Cisco IOS: Trunking VLANs and subinterfaces.

So the usual way of connecting one network device to another is the physical approach – you plug both ends in, and that’s it. One service works over one physical cable, easy and uncomplicated. I love 1:1 relationships, life is simple.

Sometimes though, you end up having to connect several connections with only one physical cable – how does that work? We call it trunking, and this requires a little bit of configuration.

Let’s start with a sample scenario and work from there.

A router with two interfaces is required to provide an uplink to three separate services.

So we have:
1. FastEthernet0/0 as the uplink to the Internet, and
2. FastEthernet1/0 as the link to the three services.

There are three ports waiting to be connected on a patch panel, one for each service.

Here’s what we need:

  • Subinterfaces: Subinterfaces are required to be configured on the original physical interface.

    In our example, FastEthernet1/0 will have FastEthernet1/0.100, FastEthernet1/0.200 and FastEthernet1/0.300.

  • VLANs: VLANs are required to be allocated on your network, and configured on the subinterfaces – ISL or 802.1q, both work fine.

    Note: try to use the same number for the VLAN and subinterface – different numbers work fine, but I like to keep things simple.

    Therefore, we have FastEthernet1/0.100 using VLAN 100 on 802.1q, and the same for VLANs 200/300.

  • Switch trunk: We need a switch if there are multiple physical handoffs.

    There are three separate physical handoffs for three services, so we need a switch to connect to the handoffs. It doesn’t make sense for us to have one physical cable coming out of the router, then magically split itself into three connections.

    Every handoff requires a physical connection, so we need one port (configured as trunk) to handle the incoming router connection, and another three ports (configured as access) going to the various services.

Now that we have the concepts explained, let’s have a look at the actual configuration.

Router sample config


interface FastEthernet1/0.100
description Service A configured 29Aug2012 by K
encapsulation dot1Q 100
ip address 192.168.25.2 255.255.255.252
!
interface FastEthernet1/0.200
description Service B configured 29Aug2012 by K
encapsulation dot1Q 200
ip address 10.0.0.1 255.255.255.252
!
interface FastEthernet1/0.300
description Service C configured 29Aug2012 by K
encapsulation dot1Q 300
ip address 192.168.29.6 255.255.255.252
end

Switch sample config


interface FastEthernet0/1
description dot1q trunk from routerA configured 29Aug2012 by K
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100,200,300
switchport mode trunk
speed 100
!
interface FastEthernet0/2
description Handoff for service A configured 29Aug2012 by K
switchport access vlan 100
switchport mode access
!
interface FastEthernet0/3
description Handoff for service B configured 29Aug2012 by K
switchport access vlan 200
switchport mode access
!
interface FastEthernet0/4
description Handoff for service C configured 29Aug2012 by K
switchport access vlan 300
switchport mode access
!

Fairly simple, not rocket science by any stretch of imagination. Hope this helps, and feel free to comment.

CEF is cool.

When you have a lot of subinterfaces on your Cisco router, using ip cef and ip route-cache same-interface actually helps in reducing CPU interrupt utilisation. It dropped mine by about 10%, whew. Odd actually, because I actually disabled CEF earlier in the year due to increased CPU utilisation.

Cisco MRTG temperature graphing with the 7200 router

In a way, this post is a sequel to the previous MRTG tutorial I wrote. Then again, it’s slightly more specific towards the Cisco 7200 series router, so it wouldn’t be as applicable to everyone. If you are interested in graphing Cisco MRTG temperature though, read on.

Once again the disclaimer follows – I’m using Debian distribution 2.4.18-bf2.4.


#1 Knowing what’s good and what’s not

It’s not very useful to know the temperature if you don’t know what you’re looking out for.

Ambient operating temperature: Cisco advises a minimum of 32°F (0°C) and maximum of 104°F (40°C). 40 degrees Celsius doesn’t sound like it’s enough to cook the router though.

If we check the table displayed in our router’s CLI by going into exec mode:

Router#show environment table

We get:

Sample Point LowCritical LowWarning HighWarning HighCritical
I/O Cont Inlet 40C/104F 50C/122F
I/O Cont Outlet 43C/109F 53C/127F
NPE Inlet 75C/167F 75C/167F
NPE Outlet 50C/122F 60C/140F

Seems to be a wee bit higher than what the website said? Oh well, I guess it’s a good thing.


#2 Checking your router’s temperature the quick and easy way

Login to your router (telnet, console whatever) and go into exec mode.

Router#show environment all

I believe the display differs according to the NPE (Network Processing Engine) you’ve got, but this is what mine says.

Power Supplies:

Power Supply 1 is Zytek AC Power Supply. Unit is on.
Power Supply 2 is Zytek AC Power Supply. Unit is on.

Temperature readings:

I/O Cont Inlet measured at 25C/77F
I/O Cont Outlet measured at 27C/80F
NPE Inlet measured at 28C/82F
NPE Outlet measured at 29C/84F

Voltage readings:

+3.45 V measured at +3.50 V
+5.15 V measured at +5.25 V
+12.15 V measured at +12.39 V
-11.95 V measured at -11.85 V

Envm stats saved 94 time(s) since reload

The bolded section’s what we want, period.


#3 Using MRTG to plot your router’s temperature

Takes a bit more effort, but at least you’ve got some historical data to rely on for comparison. Plus, you don’t have to keep logging into your router to check!

We can’t use cfgmaker this time round as it takes a bit of typing to get things done.
Here’s a sample .cfg template of what I used:

Target[router.temp]:1.3.6.1.4.1.9.9.13.1.3.1.3.1&1.3.6.1.4.1.9.9.13.1.3.1.3.2:CommunityName@RouterIP
Directory[router.temp]: temperature
WithPeak[router.temp]: wmy
YLegend[router.temp]: Degrees C
ShortLegend[router.temp]: °C
MaxBytes[router.temp]: 50
Options[router.temp]: nopercent, growright, gauge
Unscaled[router.temp]: dwmy
AbsMax[router.temp]: 50
Title[router.temp]: Router
Colours[router.temp]: GREEN#00eb0c,BLUE#1000ff,BLUE#1000ff,VIOLET#ff00ff
Legend1[router.temp]: Average 1 minute Inlet Temperature
Legend2[router.temp]: Average 1 minute Outlet Temperature
Legend3[router.temp]: Average 5 minute Inlet Temperature
Legend4[router.temp]: Average 5 minute Outlet Temperature
LegendI[router.temp]:  Inlet:
LegendO[router.temp]:  Outlet:
PageTop[router.temp]: <H1> Router temperature - Degrees C<BR></H1>
<TABLE>
<TR><TD>System:</TD><TD>Router</TD></TR>
<TR><TD>Maintainer:</TD><TD>Admin</TD></TR>
</TABLE>

There’s actually four points of temperature measurement for the 7200, but since we only need two for the MRTG, I used the inlet temperature and one of the outlets, which makes more sense than checking the temperature of two outlets.

OIDs for the four points are as follow:


Inlet .1.3.6.1.4.1.9.9.13.1.3.1.3.1
Outlet 1 .1.3.6.1.4.1.9.9.13.1.3.1.3.2
Outlet 2 .1.3.6.1.4.1.9.9.13.1.3.1.3.3
Outlet 3 .1.3.6.1.4.1.9.9.13.1.3.1.3.4

Follow up with the usual steps to creating the index and populating the cron job (refer to my previous MRTG article), and we should be done.


Credits for the solution goes to a whole ton of Googled results, and I sort of lost track along the way after reading numerous websites. One of the major help sites is the MRTG mailing list, and the people there are seriously good.

I hope this post helps some other poor soul out there who’s trying to do the same thing, and here’s to you saving two hours of research on doing up a Cisco MRTG temperature graph for your router.

Cisco IOS: password recovery notes

I’m pretty sure any CCNA worth his salt has this procedure down pat, but here’s a summary with things to remember if you’re too lazy to plow through Cisco.

1. Reboot the router, have your console terminal all connected and ready.

2. Send break signal to the router before the POST – on Teraterm this means Alt-B or click on Control then Send break

3. Alter the configuration register value to ignore NVRAM contents.

confreg 0x2142

4. Reboot the router again, so that you can boot into the router without a need for password.

5. Don’t get this command wrong after you enter privilege exec:

copy start run

Doing the reverse means a dump of an empty config onto your router. We are trying to edit the startup configuration, not overwrite the startup with the running (which is empty!).

6. Change the console and secret, change the configuration register back to default value.

config terminal

line con 0

password NEWPASSWORD

exit

enable secret NEWSECRET

configuration-register 0x2102

end

Don’t forget to write your new passwords down.

7. Save the configuration.

copy run start

8. Reboot the router, and enjoy.

Cisco IOS: switch configuration – limiting bandwidth and enabling SNMP

Here’s a couple more mini-guides to Cisco IOS configuration, this time round for the switches. As always, these are just tips for my own reference and sharing to the general community.

#1 How would you limit the bandwidth on a switch port?

Edit: this configuration doesn’t seem to be that simple, because it’s not working very well on my 3560 now. I’ll put up another post specifically for 3560 QoS soon as I finish reading the Cisco tech note.

Edit #2: It turns out everything works as stated, except for the minor fact that the command slows your interface down.

Go into interface configuration mode, on the port you are making changes on.

switch(config-if)#srr-queue bandwidth ?
limit Configure bandwidth-limit for this interface
shape Configure shaping on transmit queues
share Configure shared bandwidth

These is what the IOS help is showing; you can see that there are more options than merely limiting the bandwidth.

switch(config-if)#srr-queue bandwidth limit ?
enter bandwidth limit for interface as percentage

The percentage value range that should be entered, ranging from 10 to 90. The default is 100.

Therefore, a workaround to limit the switch port’s speed to 5mbps would be to do the following instead:

switch(config-if)#speed 10

switch(config-if)#srr-queue bandwidth limit 50

*Remember that this will slow your interface down, as it’s reduced from a 100mbps interface to a 10mbps interface instead.


#2 How would you enable SNMP on a switch (or router)?

Go into configuration mode.

switch(config)#snmp-server ?
chassis-id String to uniquely identify this chassis
community Enable SNMP; set community string and access privs
contact Text for mib object sysContact
context Create/Delete a context apart from default
enable Enable SNMP Traps or Informs
engineID Configure a local or remote SNMPv3 engineID
group Define a User Security Model group
host Specify hosts to receive SNMP notifications
ifindex Enable ifindex persistence
inform Configure SNMP Informs options
ip IP ToS configuration for SNMP traffic
location Text for mib object sysLocation
manager Modify SNMP manager parameters
packetsize Largest SNMP packet size
queue-length Message queue length for each TRAP host
system-shutdown Enable use of the SNMP reload command
tftp-server-list Limit TFTP servers used via SNMP
trap SNMP trap options
trap-source Assign an interface for the source address of all traps
trap-timeout Set timeout for TRAP message retransmissions
user Define a user who can access the SNMP engine
view Define an SNMPv2 MIB view

As you can see, SNMP has a bucketful of options so we would delve too deep here; the keyword we’re interested in is community.

switch(config)#snmp-server community ?
WORD SNMP community string

We’re supposed to enter the community string here, the basic workings of SNMP will not be reiterated here.

switch(config)#snmp-server community TESTread ?
Std IP accesslist allowing access with this community string
Expanded IP accesslist allowing access with this community string
WORD Access-list name
ro Read-only access with this community string
rw Read-write access with this community string
view Restrict this community to a named MIB view

You can see that there are ways to limit access to your community string here, as well as read/write privileges.

For the quick fix answer, here’s an easy default configuration.

switch(config)#snmp-server community TESTread ro

SNMP community string TESTread, and read-only (ro) privileges.

Additional tidbits in configuration optional SNMP information on the device:

switch(config)# snmp-server contact Kein Engineer 1234-1234-1234
switch(config)# snmp-server location Melbourne
switch(config)# snmp-server chassis-id Cisco3500-SW

Any other interesting need-to-know commands you’d like to share?

Cisco IOS: scheduled task options – kron and Kiwi CatTools

There was a need to run a command at midnight on the first of every month on the 7200 router, so I began researching on ways and means to accomplish it.

Option #1: kron
Many of us have probably heard of cron from the Linux/Unix operating system, and kron is Cisco’s IOS CLI (command-line interface) version of it. Basically you define a policy-list, which contains the commands that you want to run.

Router(config)# kron policy-list displayCONFIG
Router(config-kron-policy)# show run
Router(config-kron-policy)# exit

The above example does nothing but a show running-configuration, which of course does nothing helpful at all.

After that, you create a kron, which is the scheduler that runs the task on a defined timeframe.

Router(config)# kron occurrence TEST at 00:00 Mon recurring
Router(config-kron-occurrence)# policy-list displayCONFIG

This sets the ocurrence (named TEST) to run the policy-list (named displayCONFIG) at midnight on Monday everyday.

Router(config)#kron occurrence TEST at 00:00 ?
Day of month
DAY Day of Week eg mon, tue, etc
MONTH Month of year eg jan, feb, etc
oneshot Schedule kron occurrence exactly once
recurring Schedule kron occurrence repeatedly

As you can see, there are a variety of options that you can play with to set your desired schedule.

Drawback: however, there is a main drawback to using kron: configuration commands are not allowed. That sort of takes all the fun out of it, as I can imagine.

Option #2: Kiwi CatTools
Although not a proprietary Cisco product, Kiwi CatTools proves to have required functionality that is needed to run a scheduled task at a required time. Best of all? It’s fully functional even in the freeware version; licensed copies get to control more devices.


After starting the program up, you add a device.


Enter the required passwords.


Add an activity.


Enter the time required.


Enter the required commands.

And you’re all set to do a test run after that. All in all, a pretty nifty tool.

Drawback: as you would have noticed from the time interface, the existing interface options do not allow you to schedule tasks on the Xth of each month. Here’s what a Kiwi rep replied when I emailed them last week.

Hi Kein,

Thanks for your enquiry regarding CatTools.

At present, there is no easy way to setup a monthly activity apart from (as you may have found already) setting up an activity is a custom schedule.
To set up a monthly custom schedule, you enter in the time (or times) you want the activity to run in the ‘Custom schedule’ box; and then in the Dates box you Add a line for the 1st day of each month.

e.g. ‘Include’ ‘Start date’ = 1/01/2008 ‘End date’ = 1/01/2008

Repeat, adding a line for each of the 1st day of the month.

As this isn’t the nicest or most practical of solutions to adding a monthly activity, we have added a task to the project enhancements list to overhaul the whole scheduler.
I’m afraid however that at this point in time, there is no firm date as to when we will be looking at revising the scheduler, mainly because there are many other tasks that the scheduler would be dependent on, which need to be completed and rolled out first.

Kind regards,

Steve Welsh
Kiwi Enterprises

I’ll be keeping an eye out for this added feature, but until then Kiwi CatTools works fine.

Cisco IOS: 7200 series router – dumping the IOS

[Cisco 7200 Series Routers] – ^tt^ on Flickr, 27 Oct ’07.

I was fiddling around with a Cisco 7204 VXR yesterday, wondering how the hell it was supposed to work without an IOS. (The vendor blandly admitted that his new warehouse manager stuffed it up.) After a bit of reading, I concluded that I had to get the IOS into the PCMCIA flash card somehow.

Option 1: rip the IOS off the existing router. Troublesome; not within walking distance and no car.
Option 2: download the IOS and ram it into the card somehow. I had no idea on how this could be done.

I was about to resign myself to option 1 when the answer finally appeared: I could just download the IOS off the Cisco site, plug the card into my laptop and transfer it over.

(Incase you were wondering why I didn’t think of that: I thought the file systems weren’t compatible, which was why I hadn’t tried.)

So I copied it into the card, stuffed it into the slot0 on my router and rebooted it. And all was good after that. Just remember to format the card before that:

Router# format slot0: