Zone-based Firewall (quickie)

=====================

zone-based firewall example

=====================

Quickie Steps

1. create class-map

2. create policy-map

3. create zones

4. add members (interfaces) to zones

5. create zone-pair rules

1) class-map type inspect match-any CMAP1

match protocol tcp

match protocol udp

match protocol icmp

2) policy-map type inspect PMAP1

class type inspect CMAP1

inspect

3) zone security inside

zone security outside

4) int fa0/0

zone-member security inside

int fa0/1

zone-member security outside

5) zone-pair sec IN2OUT source inside destination outside

service-policy type inspect PMAP1

---------------

Explanations

---------------

1) Create a class-map to identify types of packets that you would like to match or inspect. Ensure to use "inspect" as a class-map type and use "match-any". The default parameter is "match-all". Use match protocol command to match desired protocols.

2) Create a policy-map to define actions. In this case, the action is to "inspect."

3) Define zones. I have defined two zones: "inside" and "outside".

4) Add members to the predefined zones. I have marked interface FastEthernet 0/0 as "inside" and FastEthernet 0/1 as "outside".

5) Finally and most importantly, create a zone-pair. This command completes the zone-based firewall by defining a relationship between the two zones. In this case, the PMAP1 policy-map will be enforced when packets are traveling from inside to outside.

Manipulating OSPF Routing Table - Part 1

Open Shortest Path First (OSPF) is a link-state routing protocol created in the mid-1980’s by the Internet Engineering Task Force (IETF). It is often valued as more advance protocol compared to Routing Information Protocol (RIP) and more flexible than Cisco’s Enhanced Internal Gateway Routing Protocol (EIGRP) because it is a multi-vendor protocol.

This blog assumes that you have a general understanding of the OSPF routing protocol as well as a proficiency to configure OSPF with the below features.

-OSPF LSA Types; (LSA type descriptions)

-Basic peering

-Inter-Area configuring

-OSPF authentication

-OSPF Virtual Links

-OSPF Stub Area

-OSPF Not-So-Stubby Area (NSSA)

The blog also assumes that you are familiar with configuring and performing basic troubleshooting the following technologies:

-IP Access Lists

-Route-map

The main topic for the blog is to manipulate entries for OSPF routing table, and this topic is not for a novice network engineer.

We often begin configuring the OSPF protocol by adding networks into the routing table. Then, we determine and configure which routers the routing table entries will be shared with. Finally, we may want to filter out particular networks from being advertised to certain neighbors or areas. We can achieve the final step by using a few different methods:

-Not advertise the network into OSPF routing protocol

-Use the filter-list command

-Use the area range command with the “not advertise” parameter

-Use the distribute-list command

-Use the route-maps command

-Use the prefix-suppression command

The first option is very basic and does not work if you are trying to share the network information with only a particular neighbor or an area. So, we will focus on the last five options.

---------------------------------------

use the filter-list command

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: OSPF Area Border Router (ABR)

-Usage: This feature is used to filter out routes between different OSPF areas (inter-areas)

-Command:

-area x filter-list prefix name1 [in | out]

-ip prefix-list name1 seq x [deny | permit] A.B.C.D/y

-Caveat: Filtering routes into area 0 prevents the advertised network from propagating into all OSPF areas in the routing domain except the originating area.

-Condition: The basic connectivity as well as OSPF routing protocols have been already configured. Use filter-list command to prevent R4’s loopback address from propagating into R3’s routing table.

-Procedure: Configure R1_ABR to filter R4’s loopback address into OSPF Area 10.

R1_ABR#configure terminal

R1_ABR(config)#ip prefix-list From_R4_Loop seq 10 deny 4.4.4.4/32

R1_ABR(config)#ip prefix-list From_R4_Loop seq 20 permit 0.0.0.0/0 le 32

R1_ABR(config)#router ospf 1

R1_ABR(config-router)#area 10 filter-list prefix From_R4_Loop in

-With the above configuration, R1_ABR will remove 4.4.4.4/32 network from its OSPF Link-State database (LSD) under Area 10 while permitting any addresses that has a subnet mask of 32 or lower. It is important that you add the le 32 parameter at the end of the 3rd line to ensure that it allows all addresses.

---------------------------------------

Use the area range command with the “not advertise” parameter

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: OSPF Area Border Router (ABR)

-Usage: This feature is used to filter out routes between different OSPF areas

-Command:

-area x range ip-address mask [advertise | not-advertise] [cost cost]

-Caveat: Ensure that the command is entered from an ABR.

-Condition: The basic connectivity as well as OSPF routing protocols have been already configured. Use area x range command with “not-advertise” parameter to prevent R4’s loopback address from being advertised outside of Area 20.

-Procedure: Configure R2_ABR to not advertise R4’s loopback address outside of Area 20.

R2_ABR#configure terminal

R2_ABR (config)# router ospf 1

R2_ABR (config-router)#area 20 range 4.4.4.4 255.255.255.255 not-advertise

-With the above configuration, R2_ABR will not advertise R4’s loopback address beyond OSPF Area 20.

---------------------------------------

Use the prefix suppression command

---------------------------------------

-Filtering LSA Type : TYPE 3 LSA Filtering

-Performed Device Type: Any OSPF routers

-Usage: This feature is used to filter out routes between different OSPF areas. This command is a new feature to IOS version 12.4(15)T to suppress IP prefixes propagation to Type 3 LSA database table from OSPF-enabled interfaces but excludes prefixes associated with loopbacks, secondary IP addresses, and passive interfaces.

-Command:

-(config-router)#prefix-suppression

-(config-if)#ip ospf prefix-suppression {disable}

-Caveat: The command can be entered from both the global router mode (e.g. router ospf) and the interface mode. The command at the interface level will overwrite the ones from the global router mode.

-Procedure 1: Configure R2_ABR to not advertise the prefixes associated with its OSPF-enabled interfaces

R2_ABR#configure terminal

R2_ABR (config)# router ospf 1

R2_ABR (config-router)#prefix-suppression

-Procedure 2: Configure R4 to not advertise its loopback address of 4.4.4.4/32

R4#configure terminal

R4 (config)# interface loopback 1

R4 (config-if)#ip ospf prefix-suppression

-Loopback addresses can be suppressed by entering the command from the loopback interface.

-Verification: Verify that R4 has suppressed the 4.4.4.4/32 network from its OSPF LSD

-----------------------------

THE BLOG SUMMARY

-----------------------------

The main focus of this blog is to introduce methods to filter out unwanted networks from propagating or being advertised to particular areas. There are two main methods in producing the desired outcomes:

-Removing entries from LSD

-Use the filter-list command

-Use the area range command with “not-advertised” parameter

-Use the prefix suppression command

-Removing entries from Routing Tables

-Use the distribute-list command

-Use the route-maps command: This option improves the flexibility of filtering based on matching other parameters as metric, route-type, and next-hop.

In the Part 2 of the blog, I will introduce the second part of using distribute-list and route-maps.

Rolling Back Your Configurations

We've all had to bear the pain of having to erase the startup-config and reload to get a fresh, out of the box configuration on a Cisco router or switch.  Once you caught on to the patterns in the lab guides, you probably even saved your configurations after you typed in the base configs and then reloaded to return to that point.  Even then, reloading is a process that takes time.  If you're impatient like me, it's too much time. 

Well, there is a command to revert you back to your last save point almost immediately.  It is as follows:

R1#config replace nvram:startup-config force

As stated, this command will almost instantly boot up the startup-config (aka the last time you performed a copy run start or wr command).  If you saved it immediately after your basic configs, this command will wipe out everything but those in a matter of seconds.

If you wanted to save even more time, alias the command.

R1(config)#alias exec rr config replace nvram:startup-config force

This command ties the "config replace" command to "rr".  You can use any letter combo instead of "rr".  That's just what I use.  I'll cover alias commands in another blog.

So now, to instantly revert back to the last save point:

R1# rr

Total number of passes: 1
Rollback Done


Enjoy!!

Cisco Tips for Time Saving Awareness: Smart Skillful and Efficient Navigational Habits for Time Savings Develo

We have seen in one of our previous articles how utilizing specific filtering methods better provides technicians with a more efficient search process to view configuration commands on our routing and switching devices. Refer to (cisco show running-configuration filter) .

While at first it may or may not appear to be such a necessary endeavor at any one particular time, however, if you find yourself constantly in need of opening a console session, it would be most beneficial to develop a smart habit by enforcing these time saving methods.

For example if you’re constantly using the show run command, it may not dawn on you that the amount of time you spend waiting for the routing or switch device to go through the thinking process can add up exponentially. You may find that by the end of the week you spent over an hour or more wasted in watching and scrolling. It reminds me of an old tune by the Moody Blues entitled, “Watching and Waiting” If its not the actual name of the song I assure you that those are the first lines in the song lyrics. J

Being part of a training group in which you coach where one is constantly in an environment surrounded by students and other IT professionals working towards validating their skill sets, its imperative to utilize such time saving approaches. Not to mention that what you demonstrate can positively rub off on to others.

Just to further extrapolate; An IT training facilitator delegated with the chore in need of scrolling through basic configurations from top to bottom, will find the following command, ‘show run exclude !’ , plays a useful role in reducing the time it takes when bypassing all of those seemingly incessant exclamation points, not to mention the time saving benefits when you copy the configuration to a notepad which further complements your time savings when the need arises to add those same configurations on other router or switch devices in your lab or other non productive testing environments.

I know what you may be thinking by now. Your thinking…, “but I like having the exclamation points and besides they are needed because it is important for documenting comments and it assists me in queuing where one configuration ends and where one configuration begins.” No argument here. You’re right. My reasoning for using this sample line command was to emphasize the good habits you are instilling. It is apparently more useful and beneficial using show run begin or show run include as depicted in the article previously referenced, since it sends you to the specific area of the configuration depending on the object you would want to search. Again, an excellent time savings endeavor.

More time saving techniques can be adhered to by practicing the “ do” command which can allow you to apply show commands normally only viewed from the execution mode but instead used in the global configuration terminal mode. Example While in the ( config )# ”Do show ip int brief” (Notice I didn’t say do show run) but you can.

Where is the times savings here for that endeavor? It gives you one less level to scale down to, and one less level to move you back up. Add that up in a days work. J

Let’s take a look at some other fun ‘saving tip’ navigational skills you can do on your switches without using the show run command.

Here is what I will go over: Show vlan-s
Show int tr
Sh eth summ

Let’s say you want to check on the specific trunks that you have configured: Instead of ‘show run’, you can do ‘sh vlans-s’.

You can then view the port numbers that are shown as vlans. If you don’t see a port number then you know the ports that are missing are configured as trunk ports.

On the other hand, you can do a ‘sh int tr’: short for show interface trunk; this will provide you a view of which ports are set up as trunk ports.

The command ‘sh eth summ’: short for show ether-channel summary. This would provide us with the ports configured as Ether channel groups, assuming they were configured. If nothing shows up, that means none have been configured.

Ether Channel is used to provide for load balancing and fault tolerance, but that is for another topic at another time, and is beyond the scope of this article.

These are only just a few command lines to help us become more aware of time saving skills that we would otherwise unknowingly drain away in our daily schedule.

By enforcing smart and skillful navigational habits, we will be keeping our minds sharp and our actions more efficient in many endeavors we undertake.

Keep on practicing.

GRE over IPSec with EIGRP to Route Through Two Remote Sites Configuration Example

Introduction

Let's consider the scenario when our company has two sites. They are equally big and some users require accessing other network devices directly by using its local IPs, or maybe you even have to replicate domain controllers over this tunnel. Let's say you want to access OWA and not too often check some shared files. The reason why I said not too often is because this will create some serious traffic over internet, if file is big.
Cisco GRE-Based VPN is the best choice for use, because it supports routing, QoS, Multicast and also non-IP protocols. You can configure it using SDM or CLI. The main downside is that this configuration is not multivendor. So both routers has to be Cisco routers with IOS that support VPN.

Refer here for differences between VPNs:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/prod_brochure0900aecd80582078.pdf

Network Diagram

Please check the diagram before you start to read further.


Components Used

- 2 Cisco routers 3745 running Cisco IOS (C3745-ADVIPSERVICESK9-M), Version 12.4(9)T1
- 2 Windows XP
- 1 Windows Server 2003 Enterprise


Configuration

This process has 3 steps:
- Configure the Generic Routing Encapsulation (GRE) Tunnels
- Configure Encryption for the GRE Tunnels
- Configure the Routing Protocol

Configure the GRE Tunnels

R1:
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2

R2:
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1

Check if you can ping by interface IP and by Tunnel IPs.

R2#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R2#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/16/48 ms

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 172.31.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Configure the Encryption for the GRE Tunnels

First create a access list to define which traffic to encypt:

R1:

access-list 100 permit gre host 172.16.0.1 host 172.16.0.2

R2:

access-list 100 permit gre host 172.16.0.2 host 172.16.0.1

Configure an Internet Security Association and Key Management Protocol (ISAKMP) policy, an ISAKMP key, and an IPSec transform set. The ISAKMP policy, key, and IPSec transform set must match on both sides of a single tunnel.

R1 & R2:

crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport

Configure the crypto map

R1:

crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100

R2:
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100


Apply on BOTH:

R1 & R2:
interface FastEthernet0/1
crypto map vpn

interface Tunnel0
crypto map vpn


Enable EIGRP

R1:

router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes

R2:
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes

Full config

R1:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$JZ2K$15BvDKP555bzNmcnoxc2D.
!
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
username cisc0 privilege 15 password 0 cisc0
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.2
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.1 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 172.31.0.0
network 192.168.0.0 0.0.255.255
auto-summary
no eigrp log-neighbor-changes
!
!
!
access-list 100 permit gre host 172.16.0.1 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
alias exec sr show run
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
!
!
end


R2:
Building configuration...

Current configuration : 1412 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$aIoH$XR1H76kiRYuPGtAV07ST3.
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 10 ipsec-isakmp
set peer 172.16.0.1
set transform-set strong
match address 100
!
!
!
!
!
interface Tunnel0
ip address 172.31.0.2 255.255.0.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
router eigrp 60
network 10.0.0.0
network 172.31.0.0
auto-summary
no eigrp log-neighbor-changes
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 100 permit gre host 172.16.0.2 host 172.16.0.1
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

This post is based on:
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites Configuration

Other Examples:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Teleworker: Thin-Client SSL VPN (WebVPN) IOS Configuration Example with SDM

Before we proceed to the hard core part let's take a look at Cisco promotion video first, Cisco Teleworking Solutions - The World Is Your Office:



One of the key portion of that advanced product is SSL VPN. It used to be called in the past Web VPN. It is usefull in the situations where you need to reach network resources in your company LAN from remote location. Most likely it will be home, cofee shop etc. In this post we will focus on how to access your computer at work from home using Remote Desktop, OWA (Outlook Web Access) and internal website with News and Anouncements, it can be even Sharepoint site.

Take a look at the logical diagram:

As you can see we have 2 Routers. One of them for your remote location (R2) and one of them (R1) at our company site. R2 does not have to be cisco router, it just has to provide internet connection. The network between R1 and R2 (172.16.0.0/16) acts as an internet in this lab environment. In this lab both routers are Cisco 3745 with IOS C3745-ADVIPSERVICESK9-M 12.4 (9) T1.

The configuration can be done via SDM (GUI software to configure Cisco Devices) or CLI.

R2 config:

R2#show run
Building configuration...

Current configuration : 935 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret s
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip cef
!
interface FastEthernet0/0
ip address 10.0.0.2 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.2 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255
!
control-plane
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
login
!
!
end




Below is a R1 config:

Current configuration : 3841 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret s
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
memory-size iomem 5
ip cef
!
!
crypto pki trustpoint TP-self-signed-998521732
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-998521732
revocation-check none
rsakeypair TP-self-signed-998521732
!
!
crypto pki certificate chain TP-self-signed-998521732
certificate self-signed 01
!---- output cut ---
ED20B032 D4BDEF14 5A114136 4C9F1794 3C3AA01E E670BC18 FC19B9B5
quit
username cisc0 privilege 15 password 0 cisc0
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.0.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface FastEthernet0/1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
alias exec s show ip inter brief
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
password v
transport input telnet ssh
!
!
webvpn gateway gateway_1
ip address 172.16.0.1 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-998521732
inservice
!

webvpn context First
title-color #FFFF00
secondary-color white
text-color black
ssl authenticate verify all
!
url-list "First"
heading "Web Sites"
url-text "OWA" url-value "http://192.168.0.10/owa/exchange"
url-text "News" url-value "http://192.168.0.10/news"
!

port-forward "portforward_list_1"
local-port 3000 remote-server "192.168.0.100" remote-port 3389 description "XP1 RD"
local-port 3001 remote-server "192.168.0.10" remote-port description "DC1 Remote Desktop"
!
policy group policy_1
url-list "First"
port-forward "portforward_list_1"
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway gateway_1 domain mydomain
inservice
!
!
end


If you accomplish that config on the XP2 you can connect using web browser. After you login you need to Start Application access. The Java applet will create a VPN and using IP 127.0.0.1:3000 you will be able to connect to your computer at work while being at home!

Login screen from XP2:

After you login and click Start Application Access you will see:

More info:

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008072aa61.shtml

http://www.cisco.com/en/US/products/ps6496/products_configuration_example09186a008071c58b.shtml

cisco show running-configuration filter

Tired of having to scroll through your whole running-configuration just to read one line at the very end? Cisco has an in built command filter that allows you to specify more accurately what information you want from the running configurations, and mastering these commands not only makes you look like you know what you are doing ,they could save you lots of time and frustration having to look through irrelevant information.

There are mainly three widely used filter in the running config. BEGIN, EXCLUDE and INCLUDE. We can see this issuing the show running-configuration (sh run since we're trying to save time here) followed by the vertical bar key (|). We hit the question mark to see our options.

R1#sh run | ?
append Append redirected output to URL (URLs supporting append operation
only)
begin Begin with the line that matches
exclude Exclude lines that match
include Include lines that match
redirect Redirect output to URL
section Filter a section of output
tee Copy output to URL

The begin command filters through the configuration until it hits the first line that matches whatever word you put in after. Having an understanding of how lines are expressed in the configuration comes in handy when choosing what to type in.

As an example, here is the running-configuration of a router I am currently working on


R1#sh run
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

If we only wanted informatin on the configured static routes, using the begin command we can filter to the exact line.

R1#sh run | begin ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
!
!
end

and we see that this begins the display with the first line that has the words "ip route"

We can use the include command to only display lines that have the words "ip route"

R1#sh run | include ip route
ip route 192.168.2.0 255.255.255.0 Serial0/0.2

This is much more succint output and gives a much neater and pleasing to the eye display.

The Exclude command eliminates all the lines that have the word you put in. For example, if you wanted to remove all the lines that have the word "line".

R1#sh run | exclude line
Building configuration...

Current configuration : 1238 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
!
username R2 password 0 lanwan
!
!
!
interface Serial0/0
no ip address
encapsulation frame-relay
serial restart-delay 0
no dce-terminal-timing-enable
no frame-relay inverse-arp
frame-relay lmi-type ansi
!
interface Serial0/0.2 point-to-point
ip address 10.0.12.1 255.255.255.0
no cdp enable
frame-relay interface-dlci 102
!
interface Serial0/1
ip address 10.1.12.1 255.255.255.0
encapsulation ppp
serial restart-delay 0
no dce-terminal-timing-enable
ppp authentication chap
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface FastEthernet1/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
ip http server
!
ip route 192.168.2.0 255.255.255.0 Serial0/0.2
!
!
no cdp run
!
control-plane
!
!
exec-timeout 0 0
logging synchronous
!
!
end

Personally , I prefer the BEGIN and INCLUDE commands as they are more effective. Further more the output of the EXCLUDE command leaves some information hanging and that may be a bit confusing.