ESXi 5.5 and Teaming on Cisco Switches (VLANs)

Posted in ESX, Networking on November 22nd, 2016 by termina

 

Create a basic port channel. `channel-group 1 mode on` builds a static EtherChannel with no PAgP/LACP negotiation, which is what a standard vSwitch on ESXi 5.5 supports (LACP needs a distributed switch). The port channel is a plain trunk, all VLANs allowed and native VLAN 1; on a production switch prune it with `switchport trunk allowed vlan` and move the native VLAN off VLAN 1.

interface Port-channel1
description ESX Port Channel
switchport mode trunk

interface GigabitEthernet0/8
description ESX team
channel-group 1 mode on
spanning-tree portfast trunk

interface GigabitEthernet0/9
description ESX team
channel-group 1 mode on
spanning-tree portfast trunk

Configure NIC teaming (Configuration – Network – Properties – vSwitch Properties) with the following settings. A static EtherChannel requires IP-hash load balancing: the other policies assume each VM MAC lives on a single uplink, which a port channel breaks, and VMware supports only IP hash with EtherChannel. Beacon probing is not supported together with IP hash, so failover detection stays on link status, and every uplink in the team must be active (no standby adapters).

Load Balancing: Route based on IP hash

Network Failover Detection: Link status only

Notify Switches: Yes

Failback: No

 

When you’re happy with the results, update your Management network settings to use NIC teaming as well.

 

Raspberry PI Phone Home

Posted in Networking on November 15th, 2016 by termina

This can be done on any systemd-based system; this example is on a Raspberry Pi running Raspbian (jessie).

# apt-get install autossh

Generate an SSH key and copy it to the server (this is the key the Pi will use to open the tunnel)

# ssh-keygen

# ssh-copy-id [email protected]

Create /etc/systemd/system/autossh.service. Two things to get right here: autossh must not be started with -f, because systemd is the supervisor and a forking autossh would be treated as having exited (and restarted in a loop), so no PID file is needed either; and the tunnel does not need root, so a dedicated unprivileged user with its own key is a better choice than User=root if you can spare the setup.

[Unit]
Description=AutoSSH reverse tunnel to server
After=network-online.target
Wants=network-online.target

[Service]
User=root
# GATETIME=0: a failure on the very first connect (network not up yet) is retried instead of making autossh give up.
Environment=AUTOSSH_GATETIME=0
# -M 0 disables autossh's own monitor port; ServerAlive* lets ssh itself notice a dead link.
# ExitOnForwardFailure makes ssh exit, and autossh reconnect, if port 9993 is already taken on the server.
# No -q: keep ssh's errors in the journal for troubleshooting.
ExecStart=/usr/bin/autossh -M 0 -N -T -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 9993:localhost:22 [email protected]
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Reload systemd

# systemctl daemon-reload

Enable/Start Service

# systemctl enable autossh

# systemctl start autossh

Now from “server” you should be able to reach your Pi over the tunnel

# ssh localhost -p 9993
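Two checks worth adding to this setup, as an added example that is not part of the original post: on the server, the Pi's key should be restricted so that a stolen or compromised Pi can open only the reverse tunnel and never a shell; and from the server you can confirm the tunnel is listening on loopback only (the -R above binds 9993 on the server's loopback unless GatewayPorts is enabled). The key material, host names and ss output below are constructed; `restrict` and `permitlisten` need OpenSSH 7.2 and 7.8 respectively on the server.

```shell
#!/bin/sh
# Added example, not part of the original post: lock the Pi's key down on the
# server so a stolen key can only open the reverse tunnel, and check from the
# server that the tunnel is really up. Key, host names and ss(8) output are
# made-up placeholders.

# restricted_authorized_key PORT PUBKEY_LINE
# Prints an authorized_keys entry that forbids shell, pty, agent/X11
# forwarding and any listen port other than PORT on loopback.
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="localhost:%s" %s\n' "$1" "$2"
}

# tunnel_listening PORT  (stdin: output of `ss -Hltn`)
# Succeeds only if something is bound to PORT on a loopback address, i.e. the
# -R forward is up and is not exposed on other interfaces.
tunnel_listening() {
    awk -v port="$1" '
        $4 ~ ("^(127\\.0\\.0\\.1|\\[::1\\]):" port "$") { found = 1 }
        END { exit !found }'
}

# Constructed sample: a public key line as ssh-copy-id installs it, and two
# ss(8) snapshots, one with the tunnel up and one without it.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly root@raspberrypi'
SS_TUNNEL_UP='LISTEN 0 128 127.0.0.1:9993 0.0.0.0:*
LISTEN 0 128 [::1]:9993 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SS_TUNNEL_DOWN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# On the server: append this line to ~tunneluser/.ssh/authorized_keys
restricted_authorized_key 9993 "$SAMPLE_PUBKEY"
# On the server: ss -Hltn | tunnel_listening 9993 && echo "tunnel up"
printf '%s\n' "$SS_TUNNEL_UP" | tunnel_listening 9993 && echo "sample: tunnel up"
```

If the check fails right after a reboot of the Pi, look at `journalctl -u autossh` on the Pi first: with `ExitOnForwardFailure=yes` the most common cause is a stale sshd still holding port 9993 on the server from the previous connection, which clears as soon as its ServerAlive probes time out.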

 

 

Debian 7 LACP Bonding /etc/network/interfaces

Posted in Networking on March 12th, 2014 by termina

/etc/network/interfaces (bond-lacp-rate takes slow or fast; bond-miimon 100 is the link monitoring interval in milliseconds that the 802.3ad driver needs)


auto bond0
iface bond0 inet static
address 10.10.0.100
gateway 10.10.0.1
netmask 255.255.255.0
bond-slaves eth0 eth1 eth2
bond-mode 802.3ad
bond-miimon 100
bond-lacp-rate fast

ExtremeWare configuration

On the switch side, `dynamic` means LACP (a static `enable sharing` without it would not negotiate with bond-mode 802.3ad). This groups ports 41, 42 and 43 into one aggregate, with 41 as the master port:


enable sharing 41 grouping 41,42,43 dynamic
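Whether LACP actually came up is not visible from `ifconfig`; a bond whose switch ports were left static still shows bond0 up, just with one unaggregated link. As an added example (not from the original post), the script below reads the bonding driver's status file, normally /proc/net/bonding/bond0, and fails loudly when the partner MAC is all zeros, a slave is down, or the slaves ended up in different aggregators. The two status files it checks are constructed, abridged samples with made-up MAC addresses.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the bond actually
# negotiated LACP with the switch instead of quietly falling back to one
# unaggregated link. Reads the bonding driver's status file, normally
# /proc/net/bonding/bond0. The two files below are constructed, abridged
# samples; the MAC addresses in them are made up.

# lacp_check FILE
# Exits 0 and prints a one-line summary when FILE describes a healthy
# 802.3ad bond; otherwise prints the first problem found and exits 1.
lacp_check() {
    awk '
        /^Bonding Mode:/       { mode_ok = ($0 ~ /802\.3ad/) }
        /^Slave Interface:/    { slave = $NF; nslaves++; in_slave = 1 }
        /^MII Status:/         { if (in_slave && $NF != "up") down = down " " slave }
        /Partner Mac Address:/ { partner = $NF }
        /Number of ports:/     { nports = $NF }
        /Aggregator ID:/ {
            if (!in_slave)       active = $NF    # bond-level "Active Aggregator Info"
            else if (agg == "")  agg = $NF       # first slave sets the expectation
            else if (agg != $NF) split_agg = 1   # a slave ended up in another aggregator
        }
        END {
            if (!mode_ok) { print "bond is not in 802.3ad mode"; exit 1 }
            if (partner == "" || partner == "00:00:00:00:00:00") {
                print "no LACP partner: switch side is static or not running LACP"; exit 1
            }
            if (down != "") { print "slave link down:" down; exit 1 }
            if (split_agg || agg != active) { print "slaves split across aggregators"; exit 1 }
            if (nports + 0 != nslaves) { print "only " nports " of " nslaves " slaves aggregated"; exit 1 }
            print "LACP ok: " nslaves " ports in aggregator " active ", partner " partner
        }' "$1"
}

# Constructed sample 1: three slaves, all in the active aggregator, with a
# real LACP partner (the switch).
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
802.3ad info
LACP rate: fast
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 3
        Partner Mac Address: 00:04:96:aa:bb:cc

Slave Interface: eth0
MII Status: up
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Aggregator ID: 1

Slave Interface: eth2
MII Status: up
Aggregator ID: 1
EOF

# Constructed sample 2: the switch ports were not configured for LACP, so the
# partner MAC is all zeros and every slave sits alone in its own aggregator.
SAMPLE_STATIC=$(mktemp)
cat > "$SAMPLE_STATIC" <<'EOF'
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up
802.3ad info
Active Aggregator Info:
        Aggregator ID: 1
        Number of ports: 1
        Partner Mac Address: 00:00:00:00:00:00

Slave Interface: eth0
MII Status: up
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Aggregator ID: 2

Slave Interface: eth2
MII Status: up
Aggregator ID: 3
EOF

# Real use: lacp_check /proc/net/bonding/bond0
lacp_check "$SAMPLE_OK"
lacp_check "$SAMPLE_STATIC" || true
```

The "no LACP partner" case is exactly what you get when the switch ports are plain access or static-sharing ports: the kernel still brings bond0 up, but traffic goes over a single link and a cable fault on that link is a full outage rather than a degraded aggregate.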

Summit 400-48t Enable Advanced Edge License

Posted in Code, Networking on March 3rd, 2014 by termina

I noticed the license is a 7-digit numeric value, so I modified an existing script floating around for the Summit 400-48t. It should work with any Summit 200/300/400.

You may need to change the “Summit400” near the end of the file to match your prompt. This runs much quicker than I expected; I got my license after 4 hours or so.

Uncomment the Dump_Log line if you have trouble and need to debug the session.


#!/usr/bin/perl
use strict;
use warnings;
use Net::Telnet;

my $t = Net::Telnet->new(
    Timeout => 10,
    # Dump_Log => "dump.log",   # uncomment to log the whole session for debugging
    Prompt  => '/\* Summit*$/',
    Errmode => 'die',
);
$t->open('SWITCHIPADDRESS');
$t->waitfor('/login: $/i');
$t->print('admin');
$t->waitfor('/password: $/i');
$t->print('YOURPASSWORD');
$t->waitfor('/Summit400/i');    # change Summit400 to match your switch prompt

# The key is a 7-digit number, so walk the whole numeric keyspace.
for (my $x = 1; $x < 9999999; ++$x) {
    print "Trying: $x\n";
    # my @lines = $t->cmd("enable license advanced-edge $x");
    $t->print("enable license advanced-edge $x");
    $t->waitfor('/Summit400/i');
}

MRV LX Console Server to Cisco Pinout

Posted in Networking on December 26th, 2013 by termina

Crimp an RJ45 cable with the following pinout (pins 1 and 8 straight through, pins 2 to 7 rolled)

1 <-> 1
2 <-> 7
3 <-> 6
4 <-> 5
5 <-> 4
6 <-> 3
7 <-> 2
8 <-> 8

On the MRV LX, use the following settings

– Flow Control to “None”
– Banner to “None”
– Disable “AutoHangup”
– Change Prompt to empty string

You can now access your Cisco devices through your MRV LX console server.

Update: Extreme Networks devices work with the regular blue Cisco console cable: console end to the switch, RJ45 end to the MRV.

Obtain free Cisco IOS upgrades

Posted in Networking on October 7th, 2013 by termina
0. Determine who purchased the device. You will need to send the email from their CCO-registered account; this does not mean the device needs an active support contract.
1. Log onto the device and capture the full output of “show version”.
2. Go to http://tools.cisco.com/security/center/selectIOSVersion.x and select the “B” option to use the “show version” output.
3. Choose to view all security vulnerabilities.
4. Send an email to [email protected] with
  • The output of “show version” in the body of the e-mail
  • Serial number of the device in the body of the e-mail (yes, even though it’s in show ver)
  • A list of all vulnerabilities for the selected IOS from Cisco’s website in the body of the e-mail (just copy and paste the links)
  • A request for a non-vulnerable IOS version

5. Wait and they should send you a link to download the IOS.

Cisco wireless access point and Windows 2008 RADIUS EAP Authentication

Posted in Networking on October 7th, 2013 by termina
Configure Windows Server for RADIUS
1. Install the Network Policy Server (NPS) and Active Directory Certificate Services roles if you have not already; PEAP needs a server certificate the clients trust.
2. Open Server Manager. Roles – Network Policy and Access Services – NPS (Local) – RADIUS Clients
3. Create a new RADIUS client

  • Friendly name: Name of AP (Example: corp-ap-1141-il)
  • IP Address: IP of AP
  • Shared Secret – Manual. Generate a long random alphanumeric secret (20+ characters; no special characters, because IOS treats “?” as help and strips leading spaces). The secret is all that protects the RADIUS exchange between AP and server, so treat it like a password.
  • Under the “Advanced” tab, Vendor name: Cisco and check “RADIUS client is NAP-capable”

4. Under NPS – Policies – Network Policies create a new policy called ‘Cisco AP Radius’

  • Conditions tab: Windows Groups (Domain Users)
  • Constraints tab
    • Authentication Methods: under EAP Types add all three (Microsoft: Protected EAP (PEAP), Microsoft: Secured password (EAP-MSCHAP v2), Microsoft: Smart Card or other certificate). Leave the non-EAP boxes (MS-CHAPv2, MS-CHAP, CHAP, PAP/SPAP) unchecked: the AP only sends EAP, and enabling them lets a misconfigured client authenticate with a weaker method.
    • NAS Port Type: Select Wireless – IEEE 802.11 under Common 802.1X connection tunnel types and “Wireless – Other” under “Others”
  • Settings tab
    • Standard: add Service-Type Login

5. When done, move the Cisco AP Radius policy to the #1 position


Configure Cisco AP for RADIUS

1. Enter the RADIUS group information (the key must match the shared secret from the NPS client entry)

aaa new-model
aaa group server radius rad_eap
 server 10.0.0.3 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key KEYYOUGENERATEDEARLIER
dot11 ssid CompanyWifi
 no authentication open
 no wpa-psk ascii
 authentication open eap eap_methods
 authentication network-eap eap_methods

This fragment only moves authentication to RADIUS. For the over-the-air encryption to be WPA2 rather than dynamic WEP, the SSID also needs `authentication key-management wpa version 2`, the radio interface needs an AES-CCMP cipher (`encryption mode ciphers aes-ccm`), and the SSID must be bound to the radio interface.

2. Try to connect with a client computer. Debug on the AP with: debug radius authentication

 

tshark MAC address filtering

Posted in Networking, Security on June 24th, 2010 by termina

Had to troubleshoot a Solaris box but couldn’t go by IP address since it wasn’t picking one up, so filter on the MAC address instead.


tshark -i eth1 -R "eth.addr == 00:03:ba:05:0d:60"

(-R is the read/display filter on tshark of this vintage; newer releases use -Y for this, or -f "ether host 00:03:ba:05:0d:60" as a capture filter, which discards the other frames before they are recorded at all.)
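As an added example that is not part of the original post, the helper below takes a MAC address the way the various tools print it, Cisco's dotted form from `show mac address-table` (0003.ba05.0d60), the dashed upper-case Windows form, or plain colon form, validates it, and produces both the tshark display filter used above and the equivalent BPF capture filter for -f. The addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a MAC address as
# Cisco (0003.ba05.0d60), Windows (00-03-BA-05-0D-60) or Linux print it into
# the colon form tshark expects, then emit a display filter and the
# equivalent BPF capture filter. Sample addresses are made up.

# mac_normalize MAC -> prints aa:bb:cc:dd:ee:ff; exits 1 unless the input is
# exactly 12 hex digits once separators are stripped.
mac_normalize() {
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ ${#hex} -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# tshark_display_filter MAC -> "eth.addr == aa:bb:cc:dd:ee:ff"
# Use with -R (old tshark) or -Y (newer tshark); every frame is still captured.
tshark_display_filter() {
    m=$(mac_normalize "$1") || return 1
    printf 'eth.addr == %s\n' "$m"
}

# bpf_capture_filter MAC -> "ether host aa:bb:cc:dd:ee:ff"
# Use with -f: other frames are dropped in the kernel, which matters on a
# busy link and keeps unrelated hosts' traffic out of the capture file.
bpf_capture_filter() {
    m=$(mac_normalize "$1") || return 1
    printf 'ether host %s\n' "$m"
}

# Constructed inputs: the same address in the three common notations.
for mac in '0003.ba05.0d60' '00-03-BA-05-0D-60' '00:03:ba:05:0d:60'; do
    tshark_display_filter "$mac"
done
bpf_capture_filter '0003.ba05.0d60'
# Real use: tshark -i eth1 -f "$(bpf_capture_filter 0003.ba05.0d60)"
```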

Ubuntu 9.10 PXE Boot

Posted in Networking, Services on November 16th, 2009 by termina

Ubuntu 9.10 ships its live initrd as an LZMA-compressed initrd.lz instead of initrd.gz, so the PXE setup from previous versions does not boot it; the initrd has to be repacked as gzip.

This article assumes you’ve already downloaded the iso and have a working PXE boot server.

First, copy the contents of the iso to a directory we can work with


mkdir /tmp/910

mount -o loop ubuntu-9.10-desktop-i386.iso /tmp/910

cp -r /tmp/910 /tftpboot

Convert initrd.lz to initrd.gz


cd /tftpboot/910/casper

mkdir initrd

cp initrd.lz initrd

cd initrd

lzma -dc -S .lz initrd.lz | cpio -id

rm initrd.lz

find . | cpio --quiet --dereference -o -H newc | gzip -9 > initrd.gz

cp initrd.gz /tftpboot/910/casper

Now add the appropriate lines to pxelinux (Example: /tftpboot/pxelinux.cfg/default). The nfsroot path must be the same path you export below.


LABEL Ubuntu 9.10 i386 Unmodified Livecd
KERNEL 910/casper/vmlinuz
APPEND root=/dev/nfs boot=casper netboot=nfs nfsroot=192.168.0.1:/tftpboot/910 initrd=910/casper/initrd.gz quiet splash --

Make sure the tree is shared via NFS; in /etc/exports add the following line. Export it read-only: casper only needs to read the squashfs, and a writable export would let any host on the subnet alter the images every client boots.


/tftpboot/910 192.168.0.0/24(ro,async,no_subtree_check)

Reload the NFS server

/etc/init.d/nfs-kernel-server reload

OpenSolaris LDAP Client to Linux OpenLDAP Server

Posted in Networking, Security, Services on November 13th, 2009 by termina

The following outlines how to set up an OpenSolaris client against a Linux OpenLDAP server. Note that authenticationMethod=simple on port 389 sends the proxy password, and every user password that pam_ldap verifies, across the network in the clear; if the server has TLS, use authenticationMethod=tls:simple and port 636 instead.

The following is one line:

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=admin,dc=server -a proxyPassword=yourpassword -a defaultSearchBase=dc=server -a defaultServerList=192.168.1.1:389 -a serviceSearchDescriptor=passwd:ou=People,dc=server -a serviceSearchDescriptor=group:ou=Groups,dc=server

Add the following lines to their appropriate sections in /etc/pam.conf

login   auth required   pam_ldap.so.1
other   auth required   pam_ldap.so.1
passwd  auth required   pam_ldap.so.1

Test LDAP with

ldaplist -l passwd

Test user authentication using the following steps

mkdir /export/home/ldapuser

chown ldapuser /export/home/ldapuser

Edit /etc/auto_home and add the following BEFORE “+auto_home”

ldapuser localhost:/export/home/ldapuser

SSH to test

ssh [email protected]

You should be in! If not, you may have to change the following in /etc/ssh/sshd_config

PAMAuthenticationViaKBDInt no

#Change from yes to no

Restart SSH

svcadm restart ssh

If you are still unable to log in, the user's userPassword attribute probably needs to be changed from md5/md5crypt to crypt. Resetting the password from the Solaris side does this:

su - ldapuser

passwd

After changing your password you should be able to log in.