Archive for the ‘Network Management / Monitoring’ Category

Setting Time on Cisco Switches

Many Cisco switches do not have the ability to save time after a power cycle.  For this reason it is probably best to use NTP to keep the time current.

In GWLab we decided to use our Microsoft Domain Controllers as time servers.  The main reason for this is to ensure Active Directory logon attempts do not fail due to a time difference.

Here’s an example of how to configure a Cisco 2950 switch:

Config t
ntp server 10.1.1.203
ntp server 10.1.1.107
clock timezone EST -5
clock summer-time EDT recurring 2 Sunday March 2:00 first Sunday November 2:00

The two ntp server lines set the IP addresses of the domain controllers as our NTP servers.

By default, time on the Cisco switch is kept in UTC.  So the third line in this config example offsets UTC by -5 hours (which corresponds to EST).  Set this to the correct offset for your timezone.

We want to display time correctly during daylight saving time.  In 2007 the daylight saving time rules were modified: daylight saving time now begins on the 2nd Sunday in March and ends on the 1st Sunday in November, at 2:00 am in both cases.  The fourth line in this config example displays the timezone as EDT during daylight saving time.
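To show what the switch is actually doing when it talks to those two domain controllers, and why the domain-controller choice matters for logons, here is an added example (not part of the original post, and not Cisco's code) that builds a constructed NTP server reply, parses it, computes the client clock offset and round-trip delay the way RFC 5905 describes, and checks the result against the 5-minute skew that Kerberos tolerates by default. The timestamps, the stratum and the reference id (10.1.1.203 from the config above, assumed here to be the upstream server) are all constructed sample values.

```python
import struct

# Seconds between the NTP epoch (1 Jan 1900) and the Unix epoch (1 Jan 1970).
NTP_UNIX_DELTA = 2208988800
# Kerberos, and therefore Active Directory logon, rejects tickets when the clocks
# differ by more than 5 minutes (default policy value).
KERBEROS_MAX_SKEW = 300.0
# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, then four 64-bit timestamps (seconds, fraction).
NTP_FORMAT = "!BBbbII4s8I"


def to_ntp_ts(unix_seconds):
    """Convert Unix seconds to the NTP 32.32 fixed-point (seconds, fraction) pair."""
    ntp = unix_seconds + NTP_UNIX_DELTA
    secs = int(ntp)
    frac = int((ntp - secs) * (1 << 32))
    return secs, frac


def from_ntp_ts(secs, frac):
    """Inverse of to_ntp_ts: back to Unix seconds as a float."""
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_server_reply(t1, t2, t3, stratum=2):
    """Constructed mode-4 (server) reply: origin echoes the client's t1,
    receive is t2, transmit is t3.  Reference id is the upstream server's IPv4."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    refid = bytes([10, 1, 1, 203])                # assumed upstream: 10.1.1.203
    return struct.pack(
        NTP_FORMAT,
        li_vn_mode, stratum, 6, -20,              # poll 2^6 s, precision 2^-20 s
        0, 0, refid,                              # root delay, root dispersion, ref id
        *to_ntp_ts(t2), *to_ntp_ts(t1), *to_ntp_ts(t2), *to_ntp_ts(t3),
    )


def parse_reply(data):
    """Unpack a reply into the fields a client needs to compute its offset."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_FORMAT, data[:48])
    li_vn_mode, stratum = fields[0], fields[1]
    ts = fields[7:15]                             # ref, origin, receive, transmit
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "t1": from_ntp_ts(ts[2], ts[3]),          # origin = our request's transmit time
        "t2": from_ntp_ts(ts[4], ts[5]),          # server receive time
        "t3": from_ntp_ts(ts[6], ts[7]),          # server transmit time
    }


def reply_is_usable(reply, sent_t1):
    """Reject replies a client should not act on: wrong mode, unsynchronised server
    (stratum 0 or >= 16, or leap indicator 3), or an origin timestamp that does not
    echo what we sent, which is the protocol's basic check against injected replies."""
    if reply["mode"] != 4:
        return False
    if reply["stratum"] == 0 or reply["stratum"] >= 16:
        return False
    if reply["leap"] == 3:
        return False
    if abs(reply["t1"] - sent_t1) > 1e-3:
        return False
    return True


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 clock offset (theta) and round-trip delay (delta)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def logon_at_risk(offset, max_skew=KERBEROS_MAX_SKEW):
    """True when the local clock is far enough off that Kerberos logons would fail."""
    return abs(offset) > max_skew


def demo():
    """Constructed exchange: the switch clock is 120 s behind the domain controller,
    with 10 ms of one-way network delay in each direction."""
    t1 = 1000.000            # switch transmit time, by its own (slow) clock
    t2 = 1120.010            # domain controller receive time (true time)
    t3 = 1120.020            # domain controller transmit time
    t4 = 1000.030            # switch receive time, by its own clock
    reply = parse_reply(build_server_reply(t1, t2, t3))
    if not reply_is_usable(reply, t1):
        raise RuntimeError("reply failed sanity checks")
    return clock_offset_and_delay(reply["t1"], reply["t2"], reply["t3"], t4)


if __name__ == "__main__":
    off, dly = demo()
    print(f"offset {off:+.3f} s, delay {dly:.3f} s, logon at risk: {logon_at_risk(off)}")
```

The sanity checks in reply_is_usable are the part worth keeping in mind when you point production switches at a time source: a reply with stratum 16 or a non-matching origin timestamp should be ignored rather than applied.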

http://www.shop1stop.net



Setting a site-local or global IPv6 address within Windows 2008 Server Core

Recently, I set up an IPv6 section of gwlab.  The devices included Vista 64-bit, Windows 2008 Server Standard, Windows 2008 Server Standard Core, and Fedora 10 64-bit.  They all natively support IPv6 but typically use only link-local addresses (roughly the equivalent of 169.254.x.x addresses in IPv4).  Those with GUIs are easy to change, but Windows 2008 Core and its lack of a GUI make it more of a challenge.  The method I use is very simple and would also work on other versions of 2008 and Vista.

On the Windows 2008 Standard Core Server (2008 Core) device log in as an administrator.  At the cmd prompt enter the following command to get a list of the interface names:

"netsh interface ipv6 show interfaces"

You should get a list of interface information.  Look for the interface that is not disconnected and whose name does not contain "Loopback".  Use caution, as many of the interfaces will have similar names by default.

On my system the interface name of interest was "Local Area Connection 2", but most devices will need to be configured on "Local Area Connection".

Now that you have the interface name issue the following command:

"netsh interface ipv6 set address <interface name determined above> <ipv6 address>"

In my case that means: netsh interface ipv6 set address "Local Area Connection 2" fec0:0:0:fffe::aa

Verify you now have the correct IPv6 interface settings by using the following commands:

"netsh interface ipv6 show addresses" or "netsh interface ipv6 show addresses "Local Area Connection 2""

You should also be able to ping interfaces on other IPv6 enabled systems within the same network.  So for example:

ping fec0:0:0:fffe::1%1

You probably don’t need to include the %<interface number> zone index, but I’ve found it’s just a good habit to get into.
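As an added example (not from the original post), the following Python sorts out the address kinds this post touches: it splits off the %zone index that Windows writes as an interface number (Linux uses the interface name instead, e.g. %eth0), classifies an address as link-local, site-local, unique-local, global, multicast or loopback, and refuses to build a netsh "set address" command for anything that is not a sensible static address. The fec0::/10 site-local range used above was deprecated by RFC 3879 in favour of fc00::/7 unique-local addresses, so the classifier labels it as such. The netsh_set_address helper and its interface name are assumptions for illustration.

```python
import ipaddress

# fec0::/10 was the "site-local" range; deprecated by RFC 3879 but still routable.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
# fc00::/7 unique-local addresses (RFC 4193) are the intended replacement.
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")

STATIC_KINDS = ("site-local (deprecated)", "unique-local", "global")


def split_zone(text):
    """Separate 'addr%zone' into (addr, zone).  Windows zones are interface
    numbers ('%1'); Linux zones are interface names ('%eth0').  Zone is None
    when the address carries no zone index."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def classify(text):
    """Return the scope/kind of an IPv6 address, ignoring any zone index."""
    addr = ipaddress.IPv6Address(split_zone(text)[0])
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:                 # fe80::/10, the default on every host
        return "link-local"
    if addr in SITE_LOCAL:
        return "site-local (deprecated)"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def is_assignable(text):
    """A static address handed to 'netsh interface ipv6 set address' should be
    site-local, unique-local or global, and must not carry a zone index."""
    addr, zone = split_zone(text)
    return zone is None and classify(addr) in STATIC_KINDS


def netsh_set_address(iface, text):
    """Assumed helper: build the netsh command line for a validated static address.
    The interface name is quoted because the defaults contain spaces."""
    if not is_assignable(text):
        raise ValueError(f"{text} is not a usable static IPv6 address")
    return f'netsh interface ipv6 set address "{iface}" {split_zone(text)[0]}'


if __name__ == "__main__":
    for sample in ("fec0:0:0:fffe::aa", "fe80::1%1", "fd12:3456::1", "ff02::1"):
        print(f"{sample:20} {classify(sample):25} assignable={is_assignable(sample)}")
    print(netsh_set_address("Local Area Connection 2", "fec0:0:0:fffe::aa"))
```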


Install CCA Agent on All Domain Machines & Map Drives Thru Scripts

Project Primary Goal(s):

Allow for mapping drives without adding exceptions to an unauthenticated role.

Secondary Goal(s):

Develop method for rolling out CCA Agent using group policy or login scripts that will not impact ability to map drives.

 

I’m starting out with the secondary goal first in this write up.

In order to install the CCA Agent without errors on all domain machines and without user intervention, I had to use an msiexec command.  The reason is that if I just push the .msi package through group policy, users encounter errors when the application first installs (something about already being in the task bar) and then the program exits.  It may also result in the machine attempting to log in with the machine's Active Directory account rather than the user's account (for Active Directory Single Sign-On).

To ensure the installation section runs only once, I check for the existence of the CCAAgent.exe file.

Once the application installation part of the logon script was in place, I moved on to the primary goal of the project.

It is unlikely you would want users in an unauthenticated role to be able to access your fileserver.

The issue is that any script run to map network drives would fail unless the CCA Agent has placed the user into a role where access to the fileshare is allowed first.

A solution to this is to create a section in the .vbs script that runs at login time and verifies the CCA Agent is running before attempting to map a network drive.  To accomplish this I use a check-and-wait loop.

The example below installs the CCA Agent if it is not installed and maps a user drive only after verifying the CCA Agent is running.  It gives the CCA Agent 30 seconds after it is seen running to perform any sign-in activities (I use Active Directory Single Sign-On, but it would not change for RADIUS, Kerberos, etc.).  Set this script in group policy for a domain or OU (specifically, when editing the group policy you would add it under User Configuration > Policies > Windows Settings > Scripts > Logon).

'-------------------------------------------------------------------
'CCAAgent.vbs
'Install CCA Agent if not installed first.
'Verify CCA Agent is running.
'Map network drives.

Option Explicit

Dim ADSysInfo
Dim CurrentUser
Dim strGroups
Dim rawGroups
Dim wshNet
Dim fserver

Dim AllProcess
Dim Process
Dim strFoundProcess
Dim numWaits

Dim objFSO
Dim ccainstalledfile
Dim wshShell

ccainstalledfile = "c:\program files\cisco systems\clean access agent\ccaagent.exe"
strFoundProcess = False
numWaits = 0
fserver = "\\servername\homedirectory\"

' Install the agent silently (/qn) only if the executable is not present yet,
' so the installation section runs once per machine.
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not (objFSO.FileExists(ccainstalledfile)) Then
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "%windir%\system32\msiexec.exe /package \\domaincontroller\netlogon\ccaagent.msi /qn"
    Set wshShell = Nothing
End If

' Check-and-wait loop: poll the process list up to 20 times, 30 seconds apart
' (10 minutes at most).  The sleep also runs after the agent is found, which
' gives it 30 seconds to finish single sign-on before any drive is mapped.
Do While (strFoundProcess = False And numWaits < 20)
    Set AllProcess = GetObject("winmgmts:")
    For Each Process In AllProcess.InstancesOf("Win32_Process")
        If (InStr(UCase(Process.Name), "CCAAGENT.EXE") = 1) Then
            strFoundProcess = True
            Exit For
        End If
    Next
    WScript.Sleep 30000
    numWaits = numWaits + 1
Loop

' Look up the logged-on user's group memberships in Active Directory.
Set wshNet = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)

' memberOf is an array for several groups, a plain string for exactly one
' group and Empty for none; Join only accepts an array, so normalise first.
rawGroups = CurrentUser.memberOf
If IsEmpty(rawGroups) Then
    strGroups = ""
ElseIf TypeName(rawGroups) = "String" Then
    strGroups = LCase(rawGroups)
Else
    strGroups = LCase(Join(rawGroups))
End If

' Map the home drive according to group membership.
If (InStr(strGroups, "faculty") > 0 Or InStr(strGroups, "staff") > 0) Then
    wshNet.MapNetworkDrive "U:", fserver & "facstaff\" & wshNet.UserName
End If

If (InStr(strGroups, "students") > 0) Then
    wshNet.MapNetworkDrive "U:", fserver & "students\" & wshNet.UserName
End If
'-------------------------------------------------------------------


How to Config Ubuntu Server 8.10 to use a Trunk port

I wanted to set up a VMware Server 2.0 host to allow guests on multiple vlans.  The project required that all Microsoft based servers / workstations be on one vlan and all Linux based servers / workstations be on a different vlan.  This meant that a VMware Server hosting both Microsoft and Linux based guests would be impossible without setting up multiple interfaces and trunking the switch port.  I did this project during a transition from a Cisco switch to a Netgear Layer 3 switch, so I provide config instructions for both devices.

Project Primary Goal(s):

1.)    Create a trunk port from a switch / router connected directly to a Ubuntu 8.10 Server

2.)    Enable multiple logical network interfaces on the Ubuntu system (one for each vlan on the trunk)

3.)  Be able to network “sniff” traffic for only a given vlan while still communicating over other vlans for mail / web / etc

4.)  Be able to run VMware guests in different vlans

5.)  No routing enabled on the Ubuntu Server

6.)  Provide static config options for restoring all networks and connections after a reboot

 

On the Switch (This is Cisco – See below for a Netgear config):

1.)    Enter config mode on the switch “config t”

2.)    Enter config mode for the interface we want to trunk “int gig 1/0/1” for example

3.)    On some switches / routers you will need to set the encapsulation type “switchport trunk encapsulation dot1q”
Note:  If you don’t set this explicitly (even if your switch doesn’t require it) you will not be able to get vlan headers on a full network “sniff” and you may encounter communications problems on your VMware guest systems.

4.)    Set port to trunk mode “switchport mode trunk”

5.)    Allow the vlans of interest on the trunk “switchport trunk allowed vlan 10,172,192”

6.)    Most admins agree setting a description is worth the effort for reducing confusion in future troubleshooting – description “Trunk link to Ubuntu 8.10 VMware Server”

7.)    Get out of int config mode “exit”

8.)    Get out of config mode “exit”

9.)    Save config to memory “write mem”

On the switch (This is Netgear config – See above for a Cisco config)

1.)  Enter config mode “Configure Terminal”

2.)  Enter interface config mode “Interface 0/10″

3.)  Set participation in the vlans of interest:
      “vlan participation include 10”
      “vlan participation include 172″
      “vlan participation include 192″

4.)  Set tagging for all vlans:
      “vlan tagging 10″
      “vlan tagging 172″
      “vlan tagging 192″

5.)    Most admins agree setting a description is worth the effort for reducing confusion in future troubleshooting – description “Trunk link to Ubuntu 8.10 VMware Server”

6.)    Get out of interface config mode “exit”

7.)    Get out of config mode “exit”

8.)    Save config to memory “save” then “y” to the confirm prompt


On the Ubuntu 8.10 Server (I’ll try to get around to writing up instructions for Fedora 10 as well – basically they are the same except for the static settings and the su / sudo commands).

1.)    I prefer to just up my privs to root and leave them there while on the terminal, but you might want to use sudo instead – “sudo -s -H” then enter the root password for the system

2.)    Remove any settings on eth0 – especially do not leave eth0 DHCP enabled (I’ll provide more info about what I decided to do in the static config section below – but if you are just looking to do something temporary, just take off the IP information and routing information for eth0)

3.)    Now create the logical interfaces for each vlan.
“ip link add link eth0 name vlan10 type vlan id 10”
“ip link add link eth0 name vlan172 type vlan id 172”
“ip link add link eth0 name vlan192 type vlan id 192”

4.)    If you have a DHCP server on any of the vlans you can grab a DHCP address
“dhclient vlan10”
To release the DHCP address:
“dhclient -r vlan10”

5.)    If you want to “sniff” traffic on a given vlan, set the logical interface to promiscuous mode (note that “ifconfig vlan172 -promisc”, with the leading dash, turns promiscuous mode off)
“ifconfig vlan172 promisc”
“tcpdump -i vlan172”
If you want to “sniff” traffic on all vlans
“tcpdump -i eth0”
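The difference between sniffing on eth0 and on vlan172 is whether the 802.1Q tag is still in the frame: on the trunk interface every frame carries a 4-byte tag after the source MAC (which is why the encapsulation note above matters), while the vlanN sub-interface delivers the frame with that tag stripped. Here is an added example (not part of the original post) that builds constructed frames for the three vlans, parses the tag to recover the VLAN id and priority, strips it the way a sub-interface would, and filters a capture down to one vlan the way "tcpdump -i vlan172" does. It goes a little beyond the post by also walking stacked 802.1ad/802.1Q tags, which is the general form of the same header. MAC addresses and the IPv4 payload stub are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100    # customer VLAN tag, what the trunk above carries
TPID_8021AD = 0x88A8   # service tag used when tags are stacked (QinQ)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample values for the demonstration.
DST_MAC = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("001122334455")
IPV4_STUB = bytes([0x45]) + bytes(19)          # minimal IPv4 header placeholder


def _tci(vid, pcp):
    """Tag Control Information: 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN id."""
    if not 1 <= vid <= 4094:                   # 0 and 4095 are reserved
        raise ValueError("VLAN id must be 1..4094")
    return ((pcp & 0x7) << 13) | (vid & 0x0FFF)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, outer_vlan_id=None):
    """Ethernet II frame, optionally with an 802.1Q tag and an outer 802.1ad tag."""
    tags = b""
    if outer_vlan_id is not None:
        tags += struct.pack("!HH", TPID_8021AD, _tci(outer_vlan_id, pcp))
    if vlan_id is not None:
        tags += struct.pack("!HH", TPID_8021Q, _tci(vlan_id, pcp))
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, the list of tags (outermost first), the final ethertype
    and the payload.  Handles untagged, single-tagged and stacked frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated ethertype")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": dst, "src": src, "tags": tags,
            "ethertype": etype, "payload": frame[offset + 2:]}


def strip_outer_tag(frame):
    """What a Linux vlanN sub-interface hands up: the frame minus its outer tag."""
    if not parse_frame(frame)["tags"]:
        return frame
    return frame[:12] + frame[16:]


def frames_for_vlan(frames, vid):
    """Mimic 'tcpdump -i vlanN': keep frames whose outer tag carries that VLAN id."""
    kept = []
    for frame in frames:
        tags = parse_frame(frame)["tags"]
        if tags and tags[0]["vid"] == vid:
            kept.append(frame)
    return kept


if __name__ == "__main__":
    capture = [build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, IPV4_STUB, vlan_id=v)
               for v in (10, 172, 192)]
    capture.append(build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, IPV4_STUB))  # untagged
    for frame in capture:                      # what "tcpdump -i eth0" sees
        p = parse_frame(frame)
        print([t["vid"] for t in p["tags"]], hex(p["ethertype"]), len(frame))
    print("vlan172 only:", len(frames_for_vlan(capture, 172)))
```

Untagged frames on a trunk belong to the native vlan and carry no tag at all, which is why the filter above returns nothing for them and why they are easy to misattribute in a capture.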

 

Static Settings (this section is of interest if you want to set this up permanently – for me that’s a primary project goal)

Several modifications need to be made to the /etc/network/interfaces file, so “vi /etc/network/interfaces”

I include an example file here:

———————————————————————————————————————-

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface

# I set this up in promiscuous mode for any network “sniffing” I may want to do in the future
auto eth0
iface eth0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

# The vlan 10 network interface

# This is an example of a logical vlan interface that has connectivity to a DHCP server
iface vlan10 inet dhcp
        pre-up ip link add link eth0 name vlan10 type vlan id 10
        post-down ip link del dev vlan10
auto vlan10

# The vlan192 network interface

# This is an example of a logical vlan interface that needs static / manual ip address information

iface vlan192 inet static
        pre-up ip link add link eth0 name vlan192 type vlan id 192
        post-down ip link del dev vlan192
        address 192.168.7.8
        netmask 255.255.255.0
auto vlan192


———————————————————————————————————————-

Don’t forget to save the file “:wq!”.
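A typo in that file only shows up at the next reboot, which is exactly when you least want to find it. As an added example (not from the original post, and not ifupdown's own parser), the following Python reads interfaces(5) stanzas of the shape shown above and checks the things this setup depends on: each vlanN stanza has a pre-up "ip link add" line whose VLAN id matches the interface name, the parent interface uses the manual method with no address of its own (so eth0 is never left on DHCP), and every vlan interface appears in an auto line. The two embedded configs are constructed: GOOD mirrors the file above, BAD has the mistakes the checker is meant to catch.

```python
import re

# Constructed sample mirroring the file shown in the post.
GOOD = """\
auto lo
iface lo inet loopback

# trunk carrier: no IP of its own, promiscuous for sniffing
auto eth0
iface eth0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

iface vlan10 inet dhcp
        pre-up ip link add link eth0 name vlan10 type vlan id 10
        post-down ip link del dev vlan10
auto vlan10

iface vlan192 inet static
        pre-up ip link add link eth0 name vlan192 type vlan id 192
        post-down ip link del dev vlan192
        address 192.168.7.8
        netmask 255.255.255.0
auto vlan192
"""

# Constructed sample with three mistakes: eth0 left on DHCP, a VLAN id that does
# not match the interface name, and a vlan interface missing from any auto line.
BAD = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

iface vlan172 inet static
        pre-up ip link add link eth0 name vlan172 type vlan id 192
        post-down ip link del dev vlan172
        address 172.16.7.8
        netmask 255.255.255.0
"""

VLAN_NAME = re.compile(r"^vlan(\d+)$")
ADD_LINK = re.compile(r"^ip link add link (\S+) name (\S+) type vlan id (\d+)$")


def parse_interfaces(text):
    """Minimal interfaces(5) reader: 'auto' names and per-iface method/options.
    Comments and blank lines are dropped; other stanza types are ignored."""
    cfg = {"auto": set(), "ifaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "auto":
            cfg["auto"].update(words[1:])
            current = None
        elif words[0] == "iface" and len(words) >= 4:
            current = {"family": words[2], "method": words[3], "options": []}
            cfg["ifaces"][words[1]] = current
        elif current is not None:
            current["options"].append((words[0], " ".join(words[1:])))
    return cfg


def check_vlan_config(cfg):
    """Return a list of problems; an empty list means the vlan stanzas are consistent."""
    problems = []
    for name, stanza in cfg["ifaces"].items():
        m = VLAN_NAME.match(name)
        if not m:
            continue
        want_id = int(m.group(1))
        if not 1 <= want_id <= 4094:
            problems.append(f"{name}: VLAN id {want_id} outside 1..4094")
        adds = [a for a in (ADD_LINK.match(v) for k, v in stanza["options"] if k == "pre-up") if a]
        if not adds:
            problems.append(f"{name}: no 'pre-up ip link add ... type vlan id' line")
            continue
        parent, link_name, link_id = adds[0].group(1), adds[0].group(2), int(adds[0].group(3))
        if link_name != name or link_id != want_id:
            problems.append(f"{name}: pre-up creates {link_name} with id {link_id}, expected id {want_id}")
        parent_stanza = cfg["ifaces"].get(parent)
        if parent_stanza is None:
            problems.append(f"{name}: parent {parent} has no iface stanza")
        else:
            if parent_stanza["method"] != "manual":
                problems.append(f"{name}: parent {parent} uses method '{parent_stanza['method']}', expected manual")
            if any(k == "address" for k, _ in parent_stanza["options"]):
                problems.append(f"{name}: parent {parent} carries its own address")
        if name not in cfg["auto"]:
            problems.append(f"{name}: not listed in an 'auto' line, will not come up at boot")
    return problems


if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_vlan_config(parse_interfaces(text)) or "ok")
```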

 

Last thing is to reconfigure the VMserver environment:

  1. At the root prompt type “/usr/bin/vmware-config.pl”  or at the user prompt “sudo /usr/bin/vmware-config.pl”
  2. When it asks to set up various network information the ones of highest interest is the Bridged.  Ensure you choose to set a bridged network for each vlan – I chose to name mine “Bridged10″, “Bridged172″, and “Bridged192″ after the logical vlan interfaces they would operate on.
  3. Go into the VMware Server web GUI “https://serverip:8333” (you can do this from a remote system since you probably don’t have a graphical front end or web browser on the VMware Server) and for each guest that has been created ensure that the correct bridged network is selected.  For me that meant selecting each Linux guest and changing its network to “Bridged192” and selecting each Microsoft guest and changing its network to “Bridged10”.

 

Note: I did this for VMware applications, but it’s not a terrible way to configure a Linux firewall that has only one physical interface.  Just set the default route to the IP address given on each logical vlan interface, then enable IP forwarding on the Linux system.

 


