**__CLI TRICKS & SHORTCUTS - CISCO JEDI CLI__**\\
[[http://etherealmind.com/series/cisco-ios-cli-tricks-tips/]]

A ''|'' inside the filter pattern is a regex OR (only the first ''|'' is the output filter itself), so this shows the status, bandwidth and load lines of every interface:
<code>
show interface | include is up|BW|load
</code>
''section'' (''s'') prints whole configuration sections; this one shows the policy-map, class-map and access-list sections together:
<code>
sh run | s policy|class|access
</code>
To find which object-group the IP 199.242.6.15 is in: every object-group header is printed together with the lines containing the IP, so the header just above the match is the group:
<code>
sh run | inc object-group | 199.242.6.15
</code>
Create VLANs the old way (VLAN database mode, e.g. on GNS3 images):
<code>
Switch# vlan database
Switch(vlan)# vlan vlan_ID
Switch(vlan)# vlan vlan_ID state active
Switch# show vlan
</code>
Truly replace the running configuration with the startup configuration, just as if you had rebooted the router (the command takes the replacement file as its argument):
<code>
configure replace nvram:startup-config
</code>
To show all implicit (default) commands in the configuration:
<code>
show run all
</code>
To make dangerous changes: schedule a reload first and cancel it once you are sure you still have access (the IOS command is ''reload cancel'', not ''cancel reload''):
<code>
reload in 5
reload cancel
</code>
To control vty logging:
<code>
terminal monitor      ! send log messages to this vty session
terminal no monitor   ! stop it
</code>
----
__**IOS NEW HARDWARE SETUP INITIAL CONFIGURATION**__\\
  * If this is a used device, remove the configuration and the VLAN database:
    * ''write erase'', then ''reload'' **without saving the configuration**
    * ''delete flash:vlan.dat'' (the default location is flash:)
    * reload again
  * Add an IP on the management interface, normally g0/0.
  * Add a static route for the management interface. It needs to be in the management VRF: ''ip route vrf <mgmt-vrf> 0.0.0.0 0.0.0.0 <gateway>''.
  * Enable SSH (needs a k9 image, a ''hostname'' and an ''ip domain-name'' before the key can be generated):
    * ''crypto key generate rsa modulus 1024'' (1024 is what these notes used; on anything current generate 2048 or larger, 1024-bit RSA is below today's minimum)
    * ''ip ssh version 2'', ''ip ssh time-out 60'', ''ip ssh authentication-retries 2''
    * restrict the vty lines to SSH (''transport input ssh'' under ''line vty'') so telnet is not left open
  * Do not add any AAA configuration yet.
  * Add the device to the TACACS server (e.g. to Cisco ISE via the GUI).
----
__**COPY FILES FROM AND TO LINUX BOX**__\\
**SCP needs to be enabled on the switch (''ip scp server enable''). In some cases the AAA below also needs to be in place for authentication.**\\
Regarding TFTP, remember that udp/69 is used only for the initial request; the transfer itself runs on high ports chosen per session on both ends (64001 through 65000 in these notes, source and destination), so a firewall rule for udp/69 alone will not let a transfer through.
<code>
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
</code>
Pull a file into the switch from the Linux box (the switch is the SCP client):
<code>
(IOS)# copy scp://sfuller@192.168.11.100//app/tftpboot/poap.py flash:
(IOS)# cd ?                       ! shows the available file systems
(IOS)# delete flash:<filename>    ! deletes a file in flash
</code>
Same on NX-OS (the original note labelled this line "LINUX#", but ''bootflash:'' and the n5000 image show it is typed on the Nexus):
<code>
(NX-OS)# copy scp://10.50.254.204/var/tmp/n5000-uk9.7.0.3.N1.1.bin bootflash:
</code>
Push a file from Linux (be sure the router is an SCP server):
<code>
(linux)# scp test1 netrobot@10.8.90.21:flash:/test
</code>
To see the contents of a file in IOS:
<code>
# more flash:Myconfig.txt
</code>
So from Linux to Cisco the syntax is simplified: user and password can be given together in the URL and there is no colon before the file location:
{{ :network_stuff:cisco:copyformats.png?699 |}}

Lab scenario (HTTP copy): configure R1 as an HTTP server and set R8 to transfer the IOS image from R1, oversubscribing the shaped Ethernet sub-interface. Then generate a flow of ICMP packets from R6 to R5, simulating the SCAVENGER class traffic.
<code>
username admin privilege 15 password cisco   ! lab only: "password" is stored reversibly, use "secret" on real kit
ip http authentication local
ip http server                               ! plain HTTP: credentials and the file cross the wire in clear
ip http path bootflash:
</code>
----
**TERMINAL SERVER**:\\
Access a line: ''telnet <name>'', where the name is defined in the corresponding ''ip host'' entry.\\
Clear a busy line:
<code>
show line
clear line <number>
</code>
''Ctrl-Shift-6'' then ''x'' suspends the current session and returns you to the terminal server prompt; it does not disconnect it (use ''disconnect'' or ''clear line'' for that).
----
**SOFTWARE UPGRADES:**\\
__ASA UPGRADES__: [[http://evilrouters.net/2012/02/15/how-to-upgrade-cisco-asa-software-and-asdm/]]\\
ASA: apply a licence:
<code>
UK02-ASAVPN01(config)# activation-key b92afe7f 844fcec7 80a19dfc 8a240424 8d101598
</code>
FORCE FAILOVER:
<code>
failover active      ! entered on the standby unit of a failover pair: the standby becomes the active unit
</code>
<code>
no failover active   ! entered on the active unit: forces a failover the other way
</code>
To show just the IPsec config:
<code>
show run brief | s crypto|isakmp|access-list
</code>
__IOS (IOS-XE) UPGRADE__: [[https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3850-series-switches/117552-technote-cat3850-00.html|External Link]]\\
Old way: upload the image and change the boot command:
<code>
boot system switch all flash:c3750-ipbasek9-mz-122-55.SE1.bin
</code>
New way (3850 / IOS-XE 3.x):
<code>
software install file flash:cat3k_caa-universalk9.SPA.03.03.01.SE.150-1.EZ1.bin
</code>
----
**AAA RADIUS TACACS+**\\
To verify AAA authentication (ASA):
<code>
# test aaa-server authentication MKTX_TACACS username jsantos password 55336802
Server IP Address or name: 10.50.254.200
INFO: Attempting Authentication test to IP address <10.50.254.200> (timeout: 17 seconds)
INFO: Authentication Successful
</code>
**BASIC AAA CONFIGURATION ON IOS**\\
''aaa authentication login {default | LIST-NAME} method1 [method2 ...]''. Methods are tried in order; the next one is used only when the previous one does not answer (a server that is up and rejects the user is final, it does not fall through to local):
  * Local method. Uses the local user database with their passwords. You populate the database by using the ''username'' command.
  * Line method. Uses the password configured on the line used to access the router. This includes VTY lines as well.
  * Enable method. Uses the globally configured list of enable passwords associated with their levels.
  * Group TACACS+ or RADIUS method. Uses the remote AAA server group configured globally in the router.
  * None method. Does not attempt to validate user identity, just allows access.
[[http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/]]
  * Create a backup user account
  * Enable AAA
  * Configure the TACACS+ servers
  * Define the AAA method lists (IOS):
<code>
aaa authentication login ...     ! user login authentication
aaa authentication enable ...    ! access to the privileged command level
</code>
The ASA has its own set of method lists (the lines below are ASA commands, not IOS):
<code>
aaa authentication http console ...     ! ASDM
aaa authentication ssh console ...
aaa authentication serial console ...
aaa authentication enable console ...
aaa authentication match ...            ! cut-through proxy for traffic through the box
</code>
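A check worth running before the TACACS/AAA step: the script below is an added example (my own code, not Cisco's and not part of the original notes). It reads an exported running-config, parses the boot image name with the naming convention covered on this page to confirm a k9 (crypto) build, and then flags the things the setup and AAA notes above care about: missing domain name, SSH version, reversible ''password'' entries, no ''aaa new-model'', plain ''ip http server'', SNMP v2c communities and vty lines that still accept telnet. The sample config, the hostnames in it and the wording of the findings are constructed for the example; the RSA modulus is not checked because generated keys do not appear in the running-config (''show crypto key mypubkey rsa'' shows it).

```python
"""Offline check of an exported IOS running-config against the setup/AAA notes.
Added example, not Cisco code. SAMPLE_CONFIG is constructed, not a real device."""
import re

SAMPLE_CONFIG = """\
hostname DC04-EDGE01
boot system flash:c3750-ipbasek9-mz.122-55.SE1.bin
ip domain-name dc.mycompany1.co.uk
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
username admin privilege 15 password cisco
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""


def parse_image_name(name):
    """Split an image file name into platform / feature set / run location / version.

    Covers 'platform-featureset-mz.version.bin' (classic IOS) and
    'platform-featureset.SPA.version.bin' (cat3k / IOS-XE, NX-OS) forms.
    Returns None if the name does not follow the convention.
    """
    base = re.sub(r'\.bin$', '', name.split(':')[-1].rsplit('/', 1)[-1])
    m = re.match(r'^(?P<platform>[^-]+)-(?P<featureset>[^-.]+)'
                 r'(?:-(?P<run>[a-z]+))?[-.](?P<version>.+)$', base)
    if not m:
        return None
    d = m.groupdict()
    d['signed'] = d['version'].startswith('SPA.')          # SPA = digitally signed image
    if d['signed']:
        d['version'] = d['version'][len('SPA.'):]
    d['k9'] = d['featureset'].endswith('k9')               # k9 = crypto included
    d['compressed'] = bool(d['run']) and d['run'].endswith('z')  # mz = runs from RAM, compressed
    return d


def vty_blocks(lines):
    """Yield (header, [sub-lines]) for each 'line vty' block (sub-lines are indented)."""
    i = 0
    while i < len(lines):
        if lines[i].startswith('line vty'):
            j = i + 1
            while j < len(lines) and lines[j].startswith(' '):
                j += 1
            yield lines[i], [l.strip() for l in lines[i + 1:j]]
            i = j
        else:
            i += 1


def audit_config(config):
    """Return findings as a list of strings; an empty list means nothing to fix."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    for b in (l for l in lines if l.startswith('boot system')):
        img = parse_image_name(b.split()[-1])
        if img and not img['k9']:
            findings.append('image %s is not a k9 build: no crypto, so no SSH' % b.split()[-1])
    if not any(re.match(r'ip domain[- ]name ', l) for l in lines):
        findings.append('no ip domain-name: crypto key generate rsa needs one')
    if 'ip ssh version 2' not in lines:
        findings.append('ip ssh version 2 not set (SSHv1 may still be accepted)')
    for l in lines:
        if re.match(r'username \S+ .*\bpassword\b', l):
            findings.append('%s: reversible password, use "secret"' % l.split()[1])
    if 'aaa new-model' not in lines:
        findings.append('aaa new-model absent: local line/enable passwords are in use')
    if 'ip http server' in lines and 'ip http secure-server' not in lines:
        findings.append('ip http server without ip http secure-server: cleartext management')
    for l in lines:
        m = re.match(r'snmp-server community (\S+)( .*)?$', l)
        if m:
            mode = 'RW' if ' RW' in (m.group(2) or '') else 'RO'
            findings.append('SNMP v2c community "%s" (%s): cleartext on the wire' % (m.group(1), mode))
    for header, sub in vty_blocks(lines):
        ti = [s for s in sub if s.startswith('transport input')]
        if not ti:
            findings.append('%s: no transport input, default may allow telnet' % header)
        elif any('telnet' in s or s.endswith(' all') for s in ti):
            findings.append('%s: telnet allowed (%s)' % (header, ti[0]))
    return findings


if __name__ == '__main__':
    for f in audit_config(SAMPLE_CONFIG):
        print('-', f)
```

Feed it the output of ''show running-config'' saved to a file; the "aaa new-model absent" line is expected at the stage these notes describe (AAA is deliberately added last), the others are what to fix before the box goes on the network.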
Authorization is configured separately from authentication:
<code>
aaa authorization exec VTY group tacacs+ if-authenticated
</code>
''exec'' authorization decides whether the user is allowed to start an EXEC shell at all (and with which privilege level); which individual commands the user may then run is ''aaa authorization commands <level> ...''.
  * Enforce AAA authentication on the terminal lines (''login authentication <LIST>'' under ''line vty'' / ''line con'')
----
**CISCO USER MODES**\\
  * User EXEC mode: privilege level 1, prompt ''>'', the plain "user mode".
  * Privileged EXEC mode: privilege level 15, prompt ''#''.
<code>
show privilege
router(config)# username test privilege 3 secret test
</code>
(''privilege'' goes before the password keyword: with ''username test password test privilege 3'' IOS takes "test privilege 3" as the password string.)
----
**SNMP**\\
On the client (if *nix) we can verify that a community string / v3 user works with:
<code>
snmpwalk -v 2c -c {SNMPCOMMUNITY} 10.50.4.250
snmpwalk -v3 -l authPriv -u snmp-poller -a SHA -A "PASSWORD1" -x AES -X "PASSWORD1" 10.10.60.50
</code>
(v2c sends the community in clear in every packet; v3 ''authPriv'' is the one to use where you can.)\\
On the router/firewall, we can see the SNMP values with:
<code>
more system://running-config | in snmp
</code>
----
\\
**IOS NAMING CONVENTION**\\
For the IOS version: Train (SETM), Throttle (features), Build (fixes):\\
[[http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-release-1513t/200095-Understanding-Cisco-IOS-Naming-Conventio.html|http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-release-1513t/200095-Understanding-Cisco-IOS-Naming-Conventio.html]]\\
\\
For the IOS file name, note the letters/phrase for feature set and run location/compression:\\
  * Platform.
  * Feature set (base, service, advanced, enterprise). k9 means encryption included.
  * Run location and compression. mz indicates 'compressed' (m = runs from RAM, z = zip-compressed).
  * Version
\\
[[http://computernetworkingnotes.com/ccna-study-guide/cisco-ios-naming-convention-explained-with-examples.html|http://computernetworkingnotes.com/ccna-study-guide/cisco-ios-naming-convention-explained-with-examples.html]]
----
**SHOW CONFIGURATION WITHOUT BREAKS - NO STOP SCROLL**
<code>
terminal length 0   ! IOS
pager 0             ! ASA
</code>
----
**MULTI-USE EXPLORING/TROUBLESHOOTING**\\
__Approach 1:__\\
Go to the edge device.
I know the flow belongs to MPLS and I know the source of my flow, 10.30.143.71, therefore:
<code>
DC03-DMZR01#sh ip route vrf mpls-dmz01 10.30.143.71
Routing entry for 10.30.0.0/16
  Known via "bgp 65103", distance 200, metric 0, type internal
  Last update from 10.255.30.100 7w0d ago
  Routing Descriptor Blocks:
  * 10.255.30.100, from 10.255.30.100, 7w0d ago
      Route metric is 0, traffic share count is 1
      AS Hops 0
      MPLS label: none
      MPLS Flags: NSF
DC03-DMZR01#sh ip cef vrf mpls-dmz01 10.255.30.100
10.255.30.100/32
  nexthop 10.30.165.8 Vlan165
</code>
Now look at the egress interface:
<code>
DC03-DMZR01#sh run int Vlan165
Building configuration...
Current configuration : 462 bytes
!
interface Vlan165
 description MPLS-FWALL-OUT interface          <<<<<
 vrf forwarding mpls-dmz01
 mac-address c000.0165.0011
 mtu 8500
 ip address 10.30.165.11 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip pim dr-priority 5
 ip pim sparse-mode
 ip igmp version 3
 glbp 165 ip 10.30.165.1
 glbp 165 priority 105
 glbp 165 preempt
 no glbp 165 load-balancing
 glbp 165 name MPLS-FWALL-OUT-GLBP
 mls netflow sampling
 no mop enabled
end
</code>
Not only can we check the description, we can also use CDP. Or:
<code>
show mac address-table
sh arp vrf <name>
</code>
and follow the prefix until the destination. If the device is behind a transparent firewall, the same MAC address will show up in two different VLANs (first column).\\
__Approach 2:__\\
<code>
dc04-nx7k01-mktx-dr01# sh ip arp vrf all | inc 10.40.70.125
dc04-nx7k01-mktx-dr01# sh run int Vlan70                      ! to see the description
dc04-nx7k01-mktx-dr01# sh ip route vrf sysmgmt 10.8.70.125    ! to see the next hop. NOTE: this is the DESTINATION!
dc04-nx7k01-mktx-dr01# sh ip bgp vrf sysmgmt                  ! to see the next hop
</code>
Now I know this is in the DMZ, so I go to:
<code>
DC04-DMZR01#sh ip route vrf main-dmz01 10.8.70.125
DC04-DMZR01#sh ip arp vrf main-dmz01 10.40.185.8
DC04-DMZR01#sh mac-address-table | inc 001c.7f34.d54
</code>
The last one tells me the physical port I'm going out from.
----
**__BUILDING SERVICE POLICIES__** (ASA Modular Policy Framework)\\
1. Define the ACLs that select the traffic:
<code>
ciscoasa(config)# access-list icmp_inspect extended permit icmp 10.1.1.0 255.255.255.0 host 1.1.1.1 log
ciscoasa(config)# access-list ratelimit_inside extended permit ip 10.1.1.0 255.255.255.0 any log
</code>
Now define the Layer 3-4 class-maps by referencing the above ACLs:
<code>
ciscoasa(config)# class-map ratelimit_class
ciscoasa(config-cmap)# match access-list ratelimit_inside
ciscoasa(config-cmap)# class-map icmp_class
ciscoasa(config-cmap)# match access-list icmp_inspect
</code>
2. Define a Layer 3-4 policy-map (the same policy-map is re-entered to add the second class):
<code>
ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class icmp_class
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config)# policy-map company_policy
ciscoasa(config-pmap)# class ratelimit_class
ciscoasa(config-pmap-c)# police input 41943000 4194304     ! conform rate in bit/s, burst in bytes
ciscoasa(config-pmap-c)# police output 41943000 4194304
</code>
3. Apply the policy-map to the appropriate interface:
<code>
ciscoasa(config)# service-policy company_policy interface inside
</code>
----
__**CISCO 6500-E to 6807-XL**__\\
Status of each of the chassis (useful in VSS):
<code>
sh module switch 1
sh module switch 2
</code>
To show basic VSS information:
<code>
show switch virtual
</code>
To identify the role/priority of the two switches:
<code>
show switch virtual role
</code>
To find more information about the VSS status:
<code>
show switch virtual redundancy
</code>
[[http://www.ciscozine.com/cisco-vss-configuration/]]\\
Integrated Service Modules:
  * ACE: Application Control Engine (load balancer)
  * NAM: Network Analysis Module
  * ASASM: ASA firewall services module
\\
**__VSS__**\\
A useful analogy: Catalyst VSS is like Juniper Virtual Chassis. VSS operates on a unified control plane with a distributed forwarding architecture, in which the active supervisor (or switch) is responsible for actively participating with the rest of the network and for managing and maintaining control plane information.
\\
  * [[http://networkphil.com/2016/01/18/short-and-sweet-cisco-vss/?utm_content=bufferd7644&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer]]
  * [[http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117564-technote-issu-00.html]]
\\
**LOG INTO CARDS/SLOTS (we use this for the ASA)**\\
<code>
session slot 9 processor 1
</code>
**CONTEXTS (we use this for the ASA)**\\
To enable multiple mode:
<code>
hostname(config)# mode multiple
</code>
To change to a context (**changeto**):
<code>
hostname# changeto context <name>
</code>
From the system execution space, view all contexts with:
<code>
hostname# show context [name | detail | count]
</code>
We can create a context and assign resources (e.g. interfaces) like this:
<code>
context qad-transfwall
  allocate-interface Port-channel10.2142-Port-channel10.2545
  allocate-ips vsDIST
  config-url disk0:/qad-new.cfg
</code>
\\
**EtherChannels**\\
Deterministic hash-based channel load-balancing: load sharing is always per flow (not per packet), hashed on L2, L3 and/or L4 addresses.\\
\\
**vrf/mpls - ** MP-BGP by RD. Show only the VPN routes for this RD:
<code>
show bgp vpnv4 unicast rd 10:10
</code>
Routes exchanged with one MP-BGP neighbour (''routes'' = received from it, ''advertised-routes'' = sent to it). We can further limit this with the VRF where we consider they should end up:
<code>
sh bgp vpnv4 unicast all neighbors 5.5.5.5 advertised-routes
sh bgp vpnv4 unicast all neighbors 5.5.5.5 routes
sh bgp vpnv4 unicast vrf ONE
</code>
----
**__UPGRADING THE 6500__**\\
[[http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117564-technote-issu-00.html]]\\
  * Copy from device to Linux server:
<code>
UK02-CR01#copy bootdisk:s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin scp:
Address or name of remote host []? 10.8.100.204
Destination username [jsantos]?
Destination filename [s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin]?
Writing s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin
Password:
! Sink: C0644 118655448 s2t54-advipservicesk9-mz.SPA.151-2.SY7.bin
!!!!!!!!!!!
</code>
  * Fast Software Upgrade (FSU).
This process requires downtime corresponding to the RPR switchover time: [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1169328]]
  * From 12.2(33)SXI the VSS supports enhanced Fast Software Upgrade (eFSU) using SSO: [[http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/issu_efsu.html]]
----
**TROUBLESHOOTING**\\
Layer 2 table:
<code>
show mac address-table
</code>
IPv4 forwarding status:
<code>
show platform hardware capacity forwarding
show platform hardware cef [IP]
</code>
Netflow status:
<code>
show platform hardware capacity netflow
show mls sampling
show ip flow export                          ! to see Netflow packets being exported from the router
show mls nde                                 ! Netflow Data Export
show mls netflow table-contention summary    ! excessive Netflow CAM utilisation (and potential buffer overflows)
</code>
\\
CEF:\\
<code>
show cef state
show ip cef summary
show ip cef detail
show ip cef <prefix>                  ! to see the interface for a route
show ip cef <interface>               ! to see the routes pointing to a certain interface
show ip cef exact-route <src> <dst>
show ip cef 10.1.93.0/24 internal     ! shows how packets are hashed when the route has more than one equal-cost path
</code>
[[http://packetlife.net/blog/2011/may/27/show-ip-cef/]]\\
CEF adjacency types:
  * receive: for connected IP subnets, the base address of the IP subnet and the local IP address in the IP subnet.
  * attached
  * drop
  * just-the-ip
\\
**CAPTURE PACKETS PCAPS**\\
<code>
monitor capture 1 interface eth1 both
monitor capture 1 match any
monitor capture 1 start
show monitor capture 1 buffer
monitor capture 1 export tftp://<server>/<file>.pcap
</code>
\\
**__BGP__**\\
''show ip bgp'' EXPLAINED. A path line reads ''x.x.x.x from y.y.y.y (z.z.z.z)'':
  * x: NEXT HOP, inserted as next hop into the IP routing table; it is what was sent in the BGP update "next hop" field.
  * y: the peer the update was received from (the address in ''neighbor y.y.y.y remote-as ...'').
  * z: the peer's ROUTER ID, learned from the BGP OPEN (setup) message.
Note: with eBGP usually IPs 1 and 2 are identical and IP no.
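To turn that ''x from y (z)'' line into something scriptable, here is an added example (my own code, not Cisco's and not part of the original notes) that parses a ''show ip bgp <prefix>'' listing into next hop / peer / router-ID per path, records the AS path, local preference, whether the path is iBGP or eBGP and which one is best, and decodes communities printed as plain 32-bit decimals (the display you get before ''ip bgp-community new-format'', as in step 4 of the BGP COMMUNITY section further down) into AS:NN. The output it reads is constructed in the IOS layout, not captured from a real router.

```python
"""Parse 'show ip bgp <prefix>' into per-path dicts and decode communities.
Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the IOS layout."""
import re

SAMPLE_OUTPUT = """\
BGP routing table entry for 10.10.10.10/32, version 6
Paths: (2 available, best #2, table default)
  Advertised to update-groups:
     1          2
  Refresh Epoch 1
  100 200
    192.168.10.10 from 192.168.10.10 (10.10.10.10)
      Origin IGP, metric 0, localpref 100, valid, external
      Community: 4258791424 6553700
  Refresh Epoch 1
  100 200
    10.255.30.100 (metric 20) from 10.255.30.101 (5.5.5.5)
      Origin IGP, metric 0, localpref 120, valid, internal, best
      Community: 100:1 no-export
"""

# Well-known communities as they appear when printed as a 32-bit integer.
WELL_KNOWN = {0xFFFFFF01: 'no-export', 0xFFFFFF02: 'no-advertise', 0xFFFFFF03: 'local-AS'}

# "next-hop [(metric N)] from peer (router-id)"; the metric part only shows for iBGP paths.
PATH_RE = re.compile(r'^\s*(?P<next_hop>\S+)(?: \(metric \d+\))? from (?P<peer>\S+) \((?P<rid>\S+)\)\s*$')
ASPATH_RE = re.compile(r'^\s*(?:Local|\d+(?: \d+)*)\s*$')   # the AS path line precedes the path line


def decode_community(token):
    """'4258791424' -> '64984:0'; 'no-export' and 'AS:NN' tokens pass through unchanged."""
    if not token.isdigit():
        return token
    value = int(token)
    if value in WELL_KNOWN:
        return WELL_KNOWN[value]
    return '%d:%d' % (value >> 16, value & 0xFFFF)   # high 16 bits = ASN, low 16 bits = value


def parse_show_ip_bgp(text):
    """Return one dict per path, in the order the router lists them."""
    paths, prev = [], ''
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            p = m.groupdict()
            p['as_path'] = prev.strip() if ASPATH_RE.match(prev) else ''
            p.update(localpref=None, kind=None, best=False, communities=[])
            paths.append(p)
        elif paths and line.lstrip().startswith('Origin '):
            p = paths[-1]
            lp = re.search(r'localpref (\d+)', line)
            p['localpref'] = int(lp.group(1)) if lp else None
            p['kind'] = 'iBGP' if ' internal' in line else 'eBGP' if ' external' in line else 'local'
            p['best'] = bool(re.search(r'\bbest\b', line))
        elif paths and line.lstrip().startswith('Community:'):
            paths[-1]['communities'] = [decode_community(t) for t in line.split(':', 1)[1].split()]
        prev = line
    return paths


def best_path(text):
    """The path the router installs: next hop, the peer it came from and that peer's RID."""
    for p in parse_show_ip_bgp(text):
        if p['best']:
            return p
    return None


if __name__ == '__main__':
    for p in parse_show_ip_bgp(SAMPLE_OUTPUT):
        print('%-5s best=%-5s nh=%-15s peer=%-15s rid=%-12s lp=%s comm=%s'
              % (p['kind'], p['best'], p['next_hop'], p['peer'], p['rid'], p['localpref'], p['communities']))
```

Paste the router output into ''SAMPLE_OUTPUT'' (or read it from a file) and the script shows at a glance which peer each path came from; the eBGP path in the sample has next hop and peer identical, the iBGP one does not, which is exactly the point the note above makes.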
\\
----
**__JUNIPER JUNOS JEDI__**\\
Copy files between line cards / VC members:
<code>
file copy fpc2:/var/tmp/xxx.0.tgz fpc0:/var/tmp/xxx.0.tgz
</code>
Connect to a different line card / member:
<code>
request session member <member-id>
</code>
----
**__CLI TRICKS & SHORTCUTS - JUNIPER JEDI CLI__**\\
**CONFIGURATION MANAGEMENT**:\\
To check previous commits. The current and the past (up to 50) configs are kept as /config/juniper.conf.<n>:
<code>
show system commit
> show system commit
0   2017-07-22 12:15:05 UTC by jaime_santos via cli commit synchronize
show system rollback 2 compare 0     # diff between rollback 2 and the current config (operational mode)
</code>
From configuration mode:
<code>
rollback 2                 # load the state in rollback 2 into the candidate config (commit to apply it)
show | compare rollback 3  # see what has changed since rollback 3
</code>
Config files location: [[https://forums.juniper.net/t5/Junos/What-are-the-config-files-and-where-are-they-located-on-a-JUNOS/td-p/14552|External Link]]. Current config in /config. Past configs in /config and /var/db/config.\\
Apply configurations. See this [[https://www.juniper.net/documentation/en_US/junos/topics/example/junos-software-config-file-loading.html|Link]] for examples:
<code>
[edit]
user@host# load (factory-default | merge | override | patch | replace | set | update) filename
# load patch terminal
# load merge relative terminal      # paste it in the same hierarchical form we see in the config
# load merge ftp://username:password@172.30.36.59/switch_juniper.conf.gz_20080304_141543   # loads it from a file; a gzip-compressed file is accepted as-is
</code>
----
To make dangerous changes:
<code>
commit confirmed {minutes}   # rolls back automatically after the timer unless confirmed
commit                       # confirms, i.e. cancels the pending rollback
</code>
----
**LINUX JEDI**\\
Show the route towards 8.8.8.8 and the public IP as seen from each host:
<code>
for host in cc0{1..8}; do echo $host $(ssh $host '(ip r get 8.8.8.8; curl -s ipecho.net/plain)'); done
</code>
This is to check if a route is installed. If yes, do nothing, if not, install it.
This can be set as a one-liner in the cron file (''grep -q'' means quiet: only the exit status is used):
<code>
(ip route show | grep -q '100.100.100.100 dev eno1') || ip route add 100.100.100.100 dev eno1
</code>
This one-liner goes through all servers and modifies the MTU (note the use of ''seq'' to generate a sequence, read [[https://www.lifewire.com/uses-of-linux-seq-command-4011324|this]] for info about formatting). The inner ''ssh'' lists the interface names and ''xargs -n 1'' appends each one after ''dev'':
<code>
for host in $(seq --format='cc%02.0f' 01 17); do
  ssh $host "/sbin/ip link show | egrep '(em|eth|bond)[0-9]:' | cut -d: -f 2" | xargs -n 1 ssh $host ip link set mtu 9000 dev
done
</code>
**__TEMPLATE__** (''sshh'' is a local wrapper around ssh used in these notes, not a standard command):
<code>
for host in $(seq --format='sw-e%02.0f' 12 20); do sshh jaime_santos@"$host".dc.mycompany1.co.uk "sh config | match 401"; done
</code>
To send a bunch of commands (e.g. edit, configuration and commit, contained in a file called 'commands'):
<code>
for host in $(seq --format='sw-e%02.0f' 12 20); do cat commands | sshh jaime_santos@"$host".dc.mycompany1.co.uk; done
</code>
\\
**PIPE NOT AVAILABLE** (keyboard without the ''|'' key)\\
Have a file containing the symbol and do this:
<code>
echo $(echo "sdh") $(cat /pipe)
</code>
\\
Extract the current IPs from the DNS server. The one-liners as first written put ''$4'', ''$1'' and ''\$'' inside the outer double quotes, so the local shell expanded them before ssh ran (awk printed whole lines and the ''$'' filter dropped every line); single-quoting the remote command fixes that:
<code>
ssh root@marrow 'egrep "10\.8\.8" /var/named/db.dc.mycompany1.co.uk | awk "{print \$4}" | grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | uniq'
ssh root@marrow 'egrep "10\.8\.8" /var/named/db.dc.mycompany1.co.uk | awk "{print \$1}" | egrep -v ";" | egrep -v "[$]" | egrep -v mgt | sed -e "s/\$/.dc.mycompany1.co.uk/"'
</code>
\\
Ping jumbo from Linux (8972 = 9000 minus 20 bytes IP and 8 bytes ICMP header; ''-M do'' sets DF so the packet is not fragmented on the way):
<code>
ping -M do -s 8972 [destinationIP]
</code>
----
**BGP COMMUNITY**:\\
1.- Set the community (node A):
<code>
ip bgp-community new-format
!
route-map set_community 10 permit
 match ip address prefix-list LOOPBACK
 set community 109
route-map set_community 20 permit
!
neighbor 5.5.5.5 send-community
neighbor 5.5.5.5 route-map set_community out
</code>
2.- Match on the other side (node B):
<code>
ip community-list expanded AS100 permit 100:[0-9]+
</code>
Any community coming from ASN 100 raises the local preference:
<code>
route-map set_weight permit 10
 match community AS100
 set local-preference 120
route-map set_weight permit 20
!
neighbor 151.100.1.1 send-community
neighbor 151.100.1.1 route-map set_weight out
</code>
''out'' is correct here: the AS100 community is learnt via any other neighbour and the higher local-preference is passed on to 151.100.1.1 (local-preference only travels inside the AS, so this only makes sense towards an iBGP neighbour).\\
3.- To remove/delete part of a community list:
<code>
ip community-list expanded AS200 permit 200:[0-9]+_
route-map RESET_COMMUNITY permit 10
 match as-path 1
 set comm-list AS200 delete
!
neighbor 192.168.1.1 route-map RESET_COMMUNITY in
</code>
4.- To show the community (without ''ip bgp-community new-format'' it is printed as a 32-bit decimal: 4258791424 = 64984:0):
<code>
ISP1#show ip bgp 10.10.10.10
BGP routing table entry for 10.10.10.10/32, version 6
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Advertised to update-groups:
     1          2         10
  192.168.10.10 from 192.168.10.10 (10.10.10.10)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 4258791424   <<<
</code>
----
SERVICE INSERTION: WCCP, Web Cache Communication Protocol (transparent web cache; the old-school standard for service insertion).
----
**CABLE TESTING**:\\
<code>
test cable-diagnostics tdr interface gigabitEthernet 1/0/1   ! runs the TDR test (resets the state machine for that interface)
show cable-diagnostics tdr interface gigabitEthernet 1/0/1
</code>
----
==== CISCO DNAC AND NDO ====
( CATALYST CENTER AND NEXUS DASHBOARD ORCHESTRATOR )
  * You cannot run Catalyst Center (DNAC) and NDO on the same VM/appliance.
  * Cisco has DNAC/NDO appliances which are built on UCS platforms but sold as appliances (bundled hardware and software).
=== DNAC platform support ===
  * DNAC offers flexible deployment options. It can be deployed on a hardware appliance or as a virtual appliance, on either VMware ESXi or AWS.
  * DNAC can be run as a 1-node, 3-node or 5-node cluster; the base level is 1 node for **lifecycle and assurance** (3+ nodes recommended for fabric deployments). [[https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-center/nb-06-dna-center-data-sheet-cte-en.html|External Link]]
=== NDO platform support ===
  * The NDO / Cisco Nexus Dashboard portfolio also comprises physical, virtual and cloud form factors; the base level is 1 to 3 nodes (up to 9 in a cluster).
  * [[https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/nexus-dashboard/datasheet-c78-744371.html|External Link]] details NDO features and platform options (appliance, VMware, KVM, AWS, Azure).
  * [[https://www.cisco.com/c/dam/en/us/td/docs/dcn/tools/nd-sizing/index.html|External Link]] Cisco Nexus Dashboard Capacity Planning, details the appliances required for a deployment.
  * NOTE: Onboarding standalone switches is supported only on 3-node physical clusters. Virtual Nexus Dashboard clusters, 1-node physical clusters and 6-node clusters do not support this use case. See the Nexus Dashboard release notes: [[https://www.cisco.com/c/en/us/td/docs/dcn/ndi/6x/release-notes/dcnm/cisco-ndi-ndfc-release-notes-641.html|External Link]]