Monday, March 21, 2016

Cisco WLC Hex Settings

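For a single controller with an IP address of 10.1.1.3, configure this in the DHCP scope:

option 43 hex f1040a010103

The value is a type-length-value string: f1 is the sub-option type, 04 is the length in bytes (four per controller address), and 0a010103 is 10.1.1.3 in hex.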

You also have to add option 60 to the DHCP scope. For a 1700 series AP:

option 60 ascii "Cisco AP c1700"
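The option 43 value above generalizes to several controllers by raising the length byte and appending each address. The Python below is an added example, not part of the original post; the function names are hypothetical. It builds the hex string and parses one back, rejecting a length byte that does not match the payload.

```python
import ipaddress

WLC_SUBOPTION = 0xF1  # sub-option type byte, as in the post's f104... value


def encode_option43(controllers):
    """Return the hex string for 'option 43 hex ...' from WLC management IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([WLC_SUBOPTION, len(packed)]) + packed).hex()


def decode_option43(hex_value):
    """Parse an option 43 hex string into a list of controller addresses."""
    # The value is often written in dotted groups (f104.0a01.0103); strip separators.
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2:
        raise ValueError("truncated TLV")
    sub_type, length, value = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{sub_type:02x}")
    if length != len(value):
        raise ValueError(f"length byte says {length}, payload is {len(value)} bytes")
    if length == 0 or length % 4:
        raise ValueError("payload is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    print(encode_option43(["10.1.1.3"]))              # the post's single-controller value
    print(encode_option43(["10.1.1.3", "10.1.1.4"]))  # constructed two-controller case
    print(decode_option43("f104.0a01.0103"))
```

Decoding the value configured in a scope is a quick way to confirm which controllers the access points are actually being pointed at.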

Thursday, September 3, 2015

Cisco WLC Multicast Address

239.0.1.1


http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/82463-wlc-config-best-practice.html

Tuesday, February 11, 2014

STP and Switching Loops

STP does not completely protect you from switching loops.

http://blog.ipspace.net/2012/04/stp-loops-strike-again.html
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml

Tuesday, February 5, 2013

ISDN Caller ID Name

No caller ID (CID) names showing up on phones? Run the usual debug isdn q931 and debug isdn q921 to make sure that the CID name is coming from the provider. If it is, add isdn supp-service name calling to the serial port for the ISDN trunk. Then retest.

Source: https://supportforums.cisco.com/docs/DOC-8873

Example:

interface Serial0/3/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn incoming-voice voice
 isdn map address . plan unknown type unknown
 isdn supp-service name calling
 isdn sending-complete
 isdn outgoing ie redirecting-number
 trunk-group ALL_T1E1
 no cdp enable

Wednesday, November 21, 2012

Seconds Per Ring = 6

In the US, a standard ring cycle is 6 seconds.
2-4 - 2 seconds of ringing followed by 4 seconds of silence.

http://en.wikipedia.org/wiki/Ringtone
http://www.tek-tips.com/viewthread.cfm?qid=1065741

Thursday, September 13, 2012

Test Post

Test post. 13:19

Thursday, January 19, 2012

Cisco VPN Broken

VPN not functioning for connecting to other hosts, including the CUE? Disable IP CEF:

conf t
no ip cef

Monday, October 31, 2011

Adding Entries to an Existing ACL on an ASA

Adding Entries (ACEs) to an Existing ACL
You can add entries to ACLs on ASAs by using the line line_number option of the access-list command. Line numbers on ASAs work differently than on routers. They are not stored in the configs and they will not show up in a show access-list command (basically, the ASA doesn't keep the numbers; they are just used for inserting). To do this, just count the line numbers and tell the ASA where you want the new one to go. The existing line of that number will move down (e.g., if you insert at line 3, the old line 3 becomes line 4 because you have just added a line above it).

! Test ACL
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Implicit Deny

! Deny access from 10.1.1.1 to evil DNS servers 4.2.2.2 and 8.8.8.8. We need this to be above the permit any from 10.1.1.1 so the denies will take effect.
! We can use line numbers to do this
access-list TEST_ACL line 1 extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
!
! New ACL
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any

! Oops, we forgot to deny access from 10.1.1.2 to these same evil DNS servers
access-list TEST_ACL line 1 extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL line 2 extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
!

! New new ACL
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.2 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 4.2.2.2 255.255.255.255
access-list TEST_ACL extended deny ip 10.1.1.1 255.255.255.255 8.8.8.8 255.255.255.255
access-list TEST_ACL extended permit ip 10.1.1.1 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.2 255.255.255.255 any
access-list TEST_ACL extended permit ip 10.1.1.3 255.255.255.255 any


Adding an Extended Access List

An access list is made up of one or more access control entries (ACEs) with the same access list ID. To create an access list you start by creating an ACE and applying a list name. An access list with one entry is still considered a list, although you can add multiple entries to the list.

To add an extended access list or an ACE, enter the following command:

Command:

access-list access_list_name [line line_number] [extended] {deny | permit} protocol source_address mask [operator port] dest_address mask [operator port | icmp_type] [inactive]

Example:

hostname(config)# access-list ACL_IN extended permit ip any any

Purpose: Adds an extended access control entry.

The line line_number options specify the line number at which to insert the ACE. If you do not specify a line number, the ACE is added to the end of the access list. The line number is not saved in the configuration; it only specifies where to insert the ACE.

The extended option adds an ACE.

The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. See the command documentation for each feature that uses an access list for more information.

The permit keyword permits a packet if the conditions are matched.

The protocol argument specifies the IP protocol name or number. For example UDP is 17, TCP is 6, and EGP is 47.

The source_address specifies the IP address of the network or host from which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.

The operator port option matches the port numbers used by the source or destination. The permitted operators are as follows:

lt: less than.
gt: greater than.
eq: equal to.
neq: not equal to.
range: an inclusive range of values. When you use this operator, specify two port numbers, for example: range 100 200.

The dest_address argument specifies the IP address of the network or host to which the packet is being sent. Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask. Enter the any keyword instead of the address and mask to specify any address.

The icmp_type argument specifies the ICMP type if the protocol is ICMP.

The inactive keyword disables an ACE. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.

(See the access-list extended command in the Cisco Security Appliance Command Reference for more information about command options.)
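Why the insertion point matters: ACEs are evaluated top-down and the first match wins, so a deny added without a line number lands below the permit and never takes effect. The Python below is an added example, not ASA code and not from the original post. It models only the "ip" protocol with any, host and address/mask forms, and its function names are hypothetical.

```python
import ipaddress


def take_addr(tok):
    """Consume one address spec from the token list: any | host A | A MASK."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}")


def apply_command(acl, command):
    """Apply 'access-list NAME [line N] extended ACTION ip SRC DST' to the list acl."""
    tok = command.split()[2:]               # drop 'access-list NAME'
    position = None
    if tok[0] == "line":                    # insertion point, not stored with the ACE
        position, tok = int(tok[1]), tok[2:]
    if tok[0] == "extended":
        tok = tok[1:]
    action, tok = tok[0], tok[2:]           # skip the protocol; this model handles 'ip' only
    ace = (action, take_addr(tok), take_addr(tok))
    if position is None or position > len(acl):
        acl.append(ace)                     # no line number: ACE goes to the end
    else:
        acl.insert(position - 1, ace)       # existing ACE at that line moves down
    return acl


def evaluate(acl, src, dst):
    """Return the action of the first matching ACE, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Constructed input: the post's three permits, then the same deny added two ways.
BASE = [f"access-list TEST_ACL extended permit ip 10.1.1.{h} 255.255.255.255 any" for h in (1, 2, 3)]
DENY = "extended deny ip 10.1.1.1 255.255.255.255 host 4.2.2.2"


def build(deny_command):
    acl = []
    for command in BASE + [deny_command]:
        apply_command(acl, command)
    return acl


appended = build("access-list TEST_ACL " + DENY)          # lands after the permits
inserted = build("access-list TEST_ACL line 1 " + DENY)   # lands above them

if __name__ == "__main__":
    print(evaluate(appended, "10.1.1.1", "4.2.2.2"))  # permit: the deny is shadowed
    print(evaluate(inserted, "10.1.1.1", "4.2.2.2"))  # deny
```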

Monday, October 10, 2011

Default Interface Cisco Command

I can't even count the number of times I've tried to remove all the configs from an interface by doing a no interface command. The router or switch always replies with a snarky "Removal of physical interfaces is not permitted." I then copy all the commands for the interface, open up notepad, put a no in front of all the ones I don't want and then paste it back into the CLI.

A 10 second change has now taken 2 minutes and increased my frustration level unnecessarily.

Default to the rescue. Just use this command to return the physical interface and any subinterfaces to their default (unconfigured) values. Note: if you only want to default a single subinterface, you can just do a no to remove it and then add it back in.

default interface <interface>

default interface fa0/1



http://blog.ioshints.info/2007/06/default-interface-configuration-command.html
http://www.cisco.com/en/US/docs/ios/12_2t/inter/command/reference/irftdce.html#wp1081863


Friday, September 23, 2011

Thursday, June 30, 2011

Check Dropped Packets

show policy-map interface

Tuesday, June 21, 2011

Tuesday, May 31, 2011

MWI Manual Disable

For those times when MWI is stuck on:

Find the MWI off DN.

ephone-dn  599
 number A801.... no-reg primary
 mwi off



Build a new DN which has CFA set to the complete dialstring (fill in the .... with the extension you want to turn MWI off on). The below example will shut off MWI for extension 5040.

ephone-dn  559
call-forward all A8015040
number 5990 no-reg primary

Call the number associated with the ephone-dn.

Tuesday, February 15, 2011

Cisco Router VPN Details


show crypto isakmp peers - Show ISAKMP peer structures (IPs, etc. connected over the VPN)
show crypto isakmp sa - Show ISAKMP Security Associations (IPs, etc. connected over the VPN)
show crypto session summary - Show VPN groups and their members (users and groups connected over the VPN)
who - Shows users currently logged into the router

Friday, February 11, 2011

SIP Carrier Debugs

SIP: Attribute mid, level 1 instance 1 not found.
2524735: Feb 11 17:54:53.522 MST: //-1/xxxxxxxxxxxx/SIP/Msg/ccsipDisplayMsg:
Received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP >:5060;branch=z9hG4bK2D041732
Record-Route:
From: "Bob Jones" ;tag=BAAA8198-462
To: ;tag=_1255064163-933720387
Call-ID: 876EDB09-357911E0-970ADCDF-F107A873@>
CSeq: 101 INVITE
Contact: sip:+18004444444@67.231.0.94:5070
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay,  multipart/mixed
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,REFER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Content-Disposition: session; handling=required
Content-Type: application/sdp
Content-Length: 276

v=0
o=pvp 305419896 305419896 IN IP4 67.231.0.125
s=-

! MEDIA GATEWAY - this is the carrier your SIP provider is having route your call. The IPs may change even if it's the same carrier but an IP whois lookup will show you which carrier your call is routing through. 
c=IN IP4 67.231.0.125

t=0 0
m=audio 24396 RTP/AVP 0 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=maxptime:40
a=sendrecv
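To pull the media gateway address out of a debug like the one above without reading it by eye, the SDP body can be parsed for its c= and m= lines. The Python below is an added example, not part of the original post, and the function name is hypothetical. It goes slightly beyond the post by handling a c= line that appears under a specific m= line, which overrides the session-level address for that stream.

```python
def media_endpoints(debug_text):
    """Return (media, address, port, codecs) for every m= line in the SDP body."""
    session_addr, streams = None, []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != "=":
            continue                        # SIP headers, blank lines, '!' annotations
        kind, value = line[0], line[2:]
        if kind == "c":                     # c=<nettype> <addrtype> <address>
            addr = value.split()[2].split("/")[0]
            if streams:
                streams[-1]["addr"] = addr  # media-level c= overrides the session-level one
            else:
                session_addr = addr
        elif kind == "m":                   # m=<media> <port> <proto> <fmt> ...
            media, port, _proto, *fmts = value.split()
            streams.append({"media": media, "port": int(port.split("/")[0]),
                            "addr": None, "fmts": fmts, "names": {}})
        elif kind == "a" and value.startswith("rtpmap:") and streams:
            pt, name = value[len("rtpmap:"):].split(None, 1)
            streams[-1]["names"][pt] = name
    return [(s["media"], s["addr"] or session_addr, s["port"],
             [s["names"].get(pt, pt) for pt in s["fmts"]]) for s in streams]


# Sample assembled from lines of the debug in the post.
PAGE_SAMPLE = """\
Contact: sip:+18004444444@67.231.0.94:5070
Content-Type: application/sdp

v=0
o=pvp 305419896 305419896 IN IP4 67.231.0.125
s=-
! MEDIA GATEWAY annotation line
c=IN IP4 67.231.0.125
t=0 0
m=audio 24396 RTP/AVP 0 18 101
a=rtpmap:0 PCMU/8000
a=rtpmap:18 G729/8000
a=rtpmap:101 telephone-event/8000
"""

# Constructed sample (documentation addresses): the second stream carries its own c= line.
OVERRIDE_SAMPLE = """\
v=0
c=IN IP4 192.0.2.10
m=audio 4000 RTP/AVP 0
m=video 4002 RTP/AVP 96
c=IN IP4 192.0.2.20
"""

if __name__ == "__main__":
    print(media_endpoints(PAGE_SAMPLE))
    print(media_endpoints(OVERRIDE_SAMPLE))
```

The address and port returned here are where the RTP stream goes, which is not necessarily the host in the Contact header that carries the signaling.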