More than once now, the Cisco ISR/ISR-G2 series has been dubbed the ‘Swiss Army Knife’ of networking devices, simply because of the flexibility and the number of technologies available to you when deploying these devices. Luckily for us, these devices also provide features to assist with troubleshooting and maintaining the overall health of the network. What is even better is that many of these useful troubleshooting features exist on other product families, not just the ISR/ISR-G2s. I’ve had the pleasure of working on networks all around the world for some decent-sized companies, so I wanted to kick off this list with what I consider to be the most useful tools built into Cisco devices that are not very well known out there.

1. Embedded Packet Capture (EPC) – There is no doubt about it: the ability to perform a packet capture at key points throughout the network can make troubleshooting particular issues that much easier. Luckily this feature exists on many different devices:

1. ISR G2s – Even the older ISRs have this ability
2. ASA Firewalls
3. IOS-XE devices – From the powerful ASRs to the newer Catalyst 3850
4. NX-OS devices – Granted, on NX-OS you can only capture packets that are process switched, but there is an easy way around this by creating an access list to match the traffic you want to capture.
5. Even in Cisco UCS we can configure a traffic monitoring policy to capture traffic directly from particular servers and capture directly off the Fabric Interconnects. *This is more of a SPAN-type session than Embedded Packet Capture.

Once we are finished capturing the data, we can easily transfer the packets off the router to our own workstation so we can take a deeper look at the packets with our protocol analyzers.

2. Embedded Event Manager (EEM) – This is by far one of my favorite tools and, in my opinion, the most powerful tool built into many Cisco devices, and this feature has now made its way to the Cisco ASA firewalls. The Embedded Event Manager allows us to apply a sense of logic in response to certain events that occur on the router or the network.

The Embedded Event Manager allows the router or firewall to react to certain circumstances, for example:

1. Syslog message
2. An IP SLA status
3. A particular command entered in the CLI

Those are just a few of the events that can trigger an Embedded Event Manager action; there are many more:

Cisco IOS Infrastructure and Network Subsystems

Next we can define the action taken by the Embedded Event Manager, which can perform some very powerful actions:

1. Issue CLI commands that we define.
2. Run a TCL script/policy

Event Detectors

With the power to define a set of CLI commands, we have almost unlimited possibilities. A few things we can do:

1. Reload a router
2. Re-configure routing, remove/add networks
3. Disable Interfaces, re-configure interfaces
4. Roll back an entire router configuration

3. Configuration Archives – Many of us will have some type of ‘eye in the sky’ configuration management, but we also have the ability for the routers themselves to keep a running archive of previous configurations. While this feature itself might not sound groundbreaking, it gives us the ability to quickly view configuration differences without having to go search through management servers, and once this feature is configured we get the ability to use another very useful feature:
Configuration Rollback – That’s right, the router can roll back its configuration to its previous state if you do not confirm the change after a set amount of time. I don’t know about you, but this is much quicker than issuing the ‘reload in 5’ command, which we are all guilty of doing. Combining this with the Embedded Event Manager feature can offer you a great safety net when performing intrusive changes remotely.
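
One way to combine the configuration archive, the rollback timer and an EEM applet into the safety net described above. This is an added example, not configuration from the original post; the applet name, file paths, SLA/track numbers and the 192.0.2.10 address are constructed placeholders, and it assumes the flash:archive directory already exists.

```cisco
! --- Global configuration ---
! Keep up to 10 archived configs on flash, one on every "write memory"
! and one every 24 hours. $h expands to the hostname.
archive
 path flash:archive/$h-cfg
 maximum 10
 write-memory
 time-period 1440
 ! Log who changed what; hidekeys keeps passwords out of the log
 log config
  logging enable
  notify syslog
  hidekeys
!
! Reachability probe toward the management station (placeholder address)
ip sla 10
 icmp-echo 192.0.2.10
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Only report "down" after 60 seconds of continuous probe failure
track 10 ip sla 10 reachability
 delay down 60
!
! If the probe stays down, put the saved known-good file back
event manager applet ROLLBACK-ON-LOSS
 event track 10 state down
 action 1.0 syslog msg "Mgmt probe lost, replacing running-config with flash:known-good.cfg"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure replace flash:known-good.cfg force"
!
! --- Exec mode, at change time ---
! Router# copy running-config flash:known-good.cfg
! Router# configure terminal revert timer 5
!   ... make the change ...
! Router# configure confirm
! Router# show archive config differences flash:known-good.cfg system:running-config
```

The revert timer covers the case where you simply cannot confirm the change, while the applet covers a change that cuts off the management path before the timer expires. If AAA command authorization is enabled, the applet's CLI actions need a user to run as, set with `event manager session cli username`.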

4. Warm Reloads – This feature allows us to cut down the time it takes for a router reload by over 50%, and I don’t know about you, but sometimes it feels like an eternity when I reboot certain devices. This works off the notion that the IOS software information is saved within memory, so the router does not need to decompress the image at startup, as shown in the image below:

[Image: Warm Reloads]

  • Warm Upgrade – This feature can also be used when performing IOS software updates, saving even more time.

A few additional links regarding the topics discussed to get you started!

IOS Packet Capture
ASA Packet Capture
Nexus Ethanalyzer

Embedded Event Manager Overview
Embedded Event Manager Command Reference

Configuration Rollback

Warm Reload Feature
Warm Reload Configuration


Stephen Occhiogrosso

No Longer with Cisco