Network Labs

Automation of switch configuration

Configuring access switches in an enterprise may involve deploying a bunch of identical settings to a load of devices, this kind of work is time consuming and not to say BORING AS HELL!

In case you are working with Cisco or Juniper as the vendor of the devices there is a way of deploying the configuration automatically by using a DHCP+TFTP server.

The process is very simple, at their default configuration a switch will try to receive an IP via DHCP at this moment we can use DHCP in order to point it to the tftp server with a predefined configuration file, after getting this file the device will load it automatically

I'll start with Cisco being the simplest, in case you have a Cisco router and a Cisco switch you can use the router as both the DHCP and the TFTP server, to do so:

P2P interface facing the switch, all we need here is an IP

Interface GigabitEthernet x/y
Ip address x.x.x.1 255.255.255.0

DCHP scope

ip dhcp pool <SCOPE NAME>
   network x.x.x.0 255.255.255.0
   bootfile network-confg
   option 150 ip x.x.x.1

Enable TFTP server function of the router (don’t forget to put the file in the local flash of the Router)

tftp-server flash: network-confg

In case there is no Router, the Router doesn't support the TFTP-Server function or you just have a dedicated servers you want to use

All you need is to use all you need is to is to configure the pool with option 150 pointing to the TFTP server and put a config file on the TFTP root folder.

Note that Cisco will first load a file with one of the following names: network-confg\ router-confg\ ciscortr.cfg \ cisconet.cfg
I suggest including "no service config" in the base configuration file, otherwise as the configuration is loaded the device will try to load a new file with its' new host-name every time it renews the DHCP lease.

Now let's move to another vendor – Juniper, in this case it's a bit more complicated as we need a couple more DHCP options.

In Juniper's case the process is very similar, with the difference that the switch includes a software upgrade as part of the process so we need more free space on the tftp server, for this example I used Red Hat Linux for both the DHCP and the TFTP, here is the configuration the DHCP side, first of all DHCPD has to be ISC 4 and above.

Edit /etc/dhcp/dhcpd.conf

Under "# Define Custom Options"

Configure new option group, in my case named Juniper

option space JUNIPER; #option;

configure all the suboptions to be "text" type

option JUNIPER.config-file-name code 1 = text;

option JUNIPER.image-file-type code 2 = text;

option JUNIPER.transfer-mode code 3 = text;

option JUNIPER.image-file-name code 00= text;

option JUNIPER.alt-image-file-name code 4= text;

add options 43 and 150 to the group

option JUNIPER -encapsulation code 43 = encapsulate JUNIPER;

option option-150 code 150 = ip-address;

*Note the type of option 150 is IP.

After we configured the group we can use it in the scope itself, in the same file add the scope configuration

subnet x.x.x.0 netmask 255.255.255.0

option routers <Default Gateway IP>;

option host-name "default";

host-name option will change the hostname of the switch, note that the switch will only load the configuration file with the name of its hostname.

option subnet-mask 255.255.255.0;

option domain-search "networklabs.info";

option domain-name-servers <DNS SERVER IP>;

option ntp-servers <NTP SERVER IP>;

option option-150 <TFTP SERVER IP>;

option tftp-server-name "<TFTP SERVER IP/HOSTNAME>";

option JUNIPER.image-file-name "/<NEW JUNOS VERSION FOR THE SWITCH TO LOAD>";

option JUNIPER.config-file-name "/<CONFIG FILE, MUST BE HOST-NAME.config>";

Image type is the Vendor requirement.

option JUNIPER.image-file-type "symlink";

The transfer more can be http/ftp/tftp/sftp but must be defined.

option JUNIPER.transfer-mode "tftp";

option JUNIPER.alt-image-file-name "/<NEW JUNOS VERSION FOR THE SWITCH TO LOAD ON THE ALTERNATE SLICE, RECOMMENDED TO BE IDENTICAL>"

Define the range of IP's for the DHCP server.

range x.x.x.100 x.x.x.150;

}

In FTP transfer mode request will be made via anonymous user.

Big thanks to Omer Shtivi for the resources and help with implementation.

Hope this post was helpful, If it was please consider a donation

BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

"Recovering" F5 from Appliance mode

When a device is activated with license that include App Mode the root user and all access to the BASH is being blocked.

In case the activation of the app mode was not wanted we need to install a different license without this feature and modify the DB to disable this mode, to do so just run the following command after installing the new key :

(tmos)# modify /sys db systemauth.disablerootlogin value false

in case a key is yet to be changed you'll get an error :

01070356:3: Root Account feature not licensed.

To better secure the device it is recomended to keep it in this mode.
Enable this mode by running:

(tmos)# modify /sys db systemauth.disablerootlogin value true

Hope this post was helpful, If it was please consider a donation

BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

Cisco Line Menu

Hi all,

Here is a nice feature you can use on a Cisco device to make the usage easier in case of a console server or just for limiting access for an experienced user - We can create a menu with pre-configured commands \ actions.

Here is an example for I used for a terminal access server

Configure aliases for the host which we'll connect to

ip host <Device-Name> <Connection-Port> <Device-IP>
ip host R2 23 1.1.1.2
ip host R3 23 1.1.1.3

Create a banner for the menu

menu Menu-1 title ^
**********************************************************
You have reached NetworkLabs-R1
Please use the menu bellow

**********************************************************
^

And now we create the menu

menu Menu-1 prompt ^C Your selection : ^C
menu Menu-1 text 1 Connect to R2 - 23
menu Menu-1 text s show active sessions
menu Menu-1 text e exit the menu
menu Menu-1 text q close the connection
menu Menu-1 command 1 resume R2 /connect telnet R2
menu Menu-1 command s show sessions
menu Menu-1 command e menu-exit
menu Menu-1 command q exit

First we configured the prompt for the command selection, then the text for "1,s,e,q' then the commands that will be issued according to the selection.

Suggest to add the following for the menu to clear the screen and allow only and loop back to the prompt after each selection

menu Menu-1 clear-screen
menu Menu-1 line-mode

At this point the menu can be activated by running "menu Menu-1" from the command line.

you may want to add the menu to be activated automatically on VTY login by adding

line vty 0 4
autocommand menu Menu-1

Hope this post was helpful, If it was please consider a donation:

BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

F5 BigIP Cluster

Here is a sort of "Best practices guide" for a Cluster configuration on F5's Big-IP devices, I will refer to the configuration of two devices but same applyed to a larger cluster.

First of all we need to make sure

Our license is valid

GUI - System ›› License
CLI - show /sys license

Date and time are synced

GUI - System ›› Configuration ›› Device ›› NTP
CLI - tmsh list /sys ntp servers or ntpq -npdate or date -s "Day Month Year HH:mm:ss"

both devices have a VLAN for the sync, hopefully it's a point to point link connected between both devices

Layer 2 - Network ›› VLAN ›› Create

CLI > tmsh create net vlan Sync interfaces add { 1.1 }

Layer 3 - Netwok ›› Self IPs ›› Create

CLI > tmsh create net self Sync vlan Sync allow-service default address 1.1.1.1/30

An important note here is the "Port Lockdown" - make not to use "allow none" as it will not allow sync traffic between the devices. other than that - only the IP\Subnet configuration.

Append the P2P to the cluster mechanism - Device Management ›› Devices ››<DEVICE_NAME> ››Device Connectivity

ConfigSyn (The interface will be used for synchronizing the configuration between the devices)

Failover:

**It is highly recommended to use a "real" network Vlan for the failover interface this way a problem with the Vlan which is actually used for traffic will cause a faileover.

Mirroring ( the interface used to synchronize connection tables between the devices ) :

CLI > tmsh modify cm device <Device_Name> configsync-ip 1.1.1.1 mirror-ip 1.1.1.1 unicast-address { { effective-ip 1.1.1.1 effective-port cap ip 1.1.1.1 } }

I like to resetting the device trust prior configuring the cluster so that any leftovers of privious config will be cleared and the local certificate will be regenerated.

To do so - Device Management ›› Device Trust ›› Reset Device Trust

At this point we are done with the preparations.

From one of the devices go to - Device Management ›› Device Trust : Peer List ›› Create

I Like using the P2P IP's but it's an identifier only so Management IP are good as well.

After clicking "Retrieve Device Information" we should get the 2nd device's certificate, IP and couple more details.

To make sure connectivity is correct, go to Device Management ›› Devices

In case of a problem one of the devices will be red ( disconnected ) in which case check steps above the steps above

Next group the devices - Device Management ›› Device Groups

CLI - tmsh create cm device-group sync-fail devices add { <Device_Names> } network-failover enabled

The Type should be Sync-Failover and both devices are selected.

Now one of the devices will become standby ( If not - check steps above)

Now all we have to do is initiate a sync between the devices - Device Management ›› Overview ›› Sync

CLI - run cm config-sync to-group sync-fail

Select the device containing the newest configuration, select "Sync Device to Group" and click "Sync"

I like to create a more proactive configuration by adding a pool which consists of a couple of servers as the representation of the LAN and the ISP \ FW as the representation of the WAN, so as long as this pool is active we have both LAN and WAN connectivity from the device and if the pool fails F5 lost WAN\LAN access so we need to failover.

Then add the pool as a trigger for a failover - System ›› High Availability

CLI - create sys ha-group HA active-bonus 0 enabled pools add { <Pool_Name> { weight 80 } }

*The highest Weight will become active

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

F5 - SSL offloading and intermediate Certificates

The concept of the ssl offloading is very simple, we perform the encryption before reaching the end server,
in other words let's say we have a Data Center with 50 Web servers, we want to make the data more secure by implementing SSL encryption on our HTTP data, at this point we can configure each server to work with https OR we can add a device that adds the SSL on an outgoing packet and removes it from the once coming back, that way our traffic is secured and we save on server resources.

before getting to the configuration part i want to spend a moment on the CA-Bundle or also known as intermediate Certificates .. There are some CA's out there that in order to use them we have to append an Intermediate certificate to the Certificate we have, the intermediate is sort of a reference of our CA pointing it to the root that will verify it, in other words it's the certificate of the CA that authorized our certificate.
for example some browsers will not have the root of Go-daddy even though they're CA is well known and authorized so in case a website using one of there certificates (but no intermediate is installed) will be accessed by and old browser it will show the certificate is not verified and we'll have an error message accessing.

Using the intermediate in the F5 is very simple, all we need to do is import it to the device and append it in the client profile as "Chain Certificate"

Importing the Certificate to the device:
System > File Management > SSL Certificate List > Import

We'll group the intermediate to the certificate and the key using a Profile
Local Traffic > Profiles > SSL > Client

Name the Profile mark Certificate, Key and Chain
Certificate is the certificate we just loaded
key is the private key associated to the certificate, in case we uploaded the certificate that includes the key (for example a 'p12') choose the certificate
and the Chain is the intermediate certificate of our CA

Now all we have to do is apply the Profile on the wanted traffic by adding it to the appropriate virtual server
Local Traffic > Virtual Server

Basic config, Name IP and port

Just need to make sure we choose an HTTP profile and the SSL profile we have configured earlier.

Don't forget to point the Virtual server to the pool you need,
other than that we're all done.

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

Cisco MacSec over Juniper\Cisco MPLS

I would like to share a case I had involving MacSec over a layer 3 link.

The equipment was: 2 Cisco Switches (3750X), Cisco 2821 Router, Juniper J4350 Router.

Objective: establish MacSec between the Switches.

First of all MacSec will not work on layer 3, to make it work we need to emulate layer 1 between the switches, I did this VIA MPLS (Ethernet over MPLS).

OSPF configuration :

Router-1 (Juniper)

# Set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/30
# Set interfaces lo0 unit 0 family inet address 1.1.1.1/32
# Set protocols ospf area 0.0.0.0 interface ge-0/0/1
# Set protocols ospf area 0.0.0.0 interface lo0

Router-2 (Cisco)

interface FastEthernet0/0
ip address 10.10.10.2 255.255.255.252
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
router ospf 10
log-adjacency-changes
network 2.2.2.2 0.0.0.0 area 0
network 10.10.10.0 0.0.0.3 area 0

At this point we should see the OSPF neighboring is up and the loopbacks are known to both routers

MPLS configuration :

Router-1

# set interfaces ge-0/0/1 unit 0 family mpls
# set interfaces ge-0/0/2 encapsulation ethernet-ccc;
# set interfaces ge-0/0/2 unit 0 family ccc;
# set protocols mpls interface all
# set protocols ldp interface ge-0/0/1
# set protocols ldp interface lo0
# set protocols l2circuit neighbor 2.2.2.2 interface ge-0/0/2.0 virtual-circuit-id 10

Router-2

mpls ldp router-id Loopback1 force
interface FastEthernet0/0
mpls ip
interface FastEthernet0/1
xconnect 1.1.1.1 10 encapsulation mpls

Now we should see the MPLS is also up, both the LDP and the virtual circuit
In case the VC is not up try to change the circuit number..

Finally the MacSec itself..

From Both Switches

interface GigabitEthernet2/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
cts manual
no propagate sgt
sap pmk [MacSec Key] mode-list gcm-encrypt null no-encap

Let's test..!

Switch-1#show macsec summary
Interface Transmit SC Receive SC
GigabitEthernet2/0/1 1 1

For more info:

Switch-2#show macsec interface gigabitEthernet 1/0/1
MACsec is enabled
Replay protect : enabled
Replay window : 0
Include SCI : yes
Cipher : GCM-AES-128
Confidentiality Offset : 0
Capabilities
Max. Rx SA : 16
Max. Tx SA : 16
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
Transmit Secure Channels
SCI : 503DE58713810000
Elapsed time : 03:58:49
Current AN: 1 Previous AN: -
SC Statistics
Auth-only (0 / 0)
Encrypt (30755 / 0)
Receive Secure Channels
SCI : C89C1D66EF010000
Elapsed time : 03:58:49
Current AN: 1 Previous AN: -
SC Statistics
Notvalid pkts 0 Invalid pkts 0
Valid pkts 3044 Late pkts 0
Uncheck pkts 0 Delay pkts 0
Port Statistics
Ingress untag pkts 0 Ingress notag pkts 1852
Ingress badtag pkts 0 Ingress unknownSCI pkts 0
Ingress noSCI pkts 0 Unused pkts 0
Notusing pkts 0 Decrypt bytes 6953955
Ingress miss pkts 1852

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

Cisco Catalyst 3560 - IPv6

A quick tip on IPv6 support in a Cisco 3560 Switch, unlike other devices (such as the 3750) the default configuration of the 3560 switch has all IPv6 functionality disabled,
In order to enable the IPv6 on this Catalyst all we need to do is apply the correct template on the device
this can be achieved by running the following command from Global config mode

sdm preferdual-ipv4-and-ipv6 {default |routing | vlan}

After we apply the template the device needs to be rebooted, take into consideration the boot will take about 8-10 minutes...

to read more about this - Visit Cisco's article on the matter: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_53_se/configuration/guide/swipv6.html#wp1059828

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR