Initial HPE Comware Switch Configuration

Initial configuration (best practices) for HPE Comware switches, based on my own experience and the HPE reference guides, with a focus on security. Only the best for the best. Let’s go!

An out-of-box switch appears to have no configuration, but that is not entirely true: the switch will try to obtain an IP address on the management port. With Zero Provisioning technology we can push a basic configuration to the switch automatically by connecting the management port to the out-of-band network. In the next articles I will share the exact steps.

Let’s connect to the new switch with a USB-to-console cable.

Startup/Backup Configuration files

After the switch starts up, press CTRL+D or CTRL+C to quit the automatic configuration.

Enter configuration mode with system-view. Configure the hostname with the sysname command. I recommend giving the startup and backup configuration files the same name as the switch rather than the default name, startup.cfg: if you have a centralised backup server, it is nicer to have every backup under a different name. Type save followed by the file name (don’t forget the .cfg extension). Do the same for the backup configuration file with save backup. With the display startup command you can verify the startup and backup configuration files.

RSA/DSA keys

1024-bit RSA keys were expected to become crackable between 2006 and 2010, and 2048-bit keys are considered sufficient until 2030. The National Institute of Standards and Technology (NIST) recommends 2048-bit keys for RSA.

LLDP, STP

LLDP is not enabled by default. There is no way to enable LLDP on specific ports without enabling it globally, so enable LLDP globally and keep it only on switch-to-switch ports. Enter the lldp global enable command. Spanning tree is also not enabled by default, so let’s enable it with the stp global enable command. In addition, in modern networks it is strongly recommended to move to the dot1t path-cost standard: enter stp pathcost-standard dot1t. (Be careful: it will recalculate the STP cost on all links.)

VPN Instance (VRF-Lite)

If the HPE device supports the VPN Instance feature, I strongly recommend configuring a VPN Instance on the management interface (a completely separate routing table for management). Static routes, NTP, SNMP, Syslog and TACACS configurations will then run inside the VPN Instance.

The ip vpn-instance mgmt command creates a VPN Instance named mgmt. Then we need to bind the management interface to it (this deletes the interface’s IP address if you have one):

int M-GigabitEthernet 0/0/0

 ip binding vpn-instance mgmt

 description HPE-TEST

 ip address 10.0.0.1 24

Login banner

To configure the banner displayed when a user logs in to an HPE switch, use the header login command. Put “%” at the beginning and at the end of the banner.

header login %

************************************

*  Your Banner Here      *

************************************

%

Console password

By default there is no password on the console port. To make the console require authentication, use the following commands:

line aux 0

 authentication-mode password

 user-role network-admin

 set authentication password simple 123456

 idle-timeout 5 0

SSH

For SSH connections, let’s create a local user admin whose only inbound protocol is SSH:

local-user admin class manage

 password simple 123456

 service-type ssh

 authorization-attribute user-role network-admin

#

line vty 0 63

 authentication-mode scheme

 user-role network-admin

 protocol inbound ssh

 idle-timeout 15 0

#

ssh server enable

 ssh server authentication-retries 5

 ssh server authentication-timeout 30

Hardening

Disable the copyright info, the USB port and unused services.

usb disable

undo copyright-info enable

In addition, if you have HTTP or Telnet running, please disable them. HTTPS and DHCP can also be disabled unless you are using them. Personally, I use only the CLI.

undo ip http enable

undo ip https enable

undo telnet server enable

undo dhcp enable

Version 1 of the SSH protocol has irremediable problems and multiple vulnerabilities. It is strongly recommended to disable SSH v1 compatibility:

undo ssh server compatible-ssh1x

Verification can be done with the display ssh server status command.

To verify open TCP/UDP ports, use display tcp and display udp.

Enable BPDU protection and configure all access ports as edge ports (portfast). All unused ports should be moved to an unused VLAN and must be shut down. For example, we have 10 servers connected to the first 10 ports:

vlan 666

description Null

name Null

* All unused ports will be configured in VLAN 666.

** Always set a name and description after creating VLANs.

int range GigabitEthernet 1/0/1 to GigabitEthernet 1/0/10

stp edged-port

Enable BPDU protection globally:

stp bpdu-protection
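The SSH and Hardening sections above boil down to a handful of lines that should (or should not) appear in the saved configuration, which makes them easy to audit from a backup copy rather than by logging in to every switch. The following Python script is an added example, not part of this article or of any HPE tool: it splits a Comware configuration into its “#”-delimited blocks and reports the items from those two sections that are missing or wrong (Telnet/HTTP left on, SSH1 compatibility on, a VTY line that accepts more than SSH, no BPDU protection, cleartext “simple” passwords). Both configuration texts are constructed for the example; the exact lines a given model prints may differ, so treat the string matches as assumptions to adapt.

```python
"""Audit a saved HPE Comware configuration against the SSH and Hardening
items described above. Added example; the two config texts are constructed."""
import re

# Constructed sample: partially hardened, with several of the issues above.
WEAK_CONFIG = """\
#
 telnet server enable
#
 ssh server enable
 ssh server compatible-ssh1x
#
line vty 0 63
 authentication-mode scheme
 protocol inbound all
 idle-timeout 15 0
#
line aux 0
 authentication-mode password
 set authentication password simple 123456
#
return
"""

# Constructed sample that follows the recommendations.
HARDENED_CONFIG = """\
#
 undo telnet server enable
 undo ip http enable
#
 ssh server enable
 undo ssh server compatible-ssh1x
#
line vty 0 63
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 15 0
#
stp bpdu-protection
#
return
"""


def parse_blocks(config_text):
    """Split a Comware config into '#'-delimited blocks of stripped lines."""
    blocks, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks


def check_hardening(config_text):
    """Return a list of (severity, message); an empty list means every check passed."""
    blocks = parse_blocks(config_text)
    flat = [line for block in blocks for line in block]
    findings = []

    # Management services that should be off on a CLI-managed switch.
    for service, fix in (
        ("telnet server enable", "undo telnet server enable"),
        ("ip http enable", "undo ip http enable"),
        ("ip https enable", "undo ip https enable"),
    ):
        if service in flat:  # exact line match, so 'undo ...' does not trigger it
            findings.append(("high", f"'{service}' present; apply '{fix}'"))

    if "ssh server compatible-ssh1x" in flat:
        findings.append(("high", "SSH1 compatibility on; apply 'undo ssh server compatible-ssh1x'"))

    # Every VTY line block must use scheme (AAA) authentication and accept SSH only.
    for block in blocks:
        if block and block[0].startswith("line vty"):
            if "authentication-mode scheme" not in block:
                findings.append(("high", f"{block[0]}: missing 'authentication-mode scheme'"))
            if "protocol inbound ssh" not in block:
                findings.append(("high", f"{block[0]}: missing 'protocol inbound ssh'"))
            if not any(line.startswith("idle-timeout") for line in block):
                findings.append(("low", f"{block[0]}: no idle-timeout set"))

    if "stp bpdu-protection" not in flat:
        findings.append(("medium", "BPDU protection not enabled; apply 'stp bpdu-protection'"))

    # 'simple' passwords are stored in cleartext in the configuration file.
    for line in flat:
        if re.search(r"\bpassword simple\b", line):
            findings.append(("medium", f"cleartext password in config: '{line}'"))
    return findings


if __name__ == "__main__":
    for severity, message in check_hardening(WEAK_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the output of display current-configuration saved from each switch; the WEAK_CONFIG sample yields five findings, the HARDENED_CONFIG sample none.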

—————————————————————————————————————

In the next article I will share Best Practices for Monitoring configurations: NTPv4, Info Center (Syslog), SNMPv3 and TACACs.

Multi-WAN PPPoE load-balancing script for RouterOS 7

Main features:

1. The script lets you send traffic from a specific address list over a specific pppoe connection, bypassing the load-balancing rules (for example, your TV must always go through pppoe-02).

2. The script supports hairpin NAT.

3. The script solves the multi-WAN problem when you are building outbound VPN tunnels (OpenVPN, WireGuard, IPsec, etc.). See the pppoe profile section.

4. The script is CPU-friendly.

The script assumes you have 2 pppoe WAN links:

1. ether1 with pppoe-01 (FPT)

2. ether2 with pppoe-02 (VNPT)

And 2 LAN bridges:

1. Bridge-lan-01 (ether3, ether4, ether5)

2. bridge-lan-02 (for later use)

Comware7: Configuration commit delay

In the old days it was quite common to schedule a device reboot, e.g. 5 minutes ahead, when ‘tricky’ remote device changes had to be performed over an in-band connection such as SSH/telnet. If the config changes produced the desired result, the reboot was cancelled. If the changes resulted in a lost management connection, the reboot reverted the device to the previous config (assuming no ‘save’ had been done).

Comware 7 now has a similar feature but without the device reboot, so this is an online ‘swap’ of the configuration without the reboot delay.

Note: this is a one-off command; it is not saved in the config and needs to be re-entered every time it is needed.

First set the time in the future when the auto-rollback is supposed to happen:

[5900G-1]configuration commit delay ?
 INTEGER<1-65535>  Delay time in minutes
[5900G-1]configuration commit delay 2

%Jan  1 04:11:58:463 2011 5900G-1 SHELL/5/SHELL_COMMIT_DELAY: A configuration rollback will be performed in 2 minutes.

Now a config change is made; for example, the G1/0/1 description is set to ‘demo1’:

[5900G-1]int g1/0/1
[5900G-1-GigabitEthernet1/0/1]description demo1

Review the running config with the applied change

[5900G-1-GigabitEthernet1/0/1]dis cur int g1/0/1
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 description demo1
#
return

When the administrator does not confirm the applied changes with the ‘commit’ command within the set delay time, the device automatically rolls back the configuration.

%Jan  1 04:08:28:315 2011 5900G-1 SHELL/5/SHELL_COMMIT_ROLLBACK: The configuration commit delay is overtime, a configuration rollback will be performed.
%Jan  1 04:08:36:403 2011 5900G-1 SHELL/5/SHELL_COMMIT_ROLLBACKDONE: The configuration rollback has been performed.

Now the running config has been reverted to the state before the commit delay was entered:

[5900G-1-GigabitEthernet1/0/1]dis cur int g1/0/1
#
interface GigabitEthernet1/0/1
 port link-mode bridge
#
return

When the admin decides that the changes are fine, configuration commit can be used. This cancels the pending timer.

Again some configuration change is made:

[5900G-1-GigabitEthernet1/0/1]description demo2
[5900G-1-GigabitEthernet1/0/1]quit

Now the configuration commit is used:

[5900G-1]configuration commit
%Jan  1 04:09:30:268 2011 5900G-1 SHELL/5/SHELL_COMMIT: The configuration has been committed.

And the running configuration now contains the applied changes:

[5900G-1]dis cur int g1/0/1
#
interface GigabitEthernet1/0/1
 port link-mode bridge
 description demo2
#
return

Reset or recover a lost or forgotten password on an Alcatel OS6850 switch

Connect with putty.exe to the switch and make sure you are connected (press the Enter key a couple of times).

Then reboot and press the Enter key almost immediately to stop the autoboot.

Wait for the message Hit any key to stop autoboot: 0 and hit any key.

Then type the following commands:

=> fatls ide :1,0

=> fatls ide :1,0 /network

=> fatdelete ide :1,0 /network/usertable5 (or usertable4)

Now power-cycle the switch, or type run miniboot at the U-Boot prompt (=> reboot or => boot also works). When the switch comes back it will have the factory default credentials admin/switch.

Configuring Dynamic VLAN assignment on ProCurve switches

Introduction

The information contained in this post describes how to configure an HP ProCurve switch and Windows 2008 R2 NPS RADIUS server to authorise and assign users dynamically into specific VLANs.

The switch used is an HP ProCurve model 2610-48 running firmware version R.11.72

Configure VLANs

Create the VLANs and define their IP address and IP helper-address:

VLAN 30

name “VLAN30”

ip address 192.168.30.1 255.255.255.0

ip helper-address 192.168.20.20

VLAN 40

name “VLAN40”

ip address 192.168.40.1 255.255.255.0

ip helper-address 192.168.20.20

Configure RADIUS/802.1x

Define the RADIUS server IP address and shared secret:

radius-server host 192.168.20.20 key secret12

Configure the 802.1x authentication type:

aaa authentication port-access eap-radius

Configure Ethernet ports 1-2 as authenticator ports:

aaa port-access authenticator 1-2

Activate 802.1x port-access authentication on the ports:

aaa port-access authenticator active

Create Active Directory Groups

Authorisation into the individual VLANs will be by Active Directory group membership of the user or computer, so we need to create the appropriate groups for use later in the NPS RADIUS server policy.

Add a user to each of the groups


Windows 2008 R2 NPS (RADIUS) Configuration

Create an appropriately named NPS Policy to authorise users for each VLAN


Configure a “Condition” of Windows Group value of DOMAINNAME\GroupName


Configure the “Authentication Methods” as “Microsoft: Protected EAP (PEAP)”


Configure the “RADIUS Attributes”:

Tunnel-Medium-Type = 802

Tunnel-Pvt-Group-ID = VLAN name or VLAN ID, e.g. “VLAN30” or “30”

Tunnel-Type = Virtual LANs (VLAN)
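The three attributes above are exactly what the switch parses out of the RADIUS Access-Accept before it moves the port. The following Python is an added example, not from the original post or from HP or Microsoft: it builds that attribute triple the way RFC 2868 defines it and decodes it back the way an authenticator would, so you can see why all three values have to agree (same tag, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802) before a VLAN is applied. The attribute numbers 64, 65 and 81 and the values VLAN = 13 and IEEE-802 = 6 come from RFC 2868; the Access-Accept bytes are constructed here rather than captured from NPS.

```python
"""Encode and decode the RFC 2868 tunnel attributes used for dynamic VLAN
assignment. Added example; the attribute bytes below are constructed."""
import struct

TUNNEL_TYPE = 64               # Tunnel-Type (tagged integer)
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type (tagged integer)
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID (tagged string)
TUNNEL_TYPE_VLAN = 13          # "VLAN" in the Tunnel-Type value list
TUNNEL_MEDIUM_IEEE802 = 6      # "IEEE-802" in the Tunnel-Medium-Type list


def encode_tagged_int(attr_type, value, tag=0):
    """Type, Length=6, Tag, 3-byte value (RFC 2868 section 3.1 layout)."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Type, Length, Tag, string (RFC 2868 section 3.6 layout)."""
    data = text.encode("ascii")
    if not 0 <= tag <= 0x1F or len(data) > 252:
        raise ValueError("tag must be 0..31 and string at most 252 bytes")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_assignment_attributes(vlan, tag=0):
    """The triple an NPS policy with 'Tunnel-Pvt-Group-ID = vlan' returns."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_attributes(data):
    """Walk a RADIUS attribute list and return [(type, value_bytes), ...]."""
    offset, attrs = 0, []
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[offset], data[offset + 1]
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[offset + 2:offset + length]))
        offset += length
    return attrs


def vlan_from_accept(data):
    """Return the VLAN name/ID the switch should apply, or None when the
    triple is missing or inconsistent (the port then stays in its static VLAN)."""
    by_tag = {}
    for attr_type, value in parse_attributes(data):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not value:
            return None
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value            # no tag byte present (RFC 2868 s3.6)
        else:
            tag, body = value[0], value[1:]
        by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    accept = vlan_assignment_attributes(30)   # constructed Access-Accept payload
    print(accept.hex(), "->", vlan_from_accept(accept))
```

A policy that sets only Tunnel-Pvt-Group-ID, or sets Tunnel-Medium-Type to something other than 802, decodes to None here, which matches the symptom you would see on the switch: the user authenticates but the port stays in its configured VLAN.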


Configure Windows 7 computer to authenticate

Open Windows Services and change the startup type of the “Wired AutoConfig” service to Automatic. Click Start service.

Open “Network and Sharing Center”. Click “Change adapter settings”

Click “Local Area Connection” > “Properties” > “Authentication”

Ensure “Enable IEEE 802.1x authentication” is ticked

Ensure “Microsoft: Protected EAP (PEAP)” is selected from the dropdown box. Click Settings

If the client computers do not have a trusted root certificate un-check the tick box “Validate server certificate”. If you do have an internal CA and all client computers have the root CA in the computer certificate store leave checked.

If the client computer is not joined to the domain and you wish to prompt for authentication, select “Configure” and un-check “Automatic use my Windows logon….”

The steps above can also be configured via Group Policy

Testing

Connect a computer to a port configured for authentication

If using a non-domain joined computer and you have previously un-checked the tick box “Automatic use my Windows logon….” a balloon will appear “Additional information is needed to connect to this network”. Click the balloon and enter your domain credentials.


If you are on a domain joined computer, the authentication will be transparent to the user (you will not see the prompt for authentication as above).

On the switch, the command “show port-access authenticator” displays useful troubleshooting information.

When a user account is a member of the “VLAN30” Windows group, it will be authorised by the RADIUS server and the port will be dynamically assigned to VLAN 30.


If the user is successfully authenticated and is a member of the “VLAN40” group, the port is dynamically assigned to VLAN 40.


What needs to be done to design an IT infrastructure system

There was a time when I had these “questions with no one to ask” about network design:

* How is a network system that is actually in operation designed?

* What network model should be designed for each type of customer (SMB, Enterprise, Banking, ...)?

* How to choose the most suitable network devices (Switch, Router, Firewall, ...) for each design?

* How to apply what I had learned to designing a real network system?

At that time I had picked up some knowledge, but applying what I had learned to real life amounted to a round zero; in other words, it was the feeling of “knowing martial arts but not knowing how to use them when meeting a master for a duel”, a feeling that was ... really uncomfortable ... namely:

– Having studied HSRP/VRRP/GLBP, understanding clearly how these protocols work, how to configure them, how to troubleshoot them if there is a problem, ... but not knowing where to use them in a network model.

– Having studied Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), PVST+, Rapid-PVST, MST: understanding clearly how to configure the Root Bridge and Root Port, load sharing with STP, the differences between STP, RSTP, PVST+, Rapid-PVST, MST, and the advantages and disadvantages of each. But ... not understanding how to use them in practice ...

– Having studied the 3-tier network design model, Core/Distribution/Access ... understanding clearly the role of each layer, but not being able to design a network system for a small or medium business (SMB), or even having only a very vague idea of what SMB, ENT, ... mean.

– And many similar things ...

I once asked myself what the reason was; was it:

– Lack of product knowledge: yes, although I had been equipped with a foundation of knowledge, I did not know or did not yet understand:

– The concept of a modular switch (Catalyst 6500, Catalyst 4500, Nexus 7000, ...): what a linecard is, a supervisor, a fan tray, a power supply, etc.

– What makes a switch “powerful”, and the concepts used to define this “power” of a device

Example: on the 3750-X switch line: 160 Gbps switching fabric, 101.2 mpps forwarding rate, 10GbE uplinks, ...

– The concepts of VSS on the 6500 switch line, StackWise on the 3750 series, FlexStack on the 2960S (note: these are extremely important features in network design, with many outstanding characteristics that will be covered in detail in later articles).

– The features supported on each device line differ because they are designed for different purposes, e.g. the 2960 series supports Layer 3 features only to a very limited extent compared to the 3750/4500/6500 series, because the 2960 is designed for the Access layer ...

– The characteristics of each type of customer, for example: designing a network for an SMB customer is very different from designing one for an Enterprise customer, ...

– No real-world experience yet ... -> so how to get it?? Learn from whom?? Learn where??

And I went through a period of groping around, like walking in a dark tunnel, and up to now I am still walking in that tunnel; the difference is that it is now a tunnel with a “faint ray of light” leading the way.

Understanding the difficulties I went through, and wishing to share, exchange and learn in order to enrich network design skills,

I would like to begin the series of articles on the topic “Network design, from theory to practice”.

How to measure bandwidth between two computers on the same network

In this article we will explain how to measure bandwidth between two computers on the same network using the Iperf software and related utilities. Iperf is a free software tool that can measure the bandwidth between two nodes in a computer network and the quality of a network link.

The idea is to run Iperf on both computers and measure the bandwidth between them, where one computer is the client and the other is the server. A computer is given the client (or server) role within the application by using the appropriate switches.

Iperf is a console application, which means you have to type commands in a terminal (command prompt). If you find that annoying, try Jperf, a graphical front-end for Iperf written in Java; it is covered in the section on measuring bandwidth between a computer and an Android smartphone (I performed a test and took screenshots in my home network).

Iperf:

OK, let’s get to work and perform a simple bandwidth test; other features are covered in the examples and the further reading section.

How to measure bandwidth between two computers in network by using Iperf

You can see the concept of measuring bandwidth between two computers on the same network in the chart below:

[Diagram: Iperf bandwidth measurement, server marked “1”, client marked “2”]

OK, you’ve downloaded Iperf (I downloaded v2) and copied it to the computers between which you want to measure bandwidth. Open a command prompt on the computer you want to be the server (there is no formal rule on which computer must have the server or client role; any computer can be a client or a server) and type: iperf.exe -s


Use this tip to open the command prompt at a specific path (where you have put Iperf): navigate to the folder which contains your Iperf executable (iperf205, in my case), hold the Shift key and right-click on that folder; an extended context menu will appear where you click the Open command window here option.


In my case, I used a computer with Windows 7 as the server and a computer with Windows 8.1 as the client. On the diagram above you can see that the server is marked with “1”, because that’s always the first step: define a server. Take note of your server’s IP address (if you don’t know it); the easiest way, provided that you are already in the command prompt, is to type the ipconfig command (the IP address on the diagram is 10.1.1.1).

When it comes to the client, take a look at the diagram; I marked it as “2”. Open the command prompt on the client computer and type: iperf -c server_address


And that’s it: the default settings are enough to show you the bandwidth between two computers in your network. Of course, you can add extra switches to use this software according to your needs.

The method we used to measure bandwidth is a TCP test; besides that, you can measure jitter (latency variation) or datagram loss with a UDP test.

I mentioned Iperf 3, which is a rewrite of Iperf from scratch, with the goal of a smaller, simpler code base and a library version of the functionality that can be used in other programs. Iperf 3 is not backwards compatible with Iperf 2.x. Opinions on which version is better are divided, so many users would still recommend Iperf 2.0.x (Iperf 3 is not as well respected).

Iperf usage examples:

  • iperf -s -> runs iperf in server mode.
  • iperf -c 10.1.1.1 -> runs iperf in client mode, where the server’s IP address is 10.1.1.1 (by default, only the bandwidth from the client to the server is measured).
  • iperf -c 10.1.1.1 -r -> the server connects back to the client, allowing a bi-directional bandwidth measurement.
  • iperf -c 10.1.1.1 -d -> simultaneous bi-directional bandwidth measurement. If you want to test the two directions sequentially, use the -r argument (see the previous example).
  • iperf -c 10.1.1.1 -w 4000 -> the -w switch defines the TCP window size, the amount of data that can be in flight during a connection without an acknowledgement from the receiver (it can be between 2 and 65,535 bytes).
  • server side: iperf -s -p 12000 and client side: iperf -c 10.1.1.1 -p 12000 -> the -p switch must be set on both sides and its value defines the communication port. By default, the Iperf client connects to the Iperf server on TCP port 5001, and the bandwidth displayed by Iperf is the bandwidth from the client to the server.
  • iperf -c 10.1.1.1 -t 30 -> specifies the test duration in seconds (the default is 10 seconds).
  • iperf -c 10.1.1.1 -t 30 -i 3 -> the -i argument specifies the interval in seconds between periodic bandwidth reports.
  • iperf -h -> provides detailed help, starting with the command format iperf [-s|-c host] [options], then an explanation of the arguments/switches, etc.

A great reference manual describing how to use these switches (e.g. how to use the -u switch to perform a UDP test) can be found here: https://iperf.fr/ and here: https://code.google.com/p/iperf/wiki/ManPage
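Once you run more than one or two tests (different -w values, -i intervals, several hosts), it helps to parse the numbers instead of reading them off the screen. The following Python is an added example, not part of this article or of the Iperf project: it summarises Iperf 2 client output captured with its -y C option (CSV report style), separating the per-interval lines produced by -i from the whole-run summary line, and it computes the throughput ceiling implied by a given -w window size and round-trip time, which is why the -w 4000 example above can never show a fast link as fast. The sample CSV lines are constructed, and the column layout assumed is timestamp, local address, local port, remote address, remote port, stream id, interval, bytes transferred, bits per second.

```python
"""Summarise iperf 2 '-y C' client output and relate it to the TCP window.
Added example; the CSV lines below are constructed, not a real capture."""
from dataclasses import dataclass

# Constructed output of: iperf -c 10.1.1.1 -t 10 -i 3 -y C
SAMPLE_CSV = """\
20150612183010,10.1.1.2,49152,10.1.1.1,5001,3,0.0-3.0,353894400,943718400
20150612183013,10.1.1.2,49152,10.1.1.1,5001,3,3.0-6.0,351272960,936727893
20150612183016,10.1.1.2,49152,10.1.1.1,5001,3,6.0-9.0,353894400,943718400
20150612183019,10.1.1.2,49152,10.1.1.1,5001,3,9.0-10.0,117964800,943718400
20150612183020,10.1.1.2,49152,10.1.1.1,5001,3,0.0-10.0,1177026560,941621248
"""


@dataclass
class Interval:
    start: float            # seconds since test start
    end: float
    transferred_bytes: int

    @property
    def mbit_per_s(self):
        """Throughput recomputed from bytes and duration, not trusted from the last column."""
        return self.transferred_bytes * 8 / (self.end - self.start) / 1e6


def parse_csv_report(text):
    """Turn '-y C' lines into Interval records; raises on a malformed line."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        if len(fields) < 9:
            raise ValueError(f"unexpected iperf CSV line: {line!r}")
        start, end = (float(x) for x in fields[6].split("-"))
        if end <= start:
            raise ValueError(f"empty interval in line: {line!r}")
        records.append(Interval(start, end, int(fields[7])))
    return records


def split_summary(records):
    """iperf prints the whole-run line last; it spans 0.0 to the test duration."""
    summary = max(records, key=lambda r: r.end - r.start)
    intervals = [r for r in records if r is not summary]
    return intervals, summary


def window_limited_mbit_per_s(window_bytes, rtt_ms):
    """Bandwidth-delay product bound: at most one window per round trip."""
    if window_bytes <= 0 or rtt_ms <= 0:
        raise ValueError("window and RTT must be positive")
    return window_bytes * 8 / (rtt_ms / 1000) / 1e6


if __name__ == "__main__":
    intervals, total = split_summary(parse_csv_report(SAMPLE_CSV))
    for r in intervals:
        print(f"{r.start:5.1f}-{r.end:5.1f} s  {r.mbit_per_s:8.2f} Mbit/s")
    print(f"whole run          {total.mbit_per_s:8.2f} Mbit/s")
    print(f"-w 4000 at 10 ms RTT caps at {window_limited_mbit_per_s(4000, 10):.2f} Mbit/s")
```

The window bound is the practical reason to leave -w alone on a LAN test unless you are deliberately studying it: 4000 bytes at a 10 ms round trip can carry about 3.2 Mbit/s, however fast the link is.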

How to measure bandwidth between computer and Android device on the same network

As I mentioned at the beginning (where I placed the download links), there is an Iperf application for Android that can turn your smartphone or tablet into an iperf server or client. My test environment is as follows:

  • Server: Samsung Galaxy S2 smartphone (GT-I9100), rooted and with Cyanogen Mod custom ROM,
  • Client: Fujitsu Amilo laptop, Windows 8.1, x64, where I tested both Iperf and Jperf.

Install Iperf for Android on your Android device and run the application; type iperf -s or just -s in the text field and tap the on/off button (Aus, in my case, because my phone interface is in German). You’ll get something similar to this (An is On):


Note the server’s IP address from the screenshot: 192.168.1.3

Run Iperf on the client computer and type the following command (make sure you use the IP of your server):

[Screenshot: Iperf client command pointed at the Android server]

The Android application will show info when a client connects to it:

[Screenshot: connected clients shown in Iperf for Android]

Jperf can be used with Iperf to provide a graphical front-end written in Java. So, if you’d like to try Jperf, you must have the Java Runtime installed on your operating system (I have Java JRE 8). Download Jperf from the download link I provided, extract the downloaded archive, find jperf.bat and run it:

[Screenshot: Jperf client-mode graph of the measured bandwidth]

In the screenshot above you can see that I chose client mode, entered the IP address of my server (the smartphone), and set the test duration to 20 seconds (instead of the default 10). The graph shows the measured bandwidth between my computer and smartphone in my home network.

[ Further reading ]:

Wikipedia: http://en.wikipedia.org/wiki/Iperf
IPERF for Windows (native Windows port, not Cygwin), trial: http://www.iperfwindows.com/
Iperf3-Cygwin-GUI: http://sourceforge.net/projects/iperf3cygwingui/?source=recommended
Iperf2 vs Iperf3: https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf-and-iperf3/
bwctl (ensures that only one test runs at a time): https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/bwctl/