May 23

Extreme XOS switch initial configuration cheat sheet

Here is a quick cheat sheet of commands that I use during the initial setup of an Extreme switch.

 

Showing Configuration:

show config
show config detail

NTP, Clock and Time

You can see the clock and time with either the show system or show switch command.

configure timezone name EST -300 autodst name EDT
enable ntp
configure ntp server add 192.168.1.200
configure time 1 19 2016 7 55 55

The timezone offset is in minutes from UTC: EST is -300; -360 would be Central time. The configure time arguments are month, day, year, hour, minute and second. A manual time only needs to be close enough for NTP to take over, so check that the switch has actually synchronized (show ntp sys-info) before relying on its log timestamps.
Show how long the switch and its components have been in service (odometer counters):

show odometers

See which configuration file is in use and which one will be loaded at the next boot:

show switch


Oct 15

IOS Upgrade on a Cisco ASR

I was recently tasked with upgrading the IOS (IOS XE) image on all of our ASRs as we move to running PfRv3. Like most other Cisco router upgrades the process is pretty straightforward, but there are a few caveats in the syntax used on the ASRs. For those who have never performed an IOS upgrade, I will run through the entire process.

Check the current IOS Version

Like any upgrade, you need to know where you are starting in order to see what is needed to get you to where you want to be. If you are jumping several major versions you may need to step through an intermediate release to reach the final version you wish to run; the release notes for the target version say when that is required.

Run a show version

Running the show version command shows you the current IOS XE release and the system image file that your ASR booted from. Note both, since you will compare them against the new image after the reload.
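As an added example (not part of the original post), here is a Python script that pulls the release and image name out of show version output, tells you whether the move to a target release is an upgrade or a downgrade, and flags when it crosses a release train. The show version text is constructed to look like ASR 1000 output, and the target version passed in is an assumption.

```python
import re

# Constructed sample of "show version" output from an ASR 1000 running IOS XE.
# Not captured from a real device; the release strings follow Cisco's formats
# but the image name is illustrative.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.

ROM: IOS-XE ROMMON

Router uptime is 2 weeks, 3 days, 4 hours, 12 minutes
System returned to ROM by reload
System image file is "bootflash:asr1000rp2-adventerprisek9.03.16.04b.S.155-3.S4b-ext.bin"
"""

XE_VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\S+)")
IOSD_VERSION_RE = re.compile(r"Cisco IOS Software.*?Version ([^,]+),")
IMAGE_RE = re.compile(r'System image file is "([^"]+)"')


def parse_show_version(text):
    """Pull the IOS XE release, the bundled IOSd release and the boot image path."""
    xe = XE_VERSION_RE.search(text)
    iosd = IOSD_VERSION_RE.search(text)
    image = IMAGE_RE.search(text)
    return {
        "xe_version": xe.group(1) if xe else None,
        "iosd_version": iosd.group(1).strip() if iosd else None,
        "image": image.group(1) if image else None,
    }


def xe_version_key(version):
    """Turn '03.16.04b.S' into (3, 16, 4, 'b') so releases compare numerically."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError("unrecognised IOS XE version string: %r" % version)
    major, minor, rebuild, suffix = m.groups()
    return (int(major), int(minor), int(rebuild), suffix)


def compare_versions(current, target):
    """Return 'upgrade', 'downgrade' or 'same' for moving from current to target."""
    cur, tgt = xe_version_key(current), xe_version_key(target)
    if cur == tgt:
        return "same"
    return "upgrade" if tgt > cur else "downgrade"


def upgrade_plan(show_version_text, target_version):
    """Summarise where the box is, where it is going, and whether the jump crosses trains."""
    info = parse_show_version(show_version_text)
    info["direction"] = compare_versions(info["xe_version"], target_version)
    cur_train = xe_version_key(info["xe_version"])[:2]
    tgt_train = xe_version_key(target_version)[:2]
    # Crossing major.minor trains is where an intermediate release is usually needed;
    # which one (if any) must come from the release notes, not from this script.
    info["crosses_train"] = cur_train != tgt_train
    return info


if __name__ == "__main__":
    plan = upgrade_plan(SAMPLE_SHOW_VERSION, "03.16.07.S")  # target version is an assumption
    for key, value in plan.items():
        print("%-14s %s" % (key, value))
```

Paste the real output of show version into SAMPLE_SHOW_VERSION (or read it from a file) and run it against the release you plan to stage.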

Jul 30

CCNP Route Lab – EIGRP OSPF Redistribution Sim


EIGRP OSPF Redistribution Sim:

 

  • R2 is an ASBR for EIGRP 100 and OSPF AREA 24
  • R3 is an ASBR for EIGRP 100 and OSPF AREA 34

(Note: there are TWO separate areas on TWO separate ASBRs, so redistribution has to be done on both R2 and R3.)

  • R1 is ONLY in EIGRP 100 and is THE ONLY router you can ping from.
  • R4 has a loopback interface that must be pinged from R1.
  • R4 is running OSPF and has a redundant link to the EIGRP network via R3.
  • Traffic from R1 should take the optimal route to reach the 172.16.100.0/24 network.

Notice: when you have completed the redistribution you should be able to ping 172.16.100.1 (on the 172.16.100.0/24 network) from R1 to confirm everything is working.
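An added example of the redistribution the sim asks for (not the lab's answer key; the OSPF process ID, the EIGRP seed metric and the tag values 90 and 110 are assumptions): mutual EIGRP/OSPF redistribution applied on both R2 and R3, with route tags. The tags go beyond what the sim strictly requires, but with two ASBRs and a redundant path a route learned from OSPF can be redistributed into EIGRP on one ASBR and handed back into OSPF as an external on the other; tagging each direction and refusing the tag on the way back stops that loop.

```cisco
! Added example, not the lab's answer key. Process IDs (ospf 1), the EIGRP
! seed metric and the tag values 90/110 are assumptions.
! Apply the same block on R2 and R3; each is an ASBR for its own OSPF area.
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
!
router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-TO-EIGRP
!
! Routes crossing EIGRP -> OSPF get tag 90; routes crossing OSPF -> EIGRP get
! tag 110. Each direction refuses routes that already carry the other tag, so
! a prefix cannot be re-imported into the protocol it came from.
route-map EIGRP-TO-OSPF deny 10
 match tag 110
route-map EIGRP-TO-OSPF permit 20
 set tag 90
!
route-map OSPF-TO-EIGRP deny 10
 match tag 90
route-map OSPF-TO-EIGRP permit 20
 set tag 110
```

After applying it, ping 172.16.100.1 from R1 and then check show ip route 172.16.100.1 on R1 to see which ASBR it is using; show ip ospf database external on R4 should list the EIGRP prefixes once, with tag 90, and not the OSPF prefixes coming back in.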

Jan 23

VPN Troubleshooting – Phase 1 – ISAKMP (IKE) Status Messages MM_WAIT_MSG#

When troubleshooting Phase 1 of a VPN tunnel, the MM_WAIT_MSG state can be a great clue as to why your tunnel is not forming. If your firewall hangs at a certain state, that tells you where in the main mode exchange your VPN is failing.

MM_WAIT_MSG2

What is happening

The initiator has sent main mode message 1, its ISAKMP policy proposals (encryption, hash, DH group, authentication method and lifetime), to the remote peer to make initial contact. It stays in this state until it receives message 2 back. A peer stuck here either never got message 1 (UDP 500 blocked, no route, or no crypto map or tunnel-group for this peer on the far side) or received it and found no policy it was willing to accept.

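To show why a peer sits in MM_WAIT_MSG2, here is an added Python model of the message 1/2 exchange. It is not from the original post and is deliberately simplified: it only models ISAKMP policy matching, with the policy attributes as plain strings rather than IKE attribute IDs, and the two sets of policies are constructed. The same state also appears when UDP 500 never reaches the peer, so check reachability before you start comparing policies.

```python
from dataclasses import dataclass

# Added example: models Phase 1 main mode messages 1 and 2 as a policy match.
# Attribute values are plain strings chosen here, not IKE attribute IDs.


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str      # e.g. "aes-256", "3des"
    hash: str            # e.g. "sha", "md5"
    group: int           # Diffie-Hellman group number
    authentication: str  # "pre-share" or "rsa-sig"

    def matches(self, other):
        # Lifetime is deliberately not compared: peers negotiate it down to the
        # smaller value instead of rejecting the proposal.
        return (self.encryption == other.encryption
                and self.hash == other.hash
                and self.group == other.group
                and self.authentication == other.authentication)


def main_mode_msg1(initiator_policies):
    """MSG1: the initiator offers every policy it has, lowest priority number first."""
    return sorted(initiator_policies, key=lambda p: p.priority)


def main_mode_msg2(proposals, responder_policies):
    """MSG2: the responder walks its own policies in priority order and answers
    with the first one that exactly matches an offered proposal. None means it
    has nothing to send back, which leaves the initiator waiting."""
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for offered in proposals:
            if local.matches(offered):
                return local
    return None


def initiator_state(reply):
    """State the initiator shows for this SA after sending MSG1."""
    return "MM_WAIT_MSG4" if reply is not None else "MM_WAIT_MSG2"


def negotiate(initiator_policies, responder_policies):
    """Run MSG1/MSG2 and return (initiator state, policy the responder chose)."""
    reply = main_mode_msg2(main_mode_msg1(initiator_policies), responder_policies)
    return initiator_state(reply), reply


# Constructed policies for our side and two hypothetical peers.
OUR_POLICIES = [
    IkePolicy(10, "aes-256", "sha", 5, "pre-share"),
    IkePolicy(20, "3des", "sha", 2, "pre-share"),
]
PEER_OK = [IkePolicy(5, "aes-256", "sha", 5, "pre-share")]
PEER_GROUP_MISMATCH = [IkePolicy(5, "aes-256", "sha", 2, "pre-share")]

if __name__ == "__main__":
    for name, peer in (("matching peer", PEER_OK), ("DH group mismatch", PEER_GROUP_MISMATCH)):
        state, chosen = negotiate(OUR_POLICIES, peer)
        print("%-18s -> %s (chosen: %s)" % (name, state, chosen))
```

The second peer differs from ours only in the DH group, which is enough to leave our side in MM_WAIT_MSG2 with no error on our console; the mismatch is only visible on the responder, so when you are the initiator ask the other side what their logs show for your message 1.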

Dec 17

How to perform a pcap packet capture and copy the file off of a Cisco ASA

Cisco's ASA firewall runs and saves packet captures differently from the familiar tcpdump/Wireshark workflow on Linux. Below is a quick guide to capturing and then copying a pcap file off the firewall for offline analysis.

Setting up your Packet Capture

The basic syntax is:

capture <name> type raw-data match ip <source IP/network> <network mask> <destination IP/network> <network mask>
capture <name> packet-length 1522 buffer 524288
capture <name> interface <interface name>

Use the same <name> on every line; each line adds to the same capture. The match uses subnet masks (255.255.255.0), not wildcard masks, and the interface is the nameif name. The buffer is in bytes and stops filling once it is full unless you add the circular-buffer keyword, so size it for what you expect to see; packet-length 1522 keeps whole Ethernet frames, and anything longer is truncated in the capture.

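Once the capture is copied off the firewall it is worth checking the file before handing it around. As an added example, not from the original post, here is a Python libpcap reader that validates the global header, walks the records and reports how many packets were cut short by the packet-length setting. The sample capture is built in memory rather than taken from a firewall.

```python
import struct

# Added example: a minimal libpcap reader to sanity-check a capture pulled off an
# ASA before opening it in Wireshark. The sample file is constructed in code.

PCAP_MAGIC_LE = 0xA1B2C3D4  # value read when the file is little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # value read (as little-endian) when the file is big-endian
LINKTYPE_ETHERNET = 1       # what an ASA raw-data capture uses


def read_pcap(data):
    """Parse a libpcap file from bytes; return (link_type, list of records)."""
    if len(data) < 24:
        raise ValueError("file too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic)
    ver_major, ver_minor, _tz, _sig, snaplen, link_type = struct.unpack(endian + "HHiIII", data[4:24])
    if (ver_major, ver_minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (ver_major, ver_minor))
    records = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        # incl_len can never exceed the snaplen or the original length; if it does,
        # the file was corrupted in transfer (e.g. an ASCII-mode FTP copy).
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("corrupt record length at offset %d" % (off - 16))
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "caplen": incl_len,
            "len": orig_len,
            "data": data[off:off + incl_len],
        })
        off += incl_len
    return link_type, records


def summarise(data):
    """Counts a practitioner wants before trusting the file: packets and truncations."""
    link_type, records = read_pcap(data)
    truncated = sum(1 for r in records if r["caplen"] < r["len"])
    return {"link_type": link_type, "packets": len(records), "truncated": truncated}


def build_sample_pcap(packets, snaplen=1522):
    """Build a little-endian pcap in memory (constructed test data)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, min(len(frame), snaplen), len(frame))
        out += frame[:snaplen]
    return bytes(out)


# Two constructed Ethernet frames: a 60-byte minimum frame and one larger than the
# 1522-byte snaplen, to show how truncation shows up in the record header.
SAMPLE = build_sample_pcap([
    (1450000000, b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 45),
    (1450000001, b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"A" * 2000),
])

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

To check a real file, replace SAMPLE with open("capture.pcap", "rb").read(); a "not a libpcap file" error on a capture that Wireshark also refuses usually means the copy off the firewall was done in the wrong mode.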

Oct 11

Ping Multiple IPs from a Windows Command Prompt

Here is a very easy script for the Windows command line that pings multiple IP addresses quickly and writes the results to a file. This is really handy for doing ping tests from remote servers, because you don't have to install any software.

1) I used Excel to create the list of IPs I want to ping.
a. Open Excel and type the first IP in the range of IPs you want to ping.
b. Grab the bottom right corner of the cell (you will see a + sign) and drag down; Excel will auto-fill the next number in the range. Keep dragging until you have all the IPs you want.
c. Highlight all the IPs and copy them to the clipboard.
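Here is an added batch script (not the post's own) that reads the pasted list and records UP or DOWN for every address. The file names ips.txt and ping-results.txt are assumptions. It checks for a TTL= line rather than ping's exit code, because ping returns 0 for "Destination host unreachable" replies from a gateway and would otherwise mark dead hosts as up.

```batch
@echo off
REM Added example, not the post's script. Reads one address per line from
REM ips.txt and writes "addr UP" or "addr DOWN" to ping-results.txt.
REM File names are assumptions; put this next to the list pasted from Excel.
setlocal EnableDelayedExpansion
set "INPUT=ips.txt"
set "OUTPUT=ping-results.txt"

if not exist "%INPUT%" (
    echo %INPUT% not found
    exit /b 1
)
if exist "%OUTPUT%" del "%OUTPUT%"

for /f "usebackq tokens=* delims=" %%A in ("%INPUT%") do (
    REM ping exits 0 even for "Destination host unreachable", so look for a
    REM TTL= line from a real reply instead of trusting ping's errorlevel.
    ping -n 1 -w 1000 %%A | find "TTL=" >nul
    if !errorlevel! equ 0 (
        echo %%A UP>>"%OUTPUT%"
    ) else (
        echo %%A DOWN>>"%OUTPUT%"
    )
)
type "%OUTPUT%"
endlocal
```

If Excel is not available on the remote server, the list itself can be generated at the prompt with `for /L %N in (1,1,254) do @echo 192.168.1.%N>>ips.txt` (adjust the range and network as needed).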

Sep 20

Looking up a VPN PSK on a Cisco ASA

When you have VPN tunnels out to third-party customers, there comes a time when something goes wrong and at least one end of the tunnel has to be rebuilt. More often than not the documentation got lost or was not updated the last time things changed, and now you have no idea what PSK you used on that tunnel. You quickly look at the configuration on the other end only to find that the PSK is starred out in the running config.

Sep 20

The Use of Prefix Lists for Route Filtering

Using IP prefix lists has several advantages over using an ACL. Prefix lists match on more than just an IP address: they also match on the prefix length of the route. As we have seen, this can be an advantage, but it can also cause problems, with routes being filtered that we did not intend. Finally, prefix lists are stored in a tree structure, which results in faster matching of routes than with ACLs.

Much like ACLs, prefix-list configuration commands using the same name end up in the same list. As with named ACLs, each ip prefix-list command has a sequence number to allow later deletion of individual entries and insertion of entries at a particular position. Prefix lists are read in order, top to bottom, and once a match is found the rest of the list is not read; a route that matches no entry is denied by the implicit deny at the end. Each entry has a permit or deny action, but because the list is used only for matching routes, not for packet filtering, permit simply means the route is matched and deny means it is not.

Creating a prefix list uses the following command syntax:

ip prefix-list list-name [seq seq-value] {deny | permit} prefix/prefix-length [ge ge-value] [le le-value]

Without ge or le, only a route with exactly that prefix length matches. With ge, le or both, the first prefix-length bits of the route must match the entry and the route's length must fall in the range ge..le (ge alone means ge..32, le alone means prefix-length..le). IOS also requires prefix-length < ge <= le.

Ex. ip prefix-list FILTER_ADV_ROUTES seq 10 permit 172.31.26.0/23 ge 24 le 32

This entry matches any route inside 172.31.26.0/23 whose length is between /24 and /32, so 172.31.26.0/24 and 172.31.27.128/25 match, but 172.31.26.0/23 itself does not and falls through to the implicit deny.

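As an added example (not from the original post), here is a Python model of prefix-list matching that covers the general ge/le rules, not just the single entry above: it validates entries the way IOS does, evaluates candidate routes top to bottom by sequence number and applies the implicit deny. The second entry in the list and the candidate routes are constructed for the example.

```python
import ipaddress

# Added example: evaluates IOS-style ip prefix-list entries against candidate
# routes. The FILTER_ADV_ROUTES seq 10 entry is the page's; seq 20 and the
# candidate routes are constructed.


class PrefixListEntry:
    def __init__(self, seq, action, prefix, ge=None, le=None):
        self.seq = seq
        self.action = action  # "permit" or "deny"
        self.network = ipaddress.ip_network(prefix, strict=False)
        plen = self.network.prefixlen
        maxlen = self.network.max_prefixlen
        # IOS requires prefix-length < ge <= le <= 32; enforce the same so a typo
        # such as "/24 ge 16" is rejected instead of silently matching nothing.
        if ge is not None and not plen < ge <= maxlen:
            raise ValueError("seq %d: ge must satisfy %d < ge <= %d" % (seq, plen, maxlen))
        if le is not None and not plen <= le <= maxlen:
            raise ValueError("seq %d: le must satisfy %d <= le <= %d" % (seq, plen, maxlen))
        if ge is not None and le is not None and ge > le:
            raise ValueError("seq %d: ge must not exceed le" % seq)
        # Range of route lengths this entry accepts.
        if ge is None and le is None:
            self.min_len, self.max_len = plen, plen   # exact length only
        elif le is None:
            self.min_len, self.max_len = ge, maxlen   # ge .. /32
        elif ge is None:
            self.min_len, self.max_len = plen, le     # prefix-length .. le
        else:
            self.min_len, self.max_len = ge, le       # ge .. le

    def matches(self, route):
        route = ipaddress.ip_network(route, strict=False)
        if route.version != self.network.version:
            return False
        # The first prefix-length bits must agree, then the route's own length
        # must fall inside the ge/le window.
        shift = self.network.max_prefixlen - self.network.prefixlen
        same_prefix = (int(route.network_address) >> shift) == (int(self.network.network_address) >> shift)
        return same_prefix and self.min_len <= route.prefixlen <= self.max_len


def evaluate(prefix_list, route):
    """Walk entries by sequence number; first match wins, unmatched routes are denied."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action, entry.seq
    return "deny", None  # implicit deny at the end of every prefix list


# ip prefix-list FILTER_ADV_ROUTES seq 10 permit 172.31.26.0/23 ge 24 le 32   (from the page)
# ip prefix-list FILTER_ADV_ROUTES seq 20 permit 10.0.0.0/8 ge 24 le 24       (constructed)
FILTER_ADV_ROUTES = [
    PrefixListEntry(10, "permit", "172.31.26.0/23", ge=24, le=32),
    PrefixListEntry(20, "permit", "10.0.0.0/8", ge=24, le=24),
]

if __name__ == "__main__":
    for r in ["172.31.26.0/24", "172.31.27.128/25", "172.31.26.0/23",
              "172.31.28.0/24", "10.1.1.0/24", "10.1.0.0/16"]:
        print("%-18s -> %s" % (r, evaluate(FILTER_ADV_ROUTES, r)))
```

Running it shows the two effects the text warns about: the /23 summary itself is dropped by the seq 10 entry (length 23 is below ge 24) and 172.31.28.0/24 is dropped because its first 23 bits differ, both ending at the implicit deny rather than at any line you wrote.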