
How to setup NX-OS feature password encryption


If you are familiar with the service password-encryption feature on IOS, you'll be happy to find that there's a similar option in NX-OS on the 7K that will encrypt all the weak (type 7) or plain text passwords in your config. Here's how it works:

First, create a config-key using the following syntax:

nxos# key config-key ascii
New Master Key: <enter text here - Master-key length should be between 16-64 chars>
Retype Master Key: <enter same text here>

Now enable the feature:

nxos# config t
nxos(config)# feature password encryption aes

The feature is now enabled; however, if you look at the running config, the existing passwords are still in their weak form. Keep in mind that the master key is not stored in the running config: a config copied to another switch can only be decrypted there if that switch was given the same master key. To encrypt the existing passwords, type the following:

Password Recovery on a Cisco MDS 9000

If you have a Cisco MDS 9000 and need to recover the password, start by booting it up. If it's currently running, type reload, otherwise power it on.

When you see the following lines, start typing CTRL+]

Starting kernel...
INIT: version 2.85 booting

This shows up after the initial BIOS screen on the console, about 15 seconds into the boot.

It might take a few seconds for it to do anything, just keep typing CTRL+]. You'll eventually get the following prompt:


Now enter config terminal mode and set the admin-password:

switch(boot)# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(boot)(config)# admin-password ?
  <WORD>  Password for user admin (Max Size - 64)

Type in a complex enough password to get past the system's base requirement (in my case, an 8 character minimum with upper/lower/special). This procedure works because the boot loader trusts the console: anyone who can reach the console port during a reboot can reset the admin password, so control physical and terminal-server access to the console accordingly.

Troubleshoot Cisco Nexus sfpInvalid Error Status

If you have a connection to a server that won't connect, as simple as it sounds, don't forget to check the speed. Look at the following show command output for example:

N5K5(config-if-range)# show int status

Port       Name     Status    Vlan      Duplex  Speed   Type
Eth1/1     --       sfpInvali 10        full    10G     SFP-1000BAS

It is subtle, but a keen eye will notice the sfpInvalid status is due to the 10G speed of the port with a 1G SFP inserted. To fix this, simply change the speed to 1000.

How to turn off Apple Music automatic subscription renewal

The iOS music app was updated today, which provides three free months of the Apple Music service. Once you update your iOS device, you will have the option to subscribe to the service when you launch the updated music app. When enabling the service you are basically signing up for the $9.99 or $14.99/mo subscription; the fee is only waived for the first 3 months. Don't want to pay, though? Read on.

After you are all signed up, perform the following steps to disable the auto-renewal which kicks in after the free trial.

  1. Open Settings and select iTunes & App Store
  2. Tap your Apple ID and enter your password
  3. Tap View Apple ID
  4. Tap Manage
  5. Tap the Automatic Renewal option so it slides to Off

Now you shouldn’t be charged automatically. That said, if you like the service and plan to keep it, leaving the automatic renewal on will save you some time in the future.


FCoE for the IP Engineer

If you are interested in learning more about Fibre Channel over Ethernet (FCoE), then take a couple of hours and watch the Cisco Live session BRKDCT-1044 - FCoE for the IP Network Engineer. It can also work as a great sleeping aid if you aren't interested in FCoE ;-)

Here's a link to the Cisco Live 2013 Orlando session:

Here's another session from Cisco Live 2014 San Francisco:

Cisco Unified Computing System (UCS) Platform Emulator

I have been playing with more Nexus and UCS stuff as of late and thought I'd share some info and lessons learned about Cisco's UCS Platform Emulator.

What is UCS?

If you haven't heard of UCS, or maybe you have heard of it but don't know what it is, UCS is Cisco's server (a.k.a. compute) solution. Unified Computing System is more than just servers, though; it's a platform that takes standard computer components and bundles them in a very efficient and scalable way, better than just about any other vendor has thus far (in my opinion).

What is UCS PE?

If you are looking to get some experience with Cisco UCS and your employer doesn't have a spare one for you to play with, Cisco has kindly released an emulator that looks and feels just like UCS Manager (the fancy interface you use to manage UCS) so you can practice to your heart's content.

How to setup an inband management interface on a Cisco Nexus Switch

If you are configuring a Cisco Nexus switch to replace a Catalyst switch, you may have noticed that the management vrf steers you away from in-band management of the device. This is fine and the management interface works well in most settings. However, sometimes it is nice to be able to test in-band connectivity from a switch using a management vlan. If you want to learn how to configure an in-band management SVI on a Nexus switch, then read on.

Start by creating a regular vlan on the switch and trunking it from your distribution (or agg) peer.

switch# config t
switch(config)# vlan 250
switch(config-vlan)# exit
switch(config)# int po1
switch(config-if)# switchport trunk allowed vlan add 250
switch(config-if)# exit

Now create a VLAN interface or SVI for your management vlan and have an IP address ready to go.
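The in-band SVI, as an added example rather than the post's own configuration: the VLAN number matches the one trunked above, but the address 10.250.0.11/24, the gateway 10.250.0.1 and the ACL name and source range are assumed placeholders. Because an in-band SVI puts the switch's control plane on a data VLAN, which the mgmt0/management-VRF design otherwise isolates for you, the example also restricts who may open a vty session to the switch.

```text
! Added example; not the post's own configuration. Addresses and ACL name are assumed.
feature interface-vlan

interface Vlan250
  description in-band management
  ip address 10.250.0.11/24
  no shutdown

! Default route in the default VRF so the SVI is reachable from other subnets
ip route 0.0.0.0/0 10.250.0.1

! Limit vty (SSH) access to the management subnet; everything else is logged and dropped
ip access-list VTY-MGMT
  10 permit ip 10.250.0.0/24 any
  20 deny ip any any log
line vty
  access-class VTY-MGMT in
```

Verify with `show interface vlan 250` (it should be up/up once at least one trunk carries VLAN 250) and `ping 10.250.0.1` from the switch, then confirm from a host outside 10.250.0.0/24 that an SSH attempt is refused rather than answered.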

How to enable OTV on a Nexus 7700 with F3 linecards

If you need to configure OTV (Overlay Transport Virtualization) on a 7700 with F3 cards, you might find it strange that the OTV feature appears to not be supported even when there are ONLY F3 cards in the system.  Here's the error message you would see when trying to enable the otv feature:

OTV(config)# feature otv
Feature otv not supported in F2E without M1, M1XL or M2XL VDC

To fix this, switch back to the default VDC and look at the following setting for the OTV VDC:

vdc OTV id 3
  limit-resource module-type f2e f3

Change this to list only f3 and otv will work:

How to rate limit DNS on an Infoblox appliance


If your company runs Infoblox appliances as its external DNS servers, then there is a simple feature you can enable to help protect your zones against one form of DDoS attack. DNS Rate Limiting monitors the number of queries coming in and where they originate. Once enabled, if a source exceeds the configured number of queries per minute, its remaining queries are dropped for the rest of that one-minute interval. How you write your rules determines whether both good and bad queries get dropped, but you can take steps to limit the impact on known good sources such as your own recursive resolvers. Also note this isn't a complete solution for edge security: a source-based limit can be evaded with spoofed UDP sources, and it can penalize many legitimate clients sitting behind one NAT address. It is, however, yet another layer that can be added as part of a defense in depth strategy.

To enable the rate limit feature, use the set ip_rate_limit on command:
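The behaviour described above, modelled in Python as an added example (this is not Infoblox code and says nothing about how the appliance implements it internally): queries are counted per source in fixed one-minute windows, a source that crosses the threshold has the rest of its queries in that window dropped, and sources on an allowlist are never limited. The threshold of 20 queries per minute, the allowlist and the sample traffic are all constructed for illustration.

```python
"""Fixed-window per-source DNS query rate limiting.

Added example; not Infoblox code. The limit, the allowlist and the sample
queries below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Query:
    ts: float   # seconds since epoch
    src: str    # source IP address of the query
    qname: str  # queried name


def rate_limit(queries, limit_per_minute, allowlist=()):
    """Return a list of (query, action) with action 'allow' or 'drop'.

    Counters are keyed by (one-minute window, source); a window is ts // 60,
    so counters reset at the start of every minute. Sources inside any
    allowlisted network are passed through uncounted.
    """
    trusted = [ip_network(n) for n in allowlist]
    counters = defaultdict(int)
    decisions = []
    for q in sorted(queries, key=lambda q: q.ts):
        src = ip_address(q.src)
        if any(src in net for net in trusted):
            decisions.append((q, "allow"))  # known-good resolvers are never limited
            continue
        key = (int(q.ts // 60), q.src)
        counters[key] += 1
        action = "allow" if counters[key] <= limit_per_minute else "drop"
        decisions.append((q, action))
    return decisions


def summarize(decisions):
    """Per-source allow/drop counts, e.g. {'203.0.113.7': {'allow': 20, 'drop': 80}}."""
    out = defaultdict(lambda: {"allow": 0, "drop": 0})
    for q, action in decisions:
        out[q.src][action] += 1
    return dict(out)


# Constructed sample traffic, all within the first minute:
#  - 203.0.113.7 floods 100 queries in ten seconds
#  - 198.51.100.2 is a legitimate client at one query every three seconds
#  - 192.0.2.53 is a busy but allowlisted resolver
SAMPLE = (
    [Query(0.1 * i, "203.0.113.7", f"r{i}.example.com") for i in range(100)]
    + [Query(3.0 * i, "198.51.100.2", "www.example.com") for i in range(20)]
    + [Query(0.5 * i, "192.0.2.53", "mail.example.com") for i in range(40)]
)


def demo():
    return summarize(rate_limit(SAMPLE, limit_per_minute=20, allowlist=["192.0.2.0/24"]))


if __name__ == "__main__":
    for src, counts in demo().items():
        print(src, counts)
```

The allowlist is the knob that keeps the feature from hurting you: without it, a recursive resolver that legitimately sends you hundreds of queries a minute looks exactly like the flood and loses service for the rest of every minute.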

How to force Linux to immediately set its time to match NTP


I recently had to restore a Linux server from a VMware snapshot and noticed the date and time were off by a day (the time when the snapshot was taken). Instead of waiting around for NTP to slew the clock slowly, you can force the time to sync with reality using a simple set of commands: stop the daemon, run ntpd once with -g (allow a large initial offset instead of refusing to step the clock) and -q (set the time, then exit), then start the daemon again. A clock that is a day off is worth fixing promptly, since it breaks certificate validation, Kerberos and any log correlation with other hosts.

sudo service ntp stop
sudo ntpd -gq
sudo service ntp start

Here is some sample output from the CLI:

Remotely enable SSH on a VMware 5.x Host using vSphere Client

If you set up a VMware ESXi host and forgot to enable SSH access while you were on the console, don't fret. You can easily enable it using the vSphere Client. Remember that SSH gives a root shell on the hypervisor and the host will show a warning as long as it is running, so turn it back off when you are done.

Begin by logging in to the host via the vSphere client as root.

Go to the Configuration tab, then select Security Profile on the lower left.

How to disable useless logs on a Cisco ASA

If you've ever watched the Real-Time Log Viewer in the ASDM, the default settings can make it nearly useless to see specific traffic amongst the noise. Using the filter helps if you are looking for specific traffic, but if you just want to see what legitimate traffic is scrolling by, then it can be challenging to wade through the copious amounts of data that include logs like:

%ASA-6-302016: Teardown UDP connection 118314 for outside:95.101....
%ASA-6-302015: Built outbound UDP connection 118316 for DMZ...
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.0....
%ASA-7-609001:  Built local-host outside:96.7...

It's pretty simple to exclude these types of log messages from being recorded. Before you do, note that the connection built/teardown messages are the firewall's per-flow audit trail, which is what incident response relies on; if you still send syslog to a collector, consider suppressing them only for the ASDM view or lowering the ASDM logging level rather than disabling the messages globally. Simply login to the CLI and type the following:
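Before silencing anything, it helps to know which message IDs are actually producing the volume. The following added example (not Cisco code) parses syslog lines in the %ASA-<severity>-<message-id>: format shown above, ranks the IDs by count, and proposes only informational and debugging IDs (severity 6 and 7) for suppression, so that warnings such as access-list denies are never on the list. The log lines are constructed samples using documentation addresses; the volume threshold is an assumption.

```python
"""Rank ASA syslog message IDs by volume and propose suppression candidates.

Added example; not Cisco code. SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import Counter

# %ASA-<severity 0-7>-<six-digit message id>: <text>
ASA_MSG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")

SAMPLE_LOG = """\
%ASA-6-302016: Teardown UDP connection 118314 for outside:203.0.113.5/53 to inside:10.0.0.12/49201 duration 0:00:00 bytes 312
%ASA-6-302015: Built outbound UDP connection 118316 for DMZ:198.51.100.9/53 (198.51.100.9/53) to inside:10.0.0.12/49202 (192.0.2.10/49202)
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.0.0.12/49188 to outside:192.0.2.10/49188 duration 0:00:30
%ASA-7-609001: Built local-host outside:203.0.113.7
%ASA-6-302016: Teardown UDP connection 118315 for outside:203.0.113.5/53 to inside:10.0.0.13/49203 duration 0:00:00 bytes 298
%ASA-6-302015: Built outbound UDP connection 118317 for DMZ:198.51.100.9/53 (198.51.100.9/53) to inside:10.0.0.13/49204 (192.0.2.10/49204)
%ASA-4-106023: Deny tcp src outside:203.0.113.9/41234 dst inside:10.0.0.12/22 by access-group "outside_in"
%ASA-6-302016: Teardown UDP connection 118316 for DMZ:198.51.100.9/53 to inside:10.0.0.12/49202 duration 0:00:00 bytes 205
this line is not in ASA syslog format and is skipped
"""


def parse(lines):
    """Yield (severity, message_id, text) for each ASA-formatted line; skip the rest."""
    for line in lines:
        m = ASA_MSG.search(line)
        if m:
            yield m.group("sev"), m.group("id"), m.group("text")


def rank_by_volume(lines):
    """Return [(message_id, severity, count)] sorted by count descending, then id."""
    counts = Counter()
    severity = {}
    for sev, msg_id, _ in parse(lines):
        counts[msg_id] += 1
        severity.setdefault(msg_id, sev)
    return sorted(((i, severity[i], c) for i, c in counts.items()),
                  key=lambda r: (-r[2], r[0]))


def suppression_candidates(lines, min_count=2, min_suppressible_severity=6):
    """IDs seen at least min_count times whose severity is informational (6) or
    debugging (7). Lower severities (warnings, errors, the 106023 deny above)
    are never proposed, because those are the messages you keep."""
    return [i for i, sev, c in rank_by_volume(lines)
            if c >= min_count and int(sev) >= min_suppressible_severity]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for msg_id, sev, count in rank_by_volume(lines):
        print(f"{msg_id} (severity {sev}): {count}")
    print("candidates:", suppression_candidates(lines))
```

Run it against a real capture (`ssh user@asa show logging | python3 rank.py`, with the script adapted to read stdin) and you get the short list of IDs to feed to the ASA's `no logging message <id>` command, minus anything that records a security decision.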

How to Start, Stop, and Restart OpenSSH on Ubuntu


On some Linux systems, typing /etc/init.d/sshd restart will bounce the sshd process. However, on Ubuntu Server 14.04 it didn't seem to work for me: Ubuntu names the OpenSSH service ssh rather than sshd, and on 14.04 it is managed as an Upstart job, so there is no /etc/init.d/sshd to call. I found the following syntax to get the task done:

> sudo restart ssh
ssh start/running, process 2654

You can use similar syntax to stop or start the process:

> sudo stop ssh
> sudo start ssh

And you can get status of the process by using the status keyword:

> sudo status ssh
[sudo] password for penguin:
ssh start/running, process 2711

How to Configure a Static IP Address and IPv6 Address on Ubuntu Server 14.04


If you have a new installation of Ubuntu Server, you may want to set a static IP address on it instead of relying on DHCP for a server. It's not as simple as some platforms, but here's the quick and dirty instructions on setting static IPs in Ubuntu Server 14.04:

1. Login with the admin user you created during the install.

2. Check out the contents of the /etc/network/interfaces file:

penguin@wwwsvr07:~$ more /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# This is an autoconfigured IPv6 interface
auto eth0
iface eth0 inet6 auto
penguin@wwwsvr07:~$

As you can see, it's setup for IPv6 auto config by default in my case.
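As an added example (not the file from the post), here is the same file rewritten so eth0 has a static IPv4 address and a static IPv6 address instead of relying on DHCP and router advertisements. The addresses, gateways and resolver are placeholder documentation values to be replaced with your own.

```text
# /etc/network/interfaces  (added example; addresses are assumed placeholders)

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface: static IPv4
auto eth0
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1
    dns-nameservers 192.0.2.53

# Static IPv6 on the same interface (replaces the "inet6 auto" stanza)
iface eth0 inet6 static
    address 2001:db8:0:1::10
    netmask 64
    gateway 2001:db8:0:1::1
```

Apply it from the console with `sudo ifdown eth0 && sudo ifup eth0` (an SSH session on the old address will drop) and confirm with `ip addr show eth0` and `ip -6 route`. If the interface still picks up an additional SLAAC address, check `/proc/sys/net/ipv6/conf/eth0/accept_ra` and set the `accept_ra 0` option in the inet6 stanza.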

Caffeine for your Mac

If you have a Mac and have the screensaver enabled, then you must check out the Caffeine utility! It is a simple little app that runs in the menu bar and with one click, it delays your screensaver from starting for a preset amount of time (2 hours). You can also right click on the little coffee cup icon and select how long you want to delay the screen saver.

This is super handy when you are reading something or working on task off screen, but don't want the screensaver to kick in because you need to reference something on screen. If you've never used this before, it's definitely a must have!
