Etherchannel 802.1q trunk between Cisco and Foundry

Foundry and Cisco both implement port grouping (load sharing) but are very different.  The following code snippets describe the configuration needed between the two very different platforms to create a working Etherchannel trunk.

On the Cisco, ports 23 and 24 form the group for port-channel1:

port-channel load-balance src-dst-ip

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!
interface GigabitEthernet1/0/23
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,3
switchport mode trunk
channel-group 1 mode on
!
interface GigabitEthernet1/0/24
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,3
switchport mode trunk
channel-group 1 mode on
!

Note that in Cisco, load balancing is per-stream and not per-packet like in Foundry. Therefore you must choose the load sharing type. I found that src-dst-ip balanced traffic the best. The default is MAC based which is terrible in a layer3 routed network.

On the foundry, using ports 47 and 48:

vlan 2 by port
 tagged ethe 1 ethe 47 to 48
!
vlan 3 by port
 tagged ethe 1 ethe 47 to 48
!
trunk ethe 47 to 48

And that’s it. But don’t forget to issue the following command the first time you set it up:

trunk deploy

I didn’t see any issues with the different load sharing algorythms on each end with some limited testing. I suspect that as long as the latency is the same across both links in the group there shouldn’t be any issues with out of order packets and such. Send and receive loads on both lines appears well balanced.

Citrix Xenserver – Expanding Local Storage

Twice now, I have had the (dis)pleasure of expanding our local storage on a couple of XenServer boxes.  In a nutshell, here is how it works:

1.  Expand physical disk (add more RAID members, ect).  Use the procedure specific to your RAID card.

2.  Use fdisk to expand the partition your Local Storage resides on:

[root@vps1a ~]# pvscan
PV /dev/sda3 VG VG_XenStorage-4c69467e-0352-5bd4-3dee-e17cc18aee08 lvm2 [923.64 GB / 380.14 GB free]
Total: 1 [923.64 GB] / in use: 1 [923.64 GB] / in no VG: 0 [0 ]

Note the bold type to the left, /dev/sda3 is the partition we want to expand by deleting and re-adding to the maximum size in fdisk.  After you do this, you need to reboot so the OS will recognize the larger partition.  The bold type to the right is the UUID we need later.

3.  After rebooting, now we can expand the physical LVM volume:

pvresize /dev/sda3

4.  Now we tell XenServer that we increased the size, so you can actually use your extra space:

xe sr-scan uuid=4c69467e-0352-5bd4-3dee-e17cc18aee08

Note:  The UUID was discovered in step 2.

5.  All done!

Notes:  Rebooting the XenServer host is a real pain.  It can be avoided by adding your extra space as a separate partition or disk, then using vgextend to join the LVM physical volumes, instead of fdisk to expand an existing partition.  Using the vgextend method at step 2, you don’t have to reboot, but you lose the redundancy of having RAID5 or RAID10 backing your whole volume.

Alternate Row Shading in Excel

One way to make your data legible is to apply cell shading to every other row in a range. Excel’s Conditional Formatting feature (available in Excel or later) makes this a simple task.

  1. Select the range that you want to format
  2. Choose Format, Conditional Formatting
  3. In the Conditional Formatting dialog box, select Formula Is from the drop-down list, and enter this formula:
    =MOD(ROW(),2)=0
  4. Click the Format button, select the Patterns tab, and specify a color for the shaded rows.
  5. Click OK twice to return to your worksheet.

The best part is that the row shading is dynamic. You’ll find that the row shading persists even if you insert or delete rows within the original range.

Cpanel – Globally disabling the Email Catch-All feature

Spammers love nothing more than launching dictionary attacks on unsuspecting domains using the ‘catch-all’ feature.  This causes multiple problems — the main issues are excessive server load, disk usage, and spam volume.  The worse issue is that once spammers catch on to the fact your domain has a catch-all, they will launch spam campaigns with your domain as the sending domain and all of their backscatter will flood your inbox with legitimate bounces.  If you haven’t been the target of backscatter, keep it that way and disable your catch-all!

The following how-to explains how to manually disable the catch-all on every site.  Since there is no way to prevent a user from re-enabling the catch-all in their Cpanel account, you might consider setting this up to run via Cron every hour or so.

First, back up the virtual aliases:

mkdir /etc/valiasesbackup
cp -p /etc/valiases/* /etc/valiasesbackup

Then, check which sites have a catch-all enabled:

grep '*:' /etc/valiases/* | egrep -v ':fail:'

Disable the catch-all on any site(s) with catch-all enabled. After you do this, run the previous command again to make sure it worked — if it does, it shouldn’t return anything.

sed -i 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/g' /etc/valiases/*

If something goes horribly wrong, you can restore the backup you just made:

cp -p –reply=yes /etc/valiasesbackup/* /etc/valiases

Enjoy

Cpanel / SuPHP Part 2 – Fix Ownership Issues

In addition to the correct chmod of files and folders (see part 1), you must ensure that all public_html files and folders have the correct (user and group) ownership.  The following Perl code will eliminate nobody/root ownership.  Place the Perl script into your /home directory and execute it.

#!/usr/bin/perl -w

my @dirs = grep -d,<*>;

foreach my $user (@dirs) {
`chown -R $user:$user $user/public_html/*`;
}

Cpanel / SuPHP – chmod All Files 644, All folders 755

When switching from DSO to SUPHP in cpanel (a must for anyone who takes security seriously on a public webserver), one must pay careful attention to the insecure permissions of user’s public_html folders.  The following commands will look in every user’s html folder and make the appropriate CHMOD to allow php to properly execute under SUPHP.  Don’t forget to also check for files owned by ‘nobody’ or ‘root’ — they will also fail with a 500 error.

find /home/*/public_html/ -type d -print0 | xargs -0 chmod 0755 # For directories
find /home/*/public_html/ -type f -not -name "*.pl" -not -name "*.cgi" -not -name "*.sh" -print0 | xargs -0 chmod 0644 # For files
find /home/*/public_html/ -type f -name "*.cgi" -print0 -o -name "*.pl" -print0 -o -name "*.sh" -print0 | xargs -0 chmod 0755 # For CGI/Scripts

UPDATE: Part 2 – Fixing Ownership

UPDATE: File permission command updated to exclude Perl/CGI. These still need to be 755 (not 644).

UPDATE: Exclude files in 644, add another for scripts/cgi. These still need to be 755 (not 644).