I recently came across a great tool provided by Cisco. I hadn’t heard of it before, or seen it mentioned anywhere I frequent, so I figured it was time for a quick blog post.
Cisco CLI Analyzer (or analyser for the rest of us English speakers)
To start with, let’s link to the official page – https://cway.cisco.com/cli/
I happened across this product while checking for some new downloads for our Cisco products. I skimmed the article and immediately knew I had to download and try it for myself. This link should take you to the direct download page – https://software.cisco.com/download/home/286311499/type/286312309/os?catid=null
As you can see from the screenshot, the tool offers a range of really useful features.
I’m going to include a lot of the information from the Cisco page in this blog post so you can read it through with my thoughts.
Cisco CLI Analyzer supports a wide range of platforms, which is great to see. Initially I figured it might only be a few products but I’m pretty sure 99% of our kit is listed under platform support. According to the documentation, Cisco supports these platforms –
- IOS Software (IOS, IOS-XE, and IOS-XR)
- UCS B Series (Identification & System Diagnostics)
- UCS C Series (Identification)
- ASA (Adaptive Security Appliance)
- FXOS (Firepower OS)
- AireOS (WLC)
- ACI-OS (Application Centric Infrastructure)
- APIC (Application Policy Infrastructure Controller)
- ISE (Identity Services Engine)
While my primary role is not networking, I do spend time setting things up which I need or helping to troubleshoot issues. Typically this involves IOS, UCS, ASA, NX-OS and ISE – all of these products are supported and I am excited to share this with my colleagues.
Integrated TAC Tools
Cisco TAC is one of the best support systems in the tech world. Like any good support organisation, they have access to tools which accelerate time to value. By extending these tools to end-user administrators, we gain a greater ability to diagnose or cast light on issues.
- System Diagnostics
  - Detects well-known system problems, configuration issues, and promotes best practices
- Crashinfo Analyzer
  - Platforms: IOS / IOS-XE
  - Given a crashinfo file, attempts to match that file against known issues to determine the root cause of the system reset
- Zone-Based Firewall Visualizer
  - Platforms: IOS / IOS-XE
  - Visualizes complex and nested zone-based firewall policies presently configured on the router
- Firewall Top Talkers
  - ASA tool which helps determine which traffic-passing connections have the highest bit rate during peak periods
- Traceback Analyzer
  - ASA tool which analyzes a crash and determines if it is related to a known bug
- Packet Tracer
  - ASA traffic simulator that detects dropped packets and verifies whether the configuration is the root cause
- Packet Capture
  - Guides you through the process of capturing and analyzing packets
- TAC Data Collection
  - Provides automatic data collection for attachment to a Support Case
- IP Route Analysis
  - Analyzes the output of your routing table and reports route instability, route summaries, and much more
- Unused Policy Detector
  - ASA tool which scans for unused access lists, object groups and objects which may indicate configuration errors
- L2VPN Service Check
  - IOS-XR tool which helps determine the status of an L2VPN service. Select L2VPN Bridge-Domain or Xconnected from the dropdown menu to begin
That’s quite a selection of TAC tools! In my testing it appears that your Cisco account (which you authenticate in the app) needs access to these features. They show up when you connect to a supported product, but clicking the icon returned an alert saying the product wasn’t eligible.
I think this functionality can be great for new network engineers or team juniors. You can standardise on the CLI analyzer for your terminal client and encourage them to use these features to guide them.
No matter how well we look after systems there is always the risk of a problem occurring. Sometimes we can solve these issues ourselves but there may be a need to engage vendor support. The tool provides some great support features and reminds me of products from other vendors, for example VMware Skyline.
- Features automated collection of debugging information which can be attached to your case
- Ability to add additional notes and files to help us debug your issue
- View case status and support information
Note that the device you are working on will of course need to be covered by an active support agreement for these case features to be available.
Contextual Help & Highlighting
If you’re like me and spend time working on a range of products, learning the CLI and what everything means can be a challenge. You have all these different CLI languages to learn, along with what the vendor means by certain terms. Having a terminal which provides feedback, be that highlighting or popups that educate, is awesome.
The screenshot below is taken from the Cisco CLI analyzer page and shows how text highlighting and context windows are used to guide and instruct. I think this is a feature other vendors should review and think about offering something similar, especially when their products are heavily CLI driven.
Sometimes we are not the engineer directly connecting to a target. Perhaps we are providing support and relying on the information someone else provides. The tool lets us support those colleagues by ingesting a file or pasted content, for example the output of show run. CLI Analyzer performs the same contextual analysis as seen in the previous section, so we don’t have to connect to the device ourselves: a colleague can retrieve the data and hand it to us for review.
- Analysis is performed offline. No need to connect to your device
- Allows either file or pasted command output
- Makes recommendations based on best practices
- Support added for zip, gzip, rar, and 7z compression formats
If you are a support company this could be pretty handy: ask customers to provide output and run the first review through the tool. Bear in mind that a show run carries credentials, SNMP community strings and pre-shared keys, and that type 7 ‘encrypted’ passwords are trivially reversible, so have the customer redact those lines before the output leaves their hands.
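Redacting before sharing is easy to automate. The Python below is an added example, not code from the original post and not part of Cisco CLI Analyzer: it strips credential-bearing lines from a constructed IOS-style configuration and reports what it found, and it includes a type 7 decoder to show why `service password-encryption` output has to be treated as plaintext. The same scrubber applies to the later suggestion of asking juniors or customers to paste output into the tool. The sample configuration, hostnames and secrets are made up, and the regex rules cover common IOS forms only; they are not exhaustive.

```python
from __future__ import annotations

import re

# Cisco's fixed type 7 XOR key: a well-known public constant, not a secret.
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits give the key offset, then hex
    byte pairs, each XORed with successive bytes of _XLAT from that offset."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(_XLAT[(seed + i) % len(_XLAT)])) for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 8) -> str:
    """Inverse of decode_type7, used here only to build test data."""
    body = "".join(f"{ord(c) ^ ord(_XLAT[(seed + i) % len(_XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


# Redaction rules in priority order: (name, regex with pre/secret/post groups, note).
_RULES = [
    ("type 7 password/key",
     re.compile(r"^(?P<pre>.*\b(?:password|key) 7 )(?P<secret>[0-9A-Fa-f]{4,})(?P<post>.*)$"),
     "reversible, treat as plaintext"),
    ("hashed secret",
     re.compile(r"^(?P<pre>.*\bsecret (?:\d+ )?)(?P<secret>\S+)(?P<post>.*)$"),
     "offline-crackable hash, remove anyway"),
    ("snmp community",
     re.compile(r"^(?P<pre>\s*snmp-server community )(?P<secret>\S+)(?P<post>.*)$"),
     "plaintext"),
    ("plaintext password/key",
     re.compile(r"^(?P<pre>.*\b(?:password|key-string|key)(?! chain\b)(?: 0)? )(?P<secret>\S+)(?P<post>.*)$"),
     "plaintext"),
]

Finding = tuple[int, str, str]  # (line number, rule name, note)


def redact_config(text: str) -> tuple[str, list[Finding]]:
    """Return the configuration with secrets replaced by <REDACTED>, plus findings.
    The first matching rule wins for each line; unmatched lines pass through."""
    out: list[str] = []
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, note in _RULES:
            m = rx.match(line)
            if m:
                line = f"{m.group('pre')}<REDACTED>{m.group('post')}"
                findings.append((lineno, name, note))
                break
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample show run; the type 7 strings encode "cisco" and "tacacs".
SAMPLE_RUN = """\
hostname core-sw1
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin privilege 15 password 7 0822455D0A16
snmp-server community public RO
tacacs server ISE-1
 address ipv4 10.0.0.10
 key 7 120D041413081F
crypto isakmp key S3cret!Key address 203.0.113.5
interface GigabitEthernet0/1
 description uplink to core-sw2
line vty 0 4
 password cisco
"""

if __name__ == "__main__":
    cleaned, found = redact_config(SAMPLE_RUN)
    print(cleaned)
    for lineno, rule, note in found:
        print(f"line {lineno}: {rule} ({note})")
    print("type 7 0822455D0A16 decodes to:", decode_type7("0822455D0A16"))
```

Run it and the findings list tells the reviewer which lines were stripped and why; the decoder is there to settle any argument about whether a type 7 string counts as protected.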
Alongside the ‘headline’ features we’ve reviewed, Cisco also mentions these recent additions, made based on user feedback.
- Multi Window Display
  - CLI Analyzer now supports multi window sessions! You can attach / detach windows allowing for side-by-side session comparisons
- Favorite Commands
  - This feature adds the ability to configure up to ten favorite commands per supported device type. You can even link your favorite commands to hot keys
- Health Report
  - Device cards now show summarized results of the latest system diagnostics
Installation is simple: download the installer and run it. The process is essentially ‘next, next, next, finish’.
According to the documentation, the minimum requirements are –
- Windows 7 (32-bit or 64-bit) or later
- Mac OS X versions 10.9 (Mavericks) or later
- 2 gigabytes (GB) of RAM
- 512 megabytes (MB) of available space on the hard disk
Now we have the product installed let’s have a quick play.
When we launch the tool a splash screen is presented outlining the latest updates and giving us the choice to review release notes or dismiss the welcome screen and start using the tool.
Let’s take a look at the release notes – at the time of writing we’re on version 3.6.5. Regular releases and engagement with the community to guide development is something I like to see. We can see that Cisco are trying to provide the greatest value to those using the tool by implementing what they think is important and then listening to those who use it to ensure they are on point.
Master Password – Credential Saving
If you’re like me, you manage a lot of systems and streamlining access usually means leveraging tools which provide the option to save credentials. This is of course risky: the saved credentials become a single high-value target. If somebody gets access to that credential store and it isn’t properly secured, they can authenticate as you to every device in it, with whatever privilege level you hold. Bad for many reasons.
Cisco have provided the option to set a master password to protect saved credentials. I use this function with SecureCRT (my current terminal of choice) and it makes my life so much easier while still maintaining protection of credentials.
An important question to ask before taking advantage of this sort of feature is how the master password is stored. Without proper protection we might be given a false sense of security and assume everything is safe when an attacker can in fact easily extract or reverse it.
According to the Cisco CLI Analyzer documentation, the master password is hashed using SHA-3 (Secure Hash Algorithm 3) and the hash value stored in the database. Note what that statement does and does not say. Hashing the master password lets the app check that you typed the right one at unlock; it says nothing about how the saved device credentials themselves are protected at rest, which is the part that matters if the database is copied off your machine. SHA-3 is also a fast general-purpose hash rather than a purpose-built password hash (PBKDF2, bcrypt, scrypt or Argon2), so unless the hash is salted and iterated, someone holding the database can test candidate master passwords at very high speed. Those are the two questions worth putting to Cisco before relying on the feature.
I strongly recommend you consult with your security and governance teams before deploying the app and using the master password feature. Be sure that everyone has signed off and that they are happy with SHA-3 hashing for password storage. I would expect signoff to be straightforward but I can’t speak for your organisation and the standards you are expected to adhere to.
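To make that distinction concrete, here is an added Python example (my own, not Cisco’s code, and not a description of how CLI Analyzer actually stores anything). It contrasts a bare SHA-3 digest used as a stored verifier with a salted, iterated PBKDF2 derivation that yields both a verifier to store and a separate key, never written to disk, that would encrypt the saved credentials. The weak password, the wordlist and the 600,000-iteration cost are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed sample: a weak master password and a tiny wordlist an attacker
# might run against a stolen credential database.
WEAK_PASSWORD = "Cisco123"
WORDLIST = ["password", "cisco", "Cisco123", "letmein", "Summer2019!"]


# --- Scheme A: a bare SHA-3 digest of the master password as the stored verifier ---

def sha3_verifier(password: str) -> bytes:
    """Unsalted SHA3-256 of the password: one fast hash per guess for an attacker."""
    return hashlib.sha3_256(password.encode()).digest()


def crack_sha3(stored: bytes, wordlist: list[str]) -> tuple[str | None, int]:
    """Offline dictionary attack on a bare digest: (recovered password, guesses tried)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(sha3_verifier(candidate), stored):
            return candidate, guesses
    return None, len(wordlist)


# --- Scheme B: salted, iterated PBKDF2 giving a stored verifier and a separate
# credential key that is derived on unlock and never persisted ---

ITERATIONS = 600_000   # assumption: tune so one derivation costs ~0.5 s on your hardware


def derive(password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Split 64 derived bytes into (verifier, credential_key)."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """What the app would persist: salt, cost and verifier, but never the key."""
    salt = secrets.token_bytes(16)
    verifier, _key = derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(record: dict, password: str) -> bytes | None:
    """Return the credential key on a correct password, None otherwise."""
    verifier, key = derive(password, record["salt"], record["iterations"])
    return key if hmac.compare_digest(verifier, record["verifier"]) else None


def crack_pbkdf2(record: dict, wordlist: list[str]) -> tuple[str | None, int]:
    """Same attack as crack_sha3, but every guess costs a full derivation."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if unlock(record, candidate) is not None:
            return candidate, guesses
    return None, len(wordlist)


if __name__ == "__main__":
    stored = sha3_verifier(WEAK_PASSWORD)
    t0 = time.perf_counter()
    found = crack_sha3(stored, WORDLIST)
    print(f"bare SHA-3 : {found} in {time.perf_counter() - t0:.6f} s")

    record = enroll(WEAK_PASSWORD)
    t0 = time.perf_counter()
    found = crack_pbkdf2(record, WORDLIST)
    print(f"PBKDF2     : {found} in {time.perf_counter() - t0:.2f} s")
```

Both schemes recover the weak password with the same five-word list; the difference is that the second makes each guess cost a configurable amount of work and, more importantly, ties the key that protects the stored credentials to the password rather than leaving them readable by anyone who copies the database.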
Once you have authenticated with your Cisco login you will be presented with the main tool interface, starting with the devices tab. Obviously when you first run the tool there isn’t going to be much to show on this page.
As an example, I connected to a Nexus 9000 switch and a UCS blade chassis – they now show on the devices tab as recent connections. This simplifies re-connection and of course the option to add favourite devices is welcome. There are options to sort and filter devices by type and tag, and of course to search for devices.
A feature I really like is the ability to import multiple devices in a variety of ways. Cisco provide documentation for import via CSV, PuTTY and SecureCRT. I’ve included links to the help documentation for your reference.
- Import Devices from a CSV File
  - ‘How to’ guide for CSV creation here
- Import Devices from PuTTY
- Import Devices from SecureCRT
New Session Tab
If we need to connect to a device which isn’t listed in our recent connections or favourites, we can use the new session tab.
The default setting is to use SSH (Secure Shell) on port 22, fairly standard. You can of course change this to something else if you need to.
On first connection the terminal will prompt you to accept the device key. If you choose to, it is added to the database as trusted and associated with the device in question. That is trust on first use: the stored key is what protects later sessions from an impostor, so compare the fingerprint shown against one obtained out of band (for example from the device console or your inventory) before accepting it, rather than clicking through.
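As an added example (not code from the post or from the tool), the Python below computes the SHA256 and legacy MD5 fingerprints that SSH clients display, starting from a known_hosts or ssh-keyscan style line, so you can compare what the prompt shows against a value obtained through a trusted path. The hostname is a placeholder and the key material is a synthetic 32-byte value, valid in format only.

```python
from __future__ import annotations

import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a format-valid ssh-ed25519 public key whose 32-byte point
# is just 0x00..0x1f. It stands in for what `ssh-keyscan router` would print.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = "router.example.net ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_pubkey_line(line: str) -> tuple[str, str, bytes]:
    """Parse '<host> <type> <base64>' into (host, key type, raw key blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <type> <base64>'")
    host, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own type string, which must agree with field 2.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the line")
    return host, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64 of SHA-256(blob) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as older clients display it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def key_matches(line: str, expected_fingerprint: str) -> bool:
    """True when the key on `line` has the fingerprint you verified out of band.
    Accepts 'SHA256:...', a bare SHA256 value, or 'MD5:aa:bb:...' in any case."""
    _host, _type, blob = parse_pubkey_line(line)
    expected = expected_fingerprint.strip()
    if expected.upper().startswith("MD5:"):
        return md5_fingerprint(blob).lower() == expected.lower()
    if not expected.startswith("SHA256:"):
        expected = "SHA256:" + expected
    return sha256_fingerprint(blob) == expected.rstrip("=")


if __name__ == "__main__":
    host, keytype, blob = parse_pubkey_line(SAMPLE_KEYSCAN_LINE)
    print(host, keytype)
    print(sha256_fingerprint(blob))
    print(md5_fingerprint(blob))
```

Feed it the line you captured over a path you trust (a console session, or ssh-keyscan run from inside the management network) and check the printed fingerprint against the one the client shows before you accept the key.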
Device Session Examples
Let’s take a look at a couple of examples. First we have a connection to a UCS blade chassis. On connection the terminal automatically runs a series of commands to allow it to determine device information and health. Along the top of the terminal window we have quick link buttons for system diagnostics and TAC data collection.
Below we have an example connecting to a Cisco Nexus 9k switch. The same sequence of events occurs, the terminal runs a few commands to gather data. I haven’t shown that in this screenshot, instead I ran the command show hsrp brief which provides the output you see. The ‘Active’ keyword is highlighted blue, if I hover my mouse over it a popup displays useful contextual help with a link to further documentation.
You will also notice that the quick link buttons along the top differ slightly and that there is a small > arrow symbol on the far right. This arrow lets us scroll through additional quick link support options relevant to the device type we are connected to.
I’ll add a few extra screenshots for our Nexus 9k which demonstrate other parts of the config which display highlighting.
Remember – any coloured text can be hovered over to provide additional information and useful links. You can also see session information along the bottom of the terminal.
If you don’t want to (or can’t) connect directly to the device you wish to review, you can upload saved files or just paste the content directly into the output window. You can ask juniors or customers to export or copy the data and then drop it into the tool for a quick review. This is a sensible first step to quickly highlight the obvious issues the tool can identify.
I’m not going to discuss every single setting, you can see them in the screenshots below. Please be mindful I’ve kept all the settings to their default so you can see how things are ‘out of the box’.
On the general tab we have some basic preferences and the option to set logging for sessions. I usually like to configure automatic logging for all my terminal programs. Bear in mind that a session log records everything the terminal displayed, so a show run or debug you ran ends up on disk along with any secrets it contained; treat the log directory as sensitive. According to the documentation, the default log locations are –
- Windows: C:\Users\<userid>\Cisco-CLI-Analyzer_Session_Logs
- Mac OS X: /Users/<userid>/Cisco-CLI-Analyzer_Session_Logs
The connection settings will be familiar to anyone who terminals into devices over a network or physically by serial links.
The security page allows us to enable the master password option (assuming we didn’t on initial program launch) along with credential profiles and jump servers.
Jump server profiles are useful in environments where you are unable to connect directly to the target device and have to proxy through another system. If you want to see this in action, Cisco have a handy demonstration video.
Display options, such as choice of font and text size can be configured alongside colours for highlighting.
Finally we have the advanced settings, which give us control over proxy settings and special keys, along with the option to back up or restore the tool configuration. One use for backup and restore would be to set up a default tool configuration that you want everyone to use. You can then provide the backup to colleagues for import. That way everyone is using the same settings and you have consistency across engineers. This can make documentation easier as you know they (should) all be set up in the same way.
Cisco CLI Analyzer Help Guide
The Cisco documentation is rich and covers all topics effectively, at least as far as I am concerned. There are more features and options than I cover in my post, please check out the full guide for more information.
I’m curious how many people working on Cisco equipment use this tool already. If not, then perhaps I can bring their attention to it and help with their work. Throughout my career I’ve tried to find ways to be more efficient with things I regularly do. Always be mindful that the goal is to generate value. If you can find a tool which speeds time to problem resolution then you’re generating value for yourself and your employer.
If you’re a Cisco customer and you have an account team it might be worth talking to them to see if they can give you a product run through. They can also advise what support is required on devices and generally help you adopt this great product.