Networking – Linux Administration

ESXi 5.5 and Teaming on Cisco Switches (VLANs)

Create a basic port channel


interface Port-channel1
description ESX Port Channel
switchport mode trunk

interface GigabitEthernet0/8
description ESX team
channel-group 1 mode on
spanning-tree portfast trunk

interface GigabitEthernet0/9
description ESX team
channel-group 1 mode on
spanning-tree portfast trunk

Configure NIC teaming (Configuration – Network – Properties – vSwitch Properties) with the following settings


Load Balancing: Route based on IP address

Network Failover Detection: Link status only

Notify Switche: Yes

Failback: No

When you’re happy with the results, update your Management network settings to use NIC teaming as well.

Raspberry PI Phone Home

This can be done on any systemd based system, this example is on a Raspberry PI running Raspbian (jessie).

# apt-get install autossh

Generate SSH key and copy it over

# ssh-keygen

# ssh-copy-id root@server

Create /etc/systemd/system/autossh.service


[Unit]
Description=AutoSSH service
After=network.target

[Service]
User=root
Environment=AUTOSSH_PIDFILE=/tmp/autossh.pid
ExecStart=/usr/bin/autossh -M 0 -f -N -T -q -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 9993:localhost:22 root@server
PIDFile=/tmp/autossh.pid
Restart=always

[Install]
WantedBy=multi-user.target

Reload systemd

# systemctl daemon-reload

Enable/Start Service

# systemctl enable autossh

# systemctl start autossh

Now from “server” you should be able to reach your PI

# ssh localhost -p 9993

Debian 7 LACP Bonding /etc/network/interfaces

/etc/network/interfaces

auto bond0 iface bond0 inet static address 10.10.0.100 gateway 10.10.0.1 netmask 255.255.255.0 slaves eth0 eth1 eth2 bond-mode 802.3ad bond-miimon 100 bond-lacp-rate 4

ExtremeWare configuration

As you may be able to guess, this configures ports 41, 42 and 43 for LACP

enable sharing 41 grouping 41,42,43 dynamic

Summit 400-48t Enable Advanced Edge License

I noticed the license is a length 7 numeric value, so I modified an existing script floating around for the Summit 400-48t. Should work with any Summit 200/300/400 however.

You may need to modify the “Summit400” near the end of the file to match your prompt. This runs much quicker than I’d think; got my license after 4 hours or so.

Uncomment the dump.log line if you have trouble to debug

#!/usr/bin/perl use Net::Telnet; use warnings;


$t = new Net::Telnet(

    Timeout => 10,

#    Dump_Log => "dump.log",

    Prompt => '/\* Summit*$/',

    Errmode=>'die'

);

$t->open('SWITCHIPADDRESS');

$t->waitfor('/login: $/i');

$t->print('admin');

$t->waitfor('/password: $/i');

$t->print('YOURPASSWORD');

$t->waitfor('/Summit400/i');
for($x = 1; $x < 9999999; ++$x)
{
    print "Trying: $x\n";
    #@lines = $t->cmd("enable license advanced-edge $x");

    $t->print("enable license advanced-edge $x");

    $t->waitfor('/Summit400/i');

}

MRV LX Console Server to Cisco Pinout

Crimp a RJ45 cable with the following pinout

1 <-> 1
2 <-> 7
3 <-> 6
4 <-> 5
5 <-> 4
6 <-> 3
7 <-> 2
8 <-> 8

On the MRV LX, use the following settings

– Flow Control to “None”
– Banner to “None”
– Disable “AutoHangup”
– Change Prompt to empty string

You can now access your cisco devices through your MRV LX Console server

Update: Extreme Network devices will work with the regular blue cisco serial cable. Console to switch, RJ45 to MRV

Obtain free Cisco IOS upgrades

0. Determine who purchased the device. You will need to send an email from their CCO registered account. This does not mean it needs an active contract.

1. Log onto the device and capture all of the output of “show version”

2. Go to http://tools.cisco.com/security/center/selectIOSVersion.x and select the “B” option to use the “show version” output

3. Choose to view all security vulnerabilties

4. Send an email to [email protected] with

The output of “show version” in the body of the e-mail

Serial number of the device in the body of the e-mail (yes, even though it’s in show ver)

A list of all vulnerabilities for the selected IOS from cisco’s website in the body of the e-mail (just copy and paste the links)

Request a non-vulnerable IOS version

5. Wait and they should send you a link to download the IOS.

Cisco wireless access point and Windows 2008 RADIUS EAP Authentication

Configure Windows server for RADIUS

1. Install NPS and CA authority roles if you have not already

2. Go to Computer Management. Roles – Network Policy and Access – NPS (Local) – RADIUS Clients

3. Create new RADIUS client

Friendly name: Name of AP (Example: corp-ap-1141-il)

IP Address: IP of AP

Shared Secret – Manual (Generate a random 12+ digit key with no special chars)

Under “Advanced” tab, Vendor name: Cisco and check “RADIUS client is NAP capable”

4. Under NPS – Policies – Network Policies create a new Policy called ‘Cisco AP Radius’

Condition Tab: Windows Groups (Domain Users)

Constraints Tab

Auth Methods: Add all three auth methods. Check MS-CHAPv2, MS-CHAP, CHAP and PAP/SPAP

NAS Port Type: Select Wireless 802.11 under Common 802.1x types and “Wireless Other” under “Others”

Settings Tab

Standard: add Service-Type Login

5. When done, move the Cisco AP Radius policy to the #1 position

Configure Cisco AP for RADIUS

1. Enter in RADIUS group information

aaa new-model

aaa group server radius rad_eap

server 10.0.0.3 auth-port 1812 acct-port 1813

aaa authentication login eap_methods group rad_eap

aaa session-id common

radius-server host 10.0.0.3 auth-port 1812 acct-port 1813 key KEYYOUGENERATEDEARILER

dot11 ssid CompanyWifi

no authentication open

no wpa-psk ascii

authentication open eap eap_methods

authentication network-eap eap_methods

2. Try to connect with a client computer. Debug on AP with: debug radius authentication

tshark MAC address filtering

Had to troubleshoot a Solaris box but couldn’t go by IP address since it wasn’t picking one up.

tshark -i eth1 -R "eth.addr == 00:03:ba:05:0d:60"

Ubuntu 9.10 PXE Boot

Ubuntu 9.10 uses initrd.lz instead of initrd.gz, so PXE booting like you did in previous versions does not work.

This article assumes you’ve already downloaded the iso and have a working PXE boot server.

First, copy the contents of the iso to a directory we can work with

mkdir /tmp/910

mount -o loop ubuntu-9.10-desktop-i386.iso /tmp/910

cp -r /tmp/910 /tftpboot

Convert initrd.lz to initrd.gz

cd /tftpboot/910/casper

mkdir initrd

cp initrd.lz initrd

cd initrd

lzma -dc -S .lz initrd.lz | cpio -id

rm initrd.lz

find . | cpio –quiet –dereference -o -H newc | gzip -9 > initrd.gz

cp initrd.gz /tftpboot/910/casper

Now add the appropriate lines to pxelinux (Example: /tftpboot/pxelinux.cfg/default)

LABEL Ubuntu 9.10 i386 Unmodified Livecd KERNEL 910/casper/vmlinuz APPEND root=/dev/nfs boot=casper netboot=nfs nfsroot=192.168.0.1:/home/tftpboot/910 initrd=910/casper/initrd.gz quiet splash --

Make sure /tftpboot is shared via nfs; in /etc/exports add the following line

/tftpboot/910 192.168.0.0/24(rw,async,no_subtree_check)

Reload the NFS server

/etc/init.d/nfs-kernel-server reload

OpenSolaris LDAP Client to Linux OpenLDAP Server

The following outlines how to set up a OpenSolaris client to work with a Linux OpenLDAP server.

The following is one line

ldapclient manual -a credentialLevel=proxy -a authenticationMethod=simple -a proxyDN=cn=admin,dc=server -a proxyPassword=yourpassword -a defaultSearchBase=dc=server -a defaultServerList=192.168.1.1:389 -a serviceSearchDescriptor=passwd:ou=People,dc=server -a
serviceSearchDescriptor=group:ou=Groups,dc=server

Add the following lines to their appropriate sections in /etc/pam.conf

login   auth required           pam_ldap.so.1
other   auth required           pam_ldap.so.1
passwd auth required         pam_ldap.so.1

Test LDAP with

ldaplist -l passwd

Test user authentication using the following steps

mkdir /export/home/ldapuser

chown ldapuser /export/home/ldapuser

Edit /etc/auto_home and add the following BEFORE “+auto_home”

ldapuser localhost:/export/home/ldapuser

SSH to test

ssh ldapuser@localhost

You should be in! If not, you may have to change the following in /etc/ssh/sshd_config

PAMAuthenticationViaKBDInt no

#Change from yes to no

Restart SSH

svcadm restart ssh

If you are still unable to log in, your userPassword attribute probably needs to be changed from md5/md5crypt to crypt.

su – ldapuser

passwd

After changing your password you should be able to log in.