How to use Nmap for Port Scanning in Linux

Here are several ways to do port scanning and find out which ports and services are currently open on a remote host.

Determining the open ports on a remote host lets you check which services and known applications are currently running there. Even when you do not manage that particular remote host, this confirms whether a specific application service is properly listening on specific ports of a given IP address or host name. It comes in handy whenever you need to verify the services running on a host's ports.

Linux Port Scanning
——————-

This blog entry does not intend to discuss any misuse or abuse of a powerful Linux command line tool like nmap. It is here to explain basic nmap usage and to serve as a basic nmap reference.

Take, for example, a client who is allowed to send and receive mail from his box. All the changes have been made on your server and still the client cannot receive email. A further phone conversation with the client tells you that everything was working fine recently and then suddenly he could neither send nor receive email. You can verify that the destination host is up, but you are not at the client's site. This blog entry is another step toward expanding your troubleshooting arm, so you can confirm the state of ports on a remote host without having full access to it.

One way to approach this issue is to use one of the Linux port scanning packages, nmap.
The nmap man page says:

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Here’s how to verify if a port is open from remote host using NMap.

Port Scanning with Nmap

# nmap remote-IP-address
# nmap -P0 123.123.123.123

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time.

Ports are classified as unfiltered when they are responsive to Nmap’s probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

To run OS and version detection with nmap:

# nmap -A 123.123.123.123

To run a UDP scan against the remote host:

# nmap -sU 123.123.123.123

To scan a specific port with nmap:

# nmap -v -p port_number 123.123.123.123

To probe open ports for the service and version behind them:

# nmap -sV 123.123.123.123

Ping scanning can also be done with nmap:

# nmap -sP 123.123.123.123

Sometimes you wish to scan a whole network of adjacent hosts. Nmap supports CIDR-style addressing and octet ranges, and several targets can be given on one command line, separated by spaces:

# nmap -v -P0 123.123.123.123 111.222.111.222-230
# nmap -v -P0 192.168.0.0/24 192.168.1.0/27

To exclude a particular IP address from the command line when scanning a group of hosts:

# nmap -v -P0 123.123.123.123 111.222.111.222-230 --exclude 111.222.111.228

To exclude multiple hosts listed in a text file (one per line):

# nmap -v -P0 123.123.123.123 111.222.111.222-230 --excludefile textfile.txt

When port scanning a large number of hosts with nmap, a delay between probes (in seconds) can also be specified:

# nmap -v -P0 123.123.123-254.123-254 --scan-delay 5

Nmap can also read its target list from a text file, one target per line:

# nmap -v -iL ip-address-text.txt

Nmap also supports resuming an aborted scan from the normal (-oN) or grepable (-oG) output file of the interrupted run. No targets are given on the command line, since they are read from that file:

# nmap -v --resume nmap-output.txt

Nmap also supports MAC address spoofing when probing a remote host. This is specified with the argument below:

# nmap -v -P0 123.123.123.123 --spoof-mac 00:03:47:31:55:69

All the nmap commands shown above scan IP addresses. Since nmap resolves names through DNS, you can also specify a host name or domain name as the target:

# nmap -v -P0 my.domain.com

Timing templates can also be specified. The slower templates are intended for target hosts protected by an IDS, and results take much longer to appear with them. For such a long scan, you may prefer to set the exact timing values you need rather than rely on the canned -T0 and -T1 values. The available templates are:

-T0 = Paranoid
-T1 = Sneaky
-T2 = Polite
-T3 = Normal
-T4 = Aggressive
-T5 = Insane

# nmap -P0 -T1 123.123.123.123

The source port of the probes can also be set, so that the scan appears to come from a chosen port on the source host. This is specified as shown below:

# nmap -p 110 123.123.123.123 --source-port 110

The open-port results for multiple target hosts can also be redirected to a file with ordinary Linux shell I/O redirection. This is useful when you are monitoring host ports and gathering open-port statistics over the long term.
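As an added example (not code from the original post), the script below parses nmap's grepable output (-oG) into one line per open port, the form you would append to a file for long-term monitoring. The scan records inside it are constructed for the demo, and the -Pn in the live-use comment is the current spelling of the -P0 option used above.

```shell
#!/bin/sh
# Added example, not code from the original post: parse nmap's grepable output
# (-oG) into one "host port/proto service" line per open port, so that repeated
# scans can be appended to a file and compared over time as described above.
# The scan records below are constructed for the demo, not captured from a real host.
set -eu

# sample_host_line HOST PORTS: one constructed -oG "Host:" record. Real -oG
# records separate the Host, Ports and Ignored State fields with tabs.
sample_host_line() {
  printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (990)\n' "$1" "$2"
}

# sample_scan: a constructed -oG file for two hosts in the TEST-NET-1 range.
sample_scan() {
  echo '# Nmap scan initiated as: nmap -Pn -oG - 192.0.2.0/30'
  sample_host_line 192.0.2.1 '22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 110/open/tcp//pop3///'
  sample_host_line 192.0.2.2 '80/open/tcp//http///, 443/open/tcp//https///'
  echo '# Nmap done -- 4 IP addresses (2 hosts up) scanned'
}

# open_ports [HOST]: read -oG text on stdin and print "host port/proto service"
# for every port whose state is exactly "open"; filtered and open|filtered
# ports are skipped. With no HOST argument, all hosts are reported.
open_ports() {
  awk -v want="${1:-}" '
    /^Host:/ && /Ports:/ {
      host = $2
      if (want != "" && host != want) next
      line = $0
      sub(/.*Ports: /, "", line)     # keep only the port list
      sub(/\t.*/, "", line)          # drop the trailing Ignored State field
      n = split(line, entries, ", ")
      for (i = 1; i <= n; i++) {
        # each entry is port/state/proto/owner/service/rpcinfo/version/
        split(entries[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
      }
    }'
}

# sample_open_count [HOST]: number of open ports in the sample for HOST (or all hosts).
sample_open_count() {
  sample_scan | open_ports "${1:-}" | wc -l | tr -d ' '
}

# Live use (not run here): nmap -Pn -oG - 192.0.2.0/30 | open_ports >> open-ports.log
sample_scan | open_ports
```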

Nmap works by sending a series of TCP and UDP packets to the target host and examining the responses that come back. How those responses are classified depends on the arguments chosen by the person doing the port scanning.

Each version of nmap ships with its own port and service database file, so it is highly advisable to keep your nmap version current. Upgrading the nmap package is easy:

# yum -y update nmap

For the list of well-known service ports defined on a Linux system, see /etc/services.

nmap offers many more arguments than shown here, depending on what you need from it. I find it quite handy, as it does the job very well whenever I need it. Use nmap with good intentions for Linux port scanning, and be careful when scanning target hosts, as your scans may leave a mark in their logs too!

How to use Gmail with your Domain Name


Go to http://www.google.com/a/cpanel/domain/new

Gmail offers free email hosting with your domain name through google apps. Learn how to have yourname@yourdomain.com as your email address without paying additional email hosting fees.

Difficulty: Moderate
Instructions

Things You'll Need:

  • A domain name
  • Google Apps account
  • Your log in information for your domain registrant
  1. Step 1: Sign up for Google Apps

    First, click the gmail app link (see link in resource section below). Select administrator and enter your domain name.

  2. Step 2: Enter info

    Enter your personal information as requested, and any organization info you may have.

  3. Step 3: Create admin account

    You will then be taken to a screen where you set up the first mailbox, for your administrator, e.g. admin@yourdomain.com. Enter your preferred user name and password.

  4. Step 4: Domain dashboard

    After creating the admin account, you are taken to your domain dashboard. This is the main control panel where the administrator can add new users, e.g. user1@yourdomain.com, user2@yourdomain.com. You can add more users now, but before anyone can use their new email, you must verify ownership of your domain name, and update your MX records.

  5. Step 5: Verify domain

    There are a couple of methods for verifying your domain. If you click on "verify domain" you will see two options: add a CNAME record or upload an HTML file. There is also a third option that is not listed: updating your MX records. Since we need to update the MX records anyway, this is the method we will use.

  6. Step 6: Update MX records

    To make the necessary DNS changes, log in to your domain registrar account. For example, if you registered your domain with GoDaddy, log in to your account at godaddy.com. Select the option to manage your domain name and then go to the DNS management option. If any MX records are listed for your domain, remove them and add the ones provided by Gmail, as listed here:

    MX server address          Priority
    ASPMX.L.GOOGLE.COM.        10
    ALT1.ASPMX.L.GOOGLE.COM.   20
    ALT2.ASPMX.L.GOOGLE.COM.   20
    ASPMX2.GOOGLEMAIL.COM.     30
    ASPMX3.GOOGLEMAIL.COM.     30
    ASPMX4.GOOGLEMAIL.COM.     30
    ASPMX5.GOOGLEMAIL.COM.     30

  7. Step 7: Your new inbox

    It can take up to 48 hours for DNS changes to propagate, so be patient. Once your changes have propagated and been verified, the email section of your dashboard will say active rather than pending. When your email is active, you are ready to send and receive email with your own domain name.


EtherChannel Between Catalyst 3550/3560/3750 Series Switches and Catalyst Switches Running Cisco IOS System Software Configuration Example

Contents

Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Theory
Important Notes
Configure
Network Diagram
Configurations
Verify
Catalyst 3550
Catalyst 6500/6000
Troubleshoot
Err-Disable State
“speed nonegotiate” Command Does not Appear in the Running Configuration
Related Information


Introduction

This document provides a sample configuration for how to set up an EtherChannel between a Catalyst 3550 and a Catalyst 6500/6000 running Cisco IOS® System Software. EtherChannel can be called Fast EtherChannel or Gigabit EtherChannel, depending upon the speed of interfaces or ports used to form the EtherChannel.

Note: The EtherChannel commands applied to the Catalyst 3550 switch in this document can also be applied to Catalyst 3750 series switches.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Catalyst 3550 switch running Cisco IOS® Software Release 12.1(14)EA
  • Catalyst 6500/6000 switch running Cisco IOS® Software Release 12.1(13)E1

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Background Theory

In this document, two Gigabit Ethernet interfaces on a Catalyst 3550 switch — the GigabitEthernet interface on the 3500 is a 10/100/1000 negotiated Ethernet interface — have been bundled into a Fast EtherChannel with two Fast Ethernet interfaces from a Catalyst 6500/6000 switch running Cisco IOS System Software to form a Layer 2 (L2) EtherChannel.

Note: In this document, Fast EtherChannel, Gigabit EtherChannel, port channel, and channel group all refer to EtherChannel.

The Catalyst switch configuration in this document applies to any Catalyst 6500/6000 or Catalyst 4500/4000 series switch running Cisco IOS System Software.

This document shows configuration files for the switches only, as well as output from the related sample show commands. For details on how to configure an EtherChannel, refer to these documents:

Important Notes

EtherChannel can be configured manually with the appropriate commands. You can also configure the EtherChannel automatically with Port Aggregation Protocol (PAgP) in order to have the switch negotiate the channel with the other side. For details on PAgP, refer to these documents:

The configurations in this document are implemented with use of the desirable mode. If you plan to configure the EtherChannel manually, use the steps provided in order to create a port channel. This avoids problems with Spanning Tree Protocol (STP) during the configuration process. STP can shut down some ports, with a port status of error-disabled [errdisable], if one side is configured as a channel before the other side can be configured as a channel.

Perform these steps in order to create a port channel:

  1. Leave the interfaces to be used in port channeling as administratively shutdown.
  2. Create the port channel (channel group) on the Catalyst 6500/6000 switch.

    Ensure that you set the channel mode to on, for example, channel-group 1 mode on.

  3. Create port channels on the Catalyst 3550, 3560 or 3750 switch.

    Ensure that you set the channel mode to on.

  4. Reenable the interfaces that were disabled earlier on the Catalyst 6500/6000 switch with the no shut command.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only) .

Network Diagram

This document uses the network setup shown in this diagram:

[Network diagram: image 89-a.gif]

Note: The Gigabit Ethernet interface on the Catalyst 3550 is a 10/100/1000 Mbps negotiated Ethernet interface. The Gigabit port on the Catalyst 3550 can also be connected to a FastEthernet (100 Mbps) port on a Catalyst 6500/6000.

Note: The Catalyst 3750 series switches support cross-stack EtherChannel, which allows interfaces from different stack switches to be members of the same EtherChannel group. For more information on EtherChannel in a stacked switch environment, refer to the EtherChannel and Switch Stacks section of the Configuring EtherChannels documentation for Catalyst 3750 series switches.

Configurations

This document uses these configurations:

Configuring EtherChannel.

Catalyst 3550

Building configuration...
Current configuration : 1610 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cat3550
!
enable password ww
!
ip subnet-zero
no ip finger
!
!
!
!
!--- A logical port-channel interface is automatically created
!--- when ports are grouped into a channel group.

interface Port-channel 1


!--- In this example, the L2 EtherChannel is configured.
!--- A Layer 3 (L3) EtherChannel can also be configured on the Catalyst 3550 switches.
!--- For more information, refer to the document

switchport mode access
no ip address
snmp trap link-status
!

!--- Note: The Gigabit Ethernet interface on the Catalyst 3550 is a
!--- 10/100/1000 Mbps negotiated Ethernet interface. The Gigabit port on the Catalyst 3550 is
!--- connected to a FastEthernet (100 Mbps) port on the Catalyst 6500/6000.

!--- The port is a member of channel group 1.

interface GigabitEthernet0/1
switchport mode access
no ip address
snmp trap link-status
channel-group 1 mode desirable
!


!--- The port is a member of channel group 1.

interface GigabitEthernet0/2
switchport mode access
no ip address
snmp trap link-status
channel-group 1 mode desirable
!
interface GigabitEthernet0/3
switchport mode access
no ip address
snmp trap link-status
!


!--- Output suppressed.

interface GigabitEthernet0/12
switchport mode access
no ip address
snmp trap link-status


!--- Interface VLAN1 is required for management purposes.

interface Vlan1
ip address 10.1.1.1 255.255.255.0
!
ip classless
ip http server
!
!
line con 0
transport input none
line vty 5 15
!
end

Catalyst 6500/6000

Building configuration...

Current configuration : 5869 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cat6500
!
boot buffersize 126968
boot bootldr bootflash:c6msfc-boot-mz.121-4.E1
enable password ww
!
redundancy
main-cpu
auto-sync standard
ip subnet-zero
!
!
no ip finger
!
!
!
!


!--- A logical port-channel interface is automatically created
!--- when ports are grouped into a channel group.

interface Port-channel 1
no ip address
switchport
switchport mode access
!
interface GigabitEthernet1/1
no ip address
shutdown
!
interface GigabitEthernet1/2
no ip address
shutdown
!

!--- Note: The Gigabit Ethernet interface on the Catalyst 3550 is a
!--- 10/100/1000 Mbps negotiated Ethernet interface. The Gigabit port on the Catalyst 3550 is
!--- connected to a FastEthernet (100 Mbps) port on the Catalyst 6500/6000.

interface FastEthernet3/1
no ip address


!--- In this example, the L2 EtherChannel is configured.
!--- An L3 EtherChannel can also be configured on the Catalyst 6500/6000 running
!--- Cisco IOS System Software. For more details, refer to the document
!--- Configuring EtherChannel.

!--- On a Catalyst 6500/6000, you must issue the switchport
!--- command once, without any keywords, in order to configure the interface as an L2 port.
!--- By default, all the ports are router ports (L3 ports).
!--- On a Catalyst 4500/4000 switch, all ports are L2 ports by default;
!--- no additional command is required.

switchport

!--- This command puts the interface in VLAN1, by default.

switchport mode access

!--- The port is a member of channel group 1.

channel-group 1 mode desirable
!
interface FastEthernet3/2
no ip address

!--- On a Catalyst 6500/6000, you must issue the switchport
!--- command once, without any keywords, in order to configure the interface as an L2 port.
!--- By default, all the ports are router ports (L3 ports).
!--- On a Catalyst 4500/4000 switch, all ports are L2 ports by default;
!--- no additional command is required.

switchport

!--- This command puts the interface in VLAN1, by default.

switchport mode access

!--- The port is a member of channel group 1.

channel-group 1 mode desirable
!
interface FastEthernet3/3
no ip address
switchport
switchport mode access
!


!--- Output suppressed.

!
interface FastEthernet3/48
no ip address
switchport
switchport mode access
!


!--- Interface VLAN1 is required for management purposes.

interface Vlan1
ip address 10.1.1.2 255.255.255.0
!
ip classless
no ip http server
!
!
!
line con 0
transport input none
line vty 0 4
!
end

Note: This configuration example shows an EtherChannel configuration with access links. The same configuration applies to EtherChannel trunk links. Issue the switchport mode trunk command, or allow the switches to negotiate the mode with the dynamic desirable mode. For more information on how to configure trunking, refer to the Configuring VLAN Trunks section of the document Configuring VLANs.

Verify

Certain show commands are supported by the Output Interpreter Tool (registered customers only) , which allows you to view an analysis of show command output.

In order to verify the port channel in Catalyst 6500/6000 and Catalyst 3500 switches running Cisco IOS System Software, issue these commands:

  • show interfaces port-channel channel-group-number
  • show etherchannel channel-group-number summary

In order to check the STP status in Catalyst 6500/6000 and Catalyst 3500 switches running Cisco IOS System Software, issue this command:

  • show spanning-tree vlan vlan-number detail

Catalyst 3550

Cat3550# show interface port-channel 1
Port-channel1 is up, line protocol is up
Hardware is EtherChannel, address is 0002.4b28.db02 (bia 0002.4b28.db02)
MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
Members in this channel: Gi0/1 Gi0/2
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:03:27, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
26 packets input, 5344 bytes, 0 no buffer
Received 17 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
59 packets output, 5050 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Cat3550# show spanning-tree vlan 1 detail

VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0002.4b28.db01
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 1 last change occurred 00:00:38 ago
from Port-channel1
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 0

Port 65 (Port-channel1) of VLAN1 is forwarding
Port path cost 12, Port priority 128, Port Identifier 128.65.
Designated root has priority 32768, address 0002.4b28.db01
Designated bridge has priority 32768, address 0002.4b28.db01
Designated port id is 128.65, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 34, received 0

Cat3550# show etherchannel 1 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
U - port-channel in use
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Gi0/1(P) Gi0/2(P)

Cat3550# ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Catalyst 6500/6000

Cat6500# show interface port-channel 1
Port-channel1 is up, line protocol is up
Hardware is EtherChannel, address is 0002.7ef1.36e1 (bia 0002.7ef1.36e1)
MTU 1500 bytes, BW 200000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Full-duplex, 100Mb/s
Members in this channel: Fa3/1 Fa3/2

ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/2000, 0 drops
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
407 packets input, 34994 bytes, 0 no buffer
Received 311 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
93 packets output, 16598 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

Cat6500# show spanning-tree vlan 1 detail

VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 00d0.024f.6001
Configured hello time 2, max age 20, forward delay 15
Current root has priority 32768, address 0002.4b28.db01
Root port is 833 (Port-channel1), cost of root path is 12
Topology change flag not set, detected flag not set
Number of topology changes 0 last change occurred 00:02:13 ago
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300

Port 833 (Port-channel1) of VLAN1 is forwarding
Port path cost 12, Port priority 128, Port Identifier 131.65.
Designated root has priority 32768, address 0002.4b28.db01
Designated bridge has priority 32768, address 0002.4b28.db01
Designated port id is 128.65, designated path cost 0
Timers: message age 1, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 0, received 66

Cat6500# show etherchannel 1 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
R - Layer3 S - Layer2
Group Port-channel Ports
-----+------------+-----------------------------------------------------------
1 Po1(SU) Fa3/1(P) Fa3/2(P)

Cat6500# ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Troubleshoot

Err-Disable State

A common issue during EtherChannel configuration is that the interfaces go into err-disable mode. This can be seen when Etherchannel is switched to the ON mode in one switch, and the other switch is not configured immediately. If left in this state for a minute or so, STP on the switch where EtherChannel is enabled thinks there is a loop. This causes the channeling ports to be put in err-disable state. See this example for more information on how to determine if your EtherChannel interfaces are in the err-disable state:

%SPANTREE-2-CHNL_MISCFG: Detected loop due to etherchannel misconfiguration of Gi0/9
%PM-4-ERR_DISABLE: channel-misconfig error detected on Po10, putting Gi0/9 in err-disable state
%PM-4-ERR_DISABLE: channel-misconfig error detected on Po10, putting Gi0/10 in err-disable state
Switch1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
u - unsuitable for bundling
U - in use f - failed to allocate aggregator
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
10 Po10(SD) - Gi0/9(D) Gi0/10(D)

Switch1#show interfaces GigabitEthernet 0/9 status

Port Name Status Vlan Duplex Speed Type
Gi0/9 err-disabled 1 auto auto 10/100/1000BaseTX

Switch1#show interfaces GigabitEthernet 0/10 status

Port Name Status Vlan Duplex Speed Type
Gi0/10 err-disabled 1 auto auto 10/100/1000BaseTX

The error message states that the EtherChannel encountered a spanning tree loop. To resolve the issue, set the channel mode to desirable on both sides of the connection, and then re-enable the interfaces:

Switch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#interface gi0/9
Switch1(config-if)#channel-group 10 mode desirable

This causes each side to form a channel only if they both agree to channel. If they do not agree to channel, they continue to function as normal ports.

After the channel mode is set to desirable on both sides of the connection, issue the shutdown and no shutdown commands on the associated interface to manually re-enable the ports:

Switch1(config-if)#shutdown
Switch1(config-if)#no shutdown

“speed nonegotiate” Command Does not Appear in the Running Configuration

The speed nonegotiate command configured on a port channel does not always appear in the running configuration. This is because the nonegotiate setting of a port-channel interface depends on the setting of the bundled physical ports: it is inserted only once the port channel is active, based on the configuration of the individual member ports.


How to convert / migrate image based vm (guest / dom-U) to LVM based vm (virtual machine)-(Guest / dom-U) using xen.

Hi all. In this article we will learn how to install a virtual machine on a sparse file (image file) and how to migrate / move it to LVM based storage. It is recommended to use an LVM based partition for virtual machines in a production environment, as you may experience performance issues if you use images (sparse files) as virtual machine disks.

How to install virtual machine on image based disk ...

I will presume that you have a server running xend. In my case I am using CentOS 5.4 and xend 3.0.3. Once your Xen dom-0 server is ready, we need to install a dom-U on it. First we will install the dom-U using a sparse (image) file; please follow the steps listed below.
  1. Create sparse file using command
    #dd if=/dev/zero of=/home/xenvm01.img bs=1M count=1 seek=4096
    I am assuming that you have enough disk space in the /home partition and want to install the virtual machine under it; use whichever partition suits you. After this command completes successfully, you will see an image file xenvm01.img.
  2. Now we need to install the virtual machine using this image file as its disk. Use
    #virt-install -p --name=xenvm01 --location=http://10.10.10.1/centos53/ --bridge=xenbr0 --ram=512 --file=/home/xenvm01.img -x "ks=http://10.10.10.1/xenvm01.ks?ip=10.10.10.11"
  3. After the installation is complete, you will be able to log in to the newly installed virtual machine.
    The configuration for this Xen guest (dom-U) is stored in the /etc/xen/ directory. My configuration file looks like this:
      name = "xenvm01"
      uuid = "056a8eb9-c5e8-dc42-1f5a-a048d9a58f74"
      maxmem = 512
      memory = 512
      vcpus = 1
      bootloader = "/usr/bin/pygrub"
      on_poweroff = "destroy"
      on_reboot = "restart"
      on_crash = "restart"
      vfb = [ ]
      disk = [ "tap:aio:/home/xenvm01.img,xvda,w" ]
      vif = [ "mac=00:16:3e:1f:c3:a4,bridge=xenbr0" ]
  4. How to convert / migrate an image based Xen virtual machine (guest) to an LVM based guest

  5. To achieve this we need a volume group with free space not allocated to any logical volume. On my test system I have a volume group called "xenimg01" which has free space.
      [root@localhost ~]#vgdisplay
      --- Volume group ---
      VG Name xenimg01
      System ID
      Format lvm2
      Metadata Areas 1
      Metadata Sequence No 2
      VG Access read/write
      VG Status resizable
      MAX LV 0
      Cur LV 1
      Open LV 1
      Max PV 0
      Cur PV 1
      Act PV 1
      VG Size 50.00 GB
      PE Size 4.00 MB
      Total PE 12799
      Alloc PE / Size 3328 / 13.00 GB
      Free PE / Size 9471 / 37.00 GB
      VG UUID 5IZDY3-Vs4o-Zs26-p7sx-CaRk-8kdi-eX9fZC
    You can see from the above output that it has approximately 37 GB free. If you remember, in the previous section we created an image disk of 4 GB (4096 MB) to install the guest OS. To convert that image based guest to an LVM based disk we need a logical volume of exactly the same size, i.e. 4 GB (4096 MB). Let's create the logical volume now.
  6. [root@localhost ~]#lvcreate -L4096M -n lvmxen01 xenimg01
    Logical volume "lvmxen01" created

    We don't need to format this logical volume. We will use it as raw disk to migrate / convert dom-u (guest) OS to it.
  7. Shut down the dom-U we installed earlier.
      [root@localhost ~]#xm shutdown xenvm01
    After the xenvm01 virtual machine is completely down, use the command in the next step to convert it to an LVM based dom-U.
  8. [root@localhost ~]#dd if=/home/xenvm01.img of=/dev/xenimg01/lvmxen01
    This process takes a good amount of time, depending on the resources available on the server. I have usually seen it take about 30 minutes for a 4 GB image.
  9. Once the command listed in above step completes successfully, we need to make a change in configuration file for dom-U. edit /etc/xen/xenvm01 file and change the disk parameter as mentioned below.
      name = "xenvm01"
      uuid = "056a8eb9-c5e8-dc42-1f5a-a048d9a58f74"
      maxmem = 512
      memory = 512
      vcpus = 1
      bootloader = "/usr/bin/pygrub"
      on_poweroff = "destroy"
      on_reboot = "restart"
      on_crash = "restart"
      vfb = [ ]
      disk = [ "phy:/dev/xenimg01/lvmxen01,xvda,w" ]
      vif = [ "mac=00:16:3e:1f:c3:a4,bridge=xenbr0" ]
    As shown, the disk value needs to be changed from disk = [ "tap:aio:/home/xenvm01.img,xvda,w" ] to disk = [ "phy:/dev/xenimg01/lvmxen01,xvda,w" ]
  10. Now start the guest OS with the following command:
    xm create -c xenvm01
    This will start your dom-U guest from the logical volume /dev/xenimg01/lvmxen01.
  11. I hope this article will help lots of other people, as it helped me a lot.
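The conversion steps above as one checked script, added here as an example and not part of the original article; guest name, image path, volume group and LV name are parameters, and the size check before dd assumes blockdev from util-linux is present on the dom-0.

```shell
#!/bin/sh
# Added example, not from the original article: the image-to-LVM conversion
# above as one checked script. Guest name, image path, VG and LV are parameters.
# Assumes xm, lvcreate, blockdev and dd exist on the dom-0, as on the page's host.

# Size of an image file in MiB, rounded up, so the LV is never smaller than the image.
image_size_mib() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1048575) / 1048576 ))
}

# Rewrite the disk= entry of a Xen config from the file-backed tap:aio form to the
# phy: form pointing at the LV. Prints the new config; the input file is not modified.
rewrite_disk_line() {
    cfg="$1"; image="$2"; lvdev="$3"
    sed "s|tap:aio:${image},|phy:${lvdev},|" "$cfg"
}

# Whole procedure: stop the guest, create a matching LV, verify it, copy, reconfigure.
# dd into an LV smaller than the image would silently truncate the guest's
# filesystem, so the LV size is checked before any data is written.
convert_guest() {
    name="$1"; image="$2"; vg="$3"; lv="$4"
    lvdev="/dev/$vg/$lv"

    xm shutdown -w "$name" || return 1           # -w waits until the domain is gone
    lvcreate -L "$(image_size_mib "$image")M" -n "$lv" "$vg" || return 1
    if [ "$(blockdev --getsize64 "$lvdev")" -lt "$(wc -c < "$image")" ]; then
        echo "$lvdev is smaller than $image, refusing to copy" >&2
        return 1
    fi

    dd if="$image" of="$lvdev" bs=4M || return 1
    cp "/etc/xen/$name" "/etc/xen/$name.bak"      # keep the file-backed config
    rewrite_disk_line "/etc/xen/$name.bak" "$image" "$lvdev" > "/etc/xen/$name"
    xm create -c "$name"                          # boot the guest from the LV
}
```

For the guest in this article the call would be convert_guest xenvm01 /home/xenvm01.img xenimg01 lvmxen01, run as root on the dom-0.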

BGP Essentials: Configuring Internal BGP Sessions

Internal BGP (IBGP) sessions (BGP sessions within your autonomous system) are identified by the neighbor’s AS number being identical to your AS number. While the external BGP (EBGP) sessions are usually established between directly-connected routers, IBGP sessions are expected to be configured across the network.

The current best practice is to configure IBGP sessions between the loopback interfaces of the BGP neighbors, ensuring that the TCP session between them (and the BGP adjacency using the TCP session) will not be disrupted after a physical link failure as long as there is an alternate path toward the adjacent router.

To configure IBGP session on a Cisco router, specify the neighbor’s loopback address in all neighbor commands and use the neighbor update-source command to specify the source IP address of the TCP session. Without the neighbor update-source configuration command, the TCP session will use the IP address of the outgoing physical interface and the neighbor will reject the incoming TCP SYN packet as it’s not coming from a recognized BGP neighbor.

The following table shows the configuration commands necessary to configure an IBGP session between loopback interfaces of two routers:

AS 11

interface Loopback 0
ip address 10.0.0.1
!
router bgp 65001
neighbor 10.0.0.2 remote-as 65001

AS 12

interface Loopback 0
ip address 10.0.0.2
!
router bgp 65001
neighbor 10.0.0.1 remote-as 65001
neighbor 10.0.0.1 update-source loopback 0


Inbound Rate Limiting on Cisco Catalyst Switches


If you need to limit the inbound bandwidth of a switch port on a Cisco Catalyst, the key is in the QoS configuration. Rather than going into an in-depth discussion of QoS and how it works, let's skip that (check out Cisco's QoS site for that level of detail) and jump into the configuration details. This particular configuration was done on a Cisco Catalyst 2960.

As I mentioned, the key is QoS. The first thing you need to do is globally enable QoS with the mls qos configuration command. Once this command is enabled, QoS is enabled on all ports with default settings.

Next, we’ll need an access-list to match traffic on. In this example, we are going to police all traffic coming through the switch port, so our access-list will match all IP addresses.

ip access-list extended ACL_SLAP
permit ip any any

A class map is necessary to classify our traffic.

class-map match-all CLASS_SLAP
match access-group name ACL_SLAP

The policy map dictates what we want done to the traffic class previously defined. The police configuration command sets our rate limit, in this example to 8 Mbps with a burst size of 100 KB. The burst size is the trickiest part of this command. If the burst is set too low, your traffic will not be able to approach the maximum allowed throughput due to packet drops.

Because TCP window scaling halves the window size for each dropped packet, it’s important to set the burst size at a level that doesn’t impact performance. The rule of thumb is that the burst size should be double the amount of traffic sent at the maximum rate at a given round-trip time. In this example, I assumed a round-trip time of 50 ms which results in a burst size of 100 KB.

policy-map POLICY_SLAP
class CLASS_SLAP
police 8000000 100000 exceed-action drop

Finally, apply the policy-map to the switch port with the service-policy configuration command.

interface GigabitEthernet0/2
service-policy input POLICY_SLAP

And now you're done. In our example, we configured a switch port to allow inbound traffic at only 8 Mbps. We won't be able to truly max out the 8 Mbps, but we should come close. I've created a full text example that should be ready to copy and paste.

Leave a comment and let me know how it goes for you.


How would you limit the bandwidth on a switch port?


Edit: this configuration doesn’t seem to be that simple, because it’s not working very well on my 3560 now.

Edit #2: It turns out everything works as stated, except for the minor fact that the command slows your interface down.

Go into interface configuration mode, on the port you are making changes on.

switch(config-if)#srr-queue bandwidth ?
limit Configure bandwidth-limit for this interface
shape Configure shaping on transmit queues
share Configure shared bandwidth

This is what the IOS help shows; you can see that there are more options than merely limiting the bandwidth.

switch(config-if)#srr-queue bandwidth limit ?
<10-90> enter bandwidth limit for interface as percentage

The value is a percentage, ranging from 10 to 90. The default is 100.

Therefore, a workaround to limit the switch port's speed to 5 Mbps would be to do the following instead:

switch(config-if)#speed 10

switch(config-if)#srr-queue bandwidth limit 50

*Remember that this will slow your interface down, as it is reduced from a 100 Mbps interface to a 10 Mbps interface.

Cisco Router Configuration Commands (Basic)

Set a console password to cisco
Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password cisco


Set a telnet password
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco


Stop console timing out
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0

Set the enable password to cisco
Router(config)#enable password cisco

Set the enable secret password to peter.
This password overrides the enable password and is encrypted within the config file

Router(config)#enable secret peter

Enable an interface
Router(config-if)#no shutdown

To disable an interface
Router(config-if)#shutdown

Set the clock rate for a router with a DCE cable to 64K
Router(config-if)#clock rate 64000

Set a logical bandwidth assignment of 64K to the serial interface
Router(config-if)#bandwidth 64
Note that the zeroes are not missing

To add an IP address to an interface
Router(config-if)#ip addr 10.1.1.1 255.255.255.0

To enable RIP on all 172.16.x.y interfaces
Router(config)#router rip
Router(config-router)#network 172.16.0.0

Disable RIP
Router(config)#no router rip

To enable IGRP with an AS of 200, on all interfaces
Router(config)#router igrp 200
Router(config-router)#network 172.16.0.0

Disable IGRP
Router(config)#no router igrp 200

Static route: the remote network is 172.16.1.0 with a mask of 255.255.255.0, the next hop is 172.16.2.1, at a cost of 5 hops
Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1 5

Disable CDP for the whole router
Router(config)#no cdp run

Enable CDP for the whole router
Router(config)#cdp run

Disable CDP on an interface
Router(config-if)#no cdp enable

How To Disable Windows Genuine Advantage Notification in 3 Simple Steps



By following these three simple steps you can get rid of the pesky and sometimes buggy Windows Genuine Advantage (WGA) notifications:

Step 1. Reboot Windows in safe mode (hold the F8 key while booting and you will get the option to boot in safe mode) and then:

Step 2. Open Registry Editor (regedit.exe), search for the wgalogon folder and delete it. You should back up the registry beforehand, in case something goes wrong.

Step 3. In your Windows directory search for files named wga* and delete them.

You are done!

Now reboot back normally and continue your work. Windows Genuine Advantage will not bother you anymore.

Warning: Use at your own risk. Backup everything before you do.


Pin CPU core(s) to specific Xen domU (guest)

It is often desirable for a virtual machine to use specific cores out of those available. On a multi-core system, one or more cores can be assigned to each virtual machine to improve performance. By default a virtual machine will use any available core. Assuming a machine with 4 cores and a virtual machine that needs to use two of them, the following entries in the guest's configuration file will present the virtual machine with two virtual CPUs and pin them to the 3rd and 4th physical cores (cores 2 and 3, counting from 0).

cpus = "2,3"
vcpus = 2

A longer range, let's say on an 8-core machine, can be specified as "2-8" for example.
Which physical CPU is used for each VCPU can be seen with the xm vcpu-list command:

# xm vcpu-list node1
Name                              ID VCPUs   CPU State   Time(s) CPU Affinity
node1                              4     0     2   -b-       1.9 2-3
node1                              4     1     3   -b-       2.8 2-3

If there is no cpus definition in the config file, each VCPU will use any of the available physical CPUs. The following guest is configured with 4 VCPUs:

# xm vcpu-list node3
Name                              ID VCPUs   CPU State   Time(s) CPU Affinity
node3                              2     0     3   -b-       2.1 any cpu
node3                              2     1     0   -b-       1.2 any cpu
node3                              2     2     2   -b-       0.9 any cpu
node3                              2     3     1   -b-       2.9 any cpu

However, I noticed that Xen will assign a different CPU to each VCPU at different times, and often the same CPU will be mapped to more than one VCPU:

# xm vcpu-list node2
Name                              ID VCPUs   CPU State   Time(s) CPU Affinity
node2                              8     0     2   -b-       4.1 0-2
node2                              8     1     1   -b-       1.6 0-2
node2                              8     2     1   -b-       1.5 0-2
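A check for the situation just described, added here as an example that is not part of the original post: it parses xm vcpu-list output and reports physical CPUs carrying more than one VCPU of a guest, and VCPUs running outside their affinity set. The embedded sample is the node2 listing above.

```shell
#!/bin/sh
# Added example, not from the original post: check `xm vcpu-list` output for
# two VCPUs of one guest landing on the same physical CPU, and for VCPUs running
# outside their affinity set. The sample below is the node2 listing shown above.
NODE2_SAMPLE=$(cat <<'EOF'
Name                              ID VCPUs   CPU State   Time(s) CPU Affinity
node2                              8     0     2   -b-       4.1 0-2
node2                              8     1     1   -b-       1.6 0-2
node2                              8     2     1   -b-       1.5 0-2
EOF
)

# Read vcpu-list text on stdin; print "CPU <n> shared by <k> VCPUs" for every
# physical CPU (column 4) carrying more than one VCPU. Exit 1 if any is shared.
shared_cpus() {
    awk 'NR > 1 && NF >= 7 { seen[$4]++ }
         END { rc = 0
               for (c in seen) if (seen[c] > 1) {
                   printf "CPU %s shared by %d VCPUs\n", c, seen[c]; rc = 1 }
               exit rc }'
}

# Read vcpu-list text on stdin; print every line whose CPU (column 4) is not in
# its affinity set (column 7: "any", "2-3", "0,2", "0-1,3"). Exit 1 if any is found.
affinity_violations() {
    awk 'function in_set(cpu, set,   n, parts, i, r) {
             if (set == "any") return 1
             n = split(set, parts, ",")
             for (i = 1; i <= n; i++) {
                 if (split(parts[i], r, "-") == 2) {
                     if (cpu >= r[1] + 0 && cpu <= r[2] + 0) return 1
                 } else if (cpu == parts[i] + 0) return 1
             }
             return 0
         }
         NR > 1 && NF >= 7 && !in_set($4 + 0, $7) { print; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Usage: node2 above has VCPUs 1 and 2 both on CPU 1, so this reports the sharing.
printf '%s\n' "$NODE2_SAMPLE" | shared_cpus || echo "node2: VCPU sharing detected"
```

On a live dom-0 the same functions take the real listing: xm vcpu-list node2 | shared_cpus.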


Asterisk + ss7

For the last few days I have been trying to set up Asterisk + SS7 with a Sangoma A102 card on my Ubuntu 8.04 machine. This being my first time with Asterisk, I was a bit skeptical and was wondering whether it would go smoothly. Well, it wasn't really out of the box, but it wasn't tough either. Here I will try to explain step by step what I did, the challenges I faced and the solutions for them.

First of all, keep in mind that the Zaptel module has been renamed to DAHDI. It took me some time to understand this, and I was wondering whether I needed Zaptel or DAHDI. This might be very trivial for people who are into Asterisk, but for someone like me who has just started, especially after reading the 'Asterisk - The Future of Telephony' book where they always talk about Zaptel, it wasn't easy to make out that DAHDI is the latest version of Zaptel. See the announcement here: http://blogs.digium.com/2008/05/19/zaptel-project-being-renamed-to-dahdi/

To have Asterisk + SS7 you need the following modules:

  1. LibSS7
  2. Dahdi
  3. Asterisk

Even before you start installing these modules, there are a few Linux packages that need to be installed on your machine.

#sudo apt-get install build-essential
#sudo apt-get install linux-headers-`uname -r`
#sudo apt-get install libssl-dev
#sudo apt-get install ncurses-dev
#sudo apt-get install libnewt-dev
#sudo apt-get install zlib1g-dev
#sudo apt-get install bison

In addition I also installed the packages listed in the book 'Asterisk - The Future of Telephony'; look at Table 3.1.


LibSS7
Next download the source code for libss7 (this is still not available as a binary). Remember that you need to download the 1.0 branch and *not* trunk. See the forum entry http://archives.free.net.ph/message/20090331.150153.564445b6.en.html

Check out the source code into /usr/src:

svn co http://svn.digium.com/svn/libss7/branches/1.0/

Next call 'make' and then 'sudo make install'. That's it! libss7 is installed.

Dahdi
Check out the dahdi-linux trunk source (there is also dahdi-tools) into /usr/src:

svn co http://svn.digium.com/svn/dahdi/linux/trunk/

I renamed /usr/src/trunk to /usr/src/dahdi-trunk, but it really doesn't matter. Go to this directory and call 'make' and 'sudo make install', and DAHDI is installed.

Dahdi Tools
Check out the dahdi-tools trunk source into /usr/src:

svn co http://svn.digium.com/svn/dahdi/tools/trunk/

Go to this directory and call './configure' and 'make menuselect'. This opens a UI where you can select the modules you want; I just chose 'Save & Exit'. Next call 'make' and 'sudo make install'. This installs the DAHDI tools for you.


Asterisk
Download Asterisk 1.6.0.9 from http://downloads.digium.com/pub/asterisk/asterisk-1.6.0.9.tar.gz into /usr/src. Untar it and go into the extracted directory. Call './configure'; you should see in the console output that libss7 is detected. Call 'make menuselect'; under the 'Channel Drivers' header you should see 'chan_dahdi' selected (* against it), which means libss7 is good. Just choose 'Save & Exit'. Next run 'make' and then 'sudo make install'. If everything goes well, Asterisk is installed!

So far we have only talked about the Asterisk side of the world. For Asterisk to talk to your Sangoma hardware you need to install the wanpipe drivers. I downloaded the beta version from the Sangoma site and am trying it out now. I will blog about the Sangoma experience in the next post!


I also tried chan_ss7 instead of libss7 for SS7 support in Asterisk, but realized chan_ss7 is not compatible with Asterisk 1.6.x.

I found a very good article on this that is worth reading: http://www.cesnet.cz/doc/techzpravy/2006/asterisk-ss7/asterisk-ss7.pdf


Stay tuned!