
Thursday, February 20, 2014

Juniper SRX tacacs+ with Cisco ACS 5.x

SRX configuration

# Authentication order with TACACS+ first and the server details
authentication-order [ tacplus password ];

tacplus-server {
    xxx.xxx.xxx.xxx {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
    yyy.yyy.yyy.yyy {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
}

# Remote user templates
login {
    user netadmin {
        full-name "remote super-user template";
        uid 100;
        class super-user;
    }
    user remote-monitor {
        full-name "remote operator template";
        uid 101;
        class operator;
    }
}

# tacacs+ accounting (same shared key as the authentication servers above)
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                xxx.xxx.xxx.xxx {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
                yyy.yyy.yyy.yyy {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}

Cisco ACS

The key to the Cisco ACS setup is to define "Policy Element" -> "Authorization and Permissions" -> "Device Administrator" -> "Shell Profiles". You need to create a custom shell profile for each "local-user-name" group; the local-user-name the profile returns is what the SRX maps to the matching template user (and therefore its class). Below is an example for the "netadmin" group.




Tuesday, July 31, 2012

Cisco Prime LMS 4.2.1 Customizable Interface Group

I needed to remove certain alarms for only certain types of interfaces. It took many days of work, and it finally worked with help from TAC.

1. Modify the group rule for a customizable interface group to a valid group rule (example: Customizable Interface Group 1) from Admin > System > Group Management > Fault.

2. Raise the priority of that Interface Threshold Group from Monitor > Fault Settings > Setup > Priority Settings, so that interfaces satisfying the rule fall under the higher-priority group.

3. After modifying the priority, apply the changes so they reach the in-charge server, from Monitor > Fault Settings > Setup > Apply Changes.

4. Then set the threshold values from Monitor > Fault Settings > Setup > Threshold Settings.

5. Then apply the changes again so all threshold value changes reach the in-charge server, from Monitor > Fault Settings > Setup > Apply Changes.

Ciscoworks Prime LMS 4.2 DFM change of fault threshold

Below is an example of what I had to do to get rid of tons of OutOfRange Temperature or Voltage Sensor alerts:


First, stop the daemon:
  /etc/init.d/dmgtd stop

Modify the entry for my devices in the oid2type_cisco.conf file (<NMSROOT>/objects/smarts/conf/discovery/oid2type_cisco.conf) as shown below (please note the highlighted part):

# Cisco Nexus 7000
.1.3.6.1.4.1.9.12.3.1.3.612 {
    TYPE = Switch
    VENDOR = Cisco
    MODEL = N7K-C7010
    CERTIFICATION = CERTIFIED
    CONT = Cisco-EntityRF-Switch
    HEALTH = Nexus-Entity-EntSensor
    BRIDGE = Cisco
    NEIGHBOR = Cisco-Cdp

INSTRUMENTATION:
    Environment                     = CiscoEntityFRU:DeviceID
    Card-Fault                      = CiscoEntityFRU:DeviceID
    CPU/Memory                      = CiscoSystem:DeviceID
    Interface-Fault                 = MIB2
    Interface-Performance           = MIB2
    Port-Fault                      = MIB2
    Port-Performance                = MIB2
}

# Cisco ASR Router - 1004
.1.3.6.1.4.1.9.1.924 {
    TYPE = Router
    VENDOR = Cisco
    MODEL = ASR1004
    CERTIFICATION = TEMPLATE
    CONT = Cisco-EntityFRU
    NEIGHBOR = Cisco-Cdp
    HEALTH = Cisco-Router-CRS-EntSensor

INSTRUMENTATION:
    Environment = CiscoEntityFRU:DeviceID
    CPU/Memory = CiscoRouter:DeviceID
    Card-Fault = CiscoEntityFRU
    Interface-Fault = MIB2
    Interface-Performance = CiscoRouter
    Interface-Ethernet-Performance = CiscoRouter_Ethernet
}

# Cisco VSS Switch 
.1.3.6.1.4.1.9.1.896 {
    TYPE = Switch
    VENDOR = Cisco
    MODEL = VSS-1440
    CERTIFICATION = CERTIFIED
    CONT = Cisco-VSS-Switch
    VLAN = Cisco-Membership
    BRIDGE = Cisco
    NEIGHBOR = Cisco-Cdp
    HEALTH = Cisco-Router-CRS-EntSensor

INSTRUMENTATION:
    Environment                         = CiscoEntityFRU:DeviceID
    CPU/Memory                          = CiscoRouter:DeviceID
    Card-Fault                          = CiscoEntityFRU:DeviceID
    Interface-Fault                     = MIB2
    Interface-Performance               = MIB2
    Port-Fault                          = MIB2
    Port-Performance                    = MIB2
    Port-Ethernet-Performance           = dot3_Ethernet
}


Restart the daemon:
  /etc/init.d/dmgtd start

Re-discover the devices.
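As an added example (not from this blog or the LMS product), a small Python parser for the oid2type_cisco.conf block format shown above: it reports which HEALTH model each MODEL is mapped to and refuses a file in which a block is missing its closing brace, a check worth running before restarting dmgtd. The conf text embedded in it is a constructed sample modelled on the entries above.

```python
import re

SAMPLE_CONF = """# Cisco Nexus 7000 -- constructed sample modelled on the entries above
.1.3.6.1.4.1.9.12.3.1.3.612 {
    MODEL = N7K-C7010
    HEALTH = Nexus-Entity-EntSensor
INSTRUMENTATION:
    Environment = CiscoEntityFRU:DeviceID
    Interface-Fault = MIB2
}
.1.3.6.1.4.1.9.1.896 {
    MODEL = VSS-1440
    HEALTH = Cisco-Router-CRS-EntSensor
INSTRUMENTATION:
    Port-Fault = MIB2
}
"""

OID_OPEN = re.compile(r"^(\.[\d.]+)\s*\{$")  # e.g. ".1.3.6.1.4.1.9.1.896 {"

def parse_oid2type(text: str) -> dict:
    """Return {oid: {"attrs": {...}, "instrumentation": {...}}} for every block;
    a block opened before the previous one closed, or never closed, is an error."""
    entries, current, section = {}, None, "attrs"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        m = OID_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: missing '}}' before new block")
            current = entries[m.group(1)] = {"attrs": {}, "instrumentation": {}}
            section = "attrs"
        elif line == "}":
            current = None
        elif line == "INSTRUMENTATION:":
            section = "instrumentation"
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[section][key.strip()] = value.strip()
    if current is not None:
        raise ValueError("unterminated block at end of file")
    return entries

def health_by_model(text: str) -> dict:
    """MODEL -> HEALTH: which sensor model each device type is mapped to."""
    return {e["attrs"].get("MODEL", oid): e["attrs"].get("HEALTH", "<none>")
            for oid, e in parse_oid2type(text).items()}
```

Run it against the real file with `health_by_model(open(path).read())` after editing and before `dmgtd start`.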





Saturday, July 14, 2012

Exchange server out of disk space due to an excessive number of log files

An old friend called for help. I found the Exchange 2003 server's mtadata folder filled with a huge number of log files (E00....log). I ran ntbackup and did an Exchange information store backup, immediately cleaned all the E00...log files, and reclaimed over 50 GB of disk space.

Wednesday, May 30, 2012

EEM - CDP to monitor connected devices up and down

Based on a post from the Cisco EEM forum, I created an EEM applet to email on CDP "add" and "del" events. This is pretty cool! It took me a few hours to get all the syntax right, and then I found this Cisco post. The "show event manager detector .. detailed" command is really helpful for getting the built-in environment variables.


event manager environment email_to ywang@xyz.com
event manager environment email_server xxx.xxx.xxx.xxx
event manager session cli username "xyz"


event manager applet cdp-neighbor-down
 description track device down from cdp event
 event neighbor-discovery interface regexp FastEthernet cdp delete
 action 1.0 info type routername
 action 2.0 mail server "$email_server" to "$email_to" from "eem@$_info_routername" subject "$_nd_cdp_entry_name Down" body "$_event_pub_time: $_nd_cdp_entry_name down at $_nd_local_intf_name"


event manager applet cdp-neighbor-up
 description track device up from cdp event
 event neighbor-discovery interface regexp FastEthernet cdp add
 action 1.0 info type routername
 action 2.0 cli command "enable"
 action 3.0 cli command "config t"
 action 4.0 cli command "interface $_nd_local_intf_name"
 action 5.0 cli command "description $_nd_cdp_entry_name:$_nd_port_id"
 action 6.0 mail server "$email_server" to "$email_to" from "eem@$_info_routername" subject "$_nd_cdp_entry_name Up" body "$_event_pub_time: $_nd_cdp_entry_name Up at $_nd_local_intf_name"



Source: https://supportforums.cisco.com/docs/DOC-24529

In preparing for CiscoLive! in San Diego, I am provisioning our access layer 3560-E switches.  Since things have a tendency to change a lot at an event like CiscoLive! I thought it would be best to make sure our port descriptions are always up-to-date when it comes to reflecting what devices are connected.  To help me do that, I wrote up this small EEM applet policy.  It will update the port's description based on the CDP neighbor learned on that port.  This policy requires EEM 3.2, so you're looking at 12.2(55)SE or higher for the 3560s.  It will also work on 3750s and ISR G2 routers running 15.x code.

event manager applet update-port-description
 event neighbor-discovery interface regexp GigabitEthernet.* cdp add 
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $_nd_local_intf_name"
 action 4.0 cli command "description $_nd_cdp_entry_name:$_nd_port_id"

The result of this will be a description like the following on switch ports:

description SDCC_IDF_1.11:TenGigabitEthernet0/1

Friday, March 2, 2012

Reset Cisco Light Weight AP 1242 to factory default

I struggled a while to figure it out. "write erase" does not work, and pushing the mode button does not work either. The fix is to get to the console and use "clear capwap private-config" or "clear lwapp private-config".

Tuesday, February 28, 2012

IEEE 802.1Q Tunneling

I wanted to extend a test lab to a mini switch at my desk over the corporate LAN. Here is the setup and configuration. It is very neat; now I can connect to my lab network VLAN 100 at my desk.


Referenced Cisco doc: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dot1qtnl.html