Posts

Script to quickly create a pastable list of AD users in PowerShell.

I might rewrite this in PowerShell at some point, but due to my familiarity with Python, I tossed this together to create a pastable list of AD users for a collaboration lab environment spin-up. Hopefully this saves someone time.

#!/usr/bin/python3
# Each entry is "First Last"; the account name is last name + first initial, lower-cased.
users = ["John Doe", "Jane Doe"]
for fullName in users:
    # Split on the first space only, so a multi-word surname stays intact.
    firstName, lastName = fullName.split(" ", 1)
    userName = lastName.lower() + firstName[0].lower()
    print("$Attributes = @{")
    print("    Enabled = $true")
    print("    ChangePasswordAtLogon = $false")
    print("    PasswordNeverExpires = $true")
    print("    UserPrincipalName = \"" + userName + "@join.com\"")
    print("    Name = \"" + userName + "\"")
    print("    GivenName = \"" + firstName + "\"")
    print("    Surname = \"" + lastName + "\"")
    print("    DisplayName = \"" + fullName + "\"")
    print("    Office = \"Remote\"")
    print("    Company = \"Company\"")
    print("    Department = \"Support\"")
    print("    Title = \"Test User\"")
    print("    City = \"New York\"")
    print("    State = \"New York\"")
    print("    AccountPassword = \"CHANGEME\" | ConvertTo-SecureString -AsPlainText -Force")
    print("}")
    print("New-ADUser @Attributes")
    # Second command sets the SIP URI attribute used by Skype for Business / Lync.
    print("Set-ADUser -Identity " + userName + " -Add @{\"msRTCSIP-PrimaryUserAddress\" = \"sip:" + userName + "@join.com\"}")
    print("")
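The script above hands every lab account the same static password and sets PasswordNeverExpires, which is exactly the kind of shared credential that leaks out of a lab. The following is an added example (not the post's script) that keeps the same output shape but generates a unique random password per user, forces a change at first logon, single-quotes every value so a name containing $ or ' cannot alter the generated PowerShell, and de-duplicates colliding account names (John Doe and Jane Doe both map to doej under the post's convention). The UPN suffix lab.example, the attribute values and the names are placeholders / constructed sample data.

```python
#!/usr/bin/env python3
"""Generate New-ADUser PowerShell for lab accounts, one random password per user.

Added example for this post; it is not the post's script. The UPN suffix, the
attribute values and the names below are placeholders / constructed sample data.
"""
import secrets
import string

DOMAIN = "lab.example"           # placeholder UPN suffix (the post uses join.com)
SYMBOLS = "!@#%^&*-_=+"


def account_name(full_name: str) -> str:
    """Post's convention (last name + first initial, lower case), with anything that is
    not a letter or digit dropped so 'Van Der Berg' and "O'Brien" yield a clean name."""
    first, last = full_name.split(" ", 1)
    return "".join(ch for ch in (last + first[0]).lower() if ch.isalnum())


def unique_account_names(users):
    """Append 2, 3, ... when two users collide (John Doe and Jane Doe both give 'doej')."""
    taken, result = set(), []
    for full_name in users:
        base = account_name(full_name)
        sam, n = base, 1
        while sam in taken:
            n += 1
            sam = f"{base}{n}"
        taken.add(sam)
        result.append(sam)
    return result


def ps_quote(value: str) -> str:
    """Single-quote a value for PowerShell: only ' needs doubling and $ is not expanded,
    so a name containing $ or backticks cannot change what the generated script does."""
    return "'" + value.replace("'", "''") + "'"


def generate_password(length: int = 16) -> str:
    """Random password with at least one upper, lower, digit and symbol (AD complexity)."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def user_block(full_name: str, sam: str, password: str, domain: str = DOMAIN) -> str:
    """One splatted New-ADUser call plus the Set-ADUser line from the post."""
    first, last = full_name.split(" ", 1)
    upn = f"{sam}@{domain}"
    lines = [
        "$Attributes = @{",
        "    Enabled = $true",
        "    ChangePasswordAtLogon = $true",      # the generated password is one-time
        "    PasswordNeverExpires = $false",
        f"    SamAccountName = {ps_quote(sam)}",
        f"    UserPrincipalName = {ps_quote(upn)}",
        f"    Name = {ps_quote(sam)}",
        f"    GivenName = {ps_quote(first)}",
        f"    Surname = {ps_quote(last)}",
        f"    DisplayName = {ps_quote(full_name)}",
        "    Department = 'Support'",
        "    Title = 'Test User'",
        f"    AccountPassword = ConvertTo-SecureString {ps_quote(password)} -AsPlainText -Force",
        "}",
        "New-ADUser @Attributes",
        f"Set-ADUser -Identity {ps_quote(sam)} -Add @{{'msRTCSIP-PrimaryUserAddress' = {ps_quote('sip:' + upn)}}}",
        "",
    ]
    return "\n".join(lines)


def render_script(users, domain: str = DOMAIN):
    """Return (PowerShell text, {account: password}); hand the passwords out out of band."""
    creds, blocks = {}, []
    for full_name, sam in zip(users, unique_account_names(users)):
        creds[sam] = generate_password()
        blocks.append(user_block(full_name, sam, creds[sam], domain))
    return "\n".join(blocks), creds


if __name__ == "__main__":
    script, creds = render_script(["John Doe", "Jane Doe", "Conor O'Brien"])
    print(script)
```

The password map is returned separately from the script text so the generated .ps1 can be pasted into a session without the credentials living in the same file; print or store it wherever the lab's credential handling allows.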

Policy Based Routing on a Cisco Switch

While policy based routing is available on a great many Cisco switches, you will need firmware that supports it. For my home lab, a 3560X is my main switch; it requires 15.1-15.3 to work, and currently 15.2 has MD releases, which is what I used. A quick show sdm prefer will output the features you have available; ensure ip routing is enabled as well.

Lastly, when creating an access list for policy based routing, ensure you deny your internal networks in the ACL before applying it, or a lot of things won't work.

access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

This ACL lets you policy-route all traffic bound for external destinations to a next hop.
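The post shows the ACL but not the route-map that uses it, so here is a complete policy-based-routing configuration built around that ACL, as an added example rather than the post's own config. The route-map name PBR-EXTERNAL, the next-hop 192.168.1.254 and the source SVI Vlan10 are assumptions; the ACL lines are the post's.

```cisco
! Carve the TCAM for routing features; this template change needs a reload.
sdm prefer routing
ip routing
!
! Deny internal networks first. A deny in a PBR ACL means "do not policy-route",
! not "drop": those packets fall through to the normal routing table.
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR-EXTERNAL permit 10
 match ip address 100
 set ip next-hop 192.168.1.254
!
! Apply on the SVI that receives the source traffic (assumed: VLAN 10 = 192.168.1.0/24).
interface Vlan10
 ip policy route-map PBR-EXTERNAL
!
! Verification commands (run from enable mode):
!   show sdm prefer
!   show route-map PBR-EXTERNAL
!   show ip policy
```

If the deny line is missing, host-to-host traffic between 192.168.x.x subnets is also sent to the next hop, which is why the post warns that "a lot of things won't work"; the show route-map counters will show the policy match count climbing for traffic that should never have been policy routed.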

Enjoy!

vSphere 6.7 OVA issues.

In the new release of VMware's vSphere, which is currently a release candidate, you may get many OVA errors. Many collaboration OVAs contain dual-purpose sections where the ovf:configuration attribute in the XML lists two configurations separated by a comma. Currently vSphere reports errors when importing them; you need to copy the section entirely, remove the comma, and keep both copies, one per configuration.

This section will create errors:

      <Item ovf:configuration="CUCM_10000,CUCM_2500_small_disk">
        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
        <rasd:Description>Number of Virtual CPUs</rasd:Description>
        <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
        <rasd:InstanceID>1</rasd:InstanceID>
        <rasd:Reservation>7200</rasd:Reservation>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
      </Item>
To fix:

      <Item ovf:configuration="CUCM_10000">
        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
        <rasd:Description>Number of Virtual CPUs</rasd:Description>
        <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
        <rasd:InstanceID>1</rasd:InstanceID>
        <rasd:Reservation>7200</rasd:Reservation>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
      </Item>
      <Item ovf:configuration="CUCM_2500_small_disk">
        <rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
        <rasd:Description>Memory Size</rasd:Description>
        <rasd:ElementName>3072MB of memory</rasd:ElementName>
        <rasd:InstanceID>2</rasd:InstanceID>
        <rasd:Reservation>3072</rasd:Reservation>
        <rasd:ResourceType>4</rasd:ResourceType>
        <rasd:VirtualQuantity>3072</rasd:VirtualQuantity>
      </Item>


Now just run sha1sum on the updated .ovf, update the manifest (.mf) with the new hash, and repack it into your OVA.
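Doing the split and the manifest update by hand is error-prone across a descriptor with dozens of Items, so here is an added example (not VMware or Cisco tooling) that does both: it duplicates every Item whose ovf:configuration carries a comma-separated list, giving one Item per configuration, then rewrites the SHA1(...) line for the descriptor in the manifest. The sample descriptor is constructed around the CPU Item from the post, and the file names cucm.ovf / cucm.mf / cucm-disk1.vmdk are placeholders.

```python
#!/usr/bin/env python3
"""Split comma-separated ovf:configuration Items in an OVF descriptor and refresh the .mf.

Added example for this post; not VMware or Cisco tooling. The sample descriptor is
constructed from the Item shown in the post; file names are placeholders.
"""
import copy
import hashlib
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
RASD_NS = ("http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
           "CIM_ResourceAllocationSettingData")
CONFIG_ATTR = "{%s}configuration" % OVF_NS
ITEM_TAG = "{%s}Item" % OVF_NS

# Keep the usual prefixes on output instead of ElementTree's generated ns0/ns1.
ET.register_namespace("ovf", OVF_NS)
ET.register_namespace("rasd", RASD_NS)

# Constructed sample: a minimal envelope around the CPU Item from the post.
SAMPLE_OVF = b"""<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
  <VirtualSystem ovf:id="cucm">
    <VirtualHardwareSection>
      <Item ovf:configuration="CUCM_10000,CUCM_2500_small_disk">
        <rasd:AllocationUnits>hertz * 10^6</rasd:AllocationUnits>
        <rasd:Description>Number of Virtual CPUs</rasd:Description>
        <rasd:ElementName>4 virtual CPU(s)</rasd:ElementName>
        <rasd:InstanceID>1</rasd:InstanceID>
        <rasd:Reservation>7200</rasd:Reservation>
        <rasd:ResourceType>3</rasd:ResourceType>
        <rasd:VirtualQuantity>4</rasd:VirtualQuantity>
      </Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def split_multi_config_items(ovf_xml: bytes):
    """Return (fixed descriptor bytes, number of Items that were split).

    Each Item listing several configurations becomes one Item per configuration;
    clones are inserted right after the original so section ordering is kept.
    """
    root = ET.fromstring(ovf_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    split_count = 0
    for item in list(root.iter(ITEM_TAG)):        # snapshot: the tree is mutated below
        names = [c.strip() for c in item.get(CONFIG_ATTR, "").split(",") if c.strip()]
        if len(names) < 2:
            continue
        parent = parent_of[item]
        position = list(parent).index(item)
        item.set(CONFIG_ATTR, names[0])
        for offset, name in enumerate(names[1:], start=1):
            clone = copy.deepcopy(item)
            clone.set(CONFIG_ATTR, name)
            parent.insert(position + offset, clone)
        split_count += 1
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), split_count


def item_configurations(ovf_xml: bytes):
    """ovf:configuration of every Item, in document order (for checking the result)."""
    root = ET.fromstring(ovf_xml)
    return [item.get(CONFIG_ATTR) for item in root.iter(ITEM_TAG)]


def manifest_entry(filename: str, data: bytes) -> str:
    """One manifest line in the 'SHA1(name)= hex' form used by .mf files."""
    return "SHA1(%s)= %s" % (filename, hashlib.sha1(data).hexdigest())


def refresh_manifest(manifest_text: str, filename: str, data: bytes) -> str:
    """Replace (or append) the SHA1 line for `filename`; other entries are untouched."""
    new_line = manifest_entry(filename, data)
    pattern = re.compile(r"^SHA1\(%s\)=.*$" % re.escape(filename), re.MULTILINE)
    if pattern.search(manifest_text):
        return pattern.sub(new_line, manifest_text)
    if manifest_text and not manifest_text.endswith("\n"):
        manifest_text += "\n"
    return manifest_text + new_line + "\n"


def demo():
    """Run the fix over the constructed sample and a constructed two-line manifest."""
    fixed, count = split_multi_config_items(SAMPLE_OVF)
    manifest = ("SHA1(cucm.ovf)= 0000000000000000000000000000000000000000\n"
                "SHA1(cucm-disk1.vmdk)= 1111111111111111111111111111111111111111\n")
    return {
        "split_count": count,
        "configurations": item_configurations(fixed),
        "manifest": refresh_manifest(manifest, "cucm.ovf", fixed),
        "expected_ovf_line": manifest_entry("cucm.ovf", fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

An OVA is a plain tar archive, so after writing the new descriptor and manifest the repack order matters: the .ovf must be the first member, then the .mf, then the disks (with the placeholder names above: tar -cf cucm.ova cucm.ovf cucm.mf cucm-disk1.vmdk). The clones keep the original InstanceID, which is what "copy the section entirely" in the post amounts to.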

No more 180-day trial licensing... thanks Cisco :(

Here are the new licensing options.  If you request a license type more than once, you will now only get offered a 30 day license unless you request approval for a longer license.

Limitations of passing SQL across the Unified OS CLI

I have found that if you pass around 500 SQL updates via the CLI, you will get the following memory fault on 10.5.2; I have not yet tested any other version:

Exception in thread "main" run(): caught exception Stream closed
java.lang.OutOfMemoryError: unable to create new native thread
        at java.lang.Thread.start0(Native Method)
        at java.lang.Thread.start(Thread.java:714)
        at com.cisco.cpi.common.util.cmExecCommand.exec(cmExecCommand.java:937)
        at com.cisco.cpi.common.util.cmExecCommand.exec(cmExecCommand.java:842)
        at com.cisco.iptplatform.cli.cmdBaseDbOSI.setDbLogMessageMethod(cmdBaseDbOSI.java:57)
        at com.cisco.iptplatform.cli.cmdBaseDbOSI.<init>(cmdBaseDbOSI.java:49)
        at com.cisco.iptplatform.cli.cmdRunSql.<init>(cmdRunSql.java:38)
        at sun.reflect.GeneratedConstructorAccessor8.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
        at java.lang.Class.newInstance(Class.java:383)
        at com.cisco.iptplatform.cli.cmdClassThread.setCmdInstance(cmdClassThread.java:105)
        at com.cisco.iptplatform.cli.CliClassLauncher.execute(CliClassLauncher.java:285)
        at sdMain.main(sdMain.java:1881)


However, I wrote a script that simply splits the loop into 400-command segments and then logs out and back in. I will look to see whether the API has the same issue as well and update this post at a later time.
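The author's workaround is the session-cycling pattern below, written here as an added example rather than the author's own script. The session object is an assumption: anything with run(command) and close() will do (a paramiko channel wrapper, for instance); the FakeSession stands in for the CLI login so the batching logic can be exercised offline, and it refuses the 501st command to mimic the failure described above. The SQL statements are constructed sample data.

```python
#!/usr/bin/env python3
"""Run a long list of CUCM 'run sql' statements in batches over fresh CLI sessions.

Added example for this post, not the author's script. The session interface
(run/close) is an assumption; FakeSession below stands in for an SSH login.
"""

BATCH_SIZE = 400      # the post found ~500 statements per login triggers the OOM


def batches(items, size=BATCH_SIZE):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def run_sql_in_batches(statements, open_session, batch_size=BATCH_SIZE):
    """Execute 'run sql <stmt>' for every statement, logging out and back in between batches.

    Returns (number of sessions used, outputs in order). If a statement fails, the
    session is still closed before the error propagates, so no login is left dangling.
    """
    outputs, sessions = [], 0
    for chunk in batches(statements, batch_size):
        session = open_session()
        sessions += 1
        try:
            for stmt in chunk:
                outputs.append(session.run("run sql " + stmt))
        finally:
            session.close()
    return sessions, outputs


class FakeSession:
    """Offline stand-in for a CLI login: counts commands and fails past the limit."""
    FAIL_AFTER = 500          # mimic the native-thread exhaustion the post hit

    def __init__(self):
        self.commands = 0
        self.closed = False

    def run(self, command):
        if self.closed:
            raise RuntimeError("session already closed")
        self.commands += 1
        if self.commands > self.FAIL_AFTER:
            raise MemoryError("java.lang.OutOfMemoryError: unable to create new native thread")
        return "ok: " + command

    def close(self):
        self.closed = True


def demo(total=1000, batch_size=BATCH_SIZE):
    """Constructed workload: `total` harmless updates against the device table."""
    stmts = [f"update device set description='lab' where name='SEP{i:012d}'"
             for i in range(total)]
    return run_sql_in_batches(stmts, FakeSession, batch_size)


if __name__ == "__main__":
    sessions, outputs = demo()
    print(f"{len(outputs)} statements over {sessions} logins")
```

With a real session factory the open_session callable is where the SSH connect and the admin login happen; keeping the batch size below the point where the CLI's Java side runs out of threads is the whole trick, and the finally block guarantees the logout even when a statement errors mid-batch.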

ISE 2.3 for TACACS

This is just a quick post on how to get TACACS working in 2.3, using AD in this example. For this, we will follow the guide provided here and supplement it below:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

But for Configuring TACACS Authorization Policy, I am going to provide some screenshots in order.

Step 1 (screenshot not included in this copy)

Step 2 (screenshot not included in this copy)

Step 3 (screenshot not included in this copy)

Step 4 (screenshot not included in this copy)

Restoring from OVA backups, and changing IP, losing communications between nodes and how to restore

On occasion you might want to re-IP your lab environment. While the steps are fairly easy, make sure you change the address in the GUI before making the CLI changes, and reboot the subscriber node first. You may still find you run into errors when trying to check dbreplication runtimestate after the IP change. If you get the error "Runtime state cannot be performed on a cluster with a single active node; aborting operation", you can fix it by ensuring the cluster publisher IP is set on the subscriber and restarting the Cluster Manager service on both nodes.

set network cluster publisher ip <IP ADDRESS>
utils service restart Cluster Manager


After this, you should be able to see the proper status when issuing show network cluster:

admin:show network cluster
<IP> hq-sub.collab.life hq-sub Subscriber authenticated
<IP> hq-pub.collab.life hq-pub Publisher authenticated
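When re-IPing several lab clusters it helps to check that output mechanically rather than by eye. The following is an added example (not Cisco tooling) that parses show network cluster lines in the form shown above and flags the conditions this post is about: a node that is not authenticated, no (or more than one) Publisher, or a single node listed, which is the "single active node" situation. The sample output is constructed from the post's format with placeholder addresses.

```python
#!/usr/bin/env python3
"""Parse 'show network cluster' output and report cluster problems.

Added example for this post, not Cisco tooling. The sample below is constructed
from the format shown in the post, with placeholder IP addresses.
"""


def sample_output():
    """Constructed sample: the post's two-node output with placeholder IPs."""
    return ("admin:show network cluster\n"
            "10.0.0.12 hq-sub.collab.life hq-sub Subscriber authenticated\n"
            "10.0.0.11 hq-pub.collab.life hq-pub Publisher authenticated\n")


def parse_cluster(output):
    """Return one dict per node: ip, fqdn, host, role, state.

    Only the first five fields are used, so lines that carry extra text after the
    state (for example a 'since <date>' suffix) still parse.
    """
    nodes = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith("admin:"):
            continue                      # prompt echo or a blank/short line
        ip, fqdn, host, role, state = parts[:5]
        nodes.append({"ip": ip, "fqdn": fqdn, "host": host, "role": role, "state": state})
    return nodes


def cluster_problems(nodes):
    """Human-readable problems; an empty list means the cluster looks healthy."""
    problems = []
    publishers = [n for n in nodes if n["role"] == "Publisher"]
    if len(publishers) != 1:
        problems.append(f"expected exactly one Publisher, found {len(publishers)}")
    for n in nodes:
        if n["state"] != "authenticated":
            problems.append(f"{n['host']} ({n['ip']}) is {n['state']}")
    if len(nodes) < 2:
        problems.append("only one node listed; check 'set network cluster publisher ip' "
                        "on the subscriber and restart Cluster Manager on both nodes")
    return problems


if __name__ == "__main__":
    found = cluster_problems(parse_cluster(sample_output()))
    print("healthy" if not found else "\n".join(found))
```

Feed it the captured text of show network cluster from each node; the subscriber's view is the one that goes wrong after a re-IP, because it is the subscriber that has to learn the publisher's new address.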


Enjoy!