
rConfig is a great management tool (free of charge) that can be used to manage and back up your Cisco switches and routers. You'll love it once you start using it, and it will surely help you keep track of your Cisco devices. Needless to say, you need to have some kind of backup in place for the configuration of your Cisco switches and routers, and that is actually a requirement for any network audit of your systems.

This is what we'll do in this tutorial:

  1. Get the rConfig VM ready with CentOS
  2. Install rConfig
  3. Configure the rConfig web interface
  4. Add your Cisco devices

And finally, some useful Cisco tips of general use.

1. Get the rConfig VM ready with CentOS

Set up a VM in your environment and install CentOS 7 (64-bit) on it; that's my favourite Linux distro. I was very generous and gave it 30 GB of storage so that it can keep as many config files from your Cisco switches as you like (don't forget, obviously, to back up the VM itself). I used these settings:

 

For the installation type, choose "Infrastructure Server" only. Set the root password and DO NOT create any user.

Make sure that on the CentOS installation screen you click "Network & Hostname" and switch the network on, otherwise the VM will start disconnected by default.

 

If you want to use DHCP that's great, but if you prefer a static IP instead, edit the interface file once you are up and running (mine is ens192, but your interface name might be different):

vi /etc/sysconfig/network-scripts/ifcfg-ens192

Set the following:

  • BOOTPROTO=none
  • ONBOOT=yes
  • IPADDR=192.168.0.x
  • NETMASK=255.255.255.0
  • GATEWAY=192.168.0.x
  • NM_CONTROLLED=no

Also set the DNS servers on your rConfig VM (again, only if you are not using DHCP):

vi /etc/resolv.conf

Set the following in the resolv.conf file, for your Primary and Secondary DNS server respectively:

  • nameserver 192.168.0.x1
  • nameserver 192.168.0.x2

Edit the hostname of the system and just call it "rconfig":

vi /etc/hostname

systemctl restart network   #run this after you have changed the name

Also install net-tools from the CentOS repos (it does no harm to run this if it is already installed):

yum -y install net-tools

Finally, before leaving the configuration of your rConfig VM, check for updates; this also verifies that the machine can reach the Internet:

yum -y update

2. Installing rConfig

Start a PuTTY session to your freshly configured rConfig VM; it's easier to copy and paste commands that way. Visit the rConfig official website here: http://help.rconfig.com/gettingstarted/installation, where you can get this script to run on your VM. Note that the script is downloaded over plain HTTP and then executed as root, so read through it before running it (and use https in the URL if the site serves it):

cd /home
curl -O http://files.rconfig.com/downloads/scripts/install_rConfig.sh -A "Mozilla"
chmod +x install_rConfig.sh
./install_rConfig.sh

 

All the required packages will be installed for you, thank you rConfig! :) Answer the questions that follow with yes, yes (bear in mind that FTP carries credentials in clear text, so root access over FTP is only worth enabling if you will actually use it):

  • Do you want to allow root access to FTP....? yes
  • Do you want to enter your own NTP server...? yes

When the MySQL secure-installation step asks for the current root password, just press Enter (it is blank on a fresh install), then set a new password for the MySQL root user:

  • Remove anonymous user..? yes
  • Disallow root login remotely...? no (rConfig talks to MySQL on the same host, so "yes" is the safer answer unless you actually need to reach the database from another machine)
  • Remove test database and access to it...? yes
  • Reload privilege tables now...? yes

Once the installation is completed, reboot the VM, then run the post-reboot script from /home:

./centos_postReboot.sh

3. Configure the rConfig web interface

Almost there! Now open https://rconfig/install in a browser (or use the VM's IP address if the name does not resolve) and follow the wizard, accepting the licence. In the "Database Setup" window, enter the details of the local MySQL instance, including the password you just set for the MySQL root user.

After you click "Check Setting" and get green lights on everything, click "Install Database". If anything fails, verify your settings again (the wizard should be pointing at the local MySQL instance, not at some other 'rconfig' database on your network).

Do the final checks and take note of the initial logon details for rConfig (change that initial password the first time you log in).

 

 

4. Add your Cisco devices

Visit the "Settings" web section and do the following:

  • Set your correct timezone
  • Set the username/password for your Cisco devices, as well as the "enable" password (rConfig stores these credentials, so create a dedicated account on the switches for it rather than reusing a personal one, and keep access to the rConfig VM itself tightly restricted)
  • Set your e-mail settings (do a test after you have configured the e-mail)
  • Add a 2nd admin user, just in case

Visit the section Devices > Commands and, under the category "Switches", add these commands:

  • show running-config
  • show interface status
  • show etherchannel summary
  • show ip route
  • show cdp neighbors
  • show ip access-list
  • show spanning-tree active

Then, feel free to add your first Cisco switch to the list (be mindful of the device name: once you have chosen it, you will have to delete and re-add the device to change it):

Create a "Schedule Task" to download the configuration of the "Switches" category on the 1st and the 15th of every month, so you'll have peace of mind knowing that your running-configs are all being backed up on a regular basis; you just need to ensure that (of course) the rConfig VM is backed up too! Remember that a running-config contains password hashes, SNMP community strings and your ACLs, so treat the VM and its backups as sensitive data.
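Once the scheduled task has run a couple of times you have something better than a backup: a history. As an added example (not part of the original tutorial and not rConfig's own code), the script below compares two 'show running-config' pulls, ignores the lines that legitimately change between pulls (the "Last configuration change" timestamp, ntp clock-period) and flags only the changes that affect who can log in or what traffic the switch accepts. The two snapshots and the list of sensitive keywords are constructed for the demo.

```python
"""Configuration drift check between two 'show running-config' pulls.

Added example, not code from the original tutorial or from rConfig. The
scheduled task above leaves you with one snapshot per device per run; this
script answers "what changed since the last backup, and does any of it
touch authentication, access lists or management access?". Both snapshots
and the keyword list are constructed for the demo.
"""
from __future__ import annotations

import difflib
import re

# Constructed snapshot from the 1st of the month.
BASELINE = """\
hostname access-sw-01
! Last configuration change at 09:12:01 UTC Fri Feb 1 2019
!
username backup privilege 1 secret 5 $1$abcd$xyz
!
ip access-list extended MGMT-IN
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 15
 access-class MGMT-IN in
 transport input ssh
 login local
!
"""

# Constructed snapshot from the 15th: a new privilege-15 user, telnet opened
# up on the VTY lines and the management ACL removed from them.
CURRENT = """\
hostname access-sw-01
! Last configuration change at 17:40:55 UTC Fri Feb 15 2019
!
username backup privilege 1 secret 5 $1$abcd$xyz
username svc-admin privilege 15 secret 5 $1$ffff$qqq
!
ip access-list extended MGMT-IN
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 23
 deny   ip any any log
!
line vty 0 15
 transport input telnet ssh
 login local
!
"""

# IOS lines that legitimately differ between pulls and would otherwise
# show up as noise in every diff.
VOLATILE_PREFIXES = (
    "! Last configuration change",
    "! NVRAM config last updated",
    "ntp clock-period",
)

# Keywords whose addition or removal changes who can get in or what passes.
SENSITIVE = re.compile(
    r"^\s*(username|enable|aaa|snmp-server|access-class|transport input|permit|deny)\b"
)


def strip_volatile(config: str) -> list[str]:
    """Split a config into lines, dropping blanks and volatile IOS lines."""
    return [
        line.rstrip()
        for line in config.splitlines()
        if line.strip() and not line.startswith(VOLATILE_PREFIXES)
    ]


def config_diff(old: str, new: str) -> dict[str, list[str]]:
    """Return the lines added to and removed from the config between two pulls."""
    added: list[str] = []
    removed: list[str] = []
    for line in difflib.unified_diff(
        strip_volatile(old), strip_volatile(new), lineterm="", n=0
    ):
        if line.startswith(("+++", "---", "@@")):
            continue  # unified-diff headers, not config content
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


def flag_sensitive(diff: dict[str, list[str]]) -> list[str]:
    """Reduce a diff to the findings a reviewer should sign off on."""
    findings = [f"ADDED:   {l.strip()}" for l in diff["added"] if SENSITIVE.match(l)]
    findings += [f"REMOVED: {l.strip()}" for l in diff["removed"] if SENSITIVE.match(l)]
    return findings


if __name__ == "__main__":
    for finding in flag_sensitive(config_diff(BASELINE, CURRENT)):
        print(finding)
```

Run against the two constructed snapshots it reports the new svc-admin user, the new "permit tcp any any eq 23" ACL entry, the change to "transport input telnet ssh" and the removal of the access-class from the VTY lines; a diff with nothing flagged is one you can file, a diff with findings is one somebody has to explain.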

 

 

Thank you for reading!


London, 25 February 2019

References

Thank you Jim Jones for your great article! https://www.koolaid.info/getting-started-with-rconfig-on-centos-7/

 

Cisco Tips

These are some handy commands and tips to make your life easier when managing Cisco switches

1. Set a specific switch (normally a layer 3) as the root for Spanning-tree

To set a switch as the primary spanning-tree root for a number of specific VLANs, do as follows:

#show spanning-tree root ;this shows the current root bridge and this switch's root cost per VLAN (it is a show command, so run it from exec mode or prefix it with "do" in config mode)

(config)#spanning-tree mode pvst
(config)#spanning-tree extend system-id
(config)#spanning-tree vlan 1,10-15,28,30,33,50 priority 16384

By setting this switch to a priority of 16384 we make it the root for those VLANs, since its priority is lower than the default of 32768 (the lowest bridge ID wins, and priorities must be multiples of 4096). Bear in mind that STP has no authentication: anything announcing a still lower bridge ID takes the root role over, so on ports that should never lead towards the root, consider spanning-tree guard root.

2. Check the warranty of your device

Make sure your Cisco device is still covered by entering its serial number on this page: https://cway.cisco.com/sncheck/

3. Find out an IP address by its MAC address

Imagine you see through PRTG that a device on a particular Cisco access switch port is taking all the bandwidth: who is that guy? To find out who that nasty fellow is, first run this on the switch the device is connected to:

SWITCH#show mac address-table
This shows the MAC address learned on that port (add "interface" followed by the port name to list only that port)

Then go to the router or layer-3 device that routes traffic for that switch, and issue this command:

ROUTER#show ip arp | inc 0023.2492.9425
That lists the IP address the MAC above currently has (the ARP entry only exists while the host has recently talked to the gateway) :)
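The two commands above are easy to run by hand for one port; as an added example (not code from the original page) here they are parsed and joined in Python, so you go from port to MAC to IP in one step and can feed the same logic any MAC notation PRTG or a laptop gives you (colons, dashes or Cisco's dotted form). Both command outputs are constructed samples in the usual Catalyst/IOS layout, not captures from a real network.

```python
"""Correlate a switch port with the MAC and IP addresses behind it.

Added example, not code from the original page. It parses the two command
outputs the text above tells you to run ('show mac address-table' on the
access switch and 'show ip arp' on the layer-3 device) and joins them, so
you get port -> MAC -> IP in one step. Both outputs below are constructed
samples in the usual Catalyst/IOS layout, not captures from a real network.
"""
from __future__ import annotations

import re

# Constructed 'show mac address-table' output from the access switch.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0023.2492.9425    DYNAMIC     Gi0/12
  10    0050.56a1.1b2c    DYNAMIC     Gi0/12
  10    0011.2233.4455    DYNAMIC     Gi0/12
  20    0050.56a1.99ee    DYNAMIC     Gi0/13
Total Mac Addresses for this criterion: 5
"""

# Constructed 'show ip arp' output from the router / layer-3 switch.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0000.0c9f.f00a  ARPA   Vlan10
Internet  192.168.10.57          12   0023.2492.9425  ARPA   Vlan10
Internet  192.168.10.88           3   0050.56a1.1b2c  ARPA   Vlan10
Internet  192.168.20.40           7   0050.56a1.99ee  ARPA   Vlan20
"""

CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# vlan, mac, type, port columns of a MAC table row ("All"/"CPU" rows included)
MAC_ROW = re.compile(rf"^\s*(\S+)\s+({CISCO_MAC})\s+(\S+)\s+(\S+)\s*$", re.I)
# ip, age, mac columns of an ARP row (age can be a number or "-")
ARP_ROW = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({CISCO_MAC})\b", re.I)


def normalize_mac(mac: str) -> str:
    """Convert 00:23:24:92:94:25 / 00-23-24-92-94-25 / 0023.2492.9425 to Cisco dotted form."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_mac_table(text: str) -> list[tuple[str, str, str]]:
    """Return (vlan, mac, port) for every row of 'show mac address-table'."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            rows.append((vlan, mac.lower(), port))
    return rows


def parse_arp(text: str) -> dict[str, str]:
    """Return {mac: ip} from 'show ip arp' output."""
    return {m.group(2).lower(): m.group(1) for m in map(ARP_ROW.match, text.splitlines()) if m}


def hosts_on_port(mac_table: str, arp_table: str, port: str) -> list[tuple[str, str | None]]:
    """Join the two tables: every MAC learned on `port`, with its IP if the
    layer-3 device has an ARP entry for it (None if it does not, e.g. a host
    that has not talked to the gateway recently)."""
    arp = parse_arp(arp_table)
    return [(mac, arp.get(mac)) for _vlan, mac, p in parse_mac_table(mac_table) if p == port]


def find_ip(mac: str, arp_table: str) -> str | None:
    """The 'show ip arp | include <mac>' step, accepting any MAC notation."""
    return parse_arp(arp_table).get(normalize_mac(mac))


if __name__ == "__main__":
    for mac, ip in hosts_on_port(MAC_TABLE, ARP_TABLE, "Gi0/12"):
        print(f"Gi0/12  {mac}  {ip or '(no ARP entry)'}")
```

Note the third host on Gi0/12 in the sample: it is in the MAC table but has no ARP entry, which is exactly the case where the manual "show ip arp | inc" returns nothing; the join reports it as unresolved instead of silently dropping it.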

4. Your friend Telnet

We all know telnet is insecure and uses the well-known port 23, but the client is still handy for checking whether a TCP port is open on any host (SMTP, FTP, HTTP, etc.). It simply attempts a TCP connection, so what you are testing is the transport layer, not the network layer:

#telnet 192.168.0.1 25
      Trying 192.168.0.1, 25 ... Open

The above tells you that port 25 is open on host 192.168.0.1; "Connection refused" means the port is closed (the host answered with a reset), while a connection that hangs until it times out usually means a firewall is dropping the packets, not that the port is closed.
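The same check without a telnet client, as an added example that is not from the original page: a Python probe that tells the three outcomes apart (open, closed, filtered) and grabs the service banner the way telnet would show it. To keep it runnable offline it starts a throwaway fake SMTP listener on 127.0.0.1; the banner text is constructed, and the "closed" case uses an ephemeral loopback port that nothing is listening on.

```python
"""TCP port probe without a telnet client.

Added example, not from the original page: the same check the text does with
'telnet <host> <port>', done from Python so it can be scripted, with the
three outcomes a practitioner cares about told apart. 'closed' means the
host answered with a TCP reset (telnet's "Connection refused"); 'filtered'
means nothing came back before the timeout, which is a firewall dropping
the SYN rather than a closed port. The listener below is a throwaway fake
SMTP server on 127.0.0.1 so the script runs offline; its banner is made up.
"""
from __future__ import annotations

import socket
import threading


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> tuple[str, str]:
    """Return (state, banner): state is 'open', 'closed' or 'filtered'; banner
    is whatever the service said first (SMTP, SSH and FTP greet the client;
    HTTP waits for a request, so an empty banner on an open port is normal)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed", ""       # RST came back: nothing listening
        except (socket.timeout, OSError):
            return "filtered", ""     # no answer or no route: dropped in the path
        try:
            banner = sock.recv(256).decode("ascii", errors="replace").strip()
        except (socket.timeout, OSError):
            banner = ""               # open, but the service waits for us to talk first
    return "open", banner


def start_fake_smtp(banner: bytes = b"220 mail.example.test ESMTP ready\r\n") -> int:
    """Start a one-shot listener on an ephemeral loopback port and return the port.
    The banner is constructed for the demo; a real MTA sends its own 220 line."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_loopback_port() -> int:
    """Reserve and immediately release an ephemeral port, so it is closed
    (nothing listening) when probed a moment later."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("open port:  ", probe_tcp_port("127.0.0.1", start_fake_smtp()))
    print("closed port:", probe_tcp_port("127.0.0.1", free_loopback_port()))
```

The distinction between "closed" and "filtered" is the one telnet makes you infer from how long you waited; when you are checking whether a firewall rule took effect, "filtered" is the answer you want to see, and "closed" means the packet reached the host.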

In Windows, use the command route print to quickly discover the gateway.

ENABLE SSH

Do this first to see whether SSH is already enabled on the switch:

#show ip ssh

If it is not, run these commands to configure it (the domain name is required because the RSA key pair is named after hostname.domain):

(config)#ip domain-name mydomain.com

(config)#crypto key generate rsa
SSH version 2 needs an RSA modulus of at least 768 bits, so 1024 works, but choose 2048 when prompted; it costs nothing and 1024 is weak by today's standards. Then pin the version with ip ssh version 2, so the switch never falls back to SSH version 1.

Then configure the VTY lines (not "VTP", which is the VLAN trunking protocol):

(config)#line vty 0 15
(config-line)#transport input ssh
(config-line)#login local

login local authenticates against the switch's local user database, so create a local user first (username ... privilege 15 secret ...), or you will lock yourself out of remote access once telnet is no longer accepted on the VTY lines.

 

Additional notes (NetFlow):

CONFIGURE THE EXPORT

(config)#ip flow-export destination 192.168.0.26 9997
(config)#ip flow-export version 9
(config)#ip flow-export source vlan 11 //**whichever your management VLAN is

NetFlow export is plain UDP with no encryption or authentication, so the collector (192.168.0.26 here) should sit on the management network, not somewhere reachable from the user LAN.


CONFIGURE TOP-TALKERS TO COVER YOUR WHOLE LAN

(config)#ip flow-top-talkers
(config-flow-top-talkers)#match source address 192.168.0.0 255.255.0.0
(config-flow-top-talkers)#top 50
(config-flow-top-talkers)#sort-by packets
(config-flow-top-talkers)#cache-timeout 60000 //**this is in milliseconds, so it's 60 seconds

CONFIGURE THE CACHE

(config)#ip flow-cache entries 4000  //**changing this requires turning NetFlow off and on again on all interfaces

CONFIGURE ALL REQUIRED INTERFACES TO CAPTURE TRAFFIC INGRESS AND EGRESS

This will effectively enable NetFlow on the interface. You don't need to enable it on the port-channels, but DO enable it on every physical interface that is part of the channel:

(config)#int range Gi0/35 - 50
(config-if-range)#ip flow ingress //**apparently 'egress' is not supported on this platform


TO VERIFY CONFIG (the "do" prefix runs show commands from configuration mode):

do sh ip flow export

do sh ip flow top-talkers
do sh int sum

To sample packets instead of accounting for every one of them, define a sampler map (and apply it to an interface with flow-sampler TEST):

(config)# flow-sampler-map TEST

(config-sampler)# mode random one-out-of 10

High CPU usage

If you notice high CPU usage, troubleshoot it this way:

show processes cpu sorted //**shows a table with the highest process usage on top
show processes cpu history

If the switch runs Spanning Tree per VLAN, too many VLANs can be the cause; remove the VLANs you don't need from the affected switch.
