Jul 30, 2010

IPSec VPN Troubleshooting

I was reminded recently of a lesson that I have had to learn several times over.

If you are troubleshooting a LAN-to-LAN IPSec VPN tunnel on Cisco hardware that isn’t establishing, isn’t showing any useful logs or debugs, and looks correct: remove the crypto map and re-add it. The last two times I have had this problem, it was after I added lines to the middle of an already established crypto map.

When your crypto map is removed from the config, all of the VPNs on that map will drop (obvious, but full disclosure).

Jun 18, 2010

Configure Extreme XOS to Authenticate to Cisco TACACS+

Extreme XOS supports authentication to a Cisco SecureACS server using TACACS+; however, there is a bit of a gotcha. On Cisco, if you configure authentication to a TACACS+ server without any special configuration, it drops you into user mode. You can then issue an enable to get into privileged mode, where you can actually do something useful.

In Extreme it also drops you into user mode, but here’s the gotcha: there’s no enable. This means that if you configure the switch to authenticate to your TACACS+ server, you can put yourself in a position where you can’t issue any meaningful commands (including changing the authentication back to local) without driving to your data center and consoling into the device.

To resolve this you have to configure your TACACS+ server to drop you into privilege level 15 from the get-go.

On a Cisco SecureACS server this is done under Group Setup. Select and edit the group that you use for your network equipment login and scroll down to the Shell (exec) section. Check “Privilege level” and set the value to 15.

Submit the change and allow it to restart the service.

Now SSH into your switch and issue the following:

conf tacacs primary server [AAA Server IP] client-ip [Switch Source IP] vr VR-Default
conf tacacs primary shared-secret [SHARED SECRET]

The example assumes that you’re using the default virtual router. If you’re not, substitute the appropriate one. You can also add a redundant server by substituting secondary for primary.

Unlike Cisco, this doesn’t go into effect until you issue this additional command turning it on:

enable tacacs

Verification can be accomplished with:

show tacacs

Random note: I couldn’t find it documented anywhere, but learned through my own trials that if the switch can’t communicate with your AAA server it will automatically fail back to local authentication. No special configuration is necessary for this to happen; it’s the default.

Jun 09, 2010

InterVLAN Routing on Extreme XOS

Enabling IVR on an XOS switch is pretty similar to an IOS switch: same concepts, just different commands. First you need to take your existing VLANs (at least 2) and give them a routed interface.

For the example let’s assume the following VLAN creation commands have already been issued on the switch:

create vlan ACCOUNTING
configure vlan ACCOUNTING tag 50

create vlan SERVERS
configure vlan SERVERS tag 10

Add a routed interface on each VLAN:

configure vlan ACCOUNTING ipaddress 192.168.50.1 255.255.255.0

configure vlan SERVERS ipaddress 192.168.10.1 255.255.255.0

Now run the command for enabling IVR. This is equivalent to the Cisco “ip routing” command, except unlike with Cisco it is not enabled by default.

You can enable it globally (to allow routing between all VLANs with an IP address) or on a per-VLAN level. If you enable it per VLAN, remember you’ll have to enable it on at least 2 VLANs in order for anything to actually happen.

Globally enabled would look like:

enable ipforwarding

And enabled per-vlan would look like:

enable ipforwarding vlan ACCOUNTING

enable ipforwarding vlan SERVERS

You probably also want to configure a default gateway. This can be applied with:

configure iproute add default 192.168.10.10

At this point you can either add in any necessary static routes or enable a supported routing protocol (RIP or OSPF) to populate networks that are not adjacent to your switch.

May 29, 2010

Disable Ping Replies on Linux

Came across this today. You can disable ICMP echo responses on a Linux server by adding the following line to the /etc/sysctl.conf config file:

net.ipv4.icmp_echo_ignore_all=1

To undo it, change the value after the = to 0, comment the line out, or remove it.
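When auditing a box for this setting, the question is what /etc/sysctl.conf will actually apply on the next sysctl -p or reboot, which is not the same as what the running kernel reports. The following is an added example, not code from the original post: it parses constructed sysctl.conf contents and returns the persisted value of net.ipv4.icmp_echo_ignore_all, treating all three ways of undoing the change described above (set to 0, commented out, deleted) as "replies enabled", and optionally reads the live value from /proc/sys for comparison. The kernel default of 0 is a known fact; the sample file contents are constructed.

```python
"""Determine the value sysctl.conf will persist for a key versus the live one.
Added example, not from the original post; sample file contents are constructed.
Editing sysctl.conf changes nothing until `sysctl -p` or a reboot, so the
running kernel (/proc/sys) can disagree with the file."""
import os
import re

KEY = "net.ipv4.icmp_echo_ignore_all"
# sysctl.conf lines look like "key = value" or "key=value"; '#' and ';' start comments.
SETTING_RE = re.compile(r"^([\w.\-/]+)\s*=\s*(.*?)$")


def persisted_value(conf_text, key, default="0"):
    """Return the value set by the last uncommented `key = value` line, or
    `default` when the key is absent or appears only in comments (the kernel
    default for icmp_echo_ignore_all is 0). Later lines override earlier ones,
    which matches how sysctl -p applies the file top to bottom."""
    value = default
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SETTING_RE.match(stripped)
        if m and m.group(1) == key:
            value = m.group(2).strip()
    return value


def ping_replies_disabled(conf_text):
    """True only when the file will leave icmp_echo_ignore_all at 1."""
    return persisted_value(conf_text, KEY) == "1"


def live_value(key=KEY, procfs="/proc/sys"):
    """Read what the running kernel is using (Linux only); None elsewhere."""
    path = os.path.join(procfs, key.replace(".", "/"))
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


# Constructed sample files covering the cases discussed in the post.
DISABLED = "net.ipv4.ip_forward = 0\nnet.ipv4.icmp_echo_ignore_all=1\n"
COMMENTED = "# disabled again\n#net.ipv4.icmp_echo_ignore_all=1\n"
OVERRIDDEN = "net.ipv4.icmp_echo_ignore_all=1\nnet.ipv4.icmp_echo_ignore_all = 0\n"
REMOVED = "net.ipv4.ip_forward = 0\n"

if __name__ == "__main__":
    for label, text in [("set to 1", DISABLED), ("commented out", COMMENTED),
                        ("overridden by later line", OVERRIDDEN), ("line removed", REMOVED)]:
        print("%-25s persisted=%s replies_disabled=%s"
              % (label, persisted_value(text, KEY), ping_replies_disabled(text)))
    print("live kernel value:", live_value())
```

If the persisted value and the live value differ, the file was edited without sysctl -p being run, or the live value was changed with sysctl -w and never written to the file.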

May 28, 2010

Managing Cacti Plugins

Much of the power of Cacti doesn’t come from the core code but instead comes from the multitude of powerful plugins available.

The process of installing and removing different plugins can vary slightly, but they all follow at least these basic steps.

To install a plugin, first download it from the appropriate download site. A common plugin SVN repository for Cacti is upcoming; however, currently the best place to download the most up-to-date versions is each developer’s website. You can get a feel for some of the available plugins on the Cacti Plugin Announcement forum.

Extract the gzip file and upload the folder to the plugins directory of your Cacti server (or just download it straight to the Cacti server and extract it there). Most commonly this is going to be:

/var/www/html/plugins

or

C:\inetpub\wwwroot\plugins\

So assuming you were installing the threshold plugin, your structure would look like this:

/var/www/html/plugins/thold

or

C:\inetpub\wwwroot\plugins\thold

If you’re running Cacti on a Linux server, fix your ownership and permissions. Ownership should be set to your web server account (usually apache) using:

chown -R apache:apache /var/www/html/plugins/thold

And permissions should be set to:

chmod -R 755 /var/www/html/plugins/thold

Issue ls -la | grep thold in the plugins directory to verify that permissions are set to drwxr-xr-x and ownership to apache/apache.

Next you need to enable the plugin in the primary Cacti configuration file (global.php).

global.php is located in the include subdirectory of your Cacti directory.

Open it up and locate the line:

$plugins = array();

Add whatever plugins you want to install under this in the following format:

$plugins[] = 'thold';

The thold refers to the folder name under the plugins directory, so make sure they match.

Save the config file and open up Cacti; if your plugin doesn’t require any specific additional configuration it should now be functional. Examples of additional configuration could include uploading additional files, setting up a cron job or running a script against your database – read through the documentation of the plugin you are trying to install to find out.

To disable the plugin, comment it out in the global.php file (or remove the line and directory to completely remove it). The comment designator in PHP is double slashes, so an example would be:

//$plugins[] = 'thold';

Again, no service restart is necessary; because the PHP code is interpreted in real time it should “just work”.
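The enable/disable steps above are a good candidate for a small script, because the failure modes are easy to hit by hand: a duplicate $plugins[] line, a plugin left commented out and then added again, or a plugin directory that is world-writable after an upload. The following is an added example, not Cacti’s own code: it edits the $plugins block of a global.php text exactly as described in this post (inserting after $plugins = array();, uncommenting a //$plugins[] line rather than duplicating it, commenting out to disable) and checks that a plugin directory has the 755 mode and web-server owner recommended above. The sample global.php contents are constructed; the check_plugin_dir helper is this example’s own, as is the hypothetical `monitor` plugin name used in the sample.

```python
"""Toggle Cacti plugins in include/global.php and sanity-check a plugin dir.
Added example, not Cacti's own code. Assumes the global.php layout from the
post: a "$plugins = array();" line followed by "$plugins[] = 'name';" lines."""
import os
import pwd
import re
import stat
import tempfile

ANCHOR = "$plugins = array();"
# Matches an active or commented-out plugin line, e.g. "//$plugins[] = 'thold';"
LINE_RE = re.compile(r"^(?P<off>//)?\s*\$plugins\[\]\s*=\s*'(?P<name>[^']+)'\s*;\s*$")


def enabled_plugins(text):
    """Names of the plugins global.php currently activates, in load order."""
    names = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and not m.group("off"):
            names.append(m.group("name"))
    return names


def enable_plugin(text, name):
    """Return global.php text with `name` enabled. Idempotent: an active line
    is kept as-is, a commented-out line is uncommented in place, and extra
    copies are dropped. Raises ValueError if the anchor line is missing."""
    out, done = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") == name:
            if done:
                continue  # duplicate entry for the same plugin
            out.append("$plugins[] = '%s';" % name)
            done = True
        else:
            out.append(line)
    if not done:
        idx = next((i for i, l in enumerate(out) if l.strip() == ANCHOR), None)
        if idx is None:
            raise ValueError("no '%s' line in global.php" % ANCHOR)
        out.insert(idx + 1, "$plugins[] = '%s';" % name)
    return "\n".join(out) + "\n"


def disable_plugin(text, name):
    """Comment out the active line(s) for `name`, leaving the rest untouched."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") == name and not m.group("off"):
            out.append("//" + line.strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_plugin_dir(path, owner="apache"):
    """Problems with a plugin directory: owner should be the web server
    account and the mode 755 (drwxr-xr-x). Empty list means it is fine."""
    st = os.stat(path)
    problems = []
    actual_owner = pwd.getpwuid(st.st_uid).pw_name
    if actual_owner != owner:
        problems.append("owner is %s, expected %s" % (actual_owner, owner))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o755:
        problems.append("mode is %o, expected 755" % mode)
    return problems


def current_user():
    return pwd.getpwuid(os.getuid()).pw_name


def demo_dir(mode=0o755):
    """Constructed stand-in for /var/www/html/plugins/thold: a temp dir."""
    path = tempfile.mkdtemp()
    os.chmod(path, mode)
    return path


# Constructed sample global.php; 'monitor' is a hypothetical plugin name.
SAMPLE_GLOBAL_PHP = """<?php
$config = array();
$plugins = array();
//$plugins[] = 'monitor';
"""

if __name__ == "__main__":
    text = enable_plugin(SAMPLE_GLOBAL_PHP, "thold")
    text = enable_plugin(text, "monitor")
    print(text)
    print("enabled:", enabled_plugins(text))
    print("after disabling thold:", enabled_plugins(disable_plugin(text, "thold")))
    print("dir problems:", check_plugin_dir(demo_dir(0o777), owner=current_user()))
```

Run it against a copy of include/global.php first; the functions return new text rather than writing the file, so the write (and the backup) stay under your control.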

May 03, 2010

Warrior Dash

Got back from the Texas Warrior Dash over the weekend. Was a lot of fun, I will definitely be back next year. The event was also extremely well organized – the doom and gloom that was going around beforehand was without warrant.

Here’s a pic of the crew after the race – I’m on the right.

Yes the guy in the middle is wearing a Björk swan-dress costume. That’s how we roll.

Apr 27, 2010

Skipfish on RedHat/CentOS

There seem to be tons of articles online on how to install and setup Skipfish on a Debian-based distro, but none if you’re using a RedHat-based distro.

First download and decompress it like you would on any distro. You’ll probably have to substitute in the current version number.

wget http://skipfish.googlecode.com/files/skipfish-1.33b.tgz
tar zxvf skipfish-1.33b.tgz
cd skipfish

Now install the following dependencies.

yum install gcc
yum install openssl-devel
yum install libidn-devel

Compile and copy over a dictionary to use.

make
cp dictionaries/default.wl skipfish.wl

You can verify your installation is successful by running Skipfish with the help flag.

./skipfish -h

Apr 16, 2010

Free Citrix Xen Training

Was looking for paid Xen training and found this. Haven’t started it yet but I like the price. Online course is normally $150.

Apr 14, 2010

SSL Checker

Interesting tool which can be used to help diagnose problems with an SSL certificate.

http://www.sslshopper.com/ssl-checker.html

Apr 13, 2010

The SELECT Statement (Part 2)

Continuing from my 4/10 post on the SQL SELECT statement, probably the most powerful tool in your arsenal for filtering down results is the WHERE clause, which allows you to apply conditions to your query.

These are the operators you can use with WHERE:

Operator         Description
=                Equal to
!=               Not equal to
<                Less than
<=               Less than or equal to
>                Greater than
>=               Greater than or equal to
BETWEEN x AND y  Between two values
IS NULL          Has no value
LIKE             Match with wildcard
REGEX            Match with regular expression

Using our previous example of the states table, you could structure a WHERE clause that returns a specific state:

SELECT *
FROM states
WHERE name = 'texas';

would return the row for Texas. You could also use WHERE to return all states that have a population greater than 10,000,000, limited to 5 results and displayed in order of highest population to lowest:

SELECT *
FROM states
WHERE population > 10000000
ORDER BY population DESC
LIMIT 5;

As you can see in the above two examples, you need to use quotes when matching a string but not when matching a numerical value. Usually matching in SQL is not case sensitive, but YMMV based on your database product and configuration.

The BETWEEN operator requires two input values. Let’s take the last example but assume that instead of wanting to see states with a population greater than 10,000,000, I want to see states with a population between 5,000,000 and 10,000,000:

SELECT *
FROM states
WHERE population BETWEEN 5000000 AND 10000000;

Note that the two input variables have to be separated by the AND keyword.

You can chain multiple WHERE checks together with AND or OR. You can force an order of operations with parentheses, but by default ANDs are evaluated before ORs.

Some examples:

SELECT *
FROM states
WHERE population > 10000000 AND size > 200000;

SELECT *
FROM states
WHERE (population > 10000000 AND size > 200000) OR name = 'delaware';

I’ll admit that last one doesn’t seem to be the most useful query but hopefully it gets the point across anyway.

Another useful operator is LIKE, which allows you to query information with wildcards.

There are two main wildcards that are used with LIKE:

Wildcard  Description
%         Matches any length of characters
_         Matches a single character

Wildcards can be put before, inside or after a search string.

Here’s an example:

SELECT *
FROM states
WHERE name LIKE 'a%';

would return every state that starts with an A, so:

Alaska
Arizona
Arkansas
Alabama

Running the same query with a _ in place of the % would return 0 rows, because there is no two-character state name that begins with A.

If you don’t have to use a wildcard, don’t use it. Queries with wildcards (especially ones at the beginning of the search string) take a long time to run and can slow down your database if relied upon too heavily.

And last but not least, REGEX is the deep-end equivalent of LIKE. Everything that you can do with LIKE, you can also do with REGEX. I’m not going to go too far into it because regular expressions are a topic unto themselves, but it’s used in the same way as the rest of the operators.

SELECT *
FROM states
WHERE name REGEXP '^[aA]+[a-zA-Z]*$';  -- MySQL spells the operator REGEXP (alias RLIKE)

would do the same thing as the a% LIKE example above; it just requires a lot more brain cells to get off the ground.

EDIT: I was thinking about it and if you want to get nitpicky, the regex doesn’t do *exactly* the same thing. After the initial A/a, it matches any letter (but not non-letter characters) where the LIKE a% would match any valid character.
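The points in this post are easiest to see by running the queries against a real table, so here is an added example (not from the original post) that builds a small states table in SQLite and runs the WHERE, ORDER BY/LIMIT, BETWEEN, AND/OR precedence, LIKE and REGEXP examples from above. The rows, population and size figures are constructed for illustration. SQLite stands in for MySQL: it parses the REGEXP operator but leaves the matching function for you to register, and unlike the usual MySQL collation its = comparison is case sensitive, which is the YMMV caveat from the post in action. The last function shows the gap described in the EDIT: a value such as "a-1" matches LIKE 'a%' but not the regex.

```python
"""Run the post's WHERE / BETWEEN / LIKE / REGEXP examples in SQLite.
Added example, not code from the original post; rows are constructed and the
population and size figures are only illustrative."""
import re
import sqlite3

# Constructed sample rows: (name, population, size in square miles).
STATES = [
    ("alabama", 4800000, 52420),
    ("alaska", 710000, 665384),
    ("arizona", 6400000, 113990),
    ("arkansas", 2900000, 53179),
    ("california", 37000000, 163695),
    ("delaware", 900000, 2489),
    ("florida", 18800000, 65758),
    ("new york", 19400000, 54555),
    ("texas", 25100000, 268596),
]


def regexp(pattern, value):
    """Backs the REGEXP operator: SQLite rewrites `x REGEXP y` as regexp(y, x)."""
    return 1 if value is not None and re.search(pattern, value) else 0


def connect():
    """In-memory database with the states table and a REGEXP implementation."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, regexp)
    conn.execute("CREATE TABLE states (name TEXT, population INTEGER, size INTEGER)")
    conn.executemany("INSERT INTO states VALUES (?, ?, ?)", STATES)
    return conn


def names(conn, sql, params=()):
    """Run a query that selects `name` and return the names as a list."""
    return [row[0] for row in conn.execute(sql, params)]


def exact(conn, name):
    # In literal SQL a string needs quotes; here it is bound as a parameter.
    # SQLite compares `=` case-sensitively, so exact(conn, "Texas") is empty.
    return names(conn, "SELECT name FROM states WHERE name = ?", (name,))


def most_populous(conn, minimum=10000000, limit=5):
    # ORDER BY must come before LIMIT; the reverse order is a syntax error.
    return names(conn, "SELECT name FROM states WHERE population > ? "
                       "ORDER BY population DESC LIMIT ?", (minimum, limit))


def between(conn, low, high):
    return names(conn, "SELECT name FROM states WHERE population BETWEEN ? AND ? "
                       "ORDER BY name", (low, high))


def precedence(conn):
    """AND binds tighter than OR, so the first two are the same query; the
    third regroups the parentheses and gets a different answer."""
    base = "SELECT name FROM states WHERE %s ORDER BY name"
    implicit = names(conn, base % "population > 10000000 AND size > 200000 OR name = 'delaware'")
    explicit = names(conn, base % "(population > 10000000 AND size > 200000) OR name = 'delaware'")
    regrouped = names(conn, base % "population > 10000000 AND (size > 200000 OR name = 'delaware')")
    return implicit, explicit, regrouped


def starts_with_a(conn):
    """LIKE 'a%' versus LIKE 'a_' versus the post's regular expression."""
    percent = names(conn, "SELECT name FROM states WHERE name LIKE 'a%' ORDER BY name")
    underscore = names(conn, "SELECT name FROM states WHERE name LIKE 'a_' ORDER BY name")
    regex = names(conn, "SELECT name FROM states WHERE name REGEXP '^[aA]+[a-zA-Z]*$' ORDER BY name")
    return percent, underscore, regex


def like_vs_regexp(conn, value):
    """(LIKE match, REGEXP match) for one value: 'a%' accepts any characters
    after the a, the regex accepts letters only, as the EDIT points out."""
    row = conn.execute("SELECT ? LIKE 'a%', ? REGEXP '^[aA]+[a-zA-Z]*$'",
                       (value, value)).fetchone()
    return bool(row[0]), bool(row[1])


if __name__ == "__main__":
    db = connect()
    print(exact(db, "texas"), exact(db, "Texas"))
    print(most_populous(db), between(db, 5000000, 10000000))
    print(precedence(db))
    print(starts_with_a(db))
    print(like_vs_regexp(db, "alaska"), like_vs_regexp(db, "a-1"))
```

The regrouped query in precedence() is the one to keep in mind when reviewing filters that mix AND and OR without parentheses: the database is not wrong, it is simply applying the default precedence the post describes.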

There’s more to say on this, I may make a 3rd post.