Archive

Category Archives for "packetmischief.ca"

Net-SNMP and snmpd Coexistence on OpenBSD

Although it would be awesome to ditch Net-SNMP altogether now that the base OpenBSD SNMP daemon has support for all of the OpenBSD-related MIBS (CARP, PF, kernel sensors), reality is that Net-SNMP still offers some features that are needed. OpenBSD doesn't have any SNMP tools (snmpwalk, snmpset, etc) so these are still required from Net-SNMP. There's also some unique features in the Net-SNMP daemon that are still useful if you want to do things like monitor BIND9 or Postfix statistics.

Here's how to run both at the same time and leverage snmpd for the OpenBSD-related MIBs and the Net-SNMP daemon for its ability to retrieve data from scripts and extend itself using loadable modules and smux sub-agents.

Switching from Net-SNMP to snmpd for CARP, PF and Sensor Monitoring

Update: For help running both snmpds at the same time, see Net-SNMP and snmpd Coexistence on OpenBSD

Now that OPENBSD-CARP-MIB and OPENBSD-PF-MIB have been added to the base snmpd in OpenBSD (CARP-MIB will be in 5.1-release, PF-MIB in 5.2, and the SENSOR MIB has been there since 4.5), I wanted to document the differences between these MIBs and the corresponding implementation of the MIBs that I wrote for Net-SNMP.

Both implementations provide the same set of OIDs and allow the same data to be retrieved. Whatever you were querying via Net-SNMP is available via snmpd.

What has changed is the base OID where the CARP and PF MIBs are rooted at as well as the name of certain OIDs.

Cisco ISE and ip http server

We're all hardcore network engineers here right? We all sling packets using nothing but the CLI on our gear? We've all got the “CLI OR DIE” bumper sticker? OK. We're all on the same page then. So, when you're configuring Cisco Identity Services Engine (ISE) and the documentation says it's mandatory to enable “ip http server” on your switches in order to do central web authentication (CWA) (ie, the captive portal for authenticating users on guest devices) that probably makes you uncomfortable right?

Fear not. It's not as bad as it sounds. I'll explain why.

VRFs and Shared Services Cheating with Junos

The shared services area of the network is meant to provide common services — such as DNS, DHCP, and Internet access — to multiple logical networks/VRFs/customers. Cisco publishes a validated design for shared services that describes the use of multiple virtual firewalls and routers to provide connectivity between the shared services module and the VRFs in the network. I'm going to describe a method of collapsing the shared services firewalls and virtual routers into a single instance running on a single box using some of the features found in Juniper's Junos platform.

Resetting Admin Password on a Cisco ISE Appliance

A great little “feature” of Cisco's Identity Services Engine is that out of the box, the administrator account expires after 45 days if the password is not changed during that time. The documentation says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous and does not work.

Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn't happen again.

Getting the WordPress TMAC and GASP Plugins to Play Nice

Two of the WordPress plugins I use on this site are Twitter Mentions as Comments and Growmap Anti Spambot Plugin. The first, TMAC, watches Twitter for any tweets that link to a post somewhere on this blog and submits those tweets as new comments on that particular post. GASP's job is to keep spammers from submitting spammy comments by placing a Javascript-driven checkbox in the comment form. A user must check the box to confirm they are not a spambot before submitting their comment.

Both of these plugins are great and work really well on their own.

However, when both plugins are in use and TMAC submits a comment, GASP inspects the comment to see if the checkbox has been marked, finds that it hasn't been, and silently rejects the comment. (Aside: the exception to this is if you are a logged-in user and you initiate a manual TMAC check, any new tweets will successfully pass through GASP).

Configuring VRF-Lite on IOS and Junos

This post is going to provide a very basic introduction to configuring VRFs on Cisco IOS and Juniper's Junos. There's so many configuration combinations and options for virtual routing that it would be impossible to go through everything in great detail. At the end of the post I'll provide links to documentation where you can get detail if you want it.

An Introduction to Layer 3 Traffic Isolation

All network engineers should be familiar with the method for virtualizing the network at Layer 2: the VLAN. VLANs are used to virtualize the bridging table of Layer 2 switches and create virtual switching topologies that overlay the physical network. Traffic traveling in one topology (ie VLAN) cannot bleed through into another topology. In this way, traffic from one group of users or devices can be kept isolated from other users or devices.

Traffic Isolation Using VLANs

VLANs work great in a Layer 2 switched network, but what happens when you need to maintain this traffic separation across a Layer 3 boundary such as a router or firewall?

Packets of Interest 11-11-16

I read two interesting articles on VTP (Cisco's VLAN Trunking Protocol) this week. The first is an older article from networkworld.com that reminds us all that VTP clients are also capable of updating VLANs on the network, not just servers. When I first heard that a VTP client can update a VTP server under the right conditions, I was frankly a non-believer. No way. I'd seen evidence to the contrary in several documents at cisco.

VPN Host Checker vs. AD Group Policy

This post is for anyone who administers a Juniper SSL VPN. I saw an issue in our environment recently that was created by an unexpected interaction between two different systems that were working to enforce our computer security policy. Because the way the systems were configured is pretty common and because the issue is not specifically warned against by Juniper, I'm going to share it here.

OpenBSD 5.0 SNMP MIBs

The OpenBSD SNMP MIBs are now updated to compile under OpenBSD 5.0. Full details of how to install and use the MIBs are on the SNMP MIBs page. There is no functional change in this release. Download: obsd-mibs50.tar As usual, if you find OpenBSD valuable, please make a donation to the project as they are dependent upon donations to cover many of their costs.

What Does The Cloud Mean To Your Network?

If you're an IT professional you've probably been hearing a lot about cloud computing lately. I know I've sat through a number of seminars and sales pitches where people have been touting public cloud services on the merits of lower cost, reducing infrastructure and quicker implementation of services. However, I've noticed that almost none of these presentations discuss the increased reliance on Internet connectivity. With all the focus on the benefits of cloud computing, it's easy to forget that there has to be a trade-off. In order to offer reliable, quality access to public cloud services, your Internet connectivity likely needs some tuning.

Net-SNMP 5.6.1 Missing hrSystemProcesses OID

I just upgraded a couple of machines to OpenBSD 4.9 and noticed the hrSystemProcesses OID was not being returned by Net-SNMP 5.6.1 (from the 4.9 ports/packages collection) . joel@theta:~% snmpwalk -v2c -c public theta .1.3.6.1.2.1.25.1.6.0 SNMPv2-SMI::mib-2.25.1.6.0 = No Such Instance currently exists at this OID I know for sure this worked on OpenBSD 4.8/Net-SNMP 5.4.2.1. Turns out there is a bug in Net-SNMP 5.6.1 (bug 3166568) that's causing this. It's been fixed in their SVN tree.