Dual stack IPv4/IPv6 on FreeBSD

April 14, 2010

Here is a quick note to show how easy it is to enable a dual IP stack on FreeBSD (and actually on most modern system)…

Here is what you need :

1. Native connectivity to IPv4 & IPv6 backbones

Connectivity to IPv4 should be OK. If you don’t have connectivity to IPv6 you may want to use 6in4 tunnel to connect to IPv6 backbone through a tunnel over IPv4 backbone. Several tunnel brokers are available for free, I personally know Hurricane Electric and SixXS.

2. An IPv4 gateway such as 192.168.1.1
3. An IPv4 address in that range such as 192.168.1.10
4. An IPv6 gateway such as 2001:db8:abcd::1
5. An IPv6 address in that range such as 2001:db8:abcd::e
6. Put all together in /etc/rc.conf

Extract from /etc/rc.conf

#IPv4 config
ifconfig_re0="inet 192.168.1.10 netmask 255.255.255.0"
static_routes="default"
route_default="default 192.168.1.1"

#IPv6 config
ipv6_enable="YES"
ipv6_ifconfig_re0="2001:db8:abcd::e/56"
ipv6_static_routes="default"
ipv6_route_default="default 2001:db8:abcd::1"

Then restart the server or the network related script from /etc/rc.d

ipv6#/etc/rc.d/netif start
re0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 9e:65:96:1e:ca:5e
	inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX )
	status: active

ipv6#/etc/rc.d/routing start
add net default: gateway 192.168.1.1
Additional routing options:.

ipv6# /etc/rc.d/network_ipv6 start
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
net.inet6.ip6.forwarding: 0 -> 0
re0: flags=8843 metric 0 mtu 1500
	options=9b
	inet6 2001:db8:abcd::e prefixlen 56 tentative
plip0: flags=108810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net default: gateway 2001:db8:abcd::1
IPv4 mapped IPv6 address support=NO

You may notice the IPv6 address is marked as tentative, that’s because DAD (Duplicate Address Detection) is still validating the IPv6 address. If you run ifconfig a bit later and if you IPv6 is not a duplicate address, the tentative flag should disappear.

Test connectivity with some awesome tools…

ipv6# ping -c3 www.google.com
PING www.l.google.com (209.85.229.147): 56 data bytes
64 bytes from 209.85.229.147: icmp_seq=0 ttl=55 time=10.624 ms
64 bytes from 209.85.229.147: icmp_seq=1 ttl=55 time=10.675 ms
64 bytes from 209.85.229.147: icmp_seq=2 ttl=55 time=10.815 ms

--- www.l.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 10.624/10.705/10.815/0.081 ms

ipv6# ping6 -c3 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:db8:abcd::e --> 2a00:1450:8006::93
16 bytes from 2a00:1450:8006::93, icmp_seq=0 hlim=56 time=15.562 ms
16 bytes from 2a00:1450:8006::93, icmp_seq=1 hlim=56 time=15.529 ms
16 bytes from 2a00:1450:8006::93, icmp_seq=2 hlim=56 time=15.541 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 15.529/15.544/15.562/0.014 ms

Congratulations, you now have IPv4 and IPv6 connectivity from your FreeBSD box!

Filed Under Systems · Leave a Comment

ACE software upgrade

February 10, 2010

Cisco Application Control Engine Module (ACE) loadbalancers are designed to work in standalone mode or in cluster mode. When running in standalone mode, software upgrade has obviously a great impact on the traffic going through the loadbalancer. All the sessions will be dropped and no new session will be accepted until the ACE restarts with the new image (up to 8 minutes).

Now, in cluster mode, you can do the software upgrade with no or very limited impact if you follow the correct sequence of operations. Here are the steps I used last time and it went perfectly and transparent for the users.

Note this procedure has been tested on ACE modules for Catalyst 6500 only but it should remain valid for the ACE 4710 appliances.

Step 1

First you need to ensure all the contexts are properly synchronized and the standby contexts are in STANDBY_HOT state.

ACE_1/Admin# sh ft group brief
FT Group ID: 1  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_HOT
                Context Name: Admin     Context Id: 0
FT Group ID: 2  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_COLD
                Context Name: C1        Context Id: 4
FT Group ID: 3  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_HOT
                Context Name: C2        Context Id: 3

Here as you can see context C1 is stuck in STANDBY_COLD state. Usually put that context out of service on the standby ACE and then put it back in service solve the issue. If it is not the case you won’t have a fully transparent software upgrade for that context; current session will be dropped but new session will be accepted after the failover. If it is acceptable for you, go on with the upgrade otherwise try to find out why it is not in STANDBY_HOT state.

Note it might take several minutes to leave the STANDBY_BULK state (it took 2 minutes during my tests).

ACE_2/Admin(config)# ft group 2
ACE_2/Admin(config-ft-group)# no inservice
ACE_2/Admin(config-ft-group)# do sh ft group 2 detail

FT Group                     : 2
No. of Contexts              : 1
Context Name                 : C1
Context Id                   : 4
Configured Status            : out-of-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_INIT
My Config Priority           : 90
My Net Priority              : 90
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_UNKNOWN
Peer Config Priority         : Unknown
Peer Net Priority            : Unknown
Peer Preempt                 : Unknown
Peer Id                      : 1
Last State Change time       : Wed Feb  3 14:35:36 2010
Running cfg sync enabled     : Enabled
Running cfg sync status      :
Startup cfg sync enabled     : Enabled
Startup cfg sync status      :
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
ACE_2/Admin(config-ft-group)# inservice

NOTE: Configuration mode has been disabled on all sessions

ACE_2/Admin(config-ft-group)# do sh ft group 2 detail

FT Group                     : 2
No. of Contexts              : 1
Context Name                 : C1
Context Id                   : 4
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_STANDBY_BULK
My Config Priority           : 90
My Net Priority              : 90
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_ACTIVE
Peer Config Priority         : 120
Peer Net Priority            : 120
Peer Preempt                 : Enabled
Peer Id                      : 1
Last State Change time       : Wed Feb  3 14:36:02 2010
Running cfg sync enabled     : Enabled
Running cfg sync status      : Running configuration sync has completed
Startup cfg sync enabled     : Enabled
Startup cfg sync status      : Startup configuration sync has completed
Bulk sync done for ARP: 1
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
ACE_2/Admin(config-ft-group)# do sh ft group 1 detail

FT Group                     : 2
No. of Contexts              : 1
Context Name                 : C1
Context Id                   : 4
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_STANDBY_HOT
My Config Priority           : 90
My Net Priority              : 90
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_ACTIVE
Peer Config Priority         : 120
Peer Net Priority            : 120
Peer Preempt                 : Enabled
Peer Id                      : 1
Last State Change time       : Wed Feb  3 14:37:51 2010
Running cfg sync enabled     : Enabled
Running cfg sync status      : Running configuration sync has completed
Startup cfg sync enabled     : Enabled
Startup cfg sync status      : Startup configuration sync has completed
Bulk sync done for ARP: 1
Bulk sync done for LB: 2
Bulk sync done for ICM: 2

Step 2

On the ACE, preemption is enabled by default for all the contexts. It needs to be disabled to perform a manual failover.

ACE_1/Admin(config)# ft group 1
ACE_1/Admin(config-ft-group)# no preempt
ACE_1/Admin(config-ft-group)# ft group 2
ACE_1/Admin(config-ft-group)# no preempt
ACE_1/Admin(config-ft-group)# ft group 3
ACE_1/Admin(config-ft-group)# no preempt
ACE_1/Admin(config-ft-group)# end

Step 3

Download the new software image to the active and standby ACEs. Here I’ve chosen to use tftp because I hadn’t an ftp server configured in the lab… ftp can be used and is definitely faster.

ACE_1/Admin# copy tftp: image:
Enter source filename[]? c6ace-t1k9-mz.A2_2_3.bin
Enter the destination filename[]? [c6ace-t1k9-mz.A2_2_3.bin]
Address of remote host[]? 10.1.1.1
Trying to connect to tftp server......
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(…)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
TFTP get operation was successful
 31361516 bytes copied
ACE_1/Admin#
ACE_1/Admin# dir image:
 30788103  Apr 15 13:14:48 2009 c6ace-t1k9-mz.A2_1_4a.bin
 31361516  Feb  3 14:43:45 2010 c6ace-t1k9-mz.A2_2_3.bin
          Usage for image: filesystem
          461848576 bytes total used
          577126400 bytes free
         1038974976 total bytes

Check the file size is correct…

Step 4

Change the boot string on the active ACE, it will be synced to the standby ACE. By the way, configuration mode is disabled on the standby ACE therefore it is the only option…

ACE_1/Admin# sh run | i boot
Generating configuration....
boot system image:c6ace-t1k9-mz.A2_1_4a.bin
ACE_1/Admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ACE_1/Admin(config)# no boot system image:c6ace-t1k9-mz.A2_1_4a.bin
ACE_1/Admin(config)# boot system image:c6ace-t1k9-mz.A2_2_3.bin
ACE_1/Admin(config)# exit
ACE_1/Admin# wr mem all
Generating configuration....
running config of context Admin saved
Generating configuration....
running config of context C2 saved
Generating configuration....
running config of context C1 saved
Please wait ... sync to compact flash in progress.

This may take a few minutes to complete

Sync Done

Step 5 (optional)

Create checkpoint in all contexts on active and standby devices

ACE_2/Admin# checkpoint create 20100203
Generating configuration....
Created configuration checkpoint '20100203'
ACE_2/Admin# changeto C2

NOTE: Configuration mode has been disabled on all sessions

ACE_2/C2# checkpoint create 20100203
Generating configuration....
Created configuration checkpoint '20100203'
ACE_2/C2# changeto C1

NOTE: Configuration mode has been disabled on all sessions

ACE_2/C1# checkpoint create 20100203
Generating configuration....
Created configuration checkpoint '20100203'
ACE_2/C1# changeto Admin

Step 6

Reload the standby device

ACE_2/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes] no (already done in step 4)
Perform system reload. [yes/no]: [yes]

NOTE: Configuration mode is enabled on all sessions

Connection to ACE_2 closed by remote host.
Connection to ACE_2 closed.

Step 7

Check the standby device is running the new software version.

ACE_2/Admin# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://C2 .cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://C2 .gnu.org/licenses/gpl.html.

Software
  loader:    Version 12.2[120]
  system:    Version A2(2.3) [build 3.0(0)A2(2.3)]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_2_3.bin
  installed license: ACE-VIRT-020

Hardware
  Cisco ACE (slot: 6)
  cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
  memory info:
    total: 827128 kB, free: 256000 kB
    shared: 0 kB, buffers: 1824 kB, cached 0 kB
  cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 451040 kB, available: 563584 kB

last boot reason:  reload command by Admin
configuration register:  0x1
ACE_2 kernel uptime is 0 days 0 hour 8 minute(s) 45 second(s)

Step 8

Wait until all the contexts on the standby devices stabilize in STANDBY_WARM or STANDBY_HOT state.

ACE_2/Admin# sh ft group brief

FT Group ID: 1  My State:FSM_FT_STATE_STANDBY_WARM      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: Admin     Context Id: 0
FT Group ID: 2  My State:FSM_FT_STATE_STANDBY_WARM      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: C1        Context Id: 4
FT Group ID: 3  My State:FSM_FT_STATE_STANDBY_WARM      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: C2        Context Id: 3

For your information, here is what Cisco says about STANDBY_WARM state :

In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.

Step 9

Perform a failover from the active ACE to the standby ACE for all the contexts.

ACE_1/Admin# ft switchover all
This command will cause card to switchover (yes/no)?  [no] yes

NOTE: Configuration mode has been disabled on all sessions

Step 10

Check the newly upgraded ACE is well become active.

ACE_1/Admin# sh ft group brief

FT Group ID: 1  My State:FSM_FT_STATE_STANDBY_BULK      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: Admin     Context Id: 0
FT Group ID: 2  My State:FSM_FT_STATE_STANDBY_BULK      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: C1        Context Id: 4
FT Group ID: 3  My State:FSM_FT_STATE_STANDBY_BULK      Peer State:FSM_FT_STATE_ACTIVE
                Context Name: C2        Context Id: 3

Step 11

Reload the 2^nd ACE (previously active).

ACE_1/Admin# reload
This command will reboot the system
Save configurations for all the contexts. Save? [yes/no]: [yes] no
Perform system reload. [yes/no]: [yes]

NOTE: Configuration mode is enabled on all sessions

Connection to ACE_1 closed by remote host.
Connection to ACE_1 closed.

Step 12

When the 2^nd ACE state stabilize to FSM_FT_STATE_STANDBY_HOT state, perform again a failover for all the contexts.

ACE_2/Admin# sh ft group brief

FT Group ID: 1  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_HOT
                Context Name: Admin     Context Id: 0
FT Group ID: 2  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_HOT
                Context Name: C1        Context Id: 4
FT Group ID: 3  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_HOT
                Context Name: C2        Context Id: 3

Step 13 (If you’re not superstitious)

Reconfigure preemption if it is in your standard… (personally I don’t like preemption because if a device has failed I prefer to check exactly why before activating it again)

ACE_1/Admin(config)# ft group 1
ACE_1/Admin(config-ft-group)# preempt
ACE_1/Admin(config-ft-group)# ft group 2
ACE_1/Admin(config-ft-group)# preempt
ACE_1/Admin(config-ft-group)# ft group 3
ACE_1/Admin(config-ft-group)# preempt
ACE_1/Admin(config-ft-group)# end
ACE_1/Admin# wr mem

And that’s it, you have upgraded your ACE cluster with no or limited impact. If you find this post helpful you may leave a comment to encourage me to publish more articles…

Filed Under Networking · Leave a Comment

VPS for rent

December 21, 2009

VPS

You need a server connected to Internet? You don’t want a shared server but you don’t want to pay for a dedicated server? exp-NETWORKS can rent you a Virtual Private Server (VPS). A VPS runs its own Linux OS with its own packages, users administration, configuration on a shared hardware. The VPS running on the same hardware are isolated from each other. [Read more]

Filed Under Company news, Systems · Leave a Comment

ClamXav differential update

November 29, 2009

ClamXav ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.

The default install of ClamXav does not enable the automatic virus definition update. When a user enables those automatic updates, a ‘good old cron job’ is created for that user. Three minor concerns with that method are:

Each users on the system can enable the automatic updates leading to multiple redundant checks for new virus definitions
The users do not have write access to ClamXav directories and are not able to create a temporary directory required for differential updates. Fortunately ClamXav fall back to a standard update where the entire virus definition file is downloaded.
All the users who enable the automatic updates will get e-mails containing an error message like this one :
```
clamxav ERROR: chdir_tmp: Can't create directory ./clamav-97e66bd7fbb
```

Only the _clamav user has write access to his directories. I’ve found several workarounds for this by googling but most of them were either not secure like setting the _clamav user’s directories world wide writable, either not elegant like putting the cron job in the root’s crontab…

The only elegant workaround I’ve found so far is still requiring some manual configuration but at least it uses Apple’s vision of daemon and recurrent tasks; it uses launchd. I won’t explain launchd here but Apple website or AFP548 website are very good start to understand its philosophy.

We will configure a launchd daemon to start the virus definition update every day at 21:30 as _clamav user. Launchd is configured via property list files (.plist) placed in appropriate directories. In this case we want the daemon to be started as long as the system is started (i.e. regardless if a user is logged or not). We will place our plist file in /Library/LaunchDaemons/.

 1. <?xml version="1.0" encoding="UTF-8"?>
 2. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3. <plist version="1.0">
 4.   <dict>
 5.     <key>Label</key>
 6.     <string>com.clamxav.freshclam</string>
 7.     <key>UserName</key>
 8.     <string>_clamav</string>
 9.     <key>LowPriorityIO</key>
10.     <true/>
11.     <key>Nice</key>
12.     <integer>1</integer>
13.     <key>Program</key>
14.     <string>/usr/local/clamXav/bin/freshclam</string>
15.     <key>ProgramArguments</key>
16.     <array>
17.       <string>/usr/local/clamXav/bin/freshclam</string>
18.       <string>--quiet</string>
19.       <string>--log=/usr/local/clamXav/share/clamav/freshclam.log</string>
20.     </array>
21.     <key>StartCalendarInterval</key>
22.     <dict>
23.       <key>Hour</key>
24.       <integer>21</integer>
25.       <key>Minute</key>
26.       <integer>30</integer>
27.     </dict>
28.   </dict>
29. </plist>

Lines 5-6 : define the daemon’s name
Lines 7-8 : define the user the daemon will run as
Lines 9-12 : reduce the update process priority as it is not required to run fast
Lines 13-20 : define the daemon’s executable and its parameters
Lines 21- 27 : schedule when the daemon must run

That plist file must be placed in /Library/LaunchDaemons/. It will be automatically loaded after each reboot but you can manually load it with launchctl if you don’t want to restart your computer.

$ sudo launchctl load /Library/LaunchDaemons/com.clamxav.freshclam.plist
$ sudo launchctl list | grep com.clamxav.freshclam
-	0	com.clamxav.freshclam

Now you can check in the log file (/usr/local/clamXav/share/clamav/freshclam.log) the error message has disappeared and differential update is now working fine…

ClamAV update process started at Sat Nov 28 21:30:09 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-10091.cdiff [100%]
daily.cld updated (version: 10091, sigs: 115838, f-level: 44, builder: ccordes)
Database updated (660873 signatures) from database.clamav.net (IP: 193.1.193.64)
Clamd successfully notified about the update.

Thanks for leaving a comment if you found this useful

Filed Under Security, Systems · 2 Comments

Recent Posts

Recent Comments
- Kees: Thanks a lot, finally get of the can’t create ….. error Cheers
- Christophe Lemaire: Hi Melek, In order to take advantage of the redundant setup, I would go for HSRP or even GLBP if...
- Melek: Hi, Thank you for this post, it is really interesting. I am trying to implement the same design but I still...
- Matthew: Awesome post. This has been a thorn in my side for many months. I implemented this last night, told Clam not...

Categories
Archives

Cumulus

antivirus Cisco Company Firewall IPv6 Juniper Linux Mac OS X network Networks Security Systems VPN Company news (4)
Networking (4)
Security (4)
Systems (6)

WP Cumulus Flash tag cloud by Roy Tanck and Luke Morton requires Flash Player 9 or better.

-->