
Tuesday, July 26, 2011

Broadcast issue with bridge-domain on ASR9000

By default, the Flood Optimization feature on the ASR9K prevents broadcast and multicast frames from being flooded to other interfaces that sit on different line cards.
For example, if a bridge-domain contains one Bundle-Ethernet interface and one physical interface, GigabitEthernet 0/1/0/12, a broadcast received on G0/1/0/12 will never be flooded to the BE interface.
In some applications that is not the desired behaviour. To change it, enter the flood mode convergence-optimized command under the bridge-domain configuration.

Friday, July 22, 2011

Cisco PPPoE: No idb found! Framed IP Addr might not be included

I ran into this issue today after setting a wrong value for the Cisco AVPair attribute in LDAP.
I have a radiusIPPool attribute in LDAP mapped to the Cisco AVPair that assigns the IP pool for PPPoE users.
The right format for this attribute is "ip:addr-pool=", but I put only
But the problem is that the Cisco BRAS does not reject the user's connection; it just logs "No idb found! Framed IP Addr might not be included". As a result the user keeps establishing new PPP connections to the BRAS until the maximum number of sessions for that user is reached or the BRAS has no more resources for new connections.

BE CAREFUL with Cisco AVPair. A wrong format can cause serious or unexpected problems.
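The debug output below shows what the IOS decoder does with the bare pool name: "parse VSA parts error" and the whole Vendor-Specific attribute is dropped, while the session is still accepted. The following checker is an added example, not code from the original post: it validates LDAP-sourced Cisco AVPair strings against the "protocol:attribute=value" shape before a RADIUS front end hands them to the NAS, and rewrites a bare pool name into the ip:addr-pool= form the post says is correct. The allow-list of attributes is an assumption made for the example, not a Cisco list.

```python
import re

# Expected shape of a Cisco AVPair value: "<protocol>:<attribute>=<value>".
# The working values in the post's log all use the "ip:" protocol prefix
# (ip:sub-qos-policy-in, ip:sub-qos-policy-out, and the intended ip:addr-pool).
AVPAIR_RE = re.compile(
    r"^(?P<proto>[A-Za-z0-9_-]+):(?P<attr>[A-Za-z0-9_#.-]+)=(?P<value>.*)$"
)

# Hypothetical allow-list of (protocol, attribute) pairs this RADIUS front end
# is willing to serve to PPPoE subscribers. Assumption for the example only.
ALLOWED_ATTRS = {
    ("ip", "addr-pool"),
    ("ip", "sub-qos-policy-in"),
    ("ip", "sub-qos-policy-out"),
}


def parse_avpair(raw):
    """Split a Cisco AVPair string into (protocol, attribute, value).

    Raises ValueError for anything that lacks the "<protocol>:<attribute>=<value>"
    shape; that is the condition the router reported as 'parse VSA parts error'.
    Trailing whitespace, which the logged values carry (e.g. "IP_POOL_03 "),
    is stripped before matching.
    """
    text = raw.strip()
    m = AVPAIR_RE.match(text)
    if m is None:
        raise ValueError("malformed Cisco AVPair: %r" % raw)
    proto, attr, value = m.group("proto"), m.group("attr"), m.group("value")
    if not value:
        raise ValueError("empty value in Cisco AVPair: %r" % raw)
    return proto, attr, value


def check_avpair(raw):
    """Classify one LDAP-sourced value before it goes into an Access-Accept.

    Returns "ok", "malformed" (decoder would reject it) or "not-allowed"
    (well-formed but not an attribute this front end should be sending).
    """
    try:
        proto, attr, _ = parse_avpair(raw)
    except ValueError:
        return "malformed"
    if (proto, attr) not in ALLOWED_ATTRS:
        return "not-allowed"
    return "ok"


def fix_pool_attribute(raw):
    """Turn a bare pool name (the mistake in the post) into ip:addr-pool=<pool>.

    A value that already parses as an AVPair is returned unchanged (whitespace
    stripped). Anything that is neither a pool name nor an AVPair is rejected.
    """
    text = raw.strip()
    if AVPAIR_RE.match(text):
        return text
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", text):
        raise ValueError("not a pool name: %r" % raw)
    return "ip:addr-pool=" + text


def audit(values):
    """Run check_avpair over every value; returns {value: status}."""
    return {v: check_avpair(v) for v in values}


if __name__ == "__main__":
    # Constructed sample: the three AVpair values seen in the post's log plus
    # the correctly formatted pool attribute.
    sample = [
        "ip:sub-qos-policy-in=NPC6_UP ",
        "ip:sub-qos-policy-out=NPC6_DOWN ",
        "IP_POOL_03 ",
        "ip:addr-pool=IP_POOL_03",
    ]
    for value, status in audit(sample).items():
        print("%-36r %s" % (value, status))
    print("fixed:", fix_pool_attribute("IP_POOL_03 "))
```

Running the checker in the path that reads LDAP and builds the Access-Accept turns a silently dropped attribute into an error on the AAA side, where it is visible, instead of a subscriber that loops through PPP sessions until the BRAS runs out of resources.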

Following is the log message:



Jul 22 13:17:10 VN-Time: RADIUS(00056ED0): Send Access-Request to 192.168.1.2:1812 id 1645/151, len 155
Jul 22 13:17:10 VN-Time: RADIUS:  authenticator 60 D0 60 C5 56 AF 76 65 - 95 40 85 C0 41 88 80 2D
Jul 22 13:17:10 VN-Time: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Jul 22 13:17:10 VN-Time: RADIUS:  User-Name           [1]   11  "ctvtnpc6a"
Jul 22 13:17:10 VN-Time: RADIUS:  User-Password       [2]   18  *
Jul 22 13:17:10 VN-Time: RADIUS:  NAS-Port-Type       [61]  6   PPPoEoVLAN                [33]
Jul 22 13:17:10 VN-Time: RADIUS:  NAS-Port            [5]   6   1124077332              
Jul 22 13:17:10 VN-Time: RADIUS:  NAS-Port-Id         [87]  13  "4/0/19/3860"
Jul 22 13:17:10 VN-Time: RADIUS:  Vendor, Cisco       [26]  41
Jul 22 13:17:10 VN-Time: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=0050.7f7a.02bb"
Jul 22 13:17:10 VN-Time: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Jul 22 13:17:10 VN-Time: RADIUS:  NAS-IP-Address      [4]   6   116.xxx.xxx.xxx            
Jul 22 13:17:10 VN-Time: RADIUS:  Acct-Session-Id     [44]  22  "4/0/19/3860_00057816"
Jul 22 13:17:10 VN-Time: RADIUS(00056ED0): Sending a IPv4 Radius Packet
Jul 22 13:17:10 VN-Time: RADIUS(00056ED0): Started 5 sec timeout
Jul 22 13:17:11 VN-Time: RADIUS: Received from id 1645/149 192.168.1.2:1812, Access-Reject, len 30
Jul 22 13:17:11 VN-Time: RADIUS:  authenticator 44 A6 24 BA 1A B8 0E B3 - A8 A5 F1 27 90 81 01 A7
Jul 22 13:17:11 VN-Time: RADIUS:  Reply-Message       [18]  10
Jul 22 13:17:11 VN-Time: RADIUS:   55 6E 6B 6E 6F 77 6E 20          [ Unknown ]
Jul 22 13:17:11 VN-Time: RADIUS(00056ECF): Received from id 1645/149
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: Reply-Message fragments, 8, total 8 bytes
Jul 22 13:17:11 VN-Time: RADIUS: Received from id 1645/150 192.168.1.2:1812, Access-Accept, len 218
Jul 22 13:17:11 VN-Time: RADIUS:  authenticator 74 B2 77 A0 FB E0 9B E3 - 87 5A 74 1E A1 48 20 0C
Jul 22 13:17:11 VN-Time: RADIUS:  Class               [25]  88
Jul 22 13:17:11 VN-Time: RADIUS:   53 42 52 32 43 4C 9C F2 A2 ED EF AF F3 B1 F3 C0 11 80 43 01 80 04 81 99 8C 86 80 02 80 0A 81 B1 DD 8E E7 A3 B9 E0 E3 9B 80 06 80 05 81 BC 80 C0 80 80 12 80 0E 81 9C F2 A2 ED EF AF F3 B1 F3 C0 80 81 97 C8 13 80 0E 81 99 8C 86 82 EB 8D E8 F6 BA 9B CE 86 99 D8           [ SBR2CLC]
Jul 22 13:17:11 VN-Time: RADIUS:  NAS-Port-Id         [87]  14  "4/0/19/3860 "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  37
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   31  "ip:sub-qos-policy-in=NPC6_UP "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  40
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   34  "ip:sub-qos-policy-out=NPC6_DOWN "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  19
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   13  "IP_POOL_03 "
Jul 22 13:17:11 VN-Time: RADIUS: Received from id 1645/151 192.168.1.2:1812, Access-Accept, len 220
Jul 22 13:17:11 VN-Time: RADIUS:  authenticator 6C 44 67 BC 5B 96 8A 52 - 18 5D E5 C2 8D 30 AE 49
Jul 22 13:17:11 VN-Time: RADIUS:  Class               [25]  90
Jul 22 13:17:11 VN-Time: RADIUS:   53 42 52 32 43 4C 9C F2 A2 ED EF AF F3 B1 F3 C0 11 80 45 01 80 04 81 99 8C 86 80 02 80 0B 81 B1 DD 8E E7 A3 B9 E0 E3 9B 98 A0 06 80 05 81 BC C0 C0 80 80 12 80 0E 81 9C F2 A2 ED EF AF F3 B1 F3 C0 80 81 97 CC 13 80 0F 81 99 8C 86 82 EB 8D E8 F6 BA 9B CE 86 99 D9 C2           [ SBR2CLE]
Jul 22 13:17:11 VN-Time: RADIUS:  NAS-Port-Id         [87]  14  "4/0/19/3860 "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  37
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   31  "ip:sub-qos-policy-in=NPC6_UP "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  40
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   34  "ip:sub-qos-policy-out=NPC6_DOWN "
Jul 22 13:17:11 VN-Time: RADIUS:  Vendor, Cisco       [26]  19
Jul 22 13:17:11 VN-Time: RADIUS:   Cisco AVpair       [1]   13  "IP_POOL_03 "
Jul 22 13:17:11 VN-Time: RADIUS(00056ED1): Received from id 1645/150
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: parse VSA parts error
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: convert VSA string; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: cisco VSA type 1; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: VSA; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: decoder; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: parse response op decode; FAIL
Jul 22 13:17:11 VN-Time: RADIUS(00056ED0): Received from id 1645/151
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: parse VSA parts error
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: convert VSA string; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: cisco VSA type 1; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: VSA; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: decoder; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: attribute Vendor-Specific; FAIL
Jul 22 13:17:11 VN-Time: RADIUS/DECODE: parse response op decode; FAIL
Jul 22 13:17:16 VN-Time: RADIUS: [No of bits] slot : 4 port : 3 adapter : 1
        vlanid : 24 vci : 0 vpi : 0 inner_vlan_id : 0
Jul 22 13:17:16 VN-Time: RADIUS: [No of bits] slot : 4 port : 3 adapter : 1
        vlanid : 24 vci : 0 vpi : 0 inner_vlan_id : 0
Jul 22 13:17:16 VN-Time: RADIUS: [No of bits] slot : 4 port : 3 adapter : 1
        vlanid : 24 vci : 0 vpi : 0 inner_vlan_id : 0
Jul 22 13:17:16 VN-Time: RADIUS/ENCODE(00056ED3):Orig. component type = PPPoE
Jul 22 13:17:16 VN-Time: RADIUS: DSL line rate attributes successfully added
Jul 22 13:17:16 VN-Time: RADIUS: Format E value 0x4 for character S with bitmask 0xF
Jul 22 13:17:16 VN-Time: RADIUS: Format E port 0x4 with bit 4 processed
Jul 22 13:17:16 VN-Time: RADIUS: Format E value 0x0 for character A with bitmask 0x1
Jul 22 13:17:16 VN-Time: RADIUS: Format E port 0x8 with bit 5 processed
Jul 22 13:17:16 VN-Time: RADIUS: Format E value 0x3 for character P with bitmask 0x7
Jul 22 13:17:16 VN-Time: RADIUS: Format E port 0x43 with bit 8 processed
Jul 22 13:17:16 VN-Time: RADIUS: Format E value 0xF14 for character V with bitmask 0xFFFFFF
Jul 22 13:17:16 VN-Time: RADIUS: Format E port 0x43000F14 with bit 32 processed
Jul 22 13:17:16 VN-Time: RADIUS(00056ED3): Config NAS IP: 0.0.0.0
Jul 22 13:17:16 VN-Time: RADIUS(00056ED3): Config NAS IPv6: ::
Jul 22 13:17:16 VN-Time: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
Jul 22 13:17:16 VN-Time: RADIUS/ENCODE(00056ED3): acct_session_id: 358425
Jul 22 13:17:16 VN-Time: RADIUS/ENCODE(00056ED3): Acct-session-id pre-pended with Nas Port = 4/0/19/3860
Jul 22 13:17:16 VN-Time: RADIUS(00056ED3): sending



Sunday, July 17, 2011

Installing Rsyslog and Log Analyzer

Operating system: Red Hat Enterprise Linux 6.

Assume that Apache has been installed and configured to work properly. The Apache document root is /var/www/html.

This installation aims to provide a syslog facility for network devices such as routers, switches and servers, and to use Log Analyzer to view and analyse the collected syslog.

1. Configuring Rsyslog
Rsyslog is installed by default on RHEL. If it is not, install it before continuing.
Configure Rsyslog to receive syslog over UDP port 514:
Edit /etc/rsyslog.conf
Uncomment $ModLoad imudp.so and $UDPServerRun 514
Add $ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format and comment out all other $ActionFileDefaultTemplate lines

Add *.* /var/log/syslog and comment out all other rules that are not used. This writes every syslog message received to the file /var/log/syslog.

Make Rsyslog start automatically when the OS reboots:
Run chkconfig rsyslog on
Start Rsyslog: /etc/init.d/rsyslog start
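The step-1 edits are easy to get half right (a second $ActionFileDefaultTemplate left uncommented, imudp loaded but no $UDPServerRun). The script below is an added example, not part of the original post: it reads an rsyslog.conf in the legacy "$directive" syntax used on RHEL 6 and reports which of the edits described above are missing. The sample configuration is constructed for the example.

```python
import re

# Constructed excerpt of /etc/rsyslog.conf after the step-1 edits (not a real
# file from the post): imudp enabled, one template active, one catch-all rule.
SAMPLE_CONF = """\
#### MODULES ####
$ModLoad imuxsock
$ModLoad imudp.so
$UDPServerRun 514
#### GLOBAL DIRECTIVES ####
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
#### RULES ####
*.* /var/log/syslog
#*.info;mail.none;authpriv.none;cron.none /var/log/messages
"""


def effective_lines(conf_text):
    """Yield the lines rsyslog will act on: non-empty and not commented out."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def check_rsyslog_conf(conf_text, udp_port=514,
                       template="RSYSLOG_SyslogProtocol23Format",
                       target="/var/log/syslog"):
    """Return a list of problems; an empty list means the step-1 edits are in place."""
    lines = list(effective_lines(conf_text))
    problems = []

    # UDP receiver: the module must be loaded (with or without the .so suffix)
    # and a listener started on the expected port.
    if not any(re.fullmatch(r"\$ModLoad\s+imudp(\.so)?", l) for l in lines):
        problems.append("imudp module is not loaded")
    if not any(re.fullmatch(r"\$UDPServerRun\s+%d" % udp_port, l) for l in lines):
        problems.append("no $UDPServerRun %d" % udp_port)

    # Exactly one active default template, and it must be the RFC 5424 one;
    # a second uncommented template line is the usual leftover.
    templates = []
    for l in lines:
        if l.startswith("$ActionFileDefaultTemplate"):
            parts = l.split()
            templates.append(parts[1] if len(parts) > 1 else "")
    if templates != [template]:
        problems.append("expected exactly one $ActionFileDefaultTemplate %s, found %r"
                        % (template, templates))

    # Catch-all rule writing everything to the target file.
    rules = [re.sub(r"\s+", " ", l) for l in lines if not l.startswith("$")]
    if ("*.* " + target) not in rules:
        problems.append("no '*.* %s' rule" % target)
    return problems


if __name__ == "__main__":
    for problem in check_rsyslog_conf(SAMPLE_CONF) or ["rsyslog.conf: OK"]:
        print(problem)
```

The checker only looks at the directives the post touches; run it against the real /etc/rsyslog.conf (open the file and pass its contents) after editing and before restarting the daemon.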

2. Installing Log Analyzer
Get it
Install it
DONE.
If you get the message "Syslog file is not readable, read access may be denied", the fix is described in the "Apache file permission issue" post below.

3. Configuring logging in Cisco IOS


logging esm config // Send every command the user enters to the syslog server. Used to track what users have done on IOS.
logging trap notifications // Lowest severity level to send to syslog. With this setting the syslog messages sent include emerg, alert, crit, err, warning and notice. If you want more messages, use logging trap info or a less severe level.
logging origin-id hostname // Include the HOSTNAME in each syslog message
logging source-interface Loopback0 // Source IP address used to send syslog messages
logging 192.168.16.9 // The syslog server
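With the template above, rsyslog writes each line in RFC 5424 form, and with logging trap notifications the devices only send severity 5 (notice) and below. The following triage script is an added example and not part of the original post: it decodes the PRI into facility and severity, pulls the IOS %FACILITY-SEVERITY-MNEMONIC tag out of the message, counts notice-or-worse messages per host, lists configuration changes (CONFIG_I) and flags lines where the PRI severity disagrees with the severity inside the IOS tag, which is worth knowing about when a relay or collector rewrites PRI. The sample lines are constructed for the example and the field layout (hostname repeated in the body because of logging origin-id hostname) is an assumption about how the collector renders them.

```python
import re
from collections import Counter

# RFC 5424 header as written by rsyslog's RSYSLOG_SyslogProtocol23Format:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# Cisco IOS message tag: %FACILITY-SEVERITY-MNEMONIC:
IOS_TAG_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (not from a real collector). Cisco devices log to
# facility local7 by default, so PRI = 23*8 + severity. The last line carries a
# PRI severity (6) that disagrees with the severity in its IOS tag (4).
SAMPLE = [
    "<189>1 2011-07-17T09:12:03.000000+07:00 core-rtr1 - - - - 1042: core-rtr1: Jul 17 09:12:03.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.16.20)",
    "<187>1 2011-07-17T09:13:40.000000+07:00 edge-sw2 - - - - 77: edge-sw2: Jul 17 09:13:40.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>1 2011-07-17T09:14:02.000000+07:00 core-rtr1 - - - - 1043: core-rtr1: Jul 17 09:14:02.300: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.16.9 port 514 started - CLI initiated",
    "<190>1 2011-07-17T09:15:55.000000+07:00 bras-1 - - - - 5001: bras-1: Jul 17 09:15:55.010: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.20.30.40] [localport: 22] [Reason: Login Authentication Failed] at 09:15:55 VN Sun Jul 17 2011",
]


def parse_line(line):
    """Parse one RFC 5424 line into a dict; 'ios' holds the decoded IOS tag or None."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 line: %r" % line[:40])
    facility, severity = divmod(int(m.group("pri")), 8)
    rec = {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY[severity],
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "msg": m.group("msg"),
        "ios": None,
    }
    tag = IOS_TAG_RE.search(rec["msg"])
    if tag:
        rec["ios"] = {"facility": tag.group("fac"),
                      "severity": int(tag.group("sev")),
                      "mnemonic": tag.group("mnem")}
    return rec


def triage(lines, max_severity=5):
    """Summarise a batch of lines.

    per_host: count of messages at or below max_severity (5 = notice, the
              level the 'logging trap notifications' setting above sends).
    config_changes: (host, msg) for every CONFIG_I message.
    mismatches: (host, mnemonic, pri_severity, tag_severity) where the PRI and
                the IOS tag disagree, checked on every line regardless of level.
    """
    per_host = Counter()
    config_changes = []
    mismatches = []
    for line in lines:
        rec = parse_line(line)
        if rec["severity"] <= max_severity:
            per_host[rec["host"]] += 1
        ios = rec["ios"]
        if ios and ios["severity"] != rec["severity"]:
            mismatches.append((rec["host"], ios["mnemonic"], rec["severity"], ios["severity"]))
        if ios and ios["mnemonic"] == "CONFIG_I":
            config_changes.append((rec["host"], rec["msg"]))
    return {"per_host": per_host, "config_changes": config_changes, "mismatches": mismatches}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("notice-or-worse per host:", dict(result["per_host"]))
    for host, msg in result["config_changes"]:
        print("config change on %s: %s" % (host, msg))
    for host, mnem, pri_sev, tag_sev in result["mismatches"]:
        print("PRI/tag mismatch on %s (%s): PRI says %d, tag says %d" % (host, mnem, pri_sev, tag_sev))
```

Point it at /var/log/syslog by reading the file line by line and passing the list to triage(); lines that are not RFC 5424 (for example from a device still sending the traditional format) raise ValueError, which is a useful signal in itself that the template or the device configuration is not what you expect.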

Apache file permission issue

This one drove me crazy.
I tried to set up the Log Analyzer site but could not get it working as expected. Instead of syslog information, all I got was "Syslog file is not readable, read access may be denied".

Searching the net and asking friends for help did not work. All I got were suggestions such as:
chmod 644, 755 or even 777
or chown

At last I found out that the main cause of the issue is SELinux. SELinux prevents Apache from accessing files outside the directories it has been granted (that is, /var/www). The following shows how to overcome this:
Solution 1:
Disable SELinux (not recommended)
edit /etc/selinux/config
change SELINUX=enforcing to SELINUX=disabled
DONE.

Solution 2:
Grant the apache user (the account the web server runs as) permission over /var/log/ or wherever the syslog file is kept.

OpenLDAP for ISP on RedHat Enterprise 6

This post shows, step by step, how to install OpenLDAP on RHEL 6.
The next post will show how to add the LDAP objects and AAA attributes that are commonly used in an Internet Service Provider environment (such as Framed-IP-Address, NAS-Port-ID...)

1. Installing compiler tools
RHEL does not install these by default, at least not in my case, so install them first.
2. Installing Prerequisites software
2.1. Installing Oracle Berkeley Database
[root@openldap db-5.1.25]# cd build_unix
[root@openldap db-5.1.25]# ../dist/configure
[root@openldap db-5.1.25]# make
[root@openldap db-5.1.25]# make install

2.2. Installing OpenSSL
Get it (requires an internet connection from the server)
[root@openldap tmp]# wget http://www.openssl.org/source/openssl-1.0.0d.tar.gz
Install it
[root@openldap tmp]# tar zxvf openssl-1.0.0d.tar.gz
[root@openldap openssl-1.0.0d]# ./config
[root@openldap openssl-1.0.0d]# make
[root@openldap openssl-1.0.0d]# make install

2.3. Installing Cyrus SASL
Install Cyrus SASL from the RHEL DVD: [root@openldap Packages]# rpm -Uvh cyrus-sasl-2.1.23-8.el6.x86_64.rpm
2.4. Installing Kerberos Authentication Service
3. Installing OpenLDAP
3.1. Get the latest version
http://www.openldap.org/software/download/
3.2. Compile and install
CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
export CPPFLAGS
LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.7/lib -R/usr/local/BerkeleyDB.4.7/lib"
export LDFLAGS
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.7/lib"
export LD_LIBRARY_PATH

4. Configuring OpenLDAP

4.1. Create database for storing config information (config DIT)
4.2. Create database for root DIT
In this example, root DIT is: dc=test, dc=com