Saturday, January 24, 2015
Rancid 3.2 alpha + git
Rancid lovers rejoice: a 3.2 alpha version is released with (at least) two interesting features.
- Git support: based on the patch by jcollie.
But with a 'small' difference: not one repository for all the groups, but a repository per group.
Maybe fine if you're starting from scratch, but for my situation I prefer the one-repository setup of the original patch.
You can find the latest version with the original setup of one repository for everything, together with some other minor patches, on https://github.com/42wim/rancid/commits/mypatches3.1.99
- WLC support: now you can back up your Cisco Wireless LAN Controller configurations out of the box. One patch less to maintain. Hurrah!
I'm running Rancid in a Docker setup, so upgrading and testing was quite easy.
No issues found yet with this version.
Tuesday, February 25, 2014
Circumventing IPv6 feature parity: drop AAAA to specific IPs
Unless you've been living under a rock, you'll be aware that IPv6 usage has been increasing.
Yes, it even has come to this: mere mortals can use it at home. The audacity!
Unfortunately not all vendors (if any?) have feature parity; in our case a specific VPN product doesn't support IPv6.
The client will only receive an IPv4 address from the VPN server.
When the user at home starts the VPN and asks for an internal resource (which also has an IPv6 address), the client will try to connect to that resource over the IPv6 address from his provider (he didn't receive one from the VPN server), which doesn't work because this specific resource is firewalled for outside addresses.
Luckily the user has to use our DNS server to look up records (the VPN client forces this).
Luckily we're using PowerDNS Recursor, which supports Lua scripting that can modify DNS responses.
The script below gives normal answers to every host not coming from 10.100.0.0/15 or 10.0.0.1/32. For hosts from those ranges, if the answer contains AAAA records, it drops them and returns the rest.
More information about Lua scripting for PowerDNS Recursor can be found here: http://doc.powerdns.com/html/recursor-scripting.html
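The decision logic of such a filter, as an added example that is not the author's Lua script: the Python below models what the recursor's post-resolve hook has to decide, given the querying address and the resolved record set, and returns the rcode and records the hook would hand back. The two source ranges are the ones from the post; the answer records, the hook name and the dict shape of a record are constructed for this example. One detail the post glosses over is shown explicitly: when the only records were AAAA, the result is an empty NOERROR answer (NODATA), not NXDOMAIN, because NXDOMAIN would tell the client the whole name does not exist.

```python
from ipaddress import ip_address, ip_network

# Source ranges from the post: queries from these addresses never get AAAA records back.
NO_AAAA_FOR = [ip_network("10.100.0.0/15"), ip_network("10.0.0.1/32")]
NOERROR = 0

# Constructed sample answer (not real data): one dict per record, the shape a
# post-resolve hook sees for a dual-stacked internal host.
SAMPLE_ANSWER = [
    {"qname": "intranet.example.com", "qtype": "A",    "content": "10.1.2.3",    "ttl": 300},
    {"qname": "intranet.example.com", "qtype": "AAAA", "content": "2001:db8::3", "ttl": 300},
]


def is_vpn_client(remote_ip):
    """True when the querying address falls inside one of the no-AAAA ranges."""
    src = ip_address(remote_ip)
    return any(src in net for net in NO_AAAA_FOR)


def postresolve(remote_ip, records, rcode=NOERROR):
    """Model of the post's post-resolve hook; returns (rcode, records).

    Sources outside the VPN ranges get the answer untouched. VPN sources get
    every AAAA record removed. The rcode stays NOERROR even when nothing is
    left: an empty NOERROR answer is a NODATA reply ("this name has no AAAA"),
    whereas NXDOMAIN would claim the whole name is gone and could break the
    A lookup for the same name.
    """
    if rcode != NOERROR or not is_vpn_client(remote_ip):
        return rcode, list(records)
    kept = [r for r in records if r["qtype"] != "AAAA"]
    return NOERROR, kept


def answer_types(records):
    """The record types in an answer, in order (used to eyeball the result)."""
    return [r["qtype"] for r in records]


if __name__ == "__main__":
    # 10.102.0.1 is just outside 10.100.0.0/15 (which ends at 10.101.255.255)
    for src in ("10.100.5.5", "10.0.0.1", "10.102.0.1", "192.0.2.10"):
        rcode, recs = postresolve(src, SAMPLE_ANSWER)
        print(f"{src:>12} -> rcode={rcode} {answer_types(recs)}")
```

Porting this to the recursor means doing the same range test on the remote address inside the Lua hook and returning the original rcode together with the filtered record table; check the scripting document linked above for the exact hook signature of the recursor version you run.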
Sunday, December 1, 2013
Monday, May 13, 2013
Compiling your own PuTTY-CAC with EID support
So we've got electronic IDs (smartcards), but except for doing our taxes we're not using them much.
Now under Linux there are options to use them for SSH authentication, but these days I'm mostly using PuTTY on Windows, so I wanted it to work with this client.
After some searching I found a possible candidate: PuTTY-CAC: http://www.risacher.org/putty-cac/
It works with CAPI, the military uses it, it's open source and based on PuTTY. Seems like a win-win-win-win. And for once it also is :-)
So I downloaded the source from https://github.com/risacher/putty-cac/archive/master.zip and compared it with the official PuTTY source from http://svn.tartarus.org/sgt/putty/ to see whether anything suspicious had been added to the code. There wasn't, so I could safely build the binary myself.
I remembered that Visual Studio Express was a free C++ compiler from Microsoft, so I downloaded version 2010.
So now just open the project and press build, right? Wrong! The project was made in Visual Studio 6 and apparently you cannot convert from Visual Studio 6 to Visual Studio 2010. According to the internets you need to first install Visual Studio 2008, convert there, save it, open it in Visual Studio 2010, convert, save and build.
Here is an overview for those that want to do this:
Start visual C++ 2008
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.dsw
Convert and open project
Choose File - Save All
Start visual C++ 2010 (and close 2008 ;-)
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.sln
You'll get a wizard: Next - Next - Finish
Now when you try to build it, it won't. You'll need to add a define:
Open c:\temp\putty-cac-master\windows\winstuff.h
Add #define SECURITY_WIN32 at the top of the file
If you compile now you'll get linking errors. You'll need to add 'sc.c' and 'capi.c' to the 'Source Files'.
Now you're finally ready to build your binary. Press build and enjoy your self-built PuTTY.
To actually use your EID with this, just follow the CAPI instructions on http://www.risacher.org/putty-cac/
Stuff you'll need to get this working:
Microsoft Windows
SDK for Windows 7 and .NET Framework 4
Visual C++ 2008 Express
Visual C++ 2010 Express
PuTTY CAC source
Good luck!
Wednesday, April 3, 2013
DHCPv6: ISC MAC logging and Cisco relay agent configuration
DHCPv6 server MAC address logging
One of the differences between DHCPv6 and DHCPv4 is that it uses a DUID as an identifier instead of a MAC address.
As you probably know, DUIDs are, for the majority of OSes (e.g. Windows), based on a timestamp followed by a MAC address (DUID-LLT).
For some of our internal systems we use a MAC as an identifier, and for now we will also be needing this for IPv6. The ISC DHCPv6 daemon doesn't log a MAC address by default. One way to have it print one is by adding this to your DHCP config:
option dhcp6.macaddr code 193 = string;
option dhcp6.leased-address code 194 = string;
option dhcp6.macaddr = binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6));
option dhcp6.leased-address = binary-to-ascii(16,16, ":", substring(suffix(option dhcp6.ia-na, 24),0,16));
log (info, concat ("Lease for ",config-option dhcp6.leased-address, " leased to ", config-option dhcp6.macaddr));
The above only works for DUID-LLT and DUID-LL with a 6-byte (Ethernet) link-layer address: suffix(..., 6) blindly takes the last six bytes of the client-id, so for a DUID-EN (or DUID-UUID) it logs six meaningless bytes. I don't know anyone using DUID-EN at the moment, though.
More info on DUIDs: RFC 3315 section 9 defines DUID-LLT, DUID-EN and DUID-LL; http://tools.ietf.org/html/rfc6355 adds DUID-UUID.
Another great blog post about DHCPv6 is at http://ipv6friday.org/blog/2011/12/dhcpv6/
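What the dhcpd.conf expressions above actually pull out of the wire format, as an added example in Python (not part of the post or of ISC dhcpd): it decodes the client-id the way the suffix(..., 6) trick does but checks the DUID type and hardware type first, so a DUID-EN yields "unknown" instead of six stray bytes, and it walks every IA Address inside the IA_NA, which the suffix(option dhcp6.ia-na, 24) expression cannot do when a client holds more than one address. All DUIDs and the IA_NA body are constructed for this example; the MAC and addresses are made up.

```python
import struct
from ipaddress import IPv6Address

# DUID types (RFC 3315 section 9; DUID-UUID from RFC 6355) and the IA Address sub-option code
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HTYPE_ETHERNET = 1
OPTION_IAADDR = 5      # RFC 3315 section 22.6: address(16) preferred(4) valid(4) [sub-options]

# Constructed samples (not captured traffic). The same MAC appears in the two DUIDs that carry one.
_MAC = bytes.fromhex("001ec2aabbcc")
SAMPLE_DUID_LLT = struct.pack("!HHI", DUID_LLT, HTYPE_ETHERNET, 0x1A2B3C4D) + _MAC
SAMPLE_DUID_LL = struct.pack("!HH", DUID_LL, HTYPE_ETHERNET) + _MAC
SAMPLE_DUID_EN = struct.pack("!HI", DUID_EN, 9) + bytes.fromhex("0cc084d303000912")  # 9 = made-up enterprise number


def _iaaddr(addr):
    """One IA Address sub-option with arbitrary preferred/valid lifetimes."""
    return struct.pack("!HH", OPTION_IAADDR, 24) + IPv6Address(addr).packed + struct.pack("!II", 3600, 7200)


# IA_NA body: IAID(4) T1(4) T2(4) followed by two IA Address sub-options
SAMPLE_IA_NA = struct.pack("!III", 1, 1800, 2880) + _iaaddr("2001:db8:100:4200::42") + _iaaddr("2001:db8:100:4200::43")


def mac_from_duid(duid):
    """MAC embedded in a DUID-LLT or DUID-LL, or None for any other DUID.

    dhcpd's suffix(option dhcp6.client-id, 6) takes the last six bytes of whatever the
    client sent; this checks the DUID type and hardware type first, so DUID-EN, DUID-UUID
    and non-Ethernet link-layer addresses return None instead of six meaningless bytes.
    """
    if len(duid) < 4:
        return None
    duid_type, hw_type = struct.unpack("!HH", duid[:4])
    if duid_type == DUID_LLT:
        lladdr = duid[8:]          # type(2) hw-type(2) time(4) link-layer address
    elif duid_type == DUID_LL:
        lladdr = duid[4:]          # type(2) hw-type(2) link-layer address
    else:
        return None
    if hw_type != HTYPE_ETHERNET or len(lladdr) != 6:
        return None
    return ":".join(f"{b:02x}" for b in lladdr)


def addresses_from_ia_na(ia_na):
    """Every address inside an IA_NA option body, walking all IA Address sub-options."""
    addrs = []
    pos = 12                       # skip IAID, T1, T2
    while pos + 4 <= len(ia_na):
        code, length = struct.unpack("!HH", ia_na[pos:pos + 4])
        body = ia_na[pos + 4:pos + 4 + length]
        if code == OPTION_IAADDR and length >= 24:
            addrs.append(str(IPv6Address(body[:16])))
        pos += 4 + length
    return addrs


def dhcpd_trick_address(ia_na):
    """What the post's suffix(option dhcp6.ia-na, 24) / substring(..., 0, 16) yields:
    only the address of the *last* IA Address sub-option."""
    return str(IPv6Address(ia_na[-24:][:16]))


def lease_log_line(duid, ia_na):
    """Same message the log() statement in the post produces, with all addresses and a
    clear marker instead of garbage when the DUID carries no MAC."""
    mac = mac_from_duid(duid)
    if mac is None:
        mac = f"unknown (DUID type {struct.unpack('!H', duid[:2])[0]})"
    return f"Lease for {', '.join(addresses_from_ia_na(ia_na))} leased to {mac}"


if __name__ == "__main__":
    for name, duid in (("LLT", SAMPLE_DUID_LLT), ("LL", SAMPLE_DUID_LL), ("EN", SAMPLE_DUID_EN)):
        print(f"DUID-{name}: {lease_log_line(duid, SAMPLE_IA_NA)}")
    print("dhcpd expression would log only:", dhcpd_trick_address(SAMPLE_IA_NA))
```

Note that binary-to-ascii(16, 8, ":", ...) in dhcpd does not zero-pad octets (it prints "1e" and "0" rather than "1e" and "00"), so if you correlate against these log lines elsewhere, normalise the MAC on both sides first.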
DHCPv6 relay configuration on Cisco equipment
Overview of the configuration we're using on our routers. The numbers refer to the marked lines in the config below.
(1) We're using FE80:: as our IPv6 default gateway everywhere; seems to work for me for now ;) Any best practices for this? (update: because of issues with Linux and fe80:: (Linux responds to fe80:: if it's specified on any link), this has now changed to FE80::1)
(2) Asking the hosts on the subnet to not do SLAAC, please; we're asking you nicely.
(3) Letting the hosts know we're managing the config, that they must use DHCPv6.
(4) Just to be sure, also set this flag, telling them to use DHCPv6 not only for getting an IP but also for getting e.g. DNS servers.
(5) We're the boss on this subnet.
(6) Relay DHCPv6 requests to our server and (7) use the loopback as a source for this. We're using link-local addresses for routing, so if we don't specify a source-interface, the relay agent would try to use a link-local address, which obviously cannot be routed.
Interface vlan42
ipv6 address FE80::1 link-local (1)
ipv6 address 2001:0db8:100:4200::1/64
ipv6 nd prefix default 2592000 604800 no-autoconfig (2)
ipv6 nd managed-config-flag (3)
ipv6 nd other-config-flag (4)
ipv6 nd router-preference High (5)
ipv6 dhcp relay destination 2001:0db8:0:40::547:1 (6)
ipv6 dhcp relay source-interface Loopback0 (7)
interface Loopback0
ipv6 address 2001:0db8:300::63/128
Tuesday, February 26, 2013
IPv6 logging and Cisco NCS
So you want to deploy IPv6 on your wireless network. You want to use SLAAC and you want logging of those SLAAC addresses.
Straight from the horse's mouth:
Q: What are IPv6 private addresses and why are they important to track?
A: Private (also known as temporary) addresses are randomly generated by the client when SLAAC address assignment is in use. These addresses are often rotated at a frequency of a day or so, as to prevent host traceability that would come from using the same host postfix (last 64 bits) at all times. It is important to track these private addresses for auditing purposes such as tracing copyright infringement. Cisco NCS records all IPv6 addresses in use by each client and historically logs them each time the client roams or establishes a new session. These records can be configured at NCS to be held for up to a year.
Pasted from <http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bae506.shtml#faqs>
BUT Cisco NCS or PI doesn't make it easy for you: it keeps the addresses in the database somewhere, but as soon as the client has disassociated you can't search for the IPv6 address anymore. Disassociated IPv4 addresses can be searched though.
So much for IPv6 parity.
Radius to the rescue ?
But wait, we've got RADIUS accounting, right? You'll see the Framed-IP-Address attribute and this will show you the IPv6 address, right? RIGHT?
As we all know, IPv6 is a very new protocol (only about 15 years old), so of course there isn't support for IPv6 in the Framed-IP-Address attribute. There is a draft proposing Framed-IPv6-Address (also very new, only 3 years old).
(See http://tools.ietf.org/html/draft-ietf-radext-ipv6-access-16 for more info)
So, no searching, no IPv6 address logging by RADIUS.
So much for IPv6 parity again..
But according to the documentation (see above) Cisco is recording those addresses somewhere ...
Reports to the rescue!
The workaround is reports:
Go to the report launch pad - Client - Client Sessions
Create a new report:
- report by SSID (or your own favorite source)
- reporting criteria (all SSIDs)
- reporting period: select last 7 days
Customize the report, where you can find the most important data field: "Global Unique"; this will show you the IPv6 address. Now you can schedule this report weekly and you've got weekly CSV files containing all the necessary information of the users.
If anyone got a better workaround please share!
Thursday, February 7, 2013
Cisco Prime Infrastructure NCS 1.2 and the Oracle issue
Continuing my story about NCS diskspace increase.
A few weeks everything went fine, until one day the web server or the shell wasn't accessible anymore.
In the VMware server console we saw that all of the memory was in use (8GB). So we added some extra memory and rebooted the system. (At that time I didn't make the correlation with increasing the disk space a few weeks ago.)
This didn't solve the problem.
But I could log in, and memory usage seemed normal. First I went looking in /var/log; you can skip this step, nothing of value can be found there.
The interesting directory is /opt/CSCOlumos/logs/
Last file modified was hm-0-0.log, containing:
ERROR [system] [HealthMonitorServer] HealthMonitorServer.initHealthMonitor: initHealthMonitor(): can not start DB
INFO [database] [Thread-17] OracleSchemaUtil dbServerUp(): wcs errorCode = 1034
(Other log files were also giving Oracle errors.)
Closing in on the Oracle DB.
Next target: /opt/oracle (disclaimer: I know nothing about Oracle). After some searching I discovered the log file /opt/oracle/diag/rdbms/wcs/wcs/trace/alert_wcs.log, which seemed interesting:
ORA-19815: WARNING: db_recovery_file_dest_size of 107374182400 bytes is 100.00% used, and has 0 remaining bytes available.
ORA-19809: limit exceeded for recovery files
ORA-16038: log 1 sequence# 1018 cannot be archived
ORACLE Instance wcs - Archival Error
ARCH: Archival stopped, error occurred. Will continue retrying
This didn't look good. Apparently Oracle enforces its own limit on the recovery area (db_recovery_file_dest_size), independent of how much space the filesystem actually has free. Because we still had 130GB available on /opt:
/dev/mapper/smosvg-optvol 249204396 97436636 138909244 42% /opt
With the help of Google and a colleague with the necessary Oracle knowledge, this was the solution (raising the recovery area size limit):
[root@ncs oracle]# su - oracle
[oracle@ncs ~]$ ls
base coracleenv dbPasswd.pwd oracleenv oraInventory templates utils
[oracle@ncs ~]$ . oracleenv
[oracle@ncs ~]$ sqlplus '/as sysdba'
SQL*Plus: Release 11.2.0.2.0 Production
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to an idle instance.
SQL> startup nomount
ORACLE instance started.
Total System Global Area 4275781632 bytes
Fixed Size 2233336 bytes
Variable Size 2986347528 bytes
Database Buffers 1275068416 bytes
Redo Buffers 12132352 bytes
SQL> show parameter db_recovery_file_dest_size
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
db_recovery_file_dest_size big integer 100G
SQL> alter system set db_recovery_file_dest_size=120G scope=both;
System altered.
SQL> show parameter db_recovery_file_dest_size;
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
db_recovery_file_dest_size big integer 120G
SQL> shutdown
ORA-01507: database not mounted
ORACLE instance shut down.
SQL> quit
Still the error, but now some free space to do something:
ORA-19815: WARNING: db_recovery_file_dest_size of 128849018880 bytes is 85.07% used, and has 19241095680 remaining bytes available.
Next I ran ncs cleanup on the NCS CLI:
ncs/admin# ncs cleanup
===================================================
Starting Cleanup:
===================================================
Removing all files in backup staging directory
Removing all Matlab core related files
Removing all older log files
Cleaning older archive logs
Cleaning database backup and all archive logs
Cleaning database
Stopping database
Starting database
Starting database clean
Completed database clean
Stopping database
===================================================
Completed Cleanup
===================================================
ncs/admin#
And rebooted the system.
Oracle DB came up normally and NCS was happily running again.