cisco-ios-patterns


# Cisco IOS Patterns

Use this skill when reviewing Cisco IOS or IOS-XE snippets, building a change-window checklist, or explaining how to collect evidence from a router or switch without making the incident worse.

## When to Use

- Reviewing IOS or IOS-XE configuration before a planned change.
- Choosing read-only `show` commands for troubleshooting.
- Checking ACL wildcard masks and interface direction.
- Explaining global, interface, routing process, and line configuration modes.
- Verifying that a change landed in running config and was saved intentionally.

## Operating Rules

Treat IOS examples as patterns, not paste-ready production changes. Confirm the platform, interface names, current config, rollback path, and out-of-band access before making changes on a real device.

Prefer this workflow:

1. Capture current state with read-only commands.
2. Review the exact candidate config.
3. Confirm management access cannot be locked out.
4. Apply the smallest change in a maintenance window.
5. Re-read state, compare to the baseline, then save only after validation.

## Mode Reference

```text
Router> enable
Router# show running-config
Router# configure terminal
Router(config)# interface GigabitEthernet0/1
Router(config-if)# description UPLINK-TO-CORE
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# end
Router# show running-config interface GigabitEthernet0/1
```

`running-config` is active memory. `startup-config` is what survives reload. Do not save a change just because a command was accepted; validate behavior first, then use `copy running-config startup-config` if the change is approved.

## Read-Only Collection

```text
show version
show inventory
show processes cpu sorted
show memory statistics
show logging
show running-config | section line vty
show running-config | section interface
show running-config | section router bgp
show ip interface brief
show interfaces
show interfaces status
show vlan brief
show mac address-table
show spanning-tree
show ip route
show ip protocols
show ip access-lists
show route-map
show ip prefix-list
```

Collect the specific section you need instead of dumping the full config into a ticket when the config may contain secrets, customer names, or private topology.

## Wildcard Masks

IOS ACL and many routing statements use wildcard masks, not subnet masks. In a wildcard mask a 1 bit means "ignore this bit", so the wildcard is the bitwise inverse of the subnet mask:

```text
Subnet mask       Wildcard mask
255.255.255.255   0.0.0.0
255.255.255.252   0.0.0.3
255.255.255.0     0.0.0.255
255.255.0.0       0.0.255.255
```

Review wildcard masks before deployment. A subnet mask accidentally used as a wildcard can match far more traffic than intended, because the 1 bits in the high-order octets are ignored instead of matched.

```text
ip access-list extended WEB-IN
  10 permit tcp 192.0.2.0 0.0.0.255 any eq 443
  999 deny ip any any log
```

Every ACL has an implicit deny at the end. Add an explicit logged deny when the operational goal includes observing misses, and confirm the logging volume is safe.
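A small review helper for the mask problem above, added here as an example and not part of the skill itself: it converts subnet masks to wildcards, checks whether a wildcard is a contiguous low-order mask, and flags ACL entries whose wildcard looks like a pasted subnet mask. The ACL text is constructed and the entry with sequence 20 is the deliberate mistake.

```python
import ipaddress
import re

# Constructed sample: the page's WEB-IN entries plus one entry with a subnet mask pasted as a wildcard.
SAMPLE_ACL = """ip access-list extended WEB-IN
  10 permit tcp 192.0.2.0 0.0.0.255 any eq 443
  20 permit tcp 198.51.100.0 255.255.255.0 any eq 443
  999 deny ip any any log
"""
ACE_RE = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(\S+)\s+(.+)$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> number of port arguments

def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def wildcard_prefixlen(wildcard: str):
    """Prefix length for a contiguous wildcard (0.0.0.255 -> 24); None when the ones are not low-order."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # not of the form 2**k - 1, so not a subnet-style wildcard
        return None
    return 33 - (w + 1).bit_length()

def _take_endpoint(tokens):
    """Consume 'any' | 'host A' | 'A W' plus an optional port qualifier; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        addr, wc, rest = "0.0.0.0", "255.255.255.255", tokens[1:]
    elif tokens[0] == "host":
        addr, wc, rest = tokens[1], "0.0.0.0", tokens[2:]
    else:
        addr, wc, rest = tokens[0], tokens[1], tokens[2:]
    if rest and rest[0] in PORT_OPS:
        rest = rest[1 + PORT_OPS[rest[0]]:]
    return addr, wc, rest

def review_acl(config: str) -> list:
    """One finding per endpoint whose wildcard is not contiguous; 'any' and 'host' never trigger."""
    findings = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        seq, _action, _proto, rest = m.groups()
        src, src_wc, tokens = _take_endpoint(rest.split())
        dst, dst_wc, _ = _take_endpoint(tokens)
        for role, addr, wc in (("src", src, src_wc), ("dst", dst, dst_wc)):
            if wildcard_prefixlen(wc) is None:
                matched = 2 ** bin(int(ipaddress.IPv4Address(wc))).count("1")
                findings.append(f"seq {seq}: {role} {addr} {wc} is not a contiguous wildcard and matches {matched} addresses; confirm this is intended")
    return findings
```

A non-contiguous wildcard such as 0.0.255.0 is legal and occasionally intentional, so the helper reports it for review rather than rejecting it.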

## ACL Placement Review

Before applying an ACL to an interface, answer these questions:

- Which traffic direction is being filtered, `in` or `out`?
- Is management traffic sourced from a known jump host or management subnet?
- Is there an explicit permit for required routing, DNS, NTP, monitoring, or application traffic?
- Are hit counters available from a safe test source?
- Is there a rollback command and an active console or out-of-band path?

Do not test reachability by removing firewall or ACL protections. Read counters, logs, and route state first.

## Interface Hygiene

```text
interface GigabitEthernet0/1
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
 no shutdown
```

Use clear descriptions, explicit switchport mode, and documented native VLANs. On routed interfaces, confirm the mask, peer addressing, and routing process before assuming that link state means forwarding is correct.

## Change-Window Verification

Use before/after checks that match the actual change.

```text
show running-config | section interface GigabitEthernet0/1
show interfaces GigabitEthernet0/1
show logging | include GigabitEthernet0/1|changed state|line protocol
show ip route <prefix>
show ip access-lists <name>
```

For routing changes, also capture neighbor state and route tables before and after the change. For ACL changes, compare hit counters from a planned test source rather than relying on a generic ping.
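The counter comparison described above, as an added example rather than part of the skill: it parses two captures of `show ip access-lists` taken before and after a planned test, reports the per-entry hit delta, and lists entries the test never touched. The captures are constructed and use the WEB-IN ACL from this page; the `(N matches)` suffix is the real IOS output format, and an entry without it has zero hits.

```python
import re

# Constructed sample output of `show ip access-lists WEB-IN` captured before and after a planned test.
BEFORE = """Extended IP access list WEB-IN
    10 permit tcp 192.0.2.0 0.0.0.255 any eq 443 (1284 matches)
    999 deny ip any any log (7 matches)
"""
AFTER = """Extended IP access list WEB-IN
    10 permit tcp 192.0.2.0 0.0.0.255 any eq 443 (1296 matches)
    20 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.53 eq domain
    999 deny ip any any log (7 matches)
"""
ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")

def parse_hits(output: str) -> dict:
    """Map (acl, seq) -> (ace_text, hit_count); an ACE without '(N matches)' has zero hits."""
    hits, acl = {}, None
    for line in output.splitlines():
        h = ACL_HEADER.match(line)
        if h:
            acl = h.group(1)
            continue
        m = ACE_LINE.match(line)
        if m and acl:
            seq, ace, count = m.groups()
            hits[(acl, int(seq))] = (ace, int(count or 0))
    return hits

def counter_delta(before: str, after: str) -> dict:
    """Per-ACE hit delta keyed by (acl, seq); delta is None when counters are not comparable."""
    b, a = parse_hits(before), parse_hits(after)
    report = {}
    for key in sorted(a.keys() | b.keys()):
        ace_b, n_b = b.get(key, (None, 0))
        ace_a, n_a = a.get(key, (None, 0))
        if key in a and key in b and ace_a == ace_b:
            delta = n_a - n_b          # same entry on both sides: hits during the window
        elif key in a and key not in b:
            delta = n_a                # new entry: every hit happened during the window
        else:
            delta = None               # removed or rewritten entry: counters are not comparable
        report[key] = {"ace": ace_a or ace_b, "delta": delta, "new": key not in b, "removed": key not in a}
    return report

def untouched_entries(report: dict) -> list:
    """Entries the planned test never hit: candidates for wrong-direction or wrong-interface review."""
    return [key for key, e in report.items() if e["delta"] == 0]
```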

## Anti-Patterns

- Applying a generated config without a device-specific diff.
- Saving configuration before post-change checks pass.
- Using a subnet mask where IOS expects a wildcard mask.
- Applying an ACL to the wrong interface direction.
- Troubleshooting by disabling ACLs, route policies, or authentication.
- Pasting full configs into public tools without sanitizing secrets and topology.

## See Also

- Agent: `network-config-reviewer`
- Agent: `network-troubleshooter`
- Skill: `network-config-validation`
- Skill: `network-interface-health`