In summary, it is best to configure this via the Proxmox shell interface. In this setup, I choose to use a VLAN-aware Linux bridge. First, identify the network interface connected to the trunk port. In my case, I have the eth0 interface connected to the trunk interface and vmbr0 as the bridge. We have 2 VLANs, VLAN 100 with subnet 192.168.100.0/24 and VLAN 200 with subnet 192.168.200.0/24.
We are required to connect the Proxmox Server with a trunk port or a network connection with tagged VLANs. If the trunk port is configured properly, then there should not be any issues configuring the Proxmox server side. Please have a read on this page from Proxmox themselves.
In summary, it is best to configure this via the Proxmox shell interface. In this setup, I choose to use a VLAN-aware Linux bridge. First, identify the network interface connected to the trunk port. In my case, I have the eth0 interface connected to the trunk interface and vmbr0 as the bridge. We have 2 VLANs, VLAN 100 with subnet 192.168.100.0/24 and VLAN 200 with subnet 192.168.200.0/24.
0 Comments
This is my experience on the installation of the FUSE filesystem to mount Google Drive on Linux systems since sometimes the PPA sources are broken or not syncing. The steps below are steps applicable on Debian/Ubuntu systems. In my case, I installed this on Kali Linux. First, we update the system. sudo apt update; sudo apt upgrade -y Then we install the opam before installing the package. sudo apt-get install opam FreeRDP has not updated some of the pages of their user wiki for quite sometime. As such, when I was using xfreerdp with this command. $ xfreerdp /v:[ip_address] /u:[domain]\[user] /p:[password] I encountered this error [22:53:30:886] [1619223:1619224] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 I was a bit dumbfounded as using the same credentials with Microsoft RDP client (mstsc) works. So after some digging, I found out with this version of FreeRDP [ version 2.11.2], I just need to separate the domain. $ xfreerdpp /v:[ip_address] /d:[domain] /u:[user] /p:[password] Hope this helps someone. These are quick shortcut keys in Notepad++ to use capitalization and uppercase.
Hope this helps! This is an error I encountered while running one of my virtual machines in VirtualBox. From Stack Overflow, these were these ere three common culprits for the type of error the user is seeing:
To restore the Windows 10 native task manager from the Process Explorer of Sysinternals, you need to delete this registry key (requires an administrative command prompt). reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" Hope this helps! While I (haphazardly) upgraded my Debian box from 8.8/Jessie to 9.0/Stretch, it also upgraded the FreeRADIUS service from 2.2.5 to 3.0.12. With this foolish upgrade, the RADIUS service stopped working.
After inspecting all config files and copying all the required configurations to the appropriate config, I manage to restart the RADIUS services (maybe I was lucky). Below are my notes in order to migrate (i.e successfully recover) from FreeRADIUS 2.2.5 to 3.0.12 in Debian LInux ("Stretch"). These are the rsyslog templates I configured using the configuration guide discussed by UnterGeek here. In my setup, the log server collects logs from multiple devices and I need to store the logs in JSON format and also forward them to logstash/elasticsearch/kibana (ELK) system. The first template is used to collect logs from the device and save them in a file with a format using its source IP address and the current day (YEAR-MONTH-DAY.log). Dont forget to create the target directory. template (name="devicelog" type="string" Next template is used for parsing the logs into JSON format. template(name="json_syslog" Then we use these templates to process the syslog of interest. if $fromhost-ip == '10.x.x.x' then { Remember to restart the rsyslog service in order to take effect. Whenever I reset these Juniper SRX firewall to its "factory-defaults", they are always pre-configured with specific settings which is explained in the below factory default for a Juniper SRX220 firewall. # Specific DNS servers While configuring a Brocade FastIron Switch (ICX7250) for RADIUS management, I did not pay attention to the subtle notes on the configuration guide from Brocade documentation. It says from their website.
"Brocade devices support authentication using up to eight RADIUS servers, including those used for 802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the Brocade device tries the next one in the list. Servers are tried in the same sequence each time there is a request." If you have multiple RADIUS servers used for remote management (SSH/Telnet/Console), the order it is configured/added is the order they are contacted. The issue appears when adding support for 802.1x/NAC on the switches which needs to authenticate devices to RADIUS/EAP. If the same lists of RADIUS servers are to be used for 802.1x/EAP, then this should not be an issue. If you use a different set of RADIUS servers for remote management and a another set of RADIUS servers for 802.1x/NAC, we would need different approach. We have been handling cluster of TippingPoint NGFW for quite a while now. These NGFW cluster are configured to function only as inline Intrusion Detection/Prevention System. One thing I want to share is my experiences with the Configuration "Out-of-Sync" issue which pops up every now and then whenever we make changes on the Active device and then "push configuration to peer" to the Passive device. As observed from my end, these "Out-of-Sync" issue only occurs when I configured the IPS filter exception rules on the Active device. However in general, these are rectified by manually comparing the two devices configuration. Below is my scenario and the steps I have undertaken. After making changes on the Active NGFW, I manually pushed the configuration via CLI. NGFW1{}high-availability push-config While upgrading a Brocade ICX7250 firmware from version 8.0.30 to 8.0.40, I noticed issues on the ssh (scp) client of the switch while transferring firmware from a Linux SSH server. I executed this command on the Brocade switch with management IP (10.1.1.101) to copy the firmware (spz10106.bin) from the SSH server (10.1.1.111) SSH@TEST-SW1-7250#copy scp flash 10.1.1.111 spz10106.bin primary Below is the error logs from the Linux server (10.1.1.111). Jan 8 17:57:13 linux_server sshd[19405]: fatal: Unable to negotiate with 10.1.1.101 port 7509: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth] As part of the security hardening policies, I needed to secure access to the Riverbed Steelhead with RADIUS authentication. Since I already have a FreeRADIUS (v.2.2.5) in Debian Linux (8.6) running in the environment (currently used to authenticate with our network devices i.e. Cisco, Comware, Junos, Brocade), I only needed to follow the Steelhead Deployment Guide for RADIUS Configuration. However, it seem Riverbed forgot to update their documentation to reflect the latest FreeRADIUS. I will post here my configuration experience for RADIUS configuration of Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide. First, update the FreeRADIUS clients file (/etc/freeradius/clients) # Steelhead device The BIG-IP Virtual Edition (VE) does not officially supports Virtualbox but there is a workaround posted by Tim Rupp in the F5 support. It was quite extensive but following it made headways for me getting the image working in Virtualbox (version 5.1.12) If you don't follow his recommendations and just import the OVA in Virtualbox, you will get a similar error below for the BIG-IP LTM VE image (BIG-IP LTM IDE OVA VE version 12.1.1) Failed to import appliance BIGIP-12.1.1.2.0.204.LTM-ide.ova. We have been running wired 802.1x/NAC for quite awhile and managed to stabilized/chink out some issues. In this, post I will provide ONLY the configuration template on the HP Comware 5.2 switches. For the RADIUS/NPS setup, kindly search Microsoft NPS RADIUS configuration. For clients side, 802.1x supplicant should be enabled/configured. Below are configuration steps and template to enable 802.1x on HP Comware switches. Step 1: Configure RADIUS Scheme radius scheme <radius_servers_scheme> I have encountered issues with RADIUS authentication with updated version of Comware 7. In my case, I was over my head when we upgraded our HP 5130 switch from Comware version 7.1.045 Release 3109P09 to Comware version 7.1.045 Release 3112. With the same configuration, RADIUS authentication suddenly stops working as such I was forced to use local authentication. I had the resulting RADIUS debug logs from the switch to showed my problem. *Jan 1 20:49:49:596 2013 HPE RADIUS/7/PACKET: After some debugging, I found out the multiple CIsco-AVPair strings are causing the problem. Selecting only one "shell:roles="network-admin"" in the RADIUS server fixed the issue.
In the latest version as of this writing, Comware version 7.1.045 Release 3113P05 seems to be fixed as it can now receive multiple Cisco AVPair strings. Hopefully this helps others with the same problem. In Juniper SRX cluster firewalls, we have always managed to poll the SNMP information thru the management port. In ourcluster, we have interface fxp0 as the management interface. Basic SNMP configuration can be easily found from Juniper support site. Below is a simple configuration. # Basic SNMP information I have been using HPE IMC (Intelligent Management Center) for quite awhile and have been using it to fit my needs in my daily network operations activities. One of them is receiving emails notifications when a device/network goes offline and recovers.
By default, IMC generates alarms for devices which are detected to have faults. In IMC 7.x, it uses a number of monitors to check on the health of a device. This include ICMP, SNMP (polling, traps), Syslog among other things. For ICMP (Ping) packets, it generates an alarm when the "device does not respond to Ping packets". However, when the devices "recovers" meaning it now responds back to the ICMP echo request by default IMC does NOT generate notifications for these recovered devices. In network monitoring, it is very essential to know when a network is suddenly not reachable, it should notify back when it comes back online (i.e. power restored, network no longer congested). This is very important especially when monitoring a number of devices. Kindly refer to this Post from Linsay Hill in configuring HPE IMC for Email Alerts as well as getting getting Emails Notifications for Recovered Alarms. This post is provided for version lower than IMC 7.x. which will augment the above URL this with my current Setup. Ubuntu data recovery adventure (unknown filesystem type 'linux_raid_member' & 'LVM2_member')16/3/2016 We had a data recovery problem from a colleague which had a hard drive from some old storage array device. In this endeavor, we took the challenge of using Ubuntu to mount and recover the data from the hard drive. After physically mounting (yes we needed to turn off the machine and connect using IDE cable), we checked its format. root@ubuntu:~# fdisk -l /dev/sdb The main chunk of the data is located in the /dev/sdb2 partition. We then we tried mounting it. root@ubuntu:~# mount /dev/sdb2 /opt/mnt/ This post is for determining the values for the SNMP MIB OID for CPU usage, Memory Usage and Temperature reading for HP (H3C) Comware network devices. For all who knows the HP Comware platform, these are devices originally from the H3C (Huawei 3COM joint venture) which still operates in China. As such, the SNMP MIB tree for these HP Comware devices still used the H3C MIB Tree. Using the information from this site from H3C, we determined the MIB OID for CPU, Memory and Temperature Object: hh3cEntityExtCpuUsage (% Percent) This is a Logstash filter configuration I have used when parsing CEF (Comment Event Format) logs which I need to stored in JSON format. Below are the CEF syslog generated by a TippingPoint NGFW for IPS alerts IPS Alert Log for ICMP CEF logs have standard header (PREFIX) delimited by "|" and then followed by a variable length of data (EXTENSIONS) which are mapped with corresponding "=" character. Below is the logstash filter configuration I used from which I referenced from here.
A long time ago, I was using RANCID to backup and manage all configurations from network devices or anything that has telnet/ssh CLI access. Over the period of time, I hardly maintained and updated. Then I installed a network device tracking database (NetDB) which is used to tracked all devices connected to the network where MAC addresses and IP addresses are collected and stored.
During this implementation and fine tuning (NetDB version 1.12), I stumbled on an undocumented option where the PERL script can call a function to collect the device configuration. This is done by invoking the equivalent "show configuration" for every vendor/product. I modified this a bit which included my contribution for HP Comware scraper which can also extract the device configuration via "display current-configuration". For many years now, I have been using Cacti as the old school network monitoring system. This is a classical network monitoring system which you install, configure and forget as I runs without much maintenance.
Then someone asked me the network utilization graph for one of the MPLS links (20Mbps) which is currently peaking at 10Mb. In this graph, we have the Y-axis (left side) set at 10M max at this moment. I was asked if I can fixed the axis at 20Mb to give indication to the viewer that we still have enough traffic capacity for this MPLS link This is an updated post for the RADIUS authentication for SSH to HP Comware network devices running version 7.0. My previous post only supports Comware 5.2. The only changes needed is to edit the Freeradius users configuration file. netadmin Cleartext-Password := "netadmin" I have added here updated configuration changes that will allow the account to access both HP Comware 5.2 and 7.0 as well as Cisco IOS network devices. Enjoy! After reading this cookbook for HP Comware and Cisco interoperability, I noticed that RIP (Routing Information Protocol) is not discussed. Though it is not so famous as OSPF, I though of sharing configurations for RIPv2 (RIP version2) for HP Comware and Cisco IOS network device. Below is my test setup between a Cisco Catalyst Switch 3750 (IOS Version 12.2(55)SE8) and HP AMSR-3020 Router (Comware Version 5.20.106 Release 2513P11) +-----------+ +-----------+ |
Certified Geek
A Certified Geek who blogs anything geeky he comes across mostly in Linux and Networking. Archives
February 2024
Categories
All
|