Any tips for Cisco IOS newbie from Linux world?

Question

I'm from Linux world. In Linux I've been doing firewalls, QoS, dynamic routing, tunnels, ipsec, ipv6 and even written custom networking extensions to kernel.

And now I got some Cisco 681 under my control. I understand the basics but I'm constantly hitting some problems, like:

it's hard to debug (where is tcpdump?!)
it's easy to hang/crash the thing (especially when debugging)
I'd need some pracitcal advices on how to manage the thing (copying running-config via scp and back fails ...)
most of the documentation I'm finding is IMHO corporate crap (to many words, to less information)

I've been googlin' around and reading things, but still I fell very unskilled when dealing with the thing.

For example I'm trying to add a simple class-based QoS for a working configuration of one of the routers.

I've prepared a simple config:

no ip access-list extended RT_PROTOCOLS                                         
ip access-list extended RT_PROTOCOLS                                            
 permit icmp any any                                                            
 permit udp any any eq 53                                                       
 permit tcp any any eq 22                                                       
!                                                                               
no ip access-list extended HIGH_PROTOCOLS                                       
ip access-list extended HIGH_PROTOCOLS                                          
 permit tcp any any eq 80                                                       
 permit tcp any any eq 443                                                      
!                                                                               
class-map match-any RT_CLASS                                                    
 match access-group name RT_PROTOCOLS                                           
class-map match-any HIGH_CLASS                                                  
 match access-group name HIGH_PROTOCOLS                                         
!                            
policy-map INTERNET_OUT_POLICY                                                  
 class RT_CLASS                                                                 
  bandwidth percent 10                                                          
  random-detect                                                                 
 class HIGH_CLASS                                                               
  bandwidth percent 40                                                          
  random-detect                                                                 
 class class-default                                                            
  fair-queue                                                                    
  bandwidth percent 40                                                          
  random-detect                                                                 
!                                                                               
policy-map INTERNET_OUT_QOS                                                     
 class class-default                                                            
  shape average 8000                                                            
  service-policy INTERNET_OUT_POLICY                                            
!                                                                               
interface FastEthernet4                                                         
 no fair-queue                                                                  
 service-policy output INTERNET_OUT_QOS                                         
!

and I'm copying it via copy scp://source running-config. The router immediately causes high ping and after around 20 seconds hangs completely.

How do I debug what is wrong?

Any links, docs, advices and tips will be appreciated.

also have a look at gns3 for router emulation, thus you can play around with the IOS and configurations without trying it out on live equipment. — The Unix Janitor, Sep 20 '10 at 15:22

Vatine · Accepted Answer · 2010-09-15T20:50:53.920

As a general rule, apply configurations from the console or via a telnet or SSH session to the device, instead of trying to copy configuration into the running config. By doing that, you'll be alerted to any problems with the configuration as you try to configure.

The specific problem I think you're having with this is that the 681 has a pretty weak CPU and matching on UDP/TCP port numbers is relatively intensive, so I suspect you're simply running out of processing power. If you try to do a couple of show process cpu after applying the configuration, you'll probably see the CPU usage spike dramatically.

Edit: One handy thing to (somewhat) alleviate the problem of not having tcpdump ready at hand (it is available in some newer IOS versions, but only the "capture" bit, you then have to fetch the PCAP files to another host to do the analysis) is what I usually call "monitoring ACLs". Simply define an ACL that matche s what you're wanting to check for (existence or non-existence), then finish with a permit ip any any to not actually block any traffic. If the traffic you're specvifically looking for is passing through, the counters on the ACL (as shown with "show access-list name") will increment.

The running out of CPU tips is especially interesting. I was wondering if that may be the case. — dpc.pw, Sep 16 '10 at 06:46

score 1 · Answer 2 · answered Sep 15 '10 at 15:19

Here are some tips to narrow down the output of show run, similar to grep:

show run | begin word    : to start displaying the config at a specific line containing word
show run | include word  : to display all the lines containing the given word
show run | section word  : is a good one, too

score 1 · Answer 3 · answered Sep 15 '10 at 15:29

I like to do my configuration over a serial console session with PuTTy so that I have an method of accessing IOS without depending on an interface being up (and as a fellow Linux guy who's been doing this for only six months or so, I'm often mucking about and taking down interfaces).

Coupled with the serial console, I do all my work-in-progress backups and restores by setting terminal length 0 so that I can copy and paste the entire running config to a file, make bulk changes there if I have to, and paste it back in again as needed.

petrus · Answer 4 · 2010-09-15T22:21:47.330

it's hard to debug (where is tcpdump?!)

debug ip packets

Dangerous (see your point #2), but there are some parsers that can generate a .pcap file from a cisco debug.

it's easy to hang/crash the thing (especially when debugging)

Sure. Even with big routers.

I'd need some pracitcal advices on how to manage the thing (copying running-config via scp and back fails ...)

router#copy tftp://tftpsrv.local/conf/router-confg start
Destination filename [startup-config]? 
[OK]

router#configure replace nvram:startup-config
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
...

No need for reboot. You can also copy configuration from a tftp server.

most of the documentation I'm finding is IMHO corporate crap (to many words, to lessinformation)

Some good informations can be found on CCIE blogs. And if you want to practice on a lab, check packetlife community lab!

Any tips for Cisco IOS newbie from Linux world?

4 Answers4