Blog: Router

A network support customer with DSL had lost Internet access over the weekend.  They tried rebooting the DSL modem and Linksys WRT54G router to no avail.  When I got onsite, I connected to the router’s wireless as well as Ethernet port with my laptop and confirmed that there was no Internet access.  I connected to the web management interface of the router which had a complex password, so the customer likely had not gone in and changed anything. 

I could see that the router had successfully obtained a public IP address, gateway, and DNS servers from the ISP.  There was an internal ping utility built into the router, and I was able to use it to successfully ping the DNS servers and gateway IP addresses.  When I tried from the connected PC, I could ping the router’s public interface, but not the gateway of the router or the DNS servers. 

I looked through the settings to see if I could find any reason that traffic was dying going through the router and could not find anything.  I then backed up the configuration of the router to my laptop and did a factory reset.  After the router came back up, I was able to access the Internet through the router and ping everything.

I uploaded the configuration file back on to the router and it broke the connection again.  I decided at this point to factory reset again and manually set the password and SSID on the unit back to the previous settings.  It is my guess at this time that the configuration on the router had become corrupted.


 

The switch ports on the Cisco routers don’t appear to be as robust as a standard switch.  All clients at a client’s motor bank went down the other morning.  After travelling on site, it turned out the problem was a bad cable end on one client.  All seven devices connected to the same 8-port switch on the branch router, and this one bad cable took down all seven devices.  I could move the faulty device from the router’s switch port to an external switch, and everything would work.  I went ahead and replaced the bad cable end, and reconnected all devices to the router’s switchports.


 

Here is a way to easily display several lines before what you are searching for in a Cisco router configuration.  Use “show run linenum | include <string>”.  The linenum modifier causes the device to number each line.  Then use “show run linenum | begin <number> :” to start a few lines before the match (the output filter keyword is begin, not beginning).  Keep in mind these commands can be abbreviated, for example “show run line | inc <string>”.
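The same two-step trick applied to a saved copy of a configuration, as an added example that is not part of the original post. The config text is constructed here; the functions emulate what the linenum modifier and the include and begin filters do so you can see why the “<number> :” pattern in the begin filter lands on the right line.

```python
import re

# Constructed sample of "show running-config" output (not from the post).
SAMPLE_CONFIG = """\
version 12.4
hostname branch-rtr
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
!
line vty 0 4
 transport input ssh
"""


def number_lines(config):
    """Number each line the way 'show run linenum' does: '<n> : <text>'."""
    return [f"{n:5d} : {text}" for n, text in enumerate(config.splitlines(), start=1)]


def include(numbered, pattern):
    """Emulate '| include <pattern>' on the numbered output (regex search)."""
    return [line for line in numbered if re.search(pattern, line)]


def begin(numbered, number):
    """Emulate '| begin <number> :' on the numbered output.

    The trailing ' :' is what keeps 'begin 3 :' from matching line 13 or 30."""
    marker = f"{number} :"
    for i, line in enumerate(numbered):
        if line.lstrip().startswith(marker):
            return numbered[i:]
    return []


def context_before(config, pattern, lines_before=3):
    """Find the first match with include, then restart the output a few lines earlier with begin."""
    numbered = number_lines(config)
    hits = include(numbered, pattern)
    if not hits:
        return []
    first_number = int(hits[0].split(":")[0])
    start = max(1, first_number - lines_before)
    return begin(numbered, start)


if __name__ == "__main__":
    for line in context_before(SAMPLE_CONFIG, "helper-address", 3):
        print(line)
```

Running it prints the numbered config from the “!” three lines above the helper-address line down to the end, which is exactly what the two filter commands produce on the router.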


 

Using TCL on Cisco devices: TCL is a powerful programming language that can be used for many tasks.  You enter the TCL environment by entering the tclsh command.  You exit by entering tclquit.  Here is a command you can use to create a file on a router.  For text files, this can be much easier than getting a tftp or ftp server available to use.  First enter tclsh to get into TCL.  Enter this command but do not press Enter after the line.  Substitute the file name and location for flash:test:

puts [open "flash:test" w+] {

Enter or paste in your text right after the {.  When finished, enter } and press Enter.  Then enter tclquit to exit out of the TCL environment.  If the text you are entering contains an unmatched right curly brace }, this will not work since it will terminate the input.  Also, TCL variables begin with a dollar sign $, so you cannot use those either.  If you are pasting in a configuration, then usually passwords are the only lines that will give problems.

Many TCL scripts have been written, including a simple editor.  I am not sure what versions of IOS include TCL – the feature navigator does not match what I have seen.  A nice introduction to TCL on Cisco is http://www.netcraftsmen.net/welcher/papers/iostcl01.html, which has links to some Cisco pages.  Learn more about TCL at http://tcl.tk.
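A pre-flight check for text you intend to paste into the braced puts block, as an added example that is not from the original post or from Cisco. It flags the two conditions the post warns about, an unmatched } (which ends the block early) and a $ anywhere in the text, and only assembles the full tclsh command when the text is clean. The sample config text is constructed; braces are counted literally and backslash escapes are not handled.

```python
# Constructed text to be written to flash via the tclsh trick (not from the post).
# Line 2 carries a '$' (a secret hash, as the post predicts) and line 4 an unmatched '}'.
SAMPLE_TEXT = """\
hostname branch-rtr
enable secret 5 $1$placeholder$notarealhash
banner motd ^C
Authorized use only }
^C
"""


def check_tcl_paste(text):
    """Return (line_number, reason) pairs for lines that would break the braced
    puts block: an unmatched '}' terminates the block, and the post advises
    keeping '$' out of the pasted text as well."""
    problems = []
    depth = 0  # nesting of '{' seen so far inside the pasted text
    lines = text.splitlines()
    for n, line in enumerate(lines, start=1):
        for ch in line:
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    problems.append((n, "unmatched '}' would terminate the puts block"))
                else:
                    depth -= 1
        if "$" in line:
            problems.append((n, "contains '$', which Tcl treats as a variable sigil"))
    if depth:
        problems.append((len(lines), f"{depth} '{{' left open"))
    return problems


def build_tcl_command(path, text):
    """Assemble the full tclsh command for the given flash path, or None if the
    text is unsafe to paste. The closing '}' is what you type before pressing Enter."""
    if check_tcl_paste(text):
        return None
    return f'puts [open "{path}" w+] {{\n{text}}}'


if __name__ == "__main__":
    for line_no, reason in check_tcl_paste(SAMPLE_TEXT):
        print(f"line {line_no}: {reason}")
    print(build_tcl_command("flash:test", "hostname branch-rtr\n"))
```

Run it against the text you plan to paste before you enter tclsh; if it reports nothing, the printed command is what to type, with the text pasted after the opening brace and the closing brace entered last.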

 

I've recently been trying out the PuTTY Connection Manager and I think it's a very useful tool. What I find most useful is the ability to store the connection information for all of the routers/switches that you connect to regularly similar to VissionApp or RoyalTS does for terminal servers. It is currently a work in progress but the beta version is pretty stable. You can download it for free here: http://puttycm.free.fr/


 

The other day I was setting up a Disaster Recovery DHCP server. Part of the testing process was to set up a test branch with an additional 'ip helper' command in the router so that it would start forwarding DHCP broadcasts across the WAN to the Disaster Recovery site. I entered the command and immediately started seeing traffic at the DR DHCP server. However, I was seeing more UDP traffic than just DHCP. I also started seeing errors like this in the event logs:

The master browser has received a server announcement from the computer <MACHINE> that believes that it is the master browser for the domain on transport NetBT_Tcpip_{66AC525D-CD06-401. The master browser is stopping or an election is being forced.

It's not uncommon to see these messages from time to time, but I was seeing them non-stop for about an hour. After some searching I found that the 'ip helper-address' command that is standard in our Cisco router config turns on UDP broadcast forwarding for 8 different protocols. DHCP is one of them, but I wanted to turn it off for all the others. So, I found this command:

ip forward-protocol udp <protocol/port>

The previous command was supposed to fix it. The router would accept 'ip forward-protocol udp dhcp', but it would not show up in the running config. Finally, I realized it is one of those commands where you have to turn off what you don't want instead of turning on what you do, so I entered these commands to stop the NetBIOS broadcast traffic:

no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
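To make the "turn off what you don't want" behaviour concrete, here is an added example (not from the original post) that computes the set of UDP ports a helper address will relay from a config fragment and runs a few constructed LAN broadcasts through the "before" and "after" configs. The eight default ports are my reading of the IOS defaults, not something the post lists; the config fragments and the broadcast records are constructed.

```python
import re

# UDP ports IOS relays by default once ip helper-address is configured
# (assumed IOS default list; not taken from the post).
DEFAULT_FORWARDED_UDP = {
    "time": 37, "tacacs": 49, "domain": 53, "bootps": 67, "bootpc": 68,
    "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138,
}

# Constructed router config fragments: helper only, then with the two "no" lines.
CONFIG_BEFORE = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.10
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
"""

# Constructed broadcasts seen on the branch LAN: (source, UDP dst port, description).
BROADCASTS = [
    ("192.0.2.25", 67, "DHCPDISCOVER"),
    ("192.0.2.31", 137, "NetBIOS name query"),
    ("192.0.2.31", 138, "browser server announcement"),
    ("192.0.2.40", 5353, "mDNS"),
]


def effective_forwarded_ports(config):
    """Return the UDP destination ports the helper will relay.

    With no ip helper-address nothing is relayed. Otherwise start from the
    default set and apply each 'ip forward-protocol udp <name|port>' or
    'no ip forward-protocol udp <name|port>' line in order."""
    if not re.search(r"^\s*ip helper-address\s+\S+", config, re.MULTILINE):
        return set()
    ports = set(DEFAULT_FORWARDED_UDP.values())
    for line in config.splitlines():
        m = re.match(r"\s*(no\s+)?ip forward-protocol udp (\S+)\s*$", line)
        if not m:
            continue
        negate, name = m.group(1), m.group(2)
        port = DEFAULT_FORWARDED_UDP.get(name, int(name) if name.isdigit() else None)
        if port is None:
            continue  # unknown keyword: leave the set unchanged
        if negate:
            ports.discard(port)
        else:
            ports.add(port)
    return ports


def classify(broadcasts, ports):
    """Split broadcast records into those the helper relays across the WAN and those it drops."""
    relayed = [b for b in broadcasts if b[1] in ports]
    dropped = [b for b in broadcasts if b[1] not in ports]
    return relayed, dropped


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        relayed, dropped = classify(BROADCASTS, effective_forwarded_ports(cfg))
        print(label, "relayed:", [b[2] for b in relayed], "dropped:", [b[2] for b in dropped])
```

With the "before" config the NetBIOS name and datagram broadcasts are relayed alongside DHCP, which is the traffic that triggered the master browser elections; with the two "no" lines only the DHCPDISCOVER crosses the WAN.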


 

For those who like to experiment, there is open-source firmware available for many SOHO routers.  Two popular ones are:

Here’s a partial list of extra features you get with these:

  • Improved QoS capabilities
  • Better bandwidth reporting
  • Ability to increase wireless output power
  • Support for wireless clients and wireless bridging
  • Improved access restriction rules

 

The new business class Linksys router (RVS4000) has lots of great features (very much like Cisco’s IOS).  I was recently setting one up for a customer that had an SBS server and a Symantec mail appliance.  The SBS server was not going to use ISA so I needed to set up a VLAN on the Linksys for the DMZ.  This was all easy enough, but when it came to publishing ports, I ran into a limitation in the configuration interface.  I needed to publish RDP (TCP port 3389) directly to the SBS server on the main/default VLAN, and SMTP (TCP port 25) to the mail appliance on the DMZ VLAN.  Unfortunately, the web interface for configuring port forwarding on the Linksys only allows you to modify the last octet of a published address (pre-filling the first three octets from the default VLAN).  I did some research and even called Linksys support, but this is “by design”.  I tried exporting the config to see if I could change the publishing definitions directly and just re-import, but the config also only saved the last octet.  I was able to work around this limitation by splitting their class C in half (255.255.255.128 as the subnet mask) and using the lower half for the internal LAN, and the upper half for the DMZ.  This way, I was able to publish ports on the two separate VLANs, but still have the traffic segmented.
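The subnet arithmetic behind that workaround, as an added example that is not part of the original post: the /24 is split into two /25s, and each forwarding target is checked to share the first three octets (the only thing the last-octet-only form can express) and reported against the half, and therefore the VLAN, it lands in. The network and the two target addresses are constructed.

```python
import ipaddress

# Constructed addresses (documentation range), not the customer's.
SITE_NETWORK = "192.0.2.0/24"
FORWARDS = [
    ("RDP to SBS server", 3389, "192.0.2.10"),
    ("SMTP to mail appliance", 25, "192.0.2.200"),
]


def split_for_dmz(network):
    """Split the site's /24 into two /25s: the lower half is the LAN, the upper half the DMZ."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("this workaround assumes a /24 (class C) to split in half")
    lan, dmz = net.subnets(new_prefix=25)
    return lan, dmz


def target_reachable(network, target):
    """True if the target can be expressed by editing only the last octet of the /24."""
    return ipaddress.ip_address(target) in ipaddress.ip_network(network)


def plan_forwards(network, forwards):
    """For each (label, TCP port, target) report which half the target lands in,
    plus the mask to configure on both VLAN interfaces."""
    lan, dmz = split_for_dmz(network)
    plan = []
    for label, port, target in forwards:
        if not target_reachable(network, target):
            raise ValueError(f"{target} is outside {network}: not reachable by editing the last octet")
        addr = ipaddress.ip_address(target)
        plan.append({
            "label": label,
            "port": port,
            "target": target,
            "segment": "LAN" if addr in lan else "DMZ",
            "mask": str(lan.netmask),  # 255.255.255.128 for both halves
            "usable_hosts": f"{lan[1]}-{lan[-2]}" if addr in lan else f"{dmz[1]}-{dmz[-2]}",
        })
    return plan


if __name__ == "__main__":
    lan, dmz = split_for_dmz(SITE_NETWORK)
    print("LAN", lan, "DMZ", dmz, "mask", lan.netmask)
    for entry in plan_forwards(SITE_NETWORK, FORWARDS):
        print(entry)
```

The point the output makes is that both targets still sit inside the original /24, so the RVS4000 form can address them, while the /25 mask keeps the two halves on separate VLANs.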


 

I was researching a way to do major router changes remotely.  I found that if I tftp’ed a new configuration directly to NVRAM and replaced the startup-config file, then reloaded the router, all changes would go into effect.  While testing this process locally, I found out that when the router was reloaded with the new configuration file, the SSH encryption keys got erased and had to be regenerated.  So if this process is used, make sure telnet is enabled on the VTY lines so that you can get back into the router!


 

We use the ip tcp adjust-mss command on Cisco routers to set the maximum segment size for TCP connections going over VPN connections.

To find the optimum maximum segment size, be sure to use the do-not-fragment option when pinging across the link.  Sending a regular ping will show you the largest packet size that will make it across the link; using the df flag will tell you the largest packet that can traverse the link without being broken into multiple parts.  To set the do-not-fragment flag using the Windows ping utility, add "-f" to the command line.

Also, be sure to perform the same test over the regular, non-tunneled connection to the destination router.  Make sure your adjust-mss value is lower than the maximum non-fragmented packet.
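The arithmetic that turns a DF ping result into an adjust-mss value, as an added example that is not from the original post. The "link" is a constructed stand-in for running ping -f -l <size> and seeing a reply rather than a fragmentation error: the search finds the largest payload that crosses it, the payload plus 28 bytes of IP and ICMP header is the path MTU, and 40 bytes of IP and TCP header come off that to give the MSS. The MTU figures (1400 through the tunnel, 1500 on the plain path) are assumptions for the demo.

```python
IP_HEADER = 20    # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header; Windows "-l" counts only the data after it
TCP_HEADER = 20   # bytes, TCP header without options


def ping_command(host, payload):
    """The Windows ping line for one do-not-fragment probe of a given payload size."""
    return f"ping -f -l {payload} {host}"


def probe_max_payload(link_fits, high=1472):
    """Binary-search the largest 'ping -f -l <size>' payload that crosses the link.

    link_fits(total_ip_length) -> bool stands in for the real probe; 1472 is the
    largest payload that fits a 1500-byte Ethernet MTU, so the search starts there."""
    low = 0
    while low < high:
        mid = (low + high + 1) // 2
        if link_fits(mid + IP_HEADER + ICMP_HEADER):
            low = mid
        else:
            high = mid - 1
    return low


def path_mtu_from_payload(payload):
    """Largest unfragmented IP packet = ping payload + IP header + ICMP header."""
    return payload + IP_HEADER + ICMP_HEADER


def mss_for_mtu(mtu):
    """TCP payload that fits the MTU once IP and TCP headers are taken off."""
    return mtu - IP_HEADER - TCP_HEADER


def recommend_adjust_mss(tunnel_fits, plain_fits):
    """Follow the post: size the MSS from the tunneled path, then confirm it is
    lower than the largest unfragmented packet on the plain path to the same router."""
    tunnel_mtu = path_mtu_from_payload(probe_max_payload(tunnel_fits))
    plain_mtu = path_mtu_from_payload(probe_max_payload(plain_fits))
    mss = mss_for_mtu(tunnel_mtu)
    return {
        "tunnel_mtu": tunnel_mtu,
        "plain_mtu": plain_mtu,
        "adjust_mss": mss,
        "below_plain_limit": mss < plain_mtu,
        "command": f"ip tcp adjust-mss {mss}",
    }


if __name__ == "__main__":
    # Constructed links: the tunnel passes 1400-byte packets, the plain path 1500-byte packets.
    result = recommend_adjust_mss(lambda total: total <= 1400, lambda total: total <= 1500)
    print(ping_command("203.0.113.2", probe_max_payload(lambda total: total <= 1400)))
    print(result)
```

With those assumed links the largest DF payload through the tunnel is 1372, giving a path MTU of 1400 and an adjust-mss of 1360, comfortably under the 1500 bytes the plain path carries.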