Hello, I just started a new website together with my wife to share some tips with networkers.
If you are interested, please visit:
http://www.networkcouple.com
Thank you.
JC's Blog
About Me
- Chao J
- GTA, Ontario, Canada
- Hold the Door!!! CCIE 25938: CCIE Routing & Switching, Security, Voice, and the latest CCIE Data Center. Python+SDN is ongoing.
Saturday, June 25, 2016
Saturday, May 28, 2016
A little experience with Fortigate firewall
Recently I have been working on deploying a Fortigate 3700D in our network. Here are a couple of things I learned during the project.
1) Using a 1G SFP in a 10G port on the Fortigate 3700D to build a port-channel with a Cisco N5K: the Fortigate side must be set to 1000Auto, otherwise the port-channel won't come up.
2) The trusted subnets configured under the admin account affect ping traffic on the data ports as well, not only admin login traffic. Even when ping is allowed on a data port, pings from sources outside the trusted subnet range are dropped.
Saturday, January 28, 2012
Cos-to-DSCP:
By default, the CoS-to-DSCP map is:
CoS | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
---|---|---|---|---|---|---|---|---|
DSCP | 0 | 8 | 16 | 24 | 32 | 40 | 48 | 56 |
Use the following command to change this map on the switch:
switch(config)# mls qos map cos-dscp dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8
DSCP-to-CoS:
By default, the DSCP-to-CoS map is:
DSCP | CoS |
---|---|
0~7 | 0 |
8~15 | 1 |
16~23 | 2 |
24~31 | 3 |
32~39 | 4 |
40~47 | 5 |
48~55 | 6 |
56~63 | 7 |
Use the following command to check the switch map table:
switch#show mls qos maps dscp-cos
To change the DSCP-to-CoS map, use this command:
switch(config)# mls qos map dscp-cos dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8 to cos
Summary:
DSCP Value | DSCP Name | CoS Value |
---|---|---|
0 | Default (BE) | 0 |
8 | CS1 | 1 |
10 | AF11 | 1 |
12 | AF12 | 1 |
14 | AF13 | 1 |
16 | CS2 | 2 |
18 | AF21 | 2 |
20 | AF22 | 2 |
22 | AF23 | 2 |
24 | CS3 | 3 |
26 | AF31 | 3 |
28 | AF32 | 3 |
30 | AF33 | 3 |
32 | CS4 | 4 |
34 | AF41 | 4 |
36 | AF42 | 4 |
38 | AF43 | 4 |
40 | CS5 | 5 |
42 | - | 5 |
44 | - | 5 |
46 | EF | 5 |
48 | CS6 | 6 |
56 | CS7 | 7 |
Note: EF corresponds to DSCP 46, while CoS 5 maps to DSCP 40 in the default CoS-to-DSCP map (the two maps are not symmetric).
AF Drop Level
RFC 2597 defines the assured forwarding (AF) PHB and describes it as a means for a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. The Assured Forwarding PHB guarantees a certain amount of bandwidth to an AF class and allows access to extra bandwidth, if available. There are four AF classes, AF1x through AF4x. Within each class, there are three drop probabilities. Depending on a given network's policy, packets can be selected for a PHB based on required throughput, delay, jitter, loss or according to priority of access to network services.
Classes 1 to 4 are referred to as AF classes. The following table illustrates the DSCP coding for specifying the AF class with the probability. Bits DS5, DS4 and DS3 define the class; bits DS2 and DS1 specify the drop probability; bit DS0 is always zero.
Drop | Class 1 | Class 2 | Class 3 | Class 4 |
---|---|---|---|---|
Low | 001010 AF11 DSCP 10 | 010010 AF21 DSCP 18 | 011010 AF31 DSCP 26 | 100010 AF41 DSCP 34 |
Medium | 001100 AF12 DSCP 12 | 010100 AF22 DSCP 20 | 011100 AF32 DSCP 28 | 100100 AF42 DSCP 36 |
High | 001110 AF13 DSCP 14 | 010110 AF23 DSCP 22 | 011110 AF33 DSCP 30 | 100110 AF43 DSCP 38 |
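The default CoS/DSCP maps and the RFC 2597 bit layout above, worked in code. This is an added example, not Cisco code: the function names are mine, and the helpers decode the DSCP straight from a raw IP ToS byte as well as reproducing the summary table rows.

```python
"""DSCP/CoS helpers matching the Catalyst default maps and the RFC 2597 AF
table above. Added example, not Cisco code. DSCP is the 6-bit field DS5..DS0
(top six bits of the IP ToS byte); CoS is the 3-bit 802.1p priority."""

# Default Catalyst CoS-to-DSCP map from the page: CoS n -> DSCP 8n.
DEFAULT_COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
# AF drop precedence encoded in bits DS2,DS1 (01 low, 10 medium, 11 high).
DROP_LEVEL = {1: "Low", 2: "Medium", 3: "High"}


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the DSCP from a raw IP ToS byte; the low two bits are ECN."""
    return (tos_byte & 0xFF) >> 2


def dscp_to_cos(dscp: int) -> int:
    """Default DSCP-to-CoS map: each block of 8 DSCP values -> one CoS (bits DS5..DS3)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return dscp >> 3


def cos_to_dscp(cos: int, cos_dscp_map: dict = DEFAULT_COS_TO_DSCP) -> int:
    """Default CoS-to-DSCP map; pass your own dict to mirror a custom cos-dscp table."""
    return cos_dscp_map[cos]


def af_class_and_drop(dscp: int):
    """Decode an AF code point per RFC 2597: class = DS5..DS3, drop = DS2..DS1,
    DS0 must be 0. Returns (class 1..4, drop 1..3), or None if not an AF code point."""
    cls, drop, ds0 = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if ds0 == 0 and 1 <= cls <= 4 and drop in DROP_LEVEL:
        return cls, drop
    return None


def dscp_name(dscp: int) -> str:
    """PHB name as used in the summary table: Default (BE), CSn, AFxy, EF or '-'."""
    if dscp == 0:
        return "Default (BE)"
    if dscp == 46:                 # EF is 101110; checked before the AF rule
        return "EF"
    af = af_class_and_drop(dscp)
    if af:
        return f"AF{af[0]}{af[1]}"
    if dscp & 0b111 == 0:          # DS2..DS0 all zero: class selector
        return f"CS{dscp >> 3}"
    return "-"                     # e.g. 42 and 44 have no standard name


def summary_row(dscp: int) -> tuple:
    """One row of the summary table: (DSCP value, DSCP name, CoS value)."""
    return dscp, dscp_name(dscp), dscp_to_cos(dscp)
```

summary_row(46) gives (46, "EF", 5) while cos_to_dscp(5) gives 40, which is exactly the asymmetry the note under the table points out.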
Thursday, January 19, 2012
Avocent Cyclades ACS console server password reset or reset unit factory defaults
The Avocent Cyclades ACS console servers are great little units that run Linux and even give you full root console access. The root password is “tslinux” by default, but if it has been changed then you can boot the unit into single user mode by supplying the argument “single” to the Linux kernel selection during the boot process (make sure you put a space between the existing kernel parameters and “single”), which will drop you to a root prompt.
On my unit, this line comes up as right at the start of the boot process:
Linux/PPC load: root=/dev/ram ramdisk=0x0001F000
So you would type “ single” (remember the space!) to give you:
Linux/PPC load: root=/dev/ram ramdisk=0x0001F000 single
Then just hit enter and the unit will boot up into single user mode and give you the root prompt.
At this point, if you want to restore the entire unit to the factory default settings which will erase all of the configuration, then just run “defconf” and then reboot the unit.
If you want to keep the existing configuration intact but just reset the password then you can just use the traditional Linux passwd tool to edit /etc/passwd:
[root@(none) /]# passwd
New password:
Re-enter new password:
Password changed
[root@(none) /]# saveconf
Checking the configuration file list…
Compressing configuration files into /tmp/saving_config.tar.gz … done.
Saving configuration files to flash … done.
[root@(none) /]# reboot
[root@(none) /]# Restarting system.
Thursday, December 29, 2011
Aruba Authentication Adv Options and Misc.
There are a couple of advanced options under 802.1x authentication. Here is a brief introduction. :)
1. The difference between Normal EAP and AAA FastConnect (EAP-Offload):
Normal EAP:
AAA FastConnect (EAP-Offload):
It is easy to understand and configure:
2. Machine Authentication:
When a Windows device boots, it logs onto the network domain using a machine account: host/<pc-name>.<domain>
You can configure 802.1x for both User and Machine Authentication.
Machine Authentication is optional; it is enabled under L2 Authentication.
Setting Roles for Machine/User Authentication:
3. Blacklist due to failed authentication:
Aruba Controller Authentication Part 2 WPA/WPA2 and 802.1X
This part is about configuring WPA or WPA2 with 802.1x on Aruba Controllers.
1. Configure the external auth-server or internal-db.
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, key rotation, re-auth, etc.).
4. Create an AAA profile and assign the dot1x profile and dot1x server group created in Steps 2 and 3.
5. Create an AP Group and Virtual AP.
6. Assign the AAA profile to the Virtual AP.
7. Configure the SSID profile with the SSID, the required operation mode and authentication to use with dot1x, and other parameters.
802.1x Configuration Example WPA2-AES
Step 1 - Configure a Server :
Step 2 - Configure the Server Group : Create a Server Group and assign the server to it.
NOTE: Multiple servers are allowed. When the "Fail Through" box is unchecked and one server denies the authentication, no request is sent to the remaining servers. When the "Fail Through" box is checked and one server denies the authentication, the request keeps being sent to the remaining servers. Furthermore, with 802.1x authentication, Fail Through only works when AAA FastConnect is enabled.
Step 3 - Configure the AAA Profile to use dot1x
Step 4 - Configure L2 dot1x Profile:
Step 5 Create an AP Group and Virtual AP:
Step 6 Assign the AAA Profile to the VAP
Step 7 Configure SSID to WPA2-AES
Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM, as it is better than the other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the need for a full-fledged hardware upgrade.
A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide the greatest level of security.
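A small model of the server-group "Fail Through" behaviour described in the note under Step 2, so the difference between the checked and unchecked box (and the AAA FastConnect dependency for 802.1x) can be seen on sample users. This is an added example, not ArubaOS code; the servers and users are constructed, and the handling of a server that times out is an assumption not stated in the post.

```python
"""Model of the server-group 'Fail Through' option described in Step 2.
Added example, not ArubaOS code; server responses are constructed."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # server did not answer


def authenticate(servers, user, fail_through, dot1x=False, fastconnect=False):
    """Walk the server group in order and return (outcome, deciding server).

    - A REJECT ends the attempt unless Fail Through is in effect, in which
      case the next server is asked.
    - For 802.1x, Fail Through is only honoured with AAA FastConnect enabled.
    - Assumption (not on the page): a server that times out is skipped and
      the next server is tried regardless of Fail Through.
    """
    effective = fail_through and (fastconnect or not dot1x)
    last_reject = None
    for name, decide in servers:
        result = decide(user)
        if result is Result.ACCEPT:
            return Result.ACCEPT, name
        if result is Result.REJECT:
            last_reject = name
            if not effective:
                return Result.REJECT, name
    if last_reject is None:
        return Result.TIMEOUT, None       # nobody answered
    return Result.REJECT, last_reject


# Constructed servers: corp knows only 'alice', contractor knows only 'bob',
# dead never answers.
def corp_radius(user):
    return Result.ACCEPT if user == "alice" else Result.REJECT


def contractor_radius(user):
    return Result.ACCEPT if user == "bob" else Result.REJECT


def dead_radius(user):
    return Result.TIMEOUT


GROUP = [("dead", dead_radius), ("corp", corp_radius),
         ("contractor", contractor_radius)]
```

With Fail Through checked, "bob" is rejected by corp but accepted by contractor: the option widens who can get in to the union of all servers in the group, which is what to keep in mind when the servers hold different user populations.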