# Specific DNS servers
set system name-server 18.104.22.168
set system name-server 22.214.171.124
# VLAN 0 configured with web management enabled
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
# DHCP service enabled for 126.96.36.199/24
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
# Untrust Zone enabled, default IDS protection and mapped to the first interface
set security zones security-zone untrust interfaces ge-0/0/0.0 ...
set security zones security-zone untrust screen untrust-screen
set security screen ids-option untrust-screen ...
Whenever I reset a Juniper SRX firewall to its "factory defaults", it always comes pre-configured with specific settings, which are explained here using the factory-default configuration of a Juniper SRX220 firewall.
While upgrading a Brocade ICX7250 firmware from version 8.0.30 to 8.0.40, I noticed issues with the SSH (SCP) client of the switch while transferring the firmware from a Linux SSH server.
I executed this command on the Brocade switch with management IP (10.1.1.101) to copy the firmware (spz10106.bin) from the SSH server (10.1.1.111):
SSH@TEST-SW1-7250#copy scp flash 10.1.1.111 spz10106.bin primary
Below are the error logs from the Linux server (10.1.1.111).
Jan 8 17:57:13 linux_server sshd: fatal: Unable to negotiate with 10.1.1.101 port 7509: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
As part of the security hardening policies, I needed to secure access to the Riverbed Steelhead with RADIUS authentication. Since I already had a FreeRADIUS server (v2.2.5) running on Debian Linux (8.6) in the environment (currently used to authenticate our network devices, i.e. Cisco, Comware, Junos, Brocade), I only needed to follow the Steelhead Deployment Guide for RADIUS configuration. However, it seems Riverbed forgot to update their documentation to reflect the latest FreeRADIUS version.
I will post here my experience configuring RADIUS on the Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide.
First, update the FreeRADIUS clients file (/etc/freeradius/clients):
# Steelhead device
The BIG-IP Virtual Edition (VE) does not officially support VirtualBox, but there is a workaround posted by Tim Rupp on F5 support. It is quite extensive, but following it I made headway in getting the image working in VirtualBox (version 5.1.12).
If you don't follow his recommendations and just import the OVA in VirtualBox, you will get an error similar to the one below for the BIG-IP LTM VE image (BIG-IP LTM IDE OVA VE version 12.1.1):
Failed to import appliance BIGIP-188.8.131.52.0.204.LTM-ide.ova.
We have been running wired 802.1X/NAC for quite a while and have managed to stabilize it and iron out some issues. In this post I will provide ONLY the configuration template for HP Comware 5.2 switches. For the RADIUS/NPS setup, kindly search for Microsoft NPS RADIUS configuration. On the client side, the 802.1X supplicant should be enabled and configured.
Below are the configuration steps and template to enable 802.1X on HP Comware switches.
Step 1: Configure RADIUS Scheme
radius scheme <radius_servers_scheme>
I have encountered issues with RADIUS authentication on an updated version of Comware 7. In my case, I was in over my head when we upgraded our HP 5130 switch from Comware version 7.1.045 Release 3109P09 to Comware version 7.1.045 Release 3112. With the same configuration, RADIUS authentication suddenly stopped working, so I was forced to fall back to local authentication.
The RADIUS debug logs from the switch showed my problem.
*Jan 1 20:49:49:596 2013 HPE RADIUS/7/PACKET:
After some debugging, I found out that multiple Cisco-AVPair strings were causing the problem. Selecting only one, shell:roles="network-admin", in the RADIUS server fixed the issue.
In the latest version as of this writing, Comware version 7.1.045 Release 3113P05, the problem seems to be fixed, as it can now receive multiple Cisco-AVPair strings.
Hopefully this helps others with the same problem.
In Juniper SRX cluster firewalls, we have always managed to poll SNMP information through the management port. In our cluster, interface fxp0 is the management interface. Basic SNMP configuration can easily be found on the Juniper support site. Below is a simple configuration.
# Basic SNMP information
I have been using HPE IMC (Intelligent Management Center) for quite a while and have adapted it to my needs in daily network operations. One of them is receiving email notifications when a device or network goes offline and when it recovers.
By default, IMC generates alarms for devices which are detected to have faults. In IMC 7.x, it uses a number of monitors to check the health of a device. These include ICMP, SNMP (polling, traps) and Syslog, among other things. For ICMP (ping) packets, it generates an alarm when the "device does not respond to Ping packets". However, when the device "recovers", meaning it responds again to ICMP echo requests, by default IMC does NOT generate notifications for these recovered devices. In network monitoring, it is essential to know when a network suddenly becomes unreachable, and it should also notify you when it comes back online (i.e. power restored, network no longer congested). This is very important, especially when monitoring a number of devices.
Kindly refer to this post from Lindsay Hill on configuring HPE IMC for email alerts as well as getting email notifications for recovered alarms. That post was written for versions lower than IMC 7.x; this post augments it with my current setup.
We had a data recovery problem from a colleague who had a hard drive from some old storage array device.
In this endeavor, we took on the challenge of using Ubuntu to mount the hard drive and recover the data from it.
After physically mounting it (yes, we needed to turn off the machine and connect it using an IDE cable), we checked its format.
root@ubuntu:~# fdisk -l /dev/sdb
The main chunk of the data is located in the /dev/sdb2 partition. We then tried mounting it.
root@ubuntu:~# mount /dev/sdb2 /opt/mnt/
This post is for determining the SNMP MIB OIDs for CPU usage, memory usage and temperature readings on HP (H3C) Comware network devices. For all who know the HP Comware platform, these devices originally came from H3C (the Huawei-3Com joint venture), which still operates in China. As such, the SNMP MIB tree for these HP Comware devices still uses the H3C MIB tree. Using the information from this site from H3C, we determined the MIB OIDs for CPU, memory and temperature.
Object: hh3cEntityExtCpuUsage (% Percent)
This is a Logstash filter configuration I have used when parsing CEF (Common Event Format) logs which I need to store in JSON format. Below are the CEF syslog messages generated by a TippingPoint NGFW for IPS alerts.
IPS Alert Log for ICMP
CEF logs have a standard header (PREFIX) delimited by "|", followed by a variable-length list of key=value pairs (EXTENSIONS). Below is the Logstash filter configuration I used, which I referenced from here.
A long time ago, I was using RANCID to back up and manage configurations from network devices, or anything that has telnet/SSH CLI access. Over time, I hardly maintained or updated it. Then I installed a network device tracking database (NetDB), which is used to track all devices connected to the network; their MAC addresses and IP addresses are collected and stored.
During this implementation and fine-tuning (NetDB version 1.12), I stumbled on an undocumented option where the Perl script can call a function to collect the device configuration. This is done by invoking the equivalent of "show configuration" for every vendor/product. I modified this a bit, and my contribution includes an HP Comware scraper which can also extract the device configuration via "display current-configuration".
For many years now, I have been using Cacti as my old-school network monitoring system. This is a classic monitoring system which you install, configure and forget, as it runs without much maintenance.
Then someone asked me for the network utilization graph of one of the MPLS links (20Mbps), which is currently peaking at 10Mb. In this graph, the Y-axis (left side) is set to a 10M maximum at the moment. I was asked if I could fix the axis at 20Mb to indicate to the viewer that we still have enough traffic capacity on this MPLS link.
This is an updated post on RADIUS authentication for SSH to HP Comware network devices running version 7.0. My previous post only supports Comware 5.2. The only change needed is to edit the FreeRADIUS users configuration file.
netadmin Cleartext-Password := "netadmin"
I have added here the updated configuration changes that allow the account to access both HP Comware 5.2 and 7.0 as well as Cisco IOS network devices.
After reading this cookbook on HP Comware and Cisco interoperability, I noticed that RIP (Routing Information Protocol) is not discussed. Though it is not as well known as OSPF, I thought of sharing configurations for RIPv2 (RIP version 2) between HP Comware and Cisco IOS network devices. Below is my test setup between a Cisco Catalyst 3750 switch (IOS Version 12.2(55)SE8) and an HP AMSR-3020 router (Comware Version 5.20.106 Release 2513P11).
In our environment, we have an HP IRF (Intelligent Resilient Framework) switch cluster running between two HP A7500 chassis connected via two 10Gb fiber interfaces.
I used to post on Blogsome a couple of years ago, until the site closed down. There, I posted about RANCID, which is a set of Perl scripts used to monitor network device configurations and maintain a history of changes via CVS (Concurrent Versions System). Here are some of my posts about RANCID (version 2.3.2), now archived on the Internet, which might be of use to someone interested in RANCID and customizing it.
RANCID under the hood (posted October 23, 2011)
This post shows the internal workings of RANCID: how it works, which scripts are executed and how they depend on each other.
RANCID additional commands (posted November 2, 2011)
Normally, RANCID executes a fixed set of commands when connecting to network devices; this post discusses how to include additional commands.
RANCID Customization (posted November 9, 2011)
This post discusses how to poll different groups of network devices with different sets of commands.
I hope in the future I can update my knowledge with the current release of RANCID.
This is a continuation post on the usage of the Python Paramiko network device configuration script (netscript.py) I am currently testing. Let us say you have around 100 network devices accessible via SSH and you need to update their configuration, for example to add a new syslog server and remove the current one. In Cisco IOS, you would need to run this set of commands:
# Enter Configuration mode
We had this problem with one of our Internet links, which was an ADSL/PPPoE connection. Every now and then this Internet connection seemed unstable and it affected Internet access through this line. One solution we came across is resetting the ADSL connection, either by pulling the cable or by shutting/unshutting the interface. Once the ADSL/PPPoE session reconnects, Internet access becomes stable again.
While waiting for the service provider to fix the issue (if it ever gets fixed), we needed to reset the interface connecting to the ADSL/PPPoE line every now and then. This can be done after office hours (i.e. 12MN) but should be automated (I can't be doing this manually). Here comes my Python network script (netscript), discussed in my post, together with cron. Below are my steps in automating this task.
First, we create the command file (interface_reset.txt) which will shut down and re-enable the network interface.
As a network engineer, I have always been learning how to go about scripting with network devices. Since most network devices nowadays offer some kind of CLI via SSH remote access, there should be a better way of scripting commands into these devices. As such, I needed a network script which connects to the network devices via SSH and executes commands, similar to running them on the command line.
Here I have used Python Paramiko as my preferred approach. There have been several articles discussing how to use Paramiko, but I am more focused on using it for network scripting. After reading these articles, I managed to create a working script and uploaded it to my GitHub repository (netscript). Kindly note that this is a work in progress.
To get this script working, you need to install Python and Paramiko, preferably on Linux. Check with your preferred Linux distribution on how to install these. In my environment, which is Debian Linux, they are installed with apt-get.
A Certified Geek who blogs anything geeky he comes across mostly in Linux and Networking.