Friday, December 14, 2012

Ubiquiti Unifi POE

The Ubiquiti Unifi is a fairly cheap and straightforward managed WiFi solution if you are happy with an L2 bridging architecture and don't need many extras.
My biggest issue with the hardware is the non-standard POE implementation, which uses 24V "Ubiquiti POE".

Based on the datasheet and experience (http://www.ubnt.com/downloads/datasheets/unifi/UniFi_AP_Datasheet.pdf), our base UAP devices can't directly use 802.3af POE; only the UAP-Pro models can do that. Luckily, an official POE adapter is sold by Ubiquiti (http://www.ubnt.com/8023af), and it's pretty cheap.

The 802.3af POE is 48V, but fear not: standard POE uses a detection mechanism before sending out the juice, so it won't fry your Unifi AP if you connect it directly to a POE switch; it just won't start up.

If you want to go with long cable runs, as higher voltage is better suited for longer runs, I'd suggest using standard 48V POE to drive the cable, and using the Unifi adapter near the AP to convert it to 24V.

Thursday, December 6, 2012

Fun factsheet for Cisco 3500XL and 2900XL switches

It still seems like a popular topic, and these switches never really die, so here are some fun facts about them that I found to be useful (both from my experience and from the documentation):
  • These are layer 2 switches;
  • so they don't have DHCP snooping capabilities;
  • nor any dynamic ARP inspection (DAI).
  • They can't do IP routing or NAT.
  • Traffic distribution over an etherchannel can be based on source or destination MAC addresses, but not both. Distribution can be configured per etherchannel, not just system-wide. You can't distribute based on layer3-4 (IP,TCP/UDP) info.
  • No layer3 ACLs for switching. (Just for the control plane).
  • They have 2 hardware priority queues.
  • They only support L2 COS, not DSCP or TOS.
  • For IP phones, you have to go with a switchport trunk, encapsulation dot1q, nonegotiate, native vlan , allowed vlan ,, switchport voice vlan  type of setup.
  • The 3500XL and 2900XL use the same software; you can run 2900XL images on a 3500XL box.
  • The only members of the 2900XL family with Gigabit ports are the modular, 2U high chassis.
  • They do not support MSTP or GVRP.
  • They do not support LLDP.
  • The 2900 series does not support POE; but some 3500 series models do: look for the -PWR in the model name.
So far that's it, I might extend the list if something comes to mind.

Friday, November 30, 2012

Ethernet filtering fun in hexa with D-Link DES-3250

Most network admins in education know that the source of the most evil is the dormitory. Mostly ignorance with just a touch of malice for the flavor. Rogue DHCP servers, IPv6 router advertisements, IP collisions and the occasional ARP spoofing.

The D-Link DES-3250 series is our choice of switch for our dormitory, as it's cheap and fairly reliable. It can't perform proper DHCP snooping, dynamic ARP inspection, or even the ARP protection the DES-3526 can, but it can do some filtering, based on IP, MAC or raw Ethernet packets.

Credits for the first two go to Gavin McCullagh, not me.

You can filter DHCP replies easily:

create access_profile ip udp src_port_mask 0xFFFF port 1-48 profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 deny


Now this one is a thing of beauty: filtering IPv6 Router Advertisements:

create access_profile packet_content_mask offset_0-15  0x0  0x0  0x0  0xFFFF0000 offset_16-31  0x0  0xFF000000  0x0  0x0 offset_48-63  0x0  0xFF00  0x0  0x0 port 1-48 profile_id 2
config access_profile profile_id 2 add access_id 1 packet_content offset_0-15  0x0  0x0  0x0  0x86DD0000 offset_16-31  0x0  0x3A000000  0x0  0x0 offset_48-63  0x0  0x8600  0x0  0x0 deny

IPv6 uses ethertype 0x86dd, the next-header value for ICMPv6 is 0x3a, and the ICMPv6 type for a Router Advertisement is 0x86 (134). The masks pick out exactly those bytes: the ethertype at frame bytes 12-13, the next header at byte 20, and the ICMPv6 type at byte 54 (14 bytes of Ethernet plus the 40-byte IPv6 header).

Yesterday I had 4 TP-Link APs configured as 192.168.1.254. This wouldn't be a big issue normally, but these ones were dead-set on sending gratuitous ARPs against each other at speeds of 10Mpps...
The DES-3250 has broadcast control, which was set at 8pps, but something went wrong, as the switches still forwarded around 4kpps of ARPs on all ports.
So next up is IPv4 ARP filtering for anything with a sender address in 192.168.0.0/16:

create access_profile packet_content_mask offset_0-15  0x0  0x0  0x0  0xFFFF0000 offset_16-31  0x0  0x0  0x0  0xFFFF0000 port 1-48 profile_id 3 
config access_profile profile_id 3 add access_id 1 packet_content offset_0-15  0x0  0x0  0x0  0x08060000 offset_16-31  0x0  0x0  0x0  0xC0A80000 deny 

The ethertype for ARP is 0x0806, and 192.168 is 0xc0a8; the sender protocol address sits at frame bytes 28-31, which is the last word of the offset_16-31 group.

ARP spoofing of the gateway is not that popular on this subnet, but next time it happens, I'll do an entry with that.
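Before pushing a packet_content profile to a production switch it is worth checking that the offsets and masks catch exactly the frames you mean. The script below is an added example, not part of the original post or D-Link's software: it parses the create/config command pairs quoted above into (byte offset, mask, value) triples and applies them to constructed RA and ARP frames the way the DES-3250 compares 32-bit words; the frame builders and dummy addresses are assumptions made for the test.

```python
import struct

# Added example (not from the post): the DES-3250 packet_content ACLs compare
# 4-byte words at fixed frame offsets. parse_rules() turns a create/config
# access_profile pair from the post into (byte_offset, mask, value) triples,
# matches() applies them to a raw frame the way the switch would.

RA_MASK = "create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0xFF000000 0x0 0x0 offset_48-63 0x0 0xFF00 0x0 0x0 port 1-48 profile_id 2"
RA_RULE = "config access_profile profile_id 2 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x86DD0000 offset_16-31 0x0 0x3A000000 0x0 0x0 offset_48-63 0x0 0x8600 0x0 0x0 deny"
ARP_MASK = "create access_profile packet_content_mask offset_0-15 0x0 0x0 0x0 0xFFFF0000 offset_16-31 0x0 0x0 0x0 0xFFFF0000 port 1-48 profile_id 3"
ARP_RULE = "config access_profile profile_id 3 add access_id 1 packet_content offset_0-15 0x0 0x0 0x0 0x08060000 offset_16-31 0x0 0x0 0x0 0xC0A80000 deny"

def _words(cmd):
    """Map frame byte offset -> 32-bit word for every offset_A-B group in cmd."""
    out, toks = {}, cmd.split()
    for i, tok in enumerate(toks):
        if tok.startswith("offset_"):
            base = int(tok[7:].split("-")[0])
            for k in range(4):                      # four 32-bit words per group
                out[base + 4 * k] = int(toks[i + 1 + k], 16)
    return out

def parse_rules(mask_cmd, content_cmd):
    masks, values = _words(mask_cmd), _words(content_cmd)
    return [(off, masks[off], values[off] & masks[off]) for off in sorted(masks) if masks[off]]

def matches(frame, rules):
    """True when every masked word equals the rule value; short frames never match."""
    for off, mask, value in rules:
        if len(frame) < off + 4:
            return False
        if struct.unpack_from("!I", frame, off)[0] & mask != value:
            return False
    return True

def build_ra(icmp_type=134):
    """Constructed Ethernet/IPv6/ICMPv6 frame; addresses and payload are dummies."""
    eth = b"\x33\x33\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x01" + b"\x86\xdd"
    ip6 = struct.pack("!IHBB", 0x60000000, 16, 58, 255)      # next header 58 at byte 20
    ip6 += b"\xfe\x80" + b"\x00" * 14 + b"\xff\x02" + b"\x00" * 13 + b"\x01"
    return eth + ip6 + bytes([icmp_type, 0]) + b"\x00" * 14  # ICMPv6 type at byte 54

def build_arp(sender_ip):
    """Constructed ARP reply; the sender protocol address lands at bytes 28-31."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + b"\x02\x00\x00\x00\x00\x02"
    return eth + arp + bytes(sender_ip) + b"\xff" * 6 + b"\x00" * 4

RA_FILTER = parse_rules(RA_MASK, RA_RULE)
ARP_192_168_FILTER = parse_rules(ARP_MASK, ARP_RULE)
```

A Neighbor Solicitation (ICMPv6 type 135) and an ARP from 10.0.0.1 fall through both profiles, which is the behaviour you want to confirm before applying the deny rules to all 48 ports.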

Edit: 19/02/2013 - fixed ethertype value in ARP filter

Sunday, November 25, 2012

3Com 4050 and D-Link DGS-3324SR spanning tree native vlan

My new place uses a 3Com 4050 as a layer2 core/distribution switch. It's linked to DES-3526, DGS-3324SR and DGS-3100 switches. Protocol of choice is RSTP. Without native/untagged vlan on the links, the following happens:

  • 3Com 4050 - DES-3526 - RSTP works okay
  • 3Com 4050 - DGS-3100 - RSTP breaks, needs vlan1 untagged
  • 3Com 4050 - DGS-3324SR - RSTP breaks, needs vlan1 untagged
  • 3Com 4050 - DES-3052P - RSTP breaks, needs vlan1 untagged
  • DGS-3324SR - DES-3250 - RSTP works okay
  • DES-3526 - DES-3052P - RSTP breaks, needs vlan1 untagged
  • DGS-3324SR - 3Com 4400 - RSTP works okay
Bottom line: you've gotta love standard implementations of STP...

Alive N Kickin'

In case anybody wonders, I'm still active.
In the past 6 months I changed employment and countries, so it was a bit hectic.

My new place primarily uses Fortigate, Vyatta, D-Link and old 3Com gear, so expect less Cisco for a while. HP will be on the plate as I'm going for the ASE and MASE.
On a related note, I've been Brocade BCNE and BCNP since July, thanks to the BCNE/P 2012 beta program.

So for the time being, stay tuned for D-Link and 3Com stuff.

Friday, May 4, 2012

HP Procurve LLDP-MED and voice vlan configuration FAQ

These are quotations from the software release notes and config guides, but maybe they'll make your life easier.


ProCurve does not recommend configuring a voice VLAN to accept jumbo packets. Voice VLAN packets are typically small, and allowing a voice VLAN to accept jumbo packet traffic can degrade the voice transmission performance.

Beginning with Release H.08.89, LLDP-MED is supported on ProCurve Series 2600 switches.

VLAN Operating Rules
These rules affect advertisements of VLANs in network policy TLVs:
  • The VLAN ID TLV subelement applies only to a VLAN configured for voice operation: vlan <vid> voice
  • If there are multiple voice VLANs configured on a port, LLDP-MED advertises the voice VLAN having the lowest VID.
  • The voice VLAN port membership configured on the switch can be tagged or untagged. However, if the LLDP-MED endpoint expects a tagged membership when the switch port is configured for untagged, or the reverse, then a configuration mismatch results. (Typically, the endpoint expects the switch port to have a tagged voice VLAN membership.)
  • If a given port does not belong to a voice VLAN, then the switch does not advertise the VLAN ID TLV through this port.

The QoS and voice VLAN policy elements can be statically configured with the following CLI commands:
vlan <vid> voice
vlan <vid> <tagged | untagged> <port-list>
int <port-list> qos priority <0 - 7>
vlan <vid> qos dscp <codepoint>

Minimum software versions for LLDP-MED.
Source: HP ProCurve LAN products software feature matrix

LLDP-MED (Media Endpoint Discovery) H.08.89 R.11.04 R.11.04 T.11.xx W.14.03 L.10.02  K.14.xx K.11.1x K.14.xx E.10.02 H.07.57 K.14.03 K.14.xx K.12.31

Thursday, May 3, 2012

Bridged OpenVPN server on VMware ESXi host

After migrating our virtual firewall from a XenSource host to an ESXi server, our bridged OpenVPN server stopped working: users could ping the server, but nothing else.
Since we were talking about Vista clients, we started with the usual suspects: reboot, reinstall the TAP driver, reboot. No joy, so I actually had to start thinking.

Turns out ESXi vSwitches are not in promiscuous mode by default. You can turn it on like this:
http://petermolnar.eu/linux-tech-coding/vmware-esxi-and-promiscuous-mode/

Thursday, April 26, 2012

Huawei Quidway S2309 as a CPE

Just a quick photoblog entry: after a relocation, Invitel provided us with an S2309 instead of the usual Catalyst Metro:

This makes pretty evident that our service is a QinQ Ethernet link, not an MPLS tunnel, as we thought earlier.

Wednesday, April 25, 2012

HP Procurve 2510 voice vlan and LLDP-MED

Just because it's a hot search topic, and I love to divert attention to myself, here's a short post for you:

The Procurve 2510, while supporting LLDP, does not support LLDP-MED.
Here's a quote from the latest firmware release notes:

CLI (PR_0000069348) - The switch allows configuration of a “voice” VLAN even though
the switch does not support LLDP-MED.
That said, it's still a pretty good switch.
For more details on Procurve and LLDP, check out my older post:

http://packetparking.blogspot.com/2011/09/lldp-support-on-hp-devices-versus-my.html

Tuesday, February 28, 2012

Cisco IPS Manager Express performance tuning

A few weeks ago I did a clean install of IME on a virtual XP with 2GB of RAM. The user experience was okay once it had loaded the gadgets, but I just had to check out the system resources graph.
The Java process used around 100MB of RAM, and MySQL used under 15MB. While I had a lot of free RAM as buffer, from my experience it never hurts to give MySQL a lot of RAM.
The config file is "my.ini" under the base installation folder, and this is what it looks like after some tweaks:

[mysqld]
basedir=C:\Program Files\Cisco Systems\Cisco IPS Manager Express/MYSQL
datadir=C:\Program Files\Cisco Systems\Cisco IPS Manager Express/MYSQL/data
port=47007
myisam-recover=DEFAULT,FORCE,QUICK
bind-address=127.0.0.1

# performance options
key_buffer_size=128M
table_cache=256
sort_buffer_size=32M
read_buffer_size=8M

Now it uses around 120MB, and once started, it loads the gadgets noticeably faster.
I tried to add some InnoDB options too, but the options are not recognized. I guess that InnoDB support is not compiled in, or something.

Thursday, February 9, 2012

Cisco MARS 20 upgrade

I'm not sure where you can find performance evaluations for MARS models, but our MARS 20 definitely had issues managing 100+ switches plus our main ASA cluster and FWSM logs. Since it's EOL soon, we don't want to buy a bigger one. But it's just a PC, so we looked into upgrade possibilities.

The MARS 20 has a SuperMicro P4SCT mainboard and 1GB of RAM, so our options are:
  • A new CPU, possibly with Hyperthreading. Problem is, the kernel is not SMP compatible, and I don't really want to compile a new one.
  • More RAM. That's always good, the maximum supported is 4GB DDR-400 in 4 sticks of 1GB.
  • A new HDD. Our old one is, well, old (40k+ hours), so I decided to replace it with a 160GB standard IDE Western Digital drive.
In the end, we opted to upgrade the RAM and replace the HDD.

The RAM upgrade was no problem at all, and I used a RescueCD USB stick to 'dd' the MARS OS between drives. The new drive is a good 2 times faster, and the new memory usage stats are eye-candy:

[root@voyager bin]# free -m
             total       used       free     shared    buffers     cached
Mem:          3772       3764          7        210         98       2141
-/+ buffers/cache:       1523       2248
Swap:         1027        851        175

Overall, the responsiveness of the system is way better in the web interface, and cron tasks are much faster.

Friday, January 13, 2012

Catalyst 3500XL layer 3 frozen

I'm not sure about the reason (most likely a broadcast storm), but one of our 3500XL switches stopped processing L3 traffic. Layer 2 switching was normal, and since it's our distribution switch (Cisco Modular Campus Design, here we come!), I didn't really want to reload it.

Consoling into the switch gave me a responsive CLI, so no trouble there, either. CPU utilization was normal too.

After a few show commands, it turned out that it couldn't even resolve IPs with ARP.
I tried clear arp-cache, clear mac-address-table, clear int vlan 10; no joy. I had to delete the entire vlan interface (no interface vlan 10), clear the caches, and re-create the vlan interface to make it work again. Of course it's running the latest IOS out there (12.0(5)WC17).

Wednesday, January 11, 2012

A new kind of sexy: Huawei Quidway S2309


During winter break I managed to add a new baby to my collection: a Huawei Quidway S2309 switch.

It's a layer2, carrier CPE grade box, with a lot of features:

It runs the Huawei VRP software, which is almost like the 3Com Comware, so I can use this baby to practice for my HP ASE exams.

Stay tuned for updates on this baby...