Sunday, November 27, 2011

ESXi 3.5 to 4.1 upgrade

Last year I wrote about my 3.5 to 4.0 upgrade adventures. This weekend we scheduled a 3.5 to 4.1 upgrade, assuming it would be a smooth ride (apart from moving 4TB of data).

The first issue was that 4.1 didn't want to boot from the new pendrive. Assuming I did something wrong with the imagedd.bz2 file, I tried it a few times more, wasting about 3 hours. Turns out the box didn't like the Veritech pendrive somehow. Running from a Silicon Power one went like a charm.

Second issue: the LVM.resignature config option disappeared from the ESXi advanced config. Our new friend is the esxcfg-volume command-line utility.

esxcfg-volume -l
to list the volumes, and
esxcfg-volume -r <VMFS UUID|label>
to resignature (and rename) your volumes.

On a related note, ESXi 5.0 does not use the imagedd.bz2 file anymore, so I didn't even start to experiment with it (I wasted too much time on trivial stuff during the upgrade anyway).

Monday, November 7, 2011

ComWare authentication with Cisco Secure ACS

As I'm writing a presentation on Cisco-HP-3Com interoperability, I realized I forgot to post this config a while ago.

The basic setup: we have 2 Cisco ACS servers as RADIUS/TACACS servers, for network management purposes. Both the network devices and the VPN service on the ASA cluster authenticate with them. Setting up Cisco and HP ProCurve to use RADIUS is almost the same, but Comware differs significantly.

After an afternoon well spent, here's what I've come up with:

local-server nas-ip key 3com
radius scheme system
radius scheme ceu
 server-type standard
 primary authentication
 secondary authentication
 accounting optional
 key authentication XXXXXXX
 user-name-format without-domain
domain local
domain system
 scheme radius-scheme ceu
user-interface aux 0
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme

Friday, September 30, 2011

LLDP support on HP devices, versus my Cisco phones

This week is about LLDP making me sad...

I set out to test the compatibility of my Cisco 7911G phones with the HP switches on our network, as part of the network integration work. The HP documents (like this one) say that it's almost plug'n'play, with minimal configuration required. Cool, I'd love that. Then came reality:

ProCurve 2524
Okay, I'm kinda unfair here, this is an ancient switch. It supports basic LLDP, and has 2 hardware priority queues. On the other hand, it doesn't support a "voice VLAN" feature, but trusts 802.1p markings. The best I can do with this is to set a voice vlan as tagged on the ports, and configure the phones by hand. Not nice.

ProCurve 2510G-24
Nice switch, not too old, should be fine. But, it's not: it doesn't support LLDP-MED. It has the "voice VLAN" feature, which provides auto-qos, but I still have to config my phones by hand for the voice vlan.

ProCurve 2610-48
Untested at the moment, as they are in another location, but they support LLDP-MED, so they should be fine. These are our mainstay switches; if they work, I'm pretty happy.

And here comes the nasty part. A lot of "HP and Cisco interop" documents posted by HP were published before the 3Com merger. And 3Com switches run ComWare, not ProVision OS. Hence most HP documents won't help you if you have 3Com/H3C-heritage HP switches.

According to some existing docs, if you run ComWare v5, you should be fine. But I'm not.

HP E4210-48
This not-that-old box runs ComWare v3, and it supports both LLDP and LLDP-MED. So it should work. But it somehow lacks the support of a "voice VLAN", and I never managed to pass that vlan ID to the phone. If you config the phone by hand for the VLAN, it works in both hybrid and trunk port modes.

All switches run the latest possible firmware, and the phone runs the 8.5.3 image, with LLDP-MED support.
Stay tuned for updates on the 2610 and Comware line.

Turns out I was wrong: the 2610s are actually 2650s. Anyway, they work perfectly with LLDP-MED.

I managed to grab a Huawei S2309, which is running VRP5, which is basically ComWare v5. More testing to come.

Monday, September 5, 2011

Cisco HW repair, the CCT cert and the RPS

About a month ago, I bought some cheap Cisco gear on eBay: an ASA 5505, a 2970 series Gbit switch, a 1131 AP, and so on. Some of these devices worked, some were gutted, and some were failing. The items were sold as-is, so it's not a problem, as I'll try to repair them as my time allows. If I manage to solve anything, I'll post about it.

On a related note, Cisco released their hardware support certifications (called CCT), which is a great idea IMHO. I'm also a big fan of the HP APS and the CompTIA A+ certifications. Most likely I'll get a CCT R&S.

One of my side projects is to reverse-engineer the Catalyst RPS signals, and build a cheap RPS device from a standard 12V power brick, just for kicks. If anyone has data about the CTRL signals, or is interested otherwise, please leave a comment. Thanks!

Friday, July 1, 2011

Cisco IOS configuration examples

While getting ready for my CCNP exams, I purchased quite a few Cisco devices from our national eBay-clone site. While some folks don't really understand why I don't just use GNS3 and be happy with it, I prefer the hands-on stuff very much. Here's why:
  • Things don't go wrong in the simulated stuff as often as they should, to help you learn;
  • I have a hardware technician past, so I just like the boxes;
  • You don't have to learn memory constraints and upgrades on a simulated router: you just set it to max RAM, best-newest image, boot, done. Real world is not this nice;
  • You don't have to recover from a failed IOS upgrade, or do a password recovery;
  • And your configs are just too clear.
The last part is one of my problems with official CCNP study materials too: they only config what the chapter wants you to learn. If, for example, you study EIGRP, there won't be serious security configured on the box.

Now this is the part where the second-hand Cisco gear comes in: if you buy it from non-IT people, who didn't use it in their own home lab, chances are, the original config will be there. And that's the way I managed to acquire some live configs from ISPs and corporations. It's not guaranteed that these configs are perfect, but they were running in production networks, every day. So I think they are worth checking out.

Now, before we begin, the usual disclaimer: I deleted sensitive data from the configs, like usernames and passwords, and phone numbers, but not IP addresses (except for AAA servers). Most of these IP addresses are still in use by these organizations, so please be a grown-up, and don't try to hack them. They have some smart guys to track you down, and you don't really want that.

So, let's begin.

Nothing really fancy here, but it gets the job done.

Isn't that just beautiful?
Highlights include:

interface Dialer2
ip unnumbered Ethernet0
interface Dialer10
ip address
interface Dialer61
ip unnumbered Ethernet0
interface Dialer99
ip address negotiated

Next, a Cisco 3620 as a terminal server, but I'm not sure about the hardware config.
This was used by an ISP.
Highlights include:

interface Virtual-Template1
interface Group-Async1

Highlights include:

priority-list 1 protocol ip high list 150
priority-list 1 protocol ip medium list 151
priority-list 1 protocol ip normal list 152
priority-list 1 protocol ip low list 153

Highlights include:

interface Multilink1
voice-port 1/1
dial-peer voice 1 vofr
dial-peer voice 2 pots

And so, this is the current state of my little collection. If you want to share your own stuff, I'm very much interested.

The ultimate console cable

Forget my previous post on the Foundry console cable...

This is the stuff, that gets everything done:

Tuesday, May 31, 2011

CCNP home lab serial connections: T1 is the way to go!

As I'm building my home lab for the ROUTE exam, I find the DB60 DTE-DCE cables increasingly problematic, because:
  • they cost money,
  • they are bulky,
  • they are as flexible as a flagpole.
After playing around with different back-to-back connections, eBay provided the ultimate solution: WIC-1DSU-T1 cards.

They are cheaper than WIC-1T and WIC-2T cards, and use regular UTP cables (not with ethernet pinout, mind you!) for connection. Everything I need for a neat, organized rack. Only downside: they need modular routers, and can't be used with the built-in interfaces of my 1005, 1605R and 2500 series boxes.

The command to remember:

service-module t1 clock source {line | internal}
Default is line, so set one end of the link to internal.

Monday, May 16, 2011

Foundry/Brocade console cable

A few months ago I managed to buy a Foundry FWS24 switch. It comes with a DB9 serial port, but it does not work with a standard rollover DB9-RJ45 cable + RJ45-DB9 adapter combo.
Turns out it needs a straight serial cable instead of a rollover, but the built-in DB9 port is male, and I don't have female-female straight cables on hand.

At first I did an ugly hack with a DB9-DB25 modem cable, but I didn't like it very much, so I sacrificed one of my baby-blue Cisco cables, cut off the RJ45 plug on the end, and crimped a new one upside-down on it (black wire to pin 8), making it a straight cable. Using that cable and a standard Cisco DB9-RJ45 adapter (74-0495-01), the Foundry box works like a charm.

Tuesday, May 3, 2011

Linux bridge STP long path cost (802.1t-2001)

A few years ago, we had to implement STP on Linux boxes, using the long path cost standard. If changing the cost values from userspace is not really your thing, here's a patched br_if.c source (mind you, it's for an old kernel version, probably 2.6.17 or something).

Edit: for those who are interested in the actual numbers, not the Linux code:
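The table that followed here is not on the page, so as an added illustration (my own example, not the author's br_if.c patch or any kernel code) the program below computes both values for a given link speed: the 16-bit 802.1D-1998 cost table that the Linux bridge's port_cost() hands out, and the 802.1t-2001 long cost, 20 Tbit/s divided by the link speed, clamped to the 32-bit range 1..200,000,000. The assumptions are mine: speeds are given in Mb/s, and a speed of 0 (unknown) gets the maximum cost; the 802.1D fallback of 100 for unlisted speeds mirrors the kernel's default case.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bridge path costs for a given link speed in Mb/s (example code).
 *
 * short_path_cost() reproduces the 802.1D-1998 recommended values that the
 * stock Linux bridge uses; anything it does not list falls back to 100, as
 * the kernel does. Notice that the table cannot distinguish speeds above
 * 10 Gb/s, which is the reason for the long costs below.
 *
 * long_path_cost() is the 802.1t-2001 recommendation: 20 Tbit/s divided by
 * the link speed, clamped to 1..200,000,000.
 *
 * Assumption (not from the post): speed 0 means "unknown" and is charged
 * the maximum cost, so an unknown link never looks cheaper than a real one.
 */

uint32_t short_path_cost(uint32_t speed_mbps)
{
    switch (speed_mbps) {
    case 10000: return 2;
    case 1000:  return 4;
    case 100:   return 19;
    case 10:    return 100;
    default:    return 100;   /* unknown or unlisted speed: kernel fallback */
    }
}

uint32_t long_path_cost(uint32_t speed_mbps)
{
    const uint64_t reference_bps = 20000000000000ULL; /* 2 * 10^13 bit/s */
    const uint32_t max_cost = 200000000U;             /* 802.1t upper bound */
    uint64_t bps = (uint64_t)speed_mbps * 1000000ULL;
    uint64_t cost;

    if (bps == 0)
        return max_cost;          /* unknown speed: assume the worst link */
    cost = reference_bps / bps;
    if (cost < 1)
        cost = 1;                 /* 802.1t lower bound */
    if (cost > max_cost)
        cost = max_cost;
    return (uint32_t)cost;
}

int main(void)
{
    /* Constructed list of common link speeds, in Mb/s. */
    const uint32_t speeds[] = { 10, 100, 1000, 10000, 100000 };
    size_t i;

    printf("%10s %10s %12s\n", "Mb/s", "802.1D", "802.1t");
    for (i = 0; i < sizeof speeds / sizeof speeds[0]; i++)
        printf("%10u %10u %12u\n", speeds[i],
               short_path_cost(speeds[i]), long_path_cost(speeds[i]));
    return 0;
}
```

All bridges in one spanning-tree domain have to agree on which scale they use; a bridge advertising 802.1t costs next to bridges still on the 802.1D table produces a topology nobody intended, which is exactly why the cost values end up being patched into the bridge code rather than tweaked per port.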

Tuesday, April 19, 2011

Cisco 2500 frame relay switch - for the CCNP

Top fun for the weekend (if you don't have a life): build a frame relay network in your Cisco home lab!

As it turns out, the Cisco 2500 series can do frame relay switching, and has more than one serial interface, so it actually makes sense to do such a thing.

You can find a config here, and a discussion here.

Friday, April 1, 2011

HP AIS - Network Infrastructure [2011]

It appears that HP joined the fast-track certification solution club after Juniper and Brocade:
you can get an HP AIS certification with a valid CCNA and a web-based exam.

So while the ASE - Campus LAN cert is getting phased out, Cisco and H3C folks can get some new types of ASE and MASE certifications.

On a related note, I think the HP networking exams got quite a bit harder, with the 3Com/H3C acquisition: now you have to know both the old HP network OS, and the Comware OS, and now we have some decent routers in the portfolio, not just the good old 7000dl series.

Tuesday, March 29, 2011

Cisco Aironet 1231 with PowerDsine midspan POE

Lesson of the week: the Aironet 1231 series access points use a messed-up version of pre-standard POE.

We use PowerDsine 6524 midspans, which support 802.3af and pre-standard devices just fine. They power our Cisco IP phones, the 1100 series access points (pre-standard) and our brand-new Aruba APs. But not our 1231 APs.

Here's the trick: both 1130 and 1230 series APs use reverse-polarity power compared to the POE standard. The 1130 series contains an internal diode bridge, which swaps the polarity if necessary, so they work just fine. The 1200 series doesn't. So what you need is a custom patch cord which crosses the 4-5 and 7-8 pairs (usually the blue and brown).

Friday, February 11, 2011

It's time to Cisco

I'm proud to report that I've got a new job, as a full-time network admin. No user support, no more installing XP boxes, only the phat tubes. Yeah.
And it's a university, so we've got plenty of chicks...

It's a Cisco place, with some HP boxes, so I won't play with Juniper gear for a while, apart from my own Netscreen at home. Oh well...

An interesting upcoming project is with an Aruba Mobility Controller, a centrally managed WiFi solution. Brochures say it's cool, user guide says it's cool, maybe it'll be cool. Stay tuned for details as we progress.
On a related note, Juniper just put up its new Wireless fundamentals e-learning course.

What we learned today: if you're upgrading a Cisco MARS appliance from 4.2.2 to 4.2.3, read the release notes first, and check out the MARS blog.
To gain root access to the box: reboot, hold the right Shift key during POST and LILO; when the LILO prompt appears, press any key, like 'A'. Boot with 'linux init=/bin/bash', remount the root fs in rw mode, and passwd with a smile. Reboot, and after the pnadmin login, use the 'expert' command.
After that, you can clean up the /u01 partition, so the failed 4.2.3 upgrade can start again...