Blog Posts in October 2006
Use command aliases to simplify Cisco IOS web server URLs
Cisco IOS has the ability to define command aliases - short words that substitute a whole exec-mode or configuration command. These aliases can also be used in command execution URLs. For example, if you define alias exec showdefault show ip route 0.0.0.0 0.0.0.0, you can view the status of the default route with the http://router/exec/showdefault/CR URL.
Use Cisco IOS FTP server to bypass Microsoft "security patch"
Microsoft decided a while ago to disable the ability to send username and password encoded in URL to a web server. This "security patch" also prevents you from serving files from Cisco IOS web server without explicit user login (IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:password@router/file URL.
Tar archives used by Cisco IOS web server
To optimize the space utilizations and file transfer operations in flash: memory, Cisco IOS web server allows files to be served from tar archives stored on flash: (or any other) filesystem. The URL syntax to access a file in a tar archive is /archive/archive-name-without-tar-suffix/file-in-archive.
TAR support in Cisco IOS
Cisco IOS supports the Unix tar format with the archive command. For example, to inspect the contents of the Secure Device Manager (SDM) that is present in Flash memory on most routers, use the archive tar /table flash:sdm.tar command.
You can also use the archive tar /xtract command to extract a tar file (local or external) into a directory (yet again local or external). For example, with the command archive tar /xtract flash:sdm.tar tftp://10.0.0.10 you'd extract the SDM tar archive to a TFTP server.
Home page for Cisco IOS web server
Another un(der)documented fact: when you access the router's home page (assuming HTTP or HTTPS server has been enabled), the router displays:
- The home.html file if it exists in any filesystem;
- The home.shtml file if it exists in any filesystem;
- a default page with links to exec, SDM, QDM and TAC support
Note: even though you can access home.html file on flash: device directly, that web page cannot reference any other file in flash: as a relative link unless you specify flash: as the default path for the HTTP requests with the ip http path flash: command.
BGP peer groups no longer a performance feature
In Cisco IOS release 12.3T (integrated in 12.4), we've got an interesting (and quite understated) BGP feature: BGP peer-groups are no longer a performance feature (previously, IOS used them to reduce the time needed to compute outbound BGP updates). IOS now performs automatic grouping of BGP neighbors in dynamic update peer-groups that receive identical BGP updates based on per-neighbor outbound parameters.
Running syslog over TCP
Syslog has always been considered an undependable means of reporting network problems by serious network administrators as it runs over unreliable UDP transport. Sometime in the twilight zone between IOS releases 12.3T and 12.4, Cisco IOS got the capability to transport syslog messages over TCP with the logging host ip-address transport tcp port configuration command (the command is documented in 12.4 manuals but missing in 12.3T manuals).
Note: IOS implements standard syslog stream over TCP, not the more complex RFC 3195.
CEF per-destination load sharing algorithms
According to the Cisco IOS documentation, you can select between the original and the universal CEF load sharing algorithm with the ip cef load-sharing algorithm name parameter global configuration command (we'll leave the tunnel algorithm aside for the moment). Of course, they don't tell you what you select.
CEF load sharing details
I had to investigate the details of CEF load sharing for one of my upcoming article and found (yet again) that the details are rather undocumented in official documentation. So, this is how it works (in case you ever need to know):
Cisco IOS Web Server
These tips will help you get the most out of the Cisco IOS embedded web server:
Disable command execution with Cisco IOS web server
If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
Include a default username/password in web request
I've got a great question related to a previous post:
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?
You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:guest@router/level/1/exec/show/ip/interface/brief
Note: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.
Multilevel web (HTTP) access to a router
In some scenarios you want to use true username/password authentication when accessing the router's web server (by default, you have to use enable password). To change the HTTP authentication method, use the ip http authentication local configuration command; it tells the router to use local usernames and passwords when authentication web requests.
Before changing the HTTP authentication, you must define local usernames with the username username privilege-level level password password command, for example:
Reload a router from VBScript or PERL with a HTTP (web) request
If you have HTTP enabled on your router, you can use it to automate router reloads through web requests. To enable HTTP on the router, use the following commands:
ip http server
ip http access-class 90
access-list 90 permit network-management-ip-address
The ip http access-class configuration command is vital - it limits the access to the web server on your router to well-defined IP addresses.
The Visual Basic script to reload the router is extremely simple (just save the following lines into a file called reload.vbs):
Subinterface link status logging
If you're still stuck with frame-relay connections (or use them in test environment, because it's easy to set up any-to-any connectivity between a larger number of routers), you were probably used to subinterface logging events reporting when the line protocol on a point-to-point subinterface would go up or down based on LMI DLCI status.
Very quietly, these logging events disappeared, first on 7500-series routers in IOS release 12.1(14), now they're gone by default on all platforms. If you still want to see what's going on with your frame-relay subinterfaces, you have to enter logging event subif-link-status configuration command on every subinterface.
Periodic router reload
Sometimes when using not-so-very stable IOS versions, periodic reload of a router during a non-peak (or idle) period is a good idea that can significantly increase the overall stability of your network. Until release 12.4, you had to write an external script that would log into the router and execute the reload command.
With the Embedded Event Manager, the task is surprisingly simple - just enter the following configuration commands to reload the box every midnight (of course it helps if your router is NTP-synchronized to a reliable clock source and has correctly configured time zone).