Showing posts with label ios feature set.

Monday, January 26, 2009

RSH/RCP - quick and easy

This is one of those topics that probably won't be in the exam, but it can't hurt to learn it if it's easy enough.

On R3, I have:

R3#sho run | inc rcmd
ip rcmd remote-username R3
ip rcmd source-interface Loopback0


On R5, I have:

R5#sho run | inc rcmd
ip rcmd rsh-enable
ip rcmd remote-host cisco 172.16.0.3 R3 enable
ip rcmd source-interface Loopback0


On R3:
R3#rsh 172.16.0.5 /user cisco sho run int lo0

Building configuration...

Current configuration : 63 bytes
!
interface Loopback0
ip address 172.16.0.5 255.255.255.255
end

R3#

Now let's do some RCP file copying:

R5(config)#ip rcmd rcp-enable
R5(config)#^Z
R5#copy run r5test.txt
Destination filename [r5test.txt]?
Erase flash: before copying? [confirm]n
Verifying checksum... OK (0xFD5B)
2714 bytes copied in 4.856 secs (559 bytes/sec)
Rack1R5#

Copy from R3:

R3#copy rcp://cisco@172.16.0.5/R5test.txt flash:
Destination filename [R5test.txt]?
Accessing rcp://cisco@172.16.0.5/R5test.txt...
Erase flash: before copying? [confirm]n!
Verifying checksum... OK (0xFD5B)
2714 bytes copied in 0.644 secs (4214 bytes/sec)
R3#


Key things to remember:


-The server-side "ip rcmd remote-host" command carries two names
-The first one must match the /user value on the client
-The second one must match the client's hostname, or the client's "ip rcmd remote-username" if that is configured
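To make the matching rules above concrete, here is a small model of the server-side decision, written as an added example (it is not IOS code and not from the post). It parses R5's rcmd lines as quoted above and answers whether a request is honoured. It assumes that R3's Loopback0, the source-interface in its config, is 172.16.0.3 (the address R5's remote-host entry names), and that the "enable" keyword is what allows privileged commands such as "show run"; the function names are mine.

```python
"""Model of how an IOS rsh server applies its "ip rcmd remote-host" entries.

Added illustration, not IOS code. The three things the server checks are the
ones the post lists: the /user name, the source address, and the remote
user name (client hostname or its "ip rcmd remote-username").
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Server-side lines, quoted from R5's configuration in the post.
R5_CONFIG = """\
ip rcmd rsh-enable
ip rcmd remote-host cisco 172.16.0.3 R3 enable
ip rcmd source-interface Loopback0
"""

_REMOTE_HOST = re.compile(
    r"^ip rcmd remote-host (?P<local>\S+) (?P<ip>\S+) (?P<remote>\S+)(?P<enable> enable)?$"
)


@dataclass(frozen=True)
class RemoteHostEntry:
    local_user: str   # name the client must present with /user
    client_ip: str    # source address the request must arrive from
    remote_user: str  # client hostname or its "ip rcmd remote-username"
    enable: bool      # "enable" keyword: privileged commands allowed


def parse_rcmd(config: str) -> Tuple[bool, List[RemoteHostEntry]]:
    """Return (rsh_enabled, remote-host entries) from rcmd config lines."""
    enabled = False
    entries: List[RemoteHostEntry] = []
    for line in config.splitlines():
        line = line.strip()
        if line == "ip rcmd rsh-enable":
            enabled = True
            continue
        m = _REMOTE_HOST.match(line)
        if m:
            entries.append(
                RemoteHostEntry(m["local"], m["ip"], m["remote"], bool(m["enable"]))
            )
    return enabled, entries


def authorize(config: str, src_ip: str, user: str, remote_user: str,
              privileged: bool) -> bool:
    """Decide whether an rsh request is accepted by a server with this config.

    src_ip      - source address of the request (assumed: R3's Loopback0 = 172.16.0.3)
    user        - the value the client passed with /user
    remote_user - the client's hostname, or its remote-username if configured
    privileged  - True if the command needs enable mode (e.g. "show run")
    """
    enabled, entries = parse_rcmd(config)
    if not enabled:
        return False
    for e in entries:
        if (e.local_user, e.client_ip, e.remote_user) == (user, src_ip, remote_user):
            # Without the "enable" keyword only user-level commands are allowed.
            return e.enable or not privileged
    return False


if __name__ == "__main__":
    # The request the post makes: rsh 172.16.0.5 /user cisco sho run int lo0
    print(authorize(R5_CONFIG, "172.16.0.3", "cisco", "R3", privileged=True))
```

Everything the decision rests on (source address, /user value, remote user name) is supplied by the client in the clear and is never authenticated, which is why the two names and the source-interface have to line up exactly for the request to be honoured, and why a mismatch in any of them is all that stands between a host and enable-level command execution.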

Friday, January 16, 2009

SNAT: Making it work?

This is a poorly documented feature and I really just played around with it until I got it to work. If you see anything missing or unnecessary, please comment. The one thing I worry about is I am using secondary addresses which may or may not be allowed in the lab. If you know another way, PLEASE let me know. Other than that, it was all kind of patchwork but it does the job :-)

Here is the topology:


R6 will be our test host, which will telnet to R4 at 4.4.4.4. If all goes well, after we shut the link from R1 to R2 (which is HSRP Active), R6's session will stay up. We will then look at the NAT translation table on R2 and R3.

Here is the configuration for R2:

interface FastEthernet0/0
ip address 10.0.0.2 255.255.255.0
ip nat inside
standby 1 ip 10.0.0.1
standby 1 priority 105
standby 1 preempt
standby 1 name SNAT
standby 1 track Serial1/0

interface Serial1/0
ip address 172.12.23.202 255.255.255.0 secondary
ip address 172.12.12.2 255.255.255.0
ip nat outside

ip nat Stateful id 1
redundancy SNAT
mapping-id 10

ip nat pool POOL 172.12.23.1 172.12.23.254 prefix-length 24
ip nat inside source list LAN pool POOL mapping-id 10 overload


R3 is pretty much the same except for the IP addresses:

interface FastEthernet0/0
ip address 10.0.0.3 255.255.255.0
ip nat inside
standby 1 ip 10.0.0.1
standby 1 preempt
standby 1 name SNAT
standby 1 track Serial1/0

interface Serial1/0
ip address 172.12.23.203 255.255.255.0 secondary
ip address 172.12.13.3 255.255.255.0
ip nat outside

ip nat Stateful id 1
redundancy SNAT
mapping-id 10

ip nat pool POOL 172.12.23.1 172.12.23.254 prefix-length 24
ip nat inside source list LAN pool POOL mapping-id 10 overload


I had to put secondary addresses on the serial links. These routers need to share an address space so they can use the same address to translate and so R1 and R4 know how to reach the translated address range. This secondary address range is being advertised in OSPF:

R1#sho ip route 172.12.23.0
Routing entry for 172.12.23.0/24
Known via "ospf 1", distance 110, metric 128, type intra area
Last update from 172.12.12.2 on Serial1/0, 00:07:58 ago
Routing Descriptor Blocks:
* 172.12.13.3, from 172.12.35.3, 00:07:58 ago, via Serial1/1
Route metric is 128, traffic share count is 1
172.12.12.2, from 2.2.2.2, 00:07:58 ago, via Serial1/0
Route metric is 128, traffic share count is 1


Also note that the HSRP group name "SNAT" is referenced in the stateful NAT configuration. The mapping ID is then referenced in the NAT statement itself.

Let's telnet from R6 to R4; first we will verify that we route through R2:

R6#telnet R4
Translating "R4"
% Unknown command or computer name, or unable to find computer address
R6#telnet 4.4.4.4
Trying 4.4.4.4 ... Open

R4#
R4#!here we are!

Shut the interface on R1 to R2:

R1(config)#int s1/0
R1(config-if)#shut


Check back on R4. This may take awhile because HSRP still has to failover:

R4#
R4#
R4#!Hey we're still alive!
R4#
R4#exit

[Connection to 4.4.4.4 closed by foreign host]
R6#trace 4.4.4.4

Type escape sequence to abort.
Tracing the route to 4.4.4.4

1 10.0.0.3 56 msec 48 msec 60 msec
2 172.12.13.1 132 msec 68 msec 104 msec
3 172.12.14.4 148 msec * 184 msec

We are going through R3! If we did not have SNAT, our session would have dropped when R4 noticed that our address had changed.

Let's look at our address translations:

R2#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 172.12.23.5:37518 10.0.0.6:37518 4.4.4.4:33441 4.4.4.4:33441
udp 172.12.23.5:39661 10.0.0.6:39661 4.4.4.4:33442 4.4.4.4:33442
udp 172.12.23.5:42398 10.0.0.6:42398 4.4.4.4:33437 4.4.4.4:33437
udp 172.12.23.5:36656 10.0.0.6:36656 4.4.4.4:33439 4.4.4.4:33439
udp 172.12.23.5:39090 10.0.0.6:39090 4.4.4.4:33438 4.4.4.4:33438
udp 172.12.23.5:35099 10.0.0.6:35099 4.4.4.4:33440 4.4.4.4:33440

R3#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
udp 172.12.23.5:37518 10.0.0.6:37518 4.4.4.4:33441 4.4.4.4:33441
udp 172.12.23.5:39661 10.0.0.6:39661 4.4.4.4:33442 4.4.4.4:33442
udp 172.12.23.5:42398 10.0.0.6:42398 4.4.4.4:33437 4.4.4.4:33437
udp 172.12.23.5:36656 10.0.0.6:36656 4.4.4.4:33439 4.4.4.4:33439
udp 172.12.23.5:39090 10.0.0.6:39090 4.4.4.4:33438 4.4.4.4:33438
udp 172.12.23.5:35099 10.0.0.6:35099 4.4.4.4:33440 4.4.4.4:33440
R3#


Exactly the same! I have no idea where these ports came from, but let's watch the interaction between R2 and R3 more closely.
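Eyeballing two translation tables works for six rows; the check that SNAT actually replicated state is easier to trust when it is done by a script. The following is an added example, not part of the post: it parses the "show ip nat translations" output from each peer and diffs the two sets of entries. The two tables are the ones R2 and R3 printed above; the third, with one row dropped, is constructed to show what an out-of-sync standby looks like. Note that in every row the port on the inside global address is the same as the inside local port, which the helper at the end checks.

```python
"""Compare "show ip nat translations" from two SNAT peers.

Added example, not from the post. Parses each router's output into a set of
five-column translation rows and reports which entries the standby is missing
or holds in excess of the active peer.
"""
from typing import Dict, List, NamedTuple, Set


class Translation(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


# Output quoted from the post (R2 and R3 after the failover).
R2_TABLE = """\
Pro Inside global Inside local Outside local Outside global
udp 172.12.23.5:37518 10.0.0.6:37518 4.4.4.4:33441 4.4.4.4:33441
udp 172.12.23.5:39661 10.0.0.6:39661 4.4.4.4:33442 4.4.4.4:33442
udp 172.12.23.5:42398 10.0.0.6:42398 4.4.4.4:33437 4.4.4.4:33437
udp 172.12.23.5:36656 10.0.0.6:36656 4.4.4.4:33439 4.4.4.4:33439
udp 172.12.23.5:39090 10.0.0.6:39090 4.4.4.4:33438 4.4.4.4:33438
udp 172.12.23.5:35099 10.0.0.6:35099 4.4.4.4:33440 4.4.4.4:33440
"""

R3_TABLE = """\
Pro Inside global Inside local Outside local Outside global
udp 172.12.23.5:37518 10.0.0.6:37518 4.4.4.4:33441 4.4.4.4:33441
udp 172.12.23.5:39661 10.0.0.6:39661 4.4.4.4:33442 4.4.4.4:33442
udp 172.12.23.5:42398 10.0.0.6:42398 4.4.4.4:33437 4.4.4.4:33437
udp 172.12.23.5:36656 10.0.0.6:36656 4.4.4.4:33439 4.4.4.4:33439
udp 172.12.23.5:39090 10.0.0.6:39090 4.4.4.4:33438 4.4.4.4:33438
udp 172.12.23.5:35099 10.0.0.6:35099 4.4.4.4:33440 4.4.4.4:33440
R3#
"""

# Constructed: a standby that never received the last entry.
STANDBY_MISSING_ONE = "\n".join(R2_TABLE.splitlines()[:-1]) + "\n"


def parse_translations(text: str) -> Set[Translation]:
    """Collect dynamic translation rows; skip the prompt, header and blanks."""
    rows: Set[Translation] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.add(Translation(*parts))
    return rows


def compare_peers(active_text: str, standby_text: str) -> Dict[str, object]:
    """Diff the active peer's entries against the standby's."""
    active = parse_translations(active_text)
    standby = parse_translations(standby_text)
    return {
        "in_sync": active == standby,
        "missing_on_standby": sorted(active - standby),
        "extra_on_standby": sorted(standby - active),
    }


def port_preserved(t: Translation) -> bool:
    """True when the inside global port equals the inside local port."""
    return t.inside_global.rsplit(":", 1)[1] == t.inside_local.rsplit(":", 1)[1]


if __name__ == "__main__":
    print(compare_peers(R2_TABLE, R3_TABLE))
    print(compare_peers(R2_TABLE, STANDBY_MISSING_ONE))
```

Run it against the output of the active and standby peers after every failover test; a non-empty "missing_on_standby" list means sessions that would be reset on the next switchover.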

R2#clear ip nat translation *
R3#clear ip nat translation *

R6#telnet 4.4.4.4
Trying 4.4.4.4 ... Open

R4#


Here we go:

R2#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.23.6:47684 10.0.0.6:47684 4.4.4.4:23 4.4.4.4:23

R3#sho ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.12.23.6:47684 10.0.0.6:47684 4.4.4.4:23 4.4.4.4:23


Some more commands:

R2#sho ip snat distributed
Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.0.0.2
: Local NAT id 1
: Peer Address 10.0.0.3
: Peer NAT id 1
: Mapping List 10


R3#sho ip snat distributed

Stateful NAT Connected Peers

SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.0.0.3
: Local NAT id 1
: Peer Address 10.0.0.2
: Peer NAT id 1
: Mapping List 10
R3#

R3 has already been updated and is ready to take over when needed.

Monday, December 15, 2008

DHCP Snooping - missing command?

I was having a hard time with this a while ago because I could not get an address even when I enabled "trust" on the server port. However, after looking through the PG on Mock Lab 3 and discussion in the cisco channel on freenode I found out the issue.

I needed this command on the server:

R2(config)#int e0/0
R2(config-if)#ip dhcp relay information trusted


Now my binding database is populated after about 9 months!

SW1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:07:EB:14:4F:81 192.168.12.1 86312 dhcp-snooping 12 FastEthernet0/1
Total number of bindings: 1

SW1#

Saturday, December 13, 2008

Auto-install, eh?

While doing IPexpert Volume 2 Section 13 I ran into a task that said:

"There is a high chance you will be replacing your current R4 router with another high-end router. The admin of R4 has saved its configuration on a TFTP server whose IP address is 136.10.12.100. Make sure the new router will automatically configure itself."

So I started browsing through the DocCD for auto-install when it hit me...how exactly is this supposed to work? Not knowing the exact details about auto-install, I knew that this should be a simple task since it was only 1 point.

Well, the new router needs to know about address 136.10.12.100 somehow...but when it has no config it has no address. What I figured was that the new router will send a broadcast on its frame-relay interface, which happens to connect to R2. In fact, the 136.10.12.100 network is also on R2's ethernet interface.

So I configured a helper address on R2's frame-relay interface pointing to 136.10.12.100. The PG agreed! 1 task, 1 command, 1 point :-)

Saturday, November 29, 2008

Mobile ARP

Well seeing as how I just missed a 4-point task on mobile ARP, I thought now was a good time to learn it. It's actually very simple and pretty cool once you get it working.

Topology is a little confusing so here it is in 2 parts:

PHYSICAL:

R1---CAT1===dot1q===CAT2---R8

LOGICAL:

VLAN 100---R1---R2---R5---R7---R8---VLAN 200

The task says that users on R8's LAN occasionally move over to R1's LAN. They still need access to the network. What we do is configure R1 to listen for ARP packets from R8's subnet (VLAN 200).

We can test this by creating an SVI for VLAN 100 and giving it an IP in R8's subnet. When it tries to contact anyone, we will see a mobile route appear in R1's route table. This route then gets redistributed into the routing protocol (OSPF in this case). It appears as a /32 route so the longer match wins over any other route advertisement of VLAN 200.

All configuration is on R1:

1) CREATE THE ACL

R1(config)#access-list 8 permit 172.31.80.0 0.0.0.255


2) CONFIGURE MOBILE ARP ON INTERFACE

R1(config)#interface f0/0
R1(config-if)# ip mobile arp access-group 8



3) REDISTRIBUTE

R1(config)#router ospf 1
R1(config-router)# redistribute mobile subnets



4) VERIFY

Create an SVI on VLAN 100 with a VLAN 200 IP address:

CAT1(config)#int vlan 100
CAT1(config-if)#ip address 172.31.80.100 255.255.255.0
CAT1(config-if)#^Z
CAT1#ping 172.31.80.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.80.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/219/1016 ms


Run debug and show commands on R1:

R1#debug ip mobile
IP mobility events debugging is on
Nov 29 21:17:14.138: Local MobileIP: route add 172.31.80.100

R1#show ip route mobile
172.31.0.0/16 is variably subnetted, 11 subnets, 6 masks
M 172.31.80.100/32 [3/1] via 172.31.80.100, 00:11:05, FastEthernet0/1
R1#


Traceroute shows how many hops we are actually going through:

CAT1#trace 172.31.80.8

Type escape sequence to abort.
Tracing the route to 172.31.80.8

1 172.31.10.1 4 msec 4 msec 0 msec
2 172.31.12.2 0 msec 4 msec 0 msec
3 172.31.100.5 12 msec 8 msec 12 msec
4 172.31.200.7 12 msec 8 msec 12 msec
5 172.31.78.8 12 msec * 8 msec
CAT1#
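The two pieces that make this work are the access-group deciding which ARP senders count as mobile hosts, and longest-prefix matching preferring the /32 mobile route over the /24 for VLAN 200. The following is an added toy model of both (it is not IOS code and not from the post). It uses access-list 8 and the 172.31.80.100/32 route from the post; the 172.31.12.2 next hop toward R2 is the second hop in the traceroute above, while the interface names on the two starting routes and the function names are assumptions.

```python
"""Toy model of "ip mobile arp access-group" plus longest-prefix matching.

Added example, not IOS code. A router learns a mobile host from an ARP packet
whose sender address passes the access-group, installs a /32 "M" route, and
forwarding for that one host then follows the /32 while the rest of VLAN 200
still follows the /24 learned through OSPF.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    code: str                        # "C" connected, "O" OSPF, "M" mobile
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]
    interface: str


# From the post: access-list 8 permit 172.31.80.0 0.0.0.255
MOBILE_ARP_ACL = ipaddress.ip_network("172.31.80.0/24")


def initial_routes() -> List[Route]:
    """R1's table before any mobile host shows up (interface names assumed)."""
    return [
        Route("C", ipaddress.ip_network("172.31.10.0/24"), None, "FastEthernet0/0"),
        Route("O", ipaddress.ip_network("172.31.80.0/24"), "172.31.12.2", "Serial0/0"),
    ]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    d = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def learn_mobile_host(routes: List[Route], arp_sender_ip: str,
                      ingress_interface: str) -> bool:
    """Install a /32 mobile route if the ARP sender is inside the permitted range."""
    ip = ipaddress.ip_address(arp_sender_ip)
    if ip not in MOBILE_ARP_ACL:
        return False  # access-list 8 does not permit this sender
    host = ipaddress.ip_network(f"{arp_sender_ip}/32")
    if any(r.code == "M" and r.prefix == host for r in routes):
        return True   # already learned
    routes.append(Route("M", host, arp_sender_ip, ingress_interface))
    return True


def demo():
    """Replay the post's test: before and after CAT1 (172.31.80.100) ARPs on R1."""
    routes = initial_routes()
    before = lookup(routes, "172.31.80.100")
    learn_mobile_host(routes, "172.31.80.100", "FastEthernet0/1")
    after = lookup(routes, "172.31.80.100")
    other = lookup(routes, "172.31.80.8")      # R8 itself is still reached via R2
    return before.code, after.code, after.interface, other.code


if __name__ == "__main__":
    print(demo())   # ('O', 'M', 'FastEthernet0/1', 'O')
```

The access-group is the only thing limiting which addresses a host on R1's LAN can claim through ARP, so it should be as tight as the set of subnets whose hosts genuinely roam; a broad list would let any station on that segment attract a /32 for any address it ARPs from.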

Saturday, November 8, 2008

Logging XML - A short DocCD adventure

I had a task today in IPexpert volume 2 section 7 that asked me to configure R5 such that while I am telnetted into it, it will display error messages in XML. huh?

I had no idea what command this was and while it turned out to be simple here's how I found it:

1. Main DocCD URL:
http://www.cisco.com/web/psa/products/index.html

2. Select Cisco IOS Software > 12.4 > 12.4 Mainline

3. Master Index

4. Cisco IOS Master Command List, All Releases

5. Now here is where I used the browser search to look for XML in EACH page (didn't take but 1 minute). By the time I got to the section labeled "is-type through mwi-server" I had found the following commands:

logging buffered xml
logging console xml
logging monitor xml

Which one is it? Well, it's not buffered because we want the logs displayed on the screen. And it's probably not console because we are going to be logged in through the vty. So I used logging monitor xml and then tested:

R5(config)#logging monitor xml

From any other router:

R1#
R1#telnet 192.168.5.5
Trying 192.168.5.5 ... Open


User Access Verification

Password:
R5>en
Password:
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int f0/1
R5(config-if)#shut
R5(config-if)#

hmm...nothing...oh wait!

R5(config-if)#
R5(config-if)#exit
R5(config)#exit
R5#term mon
R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int f0/1
R5(config-if)#no shut
R5(config-if)#
LINK3UPDOWNFastEthernet0/1up

That's better!

Saturday, October 18, 2008

Config mode lock - auto and manual

I stumbled upon this command while browsing the DocCD. It allows you to lock global configuration mode so that only one user can access it at a time. Here is how it works.

R6-----R7

On R6 we have the following:

R6(config)#configuration mode exclusive auto
R6(config)#username cisco pass cisco
R6(config)#line vty 0 4
R6(config-line)#login local


If you exit out of global config mode now and go back, you will see this message:

R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
*Oct 19 03:42:03.710: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit


On R7 we telnet to R6:

R7#telnet 200.0.0.6
Trying 200.0.0.6 ... Open
CCC Blah, Blah, Blah... If you are not an authorized user, go away!

User Access Verification

Username: cisco
Password:
R6>en


Next we try to enter global config mode but we are denied:

R6#conf t
Configuration mode locked exclusively by user 'unknown' process '3' from terminal '0'. Please try later.
R6#

Back on R6 console we can verify the lock is in place:

R6(config)#do show configuration lock
Parser Configure Lock
---------------------
Owner PID : 3
User : unknown
TTY : 0
Type : EXCLUSIVE
State : LOCKED
Class : EXPOSED
Count : 1
Pending Requests : 0
User debug info : configure terminal
R6(config)#


You can also configure a manual lock with the following command:

R6(config)#configuration mode exclusive manual


With this command, another user can still enter config mode:

R7#telnet 200.0.0.6
Trying 200.0.0.6 ... Open
CCC Blah, Blah, Blah... If you are not an authorized user, go away!

User Access Verification

Username: cisco
Password:
R6>en
Password:
R6#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#


To lock the mode we have to manually lock it upon entering global config mode:

R6#conf term ?
lock Lock configuration mode


R6#conf term lock
Enter configuration commands, one per line. End with CNTL/Z.
R6(config)#
*Oct 19 03:55:16.806: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
R6(config)#


Now on the R7 console we are still in global config mode; we didn't get kicked out. But if we leave, we can't go back:

R6(config)#
R6(config)#exit
R6#conf t
Configuration mode locked exclusively by user 'unknown' process '3' from terminal '0'. Please try later.
R6#

Saturday, May 31, 2008

IP Accounting for traffic violations

R6 <---FRAME---> R5 <----ETHERNET---> R3

The first step is to create the ACL that blocks traffic. Here we will block traffic (and configure accounting) for packets from R6 to R3. IP address 6.6.6.10 is a loopback on R6 being advertised into OSPF to R5 and on to R3. 3.3.3.3 is the loopback on R3.

R5#show run | section access-list 101
access-list 101 deny ip host 6.6.6.10 host 3.3.3.3
access-list 101 permit ip any any

Apply the ACL to the interface where traffic is to be restricted. FastEthernet0/0 is the interface connected to R3's LAN interface. Enable accounting for access-violations on that interface with the command "ip accounting access-violations".

R5#show run int f0/0
Building configuration...

Current configuration : 153 bytes
!
interface FastEthernet0/0
ip address 172.12.34.5 255.255.255.0
ip access-group 101 out
ip accounting access-violations
speed 100
full-duplex
end

Ping from R6 to verify that traffic is blocked:

R6#ping 3.3.3.3 source 6.6.6.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.10
U.U.U
Success rate is 0 percent (0/5)

Verify accounting on R5:

R5#show ip accounting access-violations
Source Destination Packets Bytes ACL
6.6.6.10 3.3.3.3 6 600 101

Accounting data age is 4

The output of the command shows how many packets (6) and bytes (600) were blocked as well as the ACL (101) that blocked them.
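To show what the router is doing behind that one line of output, here is an added model (not IOS code and not from the post) of extended-ACL evaluation with access-violation accounting. It parses the access-list 101 lines above, applies first-match semantics with the implicit deny at the end, and keeps per source/destination counters only for packets the list dropped. The traffic is constructed: the post's five 100-byte echoes from 6.6.6.10 to 3.3.3.3, plus one packet from another source that the list permits. Charging implicit-deny drops to the applied list's number is my modelling choice, and the function names are mine.

```python
"""Model of an IOS extended ACL with "ip accounting access-violations".

Added example, not the post's configuration or IOS code. Wildcard masks follow
IOS semantics (a 1 bit means "don't care"), entries are tried in order, and a
packet matching no entry hits the implicit deny.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Lines quoted from R5's configuration in the post.
ACL_101 = """\
access-list 101 deny ip host 6.6.6.10 host 3.3.3.3
access-list 101 permit ip any any
"""


class Entry(NamedTuple):
    number: int
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip2int(addr: str) -> int:
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def _wild_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Compare only the bits where the wildcard has a 0."""
    w = _ip2int(wildcard)
    return (_ip2int(addr) | w) == (_ip2int(rule_addr) | w)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Parse 'host A', 'any' or 'A WILDCARD' at tokens[i]; return ((addr, wild), next)."""
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        (src, sw), i = _parse_addr(t, 4)
        (dst, dw), _ = _parse_addr(t, i)
        entries.append(Entry(number, action, proto, src, sw, dst, dw))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str, proto: str) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _wild_match(src, e.src, e.src_wild) and _wild_match(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def account_violations(entries: List[Entry],
                       packets: Iterable[Tuple[str, str, str, int]]
                       ) -> Dict[Tuple[str, str], Tuple[int, int, int]]:
    """Return {(src, dst): (packets, bytes, acl_number)} for dropped traffic only."""
    acl_number = entries[0].number if entries else 0   # modelling choice for implicit deny
    counters: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for src, dst, proto, size in packets:
        if evaluate(entries, src, dst, proto) == "deny":
            counters[(src, dst)][0] += 1
            counters[(src, dst)][1] += size
    return {k: (v[0], v[1], acl_number) for k, v in counters.items()}


# Constructed traffic: five 100-byte echoes as in the post, plus one permitted packet.
SAMPLE_PACKETS = [("6.6.6.10", "3.3.3.3", "icmp", 100)] * 5 + [("6.6.6.6", "3.3.3.3", "icmp", 100)]


def report(packets=SAMPLE_PACKETS) -> Dict[Tuple[str, str], Tuple[int, int, int]]:
    return account_violations(parse_acl(ACL_101), packets)


if __name__ == "__main__":
    for (src, dst), (pkts, byts, acl) in report().items():
        print(f"{src:<12} {dst:<12} {pkts:>7} {byts:>7} {acl}")
```

Fed with the constructed traffic, the report lists only the 6.6.6.10 to 3.3.3.3 pair, since the permitted packet is never counted; that mirrors the show output above, where the counter grows only with traffic the ACL actually dropped.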