
10 things you can do with the Cisco IOS service command


Are you familiar with the Global Configuration Mode service command? At first, you might not recognize this command, but if you think about it, some well-known commands start with service.

A quick review

The service command is the root of 24 subcommands. Some of these commands are relatively unimportant, but others are so important that you probably know them by heart. However, as you know, many commands seem unimportant -- until you need them.

Again, you must use the service command when in Global Configuration Mode. Here's a look at the 24 subcommands:

TechRepublic-Router# config t
TechRepublic-Router(config)# service ?
   alignment              Control alignment correction and logging
   compress-config        Compress the nvram configuration file
   config                 TFTP load config files
   dhcp                   Enable DHCP server and relay agent
   disable-ip-fast-frag   Disable IP particle-based fast fragmentation
   exec-callback          Enable exec callback
   exec-wait              Delay EXEC startup on noisy lines
   finger                 Allow responses to finger requests
   hide-telnet-addresses  Hide destination addresses in telnet command
   linenumber             enable line number banner for each exec
   nagle                  Enable Nagle's congestion control algorithm
   old-slip-prompts       Allow old scripts to operate with slip/ppp
   pad                    Enable PAD commands
   password-encryption    Encrypt system passwords
   prompt                 Enable mode specific prompt
   pt-vty-logging         Log significant VTY-Async events
   sequence-numbers       Stamp logger messages with a sequence number
   slave-log              Enable log capability of slave IPs
   tcp-keepalives-in      Generate keepalives on idle incoming network connections
   tcp-keepalives-out     Generate keepalives on idle outgoing network connections
   tcp-small-servers      Enable small TCP servers (e.g., ECHO)
   telnet-zeroidle        Set TCP window 0 when connection is idle
   timestamps             Timestamp debug/log messages
   udp-small-servers      Enable small UDP servers (e.g., ECHO)
TechRepublic-Router(config)#service

Of course, it's unlikely you're going to spend the time to memorize all 24 subcommands. To help you out, I've chosen the 10 most important commands you should know.

#1: service dhcp

You can use the service dhcp command to enable or disable the Cisco IOS DHCP server and relay agent. The Cisco IOS enables this command by default.

However, if you're turning on DHCP or it isn't functioning, you should check the status of the service dhcp command. (You can disable the server using the no service dhcp command.)

#2: service linenumber

The service linenumber command notifies the user of the router's or switch's async line number used at login. This can come in handy if you're having problems with your VTY line -- it reminds you what line you're on. It even works on the console. Here's an example:

TechRepublic-Router con0 is now available 

Press RETURN to get started.

TechRepublic-Router line 0

TechRepublic-Router>

#3: service password-encryption

This command should be one you've already enabled. While disabled by default, the service password-encryption command is one that I recommend everyone turn on.

This command encrypts the Cisco IOS passwords stored in the router's NVRAM configuration files. This helps prevent anyone from browsing the passwords if the configuration finds its way to something like a TFTP server.

#4: service nagle

Nagle is a congestion control algorithm used to reduce the transmission of small packets. It's a bandwidth-saving feature for keystroke-based applications (such as Telnet). While the Cisco IOS turns off Nagle by default, you can enable it with the service nagle command.

#5: service prompt config

The service prompt config command displays the configuration prompt. To be honest, I never noticed this command before researching this article. (All the hidden commands in the IOS continue to amaze me.)

If you enter no service prompt config, you'll get no prompt when going into Global Configuration Mode. In other words, you can still type, but you don't get any kind of prompt. This would really throw off someone who wasn't familiar with this command.

Here's an example:

TechRepublic-Router(config)# no service prompt config

^Z

TechRepublic-Router#

TechRepublic-Router# conf t

Enter configuration commands, one per line.  End with CNTL/Z.

service prompt config

TechRepublic-Router(config)#

#6: service sequence-numbers

You can use the service sequence-numbers command to insert sequence numbers into log files. This can be important when log entries are coming really quickly. In fact, they can come so quickly that they appear at the same time. Here's an example of sequence numbers:

000377: *Mar 17 23:06:33.609: %SYS-5-CONFIG_I: Configured from console by console

(where the 000377 is the sequence number)

#7: service tcp-keepalives

You can use the service tcp-keepalives-in and the service tcp-keepalives-out commands to monitor TCP connections to and from the router. They can terminate connections if the router or switch doesn't receive a response from the remote device.

#8: service tcp-small-servers

The Cisco IOS disables the service tcp-small-servers command by default. Enabling this command turns on the following services on the router: Echo, Discard, Chargen, and Daytime.

I don't recommend enabling this service because it could be a security concern. If you see any routers that have this command enabled, I suggest disabling it unless there's a purpose for these services.

#9: service timestamps

You can use the service timestamps command to create timestamps on the router's log files. Since version 11.3, the Cisco IOS has enabled certain timestamps by default, so most of us have this on. However, there are additional timestamp options that you can enable, as well as places where timestamps are probably off by default.

Here's an example of turning on all timestamp options for logging and debugging:

service timestamps log datetime localtime msec show-timezone year 

service timestamps debugging datetime localtime msec show-timezone year

#10: service password-recovery

The service password-recovery command enables the password recovery capability. If you lose the enable-mode password, this lets you recover it by changing the config-register.

The no service password-recovery command can be dangerous. If you use this command, there's no way to recover the enable-mode password if you lose it.
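An audit of a saved running-config against the advice in #3, #7, #8, #9 and #10 above. This is an added example, not code from the article or from Cisco; the sample config is constructed, the keepalive policy is an assumption, and POLICY, service_state and audit are hypothetical names.

```python
import re

# Constructed sample running-config (not from the article).
SAMPLE_CONFIG = """\
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service tcp-small-servers
no service password-recovery
enable password constructed-example
"""

# name -> (IOS default, state this audit wants, finding text keyed to the article)
POLICY = {
    "password-encryption": (False, True, "#3 passwords are stored in clear text"),
    "tcp-small-servers": (False, False, "#8 Echo, Discard, Chargen and Daytime are on"),
    "password-recovery": (True, True, "#10 a lost enable password cannot be recovered"),
    # Assumed policy: the article describes keepalives but does not mandate them.
    "tcp-keepalives-in": (False, True, "#7 dead inbound sessions are never cleared"),
    "tcp-keepalives-out": (False, True, "#7 dead outbound sessions are never cleared"),
}

def service_state(config, name, default):
    """Effective on/off state; a line absent from the config means the default."""
    state = default
    for line in config.splitlines():
        m = re.fullmatch(r"(no )?service " + re.escape(name) + r"( .*)?", line.strip())
        if m:
            state = m.group(1) is None  # a leading "no " turns the service off
    return state

def audit(config):
    findings = []
    for name, (default, wanted, text) in POLICY.items():
        if service_state(config, name, default) != wanted:
            findings.append(f"service {name}: {text}")
    # Assumption: the running-config prints a timestamps line whenever one is set.
    for kind in ("log", "debug"):
        if not re.search(rf"^service timestamps {kind} datetime\b", config, re.M):
            findings.append(f"service timestamps {kind}: #9 no datetime stamp")
    # password-encryption only applies reversible type 7 encoding, so flag this outright.
    if re.search(r"^enable password\b", config, re.M):
        findings.append("enable password: use 'enable secret' instead")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
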

The service command offers plenty of options, but these are the 10 I think are the most important -- do you agree? What do you use the service command for?

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


8 comments
Jimbo Jones

Although "service password-encryption" does encrypt your passwords in the config file, they are encrypted as type 7 passwords which are easily decrypted by any web-based type 7 password decryptor.  The purpose of this command is to obfuscate passwords so people reading over your shoulder don't see plain text passwords scroll by.

If you really want to make your config secure even from hackers who have a copy of your config file, use "enable secret" -- NOT "enable password".  This will encrypt your enable password using an MD5 hash which is much more secure (although you still want to use a long complex password because even MD5 passwords can be cracked with brute force and rainbow tables)

jayasudha_manohar

How do I enable the DHCP service on a Cisco 2500 series router? How do I set the exclusion range, and how do I set up the DHCP service on the client?

gwcarter

Mr. Davis, your post has done me a service. I am not a professional network administrator, but, as chief cook and bottlewasher at this small zoo, such tasks fall to me by default. My sole training for this is a Cisco Intro to Configuration class I attended last year. Your post deals with a subject not covered in that class, and I consider it very valuable. Thank you, sir. More such posts will be welcomed here.

jameshar

In your article, you reference the YEAR at the end of the command.

======================================
service timestamps log datetime localtime msec show-timezone year
service timestamps debugging datetime localtime msec show-timezone year
======================================

I am using IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)S XF7, RELEASE SOFTWARE (fc1)

c6kr1(config)#serv tim de dat ms localtime show-timezone year
(the caret appears under the Y in year...)
% Invalid input detected at '^' marker.

Further testing of this command on other IOS based devices, Cat 3524 and C-2650 routers all verify this command fails. Can you explain why?

fred.newton

Hi James, I am running IOS 12.3(8r)T9, on 2801 with no issues. I do have IOS switches that I'd like to see if the issue exists.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone
service password-encryption