Tuesday, July 31, 2012

Cisco IPS Module (ASA-SSM-10) In ASA: Step By Step Setup/Initial Configuration

Steps I took to install the IPS module in the ASA, up to the point of configuring the IPS module itself.

Unbox the IPS module.
Power down the ASA.
Put the module in the ASA.
Power on the ASA.
When the ASA boots, do a "show module" to make sure the card is recognized.
Put the following settings in the unit:
------------------------
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

login: cisco
Password:
Change the password.
sensor#
sensor#
sensor# config t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.2/24,192.168.1.1
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
sensor# exit
------------------------------
Web browse into HTTPS://192.168.1.2
License the IPS module.
Upgrades:
To upgrade the Engine:
1. Log into IPS module: session 1
2. type config t
3. type upgrade ftp://shane@192.168.1.2/IPS-engine-E4-req-6.2-2.pkg
4. type none
5. sensor reboots

IPS system:
6. log into IPS module
7. type config t
8. type upgrade ftp://shane@192.168.1.2/IPS-K9-6.2-2-E4.pkg
9. type none
10. yes
11. sensor reboots.

Signatures:
12. log into the IPS module
13. config t
14. upgrade ftp://shane@192.168.1.2/IPS-sig-S576-req-E4.pkg
15. type yes

Or, you can do this via the web browser.
NOTE: After the upgrade, you may have to go back and put in the network settings again.  I had to do this before.
sensor# config t
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# host-ip 192.168.1.2/24,192.168.1.1
sensor(config-hos-net)# access-list 192.168.1.0/24
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes?[yes]: yes
sensor(config)# exit
sensor# exit


Make all traffic that traverses the ASA go to the IPS module.  We want it to be inline, not promiscuous.  It's more secure.
asa(config)#access-list traffic_for_ips permit ip any any
asa(config)#class-map ips_class_map
asa(config-cmap)#match access-list traffic_for_ips
asa(config)#policy-map global_policy
asa(config-pmap)#class ips_class_map
asa(config-pmap-c)#ips inline fail-open

Service policy is already in place by default for the 'global_policy'.
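As an added example (not from the original post), here is a small Python audit that reads ASA MPF lines like the ones above and reports, for every 'ips' action, whether the class covers all IP traffic, whether the module is inline or promiscuous, and what fail-open versus fail-close means when the module is down. The second policy-map, class-map and ACL in the sample are hypothetical, added for contrast.

```python
"""Audit ASA Modular Policy Framework (MPF) lines for how traffic reaches the IPS module."""
import re

# Constructed sample: the MPF lines from the post plus a hypothetical second
# policy-map ("outside_policy" / "web_class" / "web_only") added for contrast.
SAMPLE_CONFIG = """\
access-list traffic_for_ips permit ip any any
access-list web_only extended permit tcp any any eq 80
class-map ips_class_map
 match access-list traffic_for_ips
class-map web_class
 match access-list web_only
policy-map global_policy
 class ips_class_map
  ips inline fail-open
policy-map outside_policy
 class web_class
  ips promiscuous fail-close
service-policy global_policy global
"""

MODE_NOTES = {
    "inline": "module sits in the traffic path and can drop packets",
    "promiscuous": "module only sees a copy of the traffic and cannot block it",
}
FAIL_NOTES = {
    "fail-open": "if the module is down, traffic passes uninspected",
    "fail-close": "if the module is down, traffic in this class is dropped",
}


def parse_mpf(config):
    """Return (access_lists, class_maps, policy_maps) from ASA config text.

    access_lists: name -> list of ACE lines
    class_maps:   name -> list of 'match ...' lines
    policy_maps:  name -> {class name -> list of action lines}
    """
    acls, cmaps, pmaps = {}, {}, {}
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            cmap = pmap = pclass = None  # any top-level line closes the current block
            if line.startswith("access-list "):
                acls.setdefault(line.split()[1], []).append(line)
            elif line.startswith("class-map "):
                cmap = line.split()[1]
                cmaps[cmap] = []
            elif line.startswith("policy-map "):
                pmap = line.split()[1]
                pmaps[pmap] = {}
        elif cmap is not None:
            cmaps[cmap].append(line)
        elif pmap is not None and indent == 1 and line.startswith("class "):
            pclass = line.split()[1]
            pmaps[pmap][pclass] = []
        elif pmap is not None and pclass is not None:
            pmaps[pmap][pclass].append(line)
    return acls, cmaps, pmaps


def acl_permits_all_ip(aces):
    """True if any ACE is 'permit ip any any' (with or without the 'extended' keyword)."""
    for ace in aces:
        toks = ace.split()
        if len(toks) > 2 and toks[2] == "extended":
            toks = toks[:2] + toks[3:]
        if toks[2:6] == ["permit", "ip", "any", "any"]:
            return True
    return False


def audit_ips_policy(config):
    """One finding per 'ips ...' action: where it is, its mode, its failure behaviour,
    and whether the class matches all IP traffic (as the post's ACL does)."""
    acls, cmaps, pmaps = parse_mpf(config)
    findings = []
    for pmap, classes in pmaps.items():
        for cname, actions in classes.items():
            for action in actions:
                m = re.fullmatch(r"ips (inline|promiscuous) (fail-open|fail-close)", action)
                if not m:
                    continue
                mode, fail = m.groups()
                acl_names = [l.split()[2] for l in cmaps.get(cname, [])
                             if l.startswith("match access-list ")]
                findings.append({
                    "policy_map": pmap,
                    "class": cname,
                    "mode": mode,
                    "fail": fail,
                    "all_ip_traffic": any(acl_permits_all_ip(acls.get(n, [])) for n in acl_names),
                    "note": f"{MODE_NOTES[mode]}; {FAIL_NOTES[fail]}",
                })
    return findings


if __name__ == "__main__":
    for f in audit_ips_policy(SAMPLE_CONFIG):
        print(f"{f['policy_map']}/{f['class']}: {f['mode']} {f['fail']} "
              f"(all IP traffic: {f['all_ip_traffic']}) -> {f['note']}")
```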

Next, go in and configure more settings in the web browser.

Sunday, July 29, 2012

Personal Brocade OSPF Notes

This is an odd post to anyone reading this.  I'm just putting down some notes I took on some OSPF stuff I just went through with one of my Brocade contacts.  This is really for me to refer back to in the future.  

FES12GCF Router#sho ip ospf neigh

Port        Address         Pri State      Neigh Address   Neigh ID        Ev
v2          172.16.2.2      1   FULL/DR    172.16.2.1      2.2.2.2         6 
FES12GCF Router#sho ip ospfr    interface

v2,OSPF enabled
     IP Address 172.16.2.2, Area 0
     OSPF state BD, Pri 1, Cost 1, Options 2, Type broadcast
     Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
     DR:  Router ID 2.2.2.2           Interface Address 172.16.2.1
     BDR: Router ID 1.1.1.1           Interface Address 172.16.2.2
     Neighbor Count = 1, Adjacent Neighbor Count= 1
     Neighbor:         172.16.2.1
     Authentication-Key:None
     MD5 Authentication: Key None, Key-Id None, Auth-change-wait-time 300

lb1,OSPF enabled
     IP Address 1.1.1.1, Area 0
     OSPF state DR, Pri 1, Cost 0, Options 2, Type broadcast
     Timers(sec): Transit 1, Retrans 5, Hello 10, Dead 40
     DR:  Router ID 1.1.1.1           Interface Address 1.1.1.1
     BDR: Router ID 0.0.0.0           Interface Address 0.0.0.0
     Neighbor Count = 0, Adjacent Neighbor Count= 0
     Authentication-Key:None
     MD5 Authentication: Key None, Key-Id None, Auth-change-wait-time 300
FES12GCF Router#
FES12GCF Router#sh ip ospf database link-state

Index Area ID         Type LS ID           Adv Rtr         Seq(Hex) Age  Cksum
1     0               Rtr  3.3.3.3         3.3.3.3         80000004 499  0x2177
2     0               Rtr  2.2.2.2         2.2.2.2         80000006 494  0xc74c
3     0               Rtr  1.1.1.1         1.1.1.1         80000004 498  0x9027
4     0               Net  172.16.3.2      3.3.3.3         80000002 499  0x2357
5     0               Net  172.16.2.1      2.2.2.2         80000002 499  0x0286

FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
3.3.3.3         255.255.255.255 172.16.2.1      3.3.3.3         v2   2    IR 
172.16.3.0      255.255.255.252 172.16.2.1      3.3.3.3         v2   2    IR 


FES12GCF Router#sh   ip route
Total number of IP routes: 5, avail: 79992 (out of max 80000)
Start index: 1  B:BGP D:Connected  R:RIP  S:Static  O:OSPF *:Candidate default
        Destination     NetMask         Gateway         Port       Cost   Type
1       1.1.1.1         255.255.255.255 0.0.0.0         lb1        1      D  
2       2.2.2.2         255.255.255.255 172.16.2.1      v2         1      O  
3       3.3.3.3         255.255.255.255 172.16.2.1      v2         2      O  
4       172.16.2.0      255.255.255.252 0.0.0.0         v2         1      D  
5       172.16.3.0      255.255.255.252 172.16.2.1      v2         2      O  

FES12GCF Router#traceroute  3.3.3.3
Type Control-c to abort
Tracing the route to IP node 3.3.3.3 from 1 to 30 hops

  1    <1 ms   <1 ms   <1 ms 172.16.2.1 
  2    <1 ms   14 ms   <1 ms 3.3.3.3 

FES12GCF Router#
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
3.3.3.3         255.255.255.255 172.16.2.1      2.2.2.2         v2   2    IA 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   2    IA 
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
3.3.3.3         255.255.255.255 172.16.2.1      2.2.2.2         v2   2    IA 
172.16.3.0      255.255.255.0   172.16.2.1      2.2.2.2         v2   2    IA 


FES12GCF Router#qconfi      config t
FES12GCF Router(config)#int loo 1
FES12GCF Router(config-lbif-1)#no ip ospf ara ea 0
FES12GCF Router(config-lbif-1)#
FES12GCF Router(config-lbif-1)#
FES12GCF Router(config-lbif-1)#router opf  sfo  pf
FES12GCF Router(config-ospf-router)#redu isc     
FES12GCF Router(config-ospf-router)#res distributr e connected
Invalid input -> redistribute connected
Type ? for a list
FES12GCF Router(config-ospf-router)#red
  redistribution                Enable route redistribution
FES12GCF Router(config-ospf-router)#redistribution conne
  connected   Connected
FES12GCF Router(config-ospf-router)#redistribution connected
FES12GCF Router(config-ospf-router)#exit
FES12GCF Router(config)#exit

FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   2    IA 
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
3.3.3.3         255.255.255.255 172.16.2.1      2.2.2.2         v2   2    IA 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   2    IA 
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
3.3.3.3         255.255.255.255 172.16.2.1      2.2.2.2         v2   2    IA 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   2    IA 
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   10   E2 
FES12GCF Router#sh ip route ospf
Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   10   E2 

Start index: 1  IA:Inter area  IR:Intra area  E1:External type 1  E2:External type 2
Destination     NetMask         Gateway         RouterID        Port Cost Type
2.2.2.2         255.255.255.255 172.16.2.1      2.2.2.2         v2   1    IR 
172.16.3.0      255.255.255.252 172.16.2.1      2.2.2.2         v2   2    IA 
FES12GCF Router#

Note*** 'ip ospf passive' is for interfaces that you do not want to send OSPF traffic out of.  That means an interface going to a downstream switch that does not need OSPF.


Brocade: Basic Config Of OSPF On A Brocade Switch

Here is a very basic config of OSPF in area 0 on a Brocade switch below.  It's just enough to get it up and running.
======= BASIC OSPF CONFIG ON BROCADE SWITCH ==============
!
!
vlan 399 name DEFAULT-VLAN by port
!
vlan 3 by port
 untagged ethe 1
 router-interface ve 3
!
!
!
!
default-vlan-id 399
router ospf
 area 0
!
interface loopback 1
 ip address 1.1.1.1 255.255.255.255
!
interface ve 3
 ip address 172.16.3.2 255.255.255.252
 ip ospf area 0
!
======= END BASIC OSPF CONFIG ON BROCADE SWITCH ==============

Friday, July 27, 2012

Check Point Upgrade Process Via WebUI: Step By Step From R65 To R75.30

Here is the process another engineer and I took to do an upgrade from R65 (which came on the box) to R75.30.  One really good thing I noticed in the procedure below is that when we went from R65 directly to R75 via the WebUI, we did not have to edit the boot file when we went to R75.20.  I talk about editing that boot file in this link if you would like to see that.  That was the only difference from what we had done in the past.  I suspect that Check Point fixed something in their upgrade package that fixed that issue.  Anyway, see below for the step by step procedure we took.

rack unit.
power on.
webUI into 192.168.1.1 on management port.
initialize check point (ip addresses, cluster membership, routes, etc) through webUI.
upgrade direct from r65 to r75 successfully via webUI.  It took about 8 minutes to do.
added static routes in webUI.
broke cluster in check point software on management station.
establish sic in CLI on new firewall.
establish sic in check point software on management station.
detach license in smart update on the new firewall.
reattach license for new firewall. (NOTE: license is the wrong mac address at this point)
upgrade from r75 to r75.10
upgrade from r75.10 to r75.20 (option for safe upgrade is greyed out when going to r75.20).
did NOT have to edit boot file (bug).
upgrade from r75.20 to r75.30 in webUI (option for safe upgrade was available when going to r75.30).
NOTE*** at some point, correct the license.  you may have to do this through the licensing team at CP.
create policy, etc.
push policy.

Thursday, July 26, 2012

Cisco Core Switch: Config For PXE Boot

Here is some config I did some time back on a core Cisco switch for PXE booting.  These are the commands I put in on a 6500:
ip helper-address pxeServerIPAddress
ip helper-address dhcpServerIPAddress
ip dhcp relay information trusted

The only other command you might need, for multicast, is
ip pim dense-mode

On the 6500 Core switch:
!
interface Vlan102
 ip address 172.16.21.1 255.255.255.0
 ip pim sparse-dense-mode  <-----For Multicast Mode
!
interface Vlan103
 ip address 172.16.22.1 255.255.254.0
 ip helper-address 172.16.21.11   <-----DHCP server
 ip helper-address 172.16.20.19  <-----PXE server
 ip pim sparse-dense-mode      <-----For Multicast Mode
 ip igmp query-interval 125

Wednesday, July 25, 2012

Check Point: How To Update The Ethernet Driver On A UTM-1 Firewall


-Copy the 2.6_e1000.ko-7.6.15.5.gz file to a temporary directory on the firewall, perhaps /var/tmp.

-Decompress the file:
gzip -d 2.6_e1000.ko-7.6.15.5.gz

-Change the file name:
mv 2.6_e1000.ko-7.6.15.5 e1000.ko
-Set the file permissions:
chmod 644 e1000.ko

-Rename the original 7.6.12 driver, so it won't be used:
cd /lib/modules/2.6.18-92cp/kernel/drivers/addon/e1000-7.6.12
mv e1000.ko e1000.ko-7.6.12.original

-Copy the file into place
cp /<path_to_new_driver>/e1000.ko /lib/modules/2.6.18-92cp/kernel/drivers/addon/e1000-7.6.12

-Reboot.

-Recheck the driver version has been updated:
ethtool -i eth0

output should look like this:
[Expert@r70patchtest~]# ethtool -i <interface_name>
driver: e1000
version: 7.6.15.5-NAPI
firmware-version: N/A
bus-info: 0000:02:00.0

Monday, July 23, 2012

Cisco Switch: Configuring VTP On A 3506/2940

I learned something about VTP today on a Cisco 3506 (not 3560) switch and a Cisco 2940.  I realized that on these switches, in order to do some VTP config, you have to go into the vlan database to do it, unlike on most other Cisco switches.  Here is a sample of what I had to do.

Cisco_3508(config)#vtp ?
  file  Configure IFS filesystem file where VTP configuration is stored.
Cisco_3508(config)#vtp file ?
  WORD  The ascii name of the IFS filesystem file where VTP configuration is stored.
Cisco_3508(config)#vtp file vtp ?
  <cr>

Cisco_3508#vlan data
Cisco_3508(vlan)#vtp domain swoozy
Changing VTP domain name from NULL to swoozy
Cisco_3508(vlan)#exit
Cisco_3508#

I certainly did not know this.  I was thinking I should be able to go into config mode and do the VTP config.  Like this:

Cisco_2950#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco_2950(config)#vtp domain swoozy
Changing VTP domain name from NULL to swoozy
Cisco_2950(config)#exit
Cisco_2950#


Sunday, July 22, 2012

Skill Set Gains: Working For An IT Services Company Versus A Single Company

Just some thoughts that I have had for some time about working for an IT services company.  I have done both, so I can speak to this for sure.  I have noticed that engineers coming into the company who have never worked for an IT services company before typically see a HIGH jump in their skill set within the first 6 months.  Their skill set usually continues to climb throughout their employment with the IT services company.  This may not be so true for a large IT services company, but for a small to medium sized company like the one I work for, I generally see the skill set curve climb on a continuous basis.  Even now, as I have been with this one company for over 5.5 years, I still see my skill set curve climb.  I see new technologies all the time that build upon my current skill set.  I can recall the days when I worked for a single company that my skill set climbed as the company decided to do things.  Typically speaking though, most companies only did what they 'had' to do, and finances were a big factor in that.  Infrastructure was low on the priority list unless something actually died.  If a server was working great, you might do patches and maybe evaluate security on it.  If the routers and switches were up and running, they were just up.  You might get to evaluate security and QoS or something, but once you did that, you were back to the same ole same ole. 
I specifically remember coming out of a healthcare company after doing a lot of general IT stuff (servers, PCs, network, applications, printers, etc.), but really trying to focus on Cisco.  I thought I knew a lot about Cisco until I got my first IT services job.  I remember thinking to myself early in that job: "Man, I don't know anything".  Time sure flies, and our skills only get better as we go along this IT trek.  Below is a graph of what I believe the skill set differences are in working for a single company versus working for an IT services company.  This does not mean it's 100% true for every company, but I think for the most part it is.


Now, one thought I had.  Don't get me wrong on this.  I know people's skills do get better as they work for a single company.  You learn new things about the company or even about the general realm of the type of business your company works in.  I'm talking about IT skill set.  YOUR IT technical knowledge gains.  Not about IT management.  Not that you learned what DSL was or what a switch does.  I mean actually working with this stuff.

Saturday, July 21, 2012

Cisco Router: Generic 2911 Object-Tracking Example/Sample Config

Here is a generic object tracking config I put together on an install yesterday.  It's not complete, as I have some security stuff to do on it, but you will get the idea for the topic at hand, which is Cisco's object-tracking feature.  I have changed IPs and taken out user IDs, etc. for the obvious reasons.  I have a good post about object-tracking configuration and notes here at this link.  Enjoy.

Cisco2911#sh run
Building configuration...

Current configuration : 4489 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Cisco2911
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
aaa new-model
aaa authentication login default local
aaa session-id common
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name cisco.com
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-XXXXXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXXXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXXXXX
crypto pki certificate chain TP-self-signed-XXXXXXX
 certificate self-signed 01
      quit
license udi pid CISCO2911/K9 sn FTXXXXXXXX
redundancy
ip ssh time-out 60
!
track 10 ip sla 1 reachability
 delay down 2 up 2
!
track 20 ip sla 2 reachability
 delay down 2 up 2
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Internal Network
 ip address 172.16.0.5 255.255.254.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description To ISP DSL
 ip address 30.30.30.194 255.255.255.248
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 no ip unreachables
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 172.16.0.2 track 10
ip route 0.0.0.0 0.0.0.0 30.30.30.193 5 track 20
ip route 4.2.2.2 255.255.255.255 30.30.30.193 permanent
ip route 40.41.42.43 255.255.255.255 172.16.0.2 permanent
!
ip sla 1
 icmp-echo 40.41.42.43 source-ip 172.16.0.5
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-ip 30.30.30.194
 frequency 5
ip sla schedule 2 life forever start-time now
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 104 permit ip any any
!
no cdp run
!
route-map nat permit 10
 match ip address 104
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end
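Added example, not part of the original config: a Python check of the relationship the tracking design above relies on, namely that each tracked default route's IP SLA target is pinned with a permanent host route via the same next hop. It parses the tracking-related lines from the config above and a constructed broken copy with one host route removed.

```python
"""Sanity check for IOS object-tracking failover configs like the one above."""
import re

# Constructed sample: the tracking-related lines from the 2911 config above
# (track objects, routes, IP SLA probes), nothing else.
SAMPLE_CONFIG = """\
track 10 ip sla 1 reachability
 delay down 2 up 2
track 20 ip sla 2 reachability
 delay down 2 up 2
ip route 0.0.0.0 0.0.0.0 172.16.0.2 track 10
ip route 0.0.0.0 0.0.0.0 30.30.30.193 5 track 20
ip route 4.2.2.2 255.255.255.255 30.30.30.193 permanent
ip route 40.41.42.43 255.255.255.255 172.16.0.2 permanent
ip sla 1
 icmp-echo 40.41.42.43 source-ip 172.16.0.5
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 4.2.2.2 source-ip 30.30.30.194
 frequency 5
ip sla schedule 2 life forever start-time now
"""

# Same config with the host route for the second probe target removed (constructed
# failure case): that probe then follows whatever default route is active.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "ip route 4.2.2.2 255.255.255.255 30.30.30.193 permanent\n", "")


def parse_tracking(config):
    """Return (tracks, slas, tracked_routes, host_routes).

    tracks:         track id -> ip sla id
    slas:           sla id -> {'target': ip, 'source': ip or None}
    tracked_routes: [{'dest', 'mask', 'next_hop', 'distance', 'track'}]
    host_routes:    /32 destination -> {'next_hop', 'permanent'}
    """
    tracks, slas, tracked_routes, host_routes = {}, {}, [], {}
    cur_sla = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"track (\d+) ip sla (\d+) reachability", line)
        if m:
            tracks[int(m[1])] = int(m[2])
            continue
        m = re.fullmatch(r"ip sla (\d+)", line)  # 'ip sla schedule ...' does not match
        if m:
            cur_sla = int(m[1])
            continue
        m = re.fullmatch(r"icmp-echo (\S+)(?: source-ip (\S+))?.*", line)
        if m and cur_sla is not None:
            slas[cur_sla] = {"target": m[1], "source": m[2]}
            continue
        toks = line.split()
        if toks[:2] == ["ip", "route"] and len(toks) >= 5:
            dest, mask, next_hop, opts = toks[2], toks[3], toks[4], toks[5:]
            distance = int(opts[0]) if opts and opts[0].isdigit() else 1
            track = int(opts[opts.index("track") + 1]) if "track" in opts else None
            if track is not None:
                tracked_routes.append({"dest": dest, "mask": mask, "next_hop": next_hop,
                                       "distance": distance, "track": track})
            elif mask == "255.255.255.255":
                host_routes[dest] = {"next_hop": next_hop, "permanent": "permanent" in opts}
    return tracks, slas, tracked_routes, host_routes


def check_tracking(config):
    """A tracked route only proves its own path if the probe is pinned to that path:
    the SLA target needs a /32 route via the same gateway, kept 'permanent' so it is
    not withdrawn when the path fails (otherwise the echo would succeed over the backup
    path and the track would flap back up). Returns a list of problems; empty = OK."""
    tracks, slas, tracked_routes, host_routes = parse_tracking(config)
    problems = []
    for r in tracked_routes:
        where = f"route {r['dest']}/{r['mask']} via {r['next_hop']} (track {r['track']})"
        sla = slas.get(tracks.get(r["track"]))
        if sla is None:
            problems.append(f"{where}: no 'track ... ip sla' object or no icmp-echo probe behind it")
            continue
        target = sla["target"]
        host = host_routes.get(target)
        if host is None:
            problems.append(f"{where}: probe target {target} has no /32 route, so the probe "
                            f"is not pinned to this gateway")
        elif host["next_hop"] != r["next_hop"]:
            problems.append(f"{where}: probe target {target} is routed via {host['next_hop']}, "
                            f"not via {r['next_hop']}")
        elif not host["permanent"]:
            problems.append(f"{where}: /32 route for {target} is not 'permanent'")
    return problems


if __name__ == "__main__":
    print("sample:", check_tracking(SAMPLE_CONFIG) or "consistent")
    print("broken:", check_tracking(BROKEN_CONFIG))
```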

Thursday, July 19, 2012

Cisco Switch: How To Forward DHCP Requests To A Server On Another Vlan (Network)

I run into this a lot.  If you only have one DHCP server and have devices on multiple VLANs, how do you get traffic to forward to that DHCP server?  DHCP broadcasts do not traverse VLANs unless you 'help' them.  That is where the 'ip helper-address' command comes into play.  See the topology below:

When a computer or an IP phone is on a separate vlan (2 and 3 above), and the DHCP server is in Vlan 1, here is the config you would need to do:

interface vlan 1
ip address 10.10.1.1 255.255.255.0

interface vlan 2
ip address 10.10.2.1 255.255.255.0 
ip helper-address 10.10.1.2   <---- IP of the DHCP server

interface vlan 3
ip address 10.10.3.1 255.255.255.0 
ip helper-address 10.10.1.2   <---- IP of the DHCP server

The 'ip helper-address' command forwards the request over to the DHCP server.  Since the packet comes from the interface of VLAN 2 for the computer (VLAN 3 for the IP phone), the DHCP server matches the IP address of that VLAN interface with a scope programmed in the DHCP server.  The server responds appropriately, and the switch hands the fulfilled request back to the device that broadcast the request.  Simple as that.
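As an added illustration (not from the original post), this Python model shows what the switch does to the DHCP DISCOVER on an SVI that has 'ip helper-address' and how the server uses the result (the giaddr field) to pick a scope. The scopes and client MAC are constructed; the header layout follows RFC 2131.

```python
"""Model of what 'ip helper-address' does to a DHCP DISCOVER and how the server
uses the result (the giaddr field) to pick a scope."""
import ipaddress
import struct

# Constructed scopes for the three SVIs in the post; the server itself (10.10.1.2)
# sits in VLAN 1. Value = first address the server would offer from that scope.
SCOPES = {
    "10.10.1.0/24": "10.10.1.100",
    "10.10.2.0/24": "10.10.2.100",
    "10.10.3.0/24": "10.10.3.100",
}

# RFC 2131 fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16). giaddr starts at byte 24.
GIADDR_OFFSET = 24


def build_discover(chaddr, xid=0x3903F326):
    """DHCPDISCOVER header as the client broadcasts it: giaddr is all zeros."""
    zero = b"\x00" * 4
    head = struct.pack("!BBBBIHH", 1, 1, len(chaddr), 0, xid, 0, 0x8000)  # flags: broadcast
    return head + zero + zero + zero + zero + chaddr.ljust(16, b"\x00")


def relay(packet, svi_address):
    """Relay agent behaviour on the SVI that has 'ip helper-address': if giaddr is
    zero, set it to the SVI's own address and increment hops. The packet is then
    sent as unicast to the helper address (DHCP options are left untouched here)."""
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == b"\x00" * 4:
        giaddr = ipaddress.IPv4Address(svi_address).packed
    hops = bytes([packet[3] + 1])
    return packet[:3] + hops + packet[4:GIADDR_OFFSET] + giaddr + packet[GIADDR_OFFSET + 4:]


def select_scope(packet, server_subnet):
    """Server side: giaddr == 0 means the client is on the server's own subnet;
    otherwise the scope containing giaddr is used. None = no matching scope, which
    is the usual cause of 'clients on VLAN X never get a lease'."""
    giaddr = ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if int(giaddr) == 0:
        return server_subnet if server_subnet in SCOPES else None
    for subnet in SCOPES:
        if giaddr in ipaddress.ip_network(subnet):
            return subnet
    return None


def lease_for(chaddr, svi_address=None, server_subnet="10.10.1.0/24"):
    """End to end: client broadcast -> (optional) relay -> server scope choice.
    Returns (scope, offered address) or (None, None)."""
    pkt = build_discover(chaddr)
    if svi_address is not None:
        pkt = relay(pkt, svi_address)
    scope = select_scope(pkt, server_subnet)
    return scope, (SCOPES[scope] if scope else None)


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")  # constructed client MAC
    print("computer on VLAN 2:", lease_for(mac, "10.10.2.1"))
    print("phone on VLAN 3:   ", lease_for(mac, "10.10.3.1"))
    print("host on VLAN 1:    ", lease_for(mac))
    print("SVI with no scope: ", lease_for(mac, "10.10.9.1"))
```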

Wednesday, July 18, 2012

'The Entertainer'

There is a song by Billy Joel called 'The Entertainer'.  Every time I hear that song, it makes me think of the IT services business.  There are several things in that song that make me think that, but in particular, these verses below stand out.  If you are in IT services, see if it hits home to you:

But if I go cold,
I won't get sold.
I'll get put in the back
In the discount rack,
Like another can of beans.


Funny that the life of the IT guy in the services business seems to be just like that.

Sunday, July 15, 2012

How To Upgrade The Ethernet Driver On A Check Point UTM-1: Step By Step

Do a full backup of your current system before installation, a snapshot is recommended.

To install the kernel RPM with fixed driver, run the following commands:
# rpm -Uvh --force ilsiebel01_7608_5360_0_kernel-2.6.18-92cp_979006001.i686.rpm
# reboot

To verify that the new kernel was installed, run the following command
# rpm -qa | grep kernel-
You should see the same build number that appears in the name of the new kernel RPM.

To verify that the new driver was loaded, run the following command:
# ethtool -i IF_NAME
You should see:
driver: e1000
version: 7.6.15.5-NAPI

Magic Mac Address: What To Do When You Have Multiple Check Point Clusters On The Same Subnet OR In Parallel With Each Other

(NOTE*** Please read through this whole posting. This isn't one of those posts where you can just go to the config and get the answer right away.  Thanks.)  Also, this was a two man team effort.  Thanks Chris.
See the below topology.  Because the clusters by default have the same MAC address for the virtual IP address, and because the two clusters are in parallel with each other, you have to change one of the cluster MAC addresses so that they are not the same.  If you do not, then the upstream router will wig out and cause you all kinds of instability issues.  Think about how ARP works, then think about if you had two MAC addresses that were the same on the network.  You can see that that's a big no no. 
[Expert@CPfirewall1]# cphaconf set_ccp broadcast       <---- You can change this mode, but multicast is the default and recommended.
[Expert@CPfirewall1]# cphaconf set_ccp multicast      <---- Multicast is the default; you want this one.
[Expert@CPfirewall1]# fw ctl set int fwha_mac_magic 251   <---- (251 in decimal is FB in hex)(CCP traffic)
[Expert@CPfirewall1]# fw ctl set int fwha_mac_forward_magic 250  <---- (250 in decimal is FA in hex)(Forwarding Layer traffic)
[Expert@CPfirewall1]# fw ctl get int fwha_mac_magic      <---- This command tells you what the value is currently set to for "fw ctl set int fwha_mac_magic"
fwha_mac_magic = 251                     <---- (251 in decimal is FB in hex)(CCP traffic)
[Expert@CPfirewall1]# fw ctl get int fwha_mac_forward_magic    <---- This command tells you what the value is currently set to for "fw ctl set int fwha_mac_forward_magic"
fwha_mac_forward_magic = 250      <---- (250 in decimal is FA in hex)(Forwarding Layer traffic)
[Expert@CPfirewall1]#

The defaults for the cluster MAC address are as follows:
For CCP traffic: "fwha_mac_magic=0xfe" OR "fw ctl set int fwha_mac_magic 254"
For Forwarding Layer traffic: "fwha_mac_forward_magic=0xfd" OR "fw ctl set int fwha_mac_forward_magic 253"
Now, one question I have had is this: are the above commands the same?  Meaning, do "fwha_mac_magic=0xfe" and "fw ctl set int fwha_mac_magic 254" mean the same thing?  It does appear that they are. 

So I think I can conclude that these two are the same as well: "fwha_mac_forward_magic=0xfd" and "fw ctl set int fwha_mac_forward_magic 253".
So from what I can find, the two forms in each pair should be the same.  Especially after what we read next.
-------------
(addition...)
So I contacted Check Point TAC to verify that the two sets of commands above were actually the same.  This is what they responded back to me with via email:
(email...)
The valid kernel parameters to change the magic Mac are:

fwha_mac_magic 
fwha_mac_forward_magic

And the procedure should be:
On each of the Cluster Modules
1. cd $FWDIR/boot/modules
2. create the fwkern.conf file by: # vi fwkern.conf
3. Add the required parameters and values as given below:
fwha_mac_magic = 250
fwha_mac_forward_magic = 251
4. Save the fwkern.conf
5. Verify the fwkern.conf is correctly configured by: # more fwkern.conf
6. Reboot the Module
7. Verify the new mac magic setups correctly configured by:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Module status by:
# cphaprob stat
** the 250/251 should be the SAME on both cluster members, but should be DIFFERENT for each different cluster **
We do not recognize the second parameter, if you think it is relevant please let me know where you took it from.
(END email...)
 
Ok, to me, this TAC answer seems different than what the Check Point sk36913 says.  Below is a cut and paste from that sk...
 
---------------------- (BEGIN of sk36913) ---------------------- 
Cause
The Cluster Control Protocol (CCP) packets that are sent between the members of the same cluster reach the neighbor cluster (connected to the same network) and "confuse" it.
Solution
The "confusion" rises from the fact that CCP packets in Check Point clusters have the same Source MAC address - 00:00:00:00:mac_magic:member_id (where - mac_magic (5th field) designates the type of CCP packet, and member_id (6th field) designates the Member ID).

Refer to any version ClusterXL Administration Guide -> Chapter ClusterXL Advanced Configuration -> Working with VLANS and Clusters -> Connecting Several Clusters on the Same VLAN

The 5th field of Source MAC Address - mac_magic - has to be unique for each cluster.
This is controlled with the following kernel parameters :
fwha_mac_magic
fwha_mac_forward_magic

  • To get the values of these parameters, run: 
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
Note: in this case, the numbers will be shown in Decimal format

Default values on non-VSX : fwha_mac_magic = 254 , fwha_mac_forward_magic = 253
Default values on VSX : fwha_mac_magic = 246 , fwha_mac_forward_magic = 245

  • To set the values of these parameters on-the-fly
# fw ctl set int fwha_mac_magic YY
# fw ctl set int fwha_mac_forward_magic ZZ

Note: YY and ZZ have to be given in Decimal format
Example :
# fw ctl set int fwha_mac_magic 57
# fw ctl set int fwha_mac_forward_magic 56


  • To set the values of these parameters permanently, refer to sk26202 (I reference this below)
Note: the YY and ZZ should be set in Decimal format; if the values are not accepted after reboot, then set them in Hexadecimal format (like 0xYY and 0xZZ)
---------------------- (END of sk36913) ----------------------

OK, to make matters a little more confusing, here is another sk about this same issue.  It's sk25977.  See below the cut and paste for that sk.  By the way, didn't that TAC engineer say in their email to me that they didn't recognize the commands in sk36913 (above)???

---------------------- (BEGIN of sk25977) --------------------
Cause
The Cluster Control Protocol (CCP) packets that are sent between the members of the same cluster reach the neighbor cluster (connected to the same network) and "confuse" it

Solution
It is not recommended to connect interfaces of multiple clusters to the same network segment (same VLAN, same switch). A separate VLAN and/or switch is recommended for each cluster. A crossover link may be used for the sync (secured) interfaces.

If there is a need to connect the interfaces (secured or non-secured) of multiple clusters to the same network segment, you need to make changes to:
  • The "Source MAC address" of the Cluster Control Protocol, to enable communication between cluster members.
    (For all ClusterXL modes, both High Availability and Load Sharing).

  • The "Destination MAC address", to enable communication between the cluster and machines outside the cluster.
    (For ClusterXL Load Sharing Multicast Mode clusters only).



Steps to change Source MAC Addresses:
(For all ClusterXL modes, both High Availability and Load Sharing)

How the Source Cluster MAC Address is assigned:
Cluster members communicate with each other using the Cluster Control Protocol (CCP). CCP packets are distinguished from ordinary network traffic by giving CCP packets a unique Source MAC address.
  • The first four bytes of the source MAC address are all zero: 00:00:00:00
  • The 5th byte of the source MAC address is a 'magic number'. Its value indicates its purpose. The default value is:
       CCP traffic - 0xFE on ClusterXL , 0xF6 on VSX cluster
       Forwarding Layer traffic - 0xFD , 0xF5 on VSX cluster
  • The 6th byte is the ID of the sending cluster member.
PROBLEM OVERVIEW (Duplicate Source Cluster MAC Addresses):
When more than one cluster is connected to the same VLAN, if CCP and forwarding layer traffic uses multicast, this traffic reaches only the intended cluster.
If CCP and forwarding layer traffic (and in certain other cases) use broadcast, cluster traffic intended for one cluster is seen by all connected clusters, and is processed by the wrong cluster, which causes communication problems.

SOLUTION:
To ensure that the source MAC address in packets coming from different clusters that are connected to the same VLAN can be distinguished, change the source MAC address of the cluster interface that is connected to the VLAN in all but one of the clusters. Configure the following security gateway parameters to set more than one cluster on the same VLAN (these parameters apply to both ClusterXL and OPSEC certified clustering products. Note that CCP traffic is transmitted only through the Sync interface of OPSEC certified clustering products:

Module parameters with default values of 5th byte:
fwha_mac_magic=0xfe (CCP traffic)
fwha_mac_forward_magic=0xfd (Forwarding Layer traffic)

These parameters apply to both ClusterXL and OPSEC certified clustering products. Changing the values of these module configuration parameters alters the fifth part of the source MAC address of Cluster Control Protocol and forwarded packets. Use any value as long as the two module configuration parameters are different. To avoid confusion, do not use the value 0x00 or 0xFF.

For example you may want to configure these parameters as the following:
fwha_mac_magic=0xfb
fwha_mac_forward_magic=0xfa


Note:
When Performance Pack is used to enhance the performance of ClusterXL Load Sharing Multicast Mode, it is recommended that the chosen numbers be consecutive, with the lower one being even (e.g., 0x10 and 0x11, or 0xBE and 0xBF, in the example above 'a' and 'b').

PROCEDURE (configuration surviving reboot per sk26202):
To be performed on each cluster member that is connected to the same network segment.
Very important: when editing multiple clusters, please make sure that the values are different between clusters (the values should be the same for the 2 members of one cluster), for example 'fe' and 'fd' for the members of one cluster, while a different cluster would use, e.g., 'ba' and 'bb'.



Steps to change Destination Multicast MAC Addresses:
(For ClusterXL Load Sharing Multicast Mode clusters only)

PROCEDURE (For user-defined multicast MAC address):
  1. In the ClusterXL page of the cluster object, select Load Sharing Multicast Mode. In the 'Topology' tab, edit the cluster interface that is connected to same network segment as other cluster(s).
  2. In the 'Interface Properties' window - 'General' tab - click 'Advanced'.
  3. Change the default MAC address, and carefully type the new user-defined MAC address. It must be of the form 01:00:5e:xy:yy:yy, where X is between 0 and 7, and Y is between 0 and F (Hex).
  4. Click 'OK'.
  5. Install the Security Policy onto the cluster.

---------------------- (END of sk25977) --------------------

OK, FINAL CONCLUSION:  I sent an email to a couple of technical engineers at Check Point that I know.  I point-blank asked them which one is accurate.  One engineer said this, among other things: "I think what the TAC sent you in the included email is probably as good as anything to follow since it includes the method for making it a permanent change." 
 
I trust the engineer enough to go with what he says. 
 
Now, just one more confusing note in case you see it.  In sk26202, it says the following to make the change permanent.  It was referenced in sk36913 (above).  I tried this below; it didn't work for me.
------------------(BEGIN sk26202)-------------- 
Solution
Global kernel parameters exist to control (customize) the behavior of Security Gateway (kernel parameters are located in $FWDIR/boot/modules/fw*mod* kernel modules).
This control (customization) can be done on-the-fly using the fw ctl set int command (change takes effect immediately). However, the value of the kernel parameter returns to its default value after a reboot. At times, it may be required to control (customize) the behavior of Security Gateway permanently. In addition, it is necessary for some kernel parameters to be changed upon boot.
  1. Setting kernel global parameters on-the-fly is the same on all OS's using the fw ctl set int command.
    Warning: applies to Security Gateways ONLY.
    Note: Verify the existence of the kernel parameter first using fw ctl get int command.
    Example:   fw ctl set int fwseqvalid_exact_syn_on_rst 2
  2. Setting kernel global parameters permanently is unique for some OS's.
    Warning: applies to Security Gateways ONLY.
    Note: Verify the existence of the kernel parameter first using fw ctl get int command.
    Example:   fw ctl get int fwseqvalid_exact_syn_on_rst
Note: For SecureXL global kernel parameters (located in $PPKDIR/boot/modules/sim*mod* kernel modules) refer to sk43387.
------------------(END sk26202)--------------
 
***SOLUTION UPDATE:  I did what the TAC engineer said to do in the email above, with the exception of one thing.  I put in the HEX number instead of the DECIMAL number.  What I did worked, and it now shows up correctly in the ARP table of my Cisco switch.  Below, the fb entries are what I changed on my second cluster; the fe entries are the default original cluster. 
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    0000.0000.fe00    DYNAMIC     Gi1/0/13    (default - original cluster)
   2    0000.0000.fe01    DYNAMIC     Gi1/0/14    (default - original cluster)
   1    0000.0000.fb00    DYNAMIC     Gi1/0/8     (changed - second cluster)
   1    0000.0000.fb01    DYNAMIC     Gi1/0/7     (changed - second cluster)
 
Now, when I hook this up and verify everything is all as it should be, I see the following on the Cisco switch:
Switch#sh mac-address-table dyn
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports        ***NOTES***
----    -----------       --------    -----
   2    0000.0000.fe00    DYNAMIC     Gi1/0/13    (Sync - Cluster#1 Device#1 Virtual MAC)
   2    0000.0000.fe01    DYNAMIC     Gi1/0/14    (Sync - Cluster#1 Device#2 Virtual MAC)
   2    0091.5yh8.9e4b    DYNAMIC     Gi1/0/14    (Sync - Cluster#1 Device#2 Real MAC)
   2    0091.5yh8.a19b    DYNAMIC     Gi1/0/13    (Sync - Cluster#1 Device#1 Real MAC)
   1    0000.0000.fb00    DYNAMIC     Gi1/0/8      (Public - Cluster#2 Device#1 Virtual MAC)
   1    0000.0000.fb01    DYNAMIC     Gi1/0/7      (Public - Cluster#2 Device#2 Virtual MAC)
   1    0000.0000.fe00    DYNAMIC     Gi1/0/23    (Public - Cluster#1 Device#1 Virtual MAC)
   1    0000.0000.fe01    DYNAMIC     Gi1/0/24    (Public - Cluster#1 Device#2 Virtual MAC)
   1    002a.6r4t.104d    DYNAMIC     Gi1/0/7      (Public - Cluster#2 Device#2 Real MAC)
   1    002a.6r4t.10c5    DYNAMIC     Gi1/0/8      (Public - Cluster#2 Device#1 Real MAC)
   1    0091.5yh8.a194    DYNAMIC     Gi1/0/23   (Public - Cluster#1 Device#1 Real MAC)
   3    0000.0000.fa00    DYNAMIC     Gi1/0/15   (Sync - Cluster#2 Device#1 Virtual MAC for CCP Traffic)
   3    0000.0000.fb00    DYNAMIC     Gi1/0/16   (Sync - Cluster#2 Device#2 Virtual MAC)
   3    0000.0000.fb01    DYNAMIC     Gi1/0/15   (Sync - Cluster#2 Device#1 Virtual MAC)
   3    001c.6r4t.08ae    DYNAMIC     Gi1/0/16   (Sync - Cluster#2 Device#2 Real MAC)
   3    001c.6r4t.0932    DYNAMIC     Gi1/0/15   (Sync - Cluster#2 Device#1 Real MAC) 
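
The switch table above is the check that matters: per sk25977 a cluster source MAC is 00:00:00:00:<magic>:<member>, so two clusters on one VLAN must not share a 5th byte. Below is an added example (my code, not Check Point's tooling and not part of the original post) that parses Cisco "show mac address-table dynamic" output, decodes the magic and member bytes, and, given a port-to-cluster map that you supply, reports every (VLAN, magic) pair used by more than one cluster. The sample table, the port map and the cluster names are constructed; VLAN 20 in the sample shows the mistake the post describes, two clusters both left at 0xfe.

```python
"""Decode Check Point cluster virtual MACs from a Cisco MAC table and flag
magic-byte collisions between clusters that share a VLAN.
Added example: not Check Point's tooling, not the post's own code."""
import re
from collections import defaultdict

# Per sk25977: bytes 1-4 zero, byte 5 = magic number, byte 6 = member ID.
DEFAULT_MAGIC = {
    0xFE: "CCP (ClusterXL default)",
    0xFD: "Forwarding Layer (ClusterXL default)",
    0xF6: "CCP (VSX default)",
    0xF5: "Forwarding Layer (VSX default)",
}

# Cisco 'show mac address-table dynamic' row: vlan, dotted MAC, type, port.
CISCO_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

# Constructed sample table (not the post's output). Cluster 1 keeps the
# 0xfe default and cluster 2 was changed to 0xfb on VLAN 1; on VLAN 20 two
# clusters were both left at 0xfe, which is the mistake this script catches.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0000.fe00    DYNAMIC     Gi1/0/23
   1    0000.0000.fe01    DYNAMIC     Gi1/0/24
   1    0000.0000.fb00    DYNAMIC     Gi1/0/8
   1    0000.0000.fb01    DYNAMIC     Gi1/0/7
   1    0091.5ab8.a194    DYNAMIC     Gi1/0/23
  20    0000.0000.fe00    DYNAMIC     Gi1/0/3
  20    0000.0000.fe01    DYNAMIC     Gi1/0/5
"""

# Which switch port faces which cluster is the one fact the switch cannot
# tell you; this map is a constructed assumption.
PORT_TO_CLUSTER = {
    "Gi1/0/23": "cluster1", "Gi1/0/24": "cluster1",
    "Gi1/0/7": "cluster2", "Gi1/0/8": "cluster2",
    "Gi1/0/3": "clusterA", "Gi1/0/5": "clusterB",
}


def parse_mac_table(text):
    """Yield (vlan, 6 raw MAC bytes, port) for every row of the table."""
    for line in text.splitlines():
        m = CISCO_ROW.match(line)
        if m:
            vlan, dotted, port = m.groups()
            yield int(vlan), bytes.fromhex(dotted.replace(".", "")), port


def cluster_macs(text):
    """Keep only cluster virtual MACs, decoded into magic and member ID."""
    found = []
    for vlan, mac, port in parse_mac_table(text):
        if mac[:4] != b"\x00\x00\x00\x00":
            continue  # a real NIC address, not a cluster virtual MAC
        found.append({"vlan": vlan, "port": port,
                      "magic": mac[4], "member": mac[5]})
    return found


def describe_magic(magic):
    return DEFAULT_MAGIC.get(magic, "custom value 0x%02x" % magic)


def find_collisions(text, port_to_cluster):
    """Return [(vlan, magic, [clusters...])] for every magic byte that more
    than one cluster uses on the same VLAN. A live collision shows on the
    switch as the MAC flapping between ports, so one snapshot only ever
    shows one port per MAC; the port map is what makes the check possible."""
    users = defaultdict(set)
    for e in cluster_macs(text):
        cluster = port_to_cluster.get(e["port"])
        if cluster is not None:
            users[(e["vlan"], e["magic"])].add(cluster)
    return sorted((vlan, magic, sorted(c))
                  for (vlan, magic), c in users.items() if len(c) > 1)


if __name__ == "__main__":
    for e in cluster_macs(SAMPLE_TABLE):
        print("vlan %-3d %-9s member %d  %s" % (
            e["vlan"], e["port"], e["member"], describe_magic(e["magic"])))
    for vlan, magic, clusters in find_collisions(SAMPLE_TABLE, PORT_TO_CLUSTER):
        print("COLLISION: VLAN %d magic 0x%02x used by %s" % (
            vlan, magic, ", ".join(clusters)))
```

Paste the real "show mac address-table dynamic" output in place of SAMPLE_TABLE and fill PORT_TO_CLUSTER from your patching records; anything other than an empty collision list means one of the clusters on that VLAN still needs its fwha_mac_magic / fwha_mac_forward_magic changed.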
 

Wednesday, July 11, 2012

Brocade ICX 6430-24: An Initial Configuration To Get Started

When I'm doing a lot of switches, I usually like to put it all in Notepad and get it ready for cutting and pasting into all the switches.  That way, I can do all the work up front in Notepad, and very little changes (except hostnames and IP addresses) when pasting it all in.  I can get 10 switches done in a matter of minutes, that is with them already powered up and ready.  Below is a cut and paste of a generic config I did for many switches.  This is exactly what I pasted in, minus a few VLANs.  I cut those down to make this post shorter.

ICX6430-24 Switch>
ICX6430-24 Switch>en
No password has been assigned yet...
ICX6430-24 Switch#config t
ICX6430-24 Switch(config)#default-vlan-id 499
ICX6430-24 Switch(config)#vlan 1
ICX6430-24 Switch(config-vlan-1)# tagged ethe 1/2/1 to 1/2/4
Added tagged port(s) ethe 1/2/1 to 1/2/4 to port-vlan 1.
ICX6430-24 Switch(config-vlan-1)#tagged ethe 1/1/24
Added tagged port(s) ethe 1/1/24 to port-vlan 1.
ICX6430-24 Switch(config-vlan-1)#vlan 2
ICX6430-24 Switch(config-vlan-2)#  tagged ethe 1/2/1 to 1/2/4
Added tagged port(s) ethe 1/2/1 to 1/2/4 to port-vlan 2.
ICX6430-24 Switch(config-vlan-2)#tagged ethe 1/1/24
Added tagged port(s) ethe 1/1/24 to port-vlan 2.
ICX6430-24 Switch(config-vlan-2)#vlan 3
ICX6430-24 Switch(config-vlan-3)#  tagged ethe 1/2/1 to 1/2/4
Added tagged port(s) ethe 1/2/1 to 1/2/4 to port-vlan 3.
ICX6430-24 Switch(config-vlan-3)#tagged ethe 1/1/24
Added tagged port(s) ethe 1/1/24 to port-vlan 3.
ICX6430-24 Switch(config-vlan-3)#management-vlan
ICX6430-24 Switch(config-vlan-3)# default-gateway  172.16.3.1 1
ICX6430-24 Switch(config-vlan-3)#exit
ICX6430-24 Switch(config)#int eth 1/2/1 to 1/2/4
ICX6430-24 Switch(config-mif-1/2/1-1/2/4)#port-name *** Uplinks ***
ICX6430-24 Switch(config-mif-1/2/1-1/2/4)#dual-mode 1
ICX6430-24 Switch(config-mif-1/2/1-1/2/4)#int eth 1/1/24
ICX6430-24 Switch(config-if-e1000-1/1/24)#port-name *** To Access Point ***
ICX6430-24 Switch(config-if-e1000-1/1/24)#dual-mode 1
ICX6430-24 Switch(config-if-e1000-1/1/24)#exit
ICX6430-24 Switch(config)#hostname Switch9
Switch9(config)#ip address 172.16.3.23 255.255.255.0
Switch9(config)#cdp run
Switch9(config)#fdp run
Switch9(config)#snmp-server community xxxxx rw
Switch9(config)#enable telnet pass xxxxx
Switch9(config)#wr mem
Write startup-config done.
Switch9(config)#exit
Flash Memory Write (8192 bytes per dot) .
Flash to Flash Done.
Switch9#
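
As an added example (my code, not Brocade's and not part of the original post), here is the Notepad approach as a small generator: one template, a list of (hostname, IP) pairs, and the checks that catch the usual paste mistakes before they reach a switch: an address outside the management VLAN, the gateway/network/broadcast address, or the same address handed to two switches. The management VLAN 172.16.3.0/24 and gateway 172.16.3.1 come from the config above; the switch names and addresses in the usage are constructed. The SNMP community and telnet password are left out of the template on purpose, so they are set per site rather than living in a file that gets pasted around.

```python
"""Generate per-switch configs from one template, the way the post pastes the
same text into ten switches with only the hostname and IP changed.
Added example, not Brocade's or the post's own code."""
import ipaddress

# Management VLAN and gateway taken from the config above.
MGMT_NET = ipaddress.ip_network("172.16.3.0/24")
GATEWAY = ipaddress.ip_address("172.16.3.1")

# SNMP community and telnet password deliberately absent: set those per site
# (SNMPv3 and SSH where the platform allows) instead of in a shared template.
TEMPLATE = """\
config t
default-vlan-id 499
vlan 1
 tagged ethe 1/2/1 to 1/2/4
 tagged ethe 1/1/24
vlan 2
 tagged ethe 1/2/1 to 1/2/4
 tagged ethe 1/1/24
vlan 3
 tagged ethe 1/2/1 to 1/2/4
 tagged ethe 1/1/24
 management-vlan
 default-gateway {gateway} 1
exit
int eth 1/2/1 to 1/2/4
 port-name *** Uplinks ***
 dual-mode 1
int eth 1/1/24
 port-name *** To Access Point ***
 dual-mode 1
exit
hostname {hostname}
ip address {ip} {mask}
cdp run
fdp run
wr mem
exit
"""


def render(hostname, ip, mgmt_net=MGMT_NET, gateway=GATEWAY):
    """Render one switch config after checking the address is usable."""
    addr = ipaddress.ip_address(ip)
    if addr not in mgmt_net:
        raise ValueError("%s is outside the management VLAN %s" % (addr, mgmt_net))
    if addr in (gateway, mgmt_net.network_address, mgmt_net.broadcast_address):
        raise ValueError("%s is the gateway, network or broadcast address" % addr)
    if not hostname or " " in hostname:
        raise ValueError("bad hostname %r" % hostname)
    return TEMPLATE.format(hostname=hostname, ip=addr,
                           mask=mgmt_net.netmask, gateway=gateway)


def render_all(switches):
    """Render a batch of (hostname, ip) pairs, refusing duplicates."""
    configs, seen = {}, set()
    for hostname, ip in switches:
        addr = ipaddress.ip_address(ip)
        if hostname in configs:
            raise ValueError("duplicate hostname %s" % hostname)
        if addr in seen:
            raise ValueError("duplicate address %s" % addr)
        seen.add(addr)
        configs[hostname] = render(hostname, ip)
    return configs


if __name__ == "__main__":
    # Constructed switch list; one config per switch, ready to paste.
    batch = render_all([("Switch9", "172.16.3.23"), ("Switch10", "172.16.3.24")])
    for name, cfg in batch.items():
        print("=== %s ===" % name)
        print(cfg)
```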

Tuesday, July 10, 2012

Fiber Connections: Patch Cable From One GBIC To Another

I thought I would post this simply because it can be easy to get this mixed up.  I have had fiber patch cables that were crossed incorrectly (from the manufacturer), etc., to the point where I just thought I'd post a picture of what it's supposed to look like.  See below.  TX and RX are crossed over at the other end.  Notice in the picture below the orange cable.  Notice how on the top GBIC, the orange cable is on the left side.  Now look at the bottom GBIC.  It's on the right side of the GBIC.  They cross these over so that TX goes to RX and RX goes to TX.

Monday, July 9, 2012

Check Point VPN Troubleshooting: Updating The LIBSW Files On The Head End Firewall When You Have An Edge Device Connected Via VPN

Well, here it is again.  Check Point never ceases to amaze me really.  I have the topology below.  It turns out that IF your code on the Edge device is higher than the version of the libsw files on your UTM-1 270 (or any head end Check Point), then it looks like you are going to have to 'upgrade' your libsw files.  Not a big deal really, but a real pain to remember.  I ran into VPN problems and could not get any traffic across the VPN.  Phase I and Phase II would come up without issue though.  I actually remember this from a few years ago, and had the same problems.
Anyway, if you know your code is higher on the Edge device than on your Check Point head end firewall, you need to go through this process.  Here are the commands I had to do (I found them in an sk on the Check Point site somewhere):

1.  mv   /opt/CPEdgecmp-R75.20/libsw   /opt/CPEdgecmp-R75.20/libsw_BKP
2.  mv   /home/admin/libsw8250.tar   /opt/CPEdgecmp-R75.20/
3.  tar xvf   /opt/CPEdgecmp-R75.20/libsw8250.tar
4.  mv   /opt/CPEdgecmp-R75.20/libsw8.2.50   /opt/CPEdgecmp-R75.20/libsw
5.  dos2unix   /opt/CPEdgecmp-R75.20/libsw/*

Let's go through the process, exactly as I did it.
[Expert@CPfirewall]#
[Expert@CPfirewall]#
[Expert@CPfirewall]# cd /home/admin
[Expert@CPfirewall]# tftp
tftp> connect 192.168.15.11
tftp> get libsw8250.tar
Received 512000 bytes in 0.6 seconds
tftp> quit
[Expert@CPfirewall]# pwd
/home/admin
[Expert@CPfirewall]# ls
libsw8250.tar
[Expert@CPfirewall]# mv   /opt/CPEdgecmp-R75.20/libsw   /opt/CPEdgecmp-R75.20/libsw_BKP
[Expert@CPfirewall]# mv   /home/admin/libsw8250.tar   /opt/CPEdgecmp-R75.20/
[Expert@CPfirewall]# tar xvf   /opt/CPEdgecmp-R75.20/libsw8250.tar
libsw8.2.50/
libsw8.2.50/auth.def
libsw8.2.50/base.def
libsw8.2.50/clcrypt.def
libsw8.2.50/code.def
libsw8.2.50/cp_algs.def
libsw8.2.50/crypt.def
libsw8.2.50/dcerpc.def
libsw8.2.50/dcom.def
libsw8.2.50/dup.def
libsw8.2.50/exchange.def
libsw8.2.50/formats.def
libsw8.2.50/fwconn.h
libsw8.2.50/fwctrnm.h
libsw8.2.50/fwctrs.ini
libsw8.2.50/fwui_head.def
libsw8.2.50/fwui_trail.def
libsw8.2.50/h323.def
libsw8.2.50/init.def
libsw8.2.50/kerntabs.h
libsw8.2.50/policy.ini
libsw8.2.50/snmp.def
libsw8.2.50/sofaware.def
libsw8.2.50/sofaware.h
libsw8.2.50/sofaware_base.def
libsw8.2.50/std.def
libsw8.2.50/swalgs.def
libsw8.2.50/swh323_in.def
libsw8.2.50/swh323_out.def
libsw8.2.50/sw_conn_helpers.def
libsw8.2.50/sw_ftp.def
libsw8.2.50/sw_nat.def
libsw8.2.50/sw_p2p_block.def
libsw8.2.50/sw_proxy.def
libsw8.2.50/sw_record_conn.def
libsw8.2.50/sw_sd.def
libsw8.2.50/sw_sd_functions.def
libsw8.2.50/sw_sip.def
libsw8.2.50/sw_sip_functions.def
libsw8.2.50/sw_skinny.def
libsw8.2.50/sw_tunneling.def
libsw8.2.50/sw_user_rules.def
libsw8.2.50/sw_vpn.def
libsw8.2.50/sw_vpn_helpers.def
libsw8.2.50/table.def
libsw8.2.50/tcpip.def
libsw8.2.50/traps.def
libsw8.2.50/traps.h
libsw8.2.50/user.def
libsw8.2.50/xtreme.def
libsw8.2.50/version.txt
[Expert@CPfirewall]# mv   /opt/CPEdgecmp-R75.20/libsw8.2.50   /opt/CPEdgecmp-R75.20/libsw
[Expert@CPfirewall]# dos2unix   /opt/CPEdgecmp-R75.20/libsw/*
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/auth.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/base.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/clcrypt.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/code.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/cp_algs.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/crypt.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/dcerpc.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/dcom.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/dup.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/exchange.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/formats.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/fwconn.h to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/fwctrnm.h to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/fwctrs.ini to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/fwui_head.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/fwui_trail.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/h323.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/init.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/kerntabs.h to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/policy.ini to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/snmp.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sofaware.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sofaware.h to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sofaware_base.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/std.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_conn_helpers.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_ftp.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_nat.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_p2p_block.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_proxy.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_record_conn.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_sd.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_sd_functions.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_sip.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_sip_functions.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_skinny.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_tunneling.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_user_rules.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_vpn.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/sw_vpn_helpers.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/swalgs.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/swh323_in.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/swh323_out.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/table.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/tcpip.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/traps.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/traps.h to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/user.def to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/version.txt to UNIX format ...
dos2unix: converting file /opt/CPEdgecmp-R75.20/libsw/xtreme.def to UNIX format ...
[Expert@CPfirewall]#
[Expert@CPfirewall]# cat   /opt/CPEdgecmp-R75.20/libsw/version.txt   <--- To Verify the libsw file version
libsw built with version 8.2.50
File list:
auth.def                990 bytes
base.def              28031 bytes
clcrypt.def            8824 bytes
code.def               9249 bytes
cp_algs.def           68974 bytes
crypt.def             28264 bytes
dcerpc.def            22309 bytes
dcom.def               9513 bytes
dup.def                 571 bytes
exchange.def           3760 bytes
formats.def           10257 bytes
fwconn.h               8423 bytes
fwctrnm.h               946 bytes
fwctrs.ini             1722 bytes
fwui_head.def         13874 bytes
fwui_trail.def          710 bytes
h323.def              23854 bytes
init.def               2847 bytes
kerntabs.h             3678 bytes
policy.ini               52 bytes
snmp.def               2472 bytes
sofaware.def          18069 bytes
sofaware.h             5765 bytes
sofaware_base.def      2030 bytes
std.def                 640 bytes
sw_conn_helpers.def    6118 bytes
sw_ftp.def            18810 bytes
sw_nat.def            11415 bytes
sw_p2p_block.def      18871 bytes
sw_proxy.def           4191 bytes
sw_record_conn.def     6248 bytes
sw_sd.def              7380 bytes
sw_sd_functions.def    4716 bytes
sw_sip.def             3832 bytes
sw_sip_functions.def   4592 bytes
sw_skinny.def          5235 bytes
sw_tunneling.def       8767 bytes
sw_user_rules.def      5679 bytes
sw_vpn.def             6293 bytes
sw_vpn_helpers.def     4479 bytes
swalgs.def             3170 bytes
swh323_in.def          4256 bytes
swh323_out.def         3166 bytes
table.def             11764 bytes
tcpip.def              4742 bytes
traps.def              5076 bytes
traps.h               15391 bytes
user.def              10582 bytes
version.txt              43 bytes
xtreme.def             9636 bytes
[Expert@CPfirewall]#
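
The five steps above are a move, a tar extract, a rename and a dos2unix with no check in between, so a wrong tarball or a stale libsw_BKP from last time silently leaves you in a worse state. Below is an added example (my code, not a Check Point tool and not part of the original post) that does the same sequence as one checked operation: refuse to overwrite an existing backup, reject a tarball that would write outside the CPEdgecmp directory, strip CRLF line endings, read version.txt, and only then swap the new directory in, rolling back if the version is not the one expected. It runs against a constructed CPEdgecmp-R75.20 directory and a constructed two-file libsw8250.tar built in a temp directory, so it can be tried offline; the "old" version 8.1.0 in that sample is made up.

```python
"""The five libsw steps from the post as one checked operation: back up the
old libsw, extract the tarball, normalise CRLF line endings (dos2unix), verify
version.txt, then swap the new directory in. Added example, not Check Point's
tooling; the tarball it runs against is constructed in a temp directory."""
import os
import shutil
import tarfile
import tempfile


def read_version(libsw_dir):
    """First line of version.txt is 'libsw built with version X.Y.Z'."""
    with open(os.path.join(libsw_dir, "version.txt")) as f:
        return f.readline().strip().rsplit(" ", 1)[-1]


def update_libsw(cmp_dir, tar_path, expected_version):
    """Replace cmp_dir/libsw with the contents of tar_path, keeping the old
    directory as libsw_BKP. Refuses to clobber an existing backup, rejects
    tarballs that would write outside cmp_dir, and rolls back if the
    extracted version.txt does not say expected_version."""
    libsw = os.path.join(cmp_dir, "libsw")
    backup = os.path.join(cmp_dir, "libsw_BKP")
    if os.path.exists(backup):
        raise RuntimeError("backup %s already exists; move it aside first" % backup)
    with tarfile.open(tar_path) as tar:
        names = [m.name for m in tar.getmembers()]
        tops = {n.split("/")[0] for n in names}
        if len(tops) != 1 or any(n.startswith("/") or ".." in n.split("/") for n in names):
            raise RuntimeError("tarball must hold one top-level directory and no traversal")
        (top,) = tops
        try:
            tar.extractall(cmp_dir, filter="data")  # Python 3.12+ safe extraction
        except TypeError:
            tar.extractall(cmp_dir)                 # older interpreters
    new_dir = os.path.join(cmp_dir, top)
    for name in os.listdir(new_dir):  # dos2unix equivalent
        path = os.path.join(new_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                data = f.read()
            with open(path, "wb") as f:
                f.write(data.replace(b"\r\n", b"\n"))
    version = read_version(new_dir)
    if version != expected_version:
        shutil.rmtree(new_dir)
        raise RuntimeError("version.txt says %s, expected %s" % (version, expected_version))
    if os.path.exists(libsw):
        os.rename(libsw, backup)
    os.rename(new_dir, libsw)
    return version


def make_sample(tmp):
    """Constructed CPEdgecmp dir with an old libsw, plus a libsw8250.tar whose
    files have CRLF endings, mirroring the listing above (two files only)."""
    src = os.path.join(tmp, "libsw8.2.50")
    os.makedirs(src)
    for name, body in (("version.txt", "libsw built with version 8.2.50\r\nFile list:\r\n"),
                       ("base.def", "// constructed stand-in\r\n")):
        with open(os.path.join(src, name), "wb") as f:
            f.write(body.encode())
    tar_path = os.path.join(tmp, "libsw8250.tar")
    with tarfile.open(tar_path, "w") as tar:
        tar.add(src, arcname="libsw8.2.50")
    shutil.rmtree(src)
    cmp_dir = os.path.join(tmp, "CPEdgecmp-R75.20")
    os.makedirs(os.path.join(cmp_dir, "libsw"))
    with open(os.path.join(cmp_dir, "libsw", "version.txt"), "w") as f:
        f.write("libsw built with version 8.1.0\n")  # constructed old version
    return cmp_dir, tar_path


def demo():
    """Run the update against the constructed sample and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        cmp_dir, tar_path = make_sample(tmp)
        new = update_libsw(cmp_dir, tar_path, "8.2.50")
        old = read_version(os.path.join(cmp_dir, "libsw_BKP"))
        with open(os.path.join(cmp_dir, "libsw", "base.def"), "rb") as f:
            crlf_left = b"\r" in f.read()
        return {"old": old, "new": new, "crlf_left": crlf_left}


if __name__ == "__main__":
    print(demo())
```

On a real gateway you would call update_libsw("/opt/CPEdgecmp-R75.20", "/home/admin/libsw8250.tar", "8.2.50") and pass as expected_version the firmware version you read off the Edge device, so a tarball for the wrong release is refused before anything is renamed.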

Sunday, July 8, 2012

Brocade Wireless Controller GUI: How To Put A Static IP Address On An 650/7131 Access Point (AP)

Follow the screenshots:


Uncheck dhcp option below.

Click 'OK', 'Commit', and 'Save'.

Using Cisco Switches As A DHCP Server

On occasion, I do use Cisco switches as a DHCP server on the network.  There are a few reasons why you might do this.  I take the view that if the Microsoft DHCP server dies, you still have the network.  You just have to rebuild a DHCP server somewhere.  However, if your core switch dies and it does DHCP also, it's not like DHCP is your primary concern at that point.  If you don't have a core, you don't have anything really.  Here is a configuration example I used at a customer site, along with notes to tell what it does.

ip dhcp excluded-address 192.168.150.1 192.168.150.10  <--- This address range gets excluded from being handed out.

ip dhcp pool Data                                           <---  This pool's name is "Data".
   network 192.168.150.0 255.255.255.0     <--- This is the network that DHCP will hand out for.
   default-router 192.168.150.250     <--- This is the default gateway for the devices getting an IP address from this scope.
   dns-server 192.168.150.5                          <--- DNS server.
   netbios-name-server 192.168.150.5             <--- WINS server.
   option 150 ip 72.1.64.130                           <--- Option 150 is the TFTP server address for Cisco phones.  You don't need this for data networks.

Brocade Wireless Install: RS6000 Install Step-By-Step


If you are a Brocade Partner and would like to see this, you can email me.  You would need to email me from your company email so that I can verify that you are from a Brocade partner.  Let me know why you would like to see this in your email. Thanks.

This post is password protected.

Saturday, July 7, 2012

VPN Troubleshooting Tip: I Can't Get Traffic Across The Site To Site VPN

There are really only four things you need to set up a VPN: Phase I, Phase II, the interesting-traffic ACL, and the nonat ACL.  Yes, there is some information embedded in these, but for the concept I'm trying to get across today, that's all we will say about that.  So, if Phase I and Phase II look good, but you can not get traffic across the VPN, here is a simple test IF you just can't see a problem with the interesting-traffic ACL or the nonat ACL.  Just simply do a traceroute from your PC to a device across the VPN.  You will want to watch the second hop and what it reports back.  The first hop should always be your default gateway.  The next hop should be across the VPN.  Look in this one below.  Notice the second hop.  It shows a public IP address.  Because it shows this, I KNOW it IS NATing the traffic.  Meaning, I need to go check both my interesting-traffic ACL and my nonat ACL.
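
The second-hop test above, as an added example (my code, not part of the original post) that runs it over saved tracert or traceroute output and returns a verdict: the first hop must be an inside address, and if hop 2 answers from a non-RFC1918 address the gateway NATed the flow instead of putting it in the tunnel. It also covers the case the post does not mention, hop 2 not answering at all, which is inconclusive rather than proof of anything. The three traces are constructed (a PC on 192.168.150.0/24 tracing to 10.20.0.15 on the far side); RFC 1918 membership is tested explicitly rather than with ipaddress.is_private, because Python also counts the documentation ranges such as 203.0.113.0/24 as private, which would hide exactly the hop you are looking for.

```python
"""The second-hop test from the post, run over saved tracert/traceroute text.
Added example, not from the post; the sample traces are constructed."""
import ipaddress
import re

# RFC 1918 space is what 'inside' means here. ipaddress.is_private is avoided
# on purpose: Python also treats documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) as private, which would mask the very
# public hop this test looks for.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed traces: a PC behind gateway 192.168.150.250 tracing to
# 10.20.0.15 across the site-to-site VPN.
TRACE_OK = """\
Tracing route to 10.20.0.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.150.250
  2    21 ms    20 ms    22 ms  10.20.0.1
  3    22 ms    21 ms    21 ms  10.20.0.15

Trace complete.
"""
TRACE_NAT = """\
Tracing route to 10.20.0.15 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.150.250
  2    12 ms    11 ms    12 ms  203.0.113.1
  3    14 ms    13 ms    13 ms  198.51.100.9
"""
TRACE_TIMEOUT = """\
  1    <1 ms    <1 ms    <1 ms  192.168.150.250
  2     *        *        *     Request timed out.
"""


def is_inside(addr):
    return any(addr in net for net in RFC1918)


def hops(trace_text):
    """Map hop number -> responding IPv4Address (None for a timed-out hop).
    Works for Windows tracert and Linux traceroute layouts: the hop address
    is the last IPv4 literal on a line that starts with the hop number."""
    result = {}
    for line in trace_text.splitlines():
        m = re.match(r"^\s*(\d+)\s", line)
        if not m:
            continue
        ips = IPV4.findall(line)
        result[int(m.group(1))] = ipaddress.ip_address(ips[-1]) if ips else None
    return result


def diagnose(trace_text):
    """Return (verdict, detail); verdict is 'ok', 'nat', 'inconclusive' or 'odd'."""
    h = hops(trace_text)
    first, second = h.get(1), h.get(2)
    if first is not None and not is_inside(first):
        return "odd", ("hop 1 %s is not an inside address; "
                       "is this PC actually behind the VPN gateway?" % first)
    if second is None:
        return "inconclusive", ("hop 2 did not answer; an ACL may drop ICMP "
                                "time-exceeded, try another far-side host")
    if is_inside(second):
        return "ok", "hop 2 %s is private, the packet went into the tunnel" % second
    return "nat", ("hop 2 %s is public: the gateway NATed this flow instead of "
                   "encrypting it; check the interesting-traffic ACL and the "
                   "nonat ACL" % second)


if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("nat", TRACE_NAT), ("timeout", TRACE_TIMEOUT)):
        verdict, detail = diagnose(trace)
        print("%-8s %-12s %s" % (name, verdict, detail))
```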

Thursday, July 5, 2012

What Cisco Output Commands Are In A "Show Tech VPC" On A Nexus 5000?

I wrote about what commands would be run in a "show tech" on a Nexus 5000 switch just moments ago.  But now, I wanted to list the commands that would be run when you do a "show tech vpc".  There is a difference in the two, and here are the ones for a "show tech vpc" on the Nexus 5000.

show version
show module
show vpc brief
show vpc role
show running-config vpc
show system internal vpcm event-history global
show system internal vpcm event-history errors
show system internal vpcm event-history msgs
show system internal vpcm mem-stats detail
show system internal vpcm info all
show system internal vpcm info global
show system internal vpcm info trace
show cfs internal ethernet-peer database
show spanning-tree
show fex
show cfs internal ethernet-peer statistics
show spanning-tree internal info vpc
show vpc consistency-parameters global
show system internal vpcm transport packet-counter statistics
show system internal vpcm transport packet-counter error
show feature

What Cisco Output Commands Are In A "Show Tech" On The Nexus 5000?

Have you ever wondered what commands were actually in a "show tech" on the Nexus 5000?  Well, I did.  There seems to be a lot of info in there, and there really is.  I compiled a list of commands that a show tech runs on a Nexus 5000 and have listed them below.  Enjoy!

show switchname
show system uptime
show interface mgmt0
show system resources
show version
show inventory
show diagnostic result module all
show logging log
show fex detail
show interface fex-fabric
show module
show module 1 port type
show module 2 port type
show module 3 port type
show module 4 port type
show module fex all
show environment
show environment fex all
show sprom backplane
show sprom fex all
show clock
show callhome
show cfs application
show cfs lock
show snmp
show interface brief
show interface
show running-config
show startup-config
show accounting log
show process
show process cpu
show processes cpu history
show process log
show process memory
show processes log details
show system reset-reason
show logging nvram
show install all status
show install all failure-reason
show system internal log install
show system internal log install details
show cores
show system internal kernel aipc
show tech-support acl
show system internal aclmgr status
show system internal aclmgr log
show system internal aclmgr ppf subscription
show system internal aclmgr ppf sessions
show system internal aclmgr ppf dsets
show system internal aclmgr ppf nodes
show system internal aclmgr ppf contro
show system internal aclmgr dictionaries
show system internal aclmgr state-cache
show access-lists
show vlan access-map
show system internal aclmgr event-history msgs
show system internal aclmgr event-history sessions
show system internal aclmgr event-history errors
show vlan
show logging onboard obfl-logs
show hardware internal cpu-mac mgmt counters
show hardware internal cpu-mac mgmt stats
show hardware internal cpu-mac inband counters
show hardware internal cpu-mac inband stats
show system internal fex info fport all verbose
show system internal fex info satellite all verbose
show system internal fex info satport all verbose
show system internal fex info slot all verbose
show spanning-tree internal info global | grep Total
show tech-support port-profile
show port-profile
show port-profile usage
show port-profile brief
show port-profile expand-interface
show port-profile sync-status
show accounting log
show system internal port-profile command-cache
show system internal port-profile event-queue
show system internal port-profile interface database
show system internal port-profile event-history errors
show system internal port-profile profile-fsm
show system internal port-profile interface-fsm
show system internal port-profile mem-stats
show system internal port-profile mem-stats detail
show system internal mts buffers
show system internal mts buffers details
show switch-profile status
show running-config switch-profile
show switch-profile session-history
show system internal csm info global-db cmd-tbl detail
show system internal csm info global-db seq-tbl detail
show system internal csm info switch-profile cfgd-db cmd-tbl detail
show system internal csm info switch-profile cfgd-db seq-tbl detail
show system internal csm info switch-profile local-db cmd-tbl detail
show system internal csm info switch-profile local-db seq-tbl detail
show system internal csm info trace
show system internal csm info transport detail
show cdp neighbors
show cdp neighbors detail
show queuing interface
show system internal mts buffers details
show hardware internal carmel counters interrupt
show hardware internal carmel interrupt
show ip route vrf all
show ip arp vrf all
show monitor session all
show mac-address-table
show spanning-tree summary
show spanning-tree active
show interface trunk
show system internal ethpm info al
show tech-support port-channel
show port-channel internal event-history all
show port-channel internal event-history errors
show port-channel internal event-history msgs
show port-channel internal event-history lock
show port-channel internal mem-stats detail
show port-channel usage
show port-channel summary
show tech-support lacp
show lacp internal info all
show lacp internal event-history errors
show lacp internal event-history msgs
show lacp internal event-history lock
show lacp internal event-history global
show lacp internal mem-stats detail
show lacp counters
show tech-support ipqos
show system internal ipqos event-history msgs
show system internal ipqos event-history errors
show system internal ipqos class-map type qos
show system internal ipqos class-map type queuing
show system internal ipqos policy-map type qos
show system internal ipqos policy-map type queuing
show system internal ipqos global-defaults
show system internal ipqos locks
show system internal ipqos event-history locks
show system internal ipqos event-history mts-msgs
show system internal ipqos event-history sessions
show system internal ipqos ppf-lib
show system internal ipqos mem-stats detail
show system internal ipqos port-node
show system internal ipqos vlan-tbl 1-4094
show system internal ipqos log
show system internal ipqos statistics bucket
show system internal ipqos status
show system internal ipqos session
show class-map type qos
show class-map type queuing
show policy-map type qos
show policy-map type queuing
show policy-map interface brief
show class-map type network-qos
show policy-map type network-qos
show policy-map system type network-qos
show system internal ipqos system-node
show system internal ipqos class-map type network-qos
show system internal ipqos policy-map type network-qos
show system internal ipqos vlmgr info
show system internal ipqos vlmgr fsm
show interface priority-flow-control
show system internal ipqos dcbxp info
show plat software qd info
show plat software qd info eth
show plat software qd info fex
show plat software qd info sup
show plat software qd info fc
show plat software qd info system
show plat software qd info module
show plat software qd info interface
show plat software qd info bundle
show plat software qd info pss
show wrr-queue cos-map
show platform software qd mem-stats
show platform software qd errors
show platform software qd msgs
show platform software qd event-history msgs
show platform software qd event-history errors
show tech-support lldp
show lldp neighbors
show lldp timers
show lldp traffic
show system internal lldp event-history msgs
show system internal lldp event-history errors
show system internal lldp info
show system internal lldp info global
show tech-support dcbx
show lldp dcbx interface mgmt0
show lldp dcbx interface Ethernet1/1
show lldp dcbx interface Ethernet1/2
show lldp dcbx interface Ethernet1/3
show lldp dcbx interface Ethernet1/4
show lldp dcbx interface Ethernet1/5
show lldp dcbx interface Ethernet1/6
show lldp dcbx interface Ethernet1/7
show lldp dcbx interface Ethernet1/8
show lldp dcbx interface Ethernet1/9
show lldp dcbx interface Ethernet1/10
show lldp dcbx interface Ethernet1/11
show lldp dcbx interface Ethernet1/12
show lldp dcbx interface Ethernet1/13
show lldp dcbx interface Ethernet1/14
show lldp dcbx interface Ethernet1/15
show lldp dcbx interface Ethernet1/16
show lldp dcbx interface Ethernet1/17
show lldp dcbx interface Ethernet1/18
show lldp dcbx interface Ethernet1/19
show lldp dcbx interface Ethernet1/20
show lldp dcbx interface Ethernet1/21
show lldp dcbx interface Ethernet1/22
show lldp dcbx interface Ethernet1/23
show lldp dcbx interface Ethernet1/24
show lldp dcbx interface Ethernet1/25
show lldp dcbx interface Ethernet1/26
show lldp dcbx interface Ethernet1/27
show lldp dcbx interface Ethernet1/28
show lldp dcbx interface Ethernet1/29
show lldp dcbx interface Ethernet1/30
show lldp dcbx interface Ethernet1/31
show lldp dcbx interface Ethernet1/32
show system internal dcbx info global
show system internal dcbx info interface ethernet 1/1
show system internal dcbx info interface ethernet 1/2
show system internal dcbx info interface ethernet 1/3
show system internal dcbx info interface ethernet 1/4
show system internal dcbx info interface ethernet 1/5
show system internal dcbx info interface ethernet 1/6
show system internal dcbx info interface ethernet 1/7
show system internal dcbx info interface ethernet 1/8
show system internal dcbx info interface ethernet 1/9
show system internal dcbx info interface ethernet 1/10
show system internal dcbx info interface ethernet 1/11
show system internal dcbx info interface ethernet 1/12
show system internal dcbx info interface ethernet 1/13
show system internal dcbx info interface ethernet 1/14
show system internal dcbx info interface ethernet 1/15
show system internal dcbx info interface ethernet 1/16
show system internal dcbx info interface ethernet 1/17
show system internal dcbx info interface ethernet 1/18
show system internal dcbx info interface ethernet 1/19
show system internal dcbx info interface ethernet 1/20
show system internal dcbx info interface ethernet 1/21
show system internal dcbx info interface ethernet 1/22
show system internal dcbx info interface ethernet 1/23
show system internal dcbx info interface ethernet 1/24
show system internal dcbx info interface ethernet 1/25
show system internal dcbx info interface ethernet 1/26
show system internal dcbx info interface ethernet 1/27
show system internal dcbx info interface ethernet 1/28
show system internal dcbx info interface ethernet 1/29
show system internal dcbx info interface ethernet 1/30
show system internal dcbx info interface ethernet 1/31
show system internal dcbx info interface ethernet 1/32
show system internal dcbx info interface ethernet 1/33
show system internal dcbx info interface ethernet 1/34
show system internal dcbx info interface ethernet 1/35
show system internal dcbx info interface ethernet 1/36
show system internal dcbx info interface ethernet 1/37
show system internal dcbx info interface ethernet 1/38
show system internal dcbx info interface ethernet 1/39
show system internal dcbx info interface ethernet 1/40
show system internal dcbx info interface ethernet 1/41
show system internal dcbx info interface ethernet 1/42
show system internal dcbx info interface ethernet 1/43
show system internal dcbx info interface ethernet 1/44
show system internal dcbx info interface ethernet 1/45
show system internal dcbx info interface ethernet 1/46
show system internal dcbx info interface ethernet 1/47
show system internal dcbx info interface ethernet 1/48
show tech-support port-security
show system internal btcm info
show vpc
show fcflow stats module 3
show fcflow stats aggregated module 3