Thursday 27 January 2011

Learning IPv6 Part 1

Still thinking a lot about IPv6 and not doing too much yet.

I have updated an old Netscreen 5GT to its highest recommended firmware (5.4.0r19) which supports IPv6 and enabled it. Setting up rules etc is pretty much the same as for IPv4 and I can't see there being any big issues there. I have two options for getting it on the net - get an IPv6 allocation from BT (working on it) or use a tunnel broker (for example Hurricane Electric). Either way I'll need to have my Netscreen 5GT directly connected to the internet outside our firewall and at the moment our incomming internet is wired directly to our firewall. I'll need to unplug our net and install a switch so I can split the incomming traffic, which means getting to the office before anyone else. Some day soon.

One thing I still have not got my head arround is how to allocate IP addresses inside the company. I know the basic idea is the same as if we had an IPv4 /24 to play with, setting lots of different subnets up for different roles. My problem is just the sheer scale - with IPv6 we could have Thousands of subnets and being so used to the limited scope of IPv4 its hard to decide on a setup which is at the correct grain - too many subnets will be a pain to maintain and too few will lead to issues later on. Without experience it will be tricky to get that right. Also if I were to go for one subnet for printer class devices, one for each departments desktops, one for the main servers, one for our public facing servers etc how well would that interact with our current setup where all printers/desktops/internal servers are on the same subnet?  Having two seperate overlapping topographies could get interesting....

Tuesday 18 January 2011

Debian snmpd not listening on network interfaces

By default snmpd on Debian listens on the local loopback address only.  To fix this you don't exit the /etc/snmp/snmpd.conf (that would be far too obvious).  The file you need to edit is /etc/default/snmpd and change the following line:

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/'
to read
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/'

Snmpd will now listen on all network interfaces.  While setting it to be more limited by default is a good design idea for security, I have trouble understanding the separate configuration location for this especially as if you look at the init script in /etc/init.d/snmpd that starts the daemon it has a SNMPDOPTS variable used when starting the service that does not include this restriction!  Following the startup to work out what is happening seems to indicate taht the restriction does not exist.  A little note in snmpd.conf mentioning this separate defaults file would be very helpful!