The following is an older script I wrote to automate the backup of a bunch of Citrix NetScaler appliances. Previously I posted an F5 backup script, which was based on this original script. NetScalers are awesome appliances! Not only are they insanely easy to manage, their configs are very straightforward to back up and restore. Very similar to the F5 backup script posted earlier, this script relies on SSH, except that here I use SSHFS to mount the NetScaler's /nsconfig directory and create an archive of it. The reason I originally decided to use SSHFS was that I intended to grep the configured hostname out of the config before creating the tarball; below is an example…

DEST="$BACKUPDIR/$(grep ^"set ns hostName" /tmp/nsbackup/ns.conf | awk '{print "ns-"$NF"__"}' | sed 's/__$/'" [$(echo $NS | cksum | awk '{print $1}')] $(date +%F)"'.tar.xv/')"

Just like the previous script, this can be run automatically from cron…
@weekly [ -f /srv/nsbackup/nsbackup.sh ] && { /srv/nsbackup/nsbackup.sh; } > /dev/null

For further reading please reference the following Citrix Support Documentation:

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Backup /nsconfig directories against a list of Citrix Netscalers.
## 2016 (v1.0) - Script from www.davideaves.com

NSHOSTS="ns01 ns02"
NSPW="nsroot"             # nsroot password; keep this script readable only by the backup user.
BACKUPDIR="/srv/nsbackup"
MNT="/tmp/nsbackup"       # Temporary sshfs mount point.

# FUNCTION: End script if a required tool is missing ($1 is the tool name).
DIE() {
 echo "ERROR: Validate \"$1\" is installed and working on your system." >&2
 exit 1
}

# Validate script requirements are met.
type -p sshfs > /dev/null || DIE sshfs
type -p fusermount > /dev/null || DIE fusermount

# Main Loop.
for NS in $(echo "$NSHOSTS" | tr '[:lower:]' '[:upper:]'); do

 # Checksum of the hostname, used as a stable tag in the backup file name
 # (the retention find below matches on the same tag).
 NSTAG="$(echo "$NS" | cksum | awk '{print "_"$1}')"

 # Create the mount point and mount nsconfig using sshfs.
 # NOTE: StrictHostKeyChecking=no skips host key verification; pre-populate
 # known_hosts and drop the option where you can.
 mkdir "$MNT" && echo "$NSPW" | sshfs nsroot@"$NS":/nsconfig/ "$MNT" -o password_stdin,StrictHostKeyChecking=no

 if [ -f "$MNT/ns.conf" ]; then

  # Figure out backup destination file.
  DEST="$BACKUPDIR/$NS$NSTAG ($(date +%F)).tar.xv"

  # Delete backup files older than 90 days.
  find "$BACKUPDIR" -maxdepth 1 -type f -name "*$NSTAG *.tar.xv" -mtime +90 -exec rm {} \;

  # Create backup file (archive the mount contents without changing directory).
  if [ ! -f "$DEST" ]; then
   tar cfJ "$DEST" -C "$MNT" . && sync
  else
   echo "$DEST: Backup already exists..."
  fi

 fi

 # Unmount and remove the mount point.
 [ -d "$MNT" ] && { fusermount -u "$MNT" 2> /dev/null; rmdir "$MNT"; }

done
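As an added example (not part of the original nsbackup.sh), here is a post-backup check a practitioner would want: it verifies that the archive tar just wrote is readable and actually contains ns.conf, and keeps a SHA-256 manifest beside the backups so a truncated or altered archive is noticed before a restore depends on it. It assumes GNU tar and sha256sum from coreutils.

```shell
#!/bin/bash
# Added example, not from the original nsbackup.sh: verify a freshly written
# /nsconfig archive and keep a SHA-256 manifest next to the backups.
# Assumes GNU tar and sha256sum from coreutils.

# Return 0 if the archive is non-empty, readable by tar and contains ns.conf.
# tar auto-detects compression when listing, so the xz (.tar.xv) archives the
# script writes work as well as gzip or plain tar.
nsbackup_verify() {
 local archive="$1"
 [ -s "$archive" ] || return 1
 tar tf "$archive" 2>/dev/null | grep -qE '^(\./)?ns\.conf$'
}

# Append "<sha256>  <file name>" for the archive to the manifest (a plain
# sha256sum -c file that lives in the same directory as the backups).
nsbackup_record() {
 local archive="$1" manifest="$2"
 ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) >> "$manifest"
}

# Re-check every archive listed in the manifest; returns non-zero and names
# the offending file if any archive is missing or no longer matches.
nsbackup_check_manifest() {
 local manifest="$1"
 ( cd "$(dirname "$manifest")" && sha256sum --quiet -c "$(basename "$manifest")" )
}

# Usage inside the backup loop, right after tar has written $DEST:
#   nsbackup_verify "$DEST" && nsbackup_record "$DEST" "$BACKUPDIR/SHA256SUMS" || rm -f "$DEST"
```

Run nsbackup_check_manifest from the same cron job (or a separate audit job) so a backup that silently rotted on disk is reported instead of discovered during a restore.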
26. August 2016 · Backing up your F5 load balancers. · Categories: F5, Linux, Linux Scripts, Load Balancing, Networking

The following script is for performing scheduled backups of F5 load balancers. The script initiates a backup against the F5 via SSH and then SCPs the UCS output file off the box. It is meant to be run from the crontab, on a Linux box, against the F5s in an environment.

For further reading please reference the following F5 Support Documentation:

Feel free to review, modify or use this script however you see fit. Remember you do so at your own risk!

#!/bin/bash
## Create/Backup a UCS file against a list of F5 loadbalancers.
## 2016 (v1.0) - Script from www.davideaves.com

F5HOSTS="bigip01 bigip02"
BACKUPDIR="/srv/f5backup"

# FUNCTION: End script if a required tool is missing ($1 is the tool name).
DIE() {
 echo "ERROR: Validate \"$1\" is installed and working on your system." >&2
 exit 1
}

# FUNCTION: Fetch the UCS, or on the first run the private id_rsa keyfile.
UCSFETCH() {
 if [ -e "$BACKUPDIR/.$F5.identity" ]; then
  printf '%s ' "$F5"

  # Delete backup files older than 90 days.
  find "$BACKUPDIR" -maxdepth 1 -type f -name "$F5*.ucs" -mtime +90 -exec rm {} \;

  # Create the UCS backup file on the F5.
  ssh -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" root@"$F5" "tmsh save /sys ucs $F5 > /dev/null 2>&1"

  # Copy down the UCS backup file.
  scp -q -o StrictHostKeyChecking=no -i "$BACKUPDIR/.$F5.identity" root@"$F5":/var/local/ucs/"$F5".ucs "$BACKUPDIR/" && UCSRENAME
 else
  printf '\n%s ' "$F5"

  # First run: copy down the F5's private id_rsa keyfile for the root user
  # (this prompts for the root password); the UCS is fetched on the next run.
  scp -o StrictHostKeyChecking=no root@"$F5":/var/ssh/root/identity "$BACKUPDIR/.$F5.identity" 2> /dev/null
 fi
}

# FUNCTION: Rename the UCS file, tagging it with a checksum of the hostname and
# the "last modified" date that file(1) reads from the UCS's gzip header.
UCSRENAME() {
 UCSDATE="$(file "$BACKUPDIR/$F5.ucs" | awk -F': ' '{print $NF}' | awk -F',' '{print $1}')"
 mv "$BACKUPDIR/$F5.ucs" "$BACKUPDIR/$F5$(echo "$F5" | cksum | awk '{print "_"$1}') ($(date +%F -d "$UCSDATE")).ucs"
}

# Validate script requirements are met.
type -p scp > /dev/null || DIE scp

### Main Loop ###
for F5 in $(echo "$F5HOSTS" | tr '[:lower:]' '[:upper:]'); do

 # Validate host is pingable before fetching UCS file.
 ping -c1 "$F5" > /dev/null 2>&1 && UCSFETCH

done; echo
18. April 2016 · Pre-shared Key Recovery on a Cisco ASA · Categories: Cisco, Firewall, Networking

This quickie post is mainly for my own future benefit… The following is how you perform a pre-shared key recovery on a Cisco ASA. When you configure a PSK on a Cisco ASA and then review the configuration with a "show running-config", all the passwords are displayed as a bunch of ***'s from then on. There is a publicized, but not well known, way to view the full running-config: "more system:running-config" displays the running-config in its entirety, pre-shared keys included. This command is nothing new and has apparently been around since the PIX days.


Ref: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ref_cli.html#52156

22. February 2016 · Cisco 4000 series ISR Base UCS-E Configuration · Categories: Cisco, Networking

I have been replacing a lot of older Cisco ISR routers with 4000 series ISRs lately. One of the more common things I have seen companies order with the new 4000 series routers are UCS-E blades, especially for smaller sites that don't have any servers. Unfortunately IOS-XE is still relatively new and it can be difficult to find proper configuration guides or working configs. As a result I have seen a lot of bad setups where engineers do not use the internal EVC link for UCS-E connectivity. Instead they cable the UCS-E external ports directly back into the router, or directly to the LAN switch. While this works, they are essentially running it as if it were a separate device on the network rather than part of the router. In this post I will provide a base UCS-E configuration to get people quickly up and running.

UCS-E140S-M2

Example IP allocation:

  • /29 for CIMC & ESXi Management.
    (Example: 10.0.0.240/29)
  • /27 for UCS-E Server Vlan.
    (Example: 10.0.0.128/27)

When push comes to shove it's best to view and treat the BDI interface that is tied to the ucse1/0/1 service instance no differently than an SVI on an L3 switch.

ucse subslot 1/0
 imc access-port shared-lom console
 imc ip address 10.0.0.242 255.255.255.248 default-gateway 10.0.0.241
!
interface ucse1/0/0
 description *** UCS - Internal L3 Management (10.0.0.240/29) ***
 ip address 10.0.0.241 255.255.255.248
 negotiation auto
 switchport mode trunk
!
interface ucse1/0/1
 description *** UCS - Internal L2 Interface ***
 no ip address
 negotiation auto
 switchport mode trunk
 !
 service instance 1 ethernet
  description *** Server Vlan EVC ***
  encapsulation dot1q 1
  bridge-domain 1
 !
!
interface BDI1
 description Server Vlan (10.0.0.128/27)
 ip address 10.0.0.129 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation dot1Q 1

For further reading on EVC’s the following blog post is really good: http://ccie-in-3-months.blogspot.com/2009/09/evc-flexible-service-mapping.html

14. January 2016 · Monitoring Cisco AP Dot11 Associations in Cacti · Categories: Cacti, Cisco, Networking, Wireless

This Cacti template should work with any autonomous Cisco AP. It will SNMP poll and display all active Cisco AP Dot11 Associations in Cacti. Note the AP I am testing with has an AIR-RM3000AC-A-K9 module, giving me an extra radio.

Cisco Dot11 - Active Wireless Clients

If you do not have a 802.11AC radio installed in your AP then after importing you may need to modify the Graph Template and remove all the Radio2 graph template items; not doing so may cause the graph not to display properly.

SNMP OIDs queried: [SOURCE]

ActiveWirelessClients (for the 2.4 GHz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.1
ActiveWirelessClients (for the 5 GHz radio) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.2
ActiveWirelessClients (AIR-RM3000AC-A-K9 module) = OID: .1.3.6.1.4.1.9.9.273.1.1.2.1.1.10

This Cacti template will import/update the following items:

GPRINT Preset

  • Normal
  • Exact Numbers

Data Input Method

  • Get SNMP Data

Data Template

  • Cisco Dot11 – Radio0 Associations
  • Cisco Dot11 – Radio1 Associations
  • Cisco Dot11 – Radio2 Associations

Graph Template

  • Cisco Dot11 – Active Wireless Clients