The Packet Wizard : First Ever Fan Mail

Yesterday I received my first ever fan mail. I am grateful the blog is proving useful to some, and as my content grows hopefully the usefulness of the blog grows too. If anyone wants to send me mail or anything else, I am open to that. I accept: IOUs, Gift Cards, Cash, Precious Gems, Hugs, and IT equipment. In all honesty I am over the moon it's helping someone.

Open Gear : Basic Commands

Here are some basic commands to help you get around when using an Open Gear Terminal Server. These devices are incredibly useful for accessing network devices out of band. On the newer models you can use them with cellular access and a static IP, so when your device or network goes down you can still reach your devices out of band.

To view all ports, run pmshell:

$ pmshell      (standard user)

or

# pmshell      (root user)

To exit from one device, type the escape sequence followed by Enter:

~. <Enter>

For example, enter a device to be managed:

2: CISCOASA   3: CISCOSWITCH   4: CISCOROUTER

> 3

Once the selection has been made, type one of the following selections:

CISCOASA> ~?   (Note: the escape sequence is not echoed; if you start to see the characters appear on screen, hit Enter once or twice to refresh the prompt and try again.)

Help Menu: ~~?  —>  the double tilde is required for ALL OpenSSH based terminals (Mac & Linux), because the OpenSSH client consumes a single ~ as its own escape character.

Shell Commands:

~b – Generate BREAK

~h – View history

~p – Power menu

~m – Connect to port menu

~. – Exit pmshell

~? – Show this message


PMSHELL Command Breakdown:

~b –> (BREAK sequence) often used in device recovery situations.

~h –> recent port history of RX/TX operations.

~p –> (optional) if a managed PDU has been configured, the power menu for the device can be pulled up directly from the console session.

~m –> at any point when connected to an active console session, this returns you to the main pmshell selection menu.

~. –> (tilde period) exits pmshell when actively connected to a console session.

~? –> displays pmshell command usage information.

Cisco : Serial Numbers

Today I have spent some time trying to find serial numbers on multiple Cisco devices: some Routers, Switches, Firewalls and Wireless LAN Controllers. Here are 7 ways I have found:

  1. Locate the serial number tag on the device chassis.
  2. The serial number is displayed in the banner during boot.
  3. “show version” command. (Look for Processor board ID or S/N)
  4. “show inventory” command. (Look for Hw Serial# or SN:) (Also works on WLCs)
  5. “show diag” command. (Look for Chassis Serial Number)
  6. “show hardware” command. (Look for Processor board ID or S/N)
  7. “show tech-support” command.
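Once you are collecting these outputs from many devices (for an asset inventory, or to tie a device back to a support contract), it is worth parsing them rather than reading them by eye. The following Python is an added example and not part of the original post: it pulls the serial out of the outputs listed above using the labels named there (Processor board ID, SN:, Hw Serial#, Chassis Serial Number) and cross-checks that the commands agree. The sample outputs are constructed for the example and are not captured from a real device.

```python
import re
from typing import Dict, List

# Regexes keyed by the IOS command whose output they match. The labels come
# from the list above. `[ \t]*` is used instead of `\s*` so that a blank
# "SN:" field (common for optics) does not swallow the first word of the
# next line.
SERIAL_PATTERNS: Dict[str, List[str]] = {
    "show version":   [r"Processor board ID[ \t]+(\S+)", r"\bS/N[ \t]*:?[ \t]*(\S+)"],
    "show hardware":  [r"Processor board ID[ \t]+(\S+)", r"\bS/N[ \t]*:?[ \t]*(\S+)"],
    "show inventory": [r"\bSN:[ \t]*([^\s,]+)", r"Hw Serial#[ \t]*:?[ \t]*([^\s,]+)"],
    "show diag":      [r"Chassis Serial Number[ \t]*:[ \t]*(\S+)"],
}

# Constructed sample outputs (not real device output).
SHOW_VERSION = """\
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.2(2)E7
System image file is "flash:/c2960x-universalk9-mz.152-2.E7.bin"
Processor board ID FOC1234X0AB
Last reset from power-on
"""

SHOW_INVENTORY = """\
NAME: "1", DESCR: "WS-C2960X-48FPD-L"
PID: WS-C2960X-48FPD-L , VID: V03  , SN: FOC1234X0AB

NAME: "Switch 1 - Power Supply 0", DESCR: "ATT-PWR-715WAC"
PID: PWR-C2-715WAC     , VID: V02  , SN: LIT5678Z9CD

NAME: "GigabitEthernet1/0/49", DESCR: "1000BaseSX SFP"
PID: GLC-SX-MMD        , VID:      , SN:
"""

SHOW_DIAG = "Chassis Serial Number : FOC1234X0AB\n"


def extract_serials(command: str, output: str) -> List[str]:
    """Serials found in `output` for `command`, in order of appearance, de-duplicated."""
    found: List[str] = []
    for pattern in SERIAL_PATTERNS.get(command, []):
        for match in re.finditer(pattern, output):
            serial = match.group(1)
            if serial not in found:
                found.append(serial)
    return found


def chassis_serial(outputs: Dict[str, str]) -> str:
    """Cross-check the chassis serial across several command outputs.

    Assumes (for this example) that the first serial each command reports is
    the chassis; on `show inventory` the chassis entry is listed first.
    Raises if the commands disagree, which is worth investigating before
    trusting either value.
    """
    candidates = set()
    for command, output in outputs.items():
        serials = extract_serials(command, output)
        if serials:
            candidates.add(serials[0])
    if len(candidates) != 1:
        raise ValueError(f"commands disagree on chassis serial: {sorted(candidates)}")
    return candidates.pop()


if __name__ == "__main__":
    collected = {
        "show version": SHOW_VERSION,
        "show inventory": SHOW_INVENTORY,
        "show diag": SHOW_DIAG,
    }
    for cmd, out in collected.items():
        print(f"{cmd:15s} -> {extract_serials(cmd, out)}")
    print("chassis:", chassis_serial(collected))
```

Feed it the real outputs from your devices and keep `chassis_serial` strict: a mismatch between commands usually means a parsing error or a replaced chassis, and either should be resolved before the serial goes into an inventory.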

SecureCRT : Logging

Logging your session when doing any kind of network work is very important and can save your ass. It has saved mine on multiple occasions. One reason is it allows you to look back and see what you may have done wrong, so you can troubleshoot an issue more effectively. Another reason is it gives you, the user, a quick way to back up a device if you show the configuration file while working on it. I make it a habit of showing the configuration file before I do any work, so I always have a back-out strategy in case something goes wrong.

SecureCRT Logging

Options > Edit Session Defaults

Log file name (the path where you are storing your logs): /Logs/%M-%D-%Y/%S (%H) — %h-%m.log

Enable “Start Log Upon Connect”

Enable “Append to File”

Start recording: S (%H) – %h:%m:%s

Stop recording: S (%H) – %h:%m:%s

Happy Logging!

Cisco/Brocade : Basic Similar Commands

Here are some basic switch commands and the Cisco to Brocade differences. Even though the OSes are similar, they have some subtle differences.

Task: Configure a VLAN
  Cisco:
    interface vlan 2
  Brocade:
    vlan 2

Task: Configure a trunk port
  Cisco:
    int fa0/1
    switchport trunk encap dot1q
    switchport mode trunk
  Brocade:
    vlan 2
    tagged eth 0/1/1
    vlan 3
    tagged eth 0/1/1
    vlan 4
    tagged eth 0/1/1
    interface ethernet 0/1/1
    dual-mode 1

Task: Configure an access port
  Cisco:
    int fa0/1
    switchport access vlan 2
  Brocade:
    vlan 2
    untagged eth 0/0/1

Task: Configure an IP address on a VLAN
  Cisco:
    int vlan2
    ip address 192.168.1.1 255.255.255.0
  Brocade:
    vlan 2
    router-interface ve 1
    interface ve1
    ip address 192.168.1.1 255.255.255.0

Task: Configure a range of ports
  Cisco:
    int range fa0/1-10
  Brocade:
    int eth 0/1/1 to 0/1/5

Task: Configure a port for both voice and data VLANs
  Cisco:
    int fa0/1
    switchport access vlan 2
    switchport voice vlan 3
  Brocade:
    vlan 2
    tagged eth 0/1/1
    vlan 3
    tagged eth 0/1/1
    int eth 0/1/1
    dual-mode 1
    voice-vlan 3
    inline power

Task: Show the interface status of a port/VLAN
  Cisco:
    sh int fa0/1
  Brocade:
    show int eth 0/1/1

Task: See CDP neighbors
  Cisco:
    show cdp neighbors
  Brocade:
    show fdp neighbors

Ruckus/Brocade : Configure Spanning Tree 802.1w/RSTP

I want to point out that Ruckus/Brocade has 2 commands that appear to contradict each other when configuring Spanning Tree:

Brocade(config-vlan-1)#spanning-tree ?

  802-1w    Enable Rapid Spanning Tree IEEE 802.1w
  rstp      Enable Rapid Spanning Tree

Since RSTP is the same thing as 802.1w, further clarification is needed.

Brocade(config-vlan-1)#spanning-tree rstp is Brocade's early implementation of IEEE 802.1W, which provided only a subset of the standard, whereas

Brocade(config-vlan-1)#spanning-tree 802-1w provides the full standard, so basically you should use 802-1w.

How to configure Spanning Tree on Brocade

Run mainly on a per-VLAN basis.

Brocade# conf t
Brocade(config)# vlan 1
Brocade(config-vlan-1)# spanning-tree 802-1w              – enables spanning tree in basic mode
Brocade(config-vlan-1)# show 802-1w                       – shows spanning tree information
Brocade(config-vlan-1)# spanning-tree 802-1w priority 0   – makes this switch the root bridge

If you know there is a point-to-point link between 2 rapid spanning tree devices, you have to turn that on at the interface level.

Point-to-Point/Uplinks
Brocade(config-vlan-1)# int e 1/1/1
Brocade(config-if-e10000-1/1/1)# spanning-tree 802-1w admin-pt2pt-mac – tells the port not to assume a shared broadcast domain but a direct link between 2 rapid spanning tree bridges/uplinks. Without this the link fails over in 2 seconds or less, but fail back takes the traditional 30 seconds of listening and learning; with it, fail over and fail back both take 2 seconds or less.

Access/Edge-Ports
Brocade(config-if-e10000-1/1/1)# int e 1/1/3 to 1/1/24

Brocade(config-if-e10000-1/1/3-1/1/24)# spanning-tree 802-1w admin-edge-port – not strictly required; it just means topology changes on the edge will not cause re-convergence on the core links, or vice versa.

Brocade(config-if-e10000-1/1/3-1/1/24)# show run – you will see spanning tree on the VLAN and on the interface ports.

***DO NOT USE VLAN1 IN PRODUCTION, THIS IS PURELY FOR DEMONSTRATION PURPOSES***

The Packet Wizard : Update May 11th 2017

Since I started this blog a few weeks ago, I have not been able to post once per week as I would have liked. There have been a number of reasons, but mostly, time.

I have been working like a maniac at work and learning a bunch of new stuff, which in turn will provide some awesome blog material. I hope to finish writing these up in the next week or so, between work travel to Montreal, a full week of Palo Alto Firewall Training and another 2 week work trip to Australia.

Upcoming blog material will include: Palo Alto and Amazon Web Services (AWS), which I spent 2 weeks working on and configuring. All very fascinating stuff.

Brocade : SSH Setup

Delete Crypto Key

conf t

crypto key zeroize

Generate Key Pair

conf t

crypto key generate <CR> – creates a DSA key pair

crypto key generate rsa modulus 2048 – creates a 2048-bit RSA key pair

Create Local Username and Password

username nocadmin password <password>

Enable AAA

aaa authentication login default local

Verify

show who – shows SSH connections

Palo Alto : Initial Configuration


I have recently started a new job and they use Palo Alto’s Firewalls, which I have never used, so I am learning from the beginning.

There are 2 modes in the Palo Alto CLI:

Initial mode – prompt ends in >

Configure mode – prompt ends in #

PA> request system private-data-reset  – this wipes out the logs and the configs

Default Login: admin/admin

Run the following commands via the CLI to change the terminal height and width, since by default the output overwrites itself on the terminal after 40 lines, which is annoying.

PA> set cli terminal height 500

PA> set cli terminal width 500

Or

PA# run set cli terminal height 500

PA# run set cli terminal width 500

Setup Management IP

PA# set deviceconfig system ip-address 192.168.1.2 netmask 255.255.255.0 default-gateway 192.168.1.1

SSH is enabled by default on the management interface, and the GUI will be available at https://192.168.1.2

Add to Panorama – this is the name of the centralized management server for Palo Alto

PA# set deviceconfig system panorama-server 192.168.1.254

When adding to Panorama you will need to get the serial number:

PA> show system info

Save your work:

PA# commit

** Best Practice: add the device to Panorama at the start, otherwise it's super tedious to remove everything. Manage only HA locally.**

Cisco : IOS Upgrade to Denali

CATALYST IOS UPGRADE TO DENALI

You can copy the files to the device from your local PC with the Fenix web server.

Right click on the file in the Fenix web browser > copy link > use the copy command on the device.

Copy the OS file to flash: and verify its hash

copy usbflash0:<filename> flash:<filename>

verify /md5 bootflash:<image_file>

On XE 3.x:

software install file flash:<filename> new force

On Denali 16.x:

request platform software package install switch all file flash:<filename> auto-copy
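The verify /md5 step is the part of this procedure that protects you from installing a corrupted or tampered image: the digest should match the one Cisco publishes for the release before the install command runs. The following Python is an added example and not from the original post. It hashes the downloaded image locally in chunks, compares it with the published digest in constant time, and parses the device's verify /md5 output so that the copy in flash can also be checked against the local file. The image bytes and the device output are constructed for the example; the regex assumes the digest is printed after an = sign at the end of a line, which is how IOS formats that output.

```python
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Optional

# Digest line as printed by `verify /md5` on IOS, e.g.
#   verify /md5 (flash:image.bin) = 8d9c...   (format assumed for this example)
DIGEST_LINE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)

# Constructed stand-in for the downloaded .bin image (not a real image).
SAMPLE_IMAGE = b"constructed stand-in for cat3k_caa-universalk9.SPA.bin"


def file_digest(path: str, algorithm: str = "md5") -> str:
    """Hex digest of a file, read in 1 MiB chunks so a large image never sits in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def digests_match(actual: str, expected: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual.strip().lower(), expected.strip().lower())


def md5_from_verify_output(text: str) -> Optional[str]:
    """Pull the MD5 out of `verify /md5` output; None if no digest line is present."""
    match = DIGEST_LINE.search(text)
    return match.group(1).lower() if match else None


def check_image(local_path: str, published_md5: str, device_output: str) -> Dict[str, bool]:
    """Two checks: local file vs vendor digest, and the device's flash copy vs local file."""
    local_md5 = file_digest(local_path, "md5")
    device_md5 = md5_from_verify_output(device_output)
    return {
        "local_matches_vendor": digests_match(local_md5, published_md5),
        "device_matches_local": device_md5 is not None and digests_match(device_md5, local_md5),
    }


def write_sample_image(data: bytes) -> str:
    """Write constructed bytes to a temp file standing in for the image; returns its path."""
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(data)
        return tmp.name


if __name__ == "__main__":
    image = write_sample_image(SAMPLE_IMAGE)
    # Stands in for the digest on the vendor download page (constructed here).
    vendor_md5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()
    # Constructed device output; IOS prints the digest in upper case.
    device_out = f"verify /md5 (flash:image.bin) = {vendor_md5.upper()}\n"
    print(check_image(image, vendor_md5, device_out))
    tampered = write_sample_image(SAMPLE_IMAGE + b"\x00")
    print(check_image(tampered, vendor_md5, device_out))
    os.remove(image)
    os.remove(tampered)
```

Only proceed to the install command when both values come back True; a failed device_matches_local means the copy to flash did not complete cleanly and should be repeated, while a failed local_matches_vendor means the file you downloaded is not the one Cisco published.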

Troubleshooting

Clean up OSes in Denali

request platform software package clean switch all file flash:

If versions are mismatched on XE

% Switch # is running incompatible software.

Compatible software must be installed on this switch before performing the current operation.

Switch#software auto-upgrade

If versions are mismatched on Denali

device(config)#software auto-upgrade enable

UPGRADE 3.6+ IF MASTER SWITCH IS ON DENALI 16.3

request platform software package install autoupgrade