How To: Setup Cisco EtherChannel with ESX Server

In this blog, I will go through on how to setup a Port-Channel in a Cisco Catalyst 3750G switch, and setup that port-channel (etherchannel) to work properly with ESXi Server version 5.5. In my environment, it took, much, much longer to get this running because I had to completely re-architect my network to function this way. But if you’re building an environment from scratch, then this should be pretty easy to do.

I’ve verified that this config will also work with other Catalyst switches (2960’s, 3500’s, 3700’s, 4500’s, and 6500 series switches). This configuration will NOT work with Cisco Nexus switches, because the Cisco Nexus switches have different command line parameters than their Catalyst cousins.

So, let’s get going here.

I’m going to start by configuring a Port-Channel on my Catalyst switch.

interface Port-channel2
description Port Channel interface to DL380 Server
switchport trunk encapsulation dot1q
switchport mode trunk


After you create your port channel, you need to add switch ports to that port-channel. See below, as I add 8 ports to this port-channel.

interface GigabitEthernet4/0/11
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/12
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/14
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/15
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/21
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/22
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/23
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on

interface GigabitEthernet4/0/24
description Port-Channel group to DL-380 ESXi Server
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 2 mode on


From here I need to mirror the same VLANs that the ESXi server will have on it. So, lets create 5 VLANs to start. We can add more at any time.

interface Vlan1
no ip address
!
interface Vlan10
description Outside zone between pfSense and ASA
no ip address
 
interface Vlan20
description Inside network
ip address 192.168.1.2 255.255.255.0

interface Vlan30
description Front DMZ for direct connections from the Internet
no ip address

interface Vlan40
description Back DMZ -- Teired DMZ for server systems
no ip address

interface Vlan50
description Wireless network
no ip address


Now that the Cisco Catalyst switch is configured, let’s log into ESXi vSphere Client and configure the server to communicate with our switch.


I actually just bought a new quad port network adapter off of eBay just for this project. So after I installed it in my HP DL 380 G6 Server, I went in to verify that the card worked. And from this screenshot, it looks like it is working just fine.

esxi-1


Now go over to the “Networking” section. You can see I already have multiple vSwitches defined for my other 4 port network card that was already installed in the server. What my plan is going to be, is that I want all eight of my network adapters to be part of one port-channel. This will maximize the throughput and bandwidth to and from the server, as well as provide a reliable 8 way path to my core switch. The only downside to this is that my core switch is now my single point of failure on the network. I recommend that if you’re going to do this in your environment, you should have an identical switch and a full backup of the configuration on your primary switch so that you can swap out if the primary fails.

esxi-2


From here, click on “Add Networking…”

esxi-3


You need to select “VMkernel” here. You’ll be using “Virtual Machine” network type later. For now, VMkernel, then click “Next”:

esxi-4


Select the network adapters you want to participate in the port channel, then click “Next”:

esxi-5


Since this is a Port-Channel, or Etherchannel, you want this to trunk all of your VLANs from the Cisco Catalyst switch to your ESXi server. Make it easy and name this “Port-Channel” and allow all VLANs to traverse the link, then click “Next”:

esxi-6


You’ll want to enable management on this, so give it an IP address on your Internal network. Please, for the love of all that is right and just, do NOT open up management access to the Internet or any of your DMZs!

esxi-7


Verify your settings on the “Summary” screen, then click “Finish” to continue.

esxi-8


After you create your switch, you’ll see it appear in the “Networking” screen of your vSphere client. You’ll see that I haven’t attached network cables yet, which is why all my adapters are showing as “Down” with the red “X” next to each physical adapter.

Go ahead and click on “Properties…” to continue.

esxi-9


Make sure your vSwitch is highlighted in the left column, then click, “Edit…”

esxi-10


In the vSwitch Properties window, make sure that you have ESXi “Route based on IP Hash”, then click okay.

esxi-11


Now you can add in all your VLANs that will live on this vSwitch. So click on “Add Networking…” to continue:

esxi-3


Here is where you’re going to use the “Virtual Machine” connection type. Click Next to continue.

esxi-12


We’re going to bind this VLAN to the new switch we created. So select the vSwitch you created earlier in this process, then click “Next” to continue.

esxi-13


Here, I will create a Business-to-Business VLAN, and I’ll tag all traffic in this VLAN to #75. Then click “Next” to continue.

esxi-14


Verify your changes in the “Summary” screen, then click “Finish” to continue.

esxi-15


After you create all of your VLANs and add your virtual machines to each network you desire, your end result will look like this:
esxi-16



If you have any questions, please feel free to contact me at any time!

http://vmwaremine.com/vmware-vsphere-best-practices/
http://vmwaremine.com/2012/05/29/networking-configuration-for-esx-ot-esxi-part-3/
http://frankdenneman.nl/2013/01/28/vmotion-and-etherchannel-an-overview-of-the-load-balancing-policies-stack/
http://www.virtualizetips.com/2011/03/05/esxi-management-network-issues-when-using-etherchannel-and-nic-teaming/
http://blog.scottlowe.org/2008/07/16/understanding-nic-utilization-in-vmware-esx/
http://blog.scottlowe.org/2006/12/04/esx-server-nic-teaming-and-vlan-trunking/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004048
http://www.sysadmintutorials.com/tutorials/vmware-vsphere-4/vcenter4/network-teaming-with-cisco-etherchannel/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003825
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1010778
http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1003825
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003806
http://searchnetworking.techtarget.com/tip/How-to-configure-Virtual-Switch-Tagging-for-vSphere-VLANs
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003825
http://blog.scottlowe.org/2006/12/04/esx-server-nic-teaming-and-vlan-trunking/
http://www.sysadmintutorials.com/tutorials/vmware-vsphere-4/vcenter4/network-teaming-with-cisco-etherchannel/
http://serverfault.com/questions/628541/esxi-5-5-nic-teaming-for-load-balancing-using-cisco-etherchannel
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1001938
http://www.simongreaves.co.uk/vmware-nic-trunking/
http://www.geekmungus.co.uk/vmware/vmwareesxi55managementnetwork-nicteamingandvlantrunking
http://www.mustbegeek.com/configure-nic-teaming-in-esxi-server/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004074
http://www.ahmedchoukri.com/?p=298
https://glazenbakje.wordpress.com/2012/05/10/cisco-catalyst-switch-ether-channel-settings-to-vmware-esxi-5/
http://blog.scottlowe.org/2006/12/04/esx-server-nic-teaming-and-vlan-trunking/
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004048
http://longwhiteclouds.com/2012/04/10/etherchannel-and-ip-hash-or-load-based-teaming/
http://wahlnetwork.com/2012/05/09/demystifying-lacp-vs-static-etherchannel-for-vsphere/
http://www.amirmontazeri.com/?p=18

VN:D [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

AT&T u-Verse Static IP work around with pfSense

First off, I’d like to give AT&T an honorable mention (sarcasm) for using the fucking worst, P.O.S. garbage, DSL Modems on the planet: 2WIRE. These things are ridiculous. You’d think that if a provider was able to route a /28 subnet to your home/business, that they’d be able to properly manage that subnet through their “firewall” or whatever you want to call it. The way this normally works is through routing a network range to your device. But AT&T and 2WIRE ensure that for every public static IP address you have, it has to have a unique MAC address and it must look like a different device all together. This is asinine.

So, with the help of my business partner, we’ve come up with a solution on how to get a set of static IP addresses to work so that you can host services on AT&T u-Verse. The way we accomplished this was through the use of an open source and free operating system named, “pfSense”. I’m sure there are other systems out there that we could have used, or just done it in Linux, but pfSense is really robust and has a nice interface. So that’s what we went with.

Additionally, I’m sure not everyone and their mother have an HP DL380 running in their basement, but… welcome to the Erdmanor. I have a DL380 in my basement. So what we’ve done is virtualized a firewall. We’re running pfSense in a virtual machine on the DL 380, which is running ESXi 5.5. I know ESXi 6.0 has been out for a few months now, but to be honest, I’m just too damn lazy to upgrade my box.

Anyways, here’s how we configured the virtual firewall. In ESX, we provisioned the system to have 8 network adapters, a 10GB HDD, 2GB RAM, and 1 virtual CPU. From there we added the VM to access the three different network segments (DMZ, Internal, Outside), and created the interfaces within pfSense. Then we programmed the AT&T gateway to use the external addresses that were provided by them, making sure that the proper interfaces and MAC addresses lined up between the ESX server, the AT&T gateway and the pfSense console. Also, in the AT&T gateway, we setup the system to be in DMZplus Mode, which you can read about in the screenshot below.

pfSense1

pfSense2

pfSense3

att-config0

att-config1

att-config2

att-config3



Now that our AT&T gateway is properly forwarding External IP traffic to the proper interfaces on our pfSense firewall, we can go through and create all the inbound NATs, firewall rules and network security that we wish to have.

If you have any further questions on how to set this up, just ask!

Thanks!





VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Setting up Etherchannel between Cisco ASA and Cisco Switch

I’ve recently had the need to re-architect my network in order to gain more functionality, scalability and security. I’ve written in past blogs on how important it is to have network security built into your network, and how important it is to have a properly segmented network. Here I’m going to show you how easy that is to do, and show you why every business should be doing this to some extent.

So let’s get going here. First off, if you have an ASA that is already being used in a production environment, you’re going to have to schedule some downtime. In order to setup Etherchannel on the ASA, your ports need to have no configuration on them. In my case, I’m setting up a quad port Etherchannel, so I need all my ports wiped clean.

erdmanor-5510# sh run int
!
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
erdmanor-5510#
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.1.2     YES manual up                    up  
erdmanor-5510#


Now that we have a clean configuration, let’s setup the port-channel.

erdmanor-5510(config)# int port-channel 1
erdmanor-5510(config-if)#
erdmanor-5510(config-if)# no nameif
erdmanor-5510(config-if)# no security-level
erdmanor-5510(config-if)# no ip address
erdmanor-5510(config-if)#


Now that we have a port-channel created, we need to assign what interfaces are going to take part in that port channel.

erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int Ethernet0/0
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/0.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/1        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/1.
erdmanor-5510(config-if)# exit
erdmanor-5510(config)# int Ethernet0/2        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/2.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)# int Ethernet0/3        
erdmanor-5510(config-if)# channel-group 1 mode on
INFO: security-level, delay and IP address are cleared on Ethernet0/3.
erdmanor-5510(config-if)# exit                  
erdmanor-5510(config)#


Now we need to get our switch configured. We’ll basically be doing the same thing on the switch that we just got done doing on our ASA. You’ll notice the syntax on the ASA is just a bit different than the switch, but Cisco came close on the two.

Let’s start with creating our port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int port-channel 1
Erdmanor3750G(config-if)#    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switch mode trunk
Erdmanor3750G(config-if)#


Now we can get our Ethernet ports into the port channel.

Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/1
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/2              
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA                
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/3        
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA    
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#int Gi4/0/4      
Erdmanor3750G(config-if)#description Port-Channel group to ERD-ASA      
Erdmanor3750G(config-if)#switch trunk encap dot1q
Erdmanor3750G(config-if)#switchport mode trunk  
Erdmanor3750G(config-if)#channel-group 1 mode on
Erdmanor3750G(config-if)#exit                    
Erdmanor3750G(config)#
Erdmanor3750G(config)#


Now that the port-channel is up and running, we need to establish what VLANs are going to traverse this link. The way that Cisco ASAs interpret VLANs is a bit different than the way Catalyst Switches interpret VLANs, at least for the configuration of them. In a Cisco ASA, for every VLAN that you want, you create a sub-interface. For The Catalyst Switch,

erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.10
erdmanor-5510(config-subif)# vlan 10
erdmanor-5510(config-subif)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 172.98.17.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.20                
erdmanor-5510(config-subif)# vlan 20                            
erdmanor-5510(config-subif)# nameif Inside                      
INFO: Security level for "Inside" set to 100 by default.
erdmanor-5510(config-subif)# ip address 192.168.100.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.30                
erdmanor-5510(config-subif)# vlan 30                              
erdmanor-5510(config-subif)# nameif FrontDMZ                      
INFO: Security level for "FrontDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.121.23.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.40                
erdmanor-5510(config-subif)# vlan 40                              
erdmanor-5510(config-subif)# nameif BackDMZ                      
INFO: Security level for "BackDMZ" set to 0 by default.
erdmanor-5510(config-subif)# ip address 10.156.183.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#
erdmanor-5510(config)# int port-channel1.50                
erdmanor-5510(config-subif)# vlan 50                              
erdmanor-5510(config-subif)# nameif Wireless                      
INFO: Security level for "Wireless" set to 0 by default.
erdmanor-5510(config-subif)# security-level 50
erdmanor-5510(config-subif)# ip address 172.21.49.1 255.255.255.0
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)#
erdmanor-5510(config)#



From here we just need to create some VLANs on the switch and then we can finalize the configuration on the ASA.

Erdmanor3750G#
Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#vlan 10
Erdmanor3750G(config-vlan)#no shut
%VLAN 10 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 20
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 30
Erdmanor3750G(config-vlan)#no shut
%VLAN 30 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 40
Erdmanor3750G(config-vlan)#no shut
%VLAN 20 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#vlan 50
Erdmanor3750G(config-vlan)#no shut
%VLAN 40 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#interface vlan 10
Erdmanor3750G(config-if)#description Outside zone between pfSense and ASA
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 20                              
Erdmanor3750G(config-if)#description Inside network                      
Erdmanor3750G(config-if)#no shut                  
Erdmanor3750G(config-if)#exit                      
Erdmanor3750G(config)#interface vlan 30        
Erdmanor3750G(config-if)#description Front DMZ for direct connections from the Internet
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 40                                            
Erdmanor3750G(config-if)#description Back DMZ -- Teired DMZ for server systems
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#interface vlan 50                                    
Erdmanor3750G(config-if)#description Wireless network                
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#



So this is what my interface list looks like in the running config now:

interface Ethernet0/0
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 channel-group 1 mode on
 no nameif    
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif Outside
 security-level 0
 ip address 172.98.17.1 255.255.255.0
!
interface Port-channel1.20
 vlan 20
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Port-channel1.30
 vlan 30
 nameif FrontDMZ
 security-level 0
 ip address 10.121.23.1 255.255.255.0
!
interface Port-channel1.40
 vlan 40
 nameif BackDMZ
 security-level 0
 ip address 10.156.183.1 255.255.255.0
!
interface Port-channel1.50
 vlan 50      
 nameif Wireless
 security-level 50
 ip address 172.21.49.1 255.255.255.0
!



And now a look at my switch port configuration:

!
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/2
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/3
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet4/0/4
 description Port-Channel group to ERD-ASA
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface Vlan1
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan10
 description Outside zone between pfSense and ASA
 no ip address
!
interface Vlan20
 description Inside network
 no ip address
!
interface Vlan30
 description Front DMZ for direct connections from the Internet
 no ip address
!
interface Vlan40
 description Back DMZ -- Teired DMZ for server systems
 no ip address
!
interface Vlan50
 description Wireless network
 no ip address


Erdmanor3750G#
Erdmanor3750G#sh ip int bri
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  192.168.1.3     YES manual up                    up      
Vlan10                 unassigned      YES unset  up                    up      
Vlan20                 unassigned      YES unset  up                    up      
Vlan30                 unassigned      YES unset  up                    up      
Vlan40                 unassigned      YES unset  up                    up  
GigabitEthernet4/0/1   unassigned      YES unset  up                    up      
GigabitEthernet4/0/2   unassigned      YES unset  up                    up      
GigabitEthernet4/0/3   unassigned      YES unset  up                    up      
GigabitEthernet4/0/4   unassigned      YES unset  up                    up      
...  
Port-channel1          unassigned      YES unset  up                    up



Fantastic. Let’s check to see that the ASA is showing the port-channel working.

erdmanor-5510# sh port-channel detail
        Channel-group listing:
        -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
        Ports in the group:
        -------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Et0/3
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

erdmanor-5510# sh port-channel sum    
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)             -            No     Et0/0(P)   Et0/1(P)   Et0/2(P)   Et0/3(P)  
erdmanor-5510#
erdmanor-5510# sh int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up  
Ethernet0/1                unassigned      YES unset  up                    up  
Ethernet0/2                unassigned      YES unset  up                    up  
Ethernet0/3                unassigned      YES unset  up                    up  
Management0/0              192.168.86.2    YES manual up                    up  
Port-channel1              unassigned      YES unset  up                    up  
Port-channel1.10           172.98.17.1     YES manual up                    up  
Port-channel1.20           192.168.100.1   YES manual up                    up  
Port-channel1.30           10.121.23.1     YES manual up                    up  
Port-channel1.40           10.156.183.1    YES manual up                    up  
Port-channel1.50           172.21.49.1     YES manual up                    up  
erdmanor-5510#



And now to check the port channel on the Catalyst switch:

Erdmanor3750G#sh etherchannel detail
        Channel-group listing:
        ----------------------

Group: 1
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -
        Ports in the group:
        -------------------
Port: Gi4/0/1
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:45s

Port: Gi4/0/2
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:16s

Port: Gi4/0/3
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:24m:04s

Port: Gi4/0/4
------------

Port state    = Up Mstr In-Bndl
Channel group = 1           Mode = On              Gcchange = -
Port-channel  = Po1         GC   =   -             Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =    -

Age of the port in the current state: 0d:00h:23m:53s

        Port-channels in the group:
        ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 0d:00h:33m:13s
Logical slot/port   = 10/1          Number of ports = 4
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =    -

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi4/0/1  On                 0
  0     00     Gi4/0/2  On                 0
  0     00     Gi4/0/3  On                 0
  0     00     Gi4/0/4  On                 0

Time since last port bundled:    0d:00h:23m:53s    Gi4/0/4

Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#
Erdmanor3750G#sh etherchannel sum  
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port


Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi4/0/1(P)  Gi4/0/2(P)  Gi4/0/3(P)  
                                 Gi4/0/4(P)  

Erdmanor3750G#



Now, moving forward, please remember that you MUST specify the VLAN each switch port will be in, otherwise you’re going to have communications issues. The Catalyst switches do NOT auto-sense what VLAN your port is in. So to do this, you need to specify the VLAN, on both the Cisco ASA and the Switch, like this:

Erdmanor3750G#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Erdmanor3750G(config)#
Erdmanor3750G(config)#vlan 60
Erdmanor3750G(config-vlan)#no shut
%VLAN 60 is not shutdown.
Erdmanor3750G(config-vlan)#exit
Erdmanor3750G(config)#interface Vlan60
Erdmanor3750G(config-if)#description ATT Outside Public 108.227.33.120/28 Network
Erdmanor3750G(config-if)#no ip address
Erdmanor3750G(config-if)#no shut
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#
Erdmanor3750G(config)#int GigabitEthernet4/0/19
Erdmanor3750G(config-if)#switchport access vlan 60
Erdmanor3750G(config-if)#exit
Erdmanor3750G(config)#


Now create the VLAN (sub-interface) on the ASA, like this:

erdmanor-5510# conf t
erdmanor-5510(config)# interface Port-channel1.60
erdmanor-5510(config-subif)# vlan 60
erdmanor-5510(config-subif)# nameif ATTOutside
INFO: Security level for "ATTOutside" set to 0 by default.
erdmanor-5510(config-subif)# ip address 108.227.33.121 255.255.255.248
erdmanor-5510(config-subif)# exit
erdmanor-5510(config)# exit
erdmanor-5510#


Now that we have the VLANs and port-channel created, we need to ensure that our firewall rulebase is setup properly.

NOTE: I am just showing you how to set this up. It is up to YOU to be a smart network admin and lock down these VLANs with the proper rules!!!

From here, create your basic ACLs and lock them down tightly. Make sure that you tie your access-list to an interface too! I personally like to write all my ACLs from the point of view of the requester or client machine on a network. So what I do is write the ACL like you’re going into a garden hose. The garden hose is like the interface that traffic will be going to. Basically, you’re writing the rules that will be implemented as close to the end point as possible.

erdmanor-5510(config)# access-list backdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list frontdmz-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list inside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list outside-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)# access-list wireless-traffic-in extended permit ip any4 any4 log
erdmanor-5510(config)#
erdmanor-5510(config)# access-group outside-traffic-in in interface Outside
erdmanor-5510(config)# access-group inside-traffic-in in interface Inside
erdmanor-5510(config)# access-group frontdmz-traffic-in in interface FrontDMZ
erdmanor-5510(config)# access-group backdmz-traffic-in in interface BackDMZ
erdmanor-5510(config)# access-group wireless-traffic-in in interface Wireless


Now we’re all done! Please contact me with any questions or concerns (or if you found that I screwed this up at all!). Thanks for reading!





http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_start.html#wp1709086
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_start.html#18497
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-5-0E/15-21E/configuration/guide/config/channel.html#pgfId-1040179
http://www.cisco.com/c/en/us/support/docs/lan-switching/etherchannel/12033-89.html
http://www.amirmontazeri.com/?p=18
http://www.ciscozine.com/configuring-link-aggregation-with-etherchannel/
https://networkingtipz.wordpress.com/2013/12/09/etherchannel-on-asa-2/
http://www.gomjabbar.com/2012/05/08/cisco-asa-5520-creating-subinterfaces/
http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/general/asa-general-cli/interface-vlan.pdf
https://supportforums.cisco.com/discussion/11378981/portchannel-cisco-asa-subinterface-vlan
https://www.fir3net.com/Firewalls/Cisco/configuring-etherchannel-on-an-asa-firewall.html
http://www.danpol.net/index.php/cisco/firewalls/asa-port-channels/
http://www.petenetlive.com/KB/Article/0001085.htm
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-1_19_ea1/configuration/guide/3750scg/swethchl.pdf

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Backing up Cisco Configurations for Routers, Switches and Firewalls

I will add more about this when I have time. Until then, you should be able to just install python, paramiko and pexpect and run this script as-is (obviously changing the variables).

This should give you all the software you need:

sudo apt-get update
sudo apt-get install python python-pexpect python-paramiko

I plan on GREATLY increasing the ability of this script, adding additional functionality, as well as setting up a bash script that will be able to parse the configs, and perform much deeper backup abilities for ASAs.

I have not tested this on Routers and Switches. I can tell you that the production 5520 HA Pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version 8.4(2)160”. Theoretically, I would believe that this would work with all 8.4 code and up, including the 9.x versions that are out as of the writing of this blog.

Here you go! Full Scripted interrogation of Cisco ASA 5520 that can be setup to run on a CRON job.

#!/usr/bin/python
import paramiko, pexpect, hashlib, StringIO, re, getpass, os, time, ConfigParser, sys, datetime, cmd, argparse



### DEFINE VARIABLES

currentdate="10-16-2014"
hostnamesfile='vpnhosts'
asahost="192.168.222.1"
tacacsuser='testuser'
userpass='Password1'
enpass='Password2'
currentipaddress="192.168.222.1"
currenthostname="TESTASA"


#dummy=sys.argv[0]
#currentdate=sys.argv[1]
#currentipaddress=sys.argv[2]
#tacacsuser=sys.argv[3]
#userpass=sys.argv[4]
#enpass=sys.argv[5]
#currenthostname=sys.argv[6]

parser = argparse.ArgumentParser(description='Get "show version" from a Cisco ASA.')
parser.add_argument('-u', '--user',     default='cisco', help='user name to login with (default=cisco)')
parser.add_argument('-p', '--password', default='cisco', help='password to login with (default=cisco)')
parser.add_argument('-e', '--enable',   default='cisco', help='password for enable (default=cisco)')
parser.add_argument('-d', '--device',   default=asahost, help='device to login to (default=192.168.120.160)')
args = parser.parse_args()

   


#python vpnbackup.py $currentdate $currentipaddress $tacacsuser $userpass $enpass $currenthostname



def asaLogin():
   
    #start ssh")
    child = pexpect.spawn ('ssh '+tacacsuser+'@'+asahost)
   
    #testing to see if I can increase the buffer
    child.maxread=9999999
   
    #expect password prompt")
    child.expect ('.*assword:.*')
    #send password")
    child.sendline (userpass)
    #expect user mode prompt")
    child.expect ('.*>.*')
    #send enable command")
    child.sendline ('enable')
    #expect password prompt")
    child.expect ('.*assword:.*')
    #send enable password")
    child.sendline (enpass)
    #expect enable mode prompt = timeout 5")
    child.expect ('#.*', timeout=10)
    #set term pager to 0")
    child.sendline ('terminal pager 0')
    #expect enable mode prompt = timeout 5")
    child.expect ('#.*', timeout=10)
    #run create dir function")
    createDir()
    #run create show version")
    showVersion(child)
    #run create show run")
    showRun(child)
    # run showCryptoIsakmp(child)
    showCryptoIsakmp(child)
    # run dirDisk0(child)
    dirDisk0(child)
    # run showInterfaces(child)
    showInterfaces(child)
    #run  showRoute")
    showRoute(child)
    #run showVpnSessionDetail")
    showVpnSessionDetail(child)
    # run showVpnActiveSessions(child)
    showWebVpnSessions(child)
    # run showVpnActiveSessions(child)
    showAnyConnectSessions(child)
    #send exit")
    child.sendline('exit')
    #close the ssh session")
    child.close()
   
   
def createDir():
    if not os.path.exists(currentdate):
        os.makedirs(currentdate)
    if not os.path.exists(currentdate+"/"+currenthostname):
        os.makedirs(currentdate+"/"+currenthostname)
   
   
   
def showVersion(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"sh-ver.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show version")
    child.sendline('show version')
    #expect enable mode prompt = timeout 400")
    child.expect(".*# ", timeout=50)
    #closing the log file")
    fout.close()
   
   
def showRun(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"sh-run.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending more system running-config")
    child.sendline('more system:running-config')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=999)
    #closing the log file
    fout.close()   
   

def showCryptoIsakmp(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"cryptoisakmp.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show crypto isakmp sa")
    child.sendline('show crypto isakmp sa')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=50)
    #closing the log file
    fout.close()   


def dirDisk0(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"dirdisk0.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending dir disk0:")
    child.sendline('dir disk0:')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=75)
    #closing the log file
    fout.close()


def showInterfaces(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"interfaces.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show interface")
    child.sendline('show interface')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=100)
    #closing the log file
    fout.close()


def showRoute(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"show-route.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show route")
    child.sendline('show route')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=300)
    #closing the log file
    fout.close()


def showVpnSessionDetail(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"vpnsession.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show vpn-sessiondb detail")
    child.sendline('show vpn-sessiondb detail')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=50)
    #closing the log file
    fout.close()


def showWebVpnSessions(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"webvpns.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show vpn-sessiondb webvpn")
    child.sendline('show vpn-sessiondb webvpn')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=200)
    #closing the log file
    fout.close()


def showAnyConnectSessions(child):
    #setting a new file for output")
    fout = file(currentdate+"/"+currenthostname+"/"+currenthostname+datetime.datetime.now().strftime("%m-%d-%Y")+"anyconnectvpns.txt",'w')
    #capturing the command output to the file")
    child.logfile_read = fout
    #sending show vpn-sessiondb anyconnect")
    child.sendline('show vpn-sessiondb anyconnect')
    #expect enable mode prompt = timeout 400
    child.expect(".*# ", timeout=999)
    #closing the log file
    fout.close()




def main():
    #Nothing has been executed yet
    #executing asaLogin function
    asaLogin()
    #Finished running parTest\n\n Now exiting
   

main()

Here are all the websites that have provided help to me writing these scripts:
http://www.802101.com/2014/06/automated-asa-ios-and-nx-os-backups.html
http://yourlinuxguy.com/?p=300
http://content.hccfl.edu/pollock/Unix/FindCmd.htm
http://paulgporter.net/2012/12/08/30/
http://paklids.blogspot.com/2012/01/securely-backup-cisco-firewall-asa-fwsm.html
http://ubuntuforums.org/archive/index.php/t-106287.html
http://stackoverflow.com/questions/12604468/find-and-delete-txt-files-in-bash
http://stackoverflow.com/questions/9806944/grep-only-text-files
http://unix.stackexchange.com/questions/132417/prompt-user-to-login-as-root-when-running-a-shell-script
http://stackoverflow.com/questions/6961389/exception-handling-in-shell-scripting
http://stackoverflow.com/questions/7140817/python-ssh-into-cisco-device-and-run-show-commands
http://pastebin.com/qGRdQwpa
http://blog.pythonicneteng.com/2012/11/pexpect-module.html
https://pynet.twb-tech.com/blog/python/paramiko-ssh-part1.html
http://twistedmatrix.com/pipermail/twisted-python/2007-July/015793.html
http://www.lag.net/paramiko/
http://www.lag.net/paramiko/docs/
http://stackoverflow.com/questions/25127406/paramiko-2-tier-cisco-ssh
http://rtomaszewski.blogspot.com/2012/08/problem-runing-ssh-or-scp-from-python.html
http://www.copyandwaste.com/posts/view/pexpect-python-and-managing-devices-tratto/
http://askubuntu.com/questions/344407/how-to-read-complete-line-in-for-loop-with-spaces
http://stackoverflow.com/questions/10463216/python-pexpect-timeout-falls-into-traceback-and-exists
http://stackoverflow.com/questions/21055943/pxssh-connecting-to-an-ssh-proxy-timeout-exceeded-in-read-nonblocking
http://www.pennington.net/tutorial/pexpect_001/pexpect_tutorial.pdf
https://github.com/npug/asa-capture/blob/master/asa-capture.py
http://stackoverflow.com/questions/26227791/ssh-with-subprocess-popen

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Creating a basic monitoring server for network devices

I’ve recently been working more and more with network device management. So, to help with up-time monitoring, interface statistics, bandwidth utilization, and alerting, I’ve been building up a server with some great Open Source tools. My clients love it because it costs virtually nothing to run these machines, and it helps keep the network running smoothly when we know what is going on within the network.

One thing I haven’t been able to do yet is SYSLOG monitoring with the ability to generate email alerts off of specific SYSLOG messages. That’s in the work, and I’ll be adding that information into this blog as soon as I get it up and running properly.

I am using Debian 7.6 for this Operating System. Mainly because it’s very stable, very small, and doesn’t update as frequently (making it easier to manage). You can follow a basic install of this OS from here: Debian Minimal Install. That will get you up and running and we’ll take it from there.

Okay, now that you have an OS running, go ahead and open up a command prompt and log in as your user account or “root”. Go ahead an then “sudo su”.

Now we will update apt:

apt-get update

 

From here, let’s get LAMP installed and running so our web services will run properly.

apt-get install apache2
apt-get install mysql-server
apt-get install php5 php-pear php5-mysql

 

Now that we have that all setup, lets secure MySQL a bit:

mysql_secure_installation

 

When you run through this, make sure to answer these questions:

root@testmonitor:/root# mysql_secure_installation




NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

You already have a root password set, so you can safely answer 'n'.

Change the root password? [Y/n] n
 ... skipping.

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
 ... Failed!  Not critical, keep moving...
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

 
 

Let’s test the server and make sure it’s working properly. Using nano, edit the file “info.php” in the “www” directory:

nano /var/www/info.php

 

Add in the following lines:

<?php
phpinfo();
?>

 

Now, open a web browser and type in the server’s IP address and the info page:

http://192.168.0.101/info.php

 

 

Now let’s get Cacti installed.

apt-get install cacti cacti-spine

Make sure to let the installer know that you’re using Apache2 as your HTTP server.

Also, you’ll need to let the installer “Configure database for cacti with dbconfig-common”. Say yes!

After you apt is done installing your software, you’ll have to finish the install from a web browser.

http://192.168.0.101/cacti/install/

 

After answering a couple very easy questions, you’ll be finished and presented with a login screen.

The default credentials for cacti are “admin:admin”

From there you can log in and start populating your server with all the devices that you want to monitor. It’s that easy.

 

 

 

 

Now, let’s get Nagios installed. Again, it’s really easy. I just install everything nagios (don’t forget the asterisk after nagios):

apt-get install nagios*

This is what it will look like:

root@debiantest:/root# apt-get install nagios*
Reading package lists... Done
Building dependency tree      
Reading state information... Done
Note, selecting 'nagios-nrpe-plugin' for regex 'nagios*'
Note, selecting 'nagios-nrpe-doc' for regex 'nagios*'
Note, selecting 'nagios-plugins-basic' for regex 'nagios*'
Note, selecting 'check-mk-config-nagios3' for regex 'nagios*'
Note, selecting 'nagios2' for regex 'nagios*'
Note, selecting 'nagios3' for regex 'nagios*'
Note, selecting 'nagios-snmp-plugins' for regex 'nagios*'
Note, selecting 'uwsgi-plugin-nagios' for regex 'nagios*'
Note, selecting 'ndoutils-nagios3-mysql' for regex 'nagios*'
Note, selecting 'nagios-plugins' for regex 'nagios*'
Note, selecting 'gosa-plugin-nagios-schema' for regex 'nagios*'
Note, selecting 'nagios-nrpe-server' for regex 'nagios*'
Note, selecting 'nagios-plugin-check-multi' for regex 'nagios*'
Note, selecting 'nagios-plugins-openstack' for regex 'nagios*'
Note, selecting 'libnagios-plugin-perl' for regex 'nagios*'
Note, selecting 'nagios-images' for regex 'nagios*'
Note, selecting 'pnp4nagios-bin' for regex 'nagios*'
Note, selecting 'nagios3-core' for regex 'nagios*'
Note, selecting 'libnagios-object-perl' for regex 'nagios*'
Note, selecting 'nagios-plugins-common' for regex 'nagios*'
Note, selecting 'nagiosgrapher' for regex 'nagios*'
Note, selecting 'nagios' for regex 'nagios*'
Note, selecting 'nagios3-dbg' for regex 'nagios*'
Note, selecting 'nagios3-cgi' for regex 'nagios*'
Note, selecting 'nagios3-common' for regex 'nagios*'
Note, selecting 'nagios3-doc' for regex 'nagios*'
Note, selecting 'pnp4nagios' for regex 'nagios*'
Note, selecting 'pnp4nagios-web' for regex 'nagios*'
Note, selecting 'ndoutils-nagios2-mysql' for regex 'nagios*'
Note, selecting 'nagios-plugins-contrib' for regex 'nagios*'
Note, selecting 'ndoutils-nagios3' for regex 'nagios*'
Note, selecting 'nagios-plugins-standard' for regex 'nagios*'
Note, selecting 'gosa-plugin-nagios' for regex 'nagios*'
The following extra packages will be installed:
  autopoint dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gsfonts imagemagick-common libavahi-client3 libavahi-common-data libavahi-common3 libc-client2007e
  libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3 libcurl3-gnutls libdata-optlist-perl libdate-manip-perl
  libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl libfont-afm-perl libfpdf-tpl-php libfpdi-php
  libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl libhttp-cookies-perl libhttp-daemon-perl
  libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0 libjansson4 libjasper1 libjbig0 libjbig2dec0
  libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl libmagickcore5 libmagickwand5 libmail-imapclient-perl
  libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl
  libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl
  libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0 librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl
  libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0 libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock ndoutils-common
  perlmagick php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby ruby1.9.1 samba-common
  samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core x11-common
Suggested packages:
  dbus-x11 freeipmi-ipmidetect freeipmi-bmc-watchdog gettext-doc ghostscript-cups ghostscript-x hpijs git-daemon-run git-daemon-sysvinit git-doc git-el git-arch git-cvs git-svn git-email git-gui gitk gitweb gosa-si-server
  cyrus21-imapd postfix-ldap gosa-schema php5-suhosin php-apc uw-mailutils cups-common libgd-tools libdata-dump-perl libjasper-runtime libjs-jquery-ui-docs libkohana2-modules-php liblcms2-utils libcrypt-ssleay-perl
  libmagickcore5-extra libauthen-sasl-perl libmcrypt-dev mcrypt libio-socket-inet6-perl libcrypt-des-perl libmyodbc odbc-postgresql tdsodbc unixodbc-bin libscalar-number-perl slpd openslp-doc libauthen-ntlm-perl backuppc perl-doc
  cciss-vol-status expect ndoutils-doc imagemagick-doc ttf2pt1 rrdcached libgearman-client-perl libcrypt-rijndael-perl poppler-utils fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic
  fonts-arphic-ukai fonts-arphic-uming fonts-unfonts-core python-distribute python-distribute-doc ri ruby-dev ruby1.9.1-examples ri1.9.1 graphviz ruby1.9.1-dev ruby-switch ldap-utils cifs-utils nginx-full cherokee libapache2-mod-uwsgi
  libapache2-mod-ruwsgi uwsgi-plugins-all uwsgi-extra
The following NEW packages will be installed:
  autopoint check-mk-config-nagios3 dbus fonts-droid fonts-liberation fping freeipmi-common freeipmi-tools gettext ghostscript git git-man gosa gosa-plugin-nagios gosa-plugin-nagios-schema gsfonts imagemagick-common libavahi-client3
  libavahi-common-data libavahi-common3 libc-client2007e libcalendar-simple-perl libclass-accessor-perl libclass-load-perl libclass-singleton-perl libconfig-tiny-perl libcroco3 libcrypt-smbhash-perl libcups2 libcupsimage2 libcurl3
  libcurl3-gnutls libdata-optlist-perl libdate-manip-perl libdatetime-locale-perl libdatetime-perl libdatetime-timezone-perl libdbus-1-3 libdigest-hmac-perl libdigest-md4-perl libencode-locale-perl liberror-perl libfile-listing-perl
  libfont-afm-perl libfpdf-tpl-php libfpdi-php libfreeipmi12 libgd-gd2-perl libgd2-xpm libgettextpo0 libgomp1 libgs9 libgs9-common libhtml-form-perl libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libice6 libijs-0.35 libio-pty-perl libio-socket-ip-perl libio-socket-ssl-perl libipc-run-perl libipmiconsole2 libipmidetect0
  libjansson4 libjasper1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery-ui libkohana2-php liblcms2-2 liblist-moreutils-perl liblqr-1-0 libltdl7 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwp-useragent-determined-perl
  libmagickcore5 libmagickwand5 libmail-imapclient-perl libmailtools-perl libmath-calc-units-perl libmath-round-perl libmcrypt4 libmemcached10 libmodule-implementation-perl libmodule-runtime-perl libnagios-object-perl
  libnagios-plugin-perl libnet-dns-perl libnet-http-perl libnet-ip-perl libnet-libidn-perl libnet-smtp-tls-perl libnet-snmp-perl libnet-ssleay-perl libodbc1 libpackage-deprecationmanager-perl libpackage-stash-perl
  libpackage-stash-xs-perl libpaper-utils libpaper1 libparams-classify-perl libparams-util-perl libparams-validate-perl libparse-recdescent-perl libpgm-5.1-0 libpq5 libradiusclient-ng2 libreadonly-perl libreadonly-xs-perl librecode0
  librrds-perl librtmp0 libruby1.9.1 libslp1 libsm6 libsocket-perl libssh2-1 libsub-install-perl libsub-name-perl libsystemd-login0 libtalloc2 libtdb1 libtiff4 libtimedate-perl libtry-tiny-perl libunistring0 liburi-perl libwbclient0
  libwww-perl libwww-robotrules-perl libxpm4 libxt6 libyaml-0-2 libyaml-syck-perl libzmq1 mlock nagios-images nagios-nrpe-plugin nagios-nrpe-server nagios-plugin-check-multi nagios-plugins nagios-plugins-basic nagios-plugins-common
  nagios-plugins-contrib nagios-plugins-openstack nagios-plugins-standard nagios-snmp-plugins nagios3 nagios3-cgi nagios3-common nagios3-core nagios3-dbg nagios3-doc nagiosgrapher ndoutils-common ndoutils-nagios3-mysql perlmagick
  php-fpdf php5-curl php5-gd php5-imagick php5-imap php5-ldap php5-mcrypt php5-recode pnp4nagios pnp4nagios-bin pnp4nagios-web poppler-data python-httplib2 python-keystoneclient python-pkg-resources python-prettytable qstat rsync ruby
  ruby1.9.1 samba-common samba-common-bin slapd smarty3 smbclient ttf-liberation uwsgi-core uwsgi-plugin-nagios x11-common
0 upgraded, 196 newly installed, 0 to remove and 0 not upgraded.
Need to get 81.9 MB of archives.
After this operation, 272 MB of additional disk space will be used.
Do you want to continue [Y/n]?

 

 

Now to test, just login at http://your-server-ip/nagios3/

You’ll have to look up tutorials on configuring Nagios and Cacti. Of the two, Cacti is much easier because it’s all web based. But Nagios isn’t too difficult once you get used to playing around with config files.

One last thing I did was setup a landing page to point at the services. To do that just edit the index.php file in your www folder like this:

root@testdebian:/etc/nagios3/conf.d/hosts# cat /var/www/index.html
<html><body><h1>TEST Monitoring Server</h1>
<p>This is the landing page for the TEST Monitoring server.</p>
<p>&nbsp;</p>
<p>Please use the following links to access services:</p>
<p><a href="/nagios3"> 1. Nagios</a></p>
<p><a href="/cacti"> 2. Cacti</a></p>
</body></html>
root@testdebian:/etc/nagios3/conf.d/hosts#

Now you can browse to the IP address and get a easy to use page that will forward you to which ever service you want!

Let me know if you have any questions!

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Serious network architecture that works for everyone.

I started writing this blog post as a way to setup a reverse proxy for mail inspection, but it turned out that a network architecture blog focused on security of the perimeter was more important. I’ve gone over in my head with all the companies that have told me, “Ohhh we don’t need this” or, “this is too much administrative overhead” or, “We don’t need this much complexity, we’re just manufacturing “widgets” , or something like that. And to those people, I say this: “I am so sick and tired of hearing excuses of why you think it’s okay to be lazy. Do it right, do it now, and save yourself the headaches of a breach.” We’ll talk about the costs associated with being penetrated some other time, but it’s EXPENSIVE!

If you’re planning to do this right, then you’ll want/need to have a multi-tier DMZ for your public facing services. We’re not talking about internal servers or your internal network at this point (though after thinking about it, the exact same concept can be carried out on the Internal network too). In this blog, I’m merely trying to tell you about your externally facing services. This blog will go over proper placement for Internet facing services. The VAST majority of companies out there don’t go to this level of sophistication, but its totally possible for any company to do this and if you really want to secure your network infrastructure, then you’ll at least attempt this.

Before we start, I’ll say this. I’m going to try my best to describe this as granular as possible. There are a TON of intricacies here that need to be thought out. I’ll provide a rudimentary Visio diagram to help on this, but you’ll need to map out your own network and break it down in a way you can understand.

The main point of network segmentation and building a secure network architecture is based on one of the most talked about security areas: The Principle of Least Privilege. Do your end users need access to databases? How about other network services? How about filesharing with eachother? How about shared resources for just once specific department (should engineering folks be able to communicate with financial systems)? Please think about the level of access people should have to services while going through this blog.

You’re first level DMZ should house only your front end web servers (or load balancers in front of those servers), DNS servers and your proxy servers, nothing more. These systems are extremely visible to the public and will be processing thousands of requests per day, so if anything happens to them, trust me people will notice. Remember, these are front end systems, so you don’t need much of anything out there. I’ll be going over how to set those services up on a future blog, but for now just remember, least privilege. Internet users dont need direct access to the webserver, they do need access to a reverse proxy server that inspects the traffic going to the web server(s).

From here, you can create your second tier that will house your web servers (if you have load balancers or proxy servers in front of them out in tier one), mail servers, SFTP servers, if you’re using LDAP or AD you could add a read-only domain controller (RO-DC) for authentication (but NO Internet access), and things like that. These systems should be using local firewalls as well as network layer firewalls to control access to them. Web servers dont need to talk to anything except the back-end SQL BD and the end user. Both of those firewalls should specify that the only systems they’re allowed to talk to is the server in tier 1 that proxies data to it, and if there is a server behind it in tier three.

Then there is an optional third tier where you would house your back-end database servers and any other servers deemed unnecessary for tier two. when I say optional, I dont mean just throw it away and put SQL over in tier 2. I mean, if you dont have a SQL back-end you can eliminate tier 3. Another RO-DC could be posted here for authentication services(again, NO Internet access!). If you’re running MS-SQL or Oracle SQL servers here, you can have services level authentication (or any other services for that matter) authenticating to that RO-DC. Same goes for tier two.

Lastly, I’ll mention a Management network that will have access to all three tiers. You’ll obviously have admins (even if it’s just yourself) that will need to run updates on those boxes or perform other administrative functions on those systems. Don’t forget to allow yourself access to that. But that doesn’t mean “IP ANY ANY” from the management network into those tiers either! Dont be LAZY, be smart and do it right.

In my Visio diagram, I used some old hardware, and multiple physical switches, but don’t forget, you can trunk VLANs and do some pretty cool configurations with Cisco gear, especially the new ASA’s. See it here: DIAGRAM LINK

So from tier 1, your DNS server should only be servicing requests from your 3 DMZs, and the Internet. I would say, you shouldn’t open this up to your internal clients, because you should already have internal DNS servers for Active Directory (or what ever LDAP service you’re using). At most, you should only be allowing 53/udp inbound to that DNS server from the Internet, and allow SSH inbound to that server from your management network. That’s IT! For your proxy server or load balancer, you should allow 80/tcp and 443/tcp inbound from the Internet and allow in whatever port your load balancer needs from the management network. So in this scenario, you should have 80 and 443/tcp and 53/udp open from the Internet to tier 1. Simple, see?

Tier two only has ports open FROM tier 1 into tier 2 (and management network into tier 2). The people out on the Internet will NEVER communicate directly with tier 2, there’s just no need.

And lastly, tier 3 will only accept communications from tier 2 and the management tier. No end user needs to communicate with the SQL DB’s directly, so why let them?

The only thing I’ve left out here is the RO-DCs. What do they communicate with? Well, the way I would set them up is have the 2 real Domain Controllers in the management network. This should be a totally different domain than your internal network. Name the domain whatever you want (fubar.dmz or whatever). Your RO-DCs are only acting as a proxy to the domain. Nothing is stored on them, so you’ve got really nothing to lose.

So that’s really about it. If you’ve got any questions, contact me via my LinkedIn profile. There’s a link to that right on my home page near the bottom of the left column.

 

Enjoy!! 🙂

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)