Linux Virtual Server (LVS)

I have a requirement to set up a Linux load balancer on one of our web servers.

To load-balance across the two web servers I am going to use Linux Virtual Server (LVS).

Setting up a virtual server with two real web servers behind it:

ipvsadm -A -t 10.10.100.90:80 -s rr
ipvsadm -a -t 10.10.100.90:80 -r 172.24.24.201:80 -m
ipvsadm -a -t 10.10.100.90:80 -r 172.24.24.202:80 -m

The first entry creates the virtual service on port 80 of 10.10.100.90; that address is the virtual server clients connect to. The scheduling algorithm for the load balancer is set to round-robin:

-s rr

The second and third entries add the two web servers as real servers behind that virtual service.

The -m flag selects masquerading (NAT) forwarding: LVS rewrites the packets so the real servers stay hidden behind the virtual IP, much like NAT hiding on a router. Replies from the real servers therefore have to route back through the director.

-m

Status of the above LVS setup:

# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.100.90:80 rr
  -> 172.24.24.201:80                Masq    1      3          1
  -> 172.24.24.202:80                Masq    1      4          0
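Added example, not from the original notes: a small Python checker that parses the ipvsadm -L -n listing above and compares it with the real servers you intended to configure, flagging a server that is missing, quiesced (weight 0) or not using masquerading. The expected server list is an assumption for illustration.

```python
import re
from dataclasses import dataclass, field

# The `ipvsadm -L -n` listing from the notes above, embedded as sample input.
SAMPLE_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.10.100.90:80 rr
  -> 172.24.24.201:80                Masq    1      3          1
  -> 172.24.24.202:80                Masq    1      4          0
"""

# Assumed intended topology (illustrative): both real servers behind the VIP.
EXPECTED_REALS = ["172.24.24.201:80", "172.24.24.202:80"]


@dataclass
class RealServer:
    addr: str        # RemoteAddress:Port
    forward: str     # Masq, Route or Tunnel
    weight: int      # 0 means quiesced: no new connections are scheduled to it
    active: int
    inactive: int


@dataclass
class VirtualService:
    proto: str
    addr: str        # LocalAddress:Port (the VIP)
    scheduler: str   # e.g. rr, wrr, lc
    real_servers: list = field(default_factory=list)


SERVICE_RE = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+)\s+(\S+)")
REAL_RE = re.compile(r"^\s*->\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ipvsadm(text):
    """Parse `ipvsadm -L -n` output into a list of VirtualService objects."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            services.append(VirtualService(m.group(1), m.group(2), m.group(3)))
            continue
        m = REAL_RE.match(line)
        # The '-> RemoteAddress:Port ...' header has no numeric fields, so it never matches.
        if m and services:
            services[-1].real_servers.append(RealServer(
                m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5))))
    return services


def check_service(service, expected_reals, scheduler="rr", forward="Masq"):
    """Compare a parsed virtual service with the intended setup; return a list of problems."""
    problems = []
    if service.scheduler != scheduler:
        problems.append(f"scheduler is {service.scheduler}, expected {scheduler}")
    seen = {r.addr: r for r in service.real_servers}
    for addr in expected_reals:
        r = seen.get(addr)
        if r is None:
            problems.append(f"real server {addr} missing")
        elif r.weight == 0:
            problems.append(f"real server {addr} has weight 0 (quiesced)")
        elif r.forward != forward:
            problems.append(f"real server {addr} uses {r.forward}, expected {forward}")
    for addr in seen:
        if addr not in expected_reals:
            problems.append(f"unexpected real server {addr}")
    return problems


if __name__ == "__main__":
    for svc in parse_ipvsadm(SAMPLE_OUTPUT):
        issues = check_service(svc, EXPECTED_REALS)
        print(f"{svc.proto} {svc.addr} ({svc.scheduler}): " + ("OK" if not issues else "; ".join(issues)))
```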

Cisco Port Mirroring (SPAN)

We had a requirement for our Linux-based network probe to see all the network traffic for monitoring purposes. To achieve this I suggested we implement a network mirror port: it copies the packets from the ports you specify to a destination port, where they can be analysed.

This is what I did on a Cisco switch to achieve the port mirror. In Cisco terms this is called SPAN, or RSPAN when the mirrored traffic is carried across switches in a dedicated RSPAN VLAN.

Cisco's own description of the two modes:

“A local SPAN session associates a destination port with source ports. You can monitor incoming or outgoing traffic on a series or range of ports and source VLANs. An RSPAN session associates source ports and source VLANs across your network with an RSPAN VLAN. The destination source is the RSPAN VLAN.”

Add each port you need monitored as a source for the session:

monitor session 1 source interface GigabitEthernet1/0/25
monitor session 1 source interface GigabitEthernet1/0/24
monitor session 1 source interface GigabitEthernet1/0/26
monitor session 1 source interface GigabitEthernet1/0/27
monitor session 1 source interface GigabitEthernet1/0/48
monitor session 1 source interface GigabitEthernet2/0/46
monitor session 1 source interface GigabitEthernet2/0/47
monitor session 1 source interface GigabitEthernet2/0/48
monitor session 1 source interface GigabitEthernet2/0/31
monitor session 1 source interface GigabitEthernet2/0/32
monitor session 1 source interface GigabitEthernet2/0/33
monitor session 1 source interface GigabitEthernet5/0/43

Set the destination port:

monitor session 1 destination interface GigabitEthernet6/0/1

SWS-STK1#show monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
 Both : Gi1/0/44-48,Gi2/0/21-23,Gi2/0/46-48,Gi5/0/13
Destination Ports : Gi6/0/24
 Encapsulation : Native
 Ingress : Disabled


SWS-STK1#

Ingress shows as disabled by default: the destination port is only used for monitoring traffic and does not work as a regular port. If you want the probe on that port to receive mirrored traffic and also send and receive regular traffic, use the following:

monitor session 1 destination interface GigabitEthernet5/0/43 ingress vlan XXX

To monitor a VLAN instead (RSPAN), use the following:

monitor session 1 source remote vlan 200
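Added example, not part of the original notes: a Python check that parses show monitor session output together with the intended monitor session ... interface lines, expands port ranges such as Gi1/0/44-48, and reports sources that are not mirrored, sources mirrored that you did not ask for, and a wrong destination. The sample config and switch output are constructed in the formats shown above; extra mirrored ports matter because everything on them reaches the probe.

```python
import re

# Constructed: the sources and destination we meant to configure (long interface names).
INTENDED_CONFIG = """\
monitor session 1 source interface GigabitEthernet1/0/25
monitor session 1 source interface GigabitEthernet1/0/26
monitor session 1 source interface GigabitEthernet2/0/46
monitor session 1 destination interface GigabitEthernet6/0/1
"""

# Constructed: what `show monitor session 1` reports for the same session.
SHOW_OUTPUT = """\
Session 1
---------
Type : Local Session
Source Ports :
 Both : Gi1/0/25-26,Gi2/0/46-48
Destination Ports : Gi6/0/1
 Encapsulation : Native
 Ingress : Disabled
"""

LONG_TO_SHORT = {"GigabitEthernet": "Gi", "TenGigabitEthernet": "Te", "FastEthernet": "Fa"}


def short_name(ifname):
    """Normalise a long interface name (GigabitEthernet1/0/25) to the short form (Gi1/0/25)."""
    for long_, short in LONG_TO_SHORT.items():
        if ifname.startswith(long_):
            return short + ifname[len(long_):]
    return ifname


def expand_range(token):
    """Expand 'Gi1/0/44-48' into ['Gi1/0/44', ..., 'Gi1/0/48']; a single port passes through."""
    m = re.fullmatch(r"([A-Za-z]+\d+(?:/\d+)*/)(\d+)-(\d+)", token)
    if not m:
        return [token]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


def parse_show_monitor(text):
    """Return (sources, destinations) as sets of short names; RX/TX/Both sources are merged."""
    sources, destinations = set(), set()
    for line in text.splitlines():
        m = re.match(r"^\s*(Both|RX Only|TX Only)\s*:\s*(.+)$", line)
        if m:
            for tok in m.group(2).split(","):
                sources.update(expand_range(tok.strip()))
            continue
        m = re.match(r"^\s*Destination Ports\s*:\s*(.+)$", line)
        if m:
            for tok in m.group(1).split(","):
                destinations.update(expand_range(tok.strip()))
    return sources, destinations


def parse_intended(text):
    """Return (sources, destinations) from `monitor session N source|destination interface X` lines."""
    sources, destinations = set(), set()
    for line in text.splitlines():
        m = re.match(r"^\s*monitor session \d+ (source|destination) interface (\S+)", line)
        if m:
            target = sources if m.group(1) == "source" else destinations
            target.add(short_name(m.group(2)))
    return sources, destinations


def compare(intended, actual):
    """Diff intended against actual (sources, destinations); empty lists mean the session matches."""
    i_src, i_dst = intended
    a_src, a_dst = actual
    return {
        "not_mirrored": sorted(i_src - a_src),        # blind spots for the probe
        "extra_sources": sorted(a_src - i_src),       # traffic the probe was never meant to see
        "wrong_destination": sorted(a_dst ^ i_dst),   # mirror lands on an unexpected port
    }


if __name__ == "__main__":
    print(compare(parse_intended(INTENDED_CONFIG), parse_show_monitor(SHOW_OUTPUT)))
```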

Samba4 running as an Active Directory Controller

Installation notes

Starting from a fresh CentOS minimal install:

yum -y install gcc libacl-devel libblkid-devel gnutls-devel \
 readline-devel python-devel gdb pkgconfig krb5-workstation \
 zlib-devel setroubleshoot-server libaio-devel \
 setroubleshoot-plugins policycoreutils-python \
 libsemanage-python setools-libs-python setools-libs \
 popt-devel libpcap-devel sqlite-devel libidn-devel \
 libxml2-devel libacl-devel libsepol-devel libattr-devel \
 keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils
yum -y install glibc glibc-devel gcc python* libacl-devel krb5-server krb5-workstation krb5-libs pam_krb5 make gnutls-devel \
 openssl-devel bind bind-libs bind-utils libblkid-devel readline-devel gdb python-devel *ldap* *gnutls* *acl* cups sqlite-devel \
 setroubleshoot-server popt-devel libxml2-devel libpcap-devel libidn-devel cups-devel

Change /etc/fstab so the root filesystem is mounted with the acl option (the commented-out line is the earlier attempt):

#
# /etc/fstab
# Created by anaconda on Mon Nov 18 09:59:13 2013
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
##/dev/mapper/vg_dc1-lv_root / ext4 acl user_xattr defaults 1 1

/dev/mapper/vg_dc1-lv_root / ext4 acl 1 1

If you get LDAP errors in the logs and DNS is not working, check whether another process is already bound to the LDAP ports. The error looks like this:

samba_terminate: Failed to startup ldap server task

Use netstat to find the listener:

netstat --tcp --listen --program
netstat -nalp | grep 636

I had some issues with the firewall; at the moment, to get DNS and domain requests working, iptables is disabled. These are the rules for the ports the domain controller needs:

iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p udp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 3268 -j ACCEPT
iptables -A INPUT -p tcp --dport 3269 -j ACCEPT
iptables -A INPUT -p udp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 5722 -j ACCEPT
iptables -A INPUT -p udp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 137 -j ACCEPT
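Added example, not from the original notes: Python that reads a rule list in the form above, drops exact repeats (the list above contains port 135 twice) and single ports already covered by a range, and checks netstat -nalp output for the LDAP-port conflict described earlier, reporting every required port that is bound by something other than samba. The rule subset, the netstat lines and the process names are constructed.

```python
import re

# Constructed subset of the iptables rules from the notes, in the same form.
IPTABLES_RULES = """\
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j ACCEPT
iptables -A INPUT -p tcp --dport 464 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j ACCEPT
iptables -A INPUT -p udp --dport 389 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j ACCEPT
iptables -A INPUT -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -p tcp --dport 137 -j ACCEPT
"""

# Constructed `netstat -nalp` output: a leftover OpenLDAP holds 389/636 before samba starts.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:389                 0.0.0.0:*                   LISTEN      1201/slapd
tcp        0      0 0.0.0.0:636                 0.0.0.0:*                   LISTEN      1201/slapd
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      1337/samba
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      988/sshd
tcp        0      0 10.0.0.5:445                10.0.0.9:51022              ESTABLISHED 1337/samba
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               1337/samba
"""


def parse_rules(text):
    """Parse `iptables -A INPUT -p PROTO --dport PORT[:PORT] -j ACCEPT` lines into (proto, lo, hi)."""
    rules = []
    for line in text.splitlines():
        m = re.search(r"-p\s+(tcp|udp)\s+--dport\s+(\d+)(?::(\d+))?", line)
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) else lo
            rules.append((m.group(1), lo, hi))
    return rules


def dedupe_rules(rules):
    """Drop exact duplicates and rules already covered by a wider range of the same protocol."""
    kept = []
    for proto, lo, hi in rules:
        covered = any(p == proto and l <= lo and hi <= h and (l, h) != (lo, hi)
                      for p, l, h in rules)
        if covered or (proto, lo, hi) in kept:
            continue
        kept.append((proto, lo, hi))
    return kept


def render_rules(rules):
    """Turn (proto, lo, hi) tuples back into iptables command lines."""
    lines = []
    for proto, lo, hi in rules:
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        lines.append(f"iptables -A INPUT -p {proto} --dport {dport} -j ACCEPT")
    return lines


def parse_netstat(text):
    """Return [(proto, port, program)] for listening sockets in `netstat -nalp` output."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0][:3] not in ("tcp", "udp"):
            continue  # banner, header or non-socket line
        proto = f[0][:3]  # tcp6/udp6 collapse onto tcp/udp
        port = int(f[3].rsplit(":", 1)[1])
        if proto == "tcp":
            if len(f) < 7 or f[5] != "LISTEN":
                continue  # established/closing connections are not owners of the port
            pidprog = f[6]
        else:
            pidprog = f[5]  # UDP lines have no State column
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        listeners.append((proto, port, program))
    return listeners


def find_conflicts(listeners, rules, own_program="samba"):
    """Map (proto, port) -> program for required ports held by a process other than samba."""
    conflicts = {}
    for proto, port, program in listeners:
        needed = any(p == proto and lo <= port <= hi for p, lo, hi in rules)
        if needed and program != own_program:
            conflicts[(proto, port)] = program
    return conflicts


if __name__ == "__main__":
    rules = dedupe_rules(parse_rules(IPTABLES_RULES))
    print("\n".join(render_rules(rules)))
    print("conflicts:", find_conflicts(parse_netstat(NETSTAT_OUTPUT), rules))
```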

Windows admin

Log in to the domain, then restart and log in to the machine with a domain account, then run AD Users & Computers; AD Users & Computers won't work if you logged in locally.

=====================================

Ref

http://wiki.eri.ucsb.edu/stadm/AD_Samba4

https://wiki.samba.org/index.php/Samba_4/OS_Requirements

=====================================

SNMP Traps with Nagios

Packages to install:

yum install net-snmp net-snmp-utils net-snmp-devel php-mysql.i686 net-snmp-perl.i686

Download NagTrap and extract the files:

tar xvvzf nagtrap-0.1.4.tar.gz

Place the nagtrap directory inside the Nagios directory, normally located at /usr/share/nagios/.

Give the nagios user ownership of it:

chown -R nagios:nagios /usr/share/nagios/nagtrap/

Copy the PHP config template from the etc folder and edit it to suit your setup:

cp etc/config.ini.php-dist etc/config.ini.php

nano etc/config.ini.php

;<?/*
;###########################################################################
;#
;# config.ini.php - NagTrap configuration file
;#
;# Copyright (c) 2006 - 2011 Michael Luebben (nagtrap@nagtrap.org)
;# Last Modified: 06.02.2011
;#
;# License:
;#
;# This program is free software; you can redistribute it and/or modify
;# it under the terms of the GNU General Public License version 2 as
;# published by the Free Software Foundation.
;#
;# This program is distributed in the hope that it will be useful,
;# but WITHOUT ANY WARRANTY; without even the implied warranty of
;# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;# GNU General Public License for more details.
;#
;# You should have received a copy of the GNU General Public License
;# along with this program; if not, write to the Free Software
;# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
;###########################################################################

[global]
;# Select here a language (EN = English / DE = German)
language = EN

;# If you use authentication, enable this option (0=off / 1=on)
useAuthentification = 0

;# If you use authentication, enter here the users that may make changes
;# on the web frontend, comma separated.
allowedUser = nagiosadmin

;# If you use a database for unknown traps, enable this option (0=off / 1=on)
;# If you enable this option, you must have a table in your database for unknown
;# traps.
useUnknownTraps = 1

;# Enter here the number of traps that you will see per page.
step = 90

;# Path to Image-Directory from your SNMP-Trap Frontend installation
images = ./images/

;# Select Icons for the Frontend (nuovo, dropline, nuvola_1 or nuvola_2)
iconStyle = dropline

;# Set here the number of characters after which the trap message is cut off.
;# If no value is set, trap messages are not cut.
cutTrapMessage =

;# Set here the illegal characters for output of the javabox
illegalCharJavabox = "<,>,'"

[jobs]
;# Set days to archive traps
daysToArchive = 30

;# Set days to delete traps
daysToDelete = 90

;# Authentification ID for the jobs !!!CHANGE!!!
#authID = 6dhmes0909le00ek9834lfdsd03k0ccvvmv9em4g


[nagios]
;# Url to Nagios/Icinga
prefix = /nagios

;# Path to the image directory of your Nagios installation
images = ../images/

;# Enter here the information used to connect to your database
[database]
host = localhost
user = root
password = gamma00
name = snmptt
tableSnmptt = snmptt
tableSnmpttArchive = snmptt_archive

;# Ignore this option when you don't use a table for unknown traps in your database
tableSnmpttUnk = snmptt_unknown

;*/?>


Next, set up the database using the SQL file shipped with NagTrap.

Now you should be able to see the NagTrap web interface at:

http://localhost/nagios/nagtrap

Add it to the side.php menu within Nagios:

nano /usr/share/nagios/side.php

Add the following entry:

<li><a href="/nagios/nagtrap/" target="<?php echo $link_target;?>">SNMP TRAPS</a></li>

Now let's get SNMPTT configured.

Install the Perl module Config::IniFiles:

perl -MCPAN -e 'install Config::IniFiles'

Download SNMPTT and extract it:

tar xvvzf snmptt_1.3.tgz

Copy the binaries and the ini file into place and make the binaries executable:

cp snmptt /usr/sbin/
cp snmptthandler /usr/sbin/
cp snmpttconvert /usr/bin/
cp snmptt.ini /etc/snmp/
chmod +x /usr/sbin/snmptt
chmod +x /usr/sbin/snmptthandler
chmod +x /usr/bin/snmpttconvert

Now set up the snmptt.ini file:

nano /etc/snmp/snmptt.ini

#
# SNMPTT v1.3 Configuration File
#
# Linux / Unix
#

[General]
# Name of this system for $H variable. If blank, system name will be the computer's
# hostname via Sys::Hostname.
snmptt_system_name =

# Set to either 'standalone' or 'daemon'
# standalone: snmptt called from snmptrapd.conf
# daemon: snmptrapd.conf calls snmptthandler
# Ignored by Windows. See documentation
mode = daemon

# Set to 1 to allow multiple trap definitions to be executed for the same trap.
# Set to 0 to have it stop after the first match.
# This option should normally be set to 1. See the section 'SNMPTT.CONF Configuration 
# file Notes' in the SNMPTT documentation for more information.
# Note: Wildcard matches are only matched if there are NO exact matches. This takes
# into consideration the NODES list. Therefore, if there is a matching trap, but
# the NODES list prevents it from being considered a match, the wildcard entry will
# only be used if there are no other exact matches.
multiple_event = 1

# SNMPTRAPD passes the IP address of device sending the trap, and the IP address of the
# actual SNMP agent. These addresses could differ if the trap was sent on behalf of another
# device (relay, proxy etc).
# If DNS is enabled, the agent IP address is converted to a host name using a DNS lookup
# (which includes the local hosts file, depending on how the OS is configured). This name
# will be used for: NODES entry matches, hostname field in logged traps (file / database), 
# and the $A variable. Host names on the NODES line will be resolved and the IP address 
# will then be used for comparing.
# Set to 0 to disable DNS resolution
# Set to 1 to enable DNS resolution
dns_enable = 0

# Set to 0 to enable the use of FQDN (Fully Qualified Domain Names). If a host name is
# passed to SNMPTT that contains a domain name, it will not be altered in any way by
# SNMPTT. This also affects resolve_value_ip_addresses.
# Set to 1 to have SNMPTT strip the domain name from the host name passed to it. For 
# example, server01.domain.com would be changed to server01
# Set to 2 to have SNMPTT strip the domain name from the host name passed to it
# based on the list of domains in strip_domain_list
strip_domain = 0

# List of domain names that should be stripped when strip_domain is set to 2.
# List can contain one or more domains. For example, if the FQDN of a host is
# server01.city.domain.com and the list contains domain.com, the 'host' will be
# set as server01.city.
strip_domain_list = <<END
nagios.local
END

# Configures how IP addresses contained in the VALUE of the variable bindings are handled.
# This only applies to the values for $n, $+n, $-n, $vn, $+*, $-*.
# Set to 0 to disable resolving ip address to host names
# Set to 1 to enable resolving ip address to host names
# Note: net_snmp_perl_enable *must* be enabled. The strip_domain settings influence the
# format of the resolved host name. DNS must be enabled (dns_enable)
resolve_value_ip_addresses = 0

# Set to 1 to enable the use of the Perl module from the UCD-SNMP / NET-SNMP package.
# This is required for $v variable substitution to work, and also for some other options
# that are enabled in this .ini file.
# Set to 0 to disable the use of the Perl module from the UCD-SNMP / NET-SNMP package.
# Note: Enabling this with stand-alone mode can cause SNMPTT to run very slowly due to
# the loading of the MIBS at startup.
net_snmp_perl_enable = 1

# This sets the best_guess parameter used by the UCD-SNMP / NET-SNMP Perl module for 
# translating symbolic names to OIDs and vice versa.
# For UCD-SNMP, and Net-SNMP 5.0.8 and previous versions, set this value to 0.
# For Net-SNMP 5.0.9, or any Net-SNMP with patch 722075 applied, set this value to 2.
# A value of 2 is equivalent to -IR on Net-SNMP command line utilities.
# UCD-SNMP and Net-SNMP 5.0.8 and previous may not be able to translate certain formats of
# symbolic names such as RFC1213-MIB::sysDescr. Net-SNMP 5.0.9 or patch 722075 will allow
# all possibilities to be translated. See the FAQ section in the README for more info
net_snmp_perl_best_guess = 2

# Configures how the OID of the received trap is handled when outputting to a log file /
# database. It does NOT apply to the $O variable.
# Set to 0 to use the default of numerical OID
# Set to 1 to translate the trap OID to short text (symbolic form) (eg: linkUp)
# Set to 2 to translate the trap OID to short text with module name (eg: IF-MIB::linkUp)
# Set to 3 to translate the trap OID to long text (eg: iso...snmpTraps.linkUp)
# Set to 4 to translate the trap OID to long text with module name (eg: 
# IF-MIB::iso...snmpTraps.linkUp)
# Note: -The output of the long format will vary depending on the version of Net-SNMP you
# are using.
# -net_snmp_perl_enable *must* be enabled
# -If using database logging, ensure the trapoid column is large enough to hold the
# entire line
translate_log_trap_oid = 1

# Configures how OIDs contained in the VALUE of the variable bindings are handled.
# This only applies to the values for $n, $+n, $-n, $vn, $+*, $-*. For substitutions
# that include variable NAMES ($+n etc), only the variable VALUE is affected.
# Set to 0 to disable translating OID values to text (symbolic form)
# Set to 1 to translate OID values to short text (symbolic form) (eg: BuildingAlarm)
# Set to 2 to translate OID values to short text with module name (eg: UPS-MIB::BuildingAlarm)
# Set to 3 to translate OID values to long text (eg: iso...upsAlarm.BuildingAlarm)
# Set to 4 to translate OID values to long text with module name (eg: 
# UPS-MIB::iso...upsAlarm.BuildingAlarm)
# For example, if the value contained: 'A UPS Alarm (.1.3.6.1.4.1.534.1.7.12) has cleared.',
# it could be translated to: 'A UPS Alarm (UPS-MIB::BuildingAlarm) has cleared.'
# Note: net_snmp_perl_enable *must* be enabled
translate_value_oids = 1

# Configures how the symbolic enterprise OID will be displayed for $E.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4. 
# Note: net_snmp_perl_enable *must* be enabled
translate_enterprise_oid_format = 1

# Configures how the symbolic trap OID will be displayed for $O.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4. 
# Note: net_snmp_perl_enable *must* be enabled
translate_trap_oid_format = 1

# Configures how the symbolic trap OID will be displayed for $v, $-n, $+n, $-* and $+*.
# Set to 1, 2, 3 or 4. See translate_value_oids options 1,2,3 and 4. 
# Note: net_snmp_perl_enable *must* be enabled
translate_varname_oid_format = 1

# Set to 0 to disable converting INTEGER values to enumeration tags as defined in the 
# MIB files
# Set to 1 to enable converting INTEGER values to enumeration tags as defined in the 
# MIB files
# Example: moverDoorState:open instead of moverDoorState:2
# Note: net_snmp_perl_enable *must* be enabled
translate_integers = 1

# Allows you to set the MIBS environment variable used by SNMPTT
# Leave blank or comment out to have the system's environment settings used
# To have all MIBS processed, set to ALL
# See the snmp.conf manual page for more info
mibs_environment = ALL

# Set what is used to separate variables when wildcards are expanded on the FORMAT /
# EXEC line. Defaults to a space. Value MUST be within quotes. Can contain 1 or 
# more characters
wildcard_expansion_separator = " "

# Set to 1 to allow unsafe REGEX code to be executed.
# Set to 0 to prevent unsafe REGEX code from being executed (default).
# Enabling unsafe REGEX code will allow variable interpolation and the use of the e
# modifier to allow statements such as substitution with captures such
# as: (one (two) three)(five $1 six)
# which outputs: five two six
# or: (one (two) three)("five ".length($1)." six")e
# which outputs: five 3 six
#
# This is considered unsafe because the contents of the regular expression 
# (right) is executed (eval) by Perl which *could contain unsafe code*.
# BE SURE THAT THE SNMPTT CONFIGURATION FILES ARE SECURE!
allow_unsafe_regex = 0

# Set to 1 to have the backslash (escape) removed from quotes passed from
# snmptrapd. For example, \" would be changed to just "
# Set to 0 to disable
remove_backslash_from_quotes = 1

# Set to 1 to have NODES files loaded each time a trap is processed.
# Set to 0 to have all NODES files loaded when the snmptt.conf files are loaded.
# If NODES files are used (files that contain lists of NODES), then setting to 1
# will cause the list to be loaded each time an EVENT is processed that uses
# NODES files. This will allow the NODES file to be modified while SNMPTT is 
# running but can result in many file reads depending on the number of traps
# received. Defaults to 0
dynamic_nodes = 0

# This option allows you to use the $D substitution variable to include the
# description text from the SNMPTT.CONF or MIB files.
# Set to 0 to disable the $D substitution variable. If $D is used, nothing
# will be outputted.
# Set to 1 to enable the $D substitution variable and have it use the
# descriptions stored in the SNMPTT .conf files. Enabling this option can
# greatly increase the amount of memory used by SNMPTT.
# Set to 2 to enable the $D substitution variable and have it use the
# description from the MIB files. This enables the UCD-SNMP / NET-SNMP Perl 
# module save_descriptions variable. Enabling this option can greatly 
# increase the amount of memory used by the Net-SNMP SNMP Perl module, which 
# will result in an increase of memory usage by SNMPTT.
description_mode = 0

# Set to 1 to remove any white space at the start of each line from the MIB
# or SNMPTT.CONF description when description_mode is set to 1 or 2.
description_clean = 1

# Warning: Experimental. Not recommended for production environments.
# When threads are enabled, SNMPTT may quit unexpectedly.
# Set to 1 to enable threads (ithreads) in Perl 5.6.0 or higher. If enabled,
# EXEC will launch in a thread to allow SNMPTT to continue processing other
# traps. See also threads_max.
# Set to 0 to disable threads (ithreads).
# Defaults to 0
threads_enable = 0

# Warning: Experimental. Not recommended for production environments.
# When threads are enabled, SNMPTT may quit unexpectedly.
# This option allows you to set the maximum number of threads that will 
# execute at once. Defaults to 10
threads_max = 10

# The date format for $x in strftime() format. If not defined, defaults 
# to %a %b %e %Y.
#date_format = %a %b %e %Y

# The time format for $X in strftime() format. If not defined, defaults 
# to %H:%M:%S.
#time_format = %H:%M:%S

# The date time format in strftime() format for the date/time when logging 
# to standard output, snmptt log files (log_file) and the unknown log file 
# (unknown_trap_log_file). Defaults to localtime(). For SQL, see 
# date_time_format_sql.
# Example: %a %b %e %Y %H:%M:%S
#date_time_format =

[DaemonMode]
# Set to 1 to have snmptt fork to the background when run in daemon mode
# Ignored by Windows. See documentation
daemon_fork = 1

# Set to the numerical user id (eg: 500) or textual user id (eg: snmptt)
# that snmptt should change to when running in daemon mode. Leave blank
# to disable. The user used should have read/write access to all log
# files, the spool folder, and read access to the configuration files.
# Only use this if you are starting snmptt as root.
# A second (child) process will be started as the daemon_uid user so
# there will be two snmptt processes running. The first process will 
# continue to run as the user that ran snmptt (root), waiting for the
# child to quit. After the child quits, the parent process will remove 
# the snmptt.pid file and exit. 
daemon_uid = nagios

# Complete path of file to store process ID when running in daemon mode.
pid_file = /var/run/snmptt.pid

# Directory to read received traps from. Ex: /var/spool/snmptt/
# Don't forget the trailing slash!
spool_directory = /var/spool/snmptt/

# Amount of time in seconds to sleep between processing spool files
sleep = 5

# Set to 1 to have SNMPTT use the time that the trap was processed by SNMPTTHANDLER
# Set to 0 to have SNMPTT use the time the trap was processed. Note: Using 0 can
# result in the time being off by the number of seconds used for 'sleep'
use_trap_time = 1

# Set to 0 to have SNMPTT erase the spooled trap file after it attempts to process
# the trap even if it did not successfully log the trap to any of the log systems.
# Set to 1 to have SNMPTT erase the spooled trap file only after it successfully
# logs to at least ONE log system.
# Set to 2 to have SNMPTT erase the spooled trap file only after it successfully
# logs to ALL of the enabled log systems. Warning: If multiple log systems are
# enabled and only one fails, the other log system will continuously be logged to
# until ALL of the log systems function.
# The recommended setting is 1 with only one log system enabled.
keep_unlogged_traps = 1

# How often duplicate traps will be processed. An MD5 hash of all incoming traps
# is stored in memory and is used to check for duplicates. All variables except for
# the uptime variable are used when calculating the MD5. The larger this variable,
# the more memory snmptt will require.
# Note: In most cases it may be a good idea to enable this but sometimes it can have a 
# negative effect. For example, if you are trying to troubleshoot a wireless device
# that keeps losing its connection you may want to disable this so that you see
# all the associations and disassociations.
# 5 minutes = 300
# 10 minutes = 600
# 15 minutes = 900
duplicate_trap_window = 0

[Logging]
# Set to 1 to enable messages to be sent to standard output, or 0 to disable.
# Would normally be disabled unless you are piping this program to another
stdout_enable = 0

# Set to 1 to enable text logging of *TRAPS*. Make sure you specify a log_file 
# location
log_enable = 1

# Log file location. The COMPLETE path and filename. Ex: '/var/log/snmptt/snmptt.log'
log_file = /var/log/snmptt/snmptt.log

# Set to 1 to enable text logging of *SNMPTT system errors*. Make sure you 
# specify a log_system_file location
log_system_enable = 1

# Log file location. The COMPLETE path and filename. 
# Ex: '/var/log/snmptt/snmpttsystem.log'
log_system_file = /var/log/snmptt/snmpttsystem.log

# Set to 1 to enable logging of unknown traps. This should normally be left off
# as the file could grow large quickly. Used primarily for troubleshooting. If
# you have defined a trap in snmptt.conf, but it is not executing, enable this to
# see if it is being considered an unknown trap due to an incorrect entry or 
# simply missing from the snmptt.conf file.
# Unknown traps can be logged either a text file, a SQL table or both.
# See SQL section to define a SQL table to log unknown traps to.
unknown_trap_log_enable = 1

# Unknown trap log file location. The COMPLETE path and filename. 
# Ex: '/var/log/snmptt/snmpttunknown.log'
# Leave blank to disable logging to text file if logging to SQL is enabled
# for unknown traps
unknown_trap_log_file = /var/log/snmptt/snmpttunknown.log

# How often in seconds statistics should be logged to syslog or the event log.
# Set to 0 to disable
# 1 hour = 216000
# 12 hours = 2592000
# 24 hours = 5184000
statistics_interval = 0

# Set to 1 to enable logging of *TRAPS* to syslog. If you do not have the Sys::Syslog
# module then disable this. Windows users should disable this.
syslog_enable = 0

# Syslog facility to use for logging of *TRAPS*. For example: 'local0'
syslog_facility = local0

# Set the syslog level for *TRAPS* based on the severity level of the trap
# as defined in the snmptt.conf file. Values must be one per line between 
# the syslog_level_* and END lines, and are not case sensitive. For example:
# Warning
# Critical
# Duplicate definitions will use the definition with the higher severity.
syslog_level_debug = <<END
END
syslog_level_info = <<END
END
syslog_level_notice = <<END
END
syslog_level_warning = <<END
END
syslog_level_err = <<END
END
syslog_level_crit = <<END
END
syslog_level_alert = <<END
END

# Syslog default level to use for logging of *TRAPS*. For example: warning
# Valid values: emerg, alert, crit, err, warning, notice, info, debug 
syslog_level = warning

# Set to 1 to enable logging of *SNMPTT system errors* to syslog. If you do not have the 
# Sys::Syslog module then disable this. Windows users should disable this.
syslog_system_enable = 0

# Syslog facility to use for logging of *SNMPTT system errors*. For example: 'local0'
syslog_system_facility = local0

# Syslog level to use for logging of *SNMPTT system errors*. For example: 'warning'
# Valid values: emerg, alert, crit, err, warning, notice, info, debug 
syslog_system_level = warning

[SQL]
# Determines if the enterprise column contains the numeric OID or symbolic OID
# Set to 0 for numeric OID
# Set to 1 for symbolic OID
# Uses translate_enterprise_oid_format to determine format
# Note: net_snmp_perl_enable *must* be enabled
db_translate_enterprise = 0

# FORMAT line to use for unknown traps. If not defined, defaults to $-*.
db_unknown_trap_format = '$-*'

# List of custom SQL column names and values for the table of received traps
# (defined by *_table below). The format is
# column name
# value
#
# For example:
#
# binding_count
# $#
# uptime2
# The agent has been up for $T.
sql_custom_columns = <<END
END

# List of custom SQL column names and values for the table of unknown traps
# (defined by *_table_unknown below). See sql_custom_columns for the format.
sql_custom_columns_unknown = <<END
END

# MySQL: Set to 1 to enable logging to a MySQL database via DBI (Linux / Windows)
# This requires DBI:: and DBD::mysql
mysql_dbi_enable = 1

# MySQL: Hostname of database server (optional - default localhost)
mysql_dbi_host = localhost

# MySQL: Port number of database server (optional - default 3306)
mysql_dbi_port = 3306

# MySQL: Database to use
mysql_dbi_database = snmptt

# MySQL: Table to use
mysql_dbi_table = snmptt

# MySQL: Table to use for unknown traps
# Leave blank to disable logging of unknown traps to MySQL
# Note: unknown_trap_log_enable must be enabled.
mysql_dbi_table_unknown = snmptt_unknown

# MySQL: Table to use for statistics
# Note: statistics_interval must be set. See also stat_time_format_sql.
#mysql_dbi_table_statistics = snmptt_statistics
mysql_dbi_table_statistics =

# MySQL: Username to use
mysql_dbi_username = root

# MySQL: Password to use
mysql_dbi_password = gamma00

# MySQL: Whether or not to 'ping' the database before attempting an INSERT
# to ensure the connection is still valid. If *any* error is generated by
# the ping such as 'Unable to connect to database', it will attempt to 
# re-create the database connection.
# Set to 0 to disable
# Set to 1 to enable
# Note: This has no effect on mysql_ping_interval.
mysql_ping_on_insert = 1

# MySQL: How often in seconds the database should be 'pinged' to ensure the
# connection is still valid. If *any* error is generated by the ping such as
# 'Unable to connect to database', it will attempt to re-create the database
# connection. Set to 0 to disable pinging.
# Note: This has no effect on mysql_ping_on_insert.
# disabled = 0
# 5 minutes = 300
# 15 minutes = 900
# 30 minutes = 1800
mysql_ping_interval = 300

# PostgreSQL: Set to 1 to enable logging to a PostgreSQL database via DBI (Linux / Windows)
# This requires DBI:: and DBD::PgPP
postgresql_dbi_enable = 0

# Set to 0 to use the DBD::PgPP module
# Set to 1 to use the DBD::Pg module
postgresql_dbi_module = 0

# Set to 0 to disable host and port network support
# Set to 1 to enable host and port network support
# If set to 1, ensure PostgreSQL is configured to allow connections via TCPIP by setting 
# tcpip_socket = true in the $PGDATA/postgresql.conf file, and adding the ip address of 
# the SNMPTT server to $PGDATA/pg_hba.conf. The common location for the config files for
# RPM installations of PostgreSQL is /var/lib/pgsql/data. 
postgresql_dbi_hostport_enable = 0

# PostgreSQL: Hostname of database server (optional - default localhost)
postgresql_dbi_host = localhost

# PostgreSQL: Port number of database server (optional - default 5432)
postgresql_dbi_port = 5432

# PostgreSQL: Database to use
postgresql_dbi_database = snmptt

# PostgreSQL: Table to use for unknown traps
# Leave blank to disable logging of unknown traps to PostgreSQL
# Note: unknown_trap_log_enable must be enabled.
postgresql_dbi_table_unknown = snmptt_unknown

# PostgreSQL: Table to use for statistics
# Note: statistics_interval must be set. See also stat_time_format_sql.
#postgresql_dbi_table_statistics = snmptt_statistics
postgresql_dbi_table_statistics =

# PostgreSQL: Table to use
postgresql_dbi_table = snmptt

# PostgreSQL: Username to use
postgresql_dbi_username = snmpttuser

# PostgreSQL: Password to use
postgresql_dbi_password = password

# PostgreSQL: Whether or not to 'ping' the database before attempting an INSERT
# to ensure the connection is still valid. If *any* error is generated by
# the ping such as 'Unable to connect to database', it will attempt to 
# re-create the database connection.
# Set to 0 to disable
# Set to 1 to enable
# Note: This has no effect on postgresql_ping_interval.
postgresql_ping_on_insert = 1

# PostgreSQL: How often in seconds the database should be 'pinged' to ensure the
# connection is still valid. If *any* error is generated by the ping such as
# 'Unable to connect to database', it will attempt to re-create the database
# connection. Set to 0 to disable pinging.
# Note: This has no effect on postgresql_ping_on_insert.
# disabled = 0
# 5 minutes = 300
# 15 minutes = 900
# 30 minutes = 1800
postgresql_ping_interval = 300

# ODBC: Set to 1 to enable logging to a database via ODBC using DBD::ODBC. 
# This requires both DBI:: and DBD::ODBC
dbd_odbc_enable = 0

# DBD:ODBC: Database to use
dbd_odbc_dsn = snmptt

# DBD:ODBC: Table to use
dbd_odbc_table = snmptt

# DBD:ODBC: Table to use for unknown traps
# Leave blank to disable logging of unknown traps to DBD:ODBC
# Note: unknown_trap_log_enable must be enabled.
dbd_odbc_table_unknown = snmptt_unknown

# DBD:ODBC: Table to use for statistics
# Note: statistics_interval must be set. See also stat_time_format_sql.
#dbd_odbc_table_statistics = snmptt_statistics
dbd_odbc_table_statistics =

# DBD:ODBC: Username to use
dbd_odbc_username = snmptt

# DBD:ODBC: Password to use
dbd_odbc_password = password


# DBD:ODBC: Whether or not to 'ping' the database before attempting an INSERT
# to ensure the connection is still valid. If *any* error is generated by 
# the ping such as 'Unable to connect to database', it will attempt to 
# re-create the database connection.
# Set to 0 to disable
# Set to 1 to enable
# Note: This has no effect on dbd_odbc_ping_interval.
dbd_odbc_ping_on_insert = 1

# DBD:ODBC: How often in seconds the database should be 'pinged' to ensure the
# connection is still valid. If *any* error is generated by the ping such as 
# 'Unable to connect to database', it will attempt to re-create the database
# connection. Set to 0 to disable pinging.
# Note: This has no effect on dbd_odbc_ping_on_insert.
# disabled = 0
# 5 minutes = 300
# 15 minutes = 900
# 30 minutes = 1800
dbd_odbc_ping_interval = 300

# The date time format for the traptime column in SQL. Defaults to 
# localtime(). When a date/time field is used in SQL, this should
# be changed to follow a standard that is supported by the SQL server.
# Example: For a MySQL DATETIME, use %Y-%m-%d %H:%M:%S.
#date_time_format_sql =

# The date time format for the stat_time column in SQL. Defaults to 
# localtime(). When a date/time field is used in SQL, this should
# be changed to follow a standard that is supported by the SQL server.
# Example: For a MySQL DATETIME, use %Y-%m-%d %H:%M:%S.
#stat_time_format_sql =

[Exec]

# Set to 1 to allow EXEC statements to execute. Should normally be left on unless you
# want to temporarily disable all EXEC commands
exec_enable = 1

# Set to 1 to allow PREEXEC statements to execute. Should normally be left on unless you
# want to temporarily disable all PREEXEC commands
pre_exec_enable = 1

# If defined, the following command will be executed for ALL unknown traps. Passed to the
# command will be all standard and enterprise variables, similar to unknown_trap_log_file
# but without the newlines.
unknown_trap_exec =

# FORMAT line that is passed to the unknown_trap_exec command. If not defined, it
# defaults to what is described in the unknown_trap_exec setting. The following
# would be *similar* to the default described in the unknown_trap_exec setting
# (all on one line):
# $x !! $X: Unknown trap ($o) received from $A at: Value 0: $A Value 1: $aR 
# Value 2: $T Value 3: $o Value 4: $aA Value 5: $C Value 6: $e Ent Values: $+*
unknown_trap_exec_format =

# Set to 1 to escape wildcards (* and ?) in EXEC, PREEXEC and the unknown_trap_exec
# commands. Enable this to prevent the shell from expanding the wildcard 
# characters. The default is 1.
exec_escape = 1

[Debugging]
# 0 - do not output messages
# 1 - output some basic messages
# 2 - output all messages
DEBUGGING = 2

# Debugging file - SNMPTT
# Location of debugging output file. Leave blank to default to STDOUT (good for
# standalone mode, or daemon mode without forking)
#DEBUGGING_FILE = 
DEBUGGING_FILE = /var/log/snmptt/snmptt.debug

# Debugging file - SNMPTTHANDLER
# Location of debugging output file. Leave blank to default to STDOUT
DEBUGGING_FILE_HANDLER = /var/log/snmptt/snmptthandler.debug

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file). The COMPLETE path 
# and filename. Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/nagiosmib.conf
/etc/snmp/cisco4-mibs.conf
END

Then move the init script into place:

cp snmptt-init.d /etc/init.d/snmptt
chmod 755 /etc/init.d/snmptt   # executable, but writable only by root: init runs this script as root, so a 777 (world-writable) mode would let any local user change what it executes
mkdir /var/spool/snmptt/

Then start the service

/etc/init.d/snmptt start

Then make sure snmptrapd is running

/etc/rc.d/init.d/snmptrapd start

Sometimes it is necessary to kill the process and restart it. Check what is using port 162 (snmptrapd listens on UDP 162):

netstat -tulpn
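To find the owner of port 162 without reading the whole listing by eye, here is an added Python example (not from the original notes) that parses netstat -tulpn output. The sample output below is constructed, with made-up PIDs; it covers the TCP rows (which carry a State column), the UDP rows (which do not) and the "-" owner that netstat prints when it is run without root privileges.

```python
# Constructed sample of `netstat -tulpn` output (not captured from the page's host)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1020/httpd
udp        0      0 0.0.0.0:162             0.0.0.0:*                           1234/snmptrapd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           901/snmpd
udp6       0      0 :::162                  :::*                                1234/snmptrapd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -
"""


def listeners_on_port(netstat_output, port):
    """Return [(proto, local_address, pid, program)] for every socket bound to `port`.

    TCP rows have a State column and UDP rows do not, so the local address is
    always taken from column 4 and the owner from the last column.  An owner of
    '-' means the socket belongs to another user and netstat was not run as root;
    it is reported with pid and program set to None.
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        local = fields[3]
        # rsplit on the last ':' so IPv6 wildcard addresses such as ':::162' work too
        if local.rsplit(":", 1)[-1] != str(port):
            continue
        owner = fields[-1]
        if owner == "-":
            pid, program = None, None
        else:
            pid, program = owner.split("/", 1)
        hits.append((fields[0], local, pid, program))
    return hits


def pids_on_port(netstat_output, port):
    """Distinct PIDs holding `port`, i.e. what you would have to stop before restarting snmptrapd."""
    return sorted({pid for _, _, pid, _ in listeners_on_port(netstat_output, port) if pid})


if __name__ == "__main__":
    for hit in listeners_on_port(SAMPLE_NETSTAT, 162):
        print(hit)
```

On a real host, feed it the output of `netstat -tulpn` run as root; if the socket you care about shows up with `None` for the owner, re-run netstat with enough privilege rather than assuming the port is free.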

Next, send a test trap and check that it is forwarded into NagTrap (the MySQL DB). It should show up under UNKNOWN traps, so make sure to change the filter. The $HOSTNAME$-style values are Nagios macros; when sending the trap by hand, replace them with literal strings:

/usr/bin/snmptrap -v 2c -c public 127.0.0.1 '' NAGIOS-NOTIFY-MIB::nSvcEvent nSvcHostname s "$HOSTNAME$" nSvcDesc s "$SERVICEDESC$" nSvcStateID i 0 nSvcOutput s "$SERVICEOUTPUT$"

Remember to open UDP port 162 on the firewall!

OK, now you should have traps going into NagTrap; however, we need to make sense of them, and that means using MIBs.

MIB SETUP

Now, to get MIBs resolving OIDs, we need to do a couple of things. First download the MIBs and make sure they are extracted into the correct folder, otherwise snmptranslate will not know how to translate them.
The important thing to remember here is to place the MIBs in the correct folder, /usr/share/snmp/mibs:

cd /usr/share/snmp/mibs
wget http://www.unleashnetworks.com/lib/mibpackages/AllCisco.zip
unzip AllCisco.zip
rm -rf *.vosmi

OK, now the MIBs are in the correct folder. Run the command to convert the MIBs into a conf file that snmptt can read:

for i in /usr/share/snmp/ALLCISCOMIBS/*.my; do /snmptt_1.3/snmpttconvertmib --format_desc=6 --net_snmp_perl --in="$i" --out=/etc/snmp/cisco4-mibs.conf; done

The resulting file is then listed in the [TrapFiles] section of snmptt.ini:

[TrapFiles]
# A list of snmptt.conf files (this is NOT the snmptrapd.conf file). The COMPLETE path 
# and filename. Ex: '/etc/snmp/snmptt.conf'
snmptt_conf_files = <<END
/etc/snmp/snmptt.conf
/etc/snmp/nagiosmib.conf
/etc/snmp/cisco4-mibs.conf
END

This is now set up; snmptt should be resolving the MIB OIDs sent from the Cisco devices.
Add other MIBs in the same way.

RESTART ALL SERVICES to load the MIBs correctly:

service snmpd restart
service snmptrapd restart
service snmptt restart
service nagios restart

Cisco HSRP / ACL

My setup notes on Cisco HSRP setups

access-list 101 permit ip host 10.164.30.1 any
access-list 101 permit ip host 10.164.30.3 host 172.19.57.80
access-list 101 deny ip 10.164.30.0 0.0.0.255 172.19.0.0 0.0.255.255
access-list 101 permit ip any any
!
interface Vlan30
 ip address 10.164.30.252 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip route-cache flow
 mls netflow sampling
 standby 1 ip 10.164.30.254
 standby 1 priority 140
 standby 1 preempt

RANCID – Cisco config backups

Adding new devices into Rancid

Add the new device to the router.db file in the format shown below:

nano /var/rancid/ims-devices/router.db

192.168.1.1:cisco:up

Add the user details into:

nano /var/rancid/.cloginrc

Test:

su rancid
bin/clogin 192.168.1.1

For a successful test the script should run, log in to the device and land at the main configuration prompt (i.e. enable mode). You should be able to run commands etc. If it logs in but you cannot run commands, it is not working.

Note: This happens with the HP switches when using clogin; use hlogin instead.

More information below:

The Rancid router.db file

The router.db file is the device list rancid uses to do its backups. It has the format:

dns-name-or-ip-address:device-type:status

Where dns-name-or-ip-address is the hostname or IP address of the device, device-type is the type of operating system the device is expected to be running, and status (which can be up or down) determines whether the device should be backed up or not. This example is for a Cisco device with an IP address of 192.168.1.1.

192.168.1.1:cisco:up

Note: According to the Rancid help pages, “a ‘#’ at the beginning of a line is considered as a comment and the entire line is ignored. If a device is deleted from the router.db file, then Rancid will clean up by removing the device’s configuration file /usr/local/rancid/var/networking/configs directory. The CVS information for the device will be moved to CVS Attic directory (using cvs delete).”

Various device types for Rancid

Device      Description
alteon      An Alteon WebOS switch.
baynet      A Bay Networks router.
cat5        A Cisco Catalyst 5000 or 4000 series switch (i.e. running CatOS, not IOS).
cisco       A Cisco router, PIX, or switch such as the 3500XL or 6000 running IOS (or an IOS-like OS).
css         A Cisco content services switch.
enterasys   An Enterasys NAS. This is currently an alias for the riverstone device type.
erx         A Juniper E-series edge router.
extreme     An Extreme switch.
ezt3        An ADC-Kentrox EZ-T3 mux.
force10     A Force10 router.
foundry     A Foundry router, switch, or router-switch. This includes HP ProCurve switches that are OEMs of Foundry products, such as the HP9304M.
hitachi     A Hitachi router.
hp          An HP ProCurve switch such as the 2524 or 4108. Also see the foundry type.
mrtd        A host running the (Merit) MRTd daemon.
netscalar   A Netscalar load balancer.
netscreen   A Netscreen firewall.
redback     A Redback router, NAS, etc.
tnt         A Lucent TNT.
zebra       Zebra routing software.
riverstone  A Riverstone NAS or Cabletron (starting with version ~9.0.3) router.
juniper     A Juniper router.

The Rancid .cloginrc file

The .cloginrc file lists all the passwords rancid will use. The one that comes with the Rancid installation kit has a lot of examples in it and is fairly self-explanatory. Unfortunately some of the examples are not commented out, so you will have to do so yourself. Because the file holds device passwords in clear text, keep it owned by the rancid user with mode 600. Here is a sample snippet using some commonly encountered scenarios.

#
# Sample .cloginrc file
#

####################################################################
#
# Device 192.168.1.16 has a unique username and password, but
# logins do not get the enable prompt.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################

add password 192.168.1.16 {telnet-password} {enable-password}

####################################################################
#
# Devices with DNS names ending in my-web-site.org in the router.db
# file or beginning with 172.16. have a different set of passwords.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################

add password *.my-web-site.org {telnet-password} {enable-password}
add password 172.16.* {telnet-password} {enable-password}

####################################################################
#
# Everything else uses these passwords. Rancid will attempt to use
# telnet then SSH for logins
#
####################################################################

add password * {telnet-password} {enable-password}
add method * telnet ssh
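To make the two file formats concrete (the router.db device list above and the .cloginrc pattern list just shown), here is an added Python example, not part of Rancid or of the original notes, that reads both and works out which credentials and login methods a device would be given. It models the two rules the sample relies on: lines starting with # are ignored, and patterns are tried in file order with the first match winning. Both input files are constructed, with placeholder secrets and made-up hosts; the glob matching uses Python's fnmatch, which handles the * patterns in the sample the same way.

```python
import fnmatch
import re

# Constructed sample router.db (placeholder devices, not the page's inventory)
ROUTER_DB = """\
# core devices
192.168.1.1:cisco:up
192.168.1.16:cisco:up
sw1.my-web-site.org:hp:up
172.16.4.2:juniper:down
garbage-line-without-fields
"""

# Constructed sample .cloginrc; the {...} values are placeholders, not real secrets
CLOGINRC = """\
# Sample .cloginrc
add password 192.168.1.16 {telnet-password} {enable-password}
add password *.my-web-site.org {web-telnet} {web-enable}
add password 172.16.* {lab-telnet} {lab-enable}
add password * {default-telnet} {default-enable}
add method * telnet ssh
"""


def parse_router_db(text):
    """Return [(host, device_type, status)] for well-formed, uncommented lines."""
    devices = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[2] not in ("up", "down"):
            continue  # malformed entry: skip rather than guess
        devices.append(tuple(parts))
    return devices


def parse_cloginrc(text):
    """Return an ordered list of (directive, pattern, values) for 'add ...' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 3)
        if len(tokens) != 4 or tokens[0] != "add":
            continue
        directive, pattern, rest = tokens[1], tokens[2], tokens[3]
        # password entries are {brace} delimited; method entries are bare words
        values = re.findall(r"\{([^}]*)\}", rest) or rest.split()
        entries.append((directive, pattern, values))
    return entries


def lookup(entries, directive, host):
    """First matching pattern wins, in file order (a bare '*' at the end is the catch-all)."""
    for d, pattern, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return None


def backup_plan(router_db_text, cloginrc_text):
    """Map each 'up' device to the login/enable passwords and methods that would be selected."""
    entries = parse_cloginrc(cloginrc_text)
    plan = {}
    for host, dtype, status in parse_router_db(router_db_text):
        if status != "up":
            continue  # 'down' devices are skipped, as rancid does
        pw = lookup(entries, "password", host)
        if pw is None or len(pw) < 2:
            plan[host] = {"type": dtype, "error": "no usable password entry"}
            continue
        plan[host] = {"type": dtype, "login": pw[0], "enable": pw[1],
                      "methods": lookup(entries, "method", host)}
    return plan


if __name__ == "__main__":
    for host, info in backup_plan(ROUTER_DB, CLOGINRC).items():
        print(host, info)
```

The ordering matters: if the catch-all `add password *` line were placed first, every device would get the default credentials and the more specific entries would never be reached, which is the kind of mistake this check makes visible before a backup run fails on a hundred devices.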

Testing Rancid

Rancid has a number of scripts that can be run as part of a testing program and the logs they create are fairly detailed. Here are some examples. As a general rule, it is usually easiest to do testing as the rancid user.

Testing A Login for a Single Device

The clogin script in the bin directory can be used to read the .cloginrc file as part of an interactive test. In this example, we successfully log in to our 192.168.1.1 Cisco device and get an interactive enable prompt.

[rancid@bigboy ~]$ bin/clogin 192.168.1.1
192.168.1.1
spawn telnet 192.168.1.1
Trying 192.168.1.1...
Connected to (192.168.1.1).
Escape character is '^]'.

User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> enable
Password: ********
pixfirewall#
pixfirewall# exit

Logoff

Connection closed by foreign host.
[rancid@bigboy ~]$

You can still test if you are not logged in as the rancid Linux user but are a member of the netadm group (or root). Simply run the clogin command as the rancid user, pointing it at the /usr/local/rancid/.cloginrc password file with -f, as in the example below.

[root@bigboy tmp]$ /usr/local/rancid/bin/clogin \
    -f /usr/local/rancid/.cloginrc -u netadm 192.168.1.1

Testing For All Devices

The rancid-run script in the bin directory can be used to read the .cloginrc file as part of a complete test.

[rancid@bigboy ~]$ bin/rancid-run
[rancid@bigboy ~]$

Taken from:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid


Linux Disk LVM Resize

Notes on Linux disk LVM

# Inspect the current layout: disks and partitions, physical volumes, volume groups, logical volumes
fdisk -l
pvs
pvdisplay
vgs -o +vg_free_count,vg_extent_count
vgdisplay
lvs

# After the underlying partition has grown, tell LVM that the physical volume is bigger
pvresize /dev/sda1
pvresize /dev/sda2

# Grow an existing logical volume: -L200G sets an absolute size, -L+200G adds to the current size
lvextend -L200G /dev/mapper/vg_share1-lv_home
lvextend -L+200G /dev/mapper/vg_share1-lv_home
lvextend -L+100G /dev/mapper/vg_share1-lv_home

# Create a new 1500 MB logical volume named testlv in volume group testvg, placed on physical volume /dev/sdg1
lvcreate -L 1500 -n testlv testvg /dev/sdg1

# Grow the filesystem to fill the resized logical volume, checking before and after
df -h
resize2fs /dev/mapper/vg_share1-lv_home
df -h

RESIZE LVM PARTITION

First, resize the virtual disk in VMware.
Now you should see unallocated space when viewing the disk in gparted or something similar.

Now you need to create an ext4 partition on this unallocated space; if you cannot do this on the live system,
reboot into GParted Live and do it there.

Now that the space is partitioned, run:

# pvcreate /dev/sda3

Run this command to add the new physical volume to the volume group:

# vgextend vg_centosjw /dev/sda3

Run this command to verify how many physical extents are free in the volume group:

# vgdisplay vg_centosjw | grep "Free"

Run the following command to extend the logical volume:

# lvextend -L+4.8G /dev/vg_centosjw/lv_root

where 4.8G is the amount of free space in GB reported by the previous command. Then grow the filesystem to match (lvextend -r would do both steps in one go) and check the result:

resize2fs /dev/vg_centosjw/lv_root

df -h /

[root@networkmon ~]# lvextend -L+4.8G /dev/vg_centosjw/lv_root
Rounding up size to full physical extent 4.80 GiB
Extending logical volume lv_root to 17.34 GiB
Logical volume lv_root successfully resized
[root@networkmon ~]# resize2fs /dev/vg_centosjw/lv_root
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/vg_centosjw/lv_root is mounted on /; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 2
Performing an on-line resize of /dev/vg_centosjw/lv_root to 4545536 (4k) blocks.
The filesystem on /dev/vg_centosjw/lv_root is now 4545536 blocks long.

[root@networkmon ~]#

Cisco Ether-channel

These are the notes from my production environment setup of a Cisco Catalyst 6506 and a Cisco 3500XL switch.

6500 Catalyst

Set the ports up for channelling:

set port disable 2/1-2
set port channel 2/1-2 auto
set port channel enable 2/1-2
show port channel
set port channel 2/1-2 mode on

3500XL

int giga0/1
 port group 1
int giga0/2
 port group 1
show port group

 

Between production Catalysts

Instead of setting the EtherChannel to "on" as in the config above, the channel must be set to "auto" so that PAgP packets are exchanged; otherwise the channel will not come up.

The production Catalysts will be a lot more involved: I will have to think about the ports being able to trunk VLANs and any other functions the current ports are performing.

The 6509 will need a different config from the 3500XLs. Cisco's documentation shows the commands differ between the two platforms.

 

Change to make the channel four ports

6506

set port disable 1/1-2,2/1-2
set port channel 1/1-2,2/1-2
set port channel 1/1-2,2/1-2 auto
set port channel enable 1/1-2,2/1-2

Console> (enable) show port 1/2
Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 1/2  Gigabit link 1-2     notconnect 1          full   1000  No Connector

Console> (enable) show port 2/2
* = Configured MAC Address

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 2/2  Gigabit link 2-2     connected  trunk      full   1000  1000BaseT

 

ROUTER2

int range gigaethernet 1/43 -46
 channel-group 50 mode desirable
 shut
 no shut
 end

ROUTER2

Connection into GigabitEthernet1/46

Functions of the current port:

interface GigabitEthernet1/46
 switchport
 switchport vlan mapping enable
 no ip address

ROUTER2#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/1       desirable    n-802.1q       trunking      1
Gi1/7       on           802.1q         trunking      1
Gi1/8       on           802.1q         trunking      1
Gi1/9       on           802.1q         trunking      1
Gi1/10      on           802.1q         trunking      1
Gi1/24      on           802.1q         trunking      1
Gi1/26      on           802.1q         trunking      1
Gi1/27      on           802.1q         trunking      1
Gi1/28      on           802.1q         trunking      1
Gi1/30      on           802.1q         trunking      1
Gi1/44      desirable    n-802.1q       trunking      1
Gi1/46      desirable    n-isl          trunking      1
Gi6/2       desirable    n-isl          trunking      1
Gi9/1       desirable    n-802.1q       trunking      1
Gi9/2       desirable    n-802.1q       trunking      1
Gi9/22      on           802.1q         trunking      1
Gi9/26      on           802.1q         trunking      1
Gi9/34      on           802.1q         trunking      1
Gi9/43      on           802.1q         trunking      1
Gi9/44      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1       1-4094
Gi1/7       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/8       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/9       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/10      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/24      1-4094
Gi1/26      1-4094
Gi1/27      1-4094
Gi1/28      1-29,32-4094
Gi1/30      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/44      1-4094
Gi1/46      1-4094
Gi6/2       1-4094
Gi9/1       1-4094
Gi9/2       1-4094
Gi9/22      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/26      1-4094
Gi9/34      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/43      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/44      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094

Port        Vlans allowed and active in management domain
Gi1/1       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/8       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/9       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/10      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/24      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/27      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/28      1-2,4,10,12,20-21,25-26,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/30      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/44      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/46      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi6/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/1       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/22      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/34      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/43      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/44      1-2,4,10,12,25-26,33,75,100-102,104,503,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       1,12
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/8       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/9       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/10      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/24      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/27      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/28      1-2,4,10,12,20-21,25-26,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/30      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/44      1
Gi1/46      1-2,10,666
Gi6/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/1       1
Gi9/2       1
Gi9/22      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/34      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/43      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/44      1-2,4,10,12,25-26,33,75,100-102,104,503,999
ROUTER2#

Configuration

!
interface Port-channel1
 switchport
 no ip address
 shutdown
!

OK, so the port channel is set up; note that it is currently shut down.

Now we need to add the configuration to the two ports:

int range gigaethernet 1/46 -47
 channel-group 1 mode desirable
 shut
 no shut
 end

Note: could "desirable" be replaced with "on" here?

show int giga 1/46 etherchannel
port-channel load-balance
show etherchannel load-bal

Netflow / cacti

NetFlow & Cacti plugin

The package for the flow capture is called flow-tools. Normally the RPM is included with the Cacti plugin, which is called FlowView:

flow-tools-0.68-12.fc3.x86_64.rpm

The daemon is flow-capture:

"service flow-capture stop"

The config file is /etc/sysconfig/flow-capture:

nano /etc/sysconfig/flow-capture

# Change the source IP and port to what is used on your network
OPTIONS="-n 287 -N 0 -w /var/netflow/flows/completed -S 5 0/0/9996"

9996 is the UDP port the collector listens on for NetFlow (the 0/0/9996 argument is local IP / exporter IP / port, with 0 meaning any).

Cisco config:

!
ip flow-export version 5
ip flow-export destination 172.19.38.228 9996
!

The directory /var/netflow/flows/completed is where the captured NetFlow files are stored.


Cisco Router Site to Site IPSEC VPN

This is my Cisco router site-to-site IPsec tunnel setup. The configuration uses esp-des and md5 as shown; both are legacy algorithms on current IOS, so a new deployment would normally put AES and a SHA-2 hash in the same places.

Router1 (90.215.78.91):

Setup IPSEC

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key c1sc0 address 81.136.245.108
!
!
crypto ipsec transform-set secretkey esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 81.136.245.108
 set transform-set secretkey
 match address 101
!


Setup Route

ip route 192.168.2.0 255.255.255.0 Dialer0

Set up the access lists. Remember to add the deny rule for local-subnet-to-remote-subnet traffic in your NAT access list; if you do not, that traffic is NATed and your routing across the tunnel will not work.

ip nat inside source list 100 interface Dialer0 overload

access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!

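Both the HSRP interface ACL 101 earlier on this page and the NAT list 100 here depend on the same two IOS rules: entries are tried top-down and the first match wins, and anything that matches nothing hits the implicit deny at the end. Here is an added Python example (not Cisco code and not from the original notes) that evaluates `access-list N permit|deny ip SRC DST` entries with Cisco wildcard masks. ACL 101 is the HSRP list from this page, ACL 100 is Router1's NAT list above, and ACL 200 is a constructed copy of the NAT list with the deny line left out, to show why the exemption matters: for a NAT list, permit means "translate", so without the deny the VPN-bound packets get NATed and never match the crypto ACL.

```python
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (n & care)


def _take_target(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return ((net, wc), remaining)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [(action, src, dst), ...]} in file order."""
    acls = {}
    for raw in lines:
        tokens = raw.split()
        if (len(tokens) < 5 or tokens[0] != "access-list"
                or tokens[2] not in ("permit", "deny") or tokens[3] != "ip"):
            continue  # only the 'ip' form used on this page is modelled
        try:
            src, rest = _take_target(tokens[4:])
            dst, _ = _take_target(rest)
        except IndexError:
            continue  # truncated entry: skip it
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def evaluate(acl, src, dst):
    """Walk the entries top-down; first match wins; no match means the implicit deny."""
    for action, (snet, swc), (dnet, dwc) in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# ACL 101 is the HSRP interface ACL and ACL 100 the NAT list, both as given on this page.
# ACL 200 is constructed: the same NAT list with the exemption forgotten.
ACL_LINES = [
    "access-list 101 permit ip host 10.164.30.1 any",
    "access-list 101 permit ip host 10.164.30.3 host 172.19.57.80",
    "access-list 101 deny ip 10.164.30.0 0.0.0.255 172.19.0.0 0.0.255.255",
    "access-list 101 permit ip any any",
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 200 permit ip 192.168.1.0 0.0.0.255 any",
]

ACLS = parse_acl(ACL_LINES)


def will_be_natted(nat_acl, src, dst):
    """In a NAT source list, a permit means the packet is translated."""
    return evaluate(nat_acl, src, dst) == "permit"


if __name__ == "__main__":
    print("10.164.30.3 -> 172.19.57.81 on ACL 101:", evaluate(ACLS["101"], "10.164.30.3", "172.19.57.81"))
    print("VPN traffic NATed with exemption:", will_be_natted(ACLS["100"], "192.168.1.10", "192.168.2.20"))
    print("VPN traffic NATed without exemption:", will_be_natted(ACLS["200"], "192.168.1.10", "192.168.2.20"))
```

The same evaluator works for any standard or extended `ip` entry of this shape; protocol- and port-specific entries (`tcp ... eq 80`) are not modelled here.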

Router2 (81.136.245.108):

Setup IPSEC

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key c1sc0 address 90.215.78.91
!
!
crypto ipsec transform-set secretkey esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 90.215.78.91
 set transform-set secretkey
 match address 101
!

Setup Route

ip route 192.168.1.0 255.255.255.0 Dialer0

Set up the access lists

ip nat inside source list 100 interface Dialer0 overload

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255