Configuring unique sensor names for snort-mysql

Typical Internet hunting was required to answer a very simple question: how do you make sure that the name of the sensor which writes events to a MySQL database is unique in the table? The answer is that you modify this file, /etc/snort/database.conf (at least in my installation), and set the "sensor_name=" parameter on the command line:

root@Snort-dc2:/etc/snort# cat database.conf

# database.config (Debian Snort database configuration file)


Built-in Management Interface on ASA5515-X shared by both the appliance and the internal CX/IPS or SFR module

Another thing which I thought I knew, but I didn't really... It seems that the dedicated Management0/0 interface on my ASA5515-X (now 5512-X) is shared by both the internal CX/IPS (now SFR) module and the firewall appliance itself. Currently I have this interface used only for the internal module on the appliance, and I have a VLAN subinterface, GigabitEthernet 0/1.6, specified for my management interface on VLAN 6, my management VLAN.

How Much Energy Do I Use?

I'm often told something like, "Wow, that must take a lot of power!" when I show someone my network layout.

Not really. Let's do some math...

1. ASA 5515-X NextGen Firewall: 65 watts steady state [200 max]
2. Cisco 2911 ISR2 Router: 50 watts (no cards), [165 max]
3. Cisco 3560-X 48-port switch: 121.59 watts [360 max]
4. Cisco 2504 WLC: 40 watts
5. Dell Poweredge 1950 III 1RU server: 123 watts [650 max] x 2 = 246 watts
6. Cisco Ironport C160 ESA: 123 watts (guesstimate)

NAT Issues with SMTP Server

I made a mistake setting up NAT on my edge router and my mail server was attempting to send email out my cable internet connection instead of my DSL connection. Only problem was, this ISP does not allow outgoing SMTP! The email backed up on my Cisco IronPort C160. Thankfully, there wasn't a lot of it. I was receiving email but none was getting out.

Dovecot IMAP server with Maildir format mailboxes

Google is indeed your friend! I had trouble with the following error: "Initialization failed: namespace configuration error: inbox=yes namespace missing". Turns out that a simple parameter was missing from the /etc/dovecot/conf.d/10-mail.conf file:

namespace inbox {
  inbox = yes
}

Trying to Setup Etherchannel between Cisco Catalyst switch and VMware vSwitch

I'm having a bit of an issue getting an Etherchannel up between my Catalyst 3560 switch and the standard vSwitch on my VMware ESXi 5.1 host. I'll keep on plugging away at it, but it seems like some of the articles that I've read (including knowledgebase articles on VMware's own site) as well as others disagree with each other. The key seems to be making sure that both the Cisco Catalyst switch and the VMware vSwitch agree on the right load-balancing metric for the Etherchannel.

LWAP Join Issues if WLC behind NAT

I found out something interesting when I was prepping some demonstrations for a Cisco Bring Your Own Device (BYOD) course which I'm delivering next week. It seems that while you *can* attach a Lightweight Access Point (LWAP) to a Wireless LAN Controller (WLC) across the Internet, problems may arise if the WLC is behind a NAT firewall. In my case, I'd like to bring an AP with me to the training venue and connect back to my WLC in my test lab.

Stacking IOS router EHWICs

I found out this weekend that when you add an additional HWIC-D-9ESW 9-port card to complement an existing HWIC-4ESW in a Cisco IOS router, the two cards do NOT talk to each other across the router backplane. In fact, you have to "stack" them, using an Ethernet port on each of the cards as a dedicated stacking port. In my case, my Cisco 2911 IOS router has an HWIC-4ESW in slot 0, subslot 0 and an HWIC-D-9ESW in slot 0, subslot 3. Thus, the port naming nomenclature for the 4-port card's ports is (Type/Slot/Subslot/Port), which yields Fa0/0/0 -> Fa0/0/3. Remember that while it *is* a switch card HWIC, the device is inserted in a router, meaning that the ports number up (right-to-left) from "0" instead of (left-to-right) from "1" as with a switch. Using the same logic, the port naming nomenclature for the 9-port card's ports is Fa0/3/0 -> Fa0/3/8. You can choose whichever switch ports you want for stacking. In my case, the switch cards are stacked by patching port Fa0/0/3 on the 4-port HWIC to Fa0/3/8 on the 9-port HWIC. This port on the 9-port HWIC is not PoE (as the others are), so Cisco recommends using this port. Interestingly, once the cards are patched/stacked together, you have to issue the stacking command on only one of the stacking partners. This is what the command looks like applied to one of the stacking ports:

PBR#show run int fa0/3/8
Building configuration...

Current configuration : 159 bytes
!
interface FastEthernet0/3/8
 description stack to HWIC-4ESW in slot 0 subslot 0
 switchport stacking-partner interface FastEthernet0/0/3
 no ip address


Once the switch ports are active, they form a stack. Interestingly, there's no separate command to verify that the stacking worked properly; you just have to infer it from: a) the partner EHWIC's stack port will automagically have the stacking command inserted in its config, and b) you can communicate with devices connected to the new EHWIC's ports. Also, when you do a "show interface" of the stack ports, they show up as "line protocol down" even when properly configured.