We assume you are already actively mastering the tricks of configuring through the console. It is time to cover a few more subtleties: things worth thinking about when configuring Cisco routers and switches.
Subtlety 1. Neatness. Often the task is to add something to the current configuration. You surely know that many elements are written separately and applied separately (on an interface, to the whole device, etc.). Be extremely careful when changing the settings of technologies such as PBR (route-map), QoS (policy-map), IPsec (crypto map) and NAT. It is best to first remove them from use, then change them, then attach them again. The reason is that every change you make takes effect immediately on the running state of the device. Sometimes what is already working (for example, what is loaded into RAM) conflicts with the new config. Situations where the device reboots after an attempt to change the config are not rare.
Example: suppose we have a route-map applied to an interface and we need to change it. The "cleanest" way is:
1. Copy the existing route-map from the config.
2. Paste it into Notepad (or any text editor).
3. Change its name in the editor.
4. Change the route-map itself.
* Be sure to check its logic: will it do what it is supposed to?
5. Copy it from the editor.
6. Paste it into the config.
* It is not applied yet, because it has a different name, so this step is safe.
7. Apply the new route-map to the interface.
Unfortunately, people are usually too lazy to follow such a neat procedure :)
If the security policy requires all names in the config to be canonical, you can additionally do this:
3a. Copy the route-map with a new name.
3b. Paste it into the config.
3c. Apply the route-map with the new name.
And leave the old, canonical name for the changed route-map. If there is no possibility of removing, for example, a crypto map (in that case all tunnels go down), and you need to add a new entry, then you should minimize the time during which the "unfinished config" exists (an incomplete crypto map entry). This happens when an entry is still missing one or two of these lines:
match address
set transform-set
set peer
To minimize the downtime, prepare the necessary piece of crypto map config in a text editor and then copy-paste it into the Cisco device.
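The two procedures above (the "clean" route-map rename in steps 1-7, and the check that no crypto map entry is left without its match address / set transform-set / set peer lines) can both be done against a saved copy of `show running-config` before anything is pasted into the device. The script below is an added example, not the author's code: it assumes the config is available as text (the sample config, interface name and addresses are constructed), and it produces the renamed route-map text and the interface commands for step 7, plus a list of incomplete crypto map entries.

```python
"""Offline helpers for the 'neat' route-map change and for spotting incomplete
crypto map entries. Added example, not the author's code; works on a saved
`show running-config` text and never talks to the device itself."""
import re

# Constructed sample of a running-config (names and addresses are made up).
SAMPLE_CONFIG = """\
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-TO-BRANCH
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.20
 match address VPN-TO-DC
!
route-map PBR-INSIDE permit 10
 match ip address PBR-ACL
 set ip next-hop 192.0.2.1
route-map PBR-INSIDE permit 20
 description fall through
!
interface GigabitEthernet0/1
 ip address 192.0.2.254 255.255.255.0
 ip policy route-map PBR-INSIDE
!
"""

# Lines every crypto map entry must have before it is usable.
REQUIRED_CRYPTO_LINES = ("match address", "set transform-set", "set peer")


def stanzas(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line or line.startswith("!"):
            continue                      # comments / separators
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def renamed_route_map(config, old, new):
    """Steps 1-6: every clause of route-map `old`, rewritten under the name `new`.
    The result can be pasted into the config safely: nothing references it yet."""
    out = []
    for header, body in stanzas(config):
        m = re.match(rf"route-map {re.escape(old)}(\s+.*)?$", header)
        if m:
            out.append(f"route-map {new}{m.group(1) or ''}")
            out.extend(f" {line}" for line in body)
    return "\n".join(out)


def apply_commands(config, old, new):
    """Step 7: the interface commands that switch PBR from `old` to `new`."""
    cmds = []
    for header, body in stanzas(config):
        if header.startswith("interface ") and f"ip policy route-map {old}" in body:
            cmds += [header, f" ip policy route-map {new}"]
    return cmds


def incomplete_crypto_entries(config):
    """Map (crypto map name, seq) -> required lines that the entry lacks."""
    missing = {}
    for header, body in stanzas(config):
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", header)
        if not m:
            continue
        absent = [k for k in REQUIRED_CRYPTO_LINES
                  if not any(line.startswith(k) for line in body)]
        if absent:
            missing[(m.group(1), int(m.group(2)))] = absent
    return missing


if __name__ == "__main__":
    print(renamed_route_map(SAMPLE_CONFIG, "PBR-INSIDE", "PBR-INSIDE-NEW"))
    print("\n".join(apply_commands(SAMPLE_CONFIG, "PBR-INSIDE", "PBR-INSIDE-NEW")))
    for key, absent in incomplete_crypto_entries(SAMPLE_CONFIG).items():
        print(f"crypto map {key[0]} {key[1]} is missing: {', '.join(absent)}")
```

Run the crypto map check on the text you are about to paste, not only on what is already in the box: an entry that the script reports as incomplete is exactly the "unfinished config" window the text warns about.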
Subtlety 2. Safety net. Remember that until you have typed
copy running-config startup-config
or, which is the same thing,
wr
the startup configuration file is still the old one. Therefore, if everything is broken, just restart the device. In order not to run or call to the other end (of the office / city / planet), there is the technique of a "delayed reload":
reload in
and a reload at a specific time:
reload at
(they were mentioned in the topic about the console). You can cancel a delayed reload with the command
reload cancel
Subtlety 3. Saving configs. Remember that a configuration file is just a text file. You can copy the configuration file to tftp, ftp, http, flash, etc. Or you can simply pull it onto your workstation. For example, by enabling logging of the screen output in PuTTY (or another terminal client), you can just issue the command
sh run
and get your config into the log file.
* Hint: sh run displays the config on screen, dividing it into pages with pagination prompts. In the log file these prompts will also be present. If you are too lazy to remove them, you can give the command
sh run | tee http://1.1.1.1
The tee command copies to the screen what it is trying to send via http to 1.1.1.1. It will not manage to send it, but the whole config falls out on the screen without pauses and delimiters.
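If you did capture `sh run` through a terminal log with pagination on, the pagination residue can be stripped afterwards. The script below is an added example, not the author's code; it assumes the log contains IOS's ` --More-- ` prompt followed by the backspace/space sequence that erases it when you press Space (that erase pattern is an assumption here), and the sample PuTTY log is constructed.

```python
"""Strip IOS pagination residue from a terminal log of `sh run`.
Added example, not the author's code."""
import re

# IOS prints ' --More-- ' at each page and, when you press Space, erases it
# with backspaces, blanks and backspaces before printing the next page.
# The exact erase sequence is assumed; the regex only requires BS, spaces, BS
# so that a leading space of the next config line is never swallowed.
MORE_PROMPT = re.compile(r" --More-- (?:\x08+ +\x08+)?")

# Constructed PuTTY log: prompt, nine backspaces, nine spaces, nine backspaces.
ERASE = "\x08" * 9 + " " * 9 + "\x08" * 9
SAMPLE_LOG = (
    "router#sh run\r\n"
    "Building configuration...\r\n"
    "\r\n"
    "hostname router\r\n"
    " --More-- " + ERASE + "interface GigabitEthernet0/1\r\n"
    " ip address 192.0.2.254 255.255.255.0\r\n"
    " --More-- " + ERASE + "end\r\n"
    "router#"
)


def clean_config(log):
    """Return the configuration lines as they would appear without pagination.
    Drops the echoed command, the 'Building configuration...' banner, CRLF
    line endings and the bare prompt that follows 'end'."""
    text = MORE_PROMPT.sub("", log).replace("\r\n", "\n")
    body, started = [], False
    for line in text.split("\n"):
        if not started:
            started = line.startswith("Building configuration")
            continue
        if re.fullmatch(r"\S+#\s*", line):     # bare 'hostname#' prompt
            break
        body.append(line)
    while body and not body[0]:                # leading blank line after banner
        body.pop(0)
    return body


if __name__ == "__main__":
    print("\n".join(clean_config(SAMPLE_LOG)))
```

Check the cleaned file against the device afterwards (line count, or `sh run | include` of a few known lines): a ` --More-- ` that was erased differently from the assumed pattern would survive as a partial line, and a config backup with damaged lines is worse than none.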
Subtlety 4. Names. It is no secret that it is easier to write a config yourself than to understand someone else's :) And even your own old configs are sometimes hard to read. Therefore, to help yourself and others, I recommend:
- All names (ACL, route-map, crypto map, transform-set, etc.) should be written in capital letters (or at least start with a capital letter). It is also desirable to choose names that are not too long (otherwise typing them becomes torture) but "speaking" ones. As an example, here is my favourite line from an ASA config (it uses an ACL named outside for NAT on the external interface outside):
nat (outside) 10 access-list outside outside
If you write ACL names in capital letters, it is easy to see where the keywords are and where the names are:
nat (outside) 10 access-list OUTSIDE outside
- REMOVE UNNEEDED THINGS IMMEDIATELY! You practised, banged your head, experimented - remove the garbage! After a week it is hard to remember whether these constructs are needed or not.
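The naming convention above is easy to enforce mechanically on a saved config. The following lint is an added example, not the author's code: it assumes the config is available as text, knows a handful of IOS/ASA definition and reference forms (the sample config is constructed, including the ambiguous `outside` line from the text), and reports every name that is not written in capital letters.

```python
"""Lint object names in a saved IOS/ASA config against the UPPERCASE convention.
Added example, not the author's code."""
import re

# Constructed sample mixing good and bad names.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
ip access-list extended outside
 permit ip any any
route-map PBR-INSIDE permit 10
 match ip address pbr-acl
crypto ipsec transform-set ts-aes esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set ts-aes
 match address VPN-TO-BRANCH
nat (outside) 10 access-list outside outside
"""

# (regex, object kind); group 1 is the name being defined or referenced.
# Only a few common forms are covered; extend the list for your own configs.
NAME_PATTERNS = [
    (r"^ip access-list (?:standard|extended) (\S+)", "ACL"),
    (r"^\s*match ip address (\S+)", "ACL reference"),
    (r"^\s*match address (\S+)", "ACL reference"),
    (r"^route-map (\S+)", "route-map"),
    (r"^crypto ipsec transform-set (\S+)", "transform-set"),
    (r"^\s*set transform-set (\S+)", "transform-set reference"),
    (r"^crypto map (\S+) \d+", "crypto map"),
    (r"^nat \(\S+\) \d+ access-list (\S+)", "ACL reference"),
]


def lint_names(config):
    """Return (line number, kind, name) for every name that is not all uppercase."""
    findings = []
    for number, line in enumerate(config.splitlines(), 1):
        for pattern, kind in NAME_PATTERNS:
            m = re.match(pattern, line)
            if m and m.group(1) != m.group(1).upper():
                findings.append((number, kind, m.group(1)))
    return findings


if __name__ == "__main__":
    for number, kind, name in lint_names(SAMPLE_CONFIG):
        print(f"line {number}: {kind} name '{name}' is not in capital letters")
```

Run it before a config review or as a pre-commit check on a config repository; the `nat (outside) 10 access-list outside outside` line from the text shows up as a finding precisely because the name and the keyword are indistinguishable.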
- In newer IOS (starting from version 12.3), the lines of a named ACL are numbered in steps of 10 (this is easy to see by giving the command
sh ip access-list
). Therefore you can delete an existing line or add a new one between existing ones using this syntax (for example, to add a line between sequence numbers 20 and 30):
ip access-list ex NEW
25 permit tcp any any eq 25
- If numbered ACLs are still in use (for historical reasons, for example), they can be modified using the named ACL syntax:
ip access-list ex 101
no 10
25 permit tcp host 1.1.1.1 any eq 25
Go for it, and may your Cisco boxes run stably!
And wait for the next episode :)
WBR, Sergey Fedorov
P.S. I may correct the topic a little without notice, at your request or on my own, if a thought comes to mind.