Fortigate High Availability – Active/Active – Part 1 – Preparation

I recently set up 2x Fortigate 200B units to run in HA Active/Active mode, this posed a number of challenges:

HA doesn’t work if any interfaces use PPPoE or have an address assigned via DHCP
How do I effectively split our network communications between both units?

Challenge 1

The main problem was that both the internet connections used PPPoE for address assignment and auth – I had taken care of one of these previously as it was a simple ADSL link our Fortigate units didn’t allow for so we had a Cisco 837 box to terminate the PPPoE on a virtual interface and unnumber the static external IP to an internal interface. (Read: I used it as a proxy of sorts to get round hardware limitations).

We had done it before for an ADSL link so I follow the same methodology for our fiber link, except, with a faster Cisco box – in the form of a very simple, cheap Cisco 1841. Loaded the latest broadband firmware onto it (c1841-broadband-mz.151-4.M7.bin) and did the following:

Assigned f0/0 to be our internal “gateway” address (assigned router address from BT/Zen in the static IP block)
Assigned f0/1 to be our external WAN facing address and act as PPPoE client (no ip address)
Created a virtual Dialer interface Dialer1 to act as PPPoE terminator
Unnumbered Dialer1‘s IP against f0/0
Set mtu to 1492 on Dialer1
Enable ip cef
Set adjust-mss to 1452 on f0/0 Extremely important to match frame size to ISP

Download full (nulled) config here.

With that out of the way I then set up our 200B to use this IP as its gateway (via static route 0.0.0.0/0.0.0.0 to go out [router address assigned to f0/0]).

A static route was used as I can set priorities on these and give our fiber link a higher priority than the ADSL meaning we will always use the fiber link unless it breaks, when it fails over to ADSL.

The previously configured PPPoE WAN link was changed to be “manual mode” and assigned it the desired public IP:

Screen-Shot-2014-02-11-at-12.36.56

This then left me in a position where I could configure our 200B’s to use HA as now no interfaced relied on DHCP or PPPoE for addressing.

Challenge 2

“How do we effectively split our network communications between both units?”

This was considerably simpler than the first problem I came across – the answer is get a Gb switch – I had a Cisco 3560-X 24P-L to work with.

I split the ports into groups of 4 ports on VLANs (a separate untagged VLAN for each usable interface on the Fortigate) this gave me:

1x input port
1x output port to fw-a
1x output port to fw-b
1x extra port for maintenance access

Download full (nulled) config here.

Hence the groups of 4, if you had 3x or even 4x Firewalls in A/A HA then you would need 5 and 6 ports per VLAN respectively.

My show vlan output looked like this (note I am using jumbo frames):

Cisco-3560X-200B-HA#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    
2    lan                              active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
3    mgmt                             active    
4    iscsi                            active    
5    phones                           active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
6    wifi                             active    Gi0/9, Gi0/10, Gi0/11, Gi0/12
7    microwave-wan                    active    Gi0/13, Gi0/14, Gi0/15, Gi0/16
100  adsl                             active    Gi0/17, Gi0/18, Gi0/19, Gi0/20
101  fiber                            active    Gi0/21, Gi0/22, Gi0/23, Gi0/24
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
2    enet  100002     9000  -      -      -        -    -        0      0   
3    enet  100003     9000  -      -      -        -    -        0      0   
4    enet  100004     9000  -      -      -        -    -        0      0   
5    enet  100005     9000  -      -      -        -    -        0      0   
6    enet  100006     9000  -      -      -        -    -        0      0   
7    enet  100007     9000  -      -      -        -    -        0      0   
100  enet  100100     9000  -      -      -        -    -        0      0   
101  enet  100101     9000  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

All that needed to be done was plug the input ports into its respective VLAN and then take a cable to each 200B from each VLAN, effectively meaning each 200B could communicate with each input, easy.

In part 2 we will talk about setting up the Fortigate units themselves for HA and the proper procedure to employ for this.

Changing Fortigate from Switch mode to Interface mode

Fortigate units (the big ones at least) come configured in what is called “switch mode” meaning it groups a number of interfaces together and makes them act as a switch, serves DHCP over these interfaces, etc.

Most companies don’t like to use this – instead if we want to up our throughput for a given zone we’d create an 802.3ad aggregate link out of 2 or more of the interfaces.

Disabling switch mode isn’t as straight forward as putting the one command in, there are two factors you need to consider:

Are you serving DHCP over this switch interface?
Have you got any policies relating to this interface?

If the answer is “yes” to either of these you need to do the following or you will see one of “Interface switch is in use” or “Interface internal is in use” or “Entry is used” later on:

Delete the DHCP server relating to it (either in the GUI as below):

Screen-Shot-2014-02-11-at-11.36.54

Or you can do it in the CLI:

fw-a # config sys dhcp server
fw-a (server) # show <look at list and find the entry number relating to your interface>
fw-a (server) # delete [entry number here]
fw-a (server) # end

Next you need to delete all policies relating to the interface again, this can be done in the GUI via Policy -> Policy -> Policy and delete all policies associated with that interface. Again, it can be done with the CLI:

fw-a # config firewall policy
fw-a (policy) # show <look at list and find the entry number(s) relating to your interface>
fw-a (policy) # delete [entry number here]
fw-a (policy) # end

Once all the switch mode interface’s related objects are deleted then we can change the global mode from switch to interface via CLI:

fw-a # config sys global
fw-a (global) # set internal-switch-mode interface
fw-a (global) # end
Changing switch mode will reboot the system!
Do you want to continue? (y/n) y

The box will reboot and you’ll have a host of new interfaces to use as you like.

N.B: Some boxes are awkward and will require you to deleted the virtual hardware/software switch that is created it you still can’t see the individual IFs run the following commands:

configure system virtual-switch
delete {interface name e.g. lan, internal}

If you are still having difficulty you can run the following to find any remaining related entries to the interface:

diagnose sys checkused sys.interface.name {interface name e.g. lan, internal}

Juniper SRX Simple Internet Gateway Setup Guide

This guide was written for someone that wants to configure a Juniper SRX firewall as a simple home or business Internet gateway. You will need some tech savvy since I have written the instructions for the CLI and not J-Web, by doing it this way I can keep the instructions short and to the point.

SRXEnviroment

General Configuration

Thse are things that we need to take care of before getting to far into things.

set system host-name Internet_Gateway
set system root-authentication plain-text-password

#I like to have domain name services so that I do name resolution although this is not really needed and can be omitted.

set system name-server 8.8.8.8

#Setup a user other than root for administration, this is a good practice since it is never good for root to login remotely.

set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication plain-text-password

#For accurate date and time in logs configure an NTP server, in my case I used a publicly available server.

 set system ntp server 192.95.20.208

Interface Configuration

#This is our internet facing link and it will pull IP configuration via DHCP from our provider.

 set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server

#I would like interface fe-0/0/2 to 0/0/7 to be a member of vlan 100 and behave like a switch.

set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7

#Family ethernet-switching will allow the range of ports to behave like a switch while belonging to vlan-trust which is where they will find the gateway IP.

set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust

#This will be the gateway for the LAN devices on fe-0/0/2 to 0/0/7.

set interfaces vlan unit 100 family inet address 192.168.1.1/24

#Let’s create the vlan-trust and attache vlan.100 which was the L3 interface we created above.

set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Test

To see if DHCP is working on ge-0/0/0 issue the following command, you should see IP information from you Internet Service Provider.

admin@Internet_Gateway show system services dhcp client

Logical Interface name         ge-0/0/0.0
Hardware address        80:71:1f:b4:07:c0
Client status           bound
Address obtained        10.5.5.5
Update server           enabled
Lease obtained at       2013-05-08 19:14:06 UTC
Lease expires at        2013-05-08 23:14:06 UTC

DHCP options:
Name: server-identifier, Value: 10.5.5.254
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: router, Value: [ 10.5.5.1 ]
Name: domain-name, Value: corp.test.com
Name: name-server, Value: [ 10.5.5.253 ]

LAN DHCP

Since we just finished configuring the LAN we should setup DHCP which will provide local addresses to devices in vlan-trust.

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1

#This statement propagate-settings will take configuration from the client DHCP on ge-0/0/0 if not otherwise specified, most importantly name-server which changes from ISP to ISP and is very important otherwise name resolutions on the LAN won’t work.

set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0

Test

Lets see if the PC(s) connected to ports fa-0/02 to 0/0/7 are getting DHCP leases.

admin@Internet_Gateway> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.1.50     32:aa:a7:5e:17:45  dynamic  2013-05-08 20:14:02 UTC

Security Zones

We are going configure a zone for the LAN (Trust) and for our Internet (Untrust)

set security zones security-zone untrust description "Internet Link - DHCP Configured"

#Note we are allowing DHCP since the Internet facing interface will be a client.

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

#Allow any service/protocol to the internal interface. (Should be safe in our case)

set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

#Attach vlan.100 to the trust zone.

set security zones security-zone trust interfaces vlan.100

Source NAT

Since 19.168.1.0/24 is private and won’t be routed on the Internet we will need to source NAT this internal subnet to our Internet facing egress interface.
set security nat source rule-set internal-to-internet description “NAT anything from trust zone to untrust (LAN to Internet)”

set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface

Policies

Allow anything from trust to untrust (LAN to Internet) Since there is an implicit deny by default traffic from trust to untrust will automatically be dropped and doesn’t need a policy.

set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit

Management

This is a simple Internet gateway so lets enable SSH and HTTPS access from the inside LAN only.

set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100

Full Configuration

For those who would just like to copy and paste the entire configuration into the SRX.

set system host-name Serenity
set system root-authentication encrypted-password "$1$QgzUP4DH$dbmMYIKqw.I0b2KSIK1gB0"
set system name-server 8.8.8.8
set system login user lleroux uid 2000
set system login user lleroux class super-user
set system login user lleroux authentication encrypted-password "$1$FKKuZxhz$j0Yu8AYMW0x4JbH0CxkVZ1"
set system services ssh protocol-version v2
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.100
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.50
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system ntp server 192.95.20.208
set interfaces interface-range interface-trust member fe-0/0/2
set interfaces interface-range interface-trust member fe-0/0/3
set interfaces interface-range interface-trust member fe-0/0/4
set interfaces interface-range interface-trust member fe-0/0/5
set interfaces interface-range interface-trust member fe-0/0/6
set interfaces interface-range interface-trust member fe-0/0/7
set interfaces interface-range interface-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 description Internet_Link
set interfaces ge-0/0/0 unit 0 family inet dhcp update-server
set interfaces vlan unit 100 family inet address 192.168.1.1/24
set security nat source rule-set internal-to-internet description "NAT anything from trust zone to untrust (LAN to Internet)"
set security nat source rule-set internal-to-internet from zone trust
set security nat source rule-set internal-to-internet to zone untrust
set security nat source rule-set internal-to-internet rule internet-access match source-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
set security policies from-zone trust to-zone untrust policy defaul-permit match source-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match destination-address any
set security policies from-zone trust to-zone untrust policy defaul-permit match application any
set security policies from-zone trust to-zone untrust policy defaul-permit then permit
set security zones security-zone untrust description "Internet Link - DHCP Configured"
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust description "Local Area Network"
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.100
set vlans vlan-trust vlan-id 100
set vlans vlan-trust l3-interface vlan.100

Virtual Chassis on EX2200 switches

The Juniper Virtual Chassis technology allows you to combine multiple physical switches into one logical switch stack, which reduces the management overhead of dealing with many switches. Because all members are acting as a single device, with a proprietary control protocol underneath, there is no need for Spanning Tree and its blocked links. It also has dual routing engine support, albeit with some feature limitations on the EX2200 platform.

Continue reading “Virtual Chassis on EX2200 switches”

Setting up a virtual lab topology with Juniper vSRX

Up until now, I’ve been doing most of my studies on real hardware. This was okay with Cisco gear, but Juniper hardware isn’t as cheap on the second hand market. Second, I always loose vast amounts of time reconfiguring appliances on the console, cabling them up, reconfiguring switchports and installing physical or virtual test machines. I recently installed an ESXi whitebox, with loads of RAM and compute power idle, so why not start virtualizing my labs?

The Juniper vSRX Integrated Virtual Firewall, formerly known as Firefly Perimeter, is a virtual appliance that brings all the features of the SRX firewalls to your virtual layer. Even better, you can use the full-featured trial version of the appliance for 60 days. Perfect for labbing purposes!

In this post, I will go through the steps of setting up the virtual appliance and giving it a basic configuration. Below is the topology I will be implementing and using for some parts of my JNCIS-SEC studies. I haven’t found an “official” installation guide from Juniper -although I haven’t really looked either- but the below scenario works for me.

Continue reading “Setting up a virtual lab topology with Juniper vSRX”

Useful Brocade FOS CLI Commands

Below is a list of useful Brocade CLI commands that I keep at my desk for reference. They’re divided up into categories for Zoning, Show, Port, Time/Date, License, Banner, Password, SNMP, User Config, Firmware, and Miscellaneous.

Zoning Commands

alicreate “Name”, “domain,port#”	Used to create an alias
alicreate “Name”,”portname1; portname2″	To create multiple ports under a single alias
alidelete “Name”	To delete an alias
aliadd “Name”, “domain,port#”	To add additional ports to an alias
aliremove “Name”, “domain,port#”	To remove a port from the alias
alishow “AliName”	To show the alias configuration on the switch
zonecreate “Zone Name”, “alias1; alias2″	To create zones based on alias
zonedelete “ZoneName”	To delete a zone
zoneadd “ZoneName”, “alias name”	To add additional alias into the zone
zoneremove “ZoneName”, “alias name”	To remove an alias from the zone
zoneshow “zoneName”	To show the zone configuration information
cfgcreate “Configname”, “Zone1; Zone2″	To create configurations by adding in zones
cfgdelete “ConfigName”	To delete a configuration
cfgadd “ConfigName”, “Zone3″	To add additional zones in the configuration
cfgremove “ConfigName”, “Zone3″	To remove a zone from the configuration
cfgshow “ConfigName”	To show the details of that configuration
cfgenable “ConfigName”	To enable a configuration on the switch
cfgsave	To have the effective configuration to be written into the flash memory

Show Commands

psshow	Displays the status of the power supply
fansshow	Displays the status of the fans
tempshow	Displays the status of the temperature readings
sensorshow	Displays the status of the sensor readings
nsshow	Displays information in the name server
nsshow -t	Displays information in the name server
nsshow -r	Displays the information in the name server along with the state change registration details
nscamshow	Displays detailed information of all the devices connected to all the switches in the fabric (Remote Name Servers)
nsallshow	Displays the 24 bit address of all devices that are in the fabric
licenseshow	Displays all the licenses that have been added in the switch
date	Displays the current date set on the switch
bannershow	Displays the banner that will appear when logging in using the CLI or web tools
httpcfgshow	Displays the JAVA version the switch expects at the management console
switchname	Displays the name of the switch
fabricshow	Displays information of all the switches in the fabric
userconfig –show -a	Displays the account information like role , description , password exp date , locked status
switchstatusshow	Displays the overall status of the switch
switchstatuspolicyshow	Displays policy set for the switch regarding Marginal(Yellow) or Down(Red) error status
portshow	To show the port status
portcfgshow	Displays the speed set for all ports on all slots and other detailed port information
configshow fabric.ops	Displays the parameters of the switch. Ensure all switches in a fabric have the same parameters in order to communicate
configshow fabric.ops.pidFormat	Displays the PID set for a switch Core , Native or Extended edge
switchuptime OR uptime	Displays the uptime for the switch
firmwareshow	Displays the firmware on the switch
version	Displays the current firmware version on the switch
hashow	Displays the status of local and remote CP’s. High availability , heartbeat and synchronization

Port Settings

portcfgshow	Displays the port settings
portcfg rscnsupr [slot/port] –enable	A registered state change registration is suppressed when a state change occurs on the port
portcfg rscnsupr [slot/port] –disable	A registered state change registration is sent when a state change occurs on the port
portname	To assign a name for a port
portdisable	To disable a port or slot
portenable	To enable a port or slot
portcfgpersistentdisable	To disable a port , status would not change even after rebooting the switch
portcfgpersistentenable	To enable a port , status would not change even after rebooting the switch
portshow	To show the port status
portcfgspeed ,	To set speed for a port#te – 0:auto negotiated 1,2,4 Gbit/sec , 1 : 1Gbit/sec , 2 : 2 Gbit/sec , 4 : 4Gbit/sec
switchcfgspeed	To set speed for all the ports on the switch Note – 0:auto negotiated 1,2,4 Gbit/sec , 1 : 1Gbit/sec , 2 : 2 Gbit/sec , 4 : 4Gbit/sec
portcfgshow	Displays the speed set for all ports on all slots and other detailed port information
portcfgdefault	To set the port settings to default
portcfglongdistance	To set the long distance mode . Default is L0(Normal), as per distance will display LE <=10 kms , L0.5 <=25kms , L1 <=50 kms, L2<=100kms , LD=auto , LS = Static
portcfgeport	Used to disable a port from being a E port

Time and Date Settings

date	Displays the current date set on the switch
tsclockserver 10.10.1.1	Instruction for the principal switch to synchronize time with the NTP server (specify the ip address of the NTP server)
tsclockserver LOCL	Instruction to stop NTP server synchronization (Local time of the switch)
date mmddhhmmyy	To set the time of the switch when the NTP server synchronization is cancelled
tstimezone -5	To set the time zone for individual switches

License Commands

licenseshow	Displays all the licenses that are added in the switch
licenseadd	To add a new license to the switch
licenseremove	To remove a license from the switch
licenseidshow	Based on Switch WWN

Banner Commands

bannershow	Displays the banner that will appear when logging in using the CLI or web tools
bannerset	To set the banner which will appear when logging in using the CLI or web tools
bannerset “”	To remove the bannerset (two quotes)

Password commands

passwd	To change the password for that particular login
passwdcfg –set -lowercase 3 uppercase 1 -digits 2 -punctuation 2 -minlength 10 -history 3	To set the password rules
passwdcfg –set -minpasswordage 1	To set the minimum password age in Days
passwdcfg –set -maxpasswordage 30	To set the maximum password age in Days
passwdcfg –set -warning 23	To set a warning for the expiration Days remaining
passwdcfg –set -lockoutthreshold 5	To set the account lockout thresh hold
passwdcfg –set -lockoutduration 30	To set the account lockout duration in Minutes
passwdcfg –setdefault	To restore the password policy to Factory settings (min length – 8, history -1 , lockoutduration – 30)

SNMP Commands

snmpconfig	snmpconfig for 5.0 above fos
agtcfgset	snmp config for fos below 5.0
snmpmibcapset	for choosing the MIB’s for the snmp settings

User Configuration

userconfig –show -a / userconfig –show	Displays all the account information like role , description , password expiration date , locked status
userconfig –add john -r admin -d “John Doe”	To add a new account -r = role , -d = description
userconfig –show john	Displays all the information for the account john
userconfig –change -e no	To Disable an account , usually default a/cs like admin and user . But ensure before disabling the admin a/c there is another a/c with admin rights
userconfig –change -e yes	To Enable an account

Firmware commands

configupload	Saves the switch config as an ASCII text file to an FTP server
configdownload	To restore a switch configuration from ASCII text file Note – Need to disable the switch before downloading the config file
configure => cfgload attributes : [y] => Ensure secure config upload / download : [y]	Fabric OS v 4.4 & above provides Secure File Copy Protocol (SCP) during upload or download of configurations
firmwaredownload	To download the firmware to be installed on the switch
firmwareshow	To be run after installing the firmware on the switch
version	Displays the current firmware version on the switch
fastboot	Needs to be run after installing the firmware. This does not include the post.
reboot	Needs to be run after installing the firmware. This includes the post.

Miscellaneous commands

killtelnet	To kill a particular session which is using telnet
configure	To configure a switch
quietmode	To switch off the quiet mode
quietmode 1	To suppress messages to the console
switchname	Displays the switch name
switchname “EXAMPLE”	To assign a switch name
bannerset	To set the banner which will appear when logging in using the CLI or web tools
timeout	Displays the timeout time set for Telnet session on the switch
timeout 10	To set a specific timeout time for the Telnet session
switchuptime or uptime	Displays the uptime for the switch
switchcfgspeed	To set speed for all the ports on the switch Note – 0:auto negotiated 1,2,4 Gbit/sec , 1 : 1Gbit/sec , 2 : 2 Gbit/sec , 4 : 4Gbit/sec
fastboot	To reboot the switch without post
reboot	To reboot the switch with the post
switchstatusshow	Displays the overall status of the switch
switchstatuspolicyshow	Displays policy set for the switch regarding Marginal(Yellow) or Down(Red) error status
switchstatuspolicyset	To change the policy set for the switch regarding Marginal(Yellow) or Down(Red) error status

Basic commands on Alcatel Omniswitch

Introduction

This page is based on the notes I took when managing Alcatel Omniswitchs 6600, 6800 in 2007 and later 6850. The full documentation can be found on Alcatel-Lucent website.

Managing the configuration files

Alcatel Omniswitchs can operate in two modes: working and certified (show running-directory to know in which mode the switch is). In working mode, the configuration can be modified, while it is no possible in certified mode (well, actually, it is). When booting, if working and certified configuration files are different, the switch will boot in certified mode. Configuration files are stored in certifed/boot.cfg and working/boot.cfg (they can be directly edited with “vi”).

Continue reading “Basic commands on Alcatel Omniswitch”

Policy Based Routing on Cisco Catalyst 3750

I want to share how I configured basic configuration Policy Based Routing (PBR) on Cisco.

To give you an idea here is a sample diagram how the PBR works.

This is a setup of network with 2 ISP, if you want to separate the users for using different ISP.

Config on cataly 3750

STEP 1. First set your Vlan SVI’s
!

interface Vlan2
ip address 10.2.0.1 255.255.0.0
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
!
interface Vlan3
ip address 10.5.0.1 255.255.0.0
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
!

STEP 2. Create Access-list, for filtering
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255

STEP 3. Now create Route-map;

route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!

and now for here put the MAGIC!

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.5.0.1 255.255.0.0
ip helper-address 10.0.0.4
ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
ip policy route-map routetoISP2
!

Here is the final config.

!
interface Vlan2
ip address 10.2.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan4
ip address 10.4.0.1 255.255.0.0
ip policy route-map routetoISP1
!
interface Vlan3
ip address 10.5.0.1 255.255.0.0
ip helper-address 10.0.0.4
ip policy route-map routetoISP2
!
interface Vlan5
ip address 10.5.0.1 255.255.0.0
ip policy route-map routetoISP2
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.4.0.0 0.0.255.255
access-list 20 permit 10.3.0.0 0.0.255.255
access-list 20 permit 10.5.0.0 0.0.255.255
route-map routetoISP1 permit 10
match ip address 10
set ip next-hop 10.0.0.1
!
route-map routetoISP2 permit 20
match ip address 20
set ip next-hop 10.0.0.2
!

Cấu hình DHCP trên Cisco

I : Cấu Hình DHCP Server

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#service dhcp
Router1(config)#ip dhcp pool 192.168.6.128/25
Router1(dhcp-config)#network 192.168.6.128 255.255.255.128
Router1(dhcp-config)#default-router 192.168.6.200
Router1(dhcp-config)#dns-server 210.245.31.130
Router1(dhcp-config)#lease 2
Router1(dhcp-config)#exit
Router1(config)#ip dhcp excluded-address 192.168.6.129 192.168.6.140
Router1(config)#ip dhcp excluded-address 192.168.6.200 192.168.6.254
Router1(config)#end
Router1#

Continue reading “Cấu hình DHCP trên Cisco”

Upgrade Software Nortel ERS 8600

Here’s a question that I’ve been asked over and over again.

How can I upgrade the software of a Nortel ERS 8600 Switch?

It’s actually very easy and only takes a few minutes (along with a reboot). If you have dual CPUs (8690SF, 8691SF, 8692SF) your going to need to upgrade both CPUs. If your running in a HA (High Availability) configuration you probably shouldn’t be reading this. I’ll assume that anyone with dual CPUs is running them in a standby configuration. I generally like to upgrade the standby CPU first and then upgrade the primary CPU, the switch will fail over to the standby CPU once the primary CPU starts to reboot.

You’ll need a TFTP server to host the software files. I generally use the TFTP server that comes with Linux (CentOS), however, you can use TFTPD32 by Philippe Jounin on Windows XP/2003. Just drop the TFTPD32 files in the same directory with the Nortel ERS 8600 software release and run the executable.

Continue reading “Upgrade Software Nortel ERS 8600”