Here are a number of self-contained scripts I developed (mostly for my work at SOAS) that others should find useful. I do not think they justify a whole page to themselves; however, if something proves popular I'll put more time into it.
My thanks go to the IT department at SOAS for sponsoring this work and letting me retain the copyright so that I could release the code under an open-source license; typically the GPL version 2 license, unless it is a patch, in which case the license matches the original.
This script should help any network sysadmin who finds it tedious to query a switch that has no spare ports for patching to find out which ports are 'available' because they are idle. For our environment
This script should work on any Layer 2 aware switch that SNMP::Info can talk to; of course I have only been able to test it against Cisco kit. It uses 'standard' MIB data and none of the Cisco-specific bits, so do let me know how you get along with it.
The following shows a trial run of the script against a switch with a mixture of idle and administratively 'shutdown' ports.
ac56@node0:~$ idlePortReport 172.16.1.172
querying 172.16.1.172...
uptime : 2w1d1h
name   : LibReadingRm-3548-2
class  : SNMP::Info::Layer2::C2900
int     link  admin  time    description
Fa0/1   down  up     2w1d1h  049
Fa0/2   down  up     2w1d1h
Fa0/3   down  up     2w1d1h  051
Fa0/4   down  up     2w1d1h  052
Fa0/15  down  up     2w1d1h  063
Fa0/18  down  down   n/a     066
Fa0/19  down  down   n/a     067
Fa0/25  down  up     2w1d1h  073
Fa0/29  down  up     2w1d1h  077
Fa0/33  down  up     2w1d1h  081
Fa0/39  down  down   n/a     087
Fa0/41  down  down   n/a     089
Fa0/43  down  down   n/a     091
Fa0/45  down  down   n/a     093
Fa0/47  down  down   n/a     095
Gi0/1   down  up     2w1d1h
The following script should work on any Perl enabled machine that has SNMP::Info installed. Simply download idlePortReport and run it as in the above example.
To use it, remember to configure your SNMP communities/credentials at the top of the script to match your environment. And no, 'megasecret' is not our SNMPv2c community secret...
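As an added example (in Python, not the idlePortReport script itself), the following turns the report above into a list of enabled ports that have had no link for longer than a threshold, i.e. the live-but-unused sockets worth administratively shutting, and emits the matching IOS-style config. The report excerpt is constructed from the output shown above.

```python
import re

# Constructed excerpt in the idlePortReport format shown above: "link" is the
# operational state, "admin" the configured state, "time" how long the port
# has been idle ('n/a' for ports that are already administratively shut).
SAMPLE_REPORT = """\
int link admin time description
Fa0/1 down up 2w1d1h 049
Fa0/2 down up 2w1d1h
Fa0/18 down down n/a 066
Fa0/25 down up 2w1d1h 073
Fa0/47 down down n/a 095
Gi0/1 down up 2w1d1h
"""

UNIT_HOURS = {"w": 7 * 24, "d": 24, "h": 1}

def idle_hours(spec):
    """Convert an uptime-style string such as '2w1d1h' to hours; 'n/a' -> None."""
    if spec == "n/a":
        return None
    parts = re.findall(r"(\d+)([wdh])", spec)
    if "".join(n + u for n, u in parts) != spec:   # reject anything unparsed
        raise ValueError("unrecognised idle time: %r" % spec)
    return sum(int(n) * UNIT_HOURS[u] for n, u in parts)

def parse_report(text):
    """Turn the report table into a list of dicts, one per interface."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the header
        fields = line.split(None, 4)
        rows.append({"int": fields[0], "link": fields[1], "admin": fields[2],
                     "idle_h": idle_hours(fields[3]),
                     "desc": fields[4] if len(fields) > 4 else ""})
    return rows

def shutdown_candidates(rows, min_idle_hours=7 * 24):
    """Enabled ports with no link for at least min_idle_hours: candidates to
    administratively shut so an unused live socket cannot simply be plugged into."""
    return [r["int"] for r in rows
            if r["admin"] == "up" and r["link"] == "down"
            and r["idle_h"] is not None and r["idle_h"] >= min_idle_hours]

def shutdown_config(ports):
    """IOS-style snippet applying the decision (review before pasting)."""
    lines = ["configure terminal"]
    for p in ports:
        lines += ["interface " + p, " shutdown"]
    return lines + ["end"]
```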
Whilst working on Net::LanWarden it looked like I was not going to be able to escape the pains of migrating our dynamic (MAC-based) VLAN assignment from Cisco's no longer supported VMPS system to an 802.1x-based one. The outcome, unfortunately, was going to be a solution based around separate 'standard' port config chunks for 802.1x-enabled workstations and for unaware ones. Of course I still wanted to use the same backend RADIUS bits and was sad to find OpenVMPS did not have a RADIUS authorisation backend. Fortunately it did support external helpers.
The script depends on Authen::Radius; however, the module does not support Vendor-Specific attributes properly, so I wrote a patch that you need to apply to add the necessary support.
The script itself, vmps-radius, is just used as a regular external helper to OpenVMPS. I would recommend you install it on the same machine you run FreeRADIUS on (the script uses its dictionary files, but you should be able to just copy them and use them standalone) and amend the SERVER and SECRET at the top of the script. Point your Cisco switches at it and you should be able to use the same 802.1x backend for your 802.1x-enabled kit.
Annoyingly, shortly after I wrote this script Cisco decided to get their act together and support 'dot1x mac-auth-bypass', which effectively makes this script defunct for kit on which that functionality is available (FreeRADIUS 2.x also drove the final nail into the coffin by adding VMPS support). I recommend you use this feature whenever possible instead, as you then get a single 'standard' port configuration for both 802.1x-enabled and non-802.1x equipment:
interface FastEthernet1/0/1
 description standard port config
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x control-direction in
 dot1x timeout quiet-period 3
 dot1x timeout server-timeout 10
 dot1x timeout tx-period 5
 dot1x timeout supp-timeout 5
 no cdp enable
end
If you want DHCP spoofing protection, port security and the works, you should read a posting I made on the UNISOG mailing list; generally you need to run at least IOS version 12.2(40)SE, otherwise nothing will work.
It's annoying to get caught with your trousers down when a number of certificates expire on your network. Wouldn't it be nice to get a month's advance warning, and to have a number of validity tests performed as well? This script does just that; as well as informing a BCCed person, you can configure it to email the sysadmin in charge of the offending machine.
Download sslChecker and make it a cronjob.
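As an added example (Python, not the sslChecker script itself), the following fetches a certificate in the dict shape that getpeercert() returns and applies the checks the page describes: expiry within a month, not yet valid, and whether the name you connected to is actually covered. SAMPLE_CERT is a constructed dict in that shape so the checks can be exercised offline.

```python
import socket
import ssl
import time

WARN_DAYS = 30    # a month's notice before expiry

# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Feb  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org")),
}

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live certificate as a getpeercert() dict (needs the network)."""
    ctx = ssl.create_default_context()   # also verifies the chain against system CAs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_match(pattern, hostname):
    """Match a SAN entry: '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def check_cert(cert, hostname, now=None):
    """Return the list of problems found; an empty list means the cert passes."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired %d days ago" % -days_left)
    elif days_left < WARN_DAYS:
        problems.append("expires in %d days" % days_left)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(dns_match(n, hostname) for n in names):
        problems.append("hostname %s not covered by SAN %s" % (hostname, names))
    return problems
```

In a cron job you would loop over your host list calling fetch_cert and check_cert, and mail the non-empty results to whoever owns each host.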
I found it annoying that when using ldapsearch I had to constantly pass a large number of attributes, and that a number of attributes were always base64 encoded.
Enough was enough, so I wrote ldapquery to do the job for me. It assumes you can get the information you need via an anonymous bind to your LDAP server(s) (specified at the top of the script). Any base64 encoded fields that contain only printable characters are decoded properly.
It should be trivial to get the script to pick up the details of your LDAP servers from your /etc/ldap/ldap.conf file or bind using SSL/TLS to your LDAP server(s).
ac56@node0:~$ ldapquery commonname=ac56
ac56@node0:~$ ldapquery '(commonname=a*)' dn
or you could replace 'dn' with '1.1'.
ac56@node0:~$ ldapquery commonname=ac56 fullname email
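As an added example (Python, not the ldapquery script), the following parses ldapsearch-style LDIF, unfolds continuation lines and decodes the '::' base64 values only when the result is printable text, leaving genuinely binary attributes as bytes. The LDIF is constructed, with example.ac.uk standing in for a real directory.

```python
import base64

# Constructed ldapsearch-style LDIF (not real directory data). ldapsearch base64
# encodes ("::") any value it does not consider safe, e.g. one with a trailing
# space or non-ASCII text, and folds long values onto continuation lines.
SAMPLE_LDIF = """\
dn: cn=ac56,ou=people,dc=example,dc=ac,dc=uk
cn: ac56
fullName:: QWxpY2UgU21pdGgg
mail: ac56@example.ac.uk
description:: TGlicmFyeSBSZWFk
 aW5nIFJvb20=
userCertificate;binary:: MIIBAAEC
"""

def decode_if_printable(b64):
    """Decode a '::' value to text when it is all printable, else keep the bytes."""
    raw = base64.b64decode(b64, validate=True)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw                     # genuinely binary (e.g. a certificate)
    return text if text.isprintable() else raw   # control characters stay opaque

def parse_ldif(text):
    """Parse LDIF into a list of entries, each {attribute: [values]}."""
    logical = []
    for raw in text.splitlines():      # unfold: a leading space continues a line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line:                   # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64>"
            value = decode_if_printable(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries
```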