Category: Cisco

A Few Easy Steps: Cisco IOS, Setup for Automation

In this session of A Few Easy Steps, we will be doing the initial setup for automation on a Cisco IOS device. In general this will work on any Cisco IOS device. Session prerequisites:

  • You have a Cisco console cable
  • You have a serial port
  • You have a terminal program that can access your serial port

Session Assumptions:

  • Hostname is already set
  • Domain name is: SPC.DEV
  • RSA modulus is 1024 bits
  • Our admin interface is: FA0/0
  • The interface has already had its IP address assigned
  • Enable password is: password
  • Username is: pytest
  • Password is: pytest
  • We are using VTY ports 0-5

Our goals of this session are:

  • Setup IP Domain Name
  • Create RSA key for SSH
  • Set Enable Password
  • Setup Username
  • Setup Password
  • Turn interface FA0/0 on
  • Enable SSH on VTY 0-5
  • Set Login to Local Authentication

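Put together as one worked configuration for the goals above, this is an added example and not the post's own steps; it uses the session's assumed values (SPC.DEV, 1024-bit modulus, FA0/0, pytest/pytest, VTY 0-5), and the `privilege 15` on the user and the use of `enable secret` / `username ... secret` (so both passwords are stored hashed instead of in cleartext) are choices of this example, not stated in the post.

```text
! Added example: Cisco IOS configuration covering the session goals.
! Assumes the hostname is already set (IOS needs hostname + domain name
! before it will generate an RSA key) and FA0/0 already has its IP address.
configure terminal
! Goal: set up the IP domain name
ip domain-name SPC.DEV
! Goal: create the RSA key for SSH (1024 bits per the session assumptions)
crypto key generate rsa modulus 1024
! Only accept SSH version 2 clients
ip ssh version 2
! Goal: set the enable password; 'secret' stores it as a hash
enable secret password
! Goals: set up username and password for local login; privilege 15 is
! this example's choice so the automation user lands in enable mode
username pytest privilege 15 secret pytest
! Goal: turn interface FA0/0 on
interface FastEthernet0/0
 no shutdown
exit
! Goals: enable SSH on VTY 0-5 and set login to local authentication
line vty 0 5
 transport input ssh
 login local
exit
end
! Save so the settings survive a reload
write memory
```

Check the result with `show ip ssh` (SSH version and key status) and `show running-config | section line vty` (transport and login settings).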

What did you Expect? Part 1: Connecting to Cisco IOS

Most of my career I have been a network operator.  In that time there have been many repetitive tasks that I wish I could have automated but I simply did not have the skill or knowledge to do anything about it.  So when Big Matt Stone sat down and showed me what writing code in Expect inside of Python was all about I was BLOWN AWAY!  This is part one of who knows how many in my series of starting to use Expect to automate network tasks.

REPOST: The lemming way…how Cisco jumped off the cliff.

So I was talking to one of my guys at work tonight and he indicated that my shots at Cisco have been a recent thing in my career.  I told him he was wrong and went back to a post that I had taken private.  It ends up being this post.  I want to start by saying I took this private when I went to a Cisco Gold VAR.  I did so because after this post I had seen some good indications of change and I felt like it was a bit too hard of a slap in the face for people who were in large part paying my salary.  That said, after re-reading it I think I had lots of things right.  So without further ado here is my original post, Published on: May 11, 2007 @ 13:52, taken right from my WP Dashboard.  Enjoy!

All Good Things Come to an End: Cisco Acquires Meraki

I have been very lucky in my career.  There is pretty much no network vendor whose gear has not come across my desk and that I have not had the opportunity to install and play with on some level.  Last year we engaged Meraki to consider them for both their Cloud Controller based Access Points and also for their new Access Switch product line.  I did lots and lots of research and honestly found a mixed bag of info.  On one hand people were saying this is really amazing stuff and if you can handle a bit less than full enterprise class gear you should really look at it.  On the other hand I read a few articles like this one out of Canada that paints a picture of pretty shady practices from Meraki.

So I sat through their online demos, had local partners come in to tell me how amazing it was, then I got my AP (Model MR12) from them to play with and see what I thought.  In all honesty their AP and overall wireless product underwhelmed me.  My Cisco 1200 B-only radio covered better and my Cisco 1252, even in 2.4 only mode, way outgunned this poor little guy.  But what they do very very well is the management of it all.  Even after I had decided that my company would not be moving to their access points nor the new switch line I decided to stick with System Manager because of how good it was at managing remote devices, and it was free!  So right off the bat I do not hate these guys or their products; I actually think they are pretty cool, but overall just not the right fit for what we needed.

Then tonight it happened.  @MrFogg97 hit me up and said “Saw this on #meraki’s site when reading the announcement. http://twitter.com/MrFogg97/status/270346667495145472/photo/1” and yes I did say that, and to this second I still believe it's a great product.  But then I asked myself, what announcement?  A quick trip to Meraki’s website told the tale.  Cisco announces intent to acquire Meraki.  And that is why I am really writing this post.

NAAATTT!!!!


Ok I know this will pull a significant amount of hate from all of the NAT haters.  99.9% of the time I would agree.  However our business is unique.  That is the first thing I am going to lay out for the sake of the discussion that will happen.

What we do:  We do real time video communication.

Who we do it for:  Medical Institutions.

How we deliver it:  Via Private MPLS from the client site to our call centers.  At the client side we ride their infrastructure.

Hopefully the issue becomes immediately clear.  If it does not, let me help out.  I own my network and the MPLS links and CPE router.  I do not own, control, influence or have any visibility into the client infrastructure.  In most cases the answer would be who cares, push it to the gateway, NAT it and be done with it.  However real time communications using SIP first don’t natively like NAT (but I have that issue fixed…..I think) and these systems are not simple point to point communications.  Instead they are ClientX to server, server to ClientY, ClientY to ClientX communications.  The solutions should be pretty obvious;

Made it to the Bigs. Network Field Day 3.

Wow so here I am just a few days from flying to San Jose for Network Field Day #3. What an honor! A bit over a year ago I sadly had to decline Steve Foskett’s invitation to attend a field day. Ever since then I was hoping I had not blown my chance to be part of what I think is where our industry is heading in regard to vendor interaction. For so long the process has been run by insiders and closed off to the majority of the community. Tech Field Day opened the kimono and I can’t wait to participate and share information from my perspective on what we get to see and talk about while in San Jose.

I have been doing some thinking and homework prior to flying west and I figured I would share some of that here. First off I have to say right up front that I am a client of three of the six vendors that are presenting. Not sure if that is a good thing or bad thing for them but it's how it goes.

Fake it till ya make it!

So no one who is reading this should be in the dark about some of the interesting things I have been doing as of late.  But if you are here is a quick re-cap.

Language Access Network, my employer, is undergoing an installation of a first of its kind Video Call Center.  I will have more to write on that soon.  As part of this process we had a WHOLE LOT of infrastructure put into place.  For starters we needed a “SAN”, we needed servers, we needed DC switching and we needed lots and lots of licensing, and that's all before the developers and engineers jump in to make the whole thing work.  The cool bits of this first part are what we did for “SAN”, server and network.  As you all know I am a past Cisco UCS zealot and I have a NetApp in my basement, so you would think that it would be simple math as to what I would have installed.  You would be right.  UCS and NetApp were about $100,000 more than I could scrape out of my budget and still have anything left for other major components.  Before people get bent out of shape about me saying Cisco UCS and NetApp are too expensive, I did not say that.  Honestly I think within existing DC platforms they are both very well priced if you don’t bring next gen platforms into the mix.  In my case the next gen platform is Nutanix.  If you don’t know anything about these guys click the link and check them out.

In a nutshell Nutanix is 4 blades of compute and 20TB of storage in a 2RU chassis with FusionIO, SSD and SAS drives and no common backplane between the 4 nodes.  Along with my four node pod we added Arista 7124SX as our DC switching/fabric.  There are lots of details around this combination, like currently Nutanix does not support using a node as a bare metal server like you can do with UCS or other blade enclosures, and the storage has limited access to the outside world (it is set up to be presented to ESXi hosts as iSCSI targets and to VMs as ViSCSI targets), but so far I love the platform.  It gave me what I needed at the price point I needed and offers huge scale out options considering it is based on the GFS file system that Google uses across their DCs.

Storage Wars the Epic Battle Rages On

So tonight as I was getting into bed I did my normal scan of Twitter to see who I have pissed off or what might be going on that should rob me of sleep.  Well tonight @david_Strebel asked the following question:

“Who thinks FCoE will win over iSCSI?”  I responded “Not I” and then David asked the next logical question, which was why not, and here is what I had to say in the incredible detail that Twitter allows:  “l2 boundaries, specialized hardware other than nics, hate relationship from most network people.”


The problem with this answer is pretty clear though.  It does not really answer the question, it just gives a few PowerPoint bullets to appease the crowd.  I don’t feel like this is enough though.  So I am going to attempt to lay out my overall view on this issue of who will win, iSCSI or FCoE, and why.  For those of you who don’t want to read the whole article, which might get a tad windy, I don’t think either will win.  But I don’t think FCoE will emerge as the leader until something better comes along.  For those masochists who like this kind of crap, read on.


Quick and Dirty…Ooohhhh….Yeahhhh

Quick and dirty is how I like it when I have 4000 menial tasks to get done.  So another oldie but goodie that I had to dig up today was how to delete a full directory structure and its contents from a Cisco file system.  So here it is, enjoy.

From normal enable mode:

delete /recursive /force flash:(enter the root file name)

So delete is the easy one.

/recursive sets the flag to recursively cycle through the whole directory structure you specified.  So you should probably never type

delete /recursive /force flash:  BAD DON’T DO IT!

And finally /force eliminates all the are you sure you don’t want to shoot yourself in the forehead messages.

Again, quick and dirty saves time, but if you're dumb about using it, it can get you in trouble.

Welcome to the HP Dream world where reality does not apply.

So last night while working on a Scalable Compute and storage design for a client, this post popped up in my twitter stream from @ErinatHP;

“New HP blog post “In the light of day – the Cisco UCS hype doesn’t match the promise” ; UCS not all its marketed to be http://bit.ly/dKj88W”

So in my normal do not let a stupid dig by a lame duck player go unmatched I responded “Oh I can’t wait to read this FUD” (you can check me out on twitter @joshobrien77)

All the Twitter marketing and pissing matches aside, I meant what I said and I did look forward to reading the HP spin on where their market is vanishing to.  And here are my responses; while they might not be the most technical, they are not uninformed on the basis of the Cisco UCS platform or the HP C7000 with FLEX-10 platform.  And remember, at the end of the day I represent me, not Cisco, not my employer, just little old me.

Also just so if this gets nasty I want to make sure that I am crediting this correctly:

All of the “HP Writes” entries are direct quotes from Duncan Campbel of HP on his blog, which you can find here:  http://h30507.www3.hp.com/t5/Converged-Infrastructure/In-the-light-of-day-the-Cisco-UCS-hype-doesn-t-match-the-promise/ba-p/83537

PLEASE READ ALL of Duncan’s Post BEFORE you READ Mine.  I DO NOT PRETEND to REPRESENT HIS SIDE WELL AT ALL!


TACACS+ on Nexus 7000

I have been through a couple of these Nexus deployments now that use a combination of 7Ks, 5Ks, and 2Ks. If you know anything about this platform you know that TACACS and AAA only really apply to the 7Ks and 5Ks. Here is my working template of what it takes to get these guys talking to an ACS server.

tacacs-server key 0 YOUR.ACS.KEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ GROUP.NAME
server X.X.X.X
server X.X.X.X
server X.X.X.X
source-interface YOUR.VLAN or YOUR.VRF or YOUR.ETHERNET

aaa authentication login default group GROUP.NAME
aaa authentication login console group GROUP.NAME
aaa authorization commands default group GROUP.NAME
aaa accounting default group GROUP.NAME
aaa authentication login error-enable

Get Your ACS in Order!

ACS 1113 Appliance Password and IP Change Process:

1.  Insert ACS Recover CD into DVD-Drive
2.  Connect Console Cable (DB9 to DB9) to Laptop and Appliance
3.  Start Terminal Session with Following  (115200, 8, None, 1, NONE)
4.  Connect Monitor and Keyboard to ACS Appliance
5.  Power Cycle ACS Appliance
6.  Use Keyboard and mouse to Select Option 1 for Administrator Password Reset
7.  Remove Recovery CD from Appliance
8.  Press Enter on Keyboard to reboot appliance
9.  Disconnect Keyboard and mouse from Appliance
10. Wait approx 5 minutes for the console session to return.  (Don’t rush it, get a coffee or a snack then come back)
11. At the login prompt use the default = Administrator with no password.
12. You will be prompted to enter a new username.
13. You will be prompted to enter a new password, you will be prompted to enter this twice
14. Login with new Username and Password
15. Connect Ethernet Port 1 (top port) on the appliance to the laptop's Ethernet port and wait for a green link light.  (Without this step the appliance will not accept interface changes.)
16. Type “Set IP”  Follow the prompts to enter new IP information and select YES at the end
17. Type “Set domain” Follow the prompts to enter the new DNS prefix select YES at the end
18. Type reboot
19. Wait approx 5 minutes for the console session to return.  (Don’t rush it, get a coffee or a snack then come back)
20. Login with new Username and Password
21. Type Show to validate your config changes
22. Disconnect from laptop
23. Connect to production network
24. Done

ALL YOUR AP’s ARE BELONG TO CONTROLLER ….

Recently we got an order of Cisco 1142 Access Points in. What we discovered was that if you order a 5 pack you end up with Autonomous Access Points.  If you order the 10 pack you can choose Autonomous or LWAPP.  Anyway we needed the ones we ordered to be LWAPP for the environment they were destined for.  So we did what we normally do and we fired up the AP conversion tool…wait for it…but it does not support conversion of the 1142.  Yeah that’s right, the conversion tool won’t convert the 1142N APs.  So after about 3 seconds of digging I found this: Convert 1142 to LWAPP.

That link gives you 99% of what you need to pull this off.  The rest is a valid CCO account and the hardware.  To do mine quickly I set up a spare 3750-PoE switch we had on our bench.  Keeping it quick and dirty I just set it up as follows using my console cable for the CLI input:



Seven more reasons Packetlife.net ROCKS!

Stretch over at Packetlife goes above and beyond when it comes to practical network blogging.  Even more, he publishes insanely good cheat sheets that I print, laminate and carry with me every day.  Often a customer will have a question and I pull out the handy cheat sheet and just leave it with them.  So today Stretch posted Seven Free Ways to Improve Your Network's Security, so click through to it and do these things TODAY!  So often it is the little things that bite us in the ass when it comes to security, and while letting just one little thing slip through is bad enough, so often we are letting lots of little things through.  So start here and let's lock down the tubes baby!

I HAVE THE POWER!!!!!!

It is funny how things cycle. We have been doing a bunch of Cisco 4500 installs ranging from 4506’s through the 4510 and even a few 6500s in the mix. And no matter how hard we try we have power issues with them every single time. We either are in a hurry and spec the wrong cables, the client requests the wrong cable, we don’t have the correct power to stage the equipment in our office or the client doesn’t have the right power for the unit. In many cases we temporarily fall back to using 110 power with NEMA 5-15/20T cables and then force the power supplies to combined mode in order to get enough power to bring up the entire chassis.  I should point out that this is usually only good for temp fix and that you should fix your power issue (usually installing bigger circuits) and move back to redundant mode.  But for that quick fix here is the command on a 4500 or 6500 chassis to combine the power supplies:

power redundancy-mode combined

This command should be run from config mode, and once your config is saved it will return to this state after a reboot.

And for a bit of extra fun scream out BY THE POWER OF GREYSKULL as you type this in.

Where the Heck are My TenGigabit Interfaces?

Well the picture to the right shows exactly where they are.  In the past we have dealt with 1Gbps interfaces on supervisors that had both RJ-45 and SFP slots and it was an either/or decision if you wanted to use them.  In those cases you had a config entry that required you to state SFP or RJ-45 in the interface configuration.  No matter what you chose it was always shown as Interface GigabitEthernet Mod#/Port#.  So when I dove into the Sup720 I was configuring I decided it was supposed to be the same way, because why would Cisco ever let me use all the ports on the front of my hardware?  Being the all knowing geek that I am I also ignored the config file that I had seen at least 30 times in the last hour and I just started typing Interface TenGigabitEthernet 5/1, and I kept getting this;

Captain the warp subsystems are down what should we do?!!!

Over the last two years I have become quite the Mac/OSX fan.  For years I was down on Apple and to this day think I had every right to be.  But with OS 10.4 and now 10.5 they have created a powerful and flexible Unix distribution for the general user and the power users.  However I have from time to time noticed funky issues with software such as the Cisco IPsec VPN client.

Most recently in 10.5.1 I kept getting “the VPN subsystem could not be contacted”.  Well here is the fix from Nate,

“If you are running Cisco’s VPNClient on Mac OSX, you might be familiar with (or tormented by) “Error 51: Unable to communicate with the VPN subsystem”. The simple fix is to quit VPNClient, open a Terminal window, (Applications -> Utilities -> Terminal) and type the following:
sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart
and give your password when it asks. This will stop and start the “VPN Subsystem”, or in other words restart the CiscoVPN.kext extension.”

Thanks Nate, and I hope this helps everyone else out there keep their WARP core under control….later!

Open wide I need to see all your packets!

I have been doing a lot of reading lately about network monitoring, IDS, network problem diagnosis and other such topics. Out of that reading I have been picking up on something that was totally left out of my education in the finer arts of networking. That something is the necessary use of network TAPs for full visibility of traffic in a structured switched Ethernet network. I plan on discussing that issue more in the near future. But on the front end I have discovered the need to use the existing SPAN and port mirroring options to get a better view of a highly VLAN’d environment. This article from NetworkIntrusion was just what the doctor ordered. So until I can get my hands on some TAPs and get some articles out about how they have revolutionized my troubleshooting methodology, I hope this use of tried and true tools for monitoring switches helps.

The Magical Disappearing ASA ACL.

I was on a client site about a month ago finishing an ASA install running PIX IOS 7.2.3. We were moving the client from flat ACLs to Object Group based ACLs, object groups and named hosts. But for whatever reason we were having problems with the ACL. So from the command line I planned on using the tried and true no access-list “ACL NAME” to get rid of the offending ACL and start over. I was confused when the ACL did not go away. Well in reading 6200networks yesterday I came across the answer. From global config mode use clear configure access-list “id” and it should take care of that troublesome ACL. Thanks to Joe at 6200networks for the info.