Thursday, June 27, 2013

Cisco delivers "monster" Catalyst switch in major product refresh

Network World - Cisco this week will significantly update its enterprise network line-up with programmable campus and branch switches and routers designed to tightly bind applications to network hardware and services.
The new products include the Catalyst 6800 backbone switching line, a new supervisor engine for Cisco’s 4500-E chassis-based access switch, a new high-end ISR branch router and application performance extensions to the ASR 1000 edge router.
Cisco 6800
“Cisco has…delivered a monster Catalyst,” says Bill Carter, senior business communications analyst at value-added reseller Sentinel Technologies in Springfield, Ill. “This gives customers a core switch with 10G/40G/100G with the feature set required in the campus.”
The company, which this week hosts its Cisco Live event in Orlando, says its new products fit within an Enterprise Network Architecture under which applications, network services software and hardware networking functions all work together.
Much of this synergy is facilitated by Cisco’s ONE API framework for programmable networking and associated ASICs optimized for Cisco ONE programmability. Cisco ONE and its onePK API set is Cisco’s response to software-defined networking (SDN), in which many of the functions of network behavior are divorced from hardware and centrally administered by software controllers.
SDN makes network functions less reliant on specific hardware and operating systems, and more accommodating to commodity switching and open source software. It threatens Cisco’s dominance and fat profits in routers and switches.
Cisco is combatting the SDN trend by attempting to tightly link software programmability of network infrastructure to custom-developed ASIC hardware and hardware-specific operating systems, and defending its incumbency and massive installed base. These new products are instantiations of that strategy.
Cisco says it will support onePK across its entire enterprise routing and switching portfolio within the next 12 months, beginning with the ISR 4451-AX and ASR 1000-AX routers announced this week, which will support onePK in late summer/early fall.
The Catalyst 6800 is an outgrowth of the ubiquitous – and 10+ year old – Catalyst 6500. The 6800 is targeted at campus backbone 10/40/100Gbps services. In addition to network programmability, the 6800 is supervisor- and line card-compatible with the 6500, Cisco says, adding that there is still no date set for retiring the 6500.
“I see the Cat 6800 as a natural evolution of the 6500 platform,” says IDC analyst Rohit Mehra. “While scale and performance are going to be important, so will the need for providing agility and deploying programmable platforms. That's what the 6800 brings to the table with added simplicity, while maintaining operational consistency and continuity with the 6500 product suite.”
Sources say Cisco still has a vibrant roadmap for the Catalyst 6500, including a 10Tbps supervisor engine in the works. Cisco confirmed that a 10T supervisor engine is planned for both the 6500 and 6800 switches. The company would not say when it's coming.

Courtesy: Network World

Tuesday, January 1, 2013

Check Point SPLAT Commands


This is a list of several Check Point SPLAT commands that I use frequently. Perhaps this CLI tip sheet for Secure Platform is useful to you too:

clock - display date and time on firewall
cpconfig - change SIC, licenses and more
cphaprob ldstat - display sync serialization statistics
cphaprob stat - list the state of the high availability cluster members. Should show one active and one standby device.
cphaprob syncstat - display sync transport layer statistics
cphastop - stop a cluster member from passing traffic. Stops synchronization. (emergency only)
cplic print - license information
cpstart - start all Check Point services
cpstat fw - show policy name, policy install time and interface table
cpstat ha - high availability state
cpstat os -f all - Check Point interface table, routing table, version, memory status, CPU load, disk space
cpstat os -f cpu - CPU status
cpstat os -f routing - routing table
cpstop - stop all Check Point services
cpwd_admin monitor_list - list processes actively monitored. A firewall should list cpd and vpnd.
expert - change from the initial administrator privilege to advanced privilege
find / -type f -size +10240k -exec ls -la {} \; - search for files larger than 10 MB (the + is needed; without it find matches only files of exactly 10240k)
fw ctl iflist - show interface names
fw ctl pstat - show control kernel memory and connections
fw exportlog -o - export the current log file to ASCII
fw fetch 10.0.0.42 - manually get the policy from the management server at 10.0.0.42 (use this only if there are problems on the firewall)
fw log - show the content of the connections log
fw log -b "Jul 23, 2009 15:01:30" "Jul 23, 2009 15:15:00" - search the current log for activity between the two times given
fw log -c drop - search for dropped packets in the active log; accept or reject can be used instead
fw log -f - tail the current log in real time; on a busy gateway this will likely flood your terminal
fwm logexport -i -o - export an old log file on the firewall manager
fw logswitch - rotate logs
fw lslogs - list firewall logs
fw stat - firewall status; should contain the name of the policy and the relevant interfaces, e.g. Standard_5_1_1_1_1 [>eth4] [eth0.900] ...
fw stat -l - show which policy is associated with which interface and the packet drop, accept and reject counts
fw tab - display firewall tables
fw tab -s -t connections - number of connections in the state table
fw tab -t xlate -x - clear all translated entries (emergency only)
fw unloadlocal - clear the local firewall policy (emergency only: the gateway is left with no policy and enforces nothing until a policy is installed again with fw fetch or a push from the management server)
fw ver - firewall version
fwm lock_admin -h - unlock a user account after repeated failed login attempts (run on the management server)
fwm ver - firewall manager version (on SmartCenter)
ifconfig -a - list all interfaces
log list - list the names of the logs
log show - display a specific log; 'log show 33' will display "Can't find my SIC name in registry" if there are communication problems
netstat -an | more - check what ports are in use or listening
netstat -rn - routing table
passwd - change the current user's password
ps -ef - list running processes
sysconfig - configure date/time, network, DNS, NTP
upgrade_import - run '/opt/CPsuite-R65/fw1/bin/upgrade_tools/upgrade_import' after a system upgrade to import the old license and system information
hwclock - show the hardware clock. If the hardware and operating system clocks are off by more than a minute, sync the hardware clock to the OS with "hwclock --systohc"
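The commands above are usually run one at a time by hand after a policy push or a failover test. As an added example, not part of the original tip sheet, here is a small POSIX shell health check that strings three of them together: it confirms the cluster has exactly one active and at least one standby member (cphaprob stat), that a real policy is loaded rather than the empty state left by fw unloadlocal (fw stat), and that cpd, fwd and vpnd are running and watched by cpwd (cpwd_admin monitor_list). The sample outputs embedded in the script are constructed to resemble those commands' output so the logic can be exercised off the box; the column positions in the monitor_list parser are an assumption taken from that constructed layout.

```shell
#!/bin/sh
# Added example, not part of the original tip sheet: a post-change health check
# for a SecurePlatform gateway built from the commands listed above. Run it from
# expert mode. The *_SAMPLE variables are constructed output written to resemble
# cphaprob stat, fw stat and cpwd_admin monitor_list, so the checks can be
# exercised offline; LIVE=1 runs the real commands instead.

CPHAPROB_SAMPLE_OK='Cluster Mode:   High Availability (Active Up)

Number     Unique Address  Assigned Load   State
1 (local)  10.10.10.1      100%            Active
2          10.10.10.2      0%              Standby'

# Both members believe they are active: a split cluster, not a healthy one.
CPHAPROB_SAMPLE_SPLIT='Number     Unique Address  Assigned Load   State
1 (local)  10.10.10.1      100%            Active
2          10.10.10.2      100%            Active'

FWSTAT_SAMPLE_OK='HOST      POLICY   DATE
localhost Standard 23Jul2009 15:01:30 :  [>eth4] [<eth4] [>eth0] [<eth0]'

# What fw stat looks like after fw unloadlocal: no policy, nothing enforced.
FWSTAT_SAMPLE_UNLOADED='HOST      POLICY   DATE
localhost -        -                    :  >eth4 <eth4 >eth0 <eth0'

MONITOR_SAMPLE_OK='APP   CTX  PID   STAT  #START  START_TIME            MON  COMMAND
CPD   0    2221  E     1       [10:01:12] 23/7/2009  Y    cpd
FWD   0    2245  E     1       [10:01:14] 23/7/2009  Y    fwd
VPND  0    2260  E     1       [10:01:15] 23/7/2009  Y    vpnd'

# vpnd has died (STAT T = terminated) and cpwd is no longer watching it.
MONITOR_SAMPLE_BAD='APP   CTX  PID   STAT  #START  START_TIME            MON  COMMAND
CPD   0    2221  E     1       [10:01:12] 23/7/2009  Y    cpd
FWD   0    2245  E     1       [10:01:14] 23/7/2009  Y    fwd
VPND  0    2260  T     3       [10:01:15] 23/7/2009  N    vpnd'

# count_members STATE: number of cluster rows whose last column is STATE
count_members() {
  awk -v want="$1" 'NF >= 4 && $NF == want { n++ } END { print n + 0 }'
}

# check_cluster "cphaprob stat output": exactly one Active, at least one Standby
check_cluster() {
  active=$(printf '%s\n' "$1" | count_members Active)
  standby=$(printf '%s\n' "$1" | count_members Standby)
  [ "$active" -eq 1 ] && [ "$standby" -ge 1 ]
}

# policy_name "fw stat output": the POLICY column of the localhost row
policy_name() {
  printf '%s\n' "$1" | awk '$1 == "localhost" { print $2 }'
}

# check_policy "fw stat output": a real policy is installed, not the empty
# state after fw unloadlocal nor the boot-time InitialPolicy/defaultfilter
check_policy() {
  case "$(policy_name "$1")" in
    ""|-|InitialPolicy|defaultfilter) return 1 ;;
  esac
  return 0
}

# check_daemons "monitor_list output" NAME...: every NAME is running (STAT E)
# and watched by cpwd (MON Y). Column positions follow the sample layout above
# (an assumption); adjust $4 / $(NF-1) if your release prints the table differently.
check_daemons() {
  out=$1; shift
  missing=
  for d in "$@"; do
    printf '%s\n' "$out" | awk -v app="$d" \
      'toupper($1) == toupper(app) && $4 == "E" && $(NF-1) == "Y" { found = 1 }
       END { exit found ? 0 : 1 }' || missing="$missing $d"
  done
  [ -z "$missing" ] || { echo "not running/monitored:$missing" >&2; return 1; }
}

# Usage: run after a policy push or failover test. LIVE=1 uses the real commands.
if [ "${LIVE:-0}" = 1 ]; then
  CL=$(cphaprob stat); ST=$(fw stat); ML=$(cpwd_admin monitor_list)
else
  CL=$CPHAPROB_SAMPLE_OK; ST=$FWSTAT_SAMPLE_OK; ML=$MONITOR_SAMPLE_OK
fi
check_cluster "$CL" && echo "cluster: OK" || echo "cluster: FAIL"
check_policy "$ST" && echo "policy:  OK ($(policy_name "$ST"))" || echo "policy:  FAIL"
check_daemons "$ML" cpd fwd vpnd && echo "daemons: OK" || echo "daemons: FAIL"
```

The checks deliberately fail closed: two Active members is reported as a failure even though "something" is passing traffic, and a policy column of "-" is treated as no policy, which is the state that matters most after an emergency fw unloadlocal.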

Sunday, December 23, 2012

ACS patch 5-2-0-26-11 installation


You can define a repository in the web admin page as well as the CLI. It might be easier for you to create it in the web first if you are unfamiliar with ACS.

To create a repository, navigate to System Administration > Operations > Software Repositories. At the bottom of the page will be a button for 'Create'.

I’ve never had a lot of luck trying to patch ACS using TFTP or SCP, but it seems to work when I use FTP so I would recommend using FTP as the protocol for the repository.

The procedure is pretty simple:

  • Download your patch.
    • Usually it will download as {patchname}.tar.tar so you will have to rename it to {patchname}.tar.gpg
  • Place the patch on your FTP server.
  • Create a repository in ACS that points to the FTP server.
    • For instance, if your FTP server has the IP address of 192.168.1.130 and you copied the patch to the root of the FTP directory you would create a repository as follows:
      • Name: patches
      • Protocol: FTP (FTP sends the username and password in clear text, so use a dedicated account and a server reachable only from the management network)
      • Server Name: 192.168.1.130
      • Path:/
      • Username: {Your FTP username}
      • Password: {Your FTP password}
  • Log in to the ACS CLI with SSH.
  • Issue the command: acs patch install 5-2-0-26-4.tar.gpg repository patches (substitute the name of the patch file you uploaded).

This should start the FTP download and once it’s complete it will start installing the patch. Make sure you keep an eye on the command line because it will likely be asking you if it’s ok to stop the ACS service.

More information on repositories can be found here:


Good luck!!

Thursday, June 7, 2012

Using the ROMMON to load a new image on Cisco ASA Firewall


If for any reason the software image on your Cisco ASA appliance is corrupted and the device does not boot to normal operating mode, then you can load a new image using ROMMON (ROM monitor mode) and TFTP. Follow the steps below to get into ROMMON mode and then assign all necessary settings for uploading the new image file:
Step1: Connect to the ASA firewall using a console cable.
Step2: Power off the appliance and then power it on.
Step3: When the appliance starts, press the Escape key on your keyboard during the first seconds of boot, when prompted, to force the appliance to enter ROMMON mode.
Step4: In ROMMON mode, configure all necessary settings for connecting to the TFTP server to load the new image. You need to connect a PC with TFTP server on a firewall port (e.g Ethernet0/0). Then enter the following commands on the ASA.
rommon #1> ADDRESS=192.168.1.10
rommon #2> SERVER=192.168.1.1
rommon #3> GATEWAY=192.168.1.1
rommon #4> IMAGE=asa800-232-k8.bin
rommon #5> PORT=Ethernet0/0
 
The above configuration will assign an IP address of 192.168.1.10 to interface Ethernet0/0 of the firewall appliance. It will also tell the firewall that the TFTP SERVER is at address 192.168.1.1 and the image to load is asa800-232-k8.bin
Step5: Start the TFTP download from ROMMON with:
rommon #6> tftp
The above instructs the appliance to fetch the image file from the TFTP server and boot it. TFTP has no authentication or integrity protection, and the image is loaded straight into RAM: it is not written to flash. After the firewall boots, log in and check that the expected version is running (show version), then copy the image to flash, verify its MD5 against the hash published on Cisco's download page (verify /md5), and point boot system at it; otherwise the next reload falls back to the corrupted image.

Wednesday, September 14, 2011

cisco ios cheat sheet


ROUTER COMMANDS

TERMINAL CONTROLS (privileged EXEC, not config mode):
·  # terminal editing - allows for enhanced editing commands
·  # terminal monitor - shows log and debug output on the current telnet/SSH session
·  # terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:
·  Config# hostname ROUTER_NAME

BANNER:
·  Config# banner motd # TYPE MESSAGE HERE # - the # is the delimiter and can be substituted with any character not used in the message; it must start and finish the message

DESCRIPTIONS:
·  Config-if# description THIS IS THE SOUTH ROUTER - entered at the interface (Config-if) level

CLOCK:
·  Config# clock timezone Central -6
·  # clock set hh:mm:ss dd month yyyy - privileged EXEC, not config mode. Example: clock set 14:35:00 25 August 2003

CHANGING THE REGISTER:
·  Config# config-register 0x2100 - boot to ROM monitor mode
·  Config# config-register 0x2101 - boot the boot-helper (rxboot) image from ROM
·  Config# config-register 0x2102 - normal boot: load the IOS image from flash and the startup config from NVRAM
    -0x2142 is the password-recovery value (the startup config in NVRAM is ignored at boot); anyone with console access and a power cycle can set it from ROMMON, so physical access to the console port is the real access control

BOOT SYSTEM:
·  Config# boot system tftp FILENAME SERVER_IP - Example: boot system tftp 2600_ios.bin 192.168.14.2
·  Config# boot system rom
·  Config# boot system flash - the boot system commands are tried in the order entered; save the configuration, then # reload

CDP:
·  Config# cdp run - Turns CDP on globally
·  Config# cdp holdtime 180 - how long (seconds) a neighbour keeps this router's entry after the last advertisement. Default is 180
·  Config# cdp timer 30 - Sets the advertisement interval in seconds. The default is 60
·  Config# int Ethernet 0
·  Config-if# cdp enable - Enables CDP on the interface
·  Config-if# no cdp enable - Disables CDP on the interface; do this on interfaces facing users or untrusted networks, since CDP advertises platform, IOS version and addresses in clear text to anyone on the segment
·  Config# no cdp run - Turns CDP off globally

HOST TABLE:
·  Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
-or-
·  Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 205.23.4.2 199.2.3.2 - (for e0, s0, s1)

DOMAIN NAME SERVICES:
·  Config# ip domain-lookup - Tell router to look up domain names
·  Config# ip name-server 122.22.2.2 - Location of DNS server
·  Config# ip domain-name cisco.com - Domain to append to the end of names

CLEARING COUNTERS:
·  # clear counters Ethernet 0 - Clears the counters on the specified interface (clear interface Ethernet 0 resets the interface hardware instead of the counters)
·  # clear counters - Clears all interface counters
·  # clear cdp counters - Clears CDP counters
STATIC ROUTES:
·  Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
·  Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
-or-
·  Config# ip default-network Net_Add - Gateway LAN network

IP ROUTING:
·  Config# ip routing - Enabled by default
·  Config# router rip
-or-
·  Config# router igrp 100
·  Config# interface Ethernet 0
·  Config-if# ip address 122.2.3.2 255.255.255.0
·  Config-if# no shutdown

IPX ROUTING:
·  Config# ipx routing
·  Config# interface Ethernet 0
·  Config# ipx maximum-paths 2 - Maximum equal metric paths used
·  Config-if# ipx network 222 encapsulation sap - Also Novell-Ether, SNAP, ARPA on Ethernet. Encapsulation HDLC on serial
·  Config-if# no shutdown
ACCESS LISTS (number ranges):
·  IP Standard - 1-99
·  IP Extended - 100-199
·  IPX Standard - 800-899
·  IPX Extended - 900-999
·  IPX SAP Filters - 1000-1099

IP STANDARD:
·  Config# access-list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on network 133.2.2.0
-or-
·  Config# access-list 10 permit host 133.2.2.2 - specifies a specific host
-or-
·  Config# access-list 10 permit any - allows any address
·  Config# int Ethernet 0
·  Config-if# ip access-group 10 in - also available: out

IP EXTENDED:
·  Config# access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
    -protocols: tcp, udp, icmp, ip (ip matches any protocol and takes no port), among others
    -source address then destination address, each as network plus wildcard mask, host IP, or any
    -eq, gt, lt, neq, range for port comparison
    -ports can be numeric or by name (23 or telnet, 21 or ftp, etc.)
-or-
·  Config# access-list 101 deny tcp any host 133.2.23.3 eq www
-or-
·  Config# access-list 101 permit ip any any - matches everything left; as the last line it turns the list into "deny only what was denied above". Without it the implicit deny any at the end of every list drops all other traffic
·  Config# interface Ethernet 0
·  Config-if# ip access-group 101 out

IPX STANDARD:
·  Config# access-list 801 permit 233 AA3 - source network/host then destination network/host
-or-
·  Config# access-list 801 permit -1 -1 - “-1” is the same as “any” with network/host addresses
·  Config# interface Ethernet 0
·  Config-if# ipx access-group 801 out

IPX EXTENDED:
·  Config# access-list 901 permit sap 4AA all 4BB all
    - Permit protocol src_add socket dest_add socket
    -“all” includes all sockets, or can use socket numbers
-or-
·  Config# access-list 901 permit any any all any all
    -Permits any protocol with any address on any socket to go anywhere
·  Config# interface Ethernet 0
·  Config-if# ipx access-group 901 in

IPX SAP FILTER:
·  Config# access-list 1000 permit 4aa 3 - “3” is the service type
-or-
·  Config# access-list 1000 permit 4aa 0 - service type of “0” matches all services
·  Config# interface Ethernet 0
·  Config-if# ipx input-sap-filter 1000 - filter applied to incoming packets
-or-
·  Config-if# ipx output-sap-filter 1000 - filter applied to outgoing packets

NAMED ACCESS LISTS:
·  Config# ip access-list standard LISTNAME
    -can be ip or ipx, standard or extended
    -followed by the permit or deny entries, entered at the list sub-prompt
·  Config-std-nacl# permit any
·  Config-if# ip access-group LISTNAME in
    -use the list name instead of a list number
    -allows for a larger number of access-lists, and single entries can be deleted without rebuilding the list
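Wildcard masks are the usual source of mistakes in the standard and extended lists above: a 0 bit means "must match" and a 1 bit means "don't care", the inverse of a subnet mask, and the router gives no warning when a subnet mask is typed by accident. As an added example, not part of the cheat sheet, the POSIX shell script below evaluates the access-list syntax used on this page (standard lists with NET WILDCARD, host IP or any; extended lists with PROTO SRC DST [eq PORT]) the way the router does: first match wins, and anything that falls off the end hits the implicit deny. The ACL text is built from the page's own access-list 10 and 101 entries; ACL10_WRONG is a constructed copy of access-list 10 with a subnet mask in place of the wildcard, to show what that mistake actually matches.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: a small evaluator for the
# access-list syntax shown above, to check what a list matches before it is
# applied with ip access-group. It handles the subset used on this page:
# standard lists (permit|deny NET WILDCARD | host IP | any) and extended lists
# (permit|deny PROTO SRC DST [eq PORT]). First match wins and anything that
# falls off the end hits the implicit deny, as on the router.

# ACL text constructed from the page's own examples
ACL101='access-list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq telnet
access-list 101 deny tcp any host 133.2.23.3 eq www
access-list 101 permit ip any any'

ACL10='access-list 10 permit 133.2.2.0 0.0.0.255'

# The classic mistake: a subnet mask typed where a wildcard mask belongs.
ACL10_WRONG='access-list 10 permit 133.2.2.0 255.255.255.0'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# wild_match IP NET WILDCARD: true when IP matches NET under an IOS wildcard
# (inverse) mask. A 0 bit in the wildcard means "must match", a 1 bit "don't care".
wild_match() {
  ip=$(ip2int "$1"); net=$(ip2int "$2"); wild=$(ip2int "$3")
  [ $(( (ip ^ net) & (~wild & 0xFFFFFFFF) )) -eq 0 ]
}

# port_num NAME|NUMBER -> port number for the names the sheet uses
port_num() {
  case $1 in
    ftp) echo 21 ;; telnet) echo 23 ;; smtp) echo 25 ;;
    domain) echo 53 ;; www|http) echo 80 ;; *) echo "$1" ;;
  esac
}

# addr_match ADDR TOKEN...: prints how many tokens the address spec at the
# front of TOKEN... occupies and returns 0 if ADDR matches that spec
addr_match() {
  addr=$1; shift
  case $1 in
    any)  echo 1; return 0 ;;
    host) echo 2; [ "$addr" = "$2" ] ;;
    *)    echo 2; wild_match "$addr" "$1" "$2" ;;
  esac
}

# acl_eval "ACL TEXT" PROTO SRC DST [DPORT]: prints permit or deny and returns
# 0 for permit, 1 for deny (including the implicit deny at the end of the list)
acl_eval() {
  acl=$1 proto=$2 src=$3 dst=$4 dport=${5:-0} result=deny
  while read -r kw num action rest; do
    [ "$kw" = access-list ] || continue
    set -- $rest
    if [ "$num" -le 99 ]; then                 # standard list: source only
      n=$(addr_match "$src" "$@") && { result=$action; break; }
      continue
    fi
    p=$1; shift                                # extended: proto src dst [eq port]
    [ "$p" = ip ] || [ "$p" = "$proto" ] || continue
    n=$(addr_match "$src" "$@") || continue; shift "$n"
    n=$(addr_match "$dst" "$@") || continue; shift "$n"
    if [ "$1" = eq ]; then
      [ "$(port_num "$2")" -eq "$dport" ] || continue
    fi
    result=$action; break
  done <<EOF
$acl
EOF
  echo "$result"
  [ "$result" = permit ]
}

# show ACL PROTO SRC DST [DPORT]: one line "proto src -> dst:port decision"
show() { printf '%-4s %-12s -> %s:%-5s %s\n' "$2" "$3" "$4" "${5:-0}" "$(acl_eval "$@")"; }
show "$ACL101" tcp 10.0.0.1 133.2.23.3 80       # deny (second line)
show "$ACL101" udp 10.0.0.1 133.2.23.3 80       # permit (not tcp; falls to permit ip any any)
show "$ACL10" ip 133.2.2.77 0.0.0.0              # permit
show "$ACL10_WRONG" ip 133.2.2.77 0.0.0.0        # deny: 255.255.255.0 only pins the last octet
show "$ACL10_WRONG" ip 10.9.8.0 0.0.0.0          # permit: any address ending in .0
```

The match test is the one the router performs: (IP XOR NET) AND NOT WILDCARD must be zero. With the subnet-mask typo the list ignores the first three octets and pins only the last one, so it both rejects the hosts it was meant to admit and admits any address on any network that happens to end in .0.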

PPP SETUP:
·  Config-if# encapsulation ppp
·  Config-if# ppp authentication chap pap
    -order in which they will be tried
    -only attempted with the authentication methods listed
    -if one fails, then the connection is terminated
    -PAP sends the password in clear text over the link; list chap alone unless the peer cannot do CHAP
·  Config-if# exit
·  Config# username Lab-b password 123456
    -username is the router that will be connecting to this one
    -only specified routers can connect
    -the password is stored in the config in clear text (service password-encryption only obscures it with the reversible type 7 scheme), so protect config backups
-or-
·  Config-if# ppp chap hostname ROUTER
·  Config-if# ppp chap password 123456
    -if this is set on all routers, then any of them can connect to any other
    -set the same on all for easy configuration

ISDN SETUP:
·  Config# isdn switch-type basic-5ess - determined by telecom
·  Config# interface serial 0
·  Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1
·  Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2
·  Config-if# encapsulation PPP - or HDLC, LAPD

DDR - 4 steps to setting up ISDN with DDR, plus optional settings
  1. Configure switch type
     Config# isdn switch-type basic-5ess - can also be done at interface config
  2. Configure static routes
     Config# ip route 123.4.35.0 255.255.255.0 192.3.5.6 - sends traffic destined for 123.4.35.0 to the peer at 192.3.5.6
     Config# ip route 192.3.5.6 255.255.255.255 bri0 - specifies how to reach 192.3.5.6 (through bri0)
  3. Configure interface
     Config-if# ip address 192.3.5.5 255.255.255.0
     Config-if# no shutdown
     Config-if# encapsulation ppp
     Config-if# dialer-group 1 - applies dialer-list 1 to this interface
     Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
         -connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
         -can also use "dialer string 5551212" instead if there is only one router to connect to
  4. Specify interesting traffic
     Config# dialer-list 1 ip permit any
     -or-
     Config# dialer-list 1 ip list 101 - use access-list 101 as the dialer list
  5. Other options
     Config-if# hold-queue 75 - queue 75 packets before dialing
     Config-if# dialer load-threshold 125 either
         -load needed before the second line is brought up
         -"125" is any number 1-255, where % load is x/255 (i.e. 125/255 is about 50%)
         -can be checked on in, out, or either
     Config-if# dialer idle-timeout 180
         -determines how long to stay idle before terminating the session
         -default is 120
FRAME RELAY SETUP:
·  Config# interface serial 0
·  Config-if# encapsulation frame-relay - cisco by default, can change to ietf
·  Config-if# frame-relay lmi-type cisco - cisco by default, also ansi, q933a
·  Config-if# bandwidth 56
·  Config# interface serial 0.100 point-to-point - subinterface
·  Config-if# ip address 122.1.1.1 255.255.255.0
·  Config-if# frame-relay interface-dlci 100
    -maps the dlci to the interface
    -can add BROADCAST and/or IETF at the end
·  Config# interface serial 1.100 multipoint
·  Config-if# no frame-relay inverse-arp - turns Inverse ARP off; good to do, so that mappings come only from the static map statements below
·  Config-if# frame-relay map ip 122.1.1.2 48 ietf broadcast
    -maps an IP to a dlci (48 in this case)
    -required if IARP is turned off
    -ietf and broadcast are optional
·  Config-if# frame-relay map ip 122.1.1.3 54 broadcast
SHOW COMMANDS

·  Show access-lists - all access lists on the router
·  Show cdp - cdp timer and holdtime frequency
·  Show cdp entry * - same as next
·  Show cdp neighbors detail - details of neighbor with ip add and ios version
·  Show cdp neighbors - id, local interface, holdtime, capability, platform portid
·  Show cdp interface - int’s running cdp and their encapsulation
·  Show cdp traffic - cdp packets sent and received
·  Show controllers serial 0 - DTE or DCE status
·  Show dialer - number of times dialer string has been reached, other stats
·  Show flash - files in flash
·  Show frame-relay lmi - lmi stats
·  Show frame-relay map - static and dynamic maps for PVC’s
·  Show frame-relay pvc - pvc’s and dlci’s
·  Show history - commands entered
·  Show hosts - contents of host table
·  Show int f0/26 - stats of f0/26
·  Show interface Ethernet 0 - show stats of Ethernet 0
·  Show ip - ip config of switch
·  Show ip access-lists - ip access-lists on switch
·  Show ip interface - ip config of interface
·  Show ip protocols - routing protocols and timers
·  Show ip route - Displays IP routing table
·  Show ipx access-lists - same, only ipx
·  Show ipx interfaces - RIP and SAP info being sent and received, IPX addresses
·  Show ipx route - ipx routes in the table
·  Show ipx servers - SAP table
·  Show ipx traffic - RIP and SAP info
·  Show isdn active - number with active status
·  Show isdn status - shows if SPIDs are valid, if connected
·  Show mac-address-table - contents of the dynamic table
·  Show protocols - routed protocols and net_addresses of interfaces
·  Show running-config - dram config file
·  Show sessions - connections via telnet to remote device
·  Show startup-config - nvram config file
·  Show terminal - shows history size
·  Show trunk a/b - trunk stat of port 26/27
·  Show version - ios info, uptime, address of switch
·  Show vlan - all configured vlan’s
·  Show vlan-membership - vlan assignments
·  Show vtp - vtp configs
CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:
·  Config# ip address 192.168.10.2 255.255.255.0
·  Config# ip default-gateway 192.168.10.1

DUPLEX MODE:
·  Config# interface Ethernet 0/5 - “fastethernet” for 100 Mbps ports
·  Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:
·  Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:
·  Config# mac-address-table permanent aaab.000f.ffef e0/2 - static entry: this MAC is always reached via port e0/2 and is never aged out
·  Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
    -frames for that MAC are forwarded out port e0/2 only when they arrive on port e0/3
    -very restrictive security
·  Config-if# port secure max-mac-count 5 - allows only 5 MAC addresses to be learned on this port; a further address is a security violation

VLANS:
·  Config# vlan 10 name FINANCE
·  Config# interface Ethernet 0/3
·  Config-if# vlan-membership static 10

TRUNK LINKS:
·  Config-if# trunk on - also, off | auto | desirable | nonegotiate
·  Config-if# no trunk-vlan 2
    -removes vlan 2 from the trunk port
    -by default, all vlans are set on a trunk port

CONFIGURING VTP:
·  Config# delete vtp - resets the VTP configuration and revision number; do this before adding a switch to a network, because a switch with a higher revision number than the domain overwrites every other switch's VLAN database (matching domain name and password are all it needs)
·  Config# vtp server - the default is server, also client and transparent
·  Config# vtp domain Camp - name doesn't matter, just so all switches use the same
·  Config# vtp password 1234 - limited security: it keeps mismatched switches out of the domain, but not a switch with the right password and a higher revision number
·  Config# vtp pruning enable - limits flooded traffic on trunks to VLANs that have ports on the downstream switch
·  Config# vtp pruning disable

FLASH UPGRADE:
·  Config# copy tftp://192.5.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:
·  Config# delete nvram