Tuesday, October 15, 2013

Find the plain text authentication of a peer RIP router

The following commands are useful when you need authenticated RIP updates with a peer router that you don't manage, so you don't know the authentication string it sends. If the peer uses clear-text (simple password) authentication, the password can be read straight from a packet dump. The access list restricts the debug to RIP (UDP/520); "debug ip packet" with the "dump" keyword is expensive on a busy router, so keep the access list and switch the debug off as soon as you have what you need:

access-list 100 permit udp any any eq rip
debug ip packet 100 dump

The password shows up in clear text. In the dump below, the RIPv2 authentication entry begins at FFFF0002 (address family 0xFFFF, authentication type 2 = simple password) and is followed by the 16-byte password field, here "TEST" padded with zero bytes; the route entry for 10.1.1.0/24 with metric 1 comes after it. Anyone who can receive the 224.0.0.9 multicast on that segment sees exactly the same thing, so simple-password authentication protects against misconfiguration, not against an attacker; when you control both routers, use MD5 authentication ("ip rip authentication mode md5" with a key chain) instead:

*Sep  4 17:27:54.815: IP: s=10.10.10.2 (FastEthernet/1), d=224.0.0.9, len 72, input feature

AC43C9C0:        0100 5E000009 AABBCC00 07030800    ..^...*;L.....
AC43C9D0:  45C00048 00000000 0111C4D0 0A0A0A02  E@.H......DP....
AC43C9E0:  E0000009 02080208 003453BE 02020000  `........4S>....
AC43C9F0:  FFFF0002 54455354 00000000 00000000  ....TEST........
AC43CA00:  00000000 00020000 0A010100 FFFFFF00  ................
AC43CA10:  00000000 00000001                    ........
Router#, MCI Check(68), rtype 0, forus FALSE, sendself FALSE, mtu 0
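As an added example (Python, not part of the original post and not Cisco code), the decoder below rebuilds the frame from the dump output above, walks Ethernet, IPv4, UDP and RIPv2, and returns the authentication type, the clear-text password and the advertised routes. The dump text is the one printed above, embedded as constructed input; the function names (dump_to_bytes, parse_rip_update, recover_rip_password) are this example's own. It recognizes authentication type 2 (simple password, RFC 2453) and type 3 (MD5, RFC 2082), where the packet carries only a keyed digest and nothing can be recovered.

```python
"""Decode a Cisco 'debug ip packet ... dump' of a RIPv2 update and recover
the clear-text authentication password.  Added example; not Cisco code."""
import re
import struct

# Constructed input: the dump lines printed by the debug above.
DUMP = """\
AC43C9C0:        0100 5E000009 AABBCC00 07030800    ..^...*;L.....
AC43C9D0:  45C00048 00000000 0111C4D0 0A0A0A02  E@.H......DP....
AC43C9E0:  E0000009 02080208 003453BE 02020000  `........4S>....
AC43C9F0:  FFFF0002 54455354 00000000 00000000  ....TEST........
AC43CA00:  00000000 00020000 0A010100 FFFFFF00  ................
AC43CA10:  00000000 00000001                    ........
"""

RIP_PORT = 520
AUTH_SIMPLE, AUTH_MD5 = 2, 3        # RFC 2453 s4.1 / RFC 2082


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame. Each line is '<addr>:  <hex words>  <ascii>';
    hex words are separated by one space, the ASCII column by two or more."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        rest = line.split(":", 1)[1].strip()
        hex_part = re.split(r"\s{2,}", rest, maxsplit=1)[0]
        for word in hex_part.split():
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", word):
                raise ValueError(f"unexpected token in dump: {word!r}")
            out += bytes.fromhex(word)
    return bytes(out)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_rip_update(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> RIPv2 and return the decoded update."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    _sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != RIP_PORT:
        raise ValueError("not RIP (UDP/520)")
    rip = udp[8:ulen]
    result = {"src": ipv4(ip[12:16]), "dst": ipv4(ip[16:20]),
              "command": rip[0], "version": rip[1],
              "auth_type": None, "password": None, "routes": []}
    for off in range(4, len(rip) - 19, 20):        # 20-byte entries after the 4-byte header
        entry = rip[off:off + 20]
        afi, field2 = struct.unpack("!HH", entry[:4])
        if afi == 0xFFFF:
            # Authentication entry. The first one carries the type; with AUTH_MD5
            # a trailing entry of type 1 carries the digest and nothing to recover.
            if result["auth_type"] is None:
                result["auth_type"] = field2
            if field2 == AUTH_SIMPLE:
                # 16-byte password, NUL padded, sent in the clear
                result["password"] = entry[4:20].rstrip(b"\x00").decode("ascii", "replace")
            continue
        metric = struct.unpack("!I", entry[16:20])[0]
        result["routes"].append((ipv4(entry[4:8]), ipv4(entry[8:12]),
                                 ipv4(entry[12:16]), metric, field2))
    return result


def recover_rip_password(dump: str) -> dict:
    """Dump text in, decoded update (with the password, if any) out."""
    return parse_rip_update(dump_to_bytes(dump))


if __name__ == "__main__":
    info = recover_rip_password(DUMP)
    print(f"{info['src']} -> {info['dst']} RIPv{info['version']} command {info['command']}")
    print("auth type:", info["auth_type"], "password:", info["password"])
    for net, mask, nh, metric, tag in info["routes"]:
        print(f"  {net}/{mask} via {nh} metric {metric} tag {tag}")
```

Run it on the dump above and it prints auth type 2 with password TEST and the single route 10.1.1.0/24, metric 1; on an MD5-authenticated update it reports auth type 3 and no password, which is the difference the post's advice hinges on.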

Saturday, October 12, 2013

Track and modify a route with EEM!

This EEM applet adds or removes a static route. Every 10 seconds it pings a host. If the ping fails, the static route is removed. If the host answers and the route is not already in the routing table, the route is added; if it is already there, nothing is changed. The check looks for "!!" in the ping output, i.e. at least two consecutive replies out of the five sent, so a lossy but reachable host can make the route flap every 10 seconds; there is no hold-down. For production use, IP SLA with object tracking ("track" on the static route) does the same job natively, with configurable up/down delays.

event manager applet Route_redistribute
 event tag 1.0 timer watchdog time 10
 action 001 cli command "enable"
 action 002 cli command "ping 10.1.37.3"
 action 003 regexp "!!" "$_cli_result"
 action 004 if $_regexp_result eq 1
 action 005  cli command "show ip route static"
 action 006  regexp "10.12.37.0/24" "$_cli_result"
 action 007  if $_regexp_result ne 1
 action 008   cli command "conf t"
 action 009   cli command "ip route 10.12.37.0 255.255.255.0 10.1.37.8 tag 100"
 action 010   cli command "end"
 action 011  end
 action 012 else
 action 013  cli command "conf t"
 action 014  cli command "no ip route 10.12.37.0 255.255.255.0 10.1.37.8 tag 100"
 action 015  cli command "end"
 action 016 end
!
end


In order to debug this script, the following command is helpful:
debug event manager action cli

Tuesday, September 3, 2013

Basic NAT reminders

Below are some simple examples of NAT configurations on a Cisco router. In each one, the interface roles ("ip nat inside" / "ip nat outside") decide which direction is translated and, just as important, when translation happens relative to routing.

STATIC NAT:

A static entry is a permanent one-to-one mapping, so an outside host can initiate traffic to the inside global address. Here host1 (10.1.1.1, on the outside side) pings 10.1.1.10, which is translated to the inside host 10.1.3.1:

interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat inside
!
ip nat inside source static 10.1.3.1 10.1.1.10

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 10.1.1.10          10.1.3.1           ---                ---
host1#ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.1.10:5       10.1.3.1:5         10.1.1.1:5         10.1.1.1:5
--- 10.1.1.10          10.1.3.1           ---                ---

PAT (NAT overload):

Many inside addresses share the single address of the outside interface; translations are keyed on source address plus port (or ICMP query identifier, which is the :6 in the table below). The access list selects which inside sources are translated: "any" as the destination is normal here, but keep the source range tight, because anything matching the list gets translated:

interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source list NET_INSIDE interface fa0/1 overload
!


R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.2:6        10.1.1.1:6         10.1.3.1:6         10.1.3.1:6



NAT SRC & DST (inside source and outside source together):

The inside host 10.1.1.1 is seen from the outside as 10.1.3.10, and the outside host 10.1.3.1 is seen from the inside as 10.1.1.10. The static route for 10.1.1.10/32 is required: for inside-to-outside traffic IOS routes first and translates afterwards, and without that route a packet for 10.1.1.10 matches the connected 10.1.1.0/24 on the inside interface, never reaches the outside interface and is never translated. Outside-to-inside traffic is translated before it is routed, so the return packet for 10.1.3.10 needs no extra route.

interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip nat inside source static 10.1.1.1 10.1.3.10
ip nat outside source static 10.1.3.1 10.1.1.10
!
ip route 10.1.1.10 255.255.255.255 10.1.3.1
!

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
--- 10.1.3.10          10.1.1.1           ---                ---

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                10.1.1.10          10.1.3.1
icmp 10.1.3.10:10      10.1.1.1:10        10.1.1.10:10       10.1.3.1:10
icmp 10.1.3.10:18      10.1.1.1:18        10.1.1.10:18       10.1.3.1:18
--- 10.1.3.10          10.1.1.1           ---                ---
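As an added example (Python, not Cisco code and not part of the original post), the small model below implements the order of operations described above: inside-to-outside packets are routed before translation, outside-to-inside packets are translated before routing. It is loaded with the addresses of the SRC & DST configuration, reproduces the row seen in "show ip nat translations", and shows that without the 10.1.1.10/32 route the packet is never translated at all. The class and function names (NatRouter, build_router, forward, translation_row) are this example's own, and only static entries are modelled.

```python
"""Toy model of the IOS NAT order of operations, used to show why the
'NAT SRC & DST' example needs its /32 static route.  Added example; not
Cisco code.  Only static inside/outside source entries are modelled."""
from ipaddress import ip_address, ip_network


class NatRouter:
    def __init__(self):
        self.interfaces = {}        # name -> (connected network, "inside" | "outside")
        self.static_routes = []     # (prefix, next hop)
        self.inside_static = {}     # inside local  -> inside global
        self.outside_static = {}    # outside global -> outside local

    def interface(self, name, cidr, role):
        self.interfaces[name] = (ip_network(cidr, strict=False), role)

    def ip_route(self, prefix, next_hop):
        self.static_routes.append((ip_network(prefix), ip_address(next_hop)))

    def nat_inside_source_static(self, local, glob):
        self.inside_static[ip_address(local)] = ip_address(glob)

    def nat_outside_source_static(self, glob, local):
        self.outside_static[ip_address(glob)] = ip_address(local)

    def _connected_interface(self, addr):
        for name, (net, _) in self.interfaces.items():
            if addr in net:
                return name
        return None

    def egress(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        dst = ip_address(dst)
        candidates = [(net.prefixlen, name)
                      for name, (net, _) in self.interfaces.items() if dst in net]
        for prefix, nh in self.static_routes:
            via = self._connected_interface(nh)
            if dst in prefix and via:
                candidates.append((prefix.prefixlen, via))
        return max(candidates)[1] if candidates else None

    def forward(self, src, dst, ingress):
        """Return (src, dst, egress interface, translated?) for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        if self.interfaces[ingress][1] == "inside":
            # inside -> outside: route FIRST; translate only if the packet
            # actually leaves through an outside interface
            out = self.egress(dst)
            if out is None or self.interfaces[out][1] != "outside":
                return str(src), str(dst), out, False
            new_src = self.inside_static.get(src, src)                            # inside local -> inside global
            new_dst = {v: k for k, v in self.outside_static.items()}.get(dst, dst)  # outside local -> outside global
        else:
            # outside -> inside: translate FIRST, then route on the translated destination
            new_src = self.outside_static.get(src, src)                           # outside global -> outside local
            new_dst = {v: k for k, v in self.inside_static.items()}.get(dst, dst)   # inside global -> inside local
            out = self.egress(new_dst)
        return str(new_src), str(new_dst), out, (new_src, new_dst) != (src, dst)

    def translation_row(self, src, dst, ingress):
        """The four columns of 'show ip nat translations' for an inside-to-outside packet."""
        new_src, new_dst, _, _ = self.forward(src, dst, ingress)
        return {"inside_global": new_src, "inside_local": src,
                "outside_local": dst, "outside_global": new_dst}


def build_router(with_route=True):
    """The 'NAT SRC & DST' topology from the post (addresses as shown there)."""
    r = NatRouter()
    r.interface("fa0/0", "10.1.1.2/24", "inside")
    r.interface("fa0/1", "10.1.3.2/24", "outside")
    r.nat_inside_source_static("10.1.1.1", "10.1.3.10")
    r.nat_outside_source_static("10.1.3.1", "10.1.1.10")
    if with_route:
        r.ip_route("10.1.1.10/32", "10.1.3.1")    # ip route 10.1.1.10 255.255.255.255 10.1.3.1
    return r


if __name__ == "__main__":
    r = build_router()
    print("with route:   ", r.forward("10.1.1.1", "10.1.1.10", "fa0/0"))
    print("reply:        ", r.forward("10.1.3.1", "10.1.3.10", "fa0/1"))
    print("table row:    ", r.translation_row("10.1.1.1", "10.1.1.10", "fa0/0"))
    print("without route:", build_router(with_route=False).forward("10.1.1.1", "10.1.1.10", "fa0/0"))
```

The "without route" case returns the packet untranslated on fa0/0, which is exactly what you see on a real router when the /32 is missing: the ping from 10.1.1.1 to 10.1.1.10 never creates a translation entry.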



Dynamic NAT:

Inside sources matching the access list are translated to an address taken from the pool. With "type match-host" the host part of the address is kept (10.1.1.10 becomes 10.1.3.10 below), which keeps translations predictable in logs and firewall rules. As written, the pool 10.1.3.1-10.1.3.254 also contains addresses already in use on the outside segment, including the router's own 10.1.3.2; a pool must not overlap those, so exclude them or start the pool above them:

interface fa0/0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface fa0/1
 ip address 10.1.3.2 255.255.255.0
 ip nat outside
!
ip access-list extended NET_INSIDE
 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat pool NAT_OUTSIDE 10.1.3.1 10.1.3.254 prefix-length 24 type match-host
!
! "type rotary" pools are meant for TCP load distribution with
! "ip nat inside destination list ... pool ...", not as a drop-in
! alternative for an inside source pool:
! ip nat pool NAT_OUTSIDE 10.1.3.9 10.1.3.254 prefix-length 24 type rotary
!
ip nat inside source list NET_INSIDE pool NAT_OUTSIDE

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.3.10:27      10.1.1.10:27       10.1.4.1:27        10.1.4.1:27
--- 10.1.3.10          10.1.1.10          ---                ---




Friday, August 16, 2013

Troubleshoot HIGH CPU during the night !

 
Below is another EEM configuration, useful for finding the root cause of high CPU.
High CPU alerts are often raised during off hours, when nobody is around to diagnose them, which is why I wrote this script.
When the high CPU syslog message ("%SYS-1-CPURISINGTHRESHOLD") is detected, the applet runs "show proc cpu sorted 5min" and mails the output to a mailbox. Two practical notes: the 5-minute column smooths out a short spike, so with a short rising interval "show proc cpu sorted 5sec" may point at the culprit more reliably; and the EEM mail action speaks plain, unauthenticated SMTP, so send it to an internal relay that accepts mail from the device's address rather than to an Internet-facing server.

process cpu threshold type total rising 80 interval 30
!
event manager applet ALERT-CPU
 event syslog pattern "%SYS-1-CPURISINGTHRESHOLD"
 action 1.0 cli command "enable"
 action 2.0 cli command "show proc cpu sorted 5min"
 action 3.0 mail server "172.16.10.10" to "NetAdmin@mybox.com" from "myswitch@mylab.lab" subject "CPU Alert 5 min" body "$_cli_result"

Saturday, August 10, 2013

Cisco Prompt Modification


 

I recently discovered a handy trick. As on UNIX, you can modify your prompt on Cisco equipment, using the "prompt" command in global configuration mode with the following variables:
%h - hostname
%n - TTY number of the EXEC session
%p - prompt character (> or #)
%s - space

In the example below I changed the prompt so that I can see which line my session is on. Together with "show users", this tells me at a glance whether someone else is connected to the router:

Before:
RouterLAB#

Command (global configuration):
prompt %h%s-%s%n%p

After:
RouterLAB - 2#

Thursday, June 20, 2013

Detect High CPU on a Cisco Switch

Recently I had an issue on a core switch: it ran at 80% CPU for three days. The CPU was not monitored and no syslog message reached our server.
So I decided to use the following command (on a Catalyst 4500) to trigger a syslog alert in case of high CPU:

process cpu threshold type total rising 60 interval 20

This command generates a "%SYS-1-CPURISINGTHRESHOLD" syslog message when total CPU utilization exceeds 60 percent for a period of 20 seconds. Add the optional "falling" threshold to the same command if you also want a "%SYS-1-CPUFALLINGTHRESHOLD" message when the load drops back; it makes the episode easy to bound in the logs.

Saturday, June 8, 2013

EEM - Generate a customized syslog message



To generate a customized syslog message, you can use EEM (Embedded Event Manager), a Cisco IOS tool that watches for events and runs actions when a particular event occurs. In my case, I want a customized log message, at "alerts" level and with my own text, when my primary WAN link is down. The policy of my syslog server is to send an email only for messages at "error" level or more severe, and an interface shutdown only logs %LINK-5-CHANGED ("changed state to administratively down") at "notification" level, which never triggers an email.
I monitor interface GigabitEthernet1/1. When its down message is logged, the applet generates my customized message. The syslog pattern is a regular expression matched against each message; matching "changed state to administratively down" would only catch a shutdown, so the applet below matches the %LINEPROTO-5-UPDOWN message instead, which is logged both for a shutdown and for a real link failure. You can see the configuration below:


event manager applet WanMonitor
 event syslog pattern "Line protocol on Interface GigabitEthernet1/1, changed state to down"
 action 1.0 syslog priority alerts msg "PRIMARY WAN LINK is DOWN on Core 1"