Cisco ACI – Connect to the leaf/spine switches with the NX-OS

Posted on November 6, 2016November 7, 2016 by richardstrnad Leave a comment

Some time ago i posted how you can connect to a spine or leaf switch -> Connect to a leaf/spine switch
With the introduction of NX-OS, the syntax changed a bit. You have now first to drop back to the bash shell and then you can attach the switches. Password is still the same as for the APIC.

apic1# bash
admin@apic1:~> attach leaf01
This command is being deprecated on APIC controller, please use NXOS-style equivalent command
# Executing command: ssh leaf01 -b 10.127.240.1

Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
leaf01#

There is also the possibility to directly run show commands from the APIC.
Run Commands on the Fabric Switches from your APIC

Acitoolkit – Get all Nodes

Posted on October 27, 2016November 3, 2016 by richardstrnad Leave a comment

Example script to print all your fabric nodes.

from acitoolkit.acitoolkit import Session
from acitoolkit.aciphysobject import Node

url = 'https://apic'
user = 'user'
pw = 'pw'

session = Session(url, user, pw)
session.login()

nodes = Node.get(session)
for node in nodes:
    print('=' * 50)
    print('Pod: {}'.format(node.pod))
    print('Node: {}'.format(node.node))
    print('Mode: {}'.format(node.mode))
    print('Model: {}'.format(node.model))
    print('Vendor: {}'.format(node.vendor))
    print('Serial: {}'.format(node.serial))

Nexus 1000v – Port-Profile Error ‘MSP-5-PP_UPDATE_FAILED’

Posted on October 18, 2016October 17, 2016 by richardstrnad Leave a comment

I tried to create a new port-profile on a Nexus 1000V and got the error

2016 Oct 14 10:33:35 N1Kv %MSP-5-PP_UPDATE_FAILED: Update of port-profile 'New-Port-Group' on the vCenter Server failed. Please  verify port-profile config.

This error can appear if you configure more max-ports on the port-profiles than you specified in the ‘svs connection vcenter’. In my case i had overprovisioned the port-profiles with ‘max-group 512’, so i just reduced the max-port on some port-profiles and this solved the issue.

APIC-EM – External Authentication ‘Invalid Login Credentials’

Posted on October 12, 2016 by richardstrnad Leave a comment

I struggled to configure external authentication on a APIC-EM Controller, i followed the official cisco guide. According to the guide the radius server should return ‘Scope: Scope:ALL, Role:ROLE_ADMIN’ but this is wrong!

Correct is ‘Scope=ALL: Role=ROLE_ADMIN’

Before that i always got a ‘Invalid Login Credentials’, not the best error message 🙂

Python – Building a Cisco Type 7 Decrypt Tool

Posted on October 12, 2016October 11, 2016 by richardstrnad Leave a comment

I wrote a small python script that can decrypt cisco type 7 passwords.
Cisco7Decrypt on Github

You can decrypt password directly through the CLI:

→ python cisco7decrypt.py 12090404011C03162E
password

If you want the command accessible from anywhere, just link it to a folder that’s included in your Path. In this example ‘~/bin’

ln -sn `pwd`/cisco7decrypt.py ~/bin/cisco7decrypt

Reset Cisco IOS XR Device (Factory Reset)

Posted on October 11, 2016October 24, 2016 by richardstrnad Leave a comment

On the IOS XR it’s a bit different, but still pretty easy.

RP/0/RSP0/CPU0:router01#conf t
RP/0/RSP0/CPU0:router01(config)#commit replace 
This commit will replace or remove the entire running configuration. This
operation can be service affecting.
Do you wish to proceed? [no]: yes
RP/0/RSP0/CPU0:ios(config)#

Docker MySQL Backup

Posted on September 22, 2016July 12, 2019 by richardstrnad Leave a comment

We moved an internal tool to docker (docker-compose), this includes the required MySQL Database.
I looked for a easy solution todo a backup through mysqldump and found something great 🙂
This is the relevant docker-compose part:

  mysql:
   networks:
     - back_net

If this docker-compose is running, the mysql container get the following name ‘ourtool_mysql_1’
The network gets the compose name added:

docker network ls
NETWORK ID          NAME                          DRIVER              SCOPE
4d42f74cfe7e        ourtool_pub_net    macvlan             local

We want our backups in the host folder /mnt/Backups/ourtool/sql (This is a nfs mounted folder).
Now we just put this information together:

docker run -it \
--net=ourtool_pub_net \
-v /mnt/Backups/ourtool/sql:/var/backup \
--rm mysql \
sh -c &quot;exec mysqldump -h ourtool_mysql_1 -uroot -pYOURPASSWORD YOURDATABASE &gt; /var/backup/mysql.dump&quot;

That’s it, it runs, after that the temporary container gets destroyed and you can find the data on the host itself (‘/mnt/Backups/ourtool/sql’ in my case)

We now just run this as a cronjob

cat /etc/cron.daily/backup_ourtool
#!/bin/sh

FILENAME=&quot;ourtool-`date -I`.sql&quot;
docker run -it \
--net=ourtool_pub_net \
-v /mnt/Backups/ourtool/sql:/var/backup \
--rm mysql \
sh -c &quot;exec mysqldump -h ourtool_mysql_1 -uroot -pYOURPASSWORD YOURDATABASE &gt; /var/backup/$FILENAME&quot;

ACI/N9K – How to convert a Nexus 9000 from ACI Mode to NX-OS (Standalone)

Posted on February 29, 2016April 12, 2017 by richardstrnad 5 Comments

Get the standalone software here

First you have to copy the new nexus 9000 standalone firmware to the APIC:

admin@apic1:~> scp richy@YOURIP:Downloads/nxos.7.0.3.I2.2a.bin .
nxos.7.0.3.I2.2a.bin                          100%  513MB   9.2MB/s   00:56

And now you can push it to the appropriate Nexus 9000. (The user/password matches the APIC)

admin@apic1:~> scp nxos.7.0.3.I2.2a.bin admin@leaf02:bootflash
Password:
nxos.7.0.3.I2.2a.bin                          100%  513MB   7.0MB/s   01:13

Now reboot the switch and break into the load prompt, this can be done with Control+C in Putty.

loader >
loader > boot nxos.7.0.3.I2.2a.bin

After the switch is booted up you got the default prompts (POAP, Secure Admin PW, etc..) When you finaliy reach the CLI you have to Set the Boot Path!

switch(config)# boot nxos bootflash:///nxos.7.0.3.I2.2a.bin
Performing image verification and compatibility check, please wait....

Also save the config!

switch# copy running-config startup-config
[########################################] 100%
Copy complete.

Now is time to verify that everything is fine with the new image (should, as it already booted ;-))

switch# show boot
Current Boot Variables:

sup-1
NXOS variable = bootflash:/nxos.7.0.3.I2.2a.bin <---- Good
No module boot variable set

Boot Variables on next reload:

sup-1
NXOS variable = bootflash:/nxos.7.0.3.I2.2a.bin <---- Good
No module boot variable set


switch# show install all impact

.
.
.

Compatibility check is done:
Module  bootable          Impact  Install-type  Reason
------  --------  --------------  ------------  ------
     1       yes  non-disruptive          none



Images will be upgraded according to following table:
Module       Image                  Running-Version(pri:alt)           New-Version  Upg-Required
------  ----------  ----------------------------------------  --------------------  ------------
     1        nxos                              7.0(3)I2(2a)          7.0(3)I2(2a)            no
     1        bios     v07.41(10/12/2015):v07.17(09/10/2014)    v07.34(08/11/2015)            no

That’s it, make a final boot and your switch is now ACI-Free!
Maybe there is the time you want to go back to ACI, check out my new post!

Cisco IOS XE – Install the New release 16.1.1 (Denali) on 3850

Posted on December 21, 2015October 5, 2016 by richardstrnad 2 Comments

Cisco continues its strategy to merge the whole Campus Switch platform to a single Image, the newest step in this process is IOS XE 16.1.1. Currently only available for the Cat3k Platform (3650, 3850) but releases for the other Catalyst platforms should follow.

In this post i show you how to upgrade your Cisco 3650/3850 Switch from 3.x to 16.1.1

Frist, grab the software here:
IOS XE Denali 16.1.1 on Cisco.com

Just copy it to your switch

Switch#copy ftp://x:x@10.32.31.15/cat3k_caa-universalk9.16.01.01.SPA.bin flash:
Destination filename [cat3k_caa-universalk9.16.01.01.SPA.bin]?
Accessing ftp://*****:*****@10.32.31.15/cat3k_caa-universalk9.16.01.01.SPA.bin...!!!!!!!
*Dec 16 08:22:42.371: Loading cat3k_caa-universalk9.16.01.01.SPA.bin !!!!!!!!!!!!!...
...
!!!
[OK - 469677062/4096 bytes]

469677062 bytes copied in 432.250 secs (1086587 bytes/sec)

After that you can install the OS as always

Switch#software install file flash:cat3k_caa-universalk9.16.01.01.SPA.bin new
Preparing install operation ...
[1]: Starting install operation
[1]: Expanding bundle flash:cat3k_caa-universalk9.16.01.01.SPA.bin
[1]: Copying package files
[1]: Package files copied
[1]: Finished expanding bundle flash:cat3k_caa-universalk9.16.01.01.SPA.bin
[1]: Verifying and copying expanded package files to flash:
[1]: Verified and copied expanded package files to flash:
[1]: Starting compatibility checks
[1]: Finished compatibility checks
[1]: Starting application pre-installation processing
[1]: Finished application pre-installation processing
[1]: Old files list:
    Removed cat3k_caa-base.SPA.03.03.05SE.pkg
    Removed cat3k_caa-drivers.SPA.03.03.05SE.pkg
    Removed cat3k_caa-infra.SPA.03.03.05SE.pkg
    Removed cat3k_caa-iosd-universalk9.SPA.150-1.EZ5.pkg
    Removed cat3k_caa-platform.SPA.03.03.05SE.pkg
    Removed cat3k_caa-wcm.SPA.10.1.150.0.pkg
[1]: New files list:
    Added cat3k_caa-rpbase.16.01.01E.SPA.pkg
    Added cat3k_caa-srdriver.16.01.01E.SPA.pkg
    Added cat3k_caa-wcm.16.01.01E.SPA.pkg
    Added cat3k_caa-webui.16.01.01E.SPA.pkg
[1]: Creating pending provisioning file
[1]: Finished installing software.  New software will load on reboot.
[1]: Committing provisioning file

[1]: Do you want to proceed with reload? [yes/no]: yes

System configuration has been modified. Save? [yes/no]: yes
Building configuration...
Compressed configuration from 2991 bytes to 1553 bytes[OK]
[1]: Reloading

It takes some time to boot up again, after that you can see the new Version is running

Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 32    WS-C3850-24P       Denali 16.1.1     CAT3K_CAA-UNIVERSALK9 INSTALL

After that i created a user with priv 15

Switch(config)#username cisco privilege 15 secret cisco

Now you can head to the new WebGui, i attached two impressions of the new GUI. Compared to the old cisco switch GUIs it looks really nice. But if it ever is used?… 🙂

Cisco ACI – Reset a APIC

Posted on December 19, 2015November 3, 2016 by richardstrnad Leave a comment

If you want to reset one or all of your APIC Controllers to factory default, there is a easy command for that ‘eraseconfig setup’

→ ssh admin@10.127.129.50
Application Policy Infrastructure Controller
admin@10.127.129.50's password:
apic1# bash ---> Only required with Version 1.2+

admin@apic1:~> eraseconfig setup
Do you want to cleanup the initial setup data? The system will be REBOOTED. (Y/n):

When your intention is to reset a whole fabric, it’s recommended to reset the switches first:
Reset a ACI Spine/Leaf Switch
If you reset the APIC Controller first, you have to do this step through console afterwards.