Monday, June 29, 2015

Restart ssh service in linux

[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>ssh ats-earms-lnx
ssh: connect to host ats-earms-lnx port 22: Connection refused
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>ping ats-earms-lnx
PING ats-earms-lnx.cisco.com (10.105.33.158) 56(84) bytes of data.
64 bytes from ats-earms-lnx.cisco.com (10.105.33.158): icmp_seq=1 ttl=59 time=0.399 ms
64 bytes from ats-earms-lnx.cisco.com (10.105.33.158): icmp_seq=2 ttl=59 time=0.411 ms
64 bytes from ats-earms-lnx.cisco.com (10.105.33.158): icmp_seq=3 ttl=59 time=0.401 ms
64 bytes from ats-earms-lnx.cisco.com (10.105.33.158): icmp_seq=4 ttl=59 time=0.389 ms

--- ats-earms-lnx.cisco.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.389/0.400/0.411/0.007 ms
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>rsh ats-earms-lnx
Last login: Wed Jun 10 20:08:57 from bgl-ads-843.cisco.com
Cisco Linux 5.03-4 Kickstarted on: Mon Dec 19 08:30:34 IST 2011.
Terminal is set to: vt100
Display is set to: bgl-ads-843:1
ats-earms-lnx>
ats-earms-lnx>

Log in as root (here over rsh, which the box still accepted: rsh/rlogin is cleartext and trusts the calling host, so it is a handy emergency path in a lab but should not stay enabled as a permanent way around a dead sshd).

Execute "/etc/init.d/sshd restart"

Before restarting it is worth confirming that sshd_config still parses (sshd has a test-only mode for exactly this); otherwise a broken config turns "Connection refused" into a daemon that will not come up at all.

Log out and try to ssh again; it should work:

ats-earms-lnx>
srikragh logged out at Tue Jun 30 10:27:53 IST 2015.
rlogin: connection closed.
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>
[bgl-ads-843:/auto/tftp-eARMS3-blr/dhcp]>ssh ats-earms-lnx
Last login: Tue Jun 30 10:27:43 2015 from ats-earms-lnx
Cisco Linux 5.03-4 Kickstarted on: Mon Dec 19 08:30:34 IST 2011.
Terminal is set to: vt100
Display is set to: bgl-ads-843:1
ats-earms-lnx>
ats-earms-lnx>

Source: http://www.cyberciti.biz/faq/howto-restart-ssh/

Parallel login to routers in a testbed

Each gnome-terminal tab below opens one console session: telnet to a terminal-server port, or ssh to the jump host ats-earms-lnx and telnet onward from there. Everything except the ssh hop is cleartext, so these scripts only belong on an isolated lab network.

#############################################################################

bgl-ads-843>more polaris_setup
gnome-terminal \
--tab -t "K-MC-1" -e "bash -c \"telnet 10.64.67.58 2004; exec bash\"" \
--tab -t "K-MC-shell" -e "bash -c \"ssh -t ats-earms-lnx 'telnet 9.27.110.153'; exec bash\"" \
--tab -t "K-MC-AP" -e "bash -c \"telnet 10.64.67.50 2003; exec bash\"" \
--tab -t "MA-1" -e "bash -c \"telnet 10.64.67.50 2010; exec bash\"" \
--tab -t "MA-1-shell" -e "bash -c \"ssh -t ats-earms-lnx 'telnet 9.27.14.84'; exec bash\"" \
--tab -t "MA-2" -e "bash -c \"telnet 10.64.67.50 2011; exec bash\"" \
--tab -t "MA-2-shell" -e "bash -c \"ssh -t ats-earms-lnx 'telnet 9.27.14.88'; exec bash\"" \
--tab -t "E-AP-1" -e "bash -c \"telnet 10.64.67.50 2015; exec bash\"" \
--tab -t "E-AP-2" -e "bash -c \"telnet 10.64.67.50 2006; exec bash\"" \
--tab -t "FR-121" -e "bash -c \"ssh root@10.104.99.121; exec bash\""

##########################################################################

[bgl-ads-843:/users/srikragh]>more beni_setup
gnome-terminal \
--tab -t "E-MC-1" -e "bash -c \"telnet 10.64.67.58 2003; exec bash\"" \
--tab -t "E-MC-AP" -e "bash -c \"telnet 10.64.67.50 2008; exec bash\"" \
--tab -t "E-MA-1" -e "bash -c \"telnet 10.64.67.54 2002; exec bash\"" \
--tab -t "E-MA-2" -e "bash -c \"telnet 10.64.67.54 2003; exec bash\"" \
--tab -t "E-AP-1" -e "bash -c \"telnet 10.64.67.54 2004; exec bash\"" \
--tab -t "E-AP-2" -e "bash -c \"telnet 10.64.67.54 2005; exec bash\"" \
--tab -t "FR-121" -e "bash -c \"ssh root@10.104.99.121; exec bash\""

############################################################################

Sunday, June 28, 2015

Parallel ping from windows PC

File-1 = ping_google.bat

ping google.com -t

File-2 = ping_loop.bat [starts 30 copies of ping_google.bat in the background; each copy sends one echo request per second, so the aggregate is roughly 30 requests per second until the pings are stopped]

@echo off
cls
Set Sleep=0
:start
if %Sleep% == 30 ( goto end )
start /b ping_google.bat
echo This is a loop
Set /A Sleep+=1
echo %Sleep%
goto start
:end
echo "am 30 now"
pause

###########################################################
Below sample can be used to send exactly 1000 packets from the PC: 20 background copies of ping_50.bat, each sending 50 echo requests (-n 50) with a 1400-byte payload (-l 1400) and waiting at most 500 ms for each reply (-w 500). 123.123.123.123 is the target used in the author's testbed; substitute your own.

File-1 = ping_50.bat

ping 123.123.123.123 -l 1400 -w 500 -n 50

File-2 =

@echo off
cls
Set Sleep=0
:start
if %Sleep% == 20 (goto end)
start /b ping_50.bat
echo This is a loop
Set /A Sleep+=1
echo %Sleep%
goto start
:end
echo "am 20 now"
pause

Monday, June 22, 2015

Parallel SSH script

This is a continuous load/authentication test: parallel-ssh fans each command out to every host in the list, and the outer loop never ends (a is never changed), so stop it with Ctrl-C. The passwords are given with sshpass -p, which puts them on the command line where any local user can read them from the process list; outside a throwaway lab use sshpass -e (password in the SSHPASS environment variable) or -f with a mode-600 file instead.

Use the hosts file below to configure the hosts list; one target per line, and a duplicated address (as here) is simply hit twice per pass:
##############################################################
virl@virl:~$ more test14
9.27.110.221
9.27.110.221
virl@virl:~$
###############################################################
virl@virl:~$ more test
#!/bin/bash
# Continuous load test: every pass tries each account against every host in
# the file "test14". The loop condition never changes, so this runs until
# interrupted. Each parallel-ssh call prompts for a password (-A) and sshpass
# supplies it.
a=1
while [ $a -gt 0 ]
do
  # Pass 1: every account with the single password "test"
  for u in test test1 test2 test3 test4; do
    sshpass -p test parallel-ssh -h test14 -l "$u" -A "show version"
  done
  for n in $(seq 5 14); do
    sshpass -p test parallel-ssh -h test14 -l "test$n" -A "show clock"
  done
  # Pass 2: every account with its own password (test1/test1, test2/test2, ...)
  for n in $(seq 1 4); do
    sshpass -p "test$n" parallel-ssh -h test14 -l "test$n" -A "show version"
  done
  for n in $(seq 5 14); do
    sshpass -p "test$n" parallel-ssh -h test14 -l "test$n" -A "show clock"
  done
done
virl@virl:~$
virl@virl:~$

Setting up freeradius in ubuntu

apt-get install freeradius
apt-get install freeradius-utils
 
chkconfig freeradius on
(chkconfig is a Red Hat tool and is only an add-on package on Ubuntu; the native equivalent is update-rc.d freeradius defaults.)
 
service freeradius restart
 
Edit /etc/freeradius/clients.conf
 
Below is the sample file after editing. Two things in it are lab-only: the same short secret (rad123) is reused for every client, although the file's own comment asks for a random secret of at least 16 characters, and require_message_authenticator is left at "no", so the server does not insist on the HMAC that protects an Access-Request from tampering.
 
# -*- text -*-
##
## clients.conf -- client configuration directives
##
##      $Id$
 
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
 
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
 
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        ipaddr = 10.104.99.222
 
        #  OR, you can use an IPv6 address, but not both
        #  at the same time.
        ipv6addr = ::
 
        # ::1 == localhost
        #
        #  A note on DNS:  We STRONGLY recommend using IP addresses
        #  rather than host names.  Using host names means that the
        #  server will do DNS lookups when it starts, making it
        #  dependent on DNS.  i.e. If anything goes wrong with DNS,
        #  the server won't start!
        #
        #  The server also looks up the IP address from DNS once, and
        #  only once, when it starts.  If the DNS record is later
        #  updated, the server WILL NOT see that update.
        #
 
        #  One client definition can be applied to an entire network.
        #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
        #  "netmask = 8"
        #
        #  If not specified, the default netmask is 32 (i.e. /32)
        #
        #  We do NOT recommend using anything other than 32.  There
        #  are usually other, better ways to achieve the same goal.
        #  Using netmasks of other than 32 can cause security issues.
        #
        #  You can specify overlapping networks (127/8 and 127.0/16)
        #  In that case, the smallest possible network will be used
        #  as the "best match" for the client.
        #
        #  Clients can also be defined dynamically at run time, based
        #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
        #  etc.
        #  See raddb/sites-available/dynamic-clients for details.
        #
 
#       netmask = 32
 
        #
        #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 8k characters in length.
        #
        #  Control codes can be entered vi octal encoding,
        #       e.g. "\101\102" == "AB"
        #  Quotation marks can be entered by escaping them,
        #       e.g. "foo\"bar"
        #
        #  A note on security:  The security of the RADIUS protocol
        #  depends COMPLETELY on this secret!  We recommend using a
        #  shared secret that is composed of:
        #
        #       upper case letters
        #       lower case letters
        #       numbers
        #
        #  And is at LEAST 8 characters long, preferably 16 characters in
        #  length.  The secret MUST be random, and should not be words,
        #  phrase, or anything else that is recognizable.
        #
        #  The default secret below is only for testing, and should
        #  not be used in any real environment.
        #
        secret          = rad123
 
        #
        #  Old-style clients do not send a Message-Authenticator
        #  in an Access-Request.  RFC 5080 suggests that all clients
        #  SHOULD include it in an Access-Request.  The configuration
        #  item below allows the server to require it.  If a client
        #  is required to include a Message-Authenticator and it does
        #  not, then the packet will be silently discarded.
        #
        #  allowed values: yes, no
        require_message_authenticator = no
 
        #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.
        #
        #  It is accepted for compatibility with 1.x, but it is no
        #  longer necessary in 2.0
        #
#       shortname       = localhost
 
        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #
 
        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        #  use to query the NAS for simultaneous use.
        #
        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types
 
        #
        nastype     = cisco     # localhost isn't usually a NAS...
 
        #
        #  The following two configurations are for future use.
        #  The 'naspasswd' file is currently used to store the NAS
        #  login name and password, which is used by checkrad.pl
        #  when querying the NAS for simultaneous use.
        #
#       login       = !root
#       password    = someadminpas
 
        #
        #  As of 2.0, clients can also be tied to a virtual server.
        #  This is done by setting the "virtual_server" configuration
        #  item, as in the example below.
        #
#       virtual_server = home1
 
        #
        #  A pointer to the "home_server_pool" OR a "home_server"
        #  section that contains the CoA configuration for this
        #  client.  For an example of a coa home server or pool,
        #  see raddb/sites-available/originate-coa
#       coa_server = coa
}
 
# IPv6 Client
client 2001::1 {
        secret          = rad123
        shortname       = AAA_ASR1
}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#       secret          = testing123
#       shortname       = localhost
#}
 
#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}
 
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
client 9.14.14.14 {
        secret          = rad123
        shortname       = asr1k_2054
}
#
client 9.27.110.102 {
        secret          = rad123
        shortname       = AAA_ASR1
}
 
 
#client 10.10.10.10 {
#       # secret and password are mapped through the "secrets" file.
#       secret      = testing123
#       shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#       nastype     = livingston
#       login       = !root
#       password    = someadminpas
#}
 
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#       client 192.168.3.4 {
#               secret = testing123
#        }
#}
 
 
Open the RADIUS ports (1812/1813 are the IANA-assigned ports, 1645/1646 the legacy ones still used by older NAS configurations). Each rule is inserted at position 1, which is why iptables-save lists them in reverse order; with all four being ACCEPT the order does not matter. As written they accept from any source, so on anything but a lab box add -s <NAS address> to each rule.
root@ubuntu-2:~#
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1812 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1813 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1645 -j ACCEPT
root@ubuntu-2:~# iptables -I INPUT 1 -p udp --dport 1646 -j ACCEPT
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~# iptables-save
# Generated by iptables-save v1.4.12 on Sat Oct 25 14:11:30 2014
*filter
:INPUT ACCEPT [36:4425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:2880]
-A INPUT -p udp -m udp --dport 1646 -j ACCEPT
-A INPUT -p udp -m udp --dport 1645 -j ACCEPT
-A INPUT -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -p udp -m udp --dport 1812 -j ACCEPT
COMMIT
# Completed on Sat Oct 25 14:11:30 2014
root@ubuntu-2:~#
root@ubuntu-2:~#
root@ubuntu-2:~#
 
Make sure you edit the users file as per your requirement. Below is a sample "users" file for your reference (the passwords are stored in clear, so keep the file readable by root and the freerad user only):
 
client2     Cleartext-Password := "welcome"
            Service-Type =  Login,
            Cisco-Avpair = "shell:priv-lvl=15"
 
client_test Cleartext-Password := "cisco"
            Service-Type =  Login-User,
            Cisco-Avpair = "shell:priv-lvl=15"
 
client1     Cleartext-Password := "welcome"
            Service-Type = Framed
 
# $enab15$ is the user name IOS sends when "enable" is authenticated via RADIUS
$enab15$    Cleartext-Password := "rad123"
            Cisco-Avpair = "shell:priv-lvl=15"
 
 
########################################################
 
Start one server instance per listening address and port (legacy 1645 and standard 1812, on both the IPv4 and the IPv6 address). -X is full debug mode: it prints every request, including decrypted User-Password values, to the terminal, so use it for bring-up only and run the normal service afterwards.

/usr/sbin/freeradius -i 2001::1234 -p 1645 -X &
/usr/sbin/freeradius -i 10.104.99.222 -p 1645 -X &
/usr/sbin/freeradius -i 2001::1234 -p 1812 -X &
/usr/sbin/freeradius -i 10.104.99.222 -p 1812 -X &
 
 
#######################################################
 
The logs can be found in below path:
 
/var/log/freeradius
 
Accounting records will be stored in below path:
 
/var/log/freeradius/radacct
 
Sample test command

radtest client1 welcome 10.104.99.222 1 cisco

The arguments are: user name, password, server address, NAS-Port value and the shared secret. The secret must be the one configured for the client entry that covers the address the request arrives from; with PAP a wrong secret does not produce an error, it just decrypts User-Password to garbage and the login fails.
 
root@ubuntu-2:/etc/freeradius# radtest client1 welcome 10.104.99.222 1 cisco
Sending Access-Request of id 105 to 10.104.99.222 port 1645
        User-Name = "client1"
        User-Password = "welcome"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
rad_recv: Access-Request packet from host 10.104.99.222 port 44808, id=105, length=59
        User-Name = "client1"
        User-Password = "welcome"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "client1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry client1 at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "welcome"
[pap] Using clear text password "welcome"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 105 to 10.104.99.222 port 44808
        Service-Type = Framed-User
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Accept packet from host 10.104.99.222 port 1645, id=105, length=26
        Service-Type = Framed-User
root@ubuntu-2:/etc/freeradius#
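The exchange that radtest and the server just performed, rebuilt as an added example (not code from the original post or from FreeRADIUS): it assembles the same 59-byte Access-Request, obfuscates User-Password the way RFC 2865 PAP does, and shows the three places the shared secret enters: the password obfuscation, the Response Authenticator on the 26-byte Access-Accept seen in the log, and the Message-Authenticator that require_message_authenticator = yes would enforce. The request authenticator is a fixed constructed value here; a real client draws 16 random bytes.

```python
"""RADIUS PAP request/response building and verification (RFC 2865, RFC 2869).
Added example, not code from the original post or from FreeRADIUS; standard
library only. The request authenticator used at the bottom is a constructed
constant; a real client draws 16 random bytes per request."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, MESSAGE_AUTHENTICATOR, FRAMED_USER = 6, 80, 2


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), the chain seeded with the Request Authenticator."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_decrypt(ciphertext, secret, authenticator):
    """Inverse of pap_encrypt; the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def find_attr(pkt, attr_type):
    """(offset, value) of the first attribute of that type, or None."""
    pos = 20
    while pos + 2 <= len(pkt):
        length = pkt[pos + 1]
        if length < 2:
            return None  # malformed attribute: stop rather than loop forever
        if pkt[pos] == attr_type:
            return pos, pkt[pos + 2:pos + length]
        pos += length
    return None


def access_request(user, password, secret, ident, authenticator, message_auth=True):
    """Same attributes radtest sends: User-Name, User-Password, NAS-IP-Address,
    NAS-Port and, unless disabled, the RFC 2869 Message-Authenticator."""
    attrs = avp(USER_NAME, user.encode())
    attrs += avp(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
    attrs += avp(NAS_IP_ADDRESS, bytes([127, 0, 1, 1])) + avp(NAS_PORT, struct.pack("!I", 1))
    if not message_auth:
        return packet(ACCESS_REQUEST, ident, authenticator, attrs)
    # HMAC-MD5 over the whole packet with the attribute's own value zeroed.
    zeroed = packet(ACCESS_REQUEST, ident, authenticator,
                    attrs + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet(ACCESS_REQUEST, ident, authenticator, attrs + avp(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(pkt, secret):
    """The check that require_message_authenticator = yes makes the server enforce."""
    hit = find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if hit is None:
        return False
    pos, value = hit
    zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def access_accept(request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client-side check of the Response Authenticator against the request it answers."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret, nonce = b"rad123", bytes(range(16))
    req = access_request("client1", "welcome", secret, 105, nonce, message_auth=False)
    print(len(req), "byte request;", pap_decrypt(find_attr(req, USER_PASSWORD)[1], secret, nonce))
    print("wrong secret decrypts to:", pap_decrypt(find_attr(req, USER_PASSWORD)[1], b"cisco", nonce))
    acc = access_accept(req, secret, avp(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)))
    print(len(acc), "byte accept; valid with rad123:", verify_response(acc, req, secret),
          "with cisco:", verify_response(acc, req, b"cisco"))
```

Decrypting with the wrong secret yields garbage rather than an error, which is why a mismatched secret in radtest shows up as a failed login and not as a protocol error. Without a Message-Authenticator nothing in an Access-Request except the password field is integrity-protected, which is the gap RFC 5080 closes and the reason to set require_message_authenticator = yes once every NAS sends it.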
 

Bringing UP Virtual Spirent ports

Power off the existing Spirent VM that you would like to clone.
 
Go to the Configuration tab of the ESXi server and click Storage in the Hardware section.
 
Right-click on the datastore listed and select Browse Datastore.
 
Add a new folder and copy the below files from the existing Spirent VM's folder to the new one.
 
   
Right-click on the copied *.vmx file and select Add to Inventory, then step through the wizard.
 
Add as many physical NICs as your setup requires and associate each NIC with a separate vSwitch.
 
Associate the VM NICs with the appropriate vSwitch.
 
Power on the VM, open the VM console and wait for the login screen.
 
Login using username = admin
pwd: spt_admin
 
These are the appliance defaults; change the password before the port is reachable from anything other than the test network.
 
Type "help" to view the list of available commands.
 
For example, configure the management IP address for the VM using the "ipaddress" command.
 
Finally execute the command "activate" and reboot the VM for the settings to take effect.

Configuring Syslog

Steps to configure syslog server logging on Cisco IOS routers:
 
1. Make sure logging is enabled with the logging on command.
Router(config)# logging on
2. Specify the syslog server that is to receive the router's messages with the logging ip_address command, where ip_address is the address of the collector (logging host ip_address is the equivalent long form).
Router(config)# logging 2.2.2.2
3. Limit which messages are sent to the server by setting the trap level, for example logging trap informational. "informational" is severity 6, so everything from level 0 (emergencies) up to and including level 6 (informational) is sent; only level 7 (debugging) is held back. Plain syslog is UDP/514, cleartext and unauthenticated, so the collector should sit on the management network.
Router(config)# logging trap informational
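Which lines actually reach the collector, as an added example (not from the original post or from Cisco): a parser for the IOS message format and a filter that applies the trap level the same way the router does, so you can check that the configured level keeps the events your detection rules depend on. The sample log lines are constructed, with documentation-range addresses.

```python
"""Cisco IOS syslog parsing and "logging trap" filtering. Added example, not
from the original post or from Cisco; the log lines are constructed in the IOS
format (sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC: text) with
documentation-range addresses."""
import re

# Level names accepted by "logging trap <level>"; lower number = more severe.
TRAP_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
LEVEL_NAMES = {v: k for k, v in TRAP_LEVELS.items()}

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]*)(?:-(?P<sub>[A-Z][A-Z0-9_]*))?"
                    r"-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

SAMPLE_LOG = [  # constructed sample lines
    "000045: *Jun 29 10:27:53.120 IST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]",
    "000046: *Jun 29 10:28:01.004 IST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
    "000047: *Jun 29 10:28:05.331 IST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000048: *Jun 29 10:28:05.332 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/1, changed state to down",
    "000049: *Jun 29 10:28:09.000 IST: %SYS-7-USERLOG_DEBUG: Message from tty2(user id: lab): test",
]


def parse_ios_syslog(line):
    """Structured fields of an IOS syslog line, or None when the line carries no
    %FACILITY-SEVERITY-MNEMONIC code (e.g. console chatter)."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"facility": m["facility"], "severity": int(m["severity"]),
            "mnemonic": m["mnemonic"], "text": m["text"]}


def forwarded_at_trap(level_name, lines):
    """Lines the router sends to the syslog host at 'logging trap <level_name>':
    every message whose severity number is <= the trap level."""
    limit = TRAP_LEVELS[level_name]
    kept = []
    for line in lines:
        parsed = parse_ios_syslog(line)
        if parsed and parsed["severity"] <= limit:
            kept.append(line)
    return kept


def required_trap_level(mnemonics, lines):
    """Least verbose trap level that still forwards every message type in
    'mnemonics' (the ones detection rules key on), learned from the lines seen."""
    needed = []
    for line in lines:
        parsed = parse_ios_syslog(line)
        if parsed and parsed["mnemonic"] in mnemonics:
            needed.append(parsed["severity"])
    if not needed:
        raise ValueError("none of the requested mnemonics appear in the sample")
    return LEVEL_NAMES[max(needed)]


if __name__ == "__main__":
    for level in ("errors", "warnings", "informational"):
        print(level, "forwards", len(forwarded_at_trap(level, SAMPLE_LOG)), "of", len(SAMPLE_LOG))
    print("config changes and failed logins need at least:",
          required_trap_level({"CONFIG_I", "LOGIN_FAILED"}, SAMPLE_LOG))
```

The practical point is the last function: a router left at logging trap warnings still exports failed logins (severity 4) but silently drops CONFIG_I (severity 5), so a rule that alerts on configuration changes never fires. Check the required level against the message types your SIEM content uses before trusting the feed.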

NAT configuration in cent OS

Step-By-Step Configuration of NAT with iptables

 
Step #1. Add 2 network cards to the Linux box
Step #2. Verify that both network cards are present and configured
ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l
    ( The output should be "2")
Step #3. Configure eth0 for Internet with a Public ( IP External network or Internet)
cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255    # Optional Entry
HWADDR=00:50:BA:88:72:D4    # Optional Entry
IPADDR=xx.xx.xx.xx
NETMASK=255.255.255.0    # Provided by the ISP
NETWORK=xx.xx.xx.0       # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1    # Provided by the ISP
Step #4. Configure eth1 for LAN with a Private IP (Internal private network)
cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05    # Optional 
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.0.0        # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.2.1        # Gateway of the LAN
NETWORK=192.168.0.0        # Optional
USERCTL=no
ONBOOT=yes
Step #5. Host Configuration    (Optional)
cat /etc/hosts
    127.0.0.1       nat localhost.localdomain   localhost
Step #6. Gateway Configuration
cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=nat
    GATEWAY=xx.xx.xx.1    # Internet Gateway, provided by the ISP
 
Step #7. DNS Configuration
cat /etc/resolv.conf
    nameserver 203.145.184.13      # Primary DNS Server provided by the ISP
    nameserver 202.56.250.5        # Secondary DNS Server provided by the ISP
Step #8. NAT configuration with IP Tables
    # Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush            # Flush all the rules in the filter table
iptables --table nat --flush
iptables --delete-chain     # Delete all user-defined chains in the filter table
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# Enables packet forwarding by kernel (runtime only; put net.ipv4.ip_forward = 1
# in /etc/sysctl.conf so it survives a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Persist the configuration. "service iptables restart" reloads /etc/sysconfig/iptables
# and would discard the rules just added, so save first and only then restart.
service iptables save
service iptables restart

Source : http://www.howtoforge.com/nat_iptables

If forwarding still does not work, try the rules below (one per line; the original listing had all three on one line). The first and third repeat Step #8, the second adds an unconditional accept for traffic forwarded into the LAN:

  iptables -A FORWARD -i eth1 -j ACCEPT
  iptables -A FORWARD -o eth1 -j ACCEPT
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

"-o eth1 -j ACCEPT" lets any inbound packet be forwarded to the LAN. With the FORWARD chain's default policy at ACCEPT (as after Step #8) it changes nothing; if the policy is DROP, accept only reply traffic there with -m state --state ESTABLISHED,RELATED instead.
 

Configuring SNMP based LI

The required MIBS are attached.
 
Below are the Steps:
 
To allow the SNMP tools on your CentOS server to use object names rather than numeric OIDs:
 
Create /etc/snmp/snmp.conf with the following lines
mibs +CISCO-SMI
mibs +CISCO-TAP2-MIB
mibs +CISCO-IP-TAP-MIB
mibs +CISCO-USER-CONNECTION-TAP-MIB
 
Please add the attached MIB files to /usr/share/snmp/mibs
 
i.e.
SNMPv2-SMI-V1SMI
SNMPv2-TC-V1SMI
SNMPv2-SMI
SNMPv2-TC
CISCO-SMI
CISCO-USER-CONNECTION-TAP-MIB
CISCO-TAP2-MIB
CISCO-IP-TAP-MIB
 
For configuring taps:
 
Aspects which need to be changed once:
Device IP
SNMP username
SNMP authentication password (the commands below run at AuthNoPriv, i.e. authenticated but unencrypted; provisioning data that names the subscriber and the mediation device should go authPriv, with a privacy protocol and password as well)
MD IP (aka cTap2MediationDestAddress)
MD source interface on the ASR (aka cTap2MediationSrcInterface; use show snmp mib ifmib ifindex <interface> to get the value)
 
Aspects which will need to be potentially changed for different customer taps:
citapStreamSourceAddress and citapStreamDestinationAddress, i.e. the subscriber IP. The same address is used in all four places because the two streams mirror each other: in stream .5 the source is matched on /32 and the destination on /0 (traffic from the subscriber to anywhere), in stream .6 the destination is /32 and the source /0 (traffic from anywhere to the subscriber), so together they cover both directions.
citapStreamVRF, i.e. the customer VRF in use for that subscriber.
 
Each time, check the timeout of the tap: after the timeout date the tap deactivates itself. Taps are also removed when the ASR reloads and must then be reprovisioned.
 
cTap2MediationTimeout is an SNMPv2-TC DateAndTime value; the 8-byte form used here is:
#07 db 0a 0f 00 00 00 00
#^---^ ^  ^  ^---------^
#  |   |  |      |------ Hour, minute, second and deci-second (one byte each), generally all 0s here
#  |   |  |
#  |   |  |------------- Day of month in hex (one byte), 0f = 15
#  |   |---------------- Month in hex (one byte), 0a = 10 (October)
#  |
#  |-------------------- Year in hex (two bytes), 0x07db = 2011
 
#### DATE MUST BE WITHIN NEXT 20 DAYS, otherwise intercept will NOT WORK
 
If you need multiple customer taps, you will need to change the indexing.
 
For the SNMP set commands related to the MD, replace the .2 on the end of each object with a number not used by another tap,
e.g. cTap2MediationStatus.2 becomes cTap2MediationStatus.3
 
That same number also replaces the .2 in the stream objects, and you need new stream indexes that are not used by another tap for all the other commands,
 
e.g. citapStreamAddrType.2.5 becomes citapStreamAddrType.3.10, citapStreamAddrType.2.6 becomes citapStreamAddrType.3.11
 
#Provision Commands
 
#MD
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2MediationStatus.2 i 4 cTap2MediationDestAddressType.2 i 1 cTap2MediationDestAddress.2 d "10 66 76 120" cTap2MediationDestPort.2 u 9995 cTap2MediationTransport.2 i 1 cTap2MediationTimeout.2 x "07DE 02 1C 00 00 00 00" cTap2MediationSrcInterface.2 i 0
 
#IP Details for Sub
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamAddrType.2.5 i 1 citapStreamDestinationAddress.2.5 d "10 66 76 77" citapStreamDestinationLength.2.5 u 0 citapStreamDestL4PortMin.2.5 u 0  citapStreamDestL4PortMax.2.5 u 65535 citapStreamSourceAddress.2.5 d "10 66 76 77" citapStreamSourceLength.2.5 u 32 citapStreamSourceL4PortMin.2.5 u 0  citapStreamSourceL4PortMax.2.5 u 65535 citapStreamFlowId.2.5 i -1 citapStreamProtocol.2.5 i -1 citapStreamTosByte.2.5 i 0 citapStreamTosByteMask.2.5 i 0 citapStreamInterface.2.5 i -1 citapStreamVRF.2.5 s "" citapStreamStatus.2.5 i 4
 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamAddrType.2.6 i 1 citapStreamDestinationAddress.2.6 d "10 66 76 77" citapStreamDestinationLength.2.6 u 32 citapStreamDestL4PortMin.2.6 u 0  citapStreamDestL4PortMax.2.6 u 65535 citapStreamSourceAddress.2.6 d "10 66 76 77" citapStreamSourceLength.2.6 u 0 citapStreamSourceL4PortMin.2.6 u 0  citapStreamSourceL4PortMax.2.6 u 65535 citapStreamFlowId.2.6 i -1 citapStreamProtocol.2.6 i -1 citapStreamTosByte.2.6 i 0 citapStreamTosByteMask.2.6 i 0 citapStreamInterface.2.6 i -1 citapStreamVRF.2.6 s "" citapStreamStatus.2.6 i 4
 
#Generic Stream for Sub, turns on Tap
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamType.2.5 i 1 cTap2StreamInterceptEnable.2.5 i 1 cTap2StreamStatus.2.5 i 4
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamType.2.6 i 1 cTap2StreamInterceptEnable.2.6 i 1 cTap2StreamStatus.2.6 i 4
 
#Remove Tap
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 citapStreamStatus.2.5 i 6 citapStreamStatus.2.6 i 6 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamStatus.2.5 i 6 cTap2StreamStatus.2.6 i 6 
snmpset -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2MediationStatus.2 i 6
 
#Check if tap is intercepting packets
snmpget -v3 -u markLI -a MD5 -A cisco123 -l AuthNoPriv 10.66.76.16 cTap2StreamInterceptedHCPackets.2.5 cTap2StreamInterceptedHCPackets.2.6 
 
 
Source: Mark Fisher (markfis) <markfis@cisco.com>

How to Install the BIND DNS Server on CentOS 6

Initial BIND Installation

 


To begin, we will need to install the BIND and BIND Utilities packages using yum.
yum install bind bind-utils -y

Next, we'll open the BIND (named) configuration file and make several modifications.
nano -w /etc/named.conf

Your "options" section should appear as follows, replacing 2.2.2.2 with the IP of your second droplet.
options {
        #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-transfer     { localhost; 2.2.2.2; };
        recursion no;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

Above, listen-on must be commented out so that named listens on all available interfaces. Recursion should be turned off so that your server cannot be abused in "reflection" DDoS attacks; an authoritative-only server has no reason to answer recursive queries from the internet. The allow-transfer directive whitelists transfers to your secondary droplet's IP; an address ACL is the minimum, and a TSIG key shared by both servers is the stronger option. Furthermore, the allow-query directive is set to "any" so that users can query the hosted zones. The dnssec-lookaside line was still standard on CentOS 6; the ISC DLV registry has since been shut down, so remove it on any current BIND.

Next, we'll want to add a new zone for our first domain, you should add the following to your named.conf below the existing zones.
        zone "mydomain.com" IN {
                type master;
                file "mydomain.com.zone";
                allow-update { none; };
        };

After saving named.conf with the changes above, we're ready to create our first zone file.

Configure BIND Zones

 


Firstly, we'll need to open the zone file, using the name you specified in the configuration above. (Ex: mydomain.com.zone)
nano -w /var/named/mydomain.com.zone

We'll add the following contents to our newly created file. You should replace the applicable information with your own, where 1.1.1.1 is the IP of your first droplet, 2.2.2.2 is the IP of your second droplet and 3.3.3.3 is the IP you wish to point the domain itself to, such as a droplet running a webserver. You are free to add additional entries in the same format.
$TTL 86400
@   IN  SOA     ns1.mydomain.com. root.mydomain.com. (
        2013042201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
; Specify our two nameservers
        IN      NS      ns1.mydomain.com.
        IN      NS      ns2.mydomain.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1     IN      A       1.1.1.1
ns2     IN      A       2.2.2.2
; Define hostname -> IP pairs which you wish to resolve
@       IN      A       3.3.3.3
www     IN      A       3.3.3.3

We can now start named for the first time. This may take several minutes while named generates the rndc.key file, which only occurs on first execution.
service named restart

Once named has started successfully, we'll want to ensure that it is enabled as a startup service, by running the following:
chkconfig named on

By now, we should have a fully operational primary nameserver. You can verify that BIND is working correctly by running the following command, replacing 1.1.1.1 with the IP of your first droplet.
dig @1.1.1.1 mydomain.com

If you receive a response which includes an answer and an authority section, your nameserver has been configured correctly.

Slave Nameserver Configuration

 


With our primary nameserver configured, we'll now set up a slave nameserver on our second cloud server. As always, make sure your system is up to date by checking for updates with yum as follows:
yum update -y

We can start by installing BIND (and related utilities) on the second droplet, in the same manner as the first:
yum install bind bind-utils -y

We'll proceed by opening named.conf and making the same changes we made previously, omitting the "allow-transfer" line. This directive is unnecessary, as we will only be transferring records from our primary nameserver.
nano -w /etc/named.conf

options {
        #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion no;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

We will add the zone we configured on the first droplet, this time changing the "type" directive to slave instead of master. You should replace "1.1.1.1" with your first droplet's IP address. If named later logs "permission denied" when writing the transferred zone, point "file" at the writable slaves/ subdirectory (file "slaves/mydomain.com.zone"): on CentOS the top of /var/named is not writable by the named user.
zone "mydomain.com" IN {
        type slave;
        masters { 1.1.1.1; };
        file "mydomain.com.zone";
};

After configuring our slave zone, we'll start named. Again this may take several minutes while our rndc.key file is initially generated.
service named start

As with the first cloud server, we want to ensure named is set to run at startup with the following:
chkconfig named on

Your slave nameserver should now be up and running. You can verify that it is fully operational by using dig again, replacing 2.2.2.2 with the IP of your second droplet.
dig @2.2.2.2 mydomain.com

After any changes you make to the master zone files, you will need to instruct BIND to reload. Remember that you must also increment the "serial" in the SOA record: the slave compares serials, and if the master's has not changed it sees nothing to transfer.

To reload the zone files, run the following command on the master nameserver, followed by the slave (the master also sends a NOTIFY, so an up-to-date slave usually picks the change up on its own; rndc retransfer <zone> on the slave forces it):
rndc reload
Source:

Disabling firewall in CENT OS

Task: Disable firewall

This leaves the host with no packet filter at all. That is fine on an isolated testbed; on anything reachable from other networks, keep the firewall and open just the ports you need (as done for RADIUS above). "service iptables save" first writes the current rules to /etc/sysconfig/iptables so they come back unchanged when the service is re-enabled.

Type the following command as the root user to disable the firewall for IPv4:
# service iptables save
# service iptables stop
# chkconfig iptables off
[Screenshot omitted: Red Hat Enterprise Linux, disabling the iptables IPv4 firewall]

Type the following command as the root user to disable firewall for IPv6 :
# service ip6tables save
# service ip6tables stop
# chkconfig ip6tables off

Task: Enable firewall

Type the following command as the root user to enable firewall for IPv4:
# service iptables start
# chkconfig iptables on

Sample outputs:
iptables: Applying firewall rules:                         [  OK  ]
Type the following command as the root user to enable the firewall for IPv6:
# service ip6tables start
# chkconfig ip6tables on

Task: Verify that firewall is disabled

Type the following command as root user to see IPv4 firewall rules:
# /sbin/iptables -L -v -n
OR
# service iptables status
Type the following command as root user to see IPv6 firewall rules:
# /sbin/ip6tables -L -v -n
OR
# service ip6tables status