The Network Monkey is all about commentary and opinion, with a primary focus on helping people who are looking to buy or use HP Networking equipment.
Thursday, May 31, 2012
#hp #msr #router #ipsec configuration
MSR Configuration
#
acl number 3000
 rule 0 permit ip source 50.50.50.0 0.0.0.255 destination 30.30.30.0 0.0.0.255
 rule 1 deny ip
#
ike peer cisco
 pre-shared-key cipher KGbZf6H3xPqAzXG81XUt0g==
 remote-address 10.10.10.2
#
ipsec proposal xyz
 esp authentication-algorithm sha1
#
ipsec policy 3com 10 isakmp
 security acl 3000
 ike-peer cisco
 proposal xyz
#
interface Ethernet0/1
 port link-mode route
 ip address 50.50.50.1 255.255.255.0
#
interface Serial0/0
 link-protocol ppp
 ip address 10.10.10.1 255.255.255.252
 ipsec policy 3com

Result: OK
<MSR2011>dis ipsec se
------------------------------------------------------------
total sessions : 3
------------------------------------------------------------
tunnel-id : 0
session idle time/total duration (sec) : 44/300
session flow : (2 times matched)
  Sour Addr : 10.10.10.1   Sour Port: 179    Protocol : 6
  Dest Addr : 10.10.10.2   Dest Port: 44252  Protocol : 6
------------------------------------------------------------
tunnel-id : 0
session idle time/total duration (sec) : 9/300
session flow : (7 times matched)
  Sour Addr : 10.10.10.1   Sour Port: 0      Protocol : 89
  Dest Addr : 224.0.0.5    Dest Port: 0      Protocol : 89
------------------------------------------------------------
tunnel-id : 3
session idle time/total duration (sec) : 0/300
session flow : (78 times matched)
  Sour Addr : 50.50.50.2   Sour Port: 0      Protocol : 1
  Dest Addr : 30.30.30.2   Dest Port: 0      Protocol : 1

<MSR2011>dis ipsec tun
total tunnel : 1
------------------------------------------------
Connection ID : 3
Perfect forward secrecy: None
SA's SPI :
  Inbound  : 368395233 (0x15f543e1) [ESP]
  Outbound : 4233487164 (0xfc55e33c) [ESP]
Tunnel :
  Local Address: 10.10.10.1   Remote Address : 10.10.10.2
Flow :
  Sour Addr : 50.50.50.0/255.255.255.0   Port: 0   Protocol : IP
  Dest Addr : 30.30.30.0/255.255.255.0   Port: 0   Protocol : IP
Current Encrypt-card : None

<MSR2011>dis ipsec stat
the security packet statistics:
  input/output security packets: 89/89
  input/output security bytes: 5340/5340
  input/output dropped security packets: 0/5
  dropped security packet detail:
    not enough memory: 0
    can't find SA: 5
    queue is full: 0
    authentication has failed: 0
    wrong length: 0
    replay packet: 0
    packet too long: 0
    wrong SA: 0
<MSR2011>
Wednesday, May 30, 2012
Old news..but still cool.. #HPN on the @internationalspacestation
A customer of mine just brought this up this morning...
http://www.hp.com/rnd/pdfs/space_station.pdf
Monday, May 21, 2012
How to Mirror #vlan in an #irf stack
Once you enable IRF on a device, the option to mirror a VLAN or any other virtual interface is disabled. For example, you may have a situation where you want to mirror a VLAN and send the traffic to an IDS for inspection.
You have two options for getting around this when using IRF.
1. You can mirror every port that belongs to the VLAN and send that traffic to a monitor port.
2. You can create a QoS policy whose action is to mirror traffic, then apply this policy to the required ports.
Here's an example of a mirroring policy. I created this on a 5800, but it should be similar on any Comware device.
acl number 3000 name mirror
 rule 0 permit ip source 10.0.0.0 0.255.255.255
#
traffic classifier mirror-class operator and
 if-match acl name mirror
#
traffic behavior mirror-behavior
 mirror-to interface GigabitEthernet1/0/12
#
qos policy mirror-policy
 classifier mirror-class behavior mirror-behavior
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 47
 qos apply policy mirror-policy inbound
 qos apply policy mirror-policy outbound
This is a perfect solution for many networks. You can create a policy that matches the subnets of the VLANs you want to mirror, then apply the policy to the appropriate interfaces. You can also create two different policies. This would allow you to have a monitor port on 12508-1 and a different monitor port on 12508-2, so the mirrored traffic remains local and does not cross the IRF links.
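The per-chassis variant described above means one ACL, classifier, behavior and policy per IRF member, each pointing at that member's own monitor port. The following is an added example (my code, not from the post) that generates that configuration from a subnet list and the source ports; it assumes the IRF member ID is the first number in the Comware interface name and uses constructed ACL numbers (3000 + member).

```python
import re
from collections import defaultdict

# In an IRF fabric Comware names ports <member>/<slot>/<port> (or <member>/<slot>/<subslot>/<port>
# on chassis switches such as the 12508); the first field is the IRF member that owns the port.
IFACE_RE = re.compile(r"^[A-Za-z-]+(\d+)(?:/\d+){2,3}$")

def irf_member(iface):
    """Return the IRF member ID encoded in the interface name."""
    m = IFACE_RE.match(iface)
    if not m:
        raise ValueError(f"unrecognised interface name: {iface}")
    return int(m.group(1))

def wildcard(prefix_len):
    """Comware ACLs take wildcard masks (0 bits must match): /8 -> 0.255.255.255."""
    inv = (1 << (32 - prefix_len)) - 1
    return ".".join(str((inv >> s) & 0xFF) for s in (24, 16, 8, 0))

def mirror_policies(subnets, ports, monitor_ports):
    """Build one ACL/classifier/behavior/policy per IRF member so mirrored traffic
    goes to that member's local monitor port and never crosses the IRF links.
    subnets: ["10.0.0.0/8", ...]; ports: source interfaces; monitor_ports: {member: iface}."""
    by_member = defaultdict(list)
    for p in ports:
        by_member[irf_member(p)].append(p)
    out = []
    for member in sorted(by_member):
        if member not in monitor_ports:
            raise ValueError(f"no monitor port defined for IRF member {member}")
        name = f"mirror-m{member}"
        out.append(f"acl number {3000 + member} name {name}")   # constructed numbering scheme
        for i, cidr in enumerate(subnets):
            net, plen = cidr.split("/")
            out.append(f" rule {i} permit ip source {net} {wildcard(int(plen))}")
        out += ["#", f"traffic classifier {name}-class operator and", f" if-match acl name {name}",
                "#", f"traffic behavior {name}-behavior",
                f" mirror-to interface {monitor_ports[member]}",      # this member's own port
                "#", f"qos policy {name}-policy",
                f" classifier {name}-class behavior {name}-behavior", "#"]
        for p in by_member[member]:                               # apply on each source port
            out += [f"interface {p}", f" qos apply policy {name}-policy inbound",
                    f" qos apply policy {name}-policy outbound", "#"]
    return "\n".join(out)
```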
Thursday, May 10, 2012
#HPN releases updates to the #10500 switch
48 port line rate 10gb SFP+ module!!! (no oversubscription to the backplane)
New 12 slot chassis!
4 port 40gb QSFP module!!!
256,000 mac address support!
Four chassis IRF allows you to build 2000+ 10gb ports in a single operational core!!!
Product info:
http://h17007.www1.hp.com/us/en/products/switches/HP_10500_Switch_Series/index.aspx
With 13-watt PoE thin clients...why does anyone need #upoe?
I'll tell you... it's all about Cisco selling more expensive ports!!!
Is your #Cisco sales person your business partner? Or your business #vulture?
Remember...he's there to make Cisco money...not to look out for your best interests...
Yes, I know..I work for HP...and I already know what you're thinking...
but the story in this attached article is just embarrassing
http://arstechnica.com/tech-policy/2012/05/a-bizarre-operation-why-west-virginia-stuck-22600-routers-in-tiny-libraries/
#HP unveils low power 13watts #thinclient
WOW!!!!
Who needs 60 watts of power? Even 30 watts!!! wow!! This is game changing!
http://www.hp.com/united-states/campaigns/thin-client-solutions/t410.html?jumpid=reg_r1002_usen
Wednesday, May 9, 2012
Configure #Provision to authenticate with #Cisco #ACS
Thanks to Neil Moore for putting together a recording on this:
#Authorization of Comware using #Cisco #ACS
Thank you to Chris Evans for this sample (and tested) config:
Cisco ACS has a built-in list of known IOS commands. Under my user group I had the authorization set to none, but it still rejected the Comware commands. I had to change the 'shell command authorization set' to 'per group command authorization' and then told it to permit unmatched commands.
*I'm on ACS version 4.1.1(23) so the experience might be different for newer versions.*
Final working config:
hwtacacs scheme tacacs+
 primary authentication x.x.x.x
 primary authorization x.x.x.x
 primary accounting x.x.x.x
 nas-ip <src IP>
 key authentication <password>
 key authorization <password>
 key accounting <password>
 user-name-format without-domain
#
domain aaa
 authentication default hwtacacs-scheme tacacs+ local
 authorization default hwtacacs-scheme tacacs+ local
 accounting default hwtacacs-scheme tacacs+ local
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
user-interface vty 0 4
 authentication-mode scheme
 command authorization
 command accounting
Monday, May 7, 2012
#HPN #5400 #802.1x w/mac auth and guest vlan config sample
Running configuration:
; J8697A Configuration Editor; Created on release #K.15.06.0006
; Ver #01:0d:0c
hostname "5406-Procurve"
vlan 1
name "production"
untagged A1-A24,B1-B24,C1-C2
ip address 192.168.1.40 255.255.255.0
exit
vlan 25
name "vlan25-guest"
ip address 172.16.1.40 255.255.255.0
tagged A1
exit
radius-server host 192.168.1.100 key "hphp1234"
aaa accounting update periodic 15
aaa accounting network start-stop radius
aaa authentication login privilege-mode
aaa authentication telnet login radius
aaa authentication telnet enable radius local
aaa authentication ssh enable radius local
aaa authentication port-access eap-radius
aaa port-access authenticator B1-B20
aaa port-access authenticator B1 auth-vid 1
aaa port-access authenticator B1 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based B1-B20
aaa port-access mac-based B1 unauth-period 1
aaa port-access mac-based B1 unauth-vid 25
aaa port-access mac-based addr-format multi-dash
Tuesday, May 1, 2012
Local port mirror with multiple monitor ports
Example of configuring local port mirroring with multiple monitor ports
Configuration procedure
# Create remote source mirroring group 1.
<SwitchA> system-view
[SwitchA] mirroring-group 1 remote-source
# Configure GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 as mirroring ports of remote source mirroring group 1.
[SwitchA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 to gigabitethernet 1/0/3 both
# Configure an unused port (GigabitEthernet 1/0/5 for example) of Switch A as the reflector port of remote source mirroring group 1, and disable STP on the port.
[SwitchA] mirroring-group 1 reflector-port GigabitEthernet 1/0/5
[SwitchA] interface GigabitEthernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] undo stp enable
[SwitchA-GigabitEthernet1/0/5] quit
# Create VLAN 10 and assign the three ports (GigabitEthernet 1/0/11 through GigabitEthernet 1/0/13) connecting the three data monitoring devices to VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] port gigabitethernet 1/0/11 to gigabitethernet 1/0/13
[SwitchA-vlan10] quit
# Configure VLAN 10 as the remote probe VLAN of remote source mirroring group 1.
[SwitchA] mirroring-group 1 remote-probe vlan 10
Local port mirroring (span) config example
Local port mirroring configuration example (in mirroring port mode)
Network requirements
Configuration procedure
1. Create a local mirroring group.
# Create local mirroring group 1.
<DeviceA> system-view
[DeviceA] mirroring-group 1 local
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as mirroring ports and port GigabitEthernet 1/0/3 as the monitor port.
[DeviceA] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both
[DeviceA] mirroring-group 1 monitor-port gigabitethernet 1/0/3
# Disable Spanning Tree Protocol (STP) on the monitor port GigabitEthernet 1/0/3.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] undo stp enable
[DeviceA-GigabitEthernet1/0/3] quit
2. Verify the configurations.
# Display the configuration of all port mirroring groups.
[DeviceA] display mirroring-group all
mirroring-group 1:
    type: local
    status: active
    mirroring port:
        GigabitEthernet1/0/1  both
        GigabitEthernet1/0/2  both
    mirroring CPU:
    monitor port: GigabitEthernet1/0/3
After the configuration is complete, the device connected to GigabitEthernet 1/0/3 can monitor all packets received and sent on GigabitEthernet 1/0/1 and 1/0/2.