Cisco virtual bridge interfaces

Use a Bridge Virtual Interface (BVI) when you want multiple router interfaces to act as ports of a single Ethernet broadcast domain (a transparent bridge), or to bridge two separate network segments together.  Many wireless bridges use this function to attach their wireless clients to a local Ethernet.  IOS will not let you create a BVI until integrated routing and bridging is enabled globally, so start by turning that on and defining the bridge group:

router(config)#bridge irb
router(config)#bridge 202 protocol ieee
router(config)#bridge 202 route ip

Then put some interfaces into that group:

router(config)#int faste31
router(config-if)#bridge-group 202
router(config-if)#int faste32
router(config-if)#bridge-group 202
router(config-if)#int faste33
router(config-if)#bridge-group 202

Then, create the BVI interface:

router(config-if)#int bvi202
router(config-if)#desc new server cluster
router(config-if)#ip addr 198.22.62.65 255.255.255.240

Your BVI interface should come up, and these formerly routed ports are now members of a transparent bridge.  Confirm it with “show interfaces bvi202” and “show bridge 202”, which lists the MAC addresses learned on each bridged port.  Remember that the bridged ports now forward frames between each other at layer 2, so any interface ACLs you had on the individual ports no longer stand between those segments; the only routed hop is the BVI itself.

(Why am I using BVI instead of VLAN on a bunch of Ethernet ports?  This particular switch is configured as a router, and it really wants to treat all the interfaces as router interfaces.  It insists it doesn’t know how to configure a VLAN.  I’m certain that Cisco has a reason for this, but their explanation might put me off my feed.)

Request Tracker serialized workflow

RT offers many ways to manage workflow, but most of them create a separate ticket for each part of the workflow.  The tasks at my company are mostly serialized:  a request comes in, is worked on by person A, who hands it off to person B, who hands it to person C, who closes the request.  Opening a separate ticket for each of these isn’t efficient.  (The situation is different for parallelized tasks.)  I want a method to easily pass tickets from one person to the next.

apache22 LDAP auth

If you have a central auth directory, such as OpenLDAP, everything should authenticate against it, including your Web apps. Here’s how you set up a FreeBSD system to authenticate against your OpenLDAP directory. I did this on FreeBSD/i386 running 8.1-PRERELEASE, with Apache 2.2 and OpenLDAP 2.4. Before starting, make sure your OpenLDAP install is configured correctly. You should be able to successfully run ldapsearch(1) against your directory. If your base OpenLDAP install is busted, go no further.
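The shape of the Apache side of this setup, as an added example rather than the author’s own httpd.conf: a mod_authnz_ldap block for the apache22 port on FreeBSD. The host name, base DN, group DN, bind DN and CA file path are placeholders for your own directory. Before enabling it, prove the directory answers the same search the module will run, over the same transport, e.g. ldapsearch -x -H ldaps://ldap.example.com -b ou=people,dc=example,dc=com '(uid=someuser)'.

```apache
# Added example, not the original post's configuration. Host name, base DN,
# CA file, bind DN and group are placeholders for your own directory.

# The apache22 port installs modules under /usr/local/libexec/apache22/;
# paths here are relative to ServerRoot (/usr/local).
LoadModule ldap_module        libexec/apache22/mod_ldap.so
LoadModule authnz_ldap_module libexec/apache22/mod_authnz_ldap.so

# Trust only your own CA for the ldaps:// connection, and refuse a server
# whose certificate does not verify.
LDAPTrustedGlobalCert CA_BASE64 /usr/local/etc/openldap/cacert.pem
LDAPVerifyServerCert On

<Location /internal>
    AuthType Basic
    AuthName "Company directory login"
    AuthBasicProvider ldap

    # ldaps:// keeps the user's password off the wire between Apache and
    # OpenLDAP.  The filter limits logins to real account entries instead of
    # anything in the subtree that happens to carry a uid attribute.
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"

    # Only needed when the directory forbids anonymous search for uid.
    AuthLDAPBindDN       "cn=apache,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-me"

    # Do not fall through to other authz providers if LDAP says no.
    AuthzLDAPAuthoritative On

    # A successful bind alone is not enough: require group membership, so
    # every account in the directory does not automatically get this site.
    Require ldap-group cn=webusers,ou=groups,dc=example,dc=com
</Location>
```

Basic auth sends the password from the browser to Apache in the clear, so this Location belongs inside an HTTPS virtual host; encrypting the Apache-to-LDAP leg with ldaps:// does nothing for the browser-to-Apache leg.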

OpenSolaris iSCSI ZFS COMSTAR target, FreeBSD initiator

Storage is a pain.  I can spend lots of money to solve this problem, or I can find less expensive alternatives.  I’ve been using diskless servers lately, all served off of a big OpenSolaris machine.  (Why OpenSolaris?  It has a newer ZFS than FreeBSD.)  Performance is mediocre on NFSv2/3, and I want faster.  One obvious thing to try is iSCSI.

iSCSI requires targets (servers) and initiators (clients).  For this test I’m using OpenSolaris as the target and FreeBSD as the initiator.  For testing, both machines are running on ESXi, on older hardware that’s been removed from production.

FreeBSD/amd64-current virtual kernel

Back when machines had 128MB RAM, kernel customization was important.  Today, most standalone machines have so much RAM that trimming the kernel is pointless, until you virtualize.  Once you are assigning a virtual machine 128MB of RAM again, a smaller kernel is worth having again. I have a lot of single-purpose virtual machines with puny memory allocations.

Ubuntu is really annoying me

Installed a new Ubuntu 10.04 amd64 server yesterday.  (Before my BSD devotee readers scream in outrage, this is for a particular application.  When a software stack runs on a particular OS, you use that OS.)  On the first boot, the boot loader completed… and the screen went blank.  The hard drive light was on.

Single user mode?  Same thing.

Bad install?  But I could ping and SSH into the host.

new RouterBOARD 750

A heap of RouterBOARD 750s landed on my desk.  I want to use these to do daft things like VPN termination, MPLS, and so on, but they arrive configured as home NAT boxes.  Step one is to do basic setup on the box.  The MAC address is printed on the unit, so I can get the IP from the DHCP server.  Then I’ll use MikroTik’s WinBox management client.  A MikroTik’s default login is the user “admin” with no password.

Hmmm… I can’t get in from outside.  Sensible enough for a home NAT, I suppose, if annoying for me right now.  My laptop is running over wireless, so I have a free Ethernet port.  Plugging in a cable to the “inside” port gives me an address in 192.168.88.0/24, and I can browse to 192.168.88.1.  Good enough, but this bloody Windows box now has two default routes, and my Internet connectivity is hosed.

First, go to the firewall tab and disable the firewall and NAT.  I don’t want a “public” interface on this box, if possible. Then go to the DHCP tab to disable the default gateway on this lease.  The Web interface is clearly minimal, designed for the home user.  I need a better interface, so fire up Winbox.

Winbox can connect to the inside interface.  First off, go to the IP->DHCP Server, the Network tab, and remove the default gateway with the “up” arrow.  I “ipconfig /release && ipconfig /renew” on my laptop, and I once again have Internet connectivity over my wireless.

I want a static IP on the “outside” interface.  Go to IP->DHCP Client, and hit the red X to disable.  Now go to IP->Addresses and add a new address.  There’s no “netmask” in the IP setup screen; you have to use slash notation after the IP address (e.g., 192.0.2.1/25).

Then go to System->Users, select the Admin user, and set a password.  The box is up and on the network.
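The same basic setup from the RouterOS command line (a terminal in WinBox, or the serial console), as an added example that is not from the original post. It assumes ether1 is the “outside” port, that the inside DHCP network entry is 192.168.88.0/24, and uses 192.0.2.1/25 and a placeholder password. One deliberate difference from the click-through above: the admin password is set first, so there is never a window in which the firewall is off and the box still accepts a blank password. The ! prefix on a property in set unsets it in RouterOS.

```routeros
# Added example, not from the original post.  ether1, the addresses and
# the password are placeholders; adjust for your own unit.

# 1. Password first.  Nothing else should happen while admin has none.
/user set admin password="replace-me-with-a-real-one"

# 2. Stop handing the laptop a default gateway on the inside lease so its
#    wireless default route survives.  The ! form unsets the property.
/ip dhcp-server network set [find address="192.168.88.0/24"] !gateway

# 3. Management services: listen only on the inside network while the
#    firewall is down, and turn off the cleartext ones.
/ip service set [find name~"winbox|www|ssh"] address=192.168.88.0/24
/ip service disable [find name~"telnet|ftp"]

# 4. Now the home-NAT rules can go.  Disable rather than remove, so they
#    can be compared against later if something stops working.
/ip firewall nat disable [find]
/ip firewall filter disable [find]

# 5. Static address on the outside port instead of the DHCP client.
#    RouterOS takes the mask as a prefix length on the address.
/ip dhcp-client disable [find interface="ether1"]
/ip address add address=192.0.2.1/25 interface=ether1 comment="static outside"

# 6. Verify before unplugging the console.
/ip address print
/ip dhcp-client print
/ip service print
/user print
```

After step 5 the box is reachable on 192.0.2.1 from the outside segment with no firewall in front of it, which is exactly why the password and service restrictions come before that step rather than after.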

Next stop: Radius auth for admin logins.