Archive for the ‘cisco’ Category

Brocade ICX/VDX firmware update cheatsheet

Wednesday, July 11th, 2018

Kind of a cheatsheet for updating firmware on Brocade’s ICX (nowadays Ruckus Networks) and VDX (nowadays Extreme Networks) switches.

-=ICX=-

– Check the release notes to make sure your model is supported by the target release. For example, ICX6xxx switches (EOL by now) can go no higher than the 08.0.30 branch; 08.0.60 and 08.0.80 do not support the ICX6xxx.

copy scp flash 10.10.11.146 /home/brcdsup/fastiron/08030/ICX64S08030s.bin primary

– If you immediately get a ‘Connecting to remote host… Connection Closed’ error, the switch’s SSH client and your sshd most likely have no key-exchange algorithm or cipher in common. Check whether your SSH server config includes the legacy options the switch needs (to be added to sshd_config, followed by an sshd restart):

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes128-ctr,aes256-ctr

Keep in mind that diffie-hellman-group1-sha1, 3des-cbc and blowfish-cbc were dropped from OpenSSH’s defaults for a reason, and that KexAlgorithms and Ciphers cannot be narrowed to a single peer with a Match block, so these settings are offered to every client of that sshd. Put them on a dedicated transfer host, or remove them again once the upgrade is done.
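A quick way to confirm what an sshd actually offers after editing sshd_config is to read its SSH_MSG_KEXINIT, the first unencrypted packet every SSH-2 server sends (RFC 4253, section 7.1). The script below is an added example for this post, not Brocade/Ruckus or OpenSSH code: parse_kexinit() decodes that packet, fetch_server_kexinit() pulls it from a live host, and audit() reports both what the switch would still be missing and which weak algorithms the server now exposes to everybody. The algorithms the switch is assumed to need (NEEDED_KEX, NEEDED_CIPHERS) and the packet built by build_kexinit() for the offline demo are assumptions made up for this example.

```python
"""Read an SSH-2 server's SSH_MSG_KEXINIT (RFC 4253, 7.1) and audit what it offers.

Added example for this post, not Brocade/Ruckus or OpenSSH code. NEEDED_* are an
assumption about what the old switch firmware can negotiate; adjust to your box.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Assumption: the legacy algorithms the switch's SSH client insists on.
NEEDED_KEX = {"diffie-hellman-group1-sha1"}
NEEDED_CIPHERS = {"3des-cbc", "aes128-cbc"}
# Algorithms a hardened sshd should not be offering to arbitrary clients.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "aes128-cbc", "aes256-cbc"}

KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf: bytes, off: int):
    """Decode an RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n


def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted binary packet (uint32 len, byte padlen, payload, padding)."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:5 + packet_len - padding_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("first packet is not SSH_MSG_KEXINIT")
    off = 1 + 16                      # message type byte + 16-byte random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)) -> bytes:
    """Encode a KEXINIT packet; used here only to construct offline test input."""
    def name_list(items):
        body = ",".join(items).encode("ascii")
        return struct.pack(">I", len(body)) + body
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for lst in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += name_list(lst)
    payload += b"\x00" + struct.pack(">I", 0)       # first_kex_packet_follows, reserved
    pad = 8 - ((len(payload) + 5) % 8)             # total length must be a multiple of 8
    if pad < 4:                                    # and padding must be at least 4 bytes
        pad += 8
    return struct.pack(">I", len(payload) + pad + 1) + bytes([pad]) + payload + b"\x00" * pad


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Do the identification exchange and return the server's first binary packet."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # skip pre-banner lines
            line = f.readline()
        if not line:
            raise ConnectionError("no SSH identification string received")
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        header = f.read(4)
        (packet_len,) = struct.unpack(">I", header)
        return header + f.read(packet_len)


def audit(kexinit: dict) -> dict:
    """What the switch still lacks, and which weak algorithms every client is now offered."""
    kex = set(kexinit["kex"])
    enc = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    return {
        "missing_for_switch": sorted((NEEDED_KEX - kex) | (NEEDED_CIPHERS - enc)),
        "weak_offered": sorted((WEAK_KEX & kex) | (WEAK_CIPHERS & enc)),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        packet = fetch_server_kexinit(sys.argv[1])
    else:  # constructed offline sample: a server that added group1 but not aes128-cbc
        packet = build_kexinit(["curve25519-sha256", "diffie-hellman-group1-sha1"],
                               ["ssh-rsa"], ["aes128-ctr", "3des-cbc"], ["hmac-sha2-256"])
    print(audit(parse_kexinit(packet)))
```

Run it with the SCP host as the only argument to audit the real sshd, or without arguments to see the constructed sample; an empty missing_for_switch list means the transfer will get past key exchange, and a non-empty weak_offered list is your reminder to take the options out again afterwards.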

-=VDX=-

– Version upgrades such as 6.0 to 7.0, or 7.0 to 7.1, count as major upgrades and are therefore disruptive. Be prepared for roughly 30 minutes of outage plus about 10 minutes of fabric recovery (during which data traffic is forwarded).

firmware download logical-chassis scp directory /home/brcdsup/nos/nos7.1.0b host 10.10.11.146 user brcdsup password xxx rbridge-id all coldboot

FreeBSD template for ManageEngine OpManager

Friday, March 18th, 2016

We use OpManager by ManageEngine to monitor our infrastructure. Most Linux flavors are already covered by OpManager’s default templates, and with the included UCD SNMP MIBs you also get interface statistics and CPU/RAM utilization for FreeBSD servers. The only bit missing was partition monitoring for FreeBSD, so I spent a bit of time and made a template that OpManager can use to monitor FreeBSD servers.

It is confirmed to work with the latest OpManager 11 (build 11600) and FreeBSD 10.x without Net-SNMP installed, using only bsnmpd with bsnmp-ucd. The reason for bsnmpd is simple: it is lightweight and part of the FreeBSD base system, so nothing extra needs to be installed, and bsnmp-ucd (available under /usr/ports/net-mgmt/bsnmp-ucd) is a bsnmpd module implementing parts of UCD-SNMP-MIB, whereas Net-SNMP pulls in a large number of dependencies.

Once bsnmp-ucd is installed, enable the ucd module in /etc/snmpd.config and restart bsnmpd:

# UCD module
begemotSnmpdModulePath."ucd" = "/usr/local/lib/snmp_ucd.so"

So here we go (you can also download it from here, just make sure to change the extension to XML):

Noteworthy sections:

SysOID oid=: this is the FreeBSD system identifier. When you add a new FreeBSD server, the template is attached automatically based on its SysOID.

CPU and RAM sections were copied from the standard Linux template.

DisplayColumn=: .1.3.6.1.4.1.2021.9.1.2 (dskPath) is the list of monitored partitions (/, /usr, /var, etc.).

Index=: .1.3.6.1.4.1.2021.9.1.1 (dskIndex) is the list of IDs of those partitions.

oid=: (.1.3.6.1.4.1.2021.9.1.8*100/.1.3.6.1.4.1.2021.9.1.7) is the expression used for the utilization of a particular partition, where .1.3.6.1.4.1.2021.9.1.8 is dskUsed (used space). Note that .1.3.6.1.4.1.2021.9.1.7 is dskAvail (space still available), not the size of the partition, so this expression yields a used-to-free ratio rather than a percentage of the partition in use: it passes 100% as soon as used space exceeds free space and grows without bound as the partition fills. For a real percentage divide by .1.3.6.1.4.1.2021.9.1.6 (dskTotal) instead, or read .1.3.6.1.4.1.2021.9.1.9 (dskPercent), the agent’s own percentage-used figure.
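To see concretely what those OIDs return and why the denominator matters, here is an added example (not part of the post, of OpManager or of bsnmp-ucd) that joins the dskTable columns of a numeric snmpwalk by dskIndex and evaluates the utilization both ways. The walk output is constructed for the example; the column numbers are those of UCD-SNMP-MIB, and the dskPercent values are the agent’s own figures as they would appear in the walk.

```python
"""Join UCD-SNMP-MIB dskTable columns from a numeric snmpwalk and compute utilization.

Added example for this post, not OpManager or bsnmp-ucd code. SAMPLE_WALK is
constructed to look like 'snmpwalk -On -v2c -c public host .1.3.6.1.4.1.2021.9'.
"""
import re

DSK_TABLE = ".1.3.6.1.4.1.2021.9.1"
# Column numbers under dskEntry, per UCD-SNMP-MIB.
COLUMNS = {1: "dskIndex", 2: "dskPath", 3: "dskDevice",
           6: "dskTotal", 7: "dskAvail", 8: "dskUsed", 9: "dskPercent"}

WALK_LINE = re.compile(r"^(\.[\d.]+)\s*=\s*(\w+):\s*(.*)$")

# Constructed sample: UFS with reserved blocks, so dskTotal != dskUsed + dskAvail.
SAMPLE_WALK = """\
.1.3.6.1.4.1.2021.9.1.1.1 = INTEGER: 1
.1.3.6.1.4.1.2021.9.1.1.2 = INTEGER: 2
.1.3.6.1.4.1.2021.9.1.2.1 = STRING: /
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: /var
.1.3.6.1.4.1.2021.9.1.3.1 = STRING: /dev/ada0p2
.1.3.6.1.4.1.2021.9.1.3.2 = STRING: /dev/ada0p4
.1.3.6.1.4.1.2021.9.1.6.1 = INTEGER: 1000000
.1.3.6.1.4.1.2021.9.1.6.2 = INTEGER: 2000000
.1.3.6.1.4.1.2021.9.1.7.1 = INTEGER: 300000
.1.3.6.1.4.1.2021.9.1.7.2 = INTEGER: 1440000
.1.3.6.1.4.1.2021.9.1.8.1 = INTEGER: 600000
.1.3.6.1.4.1.2021.9.1.8.2 = INTEGER: 400000
.1.3.6.1.4.1.2021.9.1.9.1 = INTEGER: 67
.1.3.6.1.4.1.2021.9.1.9.2 = INTEGER: 22
"""


def parse_dsk_walk(text: str) -> dict:
    """Return {dskIndex: {column name: value}} for the dskTable rows in a numeric walk."""
    rows = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        oid, typ, value = m.groups()
        if not oid.startswith(DSK_TABLE + "."):
            continue
        column, index = oid[len(DSK_TABLE) + 1:].split(".", 1)   # "<column>.<dskIndex>"
        name = COLUMNS.get(int(column))
        if name is None:
            continue
        row = rows.setdefault(int(index), {})
        row[name] = value.strip('"') if typ == "STRING" else int(value)
    return rows


def percent_used(row: dict) -> float:
    """Utilization as a share of the partition: dskUsed * 100 / dskTotal."""
    return round(row["dskUsed"] * 100 / row["dskTotal"], 1)


def template_expression(row: dict) -> float:
    """What the post's OpManager expression evaluates to: dskUsed * 100 / dskAvail."""
    return round(row["dskUsed"] * 100 / row["dskAvail"], 1)


def report(text: str) -> list:
    """(path, percent of total used, template expression, agent's dskPercent) per partition."""
    return [(r["dskPath"], percent_used(r), template_expression(r), r["dskPercent"])
            for _, r in sorted(parse_dsk_walk(text).items())]


if __name__ == "__main__":
    for path, pct, tmpl, agent in report(SAMPLE_WALK):
        print(f"{path:6} used {pct:5.1f}% of total; template says {tmpl:5.1f}%; agent dskPercent {agent}")
```

On the constructed root partition the template expression reports 200% while only 60% of the partition is in use, which is the discrepancy to expect on any box whose filesystems are more than half full.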

Hope it helps.

How to configure vLAG on a Brocade VDX 6740T-1G switch to work with SafeNet Network HSM

Tuesday, January 26th, 2016

Caution! I deleted my previous post on how to configure vLAG on Brocade VDX 6740T-1G switch to work with SafeNet Network HSM because actually it didn’t work as it should. If you get a cached version somewhere please disregard it.

I have no idea how I managed to get bonding to operate in round-robin mode on SafeNet Network HSM:

[hsm-node-1] lunash:>network interface bonding show

-----------------------------------------------------------
Ethernet Channel Bonding Driver: v3.4.0-2 (October 7, 2008)

Bonding Mode: load balancing (round-robin)

Because once the appliance was rebooted, the bonding mode changed to active-backup and the whole story with LAGs became irrelevant. The primary interface started flapping again, and the only way to stabilize connectivity to the HSM was to disable the slave interface.

[hsm-node-1] lunash:>network interface bonding show

-----------------------------------------------------------
Ethernet Channel Bonding Driver: v3.4.0-2 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)

So, back to the original subject of the post: how do you configure a LAG on a Brocade switch to work with a SafeNet Network HSM? The answer is: you don’t. In fault-tolerance bonding mode, where one interface is active and the other is backup (read: passive), you do not create any LAG on the switch. All you have to do is put both interfaces into switchport access mode and make sure the VLAN and speed settings are identical. Here is what our switch config looks like:

!
interface TenGigabitEthernet 12/0/2
 speed 1000
 description -=HSM-NODE-1:ETH0=-
 switchport
 switchport mode access
 switchport access vlan 12
 spanning-tree shutdown
 no fabric isl enable
 no fabric trunk enable
 no shutdown
!
interface TenGigabitEthernet 13/0/2
 speed 1000
 description -=HSM-NODE-1:ETH1=-
 switchport
 switchport mode access
 switchport access vlan 12
 spanning-tree shutdown
 no fabric isl enable
 no fabric trunk enable
 no shutdown
!

You do lose link aggregation and load balancing, because only one interface passes traffic at a time; the slave interface comes into play only when the primary goes down. Redundancy is preserved though: you can pull the cable from ETH0 without any impact on connectivity.

On the HSM side there are not many options, so you follow the standard procedure: assign the IP address to the bond (network interface bonding config -ip x.x.x.x -netmask y.y.y.y -gateway z.z.z.z) and bring it up (network interface bonding enable).

To check the status:

[hsm-node-1] lunash:>network interface bonding show

-----------------------------------------------------------
Ethernet Channel Bonding Driver: v3.4.0-2 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect failure)
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 2000
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:c4:n7:13:06

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:c4:n7:6a:34
-----------------------------------------------------------
-----------------------------------------------------------
Status for eth0:
        Link detected: yes

Status for eth1:
        Link detected: yes
-----------------------------------------------------------

Command Result : 0 (Success)
[hsm-node-1] lunash:>status interface

bond0     Link encap:Ethernet  HWaddr 00:15:C4:N7:13:06
          inet addr:192.168.100.42  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:13479 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1059045 (1.0 MiB)  TX bytes:446623 (436.1 KiB)

eth0      Link encap:Ethernet  HWaddr 00:15:C4:N7:13:06
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:12670 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:996811 (973.4 KiB)  TX bytes:300205 (293.1 KiB)
          Interrupt:58 Memory:fb4c0000-fb4e0000

eth1      Link encap:Ethernet  HWaddr 00:15:C4:N7:6A:34
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1101 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:62234 (60.7 KiB)  TX bytes:146418 (142.9 KiB)
          Interrupt:169 Memory:fb6e0000-fb700000

Command Result : 0 (Success)
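Since the bonding mode silently flipped after a reboot, it is worth having something that watches it. The script below is an added example for this post, not SafeNet code: it parses the output of network interface bonding show (SAMPLE is the output above, MACs left as printed; SAMPLE_RR is a constructed copy in the round-robin state seen before the reboot) and flags anything that would bring the flapping back: a mode other than active-backup, a slave whose MII status is not up, a link failure count that rose since the last run, or the active slave no longer being the primary. How you collect the output from lunash is outside the example.

```python
"""Check a SafeNet Network HSM bond from 'network interface bonding show' output.

Added example for this post, not SafeNet code. SAMPLE is the post's own output;
SAMPLE_RR is constructed to mimic the round-robin state seen before the reboot.
"""
EXPECTED_MODE = "fault-tolerance (active-backup)"

SAMPLE = """\
-----------------------------------------------------------
Ethernet Channel Bonding Driver: v3.4.0-2 (October 7, 2008)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect failure)
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 2000
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:c4:n7:13:06

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:15:c4:n7:6a:34
-----------------------------------------------------------
Status for eth0:
        Link detected: yes

Status for eth1:
        Link detected: yes
-----------------------------------------------------------
"""

SAMPLE_RR = SAMPLE.replace("Bonding Mode: fault-tolerance (active-backup)",
                           "Bonding Mode: load balancing (round-robin)")


def parse_bonding_show(text: str) -> dict:
    """Pull the bond-level fields and a per-slave dict out of the lunash output."""
    bond = {"mode": None, "primary": None, "active": None, "slaves": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            current = None                 # end of the slave blocks; skip the Status section
        elif line.startswith("Bonding Mode:"):
            bond["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("Primary Slave:"):
            bond["primary"] = line.split(":", 1)[1].split()[0]   # drop "(primary_reselect ...)"
        elif line.startswith("Currently Active Slave:"):
            bond["active"] = line.split(":", 1)[1].strip()
        elif line.startswith("Slave Interface:"):
            current = line.split(":", 1)[1].strip()
            bond["slaves"][current] = {}
        elif current and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            bond["slaves"][current][key] = value
    return bond


def failure_counts(bond: dict) -> dict:
    """Snapshot of link failure counters to pass as previous_failures on the next run."""
    return {name: int(s.get("Link Failure Count", 0)) for name, s in bond["slaves"].items()}


def check_bond(bond: dict, previous_failures=None) -> list:
    """Return human-readable problems; an empty list means the bond looks as intended."""
    problems = []
    if bond["mode"] != EXPECTED_MODE:
        problems.append(f"bonding mode is {bond['mode']!r}, expected {EXPECTED_MODE!r}")
    if len(bond["slaves"]) != 2:
        problems.append(f"expected 2 slaves, found {len(bond['slaves'])}")
    for name, slave in bond["slaves"].items():
        if slave.get("MII Status") != "up":
            problems.append(f"{name}: MII status is {slave.get('MII Status')!r}")
        failures = int(slave.get("Link Failure Count", 0))
        if previous_failures and failures > previous_failures.get(name, 0):
            problems.append(f"{name}: link failure count rose to {failures} (flapping?)")
    if bond["primary"] and bond["active"] and bond["active"] != bond["primary"]:
        problems.append(f"active slave is {bond['active']} but primary is {bond['primary']} (failover happened)")
    return problems


if __name__ == "__main__":
    for label, text in (("after reboot", SAMPLE), ("before reboot", SAMPLE_RR)):
        print(label, check_bond(parse_bonding_show(text)) or ["ok"])
```

Run against the output above it reports exactly one thing: eth1 is active while eth0 is the primary, and with primary_reselect set to failure the bond will not fail back on its own, which is worth knowing before you unplug ETH0 to prove redundancy.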

How to configure SNMP on a Brocade VDX 6740T-1G switch

Monday, January 25th, 2016

Below is a snippet of the config that worked for me to allow SNMP v1 polling of a Brocade VDX 6740T-1G switch. Nothing fancy: I just wanted read-only SNMP v1 access to the switch to start capturing interface load. Note that the NOS version is 6.0.2.

snmp-server contact "Your network crew"
snmp-server location "DC A"
snmp-server sys-descr "Brocade VDX 6740T-1G"
snmp-server community XXXXX groupname monitor
snmp-server view monitor 1.3.6 included
snmp-server group monitor v1 read monitor

The first three lines are cosmetic. The fourth and the last one enable SNMP v1 read-only access. Note that you have to specify a groupname; you can call it whatever you like, but it has to be consistent between the community and group lines.

Finally, without the ‘snmp-server view monitor 1.3.6 included’ line you will be able to poll the switch but no data will be returned. A narrower view could be useful if you have multiple teams and want to separate who can monitor what, but since I don’t need that I allowed access to the whole MIB. Keep in mind that SNMP v1 (like v2c) sends the community string in the clear and has no authentication beyond it, so treat the community as a password, keep the poller on a management network, and prefer SNMP v3 where your monitoring system supports it.

How to add a license to a Brocade VDX6740T-1G switch

Sunday, January 24th, 2016

In order to license a particular feature on a Brocade VDX 6740T-1G switch you’ll need:

  • a transaction key (a 22-character string received from your Brocade supplier, bound to a particular feature, for example BR-VDX6740T-1G-16X10G-COD to add the 16 x 10G Capacity on Demand feature, or BR-VDX6740-2X40G-POD to unlock the two remaining QSFP ports);
  • access to the Brocade portal (Software Licensing section);
  • the license ID of the switch the license is going to be attached to.

To get a license ID, log in to the switch and run:

show license id rbridge-id 12

===================================================
  12                    XX:XX:XX:XX:XX:XX:XX:XX

Since all my VDXs are in a VCS Logical Chassis mode, I have to specify the rbridge-id of the member.

Log in to the Brocade portal, go to Software Licensing and enter the transaction key. On the next page you’ll be prompted for an email address and the license ID.

Once generated, you’ll receive an XML file with a long string between licKey tags.

Copy it (without the licKey tags) and execute on the switch:

license add rbridge-id 12 licStr "XX XXXXXXXX#"

Make sure to place the license inside quotes, since normally there is a space in the license key.

To check whether the license was deployed run:

show license rbridge-id 12

rbridge-id: 12
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
       10G Port Upgrade license
       Feature name:PORT_10G_UPGRADE
       License is valid
       Capacity: 16

Configuring shared network with DHCP

Monday, August 20th, 2012

Say you have a DHCP server serving a /24 network in the LAN and one day you run out of IP addresses. You want to add another /24 that is distributed in the same LAN. Ugly, but what to do.

According to man dhcpd.conf:

The shared-network statement is used to inform the DHCP server that some IP subnets actually share the same physical network. Any subnets in a shared network should be declared within a shared-network statement. Parameters specified in the shared-network statement will be used when booting clients on those subnets unless parameters provided at the subnet or host level override them. If any subnet in a shared network has addresses available for dynamic allocation, those addresses are collected into a common pool for that shared network and assigned to clients as needed. There is no way to distinguish on which subnet of a shared network a client should boot.

Here is how you add the second network to the DHCP scope. Done on Ubuntu 9.10 (karmic) with ISC DHCP v3.1.2. One thing to watch: option routers 192.168.1.1 in the second subnet is off-link for 192.168.2.0/24 clients, and many DHCP clients will not install a default route via a gateway outside their own subnet, so if those clients come up without a default route, give the second subnet a router address inside it (the router’s own 192.168.2.x address).

shared-network "officea01" {
  option domain-name "officea01.domain.org";
  option domain-name-servers 192.168.1.1;
  subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.1.1;
    allow unknown-clients;
    range 192.168.1.10 192.168.1.254;
  }
  subnet 192.168.2.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.1.1;
    allow unknown-clients;
    range 192.168.2.10 192.168.2.254;
  }
}
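Before reloading dhcpd it pays to check a shared-network block mechanically: each subnet’s router and range must lie inside that subnet, the router must not sit inside the dynamic range, and the subnets must not overlap. The following is an added example for this post (not ISC DHCP code) that validates a list of subnet definitions and renders them back into dhcpd.conf syntax. SUBNETS mirrors the config above, so the check flags the second subnet’s router as off-link; corrected() moves such a router to the first host address of its subnet, which is an assumption for the example (use whatever address your router actually has there).

```python
"""Render and sanity-check an ISC dhcpd shared-network block.

Added example for this post, not ISC DHCP code. SUBNETS mirrors the post's config;
the 192.168.2.1 router produced by corrected() is an assumption for the example.
"""
import ipaddress

# Mirrors the post's config: the second subnet's router is on the first subnet.
SUBNETS = [
    {"network": "192.168.1.0/24", "router": "192.168.1.1",
     "range": ("192.168.1.10", "192.168.1.254")},
    {"network": "192.168.2.0/24", "router": "192.168.1.1",
     "range": ("192.168.2.10", "192.168.2.254")},
]


def check_subnets(subnets) -> list:
    """Return a list of problems; an empty list means the declarations are consistent."""
    problems, seen = [], []
    for s in subnets:
        net = ipaddress.ip_network(s["network"])
        router = ipaddress.ip_address(s["router"])
        low, high = (ipaddress.ip_address(a) for a in s["range"])
        if router not in net:
            problems.append(f"{net}: router {router} is not inside the subnet")
        if low not in net or high not in net:
            problems.append(f"{net}: range {low}-{high} is not inside the subnet")
        elif low > high:
            problems.append(f"{net}: range {low}-{high} is reversed")
        if low <= router <= high:
            problems.append(f"{net}: router {router} lies inside the dynamic range")
        if low == net.network_address or high == net.broadcast_address:
            problems.append(f"{net}: range includes the network or broadcast address")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


def corrected(subnets) -> list:
    """Copy of the definitions with any off-link router moved to the subnet's first host (assumption)."""
    out = []
    for s in subnets:
        net = ipaddress.ip_network(s["network"])
        on_link = ipaddress.ip_address(s["router"]) in net
        out.append({**s, "router": s["router"] if on_link else str(net.network_address + 1)})
    return out


def render_shared_network(name, domain, dns, subnets) -> str:
    """Emit the shared-network block in dhcpd.conf syntax."""
    lines = [f'shared-network "{name}" {{',
             f'  option domain-name "{domain}";',
             f"  option domain-name-servers {dns};"]
    for s in subnets:
        net = ipaddress.ip_network(s["network"])
        lines += [f"  subnet {net.network_address} netmask {net.netmask} {{",
                  "    authoritative;",
                  f"    option routers {s['router']};",
                  "    allow unknown-clients;",
                  f"    range {s['range'][0]} {s['range'][1]};",
                  "  }"]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(check_subnets(SUBNETS))
    fixed = corrected(SUBNETS)
    print(check_subnets(fixed))
    print(render_shared_network("officea01", "officea01.domain.org", "192.168.1.1", fixed))
```

The checks are deliberately stricter than dhcpd itself, which accepts an off-link router without complaint; it is the clients that end up without a default route.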

The instructions below are not necessary; however, I decided to add an alias to the LAN interface so I can see 192.168.2.0/24 addresses in the ARP table.

ifconfig eth1:0 192.168.2.1 netmask 255.255.255.0 up

And to make it permanent edit /etc/network/interfaces:

auto eth1:0
iface eth1:0 inet static
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255
network 192.168.2.0

Policy routing with IP Filter on FreeBSD

Saturday, January 3rd, 2009

In this post I’ll write about implementing policy routing with IP Filter on FreeBSD. Policy routing is the process of forcing packets to follow a particular route, not necessarily through the default gateway. This is very useful in a multihomed environment where your FreeBSD server acts as a router and you want different networks to be routed differently based on source network or interface.

(more…)

Routing networks differently on a multihomed Cisco router with NAT

Monday, July 21st, 2008
  • Cisco 3745 with three network interfaces: one Serial (SER0/0) and two FastEthernet (ETH0/0, ETH0/1)
  • Provider A — primary ISP providing satellite link (SER0/0).
  • Provider B — secondary ISP with fiber link (ETH0/0).
  • Site X — our LAN (ETH0/1)

(more…)