object-group network og-rfc1918 /8 /12 /16
ip access-list extended acl-nat
permit ip object-group og-rfc1918 any
route-map rm-site-a
match ip address acl-nat
match interface FastEthernet0/0
route-map rm-site-b
match ip address acl-nat
match interface FastEthernet1/0
ip nat inside source route-map rm-site-a interface FastEthernet0/0 overload
ip nat inside source route-map rm-site-b interface FastEthernet1/0 overload

This keeps things a bit simpler because the router can rely on the routing table to decide which NAT statement to use (via the exit interface the routing table picks for the destination) rather than hard-coding the destination into the ACLs.

Found this article from Cisco Forum. Credits to original author.

Network Address Translation (NAT) is a very common feature, used both to solve problems and to meet network requirements such as overlapping address spaces and multiple Internet links.

In this short document we will walk through an example business requirement. The main idea is to demonstrate how to implement and configure NAT on a dual-homed Internet edge router in conjunction with other Cisco IOS advanced features (Policy Based Routing (PBR) and IP SLA).

We will also see how all of these features work together, and how IP SLA acts as the gear of this implementation by controlling the exit path of the traffic: it controls both the default route in the routing table and the PBR decision.

Company XYZ.com has bought a second Internet connection with 1 Mbps in addition to the existing one with 512 Kbps.

  • The requirement is to load share the traffic over those two links.
  • Web traffic and telnet traffic must use the new ISP link (ISP2), and all other traffic must go through the old ISP link (ISP1).
  • If either of the above links goes down, all traffic should use the remaining link.

This example has been configured in a lab environment; all the private IP addresses used in this document are only for the purpose of this example.


Proposed solution:

  • According to the above requirements we will use the Policy Based Routing feature to control LAN traffic going to the Internet and which path it uses.
  • All traffic from the LAN subnet destined to TCP 23, 80 and 443 must be routed to the ISP 2 link with next hop
  • All other traffic will go through ISP 2 with next hop of
  • As we do not have any subnet or IP range of our own to use on the Internet, we have to use NAT with the overload option, so that traffic uses the Internet interface IP address of each ISP link. For example, traffic going through ISP 1 will be seen by ISP 1 and the Internet as coming from , and traffic going through ISP 2 will be seen as coming from
  • If one of the links goes down we need all the traffic to use the remaining link. This is achieved here by using IP SLA with ICMP echoes sent to each ISP's next-hop IP address, in our example and
  • The ICMP echo will be sent every 1 second with a timeout of 500 msec.
  • If no ICMP reply is heard from one of those next hops within 1 second, that link will be considered down, the default route in the Internet router pointing to that hop will be withdrawn from the routing table, and the PBR decision will change accordingly.

interface FastEthernet1/0
description LAN interface
ip address
ip nat inside
ip policy route-map PBR    ! this is for policy based routing

interface FastEthernet1/1
description To ISP 1
ip address
ip nat outside
interface FastEthernet2/0
description To ISP 2
ip address
ip nat outside

  • As we can see above, the LAN interface is configured as the inside NAT interface, and a policy-based-routing route-map named PBR is applied to it; the configuration of this route-map is described later.
  • Both Internet ISP links are configured as outside NAT interfaces.

IP SLA configurations:
ip sla 1
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

  • As we can see, IP SLA 1 sends an ICMP echo to the ISP 1 IP address every 1 second, and IP SLA 2 does the same towards ISP 2.

 track 10 rtr 1 reachability
delay down 1 up 1
track 20 rtr 2 reachability
delay down 1 up 1

  • If IP SLA 1 does not get an ICMP reply within 1 second, track 10 will be considered down (from ISP 1).
  • Track 20 does the same for ISP 2.

ip route track 10
ip route track 20

We have two default routes, each pointing to one of the ISPs' IP addresses, and each static default route is associated with the corresponding IP SLA track created above.

In this case, if the ISP 1 link is down the first default route will disappear from the routing table (we will see this through some verification commands later in this document).

access-list 10 permit
access-list 100 permit tcp any eq telnet
access-list 100 permit tcp any eq www
access-list 100 permit tcp any eq 443
access-list 101 permit ip any any

These ACLs will be used by PBR and NAT.
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 1 track 20
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 2 track 10

  • We can see from the above route-map called PBR that we apply several checks to traffic coming from the LAN interface towards the Internet.

The first check is at the ACL level:

If the traffic is sourced from our LAN subnet and going to any destination using TCP 23, 80 or 443, it is matched by ACL 100.

Anything else is matched by ACL 101.

In the case of telnet traffic (TCP 23), the traffic is matched by ACL 100 and route-map sequence 10.

But in this sequence we have another check before we send the traffic to the next hop: we need to make sure this next hop is up and reachable. This is done by the IP SLA / track 20 created above. If this track is up, the traffic will be routed through ISP2 with next hop

If track 20 is down, the static default route pointing to ISP2 will be withdrawn from the routing table, and traffic matched by ACL 100 under sequence 10 of the route-map will be routed according to the normal routing table, which is through ISP1 (because at this stage we have only one static default route left, pointing to ISP1). Any other traffic not matched by ACL 100 uses route-map sequence 30 with the same logic described above.

Now we can see how IP SLA controls both the routing table and the PBR choice!

route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1

Those two route-maps will be used by the NAT commands.

Please note that each of the route-maps has a match interface clause; this interface represents the exit interface for that NAT statement.

This clause is important: without it the router will always use the first NAT statement, and in our example all our traffic would be sourced from !!

We will see the effect of removing match interface from the route-maps later in this document.

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload

These are simply our NAT commands, each with its corresponding interface and route-map.
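To make the interaction between the ACLs, the PBR route-map, the tracked default routes and the NAT route-maps concrete, here is an added Python model of the decision chain described above. It is not code from the original article: the article's real addresses were not preserved, so every address below is a constructed placeholder from the documentation ranges, while the interface names, ACL numbers, route-map sequence numbers and track numbers are the article's own. The last scenario reproduces the failure mode the author demonstrates later (NAT route-maps without match interface).

```python
"""Model of the PBR + IP SLA + NAT decision chain described above.

Added illustration, not code from the original article. All addresses are
constructed placeholders; interface names, sequence and track numbers follow
the article's configuration.
"""

# Constructed placeholder addressing (assumption, not from the article).
ISP1_IF, ISP1_NEXT_HOP, ISP1_OUTSIDE_IP = "FastEthernet1/1", "198.51.100.1", "198.51.100.2"
ISP2_IF, ISP2_NEXT_HOP, ISP2_OUTSIDE_IP = "FastEthernet2/0", "203.0.113.1", "203.0.113.2"
LAN_PREFIX = "192.168.1."  # the subnet matched by access-list 10 / access-list 100

# "ip route 0.0.0.0 0.0.0.0 <next-hop> track N": a route exists only while its track is up.
DEFAULT_ROUTES = [
    {"next_hop": ISP1_NEXT_HOP, "interface": ISP1_IF, "track": 10},
    {"next_hop": ISP2_NEXT_HOP, "interface": ISP2_IF, "track": 20},
]


def acl_100(pkt):
    """access-list 100: permit tcp <LAN> any eq telnet / www / 443"""
    return (pkt["src"].startswith(LAN_PREFIX) and pkt["proto"] == "tcp"
            and pkt["dport"] in (23, 80, 443))


def acl_101(pkt):
    """access-list 101: permit ip any any"""
    return True


# route-map PBR: (sequence, match ACL, "set ip next-hop verify-availability" target, track)
PBR = [(10, acl_100, ISP2_NEXT_HOP, 20),
       (30, acl_101, ISP1_NEXT_HOP, 10)]

# "ip nat inside source route-map <name> interface <if> overload", in configured order.
# Each entry: (route-map name, "match interface" clause or None, address used as NAT source)
NAT_WITH_MATCH_IF = [("ISP1", ISP1_IF, ISP1_OUTSIDE_IP), ("ISP2", ISP2_IF, ISP2_OUTSIDE_IP)]
NAT_WITHOUT_MATCH_IF = [("ISP1", None, ISP1_OUTSIDE_IP), ("ISP2", None, ISP2_OUTSIDE_IP)]


def routing_table_exit(tracks):
    """Exit interface from the plain routing table: the first default route whose track
    is up (with both up IOS would load-share; the first is taken here for clarity).
    Returns None when both defaults have been withdrawn."""
    for route in DEFAULT_ROUTES:
        if tracks.get(route["track"], False):
            return route["interface"]
    return None


def policy_route_exit(pkt, tracks):
    """PBR decision: the first matching sequence wins; its next hop is used only while the
    verify-availability track is up, otherwise the packet falls back to the routing table."""
    for _seq, acl, next_hop, track in PBR:
        if acl(pkt):
            if tracks.get(track, False):
                return next(r["interface"] for r in DEFAULT_ROUTES if r["next_hop"] == next_hop)
            return routing_table_exit(tracks)
    return routing_table_exit(tracks)


def nat_source(pkt, exit_if, nat_statements):
    """The first NAT statement whose route-map matches wins: ACL 10 (LAN source) plus,
    when present, 'match interface' compared against the actual exit interface."""
    for _name, match_if, outside_ip in nat_statements:
        if pkt["src"].startswith(LAN_PREFIX) and (match_if is None or match_if == exit_if):
            return outside_ip
    return pkt["src"]  # no statement matched: packet leaves untranslated


def forward(pkt, tracks, nat_statements=NAT_WITH_MATCH_IF):
    """Return (exit interface, translated source address), or None if unroutable."""
    exit_if = policy_route_exit(pkt, tracks)
    if exit_if is None:
        return None
    return exit_if, nat_source(pkt, exit_if, nat_statements)


def lan_packet(proto, dport=None):
    """Constructed packet from a LAN host."""
    return {"src": "192.168.1.10", "proto": proto, "dport": dport}


if __name__ == "__main__":
    both_up = {10: True, 20: True}
    print("telnet, both up:         ", forward(lan_packet("tcp", 23), both_up))
    print("icmp, both up:           ", forward(lan_packet("icmp"), both_up))
    print("icmp, ISP1 track down:   ", forward(lan_packet("icmp"), {10: False, 20: True}))
    print("telnet, ISP2 track down: ", forward(lan_packet("tcp", 23), {10: True, 20: False}))
    print("telnet, no match interface:",
          forward(lan_packet("tcp", 23), both_up, NAT_WITHOUT_MATCH_IF))
```

Running it shows telnet leaving via FastEthernet2/0 with the ISP2 address while ICMP leaves via FastEthernet1/1; when track 10 goes down, ICMP falls back to ISP2 and is translated with the ISP2 address, exactly as the debug output below shows. In the final scenario the packet still exits ISP2 but carries the ISP1 address, because without match interface the first NAT statement always wins.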


For verification purposes we will use a loopback interface created on both ISP routers in our example to represent a destination on the Internet,

which is 100.100.100.100/32

show ip route
Routing entry for, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
      Route metric is 0, traffic share count is 1
      Route metric is 0, traffic share count is 1

We have two default routes in our routing table, which means both ISP routers' IP addresses are reachable by the IP SLA ICMP echoes.

show route-map PBR
route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop verify-availability 1 track 20 [up]
  Policy routing matches: 24 packets, 1446 bytes
route-map PBR, permit, sequence 30
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop verify-availability 2 track 10  [up]
  Policy routing matches: 60 packets, 6840 bytes

Both SLA tracks 10 and 20 are in the UP state, as shown in the route-map show command.

Now let's ping from an internal host in the subnet, and enable NAT debugging on the Internet edge router to see the translated traffic.


*Dec 19 20:24:44.103: NAT*: s=>, d= [80]
*Dec 19 20:24:44.371: NAT*: s=, d=> [80]

This shows us that the ICMP traffic was translated to -> ,

which means the ICMP traffic was matched by ACL 101 and, because track 10 is up, it was sent to and then translated using NAT.

This is the PBR debug output for the above ping:

*Dec 19 20:25:12.247: IP: s= (FastEthernet1/0), d=, len
100, FIB policy match
*Dec 19 20:25:12.251: IP: s= (FastEthernet1/0), d=, g=19, len 100, FIB policy routed
*Dec 19 20:25:12.259: NAT*: s=>, d= [81]
*Dec 19 20:25:12.623: NAT*: s=, d=> [81]

Now lets see the result when we do a telnet session from the internal network:


*Dec 19 20:26:00.375: IP: s= (FastEthernet1/0), d=, len
44, FIB policy match
*Dec 19 20:26:00.375: IP: s= (FastEthernet1/0), d=, g=17, len 44, FIB policy routed
*Dec 19 20:26:00.383: NAT*: s=>, d= [57504]    <-- the traffic used the link
*Dec 19 20:26:01.159: NAT*: s=, d=> [25782]

Let's shut down the ISP1 link to simulate a link failure and see how IP SLA behaves in this situation:


*Dec 19 20:27:54.139: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down
*Dec 19 20:27:57.895: NAT*: s=>, d= [82]
*Dec 19 20:27:58.099: NAT*: s=, d=> [82]

Now our ICMP traffic matched by ACL 101 is using the ISP2 link, with as the source IP.

We can see below that the interface connected to ISP 1 is still up, but because the next hop is not reachable via ICMP, IP SLA removed the default route that uses the ISP1 next hop from the routing table.

Interfaces are up/up, but the default route to ISP1 disappeared because of SLA track 10:

FastEthernet1/0          YES NVRAM  up                    up
FastEthernet1/1          YES NVRAM  up                    up
FastEthernet2/0          YES manual up                    up

show ip route
Routing entry for, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
      Route metric is 0, traffic share count is 1

Let's bring it back up now:

*Dec 19 20:31:29.143: %TRACKING-5-STATE: 10 rtr 1 reachability Down->Up

Routing entry for, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
      Route metric is 0, traffic share count is 1
      Route metric is 0, traffic share count is 1


*Dec 19 20:32:15.559: NAT*: s=>, d= [183]
*Dec 19 20:32:16.071: NAT*: s=, d=> [183]

Now let's remove the match interface command from each of the NAT route-maps and see the result:

(config)#route-map ISP1
(config-route-map)#no ma
(config-route-map)#no match in
(config-route-map)#no match interface fa1/1
(config-route-map)#route-map ISP2
(config-route-map)#no ma
(config-route-map)#no match int fa2/0

#clear ip nat translation *

Then when we ping and telnet we will see that all the traffic is translated to , regardless of which exit the traffic is using!!!


*Dec 19 20:33:47.615: NAT*: s=>, d= [184]
*Dec 19 20:33:48.067: NAT*: s=, d=> [184]

*Dec 19 20:34:51.675: NAT*: i: tcp (, 21603) -> (, 23) [
*Dec 19 20:34:51.679: NAT*: i: tcp (, 21603) -> (, 23) [
*Dec 19 20:34:51.683: NAT*: s=>, d= [64704]
*Dec 19 20:34:51.847: NAT*: o: tcp (, 23) -> (, 21603)
*Dec 19 20:34:51.847: NAT*: s=, d=> [52374]
*Dec 19 20:34:52.123: NAT*: i: tcp (, 21603) -> (, 23) [

Let's put match interface back on the NAT route-maps:

*Dec 19 20:36:23.379: NAT*: i: icmp (, 16) -> (, 16) [18
*Dec 19 20:36:23.383: NAT*: i: icmp (, 16) -> (, 16) [18
*Dec 19 20:36:23.387: NAT*: s=>, d= [185]
*Dec 19 20:36:23.827: NAT*: o: icmp (, 16) -> (, 16) [
*Dec 19 20:36:23.827: NAT*: s=, d=> [185]


*Dec 19 20:36:52.099: NAT*: i: tcp (, 16305) -> (, 23) [
*Dec 19 20:36:52.099: NAT*: i: tcp (, 16305) -> (, 23) [
*Dec 19 20:36:52.103: NAT*: s=>, d= [46655]
*Dec 19 20:36:52.259: NAT*: o: tcp (, 23) -> (, 16305)
*Dec 19 20:36:52.259: NAT*: s=, d=> [41145]
*Dec 19 20:36:52.355: NAT*: i: tcp (, 16305) -> (, 23) [
*Dec 19 20:36:52.359: NAT*: s=>, d= [46656]
*Dec 19 20:36:52.375: NAT*: i: tcp (, 16305) -> (, 23) [

To conclude the above configuration example: by using NAT together with other Cisco IOS features, in particular IP SLA, the network becomes more automated and reliable. We can track next-hop reachability, and we may use other advanced IP SLA features such as link jitter measurement in case we carry VoIP traffic. By using PBR we were also able to classify our traffic and send it over the two links according to the requirements, avoiding congesting one link while leaving the other as a passive backup only.

Thank you
Marwan Alshawi

In Windows Server 2012 Microsoft added the DHCP failover feature. However, this feature does not replicate MAC filter lists (Allow/Deny). The script below synchronizes the DHCP MAC filter database. Link to original post: http://sysadminreference.blogspot.com/2014/02/dhcp-fail-over-service-do-not.html

Paste the script below into PowerShell ISE:

[code language="powershell"]
$MasterServerHostname = "MasterDHCPFQDN"

# Get the LOCAL filters from localhost
$lfilters = Get-DhcpServerv4Filter

# Get the REMOTE filters from $MasterServerHostname
$rfilters = Invoke-Command -ComputerName $MasterServerHostname { Get-DhcpServerv4Filter }

# Delete the local filter set (disabled by default; uncomment to wipe local entries before import)
#ForEach ($filter in $lfilters) {
#    Remove-DhcpServerv4Filter -MacAddress $filter.MacAddress
#}

# Import the remote filter set (-Force overwrites an entry that already exists locally)
ForEach ($filter in $rfilters) {
    Write-Host $filter.List
    Write-Host $filter.MacAddress
    Write-Host $filter.Description
    Add-DhcpServerv4Filter -List $filter.List -Force -MacAddress $filter.MacAddress -Description $filter.Description
}
[/code]

Script to check the number of MAC address records, to ensure all DHCP servers have the same count (optional):
[code language="powershell"]
del C:\MAC\LocalMacList.txt
Get-DhcpServerv4Filter -List Allow > C:\MAC\LocalMacList.txt
Get-Content C:\MAC\LocalMacList.txt | Measure-Object
[/code]

Install xrdp

apt-get install xrdp

Configure xrdp


apt-get install gnome-session-fallback
echo gnome-session --session=gnome-fallback > ~/.xsession

Xfce (xubuntu)

echo xfce4-session > ~/.xsession

LXDE (lubuntu)

echo lxsession -s Lubuntu -e LXDE > ~/.xsession


There are many ways of doing this. The scenario and configuration are flexible enough, depending on what you want to achieve.

The easy way

My review: This provides the simplest method; poisoned DNS records are redirected to , which makes pages load longer because no content is served at (the browser waits until the connection times out). However, this script lets you manually control the white list and black list of domains.

My review: The script will attempt to create another interface alias and run pixelserv (a simple web server serving a 1×1 pixel transparent GIF) on that interface. However, you will not be able to manually control the white/black list as with the previous script.

My method

Again, this might not be the best way, but it serves my requirements. I'll be using the same script, except that I tweaked it to suit my environment.

Step 1: Create interface alias
I need pixelserv to run on a different IP address (say my LAN IP is , and I want pixelserv to run on so that uhttpd can keep listening on for LuCI). Add the interface below to /etc/config/network:

#nano /etc/config/network
config interface 'lan2'
	option ifname 	'eth0'
	option proto	'static'
	option ipaddr 	''
	option netmask	''

Restart the network interfaces:
#/etc/init.d/network restart

Verify that the new interface alias was created:

[email protected]:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:  Bcast:  Mask:
          RX packets:629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:73752 (72.0 KiB)  TX bytes:393608 (384.3 KiB)

eth0      Link encap:Ethernet  HWaddr 08:00:27:9A:88:DD
          inet addr:  Bcast:  Mask:
          RX packets:633 errors:0 dropped:0 overruns:0 frame:0
          TX packets:769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82836 (80.8 KiB)  TX bytes:528224 (515.8 KiB)

eth1      Link encap:Ethernet  HWaddr 08:00:27:9C:1E:FF
          inet addr:  Bcast:  Mask:
          RX packets:157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15482 (15.1 KiB)  TX bytes:13962 (13.6 KiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1648 (1.6 KiB)  TX bytes:1648 (1.6 KiB)

[email protected]:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default                                         UG    0      0        0 eth1
                *                               U     0      0        0 eth1
                *                               U     0      0        0 br-lan
                *                               U     0      0        0 eth0

Step 2: Pixelserv setup
We already have a web server installed on the router (serving LuCI); we just need to configure a new uHTTPd server instance.

mkdir /www_pixelserv
wget -O /www_pixelserv/blank.gif http://probablyprogramming.com/wp-content/uploads/2009/03/tinytrans.gif

Edit /etc/config/uhttpd

config uhttpd 'main'
list listen_http ''
list listen_https ''
option home '/www'

config uhttpd 'pixelserv'
list listen_http ''
option home '/www_pixelserv'
option error_page '/blank.gif'

Restart uhttpd:

/etc/init.d/uhttpd restart

Step 3: Adblock for dnsmasq
Follow the installation instructions at https://gist.github.com/teffalump/7227752
For adblock.sh, add following lines to with

#Download and process the files needed to make the lists (add more, if you want)
wget -qO- "http://adaway.org/hosts.txt"|grep "^" >> /tmp/block.build.list

#Replace with
sed -i 's/' /tmp/block.build.list
#Add black list, if non-empty
[ -s "/etc/black.list" ] && sed -e 's/^/\t/g' /etc/black.list >> /tmp/block.build.list


The method mentioned above (creating an interface alias) is valid for interfaces that do not have VLAN tagging. In my case eth0 is tagged with VLAN 500 and VLAN 600 (eth0.500 and eth0.600) and I cannot find any documentation for creating an alias on tagged interfaces. As a workaround I've changed the pixelserv uhttpd to listen on , while the router web UI (LuCI) listens on port 443.

This is my modified adblock.sh:

#!/bin/sh
#Put in /etc/adblock.sh

#Script to grab and sort a list of adservers and malware

#Delete the old block.hosts to make room for the updates
rm -f /etc/block.hosts

#Download and process the files needed to make the lists (add more, if you want)
wget -qO- http://www.mvps.org/winhelp2002/hosts.txt| sed 's/' |grep "^" > /tmp/block.build.list
wget -qO- http://www.malwaredomainlist.com/hostslist/hosts.txt|grep "^" >> /tmp/block.build.list
wget -qO- "http://hosts-file.net/.\ad_servers.txt"|grep "^" >> /tmp/block.build.list
wget -qO- "http://adaway.org/hosts.txt"|grep "^" >> /tmp/block.build.list

#Replace with
sed -i 's/' /tmp/block.build.list
#Add black list, if non-empty
[ -s "/etc/black.list" ] && sed -e 's/^/\t/g' /etc/black.list >> /tmp/block.build.list

#Sort the download/black lists (strip CR from DOS line endings first)
sed -e 's/\r//g' -e 's/^[ ]\+/\t/g' /tmp/block.build.list|sort|uniq > /tmp/block.build.before

if [ -s "/etc/white.list" ]; then
    #Filter the blacklist, suppressing whitelist matches
    sed -e 's/\r//g' /etc/white.list > /tmp/white.list
    grep -vf /tmp/white.list /tmp/block.build.before > /etc/block.hosts
    rm -f /tmp/white.list
else
    #No whitelist: use the sorted list as-is
    cat /tmp/block.build.before > /etc/block.hosts
fi

#Delete files used to build list to free up the limited space
rm -f /tmp/block.build.before
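The shell pipeline above has to survive a few awkward inputs: upstream hosts files arrive with CRLF line endings, carry trailing comments and every one of them contains a localhost entry that must never be pointed at pixelserv, while grep -vf treats each whitelist line as a pattern rather than an exact name. The added Python example below reproduces the same build steps (extract, merge the black list, de-duplicate, subtract the white list, rewrite every entry to the pixelserv address) so those edge cases are explicit; it is not the gist's code, the sample inputs are constructed, network fetching is left to the caller, and PIXELSERV_IP is a placeholder for the alias address.

```python
"""Build the dnsmasq blocking list that adblock.sh assembles.

Added example, not the gist's code. Takes hosts-format text already downloaded,
normalises it and emits /etc/block.hosts content. Sample data is constructed.
"""
import re

PIXELSERV_IP = "192.168.1.2"  # constructed placeholder for the address given to the 'lan2' alias

# Upstream hosts files map ad hosts to 0.0.0.0 or 127.0.0.1; anything else is ignored.
HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9.-]+)$")

# Entries present in every upstream file that must never be pointed at pixelserv.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}


def hostnames_from_hosts_file(text):
    """Yield hostnames from hosts-format text (handles CRLF endings and trailing comments)."""
    for raw in text.splitlines():             # splitlines() consumes \r\n as well as \n
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        match = HOSTS_LINE.match(line)
        if match and match.group(1).lower() not in NEVER_BLOCK:
            yield match.group(1).lower()


def _plain_lines(text):
    """Bare hostname per line, as /etc/black.list and /etc/white.list are written."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def build_block_hosts(upstream_files, black_list="", white_list="", sink_ip=PIXELSERV_IP):
    """Return the text of /etc/block.hosts: one '<sink_ip>\\t<host>' line per blocked host."""
    hosts = set()
    for text in upstream_files:
        hosts.update(hostnames_from_hosts_file(text))   # sort | uniq happens via the set
    hosts.update(_plain_lines(black_list))
    allowed = _plain_lines(white_list)
    # grep -vf applies each white-list line as a pattern, so 'example.org' also
    # unblocks 'tracker.example.org'; substring matching mirrors that behaviour.
    blocked = [h for h in sorted(hosts) if not any(a in h for a in allowed)]
    return "".join(f"{sink_ip}\t{h}\n" for h in blocked)


# Constructed sample inputs in the formats the upstream lists actually use.
SAMPLE_MVPS = "# MVPS style, CRLF endings\r\n0.0.0.0 ads.example.net\r\n0.0.0.0 ads.example.net\r\n"
SAMPLE_ADAWAY = "127.0.0.1  localhost\n127.0.0.1 tracker.example.org # trailing comment\n::1 ip6-localhost\n"
SAMPLE_BLACK_LIST = "bad.example.test\n# a comment\n"
SAMPLE_WHITE_LIST = "example.org\n"


def demo():
    """Build the list from the constructed samples above."""
    return build_block_hosts([SAMPLE_MVPS, SAMPLE_ADAWAY], SAMPLE_BLACK_LIST, SAMPLE_WHITE_LIST)


if __name__ == "__main__":
    print(demo(), end="")
```

With the sample data the duplicate ads.example.net collapses to one entry, localhost is dropped, tracker.example.org is removed by the example.org whitelist pattern, and bad.example.test from the black list is added; the output is ready to be referenced from dnsmasq as an additional hosts file, as the gist does.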




AUTHOR: [email protected]

Install the ‘curl’ package:

# opkg update
# opkg install curl

Next, create a script and call it /root/rc.ddns_opendns.sh:


#!/bin/sh
# -k disables TLS certificate verification, so the credentials would be sent to
# any host that answers as updates.opendns.com; drop -k once a CA bundle the
# router can use to verify the site is installed.
/usr/bin/curl -4 -k -u username:password "https://updates.opendns.com/account/ddns.php?"

Make the script executable:

# chmod +x /root/rc.ddns_opendns.sh

Next, create another script and call it /etc/hotplug.d/iface/100-opendns:


# hotplug runs this for every interface event; only act when an interface comes up
if [ "$ACTION" = ifup ]; then
    /root/rc.ddns_opendns.sh > /dev/null 2>&1
fi

This will update your IP with OpenDNS whenever you reboot or reconnect.

One of the benefits of using OpenDNS is their web content filter. Log in to your account on OpenDNS
and start configuring the content filter for your network. Choose Custom and select the categories
you want the content filter to apply to for your home/office network.

Click Apply and wait for roughly 5 minutes for it to take effect. Your network is now protected.

Reference: https://lemur.mybsd.org.my/drl/OpenWRT/DDNS_OpenDNS_OpenWRT.txt

Some very useful IOS tips from PacketLife

Keyboard shortcuts

These shortcuts can be used to speed up operating with the CLI:

Ctrl+B or Left Move the cursor one character to the left
Ctrl+F or Right Move the cursor one character to the right
Esc, B Move the cursor one word to the left
Esc, F Move the cursor one word to the right
Ctrl+A Move cursor to the beginning of the line
Ctrl+E Move cursor to the end of the line
Ctrl+P or Up Retrieve last command from history
Ctrl+N or Down Retrieve next command from history
Ctrl+T Swap the current character with the one before it
Ctrl+W Erase one word
Ctrl+U Erase the entire line
Ctrl+K Erase all characters from the current cursor position to the end of the line
Ctrl+X Erase all characters from the current cursor position to the beginning of the line
Ctrl+L Reprint the line
Ctrl+C Exit configuration mode
Ctrl+Z Apply the current command and exit configuration mode

Filter output

Most show commands support filtering with the pipe (|) character, allowing a user to display only the information he’s looking for.

Switch# show interface status | include notconnect
Gi1/0/7                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/9                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/22                        notconnect   1          auto   auto 10/100/1000BaseTX

Filter options are include, exclude, and begin. The remaining characters after one of these filter types are processed as a regular expression, which could be a simple string (as in the example above) or something a bit more complex. The example below demonstrates filtering for interface numbers and any assigned IP addresses.

Switch# show run | include interface|ip address
interface FastEthernet0
 ip address
interface FastEthernet1
interface FastEthernet2
 ip address
 ip address secondary
interface FastEthernet3

You can also filter by section. Thanks to Carl Baccus for reminding me to include this.

R1# show run | section bgp
router bgp 100
 no synchronization
 redistribute connected
 neighbor remote-as 200
 neighbor remote-as 300
 no auto-summary

Skip through the configuration

You can begin viewing a configuration with the begin filter:

Router# show run | begin interface
interface FastEthernet0/0
 no ip address

You can also skip forward to a certain line once you’ve already begun viewing the configuration by hitting / at the --More-- prompt, followed by the string you want to match:

Router# sh run
Building configuration...

Current configuration : 601 bytes
version 12.4
interface FastEthernet0/0
 no ip address

Do the do

Exec commands can be issued from within configuration mode via the do command. This can be handy for double-checking the current configuration before applying any changes.

Switch(config-if)# do show run int f0
Building configuration...

Current configuration : 31 bytes
interface FastEthernet0
description Internal LAN
ip address

Insert question marks

You can insert question marks into literal strings (such as interface descriptions) by typing CTRL+V immediately before the question mark. This acts as an escape character and prevents the command line from summoning the help menu.

Switch(config-if)# description Where does this go[ctrl+v]?

The interface description will appear as “Where does this go?”

Disable domain lookup on typos

Don’t you hate it when this happens?

Switch# shrun
Translating "shrun"...domain server (
% Unknown command or computer name, or unable to find computer address

You can disable automatic DNS lookups with no ip domain-lookup, which will remove the delay before returning a new console prompt. However, this will also prevent you from referencing remote hosts by name, for example when telneting.

Switch(config)# no ip domain-lookup
Switch# shrun
Translating "shrun"
% Unknown command or computer name, or unable to find computer address

Another option is to leave DNS enabled, but configure your console ports and vtys to have no preferred transport for logging in to remote devices.

Router(config)# line console 0
Router(config-line)# transport preferred none
Router# asdfxyz
% Invalid input detected at '^' marker.


You can no longer telnet by typing an IP address on the console; instead use the “telnet” or “ssh” commands to connect to the desired hostname or IP address.

Synchronous logging

When logging to the console is enabled, a Cisco device will often dump messages directly to the screen. This can become irritating when it interrupts you in the midst of typing a command. (FYI, you can continue typing normally and the command will still take, but this still throws some people off.)

Synchronous logging can be enabled to “clean up” the CLI when this happens, outputting a fresh prompt below the message, along with any partially completed command.

Switch(config)# line con 0
Switch(config-line)# logging synchronous
Switch(config)# line vty 0 15
Switch(config-line)# logging synchronous

Revert a configuration to its default

The default command, called from global configuration, can be used to revert any part of a configuration to its default value (which is often nothing). For example, it can be used to remove all configuration from a particular interface:

Switch(config)# default g1/0/5
Interface GigabitEthernet1/0/5 set to default configuration
Switch(config)# ^Z
Switch# show run int g1/0/5
Building configuration...

Current configuration : 38 bytes
interface GigabitEthernet1/0/5

Show only applied access lists

For reasons unknown to me, IOS doesn’t include a command to view what interfaces have ACLs applied. The closest we can get is drudging through the entire output of show ip interface. But, with a little ingenuity and the help of regular expressions, we can summon an efficient view of where our ACLs are applied.

Switch# sh ip int | inc line protocol|access list is [^ ]+$
FastEthernet0 is up, line protocol is down
FastEthernet1 is up, line protocol is up
  Inbound  access list is prohibit-web
FastEthernet2 is up, line protocol is up
  Inbound  access list is 42
FastEthernet3 is up, line protocol is down
FastEthernet4 is up, line protocol is up

For those curious, the regex above matches a line which either a) contains the string “line protocol”, or b) contains the string “access list is ” followed by a single word. This matches an ACL number or name (which can’t contain spaces) but not “not set”.

Speed up running-config display

When the show running-config command is issued, the output has to be assembled from numerous values in memory into the human-friendly display you see on the CLI. Unfortunately, the longer your configuration is, the more time this takes. IOS 12.3T introduced a feature to cache the running configuration text for quicker output:

Router(config)# parser config cache interface

Changing the break character to Ctrl+C

Router(config)# line vty 0 15
Router(config-line)# escape-character 3
Router(config)# line con 0
Router(config-line)# escape-character 3

Show running configuration with all defaults

Append the full command to show running-config to include all the default statements which are normally hidden for brevity.

Reload command

One of the classic mistakes is to incorrectly update an access-list on an interface when you are connected to the device remotely. And suddenly, the Telnet connection is dropped to the router because of a forgotten list entry that would permit your incoming connection.

When you are doing something tricky, you can use the following feature of the reload command, which causes the router to reboot in a certain number of minutes. For example, let’s tell the router to reboot in three minutes.

Router# reload in 3
    Reload scheduled in 3 minutes
Proceed with reload? [confirm]

Now, we have three minutes to do what we need to do. Let’s say we are applying an access-list to serial0.

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial0
Router(config-if)# ip access-group 110 in
Router(config-if)# ^Z

We made the change and everything still works. (Well, at least our connection wasn't dropped.) Now all we have to do is cancel the impending reload with the following command:

Router# reload cancel

If the reload is not canceled, all the changes made will be discarded since they only exist in the running configuration.

Decrypting type-7 passwords in house on a device

A good way to catch trailing spaces within passwords

Router(config)#username user1 password 0 pass1word
Router#sh run | inc username
username user1 password 0 pass1word

Router(config)#service password-encryption
Router#sh run | inc username
username user1 password 7 06160E325F1F1E161713


Router(config)# key chain TEST
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string 7 06160E325F1F1E161713

Router(config-keychain-key)#sh key chain TEST
Key-chain TEST:
    key 1 -- text "pass1word"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
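The key-chain trick works because type 7 is not encryption: it is an XOR against a fixed, publicly documented key table, so anyone who can read the configuration can recover the password. From a defender's side the useful tool is an audit that finds every such line so it can be migrated to secret (type 5/8/9) or, for key-strings, set from a secret store. The following Python example does that; it is added here and is not from the PacketLife article. decode_type7() reproduces the on-device decoding shown above, and SAMPLE_CONFIG is constructed around the page's own value (the type-5 hash in it is an obvious placeholder).

```python
"""Audit an IOS configuration for type-7 (reversible) passwords.

Added example, not from the PacketLife article. Flags every 'password 7' and
'key-string 7' entry and shows why it matters by recovering the plaintext,
which is what the key-chain trick above demonstrates on the device itself.
"""
import re

# The fixed 53-byte key table IOS uses for type-7 obfuscation.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded):
    """Reverse a type-7 string: a two-digit decimal seed followed by hex bytes,
    each XORed with successive key-table bytes starting at the seed offset."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string: %r" % encoded)
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _XLAT[(seed + i) % len(_XLAT)]) for i, b in enumerate(body))


# Matches 'password 7 <hex>' and 'key-string 7 <hex>' with any leading command words.
TYPE7_LINE = re.compile(r"^\s*(?P<prefix>.*?)(?:password|key-string)\s+7\s+(?P<hex>[0-9A-Fa-f]+)\s*$")


def audit_config(config_text):
    """Return (line number, stripped line, recovered plaintext) for every type-7 entry."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = TYPE7_LINE.match(line)
        if m:
            findings.append((lineno, line.strip(), decode_type7(m.group("hex"))))
    return findings


# Constructed sample configuration; the type-7 value is the one shown on the page above,
# and the type-5 line carries a placeholder rather than a real hash.
SAMPLE_CONFIG = """\
service password-encryption
username user1 password 7 06160E325F1F1E161713
username admin secret 5 $1$CONSTRUCTED$placeholderhash
key chain TEST
 key 1
  key-string 7 06160E325F1F1E161713
"""

if __name__ == "__main__":
    for lineno, line, plain in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {line}  -> reversible, recovers {plain!r}")
```

Run against a saved show running-config, the audit reports lines 2 and 6 of the sample and recovers "pass1word" for both, matching the key-chain output above; the secret 5 line is correctly left alone because that hash cannot be reversed this way.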

Using command aliases

You can speed up your routine operations in IOS if you create aliases for often-used commands, for example:

Router(config)# alias exec sip show ip interface brief
Router(config)# exit
Router#  sip
Interface           IP-Address            OK? Method Status              Protocol
FastEthernet0/0           YES manual up                  up

When I received my Pioneer AVH-X5650BT 2DIN player, I was struggling to play any video files from any media. The product manual provides only very brief information on the supported video formats. I was very frustrated, always getting the “unplayable file” error message. I was surprised that there are actually a few limitations and requirements for the player to recognize video files.

Rule of Thumb

  • Maximum height cannot exceed 404 pixels or else you will get “resolution not supported”.
  • Some user reported maximum resolution is 720×576. I haven’t tried this.
  • Maximum total bitrate must not exceed 1000kbps.
  • Avoid underscore in filename.

Converting your video files

Download the DivX video converter and install it.
Load the video files that need to be converted, and select the “HD 720p” profile.
Modify the resolution: tick maintain aspect ratio and adjust the height to 404.
Keep an eye on the total bitrate and make sure it does not exceed 1000 kbps. You can tune the value by adjusting the video bitrate.

Save the preset so that you can load the profile in the future.



Feel free to share your setting or anything that can improve this post.

From the Owner Manual
(pages from the owner's manual were reproduced as images in the original post)

Download AVH-X5650BT, AVH-X4650DVD, AVH-X2650BT & AVH-X1650DVD User Manual


VPN Mode (Layer 2 or Layer 3)


Layer 2 = Uses a TAP interface and bridges your LAN to the VPN client. The VPN client resides within the same segment, so LAN broadcasts work in this mode. Considered legacy; only the Windows VPN client supports this method.

Layer 3 = Uses a TUN interface; VPN clients are given addresses from a pool that is different from the VPN segment. Better control; most enterprise VPN deployments use this method.



Create VPN User

By default OpenVPN Access Server uses PAM authentication, so to add a new VPN client we can simply add a new user to our Linux server.

[email protected]:~# useradd nas
[email protected]:~# passwd nas
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

If you checked “Allow Auto-login”, your VPN client will connect automatically without entering a username/password, which is useful for automation.

Generate and download OpenVPN profile

Log in to https://serverip and select “Login”. The Login option allows you to download a VPN profile; to connect to the VPN server, select Connect.
Click on “Yourself (autologin profile)” and keep the profile safe.

Connect to vpn server using CLI

Transfer the client profile to your box (in this example, my OpenWRT router) via SCP. You must have the openvpn binary installed prior to this.

[email protected]:~# openvpn --config client.ovpn

If you receive Initialization Sequence Completed, the tunnel is up. You can verify using ifconfig; you will see the new interface tun0.

All configuration is performed on a Virtual Private Server (VPS). If you intend to use a VPS, make sure your provider supports and enables the TUN/TAP module in your VPS container. For the following example I'm using Ramnode VPS (affiliate link) because of their good support, you can enable and disable TUN/TAP easily on your own, and their price is relatively cheap. For myself, I'm subscribed to their OpenVZ SSD VPS (128MB RAM, 10GB SSD space) for 20.40 USD annually (USD 1.70 per month). Don't forget to enter the promotional code RN15OFF to enjoy a 15% recurring discount off your VPS price.

Enable TUN/TAP

Go to your VPS Control Panel, and at the bottom you will see an option to enable TUN/TAP module. Turn it on and reboot your VPS.

Once it has booted, check whether the module is enabled by executing the command below:

[email protected]:~# cat /dev/net/tun

If you receive the message File descriptor in bad state, your TUN/TAP device is ready for use.
If you receive the message No such device, the TUN/TAP device was not successfully created.

Download and Install OpenVPN Access Server

Go to OpenVPN Access Server download page and select your architecture. I’m using Debian 7 32bit OS.

[email protected]:/home# wget http://swupdate.openvpn.org/as/openvpn-as-2.0.3-Debian7.i386.deb

Perform installation by executing:

[email protected]:/home# dpkg -i openvpn-as-2.0.3-Debian7.i386.deb

Change openvpn default password:

[email protected]:/home#  passwd openvpn

Now you can access OpenVPN Admin UI from below link:
Admin UI: https://serverip:943/admin
Client UI: https://serverip:943/