I struggled to configure external authentication on a APIC-EM Controller, i followed the official cisco guide. According to the guide the radius server should return ‘Scope: Scope:ALL, Role:ROLE_ADMIN’ but this is wrong!
Correct is ‘Scope=ALL: Role=ROLE_ADMIN’
Before that i always got a ‘Invalid Login Credentials’, not the best error message π
I wrote a small python script that can decrypt cisco type 7 passwords.
Cisco7Decrypt on Github
You can decrypt password directly through the CLI:
β python cisco7decrypt.py 12090404011C03162E password
If you want the command accessible from anywhere, just link it to a folder that’s included in your Path. In this example ‘~/bin’
ln -sn `pwd`/cisco7decrypt.py ~/bin/cisco7decrypt
On the IOS XR it’s a bit different, but still pretty easy.
RP/0/RSP0/CPU0:router01#conf t RP/0/RSP0/CPU0:router01(config)#commit replace This commit will replace or remove the entire running configuration. This operation can be service affecting. Do you wish to proceed? [no]: yes RP/0/RSP0/CPU0:ios(config)#
We moved an internal tool to docker (docker-compose), this includes the required MySQL Database.
I looked for a easy solution todo a backup through mysqldump and found something great π
This is the relevant docker-compose part:
mysql:
networks:
- back_net
If this docker-compose is running, the mysql container get the following name ‘ourtool_mysql_1’
The network gets the compose name added:
docker network ls NETWORK ID NAME DRIVER SCOPE 4d42f74cfe7e ourtool_pub_net macvlan local
We want our backups in the host folder /mnt/Backups/ourtool/sql (This is a nfs mounted folder).
Now we just put this information together:
docker run -it \ --net=ourtool_pub_net \ -v /mnt/Backups/ourtool/sql:/var/backup \ --rm mysql \ sh -c "exec mysqldump -h ourtool_mysql_1 -uroot -pYOURPASSWORD YOURDATABASE > /var/backup/mysql.dump"
That’s it, it runs, after that the temporary container gets destroyed and you can find the data on the host itself (‘/mnt/Backups/ourtool/sql’ in my case)
We now just run this as a cronjob
cat /etc/cron.daily/backup_ourtool #!/bin/sh FILENAME="ourtool-`date -I`.sql" docker run -it \ --net=ourtool_pub_net \ -v /mnt/Backups/ourtool/sql:/var/backup \ --rm mysql \ sh -c "exec mysqldump -h ourtool_mysql_1 -uroot -pYOURPASSWORD YOURDATABASE > /var/backup/$FILENAME"
Get the standalone software here
First you have to copy the new nexus 9000 standalone firmware to the APIC:
admin@apic1:~> scp richy@YOURIP:Downloads/nxos.7.0.3.I2.2a.bin . nxos.7.0.3.I2.2a.bin 100% 513MB 9.2MB/s 00:56
And now you can push it to the appropriate Nexus 9000. (The user/password matches the APIC)
admin@apic1:~> scp nxos.7.0.3.I2.2a.bin admin@leaf02:bootflash Password: nxos.7.0.3.I2.2a.bin 100% 513MB 7.0MB/s 01:13
Now reboot the switch and break into the load prompt, this can be done with Control+C in Putty.
loader > loader > boot nxos.7.0.3.I2.2a.bin
After the switch is booted up you got the default prompts (POAP, Secure Admin PW, etc..) When you finaliy reach the CLI you have to Set the Boot Path!
switch(config)# boot nxos bootflash:///nxos.7.0.3.I2.2a.bin Performing image verification and compatibility check, please wait....
Also save the config!
switch# copy running-config startup-config [########################################] 100% Copy complete.
Now is time to verify that everything is fine with the new image (should, as it already booted ;-))
switch# show boot
Current Boot Variables:
sup-1
NXOS variable = bootflash:/nxos.7.0.3.I2.2a.bin <---- Good
No module boot variable set
Boot Variables on next reload:
sup-1
NXOS variable = bootflash:/nxos.7.0.3.I2.2a.bin <---- Good
No module boot variable set
switch# show install all impact
.
.
.
Compatibility check is done:
Module bootable Impact Install-type Reason
------ -------- -------------- ------------ ------
1 yes non-disruptive none
Images will be upgraded according to following table:
Module Image Running-Version(pri:alt) New-Version Upg-Required
------ ---------- ---------------------------------------- -------------------- ------------
1 nxos 7.0(3)I2(2a) 7.0(3)I2(2a) no
1 bios v07.41(10/12/2015):v07.17(09/10/2014) v07.34(08/11/2015) no
That’s it, make a final boot and your switch is now ACI-Free!
Maybe there is the time you want to go back to ACI, check out my new post!
Cisco continues its strategy to merge the whole Campus Switch platform to a single Image, the newest step in this process is IOS XE 16.1.1. Currently only available for the Cat3k Platform (3650, 3850) but releases for the other Catalyst platforms should follow.
In this post i show you how to upgrade your Cisco 3650/3850 Switch from 3.x to 16.1.1
Frist, grab the software here:
IOS XE Denali 16.1.1 on Cisco.com
Just copy it to your switch
Switch#copy ftp://x:x@10.32.31.15/cat3k_caa-universalk9.16.01.01.SPA.bin flash: Destination filename [cat3k_caa-universalk9.16.01.01.SPA.bin]? Accessing ftp://*****:*****@10.32.31.15/cat3k_caa-universalk9.16.01.01.SPA.bin...!!!!!!! *Dec 16 08:22:42.371: Loading cat3k_caa-universalk9.16.01.01.SPA.bin !!!!!!!!!!!!!... ... !!! [OK - 469677062/4096 bytes] 469677062 bytes copied in 432.250 secs (1086587 bytes/sec)
After that you can install the OS as always
Switch#software install file flash:cat3k_caa-universalk9.16.01.01.SPA.bin new
Preparing install operation ...
[1]: Starting install operation
[1]: Expanding bundle flash:cat3k_caa-universalk9.16.01.01.SPA.bin
[1]: Copying package files
[1]: Package files copied
[1]: Finished expanding bundle flash:cat3k_caa-universalk9.16.01.01.SPA.bin
[1]: Verifying and copying expanded package files to flash:
[1]: Verified and copied expanded package files to flash:
[1]: Starting compatibility checks
[1]: Finished compatibility checks
[1]: Starting application pre-installation processing
[1]: Finished application pre-installation processing
[1]: Old files list:
Removed cat3k_caa-base.SPA.03.03.05SE.pkg
Removed cat3k_caa-drivers.SPA.03.03.05SE.pkg
Removed cat3k_caa-infra.SPA.03.03.05SE.pkg
Removed cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
Removed cat3k_caa-platform.SPA.03.03.05SE.pkg
Removed cat3k_caa-wcm.SPA.10.1.150.0.pkg
[1]: New files list:
Added cat3k_caa-rpbase.16.01.01E.SPA.pkg
Added cat3k_caa-srdriver.16.01.01E.SPA.pkg
Added cat3k_caa-wcm.16.01.01E.SPA.pkg
Added cat3k_caa-webui.16.01.01E.SPA.pkg
[1]: Creating pending provisioning file
[1]: Finished installing software. New software will load on reboot.
[1]: Committing provisioning file
[1]: Do you want to proceed with reload? [yes/no]: yes
System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 2991 bytes to 1553 bytes[OK]
[1]: Reloading
It takes some time to boot up again, after that you can see the new Version is running
Switch Ports Model SW Version SW Image Mode ------ ----- ----- ---------- ---------- ---- * 1 32 WS-C3850-24P Denali 16.1.1 CAT3K_CAA-UNIVERSALK9 INSTALL
After that i created a user with priv 15
Switch(config)#username cisco privilege 15 secret cisco
Now you can head to the new WebGui, i attached two impressions of the new GUI. Compared to the old cisco switch GUIs it looks really nice. But if it ever is used?… π
If you want to reset one or all of your APIC Controllers to factory default, there is a easy command for that ‘eraseconfig setup’
β ssh admin@10.127.129.50 Application Policy Infrastructure Controller admin@10.127.129.50's password: apic1# bash ---> Only required with Version 1.2+ admin@apic1:~> eraseconfig setup Do you want to cleanup the initial setup data? The system will be REBOOTED. (Y/n):
When your intention is to reset a whole fabric, it’s recommended to reset the switches first:
Reset a ACI Spine/Leaf Switch
If you reset the APIC Controller first, you have to do this step through console afterwards.
Cisco introduced a NX-OS like CLI for the Cisco ACI Solution with release 1.2(1i).
In this post i will demonstrate some of the things that can be achieved through the NX-OS CLI.
!Important!
There is no safety net, if you issue something like ‘no tenant XXX‘ the configuration is gone!
No commit, warning or similar!
!Important!
The NX-OS like CLI is the new default if you connect via SSH to the APIC
β ssh admin@10.127.129.50 Application Policy Infrastructure Controller admin@10.127.129.50's password: apic1#
Cisco released the newest ACI Software this Week, called 1.2(1i).
There are a lot of great new features that i will try to cover in more detail in the future, for now the overview from the release notes.
To install this new software, you can follow one of my blog posts:
Through GUIΒ orΒ Through CLI
Today i learnt that the Production Year and Week is ‘hidden’ in the Cisco Serials π
The format of the serial is always like ‘xxxYYWWxxxx’, ‘YY’ is Code for the Year, but not the Year itself! ‘WW’ is the week of manufacture.
| Code | Year |
|---|---|
| 01 | 1997 |
| 02 | 1998 |
| 03 | 1999 |
| 04 | 2000 |
| 05 | 2001 |
| 06 | 2002 |
| 07 | 2003 |
| 08 | 2004 |
| 09 | 2005 |
| 10 | 2006 |
| 11 | 2007 |
| 12 | 2008 |
| 13 | 2009 |
| 14 | 2010 |
| 15 | 2011 |
| 16 | 2012 |
| 17 | 2013 |
| 18 | 2014 |
| 19 | 2015 |
| 20 | 2016 |
Code
Week
1-5
January
6-9
February
10-14
March
15-18
April
19-22
May
23-27
June
28-31
July
32-35
August
36-40
September
41-44
October
45-48
November
49-52
December