Jan 142013

How to see which VLANs are currently used on a trunkport on a switch?

Easy Answer:
Do a show mac address-table interface <interface>

and you will get a list of VLANs with MAC addresses used. Of course, any VLAN that have MAC-addresses associated, is in use.

That’s an easy way to find out which VLAN-tags are currently running over a trunk. (keep MAC-address aging timer in mind)

 Posted by at 12:23
Nov 042010

Have you ever killed your router/switch by enabling “some” debugging output?
You can easily reduce the impact of debug-logging on cisco devices by disabling logging to the console port. Under normal circumstances you don’t need the logging output on the console port.
In global configuration mode type:

no logging console to disable logging to the console.

This will prevent your router/switch from generating an interrupt for each single character, that is put to the console interface.

 Posted by at 14:59
Nov 032010

show running won’t show you any pre-shared-keys for tunnels, aaa-server keys and failover keys in cleartext. You will only see things like:

failover key *****

aaa-server authserver (inside) host
key *****

tunnel-group clients ipsec-attributes
pre-shared-key *****

simply use the more system:running-config-command to show all your keys uncrypted.

 Posted by at 11:22
Jul 082010

You want to keep older configurations of your router? Maybe to switch back to the last known good config? Or just for documentation? Or to verify the last changes in your config? Or review changes made by your collegue?

Of course RANCID combined with a graphical CVS-viewer would be a very good solution. But you can achieve this task with less effort directly on your router too. Therefor you need the archive-feature.

With the archive commands you can automatically write your configs to flash: – or some other destinations (ftp:, http:, https:, pram:, rcp:, scp:, tftp:)

You have many features with archive – but today let’s focus only on automatically archiving the current configuration when doing a copy running-config startup-config (or the more or less obsolete write mem)

mkdir flash:/configs
configure terminal
path flash:configs/archive
maximum 14

Command explanation:

  • mkdir flash:/configs creates a new directory on flash:
  • path flash:configs/archive defines the path and filenamesuffix of the files
  • maximum 14 defines the maximum number of configs held on the flash: (currently 1-14)
  • write-memory will save a new version of the running-config into the archive-folder (flash:configs in our example) each time you do a copy running-config startup-config or write mem

with show archive you can review all existing configs in flash:

Router#sh archive
The maximum archive configurations allowed is 14.
There are currently 3 archive configurations saved.
The next archive file will be named flash:configs/archive-3
Archive # Name
1 flash:configs/archive-0
2 flash:configs/archive-1
3 flash:configs/archive-2 <- Most Recent

to view differences between 2 configs use show archive config differences <file1> <file2>
For demonstration I created a new Loopback Interface, added an EIGRP-routing-process and wrote the new configuration to NVRAM (write mem)

show archive config differences flash:configs/archive-2 flash:configs/archive-3

Contextual Config Diffs:
+interface Loopback1
+ip address
+router eigrp 1
+no auto-summary
+eigrp stub connected summary


You also can write a new version of your current configuration into the archive without touching the startup-config with the archive config command.

It is also possible to write a new configuration on a interval-basis. But I don’t recommend this on a flash-device, because if you don’t change your config for a longer time (“long” depends on your backup-interval) you have a maximum of 14 same configurations – and of course lost the configs with real changes.

 Posted by at 14:41
Mar 172010

Worried about the following error-message while plugging in a TwinGig Converter Module (CVR-X2-SFP) in a Catalyst 4500?

%C4K_TRANSCEIVERMAN-3-SEEPROMREADFAILED: Failed to read transceiver serial eeprom on port Te5/3, try reinserting

This is really not a serious problem although it looks like one. You just have to configure your TenGigE-Port to GigE. On a 6Port 10GE-Linecard (WS-X4606-X2-E) it is important, that you can only put 3 ports in 1GigE-Mode at once. Each 3 Ports are grouped together to one Port-Group. If this is a problem you can deal with the TenGigE-Ports on your Sup (depending on the Sup you are using…)

You can have the following configurations on a WS-X4606-X2-E:

  • 6 TenGigE
  • 3 TenGigE, 6 GigE
  • 6GigE, 3 TenGigE
  • 12 GigE

To switch a Port-Group over to 1 GigE use the following command:

hw-module module 5 port-group 1 select gigabitethernet

This will put your 1st three ports on the Module in Slot 5 into Gigabit-Mode and voila – your TwinGigConverterModule will no longer be rejected with this crazy errormessage.

 Posted by at 19:50
Feb 242010

Do you sometimes have the problem, that CTRL-SHIFT-6 (CTRL-^) won’t work to cancel a traceroute or other commands? Especially on foreign keymaps? Than simply change the escape-sequence for your VTYs or CONsole:

change escape-character to CTRL-C on VTYs (telnet and/or ssh-access):

line vty 0 15
escape-character 3

change escape-character to ESC on CONsole (serial-access on console port):

line con 0
escape-character 27

CTRL-C is a good choice – it’s a well known keystroke to cancel processes on CLIs.
ESC is nice because it uses the very less used ESC key – but the usage of the esc-code has one drawback: If you telnet to a further router from the commandline of your current router, than the command history will not be accessible via your curser up-/down-keys any longer because they are sending keycodes beginning with ESC – this breakes the Cursor-keycodes. Also the 1st CTRL-C will be eaten by router 1 – the next one is passed to router2.

So I recommend to use CTRL-C but of course you can configure any other ASCII-code as the escape-character.

 Posted by at 21:57
Nov 182009

Did you ever tag your EIGRP routes to prevent routingloops in an enterprise network? And did you mind about the TAG-value? YOU HAVE TO!

If you tag your external EIGRP routes (that ones you already redistributed from another routing protocol or from static) with a routemap you can choose your TAG-value from 0-4294967295.

But if you try to tag internal EIGRP routes, you can only use the range 0-255. Currently I wasn’t able to find any documentation about this – but thats the thing I had to learn while trying to use greater values.

Let’s do an example:

2 Routers connected via Eth 1/0, Transfernet, Lo 0 on both routers, EIGRP 1

router eigrp 1
distribute-list route-map settag out
no auto-summary
route-map settag permit 10
set tag 199

The topology-table on Router2 for the Loopback-IP of Router1 shows this:

R2#sh ip eig top
IP-EIGRP (AS 1): Topology entry for
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
Routing Descriptor Blocks: (Ethernet1/0), from, Send flag is 0x0
Composite metric is (409600/128256), Route is Internal
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 6000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1
Internal tag is 199

Now Let’s try it with tag-value 256

route-map settag permit 10
set tag 256

Topology-table of Router2:

R2#sh ip eig top
IP-EIGRP (AS 1): Topology entry for
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 409600
Routing Descriptor Blocks: (Ethernet1/0), from, Send flag is 0x0
Composite metric is (409600/128256), Route is Internal
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 6000 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1

As we can see, internal TAG-values greater than 255 are ignored.
If you tag an external Route, you can use the whole range suggested from the set tag command (0-4294967295). This limitation applies only to internal routes.

All tests were made with 12.4(24)T2

 Posted by at 18:25
Nov 072009

Phone7960_4452It’s a shame that the 7940/7960 doesn’t have a backlight. But there is a DIY-solution for this problem. You can modifiy the display of your Cisco IP-Phone relativley easy. You simply need a few inexpensive parts and can start to modify your phone.

You will need:

  • EL Foil 112x87mm (blue one looks very cool)
  • EL-Power Supply
  • 2 LEDs – 3mm – blue
  • some wires
  • and of course some tools for soldering and dis-/reassembling the phone

In Germany you can get the EL-parts at Conrad Electronic – but you should be able to get these stuff in all big electronic stores or even at ebay. Don’t worry if you couldn’t get the EL-Foil in the right dimensions – you can cut these foils with a pair of scissors. YES, the foil won’t be destroyed (but DON’T cut the connectors 😉 )

The powersupply for the EL-foil (the EL-converter) is a very big problem. These converters work with a frequence of about 400Hz to 900Hz for genereating the supply voltage of abt. 110 Volt. If you place this converter inside your phone (there is enough room for it inside) and even try to supply some power of your phone to the converter, you will hear a very annoying noise in your handset and even in the loudspeaker of your phone. This is absolutly inacceptable – so I’m currently searching for a good solution to power the EL-foil quietly.

If you have a good idea or even a ready solution – please let me know. It must be possible to build a cheap EL-converter with a working frequency outside the hearable soundspectrum. Someone told me that there are ICs from MAXIM which are working at about 1MHz – but I couldn’t find a suitable chip yet.

Ok, let’s begin with the Phone-mod.

Have a look at the following pictures for disassembling the phone:


Now let’s continue with the more tricky part:

DisplayUnglue_4472You need to remove the LCDisplay from the frame. It is glued with double-faced adhesive tape. Be VERY CAREFUL not to break the GlasDisplay! You can gently bend the frame very slowly away from the LCD. This works better if you get your display including the frame to a temperature of about 40 or 50 degrees.

Removing the reflective foil:

DisplayCloseup_4473DisplayRemoveReflective_4474Pay attention that you only remove the thin, reflective foil. There is another, thicker foil for polarization. If you remove this one you will not be able to see anything on your Display. At last use isopropanol to remove the glue from the polarization foil.

Place EL-Foil and Converter:

Backlight_4475Converter_4478Insert the EL-Foil between plastic frame and display. There is no need to glue this parts together – just be careful while reassembling the phone. If you decide to use the “noisy solution” here is a good position for placing the EL-converter. In this case it is highly reccomended that you power your converter from an external source outside the phone. This will keep the noises very low – and nearly unhearable. If you like a clean, blue optic change the 2 LEDs on the little PCB near the handset cradle. Connect all parts with the correct wires and reassemble the phone – and you are done.

Enjoy your 7940/7960 at night 😉


If you have a good solution for a silent EL-Converter, I would appreciate if you contact me or write a comment here. It doesn’t matter if it is a ready made converter or just an application note, design guide or partnumber of the right chip. Thank you.

 Posted by at 12:42
Oct 212009

Did you ever have the problem that your switch didn’t learn the MAC-addresses of the connected devices on one of its switchport? All cabling seems all right – Link is UP – Port is connected.
But show mac address-table won’t show you the MAC of your device although it is sending packets.

Check your VLAN-config!

If your switchport is configured to a VLAN thet doesn’t exists on your switch – then the switch won’t learn anything on this port. This could only happen if your switch is in VTP mode “client”.
Otherwise the VLAN will be created automatically.

 Posted by at 14:06
Sep 032009

Per default TLS is not allowed by the application inspection on ASA55x0 and fixup protocol on PIX.

PIX with IOS 6.x even is not capable of handling ESMTP. The only way to enable TLS/ESMTP on an old PIX is to disable the smtp-fixup:

no fixup smtp

On ASA55x0 Systems things are looking better. If you run 7.2(3) or higher you can enable the 250-STARTTLS ESMTP-Command by adding the following policy-map:

policy-map type inspect esmtp esmtp_pmap
allow-tls [action log]

action log enables the logging of TLS events.

Don’t forget to activate this policy. If you want to enable it on the default global policy type:

policy-map global_policy
class inspection_default
no inspect esmtp
inspect esmtp esmtp_pmap

ASA‘s below 7.2(3) have only the option to disable esmtp inspection like this:

policy-map global_policy
class inspection_default
no inspect esmtp

Why is TLS disabled per default?
TLS is an end to end encryption between two MTA’s. The Firewall is not able to inspect any payload of encrypted traffic – so for security reasons TLS will be denied by default.