Thursday, May 31, 2012

MSR Configuration
acl number 3000
rule 0 permit ip source destination
rule 1 deny ip
ike peer cisco
pre-shared-key cipher KGbZf6H3xPqAzXG81XUt0g==
ipsec proposal xyz
esp authentication-algorithm sha1
ipsec policy 3com 10 isakmp
security acl 3000
ike-peer cisco
proposal xyz
interface Ethernet0/1
port link-mode route
ip address
interface Serial0/0
link-protocol ppp
ip address
ipsec policy 3com

Result: OK
<MSR2011>dis ipsec se
    total sessions : 3
    tunnel-id : 0
    session idle time/total duration (sec) : 44/300
    session flow :      (2 times matched)
        Sour Addr :             Sour Port:  179  Protocol : 6
        Dest Addr :             Dest Port:44252  Protocol : 6
    tunnel-id : 0
    session idle time/total duration (sec) : 9/300
    session flow :      (7 times matched)
        Sour Addr :             Sour Port:    0  Protocol : 89
        Dest Addr :             Dest Port:    0  Protocol : 89
    tunnel-id : 3
    session idle time/total duration (sec) : 0/300
    session flow :      (78 times matched)
        Sour Addr :             Sour Port:    0  Protocol : 1
        Dest Addr :             Dest Port:    0  Protocol : 1
<MSR2011>dis ipsec tun
    total tunnel : 1

Connection ID : 3
    Perfect forward secrecy: None
    SA's SPI :
        Inbound :  368395233 (0x15f543e1) [ESP]
        Outbound : 4233487164 (0xfc55e33c) [ESP]
    Tunnel :
        Local Address:  Remote Address :
    Flow :
        Sour Addr :  Port: 0  Protocol : IP
        Dest Addr :  Port: 0  Protocol : IP
    Current Encrypt-card : None
<MSR2011>dis ipsec stat
  the security packet statistics:
    input/output security packets: 89/89
    input/output security bytes: 5340/5340
    input/output dropped security packets: 0/5
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 5
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
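The dropped-packet detail above is the part of this output worth watching over time. The following parser is an added example, not code from the original post or from Comware: it reads the display ipsec statistics output in the format shown above and lists every non-zero drop reason, tagging the ones that can indicate tampering or a peer mismatch (failed authentication, replay, wrong SA) separately from operational ones such as "can't find SA", which is typically seen when traffic arrives before an SA is negotiated or after it is torn down. The sample text embedded below is constructed from the counters in the post.

```python
import re

# Constructed sample, modelled on the "dis ipsec stat" output shown in the post.
SAMPLE_OUTPUT = """\
  the security packet statistics:
    input/output security packets: 89/89
    input/output security bytes: 5340/5340
    input/output dropped security packets: 0/5
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 5
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
"""

# "input/output <counter>: in/out" lines in the summary block.
PAIR_RE = re.compile(r"^\s*input/output (?P<what>[\w ]+?): (?P<in>\d+)/(?P<out>\d+)\s*$")
# "<reason>: <count>" lines inside the drop detail block.
DETAIL_RE = re.compile(r"^\s+(?P<reason>[^:]+): (?P<count>\d+)\s*$")

# Drop reasons that point at a crypto or peer problem rather than load/timing.
SECURITY_REASONS = {"authentication has failed", "replay packet", "wrong SA"}


def parse_ipsec_statistics(text):
    """Return {'counters': {name: (in, out)}, 'drops': {reason: count}}."""
    counters, drops = {}, {}
    in_detail = False  # becomes True once the detail header has been seen
    for line in text.splitlines():
        if "dropped security packet detail" in line:
            in_detail = True
            continue
        m = PAIR_RE.match(line)
        if m and not in_detail:
            counters[m.group("what")] = (int(m.group("in")), int(m.group("out")))
            continue
        m = DETAIL_RE.match(line)
        if m and in_detail:
            drops[m.group("reason").strip()] = int(m.group("count"))
    return {"counters": counters, "drops": drops}


def drop_alerts(stats):
    """List (reason, count, severity) for every non-zero drop reason."""
    return [(reason, count, "security" if reason in SECURITY_REASONS else "operational")
            for reason, count in stats["drops"].items() if count]
```

Polling this periodically and alerting on any "security" entry, or on a rising "can't find SA" count that never settles, catches a failing tunnel long before users notice.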

Monday, May 21, 2012

Trying to understand #VEPA ?

How to Mirror #vlan in an #irf stack

Once you enable IRF on a device the option to mirror a VLAN or any virtual interface is disabled.

For example, you may have a situation where you want to mirror a VLAN and send the traffic off to an IDS for inspection.

You have two options how you can get around this when using IRF.
1. You can mirror every port that belongs to the VLAN and send that traffic to a monitor port.
2. You can create a QoS policy and have the action be to mirror traffic. Then apply this policy to the required ports.

Here’s an example of a mirroring policy. I created this on a 5800 but it should be similar on any Comware device.

acl number 3000 name mirror
rule 0 permit ip source
traffic classifier mirror-class operator and
if-match acl name mirror
traffic behavior mirror-behavior
mirror-to interface GigabitEthernet1/0/12
qos policy mirror-policy
classifier mirror-class behavior mirror-behavior
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 47
qos apply policy mirror-policy inbound
qos apply policy mirror-policy outbound

This is a perfect solution for many networks. You can create a policy that matches the subnets of the VLANs you want to mirror, then apply the policy to the appropriate interfaces. You can also create two different policies. This would allow you to have a monitor port on 12508-1 and a different monitor port on 12508-2, so the mirrored traffic remains local and does not cross the IRF links.

Thursday, May 10, 2012

48 port line rate 10gb SFP+ module!!!   (no oversubscription to the backplane)
New 12 slot chassis!
4 port 40gb QSFP module!!!
256,000 mac address support!
Four chassis IRF allows you to build 2000+ 10gb ports in a single operational core!!!

Product info:

Wednesday, May 9, 2012

Configure #Provision to authenticate with #Cisco #ACS

Thanks to Neil Moore for putting together a recording on this:

#Authorization of Comware using #Cisco #ACS

Thank you to Chris Evans for this sample (and tested) config:

Cisco ACS has a built-in list of known IOS commands. Under my user group I had the authorization set to none, but it still rejected the Comware commands. I had to change the ‘shell command authorization set’ to ‘per group command authorization’ and then told it to permit unmatched commands.

*I’m on ACS version 4.1.1(23) so the experience might be different for newer versions.*

Final working config:
hwtacacs scheme tacacs+
primary authentication x.x.x.x
primary authorization x.x.x.x
primary accounting x.x.x.x
nas-ip <src IP>
key authentication <password>
key authorization <password>
key accounting <password>
user-name-format without-domain

domain aaa
authentication default hwtacacs-scheme tacacs+ local
authorization default hwtacacs-scheme tacacs+ local
accounting default hwtacacs-scheme tacacs+ local
access-limit disable
state active
idle-cut disable
self-service-url disable

user-interface vty 0 4
authentication-mode scheme
command authorization
command accounting

Monday, May 7, 2012

#HPN #5400 #802.1x w/mac auth and guest vlan config sample

Running configuration:

; J8697A Configuration Editor; Created on release #K.15.06.0006
; Ver #01:0d:0c

hostname "5406-Procurve"

vlan 1
   name "production"
   untagged A1-A24,B1-B24,C1-C2
   ip address
vlan 25
   name "vlan25-guest"
   ip address
   tagged A1

radius-server host key "hphp1234"

aaa accounting update periodic 15
aaa accounting network start-stop radius
aaa authentication login privilege-mode
aaa authentication telnet login radius
aaa authentication telnet enable radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius

aaa port-access authenticator B1-B20
aaa port-access authenticator B1 auth-vid 1
aaa port-access authenticator B1 client-limit 2

aaa port-access authenticator active

aaa port-access mac-based B1-B20
aaa port-access mac-based B1 unauth-period 1
aaa port-access mac-based B1 unauth-vid 25

aaa port-access mac-based addr-format multi-dash

Tuesday, May 1, 2012

Local port mirror with multiple monitor ports

Example of configuring local port mirroring with multiple monitor ports

Configuration procedure
# Create remote source mirroring group 1.
<SwitchA> system-view
[SwitchA] mirroring-group 1 remote-source

# Configure GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as mirroring ports of remote source mirroring group 1.
[SwitchA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 to gigabitethernet 1/0/3

# Configure an unused port (GigabitEthernet 1/0/5 for example) of Switch A as the reflector port of remote source mirroring group 1, and disable STP on the port.
[SwitchA] mirroring-group 1 reflector-port GigabitEthernet 1/0/5
[SwitchA] interface GigabitEthernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] undo stp enable

# Create VLAN 10 and assign the three ports (GigabitEthernet 1/0/11 through GigabitEthernet 1/0/13) connecting the three data monitoring devices to VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/11 to gigabitethernet 1/0/13
[SwitchA-vlan10] quit

# Configure VLAN 10 as the remote probe VLAN of remote source mirroring group 1.
[SwitchA] mirroring-group 1 remote-probe vlan 10

Local port mirroring (span) config example

Local port mirroring configuration example (in mirroring port mode)
Network requirements

Configuration procedure

1. Create a local mirroring group.
# Create local mirroring group 1.

<DeviceA> system-view
[DeviceA] mirroring-group 1 local

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports and port GigabitEthernet 1/0/3 as the monitor port.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2
[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/3

# Disable Spanning Tree Protocol (STP) on the monitor port GigabitEthernet 1/0/3.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] undo stp enable
[DeviceA-GigabitEthernet1/0/3] quit

2. Verify the configurations.
# Display the configuration of all port mirroring groups.

[DeviceA] display mirroring-group all
mirroring-group 1:
type: local
status: active
mirroring port:
GigabitEthernet1/0/1 both
GigabitEthernet1/0/2 both
mirroring CPU:
monitor port: GigabitEthernet1/0/3

After the configuration is complete, all packets received and sent by GigabitEthernet 1/0/1 and 1/0/2 are copied to the monitoring device attached to GigabitEthernet 1/0/3.