Cisco Active NAT Translations OID

enterprises.9.10.77.1.2.3.0

# snmpget -Of -v2c -c skynet 10.250.10.1 enterprises.9.10.77.1.2.3.0
.iso.org.dod.internet.private.enterprises.9.10.77.1.2.3.0 = Gauge32: 102

Resources

Cisco SNMP Object Navigator
Cisco MIB Repository and misc notes
Cisco SNMP Counters: Frequently Asked Questions

Starting nfsendPANIC nfsend dies: RRD version '1.4004' not yet supported!

RRD version '1.4004' not yet supported!

Previously I had worked around this issue by editing the NfSenRRD.pm file to allow the RRD version I had installed, which obviously isn’t an ideal solution. Both nfdump and nfsen had been updated since I last checked, and the changelog included support for RRD 1.4x. The update process was quite painless:

nfdump

Download and extract
check the INSTALL file

./configure --enable-nfprofile --with-rrdpath=/usr/bin
make
make install

/usr/local/bin/nfdump -V
/usr/local/bin/nfdump: Version: 1.6.1 $LastChangedDate: 2010-03-05 07:50:35 +0100 (Fri, 05 Mar 2010) $

Nfsen

Download and extract
check the README file

./install.pl [path/to/your/nfsen/etc/nfsen.conf]

/usr/local/nfsen/bin/nfsen -V
/usr/local/nfsen/bin/nfsen: 1.3.4 $Id: nfsen 65 2010-07-04 19:40:16Z haag $

/usr/local/nfsen/bin/nfsen start
Starting nfcapd:(starwish)
Run: /usr/local/bin/nfcapd -w -D -p 9991 -u apache -g apache -B 200000 -S 1 -P /usr/local/nfsen/var/run/starwish.pid   -I starwish -l /usr/local/nfsen/profiles-data/live/starwish
[10182]
Starting nfsend.

All done.

Number of hosts or subnets:
Number of “usable” hosts or subnets:

(n being the number of borrowed bits)

Number of links required for a full mesh network: or

(n being the number of nodes in the topology)

Classful networks

Class	Leading Bits	Start		End		   Networks          Addresses
A	     0		0.0.0.0		127.255.255.255	   128 (2^7)         16,777,216 (2^24)
B	     10		128.0.0.0	191.255.255.255	   16,384 (2^14)     65,536 (2^16)
C	     110	192.0.0.0	223.255.255.255	   2,097,152 (2^21)  256 (2^8)
D (mc)	     1110	224.0.0.0	239.255.255.255	   n/a               n/a
E (reserved) 1111	240.0.0.0	255.255.255.255	   n/a               n/a

EIGRP Metric

I doubt this will be used often, but it may be useful when trying to tweak the metric of a particular route by changing the delay (or bandwidth).

The full metic:

However,  the bandwidth and delay values aren’t taken directly from the show commands, rather:

(this gives us the delay in tens of microseconds * 256)

(InterfaceBandwidth and InterfaceDelay refer to the vlaues given from sh interface)

Given the default K values of: K₁ = 1, K₂ = 0, K₃ = 1, K₄=  0, K₅ = 0, the metric becomes much simpler: 

Another interesting fact, taken from the Cisco EIGRP docs:

Cisco routers do not perform floating point math, so at each stage in the calculation, you need to round down to the nearest integer to properly calculate the metrics.

Block Size	Max VHD Size

1 MB		256 GB
2 MB		512 GB
4 MB		1 TB
8 MB		2 TB

The solution is to create a GPO with the required user settings, linked to the OU of the machine account, and enable the User Group Policy loopback processing mode policy within the GPO. This setting applies policies defined in the User portion of the GPO to users logging into machines under the GPO.

The policy is located in Computer Configuration > Policies > Administrative Templates > System > Group Policy.

There are two modes with this policy: Merge and Replace.

Replace will overwrite all user settings with policies within the computer GPO. This means that only the settings within the computer GPO will be applied to users logging into that machine.

Merge will combine whatever GPOs are normally applied to the user with the computer GPO, if a conflict exists, the computer GPO will take precedence.

Reference: http://support.microsoft.com/?kbid=231287

Router#sh caller ?
  full       Provide expanded caller information
  interface  Provide information on one interface
  ip         Display IP information
  line       Provide information on one line
  summary    Display total users logged and total ISDN/Analog users
  timeouts   Display session and idle limits and disconnect time
  user       Display information for a particular user
  |          Output modifiers
  <cr>

And the output

Router#sh caller
                                                  Active    Idle
  Line           User               Service       Time      Time
  vty 194        admin             VTY           00:03:45  00:00:00
  Vi2            <unknown phone number> \
                                    PPPoE         5d11h     00:00:04

Router#sh caller full

  User: admin, line vty 194, service VTY
        Active time 00:03:48
  Timeouts:    Limit     Remaining Timer Type
               00:30:00  00:29:59  Idle Exec
  VTY: Line 194, remote 10.250.1.100
  Line: Baud rate (TX/RX) is 9600/9600
  Status: PSI Enabled, Ready, Active, No Exit Banner
  Modem State: Ready

  User: , line Vi2, service PPPoE
        Connected for 5d11h, Idle for 00:00:00
  Timeouts:    Limit     Remaining Timer Type
               -         -         -
  PPP: LCP Open, CHAP (->), IPCP
  Dialer: Connected to <unknown phone number>, inbound
          Type is DIALER PPPOE, group Di0
  IP: Local xxx.xxx.xxx.xxx/32, remote xxx.xxx.xxx.xxx
  Counts: 3523433 packets input, 3912371236 bytes, 4 no buffer
          0 input errors, 0 CRC, 0 frame, 0 overrun
          2624812 packets output, 624201855 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets

Luckily, a few more asstons of emails were queued by sendmail and we were able to delete them before it launched a second offensive.

There are a few ways to view the mail queue.

mailq

sendmail -bp

ll /var/spool/mqueue/
ll /var/spool/clientmqueue

There are also several ways to delete emails from the queue.

sendmail -v -q

Alternatively, the sendmail service can be stopped, all items from /var/spool/mqueue/ and /var/spool/clientmqueue can be deleted, and the sendmail service restarted.

Confirm the queue has been cleared with mailq or one of the other commands.

There are downsides to the Cisco method, for one, following a reload, it tends to start naming files back at 1, which causes it to overwrite older configs, but the beauty is that it it will only back up a config when the changes are committed to NVRAM; ie. wr mem. Other tools either rely on scheduled checks, or in some cases, can be configured to periodically read a syslog file and grab a copy of the config when they see a new %SYS-5-CONFIG_I: Configured from console entry logged.

The biggest downside though is the need to store FTP/SCP credentials in the router itself, it’s not something I like doing for a number of reasons. However, it does work well for small networks or home lab environments where having recent changes documented is useful.

Enough talk, this is how it’s down with FTP:

ip ftp username <username>
ip ftp password <password>
archive
 log config
  hidekeys
 path ftp://serverIP/desired/path/$h.
 write-memory

There are also additional ip ftp commands, such as source-interface. If the ip ftp username|password commands are left out, an anonymous login will be used.

And SCP:

archive
 log config
  hidekeys
 path scp://username:password@serverIP//desired/path/to/configs/$h.
 write-memory

In both examples I’ve used $h. as the name of the file, there are two parts to this. The $h creates sets the filename to the hostname of the router. When writing files, the router appends -[number] to the end of the filename, it starts at 1 and increments to 14 before returning to 1, so the filename will actually end up being hostname.-[number]. The . is just there so it creates an extension which windows users can map to WordPad (don’t use Notepad, it doesn’t open the files properly). Anything can be used for the filename, but this method works very well.

To view a list of archived configurations, and to show the most recent:

#sh archive
The next archive file will be named ftp://10.250.1.11/lab/adelaide.-6
 Archive #  Name
   0
   1       ftp://10.250.1.11/lab/adelaide.-1
   2       ftp://10.250.1.11/lab/adelaide.-2
   3       ftp://10.250.1.11/lab/adelaide.-3
   4       ftp://10.250.1.11/lab/adelaide.-4
   5       ftp://10.250.1.11/lab/adelaide.-5 <- Most Recent
   6
   7
   8
   9
   10
   11
   12
   13
   14

To view the differences between the running config, and an archived config (this is a spankingly delicious):

#sh archive config differences system:running-config ftp://10.250.1.11/lab/adelaide.-1
Loading lab/adelaide.-1 !
[OK - 10792/4096 bytes]

Contextual Config Diffs:
+ip route 10.1.50.0 255.255.255.0 Tunnel2
+ip nat inside source static tcp 10.1.90.10 80 interface Dialer0 80
+ip nat inside source static tcp 10.1.90.10 443 interface Dialer0 443
interface FastEthernet1
 -ip address 10.1.50.254 255.255.255.0 secondary
-ip nat inside source static tcp 10.1.90.15 80 interface Dialer0 80
-ip nat inside source static tcp 10.1.90.15 443 interface Dialer0 443
-access-list 120 permit tcp any host 203.134.160.154 eq 443

To restore a configuration:

#copy ftp://10.250.1.11/lab/adelaide.-5 startup-config
Destination filename [startup-config]?
Accessing ftp://10.250.1.11/lab/adelaide.-5...
Loading lab/adelaide.-5 !
[OK - 10860/4096 bytes]
[OK]
10860 bytes copied in 11.476 secs (946 bytes/sec)

Even thought the netflow collector (nfdump) and Nfsen are seperate packages, Nfsen will configure and start all the necessary nfdump processes as required.

Firstly, read and check the prerequisites at http://nfsen.sourceforge.net. An assumption is being made that Apache, PHP and Perl are already installed.

Download necessary Perl Modules

cpan Mail::Header
cpan Mail::Internet

Install RRDTool and flex (required for nfdump to compile)

yum install perl-rrdtool rrdtool rrdtool-devel flex

Download and install nfdump

Download latest version from http://sourceforge.net/projects/nfdump. At the time of writing, this was nfdump-1.6b-snapshot-20090619.tar.gz.

Extract, and compile as follows (your rrdpath may differ, use which rrdtool):

./configure --enable-nfprofile --with-rrdpath=/usr/bin
make
make install

Download and install NfSen

Download latest version from http://sourceforge.net/projects/nfsen. At the time of writing, this was nfsen-1.3.2.tar.gz.

Once extracted, make a copy of the etc/nfsen-dist.conf and call it nfsen.conf

For CentOS 5.3, with a standard Apache install, the following changes can to be made to the nfsen.conf. Some are optional, but the user, wwwuser and wwwgroup are mandatory.

$BASEDIR = "/usr/local/nfsen";
$HTMLDIR    = "/var/www/html/nfsen/";
$USER    = "apache";
$WWWUSER  = "apache";
$WWWGROUP = "apache";

Remove the default sample netflow devices, and add you own. The syntax is fairly self explanatory: the name of the device, what port it’s sending flows to, the colour which will represent the device on the web interface, and the type.

 'starwish'        => { 'port'    => '9996', 'col' => '#ff0000', 'type' => 'netflow'  },

Run the install script

./install.pl etc/nfsen.conf

And we’re done. The control script is located in /usr/local/nfsen/bin/nfsen. NfSen will automagically configure and start the necessary nfdump processes.

Now you should be able to browse to http://yourserver/nfsen/nfsen.php and see a bunch of empty graphs, which will hopefully be populated with many pretty colours over time.

Last thing we can do is set nfsen.php to be the default page for /nfsen in Apache.

Create and edit /etc/httpd/conf.d/nfsen.conf

<Directory /var/www/html/nfsen/>
    DirectoryIndex nfsen.php
</Directory>

That’s it for now.

Reference: http://www.first.org/conference/2006/program/netflow_tools_nfsen_and_nfdump.html

If traffic to this /29 is PATted though various internal hosts, there won’t be anything on the network which has those addresses assigned, and therefore nothing to respond to pings or other ICMP traffic.

The simplest solution is to create a Loopback interface on the router and assign it the /29 addresses:

interface Loopback100
 description -- STATIC IPS --
 ip address 150.101.x.x 255.255.255.255 secondary
 ip address 150.101.x.x 255.255.255.255
 ip address ....