
28 Mar 17 Finding information in Linux

Linux Commands To Find Information

Linux is very flexible, and people do all kinds of things with it so that it can be utilized in the best way possible depending on the environment. Linux offers some awesome command line tools and the list is huge, but I’d like to share a few that I used recently here for future reference, and I might keep adding to this list as I encounter more.

grep – This basically allows you to find files and even lets you search text within files. It is a pretty powerful command and gets used a lot, especially by Linux Admins. I recently had a need where I needed to verify some information from a whole bunch of files in a directory and confirm if a specific IP Address is in any of the files. Opening each file and trying to find it was not an option. That is where grep saved the day.

grep -R "1.1.1.1" /dir/next-dir/

This command basically allowed me to search for the IP Address 1.1.1.1 in all files located in that directory. I was able to replace the IP Address with something else and searched for that as well. I’m sure it can be used in so many other ways depending on the situation and need.

netstat -an | grep PORTNUMBER | grep -i listen

This particular command basically allowed me to confirm if a specific port is open or not as I was trying to troubleshoot issues with connectivity to a particular system and firewall rules.

ip route get "ip-address"

This particular command allowed me to find out if there is a route available to a specific IP Address.


13 Feb 17 Brocade ICX 6450-24P PoE and PoE+

Brocade ICX 6450-24P PoE and PoE+ Limitations and Configuration

I recently ran into a minor issue when I was connecting Cisco Meraki MR72’s to a Brocade ICX 6450-24P. I connected 13 Cisco Meraki MR72’s. I was consoled into the switch, so I noticed all ports showed getting power but the PoE was denied on port ethernet1/1/24. Looking at the command show inline power I noticed that all Cisco Meraki MR72’s were showing up as Class 4 and ports were doing by default 802.3at/30,000mWatts, which means my 13th Access Point was not getting any power because ethernet1/1/24 had only 10,000mWatts left.

In order to resolve this so that I could get the last Cisco Meraki MR72 online, I first confirmed the power these Access Points require. According to the documentation for Cisco Meraki MR72’s, they do support 802.3af. My next step was to update the ports on the Brocade ICX 6450-24P as follows:

interface ethernet 1/1/24
dual-mode 1
disable
spanning-tree root-protect
spanning-tree 802-1w admin-edge-port
inline power power-limit 15400
! ^ THIS COMMAND BASICALLY FORCED THE PORT TO LIMIT THE POWER
stp-bpdu-guard

After I ran the above command inline power power-limit 15400 under a couple of ports I had enough power available and was able to successfully bring all 13 Access Points online. Here is a document that shows ICX 6430 – 6450 Data Sheet. Also check out the picture below; basically, on a 24 port switch, if you want all 24 ports to be able to operate at PoE+ you will need an additional power supply.


01 Feb 17 My CCNA Wireless Journey

My CCNA Wireless Journey, Study Methods and Resources

So finally on Jan 9th, 2017 I was able to pass my CCNA Wireless. This has been long overdue and I have been so busy that I never had the chance to sit for the exam. I’d like to share some excellent websites, articles and blogs that I utilized while studying for my CCNA Wireless. I’m listing them all here so that I can utilize them in the future as well, as I am planning on taking more wireless certifications.
Cisco WLC Best Practices
WLC Best Practices – Cisco
Configuring RADIUS Server Cisco ISE
Load Balancing and Band Select
Wired Guest Access – Cisco
MIMO for dummies
MIMO – Meraki
Cisco WLC Products
Cisco Wireless Design Guides

Some good sites on Medium Contention, Traffic Flow
802.11 DCF
802.11 Medium Contention
DCF and PCF
Traffic Flow

These are some excellent blogs that I spent a lot of time on. They cover a wide range of topics such as security, mobility, product knowledge etc.
Jennifer Huber Blog
MRN CCIEW Blog
George Stefanick’s Blog

18 Jan 17 Using SNMPWALK and PortQry tools

SNMPWALK and PortQry tools in Windows

We all know that Linux offers some built-in tools that are great for troubleshooting purposes; however, Windows Operating Systems have limitations. Me being primarily a Windows user (fan of CLI and CLI based tools), I am always looking for different tools. In this post I want to mention two tools that I have been able to use successfully.

My recent use was trying to troubleshoot SNMP on two switches. I was able to use snmpwalk to test SNMP and then utilize PortQry to check the ports via CLI. Here is my method and results:

Non Working – snmpwalk
COMMAND SYNTAX: snmpwalk -r:"ip-address" -c:"community-name" -v:2

Non Working PortQry Test
COMMAND SYNTAX: pq -n "ip-address" -cn !community-name! -e 161 -p udp

So above I have SNMP testing to a non-working switch. snmpwalk fails right away and PortQry shows that the port is filtered; it should say “LISTENING” like in the next example.

Working – snmpwalk
COMMAND SYNTAX: snmpwalk -r:"ip-address" -c:"community-name" -v:2

Working PortQry Test
COMMAND SYNTAX: pq -n "ip-address" -cn !community-name! -e 161 -p udp


25 Nov 16 Cisco 1142 not joining Cisco 2504 WLC

%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID

Recently I was setting up my lab environment with a Cisco 1142 Access Point and a Cisco 2504 Wireless LAN Controller and I ran into a minor issue. Cisco 1142 Access Point was not joining the WLC. I was getting the following error message when I consoled into the access point.

*Jan 1 04:35:10.126: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Jan 1 04:35:10.317: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:333 Certificate verified failed!
*Jan 1 04:35:10.317: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP: 192.168.10.41
*Jan 1 04:35:10.318: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.168.10.41:5246
*Jan 1 04:35:10.318: %DTLS-3-BAD_RECORD: Erroneous record received from 19: Malformed Certificate

Initially I kinda jumped on the certificate issue and ran the following commands to resolve the issue, thinking perhaps there actually is an issue with the certificate on the WLC or the Access Point:

(WLC1) >show certificate summary
Web Administration Certificate................. 3rd Party
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
Lifetime Check Ignore for MIC ................. Disable
Lifetime Check Ignore for SSC ................. Disable

(WLC1) >config ap cert-expiry-ignore mic enable

(WLC1) >config ap cert-expiry-ignore ssc enable

(WLC1) >show certificate summary
Web Administration Certificate................. 3rd Party
Web Authentication Certificate................. Locally Generated
Certificate compatibility mode:................ off
Lifetime Check Ignore for MIC ................. Enable
Lifetime Check Ignore for SSC ................. Enable

This however did not resolve my issue and the Cisco 1142 still was not joining the 2504 WLC. With a little bit more checking I felt pretty embarrassed because I realized that the time on the Cisco 2504 WLC was wrong. So I fixed the time and date on the Cisco 2504 WLC; as a result, the Cisco 1142 Access Point successfully joined the controller.
The lesson in this is that sometimes the issue is right there in front of you and is pretty simple :). By the way, here is a good write up on Access Points and certificates: Lightweight AP – Fail to create CAPWAP/LWAPP connection due to certificate expiration
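
An added example (not part of the original post) that applies this lesson to the console log above: it extracts the validity start from each %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID line and compares it with a trusted clock, so a wrong device clock can be told apart from a certificate that really is not valid yet. The function name `diagnose`, its `trusted_now` parameter and the verdict labels are assumptions made for this sketch; the sample lines are copied from the log above.

```python
import re
from datetime import datetime, timezone

# Lines copied from the AP console log in the post above.
SAMPLE_LOG = """\
*Jan 1 04:35:10.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.10.41 peer_port: 5246
*Jan 1 04:35:10.316: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 4E0E3D20000000116445) is not yet valid Validity period starts on 21:44:46 UTC Dec 7 2011
*Jan 1 04:35:10.317: %CAPWAP-3-ERRORLOG: Certificate verification failed!
"""

# A leading "*" on an IOS timestamp marks the clock as not authoritative
# (never set, or not synchronised to a time source).
NOT_YET_VALID = re.compile(
    r"^(?P<unsynced>\*?)(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+: "
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID:.*?\(SN: (?P<serial>[0-9A-F]+)\)"
    r".*?Validity period starts on (?P<start>\d\d:\d\d:\d\d UTC \w{3}\s+\d+ \d{4})"
)


def diagnose(log_text, trusted_now):
    """Return one finding per NOT_YET_VALID line in log_text.

    trusted_now is a timezone-aware UTC datetime taken from a clock you
    trust (assumption: an NTP-synced workstation), never from the device
    that produced the log.
    """
    findings = []
    for line in log_text.splitlines():
        m = NOT_YET_VALID.search(line)
        if not m:
            continue
        valid_from = datetime.strptime(
            m["start"], "%H:%M:%S UTC %b %d %Y"
        ).replace(tzinfo=timezone.utc)
        # If the certificate is already valid in real time, the device that
        # rejected it is running with a clock set too far in the past.
        verdict = "clock" if valid_from <= trusted_now else "certificate"
        findings.append({
            "serial": m["serial"],
            "device_stamp": m["stamp"],
            "clock_unsynced": m["unsynced"] == "*",
            "valid_from": valid_from,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, datetime.now(timezone.utc)):
        print(f["serial"], f["valid_from"].isoformat(), f["verdict"],
              "(device clock not authoritative)" if f["clock_unsynced"] else "")
```

A "clock" verdict points at time and date settings (or NTP) on the devices involved, which keeps the certificate lifetime checks shown earlier in their default state.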


11 Nov 16 Brocade ICX 6450 PoE Configuration

Enabling Power over Ethernet on Brocade ICX6450

Recently I configured a Brocade ICX6450 PoE switch on the network and all was working well until my customer hooked up a phone to one of the ports I configured. I was told that the phone won’t power on. Now on a Cisco PoE Switch, I’m used to just simply plugging in phones and getting power. With the Brocade ICX6450 I needed to perform some additional steps to get it working.

First I ran the following command to check the PoE Status on the port in question:


show inline power 3/1/17
This gave me the following results:
Port     Admin  Oper   ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State  State  Consumed  Allocated                          Error
--------------------------------------------------------------------------
3/1/17   Off    Off    0         0          n/a      n/a       3    n/a

As you can see, under “Admin State/Oper State” both are showing “Off”, which means Power over Ethernet is not enabled on these ports. So in order to enable it I needed to do the following:


conf t
!
interface ethernet 3/1/17 to 3/1/24
inline power
! note: no inline power will disable it
-------------------------------------------------------------------
Now let’s look at it again:
Port     Admin  Oper   ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State  State  Consumed  Allocated                          Error
--------------------------------------------------------------------------
3/1/17   On     Off    0         0          n/a      n/a       3    n/a


Port     Admin  Oper   ---Power(mWatts)---  PD Type  PD Class  Pri  Fault/
         State  State  Consumed  Allocated                          Error
--------------------------------------------------------------------------
3/1/1    Off    Off    0         0          n/a      n/a       3    n/a
3/1/2    Off    Off    0         0          n/a      n/a       3    n/a
3/1/3    Off    Off    0         0          n/a      n/a       3    n/a
3/1/4    Off    Off    0         0          n/a      n/a       3    n/a
3/1/5    Off    Off    0         0          n/a      n/a       3    n/a
3/1/6    Off    Off    0         0          n/a      n/a       3    n/a
3/1/7    Off    Off    0         0          n/a      n/a       3    n/a
3/1/8    Off    Off    0         0          n/a      n/a       3    n/a
3/1/9    Off    Off    0         0          n/a      n/a       3    n/a
3/1/10   Off    Off    0         0          n/a      n/a       3    n/a
3/1/11   Off    Off    0         0          n/a      n/a       3    n/a
3/1/12   Off    Off    0         0          n/a      n/a       3    n/a
3/1/13   Off    Off    0         0          n/a      n/a       3    n/a
3/1/14   Off    Off    0         0          n/a      n/a       3    n/a
3/1/15   Off    Off    0         0          n/a      n/a       3    n/a
3/1/16   Off    Off    0         0          n/a      n/a       3    n/a
3/1/17   On     Off    0         0          n/a      n/a       3    n/a
3/1/18   On     Off    0         0          n/a      n/a       3    n/a
3/1/19   On     Off    0         0          n/a      n/a       3    n/a
3/1/20   On     Off    0         0          n/a      n/a       3    n/a
3/1/21   On     Off    0         0          n/a      n/a       3    n/a
3/1/22   On     Off    0         0          n/a      n/a       3    n/a
3/1/23   On     Off    0         0          n/a      n/a       3    n/a
3/1/24   On     On     2441      4955       802.3af  Class 2   3    n/a

Now you can see that the “Admin State” of Power over Ethernet is showing “On”. When my customer plugged in the phone, it came online successfully. I do not know why Brocade ICX6450 has it like this, seems very unproductive but oh well, it’s Brocade.

I’d like to also add a link to Brocade’s Switch Administration Guide that has some additional details if someone is interested. FastIron Ethernet Switch Administration Guide Supporting FastIron Software Release 08.0.30


07 Oct 16 Brocade 6450 switching to Routing Code

Brocade 6450 switching to routing Code

So recently I had to work on a Brocade 6450 Switch. I needed to create SVI’s on the switch but I was not able to do that with a switch right out of the box. Reason is because by default it uses the “switching code”, when you do “show ver” you will see “S” in the code. But you can do “show flash” and you will see a secondary flash code with “R” in there. That is the code that allows you to make it a L3 switch. Here is what I did to make it a L3 switch:

conf t
!
boot system flash secondary
wr mem
##### Verify ######
show boot (Make sure secondary is default)
###################
reload

Once the switch came back up it was in L3 mode and I was able to create SVI’s. This was done on a switch with no configuration on it. If someone decides to do it on a production switch, make sure you back up your configuration and keep in mind that this process will cause down time.


29 Aug 16 Password Recovery Cisco 1841 Router

Password Recovery on Cisco Router

This is just a quick post for my reference on how to do password recovery on a Cisco Router. Recently I had to do it on a Cisco 1841. Here are my steps:

    Boot up the router with a console cable and then from terminal emulation software hit pause/break
    Router will get to prompt
    Type confreg 0x2142
    Next prompt
    Type reset
    Once the router reloads it will not have a password.

The first thing I like to do is right away run the following commands, otherwise if I reboot the router it will continue to go back to the default settings and nothing will be saved.

config t
!
config-register 0x2102


21 Apr 16 PRI Error – L2IF_SendPkt Failed

Voice PRI Error on Cisco Router – TEI_ASSIGNED – **ERROR**: L2IF_SendPkt: idb is NULL – **ERROR**: process_rxdata:L2IF_SendPkt Failed

Recently I ran into a voice PRI issue. Customer was unable to make any calls and the command show isdn status displayed the following result:

Global ISDN Switchtype = primary-ni
ISDN Serial0/1/0:23 interface
dsl 0, interface ISDN Switchtype = primary-ni
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x807FFFFF
Number of L2 Discards = 0, L2 Session ID = 33
Total Allocated ISDN CCBs = 0

After reviewing everything in the Cisco Call Manager and physical connectivity, as well as verifying that the circuit is good, I decided to run a debug with the following command: debug isdn q921. I received the following output:

Apr 5 15:08:15.976: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:15.976: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:15.976: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:16.980: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:16.980: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:16.980: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:17.984: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:17.984: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:17.984: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:19.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:19.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:19.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:30.028: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:30.028: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:30.028: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:31.032: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:31.032: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:31.032: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:32.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:32.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:32.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed
Apr 5 15:08:33.036: ISDN Se0/1/0:23 Q921: User RX <- SABMEp sapi=0 tei=0
Apr 5 15:08:33.036: ISDN Se0/1/0:23 **ERROR**: L2IF_SendPkt: idb is NULL
Apr 5 15:08:33.036: ISDN Se0/1/0:23 **ERROR**: process_rxdata:L2IF_SendPkt Failed

After some research and looking at the router config this ended up being the culprit:

interface Serial0/1/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager
! ^ THIS COMMAND WAS MISSING
no cdp enable

After I added that command isdn bind-l3 ccm-manager back under the interface, calls started to work and my show isdn status returned to MULTIPLE_FRAME_ESTABLISHED. Comparing the two results, you can see that the working one shows that Q.931 is backhauled to CCM Manager, whereas the non-working one does not say that.

Global ISDN Switchtype = primary-ni

%Q.931 is backhauled to CCM MANAGER 0x0003 on DSL 0. Layer 3 output may not apply

ISDN Serial0/1/0:23 interface
dsl 0, interface ISDN Switchtype = primary-ni
L2 Protocol = Q.921 0x0000 L3 Protocol(s) = CCM MANAGER 0x0003
Layer 1 Status:
ACTIVE
Layer 2 Status:
TEI = 0, Ces = 1, SAPI = 0, State = MULTIPLE_FRAME_ESTABLISHED
Layer 3 Status:
0 Active Layer 3 Call(s)
Active dsl 0 CCBs = 0
The Free Channel Mask: 0x807FFFFF
Number of L2 Discards = 0, L2 Session ID = 33
Total Allocated ISDN CCBs = 0


09 Apr 15 ip nat outside

IP NAT Outside

NAT – Network Address Translation can at times be a complicated process depending on what you are trying to do, and how it gets configured on a Cisco Router vs Cisco ASA’s is a bit different as well. This post is about a recent NAT configuration on a Cisco Router that I had to do. The need was to translate an Outside IP address that belonged to a server in our Data Center (Outside Global) into another IP address at a branch location as an Outside Local. Example network scenario:

Local Subnet at Branch = 172.16.1.0/24
Server IP at Data Center = 10.10.10.250
NAT IP for the server = 2.2.2.2

Basically the need was to translate 10.10.10.250 to 2.2.2.2 at the local branch. Usually it is the other way around, where we NAT all the internal IP Addresses going out. However, in this case we were trying to do the reverse. The following commands were used:

ip nat outside source static 10.10.10.250 2.2.2.2
!
Interface fa0/0
description ### WAN ###
ip nat outside
!
interface fa0/1
description ### LAN ###
ip nat inside

Now when the clients from the 172.16.1.0/24 network attempted to connect to 2.2.2.2, the branch router would translate that to 10.10.10.250 and route it to the Data Center server. The return packet would come from 10.10.10.250 and would get translated to 2.2.2.2 and then go to the client(s) on the 172.16.1.0/24 network.
