I had a situation a couple of weeks ago where I had the serial numbers for a bunch of Cisco switches, I needed to get some extended cover for them, but what I didn’t have were the Cisco SKU (Stock Keeping Unit) codes.
Solution
You will need to have a Cisco CCO login, once you have that go here > Add devices.
Give the device a name, (it does not matter what) > Paste in the serial number > Add.
Boom, there’s your SKU (Product ID)
Repeat as required.
Related Articles, References, Credits, or External Links
If you have fiber channel switches, (regardless of the vendor,) scratch the surface and underneath it’s probably a Brocade. (Unless it’s a Cisco Nexus then you are in the wrong place my friend, move along!) e.g an HP StorageWorks 8/8 SAN Switch (Yeah it’s a Brocade 6505), or an IBM SAN24B-4 Express Fabric Switch (you guessed it, Brocade).
If you need to get the serial number for them, here’s how.
Solution
SSH into the switch, and issue the following command;
[box]chassisshow[/box]
I need the Brocades Vendor Serial Number!
For ‘re-badged’ Brocades, some vendors, (HP for example), have a ‘Suppler Serial Number‘ also, you need to GUI into the switch manager to get that, (that means using a browser and having Java installed!) Warning: You will need to enter the switches IP or FQDN into the the ‘Safe’ list in the Java settings in the Control Panel or this will fail. Typically you then browse to http://{IP-Address}/switchExplorer_installed.html to then get access.
Go here;
1: Is the Brocade Serial Number.
2. Is the Supplier (Vendor) Serial Number.
Related Articles, References, Credits, or External Links
Cisco have done this for a while, the first time I saw it was years ago on a 5585, but all the NGFW models now have a ‘Serial Number” and a “Chassis Serial Number”. Normally you don’t care unless you need to log a TAC call online. So you issue a show version command, take a note of the serial number, and then it says, there’s no record of that serial number?
Solution
Just to be clear
SmartNets are registered to the Chassis Serial Number, this is NOT the serial number shown with a ‘show version‘ command.
Software (e.g. AnyConnect) is licensed to the Serial Number that IS shown with a ‘show version‘ command.
As a general rule, Cisco ASA chassis serial numbers start with JMX, and the serial numbers start with JAD.
How to Locate the Cisco ASA ‘Chassis Serial Number’
Well it’s printed on the chassis of course, but if it’s in a rack or a thousand miles away, that’s not much help! To get it remotely you use the ‘show inventory’ command;
I can’t really take the credit for this, I was at a client’s site a few weeks ago, and they were doing this. I thought ‘That’s cool, I’ll have a play with that when I get the chance”.
Essentially, you update the description of the Computer object(s) in AD so that they list;
The last user who logged on.
What time they logged on.
What AD ‘Site’ the machine is in.
Model of the PC/Laptop.
Serial Number of the machine.
Operating System.
32 or 64 bit.
I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.
Now I can think of loads of situations when that information would be very helpful?
Solution : Last User
So how do you do it? Well to make a change to a computer’s ‘Description’ filed in AD, requires some rights, locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.
You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.
Change the ‘Applies to’ section to ‘Descendant Computer Objects’.
Scroll down and tick, ‘Write Description’
Isn’t that dangerous? Well not really, it gives users the right to change a computer objects description field, they would need to have the technical ability to do so. And if they did it would get overwritten the next time a user logged onto that machine anyway.
Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it, into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name not mine!
Now create a new Group Policy Object, linked to your USERS.
Edit the policy, and navigate to;
[box]User Configuration > Windows Settings > Scripts > Logon[/box]
Add in the UNC path to the ComputerDescriptionLogonStamp.bat file (Note: Make sure you use a UNC path, to your Netlogon folder, and you do NOT browse locally to the file, if the path looks like; C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.batIT WON’T WORK.)
Close the Group policy editor, then either wait, or force a group policy update.
The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).
If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.
It is a hardware device that plugs into the back of the ASA, and comes in two flavours.
1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.
2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.
In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. Note: This license expires and must be renewed annually).
Solution
Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.
1. Connect to the ASA via command line, go to enable mode and issue the following command;
From the output you should be able to get the serial number of the CSC module (write it down).
2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.
3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.
Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.
4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.
5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.
6. Scroll down and accept, then select DOWNLOAD, (that way you wont have to wait for it to be emailed to you).
7. Open the license file (will have a .lic extension) with notepad and you should see two keys.
Step 2: Setup the CSC Module
Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if theres no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP.
9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.
10. Enter the network settings you require for the CSC (it requires its own network connection). it has a single RJ45 network socket on the CSC modules back plane, connect that to your LAN > Next.
11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.
12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > Ive set the CSC to fail open (if theres a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.
13. Review the settings > Finish.
Note: You may get a warning if you set ‘fail open’ above that’s OK.
Connecting to and Managing the Cisco CSC Module
Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443
Note: You should now set the CSC module so that is DOES NOT scan its own update traffic, see the following article.
If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you.
1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.
2. Paste in the new code > Activate.
3. It may look like it has hung, wait a minuter or so, and check the licensing tab again.
Related Articles, References, Credits, or External Links