 ping Output Characters

Character

Description

!

Each exclamation point indicates receipt of a reply

.

Each period indicates that the network server timed out while waiting for a reply

?

Unknown error

@

Unreachable for unknown reason

A

Administratively unreachable. Usually means that an access control list (ACL) is blocking traffic

B

Packet too big

H

Host unreachable

N

Network unreachable (beyond scope)

P

Port unreachable

R

Parameter problem

T

Time exceeded

U

No route to host

Examples of Using the ping and the Extended ping Commands

Router# ping 172.16.20.1

Performs a basic Layer 3 test to IPv4 address 172.16.20.1

Router# ping paris

Same as above but through the IP host name

Router# ping 2001:db8:d1a5:c900::2

Checks for Layer 3 connectivity with the device at IPv6 address 2001:db8:d1a5:c900::2

Router# ping

Enters extended ping mode; can now change parameters of ping test

Protocol [ip]: Images

Press to use ping for IP

Target IP address: 172.16.20.1

Enter the target IP address

Repeat count [5]: 100

Enter the number of echo requests you want to send. The default is 5

Datagram size [100]: Images

Enter the size of datagrams being sent. The default is 100

Timeout in seconds [2]: Images

Enter the timeout delay between sending echo requests

Extended commands [n]: yes

Allows you to configure extended commands

Source address or interface: 10.0.10.1

Allows you to explicitly set where the pings are originating from. An interface name may also be used here

Type of Service [0]

Allows you to set the TOS field in the IP header

Set DF bit in IP header [no]

Allows you to set the DF bit in the IP header

Validate reply data? [no]

Allows you to set whether you want validation

Data Pattern [0xABCD]

Allows you to change the data pattern in the data field of the ICMP echo request packet

Loose, Strict, Record, Timestamp, Verbose[none]:

Offers IP header options. This prompt offers more than one of the following options to be selected:

Verbose is automatically selected along with any other option

Record is a very useful option because it displays the address(es) of the hops (up to nine) the packet goes through

Loose allows you to influence the path by specifying the address(es) of the hop(s) you want the packet to go through

Strict is used to specify the hop(s) that you want the packet to go through, but no other hop(s) are allowed to be visited

Timestamp is used to measure roundtrip time to particular hosts

Sweep range of sizes [no]:

Allows you to vary the sizes of the echo packets that are sent

Type escape sequence to
abort
Sending 100, 100-byte ICMP
Echos to 172.16.20.1,
timeout is 2 seconds:
Packet sent with a source
address of 10.0.10.1

!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
Success rate is 100 percent
(100/100) round-trip min/
avg/max = 1/1/4 ms

Tip

If you want to interrupt the ping operation, use the Ctrl-Shift-6 keystroke combination. This ends the operation and returns you to the prompt.

The traceroute Command

The traceroute command (or tracert in Microsoft Windows) is a utility that allows observation of the path between two hosts.

Router# traceroute 172.16.20.1

Discovers the route taken to travel to the IPv4 destination of 172.16.20.1

Router# traceroute paris

Shows command with IP host name rather than IP address

Router# traceroute 2001:db8:d1a5:c900::2

Discovers the route taken to travel to the IPv6 destination of 2001:db8:d1a5:c900::2

Router# trace 172.16.20.1

Shows common shortcut spelling of the traceroute command

Note

In Microsoft Windows operating systems, the command to allow observation between two hosts is tracert:

Click here to view code image

   C:Windowssystem32>tracert 172.16.20.1
   C:Windowssystem32>tracert 2001:db8:c:18:2::1

The debug Command

The output from debug privileged EXEC commands provides diagnostic information that includes a variety of internetworking events related to protocol status and network activity in general.

Caution

Using the debug command may severely affect router performance and might even cause the router to reboot. Always exercise caution when using the debug command, and do not leave it on. Use debug long enough to gather needed information, and then disable debugging with the undebug all or no debug all command.

Tip

Send your debug output to a syslog server to ensure that you have a copy of it in case your router is overloaded and needs to reboot. Use the no logging console command to turn off logging to the console if you have configured a syslog server to receive debug output.

Router# debug all

Turns on all possible debugging

Caution

This is just an example. Do not use this command in a production network

Router# u all

(short form of undebug all)

Turns off all possible debugging

Router# show debug

Lists what debug commands are on

Router# debug ip packet 10

Turns on IPv4 packet debugging that matches the criteria defined in ACL 10

Note

The debug ip packet command helps you to better understand the IP packet forwarding process, but this command only produces information on packets that are process-switched by the router. Packets generated by a router or destined for a router are process-switched and are therefore displayed with the debug ip packet command

Router# terminal monitor

Displays debug output through a Telnet/SSH (a vty line connection) session (default is to only send output on the console screen)

Conditionally Triggered Debugs

When the Conditionally Triggered Debugging feature is enabled, the router generates debugging messages for packets entering or leaving the router on a specified interface; the router does not generate debugging output for packets entering or leaving through a different interface.

Use the debug condition command to restrict the debug output for some commands.

If any debug condition commands are enabled, output is generated only for interfaces associated with the specified keyword. In addition, this command enables debugging output for conditional debugging events. Messages are displayed as different interfaces meet specific conditions.

If multiple debug condition commands are enabled, output is displayed if at least one condition matches. All the conditions do not need to match. The no form of this command removes the debug condition specified by the condition identifier.

The condition identifier is displayed after you use a debug condition command or in the output of the show debug condition command. If the last condition is removed, debugging output resumes for all interfaces. You will be asked for confirmation before removing the last condition or all conditions.

Not all debugging output is affected by the debug condition command. Some commands generate output whenever they are enabled, regardless of whether they meet any conditions.

Router# debug condition interface interface-type interface number

Filters output on the basis of the specified interface

Router# debug condition ip

Filters output on the basis of the specified IP address

Router# debug condition mac-address

Filters messages on the specified MAC address

Router# debug condition username

Filters output on the basis of the specified username

Router# debug condition vlan

Filters output on the basis of the specified VLAN ID

Router# show debug condition

Displays which conditional debugs are enabled

Configuring Secure SNMP

Simple Network Management Protocol (SNMP) is the most commonly used network management protocol. It is important to restrict SNMP access to the routers on which it is enabled.

Tip

If SNMP is not required on a router, you should turn it off by using the no snmp-server global configuration command:

Click here to view code image

   Edmonton(config)# no snmp-server

Note

Beginning with SNMPv3, methods to ensure the secure transmission of data between manager and agent were added. You can now define a security policy per group, or limit IP addresses to which its members can belong. You now have to define encryption and hashing algorithms and passwords for each user.

Table 11-2 shows the different SNMP security models.

TABLE 11-2 SNMP Security Models

SNMP Version

Access Mode

Authentication

Encryption

SNMPv1

noAuthNoPriv

Community string

No

SNMPv2c

noAuthNoPriv

Community string

No

SNMPv3

noAuthNoPriv

authNoPriv

authPriv

Username

MD5 or SHA-1

MD5 or SHA-1

No

No

DES, 3DES, or AES

Tip

The SNMP security levels are as follows:

  • noAuthNoPriv: Authenticates SNMP messages using a community string. No encryption provided.

  • authNoPriv: Authenticates SNMP messages using either HMAC with MD5 or SHA-1. No encryption provided.

  • authPriv: Authenticates SNMP messages by using either HMAC-MD5 or SHA. Encrypts SNMP messages using DES, 3DES, or AES.

  • priv: Does not authenticate SNMP messages. Encrypts only using either DES or AES.

Tip

SNMPv3 provides all three security level options. It should be used wherever possible.

Tip

If SNMPv3 cannot be used, then use SNMPv2c and secure it using uncommon, complex community strings and by enabling read-only access.

Tip

If community strings are also used for SNMP traps, they must be different from community strings for get and set methods. This is considered best practice.

Securing SNMPv1 or SNMPv2c

Edmonton(config)# snmp-server community C0mpl3xAdmin ro 98

Sets a community string named C0mpl3xAdmin. It is read-only and refers to ACL 98 to limit SNMP access to the authorized hosts

Note

A named ACL can be used as well

Edmonton(config)# access-list 98 permit host 192.168.10.3

Creates an ACL that will limit the SNMP access to the specific host of 192.168.10.3

Edmonton(config)# snmp-server host 192.168.10.3 AdminC0mpl3x

Sets the Network Management System (NMS) IP address of 192.168.10.3 and the community string of AdminC0mpl3x, which will be used to protect the sending of the SNMP traps. The community string is also used to connect to the host

Securing SNMPv3

Edmonton(config)# access-list 99 permit 10.1.1.0 0.0.0.255

Creates an ACL that will be used to limit SNMP access to the local device from SNMP managers within the 10.1.1.0/24 subnet

Edmonton(config)# snmp-server view MGMT sysUpTime included

Defines an SNMP view named MGMT to include an OID name of sysUpTime

Edmonton(config)# snmp-server view MGMT ifDescr included

Defines an SNMP view named MGMT to include an OID name of ifDescr

Edmonton(config)# snmp-server view MGMT ifAdminStatus included

Defines an SNMP view named MGMT and an OID name of ifAdminStatus. This OID is included in the view

Edmonton(config)# snmp-server view MGMT ifOperStatus included

Defines an SNMP view named MGMT and an OID name of ifOperStatus. This OID is included in the view

Edmonton(config)# snmp-server group groupAAA v3 priv read MGMT write MGMT access 99

Defines an SNMPv3 group called groupAAA and configures it with the authPriv security level. SNMP read and write access to the MGMT view is limited to devices defined in ACL 99

Edmonton(config)# snmp-server user userAAA groupAAA v3 auth sha itsa5ecret priv aes 256 another5ecret

Configures a new user called userAAA to the SNMPv3 group groupAAA with authentication and encryption. Authentication uses SHA with a password of itsa5ecret. Encryption uses AES-256 with a password of another5ecret

Edmonton(config)# snmp-server enable traps

Enables SNMP traps

Edmonton(config)# snmp-server host 10.1.1.50 traps version 3 priv userAAA cpu port-security

Defines a receiving manager for traps at IP address 10.1.1.50. The user userAAA is used to authenticate the host. The traps sent relate to CPU and port security events

Edmonton(config)# snmp-server ifindex persist

Prevents index shuffle

Note

SNMP does not identify object instances by names but by numeric indexes. Index number may change due to instance changes, such as a new interface being configured. This command will guarantee index persistence when changes occur

Verifying SNMP

Edmonton# show snmp

Provides basic information about SNMP configuration

Edmonton# show snmp view

Provides information about SNMP views

Edmonton# show snmp group

Provides information about configured SNMP groups

Edmonton# show snmp user

Provides information about configured SNMP users

Implementing Logging

It is important for network administrators to implement logging to get insight into what is occurring in their network. When a router reloads, all local logs are lost, so it is important to implement logging to an external destination. The following sections deal with the different mechanisms that you can use to configure logging to a remote location.

Configuring Syslog

Edmonton(config)# logging on

Enables logging to all supported destinations

Edmonton(config)# logging 192.168.10.53

Sends logging messages to a syslog server host at address 192.168.10.53

Edmonton(config)# logging sysadmin

Sends logging messages to a syslog server host named sysadmin

Edmonton(config)# logging trap x

Sets the syslog server logging level to value x, where x is a number between 0 and 7 or a word defining the level. Table 11-3 provides more details

Edmonton(config)# service sequence-numbers

Stamps syslog messages with a sequence number

Edmonton(config)# service timestamps log datetime

Causes a time stamp to be included in syslog messages

Syslog Message Format

The general format of syslog messages generated on Cisco IOS Software is as follows:

Click here to view code image

seq no:timestamp: %facility-severity-MNEMONIC:description

Item in Syslog Message

Definition

seq no

Sequence number. Stamped only if the service sequence- numbers global configuration command is configured

timestamp

Date and time of the message. Appears only if the service timestamps log datetime global configuration command is configured

facility

The facility to which the message refers (SNMP, SYS, and so on)

severity

Single-digit code from 0 to 7 that defines the severity of the message. See Table 11-3 for descriptions of the levels

MNEMONIC

String of text that uniquely defines the message

description

String of text that contains detailed information about the event being reported

Syslog Severity Levels

Table 11-3 outlines the eight levels of severity in logging messages.

TABLE 11-3 Syslog Severity Levels

Level #

Level Name

Description

0

Emergencies

System is unusable

1

Alerts

Immediate action needed

2

Critical

Critical conditions

3

Errors

Error conditions

4

Warnings

Warning conditions

5

Notifications

Normal but significant conditions

6

Informational

Informational messages (default level)

7

Debugging

Debugging messages

Setting a level means you will get that level and everything numerically below it; for example, setting level 6 means you will receive messages for levels 0 through 6.

Syslog Message Example

The easiest syslog message to use as an example is the one that shows up every time you exit from global configuration mode back to privileged EXEC mode. You have just finished entering a command and you want to save your work, but after you type exit you see something like this (your output will differ depending on whether you have sequence numbers and/or time/date stamps configured):

Click here to view code image

Edmonton(config)# exit
Edmonton#
*Oct 23:22:45:20.878: %SYS-5-CONFIG_I: Configured from console by
console
Edmonton#

So, what does this all mean?

  • No sequence number is part of this message

  • The message occurred on October 23, at 22:45:20.878 (or 10:45 PM, and 20.878 seconds)

  • It is a SYS message, and it is level 5 (a notification)

  • It is a CONFIG message, and the configuration occurred from the console

Configuring NetFlow

NetFlow is an application for collecting IP traffic information. It is used for network accounting and security auditing.

Caution

NetFlow consumes additional memory. If you have limited memory, you might want to preset the size of the NetFlow cache to contain a smaller amount of entries. The default cache size depends on the platform of the device.

Edmonton(config)# interface gigabitethernet 0/0/0

Moves to interface configuration mode

Edmonton(config-if)# ip flow ingress

Enables NetFlow on the interface. Captures traffic that is being received by the interface

Edmonton(config-if)# ip flow egress

Enables NetFlow on the interface. Captures traffic that is being transmitted by the interface

Edmonton(config-if)# exit

Returns to global configuration mode

Edmonton(config)# ip flow-export destination ip_address udp_port

Defines the IP address of the workstation to which you want to send the NetFlow information as well as the UDP port on which the workstation is listening for the information

Edmonton(config)# ip flow-export version x

Specifies the version format that the export packets used

Note

NetFlow exports data in UDP in one of five formats: 1, 5, 7, 8, 9. Version 9 is the most versatile, but is not backward compatible with versions 5 or 8. The default is version 1. Version 5 is the most commonly used format, but version 9 is the latest format and has some advantages for key technologies such as security, traffic analysis, and multicast.

Configuring Flexible NetFlow

Flexible NetFlow improves on original NetFlow by adding the capability to customize the traffic analysis parameters for your specific requirements. Flexible NetFlow facilitates the creation of more complex configurations for traffic analysis and data export through the use of reusable configuration components. Flexible NetFlow is an extension of NetFlow v9.

Configuring Flexible NetFlow is a four-step process:

Step 1. Configure a flow record.

Step 2. Configure a flow exporter.

Step 3. Configure a flow monitor.

Step 4. Apply the flow monitor to an interface.

Step 1: Configure a Flow Record

R1(config)# flow record R1-FLOW-RECORD

Creates a new flow record called R1-FLOW-RECORD

R1(config-flow-record)# match ipv4 source address

Includes the source IPv4 address to the flow record

R1(config-flow-record)# match ipv4 destination address

Includes the destination IPv4 address to the flow record

R1(config-flow-record)# collect counter bytes

Includes statistics on the number of bytes in the flow record

Step 2: Configure a Flow Exporter

R1(config)# flow exporter R1-FLOW-EXPORTER

Creates a flow exporter called R1-FLOW-EXPORTER

R1(config-flow-exporter)# destination 10.250.250.25

Specifies the IP address of the NetFlow collector

Step 3: Configure a Flow Monitor

R1(config)# flow monitor R1-FLOW-MONITOR

Creates a flow monitor called R1-FLOW-MONITOR

R1(config-flow-monitor)# exporter R1-FLOW-EXPORTER

Assigns the flow exporter to the flow monitor

R1(config-flow-monitor)# record R1-FLOW-RECORD

Assigns the flow record to the flow monitor

Step 4: Apply the Flow Monitor to an Interface

R1(config)# interface gigabitethernet 0/0/0

Enters interface configuration mode

R1(config-if)# ip flow monitor R1-FLOW-MONITOR input

Applies the flow monitor to the interface in the input direction

Verifying NetFlow

Edmonton# show ip interface gigabitethernet 0/0/0

Displays information about the interface, including NetFlow as being either ingress or egress enabled

Edmonton# show ip flow export

Verifies status and statistics for NetFlow accounting data export

Edmonton# show ip cache flow

Displays a summary of NetFlow statistics on a Cisco IOS router

Edmonton# show flow monitor

Displays a summary of the Flexible NetFlow configuration

Edmonton# show flow exporter

Displays information about the Flexible NetFlow exporter configuration

Edmonton# show flow record

Displays information about the configured Flexible NetFlow records

Note

The show ip cache flow command is useful for seeing which protocols use the highest volume of traffic and between which hosts this traffic flows.

Implementing Port Mirroring

Using a traffic sniffer can be a valuable tool to monitor and troubleshoot a network. In the modern era of switches, using the Switched Port Analyzer (SPAN) feature enables you to instruct a switch to send copies of packets seen on one port to another port on the same switch.

Default SPAN and RSPAN Configuration

Table 11-4 shows the default SPAN and remote SPAN (RSPAN) settings.

TABLE 11-4 SPAN and RSPAN Default Settings

Feature

Default Setting

SPAN state (SPAN and RSPAN)

Disabled

Source port traffic to monitor

Both received and sent traffic (both SPAN and RSPAN)

Encapsulation type (destination port)

Native form (untagged packets)

Ingress forwarding (destination port)

Disabled

VLAN filtering

On a trunk interface used as a source port, all VLANs are monitored

RSPAN VLANs

None configured

Configuring Local SPAN

Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and destination ports are in the same switch or switch stack. Local SPAN copies traffic from one or more source ports in any VLAN or from one or more VLANs to a destination port for analysis.

Local SPAN Guidelines for Configuration

When configuring SPAN, follow these guidelines:

  • For SPAN sources, you can monitor traffic for a single port or VLAN or a series or range of ports or VLANs for each session. You cannot mix source ports and source VLANs within a single SPAN session.

  • The destination port cannot be a source port; a source port cannot be a destination port.

  • You cannot have two SPAN sessions using the same destination port.

  • When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port.

  • Entering SPAN configuration commands does not remove previously configured SPAN parameters. You must enter the no monitor session {session_number | all | local | remote} global configuration command to delete configured SPAN parameters.

  • For local SPAN, outgoing packets through the SPAN destination port carry the original encapsulation headers (untagged or IEEE 802.1Q) if the encapsulation replicate keywords are specified. If the keywords are not specified, the packets are sent in native form. For RSPAN destination ports, outgoing packets are not tagged.

  • You can configure a disabled port to be a source or destination port, but the SPAN function does not start until the destination port and at least one source port or source VLAN are enabled.

  • You can limit SPAN traffic to specific VLANs by using the filter vlan keywords. If a trunk port is being monitored, only traffic on the VLANs specified with these keywords are monitored. By default, all VLANs are monitored on a trunk port.

  • You cannot mix source VLANs and filter VLANs within a single SPAN session.

Configuration Example: Local SPAN

Figure 11-1 is the network topology for local SPAN commands.

Images

Figure 11-1 Local SPAN

Switch(config)# no monitor session 1

Removes any existing SPAN configuration on session 1. The session number is a number between 1 and 66

Switch(config)# no monitor session all

Removes all SPAN sessions

Switch(config)# no monitor session local

Removes all local SPAN sessions

Switch(config)# no monitor session remote

Removes all remote SPAN sessions

Switch(config)# monitor session 1 source interface gigabitethernet 0/1

Sets a new SPAN session where the source of the traffic will be interface GigabitEthernet 0/1

Switch(config)# monitor session 2 source gigabitethernet 0/2 rx

Configures session 2 to monitor received traffic on interface GigabitEthernet 0/2

Switch(config)# monitor session session_number source {interface interface-id | vlan vlan-id} [, | -] [both | rx | tx]

Options for this command include the following:

session_number: Any number between 1 and 66

interface-id: Specifies the source port to monitor. Can be any valid physical interface or port channel logical interface

vlan-id: Specifies the source VLAN to monitor. The range is 1 to 4094

, | - (optional): To be used to help specify a series or ranges of interfaces. There must be a space both before and after the comma or hyphen

both (optional): Monitors both received and sent traffic. This is the default setting

rx (optional): Monitors received traffic

tx (optional): Monitors sent traffic

Note

A single session can include multiple sources (ports or VLANs), defined in a series of commands, but you cannot combine source ports and source VLANs in one session

Note

You can use the monitor session session_number source command multiple times to configure multiple source ports

Switch(config)# monitor session 1 filter vlan 6 - 10

Limits the SPAN source traffic to VLANs 6 to 10

Switch(config)# monitor session session_number filter vlan vlan-id [, | -]

Options for this command include the following:

session_number: Must match the session number used in the monitor session source command

vlan-id: Specifies the source VLAN to monitor. The range is 1 to 4094

, | - (optional): To be used to help specify a series or ranges of interfaces. There must be a space both before and after the comma or hyphen

Switch(config)# monitor session 1 destination interface gigabitethernet 0/24 encapsulation replicate

Sets a new SPAN session where the destination for the traffic will be interface GigabitEthernet 0/24. The encapsulation method will be retained

Switch(config)# monitor session 2 destination interface gigabitethernet 0/24 encapsulation

replicate ingress dot1q vlan 6

Monitored traffic from session 2 will be sent to interface GigabitEthernet 0/24. It will have the same egress encapsulation type as the source port, and will enable ingress forwarding with IEEE 802.1Q encapsulation and VLAN 6 as the default ingress VLAN

Switch(config)# monitor session session_number destination {interface interface-id [, | -] [encapsulation {dot1q | replicate}]} [ingress {dot1q vlan vlan-id | untaggedvlan vlan-id | vlan vlan-id}]}

Options for this command include the following:

session_number: Enter the session number used in the source command earlier in this example. For local SPAN, you must use the same session number for the source and destination interfaces

interface-id: Specifies the destination port. This must be a physical port; it cannot be an EtherChannel, and it cannot be a VLAN

, | - (optional): To be used to help specify a series or ranges of interfaces. There must be a space both before and after the comma or hyphen

encapsulation dot1q: Specifies that the destination interface use the IEEE 802.1Q encapsulation method

encapsulation replicate: Specifies that the destination interface replicate the source interface encapsulation method

Note

If no encapsulation method is selected, the default is to send packets in native form (untagged)

ingress dot1q vlan vlan-id: Accept incoming packets with IEEE 802.1Q encapsulation with the specified VLAN as the default VLAN

ingress untagged vlan vlan-id: Accept incoming packets with untagged encapsulation with the specified VLAN as the default VLAN

ingress vlan vlan-id: Accept incoming packets with untagged encapsulation with the specified VLAN as the default VLAN

Note

You can use the monitor session session_number destination command multiple times to configure multiple destination ports

Configuring Remote SPAN

While local SPAN supports source and destination ports only on one switch, a remote SPAN supports source and destination ports on different switches. RSPAN consists of an RSPAN VLAN, an RSPAN source session, and an RSPAN destination session. You separately configure RSPAN source sessions and destination sessions on different switches.

Remote SPAN Guidelines for Configuration

When configuring RSPAN, follow these guidelines:

  • All the items in the local SPAN guidelines for configuration apply to RSPAN.

  • Because RSPAN VLANs have special properties, you should reserve a few VLANs across your network for use as RSPAN VLANs; do not assign access ports to these VLANs.

  • You can apply an output access control list (ACL) to RSPAN traffic to selectively filter or monitor specific packets. Specify this ACL on the RSPAN VLAN in the RSPAN source switches.

  • For RSPAN configuration, you can distribute the source ports and the destination ports across multiple switches in your network.

  • RSPAN does not support bridge protocol data unit (BPDU) packet monitoring or other Layer 2 switch protocols.

  • The RSPAN VLAN is configured only on trunk ports and not on access ports. To avoid unwanted traffic in RSPAN VLANs, make sure that the VLAN Remote SPAN feature is supported in all the participating switches.

  • Access ports (including voice VLAN ports) on the RSPAN VLAN are put in the inactive state.

  • RSPAN VLANs are included as sources for port-based RSPAN sessions when source trunk ports have active RSPAN VLANs. RSPAN VLANs can also be sources in SPAN sessions. However, because the switch does not monitor spanned traffic, it does not support egress spanning of packets on any RSPAN VLAN identified as the destination of an RSPAN source session on the switch.

  • You can configure any VLAN as an RSPAN VLAN as long as these conditions are met:

    • The same RSPAN VLAN is used for an RSPAN session in all the switches.

    • All participating switches support RSPAN.

  • Configure an RSPAN VLAN before you configure an RSPAN source or a destination session.

  • If you enable VTP and VTP pruning, RSPAN traffic is pruned in the trunks to prevent the unwanted flooding of RSPAN traffic across the network for VLAN IDs that are lower than 1005.

Configuration Example: Remote SPAN

Figure 11-2 is the network topology for remote SPAN commands.

Images

Figure 11-2 Remote SPAN

Switch1(config)# vlan 901

Creates VLAN 901 on Switch1

Switch1(config-vlan)# remote span

Makes this VLAN an RSPAN VLAN

Switch1(config-vlan)# end

Returns to global configuration mode

Switch2(config)# vlan 901

Creates VLAN 901 on Switch2

Switch2(config-vlan)# remote span

Makes this VLAN an RSPAN VLAN

Switch2(config-vlan)# end

Returns to global configuration mode

Note

You must create the RSPAN VLAN in all switches that will participate in RSPAN.

Note

If the RSPAN VLAN ID is in the normal range (lower than 1005) and VTP is enabled in the network, you can create the RSPAN VLAN in one switch, and VTP propagates it to the other switches in the VTP domain. For extended-range VLANs (greater than 1005), you must configure the RSPAN VLAN on both source and destination switches and any intermediate switches.

Tip

Use VTP pruning to get an efficient flow of RSPAN traffic, or manually delete the RSPAN VLAN from all trunks that do not need to carry the RSPAN traffic.

Switch1(config)# no monitor session 1

Removes any previous configurations for session 1

Switch1(config)# monitor session 1 source interface gigabitethernet 0/1 tx

Configures session 1 to monitor transmitted traffic on interface GigabitEthernet 0/1

Switch1(config)# monitor session 1 source interface gigabitethernet 0/2 rx

Configures session 1 to monitor received traffic on interface GigabitEthernet 0/2

Switch1(config)# monitor session 1 destination remote vlan 901

Configures session 1 to have a destination of RSPAN VLAN 901

Switch2(config)# no monitor session 1

Removes any previous configurations for session 1

Switch2(config)# monitor session 1 source remote vlan 901

Configures session 1 to have a source of VLAN 901

Switch2(config)# monitor session 1 destination interface gigabitethernet 0/24

Configures session 1 to have a destination interface of GigabitEthernet 0/24

Note

The commands to configure incoming traffic on a destination port and to filter VLAN traffic are the same for remote SPAN as they are for local SPAN.

Configuring Encapsulated RSPAN (ERSPAN)

The Cisco ERSPAN feature allows you to monitor traffic on one or more ports or one or more VLANs, and send the monitored traffic to one or more destination ports. ERSPAN sends traffic to a network analyzer such as a Switch Probe device or other Remote Monitoring (RMON) probe. ERSPAN supports source ports, source VLANs, and destination ports on different routers, which provides remote monitoring of multiple routers across a network. The traffic is encapsulated in Generic Routing Encapsulation (GRE) and is, therefore, routable across a Layer 3 network between the “source” switch and the “destination” switch. ERSPAN consists of an ERSPAN source session, routable ERSPAN GRE encapsulated traffic, and an ERSPAN destination session.

Note

ERSPAN is a Cisco proprietary feature and is available only to Catalyst 6500, 7600, 9200, 9300, Nexus, and ASR 1000 platforms to date. The ASR 1000 supports ERSPAN source (monitoring) only on FastEthernet, GigabitEthernet, and port-channel interfaces.

ERSPAN Source Configuration

Router-1(config)# monitor session 1 type erspan-source

Creates an ERSPAN source session

Router-1(config-mon-erspan-src)# source interface gigabitethernet 0/0/1

Assigns the GigabitEthernet 0/0/1 interface as the source interface for the ERSPAN session

Router-1(config-mon-erspan-src)# destination

Enters ERSPAN destination configuration mode

Router-1(config-mon-erspan-src-dst)# erspan-id 1

Assigns an ERSPAN ID of 1

Router-1(config-mon-erspan-src-dst)# ip address 2.2.2.2

Defines the ERSPAN destination IP address

Router-1(config-mon-erspan-src-dst)# origin ip address 1.1.1.1

Defines the ERSPAN source IP address
ERSPAN Destination Configuration

Router-2(config)# monitor session 1 type erspan-destination

Creates an ERSPAN destination session

Router-2(config-mon-erspan-dst)# destination interface gigabitethernet 0/0/1

Assigns the GigabitEthernet 0/0/1 interface as the destination interface for the ERSPAN session

Router-2(config-mon-erspan-dst)# source

Enters ERSPAN source configuration mode

Router-2(config-mon-erspan-dst-src)# erspan-id 1

Assigns an ERSPAN ID of 1

Router-2(config-mon-erspan-dst-src)# ip address 2.2.2.2

Defines the ERSPAN source IP address

Verifying and Troubleshooting Local and Remote SPAN

Switch# show monitor session 1

Displays output for SPAN session 1

Note

On some platforms the command is show monitor

Switch# show running-config

Displays configuration of sessions running in active memory

Switch# show vlan remote-span

Displays information about VLANs configured as RSPAN VLANs

Switch# debug monitor all

Displays all SPAN debugging messages

Switch# debug monitor list

Displays SPAN port and VLAN list tracing

Switch# debug monitor requests

Displays SPAN requests

Configuring Network Time Protocol

Most networks today are being designed with high performance and reliability in mind. Delivery of content is, in many cases, guaranteed by service level agreements (SLAs). Having your network display an accurate time is vital to ensuring that you have the best information possible when reading logging messages or troubleshooting issues.

NTP Configuration

Edmonton(config)# ntp server 209.165.200.254

Configures the Edmonton router to synchronize its clock to a public NTP server at address 209.165.200.254

Note

This command makes the Edmonton router an NTP client to the external NTP server

Note

A Cisco IOS router can be both a client to an external NTP server and an NTP server to client devices inside its own internal network

Note

When NTP is enabled on a Cisco IOS router, it is enabled on all interfaces

Caution

NTP is slow to converge. It can take up to 5 minutes before an NTP client synchronizes with an NTP server

Edmonton(config)# ntp server 209.165.200.234 prefer

Specifies a preferred NTP server if multiple servers are configured

Tip

It is recommended to configure more than one NTP server

Edmonton(config-if)# ntp disable

Disables the NTP server function on a specific interface. The interface will still act as an NTP client

Tip

Use this command on interfaces connected to external networks

Edmonton(config)# ntp master stratum

Configures the router to be an NTP master clock to which peers synchronize when no external NTP source is available. The stratum is an optional number between 1 and 15. When enabled, the default stratum is 8

Note

A reference clock (for example, an atomic clock) is said to be a stratum-0 device. A stratum-1 server is directly connected to a stratum-0 device. A stratum-2 server is connected across a network path to a stratum-1 server. The larger the stratum number (moving toward 15), the less authoritative that server is and the less accuracy it will have

Edmonton(config)# ntp max-associations 200

Configures the maximum number of NTP peer-and-client associations that the router will serve. The range is 0 to 4 294 967 295. The default is 100

Edmonton(config)# access list 101 permit udp any host a.b.c.d eq ntp

Creates an access list statement that will allow NTP communication for the NTP server at address a.b.c.d. This ACL should be placed in an inbound direction

Note

When a local device is configured with the ntp master command, it can be identified by a syntactically correct but invalid IP address. This address will be in the form of 127.127.x.x. The master will synchronize with itself and uses the 127.127.x.x address to identify itself. This address will be displayed with the show ntp associations command and must be permitted via an access list if you are authenticating your NTP servers.

NTP Design

You have two different options in NTP design: flat and hierarchical. In a flat design, all routers are peers to each other. Each router is both a client and a server with every other router. In a hierarchical model, there is a preferred order of routers that are servers and others that act as clients. You use the ntp peer command to determine the hierarchy. Figure 11-3 is a topology showing a hierarchical design.

Images

Figure 11-3 NTP Hierarchical Design

Tip

Do not use the flat model in a large network, because with many NTP servers it can take a long time to synchronize the time.

Edmonton(config)# ntp source-interface loopback 0

Configures the source interface for all NTP packets

Edmonton(config)# ntp peer 172.16.21.1

Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1

Edmonton(config)# ntp peer 172.16.21.1 version 2

Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1 using version 2 of NTP. There are three versions of NTP (versions 2–4)

Edmonton(config-if)# ntp broadcast

Configures the options for broadcasting or multicasting NTP traffic on a specified interface. You can include the authentication key and version options with this command

Edmonton(config-if)# ntp broadcast client

Configures a device to receive NTP broadcast or multicast messages on a specified interface. You can include the authentication key and version options with this command

Note

Although Cisco IOS recognizes three versions of NTP, versions 3 and 4 are most commonly used. Version 4 introduces support for IPv6 and is backward compatible with version 3. NTPv4 also adds DNS support for IPv6.

Note

NTPv4 has increased security support using public key cryptography and X.509 certificates.

Note

NTPv3 uses broadcast messages. NTPv4 uses multicast messages.

Edmonton(config)# ntp peer 172.16.21.1 source loopback 0

Configures an IOS device to synchronize its software clock to a peer at 172.16.21.1. The source IP address is the address of interface Loopback 0

Tip

Choose a loopback interface as your source for NTP, because it will never go down. ACL statements will also be easier to write as you will require only one line to allow or deny traffic

Edmonton(config)# ntp peer 172.16.21.1 source loopback 0 prefer

Makes this peer the preferred peer that provides synchronization

Securing NTP

You can secure NTP operation using authentication and access lists.

Enabling NTP Authentication

NTPServer(config)# ntp authentication-key 1 md5 NTPpa55word

Defines an NTP authentication key

1 = number of authentication key. Can be a number between 1 and 4 294 967 295

md5 = using MD5 hash. This is the only option available on Cisco devices

NTPpa55word = password associated with this key

NTPServer(config)# ntp trusted-key 1

Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command

NTPServer(config)# ntp authenticate

Enables NTP authentication

NTPClient(config)# ntp authentication-key 1 md5 NTPpa55word

Defines an NTP authentication key

NTPClient(config)# ntp server 192.168.200.1 key 1

Defines the NTP server that requires authentication at address 192.168.200.1 and identifies the peer key number as key 1

NTPClient(config)# ntp trusted-key 1

Defines which keys are valid for NTP authentication. The key number here must match the key number you defined in the ntp authentication-key command

NTPClient(config)# ntp authenticate

Enables NTP authentication

Note

You can configure the device to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.

You can also control access to NTP services by using access lists. Specifically, you can decide the types of requests that the device allows and the servers from which it accepts responses. If you do not configure any ACLs, NTP access is granted to all devices. If you configure ACLs, NTP access is granted only to the remote device whose source IP address passes the access list criteria.

Note

Once a device is synchronized to an NTP source, it becomes an NTP server to any device that requests synchronization.

Limiting NTP Access with Access Lists

Edmonton(config)# access-list 1 permit 10.1.0.0 0.0.255.255

Defines an access list that permits only packets with a source address of 10.1.x.x

Edmonton(config)# ntp access-group peer 1

Creates an access group to control NTP access and applies access list 1. The peer keyword enables the device to receive time requests and NTP control queries and to synchronize itself to servers specified in the access list

Edmonton(config)# ntp access-group serve 1

Creates an access group to control NTP access and applies access list 1. The serve keyword enables the device to receive time requests and NTP control queries from the servers specified in the access list but not to synchronize itself to the specified servers

Edmonton(config)# ntp access-group serve-only 1

Creates an access group to control NTP access and applies access list 1. The serve-only keyword enables the device to receive only time requests from servers specified in the access list

Edmonton(config)# ntp access-group query-only 1

Creates an access group to control NTP access and applies access list 1. The query-only keyword enables the device to receive only NTP control queries from the servers specified in the access list

Note

NTP access group options are scanned from least restrictive to most restrictive in the following order: peer, serve, serve-only, query-only. However, if NTP matches a deny ACL rule in a configured peer, ACL processing stops and does not continue to the next access group option.

Verifying and Troubleshooting NTP

Edmonton# show ntp associations

Displays the status of NTP associations

Edmonton# show ntp associations detail

Displays detailed information about each NTP association

Edmonton# show ntp status

Displays the status of the NTP configuration. This command shows whether the router’s clock has synchronized with the external NTP server

Edmonton# debug ip packets

Checks to see whether NTP packets are received and sent

Edmonton# debug ip packet 1

Limits debug output to ACL 1

Edmonton# debug ntp adjust

Displays debug output for NTP clock adjustments

Edmonton# debug ntp all

Displays all NTP debugging output

Edmonton# debug ntp events

Displays all NTP debugging events

Edmonton# debug ntp packet

Displays NTP packet debugging; lets you see the time that the peer/server gives you in a received packet

Edmonton# debug ntp packet detail

Displays detailed NTP packet dump

Edmonton# debug ntp packet peer a.b.c.d

Displays debugging from NTP peer at address a.b.c.d

Setting the Clock on a Router

Note

It is important to have your routers display the correct time for use with time stamps and other logging features.

If the system is synchronized by a valid outside timing mechanism, such as an NTP server, or if you have a router with a hardware clock, you do not need to set the software clock. Use the software clock if no other time sources are available.

Edmonton# calendar set 16:30:00 23 October 2019

Manually sets the system hardware clock. Time is set using military (24-hour) format. The hardware clock runs continuously, even if the router is powered off or rebooted

Edmonton# show calendar

Displays the hardware calendar

Edmonton(config)# clock calendar-valid

Configures the system as an authoritative time source for a network based on its hardware clock

Note

Because the hardware clock is not as accurate as other time sources (it runs off of a battery), you should use this only when a more accurate time source (such as NTP) is not available

Edmonton# clock read-calendar

Manually reads the hardware clock settings into the software clock

Edmonton# clock set 16:30:00 23 October 2019

Manually sets the system software clock. Time is set using military (24-hour) format

Edmonton(config)# clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]

Edmonton(config)# clock summer-time zone date date month year hh:mm date month year hh:mm [offset]

Edmonton(config)# clock summer-time zone date month date year hh:mm month date year hh:mm [offset]

Configures the system to automatically switch to summer time (daylight saving time)

Note

Summer time is disabled by default

Arguments for the command are as follows:

zone: Name of the time zone (see Tables 11-5 and 11-6 for alternative ways to specify the time zone)

recurring: Indicates that summer time should start and end on the corresponding specified days every year

date: Indicates that summer time should start on the first specific date listed in the command and end on the second specific date in the command

week: (Optional) Week of the month (1 to 4 or last)

day: (Optional) Day of the week (Sunday, Monday, and so on)

date: Date of the month (1 to 31)

month: (Optional) Month (January, February, and so on)

year: Year (1993 to 2035)

hh:mm: (Optional) Time (military format) in hours and minutes

offset: (Optional) Number of minutes to add during summer time (default is 60)

Edmonton(config)# clock timezone zone hours-offset [minutes-offset]

Configures the time zone for display purposes. To set the time to Coordinated Universal Time (UTC), use the no form of this command

zone: Name of the time zone to be displayed when standard time is in effect

hours-offset: Hours difference from UTC

minutes-offset: (Optional) Minutes difference from UTC

Edmonton(config)# clock timezone PST -8

Configures the time zone to Pacific Standard Time, which is 8 hours behind UTC

Edmonton(config)# clock timezone NL -3 30

Configures the time zone to Newfoundland time for Newfoundland, Canada, which is 3.5 hours behind UTC

Edmonton# clock update-calendar

Updates the hardware clock from the software clock

Edmonton# show clock

Displays the time and date from the system software clock

Edmonton# show clock detail

Displays the clock source (NTP, hardware) and the current summer-time setting (if any)

Table 11-5 shows the common acronyms used for setting the time zone on a router.

TABLE 11-5 Common Time Zone Acronyms

Region/Acronym

Time Zone Name and UTC Offset

Europe

GMT

Greenwich Mean Time, as UTC

BST

British Summer Time, as UTC +1 hour

IST

Irish Summer Time, as UTC +1 hour

WET

Western Europe Time, as UTC

WEST

Western Europe Summer Time, as UTC +1 hour

CET

Central Europe Time, as UTC +1

CEST

Central Europe Summer Time, as UTC +2

EET

Eastern Europe Time, as UTC +2

EEST

Eastern Europe Summer Time, as UTC +3

MSK

Moscow Time, as UTC +3

MSD

Moscow Summer Time, as UTC +4

United States and Canada

AST

Atlantic Standard Time, as UTC –4 hours

ADT

Atlantic Daylight Time, as UTC –3 hours

ET

Eastern Time, either as EST or EDT, depending on place and time of year

EST

Eastern Standard Time, as UTC –5 hours

EDT

Eastern Daylight Time, as UTC –4 hours

CT

Central Time, either as CST or CDT, depending on place and time of year

CST

Central Standard Time, as UTC –6 hours

CDT

Central Daylight Time, as UTC –5 hours

MT

Mountain Time, either as MST or MDT, depending on place and time of year

MST

Mountain Standard Time, as UTC –7 hours

MDT

Mountain Daylight Time, as UTC –6 hours

PT

Pacific Time, either as PST or PDT, depending on place and time of year

PST

Pacific Standard Time, as UTC –8 hours

PDT

Pacific Daylight Time, as UTC –7 hours

AKST

Alaska Standard Time, as UTC –9 hours

AKDT

Alaska Standard Daylight Time, as UTC –8 hours

HST

Hawaiian Standard Time, as UTC –10 hours

Australia

WST

Western Standard Time, as UTC +8 hours

CST

Central Standard Time, as UTC +9.5 hours

EST

Eastern Standard/Summer time, as UTC +10 hours (+11 hours during summer time)

Table 11-6 lists an alternative method for referring to time zones, in which single letters are used to refer to the time zone difference from UTC. Using this method, the letter Z is used to indicate the zero meridian, equivalent to UTC, and the letter J (Juliet) is used to refer to the local time zone. Using this method, the international date line is between time zones M and Y.

TABLE 11-6 Single-Letter Time Zone Designators

Letter Designator

Word Designator

Difference from UTC

Y

Yankee

UTC –12 hours

X

X-ray

UTC –11 hours

W

Whiskey

UTC –10 hours

V

Victor

UTC –9 hours

U

Uniform

UTC –8 hours

T

Tango

UTC –7 hours

S

Sierra

UTC –6 hours

R

Romeo

UTC –5 hours

Q

Quebec

UTC –4 hours

P

Papa

UTC –3 hours

O

Oscar

UTC –2 hours

N

November

UTC –1 hour

Z

Zulu

Same as UTC

A

Alpha

UTC +1 hour

B

Bravo

UTC +2 hours

C

Charlie

UTC +3 hours

D

Delta

UTC +4 hours

E

Echo

UTC +5 hours

F

Foxtrot

UTC +6 hours

G

Golf

UTC +7 hours

H

Hotel

UTC +8 hours

I

India

UTC +9 hours

K

Kilo

UTC +10 hours

L

Lima

UTC +11 hours

M

Mike

UTC +12 hours

Using Time Stamps

Edmonton(config)# service timestamps

Adds a time stamp to all system logging messages

Edmonton(config)# service timestamps debug

Adds a time stamp to all debugging messages

Edmonton(config)# service timestamps debug uptime

Adds a time stamp along with the total uptime of the router to all debugging messages

Edmonton(config)# service timestamps debug datetime localtime

Adds a time stamp displaying the local time and the date to all debugging messages

Edmonton(config)# no service timestamps

Disables all time stamps

Configuration Example: NTP

Figure 11-4 shows the network topology for the configuration that follows, which demonstrates how to configure NTP using the commands covered in this chapter.

Images

Figure 11-4 Network Topology for NTP Configuration

Core1 Router

Core1(config)# ntp server 209.165.201.44

Configures router to synchronize its clock to a public NTP server at address 209.165.201.44

Core1(config)# ntp server 209.165.201.111

Configures router to synchronize its clock to a public NTP server at address 209.165.201.111

Core1(config)# ntp server 209.165.201.133

Configures router to synchronize its clock to a public NTP server at address 209.165.201.133

Core1(config)# ntp server 209.165.201.222

Configures router to synchronize its clock to a public NTP server at address 209.165.201.222

Core1(config)# ntp server 209.165.201.233 prefer

Configures router to synchronize its clock to a public NTP server at address 209.165.201.233. This is the preferred NTP server

Core1(config)# ntp max-associations 200

Configures the maximum number of NTP peer-and-client associations that the router will serve

Core1(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

Core1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day

Core1(config)# ntp master 10

Configures the router to serve as a master clock if the external NTP server is not available

Core1(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.223.1, which is the address of Loopback 0

Core1(config)# access-list 1 permit 127.127.1.1

Sets access 1 list to permit packets coming from 127.127.1.1

Core1(config)# access-list 2 permit 192.168.0.0 0.0.255.255

Sets access list 2 to permit packets coming from 192.168.x.x

Core1(config)# ntp access-group peer 1

Configures Core1 to peer with any devices identified in access list 1

Core1(config)# ntp access-group serve-only 2

Configures Core1 to receive only time requests from devices specified in the ACL
Core2 Router

Core2(config)# ntp server 209.165.201.44

Configures router to synchronize its clock to a public NTP server at address 209.165.201.44

Core2(config)# ntp server 209.165.201.111

Configures router to synchronize its clock to a public NTP server at address 209.165.201.111

Core2(config)# ntp server 209.165.201.133

Configures router to synchronize its clock to a public NTP server at address 209.165.201.133

Core2(config)# ntp server 209.165.201.222

Configures router to synchronize its clock to a public NTP server at address 209.165.201.222

Core2(config)# ntp server 209.165.201.233 prefer

Configures router to synchronize its clock to a public NTP server at address 209.165.201.233. This is the preferred NTP server

Core2(config)# ntp max-associations 200

Configures the maximum number of NTP peer-and-client associations that the router will serve

Core2(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

Core2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day

Core2(config)# ntp master 10

Configures the router to serve as a master clock if the external NTP server is not available

Core2(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.224.1, which is the address of Loopback 0

Core2(config)# access-list 1 permit 127.127.1.1

Sets ACL 1 to permit packets coming from 127.127.1.1

Core2(config)# access-list 2 permit 192.168.0.0 0.0.255.255

Sets ACL 2 to permit packets coming from 192.168.x.x

Core2(config)# ntp access-group peer 1

Configures Core2 to peer with any devices identified in ACL 1

Core2(config)# ntp access-group serve-only 2

Configures Core2 to receive only time requests from devices specified in the ACL
DLSwitch1

DLSwitch1(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.225.1, which is the address of Loopback 0

DLSwitch1(config)# ntp server 192.168.223.1

Configures DLSwitch1 to synchronize its clock to an NTP server at address 192.168.223.1

DLSwitch1(config)# ntp server 192.168.224.1

Configures DLSwitch1 to synchronize its clock to an NTP server at address 192.168.224.1

DLSwitch1(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

DLSwitch1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day
DLSwitch2

DLSwitch2(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.226.1, which is the address of Loopback 0

DLSwitch2(config)# ntp server 192.168.223.1

Configures DLSwitch2 to synchronize its clock to an NTP server at address 192.168.223.1

DLSwitch2(config)# ntp server 192.168.224.1

Configures DLSwitch2 to synchronize its clock to an NTP server at address 192.168.224.1

DLSwitch2(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

DLSwitch2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day
ALSwitch1

ALSwitch1(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.227.1, which is the address of Loopback 0

ALSwitch1(config)# ntp server 192.168.223.1

Configures ALSwitch1 to synchronize its clock to an NTP server at address 192.168.223.1

ALSwitch1(config)# ntp server 192.168.224.1

Configures ALSwitch1 to synchronize its clock to an NTP server at address 192.168.224.1

ALSwitch1(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

ALSwitch1(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day
ALSwitch2

ALSwitch2(config)# ntp source Loopback 0

Sets the source of all NTP packets to 192.168.228.1, which is the address of Loopback 0

ALSwitch2(config)# ntp server 192.168.223.1

Configures ALSwitch2 to synchronize its clock to an NTP server at address 192.168.223.1

ALSwitch2(config)# ntp server 192.168.224.1

Configures ALSwitch2 to synchronize its clock to an NTP server at address 192.168.224.1

ALSwitch2(config)# clock timezone EST -5

Sets time zone to Eastern Standard Time

ALSwitch2(config)# clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00

Configures the system to automatically switch to summer time and to repeat on the same day

Tool Command Language (Tcl)

Tcl shell is a feature that is built into Cisco routers and switches that allows engineers to interact directly with the device by using various Tcl scripts. Tcl scripting has been around for quite some time and is a very useful scripting language. Tcl provides many ways to streamline different tasks that can help with day-to-day operations and monitoring of a network. Some of the following are tasks that can be automated by using these scripts:

  • Verify IP and IPv6 reachability, using ping

  • Verify IP and IPv6 reachability, using traceroute

  • Check interface statistics

  • Retrieve SNMP information by accessing Management Information Base (MIB) objects

  • Send email messages containing CLI outputs from Tcl script

Most often, basic Tcl scripts are entered line by line within the Tcl shell, although, for some of the more advanced scripting methods, you can load the script into the flash of the device you are working on and execute the script from there using a command like source flash:ping.tcl from the Tcl shell.

A classic use case for Tcl scripting is when you need to perform network testing using ping. The following example shows the general syntax for a Tcl script:

Router# tclsh
Router(tcl)# foreach address {
+>(tcl)# 172.16.10.1
+>(tcl)# 172.16.10.2
+>(tcl)# 172.16.10.3
+>(tcl)# } { ping $address
+>(tcl)# }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2 timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/5 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
Router(tcl)# tclquit
Router#

This simple Tcl script automates a ping test to the 172.16.10.1, 172.16.10.2, and 172.16.10.3 addresses. Notice that the test executes as soon as you enter the closing brace

The tclsh command grants you access to the Tcl shell

The tclquit command returns you to privileged EXEC mode

Embedded Event Manager (EEM)

Embedded Event Manager is a flexible system designed to customize Cisco IOS, XR, and NX-OS. EEM allows you to automate tasks, perform minor enhancements, and create workarounds. Applets and scripting are two pieces of EEM. Applets are a collection of CLI commands, while scripts are actions coded in Tcl. Event detectors are used by EEM, and actions provide notifications of the events. EEM event detectors include SNMP object monitoring, syslog message monitoring, interface counter monitoring, CLI event monitoring, and IP SLA and NetFlow event monitoring.

EEM actions can include sending an email, executing a CLI command, generating an SNMP trap, reloading a device, and generating specific syslog messages.

Note

The following examples assume that the first command is typed in global configuration mode.

EEM Configuration Examples

EEM Example 1

The first EEM example shows an applet that monitors the GigabitEthernet 0/0/0 interface. If a syslog message indicates that its state has changed to administratively down, the applet is triggered, the interface is re-enabled, and an email is sent containing a list of users currently logged into the router.

Notice the use of the $_cli_result keyword in the email configuration. This means that the email body will include the output of any CLI commands that were issued in the applet. In this case, the output of the show users command will be included in the debug and the email message.

Click here to view code image

event manager applet interface_Shutdown
event syslog pattern "Interface GigabitEthernet 0/0/0, changed state
to administratively down"
action 1.0 cli command "enable"
action 1.5 cli command "config terminal"
action 2.0 cli command "interface gigabitethernet0/0/0"
action 2.5 cli command "no shutdown"
action 3.0 cli command "end"
action 3.5 cli command "show users"
action 4.0 mail server 209.165.201.1 to [email protected] from EEM@
cisco.com subject "ISP1 Interface GigabitEthernet0/0/0 SHUT." body
"Current users $_cli_result"
end
EEM Example 2

The second EEM example shows an applet that monitors the CLI for the debug ip packet command. When this pattern is matched, the applet will skip the command so that it does not take effect. The action list first enters the enabled mode and issues the show users | append flash:Debug command. This command will append the output from the show users command to the end of a file in flash called Debug. The next action will then append the current time stamp to the end of the file in flash named Debug_clock. By matching the order of the entries in both files you will have a list of the users that tried to enter the debug command and the date and time that the user attempted it.

Click here to view code image

event manager applet Stop_Debug
 event cli pattern "debug ip packet" sync no skip yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show users | append flash:Debug"
 action 3.0 cli command "show clock | append flash:Debug_clock"
end
EEM Example 3

The third EEM example shows an applet that matches a CLI pattern that starts with “wr”. When a match is detected, the applet is triggered. Cisco IOS prompting is disabled and a copy of the new startup-configuration file is backed up to a TFTP server. A syslog message is triggered confirming a successful TFTP file transfer. Notice that two environment variables were created and are used within the applet, one for the file name and one for the IP address.

Click here to view code image

event manager environment filename router.cfg
event manager environment tftpserver tftp://10.99.1.101/
event manager applet SAVE-to-TFTP
 event cli pattern "wr.*" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "file prompt quiet"
 action 4.0 cli command "end"
 action 5.0 cli command "copy start $tftpserver$filename"
 action 6.0 cli command "configure terminal"
 action 7.0 cli command "no file prompt quiet"
 action 8.0 syslog priority informational msg "Running-config saved
to NVRAM! TFTP backup successful."
EEM Example 4

The final example is more complex but demonstrates how powerful EEM applets can be. This example is based on the latest version of EEM (version 4). In this scenario, an IP SLA is configured to send an ICMP echo request every 10 seconds to address 209.165.201.1. IP SLA reaction alerts are enabled, which allows the IP SLA to send an alert after three consecutive timeouts. This triggers the EEM applet and a syslog message is displayed. Notice the use of the $_ipsla_oper_id variable. This is a built-in environment variable and returns the IP SLA number, which in this case is 1.

Click here to view code image

ip sla 1
 icmp-echo 209.165.201.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type consecutive 3
ip sla enable reaction-alerts
!

event manager applet IPSLA
 event ipsla operation-id 1 reaction-type timeout
 action 1.0 syslog priority emergencies msg "IP SLA operation
$_ipsla_oper_id to ISP DNS server has timed out"

EEM and Tcl Scripts

Using an EEM applet to call Tcl scripts is another very powerful aspect of EEM. This example shows how to manually execute an EEM applet that will, in turn, execute a Tcl script that is locally stored in the device’s flash memory. It is important to understand that there are many ways to use EEM and that manually triggered applets are also a very useful tool. The following example depicts an EEM script that is configured with the event none command. This means that there is no automatic event that the applet is monitoring, and that this applet will only run when it is triggered manually. To manually run an EEM applet, the event manager run command must be used, as illustrated at the router prompt. In this example, the ping_script.tcl file is a Tcl script similar to the one described earlier in this chapter.

Click here to view code image

event manager applet myping
 event none 
 action 1.0 cli command "enable" 
 action 1.1 cli command "tclsh flash:/ping_script.tcl"


Router# event manager run myping
Router#

Verifying EEM

Router# debug event manager action cli

Displays actual actions taking place when an applet is running

Router# show event manager policy registered

Displays all configured applets, their triggers and actions

Router# show event manager version

Displays the version of EEM that is supported in the Cisco IOS software
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.137.181.52