The Cisco IOS command list is getting longer, and it has been split into two posts:

1. Auto secure

Cisco also provides a One-Step Lockdown-like hardening feature at the command line, called AutoSecure. It uses the command shown below:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

2. Change Site-to-Site VPN Idle Timeout to 5 Minutes

For IOS Router

R1(config)# crypto ipsec security-association idle-time 300

For ASA

ASA1(config)# group-policy GP_1.1.1.2 attributes
ASA1(config-group-policy)# vpn-idle-timeout 300
ASA1(config-group-policy)# vpn-session-timeout none

3. Find Cisco Devices Serial Number
Usually the ‘show version’ command shows the serial number, but on Nexus you have to use ‘show inventory’ to get the chassis SN:

Nexus1# show inventory
NAME: "Chassis", DESCR: "Nexus5548 Chassis"
PID: N5K-C5548UP       , VID: V01 , SN: SSI163604J

NAME: "Module 1", DESCR: "O2 32X10GE/Modular Universal Platform Supervisor"
PID: N5K-C5548UP       , VID: V01 , SN: FOC1645D5F

NAME: "Fan 1", DESCR: "Chassis fan module"
PID: N5548P-FAN        , VID: N/A , SN: N/A

NAME: "Fan 2", DESCR: "Chassis fan module"
PID: N5548P-FAN        , VID: N/A , SN: N/A

NAME: "Power supply 1", DESCR: "AC power supply"
PID: N55-PAC-750W      , VID: V02 , SN: ART16310D6

NAME: "Power supply 2", DESCR: "AC power supply"
PID: N55-PAC-750W      , VID: V02 , SN: ART16310SQ

NAME: "Module 3", DESCR: "O2 Daughter Card with L3 ASIC"
PID: N55-D160L3-V2     , VID: V01 , SN: FOC1637NT8

NAME: "FEX 101 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
PID: N2K-C2248TP-1GE   , VID: V03 , SN: SSI1637FHK

NAME: "FEX 101 Module 1", DESCR: "Fabric Extender Module: 48x1GE, 4x10GE Supervisor"
PID: N2K-C2248TP-1GE   , VID: V03 , SN: FOC1645WH9

NAME: "FEX 101 Fan 1", DESCR: "Fabric Extender Fan module"
PID: N2K-C2248-FAN     , VID: N/A , SN: N/A

NAME: "FEX 101 Power Supply 1", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W    , VID: V04 , SN: LIT16390H9

NAME: "FEX 101 Power Supply 2", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W    , VID: V04 , SN: LIT16390HH

NAME: "FEX 102 CHASSIS", DESCR: "N2K-C2248TP-1GE  CHASSIS"
PID: N2K-C2248TP-1GE   , VID: V03 , SN: SSI16390DJ
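Pulling serials out of that output by hand does not scale when you need an asset list for contract or PSIRT checks. The following parser is an added example (not from the original post or from Cisco); it takes the NAME/DESCR and PID/VID/SN line pairs shown above and returns structured records, using a short sample built from the listing.

```python
import re

# Sample `show inventory` records, constructed for this example from the
# listing above: each component is a NAME/DESCR line followed by its
# PID/VID/SN line and a blank line.
SAMPLE_INVENTORY = """\
Nexus1# show inventory
NAME: "Chassis", DESCR: "Nexus5548 Chassis"
PID: N5K-C5548UP       , VID: V01 , SN: SSI163604J

NAME: "Fan 1", DESCR: "Chassis fan module"
PID: N5548P-FAN        , VID: N/A , SN: N/A

NAME: "FEX 101 Power Supply 1", DESCR: "Fabric Extender AC power supply"
PID: N2200-PAC-400W    , VID: V04 , SN: LIT16390H9
"""

NAME_RE = re.compile(r'^NAME:\s*"(?P<name>[^"]*)",\s*DESCR:\s*"(?P<descr>[^"]*)"')
PID_RE = re.compile(r'^PID:\s*(?P<pid>\S*)\s*,\s*VID:\s*(?P<vid>\S+)\s*,\s*SN:\s*(?P<sn>\S+)')


def parse_show_inventory(text):
    """Turn `show inventory` output into a list of dicts with keys
    name, descr, pid, vid, sn. A NAME line opens a record and the PID line
    that follows it completes the record; any other line is ignored."""
    records, current = [], None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            current = {"name": m["name"], "descr": m["descr"]}
        elif current and (m := PID_RE.match(line)):
            current.update(pid=m["pid"], vid=m["vid"], sn=m["sn"])
            records.append(current)
            current = None
    return records


def chassis_serial(records):
    """The chassis SN is the one contract and RMA lookups key on."""
    return next((r["sn"] for r in records if r["name"] == "Chassis"), None)


def serial_numbers(records):
    """Component name -> SN for parts that actually carry a serial
    (fans on this platform report SN: N/A and are left out)."""
    return {r["name"]: r["sn"] for r in records if r["sn"] != "N/A"}
```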

4. Show Commands Information

Show Version / Show Flash / Show Interfaces
Show processes CPU / Show memory / Show stacks / Show buffers
Show running-config / Show startup-config

Flash: IOS image
RAM: all tables and the running configuration while the router is up; contents are lost on power off
ROM: POST, bootstrap, Mini-IOS
NVRAM: startup-config

5. SYSLOG Writing to Local Disk or Flash Card


Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 16384        
%Warning: the ratio between logging persistent size and logging persistent filesize is 134217728/16384, suggested ratio is less than 196 in order to achieve good system performace

Router(config)# logging persistent url disk0:/syslog size 134217728 filesize 1342177  


Router#sh log 

Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled

    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 8665 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: enabled, url disk0:/syslog, disk space 134217728 bytes, file size 1342177 bytes, batch size 4096 bytes

No active filter modules.


    Trap logging: level debugging, 8669 message lines logged

        Logging to 10.2.2.3  (udp port 514, audit disabled,
              link up),
              8668 message lines logged, 
              0 message lines rate-limited, 
              0 message lines dropped-by-MD, 
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:
        Loopback0                       

Log Buffer (8192 bytes):



12 EST: %C7600_PLATFORM-SP-3-LOW_BATT: Low Voltage detected for NVRAM Battery
……..[Omitted]

Router# copy disk0:/syslog ftp://myuser:[email protected]/syslog



6. Check Router Power Supply Status

In the output below, Internal Power Supply 2 reports Fail, which is exactly what this command is there to catch.

Router#show environment
SYSTEM POWER SUPPLY STATUS
==========================
 Internal Power Supply 1 Type: AC
 Internal Power Supply 1 12V Output Status: Normal

 Internal Power Supply 2 Type: AC
 Internal Power Supply 2 12V Output Status: Fail

SYSTEM FAN STATUS
=================
 Fan 1 OK, Low speed setting
 Fan 2 OK, Low speed setting
 Fan 3 OK, Low speed setting
 Fan 4 OK, Low speed setting
 Fan 5 OK, Low speed setting

SYSTEM TEMPERATURE STATUS
=========================
 Intake Left temperature: 25 Celsius, Normal
 Intake Right temperature: 22 Celsius, Normal
 Exhaust Right temperature: 29 Celsius, Normal
 Exhaust Left temperature: 31 Celsius, Normal
 CPU temperature: 24 Celsius, Normal
 Power Supply Unit 1 temperature: 24 Celsius, Normal

REAL TIME CLOCK BATTERY STATUS
==============================
 Battery OK (checked at power up)

CPU CORE TEMPERATURE STATUS
===========================
  CPU Core current reading, target = 24, reading = 62 : Normal
  CPU Core out of target history in past 1045868.0 mins:
     Consecutive out-of-range mins high water mark: 0.0
     Total minutes out-of-range: 0.0
     Last 5 minutes out-of-range: 0.0
     Last 5 minutes consecutive out-of-range: 0.0
     Last 5 minutes read failure count: 0

SYSTEM WATTAGE
===============
 Motherboard, EHWIC, PVDM, Power Supply and Fan Power consumption = 123.1 W
 Total System Power consumption is: 123.1 W

 Environmental information last updated 00:00:11 ago

7. Port-channel: Adding a VLAN Without Downtime

For trunk links, it is best to remove portfast and bpduguard from the interface configuration:

no spanning-tree portfast
no spanning-tree bpduguard enable

Always add or remove VLANs on the port-channel interface, since the individual physical links inherit the VLAN set automatically. If a VLAN is added to a physical Layer 2 interface instead of the logical Layer 2 port-channel, it will bring the EtherChannel down.

For example, to add VLAN 50 to EtherChannel 3:

conf t
interface port-channel 3
switchport trunk allowed vlan add 50
end

show run interface gi0/3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-49
switchport mode trunk
channel-group 3 mode on

The last line “channel-group 3 mode on” indicates that this port is a member of EtherChannel 3. If you try to add VLAN 50 to the EtherChannel by adding it to the physical port g0/3 instead, the port is removed from EtherChannel 3 and spanning tree has to reconverge.
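A member port whose allowed-VLAN list has drifted from its port-channel is exactly the condition that drops the bundle, so it is worth checking before a change window. The script below is an added example (not part of the original post); it parses a running-config excerpt, expands IOS VLAN ranges, folds `switchport trunk allowed vlan add` continuation lines into the set, and reports every member whose set differs from its `Port-channelN`. The sample config is constructed, not taken from the page.

```python
import re

# Constructed `show run` excerpt (added example, not from the page): VLAN 50 was
# added on Port-channel3 and inherited by gi0/3, but gi0/4 was hand-edited and no
# longer matches the bundle.
SAMPLE_RUNNING_CONFIG = """\
interface Port-channel3
 switchport trunk allowed vlan 2-50
interface GigabitEthernet0/3
 switchport trunk allowed vlan 2-50
 channel-group 3 mode on
interface GigabitEthernet0/4
 switchport trunk allowed vlan 2-49
 channel-group 3 mode on
"""
ALLOWED_RE = re.compile(r"switchport trunk allowed vlan (add )?(all|[\d,\-]+)")
MEMBER_RE = re.compile(r"channel-group (\d+) mode")


def expand_vlan_list(spec):
    """'2-49,100' -> {2..49, 100}; 'all' -> every VLAN id (the trunk default)."""
    if spec == "all":
        return set(range(1, 4095))
    return {v for part in spec.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}


def parse_allowed_vlans(config):
    """Map interface -> allowed-VLAN set and channel number -> member names.
    IOS writes long lists as 'allowed vlan X' then 'allowed vlan add Y', hence the union."""
    allowed, members, name = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            allowed[name] = expand_vlan_list("all")
        elif name and (m := ALLOWED_RE.search(line)):
            vlans = expand_vlan_list(m.group(2))
            allowed[name] = allowed[name] | vlans if m.group(1) else vlans
        elif name and (m := MEMBER_RE.search(line)):
            members.setdefault(m.group(1), []).append(name)
    return allowed, members


def find_vlan_mismatches(config):
    """(member, port-channel, VLANs missing on member, VLANs extra on member) for
    each inconsistent member; an empty list means every member matches its bundle."""
    allowed, members = parse_allowed_vlans(config)
    findings = []
    for channel, names in members.items():
        bundle = allowed.get(f"Port-channel{channel}", set())
        for name in names:
            missing, extra = bundle - allowed[name], allowed[name] - bundle
            if missing or extra:
                findings.append((name, f"Port-channel{channel}", sorted(missing), sorted(extra)))
    return findings
```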

8. Cisco Switch Lights Meaning


SYSTEM(SYST) Light

Overall status of the switch.

  • Off: Switch is not powered on
  • Green: Switch is working fine
  • Amber: Switch is powered on but faulty

REDUNDANT POWER SUPPLY(RPS) Light

Provides backup power to the switch if the main supply goes off.

  • Off: No RPS available
  • Green: RPS is working fine
  • Blinking Green: Providing backup to some other device
  • Amber: RPS is faulty
  • Flashing Amber: RPS is providing backup(primary power off)

DUPLEX
Duplex status of the switch ports.

  • Off: Switch port is half duplex
  • Green: Switch port is full duplex

UTIL
Utilization status of the switch ports.

SPEED
Speed status of the switch ports.

  • Off: Switch port is operating at 10Mbps
  • Green: Switch port is operating at 100Mbps
  • Flashing green: Switch port is operating at 1000Mbps

STAT
Status of the switch ports.

  • Off: No device connected/port is administratively down.
  • Green: Device is connected.
  • Blinking green: Port is sending/receiving data.
  • Alternating green/amber: Link fault, or frames experiencing errors
  • Amber: Port is blocked by Spanning Tree Protocol

9. Log Cisco Device Configuration Change 

9.1 Cisco Switches and Routers Commands:

enable
configure terminal
archive
log config
logging enable
logging size 200
hidekeys
notify syslog
end

Output from command ‘show log’:

000430: *Mar  9 22:28:47.046 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
000431: *Mar  9 22:29:49.936 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:archive
000432: *Mar  9 22:29:52.738 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:log config
000433: *Mar  9 22:29:56.966 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:logging enable
000434: *Mar  9 22:30:04.188 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:logging size 200
000435: *Mar  9 22:30:10.832 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:hidekeys
000436: *Mar  9 22:30:15.035 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:notify syslog
000437: *Mar  9 22:30:22.727 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)

9.2 Cisco ASA

Syslog message IDs 111008 and 111010 log the command entered by a user; 111010 is specifically for configuration changes. Here are the two message definitions for reference:

111008: Message: %ASA-5-111008: User user executed the command string
Explanation: The user entered any command, with the exception of a show command.
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8587071

111010: Message: %ASA-5-111010: User username , running application-name from IP ip addr , executed cmd
Explanation: A user made a configuration change.

  • username —The user making the configuration change
  • application-name —The application that the user is running
  • ip addr —The IP address of the management station
  • cmd —The command that the user has executed

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html?bookSearch=true#con_8586950

You need to enable syslog at severity level 5 (notifications), and if you don’t want to see any other logging, you can log only the two message IDs above.

Also, with the list below the trap destination receives level 3 (errors) messages plus these two IDs, rather than everything at level 5:

logging list notif-cfg-changes message 111008-111010
logging list notif-cfg-changes level errors
logging trap notif-cfg-changes

Note: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1064820
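Getting these messages into syslog is only half of the job; someone has to read them. The parser below is an added example (not from the original post or from Cisco) covering both sections 9.1 and 9.2: it extracts user, source IP and command from the IOS `%SYS-5-CONFIG_I` and `%PARSER-5-CFGLOG_LOGGEDCMD` lines shown above and from ASA 111008/111010 messages, and flags commands that would switch this very logging off. The sample lines are constructed to follow the formats quoted on the page; the watchlist prefixes are my own choice.

```python
import re

# Constructed sample lines (added example): the IOS lines follow the page's
# `show log` output, the ASA lines follow the 111008/111010 formats quoted above.
SAMPLE_LOG = """\
000430: *Mar  9 22:28:47.046 EST: %SYS-5-CONFIG_I: Configured from console by john on vty0 (192.168.0.176)
000432: *Mar  9 22:29:52.738 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:log config
000436: *Mar  9 22:30:15.035 EST: %PARSER-5-CFGLOG_LOGGEDCMD: User:john  logged command:notify syslog
Mar  9 22:31:02 ASA1 %ASA-5-111010: User 'john', running 'CLI' from IP 192.168.0.176, executed 'no logging trap'
Mar  9 22:31:05 ASA1 %ASA-5-111008: User 'john' executed the 'write memory' command.
Mar  9 22:31:09 ASA1 %ASA-6-302013: Built outbound TCP connection 12 for outside:10.0.0.1/443
"""

PATTERNS = [
    # (source, regex with named groups user / cmd and, where the message carries it, ip)
    ("ios-cmd", re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")),
    ("ios-config", re.compile(r"%SYS-5-CONFIG_I: (?P<cmd>Configured from .+?) by (?P<user>\S+)(?: on \S+ \((?P<ip>[\d.]+)\))?")),
    ("asa-config", re.compile(r"%ASA-5-111010: User '(?P<user>[^']*)', running '[^']*' from IP (?P<ip>[\d.]+), executed '(?P<cmd>[^']*)'")),
    ("asa-cmd", re.compile(r"%ASA-5-111008: User '(?P<user>[^']*)' executed the '(?P<cmd>[^']*)' command")),
]

# Commands that weaken config-change visibility itself (assumed watchlist); worth an alert on their own.
WATCHLIST = ("no logging", "no archive", "no notify syslog")


def parse_config_changes(text):
    """Return one dict per config-change event; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        for source, rx in PATTERNS:
            m = rx.search(line)
            if m:
                d = m.groupdict()
                events.append({"source": source, "user": d["user"], "ip": d.get("ip"),
                               "cmd": d["cmd"].strip(),
                               "suspicious": d["cmd"].strip().startswith(WATCHLIST)})
                break
    return events


def changes_by_user(events):
    """user -> number of logged commands, the quick 'who changed what' rollup."""
    counts = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```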