Monday, December 23, 2013

Easy transfer of files to/from Cisco Router

As a consultant, I'm constantly working remotely with people but still need an easy way of transferring files to and from a router (captures, OS files, etc.).  This tip is 101 stuff, but since I needed to help someone with it today I thought I would pass it along.

My little scenario here is an example using IOS routers but I've also tested it on XE.

When I need to upload or download files to/from a router, I like to use SCP to transfer the files.  I like this better than trying to stand up an FTP or TFTP server, and it's especially handy when working with devices outside the firewall.  SCP uses Secure Shell (SSH) to copy files securely: you connect directly to the device and transfer files back and forth, which is useful for captures or OS files.

On the router, you'll need to enable SSH, AAA, and SCP.

ip domain-name company.com
hostname routername
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
username someuser privilege 15 secret somepassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local

Enable SCP on the router.

ip scp server enable

Starting in 6.0(2)N1(1), NX-OS also supports SCP.  Enable with:

feature scp-server

On Mac or Linux, to push or pull the files, you can use the built-in command line.

You don't have to but I suggest going to the directory on your computer where the file you want to upload is or where you want to download the file to.  Open terminal on your Mac or Linux to run the commands below.

Download file:
In this example I'm downloading the file callfail to the current local directory.  In case you don't catch it, the dot at the end means the current local directory.
scp username@5.5.5.5:flash:callfail .

In this example I'm downloading the file callfail to my Documents folder.
scp username@5.5.5.5:flash:callfail Documents/


Upload file:
In this example I'm uploading the IOS from the local directory to the router.
scp c2900-universalk9-mz.SPA.151-4.M7.bin username@5.5.5.5:flash:c2900-universalk9-mz.SPA.151-4.M7.bin

If you happen to be on Windows, WinSCP and PSCP (from the makers of PuTTY) are pretty popular.  WinSCP is a GUI-based option; PSCP is a command-line tool like the one above.
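An added example, not from the original post: a small wrapper around the scp commands above that forces SSH host-key checking (an unknown or changed router key aborts the transfer instead of being accepted) and, for an IOS image upload, prints the `verify /md5` command to run on the router so the copied image can be checked against the local file before booting from it.  It assumes OpenSSH scp on the PATH, md5sum (Linux) or md5 (macOS), and that the router's host key is already in ~/.ssh/known_hosts after its fingerprint was confirmed out of band on the first connection.

```bash
# Added example (not the post's own commands). Assumes OpenSSH scp plus
# md5sum (Linux) or md5 (macOS), and that the router's SSH host key has
# already been confirmed out of band and saved to ~/.ssh/known_hosts.

# MD5 of a local file; works with either Linux md5sum or macOS md5.
local_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# The IOS command that compares the uploaded file with the local checksum:
#   verify /md5 flash:<file> <expected-md5>
ios_verify_cmd() {
    printf 'verify /md5 flash:%s %s\n' "$(basename "$1")" "$(local_md5 "$1")"
}

# Pull a file from the router's flash into a local path (router -> local).
# StrictHostKeyChecking=yes makes scp refuse a key that is unknown or has
# changed, instead of silently accepting it.
router_get() {
    user=$1 host=$2 remote_file=$3 local_dest=$4
    scp -o StrictHostKeyChecking=yes "$user@$host:flash:$remote_file" "$local_dest"
}

# Push a local file to the router's flash, then show the verify command.
router_put() {
    local_file=$1 user=$2 host=$3
    scp -o StrictHostKeyChecking=yes "$local_file" \
        "$user@$host:flash:$(basename "$local_file")" || return 1
    echo "Upload done. On the router, run:"
    echo "  $(ios_verify_cmd "$local_file")"
}

# Usage, with the address and file names from the post:
#   router_get someuser 5.5.5.5 callfail .
#   router_put c2900-universalk9-mz.SPA.151-4.M7.bin someuser 5.5.5.5
```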

Cisco Reference Doc:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_secure_copy_ps6922_TSD_Products_Configuration_Guide_Chapter.html

I recommend disabling the SCP server when not needed.

Update: I received a response on Twitter from John Spade (@DaSpadeR) that he once had an IOS router that would reboot when accessed this way.

So, as with everything in our field your mileage may vary.

Monday, December 09, 2013

Cisco Jabber on iPhone through ASA VPN bug

When you are the 'network person', you need to troubleshoot the network to prove the network is not the problem.  I'm writing about this bug because I couldn't find anything online about it and Cisco TAC says it has not been published yet.

Problem

Cisco Jabber 9.5 on the iPhone works on the network internally but not through the ASA VPN.

Confirm it actually does work internally: check
Everything else works through VPN, on the phone: check
Simple ping to CUPS server on the phone: check
Can bring up web page of CUPS server via DNS through the phone: check
No over-engineered filters or ACLs in place hindering traffic: check

I'm not much of a voice tech so I had one of the voice engineers check the configs on CallManager.  Says everything is good to go.

I ran a capture on the ASA and see traffic going back and forth to the client as expected.  Not sure if it's the correct ports, but whatever, I see bidirectional traffic.

Sadly, I opened a TAC case.  Worked with both the application team and the ASA team.  Ran captures on the ASA again, on the iPhone AnyConnect client, and also on the CUPS server.

The Apps person found this error:

OnLoginError: LERR_JABBER_UNREACHABLE:

TAC suggested the phone client could not resolve the name of the CUPS server through the VPN.  This didn't make sense to me since I could resolve the name (hostname and FQDN).

Resolution:

Luckily, they had a fix on the CUPS server that would actually resolve the issue:
Change the xmpp server name to the IP address.

Step 1.  Log in to the CUP server as admin.  Click menu "System" - "Cluster Topology".
Check the picture below.



Step 2.  After Step 1, you will see the CUP servers listed in the Subcluster.  The CUP nodes are shown as XMPP server names, in this example as "cups1" and "cups2".  Click the node.  You can change the name to the IP address.  In the picture below the node name was cups1, and I changed it to "10.201.216.201".




After you change the node name to the IP address, you can now test over VPN.  This change was not service impacting, but it may be best to perform this change after business hours.  You never know.

The bug id is not yet public: CSCul54468
According to Cisco, this should be fixed in Q4 2013, but I'm posting here in case anyone runs into this problem during troubleshooting.

Side note: If you are curious on the ping client I used on the iPhone, it was iSys.



Monday, November 04, 2013

Terminal Alias commands on Mac

One of the little things I enjoyed on Linux was using alias commands in the terminal.  Aliases are quick shortcuts for longer commands that you may want to run in the terminal.

I'm including a few I use on the Mac.

In order to use a terminal alias, you need a .bash_profile.  The . makes it a hidden file.  A default Mac build likely doesn't have a .bash_profile.  If you've installed things like MacPorts then one may have been created already.  You can add to an existing file.

Open up terminal.  If you don't know how to open terminal, close the browser, go get some ice cream and don't come back.

In terminal type
cd ~
 - This takes you to your home directory

Type
ls -al | grep .bash

 - This lists all the files starting with .bash.  Do you see .bash_profile?  If yes, then you can just edit that, if not it needs to be created.  That character between -al and grep is the pipe.  (Shift \).

To create a new one type
touch .bash_profile

In order to edit the file, you need to open a text editor of some sort.  I like vi but if you don't know what it is, don't use it.
Default TextEdit:
open -e .bash_profile

Have TextWrangler?
open -a /Applications/TextWrangler.app/ .bash_profile


Add the following commands into the file.

# reload your bash config
alias src="source ~/.bash_profile"

# CPU and Memory stats
alias cpu='top -o cpu'
alias mem='top -o rsize' # memory

# DNS
alias flush="sudo killall -HUP mDNSResponder"
alias dns="cat /etc/resolv.conf"

# Get local IP info - removes loopback and static VMware fusion
alias ip='ifconfig | grep "inet " | grep -v 127.0.0.1 | grep -v 192.168.223.1 | grep -v 192.168.210.1'

# Get Local default gateway
alias gw="netstat -rn | grep default"

# Get VPN Routes when connected
alias vrt="netstat -rn | grep utun | grep UGSc"

# Get Public IP
alias pubip="curl ifconfig.me"


Save the file.
The aliases won't work right off the bat; you'll need to load/reload the profile:
"source ~/.bash_profile"
Once done, you can just use "src" in the future (the first alias) to reload the profile after you make additional changes.

The shortcut is the word after alias and before the =.  The real command is after the =.

One note: the local IP info string strips out the loopback IP and my VMware Fusion IPs.  You can find yours by running a plain ifconfig to see which IPs you need to strip out.
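An added example, not from the original post: a shell function that does what the "ip" alias above does, but drops interfaces by name (lo0 and VMware's vmnet*) instead of hard-coding the addresses to strip, so it keeps working when the Fusion subnets change.  It reads ifconfig-style output on stdin; the sample output below is constructed to look like macOS ifconfig and the interface names in it are assumptions.

```bash
# Added example (not the post's alias). Filters ifconfig output by interface
# name rather than by hard-coded addresses. Reads ifconfig text on stdin.
local_ips() {
    awk '
        # An interface header line looks like "en0: flags=...". Remember the name.
        /^[a-z0-9]+: / { iface = $1; sub(/:$/, "", iface); next }
        # Indented "inet A.B.C.D ..." lines belong to the current interface;
        # skip loopback and any VMware vmnet* interface.
        $1 == "inet" && iface != "lo0" && iface !~ /^vmnet/ { print iface, $2 }
    '
}

# Constructed sample modelled on macOS ifconfig output (addresses are made up).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.1.23 netmask 0xffffff00 broadcast 10.0.1.255
vmnet1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
vmnet8: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.210.1 netmask 0xffffff00 broadcast 192.168.210.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
    inet 172.16.5.9 --> 172.16.5.9 netmask 0xffffffff'

# Runs the filter over the constructed sample; live use is: ifconfig | local_ips
demo_local_ips() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | local_ips
}
```

To use it as an alias like the others, put the function in .bash_profile and add alias ip='ifconfig | local_ips'.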

Also, I found some of the commands on the Web, some I created.   Have fun.

Thursday, June 27, 2013

Cisco Live 2013 Experience

Cisco Live 2013 in Orlando is over and I'm reflecting on my first-time experience.  In short, I loved it.

I flew in Sunday without any hassle.  My airport for this particular trip was DCA.  I was sitting there reading on the iPad when another passenger sat next to me.  He had the look of someone going to Cisco Live so we started talking.  Eventually, the flight was ready to go so we exchanged information and headed out.  Dude sent me a LinkedIn request from his wife's account, which was pretty strange, but whatever.

Arrived in Orlando and looked for a cab.  I was quoted $50 or something crazy.  Forget that.  I looked for a shuttle and that was $30 round trip I believe.  

I arrived before I could check in to the Rosen Centre hotel so I left my baggage and walked around the convention center.  Place was huge.  I'm so glad I researched the hotel before booking and picked the one with the connecting walkway.  I registered with Cisco Live registration, picked up my badge and all was good.  I mostly walked around getting a gauge of where everything was.  Posted a tweet so I could see my picture on the screen.




I'm not a social person at all but thought I would give the Social Meetup a try.  Before the trip I read some tweets about the social media badge and someone complaining they were going to be handwritten, so I created a Twitter handle label before heading down and it seemed to work pretty well for my badge.  The meetup was pretty interesting.  I approached a few people on Twitter that I follow such as @swackhap, @networkingnerd, @ecbanks, @etherealmind, @pjwelcher, @icemarkom, and Cisco Social Queen Bee @commsninja.  Dr. Welcher explained his views on SDN which were interesting.  I hope to see some posts from him on the subject.  It was great to meet the guys behind the packetpushers podcast, certainly a podcast I enjoy listening to.  To my surprise no one was bugging Amy at the moment so I decided to.  I mentioned the geek whispers podcast and spoke briefly about Cisco social media.  I also spoke to quite a few people in the room.  Basically if I saw someone standing alone or maybe 2 people alone, I would walk up and start talking.  I actually ran into someone who knows one of our AMs from our PA branch (that I was meeting with the next day).  One thing I will say is I did notice a few people who would just look at a badge.  If they didn't recognize the name they would move on.  I saw a couple of very awkward interactions between people that made me chuckle actually.  (Not saying mine weren't, it was just funny to watch!)  Eventually I bolted and caught up with an old coworker who also showed up at the convention.  I did make the group picture though :)  I also saw the IT YouTube guy interviewing the old Cisco Live host?



The rest of my conference was filled with sessions sprinkled with visits to World of Solutions.  I visited the Cert lounge and picked up a space pen and CCIE mouse.  Talked to a few vendors for real, some for free junk and T-shirts I'll never wear.  When possible I got smaller sizes for my son to tear up!  I did get the VCE lego set which is pretty funny I think.  It will go well with the lego phone holder on my desk my son made.  Perhaps I can have him make a lego data center to put the vBlock in :)



Monday night was nuts.  I met with a customer team and an AM with his girlfriend who happened to be in the area.  All I'll say is a series of events occurred where my wife said it sounded like a Hangover movie.  I did nothing illegal.  If you know me personally and want to know, just remind me the next time we talk.

I went to the CCIE event the next night which was interesting.  It was funny seeing the signs and jumbo tron with the CCIE logo.  I basically got some food, stood around, and left before they even opened the ride part.  I generally leave alcohol drinking for others.  Mostly to try and avoid situations like in the previous paragraph.  For the record, I didn't drink anything Monday.  One guy even came up to me to strike up a conversation about how it seemed we were the only 2 drinking water, ha.



I thought about going to the Customer Appreciation Event (CAE) but didn't feel like having the same type of food as the previous night.  My wife loves live music, I don't, so why torture myself.  Plus, I just don't see myself going on rides without my kids but with other middle-aged adults.  I did hear the food was good though so that was a miss on my part.

I wish I had made more effort to schedule time with Experts or table talks I just didn't have a particular agenda.  My sessions were all over the map.  OTV, LISP, ISE, Multicast on NX-OS, Wireless, PfR, IGRP (jk).  Man, hearing the sessions from some of the guys who wrote the books on their subjects was just great.  So much comfort in their technologies.



Other news item was I passed my CCDE written, which was nice.  I actually forgot it would renew my CCIE so I'm good until 2016 now.  I may hook up with an old coworker/Barry to take the practical.  Not sure I want to go down that route yet with the studying.

One thing that was different for me than what I've read is how exhausted people were after the event.  If this sort of thing wears you out, you must not work for a VAR!  I couldn't get enough info, I wish I could have fit more in.  Honestly, I wish it was 24/7.  Sessions during the day, labs open day and night to reinforce items.

Another thing I forgot to mention was the keynotes.  I started walking into the first one, screw that.  I turned around, grabbed a coffee, parked on a comfy couch and watched on my iPad while catching up on work.  I missed Richard Branson's close out but I had no interest in that anyway.  If he was going to show me something like best practices on the ASA I'd be in, otherwise go back to flying planes or whatever he does.

Thursday, June 13, 2013

Attended first VMware VMUG #PRVMUG

I attended my first VMUG in Washington DC today.  I have to say it was an enjoyable experience.




The day was looking shaky as we were supposed to get terrible storms in the area but it didn't affect the conference at all.  I headed out early to get to the conference but sadly I arrived a little late due to traffic and my GPS getting all upset about Rock Creek Pkwy not being available.  I arrived in time to hear the keynote from Chris Colotti.  Keynote focused mostly on vCloud but it was still interesting.  Chris was engaging.

I met with a few vendors.  Everyone was respectful.  A few vendors we are already partners with (Cisco, EMC, VMware, VEEAM) so it was good to see them again.  New vendors had some interesting products I need to follow up on.  I'm sure they'll call me to remind me.  My son got tons of toys from the event, he loves this stuff :)

The first session I hit today was Evolving the Data Center to Private Cloud by Cisco.  The presentation was mostly basic level Nexus 1000v and Cisco UCS.  It was interesting hearing some of the questions from the crowd.  So unfamiliar with even the basic idea of UCS.  It was surprising to me but I guess that's why you have presentations :).

My second session was Tales from the Field, Don't Let This Happen to Your VMs by VEEAM.  The presenter did a good job presenting his material.  The presentation was more about what VEEAM is than Tales from the Field.  I was hoping for some war stories and how VEEAM saved the day.  They had a couple of tweet quotes about the speed of VEEAM, I suppose that's a Tale from the Field.

Lunch was good, no complaints there.  Some of the conference rooms were a little warm.  Coffee kept flowing (probably the most important thing to me overall!).  I ran in to one of our good customers at the end of lunch.  I had no idea he was coming to the VMUG but glad he did.  We actually hit all the same sessions in the afternoon.  I also briefly met Greg Stuart (vDestination).  Nice Guy.  Great Blog you should check. --> http://vdestination.com/

The Q&A session was OK.  I didn't ask any questions so I can't really complain.  Some other attendees asked some network virtualization questions and the experts responded with "I wish Scott Lowe was here."  They answered the questions but didn't seem to care to.  It's funny how virtualization guys view networking.

My afternoon sessions were Performance Best Practice for vSphere, A Guide to vSphere Distributed Switch (DRS) Deployments, and vCenter 5.1 Technical Deep Dive.  All 3 sessions were run by VMware.  My favorite sessions of the day were performance and the deep dive, both presented by Aries Youssefian.  He obviously works in the trenches and his presentation showed it.  Performance mostly showed use cases for ESXtop, obviously a tool I need to become more familiar with.  The deep dive session focused on SSO for the most part, but I didn't mind it, they only had 45 minutes for a session after all.  That's probably the biggest pain point of 5.1.  The DRS session was hurting a little but I think that is because they had a last minute change for the presenter.

Overall, I enjoyed the conference.  I'm glad I went and look forward to more.  I encourage people to sign up to their local VMUG!!  It's free!!!  Just wish I could go to VMworld :)

http://www.vmug.com/


Sunday, June 09, 2013

Cisco Console Access on Mac

When I switched over to Mac, one of the first things I needed to get working was telnet/ssh/console access to networking devices.  I browsed around the google for suggestions.  In Linux I used the built-in console for telnet/ssh and minicom for console access and these worked well for me, but I did wish at times that I had 1 tool to rule them all.  Just never got around to figuring that out.

On the Mac, I didn't care much for the standard terminal client.  I quickly found iTerm2.  iTerm2 doesn't support serial console connections natively.  The Networking Nerd, Tom Hollingsworth (great blog you should follow) suggests using ZTerm.  I was really hoping to get away with just using iTerm2 though.  Basically I settled on using a program that is built in to the Mac called screen and having iTerm2 call it up when needed.

I use 2 console cables.

Trendnet TU-S9 USB to RS232 Serial:

Cisco Console mini USB Type-B to Type-A

My MBP has 2 USB ports, 1 on the left side, 1 on the right.  When you attach a USB cable to your Mac the device will show up in your dev folder.  The dev folder sits at root / and contains all files that represent peripheral devices.  Check it out.  Open terminal and run "ls /dev".  This lists everything in /dev.
Plug in your USB cable; from what I understand, most serial/USB adapters are pretty similar and show up as PL2303-####.

Check by running "ls /dev | grep PL" in terminal; you should see the serial cable.

Mikes-MacBook-Pro:~ mikemunoz$ ls /dev | grep PL
cu.PL2303-00001014
tty.PL2303-00001014
Mikes-MacBook-Pro:~ mikemunoz$

You'll want to make note of the tty for both cables on all USB ports.

iTerm2 allows you to use profiles to set parameters for different sessions.  This is what I used to have iTerm2 run serial connections.
I created 4 profiles so I could use the serial or USB cables.  Left side has serial and USB, Right side has  serial and USB.  You'll notice that when you look at the TTY when plugging in the cables, it changes slightly depending on the USB port used.

Open iTerm2
Go to Profiles
 - Open Profiles
 - Edit Profiles
  - Bottom Left +

I named my profiles
 Right-Serial
 Left-Serial
 Right-CiscoUSB
 Left-CiscoUSB

On the command line you type in screen /dev/tty.PL2303-00002014 9600.
Basically you are calling screen up to use the device with the standard 9600 baud rate.
My settings:


Look through other settings, change what you like.

When needed I just call up the Profile and select the one I need.  (⌘O)  You could set shortcuts under each profile if that's your thing.

I will add that I ran into a common problem when first using the serial adapter: it would crash the Mac when going to sleep or when just yanking out the cable without exiting the terminal.

Installing the md_PL2303_MacOSX10.6up drivers by Prolific resolved this problem for me.
The Prolific site requires you to log in to download the drivers (GUEST for user and pass).  Download

Monday, June 03, 2013

EMC Unisphere Service Manager (USM) problems with VMware Fusion

I recently tried to get Unisphere Service Manager (USM) running on my Mac with VMware Fusion and was having a terrible time with it.  I would see the spinning ball logo and it would never completely load.


For the life of me I could not get this thing to load.
I'm running a MacBook Pro 2.7 GHz 10.8.3 - 16 GB memory.
Fusion is loaded with Windows 7 64 bit.
I tried different versions of Java, different versions of USM, nothing changed.
I even loaded new VM's thinking maybe I loaded software that conflicted.  No change.
Loaded 32 bit and 64 bit VM's, same thing.

I gave the USM to my son to load on his MBA with Fusion and it worked!?  After laughing at me and giving me the manual he was nice enough to share his Fusion VM with me.  I loaded the VM and it worked on my machine.  I started working my way backwards to set his VM like mine as close as possible.  I finally found the problem.  The desktop tab on Mirrored Folders was causing the problem for me.  Checked, it won't load.  Unchecked, loads great.  If you try this yourself, the system will force you to log out for the change to take effect.



Select your VM - Settings - Sharing


I went back to my VM and once the Desktop option was unchecked, the system logs out and back in and now I can load USM no problem.

These options are automatically set when loading the VM in seamless mode.  I suppose if I had loaded isolated mode, this would not have been an issue.  Hopefully this helps the next person.

Friday, April 12, 2013

BGP Email Alert from Router using Cisco EEM

Here was a fun thing.  A customer wanted to get email alerts when BGP changed status on their routers.  I used Cisco Embedded Event Manager (EEM) Scripting to achieve this.

I was able to run this on IOS 15.1(4).


router bgp xx
 bgp log-neighbor-changes

event manager environment _email_to customeremail@customer.com
event manager environment _email_server customer-mail-server.com
event manager environment _email_from Router-Hostname@customer.com
event manager applet BGP-Alert
 event syslog pattern "%BGP-5-ADJCHANGE:*"
 action 1.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time:" body "$_syslog_msg"
 action 1.5 syslog priority notifications msg "BGP Message - Mail Sent"


Configure the BGP process to log neighbor changes.
When the router matches a syslog entry for %BGP-5-ADJCHANGE: an email will be generated using the environment parameters you set.
The router will also log a message in syslog that the mail was sent.

Keep in mind the IPs of the router's interfaces will need to be allowed to send mail on your mail server.  If this isn't working for you, run a debug on EEM.  If the problem is the mail server rejecting the mail, it is pretty easy to decipher.

Sample down message:

From: Router-Hostname@customer.com

2883577: .Apr 10 02:45:59.928 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap
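An added example, not from the original post: a shell function for the receiving side (a mail filter or ticketing script) that parses %BGP-5-ADJCHANGE lines like the sample above into neighbor, state and reason, and uses its exit status to flag Down events so only those need to page anyone.  The second sample line (an Up event) is constructed; the timestamps and sequence number in it are made up.

```bash
# Added example (not the post's config). Parses the syslog text that the
# EEM applet mails out. Works in POSIX sh; no external tools needed.

# Usage: bgp_adjchange "<syslog line>"
# Prints "neighbor=<ip> state=<Up|Down> reason=<text>".
# Returns 0 for Up, 1 for Down, 2 if the line is not an ADJCHANGE message.
bgp_adjchange() {
    line=$1
    case $line in
        *"%BGP-5-ADJCHANGE: neighbor "*) ;;
        *) return 2 ;;
    esac
    # Everything after the message tag: "<ip> <Up|Down> [reason...]"
    rest=${line#*"%BGP-5-ADJCHANGE: neighbor "}
    neighbor=${rest%% *}
    rest=${rest#* }
    state=${rest%% *}
    reason=${rest#"$state"}
    reason=${reason# }
    printf 'neighbor=%s state=%s reason=%s\n' "$neighbor" "$state" "$reason"
    [ "$state" != "Down" ]
}

# Constructed samples: the first is the post's down message, the second a
# made-up matching up message.
SAMPLE_DOWN='2883577: .Apr 10 02:45:59.928 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Down Interface flap'
SAMPLE_UP='2883578: .Apr 10 02:47:12.101 EDT: %BGP-5-ADJCHANGE: neighbor 5.5.5.5 Up'

# Walks the samples and reports which ones would warrant a page.
demo_bgp_adjchange() {
    for l in "$SAMPLE_DOWN" "$SAMPLE_UP"; do
        if bgp_adjchange "$l"; then
            echo "  -> informational"
        else
            echo "  -> ALERT: session down"
        fi
    done
}
```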


Cisco EEM Best Practices:
https://supportforums.cisco.com/docs/DOC-12757

Cisco EEM Basic Overview and examples:
https://supportforums.cisco.com/docs/DOC-27996