The Ubiquiti Unifi is a fairly cheap and straightforward managed WiFi solution if you are happy with a L2 bridging architecture with not too much additional stuff.
My biggest issue with the hardware is the non-standard POE implementation, which uses 24V "Ubiquiti POE".
Based on the datasheet and experience (http://www.ubnt.com/downloads/datasheets/unifi/UniFi_AP_Datasheet.pdf), our base UAP devices can't directly use 802.3af POE; only the UAP-Pro models can do that. Luckily, Ubiquiti sells an official POE adapter (http://www.ubnt.com/8023af), and it's pretty cheap.
The 802.3af POE is 48V, but fear not: standard POE uses a detection mechanism before sending out the juice, so it won't fry your Unifi AP if you connect it directly to a POE switch, it just won't start up.
If you want to go with long cable runs, where higher voltage is better suited, I'd suggest using standard 48V POE to drive the cable and the Unifi adapter near the AP to convert it to 24V.
Friday, December 14, 2012
Thursday, December 6, 2012
Fun factsheet for Cisco 3500XL and 2900XL switches
It still seems like a popular topic, and these switches never really die, so here are some fun facts about them that I found to be useful (both from my experience and from the documentation):
- These are layer 2 switches;
- So they don't have DHCP snooping capabilities;
- Nor any ARP inspection (DAI).
- They can't do IP routing, or NAT.
- Traffic distribution over an etherchannel can be based on source or destination MAC addresses, but not both. Distribution can be configured per etherchannel, not just system-wide. You can't distribute based on layer3-4 (IP,TCP/UDP) info.
- No layer3 ACLs for switching. (Just for the control plane).
- They have 2 hardware priority queues.
- They only support L2 CoS, not DSCP or ToS.
- For IP phones, you have to go with a switchport trunk, encapsulation dot1q, nonegotiate, native vlan < vid >, allowed vlan < vid-list >, switchport voice vlan < vid > type of setup.
- The 3500XL and 2900XL use the same software; you can run 2900XL images on a 3500XL box.
- The only members of the 2900XL family with Gigabit ports are the modular, 2U high chassis.
- They do not support MSTP or GVRP.
- They do not support LLDP.
- The 2900 series does not support POE; but some 3500 series models do: look for the -PWR in the model name.
Friday, November 30, 2012
Ethernet filtering fun in hexa with D-Link DES-3250
Most network admins in education know that the source of most evil is the dormitory: mostly ignorance, with just a touch of malice for flavor. Rogue DHCP servers, IPv6 router advertisements, IP collisions and the occasional ARP spoofing.
The D-Link DES-3250 series is our switch of choice for the dormitory, as it's cheap and fairly reliable. It can't perform proper DHCP snooping, dynamic ARP inspection or even the ARP protection the DES-3526 can, but it can do some filtering based on IP, MAC or raw ethernet packets.
Credits for the first two go to Gavin McCullagh, not me.
You can filter DHCP replies easily:
create access_profile ip udp src_port_mask 0xFFFF port 1-48 profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 deny
Now this one is a thing of beauty: filtering IPv6 Router advertisements:
create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0xFF000000 0x0 0x0 offset_48-63 0x0 0xFF00 0x0 0x0 port 1-48 profile_id 2
config access_profile profile_id 2 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x86DD0000 offset_16-31 0x0 0x3A000000 0x0 0x0 offset_48-63 0x0 0x8600 0x0 0x0 deny
IPv6 uses ethertype 0x86dd, and the ICMPv6 type for Router Advertisements is 0x86.
Yesterday I had 4 TP-Link APs configured as 192.168.1.254. This wouldn't be a big issue normally, but these ones were dead-set on sending gratuitous ARPs against each other at speeds of 10Mpps...
The DES-3250 has broadcast control, which was set at 8pps, but something went wrong, as the switches still forwarded around 4kpps of ARPs on all ports.
So next up is IPv4 ARP filtering for anything with the source 192.168.0.0/16:
create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0x0 0x0 0xFFFF0000 port 1-48 profile_id 3
config access_profile profile_id 3 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x08060000 offset_16-31 0x0 0x0 0x0 0xC0A80000 deny
The ethertype for ARP is 0x0806, and 192.168 is 0xc0a8.
ARP spoofing of the gateway is not that popular on this subnet, but next time it happens, I'll do an entry with that.
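To check how the offset/mask notation of the RA and ARP profiles above lines up with actual frame bytes, here is an added Python emulation of packet_content matching. It is not D-Link code: the matching rule is assumed to be "(frame word & mask) == (value & mask)" at each 32-bit offset, and the frames are constructed samples with made-up addresses.

```python
import struct

# Mask and value strings copied from the DES-3250 profiles in the post above.
RA_MASK = "offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0xFF000000 0x0 0x0 offset_48-63 0x0 0xFF00 0x0 0x0"
RA_VALUE = "offset_0-15 0x0 0x0 0x0 0x86DD0000 offset_16-31 0x0 0x3A000000 0x0 0x0 offset_48-63 0x0 0x8600 0x0 0x0"
ARP_MASK = "offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0x0 0x0 0xFFFF0000"
ARP_VALUE = "offset_0-15 0x0 0x0 0x0 0x08060000 offset_16-31 0x0 0x0 0x0 0xC0A80000"

def parse_groups(text):
    """'offset_16-31 w0 w1 w2 w3 ...' -> {16: [w0, w1, w2, w3], ...}; each word covers 4 frame bytes."""
    groups, start = {}, None
    for tok in text.split():
        if tok.startswith("offset_"):
            start = int(tok[len("offset_"):].split("-")[0])
            groups[start] = []
        else:
            groups[start].append(int(tok, 16))
    return groups

def frame_matches(mask_text, value_text, frame):
    """Assumed switch semantics: at every masked 32-bit word, (frame & mask) == (value & mask)."""
    masks, values = parse_groups(mask_text), parse_groups(value_text)
    for start, words in masks.items():
        for i, mask in enumerate(words):
            off = start + 4 * i
            word = int.from_bytes(frame[off:off + 4].ljust(4, b"\0"), "big")
            if word & mask != values[start][i] & mask:
                return False
    return True

# Constructed sample frames (made-up MACs/addresses), just enough header to reach the matched bytes.
SRC_MAC = b"\x00\x11\x22\x33\x44\x55"

def eth(ethertype, payload):
    return b"\x33\x33\x00\x00\x00\x01" + SRC_MAC + struct.pack("!H", ethertype) + payload

def icmpv6_frame(icmp_type):
    icmp = bytes([icmp_type, 0]) + b"\0\0" + b"\0" * 12             # type, code, checksum, body
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), 0x3A, 255)  # next header 0x3A (ICMPv6) at byte 20
           + b"\xfe\x80" + b"\0" * 14 + b"\xff\x02" + b"\0" * 13 + b"\x01")
    return eth(0x86DD, ip6 + icmp)                                  # ICMPv6 type lands at byte 54

def arp_frame(sender_ip):
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + SRC_MAC        # htype, ptype, hlen, plen, op, sender MAC
           + bytes(sender_ip) + b"\0" * 6 + bytes([192, 168, 1, 1]))  # sender IP lands at byte 28
    return eth(0x0806, arp)

if __name__ == "__main__":
    print(frame_matches(RA_MASK, RA_VALUE, icmpv6_frame(0x86)))             # True: RA is denied
    print(frame_matches(RA_MASK, RA_VALUE, icmpv6_frame(0x87)))             # False: neighbor solicitation passes
    print(frame_matches(ARP_MASK, ARP_VALUE, arp_frame((192, 168, 1, 254))))  # True
    print(frame_matches(ARP_MASK, ARP_VALUE, arp_frame((10, 0, 0, 1))))       # False
```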
Edit: 19/02/2013 - fixed ethertype value in ARP filter
Sunday, November 25, 2012
3Com 4050 and D-Link DGS-3324SR spanning tree native vlan
My new place uses a 3Com 4050 as a layer2 core/distribution switch. It's linked to DES-3526, DGS-3324SR and DGS-3100 switches. Protocol of choice is RSTP. Without native/untagged vlan on the links, the following happens:
- 3Com 4050 - DES-3526 - RSTP works okay
- 3Com 4050 - DGS-3100 - RSTP breaks, needs vlan1 untagged
- 3Com 4050 - DGS-3224SR - RSTP breaks, needs vlan1 untagged
- 3Com 4050 - DES-3052P - RSTP breaks, needs vlan1 untagged
- DGS-3224SR - DES3250 - RSTP works okay
- DES-3526 - DES-3052P - RSTP breaks, needs vlan1 untagged
- DGS-3324SR - 3Com 4400 - RSTP works okay
Alive N Kickin'
In case anybody wonders, I'm still active.
In the past 6 months I changed employment and countries, so it was a bit hectic.
My new place primarily uses Fortigate, Vyatta, D-Link and old 3Com gear, so expect less Cisco for a while. HP will be on the plate as I'm going for the ASE and MASE.
On a related note, I'm Brocade BCNE and BCNP since July, thanks to the BNCE/P 2012 beta program.
So for the time being, stay tuned for D-Link and 3Com stuff.
Friday, May 4, 2012
HP Procurve LLDP-MED and voice vlan configuration FAQ
These are quotations from the Software release notes and config guides, but maybe they'll make your life easier.
ProCurve does not recommend configuring a voice VLAN to accept jumbo packets. Voice VLAN packets are typically small, and allowing a voice VLAN to accept jumbo packet traffic can degrade the voice transmission performance.
Beginning with Release H.08.89, LLDP-MED is supported on ProCurve Series 2600 switches.
VLAN Operating Rules
These rules affect advertisements of VLANs in network policy TLVs:
- The VLAN ID TLV subelement applies only to a VLAN configured for voice operation: vlan < vid > voice
- If there are multiple voice VLANs configured on a port, LLDP-MED advertises the voice VLAN having the lowest VID.
- The voice VLAN port membership configured on the switch can be tagged or untagged. However, if the LLDP-MED endpoint expects a tagged membership when the switch port is configured for untagged, or the reverse, then a configuration mismatch results. (Typically, the endpoint expects the switch port to have a tagged voice VLAN membership.)
- If a given port does not belong to a voice VLAN, then the switch does not advertise the VLAN ID TLV through this port.
The QoS and voice VLAN policy elements can be statically configured with the following CLI commands:
vlan < vid > voice
vlan < vid > < tagged | untagged > < port-list >
int < port-list > qos priority < 0 - 7 >
vlan < vid > qos dscp < codepoint >
Minimum software versions for LLDP-MED.
Source: HP ProCurve LAN products software feature matrix
LLDP-MED (Media Endpoint Discovery) H.08.89 R.11.04 R.11.04 T.11.xx W.14.03 L.10.02 K.14.xx K.11.1x K.14.xx E.10.02 H.07.57 K.14.03 K.14.xx K.12.31
Thursday, May 3, 2012
Bridged OpenVPN server on VMware ESXi host
After migrating our virtual firewall from a XenSource to an ESXi server, our bridged OpenVPN server stopped working: users could ping the server, but nothing else.
Since we were talking about Vista clients, we started with the usual suspects: reboot, reinstall TAP driver, reboot. No joy, so I had to start to actually think.
Turns out ESXi vSwitches are not in promiscuous mode by default. You can turn it on like this:
http://petermolnar.eu/linux-tech-coding/vmware-esxi-and-promiscuous-mode/
Thursday, April 26, 2012
Huawei Quidway S2309 as a CPE
Wednesday, April 25, 2012
HP Procurve 2510 voice vlan and LLDP-MED
Just because it's a hot search topic, and I love to divert attention to myself, here's a short post for you:
The Procurve 2510, while supporting LLDP, does not support LLDP-MED.
Here's a quote from the latest firmware release notes:
CLI (PR_0000069348) - The switch allows configuration of a “voice” VLAN even though the switch does not support LLDP-MED.
That said, it's still a pretty good switch.
For more details on Procurve and LLDP, check out my older post:
http://packetparking.blogspot.com/2011/09/lldp-support-on-hp-devices-versus-my.html
Tuesday, February 28, 2012
Cisco IPS Manager Express performace tuning
A few weeks ago I did a clean install of IME on a virtual XP with 2GB of RAM. The user experience was okay, after it loaded the gadgets, but I just had to check out the system resources graph.
The java process used around 100MB of RAM, and MySQL used under 15MB. While I had a lot of free RAM as buffer, in my experience it never hurts to give MySQL a lot of RAM.
The config file is "my.ini" under the base installation folder, and this is how it looks after some tweaks:
[mysqld]
basedir=C:\Program Files\Cisco Systems\Cisco IPS Manager Express/MYSQL
datadir=C:\Program Files\Cisco Systems\Cisco IPS Manager Express/MYSQL/data
port=47007
myisam-recover=DEFAULT,FORCE,QUICK
bind-address=127.0.0.1
# performance options
key_buffer_size=128M
table_cache=256
sort_buffer_size=32M
read_buffer_size=8M
Now it uses around 120MB, and once started, it loads the gadgets noticeably faster.
I tried to add some InnoDB options too, but the options are not recognized. I guess that InnoDB support is not compiled in, or something.
Thursday, February 9, 2012
Cisco MARS 20 upgrade
I'm not sure where you can find performance evaluations for MARS models, but our MARS 20 definitely had issues managing 100+ switches plus our main ASA cluster and FWSM logs. Since it's EOL soon, we don't want to buy a bigger one. But it's just a PC, so we looked into upgrade possibilities.
The MARS 20 has a SuperMicro P4SCT mainboard and 1GB of RAM, so our options are:
- A new CPU, possibly with Hyperthreading. Problem is, the kernel is not SMP compatible, and I don't really want to compile a new one.
- More RAM. That's always good, the maximum supported is 4GB DDR-400 in 4 sticks of 1GB.
- A new HDD. Our old one is, well, old (40k+ hours), so I decided to replace it with a 160GB standard IDE Western Digital drive.
The RAM upgrade was no problem at all, and I used a RescueCD USB stick to 'dd' the MARS OS between drives. The new drive is a good 2 times faster, and the new memory usage stats are eye-candy:
[root@voyager bin]# free -m
total used free shared buffers cached
Mem: 3772 3764 7 210 98 2141
-/+ buffers/cache: 1523 2248
Swap: 1027 851 175
Overall, the responsiveness of the system is way better in the web interface, and cron tasks are much faster.
Thursday, January 19, 2012
Friday, January 13, 2012
Catalyst 3500XL layer 3 frozen
I'm not sure about the reason (most likely a broadcast storm), but one of our 3500XL switches stopped processing L3 traffic. Layer 2 switching was normal, and since it's our distribution switch (Cisco Modular Campus Design, here we come!), I didn't really want to reload it.
Consoling to the switch provided me with a responsive CLI, so no trouble there, either. CPU utilization was normal too.
After a few show commands, it turned out that it can't even resolve IPs with ARP.
I tried clear arp-cache, clear mac-address-table, clear int vlan 10; no joy. I had to delete the entire vlan interface (no interface vlan 10), clear the caches, and re-create the vlan interface to make it work again. Of course it's running the latest IOS out there (12.0(5)WC17).
Wednesday, January 11, 2012
A new kind of sexy: Huawei Quidway S2309
During winter break I managed to acquire a new baby to my collection:
a Huawei Quidway S2309 switch.
It's a layer2, carrier CPE grade box, with a lot of features:
It runs the Huawei VRP software, which is almost like the 3Com Comware, so I can use this baby to practice for my HP ASE exams.
Stay tuned for updates on this baby...