Archive for September, 2008

Find feature within show running-config in IOS

September 20th, 2008, by peter

The nice thing about working with Cisco gear is that you keep running into features you had never heard of. The following one is a good example.

When you do a show run on, for instance, a Cisco router and the output pauses at the --More-- prompt, you can press / followed by a search string (a regular expression) to jump straight to the part of the config you are looking for. IOS answers with filtering... and resumes the output at the first line that matches. This is very handy with large configs.

The following output quickly shows me the configuration of port Gi13/18 on a Cisco switch, without scrolling through the entire config:

switch#sh run
Building configuration…

Current configuration : 63114 bytes
!
! Last configuration change at 12:20:34 MET-DST Sat Sep 20 2008 by xxx
! NVRAM config last updated at 12:20:35 MET-DST Sat Sep 20 2008 by xxx
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service counters max age 5
!
hostname switch
!
enable secret 5 xxx
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
!
!
/13/18
filtering…
interface GigabitEthernet13/18
description server1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11,12
switchport mode trunk
switchport nonegotiate
no ip address
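The / search only looks forward from the --More-- prompt where you type it, so you still page through everything above the match. As an added example that is not part of the original post, here are the output modifiers that do the same filtering up front, and the per-interface form of show running-config, run against the same port as above. Which of these your IOS release supports varies; the | section modifier in particular is only on newer releases.

```cisco
! Added example (not from the original post). Same switch and port as the
! output above; availability of each form depends on the IOS release.
!
! Skip straight to the first line matching the regex and print the rest
! (equivalent to the / search, but done before the output starts):
show running-config | begin interface GigabitEthernet13/18
!
! Print only the lines that match the regex:
show running-config | include 13/18
!
! Print the whole block that starts with the matching line (newer IOS only):
show running-config | section interface GigabitEthernet13/18
!
! Print the running config of one interface, without any pipe tricks:
show running-config interface GigabitEthernet13/18
!
! The same modifiers work on any show command, e.g. trunk status of that port:
show interfaces trunk | include Gi13/18
```

The | include form is the one to reach for when the question is "where else is this VLAN or description used?", because it shows every matching line across the whole config rather than the first one.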

Categories: IOS

Using the Packet Capture command on a Cisco ASA

September 20th, 2008, by admin

Recently I wanted to sniff a packet stream that passed inline through an ASA firewall. Normally I would think of an external sniffer such as Ethereal, attached to a mirror of the firewall's switch port, and sniff the packets there. But I found that I can do the same with the capture command on the ASA itself. Let's take a quick look at what the capture command is and how it works.

In short, these are the steps I walked through:

1) Create an ACL that matches the interesting traffic
2) Define the capture and bind it to that access-list and an interface
3) View the capture on the firewall, or copy it off in .pcap format

Here is my situation:

The ACL that matches the traffic has to be written per interface, because with NAT or PAT in the path the firewall sees different addresses on each side of the translation. When you use the capture command in a troubleshooting scenario, the best thing you can do is build a capture on both the inside and the outside interface, relative to the packet stream, so you see each packet before and after it traverses the firewall. In my situation I want to sniff a web session from a workstation with IP address 10.1.1.10 to the web server 62.69.184.129. The traffic is PATed to 192.168.10.2 (fictional), so the outside capture has to match the translated address rather than the real one. Each ACL needs both directions, because a capture ACL matches packets entering and leaving the interface.

! inside capture ACL: real (pre-NAT) addresses, both directions
access-list 100 permit tcp host 10.1.1.10 host 62.69.184.129 eq 80
access-list 100 permit tcp host 62.69.184.129 eq 80 host 10.1.1.10

! outside capture ACL: translated (post-PAT) address, both directions
access-list 101 permit tcp host 62.69.184.129 eq 80 host 192.168.10.2
access-list 101 permit tcp host 192.168.10.2 host 62.69.184.129 eq 80

Now I create the captures for the inside and the outside interface, each bound to its own ACL:

capture in access-list 100 interface inside packet-length 1518
capture out access-list 101 interface outside packet-length 1518

Let the client run the session. Then you can copy the results to a TFTP server:

copy /pcap capture:out tftp://10.1.1.10/out.pcap
copy /pcap capture:in tftp://10.1.1.10/in.pcap

Finally, you can read the captures with Wireshark.
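For reference, here is the whole procedure as one block, with the checks and the cleanup I would want in practice: confirming that the captures actually fill before involving the user, looking at the buffer on the box, and removing the captures afterwards. This is an added example and not part of the original post; the ACL names CAP_IN and CAP_OUT, the buffer size and the TFTP server address 10.1.1.50 are assumptions.

```cisco
! Added example (not from the original post). ACL names, buffer size and
! the TFTP server 10.1.1.50 are assumptions; addresses are the ones above.
!
! 1) Match the session in both directions, with the addresses as each
!    interface sees them: real addresses inside, PATed address outside.
access-list CAP_IN extended permit tcp host 10.1.1.10 host 62.69.184.129 eq 80
access-list CAP_IN extended permit tcp host 62.69.184.129 eq 80 host 10.1.1.10
access-list CAP_OUT extended permit tcp host 192.168.10.2 host 62.69.184.129 eq 80
access-list CAP_OUT extended permit tcp host 62.69.184.129 eq 80 host 192.168.10.2
!
! 2) Bind each ACL to its own capture and interface. A larger circular
!    buffer keeps the most recent packets instead of stopping when full.
capture in access-list CAP_IN interface inside packet-length 1518 buffer 2000000 circular-buffer
capture out access-list CAP_OUT interface outside packet-length 1518 buffer 2000000 circular-buffer
!
! 3) Check that packets are arriving in both buffers; if only "in" fills,
!    the outside ACL is probably matching the wrong (untranslated) address.
show capture
show capture in
show capture out
show capture in detail
!
! Copy both captures off as pcap. TFTP is cleartext and unauthenticated and
! the file is a copy of the user's traffic, so use a server on a trusted
! management segment. With the HTTP server enabled, the same file is also
! available at https://<asa>/admin/capture/in/pcap.
copy /pcap capture:in tftp://10.1.1.50/in.pcap
copy /pcap capture:out tftp://10.1.1.50/out.pcap
!
! 4) Clean up: the capture runs in the forwarding path and its buffer holds
!    a copy of the traffic, so do not leave it behind when done.
no capture in
no capture out
clear configure access-list CAP_IN
clear configure access-list CAP_OUT
```

The asymmetric check in step 3 is the quickest way to catch the classic mistake with captures on a NAT device: a capture ACL that matches on one side of the translation and silently matches nothing on the other.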

Categories: Cisco ASA

Using macros with IOS

September 11th, 2008, by admin

Ever wanted to do something on a Cisco switch but couldn't, because the action would cut off your own management session? I ran into this recently when I wanted to activate a new SVI on a Catalyst 2950. Since only one SVI can be active at a time on this platform, I decided to do it with a macro. A macro is stored on the switch and can be applied manually. When it is applied, you can be sure the whole script runs from beginning to end, without interruption.

I used the following script:

macro name change_vlan
# take the old management SVI down first
interface Vlan1
 no description
 no ip address
 shutdown
# bring up the new management SVI on the production VLAN
interface Vlan250
 description production
 ip address 10.101.3.1 255.255.255.0
 no shutdown
@

To apply the macro, enter (the @ on its own line above ends the macro definition):

switch(config)# macro global apply change_vlan
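As an added example that is not part of the original post, this is how I would check the stored macro and apply it with trace output, so each command is echoed as it runs. It assumes only the change_vlan macro defined above.

```cisco
! Added example (not from the original post); assumes the change_vlan
! macro defined above is already stored on the switch.
!
! List the stored macros and print this one's body, so you know exactly
! what is about to run before the old SVI goes away.
show parser macro brief
show parser macro name change_vlan
!
! Apply from the console rather than over a Telnet session to the old
! Vlan1 address; "trace" prints every command as the macro executes it.
configure terminal
 macro global trace change_vlan
 end
!
! Confirm the new SVI is up and the old one is administratively down.
show ip interface brief
```

If the macro has a typo, trace shows the line that failed instead of leaving you guessing at an unreachable switch.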

Categories: IOS