Archive for the ‘Network Tools’ Category

Boot that ISO!

November 23rd, 2009 No comments

I hate to break the news to those of you with spindles filled with hundreds of blank CDs, but the optical disc is dead! While this statement may be a bit dramatic, it holds true for me. Sure, discs are still a means of cheap retail content delivery (software, movies, etc.), but for a network administrator even rewritable discs are a hassle.

The advent of the live CD has changed the game even further. Once upon a time you might need one CD for every task that you might want to complete. Now you are able to cook your own live CD complete with all of the tools you need. Even with this ability, I recognize that there are some great live CDs out there that have a very complete set of network tools out of the box. I will discuss a few tools that make it much easier to take a typical ISO and “burn” it to a bootable USB drive.

Requirements

Before starting, keep in mind that in order for this entire process to work, the computer you intend to use the bootable USB drive with must support booting from such a device. Many older computers do not support this function. In some cases a BIOS upgrade may provide this functionality.

UNetbootin

UNetbootin is a utility for Windows and Linux that can take just about any ISO and write it to a USB drive in a bootable fashion. It has a nice feature where it can even automatically download the ISO for various Linux distributions before writing it to your USB drive.

Most users will use the second option, which will write an existing disk image (ISO or floppy/hard drive format) to the selected USB device.

I have personally used UNetbootin with many different ISOs and I have not run into any problems. This utility comes in handy for OS installs without a CD or otherwise using a live CD.

BootMyISOs

This is a Windows only utility used to make a USB drive bootable. Once BootMyISOs has done its part, all you have to do is copy the ISOs you want to the USB drive. This is great for replacing all of your old CDs with one bootable USB drive.

Make sure you refer to the linked page on Pen Drive Linux, since BootMyISOs only supports certain distributions/ISOs.

Happy booting!

Categories: Network Tools Tags:

Rancid & HP Procurve Equipment

October 12th, 2009 1 comment

The underlying goal at work this month is to get some much needed insight and auditing abilities into our network. I have looked at Rancid before, and after doing some research I finally decided to take the plunge and implement it into our network.

The steps below assume that you are running Ubuntu Server 8.04.3 LTS i386 with a standard LAMP installation. They may work with other Debian based distributions, but your mileage may vary. For this installation I will be using Rancid version 2.3.2, which is the current stable release at the time that I wrote this article. I encourage you to check the Shrubbery web site and get the latest release that is available. Additionally, this article will go into a bit more detail about using Rancid with various HP Procurve equipment.

It would be a lie to say I figured out all of these steps on my own. Some of it was trial and error, other information I found in various places on the Internet. Tweets from Jeremy over at Evil Routers gave me the needed insight on editing the hrancid file to support some of the newer Procurve equipment.

Rancid Installation

After your base LAMP system is installed, you need to install some packages that are required to install and run rancid. You can combine these commands into one line, but I broke them out into two lines to show that the second line begins the actual Rancid dependencies.

apt-get install gcc make libc6-dev
apt-get install expect cvs

Next, create a user that will run Rancid. This user’s home directory will be used as the install path and CVS repository for Rancid. For simplicity’s sake I have used the user name “rancid”, but you can use anything.

adduser --home /home/rancid rancid

Download the latest rancid source archive using wget.

wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2.tar.gz

Copy the archive to /usr/src and extract the contents.

cp rancid-2.3.2.tar.gz /usr/src
cd /usr/src
tar xvfz rancid-2.3.2.tar.gz
cd rancid-2.3.2

Configure and install Rancid. Note that we are providing arguments for specific installation directories.

./configure --prefix=/home/rancid --localstatedir=/home/rancid/var/rancid
make install

Since the previous commands were issued by the root user, we need to change ownership of /home/rancid back to the rancid user.

chown -R rancid:rancid /home/rancid

Rancid Configuration

Edit /home/rancid/etc/rancid.conf and look for the following line (which is probably commented out):

LIST_OF_GROUPS=""

There will probably be text between the quotes, which you will delete. The group names you provide will be your CVS groups, and will translate into folders when viewing the repository with CVSweb. In my case I chose to create a group for each building I manage. Once everything is running, each building’s folder will contain the network devices in that building as well as their configuration files. Below is an example of a list of groups. Each group name is separated from the previous one with a space.

LIST_OF_GROUPS="Philadelphia Boston Miami Burbank"

Edit the /home/rancid/.cloginrc file. This contains the login information for your switches. If you use AAA/RADIUS to authenticate users that manage network equipment, your job is easy. All you have to do is provide a username and password for every device like so:

add user * {ranciduser}
add password * {ranciduserpassword}
add autoenable * 1

The first two lines are self-explanatory. The asterisk is a wild card meaning all or every device. The last line tells Rancid that the authentication information provided automatically drops the user into enable mode.

Since the cloginrc file contains passwords, you want to change its permissions to ensure only the rancid user can access this file.

chmod 600 .cloginrc
chown rancid:rancid .cloginrc
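
To confirm the result, here is an added example that is not part of the original post or of Rancid: it checks that a credentials file is a regular file with no group/other permission bits, is owned by the expected user, and sits in a directory that other users cannot write to. It assumes GNU stat; the function name check_cred_file is made up for this example.

```bash
#!/bin/sh
# Added example (not part of Rancid): audit a credentials file such as
# /home/rancid/.cloginrc. Uses GNU stat, as shipped with Ubuntu.

# check_cred_file PATH OWNER
# Prints one FAIL line per finding; returns 1 if anything was found.
check_cred_file() {
    path=$1 want_owner=$2 rc=0
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is a symlink or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$path")     # octal permission bits, e.g. 600
    owner=$(stat -c '%U' "$path")    # owning user name
    dir=$(dirname "$path")
    dmode=$(stat -c '%a' "$dir")

    # Any group/other bit on the file exposes the stored device passwords.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $path is mode $mode; group/other must have no access"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $path is owned by $owner, expected $want_owner"
        rc=1
    fi
    # A group/world-writable parent lets another user swap the file out.
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "FAIL: $dir is mode $dmode; group/other must not have write"
        rc=1
    fi
    return $rc
}

# Usage: sh check_cloginrc.sh /home/rancid/.cloginrc rancid
if [ $# -eq 2 ]; then
    check_cred_file "$1" "$2"
fi
```

A non-zero exit status makes this suitable as a guard in front of rancid-run in a wrapper script.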

Now we run the rancid-cvs command, which will create the CVS groups based on the “LIST_OF_GROUPS” we created earlier. It is important that you run this command as the rancid user.

su - rancid
/home/rancid/bin/rancid-cvs

Next, edit the router.db file for each group. There is a separate router.db file for each group. The groups are located in the /home/rancid/var/rancid directory (each group has its own folder). The router.db files tell Rancid the IP address or hostname of the device, the device manufacturer, and the status of the device. For example:

192.168.1.2:hp:up

If you use a hostname instead of an IP address, be sure the server running Rancid is able to resolve the hostnames. For newer HP Procurve devices, you will set the manufacturer to “hp”. This works for 5400zl and 8200zl models as well as older model stackables (3400, 2524, etc). If you have a switch that was manufactured by Foundry, such as the Procurve 9308, set the manufacturer to “foundry”. Rancid will only process the device if the status is set to “up”. Any other status will cause the device to be skipped.
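
The router.db format described above can be checked before a run. This added example (not from the original post or the Rancid distribution) reports which entries would be polled, which would be skipped, and which lines are malformed, and can optionally confirm that polled hostnames resolve. The sample entries are constructed, the function names are hypothetical, and treating the status case-insensitively and rejecting stray whitespace are assumptions of the example.

```bash
#!/bin/sh
# Added example, not part of Rancid: lint a colon-separated router.db.

# Constructed sample entries; the hostname is a placeholder.
sample_router_db() {
    printf '%s\n' '# Philadelphia building' \
        '192.168.1.2:hp:up' \
        'core-9308.example.net:foundry:up' \
        '192.168.1.3:hp:down' \
        '192.168.1.4:hp' \
        '192.168.1.5:hp:up '
}

# lint_router_db FILE [resolve]
# Prints POLL, SKIP or BAD for each entry. Returns 1 if any line is BAD or,
# with "resolve", if a polled host does not resolve on this server.
lint_router_db() {
    report=$(awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment or blank line
        # Exactly three non-empty fields; stray whitespace or a CR would
        # silently change the status field, so this example rejects it.
        NF != 3 || $1 == "" || $2 == "" || $3 == "" || $0 ~ /[ \t\r]/ {
            printf "BAD line %d: %s\n", NR, $0; next
        }
        # Status compared case-insensitively (an assumption of this example).
        tolower($3) == "up" { printf "POLL %s %s\n", $1, $2; next }
        { printf "SKIP %s status=%s\n", $1, $3 }
    ' "$1")
    printf '%s\n' "$report"
    rc=0
    printf '%s\n' "$report" | grep -q '^BAD ' && rc=1
    if [ "${2:-}" = resolve ]; then
        for host in $(printf '%s\n' "$report" | awk '$1 == "POLL" { print $2 }')
        do
            getent ahosts "$host" >/dev/null || { echo "UNRESOLVED $host"; rc=1; }
        done
    fi
    return $rc
}

# Usage: sh lint_router_db.sh /home/rancid/var/rancid/Philadelphia/router.db resolve
if [ $# -ge 1 ]; then
    lint_router_db "$@"
fi
```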

Edit hrancid File

The newer Procurve models no longer support the “show system-information” command; it has been changed to “show system”. Luckily this command is specific enough that when it is issued on older switches that still use “show system-information”, it translates properly. In order to support the newer switches, we need to edit the “hrancid” file located in /home/rancid/bin. Once you have the file open, look for the following block of code:

@commandtable = (
{'show version'                 => 'ShowVersion'},
{'show flash'                   => 'ShowFlash'},
{'show system-information'      => 'ShowSystem'},
{'show system information'      => 'ShowSystem'},
{'show module'                  => 'ShowModule'},
{'show stack'                   => 'ShowStack'},
{'write term'                   => 'WriteTerm'}
);

You need to change “show system-information” to “show system”. The “show system information” line does not need to be modified.

Run Rancid

Now we will run Rancid for the first time. Again, we are going to need to do this as the rancid user. Be patient, as this command can take some time to complete if you have a large number of devices.

su - rancid
/home/rancid/bin/rancid-run

Install & Configure CVSweb

CVSweb will provide a web interface where you can view the configuration files for your network devices in addition to performing diffs on the files to see what has changed. Installing CVSweb is simple.

apt-get install cvsweb

After the installation is complete, edit the /etc/cvsweb/cvsweb.conf file to point CVSweb to your Rancid CVS repository.

@CVSrepositories = (
#'local' => ['Local Repository', '/var/lib/cvs'],
'MNSD' => ['MNSD Devices', '/home/rancid/var/rancid/CVS'],
);

I usually comment out the “local” line with a pound sign, just to make navigation a bit easier (since in my case the local repository is not used).

Create a link in the www directory that points to the location of the CVSweb icons.

ln -s /usr/share/cvsweb /var/www/cvsweb

You can now access your repository using the following URL: http://YOUR_SERVER/cgi-bin/cvsweb

Rancid Automation

Now that everything is working properly, we want to make sure Rancid runs automatically every so often. We will do this by editing the /etc/crontab file and adding the following lines.

0 0,12 * * *    rancid    /home/rancid/bin/rancid-run
50 23 * * *    rancid    /usr/bin/find /home/rancid/var/rancid/logs -type f -mtime +2 -exec rm {} \;

The first line runs Rancid at 12:00 PM and 12:00 AM. Choose your intervals carefully, because the number of devices you are running Rancid against and the size of the config on each device will increase the run time. The second line periodically deletes Rancid log files that are more than two days old.

There you have it! You should now have a working version of Rancid!

Categories: HP Procurve, Network Tools Tags:

Solarwinds Orion: Custom Links

October 7th, 2009 2 comments

At work we recently converted from a network monitoring package that was provided by our switching vendor, to Orion Network Performance Monitor from Solarwinds. Shortly after installing and configuring Orion, I configured a Linux server running Rancid for configuration management. In my eyes, both Orion and Rancid fall under the network monitoring/management category, so I wanted to make accessing both as easy as possible.

Orion allows you to create and add custom links to your menu bars, but adding a typical link is a bit “clunky” since the link either takes the user away from the Orion page or opens in a new window. The steps below describe how to create a custom link that will retain the Orion header and menu bar at the top of the page. This has made navigating between the two much easier and has eliminated the need for me to have both Orion and Rancid open in separate browser tabs.

Creating a Custom Link

First, make sure you log into Orion with credentials that have administrator access. After you do that, click the “Admin” link that appears in the Orion menu bar.

On the admin page, click the “Customize Menu Bars” link under the Customize section.

On the “Customize Menu Bars” page, I chose to edit the admin menu bar by clicking the “Edit” button under the menu bar. If you want different groups of users to see this link, you may have to edit different or multiple menu bars.

On the edit menu bar page, click the “Add” button that appears towards the bottom of the page.

This will open the dialog box shown below.

Fill in the name and description fields as you see fit. Next, uncheck the “Open in a New Window” option box. In the URL field type the following:

http://YOUR_SERVER/Orion/External.aspx?Title=Rancid&URL=

After the “URL=” argument, type the URL of the web page you wish the link to display. When you are finished, click the “OK” button.

Back on the edit menu bar page, you will notice your new link in the “Available Items” list. Click and drag the link from this list to the “Selected Items” list.

When finished, click the “Submit” button and enjoy the fruits of your 30 seconds of labor!

This is a very simple process, but it came in handy for me and makes day to day management a bit easier.

Categories: Network Tools Tags:

Tools for the Daily Grind

October 2nd, 2009 No comments

There are many tools that can make the life of a network administrator easier. The following is a list of programs that I use on a daily basis to make management of the network easier. As a bonus, all of these programs are available free of charge.

A few of these tools I use mainly for organization, as I am anal retentive about being organized and making commonly used information easily accessible. You may find some of these tools more or less useful depending on your habits.

KeePass - This is a great tool to organize and securely store password information. It has multiple methods of authentication, including password and key based. KeePass allows you to create groups as well as nested groups to easily organize information. The entire database is also searchable to further make accessing information easier. The included password generator can help you come up with passwords other than the usual P@$$word!

Wireshark - Wireshark is a popular traffic capture program. A traffic capture program comes in handy when issues arise and you need to see communication information between hosts. It has helped me countless times when troubleshooting port authentication issues. Wireshark has a plethora of other features that can aid in finding the cause of any issues.

Tftpd32 - You’re going to need a TFTP server at some point in your career. It may be to upload a new software image, back up a config, or some other reason. Tftpd32 takes your run-of-the-mill TFTP server and adds a few more features, including a TFTP client, DHCP server, and Syslog server. Even with these features, the program remains light and quick.

Network Stumbler - If you’re using the bars displayed in the Windows wireless connection manager to determine wireless signal strength, you’re not getting an accurate picture. NetStumbler will give you a real-time graph of the signal-to-noise ratio. It will also provide various other pieces of information about the wireless networks it discovers.

PuTTY Connection Manager - PuTTY has been my personal choice for managing network devices from the terminal (Console, Telnet, etc). PuTTY CM is a separate piece of software that uses PuTTY for connections to devices. The biggest advantage of PuTTY CM, for me, is the ability to build a database of Telnet/SSH configurations to network devices. This allows me to quickly connect to a device and automate various tasks at login.

Categories: Network Tools Tags:

Cell Phone Tethering

July 4th, 2009 No comments

I use many different tools to monitor, diagnose, and test my network on a daily basis. One tool that is often overlooked is a cell phone. Cell phones have enjoyed an explosive growth in popularity over the years. PDAs in particular have bridged a major gap, going from a device for business people to a device for the everyday consumer. With the popularity of PDAs comes the likelihood that most, if not all, of these phones have a data plan associated with them.

When making changes to any network it is often important to test all services from inside and outside the network. With tightening budgets, you can consider yourself lucky if your employer springs for an Internet connection strictly for testing. That’s ok, since you can use that fancy phone that’s attached to your hip for testing.

At work we recently changed Internet service providers. Along with this change came changes to our address space, DNS zones, firewall policies and more. It was important for me to test connectivity to our external facing services after the migration, particularly since I was taking this opportunity to apply hardened policies to our firewall. Once the migration was complete, I was able to use my cell phone to check the status of our DNS zone propagation as well as to test how well my firewall policies were working (sometimes they work too well).

Tethering your cell phone to your computer can be a tricky subject. Many carriers charge an extra monthly fee for tethering for one reason or another. There are ways to tether your cell phone to your computer without the need for an additional tethering plan. I caution you in following any of these processes. There is the likelihood that if you abuse the “free” tethering your cell phone provider can find out and you may be stuck with a fat bill.

Moderation is the key here. In my opinion you should only use the free tethering process minimally, such as when you need to do testing. These processes should not be used if you plan to tether regularly, or use your phone as you would a data card.

Below are some links to tutorials on how to set up various cell phones for tethering. Remember: use them wisely and at your own risk.

Categories: Network Tools Tags: