
Netdisco 2 Service Startup Script for CentOS/Red Hat

I have been trying out the new Netdisco 2 package from https://metacpan.org/pod/App::Netdisco and I must say I'm quite impressed by the new version: it has a new interface and is quite smooth to operate. Everything is bundled inside the package and deployed as part of CPAN. It is quite different from Netdisco 1 in terms of installation and configuration, and a bit easier to work with.

One of the things I needed was a startup script to start the netdisco-daemon and netdisco-web services on Red Hat / CentOS, so I built a custom service script for each.

Simply download the netdisco-web and netdisco-daemon files, remove the .txt extension, and drop them into /etc/init.d on your Red Hat/CentOS system using WinSCP or similar.

Once the files are in there, add execute permission: go into /etc/init.d in a terminal and run

[[email protected] init.d]# chmod +x netdisco-daemon 
[[email protected] init.d]# chmod +x netdisco-web

Then register the scripts with the startup process (chkconfig --add reads the chkconfig header in each script for its run levels and start/stop priorities):

[[email protected] init.d]# chkconfig --add netdisco-daemon 
[[email protected] init.d]# chkconfig --add netdisco-web 
[[email protected] init.d]# chkconfig netdisco-daemon on --level 2345 
[[email protected] init.d]# chkconfig netdisco-web on --level 2345

Let's check the startup run levels; looks good:

[[email protected] init.d]# chkconfig --list | grep netdisco
netdisco-daemon 0:off 1:off 2:on 3:on 4:on 5:on 6:off 
netdisco-web 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Now let's check the services:

[[email protected] init.d]# service netdisco-web start
Netdisco Web [Started]
config watcher: watching /home/netdisco/environments for updates.
[[email protected] init.d]# service netdisco-daemon start
Netdisco Daemon [Started]
config watcher: watching /home/netdisco/environments for updates.

We can see it is working well.

We can also pass the "help" parameter to see what actions the service offers:

[[email protected] init.d]# service netdisco-daemon help
Usage: {start|stop|restart|status|help}
[[email protected] init.d]# service netdisco-web help
Usage: {start|stop|restart|status|help}

I finally have my Netdisco 2 services operational and working well. The boot scripts are ordered so that PostgreSQL, which Netdisco relies on, starts first, then the daemon, and finally the web service.
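The downloadable scripts themselves are not reproduced in this post, so here is an added example of what such a wrapper looks like; it is not the post's own script. It assumes Netdisco 2 was installed the way its CPAN instructions describe, into the home directory of a dedicated unprivileged user "netdisco", so Netdisco's own control script is /home/netdisco/bin/netdisco-daemon (both the user and the path can be overridden through NETDISCO_USER and NETDISCO_HOME). The chkconfig and LSB headers are what make the ordering described above happen: start priority 85 is later than PostgreSQL's (64 on CentOS 6), and Required-Start names postgresql explicitly.

```shell
#!/bin/sh
# /etc/init.d/netdisco-daemon  -  SysV init wrapper for the Netdisco 2 backend
#
# chkconfig: 2345 85 15
# description: Netdisco 2 backend daemon (netdisco-daemon). Started after PostgreSQL.
#
### BEGIN INIT INFO
# Provides:          netdisco-daemon
# Required-Start:    $local_fs $network postgresql
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Netdisco 2 backend daemon
### END INIT INFO
#
# Assumptions (added example, not the post's own script): Netdisco 2 lives in
# the home directory of an unprivileged "netdisco" user, so its own control
# script is /home/netdisco/bin/netdisco-daemon.

NETDISCO_USER="${NETDISCO_USER:-netdisco}"
NETDISCO_HOME="${NETDISCO_HOME:-/home/netdisco}"
NETDISCO_BIN="$NETDISCO_HOME/bin/netdisco-daemon"

usage() {
    echo "Usage: ${0##*/} {start|stop|restart|status|help}"
}

# Whitelist of actions forwarded to Netdisco's own script. Anything else is
# rejected before it can be interpolated into the su -c command line.
valid_action() {
    case "$1" in
        start|stop|restart|status) return 0 ;;
        *) return 1 ;;
    esac
}

# The exact command line executed as the netdisco user; kept separate so it
# can be inspected without starting anything.
netdisco_cmd() {
    printf '%s %s' "$NETDISCO_BIN" "$1"
}

run_action() {
    if ! valid_action "$1"; then
        usage >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "${0##*/}: must be run as root (it switches to $NETDISCO_USER)" >&2
        return 1
    fi
    if [ ! -x "$NETDISCO_BIN" ]; then
        echo "${0##*/}: $NETDISCO_BIN is missing or not executable" >&2
        return 1
    fi
    # Never run Netdisco as root: drop to the unprivileged service account.
    su - "$NETDISCO_USER" -c "$(netdisco_cmd "$1")"
}

# Dispatch only when an action was given, so the file can also be sourced
# (for example from a test) to exercise the functions above.
if [ "$#" -gt 0 ]; then
    case "$1" in
        help) usage; exit 0 ;;
        *)    run_action "$1"; exit $? ;;
    esac
fi
```

For netdisco-web, a copy of the same file with NETDISCO_BIN pointing at bin/netdisco-web, chkconfig start priority 86 and netdisco-daemon added to Required-Start gives the PostgreSQL, then daemon, then web order; chkconfig --add picks the priorities up from the headers.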

I haven't tested on other Linux platforms, but I'm sure it will work there as well with possibly a few tweaks. Hopefully it will assist you too.


Configuring Cisco ASA 5506-X IPv6 with Prefix Delegation (PD)

On 24 August 2016 Cisco released new ASA code, 9.6.2, adding further IPv6 support: Prefix Delegation. Recently Telstra (an Australian ISP) enabled IPv6 on NBN (National Broadband Network) services, and I thought what better way to try this out than on my ASA 5506-X. I will go through the basic process of getting IPv6 to work on a Cisco ASA with PD.

In the steps below GigabitEthernet1/1 is the outside interface, and GigabitEthernet1/2 is the inside interface.

1) The first step is configuring IPv6 on the outside interface. At this point no global IPv6 address is configured on the firewall; the interface only runs as a DHCPv6 / prefix-delegation client.

interface GigabitEthernet1/1
 ipv6 address autoconfig default trust dhcp
 ipv6 address dhcp default
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp client pd ciscoasa

2) The ISP will provide the prefix to be used. Collect the details with the following command:

show ipv6 dhcp interface outside

This shows the default gateway (Reachable via address) and the prefix delegated by the ISP (Prefix):

GigabitEthernet1/1 is in client mode
 Prefix State is OPEN
 Renew will be sent in 01:37:04
 Address State is SOLICIT
 List of known servers:
 Reachable via address: fe80::fac0:1ff:fe70:17c0
 DUID: 000100011914BB0A00144FFA6B62
 Preference: 0
 Configuration parameters:
 IA PD: IA ID 0x00020001, T1 7200, T2 11520
 Prefix: 2001:8003:a02c:8700::/56
 preferred lifetime 14400, valid lifetime 14400
 expires at Sep 01 2016 03:40 AM (13024 seconds)
 Information refresh time: 0
 Vendor-specific Information options:
 Enterprise-ID: 1088
 Prefix name: ciscoasa

3) Then we need to configure the interfaces with these addresses. With the command show ipv6 interface we can find the link-local address of the outside interface and reuse its EUI-64 portion (the part after fe80::) for the global address:

outside is up, line protocol is up
   IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106

With these two pieces of information we can configure the address used on the outside interface and also configure the ipv6 dhcp client pd hint. The hint asks the ISP to keep issuing the same prefix so that, in practice, it behaves like a static assignment. Note that a hint is only a request: if the ISP ever delegates a different prefix, any address typed in from the old prefix (such as the inside subnet in step 4) no longer belongs to it, so check show ipv6 general-prefix after renewals.

interface GigabitEthernet1/1
 ipv6 address ciscoasa ::5287:89ff:fefc:7106/64
 ipv6 dhcp client pd hint 2001:8003:a02c:8700::/56

In this case the outside network will be the first /64 of the delegation, 2001:8003:a02c:8700::/64.

We can also configure the IPv6 default route via the link-local address of the Telstra router:

show ipv6 routers
 ! shows the link-local address of the upstream router to use as the default gateway
 Router fe80::fac0:1ff:fe70:17c0 on outside, last update 9 min
   Hops 64, Lifetime 1800 sec, AddrFlag=1, OtherFlag=0
   Reachable time 0 msec, Retransmit time 0 msec

ipv6 route outside ::/0 fe80::fac0:1ff:fe70:17c0

4) The next step is configuring the inside interface. We give it the next /64 out of the delegated /56, 2001:8003:a02c:8701::/64, so that it does not overlap the outside subnet.

interface GigabitEthernet1/2
 ipv6 enable
 ipv6 address 2001:8003:a02c:8701::/64 eui-64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag

An IPv6 DHCP pool was also configured. This works as stateless DHCPv6: the interface only advertises the prefix in its router advertisements, each host builds its own interface identifier (EUI-64, or the random/temporary identifiers most modern hosts use, which is why several addresses per MAC show up in the neighbour table below), and the DHCPv6 server only answers Information Requests for DNS and domain details. The other-config-flag is what points hosts at that server; the managed-config-flag additionally tells them to ask DHCPv6 for an address, which this stateless server will not hand out, so only the other-config-flag is strictly needed here. In the case below I have also added the Telstra IPv6 DNS servers, but you can add your own, or use import dns-server to take the ones learnt from the ISP.

ipv6 dhcp pool ALCATRONV6
dns-server 2001:8000:101::1
dns-server 2001:8000:101::2
domain-name alcatron.net

interface GigabitEthernet1/2
 ipv6 dhcp server ALCATRONV6
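The address planning in steps 3 and 4 (take the delegated prefix, give the outside interface its first /64 with the interface's own EUI-64 suffix, give the inside the next /64) is easy to get wrong by hand, particularly if the ISP hands out a /60 instead of a /56. The following POSIX shell helper is an added example, not from the original post or from Cisco: it carves the n-th /64 out of a delegated prefix, refuses subnet numbers that do not fit, and prints the matching ASA lines. It assumes the prefix is written as the ASA prints it (four hextets followed by ::/LEN, with LEN one of 48, 52, 56, 60 or 64), that the link-local address is written as fe80:: followed by the interface identifier, and it uses the interface names from this post.

```shell
#!/bin/sh
# Added example (not from the post): carve /64 subnets out of a DHCPv6-PD
# delegated prefix and emit the matching ASA interface lines.
#
# Assumptions: the delegated prefix is written as the ASA prints it, four
# hextets followed by "::/LEN" (e.g. 2001:8003:a02c:8700::/56) with LEN one
# of 48, 52, 56, 60 or 64; the link-local address is written as "fe80::"
# followed by the interface identifier.

# pd_subnet PREFIX/LEN N  ->  the N-th /64 inside the delegation (N=0 is the first)
pd_subnet() {
    prefix="${1%/*}"                      # 2001:8003:a02c:8700::
    plen="${1##*/}"                       # 56
    n="$2"
    hextets="${prefix%::}"                # 2001:8003:a02c:8700
    case "$hextets" in
        *:*:*:*:*|*[!0-9a-fA-F:]*) echo "pd_subnet: want four hextets, got $1" >&2; return 1 ;;
        *:*:*:*) ;;
        *) echo "pd_subnet: want four hextets, got $1" >&2; return 1 ;;
    esac
    case "$plen" in
        48|52|56|60|64) ;;
        *) echo "pd_subnet: unsupported prefix length /$plen" >&2; return 1 ;;
    esac
    head="${hextets%:*}"                  # first 48 bits: 2001:8003:a02c
    g4=$(printf '%04x' "0x${hextets##*:}")  # 4th hextet, zero-padded: 8700
    fixed=$(( (plen - 48) / 4 ))          # hex digits of the 4th hextet owned by the ISP
    width=$(( 4 - fixed ))                # hex digits left for our own subnet id
    if [ "$n" -lt 0 ] || [ "$n" -ge $(( 1 << (width * 4) )) ]; then
        echo "pd_subnet: subnet $n does not fit in a /$plen (0..$(( (1 << (width * 4)) - 1 )))" >&2
        return 1
    fi
    keep=""; sub=""
    if [ "$fixed" -gt 0 ]; then keep=$(printf '%s' "$g4" | cut -c1-"$fixed"); fi
    if [ "$width" -gt 0 ]; then sub=$(printf "%0${width}x" "$n"); fi
    # ISP-owned digits followed by our subnet id, printed without leading zeros
    printf '%s:%x::/64\n' "$head" "0x$keep$sub"
}

# asa_pd_config PREFIX/LEN OUTSIDE-LINK-LOCAL PD-NAME
# Outside gets subnet 0 of the delegation with the interface's own EUI-64
# suffix (the post's "ipv6 address <pd-name> ::<suffix>/64" form) plus a PD
# hint for the same prefix; inside gets subnet 1 and lets hosts do SLAAC.
asa_pd_config() {
    delegated="$1"; linklocal="$2"; pdname="$3"
    case "$linklocal" in
        fe80::*) ;;
        *) echo "asa_pd_config: expected a fe80:: link-local address, got $linklocal" >&2; return 1 ;;
    esac
    suffix="${linklocal#fe80::}"          # 5287:89ff:fefc:7106
    inside=$(pd_subnet "$delegated" 1) || return 1
    cat <<EOF
interface GigabitEthernet1/1
 ipv6 address $pdname ::$suffix/64
 ipv6 dhcp client pd hint $delegated
interface GigabitEthernet1/2
 ipv6 address $inside eui-64
EOF
}

# Example run with the values from this post:
# asa_pd_config 2001:8003:a02c:8700::/56 fe80::5287:89ff:fefc:7106 ciscoasa
```

With a /60 delegation the same call still works but only subnets 0 to 15 exist, and asking for subnet 16 fails loudly instead of silently producing an address outside the delegation.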

5) Finally we can verify that hosts are picking up the prefix and configuring their own IPv6 addresses:

ciscoasa-5506X# sh ipv6 neighbor | inc 2001

2001:8003:a02c:8701:497f:8a80:b975:d580    30 a4b8.058e.8236  STALE inside
 2001:8003:a02c:8701:d565:2f36:d9b:32a7     39 1c5c.f2b4.6cad  STALE inside
 2001:8003:a02c:8701:7c57:4bd5:bb68:1b9     17 a4b8.058e.8236  STALE inside
 2001:8003:a02c:8701:c122:30ca:7b52:42ea     9 1c5c.f2b4.6cad  STALE inside
 2001:8003:a02c:8701:5f:860c:b32b:c7        43 0015.5d01.0602  STALE inside
 2001:8003:a02c:8701:597e:471f:bfd9:df3f     0 0cc4.7a70.a0a7  REACH inside
 2001:8003:a02c:8701:6820:c272:e85e:2feb    20 7081.eb1a.c6e5  STALE inside
 2001:8003:a02c:8701:f4d4:b595:88f8:374d    40 1c5c.f2b4.6cad  STALE inside
 2001:8003:a02c:8701:8574:1c6f:5fd6:1f1b    43 20c9.d07a.5777  STALE inside

And verify the IPv6 connections:

ciscoasa-5506X# show conn | inc 2001

TCP outside  2404:6800:4006:806::2003:80 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51324, idle 0:00:32, bytes 15286, flags UIO
 TCP outside  2404:6800:4006:806::2005:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51333, idle 0:00:14, bytes 630639, flags UIO
 TCP outside  2a03:2880:f019:1:face:b00c:0:1:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51194, idle 0:02:03, bytes 17643, flags UIO
 TCP outside  2a03:2880:f019:1:face:b00c:0:1:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51193, idle 0:01:23, bytes 8865, flags UFRIO

Other useful commands you will need:

sh ipv6 interface
 ! show the configured IPV6 addresses and subnet masks
 outside is up, line protocol is up
   IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106
   Global unicast address(es):
     2001:8003:a02c:8700:5287:89ff:fefc:7106, subnet is 2001:8003:a02c:8700::/64
   Joined group address(es):
     ff02::1:fffc:7106
     ff02::2
     ff02::1
sh ipv6 general-prefix
 ! shows the prefix acquired via PD and its lifetimes
 IPv6 Prefix ciscoasa, acquired via DHCP PD
   2001:8003:a02c:8700::/56 Valid lifetime 11664, preferred lifetime 11664
    Consumer List                Usage count
     outside (Address command)   1

Another issue I had was getting traceroute to work correctly. To make sure this worked I had to ensure I had the following lines in the outside access list (bound to the interface with access-group Outside_access_in in interface outside, if it is not already). Be aware that the last line permits every ICMPv6 type from the outside to any inside host, which makes the three lines above it redundant and also lets in unsolicited echo requests and any other ICMPv6 message. If you only want replies to your own traffic, keep the echo-reply, time-exceeded and unreachable entries, add packet-too-big (needed for IPv6 path MTU discovery) and drop the catch-all; you can tweak this however you like with the access lists.

access-list Outside_access_in extended permit icmp6 any6 any6 echo-reply
access-list Outside_access_in extended permit icmp6 any6 any6 time-exceeded
access-list Outside_access_in extended permit icmp6 any6 any6 unreachable
access-list Outside_access_in extended permit icmp6 any6 any6

The global policy map was modified to ensure that traceroute worked for both IPv4 and IPv6: icmp and icmp error inspection let echo replies and ICMP error messages through for existing connections, and decrement-ttl makes the ASA itself show up as a hop in the path instead of being invisible. You might have other inspections in the policy map; leave those and append the ones below that are missing.

policy-map global_policy
 class inspection_default
   inspect icmp
   inspect icmp error
 class class-default
   set connection decrement-ttl

service-policy global_policy global

This was a steep learning experience, but I finally have dual-stack IPv4 and IPv6 running on Telstra NBN through a Cisco ASA 5506-X. I have seen no articles dealing with prefix delegation on Cisco ASAs, so I thought I would do this write-up so that it can benefit others. Any questions, comments or feedback welcome as usual 🙂


Cisco ASA 5506-X IPv6

On the 24th of August 2016 Cisco released version 9.6.2 of its ASA software. The new version brings more IPv6 support to the platform.

The ASA now supports the following features for IPv6 addressing:

  • DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.
  • DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresses so that Stateless Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.
  • BGP router advertisement for delegated prefixes
  • DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

If you have loaded the new software, how did you go getting IPv6 working in your environment?

At the moment I am trialling the new software with my carrier, to see whether I can get full IPv4 and IPv6 dual stack working on the ASA platform.
