Some PHP SNMP scripting

I was digging through some of my old notes and came across a few networking PHP scripts that I put together for some Proxim AP-4000 access points. I put this script and many others together to help manage these standalone access points before there were wireless controllers. This particular PHP script loops over a range of AP management addresses and uses snmpset() to write the SNMP values that control the AP filters; the OIDs in the script can be swapped for others to change different values. Your setup will require PHP installed along with the snmp extension (php-snmp). Keep in mind that with SNMPv1/v2c the read/write community string goes over the wire in cleartext, so run this from a management network that can reach the APs, and don’t leave the script, with the community string in it, somewhere a web server will serve it to others. Have fun.

<html>
<head>
<title>
AP-4000 Filter modification Script
</title>
</head>

<body>

<?php
// First value of the fourth octet of the AP management IP range
$ip = 100;
// Last fourth octet to process (inclusive)
$lastIp = 111;
// SNMP read/write community string (sent in cleartext with SNMPv1/v2c)
$snmpRwPass = 'yoursnmppassword';
// Per-request timeout; PHP's snmp functions take it in microseconds
$timeout = 10000000; // 10 seconds

// Proxim AP-4000 filter OIDs written by this script (integer 1 = enable)
$oids = array(
    '.1.3.6.1.4.1.11898.2.1.5.5.3.1.6.1',
    '.1.3.6.1.4.1.11898.2.1.5.5.3.1.6.2',
    '.1.3.6.1.4.1.11898.2.1.5.5.3.1.6.3',
    '.1.3.6.1.4.1.11898.2.1.5.5.1.0',
);

// Loop over every AP management address from the start value through the last one
while ($ip <= $lastIp) {
    $host = "192.168.1.$ip";
    $failed = 0;

    foreach ($oids as $oid) {
        // snmpset() returns false on failure (timeout, wrong community, read-only OID)
        if (snmpset($host, $snmpRwPass, $oid, 'i', '1', $timeout) === false) {
            $failed++;
        }
    }

    // Print the result for each AP so failures do not go unnoticed
    if ($failed === 0) {
        echo "done with $host";
    } else {
        echo "FAILED $failed of " . count($oids) . " sets on $host";
    }
    echo "<br>";

    // Counter for increasing the AP management IP
    $ip++;
}
?>
</body>
</html>
Portable home lab virtualization server + gaming

I have a few PCs that I use for testing, gaming, and other side projects. I wanted to pare down a few systems, so I started looking into a portable VM home lab server setup that could be used for testing at least four different VMs and also allow for some decent gaming performance using VM hardware GPU passthrough.

I first pondered the Intel NUC Skull Canyon. It’s pretty portable, tough looking, and powerful, but when it first launched it lacked the ability to easily install an external GPU or a hypervisor. It’s also pretty expensive, and I was trying to stay around the $500-$600 range. I started looking at a few mini ITX cases and remembered coming across the ASRock M8 Mini ITX design in the past.

[Image: ASRock M8 portable server, side view]

I ended up finding the case, but it was a barebones-only bundle that already included an older motherboard that didn’t support the type of passthrough I was looking to use. The case reminded me of the old G4/G5 Apple cases with the handles on each corner; the handles make it a lot easier to carry. I ended up finding a discounted open-box unit from Newegg that made the purchase a little more bearable.

Here’s the home lab setup specifications and costs:

Case: ASRock M8 Mini ITX (included LGA 1150 mobo w/ power supply), open box: $186.69
Memory: G.SKILL Aegis 16GB (2 x 8GB) 288-Pin DDR4 2133: $52.42
CPU: Intel Xeon E3-1225 v5 Skylake 3.3 GHz, 8MB L3 cache, LGA 1151: $234.99
Motherboard: ASRock Server/Workstation MB-C236WSI: $213.00

Total: $687.10

I ditched the 1150 motherboard and installed the Intel C236 chipset based LGA 1151 motherboard along with a Skylake-based Xeon processor. My first attempt at installing VMware ESXi 6.0 failed because I couldn’t get anything working with passthrough. I tried multiple versions of ESXi, but I still couldn’t get my ATI 6770, USB, or sound passthrough working. I tried a few other graphics cards, but without sound, I threw the ESXi hypervisor out of the picture. I then decided to try an installation of XenServer 7 and, to my surprise, I was able to pass through all of my components. I did have to manually run some commands to get things going, but in the end I ended up with a VM that could possibly do some decent gaming.

[Images: ASRock M8 with the MB-C236WSI Skylake Xeon motherboard, front and rear]

In order to get all the passthrough devices working, you may have to do some work in the CLI. I didn’t have to set up the GPU from the CLI, as it was already listed as a passthrough device in the XenServer GUI management interface.

To add other devices, first find the VM’s UUID once it has been provisioned through the GUI manager (xe vm-list name-label=<VM name> prints it). Then run the following in the XenServer CLI to list the PCI devices and the dom0 driver bound to each:

lspci -k | more

Find the PCI devices you want to pass through; I was specifically looking for USB and sound. To add multiple passthrough devices, run the next command once with every PCI device listed in the comma-separated other-config:pci value (each entry is 0/<domain>:<bus>:<device>.<function>, with the PCI domain written as four digits), along with your VM UUID:

xe vm-param-set other-config:pci=0/0000:00:1f.3,0/0000:00:14.0 uuid=a4f084ae-e8cf-144a-ac31-7bf456e333b5
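The same two steps, parsing lspci output and building the other-config:pci value, as an added example in Python rather than something from the original post. The lspci lines are constructed (only the 00:14.0 and 00:1f.3 addresses come from the post), the vendor names are placeholders, and the VM UUID is a stand-in for whatever xe vm-list prints. The one thing it adds over typing the command by hand is a refusal to pass through device classes dom0 itself is normally running on, which is the mistake that takes the host’s disk or management NIC away from it:

```python
"""Build the XenServer other-config:pci value from lspci output (added example,
not code from the original post). The lspci text below is constructed; only
the 00:14.0 and 00:1f.3 addresses come from the post, and the VM UUID is a
placeholder for the output of 'xe vm-list'."""
import re

SAMPLE_LSPCI = """\
00:00.0 Host bridge: Example Corp Host Bridge
00:14.0 USB controller: Example Corp xHCI Controller
  Kernel driver in use: xhci_hcd
00:17.0 SATA controller: Example Corp AHCI Controller
  Kernel driver in use: ahci
00:1f.3 Audio device: Example Corp HD Audio
  Kernel driver in use: snd_hda_intel
00:1f.6 Ethernet controller: Example Corp Gigabit NIC
  Kernel driver in use: e1000e
01:00.0 VGA compatible controller: Example Corp Radeon-class GPU
"""

# lspci prints "bb:dd.f class: description", or "dddd:bb:dd.f ..." with -D;
# the indented "Kernel driver in use" lines from -k do not match and are skipped
LSPCI_LINE = re.compile(r"^(?:([0-9a-f]{4}):)?([0-9a-f]{2}:[0-9a-f]{2}\.[0-7]) ([^:]+): (.*)$")

# Classes dom0 itself normally runs on; handing one to a guest takes it away
# from the host (and, for the boot disk or management NIC, from you).
DOM0_CLASSES = ("Host bridge", "SATA controller", "Ethernet controller")


def parse_lspci(text):
    """Return [(domain, bdf, class, description), ...] for each device line."""
    devices = []
    for line in text.splitlines():
        m = LSPCI_LINE.match(line)
        if m:
            domain, bdf, cls, desc = m.groups()
            devices.append((domain or "0000", bdf, cls, desc))
    return devices


def pci_arg(devices, wanted_classes):
    """'0/dddd:bb:dd.f,...' for every device whose class is wanted, in lspci order."""
    picked = []
    for domain, bdf, cls, _ in devices:
        if cls not in wanted_classes:
            continue
        if cls in DOM0_CLASSES:
            raise ValueError(f"{bdf} ({cls}) is probably in use by dom0; refusing")
        picked.append(f"0/{domain}:{bdf}")  # XenServer wants the 4-digit PCI domain
    if not picked:
        raise ValueError("no device matched: " + ", ".join(wanted_classes))
    return ",".join(picked)


def xe_command(devices, wanted_classes, vm_uuid):
    """The xe invocation from the post, built rather than typed."""
    return f"xe vm-param-set other-config:pci={pci_arg(devices, wanted_classes)} uuid={vm_uuid}"


if __name__ == "__main__":
    devs = parse_lspci(SAMPLE_LSPCI)
    print(xe_command(devs, ("USB controller", "Audio device"), "<vm-uuid>"))
```

On a real host, pipe `lspci -k` into parse_lspci instead of the sample text; the class names are exactly what lspci prints, so matching on them is enough to pick the USB and audio controllers without hard-coding addresses that differ per board.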

Why NetDevOps/NetOps will become important for Network Admins

Being a network administrator/engineer typically means typing into SSH consoles to get things going. At some point, being able to automate tasks, or to change configurations based on a certain outcome, becomes necessary. I’ve gathered a few thoughts and real-world views on network automation. The buzzword floating around for this topic is NetDevOps.

NetOps/NetDevOps (my definition): network automation that uses code to run the commands that would normally have to be typed manually into each device. Example: code that parses or writes configs, logs, and SNMP values in order to take action on a specific outcome.

I won’t go into the ins and outs of NetOps/NetDevOps or how to get started with coding. Instead, here is a list of links with information that other really smart people came up with.

Detailed Definitions:
https://cumulusnetworks.com/blog/netdevops-networking-methods-with-a-devops-mindset/
http://packetpushers.net/pull-my-strings-im-your-puppet-juniper-bringing-devops-to-networking/
Some examples:
https://www.nanog.org/sites/default/files/Carr_What_S_Netdevops_Why.pdf
Getting Started with coding:
https://www.nanog.org/sites/default/files/Swafford_Netops_Coding_101.pdf

OK, now what can NetDevOps actually do for you network administrators out there? I started to create a list of items that NetDevOps could put a dent in. I don’t feel that you need a Google- or Facebook-sized infrastructure to take advantage of NetDevOps. My team and I currently manage around 120 switching/routing devices, and we’re about to add lots more. That’s no Google, so here’s my list:

  • Changing network admin passwords on devices when staffing changes can be very time consuming. Code that can SSH into switches and routers to update passwords and privileges would be a very useful thing to have.
  • If you have routers that carry the same ACLs or route maps, making changes can be a daunting task even if it’s only a dozen routers. Using code to push the same change to every copy of an ACL or route map across your routers reduces time and human input errors.
  • I also have a few ideas about gathering wireless user data and plotting the details on a Google map to indicate APs that have a large volume of user connectivity. The map would provide visual information in real time that can help determine if you’re having a sticky client situation. You could also make automated config changes to your APs’ power levels or minimum basic rates to help the situation out.
  • You could watch the bandwidth available across network links and trigger an automatic response that applies route maps to redirect traffic or applies QoS rules, to your programming heart’s content.

I’m sure there are lots of other examples out there; please post any that you may have. I know that last one is heading down the OpenFlow rabbit hole, but if you could do these types of things with your current equipment using a NetDevOps approach, why not?
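To make the ACL bullet concrete, here is an added example (my code, not anything from the original post) of the "parse configs and act on the outcome" pattern from the definition above: it reads IOS-style running-config text from several routers, reports how each copy of a named ACL has drifted from the golden version, and builds the command set that brings it back. The golden ACL, the router names and the config excerpts are all constructed; pulling the configs off the devices over SSH is left out, so feed it whatever text your transport returns for show running-config. The design choice worth noticing is the swap: the corrected ACL is built under a fresh, content-addressed name and moved onto the interface before the old one is deleted, because an access-group that points at a missing or empty ACL permits everything on IOS, so editing the ACL in place leaves the interface open for the duration of the change.

```python
"""ACL drift check across routers and the commands to fix each one (added
example, not code from the original post). The golden ACL and the IOS-style
running-config excerpts are constructed; device transport is left out, so
feed it the text of 'show running-config' however you collect it."""
import hashlib
import re

GOLDEN_NAME = "EDGE-IN"  # base name; rolled-out copies are EDGE-IN-<hash>
GOLDEN_ACES = [
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit tcp any host 203.0.113.10 eq 443",
    "deny ip any any log",
]

# Constructed excerpts: rtr1 matches; rtr2 was typed by hand and has one line
# missing and a fat-fingered port number.
RUNNING_CONFIGS = {
    "rtr1": "ip access-list extended EDGE-IN\n"
            " 10 deny ip 10.0.0.0 0.255.255.255 any\n"
            " 20 deny ip 192.168.0.0 0.0.255.255 any\n"
            " 30 permit tcp any host 203.0.113.10 eq 443\n"
            " 40 deny ip any any log\n!\n"
            "interface GigabitEthernet0/0\n ip access-group EDGE-IN in\n!\n",
    "rtr2": "ip access-list extended EDGE-IN\n"
            " 10 deny ip 10.0.0.0 0.255.255.255 any\n"
            " 20 permit tcp any host 203.0.113.10 eq 434\n"
            " 30 deny ip any any log\n!\n"
            "interface GigabitEthernet0/1\n ip access-group EDGE-IN in\n!\n",
}


def parse_config(config):
    """Return ({acl_name: [ace, ...]}, [(interface, acl_name, direction), ...])."""
    acls, bindings = {}, []
    acl = intf = None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented line ends the current block
            acl = intf = None
            if m := re.match(r"ip access-list extended (\S+)\s*$", raw):
                acl = m.group(1)
                acls[acl] = []
            elif m := re.match(r"interface (\S+)\s*$", raw):
                intf = m.group(1)
            continue
        body = raw.strip()
        if acl is not None:
            acls[acl].append(re.sub(r"^\d+\s+", "", body))  # drop sequence numbers
        elif intf is not None:
            if m := re.match(r"ip access-group (\S+) (in|out)\s*$", body):
                bindings.append((intf, m.group(1), m.group(2)))
    return acls, bindings


def acl_drift(golden, actual):
    """ACEs missing from / extra on the device; both empty means no drift."""
    return {"missing": [a for a in golden if a not in actual],
            "extra": [a for a in actual if a not in golden]}


def staged_name(base, aces):
    """Content-addressed ACL name, so a converged device yields no commands."""
    digest = hashlib.sha256("\n".join(aces).encode()).hexdigest()[:6].upper()
    return f"{base}-{digest}"


def remediation(config, base=GOLDEN_NAME, golden=GOLDEN_ACES):
    """Commands that replace each drifted copy of `base` with the golden ACEs.

    The new ACL is created and swapped onto the interface before the old one
    is deleted, so the interface is never left pointing at an empty ACL.
    """
    acls, bindings = parse_config(config)
    new_name = staged_name(base, golden)
    cmds, retire = [], []
    created = new_name in acls
    for intf, acl, direction in bindings:
        if acl != base and not acl.startswith(base + "-"):
            continue  # some other ACL, not ours to touch
        if acls.get(acl) == golden:
            continue  # already converged
        if acl == new_name:  # name says golden, content says otherwise: hand-edited?
            raise RuntimeError(f"{acl} exists but does not match the golden ACL")
        if not created:
            cmds.append(f"ip access-list extended {new_name}")
            cmds.extend(f" {ace}" for ace in golden)
            created = True
        cmds += [f"interface {intf}", f" ip access-group {new_name} {direction}"]
        if acl not in retire:
            retire.append(acl)
    cmds.extend(f"no ip access-list extended {old}" for old in retire)
    return cmds


if __name__ == "__main__":
    for router, config in RUNNING_CONFIGS.items():
        acls, _ = parse_config(config)
        print(router, acl_drift(GOLDEN_ACES, acls.get(GOLDEN_NAME, [])))
        print("\n".join("    " + c for c in remediation(config)))
```

Running it prints an empty remediation for rtr1 and, for rtr2, the staged ACL, the access-group swap and the deletion of the old EDGE-IN. Because the staged name is derived from the ACL content, a second run against a router that already carries it produces nothing, which is what lets the same script run unattended on a schedule.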

IPplan – IPAM (IP address management)

For those of you looking to track your IP space in something other than a shared Excel sheet, take a look at the open source IPplan. All you need is a Linux box with Apache and a few other components, and installation is not too hard. I would recommend that you access your build over HTTPS so that your authentication is encrypted. If you were using Excel, format your columns to match the format IPplan takes and export the sheet to a tab-delimited file; you can then import that file into IPplan.

[Image: IPplan IP address management view]

You can easily select multiple addresses to make bulk changes, as shown above. All the fields you need are there; there’s even a MAC field, visible when you click on the IP link. I like how the change field is updated with a timestamp after a modification, so you can see who made the latest change.

[Image: IPplan request-an-IP-address page]

Another nice feature is the request-an-IP-address page. If you don’t have a ticketing system, you can point all your internal clients to this page to submit a request for a static IP, and IPplan emails you the request. It can manage DNS as well, but I haven’t dug into that. Nmap can also be hooked into the system to check which IPs are actually in use, and you can have the system email you when subnets exceed a certain utilization level.

If you’re interested in a fully supported paid IPAM platform, check out Infoblox. You can try out their IPAM software for free. It’s highly limited compared to IPplan, but if you’re looking to expand your DDI (DNS, DHCP, IPAM) services and you have a budget, this may be a better option for you.

FreeRADIUS multiple domains

We use FreeRADIUS to authenticate our wireless users with 802.1X. We need to authenticate users that may be on one of two domains. We have an issue authenticating against the global catalog because duplicate user account names have been created on each domain. That wasn’t my idea and it can’t be fixed, so I have to work around it. One way to fix the issue is to have the user include the domain when they authenticate, but we don’t want to make things harder for end users.

With FreeRADIUS, I was able to use some unlang, and I wanted to share the config. I’m assuming you already have FreeRADIUS at a point where it authenticates against one domain via MS-CHAP. Basically, the config tries the user against one domain in the default mschap module and against the other domain in a second mschap module instance: if authentication fails on the first domain, the second instance fires with the second domain specified. Keep in mind what that means for lockouts: every password that fails on the first domain is then tried against the same username on the second, so one user’s typos count as bad-password attempts against the other domain’s account of the same name.

First, I modified the ntlm_auth line of my mschap module, found at /etc/raddb/modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourFirstDomainName --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

I then created a second mschap module instance by adding the following to the modules section of radiusd.conf, found at /etc/raddb/radiusd.conf (a separate file under /etc/raddb/modules/ works just as well, since that directory is included from there):

mschap NameOfNewModule {
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourSecondDomainName --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

Then modify the inner-tunnel virtual server, /etc/raddb/sites-available/inner-tunnel, with some unlang. In the authorize { section, list both instances (the existing entries stay as they are):

authorize {
	mschap
	NameOfNewModule
}

Then, in the authenticate { section, replace the plain mschap call inside Auth-Type MS-CHAP with the following. The "reject = 2" override turns a reject from the first instance into a numbered priority instead of an immediate return, so the section keeps running, and the if (reject) block fires the second domain only when the first one rejected:

authenticate {
	Auth-Type MS-CHAP {
		mschap {
			reject = 2
		}
		if (reject) {
			NameOfNewModule
		}
	}
}

Show me your dashboard…

Zenoss Core open source dashboard

[Image: Zenoss Core dashboard with custom SNMP graphs and the Weathermap link]

We use Zenoss Core (open source) to monitor our devices. We have tried Zabbix, Nagios, and Cacti, but Zenoss seems to be the easiest to manage and maintain. I can create custom SNMP templates with thresholds that are overlaid on our RRD graphs. Zenoss also lets you create email notification triggers based on the severity and threshold set on each graph template. You can see two of these custom graphs in the Zenoss dashboard image above: I’m monitoring our wireless DHCP pools and the CPU of each slot in the Enterasys/Extreme N7 chassis.

I also have Weathermap installed on the same Linux server that hosts Zenoss, and a link to the generated PNG is placed on the Zenoss dashboard. Weathermap is a nice open source network visualization tool: you create a custom network map, and it draws link speeds and colors based on RRD files. I pointed the Weathermap config at the Zenoss RRD files, which live under each device’s subfolder in /opt/zenoss/perf/Devices.