Category: Cisco

Configuring Cisco to authenticate (also including authorization and accounting) to TACACS+ server

10.10.10.10 – TACACS+ AAA server

IOS:

    aaa authentication login VTY group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host 10.10.10.10 single-connection
    tacacs-server key 7 1234567890
    ip…


Static Route Configuration Examples in Cisco (IOS-XR) for BGP aggregated prefix advertisements

In order to advertise aggregated routes (and default routes) via BGP, they must exist in the routing table; that's the #1 rule. If these summarized routes (/16) do not exist and only smaller subnets are learned via the IGP (e.g. OSPF, IS-IS), then configure a static route with a next hop, e.g. Null0.

Configuration:

    router static
     address-family ipv4 unicast
      0.0.0.0/0 Null0
      172.16.0.0/16 Null0
     address-family ipv6 unicast
      ::/0 Null0
      fd41:c8be:2153:f400::/64 Null0

In…


Originating BGP advertisements can be configured on any iBGP peer router. Here's a sample configuration for originating BGP routes and community tagging in Cisco.

Assume these are the summarized prefixes that you want to advertise via BGP:

    111.111.0.0/16
    222.222.0.0/16

Configuration:

1. Configure the prefix-set

    prefix-set SITE1
      111.111.0.0/16,
      222.222.0.0/16
    end-set

2. Configure the community

    route-policy bgp-statement
      if destination in SITE1 then
        set community (12345:111)
      endif
    end-policy

3. Configure BGP

    router bgp 11111
     nsr
     bgp router-id 1.1.1.1
     bgp graceful-restart
     address-family ipv4 unicast
      network…


If you keep getting this error when generating the license key for running IOL, or IOS On Linux (also called IOU or IOS On Unix), in EVE-NG:

    darwin@eve-ng:/$ cd /opt/unetlab/addons/iol/bin
    darwin@eve-ng:/opt/unetlab/addons/iol/bin$ python keygen.py
    *********************************************************************
    Cisco IOU License Generator - Kal 2011, python port of 2006 C version
    hostid=bada0c0f, hostname=eve-ng, ioukey=bada0e51
    Traceback (most recent call last):
      File "./keygen.py", line 18, in <module>
        md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
    struct.error: 'i' format requires -2147483648 <= number <= 2147483647

Step 1:…


This can be done by increasing the metric.

@OSPF

Set the max-metric in OSPF and OSPFv3 in IOS-XR devices:

    RP/0/RSP0/CPU0:IOS-XR(config)# router ospf 65555
     max-metric router-lsa external-lsa

    router ospfv3 65555
     stub-router router-lsa v6-bit
      always

Save the changes: commit

    RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify: show ospf database

@ISIS

Increase ISIS metric

    router isis XXXX
     set-overload-bit

Save the changes: commit

    RP/0/RSP0/CPU0:IOS-XR(config)#commit

Verify: show isis database


SPAN mirrors receive or transmit (or both) traffic on one or more source ports to a destination port for analysis. A copy of the packets received or sent by the source interfaces is sent to the destination interface.

Prerequisites: You need to understand how an optical tap works; here's some interesting information (ctto).

Link:
https://community.fs.com/blog/do-you-know-about-optical-tap-test-access-point-cassettes.html
https://en.wikipedia.org/wiki/Network_tap#/media/File:Optical-tap-schema-wiki.gif

Setup:
Cisco Catalyst 4948
2 Routers connected via Optical Tap

Network Diagram:

Step 1: Physically connect the links as per the above diagram. Connect UTP cable from switch to…


Nmap, short for Network Mapper, is a free and open-source tool for scanning vulnerabilities that can also be used for network discovery. It can help identify what devices are running on your systems, discovering the hosts that are available and the services they are running. To see the open ports or running daemons/services on your routers or switches, you can use nmap to test your routers.

where: 192.168.1.1 is your router IP

Sample1: To scan using default safe scripts

    nmap -sV…


These are sample best-practice commands that need to be configured in Cisco IOS-XR devices for additional security.

Global config:

    nsr process-failures switchover
    tcp path-mtu-discovery
    tcp selective-ack
    logging console disable
    snmp-server ifmib stats cache
    ssh server logging
    no telnet vrf $vrf-name ipv4 server
    ssh client source-interface $$loopback0
    logging events link-status software-interfaces

Admin config:

    upgrade fpd all loc all
    fpd auto-upgrade

Interface config:

    interface [interface name]
     ipv4 unreachable disable
     ipv6 unreachable disable
     dampening 1 xxx yyy 1

OSPF config:

    router ospf…


The IOS-XR equivalent of the IOS command "write erase" is the command "commit replace".

    RP/0/RSP0/CPU0:ASR9K(config)#commit replace ?
      best-effort   Commit the configuration changes via best-effort operation
      comment       Assign a comment to this commit
      confirmed     Rollback this commit unless there is a confirming commit
      force         Override the memory checks
      label         Assign a label to this commit
      save-running  Save running configuration to a file
      show-error    Displays commit failures immediately
      <cr>     …


How to upgrade Field Programmable Device (FPD) on Cisco IOS XR

As per Cisco's official documentation, the definition of FPD is as follows: An FPD refers to any programmable hardware device on a router, which includes a Field Programmable Gate Array (FPGA) and Read Only Memory Monitor (ROMMON). Cisco IOS® XR routers use a number of FPDs that are crucial for the function of route processors, line cards, shared port adapters (SPAs), SPA Interface Processors (SIPs), and fan trays.

1. Use the command…
