Monday, April 26, 2010

Do Write Memory and DHCP!!! Not Always the Best Bet

Let's go to IOS and look at an interesting case.

R1(config)#ip dhcp pool Strange


Oh wait a minute, I want to save my config!!! Let's use write mem or do wr.

R1(dhcp-config)#do wr
R1(dhcp-config)#end


Now my config is saved, let's see the show run output.

sh run
Output omitted....
!
ip dhcp pool Strange
domain-name wr------------> Oops, watch that..... where did that domain name come from!!!!
!


My God, this made me totally mad during an implementation; I was able to figure it out after some time. So beware of shortcuts, they are not always good (:

Wednesday, April 21, 2010

IOS privilege and Show Running Dispute:

One of my clients requested that I implement role-based access using IOS privilege levels and the AAA local database, and I encountered an interesting problem. The customer requested a user with only show running-configuration access.

When this particular user is created with privilege level 10, and only show running-config is assigned to that privilege level, to my surprise it only shows a blank configuration. Initially it was considered to be a Cisco bug. When I dug further, I found out that it is Cisco design and not a bug.

Please refer to the document below for details:
IOS Privilege Levels Cannot See Complete Running Configuration

Cisco IOS comes with 16 privilege levels, from 0 to 15. By default, Cisco assigns commands to only three of these privilege levels: zero, user, and enable. There are five commands with privilege level zero: disable, enable, exit, help, and logout. User EXEC mode — privilege level 1 (when you log in, this is the default level). Privileged EXEC mode — privilege level 15 (when you are in enable mode; equivalent to root access on Linux).

To assign a privilege level to a user:
2801(config)# username support password abc privilege 5
2801# show privilege
Current privilege level is 5

To assign a privilege level to a particular command:
Router1#configure terminal
Router1(config)#privilege exec level 1 show running-config


Problem Finding:
The show running-config command only displays the commands that the current user is able to modify; in other words, it only shows the configuration sections below the user's current privilege level.

Solution:
1- Instead of using show run, we may use show startup, but it may show stale configuration and might not be an actual replica of the running configuration.
2- We may use the commands
username printconfig privilege 10 password test

username printconfig privilege 15 autocommand show running

By doing this, when the user logs in the show running-config command is executed immediately, but the user is then immediately logged out. So we are left with the configuration but need some other account to perform troubleshooting etc.
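As an added illustration (my own Python model, not Cisco code), the following shows the filtering described under Problem Finding: every config command is owned by a privilege level, commands never reassigned default to 15, and a user sees only the lines whose level is within their own, which is why a level-1 or level-10 user gets a blank or nearly blank view. The privilege statements and the sample running configuration are constructed, and the IOS mode names are simplified (top-level lines are judged in "configure" mode, indented lines in a submode named after their parent keyword).

```python
import re

# Constructed sample: the privilege statement from the post plus two
# configure/interface-mode reassignments that a level-10 user can reach.
PRIVILEGE_STATEMENTS = """
privilege exec level 1 show running-config
privilege configure level 10 interface
privilege interface level 10 description
"""

# Constructed running configuration: this is what a level-15 user sees.
RUNNING_CONFIG = """\
hostname R1
username printconfig privilege 10 password test
interface FastEthernet0/0
 description WAN uplink
 ip address 192.0.2.1 255.255.255.0
ip dhcp pool Strange
 domain-name wr
"""

def parse_privilege_table(text):
    """Map (mode, command) -> level from 'privilege <mode> level <n> <cmd>' lines."""
    table = {}
    for mode, level, cmd in re.findall(r"privilege (\S+) level (\d+) (.+)", text):
        table[(mode, cmd.strip())] = int(level)
    return table

def command_level(line, mode, table):
    """Level owning a config line in the given mode; unassigned commands are 15."""
    return table.get((mode, line.split()[0]), 15)

def visible_config(running, table, user_level):
    """Model of the filtered 'show running-config' a user at user_level gets.

    A submode line is shown only if its parent line was shown and its own
    level is within the user's reach; hidden parents hide their children.
    """
    shown, submode, parent_shown = [], "configure", True
    for line in running.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if parent_shown and command_level(line, submode, table) <= user_level:
                shown.append(line)
        else:
            submode = line.split()[0]  # keyword names the submode that follows
            parent_shown = command_level(line, "configure", table) <= user_level
            if parent_shown:
                shown.append(line)
    return shown
```

Run visible_config(RUNNING_CONFIG, parse_privilege_table(PRIVILEGE_STATEMENTS), 1) and you get the empty view the post describes; level 15 returns the whole configuration.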



Reference:
How to Configure Local Username Database in Cisco IOS
http://www.petri.co.il/csc_how_to_configure_local_username_database_cisco_ios.htm

IOS Privilege Levels Cannot See Complete Running Configuration
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml

Friday, December 25, 2009

IPsec not supported!!!! The reason you go for a router

One of the many things my customers ask is why we do not go for a layer 3 switch instead of a router when Ethernet is our only requirement. A Cisco 1-port FE card still has a GPL of 950 USD, while L3 switches come with 24/48 ports, which is really cheaper when the customer requires many Ethernet interfaces.

Well, although in some cases the customer may opt for this option, I still don't encourage it, as one obvious answer is that a router is still intended for routing, while an L3 switch still has switching hardware and is intended for the LAN. It cannot support many necessary features like IPsec VPN, GRE tunnels and even NAT that are necessary at the WAN edge.

Well, I still remember from my previous job that one of my colleagues purchased a 3560 for a site-to-site VPN with a router, only to figure out that IPsec is not supported on it.

To summarize, L3 switches were introduced with efficient inter-VLAN routing in mind and are best within the campus. Routers are destined for the edge and will still be used at WAN edges.

Subinterface, SVI and Catalyst Catch!!!

Well, there are many who do not know this.

You cannot make subinterfaces on Cisco switches. No matter whether it is a 2960, 3560 or 3750. No matter whether it is LAN Lite or LAN Base. No matter whether it is the standard image or the enhanced image. Subinterfaces are simply not supported.

So what is the alternative solution? You get it. Use an SVI instead. You can do almost everything that you can do with a physical interface (note that ip access-group needs a direction, in or out):

interface Vlan10
 ip address x.x.x.x x.x.x.x
 ip access-group 101 in
 ip ospf cost 10

Saturday, October 24, 2009

BGP Support on ASA

Lesson of the Day: BGP is not supported on ASA

The Juniper SSG running ScreenOS is feature rich, and it can also act as the internet-facing device even if you need dual homing, as it supports BGP.

Besides other features, the Cisco ASA with its Linux kernel is left behind in routing protocol support. Till now BGP is still unsupported on the ASA platform.

The SSG supports RIPv1/2, OSPF, BGP, Frame Relay, Multilink Frame Relay, PPP, Multilink PPP and HDLC, while the ASA supports only RIPv1/2 and OSPF.

Thursday, October 22, 2009

Repartition Cisco Flash

Repartition Flash

Well, I have a 2621XM in my hand; I need to enable IPsec VPN on it. Oops, it shows no option for crypto isakmp. I need to upgrade to a Security IOS. Before that I must figure out the version that fits in my little 32 MB flash. After a while I was able to find it and download it. Now the TFTP server is ready to finish the job and make the router ready for VPN.

Copy tftp flash …………………

Oh, I get an error: your flash is 16 MB, you cannot copy a 24 MB IOS.

I check the flash again:

Router# show flash

The repartition process involves erasing flash memory, so, as per a document I found on a forum:

1- Reboot the router to run in ROM mode.

2- Change the config-register to 0x2101 and reload, using the following commands

Router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router(config) # config-register 0x2101

Router(config) # exit

Router # reload
Below is an excerpt from the document I found, which was originally written for the 25XX.

This will bring the router up in boot mode and flash will be idle. You cannot change the partition when the router is running a full IOS from flash. You will see a different router prompt, but enable passwords and most commands will remain the same.

3- Now erase the flash using

Router # erase flash

4- Now repartition it to a single 32 MB flash using the command,
Router # configure t

Router(config) # partition flash 1 32

where 1 in the above command denotes the number of partitions.

5- Change the config-register value again

Router(config) # config-register 0x2102

Router(config) # exit

Router # reload

Before reloading, do not forget to copy the new IOS to the flash, else you should know how to play with Xmodem on a Saturday night (:
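Steps 2 and 5 differ only in the config-register value. This added Python example (mine, not the forum document's or Cisco's) decodes the register fields so you can see that 0x2101 versus 0x2102 toggles only the boot field, with the well-known password-recovery value 0x2142 included for comparison; field meanings are the documented IOS bit assignments.

```python
# Added illustration (not Cisco code): decode the 16-bit IOS configuration
# register so the values used in the repartition steps can be compared.

CONSOLE_BAUD = {0x0000: 9600, 0x0800: 4800, 0x1000: 1200, 0x1800: 2400}  # bits 11-12

def decode_config_register(value):
    """Return the fields of a config-register value that matter for booting."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config-register is a 16-bit value")
    boot = value & 0x000F  # bits 0-3: the boot field
    if boot == 0x0:
        boot_meaning = "stay in ROM monitor (rommon)"
    elif boot == 0x1:
        boot_meaning = "boot the image in ROM / boot helper; flash stays idle"
    else:
        boot_meaning = "boot per 'boot system' commands, else the first image in flash"
    return {
        "boot_field": boot,
        "boot": boot_meaning,
        "ignore_nvram_config": bool(value & 0x0040),  # bit 6, used for password recovery
        "break_disabled": bool(value & 0x0100),       # bit 8
        "fallback_to_rom_on_netboot_fail": bool(value & 0x2000),  # bit 13
        "console_baud": CONSOLE_BAUD[value & 0x1800],
    }

def changed_fields(old, new):
    """Names of the fields that differ between two register values."""
    before, after = decode_config_register(old), decode_config_register(new)
    return sorted(k for k in before if before[k] != after[k])

if __name__ == "__main__":
    for reg in (0x2101, 0x2102, 0x2142):
        print(f"0x{reg:04X}: {decode_config_register(reg)}")
    # Step 2 -> step 5 of the procedure: only the boot field changes.
    print("0x2101 -> 0x2102 changes:", changed_fields(0x2101, 0x2102))
```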

Work done!!! Now it's 2:00 AM... Go to sleep now (: