
About This Club

Cisco Operating System and Hardware Support
  1. What's new in this club
  2. For us what you need to do is find what VRF:
     USZAH-001# show vrf
     VRF-Name    VRF-ID  State  Reason
     FCR         3       Up     --
     default     1       Up     --
     management  2       Up     --
     The command that works is:
     show ip arp vlan 102 vrf FCR
  3. So I have myself either a MAC address or hardware address that I need to find on a Cisco Nexus switch (NX-OS), so how do I do it?
     First I start at the core switch; then it depends on whether I know the MAC address or not. If not, I first find out what it is:
     I ping the IP address from the switch to make sure the address is in the ARP table.
     Then I look at the ARP table for that IP address to see what the MAC address is.
     Now I have the MAC address and I can continue.
     That may have told you what interface, but in my case I have to keep digging because it said it belongs to Po201 (Port Channel 201), so let me figure out what switch that is by first finding out what interfaces belong to Po201:
     show interface po201
     I get a bunch of info but looking mainly at
     Now I do a show cdp nei and it shows the same hostname for all the interfaces listed from the last command.
     Time to connect to that switch (of course, if you can't connect via FQDN, just ping the FQDN to find the IP and try with that instead).
     Once connected, run your command again.
     And there ya go.
  4. So with Cisco we have the ability to assign VLANs from 1-4094. That's a lot of VLANs. So what does someone do, just randomly grab a VLAN number and assign it? Not me. I'm more of a standards type of guy, so I utilize the following template, which seems to work well for large offices that don't have more than 4600 users per floor (I use a max of 9 /23 subnets, since I think anything larger than a /23 is just too big and you notice a performance degradation).
  5. Step-by-Step Procedure
     Complete these steps to recover your password:
     Note: Make sure that you have physical access to the switch and that you use console access to the Supervisor Engine module while you perform these steps. For details on the switch console connection, refer to Connecting a Modem to the Console Port on Catalyst Switches.
     Tip: Configuration of the switch is not lost if the procedure is followed as mentioned. As a best practice, Cisco recommends that you have a backup copy of the configuration of all Cisco devices at the TFTP server or a Network Management server.
     Step 1: Power cycle the device. In order to power cycle, turn the device off, then back on. Press Ctrl-C within 5 seconds to prevent autoboot. This action puts you in ROM monitor (ROMmon) prompt mode.
     !--- Here, you power cycle the switch.
     **********************************************************
     *                                                        *
     *  Welcome to ROM Monitor for WS-X4014 System.           *
     *  Copyright © 1999-2000, 2001 by Cisco Systems, Inc.    *
     *  All rights reserved.                                  *
     *                                                        *
     **********************************************************
     ROM Monitor Program Version 12.1(10r)EY(1.21)
     Board type 1, Board revision 7
     Swamp FPGA revision 16, Dagobah FPGA revision 43
     Timer interrupt test passed.
     MAC Address : 00-02-b9-83-af-fe
     IP Address : 172.16.84.122
     Netmask : 255.255.255.0
     Gateway : 172.16.84.1
     TftpServer : Not set.
     Main Memory : 256 MBytes
     ***** The system will autoboot in 5 seconds *****
     Type control-C to prevent autobooting.
     !--- At this point, press Ctrl-C.
     Autoboot cancelled......... please wait!!!
     Autoboot cancelled......... please wait!!!
     rommon 1 > [interrupt]
     !--- The module ended in the ROMmon.
     rommon 1 > [interrupt]
     Step 2: Issue the confreg command at the rommon prompt. Make the selections that appear here in boldface for password recovery:
     rommon 1 > set
     rommon 1 > confreg
     Configuration Summary :
     => load ROM after netboot fails
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable
     do you wish to change the configuration? y/n : y
     enable "diagnostic mode"? y/n : n
     enable "use net in IP bcast address"? y/n : n
     disable "load ROM after netboot fails"? y/n : n
     enable "use all zero broadcast"? y/n : n
     enable "break/abort has effect"? y/n : n
     enable "ignore system config info"? y/n : y
     change console baud rate? y/n : n
     change the boot characteristics? y/n : n
     Configuration Summary :
     => load ROM after netboot fails
     => ignore system config info
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable
     do you wish to save this configuration? y/n : y
     You must reset or power cycle for new configuration to take effect
     Note: You can also use the confreg 0x2142 command at the ROMmon prompt in order to set the configuration register value to bypass the startup configuration stored in NVRAM.
     rommon 1 > confreg 0x2142
     You must reset or power cycle for the new configuration to take effect.
     Step 3: Issue the reset command so that the module reboots. Due to the changes that you made in step 2, the module reboots but ignores the saved configuration.
     rommon 2 > reset
     Resetting .......
     rommon 3 >
     **********************************************************
     *                                                        *
     *  Welcome to ROM Monitor for WS-X4014 System.           *
     *  Copyright © 1999-2000, 2001 by Cisco Systems, Inc.    *
     *  All rights reserved.                                  *
     *                                                        *
     **********************************************************
     !--- Output suppressed.
     Press RETURN to get started!
     !--- Press Return.
     00:00:21: %SYS-5-RESTART: System restarted --
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     00:00:21: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start
     Switch>
     Step 4: Make sure that the configuration register value is 0x2142. This value makes the module boot from Flash without a load of the saved configuration. Issue the enable command at the Switch prompt to go to enable mode. Then, issue the show version command to check the configuration register value.
     Switch> enable
     Switch# show version
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     Image text-base: 0x00000000, data-base: 0x00AA2B8C
     ROM: 12.1(10r)EY(1.21)
     Switch uptime is 5 minutes
     System returned to ROM by reload
     Running default software
     cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
     Processor board ID FOX04183666
     Last reset from Reload
     32 Gigabit Ethernet/IEEE 802.3 interface(s)
     467K bytes of non-volatile configuration memory.
     Configuration register is 0x2142
     Switch#
     Step 5: Issue the configure memory command or the copy startup-config running-config command to copy the NVRAM into memory. Do not issue the configure terminal command, which shows the default configuration on the module.
     Switch# configure memory
     Uncompressed configuration from 1307 bytes to 3014 bytes
     Switch#
     00:13:52: %SYS-5-CONFIG_I: Configured from memory by console
     c-4006-SUPIII#
     Step 6: Issue the show ip interface brief command to make sure that the interfaces that were in use earlier show an "up up" status. If any of the interfaces that were in use before the password recovery show "down", issue the no shutdown command on that interface to bring the interface up.
     Step 7: Issue the write terminal command or the show running-config command to display the saved configuration on the module.
     c-4006-SUPIII# show running-config
     Building configuration...
     Current configuration : 3014 bytes
     !
     version 12.1
     no service pad
     service timestamps debug uptime
     service timestamps log uptime
     no service password-encryption
     service compress-config
     !
     hostname c-4006-SUPIII
     !
     boot system flash bootflash:
     !
     vtp mode transparent
     !--- Output suppressed.
     line con 0
      stopbits 1
     line vty 0 4
      login
     !
     end
     c-4006-SUPIII#
     Step 8: Now you are ready to change the password on the module. Issue these commands to change the password:
     c-4006-SUPIII# configure terminal
     Enter configuration commands, one per line. End with CNTL/Z.
     c-4006-SUPIII(config)# no enable secret
     !--- This step is necessary if the switch had an enable
     !--- secret password.
     c-4006-SUPIII(config)# enable secret < password >
     !--- This command sets the new password.
     Step 9: Make sure that you change the configuration register value back to 0x2102. Complete these steps at the config prompt to change and verify the configuration register value.
     c-4006-SUPIII(config)# config-register 0x2102
     c-4006-SUPIII(config)# ^Z
     c-4006-SUPIII#
     00:19:01: %SYS-5-CONFIG_I: Configured from console by console
     c-4006-SUPIII# write memory
     !--- This step saves the configuration.
     Building configuration...
     Compressed configuration from 3061 bytes to 1365 bytes
     c-4006-SUPIII# show version
     !--- This step verifies the value change.
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     Image text-base: 0x00000000, database: 0x00AA2B8C
     ROM: 12.1(10r)EY(1.21)
     c-4006-SUPIII uptime is 20 minutes
     System returned to ROM by reload
     Running default software
     cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
     Processor board ID FOX04183666
     Last reset from Reload
     32 Gigabit Ethernet/IEEE 802.3 interface(s)
     467K bytes of nonvolatile configuration memory.
     Configuration register is 0x2142 (will be 0x2102 at next reload)
     c-4006-SUPIII#
     At this point, you have changed the password.
     Sample Output/Example Procedure
     This sample output is the result of the password recovery procedure on a Catalyst 4000 Supervisor Engine III.
     c-4006-SUPIII> enable
     Password:
     Password:
     Password:
     % Bad secrets
     !--- Here, you power cycle the switch.
     **********************************************************
     *                                                        *
     *  Welcome to ROM Monitor for WS-X4014 System.           *
     *  Copyright © 1999-2000, 2001 by Cisco Systems, Inc.    *
     *  All rights reserved.                                  *
     *                                                        *
     **********************************************************
     ROM Monitor Program Version 12.1(10r)EY(1.21)
     Board type 1, Board revision 7
     Swamp FPGA revision 16, Dagobah FPGA revision 43
     Timer interrupt test passed.
     MAC Address : 00-02-b9-83-af-fe
     IP Address : 172.16.84.122
     Netmask : 255.255.255.0
     Gateway : 172.16.84.1
     TftpServer : Not set.
     Main Memory : 256 Mbytes
     ***** The system will autoboot in 5 seconds *****
     Type control-C to prevent autobooting.
     !--- At this point, press Ctrl-C.
     Autoboot cancelled......... please wait!!!
     Autoboot cancelled......... please wait!!!
     rommon 1 > [interrupt]
     rommon 1 > [interrupt]
     rommon 1 > confreg
     Configuration Summary :
     => load ROM after netboot fails
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable
     do you wish to change the configuration? y/n : y
     enable "diagnostic mode"? y/n : n
     enable "use net in IP bcast address"? y/n : n
     disable "load ROM after netboot fails"? y/n : n
     enable "use all zero broadcast"? y/n : n
     enable "break/abort has effect"? y/n : n
     enable "ignore system config info"? y/n : y
     change console baud rate? y/n : n
     change the boot characteristics? y/n : n
     Configuration Summary :
     => load ROM after netboot fails
     => ignore system config info
     => console baud: 9600
     => autoboot from: commands specified in 'BOOT' environment variable
     do you wish to save this configuration? y/n : y
     You must reset or power cycle for new configuration to take effect
     rommon 2 > reset
     Resetting .......
     rommon 3 >
     **********************************************************
     *                                                        *
     *  Welcome to ROM Monitor for WS-X4014 System.           *
     *  Copyright © 1999-2000, 2001 by Cisco Systems, Inc.    *
     *  All rights reserved.                                  *
     *                                                        *
     **********************************************************
     ROM Monitor Program Version 12.1(10r)EY(1.21)
     Board type 1, Board revision 7
     Swamp FPGA revision 16, Dagobah FPGA revision 43
     Timer interrupt test passed.
     MAC Address : 00-02-b9-83-af-fe
     IP Address : 172.16.84.122
     Netmask : 255.255.255.0
     Gateway : 172.16.84.1
     TftpServer : Not set.
     Main Memory : 256 Mbytes
     ***** The system will autoboot in 5 seconds *****
     Type control-C to prevent autobooting.
     . . . . .
     ******** The system will autoboot now ********
     config-register = 0x2142
     Autobooting using BOOT variable specified file.....
     Current BOOT file is --- bootflash:
     Rommon reg: 0x2B004180
     Decompressing the image : ###########################
     #####################################################
     #######################################
     k2diags version 1.6
     prod: WS-X4014 part: 73-6854-07 serial: JAB0546060Z
     Power-on-self-test for Module 1: WS-X4014
     Status: (. = Pass, F = Fail)
     Traffic using serdes loopback (L2; one port at a time)...
     switch port 0: . switch port 1: . switch port 2: . switch port 3: .
     switch port 4: . switch port 5: . switch port 6: . switch port 7: .
     switch port 8: .
     !--- Output suppressed.
     Module 1 Passed
     Exiting to ios...
     Rommon reg: 0x2B000180
     Decompressing the image : ##########################
     !--- Output suppressed.
     #########################################################
     Restricted Rights Legend
     Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
     cisco Systems, Inc.
     170 West Tasman Drive
     San Jose, California 95134-1706
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     Image text-base: 0x00000000, database: 0x00AA2B8C
     cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
     Processor board ID FOX04183666
     Last reset from Reload
     32 Gigabit Ethernet/IEEE 802.3 interface(s)
     467K bytes of nonvolatile configuration memory.
     Press RETURN to get started!
     00:00:21: %SYS-5-RESTART: System restarted --
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     00:00:21: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start
     Switch> enable
     Switch# show version
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     Image text-base: 0x00000000, database: 0x00AA2B8C
     ROM: 12.1(10r)EY(1.21)
     Switch uptime is 5 minutes
     System returned to ROM by reload
     Running default software
     cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
     Processor board ID FOX04183666
     Last reset from Reload
     32 Gigabit Ethernet/IEEE 802.3 interface(s)
     467K bytes of nonvolatile configuration memory.
     Configuration register is 0x2142
     Switch#
     Switch# configure memory
     Uncompressed configuration from 1307 bytes to 3014 bytes
     c-4006-SUPIII#
     00:13:52: %SYS-5-CONFIG_I: Configured from memory by console
     c-4006-SUPIII# show running-config
     Building configuration...
     Current configuration : 3014 bytes
     !
     version 12.1
     no service pad
     service timestamps debug uptime
     service timestamps log uptime
     no service password-encryption
     service compress-config
     !
     hostname c-4006-SUPIII
     !
     boot system flash bootflash:
     !
     vtp mode transparent
     !
     vlan 20
      private-vlan primary
     !
     vlan 100
     !
     vlan 202
      private-vlan association 440
     !
     vlan 440
      private-vlan isolated
     !
     vlan 500
     ip subnet-zero
     no ip domain-lookup
     !
     ip multicast-routing
     !
     !
     interface GigabitEthernet1/1
      no switchport
      ip address 10.1.1.1 255.255.255.0
      ip pim dense-mode
     !
     interface GigabitEthernet1/2
      no switchport
      ip address 20.1.1.1 255.255.255.0
     !
     !--- Output suppressed.
     !
     interface Vlan1
      ip address 172.16.84.140 255.255.255.0
      ip pim dense-mode
     !
     interface Vlan2
      no ip address
      shutdown
     !
     interface Vlan20
      no ip address
      shutdown
     !
     !--- Output suppressed.
     !
     line con 0
      stopbits 1
     line vty 0 4
      login
     !
     end
     c-4006-SUPIII# configure terminal
     Enter configuration commands, one per line. End with CNTL/Z.
     c-4006-SUPIII(config)# no enable secret
     !--- This step is necessary if the switch had
     !--- an enable secret password.
     c-4006-SUPIII(config)# enable secret < password >
     c-4006-SUPIII(config)# config-register 0x2102
     c-4006-SUPIII(config)# ^Z
     c-4006-SUPIII#
     00:19:01: %SYS-5-CONFIG_I: Configured from console by console
     c-4006-SUPIII# write memory
     Building configuration...
     Compressed configuration from 3061 bytes to 1365 bytes
     c-4006-SUPIII# show version
     Cisco Internetwork Operating System Software
     IOS Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(8a)EW, RELEASE SOFTWARE (fc1)
     TAC Support: http://www.cisco.com/tac
     Copyright © 1986-2002 by cisco Systems, Inc.
     Compiled Thu 24-Jan-02 17:34 by ccai
     Image text-base: 0x00000000, database: 0x00AA2B8C
     ROM: 12.1(10r)EY(1.21)
     c-4006-SUPIII uptime is 20 minutes
     System returned to ROM by reload
     Running default software
     cisco WS-C4006 (MPC8245) processor (revision 7) with 262144K bytes of memory.
     Processor board ID FOX04183666
     Last reset from Reload
     32 Gigabit Ethernet/IEEE 802.3 interface(s)
     467K bytes of nonvolatile configuration memory.
     Configuration register is 0x2142 (will be 0x2102 at next reload)
     c-4006-SUPIII#
  6. A Cat6513 with dual sup720-3Bs, 11 6548-GE-45AF blades, and assuming 5W PoE per port (I've been told that the Avaya 4621SW phone typically takes 4.9W) times 432 ports (2 of the 6548s don't have PoE devices connected), the total power draw will be 4749.57W. How long a UPS can sustain delivery of this amount of power is something I can't answer. As for the Cat6509, the only change is that the PoE ports go down to 240 (5 x 48 = 240). The total power draw is 2992.19W. As for the 4507R, I'll assume dual 4516 sups, five 4548-GB-RJ45V blades (is that right?), plus 144 PoE devices. The total power draw is 1465.99W. P.S. BTW, if you had a CCO ID, this is one of the tools you'd have access to directly. http://tools.cisco.com/cpc/
  7. PRODUCTION
     logging buffered 20480 debugging
     logging console informational
     logging monitor informational
     enable secret 5 $1$MBrN$ottZrqMPOB3jZEo0QFEQA0
     !
     aaa new-model
     aaa authentication attempts login 6
     aaa authentication login default group tacacs+ line
     aaa authentication enable default group tacacs+ enable
     aaa accounting exec default stop-only group tacacs+
     aaa accounting commands 15 default stop-only group tacacs+
     aaa accounting network default stop-only group tacacs+
     !
     aaa session-id common
     tacacs-server host 10.59.245.27
     tacacs-server host 10.59.245.28
     tacacs-server attempts 6
     tacacs-server directed-request
     tacacs-server key 7 03075A1F120E2840
     banner motd _
     ********************************************************************
     Use of this system is restricted to authorized users. User activity is monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and recording. BE ADVISED: if possible criminal activity is detected, system records, along with certain personal information, may be provided to law enforcement officials. (Rev hosangit2.55)
     ********************************************************************
     _
     privilege exec level 1 traceroute
     privilege exec level 1 ping
     privilege exec level 1 show configuration
     privilege exec level 1 terminal monitor
     privilege exec level 1 terminal
     privilege exec level 1 dir
     !
     LAB
     !
     aaa new-model
     aaa authentication attempts login 6
     aaa authentication login default group tacacs+ line
     aaa authentication enable default group tacacs+ enable
     aaa accounting exec default stop-only group tacacs+
     aaa accounting commands 15 default stop-only group tacacs+
     aaa accounting network default stop-only group tacacs+
     !
     aaa session-id common
     tacacs-server host 10.6.56.244
     tacacs-server key 0 bl@hbl@hwh@t3v3r
     !
     privilege exec level 1 traceroute
     privilege exec level 1 ping
     privilege exec level 1 show configuration
     privilege exec level 1 terminal monitor
     privilege exec level 1 terminal
     privilege exec level 1 dir
     !
     tacacs-server notify enable
     enable use-tacacs
     GENERIC
     aaa new-model
     aaa authentication login default group tacacs+ local
     tacacs-server host 10.6.56.244
     tacacs-server key 0 bl@hbl@hwh@t3v3r
     enable use-tacacs
     reload in 20
     reload cancel
     show reload
     LAB RADIUS
     aaa new-model
     aaa authentication login default group radius local
     aaa authentication login localauth local
     aaa authentication ppp default if-needed group radius local
     aaa authorization exec default group radius local
     aaa authorization network default group radius local
     aaa accounting delay-start
     aaa accounting exec default start-stop group radius
     aaa accounting network default start-stop group radius
     aaa processes 6
     radius-server host 10.6.56.244 auth-port 1812 acct-port 1813 key Cis$ko
     conf t
     radius-server host 10.6.56.244
     radius-server key Cis$ko
     radius-server auth-port 1812
     aaa authentication login default group radius
     aaa new-model
     radius-server host 10.6.56.244 auth-port 1812 acct-port 1813 key Cis$ko
     aaa authentication login default group radius local
     aaa authorization exec default group radius local
     aaa accounting exec default start-stop group radius
     aaa accounting system default start-stop group radius
  8. How to configure an NTP server and peer.
     BEFORE YOU BEGIN
     Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
     Make sure you know the IP address or DNS names of your NTP server and its peers.
     If you plan to use CFS to distribute your NTP configuration to other devices, then you should have already completed the following:
     – Enabled CFS distribution using the "Configuring CFS Distribution" section.
     – Enabled CFS for NTP using the "Enabling CFS Distribution for NTP" section.
     SUMMARY STEPS
     1. config t
     2. [no] ntp server {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]
     3. [no] ntp peer {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]
     4. (Optional) show ntp peers
     5. (Optional) copy running-config startup-config
     DETAILED STEPS
     Step 1: config t
     Example:
     switch# config t
     Enter configuration commands, one per line. End with CNTL/Z.
     switch(config)#
     Places you in global configuration mode.
     Step 2: [no] ntp server {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]
     Example:
     switch(config)# ntp server 192.0.2.10
     Forms an association with a server. Use the key keyword to configure a key to be used while communicating with the NTP server. The range for the key-id argument is from 1 to 65535. Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a peer. The range for the max-poll and min-poll arguments is from 4 to 16 seconds, and the default values are 6 and 4, respectively. Use the prefer keyword to make this the preferred NTP server for the device. Use the use-vrf keyword to configure the NTP server to communicate over the specified VRF. The vrf-name argument can be default, management, or any case-sensitive alphanumeric string up to 32 characters.
     Note: If you configure a key to be used while communicating with the NTP server, make sure that the key exists as a trusted key on the device. For more information on trusted keys, see the "Configuring NTP Authentication" section.
     Step 3: [no] ntp peer {ip-address | ipv6-address | dns-name} [key key-id] [maxpoll max-poll] [minpoll min-poll] [prefer] [use-vrf vrf-name]
     Example:
     switch(config)# ntp peer 2001:0db8::4101
     Forms an association with a peer. You can specify multiple peer associations. Use the key keyword to configure a key to be used while communicating with the NTP peer. The range for the key-id argument is from 1 to 65535. Use the maxpoll and minpoll keywords to configure the maximum and minimum intervals in which to poll a peer. The range for the max-poll and min-poll arguments is from 4 to 17 seconds, and the default values are 6 and 4, respectively. Use the prefer keyword to make this the preferred NTP peer for the device. Use the use-vrf keyword to configure the NTP peer to communicate over the specified VRF. The vrf-name argument can be default, management, or any case-sensitive alphanumeric string up to 32 characters.
     Step 4: show ntp peers
     Example:
     switch(config)# show ntp peers
     (Optional) Displays the configured server and peers.
     Note: A domain name is resolved only when you have a DNS server configured.
     Step 5: copy running-config startup-config
     Example:
     switch(config)# copy running-config startup-config
     (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
     This example shows how to configure an NTP server and peer:
     switch# config t
     Enter configuration commands, one per line. End with CNTL/Z.
     switch(config)# ntp server 192.0.2.10 key 10 use-vrf Red
     switch(config)# ntp peer 2001:0db8::4101 prefer use-vrf Red
     switch(config)# show ntp peers
     --------------------------------------------------
       Peer IP Address               Serv/Peer
     --------------------------------------------------
       2001:0db8::4101               Peer (configured)
       192.0.2.10                    Server (configured)
     switch(config)# copy running-config startup-config
     100%
     switch(config)#
  9. Here is what I do when I upgrade my Cisco 3750, just for something different:
     dir flash:
     !
     delete /f /r flash1:c3750-ipbase-mz.122-25.SEB2
     !
     copy ftp flash
     !
     dir flash
     !
     show boot
     BOOT path-list : flash:c3750-ipbase-mz.122-25.SEB2/c3750-ipbase-mz.122-25.SEB2.bin
     Config file : flash:/config.text
     Private Config file : flash:/private-config.text
     Enable Break : no
     Manual Boot : no
     HELPER path-list :
     Auto upgrade : yes
     !
     config t
     !
     boot system switch all flash:c3750-ipservicesk9-mz.122-55.SE6.bin
     !
     show boot
     BOOT path-list : flash:c3750-ipservicesk9-mz.122-55.SE6.bin
     Config file : flash:/config.text
     Private Config file : flash:/private-config.text
     Enable Break : no
     Manual Boot : no
     HELPER path-list :
     Auto upgrade : yes
     !
     copy running-config startup-config
     !
     reload
     !
     show version
     NOTE: very important to delete the old image, or during a reload it can grab that image.
     If you run into issues, plug a console cable into the switch and run the following:
     flash_init
     load_helper
     dir flash:
     boot flash:c3750-ipservicesk9-mz.122-55.SE6.bin
  10. Here is my SNMP configuration, which works except I cannot pull the configs using Solarwinds. I may have to change to SNMP v3, which you said works.
      snmp-server contact MyWiseGuys Helpdesk or MyWiseGuys NOC
      snmp-server location 9999 Hosang Blvd, Grand Blanc, MI, 48439, Cabinet DL07
      snmp-server source-interface trap mgmt0
      snmp-server user admin network-admin auth md5 0xb477afdb0a14be4b8f3adcda26cea26d priv 0xb477afdb0a14be4b8f3adcda26cea26d localizedkey
      snmp-server host 199.68.86.164 traps version 1 Winter!01
      snmp-server host 199.68.86.164 use-vrf management
      snmp-server enable traps callhome event-notify
      snmp-server enable traps callhome smtp-send-fail
      snmp-server enable traps cfs state-change-notif
      snmp-server enable traps cfs merge-failure
      snmp-server enable traps aaa server-state-change
      snmp-server enable traps upgrade UpgradeOpNotifyOnCompletion
      snmp-server enable traps upgrade UpgradeJobStatusNotify
      snmp-server enable traps feature-control FeatureOpStatusChange
      snmp-server enable traps sysmgr cseFailSwCoreNotifyExtended
      snmp-server enable traps config ccmCLIRunningConfigChanged
      snmp-server enable traps snmp authentication
      snmp-server enable traps link cisco-xcvr-mon-status-chg
      snmp-server enable traps vtp notifs
      snmp-server enable traps vtp vlancreate
      snmp-server enable traps vtp vlandelete
      snmp-server enable traps poe portonoff
      snmp-server enable traps poe pwrusageon
      snmp-server enable traps poe pwrusageoff
      snmp-server enable traps poe police
      snmp-server enable traps bridge newroot
      snmp-server enable traps bridge topologychange
      snmp-server enable traps stpx inconsistency
      snmp-server enable traps stpx root-inconsistency
      snmp-server enable traps stpx loop-inconsistency
      snmp-server community Winter!01 group network-operator
      snmp-server community Freeze#01 group network-admin
      snmp-server community Winter!01 use-acl SNMP_Access
      snmp-server community Freeze#01 use-acl SNMP_Access
  11. Setup Logging to our Solarwinds Server
      BEFORE YOU BEGIN
      Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
      SUMMARY STEPS
      switchto vdc
      terminal monitor
      config t
      logging console 6
      show logging console
      logging monitor 6
      show logging monitor
      logging message interface type ethernet description
      copy running-config startup-config
      Setup SNMP on your NX-OS
      BEFORE YOU BEGIN
      Make sure that you are in the correct VDC. To change the VDC, use the switchto vdc command.
      SUMMARY STEPS
      switchto vdc
      config t
      snmp-server user name [auth {md5 | sha} passphrase [priv passphrase]]
      snmp-server user Admin auth sha abcd1234 priv abcdefgh
      snmp-server host ip-address {traps | informs} version 2c community [udp_port number]
      switch(config)# snmp-server host 192.0.2.1 informs version 2c public
      snmp-server host ip-address filter-vrf vrf_name [udp_port number]
      switch(config)# snmp-server host 192.0.2.1 filter-vrf Red
      snmp-server enable traps
      snmp-server contact ????
      snmp-server location ????
      show snmp user
      snmp-server community name group {ro | rw}
      copy running-config startup-config
      Configure your Nexus SNMP server:
      1. Create the SNMP context and map it to the second VRF:
         snmp-server context (context name) vrf (second vrf name)
      2. Define the second community:
         snmp-server community second_community_string
      3. Set the MIB parameters for the second context:
         snmp-server mib community-map (second_community_string) context (second vrf name)
      NOTE: This is an ongoing article that I am updating as I learn more. Solarwinds isn't downloading the configs, but I found that since SNMP v1 and v2 are insecure, using SNMPv3 for discovery and inventory not only solves the security issue, but it works great. Use SSH and get all Nexus configs without issue.
  12. Here are some configurations you can use.
      !! ----- NX-OS RADIUS Config
      feature tacacs+
      tacacs-server key 7 ""
      tacacs-server host 10.43.208.11
      tacacs-server host 10.47.208.11
      aaa group server tacacs+ tacacs
        server 10.43.208.11
        server 10.47.208.11
        use-vrf core   (change out with the value of the VRF that has IP reachability to the ACS server)
      aaa accounting default group tacacs
      aaa authentication login default group Radius
      no aaa user default-role   (this defines if we have a default role for TACACS users with non-defined roles in ACS)
      tacacs-server directed-request
      Below is the RADIUS configuration for IOS
  13. Our goal is to figure out how to utilize the Cisco ACS 5.3 as our RADIUS server to point our devices to, which will use Active Directory group membership to assign a role (ACS-ReadOnly, ACS-ReadWrite).
      Devices we will need to configure to point to the Cisco ACS/RADIUS/AD include:
      • Switch running IOS
      • Switch running NX-OS
      • Wireless LAN Controller (WLC)
      • Wireless Access Point (WAP)
      • Cisco CPT
      If I could configure one of each to use RADIUS in the Cisco ACS 5.3 box with Active Directory then I would be set. I just need that example and I am unable to find anything online to help me solve this.
      Now Cisco ACS 5.3 – TACACS – Active Directory works great for the Cisco hardware running IOS. That has been tested and verified, but I heard that there are issues with running TACACS on NX-OS and CPT.
      Any help is most appreciated. My GNS lab on my Mac is limited and I can't seem to virtualize anything besides just IOS.
  14. Here is how you configure TACACS+ for a Cisco IOS device:

!!!!TACACS_IOS
!
!--- Enable TACACS+ on the device.
aaa new-model
aaa group server tacacs+ tacacs_acs
aaa authentication login linecon group tacacs+ local
aaa authentication login linevty group tacacs+ local
aaa authorization exec default local
aaa authorization exec execauthnone none
aaa authorization exec execauth group tacacs+
aaa authorization commands 15 commandauthnone none
aaa authorization commands 15 commandauth group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting network 15 start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting connection 15 start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
!--- Mention the IP address of the tacacs-servers
tacacs-server host 10.43.208.11
tacacs-server host 10.47.208.11
tacacs-server directed-request
tacacs-server key DPSWy1qpokXT

Here is how you configure TACACS+ for a Cisco Nexus (NX-OS) device:

!!!!TACACS_NX-OS
!
!--- Enable TACACS+ on the device.
feature tacacs+
tacacs-server host 10.0.0.1 key 7 DPSWy1qpokXT
tacacs-server host 10.0.0.2 key 7 DPSWy1qpokXT
tacacs-server directed-request
!--- Provide the name of your ACS server.
aaa group server tacacs+ ACS
!--- Mention the IP address of the tacacs-servers
!--- referred to in the "tacacs-server host" command.
  server 10.43.208.11
  server 10.47.208.11
!--- Telnet and ssh sessions.
aaa authentication login default group ACS local
!--- Console sessions.
aaa authentication login console group ACS local
!--- Accounting command.
aaa accounting default group ACS

NOTE: The Nexus operating system does not use the concept of privilege levels; instead it uses roles. By default you are placed in the network-operator role. If you want a user to have full permissions, you must place them in the network-admin role, and you must configure the TACACS server to push down an attribute when the user logs in. For TACACS+, you pass back a TACACS custom attribute with a value of roles="roleA". For a full access user, you use:
cisco-av-pair*shell:roles="network-admin"   (the * makes it optional)
shell:roles="network-admin"
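The mandatory/optional distinction the note above refers to, as an added example (not code from the post or from Cisco): in the TACACS+ protocol an AV pair written attr=value is mandatory and attr*value is optional, and a Nexus login falls back to network-operator unless shell:roles is pushed down. Role names are NX-OS built-ins; the sample pairs and the KNOWN_NON_ROLE_ATTRS set are constructed for this illustration.

```python
"""TACACS+ AV-pair parsing and NX-OS role selection (added example)."""
import re
from dataclasses import dataclass

# attr, then one separator ("=" mandatory, "*" optional), then the value
AVPAIR_RE = re.compile(r'^([^=*]+)([=*])(.*)$')

# Role NX-OS assigns when the server returns no shell:roles attribute.
NXOS_DEFAULT_ROLE = "network-operator"

# Attributes the box understands but that do not pick a role
# (priv-lvl is the IOS-style privilege level). Constructed for this example.
KNOWN_NON_ROLE_ATTRS = {"priv-lvl"}


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_avpair(raw: str) -> AVPair:
    """Split one TACACS+ AV pair; quotes around the value are dropped."""
    m = AVPAIR_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    attr, sep, value = m.groups()
    if attr == "cisco-av-pair":
        # ACS wraps vendor attributes as cisco-av-pair[=*]shell:...; the
        # outer separator decides whether the whole pair is optional.
        inner = parse_avpair(value)
        return AVPair(inner.attr, inner.value, sep == "=")
    return AVPair(attr, value.strip().strip('"'), sep == "=")


def nxos_roles(pairs):
    """Roles a Nexus login receives from the server's authorization reply.

    shell:roles may carry several space-separated roles. An optional
    attribute the device does not understand is ignored; a mandatory one it
    cannot honour fails authorization, signalled here by PermissionError.
    """
    roles = []
    for raw in pairs:
        p = parse_avpair(raw)
        if p.attr == "shell:roles":
            roles.extend(p.value.split())
        elif p.attr in KNOWN_NON_ROLE_ATTRS:
            continue
        elif p.mandatory:
            raise PermissionError(f"unsupported mandatory attribute {p.attr!r}")
    return roles or [NXOS_DEFAULT_ROLE]


if __name__ == "__main__":
    reply = ['cisco-av-pair*shell:roles="network-admin"', "priv-lvl=15"]
    print(nxos_roles(reply))  # ['network-admin']
```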
  15. I just run the following (NOTE: You must have a K9 image):
crypto key generate rsa modulus 2048
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
show crypto key mypubkey rsa
!
line vty 0 4
!
 transport input ssh
  16. Here is a config for RADIUS AAA authentication:
!!! IOS !!!
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting network default start-stop group radius
aaa accounting exec default start-stop group radius
username netadm1n privilege 15 secret teleco0mm
radius-server host 10.43.208.11
radius-server key DPSWy1qpokXT
Router# debug radius
  17. Example of a grep AND command: in the Linux world the command would be
  18. What I did to get this working with multicast, using a Cisco 6509 Series as my core and a Cisco 3750 as my access switch.
At the 6509 switch:
ip multicast routing (global)
ip pim sparse-mode at the L3 interface level (or else dense or sparse-dense mode at the L3 interface command level). I'm in sparse mode, so I defined 2 RPs.
At the 3750 switch:
ip igmp snooping
Commands to run to verify:
Switch: show ip igmp snooping (is it enabled?)
Router: show ip igmp membership (How many mc sessions are there, what are they, is "my" multicast session there? How many members does it have?)
I also use Wireshark at the server and at a client (do I see multicast packets, and what is the mc address?)
show ip igmp membership | i   (this outputs hosts which are members of that session)
I know that much of the success depends on how the Windows servers are configured for distribution with multicast, so make sure the Windows servers are configured correctly or have it double checked.
  19. Could you please provide some information on how to configure my Cisco Switch to support imaging multiple machines at the same time?
  20. If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened:
Protocol          Port number
LDAP              389/udp
SMB               445/tcp
KDC               88/tcp
Global catalog    3268/tcp
KPASS             464/tcp
NTP               123/udp
  21. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with.
  22. Cisco ACS requires these ports to function:
Service Name                                                   UDP     TCP
DHCP                                                           68      -
RADIUS Authentication and Authorization (original draft RFC)   1645    -
RADIUS Accounting (original draft RFC)                         1646    -
RADIUS Authentication and Authorization (revised draft RFC)    1812    -
RADIUS Accounting (revised draft RFC)                          1813    -
TACACS+ AAA                                                    -       49
Replication and RDBMS Synchronization                          -       2000
Cisco Secure ACS Remote Logging                                -       2001
Cisco Secure ACS Distributed Logging (appliance only)          -       2003
HTTP Administrative Access (at login)                          -       2002
Administrative Access (after login) Port Range                 -       Configurable (default 1024-65535)*
  23. Here are the implementation steps for you to use.
DEVICE = MWGNMISOU01-FSR01
IP = 10.1.50.240

********* IMPLEMENTATION STEPS SECTION ********
Each implementation step MUST include validation commands to ensure the configuration changes are properly implemented. Expected results MUST also be explained.
At the end of each configuration change, you must save the config using the "copy run start" command.

IMP STEP 1 - Adding ssh and telnet both commands
MWGNMISOU01-FSR01 BEGIN (10.1.50.240)
conf t
!
ip domain-name MWGNMISOU01-FSR01.na.mywiseguys.com
ip ssh version 2
crypto key generate rsa
!
ip ssh source-interface Loopback0
!
line vty 0 4
 transport input ssh telnet
!
line vty 5 7
 transport input ssh telnet
!
line vty 8 15
 transport input ssh telnet
!
line aux 0
 transport input ssh telnet
end
NOTE: while executing the command "crypto key generate rsa":
(1) it will ask for the modulus length value, please use 1024
(2) if it asks for an rsa keypair-name, please use the command: ip ssh rsa keypair-name MWGNMISOU01-FSR01.MWGNMISOU01-FSR01.na.mywiseguys.com

Validation Steps
ssh MWGNMISOU01-FSR01     ! please use user ID and password to login.
telnet MWGNMISOU01-FSR01  ! please use user ID and password to login.
Should be able to authenticate.
End of Validation Steps

(D) Remove telnet access
MWGNMISOU01-FSR01 BEGIN (10.1.50.240)
conf t
line vty 0 4
 transport input ssh
!
line vty 5 7
 transport input ssh
!
line vty 8 15
 transport input ssh
!
line aux 0
 transport input ssh
end

Validation Steps
telnet MWGNMISOU01-FSR01  ! The Telnet connection should be refused.
ssh MWGNMISOU01-FSR01     ! please use user ID and password to login.
If NOT authenticated then proceed to backout steps.
If able to authenticate and login, please save the configuration.
End of Validation Steps
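A way to verify the "Remove telnet access" step (and the SSH-only snippet in post 15) against a saved running-config rather than by hand, as an added example that is not code from either post: it walks each "line vty" / "line aux" block, reports any whose "transport input" still lists telnet or all (or is missing, so the platform default applies), and checks for "ip ssh version 2". The SAMPLE_CONFIG is constructed, a mixed state with two blocks still open to Telnet.

```python
"""Audit an IOS running-config for line blocks that still accept Telnet (added example)."""
import re

# Constructed sample: two blocks still allow telnet, one is ssh-only, one is closed.
SAMPLE_CONFIG = """\
ip ssh version 2
ip ssh source-interface Loopback0
!
line con 0
 logging synchronous
line aux 0
 transport input ssh telnet
line vty 0 4
 transport input ssh
line vty 5 7
 transport input ssh telnet
line vty 8 15
 transport input none
!
end
"""

LINE_RE = re.compile(r"^line (con|aux|tty|vty)\s*(.*)$")


def parse_line_blocks(config):
    """Map (line type, range) -> list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        m = LINE_RE.match(raw)
        if m:
            current = (m.group(1), m.group(2).strip())
            blocks[current] = []
        elif raw.strip() and not raw.startswith("!"):
            current = None  # any other top-level command ends the block
    return blocks


def telnet_findings(config):
    """Return [((type, range), reason)] for every network line still open to Telnet."""
    findings = []
    for key, cmds in parse_line_blocks(config).items():
        if key[0] == "con":
            continue  # the console port has no network transport
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transports:
            findings.append((key, "no transport input; platform default applies"))
        elif any("telnet" in t or "all" in t for t in transports):
            findings.append((key, "telnet allowed"))
    return findings


def ssh_v2_enforced(config):
    """True when the config pins SSH to protocol version 2."""
    return any(line.strip() == "ip ssh version 2" for line in config.splitlines())


if __name__ == "__main__":
    for key, reason in telnet_findings(SAMPLE_CONFIG):
        print(f"line {key[0]} {key[1]}: {reason}")
    print("ssh v2 enforced:", ssh_v2_enforced(SAMPLE_CONFIG))
```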
  24. Steps to integrate ACS with AD

Windows Server 2008 configuration
  • Synchronize with time server using NTP
  • Create Cisco Administrators security group
  • Assign users to created security group
Cisco ACS configuration
  • Synchronize with time server using NTP
  • Define correct DNS
  • Define AD connection and Security Group mapping
  • Define Shell Profile
  • Define Access Policy – Edit Default Device Admin Identity Authorization
  • Define Access Policy – Define Service Selection Rule
Cisco router configuration for AAA support

Windows Server 2008 configuration - Synchronize with time server using NTP
Log into your PDC Server and open the command prompt.
Stop the W32Time service: (C:\net stop w32time)
Configure the external time sources: (C:\w32tm /config /syncfromflags:manual /manualpeerlist:"192.168.1.5")
Make your PDC a reliable time source for the clients: (C:\w32tm /config /reliable:yes)
Start the W32Time service: (C:\net start w32time)
The Windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: C:\w32tm /query /configuration
Check the Event Viewer for any errors.

Windows Server 2008 configuration - Create Cisco Administrators security group

Windows Server 2008 configuration - Assign users to created security group
Click on the user and then click on the Member Of tab.
Click Add.
Type in the created security group.
Click on Check Names to verify, then click OK and OK again to close the user.

Cisco ACS configuration - Synchronize with time server using NTP
Enter on the ACS CLI: clock timezone US/Eastern (verify by typing: show clock). Other US timezone values: US/Indiana-Starke US/Pacific US/Michigan US/Mountain US/Central US/Samoa US/Arizona US/Alaska US/East-Indiana US/Hawaii US/Aleutian
Enter on the ACS CLI: ntp server 192.168.1.5 (verify by typing: show ntp)

Cisco ACS configuration - Define correct DNS
Enter on the ACS CLI: ip name-server 192.168.2.6 (verify by typing: ping dc.mywiseguys.com)

Cisco ACS configuration - Define AD connection and Security Group mapping
Browse to the web interface: http://192.168.1.201/acsadmin
Browse to Users and Identity Stores - External Identity Stores - Active Directory
Enter:
General Tab: Active Directory Domain Name
General Tab: Credentials used to join this machine to the AD domain (username and password) - Click Test Connection to verify
(NOTE1: the password must not contain certain special characters like # or $ or ", etc., which do not work on Cisco devices.)
(NOTE2: Predefined user in AD. The AD account required for domain access in ACS should have either of the following: the "Add workstations to domain" user right in the corresponding domain, OR Create Computer Objects or Delete Computer Objects permission on the corresponding computers container where the ACS machine's account is precreated (created before joining the ACS machine to the domain). We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.)
General Tab: Click Save
General Tab: Look at the bottom under Connection Status and verify it says CONNECTED
Directory Groups: click Select, place a checkmark in the created security group and click OK
Directory Groups: click Save

Cisco ACS configuration - Define Shell Profile
Browse to the web interface: http://192.168.1.201/acsadmin
Browse to Policy Elements - Authorization & Permissions - Device Administration - Shell Profiles
Click Create
General Tab: Name = ENABLE
Common Tasks Tab: Default Privilege = Static, Value = 15
Click Submit

Cisco ACS configuration - Define Access Policy – Edit Default Device Admin Identity Authorization
Browse to Access Policies - Default Device Admin - Identity
Click Select and choose AD1 (it gets created automatically once the connection to AD was established)
Click OK
Click Save Changes
Browse to Access Policies - Default Device Admin - Authorization
Click on Customize
Select Compound Condition and click on the arrow to move it to the right (Compound Condition allows us to select the AD group during policy/rule creation)
Click OK
Place a checkmark next to a rule and click Edit
Uncheck any checkmarks and place a checkmark next to Compound Condition
Now you can select AD-AD1 from the Dictionary
Select attribute: External Groups
Select Value: the security group you created earlier, and click OK
Under Current Condition Set click on Add V
Under Results click Select and choose the Shell Policy you created earlier (ENABLE), click OK and click OK again to close
Click Save Changes

Cisco ACS configuration - Define Access Policy – Define Service Selection Rule
Browse to Access Policies - Service Selection Rules
Select Rule based result selection and click OK to the warning if it pops up
Click Create (notice you only have Compound Condition); click Cancel
Click Customize
Click Protocol and click on the arrow to move it to the right, then click OK
Click Create
Place a checkmark next to Protocol, match, click Select, choose TACACS and click OK
Change Results to Default Device Admin and click OK
Click Save Changes
Browse to Network Resources - Network Devices and AAA Clients
Click Create
Enter a Name
Place a checkmark next to TACACS and enter the shared secret
Enter the IP Address
Click Submit

Cisco router configuration for AAA support
Configure Cisco IOS to connect; enter:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization console
tacacs-server host 192.168.2.201
tacacs-server key cisco
debug aaa authentication
debug tacacs
  25. A lot of businesses have Power over Ethernet VoIP phones plugged in, and sometimes it would come in handy to reboot those phones remotely. Here is an idea on how: shut off the power to them and then turn it back on.
Shut off PoE on a switch port / interface (you could use the interface range command to shut off multiple interfaces instead of just one):
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 5/2
Switch(config-if)# power inline never
Switch(config-if)# end
Switch#
Now turn the power back on for that interface:
Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# interface fastethernet 4/1
Switch(config-if)# power inline auto
Switch(config-if)# end
Switch# show power inline fastethernet 4/1
Available:677(w)  Used:11(w)  Remaining:666(w)

Interface Admin  Oper       Power(Watts)           Device              Class
                            From PS    To Device
--------- ------ ---------- ---------- ---------- ------------------- -----
Fa4/1     auto   on         11.2       10.0       Ieee PD             0

Interface  AdminPowerMax   AdminConsumption
            (Watts)           (Watts)
---------- --------------- --------------------
Fa4/1           15.4              10.0
Switch#
  26. A helpful tool on the Cisco Layer 3 hardware to assist in troubleshooting bandwidth concerns is to run ip accounting. IP Accounting is a very useful accounting feature in Cisco IOS, but it's not as well known as other features, such as NetFlow. IP Accounting (Layer 3) collects the number of bytes and packets processed by the network element on a source and destination IP address basis. Only transit traffic that enters and leaves the router is measured, and only on an outbound basis. To provide the operator with the opportunity of “snapshot” collections in the network, IP Accounting (Layer 3) maintains two accounting databases: an active database and a checkpoint database. The active collection process always updates the active database and therefore constantly increments the counters while packets pass the router. To get a snapshot of the traffic statistics, a CLI command or SNMP request can be executed to copy the current status from the active database to the checkpoint database. This copy request can be automated across the network to be executed at the same time, and a Network Management application can later retrieve the accounting details from the checkpoint database to present consistent accounting data to the operator. The checkpoint database offers a “frozen” snapshot of the complete network. Trying to achieve the same result by synchronously polling entire MIB tables across multiple network elements would introduce some inaccuracies, and hence no real “frozen” snapshots. The collected data can be used for performance and trending applications that require collections at regular intervals. The snapshot function is unique to IP Accounting.

router(config-if)# ip accounting output-packets
enables IP Accounting (Layer 3) for output traffic on the interface.

router(config)# ip accounting-list [ip address] [ip address mask]
defines filters to control the hosts for which IP Accounting (Layer 3) information is kept.
The filters are similar to an aggregation scheme and can be used to reduce the number of collected records. If filters are applied, details such as number of packets and bytes are kept only for the traffic that matches the filters, while all others are aggregated into “transit records.”

router(config)# ip accounting-transits count
controls the number of transit records that are stored in the IP Accounting (Layer 3) database. Transit entries are those that do not match any of the filters specified by the global configuration command ip accounting-list. If no filters are defined, no transit entries are possible. The default number of transit records that are stored in the IP Accounting (Layer 3) database is 0. Note that the term “transit” in this case refers to packets that are not matched by the filter statements. In the IP Accounting (Layer 3) definition, “transit” refers to packets that traverse the router, compared to traffic that is generated at the router or destined for the router.

router(config)# ip accounting-threshold count
sets the maximum number of accounting entries to be created. The accounting threshold defines the maximum number of entries (source and destination address pairs) that are accumulated. The default accounting threshold is 512 entries, which results in a maximum table size of 12,928 bytes. The threshold counter applies to both the active and checkpoint tables. The threshold value depends on the traffic mix, because different traffic types create different records for the source and destination address pairs. Whenever the table is full, the new entries (overflows) are not accounted. However, show ip accounting displays the overflows: “Accounting threshold exceeded for X packets and Y bytes.” Alternatively, these values are available in the MIB: actLostPkts (lost IP packets due to memory limitations) and actLostByts (total bytes of lost IP packets).
You should monitor the overflow number, at least during the deployment phase, to find the right balance between the number of entries and memory consumption.

router# show ip accounting output-packets
displays the active accounting or checkpoint database.
router# clear ip accounting
copies the content of the active database to the checkpoint database and clears the active database afterward.
router# clear ip accounting checkpoint
clears the checkpoint database.

The IP Accounting (Layer 3) configuration is straightforward:
router(config)#int serial 0/0
router(config-if)#ip accounting output-packets
router(config-if)#exit
After configuring IP Accounting (Layer 3), the active database populates:
router#show ip accounting output-packets
For this example, IP Accounting ACL is configured in addition to IP Accounting (Layer 3); however, it can be configured independently of IP Accounting (Layer 3). An access list is inserted, which blocks the traffic coming from the source IP address 192.1.1.110 and going to the destination IP address 192.1.1.97:
router(config)#access-list 107 deny ip host 192.1.1.110 host 192.1.1.97
router(config)#access-list 107 permit ip any any
router(config)#int serial 0/0
router(config-if)#ip accounting output-packets
router(config-if)#ip accounting access-violations
router(config-if)#ip access-group 107 out
router(config-if)#exit
Afterwards, the following results can be retrieved from the router:
router#show ip accounting access-violations
   Source           Destination              Packets               Bytes  ACL
 192.1.1.110      192.1.1.97
   Accounting data age is 3
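To act on the overflow advice in the post (watch "Accounting threshold exceeded" while sizing ip accounting-threshold), here is an added example, not code from the post, that parses the text of show ip accounting output-packets or access-violations, ranks source/destination pairs by bytes and reports the share of traffic lost to a full table. The SAMPLE_OUTPUT is constructed in the layout of the real command.

```python
"""Parse "show ip accounting" output and flag table overflow (added example)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "source destination packets bytes acl")

# Constructed sample of the output-packets form (the access-violations form
# carries a trailing ACL column, which the parser also accepts).
SAMPLE_OUTPUT = """\
   Source           Destination              Packets               Bytes
 192.1.1.110      192.1.1.97                    52                 4368
 192.1.1.120      192.1.1.97                   310                41200
 192.1.1.130      192.1.1.20                     9                  612
   Accounting data age is 3
   Accounting threshold exceeded for 7 packets and 433 bytes
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ENTRY_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s*$")
OVERFLOW_RE = re.compile(r"threshold exceeded for (\d+) packets and (\d+) bytes")
AGE_RE = re.compile(r"Accounting data age is (\d+)")


def parse_ip_accounting(text):
    """Return (entries, age_seconds, overflow); overflow is (packets, bytes) or None."""
    entries, age, overflow = [], None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            src, dst, pk, by, acl = m.groups()
            entries.append(Entry(src, dst, int(pk), int(by), int(acl) if acl else None))
            continue
        m = OVERFLOW_RE.search(line)
        if m:
            overflow = (int(m.group(1)), int(m.group(2)))
            continue
        m = AGE_RE.search(line)
        if m:
            age = int(m.group(1))
    return entries, age, overflow


def top_talkers(entries, n=2):
    """Source/destination pairs ordered by bytes, largest first."""
    return sorted(entries, key=lambda e: e.bytes, reverse=True)[:n]


def overflow_share(entries, overflow):
    """Fraction of observed bytes lost because the table was full (0.0 if none).

    A rising share means ip accounting-threshold is too small for the traffic mix.
    """
    if not overflow:
        return 0.0
    lost = overflow[1]
    return lost / (lost + sum(e.bytes for e in entries))


if __name__ == "__main__":
    entries, age, overflow = parse_ip_accounting(SAMPLE_OUTPUT)
    print(top_talkers(entries)[0], age, overflow, round(overflow_share(entries, overflow), 4))
```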