This quickie post is mainly for my own future benefit… The following is how you perform a pre-shared key recovery on a Cisco ASA. When you configure a PSK on a Cisco ASA and then review the configuration by doing a “show running-config”, all the passwords will be displayed as a bunch of ***’s from then on. There is a publicized, but not well known, way to view the full running-config by doing a “more system:running-config”, which will allow you to view the running-config in its entirety. This command is nothing new and has apparently been around since the PIX days.


Ref: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ref_cli.html#52156

22. February 2016 · Cisco 4000 series ISR Base UCS-E Configuration · Categories: Cisco, Networking

I have been replacing a lot of older Cisco ISR routers with 4000 series ISRs lately. One of the more common things I have seen companies order with the new 4000 series routers are UCS-E blades, especially for smaller sites that don’t have any servers. Unfortunately IOS-XE is still relatively new and it can be difficult to find proper configuration guides or working configs. As a result I have seen a lot of bad setups where engineers do not use the internal EVC link for UCS-E connectivity. Instead they cable the UCS-E external ports directly back into the router or directly to the LAN switch. While this works, they are essentially running it as if it were a separate device on the network and not part of the router. In this post I will provide a base UCS-E configuration to get people quickly up and running.

UCS-E140S-M2

Example IP allocation:

  • /29 for CIMC & ESXi Management.
    (Example: 10.0.0.240/29)
  • /27 for UCS-E Server Vlan.
    (Example: 10.0.0.128/27)

When push comes to shove, it’s best to view and treat the BDI interface that’s tied to the ucse1/0/1 service instance no differently than an SVI on an L3 switch.

ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address 10.0.0.242 255.255.255.248 default-gateway 10.0.0.241
!
interface ucse1/0/0
 description *** UCS - Internal L3 Management (10.0.0.240/29) ***
 ip address 10.0.0.241 255.255.255.248
 negotiation auto
 switchport mode trunk
!
interface ucse1/0/1
 description *** UCS - Internal L2 Interface ***
 no ip address
 negotiation auto
 switchport mode trunk
 !
 service instance 1 ethernet
  description *** Server Vlan EVC ***
  encapsulation dot1q 1
  bridge-domain 1
 !
!
interface BDI1
 description Server Vlan (10.0.0.128/27)
 ip address 10.0.0.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation dot1Q 1

For further reading on EVC’s the following blog post is really good: http://ccie-in-3-months.blogspot.com/2009/09/evc-flexible-service-mapping.html

14. January 2016 · Monitoring Cisco AP Dot11 Associations in Cacti · Categories: Cacti, Cisco, Networking, Wireless

This Cacti template should work with any autonomous Cisco AP. It will SNMP poll and display all active Cisco AP Dot11 Associations in Cacti. Note the AP I am testing with has an AIR-RM3000AC-A-K9 module, giving me an extra radio.

Cisco Dot11 - Active Wireless Clients

If you do not have an 802.11AC radio installed in your AP, then after importing you may need to modify the Graph Template and remove all the Radio2 graph template items; not doing so may cause the graph not to display properly.

SNMP OIDs queried:

ActiveWirelessClients (for 2.4Ghz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.1
ActiveWirelessClients (for 5Ghz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.2
ActiveWirelessClients (AIR-RM3000AC-A-K9) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.10

This Cacti template will import/update the following items:

GPRINT Preset

  • Normal
  • Exact Numbers

Data Input Method

  • Get SNMP Data

Data Template

  • Cisco Dot11 – Radio0 Associations
  • Cisco Dot11 – Radio1 Associations
  • Cisco Dot11 – Radio2 Associations

Graph Template

  • Cisco Dot11 – Active Wireless Clients

05. January 2016 · Traceroute script to detect route changes. · Categories: Linux, Linux Scripts, Networking

The following script relies on MTR and is meant to be run from cron. It can be used to log and/or detect route changes in the downstream provider path to multiple endpoint IPs. Additionally, the log file is compressed with XZ tools so you do not have to worry about the logs growing to an unmanageable size very quickly.

#!/bin/bash
## Crontab Example: @hourly /opt/mtreport.sh -p

HOSTS="10.100.100.43 192.168.3.4 172.16.16.10"
LOGFILE="/srv/mtreport.log.xz"
MTR="/usr/sbin/mtr"

# FUNCTION: End the script with an error if a requirement is missing.
DIE() {
 echo "ERROR: Validate \"$1\" is installed and working on your system." >&2
 exit 1
}

# Run a single-cycle mtr in raw mode and flatten the hop list to
# " <hop-ip>|<rtt-ms> <hop-ip>|<rtt-ms> ...". With DNS lookups disabled the
# raw output alternates "h <hop> <ip>" and "p <hop> <usec>" lines.
MTRRUN() {
 "$MTR" --report --report-cycles 1 --raw --no-dns "$HOST" |\
  awk 'NR%2==1 {printf " "$NF;} NR%2==0 {printf "|"$NF/1000;}'
}

# Validate script requirements are met.
type -p "$MTR" > /dev/null || DIE "$MTR"

if [ "$1" == "-p" ]; then

 # Main loop: one record per host, "<epoch> <hops>", appended as its own xz stream.
 for HOST in $HOSTS
  do echo "$(date +%s)$(MTRRUN)" | xz -9 -c >> "$LOGFILE"
 done

elif [ ! -z "$1" ]; then

 # View mode: print every record matching the given IP, one hop per line.
 xzgrep "$1" "$LOGFILE" | while read -r LINE
  do ARRAY=( $LINE )

   ## Show the Timestamp ##
   echo; date -d @"${ARRAY[0]}" +'%Y/%m/%d_%H:%M:%S'
   ARRAY=("${ARRAY[@]:1}") # Drop the timestamp array element

   ## Iterate through hops ##
   COUNT=0
   for HOP in "${ARRAY[@]}"
    do echo "$COUNT|$HOP ms"
     let COUNT++ # Increment hop count
    done | column -ts\|
   done

else

 echo "Poll --> $0 -p"
 echo "View --> $0 x.x.x.x"

fi
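As an added example that is not part of the original post, the following bash functions read the records mtreport.sh writes (an epoch timestamp followed by hop-ip|ms pairs) and report, hop by hop, when the path to an endpoint changes between consecutive records. The sample records are constructed with documentation-range addresses, not real measurements.

```shell
#!/bin/bash
# Added example, not from the original post: detect hop-path changes in the
# "<epoch> <hop-ip>|<ms> <hop-ip>|<ms> ..." records written by mtreport.sh.
# Constructed sample records (documentation-range IPs, not real measurements):
SAMPLE_RECORDS='1451952000 10.0.0.1|0.4 203.0.113.1|2.1 198.51.100.9|8.7 192.0.2.10|15.2
1451955600 10.0.0.1|0.5 203.0.113.1|2.0 198.51.100.9|9.1 192.0.2.10|14.9
1451959200 10.0.0.1|0.4 203.0.113.7|3.3 198.51.100.9|8.8 192.0.2.10|15.0
1451962800 10.0.0.1|0.4 203.0.113.7|3.1 198.51.100.9|8.6 192.0.2.10|15.3'

# hop_path RECORD: print only the hop IPs, dropping the epoch and the latencies.
hop_path() {
  set -- $1; shift                      # word-split the record, drop the epoch
  path=""
  for hop in "$@"; do path="$path ${hop%%|*}"; done
  printf '%s\n' "${path# }"
}

# diff_hops OLD NEW: print one line per hop index whose IP differs
# (a path that grew or shrank shows "none" on the missing side).
diff_hops() {
  awk -v old="$1" -v new="$2" 'BEGIN {
    n = split(old, o, " "); m = split(new, c, " ")
    for (i = 1; i <= (n > m ? n : m); i++)
      if (o[i] != c[i])
        printf "  hop %d: %s -> %s\n", i, (i <= n ? o[i] : "none"), (i <= m ? c[i] : "none")
  }'
}

# detect_changes: read records on stdin (e.g. xzgrep output for one endpoint)
# and report every record whose hop path differs from the previous record.
detect_changes() {
  prev=""
  while read -r line; do
    ts=${line%% *}
    path=$(hop_path "$line")
    if [ -n "$prev" ] && [ "$path" != "$prev" ]; then
      echo "$(date -u -d @"$ts" +'%Y/%m/%d_%H:%M:%S' 2>/dev/null || echo "$ts") route changed"
      diff_hops "$prev" "$path"
    fi
    prev=$path
  done
}

# count_changes: number of route changes in the records on stdin.
count_changes() { detect_changes | grep -c 'route changed'; }

# Usage against the real log: xzgrep 192.0.2.10 /srv/mtreport.log.xz | detect_changes
printf '%s\n' "$SAMPLE_RECORDS" | detect_changes
```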

28. December 2015 · Config example of a Cisco router as a DNS server/forwarder. · Categories: Cisco, Networking

For a quick and dirty DNS server you can configure a Cisco router. In the following config snippet I have configured a router as a DNS forwarder. Any ip host statements entered on the router will be resolvable by the clients.

!!! Host statements will be resolvable by clients !!!
ip host rtr.SITE.LAN     192.168.0.1
ip host gi0-0-0.SITE.WAN 10.0.0.254
ip host gi0-0-1.SITE.LAN 192.168.0.1
ip host servera.SITE.LAN 192.168.0.10
ip host serverb.SITE.LAN 192.168.0.11
ip host serverc.SITE.LAN 192.168.0.12
ip host serverd.SITE.LAN 192.168.0.13
ip host servere.SITE.LAN 192.168.0.14
 
!!! ACL to limit who can query the DNS server service !!!
ip access-list standard RFC1918-dns
 permit 10.0.0.0 0.255.255.255
 permit 172.16.0.0 0.15.255.255
 permit 192.168.0.0 0.0.255.255
 
!!! DNS name-list is used to control what zones/hosts can be queried !!!
ip dns name-list 1 permit .*
 
!!! Create a DNS view !!!
ip dns view default
 domain name-server 8.8.8.8
 domain name-server 8.8.4.4
 domain name SITE.LAN
 dns forwarding source-interface GigabitEthernet0/0/0
 
!!! Create a DNS view-list !!!
ip dns view-list LAN
 view default 1
  restrict source access-group RFC1918-dns
  restrict name-group 1
 
!!! Enable DNS server service and use the view-group !!!
ip dns server view-group LAN
ip dns server

If running an ISR G3, I recommend upgrading to at least 15.5(3)S1a.