Cisco HSRP / ACL

My setup notes on Cisco HSRP setups

access-list 101 permit ip host 10.164.30.1 any
access-list 101 permit ip host 10.164.30.3 host 172.19.57.80
access-list 101 deny ip 10.164.30.0 0.0.0.255 172.19.0.0 0.0.255.255
access-list 101 permit ip any any
interface Vlan30
 ip address 10.164.30.252 255.255.255.0
 ip access-group 101 in
 ip flow ingress
 ip route-cache flow
 mls netflow sampling
 standby 1 ip 10.164.30.254
 standby 1 priority 140
 standby 1 preempt
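Before an ACL is applied inbound on the HSRP SVI it is worth checking the rule order, because an IOS ACL is evaluated top-down and the first match wins: here the two host entries must sit above the deny for 10.164.30.0/24, or those hosts lose their access to 172.19.0.0/16. The following is an added example (my own Python, not part of these notes or of IOS) that parses access-list 101 above, converts the wildcard masks, and evaluates a few constructed flows from VLAN 30 hosts; the flows are assumptions of the example, not output from the switch.

```python
import ipaddress

# Added example (not part of the original notes): a first-match evaluator for
# extended ACL 101 above, so the rule order can be checked before the ACL is
# applied inbound on Vlan30 with "ip access-group 101 in".
ACL_101 = """
access-list 101 permit ip host 10.164.30.1 any
access-list 101 permit ip host 10.164.30.3 host 172.19.57.80
access-list 101 deny ip 10.164.30.0 0.0.0.255 172.19.0.0 0.0.255.255
access-list 101 permit ip any any
"""


def parse_address_spec(tokens, i):
    """Read one ACL address specification starting at tokens[i].

    Forms: "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address plus Cisco
    wildcard mask). Returns (network, next_index). ipaddress accepts a
    hostmask such as 0.0.0.255 after the slash, which is exactly what a
    contiguous wildcard mask is; a non-contiguous wildcard raises ValueError.
    """
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(tokens[i] + "/" + tokens[i + 1]), i + 2


def parse_acl(text):
    """Return the ACL as an ordered list of (action, source, destination)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        # access-list <number> <permit|deny> <protocol> <src spec> <dst spec>
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action = tokens[2]
        src, i = parse_address_spec(tokens, 4)   # tokens[3] is the protocol (ip)
        dst, _ = parse_address_spec(tokens, i)
        rules.append((action, src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First matching rule wins; an IOS ACL ends with an implicit deny.

    Returns (action, rule_number); rule_number is None for the implicit deny.
    """
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    for number, (action, src_net, dst_net) in enumerate(rules, 1):
        if src in src_net and dst in dst_net:
            return action, number
    return "deny", None


RULES = parse_acl(ACL_101)

if __name__ == "__main__":
    # Constructed sample flows from VLAN 30 hosts (not captured traffic).
    for flow in [("10.164.30.1", "172.19.1.1"), ("10.164.30.3", "172.19.57.80"),
                 ("10.164.30.3", "172.19.57.81"), ("10.164.30.50", "172.19.9.9"),
                 ("10.164.30.50", "192.0.2.10")]:
        print(flow, "->", evaluate(RULES, *flow))
```

The evaluator only models the address part of the entries (all four are protocol ip), which is enough to see that 10.164.30.3 reaches 172.19.57.80 only because its permit is listed before the /24 deny.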

RANCID – Cisco config backups

Adding new Devices into Rancid

Add the new device to the router.db file in the format shown below:

nano /var/rancid/ims-devices/router.db

192.168.1.1:cisco:up

Add the login details for the device to the .cloginrc file:

nano /var/rancid/.cloginrc

Test:

su rancid
bin/clogin 192.168.1.1

For a successful test the script should run, log in to the device and land in the main configuration prompt (enable). You should be able to run commands etc. If it logs in but you cannot run commands, it is not working.

Note: this happens with HP switches when using clogin; use hlogin instead.

More information below:

The Rancid router.db file

The router.db file is the device list rancid uses to do its backups. It has the format:

dns-name-or-ip-address:device-type:status

Where dns-name-or-ip-address is the hostname or IP address of the device, device-type is the type of operating system the device is expected to be running, and status (up or down) determines whether the device is backed up. This example is for a Cisco device with an IP address of 192.168.1.1:

192.168.1.1:cisco:up

Note: According to the Rancid help pages, "a '#' at the beginning of a line is considered as a comment and the entire line is ignored. If a device is deleted from the router.db file, then Rancid will clean up by removing the device's configuration file from the /usr/local/rancid/var/networking/configs directory. The CVS information for the device will be moved to the CVS Attic directory (using cvs delete)."

Various device types for Rancid

Device      Description
alteon      An Alteon WebOS switch.
baynet      A Bay Networks router.
cat5        A Cisco Catalyst 5000 or 4000 series switch (i.e. running the Catalyst OS, not IOS).
cisco       A Cisco router, PIX, or switch such as the 3500XL or 6000 running IOS (or an IOS-like OS).
css         A Cisco content services switch.
enterasys   An Enterasys NAS. This is currently an alias for the riverstone device type.
erx         A Juniper E-series edge router.
extreme     An Extreme switch.
ezt3        An ADC-Kentrox EZ-T3 mux.
force10     A Force10 router.
foundry     A Foundry router, switch, or router-switch. This includes HP Procurve switches that are OEMs of Foundry products, such as the HP9304M.
hitachi     A Hitachi router.
hp          An HP Procurve switch such as the 2524 or 4108. Also see the foundry type.
mrtd        A host running the (Merit) MRTd daemon.
netscalar   A Netscalar load balancer.
netscreen   A Netscreen firewall.
redback     A Redback router, NAS, etc.
tnt         A Lucent TNT.
zebra       Zebra routing software.
riverstone  A Riverstone NAS or Cabletron (starting with version ~9.0.3) router.
juniper     A Juniper router.
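As an added example (my own code, not part of rancid or of these notes), the Python below checks a router.db file against the format above before rancid-run is pointed at it: comment and blank lines are skipped, each entry must be name:type:status, the type must be one of those in the table, and the status must be up or down. The sample file contents are constructed; the device-type list is the table above. This follows the colon-separated format used here; rancid 3.x switched the separator to a semicolon so that IPv6 addresses can be listed.

```python
# Added example (not part of the notes or of rancid itself): a checker for
# the colon-separated router.db format described above. Device types are the
# ones in the table; the sample file contents below are constructed.
KNOWN_TYPES = {
    "alteon", "baynet", "cat5", "cisco", "css", "enterasys", "erx", "extreme",
    "ezt3", "force10", "foundry", "hitachi", "hp", "mrtd", "netscalar",
    "netscreen", "redback", "tnt", "zebra", "riverstone", "juniper",
}

SAMPLE_ROUTER_DB = """\
# core devices (a '#' line is a comment and is ignored)
192.168.1.1:cisco:up
core-sw1.example.net:cat5:up
old-fw.example.net:netscreen:down
bad line without fields
printer1:hpjet:up
"""


def parse_router_db(text):
    """Return (devices, problems).

    devices: [(name, device_type)] for every entry with status "up", i.e.
    the set rancid-run will try to log in to and back up.
    problems: [(line_number, message)] for lines that are not
    name:type:status, use a type not in the table, or have a status other
    than up/down. Blank lines and '#' comments are skipped.
    """
    devices, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3:
            problems.append((lineno, "expected name:type:status"))
            continue
        name, dtype, status = parts
        if dtype not in KNOWN_TYPES:
            problems.append((lineno, "unknown device type " + repr(dtype)))
            continue
        if status not in ("up", "down"):
            problems.append((lineno, "status must be up or down, got " + repr(status)))
            continue
        if status == "up":
            devices.append((name, dtype))
    return devices, problems


if __name__ == "__main__":
    devs, probs = parse_router_db(SAMPLE_ROUTER_DB)
    print("to back up:", devs)
    print("problems:", probs)
```

Running it on the real file before a backup run catches the typo'd device type or the stray line that would otherwise only show up as a login failure in rancid's logs.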

The Rancid .cloginrc file

The .cloginrc file lists all the passwords rancid will use. The one that comes with the Rancid installation kit has a lot of examples in it and is fairly self-explanatory. Unfortunately some of the examples are not commented out, so you will have to do so yourself. Here is a sample snippet using some commonly encountered scenarios.

#
# Sample .cloginrc file
#

####################################################################
#
# Device 192.168.1.16 has a unique username and password, but
# logins do not get the enable prompt.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################

add password 192.168.1.16 {telnet-password} {enable-password}

####################################################################
#
# Devices with DNS names ending in my-web-site.org in the router.db
# file or beginning with 172.16. have a different set of passwords.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################

add password *.my-web-site.org {telnet-password} {enable-password}
add password 172.16.* {telnet-password} {enable-password}

####################################################################
#
# Everything else uses these passwords. Rancid will attempt to use
# telnet then SSH for logins
#
####################################################################

add password * {telnet-password} {enable-password}
add method * telnet ssh
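As an added example (mine, not rancid's code), the Python below reads the sample .cloginrc entries in the same first-match order as the file above, so you can confirm which password pair and login method a given router.db device would get, and it checks the file mode, since clogin will not use a .cloginrc that other users can read. The passwords in the constructed sample are placeholders, and the 0o077 mode check is my assumption of a safe setting rather than clogin's exact test.

```python
import fnmatch

# Added example (not part of the notes or of rancid): resolve which .cloginrc
# entry applies to a device, using the first-match glob rule that the sample
# file's ordering relies on (the catch-all "*" entries come last). Passwords
# in the constructed sample are placeholders.
SAMPLE_CLOGINRC = """\
# constructed sample
add password 192.168.1.16 {telnet-pw-16} {enable-pw-16}
add password *.my-web-site.org {web-telnet-pw} {web-enable-pw}
add password 172.16.* {lab-telnet-pw} {lab-enable-pw}
add password * {default-telnet-pw} {default-enable-pw}
add method * telnet ssh
"""


def parse_cloginrc(text):
    """Return [(directive, host_glob, values)] in file order.

    Only "add <directive> <glob> <values...>" lines are handled and the Tcl
    braces around passwords are stripped; a password containing whitespace
    would need the real Tcl parser.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "add":
            continue
        directive, pattern, values = parts[1], parts[2], parts[3:]
        if directive == "password":
            values = [v.strip("{}") for v in values]
        entries.append((directive, pattern, values))
    return entries


def lookup(entries, directive, device):
    """First entry whose glob matches the device name wins, so a "*" entry
    placed before a specific one would shadow it. The globbing is the same
    *, ? and [...] style rancid uses (Tcl string match)."""
    for entry_directive, pattern, values in entries:
        if entry_directive == directive and fnmatch.fnmatchcase(device, pattern):
            return values
    return None


def password_file_is_private(mode):
    """True when a file mode (as from os.stat(path).st_mode) grants no
    group or other access at all. clogin refuses a .cloginrc readable by
    others; requiring 0600/0400 here is my assumption of a safe setting,
    not clogin's exact test."""
    return (mode & 0o077) == 0
```

Against a real file, pass os.stat("/var/rancid/.cloginrc").st_mode to password_file_is_private and the device names from router.db to lookup; a None result means the device would fall through every entry, which with the "*" catch-all above can only happen if that line is removed.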

Testing Rancid

Rancid has a number of scripts that can be run as part of a testing program and the logs they create are fairly detailed. Here are some examples. As a general rule, it is usually easiest to do testing as the rancid user.

Testing A Login for a Single Device

The clogin script in the bin directory can be used to read the .cloginrc file as part of an interactive test. In this example, we successfully log in to our 192.168.1.1 Cisco device and get an interactive enable prompt.

[rancid@bigboy ~]$ bin/clogin 192.168.1.1
192.168.1.1
spawn telnet 192.168.1.1
Trying 192.168.1.1...
Connected to (192.168.1.1).
Escape character is '^]'.

User Access Verification

Password:
Type help or '?' for a list of available commands.
pixfirewall> enable
Password: ********
pixfirewall#
pixfirewall# exit

Logoff

Connection closed by foreign host.
[rancid@bigboy ~]$

You can still test if you are not logged in as the rancid Linux user but are a member of the netadm group (or root). Simply run the clogin command with rancid's /usr/local/rancid/.cloginrc password file, as in the example below.

[root@bigboy tmp]$ /usr/local/rancid/bin/clogin \
    -f /usr/local/rancid/.cloginrc -u netadm 192.168.1.1

Testing For All Devices

The rancid-run script in the bin directory can be used to read the .cloginrc file as part of a complete test.

[rancid@bigboy ~]$ bin/rancid-run
[rancid@bigboy ~]$

Taken from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid

Cisco Ether-channel

These are the notes from my production environment setup of a Cisco Catalyst 6506 and a Cisco 3500XL switch.

6500 Catalyst

Set the ports up for channelling:

set port disable 2/1-2
set port channel 2/1-2 auto
set port channel enable 2/1-2
show port channel
set port channel 2/1-2 mode on

3500XL

int giga0/1
 port group 1
int giga0/2
 port group 1
show port group

 

Between production Catalysts

Instead of setting the EtherChannel mode to "on" as in the config above, the channel must be set to "auto" so that PAgP packets are exchanged; otherwise the channel will not come up.

The production Catalysts will be a lot more involved: I will have to think about the ports being able to trunk VLANs and any other functions the current ports are performing.

The 6509 config will be different from the 3500XL's. Cisco's documentation shows the commands differ between the two platforms.

 

Change to make the channel four ports

6506

set port disable 1/1-2,2/1-2
set port channel 1/1-2,2/1-2
set port channel 1/1-2,2/1-2 auto
set port channel enable 1/1-2,2/1-2

Console> (enable) show port 1/2
Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 1/2  Gigabit link 1-2     notconnect 1          full   1000  No Connector

Console> (enable) show port 2/2
* = Configured MAC Address

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
 2/2  Gigabit link 2-2     connected  trunk      full   1000  1000BaseT

 

ROUTER2

interface range GigabitEthernet1/43 - 46
 channel-group 50 mode desirable
 shut
 no shut
 end

 

 

ROUTER2

Connection into GigabitEthernet1/46

Functions of the current port:

interface GigabitEthernet1/46
 switchport
 switchport vlan mapping enable
 no ip address

 

ROUTER2#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/1       desirable    n-802.1q       trunking      1
Gi1/7       on           802.1q         trunking      1
Gi1/8       on           802.1q         trunking      1
Gi1/9       on           802.1q         trunking      1
Gi1/10      on           802.1q         trunking      1
Gi1/24      on           802.1q         trunking      1
Gi1/26      on           802.1q         trunking      1
Gi1/27      on           802.1q         trunking      1
Gi1/28      on           802.1q         trunking      1
Gi1/30      on           802.1q         trunking      1
Gi1/44      desirable    n-802.1q       trunking      1
Gi1/46      desirable    n-isl          trunking      1
Gi6/2       desirable    n-isl          trunking      1
Gi9/1       desirable    n-802.1q       trunking      1
Gi9/2       desirable    n-802.1q       trunking      1
Gi9/22      on           802.1q         trunking      1
Gi9/26      on           802.1q         trunking      1
Gi9/34      on           802.1q         trunking      1
Gi9/43      on           802.1q         trunking      1
Gi9/44      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/1       1-4094
Gi1/7       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/8       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/9       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/10      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/24      1-4094
Gi1/26      1-4094
Gi1/27      1-4094
Gi1/28      1-29,32-4094
Gi1/30      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/44      1-4094
Gi1/46      1-4094
Gi6/2       1-4094
Gi9/1       1-4094
Gi9/2       1-4094
Gi9/22      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/26      1-4094
Gi9/34      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/43      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi9/44      1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094

Port        Vlans allowed and active in management domain
Gi1/1       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/8       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/9       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/10      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/24      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/27      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/28      1-2,4,10,12,20-21,25-26,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/30      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/44      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/46      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi6/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/1       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/22      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/34      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/43      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/44      1-2,4,10,12,25-26,33,75,100-102,104,503,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       1,12
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/8       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/9       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/10      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/24      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/27      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/28      1-2,4,10,12,20-21,25-26,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/30      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/44      1
Gi1/46      1-2,10,666
Gi6/2       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/1       1
Gi9/2       1
Gi9/22      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/26      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi9/34      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/43      1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi9/44      1-2,4,10,12,25-26,33,75,100-102,104,503,999
ROUTER2#
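As an added example (not part of the notes), here is a Python parser for the show int trunk output above, using a shortened three-port copy of that output as sample input, plus a hygiene check I added on top of it: it flags trunks whose encapsulation was negotiated by DTP (the n- prefix that goes with the desirable mode used on the channel ports) and trunks that allow all VLANs 1-4094. The notes do not state that check; which ports to flag and the all-VLAN threshold are my assumptions.

```python
# Added example (not from the original notes): parse the "show int trunk"
# output above into per-port data and run a trunk-hygiene check over it.
# The sample is a shortened copy of the output shown on this page.
SAMPLE_SHOW_TRUNK = """\
ROUTER2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/1       desirable    n-802.1q       trunking      1
Gi1/7       on           802.1q         trunking      1
Gi1/46      desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Gi1/1       1-4094
Gi1/7       1-19,22-30,33-69,71-79,81-84,86-89,91-95,97,100-665,667-4094
Gi1/46      1-4094

Port        Vlans allowed and active in management domain
Gi1/1       1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999

Port        Vlans allowed and active in management domain
Gi1/46      1-2,4,10,12,20-21,25-26,31,33,70,75,80,85,90,96,98-102,104,503,666,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       1,12
Gi1/7       1-2,4,10,12,25-26,33,75,100-102,104,503,999
Gi1/46      1-2,10,666
ROUTER2#
"""

SECTION_KEYS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-3,10' into the set {1, 2, 3, 10}."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_show_trunk(text):
    """Return {port: {...}} from "show interfaces trunk" output.

    The column header that begins each table selects which field is being
    filled, so the repeated headers produced by terminal paging (as in the
    output above) are handled as well.
    """
    ports, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#" in line:          # blank line or the CLI prompt
            continue
        if line.startswith("Port"):
            title = line[4:].strip()
            section = "mode" if title.startswith("Mode") else SECTION_KEYS[title]
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "mode":
            entry.update(mode=fields[1], encapsulation=fields[2],
                         status=fields[3], native=int(fields[4]))
        else:
            entry[section] = expand_vlans(fields[1])
    return ports


ALL_VLANS = set(range(1, 4095))


def review(ports):
    """Hygiene findings (my added check, not something the notes state):
    trunks whose encapsulation was negotiated by DTP (the 'n-' prefix,
    i.e. mode desirable/auto) and trunks that allow every VLAN."""
    findings = []
    for port, info in sorted(ports.items()):
        if info.get("encapsulation", "").startswith("n-"):
            findings.append((port, "DTP-negotiated trunk, mode " + info["mode"]))
        if info.get("allowed") == ALL_VLANS:
            findings.append((port, "allows all VLANs 1-4094"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_show_trunk(SAMPLE_SHOW_TRUNK)):
        print(*finding)
```

Paste the full output from the switch in place of the sample to get the same report for every trunk; the "active" and "forwarding" sets also make it easy to spot a trunk (like Gi1/46 above) where far fewer VLANs are forwarding than are allowed.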


Configuration

!
interface Port-channel1
 switchport
 no ip address
 shutdown
!

OK, so the port channel is set up; note that it is currently shut down.

Now we need to add the configuration to the two ports:

interface range GigabitEthernet1/46 - 47
 channel-group 1 mode desirable
 shut
 no shut
 end

Note: can "desirable" be used instead of "on"?

show int giga 1/46 etherchannel
port-channel load-balance
show etherchannel load-bal

Setup Linux ODBC database connections into Microsoft SQL

In this example I am using CentOS 6 (64-bit) to connect to my Microsoft SQL database server.

yum install php php-odbc wget gcc php-pear php-pecl-apc php-xml php-xmlrpc php-intl php-tidy php-imap php-pecl-memcache

Grab the client from Microsoft:

wget http://download.microsoft.com/download/6/A/B/6AB27E13-46AE-4CE9-AFFD-406367CADC1D/Linux6/sqlncli-11.0.1790.0.tar.gz
tar xvf sqlncli-11.0.1790.0.tar.gz
cd sqlncli-11.0.1790.0
./build_dm.sh

After that (the unixODBC build directory under /tmp is the one build_dm.sh printed; yours will have a different name):

cd /tmp/unixODBC.5996.21582.3453/unixODBC-2.3.0
make install
cd /path_to_sql_client_download/sqlncli-11.0.1790.0
./install.sh install --lib-dir=/usr/local/lib64 --accept-license

Now that I have installed the Microsoft ODBC client, I edit the /etc/odbc.ini file and set up the DSN values:

nano /etc/odbc.ini

[MyDSNName]
Driver=ODBC Driver 13 for SQL Server
Description=Database
Trace=Yes
Server=172.17.17.234
Port=1433
Database=database1
MSSqlUser=sa
MSSqlUserPassword=PASSWORDHERE
MARS_Connection=yes

Test:

isql -v MyDSNName MSSqlUser MSSqlUserPassword

I also had to restart Apache for the new modules to be loaded for database access via my web page:

service httpd restart

restart postfix

#!/bin/bash
# Restart the mail services if the postfix active queue is above a limit and
# has not shrunk after two minutes (i.e. mail is not being delivered).

OUR_QUEUE_LIMIT=150
QUEUE_DIR=$(postconf -h queue_directory)

# Count the files in the active queue. Note the space after "$(": the
# original "$((" was parsed as an arithmetic expansion, not a subshell.
count_active() {
    ( test -d "$QUEUE_DIR/active" && find "$QUEUE_DIR/active" -type f ) | wc -l
}

START_QUEUE=$(count_active)

if [ "$START_QUEUE" -lt "$OUR_QUEUE_LIMIT" ]; then
    exit 0
fi

sleep 120

CURR_QUEUE=$(count_active)
if [ "$CURR_QUEUE" -ge "$START_QUEUE" ]; then
    # the restart script, invoked by name (the original had a stray "()")
    /usr/sbin/restart-mail-services
fi
exit 0

 

#!/bin/bash

# Stop postfix (mail stops coming in and out when you do this)
service postfix stop

# Run a cleanup after 30 seconds - this gives postfix time to finish any email it was busy with
sleep 30

# Stop Amavis
service amavis stop

# Purge old temporary files that are left over after system or software crashes
postsuper -p

# Structure check and structure repair
postsuper -s

# Restart Amavis
service amavis start

# Give Amavis time to start - 15 seconds should do it
sleep 15

# Now start postfix
service postfix start

check_mk remote plugin – mrpe

  • Put the script on the remote server
  • Install the check_mk_agent
  • Create the directory /etc/check_mk
  • Create the file /etc/check_mk/mrpe.cfg

In mrpe.cfg, give the check a name followed by the check command to run with its parameters:

Postfix_Active_Q /usr/lib/check_mk_agent/postfix_queue -w 20 -c 100 -q active

That should be it!

Now run an inventory (-I) on the Nagios server and it should pick up the check.

Mondo Setup

Mondo is a great Linux backup utility; here are my installation and usage notes.

Install Mondo

[root@server1-imetal ~]# cat /scripts/runbackup-full
#!/bin/bash

mkdir -p /mnt/backup-share/`date +%F`-full
mondoarchive -Oi -F -d /mnt/backup-share/`date +%F`-full -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-full
[root@server1-imetal ~]# cat /scripts/runbackup-differential
#!/bin/bash

mkdir -p /mnt/backup-share/`date +%F`-differential
mondoarchive -D -Oi -F -d /mnt/backup-share/`date +%F`-differential -S /home/mondo-scratch -T /home/mondo-scratch -E '/mnt/backup-share' -s 4300m -p imetal-differential
[root@server1-imetal ~]#

Cron

###### MONDO BACKUPS
0 19 * * 0 root /scripts/runbackup-differential
0 19 * * 6 root /scripts/runbackup-differential
0 19 * * 5 root /scripts/runbackup-full
0 19 * * 4 root /scripts/runbackup-differential
0 19 * * 3 root /scripts/runbackup-differential
0 19 * * 2 root /scripts/runbackup-differential
0 19 * * 1 root /scripts/runbackup-differential
[root@server1-imetal ~]#

mailq – delete domain

mailq | awk '/^[0-9A-F][0-9A-F]*.*error.mag2.com$/ {print $1}' | tr -d '*' | xargs -rn1 postsuper -d

Where error.mag2.com is the domain, or from address, you wish to delete. This works pretty well. I may whip up a bash script to handle this in the future.

For reference, the worst offenders are:

  1. magerr.combzmail.jp
  2. prjapanmail.jp
  3. error.mag2.com
  4. accessmail.jp
  5. mayld.net

Also, to delete items from the queue(s) based on the to address:

mailq | tail -n+2 | awk 'BEGIN { RS = "" } { if ($8 == "toaddy@domain.com" && $9 == "") print $1 }' | tr -d '*!' | postsuper -d -

Add multisite backends to Nagvis

nano /usr/sbin/nagvis/etc/nagvis.ini.php

; ----------------------------
; Backend definitions
; ----------------------------

; Example definition of a livestatus backend.
; In this case the backend_id is live_1
; The path /usr/local/nagios/var/rw has to exist
[backend_live_1]
backendtype="mklivestatus"
; The status host can be used to prevent annoying timeouts when a backend is not
; reachable. This is only useful in multi backend setups.
;
; It works as follows: The assumption is that there is a "local" backend which
; monitors the host of the "remote" backend. When the remote backend host is
; reported as UP the backend is queried as normal.
; When the remote backend host is reported as "DOWN" or "UNREACHABLE" NagVis won't
; try to connect to the backend anymore until the backend host gets available again.
;
; The statushost needs to be given in the following format:
; "<backend_id>:<hostname>" -> e.g. "live_2:nagios"
;statushost=""
socket="unix:/var/spool/nagios/cmd/live"

[backend_live_2]
backendtype="mklivestatus"
socket="tcp:site1:6558"

[backend_site2_1]
backendtype="mklivestatus"
socket="tcp:site2:6558"

 

postfix aliases

If the aliases are not working, check the following. Most likely a domain has been set in the Postfix configuration, so mail for root is not going to the alias target (root: james@domain.net) but to root@serversdomain.com. If this is the case you need to set a few things in the Postfix main.cf.

The issue was that I had this set:

 

# other configuration parameters.
#
myhostname = companyltd.co.uk
#myhostname = virtual.domain.tld

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
mydomain = companyltd.co.uk

# SENDING MAIL
#

But mydestination did not contain the domain, so Postfix did not know to deliver the mail locally:

#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
mydestination = localhost, companyltd.co.uk

#mydestination = $myhostname, localhost.$mydomain, localhost
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
#	mail.$mydomain, www.$mydomain, ftp.$mydomain

# REJECTING MAIL FOR UNKNOWN LOCAL USERS