Multi Vendor

Citrix Netscaler 10 Summary Notes – Getting Started – Day 6



Load Balancing

Overview

  • Distributes client requests across multiple servers to optimize resource utilization
  • Prevents bottlenecks
  • Configuration:
    • Define a virtual server that proxies multiple servers in a server farm
    • Balance the load
  • Provides traffic management from Layer 4 (TCP and UDP) through Layer 7 (FTP, HTTP, and HTTPS)
  • Load balancing algorithms are used to determine how to distribute the load among servers
    • Least Connections method – default

How it works:

  • Client initiates a connection to the server
  • Virtual server terminates client connection
  • Virtual server initiates new connection to selected server or reuses connection to load balance
  • Entities:
    • Virtual server
      • Represented by IP, port and protocol
      • VIP is usually a public address
      • Clients connect to its address
      • Represents a bank of servers
    • Service
      • Logical representation of a server or an application running on a server
      • Identifies server’s IP, port, protocol
      • Bound to virtual servers
    • Server object
      • Represented by IP
      • Created when a service is created
      • IP address of the service is used as the name of the object
    • Monitor
      • Tracks health of services
      • Periodically probes the servers bound to each service
      • If a server fails to respond within the specified timeframe for the specified number of probes, the service is marked DOWN and load balancing continues among the remaining servers

Configuration

  • Enable load balancing
enable feature lb
show feature
 
System > Settings > Modes and Features > Change basic features > Load Balancing > check > OK > Enable
  • (optional) create server object
  • Create services or service groups
add service <name> <IPaddress> <serviceType> <port>
  • (optional) create monitors
  • Create virtual servers
add lb vserver []
  • Bind service to virtual servers
bind lb vserver
show service bindings <serviceName>
  • (optional) assign weights to services – the load balancing method uses the weight when selecting a service
  • (Optional) Configure basic persistence settings – for sessions that must keep connecting to a particular server. For the initial connection the appliance uses the configured load balancing method to select the server; subsequent connections from the same client go to that server. Persistence overrides the load balancing method once the server has been selected. If the service goes down, the appliance uses the load balancing method to select a new service and then connects persistently to that service for subsequent requests from the same client. If a service is out-of-service, it serves only outstanding requests for the configured shutdown period and accepts no new connections; once the shutdown period is up, existing connections are terminated.
    • Max 250K persistence connections for Source IP, SSL Session ID, Rule, DESTIP, SRCIPDESTIP
    • For CookieInsert (if timeout is not 0), URL passive and Custom Server ID, persistent connections are allowed up to the memory limit
    • If persistence cannot be maintained because of a lack of resources, the appliance uses the load balancing method to select a server
    • Persistence is maintained for a configured period of time, depending on the type
    • If persistence is enabled on a group of vservers, requests are directed to the same selected server regardless of which virtual server in the group receives the request. Once the configured time ends, any vserver in the group can be selected for incoming requests.
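The selection logic these bullets describe, as an added worked example that is not NetScaler code: a least-connections method that honours weights, a monitor result that marks a service DOWN, and a persistence table that overrides the method until the pinned service fails. The class and function names, the constructed addresses and the simplification that connections are never released are assumptions of this example.

```python
"""Least-connections load balancing with weights, monitors and persistence.

Added illustration of the behaviour described in these notes; this is a
constructed model, not NetScaler code. The Service/VirtualServer classes,
run_demo() and the sample addresses are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Service:
    """Logical representation of one server:port (the 'service' entity)."""
    name: str
    ip: str
    port: int
    weight: int = 1          # higher weight lets a service carry more load
    up: bool = True          # maintained by the monitor
    active_conns: int = 0


@dataclass
class VirtualServer:
    """The VIP clients connect to; it proxies a bank of services and owns
    the persistence table (client address -> selected service name)."""
    name: str
    services: Dict[str, Service] = field(default_factory=dict)
    persistence: Dict[str, str] = field(default_factory=dict)

    def bind(self, svc: Service) -> None:
        self.services[svc.name] = svc

    def monitor_probe(self, name: str, responded: bool) -> None:
        """Result of a monitor probe: no response marks the service DOWN."""
        self.services[name].up = responded

    def least_connections(self) -> Optional[Service]:
        """Default LB method: the UP service with the fewest active
        connections per unit of weight (ties go to the first bound)."""
        candidates = [s for s in self.services.values() if s.up]
        if not candidates:
            return None
        return min(candidates, key=lambda s: s.active_conns / s.weight)

    def select(self, client_ip: str) -> Optional[Service]:
        """Persistence overrides the LB method once a service was chosen;
        if that service is DOWN, a new one is selected and the client is
        re-pinned to it. Connections are never released in this model."""
        pinned = self.persistence.get(client_ip)
        if pinned is not None and self.services[pinned].up:
            svc = self.services[pinned]
        else:
            svc = self.least_connections()
            if svc is None:
                return None       # nothing is UP: the request cannot be served
            self.persistence[client_ip] = svc.name
        svc.active_conns += 1
        return svc


def run_demo() -> List[Optional[str]]:
    """Replays a short request sequence (constructed sample data) and
    returns the service chosen for each request, None when none is UP."""
    vs = VirtualServer("lb_vs_web")
    vs.bind(Service("web1", "10.0.0.11", 80, weight=1))
    vs.bind(Service("web2", "10.0.0.12", 80, weight=2))
    chosen: List[Optional[str]] = []

    def request(client: str) -> None:
        svc = vs.select(client)
        chosen.append(svc.name if svc else None)

    request("192.0.2.10")   # A: tie on load, first bound service -> web1
    request("192.0.2.20")   # B: web1 now busier per weight -> web2
    request("192.0.2.10")   # A: persistence wins over the LB method -> web1
    request("192.0.2.30")   # C: web1 at 2/1 vs web2 at 1/2 -> web2
    vs.monitor_probe("web1", responded=False)   # monitor marks web1 DOWN
    request("192.0.2.10")   # A: pinned service is DOWN -> reselected -> web2
    vs.monitor_probe("web2", responded=False)
    request("192.0.2.10")   # no service UP
    return chosen


if __name__ == "__main__":
    print(run_demo())
```

Running it shows client A following its pinned service until the monitor marks that service DOWN, at which point the LB method is consulted again and the client is re-pinned, exactly the order of precedence the notes give.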


  • Cookie persistence (COOKIEINSERT)
    • NetScaler adds an HTTP cookie to the Set-Cookie header field of the HTTP response:

NSC_XXXX=<ServiceIP><ServicePort>

NSC_XXXX – vserver ID (derived from the vserver name)

<ServiceIP> – IP address of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)

<ServicePort> – port of the service in hexadecimal (encrypted by NetScaler when sent, decrypted on receipt)

  • The cookie holds the information needed to pick the service to which the HTTP requests should be sent
  • The client stores the cookie and sends it in subsequent requests; if it is not allowed to store cookies, persistence is not honoured in subsequent requests
  • NetScaler checks the cookie and uses it to select the service for the requests
  • Can be used on HTTP and HTTPS vservers
  • By default HTTP cookie version 0 is sent (Netscape specification); RFC 2109 HTTP cookie version 1 can also be sent
  • Timeout can be configured
    • HTTP cookie version 0 (most widely used)
      • Expiration = current GMT time on the NetScaler + timeout
    • HTTP cookie version 1
      • NetScaler sends the Max-Age attribute in the cookie and the client calculates the expiry time
    • Timeout = 0: NetScaler specifies no expiration time; the lifetime depends on the client and the cookie becomes invalid when the client software is shut down
      • Persistence then uses no system resources
      • An unlimited number of persistent clients is supported

System > Settings > HTTP Parameters

set lb vserver -persistenceType COOKIEINSERT

show lb vserver

Traffic Management > Load Balancing > Virtual Servers> select vserver > Open
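The version 0 versus version 1 timeout handling from the list above, as an added example that is not NetScaler code. The cookie value is a plain hexadecimal IP-and-port string here, whereas the appliance encrypts that value on the wire; the NSC_<vserver> naming follows the notes, and the function names and the SAMPLE_NOW clock are constructed for this example.

```python
"""Set-Cookie header for COOKIEINSERT persistence, version 0 and version 1.

Added example, not NetScaler code. The cookie value is encoded here as plain
hexadecimal (service IP followed by port); the appliance encrypts that value
on the wire. Function names and sample values are assumptions of this example.
"""
import ipaddress
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Optional, Tuple

# constructed fixed clock so the version 0 output is reproducible
SAMPLE_NOW = datetime(2013, 8, 24, 18, 25, 0, tzinfo=timezone.utc)


def cookie_value(service_ip: str, service_port: int) -> str:
    """<ServiceIP><ServicePort> in hexadecimal: 8 hex digits for the IPv4
    address followed by 4 for the port."""
    ip_hex = format(int(ipaddress.IPv4Address(service_ip)), "08x")
    return f"{ip_hex}{service_port:04x}"


def parse_cookie_value(value: str) -> Tuple[str, int]:
    """Inverse of cookie_value(): what the appliance recovers from a request
    cookie in order to pick the service (minus the decryption step)."""
    if len(value) != 12:
        raise ValueError("expected 12 hex digits")
    ip = str(ipaddress.IPv4Address(int(value[:8], 16)))
    return ip, int(value[8:], 16)


def set_cookie_header(vserver: str, service_ip: str, service_port: int,
                      timeout_s: int, version: int = 0,
                      now: Optional[datetime] = None) -> str:
    """Version 0 (Netscape): expires = current GMT time + timeout.
    Version 1 (RFC 2109): Max-Age = timeout, the client computes the expiry.
    Timeout 0: no expiry attribute, so the cookie lives until the client
    software exits and the appliance keeps no per-client state."""
    if version not in (0, 1):
        raise ValueError("cookie version must be 0 or 1")
    parts = [f"NSC_{vserver}={cookie_value(service_ip, service_port)}"]
    if timeout_s > 0:
        if version == 0:
            now = now or datetime.now(timezone.utc)
            expires = now.astimezone(timezone.utc) + timedelta(seconds=timeout_s)
            parts.append("expires=" + format_datetime(expires, usegmt=True))
        else:
            parts.append(f"Max-Age={timeout_s}")
            parts.append("Version=1")
    parts.append("path=/")
    return "; ".join(parts)


if __name__ == "__main__":
    for v in (0, 1):
        print(set_cookie_header("web", "10.0.0.5", 80, 120, version=v, now=SAMPLE_NOW))
    print(set_cookie_header("web", "10.0.0.5", 80, 0))
```

The version 0 header carries an absolute GMT timestamp computed on the appliance, so clock skew between appliance and client shifts the effective lifetime; the version 1 header carries only a relative Max-Age, which is why the notes say the client calculates the value.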

  • URL PASSIVE persistence (persistence based on server IDs in URLs)
    • NetScaler extracts the server ID (IP address and port in hexadecimal) from the server response and adds it to the URL query of the client request
    • NetScaler extracts the server ID from subsequent requests and uses it to select the server. If it cannot extract the ID, it uses the load balancing method to select the server
    • Requires either of the following configurations:
      • payload expression
      • policy infrastructure expression
    • Not affected by the timeout value; persistence is maintained as long as the server ID can be extracted
    • Does not consume system resources
    • Unlimited number of persistent clients

set lb vserver -persistenceType URLPASSIVE

show lb vserver

Traffic Management > Load Balancing > Virtual Servers

  • (optional) basic configuration – protection settings
    • URL redirection – notifies clients of vserver (HTTP and HTTPS) malfunctions. Can be a local or remote link. NetScaler uses an HTTP 302 redirect
      • Redirects can be:
        • Absolute URL – the HTTP redirect is sent to the configured location, regardless of the URL specified in the incoming HTTP request
        • Relative URL (domain name) – the HTTP redirect is sent to the location formed by appending the incoming URL to the domain configured in the redirect URL
      • If a backup vserver is configured, the backup virtual server takes precedence over the redirect URL
      • The redirect is used when both the primary and backup vservers are down

set lb vserver -redirectURL

show lb vserver

Traffic Management > Load Balancing > Virtual Servers > select server > open >

  • Backup vserver – takes over if the primary vserver fails
    • It is a proxy and is transparent to the client
    • Can be configured:
      • when a vserver is created
      • when the optional parameters of an existing vserver are changed
    • A backup vserver can itself have a backup vserver (maximum cascading depth = 10)
    • If there is no backup vserver and no redirect URL, an error message is displayed
    • A backup vserver takes precedence over a URL redirect if both are configured

set lb vserver [-backupVserver ]

show lb vserver

Traffic Management > Load Balancing > Virtual Servers

  • Verify config
  • Verify stats

stat lb vserver

Compression

Overview

  • Means of optimizing bandwidth usage
  • NetScaler receives requests from clients and checks whether the clients accept compressed data
  • The appliance receives the HTTP response from the server and checks whether it is compressible; if so, it compresses it, modifies the header to show the compression type and forwards it to the client
  • Policy-based feature
    • A policy filters requests and responses to decide which responses can be compressed and specifies the type of compression to apply to the response
    • There are several built-in policies
    • Custom policies can be created
  • Some Multipurpose Internet Mail Extensions (MIME) types that can be compressed:
    • text/html
    • text/plain
    • text/xml, text/css
    • text/rtf
    • application/msword
    • application/vnd.ms-excel
    • application/vnd.ms-powerpoint
  • MIME types that cannot be compressed:
    • application/octet-stream
    • binary
    • bytes
    • compressed image formats : GIF and JPEG
  • Configuration

    1) Enable globally – not enabled by default.

    enable ns feature CMP

    show ns feature

    System > Settings > Modes and Features > change basic features > check compression > OK > Enable

    2) Enable it on each service that will provide responses that need to be compressed

    set service -CMP YES

    show service <name>

    Traffic Management > Load Balancing > Services > select service > advanced > settings> compression > OK

    3) (If applicable) Bind a compression policy to the load balancing vservers. If load balancing is not enabled, compression applies to all traffic that passes through the appliance; once bound, the compression policy is evaluated only for that vserver's traffic.

    (bind|unbind) lb vserver -policyName

    show lb vserver

    Traffic Management > Load Balancing > Virtual Servers > select vserver > policies > compression  > insert policy > OK

    4) Verify configuration
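The two checks the overview describes (does the client accept compressed data, is the response a compressible MIME type) followed by the header rewrite, as an added example that is not NetScaler code. The MIME lists are the ones from the notes; the request and response, the `X-`-free header handling and the function names are constructed for this example.

```python
"""Policy-based response compression as the compression notes describe it.

Added example, not NetScaler code: the compressible / non-compressible MIME
lists come from the notes, the request and response used in the test are
constructed, and the function names are assumptions of this example.
"""
import gzip
from typing import Dict, Tuple

Headers = Dict[str, str]

COMPRESSIBLE = {
    "text/html", "text/plain", "text/xml", "text/css", "text/rtf",
    "application/msword", "application/vnd.ms-excel",
    "application/vnd.ms-powerpoint",
}
NOT_COMPRESSIBLE = {
    "application/octet-stream", "binary", "bytes", "image/gif", "image/jpeg",
}


def client_accepts_gzip(request_headers: Headers) -> bool:
    """Check 1: the client lists gzip in Accept-Encoding with q > 0."""
    for item in request_headers.get("Accept-Encoding", "").split(","):
        token, _, params = item.strip().partition(";")
        if token.strip().lower() != "gzip":
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        return q > 0
    return False


def response_is_compressible(response_headers: Headers) -> bool:
    """Check 2: the Content-Type (parameters such as charset stripped) is on
    the compressible list and not on the never-compress list."""
    mime = response_headers.get("Content-Type", "").split(";")[0].strip().lower()
    return mime in COMPRESSIBLE and mime not in NOT_COMPRESSIBLE


def apply_compression(request_headers: Headers, response_headers: Headers,
                      body: bytes) -> Tuple[Headers, bytes]:
    """Compress when both checks pass and the server did not already encode
    the body; rewrite the headers so the client knows what it received.
    Otherwise the response is forwarded unchanged."""
    headers = dict(response_headers)
    if not (client_accepts_gzip(request_headers)
            and response_is_compressible(response_headers)
            and "Content-Encoding" not in headers):
        return headers, body
    compressed = gzip.compress(body, mtime=0)   # mtime=0: reproducible output
    headers["Content-Encoding"] = "gzip"
    headers["Content-Length"] = str(len(compressed))
    headers["Vary"] = "Accept-Encoding"          # caches must key on encoding
    return headers, compressed


def decompress(data: bytes) -> bytes:
    """Helper for checking the round trip from the client's point of view."""
    return gzip.decompress(data)
```

The `Vary: Accept-Encoding` header matters once a cache sits between appliance and client: without it, a cached gzip body can be served to a client that never advertised gzip.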

    Securing Load Balanced traffic ( SSL Offload)

    Overview:

    • Offloads CPU-intensive SSL encryption and decryption from the web servers to the NetScaler, which lets the servers process a greater number of requests
    • Improves the performance of sites that conduct SSL transactions
    • Ensures secure delivery of web applications
    • SSL works seamlessly with some HTTP and TCP data

    Configuration:

    1) Enable SSL Offloading. SSL entities can be configured before enabling SSL, but they become active only when SSL is enabled.

    enable ns feature SSL

    show ns feature

    System > Settings > Modes and features > Change basic features > SSL Offloading > OK  > enable

    2) Configure HTTP or TCP services to represent the applications on the server. Services are disabled until netscaler can reach the server and monitor it.

    add service <name> (<IP> | <serverName>) <serviceType> <port>

    show service <name>

    Traffic Management > SSL Offload > Services > Add >

    3) Configure SSL vserver. The server will intercept encrypted traffic, decrypt it and send it to the services bound

    add lb vserver []

    show lb vserver

    Traffic Management > SSL Offload > Virtual Servers > Add >

    4) Bind the services to the SSL  vserver

    bind lb vserver

    show lb vserver

    Traffic Management > SSL Offload > Virtual Servers > Services  > select > OK

    5) Create (if not already there) and add an SSL certificate-key pair. The certificate identifies the server during the SSL handshake. NetScaler supports RSA/DSA certificates of up to 4096 bits

    • The certificate must be paired with its key before it can be used
    • Certificate and key are stored in /nsconfig/ssl/

    add ssl certKey -cert [-key ]

    show sslcertkey

    Traffic Management > SSL > Certificates > Add >

    6) Bind SSL certkey to vserver

    bind ssl vserver -certkeyName

    show ssl vserver

    Traffic Management > SSL Offload > Virtual Servers > select server > SSL settings >

    7) Configure Optional parameters

    (For Outlook Web Access (OWA) servers; HTTP-based traffic only)

    • Create an action to enable SSL OWA support

    add ssl action -OWASupport ENABLED

    show SSL action <name>

    Traffic Management > SSL > Policies > Add >

    • Create a policy to apply the action

    add ssl policy -rule -reqAction

    show ssl policy

    Traffic Management > SSL > Policies > Add >

    • Bind the policy to the SSL virtual server

    bind ssl vserver -policyName

    show ssl vserver

    Traffic Management > SSL Offload > Virtual Servers > select server >

    Features

    • application switching and traffic management features
    • application acceleration features
    • application security and firewall features
    • application visibility feature.

     

     


    Citrix Netscaler 10 Summary Notes – Getting Started – Day 4



    Citrix NetScaler Editions

    Feature licence required on all editions

    • Standard Edition
      • SME
      • comprehensive L4-L7 traffic management
      • Web application availability
    • Enterprise Edition
      • Advanced  L4-L7 traffic management
      • Web Application acceleration
      • Increases Web application performance, availability and reduced costs
    • Platinum Edition
      • Reduces data center costs
      • Accelerates application performance
      • End to end visibility of application performance
      • Advanced application security

    Administration options:

    • CLI
      • VT100 terminal emulation, 9600 baud, 8 data bits, 1 stop bit, parity, and flow control set to NONE
      • username: nsroot
      • password:  nsroot
    • GUI

    Deployment types:

    • NetScaler ADC – Optimization over the internet and private network
    • Netscaler Gateway – Allows users to work from anywhere
    • XenMobile MDM – Load balances data from the mobile devices to the XenMobile MDM Servers
    • CloudBridge Connector – Sets up a secure tunnel between 2 data centers or between a data center and the cloud

    Initial Configuration options

    • First-time use wizard – Via web browser. Network configuration + licensing information
      • Assign NSIP for management of the Netscaler appliance + mask
      • SNIP for servers to connect + mask
      • Timezone
      • Hostname (optional)
      • DNS (Optional) – can then use hardware serial number (HSN) or license activation code (LAC) to allocate your licenses instead of uploading them to the appliance
      • Upload licences
    • LCD keypad – Located on the front panel of the appliance. Network configuration only; licensing info is entered using a different interface
      • Press <
      • First Enter Subnet Mask
      • Next NSIP
      • Last Gateway
      • Press enter
    • Serial console – Via Console. Network configuration + Licencing information
      • Login
      • config ns
        • system IP address
        • create a subnet or mapped IP address
        • configure advanced network settings
        • change the time zone

    set ns config -ipaddress -netmask
    add ns ip -type
    add route
    set system user -password
    save ns config
    reboot

    First Time High Availability Configuration

    • One unit (primary) actively accepts connections and manages servers; the other unit (secondary) monitors the first
    • Units monitor each other by sending periodic heartbeats or health checks. If a unit fails to answer heartbeats for a specific period of time, the secondary takes over (failover)
    • Mode of operation
      • One-arm – servers and NetScaler appliances are connected to the same switch
        • Can be:
          • Single subnet. Clients and servers on the same subnet.
          • Multiple subnet. Client and servers reside on different subnets.


    • Inline Mode (Two-arm) – the NetScaler appliances are connected to 2 switches; the servers are connected to the second switch. Traffic between clients and servers passes through either of the NetScaler appliances.
      • One Interface is connected to the client network, the other to the server network
      • Can be:
        • Appliance in public subnet, servers in private (Multiple Subnet Mode)
        • Both servers and appliance in public network (transparent mode). Used when the clients need to access the servers directly without an intervening virtual server. L2 Mode must be enabled for bridging the packets. NSIP and MIP are in the same public subnet


    • Configuration procedure
      • Configure 1 NS as primary, other as secondary
      • Add a node on both NS ( logical representation of the peer NS). Used to exchange heartbeat messages
        • From CLI

    add HA node <id> <IPAddress>

    show HA node <id>

    • GUI

    System> HA>Nodes>Add

    • Disable HA on unused interfaces on both NS
      • CLI

    set interface -haMonitor OFF

    show interface <id>

    • GUI

    System > Network > Interfaces – Open – HA Monitoring = OFF

    NetScaler Packet Forwarding Modes

    L2 Mode

    • Netscaler behaves like a layer 2 device
    • (Default – L2 disabled) – appliance drops packets that are not destined for one of its MAC address.
    • Netscaler does not support STP
    • If enabled: packets are not forwarded to any of the appliance's own MAC addresses, because packets can arrive on any interface of the appliance and each interface has its own MAC address

    > enable ns mode l2
    > disable ns mode l2
    > show ns mode

    L3 Mode

    • Netscaler routes packets which are not destined for it (default mode)

    > enable ns mode l3
    > disable ns mode l3
    > show ns mode

    MAC-Based Forwarding Mode

    • useful in VPN devices. Netscaler remembers the source MAC and MAC of the responding server.

    > enable ns mode mbf

    > disable ns mode mbf

    > show ns mode

    Citrix Netscaler 10 Summary Notes – Getting Started – Day 3



    Understanding the NetScaler

    An Application L4-L7 Switch. Used for Web Applications. Functions as a TCP Proxy

    Features:

    • Switching Features for optimal distribution of client requests
    • Security and protection features protect web applications from application-layer attacks
    • Server-farm optimization features speed up applications by offloading resource-intensive operations from the server

    Placement


    Request Switching

    • NetScaler is deployed in front of a server farm as a transparent TCP proxy
    • No client side  config needed
    • Appliance can separate HTTP Request from TCP Connection request

    Physical Deployment Modes

    Inline Mode

    • The appliance has a separate network interface to each client network and a separate network interface to each server network
    • Appliance transparently applies L4-L7 features

    One-Arm Mode

    • Only one network interface of the appliance is connected to an Ethernet segment
    • Does not isolate the client and server sides of the network

    L2 Mode

    • Operates as an L2 device
    • Packets are forwarded if:
      • Destination MAC is for another device
      • Destination MAC is on a different interface
      • Interface is a member of the same VLAN (default VLAN = 1)
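The forwarding rules listed here, together with the L2/L3 mode defaults from the Day 4 packet-forwarding section (L2 disabled drops frames not addressed to the appliance; L3 enabled routes packets addressed to it but not for one of its IPs), as an added example that is not NetScaler code. The Interface/Frame/Appliance model, the learned MAC table, the interface names and `example_appliance()` are assumptions of this example, and unknown destination MACs are dropped rather than flooded.

```python
"""Forwarding decision under the L2 and L3 mode flags.

Added example modelling the rules listed in these notes and in the Day 4
packet-forwarding section; not NetScaler code. The Interface/Frame/Appliance
model, the learned MAC table and example_appliance() are assumptions of this
example (a real switch would flood unknown destinations; this model drops).
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Interface:
    name: str
    mac: str
    vlan: int = 1            # default VLAN is 1


@dataclass
class Frame:
    dst_mac: str
    dst_ip: str
    ingress: str             # name of the interface the frame arrived on


@dataclass
class Appliance:
    interfaces: Dict[str, Interface]
    owned_ips: Set[str]        # NSIP, VIPs, SNIPs/MIPs
    mac_table: Dict[str, str]  # constructed: learned MAC -> interface name
    l2_mode: bool = False      # default: L2 mode disabled
    l3_mode: bool = True       # default: L3 mode enabled

    def decide(self, frame: Frame) -> str:
        """Returns 'accept', 'route', 'bridge:<interface>' or 'drop'."""
        own_macs = {i.mac for i in self.interfaces.values()}
        if frame.dst_mac in own_macs:
            if frame.dst_ip in self.owned_ips:
                return "accept"              # traffic for the appliance itself
            # addressed to our MAC but not to our IP: routing is an L3 decision
            return "route" if self.l3_mode else "drop"
        if not self.l2_mode:
            return "drop"                    # not for us and no bridging
        out_name = self.mac_table.get(frame.dst_mac)
        if out_name is None:
            return "drop"                    # unknown MAC: this model does not flood
        in_if, out_if = self.interfaces[frame.ingress], self.interfaces[out_name]
        if out_if.name == in_if.name:
            return "drop"                    # must be on a different interface
        if out_if.vlan != in_if.vlan:
            return "drop"                    # must be a member of the same VLAN
        return f"bridge:{out_if.name}"


def example_appliance(l2_mode: bool = False, l3_mode: bool = True) -> Appliance:
    """Constructed three-interface appliance (documentation MAC range)."""
    ifs = {
        "1/1": Interface("1/1", "00:00:5e:00:53:01", vlan=1),
        "1/2": Interface("1/2", "00:00:5e:00:53:02", vlan=1),
        "1/3": Interface("1/3", "00:00:5e:00:53:03", vlan=2),
    }
    table = {"00:00:5e:00:53:10": "1/2", "00:00:5e:00:53:20": "1/3"}
    return Appliance(ifs, {"10.0.0.1"}, table, l2_mode, l3_mode)


if __name__ == "__main__":
    app = example_appliance(l2_mode=True)
    print(app.decide(Frame("00:00:5e:00:53:10", "10.0.0.50", "1/1")))
```

With both modes at their defaults the appliance behaves as a router that only answers for its own addresses; enabling L2 mode is what makes it bridge between interfaces in the same VLAN, which is why the transparent (two-arm, same subnet) deployment in the Day 4 notes requires it.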

    L3 Mode

    NetScaler-Owned IP Addresses

    NetScaler IP address (NSIP) – Management address + High Availability (HA) Communication

    Mapped IP address (MIP) – For server side communication. Appliance changes source IP with MIP before sending to server

    Virtual server IP address (VIP) – IP of a virtual server. Public IP that clients connect to

    Subnet IP address (SNIP) – If multiple subnets, SNIP is MIP for each subnet

    IP Set – Set of SNIPs or MIPs

    Net Profile – contains an IP address or IP Set. Used for communication with physical servers

    Traffic Flow Management

    If Virtual Server is present

    • Clients connect to VIP address of the virtual server
    • Appliance sends request to the server using MIP or SNIP by default

    If Virtual server is absent (Transparent Mode)

    • Client sends request using Source IP SIP
    • NetScaler changes the SIP to the MIP or SNIP but does not change the destination IP; the request is transparently forwarded to the server
    • If the server needs the actual SIP, NetScaler adjusts the HTTP header and adds the SIP as an additional field, or can be configured to use the SIP instead of the MIP or SNIP to connect to servers
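The two flows above (virtual server present versus transparent mode) and the two ways of preserving the client's source address, as an added example that is not NetScaler code. The Packet/Appliance model, the function names, the addresses and the `X-Client-IP` header name are constructed assumptions; on a real appliance the name of the inserted client-IP header is configurable.

```python
"""Server-side address rewriting with and without a virtual server.

Added example of the traffic flow described in these notes; not NetScaler
code. The Packet/Appliance model, the function names, the addresses and the
'X-Client-IP' header name are constructed assumptions (on a real appliance the
inserted client-IP header name is configurable).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Appliance:
    snip: str                                # MIP/SNIP used toward servers
    vservers: Dict[Tuple[str, int], Tuple[str, int]]  # (VIP, port) -> chosen service
    use_source_ip: bool = False              # keep the client's SIP as source
    insert_client_ip: bool = False           # add the SIP as an HTTP header field
    client_ip_header: str = "X-Client-IP"    # placeholder header name

    def to_server(self, pkt: Packet) -> Packet:
        """Returns the packet as the server would receive it."""
        out = Packet(pkt.src_ip, pkt.dst_ip, pkt.dst_port, dict(pkt.headers))
        service = self.vservers.get((pkt.dst_ip, pkt.dst_port))
        if service is not None:
            # virtual server present: the destination becomes the selected service
            out.dst_ip, out.dst_port = service
        # otherwise transparent mode: destination left untouched
        if self.insert_client_ip:
            out.headers[self.client_ip_header] = pkt.src_ip
        if not self.use_source_ip:
            out.src_ip = self.snip           # default: source replaced by MIP/SNIP
        return out


def example_appliance(**flags) -> Appliance:
    """Constructed appliance: one VIP on 203.0.113.10:80 mapped to a service."""
    return Appliance("10.0.1.1", {("203.0.113.10", 80): ("10.0.2.5", 8080)}, **flags)


if __name__ == "__main__":
    app = example_appliance(insert_client_ip=True)
    print(app.to_server(Packet("198.51.100.7", "203.0.113.10", 80)))
```

The default (source replaced by the SNIP/MIP) is what makes server return traffic come back through the appliance; keeping the real source address instead only works when the servers route their replies via the appliance anyway, which is why the header-insertion option exists for servers that merely need to log or authorise on the client address.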

    Building blocks for Traffic Management

    • Helps separate traffic flows
    • Clients access applications through the virtual servers

    Load Balancing

    • Create a service for every server
    • Bind the service to a virtual server
    • Create a monitor to track the service
    • Clients connect to the VIP. Netscaler sends to the server accordingly

    Virtual Servers

    • Represented by Alphanumeric name + VIP + port + Protocol
    • Name is locally significant
    • Clients connect to the VIP and not to the address of the physical server
    • Multiple virtual servers can use the same VIP but different protocols and ports
    • Deliver features like compression, caching, SSL offload
    • Multiple services can be bound to 1 virtual server

    Load balancing virtual servers – redirects requests to appropriate server

    Cache redirection virtual server – redirects requests for dynamic content to origin servers and for static content to cache servers. Works in conjunction with load balancing virtual servers

    Content Switching virtual server – redirect traffic on the basis of content requested. Work in conjunction with load balancing virtual servers

    Virtual private network (VPN) virtual server – decrypts traffic and sends to intranet applications

    SSL virtual server – receives and decrypts traffic then sends to appropriate server

    Services

    • Represents applications on a server
    • Can exist in the absence of a virtual server
    • Point for applying features
    • Use entities (monitors) to track the health of the application
    • Every service has a default monitor (probes are sent at regular intervals to check state of service). If check fails – netscaler marks it as down.

    Service-only mode

    • Appliance is proxy
    • Netscaler translates IP addresses, port numbers, and sequence numbers

    Policies and Expression

    • Defines details on traffic filtering and management


    L7 Packet Flow Diagram for Netscaler


    • Multipath TCP is a TCP extension specified in RFC 6824 that allows end hosts to efficiently use multiple interfaces for a single TCP connection
    • SPDY is an open networking protocol developed primarily at Google for transporting web content, with the particular goals of reducing web page load latency and improving web security

    Data Packet Flow Diagram (Supported by MySQL and MYSQL database)


    Aruba620 – SSID Pruning on a specific AP



    Situation:

    I have the Aruba620 controller configured with several SSIDs. 


    I would like a specific AP (RAP-2WG) to announce 3 of the 4 SSIDs. The unlucky SSID that we will prune is Test2-620 🙂

    We need to locate that specific AP by MAC address:

    Configuration > AP Specific > Edit “00:0b:86:xx:xx:xx”


    Commands:

    ap-name "00:0b:86:c3:50:9d"
      exclude-virtual-ap "Test2-620-vap_prof"


    Don't forget to Apply and save the configuration 🙂

    What if we want to add it back? Just click the delete button, then Apply and save.


     

     

    Aruba 3200XM – Initial Configuration – Part 1



    Got a larger toy 🙂

    Initialization Wizard via Console

    Loading image 0:0##############################################################################################################################################################################################################################################################################################################
    Image is signed; verifying checksum…
    passed
    Signer Cert OK
    Policy Cert OK
    RSA signature verified.

    Booting image…
    Uncompressing core image files… 00:00:07 done. 00:00:42

    Aruba Networks
    ArubaOS Version 6.1.3.6 (build 36470 / label #36470)
    Built by p4build@corsica.arubanetworks.com on 2012-12-11 at 12:51:05 PST (gcc versio
    Copyright (c) 2002-2012, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks – Aruba A3200 >>>>>

    Performing CompactFlash fast test… Checking for file system…
    Passed.
    Performing integrity check on Ancillary partition 0…passed.
    Reboot Cause: Power Failure.
    Downloading SOS…done.
    Deleting the Databases
    Restoring the database…done.
    Generating SSH Keys……done.
    Initializing TPM and Certificates
    Generating a 2048 bit RSA private key
    ………..+++
    ……………..+++
    writing new private key to ‘/tmp/tempCertKey/priveKeyGen.pem’
    —–
    TPM and Certificate Initialization successful.
    Reading configuration from factory-default.cfg

    ***************** Welcome to the Aruba3200 setup dialog *****************
    This dialog will help you to set the basic configuration for the switch.
    These settings, except for the Country Code, can later be changed from the
    Command Line Interface or Graphical User Interface.

    Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
    <ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
    <ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
    <ctrl-P> Previous question <ctrl-X> Restart beginning

    Enter System name [Aruba3200]: Aruba3200-Test
    Enter Switch Role (master|local|standalone|remote-node) [master]: st
    The switch can be configured as local or master. The master switch
    will have global configuration and will distribute it to the local switches.
    If there is a single switch, it should be configured as master.
    Enter Switch Role (master|local|standalone|remote-node) [master]: standalone
    Enter VLAN 1 interface IP address [172.16.0.254]: 10.2.221.200
    Enter VLAN 1 interface subnet mask [255.255.255.0]:
    Enter IP Default gateway [none]: 10.2.221.2
    Enter Country code (ISO-3166), <ctrl-I> for supported list: RU
    You have chosen Country code RU for Russia (yes|no)?: y
    Enter Time Zone [PST-8:0]:
    Enter Time in UTC [06:24:57]: 23:08
    Enter Time in UTC [06:24:57]: 18:25:00
    Enter Date (MM/DD/YYYY) [8/24/2013]: 8/24/2013
    Enter Password for admin login (up to 32 chars): ********
    Re-type Password for admin login: ********
    Enter Password for enable mode (up to 15 chars): ******
    Re-type Password for enable mode: ******
    Do you wish to shutdown all the ports (yes|no)? [no]:

    Current choices are:

    System name: Aruba3200-Test
    Switch Role: standalone
    VLAN 1 interface IP address: 10.2.221.200
    VLAN 1 interface subnet mask: 255.255.255.0
    IP Default gateway: 10.2.221.2
    Country code: RU
    Time Zone: PST-8:0
    Ports shutdown: no

    If you accept the changes the switch will restart!
    Type <ctrl-P> to go back and change answer for any question
    Do you wish to accept the changes (yes|no)y
    Creating configuration… Done.

    System will now restart!

    Shutdown processing started
    Syncing data….done.
    Sending SIGKILL to all processes.
    Please stand by while rebooting the system.
    2:<7>ide-disk 0.0: shutdown
    2:<0>Restarting system.
    2:.
    2:<2>Performing hard reset…

    CPBoot 1.3.1.0 (build 35189)
    Built: 2012-09-06 at 16:05:15
    DRAM: Operating at 533 MHz
    DRAM: Channel 0: 1024 MB
    DRAM: Channel 2: 0 MB
    DRAM: Total = 1024 MB
    POST: QUICK MEMORY TEST
    Memory test: Physical 0x00000000 – 0x02000000 – address pattern
    Memory test: Physical 0x00000000 – 0x02000000 – invr addr pattern
    Memory test: Physical 0x00000000 – 0x02000000 – Mod3 pattern
    Memory test: Physical 0x10000000 – 0x12000000 – address pattern
    Memory test: Physical 0x10000000 – 0x12000000 – invr addr pattern
    Memory test: Physical 0x10000000 – 0x12000000 – Mod3 pattern
    PASS
    CPU: XLR508 rev. C4 Clock: 800MHz
    Board: A3200
    CPLD: rev: 1.3
    SMP: All 8 cpus successfully started
    Boot: Primary bootflash partition
    POST2: OK
    Net: xlr_gmac0 xlr_gmac1 xlr_gmac2 xlr_gmac3
    IDE: Bus 0: OK
    Device 0: Model: CF 512MB Firm: 20100924 Ser#: 2012C 0000091383
    Type: Removable Hard Disk
    Capacity: 502.0 MB = 0.4 GB (1028160 x 512)

    Hit any key to stop autoboot: 0
    Loading image 0:0##############################################################################################################################################################################################################################################################################################################
    Image is signed; verifying checksum…
    passed
    Signer Cert OK
    Policy Cert OK
    RSA signature verified.

    Booting image…
    Uncompressing core image files… 00:00:07 done. 00:00:42

    Aruba Networks
    ArubaOS Version 6.1.3.6 (build 36470 / label #36470)
    Built by p4build@corsica.arubanetworks.com on 2012-12-11 at 12:51:05 PST (gcc versio
    Copyright (c) 2002-2012, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks – Aruba A3200 >>>>>

    Performing CompactFlash fast test… Checking for file system…
    Passed.
    Performing integrity check on Ancillary partition 0…passed.
    Reboot Cause: User reboot.
    Downloading SOS…done.
    Restoring the database…done.
    Generating SSH Keys……done.
    Initializing TPM and Certificates
    TPM and Certificate Initialization successful.
    Performing intra-version configuration upgrade for version 6.1.
    Saving current config file default.cfg as default.cfg.2013-08-24_18-28-56
    Generating new configuration.
    Configuration upgrade complete.
    Reading configuration from default.cfg
    Retrieving Configuration…will take approximately 1 minute

    (Aruba3200-Test)
    User: admin
    Password: ********
    (Aruba3200-Test) >enable
    Password:******
    (Aruba3200-Test) #

    Day out with Aruba Controller 620 – Initial Configuration – Part 1



    Playing around with my new toy 🙂

    Just trying to find out what the Controller supports:

    Number of APs supported 

    (Aruba620) #show license-usage ap

    AP Licenses
    ———–
    Type Number
    —- ——
    AP Licenses 4
    Overall AP License Limit 4

    AP Usage
    ——–
    Type Count
    —- —–
    CAPs 0
    RAPs 0
    Tunneled nodes 0
    Total APs 0

    Remaining AP Capacity
    ———————
    Type Number
    —- ——
    CAPs 4
    RAPs 4

     

    Number of Users supported:

    (Aruba620) #show license-usage user

    User License Usage
    ——————
    Name Value
    —- —–
    License Limit 256
    License Usage 0
    License Exceeded 0
    License Platform 256

     

    Interesting commands that I don't know yet 🙂

     

    (Aruba620) #show license-usage xsec

    xSec License Usage
    ——————
    Name Value
    —- —–
    License Limit 0
    License Usage 0
    License Exceeded 0
    xSec users 0
    xSec tunnel 0

    (Aruba620) #show license-usage acr

    ACR License Usage
    —————–
    Name Value
    —- —–
    License Limit 0
    License Usage 0
    License Exceeded 0
    802.1x ACR users 0
    IPSEC ACR tunnels 0

     

    Install PoE Licence 

    Configuration -> Wizards -> Licence Wizard. 

     


    Disable Control Plane Security so that APs can connect to the controller automatically. If the feature is enabled, each AP has to be added manually; for a lab setup we disable it to save time.

    Configuration > Network > Controller >Control Plane Security


    Next we configure VLANs on the controller. We will create the following VLANs:

    • VLAN for the APs and Controller Services = Vlan 1 (10.2.221.0/24)
    • VLAN for Voice = Vlan 100 (10.10.100.0/24)
    • VLAN for the Employee SSID = Vlan 200 (10.10.200.0/24)
    • VLAN for the Guest SSID = Vlan 300 (10.10.300.0/24)

    Configuration > Network > VLAN > Add New VLAN 

    Vlan Voice


    Employee Vlan


    Guest Vlan


    Voice, Guest and Management VLANs need DHCP. Enable DHCP and add the pools


    ip dhcp pool "Voice-Vlan"
      default-router 10.10.100.254
      lease 1 0 0 0
      network 10.10.100.0 255.255.255.0
    !

    Image

    ip dhcp pool "Guest-Vlan"
      default-router 10.10.30.254
      dns-server 4.4.4.4
      lease 0 5 0 0
      network 10.10.30.0 255.255.255.0
    !

    Image

    ip dhcp pool "AP-Management"
      default-router 10.2.221.100
      dns-server 8.8.8.8
      lease 1 0 0 0
      network 10.2.221.0 255.255.255.0
    !

    Image

    All the VLANs will use the controller as their default gateway, so we need to add the controller's IP addresses to the VLAN interfaces.

    IP address for the VOIP Subnet

    Network > IP > IP Interface

    Image

    The Guest VLAN requires both DHCP and NAT in order to reach the internet.

    Image

    interface vlan 300
    interface vlan 300 ip address 10.10.30.254 255.255.255.0
    !
    interface vlan 300 ip nat inside
    !
    interface vlan 300 no bcmc-optimization

    Ideally, a DHCP server in the Employee network would hand out IP addresses to the employees, but since I want to isolate my test lab, let's also create a DHCP pool for the Employee VLAN and add an IP address to the interface.

    Image

    ip dhcp pool "Employee-Vlan"
      default-router 10.10.200.254
      dns-server 10.10.200.2
      lease 1 0 0 0
      network 10.10.200.0 255.255.255.0
    !

    Image

    Image

    interface vlan 200
    interface vlan 200 ip address 10.10.200.254 255.255.255.0
    !
    interface vlan 200 ip nat inside
    !
    interface vlan 200 no bcmc-optimization
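
    The VLAN and DHCP pool snippets above are easy to get out of step with each other (a pool's default-router that no controller interface actually owns, or a pool with no DNS server). The following script is an added example, not part of the original post: it parses ArubaOS `ip dhcp pool` and one-line `interface vlan ... ip address` snippets and reports the inconsistencies. The sample config embedded in it is constructed from the Guest and Employee snippets above plus one deliberately broken pool.

```python
"""Cross-check ArubaOS DHCP pools against VLAN interface addresses.

Added example, not from the original post: it parses `ip dhcp pool` and
`interface vlan ... ip address` snippets like the ones above and reports
pools whose default-router is outside the pool network, is not an address
owned by a VLAN interface on the controller, or that hand out no DNS server.
"""
import ipaddress
import re

# Constructed sample: the Guest and Employee snippets from the post, plus a
# deliberately inconsistent pool so the checks have something to report.
SAMPLE_CONFIG = """
ip dhcp pool "Guest-Vlan"
  default-router 10.10.30.254
  dns-server 4.4.4.4
  lease 0 5 0 0
  network 10.10.30.0 255.255.255.0
!
ip dhcp pool "Employee-Vlan"
  default-router 10.10.200.254
  dns-server 10.10.200.2
  lease 1 0 0 0
  network 10.10.200.0 255.255.255.0
!
ip dhcp pool "Broken-Vlan"
  default-router 10.10.40.254
  lease 1 0 0 0
  network 10.10.30.0 255.255.255.0
!
interface vlan 300 ip address 10.10.30.254 255.255.255.0
interface vlan 200 ip address 10.10.200.254 255.255.255.0
"""

POOL_RE = re.compile(r'^ip dhcp pool "(?P<name>[^"]+)"$')
IFACE_RE = re.compile(
    r'^\s*interface vlan (?P<vlan>\d+) ip address (?P<ip>\S+) (?P<mask>\S+)', re.M)


def parse_pools(config):
    """Return {pool_name: {option: value}} with "network" stored as an IPv4Network."""
    pools, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            current = m.group("name")
            pools[current] = {}
            continue
        if line == "!":            # "!" closes the pool block
            current = None
            continue
        if current is None or not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "network":
            addr, mask = rest.split()
            pools[current]["network"] = ipaddress.IPv4Network(f"{addr}/{mask}")
        else:
            pools[current][key] = rest
    return pools


def parse_vlan_interfaces(config):
    """Return {vlan_id: IPv4Interface} from the one-line `interface vlan N ip address A M` form."""
    return {
        int(m.group("vlan")): ipaddress.IPv4Interface(f"{m.group('ip')}/{m.group('mask')}")
        for m in IFACE_RE.finditer(config)
    }


def check_pools(config):
    """Return a list of (pool_name, problem) tuples; an empty list means every pool is consistent."""
    pools = parse_pools(config)
    owned = {iface.ip for iface in parse_vlan_interfaces(config).values()}
    findings = []
    for name, pool in pools.items():
        net, gw = pool.get("network"), pool.get("default-router")
        if net is None or gw is None:
            findings.append((name, "missing network or default-router"))
            continue
        gw_ip = ipaddress.IPv4Address(gw)
        if gw_ip not in net:
            findings.append((name, f"default-router {gw} is outside {net}"))
        if gw_ip not in owned:
            findings.append((name, f"default-router {gw} is not an address on any VLAN interface"))
        if "dns-server" not in pool:
            findings.append((name, "pool hands out no dns-server"))
    return findings


if __name__ == "__main__":
    for pool_name, problem in check_pools(SAMPLE_CONFIG):
        print(f"{pool_name}: {problem}")
```

    Feed it the output of `show running-config` from the controller and an empty list means the pools and VLAN interfaces agree.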

    Next, the AP initial setup wizard.

    All APs are in the Local LAN

    Image

    Image

    Image

    Image

    Image

     

    Hmm, the wizard only found one AP to configure, yet there are 4 connected APs.

    Consoled into the AP-105 to find out what the issue was. Since my knowledge of Aruba products is close to zero at this point, it took me a while to figure out exactly what I needed to change to have the AP associate with the controller. Anyway, found the catch :). Click the

    Maintenance tab > Convert > Campus AP managed by controller 

    Add the IP address of our controller

    Image

    And Walaaah! I see the AP-105 now 🙂

    Image

     

    Moving on to the next AP…Console…Connect to Computer …Convert :). Aruba 93..Make me proud 😉

    Was able to console using admin/admin 

    User: admin
    Password:

    aruba_ap93# write erase
    Are you sure you want to erase the configuration? (y/n): y

    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93#
    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93#
    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (ARM) #
    aruba_ap93 (ARM) #
    aruba_ap93 (ARM) #
    aruba_ap93# Erase configuration.
    aruba_ap93#

    Not all is well! The AP came up without an IP address, and I cannot see the Instant WiFi to configure it 😦

    DHCP timed out.
    Installing default ip.
    Default IP comes up.
    ip_time_handler: Got ip and packets on bond0 Started master election 124-0
    DHCP timed out.
    DHCP got ip address.
    169.254.212.156 255.255.0.0
    Compressing all files in the /etc/httpd directory…
    Dec 31 16:03:39 udhcpc[864]: send_discover: pkt num 0, secs 0
    Dec 31 16:03:39 udhcpc[864]: Sending discover…
    Done.
    Starting Webserver
    bind: Transport endpoint is not connected
    bind: Transport endpoint is not connected
    bind: Transport endpoint is not connected
    bind: Transport endpoint is not connected
    NTP Server not saved in flash… using default
    Jan 1 00:03:41 udhcpc[864]: send_discover: pkt num 1, secs 2
    ath_hal: module license ‘Proprietary’ taints kernel.
    Jan 1 00:03:41 udhcpc[864]: Senath_hal: 0.9.17.1 (ding discover…AR5416
    , AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)
    ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
    ath_rate_atheros: Aruba Networks Rate Control Algorithm
    ath_dfs: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_spectrum: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
    ath_ahb: 0.9.4.5 (Atheros/multi-bss)
    ath_pci: 0.9.4.5 (Atheros/multi-bss)
    wifi0: Base BSSID 24:de:c6:91:ad:c0, 16 available BSSID(s)
    bond0 address=24:de:c6:c1:1a:dc
    br0 address=24:de:c6:c1:1a:dc
    wifi0: AP type AP-93, radio 0, max_bssids 16
    wifi0: Atheros 9280: mem=0x10000000, irq=48 hw_base=0xb0000000

    Starting FIPS KAT … Completed FIPS KAT

    AP rebooted Sat Jan 1 21:07:45 UTC 2000; User reboot
    shutting down watchdog process (nanny will restart it)…
    Jan 1 00:03:43 udhcpc[864]: send_discover: pkt num 2, secs 4
    Jan 1 00:03:43 udhcpc[864]: Sending discover…

    <<<<< Welcome to the Access Point >>>>>

    process `snmpd’ is using obsolete setsockopt SO_BSDCOMPAT

    i am master now
    (00:04:12) !!! Init —> Master
    asap_send_elected_master: sent successfully
    Useradmin
    Password:
    User: admin
    Password:

    Trying a write erase all

    aruba_ap93# write erase all
    Are you sure you want to erase the configuration? (y/n): y

    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93 (SSID Profile “instant”) #
    aruba_ap93#
    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93 (Access Rule “instant”) #
    aruba_ap93#
    Warning: configuration via CLI is not supported!
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (config) #
    aruba_ap93 (ARM) #
    aruba_ap93 (ARM) #
    aruba_ap93 (ARM) #
    aruba_ap93# Erase configuration.
    aruba_ap93# reload

    Same thing 😦

    Update: Crap! So I have spent the whole morning wondering why nothing seems to work, and I have decided to try resetting the AP... I really do not understand why it is not acquiring an IP address from the controller, yet the AP-105 and AP-135 had no problem with DHCP!

    Flash: 16 MB
    PCI: scanning bus 0 …
    dev fn venID devID class rev MBAR0 MBAR1 MBAR2 MBAR3
    00 00 168c 002a 00002 01 10000004 00000000 00000000 00000000
    Net: eth0
    Radio: ar9280#0

    Hit <Enter> to stop autoboot: 0
    apboot> purge
    Un-Protected 1 sectors
    .done
    Erased 1 sectors
    Writing
    apboot> save
    Saving Environment to Flash…
    Un-Protected 1 sectors
    .done
    Erased 1 sectors
    Writing
    apboot> boot
    Checking image @ 0xbf100000

    And BANG!!! The AP obtained an IP address 🙂 

    Getting an IP address…
    Dec 31 16:01:03 udhcpc[770]: udhcpc (v0.9.9-pre) started
    Dec 31 16:01:03 udhcpc[770]: send_discover: pkt num 0, secs 0
    Dec 31 16:01:03 udhcpc[770]: Sending discover…
    Dec 31 16:01:05 udhcpc[770]: send_discover: pkt num 1, secs 2
    Dec 31 16:01:05 udhcpc[770]: Sending discover…
    Dec 31 16:01:07 udhcpc[770]: send_discover: pkt num 2, secs 4
    Dec 31 16:01:07 udhcpc[770]: Sending discover…
    Dec 31 16:01:09 udhcpc[770]: No lease, forking to background.
    Dec 31 16:01:29 udhcpc[860]: send_discover: pkt num 0, secs 0
    Dec 31 16:01:29 udhcpc[860]: Sending discover…
    Dec 31 16:01:30 udhcpc[860]: send_selecting: pkt num 0, secs 0
    Dec 31 16:01:30 udhcpc[860]: Sending select for 10.2.221.254…
    Dec 31 16:01:30 udhcpc[860]: Lease of 10.2.221.254 obtained, lease time 86400
    Dec 31 16:01:30 udhcpc[860]: DHCP OPT 43, len: 12, buf: 10.2.221.100

    Dec 31 16:01:30 udhcpc[860]: DHCP OPT 43 deleted airwave config

    ip_time_handler: Got ip and packets on bond0 Started master election 5-0
    10.2.221.254 255.255.255.0 10.2.221.100
    Compressing all files in the /etc/httpd directory…
    Done.
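
    The line "DHCP OPT 43, len: 12, buf: 10.2.221.100" above is how the AP learns which controller to join: the vendor-specific option carries the controller address, and a 12-byte payload for the 12-character string 10.2.221.100 shows it is plain ASCII. The script below is an added example, not from the original post: it decodes a raw DHCP options field the way the AP does and checks the named controller against the ones you actually run, which is the check worth wiring into monitoring because the AP will try to join whatever address the option names. The option encodings and the sample offers are constructed; the allowlist holds the lab controller from the post.

```python
"""Decode DHCP option 43 the way an Aruba AP reads it and check the controller it names.

Added example, not from the original post. The AP log above shows
"DHCP OPT 43, len: 12, buf: 10.2.221.100": a 12-byte payload for the
12-character string 10.2.221.100, so this code assumes option 43 carries
the controller address as plain ASCII. The AP joins whichever controller
the option names, so the check compares the decoded address against the
controllers that are really in service and flags anything else.
"""
import ipaddress

# Constructed allowlist: the lab controller configured in the post.
KNOWN_CONTROLLERS = {ipaddress.IPv4Address("10.2.221.100")}

# DHCP options are TLV: 1-byte code, 1-byte length, value; 0 pads, 255 ends.
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_VENDOR_SPECIFIC = 3, 6, 43


def parse_dhcp_options(blob):
    """Return {code: value_bytes} from a raw options field (the part after the magic cookie)."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        options[code] = value
        i += 2 + length
    return options


def controller_from_option43(options):
    """Decode option 43 as an ASCII dotted-quad; None when absent or not an IPv4 address."""
    raw = options.get(OPT_VENDOR_SPECIFIC)
    if raw is None:
        return None
    try:
        return ipaddress.IPv4Address(raw.decode("ascii").rstrip("\x00"))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        return None


def classify_offer(blob):
    """Summarise one offer/ack options field as a short verdict for an alerting pipeline."""
    options = parse_dhcp_options(blob)
    if OPT_VENDOR_SPECIFIC not in options:
        return "no-option-43"
    controller = controller_from_option43(options)
    if controller is None:
        return "unparseable-option-43"
    if controller in KNOWN_CONTROLLERS:
        return "ok"
    return f"unexpected-controller {controller}"


def build_options(router, dns, controller):
    """Constructed encoder for a minimal options field, so the samples below are explicit."""
    ctrl = controller.encode("ascii")
    return (bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
            + bytes([OPT_DNS, 4]) + ipaddress.IPv4Address(dns).packed
            + bytes([OPT_VENDOR_SPECIFIC, len(ctrl)]) + ctrl
            + bytes([OPT_END]))


# Constructed samples: the first mirrors the AP-Management pool and the log line
# above; the second names an address that is not one of our controllers.
LAB_OFFER = build_options("10.2.221.100", "8.8.8.8", "10.2.221.100")
MISDIRECTED_OFFER = build_options("10.2.221.100", "8.8.8.8", "10.2.221.200")

if __name__ == "__main__":
    for label, blob in (("lab", LAB_OFFER), ("misdirected", MISDIRECTED_OFFER)):
        opt43 = parse_dhcp_options(blob).get(OPT_VENDOR_SPECIFIC, b"")
        print(f"{label}: OPT 43 len {len(opt43)} buf {opt43.decode('ascii', 'replace')}"
              f" -> {classify_offer(blob)}")
```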

    Converted the AP 93 to connect to the Controller like the rest of the APs.

    Image

     

    And Hurray!

    ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
    10.2.221.254 255.255.255.0 10.2.221.100
    Running ADP…Done. Master is 10.2.221.100
    ath_hal: module license ‘Proprietary’ taints kernel.
    ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, PRIVATE_DIAG, WRITE_EEPROM, 11D)
    ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
    ath_rate_atheros: Aruba Networks Rate Control Algorithm
    ath_dfs: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_spectrum: Version 2.0.0
    Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved
    ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
    ath_pci: 0.9.4.5 (Atheros/multi-bss)
    wifi0: Base BSSID 24:de:c6:91:ad:c0, 16 available BSSID(s)
    bond0 address=24:de:c6:c1:1a:dc
    br0 address=24:de:c6:c1:1a:dc
    wifi0: AP type AP-93, radio 0, max_bssids 16
    wifi0: Atheros 9280: mem=0x10000000, irq=48 hw_base=0xb0000000

    Starting FIPS KAT … Completed FIPS KAT

    AP rebooted Sat Jan 1 00:08:38 UTC 2000; Image Upgrade Successful
    shutting down watchdog process (nanny will restart it)…

    <<<<< Welcome to the Access Point >>>>>

    ~ #
    ~ #

    3 down! One more to go! 

    Image

    Next RAP-3WNP


    Aruba 620 Controller Factory Reset


    Doesn’t it feel good starting on a clean slate…! Oh well, at least for Networking devices 🙂

    Erase it all…

    (Aruba620) #write erase all
    Switch will be factory defaulted. All the configuration and databases will be deleted. Press ‘y’ to proceed :
    Write Erase successful

    Reload

    (Aruba620) #reload
    Do you really want to restart the system(y/n): y
    System will now restart!
    Shutdown processing started
    Syncing data….done.
    Sending SIGKILL to all processes.
    Please stand by while rebooting the system.
    1:<0>Restarting system.
    1:.
    1:<2>Performing hard reset…

    CPBoot 1.1.0.0 (build 28907)
    Built: 2011-06-24 at 13:46:40
    DDR2 DRAM running at 466Mhz
    DRAM: Total = 512 MB
    POST: Memory test: Physical 0 – 0x10000000 – quick test
    Memory test: Physical 0x10000000 – 0x20000000 – quick test
    PASS
    CPU: XLS204, rev. A1 Clock: 600MHz
    CPLD: rev: 1.3
    SMP: All 4 cpus successfully started
    Board: A620
    POST2: OK
    PCIE: RC2x2 mode
    Net: xls_gmac0, xls_gmac1 [PRIME]
    NAND device: Manufacturer ID: 0x2c, Chip ID: 0xca ( NAND 256MiB 3,3V 16-bit)
    Boot: Primary bootflash partition

    Hit any key to stop autoboot: 0
    booting system partition 0:0
    part offset: 0 part size: 3200000
    ### JFFS2 loading ‘uImage’ to 0x87000000

    Scanning JFFS2 FS: load: loaded ‘uImage’ to 0x87000000 (26841048 bytes)
    ### JFFS2 load complete: 26841048 bytes loaded to 0x87000000

    Booting image…

    Image is signed; 26838492 sizeverifying checksum…
    passed
    Signer Cert OK
    Policy Cert OK
    RSA signature verified.
    No network device to cleanup
    No network device to cleanup
    Jumping to the application… 0x80666000
    Linux command line: run quiet console=ttyS0,9600
    ————————————————————
    Downloading SOS…done.

    Uncompressing core image files…

    Uncompressing core image files…done.
    Mounting the flash file systems…done.

    Aruba Networks
    ArubaOS Version 6.1.3.6 (build 36470 / label #36470)
    Built by p4build@corsica.arubanetworks.com on 2012-12-11 at 12:34:08 PST (gcc version 3.4.3)
    Copyright (c) 2002-2012, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks – Aruba A620-4 >>>>>

    Starting watchdog processes
    Check/update Boot Image
    Clearing AP environment variables
    Reboot Cause: Power Failure.
    Deleting the Databases
    SKIPPING Generating SSH Keys……0022
    done.
    Initializing TPM and Certificates
    Generating a 2048 bit RSA private key
    .+++
    ……………………………………………….+++
    writing new private key to ‘/tmp/tempCertKey/priveKeyGen.pem’
    —–
    Performing integrity check on Ancillary partition 0…passed.
    Restoring the database…done.
    Starting hwMon
    Reading configuration from factory-default.cfg

    ***************** Welcome to the Aruba620 setup dialog *****************
    This dialog will help you to set the basic configuration for the switch.
    These settings, except for the Country Code, can later be changed from the
    Command Line Interface or Graphical User Interface.

    Commands: <Enter> Submit input or use [default value], <ctrl-I> Help
    <ctrl-B> Back, <ctrl-F> Forward, <ctrl-A> Line begin, <ctrl-E> Line end
    <ctrl-D> Delete, <BackSpace> Delete back, <ctrl-K> Delete to end of line
    <ctrl-P> Previous question <ctrl-X> Restart beginning

    Start-up wizard

    Enter System name [Aruba620]:
    Enter Switch Role (master|local|standalone|remote-node) [master]:
    Enter VLAN 1 interface IP address [172.16.0.254]: 10.2.221.100
    Enter VLAN 1 interface subnet mask [255.255.255.0]:
    Enter IP Default gateway [none]: 10.2.221.2
    Enter Country code (ISO-3166), <ctrl-I> for supported list:

    Algeria DZ Lebanon LB
    Argentina AR Liechtenstein LI
    Australia AU Lithuania LT
    Austria AT Luxembourg LU
    Bahrain BH Macau MO
    Belgium BE Macedonia MK
    Bermuda BM Malaysia MY
    Bolivia BO Mali ML
    Bosnia and Herzegovina BA Malta MT
    Brazil BR Mauritius MU
    Bulgaria BG Mexico MX
    Canada CA Morocco MA
    Chad TD Netherlands NL
    Chile CL New Zealand NZ
    China CN Nigeria NG
    Colombia CO Norway NO
    Costa Rica CR Oman OM
    Croatia HR Panama PA
    Cyprus CY Peru PE
    Czech Republic CZ Philippines PH
    Denmark DK Poland PL
    Dominican Republic DO Portugal PT
    Ecuador EC Puerto Rico PR
    Egypt EG Qatar QA
    El Salvador SV Republic of Korea (South Korea) KR
    Estonia EE Romania RO
    Finland FI Russia RU
    France FR Saudi Arabia SA
    Germany DE Serbia and Montenegro CS
    Ghana GH Singapore SG
    Greece GR Slovak Republic SK
    Guatemala GT Slovenia SI
    Honduras HN South Africa ZA
    Hong Kong HK Spain ES
    Hungary HU Sri Lanka LK
    Iceland IS Sweden SE
    India IN Switzerland CH
    Indonesia ID Taiwan TW
    Ireland IE Thailand TH
    Islamic Republic of Pakistan PK Trinidad and Tobago TT
    Israel IL Tunisia TN
    Italy IT Turkey TR
    Jamaica JM Ukraine UA
    Japan JP3 United Arab Emirates AE
    Jordan JO United Kingdom GB
    Kazakhstan KZ United States US
    Kenya KE Uruguay UY
    Kuwait KW Venezuela VE
    Latvia LV Vietnam VN

    Enter Country code (ISO-3166), <ctrl-I> for supported list: RU
    You have chosen Country code RU for Russia (yes|no)?: yes
    Enter Time Zone [PST-8:0]: GMT+4
    Enter Time Zone [PST-8:0]: GMT
    Enter Time Zone [PST-8:0]: MSK
    Enter Time Zone [PST-8:0]:
    Enter Time in UTC [10:59:40]: 19:14:00
    Enter Date (MM/DD/YYYY) [8/21/2013]:
    Enter Password for admin login (up to 32 chars): ********
    Re-type Password for admin login: ********
    Enter Password for enable mode (up to 15 chars): ******
    Re-type Password for enable mode: ******
    Do you wish to shutdown all the ports (yes|no)? [no]:

    Current choices are:

    System name: Aruba620
    Switch Role: master
    VLAN 1 interface IP address: 10.2.221.100
    VLAN 1 interface subnet mask: 255.255.255.0
    IP Default gateway: 10.2.221.2
    Country code: RU
    Time Zone: PST-8:0
    Ports shutdown: no

    If you accept the changes the switch will restart!

    System restart

    Type <ctrl-P> to go back and change answer for any question
    Do you wish to accept the changes (yes|no) yes

    Creating configuration… Done.

    System will now restart!

    Shutdown processing started
    Syncing data….done.
    Sending SIGKILL to all processes.
    Please stand by while rebooting the system.
    0:<0>Restarting system.
    0:.
    0:<2>Performing hard reset…

    CPBoot 1.1.0.0 (build 28907)
    Built: 2011-06-24 at 13:46:40
    DDR2 DRAM running at 466Mhz
    DRAM: Total = 512 MB
    POST: Memory test: Physical 0 – 0x10000000 – quick test
    Memory test: Physical 0x10000000 – 0x20000000 – quick test
    PASS
    CPU: XLS204, rev. A1 Clock: 600MHz
    CPLD: rev: 1.3
    SMP: All 4 cpus successfully started
    Board: A620
    POST2: OK
    PCIE: RC2x2 mode
    Net: xls_gmac0, xls_gmac1 [PRIME]
    NAND device: Manufacturer ID: 0x2c, Chip ID: 0xca ( NAND 256MiB 3,3V 16-bit)
    Boot: Primary bootflash partition

    Hit any key to stop autoboot: 0
    booting system partition 0:0
    part offset: 0 part size: 3200000
    ### JFFS2 loading ‘uImage’ to 0x87000000
    Scanning JFFS2 FS: load: loaded ‘uImage’ to 0x87000000 (26841048 bytes)
    ### JFFS2 load complete: 26841048 bytes loaded to 0x87000000

    Booting image…

    Image is signed; 26838492 sizeverifying checksum…
    passed
    Signer Cert OK
    Policy Cert OK
    RSA signature verified.
    No network device to cleanup
    No network device to cleanup
    Jumping to the application… 0x80666000
    Linux command line: run quiet console=ttyS0,9600
    ————————————————————
    Downloading SOS…done.
    Uncompressing core image files…done.
    Mounting the flash file systems…done.

    Aruba Networks
    ArubaOS Version 6.1.3.6 (build 36470 / label #36470)
    Built by p4build@corsica.arubanetworks.com on 2012-12-11 at 12:34:08 PST (gcc version 3.4.3)
    Copyright (c) 2002-2012, Aruba Networks, Inc.

    <<<<< Welcome to Aruba Networks – Aruba A620-4 >>>>>

    Starting watchdog processes
    Check/update Boot Image
    Reboot Cause: User reboot.
    SKIPPING Generating SSH Keys……0022
    done.
    Initializing TPM and Certificates

    Aruba 620 Controller Password Recovery


    The worst part about having to configure old appliances is that, most of the time, you are faced with having to do password recovery!

    This is basically the best password recovery that I have ever done :). How I wish other vendors would adopt such a scheme…

    Oh well, Aruba has just impressed me – first impressions do count :). They actually have a login and password for initiating the password recovery procedure.

    Login: password

    Password: forgetme!

    User: password
    Password: *********

    Enable password is enable

    (Aruba620) >enable
    Password:******

    Create a new password and exit

    (Aruba620) (config) #mgmt-user admin root
    Password:********
    Re-Type password:********
    (Aruba620) (config) #exit
    (Aruba620) #exit
    (Aruba620) >exit
    (Aruba620)

    Login with the new password

    User: admin
    Password: ********

    Enable password is still enable for now

    (Aruba620) >enable
    Password:******

    Do not forget to save the changes 🙂

    (Aruba620) #write memory
    Saving Configuration…

    Configuration Saved.

    (Aruba620) #


    JNCIA Summary Notes – Day 2


    JUNOS Software Naming

    Example:

    jbundle-5.2R1.4-domestic-signed.tgz

    • jbundle – package (jbundle, jroute, jpfe)
    • 5.2 – major version
    • R – stage (R – publicly released, A – alpha version, B – beta version, I – internal test version)
    • 1.4 – release version
    • domestic – type (domestic contains jcrypto, export does not)
    • signed – package is protected with MD5

    Commands:

     admin@Junya> file list /packages/ | match jbase
     cleanup-pkgs@ -> /packages/mnt/jbase/sbin/cleanup-pkgs
     jbase@ -> jbase-ex-12.3R2.5
     jbase-ex-12.3R2.5
     jbase-ex-12.3R2.5.certs
     jbase-ex-12.3R2.5.sha1
     jbase-ex-12.3R2.5.sig
     jbase.symlinks
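
    An added example (not from the original post) that turns the naming scheme above into code: it splits a package file name such as jbundle-5.2R1.4-domestic-signed.tgz into its fields, recognises the .certs/.sha1/.sig sidecar names from the file listing, and checks whether every suite reported by `show version brief` runs the version a given file name encodes. The stage letters are the ones listed above; the regex, field names and the embedded `show version` sample are mine.

```python
"""Parse Junos package file names and cross-check them against `show version brief`.

Added example, not from the original post: it splits a name such as
jbundle-5.2R1.4-domestic-signed.tgz into the fields listed above
(package, major version, stage letter, release, domestic/export type,
signed flag) and checks that every suite reported by `show version brief`
carries the version a given file name encodes. The stage letters and their
meanings are the ones given in the post; the regex and field names are mine.
"""
import re
from typing import NamedTuple, Optional

# Stage letters as listed in the post.
STAGES = {"R": "publicly released", "A": "alpha", "B": "beta", "I": "internal test"}

PACKAGE_RE = re.compile(
    r"^(?P<package>[a-z]+(?:-[a-z]+)*)"       # jbundle, jroute, jpfe, jbase-ex, ...
    r"-(?P<major>\d+\.\d+)"                   # 5.2
    r"(?P<stage>[RABI])"                      # R, A, B or I
    r"(?P<release>\d+(?:\.\d+)+)"             # 1.4
    r"(?:-(?P<pkg_type>domestic|export))?"    # domestic carries jcrypto, export does not
    r"(?P<signed>-signed)?"                   # present when the package is signed
    r"(?:\.(?P<ext>tgz|certs|sha1|sig))?$"    # bundle or one of its sidecar files
)


class JunosPackage(NamedTuple):
    package: str
    major: str
    stage: str
    stage_name: str
    release: str
    pkg_type: Optional[str]
    signed: bool
    ext: Optional[str]
    version: str  # "5.2R1.4", the form `show version` prints in brackets


def parse_package_name(name):
    """Return a JunosPackage, or raise ValueError when the name does not follow the scheme."""
    m = PACKAGE_RE.match(name)
    if m is None:
        raise ValueError(f"not a Junos package name: {name!r}")
    stage = m.group("stage")
    return JunosPackage(
        package=m.group("package"),
        major=m.group("major"),
        stage=stage,
        stage_name=STAGES[stage],
        release=m.group("release"),
        pkg_type=m.group("pkg_type"),
        signed=m.group("signed") is not None,
        ext=m.group("ext"),
        version=f"{m.group('major')}{stage}{m.group('release')}",
    )


def versions_in_show_version(output):
    """Collect the bracketed versions from `show version brief` output, e.g. {"12.3R2.5"}."""
    return set(re.findall(r"\[(\d+\.\d+[RABI]\d+(?:\.\d+)+)\]", output))


def installed_matches(package_name, show_version_output):
    """True when every suite listed by `show version brief` runs the version the file name encodes."""
    expected = parse_package_name(package_name).version
    return versions_in_show_version(show_version_output) == {expected}


# Constructed sample: suite lines in the shape of the `show version brief` output on this page.
SHOW_VERSION_SAMPLE = """
Hostname: Junya
Model: ex2200-48t-4g
JUNOS Base OS boot [12.3R2.5]
JUNOS Base OS Software Suite [12.3R2.5]
JUNOS Kernel Software Suite [12.3R2.5]
JUNOS Crypto Software Suite [12.3R2.5]
JUNOS Routing Software Suite [12.3R2.5]
"""

if __name__ == "__main__":
    print(parse_package_name("jbundle-5.2R1.4-domestic-signed.tgz"))
    print("jbase-ex-12.3R2.5 matches installed:",
          installed_matches("jbase-ex-12.3R2.5", SHOW_VERSION_SAMPLE))
```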

    Software Upgrade

    Command used to upgrade software:

    request system software add jbundle-5.3R2.4-domestic-signed.tgz

     

    admin@Junya> show version brief
    fpc0:
    ————————————————————————–
    Hostname: Junya
    Model: ex2200-48t-4g
    JUNOS Base OS boot [12.3R2.5]
    JUNOS Base OS Software Suite [12.3R2.5]
    JUNOS Kernel Software Suite [12.3R2.5]
    JUNOS Crypto Software Suite [12.3R2.5]
    JUNOS Online Documentation [12.3R2.5]
    JUNOS Enterprise Software Suite [12.3R2.5]
    JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R2.5]
    JUNOS Routing Software Suite [12.3R2.5]
    JUNOS Web Management [12.3R2.5]
    JUNOS FIPS mode utilities [12.3R2.5]

    JUNOS is stored in 3 possible places:

    • Internal Flash (this is the primary boot media)
    • Hard Drive (secondary)
    • Removable media (used for disaster-recovery)

    Boot Sequence

    • Power-on self test (POST) verifies basic system components
    • The router locates JUNOS: it first checks the removable media and, if an image is found there, loads it; next it checks the internal flash, then the hard drive. If booted from removable media, the router boots with factory default settings. Command used to boot from the hard drive:

    request system snapshot

    • Loads JUNOS to memory

    JUNOS CLI

    Two main modes:

    • Operational – shows the router's current status; used to verify and troubleshoot the router

    username@routerhostname>

    • Configuration – Can alter the current status of the router.

    admin@Junya> configure
    Entering configuration mode

    {master:0}[edit]

     

    Commands;

    admin@Junya> show route

    inet.0: 29 destinations, 29 routes (27 active, 0 holddown, 2 hidden)
    + = Active Route, – = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 6w3d 17:27:54
    > to 10.2.232.1 via vlan.232
    10.2.210.0/24 *[Direct/0] 6w3d 17:27:54
    > via vlan.210
    10.2.210.2/32 *[Local/0] 6w3d 17:29:31
    Local via vlan.210
    10.2.211.0/24 *[Direct/0] 6w3d 17:27:47
    > via vlan.211
    10.2.211.2/32 *[Local/0] 6w3d 17:29:31
    Local via vlan.211

     

    Enables you to scroll through the command history using the up/down arrows:

    > set cli terminal vt100

    Short Handy commands:

    • Ctrl+P – previous command
    • Ctrl+N – next command
    • Ctrl+B – back one character
    • Ctrl+F – forward one character
    • Ctrl+A – beginning of command
    • Ctrl+E – end of command
    • Ctrl+W – deletes the word to the left
    • Ctrl+X – deletes the command
    • Ctrl+L – redraws the command

    Commands:

    admin@Junya> show interfaces terse | count
    Count: 130 lines

    {master:0}

    admin@Junya> show interfaces terse | display xml interface-ranges
    <rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.3R2/junos">
    <interface-information xmlns="http://xml.juniper.net/junos/12.3R2/junos-interface" junos:style="terse">
    <physical-interface>
    <name>ge-0/0/0</name>
    <admin-status>up</admin-status>
    <oper-status>up</oper-status>
    <description>to_cisco</description>
    <logical-interface>
    <name>ge-0/0/0.0</name>
    <admin-status>up</admin-status>
    <oper-status>up</oper-status>
    <filter-information>
    </filter-information>
    <address-family>
    <address-family-name>eth-switch</address-family-name>
    </address-family>
    </logical-interface>
    </physical-interface>

    admin@Junya> show interfaces terse | except fe | except ge | except vlan
    Interface Admin Link Proto Local Remote
    bme0 up up
    bme0.32768 up up inet 128.0.0.1/2
    128.0.0.16/2
    128.0.0.32/2
    tnp 0x10
    dsc up up
    gre up up
    ipip up up
    lo0 up up
    lo0.0 up up inet 127.0.0.1/8
    lo0.16384 up up inet 127.0.0.1 –> 0/0
    lsi up up
    me0 up down
    me0.0 up down eth-switch
    mtun up up
    pimd up up
    pime up up
    tap up up
    vme up down

    {master:0}
    admin@Junya>

    admin@Junya> show interfaces terse | find vlan
    vlan up up
    vlan.0 up up inet 10.2.230.2/24
    vlan.101 up up inet 10.128.1.2/24
    vlan.120 up up inet 10.128.20.2/24
    vlan.130 up up inet 10.128.30.2/24
    vlan.192 up up inet 192.168.1.2/28
    vlan.210 up up inet 10.2.210.2/24
    vlan.211 up up inet 10.2.211.2/24
    vlan.212 up up inet 10.2.212.2/24
    vlan.214 up up inet 10.2.214.2/24
    vlan.220 up up inet 10.2.220.2/24
    vlan.221 up up inet 10.2.221.2/24
    vlan.222 up up inet 10.2.222.2/24
    vlan.232 up up inet 10.2.232.2/24
    vme up down

    {master:0}
    admin@Junya>

    admin@Junya> show cli | hold
    CLI complete-on-space set to on
    CLI idle-timeout disabled
    CLI restart-on-upgrade set to on
    CLI screen-length set to 46
    CLI screen-width set to 167
    CLI terminal is ‘vt100’
    CLI is operating in enhanced mode
    CLI timestamp disabled
    CLI working directory is ‘/var/home/admin’

    {master:0}
    admin@Junya>

    admin@Junya> show cli | match cli
    CLI complete-on-space set to on
    CLI idle-timeout disabled
    CLI restart-on-upgrade set to on
    CLI screen-length set to 46
    CLI screen-width set to 167
    CLI terminal is ‘vt100’
    CLI is operating in enhanced mode
    CLI timestamp disabled
    CLI working directory is ‘/var/home/admin’

    {master:0}

    admin@Junya> show interfaces terse
    Interface Admin Link Proto Local Remote
    ge-0/0/0 up up
    ge-0/0/0.0 up up eth-switch
    ge-0/0/1 up up
    ge-0/0/1.0 up up eth-switch
    ge-0/0/2 up up
    ge-0/0/2.0 up up eth-switch
    ge-0/0/3 up up
    ge-0/0/3.0 up up eth-switch
    ge-0/0/4 up up
    ge-0/0/4.0 up up eth-switch

    Command used to access operation-mode commands from within configuration mode:

    run show interfaces

    Command used to show users currently in configuration mode:

    admin@Junya# status
    Users currently editing the configuration:
    admin terminal p0 (pid 70772) on since 2013-06-08 21:21:01 UTC
    {master:0}[edit]

    {master:0}[edit]

    Useful commands:

    • up – move up a level
    • edit
    • set
    • delete
    • top

    Configuration Files:

    • Candidate configuration – edits made here do not change the current operating configuration
    • Active Configuration

    To see the difference between the two files:

    admin@Junya# show | compare

    {master:0}[edit]
    admin@Junya#


    Citrix Netscaler 10 Summary Notes – Day 1 and 2


    Citrix Netscaler Introduction

    NetScaler is an application delivery controller: a physical or virtual appliance used to control application delivery in a network.

    Optimizes delivery of the following services:

    • Web applications
    • Cloud based services
    • Virtual desktops
    • Mobile services
    • Business applications

    What does it do:

    • Accelerate application delivery up to 5 times
    • Layer 4 to 7 traffic management
    • Has an integrated firewall that can be used to increase security
    • Increases web server efficiency

    Placement in the network:

    In front of the application and database servers

    What Citrix Netscaler can achieve:

    • High-speed load balancing and content switching
    • Application acceleration
    • Data compression
    • SSL acceleration
    • Network optimization
    • Application performance monitoring
    • Application security

    When Netscaler can be used (Application delivery pain points):

    • To ensure application availability
    • To improve the performance of certain applications in order to meet rising demand for them
    • When the infrastructure load is increasing and scalability turns out to be a major concern
    • When there is a need to adopt a multilayered security approach to protect information that traverses the network
    • Scalability
    • In readiness of cloud computing

    Features offered by NetScaler

    a) Application Availability Features:

    These features ensure that the applications are always available

    • Load Balancing – Traffic is managed at the request level.
    • Content Switching – Determines which server can best respond and switches requests to it.

    b) Application Visibility:

    Offers application visibility and policy management

    • AppExpert policy manager – For management of all application delivery capabilities. Includes AppVisualizer that provides a graphical display.
    • ActionAnalytics – Integrated real-time monitoring of traffic
    • AppFlow – Generate detailed application flow records
    • EdgeSight – Monitors end-user experience

    c) Offload Features:

    These features improve performance to meet increasing demands.

    • SSL Offloading – Offloads SSL encryption and decryption from the web servers, freeing their resources
    • Cache redirection – Traffic is sent to a reverse proxy cache. Non-cacheable requests are sent directly to the origin servers over persistent connections, reducing response delays
    • TCP Buffering – Adds a speed-matching mechanism between a slow client network and a fast server network by buffering the server's response before delivering it to the client at the slower speed. Retransmissions are also handled by NetScaler

    d) Optimization features:

    Reduces load in the network. 

    • TCP Optimization – Some TCP tasks are moved from the servers to Netscaler hence reduced CPU load
    • AppCompress – Compresses HTML and text files using GZip. Up to 50% bandwidth savings
    • AppCache – On-board cache stores results of incoming requests for subsequent requests for the same information hence reducing page regeneration times.
    • WAN Optimization – No reconfiguration is required in network devices when netscaler is present

    Security Features:

    • Content Filtering – Protects websites from malicious attacks at layer 7. Screens unwanted requests and reduces server exposure to attacks
    • Application Firewall – Filters traffic between servers and end users
    • DNS Security Extensions – Data integrity and data origin authentication between servers and clients
    • AAA Application Traffic – Verifies client credentials and only allows approved users to access the servers
    • SSL VPN – The Access Gateway can be used to deliver secure remote access for applications and virtual desktops
    • SAML (Security assertion Markup Language) 2.0 – enables single sign-on 

    New Features in Netscaler 10 

    • Application delivery using load balancing and content caching
    • TriScale – Improves network performance by scaling up for elastic performance, in for simplicity and out for expandability. Clustering enables scaling out: up to 32 appliances (physical or virtual) can be clustered together. The NetScaler SDX appliance enables scaling in by consolidating multiple independently managed appliances into one platform
    • NextGeneration security + SSL and SSL VPNs
    • Action Analytics – Collects data from the network
    • Cloud connectivity – Can still control and secure applications even when they are in the cloud
    • Application Visibility – provides end to end monitoring

    Netscaler Editions:

    * Standard 

    • Load Balancing
    • Content Switching
    • Rate Controls
    • IPv6 Support
    • Client and server Side TCP optimization
    • Denial of Service
    • Content Filtering
    • HTTP rewrite modules

    * Enterprise – Adds the following to the standard edition

    • Global server Load Balancing
    • Dynamic routing
    • Surge protection
    • Priority queuing
    • Data  compression
    • Citrix Command Center for simplified management of several Netscalers

    * Platinum – Adds the following to the Enterprise Edition:

    • Web Application firewall
    • AppCache module used to accelerate applications 
    • EdgeSight – end to end visibility of web apps

    Netscaler Installation 

    Netscaler system can be installed in the following modes:

    • Layer 2 Bridge
    • Layer 3 Router 
    • Combination of modes

    Netscaler placement:

             Servers -> Netscaler -> Internet -> Clients


    JNCIA Summary Notes – Day 1

    Posted on Updated on


    Router Design

    Router has two separate engines.

    Control Plane – Routing Engine

    This is the central control system. It is based on a single Intel PCI motherboard and processor.

    Functions:

    • Software upgrades and maintenance
    • Monitoring the router
    • Router configuration
    • JUNOS software is stored here
    • Operates all routing protocols
    • Performs all routing table decisions
    • Builds the master routing table with the best paths to destinations and stores them in the forwarding table of the Routing engine

    Forwarding Plane – Packet forwarding engine

    This is the central location for data packet forwarding. The plane is controlled by ASICs. Contains a passive midplane and multiple boards and processors. Main portions of the engine are:

    • Physical Interface Card (PIC)

    Physical media in the router connects to the PIC. 

    • Flexible PIC Concentrator (FPC)

    Connects to both the switching control board and the router’s interfaces within the Packet Forwarding Engine.

    It is controlled by a PowerPC CPU which does not participate in data forwarding

    Hosts a Juniper Networks ASIC which interacts with the data packets as they enter and exit the router interfaces.

     

    • Switching control board. Contains a PowerPC CPU and RAM. Static random access memory (SSRAM) contains the forwarding table for the router

    The control board is also referred to as:

    * Forwarding Engine Board (FEB) – M5 and M10. Contains only 1.

    * System Switching Board (SSB) – M20. Can hold 2 but only 1 is operational at a time

    * System Control Board (SCB) – M40. only 1 per chassis

    *  Switching and Forwarding Module (SFM) – M40e (2 each but only 1 operational at a time) and M160 (4 each working in parallel)

    * Memory Mezzanine Board (MMB) – T320 and T640.

    Functions:

    • Forwarding of data packets across any interface in the router

    Components of the Routing Engine 

    Software Architecture

    JUNOS software is based on the FreeBSD Unix operating system. The kernel is the heart of the JUNOS software.

    Common daemons:

    * Routing Protocol Daemon (rpd) – controls protocol messages, routing updates and routing policies

    * Device Control Daemon (dcd) – Configuration and maintenance of both the physical and logical properties of router interfaces

    * Management Daemon (mgd) – Controls user access

    * Chassis Daemon (chassisd) – Controls properties of the router itself

    * Packet Forwarding Engine Daemon (pfed) – Controls communication between the Packet forwarding engine and routing engine

    Software components:

    * jkernel – basic components of JUNOS

    * jbase – additions to the JUNOS since the last update of the jkernel

    * jroute – software that operates on the Routing Engine.

    * jpfe – Embedded OS software that controls the components of the Packet Forwarding Engine.

    * jdocs – software documentation

    * jcrypto – controls various security functions

    * jbundle – contains all the other packages

    Commands:

    # help topic ospf area-backbone

    # help reference ospf area

    JUNOS Installation on GNS3 – Part 3: Setting GNS3 up for VirtualBox

    Posted on Updated on


    Let's test the VirtualBox settings in GNS3

    Change VirtualBox Guest settings to point to the VirtualMachine that we created in Part 2


    Drag the VirtualBox Guest icon to the topology window and start it. VirtualBox is expected to start


     

    Let’s dance 🙂


     

    Use the login and password that we provided during the installation process and we're done 🙂

    JUNOS Installation on GNS3 – Part 2: FreeBSD Installation

    Posted on Updated on


    For this Installation, we will use FreeBSD version 4.11 that is readily available from the FreeBSD ftp server

    We start off by creating a virtual Machine that will use the FreeBSD OS. 

    Image

     

    We will go with a standard memory of 512 MB

    Image

     

    We will create an 8 GB virtual hard drive

    Image

    Image

    We will choose a fixed size harddisk

    Image

    The allocated size is 8GB

    Image

     

    The HardDisk will take some time to create. Patience Pays 🙂

    Image

     

    Once the Virtual Machine has been created, we are taken back to VirtualBox interface

    Image

    Select the created machine so that we can make changes to its settings. Click on Settings

    Image

    Oops! I forgot to indicate that we are using the 64-bit machine. But not all is lost :). Let's correct that.

    Image

     

    Let's add the ISO image. We need to give the path to the image

    Image

     

    Change the boot process to start with CD

    Image

     

    Start the machine but skip kernel configuration. We choose the standard installation process

    Image

    Image

     

    Next, we partition the disk with fdisk. Hit A to use the entire disk, then Q to exit. Next we install the Boot Manager

    Image

    Image

    We need to partition the disk as shown below. Use C to create the partitions

    Image

     


    Q to Finish the setup. This is what we have so far 🙂

    Image

     

    We will set distribution to User

    Image

    Image

    Image

    Image


    Installation complete. I am not really sure about the post-installation features... let's just try activating minimal for now

    Image

    For some reason, I guess it's necessary to have an ethernet interface.

    We need to Exit Install. Then switch the machine off. Change the boot order so that it starts with the hard disk and not the CD... and we're done

    Image

    You will be required to provide the login and password that we created during installation.

    Image

     

    Power off the machine. I forgot to make some changes.

    Enable extended processor features:

    Image

     

    Disable Audio

    Image

    Enable Serial Ports

    Image

     

    We're done 🙂

    Uploading ICX 10 GB Ports on Demand Licence

    Posted on Updated on


    1) Copy the licence from tftp

    copy tftp license XX.XX.XX.XX ICX6610-10G-LIC-POD.xml unit 1

    2) Verify licence

    ICX6610-24 Router#sh license
    Index License Name Lid License Type Status License Period License Capacity
    Stack unit 1:
    1 ICX6610-10G-LIC-POD XXXXX Normal Active Unlimited 4

    3) I realised that after that, the ports did not automatically come up, so I had to change the port speeds

    interface ethernet 1/3/1
    speed-duplex 10G-full
    !
    interface ethernet 1/3/2
    speed-duplex 10G-full

    4) Walaaa!!!

    ICX6610-24 Router#sh int bri

    Port Link State Dupl Speed Trunk Tag Pvid Pri MAC Name
    1/3/1 Up Forward Full 10G None Yes N/A 0 748e.f8e6.XXXC
    1/3/2 Up Forward Full 10G None Yes N/A 0 748e.f8e6.XXXC

     

    Upgrading firmware on brocade ICX6610

    Posted on Updated on


    1) Confirm existing firmware

    ICX6610-24 Router#sh flash
    Stack unit 1:
    Compressed Pri Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
    Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
    Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
    Code Flash Free Space = 51511296

    2) Copy the file from tftp to primary flash (I had to copy to primary because an existing bug did not allow copying from tftp to secondary)

    ICX6610-24 Router#copy tftp flash 79.XX.9.1XX FCXR08000a.bin primary
    ICX6610-24 Router#Flash Memory Write (8192 bytes per dot)
    ………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….^C
    ICX6610-24 Router#
    TFTP to Flash Done.

    3) Confirm that the file has been copied

    ICX6610-24 Router#sh flash
    Stack unit 1:
    Compressed Pri Code size = 8874046, Version:08.0.00aT7f3 (FCXR08000a.bin)
    Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
    Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
    Code Flash Free Space = 49414144

    4) Verify MD5

    ICX6610-24 Router#verify md5 pri
    ICX6610-24 Router#………………………………………………………………………………………………………………………Done
    Size = 8874046, MD5 6b5ce5f7f370e4803418149f4e14d449

    Check against the MD5 value provided with the firmware download

    6B5CE5F7F370E4803418149F4E14D449 ICX6610\Images\FCXR08000a.bin

    Walaaa :)….we are up and running 🙂
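The manual comparison in step 4 (lowercase hash from the switch against an uppercase hash from the vendor's listing) is easy to get wrong by eye, so here is a small checker as an added example. It is not from the page or from Brocade; it parses a vendor listing in the "HEX path" form shown above, streams the downloaded image through hashlib, picks the algorithm from the digest length, and compares case-insensitively. The listing text and the image bytes are constructed: the hash is MD5 of the three bytes "abc", not the real hash of FCXR08000a.bin, so the example can be checked offline.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed sample of a vendor checksum listing in the "<HEX> <path>" form
# shown on the page. The hash below is MD5("abc"), used so the example can be
# verified offline against a small constructed file; it is NOT the real image hash.
VENDOR_CHECKSUM_TEXT = (
    "900150983CD24FB0D6963F7D28E17F72 ICX6610\\Images\\FCXR08000a.bin\n"
)

# Map digest length (hex chars) to the algorithm that produces it.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{32,128})\s+\*?(.+?)\s*$")


def parse_checksum_listing(text):
    """Return {image_basename: (algorithm, lowercase_hex)} from a vendor listing.

    Paths may use Windows separators (as the page's example does), so the
    basename is taken after the last '/' or '\\'.
    """
    entries = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # blank line, comment, or something we do not understand
        digest, path = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            continue  # not a digest length we recognise
        basename = re.split(r"[\\/]", path)[-1]
        entries[basename] = (algo, digest)
    return entries


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Stream the file through hashlib so multi-MB images do not load into RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, listing_text):
    """Compare the image on disk with its entry in the vendor listing.

    Returns (ok, algorithm, computed_hex). ok is False when the image has no
    entry, so an unlisted file is never silently accepted.
    """
    entries = parse_checksum_listing(listing_text)
    name = Path(path).name
    if name not in entries:
        return (False, None, None)
    algo, expected = entries[name]
    actual = file_digest(path, algo)
    # Both sides are lowercase hex, so the comparison is case-insensitive.
    return (hmac.compare_digest(actual, expected), algo, actual)


def run_demo():
    """Build a constructed image in a temp dir and exercise the verifier.

    Returns (intact_result, tampered_result, unlisted_result).
    """
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "FCXR08000a.bin"
        img.write_bytes(b"abc")  # constructed stand-in; the page's image is 8874046 bytes
        intact = verify_image(img, VENDOR_CHECKSUM_TEXT)
        img.write_bytes(b"abd")  # one byte changed, as a corrupt or tampered download would be
        tampered = verify_image(img, VENDOR_CHECKSUM_TEXT)
        other = Path(d) / "unlisted.bin"
        other.write_bytes(b"abc")
        unlisted = verify_image(other, VENDOR_CHECKSUM_TEXT)
    return intact, tampered, unlisted


if __name__ == "__main__":
    print(run_demo())
```

MD5 is what the vendor published here, and it is fine for catching a truncated or corrupted TFTP transfer (the `^C` in step 2 is exactly the kind of event that warrants a check). It is not a defence against a deliberately substituted image, since MD5 collisions are practical; when a vendor also publishes SHA-256 values, prefer those, and fetch the listing over an authenticated channel rather than from the same place as the image.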

    Upgrading Palo Alto Software to 5.0.6

    Posted on Updated on


    1) First Check that the content Update is up to date or update if required.

    Device – Dynamic Updates – applications and Threats

    2013_07_12_18_33_25_Greenshot

    2) My current version was 4.1.6. In order to upgrade to 5.0.6, we have to make sure that the base firmware 5.0.0 is downloaded (no need to install it). We then download v5.0.6 and finally install it. Finally 🙂

    Device – Software

    2013_07_12_19_03_17_Greenshot

    Palo Alto Update Server down!! WTF???

    Posted on Updated on


    1) Confirm connectivity

    admin@PA-500> ping host 10.2.232.1
    PING 10.2.232.1 (10.2.232.1) 56(84) bytes of data.
    64 bytes from 10.2.232.1: icmp_seq=1 ttl=255 time=0.488 ms
    64 bytes from 10.2.232.1: icmp_seq=2 ttl=255 time=0.469 ms
    64 bytes from 10.2.232.1: icmp_seq=3 ttl=255 time=0.468 ms
    64 bytes from 10.2.232.1: icmp_seq=4 ttl=255 time=0.489 ms
    64 bytes from 10.2.232.1: icmp_seq=5 ttl=255 time=0.445 ms
    64 bytes from 10.2.232.1: icmp_seq=6 ttl=255 time=0.435 ms
    64 bytes from 10.2.232.1: icmp_seq=7 ttl=255 time=0.442 ms
    ^C
    — 10.2.232.1 ping statistics —
    7 packets transmitted, 7 received, 0% packet loss, time 5997ms
    rtt min/avg/max/mdev = 0.435/0.462/0.489/0.026 ms

    2) Try pinging the update server

    admin@PA-500> ping host updates.paloaltonetworks.com
    PING updates.paloaltonetworks.com (199.167.52.13) 56(84) bytes of data.
    ^C
    — updates.paloaltonetworks.com ping statistics —
    6 packets transmitted, 0 received, 100% packet loss, time 5013ms

    3) Confirm connectivity

    admin@PA-500> ping host ya.ru
    PING ya.ru (77.88.21.3) 56(84) bytes of data.
    64 bytes from http://www.yandex.ru (77.88.21.3): icmp_seq=1 ttl=58 time=1.80 ms
    64 bytes from http://www.yandex.ru (77.88.21.3): icmp_seq=2 ttl=58 time=1.24 ms
    64 bytes from http://www.yandex.ru (77.88.21.3): icmp_seq=3 ttl=58 time=1.48 ms
    64 bytes from http://www.yandex.ru (77.88.21.3): icmp_seq=4 ttl=58 time^C
    — ya.ru ping statistics —
    4 packets transmitted, 4 received, 0% packet loss, time 3038ms
    rtt min/avg/max/mdev = 1.249/1.487/1.802/0.204 ms

    4) What the fuck is happening?

    admin@PA-500> ping host updates.paloaltonetworks.com
    PING updates.paloaltonetworks.com (199.167.52.13) 56(84) bytes of data.
    ^C
    — updates.paloaltonetworks.com ping statistics —
    15 packets transmitted, 0 received, 100% packet loss, time 14016ms

    admin@PA-500> traceroute host updates.paloaltonetworks.com
    traceroute to updates.paloaltonetworks.com (199.167.52.13), 30 hops max, 40 byte packets
    1 (10.2.232.1) 1.091 ms 1.137 ms 1.247 ms
    2 (81.23.6.65) 4.064 ms 4.154 ms 4.169 ms
    3 (83.220.63.5) 2.813 ms 2.823 ms 2.900 ms
    4 (62.140.239.81) 1.861 ms 1.868 ms 1.870 ms
    5 (62.140.245.49) 2.544 ms 2.615 ms 2.960 ms
    6 (62.140.245.81) 56.934 ms 56.698 ms 56.605 ms
    7 (213.242.110.217) 50.186 ms 50.005 ms 50.183 ms
    8 (4.68.70.10) 58.485 ms 63.608 ms 63.486 ms
    9 (67.17.74.41) 63.464 ms 63.457 ms 63.525 ms
    10 (67.17.105.2) 191.497 ms 191.114 ms 191.204 ms
    11 (64.210.28.142) 182.979 ms 181.979 ms 181.966 ms
    12 (66.151.144.29) 180.588 ms 180.550 ms 180.499 ms
    13 (66.151.157.250) 182.051 ms 181.039 ms 180.905 ms
    14 * * *
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *
    admin@PA-500> telnet port 443 host updates.paloaltonetworks.com
    Trying 199.167.52.13…

    Connected to updates.paloaltonetworks.com.
    Escape character is ‘^]’.
    ^^]
    ^C^H
    ^^]
    Connection closed by foreign host.
    admin@PA-500> request anti-virus upgrade download latest

    Server error : No update information available

    I have network connectivity but the servers are down!! How on earth are the update servers for a firewall down???

    Palo Alto Team.... do something!

     

    ====================EDITED UPDATE============

    So after all the ranting, I visited the Device->Software webpage, clicked on Check Now and a list of the software updates came up 🙂

    But the IP address was still unreachable. So guys, if you ever get the connectivity error.... first try checking for the updates instead of wasting time ranting 🙂
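The lesson of this post is that a 100% ICMP loss on one host proves very little when the gateway and a reference host answer and a TCP connect to port 443 succeeds: the update server was filtering ping, not down. As an added example (not from the page or from Palo Alto Networks), the triage below encodes that reasoning over captured probe output. The four captures are constructed and abbreviated from the ones above; the hop numbers, loss percentages and the `Connected to` line are the page's values, and the verdict strings are my own.

```python
import re

# Constructed captures, abbreviated from the ones in this post (the firewall's
# own outputs are longer); loss figures, hop addresses and timings are the
# page's values.
GATEWAY_PING = """\
--- 10.2.232.1 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 5997ms
"""
REFERENCE_PING = """\
--- ya.ru ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3038ms
"""
TARGET_PING = """\
--- updates.paloaltonetworks.com ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 14016ms
"""
TARGET_TRACE = """\
traceroute to updates.paloaltonetworks.com (199.167.52.13), 30 hops max, 40 byte packets
1 (10.2.232.1) 1.091 ms 1.137 ms 1.247 ms
2 (81.23.6.65) 4.064 ms 4.154 ms 4.169 ms
13 (66.151.157.250) 182.051 ms 181.039 ms 180.905 ms
14 * * *
30 * * *
"""
TARGET_TCP = """\
Trying 199.167.52.13...
Connected to updates.paloaltonetworks.com.
Escape character is '^]'.
"""

_PING_RE = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_ping(text):
    """Return (sent, received, loss_pct) from a ping statistics footer."""
    m = _PING_RE.search(text)
    if not m:
        raise ValueError("no ping statistics line found")
    sent, received, loss = (int(x) for x in m.groups())
    return sent, received, loss


def last_answering_hop(text):
    """Highest hop number that returned at least one reply (0 if none)."""
    last = 0
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        # A hop of only asterisks sent no reply; anything else counts.
        if m and m.group(2).replace("*", "").strip():
            last = max(last, int(m.group(1)))
    return last


def tcp_connected(text):
    """True when the telnet-style probe printed a 'Connected to' line."""
    return bool(re.search(r"^Connected to ", text, re.MULTILINE))


def triage(gateway_ping, reference_ping, target_ping, target_trace, target_tcp):
    """Classify an 'update server unreachable' report from the four probes."""
    if parse_ping(gateway_ping)[2] == 100:
        return "local: default gateway does not answer; check the management interface and VLAN"
    if parse_ping(reference_ping)[2] == 100:
        return "upstream: general internet reachability is broken, not just the update server"
    if parse_ping(target_ping)[2] < 100:
        return "target answers ICMP; look at the update service itself (DNS, TLS, proxy)"
    if tcp_connected(target_tcp):
        hop = last_answering_hop(target_trace)
        return (f"ICMP filtered: no echo replies and traceroute stops at hop {hop}, "
                "but TCP/443 connects, so the service is reachable; retry the update check")
    return "target down or blocked: neither ICMP nor TCP/443 reaches the update server"


if __name__ == "__main__":
    print(triage(GATEWAY_PING, REFERENCE_PING, TARGET_PING, TARGET_TRACE, TARGET_TCP))
```

The ordering matters: the gateway and reference checks rule out local and upstream faults first, so that the target-specific verdict is only reached when the path is otherwise healthy. The TCP probe is what distinguishes "filtered" from "down"; it is the one of the four that actually exercises the port the update client uses.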

    Factory reset process on Palo Alto

    Posted on Updated on


    1) Connect to the console and power off the firewall. When it starts to boot up, wait for the autoboot prompt and enter maint

    Autoboot to default partition in 5 seconds.
    Enter ‘maint’ to boot to maint partition.

    INIT: version 2.86 booting

    Welcome to PanOS
    Setting clock (utc): Fri Jul 12 00:40:17 PDT 2013 [ OK ]
    Starting udev: [ OK ]
    Setting hostname PA-500: [ OK ]
    Checking filesystems:
    Running filesystem check on pancfg: [ OK ]
    Running filesystem check on panrepo: [ OK ]
    [ OK ]
    Remounting root filesystem in read-write mode: [ OK ]
    mount: can’t find / in /etc/fstab or /etc/mtab
    Enabling /etc/fstab swaps: [ OK ]
    INIT: Entering runlevel: 3
    Entering non-interactive startup
    Starting Networking: [ OK ]
    Starting system logger: [ OK ]
    Starting kernel logger: [ OK ]
    Starting portmap: [ OK ]
    Starting NFS statd: [ OK ]
    Starting panhttpd: [ OK ]
    Starting sshd: [ OK ]
    Starting ha-sshd: [ OK ]
    Starting xinetd: [ OK ]
    Starting ntpd: [ OK ]
    Starting NFS services: [ OK ]
    Starting NFS daemon: [ OK ]
    Starting NFS mountd: [ OK ]
    Starting PAN Software: [ OK ]

    2) Select Factory Reset option

    Welcome to the Maintenance Recovery Tool
    Welcome to maintenance mode. For support please contact Palo Alto
    Networks.

    866-898-9087 or support@paloaltonetworks.com

    Welcome to the Maintenance Recovery Tool

    Factory Reset

    WARNING: Performing a factory reset will remove all logs and configuration.

    Using Image:
    (X) panos-4.1.6

    < Factory Reset >

    < Advanced >

     3) Factory reset starts

    (X) panos-4.1.6

    Percent Complete

    0 %

    Factory Reset Status

    Factory Reset Status: Success

     4) Reboot and log in using admin/admin

    Bootstrapping [panos ] into partition “sysroot0”
    Installing packages into /mnt/swm/sysroot0/…
    Installing: glibc-2.9-4.pan
    Installing: zlib-1.2.3-3.pan
    Installing: libgcc-4.3.3-4.pan
    Installing: libstdc++-4.3.3-5.pan
    Installing: popt-1.12-1.pan
    Installing: chkconfig-1.3.30.1-2.pan
    Installing: mktemp-1.5-23.2.2
    Installing: bzip2-libs-1.0.3-3.pan
    Installing: sed-4.1.5-5.pan
    INIT: Sending processes the TERM signal
    Stopping PAN Software: [ OK ]
    Shutting down NFS mountd: [ OK ]
    Shutting down NFS daemon: nfsd: last server has exited, flushing export cache
    [ OK ]
    Shutting down NFS services: [ OK ]
    Stopping ha-sshd: [ OK ]
    Stopping sshd: [ OK ]
    Stopping xinetd: [ OK ]
    Shutting down ntpd: [ OK ]
    Stopping NFS statd: [ OK ]
    Stopping portmap: [ OK ]
    Shutting down kernel logger: [ OK ]
    Shutting down system logger: [ OK ]
    Stopping Networking: SIOCGIFFLAGS: No such device
    [ OK ]
    Starting killall: [ OK ]
    Sending all processes the TERM signal…
    Sending all processes the KILL signal…
    Saving random seed:
    Syncing hardware clock to system time
    Unmounting pipe file systems:
    Unmounting file systems:
    Please stand by while rebooting the system…
    sd 0:0:0:0: [sda] Synchronizing SCSI cache
    Restarting system.
    Welcome to the PanOS Bootloader.

    U-Boot 4.1.6.0-7 (Build time: Apr 18 2012 – 22:20:45)
    BIST check passed.
    PEREGRINE board revision major:2, minor:1, serial #: 0006C112377
    OCTEON CN5220-CP pass 2.0, Core clock: 500 MHz, DDR clock: 265 MHz (530 Mhz data rate)
    DRAM: 1024 MB
    Clearing DRAM…….. done
    Using default environment

    Flash: 32 MB
    PCIe: Port 0 link active, 1 lanes
    Net: octeth0, octeth1, octeth2, octeth3
    Bus 0 (CF Card): not available

    ata0: SATA max UDMA/133: lba 48 mode
    Model: WDC WD2503ABYX-01WERA1 Firm: 01.01S02 Ser#: WD-WMAYP4400518
    Type: Hard Disk
    Supports 48-bit addressing
    Capacity: 239429.0 MB = 233.8 GB (490350672 x 512)

    USB: (port 1) No USB devices found.

    Autoboot to default partition in 5 seconds.
    Enter ‘maint’ to boot to maint partition.

    Allocating memory for ELF segment: addr: 0xffffffff81100000 (adjusted to: 0x1100000), size 0x984d80
    ## Loading Linux kernel with entry point: 0xffffffff81105cd0 …
    Bootloader: Done loading app on coremask: 0x3
    Linux version 2.6.32.13-mp-4.1.6.0.7 (build@cobalt.paloaltonetworks.local) (gcc version 4.3.3 (Cavium Networks Version: 2_0_0 build 99) ) #2 SMP Wed Apr 18 23:09:37 PDT 2012
    CVMSEG size: 2 cache lines (256 bytes)
    Cavium Networks SDK-2.0
    bootconsole [early0] enabled
    CPU revision is: 000d0708 (Cavium Octeon+)
    Checking for the multiply/shift bug… no.
    Checking for the daddiu bug… no.
    Determined physical RAM map:
    memory: 0000000000046000 @ 00000000019da000 (usable after init)
    memory: 0000000006400000 @ 0000000001b00000 (usable)
    memory: 0000000007c00000 @ 0000000008200000 (usable)
    memory: 0000000020000000 @ 0000000020000000 (usable)
    memory: 000000000fc00000 @ 0000000410000000 (usable)
    INIT: version 2.86 booting

    Welcome to PanOS
    Setting clock (utc): Fri Jul 12 00:47:25 PDT 2013 [ OK ]
    Starting udev: [ OK ]
    Setting hostname 500: [ OK ]
    Checking filesystems:
    Running filesystem check on sysroot0: [ OK ]
    Running filesystem check on pancfg: [ OK ]
    Running filesystem check on panrepo: [ OK ]
    [ OK ]
    Remounting root filesystem in read-write mode: [ OK ]
    Enabling /etc/fstab swaps: [ OK ]
    INIT: Entering runlevel: 3
    Entering non-interactive startup
    Starting Networking: [ OK ]
    Starting system logger: [ OK ]
    Starting kernel logger: [ OK ]
    Starting portmap: [ OK ]
    Starting NFS statd: [ OK ]
    Starting sshd: [ OK ]
    Starting ha-sshd: [ OK ]
    Starting xinetd: [ OK ]
    Starting ntpd: [ OK ]
    Starting NFS services: [ OK ]
    Starting NFS daemon: [ OK ]
    Starting NFS mountd: [ OK ]
    Starting PAN Software: [ OK ]

    500 login: admin

    6) I couldn't get the default password correct several times – don't know why... but finally it worked

    Login incorrect

    login: admin
    Password:
    Login incorrect

    login: Login timed out after 60 seconds

    PA-HDF login: admin
    Password:
    Login incorrect

    login: Login timed out after 60 seconds

    PA-HDF login: admin
    Password:
    Warning: Your device is still configured with the default admin account credentials. Please change your password prior to deployment.

    7) Enter configuration mode

    admin@PA-500> configure
    Entering configuration mode
    [edit]

    8) Set the device's management IP address

    admin@PA-500# set deviceconfig system ip-address 10.2.232.3 netmask 255.255.255.0 default-gateway 10.2.232.1 dns-setting servers primary 10.1.200.3 secondary 10.1.200.5

    [edit]
    admin@PA-500# commit

    ………….55%…75%…98%……….100%
    Configuration committed successfully

    [edit]

    9) Confirm connectivity

    admin@PA-500> ping host 10.2.232.1
    PING 10.2.232.1 (10.2.232.1) 56(84) bytes of data.
    64 bytes from 10.2.232.1: icmp_seq=1 ttl=255 time=0.505 ms
    64 bytes from 10.2.232.1: icmp_seq=2 ttl=255 time=0.465 ms
    64 bytes from 10.2.232.1: icmp_seq=3 ttl=255 time=0.475 ms
    64 bytes from 10.2.232.1: icmp_seq=4 ttl=255 time=0.472 ms
    64 bytes from 10.2.232.1: icmp_seq=5 ttl=255 time=0.470 ms
    64 bytes from 10.2.232.1: icmp_seq=6 ttl=255 time=0.477 ms
    64 bytes from 10.2.232.1: icmp_seq=7 ttl=255 time=0.518 ms
    64 bytes from 10.2.232.1: icmp_seq=8 ttl=255 time=0.458 ms
    ^C
    — 10.2.232.1 ping statistics —
    8 packets transmitted, 8 received, 0% packet loss, time 6995ms
    rtt min/avg/max/mdev = 0.458/0.480/0.518/0.019 ms

    Boot Brocade switch as a Layer 3 device from Secondary flash

    Posted on Updated on


    Confirm that the router image is installed.

    ICX6610-24 Switch#show flash
    Stack unit 1:
    Compressed Pri Code size = 5320842, Version:07.3.00aT7f1 (/foundry/FGS/os/FCXS07300a.bin)
    Compressed Sec Code size = 6803305, Version:07.3.00aT7f3 (/foundry/FGS/os/FCXR07300a.bin)
    Compressed Boot-Monitor Image size = 369491, Version:07.3.01T7f5
    Code Flash Free Space = 52822016

    Configure the switch to reboot from the secondary image.
    ICX6610-24 Switch#boot system flash sec
    secondary From Secondary image flash
    ICX6610-24 Switch#boot system flash secondary
    Are you sure? (enter ‘y’ or ‘n’): y
    Halt and reboot
    Rebooting(2)…
    *
    $
    ICX Boot Code Version 7.3.01 (grz07301)
    Enter ‘a’ to stop at memory test
    Enter ‘b’ to stop at boot monitor
    BOOT INFO: load monitor from boot flash, cksum = b4d2
    BOOT INFO: verify flash files………
    BOOT INFO: load image from secondary copy…

    platform type = 8
    PCIE-1 LTSSM status: 22
    PCIE Switch status: 0
    …………………
    …..
    Starting Main Task …CPSS DxCh Version: cpss3.4 release
    Pre Parsing Config Data …

    Parsing Config Data …

    Copyright (c) 1996-2011 Brocade Communications Systems, Inc.
    UNIT 1: compiled on Dec 02 2011 at 11:46:03 labeled as FCXR07300a
    (6803305 bytes) from Secondary /foundry/FGS/os/FCXR07300a.bin
    SW: Version 07.3.00aT7f3
    Boot-Monitor Image size = 369491, Version:07.3.01T7f5 (grz07301)
    HW: Stackable ICX6610-24
    ==========================================================================
    UNIT 1: SL 1: ICX6610-24 24-port Management Module
    Serial #: BXP2551H0BX
    License: ICX6610_BASE_ROUTER_SOFT_PACKAGE (LID: dzrHKKGjFdz)
    P-ENGINE 0: type E02B, rev 01
    ==========================================================================
    UNIT 1: SL 2: ICX6610-QSFP 10-port 160G Module
    ==========================================================================
    UNIT 1: SL 3: ICX6610-8-port Dual Mode(SFP/SFP+) Module
    ==========================================================================
    800 MHz Power PC processor 8544E (version 0021/0023) 400 MHz bus
    65536 KB flash memory
    512 MB DRAM
    STACKID 1 system uptime is 9 seconds
    The system : started=warm start reloaded=by “reload”

    ……………………
    ICX6610-24 Router>
    Power supply 2 detected.
    Power supply 2 is up.

    ICX6610-24 Router>en
    No password has been assigned yet…
    ICX6610-24 Router#

     

    Note that the hostname has not changed to ICX6610-24 Router

    How to Check SFP connected to Brocade ICX 6610 switch

    Posted on Updated on


    I have two 10Gb SFPs connected to the switch. I needed to confirm that the switch recognises them.

    ICX6610-24 Switch#show media
    1/1/1:C 1/1/2:C 1/1/3:C 1/1/4:C 1/1/5:C 1/1/6:C 1/1/7:C 1/1/8:C 1/1/9:C 1/1/10:C 1/1/11:C 1/1/12:C 1/1/13:C 1/1/14:C 1/1/15:C 1/1/16:C 1/1/17:C 1/1/18:C 1/1/19:C 1/1/20:C 1/1/21:C 1/1/22:C 1/1/23:C 1/1/24:C
    1/2/1:– 1/2/2:– 1/2/3:– 1/2/4:– 1/2/5:– 1/2/6:– 1/2/7:– 1/2/8:– 1/2/9:– 1/2/10:–
    1/3/1:XG-SR 1/3/2:XG-SR 1/3/3:– 1/3/4:– 1/3/5:– 1/3/6:– 1/3/7:– 1/3/8:–

     

    ICX6610-24 Switch#show media ethernet 1/3/1
    Port 1/3/1: Type : 10G XG-SR(SFP +)
    Vendor: FINISAR CORP. Version: A
    Part# : FTLX8571D3BCL Serial#: ANF0KN3
    ICX6610-24 Switch#show media ethernet 1/3/2
    Port 1/3/2: Type : 10G XG-SR(SFP +)
    Vendor: FINISAR CORP. Version: A
    Part# : FTLX8571D3BCL Serial#: ANG04LP