Wednesday, April 10, 2013

Here you will find answers to Spanning Tree Protocol Questions

Question 1
Spanning Tree Protocol IEEE 802.1s defines the ability to deploy which of these?
A. one global STP instance for all VLANs
B. one STP instance for each VLAN
C. one STP instance per set of VLANs
D. one STP instance per set of bridges

Answer: C
Explanation
The IEEE 802.1s standard is the Multiple Spanning Tree (MST). With MST, you can group VLANs and run one instance of Spanning Tree for a group of VLANs.
Other STP types:
+ Common Spanning Tree (CST), defined in IEEE 802.1Q, runs one spanning tree instance for all VLANs (choice A).
+ Rapid Spanning Tree (RSTP), defined in IEEE 802.1w, speeds up STP convergence. Switch ports exchange an explicit handshake when they transition to forwarding.
+ One instance per VLAN (choice B) is Cisco's proprietary PVST+ (and Rapid PVST+), not an IEEE standard.
Question 2
Which two of these are used in the selection of a root bridge in a network utilizing Spanning Tree Protocol IEEE 802.1D? (Choose two)
A. Designated Root Cost
B. bridge ID priority
C. max age
D. bridge ID MAC address
E. Designated Root Priority
F. forward delay

Answer: B D
Explanation
The IEEE 802.1D standard (STP) creates a loop-free Layer 2 topology. The root bridge is elected using the bridge ID, a field carried in every configuration BPDU. It is 8 bytes long: the first two bytes are the bridge priority, an integer in the range 0 – 65,535 (default 32,768), and the last six bytes are a MAC address supplied by the switch. (On switches that use the extended system ID, only the top 4 bits of the priority field are configurable, in steps of 4096; the low 12 bits carry the VLAN or MST instance number. The comparison below still applies to the whole 16-bit field.)
In STP, lower bridge ID values are preferred. To compare two bridge IDs, the priority is compared first. If two bridges have equal priority, then the MAC addresses are compared. For example, if switch A (MAC=0600.0000.1111) and B (MAC=0600.0000.2222) both have a priority of 10, then switch A will be selected as the root bridge because it has lower MAC.
Question 3
If a port configured with STP loop guard stops receiving BPDUs, the port will be put into which state?
A. learning state
B. listening state
C. forwarding state
D. root-inconsistent state

Answer: D
Explanation
Loop Guard protects the non-designated ports of a switch (its root port and any alternate, i.e. blocked, ports, typically on trunks) from causing loops. It prevents such a port from wrongly moving from the blocking to the forwarding state merely because BPDUs stopped arriving, which is exactly what a unidirectional link causes.
Unidirectional links are links on which one of the two transmission paths has failed but not the other. This can happen as a result of miscabling, a cut fiber strand, one unplugged fiber, or other reasons.
Let’s consider an example.
The network consists of 3 switches without Loop Guard feature. Switch 1 is the root switch. A port on Switch 3 is in blocking state, other ports are forwarding normally.
STP_loop_guard.jpg
Suppose that Switch 3 stops receiving BPDUs (hellos) from Switch 2 because the link between them has become unidirectional. Once the BPDU stored on the blocked port ages out (max age, 20 seconds by default), Switch 3 assumes the designated bridge on that segment is gone and moves the port through listening and learning into forwarding. Now all trunks on all switches are forwarding: we have a loop!
STP_loop_guard_loop_occur.jpg
With Loop Guard turned on, the blocking port on Switch 3 does not transition to forwarding; instead it is placed in the loop-inconsistent state, which blocks traffic exactly as the blocking state does, and it recovers automatically as soon as BPDUs are received on it again. Note that IOS reports this state as loop-inconsistent; root-inconsistent (answer D) is the corresponding state used by Root Guard, and D is simply the closest of the options offered.
(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml & CCIE Routing and Switching Official Exam Certification)
Question 4
What is the purpose of the STP PortFast BPDU guard feature?
A. enforce the placement of the root bridge in the network
B. ensure that a port is transitioned to a forwarding state quickly if a BPDU is received
C. enforce the borders of an STP domain
D. ensure that any BPDUs received are forwarded into the STP domain

Answer: C
Explanation
By default STP runs on every port of a switch, but most ports connect to end-user devices (printers, PCs, servers). If someone turns a PC off and back on, it can take up to 50 seconds before the port reaches the forwarding state and becomes usable: 15 seconds in listening, 15 seconds in learning, and, if the port also runs Port Aggregation Protocol (PAgP) to negotiate an EtherChannel, an additional delay of about 20 seconds.
Therefore the STP PortFast feature is used to move such a port into the forwarding state immediately. PortFast is for access (user) ports only. It makes the port skip the listening and learning states and go straight to forwarding; spanning-tree loop detection remains active, and the port moves into the blocking state if a loop is ever detected on it.
PortFast alone has a weakness: if a switch is connected to a PortFast port, a loop can form, or the new switch can take over the root bridge role and make STP block important ports elsewhere.
This is prevented with the BPDU guard feature. As soon as a BPDU is received on a port configured with BPDU guard, the switch disables (shuts down) that port, placing it in the errdisable state.
The STP PortFast BPDU guard enhancement thus lets network designers enforce the STP domain borders and keep the active topology predictable: devices behind PortFast ports cannot influence the STP topology.
(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml)

Question 5
When STP UplinkFast is enabled on a switch utilizing the default bridge priority, what will the new bridge priority be changed to?
A. 8192
B. 16384
C. 49152
D. 65535

Answer: C
Explanation
STP UplinkFast provides a fast switchover to an alternate port when the root port of an access-layer switch fails. When it is enabled on a switch using the default bridge priority (32768), the bridge priority is changed to 49152. The priority is raised so that the switch cannot become root (recall that a lower bridge priority is preferred). On CatOS the feature is enabled with "set spantree uplinkfast enable" in privileged mode; the IOS equivalent is the global configuration command "spanning-tree uplinkfast".
The set spantree uplinkfast enable command has the following results:
+ Changes the bridge priority to 49152 for all VLANs (allowed VLANs).
+ Increases the path cost and portvlancost of all ports to a value greater than 3000, so that other switches do not choose this switch as a transit path to the root.
+ On detecting the failure of a root port, an instant cutover occurs to an alternate port selected by Spanning Tree Protocol (without this feature, the network needs about 30 seconds to re-establish the connection).
(Reference: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094641.shtml)
Question 6
The classic Spanning Tree Protocol (802.1D-1998) uses which sequence of variables to determine the best received BPDU?
A. 1) lowest root bridge id, 2) lowest sender bridge id, 3) lowest port id, 4) lowest root path cost
B. 1) lowest root path cost, 2) lowest root bridge id, 3) lowest sender bridge id, 4) lowest sender port id
C. 1) lowest root bridge id, 2) lowest sender bridge id, 3) lowest root path cost 4) lowest sender port id
D. 1) lowest root bridge id, 2) lowest root path cost, 3) lowest sender bridge id, 4) lowest sender port id

Answer: D
Explanation
The parts of a BPDU are:
* Root BID – This is the BID of the current root bridge.
* Path cost to root bridge – This tells how far away the root bridge is. The root sends its BPDUs with a cost of 0; every switch adds the cost of the port on which the BPDU was received before re-advertising it. For example, if a switch is three 100-Mbps segments away from the root bridge, its root path cost is 19 + 19 + 19 = 57.
* Sender BID – This is the BID of the switch that sends the BPDU.
* Port ID – This is the actual port on the switch that the BPDU was sent from.
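To make the bridge ID of question 2 and the comparison order of question 6 concrete, here is an added example written for this page (it is not Cisco code and not taken from the referenced documents). It parses and builds the 35-byte 802.1D configuration BPDU body, ranks BPDUs by the four-field vector of answer D, and shows how the root path cost grows hop by hop. The MAC addresses, BPDU bytes and port numbers are constructed sample data; the port costs 100, 19, 4 and 2 are the 802.1D-1998 defaults.

```python
import struct
from dataclasses import dataclass, replace

# Layout of an IEEE 802.1D configuration BPDU (35 bytes, big-endian): the
# payload after the 802.2 LLC header (DSAP/SSAP 0x42) in a frame sent to the
# 01:80:c2:00:00:00 bridge-group address.
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")

# Default port costs from 802.1D-1998, keyed by link speed in Mbit/s.
PORT_COST_1998 = {10: 100, 100: 19, 1000: 4, 10000: 2}

@dataclass(frozen=True, order=True)
class BridgeId:
    """8-byte bridge ID: 2-byte priority field, then the 6-byte base MAC.
    Field order matters: the generated ordering compares priority first and
    MAC second, which is the 802.1D "lowest bridge ID wins" rule."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"), bytes(raw[2:8]))

    def to_bytes(self) -> bytes:
        return self.priority.to_bytes(2, "big") + self.mac

    def extended(self) -> tuple:
        """Split the priority word as the extended system ID does: top 4 bits
        are the configurable priority (multiple of 4096), low 12 bits the VLAN."""
        return self.priority & 0xF000, self.priority & 0x0FFF

    def __str__(self) -> str:
        return f"{self.priority}.{self.mac.hex('.', 2)}"

@dataclass(frozen=True)
class ConfigBpdu:
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId     # sender
    port_id: int            # high byte: port priority (128 default); low byte: port number
    message_age: float      # seconds; the wire format counts units of 1/256 s
    max_age: float
    hello_time: float
    forward_delay: float
    flags: int = 0          # bit 0: topology change, bit 7: TC acknowledgement

    @classmethod
    def parse(cls, payload: bytes) -> "ConfigBpdu":
        if len(payload) < CONFIG_BPDU.size:
            raise ValueError("truncated BPDU")
        (proto, _version, bpdu_type, flags, root, cost, bridge, port,
         msg_age, max_age, hello, fwd) = CONFIG_BPDU.unpack_from(payload)
        if proto != 0 or bpdu_type != 0x00:
            raise ValueError(f"not a configuration BPDU (type 0x{bpdu_type:02x})")
        return cls(BridgeId.from_bytes(root), cost, BridgeId.from_bytes(bridge),
                   port, msg_age / 256, max_age / 256, hello / 256, fwd / 256, flags)

    def to_bytes(self) -> bytes:
        return CONFIG_BPDU.pack(
            0, 0, 0x00, self.flags, self.root_id.to_bytes(), self.root_path_cost,
            self.bridge_id.to_bytes(), self.port_id, int(self.message_age * 256),
            int(self.max_age * 256), int(self.hello_time * 256),
            int(self.forward_delay * 256))

    def key(self) -> tuple:
        """802.1D-1998 comparison vector (answer D): root bridge ID, root path
        cost, sender bridge ID, sender port ID. Lower wins at every position."""
        return (self.root_id, self.root_path_cost, self.bridge_id, self.port_id)

    def is_better_than(self, other: "ConfigBpdu") -> bool:
        return self.key() < other.key()

def as_received(bpdu: ConfigBpdu, ingress_port_cost: int) -> ConfigBpdu:
    """What the receiving switch compares and later re-advertises: the cost in
    the BPDU plus the cost of the port it arrived on. The root sends 0, so
    three 100 Mbit/s hops down the cost is 19 + 19 + 19 = 57."""
    return replace(bpdu, root_path_cost=bpdu.root_path_cost + ingress_port_cost)

# Constructed sample data (not captured traffic): the root bridge and one
# downstream switch, both at the default priority 32768.
ROOT = BridgeId(32768, bytes.fromhex("00000c001111"))
SWITCH_B = BridgeId(32768, bytes.fromhex("00000c002222"))
ROOT_BPDU = ConfigBpdu(ROOT, 0, ROOT, 0x8001, 0, 20, 2, 15)
# The same BPDU as it appears on the wire, hand-assembled from the layout above.
RAW_ROOT_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"          # protocol ID, version, type (config), flags
    "8000" "00000c001111"          # root ID: priority 0x8000 + MAC
    "00000000"                     # root path cost
    "8000" "00000c001111"          # sender bridge ID
    "8001"                         # port ID: priority 128, port 1
    "0000" "1400" "0200" "0f00")   # ages in 1/256 s: 0, 20, 2 and 15 seconds
# BPDU relayed by switch B on its port 2 after one 100 Mbit/s hop from the root.
B_BPDU = ConfigBpdu(ROOT, 19, SWITCH_B, 0x8002, 1, 20, 2, 15)
```

Because the whole 8-byte bridge ID is compared as one value, a priority of 0 on a rogue device beats any MAC address; that is the root takeover discussed under question 9, and the reason the later questions put root guard and BPDU guard on ports facing untrusted devices.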
Question 7
Which three port states are used by RSTP 802.1w? (Choose three)
A. Listening
B. Learning
C. Forwarding
D. Blocking
E. Discarding
F. Disabled
Answer: B C E
Explanation
Rapid Spanning Tree (RSTP) 802.1w is a standards-based, non-proprietary way of speeding STP convergence. Switch ports exchange an explicit handshake when they transition to forwarding. RSTP defines different port states than regular STP, as shown below:
STP port state    Equivalent RSTP port state
Disabled          Discarding
Blocking          Discarding
Listening         Discarding
Learning          Learning
Forwarding        Forwarding
Question 8
Refer to the exhibit. In the diagram, the switches are running IEEE 802.1s MST. Which ports are in the MST blocking state?
Multi_Spanning_Tree.jpg
A. GE-1/2 and GE 2/1
B. GE-1/1 and GE-2/2
C. GE-3/2 and GE 4/1
D. no ports are in the blocking state
E. There is not enough information to determine which ports are in the blocking state.

Answer: D
Explanation
All these four switches are running MST and they are load-balancing. Dist-1 is the root bridge of VLANs 20 & 120 while Dist-2 is the root bridge of VLANs 40 & 140.
For VLANs 20, 120 switch Dist-1 is the root bridge so GE-4/1 & GE-4/2 links of Dist-2 are blocked:
Multi_Spanning_Tree_Dist1_root.jpg
For VLANs 40, 140 switch Dist-2 is the root bridge so GE-3/1 & GE-3/2 links of Dist-1 are blocked:
Multi_Spanning_Tree_Dist2_root.jpg
But notice that no port is in the blocking state, although some ports are blocked for specific VLANs. In the question's terms, a port is in the MST blocking state only when it is blocked for every VLAN, and here every port forwards for at least one instance. (Strictly speaking MST, like RSTP, calls the non-forwarding state discarding, and a port is discarding per MST instance, not as a whole.)
Question 9
Refer to the exhibit. In the diagram, the switches are running IEEE 802.1w RSTP. On which ports should root guard be enabled in order to facilitate deterministic root bridge election under normal and failure scenarios?
Multi_Spanning_Tree.jpg
A. GE-3/1, GE-3/2
B. FE-2/1, FE-3/2
C. GE-1/1, GE-1/2
D. GE-4/1, GE-4/2
E. GE-2/1, GE-2/2
F. GE-3/1, GE-3/2, GE-4/1, GE-4/2, FE-2/1, FE-3/2

Answer: F
Explanation
Root Guard is a Cisco-specific feature that prevents a Layer 2 switched port from becoming a root port. It is enabled on designated ports, that is, ports that should never lead toward the root, including the ports of the root bridge itself. If a Root Guard port receives a BPDU that would make it a root port (one advertising a better root bridge ID than the current root), the port is put into the "root-inconsistent" state and does not pass traffic. When the port stops receiving those superior BPDUs, it recovers automatically.
This feature is recommended on aggregation-layer ports that face the access layer, to ensure that a configuration error (or a rogue device) on an access-layer switch cannot change the location of the spanning tree root switch (bridge) for a given VLAN or instance. Below is the recommended set of port features to enable in a network.
Port_features.jpg
(Reference: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/nx_7000_dc.html)
Root Guard should also be enabled on ports FE-2/1 and FE-3/2, because an attacker can plug a switch into these ports or run bridging software on the attached PCs. Imagine a new switch introduced into the network with a bridge priority lower than the current root bridge: in normal STP operation it becomes the new root bridge and disrupts your carefully designed topology. The recommended design is to enable Root Guard on all access ports so that a root bridge cannot be established through them. Access ports that are PortFast should carry BPDU guard as well (question 4), which is the stricter control: Root Guard only refuses superior BPDUs and leaves the port up, whereas BPDU guard err-disables the port on any BPDU at all.
Note: The Root Guard affects the entire port. Therefore it applies to all VLANs on that port. To enable this feature, use the following command in interface configuration:
Switch(config-if)# spanning-tree guard root
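The three protection features of questions 3, 4 and 9 are easiest to compare side by side as a state machine. The following is an added example written for this page (not Cisco code, and a deliberate simplification: it tracks a single port, does not re-elect roles, and models listening and learning purely by timers) that applies BPDU guard, root guard and loop guard to the BPDUs a port receives and to periods of silence. The port names, bridge IDs and the rogue priority-0 root are constructed sample data; the 20 s max age and 15 s forward delay are the 802.1D defaults.

```python
from dataclasses import dataclass

MAX_AGE = 20.0        # 802.1D defaults, in seconds
FORWARD_DELAY = 15.0

@dataclass
class GuardedPort:
    """One switch port with the protection features of questions 3, 4 and 9.

    role is "designated" (this switch sends BPDUs on it), "root", or
    "alternate" (the blocked port of question 3). our_root is the bridge ID
    (priority, MAC bytes) of the root this switch currently believes in.
    """
    name: str
    role: str
    our_root: tuple
    bpdu_guard: bool = False   # PortFast edge ports: any BPDU shuts the port down
    root_guard: bool = False   # designated ports: refuse a superior root
    loop_guard: bool = False   # root/alternate ports: silence means stay blocked
    state: str = ""
    silence: float = 0.0       # seconds since the last BPDU arrived on this port

    def __post_init__(self):
        self.state = self.normal_state()

    def normal_state(self) -> str:
        return "blocking" if self.role == "alternate" else "forwarding"

    def receive_bpdu(self, advertised_root: tuple) -> str:
        """Handle one received BPDU; returns the resulting port state."""
        if self.bpdu_guard:
            # Question 4: a BPDU on a BPDU-guard port means a switch (or a host
            # speaking like one) sits behind it. Err-disable, no negotiation.
            self.state = "err-disabled"
            return self.state
        self.silence = 0.0
        if self.root_guard and advertised_root < self.our_root:
            # Question 9: a better root would turn this designated port into a
            # root port. Block instead, so the intended root stays the root.
            self.state = "root-inconsistent"
            return self.state
        if self.state == "loop-inconsistent":
            # BPDUs are flowing again: loop guard releases the port by itself.
            self.state = self.normal_state()
        return self.state

    def tick(self, seconds: float) -> str:
        """Advance time with no BPDU arriving; returns the resulting state."""
        if self.state == "err-disabled":
            return self.state   # cleared only by errdisable recovery or shut/no shut
        self.silence += seconds
        if self.silence < MAX_AGE:
            return self.state
        # Max age has expired: the BPDU stored for this port is discarded.
        if self.state == "root-inconsistent":
            # The superior BPDUs stopped: root guard re-enables the port.
            self.state = self.normal_state()
        elif self.role == "alternate":
            if self.loop_guard:
                # Question 3: silence is treated as a fault, not as permission to forward.
                self.state = "loop-inconsistent"
            else:
                # Plain STP assumes the designated bridge is gone and starts
                # unblocking: listening, then learning, then forwarding.
                aged = self.silence - MAX_AGE
                self.state = ("listening" if aged < FORWARD_DELAY
                              else "learning" if aged < 2 * FORWARD_DELAY
                              else "forwarding")
        return self.state

# Constructed sample: the root of question 3's network, and a rogue root with
# priority 0, the kind of BPDU a PC running bridge software could emit.
OUR_ROOT = (32768, bytes.fromhex("00000c001111"))
ROGUE_ROOT = (0, bytes.fromhex("00000c00ffff"))

def loop_guard_scenario(loop_guard: bool) -> str:
    """Switch 3's blocked port: one hello from switch 2, then 50 s of silence
    because the link has become unidirectional."""
    port = GuardedPort("Switch3 Gi0/2", "alternate", OUR_ROOT, loop_guard=loop_guard)
    port.receive_bpdu(OUR_ROOT)
    return port.tick(50)

def bpdu_guard_scenario() -> str:
    """A PortFast user port into which someone plugs a switch."""
    port = GuardedPort("FE-2/1", "designated", OUR_ROOT, bpdu_guard=True)
    return port.receive_bpdu(ROGUE_ROOT)

def root_guard_scenario() -> list:
    """A distribution port facing the access layer: a rogue root appears, then goes quiet."""
    port = GuardedPort("GE-3/1", "designated", OUR_ROOT, root_guard=True)
    return [port.receive_bpdu(ROGUE_ROOT), port.tick(MAX_AGE)]
```

Without loop guard the silent alternate port ends up forwarding after max age plus two forward delays (the 50 seconds of question 3's loop); with it, the port sits in loop-inconsistent until a BPDU returns. Root guard and loop guard both recover on their own, BPDU guard does not, which is why an err-disabled access port usually also needs errdisable recovery configured.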
Question 10
Loop guard and UniDirectional Link Detection both protect against Layer 2 STP loops. In which two ways does loop guard differ from UDLD in loop detection and prevention? (Choose two)
A. Loop guard can be used with root guard simultaneously on the same port on the same VLAN while UDLD cannot.
B. UDLD protects against STP failures caused by cabling problems that create one-way links.
C. Loop guard detects and protects against duplicate packets being received and transmitted on different ports.
D. UDLD protects against unidirectional cabling problems on copper and fiber media.
E. Loop guard protects against STP failures caused by problems that result in the loss of BPDUs from a designated switch port.

Answer: B E

Spanning Tree Protocol

What is Spanning Tree Protcol Definition

Abbreviated STP, a link management protocol that is part of the IEEE 802.1 standard for bridges. Using the spanning-tree algorithm, STP provides path redundancy while preventing undesirable loops in a network that are created by multiple active paths between stations. Loops occur when there are alternate routes between hosts. To establish path redundancy, STP creates a tree that spans all of the switches in an extended network, forcing redundant paths into a standby, or blocked, state. STP allows only one active path at a time between any two network devices (this prevents the loops) but keeps the redundant links as a backup if the initial link should fail. If STP costs change, or if one network segment in the STP becomes unreachable, the spanning tree algorithm reconfigures the spanning tree topology and re-establishes the link by activating the standby path. Without spanning tree in place, it is possible that both connections may be simultaneously live, which could result in an endless loop of traffic on the LAN.


Spanning Tree Protocol (STP)
Before it was acquired by Compaq, Digital Equipment Corporation (DEC) created the original version of Spanning Tree Protocol (STP). The IEEE later created its own version of STP called 802.1D. Cisco switches run the IEEE 802.1D version of STP, which isn't compatible with the DEC version.
STP’s main task is to stop network loops from occurring on your layer 2 network (bridges or switches). It vigilantly monitors the network to find all links, making sure that no loops occur by shutting down any redundant links. STP uses the spanning-tree algorithm (STA) to first create a topology database, then search out and destroy redundant links. With STP running, frames will only be forwarded on the premium, STP-picked links. In the following sections, I am going to hit the nitty-gritty of the Spanning Tree Protocol.
Spanning Tree Terms
Before I get into describing the details of how STP works in the network, you need to understand some basic ideas and terms and how they relate within the layer 2 switched network:
STP
Spanning Tree Protocol (STP) is a bridge protocol that uses the STA to find redundant links dynamically and create a spanning-tree topology database. Bridges exchange BPDU messages with other bridges to detect loops, and then remove them by shutting down selected bridge interfaces.
Root bridge
The root bridge is the bridge with the best bridge ID. With STP, the key is for all the switches in the network to elect a root bridge that becomes the focal point in the network. All other decisions in the network—such as which port is to be blocked and which port is to be put in forwarding mode—are made from the perspective of this root bridge.
BPDU
All the switches exchange information to use in the selection of the root switch, as well as in subsequent configuration of the network. Each switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that they send to one neighbor with the one that they receive from another neighbor.
Bridge ID The bridge ID is how STP keeps track of all the switches in the network. It is determined by a combination of the bridge priority (32,768 by default on all Cisco switches) and the base MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network.
Nonroot bridge These are all bridges that are not the root bridge. Nonroot bridges exchange BPDUs with all bridges and update the STP topology database on all switches, preventing loops and providing a measure of defense against link failures.
Root port The root port is the port with the lowest accumulated cost to the root bridge, which is usually, but not necessarily, a link connected directly to the root. If more than one link leads toward the root bridge, the cost of each link is determined from its bandwidth and the lowest-cost port becomes the root port. If multiple links have the same cost, the one connected to the neighbor with the lower advertising bridge ID is used. If multiple links go to that same neighbor, the lowest port ID is used.
Designated port A port that has been determined as having the best (lower) cost—a designated port will be marked as a forwarding port.
Port cost Port cost determines when multiple links are used between two switches and none are root ports. The cost of a link is determined by the bandwidth of a link.
Nondesignated port Port with a higher cost than the designated port that will be put in blocking mode—a nondesignated port is not a forwarding port.
Forwarding port A forwarding port forwards frames.
Blocked port A blocked port does not forward frames, in order to prevent loops. However, a blocked port still receives and listens to BPDUs.
Spanning Tree Operations
As I’ve said before, STP’s job is to find all links in the network and shut down any redundant ones, thereby preventing network loops from occurring. STP does this by first electing a root bridge that will preside over network topology decisions. Once all switches agree on who the root bridge is, every bridge must find the root port. If there are multiple links between switches, there must be one and only one designated port.
Things tend to go a lot more smoothly when you don’t have more than one person making a navigational decision, and so, there can only be one root bridge in any given network. I’ll discuss the root bridge election process more completely in the next section.
Selecting the Root Bridge
The bridge ID is used to elect the root bridge in the STP domain as well as to determine the root port. This ID is 8 bytes long, and includes both the priority and the MAC address of the device. The default priority on all devices running the IEEE STP version is 32,768.
To determine the root bridge, the priority of each bridge is combined with its MAC address. If two switches or bridges happen to have the same priority value, then the MAC address becomes the tie breaker for figuring out which one has the lowest (best) ID. It’s like this: If two switches— I’ll name them A and B—both use the default priority of 32,768, then the MAC address will be used instead. If Switch A’s MAC address is 0000.0c00.1111 and Switch B’s MAC address is 0000.0c00.2222, then Switch A would become the root bridge. Just remember that the lower value is the better one when it comes to electing a root bridge.
BPDUs are sent every 2 seconds, by default, out all active ports on a bridge/switch, and the bridge with the lowest (best) bridge ID is elected the root bridge. You can change the bridge’s ID by lowering its priority so that it will become a root bridge automatically. Being able to do that is important in a large switched network—it ensures that the best paths are chosen.
Note : Changing STP parameters is beyond the scope of this book, but it’s covered in CCNP: Building Cisco Multilayer Switched Networks
Selecting the Designated Port
If more than one link is connected to the root bridge, then port cost becomes the factor used to determine which port will be the root port. So, to determine the port that will be used to communicate with the root bridge, you must first figure out the path’s cost. The STP cost is an accumulated total path cost based on the available bandwidth of each of the links. Table 3.1 shows the typical costs associated with various Ethernet networks.
TABLE 3.1 Typical Costs of Different Ethernet Networks
The IEEE 802.1D specification has recently been revised to handle the new higher-speed links. The IEEE 802.1D specification assigns a default port cost value to each port based on bandwidth.
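The root bridge, root port, designated port and blocked port rules from the sections above can be run end to end. This is an added example written for this page (not from the book or from Cisco); it computes every port role for a small constructed topology with the 802.1D-1998 default port costs. The switch names, MAC addresses, port numbers and link speeds are sample data, and the PORT_COST_1998 dictionary holds the standard's default costs (the values Table 3.1 refers to).

```python
import heapq
from collections import defaultdict

# 802.1D-1998 default port costs, keyed by link speed in Mbit/s.
PORT_COST_1998 = {10: 100, 100: 19, 1000: 4, 10000: 2}

def bridge_id(priority: int, mac: str) -> tuple:
    """(priority, MAC bytes): tuple ordering compares priority first, then MAC; lower wins."""
    return (priority, bytes.fromhex(mac.replace(".", "")))

def port_id(number: int, priority: int = 128) -> int:
    """802.1D-1998 port ID: 8-bit port priority (default 128) followed by the port number."""
    return (priority << 8) | number

def compute_spanning_tree(bridges: dict, links: list):
    """bridges: {switch: bridge_id}; links: [(a, port_a, b, port_b, speed_mbps)].

    Returns (root switch, root path cost per switch, {(switch, port): role})
    with role one of "root", "designated" or "blocked" (nondesignated).
    """
    root = min(bridges, key=bridges.get)          # lowest bridge ID wins
    # For each switch: (own port, neighbour, neighbour's port, cost of this port).
    ports = defaultdict(list)
    for a, pa, b, pb, speed in links:
        ports[a].append((pa, b, pb, PORT_COST_1998[speed]))
        ports[b].append((pb, a, pa, PORT_COST_1998[speed]))

    # Root path cost: a switch adds the cost of the receiving port to the cost
    # carried in the BPDU, so it is a shortest path from the root. The root
    # advertises 0; a switch three 100 Mbit/s hops away ends up at 57.
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, sw = heapq.heappop(heap)
        if cost > rpc[sw]:
            continue
        for _own, nbr, _nbr_port, link_cost in ports[sw]:
            if cost + link_cost < rpc.get(nbr, float("inf")):
                rpc[nbr] = cost + link_cost
                heapq.heappush(heap, (rpc[nbr], nbr))

    roles = {}
    for sw, plist in ports.items():
        if sw == root:
            for own, *_ in plist:
                roles[(sw, own)] = "designated"   # every port on the root is designated
            continue
        # Root port: the port receiving the best BPDU, compared as (root path
        # cost, sender bridge ID, sender port ID), with own port ID as the last tie-breaker.
        best = min(plist, key=lambda p: (rpc[p[1]] + p[3], bridges[p[1]],
                                         port_id(p[2]), port_id(p[0])))
        roles[(sw, best[0])] = "root"
        for own, nbr, nbr_port, _cost in plist:
            if own == best[0]:
                continue
            # Designated port of a segment: the end that would advertise the
            # better BPDU. The loser is nondesignated and goes to blocking.
            mine = (rpc[sw], bridges[sw], port_id(own))
            theirs = (rpc[nbr], bridges[nbr], port_id(nbr_port))
            roles[(sw, own)] = "designated" if mine < theirs else "blocked"
    return root, rpc, roles

# Constructed topology (not from the page's exhibits): three switches at the
# default priority, so the lowest MAC becomes root. The direct link from
# switch C to the root is only 10 Mbit/s, so C's cheapest path runs through B.
BRIDGES = {
    "SwitchA": bridge_id(32768, "0000.0c00.1111"),
    "SwitchB": bridge_id(32768, "0000.0c00.2222"),
    "SwitchC": bridge_id(32768, "0000.0c00.3333"),
}
LINKS = [
    ("SwitchA", 1, "SwitchB", 1, 100),
    ("SwitchA", 2, "SwitchC", 1, 10),
    ("SwitchB", 2, "SwitchC", 2, 100),
]

if __name__ == "__main__":
    root, rpc, roles = compute_spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role} (root path cost {rpc[sw]})")
```

With the slow direct link, switch C's root port is the one toward switch B (cost 19 + 19 = 38 rather than 100) and its port to the root itself is blocked; if all three links are 100 Mbit/s the costs tie on the B-C segment and B's lower MAC makes it the designated bridge, so C's port 2 is the one blocked.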
Spanning-Tree Port States
The ports on a bridge or switch running STP can transition through five different states:
Blocking A blocked port won’t forward frames; it just listens to BPDUs. The purpose of the blocking state is to prevent the use of looped paths. All ports are in blocking state by default when the switch is powered up.
Listening The port listens to BPDUs to make sure no loops occur on the network before passing data frames. A port in listening state prepares to forward data frames without populating the MAC address table.
Learning The switch port listens to BPDUs and learns all the paths in the switched network. A port in learning state populates the MAC address table but doesn’t forward data frames.
Forwarding The port sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the Learning state, it enters this state.
Disabled A port in the disabled state (administratively) does not participate in the frame forwarding or STP. A port in the disabled state is virtually nonoperational.
Switch ports are most often in either the blocking or forwarding state. A forwarding port is one that has been determined to have the lowest (best) cost to the root bridge. But when and if the network experiences a topology change (because of a failed link or because someone adds in a new switch), you’ll find the ports on a switch in listening and learning state.
As I mentioned, blocking ports is a strategy for preventing network loops. Once a switch determines the best path to the root bridge, then all other ports will be in blocking mode. Blocked ports can still receive BPDUs—they just don’t send out any frames.
If a switch determines that a blocked port should now be the designated or root port because of a topology change, it will go into listening mode and check all BPDUs it receives to make sure that it won’t create a loop once the port goes to forwarding mode.
Convergence
Convergence occurs when all ports on bridges and switches have transitioned to either the forwarding or blocking modes. No data is forwarded until convergence is complete. Before data can be forwarded again, all devices must be updated. Convergence is important to make sure all devices have the same database, but it does cost you some time. It usually takes 50 seconds to go from blocking to forwarding mode, and I don’t recommend changing the default STP timers. (But you can adjust those timers if necessary.) Forward delay means the time it takes to transition a port from listening to learning mode or vice versa.
Spanning Tree Example
It’s time to begin using and not just reading about this stuff. It’s important to see how a spanning tree works in an internetwork, because it will really help you understand it better. So in this section, I’ll give you a chance to observe what you’ve learned as it takes place in a live network.
In Figure 3.1, you can assume that all five switches have the same priority of 32,768. But now study the MAC address of each switch. By looking at the priority and MAC addresses of each device, you should be able to determine the root bridge:
Once you’ve established which switch has got to be the root bridge, look at the figure again and try to figure out which is the root port on each of the switches. (Hint: Root ports are always forwarding ports, which means they will always be in forwarding mode.) Okay, next try to establish which of the ports will be in blocking mode.
FIGURE 3.1 Spanning tree example

Figure 3.2 has the answers for each of the port states for each switch. Since Switch A has the lowest MAC address, and all five switches use the default priority, Switch A gets to be the root bridge. And remember this: A root bridge always has every port in forwarding mode (designated ports).
To determine the root ports on Switch B and Switch C, just follow the connection to the root bridge. Each direct connection to the root bridge will be a root port, so it will become forwarding. On Switches D and E, the ports connected to Switches B and C are Switches D and E’s closest ports to the root bridge (lowest cost), so those ports are root ports and in forwarding mode.
Take another look at Figure 3.2. Can you tell which of the ports between Switch D and E must be shut down so a network loop doesn't occur? Let's work it out: Since the connections from Switches D and E to Switches B and C are root ports, those can't be shut down. Next, the bridge ID is used to determine designated and nondesignated ports; so, because Switch D has the lowest (best) bridge ID, Switch E's port to Switch D will become nondesignated (blocking), and Switch D's connection to Switch E will be designated (forwarding).
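The election worked through above, as an added example that is not part of the book excerpt: the bridge IDs and links are constructed to match the description of Figure 3.2 (A attached to B and C, D below B, E below C, and a D to E link), with every link at the 802.1D cost of 19 for 100 Mb/s Ethernet.

```python
"""STP election in code: root bridge by lowest bridge ID (priority, then
MAC), root ports by lowest accumulated path cost, and designated versus
blocking on the remaining link by bridge ID, as the text works through."""
import heapq

# Constructed bridge IDs (priority, MAC): every switch keeps the default
# priority of 32,768, so the MAC address alone decides the root.
BRIDGES = {
    "A": (32768, "0000.0c00.1111"),
    "B": (32768, "0000.0c00.2222"),
    "C": (32768, "0000.0c00.3333"),
    "D": (32768, "0000.0c00.4444"),
    "E": (32768, "0000.0c00.5555"),
}
# Constructed links (switch, switch, port cost), shaped like Figure 3.2;
# every link uses the 802.1D cost of 19 for 100 Mb/s Ethernet.
LINKS = [("A", "B", 19), ("A", "C", 19), ("B", "D", 19),
         ("C", "E", 19), ("D", "E", 19)]


def bridge_id(name):
    """Comparable bridge ID: lower priority wins, then lower MAC."""
    priority, mac = BRIDGES[name]
    return (priority, int(mac.replace(".", ""), 16))


def elect_root():
    return min(BRIDGES, key=bridge_id)


def neighbours(switch):
    for a, b, cost in LINKS:
        if a == switch:
            yield b, cost
        if b == switch:
            yield a, cost


def root_path_costs(root):
    """Lowest accumulated cost from each switch to the root (Dijkstra)."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        so_far, switch = heapq.heappop(heap)
        if so_far > cost[switch]:
            continue  # stale heap entry
        for nb, link_cost in neighbours(switch):
            if so_far + link_cost < cost.get(nb, float("inf")):
                cost[nb] = so_far + link_cost
                heapq.heappush(heap, (cost[nb], nb))
    return cost


def port_roles():
    """Return (root, {(switch, neighbour): 'root'|'designated'|'blocking'})."""
    root = elect_root()
    cost = root_path_costs(root)
    roles = {}
    for switch in BRIDGES:
        if switch == root:
            continue  # the root bridge has no root port
        # Root port: neighbour giving the lowest cost to the root; a tie
        # goes to the neighbour with the lower bridge ID.
        nb, _ = min(neighbours(switch),
                    key=lambda n: (cost[n[0]] + n[1], bridge_id(n[0])))
        roles[(switch, nb)] = "root"
    for a, b, _ in LINKS:
        # Designated port on each link: the end with the lower root path
        # cost, then the lower bridge ID; the other end blocks unless that
        # port is already the switch's root port.
        des = min((a, b), key=lambda s: (cost[s], bridge_id(s)))
        other = b if des == a else a
        roles.setdefault((des, other), "designated")
        roles.setdefault((other, des), "blocking")
    return root, roles


if __name__ == "__main__":
    root, roles = port_roles()
    print("root bridge:", root)
    for (switch, nb), role in sorted(roles.items()):
        print(f"{switch} port to {nb}: {role}")
```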
FIGURE 3.2 Spanning tree example answers

When should I worry about spanning tree?
Bob, a Senior Network Administrator at Acme Corporation in San Francisco, is concerned about all the new switches his bosses just asked him to install, which will bring the total number of switches in his network to 20. He is concerned about STP and isn’t sure if he should even think about it since it seems to work OK with the few switches he has installed. Bob calls you for advice. What should you tell Bob when he calls?
If you have fewer than six switches in your internetwork and no more than about 100 users in your network, you would usually just let STP do its job and not worry about it. Understand that each network may vary, but with Bob ending up with about 20 switches, he has to think about STP!
But if you have dozens of switches and hundreds of users in your network, then it’s time to pay attention to how STP is running. That’s because if you don’t set the root switch in this larger switched network, your STP may never converge between switches—a nasty situation that could bring your network down.

Tuesday, April 9, 2013

Configure GLPI

GLPI installation guide | Step by Step Configuration | Setup
Tuesday, July 13, 2010  GLPI, INSTALLATION  2 comments

Step By Step GLPI Installation Guide for linux

Requirements

1) Working Apache server
2) Working Mysql Server
3) Latest version of GLPI

Step by Step Installation

1) Mysql configuration

Login to the mysql server through a shell (or webmin) and create the database and its user: database name - glpidb, username - glpiuser, password - glpipwd
#mysql -u root -p ( enter the mysql root password)
mysql> create database glpidb;
mysql> grant all privileges on glpidb.* to glpiuser@localhost identified by 'glpipwd';
mysql> exit

If you are running apache and mysql on different servers, grant the privileges to glpiuser@apacheserverip instead of glpiuser@localhost

2) GLPI installation

Login to the apache server host through a shell and download the latest glpi archive
Un tar glpi-0.72.4.tar.gz in the web root directory
#tar -xvzf glpi-0.72.4.tar.gz -C /var/www/html/
#cd /var/www/html
#chown -R apache glpi

Add a DNS entry for your support website (support.example.com to 192.168.1.2; replace with your ip). If you don't have a DNS server, you can use the ip directly

edit /etc/httpd/conf/httpd.conf and add the following configuration (the RewriteCond/RewriteRule pair refuses TRACE and TRACK requests with 403 Forbidden)
<VirtualHost 192.168.1.2:*>
    DocumentRoot /var/www/html/glpi
    ServerName support.example.com
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    <Directory "/var/www/html/glpi">
        DirectoryIndex index.php
    </Directory>
    Options ExecCGI
</VirtualHost>

Or, instead of a virtual host, add an Alias for the glpi directory
Restart apache server
#service httpd restart
Browse your support url http://support.example.com  or ip (from remote computer)
for directory access use http://192.168.1.2/glpi ( from local host http://localhost/glpi)

Click on the Installation button

Click Continue

Enter the Mysql host, user name and password details and continue
host - mysqlserverip (localhost)
User Name = glpiuser
Password = glpipwd

Step 2





Select the database glpidb from the shown list and continue
IPTABLES for fedora Linux

Here I have described the basic configuration for enabling iptables on fedora linux.
#iptables -L

will list your current iptables configuration.

To allow established sessions to receive traffic

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Now check the current configuration
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh


For interface based access, add -i eth0 to the rule to limit it to that interface.
Once the ssh port is allowed, we can drop all other incoming traffic.

# iptables -A INPUT -j DROP

Now check the rule
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere


In the final step we have to allow the loopback interface. This rule must come before the DROP rule that now ends the chain, and since loopback carries a lot of traffic we insert it as the first rule so it is processed first.

#iptables -I INPUT 1 -i lo -j ACCEPT

To enable logging of dropped packets, insert a LOG rule directly before the final DROP rule. The position given to -I must be the DROP rule's slot in your chain (4 in the chain built above: lo, RELATED/ESTABLISHED, ssh, DROP); check it with iptables -L --line-numbers before inserting.

# iptables -I INPUT 4 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

To save this configuration
# iptables-save > /etc/sysconfig/iptables
or
#service iptables save
#service iptables start

This configuration allows the ssh port and blocks all other incoming ports.

IPTABLES for Fedora | Redhat Linux

Basic Setup:

Here I have described the basic configuration for enabling iptables on fedora linux.
#iptables -L

will list your current iptables configuration.

1) To allow established sessions to receive traffic

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

2) You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default ssh port (22)

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT


To allow incoming traffic on the default Squid port (3128)

# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT


To allow incoming traffic on the default Apache port (80)

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To allow incoming traffic on the default samba ports

# iptables -A INPUT -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -p udp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT  

To allow incoming traffic on the default SNMP port  (161)

# iptables -A INPUT -p tcp --dport 161 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j ACCEPT

Now check the current configuration
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp


3) Once the above ports are allowed, we can drop all other incoming traffic.

# iptables -A INPUT -j DROP

Now check the rule
# iptables -L

For interface based access, add -i eth0 to a rule to limit it to that interface.

4) In the final step we have to allow the loopback interface. This rule must come before the DROP rule that now ends the chain, and since loopback carries a lot of traffic we insert it as the first rule so it is processed first.

#iptables -I INPUT 1 -i lo -j ACCEPT


5) To enable logging of dropped packets, insert a LOG rule directly before the final DROP rule. The position given to -I must be the DROP rule's slot in your chain (13 in the chain built above: lo, RELATED/ESTABLISHED, the ten service rules, DROP); check it with iptables -L --line-numbers before inserting.

# iptables -I INPUT 13 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

6) To save this configuration
# iptables-save >  /etc/sysconfig/iptables
or
#service iptables save 
#service iptables start

This configuration allows the listed ports and blocks all other incoming ports.

To manually edit the iptables config, you can also edit /etc/sysconfig/iptables directly.


IP Tables configuration for other Services

1) Iptables for default ldap port

# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 636 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned lines

-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT

2) Iptables for Backup Exec: see the Symantec Backup Exec section below

3) IP tables for smtp

 #iptables -A INPUT -p tcp --dport 25 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  25 -j ACCEPT 


4) iptables for smtps

 #iptables -A INPUT -p tcp --dport 465 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  465 -j ACCEPT

5) iptables for pop3 , pop3s

 #iptables -A INPUT -p tcp --dport 110 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 995 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport  995 -j ACCEPT

6) iptables for imap , imaps

 #iptables -A INPUT -p tcp --dport 143 -j ACCEPT
 #iptables -A INPUT -p tcp --dport 993 -j ACCEPT 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport  993 -j ACCEPT

7) iptables for webmin default port

 #iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT


8) IPtables for named, domain

 #iptables -A INPUT -p tcp --dport 53 -j ACCEPT
 #iptables -A INPUT -p udp --dport 53 -j ACCEPT 

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p tcp -m tcp --dport  53 -j ACCEPT
-A INPUT -p udp -m udp --dport  53 -j ACCEPT

9) iptables  for TFTP server

 #iptables -A INPUT -p udp --dport 69 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  69 -j ACCEPT


10) iptables configuration for DHCP server

#iptables -A INPUT -p udp --dport 67 -j ACCEPT
#iptables -A INPUT -p udp --dport 68 -j ACCEPT


or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  67 -j ACCEPT
-A INPUT -p udp -m udp --dport  68 -j ACCEPT

11) iptables for NFS server: see the NFS server section below

12) iptables for FTP server: see the VSFTPD section below


13) iptables  for NTP server

 #iptables -A INPUT -p udp --dport 123 -j ACCEPT

or manually edit /etc/sysconfig/iptables and add the below mentioned line

-A INPUT -p udp -m udp --dport  123 -j ACCEPT
 


Wednesday, May 19, 2010  IPTABLES, NFS  1 comment

Iptables for NFS server

Step 1

To enable NFS clients to access the NFS server we need to allow the following services.

a] TCP/UDP 111 - RPC 4.0 portmapper
b] TCP/UDP 2049 - NFSD (nfs server)
c] The NFS helper services (rquotad, lockd, mountd, statd), which by default use dynamic ports; static ports for them are set in the /etc/sysconfig/nfs file.

Port mapper assigns each NFS service a port dynamically at service startup time. Dynamic ports cannot be protected by a port filtering firewall such as iptables, so we need to configure static ports for these services.

Edit /etc/sysconfig/nfs and add the below mentioned lines

#vim /etc/sysconfig/nfs

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Save the file and restart the service

# service portmap restart
# service nfs restart
# service rpcsvcgssd restart



Step 2

IP tables configuration for nfs (port 111 is the portmapper listed in Step 1, 2049 is nfsd, the rest are the static ports set above)

#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 2049 -j ACCEPT
#iptables -A INPUT -p udp --dport 2049 -j ACCEPT
#iptables -A INPUT -p tcp --dport 662 -j ACCEPT
#iptables -A INPUT -p udp --dport 662 -j ACCEPT
#iptables -A INPUT -p tcp --dport 875 -j ACCEPT
#iptables -A INPUT -p udp --dport 875 -j ACCEPT
#iptables -A INPUT -p tcp --dport 892 -j ACCEPT
#iptables -A INPUT -p udp --dport 892 -j ACCEPT
#iptables -A INPUT -p tcp --dport 32803 -j ACCEPT
#iptables -A INPUT -p udp --dport 32769 -j ACCEPT
Now Save and restart iptables
# iptables-save > /etc/sysconfig/iptables
or
#service iptables save
#service iptables restart

Also you can manually edit /etc/sysconfig/iptables and add the below mentioned lines




-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 662 -j ACCEPT
-A INPUT -p udp -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m udp --dport 32769 -j ACCEPT

Wednesday, May 19, 2010  IPTABLES, VSFTP  1 comment

IPTABLES configuration for VSFTPD server

1) Add the following line in /etc/modprobe.conf so the FTP connection tracking helpers are loaded
alias ip_conntrack ip_conntrack_ftp ip_nat_ftp

or load them now without a reboot
# modprobe ip_conntrack_ftp
# modprobe ip_nat_ftp

2) Allow incoming traffic on the default Ftp port (21)

# iptables -A INPUT -p tcp --dport 21 -j ACCEPT

save this configuration

# iptables-save > /etc/sysconfig/iptables
or
#service iptables save

or manually edit /etc/sysconfig/iptables and add the below mentioned line
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Restart iptables
#service iptables start



Tuesday, May 18, 2010  IPTABLES, SSH  No comments

How to enable ssh port in iptables ?

Iptables Basic configuration: see the basic setup sections above.

Enabling source IP based access

Edit /etc/sysconfig/iptables and add the following lines

#vim /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1888:534373]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d x.x.x.x/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT

replace x.x.x.x with your interface ip (the -d match limits ssh to connections addressed to that ip)


Enabling interface based access

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1888:534373]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT

Restart iptables service
#service iptables restart
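A small audit of the /etc/sysconfig/iptables INPUT chain, added here as an example and not part of the original posts: it catches the ordering mistakes the iptables steps above can produce (an ACCEPT or loopback rule that ends up below the final DROP and so never matches, a missing RELATED,ESTABLISHED rule, or a LOG rule that is not directly before the DROP). Both rulesets are constructed.

```python
"""Audit the INPUT chain of an /etc/sysconfig/iptables file for ordering
mistakes: an ACCEPT that lands below the final DROP (and so never matches),
a missing RELATED,ESTABLISHED rule, or a LOG rule not directly before DROP."""
import shlex

# Constructed ruleset in the iptables-save format shown above.
GOOD = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
COMMIT
"""

# Constructed ruleset where DROP was appended before the loopback and ssh
# rules were added, so both sit below it and never match.
BAD = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_input_rules(text):
    """Return the '-A INPUT' rules in file order as {option: value} dicts."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        tokens = shlex.split(line)[2:]  # drop the leading '-A INPUT'
        opts, i = {}, 0
        while i < len(tokens):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                opts[tokens[i]] = True  # option without a value
                i += 1
        rules.append({"raw": line, "opts": opts})
    return rules


def catch_all_drop_index(rules):
    """Index of the unconditional '-A INPUT -j DROP', or None."""
    return next((i for i, r in enumerate(rules) if r["opts"] == {"-j": "DROP"}), None)


def audit_input_chain(text):
    """Return a list of problems; an empty list means the chain is sane."""
    rules = parse_input_rules(text)
    policy_drop = any(l.startswith(":INPUT DROP") for l in text.splitlines())
    drop_at = catch_all_drop_index(rules)
    reachable = rules if drop_at is None else rules[:drop_at]
    problems = []
    if drop_at is None and not policy_drop:
        problems.append("no default deny: append '-A INPUT -j DROP' or set the INPUT policy to DROP")
    if not any(r["opts"].get("-i") == "lo" and r["opts"].get("-j") == "ACCEPT" for r in reachable):
        problems.append("loopback traffic is not accepted before the DROP")
    if not any("--ctstate" in r["opts"] or "--state" in r["opts"] for r in reachable):
        problems.append("no RELATED,ESTABLISHED accept rule before the DROP")
    if drop_at is not None:
        if not reachable or reachable[-1]["opts"].get("-j") != "LOG":
            problems.append("dropped packets are not logged: put the LOG rule directly before DROP")
        for r in rules[drop_at + 1:]:
            problems.append("unreachable rule after DROP: " + r["raw"])
    return problems


def allowed_ports(text):
    """Set of (protocol, port) pairs that are actually accepted."""
    rules = parse_input_rules(text)
    drop_at = catch_all_drop_index(rules)
    reachable = rules if drop_at is None else rules[:drop_at]
    return {(r["opts"].get("-p", "all"), r["opts"]["--dport"]) for r in reachable
            if r["opts"].get("-j") == "ACCEPT" and "--dport" in r["opts"]}


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "open ports:", sorted(allowed_ports(text)))
        for problem in audit_input_chain(text) or ["no problems found"]:
            print("  ", problem)
```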


Linux iptables configuration for Symantec Backup Exec


Here I have described how to enable the Backup Exec agent ports in the Linux iptables configuration.
By default Symantec Backup Exec uses dynamic ports, so we have to configure a fixed dynamic port range on the Backup Exec server.
To configure the dynamic port range manually, follow the steps below.

In Symantec Backup Exec go to
Tools -- Options -- Network Security, check Enable remote agent TCP dynamic port range
and specify the port range manually. Port range 31821-32829


Restart the backup exec server

Now login to the linux machine and allow access for this port range (31821-32829) and for the Backup Exec agent VRTSralus, which runs on port 10000 (the default port for VRTSralus).
If webmin is running on the port 10000, edit /etc/webmin/miniserv.conf and change the default port to 10001


#iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
#iptables -A INPUT -p tcp --dport 32821:32829 -j ACCEPT

Now Save and restart iptables
# iptables-save > /etc/sysconfig/iptables
or
#service iptables save
#service iptables restart


Also you can manually edit /etc/sysconfig/iptables and add the below mentioned lines

-A INPUT -p tcp -m tcp --dport  10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport  32821:32829 -j ACCEPT 

IPTABLES NAT for fedora linux

If you have two network cards, eth0 and eth1, let's assume
eth0 is connected to the local network
eth1 is connected to the public network (or ppp0)

Masquerading

1) To enable nat for all local network users on eth0

If you are running iptables service,  use the following method

#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

To save these changes
#iptables-save > /etc/sysconfig/iptables
or  
#service iptables save
#service iptables restart

This will enable Masquerade. Now you can configure eth0 as the gateway for local network.

If you are not running iptables service
edit /etc/rc.local and add the below lines

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


Then execute /etc/rc.local

2) To enable nat on eth0 for specified network user ips

#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A POSTROUTING -s x.x.x.x(ip of local user system1) -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s x.x.x.x(ip of local user system2) -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 


Port Redirection

1) To redirect external port 80 traffic to port 3128

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

2) To redirect external rdp port traffic to the rdp port of any local system.

#iptables -t nat -A PREROUTING -p tcp -d x.x.x.x(eth1 ip) --dport 3389 -j DNAT --to x.x.x.x(ip of any local network system):3389
or, using a different external port
#iptables -t nat -A PREROUTING -p tcp -d x.x.x.x(eth1 ip) --dport 3382 -j DNAT --to x.x.x.x(ip of any local network system):3389


Monday, May 03, 2010  ACL, SQUID  No comments

How to enable Time based access in squid proxy server ?

Below you can find the squid time based access configuration.
Edit squid.conf and add the below mentioned lines

User Based restriction

acl USER1 proxy_auth raj
acl USER2 proxy_auth sam
acl DAY time 08:00-18:00
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2



Special Access
acl After_Office time SMTWHFA 20:00-24:00
acl Before_Office time SMTWHFA 00:00-08:30
acl Proxy_After8 proxy_auth user1 user2
http_access deny Before_Office # (Deny access to all users)
http_access deny After_Office !Proxy_After8 # (This will exclude user1,user2)
http_access allow ntlm_users
http_access deny all


IP Based Restriction
acl IPGROUP01 src 10.1.2.3 10.1.2.4
acl WORKINGHOUR time MTWHF 08:30-17:30
http_access allow IPGROUP01 WORKINGHOUR
http_access deny IPGROUP01
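How squid evaluates the user-based and IP-based rules above, as an added example that is not from the post: http_access lines are tried in order, a line applies only if every ACL on it matches, and when no line matches squid uses the opposite of the last line's action. The combined config and the request times are constructed, and only the proxy_auth, src and time ACL types used above are implemented.

```python
"""Walk squid's http_access evaluation for the ACLs above: the first
http_access line whose ACLs all match decides, and when no line matches
squid applies the opposite of the last line's action."""
from datetime import datetime

# The post's user-based and IP-based ACLs combined into one constructed
# config (squid reads the http_access lines in this order); 'all' is squid's
# built-in ACL.
CONF = """
acl USER1 proxy_auth raj
acl USER2 proxy_auth sam
acl DAY time 08:00-18:00
acl IPGROUP01 src 10.1.2.3 10.1.2.4
acl WORKINGHOUR time MTWHF 08:30-17:30
http_access allow USER1 DAY
http_access deny USER1
http_access allow USER2 !DAY
http_access deny USER2
http_access allow IPGROUP01 WORKINGHOUR
http_access deny IPGROUP01
http_access deny all
"""

# squid's day letters, indexed by datetime.weekday() (Monday == 0)
DAY_LETTERS = "MTWHFAS"


def parse(conf):
    """Return ({acl name: (type, args)}, [(action, [acl names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acl, user, ip, when):
    kind, args = acl
    if kind == "proxy_auth":
        return user in args
    if kind == "src":
        return ip in args
    if kind == "time":  # "[days] HH:MM-HH:MM"; no day letters means every day
        days, span = (args if len(args) == 2 else ("SMTWHFA", args[0]))
        start, end = span.split("-")
        return DAY_LETTERS[when.weekday()] in days and start <= when.strftime("%H:%M") <= end
    raise ValueError("unsupported acl type " + kind)


def decide(conf, user, ip, when):
    """Return 'allow' or 'deny' as squid would; when may be 'YYYY-MM-DD HH:MM'."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    acls, rules = parse(conf)
    last = "deny"
    for action, names in rules:
        last = action
        for name in names:
            negate = name.startswith("!")
            base = name.lstrip("!")
            hit = True if base == "all" else acl_matches(acls[base], user, ip, when)
            if hit == negate:  # this ACL did not match, so the line does not apply
                break
        else:
            return action
    return "deny" if last == "allow" else "allow"


if __name__ == "__main__":
    print(decide(CONF, "raj", "10.1.2.9", "2010-05-04 10:00"))  # allow
    print(decide(CONF, "sam", "10.1.2.9", "2010-05-04 10:00"))  # deny
```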




Monday, May 03, 2010  ACL, NTLM, SQUID  No comments

How to enable NTLM Auth in squid proxy server:

Step 1
Configure samba with winbind support

Step 2
Edit squid.conf and add the following lines

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic realm Squid Proxy server
auth_param basic credentialsttl 2 hour
auth_param basic children 5
auth_param basic casesensitive off
auth_param ntlm children 20
authenticate_cache_garbage_interval 10 seconds

acl ntlm_users proxy_auth REQUIRED

http_access allow ntlm_users
http_access deny all

Restart Squid proxy server
#service squid restart


How to Block skype on squid proxy server


Edit squid.conf and add the below mentioned lines. This will allow skype for user1 and user2 and deny it for everyone else.

acl numeric_IPs url_regex -i ^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
acl Skype_UA browser ^skype
acl Skype_Allowed_Users proxy_auth user1 user2

http_access deny numeric_IPs !Skype_Allowed_Users
http_access deny Skype_UA !Skype_Allowed_Users

http_access allow ntlm_users
http_access deny all



Install GLPI on a GNU/Linux Debian

We start by assuming that you have a running Debian Woody on your computer.

Apache, PHP and MySQL installation

First, install the Apache Web server (www.apache.org).
As GLPI is programmed in PHP, it is necessary to install the PHP module for Apache.
The use of the apt-get tool will make it easier.
As root (all commands below have to be entered as root):
hector# apt-get install apache php4
 
This will warn you of the packages that are about to be installed. You should say yes to these when prompted.
GLPI uses a MySQL (www.mysql.com) database for its back end, so it is necessary to install mysql-server and its associated PHP libraries.
hector# apt-get install mysql-server php4-mysql
 
We now have enough software to run GLPI, but there are some additional steps to perform.
First, we have to set a password for the root user of the MySQL server (for obvious security reasons).
hector# mysqladmin -u root password 'password'
 
Now we are going to create the glpidb database which will be used by GLPI.

hector# mysql -u root -p
enter password : *******
mysql> create database glpidb;
We are also going to create the glpiuser user (with a password) and give it the necessary rights :
mysql> grant all privileges on glpidb.* to glpiuser@localhost identified by 'glpiuser_password';
 
If you want to administer your database from an easy to use front end, you can install phpmyadmin. It's a MySQL database management tool written in PHP that you use from a web browser. An apt-get install phpmyadmin should be all you need to run to install it, but any additional steps required are out of the scope of this page.

Download and install GLPI

You now have to download the latest version of GLPI from the http://glpi-project.org website, "Download" section. (Debian has its own .deb package for GLPI available via apt-get, however this is currently several revisions behind the latest release.)
Then you have to unpack the tarball in the /var/www directory Apache created for you :
hector# tar -xvzf glpi-X.X.X.tar.gz -C /var/www/
 
Change directory to /var/www/glpi and give write rights to the folders the installer needs (mode 777 is wider than necessary; giving the web server user ownership of these folders is enough) :
hector# cd /var/www/glpi
hector# chmod 777 backups/dump glpi/config docs

GLPI Configuration

In your web browser, go to http://your_server/glpi where you should see a GLPI install page.
Follow the step-by-step instructions which will guide you through the install steps. Once the installer has completed you will be presented with the GLPI login page. To re-run this installer, in case of any errors or missed steps above, delete the following file :
  • /var/www/glpi/config/config_db.php
Deleting this file and re-visiting http://your_server/glpi will cause the installation script to re-run.