www.howtonetwork.org

CCNA & CCNP Certification Training


IOS Maintenance and Monitoring Tools – Part 5

Network Based Application Recognition

Network Based Application Recognition (NBAR) is another Cisco IOS software tool that can be used for monitoring and baselining network performance. NBAR is an intelligent classification engine in Cisco IOS software that can recognize a wide variety of applications. Once the applications are recognized, the network can invoke required services for that particular application by implementing QoS policies to support the application requirements. NBAR provides two primary functions – identifying applications and protocols and allowing for the dynamic discovery of protocols on the network.

NBAR can classify applications that use statically assigned TCP and UDP port numbers, as well as those that use dynamically assigned or negotiated TCP and UDP port numbers. NBAR can also recognize and classify applications based on non-UDP and non-TCP IP protocols. In addition, NBAR can perform sub-port classification, including classification based on HTTP URLs, MIME types, or hostnames. NBAR also supports Citrix traffic classification, as well as classification of the Real-Time Transport Protocol (RTP), which is used by IP voice and video.

The NBAR Protocol Discovery (PD) feature can also be used to collect application and protocol statistics, such as packet counts, byte counts and bit rates, on a per-interface basis. This information can then be retrieved by polling SNMP statistics from the NBAR PD Management Information Base (MIB). NBAR uses Packet Description Language Modules (PDLMs) for protocol and application recognition. In the event that a specific protocol or application is not recognized, an external PDLM can be loaded at any time into the router Flash memory to extend the NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition capability. The use of PDLMs allows NBAR to recognize additional protocols and applications without having to upgrade or replace the current version of software on the router, providing additional flexibility for network administrators.

Like NetFlow, NBAR Protocol Discovery is enabled on a per-interface basis using the ip nbar protocol-discovery interface configuration command.  Prior to configuring NBAR, you must enable Cisco Express Forwarding (CEF) on the router using the ip cef global configuration command. CEF is described in detail in both the ROUTE and SWITCH guides that are available online. CEF troubleshooting will be described later in this guide. The following configuration example illustrates how to enable NBAR on a router interface. Note that Cisco Express Forwarding (CEF) is enabled prior to the NBAR PD configuration:

R2(config)#ip cef
R2(config)#interface fastethernet 0/0
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit

Following this configuration, NBAR PD statistics can be viewed by issuing the show ip nbar protocol-discovery command. Keep in mind that the recognized applications or protocols printed in the output of this command will vary depending on your current IOS version and the PDLMs that have been integrated into that version of code, or loaded into router Flash memory:

R2#show ip nbar protocol-discovery

 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   netbios                  832                      0
                            76544                    0
                            3000                     0
                            3000                     0
   snmp                     24                       12
                            3172                     1655
                            0                        0
                            1000                     0
   icmp                     222                      221
                            16428                    16342
                            0                        0
                            0                        0
   eigrp                    0                        10
                            0                        740
                            0                        0
                            0                        0
   ospf                     0                        3
                            0                        270
                            0                        0
                            0                        0
   syslog                   0                        2
                            0                        254
                            0                        0
                            0                        0

[Truncated Output]
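Baselining with NBAR PD means keeping the per-protocol counters from this output and comparing later polls against them. The following Python script is an added example, not part of the original guide: it parses the output layout shown above into per-interface, per-protocol statistics and flags protocols that are missing from a baseline or whose 5-minute bit rate exceeds it. The sample output and the BASELINE values are constructed for the example.

```python
"""Parse 'show ip nbar protocol-discovery' output and compare it to a baseline."""
import re
from collections import namedtuple

ProtoStats = namedtuple(
    "ProtoStats",
    "in_pkts out_pkts in_bytes out_bytes in_bps out_bps in_max_bps out_max_bps")

# Constructed sample in the layout the guide shows: an interface header, then
# four rows per protocol (packets, bytes, 5-min bit rate, 5-min max bit rate);
# only the first row carries the protocol name.
SAMPLE_OUTPUT = """\
R2#show ip nbar protocol-discovery

 FastEthernet0/0
                            Input                    Output
                            -----                    ------
   Protocol                 Packet Count             Packet Count
                            Byte Count               Byte Count
                            5min Bit Rate (bps)      5min Bit Rate (bps)
                            5min Max Bit Rate (bps)  5min Max Bit Rate (bps)
   ------------------------ ------------------------ ------------------------
   netbios                  832                      0
                            76544                    0
                            3000                     0
                            3000                     0
   snmp                     24                       12
                            3172                     1655
                            0                        0
                            1000                     0
   h2n_custom_app           21                       21
                            1358                     1134
                            0                        0
                            0                        0
"""

# Hypothetical baseline of (input bps, output bps) captured during normal hours.
BASELINE = {"FastEthernet0/0": {"netbios": (1000, 0), "snmp": (0, 0)}}

_IFACE = re.compile(r"[A-Za-z]\S*\d\S*")          # e.g. FastEthernet0/0
_PROTO = re.compile(r"([\w-]+)\s+(\d+)\s+(\d+)")  # first row of a protocol
_NUMS = re.compile(r"(\d+)\s+(\d+)")              # continuation rows


def parse_protocol_discovery(text):
    """Return {interface: {protocol: ProtoStats}} from the command output."""
    result, iface, name, values = {}, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if _IFACE.fullmatch(line):
            iface, result[line] = line, {}
        elif iface and _PROTO.fullmatch(line):
            m = _PROTO.fullmatch(line)
            name, values = m.group(1), [int(m.group(2)), int(m.group(3))]
        elif name and _NUMS.fullmatch(line):
            m = _NUMS.fullmatch(line)
            values += [int(m.group(1)), int(m.group(2))]
            if len(values) == 8:  # all four rows collected
                result[iface][name] = ProtoStats(*values)
                name, values = None, []
    return result


def find_anomalies(stats, baseline, factor=2.0):
    """Flag protocols seen on the wire but absent from the baseline, and those
    whose 5-minute bit rate exceeds `factor` times the baseline rate."""
    alerts = []
    for iface, protos in stats.items():
        for name, s in protos.items():
            base = baseline.get(iface, {}).get(name)
            if base is None:
                if s.in_pkts or s.out_pkts:
                    alerts.append((iface, name, "not in baseline"))
                continue
            for direction, bps, ref in (("in", s.in_bps, base[0]),
                                        ("out", s.out_bps, base[1])):
                if bps > factor * ref:
                    alerts.append((iface, name, f"{direction} {bps} bps > {factor}x {ref}"))
    return alerts
```

Polling the command over SNMP from the NBAR PD MIB gives the same counters without screen scraping; the comparison logic is identical.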

When using NBAR, it is important to remember that NBAR PD is based on the standard port numbers for the different applications. For example, NBAR will recognize an application as HTTP if the application is using TCP port 80. Likewise, NBAR will recognize SMTP based on the standard TCP port number of 25.  This presents a potential problem in the event that protocols or applications are not using well-known port numbers. For example, it is common practice that some Web applications use TCP port 8080 in addition to the standard port 80.

In such a case, you can use the ip nbar port-map [application or protocol] [tcp | udp] [port number 1] [port number 2]…[port number 16] global configuration command to specify up to sixteen (16) additional port numbers used by the protocol. The following configuration example illustrates how to configure NBAR to recognize a protocol on port numbers other than its well-known port, as follows:

  1. For Email (SMTP) traffic, NBAR should search for TCP ports 25 and 2525
  2. For Telnet traffic, NBAR should search for TCP ports 23 and 3023
  3. For Web (HTTP) traffic, NBAR should search for TCP ports 80 and 8080

This configuration would be implemented as follows on the local router:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip cef
R2(config)#ip nbar port-map smtp tcp 25 2525
R2(config)#ip nbar port-map telnet tcp 23 3023
R2(config)#ip nbar port-map http tcp 80 8080
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit

Following this configuration, you can then use the show ip nbar port-map [protocol] command to see the ports that NBAR is recognizing, either for a specific application or protocol or for all applications and protocols. For example, to see the ports that NBAR recognizes for the Telnet application, you would issue the following command on the router:

R2#show ip nbar port-map telnet
port-map telnet                   tcp 23 3023

If the [protocol] is not specified at the end of the command, NBAR shows default as well as customized port information for all supported protocols and applications as follows:

R2#show ip nbar port-map
port-map bgp                      udp 179
port-map bgp                      tcp 179
port-map citrix                   udp 1604
port-map citrix                   tcp 1494
port-map cuseeme                  udp 7648 7649 24032
port-map cuseeme                  tcp 7648 7649
port-map dhcp                     udp 67 68
port-map dns                      udp 53
port-map dns                      tcp 53

[Truncated Output]

As previously stated, NBAR uses PDLMs for protocol and application recognition. In the event that the PDLM file on the router does not recognize a specific protocol or application, you can download a PDLM file for the application (if one exists) from the Cisco website. Once the download is complete, copy the file to the router Flash memory and then use the ip nbar pdlm [flash://filename.pdlm] global configuration command to reference the file. For example, to load a PDLM for BitTorrent application recognition, you would download the PDLM from the Cisco website and then implement the following configuration on the router:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#ip cef
R2(config)#ip nbar pdlm flash://bittorrent.pdlm
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit

As previously stated, PDLMs are available for most well-known applications and protocols, but not for proprietary applications. If, for example, you have a custom application that uses TCP port numbers 1111, 2222, and 3333, you can use the ip nbar custom [custom name] [tcp | udp] [port number 1]…[port number x] global configuration command to configure NBAR to classify and monitor this additional static-port application, as illustrated in the following configuration example:

R2(config)#ip cef
R2(config)#ip nbar custom h2n_custom_app tcp 1111 2222 3333
R2(config)#interface fastethernet 0/0
R2(config-if)#description 'Connected To Corporate LAN'
R2(config-if)#ip nbar protocol-discovery
R2(config-if)#exit

Following your configuration, you can then use the show ip nbar port-map [protocol] command to see the ports that NBAR is recognizing for the specific application, as follows:

R2#show ip nbar port-map h2n_custom_app
port-map h2n_custom_app           tcp 1111 2222 3333

Additionally, you can use the show ip nbar protocol-discovery command to view statistics for the custom application, as shown in the following output, which has been filtered to include only the statistics for the previously configured custom application:

R2#show ip nbar protocol-discovery | section h2n_custom_app
   h2n_custom_app           21                       21
                            1358                     1134
                            0                        0
                            0                        0

Given the options available with and the flexibility afforded by NBAR, it is easy to see why this is a popular network monitoring tool. However, one significant drawback to NBAR is that it is very resource intensive and consumes a lot of CPU and memory resources. It is important to ensure that you do not implement NBAR on a router whose resources are already taxed.  After NBAR has been enabled, you can use the show ip nbar resources command to view how much memory it is consuming.

R2#show ip nbar resources
NBAR memory usage for tracking Stateful sessions
Max-age              : 120 secs
Initial memory       : 1383 KBytes
Max initial memory   : 4611 KBytes
Memory expansion     : 68 KBytes
Max memory expansion : 68 KBytes
Memory in use        : 1383 KBytes
Max memory allowed   : 9223 KBytes
Active links         : 0
Total links          : 20346

You can monitor the CPU utilization on the router using the show processes cpu command. This is a core troubleshooting command that will be described in detail later in this guide.

Configuration Management

In this next section of Cisco IOS network maintenance and monitoring tools, we are going to be looking at some of the tools available in Cisco IOS software for configuration management. As we learned earlier in this chapter, configuration management, including backing up configurations, scheduling backups, and restoring from backups, is a core maintenance task. This section describes the toolkit available in Cisco IOS software to assist with these tasks.

One of the most commonly used configuration management commands in Cisco IOS software is the copy running-config command. This command can be used to save the device configuration locally or to a remote destination, such as a Trivial File Transfer Protocol (TFTP) or a File Transfer Protocol (FTP) server. Supported options are shown below:

R2#copy running-config ?
archive:        Copy to archive: file system
flash:          Copy to flash: file system
ftp:            Copy to ftp: file system
http:           Copy to http: file system
https:          Copy to https: file system
ips-sdf         Update (merge with) IPS signature configuration
null:           Copy to null: file system
nvram:          Copy to nvram: file system
pram:           Copy to pram: file system
rcp:            Copy to rcp: file system
running-config  Update (merge with) current system configuration
scp:            Copy to scp: file system
startup-config  Copy to startup configuration
syslog:         Copy to syslog: file system
system:         Copy to system: file system
tftp:           Copy to tftp: file system

NOTE: The options displayed above will vary depending on the IOS version on the device.

The following configuration example illustrates how to copy the router running configuration to a TFTP server with the IP address 150.1.1.254:

R2#copy running-config tftp:
Address or name of remote host []? 150.1.1.254
Destination filename [r2-confg]?
!!
2732 bytes copied in 2.296 secs (1190 bytes/sec)

The same action can also be performed on a single line as follows:

R2#copy running-config tftp://150.1.1.254
Address or name of remote host [150.1.1.254]?
Destination filename [r2-confg]?
!!
2732 bytes copied in 2.288 secs (1194 bytes/sec)

Unlike TFTP, file transfers to FTP servers typically require a username and password, which in turn allows for greater security than that which is provided by TFTP. When copying configuration files to an FTP server that requires a username and password pair for login, you have two options for specifying the username and password pair that the local device will use. The first option is to globally configure the FTP username and password on the device using the ip ftp username <name> and ip ftp password <secret> global configuration commands.

Following this, you can then use the copy running-config ftp: command. The example below illustrates how to configure a global FTP username and password pair and copy the configuration of the local router to an FTP server with the IP address 150.1.1.254. This example assumes that the FTP server has been appropriately configured:

R2(config)#ip ftp username netadmin
R2(config)#ip ftp password tshoot
R2(config)#end
R2#copy running-config ftp:
Address or name of remote host []? 150.1.1.254
Destination filename [r2-confg]?
Writing r2-confg !
2780 bytes copied in 4.932 secs (564 bytes/sec)

NOTE: Referencing the FTP configuration above, it is important to keep in mind that the FTP password will be stored in plain text on the device until the service password-encryption global configuration command is issued. Following that, the password will be displayed in a hashed format.

If the FTP username and password pair is not configured globally on the router, you can still specify these parameters when using the copy command as follows:

R2#copy running-config ftp://netadmin:tshoot@150.1.1.254
Address or name of remote host [150.1.1.254]?
Destination filename [r2-confg]?
Writing r2-confg !
2738 bytes copied in 7.180 secs (381 bytes/sec)

In addition to basic copy commands, Cisco IOS software also supports configuration archive, configuration replace and configuration rollback tools for configuration management functionality. The configuration archive provides a mechanism to store, organize, and manage an archive of configuration files. This functionality is intended to enhance the configuration rollback capability that is also supported in Cisco IOS software.

The configuration archive feature allows you to save configurations in the configuration archive using a standard location and filename prefix that is automatically appended with an incremental version number, and an optional timestamp, as each consecutive file is saved. This functionality provides a means for consistent identification of saved configuration files. You can specify how many versions of the running configuration are kept in the archive. After the maximum number of files specified has been reached in the archive, the oldest file will be automatically deleted when the next, most recent file is saved. The Cisco IOS configuration archive, in which the configuration files are stored, can be located on the following file systems:

  1. If your platform has a disk0: file system: disk0:, disk1:, ftp:, pram:, rcp:, slavedisk0:, slavedisk1:, tftp:
  2. If your platform does not have a disk0: file system: ftp:, http:, pram:, rcp:, tftp:

Implementing the configuration archive feature is a four step process performed as follows:

  1. After entering global configuration mode, issue the archive command to enter archive configuration mode
  2. When in archive configuration mode, specify the location and filename prefix for the files in the Cisco IOS configuration archive using the path <url> archive configuration mode command. The <url> argument is one of the valid locations listed in the previous section, e.g. tftp:, ftp:, disk0:, etc. The available options will depend on the platform on which this command is implemented
  3. Optionally specify the maximum number of files to save using the maximum <number> archive configuration command. By default, 10 (ten) files will be saved; however, up to 14 (fourteen) files can be saved in the archive. When the specified maximum value has been reached, the oldest file will be overwritten and replaced by the most recent file. An important point to remember is that this command is not supported when backing up the configuration to a network location such as a TFTP or FTP server
  4. And finally, optionally specify the time increment for automatically saving an archive file of the current running configuration in the configuration archive using the time-period <minutes> archive configuration command. This command has no default

When configuring the archive feature, the write-memory archive configuration command is typically included in the configuration so that the router automatically saves the configuration to the specified location each time the running configuration is saved to NVRAM, i.e. the startup configuration (which typically indicates some type of configuration change).

The following configuration example illustrates how to configure the local router to back up the configuration to an FTP server, using the specified FTP username and password pair, every week, which is 168 hours or 10080 minutes. The running configuration file will be saved to the server using the name R2-Archive-Config. In addition to the weekly scheduled backup, the router is also configured to archive the configuration every time the running configuration file is saved to NVRAM, i.e. the startup configuration:

R2(config)#ip ftp username netadmin
R2(config)#ip ftp password tshoot
R2(config)#archive
R2(config-archive)#path ftp://150.1.1.254/R2-Archive-Config
R2(config-archive)#write-memory
R2(config-archive)#time-period 10080
R2(config-archive)#exit

Following this configuration, you can use the show archive command to view the archived configuration files. Following is a sample output printed by this command:

R2#show archive
The next archive file will be named ftp://150.1.1.254/R2-Archive-Config-6
Archive #  Name
0
1       ftp://150.1.1.254/R2-Archive-Config-1
2       ftp://150.1.1.254/R2-Archive-Config-2
3       ftp://150.1.1.254/R2-Archive-Config-3
4       ftp://150.1.1.254/R2-Archive-Config-4
5       ftp://150.1.1.254/R2-Archive-Config-5 <- Most Recent
6
7
8
9
10
11
12
13
14

Because the write-memory archive configuration command has been included in the archive configuration, the local router will save the configuration to the FTP server if either the write memory or copy running-config startup-config commands are issued:

R2#copy running-config startup-config
Destination filename [startup-config]?
Building configuration…
[OK] Writing R2-Archive-Config-1 !
R2#write memory
Building configuration…
[OK] Writing R2-Archive-Config-2 !
R2#

The configuration replace and configuration rollback features allow you to restore previously archived configurations using the configure replace <target-url> [nolock] [list] [force] [ignorecase] [revert trigger [error | timer <minutes>] | time <minutes>] privileged exec command. The <target-url> specifies the location of the saved configuration file that is to replace the current running configuration.

The optional [nolock] keyword disables the locking of the running configuration file. Locking prevents other users from changing the running configuration during a configuration replace operation. The optional [list] keyword displays a list of the command lines applied by the Cisco IOS software parser during each pass of the configuration replace operation. When this keyword is used, the total number of passes performed is also displayed. The [force] keyword is yet another optional keyword, which replaces the current running configuration file with the specified saved Cisco IOS configuration file without prompting for confirmation.

The [ignorecase] keyword is an optional keyword that instructs the configuration replace operation to ignore the case of the configuration confirmation. The [revert trigger [error | timer <minutes>]] keywords set the triggers for reverting to the original configuration. If the [error] keyword is included, the router will revert to the original configuration if an error is detected. If the [timer <minutes>] keywords are included, the router will revert to the original configuration file when the specified time period elapses.

And finally, the optional time <minutes> keyword can be used to specify the time within which the configure confirm command must be issued to confirm the replacement of the current running configuration file. If the configure confirm command is not issued within the specified time limit, the configuration replace operation is automatically reversed by the router.

The following example illustrates how to replace the existing running configuration with the archived configuration file named R2-Archive-Config-5 stored on FTP server 150.1.1.254:

R2#configure replace ftp://150.1.1.254/R2-Archive-Config-5
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Loading R2-Archive-Config-5 !
[OK - 2959/4096 bytes]

Total number of passes: 0
Rollback Done
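Before trusting a replace or rollback, it helps to see which additions and deletions it would apply, which is also the check for unauthorized configuration drift against the last archive. The following Python is an added example, not the guide's or Cisco's code: it models the section-aware comparison as a single pass over two constructed configuration snippets (the real feature may need several passes for order-dependent commands, which is what the passes counter in the output above reports).

```python
# Constructed running configuration (not from a real device): it still carries
# an NBAR port-map and a Loopback interface that the archived copy lacks.
RUNNING_CONFIG = """\
hostname R2
ip cef
ip nbar port-map http tcp 80 8080
!
interface FastEthernet0/0
 description Connected To Corporate LAN
 ip address 150.1.1.2 255.255.255.0
 ip nbar protocol-discovery
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
"""

# Constructed archived configuration: same device, plus an archive block that
# was never saved to the running configuration above.
ARCHIVED_CONFIG = """\
hostname R2
ip cef
!
interface FastEthernet0/0
 description Connected To Corporate LAN
 ip address 150.1.1.2 255.255.255.0
 ip nbar protocol-discovery
!
archive
 path ftp://150.1.1.254/R2-Archive-Config
 write-memory
 time-period 10080
"""


def parse_config(text):
    """Split a config into ordered (parent, command) pairs: global commands get
    parent None, indented lines get the header of the block they sit in."""
    entries, parent = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank and comment lines carry no configuration
        if line.startswith(" "):
            entries.append((parent, line.strip()))
        else:
            parent = line
            entries.append((None, line))
    return entries


def _render(entries, negate):
    """Turn (parent, command) pairs into CLI lines, entering each block once."""
    lines, current = [], None
    for parent, cmd in entries:
        if parent is None:
            lines.append(("no " if negate else "") + cmd)
            current = cmd  # a global command may itself open a block
        else:
            if parent != current:
                lines.append(parent)
                current = parent
            lines.append(" " + ("no " if negate else "") + cmd)
    return lines


def plan_replace(running_text, target_text):
    """Return (deletions, additions) that turn the running config into target.
    Children of a block removed whole are dropped: 'no <block>' covers them."""
    running, target = parse_config(running_text), parse_config(target_text)
    run_set, tgt_set = set(running), set(target)
    removed = [e for e in running if e not in tgt_set]
    added = [e for e in target if e not in run_set]
    gone_blocks = {cmd for parent, cmd in removed if parent is None}
    removed = [(p, c) for p, c in removed if p not in gone_blocks]
    return _render(removed, negate=True), _render(added, negate=False)
```

On the device itself, configure replace with the list keyword prints the equivalent command lines as they are applied.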

The following example illustrates how to replace the existing running configuration with the archived configuration file named R2-Archive-Config-5 stored on FTP server 150.1.1.254 and specify that the change should be confirmed in 10 (ten) minutes, and if not, the router should reverse this operation automatically:

R2#configure replace ftp://150.1.1.254/R2-Archive-Config-5 time 10
Writing R2-Archive-Config-6 !
Timed Rollback: Backing up to ftp://150.1.1.254/R2-Archive-Config-6
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
Loading R2-Archive-Config-5 !
[OK - 2959/4096 bytes]

Total number of passes: 0
Rollback Done

R2#configure confirm

NOTE: Referencing the output above, if the configure confirm command is not issued, then the changes will be reversed in 10 (ten) minutes. This option is applicable only when a time for the change confirmation has been specified when using the configure replace command.  Because a time limit was not imposed in the first example, this command need not be issued.

Cisco IOS Command Scheduler

The final Cisco IOS maintenance tool that we are going to discuss in this section is the Cisco IOS Command Scheduler (KRON). The Command Scheduler allows you to run exec commands on a regular basis on a router. For simplicity, consider it as an automation tool for running exec commands on a router at specified or configured intervals. The IOS Command Scheduler has 2 (two) processes, which are policy lists and the scheduler.

Policy lists contain the exec commands that you want executed on the router. When configuring policy lists, it is important to remember that KRON does not support interactive commands. Therefore, if you want to create a policy list that saves the device configuration, you should use the write memory command instead of the copy running-config startup-config command which requires confirmation of this action. This is one of the main limitations of the KRON feature and one of the reasons it is not implemented as much as the other features.

KRON policy lists are configured using the kron policy-list <name> global configuration command. Following this, in policy list configuration mode, the cli <exec command> KRON policy list configuration command is used to specify the exec command that the configured policy list will run. This command can be repeated to specify multiple commands that will run at the same time or during the same interval.

Following the configuration of the policy list, the next task is to configure the Command Scheduler occurrences using the kron occurrence <occurrence-name> [user <name>] [in [[days:]hours:]min | at hours:min [[month] day-of-month] [day-of-week]] [oneshot | recurring] global configuration command. Next, within Command Scheduler configuration mode, specify the policy list that this schedule applies to using the policy-list <name> Command Scheduler configuration mode command.

NOTE: You are not expected to implement any Command Scheduler (KRON) configuration in the current TSHOOT certification exam. However, ensure that you are familiar with basic KRON configuration and functionality.

The following configuration example illustrates how to configure a KRON policy that will be used to automatically save the router configuration every day (1440 minutes):

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#kron policy-list SaveRouterConfiguration
R2(config-kron-policy)#cli write memory
R2(config-kron-policy)#exit
R2(config)#kron occurrence SaveRouterConfigurationSchedule in 1440 recurring
R2(config-kron-occurrence)#policy-list SaveRouterConfiguration
R2(config-kron-occurrence)#exit

Following the Command Scheduler configuration on the router, you can then use the show kron schedule command to display information about the status and schedule of all configured Command Scheduler occurrences, as illustrated in the following router output:

R2#show kron schedule
Kron Occurrence Schedule
SaveRouterConfigurationSchedule inactive, will run again in 0 days 23:58:23

While the previous example is a simple one, KRON can be used for other tasks such as saving device configurations to remote servers, e.g. TFTP servers, making it yet another useful maintenance tool available at your disposal in Cisco IOS software.

Copyright Reality Press Ltd.