Wednesday, August 22, 2012

Tip for Solarwinds NCM Users Facing SmartNet Renewals

It's time for our annual Cisco SmartNet renewals, which always results in much pain, wailing, and gnashing of teeth. If you use Solarwinds Network Configuration Manager, you already have your serial numbers and hostnames in the database. However, there's no canned report that gives you just those two items without a bunch of extra information. Here's a SQL query that makes it a bit easier by extracting the hostname and serial number of your devices:

select nodecaption,chassisid from nodes,cisco_chassis where nodes.nodeid=cisco_chassis.nodeid order by nodecaption asc

If you paste the results of this into a sheet in Excel, you can then use a VLOOKUP function in Excel to match the serial numbers your Cisco channel partner sends you to the hostnames recorded in NCM. This makes the true-up a lot easier.

Tuesday, August 21, 2012

IOS Quick Tip: Find Never Used Switch Ports

Here's a quick regex that allows you to find ports that aren't just currently inactive, but which have never been used since the switch was reloaded:

c3750-ASW2A#sh int counter | i \ 0\ +0\ +0\ +0
Fa1/0/2                0             0             0             0
Fa1/0/5                0             0             0             0
Fa1/0/6                0             0             0             0
Fa1/0/7                0             0             0             0

There's a space after each one of the backslashes. What we're really looking for is ports that show zero packets for all of their interface counters: hence, the regex matches lines that contain a space followed by four zeros, with one or more spaces between each zero and the next.

Note: you don't actually need the backslashes in IOS; apparently spaces don't need to be escaped in the IOS regex parser. Using them is a habit formed by working with regexes in other OSes. For example:

c3750-ASW2A#sh int counter | i 0 +0 +0 +0
Fa1/0/2                0             0             0             0
Fa1/0/5                0             0             0             0

Initially, I used a $ at the end of the regex to match the zero at the end of the line, but this doesn't seem to work in all IOS versions; I suspect some of them must have whitespace after the zero. In later images, you can use the "count" filter to count the number of never-used ports. Note that because there are separate sections for input and output packets in "show interface counter", you'll need to divide the result by 2:

c3750-ASW2A#sh int counter | count \ 0\ +0\ +0\ +0
Number of lines which match regexp = 60 <-- divide this by 2

If you're running the command via SSH from a Unix-y shell, you can get just the interface names like this:

$ ssh c3750-ASW2A 'sh int counter | i 0 +0 +0 +0' | sort | uniq | cut -d ' ' -f 1
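As an added example (not part of the original post), this shell function reads "show interface counter" output on stdin and lists only the ports whose counters are all zero in both the input and the output section, so there is no divide-by-2 step and trailing whitespace after the last zero does not matter. The function names and the sample counter rows are constructed for illustration; it assumes each port appears once per section, as described above.

```shell
#!/bin/sh
# Added example, not from the original post.

# never_used_ports: print ports that are all-zero in BOTH sections.
# Works on full output or on output already filtered with "| i 0 +0 +0 +0".
never_used_ports() {
    awk '
        # Data rows are a port name plus four numeric counters. Header rows
        # ("Port InOctets ...") fail the numeric test and are skipped.
        # awk field splitting ignores trailing whitespace, so no "$" anchor.
        NF == 5 && $2 ~ /^[0-9]+$/ {
            if (!($1 in seen)) name[++n] = $1      # remember first-seen order
            seen[$1]++
            if ($2 == 0 && $3 == 0 && $4 == 0 && $5 == 0) zero[$1]++
        }
        END {
            # Assumption: two sections (input and output), so a never-used
            # port must show up as all-zero at least twice and never otherwise.
            for (i = 1; i <= n; i++)
                if (zero[name[i]] >= 2 && zero[name[i]] == seen[name[i]])
                    print name[i]
        }
    '
}

# Constructed sample output. Fa1/0/2 has trailing whitespace on its input row;
# Fa1/0/3 has zero input counters but non-zero output counters.
sample_counters() {
    printf '%s\n' \
        'Port            InOctets    InUcastPkts    InMcastPkts    InBcastPkts' \
        'Fa1/0/1          1234567           8901             12             34' \
        'Fa1/0/2                0              0              0              0 ' \
        'Fa1/0/3                0              0              0              0' \
        'Fa1/0/5                0              0              0              0' \
        '' \
        'Port           OutOctets   OutUcastPkts   OutMcastPkts   OutBcastPkts' \
        'Fa1/0/1          7654321           1098             21             43' \
        'Fa1/0/2                0              0              0              0' \
        'Fa1/0/3              640              0             10              0' \
        'Fa1/0/5                0              0              0              0'
}

# Demo: lists the ports in the sample that have never passed traffic.
sample_counters | never_used_ports
```

To use it against a live switch, pipe the ssh command's output into never_used_ports instead of the sample function.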

Thursday, August 9, 2012

BroExchange 2012 Linkfest

I just went to the 2012 BroExchange, the conference for users of Bro-IDS. I am almost completely new to Bro, but had a great time learning from some seriously smart folks. Here's a random linkfest of stuff:

Brownian, a web front-end to an ElasticSearch back-end for Bro logs.
auditing-sshd, a version of OpenSSH that exports user activity data to Bro (or other log infra, I suppose)
parallel, a GNU tool for executing shell jobs in parallel.
cpacket, maker of mirror switches, similar to Gigamon.
Bro developer Seth Hall's github page
The awesome Security Onion Linux distro with Bro pre-installed.

I may add more as I decipher my notes.