Friday, April 30, 2010

Enabling SNMP Community Strings on a Cisco Router (and Other IOS Devices)

Abstract: We're enabling SNMP community strings (SNMP's concept of a password) on a Cisco router named 'C2600' running Cisco's IOS (Internetwork Operating System). The router has never previously been configured for SNMP.



WARNING: SNMP in IOS versions 11.x-12.0 had a security vulnerability. More here.


Notes: IOS is also used in other Cisco managed network equipment, so the generic term 'device' will be used from here on to refer to the router.
Full IOS commands are used, but many can be shortened: 'configure terminal' to 'conf term', 'show' to 'sh'. Pressing *Tab* autocompletes a command if the letters typed so far are unique. Entering 're' *Tab* will fail because it could be 'reload', 'rename', 'restart', or 'resume'; entering 'ren' *Tab* will complete to 'rename'. If you forget a command, entering '?' will display most of the available commands.



C2600> enable

Enable mode is used to view a device's settings.



C2600# show running-config

If SNMP appears in the output, it was previously configured.


C2600# configure terminal

Configure allows you to change the device's settings.



C2600(config)# snmp-server community 'public-string' RO

'RO' stands for 'Read-Only', meaning that someone who knows the device's public string can view the device's SNMP data. A relatively harmless ability.



C2600(config)# snmp-server community 'private-string' RW

RW stands for Read-Write, meaning that someone who knows the private string can change the device's settings. Someone with this knowledge can ruin your plans for the day, especially if the device is thousands of miles away. As an example, here are instructions for "How To Copy Configurations To and From Cisco Devices Using SNMP".



Replace 'public-string' and 'private-string' with strings of your own. The common defaults are 'public' and 'private'; these are widely known and are not recommended for securing the device.



C2600(config)# exit

Exits configure mode back to enable mode.



C2600# show running-config

A few lines about SNMP should appear.



C2600# write memory

This writes the new settings to non-volatile memory. If you skip this step, the settings are lost at the next reload and you'll need to start over.



To check that configuration was successful:

C2600# show snmp

If SNMP is correctly configured, usage statistics (still at zero) will be displayed.

Thursday, April 29, 2010

Solaris 10: Administering VNC

A simple way to administer multiple VNC sessions under Solaris.

Get your "vncadm" script here!

Solaris 10: Configuring IMAP

Abstract:
Solaris has long shipped with a wide variety of email capabilities, while other commercial operating systems require businesses to purchase email. Email capabilities range from sendmail to move mail between servers, to various commands to retrieve mail on a command line (e.g. mail, mailx), to Post Office Protocol (POP) or Internet Mail Access Protocol (IMAP) to retrieve mail from a desktop-based email client. The IMAP protocol offers some of the most robust options.

Location:
The IMAP protocol is normally shipped on a Companion CD with Solaris. The Companion CD from Solaris 10 includes a SVR4 package of the IMAP protocol.

Installation:
The details of an older Companion CD IMAP package, as loaded on a server, are shown below.
# pkginfo -l SFWimap
PKGINST: SFWimap
NAME: Imap - mail server daemon and utilities
CATEGORY: system
ARCH: sparc
VERSION: 2002.4,REV=2005.01.05.17.49
BASEDIR: /opt
VENDOR: http://www.Washington.EDU/imap
DESC: Imap - mail server daemon and utilities
PSTAMP: freeware20050105201031
INSTDATE: Dec 19 2005 14:52
HOTLINE: Please contact the owners of this software
STATUS: completely installed
FILES: 34 installed pathnames
7 shared pathnames
8 directories
7 executables
9605 blocks used (approx)
The binary can be easily found using the find command.
# find /opt -ls | grep /imap
...
772 776 -r-xr-xr-x 1 root bin 783408 Jan 5 2005 /opt/sfw/sbin/imapd
719 1 drwxr-xr-x 2 root bin 512 Dec 19 2005 /opt/sfw/doc/imap
721 19 -r--r--r-- 1 root bin 19296 Jan 5 2005 /opt/sfw/doc/imap/BUILD
722 8 -r--r--r-- 1 root bin 7941 Jan 5 2005 /opt/sfw/doc/imap/CONFIG
723 152 -r--r--r-- 1 root bin 146914 Jan 5 2005 /opt/sfw/doc/imap/FAQ.txt
724 18 -r--r--r-- 1 root bin 17522 Jan 5 2005 /opt/sfw/doc/imap/RELNOTES
Configuration:
If no service is listed by the commands below, the imapd service will need to be configured.
# svcs | grep imap
# inetadm | grep imap
#
One of the easiest ways to configure a Solaris 10 service, if you are used to the old "/etc/inetd.conf" configuration methodology, is the "inetconv" utility. Add the "imapd" entry to "inetd.conf", validate it, and perform the conversion.
# vi /etc/inetd.conf
# grep imap /etc/inetd.conf
imap stream tcp nowait root /opt/sfw/sbin/imapd imapd
# inetconv
imap -> /var/svc/manifest/network/imap-tcp.xml
Importing imap-tcp.xml ...Done
Verification:
After the import of the service, you can check to see it running.
# svcs | grep imap
online 14:11:40 svc:/network/imap/tcp:default
# inetadm | grep imap
enabled online svc:/network/imap/tcp:default
Usage:
Go and configure your Mozilla integrated web & messaging browser (now called SeaMonkey) or modern Thunderbird client!

Some Reading on Calendars


I was doing some reading on Calendars from an "imap" software package (SFWimap) with source code originating from http://www.Washington.EDU/imap and on an older Solaris 10 machine in this location (/opt/sfw/doc/imap/calendar.txt). I found it so interesting that I decided to copy-paste it!

                         ALL ABOUT CALENDARS

Although one can never be sure of what will happen at some future
time, there is strong historical precedent for presuming that the
present Gregorian calendar will still be in effect within the useful
lifetime of the IMAP toolkit. We have therefore chosen to adhere to
these precedents.

The purpose of a calendar is to reckon time in advance, to show
how many days have to elapse until a certain event takes place in the
future, such as the harvest or the release of a new version of Pine.
The earliest calendars, naturally, were crude and tended to be based
upon the seasons or the lunar cycle.


ANCIENT CALENDARS

The calendar of the Assyrians, for example, was based upon the
phases of the moon. They knew that a lunation (the time from one full
moon to the next) was 29 1/2 days long, so their lunar year had a
duration of 354 days. This fell short of the solar year by about 11
days. (The exact time for the solar year is approximately 365 days, 5
hours, 48 minutes, and 46 seconds.) After 3 years, such a lunar
calendar would be off by a whole month, so the Assyrians added an extra
month from time to time to keep their calendar in synchronization with
the seasons.

The best approximation that was possible in antiquity was a 19-year
period, with 7 of these 19 years having 13 months (leap months). This
scheme was adopted as the basis for the lunar calendar used by the
Hebrews. The Arabs also used this calendar until Mohammed forbade
shifting from 12 months to 13 months; this causes the Muslim holy month
of Ramadan to move backwards through the seasons, completing a cycle
every 32 1/2 years.

When Rome emerged as a world power, the difficulties of making a
calendar were well known, but the Romans complicated their lives because
of their superstition that even numbers were unlucky. Hence their
months were 29 or 31 days long, with the exception of February, which
had 28 days. Every second year, the Roman calendar included an extra
month called Mercedonius of 22 or 23 days to keep up with the solar
year.


JULIAN CALENDAR

Even this algorithm was very poor, so that in 45 BCE, Caesar,
advised by the astronomer Sosigenes, ordered a sweeping reform. By
imperial decree, the year 46 BCE was made 445 days long to bring the
calendar back in step with the seasons. The new calendar, similar to
the one we now use was called the Julian calendar (named after Julius
Caesar).

Months in the Julian calendar were 30 or 31 days in length and
every fourth year was made a leap year (having 366 days) by adding a day
to the end of the year. This leap year rule was not consistently
applied until 8 CE. The year-ending month of February, never a popular
month, was presently shortened so that Julius Caesar and Emperor
Augustus could each have long months named after them.

Caesar also decreed that the year would start with the first of
January, which since 153 BCE was the day that Roman consuls took office,
and not the vernal equinox in late March. Not everyone accepted that
part of his reform, as we shall see.


GREGORIAN CALENDAR

Caesar's year was 11 1/2 minutes short of the calculations
recommended by Sosigenes and eventually the date of the vernal equinox
began to drift. Roger Bacon became alarmed and sent a note to Pope
Clement IV, who apparently was not impressed. Pope Sixtus IV later
became convinced that another reform was needed and called the German
astronomer, Regiomontanus, to Rome to advise him. Unfortunately,
Regiomontanus died of the plague shortly thereafter and the plans died
as well.

In 1545, the Council of Trent authorized Pope Gregory XIII to
reform the calendar once more. Most of the mathematical work was done
by Father Christopher Clavius, S.J. The immediate correction that was
adopted was that Thursday, October 4, 1582 was to be the last day of the
Julian calendar. The next day was Friday, with the date of October 15.
For long range accuracy, a formula suggested by the Vatican librarian
Aloysius Giglio was adopted. It said that every fourth year is a leap
year except for century years that are not divisible by 400. Thus 1700,
1800 and 1900 would not be leap years, but 2000 would be a leap year
since 2000 is divisible by 400. This rule eliminates 3 leap years every
4 centuries, making the calendar sufficiently correct for most ordinary
purposes. This calendar is known as the Gregorian calendar and is the
one that we now use today.

It is interesting to note that in 1582, all the Protestant princes
ignored the papal decree and so many countries continued to use the
Julian calendar until either 1698 or 1752. Britain and its American
colonies went from Wednesday, September 2, 1752 to Thursday, September
14. Prior to the changeover, the British used March 25 as the start of
the new year.

In Russia, it needed the revolution to introduce the Gregorian
calendar in 1918. Turkey didn't adopt it until 1927.


NUMBERING OF YEARS

The numbering of the year is generally done according to an "era",
such as the year of a ruler's reign.

In about 525, a monk named Dionysius Exiguus suggested that the
calculated year of Jesus' birth be designated as year 1 in the Julian
calendar. This suggestion was adopted over the next 500 years and
subsequently followed in the Gregorian calendar.

For the benefit of those who seek religious significance to the
calendar millennium, note that year 1 is too late by at least 4 years.
Herod the Great, named in the Christian Bible as having all children in
Bethlehem put to death in an attempt to kill the infant Jesus, died in 4
BCE.

Nothing particularly significant of an historic or religious nature
happened in Gregorian year 1; however it has become a worldwide standard
as the "common era." In modern times, the terms "CE" (common era) and
"BCE" (before common era) are preferred over the earlier (and, as we
have seen, less accurate) "AD" (anno Domini, "the year of the Lord") and
"BC" (before Christ).

The Hebrew lunar calendar begins at 3760 BCE, the year of creation
in Jewish tradition. The Muslim lunar calendar begins on July 16, 622,
when Mohammed fled from Mecca to Medina.

The Japanese, Taiwanese, and North Koreans use the Gregorian
calendar, but number the year by political era. In Japan, an era begins
when an emperor succeeds to the throne; year 1 of the Heisei era was
1989 when Emperor Akihito ascended to the throne (the first few days of
1989 was year 64 of the Shouwa era). In Taiwan, year 1 is the year of
founding of the Republic of China (1911). In North Korea, year 1 is the
year of the Juche (self-reliance) ideal, corresponding to the birth year
of founder Kim Il-Sung (1912). Thus, year 2000 is Heisei 12 (Japan),
90th year of the Republic (Taiwan), and Juche 89 (North Korea).


FURTHER MODIFICATIONS TO THE GREGORIAN CALENDAR

Despite the great accuracy of the Gregorian calendar, it still
falls behind very slightly every few years. The most serious problem
is that the earth's rotation is slowing gradually. If you are very
concerned about this problem, we suggest that you tune in short wave
radio station WWV or the Global Positioning System, which broadcasts
official time signals for use in the United States. About once every
3 years, they declare a leap second at which time you should be
careful to adjust your system clock. If you have trouble picking up
their signals, we suggest you purchase an atomic clock (not part of
the IMAP toolkit).

Another problem is that the Gregorian calendar represents a year
of 365.2425 days, whereas the actual time taken for the earth to
rotate around the Sun is 365.2422 days. Thus, the Gregorian calendar
is actually 25.92 seconds slow each year, resulting in the calendar
being one day behind every 3,333 1/3 years.

Consequently, the Gregorian calendar has been modified with a
further rule, which is that years evenly divisible by 4000 are not
leap years. Thus, the year 4000 will not be a leap year. Or, at
least we assume that's what will happen assuming that the calendar
remains unchanged for the next 2000 years.

The modified Gregorian calendar represents a year of 365.24225
days. Thus, the modified Gregorian calendar is actually 4.32 seconds
slow each year, resulting in the calendar being one day slow every
20,000 years.

There is some dispute whether the modified Gregorian calendar was
officially adopted, or if it's just a proposal. Other options (see
below) exist; fortunately no decision needs to be made for several
centuries yet.

There is code in c-client to support the modified Gregorian
calendar, although it is currently disabled. Sometime in the next
2000 years, someone will need to enable this code so that c-client is
Y4K compliant. Then, 18,000 years from now, someone will have to
tear into c-client's code to fix the Y20K bug.


EASTERN ORTHODOX MODIFICATION OF THE GREGORIAN CALENDAR

The Eastern Orthodox church in 1923 established its own rules to
correct the Julian calendar. In their calendar, century years modulo
900 must result in value of 200 or 600 to be considered a leap year.
Both the Orthodox and Gregorian calendar agree that the years 2000 and
2400 will be leap years, and the years 1900, 2100, 2200, 2300, 2500,
2600, 2700 are not. However, the year 2800 will be a leap year in the
Gregorian calendar but not in the Orthodox calendar; similarly, the
year 2900 will be a leap year in the Orthodox calendar but not in the
Gregorian calendar. Both calendars will agree that 3000 and
3100 are leap years, but will disagree again in 3200 and 3300.

There is code in c-client to support the Orthodox calendar. It
can be enabled by adding -DUSEORTHODOXCALENDAR=1 to the c-client
CFLAGS, e.g.
make xxx EXTRACFLAGS="-DUSEORTHODOXCALENDAR=1"

The Orthodox calendar represents a year of 365.24222222... days.
Thus, the Orthodox calendar is actually 1.91 seconds slow each year,
resulting in the calendar being one day slow every 45,000 years. The
Eastern Orthodox church has not yet made any statements on how the
Y45K bug will be fixed.


OTHER ISSUES AFFECTING THE CALENDAR IN THE FUTURE

The effect of leap seconds also needs to be considered when
looking at the Y20K and Y45K problems. Leap seconds put the clock
back in line with the Earth's rotation, whereas leap years put the
calendar back in line with the Earth's revolution. Since leap seconds
slow down the clock (and hence the calendar), they actually bring the
day of reckoning for the Gregorian and Orthodox calendars sooner.

Another factor is that the next ice age (technically, the end of
the current interglacial period; we are in the middle of an ice age
now!) is due around Y25K. It is not known what perturbations this will
cause on the Earth's rotation and revolution, nor what calendar
adjustments will be necessary at that time.


MEANINGS OF DAY NAMES

The names of days of the week come from a combination of Roman and
Germanic names for celestial bodies:
. Sunday Latin "dies solis" => "Sun's day"
. Monday Latin "dies lunae" => "Moon's day"
. Tuesday Germanic "Tiw's day" => "Mars' day"
. Wednesday Germanic "Woden's day" => "Mercury's day"
. Thursday Germanic "Thor's day" => "Jupiter's day"
. Friday Germanic "Frigg's day" => "Venus' day"
. Saturday Latin "dies Saturni" => "Saturn's day"


MEANINGS OF MONTH NAMES

The names of the months are from the Roman calendar:
. January Janus, protector of doorways
. February Februalia, a time for sacrifice to atone for sins
. March Mars, god of war
. April Latin "aperire" => "to open" buds
. May Maia, goddess of plant growth
. June Latin "juvenis" => "youth"
. July Julius Caesar
. August Augustus Caesar
. September Latin "septem" => "seven"
. October Latin "octo" => "eight"
. November Latin "novem" => "nine"
. December Latin "decem" => "ten"

As you'll notice, the last four months are numbered 7 to 10, which
is an artifact of the time when the new year started in March.


INTERESTING FORMULAE

There's another reason why the historical starting of the new year
is significant. Starting with March, the length of months follows a
mathematical series:
31 30 31 30 31 31 30 31 30 31 31 28

This means that you can calculate the day of week for any
arbitrary day/month/year of the Gregorian calendar with the following
formula (note all divisions are integral):
$$
\mathrm{dow} = \left( d + \frac{7 + 31(m-1)}{12} + y + \frac{y}{4} - \frac{y}{100} + \frac{y}{400} \right) \bmod 7
$$
where
d := day of month (1..31)
m := month in old style (March = 1..February = 12)
y := year in old style
dow := day of week (Tuesday = 0..Monday = 6)

To convert from new style month/year to old style:
if (m > 2) m -= 2; /* Mar-Dec: subtract 2 from month */
else m += 10,y--; /* Jan-Feb: months 11 & 12 of previous year */

Here's another fun formula. To find the number of days between two
days, calculate a pair of calendar days with the formula (again, all
divisions are integral), using new style month/year this time:
$$
d + 30(m-1) + \frac{m + \frac{m}{8}}{2} + 365y + \frac{y}{4} - \frac{y}{100} + \frac{y}{400} - \mathit{ld}
$$

where:
d := day of month (1..31)
m := month in new style (January = 1..December = 12)
y := year in new style
ld := leap day correction factor:
0 for January and February in non-leap years
1 for January and February in leap years
2 for all other months in all years

In C code, the leap day correction factor is calculated as:
(m < 3) ? !(y % 4) && ((y % 100) || !(y % 400)) : 2

It's up to you to figure out how to adapt these formulas for the
Y4K bugfix and the Orthodox calendar. If you're really clever, try to
use these formulae to implement the C library ctime(), gmtime(), and
mktime() functions. Most C library implementations use a table of the
number of days in a month. You don't need it.
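The two formulae above, together with the Gregorian, modified Gregorian (Y4K) and Eastern Orthodox leap-year rules from the earlier sections, worked through in C as an added example; this is not code from the calendar document or from c-client. It uses the document's formulas as written, only shifting the day-of-week result from its Tuesday = 0 convention to Sunday = 0, and the sample dates are ones the text itself mentions.

```c
#include <stdio.h>

/* Gregorian: every fourth year, except century years not divisible by 400. */
int is_leap_gregorian(int y)
{
    return (y % 4 == 0) && (y % 100 != 0 || y % 400 == 0);
}

/* Modified Gregorian (the "Y4K fix"): additionally, years divisible by 4000
   are not leap years. */
int is_leap_modified_gregorian(int y)
{
    return is_leap_gregorian(y) && (y % 4000 != 0);
}

/* Eastern Orthodox (1923): century years are leap years only when
   (year mod 900) is 200 or 600; other years follow the every-fourth-year rule. */
int is_leap_orthodox(int y)
{
    int r;
    if (y % 4 != 0)
        return 0;
    if (y % 100 != 0)
        return 1;
    r = y % 900;
    return r == 200 || r == 600;
}

/* Day of week for a Gregorian date given in new style (January = 1).
   Applies the document's old-style formula (March = month 1), then shifts
   its Tuesday = 0 convention to Sunday = 0 .. Saturday = 6. */
int day_of_week(int d, int m, int y)
{
    int dow;
    /* new style -> old style: Jan/Feb become months 11 and 12 of the previous year */
    if (m > 2)
        m -= 2;
    else {
        m += 10;
        y--;
    }
    /* integer division throughout, as the document notes */
    dow = (d + (7 + 31 * (m - 1)) / 12 + y + y / 4 - y / 100 + y / 400) % 7;
    return (dow + 2) % 7;   /* Tuesday = 0 in the document; Sunday = 0 here */
}

/* Absolute day number of a new-style Gregorian date, per the document's
   second formula. Only differences between two results are meaningful. */
long day_number(int d, int m, int y)
{
    /* leap day correction factor, exactly as the document gives it in C */
    int ld = (m < 3) ? !(y % 4) && ((y % 100) || !(y % 400)) : 2;
    return d + 30L * (m - 1) + (m + m / 8) / 2
         + 365L * y + y / 4 - y / 100 + y / 400 - ld;
}

/* Days from the first date to the second (negative if the second is earlier). */
long days_between(int d1, int m1, int y1, int d2, int m2, int y2)
{
    return day_number(d2, m2, y2) - day_number(d1, m1, y1);
}

int main(void)
{
    static const char *names[] = { "Sunday", "Monday", "Tuesday", "Wednesday",
                                   "Thursday", "Friday", "Saturday" };
    /* Dates from the document: the first Gregorian day, and the British
       changeover day. */
    printf("15 Oct 1582 was a %s\n", names[day_of_week(15, 10, 1582)]);
    printf("14 Sep 1752 was a %s\n", names[day_of_week(14, 9, 1752)]);
    printf("1 Jan 2000 -> 1 Mar 2000: %ld days\n",
           days_between(1, 1, 2000, 1, 3, 2000));
    printf("2800: Gregorian leap=%d, Orthodox leap=%d\n",
           is_leap_gregorian(2800), is_leap_orthodox(2800));
    printf("4000: Gregorian leap=%d, modified Gregorian leap=%d\n",
           is_leap_gregorian(4000), is_leap_modified_gregorian(4000));
    return 0;
}
```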


ACKNOWLEDGEMENT:

The original version is from an old Digital Equipment Corporation SPR
answer for VMS. Modifications for c-client, and additional information
added by Mark Crispin.

Your Sun V100 OpenBootProm Can't Find A New CD/DVD-ROM Drive?

Abstract:
You've installed a CD/DVD-ROM drive (Slim ATAPI connection) into a Sun V100 and now it can't find the drive. Reference manual is here [docs.sun.com]

Procedure:
Start up the system and place a console cable into the first serial port on the platform. (The console cable on the V100 happens to be an RJ45 and is compatible with Cisco RJ45 console cables.)

The default settings for your terminal application are: 9600, 1 stop bit, no parity. To access the console from a Solaris platform, you can use tip.

Allow OpenFirmware to figure out where your CD-ROM is. In the following example, the probe-ide command shows the CD/DVD-ROM appearing as Device 2.

ok probe-ide
ok boot /pci@1f,0/ide@d/cdrom@2,0:f


GOOD LUCK!

Wednesday, April 28, 2010

Password Reset on a Cisco 1600-Series Router


Abstract: Someone forgot the admin passwords to a Cisco 1600-series router and you have physical access to the router.

You'll need to know the break key sequence for your terminal program; fortunately Cisco has provided a handy list: Standard Break Key Sequence Combinations.

Connect your computer to the router's console port, ensure your terminal software is functioning and configured properly (baud: 9600, data: 8, parity: none, stop: 1, flow control: none, com ports will vary), and start or hard cycle the Cisco's power.

Enter the break key sequence within 60 seconds.

ROMMON> confreg 0x2142
ROMMON> reset

..enter setup mode [yes/no] no
c1600> enable (no passwords are required)
c1600# copy startup-config running-config

Set your new passwords.

c1600# copy running-config startup-config
c1600# config term
c1600(config)# config-register 0x2102
c1600(config)# reload

That's it.

Monday, April 26, 2010

Solaris 10: Configuring ZFS Scrub via SMF


Solaris 10: Configuring ZFS Scrub via SMF

Abstract:
The new packaging routines for OpenSolaris omit the use of pre and post installation routines common to SVR4 packaging, for the purpose of simplification. The new SMF (Service Management Facility) can be leveraged to provide these capabilities. The creation of a regular repetitive operation such as ZFS Scrub can be packaged and run via SMF. This can be wrapped in an OpenSolaris feature called "Visual Panels" to provide a GUI.


Background:
When Solaris had been merged with SVR4, the SVR4 Package standard was implemented for software installation and FMLI (Form and Menu Language Interpreter) would handle text-based GUIs. Some SVR4 variants released XFMLI, in order to wrap "fmli" into a standard X Windows GUI. With the creation of OpenSolaris, the iPkg was created through the inclusion of a Debian Linux developer. With the release of Solaris 10, SMF, a new mechanism to manage hierarchical services under Solaris, was created to merge both start/stop scripts and inetd services. Shortly after Solaris 10's release, ZFS was released, in order to provide enhanced file system management. OpenSolaris added "Visual Panels", to help provide a facility to replace "fmli".

ZFS:
The ZFS system performs error detection and correction through the use of CRC and parity, depending on the level of redundancy the user requires (and selects). The "zpool" command handles most of the bottom-end functionality. An occasional "scrub" should be performed on-line via the "zpool scrub" command to ensure the integrity of on-line data, forcing the ZFS system to check all of the CRCs and apply available parity information against silent data corruption.

The availability of scrub information can be acquired via the "zpool status" command, but it was not persistent across reboots. To simulate this bug without a reboot, the "zpool export" and "zpool import" commands can be used, after which time any scrub information would disappear. Constantin Gonzalez implemented CR6878281 to make this information persistent. A work-around needed to be created in order to make available information persistent.

ZFS has the ability to retain user-defined properties at the file system level, but not at the zpool level. A user-defined property holding the last scrub date at the uppermost file system level can be implemented as a work-around for the work-around, providing a persistent location for the zpool's last scrub data element. The "zfs" command handles many of the higher-layer features.

In order to set the property, the "zfs set =" can be used. To find the formerly set property, the "zfs get " can be used. To delete the property, the "zfs inherit " can be used, which forces Solaris to delete and not create a new property, since the parent zpool does not have that property in existence!


SMF:
The Service Management Facility can be used to start, stop, and monitor various infrastructures within the operating system. The "svcs" command will show the active services with their states, while the "svcadm" command allows those states to be adjusted. Starting, stopping, and restarting of services can be done with "svcadm start ", "svcadm stop ", and "svcadm restart ".


Visual Panels:
A modern Java-based system, "Visual Panels" follows a client-server model, where any platform can run the GUI. (Ben Rockwood at cuddletech.com has a short introduction to it.) The Panels talk to "Management Beans" located in a "JMX Management Agent", which do all the heavy lifting. There already exists an "SMF Bean" which can make the "SMF" configuration changes for custom panels. The "NetBeans" development platform allows for wiring.

Tying Everything Together:
Constantin Gonzalez produced a video series describing how this can all be tied together in OpenSolaris. This is a great model for developers to use in order to migrate their systems to modern Solaris infrastructures. Constantin has moved his main blogging to a new location.

Some of the ZFS Scrub concepts were based upon Tim Foster's (new location) Auto-Snapshot work.

Sunday, April 25, 2010

Basic Cisco Router Security and Ethernet Support


Abstract: We're going to quickly configure and secure a stock Cisco 2505 router and enable ethernet support. The tasks that follow:

1) shutdown unnecessary serial ports
2) set passwords
3) change the IP address

The router will start in user (boot) mode. In this mode we can see configuration data but not make alterations. The example router is named Bart and this is the current prompt:

Bart>

Moving into privileged (aka enable) mode allows the admin to make changes. The system indicates privileged mode with # for the prompt:

Bart> enable
Bart#

Closing Unnecessary Serial Ports

The router's serial ports will not be used for this network and both must be turned off. On the prompts, notice that (config) is general configuration mode and (config-if) indicates that a particular 'interface' (serial, ethernet, etc. port) has been selected.

Bart# configure terminal
Bart(config)# interface Serial0
Bart(config-if)# shutdown
(to re-enable the port, the command is 'no shutdown')
Bart(config-if)# exit
(repeat for Serial1, then exit configuration mode to return to the Bart# prompt)
Bart# write terminal
At this point the configuration information is printed to the screen. Check to ensure the data is properly entered.
Bart# write memory

Enabling and Encrypting Passwords

We'll start with securing the console (initial screen).

Bart# config term
Bart(config)# line console 0
Bart(config-line)# login
Bart(config-line)# password Sk@teb0ard
Bart(config-line)# exit

Remote terminal sessions:

Bart# config term
Bart(config)# line vty 0 4
Bart(config-line)# login
Bart(config-line)# password Krus%Ycl0wn
Bart(config-line)# exit

Privileged mode:

Bart# config term
Bart(config)# enable password Tr<>4ouSe
Bart(config)# exit
Bart# disable (exits privileged mode into user mode)
Bart> enable
Password:


Viewing the system configuration at this point reveals the passwords in plain text. To ensure no one accidentally views sensitive info, they must be encrypted. (IOS's service password-encryption only obscures the passwords in the configuration output; it guards against casual viewing, not against someone who obtains a copy of the configuration.)

Bart# config term
Bart(config)# service password-encryption
Bart(config)# exit
Bart# write terminal (check that all passwords are encrypted)
Telnet into the router to ensure your password works. All changes have been tested.
Bart# write memory (saves the configuration information to NVRAM and will persist through power cycles)
Bart# reload (restarts the router)

System configuration was modified. Save? [yes/no] yes
Proceed with reload? [confirm] *press enter*

Close the terminal window so that someone can't scroll up and collect password data that was previously displayed.

Changing the IP Address

Bart> enable
Bart# conf term
Bart(config)# interface Ethernet0
Bart(config-if)# ip address 192.168.9.1 255.255.255.255
Bart(config-if)# exit
Bart(config)# exit
Bart# write term (check that change was made)
Bart# write mem

Thursday, April 22, 2010

Solaris 10: Digging Into TCP/IP Problems


Solaris 10: Digging Into TCP/IP Problems

Abstract:
Transmission Control Protocol / Internet Protocol (TCP/IP) has been embedded into most UNIX platforms since the beginning days of the Internet. With the enhancement of TCP/IP protocols over the decades, configuration & debugging has become increasingly more sophisticated. In the process of converting to a 100% open source system, Solaris 10 has acquired newer tools to work through issues.

Key Files:
Some key files needed to validate a configuration:
/etc/inet/hosts
/etc/inet/ipnodes
/etc/inet/netmasks
/etc/inet/services
/etc/defaultrouter
/etc/hostname.{interface}
/etc/nsswitch.conf
/etc/resolv.conf
Key Commands:
Some key commands used to validate the configuration:
/usr/sbin/ifconfig
/usr/bin/netstat
/usr/sbin/dladm
/usr/sbin/inetadm
/usr/sbin/ping

Key Tasks:
Debugging connectivity to a device or a service involves several steps.

Validate the machine host name is tied to an IP address:
sunt2000/root# grep `uname -n` /etc/inet/hosts /etc/inet/ipnodes
/etc/inet/hosts:192.168.254.7 sunt2000 loghost
/etc/inet/ipnodes:192.168.254.7 sunt2000 loghost
Validate the machine host name and ip address is tied to a network interface:
sunt2000/root# grep `uname -n` /etc/hostname.*
/etc/hostname.ipge2:sunt2000
Validate a default gateway for traffic to pass off of the network:
sunt2000/root# grep -v ^# /etc/defaultrouter
192.168.254.2 1
Validate the configuration of the interface by the OS during the past reboot:
sunt2000/root# ifconfig ipge2
ipge2: flags=1000843 mtu 1500 index 4
inet 192.168.254.7 netmask ffffff00 broadcast 192.168.254.255
ether 0:14:4f:2:6a:5e
Validate the interface parameters for duplex and speed:
sunt2000/root# dladm show-dev ipge2
ipge2 link: unknown speed: 100 Mbps duplex: full

Validate routing is set up from last reboot:
sunt2000/root# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------- ------------- ----- ----- ---------- ---------
default 192.168.254.2 UG 1 6719031
192.127.254.0 192.168.254.7 U 1 23399 ipge2
224.0.0.0 192.168.254.7 U 1 0 ipge2
127.0.0.1 127.0.0.1 UH 1 26319 lo0
Validate traffic is passing without errors or collisions on the interface.
sunt2000/root# netstat -ni -I ipge2
Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
ipge2 1500 192.168.254.0 192.168.254.7 419830401 0 538731765 0 0 0
Check to see what kind of name resolution is used on devices and services.
sunt2000/root# egrep '(^hosts|^services)' /etc/nsswitch.conf
hosts: dns files
services: files
When dns is being used, ensure the name services are running correctly.
sunt2000/root# nawk '/^nameserver/ { Cmd="nslookup www.oracle.com " $2 ; system(Cmd) }' /etc/resolv.conf
Server: 192.168.1.19
Address: 192.168.1.19#53

Non-authoritative answer:
www.oracle.com canonical name = www.oracle.com.edgesuite.net.
www.oracle.com.edgesuite.net canonical name = a398.g.akamai.net.
Name: a398.g.akamai.net
Address: 63.216.54.107
Name: a398.g.akamai.net
Address: 63.216.54.106

Server: 192.168.24.231
Address: 192.168.24.231#53

Non-authoritative answer:
www.oracle.com canonical name = www.oracle.com.edgesuite.net.
www.oracle.com.edgesuite.net canonical name = a398.g.akamai.net.
Name: a398.g.akamai.net
Address: 63.216.54.106
Name: a398.g.akamai.net
Address: 63.216.54.107
Check inet services which are not disabled.
sunt2000/root# inetadm | grep -v disabled
ENABLED STATE FMRI
enabled online svc:/application/x11/xfs:default
enabled online svc:/application/font/stfsloader:default
enabled offline svc:/application/print/rfc1179:default
enabled online svc:/network/rpc/smserver:default
enabled online svc:/network/rpc/gss:default
enabled online svc:/network/rpc/rstat:default
enabled online svc:/network/security/ktkt_warn:default
enabled online svc:/network/telnet:default
enabled online svc:/network/nfs/rquota:default
enabled online svc:/network/ftp:default
enabled online svc:/network/login:rlogin
enabled online svc:/network/shell:default
enabled online svc:/network/rpc-100235_1/rpc_ticotsord:default
enabled online svc:/network/bpcd/tcp:default
enabled online svc:/network/vnetd/tcp:default
enabled online svc:/network/vopied/tcp:default
enabled online svc:/network/bpjava-msvc/tcp:default
enabled online svc:/network/bootps/udp:default
enabled online svc:/network/tftp/udp6:default
enabled online svc:/network/rpc/cde-calendar-manager:default
enabled online svc:/network/rpc/cde-ttdbserver:tcp
Check global properties for all inet services.
sunt2000/root# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE
tcp_wrappers=FALSE
connection_backlog=10
List the inet properties of any service suspected of not running correctly. Lines marked 'default' are inherited from the global values shown by 'inetadm -p'.
sunt2000/root# inetadm -l telnet
SCOPE NAME=VALUE
name="telnet"
endpoint_type="stream"
proto="tcp6"
isrpc=FALSE
wait=FALSE
exec="/usr/sbin/in.telnetd"
user="root"
default bind_addr=""
default bind_fail_max=-1
default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=FALSE
default tcp_wrappers=FALSE
default connection_backlog=10
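The 'inetadm' listing above shows telnet, ftp, rlogin, rsh (svc:/network/shell), tftp and rstat all enabled, and 'inetadm -p' shows tcp_wrappers=FALSE, which means /etc/hosts.allow and /etc/hosts.deny are not consulted for any inetd service. The script below is an added example, not part of the original post: it audits 'inetadm' output for enabled legacy services, prints the 'inetadm -d' commands that would disable them, and prints the 'inetadm -M' commands that turn on TCP wrappers and per-connection tracing globally. The list of services treated as risky and the sample listing in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit 'inetadm' output for
# enabled clear-text and remote-shell services and emit remediation commands.
# The set of services considered risky is an assumption; extend it as needed.

# Clear-text logins and transfers (telnet, ftp, rlogin, rsh via the 'shell'
# service), tftp, and the rstat information leak.
RISKY_PATTERN='svc:/network/(telnet|ftp|login:rlogin|shell|tftp|rpc/rstat)'

# risky_services  (inetadm output on stdin) -> FMRIs of enabled risky services.
# Only rows whose first column is "enabled" are considered, which also drops
# the "ENABLED STATE FMRI" header that 'grep -v disabled' lets through.
# Exit status is that of egrep: 0 when at least one risky service was found.
risky_services() {
    awk '$1 == "enabled" { print $3 }' | egrep "$RISKY_PATTERN"
}

# disable_commands  (inetadm output on stdin) -> one 'inetadm -d FMRI' per hit
disable_commands() {
    risky_services | awk '{ print "inetadm -d " $1 }'
}

# harden_globals_commands -> 'inetadm -M' commands for the global defaults
# shown by 'inetadm -p': enable TCP wrappers (hosts.allow/hosts.deny) and
# per-connection tracing to syslog for every inetd-managed service.
harden_globals_commands() {
    printf '%s\n' 'inetadm -M tcp_wrappers=TRUE' 'inetadm -M tcp_trace=TRUE'
}

# Usage on a live host:
#   inetadm | risky_services
#   inetadm | disable_commands
#   harden_globals_commands
```

Review the emitted commands before running them: on the host above, svc:/network/shell and svc:/network/login:rlogin may still be relied on by old backup or management scripts, so replace them with ssh first, and confirm that 'inetadm -p' shows tcp_wrappers=TRUE afterwards.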
Conclusion:
For setting up and maintaining basic Network Management infrastructure under Solaris, these basic commands will take someone a long way.

Monday, April 19, 2010

HP & 3Com - Perfect Together

History:

3Com has been in the network business for decades, while HP (and the many acquired companies under its umbrella) has been in the computing business for decades. Huawei, a Chinese manufacturer, had invested in 3Com, and regulators recently blocked an attempt to acquire a more significant stake. Not long after, HP purchased 3Com, with promising results from regulators.

Combined:

The Register wrote a summary of the recent moves by HP.

HP has announced a new HP Networking brand, under which it will offer an edge-to-core set of sub-brands: the A Series; E Series; V Series; and S Series products. The ProCurve and 3Com brands will go away.

...

The ProCurve brand will be transitioned into the E Series. The 3Com brand will be transitioned into the A Series, except in China where the H3C brand has done very well and will be retained. There will be a single converged channel programme using the best-of-breed features of the existing 3Com and HP channel programs.

...

Donatelli said the A Series is for large enterprises, the E series for mid-sized customers, and the V series for small and medium enterprises. The S Series is for customers with network security needs, and the TippingPoint intrusion-prevention products will be featured there.

Network Management Implications:

For those of you who have been unfortunate enough to have to deal with Huawei, 3Com, and H3C devices, you will remember that the command line interfaces are close enough to be helpful but different enough to cause nasty automation problems.

Some devices can have the page size adjusted when displaying information, some have an option to shut off paging, and some devices cannot shut off the pager at all, making it very difficult to script automation across many devices. Sometimes sleeps need to be placed in the scripts to make sure the device automation actually works!

Plan on a nightmare of new automation issues on these devices as updates are released. Some hope HP will fix some of the old issues on old hardware, but others do not hold out much hope, considering that fixing old software would not drive new hardware sales.

Friday, April 16, 2010

Solaris 9: Missing dladm show-dev

Abstract:
Solaris 10 includes a new feature referred to as the Data Link Administration tool (dladm). This tool provides a simple way to configure and check the status of the layer 2 Ethernet interfaces. Some of the information commonly obtained from dladm under Solaris 10 can be derived from kstat under Solaris 9.

Solaris 10: dladm show-dev
The Data Link Administration tool under Solaris 10 has some very nice features, including quickly seeing the interface name, speed, and duplex.

sunt2000# dladm show-dev
ipge0 link: unknown speed: 100 Mbps duplex: full
ipge1 link: unknown speed: 100 Mbps duplex: full
ipge2 link: unknown speed: 100 Mbps duplex: half
ipge3 link: unknown speed: 0 Mbps duplex: unknown


Solaris 9: kstat & nawk
A simple nawk script over 'kstat -p' output can be used on a Solaris 9 platform to produce similar output.

sunt2000# kstat -p | nawk '
    # kstat -p lines look like "ce:0:ce0:link_speed 1000"; field 3 of the
    # colon-separated key is the interface name
    /duplex/ || /speed/ { split($1, Array, ":") ; Dev = Array[3] }
    /link_duplex/ && $2 == "2" { Duplex[Dev] = "full" }
    /link_duplex/ && $2 == "1" { Duplex[Dev] = "half" }
    # link_duplex sorts before link_speed, so duplex is known by the time
    # link_speed is seen and one line per interface is printed here
    /link_speed/ {
        if ( Duplex[Dev] == "" ) Duplex[Dev] = "unknown"
        Speed[Dev] = $2
        print Dev "\tlink: unknown\tspeed: " Speed[Dev] "\tMbit\tduplex: " Duplex[Dev]
    }'
ce0 link: unknown speed: 100 Mbit duplex: full
ce1 link: unknown speed: 1000 Mbit duplex: full
ce2 link: unknown speed: 1000 Mbit duplex: full
ce3 link: unknown speed: 1000 Mbit duplex: full
ce4 link: unknown speed: 0 Mbit duplex: unknown
ce5 link: unknown speed: 0 Mbit duplex: unknown

Thursday, April 15, 2010

Flash: Accelerating Performance

Abstract:
Flash acceleration has been on the market for a very short period of time. Sun, the technology leader in this market, invested heavily in it, providing hardware which speeds up their operating system and unoptimized applications. Parent company Oracle also released application-specific enhancements to increase database performance.

A Little History:

Sun released a flash accelerator in September of 2009 surpassing 1 million IOPS, with 1.6 million IOPS read and 1.2 million IOPS write, as described by Oracle, BestPerf blogger, UNIXBot blogger, and StorageMojo blogger.

The Register seemed thrilled to mention LSI surpassing 1 million IOPS 6 months later and forgot to mention Oracle/Sun, the market leader.

The Register again mentioned NextIO, who surpassed Oracle/Sun's benchmark, by about 6%, using 25% more flash - becoming the new market leader. Can you guess which vendor was forgotten again, by The Register?

Impact to Network Management

The 1.7 million IOPS mark is a hair over 1.6 million IOPS. It is really good to see the competition in the flash market; it helps everyone!

All of those heavy performance management platforms, which require substantial data stores with embedded databases, can receive substantial performance benefits by plugging in a flash accelerator, without incurring higher licensing costs or additional professional services for migration.

Postscript

Perhaps the writer at The Register will remember to include the market leader in the future, since Oracle/Sun is beating the competition on both price/performance and raw performance using their flash accelerator.

New Sun Ray 3 Thin Client

Abstract:
Sun had traditionally been a workstation company, which moved to servers and then migrated to thin clients. The thin client line has been upgraded occasionally. Since the acquisition of Sun by Oracle, the latest thin client has been released.

The Sun Ray 3:
Several blogs (MapleDesk, ThinkThin) have talked about the new thin client. There is also a posting to the Oracle/Sun Web Site comparing the new thin client against the other clients.



The front has audio input/output connectors and 2 USB jacks, while the rear panel has dual monitor support, 2 more USB jacks, Gigabit Ethernet, and even a 9-pin serial port!


You can see what the new Sun Ray 3 Plus Thin Client looks like when it is unboxed.

Where's The Media?

What is extremely odd to me is the silence from the media. For example, The Register covers thin clients from vendors like Microsoft, but has been completely silent on the latest release.

Network Management Implications

The dual-monitor 2560x1600 support is an excellent opportunity to display high-resolution maps and consoles on large monitors in a NOC.

The 9-pin serial port could provide a means to configure routers, switches, and other embedded systems directly from the thin client.

Why would it need gigabit ethernet? Honestly, the thin client would never need that much throughput. It could reduce latency and make the GUI feel more snappy in an environment where there is tremendous pressure for performance.

The smart card provides a robust hardware access control so only NOC personnel holding a card can use the terminals, while standard username/password combinations can still be used to access the applications.

Hot-Desking remains a great feature - the removal of a card at a particular NOC station means the desktop can move from one location to another location without the time cost of restarting the applications.

Wednesday, April 14, 2010

Oracle, MySQL, Sun - Moving Ahead

One might browse a short article, looking past the sarcasm and skepticism, for the information.

Oracle acquired and enhanced a database core engine for MySQL a number of years ago:
Oracle has been working on InnoDB since the acquisition five years ago
Perhaps the most important part of the article was:
Oracle's man had slightly more luck highlighting what he called "one of the most significant changes" in up-coming MySQL 5.5, which is in beta. The InnoDB storage engine bought by Oracle in 2005 will become MySQL's default storage engine. Also, InnoDB will be included for free with MySQL Enterprise Edition, which is charged under a support contract.
Significant work that Sun began is being released under Oracle:
Oracle announced the release of MySQL Cluster 7.1 as finished product, with improved administration, Java, and OpenJPA connectors to clusters, sub-second fail over and self healing. Even though this was work begun under Sun Microsystems, which Oracle finally acquired in January, Screven said it proved Oracle's commitment to improve the database is happening now, "not some abstract point in the future".
Impact on Network Management

Performance Management within Network Management is increasingly dependent upon databases to hold large quantities of data in mid to large deployments. Databases like Oracle are great options for internal-facing deployments. External-facing deployments require lower-cost licensing options in order to be sufficiently competitive. This is where MySQL fits well.

Monday, April 5, 2010

Itanium: The Death of Microsoft Windows Support

Announcement:


History:

See former blog entry when Red Hat Linux discontinued their Itanium support.

Network Management Implications:

None. There were no serious Network Management products using Microsoft Windows on Itanium. Only HP operating systems are really left on this CPU platform: a single isolated software vendor on a single isolated chip supplier.

Why Few Implications:

Single-vendor processors (IBM POWER and Intel Itanium) are somewhat more risky when a gap in the development cycle occurs due to human error. Specialized software vendors looking for longevity often look for multiple suppliers when producing a product, to ensure that a single vendor's glitch does not damage their product marketing.

In the area of server processors, there really seem to be only two multi-vendor CPU architectures left: SPARC (Oracle/Sun and Fujitsu) and x64 (Intel and AMD).

Who Will Be Affected?

Probably the people most affected by this move will be businesses that depended on Microsoft SQL Server on Itanium.

Had those businesses chosen another database vendor that supports multiple architectures (i.e. Oracle RDBMS), a migration to another operating system (i.e. an HP operating system) on the same hardware could have been done to extend the life of the asset, and any desired hardware architecture could have been chosen to migrate to later (i.e. SPARC, POWER, Intel x64, AMD x64).