I'm from Linux world. In Linux I've been doing firewalls, QoS, dynamic routing, tunnels, ipsec, ipv6 and even written custom networking extensions to kernel.
And now I got some Cisco 681 under my control. I understand the basics but I'm constantly hitting some problems, like:
- it's hard to debug (where is tcpdump?!)
- it's easy to hang/crash the thing (especially when debugging)
- I'd need some practical advice on how to manage the thing (copying running-config via scp and back fails ...)
- most of the documentation I'm finding is IMHO corporate crap (too many words, too little information)
I've been googlin' around and reading things, but still I feel very unskilled when dealing with the thing.
For example I'm trying to add a simple class-based QoS for a working configuration of one of the routers.
I've prepared a simple config:
no ip access-list extended RT_PROTOCOLS
ip access-list extended RT_PROTOCOLS
 permit icmp any any
 permit udp any any eq 53
 permit tcp any any eq 22
!
no ip access-list extended HIGH_PROTOCOLS
ip access-list extended HIGH_PROTOCOLS
 permit tcp any any eq 80
 permit tcp any any eq 443
!
class-map match-any RT_CLASS
 match access-group name RT_PROTOCOLS
class-map match-any HIGH_CLASS
 match access-group name HIGH_PROTOCOLS
!
policy-map INTERNET_OUT_POLICY
 class RT_CLASS
  bandwidth percent 10
  random-detect
 class HIGH_CLASS
  bandwidth percent 40
  random-detect
 class class-default
  fair-queue
  bandwidth percent 40
  random-detect
!
policy-map INTERNET_OUT_QOS
 class class-default
  shape average 8000
  service-policy INTERNET_OUT_POLICY
!
interface FastEthernet4
 no fair-queue
 service-policy output INTERNET_OUT_QOS
!
and I'm copying it via copy scp://source running-config. The router immediately causes high ping and after around 20 seconds hangs completely.
How do I debug what is wrong?
Any links, docs, advice and tips will be appreciated.
As a general rule, apply configurations from the console or via a telnet or SSH session to the device, instead of trying to copy configuration into the running config. By doing that, you'll be alerted to any problems with the configuration as you try to configure.
The specific problem I think you're having with this is that the 681 has a pretty weak CPU and matching on UDP/TCP port numbers is relatively intensive, so I suspect you're simply running out of processing power. If you try to do a couple of show process cpu after applying the configuration, you'll probably see the CPU usage spike dramatically.

Edit: One handy thing to (somewhat) alleviate the problem of not having tcpdump ready at hand (it is available in some newer IOS versions, but only the "capture" bit, you then have to fetch the PCAP files to another host to do the analysis) is what I usually call "monitoring ACLs". Simply define an ACL that matches what you're wanting to check for (existence or non-existence), then finish with a permit ip any any to not actually block any traffic. If the traffic you're specifically looking for is passing through, the counters on the ACL (as shown with "show access-list name") will increment.

Here are some tips to narrow down the output of show run, similar to grep:
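As an added example (not code from the question or from any of the answers), here is how the advice in this answer fits together on a small IOS router: apply the change interactively with a timed reload as a safety net, check the CPU afterwards, and use a counting-only "monitoring ACL" to confirm which traffic is actually passing. The ACL name MON_SSH_DNS is an assumption; FastEthernet4 is taken from the question.

```cisco
! Added example, not from the original question or answers.
! Step 1: safety net. If the router hangs while the change is applied,
! it reloads by itself in 10 minutes with the last saved startup-config.
Router# reload in 10
!
! Step 2: apply the change interactively so IOS rejects bad lines as you type them.
Router# configure terminal
Router(config)# ip access-list extended MON_SSH_DNS
Router(config-ext-nacl)# permit tcp any any eq 22
Router(config-ext-nacl)# permit udp any any eq 53
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
! Do not put "log" on the entries: logged ACL hits are process-switched and
! add exactly the CPU load this router cannot afford.
Router(config)# interface FastEthernet4
Router(config-if)# ip access-group MON_SSH_DNS in
Router(config-if)# end
!
! Step 3: verify before the timer fires.
Router# show processes cpu sorted
Router# clear ip access-list counters MON_SSH_DNS
Router# show ip access-lists MON_SSH_DNS
!
! Step 4: once the box is healthy, cancel the pending reload and save.
Router# reload cancel
Router# write memory
```

The permit ip any any at the end is what makes this an observation tool rather than a filter; the per-entry counters in show ip access-lists tell you whether SSH and DNS are actually flowing. One thing worth checking in the question's policy while you are at it: shape average takes its rate in bits per second, so 8000 shapes the whole interface to 8 kbit/s.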
I like to do my configuration over a serial console session with PuTTY so that I have a method of accessing IOS without depending on an interface being up (and as a fellow Linux guy who's been doing this for only six months or so, I'm often mucking about and taking down interfaces).
Coupled with the serial console, I do all my work-in-progress backups and restores by setting terminal length 0 so that I can copy and paste the entire running config to a file, make bulk changes there if I have to, and paste it back in again as needed.

Dangerous (see your point #2), but there are some parsers that can generate a .pcap file from a cisco debug.
Sure. Even with big routers.
No need for reboot. You can also copy configuration from a tftp server.
Some good information can be found on CCIE blogs. And if you want to practice on a lab, check packetlife community lab!