Tuesday, November 20, 2012

Nexus Port Profiles


Real short one today. This post is about Nexus port profiles. Port profiles are great for ensuring consistency across port configurations: you configure a template once and a group of ports inherits it. There are three types of port profile: Ethernet, Interface-VLAN (SVI) and Port-Channel. In my example, we'll be configuring several ports as "VM Server" ports. Some may ask why one would choose a profile over the plain "interface range" command. In my opinion, port profiles are stricter. The range command configures whatever ports you happen to select at that moment; a port profile configures ALL ports that inherit it, and any configuration later added to the profile is pushed to every inheriting port as well. That cuts both ways: it keeps edge-port hardening such as BPDU guard from silently drifting between ports, but it also means a mistake in the profile hits every port at once, so treat a profile edit like any other change to many ports.
Here’s an example:
n5k-1(config)# port-profile type ethernet VM
n5k-1(config-port-prof)# switchport access vlan 225
n5k-1(config-port-prof)# spanning-tree port type edge
n5k-1(config-port-prof)# spanning-tree bpduguard enable
n5k-1(config-port-prof)# state enabled
Pretty basic. We create an "ethernet" port profile named VM and assign some config to it. The command "state enabled" makes the profile usable; without it we wouldn't be able to inherit the profile on a port.

Here is how we assign the config to a group of ports:
n5k-1(config)# int e1/22 - 25
n5k-1(config-if-range)# inherit port-profile VM
We select a range of ports and tell them to inherit the VM profile. That's all. One caveat: a command entered directly on one of these interfaces takes precedence over the same command in the profile, so if a port doesn't behave the way the profile says it should, check the interface itself for an override.

Now we will do some verification:
n5k-1(config-port-prof)# sh port-profile
port-profile VM
 type: Ethernet
 description:
 status: enabled
 max-ports: 512
 inherit:
 config attributes:
  switchport access vlan 225
  spanning-tree port type edge
  spanning-tree bpduguard enable
 evaluated config attributes:
  switchport access vlan 225
  spanning-tree port type edge
  spanning-tree bpduguard enable
 assigned interfaces:
  Ethernet1/22
  Ethernet1/23
  Ethernet1/24
  Ethernet1/25
This command tells us everything: the profile is enabled, the config it's using (the "evaluated config attributes" are what is actually applied, including anything pulled in from a parent profile listed under "inherit") and which ports are inheriting it.
Here’s another way to find profile information:
n5k-1(config-port-prof)# sh run port-profile
port-profile type ethernet VM
  switchport access vlan 225
  spanning-tree port type edge
  spanning-tree bpduguard enable
  state enabled
 
interface Ethernet1/22
  inherit port-profile VM
 
interface Ethernet1/23
  inherit port-profile VM
 
interface Ethernet1/24
  inherit port-profile VM
 
interface Ethernet1/25
  inherit port-profile VM

That's it. Pretty simple to understand and configure, but also very useful. One more thing worth knowing when you verify: "show run interface" for an inheriting port shows only the "inherit port-profile VM" line, not the commands the port picked up; add the expand-port-profile keyword (for example "show run interface e1/22 expand-port-profile") to see the port's effective configuration.
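Because a profile pushes the same hardening to every inheriting port, the useful check is not "does the config look right" but "is every server port actually inheriting an enabled profile that carries edge + BPDU guard". The script below is an added example, not part of the original post or anything Cisco ships: it parses the text of "show port-profile" (the sample is constructed and reuses the VM output above plus a made-up STORAGE profile that was never enabled and lacks BPDU guard), expands an NX-OS style interface range, and reports drift. Profile and interface names beyond those in the post are assumptions.

```python
import re

# Constructed sample of "show port-profile" output: the VM profile from
# the post, plus a made-up STORAGE profile that was never enabled and
# lacks BPDU guard, so the audit has something to flag.
SAMPLE = """\
port-profile VM
 type: Ethernet
 description:
 status: enabled
 max-ports: 512
 inherit:
 config attributes:
  switchport access vlan 225
  spanning-tree port type edge
  spanning-tree bpduguard enable
 evaluated config attributes:
  switchport access vlan 225
  spanning-tree port type edge
  spanning-tree bpduguard enable
 assigned interfaces:
  Ethernet1/22
  Ethernet1/23
  Ethernet1/24
  Ethernet1/25
port-profile STORAGE
 type: Ethernet
 description: iSCSI hosts
 status: disabled
 max-ports: 512
 inherit:
 config attributes:
  switchport access vlan 300
  spanning-tree port type edge
 evaluated config attributes:
  switchport access vlan 300
  spanning-tree port type edge
 assigned interfaces:
  Ethernet1/30
"""

LIST_SECTIONS = ("config attributes", "evaluated config attributes",
                 "assigned interfaces")
# What every Ethernet profile used for server ports must apply.
REQUIRED_EDGE = ("spanning-tree port type edge", "spanning-tree bpduguard enable")


def parse_port_profiles(text):
    """Parse 'show port-profile' output into {name: fields}.

    Scalar fields (' key: value', one-space indent) become strings; the three
    list sections collect their two-space-indented lines.
    """
    profiles = {}
    current = section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):                 # 'port-profile NAME'
            current = profiles[raw.split(None, 1)[1]] = {
                "type": "", "status": "", "inherit": "",
                **{s: [] for s in LIST_SECTIONS},
            }
            section = None
            continue
        if current is None:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 1:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key in LIST_SECTIONS:
                section = key
            else:
                current[key] = value
                section = None
        elif section is not None:
            current[section].append(line)
    return profiles


def expand_range(spec):
    """Expand NX-OS range syntax, e.g. 'Ethernet1/22-25' -> four interface names."""
    m = re.fullmatch(r"(Ethernet\d+/)(\d+)\s*-\s*(\d+)", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def audit(profiles, expected):
    """Check profiles against expected = {name: set(interfaces that must inherit it)}.

    Returns a list of findings (empty means clean). The evaluated attributes are
    checked rather than the config attributes, because that is what the switch
    actually applies, including anything pulled in from a parent profile.
    """
    findings = []
    for name, want in expected.items():
        p = profiles.get(name)
        if p is None:
            findings.append(f"{name}: profile not present on switch")
            continue
        if p["status"] != "enabled":
            findings.append(f"{name}: status is '{p['status']}', ports cannot inherit it")
        if p["type"].lower() == "ethernet":
            applied = set(p["evaluated config attributes"])
            for attr in REQUIRED_EDGE:
                if attr not in applied:
                    findings.append(f"{name}: missing '{attr}'")
        for iface in sorted(want - set(p["assigned interfaces"])):
            findings.append(f"{name}: {iface} does not inherit the profile")
    return findings


if __name__ == "__main__":
    profiles = parse_port_profiles(SAMPLE)
    expected = {"VM": set(expand_range("Ethernet1/22-25")),
                "STORAGE": set(expand_range("Ethernet1/30-31"))}
    for finding in audit(profiles, expected) or ["clean"]:
        print(finding)
```

Feed it the real output of "show port-profile" (captured over SSH or pasted into a file) and the interface ranges your build standard says each profile owns; the three kinds of drift it reports are exactly the ones that make a port profile less safe than it looks: a profile left in "state disabled", a profile missing the edge/BPDU-guard pair, and a server port that was never told to inherit.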

Monday, October 31, 2011

ASA 5510 IOS 8.x ASDM firewall dashboard IOS commands

As of ASA 8.x, the ASDM has some excellent features for tracking down top talkers and getting a better view into your traffic flows, but each of them (especially Top 10 Services) is backed by a threat-detection statistics feature that uses a good bit of RAM. If you are running a 5510 or smaller, that can run you out of memory. The ASDM gives you the option to enable these features, but to disable them you need the command line.

Use the 'no' keyword in front of the commands below to disable those functions. Note that "threat-detection statistics" with no keyword turns all of these statistics on at once, and that none of this touches basic threat detection ("threat-detection basic-threat"), which is on by default and is not the memory hog. Confirm what is currently enabled with "show run threat-detection".

Top 10 Access-Lists
======================================
enable
threat-detection statistics access-list
disable
no threat-detection statistics access-list

Top 10 Services (Very Memory Intensive - use only when troubleshooting)
======================================
enable
threat-detection statistics port
threat-detection statistics protocol
disable
no threat-detection statistics port
no threat-detection statistics protocol

Top 10 Sources / Top 10 Destinations (same command)
======================================
enable
threat-detection statistics host
disable
no threat-detection statistics host

Tuesday, October 11, 2011

Using the Apple iPad/iPhone Configuration Utility for VPN

For my VPN profile I will call it “com.tobiasvpn.profile”.

Select the “VPN” section and click “Configure” to configure our settings.

Here I’ll setup the specifics for my VPN connection.

“Connection Name”     Tobias’ Home VPN
“Connection Type”    L2TP
“Server”        myhouse.fatofthelan.com
“Account”        admin
“User Authentication”    Password
“Shared Secret”        mysooooperpassword
“Send All Traffic”    Checked

Now I have a very basic configuration that will automatically set up the VPN client on my iPhone to connect back to my house. Next I have to get it onto the iPhone. The easiest way for me is to email the profile to myself so I can install it. To do this click the "Share" button and you'll be presented with the option to sign the profile before sending it. I just accepted the default option to "Sign Configuration Profile" and clicked "Share". This opens a new email message with the profile file attached, ready to send to myself. Send the email and look for it in your email on your iPhone. Keep in mind what is in that attachment: the profile is an XML property list inside a signature wrapper, and signing only proves who created it, it does not encrypt it. The L2TP shared secret is stored in it base64-encoded, so anyone who can read the mailbox (including the sent-items folder) gets the shared secret for the VPN. If that matters in your environment, move the file some other way and delete the email afterwards.

When I check my email on my iPhone I see the profile as an attachment, I touch to begin the install of my newly created profile.

Now I’m taken to the “Install Profile” screen where I touch “Install”.

I get a notification that the profile is unverified (the iPhone doesn't trust the certificate iPCU signed it with) and asks whether I want to continue. Touch "Install Now". Note that you will be prompted for your passcode if one is enabled.

Next I’m asked for the password for my account name. I enter it and touch “Next”.

And finally it’s finished installing.

Now to test it out. I touch “Settings” and see that there is a new menu item, “VPN”.

I touch the “VPN” switch to begin connecting.

It connects! You should see a little blue VPN icon in the status bar showing that it is connected.
From here I can get in to anything on my home network just like I was there.
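To see exactly what the emailed attachment carries, here is an added example (not from the original post and not Apple's tooling) that rebuilds the L2TP payload from the settings above as an unsigned .mobileconfig with Python's plistlib, then scans the result for credentials that travel in the clear. The key names follow Apple's Configuration Profile Reference as I understand it and should be treated as assumptions; the server, account and shared secret are the constructed values used in the walkthrough, and the sub-identifier "com.tobiasvpn.profile.vpn" is made up.

```python
import plistlib
import uuid

# Key names below follow Apple's Configuration Profile Reference for an
# L2TP VPN payload as I understand it; treat them as assumptions.
def build_l2tp_profile(name, server, account, shared_secret, send_all=True):
    """Return the bytes of an unsigned .mobileconfig equivalent to the iPCU settings."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.tobiasvpn.profile.vpn",   # assumed sub-identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,          # "Connection Name"
        "VPNType": "L2TP",                # "Connection Type"
        "PPP": {
            "CommRemoteAddress": server,  # "Server"
            "AuthName": account,          # "Account"
            # "User Authentication: Password" with nothing stored: the device
            # prompts for the password at install time, as the walkthrough
            # shows. A stored AuthPassword would sit here in clear text.
            "OverridePrimary": send_all,  # "Send All Traffic"
        },
        "IPSec": {
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": shared_secret.encode(),  # serialised as <data>, i.e. base64
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.tobiasvpn.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


# Credential-bearing keys a VPN payload can carry.
SECRET_KEYS = {"SharedSecret", "AuthPassword", "Password"}


def find_cleartext_secrets(profile_bytes):
    """Return dotted paths of every non-empty credential value in the profile."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key in SECRET_KEYS and value not in ("", b"", None):
                    found.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(plistlib.loads(profile_bytes), "")
    return found


def recover_shared_secret(profile_bytes):
    """The <data> encoding is base64, not encryption: the secret comes straight back."""
    p = plistlib.loads(profile_bytes)
    return p["PayloadContent"][0]["IPSec"]["SharedSecret"].decode()


if __name__ == "__main__":
    blob = build_l2tp_profile("Tobias' Home VPN", "myhouse.fatofthelan.com",
                              "admin", "mysooooperpassword")
    print(blob.decode())
    print("cleartext credentials:", find_cleartext_secrets(blob))
    print("recovered shared secret:", recover_shared_secret(blob))
```

Run find_cleartext_secrets over any profile before it leaves your machine: a non-empty list means the file is a credential, whatever the "signed" label suggests. For a signed profile, strip the CMS wrapper first (for example with openssl smime -verify -noverify) and scan the plist inside; the signature changes nothing about what the scan finds.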