We are required to connect the Proxmox server to a trunk port, or a network connection with tagged VLANs. If the trunk port is configured properly, then there should not be any issues configuring the Proxmox server side. Please have a read of this page from Proxmox themselves.

In summary, it is best to configure this via the Proxmox shell interface. In this setup, I chose to use a VLAN-aware Linux bridge. First, identify the network interface connected to the trunk port. In my case, I have the eth0 interface connected to the trunk port and vmbr0 as the bridge. We have 2 VLANs: VLAN 100 with subnet 192.168.100.0/24 and VLAN 200 with subnet 192.168.200.0/24.
While upgrading a Brocade ICX7250 firmware from version 8.0.30 to 8.0.40, I noticed issues with the SSH (SCP) client of the switch while transferring the firmware from a Linux SSH server. I executed this command on the Brocade switch with management IP (10.1.1.101) to copy the firmware (spz10106.bin) from the SSH server (10.1.1.111):

SSH@TEST-SW1-7250#copy scp flash 10.1.1.111 spz10106.bin primary

Below is the error log from the Linux server (10.1.1.111):

Jan 8 17:57:13 linux_server sshd[19405]: fatal: Unable to negotiate with 10.1.1.101 port 7509: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]

As part of the security hardening policies, I needed to secure access to the Riverbed Steelhead with RADIUS authentication. Since I already have a FreeRADIUS (v2.2.5) on Debian Linux (8.6) running in the environment (currently used to authenticate our network devices, i.e. Cisco, Comware, Junos, Brocade), I only needed to follow the Steelhead Deployment Guide for RADIUS configuration. However, it seems Riverbed forgot to update their documentation to reflect the latest FreeRADIUS. I will post here my configuration experience for RADIUS configuration of the Steelhead with FreeRADIUS. The first few steps are similar to the Deployment Guide. First, update the FreeRADIUS clients file (/etc/freeradius/clients):

# Steelhead device

The BIG-IP Virtual Edition (VE) does not officially support VirtualBox, but there is a workaround posted by Tim Rupp in the F5 support. It was quite extensive, but following it made headway for me in getting the image working in VirtualBox (version 5.1.12). If you don't follow his recommendations and just import the OVA in VirtualBox, you will get an error similar to the one below for the BIG-IP LTM VE image (BIG-IP LTM IDE OVA VE version 12.1.1):

Failed to import appliance BIGIP-12.1.1.2.0.204.LTM-ide.ova.

We have been running wired 802.1x/NAC for quite a while and managed to stabilize it and iron out some issues.
In this post, I will provide ONLY the configuration template for the HP Comware 5.2 switches. For the RADIUS/NPS setup, kindly search for Microsoft NPS RADIUS configuration. On the client side, the 802.1x supplicant should be enabled/configured. Below are the configuration steps and template to enable 802.1x on HP Comware switches.

Step 1: Configure RADIUS scheme

radius scheme <radius_servers_scheme>

A long time ago, I was using RANCID to back up and manage all configurations from network devices, or anything that has telnet/SSH CLI access. Over time, I hardly maintained or updated it. Then I installed a network device tracking database (NetDB), which is used to track all devices connected to the network, where MAC addresses and IP addresses are collected and stored.
During this implementation and fine tuning (NetDB version 1.12), I stumbled on an undocumented option where the Perl script can call a function to collect the device configuration. This is done by invoking the equivalent of "show configuration" for every vendor/product. I modified this a bit, which included my contribution of an HP Comware scraper which can also extract the device configuration via "display current-configuration".

After reading this cookbook for HP Comware and Cisco interoperability, I noticed that RIP (Routing Information Protocol) is not discussed. Though it is not as famous as OSPF, I thought of sharing configurations for RIPv2 (RIP version 2) for HP Comware and Cisco IOS network devices. Below is my test setup between a Cisco Catalyst Switch 3750 (IOS Version 12.2(55)SE8) and an HP AMSR-3020 Router (Comware Version 5.20.106 Release 2513P11).

In our environment, we have an HP IRF (Intelligent Resilient Framework) switch cluster running between two HP A7500 chassis connected via two 10Gb fiber interfaces.

I used to post on Blogsome a couple of years ago, before the site closed down. There, I posted blogs about RANCID, which is a set of Perl scripts used to monitor network device configurations and maintain a history of changes via CVS (Concurrent Versions System). Here are some of my posts about RANCID (version 2.3.2) which are now archived on the Internet and might be of use to someone interested in RANCID and customizing it.
RANCID under the hood (posted October 23, 2011): This post shows the internal workings of RANCID, which scripts are executed, and how they depend on each other.
RANCID additional commands (posted November 2, 2011): Normally, RANCID executes a fixed set of commands when connecting to network devices; this post discusses how to include additional commands.
RANCID customization (posted November 9, 2011): This post discusses how to poll different groups of network devices with different sets of commands.
I hope in the future I can update my knowledge with the current release of RANCID.

This is a continuation post on the usage of the Python Paramiko network device configuration script (netscript.py) I am currently testing. Let us say you have around 100 network devices accessible via SSH and you need to update their configuration. For example, you need to add a new syslog server and remove the current one. In Cisco IOS, you would need to run this set of commands:

# Enter Configuration mode

We had this problem with one of our Internet links, which was an ADSL/PPPoE connection. Every now and then this Internet connection seemed to be unstable, and it affected Internet access through this line. One solution we came across is resetting the ADSL connection, either by pulling the cable off or shutting/unshutting the interface. Once the ADSL/PPPoE gets reconnected, Internet access becomes stable again. While waiting for the service provider to fix the issue (if it gets fixed), we needed to reset the interface connecting the ADSL/PPPoE line every now and then. This can be done after office hours (i.e. 12 MN) but should be automated (I can't be doing this manually). Here comes my Python network script (netscript), discussed in my post here, along with cron. Below are my steps in automating this task. First, we create the command file (interface_reset.txt) which will shut down and enable the network interface.
#!/bin/bash

As a network engineer, I have always been learning how to go about scripting with network devices. Since most network devices nowadays offer some kind of CLI via SSH remote access, there should be a better way of scripting commands into these devices. As such, I needed a network script which will connect to the network devices via SSH and execute commands similar to running them in the command line.
Here I have used Python Paramiko as my preferred approach. There have been several articles discussing how to use Paramiko, but I am more focused on using it for network scripting. After reading these articles, I have managed to create a working script and uploaded it to my GitHub repository (netscript). Kindly note that this is a work in progress. To get this script working, you need to install Python and Paramiko on Linux (preferred). Check with your preferred Linux distribution on installing these. In my environment, which is Debian Linux, these are installed with apt-get.

This post is a continuation of the previous post on HP Comware BootROM. In this article, I will display the menu options for the Extended BootROM of an HP 5120 network switch. This mode can be accessed by pressing CTRL+B while the device is booting and this keypress option is displayed (see below).
This post will highlight accessing the boot loader of an HP Comware network device. This is called BootROM in most HP Comware devices (or BootWare in the H3C models). This post will show accessing the bootloader (BootROM) of an HP 5120 switch. The HP 5120 switch has two modes for accessing the BootROM. The first mode is the Basic Boot Mode, which can be accessed by pressing CTRL+D while the device is booting. Note that this can only be performed while accessing the network device through the serial console.

Starting......

The Basic BootROM menu provides limited options for updating the BootROM software, for both basic and extended upgrades. The menu display might be different for other BootROM versions. Most options require selecting the baud rate prior to downloading the BootROM software via the XMODEM protocol.
In summary, HP Comware supports a local logfile. This means logs generated by the network device can be stored in a local file within the device. This feature is very convenient in case the network device encounters a disruption (i.e. power, hardware fault) and its logs are not able to reach the configured syslog host. The locally stored logs will be useful in conducting post-mortem network analysis (i.e. of what happened before the network device rebooted). The HP Comware local logfile is disabled by default. To enable local logfile support

Below are configuration options for local logfile management:

<HP-TEST-SWITCH>display logfile summary
<HP-TEST-SWITCH>system-view

These are basic file management commands for HP Comware which are handy when working with the contents of a Comware network device.

dir - Displays contents of the current working directory
dir /all - Displays contents of the current working directory, including hidden files
dir /all-filesystems - Displays contents of all storage (i.e. cfa0:/ if it exists)
dir <storage|directory> - Displays contents of a target storage or directory
cd <storage|directory> - Changes the current directory
pwd - Displays the current working directory

Note: Some network devices have more than one storage other than the default flash storage (flash:/), such as Compact Flash (cfa0:/).

# Display contents of current directory

Other relevant file system commands:

copy <source_file> <target_directory|target_file> - Copies the source file to the target directory or target file (if renaming)
move <source_file> <target_directory|target_file> - Moves the source file to the target directory or target file (if renaming)
rename <target_file> <new_filename> - Renames the target file to the new file name
delete [/unreserved] <target_file> - Deletes the target file and moves it to the recycle bin. The unreserved keyword deletes the file permanently.
undelete <target_file> - Restores the target file located in the recycle bin.
reset recycle-bin [/force] - Deletes files in the recycle bin. The force keyword deletes all files without confirmation.
more <target_file> - Displays contents of the target file. Recommended only for text files.
mkdir <target_directory> - Creates a new directory on the current storage.
rmdir <target_directory> - Deletes an existing directory. Note: only empty directories can be deleted.
format <target_storage> - Formats the target storage. Useful for formatting mounted Compact Flash (cfa0:/). Warning: Formatting the flash is not recommended unless the firmware is corrupted or the device is planned to be reset.
mount|umount <target_storage> - Mounts or unmounts a storage device, particularly the Compact Flash (cfa0:/)
fixdisk <target_storage> - Examines and repairs the target storage (i.e. similar to chkdsk)

Kindly refer to this URL for more details on file system management configuration.

This is a simple configuration for Policy Based Routing on HP Comware (version 5.2) which we have implemented in our environment, where we required all Internet access to be routed to a transparent proxy. In this setup, we have these conditions:
First, we define two access lists, one for the traffic exempted from the PBR:

acl number 2000 name PBR-Traffic-Exemption

The second ACL is for the traffic to be routed by the PBR to the transparent proxy:

acl number 2001 name PBR-to-Transparent-Proxy

Create the PBR configuration with these ACLs included:

policy-based-route PBR-Transparent-Proxy deny node 10

Kindly note that the keyword "deny" indicates that any matched traffic will be handled by the device's routing table, whereas the "permit" keyword indicates that any matched traffic will be handled by the corresponding apply sub-command. Apply the PBR configuration on the desired interface:

interface Vlan-interface 100

To inspect and verify the PBR configuration on the device:

# Check the PBR configuration

I hope this simple configuration would help anyone.

In this post, I will not discuss QoS (Quality of Service) in detail. I will, however, discuss specifically configuring an HP Comware network device to mark specific traffic with a DSCP code point. This marking of traffic is important for QoS/CoS-aware network devices in order for them to prioritize this traffic. I have tested this configuration with an HP MSR 3020 Router with Comware version 5.2. In this setup, I have installed 2 probes, both running Linux, where one (10.10.10.251) is located locally next to the router and the other (10.0.0.200) is located over a WAN connection. On the MSR router, we configure an access list (ACL) to match all traffic to/from the remote probe (10.0.0.200):

acl number 3001 name probe_traffic

Configure a traffic classifier to match this traffic to/from the remote probe:

traffic classifier class_probe_traffic

Configure a traffic behavior to mark the traffic with a specific DSCP code point value.
Below we use AF11:

traffic behavior mark_dscp_af11

Below are the other DSCP values we can use on HP Comware:

INTEGER<0-63> DSCP (DiffServ CodePoint) value

Then configure a QoS policy combining the traffic classifier and behavior:

qos policy qos_test_remark

This QoS policy can now be applied to an interface for both inbound and outbound traffic:

interface GigabitEthernet0/0

Verify the QoS policy applied on the interface:

<HP-WAN-TEST-RTR-3020>display qos policy interface g0/0

Test the policy from the local probe by pinging the remote probe; here we send 3 ICMP echo requests:

root@probe:/# ping -c 3 10.0.0.200

Verify if the traffic is matched, classified and marked by the policy:

<HP-WAN-TEST-RTR-3020>display qos policy interface g0/0

We can see in the above results that 3 packets are matched and marked, both inbound and outbound. From the remote probe, traffic is captured via tcpdump to check in detail the packets arriving at the remote probe:

root@probe200:/# tcpdump -n -vvv host 10.10.10.251

The important highlight here is the packet trace confirming that a TOS hex value of 0x28, which is equivalent to the DSCP code point AF11, is detected.

This is a continuation of the interface range configuration capability of HP Comware network devices; see Part 1 for the "port-group" command. HP managed to introduce the same "interface range" command in HP Comware network devices. Unfortunately, I have only seen it available in some models. So far I have seen this command in the EI Switch Series, A5800 and A7500. Someone can correct me here, as I don't have the resources to verify all of their product line. To give an understanding of how the command works, below is a session example on an HP A5800 switch:

# Show the HP Comware version

As we can see, the HP Comware "interface range" command is very similar to Cisco IOS and no longer has limited interface sub-commands. This means we can now use interface sub-commands such as description, shutdown, port-security, and so forth.
Another option with the "interface range" command is to name the range and save it in the configuration.

# Enter system-view mode

As we can see, this feature allows us to save a range of interfaces which can be configured all together again and again without redefining them. Saves some NetOps time :)

Similar to the Cisco IOS interface range command, HP Comware has options to configure multiple ports. Depending on the HP Comware network device model, not all of these options might be available. I will break this post into two parts in order to focus on each command. The port-group command is common to all HP Comware network devices and is used to configure multiple ports. First, create a name for a group of ports, then use the group-member sub-command to assign a port into the port group. This can be a contiguous range of ports or not. Afterwards, this group of ports can be configured at the same time with the available interface commands. Below is a session example using the port-group command.

# Enter system-view mode

HP Comware has provided network administrators the port-group command as an equivalent to the interface range option of Cisco. However, it still has limitations, particularly the available interface commands while in port-group mode. In my daily network operations, commands like description, port-security and even shutdown are not available in this mode, which is limiting. In Part 2, HP Comware introduced another command which addresses these.

Everyone who has dealt with HP Comware should be familiar with the "display" command, which is the "show" equivalent in Cisco IOS. This post is a recap of the command and its features. The most useful display command is "display this", which is most effective while in system-view mode.

<HP-TEST-SW-5800>system-view

Then let us focus on "display current-configuration" and its options:

<HP-TEST-SW-5800>display current-configuration ?
Here I find the by-linenum option very useful in tracing and debugging the device configuration in detail. Below we look at the pipe "|" options:

<HP-TEST-SW-5800>display current-configuration | ?

Those who use Cisco IOS should be familiar with how to use begin, exclude, and include preceding a string to be searched. Then we have this option while in "display current-configuration", where we have the "---- More ----" paging:

<HP-TEST-SW-5120>display current-configuration

While in this view, you can press any of these keys:
Here I will discuss the minimum configuration required to enable sFlow on HP Comware (v5.2) network devices which support it. The first thing is to check if sFlow is supported by the HP Comware network device. Below is the output of the command "display sflow" on an HP MSR 3020 Router:

<TEST-ROUTE-MSR-3040>display sflow

As you can see, this router supports sFlow with default settings such as sFlow version 5 and the sFlow agent IP address (192.168.0.128). This configuration can support 10 sFlow collectors with the default UDP port 6343. Collectors are hosts which receive, process and/or analyze sFlow data. On this test router, we configured sFlow with a collector IP of 10.0.0.251 and sFlow collection on interface G0/0. Below is the minimal configuration:

# Reconfigure the sFlow agent IP (optional)

Once sFlow is configured, we will view its final configuration:

<TEST-ROUTE-MSR-3040>display sflow

We can see in detail the sFlow configuration, particularly the collector IP address and its assigned interface. Finally, we will verify if we are receiving sFlow traffic on the collector. Here I have a tcpdump packet capture on the Linux host which is our sFlow collector:

# tcpdump -n port 6343

For more details and options in configuring sFlow with HP Comware, kindly refer to this link from H3C.

This is a simple guide to enable an HP Comware network device to lock down a specific switchport to a MAC address. This is a restrictive Layer 2 security measure, however not very flexible. This method is recommended for areas where there is minimal network movement, particularly the server room. When in the Comware CLI, first enable "port-security" in system-view. You should see "Done" once enabled.

<HP-SWITCH-5120>system-view

While in system-view, proceed to the specific interface (i.e. G1/0/1) and enable these commands:

interface G1/0/1
Below is the log generated when we initially connected a device on the switch port:

%Jan 14 08:52:41:334 2015 HP-SWITCH-5120 PORTSEC/6/PORTSEC_LEARNED_MACADDR:

When we check the interface configuration, we see the MAC address registered:

<HP-SWITCH-5120>display current-configuration interface g1/0/1

Below is a sample log for a port-security MAC address violation:

%%10PORTSEC/4/VIOLATION(t): Trap1.3.6.1.4.1.25506.2.26.1.3.2 An intrusion occurs! IfIndex: 9437208 Port: 9437208 MAC Addr: B8:88:E2:EC:32:24 VLAN ID: 1800 IfAdminStatus: 1

You can refer to this link for more options on Port Security on the HP/H3C Comware platform.

I am posting here my simple configuration template for hardening HP Comware network devices. This template currently works well with Comware Version 5.2.
Configuration template

!##### Enter System-View mode #####

In the template, all lines which begin with "!" will not be processed by the Comware CLI (command line interface). Again, ensure all variables "<>" are replaced with the correct values in your environment. For example, <admin_workstation_ip> is replaced with 192.168.1.201 (note: no more <>). After applying the configuration, review the configuration:

display current-configuration

Once confirmed, save the configuration:

save force

For more information and other options in hardening HP Comware network devices, kindly refer to this URL.
Certified Geek
A Certified Geek who blogs anything geeky he comes across, mostly in Linux and Networking.