Things relevant to my interest, and maybe yours.

tidy-acl

Tidy ACL listings on ASA

Normally a show access-list brings up something like

access-list OUTSIDE-IN line 1 extended permit ip object-group FOO any (hitcnt=9001)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.1 any (hitcnt=9000)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.2 any (hitcnt=1)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.3 any (hitcnt=0)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.4 any (hitcnt=0)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.5 any (hitcnt=0)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.6 any (hitcnt=0)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.7 any (hitcnt=0)
access-list OUTSIDE-IN line 2 extended permit ip object-group BAR any (hitcnt=9002)
  ...

Sometimes you only want to see the leading configuration lines. To get there you can simply exclude lines containing a double space (escaped with backslashes) like:

show access-list | exclude \ \ 
access-list OUTSIDE-IN line 1 extended permit ip object-group FOO any (hitcnt=9001)
access-list OUTSIDE-IN line 2 extended permit ip object-group BAR any (hitcnt=9002)
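Doing the same filtering offline, plus the follow-up a practitioner usually wants from this listing (which expanded object-group members have never been hit), as an added example that is not part of the original page. The listing is constructed after the one above; the parser relies only on the two-space indentation the ASA uses for expanded members.

```python
"""Collapse an ASA 'show access-list' listing to its leading lines and report
object-group members that have never been hit (added example, not from the
original page).  The listing below is constructed after the page's example."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
access-list OUTSIDE-IN line 1 extended permit ip object-group FOO any (hitcnt=9001)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.1 any (hitcnt=9000)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.2 any (hitcnt=1)
  access-list OUTSIDE-IN line 1 extended permit ip host 10.42.23.3 any (hitcnt=0)
access-list OUTSIDE-IN line 2 extended permit ip object-group BAR any (hitcnt=9002)
  access-list OUTSIDE-IN line 2 extended permit ip host 10.42.24.1 any (hitcnt=9002)
  access-list OUTSIDE-IN line 2 extended permit ip host 10.42.24.2 any (hitcnt=0)
"""
HITCNT = re.compile(r"\(hitcnt=(\d+)\)")

@dataclass
class Ace:
    text: str                                    # the line as printed, stripped
    hits: int
    members: list = field(default_factory=list)  # expanded object-group members

def parse_listing(text: str) -> list[Ace]:
    """Leading ACEs start in column 0; the ASA indents their expansion by two spaces."""
    aces: list[Ace] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HITCNT.search(raw)
        ace = Ace(raw.strip(), int(m.group(1)) if m else 0)
        if raw[0].isspace():
            if not aces:
                raise ValueError("indented line without a leading ACE: " + raw)
            aces[-1].members.append(ace)
        else:
            aces.append(ace)
    return aces

def leading_lines(text: str) -> list[str]:
    """Same result as 'show access-list | exclude \\ \\ ' on the ASA."""
    return [a.text for a in parse_listing(text)]

def unused_members(text: str) -> dict[str, list[str]]:
    """Map each leading ACE to those of its expanded members with hitcnt=0."""
    return {a.text: [m.text for m in a.members if m.hits == 0]
            for a in parse_listing(text) if a.members}

if __name__ == "__main__":
    print("\n".join(leading_lines(SAMPLE)))
    for ace, idle in unused_members(SAMPLE).items():
        print(f"  {len(idle)} never-hit member(s) under: {ace}")
```

Feed it the saved output of show access-list instead of SAMPLE to get a pruning list for a real ACL.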

bash

bash-completion for arbitrary commands

To reuse the ssh completion for any command whose name contains ssh (matched by the regex .*ssh below), put this in /etc/bash_completion:

. /usr/share/bash-completion/bash_completion
# set up dynamic completion loading
_completion_loader()
{
  local compdir=./completions
  [[ $BASH_SOURCE == */* ]] && compdir="${BASH_SOURCE%/*}/completions"
  # Try basename.
  . "$compdir/${1##*/}" &>/dev/null && return 124
  # Arbitrary ssh command: reuse the ssh completion for any command name containing "ssh"
  [[ $1 =~ .*ssh ]] && . /usr/share/bash-completion/completions/ssh >/dev/null 2>&1 && complete -F _ssh "$1" && return 124
  # Need to define *something*, otherwise there will be no completion at all.
  complete -F _minimal "$1" && return 124
} &&
complete -D -F _completion_loader

Note: _completion_loader was mostly extracted from /usr/share/bash-completion/bash_completion itself; only the "# Arbitrary ssh command" part was added.

port-channel

IEEE 802.3ad - Link aggregation on a CISCO Switch

In case you are wondering: this is a stacked switch, so Gi1/0/ is one switch and Gi2/0/ is the other, aiming for maximum redundancy. The interesting part is the channel-protocol lacp statement.

This article is the counterpart of bonding.

interface Port-channel1
description Po1 (Etherchannel Gi1/0/1, Gi2/0/1)
switchport trunk encapsulation dot1q
switchport mode access
storm-control broadcast level 0.50
storm-control multicast level 0.50
spanning-tree portfast

interface GigabitEthernet1/0/1
description Server - eth0 (Po1 link 1)
switchport access vlan 2
switchport mode access
load-interval 30
storm-control broadcast level 0.50
storm-control multicast level 0.50
channel-protocol lacp
channel-group 1 mode active
spanning-tree portfast

interface GigabitEthernet2/0/1
description Server - eth1 (Po1 link 2)
switchport access vlan 2
switchport mode access
load-interval 30
storm-control broadcast level 0.50
storm-control multicast level 0.50
channel-protocol lacp
channel-group 1 mode active
spanning-tree portfast

bonding

Configure bonding for IEEE 802.3ad (Link aggregation)

For details about bonding in general, see the Linux Ethernet Bonding Driver HOWTO.

This article is the counterpart of port-channel.

Debian

  • /etc/network/interfaces

      auto bond0
      iface bond0 inet static
      address 192.168.0.10
      netmask 255.255.255.0
      slaves eth0 eth2
      bond_miimon 100
      bond_mode 802.3ad
      bond_lacp_rate fast
    
      allow-bond0 eth0
      iface eth0 inet manual
    
      allow-bond0 eth2
      iface eth2 inet manual
    

RedHat (CentOS, Scientific Linux, Fedora, ...)

For users of an ixgbe (Intel) NIC: be careful with kernel releases between 2.6.194-8.1.el5 and 2.6.18-229.el5, you might run into RHEL bug #619070.

  • /etc/sysconfig/network-scripts/ifcfg-bond0

      DEVICE=bond0
      IPADDR=192.168.2.12
      NETMASK=255.255.255.0
      ONBOOT=yes
      BOOTPROTO=none
      USERCTL=no
      BONDING_OPTS="miimon=100 mode=802.3ad lacp_rate=fast"
    
  • /etc/sysconfig/network-scripts/ifcfg-eth0

      DEVICE=eth0
      BOOTPROTO=none
      ONBOOT=yes
      HWADDR=xx:xx:xx:xx:xx:xx
      MASTER=bond0
      SLAVE=yes
      USERCTL=no
    
  • /etc/sysconfig/network-scripts/ifcfg-eth1

      DEVICE=eth1
      BOOTPROTO=none
      ONBOOT=yes
      HWADDR=xx:xx:xx:xx:xx:xx
      MASTER=bond0
      SLAVE=yes
      USERCTL=no
    

OpenSUSE

Presumably the same issue with the kernel as for RedHat. I haven't got it to work with 2.6.27.7-9-default (openSUSE 11.1).

  • /etc/sysconfig/network/ifcfg-bond0

      STARTMODE='auto'
      BOOTPROTO='static'
      BONDING_MASTER=yes
      BONDING_SLAVE_1='eth0'
      BONDING_SLAVE_2='eth1'
      BONDING_MODULE_OPTS='mode=802.3ad miimon=100 lacp_rate=fast'
      IPADDR='192.168.0.10/24'
      NETWORK='192.168.0.0'
      USERCONTROL='no'
    
  • /etc/sysconfig/network/ifcfg-eth0

      STARTMODE='off'
      BOOTPROTO='none'
      USERCONTROL='no'
    
  • /etc/sysconfig/network/ifcfg-eth1

      STARTMODE='off'
      BOOTPROTO='none'
      USERCONTROL='no'
    

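After applying one of the configurations above, the state the kernel reports in /proc/net/bonding/bond0 tells you whether LACP was actually negotiated with the switch. The following is an added example, not from the original page: the status text is constructed, with eth1 placed in a different aggregator than the active one, which is what you see when the switch port for that link was never added to the channel-group.

```python
"""Check a Linux 802.3ad bond via /proc/net/bonding/<bond> (added example, not
from the original page).  SAMPLE_STATUS is constructed: eth1 is in another
aggregator than the active one, so it carries no traffic although its link is up."""
import re

SAMPLE_STATUS = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
LACP rate: fast
Active Aggregator Info:
\tAggregator ID: 1
\tPartner Mac Address: 00:00:5e:00:53:01
Slave Interface: eth0
MII Status: up
Aggregator ID: 1
Slave Interface: eth1
MII Status: up
Aggregator ID: 2
"""

def _kv(block: str) -> dict:
    """Dict of the 'Key: value' lines in one block (leading tabs are dropped)."""
    pairs = (line.partition(":") for line in block.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_bond_status(text: str) -> tuple[dict, dict]:
    """Return (bond-wide settings, {slave name: its settings})."""
    head, *blocks = re.split(r"^Slave Interface: ", text, flags=re.M)
    slaves = {}
    for block in blocks:
        name, _, rest = block.partition("\n")
        slaves[name.strip()] = _kv(rest)
    return _kv(head), slaves

def bond_problems(text: str, want_lacp_rate: str = "fast") -> list[str]:
    """Findings against the expected state; an empty list means healthy."""
    bond, slaves = parse_bond_status(text)
    found = []
    if "802.3ad" not in bond.get("Bonding Mode", ""):
        found.append("mode is not 802.3ad: " + bond.get("Bonding Mode", "?"))
    if bond.get("LACP rate") != want_lacp_rate:
        found.append(f"LACP rate {bond.get('LACP rate')!r}, expected {want_lacp_rate!r}")
    if bond.get("Partner Mac Address", "00:00:00:00:00:00") == "00:00:00:00:00:00":
        found.append("no LACP partner: the switch is not running LACP on these ports")
    active = bond.get("Aggregator ID")  # ID of the active aggregator
    for name, s in slaves.items():
        if s.get("MII Status") != "up":
            found.append(f"{name}: link is {s.get('MII Status')}")
        elif s.get("Aggregator ID") != active:
            found.append(f"{name}: in aggregator {s.get('Aggregator ID')}, active is {active}")
    return found
```

On a real host, pass the contents of /proc/net/bonding/bond0 to bond_problems() and treat any finding as a reason not to trust the redundancy yet.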
This wiki is powered by ikiwiki.