ETC

Network technologies, standards, info.


802.3ad		IEEE standard for link aggregation, replacing older proprietary protocols
		such as Cisco EtherChannel, which require the same brand at both ends.
		Provides more bandwidth and redundancy.  1999.

802.3af		Power over Ethernet (over existing Cat 5) using 4 wires.
		48 V AC, 350 mA, 12.95 Watts.
		Contains a detection mechanism: only equipment with the signature auth gets power,
		so it is safe to mix old and new equipment.

802.11		WiFi.  b = 11 Mbps; a = 55 Mbps in a new frequency band; g = 11/55 Mbps in the same band as b; n = 110 Mbps.

looseends


Configuration files that need to be updated when moving a machine from one IP/subnet to another.


Solaris:

/etc/hostname.hme0	{name or ip}
/etc/nodename
/etc/inet/hosts
/etc/inet/netmasks
	172.27.4.0	255.255.252.0	# fffffc00: covers four class-C-sized blocks, .4, .5, .6 and .7
					# broadcast is 172.27.7.255
	172.27.28.0	255.255.255.0	# normal class C.

/etc/resolv.conf
/etc/nsswitch.conf

/etc/defaultrouter
/etc/defaultdomain	{used to set the NIS domain name}
/var/yp/binding/`domainname`/ypservers	{ypbind uses this to find the list of NIS servers}

Note that a system that uses NIS but doesn't have its network set up properly
will have issues at boot time, as NIS hangs the boot process.  This happens before inetd even starts,
so one can't even telnet in (normally NIS is started first so that telnet can authenticate NIS users).


Cisco


config term
  interface fa0/37 
  no shutdown

  spanning-tree portfast	! port forwards immediately; spanning tree runs afterwards.

Implications:
If a switch is plugged into a port that is not preconfigured to allow spanning tree,
it will be blocked, and not even the link light will come up.
'no shutdown' will free up the port for use again.
'spanning-tree portfast', or something like that, enables the spanning tree algorithm on that port,
thus allowing the switch to be cascaded.

--

show vlan brief		! list all VLANs
show vlan id 1		! show info for VLAN 1 only


show inter status 	! auto/half/100/etc info
show inter status | include a-10 	! include works like grep but requires a more exact match.

show inter accounting			! statistics, packet in/out counts.

show interface stat
show interface counters


show mac-address-table dynamic vlan 30	! list the MAC address forwarding (fwd) table for VLAN 30.
show mac-address-table dynamic | include Fa0/9	! get the MAC address of the computer on the specified port


--

clear arp			! clear all ARP entries
				! no way to erase a single ip/arp entry

Cisco Terminal Server

Cisco Terminal Server ref commands (aka Communication Server?)

To dig out the online doc, go to the section inside IOS
(they don't have the terminal server listed as its own section; a site map may help):

-Cisco Product Documentation
-Cisco IOS Software config
-System Software Release 9.21 (or whatever newest number)
-Then find the sections called Communication Server ...
(IOS 8.3 and 9.0 have it listed as Terminal Server)


---

(machine at cc is a Cisco 2600 series, maybe a 2621 (or 2632?))

Connection to machine via terminal server:

telnet axecess
> telnet 2.2.2.2 2036

or, for named connections, just enter telnet db03.
Other connection types exist, such as
connect db03 
rlogin db03


to disconnect from a 'telnet' session to a server, use:

        CTRL-6 x, then type 'disc' at the axecess prompt

to generate a BREAK:

        CTRL-6 b


other telnet escape sequences inside the terminal server:
first hit ctrl+shift+6 (i.e. ctrl+^),
then enter ? for a list of escape sequences for the specific telnet session
with the Cisco terminal server.

---

clearing an existing connection (to free up the line for use again)

axecess> enable
password: 
axecess# clear line 36
[confirm] 

(line 36 was the line of connector 1, cable 4, listed as 2036)
(add 2032 to the cable number of the line you want to connect to)

[From Joanne's email: the port is really just 2000 + line number,
but somehow 32 async lines are already reserved internally.
Thus a cable on the module we added is line 32 + cable number, with 20 prepended:
connector 1 would be 2033 to 2040,
connector 2 would be 2041 to 2048, etc.]
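Added example (not from the original notes): the connector/cable to TCP-port rule above, coded as a function and its inverse, so that a 'clear line N' can be matched back to the physical cable. It assumes 8 cables per connector, as the 2033-2040 / 2041-2048 ranges imply.

```python
# Added example: Cisco terminal server reverse-telnet port arithmetic as
# described in the notes: port = 2000 + async line, the first 32 async lines
# are reserved internally, and each added connector carries 8 cables
# (connector 1 = lines 33..40, connector 2 = lines 41..48, ...).
REVERSE_TELNET_BASE = 2000
RESERVED_LINES = 32        # async lines already taken internally (from the notes)
CABLES_PER_CONNECTOR = 8   # assumption, implied by the 2033-2040 / 2041-2048 ranges


def line_number(connector: int, cable: int) -> int:
    """Absolute async line for a connector and cable (both 1-based)."""
    if connector < 1 or not 1 <= cable <= CABLES_PER_CONNECTOR:
        raise ValueError("connector must be >= 1 and cable in 1..%d" % CABLES_PER_CONNECTOR)
    return RESERVED_LINES + (connector - 1) * CABLES_PER_CONNECTOR + cable


def tcp_port(connector: int, cable: int) -> int:
    """TCP port for 'telnet <terminal-server> <port>' to reach that cable."""
    return REVERSE_TELNET_BASE + line_number(connector, cable)


def from_tcp_port(port: int) -> tuple:
    """Inverse mapping: (line, connector, cable) for a reverse-telnet port,
    e.g. 2036 -> (36, 1, 4), which is what 'clear line 36' refers to."""
    line = port - REVERSE_TELNET_BASE
    if line <= RESERVED_LINES:
        raise ValueError(f"port {port} maps to one of the reserved internal lines")
    offset = line - RESERVED_LINES - 1
    return line, offset // CABLES_PER_CONNECTOR + 1, offset % CABLES_PER_CONNECTOR + 1
```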


(TBD: cisco*config sample config files after clean up and masking)

Foundry

Foundry network gear commands are allegedly extremely similar to Cisco's (a direct competitor), though tab completion is not as nice as on Extreme Networks gear.

load balancer:


enable		= enter privileged (admin) mode.
show config	= show configuration

show version	= show sw and hw version
show flash		= show firmware/image version number
show tech		= pull all info that can possibly be had, so that tech support has absolutely everything

show interface ethernet 1 	= show eth1 info (duplex, utilization, collision, etc)
show interface				= show all interface information

---

change the network mask to /24 (from /20),
i.e. change the IP from 172.16.0.5/20 to 172.16.0.5/24.
The IP is inside a VLAN.

show vlan on the switch had:
PORT-VLAN 361, Name [None], Priority level0, Spanning tree Off
 Untagged Ports: None					
    Tagged Ports:  1  2 			! ports 1 and 2 trunked into a 2 GigE pipe
	Uplink Ports: None


config term
	vlan 361		! specify the vlan of the network to be configured
					! this case, 361 is for the vlan of 172.16.0.0
	ip-subnet 172.16.0.0 255.255.255.0 name shared5-1
	end
					! note that no changes were made to Tagged, so the old settings remain.
					! presumably, for a tftp config image, it is better to specify everything
					! so as not to leave residue from a previous config and get unexpected results.
					! then again, a tftp config load should completely wipe out the old settings.

config term
	ip address 172.16.0.5/24		! config ip and subnet of the load balancer itself
	end

write mem


---

updating firmware (OS)

login via serial (for later reboot monitoring)
enter into enable mode

backup running config (to tftp server):
	copy running tftp ServerIP SavedFileName
	eg: copy run tftp 10.0.1.103 nlb.cfg
Note that because of permission problems, one may need to create an empty file (size 0) in the tftp
server's storage dir so that the uploaded file can be written to disk without failure errors.

actually get the image:
	copy  tftp flash SvrIP FILENAME primary
	eg: copy tftp flash 10.0.1.103 BSI07118T8.bin primary


save old running config:
	write memory

reboot the load balancer for the new firmware/OS to kick in
	reload

verify version after reboot.
	show ver

---
copy cmd is of form [FROM] [TO] [additional params]

---

# erase virtual server stuff
# these entries show up in 'show server bind'
no server real
no server virtual


# erase ALL config!!
erase start




----

some additional cmds used in cifs but not documented.

show server bind

show server
tcp-age
sticky-age
session-age

server real 
  no health check

server virtual  
  no port default translate
  no port default dsr   (direct server response)
  port default 5001


Extreme Network



telnet IP
login...


show config			= like cisco, config of the switch

show port config	= show A=active, R=ready, 10/100 half/full/auto

show port rxerrors  = show receive errors
show port txerrors	= show transmit errors

show port collisions


config:
config port 1:10 auto on						= autosensing config
config port 1:10 auto off duplex full speed 100	= forced config

port id of 1:10 is blade 1, port 10.  range can be specified as 1:10-1:20, or comma list as 1:10,1:15

save config		
	save the configuration, so boot will come back to this state
	option to save as primary.
	(contrast to cisco write mem)


show vlan			= list configured vlan
show vlan 	= list ports used for the specified vlan


show iparp		= show arp table
show iparp  = detailed info about specific ip, arp level.

show iproute	
	show ip routing info
	  r = rip
	  d = dynamic, from other router
	  s = static

show ipr IP / bitMask	
	show routing info of specific ip range
	eg. 192.168.0.0 / 16 will be for all addresses starting 192.168.*.*,
	even if no specific class B net is defined

show ipr stat	= show packet discard info per vlan

show ipconfig	= ip config, some vlan info



show flow-redirect	
	policy based flow control
    limit what source ip packets go to which output
delete {flow} 	
	remove a specific policy rule about flow control.

show access-list	
	port blocking features, include ICMP and sub protocols
delete {access-list} 	
	remove a specific acl, eg deny-icmp,
	which blocks certain traceroute info (Extreme bug?).



download image  file prim
	should be the one to download a new OS into the primary store.
	ExtremeNet seems to support a secondary store etc.
	I guess it is bootable via an alternate cmd.

clear counters
	reset all counters (collision stats, etc)


upload config tftpSvrIP Filename
	save the configuration to the tftp server at IP with name filename
	Note that tftp server may need to have the file with mode 666 to write.

download config tftpSvrIP Filename
	grab the complete config for the switch from a file on the remote tftp server.
	(never tried)


---

some brief notes when adding an ip to the switch, and upgrading the os via tftp.

conf default de port 23
create vlan temp
conf temp ipaddr 172.16.17.50 /20
conf temp add port 23
en ipf temp

--
change the netmask of the switch (by specifying the IP and the new netmask bit count on the main VLAN?
Or, I suppose, for each VLAN the switch has an IP, so specify that IP and the netmask for it)

conf shared5-1 ipaddress 172.16.0.1/24

shared5-1 is the VLAN name shown in show vlan.
/24 indicates a class C network, and the system automatically converts it to the netmask 255.255.255.0.
Note that /20 would convert to the netmask 255.255.240.0.
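Added example (not part of the original notes): the netmask arithmetic behind both the Solaris /etc/inet/netmasks entries earlier (172.27.4.0 255.255.252.0, hex fffffc00, broadcast 172.27.7.255) and the /24 and /20 conversions here, done by hand rather than with the ipaddress module so each step is visible. Function and field names are my own.

```python
# Added example: prefix <-> netmask conversion and the subnet facts written
# in the Solaris netmasks comments (hex mask, broadcast, spanned /24 blocks).
# Written by hand so the bit operations are visible; not from the notes.

def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(bits: int) -> str:
    """/bits -> dotted netmask, e.g. 24 -> 255.255.255.0, 20 -> 255.255.240.0."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((((1 << bits) - 1) << (32 - bits)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask -> prefix length; rejects non-contiguous masks."""
    m = ip_to_int(mask)
    bits = bin(m).count("1")
    if m != (((1 << bits) - 1) << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return bits


def describe_subnet(network: str, mask: str) -> dict:
    """Network + netmask -> hex mask (as in the netmasks comment), broadcast,
    and the first and last class-C-sized (/24) block the subnet spans."""
    net, m = ip_to_int(network), ip_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if net & host_bits:
        raise ValueError(f"{network} is not the base address of a {mask} subnet")
    bcast = net | host_bits
    return {
        "prefix": mask_to_prefix(mask),
        "mask_hex": f"{m:08x}",
        "broadcast": int_to_ip(bcast),
        "first_block": int_to_ip(net),
        "last_block": int_to_ip(bcast & 0xFFFFFF00),
    }
```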


---

trunking:
	ports that are grouped together to form a trunk are called "tagged" in ExtremeNet.
	Thus, a tag on ports 1 and 2 would form a 2 GigE trunk.


---



configuring a switch from the ground up.
This was done by Jacinto for ngw1; I copied it over and might have missed a few commands.

# This will ERASE EVERYTHING on the config of the switch, and
# reset to factory defaults.
unconfigure switch all


# do not use bootp, which may get ip, config, etc that we don't want
disable bootp default		

config snmp sysName	ngw1-nsw1

# create account for user admin
config account admin			

# ngw1-1 is the primary vlan where all linux modules are in
create vlan ngw1-1
config ngw1-1 ipaddress 172.24.53.1/24
config ngw1-1 add port 1:1-1:32
enable ipf ngw1-1
enable rip 
config rip add vlan ngw1-1

# ??
config rip txmode v1compatible vlan ngw1-1

# this one assign a vlan id to the vlan ngw1-1.
# will need to match on switch for them to actually talk correctly.
config ngw1-1 tag 422

# this is the vip for the load balancer
create vlan ngw1-vip1
config ngw1-vip1 ipaddress 192.168.214.1/24
enable ipf ngw1-vip1
config ngw1-vip1 tag 766
enable rip ngw1

# then there is some port config tagging that I did not fully get.
# port 3:1 is the uplink port (separate vlan)
# port 3:2 is the load balancer
# End result is: 
# ngw1-vip1 has 2 ports: untag: 3:1  tag: 3:2
# ngw1-1 has ports 1:1 - 1:32 and tag 3:2

config rip add ngw1-vip1
config ngw1-1 add port 3:2
config ngw1-vip2 add port 3:1



---

loading new firmware to switch


download image 10.0.1.80 FILENAME primary
# also recommended: download to secondary as well, so it can boot from there in case of disaster

can change use of primary or secondary by: use config ... (?)

show ver


---

blocking most ICMP with access lists in the cluster
(needed to emulate the production config, where a dying gateway in the compute modules will NOT send ICMP to the client to reset NFS mounts).

create access-list permit-icmp-vm1-1 icmp dest 172.24.67.0 /24 source any type 3 code 3 permit ports any precedence 10

create access-list deny-icmp icmp dest any source any type 3 code 3 deny ports any precedence 100

The precedence number determines the order in which the switch evaluates these rules:
lowest number = highest priority = applied first (#1).
The largest, last-applied rule is #25600.

In the example above, ICMP from outside to the internal machines is allowed.
The next rule evaluated blocks all ICMP not otherwise specified.
Thus, effectively, any ICMP originating from the cluster machines to the outside is blocked.
I have no details of what kind of ICMP messages are in type 3 code 3.
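Added example (not from the original notes): a small model of how the two access-list rules above are evaluated, in ascending precedence with the first match winning, so the described effect can be checked. ICMP type 3 code 3 is destination unreachable / port unreachable; the 'permit' default for traffic that no rule matches is an assumption of this model, not something the notes state.

```python
# Added example: first-match evaluation of the two ExtremeWare access-list
# rules from the notes, ordered by precedence (lowest number = applied first,
# 25600 = last). ICMP type 3 code 3 = destination unreachable / port unreachable.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class IcmpRule:
    name: str
    dest: str         # "any" or a CIDR such as 172.24.67.0/24
    source: str       # "any" or a CIDR
    icmp_type: int
    icmp_code: int
    action: str       # "permit" or "deny"
    precedence: int   # 1 = highest priority, 25600 = lowest

    def matches(self, src: str, dst: str, itype: int, icode: int) -> bool:
        def in_scope(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (in_scope(self.dest, dst) and in_scope(self.source, src)
                and (itype, icode) == (self.icmp_type, self.icmp_code))


# The two rules as created on the switch in the notes.
RULES = [
    IcmpRule("permit-icmp-vm1-1", "172.24.67.0/24", "any", 3, 3, "permit", 10),
    IcmpRule("deny-icmp", "any", "any", 3, 3, "deny", 100),
]


def evaluate(rules, src: str, dst: str, itype: int = 3, icode: int = 3,
             default: str = "permit") -> tuple:
    """Return (action, rule_name) of the first matching rule in precedence
    order, or (default, None) if no rule matches. The default is an
    assumption of this model: these two rules only touch type 3 code 3."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(src, dst, itype, icode):
            return rule.action, rule.name
    return default, None
```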



---

vlan tag stuff, self notes after layoff.

config vlan 
  add ip address
  add tag 

  add port X tag 
  add port y,z untag


Multiple VLANs can use the same port as long as the port is added as tagged;
the tag differentiates the VLANs.
The peer router will have the port in multiple VLANs as well, and will therefore
be able to route between them as necessary.

With switch-to-switch VLAN tagging, the ports behave as if they were separate switch ports.
Or think of it as the port needing a tag to identify which VLAN a frame belongs to.

In each subnet, only the ports that need to be shared with other subnets need to be tagged.
Ports that go to a computer don't need to be tagged.
Note that if the tag does not match the peer switch/router, no traffic will flow through them.



Router

FireWall

PIX

(TBD, mask, clean up and combine ~/ref/pix.ref cc*)

CheckPoint

Check Point Firewall-1 commands:

cplic print	# print licenses info (expiration, modules)

fwinstall	# install check point fw s/w ??

fw commands:
fw ver [-h] ...                                 # Display version
fw kill [-sig_no] procname                      # Send signal to a daemon
fw putkey ...                                   # Client server keys
fw sam ...                                      # Control sam server
fw fetch targets                                # Fetch last policy
fw tab [-h] ...                                 # Kernel tables content
fw monitor [-h] ...                             # Monitor VPN-1/FW-1 traffic
fw ctl [args]                                   # Control kernel
fw lichosts                                     # Display protected hosts
fw log [-h] ...                                 # Display logs
fw logswitch [-h target] [+|-][oldlog]          # Create a new log file;
                                                # the old log is moved
fw repairlog ...                                # Log index recreation
fw mergefiles ...                               # log files merger 
fw lslogs ...                                   # Remote machine log file list
fw fetchlogs ...                                # Fetch logs from a remote host



/etc/ipsoinfo		# get info for troubleshooting, save to tar.gz file



	
# password recovery for Nokia IP120 (FreeBSD based).
-s		# at boot prompt of Nokia IP120, boot into single user mode, no password
/etc/overpw	# reset to temp password, eg to blank.
dbpasswd admin newpassword ""		# reset network voyager password.

Load Balancer

ArrowPoint

ArrowPoint ContentSwitch Load Balancer (Now part of Cisco CSM)


Ref:
ArrowPoint/Cisco
Content Smart Web Switch 
Configuration Guide 
(700+ page doc Mike Kail printed from online doc)

Adding user:
(config)# username  password  {superuser}

Add the keyword superuser at the end to indicate the account can access privileged superuser commands (like the default admin account).

Listing user:
(config)# no username ?

Note: the default admin account can be erased, but make sure there is another user with superuser privileges!

Showing user info:
(config)# show user-database

Erasing user:

no username 

---

Show runtime config, such as prompt, hostname, ip, etc
(config)# show running-config global

---

Setting the hostname:
host  


---

changing CLI prompt:
prompt 












[Doc URL: http://www.cs.fiu.edu/~tho01/psg/net.html]
(cc) Tin Ho. See main page for copyright info.


"LYS on the outside, LKS in the inside"
"AUHAUH on the outside, LAPPLAPP in the inside"