Archive
The Wonderful awk command
I use awk quite a bit to parse output from a Cisco device.
cat filename | awk ‘{ print $1 }’
I had to parse from right to left today and learned about NF
cat filename | awk ‘{ print $(NF-1) }’
However running the awk command with NF, produced this error:
awk: (FILENAME=filename FNR=66) fatal: attempt to access field -1
It turns out that there was an empty line at line 66. Once I removed all the empty lines from the file, running the command worked just fine.
Here is another way to do this, not sure what benefits you get:
cat filename | while read line;
do
Mthd=`echo $line | awk ‘{print $(NF-1)}’`
echo $Mthd;
doneOne liner:
cat filename | while read line; do Mthd=`echo $line | awk ‘{print $(NF-1)}’`; echo $Mthd; done
Updated Aug 8, 2013
Today I wanted to grep on a second column. Again awk came through.
awk ‘ { if($2==”texttosearchfor”) print $0} ‘ somefilename
Determining the manufacture date
sh ver, the serial number will tell you:
ABC – Factory code
NN – Year of manufacture
NN – Week of manufacture
The year of manufacture is based on the year 1996.
So if your number is 16 then you add this to 1996 and you’ll get the year of manufacture of 2012.
https://supportforums.cisco.com/thread/2179427
https://groups.google.com/forum/?fromgroups=#!topic/comp.dcom.sys.cisco/15nCNlSpOks
Config-register 0x2101
0x2101
Boots the first system image in onboard Flash memory.
0x2102
Autoboots using image(s) specified by the BOOT environment variable. If more than one image is specified, the switch attempts to boot the first image specified in the BOOT variable. As long as the switch can successfully boot from this image, the same image will be used on a reboot. If the switch fails to boot from the image specified in the BOOT variable, the switch will try to boot from the next image listed in the BOOT variable. If the end of the BOOT variable is reached without the switch booting successfully, the switch attempts the boot from the beginning of the BOOT variable. The autoboot continues until the switch successfully boots from one of the images specified in the BOOT variable.
The factory default configuration register setting for systems and spares is 0x2101. However, the recommended value is 0x0102.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/25ew/configuration/guide/supcfg.html
Configuring MAC address filtering with WLC via Cisco ACS 4.2
Read this Cisco link:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
The Cisco article provides all the details you need to setup this up. You may want to offload the MAC address filtering from the WLC to the ACS because the WLC has a limitation on the number of MAC addresses it can hold in the local database. In addition, we have had to reboot our WLC once in a while due to high memory. We think the reboots are due to the MAC address filtering we use. We currently have approx 300 MAC addresses.
A couple of notes from the article, you really do need to type in the MAC address and NOT copy/paste. I thought a cope/paste from the notepad would work, but it did not. In the ACS, I created a new group called MAC_auth_users and placed the new accounts in this group.
Since the ACS does not let you copy/paste MAC addresses, I had to read about the ACS’ bulk import features.
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_tech_note09186a00801ddba8.shtml
In the ACS
Interface Configuration > Advance Options > enable RDBMS Synchronization
System Configuration > RDBMS Synchronization
Here is an example CSV file that will add the username acct (mac address) and also add the Real Name and Description fields. There is a Cisco white paper that says to use USER_DEFINED_FIELD_1 and USER_DEFINED_FIELD_2, however I got the sync working with USER_DEFINED_FIELD_0 and USER_DEFINED_FIELD_1. I’m not sure if the UDF name is different for different ACS versions or not.
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,0,a0:88:b4:92:c6:52,mac_auth_users,100,,a0:88:b4:92:c6:52,,,Wed 08/29/2007 2:18:54.45,0,,,0
2,0,a0:88:b4:92:c6:55,mac_auth_users,100,,a0:88:b4:92:c6:55,,,Wed 08/29/2007 2:18:54.45,0,,,0
3,0,a0:88:b4:92:c6:52,,1,USER_DEFINED_FIELD_0,James Paterson,TYPE_STRING,,Wed 08/29/2007 2:18:54.45,0,,APP_CSAUTH ,0
4,0,a0:88:b4:92:c6:55,,1,USER_DEFINED_FIELD_0,Tom Dickson,TYPE_STRING,,Wed 08/29/2007 2:18:54.45,0,,APP_CSAUTH ,0
5,0,a0:88:b4:92:c6:52,,1,USER_DEFINED_FIELD_1,System Admin,TYPE_STRING,,Wed 08/29/2007 2:18:54.45,0,,APP_CSAUTH ,0
6,0,a0:88:b4:92:c6:55,,1,USER_DEFINED_FIELD_1,User Admin,TYPE_STRING,,Wed 08/29/2007 2:18:54.45,0,,APP_CSAUTH ,0
Cisco 3750 switch with a failing ASIC chipset
We lost IP connectivity to the switch. The switch was still passing frames (Layer 2 OK). Console didn’t work. IP connectivity came in and out (every 2 hours or so). When I could SSH into it, I saw this in the log:
Feb 28 19:59:53 CST: %SUPERVISOR-3-FATAL: MIC exception error 4 0 0 0
-Traceback= 53D56C 53FD3C 4D6E90 4D6E38 4D9368 4D966C 4D6F40 68BEB8
*Feb 28 19:59:53 CST: ***********************************************************
*Feb 28 19:59:53 CST: * ManagementInterfaceInitialized exception in port-asic 0
*Feb 28 19:59:53 CST: ***********************************************************
*Feb 28 19:59:53 CST: ***********************************************************
*Feb 28 19:59:53 CST: * ManagementInterfaceInitialized exception in port-asic 1
*Feb 28 19:59:53 CST: ***********************************************************
Opened a ticket with Cisco TAC and they told me the ASIC chip was failing. Replaced the switch and all is good again.
Cisco bug(?) verify command on 3750 switch
The other day, I had to reload an IOS image on a switch via rommon mode. After the image file copied over, I entered the verify command to verify the file was good. I got the below message and it was a bit disconcerning. Appears there is some sort of bug with the verify command and Cisco 3750 switches.
Switch#verify flash:c3750e-universalk9-mz.122-55.SE5.bin
01:02:42: %SIGNATURE-3-NOT_ABLE_TO_PROCESS: %ERROR: Not able to process Signature in flash:c3750e-universalk9-mz.122-55.SE5.
File system hash verification failed for file flash:c3750e-universalk9-mz.122-55.SE5.bin(No such file or directory).
Cisco ASA Static command to create a translation
In ASA 8.2
static (real,mapped) mapped, real
static (dmz,outside) 1.1.1.1 192.168.45.50 netmask 255.255.255.255 (Connections to 1.1.1.1 would be translated to the DMZ host)
static (dmz,inside) 10.114.38.50 192.168.45.50 netmask 255.255.255.255 (Inside hosts can reach the DMZ host via 10.114.38.50. Inside are talking to a DMZ host and not even know it since the inside IP address appears to be an internal IP address)
In the last static example, we were having a brain fart and trying to translate the inside IP address to a different subnet. The ASA inside IP address is: 10.114.38.1 and the server VLAN is: 10.114.45.x. We were trying to NAT to 10.114.45.50, but it didn’t work. Took me a couple of hours of troubleshooting to finally realize it needs to be on the same subnet as the ASA inside IP address.
In ASA 8.3
object network DMZ_192.168.45.50
host 192.168.45.50
object network DMZ_192.168.45.50
net (dmz,outside) static 1.1.1.1
nat (pre-nat,post-nat) source static real sourced mapped sourced destination static mapped dest real dest
Again more notes regarding the different syntax changes in 8.2 and 8.3.
Converting Putty SSH keys to SecureCRT keys
Use these steps if you have SSH keys that were created with PuttyGen and you now wish to use them in SecureCRT.
2. Select Conversions and export the key to OpenSSH format
3. Export your private key and named it identity
5. Both Files should be in the same folder
SecureCRT
1. Under the “Authentication” session, Check “PublicKey” and uncheck the other options
2. Click “Properties”
3. Choose “Use Global public key setting”
4. Under “Use identity or certificate file” and choose your identity.pub.
Using Cisco ACS to limit commands (Shell Command Authorization Sets)
We have a situation where we have a group that manages some switches for us. In the past, we have created different username/passwords and en password for these switches so that we can’t log into our corporate switches. It worked ok, but sometimes we would see odd configs on some of these switches…
We recently got a Cisco ACS box so it would a good opportunity to create a new profile in TACACS to limit what the techs can enter under config t.
This Cisco white paper does a great job of explaining how to set up the profiles and what settings needs to be enabled for it to work.
The additional Cisco IOS commands (in red):
aaa authentication login vty group tacacs+ local-case
aaa authorization config-commands
aaa authorization exec vty group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ localaaa accounting exec vty start-stop group tacacs+
aaa accounting commands 0 vty start-stop group tacacs+
aaa accounting commands 1 vty start-stop group tacacs+
aaa accounting commands 15 vty start-stop group tacacs+
aaa session-id common
In the allow commands profile, we have let the techs performed all sh commands, ping, trace, change vlans, port security, shut/no shut, and wr mem.
Cisco Netflow notes
So the other day, I was looking at a 2901 router running IOS 15.0 and Netflow just wasn’t working. I checked the netflow commands and everything looked right. After 30-45 mins, I finally noticed that ip cef wasn’t turned on the router. I didn’t initially configure this router 🙂
Here is the config for netflow on an ASA:
ASA uses NSEL for NetFlow
sh flow-export counters
movement3 
You must be logged in to post a comment.