Val:~$ whoami

I am Val Glinskiy, network engineer specializing in data center networks. TIME magazine selected me as Person of the Year in 2006.


Monday, October 30, 2006

Centralized TACACS+ management

I've got TACACS+ servers running in every location where I have network equipment. That's fine, until I have to add a user or change a password. Then I have to log into every server, edit the tacacs.conf file and restart the tacacs daemon. Here is what I've done.

1. Install an OpenLDAP server in every location.

2. Configure replication.

In the master LDAP server's slapd.conf, add a replica block like this for every replica:

# one block per replica; continuation lines must start with whitespace
# credentials is stored in clear text, so keep slapd.conf readable only by the slapd user
replica uri=ldap://10.10.10.2:389
        binddn="cn=admin,dc=example,dc=com"
        bindmethod=simple credentials=SecretPassword

In each replica LDAP server's slapd.conf:

updatedn "cn=admin,dc=example,dc=com"
updateref ldap://10.10.10.1

Note that updatedn must match the binddn used by the master and must have read/write access to the LDAP database. See the OpenLDAP documentation for details.

3. Compile TACACS+ with LDAP support. If you run Debian, simply run "apt-get install tac-plus"; the package is already compiled with LDAP support.

In tacacs.conf put

default authentication = ldap "ldap://localhost:389/dc=example,dc=com"

replacing "dc=example,dc=com" with your base DN, and restart tacacs.

You can use phpLDAPadmin to manage the master LDAP server.
Now, if I want to add a new user or change my password, I do it once on the master LDAP server and it replicates to every location.

For the enable password, create a user named $enab15$ in the LDAP server. Beware: the LDIF format treats the dollar sign as a line separator.

Wednesday, October 25, 2006

Find a device on Cisco switch

I have a few dozen Cisco switches running CatOS and IOS, and from time to time I need to find the switch port to which a particular network device is connected. Sometimes I know the MAC address and sometimes only the IP address. Logging into every switch and running "show cam" or "show mac-address-table" is time consuming, but all my switches have SNMP enabled, so I wrote a script which polls a list of switches to find the device by either MAC or IP address.

get_mac_port.pl ([-m <mac-address>] | [-i <ip address> -r <router>]) -f <file> -c <community> [-hV]

Where:
<file> - list of switches (IP addresses or names) in a text file, one per line.
<mac-address> - MAC address of the host, in the form aa:23:cc:dd:ee:ff or aabb.ccdd.eeff. Both lower and upper case letters are accepted.
<ip address> - IP address of the host.
<router> - IP address or name of the default gateway for the host's network. This is the best source for the host's MAC address.
<community> - SNMP community string.

Known problem: If switches are interconnected via trunks, the script will report the device as connected to a trunk port.
Download
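The lookup the script performs, written out as an added Python example (not the post's Perl script): the MAC address is normalized into the dot1dTpFdbTable index, then followed through dot1dTpFdbPort, dot1dBasePortIfIndex and ifName, and a port that has learned many MACs is flagged as a probable trunk, which is the known problem above. The SNMP walk results and the TRUNK_THRESHOLD heuristic are constructed assumptions; nothing here touches the network.

```python
import re
# Standard BRIDGE-MIB / IF-MIB objects behind a "show mac-address-table" style lookup
FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"      # dot1dTpFdbPort.<MAC as six decimal octets>
PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # dot1dBasePortIfIndex.<bridge port>
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"       # ifName.<ifIndex>
TRUNK_THRESHOLD = 5  # assumption: a port that learned more MACs than this is likely an uplink

def mac_to_index(mac):
    """aa:23:cc:dd:ee:ff or aabb.ccdd.eeff (any case) -> dot1dTpFdbTable index in decimal."""
    digits = re.sub(r"[:.-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))

def find_port(walk, mac):
    """walk is {oid: value} for one switch; returns (ifName, MACs learned on that port) or None."""
    bridge_port = walk.get(f"{FDB_PORT}.{mac_to_index(mac)}")
    if bridge_port is None:
        return None
    name = walk[f"{IF_NAME}.{walk[f'{PORT_IFINDEX}.{bridge_port}']}"]
    # An access port learns a MAC or two; a trunk to another switch learns many (the "known problem").
    learned = sum(1 for oid, port in walk.items()
                  if oid.startswith(FDB_PORT + ".") and port == bridge_port)
    return name, learned

def locate(switches, mac):
    """Poll every switch; the best guess is the hit whose port learned the fewest MACs."""
    hits = {}
    for sw, walk in switches.items():
        found = find_port(walk, mac)
        if found:
            name, learned = found
            hits[sw] = {"port": name, "macs": learned, "trunk": learned > TRUNK_THRESHOLD}
    best = min(hits, key=lambda s: hits[s]["macs"], default=None)
    return best, hits

def _walk(fdb, ifmap):
    """Constructed walk. fdb: {mac: bridge port}; ifmap: {bridge port: (ifIndex, ifName)}."""
    w = {f"{FDB_PORT}.{mac_to_index(m)}": p for m, p in fdb.items()}
    for p, (idx, name) in ifmap.items():
        w[f"{PORT_IFINDEX}.{p}"] = idx
        w[f"{IF_NAME}.{idx}"] = name
    return w

# Constructed sample data (no real devices): host on sw2 Fa0/3; sw1 sees it only via uplink Gi0/25.
TARGET = "001a.2b3c.4d5e"
SWITCHES = {
    "sw1": _walk({TARGET: 25, **{f"00:00:5e:00:53:{i:02x}": 25 for i in range(8)}},
                 {25: (10125, "Gi0/25")}),
    "sw2": _walk({TARGET: 3, "00:00:5e:00:53:ff": 25},
                 {3: (10003, "Fa0/3"), 25: (10025, "Gi0/25")}),
}
```

Running `locate(SWITCHES, "00:1A:2B:3C:4D:5E")` returns sw2 as the best guess with Fa0/3, while sw1's Gi0/25 is reported but flagged as a trunk.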