RackTables is a datacenter asset management system. By default is is configured with several object-types that are used in most datacenters, like network-switch, server, PDU, ups, etc. However, some obvious object types are missing. A firewall or loadbalancer are quite often used in datacenter environments. But RackTables is very flexible and extensible. You can easily add your own custom object type. To do this, follow the following steps.
- Go to Configuration, Dictionary
- Click RackObjectType
- Click the ‘Edit’ tab
- Add the Object-type you want and click the ‘+’
By default, you cannot attach an ip address to an object-type. This must be configured manually. To make the object IPv4 enabled, follow the following steps.
- Go to Configuration, User-interface
- Click the ‘change’ tab
- Add the object id to the textbox named ‘List source: IPv4-enabled objects’
The list of IPv4 enabled objects should be something like:
{$typeid_4} or {$typeid_7} or {$typeid_8} or {$typeid_12} or {$typeid_445} or {$typeid_447} or {$typeid_50019} or {$typeid_2} or {$typeid_50063}
I use Racktables to keep track of the devices in our network. To backup the configuration of our network devices I use rancid. To prevent having to edit and update multiple configuration files and systems, I thought it would be a good idea to centralize this and use Racktables as a source for configuring other systems. Racktables is a very extensible system that allows you to add attributes to a category yourself. I’ve added a ‘Rancid’ attribute as a dictionary item containing ‘Yes’ and ‘No’. I’ve bound this attribute to the object categories (Networkswitch, firewall and router) I want to backup with Rancid. I’ve scheduled a cronjob that runs the attached script, creating the routers.db file that is used by rancid.
The script runs an sql query to include all devices that have the Rancid attribute set to ‘Yes’.
To use this script in your environment, you have to edit the sql query to use the id of your rancid attribute in the dictionary. In my case the rancid attribute has the id ’10003′ and the ‘Yes’ dictionary id is ’50030′. These values can be found by looking in the racktables database.
Download the racktables-rancid export script.
Download the wrapper script
While migrating the authentication of our ASA firewalls to tacacs, we enabled ‘enable’ authentication to tacacs and tried to switch to enable mode on the console. This did not work, and caused the following message in the tacacs log file:
Wed Jan 13 17:07:42 2010 [25444]: enable query for 'username' 13 from 10.x.x.x rejected
To fix this problem the tacacs configuration for the user needs to include the enable password in the profile, as shown below:
user = username {
login = des "XXXXXXX"
member = admin
acl = mgmt_devices
service = shell {
priv-lvl = 15
}
enable = des "XXXXXXX"
}
We use the following configuration on the ASA to enable AAA to tacacs.
aaa-server tacacs protocol tacacs+
aaa-server tacacs (outside) host 1.1.1.1
key TACACSKEY
aaa-server tacacs (outside) host 2.2.2.2
key TACACSKEY
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authorization command tacacs LOCAL
Tacacs is a great way to centralize user authentication, authorization and accounting. While tacacs originally is a Cisco thing, there is an open source server version available, tac_plus (http://www.gazi.edu.tr/tacacs/index.php?page=download). Installing the tacacs server is quite straight forward. Configuring the switch is not difficult either, as long as you think about possible failures. You don’t want to be locked out of your switches when your tacacs server is not available. I use the following configuration that uses two tacacs servers and asks for the enable password when neither of the tacacs servers is available. To enter ‘enable’ mode, the configured enable password suffices. Use the following Cisco configuration for a save AAA authentication.
NOTE: Always be careful when changing authentication and authorization configuration, as this might lock you out of the device. The savest way is to do this on the console of the machine.
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
tacacs-server host 1.1.1.1 single-connection
tacacs-server host 2.2.2.2 single-connection
tacacs-server key TACACSKEY
tacacs-server directed-request
To restrict access to specific devices, you can configure an ACL in the tacacs configuration on the server (tac_plus.conf). See the example below.
user = username {
login = des "XXXX"
member = admin
acl = mgmt_devices
service = shell {
priv-lvl = 15
}
}
group = admin {
default service = permit
service = exec {
priv-lvl = 15
}
}
# acl's
acl = mgmt_devices {
permit = 12.12.12.12
permit = 13.13.13.13
}
We have a small VOIP network with 10 phone, a dedicated DSL line from Orange/Online and an external Asterisk server in a datacenter. The DSL line is terminated on a Speedtouch modem. With the default settings of the modem we experienced two problems:
- Incoming calls did not get through
- The sound of outgoing calls disappeared while the call was not dropped
In the Asterisk logs we could see the following message:
[Dec 30 13:40:51] WARNING[1911] chan_sip.c: Maximum retries exceeded on transmis
sion 0016c7ea-28120012-73ca27ca-35d5391a@10.0.0.45 for seqno 102 (Critical Respo
nse) -- See doc/sip-retransmit.txt.
[Dec 30 13:40:51] WARNING[1911] chan_sip.c: Hanging up call 0016c7ea-28120012-73
ca27ca-35d5391a@10.0.0.45 - no reply to our critical packet (see doc/sip-retrans
mit.txt).
To fix this, you have to disable the SIP helper on the Speedtouch modem. Connect to the modem with telnet (default ip: 10.0.0.138, default user: Administrator, default password: ) and enter the following commands:
_{Administrator}=>connection
{Administrator}[connection]=>appconfig application=SIP SIP_ALG=disabled
{Administrator}[connection]=>exit
