Computer and IT knowledge - things to know
number of matches found: 152
Network Kernel Parameters
These Parameters have been suggested by TIBCO to bring the performance of a LINUX machine to the maximum regarding the network.
We have used these tuning parameters successfully to reduce retransmissions on heavy loaded machines. You will find similar tuning tips, when searching for web-server optimization.
Parameter Red Hat Enterprise Linux Server 5.6 (Tikanga) VALUES proposal
net.core.rmem_max 131071 16777216
net.core.rmem_default 129024
net.core.wmem_max 131071 16777216
net.core.wmem_default 12902?
net.ipv4.tcp_rmem (3) 4096 4096
87380 87380
4194304 16777216
net.ipv4.tcp_wmem (3) 4096 4096
16384 65536
4194304 16777216
txqueuelen 1000 7000
net.core.netdev_max_backlog 1000 30000
Performance daten: missed/pkts und retrans/pkts are good quality parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\profiles\<Profil>
3. Änder den Wert "Category" entsprechend deinen Wünschen ab.
Öffentlich = 0
Privat = 1
Arbeitsplatz = 2
http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html#resetting-permissions-unix
1. Stop mysqld and restart it with the --skip-grant-tables option. This enables anyone to connect without a password and with all privileges. Because this is insecure, you might want to use --skip-grant-tables in conjunction with --skip-networking to prevent remote clients from connecting.
2. Connect to the mysqld server with this command: mysql
3. mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
4. mysql> FLUSH PRIVILEGES;
IBM 8239
useful Commands:
display tr_surrogate ...
display rmon log_data All //out errors ...
display stack //model, version
display network_map all_stations //welche MAC gibts?
display port all
display management_interface all //eigene MAC adresse ...
display trap_log
unwrap data_io //DI oder RO Verbindung ins Netz einfügen
display wrap_points //Status der Datenschnittstelle
save //save configuration
<strg>+<r> repeat last command
<strg>+<f> go forward in command protocol
<strg>+<b> go backward in command protocol
Beacon-Betrieb wird typischerweise aufgrund einer fehlerhaften DAtenstations-NIC oder eines
fehlerhaften Anschlusskables verursacht. Hilfe bringt Befehl DISPLAY PORT.
RI/RO Status: wenn LED nicht an -> etwas falsch mit ferner Einheit!
http://kbase.redhat.com/faq/FAQ_79_2561.shtm
Resolution:The new way to add static routes on Red Hat Enterprise Linux systems is to create a file
/etc/sysconfig/network-scripts/route-ethX where X corresponds to the network interface you wish to use
the alternate route(s). This file deals with three fields: GATEWAY, NETMASK, and ADDRESS. Each field
should have a number appended to it indicating what route it relates to. The example below shows two
static routes configured for the eth0 network interface.
/etc/sysconfig/network-scripts/route-eth0
GATEWAY0=10.10.0.1
NETMASK0=255.0.0.0
ADDRESS0=10.0.0.0
GATEWAY1=10.2.0.1
NETMASK1=255.255.0.0
ADDRESS1=192.168.0.0
#######################
#using netcat
#######################
#see open ports on target ..
echo QUIT | nc -v -w 5 target 20-250 500-600 5990-7000
Netcat can be used as a simple data transfer agent, and it doesn't really
matter which end is the listener and which end is the client -- input at one
side arrives at the other side as output. It is helpful to start the listener
at the receiving side with no timeout specified, and then give the sending side
a small timeout. That way the listener stays listening until you contact it,
and after data stops flowing the client will time out, shut down, and take the
listener with it. Unless the intervening network is fraught with problems,
this should be completely reliable, and you can always increase the timeout. A
typical example of something "rsh" is often used for: on one side,
nc -l -p 1234 | uncompress -c | tar xvfp -
and then on the other side
tar cfp - /some/dir | compress -c | nc -w 3 othermachine 1234
will transfer the contents of a directory from one machine to another, without
having to worry about .rhosts files, user accounts, or inetd configurations
at either end.
talk 5 / network 0 / LE-services
Action IOS SET
passwords enable password level 1 <pwd> set password <cr>
enable password level 15 <pwd> set enablepass <cr>
hostname hostname <name> set prompt <name>
IP address (config)# ip address <ip> <mask> (ena) set interf so= <ip><mask>
set interf so0 <vlan>
port description (config-if)#description <string> set port name x/x <string>
speed n/a set port speed x/x {10/100/auto}
duplex mode (config-if)#duplex {auto|full| set port duplex x/x {full/half}
full-flow-control|half}
conf. VLANS n/a set vlan <vlan#> x/x
conf. trunk (config-if)#trunk on set trunk x/x [on|off|desirable|auto|nonegotiate]
<vlan-range> [isl|dot1q|dot10|lane|negotiate]
clear VLANS from trunk n/a clear trunk x/x <vlan-range>
choose vtp version n/a set vtp v2 enable
vtp doamin + mode n/a set vtp domain <str> password <str>
set vtp domain <str> mode [clslt]
show vtp show vtp statistics
show vtp domain
vtp pruning set vtp pruneeligible <vlan_range>
clear vtp pruneeligible <vlan_range>
show trunk
enable STP (config)#spantree <vlan_list> set spantree enable x/x
set spantree disable x/x
set spantree enable all
show spantree <vlan>
STP Root Bridge set spantree root <vlans> ..
STP Port Cost (config-if)#spantree cost <xx> set spantree portcost 2/1 <xx>
STP Priority (config-if)#spantree priority <xxx> set spantree portpri x/x <xx>
Multicast (config)#ip multicast-routing
(config-if)#ip pim {dense-mode|
sparse-mode|sparse-dens-mode}
show ip pim interface [<if>][count]
show ip pim neighbour [<if>]
(config)#ip pim rp-address <ip#>
[group-access-list-number]
[override]
(config)#ip pim send rp announce x/x
scope <#> group-list <ad#>
(config)#ip pim send-rp-discovery scope
(config)#ip multicast <xx> threshold <xx>
show ip mroute
debug ip mpacket [detail][add][group]
(config)#ip igmp join-group <gr#>
(config)#ip igmp version {2|1}
show ip igmp interface
(config)#ip cgmp set cgmp enable
set cgmp leave
show cgmp statistics [<vlan>]
show multicast group cgmp [<vlan>]
Channel (config#)port-channel mode [on|off show port capabilities x/x
|des] set port channel x/x {on|off|auto|desirable}
portfast (config#)spantree start-forwarding set spantree portfast x/x enable
uplinkfast (config#)uplink-fast set spantree uplinkfast enable
show uplink-fast show spantree uplink fast
show uplinkfast statistics
backbonefast set spantree backbonefast
ip rout. on route proc. (config)#ip routing router <protocol> n/a
(config-router)#network <#>
VLAN if on external RP Router(config)#int eth 2/1.1 n/a
(config)# encapsulation isl <vlan#>
default gw ip default-gateway <ip addr> set ip route default <ip addr>
MSL (config)#mls rp ip set mls flow [destination|destination-source..
(config-if)#msl rp vlan-id <#> set mls enable
" " mls rp vtp-domain <str> set mls agingtime (#)
" " mls rp ip
show mls rp
show mls rp vtp-domain show mls
(config-if)#mls rp management-intf
show mls rp inteface
(config-if)# mlsrp ip input-ad show mls entry
show mls entry ..
HSRP (config-if)#standby <gr#> ip <ip#>
" " priority <pr#>
" " preempt
" " timers <hello> <hold>
" " track <if> <prio>
debug standby
show standby [<if>|<gr#>|brief]
Network Time protocol: NTP
linux: ntpdate IP-Adress
linux packet: ntp-4.0.99k-15
#ntp time synchronization
30 1 * * * /usr/sbin/ntpdate ntp1.ptb.de
-----------------------------------------------
information from colleage F:
ntp installieren und diese 4 zeilen in /etc/ntp.conf
server xyz
multicastclient
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
-----------------------------------------------
#check difference
/usr/sbin/ntpq -c peers
AIX - vmstat
-> install:
- It's in the perfagent.tools fileset on your AIX distribution.
- Look for bos.acct on the second installation disk.
-> #vmstat 2 20
> kthr memory page faults cpu
> ----- ----------- ------------------------ ------------ -----------
> r b avm fre re pi po fr sr cy in sy cs us sy id wa
> 0 2 81249 807 0 0 0 0 0 0 431 997 69 0 1 91 8
> 0 2 81249 800 0 1 0 0 0 0 482 2300 148 1 2 41 56
> 0 3 81249 783 0 0 0 0 0 0 507 727 203 0 3 6 91
> 0 2 81249 685 0 0 0 0 0 0 508 2588 102 1 2 68 29
> 0 2 81250 678 0 0 0 0 0 0 447 2393 138 1 1 86 11
> 0 2 81250 677 0 0 0 0 0 0 438 1594 89 0 1 94 4
> 0 2 81299 611 0 0 0 0 0 0 450 2658 129 1 2 88 9
> 0 2 81419 460 0 0 0 0 0 0 467 3099 162 2 3 79 16
>
Hi,
first look response, ( it's a long time I took AIX Perf & Tuning :-)
r = 0 : no jobs running, not so good
b = 2 : 2 jobs waiting I/O, not so good too
avm = 80K : 320 Mb of active Ram for jobs
fre = 800 : free slots ... not many
middle colums = 0 : no paging activity : good: no Ram shortage, no Disk I/O
in,sy,cs : device interrupts, system time, context switch, average load
us = 1 : doing nothing for you
sy = 2 : doing nothing for itself
idle = 90 : wasting CPU cycles
wa = 5-90 : waiting fow slow devices to answer, should be network, since not
paging
comp.dcom.net-analysis
comp.dcom.net-management
comp.dcom.lans.ethernet
comp.dcom.fax
comp.dcom.servers
comp.dcom.sys.cisco
comp.dcom.vpn
comp.doc.management
comp.groupware.lotus-notes.programmer
comp.groupware.lotus-notes.admin
comp.groupware.lotus-notes.misc
comp.groupware.lotus-notes.apps
comp.os.linux.networking
comp.protocols.snmp
comp.unix.aix
comp.unix.shell
comp.lang.perl.tk
8260: redbook gg244370
s.47 Superuser Reset
8260 Multiprotocol Intelligent Switching Hub
MRTG Latency script
> I'm looking for scripts to measure latency in my IP network. Can someone
> help ?
Well, since you didn't specify an operating system, I'll assume
that you're following in my footsteps and doing battle with NT4
as a server. Note that the following requires that you use the
ping.exe supplied with Windoze 95/98 instead of the useless ping
supplies with NT4. See the MRTG stuff somewhere on:
http://www.lns.com
which is from where I stole the script. I also have a somewhat
different version for Linux (RH 7.1) but which I can't get to
as I managed to break SSH and can't grab it.
------------
# MRTGPING.PL
# Plagerized by Jeff Liebermann from original by Tim Pozar.
# 09/14/00 First hack for NT4.
$ipaddr = "NULL";
$ipaddr = $ARGV[0];
$numpings = 3;
if ($ipaddr eq "NULL"){
print "Usage mrtgping.pl [ipaddress]\n";
exit;
}
# Note that "ping95.exe" is the Windoze 95/98 version
# and not the useless ping supplied with NT4.
#
# Windoze ping will return...
# Minimum = 494ms, Maximum = 574ms, Average = 520ms
$result = `ping95 -n $numpings $ipaddr | find /i "average" `;
# Break result apart at the commas.
chop($result);
($Mins,$Maxs,$Avgs) = split(/,/,$result);
# Break each value apart at the = sign.
($Mint,$min) = split(/=/,$Mins);
($Maxt,$max) = split(/=/,$Maxs);
($Avgt,$avg) = split(/=/,$Avgs);
# Remove the "ms" at the end.
$min1 = substr($min,0,-2);
$max1 = substr($max,0,-2);
$avg1 = substr($avg,0,-2);
$min1 =~ s/ //g;
$max1 =~ s/ //g;
$avg1 =~ s/ //g;
# Belch results in 4 lines.
print "$avg1\n";
print "$max1\n";
print "0\n";
print "$ipaddr\n";
------------
If Perl is a bit of a heavy hammer, the following is what
I use on my SCO Unix OSR5 3.2v5.0.5 machines. The use of
the first ping return is intentional as I'm trying to plot
the latency of the Starband satellite flying cache, which
caches everything exept the first packet.
#!/bin/sh
# by Jeff Liebermann 04/15/98
#
# Record ping times.
#
# Results of:
# ping -c 1 -s 1024 bloat
#
# PING bloat (192.168.111.30): 1024 data bytes
# 1032 bytes from bloat (192.168.111.30): icmp_seq=0 ttl=128 time=10 ms
#
# --- bloat ping statistics ---
# 1 packets transmitted, 1 packets received, 0% packet loss
# round-trip min/avg/max = 10/10/10 ms
# Really disgusting way to get rid of extra leading spaces
# by feeding it to a shell variable. Ugly at best.
#
# usage: whatever machine_name_or_ip
# i.e. whatever bloat.comix.santa-cruz.ca.us
#
retch=`ping -c 1 -s 1025 $1 | grep "time"` # extract line with ping time.
set $retch # break apart into fields using IFS seperators
ping=`echo $8 | cut -c 6-` # extract ping time.
echo $ping # ping time=xxx
echo $ping # ping time=xxx
echo "0" # Filler
echo "0" # Filler
#
when the aventail socks server, does not forward the network packets as expected it could be that the connection order need to be changed.
To do that, you have to check the connect directory:
Aventail: change connection order
-> c:\Program Files\Aventail\Connect
-> SPMOD->Layered Service Providers: Aventail to top!
Crossover cable:
1 <-> 3 short version: TX+ (1) <-> (3) RX+
2 <-> 6 TX- (2) <-> (6) RX-
3 <-> 1 RX+ (3) <-> (1) TX+
4 <-> 4 RX- (6) <-> (2) TX-
5 <-> 5
6 <-> 2
7 <-> 7
8 <-> 8
Regular end:
|1|2|3|4|5|6|7|8|
^ ^ ^ ^
And at the crossover end:
|3|6|1|4|5|2|7|8|
^ ^ ^ ^
I just want masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if
you don't know, you do have one), you simply want to tell your box that all packets
coming from your internal network should be made to look like they are coming from the
PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet
Filtering HOWTO: `Mixing NAT and Packet Filtering'.
#transparent proxy with squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
#anschauen mit: iptables -L -t nat
IP Routing,
Enabling IP Routing
By default, IP routing is disabled. To enable IP routing, you must allow the computer to
forward IP packets it receives. This requires a change to the Windows 2000 system registry.
When you enable the Routing and Remote Access service for IP routing,
this registry entry is made automatically.
To enable IP routing
1 .From the Start menu, click Run.
2.Type regedt32.exe or regedit.exe, and then click OK.
3.In a registry editor, navigate to
HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Tcpip \Parameters
4. Select the "IPEnableRouter" entry.
5. To enable IP routing for all network connections installed and used by this computer, assign a value of 1.
To do this in regedit.exe, right-click the entry, and then click Modify.
In regedt32.exe, click on the wanted entry, click on Edit, and then click on the appropriate menu choice.
6.Close the registry editor.
It is required to reboot Windows 2000 for this change to take effect.
I have used this in a configuration, where the Windows 2000 Professional system works
as a router between an Ethernet network and a USB-network.
/etc/sysconfig/network-scripts
edit ifcfg-eth0 ...
In use since 1995 and on a variety of accounts.
Out of the box type software and works on discovery of network. Easy to setup and configure.
Platform - NT or Unix (Sun or HP). No AIX.
If the network is large with many elements (ports, switches, routers etc), then best use Unix.
They have used in network of between 5K and 8K elements.
Reports can be setup for SM or technical staff.
Has web i/f.
Can perform network (WAN & LAN), server and application performance management.
Has real-time analysis.
Excellent backup support from reseller.
Have used for SLA reports.
Great success with linking tool to Helpdesk and ease of reporting/tracking/communication problems.
VitalAnalysis - response times.
VitalNet - network components.
VitalEvent - Threshold limits etc.
Many features the same as Concord.
GUI very good and has web i/f. Can be setup with many view for SM, technical, CIO.
Has agents on end stations for end-to-end analysis.
No realtime data - minimum of two hours delay. Lucent don't say it's realtime.
Sample times are minimum of one hour, so it's already averaged - slight disadvantage.
Lucent will send data from end station to server, whereas Concord will poll. Therefore, Concord server has more load.
Support not always quick and responsive.
http://nullhaus.com/2013/08/hp-port-troubles-part-1-monitoring/
turn on: fault-finder all action warn sensitivity high
to find port errors and more ..
HP ProCurve Switch Stack Firmware Update
1. save the config. (write memory)
2. save current software to secondary (copy flash flash secondary)
3. upload the new software to primary - it doesn't matter which way:
- via menu
- via web
- via tftp: copy tftp flash <ip-address> <remote-os-file> [<primary | secondary>]
3.1: verify image using "show flash"
4. reboot the stack (boot system flash primary)
Things to know:
- A "reboot" or "reload" (and the corresponding MIB) would cause only the commander to get rebooted.
A "boot system" would boot the entire stack
- uploading software to the commander will cause all members to have that software loaded as well
- scheduled stack reboot can be done via command job:
----> your-switch(config)# job reboot at 08:55 "boot system"
You can specify the default flash to boot from on the next boot by entering the
boot set-default flash command:
HP Switch(config)# boot set-default flash secondary
Booting from the default flash
Syntax: boot[system[flash | <primary | secondary> ]] [config FILENAME]
- system:Boots the switch. You can specify the flash image to boot from. When using
redundant management, boots both the active and standby management modules.
#reload command
This command boots the switch from the currently active flash image and
startup-config file. Because reload bypasses some subsystem self-tests, the switch
boots faster than if you use a boot command.
#schedule a reload:
- To schedule a reload in 15 minutes: HP Switch# reload after 15
- To schedule a reload in 3 hours: HP Switch# reload after 03:00
- To schedule a reload for the same day at 12:05: HP Switch# reload at 12:05
- To schedule a reload for some future date: HP Switch# reload at 12:05 01/01/2008
#scheduled stack reboot:
----> your-switch(config)# job reboot at 08:55 "boot system"
in most cases it is better not to use flowcontrol, see also this discussion:
https://community.hpe.com/t5/Switches-Hubs-and-Modems/When-to-use-Flow-Control/td-p/4337588
ls /sys/class/net/
>> shows which nics are there, e.g:
br0 lo p5p1
>> p5p1 .. nothing was shown when running kernel 4.4.0-93
lspci -nnk |grep iA3 net
>> shows the ethernet device and which driver is loaded
>> here was no driver loaded
>> when starting a later kernel, you see the module and the driver is loaded
kernel: 4.4.0-96 contains module modnifo r8169
>> /lib/modules/4.4.0-96-generic/kernel/drivers/net/ethernet/realtek/r8169.ko
>> solution: upgraded just to 4.4.0-97 ;-))
sample
#create port group
mirroring-group 5 local
#select port that you want to be monitored >> for example 1/0/1
mirroring-group 4 mirroring-port GigabitEthernet 1/0/1 both
#define monitor port, where you are plugged in notebook / wireshark, e.g. 1/0/24
mirroring-group 4 monitor-port GigabitEthernet 1/0/24
Transceiver info
display transceiver diagnosis interface Ten-GigabitEthernet 1/0/49
Ten-GigabitEthernet1/0/49 transceiver diagnostic information:
Current diagnostic parameters:
Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
46 3.39 45.34 -0.99 -2.53
Alarm thresholds:
Temp.(°C) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
High 73 3.80 88.00 3.50 3.50
Low -3 2.80 1.00 -8.00 -9.50
mibs:
hh3cTransceiver
VendorName
.1.3.6.1.4.1.25506.2.70.1.1.1.4 Name/OID: hh3cTransceiverVendorName.49; Value (OctetString): HPE
Distance
.1.3.6.1.4.1.25506.2.70.1.1.1.7 Name/OID: hh3cTransceiverTransferDistance.49; Value (Integer): 220 >> 220m
Cur TX power (dBm)
.1.3.6.1.4.1.25506.2.70.1.1.1.9 Name/OID: hh3cTransceiverCurTXPower.49; Value (Integer): -252
Indicating the current transmitted power.The unit is in hundredths of dBM. >> -2.52dBm
Cur RX power (dBm)
.1.3.6.1.4.1.25506.2.70.1.1.1.12 Name/OID: hh3cTransceiverCurRXPower.49; Value (Integer): -99
Indicating the current received power. The unit is in hundredths of dBM. >> -0.99dBm
Cur Temp °C
.1.3.6.1.4.1.25506.2.70.1.1.1.15 Name/OID: hh3cTransceiverTemperature.49; Value (Integer): 46
Indicating the current temperature. The unit is Celsius centigrade. >> 45C
Cur Voltage (V)
.1.3.6.1.4.1.25506.2.70.1.1.1.16 Name/OID: hh3cTransceiverVoltage.49; Value (Integer): 339
Indicating the current voltage. The unit is in hundredths of V >> 3.39V
Cur Bias (mA)
.1.3.6.1.4.1.25506.2.70.1.1.1.17 Name/OID: hh3cTransceiverBiasCurrent.49; Value (Integer): 4534
Indicating the current bias electric current. The unit is in hundredths of mA >> 45.34mA
Alarm Temp High
.1.3.6.1.4.1.25506.2.70.1.1.1.18 Name/OID: hh3cTransceiverTempHiAlarm.49; Value (Integer): 73000 >> 73°C
Transceiver temperature high alarm threshold limit in thousandths of degrees Celsius.
As an example:49120 is 49.120 degrees Celsius.
Alarm Temp Low
.1.3.6.1.4.1.25506.2.70.1.1.1.19 Name/OID: hh3cTransceiverTempLoAlarm.49; Value (Integer): -3000 >> -3°C
Alarm Voltage High
.1.3.6.1.4.1.25506.2.70.1.1.1.22 Name/OID: hh3cTransceiverVccHiAlarm.49; Value (Integer): 37952 >> 3.80V
Transceiver VCC high alarm threshold limit in hundreds of microvolts.
As an example:32928 is 3.2928 volts. Returns zero if not supported on the transceiver.
Alarm Voltage Low
.1.3.6.1.4.1.25506.2.70.1.1.1.23 Name/OID: hh3cTransceiverVccLoAlarm.49; Value (Integer): 28048 >> 2.80V
Alarm Bias High
.1.3.6.1.4.1.25506.2.70.1.1.1.26 Name/OID: hh3cTransceiverBiasHiAlarm.49; Value (Integer): 88000 >> 88.00mA
Transceiver bias high alarm threshold limit in microamps
Alarm Bias Low
.1.3.6.1.4.1.25506.2.70.1.1.1.27 Name/OID: hh3cTransceiverBiasLoAlarm.50; Value (Integer): 1000 >> 1.00mA
!!dBm = 10 * log ( Leistung / 1mw)
Alarm TX power dBM high
.1.3.6.1.4.1.25506.2.70.1.1.1.30 Name/OID: hh3cTransceiverPwrOutHiAlarm.49; Value (Integer): 22387
Transceiver transmit power high alarm threshold limit in tenths of microwatts.
As an example:10000 is 1 milliwatt.
Alarm TX power dBM low
.1.3.6.1.4.1.25506.2.70.1.1.1.31 Name/OID: hh3cTransceiverPwrOutLoAlarm.49; Value (Integer): 1122
Alarm RX power dBM high
.1.3.6.1.4.1.25506.2.70.1.1.1.34 Name/OID: hh3cTransceiverRcvPwrHiAlarm.49; Value (Integer): 22387
Alarm RX power dBM low
.1.3.6.1.4.1.25506.2.70.1.1.1.35 Name/OID: hh3cTransceiverRcvPwrLoAlarm.49; Value (Integer): 1585
TransceiverErrors
.1.3.6.1.4.1.25506.2.70.1.1.1.38 OctetString List with Errors
Bitmask indicating transceiver errors.
Transceiver information I/O error(0)
Transceiver information checksum error(1)
Transceiver type and port configuration mismatch(2)
Transceiver type not supported by port hardware(3)
WIS local fault(4)
Receive optical power fault(5)
PMA/PMD receiver local fault(6)
PCS receive local fault(7)
PHY XS receive local fault(8)
Laser bias current fault(9)
Laser temperature fault(10)
Laser output power fault(11)
TX fault(12)
PMA/PMD transmitter local fault(13)
PCS transmit local fault(14)
PHY XS Transmit Local Fault(15)
RX loss of signal(16)
Unused(17-31)
##################################################################
#
# auf IRF xx
#
##################################################################
DHCP Pool ist configuriert / vorbereitet:
dhcp server ip-pool vlan99
network 10.99.99 mask 255.255.255.0
address range 10.99.99.10 10.99.99.11
gateway-list 10.99.99.1
##################################################################
# aktivieren (vorher am besten schauen ob pool adressen frei sind)
##################################################################
interface Vlan-interface33
ip address 10.99.99.1 255.255.255.0
folgenden Befehl absetzten:
dhcp server apply ip-pool vlan99
DHCP Clients anschauen:
disp dhcp server ip-in-use
IP address Client identifier/ Lease expiration Type
Hardware address
10.99.99.10 ...
##################################################################
#deaktivieren
##################################################################
interface Vlan-interface99
undo dhcp server apply ip-pool
esxcfg-vswitch -l #show vswitch config
esxcfg-vmknic -l #list vmkerne interfaces - their ip and mac
esxcfg-nics -l #list physical interfaces
esxcli network nic stats get -n vmnic5 #see interface statistic
Performance on esx
>>
esxcli network firewall set --enabled false
server:
/usr/lib/vmware/vsan/bin//iperf3.copy -s
network top - see network statistics
esxtop > pressing N will show network statistics
client:
/usr/lib/vmware/vsan/bin//iperf3.copy -c 192.168.2.10
https://humdi.net/vnstat/
vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won't actually be sniffing any traffic and also ensures light use of system resources.
#!/bin/bash
# findDoSVisotor
#
# useful if CPU is very high .. find out the visitor, which causes the most
# network activity
#
netstat -lanp |grep ":443" | awk {' print $5'} | cut -d: -f 1 |sort |uniq -c | sort -nk 1
###########################
#!/bin/bash
# blockIPaddress.sh
#
# block IP address to access 443
#
if [ -z "$1" ]
then
echo "usage: blockIPaddress.sh <IP>"
exit
fi
iptables -A INPUT -p tcp --dport 443 -i eth0 -s $1 -j DROP
How to mount QEMU's qcow2 partitions:
using the "network block device" (nbd) driver and the qemu-nbd tool
step 1:load the module
$ modprobe nbd max_part=8
step 2: > make the image available as block device
$ qemu-nbd --connect=/dev/nbd0 /hdd-fil.qcow2
step 3: list the available partitions by using command:
$ fdisk -l /dev/nbd0
step 4: mount the partion
$ mount /dev/nbd0p1 /tmp/mymountpoint/
>> if this step fails with the warning: mount: special device /dev/nbd0p1 does not exist
>> run the command: partx -a /dev/nbd0
>> and repeat step 4!
step 5: disconnect partion + block device
$ umount /dev/nbd0p1
$ qemu-nbd --disconnect /dev/nbd0
Problem: after a vmware virtual server (windows 2012) was using 10gbit instead of 1gbit it was not able anymore to build up valid tcp session to some specific hosts
Solution: after using wireshark we found out, that the difference was the tcp ECN bit, which was set when using 10gbit
>> disable ecn on the virtual windows machine:
netsh int tcp set global ecncapability=Disabled
>> check windows settings:
netsh int tcp show global
see also:
- https://de.wikipedia.org/wiki/Explicit_Congestion_Notification
- http://lifeofageekadmin.com/network-performance/
Cisco 200 Series Smart Switches
reboot / reset:
- just rebooting: press the reset button for < 10 seconds
factory Default:
- with power on press and hold the reset button > 10 seconds
default logon:
username = cisco
password = cisco
default ip: 192.168.1.254 if there is no dhcp
firmwareupgrade:
https://community.cisco.com/t5/small-business-switches/sg200-26-26-port-switch-firmware-upgrade/td-p/2768163
>rfb files are boot code files .. install them via tftp !!
Problem: Network Traffic Analyser (NTA) import problem - no data is seen on HPE Aruba Intelligent Management Center (IMC)
software version:
- iMC PLAT v7.3 (E0705P06)
- IMC NTA 7.3 (E0509) + SP1
-----------------
Analysing:
- validate that sflow data is beeing received using wireshark
- c:\Program Files\iMC\data\processorData\data
>> directory shows that data is coming in but the data is not processed!
- error found in logfile!
logfile: c:\Program files\iMC\unba\log\processor.current-date
-----------------
Solution:
>>error: mysql error code=3948, error message=Loading local data is disabled; this must be enabled on both the client and server sides
solution:
in mysql my.ini:
[client]
local_infile=1
[mysql]
local_infile=1
[mysqld]
local_infile=1
>> stop IMC + restart Database
-----------------
other help: HPE IMC NTA/UBA Troubleshooting Guide
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-c05247038
#########################
# Huawei - Switches
#########################
!##### Enter System-View mode #####
system-view
!
!
!##### System Information #####
sysname "System-Name"
!
!
!###### OOBM ####
ip vpn-instance mgmt
description mgmt-vpn-instance
ipv4-family
quit
!
interface MEth0/0/0
ip binding vpn-instance mgmt
ip address 192.168.2.99 255.255.255.0
quit
!
ip route-static vpn-instance mgmt 0.0.0.0 0 192.168.2.1
!
!##### User ####
aaa
undo local-user policy security-enhance
local-user admin password irreversible-cipher my-password
local-user admin service-type ssh terminal
local-user admin level 3
stelnet server enable
ssh authentication-type default password
!
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound ssh
quit
!
user-interface console 0
authentication-mode aaa
quit
!
rsa local-key-pair create
!
!##### SNMP version2 Configuration #####
snmp-agent
snmp-agent sys-info version v2c
snmp-agent sys-info location "Standort"
snmp-agent sys-info contact my company
snmp-agent community read my-snmp-read
!# snmp-agent community write private
!
!
!##### Timezone & NTP Configuration #####
!# WARNING! Important for troubleshooting and correlating network incidents
undo ntp server disable
ntp unicast-server 192.168.2.1 vpn-instance mgmt
clock timezone CET add 01:00:00
clock daylight-saving-time CEST repeating 01:00 last Sun Mar 03:00 last Sun Oct 01:00
!
!
lldp enable
!
!
!##### Loop Protection #####
stp bpdu-protection
stp enable
stp root primary
!stp root secondary
interface range 25GE 1/0/1 to 25GE 1/0/47
stp edged-port enable
quit
interface range 25GE 2/0/1 to 25GE 2/0/47
stp edged-port enable
quit
!
!
!
!##### Exit System-View mode #####
commit
quit
save
- zeroconf "standard"
- wireshark mDNS filter: dns and udp.port eq 5353
- windows commands:
- dns-sd -B _airplay._tcp #show up airplay devices in local network (in same vlan)
- dns-sd -B _servcies._dns-sd._udp #see available services in local network (in same vlan)
- switching environment:
problem with different vlan's: client can not find apple tv
>> solution on hpe switch: mdns gateway vlan 3,4,10
>> see also: https://www.youtube.com/watch?v=gMUnkp6Ao8o
ubuntu 20 uses netplan as default ip configuration utility
usefule netplan commands:
- netplan get #shows the actual configuration
- /etc/netplan #in this configuration directory the netplan yaml file is located
- netplan try #test the new configuration
- netplan apply #apply the configuration
#a sample bash script to set some new parameters comes here:
changeIP.sh:
#!/bin/bash
configfile="/etc/netplan/00-installer-config.yaml"
# make a backup
cp $configfile $configfile.save.`date +%Y%m%d%H%M`
# Changes dhcp from 'yes' to 'no'
sed -i "s/dhcp4: yes/dhcp4: no/g" $configfile
# Retrieves the NIC information
nic=`ifconfig | awk 'NR==1{print $1}'`
# Ask for input on network configuration
read -p "Enter the static IP of the server (example 192.168.2.20/24): " staticip
read -p "Enter the IP of your gateway: " gatewayip
read -p "Enter the IP of your nameservers (seperated by a coma if > 1): " nameserversip
echo
cat > $configfile <<EOF
network:
version: 2
ethernets:
$nic
addresses:
- $staticip
gateway4: $gatewayip
nameservers:
addresses: [$nameserversip]
EOF
sudo netplan apply
echo ">>> new settings are now activated"
echo
problem occured on ubuntu 18.04.xx
>> connect not possible via:
mysql -u root -p -h 127.0.0.1 -P 3306
>> only connect via console / pipe is possible
solution 1: create an extra database admin user for network access
--------------------------------------
Mysql –u root –p
#create user sqladmin
MariaDB [(none)]> CREATE USER 'sqladmin'@'localhost' IDENTIFIED BY 'your-password';
#grant all privileges to the user
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'sqladmin'@'localhost';
#making the changes take effekt
MariaDB [(none)]> FLUSH PRIVILEGES;
solution 2: enable root user
--------------------------------------
use mysql;
update user set plugin='mysql_native_password' where user='root';
flush privileges;
exit;
>> check your password access afterwards!
maybe you need to set a new password:
MariaDB [(none)]> UPDATE mysql.user SET Password=PASSWORD('your-new-password') where user='root';
#!/usr/bin/perl
######################################################################
# getMacAddress.pl
#
# see also:
# - https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/44800-mactoport44800.html
#
# version 2021-04-07
#
# example:
# getMacAddress.pl -ip=10.20.49.250 -type=hpe -community=mypub
# result:
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:3d:d8;ip;192.168.1.10
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:2f:3c;ip;192.168.1.11
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:3f:e0;ip;192.168.1.12
# switch;10.20.49.250;vlan;VLAN27;mac;7c:5a:1c:11:44:b8;ip;192.168.1.13
# switch;10.20.49.250;vlan;VLAN30;mac;94:40:c9:4a:31:1c;ip;192.168.1.14
# switch;10.20.49.250;vlan;VLAN30;mac;52:54:00:4e:cd:c4;ip;192.168.1.15
#
#
# (c) m.wendig
#
######################################################################
use Data::Dumper;
use strict;
use DBI;
my $num_args = $#ARGV;
if ($#ARGV == -1 ){
usage();
}
#my $ip="172.20.12.50";
my $ip='';
if ($ARGV[0]=~/-ip=(.*)$/){
$ip=$1;
}
print usage() if $ip eq '';
my $updatedb=0;
if (($ARGV[2]=~/-db/) || ($ARGV[3]=~/-db/)){
$updatedb=1;
}
my $type= "";
if ($ARGV[1]=~/-type=(.*)$/){
$type=$1;
}
if (($type eq 'hpe') || ($type eq 'cisco') || ($type eq 'watchguard')){
}else{usage();}
my $community = "public";
if ($ARGV[2]=~/-community=(.*)$/){
$community=$1;
}
my $dbname="mactable";
my $dbuser="root",
my $dbpwd="";
my $dbhost="localhost";
my $debug=0;
my $snmpwalk = '/usr/bin/snmpwalk';
my $line;
my @vlans=();
my $dbh;
if ($updatedb){
$dbh = DBI->connect("DBI:mysql:$dbname;host=$dbhost", "$dbuser", "$dbpwd") || die "Could not connect to database: $DBI::errstr";
}
#######################################
#1 retrieve vlan
#######################################
my $cmd ='';
if ($type eq "cisco"){
$cmd= "$snmpwalk -v 2c -c $community $ip .1.3.6.1.4.1.9.9.46.1.3.1.1.2";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect someting like: SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.2.1.41 = INTEGER: 1
if ($line =~ /(\d*)\s\=/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
#print "$line\n";
push @vlans,$vlan;
}
}
close(IN);
}
if ($type eq "hpe"){
#get all interface type 53 = vlan
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.3";
print "$cmd\n" if $debug;
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: iso.3.6.1.2.1.2.2.1.3.2249 = INTEGER: 53
if ($line =~ /(\d*)\s\=\sINTEGER: 53/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.2.$vlan";
open(IN2, "$cmd |");
my $vlanname='';
while(<IN2>){
my $line2=$_;
chomp($line2);
#we expect something like: iso.3.6.1.2.1.2.2.1.2.2249 = STRING: "VLAN1000"
if ($line2 =~ /STRING:\s\"(.*)\"$/){
$vlanname=$1;
}
print ">>$line2: vlanname=$vlanname\n" if $debug;
}
close(IN2);
#print "$line\n";
push @vlans,[$vlan,$vlanname];
}
}
close(IN);
}
if ($type eq "watchguard"){
#get all interface type 6 = vlan
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.3";
print "$cmd\n" if $debug;
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect something like: iso.3.6.1.2.1.2.2.1.3.2249 = INTEGER: 6
if ($line =~ /(\d*)\s\=\sINTEGER: 6/){
my $vlan = $1;
print "vlan=$vlan.\n" if $debug;
$cmd= "$snmpwalk -v 2c -c $community $ip iso.3.6.1.2.1.2.2.1.2.$vlan";
open(IN2, "$cmd |");
my $vlanname='';
while(<IN2>){
my $line2=$_;
chomp($line2);
#we expect something like: iso.3.6.1.2.1.2.2.1.2.2249 = STRING: "VLAN1000"
if ($line2 =~ /STRING:\s\"(.*)\"$/){
$vlanname=$1;
}
print ">>$line2: vlanname=$vlanname\n" if $debug;
}
close(IN2);
#print "$line\n";
push @vlans,[$vlan,$vlanname];
}
}
close(IN);
}
#we should have a datastructure like the following now:
#$VAR46 = [
# '2249',
# 'VLAN1000'
# ];
#$VAR47 = [
# '3249',
# 'VLAN2000'
# ];
#print Dumper(@vlans);
####################################
#2 foreach vlan do something
####################################
if ($type eq "cisco"){
foreach my $vlanelem (@vlans){
my $vlan = @$vlanelem[0];
my $vlanname = @$vlanelem[1];
#print "check vlan $vlan.\n";
next if $vlan > 1000;
my $cmd = "$snmpwalk -v 2c -c $community\@$vlan $ip .1.3.6.1.2.1.17.4.3.1.1";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect someting like: SNMPv2-SMI::mib-2.17.4.3.1.1.254.175.11.155.132.164 = Hex-STRING: FE AF 0B 9B 84 A4
if ($line =~ /\.(\d*\.\d*.\d*\.\d*) = Hex-STRING: (.*)$/){
my $macip = $1;
my $mac = $2;
$mac =~s/\s*$//g;
$mac =~s/\s/:/g;
$mac =lc($mac);
print "switch;$ip;vlan;$vlanname;mac;$mac;ip;$macip\n";
updateDatabase($ip,$vlanname,$mac,$macip)if $updatedb;
}
}
close(IN);
}
}
####################################
if (($type eq "hpe") || ($type eq "watchguard")) {
foreach my $vlanelem (@vlans){
my $vlan = @$vlanelem[0];
my $vlanname = @$vlanelem[1];
#print "check vlan $vlan.\n";
#next if $vlan > 1000;
my $cmd = "$snmpwalk -v 2c -c $community $ip .1.3.6.1.2.1.4.22.1.2.$vlan ";
open(IN, "$cmd |");
while(<IN>){
$line=$_;
chomp($line);
print "$line\n" if $debug;
#we expect someting like: SNMPv2-SMI::mib-2.17.4.3.1.1.254.175.11.155.132.164 = Hex-STRING: FE AF 0B 9B 84 A4
if ($line =~ /\.(\d*\.\d*.\d*\.\d*) = Hex-STRING: (.*)$/){
my $macip = $1;
my $mac = $2;
$mac =~s/\s*$//g;
$mac =~s/\s/:/g;
$mac =lc($mac);
print "switch;$ip;vlan;$vlanname;mac;$mac;ip;$macip\n";
updateDatabase($ip,$vlanname,$mac,$macip)if $updatedb;
}
}
close(IN);
}
}
if ($updatedb){
$dbh->disconnect();
}
########
# updateDatabase(switch,vlan,mac)
########
sub updateDatabase($$$){
my $switch=$_[0];
my $vlan=$_[1];
my $mac=$_[2];
my $ip=$_[3];
print "run db update for vlan $vlan and mac $mac and ip $ip.\n" if $debug;
#my $sth = $dbh->prepare('select id, count from macs where vlan like \''.$vlan.'\' and mac like \''.$mac.'\' and switch like \''.$switch.'\'');
my $sth = $dbh->prepare('select id, count from macs where vlan like \''.$vlan.'\' and mac like \''.$mac.'\' and ip like \''.$ip.'\'');
$sth->execute();
my $result =$sth->fetchrow_hashref();
my $rows = $sth->rows;
#print "Value returned: $result->{id}. rows: $rows.\n";
if ($rows > 0){
#update
my $count = $result->{count} + 1;
my $sqlstr = 'update macs set count='.$count.' where id='.$result->{id}.' ';
print "sqlstr=$sqlstr\n" if $debug;
$dbh->do($sqlstr);
}else{
#insert
$dbh->do('insert into macs (switch,vlan,mac,ip,count,firstseen) values (\''.$switch.'\',\''.$vlan.'\',\''.$mac.'\',\''.$ip.'\',1,now() )');
}
}
sub usage(){
print "usage:\n";
print "\n";
print "getMacAddress -ip=<IP-Address> -type=<hpe|cisco|watchguard> -community=<SNMP-community> <-db>\n";
print "\n";
print " -ip: IP Address of switch to query\n";
print " -type: supported type = hpe or cisco or watchguard\n";
print " -community: SNMP community if unspecified default is public\n";
print " -db: if specified update database\n";
print "\n";
exit(1);
}
#########################################
##### needed database schema
#########################################
=sqlschema
CREATE TABLE IF NOT EXISTS `macs` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`switch` char(50) NOT NULL,
`vlan` char(50) NOT NULL,
`mac` char(50) NOT NULL,
`ip` char(50) NOT NULL,
`count` int(11) NOT NULL DEFAULT '0',
`firstseen` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`lastseen` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
=END
hostname korenix-4508-testswitch
vlan learning independent
!
vlan 1
!
vlan 99
name not-in-use
!
vlan 11
name vlan11
!
vlan 12
name vlan12
!
vlan 10
name management
!
interface fastethernet1
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet2
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet3
description vlan11
spanning-tree bpdufilter
switchport access vlan add 11
switchport trunk native vlan 11
!
interface fastethernet4
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet5
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet6
description not-in-use
spanning-tree bpdufilter
switchport access vlan add 99
switchport trunk native vlan 99
!
interface fastethernet7
acceptable frame type vlantaggedonly
description Uplink Trunk
switchport trunk allowed vlan add 10-12,99
!
interface fastethernet8
description management
switchport access vlan add 10
switchport trunk native vlan 10
!
interface lo
ip address 127.0.0.1/8
!
interface vlan1
shutdown
!
interface vlan10
ip address 10.20.30.250/24
no shutdown
!
ip route 0.0.0.0/0 10.20.30.254
!
log syslog local
log syslog remote 10.20.30.10
service http disable
service telnet disable
spanning-tree mst configuration
exit
clock timezone 27
clock set 0:0:0 1 1 2008
administrator admin my-secred-pwd
snmp-server community s4cpub ro
snmp-server host 10.20.30.10 version 2 s4cpub
snmp-server contact "my-contact"
snmp-server location Test-Location
warning-event coldstart
warning-event warmstart
warning-event authentication
warning-event linkdown fa1-8
warning-event linkup fa1-8
warning-event power 1
warning-event ring
warning-event fault-relay
dot1x radius server-ip 192.168.10.10 key radius-key 1812 1813
dot1x system-auth-control
dot1x authentic-method local
dot1x username admin passwd my-secred-pwd vlan 10
ntp peer enable
ntp peer primary 10.20.30.254
!
hiveos - network interface kills the local network
problem: a rig with nvidea rtx 3080 cards kills from time to the the whole network and also the wlan
on the fritzbox (7490) - seen with hive os version: 5.4.80-hiveos · H 0.6-190 · N 465.24.02 (april 2021)
solution:
>> see also https://forum.hiveos.farm/t/asus-b250-asrock-h110-e1000e-nic-hangs-entire-network-solution/32708
>> steps to do
1.)use command: ethtool -i eth0
to see your driver
root@myrig:~# ethtool -i eth0
driver: e1000e
version: 3.8.4-NAPI
firmware-version: 0.2-4
>> if it's an intel driver continue, if not I don't know if it helps as well ;-)
2.) turn off tcp-segmentation-offload and alos generic-segementation-offload
> in file /etc/network/interfaces, add the following line:
post-up ethtool -K eth0 tso off gso off
2.1) reboot the system
3.) now check if the settings have applied, by using command:
ethtool -k eth0 |grep tcp-segmentation-offload
ethtool -k eth0 |grep tx-tcp-segmentation
ethtool -k eth0 |grep generic-segmentation-offload
>> all the parameters above should now be "off"
Setup Windows Plotting machine
- installed standard chia client
- enter your security seed
- disable now upnp:
>> find chia.exe under
old path : c:\users\<username>\AppData\Local\chia-blockchain\app-1.1.1\resources\app.asar.unpacked\daemon\
new path: C:\ProgramData\<username>\chia-blockchain\app-1.1.5\resources\app.asar.unpacked\daemon>
>> chia.exe configure --enable-upnp false
>>restart application to active the change
-----------------
see also article > Farming on many machines > How to harvest on other machines that are not your main maschine
>> this is more secure but more complex ;-)
- https://github.com/Chia-Network/chia-blockchain/wiki/Farming-on-many-machines
- the main thing here is: then creating plots on the other harvesters, use chia plots create -f farmer_key -p pool_key, inserting the farmer and pool keys from your main machine.
Alternatively, you could copy your private keys over by using chia keys add, but this is less secure. After creating a plot, run chia plots check to ensure everything is working correctly.
let's have the scenario:
- domain controller is in trusted network
- a domain member is in DMZ, for example a Remote Desktop Farm and the users are authenticated through the domain
->> you need to open a lot of ports to get things running
>> see also document at microsoft page: Service overview and network port requirements for Windows
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements
my sample firewall rule look like this:
rds / windows server > to domain controller
53 udp dns
88 tcp kerberos
123 udp ntp
135 tcp location servcies
389 tcp ldap unsecure
445 tcp smb
636 tcp ldap secure
3268 tcp ldap gc
3269 tcp ldap secure gc
49152-65535 tcp upper portrange
Aruba CX Switch
for example 6100 series
commandline interface
- usb-c console port (usb-a to usb-c cable needed)
- usb console driver needed > get it from https://asp.arubanetworks.com > Software > search for "usb console driver"
- get com port number from device manager
- serial settings: speed = 115200
- initial username = admin, password is blank
- show running
- ntp server is enabled by default
some configurations
- vlan 1 static ip:
config
int vlan 1
description vlan-1
ip address 192.168.1.10/24
no shut
- interface config
int 1/1/1
descripton interface-1
vlan access 1
no shutdown
end
write memory
- some vlan
config
vlan 12
description vlan12
voice
exit
vlan 13
description vlan13
exit
interface 1/1/10-1/1/11
vlan trunk native 12
vlan trunk allowed 13,1
- show vlan port 1/1/10
- sh version #see firmware
- get firmware from https://asp.arubanetworkds.com, search for switch model > download latest firmware
- terminal monitor #live log (only available in ssh session)
if you use wireshark to check this error you see a tftp timeout and you thing there is a "network problem"
>> this was not the case in my case. The problem was a audio problem.
After I reset the audio settings to default and rebooted the machine the problem was gone
> there is a tool that is called "collect data", that comes with the softphone client software. You can use this tool to analyse the error, just press windows button and enter "collect data" to find and start the tool!
Aruba Instant version 8.5.0.1 now supports multiple PSKs (MPSK) for the same SSID. This means that each client
connected to the PSK based SSID will have its own unique PSK that is not shared with the rest of the clients. This feature
requires Aruba ClearPass 6.8.x to be the authentication server.
https://community.arubanetworks.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=1bb73a74-0ea1-4111-b5cb-ebed597e91b5
for example to be used with aruba iap accesspoints
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=34748
example:
port-access lldp-group IAP-group
seq 30 match vendor-oui 000b86
exit
port-access role IAP-role
description Aruba IAP
poe-priority high
trust-mode dscp
vlan trunk native 1
vlan trunk allowed 1-3,99
exit
port-access device-profile IAP-prof
enable
associate role IAP-role
associate lldp-group IAP-group
hpe procurve / aruba os - dhcp
>> you need to turn on "dhcp-server enable" in the global config to enable the dhcp server!
## in vlan section enable using the dhcp-server command
vlan 20
name "mgmt"
untagged 1/41-1/43
tagged Trk3
ip address 10.99.22.250 255.255.255.0
dhcp-server <<<<<<<<<<<<<<<<<<<
exit
#define a pool using the same name as the vlan
dhcp-server pool "mgmt" <<<<<<<<<<<<<<<<<<
authoritative
default-router "10.99.22.250"
dns-server "192.168.2.1"
network 10.99.22.0 255.255.255.0
range 10.99.22.10 10.99.22.20
exit
Error message:
W 11/19/21 04:12:15 00562 ports: port 2 PD Over Current indication.
>> enabled "device profiles" for access points are consuming to "much" power but only reservered power. if you check the real power consumtion, there is still enough power left on the device
>> workaround
(1): disable device profiles and add vlan configuration in a static way
(2): reconfigure the lldp "talk" between switch and access point, by using the setting:
no lldp config <port#> dot3TlvEnable poeplus_config
##see also:
https://www.reddit.com/r/networking/comments/4dl6rv/hp_2530_2448_port_poe_not_delivering_poe/
ClearPass Admin Access via Active Directory
- see also Workshop: https://www.youtube.com/watch?v=L2U_IjWFmUI
- Configuration -> Services
>> make a copy of Default Service Rule [Policy Manager Admin Network Login Service]
[ square braket’s mean default rule ]
call the new server “yoursuffix_Policy Manager Admin Network Login Service”
- Reorder new service > move to first position
- Service configuration:
- Authentication Tab: Authentication Sources
remove [Local User Repository]
remove [Admin User Repository]
add your Active Directory “Authentication Source”
- Roles >> no Role Mapping
- Enforcement
>> make a copy of Default Enformement Policy [Admin Network Login Policy]
[ square braket’s mean default rule ]
call the Enforcement Policy “yoursuffix_Admin Network Login Policy”
>> Add a Rule:
Authorization:your-Active-Directory-authentication source
memberOf EQUALS “your-add-group”
>> Profile Names: choose [TACACS+ Super Admin]
- Test login in private browser windows + check under Monitoring > Access Tracer
- User “admin” will always work!
HPE ArubaOS-CX - ZTP events are beeing logged all the time
this events are seen all the time (every 2-3 minutes), seen on Version: GL.10.08.1021
2021-10-10T16:10:53.086141+0200 dhcp_options[890470] <INFO> Event|8714|LOG_INFO|AMM|-|ZTP: TFTP server option not provided
2021-10-10T16:10:53.086631+0200 dhcp_options[890470] <INFO> Event|8712|LOG_INFO|AMM|-|ZTP: Image file not provided
2021-10-10T16:10:53.086683+0200 dhcp_options[890470] <INFO> Event|8713|LOG_INFO|AMM|-|ZTP: Config file not provided
2021-10-10T16:10:53.086714+0200 dhcp_options[890470] <INFO> Event|8723|LOG_INFO|AMM|-|ZTP: Aruba Central location option not provided
2021-10-10T16:10:53.086752+0200 dhcp_options[890470] <INFO> Event|8726|LOG_INFO|AMM|-|ZTP: HTTP proxy location was not received in the DHCP offer.
show ztp information
TFTP Server : NA
Image File : NA
Configuration File : NA
Status : Failed - Custom startup configuration detected
Aruba Central Location : NA
Force-Provision : Disabled
HTTP Proxy Location : NA
from Aruba documentation:
Zero Touch Provisioning
Zero Touch Provisioning (ZTP) enables the auto-configuration of factory default switches without a network administrator onsite.
When a switch is booted from its factory default configuration, ZTP autoprovisions the switch by automatically downloading and
installing a firmware file, a configuration file, or both.
With ZTP, even a nontechnical user (for example: a store manager in a retail chain or a teacher in a school)
can deploy devices at a site.
#handle with care ;-)
ztp force-provision
Usage
DHCP options received are processed independent of he current state of configuration on the switch.
Previous ZTP TFTP Server, Image File, Configuration File, Aruba Central Location, and HTTP Proxy location
options are cleared and the switch sends a DHCP request.
>> disable with "no ztp force-provision"
#
########################
Solution
#######################
>>> currently no command to disable this event
>>> solution to filter out messages in event log:
logging filter ztp
enable
10 deny event-id 8714
20 deny event-id 8712
30 deny event-id 8713
40 deny event-id 8723
50 deny event-id 8726
60 deny event-id 8709
70 deny event-id 8730
80 deny event-id 8701
>> check with "show event -r"
###see also:
https://www.youtube.com/watch?v=lI3mChuUhr0
https://ase.arubanetworks.com/solutions?page=1&page_size=20&order=-modified
- template builder for radius aaa and more
scenario: copy a virtual linux system and give the new system another ip address
1) find out the new mac adress ( for example in vmware settings)
2) disconnect network interface and boot up the system
3) make changes in this files
---- /etc/hosts #maybe change ip
---- /etc/sysconfig/network-scirpts/ifcfg-eth0 #change mac to new mac + ip
---- /etc/udev/rules.d/70-persistent-net-rules #change mac to new mac
4) shutdown system
5) connect interface > start system > ping + tests
6300xx example
- show images (check Active Image - should be primary)
- 2 partition on switch: primary / secondary
- show version: see the Active Image
- copy primary secondary #backup primary to secondary
- copy tftp://ip/filename.swi primary <vrf mgm>
sample: copy tftp://192.168.100.1/ArubaOS-CX_6400-6300_10_08_1030.swi primary <vrf mgmt>
- copy sftp://user@ip/filename.swi primary <vrf mgmt>
sample: copy sftp://pi@192.168.100.1//srv/tftp/ArubaOS-CX_6400-6300_10_08_1030.swi primary
- [not necessary since we boot on primary] boot set-default secondary #set boot-image to secondary
- show images (check versions again)
- boot system >> Continue >> Enter "y"
> Multiple components will be updated and several reboots will be triggered during these updates. When
>all component updates are completed, the switch console port will arrive at the login prompt
- vsf environment
- if image is uploaded to the "conductor" > all members will also upgrade
- vsf member <x> reboots #reboot a member
- boot system #whole stack will be rebooted
#see also
- documentation: https://www.arubanetworks.com/techdocs/AOS-CX/10.09/PDF/vsf.pdf
- Firmware update
- https://www.youtube.com/watch?v=kCNK5djDq0k
#Monitoring Lenovo Xclarity Controller
- for example ThinkSystem SR630
on XClarity Controller
(1) Define contact and location
To enable the SNMPv3 agent, the following criteria must be met:
A BMC contact is specified
A BMC location is specified
Server Configuration > Server Properties:
define contact and building (= location)
(2) add a local user
BMC Configuration
User /LDAP > Global Settings: unset option "Force to change password on first access"
User/LDAP: add a local user
monitor / <password>
Authority level: Read-only
under SNMP Settings choose Authentication protocol "HMAC-SHA"
(3) enable snmp-v3
BMC Configuration
Network > SNMP setup
>> Enable SNMPv3 Agent >> Apply
(4) test snmp query
snmpwalk -v 3 -u monitor <host||ip-address> #if there is no Authentication protocol
snmpwalk -v 3 -u monitor <host||ip-address> -l authNoPriv -a SHA -A <password> #if Authentication protocol = HMAC-SHA
(5) don't forget to disable password expiration!
BMC Configuration
User /LDAP > Global Settings:
Password expiration period: 0
Password expiration warning period:0
-----------------------------------
>> now get check_ lenovo xcc script from exchange.nagios.org:
https://exchange.nagios.org/directory/Plugins/Hardware/Server-Hardware/Lenovo/check_-lenovo-xcc-bash/details
run test:
check_lenovo_xcc.sh -H $HOSTADDRESS$ -u monitor -l authNoPriv -a SHA -A <password> -T health
-----------------------------------
errors and solutions:
- snmpwalk: Unknown user name
>> solution: BMC configuration > User/LDAP > Global Settings
>> unset option "Force to change password on first access"
- snmpwalk: Unsupported security level
>> solution: maybe missing Authentication protocol under User/LDAP > user specific SNMP Settings
WatchGuard FireCluster configuration
####################################
pre-config:
-----------
0.1 get feature key from member_2 via the WatchGuard website
0.2 comply with naming convention
0.3 save feature key from member_2
config:
-------
1.1 network > configuration > interface
1.2 last available interface will become the cluster_interface
1.2.1 activate interface
1.2.2 name interface
1.2.3 deactivate interface
1.3 firecluster > configure
1.4 enable firecluster
1.5 enable active/passive cluster
1.6 select cluster_interface
1.7 managment interface is the one you access the firewall with
1.8 switch to advanced tab
1.8.1 enable monitor hardware status
1.9 switch to member tab
1.10 edit member_1
1.10.1 primary cluster > 169.254.254.1/24 (for heartbeat only)
1.10.2 enter management ipv4 > ex. 10.0.0.251/24
1.11 add new member_2
1.11.1 add saved feature key
1.11.2 primary cluster > 169.254.254.2/24 (for heartbeat only)
1.11.3 enter management ipv4 > ex. 10.0.0.252/24
1.12 setup > system > change name to wg...-ha (high availability)
nice and simple ping tools to measure availability in your network
(1)
PingInfoView - Ping monitor utility
https://www.nirsoft.net/utils/multiple_ping_tool.html
(2)
Multiping Grapher
just a simple exe file, software is not up2date anymore but still works
https://www.heise.de/download/product/multiping-grapher-38992
ArubaOS-CX wake on lan / ip directed broadcast
how to handle wake on lan packets on ArubaOS-CX switches?
using ip directed broadcast to get WOL (wake on LAN) running over different routed subnets.
On ArubaOS-CX switches IP directed broadcast is supported on:
- Route Only Port (ROP)
- Switched Virtual Interface (SVI)
- Layer 3 Link Aggregation Group (L3LAG) interfaces
example:
turn ip directed broadcast on for vlan 999:
switch(config)# interface vlan 999
no shutdown
ip address 10.0.21.1/24
ip directed-broadcast
> now all ip directed broadcast will be "broadcasted" to all members in vlan 999
> ACL (Access lists) can be used to only allow this ip-directed broadcast from specific ip-adresses,
for example only ip 10.0.20.20 is allowed to send wol
access-list ip ipdb
10 permit udp 10.0.20.20 any eq 7
100 deny udp any any eq 7
#apply access list on interface where the packets are initiated
interface vlan500
apply access-list ip ipdb routed-in
#commands
show ip interface vlan999 #show ip directed broadcast status on interface
show ip directed-broadcast #gives you an overview where ip directed broadasts are enabled
see also:
https://www.arubanetworks.com/techdocs/AOS-CX/10.08/PDF/ip_route_6300-6400-83xx.pdf
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=28864
---------------------------------------------------------
how to use wol.exe to initiate a ip directed broadcast packet:
wol.exe <<destination mac>> /d 10.0.21.255
>> 10.0.21.255 is the broadcast network address of the subnet 10.0.21.0/24
>> wol.exe - you can download it from: https://www.heise.de/download/product/wol.exe-43799
Pin TIA-568A
1 green-white
2 green
3 orange-white
4 blue
5 blue-white
6 orange
7 brown-white
8 brown
Pin TIA-568B
1 orange-white
2 orange
3 green-white
4 blue
5 blue-white
6 green
7 brown-white
8 brown
essential information from youtube videos of Airhead Broadcasting channel:
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #1 Wired 802.1X
---------------------------------------------------------------------------------------------------
- see also: HPE Aruba Wired Enforcement Guide
- 802.1x on windows: services > Wired AutoConfig > set to automatic
after service is enabled, an "authentication" tab is visable in the network settings of the interface
>> decide between user or computer authentication
- in clearpass create a network device + a shared secret
- port bounce: interface 1/x/x > shutdown > no shutdown
- in clearpass create a a 802.1X Wired service, choose active directory as authenticaton source
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #2 Wired User Roles
---------------------------------------------------------------------------------------------------
- Rolebased access with local user roles
- best practise enable accounting: aaa accounting port-access start-stop interim 60 group clearpass
- best practise enable client visability:
client track ip #enable on global level
vlan xx
client track ip #enable per vlan
#on uplink port do a: client track ip disable
- in Clearpass Enforcement profile assign a role: for example admin
- create role on switch:
port-access role admin
vlan access name Management VLAN
- check on switch with: show port-access clients
- make username visable > create enforcement profile that reads out the username and sends it back via radius,
than the "show port-access client" will also show the username,
you can make the same with the computername
- Video about Aruba Dynamic Segmentation on AOS-CX: downloadable user roles and more
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #3 Device Profiling
---------------------------------------------------------------------------------------------------
- device profiling: dhcp profiling, ip helper on core switch
- trigger a new dhcp request: Clearpass Access Tracker -> Change Status > choose port bounce
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #4 Wired MAC Authentication
---------------------------------------------------------------------------------------------------
- default setting the switch will first try and timeout for 802.1X before it attempts MAC Authentication,
default timeout is 2 minutes and 30 seconds
>> solution: port-access onboarding-method concurrent enable
- configure the Profiling tab in our service to automatically trigger a port bounce as soon as ClearPass profiles a new or changed device.
- Clearpasss Radius Mac Authentication service
- enable Profile Endpoints
- Authentication Method: Allow All Mac Auth (with All only "known" endpoints are considered)
- Authentication Source: Endpoint Repository (so you can use the profiling information)
- Profiler: Radius CoA Action > AOS-CX Bounce Port, triggered it to "Any category / OS Family / Name",
so if the device is connection the first time it will be bounced, and we know the device type
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #5 Wired MAC Enforcement
---------------------------------------------------------------------------------------------------
allow role based traffice for the endpoint
- define some classes, like: "class ip class-dns", "class ip class-private", "class ip class-pbx"
- bring the classes together to policies:
port-access policy pol-internet
10 class ip class-dhcp
20 class ip class-dns
30 class ip class-private action drop
40 class ip class-any
- port-access role profiler
associate policy pol-profile
vlan access name Untrusted VLAN
- port-access role machine
vlan access name Corporate VLAN
- port-access role voip
associate policy pol-voip
vlan access name Voice VLAN
- in clearpass define roles, and define rolemapping
- in clearpass define enforcement profiles, to return the role names, for example:
Radius:Aruba > Aruba-User-Role(1) = voip
Radius:Aruba > Aruba-User-Role(1) = profiler
- check with "show port-access clients" on switch
---------------------------------------------------------------------------------------------------
Aruba ClearPass Workshop (2021) - AOS-CX Wired #6 Wired Device behind phone - AP with tagged VLANs
---------------------------------------------------------------------------------------------------
- allow more devices behind a port:
interface 1/1/1-1/1/24
aaa authentication port-access client-limit 3 #default is one
- show client ip
- special role for a accesspoint, the special thing is the "auth-mode":
port-access role instant-ap
vlan trunk native name Management VLAN
vlan trunk allowed name Guest1 VLAN
vlan trunk allowed name Guest2 VLAN
auth-mode device-mode
- auth-mode:
client-mode: authenticate all devices
device-mode: authenticate just the first device
multi-domain: authentication for the native vlan and one for the voice vlan
- check with "show port-access clients" >> Authentication Mode should be seen as "device-mode"
see information about security advisories here:
https://www.arubanetworks.com/support-services/security-bulletins/
checkmk performance tuning
usually your checkmk site is becoming bigger and bigger .. this could lead to error messagen and performance issues if there are many services and hosts to be monitored
> use global fetcher and checker settings to optimize execution of checks. The
> settings can be found under Setup > General > Global settings:
> Use spearate fetchers and checkers should be on!
- fetchers:
they make the network communication, for example the snmp query or the query for the checkmk agent.
This query takes some time and uses about 30MB per process
Rule: increase that number, if you have enough free memory left on the server
- checker:
the checker processes are processing the collected data from the fetchers. A checker needs at least 90MB. Use only so many checkers as your machine has cores!
Rule: Use only so many checkers as your machine has cores!
### further reading
- https://docs.checkmk.com/latest/en/cmc_differences.html
in switch log I detected messages like:
Mar 09 10:34:38 switch-8320-1 hpe-restd[4889]: Event|7708|LOG_INFO|AMM|1/1|Certificate devices-v2.arubanetworks.com verified and accepted
>> since I don't want to use Aruba central in this setup let's disable it:
switch-8320-1# conf t
switch-8320-1(config)# aruba-central
switch-8320-1(config-aruba-central)# disable
switch-8320-1(config-aruba-central)# exit
switch-8320-1(config)#
---
to check the Aruba Central settings run command:
switch-8320-1(config)# show aruba-central
Central admin state : disabled
Central location : N/A
VRF for connection : N/A
Shared Token : N/A
Central connection status : N/A
Central source : none
Central source connection status : N/A
Central source last connected on : N/A
System time synchronized from Activate : False
Activate Server URL : devices-v2.arubanetworks.com
CLI location : N/A
CLI VRF : N/A
Source IP : N/A
Source IP Overridden : False
Central support mode : disabled
>> you should see the admin state "disabled"
Monitoring Riello USV with NetMan 204 adapter using snmp
NetMan 204 Network Adapter
> users manual: https://www.riello-ups.com/uploads/file/768/2768/0MNACCSA4ENUL__MAN_ACC_NETMAN_204_EN_.pdf
> mib files can be found, also on riello-ups website: https://www.riello-ups.com/uploads/file/136/1136/MIBs.zip
>> important mib: RFC1628A.MIB
>> short solution:
(1):
use a simple perl script to get data in checkmk format:
https://computer2know.de/checknetman.pl-script-to-get-usv-load-and-power-in-watts-from-a-riello-usv-in-checkmk-agent-format:::656.html
(2):
use a Nagios script
https://exchange.nagios.org/directory/Plugins/Hardware/UPS/SNMP-UPS-Check/details
run it like:
./check_ups_snmp -H 10.115.0.82 -C pnpub -t status
OK: Battery Status Normal.
or
./check_ups_snmp -H 10.115.0.82 -C pnpub -t alarm
OK: 0 alarms present.|'alarms'=0
=====================================================================================================
my detail analysis ....
Doing a snmpwalk on the device:
------------------------------------
snmpwalk -c my-community -v 2c usv-ip-address
SNMPv2-MIB::sysDescr.0 = STRING: NetMan 204
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.5491.6
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (2761455986) 319 days, 14:42:39.86
SNMPv2-MIB::sysContact.0 = STRING: my-organisation
SNMPv2-MIB::sysName.0 = STRING: my-usv-name
SNMPv2-MIB::sysLocation.0 = STRING: my-localtion
SNMPv2-MIB::sysServices.0 = INTEGER: 0
IF-MIB::ifNumber.0 = INTEGER: 1
IF-MIB::ifPhysAddress = STRING: 0:0:0:5:22:99
SNMPv2-SMI::mib-2.33.1.1.1.0 = STRING: "RPS SpA"
SNMPv2-SMI::mib-2.33.1.1.2.0 = STRING: "T2MK20 "
SNMPv2-SMI::mib-2.33.1.1.3.0 = STRING: "SWM022-02-21"
SNMPv2-SMI::mib-2.33.1.1.4.0 = STRING: "AppVer. 01.03.010"
SNMPv2-SMI::mib-2.33.1.1.5.0 = STRING: "FT-H 20 kVA "
SNMPv2-SMI::mib-2.33.1.1.6.0 = STRING: "??? "
SNMPv2-SMI::mib-2.33.1.2.1.0 = INTEGER: 2 !!#upsBatteryStatus 2 = should be on batteryNormal
SNMPv2-SMI::mib-2.33.1.2.2.0 = INTEGER: 0 #upsSecondsOnBattery
SNMPv2-SMI::mib-2.33.1.2.3.0 = INTEGER: 60 #upsEstimatedMinutesRemaining
SNMPv2-SMI::mib-2.33.1.2.4.0 = INTEGER: 100 #upsEstimatedChargeRemaining
SNMPv2-SMI::mib-2.33.1.2.5.0 = INTEGER: 2726 #upsBatteryVoltage
SNMPv2-SMI::mib-2.33.1.2.6.0 = INTEGER: 0 #upsBatteryCurrent
SNMPv2-SMI::mib-2.33.1.2.7.0 = INTEGER: 23 !!#upsBatteryTemperature - The ambient temperature at or near the UPS Battery casing.
SNMPv2-SMI::mib-2.33.1.3.1.0 = Counter32: 0
SNMPv2-SMI::mib-2.33.1.3.2.0 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.3.3.1.1.1 = INTEGER: 1 #upsInputLineBads
SNMPv2-SMI::mib-2.33.1.3.3.1.1.2 = INTEGER: 2 #upsInputNumLines
SNMPv2-SMI::mib-2.33.1.3.3.1.1.3 = INTEGER: 3 #upsInputTable
SNMPv2-SMI::mib-2.33.1.3.3.1.2.1 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.2.2 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.2.3 = INTEGER: 500 #upsInputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.3.3.1.3.1 = INTEGER: 232 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.3.2 = INTEGER: 233 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.3.3 = INTEGER: 232 #upsInputVoltage
SNMPv2-SMI::mib-2.33.1.3.3.1.4.1 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.4.2 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.4.3 = INTEGER: -1 #upsInputCurrent
SNMPv2-SMI::mib-2.33.1.3.3.1.5.1 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.3.3.1.5.2 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.3.3.1.5.3 = INTEGER: 0 #upsInputTruePower
SNMPv2-SMI::mib-2.33.1.4.1.0 = INTEGER: 3 !!#upsOutputSource 3 = normal
SNMPv2-SMI::mib-2.33.1.4.2.0 = INTEGER: 500 #upsOutputFrequency -- UNITS 0.1 Hertz
SNMPv2-SMI::mib-2.33.1.4.3.0 = INTEGER: 3 #upsOutputNumLines
SNMPv2-SMI::mib-2.33.1.4.4.1.1.1 = INTEGER: 1 #upsOutputLineIndex >> 3 out put lines!
SNMPv2-SMI::mib-2.33.1.4.4.1.1.2 = INTEGER: 2 #upsOutputLineIndex
SNMPv2-SMI::mib-2.33.1.4.4.1.1.3 = INTEGER: 3 #upsOutputLineIndex
SNMPv2-SMI::mib-2.33.1.4.4.1.2.1 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.2.2 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.2.3 = INTEGER: 230 #upsOutputVoltage
SNMPv2-SMI::mib-2.33.1.4.4.1.3.1 = INTEGER: 110 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.3.2 = INTEGER: 75 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.3.3 = INTEGER: 23 #upsOutputCurrent -- UNITS 0.1 RMS Amp
SNMPv2-SMI::mib-2.33.1.4.4.1.4.1 = INTEGER: 2290 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.4.2 = INTEGER: 1590 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.4.3 = INTEGER: 432 !!#upsOutputPower -- UNITS Watts
SNMPv2-SMI::mib-2.33.1.4.4.1.5.1 = INTEGER: 38 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.4.4.1.5.2 = INTEGER: 26 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.4.4.1.5.3 = INTEGER: 7 !!#upsOutputPercentLoad
SNMPv2-SMI::mib-2.33.1.5.1.0 = INTEGER: 500 #upsBypassFrequency
SNMPv2-SMI::mib-2.33.1.5.2.0 = INTEGER: 3 #upsBypassNumLines
SNMPv2-SMI::mib-2.33.1.5.3.1.1.1 = INTEGER: 1
SNMPv2-SMI::mib-2.33.1.5.3.1.1.2 = INTEGER: 2
SNMPv2-SMI::mib-2.33.1.5.3.1.1.3 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.5.3.1.2.1 = INTEGER: 232
SNMPv2-SMI::mib-2.33.1.5.3.1.2.2 = INTEGER: 231
SNMPv2-SMI::mib-2.33.1.5.3.1.2.3 = INTEGER: 233
SNMPv2-SMI::mib-2.33.1.5.3.1.3.1 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.3.2 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.3.3 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.1 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.2 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.5.3.1.4.3 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.6.1.0 = Gauge32: 0 #upsALARM : The present number of active alarm conditions. >> if 0 == No alarms present.
SNMPv2-SMI::mib-2.33.1.6.2.1.1.1 = INTEGER: 1
SNMPv2-SMI::mib-2.33.1.6.2.1.1.2 = INTEGER: 2
SNMPv2-SMI::mib-2.33.1.6.2.1.1.3 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.6.2.1.1.4 = INTEGER: 4
SNMPv2-SMI::mib-2.33.1.6.2.1.1.5 = INTEGER: 5
SNMPv2-SMI::mib-2.33.1.6.2.1.1.6 = INTEGER: 6
SNMPv2-SMI::mib-2.33.1.6.2.1.1.7 = INTEGER: 7
SNMPv2-SMI::mib-2.33.1.6.2.1.1.8 = INTEGER: 8
SNMPv2-SMI::mib-2.33.1.6.2.1.1.9 = INTEGER: 9
SNMPv2-SMI::mib-2.33.1.6.2.1.1.10 = INTEGER: 10
SNMPv2-SMI::mib-2.33.1.6.2.1.2.1 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.2 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.3 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.4 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.5 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.6 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.7 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.8 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.9 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.2.10 = OID: SNMPv2-SMI::zeroDotZero.0.0.0.0.0.0.0.0.0
SNMPv2-SMI::mib-2.33.1.6.2.1.3.1 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.2 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.3 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.4 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.5 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.6 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.7 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.8 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.9 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.6.2.1.3.10 = Timeticks: (0) 0:00:00.00
SNMPv2-SMI::mib-2.33.1.8.1.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.2.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.3.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.4.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.8.5.0 = INTEGER: -1
SNMPv2-SMI::mib-2.33.1.9.1.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.2.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.3.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.4.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.5.0 = INTEGER: 20000
SNMPv2-SMI::mib-2.33.1.9.6.0 = INTEGER: 18000
SNMPv2-SMI::mib-2.33.1.9.7.0 = INTEGER: 3
SNMPv2-SMI::mib-2.33.1.9.8.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.9.0 = INTEGER: 0
SNMPv2-SMI::mib-2.33.1.9.10.0 = INTEGER: 0
---------------------------------------------------------------------------
- if you want to react on snmp traps
---------------------------------------------------------------------------
SensorTrap.mib:
-- IRMS-MIB { iso org(3) dod(6) internet(1) private(4)
-- enterprises(1) riello(5491) }
SENSORTRAP-MIB DEFINITIONS ::= BEGIN
-- Title: SENSOR TRAP MIB
-- Version: 1.0 by Michele Marcon
-- Date: 02.11.2009
IMPORTS
enterprises
FROM RFC1155-SMI
OBJECT-TYPE
FROM RFC-1212
TRAP-TYPE
FROM RFC-1215;
rielloMIB OBJECT IDENTIFIER ::= { enterprises 5491 }
sensorgroup OBJECT IDENTIFIER ::= { rielloMIB 9 }
sensor OBJECT IDENTIFIER ::= { sensorgroup 1 }
sensorId OBJECT-TYPE
SYNTAX INTEGER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The number of the sensor."
::= { sensor 1 }
sensorTrapGroup OBJECT IDENTIFIER ::= { sensor 2 }
sensorAlarmTMax TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when temperature reaches maximum level"
::= 1
sensorAlarmTMaxRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when temperature returns to standard level"
::= 2
sensorAlarmTMin TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when temperature reaches minimum level"
::= 3
sensorAlarmTMinRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when temperature returns to standard level"
::= 4
sensorIOAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when input contact is in alarm"
::= 5
sensorIOAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when input contact is normal"
::= 6
sensorHumidityAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when humidity reaches maximum level"
::= 7
sensorHumidityAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when humidity returns to normal level"
::= 8
sensorHumidityLowAlarm TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent each minute when humidity reaches minimum level"
::= 9
sensorHumidityLowAlarmRemoved TRAP-TYPE
ENTERPRISE sensorTrapGroup
VARIABLES { sensorId }
DESCRIPTION "This trap is sent when humidity returns to normal level"
::= 10
END
sample snmpwalk command to get out, some information from the vsa:
#default community string ist public
snmpwalk -v 2c -c public <vsa-ip-address> .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.19
some interesting snmp mib variables can be found in the file "LEFTHAND-NETWORKS-NSM-CLUSTERING-MIB.mib", which can be found on the internet
for example:
clusModuleStorageStatus storage status of a module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.19
clusModuleRaidStatus RAID status of a module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.10
clusModuleName hostname of module .1.3.6.1.4.1.9804.3.1.1.2.12.46.1.4
.1.3.6.1.4.1.9804.3.1.1.2.12.46.1.2
>> have this knowledge, you can easily build a simple perl script that queries the information from the VSA and formats to "checkmk" format, so that it can be used as an "individual script":
--------------------------------------------------------------------------------------
checkVSACluster.pl
--------------------------------------------------------------------------------------
#!/bin/perl
######################################################################################
#
# VSA Cluster Monitor
#
#
#
#[root@pnrtnagios01 ~]# snmpwalk -c public -v 2c 10.10.10.10 .1.3.6.1.4.1.9804.3.1.1.2.12.48.1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.2.1 = STRING: "MyCluster" #Clustername
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.3.1 = Gauge32: 2
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.4.1 = Gauge32: 3
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.7.1 = Counter64: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.8.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.15.1 = Gauge32: 1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.16.1 = INTEGER: 1
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.17.1 = Counter64: 13773420544 #clusClusterAvailableSpace /Space available to create volumes (assuming one replica) in the cluster.
# Divide by the number of replicas to obtain the true number.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.20.1 = Counter64: 322388095 #clusClusterStatsIOsRead /A counter of IO read operations in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.21.1 = Counter64: 605929634 #clusClusterStatsIOsWrite /A counter of IO write operations in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.22.1 = Counter64: 26001669629952 # clusClusterStatsBytesRead /The number of bytes read from the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.23.1 = Counter64: 15787429566976 # clusClusterStatsBytesWrite /The number of bytes written to the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.24.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.25.1 = Gauge32: 0
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.26.1 = Counter64: 882064504 #clusClusterStatsIoLatencyRead /The total time spent waiting for read operations to complete in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.27.1 = Counter64: 4432349402 #clusClusterStatsIoLatencyWrite /The total time spent waiting for write operations to complete in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.28.1 = Counter64: 221403500 #clusClusterStatsCacheHits /The number of read cache hits and read ahead hits in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.29.1 = Counter64: 20930038784 #clusClusterTotalSpace /The total space for data storage in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.30.1 = Counter64: 7156618240 #clusClusterProvisionedSpace /The amount of storage space that has been provisioned in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.31.1 = Counter64: 7154634240 #clusClusterUsedSpace /The amount of storage space that has been used in the cluster.
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.32.1 = Gauge32: 34 #ClusterUtilization /The percentage of storage space that has been used in the cluster.
#
# sample nagios check output
# OK - www.google.de: rta 33,341ms, lost 0%|rta=33,341ms;200,000;500,000;0; pl=0%;40;80;; rtmax=33,362ms;;;; rtmin=33,309ms;;;;
#
# see also: http://community.hpe.com/t5/HPE-StoreVirtual-Storage/SNMP-Monitoring/td-p/4390990
# 4. PNP Templates for local checks
# https://mathias-kettner.de/checkmk_localchecks.html#PNP%20Templates%20for%20local%20checks
# All those files are expected to be in the same directory as check_mk-local.php.
#
######################################################################################
if ($ARGV[0] eq '' ){
print "Usage: checkVSACluster.pl <hostname or ip-address> <snmp community - if not specified public is used> <80 - warning> <90 - critical>\n";
print " example checkVSACluster.pl 192.168.2.1 public 80 90\n";
print "\n";
exit(1);
}
$clusterip = $ARGV[0];
$community = $ARGV[1];
$warning = $ARGV[2];
$critical= $ARGV[3];
$warning=80 if $warning eq '';
$critical=87 if $critical eq '';
#$clusterip='10.125.30.15';
$community='public' if $community eq '';
$debug=0; #1=on
%foundHash={};
$clustername = '';
print "<<<check_mk>>>\n";
print "Version: pn-v2016-07-22\n";
print "<<<local>>>\n";
open(IN,"snmpwalk -v 2c -c $community $clusterip .1.3.6.1.4.1.9804.3.1.1.2.12.48.1 2>/dev/null |");
while(<IN>){
$line = $_;
chomp($line);
print "$line\n" if $debug;
if ($line =~ /9804.3.1.1.2.12.48.1.2.1.*\"(.*)\"$/){
print "clustername = $1\n" if $debug;
$clustername=$1;
}
#read write information
if ($line =~ /9804.3.1.1.2.12.48.1.20.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsIOsRead count=$1c $clustername: counter of IO read operations in the cluster $1.\n";
$foundHash{'VSA-ClusterStatsIOsRead'}=1;
}
if ($line =~ /9804.3.1.1.2.12.48.1.21.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsIOsWrite count=$1c $clustername: counter of IO write operations in the cluster $1.\n";
$foundHash{'VSA-ClusterStatsIOsWrite'}=1;
}
if ($line =~ /9804.3.1.1.2.12.48.1.22.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsBytesRead count=$1c $clustername: The number of bytes read from the cluster $1.\n";
$foundHash{'VSA-ClusterStatsBytesRead'}=1;
}
if ($line =~ /9804.3.1.1.2.12.48.1.23.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsBytesWrite count=$1c $clustername: The number of bytes written to the cluster $1.\n";
$foundHash{'VSA-ClusterStatsBytesWrite'}=1;
}
#Io Latency
if ($line =~ /9804.3.1.1.2.12.48.1.26.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsIoLatencyRead count=$1c $clustername: The total time spent waiting for read operations to complete in the cluster $1.\n";
$foundHash{'VSA-ClusterStatsIoLatencyRead'}=1;
}
if ($line =~ /9804.3.1.1.2.12.48.1.27.1.*Counter64:\s(\d*)$/){
print "0 VSA-ClusterStatsIoLatencyWrite count=$1c $clustername: The total time spent waiting for write operations to complete in the cluster $1.\n";
$foundHash{'VSA-ClusterStatsIoLatencyWrite'}=1;
}
#space used
#print "$line\n";
#SNMPv2-SMI::enterprises.9804.3.1.1.2.12.48.1.32.1 = Gauge32: 80
if ($line =~ /9804.3.1.1.2.12.48.1.32.1.*Gauge32:\s(\d*)$/){
if ($1 >= $critical){
print "2 VSA-ClusterUtilization count=$1 $clustername: percentage of storage space used = $1.\n";
}else{
if ($1 >= $warning ){
print "1 VSA-ClusterUtilization count=$1 $clustername: percentage of storage space used = $1.\n";
}else{
print "0 VSA-ClusterUtilization count=$1 $clustername: percentage of storage space used = $1.\n";
}
}
$foundHash{'VSA-ClusterUtilization'}=1;
}
}
close(IN);
if (! exists $foundHash{'VSA-ClusterStatsIOsRead'}){print "1 VSA-ClusterStatsIOsRead count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterStatsIOsWrite'}){print "1 VSA-ClusterStatsIOsWrite count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterStatsBytesRead'}){print "1 VSA-ClusterStatsBytesRead count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterStatsBytesWrite'}){print "1 VSA-ClusterStatsBytesWrite count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterStatsIoLatencyRead'}){print "1 VSA-ClusterStatsIoLatencyRead count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterStatsIoLatencyWrite'}){print "1 VSA-ClusterStatsIoLatencyWrite count=c $clustername: no values found!\n";}
if (! exists $foundHash{'VSA-ClusterUtilization'}){print "1 VSA-ClusterUtilization count=c $clustername: no values found!\n";}
#1# Curent Management IP Configuraiton
admin:/>show system management_ip
Port ID : CTE0.A.MGMT
IPv4 Address : xxx.xxx.xxx.182
Subnet Mask : 255.255.255.0
IPv4 Gateway : xxx.xxx.xxx.250
IPv6 Address : --
IPv6 Prefix Length : --
IPv6 Gateway :
-------------------------------------
Port ID : CTE0.B.MGMT
IPv4 Address : xxx.xxx.xxx.183
Subnet Mask : 255.255.255.0
IPv4 Gateway : xxx.xxx.xxx.250
IPv6 Address : --
IPv6 Prefix Length : --
IPv6 Gateway :
#2# Change Management IP Configuration
admin:/>change system management_ip eth_port_id=CTE0.A.MGMT ip_type=ipv4_address ipv4_address=xxx.xxx.xxx.182 mask=255.255.255.0 gateway_ipv4=xxx.xxx.xxx.250
Reference:
https://support.huawei.com/enterprise/de/doc/EDOC1100112639/f4ff0349/changing-ip-addresses-of-management-network-ports-using-a-serial-port
#click on ? in the right corner > click "documentation center" >> now a new page is opened:
for example:
https://www.arubanetworks.com/techdocs/central/2.5.7/content/nms/nwk-services/conf-visitors.htm
>> in this case the version is 2.5.7
---------------------------------------------------------------------
#how to see the version until 2.5.4?
1) click on "?" in the top right courner
2) click on "Documentation Center"
3) see under "What's New": See What's New in 2.5.5 for more information
>> in this case "2.5.5" is the version your instance is running at
#this worked until version 2.5.4
https://app-eucentral3.central.arubanetworks.com/admin/version
>> for example: AUTO-ATH-2.5.4-269-P
IMC license transfer
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-a00052171en_us
------------------------
IMC license transfer instructions (text only):
IMC license keys are locked to the software serial number.
If you move your IMC licenses to another computer or a new VM a new IMC software serial number will be created.
To obtain a fresh license key for the new software serial number, you need to transfer the IMC licenses from the old software serial number to the new one.
Before you start the license transfer make a note of the current IMC software serial number and the new IMC software serial number.
An IMC license transfer will move all the licenses to the new serial number.
IMC licenses can be transferred up to 3 times without Customer Support assistance.
- Step 1: Sign in to the My Networking account where the current IMC serial number is registered.
My Networking portal: http://hpe.com/networking/mynetworking/
- Step 2: On the home page/dashboard, select “Transfer licenses to new platform”.
Note: There are several paths to the transfer license pages such as the My License dropdown menu, on the My Licenses page and from the License Details page.
- Step 3: On the Transfer Licenses page, enter the current IMC software serial number in the Search field and click Search. All the licenses registered to the software serial number will be displayed for your review.
- Step 4: Click the Select icon (>>) to the right of the platform license. This will open the License Details page.
Review the license information to confirm this is the serial number whose licenses will be transferred to the new serial number.
Click Next to proceed.
- Step 5: On the Transfer licenses to a new platform page, enter the new IMC software serial number in the Target serial number* field and click the Transfer button.
- Step 6A successful transfer will display a confirmation page with the new license key file and the transfer details for each license.
- Last Step: Download and install the license key file.
the IAP controller always tries to talk to the aruba cloud (aruba central),
you can disable this!
logon via ssh to the vc controller:
#show status of cloud connection
- show activate
#disable cloud connection
- configure
config# activate-disable
commit apply
- show status
# to enable the service again, run in config mode:
no activate-disable
----------------
see also:
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=833f6d35-c9eb-4c54-9506-25dc5971466a
------------------------
#disable aruba activate#
if you see logs like: May 22 08:22:04 10.151.8.53 05220 activate: Unable to resolve the Activate server address device.arubanetworks.com.
aruba-central disable
activate software-update disable
activate provision disable
if you are the owner of a helium miner for the helium blockchain you get a lot of small income transaction day by day. To make the report for your taxes there is a great tool, that helps you:
https://helium-reports.com
helium-report.com is a great tool, that help you to get your helium income value!!
checkmk network monitoring -> best practice when monitoring all network ports
idea comes from article "3 rules to rule them all" by Alexander Wilms
( https://checkmk.com/de/blog/network-monitoring-with-checkmk-2-0 )
1) rename important switch ports on the devices, e.g. uplink_server1, access_point
> a problem is: some vendors use the SNMP table Alias, others the table Description
> solution: 2 x checkmk rules ( 1 x alias + 1 x decription) +
>> define a new Host Tag "if_alias_desc" / Title: Interface: by Alias/by Description
>>> Tag ID: default - Title: default
>>> Tag ID: if_alias - Title: use Alias
>>> Tag ID: if_desc - Title: use Description
2) rule to discover all network ports:
> Network interface and switch port discovery > create 2 new rules
> >from "Use Index" to "Use alias" and condition tag "use Alias" + Condations for this rule to apply: Match all interfaces
3) rule to separete access ports from "vip" ports
Services > Service monitoring > new rule: Network interfaces and switch ports
3.1: rule for access ports, name is for example 0001:
- Operating speed: ignore speed
- Operational state: ignroe the operational state
- port specification: \d+ || Gigabit Ethernet || and more
- maybe use label condition: cmk/device_type:switch
wget is a very useful linux command line tool:
>>> Wget - The non-interactive network downloader.
----------------------------------------------------------------------------
to make a offline copy of a webpage just run this command:
wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://your-page-to-backup
problem:
the lan ports of the switches, where the aruba access points are connected, are showing regular errors .. giant packets etc.
solution:
the default settings of the aruba ap's is, that they are doing a path MTU discovery every minute, to find out the best MTU size for them.
if you want to stop this "unnecessary traffic" you need to define a static value:
>> on wlan controller:
ap-group ->> ap system profile ->> AP system profile has an mtu parameter that you can change to 1500 or less.
see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=24850
at the moment there is no easy method that "I know" - to set for example 200 printer endpoints from unkown to know in a easy way!
the methods that are know by me, are at the moment:
1) Export selected endpoints / edit xml file / import xml list
--go to Identity > Endpoints and run a filter to select your endpoints that needs to be changed.
-- press "Export All" at the right top
-- save to a xml file: Endpoint.xml
-- open the xml file in a text editor like Notepad++ and press <STRG> +<H> to replace a string: search for status="Unknown" and replace it through: status="Known"
-- import the file to clearpass under Identity > Endpoints
2) manual selection of several endpoints
-- go to Monitoring > Profiler and Network Scan > Endpoint Profiler and run a filter to select your endpoints that needs to be changed. To see the Filter section press on "Change Filter Selection"
-- after you selected some endpoints make sure to press "Hide Filter Selection" then you will see the buttons "Mark Known" or "Mark Unknown" again .. and press "Mark Known" if you want to set them to known
- aruba-os switch# copy command-output "show tech all" tftp 10.0.0.99 show-tech.txt
- aruba-cx switch# copy command-output "show tech" tftp://10.0.0.99/show-tech.txt <vrf xyz>
see also:
https://community.arubanetworks.com/blogs/esupport1/2020/04/30/how-to-save-the-output-of-a-show-tech-all-command-to-a-tftp-server
especially if you use data + mgmt port make sure to restricte the access to the ClearPass policy manager only to your trusted networks!
>> Administration » Server Manager » Server Configuration
>>>>> Network >> Application Access Control
https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=b5d3c132-7a57-4277-ae35-400fa7d7a8fc
add an Aruba CX switch with existing configuration to Aruba Central
1) switch# show system
note serial + mac-address
2) Aruba Central > greenlake > add device >> using serial + mac-address
2.1) make sure license is assigned (that you have a licence available)
3) on device make sure that Aruba-Central is not in "disable" mode, to enable it run a "Aruba-Central" > "enable",
check with command "show Aruba-Central" on device, if the connection to Aruba Central is there
4) in Aruba Central > go to Global
4.1) Under Maintain > Organization > Groups you should find now an unprovisioned device,
add the device to a new group, press "preserve" configuration if you want to keep the config
#documentation:
https://www.Arubanetworks.com/techdocs/Central/latest/content/nms/aos-cx/get-started/prov-tmplt-prcnf-cx.htm
Configuration -> System
- Show Advanced options: Deny local routing (if this is not enabled users that are connected to the same access point can connect to each other!! (a connect between different vlan's works - security issue?!!))
help text from aruba = If you have security and traffic management policies defined in upstream devices, you can use this option to disable routing traffic between two clients on the same AP on different VLANs.
Routing traffic between the clients will be sent to the upstream device to make the forwarding decision.
https://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/GeneralConfTasks/Adv_conf_tasks/ConfigureLocalRouting.htm
there is a document from hpe, regarding routing behavior:
https://www.hpe.com/psnow/doc/a00100349en_us
see details in the mentioned document ...
if you use both interfaces, always consider how the behavior of ClearPass is ...
for example - one important rule is:
"If the destination network is not in either management or data subnets, then we use the data interface by default. "
>> B5 devices do not have wifi chips anymore since Feb 2021!!
https://community.mimosa.co/t/2-4-ghz-network-missing-b5c/15412
https://community.mimosa.co/t/b5-2-4-ghz-wifi-management-console/15315/2
sample config on ArubaCX:
port-access role testrole1
auth-mode device-mode
reauth-period 3600
cached-reauth-period 28800
vlan trunk native 1
vlan trunk allowed 1-50
needed Radius attribute:
Radius:Aruba:Aruba-User-Role: testrole1
-----------------------------------------------
- see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=34779
-----------------------------------------------
- good to know:
- bug in version 10.08 + 10.09 !! only 50 vlan's per role permitted! "Failed to associate VLANs to the Role. Maximum of 50 VLANs is allowed"
- according to documentation, 256 vlan's should be permitted!
>> https://www.arubanetworks.com/techdocs/AOS-CX/10.10/HTML/security_4100i-6000-6100/Content/Chp_Port_acc/Port_acc_rol_cmds/vla-por-acc-fl-ml-10.htm
Aruba AOS-CX Basics 2 - Management Network Config
https://www.youtube.com/watch?v=4F1RaMOV2FU
ip dns server-address x.x.x.x vrf mgmt
ip dns domain-name xxxx.xxx verf mgmt
show clock
show ntp status
ntp server x.x.x.x iburst version 4 #iburst = faster sync
ntp vrf mgmt
ntp enable
------
ArubaOS-CX Switching Series - How to Stack Switches using VSF
https://www.youtube.com/watch?v=TjYSi4l-2OM
show vsf
#switch 1
vsf member 1
link 1 1/1/49
link 2/1/1/50
show vsf link
#switch2
vsf member 1
link 1 1/1/49
link 2/1/1/50
vsf renumber 1 to 2
#vsf-factory-reset #in case you need to clean
#switch 3
vsf member 1
link 1 1/1/49
link 2/1/1/50
vsf renumber 1 to 3
show vsf #see 3 switches, see topology >> best redundancy is ring topology ;-)
vsf secondary member 2 #make sure to have a secondary member, so that there is a standby
solution:
see aruba tac:
https://community.arubanetworks.com/blogs/arunhasan11/2020/10/20/what-cause-iap-does-not-have-a-cloud-activate-key
----------------------
nstant AP is unable to communicate with device.arubanetworks.com via HTTP/HTTPS.
>> information from the tac page:
1. Can the Instant AP resolve device.aruabnetworks.com?
From CLI of Instant AP ping device.arubanetworks.com
If no resolution check the Instant AP is configured with a DNS server to send DNS queries to Use CLI command ‘show summary support | include NameServer’
2. Can the Instant AP route to device.arubanetworks.com?
From CLI of Instant AP ping device.arubanetworks.com
If there is no response it may just be that ICMP is blocked along the path. HTTP and HTTPS may still be allowed.
3. Are HTTP and HTTPS blocked by a firewall along the path?
Connect a PC to a port in the same vlan/subnet as the master Instant AP. Telnet to port 80 and 443, on device.arubanetworks.com.
If above is working and still IAP doesn't have cloud activation key, kindly contact Aruba TAC with above details.
2 methods are available (at least)
1) use dhcp snooping
turn on:
(SW)<config># dhcp-snooping enable
(SW)<config># dhcp-snooping vlan 99
(SW)<config># show dhcp-snooping
>> define trusted interface where the dhcp answers are coming from, for example interface 49 (your uplink)
see the clients: (Switch)<config># show dhcp-snooping binding
2) client tracker
turn on: (SW)<config># ip client-tracker
see the clients: show port-access clients
see also:
https://community.arubanetworks.com/blogs/esupport1/2020/05/12/how-to-learn-the-ip-address-of-the-clients-connected-in-switch
see also:
if you look for example for a visio shape for aruba switch
-- HPE Aruba CX 6000 48G PoE+ 370W CL4 4SFP Part.-Nr. R8N85A
or
-- HPE Aruba CX 6000 12G PoE CL4 2SFP 139W Part.-Nr. R8N89A
you find them in Shape: HPE-Aruba-Switches-small
see also:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=32690
Operation System: Centos 7.9
checkmk version 2.1.p17 and also 2.1.p16
when trying to create a map using nagvis, on the webfronted we get the error message:
> "Failed to execute ajax call. Maybe a network issue or webserver is not available. HTTP-Status-Cdoe:500,
> /mysite/nagvis/server/core/ajax_handler.php?mod=Map&act=manage&_ajaxid=1669804880
in the apache log file > /opt/omd/sites/mysite/var/log/apache/error_log, we see the error:
> Wed Nov 11 11:41:22.645532 2022] [fcgid:warn] [pid 7254] [client 127.0.0.1:59876] mod_fcgid: stderr:
> PHP Fatal error: Arrays are not allowed as constants in
> /opt/omd/versions/2.1.0p17.cee/share/nagvis/htdocs/server/core/sources/geomap.php on line 9,
> referer: http://192.168.2.99/mysite/nagvis/frontend/nagvis-js/index.php
Quick and dirty solution:
go to file: /opt/omd/versions/2.1.0p17.cee/share/nagvis/htdocs/server/core/sources/geomap.php on line 9
>> comment out line 9: const ACCEPTED_GEOMAP_SERVER_URL_SCHEMES = ["http", "https"];
>> after that it worked!!
Dell Switches N2000 Series (N2024P)
tested with version 6.6.3.17
####################################
# Static Port security
####################################
#How to configure MAC based port security on Dell N2000, N3000, and N4000 series switches.
https://www.dell.com/support/kbdoc/de-de/000121440/how-to-configure-mac-based-port-security-on-dell-n2000-n3000-and-n4000-series-switches?lang=en
#turn on port security on port gi1/0/1 (needs configure mode)
switchport port-security
interface gi1/0/1
> switchport port-security #turn on security
> switchport port-security maximum 5 #define a maxium of 5 mac-addresses on this port
>> now all learned mac-addresses will be removed on interface gi1/0/1 and the port will authenticate them
#add static mac-addresses to an interface
console(config)# mac address-table static abcd.2233.1221 vlan 1 interface gi1/0/1
####################################
# Dynamic / Radius based Port security (mac-authentication)
####################################
console#configure
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control #enable 802.1 port-based access
console(config)#authentication enable
console(config)#radius server <radius-server-ip>
console(config)#radius server key <your-radius-key>
console(config)#aaa authorization network default radius #allow the radius server to assign vlans
#enable authentiction on device port
#MAC Authentication Bypass (MAB) >> authenticate using a MAC address as identifier
#using freeradius as authentication servers needs mab authtype pap or chap!!
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#authentication port-control auto
console(config-if-Gi1/0/1)#mab
console(config-if-Gi1/0/1)#mab auth-type pap
console(config-if-Gi1/0/1)#switchport mode general
#uplink interface > no authentication on this port
console(config)#interface gigabitethernet 1/0/24
console(config-if-Gi1/0/24)#authentication port-control force-authorized
####################################
# useful show commands
####################################
show authentication statistics gigabitethernet 1/0/1
console(config)#show authentication
console#show authentication clients all
show authentication interface gigabitethernet 1/0/1
show radius statistics
show dot1x users #show authenticated users
show dot1x statistics gigabitethernet 1/0/1
####################################
# Documentation
####################################
https://usermanual.wiki/Dell/DellDellNetworkingN2000SeriesUsersManual136323.1551399830/html#pf42
Name of document:
Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON and N3200-ON Switches User’s Configuration Guide Version 6.6.3
page 371: Authentication, Authorization, and Accounting
####################################
useful common dell switch commands:
####################################
#turn on ssh server
console(config)# ip ssh server
#see interfaces
show interfaces status
save settings:
console#copy running-config startup-config
#set user / password with high privileges
console(config)#username admin password adminadmin privilege 15
#privilege 15 means read and write access
#what is the ip address of the switch?
show ip interface
####################################
#log messages
####################################
#after successful mac authentication you should see in the log
<190> Dec 15 14:02:59 172.16.99.20-1 AUTHMGR[authmgrTask]: auth_mgr_sm.c(420) 548 %% INFO Client authorized on port (Gi1/0/1) with VLAN type RADIUS.
###################################
# Sample Configs
###################################
#######
#interface gi1/0/1 with some mac-auth settings
#######
interface Gi1/0/1
switchport mode general
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 300
authentication periodic
authentication timer reauthenticate 300
authentication timer restart 60
mab
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
#######
# Sample config when tested with freeradius server
#######
!Current Configuration:
!System Description "Dell EMC Networking N2024P, 6.6.3.17, Linux 4.14.138, Not Available"
!System Software Version 6.6.3.17
!
configure
vlan 99
exit
vlan 99
name "isolated"
exit
slot 1/0 3 ! Dell EMC Networking N2024P
stack
member 1 2 ! N2024P
exit
interface vlan 1
ip address dhcp
exit
authentication enable
authentication dynamic-vlan enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
radius server key 7 "asdlfjasdlkfjasdklfj"
radius server auth 192.168.2.87
name "Default-RADIUS-Server"
exit
application install SupportAssist auto-restart start-on-boot
!
interface Gi1/0/1
switchport mode general
authentication timer reauthenticate 300
mab auth-type pap
authentication order mab dot1x
authentication priority mab dot1x
exit
!
interface Gi1/0/24
authentication port-control force-authorized
exit
snmp-server engineid local 800002a203fasfasdfasdf
eula-consent hiveagent reject
exit
Fortinet - Basic configuration
- put your notebook to the fortinet default subnet, 192.168.1.0/24.
The default ip of the fortinet device is 192.168.1.99
plug the ethernetcable on port 1
> access the webfronted https://192.168.1.99/
--------------------------------------------------
do some basic configuration,
let us setup the following configuration
>> port 1: leave it as it is >> 192.168.1.99
>> port 2-3: create a software switch >> 192.168.178.1/24
>> port 4: configure it as "wan" interface
System > Network > Interfaces
>> create new Interface, Type Software Switch
-- Interface Name = 178
-- Physical Interface Members: port2 and port3
-- Addressing mode: Manual, IP/Network Mask: 192.168.178.1/255.255.255.0
-- Administrative Access: HTTPS + PING
-- DHCP Server: Enable, Starting IP: 192.168.178.100, End IP: 192.168.178.200, Netmaskk 255.255.255.0, Default Gateway: Same as Interface IP, DNS Server: Same as System DNS
System > Network > Interfaces
>> edit port4 > the wan interface
-- Alias: wan
-- Addressing mode: DHCP
-- Retrieve default gateway from server: yes
-- Administrative Access: HTTPS PING SSH SNMP
-- [ port4 will be connected to the default gateway in may case a fritzbox ]
System > Config > SNMP
-- create a SNMPv1/v2c community name to monitor the box using a tool like checkmk
no lets create some Policy Rules, under: Policy & Objects > Policy > IPv4
-- lets make some simple rules, so that no addresses in the wan subnet can be access, except the router (fritz.box)
-- 1: source=all, destination=192.168.2.1, always, service=HTTPS, deny
-- 2: source=all, destination=192.168.2.1, always, service=ALL, accept, NAT=enable enabled
-- 3: source=all, destination=192.168.2.0/25, always, service=ALL, deny
-- 4: source=all, destination=all, always, service=ALL, ACCEPT, NAT=enable
>> problem is always the same: smb is too slow ;-))
because of the latency which is about 10ms (at least) .. that means 2 x 10ms = 20ms waiting for confirmation etc.
https://www.msxfaq.de/netzwerk/smb_im_wan.htm
- default host ip: dhcp
- there is a reset button: press for 10 seconds to restore default values
- default password is:1234
- configuration through: webfrontend
documentation:
- https://support.intellinet-network.com/
- https://cdn-reichelt.de/documents/datenblatt/E910/INT_524827_DB_DEU.pdf
- https://support.intellinet-network.com/products/intellinet-en-guestgate-mk-ii-524827
https://www.arubanetworks.com/support-services/end-of-life/#product=aruba-central
for example - Aruba InstantOS Access Points:
https://www.arubanetworks.com/support-services/end-of-life/#product=instantos&version=0
InstantOS 8.10.x (LSR) 8.10.0.0: 13-Apr-22 13-Apr-26 13-Apr-27
some useful documentation you can find here:
- Aruba 2530 Multicasting and Routing Guide for AOS-S Switch 16.09
- AIRPLAY AND AIRPRINT ON CAMPUS NETWORKS AN ARUBA AIRGROUP SOLUTION GUIDE:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwiWhKOjheX8AhVHdcAKHUOJCdUQFnoECAsQAQ&url=https%3A%2F%2Fhigherlogicdownload.s3.amazonaws.com%2FHPE%2FMigratedAttachments%2FE1200F32-65FA-4153-AC23-5657EFCBADAA-1-AirGroup%2520TB_080112_FINAL.pdf&usg=AOvVaw3SLHQxLnYdcYN7K6lGT3Q8
the problem is there are a lot of HPE visio files that contain many objects,
but how to find them?
I copied all shape files to one directory and in that directory I run a grep query ;-)
user@mypc/cygdrive/c/users/user/Documents/Meine Shapes
$ grep -i j9576a *
grep: HPE-Networking-3xxx-Switches.vss: binary file matches
grep: _private: Is a directory
pktmon is a build in packet sniffer for windows. It is available via the pktmon.exe command, and via Windows Admin Center extensions.
commands:
- pktmon start help
- pktmon counters help
#run a realtime sniffing session
- pktmon start --etw --log-mode real-time
#save sniffing to file:
pktmon start -c --comp 12 --pkt-size 0 -f cap1.etl
#convert etl format to wireshark
pktmon etl2pcap cap1.etl --out cap1.pcapng
#see also
https://www.securitynik.com/2020/08/beginning-packet-capturing-with-windows.html
https://majornetwork.net/2023/05/capturing-packets-on-windows-with-packet-monitor-pktmon/
Windows Defender Firewall > settings > Logging:
here you can turn on logging, make sure that you turned on writing the dropped log
the log files can be found here:
C:\Windows\System32\LogFiles\Firewall
Problem: a module like J4858D does not work in a Aruba CX 8325 switch, before the module was working with an HPE 5406 switch, but it does not work with an Aruab 8325 CX Switch
for example:
switch = JL635A Aruba 8325-48Y8C 48p 25G 8p 100G Switch
sfp module = J4858D (1G-SX)
>> in documentation, we find:
https://www.arubanetworks.com/assets/ds/DS_8325Series.pdf
1 Consult the ArubaOS-Switch and AOS-CX Transceiver Guide in the Aruba Support Portal for the minimum required software releases to support these transceivers. Guide also provides certain limitations for specific transceivers for use on switch models
>>> from the "Transceiver Guide" we find the information:
1G optics at the opposite end of the link
must NOT enable auto-negotiation and operate in full duplex mode.!!!
>> so this is the solution:
>>>> set the neighbor interface to full duplex
for example, if the neighbor switch is a hpe 2540 (aruba os / procurve), the uplink interface should look like:
interface 52
speed-duplex 1000-full
####################################################################
# >> very important!!!
# 1G optics at the opposite end of the link
# must NOT enable auto-negotiation and operate in full duplex mode.!!!
####################################################################
if you search for the good old network settings under windows just run a:
execute: ncpa.cpl
(c:\windows\system32\ncpa.cpl)
Problem: service SQLServer (JTLWAWI) was not automatically started, and fails when trying to do it manually
>> check log files: C:\Program Files\Microsoft SQL Server\MSSQL15.JTLWAWI\MSSQL\Log\...lates log
Error: Initializing the FallBack certificate failed with error code: 15, state: 29, error number: 0.
2023-03-22 17:56:58.29 Server Database Instant File Initialization: deaktiviert. For security and performance considerations see the topic 'Database Instant File Initialization' in SQL Server Books Online. This is an informational message only. No user action is required.
2023-03-22 17:56:58.30 Server Total Log Writer threads: 3. This is an informational message; no user action is required.
2023-03-22 17:56:58.32 Server clflush is selected for pmem flush operation.
2023-03-22 17:56:58.32 Server Software Usage Metrics is disabled.
2023-03-22 17:56:58.35 spid11s Starting up database 'master'.
2023-03-22 17:56:58.45 spid11s 4 transactions rolled forward in database 'master' (1:0). This is an informational message only. No user action is required.
2023-03-22 17:56:58.49 spid11s 0 transactions rolled back in database 'master' (1:0). This is an informational message only. No user action is required.
2023-03-22 17:56:58.58 Server Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
2023-03-22 17:56:58.83 spid11s Resource governor reconfiguration succeeded.
2023-03-22 17:56:58.83 spid11s SQL Server Audit is starting the audits. This is an informational message. No user action is required.
2023-03-22 17:56:58.84 spid11s SQL Server Audit has started the audits. This is an informational message. No user action is required.
2023-03-22 17:56:58.86 spid11s FILESTREAM: connected to kernel driver RsFx0600. This is an informational message. No user action is required.
2023-03-22 17:56:58.87 spid11s FILESTREAM: effective level = 2 (remote access disabled), configured level = 2, file system access share name = 'JTLWAWI'.
2023-03-22 17:56:58.87 spid11s FILESTREAM feature is enabled. This is an informational message. No user action is required.
2023-03-22 17:56:59.00 spid11s SQL Trace ID 1 was started by login "sa".
2023-03-22 17:56:59.01 spid11s Server name is 'WAWI-SERVER\JTLWAWI'. This is an informational message only. No user action is required.
2023-03-22 17:56:59.05 spid29s Error: 17190, Severity: 16, State: 1.
2023-03-22 17:56:59.05 spid29s Initializing the FallBack certificate failed with error code: 15, state: 29, error number: 0.
2023-03-22 17:56:59.06 spid29s Unable to initialize SSL encryption because a valid certificate could not be found, and it is not possible to create a self-signed certificate.
2023-03-22 17:56:59.06 spid29s Error: 17182, Severity: 16, State: 1.
2023-03-22 17:56:59.06 spid29s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support.
2023-03-22 17:56:59.06 spid29s Error: 17182, Severity: 16, State: 1.
2023-03-22 17:56:59.06 spid29s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors.
2023-03-22 17:56:59.06 spid29s Error: 17826, Severity: 18, State: 3.
2023-03-22 17:56:59.06 spid29s Could not start the network library b
>> https://blog.sqlauthority.com/2018/11/12/sql-server-initializing-the-fallback-certificate-failed-with-error-code-1-state-20-error-number-0/
>> it looks like the user profile, from the service user is corrupted in the registry
>> check the profiles: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
>> in our case, there was a .bak profile .. we renamed the new created profile and removed the .bak from the old profile name and everything was fine again
KNX IP devices - with aruba os switches
----------------------------------------------------------------------
>> for communication the multicast default address is 224.0.23.12 !
>> it is very important that igmp is configured, and on of the switches has the igmp querier role !
----------------------------------------------------------------------
The IP routing multicast address defines the destination address for the IP messages of KNX IP devices.
The default address 224.0.23.12 is the address for KNXnet/IP devices set by the KNX Association in conjunction with IANA.
This address should be maintained and only changed if the existing network requires the use of a different address.
By default, these messages are sent as multicast messages to the multicast IP address 224.0.23.12, port 3671.
------------------------------------------
Configuration on Arubo OS switch side
------------------------------------------
- own vlan, for example vlan 100 name knx
- configure all knx ip devices to be in vlan 100 (untagged)
- enable igmp on the switch and the vlan!
(1) set ip lookup mode, to be able to use igmp version 3
>> igmp lookup-mode ip
(2)
>enable igmp in the vlan, and assign for example port 1 to 5 on the switch, also give the switch an ip address so that the igmp network can have a querier!
>> vlan 100
name "knx"
untagged 1-5
ip address 10.24.100.50 255.255.255.0
ip igmp
ip igmp version 3
exit
- igmp show commands
(1)
show ip igmp groups
IGMP Group Address Information
VLAN ID Group Address Expires UpTime Last Reporter | Type
------- --------------- ------------- ------------- --------------- + ------
100 224.0.23.12 0h 4m 14s 0h 28m 31s 10.24.100.20 | Filter
100 224.22.4.224 0h 4m 17s 0h 28m 32s 10.196.69.10 | Filter
(2)
show ip igmp
> here you should see the Querier Address
- how to see the igmp messages? debugging on switch
>> debug ip igmp
>> debug destination session
>> to turn off, say: no debug ip igmp
you should see messages like this:
0008:18:05:26.57 IGMP mIpPktRecv: Received an IGMP v3 membership report; VID:100
port:1 src:10.24.100.20 dest:224.0.23.12
example KNX ip device: ABB i-bus® KNX IP-Router IPR/S 3.1.1 Produkthandbuch
-- https://new.abb.com/products/de/2CDG110175R0011/ipr-s3-1-1
solution: a script called "getArpFromRouter.pl"
--------------------------------------------------------------------------------------------------
#!/usr/bin/perl
##############################################################################
#
# This script is designed to retrieve the ARP table entries for a router using
# the Simple Network Management Protocol (SNMP) and display them in a
# human-readable format.
#
# The script first sets SNMP credentials and the target router IP address,
# then retrieves VLAN names from the IF-MIB::ifName table using the snmpwalk
# command. The VLAN names are stored in an associative array called vlannames.
# The script then walks the IP-MIB::ipNetToMediaPhysAddress table to retrieve
# ARP table entries, which contain IP addresses, MAC addresses, and VLAN IDs.
# The script uses the VLAN IDs to look up the corresponding VLAN names in the
# vlannames array, and then prints out the IP address, MAC address, VLAN name,
# and VLAN ID in a formatted table.
#
# Overall, this script provides a quick and easy way to retrieve and view ARP
# table entries for a router, which can be useful for troubleshooting network
# issues or monitoring network activity.
#
# usage: ./getArpFromRouter.pl
#
# output sample:
#
# 10.20.30.141 aa:bb:cc:1f:a5:75 vlantest 1712.
# 10.20.30.142 aa:bb:cc:1f:a5:7a vlantest 1712.
#
#
##############################################################################
use strict;
use warnings;
# Set SNMP credentials and target router IP address
my $community = "public";
my $router_ip = "192.168.2.1";
# OID for IP-MIB::ipNetToMediaPhysAddress table
my $ip_oid = "IP-MIB::ipNetToMediaPhysAddress";
# OID for IF-MIB::ifName table
my $vlan_oid = "IF-MIB::ifName";
# Set debug flag
my $debug = 1;
my %vlannames;
sub main {
# Walk the IF-MIB::ifName table and store VLAN names in an associative array
if ($debug) {
print "DEBUG: Retrieving VLAN names from $vlan_oid\n";
}
open(my $SNMPWALK, "-|", "snmpwalk -c $community -v 2c $router_ip $vlan_oid") or die "Could not run snmpwalk: $!";
while (my $line = <$SNMPWALK>) {
chomp($line);
# Extract VLAN ID and name from line
my ($vlan_id, $vlan_name) = ($line =~ /.*\.(\d+)\s+=\s+STRING:\s+(.+)/);
$vlannames{$vlan_id} = $vlan_name;
# Print VLAN name if debug flag is set
if ($debug) {
print "DEBUG: Received VLAN name: $vlan_name (VLAN ID: $vlan_id)\n";
}
}
close($SNMPWALK);
print "---- VLAN Names ----\n";
foreach my $vlan_id (keys %vlannames) {
my $vlan_name = $vlannames{$vlan_id};
print "VLAN ID: $vlan_id, VLAN name: $vlan_name\n";
}
# Walk the IP-MIB::ipNetToMediaPhysAddress table and print out VLAN name, IP, and MAC
if ($debug) {
print "DEBUG: Retrieving IP-MIB::ipNetToMediaPhysAddress table from $router_ip\n";
}
open(my $SNMPWALK, "-|", "snmpwalk -c $community -v 2c $router_ip $ip_oid") or die "Could not run snmpwalk: $!";
while (my $line = <$SNMPWALK>) {
chomp($line);
#print "$line\n" if $debug;
# Extract VLAN ID, IP, and MAC from line
my ($vlan_id) = $line =~ /IP-MIB::ipNetToMediaPhysAddress\.(\d+)/;
my ($ip) = $line =~ /IP-MIB::ipNetToMediaPhysAddress\.\d+\.(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
my ($mac) = $line =~ /STRING: (.+)$/;
#print " vlan_id=$vlan_id\n" if $debug;
#print " ip=$ip\n" if $debug;
#print " mac=$mac\n" if $debug;
# Look up VLAN name in associative array
my $vlan_name = $vlannames{$vlan_id};
# Print VLAN name, IP, and MAC in the desired format
printf("%-15s %-20s %-20s %-10s\n", $ip, $mac, $vlan_name, "$vlan_id.");
#exit;
}
close($SNMPWALK);
}
# Call main function
main();
go to the command line of the Aruba virtual controler, and send a test request:
aaa test-server <servername> username <username> password <passwd> auth-type <type>
#see also:
https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#CLI_commands/aaa_test_server.htm
The status screen can be used to gain insight into the player setting, its hardware, and its environment. It is available at the following URL:
http://<sonos_ip>:1400/status
http://<sonos_ip>:1400/support/review
Rebooting the player
Accessing the following URL will trigger an immediate reboot of the player:
http://<sonos_ip>:1400/reboot
Troubleshooting Network Connectivity
Sonos offer 3 traditional network debugging tools (ping, traceroute and nmblookup) from this URL:
http://<sonos_ip>:1400/tools.htm
Controling the WiFi network link
The WiFi link can be enabled or disabled through the wifictfl URL. If the WiFi is turned on, it will use different frequency channels based on the region in which the player was sold. For example, the use of channels 12 through 14 is not allowed in the United States. You can update this setting at the following URL:
http://<sonos_ip>:1400/region.htm
>> use this individual script:
#!/usr/bin/perl
######################################################################################
#
# checkMimosa.pl
#
# Mib Reference - see also
# http://backhaul.help.mimosa.co/snmp-usage-examples-snmpget
#
# Examples (Rx signal strength)
# snmpget -v 1 -c public 192.168.1.20 1.3.6.1.4.1.43356.2.1.2.6.6.0
# MIMOSA-NETWORKS-BFIVE-MIB::mimosaTotalRxPower.0 = INTEGER: -42.7 dBm
#
# update log:
# -----------
# - 2023-04-26: first version
#
######################################################################################
$hostname=$ARGV[0];
$community=$ARGV[1];
$param=$ARGV[2];
$debug=0; #1=on
$error=0;
$errmsg='';
if (($hostname eq '') || ($community eq '')){
print "usage: checkMimosa.pl <hostname> <community> <-p=xxx>\n";
print " -p port number for snmp query is optional\n";
exit 1;
}
if ($param =~ /^-p=(\d*)$/){
$hostname="$hostname:$1";
}
print "<<<check_mk>>>\n";
print "Version: pn-v2023-04-26\n";
print "<<<local>>>\n";
#Rx signal strength
my $name="rx_signal_strength";
open(IN,"snmpget -v 2c -c $community $hostname .1.3.6.1.4.1.43356.2.1.2.6.6.0 | ");
if ($? != 0){
print "1 $name dbm=- Cannot get value for rx signal strength\n";
}else{
while(<IN>){
$line=$_;
chomp($line);
#print ">>>> $line\n";
if ($line =~ /= Integer:\s(.*)$/i){
$value=$1 / 10;
print "0 $name dbm=$value Rx signal strength is: $value dbm\n";
}
}
close(IN);
}
QinQ is a networking technology that stands for "Quality in Quality". It is also known as VLAN stacking or VLAN double tagging. QinQ is an extension of the IEEE 802.1Q VLAN tagging standard and allows service providers to transport multiple VLANs over a single physical link between two switches or routers.
In a QinQ scenario, two VLAN tags are added to Ethernet frames, with the outer tag used to identify the service provider's VLAN and the inner tag used to identify the customer's VLAN. This allows service providers to provide multiple customers with VLAN services over a single physical link, while also ensuring that each customer's VLAN remains isolated and secure from other customers' VLANs.
QinQ is commonly used in metropolitan area networks (MANs) and wide area networks (WANs) to provide connectivity between customer sites and service provider networks. It is also used in data center environments to provide isolation and segregation of different virtualized networks.
Overall, QinQ technology is an important tool for service providers and network engineers to ensure efficient and secure network communication between different VLANs over a single physical link.
---------------
hpe comware switches documentation: https://techhub.hpe.com/eginfolib/networking/docs/switches/5940/5200-1018b_l2-lan_cg/content/491966409.htm
solution: ser2net
https://sourceforge.net/projects/ser2net/
to use sonos with the wireless lan from aruba following settings must be set:
- configuration > networks > selected_network > show advanced options:
>> Broadcast filtering: disabled
>> Deny inter user bridging: off
>> Deny intra VLAN traffic: off
WARNING! Do NOT use the integrated default DHCP-Scope! The vc will replace the mac-addresses with his own. This was tested with version: 8.10.0.6 LSR
With ser2net you can map serial devices to a port.
installation:
>> apt install ser2net
how to get the usb device id:
>> all connected usb-devices are listed here: /dev/serial/by-path/
config:
>> the config file can be found at /etc/ser2net.yaml
>> <accepter> can be tcp or telnet, if tcp is selected tab and arrow keys won't work because the data is transmitted raw
>> example:
#####################################################
%YAML 1.1
---
# This is a ser2net configuration file, tailored to be rather
# simple.
#
# Find detailed documentation in ser2net.yaml(5)
# A fully featured configuration file is in
# /usr/share/doc/ser2net/examples/ser2net.yaml.gz
#
# If you find your configuration more useful than this very simple
# one, please submit it as a bugreport
define: &banner \r\n\ port \p device \d [\B] (Debian GNU/Linux) \r\n\r\n
connection: &con001
accepter: telnet,5001
enable: on
options:
banner: *banner
kickolduser: true
telnet-brk-on-sync: true
connector: serialdev,
/dev/serial/by-path/pci-0000:00:14.0-usb-0:4:1.0,
115200n81,local
#####################################################
troubleshooting:
>> if you restart the machine the ser2net service will fail, because the usb ports are not ready on startup
>> to fix this add the following line to ser2net.service in the [Unit] section:
After=network-online.target
Wants=network-online.target
link: https://manpages.ubuntu.com/manpages/impish/man5/ser2net.yaml.5.html
Validated Solution Guide: https://www.arubanetworks.com/techdocs/VSG/
If you encounter a problem with the bandwidth limit on aruba's access points the fritzbox might be the problem.
To solve the bandwdith limit not working properly you have to go to:
Fritz!Box >> home-network >> network >> remove (to remove all inactive devices)
For all active devices go to:
device >> pencil >> reset
This was tested with the firmware (fritzbox): 161.07.29
https://www.arubanetworks.com/products/wireless/antennas/
>> there is a Antenna Product Line Matrix pdf file, that gives you a good overview: matrix-antennas.pdf
Digitus Print Server - DN-13003-2
default-ip: 192.168.0.10
-> give your pc a static ip, like 192.168.0.99 > go to the webmenu of the printserver and change it to dhcp
the mac-addresse of the device is on the device itself > find the mac-address in your network and the final dhcp ip
now install the device and test it with a label printer, like hotlabel:
------------------------------------------------------
on a mac:
> Drucker hinzufügen / Add printer:
>> Adresse: 192.168.2.168
>> Protokoll: Line Printer Daemon - LPD
>> Warteliste / queue: p1
>> Name: Labelprinter via Printserver
>> zu verwendender Treiber / driver to use: 4BARCODE 4B-3044A
you cannot use vlan 4041 to 4094 by default on a hpe 8325 aurba cx switch!
>> but you can change this range!
Setting a new internal VLAN range:
switch(config)# system internal-vlan-range 3041-3094 This will briefly interrupt traffic. Continue (y/n)?
https://www.arubanetworks.com/techdocs/AOS-CX/AOSCX-CLI-Bank/cli_9300/Content/Chp_VLANs/VLAN_cmds/sys-int-vla-ran-gl-tl-10.htm
Aruba WLAN Mobility Controller - 2 know
documentation:
- ArubaOS 8.10.0.0 User Guide: https://www.arubanetworks.com/techdocs/ArubaOS-8.x-Books/810/ArubaOS-8.10.0.0-User-Guide.pdf
show log security 50 | include aaa
https://www.arubanetworks.com/techdocs/CLI-Bank/Content/aos8/sh-log.htm
tutorials / further readings:
----------------------------------------------
- https://wifiwizardofoz.com/802-1x-wlan-using-aruba-controller-clearpass/
- https://community.arubanetworks.com/discussion/dynamic-vlan-assignment-with-radius-and-aruba-controller
check if application access control is in place!
Administration > Server Manager > Server Configuration -> Network
>> Application Access Control:
Allow IP Adress of new subscriber to the Clearpass API!!
#####################
#1) create user role with only necessary restrictions
#####################
[HPE]role name switchbackup
[HPE-role-switchbackup]rule 1 permit command display current-configuration
[HPE-role-switchbackup]rule 2 permit command display saved-configuration
[HPE-role-switchbackup]rule 3 permit command screen-length disable
#####################
#2) review your created role, by using the following command:
#####################
[HPE]display role name switchbackup
Role: switchbackup
Description:
VLAN policy: permit (default)
Interface policy: permit (default)
VPN instance policy: permit (default)
-------------------------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------------------------
1 permit command display current-configuration
2 permit command display saved-configuration
3 permit command screen-length disable
R:Read W:Write X:Execute
#####################
#3) create the user and assign the user-role switchbackup to it
#####################
[HPE]local-user backup
[HPE-luser-manage-backup]password simple StrongPassword
[HPE-luser-manage-backup]authorization-attribute user-role switchbackup
[HPE-luser-manage-backup]no authorization-attribute user-role network-operator
[HPE-luser-manage-backup]service-type ssh
#####################
#4) review the created user, make sure that there are no other assigned roles than switchbackup
#####################
[HPE]display local-user user-name backup class manage
Total 1 local users matched.
Device management user backup:
State: Active
Service type: SSH
User group: system
Bind attributes:
Authorization attributes:
Work directory: flash:
User role list: switchbackup
Password control configurations:
Password complexity: username checking
#####################
#5) run a ssh login test, maybe you need to change the password once
#####################
login as: backup
backup@192.168.99.10's password:
First login or password reset. For security reason, you need to change your password.
Old password:
#########################################################
# tested with following switch configuration
#########################################################
#
version 7.1.070, Release 3507
#
sysname HPE
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
lldp global enable
#
password-recovery enable
#
vlan 1
#
stp global enable
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17
#
interface GigabitEthernet1/0/18
#
interface GigabitEthernet1/0/19
#
interface GigabitEthernet1/0/20
#
interface GigabitEthernet1/0/21
#
interface GigabitEthernet1/0/22
#
interface GigabitEthernet1/0/23
#
interface GigabitEthernet1/0/24
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
interface GigabitEthernet1/0/29
#
interface GigabitEthernet1/0/30
#
interface GigabitEthernet1/0/31
#
interface GigabitEthernet1/0/32
#
interface GigabitEthernet1/0/33
#
interface GigabitEthernet1/0/34
#
interface GigabitEthernet1/0/35
#
interface GigabitEthernet1/0/36
#
interface GigabitEthernet1/0/37
#
interface GigabitEthernet1/0/38
#
interface GigabitEthernet1/0/39
#
interface GigabitEthernet1/0/40
#
interface GigabitEthernet1/0/41
#
interface GigabitEthernet1/0/42
#
interface GigabitEthernet1/0/43
#
interface GigabitEthernet1/0/44
#
interface GigabitEthernet1/0/45
#
interface GigabitEthernet1/0/46
#
interface GigabitEthernet1/0/47
#
interface GigabitEthernet1/0/48
#
interface Ten-GigabitEthernet1/0/49
#
interface Ten-GigabitEthernet1/0/50
#
interface Ten-GigabitEthernet1/0/51
#
interface Ten-GigabitEthernet1/0/52
#
scheduler logfile size 16
#
line class aux
authentication-mode scheme
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
password-control enable
undo password-control aging enable
undo password-control length enable
undo password-control composition enable
undo password-control history enable
password-control login-attempt 3 exceed unlock
password-control update-interval 0
password-control login idle-time 0
#
radius scheme system
user-name-format without-domain
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
role name switchbackup
rule 1 permit command display current-configuration
rule 2 permit command display saved-configuration
rule 3 permit command screen-length disable
#
user-group system
#
local-user admin class manage
service-type ssh terminal
authorization-attribute user-role network-admin
#
local-user backup class manage
service-type ssh
authorization-attribute user-role switchbackup
#
return
tp-link - Range extender - essential things to know
model: RE330EU
setup
---------
1) via the Tether App (Apple Store / Google Play) > you need a TP-Link ID for that!
2) via web browser:
- connect to wifi network: TP-Link_Extender,
- visit http://tplinkrepeater.net or http://192.168.0.254 > create password and login
3) via wps button
- press wps button on your router
- within 2 minutes press the wps button on the extender for 1 second
no ssh logins possible anymore! Maximum number of sessions
Problem:
Aug 18 17:48:46 yourservername sshd[9846]: pam_systemd(sshd:session): Failed to create session: Maximum number of sessions (…sessions.
solution:
- see "man sshd_config" parameter MaxSessions:
MaxSessions
Specifies the maximum number of open shell, login or subsystem (e.g. sftp) sessions permitted per network connection. Multiple
sessions may be established by clients that support connection multiplexing. Setting MaxSessions to 1 will effectively disable
session multiplexing, whereas setting it to 0 will prevent all shell, login and subsystem sessions while still permitting for?
warding. The default is 10.
>> default is 10
let it increase to 20:
file /etc/ssh/sshd_config:
new line with:
MaxSessions 20
and restart sshd: /etc/init.d/ssh restart
steps to do:
#goto default directory
cd /etc/default
#make a backup of grub config
cp -p grub grub.save.original
#edit file /etc/default/grub >> change there the GRUB_CMDLINE_LINUX_DEFAULT to:
GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 console=tty0"
#aktivate the settings by running the command:
update-grub . /boot/grub/grub.cfg
>> now reboot and connect using a serial cable and a tool like Tera Term VT or a putty serial connection, make sure to use only 9600bps as setting.
>> enjoy this new feature, you can now administrate the machien without a display ;-)
----------------------------------------
tested on a debian based proxmox linux system:
pveversion
pve-manager/8.0.4/d258a813cfa6b390 (running kernel: 6.2.16-3-pve)
----------------------------------------
see also:
https://cweiske.de/tagebuch/serial-console-debian9.htm
error message on switch:
W 10/05/23 11:01:04 03425 crypto: Certificate used by http-ssl application is
expired.
W 10/05/23 11:01:04 03425 crypto: Certificate used by http-ssl ap
what to do:
#command to see your certificates
show crypto pki local-certificate
#remove the certificates (handle this careful if you have other usage for certificates)
crypto pki zeroize
#create a new selfsigned certificate
crypto pki enroll-self-signed certificate-name your-switch valid-star
t 01/01/2023 valid-end 12/31/2043 subject common-name your-switch
#see also
https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=1e6a17ec-f054-47e0-bd46-7915973fa844&CommunityKey=2fd943a6-8898-4dbe-915f-4f09e4d3c317&tab=librarydocuments
STP Spanning tree
STP comes with extra features that help keep the network stable. Here's a simple explanation of these features and when to use them:
Root Guard: This stops devices from sending certain kinds of messages on certain connections. Use Root Guard on certain connections to make sure the main part of the network stays stable. Don't use it on connections between important switches.
Admin Edge: This lets a connection start working without waiting. It's good for connections with only one device or with a computer connected to a phone. But be careful, because it might not catch network problems. Only use Admin Edge on connections facing devices like computers.
BPDU Guard: This automatically stops certain messages from being sent on certain connections. You should usually activate this feature on specific ports that connect to devices used by users, like computers or printers, on access switches. BPDU Guard is especially helpful because it ensures that BPDUs are not received on access ports, which prevents loops and, importantly, guards against spoofed BPDU packets. This means it adds an extra layer of protection against fake or deceptive messages in the network.
BPDU Filter: This ignores certain messages on a connection and doesn't send its own messages. It's used in special cases, like when different groups want separate networks. Normally, it's best not to use BPDU Filter, unless you're in a specific situation.
Loop Protect: This is like a backup system for STP. It can find problems when a device causes a loop but doesn't follow STP rules. It stops connections when it senses a loop and restarts them when the problem is fixed. Use this for all the connections facing devices to avoid accidental loops. Don't use it on important connections in the network.
Fault Monitor: This watches for big traffic or errors in connections. It can log events, send alerts, or temporarily stop a connection. Turn on Fault Monitor to get alerts for recognized problems, and use it on all connections for a stable network. But don't use the "stop" feature with Fault Monitor, because Loop Protect handles that.
--------------------------------------
links
--------------------------------------
https://www.arubanetworks.com/techdocs/VSG/docs/010-campus-design/esp-campus-design-044-lan-design-switching/
#netedit useful commands
console:
sudo su -
service networking restart
ip addr #show ip addr
version 2.2.1 > upgrade to 2.9.0
> netedit userguide for 2.9.0:
-- chapter "Upgrade to Debian 10", since with the release of NetEdit 2.4.0 Debian 10 (Buster) is the base operating system
-- console logon to NetEdit 2.2.1, follow the instructions from the userguide to upgrade Debian 9 to Debian 10
-- after following all steps reboot the machine
-- login to netedit webuser frontend again > click on the ? in the right corner > and select Upgrade NetEdit > upload the file "Aruba_Netedit_2.9.0_upgrade.tar.gz" > press upgrade after upload
#nice network flow view
Tenants > Security Policies
>> instead of Table View choose Network Graph in the right corner above
Best practise for rules
- assign policy to egress direction
- assign a bigger vrf policy to the vrf, but there things like deny ssh, or allow rdp only for this hosts
- network policies attached to vlan's for more specific rules
- allows consider: if you assign an empty policy to a network or vrf it means "deny any"!!
#persona best practice > always access except special vsx ports
- interface 1/1/1-1/1/47 > persona access
- interface 1/1/48 > no persona (vsx keepalive)
- interface 1/1/49+50 > no persona (vsx isl)
- interface 1/1/51-54 > persona access
#commands to know
- pdsctl show security-policy
run: resmon.exe
in german: Resourcenmonitor via taskmanager
an alternative program is tcpview in case you want to understand who is talking to whom on the network stack: https://learn.microsoft.com/de-de/sysinternals/downloads/tcpview
tcpview it gives you deep insight above network connectivity
check_snmp_firecluster.sh is a script to monitor watchguard's cluster status,
the script can be downloaded here:
https://exchange.nagios.org/directory/Plugins/Hardware/Network-Gear/Others/check_snmp_firecluster/details
=======================================================
-----------------------
Problem:
-----------------------
check_snmp_firecluster.sh > does not run on ubuntu 22.04 minimal installation
-----------------------
Solution:
-----------------------
#analysing the script:
#working example
snmpget -t 10 -v 1 -c public 192.168.2.10 .1.3.6.1.4.1.3097.6.6.9.0
SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3
#not working example
snmpget -t 10 -v 1 -c pnpub 192.168.2.10 .1.3.6.1.4.1.3097.6.6.9.0
iso.3.6.1.4.1.3097.6.6.9.0 = INTEGER: 3
>> the problem is that the parsing of the result was failing, since there where only numeric oid's
>> so let's turn on SNMP mibs, in file /etc/snmp/snmp.conf:
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
mibs SNMPv2-SMI
>> the line mibs SNMPv2-SMI was added after that the snmpget commands receives "SNMPv2-SMI::enterprises.3097.6.6.9.0 = INTEGER: 3" as result and the parsing was ok again
-----------------------------------
snmp packages installed on ubunut 22.04 LTS minimal installation:
----------------------------------
ii libsnmp-base 5.9.1+dfsg-1ubuntu2.6 all SNMP configuration script, MIBs and documentation
ii libsnmp40:amd64 5.9.1+dfsg-1ubuntu2.6 amd64 SNMP (Simple Network Management Protocol) library
ii snmp 5.9.1+dfsg-1ubuntu2.6 amd64 SNMP (Simple Network Management Protocol) applications
ii snmp-mibs-downloader 1.5 all install and manage Management Information Base (MIB) files
How to Access API Swagger documentation page?
https://developer.arubanetworks.com/aruba-central/docs/api-swagger-documentation
HPE GreenLake > Choose your Workspace > Aruba Central
in Aruba Central
- Global > Maintain > Organization > Platform Integration > API Gateway
>> hier you see:
>>> All Published APIs(1): https://apigw-eucentral3.central.arubanetworks.com/swagger/apps/nms/
>>> My Apps & Token / System Apps & Tokens: here you can create tokens to access the api
A token looks like:
Name: token-2024-01-26
Client ID: 5ojXi9VA2M....
Client Secret: weADaFKs....
Redirect URI: https://arubanetworks.com
{"access_token":"naMvrERSNB....",
"appname":"nms",
"authenticated_userid":"...."
,"created_at":1706258335937,
"credential_id":"afb0cc34-ceef-....",
"expires_in":7200,
"id":"164017b7-04dc-49a5-.....3",
"refresh_token":"mPYTOxctckc2J.......TihBVIeKiv",
"scope":"all",
"token_type":"bearer"}
After you created a token let's go to the API page:
https://apigw-eucentral3.central.arubanetworks.com/swagger/apps/nms/
example 1: get list of all access points
Request URL:
https://apigw-eucentral3.central.arubanetworks.com/monitoring/v2/aps
#########################################################
python mini script sample
#########################################################
#!/usr/bin/python3
import requests
# Aruba Central API details
#access_token: don't use the token id with dashes like "02828cde-2f1f-.....",
#use the access_token (click on download on webpage!)
access_token = "EHhi6Y18W....."
api_endpoint = "https://apigw-eucentral3.central.arubanetworks.com/monitoring/v2/aps"
# Make request to Aruba Central API for access points
headers = {"Authorization": f"Bearer {access_token}"}
api_response = requests.get(api_endpoint, headers=headers)
api_response.raise_for_status()
# Parse and print the response
access_points_data = api_response.json()
print("Aruba Central Access Points Information:")
print(access_points_data)
############################################################
use command:
checkpoint auto 3
the following messages is coming before end of time:
WARNING Please "checkpoint auto confirm" within 2 minutes
info from HPE page (see link below):
------------------------------------------------------
Usage
To save the runtime checkpoint permanently, run the checkpoint auto confirm command during the time lapse value set by the checkpoint auto <TIME-LAPSE-INTERVAL> command. The generated checkpoint name will be in the format AUTO<YYYYMMDDHHMMSS>. If the checkpoint auto confirm command is not entered during the specified time lapse interval, the previous runtime configuration is restored.
----
see also:
https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7851/Content/Chp_Cfg_FW_mgt/Chk_cmds/che-aut-con.htm
- list ruleset:
> esxcli network firewall ruleset list
- enable ruleset (ex. sshClient):
> esxcli network firewall ruleset set --enabled=true --ruleset-id=sshClient
- disable ruleset (ex. sshClient):
> esxcli network firewall ruleset set --enabled=false --ruleset-id=sshClient
via the cli, issue the following command:
>> esxcli network nic stats get -n <vmnic>
it is possible to run v2 modules, but it depends on your configuration!
check v3-specific settings:
# show running-config v3-specific
No V3-specific settings are configured.
run command "allow-v2-modules" to enable support mode ...
>> the switch needs a reboot
see also from documentation:
- https://www.arubanetworks.com/techdocs/AOS-S/16.11/MCG/KB/content/kb/all-v2-mod.htm
Unconfigure all v3-only features before moving to compatibility mode.
If the v3-native configuration is not present, the device reboots with the non-v3 configuration and issues the following message:This command will save the running configuration and reboot the system with all V3 modules operating
in v2-compatibility mode.Continue (y/n)?
- network scanning
- building a network map / topology?
>> good old tool called netdisco:
https://netdisco.org/
check network sockets
- use tool ss
>> ss - another utility to investigate sockets
- summary: ss -s
- all sockets: ss -a
- all udp sockets: ss -u -a
- all tcp sockets: ss -t -a
error message seen in typo3 backend, when something is selected on page tree:
Connection Problem
Sorry, but an error occurred while connecting to the server. Please check your network connection.
>> see solutions here .. it seams to be a reverse proxy issue:
https://forge.typo3.org/issues/26088
default setting is to have chrony installed
you can check with: rpm -qa |grep chrony
check file /etc/chrony.conf
in may case this was the ntp setting:
pool 2.rocky.pool.ntp.org iburst
comment out this line and change to your preferred ntp server
>> replace pool line with your ntp server
-------------------------------------------------------------
show update interval and other ntp status:
chronyc tracking
--------------------------------------------------------------
configure shorter update interval (default is 1024 seconds):
server ptbtime1.ptb.de iburst minpoll 4 maxpoll 6
server ptbtime2.ptb.de iburst minpoll 4 maxpoll 6
server ptbtime3.ptb.de iburst minpoll 4 maxpoll 6
poll explanation:
minpoll poll
This option specifies the minimum interval between requests sent to the server as a power of 2 in seconds. For example, minpoll 5 would mean that the polling interval should not drop below 32 seconds. The default is 6 (64 seconds), the minimum is -6 (1/64th of a second), and the maximum is 24 (6 months). Note that intervals shorter than 6 (64 seconds) should generally not be used with public servers on the Internet, because it might be considered abuse. A sub-second interval will be enabled only when the server is reachable and the round-trip delay is shorter than 10 milliseconds, i.e. the server should be in a local network.
maxpoll poll
This option specifies the maximum interval between requests sent to the server as a power of 2 in seconds. For example, maxpoll 9 indicates that the polling interval should stay at or below 9 (512 seconds). The default is 10 (1024 seconds), the minimum is -6 (1/64th of a second), and the maximum is 24 (6 months).
----------------------------------------------------------------
show sources:
chronyc sources -v
.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current best, '+' = combined, '-' = not combined,
| / 'x' = may be in error, '~' = too variable, '?' = unusable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ptbtime1.ptb.de 1 6 17 23 +179us[+1141us] +/- 6840us
^- ptbtime2.ptb.de 1 6 17 23 +1743us[+1743us] +/- 5624us
^- ptbtime3.ptb.de 1 6 17 22 +950us[ +950us] +/- 6064us
normal vswitch:
--------------------------------
- properties of your vswitch .. for example vSwitch0
>> enable CDP
- on cli:
show status:
>> [root@server root]# esxcfg-vswitch -b vSwitch1
enable:
>> [root@server root]# esxcfg-vswitch -B both vSwitch1
see also:
https://docs.vmware.com/en/VMware-Smart-Assurance/10.1.12/esm-user-configuration-guide-10112/GUID-338EBA5A-36C1-4A51-AD55-31524524AA52.html
distributed vswitch:
--------------------------------
https://docs.vmware.com/de/VMware-vSphere/7.0/com.vmware.vsphere.networking.doc/GUID-0A6E5650-D05B-41FA-9A4B-E2354DAB64F7.html
2024-03:
------------
https://www.arubanetworks.com/techdocs/central/2.5.8/content/whats_new/central258.htm
good documentation is here: https://docs.checkmk.com/latest/en/omd_basics.html#omd_backup_restore
- you don't have to stop the site to backup, the rrd data will be cached
- just use command: "omd backup <sitename> your-backupfile.tar.gz
- you can backup directly over network to the new system:
.. omd backup <sitename> - | ssh username@new-system "cat >/tmp/sitename-backup.tar.gz"
.. once the backup is finised use "omd restore /tmp/sitename-backup.tar.gz" on the new system
installation via docker ...
-------------------------------------------------------
cd /opt/
mkdir netdisco
mkdir netdisco/logs
mkdir netdisco/config
mkdir netdisco/nd-site-local
chown -R 901:901 netdisco/
#the cursor is still in /opt directory
curl -Ls -o docker-compose.yml https://tinyurl.com/nd2-dockercompose
vi docker-compose.yml (just check the file)
netstat -nat (check if tcp 5000 Listening port is free)
apt-get install docker.io (ubuntu 20)
apt-get install docker-compose
apt-get install docker-compose-v2
#build the docker:
root@linux:/opt/netdisco# docker-compose up
ERROR: The Compose file './docker-compose.yml' is invalid because:
Unsupported config option for services.netdisco-do: 'profiles'
>> comment out line with profiles! after that try again!
#build the docker > when error message "no configuration file provided: not found" appears:
root@linux: /usr/libexec/docker/cli-plugins/docker-compose up
#check docker
docker ps
#check if port 5000 comes up!
http://server-name:5000/
#on webfrontend enter a subnet to discover like
#192.168.2.0/24
#under Admin > Discover All you see the status of the discovery
#under Admin > User Management
>> add an admin user + password and remove the guest account
#disable anoymous logon:
./netdisco/config/deployment.yml
#see also:
- https://hub.docker.com/r/netdisco/netdisco
- https://stackoverflow.com/questions/45764477/docker-compose-error-while-creating-mount-source-path (when read-only filesystem error occurs)
HPE Aruba > port access > client inactivity timeout problem > for example a printer that sleeps
problem: if you have a device that does not initiate any periodic network traffic, since it sleeps will be forgotten
by the switch, since the default inactivity timer is 5 minutes (300 seconds)
>> you can change this using a local role!
#create a new local role
cx-switch(config)# port-access role printer
cx-switch(config-pa-role)# client-inactivity timeout 4294967295
cx-switch(config-pa-role)# exit
#assign the role to a interface
cx-switch(config)# interface 1/1/16
cx-switch(config-if)# aaa authentication port-access auth-role printer
#sample of a whole interface config, with mac authentication
cx-switch# show running-config interface 1/1/16
interface 1/1/16
no shutdown
no routing
vlan access 14
aaa authentication port-access client-limit 2
aaa authentication port-access reject-role unknown
aaa authentication port-access auth-role printer
aaa authentication port-access mac-auth
cached-reauth
cached-reauth-period 86400
enable
dhcpv4-snooping trust
dhcpv6-snooping trust
loop-protect
exit
#how to mix the role parameters with radius parameters? >> use aaa authentication port-access radius-override
aaa authentication port-access radius-override enable
Description
Enables or disables radius-override support at the interface context. When radius-override support is enabled, a new RADIUS overridden role is created with a combination of LUR/DUR along with RADIUS attributes for the corresponding client-role attributes such as VLANs, captive portal URL, and downloadable gateway role. When the RADIUS override support is disabled, then only the user-roles get applied to the client.
-----------------------------------
documentation
- https://www.arubanetworks.com/techdocs/AOS-CX/10.11/HTML/security_6200-6300-6400/Content/Chp_Port_acc/Port_acc_gen_cmds/aaa-aut-por-acc-rad-ove.htm
Client-inactivity/idle timeout
-----------------------------------------------------
1: Local User Role
6300-VSF(config)# port-access role silent
6300-VSF(config-pa-role)# client-inactivity timeout
<300-4294967295> Set client inactivity timeout value in seconds.
none
2: Radius
Radius:IETF Idle-Timeout = 0
Allow-Flood-Traffic
---------------------------------
>> wol etc ...
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# port-access allow-flood-traffic enable
6300-VSF(config-if)# exit
• Caveat
>> Custom Port vlan membership , as the admin must configure the right broadcast/wol server vlan in the silent end client connected ports even before
authentication.
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)# vlan access <>
6300-VSF(config-if)# exit
Client IP Tracker
----------------------------------
Recommended for Client Types – All client types
6300-VSF(config)# client track ip
6300-VSF(config)# client track ip all-vlans
Or
6300-VSF(config)# vlan 2
6300-VSF(config-vlan-2)# client track ip
6300-VSF(config-vlan-2)# exit
6300-VSF(config)# interface 1/1/1
6300-VSF(config-if)#client track ip update-interval <60-28000s>(Default: 1800)
6300-VSF(config-if)#exit
6300-VSF(config)# show client ip
how the switch tracks the ip?
>>
• After the configured update interval , switch will start sniffing for packets from the client mac-address for 15s.
• If there are no packets received after 15s, it will start the ARP probe – 3 times with each 3s delay
• Client will respond back to arp probe and it will not age out.
################################################################################################
see the original document on:
https://community.arubanetworks.com/discussion/hpe-anw-cx-switches-silent-client-support
document: Silent Client Support – AOS-CX.pdf
for HPE Aruba solutions for example how to configure radius logon authentication, use this nice page:
- https://ase.arubanetworks.com/
================================================================================
solution example:
Creates a Aruba ClearPass Policy Manager (CPPM) XML files and CLI to enable TACACS+ or RADIUS.
Configuration Notes
This will configure the basic TACACS+ or RADIUS on an ArubaOS switch and generate the ClearPass Policy Manager (CPPM) service, enforcement profile and policy for importing into the ClearPass server
https://ase.arubanetworks.com/solutions/id/126
On Friday June 21st 2024, the My Networking Portal (MNP) got renamed to IMC Licensing Tool (ILT), while the functionality remains unchanged.
You can continue using this portal for MSR router licenses management as well.
>> link to portal is: https://www.hpe.com/networking/mynetworking
1) under internet / access type / port configuration, you can now select which lan port you would like to use for a static client. all lan ports (except port 1) are always activated in the default settings. please note that dhcp is activated on the lan ports without a check mark. you can now connect the client set up with static ip to the configured lan port connect. please check whether the client you have set up with the static ip address is visible in the "network" tab in the "home network" area.
2) if the client is stored with a private ip address, then this must first be manually with the static ip. to do this, call up the details.
3) then enter the static ip in the "ip address" field and confirm with ok.
4) a second entry is now created in the network overview, which shows the client with the static ip.
5) now please call up the port sharing page
6) select the appropriate client from the drop-down menu. please note that the ipv4 address cannot be entered manually.
7) you have the option of setting up the port individually or via "exposed host". exposed host, individual port releases are no longer necessary, as the entire data traffic is traffic is forwarded to the static ip client. for "exposed host", check the box next to ipv4 settings.
------------
link: https://forum.vodafone.de/vodafonede/attachments/vodafonede/Internet-Endgeraete/198842/1/FB_Client_mit_static-IP_2020.pdf
documentation:
- https://community.arubanetworks.com/community-home/librarydocuments/viewdocument?DocumentKey=583911d8-9723-4be9-9807-75c4690d339b&CommunityKey=3dd64143-3ac3-4152-9abd-06dc0b4ecdd1&tab=librarydocuments
- Aruba ClearPass Workshop - Wireless #4 - AD Client Certificates EAP-TLS: https://www.youtube.com/watch?v=buNyG5WneKY
== EtherApe: tool to display network activity
- install with apt install etherape
- run with "etherape -i eth0"
- or run with "etherape -f tcp" to see only tcp traffic
- there is a graphical interface or you can log it a file using command: "etherape -p -w output_file"
- stop etherape after number of packets: etherape -c 1000
- use it with pcap: "etherape -r input_file.pcap"
- get remote data using ssh: "etherape -r ssh://username@remote_host/"
== ARPwatch: tool to monitor arp activity
- install: apt get install arpwatch
- watch log file: "tail -f /var/log/arpwatch.log"
links:
- https://www.ip-insider.de/so-nutzen-sie-den-arp-cache-fuer-die-netzwerkdiagnose-a-c4ce2ba83d76eae190a0776208c01e11/
- https://www.ip-insider.de/troubleshooting-und-sicherheitsanalyse-im-netzwerk-a-cd1bbf617b71b76920894db7a09a00e7/
if cloud guest is not working, there is probably no connection to the specified cloud Radsec Port TCP 2083.
In the following some useful command to check on a access point console:
- commands to use
show radius-servers
-> here you should see an established session to Radsec port TCP 2083
show radius status
-> here you should see an established session to Radsec port TCP 2083
ping euw1.cloudguest.central.arubanetworks.com
-> check if dns resulution works > if you see an ip
show ap debug radius-statistics
-> check if guest / cloud server is "Up"
show log security
-> see logs regarding radsec
show datapath session
-> you should see an established session to destination port 2083 (Radsec)
show ap debug cloud-connectivity
-> see cloud status
show ap debug cloud-pingpong-stats
ping statistics 744(744)
pong statistics 744(744)
------------------------------------------------
important document!
>> https://www.arubanetworks.com/techdocs/central/2.5.7/content/nms/device-mgmt/communication_ports.htm
------------------------------------------------
computer2know :: thank you for your visit :: have a nice day :: © 2024