Networking
Network Ports
TCP
21 ftp
22 ssh
23 telnet
6642 TIBCO Spotfire Pro Server
8111 Isentris application server (main web gui used in URL)
8405 Isentris admin
23221 Isentris back end server
UDP
Network technologies, standards, info.
802.3ad IEEE standard for link aggregation (LACP), replacing proprietary protocols
such as Cisco EtherChannel/PAgP that required the same vendor on both ends.
Provides more bandwidth and redundancy. Ratified in 2000.
802.3af Power over Ethernet over existing Cat 5, using 2 of the 4 pairs (4 wires).
48 V DC nominal (44-57 V), up to 350 mA, 15.4 W at the switch port, 12.95 W at the powered device.
Contains a detection mechanism: only equipment presenting the 25 kohm PoE signature gets power,
so it is safe to mix old (non-PoE) and new equipment on the same switch.
802.1q aka dot1q. VLAN tagging (4-byte tag carrying the 12-bit VLAN ID and a priority field).
802.11 WiFi. b=11 Mbps at 2.4 GHz, a=54 Mbps at 5 GHz, g=54 Mbps at 2.4 GHz (same band as b,
backward compatible with it), n=up to 600 Mbps with MIMO on either band (150 Mbps per stream).
Loose ends
List of configuration files that need to be updated when moving a machine from one IP/subnet to another.
solaris:
/etc/hostname.hme0 {name or ip of the interface}
/etc/nodename
/etc/inet/hosts
/etc/inet/netmasks
172.27.4.0 255.255.252.0 # fffffc00, a /22: four class-C-sized blocks .4, .5, .6 and .7
# broadcast is 172.27.7.255
172.27.28.0 255.255.255.0 # normal /24 (class C sized).
/etc/resolv.conf
/etc/nsswitch.conf
/etc/defaultrouter
/etc/defaultdomain {sets the NIS domain name}
/var/yp/binding/`domainname`/ypservers {ypbind uses this to find the list of NIS servers}
Note that a system that uses NIS but does not have its network set up properly
will have trouble at boot time, because NIS hangs the boot process. It starts before inetd,
so you can't even telnet in (normally NIS is started first so that telnet can authenticate NIS users).
Switch Port Tech
Port      Speed    Technology                     SERDES lanes         Cable plug type
------    ------   ----------------------------   -----------------    -----------------------
GBIC      1G       1G ethernet, very old now      1x1.25 Gbps          SC
SFP       1G       1G ethernet                    1x1.25 Gbps          LC (or RJ45 copper SFP)
SFP+      10G      10G ethernet                   1x10 Gbps            LC
SDR/DDR   10/20G   InfiniBand 4x (older)          4x2.5 / 4x5 Gbps     CX4 or QSFP
QSFP+     40G      40G ethernet, IB QDR           4x10 Gbps            MTP/MPO (SR4), LC (LR4)
QSFP+     56G      IB FDR                         4x14 Gbps            MTP/MPO
QSFP28    100G     100G ethernet, IB EDR          4x25 Gbps            MTP/MPO (SR4), LC (LR4)
QSFP56    200G     IB HDR (HDR100 = 2x50 split)   4x50 Gbps (PAM4)     MTP/MPO
QSFP ports are wider than SFP ports, but not 4x as wide, at least not physically :P
NOTE:
Each cycle at 1 GHz takes 1 ns.
It takes about 1 ns for light in vacuum to travel 1 foot (and roughly 5 ns per metre in fiber).
MMF = MultiMode Fiber - only for SR (short reach) optics, eg up to ~100 m for 40G/100G SR4 and 300 m for 10G SR on OM3. Cheaper optics and cables. 850 nm wavelength.
SMF = SingleMode Fiber - typically for LR (long reach) optics, eg up to 10 km. LR4 carries 4 wavelengths around 1310 nm (about 1296, 1300, 1305 and 1309 nm), so the 4 SERDES lanes share a single fiber pair. 40G/100G SR4 on MMF instead needs 8 fibers (4 pairs on one MTP/MPO connector).
fiber    type   jacket color      typical use
-------  -----  ----------------  ------------------------------------------------------
OM1/OM2  MMF    orange            1G; 10G SR only to ~33 m (OM1) / ~82 m (OM2)
OM3      MMF    aqua              10G SR to 300 m; 40G SR4 to 100 m; 100G SR4 to 70 m
OM4      MMF    aqua or violet    10G SR to 400 m; 40G SR4 to 150 m; 100G SR4 to 100 m
OS1/OS2  SMF    yellow            LR/ER optics, km distances (10 km LR, 40 km ER)
Ref:
Understanding 100G Transceiver Transmission Principles
Difference between QSFP+ SingleMode vs MultiMode
Cisco
config term
interface fa0/37
no shutdown
spanning-tree portfast # host port: skip the STP listening/learning states and forward immediately
Implications:
portfast does not turn spanning tree off on the port; it only skips the ~30 s of
listening/learning, which is what you want on a port facing a single host.
Such ports are usually also configured with "spanning-tree bpduguard enable": if a switch is
plugged into one and sends a BPDU, the port goes err-disabled and not even the link light
comes up. That is the intended protection against rogue or accidentally cascaded switches.
"shutdown" followed by "no shutdown" brings an err-disabled port back into use.
To legitimately cascade a switch, remove portfast/bpduguard on that port
("no spanning-tree portfast") so normal STP runs there and the uplink is not blocked.
--
show running-config interface gi6/48 ! see config for specific interface
show running-config vlan ! see list of avail vlan, no ports
show vlan brief ! list all vlan and its member ports
show vlan id 1 ! show only info for vlan 1
show interfaces port-channel 2
show etherchannel summary ! (P) means port is up as part of port-channel
show etherchannel 13 summary
show etherchannel port-channel
show int port-channel 14
! when looking at running-config
! an etherchannel (interface Port-channelN) is defined without any port listing;
! search for "channel-group N" under each physical interface definition to see
! which ports are members of a given port-channel.
show interfaces status ! speed/duplex (a-100/a-full = auto-negotiated), vlan, etc
show interfaces status | include a-10 ! include = only lines containing the string (substring match, like grep -F)
show interfaces accounting ! statistics, packets in/out count per protocol
show interface stat
show interface counters
show mac-address-table int gi5/12 ! MACs seen on a specific port
sh ip arp ! find MAC and pair it up with IP
! need to run on the L3 device (router/SVI) to have IP info; a pure L2 switch only has the MAC table.
show mac-address-table dynamic vlan 30 ! list the dynamically learned MAC forwarding (CAM) table for vlan 30
! "fwd" = forwarding: the MAC -> port mapping the switch uses to forward frames
show mac-address-table dynamic | include Fa0/9 ! get the MAC address of the computer on the specified port
--
clear arp ! clear all ARP entries (newer IOS: "clear arp-cache")
! no way to erase a single IP/ARP entry on the IOS in use here
logging console ! send syslog messages (link up/down, err-disable, config changes) to the console;
! on a telnet/ssh session use "terminal monitor" to see them.
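As an added example (not from the original notes), here is a Python script that does the "pair the MAC up with the IP, then find the port" job above offline: it parses constructed sample output in Catalyst-style `show mac address-table` and `show ip arp` format, locates the port an IP lives on, flags ports carrying many MACs (an uplink, a hypervisor, or a host spoofing addresses) and lists ARP entries whose MAC is no longer in the CAM table. The sample tables are made up; the column layout and the crowding threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample output in Catalyst IOS format (not captured from a real switch).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    0011.2233.4455    DYNAMIC     Gi5/12
  30    00aa.bbcc.ddee    DYNAMIC     Po14
  30    0050.5600.0001    STATIC      CPU
  40    00de.ad00.0001    DYNAMIC     Gi5/20
  40    00de.ad00.0002    DYNAMIC     Gi5/20
  40    00de.ad00.0003    DYNAMIC     Gi5/20
Total Mac Addresses for this criterion: 6
"""

# Constructed 'show ip arp' output from the L3 switch holding the SVIs.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.30.15              3   0011.2233.4455  ARPA   Vlan30
Internet  10.0.30.1               -   0050.5600.0001  ARPA   Vlan30
Internet  10.0.30.99             12   00aa.0000.0099  ARPA   Vlan30
Internet  10.0.40.7               0   00de.ad00.0001  ARPA   Vlan40
"""

MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)
ARP_RE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples from 'show mac address-table' output."""
    entries = []
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return entries


def parse_arp(text):
    """Return {ip: (mac, interface)} from 'show ip arp' output."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            arp[m.group(1)] = (m.group(2).lower(), m.group(3))
    return arp


def locate_ip(ip, arp, entries):
    """Map an IP to the (vlan, port) list its MAC was learned on; the switch's own CPU entries are excluded."""
    if ip not in arp:
        return []
    mac, _iface = arp[ip]
    return [(vlan, port) for vlan, m, port in entries if m == mac and port != "CPU"]


def crowded_ports(entries, threshold=3):
    """Ports with >= threshold MACs behind them: an uplink, a hypervisor, or a host spoofing MACs."""
    per_port = defaultdict(set)
    for _vlan, mac, port in entries:
        if port != "CPU":
            per_port[port].add(mac)
    return {p: len(macs) for p, macs in per_port.items() if len(macs) >= threshold}


def stale_arp(arp, entries):
    """ARP entries whose MAC is not in the CAM table for that VLAN (host gone, or it was never there)."""
    cam = {(vlan, mac) for vlan, mac, _port in entries}
    stale = []
    for ip, (mac, iface) in arp.items():
        name = iface.lower()
        vlan = int(name.replace("vlan", "")) if name.startswith("vlan") else None
        if vlan is not None and (vlan, mac) not in cam:
            stale.append(ip)
    return sorted(stale)


if __name__ == "__main__":
    entries = parse_mac_table(MAC_TABLE)
    arp = parse_arp(ARP_TABLE)
    print("10.0.30.15 is on", locate_ip("10.0.30.15", arp, entries))
    print("crowded ports:", crowded_ports(entries))
    print("stale ARP:", stale_arp(arp, entries))
```

Feed it the real output of the two commands (saved from the L3 switch) and the crowded-port list is the first place to look when a MAC shows up where it should not.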
Cisco MDS SAN switch
Cisco MDS 9124 Fibre Channel switch.
Cisco MDS 9222i FCIP switch.
show terminal # display term char
terminal length 0 # disable --more-- paging
terminal session-timeout 0 # expect this to disable auto logout, but then take out "callhome" from running-config
terminal session-timeout 525600 # set to max allowed timeout, no changing "callhome" from running-config
show tech-support details # grab tons of info
show tech-support details create # suppose to prompt for ftp server to put output info to
show running-config diff # see changes that are not saved to startup yet
show accounting log # show a log of changes made on the switch, good to find vsan config changes, etc.
copy running-config startup-config # save run time config to permanent config store
config term # get into config mode using terminal
do (cmd) # run exec mode command while in config mode.
show interface brief # see which port is up, what VSAN it is assigned to, etc
show interface fc1/4 # see all info about port, but not wwn of dev connected to it.
show int mgmt 0 # find IP assigned to the device
show fcs database # see wwn of attached devices (sort by vsan, interface)
show fcs database vsan 300 # for specific vsan (instead of all)
show flogi database # similar to "fcs" above, good in telling vsan assignment problem.
show device-alias database # list attached-pWWN wwn to name map database
show device-alias pending # list what will become live once commit will run
show device-alias pending-diff # diff b/w live database and pending
show zone
show zoneset # display zone info in a slightly different format than show running-config
show zoneset active # any pwwn that is not logged in is missing the * in front; good for spotting problems!
show vsan # list all vsan and which port is assigned to which vsan
show wwn ... # wwn info for switch/port internal wwn
show cli alias # list command aliases
GUI tool.
http://switch-mgmt-ip
download the java program.
- device manager: controls ports, link status, etc. Logs in directly to the switch using the switch's username credentials.
- fabric manager: controls zoning info. Log in to localhost (admin/password),
then discover the switch by entering its IP and the username+password that is
configured on the switch.
EMC recommended best practice is one initiator and one target per zone (single-initiator zoning).
In practice I found placing both target ports of the Clariion in the same zone to have no adverse effect, and it makes for a smaller list of zones.
One host per zone. Even in a cluster access environment, zoning does not include multiple hosts. Storage group configuration in Navisphere provides LUN access to multiple hosts.
! (config term)
device-alias database
device-alias name JAWS3_HBA1 pwwn 10:00:00:00:c9:5f:2e:95
! pwwn can be found from "show fcs database" under attached-pWWNs
! pwwn matches "PortName" in the FLOGI tab of the GUI
exit
! (do) show device-alias pending-diff
! ! will show the new entry as not committed (live) yet
device-alias commit
! zoning is done per WWN of the attached devices,
! not the physical port number of the switch
zone name JAWS3_HBA1-CX3_1828_SPB1 vsan 30
member device-alias JAWS3_HBA1
member device-alias CX3_1828_SPB1
exit
! show running-config will translate the above to
zone name JAWS3_HBA1-CX3_1828_SPB1 vsan 30
member pwwn 10:00:00:00:c9:5f:2e:95
! [JAWS3_HBA1]
member pwwn 50:06:01:69:41:e0:7b:37
! [CX3_1828_SPB1]
zoneset name vsan30_prod vsan 30
member JAWS3_HBA1-CX3_1828_SPB1
! above will add the member, not replace any existing one
! to remove, use "no member"
zoneset activate name vsan30_prod vsan 30
! activation IS needed !!
! can be verified by "show zoneset active"
! add the same host with the alternate SP :
zone name JAWS3_HBA1-CX3_1828_SPA3 vsan 30
member device-alias JAWS3_HBA1
member device-alias CX3_1828_SPA3
zoneset name vsan30_prod vsan 30
member JAWS3_HBA1-CX3_1828_SPA3
zoneset activate name vsan30_prod vsan 30
copy running-config startup-config
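The procedure above (alias, single-initiator zone, zoneset, activate, save) as an added example script, not code from the page: it generates the MDS CLI for every (host HBA, target port) pair so that each zone has exactly one initiator and one target, and it refuses malformed pWWNs, names over the 64-character MDS limit, and one pWWN mapped to two alias names. The pWWN for CX3_1828_SPA3 is constructed, since the page does not list it; the rest are the page's own values.

```python
import re

PWWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)
MAX_NAME = 64   # device-alias and zone names on MDS are limited to 64 characters

# Aliases from the page, plus one constructed pWWN for CX3_1828_SPA3 (the page does not list it).
HOSTS = {"JAWS3_HBA1": "10:00:00:00:c9:5f:2e:95"}
TARGETS = {
    "CX3_1828_SPB1": "50:06:01:69:41:e0:7b:37",
    "CX3_1828_SPA3": "50:06:01:63:41:e0:7b:37",   # constructed, not from the page
}


def check_aliases(*alias_maps):
    """Reject malformed pWWNs, over-long names, and one pWWN mapped to two different names."""
    seen = {}
    for amap in alias_maps:
        for name, pwwn in amap.items():
            if not PWWN_RE.match(pwwn):
                raise ValueError(f"bad pWWN for {name}: {pwwn}")
            if len(name) > MAX_NAME:
                raise ValueError(f"alias name too long: {name}")
            key = pwwn.lower()
            if key in seen and seen[key] != name:
                raise ValueError(f"pWWN {pwwn} mapped to both {seen[key]} and {name}")
            seen[key] = name


def zone_name(host, target):
    """Zone naming convention used on the page: HOSTALIAS-TARGETALIAS."""
    name = f"{host}-{target}"
    if len(name) > MAX_NAME:
        raise ValueError(f"zone name too long: {name}")
    return name


def build_config(vsan, zoneset, hosts, targets):
    """Emit MDS CLI: device-alias database, one zone per (initiator, target) pair, zoneset, activate, save."""
    check_aliases(hosts, targets)
    lines = ["device-alias database"]
    for name, pwwn in {**hosts, **targets}.items():
        lines.append(f"  device-alias name {name} pwwn {pwwn.lower()}")
    lines += ["exit", "device-alias commit"]
    zones = []
    for host in hosts:
        for target in targets:
            z = zone_name(host, target)       # exactly one initiator and one target per zone
            zones.append(z)
            lines += [f"zone name {z} vsan {vsan}",
                      f"  member device-alias {host}",
                      f"  member device-alias {target}",
                      "exit"]
    lines.append(f"zoneset name {zoneset} vsan {vsan}")
    lines += [f"  member {z}" for z in zones]   # adds members, never replaces existing ones
    lines.append("exit")
    lines.append(f"zoneset activate name {zoneset} vsan {vsan}")   # activation IS needed
    lines.append("copy running-config startup-config")            # save on every switch
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(30, "vsan30_prod", HOSTS, TARGETS)))
```

Paste the output into config mode in one go; because the zone names are derived from the aliases, re-running the script with a new host only adds zones and zoneset members, which matches how "member" behaves on the switch.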
Changing a specific port's vsan membership.
In addition to defining zoning info, the switch port that a host is plugged into needs to have its VSAN defined, or else data won't flow through it!
! (config term)
vsan database
vsan 30 interface fc1/2
vsan 30 interface fc1/3
vsan 50 interface fc2/2
vsan 50 interface fc2/3
! etc...
exit
! show flogi database
! is a good way to see if a switch port (host node) is in the desired vsan.
! show interface brief
! should list all switch ports and which VSAN they belong to.
! no assignment will default to VSAN 1
Cascaded (ISL Linked) Switches
In a cascaded switch environment, Inter Switch Links (ISL) can be used to
daisy chain the switches. Port trunking can be used, and all VSANs' data will be carried on this trunk unless it is explicitly configured to carry only certain VSANs.
One switch would act as the "main" and would usually get all the config.
All zone config should be done on the principal switch, and when a downstream switch comes online, it will read such config.
Downstream switches would have some basic info specific to them,
eg port VSAN config would be on each switch.
One piece that I am still not clear on is that ISL linked switches exchange zone config info. A copy running-config startup-config would write such config down on both switches. When one issues commands to remove zoning info, it will probably mean doing the copy run start on both switches, lest the partner has some old info and re-adds it to the running-config when it reboots...
To be safe, config should be saved on all switches, upstream and downstream.
If the downstream switch doesn't have any zoning config at all, then it is fine, and when it reloads it will get the info from the upstream switch. But in a failure scenario, it seems to work out better if each switch has the config. It also
prevents other tools like ESRS from making configs that diverge and create DB discrepancies when both switches reboot,
creating a whole SAN zoning mess.
If the running config is the same on both switches and they reboot, then they will at least provide basic consistency.
Config should be done on the "principal" switch. But if there are NPIV switches involved, then zoning config should be done
on the CORE NPIV switch, even if it is not the principal switch. Again, save running-config on all switches, and check that
"show zoneset active" matches up on both switches!!
show fcs ie
# Figuring out switch connectivity/topology, figure out the switch's WWN
# loc = switch the command ran on
# adj = peer switch (upstream/downstream not shown)
show fcdomain domain-list
# see which one is the principal (upstream) switch
# each vsan has a principal switch; with ISL linked switches, each one could be principal for a different vsan
# zone config should be done on the principal switch to avoid sync problems
# but if NPIV is used, the zoning should be done on the NPIV core switch even if it is not the principal for the vsan
---
show zone pending-diff
# see what changes would take place when making a zoneset live
show zone status
# see how many zones and zonesets there are, and the sync status with other switches
clear zone database vsan N
# hopefully never need to use this
# clears the full zone database on a switch; not sure if it affects the linked switch (parent/child)
zoneset import interface fcX/Y vsan N
# import the zoneset from the switch at the other end of that ISL
# eg use after zone info has been cleared
# or to force the direction of DB sync when two linked switches have out-of-sync DBs.
zoneset import interface port-channel N vsan N
# alternate form when an ISL port channel is in use b/w linked switches
# ISLs can be "bonded" together to create a port-channel, just like on a cisco ethernet switch
zone copy active-zoneset full-zoneset vsan N
# copy the active zoneset into the "full-zoneset" db,
# ie, creating the passive "full zoneset" db from the live current config
# maybe needed if the full-zoneset db is out of sync
# but the live running config from the active zoneset is correct
# bottom line
# if the active zonesets on the ISL linked switches are the same
# then the config is stable
# copy run start (on all switches) from this point would produce a consistent result
# (this dumps the active zoneset config to the config that will be loaded at boot)
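An added Python example, not from the page, for the "check that show zoneset active matches on both switches" step: it parses constructed `show zoneset active` output from two ISL-linked switches, reports zones and members present on only one side, and lists zoned members that are missing the `*` (zoned but not logged in). The two captures are made up; the member line format (`* fcid ... [pwwn ...] [alias]` for logged-in members, bare `pwwn ...` otherwise) is the MDS one described above.

```python
import re

# Constructed 'show zoneset active vsan 30' output from two ISL-linked switches (not real captures).
SWITCH_A = """\
zoneset name vsan30_prod vsan 30
  zone name JAWS3_HBA1-CX3_1828_SPB1 vsan 30
  * fcid 0x610100 [pwwn 10:00:00:00:c9:5f:2e:95] [JAWS3_HBA1]
  * fcid 0x610200 [pwwn 50:06:01:69:41:e0:7b:37] [CX3_1828_SPB1]

  zone name JAWS3_HBA1-CX3_1828_SPA3 vsan 30
  * fcid 0x610100 [pwwn 10:00:00:00:c9:5f:2e:95] [JAWS3_HBA1]
    pwwn 50:06:01:63:41:e0:7b:37 [CX3_1828_SPA3]
"""

SWITCH_B = """\
zoneset name vsan30_prod vsan 30
  zone name JAWS3_HBA1-CX3_1828_SPB1 vsan 30
  * fcid 0x610100 [pwwn 10:00:00:00:c9:5f:2e:95] [JAWS3_HBA1]
  * fcid 0x610200 [pwwn 50:06:01:69:41:e0:7b:37] [CX3_1828_SPB1]
  * fcid 0x620300 [pwwn 10:00:00:00:c9:5f:2e:96] [OLDHOST_HBA1]
"""

ZONESET_RE = re.compile(r"^\s*zoneset name (\S+) vsan (\d+)")
ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan (\d+)")
# '*' marks a logged-in member; offline members are printed without fcid, as a bare pwwn.
MEMBER_RE = re.compile(r"^\s*(\*?)\s*(?:fcid \S+ \[)?pwwn ([0-9a-f:]{23})\]?", re.I)


def parse_active(text):
    """Return (zoneset_name, {zone: {pwwn: online}}), online meaning the '*' marker was present."""
    zoneset, zones, current = None, {}, None
    for line in text.splitlines():
        m = ZONESET_RE.match(line)
        if m:
            zoneset = m.group(1)
            continue
        m = ZONE_RE.match(line)
        if m:
            current = m.group(1)
            zones[current] = {}
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            zones[current][m.group(2).lower()] = (m.group(1) == "*")
    return zoneset, zones


def compare(parsed_a, parsed_b):
    """List human-readable differences between two switches; an empty list means they agree."""
    (name_a, za), (name_b, zb) = parsed_a, parsed_b
    diffs = []
    if name_a != name_b:
        diffs.append(f"active zoneset differs: {name_a} vs {name_b}")
    for zone in sorted(set(za) | set(zb)):
        if zone not in za or zone not in zb:
            diffs.append(f"zone {zone} only on {'B' if zone not in za else 'A'}")
            continue
        ma, mb = set(za[zone]), set(zb[zone])
        for pwwn in sorted(ma ^ mb):
            diffs.append(f"zone {zone}: member {pwwn} only on {'A' if pwwn in ma else 'B'}")
    return diffs


def offline_members(parsed):
    """Members without the '*': zoned but not logged in (wrong VSAN, cabling, or a WWN typo)."""
    _name, zones = parsed
    return sorted((zone, pwwn)
                  for zone, members in zones.items()
                  for pwwn, online in members.items() if not online)


if __name__ == "__main__":
    a, b = parse_active(SWITCH_A), parse_active(SWITCH_B)
    for d in compare(a, b):
        print("DIFF:", d)
    for zone, pwwn in offline_members(a):
        print("OFFLINE:", zone, pwwn)
```

Run it against the saved output from each switch before and after a "copy run start"; a non-empty diff means the full-zoneset databases have drifted and one side needs a zoneset import before saving.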
Non-ISL Linked / "Dumb" Access Gateway switch
If the complexity is not overwhelming and Access Gateway (NPV+NPIV) mode
can be used, this seems to be a much easier config than using ISL.
ISL is good for large fabric interconnects that need multiple VSAN traffic, trunk ports, etc.
Access Gateway mode should be simple and efficient for adding ports to connect
more hosts or tape drives than are available from a single switch,
when all that is needed is a simple extension to add more ports.
Tech jargon:
NPIV - N_Port ID Virtualization: allows a switch F_Port to accept multiple logins (FLOGI/FDISC), ie see multiple WWNs on the same port, without configuring ISL.
NPV - N_Port Virtualization: kind of turns the switch into "HBA mode". The NPV switch's uplink port looks like an N_Port (an HBA port) to the "upstream" switch and presents multiple WWNs through it, much like multiple VMs on one server sharing the same HBA. NPV is like emulating a server.
Brocade doesn't seem to emphasize the difference between NPIV and NPV. It calls the "dumbed down" switch an "Access Gateway" mode switch, so that no programming is done on it.
It merely passes traffic and WWNs to the upstream/parent switch (the non-Access Gateway switch), which has all the zoning info. This has the benefits of saving a Domain ID (the FC standard allows at most 239 per fabric, and vendors qualify far fewer switches per fabric in practice) and removing inter-vendor interoperability problems (because it does not need ISL config). The tech allows "merging" multiple physical switches into a single larger virtual switch with many more ports.
See the Access Gateway whitepaper for more details.
eg in a Dell blade chassis switch where multiple
hosts are consolidated into a single physical port. In Access Gateway mode, the 4 WWNs will show up,
but the fc switch acts transparently, so it avoids the need for an inter-switch link config,
which could be quite painful when different vendors' switches are mixed.
With Access Gateway mode, the zoning is all done by the smart switch, and the blade chassis switch is like a "dummy" or
transparent to all the config.
Technically, E_Ports are used to connect switches together. F_Ports are the ports on the switch that HBA/host nodes connect to. N_Port is the port on the HBA card itself. Access Gateway essentially makes the switch in the blade chassis "disappear" from the logical view of the fabric config, and the upstream switch will see N_Port WWNs connected to it when in fact they are connected to the Access Gateway switch. No E_Port will show up, as ISL is not used.
Essentially, the "smart" (upstream) switch is the NPIV switch, and the "dumb" (downstream, access gateway mode) switch is the NPV switch.
If you want to worry about the difference between NPIV (N_Port ID Virtualization) vs NPV (N_Port Virtualization), there are a couple of blogs explaining it.
Config
feature npiv # enable the npiv feature on the Cisco MDS (off by default on a stand-alone switch)
A Brocade switch that fits inside a blade chassis has Access Gateway config as the default. If not, issue:
switchMode access gateway mode
For the converged (FCoE) Brocade switch, need to go into command config mode via
cmsh
(gets to the ethernet portion of the switch); show run, copy run, etc will work in here.
FCoE is the default; FCoE has the special vlan 1002 dedicated to it.
switchport converged allow vlan all
Cisco Terminal Server
Cisco Terminal Server ref commands
(aka Communication Server?)
To dig out the online doc, go to the section inside IOS
(they don't have terminal server listed as its own section! A site map may help):
-Cisco Product Documentation
-Cisco IOS Software config
-System Software Release 9.21 (or whatever the newest number is)
-Then find the sections called Communication Server ...
(IOS 8.3 and 9.0 have it listed as Terminal Server)
---
(machine at cc is a cisco 2600 series, maybe 2621 (or 2632?))
Connection to a machine via the terminal server:
telnet axecess
> telnet 2.2.2.2 2036
or, for named connections, just enter telnet db03.
other connection commands exist, like
connect db03
rlogin db03
To disconnect from a 'telnet' session to a server, use:
CTRL-SHIFT-6 x, then type 'disc' at the axecess prompt
To generate a BREAK:
CTRL-SHIFT-6 b
Other telnet escape sequences inside the terminal server:
first hit ctrl+shift+6 (ie ctrl+^),
then enter ? for the list of escape sequences for the specific telnet session
with the cisco terminal server.
---
clearing an existing connection (to free the line up for use again)
axecess> enable
password:
axecess# clear line 36
[confirm]
(line 36 was the line of connector 1 line 4, listed as 2036)
(add 2032 to the line/cable number that you want to connect to)
[ from joanne's email:
really just 2000 + line number,
but somehow internally 32 async lines are already reserved.
thus the module we added needs 32 + cable number, prepended with 20 in front.
connector 1 would be 2033 to 2040,
connector 2 would be 2041 to 2048, etc ]
(TBD: cisco*config sample config files after clean up and masking)
Juniper
JunOS
This OS seems pretty weird.
Trying to just find out if a machine is properly connected to it was mission impossible.
Can't even find the MAC address of the host as seen by the switch :(
I don't like it.
Ports start at 0 (eg ge-0/0/0 = FPC 0, PIC 0, port 0).
show version
show | compare
show virtual-chassis
show chassis alarms
show config
# see config of a port
show configuration interfaces xe-0/2/1 | display set
show configuration interfaces xe-0/2/1 | display inheritance no-comments
# get mac address of port:
show ethernet-switching table interface xe-0/2/1 # specific port
show ethernet-switching table # all mac
# find which port a given mac is connected
show ethernet-switching table | match 90:e2:ba:85:59:74
# check the shut status of a port, and the way to shut / no shut the port
show interfaces ge-0/0/18 detail
# disable a port: it is a config change that then gets committed to become live
# (there is no immediate "shutdown" like on Cisco)
configure private # or "configure exclusive"; "edit" is an alias of "configure"
set interfaces ge-0/0/18 disable
show | compare
commit check
commit
# re-enable a port
# essentially, delete the config line that says disable
configure private
delete interfaces ge-0/0/18 disable
show | compare
commit check
commit
# no exact good way to get a compact port list of up/down, try these:
show interfaces | match "interface|description" | except "index|flags|statistics"
show interfaces terse
# but ports without an explicitly written description don't show up in:
show interfaces descriptions
show interfaces # long output with lots of details.
show interfaces ge-0/0/18.0 # specific logical interface (unit 0) info
show interfaces xe-1/2/0 # it will error if nothing is plugged in? ie when no SFP module is plugged in
show interfaces xe-1/2/0 extensive # but still doesn't seem to show the MAC of the connected host (the MAC shown is that of the switch's own port??!)
show interfaces mac-database ge-0/0/18 # I am getting "error: MAC accounting and policing not supported"
# https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/topic-map/mac-accounting.html
# has ways to enable global-mac-statistics, but it is not obvious how to edit/config, or it doesn't work for my switch.
# isn't the MAC a basic element in an L2 switch??!! *sigh*
show ethernet-switching table # not that many entries; I don't think it is the full ARP table known by the switch.
show arp
show arp expiration-time state no-resolve # doesn't seem complete either.
show ethernet-switching mac-learning-log | find xe-0/2/1 # "match" is the grep of JunOS; "find" starts the output at the first match and shows everything after it
show ethernet-switching mac-learning-log | find 90:e2:ba:85:59:74 # n0169 p5p1's mac
show ethernet-switching mac-learning-log | find c8:1f:66:ea:bc:b1 # n0169 em1's mac
show ethernet-switching mac-learning-log | find ge-0/0/18 # ge=rj45 1g. xe=10g
show ethernet-switching interface xe-0/2/1 extensive # still no mac address of the connected device ??
ping 10.0.1.171 record-route # there are interface and mac clauses, didn't work, or I don't know how to use them.
show interfaces descriptions # only those with descriptions?
show interfaces mac-database ge-0/0/18.0
show interfaces detail ge-0/0/18
show interfaces media xe-0/2/1 # mac is Juniper's! 44:f4:77:... pff!
show interfaces statistics
show interfaces brief
show interfaces terse | find xe-0 # shorter summary of port and link status, no mac. and find seems to allow things that grep wouldn't. not sure what's going on with JunOS.
sub commands for show interfaces (in addition to just a bunch of port names):
show interfaces
controller Show controller information
destination-class Show statistics for destination class
detail Display detailed output
diagnostics Show interface diagnostics information
extensive Display extensive output
far-end-interval Show far end interval statistics
filters Show interface filters information
ifl-class IFL classification
interval Show interval statistics
l2-routing-instance Show l2 routing instance data structure
lib-clients Show library clients of DCD
load-balancing Show load-balancing status
mac-database Show media access control database information
media Display media information
policers Show interface policers information
queue Show queue statistics for this interface
redundancy Show redundancy status
routing Show routing status
routing-instance Name of routing instance
smart-sfp-defects Smart SFP defect status
smart-sfp-statistics Smart SFP counters
snmp-index SNMP index of interface
source-class Show statistics for source class
statistics Display statistics and detailed output
terse Display terse output
transport Show interface transport information
Like tcpdump?
monitor traffic
# this is like tcpdump on an interface. Default output is brief (one line per packet, like tcpdump without -v).
# Caveat: it only captures traffic to/from the switch's own control plane (Routing Engine),
# not transit traffic through the port; for transit traffic use port mirroring (an analyzer config).
monitor traffic interface xe-1/2/0
monitor traffic interface xe-0/2/1 no-resolve size 1500 detail
monitor interface xe-1/2/0 # live counter display for the interface, not packets
Rebooting the switch, which also clears out possibly hanging edit sessions
request system reboot in 0 # reboot switch right away (there is still a confirmation)
Arista
Arista command line is very similar to Cisco IOS.
Ports start at 1 (Juniper starts at 0; on Cisco the port number also starts at 1, the 0 in Fa0/1 is the slot).
show running-config interface eth1
show running-config interface eth51/1 # a QSFP28 100G port can be broken out into 4 x 25G ports, thus the x/y syntax
show running-config interface eth1,7 # port list: 1 and 7
show running-config interface eth1-7 # port range: 1 thru 7
clear counters ethernet 30 # reset counters for a specific port (eg eth30)
switchport access vlan N # ie untagged access port
! example of "traditional" network port for host without vlan tagging
interface Ethernet4
switchport access vlan 5
spanning-tree portfast
!
! example of network ports with vlan tag, also allow "untagged" as natively default to vlan 21
interface Ethernet3
switchport trunk native vlan 21
switchport trunk allowed vlan 20-21
switchport mode trunk
spanning-tree portfast
!
# a switch-to-switch trunk allows all VLANs by default unless "switchport trunk allowed vlan" restricts it;
# restricting the list (vlan pruning) is the safer choice
...
int eth 29/1
description "100G link to core switch"
switchport mode trunk
switchport trunk allowed vlan add 1000
end
# create static route
ip route 10.21.0.0/16 10.8.23.1
ip route 10.22.0.0/16 10.8.23.1
vlan 1000
name bldg-A-to-bldg-B
!
end
int vlan 1000
desc bldg-A-to-bldg-B
ip address 10.22.255.254/30
end
# brand new switch, disable zero touch provisioning (ZTP), which would otherwise fetch a config over DHCP
zerotouch cancel # it reboots right away!
# misc one time settings
terminal length 50
no logging console # disable sending log to the console
# create an admin account so we can ssh in (hash masked here)
username admin role network-admin secret sha512 $6$pl/qPWc8xxxxxxxxxxxxxxxxxxxxx
show running-config > scp:tin@10.2.22.2/tmp/run.txt
show startup-config > scp:tin@10.2.22.2/tmp/startup-config.txt
! before sharing a saved config, mask out the "username ... secret sha512 ..." hash near the beginning of the file
copy run start # or write mem
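For the "mask out the secret before sharing a saved config" step above, an added Python example (not the page's code): it redacts the secret material in the common EOS/IOS forms (username secret/password, enable secret, SNMP community, TACACS/RADIUS keys) and separately reports secrets stored in recoverable form (type 0 plaintext, type 7 reversible, enable password instead of enable secret). The sample config and its hash are constructed, and the keyword list is an assumption that covers the common forms, not an exhaustive one.

```python
import re

# Constructed Arista/Cisco-style config excerpt; the hash and keys are fake values, not real credentials.
SAMPLE_CONFIG = """\
!
hostname sw-bldg-a
!
username admin role network-admin secret sha512 $6$pl/qPWc8abcdefgh$FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
username ops secret 0 plaintextpass
enable secret 5 $1$abcd$FAKEHASHFAKEHASH
snmp-server community public ro
tacacs-server key 7 0822455D0A16
!
interface Ethernet4
   switchport access vlan 5
"""

# Each pattern keeps the leading keywords (group 1) and matches only the secret material after them.
# Assumed coverage of common EOS/IOS lines; extend for your platform.
SECRET_PATTERNS = [
    re.compile(r"^(\s*username \S+(?: role \S+)? secret (?:sha512|5|0) )\S+", re.M),   # EOS / IOS
    re.compile(r"^(\s*username \S+ password (?:7|0) )\S+", re.M),                      # IOS
    re.compile(r"^(\s*enable (?:secret|password) (?:sha512|5|7|0) )\S+", re.M),        # IOS / EOS
    re.compile(r"^(\s*snmp-server community )\S+", re.M),
    re.compile(r"^(\s*(?:tacacs-server|radius-server) key (?:7 |0 )?)\S+", re.M),
]


def redact(text):
    """Replace secret material with <REDACTED>; returns (new_text, number_of_replacements)."""
    total = 0
    for pat in SECRET_PATTERNS:
        text, n = pat.subn(r"\1<REDACTED>", text)
        total += n
    return text, total


# Forms in which the secret can be recovered from the config file itself.
WEAK_FORMS = [
    (re.compile(r"^\s*username \S+(?: role \S+)? secret 0 ", re.M), "plaintext username secret (type 0)"),
    (re.compile(r"^\s*username \S+ password (?:7|0) ", re.M), "reversible/plaintext username password"),
    (re.compile(r"^\s*enable password ", re.M), "enable password instead of enable secret"),
    (re.compile(r"^\s*\S+ key 7 ", re.M), "type 7 (reversible) AAA key"),
    (re.compile(r"^\s*snmp-server community \S+", re.M), "SNMP community string present"),
]


def weak_secrets(text):
    """Findings about secrets stored in recoverable form; run on the ORIGINAL text, before redaction."""
    return [desc for pat, desc in WEAK_FORMS if pat.search(text)]


if __name__ == "__main__":
    for finding in weak_secrets(SAMPLE_CONFIG):
        print("WEAK:", finding)
    clean, count = redact(SAMPLE_CONFIG)
    print(f"--- {count} secrets redacted ---")
    print(clean)
```

Run the weak-form check first and fix the config (type 0/7 entries, default SNMP communities) rather than just redacting the copy you share; the switch is still exposed by whatever is left in the file on the box.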
Troubleshooting commands
show interfaces status # brief table view of port, description, link status, vlan
show interfaces status | egrep Et[23]
show mac address-table # MAC forwarding table: vlan, mac, port (not the ARP table; that is "show ip arp" on an L3 interface)
show mac address-table interface ethernet 24 # MAC of the remote host on that switch port
show mac address-table | include Et3 # port 3
show mac address-table | include ac1f.6b # search which port has a given MAC (EOS prints MACs as xxxx.xxxx.xxxx)
# cycle a port
config term
interface ethernet 4
shutdown
no shutdown
show active # show the running config of the interface being edited
end
# remember the transceiver branding has to match the switch vendor, or the port stays down!
show interfaces ethernet 29/1 transceiver properties
Foundry
Foundry network gear commands
Allegedly extremely similar to Cisco, a direct competitor,
though tab completion is not as nice as on Extreme Networks gear.
load balancer:
enable = enter privileged (admin) mode.
show config = show configuration
show version = show sw and hw version
show flash = show firmware/image version number
show tech = pull all the info it can possibly have so that tech support has absolutely everything
show interface ethernet 1 = show eth1 info (duplex, utilization, collisions, etc)
show interface = show all interface information
---
change network mask to /24 (from /20)
ie change ip from 172.16.0.5/20 to 172.16.0.5/24
the ip is inside a vlan
show vlan on the switch had:
PORT-VLAN 361, Name [None], Priority level0, Spanning tree Off
Untagged Ports: None
Tagged Ports: 1 2 ! ports 1 and 2 carry vlan 361 with 802.1q tags; bundling them into one 2 GigE pipe is a separate setting (Foundry calls link aggregation "trunk")
Uplink Ports: None
config term
vlan 361 ! specify the vlan of the network to be configured
! in this case, 361 is the vlan of 172.16.0.0
ip-subnet 172.16.0.0 255.255.255.0 name shared5-1
end
! note that no changes were made to Tagged, so the old settings remain
! presumably, for a tftp config image, better to specify everything
! so as to not leave residue from the previous config and get unexpected results
! then again, a tftp config should completely wipe out the old settings.
config term
ip address 172.16.0.5/24 ! config ip and subnet of the load balancer itself
end
write mem
---
updating firmware (OS)
login via serial (for later reboot monitoring)
enter enable mode
backup the running config (to a tftp server):
copy running tftp ServerIP SavedFileName
eg: copy run tftp 10.0.1.103 nlb.cfg
Note that because of permission problems, one may need to create a file (size 0) in the tftp
server storage dir so that the uploaded file can be written to disk and the copy does not fail.
actually get the image:
copy tftp flash SvrIP FILENAME primary
eg: copy tftp flash 10.0.1.103 BSI07118T8.bin primary
save the old running config:
write memory
reboot the load balancer for the new firmware/OS to kick in
reload
verify the version after reboot.
show ver
---
copy cmd is of the form [FROM] [TO] [additional params]
---
# erase virtual server stuff
# will see this info in 'show server bind'
no server real
no server virtual
# erase ALL config!!
erase start
----
some additional cmds used in cifs but not documented.
show server bind
show server
tcp-age
sticky-age
session-age
server real
no health check
server virtual
no port default translate
no port default dsr (direct server return: the real server replies straight to the client, bypassing the LB)
port default 5001
Extreme Networks
telnet IP
login...
show config = like cisco, config of the switch
show port config = show A=active, R=ready, 10/100 half/full/auto
show port rxerrors = show receive errors
show port txerrors = show transmit errors
show port collisions
config:
config port 1:10 auto on = autosensing config
config port 1:10 auto off duplex full speed 100 = forced config
port id 1:10 is blade 1, port 10. A range can be specified as 1:10-1:20, or a comma list as 1:10,1:15
save config
save the configuration, so boot will come back to this state
option to save as primary or secondary.
(contrast to cisco write mem)
show vlan = list configured vlans
show vlan NAME = list ports used for the specified vlan
show iparp = show arp table
show iparp IP = detailed info about a specific ip, at the arp level.
show iproute
show ip routing info
r = rip
d = direct (connected network)
s = static
show ipr IP / bitMask
show routing info of a specific ip range
eg. 192.168.0.0 / 16 will be for all addresses starting 192.168.*.*,
even if no specific class B net is defined
show ipr stat = show packet discard info per vlan
show ipconfig = ip config, some vlan info
show flow-redirect
policy based flow control
limit what source ip packets go to which output
delete {flow}
remove a specific policy rule about flow control.
show access-list
port blocking features, including ICMP and sub protocols
delete {access-list}
remove a specific acl, eg deny-icmp,
which blocks certain traceroute info (extreme bug?).
download image file prim
should be the one to download a new os into the primary store.
ExtremeNet also supports a secondary image store,
bootable via "use image secondary".
clear counters
reset all counters (collision stats, etc)
upload config tftpSvrIP Filename
save the configuration to the tftp server at IP with name filename
Note that the tftp server may need to have the file pre-created with mode 666 for the write to succeed.
download config tftpSvrIP Filename
grab the complete config for the switch from a file on the remote tftp server.
(never tried)
---
some brief notes when adding an ip to the switch, and upgrading the os via tftp.
config default delete port 23
create vlan temp
config temp ipaddress 172.16.17.50 /20
config temp add port 23
enable ipforwarding temp
--
change the netmask of the switch (by specifying the ip and the new netmask bit count on the main vlan;
each vlan on the switch can have an IP, so specify that IP and the netmask for it)
config shared5-1 ipaddress 172.16.0.1/24
shared5-1 is the vlan name shown in show vlan
/24 is a class-C-sized network; the system automatically converts it to the netmask 255.255.255.0
note that /20 would convert to the netmask 255.255.240.0
---
trunking:
In ExtremeWare "tagging" means 802.1q VLAN tagging on a port (what Cisco calls a trunk port), so one port can carry
several VLANs. Bundling ports 1 and 2 into one 2 GigE pipe is a different feature, "load sharing"
(enable sharing), not tagging.
---
configuring the switch from the ground up.
This was done by jacinto for ngw1; I copied it over, and might have missed a few commands.
# This will ERASE EVERYTHING in the config of the switch, and
# reset to factory defaults.
unconfigure switch all
# do not use bootp, which may get an ip, config, etc that we don't want
disable bootp default
config snmp sysName ngw1-nsw1
# create account for user admin
config account admin
# ngw1-1 is the primary vlan where all linux modules are in
create vlan ngw1-1
config ngw1-1 ipaddress 172.24.53.1/24
config ngw1-1 add port 1:1-1:32
enable ipforwarding ngw1-1
enable rip
config rip add vlan ngw1-1
# ??
config rip txmode v1compatible vlan ngw1-1
# this one assigns an 802.1q vlan id (tag) to the vlan ngw1-1.
# it will need to match on the peer switch for them to actually talk correctly.
config ngw1-1 tag 422
# this is the vip for the load balancer
create vlan ngw1-vip1
config ngw1-vip1 ipaddress 192.168.214.1/24
enable ipforwarding ngw1-vip1
config ngw1-vip1 tag 766
enable rip ngw1
# then there is some port config tagging that I did not fully get.
# port 3:1 is the uplink port (separate vlan)
# port 3:2 is the load balancer
# End result is:
# ngw1-vip1 has 2 ports: untagged: 3:1, tagged: 3:2
# ngw1-1 has ports 1:1 - 1:32 and tagged 3:2
config rip add ngw1-vip1
config ngw1-1 add port 3:2 tagged
config ngw1-vip1 add port 3:2 tagged
config ngw1-vip1 add port 3:1
# (3:2 is added tagged to both vlans, per the end result above; 3:1 is untagged in ngw1-vip1)
---
loading new firmware to the switch
download image 10.0.1.80 FILENAME primary
# also recommended to download to secondary so it can boot in case of disaster
choose which one boots with: use image {primary|secondary} (and use configuration {primary|secondary} for the config)
show version
---
blocking most ICMP with an access list in the cluster
(needed to emulate the production config, where a gateway in the compute modules dying will NOT send ICMP to clients that would make them reset their NFS mounts).
create access-list permit-icmp-vm1-1 icmp dest 172.24.67.0 /24 source any type 3 code 3 permit ports any precedence 10
create access-list deny-icmp icmp dest any source any type 3 code 3 deny ports any precedence 100
The precedence number determines the order in which the switch evaluates these rules:
lowest number = highest priority = applied first (#1).
largest, last applied rule is #25600.
In the above example, ICMP type 3 code 3 from anywhere to the internal 172.24.67.0/24 machines is allowed (precedence 10).
The next rule evaluated (precedence 100) denies all other type 3 code 3 ICMP,
which effectively blocks any such ICMP originating from the cluster machines to the outside.
Other ICMP types are not mentioned by either rule, so they are not affected.
I have no details of what kind of ICMP commands are in type 3 code 3.
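Type 3 code 3 is ICMP destination unreachable / port unreachable, the reply a host sends when nothing is listening on a UDP port such as NFS or the portmapper, which is why blocking it from the cluster hosts keeps clients from tearing down their mounts. The precedence ordering above as an added Python example (not from the page): the two rules become data, a packet is evaluated against them lowest-precedence-first, and two rules sharing a precedence are rejected because their relative order would be undefined. It assumes traffic matching no rule is forwarded (default permit).

```python
import ipaddress

# The two rules from the page, as data. Fields mirror the ExtremeWare syntax:
# create access-list NAME icmp dest DST source SRC type T code C {permit|deny} ports any precedence P
RULES = [
    dict(name="permit-icmp-vm1-1", proto="icmp", dest="172.24.67.0/24", source="any",
         icmp_type=3, icmp_code=3, action="permit", precedence=10),
    dict(name="deny-icmp", proto="icmp", dest="any", source="any",
         icmp_type=3, icmp_code=3, action="deny", precedence=100),
]


def _in(net, ip):
    """True if ip falls inside net; 'any' matches everything."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(rule, pkt):
    """True if this rule applies to the packet (protocol, src/dst networks, ICMP type/code)."""
    if rule["proto"] != pkt["proto"]:
        return False
    if not (_in(rule["source"], pkt["src"]) and _in(rule["dest"], pkt["dst"])):
        return False
    if rule["proto"] == "icmp":
        return rule["icmp_type"] == pkt["type"] and rule["icmp_code"] == pkt["code"]
    return True


def evaluate(rules, pkt, default="permit"):
    """Walk rules in precedence order (lowest number first); the first match wins.
    Assumption: a packet matching no rule is forwarded (default permit)."""
    for rule in sorted(rules, key=lambda r: r["precedence"]):
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return default, None


def icmp(src, dst, typ=3, code=3):
    """Build a packet description; type 3 code 3 = destination unreachable / port unreachable."""
    return dict(proto="icmp", src=src, dst=dst, type=typ, code=code)


def validate(rules):
    """Reject two rules with the same precedence, whose relative order would be undefined."""
    seen = {}
    for r in rules:
        if r["precedence"] in seen:
            raise ValueError(f"{r['name']} and {seen[r['precedence']]} share precedence {r['precedence']}")
        seen[r["precedence"]] = r["name"]
    return True


if __name__ == "__main__":
    validate(RULES)
    print("outside -> cluster:", evaluate(RULES, icmp("10.1.1.1", "172.24.67.5")))
    print("cluster -> outside:", evaluate(RULES, icmp("172.24.67.5", "10.1.1.1")))
    print("echo request:      ", evaluate(RULES, icmp("172.24.67.5", "10.1.1.1", 8, 0)))
```

Swapping the two precedence values makes the deny rule win for everything, so a quick run of this against the intended traffic before typing "create access-list" is cheaper than debugging silent NFS hangs afterwards.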
---
vlan tag stuff, self notes after layoff.
config vlan
add ip address
add tag
add port X tagged
add port y,z untagged
Multiple vlans can use the same port as long as the port is added as tagged;
the 802.1q tag differentiates the vlans.
The peer router will have the port in multiple vlans also, and will therefore
be able to route between them as necessary.
With switch-to-switch vlan tagging, the tagged ports behave as if they were ports on the same switch.
Or think of it as each port needing to identify itself as belonging to a vlan.
In each subnet, only the ports that need to carry other subnets too (uplinks between switches/routers) need to be tagged;
ports that go to a computer don't need to be tagged.
Note that if the tag does not match on the peer switch/router, then no traffic will flow between them.
Router
FireWall
PIX
enable
config terminal
conduit permit tcp host 64.41.188.93 eq 22 host 65.5.190.138 ! allow ssh (tcp/22) to inside global address 64.41.188.93 from the single outside host 65.5.190.138
write memory
exit
(TBD, mask, clean up and combine ~/ref/pix.ref cc*)
CheckPoint
Check Point FireWall-1 commands:
cplic print # print license info (expiration, modules)
fwinstall # install check point fw s/w ??
fw commands:
fw ver [-h] ... # Display version
fw kill [-sig_no] procname # Send signal to a daemon
fw putkey ... # Client server keys
fw sam ... # Control sam server
fw fetch targets # Fetch last policy
fw tab [-h] ... # Kernel tables content
fw monitor [-h] ... # Monitor VPN-1/FW-1 traffic
fw ctl [args] # Control kernel
fw lichosts # Display protected hosts
fw log [-h] ... # Display logs
fw logswitch [-h target] [+|-][oldlog] # Create a new log file;
# the old log is moved
fw repairlog ... # Log index recreation
fw mergefiles ... # log files merger
fw lslogs ... # Remote machine log file list
fw fetchlogs ... # Fetch logs from a remote host
/etc/ipsoinfo # gather info for troubleshooting, saved to a tar.gz file
# password recovery for Nokia IP120 (IPSO, FreeBSD based).
-s # at the boot prompt of the Nokia IP120, boot into single user mode (no password asked)
/etc/overpw # reset the admin password to a temporary one, eg blank
dbpasswd admin newpassword "" # reset the Network Voyager password.
Load Balancer
ArrowPoint
ArrowPoint ContentSwitch Load Balancer (now the Cisco CSS 11000 Content Services Switch)
Ref:
ArrowPoint/Cisco
Content Smart Web Switch
Configuration Guide
(700+ page doc Mike Kail printed from the online doc)
Adding a user:
(config)# username NAME password PASSWORD {superuser}
Add the keyword superuser at the end to indicate that the account can access privileged superuser commands (like the default admin account).
Listing users:
(config)# no username ?
Note: the default admin account can be erased, but make sure there is another user with superuser privileges first!
Showing user info:
(config)# show user-database
Erasing a user:
(config)# no username NAME
---
Show runtime config, such as prompt, hostname, ip, etc
(config)# show running-config global
---
Setting the hostname (eg hoti1):
(config)# host hoti1
---
changing the CLI prompt (eg "ting"):
(config)# prompt "ting"