The following script performs scheduled backups of F5 load balancers. The script initiates a backup on the F5 over SSH and then uses SCP to copy the resulting UCS file off the box. It is meant to be run from the crontab on a Linux host, against the F5s in an environment.

For further reading please reference the following F5 Support Documentation:

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Created By: deaves 2016
# Collect UCS backups of your F5 Load Balancers.
 
F5HOSTS="bigip01 bigip02"
BACKUPDIR="/srv/f5backup"
 
# FUNCTION: End script if a requirement is missing. Takes the name of the missing tool.
DIE() {
 echo "ERROR: Validate \"$1\" is installed and working on your system."
 exit 1
}
 
# FUNCTION: Fetch the UCS, or on the first run the F5's private id_rsa keyfile.
# NOTE: StrictHostKeyChecking=no skips host-key verification on first contact;
# pre-populating ~/.ssh/known_hosts with each F5's host key avoids that trade-off.
UCSFETCH() {
 if [ -e "$BACKUPDIR/.$F5.identity" ]
  then
        printf '%s ' "$F5"
 
        # Delete backup files older than 90 days.
        find "$BACKUPDIR" -maxdepth 1 -type f -name "$F5*.ucs" -mtime +90 -exec rm {} \;
 
        # Create the UCS backup file on the F5 (saved under /var/local/ucs/).
        ssh -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" "root@$F5" "tmsh save /sys ucs $F5 > /dev/null 2>&1"
 
        # Copy down the UCS backup file, then stamp it with its creation date.
        scp -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" "root@$F5:/var/local/ucs/$F5.ucs" "$BACKUPDIR/" && UCSRENAME
 else
        printf '\n%s ' "$F5"
 
        # First run: copy down the F5's private id_rsa keyfile for the root user
        # (prompts for the root password). Keep it readable by this user only.
        scp -o StrictHostKeyChecking=no "root@$F5:/var/ssh/root/identity" "$BACKUPDIR/.$F5.identity" 2> /dev/null && chmod 600 "$BACKUPDIR/.$F5.identity"
 fi
}
 
# FUNCTION: Rename the UCS file to "<host> (<YYYY-MM-DD>).ucs", taking the date
# from the "last modified" timestamp that file(1) reports for the gzip archive.
UCSRENAME() {
 UCSDATE=$(date +%F -d "$(file "$BACKUPDIR/$F5.ucs" | awk -F': ' '{print $NF}' | awk -F',' '{print $1}')")
 mv "$BACKUPDIR/$F5.ucs" "$BACKUPDIR/$F5 ($UCSDATE).ucs"
}
 
# Validate script requirements are met.
type -p ssh > /dev/null || DIE ssh
type -p scp > /dev/null || DIE scp
 
### Main Loop ###
# Host names are upper-cased so the identity and UCS file names stay consistent.
for F5 in $(echo "$F5HOSTS" | tr '[:lower:]' '[:upper:]'); do
 
 # Validate host is pingable before fetching UCS file.
 ping -c1 "$F5" > /dev/null 2>&1 && UCSFETCH
 
done; echo
18. April 2016 · Pre-shared Key Recovery on a Cisco ASA · Categories: Cisco, Firewall, Networking

This quickie post is mainly for my own future benefit… The following is how you perform a pre-shared key recovery on a Cisco ASA. When you configure a PSK on a Cisco ASA and then review the configuration with “show running-config”, all the passwords will be displayed as a bunch of ***’s from then on. There is a publicized, but not well known, way to view the full running-config: “more system:running-config” will show the running-config in its entirety. This command is nothing new and has apparently been around since the PIX days.

 

Ref: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ref_cli.html#52156

22. February 2016 · Cisco 4000 series ISR Base UCS-E Configuration · Categories: Cisco, Networking

I have been replacing a lot of older Cisco ISR routers with 4000 series ISRs lately. One of the more common things I have seen companies order with the new 4000 series routers is UCS-E blades, especially for smaller sites that don’t have any servers. Unfortunately IOS-XE is still relatively new and it can be difficult to find proper configuration guides or working configs. As a result I have seen a lot of bad setups where engineers do not use the internal EVC link for UCS-E connectivity. Instead they cable the UCS-E external ports directly back into the router, or directly to the LAN switch. While this works, they are essentially running it as if it were a separate device on the network rather than part of the router. In this post I will provide a base UCS-E configuration to get people quickly up and running.

UCS-E140S-M2

Example IP allocation:

  • /29 for CIMC & ESXi Management.
    (Example: 10.0.0.240/29)
  • /27 for UCS-E Server Vlan.
    (Example: 10.0.0.128/27)

When push comes to shove, it’s best to view and treat the BDI interface that is tied to the ucse1/0/1 service instance no differently from an SVI on a L3 switch.
 

ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address 10.0.0.242 255.255.255.248 default-gateway 10.0.0.241
!
interface ucse1/0/0
 description *** UCS - Internal L3 Management (10.0.0.240/29) ***
 ip address 10.0.0.241 255.255.255.248
 negotiation auto
 switchport mode trunk
!
interface ucse1/0/1
 description *** UCS - Internal L2 Interface ***
 no ip address
 negotiation auto
 switchport mode trunk
 !
 service instance 1 ethernet
  description *** Server Vlan EVC ***
  encapsulation dot1q 1
  bridge-domain 1
 !
!
interface BDI1
 description Server Vlan (10.0.0.128/27)
 ip address 10.0.0.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation dot1Q 1

For further reading on EVC’s the following blog post is really good: http://ccie-in-3-months.blogspot.com/2009/09/evc-flexible-service-mapping.html

14. January 2016 · Monitoring Cisco AP Dot11 Associations in Cacti · Categories: Cacti, Cisco, Networking, Wireless

This Cacti template should work with any autonomous Cisco AP. It will SNMP poll and display all active Cisco AP Dot11 Associations in Cacti. Note the AP I am testing with has an AIR-RM3000AC-A-K9 module, giving me an extra radio.

Cisco Dot11 - Active Wireless Clients

If you do not have an 802.11ac radio installed in your AP, then after importing you may need to modify the Graph Template and remove all the Radio2 graph template items; not doing so may cause the graph not to display properly.

SNMP OIDs queried: [SOURCE]

ActiveWirelessClients (for 2.4Ghz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.1
ActiveWirelessClients (for 5Ghz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.2
ActiveWirelessClients (AIR-RM3000AC-A-K9) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.10
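
As an added example (not code from the post and not Cacti’s own poller), the following shows what the “Get SNMP Data” input method actually puts on the wire for the three OIDs above: an SNMPv2c GetRequest hand-encoded in BER, plus a parser for the GetResponse that checks the request-id before trusting the reply. The community string “public”, the sample client counts and the assumption that the AP returns the counts as Gauge32 values are all mine; the real community string and host are whatever your poller is configured with.

```python
"""SNMPv2c GetRequest/GetResponse for the Cisco Dot11 OIDs, hand-encoded in BER (added example)."""
import socket

# OIDs listed in the post (cDot11ActiveWirelessClients, indexed per radio).
OID_RADIO0 = ".1.3.6.1.4.1.9.9.273.1.1.2.1.1.1"   # 2.4 GHz radio
OID_RADIO1 = ".1.3.6.1.4.1.9.9.273.1.1.2.1.1.2"   # 5 GHz radio
OID_RADIO2 = ".1.3.6.1.4.1.9.9.273.1.1.2.1.1.10"  # AIR-RM3000AC-A-K9 module

# BER tags: universal types plus the SNMP application types handled here.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43


def ber_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def int_bytes(value):
    """Minimal two's-complement encoding, as BER requires for INTEGER-like types."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "big", signed=True)


def encode_oid(oid):
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_message(community, pdu_tag, request_id, varbinds):
    """SNMPv2c message: SEQUENCE { version=1, community, PDU { id, error-status=0, error-index=0, varbinds } }."""
    pdu = tlv(pdu_tag, tlv(INTEGER, int_bytes(request_id)) + tlv(INTEGER, b"\x00")
              + tlv(INTEGER, b"\x00") + tlv(SEQUENCE, varbinds))
    return tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(OCTET_STRING, community.encode()) + pdu)


def build_get_request(community, oids, request_id):
    """What the poller sends: each varbind is { OID, NULL }."""
    return build_message(community, GET_REQUEST, request_id,
                         b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b"")) for o in oids))


def build_get_response(community, request_id, values):
    """What the AP sends back; used here to construct a sample reply (assumes Gauge32 counts)."""
    return build_message(community, GET_RESPONSE, request_id,
                         b"".join(tlv(SEQUENCE, encode_oid(o) + tlv(GAUGE32, int_bytes(v))) for o, v in values.items()))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == INTEGER:
        return int.from_bytes(body, "big", signed=True)
    if tag in (COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big")
    if tag == OCTET_STRING:
        return body
    return None  # NULL, noSuchObject and friends


def parse_get_response(msg, expected_request_id):
    """Return {oid: value}; reject replies whose request-id does not match the one we sent."""
    _, body, _ = read_tlv(msg, 0)
    _, _version, pos = read_tlv(body, 0)
    _, _community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _err_index, p = read_tlv(pdu, p)
    if decode_value(INTEGER, rid) != expected_request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    if decode_value(INTEGER, err) != 0:
        raise ValueError("agent returned error-status %d" % decode_value(INTEGER, err))
    _, varbind_list, _ = read_tlv(pdu, p)
    result, q = {}, 0
    while q < len(varbind_list):
        _, vb, q = read_tlv(varbind_list, q)
        _, oid_body, r = read_tlv(vb, 0)
        value_tag, value_body, _ = read_tlv(vb, r)
        result[decode_oid(oid_body)] = decode_value(value_tag, value_body)
    return result


def poll(host, community, oids, request_id=1, timeout=3.0):
    """Send one GetRequest over UDP/161 and parse the reply (needs a reachable AP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oids, request_id), (host, 161))
        reply, _ = sock.recvfrom(65535)
    return parse_get_response(reply, request_id)
```

Two things worth noticing: the community string travels in the clear inside the OCTET STRING, which is why a v2c read community should be restricted by an SNMP ACL on the AP to the Cacti poller’s address; and the request-id check is the only thing tying a UDP reply to the request that caused it, so a poller that skips it will happily graph whatever a stale or forged datagram contains.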

This Cacti template will import/update the following items:

GPRINT Preset

  • Normal
  • Exact Numbers

Data Input Method

  • Get SNMP Data

Data Template

  • Cisco Dot11 – Radio0 Associations
  • Cisco Dot11 – Radio1 Associations
  • Cisco Dot11 – Radio2 Associations

Graph Template

  • Cisco Dot11 – Active Wireless Clients
05. January 2016 · Traceroute script to detect route changes. · Categories: Linux, Linux Scripts, Networking

The following script relies on MTR and is meant to be run from cron. It can be useful for logging and/or detecting route changes in the downstream provider path to multiple endpoint IPs. Additionally the log file is compressed with the XZ tools, so you do not have to worry about the logs quickly growing to an unmanageable size.

#!/bin/bash
## Crontab Example: @hourly /opt/mtreport.sh -p
 
HOSTS="10.100.100.43 192.168.3.4 172.16.16.10"
LOGFILE="/srv/mtreport.log.xz"
 
# FUNCTION: End script if a requirement is missing. Takes the name of the missing tool.
DIE() {
 echo "ERROR: Validate \"$1\" is installed and working on your system."
 exit 1
}
 
# FUNCTION: Run one mtr cycle against $HOST. The raw output alternates
# "h <hop> <ip>" and "p <hop> <rtt_usec>" lines; print each hop as " ip|rtt_ms".
MTRRUN() {
 /usr/sbin/mtr --report --report-cycles 1 --raw --no-dns "$HOST" |\
  awk 'NR%2==1 {printf " %s", $NF;} NR%2==0 {printf "|%s", $NF/1000;}'
}
 
# Validate script requirements are met.
type -p /usr/sbin/mtr > /dev/null || DIE mtr
type -p xz > /dev/null || DIE xz
 
if [ "$1" = "-p" ]; then
 
 # Main Loop: one log line per host, "<epoch> ip|ms ip|ms ...", appended compressed.
 for HOST in $HOSTS
  do echo "$(date +%s)$(MTRRUN)" | xz -9 -c >> "$LOGFILE"
 done
 
elif [ -n "$1" ]; then
 
 # View mode: print every logged run that mentions the given IP.
 xzgrep "$1" "$LOGFILE" | while read -r LINE
  do ARRAY=( $LINE )
 
   ## Show the Timestamp ##
   echo; date -d "@${ARRAY[0]}" +'%Y/%m/%d_%H:%M:%S'
   ARRAY=("${ARRAY[@]:1}") # Drop the timestamp array element
 
   ## Iterate through hops ##
   COUNT=0
   for HOP in "${ARRAY[@]}"
    do echo "$COUNT|$HOP ms"
     COUNT=$((COUNT + 1)) # Increment Hop Count
    done | column -ts\|
   done
 
else
 
 echo "Poll --> $0 -p"
 echo "View --> $0 x.x.x.x"
 
fi
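
The script above logs each run but leaves the “detect” part to the reader. As an added example (not code from the post), here is a small detector for the log lines it writes: it groups runs by destination (the final hop on each line), compares each run’s hop sequence with the previous run to the same destination, and reports where the path first diverges. The sample log, the hop addresses and the log path passed to read_log are constructed for the example; the line format is the one mtreport.sh produces.

```python
"""Detect route changes in the mtreport.sh log (added example, not part of the post)."""
import lzma

# Constructed sample log in mtreport.sh's format: "<epoch> <hop_ip>|<rtt_ms> ...", one line
# per polled host per run, with the polled host as the final hop. The third run to
# 192.168.3.4 takes a different provider path.
SAMPLE_LOG = """\
1452000000 10.0.0.1|0.302 198.51.100.1|2.114 203.0.113.9|8.731 192.168.3.4|9.02
1452000000 10.0.0.1|0.298 198.51.100.1|2.207 172.16.16.10|4.55
1452003600 10.0.0.1|0.311 198.51.100.1|2.09 203.0.113.9|8.9 192.168.3.4|9.1
1452003600 10.0.0.1|0.29 198.51.100.1|2.3 172.16.16.10|4.6
1452007200 10.0.0.1|0.305 198.51.100.77|5.12 203.0.113.42|12.4 192.168.3.4|13.3
1452007200 10.0.0.1|0.30 198.51.100.1|2.2 172.16.16.10|4.5
"""


def parse_line(line):
    """Return (epoch, [(hop_ip, rtt_ms), ...]) for one log line."""
    fields = line.split()
    epoch = int(fields[0])
    hops = []
    for field in fields[1:]:
        ip, rtt = field.split("|", 1)
        hops.append((ip, float(rtt)))
    return epoch, hops


def find_route_changes(lines):
    """Compare consecutive runs per destination; return one record per path change."""
    last_path = {}   # destination ip -> tuple of hop ips from the previous run
    changes = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        epoch, hops = parse_line(line)
        if not hops:
            continue
        dest = hops[-1][0]
        path = tuple(ip for ip, _ in hops)
        prev = last_path.get(dest)
        if prev is not None and prev != path:
            # index of the first hop that differs (or the shorter length if one path is a prefix)
            diverge = next((i for i, (a, b) in enumerate(zip(prev, path)) if a != b),
                           min(len(prev), len(path)))
            changes.append({"dest": dest, "epoch": epoch, "diverges_at_hop": diverge,
                            "old": prev, "new": path})
        last_path[dest] = path
    return changes


def read_log(path):
    """Read the xz-compressed log that mtreport.sh appends to (path is the caller's)."""
    with lzma.open(path, "rt") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    for change in find_route_changes(SAMPLE_LOG.splitlines()):
        print("%d %s: path changed at hop %d" % (change["epoch"], change["dest"], change["diverges_at_hop"]))
        print("  old: %s" % " -> ".join(change["old"]))
        print("  new: %s" % " -> ".join(change["new"]))
```

Run it against the real file with find_route_changes(read_log("/srv/mtreport.log.xz")) from cron after the poll, and alert on a non-empty result; comparing hop addresses rather than latencies keeps ordinary jitter from producing noise, while a sudden new upstream hop is exactly the kind of change worth a human look.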