Category Archives: Cisco

TACACS.net Server Cisco IOS NX OS Configurations TACACS+ AAA

“TACACS+ is an Authentication, Authorization, and Accounting (AAA) protocol originally developed for the U.S. Department of Defense for authentication to network devices such as routers, switches, and firewalls. Unlike RADIUS, it separates the Authentication and Authorization functionalities, which makes it more flexible for administrative access. The current version of the protocol standard was developed by Cisco Systems.”

That gives you a good idea of what TACACS+ is used for. TACACS.net is a freeware application that turns any Windows Server installation into a TACACS+ server. I found that it made the most sense to place the TACACS+ server on the Domain Controller, since directory lookups are then local and fastest, but be aware that this exposes the Domain Controller to every managed device on TCP port 49 and widens its attack surface. If your security model or baseline requires the roles to be separated, stay in compliance and spin up another Windows server for TACACS.net.

Below is the configuration for using a TACACS.net server with Cisco MDS series fabric switches and Cisco Nexus 7000 series switches. The Nexus and the MDS share the same NX-OS operating system at the core, but they still need their own client entries (and keys) in the TACACS.net server. These have been tested and verified working! Enjoy!

Configuration files for TACACS.net

  • tacplus.xml
  • authentication.xml
  • authorization.xml
  • clients.xml

All four files are available as a single download, the TACACS+ Configuration Bundle.

Cisco Nexus 7K/5K & MDS 9124/9148 Configuration

! DNS is needed because the TACACS+ servers are referenced by hostname
ip domain-name northwind.lan
ip name-server 10.10.10.1 10.10.10.2
! Enable TACACS+; "tacacs+ enable" at the end is the older MDS/SAN-OS-era form of the same
! command, so depending on the NX-OS release one of the two is enough
feature tacacs+
! Global pre-shared key; it must match the key for these switches in clients.xml on the
! TACACS.net server and is what obfuscates the TACACS+ packet bodies on the wire
tacacs-server key mds_preshared_key
tacacs-server host tacacs-server-1.northwind.lan
tacacs-server host tacacs-server-2.northwind.lan
aaa group server tacacs+ san_admin
server tacacs-server-1.northwind.lan
server tacacs-server-2.northwind.lan
exit
! TACACS+ group first, local user database only if the group cannot be reached
aaa authentication login default group san_admin local
! Worth adding so logins and commands are recorded on the server:
! aaa accounting default group san_admin
tacacs+ enable

NOTE: The Nexus 7000 and the MDS series switches both run NX-OS, so the commands are the same for the MDS series as for the Nexus series product lines. If you have an MDS switch still running SAN-OS, the commands above will not work.

Cisco IOS Configuration

ip domain-name northwind.lan
ip name-server 10.10.10.1
ip name-server 10.10.10.2
aaa new-model
! The method lists below reference the server group network_admins, which the original
! listing never defined; it is added here with the same hostnames. Older IOS trains only
! accept IP addresses under "server", so substitute the resolved addresses if rejected.
aaa group server tacacs+ network_admins
 server tacacs-server-1.northwind.lan
 server tacacs-server-2.northwind.lan
! Login and enable authentication: TACACS+ first, local users / enable secret only if no server answers
aaa authentication login default group network_admins local
aaa authentication enable default group network_admins enable
! Per-command authorization. The trailing "none" fails open: if every TACACS+ server is
! unreachable, any command is authorized. Use "if-authenticated" or "local" if that is not acceptable.
aaa authorization config-commands
aaa authorization commands 0 default group network_admins none
aaa authorization commands 1 default group network_admins none
aaa authorization commands 15 default group network_admins none
! Accounting: exec sessions and privilege-15 commands are reported start/stop to the server
aaa accounting exec default start-stop group network_admins
aaa accounting commands 15 default start-stop group network_admins
! Per-host key; it must match the IOS client entry in clients.xml
tacacs-server host tacacs-server-1.northwind.lan key ios_preshared_key
tacacs-server host tacacs-server-2.northwind.lan key ios_preshared_key
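As an added example, not code from the original post or from TACACS.net, the following Python shows what the pre-shared key configured above actually does on the wire. RFC 8907 section 4.5 specifies that the body of every TACACS+ packet is XORed with an MD5 keystream derived from the session ID, the key, the version byte and the sequence number; the header is always cleartext and there is no integrity check. The session ID, username, line and address in the sample are constructed.

```python
"""TACACS+ packet construction and body obfuscation (RFC 8907, section 4.5).

Added example, not part of the original post or of TACACS.net. The body of
every packet is XORed with an MD5 keystream derived from the session id, the
pre-shared key, the version byte and the sequence number; the same function
decrypts. Sample session id, user, port and address are constructed.
"""
import hashlib
import struct

HEADER = struct.Struct("!BBBB4sI")      # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01         # flags bit: body sent in cleartext
VERSION_DEFAULT = 0xC0                   # major version 0xC, minor version 0

# Authentication START body values (RFC 8907 section 5.1)
AUTHEN_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_{n-1})."""
    seed = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo pad; applying it twice returns the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes,
                       data: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body: 8 fixed bytes followed by the variable-length fields."""
    fixed = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_authen_start(body: bytes) -> dict:
    """Inverse of build_authen_start; garbage (wrong key) fails here or yields nonsense."""
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def build_packet(body: bytes, session_id: bytes, key: bytes,
                 seq_no: int = 1, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header plus body; an empty key sets the UNENCRYPTED flag and ships the body as-is."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(VERSION_DEFAULT, ptype, seq_no, flags, session_id, len(body))
    payload = obfuscate(body, session_id, key, VERSION_DEFAULT, seq_no) if key else body
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode the cleartext header and recover the body with the given key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed sample: a login START for user "admin" arriving on vty0
    sid = bytes.fromhex("deadbeef")
    start = build_authen_start(b"admin", b"vty0", b"10.10.10.236")
    keyed = build_packet(start, sid, b"mds_preshared_key")
    clear = build_packet(start, sid, b"")
    print("username visible with key:   ", b"admin" in keyed)
    print("username visible without key:", b"admin" in clear)
    print(parse_authen_start(parse_packet(keyed, b"mds_preshared_key")["body"]))
    print(parse_packet(keyed, b"ios_preshared_key")["body"][:8].hex(), "<- wrong key")
```

Running it shows that the username is readable in the packet only when the key is empty (UNENCRYPTED flag set), that the same XOR recovers the body, and that a device configured with ios_preshared_key cannot decode a body obfuscated with mds_preshared_key; that is what happens when clients.xml and the switch disagree on the key: the switch cannot parse the server's replies and falls through to the next method in its list. Because this MD5 keystream is obfuscation rather than authenticated encryption, TACACS+ traffic still belongs on a management network an attacker cannot observe or modify.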

Upgrade NX-OS on Cisco MDS 9124 9148 Fabric Switch

Upgrading NX-OS on a Cisco MDS 9148 fabric switch is a straightforward task. Only three commands are needed: two copy commands and the install command, which does all the work. First you need a TFTP server on the same network as the management interface to transfer the files to bootflash. TFTP moves the images in cleartext with no integrity check, so before running the install, compare the MD5 of each image on the switch (show file bootflash:<image> md5sum) with the hash published on the Cisco download page, and run show install all impact with the same kickstart and system arguments to preview whether the upgrade will be disruptive.

These are the only commands you need to upgrade the NX-OS.

copy tftp://192.168.1.2/m9100-s3ek9-kickstart-mz.5.2.1.bin bootflash:/
copy tftp://192.168.1.2/m9100-s3ek9-mz.5.2.1.bin bootflash:/
install all kickstart bootflash:/m9100-s3ek9-kickstart-mz.5.2.1.bin system bootflash:/m9100-s3ek9-mz.5.2.1.bin

This is the install process. Once the files have been verified, review the compatibility and version tables (the Impact column tells you whether the upgrade is disruptive, and the New-Version column should show the release you intended) and press “Y” to continue the installation. Easy peasy.

mds9148# install all kickstart bootflash:/m9100-s3ek9-kickstart-mz.5.2.1.bin system bootflash:/m9100-s3ek9-mz.5.2.1.bin

Verifying image bootflash:/m9100-s3ek9-kickstart-mz.5.2.1.bin for boot variable "kickstart".
[####################] 100% -- SUCCESS

Verifying image bootflash:/m9100-s3ek9-mz.5.2.1.bin for boot variable "system".
[####################] 100% -- SUCCESS

Verifying image type.
[####################] 100% -- SUCCESS

Extracting "system" version from image bootflash:/m9100-s3ek9-mz.5.2.1.bin.
[####################] 100% -- SUCCESS

Extracting "kickstart" version from image bootflash:/m9100-s3ek9-kickstart-mz.5.2.1.bin.
[####################] 100% -- SUCCESS

Extracting "bios" version from image bootflash:/m9100-s3ek9-mz.5.2.1.bin.
[####################] 100% -- SUCCESS

Performing Compact Flash and TCAM sanity test.
[####################] 100% -- SUCCESS

Performing module support checks.                                                  [####################] 100% -- SUCCESS

Notifying services about system upgrade.                                           [####################] 100% -- SUCCESS

Compatibility check is done:
Module  bootable          Impact  Install-type  Reason
------  --------  --------------  ------------  ------
     1       yes  non-disruptive         reset

Images will be upgraded according to following table:
Module       Image                  Running-Version(pri:alt)           New-Version  Upg-Required
------  ----------  ----------------------------------------  --------------------  ------------
     1      system                                   5.0(1a)                5.2(1)           yes
     1   kickstart                                   5.0(1a)                5.2(1)           yes
     1        bios     v1.0.18(01/07/10):  v1.0.18(01/07/10)     v1.0.19(02/01/10)           yes

Do you want to continue with the installation (y/n)?  [n]

Install is in progress, please wait.

Performing runtime checks.                                                         [####################] 100% -- SUCCESS

Notifying services about the upgrade.                                              [####################] 100% -- SUCCESS

Setting boot variables.
[####################] 100% -- SUCCESS

Performing configuration copy.
[####################] 100% -- SUCCESS

Module 1: Refreshing compact flash and upgrading bios/loader/bootrom.
Warning: please do not remove or power off the module at this time.
[####################] 100% -- SUCCESS

Upgrade can no longer be aborted, any failure will result in a disruptive upgrade.

Freeing memory in the file system.                                                 [####################] 100% -- SUCCESS

Loading images into memory.                                                        [####################] 100% -- SUCCESS

Saving linecard runtime state.                                                     [####################] 100% -- SUCCESS

Saving supervisor runtime state.                                                   [####################] 100% -- SUCCESS

Saving mts state.                                                                  [####################] 100% -- SUCCESS

Rebooting the switch to proceed with the upgrade.
All telnet and ssh connections will now be temporarily terminated.

After the installation has completed, it will drop your SSH session. Log in again and run “show version” to verify that the upgrade completed successfully: both the kickstart and system versions should report the new release, and the last reset reason should read “Reset due to upgrade”.

mds9148# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.

Software
  BIOS:      version 1.0.19
  loader:    version N/A
  kickstart: version 5.2(1)
  system:    version 5.2(1)
  BIOS compile time:       02/01/10
  kickstart image file is: bootflash:///m9100-s3ek9-kickstart-mz.5.2.1.bin
  kickstart compile time:  12/25/2020 12:00:00 [07/16/2011 23:02:15]
  system image file is:    bootflash:///m9100-s3ek9-mz.5.2.1.bin
  system compile time:     6/7/2011 13:00:00 [07/17/2011 01:17:25]

Hardware
  cisco MDS 9148 FC (1 Slot) Chassis ("1/2/4/8 Gbps FC/Supervisor-3")
  Motorola, e500v2  with 1036300 kB of memory.
  Processor Board ID JAF1529CJAE

  Device name: mds9148
  bootflash:    1015056 kB
Kernel uptime is 0 day(s), 0 hour(s), 1 minute(s), 48 second(s)

Last reset at 73485 usecs after  Thu Mar  1 06:37:44 2012

  Reason: Reset due to upgrade
  System version: 5.0(1a)
  Service:

After this you can remove the old NX-OS images from bootflash (delete bootflash:<old image>) once you have confirmed there is no reason to revert to the original version.
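Added example, not part of the original post or of Cisco's tooling: a Python script that performs the checks the TFTP step skips. It pairs the kickstart and system files by platform, feature set and release (so a 5.0(1a) kickstart is not installed alongside a 5.2(1) system image), compares each file's MD5 with the value published alongside the download, and after the reboot confirms that a captured show version reports the target release. The format of the published-MD5 list and the sample bytes used in the usage are assumptions.

```python
"""Pre- and post-upgrade checks for an NX-OS kickstart/system image pair.

Added example, not from the original post or from Cisco. Image names follow
the page's m9100-s3ek9-[kickstart-]mz.5.2.1.bin pattern; the published MD5
values are supplied as a dict (constructed in the usage below).
"""
import hashlib
import re
import sys
from pathlib import Path

IMAGE_RE = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<feature>[a-z0-9]+)-(?:(?P<role>kickstart)-)?"
    r"mz\.(?P<version>\d+\.\d+\.\d+[a-z]?)\.bin$"
)
# "  kickstart: version 5.2(1)" / "  system:    version 5.2(1)" lines from show version
VERSION_LINE_RE = re.compile(r"^\s*(kickstart|system):\s+version\s+(\S+)", re.M)


def parse_image_name(name: str) -> dict:
    """Split m9100-s3ek9-kickstart-mz.5.2.1.bin into platform, feature, role and version."""
    m = IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised NX-OS image name: {name}")
    return {"platform": m["platform"], "feature": m["feature"],
            "role": m["role"] or "system", "version": m["version"]}


def nxos_version(file_version: str) -> str:
    """5.2.1 -> 5.2(1), 5.0.1a -> 5.0(1a): the form `show version` prints."""
    major, minor, rest = file_version.split(".", 2)
    return f"{major}.{minor}({rest})"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_pair(kick_name: str, kick_data: bytes, sys_name: str, sys_data: bytes,
                published_md5: dict) -> list:
    """Return a list of problems; an empty list means the pair is safe to copy and install."""
    try:
        kick, system = parse_image_name(kick_name), parse_image_name(sys_name)
    except ValueError as e:
        return [str(e)]
    problems = []
    if kick["role"] != "kickstart" or system["role"] != "system":
        problems.append("arguments are not a kickstart/system pair")
    for field in ("platform", "feature", "version"):
        if kick[field] != system[field]:
            problems.append(f"{field} mismatch: {kick[field]} vs {system[field]}")
    for name, data in ((kick_name, kick_data), (sys_name, sys_data)):
        expected = published_md5.get(name)
        if expected is None:
            problems.append(f"no published MD5 for {name}")
        elif md5_hex(data) != expected.lower():
            problems.append(f"MD5 mismatch for {name}")
    return problems


def check_show_version(output: str, file_version: str) -> dict:
    """Confirm both boot images report the target release after the reboot."""
    want = nxos_version(file_version)
    found = dict(VERSION_LINE_RE.findall(output))
    return {"kickstart": found.get("kickstart") == want,
            "system": found.get("system") == want,
            "reset_due_to_upgrade": "Reset due to upgrade" in output}


if __name__ == "__main__":
    # Usage: python nxos_check.py <kickstart.bin> <system.bin> <md5-list>
    # where <md5-list> holds "<hex>  <filename>" lines (assumed format of the published hashes)
    if len(sys.argv) != 4:
        sys.exit("usage: nxos_check.py KICKSTART SYSTEM MD5LIST")
    kick_path, sys_path, md5_path = map(Path, sys.argv[1:4])
    published = {}
    for line in md5_path.read_text().splitlines():
        digest, _, fname = line.partition("  ")
        if fname.strip():
            published[fname.strip()] = digest.strip()
    result = verify_pair(kick_path.name, kick_path.read_bytes(),
                         sys_path.name, sys_path.read_bytes(), published)
    print("OK: copy both images to bootflash and run install all" if not result
          else "\n".join(result))
```

The kickstart/system pairing check duplicates what install all's compatibility table would report, but catching it before a 100 MB TFTP transfer is cheaper; the MD5 comparison is the check the switch cannot do for you, since it has no idea what hash Cisco published.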


Cisco MAC Address Flapping Causing High CPU Utilization

A MAC flap occurs when a switch receives frames with the same source MAC address on two different physical or logical interfaces. The switch learns each source address and records the interface it was seen on in the MAC address table. When the address flaps, that entry is rewritten every time a frame arrives on the other interface, and each rewrite is handled by the CPU. The more traffic flowing through the flapping interfaces, the higher the CPU utilization, which can have serious side effects: dropped packets, laggy terminal sessions and, at the extreme, complete loss of network connectivity.

The following commands help identify MAC address flapping and high CPU utilization on a Cisco Catalyst series switch. This was performed while troubleshooting CPU utilization on a Cisco Catalyst 4500 series switch, but the same commands should be available on other Cisco switches running IOS (show platform health and the C4K_EBM log messages are specific to the Catalyst 4500; other platforms log MAC flaps as SW_MATM-4-MACFLAP_NOTIF).

cisco4500#show processes cpu
CPU utilization for five seconds: 38%/1%; one minute: 32%; five minutes: 32%
PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
27         524    250268          2  0.00%  0.00%  0.00%   0 TTY Background
28         816    254843          3  0.00%  0.00%  0.00%   0 Per-Second Jobs
29      101100      5053      20007  0.00%  0.01%  0.00%   0 Per-minute Jobs
30    26057260  26720902        975 12.07% 11.41% 11.36%   0 Cat4k Mgmt HiPri
31    19482908  29413060        662 24.07% 19.32% 19.20%   0 Cat4k Mgmt LoPri
32        4468    162748         27  0.00%  0.00%  0.00%   0 Galios Reschedul

The following shows a target CPU percentage and the actual percentage for each platform process. Look for processes whose actual percentage greatly exceeds the target; this identifies what is eating the processing power on the device. In the output below, K2CpuMan Review, the process that handles packets punted to the CPU, is running at 91% against a 30% target. This command is also useful for troubleshooting problems other than MAC address flapping, such as routing loops and other conditions that can bring a network to a halt.

cisco4500#show platform health
%CPU   %CPU    RunTimeMax   Priority  Average %CPU  Total
Target Actual Target Actual   Fg   Bg 5Sec Min Hour  CPU
Protocol-aging-revie   0.20   0.00      2      0  100  500    0   0    0  0:01
Acl-Flattener          1.00   0.00     10      5  100  500    0   0    0  0:04
KxAclPathMan create/   1.00   0.00     10      5  100  500    0   0    0  0:21
KxAclPathMan update    2.00   0.00     10      6  100  500    0   0    0  0:05
KxAclPathMan reprogr   1.00   0.00      2      1  100  500    0   0    0  0:00
TagMan-InformMtegRev   1.00   0.00      5      0  100  500    0   0    0  0:00
TagMan-RecreateMtegR   1.00   0.00     10     14  100  500    0   0    0  0:18
K2CpuMan Review       30.00  91.31     30     92  100  500  128 119   84  13039:02
K2AccelPacketMan: Tx  10.00   2.30     20      0  100  500    2   2    2  1345:30
K2AccelPacketMan: Au   0.10   0.00      0      0  100  500    0   0    0  0:00

First enter enable mode and then configuration mode. Issue the following command to make sure MAC moves are logged, which is what identifies MAC address flapping.

cisco4500(config)#mac address-table notification mac-move

After a period of time, view the log to identify the MAC address that is flapping.

cisco4500(config)#do show log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
...
*Oct  3 08:51:28.149: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.236)
*Oct  3 09:43:46.437: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/40 to port Gi2/30
*Oct  3 09:43:48.629: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/30 to port Gi2/40
*Oct  3 09:43:48.717: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/40 to port Gi2/30
*Oct  3 09:43:49.581: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/30 to port Gi2/40

Furthermore, issue the following command a few times at random intervals to see the MAC address bouncing between two different physical ports.

cisco4500#sh mac address-table address 00:60:48:1B:01:15

Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
400    0060.481b.0115   dynamic ip                    GigabitEthernet2/30

cisco4500#sh mac address-table address 00:60:48:1B:01:15
Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
400    0060.481b.0115   dynamic ip                    GigabitEthernet2/40

What to do depends on your configuration, but it is generally a good idea to shut down one of the two interfaces or to fix the problem with the logical interface, such as a host NIC team or EtherChannel/LACP bundle that the switch side does not match. A MAC address that flaps between two uplink ports rather than two host ports usually points to a loop elsewhere in the network instead.
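Added example, not from the original post: detection logic in Python run over the log lines shown above. It extracts each %C4K_EBM-4-HOSTFLAPPING move, normalizes the MAC into the dotted form that show mac address-table prints, and flags any VLAN/MAC pair that moves between ports more than a threshold number of times inside a sliding window. As an extension beyond the page it also accepts the %SW_MATM-4-MACFLAP_NOTIF message that other Catalyst platforms log. The year (IOS syslog timestamps carry none), the threshold and the window are assumptions.

```python
"""Detect MAC address flapping from Catalyst syslog output.

Added example, not part of the original post. Parses the Catalyst 4500
%C4K_EBM-4-HOSTFLAPPING messages (copied from the page below) and, as an
extension, the %SW_MATM-4-MACFLAP_NOTIF form used by other Catalyst IOS
platforms. Year, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

TIMESTAMP_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)")
C4K_RE = re.compile(
    r"%C4K_EBM-4-HOSTFLAPPING: Host (?P<mac>[0-9A-Fa-f:.]+) in vlan (?P<vlan>\d+) "
    r"is moving from port (?P<p1>\S+) to port (?P<p2>\S+)"
)
MATM_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9A-Fa-f:.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Sample log lines copied from the page (the first one is noise that must be ignored)
SAMPLE_LOG = [
    "*Oct  3 08:51:28.149: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.10.236)",
    "*Oct  3 09:43:46.437: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/40 to port Gi2/30",
    "*Oct  3 09:43:48.629: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/30 to port Gi2/40",
    "*Oct  3 09:43:48.717: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/40 to port Gi2/30",
    "*Oct  3 09:43:49.581: %C4K_EBM-4-HOSTFLAPPING: Host 00:60:48:1B:01:15 in vlan 400 is moving from port Gi2/30 to port Gi2/40",
]


def normalize_mac(mac: str) -> str:
    """00:60:48:1B:01:15 -> 0060.481b.0115, the form `show mac address-table` prints."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_timestamp(line: str, year: int):
    """Return a datetime for an IOS syslog timestamp, or None if the line has none."""
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    ts = re.sub(r"\s+", " ", m["ts"])            # "Oct  3" -> "Oct 3"
    fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
    return datetime.strptime(f"{year} {ts}", fmt)


def parse_flap_events(lines, year: int = 2012):
    """Yield (timestamp, vlan, mac, port_a, port_b) for every flap message with a timestamp."""
    for line in lines:
        m = C4K_RE.search(line) or MATM_RE.search(line)
        if not m:
            continue
        ts = parse_timestamp(line, year)
        if ts is None:                              # cannot place it in a window
            continue
        yield ts, int(m["vlan"]), normalize_mac(m["mac"]), m["p1"], m["p2"]


def find_flapping(lines, threshold: int = 3, window_seconds: float = 60, year: int = 2012) -> dict:
    """Map (vlan, mac) -> summary for pairs that moved >= threshold times inside any window."""
    events = defaultdict(list)
    for ts, vlan, mac, p1, p2 in parse_flap_events(lines, year):
        events[(vlan, mac)].append((ts, p1, p2))
    findings = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e[0])
        times = [e[0] for e in evs]
        best, start = 0, 0                          # densest window by two-pointer sweep
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            ports = sorted({p for _, a, b in evs for p in (a, b)})
            findings[key] = {"ports": ports, "moves": len(evs), "max_in_window": best}
    return findings


if __name__ == "__main__":
    for (vlan, mac), info in find_flapping(SAMPLE_LOG).items():
        print(f"vlan {vlan} {mac}: {info['moves']} moves between {', '.join(info['ports'])}")
```

The normalized MAC lets you feed the result straight into show mac address-table address, and the port list tells you which two interfaces to compare; a single pair appearing thousands of times an hour is the flapping case described above, while many MACs moving between the same two ports points at a loop or a mismatched channel rather than one misbehaving host.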

For further information and Cisco official documentation, see http://www.cisco.com/c/en/us/support/docs/switches/catalyst-4000-series-switches/65591-cat4500-high-cpu.html


SNMP v3 + Cisco IOS Crash Course

SNMPv3 adds authentication and encryption (AES, DES, 3DES) for managing core routers and switches, where SNMPv1/v2c send their community strings in cleartext. CiscoWorks LAN Management Solution (LMS) requires SNMPv3 to be enabled and set up correctly for port VLAN tagging and various other features through the LMS web interface. Here is a simple crash course on setting up SNMPv3 on a Cisco IOS device. The first step defines the views, the MIB subtrees a group is allowed to see: one for read and one for write. Note that including the internet subtree (1.3.6.1) in the write view grants write access to the entire MIB; in production, restrict the write view to the objects the NMS actually needs to change.

snmp-server view readview internet included
snmp-server view writeview internet included

This step attaches a view to a group. To keep things simple we follow the same layout as the views: a group for read (readgroup) and a group for read/write (writegroup). Both groups specify priv, so requests that are not both authenticated and encrypted are refused. Append access <acl> to either line to restrict which source addresses may use the group at all.

snmp-server group readgroup v3 priv read readview
snmp-server group writegroup v3 priv write writeview

Add a user to readgroup or writegroup with an authentication password and a privacy passphrase; both must be at least 8 characters. Repeat this step for additional users. Two IOS quirks are worth knowing: the snmp-server user line is not displayed in the running configuration (use show snmp user to list users), and the passwords are stored as keys localized to the device's SNMP engine ID, so changing the engine ID deletes every SNMPv3 user.

snmp-server user <username> <group> v3 auth sha <authpass> priv aes 256 <passphrase>

Finally, define where notifications are sent: snmp-server host names the management station that receives traps (or informs) and the SNMPv3 user whose keys protect them. This line does not control which hosts may poll the switch; use an ACL on the group for that.

snmp-server host <ipaddress/fqdn> version 3 priv <user>
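Added example, not from the original post or from IOS: a Python implementation of the RFC 3414 key derivation that turns the <authpass> and <passphrase> given to snmp-server user into the keys the switch actually stores. The password is stretched by hashing one megabyte of its own repetition (Ku) and then bound to the device's SNMP engine ID (Kul; show snmp engineID displays it on the device), which is why the same passphrase gives every device a different key and why changing the engine ID deletes the users. The maplesyrup values are the RFC's own test vector, the second engine ID is constructed, and the key-extension step IOS applies for priv aes 256 is out of scope.

```python
"""SNMPv3 USM key derivation (RFC 3414, appendix A.2).

Added example, not part of the original post or of IOS. Ku is the digest of
1 MiB of the repeated password; Kul = H(Ku || engineID || Ku) is the key
the agent stores. Engine IDs below are the RFC test vector and a constructed
Cisco-style value. AES-256 key extension is deliberately not implemented.
"""
import hashlib

MIN_PASSWORD_LEN = 8            # RFC 3414 section 11.2
STRETCH_LEN = 1_048_576         # bytes of repeated password hashed to produce Ku


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """Ku: digest of the password repeated to fill 1 MiB (the RFC's deliberate slowdown)."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    reps = STRETCH_LEN // len(password) + 1
    return hashlib.new(hash_name, (password * reps)[:STRETCH_LEN]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-device key the agent actually stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def password_to_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    return localize_key(password_to_ku(password, hash_name), engine_id, hash_name)


def usm_keys(authpass: bytes, privpass: bytes, engine_id: bytes) -> dict:
    """Keys an `auth sha ... priv aes 128` user resolves to on the device with this engine ID.

    The auth key is the full 20-byte SHA-1 localized key; AES-128 uses the first 16 bytes
    of the localized privacy key. AES-192/256, as in the page's `priv aes 256`, require a
    vendor-specific key-extension step that is not implemented here.
    """
    return {
        "auth_key": password_to_key(authpass, engine_id, "sha1"),
        "priv_key": password_to_key(privpass, engine_id, "sha1")[:16],
    }


if __name__ == "__main__":
    rfc_engine = bytes.fromhex("000000000000000000000002")   # RFC 3414 A.3 test vector
    other_engine = bytes.fromhex("800000090300aabbccddee")   # constructed: Cisco (enterprise 9), MAC format
    print("Ku           :", password_to_ku(b"maplesyrup").hex())
    print("Kul (RFC)    :", password_to_key(b"maplesyrup", rfc_engine).hex())
    print("Kul (other)  :", password_to_key(b"maplesyrup", other_engine).hex())
    print(usm_keys(b"maplesyrup", b"maplesyrup", other_engine))
```

The same passphrase produces an unrelated key on the second engine ID, which is what makes a captured SNMPv3 exchange useful only against the one device it came from; the 1 MiB stretching is the RFC's deliberate cost against offline guessing of that key, and it is the reason the snmp-server user command pauses noticeably on older platforms.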