
10 dumb things you can do to your Cisco router and how to fix them

David Davis points out the dumb things you can do to mess up your Cisco router and how to fix them. He also lists some important resources for each step to give you even more detailed instructions.

TechRepublic author Deb Shinder detailed network administrator mistakes in her very popular article "10 Dumb Things IT Pros Do That Can Mess Up Their Networks." Deb's 10 Things article inspired me to come up with one of my own with Cisco routers as the focus.


As IT pros, we have many stories about end users who did something dumb with their computers (how many times have you heard the CD-ROM drive as a cup holder story?). However, we tend to keep our Cisco networking mistakes to ourselves, right? I am not too bashful to admit that I have taken down a network before due to a dumb mistake that could have been prevented (but I won't tell you what it was). In order to help other network admins avoid costly mistakes, I've come up with a list of 10 dumb things you can do to your Cisco router.

#1: Not having a backup of your Cisco router configuration

While these aren't listed in any particular order, if they were, I would put this one at the top of the most common router mistakes. Picture this: your Cisco router dies, but a replacement is arriving overnight, so your boss is ecstatic. However, you, the Cisco network admin, can't get the new router to pass traffic because you have no backup of the config. Don't get put in the doghouse over this. It's easy to make a backup:

Router# copy running-config tftp:

Bear in mind that the running-config is itself sensitive: it holds your enable secret hash, any type 7 passwords (which are trivially reversible), your SNMP community strings and any VPN pre-shared keys, and TFTP sends it in cleartext to whatever host answers. On an IOS image with SSH support, "copy running-config scp:" does the same job over an encrypted channel; wherever the backup ends up, protect it as carefully as the router itself.

Built into routers with newer IOS versions is IOS configuration archiving, which can automatically copy the router's configuration off the router whenever the configuration is changed. To learn more about it, read "Use the Cisco IOS Archive Command to Archive Your Router's Configuration."

Also, there are many third-party GUI applications that will schedule this for you so that you can "set it and forget it." For example, see my article on Kiwi CatTools and products from ManageEngine OpUtils and PacketTrap pt360 Pro.
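Here is an added example (not the article's code, nor Cisco's) of what a practitioner should do with a backup before storing or sharing it: inventory the credentials it carries. The config it reads is a constructed sample in IOS format with made-up names, addresses, hashes and passwords; the decoder is the fixed-key XOR that "service password-encryption" uses, and redact() produces a copy that is safe to paste into a ticket.

```python
"""Inventory the credentials inside a saved IOS running-config backup.

Added example for this article; not code from the article's author or from
Cisco. SAMPLE_BACKUP is a constructed config that imitates IOS output, and
every hostname, address, hash and password in it is made up.
"""
import re

# Key stream behind "service password-encryption" (type 7): a fixed XOR pad,
# so anyone who holds the backup can recover the passwords in it.
_TYPE7_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

SAMPLE_BACKUP = """\
hostname edge-rtr-1
enable secret 5 $1$salt$MadeUpHashForThisExample
enable password 7 0822455D0A16
username admin privilege 15 password 7 0235015819031B70
crypto isakmp key 7 0235015819031B70 address 198.51.100.2
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 transport input telnet
"""

# Where IOS writes credentials. The digit after the keyword is the encoding:
# 7 = reversible, 0 or absent = cleartext, 5/8/9 = a real hash.
_CRED_RE = re.compile(
    r"^(?P<ctx>enable password|enable secret"
    r"|username \S+(?: privilege \d+)? (?:password|secret)"
    r"|password|tacacs-server key|radius-server key|crypto isakmp key|key-string)"
    r"(?: (?P<type>\d+))? (?P<value>\S+)"
)
_SNMP_RE = re.compile(r"^(?P<ctx>snmp-server community) (?P<value>\S+)")


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: two-digit seed, then hex bytes XORed with the pad."""
    seed, body = int(encoded[:2]), encoded[2:]
    chars = []
    for i in range(0, len(body), 2):
        pad = _TYPE7_XLAT[(seed + i // 2) % len(_TYPE7_XLAT)]
        chars.append(chr(int(body[i:i + 2], 16) ^ ord(pad)))
    return "".join(chars)


def _kind(type_code):
    if type_code == "7":
        return "type 7 (reversible)"
    if type_code in (None, "0"):
        return "cleartext"
    if type_code == "5":
        return "type 5 hash (salted MD5, crackable offline)"
    return f"type {type_code} hash"


def _credential(raw: str):
    """Match a raw config line; a bare 'password' only counts when indented
    (line con/vty blocks), so a top-level 'password encryption aes' is skipped."""
    line = raw.strip()
    m = _CRED_RE.match(line) or _SNMP_RE.match(line)
    if m and m.group("ctx") == "password" and not raw.startswith(" "):
        return None
    return m


def find_secrets(config_text: str) -> list:
    """(line_no, context, kind, recovered_value) for every credential; the
    value is the plaintext for type 7 and cleartext entries, None for hashes."""
    found = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        m = _credential(raw)
        if not m:
            continue
        ctx, value = m.group("ctx"), m.group("value")
        kind = "cleartext" if ctx == "snmp-server community" else _kind(m.group("type"))
        if kind.startswith("type 7"):
            value = decode_type7(value)
        elif kind != "cleartext":
            value = None
        found.append((no, ctx, kind, value))
    return found


def redact(config_text: str) -> str:
    """Copy of the config that is safe to paste into a ticket or e-mail."""
    out = []
    for raw in config_text.splitlines():
        m = _credential(raw)
        if m:
            lead = raw[: len(raw) - len(raw.lstrip())]
            line = raw.strip()
            raw = lead + line[: m.start("value")] + "<REDACTED>" + line[m.end("value"):]
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, ctx, kind, value in find_secrets(SAMPLE_BACKUP):
        print(f"line {no:>2}: {ctx:<38} {kind:<42} {value!r}")
    print(redact(SAMPLE_BACKUP))
```

Run it as-is to see the table and the redacted copy, or point find_secrets() at a real backup to see how much a stolen copy would reveal. Only the enable secret survives as a hash, and even that is a salted MD5 that cracks offline; everything marked type 7 or cleartext is the password itself, which is why the backup needs the same access controls as the router.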

#2: Not having a backup of your Cisco router IOS software

Not only is a Cisco router useless if it isn't properly configured; it is also useless if it has no IOS or the wrong IOS. As a Cisco network admin, you had better keep a repository of every IOS version in use on your routers and switches today, stored on a file share somewhere, together with the MD5 checksum Cisco publishes for each image, so that you can confirm with "verify /md5" that the copy you are about to load is the one Cisco shipped.

By doing this, you can copy the proper IOS back onto a Cisco router that is shipped to you from Cisco or reconfigure another Cisco router (say an older router off the shelf) to take the place of a broken Cisco router.

Backing up the IOS is easy. Just TFTP it to your server with a command like this:

Router# copy flash tftp

You will be prompted for the source filename in flash, the address of the TFTP server and the destination filename.

#3: Not having spare router hardware

I have found Cisco hardware to be extremely reliable. Still, I have had to replace both Cisco routers and switches periodically, over the years. These days, it's not acceptable for the Internet connection to be down for a few days should a Cisco router go bad or an interface in the router start taking errors. You must be prepared to replace that hardware at a moment's notice. The replacement hardware must have the same configuration (or a config that delivers the same network connectivity to the end users) and the IOS should also be the same (or offer the same features as needed by the config).

Trust me, you don't want to be making calls all over the country asking if anyone can overnight you a router for a hefty charge.

If you aren't going to have spare hardware on site, you should at least have a Cisco SMARTnet contract on your router hardware that can deliver a replacement router to you in an acceptable amount of time.

#4: Never document changes

When you discover that you are having networking issues, the first questions are always "when did this start?" and "did we change anything?" By setting up a change documentation or change management procedure, you can have a history of changes -- what was changed and when. If you set up change management, you typically also have approval processes in there so that someone must have tested and then approved the changes before they went in.

Another way to document changes is to use router configuration archiving. To learn more about it read "Use the Cisco IOS Archive Command to Archive Your Router's Configuration."

#5: Don't log your router events

When issues come up in the network, the router logs are the first thing to check. Not only should you have some buffered logs on the router for temporary storage, you should also have a central syslog repository of Cisco router logs, since the buffer is lost on reload and is the first thing an intruder clears. Cisco IOS logging is easy to configure, and you can use a free Linux syslog server or buy one for Windows such as Kiwi Syslog. Two details make the logs worth reading later: synchronize the router's clock with NTP and turn on "service timestamps log datetime msec" so that every message carries a real time you can line up against other devices, and raise the "logging buffered" size above its small default so that the on-box history isn't overwritten before you get to look at it.

To learn all about configuring logging in the Cisco IOS, please see my article "Get to Know Your Logging Options in the Cisco IOS."
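As an added example (not the author's code or Cisco's) that covers both the "did we change anything, and when?" question from #4 and the central syslog repository from #5, the script below triages a handful of constructed syslog lines written in the format an IOS router produces with sequence numbers and millisecond timestamps turned on. The hosts, addresses and user in them are made up, and the three-failure threshold is an arbitrary choice.

```python
"""Triage Cisco IOS syslog lines from a central syslog server.

Added example for this article; not the article author's code or Cisco's.
SAMPLE_SYSLOG is constructed to imitate what a syslog server stores for an
IOS router with "service sequence-numbers" and "service timestamps log
datetime msec" turned on; the hosts, addresses and user are made up.
"""
import re
from collections import Counter

# Syslog server prefix "Mon DD hh:mm:ss host", then the router's own text.
_HEAD_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
# IOS message body: %FACILITY-SEVERITY-MNEMONIC: text
_MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")

SAMPLE_SYSLOG = """\
Mar  1 10:02:11 edge-rtr-1 45: *Mar  1 10:02:10.512 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar  1 10:15:40 edge-rtr-1 46: *Mar  1 10:15:39.871 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Mar  1 10:15:42 edge-rtr-1 47: *Mar  1 10:15:41.903 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Mar  1 11:01:03 edge-rtr-1 48: *Mar  1 11:01:02.114 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 11:01:05 edge-rtr-1 49: *Mar  1 11:01:04.330 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 11:01:08 edge-rtr-1 50: *Mar  1 11:01:07.602 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 11:05:00 branch-rtr-2 12: *Mar  1 11:04:59.018 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed]
Mar  1 11:30:12 branch-rtr-2 13: *Mar  1 11:30:11.455 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar  1 11:40:00 edge-rtr-1 51: *Mar  1 11:39:59.700 UTC: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x6073C8F0, alignment 0
"""


def parse(line: str):
    """Split one stored line into its fields; None if it is not an IOS message."""
    head, msg = _HEAD_RE.match(line), _MSG_RE.search(line)
    if not msg:
        return None
    return {
        "stamp": head.group("stamp") if head else None,
        "host": head.group("host") if head else None,
        "facility": msg.group("facility"),
        "severity": int(msg.group("sev")),
        "mnemonic": msg.group("mnemonic"),
        "text": msg.group("text"),
    }


def triage(lines, failed_login_threshold: int = 3) -> dict:
    """Answer the on-call questions: what changed and when, who is hammering
    the login prompt, and is anything at severity 0-2 (emergency..critical)."""
    events = [e for e in map(parse, lines) if e]
    config_changes = [e for e in events if e["mnemonic"] == "CONFIG_I"]
    failed = Counter()
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED":
            src = re.search(r"\[Source: ([^\]]+)\]", e["text"])
            failed[(e["host"], src.group(1) if src else "?")] += 1
    return {
        "config_changes": config_changes,
        "failed_logins": dict(failed),
        "brute_force": {k: v for k, v in failed.items() if v >= failed_login_threshold},
        "critical": [e for e in events if e["severity"] <= 2],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SYSLOG.splitlines())
    for e in report["config_changes"]:
        print(f"config changed on {e['host']} at {e['stamp']}: {e['text']}")
    for (host, src), n in report["brute_force"].items():
        print(f"{n} failed logins on {host} from {src}")
    for e in report["critical"]:
        print(f"severity {e['severity']} on {e['host']}: %{e['facility']}-{e['severity']}-{e['mnemonic']}")
```

The CONFIG_I entries are the answer to "did we change anything?" even when nobody filed a change ticket, and the repeated LOGIN_FAILED lines from one source are what "login block-for" would have throttled on the router itself. Both are only visible because the messages left the box; on the router, the buffer would have rolled over or been cleared.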

#6: Not upgrading your Cisco IOS

Like any operating system, the Cisco IOS periodically has bugs, some of them security vulnerabilities for which Cisco publishes advisories (see tip #7 on searching for bugs). Plus, over time, you will get new routers with new IOS versions, and you want the IOS versions across your routers to stay compatible. For these reasons and others, keep your Cisco IOS up to date, and try a new release on spare hardware (see tip #3) before it goes onto the production router.

To upgrade your Cisco IOS, see my article "Upgrading" and my video on upgrading your Cisco IOS.

#7: Don't know where to search for Cisco documentation and troubleshooting tips

I get many Cisco IOS technical questions via e-mail, and many of these can be answered by using your favorite search engine. However, here are a couple of tips:

  • Use Google search with the "site:cisco.com" keyword to search only for articles on Cisco's official Web site or the "site:techrepublic.com" keyword to search for articles at TechRepublic.
  • Install the Cisco search toolbars in your browser. With these, you can search the Cisco bug database, look up commands, decode error messages, and check your RMA orders, TAC service requests and Cisco NetPro discussions. Trust me, these tools are very cool and make it easier to find the answer to your Cisco IOS problem. For more information, read "Adding Cisco.com Searches and Tools to Your Browser."

#8: Forgetting your password and not knowing how to reset it

At some point, you may forget the password on a router. Or an admin could leave without telling you the password to a router. While these things happen, what you need to know is how to reset a lost Cisco router password. The standard procedure needs physical access to the console port and a reboot: interrupt the boot to reach ROMMON, set the configuration register to 0x2142 so that the startup-config is ignored, boot, copy the startup-config back into the running-config, set a new enable secret, put the register back to 0x2102 and save. That is also a reminder that anyone who can reach the console can own the router, and that "no service password-recovery" closes that door at the cost of losing the config if you ever lose the password. To do this, check out these two resources:

#9: Not securing your router

Security? Who has time for that, right? Well, if you don't secure your routers and network, it could all be lost (and so could the company's most critical data). Make sure you follow best practices to lock down your routers and your network. At a minimum that means an enable secret rather than an enable password, SSH only (no telnet) on the vty lines with an access-class limiting where management connections may come from, no ip http server, SNMP communities that aren't public or private and are restricted by access list (or SNMPv3), and every unused service switched off. I recommend you start with reading my TechRepublic download on locking down your Cisco IOS router in 10 steps.

#10: Not spending the time to create documentation

Most of us loathe having to create documentation, but let's face it, we forget things and we aren't going to be here forever. Wouldn't you just love to tell a junior admin to "go read my document on how to reset a Cisco router password" when he asks you how to do it? To prevent mistakes and downtime in the future, make sure you keep your Cisco network documentation up to date.

18 comments
curtis

There is an opensource project, ZipTie, that will automatically perform router backups and versioning. You can find it in a VMware VM called NetworkAuthority Inventory. I sleep a lot better with that in place. It also allows you to find out what MAC address and IP address are connected on what switchport on what switch across your whole network. You can also run searches across all configs and push out commands to groups of devices.

rahbm

is to throw it out and buy a NO rip-off alternative, saving heaps of money up front AND down the track. Lifetime warranty? Free software updates? Not from Cisco! They copied proprietary lock-in from Microsoft, just as MS did from IBM. I have to ask why the brand name was even used in this article; surely these points are common-sense for ANY brand of router? Please wake up and smell the savings - there are ALTERNATIVES out there!

Justin James

Here's a subset of #2: accidentally erasing the IOS, thinking that you are wiping the configuration. :) Been there, done that! J.Ja

bott

The newer versions of IOS incorporate a Kron command which will allow you to force the router to archive its config automatically without having to resort to a third party tool. Refer to Cisco for details on the Kron command. Here is the basic code to force a TFTP archive of the config:

kron occurrence Config_Backup at 1:00 recurring
 policy-list TFTP_Backup
!
kron policy-list TFTP_Backup
 cli show startup-config | redirect tftp:///

gfjim

Typing "debug ip packet" in a heavily loaded, very critical, production router... (or any debug command in "those" routers for that matter) boy was that router on its knees in a matter of seconds!! I'm so glad it wasn't me! (I've had my share of dumb mistakes but I'll keep them to myself and the people who found out then ;-) )

rufusion

#12 After several minutes of inputting and testing new configuration commands: # copy start run Oops.

archetype

#11: Applying an ACL that locks you out of your own router. It never hurts to have some peer review before you apply an access control list: someone else might catch the item that would lock you out of the console, telnet, etc. Also the reload 10 command is your friend. If you screw up it will reload the saved config, if you don't screw up you can cancel it.

ron

This one has bitten me more than once. Just last month I was working with a customer who claimed that his 3750 mysteriously "lost its config" (the guy erased his config and then rebooted his device, thinking that it would come back). Luckily the engineer who configured and sent the device out still had the config on his laptop, allowing me to restore it. Problem is, we don't normally keep backup configs of our clients that we set up; we send it out to them and recommend that they back it up... but...

csmith.kaze

and I have worked with a company that had a mixed network and guess which hardware was replaced more often? Not the Cisco. One thing Cisco did not copy from MS is their quality. I wouldn't recommend anything other than Cisco unless it is an absolute no from higher up, and even then I would recommend them.

cisco.kron.bug

Did you have any problems with kron on New Year's Eve? It caused all our routers to crash and reboot constantly.

road-dog

Have the command ready to execute. Then hammer it until the madness stops. I learned this early on and made it a habit. It saved me from looking dumb a few times over the years on heavy traffic routers.

bobbycornetto

Been there man! I love the flexibility of the "copy" command, but "write mem" seems more human error proof.

ddavis

I just wanted to take a second to say Thank You to all of you who read the article and commented! I am glad that you found the article useful! I was impressed with the excellent additional tips that you offered! I will try to combine these into a future article. Thanks for reading TechRepublic! -David Davis

chasbrey

I can't imagine what I would do without Solarwinds Cirrus. I was able to upgrade all my similar switches and routers to the same IOS version across the entire enterprise. I get a daily report of changed configs in every device (why did so-and-so change that port config?). I even get a text when the power goes out in that remote closet on the 3rd floor. I've been able to upload similar configs to new devices for quick deployments and rapid turn around. My boss thinks I have a direct line to The Big Guy. I just learned a few lessons the hard way early on (in the lab?).

John.Schupp

That's not what you should be doing... This being a capitalist society, you should keep a comprehensive list of all switch/router configs that you do, and every time you touch a router/switch you take a copy of the config. Why? Because next time the device "loses" its config you can say "I have a copy right here" and charge an additional fee for having it :) Or if you want to be all customer-service oriented you could just hand it over and create repeat business... I just made you a million dollars.... maybe. You can thank me later.

gfjim

yeah that's what they did, however it was the main edge router carrying data and VoIP traffic for 500+ employees so it took a while before the router regained its strength and the madness stopped.

tedeansiii

You don't even have to type write mem; you can just type wri.