Tuesday, April 27, 2010

100M ethernet over copper/RJ45. I hate it.

As near as I can tell, way too many networking vendors handle autonegotiation incorrectly for 100M ethernet.

I mean, it could be worse -- things could fall back to 10M.

If a fastethernet port is set to autonegotiate, when it sees link, it tries to - as you might guess - negotiate the speed and duplex. If the device at the far side doesn't negotiate in a compatible fashion or at all, a port set to autonegotiate will fall back to half duplex.

If this happens, then at best you end up with both sides at half duplex (annoying but not catastrophic) or with a duplex mismatch. A duplex mismatch can totally hose your performance.

Honestly, when dealing with 100M, I'd just as soon hard-set everything to full duplex and be done with it.
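To make the fallback rule concrete, here is a small added model of how the duplex on each side of a 100M link ends up, written for this post rather than taken from it. It applies the rule stated above (an autonegotiating port whose peer does not negotiate drops to half duplex; a hard-set port just uses its setting) to every combination of port settings and flags the mismatches. The assumption that two autonegotiating 100M ports settle on full duplex is ours, as is the constructed link inventory at the bottom.

```python
"""Model of 100M duplex outcomes under the autonegotiation fallback rule.

Added example, not code from the original post. Assumption: when both ends
autonegotiate they agree on full duplex; everything else follows the rule
described in the post.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PortSetting:
    autoneg: bool          # True = port set to autonegotiate
    duplex: str = "full"   # only meaningful when autoneg is False


def resolve_duplex(a: PortSetting, b: PortSetting) -> tuple:
    """Return the operational duplex (side_a, side_b) once link comes up."""
    if a.autoneg and b.autoneg:
        # Both ends negotiate; assumed to agree on 100M full duplex.
        return ("full", "full")
    if a.autoneg and not b.autoneg:
        # Peer is hard-set and does not negotiate: the auto side can still
        # sense the speed from the link signal but falls back to half duplex.
        return ("half", b.duplex)
    if not a.autoneg and b.autoneg:
        return (a.duplex, "half")
    # Both hard-set: each side simply uses what it was told.
    return (a.duplex, b.duplex)


def duplex_mismatch(a: PortSetting, b: PortSetting) -> bool:
    """True when the two ends would run at different duplex settings."""
    da, db = resolve_duplex(a, b)
    return da != db


def audit_links(links: dict) -> list:
    """Return the names of links whose configured ends will mismatch."""
    return [name for name, (a, b) in links.items() if duplex_mismatch(a, b)]


# Constructed inventory: link name -> (our port, far-side port).
AUTO = PortSetting(autoneg=True)
FULL = PortSetting(autoneg=False, duplex="full")
HALF = PortSetting(autoneg=False, duplex="half")

SAMPLE_LINKS = {
    "core-to-dist": (AUTO, AUTO),   # both negotiate: fine
    "dist-to-server": (AUTO, FULL), # server hard-set full: we drop to half
    "dist-to-printer": (AUTO, HALF),# both half: slow but consistent
    "dist-to-fw": (FULL, FULL),     # both hard-set full: fine
    "dist-to-legacy": (FULL, HALF), # hard-set disagreement
}

if __name__ == "__main__":
    for name, (a, b) in SAMPLE_LINKS.items():
        print(f"{name:16s} {resolve_duplex(a, b)}")
    print("mismatched:", audit_links(SAMPLE_LINKS))
```

The interesting row is "dist-to-server": hard-setting only one end of a link to full duplex produces exactly the mismatch the post warns about, which is why the post's advice is to hard-set both ends or neither.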

Sunday, April 25, 2010

Chicks in IT

I'm a bit busy, so this is just a bunch of links that I have found interesting as a woman working in the IT field.

Back in 1991, Ellen Spertus wrote an excellent piece "Why Are There So Few Women in Computer Science". Some things have changed since then, but not as much as one might hope.

Some linux folks carried on with How to Encourage Women in Linux

A good bit on reddit from "TwoXChromosomes" with some information snippets about women in computing and other fields.

An LA Times article, "Men Who Explain Things". Ahh. Male Answer Syndrome.

Tuesday, April 20, 2010

"No, I thought *you* were supposed to keep track of the password!"

"Would your holiness care to change her password?" --Hackers

Password recovery on the Cisco 2900 series is a little bit more involved than password recovery on a 2800 -- you need physical access to the switch to push a button. Remote-control power outlets won't help you here. Instead of typing the "break" sequence at boot time, you need to push the "MODE" button.

picture of a Cisco 2960 with the 'MODE' button indicated

So, yeah, connect up your console, power cycle the switch (there's no power switch, so you have to unplug/replug it), and then press and hold the "MODE" button as you power it up.

The top LED above the MODE button is labelled "SYST". This LED will begin to flash green during the POST, and - if you are holding down the "MODE" button -- will eventually turn solid green. At that point, you can release the "MODE" button.

You should see console output that looks something like this:

Base ethernet MAC Address: de:ad:be:ef:ca:fe
Xmodem file system is available.
The password-recovery mechanism is enabled.

The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:



Next, issue the "flash_init" command so the switch initializes its flash filesystem, and then the "load_helper" command:
switch: flash_init
Initializing Flash...
flashfs[0]: 602 files, 19 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 32514048
flashfs[0]: Bytes used: 12889088
flashfs[0]: Bytes available: 19624960
flashfs[0]: flashfs fsck took 10 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs) installed, fsid: 3
Setting console baud rate to 9600...

switch: load_helper


If you do a directory listing of the flash filesystem, you should see a file named "config.text", which contains the startup configuration for your device. Renaming that to something other than "config.text" (or, if you want to do a full wipe, deleting it) will cause the switch to boot up without a startup config.

switch: rename flash:config.text flash:config.old

Issuing the "boot" command will start the rest of the boot process. Once it's up and ready, answer "no" to the initial configuration prompt.

switch: boot
Loading "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"...@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
File "flash:c2960-lanbasek9-mz.122-25.SEE4.bin" uncompressed and installed, entry point: 0x3000

Restricted Rights Legend
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TT-L 12.2(25)SEE4 C2960-LANBASEK9-M

Press RETURN to get started!

Would you like to enter the initial configuration dialog? [yes/no]: no

Since the switch doesn't have a config, you can go into enable mode without needing to use a password. Then you can load the old config into running memory.

Switch#copy flash:config.old running
Destination filename [running-config]?
Failed to generate persistent self-signed certificate.
3298 bytes copied in 0.361 secs (9136 bytes/sec)

And now you can change the password to whatever you want.

My-Pet-Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
My-Pet-Switch(config)#ena sec Y0ullNeverGuess
My-Pet-Switch(config)#line con 0
My-Pet-Switch(config)#pass ThisIsMyPW
My-Pet-Switch(config)#line vty 0 15
My-Pet-Switch(config)#pass ThisIsMyPW
My-Pet-Switch(config)#wr mem

Don't forget to save the config to memory!

If you want to keep the old config for some archival purpose, you can tftp it off. Otherwise, you can delete it with the "delete flash:config.old" command.

Friday, April 16, 2010

"Wait, I thought you knew the password..."

"My voice is my passport. Verify me."

So, there you are, with a cisco 2800 series router that you need to reconfigure. And you're all set to take some down time, reconfigure it, and drop back into service.

Only you don't have the password for it. The password is lost, or forgotten, or was typo'd initially. Something like that. Which makes any further configuration tasks kind of difficult.

Password recovery on the cisco 2800 is pretty trivial. You don't even have to do a full wipe to factory defaults, so no configuration data is lost. You need to be able to power cycle the router, so you need to have either physical access or the ability to remotely control whatever outlet is feeding your router. If you've got that, then it just takes a console connection and about 10 minutes of downtime. Non-enable exec access to the unprivileged command line interface is helpful, but not required.

First, make sure you know how to send a "break" signal with whatever you're using to connect to the console - whether directly to the console from a serial port on your computer, or via some kind of remote console server.

Connect to your router's console port. If you've got the CLI access, run the command "sh ver | inc register". Your output should be something like:
Configuration register is 0x2102

Make a note of that hexadecimal value. If you don't have CLI access, just assume it's 0x2102, because that's almost certainly what it is.

This is the configuration register, which tells the router important things at boot time, like "Should I load IOS? Should I load the config that's in my NVRAM?" What you need to do is tell it that, in fact, it should not load the NVRAM config on boot. This is done by modifying the config register. To do that, you need to get into "rommon" mode.

Power cycle your router, and then send the "break" sequence within the first 60 seconds of power-on.

It should display a message "System received an abort due to break key", and then a bit more text, and then the "rommon 1>" prompt. If it starts to self-decompress its IOS image, you've missed your opportunity and you'll need to power cycle the router and try sending the break sequence again.

Change the value for the configuration register with the command
confreg 0x2142

Reset the router with the "reset" command. At this point, the router should go through its normal boot sequence, decompressing the IOS image and starting up IOS. But since it's not loading the configuration from NVRAM, it will ask you if you want to go through the initial configuration dialog, just as if it were a new router out of the box. You don't want the guided setup, so you can answer "n" to the question:

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Hit return a few times to get to the "Router>" prompt, and then go into enable mode -- you will not be prompted for a password -- and then tell the router to load the "startup-config" configuration from NVRAM into running memory.

Router#copy startup-config running-config
Destination filename [running-config]?

You should then see messages about interfaces coming up and other normal messages as the router processes your config information. Once it's done with that, you should have a prompt for the configured hostname of your router. At this point, you can change the passwords and enable secrets as normal, enable your live interfaces, and then save the config to NVRAM to save your changes.

MyPetRouter# conf t
Enter configuration commands, one per line. End with CNTL/Z.
MyPetRouter(config)# (stuff to bring your interfaces up)
MyPetRouter(config)#ena sec Y0ullNeverGuess
MyPetRouter(config)#line con 0
MyPetRouter(config)#pass ThisIsMyPW
MyPetRouter(config)#line vty 0 15
MyPetRouter(config)#pass ThisIsMyPW
09:22:00: %SYS-5-CONFIG_I: Configured from console by console
MyPetRouter#wr t
Building configuration...

Take a look at the configuration, and the interfaces, and verify that the router looks like you want it to -- that interfaces are up and happy. You don't want to be accidentally saving a config that has all your interfaces in "shutdown" mode. Since "no shut" is the default state, the config you loaded won't include the "no shut" commands explicitly. So make sure all your active interfaces are up.

Now, you need to reset the configuration register to the previous value so that the next time the router reboots, it will read the NVRAM config.

MyPetRouter(config)#config-register 0x2102
09:29:00: %SYS-5-CONFIG_I: Configured from console by console

Do a "sh ver" to make sure the configuration register reads "0x2102". If you have the spare time in your downtime window and you want to be extra sure, do a clean reload on the router and make sure it comes up happily. Because nothing sucks like being locked out of a router because of something you did in an attempt to not be locked out of a router.
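The final check above (making sure "sh ver" reports 0x2102 again) is easy to forget on one router and painful to discover later, so here is an added checker, not from the original post, that does the same verification over saved "show version" output from several devices. It parses the "Configuration register is ..." line, handles the "(will be 0x.... at next reload)" form IOS prints when the register has been changed but the router has not reloaded yet, and flags any device whose register has bit 6 (0x0040, the ignore-NVRAM bit that turns 0x2102 into 0x2142) set. The device names and the output snippets are constructed for the example.

```python
"""Audit Cisco IOS config registers from saved 'show version' output.

Added example, not the post's own procedure. Device names and the sample
output below are constructed; only the line format follows IOS.
"""

import re

IGNORE_NVRAM_BIT = 0x0040   # set in 0x2142, clear in 0x2102
EXPECTED = 0x2102

# Matches the plain form and the "will be ... at next reload" form.
_REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?:\s*\(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def parse_config_register(show_version: str) -> tuple:
    """Return (current, next_reload) as ints; next_reload equals current
    when no pending change is reported. Raises ValueError if absent."""
    m = _REG_LINE.search(show_version)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending


def audit_register(name: str, show_version: str) -> list:
    """Return human-readable findings for one device (empty list = OK)."""
    findings = []
    try:
        current, pending = parse_config_register(show_version)
    except ValueError as exc:
        return [f"{name}: {exc}"]
    if pending & IGNORE_NVRAM_BIT:
        findings.append(f"{name}: next boot ignores NVRAM config "
                        f"(register {pending:#06x})")
    if current & IGNORE_NVRAM_BIT:
        findings.append(f"{name}: currently booted ignoring NVRAM "
                        f"(register {current:#06x})")
    if pending != EXPECTED and not findings:
        findings.append(f"{name}: unexpected register {pending:#06x}, "
                        f"expected {EXPECTED:#06x}")
    return findings


def audit_fleet(outputs: dict) -> list:
    """Run audit_register over {device_name: show_version_text}."""
    result = []
    for name, text in outputs.items():
        result.extend(audit_register(name, text))
    return result


# Constructed sample output, trimmed to the lines the parser needs.
SAMPLE_OUTPUTS = {
    "edge-rtr-1": "Cisco IOS Software ...\nConfiguration register is 0x2102\n",
    # Recovery done, register fixed, but the router has not been reloaded.
    "edge-rtr-2": "Configuration register is 0x2142 "
                  "(will be 0x2102 at next reload)\n",
    # Someone forgot the last step of the recovery procedure.
    "edge-rtr-3": "Configuration register is 0x2142\n",
    "edge-rtr-4": "Cisco IOS Software ...\n(no register line captured)\n",
}

if __name__ == "__main__":
    for line in audit_fleet(SAMPLE_OUTPUTS):
        print(line)
```

Run against real output, "edge-rtr-2" is the state you are in right after fixing the register but before the confirming reload the post recommends, and "edge-rtr-3" is the router that will come up with no configuration at its next unplanned reboot.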

Wednesday, April 14, 2010

A few links - pinouts and pictures

AllPinouts has a wiki full of pinout data: http://www.allpinouts.org/

Pictures of other people's stuff!
Via techrepublic... Server room cabling nightmares

On the other side, a company in Sweden has a computing environment fit for a James Bond villain.

Big data centers! A list from datacenterknowledge.com

And also from datacenterknowledge, articles about the growing trend of Data Centers in a box.

Sunday, April 11, 2010


The Kandinsky is painted on both sides! -- "Six Degrees of Separation"

Don't just label your gear, label it on both the front and the back. (Or the sides/top/bottom -- whatever sides people are going to be using to identify the equipment and work on it.)

This sounds kind of obvious, but I've worked in places where this seemed to be a strange new concept.

Clear labeling of your network equipment, on both the front and the back can speed troubleshooting - particularly if you've got someone doing the hands-on work who is less familiar with the setup. If you're likely to have colo staff doing remote hands work, be even more fastidious about your labeling.

Make sure that the label is visible. If your machine has a separate faceplate that needs to be removed for maintenance access, label the faceplate and label the surface under the faceplate. That way, if someone puts the wrong faceplate back on the machine, a person doing maintenance can see the mismatch.

Make sure that the label is well-secured. If it's falling off or has lost its adhesive, replace it or tape over it with clear adhesive tape to re-secure it.


About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.