IOS Ping With Extended Options

While Ping is one of the best known tools for network monitoring and troubleshooting, the IOS version has a set of options that make it even more useful than the Ping you might know from your desktop. For instance, IOS allows you to set the size of the datagram and the DF (Do not Fragment) bit, so you can test the MTU (Maximum Transmission Unit) of a network path.

Ping officially stands for “Packet INternet Groper,” but that is a backronym with the name probably coming from the pinging sound of active sonar.

Ping is part of the ICMP (Internet Control Message Protocol) suite, and uses Type 8 (Echo Request) and Type 0 (Echo Reply) ICMP messages. Below is a Wireshark analysis of a ping request packet.

Note the Ethernet type of 0x0800 (IP), an IP protocol of 1 (ICMP), and an ICMP type of 8 (Echo Request). ICMP does not use TCP or UDP; it is its own protocol riding directly on IP.
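The layering described above can be reproduced byte for byte. The following Python sketch is an added example, not part of the original post: it builds an Echo Request frame and dissects it again, checking the same three fields plus the DF bit and the ICMP checksum. The MAC addresses, the source address 192.168.13.1, the TTL and the payload layout are constructed, and treating the IOS datagram size as the IP total length is an assumption.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(src, dst, ident, seq, size=100, df=False) -> bytes:
    """Ethernet frame carrying an ICMP Echo Request.

    Assumption: size is the IP total length (20-byte IP header + 8-byte ICMP
    header + data), filled with the 0xABCD pattern (constructed layout).
    """
    if size < 28:
        raise ValueError("size must cover the IP and ICMP headers")
    payload = (b"\xab\xcd" * size)[: size - 28]
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload  # type 8, code 0
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, 0x4000 if df else 0, 255,
                     1, 0,  # protocol 1 = ICMP; header checksum filled in below
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # Constructed, locally administered MAC addresses: destination, then source.
    eth = bytes.fromhex("020000000003020000000001") + struct.pack("!H", 0x0800)
    return eth + ip + icmp


def dissect(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> ICMP and report the fields called out in the text."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    header_len = (ip[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    if ip[9] != 1:
        raise ValueError("IPv4 payload is not ICMP")
    icmp = ip[header_len:total_len]
    return {
        "ethertype": ethertype,
        "ip_protocol": ip[9],
        "ip_total_length": total_len,
        "df_bit": bool(flags_frag & 0x4000),
        "icmp_type": icmp[0],
        # A checksum computed over data that includes a correct checksum is 0.
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }


if __name__ == "__main__":
    frame = build_echo_request("192.168.13.1", "192.168.13.3", ident=1, seq=0)
    print(dissect(frame))
```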

To use Ping without the extended commands, you can just issue the ping command, followed by the IP address you want to ping.

R1#ping 192.168.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/102/312 ms

If you want to use the extended commands, you can add some of the options to the end of the ping command:

R1#ping 192.168.13.3 ?
  data      specify data pattern
  df-bit    enable do not fragment bit in IP header
  repeat    specify repeat count
  size      specify datagram size
  source    specify source address or name
  timeout   specify timeout interval
  validate  validate reply data
  <cr>

Or issue the ping command, and hit enter, and IOS will prompt you for the other options. This allows for more options than are available as command line options, and walks you through the options you can set.

R1#ping 
Protocol [ip]: 
Target IP address: 192.168.1.1 
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)
R1#

The options for IP ping are as follows:

  • Protocol – Although IP is the most common protocol, IOS Ping also supports appletalk, clns, decnet, ipv6, ipx, mpls, and srb.
  • Repeat Count – How many ping requests should be sent? If you are looking for packet loss, it can be useful to send more pings. Five percent packet loss is one packet out of 20, so you may not see it reliably without sending hundreds of pings.
  • Datagram size – the size of the packets to be sent. This can be quite useful for testing for network congestion, or a segment that has an MTU that is either preventing larger packets from passing through or causing delays due to fragmentation.
  • Timeout in Seconds – How long to wait before considering a packet lost. 2 seconds should be fine for most uses, but it can be adjusted up or down to test for tighter requirements, or see if there is an inordinately long delay rather than a full outage.
  • Extended Commands – Allows for the following extended commands.
  • Source Address or Interface – by default, IOS sends internally sourced traffic, such as ping, traceroute, or outgoing telnet/SSH with a source IP of the outgoing interface. You can specify another interface, or an address assigned to an interface on the router. You may need to do this to test reverse routes, or test NAT or IPSec. You can either specify the interface or an IP address on the router for this.
  • Type of Service – set a type of service to test QoS.
  • Set DF bit in IP header – Set the Do not Fragment bit in the IP header to prevent transit routers from fragmenting the packet. The size where you start losing packets indicates the MTU somewhere along the path. 
  • Validate reply data – Validate the data in the reply packets. Could be useful for troubleshooting framing errors. 
  • Data pattern – Specify a hex data pattern to use. This could also be used to look for framing errors.
  • Loose, Strict, Record, Timestamp, Verbose – Specific options that can be added; definitions follow. Once you enter one, it will prompt you again, with the options entered in brackets. To proceed press enter again, or select another option.
    • Verbose information (automatically enabled with the other options) displays more information, such as the time for individual pings, rather than just showing exclamation points (for successful pings) and periods (for lost pings).
    • Record displays up to nine hops, but shows both the hops to and from the remote host, where traceroute only shows hops to the destination. 
    • Loose/Strict allows you to set IP addresses the packets should pass through. Strict requires the packet to take that route, while loose will attempt to pass those IPs, but can pass through others, as well.
  • Sweep range of sizes – Set a minimum size, maximum size, and the size interval in bytes, and have IOS sweep the sizes to determine the MTU

Here is an example sweeping for the MTU. If you need more detail, you could run a sweep between the last successful size, 1500, and the first failed size, 1600, at a smaller interval to find an exact MTU.

R1#ping      
Protocol [ip]: 
Target IP address: 172.16.2.2
Repeat count [5]: 1 !only send one set of pings, or the sweep will be repeated.
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 
Set DF bit in IP header? [no]: yes
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: V
Loose, Strict, Record, Timestamp, Verbose[V]: 
Sweep range of sizes [n]: y
Sweep min size [36]: 100
Sweep max size [18024]: 2000
Sweep interval [1]: 100
Type escape sequence to abort.
Sending 20, [100..2000]-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
Packet sent with the DF bit set
Reply to request 0 (36 ms) (size 100)
Reply to request 1 (116 ms) (size 200)
Reply to request 2 (76 ms) (size 300)
Reply to request 3 (48 ms) (size 400)
Reply to request 4 (32 ms) (size 500)
Reply to request 5 (8 ms) (size 600)
Reply to request 6 (16 ms) (size 700)
Reply to request 7 (28 ms) (size 800)
Reply to request 8 (16 ms) (size 900)
Reply to request 9 (32 ms) (size 1000)
Reply to request 10 (12 ms) (size 1100)
Reply to request 11 (32 ms) (size 1200)
Reply to request 12 (16 ms) (size 1300)
Reply to request 13 (28 ms) (size 1400)
Reply to request 14 (4 ms) (size 1500)
Request 15 timed out (size 1600)
Request 16 timed out (size 1700)
Request 17 timed out (size 1800)
Request 18 timed out (size 1900)
Request 19 timed out (size 2000)
Success rate is 75 percent (15/20), round-trip min/avg/max = 4/33/116 ms
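Reading the bracket out of a sweep can be automated. The following Python sketch is an added example, not part of the original post: it parses the verbose output shown above, reports the last answered and first failed size, separates stray packet loss from the MTU ceiling, and proposes the finer follow-up sweep. The function names and the ten-step interval are assumptions.

```python
import re

# Verbose sweep output from the R1 example above (172.16.2.2, DF bit set).
SAMPLE = """\
Packet sent with the DF bit set
Reply to request 0 (36 ms) (size 100)
Reply to request 1 (116 ms) (size 200)
Reply to request 2 (76 ms) (size 300)
Reply to request 3 (48 ms) (size 400)
Reply to request 4 (32 ms) (size 500)
Reply to request 5 (8 ms) (size 600)
Reply to request 6 (16 ms) (size 700)
Reply to request 7 (28 ms) (size 800)
Reply to request 8 (16 ms) (size 900)
Reply to request 9 (32 ms) (size 1000)
Reply to request 10 (12 ms) (size 1100)
Reply to request 11 (32 ms) (size 1200)
Reply to request 12 (16 ms) (size 1300)
Reply to request 13 (28 ms) (size 1400)
Reply to request 14 (4 ms) (size 1500)
Request 15 timed out (size 1600)
Request 16 timed out (size 1700)
Request 17 timed out (size 1800)
Request 18 timed out (size 1900)
Request 19 timed out (size 2000)
"""

PROBE = re.compile(
    r"(Reply to request \d+ \(\d+ ms\)|Request \d+ timed out) \(size (\d+)\)")


def analyze_sweep(output):
    """Summarise a verbose sweep: MTU bracket, stray loss, and whether DF was set."""
    probes = [(int(size), verdict.startswith("Reply"))
              for verdict, size in PROBE.findall(output)]
    last_ok = max((size for size, ok in probes if ok), default=None)
    # Timeouts above the largest answered size mark the MTU ceiling; timeouts
    # below it are ordinary packet loss and must not be read as an MTU limit.
    above = [s for s, ok in probes if not ok and (last_ok is None or s > last_ok)]
    stray = [s for s, ok in probes if not ok and last_ok is not None and s < last_ok]
    return {
        "df_set": "Packet sent with the DF bit set" in output,
        "last_ok": last_ok,
        "first_fail": min(above, default=None),
        "stray_loss": sorted(stray),
    }


def next_sweep(result, steps=10):
    """Sweep min/max/interval for a finer pass between the bracket ends."""
    if not result["df_set"]:
        raise ValueError("DF bit not set: large packets may be fragmented, "
                         "so the sweep says nothing about the path MTU")
    low, high = result["last_ok"], result["first_fail"]
    if low is None or high is None:
        raise ValueError("no bracket found: widen the sweep range")
    return {"min": low, "max": high, "interval": max(1, (high - low) // steps)}


if __name__ == "__main__":
    summary = analyze_sweep(SAMPLE)
    print(summary, next_sweep(summary))
```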

Summary:

Ping is a tool used to monitor and troubleshoot networks. It is based on ICMP, a set of protocols and tools built into the TCP/IP protocol stack. Any IP host should be able to respond to Pings, although some block it for security reasons.

IOS Ping allows an administrator to set advanced options, increasing its value as a troubleshooting tool.

The CCNA blueprint includes extended ping in the topics, so make sure you know this material, and that you take some time testing the different options.

For more information on this, see:

Configuring and Using Floating Static Routes

Sometimes it becomes necessary to build static backup routes, where a dynamically learned route is preferred, and the static route is only used if the dynamic route is lost. Common applications of this would be a WAN with a VPN backup, and Dial on Demand Routing (DDR). The route to a remote location is normally learned over the WAN by a routing protocol, but should be routed out an interface configured for VPN if the WAN connection is lost.

Since the default administrative distance of static routes makes them preferred over any routes learned by dynamic protocols, this normally would not work. The router would prefer the route to the VPN all the time.

There are a couple ways around this. One would be to use a less specific route, such as a default route, which would only be preferred if the more specific routes are lost, but this is not always workable. If both internet and VPN traffic should take the same route, often the default route could be used, since the more specific dynamic routes would be preferred if available.

The other option, and the one we will look at here, is a so-called floating static route. Floating static routes are like regular static routes, except that the administrative distance has been manually changed. Because this allows the static route to have a higher administrative distance than the dynamic routes, it will not be used if there is a dynamic route available.

In the following, we are learning the route to 172.16.2.0/24 from OSPF, pointing to 192.168.12.3. After adding the static route with an administrative distance of 254, we are still routing via OSPF. Then we lose our OSPF neighbor, and the static route takes over, with an administrative distance of 254.

R1(config)#ip route 172.16.2.0 255.255.255.0 192.168.13.3 254
R1(config)#
R1(config)#do sh ip route                                    
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, Serial1/3
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback0
O       172.16.2.0 [110/11] via 192.168.12.3, 00:00:12, FastEthernet0/1
R1(config)#
*Mar  3 05:13:25.666: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.12.3 on 
FastEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1(config)#
R1(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, Serial1/3
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback0
S       172.16.2.0 [254/0] via 192.168.13.3
R1(config)#

While Administrative distances go up to 255, a route with an AD of 255 will not be installed in the routing table, so 254 is effectively the highest you can use. Note that the route is no longer installed in the routing table after having the AD changed to 255.

R1(config)#ip route 172.16.2.0 255.255.255.0 192.168.13.3 255
R1(config)#
R1(config)#do sh ip route                                    
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, Serial1/3
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Loopback0
R1(config)#

Any administrative distance can be assigned to a static route, but to work as a floating static route, it needs an AD between the AD of the routing protocol plus 1 and 254, inclusive. If it is below the routing protocol's AD, it will be preferred rather than floating, and 255 is not used. Below, the route is added with an AD of 111, which makes it less preferred than OSPF, but it would be preferred over a RIP route with an AD of 120. If you find yourself needing to do this, it’s probably time to redesign your network, but it is possible.

R1(config)#ip route 172.16.2.0 255.255.255.0 192.168.13.3 111
R1(config)#
R1(config)#do sh ip route                                    
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, Serial1/3
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback0
S       172.16.2.0 [111/0] via 192.168.13.3
R1(config)#
*Mar  3 05:19:23.042: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.12.3 on 
FastEthernet0/1 from LOADING to FULL, Loading Done
R1(config)#
R1(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/1
C    192.168.13.0/24 is directly connected, Serial1/3
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Loopback0
O       172.16.2.0 [110/11] via 192.168.12.3, 00:02:56, FastEthernet0/1
R1(config)#
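The selection rule behind the three outputs above can be modelled in a few lines. The following Python sketch is an added example, not part of the original post: it parses the `ip route <network> <mask> <next-hop> [distance]` form used on this page, picks the route that would be installed by lowest administrative distance, and checks whether a static route actually floats behind a given protocol. The `Route` class and function names are hypothetical, and only the command form shown on this page is parsed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Default administrative distances for the route sources discussed here.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}

STATIC = re.compile(r"ip route (\S+) (\S+) (\S+)(?: (\d+))?$")


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str
    next_hop: str
    ad: int
    metric: int = 0


def parse_static(line: str) -> Route:
    """Turn an `ip route <network> <mask> <next-hop> [distance]` line into a Route."""
    match = STATIC.search(line.strip())
    if not match:
        raise ValueError(f"not a static route command: {line!r}")
    network, mask, next_hop, distance = match.groups()
    prefix = str(ipaddress.ip_network(f"{network}/{mask}"))
    ad = int(distance) if distance else DEFAULT_AD["static"]
    return Route(prefix, "static", next_hop, ad)


def installed(candidates, prefix):
    """Route installed for prefix: lowest AD wins, and AD 255 is never installed."""
    usable = [r for r in candidates if r.prefix == prefix and r.ad < 255]
    return min(usable, key=lambda r: r.ad, default=None)


def floats_behind(static: Route, protocol: str) -> bool:
    """True if the static route is only used once the protocol's route is lost."""
    return DEFAULT_AD[protocol] < static.ad <= 254


if __name__ == "__main__":
    prefix = "172.16.2.0/24"
    ospf = Route(prefix, "ospf", "192.168.12.3", 110, 11)
    backup = parse_static("R1(config)#ip route 172.16.2.0 255.255.255.0 192.168.13.3 254")
    print("OSPF up:  ", installed([ospf, backup], prefix))
    print("OSPF down:", installed([backup], prefix))
    print("floats behind OSPF:", floats_behind(backup, "ospf"))
```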

Summary.

Floating static allows an administrator to define a static backup route by manipulating the Administrative Distance. Without manipulating the AD, static routes are preferred over any dynamic protocol. The AD needs to be set somewhere between one more than the routing protocol and 254, since routes with an AD of 255 will not get installed in the routing table. While you can set it at a lower number, floating statics normally use 254, which leads to more predictable behavior, and is more likely to be understood if someone else needs to work on the network.


Blocking Calls at the Gateway by Caller ID

Sometimes administrators have to block harassing, scam, or other undesirable calls. In newer versions of CUCM, this can be done in CUCM, or it can be done on an H.323 or SIP gateway.

Which should you use? There are good reasons to use both. Blocking on CUCM centralizes call routing, so you don’t need to touch gateways, and can be configured so that placing a number in once blocks it at all gateways. Blocking it at the gateway can be easier to implement, and stops the call at the ingress, so that no internal resources are ever used. Properly configured, blocking at the gateway will maintain protection in SRST, as well. So either way has benefits, use the one that fits into the existing environment best.

Blocking on the gateway uses translation profiles, which can be applied to the ingress port, and the inbound or outbound dial peers. Placing the blocking patterns on the port stops them right away, but may require placement on multiple ports.

Reversible vs. Non-Reversible Encryption

Cisco devices can store passwords using either a reversible (Type 7) or non-reversible (Type 4 or 5, enabled by the “secret” keyword) encryption.

Reversible encryption has the ability to decrypt the stored password, which can then be compared to the password a user wishing to authenticate provides. Cisco Type 7 passwords are stored using reversible encryption. When you configure a password with “service password-encryption” enabled in the config, the device runs a calculation against the password, creating a string that contains the encrypted password. It is not a simple substitution cipher, but it is easily decrypted, and can even be decrypted on a router.

Reading Data From XML Documents in UCCX

Have you ever wanted to do any of the following from a Contact Center application?

  • Read a schedule from a local document, rather than having to use script editor to edit schedules
  • Be able to load a schedule from a web server, so you didn’t even need to touch your CCX server
  • Bring in external data without UCCX Premium
  • Bring in external data from a database there isn’t a driver for

All these and more can be done by reading XML formatted data either stored in the local repository, or served from an external web server, and retrieved using the Create URL Document or Make REST Call steps. Since you are able to read from a web server, any web programming language, like PHP, ASP, or JSP, could be used to retrieve and format the data.

Once UCCX has the XML formatted data, the Get XML Document Data step uses the XPath syntax to get data out of the document. This is a powerful syntax for reading data from XML formatted documents, as we will explore here.

In this post, we will use the Make REST Call step to retrieve information from the REST interface on the UCCX server, which provides easy access to a remote source of XML formatted data.

Impressions of the 8861

I recently had the opportunity to pick up a couple of 8861s for my lab/home phones, and thought I would do a writeup on my initial impressions. The 8800 series phones offer an updated look, and a number of new features.

The 8800 series also continues the move from soft keys to more hard keys, with hard Back, End Call, Hold, Transfer, and Conference keys added to the Voicemail, Settings (now combined with services), Directories, Headset, Speaker, and Mute buttons on the 7900 series. I don’t know how I feel about the move to more hard keys. Soft keys have the advantage that only the necessary ones are displayed, but sometimes important ones can get buried. Hard keys will also have an advantage when using apps like IP Phone Agent, since the call control soft keys are hidden by the application soft keys.

Also, in keeping with the new Cisco phone lines, they are SIP only, no option for SCCP.


Time of Day Routing in CUCM

Time of Day routing allows for calls to be treated differently based on the time of day and day of week. This allows for things like automatically rerouting calls to a different destination when the company is closed, not allowing PSTN calls after hours, or requiring a Forced Authorization Code outside of business hours. Another real-world example I have worked with is patient rooms in hospitals, which should not receive outside calls at night.

CUCM uses the standard Partitions and Calling Search Spaces, with the addition of a Time Schedule that specifies when the Partitions will be active, to perform time of day routing. Outside the time schedule, the partition is effectively invisible to call routing. Appropriate ordering of partitions in a CSS allows the calls to be routed to an alternate number when the partition is not available.

An important consideration in designing the Partitions and CSSs is whether you want calls to be able to route to the phone off hours at all. For instance, with the patient room example, should internal numbers be able to call the rooms, and only outside calls be blocked? We will look at two examples, one that allows for some calls to go through, one that does not.


Initial Configuration of IOS Devices

In this post we will take a look at the initial configuration that should be performed on a new device before the actual network configuration is performed.

Most Cisco IOS devices come from the factory with a very basic default configuration, and require configuration before they are deployed. The majority come with no IP addresses, and routers even have all their interfaces shut down by default.

To begin the configuration, the first step is to console into the device, using either a serial port and the Cisco rollover serial cable, or the mini USB port on the newer devices. Console settings should be 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control. You need terminal emulation software, such as PuTTY or SecureCRT.


Practical OSI Layers – Part 2

In the previous post, we took a look at the basics of the OSI and TCP/IP model layers. In this post we are going to take a closer look at end to end routing of a packet, and the interaction between layers 2 and 3 as a packet is passed between routers to its ultimate destination. The following is the general process to route between endpoints. Some operating systems may behave a little differently than described, but this is the general process.

This post will use this network, with a telnet session from R1 to R3. R1 is connected to R2 via a serial link running PPP, and R2 is connected to R3 via an Ethernet segment.