We are required to connect the Proxmox Server with a trunk port or a network connection with tagged VLANs. If the trunk port is configured properly, then there should not be any issues configuring the Proxmox server side. Please have a read on this page from Proxmox themselves.
In summary, it is best to configure this via the Proxmox shell interface. In this setup, I choose to use a VLAN-aware Linux bridge. First, identify the network interface connected to the trunk port. In my case, I have the eth0 interface connected to the trunk interface and vmbr0 as the bridge. We have 2 VLANs, VLAN 100 with subnet 192.168.100.0/24 and VLAN 200 with subnet 192.168.200.0/24.
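The bridge described above, written out as /etc/network/interfaces content by an added example (not from the original post or from Proxmox). render_vlan_bridge is a hypothetical helper name; bridge-vids lists only VLAN 100 and 200, so the bridge carries just the VLANs this setup uses.

```bash
#!/usr/bin/env bash
# Added example: print a VLAN-aware bridge stanza limited to the given VLANs.

# usage: render_vlan_bridge BRIDGE PORT VLAN_ID...
render_vlan_bridge() {
    local bridge="$1" port="$2" vid vids=""
    shift 2
    [ $# -gt 0 ] || { echo "at least one VLAN ID is required" >&2; return 1; }
    for vid in "$@"; do
        # Reject anything that is not a plain number before comparing it.
        case $vid in
            ''|*[!0-9]*) echo "bad VLAN ID: $vid" >&2; return 1 ;;
        esac
        # 802.1Q reserves 0 and 4095, so usable IDs are 1 to 4094.
        [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] ||
            { echo "VLAN ID out of range: $vid" >&2; return 1; }
        vids="${vids:+$vids }$vid"
    done
    cat <<EOF
auto $port
iface $port inet manual

auto $bridge
iface $bridge inet manual
    bridge-ports $port
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids $vids
EOF
}

# Interface, bridge and VLAN IDs as named in the post.
render_vlan_bridge vmbr0 eth0 100 200
```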
This is my experience on the installation of the FUSE filesystem to mount Google Drive on Linux systems since sometimes the PPA sources are broken or not syncing. The steps below are applicable on Debian/Ubuntu systems. In my case, I installed this on Kali Linux. First, we update the system.

sudo apt update; sudo apt upgrade -y

Then we install opam before installing the package.

sudo apt-get install opam

FreeRDP has not updated some of the pages of their user wiki for quite some time. As such, when I was using xfreerdp with this command,

$ xfreerdp /v:[ip_address] /u:[domain]\[user] /p:[password]

I encountered this error:

[22:53:30:886] [1619223:1619224] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0

I was a bit dumbfounded as using the same credentials with the Microsoft RDP client (mstsc) works. So after some digging, I found out that with this version of FreeRDP [version 2.11.2], I just need to separate the domain.

$ xfreerdp /v:[ip_address] /d:[domain] /u:[user] /p:[password]

Hope this helps someone.

While upgrading a Brocade ICX7250 firmware from version 8.0.30 to 8.0.40, I noticed issues on the ssh (scp) client of the switch while transferring firmware from a Linux SSH server. I executed this command on the Brocade switch with management IP (10.1.1.101) to copy the firmware (spz10106.bin) from the SSH server (10.1.1.111).

SSH@TEST-SW1-7250#copy scp flash 10.1.1.111 spz10106.bin primary

Below are the error logs from the Linux server (10.1.1.111).

Jan 8 17:57:13 linux_server sshd[19405]: fatal: Unable to negotiate with 10.1.1.101 port 7509: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

As part of the security hardening policies, I needed to secure access to the Riverbed Steelhead with RADIUS authentication.
Since I already have a FreeRADIUS (v.2.2.5) in Debian Linux (8.6) running in the environment (currently used to authenticate with our network devices, i.e. Cisco, Comware, Junos, Brocade), I only needed to follow the Steelhead Deployment Guide for RADIUS Configuration. However, it seems Riverbed forgot to update their documentation to reflect the latest FreeRADIUS. I will post here my configuration experience for RADIUS configuration of Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide. First, update the FreeRADIUS clients file (/etc/freeradius/clients)

# Steelhead device

A long time ago, I was using RANCID to back up and manage all configurations from network devices or anything that has telnet/ssh CLI access. Over time, I hardly maintained and updated it. Then I installed a network device tracking database (NetDB) which is used to track all devices connected to the network, where MAC addresses and IP addresses are collected and stored.
During this implementation and fine tuning (NetDB version 1.12), I stumbled on an undocumented option where the PERL script can call a function to collect the device configuration. This is done by invoking the equivalent of "show configuration" for every vendor/product. I modified this a bit, which included my contribution of an HP Comware scraper that can also extract the device configuration via "display current-configuration".

I used to post in Blogsome a couple of years ago until the site closed down. There, I posted blogs about RANCID, which is a set of scripts (PERL) used to monitor network device configurations and maintain a history of changes via CVS (Concurrent Version System). Here are some of my posts about RANCID (version 2.3.2) which are now archived on the Internet and might be of use to someone interested in RANCID and customizing it.
RANCID under the hood (posted October 23, 2011)
This post shows the internal workings of RANCID: how it works, which scripts are executed and how they depend on each other.

RANCID additional commands (posted November 2, 2011)
Normally, RANCID executes some commands when connecting to network devices; this post discusses how to include additional commands.

RANCID Customization (posted November 9, 2011)
This post discusses how to poll different groups of network devices with different sets of commands.

I hope in the future I can update my knowledge with the current release of RANCID.

This is a continuation post on the usage of the Python Paramiko network device configuration script (netscript.py) I am currently testing. Let us say you have around 100 network devices accessible via SSH and you need to update their configuration. For example, you need to add a new syslog server and remove the current one. In Cisco IOS, you would need to run this set of commands:

# Enter Configuration mode

We had this problem with one of our Internet links, which was an ADSL/PPPoE connection. Every now and then this Internet connection seemed to be unstable and it affected Internet access through this line. One solution we came across is resetting the ADSL connection, either by pulling the cable off or by shut/unshut of the interface. Once the ADSL/PPPoE gets reconnected, Internet access becomes stable again. While waiting for the service provider to fix the issue (if it gets fixed), we needed to reset the interface connecting the ADSL/PPPoE line every now and then. This can be done after office hours (i.e. 12MN) but should be automated (I can't be doing this manually). Here comes my Python Network Script (netscript), discussed here in my post, along with cron. Below are my steps in automating this task. First we create the command file (interface_reset.txt) which will shut down and enable the network interface.
#!/bin/bash

slow-query-log = 1

Ever wondered why some queries from the MySQL database seem to be slow? I have been in a situation where, when I restart a process (particularly Snort/Barnyard), I end up waiting and wondering why the MySQL process takes ages, sometimes 5 to 15 minutes. As such, I ended up enabling debugging of MySQL queries and checked how long each query takes to process. This is called the Slow Query Log. To enable this debugging, we need to modify the MySQL configuration file (normally my.cnf). Below are settings working for MySQL version 5.6.21 in a Debian 7.7 environment. The slow-query-log-file can be any filename as long as it has a log extension, and it is preferably located in the MySQL logs directory. Then restart the MySQL process.

# /etc/init.d/mysql restart

Now, you can view ALL queries to the database, both preceding queries and active queries. Below is a sample of logs from my Snort/Barnyard/BASE platform.

# tail /var/log/mysql/localhost-slow.log

Note that each SQL query has a "Query_time" and a "Lock_time" which give an indication of how long these statements were executed on the database.
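Reading Query_time and Lock_time by eye gets tedious on a busy log, so here is an added example (not from the original post) that lists the statements at or above a threshold, slowest first. The log entries, table names and the helper names slow_queries and sample_slow_log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list the statements in a slow query log whose Query_time is
# at or above a threshold, slowest first.

# Constructed sample in the MySQL 5.6 slow-log layout; not real log data.
sample_slow_log() {
    cat <<'EOF'
# Time: 150107  8:16:50
# User@Host: snort[snort] @ localhost []  Id:    12
# Query_time: 312.004211  Lock_time: 0.000087 Rows_sent: 1  Rows_examined: 5820311
SET timestamp=1420618610;
SELECT COUNT(*) FROM event WHERE sid = 1;
# User@Host: snort[snort] @ localhost []  Id:    12
# Query_time: 0.000412  Lock_time: 0.000051 Rows_sent: 1  Rows_examined: 1
SET timestamp=1420618611;
SELECT MAX(cid) FROM event
WHERE sid = 1;
EOF
}

# usage: slow_queries LOGFILE MIN_SECONDS   (LOGFILE "-" reads stdin)
# prints: Query_time Lock_time statement
slow_queries() {
    awk -v min="$2" '
        # The header comment carries both timings for the next statement.
        /^# Query_time:/ { qt = $3; lt = $5; stmt = ""; next }
        # Skip the other header lines and the bookkeeping statements.
        /^#/ || /^SET timestamp=/ || /^use / { next }
        qt != "" {
            # A statement may span several lines; join them up to the ";".
            stmt = stmt (stmt == "" ? "" : " ") $0
            if ($0 ~ /;[ \t]*$/) {
                if (qt + 0 >= min + 0) print qt, lt, stmt
                qt = ""
            }
        }
    ' "$1" | sort -rn
}

# Show every sample statement that ran for one second or longer.
sample_slow_log | slow_queries - 1
```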
When a device is configured with SNMP, we normally need a tool to confirm if the configuration is correct. For this, I normally use snmpwalk, which is part of the NET-SNMP package and can be easily installed in any Linux distribution. For SNMP version 2 testing, this is fairly straightforward for those who have been using SNMPv2 for a long while. Testing an SNMP version 3 configuration is not a simple walk in the park as there are many variations in configuring SNMPv3 on a device. I would advise reading a bit on SNMPv3 and learning the specific configuration on your device (if supported). Let us see the snmpwalk command for version 3.

snmpwalk -v 3 -l <level> -u <username> -a <authtype> -x <privtype> -A <authpass> -X <privpass> <target> <oid>

As you can see, there are several arguments for the command; everything within the "< >" is a variable. Below is a sample output from the command.

# snmpwalk -v 3 -l authPriv -u snmpuser -a MD5 -x AES -A snmpauthpass -X snmprivpass 192.168.0.11 system

As you can see in the output, we managed to pull the SNMP data from the target device (IP: 192.168.0.11) using "system" for the OID. The version 3 security level used is "authPriv"; as such, we would need "MD5" for the authtype and "AES" for the privtype. The username "snmpuser", authpass "snmpauthpass" and privpass "snmpprivpass" are used accordingly in the command.
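Passphrases given with -A and -X are visible in the process list and in shell history, so the added example below (not from the original post) writes the same settings to a private snmp.conf and checks that each security level has the options it needs. write_snmpv3_conf is a hypothetical helper name; the def* directives are the Net-SNMP snmp.conf defaults.

```bash
#!/usr/bin/env bash
# Added example: store the SNMPv3 settings in a private snmp.conf instead of
# passing the passphrases as command-line arguments.

# usage: write_snmpv3_conf FILE LEVEL USER [AUTHTYPE AUTHPASS [PRIVTYPE PRIVPASS]]
write_snmpv3_conf() {
    local file="$1" level="$2" user="$3"
    local atype="${4:-}" apass="${5:-}" ptype="${6:-}" ppass="${7:-}"
    [ -n "$user" ] || { echo "username required" >&2; return 1; }

    # Each security level uses a different subset of the options.
    case $level in
        noAuthNoPriv) atype="" apass="" ptype="" ppass="" ;;
        authNoPriv)   ptype="" ppass="" ;;
        authPriv)     ;;
        *) echo "unknown security level: $level" >&2; return 1 ;;
    esac
    if [ "$level" != noAuthNoPriv ]; then
        [ -n "$atype" ] || { echo "$level needs an authtype" >&2; return 1; }
        # USM passphrases must be at least 8 characters long.
        [ "${#apass}" -ge 8 ] || { echo "authpass is too short" >&2; return 1; }
    fi
    if [ "$level" = authPriv ]; then
        [ -n "$ptype" ] || { echo "authPriv needs a privtype" >&2; return 1; }
        [ "${#ppass}" -ge 8 ] || { echo "privpass is too short" >&2; return 1; }
    fi

    # umask 077 creates the file unreadable to other users before any secret
    # is written; chmod covers a file that already existed.
    (
        umask 077
        {
            echo "defVersion 3"
            echo "defSecurityName $user"
            echo "defSecurityLevel $level"
            if [ -n "$atype" ]; then
                echo "defAuthType $atype"
                echo "defAuthPassphrase $apass"
            fi
            if [ -n "$ptype" ]; then
                echo "defPrivType $ptype"
                echo "defPrivPassphrase $ppass"
            fi
        } > "$file"
    ) && chmod 600 "$file"
}
```

With the result saved as ~/.snmp/snmp.conf, the test shortens to `snmpwalk 192.168.0.11 system`.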
This is a simple installation guide for the DHCP service on Debian Linux (7.7 wheezy). First you need to know which interface the service will be listening on (normally this is eth0) and next the current IP subnet where this server is running. This could be the same IP subnet you plan on leasing. Next you need to get the information about the IP subnet this service will be leasing. In this guide, we will be using this IP subnet.

Subnet: 192.168.100.0
Netmask: 255.255.255.0
Range: 192.168.100.100 192.168.100.200 # This is the IP address range to be leased to end devices
Gateway: 192.168.100.1 # This is the gateway to the rest of the network (i.e. Internet)
Domain Name Servers: 192.168.200.11 192.168.200.12 # These are your DNS servers
Domain Name: HOME.NET # This is important if you have a DOMAIN or WORKGROUP

Install the required package

# apt-get install isc-dhcp-server isc-dhcp-common

After installation, don't worry if the word "failed" comes out. We just need to modify the configuration file to get things working. Edit /etc/dhcp/dhcpd.conf and add/modify these lines

option domain-name "HOME.NET";

Start the DHCP service

# /etc/init.d/isc-dhcp-server start

Verify and check if the service is running.

# ps ax | grep dhcp

The output for ps shows if the process is indeed running, while the output for netstat shows if the DHCP service is listening on UDP port 67 both for IPv4 and IPv6. Don't worry about UDP port 29114 as this is for inter-process communication. For the paranoid administrator, you can firewall this. Check/update any firewall rules if needed (iptables -L -n -v). When in operation, you can check any leased IP address by checking the DHCP lease file (tail -f /var/lib/dhcp/dhcpd.leases). You can check DHCPStatus for a simple web interface. Check the syslog output for any errors (tail /var/log/syslog). Below is the most common error if the DHCP server is running on a different subnet than the IP subnet being leased.
Jan 7 08:16:50 testprobe dhcpd: No subnet declaration for eth0 (192.168.100.11).

Add this line to the configuration file (/etc/dhcp/dhcpd.conf) as the server is on a different subnet (i.e. eth0 = 192.168.100.11)

subnet 192.168.100.0 netmask 255.255.255.0 { }
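The values from this guide assembled into dhcpd.conf text, as an added example that is not part of the original post. The helper names are hypothetical and the interface address 192.168.200.5 is constructed to show the case where the server sits outside the leased subnet and needs the empty declaration.

```bash
#!/usr/bin/env bash
# Added example: render dhcpd.conf for the leased subnet, plus the empty
# subnet declaration for the listening interface when it is on another subnet.

ip2int() {  # dotted quad -> integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
network_of() {  # usage: network_of IP NETMASK
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}
in_subnet() {  # usage: in_subnet IP NETWORK NETMASK
    [ "$(network_of "$1" "$3")" = "$2" ]
}

# usage: render_dhcpd NET MASK FIRST LAST GATEWAY DNS_LIST DOMAIN IF_IP IF_MASK
render_dhcpd() {
    local net="$1" mask="$2" first="$3" last="$4" gw="$5" dns="$6" domain="$7"
    local ifip="$8" ifmask="$9" ip ifnet
    # The range and the gateway must lie inside the subnet being leased.
    for ip in "$first" "$last" "$gw"; do
        in_subnet "$ip" "$net" "$mask" ||
            { echo "$ip is outside $net/$mask" >&2; return 1; }
    done
    [ "$(ip2int "$first")" -le "$(ip2int "$last")" ] ||
        { echo "range is reversed" >&2; return 1; }

    printf 'option domain-name "%s";\n' "$domain"
    printf 'option domain-name-servers %s;\n' "$dns"
    printf 'subnet %s netmask %s {\n  range %s %s;\n  option routers %s;\n}\n' \
        "$net" "$mask" "$first" "$last" "$gw"

    # dhcpd logs "No subnet declaration" for an interface whose own subnet
    # is missing from the file, so declare it (empty) when it differs.
    ifnet=$(network_of "$ifip" "$ifmask")
    if [ "$ifnet" != "$net" ]; then
        printf 'subnet %s netmask %s {\n}\n' "$ifnet" "$ifmask"
    fi
}

# Guide values; the interface address 192.168.200.5 is constructed.
render_dhcpd 192.168.100.0 255.255.255.0 192.168.100.100 192.168.100.200 \
    192.168.100.1 "192.168.200.11, 192.168.200.12" HOME.NET \
    192.168.200.5 255.255.255.0
```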
Certified Geek
A Certified Geek who blogs anything geeky he comes across, mostly in Linux and Networking.