Monday, October 18, 2010

CiscoSecure ACS for Windows Router PPTP Authentication

If you need to migrate your PPTP users from an IOS device/PIX to a Cisco ACS, this is a good starting point:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication

I was having an odd issue with this configuration: everything seemed fine, but on my Windows 7 test client I got Error 742: "The remote server does not support encryption" every time I tried to connect. ACS 4.2 showed the authentication as successful and nothing else, and the debug on the router showed pretty much the same thing, with the exception of:

"Vi1 MPPE: RADIUS keying material missing"

After 2 weeks with TAC, we came to the conclusion that the issue was caused by the fact that, starting with Vista, MS-CHAP v1 is deprecated, so in order for MS-CHAP v2 to work we needed to enable the extra MPPE attributes:

[311\016] MS-MPPE-Send-Key
[311\017] MS-MPPE-Recv-Key

In the new Cisco ACS 5.x family, enabling these particular attributes does not seem to be necessary, since "These are added to the profile as required".
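To check for the symptom above on the wire, here is an added example (not from the post and not Cisco's code) that parses a RADIUS Access-Accept and reports whether the Microsoft vendor attributes 16 and 17 (MS-MPPE-Send-Key / MS-MPPE-Recv-Key, vendor ID 311, per RFC 2548) are present; the packets are constructed inline with dummy key bytes.

```python
import struct

MICROSOFT_VENDOR_ID = 311          # the "311" in [311\016] / [311\017] above
VENDOR_SPECIFIC = 26               # RADIUS Vendor-Specific attribute (RFC 2865)
MPPE_KEYS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}   # RFC 2548


def iter_vsas(packet):
    """Yield (vendor_id, vendor_type, value) for each VSA in a RADIUS packet."""
    length = struct.unpack("!BBH", packet[:4])[2]
    pos = 20                       # past code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            yield vendor_id, vtype, value[6:4 + vlen]
        pos += alen


def mppe_keys_present(packet):
    """Names of the MS-MPPE key attributes an Access-Accept carries."""
    return {MPPE_KEYS[vt] for vid, vt, _ in iter_vsas(packet)
            if vid == MICROSOFT_VENDOR_ID and vt in MPPE_KEYS}


def build_access_accept(vsas):
    """Construct a minimal Access-Accept (code 2) with the given (vendor, type, value) VSAs."""
    body = b""
    for vendor_id, vtype, value in vsas:
        inner = struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value
        body += struct.pack("!BB", VENDOR_SPECIFIC, len(inner) + 2) + inner
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


DUMMY_KEY = bytes(34)              # stand-in for an encrypted MPPE key, not real material
# Reply from a profile with both MPPE key attributes enabled:
WITH_KEYS = build_access_accept([(311, 16, DUMMY_KEY), (311, 17, DUMMY_KEY)])
# Reply carrying only MS-MPPE-Encryption-Policy (vendor type 7): the case the router
# logs as "RADIUS keying material missing"
WITHOUT_KEYS = build_access_accept([(311, 7, b"\x00\x00\x00\x02")])
```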

Saturday, October 16, 2010

EIGRP K Values

Just for reference:

K1 = bandwidth
K2 = load
K3 = delay
K4 = reliability
K5 = Additional Reliability modifier [reference]

Good summary here

Cisco docs
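As an added example (not from the post), the composite metric computed from the five K values above, using Cisco's published EIGRP formula with the default K1 = K3 = 1 and K2 = K4 = K5 = 0; the path figures are constructed.

```python
DEFAULT_K = (1, 0, 1, 0, 0)   # K1..K5 defaults: only bandwidth and delay count


def eigrp_metric(min_bw_kbps, total_delay_usec, load=1, reliability=255, k=DEFAULT_K):
    """EIGRP composite metric for a path (classic 32-bit metric).

    min_bw_kbps      lowest bandwidth on the path, kbit/s (K1/K2 term)
    total_delay_usec sum of interface delays on the path, microseconds (K3 term)
    load             1..255, 255 = saturated (K2 term)
    reliability      1..255, 255 = fully reliable (K4/K5 term)
    """
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bw_kbps    # scaled bandwidth, integer as IOS computes it
    delay = total_delay_usec // 10    # delay in tens of microseconds
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:                       # K5 = 0 switches the reliability factor off
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(hops, **kw):
    """Metric of a multi-hop path given [(bandwidth_kbps, delay_usec), ...]."""
    return eigrp_metric(min(bw for bw, _ in hops), sum(d for _, d in hops), **kw)


# Constructed paths: a T1 directly, and FastEthernet followed by a T1
T1 = (1544, 20000)
FASTETHERNET = (100000, 100)
```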

Thursday, October 14, 2010

VMWare ESXi Hardware Monitoring

So I have some ESXi servers running and needed to do hardware monitoring with Nagios.

I found check_esx_wbem.py, a Python script that uses VMware CIM (if you need to enable CIM, read more here).

The script requires Python and the pywbem module. In my case, I did aptitude install ;)

The usage is simple really:

Usage : ./check_esx_wbem.py hostname user password [verbose]
Example : ./check_esx_wbem.py https://myesxi:5989 root password


Using verbose, you get a lot of output such as this:

20101014 17:09:14 Check classe CIM_ComputerSystem
20101014 17:09:15 Element Name = System Board 7:1
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:2
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:3
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:4
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:5
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:6
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:7
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:8
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Board 7:9
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:1
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:2
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:3
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:4
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:5
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:6
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = System Internal Expansion Board 16:7
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Element Name = esxi.example.com
20101014 17:09:15 Element Name = Hardware Management Controller (Node 0)
20101014 17:09:15 Element Op Status = 0
20101014 17:09:15 Check classe CIM_NumericSensor
20101014 17:09:15 Element Name = System Board 8 Power Meter
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 7 Temp 24
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 6 Temp 23
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 5 Temp 22
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Drive Backplane 1 Temp 21
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 9 Temp 20
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Processor 3 Temp 19
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 7 Temp 18
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 6 Temp 17
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 5 Temp 16
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 4 Temp 15
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 3 Temp 14
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 2 Temp 13
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Internal Expansion Board 1 Temp 12
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 8 Temp 11
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 7 Temp 10
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 6 Temp 9
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 4 Temp 7
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 3 Temp 6
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 2 Temp 5
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Memory Module 1 Temp 4
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = Processor 1 Temp 2
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = External Environment 1 Temp 1
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 4 Fans
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 2 Fan 2
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Element Name = System Board 1 Fan 1
20101014 17:09:15 Element Op Status = 2
20101014 17:09:15 Check classe CIM_Memory
20101014 17:09:16 Element Name = Proc 1 Level-1 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-1 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-1 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-1 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-2 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-2 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-2 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-2 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Proc 1 Level-3 Cache
20101014 17:09:16 Element Op Status = 0
20101014 17:09:16 Element Name = Memory
20101014 17:09:16 Element Op Status = 2
20101014 17:09:16 Check classe CIM_Processor
20101014 17:09:16 Element Name = Proc 1
20101014 17:09:16 Element Op Status = 2
20101014 17:09:16 Check classe CIM_RecordLog
20101014 17:09:16 Element Name = IPMI SEL
20101014 17:09:16 Element Op Status = 2
20101014 17:09:16 Check classe OMC_DiscreteSensor
20101014 17:09:16 Element Name = Power Supply 3 Power Supplies
20101014 17:09:16 Element Op Status = 2
20101014 17:09:16 Element Name = System Chassis 3 Ext. Health LED
20101014 17:09:16 Element Name = System Chassis 2 Int. Health LED
20101014 17:09:16 Element Name = System Chassis 1 UID Light
20101014 17:09:16 Check classe VMware_StorageExtent
20101014 17:09:16 Check classe VMware_Controller
20101014 17:09:17 Check classe VMware_StorageVolume
20101014 17:09:17 Check classe VMware_Battery
20101014 17:09:17 Check classe VMware_SASSATAPort
OK

Nagios Integration

Create a check command definition in nagios such as this:

define command {
    command_name    check_esxi
    command_line    /usr/bin/python /usr/lib/nagios/plugins/check_esx.py https://'$HOSTADDRESS$':5989 '$ARG1$' '$ARG2$' verbose
}

Create a service tied to a host:

define service {
    host_name              ESXi-server
    service_description    Hardware ESXi
    use                    generic-service
    check_command          check_esxi!root!password
    register               1
}

Restart Nagios and, presto, you are now monitoring the hardware on your ESXi server.
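An added example (not part of the post or of check_esx_wbem.py) showing how the verbose output above reduces to a single Nagios state: each element's CIM OperationalStatus code is mapped to OK/WARNING/CRITICAL/UNKNOWN and the worst one wins; the mapping is my choice, and the log lines are a constructed subset of the run above plus one invented failing power supply.

```python
import re

# DMTF CIM_ManagedSystemElement.OperationalStatus codes (subset)
CIM_OPSTATUS = {0: "Unknown", 2: "OK", 3: "Degraded", 4: "Stressed",
                5: "Predictive Failure", 6: "Error", 7: "Non-Recoverable Error",
                12: "No Contact", 13: "Lost Communication"}
NAGIOS_EXIT = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}
RANK = {"OK": 0, "UNKNOWN": 1, "WARNING": 2, "CRITICAL": 3}   # worst state wins
LINE_RE = re.compile(r"^\d{8} \d\d:\d\d:\d\d Element (Name|Op Status) = (.*)$")

def severity(code):
    """Nagios state for one OperationalStatus code (mapping chosen here).
    0 (Unknown) is what sensorless elements report in the run above, so it is not a fault."""
    if code in (0, 2):
        return "OK"
    if code in (3, 4, 5):
        return "WARNING"
    if code in (6, 7, 12, 13):
        return "CRITICAL"
    return "UNKNOWN"

def evaluate(lines):
    """Return (state, exit_code, problems) for the plugin's verbose output lines."""
    worst, problems, name = "OK", [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # "Check classe ..." lines and the trailing "OK"
        if m.group(1) == "Name":
            name = m.group(2)         # the Op Status line follows its Name line
            continue
        code = int(m.group(2))
        state = severity(code)
        if state != "OK":
            problems.append(f"{name}: {CIM_OPSTATUS.get(code, code)}")
        if RANK[state] > RANK[worst]:
            worst = state
    return worst, NAGIOS_EXIT[worst], problems

HEALTHY = [   # constructed subset of the verbose run above
    "20101014 17:09:14 Check classe CIM_ComputerSystem",
    "20101014 17:09:15 Element Name = System Board 7:1",
    "20101014 17:09:15 Element Op Status = 0",
    "20101014 17:09:15 Element Name = System Board 8 Power Meter",
    "20101014 17:09:15 Element Op Status = 2",
]
FAILING = HEALTHY + [   # constructed fault, not from the post
    "20101014 17:09:16 Element Name = Power Supply 3 Power Supplies",
    "20101014 17:09:16 Element Op Status = 6",
]
```

Whatever does the parsing, the command definition above hands the ESXi root password to the plugin as a command-line argument, where any local user can read it from the process list.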

Friday, October 8, 2010

Free CCIE INE vSeminars

From INE:

"As Anthony announced last week, we have a few new vSeminars coming up shortly, and I wanted to post the details of exactly when they would be, as well as provide a link to register for them.
Routing and Switching:
  • October 15, 2010 – 11:00 AM EST
  • Instructor: Anthony Sequeira, CCIE #15626
  • Topic: Developing Tier 2 Knowledge
  • November 10, 2010 – 03:00 PM EST
  • Instructor: Anthony Sequeira, CCIE #15626
  • Topic: “I CANNOT REACH THE BACKBONE!”
Voice:
  • October 22, 2010 – 03:00 PM EST
  • Instructor: Mark Snow, CCIE #14073
  • Topic: Unified Mobility Interactions with Local Route Group and Globalization
  • December 14, 2010 – 03:00 PM EST
  • Instructor: Mark Snow, CCIE #14073
  • Topic: LDAP Synchronization and Authentication in Unified Communications
To register for any of these, simply click here and fill in your name and email, and you will be notified via email the week of the event."

Thursday, October 7, 2010

Cisco ACS 4.2:: Quick and easy way to admin devices via TACACS+

A quick template for Cisco ACS 4.2 TACACS+ administration for IOS devices.

On the IOS device (taken from a switch):

enable secret <SECRET>
no enable password
no username <ANY CURRENT USERS>
username panicuser secret 0 <PANIC USER PASSWORD>

ip tacacs source-interface <MANAGEMENT INT>

tacacs-server directed-request
tacacs-server key <SECRET>
tacacs-server host <ACS IP>

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console

Exit the IOS device and log back in with an ACS username, then continue with the accounting configuration:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common


Cisco ACS:

Interface Configuration->TACACS+ (Cisco IOS)->Advanced TACACS+ Features and Display enable default (Undefined) service configuration

Network Configuration-> AAA Clients Add Entry-> IOS Device IP Address/Secret/TACACS+ (Cisco IOS)

Group Setup-> The group you want to use->Rename Group-> Meaningful name (Eg: Networking Admins)

Group Setup-> Networking Admins->Edit Settings:

->Enable Options->Level 15
->TACACS+ Settings->Shell (exec)
->TACACS+ Settings->Privilege level->15
->TACACS+ Settings->Shell Command Authorization Set->Per Group Command Authorization->Permit
->Submit + Restart

User Setup->Name of the user to create->Add/Edit

->User Setup->Password
->User Setup->Group to which the user is assigned:->Networking Admins
->Advanced TACACS+ Settings->TACACS+ Enable Control:->Use Group Level Setting
->Advanced TACACS+ Settings->TACACS+ Enable Password->Use CiscoSecure PAP password
->Submit

That's it. Now everything AAA related goes to the TACACS+ server, and if the IOS device can't reach it, you have the panicuser that gives you local access to the device.
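To make sure that fallback survives later edits, here is an added example (not from the post) that audits an IOS config for the lines the template above depends on (local fallback, enable secret, panic user, level-15 accounting) and flags reversible passwords or a 'none' method on the default login list; the config text is a constructed copy of the template with placeholder values.

```python
import re

# Lines the template above relies on so that an unreachable ACS cannot lock you out
REQUIRED = {
    "enable secret (not enable password)": r"^enable secret ",
    "local panic user with secret":        r"^username \S+ secret ",
    "login falls back to local":           r"^aaa authentication login default group tacacs\+ local$",
    "enable falls back to enable secret":  r"^aaa authentication enable default group tacacs\+ enable$",
    "level-15 authz falls back to local":  r"^aaa authorization commands 15 default group tacacs\+ local$",
    "level-15 command accounting":         r"^aaa accounting commands 15 default start-stop group tacacs\+$",
}
# Lines that should not be present once AAA is pointed at the ACS
RISKY = {
    "reversible enable password":          r"^enable password ",
    "local user without secret":           r"^username \S+ password ",
    "default login list allows 'none'":    r"^aaa authentication login default .*\bnone\b",
}


def audit_aaa(config_text):
    """Return (missing, findings): required lines absent and risky lines present."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    findings = [f"{name}: {ln}" for name, pat in RISKY.items()
                for ln in lines if re.match(pat, ln)]
    return missing, findings


# Constructed copy of the template above with placeholder values
TEMPLATE = """
enable secret PLACEHOLDER
no enable password
username panicuser secret 0 PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
"""
# The same config with the local fallbacks dropped and a reversible enable password added
WEAKENED = (TEMPLATE.replace("group tacacs+ local\n", "group tacacs+\n")
                    .replace("no enable password", "enable password PLACEHOLDER"))
```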

Friday, October 1, 2010

CCIE INE::Mark Your Calendar for Upcoming Free vSeminars

From the INE Blog:

"We have some exciting free vSeminars on the way. More details will follow, but I wanted everyone to mark the dates now. These events will be recorded and added to:

http://www.ine.com/free-ccie-vseminar.htm

Routing and Switching

October 15, 2010 – Developing Tier 2 Knowledge

November 10, 2010 – “I CANNOT REACH THE BACKBONE!”

Voice

October 22, 2010 – Unified Mobility Interactions with Local Route Group and Globalization

December 14, 2010 - LDAP Synchronization and Authentication in Unified Communications"