Cisco 3560, 3750 archive command to install or upgrade IOS via tar file

Some newer L3 Cisco switches are now happier if you use the ‘archive’ facility to manage images.
If you only want the IOS, and not the web interface and so on, use the /imageonly flag.
From the Cisco release notes, for example:
Switch# archive download-sw /overwrite tftp://198.30.20.19/c3750-ipservices-tar.122-50.SE.tar

Check the release notes or command reference (or in-exec help) for further options.

This apparently does away with ‘boot system statements’ as well, as you can see if you run ‘show boot’ on the switches. The image set by your ‘archive’ command becomes the active image on reboot. I’m not sure what happens if you have both explicit ‘system boot <blah>’ statements and the automatic IOS precedence setting configured via the fancy archive method.

anynode#sh boot
BOOT path-list : flash:c3750-ipservicesk9-mz.122-53.SE1/c3750-ipservicesk9-mz.122-53.SE1.bin
Config file : flash:/config.text
Private Config file : flash:/private-config.text
Enable Break : no
Manual Boot : no
HELPER path-list :
Auto upgrade : yes
Auto upgrade path :
Timeout for Config
Download: 0 seconds
Config Download
via DHCP: disabled (next boot: disabled)
-------------------

Linux/Unix tools for multiline grep

grep -A 2 SearchString # find and return SearchString and the two lines after the line that matches
grep -B 3 SearchString # find and return SearchString and the three lines before the line that matches

Also, pcregrep:
pcregrep -M 'a\nb' files…

How to keep apache from autostarting on system boot for Debian or Ubuntu

An easy way to remove apache2 (or another system service) from the start up scripts in Debian or Ubuntu is to use the update-rc.d mechanism.

For instance:

# update-rc.d -f apache2 remove

The “-f” is required if you have existing scripts in /etc/init.d/apache2. If you are planning on manually starting apache, the “-f” is [barring heroic/quixotic effort to create alternatives] a requirement.
Otherwise, in this situation, you will see:

update-rc.d: /etc/init.d/apache2 exists during rc.d purge (use -f to force)

A good write-up is here:
http://www.debuntu.org/how-to-manage-services-with-update-rc.d

Ubuntu 9.10 (Karmic) Beta

Instead of ‘do-release-upgrade’, as I did with my upgrade to 9.04, going to the Beta of 9.10 I used

update-manager -d

No major problems. I did have to manually remove a couple of ppa entries from my /etc/apt/sources.list. Also, I changed from the generic ‘main server’ to a much, much faster (at the time) server. The easiest way to do this is via gui, as far as I know. Ubuntu will check for the fastest responding site if you use ‘System’ -> ‘Administration’ -> ‘Software Sources’ and ‘Select Best Server’, or use ‘Settings’ under the update-manager interface (‘Settings’ is on the lower left) to get to the same place. I shaved off several hours from my package download by switching to a server that had some combination of proximity, light load, and high bandwidth. This involved a generous amount of luck, and probably the uneven demand associated with a pre-release version of the OS.

redirecting standard error (stderr) and standard output (stdout) to a file

Capturing both errors and normal list output from ls, with “long” and recursive options set,  to a file called /tmp/allout :

ls -lR > /tmp/allout 2>&1

upgrading an Ubuntu server from the command line

This is how I upgraded from 8.10 to 9.04 over the network:

sudo apt-get install update-manager-core
sudo do-release-upgrade

[reference : http://www.ubuntu.com/getubuntu/upgrading ]

Cisco IOS CLI regular expressions, Part II — ‘AND’

In an earlier post, I talked about Cisco command line regular expressions, and held off on giving any good examples of using the CLI regexp tools to get ‘AND’ functionality. ( I pointed out there that the ‘|’ (pipe symbol) could be used as a simple ‘OR’ function.)
Here are some easy regexps that function (more or less) as simple Boolean ‘AND’s.

Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels appear to be correctly defined.

Here’s the output of ‘show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):

IOS-rtr#sh run | inc privi
username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l
username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.
username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0
username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source
privilege level 15
privilege level 15

In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0’, thus eliminating other priv levels, as well as username definitions:
IOS-rtr#sh run | inc privi.*level 0
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

The same thing works for an audit of ‘level 7’ commands:

IOS-rtr#sh run | inc privi.*level 7
privilege configure level 7 logging
privilege configure level 7 logging trap
privilege configure level 7 logging source

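If you want to show lines that match privilege levels other than zero, you could use this:
IOS-rtr#sh run | inc priv.*[1-9]
Be aware that this pattern is loose: it matches any line where a digit from 1 to 9 appears anywhere after ‘priv’, so a ‘username ... privilege 0 secret 5 ...’ line matches too, because of the ‘5’.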

You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic: ‘privi.*level 0’ only matches when ‘privi’ appears before ‘level 0’ on the line.
In order to do a true AND, you’d need an expression like:
sh run | inc (privi.*level 0|level 0.*privi)
This will match lines containing both ‘privilege’ and ‘level 0’, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:

IOS-rtr#conf t
Enter configuration commands, one per line. End with CNTL/Z.
IOS-rtr(config)#int loop3
IOS-rtr(config-if)#desc level 0 is not privileged here!
IOS-rtr(config-if)#^Z
IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)
description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec all level 0 show
privilege exec level 0 clear ip nat translation
privilege exec level 0 clear ip nat
privilege exec level 0 clear ip
privilege exec level 0 clear

It works! Notice that we caught both the description line and the privilege exec lines.

Apparently I’m easily amused, but there it is.
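
The ordered and order-agnostic filters above, reproduced offline against a saved config and generalised to any number of terms. This is an added example, not code from the original post; the sample config is constructed, the function names are hypothetical, and it assumes the patterns use only regex syntax that IOS and Python's re module share.

```python
import re
from itertools import permutations

# Constructed sample, modelled on the 'sh run | inc privi' output in the post.
SAMPLE_CONFIG = """\
username gluon privilege 15 secret 5 <hash-placeholder>
interface Loopback3
 description level 0 is not privileged here!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege configure level 7 logging
privilege level 15
"""

def include(config, pattern):
    """Emulate 'show run | include <pattern>': keep lines the regex matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in config.splitlines() if rx.search(line)]

def and_pattern(*terms):
    """Order-agnostic AND for a filter with no lookahead.

    Emits one '.*'-joined alternative per ordering of the terms, so the
    pattern has n! alternatives for n terms. Each alternative needs the terms
    to occur without overlapping: 'ab' AND 'bc' will not match the line 'abc'.
    """
    return "(" + "|".join(".*".join(order) for order in permutations(terms)) + ")"

def contains_all(config, *terms):
    """Reference result: test every term independently on each line."""
    return [line for line in config.splitlines()
            if all(re.search(term, line) for term in terms)]

if __name__ == "__main__":
    print("ordered :", include(SAMPLE_CONFIG, "privi.*level 0"))
    true_and = and_pattern("privi", "level 0")
    print("pattern :", true_and)
    print("true AND:", include(SAMPLE_CONFIG, true_and))
```
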

Cisco IOS CLI regular expressions (“Ceci n’est pas une pipe.”)

[taken from a  note originally written March 2007]

Yesterday, I was trying to find a method to implement an ‘AND’ function within the Cisco IOS command line. I was familiar with the ‘OR’ function available through the ‘|’ symbol (which is to say, the same symbol as the pipe).

For example, if you wanted to show the running config, filtered down to only the lines that contain either ‘foo’ or ‘bar’, you could type

show run | include foo|bar

The second “pipe,”  in this case, isn’t a pipe, but the symbol for an ‘OR’ function.  (“Ceci n’est pas une pipe.”)

[Image: Magritte -- this (pipe) is not a pipe]

I wasn’t able to find a way to do an ‘AND’ in an analogous fashion, but I  did find a decent Cisco webpage on CLI and regular expressions (regexp) that helped a bit. That page can be found here: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/cliparse.htm

It is possible to do ‘AND’ type functions implicitly by using a more complex set of matching rules based on regular expressions.

Here’s an example that shows (from an interactive session on the Cisco CLI) if access-lists have been applied to interfaces using the “access-group” command:

sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

Lines that start with ‘interface’ followed by an uppercase letter (the expression matches anything in the range A-Z) are supposed to match things like ‘interface Fastethernet,’ ‘interface Serial’ and so on. The second part of the expression matches access-groups that have three possible initial character ranges: a lowercase letter (a-z), an uppercase letter (A-Z), or a number (0-9) for the standard access lists.
Some rudimentary filtering is done, so things like Loopback sourcing, route-maps, and so on, don’t match.

Interfaces that have no access-lists applied have only the interface name listed, but interfaces with an access-group command show the complete access-group statement under the relevant interface (which makes sense, given that this is only a filtered ‘show run’).

Output might look something like this:

interface Serial3/3
interface Serial3/3.1 point-to-point
ip access-group pac in
ip access-group ket out
interface FastEthernet4/0
interface Serial6/0
ip access-group Ozona in

If this kind of function is useful for you, it is even easier to use if you put it in an alias on your switch or router:

#conf t
#alias exec shag sh run | include (^interface [A-Z])|(ip access-group [0-9a-zA-Z])

You should, of course, pick a name for the alias that you’ll remember.
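
The filtered output still has to be read by eye to spot interfaces with no access-group. As an added example (not part of the original post), the script below applies the same two patterns to a saved running-config and reports which interfaces lack an ACL in a given direction; the sample config is constructed, the function names are hypothetical, and it assumes interface sub-commands are indented by one space as in a saved ‘show run’.

```python
import re

# The post's two alternatives, with capture groups added for name and direction.
IFACE = re.compile(r"^interface ([A-Z]\S*)")
ACL = re.compile(r"ip access-group ([0-9a-zA-Z]\S*) (in|out)")

# Constructed sample config, modelled on the output shown in the post.
SAMPLE = """\
interface Serial3/3
 no ip address
!
interface Serial3/3.1 point-to-point
 ip access-group pac in
 ip access-group ket out
!
interface FastEthernet4/0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial6/0
 ip access-group Ozona in
!
"""

def acl_coverage(config):
    """Map each interface name to {'in': acl-or-None, 'out': acl-or-None}."""
    coverage = {}
    current = None
    for line in config.splitlines():
        match = IFACE.match(line)
        if match:
            current = match.group(1)
            coverage[current] = {"in": None, "out": None}
            continue
        if line and not line.startswith(" "):
            current = None  # any other top-level line ends the interface block
            continue
        match = ACL.search(line)
        if match and current is not None:
            coverage[current][match.group(2)] = match.group(1)
    return coverage

def missing(config, direction="in"):
    """Interfaces with no access-group applied in the given direction."""
    return [name for name, acl in acl_coverage(config).items()
            if acl[direction] is None]

if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"no ACL {direction}:", ", ".join(missing(SAMPLE, direction)))
```
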