The following is an older script I wrote to automate the backup of a bunch of Citrix NetScaler appliances. Previously I posted an F5 backup script, which was based on this original script. NetScalers are awesome appliances! Not only are they insanely easy to manage, their configs are very straightforward to back up and restore. Very similar to the F5 backup script posted earlier, we rely on SSH in this script, except here I use SSHFS to mount the NS:/nsconfig directory and create an archive of it. The reason I originally decided to use SSHFS was that I intended to grep out the configured hostname from the config before creating the tarball output; below is an example…

DEST="$BACKUPDIR/$(grep ^"set ns hostName" /tmp/nsbackup/ns.conf | awk '{print "ns-"$NF"__"}' | sed 's/__$/'" [$(echo $NS | cksum | awk '{print $1}')] $(date +%F)"'.tar.xv/')"

Just like the previous script, this can be run automatically from cron…
@weekly [ -f /srv/nsbackup/ ] && { /srv/nsbackup/; } > /dev/null

For further reading please reference the following Citrix Support Documentation:

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Backup /nsconfig directories against a list of Citrix Netscalers.
## 2016 (v1.0) - Script from
NSHOSTS="ns01 ns02"
# Placeholders: these two assignments are not shown in the post; set them for your environment.
BACKUPDIR="/path/to/backups"
NSPW="CHANGE_ME"
# FUNCTION: End Script if error.
DIE() {
 echo "ERROR: Validate \"$_\" is installed and working on your system."
 exit 1  # non-zero so cron and callers see the failure
}
# Validate script requirements are met.
type -p sshfs > /dev/null || DIE
# Main Loop.
for NS in $(echo $NSHOSTS | tr '[:lower:]' '[:upper:]'); do
 # Create backup directory and mount nsconfig using sshfs.
 mkdir /tmp/nsbackup && echo "$NSPW" | sshfs nsroot@$NS:/nsconfig/ /tmp/nsbackup -o password_stdin,StrictHostKeyChecking=no
 if [ -f "/tmp/nsbackup/ns.conf" ]; then
  # Figure out backup destination file.
  DEST="$BACKUPDIR/$NS$(echo $NS | cksum | awk '{print "_"$1}') ($(date +%F)).tar.xv"
  # Delete backup files older than 90 days.
  find "$BACKUPDIR" -maxdepth 1 -type f -name "*$(echo $NS | cksum | awk '{print "_"$1}')\ *.tar.xv" -mtime +90 -exec rm {} \;
  # Create backup file.
  if [ ! -f "$DEST" ]; then
   cd /tmp/nsbackup
   tar cfJ "$DEST" * && sync
   cd ..
  else
   echo "$DEST: Backup already exists..."
  fi
 fi
 # Unmount and remove backup directory.
 [ -d "/tmp/nsbackup" ] && { fusermount -u /tmp/nsbackup; }
 [ -d "/tmp/nsbackup" ] && { rmdir /tmp/nsbackup; }
done
26. August 2016 · Backing up your F5 load balancers. · Categories: F5, Linux, Linux Scripts, Load Balancing, Networking

The following script is for performing scheduled backups of F5 load balancers. The script initiates a backup against the F5 via SSH and then SCPs the UCS output file off the box. It is meant to be run from the crontab, on a Linux box, against the F5s in an environment.

For further reading please reference the following F5 Support Documentation:

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Create/Backup a UCS file against a list of F5 loadbalancers.
## 2016 (v1.0) - Script from
F5HOSTS="bigip01 bigip02"
# Placeholder: this assignment is not shown in the post; set it for your environment.
BACKUPDIR="/path/to/backups"
# FUNCTION: End Script if error.
DIE() {
 echo "ERROR: Validate \"$_\" is installed and working on your system."
 exit 1  # non-zero so cron and callers see the failure
}
# FUNCTION: Fetch the UCS or private id_rsa keyfile.
UCSFETCH() {
 if [ -e "$BACKUPDIR/.$F5.identity" ]
 then
        printf "$F5 "
        # Delete backup files older than 90 days.
        find "$BACKUPDIR" -maxdepth 1 -type f -name "$F5*.ucs" -mtime +90 -exec rm {} \;
        # Create the UCS backup file.
        ssh -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" root@$F5 "tmsh save /sys ucs $(echo $F5) > /dev/null 2>&1"
        # Copy down the UCS backup file.
        scp -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" root@$F5:/var/local/ucs/$F5.ucs "$BACKUPDIR/" && UCSRENAME
 else
        printf "\n$F5 "
        # Copy down the F5's private id_rsa keyfile for root user.
        scp -o StrictHostKeyChecking=no root@$F5:/var/ssh/root/identity "$BACKUPDIR/.$F5.identity" 2> /dev/null
 fi
}
# FUNCTION: Rename the UCS file.
UCSRENAME() {
 mv "$BACKUPDIR/$F5.ucs" "$BACKUPDIR/$F5$(echo $F5 | cksum | awk '{print "_"$1}') ($(date +%F -d "$(file "$BACKUPDIR/$F5.ucs" | awk -F': ' '{print $NF}' | awk -F',' '{print $1}')")).ucs"
}
# Validate script requirements are met.
type -p scp > /dev/null || DIE
### Main Loop ###
for F5 in $(echo $F5HOSTS | tr '[:lower:]' '[:upper:]'); do
 # Validate host is pingable before fetching UCS file.
 ping -c1 $F5 > /dev/null 2>&1 && UCSFETCH
done; echo
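
Both backup scripts above pass StrictHostKeyChecking=no, so the nsroot password and the F5 root identity key are exchanged with a server whose identity is never verified. The following is an added example, not part of the original scripts, that only lets a host through when its key is pinned in a dedicated known_hosts file; the file path, the function names and the sample keys are assumptions.

```shell
#!/bin/sh
# Added example, not the original author's code: pin SSH host keys instead of
# passing StrictHostKeyChecking=no. KNOWN_HOSTS and all function names are assumptions.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/backup_known_hosts}"

# host_is_pinned HOST FILE -> status 0 only if FILE holds a plain entry naming HOST.
# Exact names only: wildcard patterns and hashed entries (HashKnownHosts) are not
# matched here; `ssh-keygen -F HOST -f FILE` covers hashed files.
host_is_pinned() {
  [ -r "$2" ] || return 1
  awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/ { next }            # comments and blank lines
    $1 ~ /^@/      { next }            # @revoked and @cert-authority are not pins
    NF >= 3 {                          # host names, key type, key
      n = split(tolower($1), h, ",")
      for (i = 1; i <= n; i++) if (h[i] == want) found = 1
    }
    END { exit !found }' "$2"
}

# Constructed sample (fake keys): ns01 is pinned, ns02 is revoked, ns03 is absent.
sample_known_hosts() {
  printf '%s\n' '# constructed sample' \
    'ns01,192.0.2.10 ssh-ed25519 AAAAC3CONSTRUCTEDKEY1' \
    '@revoked ns02 ssh-ed25519 AAAAC3CONSTRUCTEDKEY2'
}

# pinned_only FILE HOST... -> prints the hosts that may be connected to, one per
# line; hosts without a pinned key are reported on stderr and skipped.
pinned_only() {
  _kh="$1"; shift
  for _h in "$@"; do
    if host_is_pinned "$_h" "$_kh"; then
      printf '%s\n' "$_h"
    else
      printf 'SKIP %s: no pinned host key in %s\n' "$_h" "$_kh" >&2
    fi
  done
}

# ssh_pin_opts FILE -> options in the comma-separated form sshfs takes after -o.
ssh_pin_opts() { printf 'StrictHostKeyChecking=yes,UserKnownHostsFile=%s' "$1"; }

# Usage in the loops above (they upper-case host names, hence tolower here):
#   for NS in $(pinned_only "$KNOWN_HOSTS" $NSHOSTS); do ...
#   sshfs ... -o password_stdin,"$(ssh_pin_opts "$KNOWN_HOSTS")"
```

For ssh and scp the same two settings go in as separate `-o` options in place of `-o StrictHostKeyChecking=no`.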
18. April 2016 · Pre-shared Key Recovery on a Cisco ASA · Categories: Cisco, Firewall, Networking

This quickie post is mainly for my own future benefit… The following is how you perform a pre-shared key recovery on a Cisco ASA. When you configure a PSK on a Cisco ASA and then review the configuration by doing a “show running-config”, all the passwords will be displayed as a bunch of ***’s from then on. There is a publicized, but not well known, way to view the full running-config by doing a “more system:running-config”, which will allow you to view the running-config in its entirety. This command is nothing new and has apparently been around since the PIX days.



22. February 2016 · Cisco 4000 series ISR Base UCS-E Configuration · Categories: Cisco, Networking

I have been replacing a lot of older Cisco ISR routers with 4000 series ISRs lately. One of the more common things I have seen companies order with the new 4000 series routers is UCS-E blades, especially for smaller sites that don’t have any servers. Unfortunately IOS-XE is still relatively new and it can be difficult to find proper configuration guides or working configs. As a result I have seen a lot of bad setups where engineers do not use the internal EVC link for UCS-E connectivity. Instead they cable the UCS-E external ports directly back into the router or cable them directly to the LAN switch. While this works, they are essentially running it as if it were a separate device on the network and not part of the router. In this post I will provide a base UCS-E configuration to get people quickly up and running.


Example IP allocation:

  • /29 for CIMC & ESXi Management.
  • /27 for UCS-E Server Vlan.

When push comes to shove, it’s best to treat the BDI interface that’s tied to the ucse1/0/1 service instance no differently than an SVI on an L3 switch.

ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address default-gateway
interface ucse1/0/0
 description *** UCS - Internal L3 Management ( ***
 ip address
 negotiation auto
 switchport mode trunk
interface ucse1/0/1
 description *** UCS - Internal L2 Interface ***
 no ip address
 negotiation auto
 switchport mode trunk
 service instance 1 ethernet
  description *** Server Vlan EVC ***
  encapsulation dot1q 1
  bridge-domain 1
interface BDI1
 description Server Vlan (
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation dot1Q 1

For further reading on EVC’s the following blog post is really good:

14. January 2016 · Monitoring Cisco AP Dot11 Associations in Cacti · Categories: Cacti, Cisco, Networking, Wireless

This Cacti template should work with any autonomous Cisco AP. It will SNMP poll and display all active Cisco AP Dot11 Associations in Cacti. Note the AP I am testing with has an AIR-RM3000AC-A-K9 module, giving me an extra radio.

Cisco Dot11 - Active Wireless Clients

If you do not have an 802.11ac radio installed in your AP, then after importing you may need to modify the Graph Template and remove all the Radio2 graph template items; not doing so may cause the graph not to display properly.

SNMP OIDs queried: [SOURCE]

ActiveWirelessClients (for 2.4Ghz radio) = OID: .
ActiveWirelessClients (for 5Ghz radio) = OID: .
ActiveWirelessClients (AIR-RM3000AC-A-K9) = OID: .

This Cacti template will import/update the following items:


  • Normal
  • Exact Numbers

Data Input Method

  • Get SNMP Data

Data Template

  • Cisco Dot11 – Radio0 Associations
  • Cisco Dot11 – Radio1 Associations
  • Cisco Dot11 – Radio2 Associations

Graph Template

  • Cisco Dot11 – Active Wireless Clients