So this isn't specifically a Cisco question, but I'm trying to log in to Cisco's ftp server (ftp.cisco.com) and I need to log in anonymously with an email, but I don't know the FreeBSD commands to do this.

[root@nyc/]# ftp ftp.cisco.com

But then what? The syntax description is basically useless, because Linux is just supposed to be magical or something. I assume I need something like ftp ftp.cisco.com:anonymous@email.com? I've tried a few iterations and none of them are working. I'm trying to download a few MIBs for some 6500's but that is a pain by itself.

E: Hmm, so I finally got in by running ftp anonymous@ftp.cisco.com then putting in a random email, but now I can't get my MIBs. I hate SNMP.

ate shit on live tv fucked around with this message at 22:56 on Feb 1, 2010
Feb 1, 2010 22:50

Can you download them to your desktop then WinSCP them over?

Feb 1, 2010 23:21

That's the problem, I've never done ANYTHING with SNMP before. So maybe I can, but I can't find where to download them from, then when I do download them, I don't know what to DO with them on the Cisco side. I assume I copy them to the flash, but I don't know if I need to reboot the routers or what. Is there some IOS command that I can run that will load all the new MIBs into the SNMP process?

Feb 2, 2010 02:47

Powercrazy posted:
> That's the problem, I've never done ANYTHING with SNMP before. So maybe I can, but I can't find where to download them from, then when I do download them, I don't know what to DO with them on the Cisco side.

So, I've never done any kind of importing SNMP MIBs to a router before - typically it's imported into a monitoring suite to make intelligent readings about what a trap that your core switch just spit out saying '1.83.28.14.39.1.1.1.1.4.38' means.

Feb 2, 2010 03:10

What are you trying to do with the MIBs? The MIB tells an SNMP application what OIDs translate into, how to interpret tables, how to define traps, blah blah blah. If you can specify what you're trying to do with the MIBs, I can probably help you do that (being that most of my job revolves around SNMP).

Feb 2, 2010 03:20

chutwig posted:
> What are you trying to do with the MIBs? The MIB tells an SNMP application what OIDs translate into, how to interpret tables, how to define traps, blah blah blah. If you can specify what you're trying to do with the MIBs, I can probably help you do that (being that most of my job revolves around SNMP).

Well there we go. OK, I'm trying to get a few pieces of information from our 6509 Edge Switches. I know how to get the relevant data to show from the command line but I don't know how to get that data remotely via (I assume) SNMP. I assume we could write a script to log in and capture the data that way, but we already have some nice NetFlow graphs that are retrieved via SNMP, so I assume all I need are the OIDs of these commands, but I cannot find them, or when I think I've found them, the OIDs are not recognized. These are the commands:

show ip igmp groups
show ip flow top-talkers
show log

(The log will be for the top talker layer 2 switches, but regardless the OIDs should be the same.) So what are the OIDs, and what do I do if I find the OIDs and they don't work?

Feb 2, 2010 06:58

You won't be able to read that information using SNMP, it was not designed for that kind of information. Your other solution (script) is the only sensible solution.

Feb 2, 2010 09:22

Well what about this? http://www.oidview.com/mibs/9/CISCO-NETFLOW-MIB.html

Specifically:
cnfTopFlows 1.3.6.1.4.1.9.9.387.1.7
cnfTopFlowsTable 1.3.6.1.4.1.9.9.387.1.7.8

Feb 2, 2010 13:35

It looks like you're in the right place. It's probably easiest to think of a MIB as being kind of like DNS for SNMP. Without a MIB, you can look at an OID directly (like you can do a walk on 1.3.6.1.4.1.9.9.387.1.7.8.1 without having CISCO-NETFLOW-MIB installed), but the SNMP app won't know how to resolve the OID to a friendly name and won't have any extra information on how to interpret and display the data other than the datatype sent by the SNMP agent on the other end. With the appropriate MIBs, the OID above becomes CISCO-NETFLOW-MIB::cnfTopFlowsTableEntry, and the SNMP app will appropriately index the table and show everything in as nice a fashion as SNMP can.

Cisco has a tool called the SNMP Object Navigator which is pretty useful for determining what MIBs you need to best look at a certain OID. http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.387.1.7.8.1 What you want to do here is click on the name CISCO-NETFLOW-MIB where it says MIB in the table. This will lead you to another page where you download the various MIBs and their dependencies.

Since you said you're on FreeBSD, I'm assuming you're using net-snmp. I forget exactly what MIBs it comes with by default, but start by downloading BRIDGE-MIB and everything below that in the table. Put all those files in their own separate directory. Once you've done that, you'll need to make the SNMP commands aware of the new MIBs in there. To do so, you can either create ~/.snmp/snmp.conf and put config directives for the current user in there, or you can do it right on the command line. I think from the command line what you want to execute is something like "snmpwalk -M '+/home/powercrazy/MIBsHere'", replacing that directory with where they actually are, and that will cause it to use those MIBs in this query in addition to its default MIBs.

In addition, you will need to provide the auth information for the SNMP agent (hopefully you're using v3, if not, start), then the hostname where the SNMP agent lives, and finally the OID or the name of the object to search. The final command will probably look something like snmpwalk -M '+/home/powercrazy/MIBsHere' -u username -A 'AuthPass' -X 'PrivPass' router-name.router.blah.com cnfTopFlowsTable and that should return all the entries in the top flows table, assuming that OID is available on your router, which it may not be. Our routers send their NetFlow information to an Arbor PeakFlow collector and don't make that information available over SNMP.

Feb 2, 2010 14:18

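As an added illustration of the table indexing described in the post above (not code from the thread or from net-snmp), this Python groups name-resolved snmpwalk output into rows keyed by table index and assembles the SNMPv3 authPriv command the post sketches, with the security level and protocols spelled out. The sample walk output and the three cnfTopFlows column names are constructed for illustration; only cnfTopFlowsTable itself is named in the thread, and the MIB directory path is the one used as an example above.

```python
import re
from collections import defaultdict

# Once net-snmp can resolve names (-M '+/path/to/MIBs'), each line of a walk
# looks like:  MIB-NAME::column.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<column>\w+)\.(?P<index>[\d.]+)\s*=\s*"
    r"(?:(?P<type>[\w -]+?):\s*)?(?P<value>.*)$"
)

# Constructed sample output. The column names are assumed for illustration;
# the last line shows what a missing instance looks like.
SAMPLE_WALK = """\
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddr.1 = IpAddress: 10.0.0.23
CISCO-NETFLOW-MIB::cnfTopFlowsSrcAddr.2 = IpAddress: 10.0.0.41
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddr.1 = IpAddress: 203.0.113.9
CISCO-NETFLOW-MIB::cnfTopFlowsDstAddr.2 = IpAddress: 198.51.100.7
CISCO-NETFLOW-MIB::cnfTopFlowsBytes.1 = Gauge32: 734211
CISCO-NETFLOW-MIB::cnfTopFlowsBytes.2 = Gauge32: 120034
CISCO-NETFLOW-MIB::cnfTopFlowsBytes.3 = No Such Instance currently exists at this OID
"""


def parse_walk(text):
    """Group walk lines into table rows: {index: {column: value}}."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("type") is None:
            continue  # "No Such Instance", "End of MIB" and continuation lines
        rows[m.group("index")][m.group("column")] = m.group("value").strip().strip('"')
    return dict(rows)


def top_by(rows, column):
    """Row indexes ordered by a numeric column, largest first."""
    return sorted(rows, key=lambda idx: int(rows[idx].get(column, 0)), reverse=True)


def snmpwalk_argv(mibdir, user, auth_pass, priv_pass, host, obj):
    """The v3 walk from the post, with -l/-a/-x made explicit.

    Passphrases on argv are visible in the process list; for regular use
    put defSecurityName/defAuthPassphrase/defPrivPassphrase and mibdirs
    in ~/.snmp/snmp.conf instead, as the post also suggests.
    """
    return ["snmpwalk", "-M", "+" + mibdir, "-v3", "-l", "authPriv",
            "-u", user, "-a", "SHA", "-A", auth_pass,
            "-x", "AES", "-X", priv_pass, host, obj]


if __name__ == "__main__":
    table = parse_walk(SAMPLE_WALK)
    for idx in top_by(table, "cnfTopFlowsBytes"):
        print(idx, table[idx])
    print(" ".join(snmpwalk_argv("/home/powercrazy/MIBsHere", "username",
                                 "AuthPass", "PrivPass",
                                 "router-name.router.blah.com", "cnfTopFlowsTable")))
```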
Thanks for the info, the only question I have now is what do I do if the OID is not available on the router. Other than upgrading code, which isn't desirable to do, is there any way I can add them?

e: I just found out my CIO literally wrote the book on OpenBSD, "Secure Architectures with OpenBSD". Guess I shouldn't have asked him how to make a directory.

ate shit on live tv fucked around with this message at 15:25 on Feb 2, 2010
Feb 2, 2010 14:57

Powercrazy posted:
> Thanks for the info, the only question I have now is what do I do if the OID is not available on the router. Other than upgrading code, which isn't desirable to do, is there any way I can add them?

If the OID isn't available on the router but is in a code upgrade, your only solution is to upgrade the code or get the info via a script. You cannot add OIDs to the IOS code yourself.

Feb 2, 2010 16:08

Anyone use VMPS? I'm trying to figure out if there's a way to use wildcards in the MAC address. We have about 2k client devices and don't want to enter them all individually, but there would only be a handful of manufacturers/models of devices. So a couple dozen entries is much easier than 2 thousand or more. The longer story is I'm looking for a cheap (or basically free) NAC solution until a better option can be budgeted. Dot1x with IAS looks like it'd be problematic with our phones (Avaya IP Phones). MAB may be an option but again I'm looking to avoid inputting every single device's MAC into a system somewhere.

Feb 2, 2010 16:16

routenull0 posted:
> If the OID isn't available on the router but is in a code upgrade, your only solution is to upgrade the code or get the info via a script. You cannot add OIDs to the IOS code yourself.

Yeah, that is what it looks like. Oh well, guess some scripts are needed.

Feb 2, 2010 17:25

zenless posted:
> Anyone use VMPS? I'm trying to figure out if there's a way to use wildcards in the MAC address. We have about 2k client devices and don't want to enter them all individually, but there would only be a handful of manufacturers/models of devices. So a couple dozen entries is much easier than 2 thousand or more.

I think VMPS is largely deprecated? 802.1x is the way forward, I guess. You can bypass the 802.1x requirement for the voice VLAN, FYI. That might be worth considering. FreeNAC is maybe something to consider also, but I have no idea how production-ready it is.

Feb 2, 2010 18:43

Powercrazy posted:
> Yeah, that is what it looks like. Oh well, guess some scripts are needed.

There are some boilerplate perl scripts out there for logging into switches and issuing commands; you can then dump the results to files and go from there. We use this to send out daily reports on defective PSU modules, for example.

Feb 2, 2010 20:15

And now for something completely different. Anyone know of a "4-eyes" administration system, where say any one of a group of people can make a change to any of the production devices, but the change won't be committed until one of the others approves it? It's not a trust issue, it's an external auditing issue. We only know of one application that will do it, Tripwire, but we don't want to use that one. Any other suggestions?

Feb 2, 2010 21:38

Powercrazy posted:
> And now for something completely different. Anyone know of a "4-eyes" administration system, where say any one of a group of people can make a change to any of the production devices, but the change won't be committed until one of the others approves it? It's not a trust issue, it's an external auditing issue.

Another one I was evaluating is ManageEngine DeviceExpert. It's much cleaner and works better but it's missing a few features that we use from BCAN. I'd say demo DeviceExpert first, then try BCAN if it doesn't suffice.

falz fucked around with this message at 01:58 on Feb 3, 2010
Feb 3, 2010 01:52

What do I do if I don't have a serial port on any of my machines and I want to configure a Cisco device? I have the console cable and I THOUGHT I had a serial port on my laptop but I was obviously mistaken. Do I have options or do I need to buy a card? I can't just plug this RJ-45 right into my NIC, can I?

edit: Nevermind, sort of. I dug up a very old computer that has a serial port on it but now I have another problem. I tried plugging the console port from 3 different Cisco devices (a 2501 router, a 3640 router and a Catalyst 1900) and I tried to connect to them through COM1 in TeraTerm at 9600 baud, 8 data bits, no parity, 1 stop bit and no flow control, but it doesn't seem to do anything. I hit new connection and it just hangs there for all 3 devices. If I go to COM2, 3 or 4 I get an error, though. The OS is Windows 2003 Server if that matters at all.

IratelyBlank fucked around with this message at 04:23 on Feb 3, 2010
Feb 3, 2010 03:11

IratelyBlank posted:
> What do I do if I don't have a serial port on any of my machines and I want to configure a Cisco device? I have the console cable and I THOUGHT I had a serial port on my laptop but I was obviously mistaken. Do I have options or do I need to buy a card? I can't just plug this RJ-45 right into my NIC, can I?

Sounds like your serial port is hosed. They make USB to serial adapters. I've used ones from Belkin (poo poo), Codi (good), Keyspan (good). The Codi and Keyspan also have *nix and OS X support.

Feb 3, 2010 04:31

Something with a Prolific chipset, like this should work fine on anything. We use them on FreeBSD, Linux, OSX, Win32. Monoprice also has serial PCI cards if you wanted to put one in a machine.

Feb 3, 2010 14:22

Which chipset on the usb -> serial doesn't cause blue screens in Windows 7? I know my prolific one does (and always right in the middle of troubleshooting which leads to additional drinking).

Feb 3, 2010 18:39

Harry Totterbottom posted:
> Which chipset on the usb -> serial doesn't cause blue screens in Windows 7? I know my prolific one does (and always right in the middle of troubleshooting which leads to additional drinking).

Hahahaha so true. I like that the drat thing works... when it works. But gently caress if that Prolific driver isn't the most unstable POS out there. For me the drivers get flaky whenever I sleep/hibernate my laptop.

Feb 3, 2010 18:55

Apparently some idiot is downloading public torrents on our corporate network. I assume it's easy to run a report on the amount of traffic done on each port over a certain time period?

Feb 5, 2010 19:21

wang souffle posted:
> Apparently some idiot is downloading public torrents on our corporate network. I assume it's easy to run a report on the amount of traffic done on each port over a certain time period?

Feb 5, 2010 19:55

Hey guys, I'm trying to get our VPN working again. I've gotten it to the point where I can connect, get an IP, and even ping the IP of the VPN router, but I cannot talk to other computers on the remote LAN. I assume there is a setting to allow this or you have to do it with ACLs. Also, when I do a whatismyip.org, I get the IP of my house instead of the VPN IP. I want all traffic redirected through the VPN.

code:

Eyecannon fucked around with this message at 03:21 on Feb 6, 2010
Feb 5, 2010 23:59

Does it even route traffic? It looks like you're missing a NAT command. I'm guessing ACL 100 was intended for a nat command like:

code:

Feb 6, 2010 06:16

falz posted:
> Does it even route traffic? It looks like you're missing a NAT command. I'm guessing ACL 100 was intended for a nat command like:

It used to do some NAT, but I removed everything except for that line accidentally. What is the deal here? I've used SDM to recreate the VPN and it is always the same: I can ping the internal IP of the router, but none of the other internal network, and I cannot access the internet at all when the VPN is active. The main purpose of this is so people can use the internet through the VPN as if they were at work.

Feb 6, 2010 10:15

Do machines on your 10.0.0.0/8 VLAN know to route to this router to reach the 192.168.2.0/24 subnetwork?

Feb 6, 2010 16:25

I have a troubleshooting question: a technician calls and says they "can't connect to the network" and supplies me the port. I ssh into the switch and the port in question has a MAC address entry for the computer when I do sh mac-address-table. I ssh into the edge switch for that facility and that computer's MAC address is listed there. Beyond the obvious answer, which in my mind is try another device on that port, what else can I do remotely to see what's going on?

*edit* All other PCs in that facility are working.

Weissbier fucked around with this message at 17:37 on Feb 6, 2010
Feb 6, 2010 17:29

jwh posted:
> Do machines on your 10.0.0.0/8 VLAN know to route to this router to reach the 192.168.2.0/24 subnetwork?

Where am I supposed to define this? Right now I have the vpn group statement with 'acl 160'

code:

Feb 6, 2010 18:59

Put in the NAT line and ACL suggestion I made earlier. If the router config you pasted is the default gateway for 10.0.0.0/24 you're fine. If this router isn't their default gateway, whatever the gateway is needs a route to 192.168.2.0 via 10.0.0.5.

Feb 6, 2010 19:10

Weissbier posted:
> I have a troubleshooting question:

Mirror the traffic to a port you can sniff. Bonus point for doing this via EoMPLS.

Feb 6, 2010 19:21

falz posted:
> Put in the NAT line and ACL suggestion I made earlier. If the router config you pasted is the default gateway for 10.0.0.0/24 you're fine. If this router isn't their default gateway, whatever the gateway is needs a route to 192.168.2.0 via 10.0.0.5.

Are you saying you have to have NAT set up to do this road warrior type VPN? The thing is, the Cisco router (10.0.0.5) isn't the default gateway for 10.0.0.0/24; there is a pfSense router (10.0.0.1) that is. However, it would be OK for VPN clients on the Cisco to use its WAN connection as their default gateway.

EDIT: OK, I made a little progress. I changed the VPN client pool to 10.0.0.16/28 and now I can ping everything on 10.0.0.0/24 and even hit the webserver on its internal address. Good. But now when I try to ping stuff on the internet, I get name resolution, but the ping fails. Any ideas?

Eyecannon fucked around with this message at 22:30 on Feb 6, 2010
Feb 6, 2010 20:26

OK, here's where I am right now, hope this clears it up a little:

- I can get on the VPN and get an IP address in the 10.0.0.16/28 range.
- I can ping anything on 10.0.0.0/24 and I can hit internal websites; however, strangely, if I nmap any host on the network, everything shows as filtered.
- I have set up NAT overload, but I don't think it's working since I never see anything with a 'sh ip nat translations'.
- Even when I force the gateway on the remote VPN client to be 10.0.0.1, for some reason no requests for anything on the internet actually go to the router at 10.0.0.1. I can see requests made to 10.0.0.0/24 on 10.0.0.1, though.
- I can ping anything on the internet from the VPN router directly, so its default route seems to be working.

Can someone please check out my NAT setup?

code:

Eyecannon fucked around with this message at 02:39 on Feb 7, 2010
Feb 7, 2010 02:36

I've decided on a slightly different approach. I am now giving VPN clients 192.168.1.0/24, and instead of dealing with my internal network at all, I just want these clients to talk out of the one router. The problem I think I have now is that both of these things are happening on the same port; is this possible? What I'm saying is that I connect to the VPN on Fa/0 on its public IP, and I am given a private IP, then I want those clients talking out of Fa/0. I think I need to do NAT here, but is it impossible to have 'ip nat inside' and 'ip nat outside' on the same interface?

Feb 8, 2010 03:42

Another question. Is there any way within the IOS of a 3560 to cross-reference a MAC address to an IP address? sh arp just gives me the other L3 switches it sees.

Feb 8, 2010 04:14

sh mac-address-table?

Feb 8, 2010 06:18

sh arp on an L3 device to go from IP to MAC, sh mac-address-table on an L2 device to track this down to a specific port. L2 devices don't care about what the IP is, only the MAC, so you need to go to the device which has the gateway for the VLAN and track it down there.

Feb 8, 2010 08:41

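The two-step chase described in the post above (IP to MAC on the L3 gateway, MAC to port on the L2 switch), as an added Python example that is not from the thread; it also flags ports that hold several MACs, since those are uplinks and mean the host sits behind yet another switch. The `show ip arp` and `show mac address-table` outputs below are constructed samples in IOS format.

```python
import re

# Constructed sample output of 'show ip arp' on the gateway for VLAN 10.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0000.0c07.ac01  ARPA   Vlan10
Internet  10.0.0.23               5   0011.2233.4455  ARPA   Vlan10
Internet  10.0.0.41              12   00aa.bbcc.ddee  ARPA   Vlan10
"""

# Constructed sample output of 'show mac address-table' on an edge switch.
# Gi1/0/48 carries several MACs: it is the uplink, not a host port.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/48
  10    0000.0c07.ac01    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 3
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(?:\d+|-)\s+" + MAC + r"\s+ARPA\s+(\S+)", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.I)


def parse_arp(text):
    """L3 side: {ip: (mac, svi)} from 'show ip arp'."""
    return {m.group(1): (m.group(2).lower(), m.group(3))
            for m in map(ARP_RE.match, text.splitlines()) if m}


def parse_mac_table(text):
    """L2 side: {mac: (vlan, port)} from 'show mac address-table'."""
    return {m.group(2).lower(): (m.group(1), m.group(3))
            for m in map(MAC_RE.match, text.splitlines()) if m}


def likely_uplinks(mac_entries, threshold=2):
    """Ports learned on for several MACs are trunks/uplinks: keep chasing
    the MAC on the next switch instead of treating it as the host's port."""
    counts = {}
    for _vlan, port in mac_entries.values():
        counts[port] = counts.get(port, 0) + 1
    return {port for port, n in counts.items() if n >= threshold}


def trace_host(ip, arp_text, mac_text):
    """IP -> MAC on the gateway, then MAC -> port on the edge switch."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        return None  # the gateway never ARPed for it: nothing to chase
    mac, _svi = arp[ip]
    mac_entries = parse_mac_table(mac_text)
    if mac not in mac_entries:
        return {"ip": ip, "mac": mac, "vlan": None, "port": None, "behind_uplink": False}
    vlan, port = mac_entries[mac]
    return {"ip": ip, "mac": mac, "vlan": vlan, "port": port,
            "behind_uplink": port in likely_uplinks(mac_entries)}
```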
How can I specify a different default gateway for the clients of a vpn connection?

Feb 8, 2010 15:40

Eyecannon posted:
> How can I specify a different default gateway for the clients of a vpn connection?

You can specify the router/gateway in the dhcp pool that the vpn connection will use.

Feb 8, 2010 16:17