SRX configuration
# All of this lives under [edit system]. TACACS+ first, local password as fallback.
authentication-order [ tacplus password ];
tacplus-server {
    xxx.xxx.xxx.xxx {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
    yyy.yyy.yyy.yyy {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
}
# Remote user templates; the TACACS+ server selects one with the local-user-name attribute
login {
    user netadmin {
        full-name "remote super-user template";
        uid 100;
        class super-user;
    }
    user remote-monitor {
        full-name "remote operator template";
        uid 101;
        class operator;
    }
}
# TACACS+ accounting; each server's secret must match its tacplus-server entry above
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                xxx.xxx.xxx.xxx {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
                yyy.yyy.yyy.yyy {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}
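As an added check that is not part of the original post: a small Python parser for Junos brace syntax plus an audit of the [edit system] fragment above. The config embedded in it is constructed, with RFC 5737 addresses 192.0.2.10 and 192.0.2.11 standing in for the xxx/yyy placeholders, and it deliberately keeps the post's mismatched accounting secret ("sharekey" versus "sharedkey") so the audit has something to catch.

```python
# Added example: parse a Junos [edit system] fragment and audit its TACACS+ settings.
# Constructed sample (192.0.2.x stand in for the post's xxx/yyy servers).
import re

SAMPLE = '''\
authentication-order [ tacplus password ];
tacplus-server {
    192.0.2.10 {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
    192.0.2.11 {
        secret "sharedkey"; ## SECRET-DATA
        single-connection;
    }
}
login {
    user netadmin {
        uid 100;
        class super-user;
    }
}
accounting {
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                192.0.2.10 {
                    secret "sharekey"; ## SECRET-DATA
                    single-connection;
                }
                192.0.2.11 {
                    secret "sharedkey"; ## SECRET-DATA
                    single-connection;
                }
            }
        }
    }
}
'''

# One token per quoted string, brace, bracket, semicolon or bare word.
TOKEN = re.compile(r'"[^"]*"|[{};\[\]]|[^\s{};\[\]"]+')


def _strip_comments(text):
    # Drops "## SECRET-DATA" style trailing annotations; /* */ comments are not handled.
    return "\n".join(line.split("##", 1)[0] for line in text.splitlines())


def parse_junos(text):
    """Nested dicts: a block becomes a dict, a leaf statement a list of values (or True)."""
    toks = TOKEN.findall(_strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while pos < len(toks) and toks[pos] not in ("{", ";"):
                words.append(toks[pos].strip('"'))
                pos += 1
            if pos >= len(toks):
                raise ValueError("unterminated statement: " + " ".join(words))
            if toks[pos] == "{":
                pos += 1
                child = block()
                if pos >= len(toks):
                    raise ValueError("missing closing brace")
                pos += 1  # consume "}"
                cur = node  # "user netadmin {" nests as node["user"]["netadmin"]
                for w in words[:-1]:
                    cur = cur.setdefault(w, {})
                cur[words[-1]] = child
            else:
                pos += 1  # consume ";"
                key, *vals = words
                node[key] = [v for v in vals if v not in ("[", "]")] or True
        return node

    tree = block()
    if pos != len(toks):
        raise ValueError("unexpected closing brace")
    return tree


def audit(system):
    """Findings for a parsed [edit system] subtree; an empty list means nothing to flag."""
    findings = []
    order = system.get("authentication-order", [])
    if "tacplus" not in order:
        findings.append("authentication-order does not include tacplus")
    elif order[-1] != "password":
        findings.append("authentication-order ends without a local password fallback")
    auth = system.get("tacplus-server", {})
    acct = system.get("accounting", {}).get("destination", {}).get("tacplus", {}).get("server", {})
    for ip, srv in acct.items():  # accounting and authentication must share each server's key
        if ip not in auth:
            findings.append(f"accounting server {ip} is not a configured tacplus-server")
        elif srv.get("secret") != auth[ip].get("secret"):
            findings.append(f"accounting secret for {ip} differs from its tacplus-server secret")
    if "interactive-commands" not in system.get("accounting", {}).get("events", []):
        findings.append("accounting events lack interactive-commands: no per-command audit trail")
    for name, user in system.get("login", {}).get("user", {}).items():
        if user.get("class") == ["super-user"]:
            findings.append(f"note: template user {name} maps remote logins to class super-user")
    return findings
```

Run it against a `show configuration system | display set`-free brace dump (the parser expects the curly-brace form shown in the post) and it reports the mismatched secret for the first server; once the two secrets agree only the informational note about the super-user template remains.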
Cisco ACS
The key to the Cisco ACS setup is Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. Create a custom shell profile for each template user and give it the custom attribute local-user-name set to that template's name; the SRX uses that attribute to pick which login template (and therefore which class) a TACACS+-authenticated user gets. For the netadmin group, for example, the profile sets local-user-name to netadmin.
Work Stuff
My world of Cisco, Microsoft, RedHat, Sun, RSA, Riverbed, F5 BigIP, Juniper SRX, Palo Alto Networks.
Thursday, February 20, 2014
Tuesday, July 31, 2012
Cisco Prime LMS 4.2.1 Customizable Interface Group
Needed to remove certain alarms for only certain types of interfaces; worked on it for many days and finally got it working with help from TAC.
1. Modify the group rule for a customizable interface group with a valid group rule (example: Customizable Interface Group 1) from Admin > System > Group Management > Fault.
2. Modify the priority of that Interface Threshold Group to a higher priority from Monitor > Fault Settings > Setup > Priority Settings, so that the interfaces satisfying the rule fall under the higher-priority group.
3. Apply the changes after modifying the priority, so that all changes reach the in-charge server, from Monitor > Fault Settings > Setup > Apply Changes.
4. Then set the threshold values from Monitor > Fault Settings > Setup > Threshold Settings.
5. Then apply changes again from Monitor > Fault Settings > Setup > Apply Changes, so that all threshold value changes reach the in-charge server.
Ciscoworks Prime LMS 4.2 DFM change of fault threshold
Below is an example of what I had to do to get rid of tons of OutOfRange Temperature or Voltage Sensor alerts:
First stop the daemon:
/etc/init.d/dmgtd stop
Then modify the entries for my devices in the oid2type_cisco.conf file (<NMSROOT>/objects/smarts/conf/discovery/oid2type_cisco.conf) as shown below (the highlighting that marked the changed lines in the original post is lost here):
# Cisco Nexus 7000
.1.3.6.1.4.1.9.12.3.1.3.612 {
    TYPE = Switch
    VENDOR = Cisco
    MODEL = N7K-C7010
    CERTIFICATION = CERTIFIED
    CONT = Cisco-EntityRF-Switch
    HEALTH = Nexus-Entity-EntSensor
    BRIDGE = Cisco
    NEIGHBOR = Cisco-Cdp
    INSTRUMENTATION:
        Environment = CiscoEntityFRU:DeviceID
        Card-Fault = CiscoEntityFRU:DeviceID
        CPU/Memory = CiscoSystem:DeviceID
        Interface-Fault = MIB2
        Interface-Performance = MIB2
        Port-Fault = MIB2
        Port-Performance = MIB2
}
# Cisco ASR Router - 1004
.1.3.6.1.4.1.9.1.924 {
    TYPE = Router
    VENDOR = Cisco
    MODEL = ASR1004
    CERTIFICATION = TEMPLATE
    CONT = Cisco-EntityFRU
    NEIGHBOR = Cisco-Cdp
    HEALTH = Cisco-Router-CRS-EntSensor
    INSTRUMENTATION:
        Environment = CiscoEntityFRU:DeviceID
        CPU/Memory = CiscoRouter:DeviceID
        Card-Fault = CiscoEntityFRU
        Interface-Fault = MIB2
        Interface-Performance = CiscoRouter
        Interface-Ethernet-Performance = CiscoRouter_Ethernet
}
# Cisco VSS Switch
.1.3.6.1.4.1.9.1.896 {
    TYPE = Switch
    VENDOR = Cisco
    MODEL = VSS-1440
    CERTIFICATION = CERTIFIED
    CONT = Cisco-VSS-Switch
    VLAN = Cisco-Membership
    BRIDGE = Cisco
    NEIGHBOR = Cisco-Cdp
    HEALTH = Cisco-Router-CRS-EntSensor
    INSTRUMENTATION:
        Environment = CiscoEntityFRU:DeviceID
        CPU/Memory = CiscoRouter:DeviceID
        Card-Fault = CiscoEntityFRU:DeviceID
        Interface-Fault = MIB2
        Interface-Performance = MIB2
        Port-Fault = MIB2
        Port-Performance = MIB2
        Port-Ethernet-Performance = dot3_Ethernet
}
Restart the daemon:
/etc/init.d/dmgtd start
Then re-discover the devices.
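Editing oid2type_cisco.conf by hand is error-prone, so here is an added example (mine, not LMS or DFM code) of a parser and re-serializer for that entry format, with a helper that changes one field of one sysObjectID block. The embedded sample is two of the entries from the post; the replacement HEALTH value used when exercising it is a made-up placeholder, not a real DFM probe name.

```python
# Added example: parse/edit the oid2type_cisco.conf entry format. Not LMS/DFM code.
import re

# Constructed sample: two entries copied from the post above.
SAMPLE = """\
# Cisco Nexus 7000
.1.3.6.1.4.1.9.12.3.1.3.612 {
    TYPE = Switch
    VENDOR = Cisco
    MODEL = N7K-C7010
    CERTIFICATION = CERTIFIED
    CONT = Cisco-EntityRF-Switch
    HEALTH = Nexus-Entity-EntSensor
    BRIDGE = Cisco
    NEIGHBOR = Cisco-Cdp
    INSTRUMENTATION:
        Environment = CiscoEntityFRU:DeviceID
        Card-Fault = CiscoEntityFRU:DeviceID
        CPU/Memory = CiscoSystem:DeviceID
        Interface-Fault = MIB2
        Interface-Performance = MIB2
        Port-Fault = MIB2
        Port-Performance = MIB2
}
# Cisco ASR Router - 1004
.1.3.6.1.4.1.9.1.924 {
    TYPE = Router
    VENDOR = Cisco
    MODEL = ASR1004
    CERTIFICATION = TEMPLATE
    CONT = Cisco-EntityFRU
    NEIGHBOR = Cisco-Cdp
    HEALTH = Cisco-Router-CRS-EntSensor
    INSTRUMENTATION:
        Environment = CiscoEntityFRU:DeviceID
        CPU/Memory = CiscoRouter:DeviceID
        Card-Fault = CiscoEntityFRU
        Interface-Fault = MIB2
        Interface-Performance = CiscoRouter
        Interface-Ethernet-Performance = CiscoRouter_Ethernet
}
"""

HEADER = re.compile(r"^(\.[\d.]+)\s*\{$")      # a sysObjectID opening a block
KV = re.compile(r"^([\w/-]+)\s*=\s*(\S+)$")   # KEY = VALUE


def parse_oid2type(text):
    """Return {oid: {"comment": str|None, "attrs": {...}, "instrumentation": {...}}}."""
    entries, oid, section, pending = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # remember the comment that labels the next block
            pending = line
            continue
        m = HEADER.match(line)
        if m:
            oid = m.group(1)
            entries[oid] = {"comment": pending, "attrs": {}, "instrumentation": {}}
            section, pending = "attrs", None
            continue
        if line == "}":
            oid = None
            continue
        if line == "INSTRUMENTATION:":
            section = "instrumentation"
            continue
        m = KV.match(line)
        if not (m and oid):
            raise ValueError(f"unparsed line: {raw!r}")
        entries[oid][section][m.group(1)] = m.group(2)
    if oid is not None:
        raise ValueError(f"block {oid} not closed")
    return entries


def render(entries):
    """Serialize back to the file format, 4-space indented like the post's listing."""
    out = []
    for oid, e in entries.items():
        if e["comment"]:
            out.append(e["comment"])
        out.append(f"{oid} {{")
        out.extend(f"    {k} = {v}" for k, v in e["attrs"].items())
        if e["instrumentation"]:
            out.append("    INSTRUMENTATION:")
            out.extend(f"        {k} = {v}" for k, v in e["instrumentation"].items())
        out.append("}")
    return "\n".join(out) + "\n"


def set_field(entries, oid, key, value, section="attrs"):
    """Change one field of one block; returns the old value (KeyError for an unknown OID)."""
    old = entries[oid][section].get(key)
    entries[oid][section][key] = value
    return old
```

Parse the real file, call set_field for the OIDs you need to change, write render() out to a copy, and diff it against the original before stopping dmgtd; the round trip keeps comments and key order, so the diff shows only the intended lines.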
Saturday, July 14, 2012
Exchange server out of disk space due to an excessive number of log files
An old friend called for help. I found the Exchange 2003 server's mtadata folder filled with a huge number of log files (E00....log). I ran ntbackup and did an Exchange information store backup, immediately cleaned up all the E00...log files, and reclaimed over 50 GB of disk space.
Wednesday, May 30, 2012
EEM - CDP to monitor connected devices up and down
Based on a post from the Cisco EEM forum, I created an EEM applet to email on CDP "add" and "del" events. This is pretty cool! It took me a few hours to get all the syntax right, and then I found the Cisco post quoted below. The "show event manager detector .. detailed" commands are really helpful for getting the built-in environment variables. Note that the applet runs its config commands under the AAA user named by "event manager session cli username", and that whatever a neighbor advertises in CDP ends up verbatim in the port description and the email subject; CDP is unauthenticated, so that text is untrusted input.
event manager environment email_to ywang@xyz.com
event manager environment email_server xxx.xxx.xxx.xxx
event manager session cli username "xyz"
event manager applet cdp-neighbor-down
 description track device down from cdp event
 event neighbor-discovery interface regexp FastEthernet cdp delete
 action 1.0 info type routername
 action 2.0 mail server "$email_server" to "$email_to" from "eem@$_info_routername" subject "$_nd_cdp_entry_name Down" body "$_event_pub_time: $_nd_cdp_entry_name down at $_nd_local_intf_name"
event manager applet cdp-neighbor-up
 description track device up from cdp event
 event neighbor-discovery interface regexp FastEthernet cdp add
 action 1.0 info type routername
 action 2.0 cli command "enable"
 action 3.0 cli command "config t"
 action 4.0 cli command "interface $_nd_local_intf_name"
 action 5.0 cli command "description $_nd_cdp_entry_name:$_nd_port_id"
 action 6.0 mail server "$email_server" to "$email_to" from "eem@$_info_routername" subject "$_nd_cdp_entry_name Up" body "$_event_pub_time: $_nd_cdp_entry_name Up at $_nd_local_intf_name"
--https://supportforums.cisco.com/docs/DOC-24529
In preparing for CiscoLive! in San Diego, I am provisioning our access layer 3560-E switches. Since things have a tendency to change a lot at an event like CiscoLive! I thought it would be best to make sure our port descriptions are always up-to-date when it comes to reflecting what devices are connected. To help me do that, I wrote up this small EEM applet policy. It will update the port's description based on the CDP neighbor learned on that port. This policy requires EEM 3.2, so you're looking at 12.2(55)SE or higher for the 3560s. It will also work on 3750s and ISR G2 routers running 15.x code.
event manager applet update-port-description
 event neighbor-discovery interface regexp GigabitEthernet.* cdp add
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $_nd_local_intf_name"
 action 4.0 cli command "description $_nd_cdp_entry_name:$_nd_port_id"
The result of this will be a description like the following on switch ports:
description SDCC_IDF_1.11:TenGigabitEthernet0/1
Friday, March 2, 2012
Reset Cisco Light Weight AP 1242 to factory default
Struggled a while to figure it out. "write erase" does not work, and pushing the mode button does not work either. The way to do it is to get on the console and use "clear capwap private-config" or "clear lwapp private-config".
Tuesday, February 28, 2012
IEEE 802.1Q Tunneling
I wanted to extend a test lab to a mini switch at my desk over the corporate LAN. Here is the setup and configuration. It is very neat; now I can connect to my lab network VLAN 100 at my desk.
Referenced Cisco doc: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/dot1qtnl.html
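The setup and configuration the post refers to did not survive. As an added illustration, not the author's configuration, here is a minimal 802.1Q tunnel in Catalyst IOS syntax of the kind the referenced guide describes. VLAN 100 is the lab VLAN from the post; outer VLAN 900, the two switch roles and every interface name are assumptions.

```text
! Corporate edge switch A (near the desk). Switch B, near the lab, mirrors this.
! VLAN 100 = lab VLAN from the post. VLAN 900 and the interface names are assumed.
vlan dot1q tag native
!
vlan 900
 name QINQ-LAB-TUNNEL
!
interface GigabitEthernet1/1
 description tunnel port: desk mini-switch plugs in here
 switchport
 switchport access vlan 900
 switchport mode dot1q-tunnel
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
!
interface GigabitEthernet1/2
 description uplink across the corporate LAN; only the outer VLAN is allowed
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 900
!
! Desk mini-switch (and, symmetrically, the lab switch facing switch B):
! an ordinary 802.1Q trunk carrying the lab VLAN into the tunnel port.
interface GigabitEthernet0/1
 description trunk to corporate edge switch A tunnel port
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100
```

Each tunneled frame grows by the 4-byte outer tag, so the switches on the path may need their system MTU raised (the command is platform specific). Keeping VLAN 900 allowed only on the two uplinks confines the lab's Layer 2 domain to that path; with l2protocol-tunnel the lab's CDP and STP pass through the corporate switches untouched, which is what makes the desk switch look directly attached to the lab, and also means the corporate switches do not participate in that spanning tree.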