My new Website http://www.networkcouple.com

Hello, I just started a new website with my wife together to share some tips with networkers.
If you are interested, please go visit:
http://www.networkcouple.com

thank you.

A little experience with Fortigate firewall

Recently I am working on deploying Fortigate 3700D in our network. There are couple things just learned during the project.

1) 1G SFP in 10G port on Fortigate 3700D to build Port-channel with Cisco N5K. It must use 1000Auto on Fortigate side, otherwise port-channel won't come up. 

2) Trust subnet configured under admin account will impact data port Ping traffic as well (not only the admin login traffic). It will block Ping on the data port as well, even Ping is allowed, as long as the subnets are not in the Trust subnets range, ping will be dropped.

Cos-to-DSCP:
By default CoS-to-DSCP :
CoS-DSCP map :

cos:   0     1      2      3       4      5     6      7
---------------------------------------------------------
dscp :0    8    16    24    32    40    48    56


Using following command to change this map on switch:

switch(config)# mls qos map cos-dscp dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8

DSCP-to-CoS:
By default DSCP-to-CoS map:

DSCP	CoS
0~7	0
8~15	1
16~23	2
24~31	3
32~39	4
40~47	5
48~55	6
56~63	7

Use following command to check switch map table:
swtich#show mls qos maps dscp-qos

To change DSCP -to-Cos map , use this command:

switch(config)# mls qos map dscp-cos dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8 to cos


Summary: 

DSCP Value	DSCP Name	COS Value
0	Default (BF)	0
8	CS1	1
10	AF11	1
12	AF12	1
14	AF13	1
16	CS2	2
18	AF21	2
20	AF22	2
22	AF23	2
24	CS3	3
26	AF31	3
28	AF32	3
30	AF33	3
32	CS4	4
34	AF41	4
36	AF42	4
38	AF43	4
40	CS5	5
42		5
44		5
46	EF	5
48	CS6	6
56	CS7	7

Note: EF is matching DSCP=46; COS=5 is matching DSCP=40

AF Drop Level

RFC 2597 defines the assured forwarding (AF) PHB and describes it as a means for a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. The Assured Forwarding PHB guarantees a certain amount of bandwidth to an AF class and allows access to extra bandwidth, if available. There are four AF classes, AF1x through AF4x. Within each class, there are three drop probabilities. Depending on a given network's policy, packets can be selected for a PHB based on required throughput, delay, jitter, loss or according to priority of access to network services.
Classes 1 to 4 are referred to as AF classes. The following table illustrates the DSCP coding for specifying the AF class with the probability. Bits DS5, DS4 and DS3 define the class; bits DS2 and DS1 specify the drop probability; bit DS0 is always zero.

Drop	Class 1	Class 2	Class 3	Class 4
Low	001010 AF11 DSCP 10	010010 AF21 DSCP 18	011010 AF31 DSCP 26	100010 AF41 DSCP 34
Medium	001100 AF12 DSCP 12	010100 AF 22 DSCP 20	011100 AF32 DSCP 28	100100 AF42 DSCP 36
High	001110 AF13 DSCP 14	010110 AF23 DSCP 22	011110 AF33 DSCP 30	100110 AF43 DSCP 38

Avocent Cyclades ACS console server password reset or reset unit factory defaults

Avocent Cyclades ACS console server password reset or reset unit factory defaults

The Avocent Cycaldes ACS console servers are great little units that run Linux and even give you full root console access. The root password is “tslinux” by default, but if it has been changed then you can boot the unit into single user mode by supplying the argument “single” to the Linux kernel selection during the boot process (make sure you put a space between the existing Kernel parameters and “single”) which will drop you to a root prompt.

On my unit, this line comes up as right at the start of the boot process:

Linux/PPC load: root=/dev/ram ramdisk=0x0001F000

So you would type ” single” (remember the space!) to give you:

Linux/PPC load: root=/dev/ram ramdisk=0x0001F000 single

Then just hit enter and the unit will boot up into single user mode and give you the root prompt.

At this point, if you want to restore the entire unit to the factory default settings which will erase all of the configuration, then just run “defconf” and then reboot the unit.

If you want to keep the existing configuration intact but just reset the password then you can just use the traditional Linux passwd tool to edit /etc/passwd:

[root@(none) /]# passwd
New password:
Re-enter new password:
Password changed
[root@(none) /]# saveconf
Checking the configuration file list…
Compressing configuration files into /tmp/saving_config.tar.gz … done.
Saving configuration files to flash … done.
[root@(none) /]# reboot
[root@(none) /]# Restarting system.

 Original link : http://new.spheron1.co.uk/2010/11/06/avocent-cyclades-acs-console-server-password-reset-or-reset-unit-factory-defaults/ 

Aruba Authentication Adv Options and Misc.

There are couple Adv options under  the 802.1x authentication. Let's get some brief introduction. :)
1.
The difference between Normal EAP and AAA FastConnect (EAP-Offload) :

Normal EAP:

AAA FastConnect (EAP-Offload):

It is easy to understand and configure :

2. Machine Authentication :
when a Windows device boots, it logs onto the network domain using a machine account: host/<pc-name>.<domain>
You can configure 802.1x for both User and Machine Authentication.
Machine Authentication optional : it is under L2 Authentication .

Setting Roles for Machine/User Authentication:

  3 Blacklist due to failed authentication :

Aruba Controller Authentication Part 2 WPA/WPA2 and 802.1X

This part is about configuring WPA or WPA2 and 802.1x on Aruba Controllers.
1. Configure the external auth-server or internal-db
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, Key rotation, re-auth, etc)
4. Create a AAA profile and assign the dot1x profile and dot1x server-groups created in Step 2 and 3.
5. Create an AP Group and Virtual AP
6. Assign the AAA to the Virtual AP
7. Configure the SSID profile with the SSID and required operations mode and authentication (etc.) to use with dot1x... and other parameters.

 802.1x Configuration Example WPA2-AES

Step 1 - Configure a Server :

 

 Step 2 - Configure the Server Group : Create a Server Group and assign the server to it.

 NOTE: Multiple servers are allowed. When "Fail Through" box is unchecked, if one server denied the auth, then no request sent to rest servers. When "Fail Through" box is checked, if one server denied the auth, the auth request will keep sending to rest servers. Furthermore, when using 802.1x authentication, Fail Through only works with AAA FastConnect enabled.

 Step 3 - Configure the AAA Profile to use dot1x

 Step 4 - Configure L2 dot1x Profile:

 Step 5 Create an AP Group and Virtual AP:

 Step 6 Assign the AAA Profile to the VAP

Step 7 Configure SSID to WPA2-AES

 Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM as it is better than other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the neeed for a full-fledged hardware upgrade.

A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide te greatest level of security.