Wednesday, December 1, 2010

Cisco Switch POST Results

I recently discovered a new switch command. If you are working on a Cisco switch and you suspect hardware errors or problems, you can run this command:

"show post"

This command will show you the results of the POST when the switch was turned on.

!!NOTE!!
I don't think this command works on all Cisco switches, but I don't have a list for you. The example output is from a 2960S switch.


*****EXAMPLE OUTPUT*****

Switch 2
---------

POST: MA BIST : Begin
  FC 1   MBIST Test Passed.
  DP Sg1 MBIST Test Passed.
  DP Xg1 MBIST Test Passed.
  NI 1   MBIST Test Passed.
  FC 0   MBIST Test Passed.
  DP Sg0 MBIST Test Passed.
  DP Xg0 MBIST Test Passed.
  NI 0   MBIST Test Passed.
  UPB    MBIST Test Passed.
POST: MA BIST : End, Status Passed

POST: TCAM BIST : Begin
POST: TCAM BIST : End, Status Passed

POST: Inline Power Controller Tests : Begin
POST: Inline Power Controller Tests : End, Status Passed

POST: Thermal, Fan Tests : Begin
POST: Thermal, Fan Tests : End, Status Passed

POST: PortASIC Stack Port Loopback Tests : Begin
POST: PortASIC Stack Port Loopback Tests : End, Status Passed

POST: PortASIC Port Loopback Tests : Begin
POST: PortASIC Port Loopback Tests : End, Status Passed

POST: EMAC Loopback Tests : Begin
POST: EMAC Loopback Tests : End, Status Passed

Tuesday, November 30, 2010

Troubleshooting Spanning Tree

Have you ever suspected spanning tree to be an issue in your network and all you want to know is when the last spanning tree change was?

I have always used this command:
"show spanning-tree active detail"

The lines about topology changes (highlighted in the original post) are all I really want to know, but you get a lot more to sort through. If you have a separate spanning tree instance for each of your VLANs you will have to pick through the output to find this information for every VLAN. Look below the example output for a better command.

*****EXAMPLE OUTPUT*****

VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, sysid 1, address fcfb.fb30.5380
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 32769, address 0012.7f12.0680
  Root port is 513 (GigabitEthernet5/1), cost of root path is 4
  Topology change flag not set, detected flag not set
  Number of topology changes 545 last change occurred 00:28:02 ago
          from TenGigabitEthernet9/2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 480

 Port 15 (GigabitEthernet1/15) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.15.
   Designated root has priority 32769, address 0012.7f12.0680
   Designated bridge has priority 32769, address fcfb.fb30.5380
   Designated port id is 128.15, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1410218, received 0

 Port 26 (GigabitEthernet1/26) of VLAN0001 is designated forwarding
   Port path cost 4, Port priority 128, Port Identifier 128.26.
   Designated root has priority 32769, address 0012.7f12.0680
   Designated bridge has priority 32769, address fcfb.fb30.5380
   Designated port id is 128.26, designated path cost 4
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is point-to-point by default
   BPDU: sent 1039830, received 0

--------------------------------------------------------------------------------------

Try this command instead:
"show spanning-tree active detail | inc executing|y changes | from"

See how much more concise the output is. You can quickly see which VLAN has experienced changes and from which port.

*****EXAMPLE OUTPUT*****


VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 544 last change occurred 02:42:39 ago
          from TenGigabitEthernet9/2
 VLAN0010 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 290 last change occurred 02:42:39 ago
          from TenGigabitEthernet9/2
 VLAN0011 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 133 last change occurred 4w3d ago
          from GigabitEthernet1/29
 VLAN0012 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 134 last change occurred 4w3d ago
          from GigabitEthernet2/33
 VLAN0013 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 134 last change occurred 4w3d ago
          from GigabitEthernet2/33
 VLAN0014 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 139 last change occurred 4w3d ago
          from GigabitEthernet2/33
 VLAN0015 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 147 last change occurred 3w0d ago
          from GigabitEthernet2/35
 VLAN0016 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 133 last change occurred 4w3d ago
          from GigabitEthernet2/33
 VLAN0017 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 135 last change occurred 4w3d ago
          from GigabitEthernet2/33
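Turning that filtered output into something you can sort and alert on, as an added example that is not part of the original post: it converts the IOS elapsed-time formats (hh:mm:ss, XdYYh, XwYd, XyYYw) to seconds, lists the VLANs whose last topology change is recent, and tallies which port those changes came from. The 24-hour threshold is an assumption for illustration.

```python
import re
from collections import Counter
# The filtered output from the post, trimmed to three VLANs (constructed copy for this example).
SAMPLE = """
VLAN0001 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 544 last change occurred 02:42:39 ago
          from TenGigabitEthernet9/2
 VLAN0010 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 290 last change occurred 02:42:39 ago
          from TenGigabitEthernet9/2
 VLAN0011 is executing the ieee compatible Spanning Tree protocol
  Number of topology changes 133 last change occurred 4w3d ago
          from GigabitEthernet1/29
"""
# IOS prints elapsed time as hh:mm:ss, then XdYYh, XwYd and XyYYw as the interval grows.
_AGE_FORMS = [
    (re.compile(r"^(\d+):(\d+):(\d+)$"), (3600, 60, 1)),
    (re.compile(r"^(\d+)d(\d+)h$"), (86400, 3600)),
    (re.compile(r"^(\d+)w(\d+)d$"), (604800, 86400)),
    (re.compile(r"^(\d+)y(\d+)w$"), (31536000, 604800)),
]

def age_to_seconds(text):
    """Convert an IOS elapsed-time string to seconds; raise on an unknown form."""
    for pattern, weights in _AGE_FORMS:
        if m := pattern.match(text):
            return sum(int(v) * w for v, w in zip(m.groups(), weights))
    raise ValueError(f"unrecognised IOS age: {text!r}")

_VLAN = re.compile(r"^\s*(VLAN\d+) is executing")
_CHANGES = re.compile(r"Number of topology changes (\d+) last change occurred (\S+) ago")
_FROM = re.compile(r"^\s*from (\S+)")

def parse_stp(text):
    """Return {vlan: {"changes": int, "age_s": int, "port": str}} from the filtered output."""
    result, current = {}, None
    for line in text.splitlines():
        if m := _VLAN.match(line):
            current = m.group(1)
            result[current] = {}
        elif (m := _CHANGES.search(line)) and current:
            result[current].update(changes=int(m.group(1)), age_s=age_to_seconds(m.group(2)))
        elif (m := _FROM.match(line)) and current:
            result[current]["port"] = m.group(1)
    return result

def recent_changes(parsed, within_s=86400):
    """VLANs whose last change is newer than within_s, plus a tally of the ports they came from."""
    recent = {v: d for v, d in parsed.items() if d.get("age_s", within_s) < within_s}
    return recent, Counter(d["port"] for d in recent.values())

if __name__ == "__main__":
    recent, ports = recent_changes(parse_stp(SAMPLE))
    print("changed in last 24h:", sorted(recent), "| source ports:", ports.most_common())
```

A port that shows up for many VLANs at the same recent age, as TenGigabitEthernet9/2 does here, is where to start looking.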

Monday, October 18, 2010

How to use Cisco Access List to Secure Guest Wireless or Network

*****NOTE*****
Always be careful with debugs, but particularly packet-level debugs! They can
produce a lot of information. If you do not practice caution you can cause your
router to become unresponsive.
**************

Example Network:

VLAN 1           192.168.1.0 /24
VLAN 2           192.168.2.0 /24
VLAN 3           192.168.3.0 /24
VPN Range        10.10.10.0 /24
Guest VLAN 122   172.16.22.0 /24 - Default Gateway 172.16.22.1

Objective:
Secure the network to prevent users on the Guest VLAN from accessing the protected networks while still providing access to the internet.

*****Prevents access to ALL 192.168.0.0 /16 networks.
access-list 122 deny   ip any 192.168.0.0 0.0.255.255

*****Prevents access to the 10.10.10.0 /24 VPN network.
access-list 122 deny   ip any 10.10.10.0 0.0.0.255

*****Prevents management access to the Default Gateway on the Guest VLAN. The ports include telnet, SSH, HTTP, HTTPS, and SNMP.
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161

*****Allows access to the Default Gateway for Internet access.
access-list 122 permit ip 172.16.22.0 0.0.0.255 any


***** The access list without comments*****

access-list 122 deny   ip any 192.168.0.0 0.0.255.255
access-list 122 deny   ip any 10.10.10.0 0.0.0.255
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161
access-list 122 permit ip 172.16.22.0 0.0.0.255 any

*****NOTE*****
The order is VERY important. With any access list there is an implicit deny all
rule. Access lists are processed from the top down. The first rule that matches
the traffic is the rule that is applied.
**************

If you want to edit the access list you need to copy it to a text document and
edit it with the new rules you want to add. Then you have two options.

1. Delete the access list by using the "no access-list 122" command and then
   paste it back in with the new rules.

2. Give the new access list a new number, such as access-list 123. You will need
   to change the access-list number on each line before pasting it in.

If you go with option number 2 you will need to go into the interface and apply the access list. More info on that procedure later.

*****NOTE*****
With option number 2 there is no time that your interface is completely open. You
simply switch from one access list to another. With option number 1 you will have
a few moments that an access list is not applied because it does not exist.
**************

If you are working remotely I would highly suggest option number 2. It lets you get all of your rules in place before they apply to the interface. Consider what happens if you paste the example access list in while it is already applied: as soon as the first rule exists, the access list exists, and with it the implicit deny at the end. The first rule in the example is a very specific deny, but combined with the implicit deny all rule it stops all traffic going through this interface. If you are using this interface to connect remotely you will lose your connection.
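To see the top-down, first-match rule and the implicit deny in action, here is an added example (not part of the original post) that evaluates sample packets against the access list above, including the case where only the first line has been pasted in. The guest host 172.16.22.50 and the 8.8.8.8 Internet destination are constructed for illustration; as on IOS, "ip" in a rule matches any protocol and a rule with no port matches any port.

```python
import ipaddress
# The guest VLAN ACL exactly as the post gives it (constructed copy for this example).
ACL_122 = """
access-list 122 deny   ip any 192.168.0.0 0.0.255.255
access-list 122 deny   ip any 10.10.10.0 0.0.0.255
access-list 122 deny   tcp any host 172.16.22.1 eq telnet
access-list 122 deny   tcp any host 172.16.22.1 eq 22
access-list 122 deny   tcp any host 172.16.22.1 eq 80
access-list 122 deny   tcp any host 172.16.22.1 eq 443
access-list 122 deny   tcp any host 172.16.22.1 eq 161
access-list 122 deny   udp any host 172.16.22.1 eq 161
access-list 122 permit ip 172.16.22.0 0.0.0.255 any
""".strip().splitlines()
PORT_NAMES = {"telnet": 23}  # the only named port the post uses

def wildcard_to_network(addr, wildcard):
    """IOS wildcard bits are 'don't care' bits, i.e. the inverse of a subnet mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def _addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return wildcard_to_network(tok[0], tok[1]), tok[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into its parts."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    src, rest = _addr(tok[4:])
    dst, rest = _addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; falling off the end is the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        action, aproto, snet, dnet, aport = parse_ace(line)
        if (aproto in ("ip", proto) and s in snet and d in dnet
                and (aport is None or aport == dport)):
            return action, line
    return "deny", "implicit deny (end of list)"

if __name__ == "__main__":
    for pkt in [("tcp", "172.16.22.50", "192.168.1.10", 445), ("udp", "172.16.22.50", "172.16.22.1", 53)]:
        print(pkt, "->", evaluate(ACL_122, *pkt))
    # Only the first deny pasted so far: the Internet-bound flow hits the implicit deny (the lock-out case).
    print("partial paste:", evaluate(ACL_122[:1], "tcp", "172.16.22.50", "8.8.8.8", 443))
```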

When you have your access list ready you can apply it to your interface. In this example we will apply the access list to the Guest VLAN Default Gateway. It is a virtual interface called "vlan 122".

After logging in go into enable mode if necessary. Then enter the following commands:

configure terminal
interface vlan 122
ip access-group 122 in

These commands will apply your access list rules to all traffic coming into "interface vlan 122".

*****NOTE*****
Don't forget to save your config before exiting.
"write mem"
**************

If you would like to debug your access list you will need to issue the "term mon" (terminal monitor) command. This will show debug output on your session. To stop the output, issue "term no mon".

The following command will debug our example access list:

debug ip packet 122 detail

Now produce traffic to get your debug output.

Monday, October 4, 2010

How to Add Sysprep Files to VMware vCenter Server

In order to create templates or customize the Windows OS on a cloned virtual machine in vCenter you must add the necessary sysprep files to the proper directory on your vCenter server.

*****NOTE*****
vCenter 4 and up has native support for Windows Server 2008. No sysprep files are necessary.
**************

In Windows Server 2008 the sysprep directory is:
C:\ProgramData\VMware\VMware VirtualCenter\sysprep


In Windows Server 2003 the sysprep directory is:
C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\sysprep


Choose the appropriate OS for the sysprep files downloaded from Microsoft and extract them to the proper directory using one of the following procedures:

If your sysprep file is an exe file:

(1) Go to "Start, Run"
(2) Enter the path to your sysprep file and run it with the "/x" switch,
      e.g.:   c:\sysprep files\WindowsXPxxxxxx.exe /x

This command will run and ask you where to extract the sysprep files. Choose the appropriate sysprep directory.


If your sysprep file is a cab file:

(1) Open your cab file.
(2) Press ctrl-A to select all.
(3) Right click and extract to the appropriate sysprep directory.


*****Here's a link to a KB article from VMware with more info.*****

VMware KB Article 1005593

Tuesday, September 28, 2010

UC560 CUE 8.02 Choppy Voice Mail / Auto Attendant

This was posted by a friend of mine as a comment. I thought it warranted a separate posting. Thanks Mike.


Here's his LinkedIn page.
http://www.linkedin.com/in/mfoster670


As of today we have a good idea of what the issue is with the choppy Voice Mail and AA when upgrading to the 8.0.2 version of CUE. However, there is still no permanent fix for this issue. The first workaround is creating a script that reboots CUE every day at a certain time. The example listed below is for 4 am every day.



config t
event manager applet cue_reset
event timer cron cron-entry "0 4 * * *" (there are spaces between each entry)
action 1 cli command "enable"
action 2 cli command "service-module integrated-Service-Engine 0/0 reset" pattern "confirm"
action 3 cli command "y" 

Monday, September 27, 2010

How to Downgrade Cisco Lightweight AP to Autonomous AP

Revert your Cisco AP using a TFTP server and a new IOS File:

1- The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30. The subnet mask will be 255.0.0.0.

2- Make sure that the PC contains the access point image file in the TFTP server folder and that the TFTP server is activated. An example IOS file would be c1130-k9w7-tar.124-10b.JDA3.tar for an 1100 series access point.

3- Rename the access point image file in the TFTP server folder to the default image name. It will be c1200-k9w7-tar.default for a 1200 series AP or c1130-k9w7-tar.default for an 1130 series AP.

4- Connect the PC to the access point using an Ethernet cable.

5- Disconnect power from the access point.

6- Press and hold the MODE button while you reconnect power to the access point.

7- Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button. For the 1130 APs, hold the button until the console indicates that the button is pressed (the R LED will be solid red): Console will read something like this: button is pressed, wait for button to be released...

Once it starts uploading, the E & R LEDs will both be blinking (1130 AP). Once you release the button, you should see the console extracting files from the tarball on the TFTP server.

**NOTE** - I have had some TFTP server software fail to start the download. If you run into this issue try a different TFTP server software.

Links to my favorite free TFTP software:
TFTPD32
3COM 3CDaemon

8- Wait until the access point reboots. The best way to see when it has rebooted is to watch the console.

9- After the access point reboots, reconfigure the access point using the GUI or the CLI.

CLI REFERENCE (You will need a Cisco Login to Access the following link)

http://www.cisco.com/en/US/partner/docs/wireless/access_point/ios/release/notes/b311jx1.html

Thursday, September 23, 2010

Vizioncore VReplicator Jobs Failing?

Vizioncore vReplicator
When jobs are failing, check these things.
For Changed Block Tracking (CBT) to work, all VMDKs must have a single partition and it must be primary.

If you have issues with jobs failing try this:
 
The CBT file is stale and needs to be recreated:
1.  In vReplicator, click on Tools -> Change Block Tracking Options
2.  Find the VM and uncheck CBT
3.  Delete the vReplicator job and recreate it
4.  In vCenter, create a snapshot
5.  In vReplicator, check CBT for the VM
6.  In vCenter, delete the snapshot
7.  Retry the replication.

NetApp Losing IP Config After Reboot


If your interfaces are losing their configuration you must edit the /etc/rc file. The filer uses this file at boot for its settings. You can change this file by:

1. Running setup again.
2. Editing the /etc/rc file.

***** Make sure you read the /etc/rc file into memory first using:   rdfile /etc/rc *****

CAUTION: If you make a change using wrfile and you have NOT run the rdfile command first you will delete the original rc file.

I would recommend copying the output of the rdfile command to a notepad just in case.

The command to append your changes to the rc file is:     wrfile -a /etc/rc

**Example RC File**

hostname SAN1
vif create multi Prod1 -b ip e0a e0b
ifconfig Prod1 `hostname`-Prod1 mediatype auto netmask 255.255.255.0 partner Prod2
route add default 10.10.20.1 1
routed on
options dns.enable off
options nis.enable off
savecore

**Example command to append an interface configuration to the file**

wrfile -a /etc/rc ifconfig e0P 10.10.10.31 netmask 255.255.255.0 mediatype auto

**Example of the rdfile output after running wrfile -a**

hostname SAN1
vif create multi Prod1 -b ip e0a e0b
ifconfig Prod1 `hostname`-Prod1 mediatype auto netmask 255.255.255.0 partner Prod2
route add default 10.10.20.1 1
routed on
options dns.enable off
options nis.enable off
savecore
ifconfig e0P 10.10.10.31 netmask 255.255.255.0 mediatype auto




Can't Connect to vCenter After Changing the ESX Service Console IP Address

-------------------------------------------------------------------
GIVE ROOT SSH ACCESS

Connect via VIClient

Create a user and add it to the "wheel" group

Reset Root user password to what it needs to be
-------------------------------------------------------------------
PERMIT ROOT LOGIN

SSH to ESX Host and login as new user
After connecting do the following:

su
(type root password)
vi /etc/ssh/sshd_config        <- This will open a file to be edited
Find the line that says "PermitRootLogin no"
hit the "i" key for insert
cursor to the line and change it to "PermitRootLogin yes"
hit "esc" to exit insert mode
Save your changes type ":wq" and hit enter

(To make the changes take effect you must restart the sshd service)
/etc/init.d/sshd restart
-------------------------------------------------------------------

Packet Capture on a Cisco ASA

*****DEFINE INTERESTING TRAFFIC*********************

For example: The following access-list will capture traffic going to 192.168.25.100 from any source and the second line will capture traffic coming from 192.168.25.100 to any destination.

access-list capture-list extended permit ip any host 192.168.25.100
access-list capture-list extended permit ip host 192.168.25.100 any
*******************************************************


*****START THE CAPTURES*****************************

ASA# capture <name> interface (interface) access-list (access list) buffer (bytes to capture) packet 1522

For example:

ASA# capture incoming-cap interface inside access-list capture-list buffer 1000000 packet 1522
ASA# capture outgoing-cap interface outside access-list capture-list buffer 1000000 packet 1522
*******************************************************


*****GENERATE TRAFFIC*******************************

This can be done by producing any network traffic that falls within the access list you created earlier.
******************************************************


*****VIEW CAPTURES*********************************

show capture incoming-cap
show capture outgoing-cap
******************************************************


*****REMOVE CAPTURES******************************

no capture incoming-cap
no capture outgoing-cap
******************************************************

Wednesday, September 22, 2010

See the Pre-shared key for a VPN Tunnel on a Cisco Device

Ever need to see the tunnel pre-shared key in a show run on a Cisco device?

For example:

tunnel-group VPNACCESS ipsec-attributes
 pre-shared-key *



Run this command: "more system:running-config"

This will start a new show run and you will see what was left out.

For Example:
tunnel-group VPNACCESS ipsec-attributes
 pre-shared-key VpnK3yH@sB33nCh@ng3d