Configuring Syslog

The Cisco 67x has a built-in syslog facility, but it has limited memory and can be cumbersome to access. The Cisco has the capability to send syslog messages to a central syslog server, and I just happen to maintain such a server on my network. My syslog server currently runs Ubuntu Server 12.04.2 LTS (Precise Pangolin) and I use the provided rsyslogd (5.8.6). To configure it, edit /etc/rsyslog.conf and ensure UDP support is enabled (I had to uncomment the following lines).

$ModLoad imudp
$UDPServerRun 514

I also had to add a firewall rule to allow the traffic.

iptables -A INPUT -i eth1 -s <cisco ip>/32 -p udp --dport 514 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -d <cisco ip>/32 -p udp --sport 514 -m state --state RELATED,ESTABLISHED -j ACCEPT

Next, configure the Cisco to send its syslog messages to the remote server. This consists of connecting to the Cisco, configuring syslog, writing the config, rebooting, and testing.

User Access Verification
Password:********

cbos>enable
Password:********

cbos#set syslog enabled
SYSLOG is enabled

cbos#set syslog remote <syslog server ip>
SYSLOG will now send messages to <syslog server ip>

cbos#set syslog port 514
SYSLOG will now use port 514

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

Obviously, you need to replace <syslog server ip> with an actual IP. Adjust the port if necessary. Once the reboot is complete, you can test it.

cbos#set syslog test testing syslog from cisco 678
Message: "testing syslog from cisco 678" sent via syslog

You should see the message appear in your logs on the central syslog server.

user@syslog$ tail /var/log/syslog.log
May 24 18:29:11 <cisco ip> "testing sysylog from cisco 678"

If the message doesn’t appear in the syslog logs, check for errors on the Cisco.

cbos#show errors
- Current Error Messages -
## Ticks Module Level Message
 0 000:00:00:00 SYSLOG Alarm Could not send message

If the error “Could not send message” appears, verify that the Cisco was configured correctly. Note: the Cisco will probably fail until the config is written and the device is rebooted.

Messages from the Cisco should now be appearing in your central syslog logs.

Configuring SNMP

The Cisco 678 has built-in support for SNMP, and it’s fairly straight-forward to enable. My goal is to use Net-SNMP to monitor the performance and general health of the Cisco. To setup the 678 to support SNMP, add a ‘manager’ (use “set snmp manager” for details). In my example, <client ip> is the IP of the machine generating SNMP requests, and “internal” is the name of my SNMP ‘community’.

cbos#set snmp manager <client ip> internal read enable all
Added SNMP Manager

cbos#set snmp enable
SNMP enabled

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

The Cisco should now respond to SNMP requests originating from <client ip>. Net-SNMP includes several tools, such as snmpwalk, that can be used to test the setup. This can be done on an Ubuntu client as follows.

user$ sudo apt-get install -y snmp
user$ snmpwalk -r 0 -v1 -c internal <cisco ip>

The output of both commands has been omitted, but the system information for the Cisco should look similar to the following.

user$ snmpwalk -r0 -v1 -c internal <cisco ip> system
SNMPv2-MIB::sysDescr.0 = STRING: Cisco CPE SNMPv3 Agent
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.10.1.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8835020) 1 day, 0:32:30.20
SNMPv2-MIB::sysContact.0 = STRING: Cisco Systems, Inc
SNMPv2-MIB::sysName.0 = STRING: CBOS675
SNMPv2-MIB::sysLocation.0 = STRING: Irvine
SNMPv2-MIB::sysServices.0 = INTEGER: 72

Note: Net-SNMP 5.4.3 was having problems translating OID numbers into more human-friendly strings. Eventually, Google led me to several articles explaining a bug in 5.4 that caused Net-SNMP to fail when reading MIB files to translate the OID numbers. It was necessary for me to build and install 5.7.1 to resolve this problem. If you’re using 5.4.3, then you may need to change your command, and the result will be different (and more cryptic).

user$ snmpwalk -r0 -v1 -c internal <cisco ip> .1.3.6.1.2.1.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco CPE SNMPv3 Agent"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.10.1.1
iso.3.6.1.2.1.1.3.0 = Timeticks: (8887560) 1 day, 0:41:15.60
iso.3.6.1.2.1.1.4.0 = STRING: "Cisco Systems, Inc"
iso.3.6.1.2.1.1.5.0 = STRING: "CBOS675"
iso.3.6.1.2.1.1.6.0 = STRING: "Irvine"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72

Most of the examples I found online use mrtg (along with Apache, cron, and rrdtool) to generate web-accessible graphs of  data collected via SNMP. This isn’t the model I’m using, but Google can lead you to the answer; I’m using a custom tool to record specific parameters as part of my overall network monitoring.

A Final Thought

Between syslog and SNMP, it should be relatively easy to keep an eye on a Cisco 678 or 675. It’s worth noting that there are some security trade offs to consider when enabling SNMP. In my setup, I was able to disable my 678’s telnet server, but end up exposing its SNMP functionality. This may or may not be advisable in your environment.

There are two SSH options that can help: StrictHostKeyChecking and UserKnownHostsFile (see the ssh-config man page for full details). Setting StrictHostKeyChecking to “no” tells SSH to automatically add hosts to the known_hosts file. UserKnownHostsFile can be used to define a different file to track host keys. In the bluntest scenario, /dev/null can be used as a known_hosts file. From the command line, the options are used as follows:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@example.com

In this scenario, SSH will attempt to connect to example.com as user, look for an existing host key record in /dev/null (which obviously doesn’t exist), automatically adds the host key to /dev/null (without prompting, but it may output a warning), and finally opens the connection.

This trick can also be applied to a SSH config file to simplify usage. For example, if connections are frequently made to a cloud environment, a host pattern could be used to automatically apply the above options.

Host *.cloud.example.com
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

Then, connections would be as simple as:

ssh instance.cloud.example.com

The internet is filled with variations on this, and other, tips.

ESXi 4 has been serving me just fine, so I hadn’t taken the time to upgrade to 5. However, I recently saw some notes indicating that vSphere was moving away from the Windows-based Client to a web-based management console. I didn’t have anything exciting deployed and decided to spend an afternoon checking out the latest version of ESXi.

It usually takes me a few minutes to navigate the labyrinth VMware calls a website, but I eventually located the ESXi 5.1 download page. Installation is straight-forward (see the official documentation for details). Once the system was up and running, I pointed my browser at it and found the familiar link to “Download vSphere Client”. There was also a link to “Browse datastores in this host’s inventory.” I was immediately disappointed. The inventory browser is virtually useless and I didn’t see anything suggesting a web-based management tool.

After a more thorough review of the documentation, I realized that the vSphere Web Client 5 has to be installed on a separate server – a Windows server – and only supports a few browsers. For me, this completely defeated the point.

I only have Mac OS X and Linux systems at home. To work around this particular challenge, I run vSphere Client on an Amazon EC2 instance. If you don’t have an AWS account, you can sign up for free and take advantage of the AWS Free Tier. (You need a credit card to sign up, but nothing gets charged to it unless you provision something outside the free tier, which Amazon provides clear documentation for.) There are also cloud-based Virtual Desktop providers, but I’ve never actually used one.

To run vSphere Client on AWS, launch a Microsoft Windows Server 2008 Base (64-bit) image, which is free tier eligible if you provision it as a t1.micro instance. (A t1.micro is ridiculously small for a Windows server, but it’s sufficient to run vSphere Client.) Once the instance is running, you can use the EC2 Management Console to get its Administrator password and public DNS name – you’ll need these to open a Remote Desktop connection to the instance. For detailed instructions, see the EC2 User Guide.

Now you have a Windows machine that is either free or only pennies per running hour. Now, you need to connect your Windows instance to your ESXi server. There is an obvious security risk here – you could end up exposing your system to the public. Proceed with caution.

The vSphere client uses TCP ports 443, 902, and 903 to communicate with the server. If you don’t have any control over your firewall/network, then you can try using SSH tunneling/port-forwarding to “map” your server ports to local ports on the Windows instance. In this scenario, you would access your server using localhost ports on your client, and you may need to install a SSH server on the Windows instance to make this work. I usually modify my firewall to map my server ports to a publicly accessible IP, but secure access to the IP of the Windows instance.

In short, vSphere Client and vSphere Web Client both require a Windows system to run, and you can use a cheap cloud-hosted Windows instance to bridge the gap.

On Ubuntu Server 10.04 LTS 64-bit, the wrapper script uses tail(1) and gzip to unpack the flash executable.

# chmod u+x SC440-010500.BIN
# ./SC440-010500.BIN
Dell BIOS Update Installer 1.1
Copyright 2006 Dell Inc. All Rights Reserved.

tail: cannot open `+78' for reading: No such file or directory

gzip: stdin: not in gzip format

The script uses an old syntax for tail that is being progressively obsoleted in their GNU forms. This can be fixed by either modifying the update script (change “+N” to “–lines=+N”) or set the environment variable _POSIX2_VERSION to “199209” to make tail use the old syntax.

The other issue is with gzip. The updater is 32-bit, but the SC440 is 64-bit native and, in this case, running a 64-bit OS. This problem can be solved by installing a 32-bit zlib library. I found some

My final process looks like this:

# Verify MD5 checksum is correct
md5sum SC440-010500.BIN

# Install 32-bit libs (for Ubuntu or Debian)
# (Fedora: yum install glibc.1686 zlib.i386)
# (SUSE: zypper install glibc-32bi zlib-32bit)
sudo apt-get install ia32-libs libc6-1386

# Switch to run-level 1
sudo init 1

# On Ubuntu, select 'root Drop to root shell prompt'

# Make the script executable
chmod u+x SC440-010500.BIN

# Let tail(1) know it should use the obsolete syntax
export _POSIX2_VERSION=199209

# Verify the package will extract
./SC440-010500.BIN --version

# If all was OK, run it for effect
./SC440-010500.BIN

# Follow the on-screen prompts to finish the install

If you struggled to follow along, then I would recommend taking more time to understand all the details before you risk turning your system into a brick by botching something while flashing the new BIOS.

Initially, I avoided GoDaddy because I didn’t care for their corporate policies (they’re no stranger to controversy) any more than I cared for their hideous brand aesthetic. Unfortunately, a domain I wanted was trapped in GoDaddy’s auction limbo. To buy the domain I had to participate in their auction and keep the domain registered with them for a minimum period. This is where I developed a strong dislike for everything they do. I have the impression that GoDaddy is built by individual product teams that don’t coordinate or communicate and everything is glued together by a terrible user experience and marketing drivel so aggressive I can’t actually tell what they’re trying to sell. The whole system seems to be fighting itself.

In the end, I ended up with a single domain registered on GoDaddy. Now that it’s eligible for transfer, I’m moving it to Network Solutions with the rest of my domains.

Preparing the Domain for Transfer

I spent a few minutes trying to find my way through GoDaddy’s support site before resorting to Google. Eventually, I found this: Transferring Domain Names to Another Registrar. In short, unlock the domain, get an authorization code, and initiate the transfer from the destination registrar.

First, log in to the GoDaddy Domain Manager for the domain to transfer.

1. Go to GoDaddy.com
2. Click, “Log In to My Account” (top left)
3. Enter your credentials and click “Log In”
4. Click “My Account” (it replaced “Log In to My Account”)
5. Next to Domains, click Launch
6. Click the domain name you’re going to transfer

At this point, I highly recommend you note your domain’s configuration. Be aware that moving the domain will impact any related services you may have with GoDaddy. You’ll need to document your configuration to ensure you can recreate it after the transfer.

Before the domain can be transferred, it needs to be unlocked. Look under “Domain Information” for “Locked:”. If it doesn’t say “Unlocked”, then it needs to be unlocked. (See Locking and Unlocking Your Domain Name for details.)

1. Under “Domain Information”, next to “Locked:”, click Manage
2. Unselect “Lock domain(s)”
3. Click OK
4. Click OK

Most registrars will ask for an authorization code when initiating a transfer; Network Solutions is one of them. (See Getting an Authorization Code to Transfer Your Domain Name.)

1. Under “Domain Information”, next to “Authorization Code”, click “Send by Email”
2. GoDaddy will send an email to the administrative contact for the domain
3. Wait for the email and note the authorization code

Once the domain is unlocked and you have an authorization code in hand, you’re ready to initiate the transfer from Network Solutions.

Initiate the Transfer

Go to Network Solutions and log in to the Account Manager. If you scroll to the bottom of the page, under “Manage My Products & Services”, click “Transfer Domains“.

Enter your domain name in the box and click “Get Started”. When the search returns, you should see your domain selected under “Domains Eligible for Online Transfer”. Click Continue, enter your authorization code, and click Continue, again.

The final step is paying for the transfer. The domain is added to a shopping cart. Configure the cart how you want (just the transfer, additional years of registration, etc) and complete the checkout process.

Network Solutions will notify GoDaddy and GoDaddy will send the domain administrator an email with instructions to complete the transfer. This step may take some time; don’t expect it to finish in just a few minutes. (It took about two hours to get my first email.)

Authorize/Confirm the Transfer

I received two emails from Network Solutions – they were essentially identical, but one was sent to my GoDaddy administrative contact address and the other was sent to my Network Solutions administrative contact address. The email contained a link for confirming the transfer and a notice that the transfer must be confirmed within 15 days or it will be automatically rejected.

The link takes you to a page that identifies the domain being transferred, instructions on how to proceed, and a form to complete the authorization. I scrolled to the form, verified that “Authorize” was selected, checked the box acknowledging the Service Agreement, and clicked Submit. Be sure to save a copy of your confirmation.

I received an email from GoDaddy almost immediately. Their email indicated that the transfer was pending and I had five days to decline the transfer. If you don’t decline it, then it will complete automatically. If you don’t want to wait five days, then click the link and accept the transfer using the GoDaddy Domain Manager.

1. Log in to GoDaddy “My Account”
2. Next to Domains, click Launch
3. In the Domains drop-down, select “Pending Transfers”
4. On the line for the domain, click “Accept or Decline”
5. Click “Accept/decline transfer now”
6. Select Accept
7. Click OK
8. Click OK

After a couple of minutes, I received two emails confirming the transfer and lamenting my departure from GoDaddy. I logged into the GoDaddy Domain Manager and verified that the domain no longer appeared there. Initially, my domain did not appear in the Network Solutions Domain Manager. It took about two hours before I received email confirmation from Network Solutions and the domain appeared in their Domain Manager. I also noticed that the name servers I had associated with the domain on GoDaddy were migrated to Network Solutions. (A happy surprise!)

Conclusion

In the end, transferring my domain was fairly straight forward. It would have been nice if it was faster, but I can’t really complain considering what must be involved behind the scenes. The process really comes down to: unlock the domain, get an authorization code, initiate the transfer at the destination, confirm the initiation, confirm the transfer for the source, wait for it to complete. Good-bye GoDaddy!

Connecting

The 678 can be reset and configured using the LAN port, but connecting to the management port using the provided management cable is safer. If you don’t have a management cable, Cisco is kind enough to tell you how (basically, a DB9 to RJ45 cable). If you’re stuck using the LAN, then do your homework, double check your work, and be prepared to accept defeat. I use telnet when connecting over the LAN and screen, tip, or cu when connecting with the management cable.

When the connection is initially opened, the router should prompted for the exec password. If the router/modem is already running when the connection is opened, then it may be necessary to hit enter to trigger the prompt.

If you don’t know the exec or enable passwords for your router/modem, then check out the Password Recovery Procedure for the Cisco 6xx.

Resetting

Start by resetting the router/modem to a known state. If the current state is a complete disaster, then it can be completely reset using RMON. See Erase the Configuration from the Password Recovery Procedure for details. Typically, the router/modem can be reset by connecting and erasing the configuration in normal mode (shown below).

This is where working with the LAN can be tricky. If the configuration is erased and written, but the connection is dropped before a new configuration is written, the router could be left in an unknown/undesirable state. If you’re connected using the LAN, skip the reboot step at the end. And, good luck!

User Access Verification
Password: <your password>

cbos>enable
Password: <your password>

cbos#set nvram erase
Erasing Running Configuration.
You must use "write" for changes to be permanent.

cbos#write 
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

The router/modem will reboot into a “clean” state with no configuration (including blank passwords).

Configuring

My configuration is fairly straight forward. I have a single external IP and a handful of devices that use network address translation (NAT) to access the outside world. Most of my internal network is assigned static IPs, but I maintain a small pool of IPs for (mostly wireless) DHCP devices. In my setup, my Cisco 678 acts as the modem and router, but it’s possible to configure the 678 as a simple modem bridged to another device that handles PPP, NAT, DHCP, etc. For details, see the RFC 1483 Routing section in the Cisco 600 Series Installation and Operation Guide.

I start by connecting and setting the passwords for exec and enable.

User Access Verification
Password:<your password; blank after reset>

cbos>enable
Password:<your password; blank after reset>

cbos#set password exec <new password>
Exec Password Change Successful!

cbos#set password enable <new password>
Enable Password Change Successful!

Next, configure the PPP connection.

cbos#set ppp wan0-0 ipcp 0.0.0.0
PPP wan0-0 IPCP Address set to 0.0.0.0

cbos#set ppp wan0-0 dns 0.0.0.0
PPP wan0-0 DNS Server Addresses set to 0.0.0.0

cbos#set ppp wan0-0 authentication enable
PAP and CHAP Authentication is now enabled on specified port

cbos#set ppp wan0-0 login <your login>
User name for wan0-0 has been set to <your login>

cbos#set ppp wan0-0 password <your password>
Password for wan0-0 has been set to <your password>.

cbos#set ppp restart enabled
CPE Remote Restart is now enabled...

Next, enable network address translation (NAT).

cbos#set nat enabled
NAT is now enabled
You must use "write" then reboot for changes to take effect.

Next, configure the internal/local network. The LAN port is eth0, and the following example sets the router/modem’s IP to 10.0.0.1.

cbos#set interface eth0 address 10.0.0.1
eth0 ip address changed from 10.0.0.1 to 10.0.0.1

Next, setup a DHCP server for the internal/local network. The following example allocates a pool of 16 IPs starting at 10.0.0.200, sets a DNS server to pass to DHCP clients, and a gateway that points to the router.

cbos#set dhcp server enabled
DHCP Server enabled

cbos#set dhcp server pool 0 ip 10.0.0.200 size 16 netmask 255.255.255.0
Pool 0 IP parameter is now 10.0.0.200

cbos#set dhcp server pool 0 dns <dns server IP>
Pool 0 DNS parameter is now <dns server IP>

cbos#set dhcp server pool 0 gateway 10.0.0.1
Pool 0 gateway parameter is now 10.0.0.1

cbos#set dhcp server pool 0 enabled
DHCP Server Pool 0 now enabled

Next, configure the WAN port. Before executing the following steps, disconnect the phone line. Once the configuration is complete and written, the phone line can be reconnected.

cbos#set interface wan0-0 close
Closing connection wan0-0

cbos#set interface wan0-0 vpi 0
Change completed.

cbos#set interface wan0-0 vci 32
Change completed.

cbos#set interface wan0-0 open
Opening connection wan0-0

Finally, write the configuration and reboot.

cbos#write
Warning: traffic may pause while NVRAM is being modified
NVRAM written.

cbos#reboot

Validating

At this point, I like to connect over the LAN and issue a few commands to validate that the running configuration was persisted correctly, the DSL line is trained and authenticated, and the connection’s upstream and downstream data rates are correct (verify you’re getting what you pay for).

User Access Verification
Password: <your password>

cbos>enable
Password: <your password>

cbos#show nvram
Warning: traffic may pause while NVRAM is being accessed
[[ CBOS = Section Start ]]
NSOS MD5 Enable Password = <omitted>
NSOS Remote Restart = enabled
NSOS MD5 Root Password = <omitted>
NSOS MD5 Commander Password = <omitted>
[[ PPP Device Driver = Section Start ]]
PPP Port Option = 00, IPCP,IP Address,3,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port Option = 00, IPCP,Primary DNS Server,129,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port Option = 00, IPCP,Secondary DNS Server,131,Auto,Negotiation Not Required,Negotiable,IP,0.0.0.0
PPP Port User Name = 00, <omitted>
PPP Port User Password = 00, ****
[[ IP Routing = Section Start ]]
IP NAT = enabled
[[ DHCP = Section Start ]]
DHCP Server = enabled
DHCP Server Pool IP = 00, 10.0.0.200
DHCP Server Pool DNS = 00, <omitted>
[[ ATM WAN Device Driver = Section Start ]]
ATM WAN Virtual Connection Parms = 00, 0, 32, 0

cbos#show interface wan0
wan0 ADSL Physical Port
 Line Trained
Actual Configuration:
 Overhead Framing: 3
 Trellis Coding: Enabled
 Standard Compliance: T1.413
 Downstream Data Rate: 6144 Kbps
 Upstream Data Rate: 896 Kbps
<omitted the rest... but there's lots more!>

cbos#show interface wan0-0
WAN0-0 ATM Logical Port
 PVC (VPI 0, VCI 32) is open.
 ScalaRate set to Auto
 AAL 5 UBR Traffic
 PPP LCP State: Opened
 PPP NCP State (IP Routing): Opened
 PPP MRU: 2048 HDLC Framing: disabled MPOA Mode: VC Mux
 PPP Login: <your login>
 Authentication Type: Autodetecting/PAP
 RADIUS: disabled
 PPP Tx: 113997 Rx: 387171 
 Dest IP: <omitted>
 Dest Mask: 255.255.255.255
 IP Port Enabled

If there are any problems, check out the Cisco 600 Series Installation and Operation Guide – Troubleshooting.

When I was working on my ECE degree, I purchased a USB-to-Serial adapter to connect my iBook to everything from oscilloscopes to micro-controllers. Earlier this week I had to dig out my adapter, a Keyspan USA-19, to update my DSL router (a story for another day).

As it turns out, Keyspan was bought by Tripp Lite in 2008, but appears to continue making and supporting Keyspan’s USB-to-Serial adpaters. I couldn’t find drivers for the USA-19, but took the risk an used the driver for the USA-19HS (Mac OS X 10.6.x to 10.8.x). There isn’t anything fancy about the installer; just follow the prompts.

Once the driver is installed, plug in the adapter and check for it with:

% ls -1 /dev/tty.*

I had to restart before I saw what I was looking for (I’ve omitted the results that aren’t relevant):

% ls -1 /dev/tty.*
/dev/tty.KeySerial1
/dev/tty.USA192433P1.1

Once you identify the USB-to-Serial adapter, in this case, USA192433P1.1, you can connect using tip(1)/cu(1) or screen(1). I used tip on my iBook, but don’t have it installed on my iMac.

% screen /dev/tty.USA.192433P1.1

Check the screen manpage for details about setting baud rate and other options.

I naively thought I could copy the iWork folder from my “/Applications/iWork ’09/” folder from my iMac to my MacBook Air. But, when I try to run an iWork application, I receive an error indicating that it’s “corrupt”.

A quick search later, and I was trying to copy additional files from “/Library/Application Support/” and “/Library/Preferences/”. Finally, I dug out the original iWork ’09 installation DVD that came with my iMac.

My MacBook Air doesn’t have a DVD drive, so I had to setup DVD sharing between my iMac and Air. On my iMac, I opened System Preferences, clicked Sharing under Internet & Wireless, and enabled “DVD or CD Sharing”. I checked the box “Ask me before allowing others to use my DVD drive” as a precaution.

After inserting the DVD into my iMac, I opened a new Finder window and clicked “Remote Disc” under Devices in the window’s sidebar, double-clicked the icon for my iMac, and clicked the “Ask to use…” button. (See “Use another computer’s DVD or CD drive” in Help Center for details. The “Ask to use…” button is a consequence of checking “Ask me before allowing other to use my DVD drive” on the iMac.) A dialog appears on my iMac indicating that my user on my MacBook Air would like to use my DVD drive; I clicked Accept, and the disc opens on my MacBook Air.

Initially, the installer failed because there was a newer version of iWork on my MacBook Air (the version I tried to copy earlier). I had to remove the following:

sudo rm -rf "/Applications/iWork '09/"
sudo rm -rf "/Library/Application Support/iWork '09/"
sudo rm -rf "/Library/Preferences/com.apple.iWork09.Installer.plist"
sudo rm -rf "/Library/Preferences/com.apple.iWork09.plist"

After removing the above, I was able to successfully run the installer. After installation, I ran Software Update to upgrade iWork to the latest version.