
10/28/2016

Map ports to ASIC on Cisco 7K

Map Port to ASIC on Cisco 7K Switch

From:  Nexus 7000 NXOS VDC Config Guide

Find the slot# of the module:
    show mod

Enter command:
    slot 3 show hardware internal dev-port-map

Sample Output:
--------------------------------------------------------------
CARD_TYPE:       48 port 10G
>Front Panel ports:48
--------------------------------------------------------------
 Device name             Dev role              Abbr num_inst:
--------------------------------------------------------------
> Clipper MAC            DEV_ETHERNET_MAC       MAC_0  12
> Clipper FWD            DEV_LAYER_2_LOOKUP     L2LKP  12
> Clipper XBAR           DEV_QUEUEING           QUEUE  12
> Sacramento Xbar ASIC   DEV_SWITCH_FABRIC      SWICHF 1
> PHY                    DEV_PHY                PHYS   12
> Clipper L3 Driver      DEV_LAYER_3_LOOKUP     L3LKP  12
+----------------------------------------------------------------+
+---------+++FRONT PANEL PORT TO ASIC INSTANCE MAP+++------------+
+----------------------------------------------------------------+
FP port |  PHYS | MAC_0 | L2LKP | L3LKP | QUEUE |SWICHF
   1       0       0       0       0       0       0
   2       0       0       0       0       0       0
   3       0       0       0       0       0       0
   4       0       0       0       0       0       0
   5       1       1       1       1       1       0
   6       1       1       1       1       1       0
   7       1       1       1       1       1       0
. . .

  • Port number = FP port column.
  • ASIC = MAC_0 column.
  • So, ASIC = int((Port - 1)/4): ports 1-4 share ASIC 0, ports 5-8 share ASIC 1, and so on in groups of four.

One port in each port group can be dedicated to 10Gb using the rate-mode command.
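As an added example (not from the post or the config guide), a small Python parser for the port-map table above; it also checks the closed-form port-to-ASIC mapping against every parsed row. The sample text is the output quoted above, embedded as a constructed string.

```python
import re

# Constructed sample: the port-map portion of "slot 3 show hardware internal
# dev-port-map" as quoted in the post (first seven front-panel ports).
SAMPLE_OUTPUT = """\
+----------------------------------------------------------------+
+---------+++FRONT PANEL PORT TO ASIC INSTANCE MAP+++------------+
+----------------------------------------------------------------+
FP port |  PHYS | MAC_0 | L2LKP | L3LKP | QUEUE |SWICHF
   1       0       0       0       0       0       0
   2       0       0       0       0       0       0
   3       0       0       0       0       0       0
   4       0       0       0       0       0       0
   5       1       1       1       1       1       0
   6       1       1       1       1       1       0
   7       1       1       1       1       1       0
"""

def parse_port_map(text):
    """Return {fp_port: {column_name: instance}} for the port-to-ASIC table."""
    columns, port_map = None, {}
    for line in text.splitlines():
        if line.startswith("FP port"):
            # Header 'FP port |  PHYS | MAC_0 | ...': column names after the first cell
            columns = [c.strip() for c in line.split("|")][1:]
            continue
        # Data rows are all-integer lines that follow the header
        if columns is None or not re.match(r"\s*\d+(\s+\d+)+\s*$", line):
            continue
        fields = [int(f) for f in line.split()]
        port_map[fields[0]] = dict(zip(columns, fields[1:]))
    return port_map

def asic_for_port(port_map, port):
    """The MAC_0 column is the ASIC instance the post keys on."""
    return port_map[port]["MAC_0"]

def ports_on_asic(port_map, asic):
    """All front-panel ports that share one MAC ASIC instance (the port group)."""
    return sorted(p for p, cols in port_map.items() if cols["MAC_0"] == asic)

def asic_formula(port):
    """Closed form matching the table: four consecutive 1-based ports per ASIC."""
    return (port - 1) // 4

def formula_matches_table(port_map):
    """True when the closed form agrees with every parsed row."""
    return all(asic_formula(p) == asic_for_port(port_map, p) for p in port_map)
```

Feed it the full 48-port output and ports_on_asic() tells you which neighbours a port shares its ASIC with, which is what matters when deciding where to dedicate a 10G port with rate-mode.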


 

9/28/2016

Dig Web Interface

1. Browse to http://www.digwebinterface.com/

2. Enter the list of hosts you wish to test under Hostnames or IP addresses:

3. Select Resolver under Name Servers:

4. Check Trace under Options

5. Click Dig

The first section of results is the root servers.
The next section is the authoritative name servers for the TLD.
The next section (your domain) is the NS records from the domain registry.
The next section (your domain) is the NS records provided by an authoritative NS for the domain itself. If these last two NS lists differ, the delegation and the zone are out of sync and resolvers may reach different servers depending on which list they trust.

Duplicate IP address registrations in DNS



https://blogs.technet.microsoft.com/askpfe/2011/06/03/how-dns-scavenging-and-the-dhcp-lease-duration-relate/


Very useful discussion of this issue and methods to address it.


Also a script to identify duplicate IP addresses in DNS:




#
#Import the Active Directory Module
import-module activedirectory

#Define an empty array to store computers with duplicate IP address registrations in DNS
$duplicate_comp = @()

#Get all computers in the current Active Directory domain along with the IPv4 address
#The IPv4 address is not a property on the computer account so a DNS lookup is performed
#The list of computers is sorted based on IPv4 address and assigned to the variable $comp
#Computers with no IPv4 address (no A record) are dropped so nulls don't skew the comparison
$comp = get-adcomputer -filter * -properties ipv4address | where-object {$_.ipv4address} | sort-object -property ipv4address

#For each computer object returned, assign just a sorted list of all 
#of the IPv4 addresses for each computer to $sorted_ipv4
$sorted_ipv4 = $comp | foreach {$_.ipv4address} | sort-object

#For each computer object returned, assign just a sorted, unique list 
#of all of the IPv4 addresses for each computer to $unique_ipv4
$unique_ipv4 = $comp | foreach {$_.ipv4address} | sort-object | get-unique

#compare $unique_ipv4 to $sorted_ipv4 and assign just the additional 
#IPv4 addresses in $sorted_ipv4 to $duplicate_ipv4
$duplicate_ipv4 = Compare-object -referenceobject $unique_ipv4 -differenceobject $sorted_ipv4 | foreach {$_.inputobject}

#For each instance in $duplicate_ipv4 and for each instance 
#in $comp, compare $duplicate_ipv4 to $comp. If they are equal, assign
#the computer object to array $duplicate_comp
foreach ($duplicate_inst in $duplicate_ipv4)
{
    foreach ($comp_inst in $comp)
    {
        if ($duplicate_inst -eq $comp_inst.ipv4address)
        {
            $duplicate_comp = $duplicate_comp + $comp_inst
        }
    }
}

#Pipe all of the duplicate computers to a formatted table
$duplicate_comp | ft name,ipv4address -a

Check DNS Propagation

Great online utility to check propagation of DNS changes: https://www.whatsmydns.net

5/26/2016

Packet Capture

The challenge I often have for capturing packets is that I need 2 interfaces on the machine doing the capture. It has been problematic to use the wired NIC on the span port and the wireless NIC for remote access to the laptop. I am tempted to do the following:
- Set up the span port on the switch interface where the only wired NIC of the laptop is attached, but don't enable it yet.
- Remote control in and set up Wireshark to capture from the wired NIC. Start the capture.
- Enable the span port on the switch. This will prevent remote access to the laptop during the capture.
- When ready, disable the span config on the port.
- Remote control in to the laptop and stop the capture.
The advantage is I could use whatever machine is available instead of having to get a local person to set up a laptop and (try to) tell me what the wireless IP address is.

4/21/2016

Cisco Nexus: EthAnalyzer

I've been fighting with EthAnalyzer, trying to get it to do something useful, but it always only showed me traffic to/from the switch itself, not packets that pass through it.
Today I found the following information and EUREKA!
ethanalyzer data plane traffic analysis



ACLs and Ethanalyzer for Data Plane Sampling:
The Ethanalyzer captures only traffic on the CPU, so it seems an unsuitable solution for data plane traffic analysis. However, this limitation can be avoided with the use of ACL logging to sample specific packets from the data plane.
              .   .   .
When we use ACLs and the “log” keyword, access control entries (ACEs) with the log keyword cause the system to punt a copy of matching packets to the supervisor CPU. The key point is that the original traffic is forwarded or dropped in hardware with no performance penalty. Note that punted copies are subjected to a hardware rate limiter; the forwarding engine hardware enforces the rate to avoid saturating the inband interface/CPU.

So the following accomplished what I have been trying to do for a long time:

IP access list acl-cap
  10 permit ip 10.10.10.11/32 any log
  20 permit ip any any
Eth6/28
  ip port access-group acl-cap in

ethanalyzer local int inband limit-captured-frames 0 autostop duration 60 write bootflash:test-2.pcap




3/25/2016

powershell ssh

One method for using powershell to ssh to a router/etc:
powershelladmin


Unfortunately it doesn't accept a credential object.
One workaround would be something like the following (the log and input file names are placeholders):

import-module ssh-sessions
$cred = get-credential
$user = $cred.getnetworkcredential().username
$pw = $cred.getnetworkcredential().password
# placeholder file names: one host per line in hosts.txt, one command per line in commands.txt
$logfile = "ssh-run.log"
$list = get-content hosts.txt
$commands = get-content commands.txt
foreach ($comp in $list)
{
    add-content $logfile "=== $comp ==="
    $loginresult = new-sshsession -computername $comp -username $user -password $pw
    add-content $logfile $loginresult
    foreach ($cmd in $commands)
    {
        # $host is a PowerShell automatic variable (the host application), so the target must be $comp
        $sshresults = invoke-sshcommand -computername $comp -command $cmd
        add-content $logfile $sshresults
    }
    $logoutresult = remove-sshsession -computername $comp
    add-content $logfile $logoutresult
}

1/27/2016

tracetcp

tracetcp


The utility available at the link above is very useful.
Instead of requiring ICMP, it performs a traceroute using any TCP port you wish.


VERY useful for testing custom route-map just for tcp 443.  (I could make plain old traceroute work by adding icmp to the route-map, but that isn't really a test.)