CCIE23050.com CCIE Network blog

Author: admin

How to see open ports on an IOS router.

Posted on November 1, 2016 by admin

show ip sockets details or show socket detail will give you a list of open ports.

If that command is not supported, find the PID of the process in show processes and run show sockets <pid> detail:

Rack01R1#sh processes | i DHCP
42 Mwe 61554938 72 4486 16 5496/6000 0 DHCPD Timer
132 Mwe 61D37488 780188 1074772 72510568/12000 0 DHCPD Receive
151 Msi 6155CC30 464 8975 51 5124/6000 0 DHCPD Database
248 Mwe 6153E90C 93604 537591 174 6424/9000 0 DHCP Client

Rack01R1#show sockets 132 detail
FD LPort FPort Proto Type TransID

0 67 0 UDP DGRAM 0x672F5140
State: SS_ISBOUND
Options: SO_BROADCAST
Total open sockets – TCP:0, UDP:1, SCTP:0

You can also get the same information from the control-plane host view, which lists each listening service with its port:

Rack01R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
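
As an added example (not part of the original post), here is a small parser for the show control-plane host open-ports output above that flags listening cleartext management services; the risk table at the top is an assumption for illustration.

```python
import re

# Output of 'show control-plane host open-ports' as shown in the post,
# header lines included, embedded here as the sample input.
SAMPLE = """Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
"""

# proto, local addr:port, foreign addr:port, service name (may contain
# spaces), state; banner and header lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(tcp|udp)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(.+?)\s+(\S+)$")

# Listening cleartext management services a reviewer would want replaced
# by their encrypted equivalents (assumed risk table, not from the post).
CLEARTEXT_MGMT = {
    ("tcp", 23): "Telnet listening: prefer SSH (transport input ssh)",
    ("tcp", 80): "HTTP server listening: prefer HTTPS or disable it",
}

def parse_open_ports(text):
    """Return one dict per socket line of the command output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, faddr, fport, service, state = m.groups()
        rows.append({
            "proto": proto,
            "local": f"{laddr}:{lport}",
            "port": None if lport == "*" else int(lport),
            "foreign": f"{faddr}:{fport}",
            "service": service,
            "state": state,
        })
    return rows

def cleartext_findings(rows):
    """Map service name -> advice for listening sockets in CLEARTEXT_MGMT."""
    return {
        r["service"]: CLEARTEXT_MGMT[(r["proto"], r["port"])]
        for r in rows
        if r["state"] == "LISTEN" and (r["proto"], r["port"]) in CLEARTEXT_MGMT
    }

if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE)
    for r in rows:
        print(f"{r['proto']:<4}{r['local']:<8}{r['service']:<14}{r['state']}")
    for service, advice in cleartext_findings(rows).items():
        print(f"FINDING {service}: {advice}")
```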

Posted in Cisco | Tagged Cisco

Generate and test simulated traffic on IOS.

Posted on November 1, 2016 by admin

Generate HTTP traffic
Rack07R1#copy http://33.33.6.3/File1 null:
%Error opening http://33.33.6.3/File1 (No such file or directory)

Generate FTP traffic
Rack07R1#copy ftp://33.33.6.3/File1 null:
Accessing ftp://33.33.6.3/File1…
%Error opening ftp://33.33.6.3/File1 (Undefined error)
Test HTTP, or generate traffic on any port, with telnet:

Rack07R1#telnet 33.33.6.3 80
Trying 33.33.6.3, 80 … Open

get
HTTP/1.1 400 Bad Request
Date: Fri, 15 Mar 2002 21:45:45 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 33.33.6.3 closed by foreign host]

ICMP

Rack07R1#debug ip icmp
ICMP packet debugging is on

Rack07R1#ping 33.33.6.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.6.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms
Rack07R1#
Jan 13 19:51:50.812: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.816: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.828: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.836: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3

For other traffic, use debug ip packet detail.

Test Radius and Tacacs
Rack07R1#test aaa group tacacs+ cisco cisco new-code
Rack07R1#test aaa group radius cisco cisco new-code

Posted in Cisco, IP | Tagged Cisco

ASA Failover

Posted on November 1, 2016 by admin

Using two interfaces. Configure the primary first.

On the primary:

failover
failover lan unit primary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover replication http
failover link LSTATE GigabitEthernet0/7
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover interface ip LSTATE 172.20.248.21 255.255.255.252 standby 172.20.248.22
monitor-interface INSIDE   <- if INSIDE is not a physical interface

On the secondary:

failover lan unit secondary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover

Using the management interface with VLANs:

interface Management0/0
!
interface Management0/0.303
 description LAN Failover Interface
 vlan 303
!
interface Management0/0.304
 description STATE Failover Interface
 vlan 304

failover
failover lan unit primary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover link STATE-FO Management0/0.304
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover interface ip STATE-FO 192.168.2.41 255.255.255.252 standby 192.168.2.42

On the secondary unit:

failover lan unit secondary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover

Posted in Cisco | Tagged Cisco

6500 TDR

Posted on November 1, 2016 by admin

6509#test cable-diagnostics tdr interface gi8/26

TDR test started on interface Gi8/26

A TDR test can take a few seconds to run on an interface

Use 'show cable-diagnostics tdr' to read the TDR results.

6509#show cab

6509#show cable-diagnostics td

6509#show cable-diagnostics tdr ?
  interface  Specify an interface for TDR result
  module     Specify module for TDR result

6509#show cable-diagnostics tdr interface gi8/26

TDR test last run on: October 13 10:02:06

Interface Speed Pair Cable length        Distance to fault   Channel Pair status
--------- ----- ---- ------------------- ------------------- ------- ------------
Gi8/26    auto  1-2  N/A                 51 +/- 3 m          Invalid Open
                3-4  N/A                 48 +/- 3 m          Invalid Open
                5-6  N/A                 49 +/- 3 m          Invalid Open
                7-8  N/A                 52 +/- 3 m          Invalid Open

Posted in Cisco | Tagged 6500

6500 VSS – ISSU – notes

Posted on November 1, 2016 by admin

Make sure the current (old) image is set in the boot variable.

Re: ISSU loadversion on VSS? Make sure that the current image is configured on the switch:

boot system flash sup-bootdisk:s72033-ipbase-mz.122-33.SXI2a.bin

See this post:

https://supportforums.cisco.com/message/606688

issu loadversion 1/5 sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI4a.bin 2/5 slavesup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI4a.bin

C6506VSS#issu runversion

This command will reload the Active unit. Proceed ?
[confirm]

C6506VSS# issu acceptversion

% Rollback timer stopped. Please issue the commitversion command.

C6506VSS#issu commitversion

Building configuration…

[OK]

%issu commitversion executed successfully

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/issu_efsu.html#wp1042706

issu loadversion sup-bootdisk:/newsys/s72033/base/s72033-advipservicesk9_wan-vm

2. copy tftp sup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin
   copy tftp slavesup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin

3. show version | inc image
   show bootvar
   show redundancy
   show issu state detail

4. issu loadversion sup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin

5. show issu outage slot all

6. issu runversion

7. issu acceptversion

8. issu commitversion

9. show redundancy
   show issu state detail

At the end, run redundancy force-switchover to get back on the right switch.

Posted in Cisco | Tagged 6500

IPSEC VPN cert trustpoint notes

Posted on November 1, 2016 by admin

On the router, this makes the ISAKMP identity the certificate DN:

crypto isakmp identity dn

On the ASA:

tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
 pre-shared-key cisco
 trust-point ROUTER2
 peer-id-validate nocheck

On the ASA the trustpoint needs to be set in two different places.

In the tunnel-group, for receiving (responding to) the connection:

tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
 pre-shared-key cisco
 trust-point ROUTER2

In the crypto map, for initiating it:

crypto map CRYPTO 10 set trustpoint ROUTER2

Posted in Cisco | Tagged Cisco

ASA EZVPN

Posted on November 1, 2016 by admin

crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map CMAP 1 ipsec-isakmp dynamic dyn1
crypto map CMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 any

group-policy tgroup1gp internal
group-policy tgroup1gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 100

username cisco password cisco
ip local pool TESTPOOL 192.168.0.1-192.168.0.254

tunnel-group tgroup1 type remote-access
tunnel-group tgroup1 general-attributes
 address-pool TESTPOOL
 default-group-policy tgroup1gp
tunnel-group tgroup1 ipsec-attributes
 pre-shared-key cisco

On the client, the group is tgroup1 with password cisco, then the user login is username cisco password cisco.

Posted in Cisco | Tagged VPN

ping with ToS / DSCP

Posted on November 1, 2016 by admin

DSCP occupies the upper six bits of the ToS byte, so dscp 1 (000001) = tos (00000100) = tos decimal 4. The ACL below denies DSCP 1, and an extended ping with Type of service 4 is therefore blocked while a plain ping succeeds:

Router(config)#access-list 105 deny ip any any dscp 1
Router(config)#access-list 105 permit ip any any
Router(config)#interface ethernet 0/1
Router(config-if)#ip access-group 105 out
Router#show access-list 105

Rack9SW2#ping 200.0.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
Rack9SW2#ping
Protocol [ip]:
Target IP address: 200.0.12.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Vlan118
Type of service [0]: 4
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.12.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.118.8
U.U.U
Success rate is 0 percent (0/5)
Rack9SW2#
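
As an added example (not from the original post), the conversion above carried through in code for any DSCP value, plus a replay of access-list 105 against the two pings shown: the plain one (ToS 0) and the extended one with Type of service 4.

```python
# DSCP is the upper six bits of the ToS byte; the low two bits are ECN.
# Added example, not the post's own code.

def dscp_to_tos(dscp):
    """Value to enter at 'Type of service' in extended ping for a DSCP."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2

def tos_to_dscp(tos):
    """DSCP that an ACL 'dscp N' keyword compares against (ECN bits dropped)."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS is one byte")
    return tos >> 2

def bits(value, width):
    """Binary string of a fixed width, e.g. bits(4, 8) -> '00000100'."""
    return format(value, f"0{width}b")

# access-list 105 from the post as a top-down list; dscp None means 'any'.
ACL_105 = [
    {"action": "deny", "dscp": 1},
    {"action": "permit", "dscp": None},
]

def acl_action(acl, tos):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    dscp = tos_to_dscp(tos)
    for entry in acl:
        if entry["dscp"] is None or entry["dscp"] == dscp:
            return entry["action"]
    return "deny"

def success_rate(acl, tos, count=5):
    """Percent of echoes the outbound ACL lets through, as ping reports it."""
    passed = count if acl_action(acl, tos) == "permit" else 0
    return 100 * passed // count

if __name__ == "__main__":
    print(f"dscp 1 ({bits(1, 6)}) = tos ({bits(dscp_to_tos(1), 8)}) "
          f"= tos decimal {dscp_to_tos(1)}")
    for tos in (0, 4):
        print(f"ToS {tos}: success rate is {success_rate(ACL_105, tos)} percent")
```

Note that a ToS of 5 (DSCP 1 with an ECN bit set) is still denied, because the dscp keyword ignores the low two bits.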

Posted in Cisco, IP | Tagged IP

ASA capture tips.

Posted on November 1, 2016 by admin

ASA and FWSM Capture
Here are some options for doing a capture on the ASA.

asa# access-list CAP1 ext permit ip any any
asa# capture CAPTRAFFIC access-list CAP1 circular-buffer interface outside

These are the options.
asa# capture CAPTRAFFIC ?

access-list Capture packets that match access-list
buffer Configure size of capture buffer, default is 512 KB
circular-buffer Overwrite buffer from beginning when full, default is non-circular
ethernet-type Capture Ethernet packets of a particular type, default is IP
interface Capture packets on a specific interface
match Capture packets matching five-tuple
packet-length Configure maximum length to save from each packet, default is 68 bytes
real-time Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace Trace the captured packets
type Capture packets based on a particular type

To view capture output:

show capture CAPTRAFFIC

To see the traffic that the ASA is dropping:
asa# capture capasp type asp-drop all

If you want the actual pcap output, define the capture with raw-data and match criteria; show capture then lists it like this:

capture capinout type raw-data interface OUTSIDE [Capturing – 2164 bytes]
match udp host 172.16.1.176 any

Then in a web browser you can download the capture from the ASA.

https://172.16.254.1/capture/capinout/pcap
Then you can open it in wireshark and see what the traffic was in detail.

Posted in Cisco, Security | Tagged Cisco

syslog commands

Posted on November 1, 2016 by admin

grep exceeded ASA1.log | tail -n 100 | grep -v 'Scanning'
grep shun ASA1.log

Posted in Linux | Tagged Linux
