Thursday, December 16, 2010


If you need to pass the TSHOOT exam, you should get hands-on practice with the topology. Cisco has come up with a new exam scenario that you will not be able to pass by cramming alone. The main advantage is that they have published the exact exam topology, so you can practice on it before facing the exam. You can download it from the Cisco site. Those who need to pass the exam first need to clearly understand and practice the topology.
This GNS3 lab is designed to fit the above topology. It is built on the 3660 IOS, which is also included here. I practiced this on Ubuntu with 2 GB RAM and a 1.83 GHz dual-core processor with no problem.

How to start the LAB

* Download the zip file and extract it to the /home/gns3/Documents/ directory path.
* Load the configuration file.
* Start the lab.
* Log in to ASW1, ASW2, DSW1 and DSW2 and check whether VLANs 10, 20 and 200 are in the VLAN database with "show vlan-s". If not, add them manually using "vlan d" followed by the "vlan 10", "vlan 20", "vlan 200" and "exit" commands.
* Then you should see Client1 getting an IP address from DHCP.

This lab is similar to the exam topology given on the site. Practicing on it gave me a quick and correct approach to each ticket. Some of the configurations you need are not supported on this IOS. You can change the IOS and the configurations and try it.

This topology is configured with the following features.
L3 Security, VLANs, GRE Tunnel

Download the GNS3 config files with IOS here.
Or Click here to Download

Good luck.

Saturday, November 6, 2010

Configuration Similarities between Cisco and Huawei/H3c Products

I happened to use a Huawei product and saw lots of similarities between Cisco and Huawei configuration. Most of the commands seem to be synonyms of Cisco commands :). The following is a comparison of some of the commands.

| Cisco | Huawei / H3C |
|---|---|
| enable | system-view |
| show | display |
| show running-config | display current-configuration |
| hostname < Name > | sysname < Name > |
| ip route | ip route-static |
| interface vlan 1 | interface Vlan-interface1 |
| show processes cpu history | display cpu-usage history |
| show interface | display interface |
| line vty 0 4 | user-interface vty 0 4 |
| write | save |
| enable password | password simple |

If you are familiar with Cisco IOS, it will not be hard to understand the Huawei OS.

Wednesday, November 3, 2010

Squid Cache proxy with Cisco WCCP

WCCP is a convenient protocol for web caching with Cisco routers. The main reason is that you don't have to route traffic through the caching PC: you can keep the caching server as an ordinary PC on the LAN. WCCP will find the caching server and redirect the web traffic through it. The advantage is that if your caching server is down, you will still be able to access the Internet.

Configuration-wise, you need to enable WCCP on the Cisco router as follows, in global configuration mode.

ip wccp version 1
ip wccp web-cache

You need to enable cache redirection on the interface connected to the Internet as follows.

ip wccp web-cache redirect out

If the caching server is located in the same LAN, apply the following configuration on the LAN interface.
ip route-cache same-interface

On your Squid cache proxy you need to enable WCCP.
Open the /etc/squid/squid.conf file and uncomment the wccp_router and wccp_version directives as follows.

wccp_router < IP of the wccp router >
wccp_version 4

Now the Squid configuration is done. But if you monitor the traffic that reaches the Squid box, you may realize it is unable to cache the web traffic. This is because WCCP redirects web traffic encapsulated in GRE. Therefore you need to bring up a GRE interface just to decapsulate the packets and get at the encapsulated data.

modprobe ip_gre
ifconfig gre0 up

And assign an IP address just to bring the interface up.

ip addr add < IP address > dev gre0

Then enable IP forwarding and disable rp_filter.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Now you need to redirect the traffic that arrives on port 80 to the proxy service port.
iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Now you have finished configuring WCCP with the Squid box.

To troubleshoot, you can use the following commands on the Cisco router.

#sh ip wccp

Global WCCP information:
Router information:
Router Identifier:
Protocol Version: 1.0

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 263
Process: 49
Fast: 0
CEF: 263

#sh ip wccp web-cache detail
WCCP Client information:
WCCP Client ID:
Protocol Version: 0.4

#sh ip wccp web-cache view

WCCP Clients Visible:

Monday, August 30, 2010

Trip to Wasgamuwa Sanctuary and returning through Riverston.

Wasgamuwa sanctuary is located in the Central and North-Central Provinces and is bounded on the east by the Mahaweli river. It is a marvelous place to watch animals, including wild elephants, peacocks, deer and birds. You have to enter the sanctuary early in the morning to watch animals, preferably around 5.30 - 6.00 a.m. If you are traveling from Colombo, the recommended route is Colombo, Kandy, then along the Tannekumbura-Rikillagaskada highway to Hasalaka and Wasgamuwa. You can see the Randenigala dam on the way along this route.
When returning, you can take the route through Pitawala Pathana, Riverston, Matale and Colombo. Don't miss having a bath in the Illukkumbura natural pool.

I have attached some snaps herewith.

Friday, August 27, 2010

Simple Nagios NRPE bash plugin to check a URL or image existence.

Copy and paste the following Bash script and name the file check_url.


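#!/bin/bash
# Nagios plugin: check that a URL (page or image) answers with HTTP 200.

# --spider makes wget request the URL without downloading the body
VAR=`wget --spider "$1" 2>&1`
CHECK=`echo "$VAR" | grep '200 OK'`

if [ "$CHECK" != "" ]; then
    echo "LOGO OK - Site Logo exist site is up"
    exit 0
else
    echo "LOGO CRITICAL - Site logo missing site is down"
    exit 2
fi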

Save it in /usr/lib/nagios/plugins/ and make it an executable file: chmod +x check_url

Call check_url with the image path or link path you want to check as follows.
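A hardened variant of the plugin, as an added example that is not part of the original post: it accepts only http(s) URLs, bounds the run time, and maps wget's exit status to Nagios states instead of grepping for '200 OK'. The function names and output messages are this example's own.

```sh
#!/bin/sh
# Added example: hardened variant of the check_url plugin from this post.
# Function names and messages are this example's own.

# Translate wget's exit status into a Nagios state code (printed on stdout).
# wget: 0 success, 4 network failure, 5 TLS verification failure,
# 6 authentication failure, 7 protocol error, 8 server error response.
nagios_code_for_wget_rc() {
    case "$1" in
        0)         echo 0 ;;   # OK
        4|5|6|7|8) echo 2 ;;   # CRITICAL: target unreachable or returned an error
        *)         echo 3 ;;   # UNKNOWN: the check itself could not run properly
    esac
}

# Accept only http:// or https:// URLs. Anything else, including a value that
# begins with "-" and would be read by wget as an option, is rejected.
valid_url() {
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *)                    return 1 ;;
    esac
}

check_url() {
    if ! valid_url "$1"; then
        echo "URL UNKNOWN - usage: check_url http(s)://host/path"
        return 3
    fi
    rc=0
    # --tries/--timeout bound the run time; "--" ends option parsing
    wget --spider -q --tries=1 --timeout=10 -- "$1" || rc=$?
    code=$(nagios_code_for_wget_rc "$rc")
    case "$code" in
        0) echo "URL OK - $1 is reachable" ;;
        2) echo "URL CRITICAL - $1 failed (wget exit status $rc)" ;;
        *) echo "URL UNKNOWN - wget exit status $rc" ;;
    esac
    return "$code"
}

# Run as a plugin only when the file is installed under the name check_url
if [ "${0##*/}" = "check_url" ]; then
    check_url "$1"
    exit $?
fi
```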


Tuesday, July 6, 2010

Configure JIRA 4.0 with SSL/HTTPS and proxy with apache or nginx

When you use SSL together with an HTTPS proxy, it is recommended to configure SSL on the proxy gateway. If you do not, you may see that the JIRA gadgets do not load and give the following error.

We've detected a potential problem with JIRA's Dashboard configuration that your administrator can correct.
Dashboard Diagnostics: Mismatched URL Scheme

JIRA is reporting that it is using the URL scheme 'https', which does not match the scheme used to run these diagnostics, 'http'. This is known to cause JIRA to construct URLs using an incorrect hostname, which will result in errors in the dashboard, among other issues.

The most common cause of this is the use of a reverse-proxy HTTP(S) server (often Apache or IIS) in front of the application server running JIRA. While this configuration is supported, some additional setup might be necessary in order to ensure that JIRA detects the correct scheme.

The following articles describe the issue and the steps you should take to ensure that your web server and app server are configured correctly:

* Gadgets do not display correctly after upgrade to JIRA 4.0
* Integrating JIRA with Apache
* Integrating JIRA with Apache using SSL

If you believe this diagnosis is in error, or you have any other questions, please contact Atlassian Support.
Detailed Error

com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'https', does not match expected scheme 'http'

JIRA Configuration
You only need to edit the conf/server.xml file: add scheme, proxyName and proxyPort to the Connector as follows. Replace YOUR_DOMAIN with the domain name of your proxy.


<Connector port="8080" protocol="HTTP/1.1"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" useBodyEncodingForURI="true"
enableLookups="false" redirectPort="9443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"
scheme="https" proxyName="YOUR_DOMAIN" proxyPort="443" />


Now JIRA consider the as his https proxy.
consider if you use the jira as on your domain.

NGINX Configuration
Under listening port 80

# This redirects all traffic that comes in over http to https.
# Replace HTTPS_URL_OF_YOUR_JIRA with the https:// address of your JIRA.

server {
    listen 80;
    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        rewrite ^ HTTPS_URL_OF_YOUR_JIRA permanent;
    }
}


Under listening port 443

# Since we have enabled the https proxy in the JIRA Connector, we need to publish it here as an https proxy service.
# Replace JIRA_HOST with the host that runs JIRA on port 8080.

server {
    listen 443;

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://JIRA_HOST:8080/jira;
    }
}


If it is Apache

<VirtualHost *:443>
ErrorLog /var/log/apache2/ssl-error.log
LogLevel warn
CustomLog /var/log/apache2/ssl-access.log combined
ServerSignature On

SSLEngine On
SSLCertificateFile example.crt
SSLCertificateKeyFile example.key
SSLCertificateChainFile CA.crt

SSLProxyEngine on

<Proxy *>
Order deny,allow
Allow from all
#Allow from
</Proxy>

ProxyRequests Off
ProxyPreserveHost On

ProxyPass /jira http://localhost:8080/jira
ProxyPassReverse /jira http://localhost:8080/jira
</VirtualHost>

If you use an HTTP proxy instead of an HTTPS proxy, you only need to delete scheme="https" and change proxyPort="443" into proxyPort="80". Then do the proxying under HTTP on NGINX or Apache.

Wednesday, June 16, 2010

How to import a PEM type certificate and key into a Java key store

We tried lots of ways to do the above, but only the following worked for me.

PEM is the default format for OpenSSL. First convert the PEM format key and certificate into DER format as follows.

openssl rsa -in input.key -inform PEM -out output.key -outform DER
openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

Download the KeyTool IUI tool.
This tool lets you easily import the key and certificate into the key store.

Start KeyTool IUI as described in its readme file.

Import the DER type key and certificate into the key store as in the following image. I used cacerts "/etc/java-6-sun/security/cacerts" as the key store. The default password is "changeit".
The private key extension should be .der, the certificate extension should be .cer or .crt, and the key store should be .jks. If your files do not have those extensions, you have to rename them.
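A check worth running before the import, as an added example that is not part of the original post: it performs the two conversions shown above and confirms that the DER certificate carries the public key belonging to the DER private key. The function names and the work directory are this example's own; the output file names follow the post.

```sh
#!/bin/sh
# Added example (not from the original post): convert a PEM pair to DER and
# verify that key and certificate belong together before importing them.

# Arguments: key.pem cert.pem output-directory
# Runs the two conversion commands from the post.
pem_pair_to_der() {
    openssl rsa  -in "$1" -inform PEM -out "$3/output.key" -outform DER 2>/dev/null &&
    openssl x509 -in "$2" -inform PEM -out "$3/output.crt" -outform DER
}

# Arguments: key.der cert.der
# Succeeds only when both files parse as DER and the public key derived from
# the private key equals the public key embedded in the certificate.
der_pair_matches() {
    key_pub=$(openssl rsa -in "$1" -inform DER -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -inform DER -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh this_script input.key input.crt
if [ "$#" -eq 2 ]; then
    umask 077                      # the DER private key must not be world-readable
    work=$(mktemp -d) || exit 1
    pem_pair_to_der "$1" "$2" "$work" || { echo "conversion failed"; exit 1; }
    if der_pair_matches "$work/output.key" "$work/output.crt"; then
        echo "OK: key and certificate match, DER files are in $work"
    else
        echo "MISMATCH: this key does not belong to this certificate"
        exit 1
    fi
fi
```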

How to enable ssl on tomcat or JIRA

Since you have already imported the key and certificate file into the key store, make the following changes in ${tomcat/jira_home}/conf/server.xml

<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keyAlias="" keystoreFile="/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts" />

Note: make sure to set the keystoreFile parameter. The default keystoreFile file is ~homefolder/.keystoreFile. If you change the keystore password, set the keystorePass directive as well. The /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts path is a symlink to the /etc/java-6-sun/security/cacerts file.

Monday, June 14, 2010

Google Android, Nexus One perfectly works in Sri Lanka

The biggest competitor of the iPhone, the Google Nexus One, works fine in Sri Lanka. The phone comes with a capacitive touch screen (Nokia's resistive touch screen sucks ... :( ) that gives the same kind of feeling as the iPhone, and the 3.7-inch diagonal with 800x480 resolution gives more space on the screen, so it can be suggested as a great mobile for full-time Internet users :).
If you are planning to buy a Nexus One in Sri Lanka, it is recommended to get it through someone from the US, UK, Singapore or Hong Kong. Trusting eBay or Amazon is risky, and there is no guarantee of how much you will have to pay to customs.
It seems none of the local vendors has looked into the Nexus One market yet.

If you are buying a Nexus One you must buy a good data package, otherwise you won't get the full benefit of using it. It won't work with 3G/HSDPA out of the box; you will have to add the APNs manually.

How to add Dialog and Mobitel APNs to enable 3G/HSDPA on nexus one

Go to Settings → Wireless & Networks → Mobile networks → Access point Names

Click menu → New APN

Add the following according to your mobile operator.

Dialog WAP
Name = Dialog WAP

Dialog Broad Band
Name = Dialog Broad Band
APN = dialogbb

Mobitel Broad Band
Name = Mobitel Broad Band
APN = mobitelbb

Keep the rest of the fields empty.

You may have seen that there are two versions of the phone available, based on the 3G frequency.
850 MHz, 1900 MHz, and 2100 MHz frequency
900 MHz, AWS, and 2100 MHz frequency

Either version will work, because the 2100 MHz frequency range is used by SL mobile operators.

The following are my favourite applications available on Android.

Raging Thunder is a great car game controlled by the accelerometer.
connectBot is for you if you are a terminal user.
Google Sky Map is another awesome app to discover the night sky just by pointing your phone at space.
Shazam is an amazing music discovery engine that works just by listening to the music.
Documents To Go is for documents, spreadsheets and PowerPoint files.
Nimbuzz is for connecting all social chats together, including Skype.

The YouTube search browser, the Facebook mobile app, Google Maps and the Goggles picture search engine come as built-in apps on the Android OS.

It seems the Android community is growing faster than other mobile app communities. If you visit the Android Market you can see the apps developed in this short period of time. Hopefully the future will be better with Android...

Friday, May 14, 2010

Dump only selected tables of a mysql database

If you want to dump only selected tables of a MySQL database:

mysqldump -u user -p DBname TB1 TB2 > dump.sql

If you want to ignore some of the tables:

mysqldump -u user -p DBName --ignore-table=database.table1 --ignore-table=database.table2 > dump.sql

Thursday, May 13, 2010

Enable Apache proxy Service (mod_proxy / proxy_http)

The Apache proxy is used to expose different services (running on different ports) to the public as standard http, https and ftp services. It acts as the middle layer between the back end and the public.

Earlier, Apache came with the mod_proxy module, but it has been replaced with the proxy_http module in new Apache versions (2.2.12).

1) Enable the proxy_http or mod_proxy module
a2enmod proxy_http or a2enmod mod_proxy

2) Restart the server.
/etc/init.d/apache2 restart

3) Do the virtual hosting. The following vhost is for an http proxy service.

Assume you want to publish the service running on port 8080 as the default http service.

<VirtualHost *:80>
# DocumentRoot /home/httpd/
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

<Proxy *>
Order deny,allow
Allow from all
#Allow from
</Proxy>

ProxyRequests Off
ProxyPreserveHost On

# Replace BACKEND_HOST with the host that runs the service on port 8080
ProxyPass / http://BACKEND_HOST:8080/
ProxyPassReverse / http://BACKEND_HOST:8080/
</VirtualHost>

To expose a service running on 8083 as an https connection:

<VirtualHost *:443>
#DocumentRoot /home/httpd/

ErrorLog /var/log/apache2/ssl-error.log
LogLevel warn
CustomLog /var/log/apache2/ssl-access.log combined
ServerSignature On

SSLEngine On
SSLCertificateFile /etc/apache2/certs/example.crt
SSLCertificateKeyFile /etc/apache2/certs/example.key
SSLCertificateChainFile /etc/apache2/certs/CA.crt

SSLProxyEngine on

<Proxy *>
Order deny,allow
Allow from all
#Allow from
</Proxy>

ProxyRequests Off
ProxyPreserveHost On

# Replace BACKEND_URL with the address of the service on port 8083
ProxyPass / BACKEND_URL
ProxyPassReverse / BACKEND_URL
</VirtualHost>

Saturday, March 20, 2010

Configuring a RAID 1 array and replacing a failed device

This post explains how to configure RAID 1 on two identical HDDs using Debian and, in case of an HDD failure, how to add a new HDD.

First we assume you have booted from the /dev/sda HDD and that sda has sda1, sda2 and sda3 as ext3 partitions and sda4 as swap.

Configuring RAID 1 array

The RAID array will be managed through the mdadm package. First you need to install mdadm.
* apt-get install mdadm

Make sure the kernel modules are loaded at boot time
* add "md" and "raid1" modules to the /etc/modules file

Load the modules.
* modprobe raid1
* modprobe md

Using the lsmod command you can see the loaded modules.

Now your installation is on /dev/sda. You can copy the partition table to the second drive (/dev/sdb)
* sfdisk -d /dev/sda | sfdisk /dev/sdb

Start by configuring RAID on the second drive, because once you format the RAID array the data on it will be lost, and in case of a reboot you would face problems mounting the devices. Therefore first change the /dev/sdb partition types to fd, which is the Linux raid autodetect type.
* sfdisk --change-id /dev/sdb 1 fd
* sfdisk --change-id /dev/sdb 2 fd
* sfdisk --change-id /dev/sdb 3 fd

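Create the raid1 arrays and add the sdb devices. level=1 is for raid1, and "missing" leaves the second slot of each mirror open for the sda partition that is added later.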
* mdadm --create /dev/md1 --level=1 --raid-disks=2 missing /dev/sdb1
* mdadm --create /dev/md2 --level=1 --raid-disks=2 missing /dev/sdb2
* mdadm --create /dev/md3 --level=1 --raid-disks=2 missing /dev/sdb3

now format the array
* mkfs.ext3 /dev/md1
* mkfs.ext3 /dev/md2
* mkfs.ext3 /dev/md3

You need to mount the array devices on every boot, so edit the /etc/fstab file
proc /proc proc defaults 0 0
/dev/md1 / ext3 defaults 0 1
/dev/md2 /home ext3 defaults 0 2
/dev/md3 /mnt ext3 defaults 0 2

Note that the devices above are /dev/md1, /dev/md2 and /dev/md3 instead of the physical drives.

configure the grub

* sed 's/sda1/md1/' < /boot/grub/menu.lst_orig > /boot/grub/menu.lst
* update-grub

Reboot into single-user mode
* init 1

mount the array and sync all the data on /dev/sda
* mount /dev/md1 /media
* rsync -aqxP / /media
* umount /media

* mount /dev/md2 /media
* rsync -aqxP /home/ /media/
* umount /media

* mount /dev/md3 /media
* rsync -aqxP /mnt/ /media/
* umount /media

Then, to boot from /dev/sdb, set up the boot manager
* grub
* device (hd0) /dev/sdb
* root (hd0,0)
* setup (hd0)
* quit

Reboot the machine and add sda.
* sfdisk --change-id /dev/sda 1 fd
* sfdisk --change-id /dev/sda 2 fd
* sfdisk --change-id /dev/sda 3 fd

* mdadm --add /dev/md1 /dev/sda1
* mdadm --add /dev/md2 /dev/sda2
* mdadm --add /dev/md3 /dev/sda3

check the status
* watch cat /proc/mdstat

Comment out the last three lines of the /etc/mdadm/mdadm.conf file and add them again with the following
* mdadm --detail --scan >> /etc/mdadm/mdadm.conf

Replace failed HDD
Identify the failed drive
* cat /proc/mdstat

First mark the device as failed and then remove it from the array
* mdadm --manage /dev/md1 --fail /dev/sdb1
* mdadm --manage /dev/md1 --remove /dev/sdb1

* mdadm --manage /dev/md2 --fail /dev/sdb2
* mdadm --manage /dev/md2 --remove /dev/sdb2

* mdadm --manage /dev/md3 --fail /dev/sdb3
* mdadm --manage /dev/md3 --remove /dev/sdb3

Shut down the machine and start it again after adding the new drive. Then copy the partition table.
* sfdisk -d /dev/sda | sfdisk /dev/sdb

again add the new device to the array
* mdadm --manage /dev/md1 --add /dev/sdb1
* mdadm --manage /dev/md2 --add /dev/sdb2
* mdadm --manage /dev/md3 --add /dev/sdb3
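
For the "identify the failed drive" step, an added example (not part of the original post) that parses /proc/mdstat-style text and lists degraded arrays with any member flagged (F). The sample text is constructed for the md1..md3 layout used above, and the function name and the Nagios-style return code 2 are this example's own choices.

```sh
#!/bin/sh
# Added example: report degraded md arrays from /proc/mdstat-style text.

# Constructed sample in the layout of /proc/mdstat for the md1..md3 arrays
# built in this post: md3 is healthy, md2 has sdb2 marked faulty (F),
# md1 is running on one disk after the faulty member was removed.
SAMPLE_MDSTAT='Personalities : [raid1]
md3 : active raid1 sda3[0] sdb3[1]
      1951808 blocks [2/2] [UU]

md2 : active raid1 sda2[0] sdb2[1](F)
      48829440 blocks [2/1] [U_]

md1 : active raid1 sda1[0]
      9767424 blocks [2/1] [U_]

unused devices: <none>'

# Read mdstat text on stdin, print one line per degraded array and return
# 2 (Nagios CRITICAL) if any array is degraded, 0 otherwise.
mdstat_degraded() {
    awk '
        # Array header line, e.g. "md2 : active raid1 sda2[0] sdb2[1](F)"
        /^md[0-9]+ :/ {
            array = $1; failed = ""
            for (i = 3; i <= NF; i++)
                if ($i ~ /\[[0-9]+\]\(F\)/) {        # member flagged faulty
                    dev = $i; sub(/\[.*/, "", dev)
                    failed = (failed == "" ? dev : failed "," dev)
                }
            next
        }
        # Status line: "_" inside [UU] or [U_] marks a missing mirror half
        array != "" && /\[[U_]*_[U_]*\]/ {
            print array " degraded failed=" (failed == "" ? "none" : failed)
            bad = 1; array = ""
        }
        END { exit (bad ? 2 : 0) }
    '
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_degraded || echo "exit status $? (CRITICAL)"
```

On a live system the same function reads the kernel's view directly: mdstat_degraded < /proc/mdstat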

Sunday, February 14, 2010

Past memo

I am fragile now
having trying to
healing my paining and
emotions of you.

remember it was your birthday
I gave you the ring
and promised you to
Give the care protection.

One Smile of you
make me the happiest
One word of you
Build my dream castles.

Its paining to love someone
and not be getting in return
The day you show me up
felt like a body without a soul.

Though it's my B'day
I know you wouldn't mind
The only gift I have is
sorrow you left with me beside.

Even its hard to forget
I cant hate a one I loved
May you find the future you needed
with all the happiness wrapped up with my bless


Sunday, January 31, 2010

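Export and Import a MySQL database as CSV

Export into CSV
SELECT * FROM < table >
INTO OUTFILE '/tmp/result.txt' FIELDS TERMINATED BY ',';

Import into the database

LOAD DATA INFILE '/tmp/result.txt'
INTO TABLE < table > FIELDS TERMINATED BY ',';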

Sunday, January 17, 2010

Connect SVN with LDAP

If you are trying to authenticate the SVN (Subversion) system against LDAP, the following is the Apache configuration file.

Install the following package

apt-get install libapache2-svn

Then create the following vhost conf file, which loads the following modules.

#-------------------Start Conf file---------------------------------------

LoadModule ldap_module /usr/lib/apache2/modules/
LoadModule authnz_ldap_module /usr/lib/apache2/modules/
LoadModule dav_svn_module /usr/lib/apache2/modules/
LoadModule authz_svn_module /usr/lib/apache2/modules/

<Location /repo>
DAV svn
SVNParentPath /var/repo1/
SVNListParentPath On
SVNAutoversioning On
SVNReposName "Your Subversion Repository"
AuthzLDAPAuthoritative on
AuthType Basic
AuthName "Repo1 Subversion Repository"
AuthLDAPBindDN "CN=admin,DC=test,DC=com"
AuthLDAPBindPassword password
AuthLDAPURL "ldap://,DC=com?sAMAccountName?sub?(objectClass=*)"
Require valid-user
</Location>


#------------------------sample 2 -------------------------------
<Location /repo>
DAV svn
SVNParentPath /var/repo/
SVNListParentPath On
SVNAutoversioning On
SVNReposName "Repository"
SVNPathAuthz off

AuthBasicProvider ldap
AuthBasicAuthoritative on
AuthzLDAPAuthoritative off

AuthType Basic

AuthName "Repository"
AuthLDAPBindDN "cn=admin,dc=test,dc=com"
AuthLDAPBindPassword password
AuthLDAPURL "ldap://,dc=test,dc=com?uid"
Require valid-user
</Location>

If you need more detailed information, follow up with the following blogs.

Thursday, January 14, 2010

How to check the Hard Disk performance and health on Debian Systems

The probability of failure is highest for the HDD, because it is the most active part of a computer. Therefore it is better to keep an eye on it. The following are some of the ways we can check the HDD performance.

sudo apt-get install smartmontools

Get HDD info
smartctl -i /dev/sda

Model Family: Hitachi Travelstar 7K100
Device Model: Hitachi HTS721060G9SA00
Serial Number: MPCC12Y3GUPARE
Firmware Version: MC3OC10H
User Capacity: 60,011,642,880 bytes
Device is: In smartctl database [for details use: -P show]
ATA Version is: 7
ATA Standard is: ATA/ATAPI-7 T13 1532D revision 1
Local Time is: Thu Jan 14 19:54:34 2010 MVT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

Note: ATA Version 8 is a SATA HDD and 7 is IDE.

General overall HDD health

smartctl -H /dev/sda

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is

SMART overall-health self-assessment test result: PASSED

If it is not "PASSED", there is a problem with the HDD; take the necessary actions ASAP.

If you want more detailed output, use the following command to see the time taken by the short and long self-tests

smartctl -c /dev/sda

Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 35) minutes.

Then run the short or extended self-test as follows

smartctl -t short /dev/sda
smartctl -t long /dev/sda

Then check the self-test results

smartctl -l selftest /dev/sda

Check the disk temperature

smartctl -A /dev/sda | grep Temp

194 Temperature_Celsius 0x0002 103 103 000 Old_age Always - 53 (Lifetime Min/Max 19/66)

Or use the following tool

apt-get install hddtemp
hddtemp /dev/sda

If the temperature goes above 60 you may want to change the HDD soon.

Check HDD Speed

hdparm -tT /dev/sda