VLAN Access Control Lists

A customer asked me whether it is possible to block ping (ICMP) from host 1 to host 2 within the same VLAN.
Yes, this is possible if you use a so-called VLAN Access Control List (VACL). Unlike a router ACL on the SVI, a VACL is applied to traffic that is bridged inside the VLAN, which is exactly the case here.

It’s fairly easy to configure. First of all, create a vlan:
!
conf t
!
vlan 100
name Test
!

Then create an SVI (this is optional; the VACL filters traffic bridged within the VLAN whether or not the switch routes for it):
!
conf t
!
int vlan 100
ip address 10.0.0.254 255.255.255.0
no shut
!

Create an extended access list that matches the traffic you want to drop. Note that permit here means "match", not "allow"; the drop itself comes from the action in the access-map. As written the list matches ICMP from 10.0.0.1 to 10.0.0.2 only, so ping in the other direction is not covered:
!
conf t
!
ip access-list extended VACL_test
permit icmp host 10.0.0.1 host 10.0.0.2
!

Create the access-map:
!
conf t
!
! Sequence numbers are given explicitly so the drop entry is unambiguously
! evaluated before the forward entry (entries are checked in sequence order).
! The match clause points to the access list created earlier; everything it
! matches is dropped.
vlan access-map VACL_no_icmp 10
action drop
match ip address VACL_test
!
! No match clause means "match all remaining traffic": this entry forwards
! everything the first entry did not drop.
vlan access-map VACL_no_icmp 20
action forward
!

Now connect the access-map to the vlan:
!
conf t
!
vlan filter VACL_no_icmp vlan-list 100
!

Try pinging from host 1 (10.0.0.1) to host 2 (10.0.0.2) and you will see it is not possible. Try pinging your default gateway (10.0.0.254) and you will see this is possible: that ICMP flow is not in the access list, so it falls through to the forward entry. Keep in mind that host 2 can still ping host 1, because the access list only matches the one direction; add the reverse line if both directions must be blocked.
In other words, the VACL is functioning as intended.
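The complete configuration as an added example (not from the original post), extended to match ICMP in both directions and followed by the show commands used to verify what the switch actually applied. VLAN, addresses and the map name are the ones used above; the access list name VACL_test_bidir is chosen for this example.

```cisco
! Added example: bidirectional VACL for VLAN 100 plus verification.
conf t
!
ip access-list extended VACL_test_bidir
 permit icmp host 10.0.0.1 host 10.0.0.2
 permit icmp host 10.0.0.2 host 10.0.0.1
!
! Sequence 10 is evaluated first: anything the ACL permits (= matches) is dropped.
vlan access-map VACL_no_icmp 10
 match ip address VACL_test_bidir
 action drop
! Sequence 20 has no match clause, so it matches all other traffic and forwards it.
vlan access-map VACL_no_icmp 20
 action forward
!
vlan filter VACL_no_icmp vlan-list 100
end
!
! Verification: the map entries and their order, which VLANs the filter is
! bound to, and the access list with its hit counters (where the platform
! counts VACL hits).
show vlan access-map VACL_no_icmp
show vlan filter
show ip access-lists VACL_test_bidir
```

If a ping still gets through, check the show vlan access-map output first: a forward entry with a lower sequence number than the drop entry will match everything before the drop is ever reached.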

How to Install Cacti on Ubuntu

Recently I wrote a blog post about Smokeping. Although Smokeping is good at what it does, I needed more features than Smokeping offers.
The customer for whom I am setting up this monitoring needs more information, like CPU usage history or memory history. After some research I came across Cacti. Cacti is an open source solution with many possibilities, like latency polling, CPU usage, memory usage and bandwidth usage. Cacti can do a lot more, but for this customer the above are the key features.
Cacti is available for Windows and Linux. For this kind of tool I always use Linux, because 9 out of 10 times the tools work on Linux out of the box, while the Windows versions need a lot of tweaking and tuning.
Installing Cacti on Ubuntu:
  • First update your machine: sudo apt-get update (if you are behind a proxy server use sudo http_proxy=http://ip-address:port apt-get update)
  • Install Cacti: sudo apt-get install cacti
  • During the install you are asked for some passwords and the like; just follow the installer and everything will be fine
  • After installing, run the following CLI command: rrdtool create datafile.rrd DS:mysource:ABSOLUTE:900:0:10000000 RRA:AVERAGE:0.5:1:9600 RRA:AVERAGE:0.5:4:9600 RRA:AVERAGE:0.5:24:6000
  • Now open http://ip-address/cacti in a browser, follow the instructions and the installation is done
  • To actually monitor a device follow the next steps:
  • Click Console –> Devices –> Add and fill in the device details (the original post shows a screenshot of the form here)
  • Click Create
  • When the screen reloads some new options are available, "Associated Graph Templates" and "Associated Data Queries"; these are the options for monitoring the different types of devices.
  • To monitor the CPU load and Latency add “Cisco – CPU Usage” and “Unix – Ping Latency” to “Associated Graph Templates”
  • To monitor interface bandwidth add “SNMP – Interface Statistics” to “Associated Data Queries”
  • Click Save
  • Click Devices again, check the box next to the device, choose "Place on a tree" and click Go
To create the actual graph follow the next steps
  • Click new Graphs
  • Check the checkboxes of the interfaces/processes you want to monitor and click Create
  • Wait for five minutes (the poller runs every five minutes by default) and click Graphs


Now you can see the graphs, but they are not filled..... Damn!
This can be resolved by following the next steps:

  • Open the ping.pl script with sudo nano /usr/share/cacti/site/scripts/ping.pl; it will look like this:

#!/usr/bin/perl
# take care for tcp:hostname or TCP:ip@
$host = $ARGV[0];
$host =~ s/^tcp://i;   # strip a "tcp:" prefix (the original used $1, which is unset here)
# $host is interpolated into a shell pipeline; Cacti fills it from the device's hostname field.
open(PROCESS, "ping -c 1 $host | grep icmp_seq | grep time |");
$ping = <PROCESS>;
close(PROCESS);
$ping = "" unless defined $ping;   # no reply line at all (host down, name unresolved)
$ping =~ m/(.*time=)(.*) (ms|usec)/;
if (!defined $2 || $2 eq "") {
    print "U";       # avoid cacti errors, but do not fake rrdtool stats
} elsif ($3 eq "usec") {
    print $2/1000;   # re-calculate in units of "ms"
} else {
    print $2;
}


  • Change "icmp_seq" into "icmp_req" in the grep of the open() line, save the file and restart the server. This matches what the ping binary on that Ubuntu release printed; check the output of ping -c 1 <host> first, because recent iputils releases print icmp_seq again, and in that case the script needs no change.

Wait for a couple of minutes and you’ll see that the graphs are getting filled!
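An added example (not Cacti's own ping.pl) showing a replacement latency probe that handles both spellings of the sequence field, both time units, and the no-reply case, and that runs ping without a shell so the device hostname cannot carry shell metacharacters into the pipeline. It assumes iputils ping is installed and that Cacti calls it as python3 ping_latency.py <hostname>, expecting one number in milliseconds or "U"; the sample ping output is constructed, not captured from a real host.

```python
"""Replacement for Cacti's ping.pl: one ping, no shell, tolerant parser."""
import re
import subprocess
import sys

# iputils has printed "icmp_seq=" (old), "icmp_req=" (the releases this post
# targets) and "icmp_seq=" again (recent); accept both and read "time=<n> <unit>".
_REPLY_RE = re.compile(
    r"icmp_(?:seq|req)=\d+.*?\btime=(?P<value>[0-9.]+)\s*(?P<unit>ms|usec)"
)

# Only characters that can appear in a hostname or IP literal. Anything else
# (spaces, ';', '|', '$' ...) is refused instead of being handed to ping;
# the Perl version interpolates $host straight into a shell command line.
_HOST_RE = re.compile(r"^[A-Za-z0-9.:_-]+$")

# Constructed sample output (assumption: this is the iputils line format)
# covering the three cases the parser must handle.
SAMPLE_OUTPUT = {
    "icmp_req": "64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=0.423 ms",
    "icmp_seq_usec": "64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1250 usec",
    "no_reply": "--- 10.0.0.2 ping statistics ---\n"
                "1 packets transmitted, 0 received, 100% packet loss, time 0ms",
}


def strip_tcp_prefix(host: str) -> str:
    """Mirror the Perl script: Cacti may hand over 'tcp:hostname'."""
    return host[4:] if host.lower().startswith("tcp:") else host


def parse_latency(ping_output: str) -> str:
    """Return the round-trip time in ms as a string, or 'U' if no reply was parsed.

    'U' is what RRDtool stores as unknown, so a failed probe leaves a gap in
    the graph instead of a fake zero.
    """
    for line in ping_output.splitlines():
        m = _REPLY_RE.search(line)
        if m:
            value = float(m.group("value"))
            if m.group("unit") == "usec":
                value /= 1000.0  # re-calculate in units of ms
            return f"{value:g}"
    return "U"


def probe(host: str, timeout_s: int = 2) -> str:
    """Run a single ping with argv (no shell) and return what Cacti should record."""
    host = strip_tcp_prefix(host)
    if not _HOST_RE.match(host):
        return "U"  # refuse rather than pass junk to ping
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            capture_output=True, text=True, timeout=timeout_s + 3, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return "U"
    return parse_latency(result.stdout)


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "U")
```

Point Cacti's data input method at this script instead of ping.pl, with the same <hostname> argument; because it prints "U" on any failure, a down host produces a gap rather than an error in the poller log.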