Juniper equivalent Cisco STP Commands

Almost three years since my last post. I’m aiming to reboot this blog in a new form, probably Ghost or MediaWiki. It will focus on Juniper Networking as that’s my new employer.

In the meantime here’s some basic STP stuff on Juniper switches.

Cisco PortFast = Juniper Edge Port
set protocols xstp interface ge-0/0/0 edge

Cisco BPDU Guard = Juniper BPDU Protect
set ethernet-switching-options bpdu-block interface ge-0/0/0

Cisco BPDU Filter = Juniper Drop xSTP BPDUs
set ethernet-switching-options bpdu-block interface ge-0/0/0 drop

Cisco Loop Guard = Juniper Loop Protection
set protocols xstp interface ge-0/0/0 bpdu-timeout-action block

Cisco Root Guard = Juniper Root Protection
set protocols xstp interface ge-0/0/0 no-root-port

Install phpIPAM 1.0 on Ubuntu Server 13.10

phpIPAM is probably the best open source IP address management tool out there. I think it’s created by just one guy, but it feels like a fully featured commercial product.

Let’s get started with the installation!

Install Ubuntu Server 13.10 amd64
Update system with apt-get update/upgrade

Install the rest of LAMP (Linux, Apache, MySQL, PHP)

sudo apt-get install apache2
sudo apt-get install mysql-server
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install php5-gmp
sudo apt-get install php-pear
sudo apt-get install php5-ldap
sudo apt-get install php5-json
sudo a2enmod rewrite

Set your date.timezone in:

/etc/php5/apache2/php.ini
/etc/php5/cli/php.ini

Enable pcntl in /etc/php5/cli/php.ini by removing the following from disable_functions:

pcntl_fork
pcntl_waitpid
pcntl_wifexited
pcntl_signal
pcntl_wexitstatus

Enable .htaccess for /var/www/phpipam by adding the following to /etc/apache2/sites-enabled/000-default.conf:

<Directory /var/www/phpipam>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>

Restart Apache

Download phpIPAM from http://phpipam.net and untar to /var/www/

Create the mysql database for phpipam:

mysql -u root -p
create database phpipam;
exit

Import the database SCHEMA.sql file:

mysql -u root -p phpipam < /var/www/phpipam/db/SCHEMA.sql

Create user for database interaction from website and grant permissions to ipam tables. Replace “username” and “password” with the actual credentials you want to use.

mysql -u root -p
grant ALL on phpipam.* to username@localhost identified by "password";
exit

Edit /var/www/phpipam/config.php

$db['host'] = "localhost";
$db['user'] = "username";
$db['pass'] = "password";
$db['name'] = "phpipam";

define('BASE', "/phpipam/");

Edit /var/www/phpipam/.htaccess
RewriteBase /phpipam/

Optional – Check if hosts are alive every 15 minutes by adding the following to /etc/crontab:

*/15 * * * *    root    /usr/bin/php /var/www/phpipam/functions/scripts/pingCheck.php

Point your browser to http://yourip/phpipam and log in with Admin/ipamadmin
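Two of the steps above (date.timezone and the pcntl functions in disable_functions) are easy to get wrong, and the pingCheck cron job silently fails when they are. Here is an added check script, not part of phpIPAM or the original post, that parses a php.ini and reports which of those settings still need fixing. The sample php.ini is constructed; run it against /etc/php5/cli/php.ini and /etc/php5/apache2/php.ini in practice.

```python
"""Verify the php.ini settings phpIPAM's scripts need (added example)."""

# The pcntl functions the post says to remove from disable_functions.
PCNTL_REQUIRED = {"pcntl_fork", "pcntl_waitpid", "pcntl_wifexited",
                  "pcntl_signal", "pcntl_wexitstatus"}

# Constructed sample: timezone still commented out, pcntl still disabled.
SAMPLE_PHP_INI = """\
[Date]
; Defines the default timezone used by the date functions
;date.timezone =

[PHP]
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_signal,pcntl_wexitstatus
"""


def parse_ini(text):
    """Return {key: value} for active (uncommented) key = value lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # ';' starts a comment, '[' a section header; neither is a setting.
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def check_php_ini(text):
    """Return a list of problems; an empty list means the file is ready for phpIPAM."""
    settings = parse_ini(text)
    problems = []
    if not settings.get("date.timezone"):
        problems.append("date.timezone is not set")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_disabled = sorted(PCNTL_REQUIRED & disabled)
    if still_disabled:
        problems.append("pcntl functions still disabled: " + ", ".join(still_disabled))
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PHP_INI
    for problem in check_php_ini(text) or ["php.ini looks fine for phpIPAM"]:
        print(problem)
```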

Setting up pro-bono TACACS+ server on Ubuntu Server 13.04

There are a bunch of TACACS+ versions out there, and at least two of them happen to have the exact same name, which can be confusing.
It has to do with the fact that Cisco created TACACS+ back in the 90s and later released the source code, which was called tac_plus.

You may have noticed that on many Linux distros there’s a package called tac_plus; it’s the shrubbery.net version of TACACS+.
I find that version a bit outdated and lacking features such as multiple keys and the ability to use a range of IPs to identify routers, switches etc.

Fortunately there’s another version of tac_plus that supports all of this and much more, made by Marc Huber over at http://www.pro-bono-publico.de/projects/tac_plus.html

This version supports a number of backends for user accounts:

LDAP backend such as OpenLDAP and MS Active Directory
PAM backend
System Password backend
Shadow backend
RADIUS backend such as FreeRADIUS

I chose Shadow backend which stores user accounts in a file. The benefit of this method is that it’s easy to maintain and it supports password change and password expiration warning on the routers/switches.

Installing and configuring TACACS+

1. Install Ubuntu Server 13.04 amd64
2. Update the system with apt-get update/upgrade
3. Install dependencies

sudo apt-get install make
sudo apt-get install libgc-dev-amd64
sudo apt-get install libnet-ldap-perl

4. Download the latest source from http://www.pro-bono-publico.de/projects/
5. Untar the file to your home dir or whatever
6. Compile the source

./configure tac_plus
make
sudo make install

Copy the sample configuration file to the config directory

sudo cp /usr/local/etc/mavis/sample/tac_plus.cfg /usr/local/etc

Start tac_plus at system startup

sudo cp /<dir-to-source>/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults

You can now start and stop tac_plus with “sudo service tac_plus start/stop/restart”.

tac_plus configuration file

#!../../../sbin/tac_plus

id = spawnd {
    listen = { port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    debug = PACKET AUTHEN AUTHOR ACL REGEX
    access log = /var/log/tac_plus/access.log
    accounting log = /var/log/tac_plus/acct.log
    authorization log = /var/log/tac_plus/auth.log

    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "172.18.1.25:3268"
        setenv LDAP_BASE = "dc=thefloppydisk,dc=net"
        setenv LDAP_USER = "Administrator@thefloppydisk.net"
        setenv LDAP_PASSWD = "passwordhere"
        setenv AD_GROUP_PREFIX = tacacs-
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis

    # Host configuration
    host = Core {
        address = 172.18.1.0/24
        prompt = "\nAuthorized access only!\nTACACS+ Login\n"
        key = core-key
    }

    host = CPE {
        address = 10.129.0.0/
        prompt = "\nAuthorized access only!\nTACACS+ Login\n"
        key = cpe-key
    }

    # ACL configuration
    acl = Core_only {
        nas = Core
    }

    acl = CPE_only {
        nas = CPE
    }

    acl = Core_and_CPE {
        nas = Core
        nas = CPE
    }

    # Group configuration
    group = read-write {
        default service = permit
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 15
        }
        service = junos-exec {
            set local-user-name = remote-su
        }
    }

    group = read-only {
        default service = permit
        enable = deny
        service = shell {
            default command = permit
            default attribute = permit
            set priv-lvl = 1
        }
        service = junos-exec {
            set local-user-name = remote-ro
        }
    }

    group = core-rw {
        acl = Core_and_CPE
        member = read-write@Core
        member = read-write@CPE
    }

    group = core-ro {
        acl = Core_and_CPE
        member = read-only@Core
        member = read-write@CPE
    }

    group = cpe-rw {
        acl = CPE_only
        member = read-write@CPE
    }

    group = cpe-ro {
        acl = CPE_only
        member = read-only@CPE
    }
}

Shadow file configuration

Passwords are stored in an auxiliary, /etc/shadow-like ASCII file, one user per line:

username:encryptedPassword:lastChange:minAge:maxAge:expWarn

lastChange is the number of days since 1970-01-01 when the password was last changed, and minAge and maxAge determine whether the password may/may not/needs to be changed. Setting lastChange to 0 enforces a password change upon first login. expWarn controls the number of days before a password expiration warning is issued.

Example shadow file in /usr/local/etc:

rogewikl:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:15866:1:30:7:
plissken:$1$wWyDmqCp$qYYIn/vceiH97ouilsUDS/:15866:1:30:7:
freeman:blah:15866:1:30:7:

You can use openssl to compute password hashes:

openssl passwd -1 clear_text_password
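The password-ageing fields above decide whether a router login succeeds, gets a warning, or is forced to change the password, so it is worth checking a shadow file before deploying it. Here is an added parser, not part of tac_plus or the original post, that reads the file format described above and classifies each account for a given day; the sample file reuses the post's rogewikl entry plus a constructed "newhire" line with lastChange = 0, and the exact boundary rules (age strictly greater than maxAge means expired, warning once maxAge - age is at or below expWarn) are assumptions made to illustrate the field semantics.

```python
"""Parse a tac_plus shadow-style password file and report password ageing (added example)."""
from datetime import date

# Constructed sample, format: username:encryptedPassword:lastChange:minAge:maxAge:expWarn
# First line is the post's own example; second is a made-up account with
# lastChange 0, which forces a password change at first login.
SAMPLE_SHADOW = """\
rogewikl:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:15866:1:30:7:
newhire:PLACEHOLDER-HASH:0:1:30:7:
"""


def parse_shadow(text):
    """Return {username: record}; a line with fewer than 6 fields raises ValueError."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        name, pw_hash, last, min_age, max_age, warn = fields[:6]
        users[name] = {"hash": pw_hash, "lastChange": int(last), "minAge": int(min_age),
                       "maxAge": int(max_age), "expWarn": int(warn)}
    return users


def days_since_epoch(on=None):
    """Days since 1970-01-01, the unit lastChange is expressed in."""
    return ((on or date.today()) - date(1970, 1, 1)).days


def password_state(rec, today):
    """Classify an account for the given day (days since epoch), per the field semantics above."""
    if rec["lastChange"] == 0:
        return "must_change"                 # change enforced at first login
    age = today - rec["lastChange"]
    if age > rec["maxAge"]:
        return "expired"                     # assumption: strictly older than maxAge
    if rec["maxAge"] - age <= rec["expWarn"]:
        return "warn"                        # expiration warning window
    return "ok"


def may_change(rec, today):
    """minAge: a password cannot be changed again until that many days have passed."""
    return rec["lastChange"] == 0 or today - rec["lastChange"] >= rec["minAge"]


if __name__ == "__main__":
    today = days_since_epoch()
    for name, rec in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{name}: {password_state(rec, today)} (may change: {may_change(rec, today)})")
```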

Cisco TACACS+ configuration

username localadmin password localpwd
!
enable secret localenablepwd
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
tacacs server tac_plus
address ipv4 192.168.1.26
key tacacs_key_here
!
ip tacacs source-interface Loopback0

Be sure to check out the excellent documentation: http://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf
There’s also a Google Group forum https://groups.google.com/forum/?fromgroups#!forum/event-driven-servers

UCCX 8.x RmCm Subsystem stuck in INITIALIZING

One of our customers had some problems with their UCCX 8.0 Subscriber node.
After restarting some services and eventually the entire server, the RmCm subsystem would not start; it was stuck in INITIALIZING.

I looked at a couple of troubleshooting tips with no luck.

http://docwiki.cisco.com/wiki/RmCm_subsystem_stuck_in_INITIALIZING_state
https://supportforums.cisco.com/thread/2092466

My colleague then opened a TAC case and eventually they fixed the problem.
It turned out to be some sort of replication issue.

Log in to the UCCX Publisher

1. Cisco Unified CCX Serviceability -> DataStore Control Center -> Replication Servers
2. Click Disable CDS and HDS
3. Click Reset replication
4. Enable CDS and HDS

Voilà!

SIP traces from CUCM in TranslatorX

I was troubleshooting a Cisco TelePresence integration the other day and had to check the traces on the SIP trunk to the VCS.

Since there’s no SBC in between to debug SIP on, I had to make do with RTMT.
In RTMT there’s a function called Session Trace which is pretty good. You can also view or download the CallManager SDI/SDL log files. However, reading the logs with the built-in viewer or an external text editor can be tedious at best.

Fortunately Cisco has a semi-official tool called TranslatorX. I say semi-official because it’s not on the CCO download page and it’s not supported by TAC.
This tool can parse the SDI/SDL traces from CUCM and present them in a Wireshark trace style.

http://translatorx.cisco.com

Start by setting your CUCM trace level to Detailed.

1. Serviceability -> Trace -> Configuration

2. Select CM Services and then Cisco Callmanager

[Image: trace_configuration]

3. Set Debug Trace Level to Detailed

[Image: trace_level]

Start RTMT as Administrator, connect to the CUCM Pub and download the log files.

4. Trace & Log Central -> Collect Files -> Select Cisco Callmanager (all servers)

[Image: rtmt_trace_file1]

Click next without selecting any System Services/Applications.

[Image: rtmt_trace_file2]

I selected Relative Range to get log files for the last 5 minutes.

[Image: rtmt_trace_file3]

5. Open TranslatorX, drag and drop the folder containing the log files from the Download Directory above.

[Image: translatorx]

RTMT Session Trace

Downloading the log files and running them through TranslatorX can take some time. If you want to quickly look at a SIP trace I recommend Session Trace in RTMT.

1. Callmanager -> Call Process -> Session Trace

[Image: rtmt_session_trace]

Click on the search result to see the ladder diagram.

[Image: rtmt_diagram]

Enable Calendar Presence per user from CLI on CUPS 8.6(4)

After the main integration between CUPS and Exchange is done, each end user must enable Calendar Presence.
In CUPC this can be done from the client, but in Jabber for Windows the user must log on to the CUPS end user page to activate it.

There is no way for an Admin to activate it from the GUI; however, it can be done from the CLI.

This command works for CUPS 8.6(4):

run sql execute procedure spSetUserCalendaring((select pkid from enduser where userid='roger'),'t','t')

I’ve seen this command floating around on the Internet:

run sql update enduser set enablecalendarpresence='t'

But according to Cisco this does not work in 8.6(4), and in earlier versions it does not enable it fully.

Jabber version 9.3 will supposedly have the enable Calendar Presence function in the client.

https://supportforums.cisco.com/message/3747298

New features in Cisco Unified Communications Manager 9.0

CUCM 9.0 is out, sporting some nice new features. Here’s my top 5 list:

Number 5!
New End User Interface/Pause in Speed Dial.

Number 4!
Native Call Queueing on Hunt Groups.

Number 3!
Local and LDAP synchronized users supported simultaneously.

Number 2!
Service Parameter controls Call Forward behaviour when using Local Route Group.

And the number 1 new feature is…
When you log out from a Hunt Group calls are no longer sent to Remote Destination!!!

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/rel_notes/9_0_1/delta/CUCM_BK_N38FD301_00_cucm-new-and-changed-90.html

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/9x/uc9x.html

http://www.sunsetlearning.com/news-room/whats-new-in-cisco-unified-communications-manager-9-0/