Upgrading Procurve switch firmware from USB

The ProCurve 5400zl series switches have a USB port that you can use to transfer files, in addition to TFTP and SCP/SFTP. Since I had a few of these to upgrade and they were in a lab environment (i.e. not connected to any “real” networks), I didn’t want to bother with setting up a TFTP server. The upgrade process is pretty straightforward and is similar to doing an upgrade via TFTP.

We can find the latest software for our ProCurve switches on the “Software for switches” page. Software (“firmware”) updates do not require that you have a valid login or service contract, unlike Cisco. I grabbed the latest version at the time of writing, which is K.13.45 (be sure to read the release notes that accompany each release as well, prior to performing an upgrade). Save the downloaded .swi file to your USB flash drive and plug the flash drive into the switch.

To check what version of the software is currently running, issue the “show version” command:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Aug 4 2008 15:08:24
K.13.25
93
Boot Image: Primary

We can see that we’re running version K.13.25 and that we booted from the primary flash. We can also see the current contents of flash, as well as our USB drive:

SW1# show flash
Image Size(Bytes) Date Version
—– ———- ——– ——-
Primary Image : 7442476 08/04/08 K.13.25
Secondary Image : 6782942 12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot : Primary

SW1# dir

Listing Directory /ufa0:
-rwxrwxAwx 1 0 0 7442476 Nov 3 2008 K_13_25.SWI
-rwxrwxAwx 1 0 0 7494786 Oct 30 2008 K_13_45.SWI

Because I’ve been running K.13.25 and it’s been stable, I’m going to copy it to secondary flash and then overwrite the primary with the new software. We’ll then reboot the switch with the new software (keeping the previous version in secondary as a “backup” in case anything goes wrong).

SW1# copy flash flash secondary

This command isn’t real intuitive (and it takes a while as well), but here we’re basically copying from flash to flash, with the secondary as our destination. In this case the contents of the primary flash will be copied to the secondary. “copy flash flash primary” would copy the contents of the secondary into the primary. Let’s verify what we have now:

SW1# show flash
Image Size(Bytes) Date Version
—– ———- ——– ——-
Primary Image : 7442476 08/04/08 K.13.25
Secondary Image : 7442476 08/04/08 K.13.25
Boot Rom Version: K.12.12
Default Boot : Primary

We can see that the contents of the primary have now been copied to the secondary as well. Let’s copy the K_13_45.SWI image from the USB drive to primary flash:

SW1# copy usb flash K_13_45.SWI primary
The Primary OS Image will be deleted, continue [y/n]? y

After a moment, we’ll see this message:

Validating and Writing System Software to the Filesystem ...

When the copy has completed, it’s worth running “show flash” once more to confirm that the Primary Image now shows K.13.45 (and the Secondary still shows K.13.25) before we reload the switch with the new software:

SW1# boot system flash primary
System will be rebooted from primary image. Do you want to continue [y/n]? y

The switch will take a minute to reboot (I won’t bother pasting the complete bootup process) and then we can, again, use “show version” to verify that we’re now running the latest software:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
K.13.45
706
Boot Image: Primary

See, wasn’t that easy? We’ve successfully upgraded the firmware, and we’ve also kept a backup copy of the previous software in case things go badly. If that happens, just issue the “boot system flash secondary” command to reload the switch with the previous software.

Juniper Networks – changing to a more reliable network

I had recently attended a Juniper course at Dynamic World Wide Training Consultants. While at this training I felt even more confident that our switch to Juniper was the right choice. There are several reasons why we are making this change from Cisco, but rest assured that cost was not the primary deciding factor (although a very tempting one).

Cisco, on the other hand, has been running in another direction, selling their name but missing their mark on quality products unless you’re willing to buy their new G2, ASA, or higher-end routers. I could go on, but compared to Juniper I would say Cisco’s education and certification program needs a serious overhaul.

1. A solid Education Program:
Juniper not only has full control of their certification program, but they also have a solid curriculum that takes you from just knowing how to say TCP/IP to the advanced wonders of dynamic routing and high availability. Did I mention they will basically give away vouchers this year for those who attend training or even take pre-certification tests? Also, be sure to ask for Juniper Training Credits when you purchase your hardware; this is just one way you will know Juniper cares about your business.

2. A solid reputation with Internet Service providers:
Why is this important? Well, Cisco and Juniper have been around for a while; they just entered the market from two different directions. Cisco entered in the consumer market and later competed in the service provider market. Juniper started in the service provider market, learning from many of the issues that network admins had with Cisco, and they built into most of their products a standard operating system called Junos. Juniper also includes high availability options, and the internal software with separate routing engines and forwarding planes makes this possible.

3. A lot of features – in a little box:
Did I mention their OS is based on FreeBSD, which is somewhat like Unix or Linux? This allows Juniper to include a number of modules and features, so if for some reason you need to restart a daemon you can rest assured that you probably won’t affect the rest of your traffic. With this in mind, when you boot a Juniper be prepared for the 5 to 7 minutes it takes to boot, much like an appliance. Also, you will want to safely shut down your Juniper like you would a Linux server, not with a simple flip of a power button.

4. Standards based Networking:
While many of us would probably like to stay with a single vendor for all our networking needs, you probably have multiple vendors on your network, each with their own way of doing things. Many of the cool things Juniper does, they do in such a way as to maintain standards. While there are a few features that Juniper has pioneered, you always have the option to keep your network standards-based by default.

5. Support:
While I don’t have experience with this so far, I’ll be sure to report on any findings. I have found Juniper’s website very helpful, and Juniper’s TAC team is made available to all current support customers from day one.

6. Cost:
OK, I will break down the cost for you just this once. With Cisco, just over $120k may get you 6 G2 routers with the works and 3 years of SmartNet. Juniper did much better and threw in some training for free: for the same cost as the 6 G2 routers (I will post the models later), Juniper was able to provide 4 J-Series routers, 16 SRX Series routers/firewalls, 3 years of support, training and certification, and professional services. The professional services actually cost as much as the equipment, but even then it was a much better deal.

So with all this in mind, when you hear about Juniper around the corner, I would highly recommend you continue your research and take a few classes. I promise you this one thing: you will not only grow into it quickly, but will wonder how you would have done it without Juniper.

HP Procurve and Protecting VLANs with ACLs

How to protect an OOB management VLAN from access, or protect a VLAN from being directly plugged into by a switch from another VLAN (with another subnet, or another DHCP server)

Now, some of this is still under testing, but I feel that I have pretty much mastered the art of ACLs to protect a VLAN, such as one used to manage a bunch of devices (routers, switches, firewalls, UPSs, environmental monitors), or to keep out traffic that you would rather not have access to a VLAN or to the devices plugged into a ProCurve switch.

Now, it is a best practice network-wise to use ACLs to block traffic at the source. So this may seem a little backwards, but I want to use this ACL as a last line of defence, blocking traffic on the port as it leaves the VLAN toward the device. So we will be using “out” and not “in” for the first part.

Another important thing to remember about ACLs is that every ACL ends with an implicit “deny any”: anything that does not match one of the permit statements you listed is blocked. So as a best practice I will only list those IP addresses that need access. You also have the option of using an extended or a standard ACL. Again, I will keep this simple: a standard ACL matches on source IP address only, so if you want more flexibility to block only certain protocols, or access to only a portion of a subnet, then you should look into extended ACLs. For this exercise we will only be permitting source IP addresses (all protocols) using a standard ACL.

Note: these ACLs are RACLs (routed ACLs) and are only applied if IP routing is enabled on the switch (Layer 3). If this is just a Layer 2 switch then you may want to try a VACL instead. I will probably post information on VLAN ACLs later, but a VACL controls all traffic entering the switch from a particular VLAN, switched as well as routed. So with that said, I’m assuming you will be using a Layer 3 enabled switch for this exercise.

Here is the ACL I will create for access to the Out Of Band (OOB) management interfaces on my devices:

ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
   10 remark "NPM System"
   11 permit host 192.168.13.64
   20 remark "IT Department"
   21 permit 192.168.82.0 0.0.0.255
   30 remark "Management Workstation"
   31 permit host 192.168.12.54

Now, the “out” part means the ACL is applied as the packet leaves a port on the switch into VLAN 6, i.e. after routing, on its way to the management device. This can mean a number of things, but again it is important to keep it simple, so for now just focus on the primary goal of only allowing authorized subnets access to the management devices.

Applying it to your VLAN is simple:

vlan 6 ip access-group OOB-Access-out out

Observe that I used “out” instead of “in”. In our next example I will use “in” so that I block unauthorised traffic and avoid multinetting my VLAN.

ip access-list standard "OOB-Access-in"
1 remark "OOB subnet"
2 permit 192.168.0.0 0.0.0.255

Applying it to the VLAN is the same, but remember “in” instead of “out”:

vlan 6 ip access-group OOB-Access-in in

The above standard ACL should only allow devices with a source address in 192.168.0.0/24 to send traffic into this VLAN; you may need to modify this a bit to allow other traffic, but with a little testing this could protect your network from, for example, someone plugging a cable from one network’s jack into another network with a different VLAN, causing all sorts of strange traffic such as a DHCP server handing out the wrong IP addresses. Keep the note above in mind, though: as an RACL this only sees traffic the switch routes into or out of the VLAN, so for traffic that stays inside the VLAN at Layer 2 you would need a VACL instead.

There is a lot more you can do with ACLs, and extended ACLs offer much more, but I would recommend getting used to standard ACLs first, then working with extended ACLs.
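Because the implicit deny and the wildcard-mask matching are the two things people get wrong, here is a small evaluator for the two standard ACLs above. It is an added example, not code from the original post or from HP: it parses the list exactly as pasted from the switch, applies the entries in sequence order, and falls through to the implicit “deny any”, so you can see what each source address would get before you commit the “ip access-group” line. The sample source addresses at the bottom are constructed for illustration.

```python
import ipaddress
import re

# Both standard ACLs from the post, pasted as "show run" prints them.
# The entries are the post's; the evaluator below is the added part.
ACL_TEXT = """
ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
   10 remark "NPM System"
   11 permit host 192.168.13.64
   20 remark "IT Department"
   21 permit 192.168.82.0 0.0.0.255
   30 remark "Management Workstation"
   31 permit host 192.168.12.54
ip access-list standard "OOB-Access-in"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
"""

HEADER_RE = re.compile(r'^ip access-list standard\s+"?([^"]+?)"?\s*$')
ENTRY_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>[\d.]+)|(?P<net>[\d.]+)\s+(?P<wild>[\d.]+))\s*$"
)
ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acls(text):
    """Return {name: [(seq, action, net, wildcard), ...]} with addresses as ints.

    Remarks are skipped. A line that is neither a header, a remark nor a
    permit/deny entry raises ValueError so a typo is not silently ignored.
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        if current is None:
            raise ValueError(f"entry before any access-list header: {line}")
        if "remark" in line.split()[:2]:
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            raise ValueError(f"unrecognised standard ACL entry: {line}")
        if entry["any"]:
            net, wild = 0, ALL_ONES
        elif entry["host"]:
            net, wild = _to_int(entry["host"]), 0          # "host X" == wildcard 0.0.0.0
        else:
            net, wild = _to_int(entry["net"]), _to_int(entry["wild"])
        # Keep the switch's sequence number; if absent, step by 10 like the CLI does.
        seq = int(entry["seq"]) if entry["seq"] else (current[-1][0] + 10 if current else 10)
        current.append((seq, entry["action"], net, wild))
    return acls


def evaluate(acl, src_ip):
    """Return (action, seq) of the first matching entry, or ("deny", None).

    A wildcard bit of 1 means "don't care", so an entry matches when the source
    and the entry's address agree on every bit the wildcard leaves as 0. Entries
    are tried in sequence order; the trailing ("deny", None) is the implicit
    deny that blocks everything the list does not explicitly permit.
    """
    ip = _to_int(src_ip)
    for seq, action, net, wild in sorted(acl, key=lambda e: e[0]):
        care = ALL_ONES ^ wild
        if (ip & care) == (net & care):
            return action, seq
    return "deny", None


def report(acls, sources):
    """Evaluate every source against every ACL; run this before 'ip access-group'."""
    return {name: {src: evaluate(acl, src) for src in sources}
            for name, acl in acls.items()}


if __name__ == "__main__":
    # Constructed samples: inside the OOB subnet, the NPM host, the NPM host's
    # neighbour, an IT workstation, and an unrelated subnet.
    samples = ("192.168.0.10", "192.168.13.64", "192.168.13.65",
               "192.168.82.200", "10.20.30.40")
    for name, results in report(parse_standard_acls(ACL_TEXT), samples).items():
        print(name)
        for src, (action, seq) in results.items():
            print(f"  {src:16} {action:6} (seq {seq if seq is not None else 'implicit'})")
```

Note that 192.168.13.65 is denied by both lists even though it sits right next to the permitted NPM host: “host” is a 0.0.0.0 wildcard, and nothing else matches, so the implicit deny applies. The same evaluator accepts “deny” entries and “any”, so you can also use it to sanity-check an explicit deny placed before a broader permit.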

Setting Up Jumbo Frames on VMware ESX Hosts

Jumbo frames can be an important part of an IP storage network: raising the MTU from 1500 to 9000 bytes means fewer packets, and so less header and per-packet processing overhead, for the same amount of data. There are some strict requirements you need to follow to make this happen, or you will get MTU mismatch problems (fragmentation, or frames silently dropped by a device that can’t take them) that will actually slow down your storage network instead of speeding it up.

First, make sure you configure the switch VLAN that will handle the traffic to use jumbo frames. For example, on an HP ProCurve from the configuration prompt:

vlan 30
jumbo

Second, make sure that you configure an interface on the storage device that is also on this VLAN to use jumbo frames to communicate with your host. This depends on your storage vendor, but from the documentation you should figure it out quickly.

Third, configure all your hosts to communicate with your storage device via jumbo frames on the same VLAN. I keep saying “same VLAN” for a very good reason: you will quickly run into the dreaded MTU mismatch errors if you try to route this traffic between VLANs. If you need to route to other devices, or to a device across a WAN, that are not using jumbo frames, then you must use a dedicated interface with MTU 1500 to communicate with them. This interface does not have to be physical; on NetApp this can just be a VIF without the 9000 MTU configured on it.

Now that you have some background on jumbo frames, here is how to enable them on a vSwitch on a VMware ESX host.

First, in vCenter or the host’s Network Configuration, add your vSwitch and set up a port group; in this example I used vSwitch2 and called the port group IPStorage. Once this is set up, SSH to or log in at the console of your ESX host and run the following CLI commands.

Prep the vSwitch with the following command, substituting vSwitch2 with the vSwitch you wish to target:

esxcfg-vswitch -m 9000 vSwitch2

Now configure the port group as you named it earlier and assign it an IP address at the same time:

esxcfg-vmknic -a -i 10.10.2.10 -n 255.255.255.0 -m 9000 IPStorage

Finally, test your configuration by pinging your storage interface with a full-size jumbo frame and the Don’t Fragment bit set, so a path that can’t carry 9000-byte frames fails loudly instead of being quietly fragmented into 1500-byte pieces (which would make the ping succeed and hide the problem). The payload is 8972 bytes because the 20-byte IP header and 8-byte ICMP header bring the packet to exactly 9000:

vmkping -d -s 8972 10.10.2.101

If your ping fails, make sure that your storage interface is correctly configured and on the same VLAN and subnet, and also ensure that you have jumbo frames enabled on the switch in the VLAN you are using. Also make sure that when you set up your port group in the VMware GUI you input the VLAN number if you are using tagged VLANs on the port.

Lansweeper – Network Auditing and Management

http://www.lansweeper.com

I like to call Lansweeper the Google search of network management. The ease of setting up custom remote actions on the system is by far the best part of this very useful utility. I should also mention the price is low, free even for light users. When I first tried the free version I was so impressed I spent the little extra to go pro. The price is a little higher now than when I first started using it over a year ago, but I’m sure you will find it worth more than you pay for it.

I should also add that if you want to create custom reports about your network and have them e-mailed to you every morning, this is the tool for you.

The user forum is useful as well; it almost has the feel of open source, because everyone has some bit of code to add some value to the program.

When you pay for the pro version you gain access to what I like to call the Lansweeper Tool Suite: many helpful tools that help you remotely manage your computers and network devices.

Hiding internal IP from the internet through Squid proxy

Did you know your internal IP address could be advertised all over the internet through your proxy, or, even better yet, with no proxy? Do you want to know how to check?

This site will tell you what information your request headers are passing out, including your internal IP address:

http://www.ip-adress.com/what_is_my_ip/

An easy way to fix this is to add the following to your Squid config (squid.conf):

forwarded_for off

With “off”, Squid still sends an X-Forwarded-For header, but with the value “unknown” in place of the client address; on Squid 3.1 and later you can use “forwarded_for delete” instead to drop the header entirely. Then reload your Squid configuration (on Debian/Ubuntu the init script, /etc/init.d/squid3 reload, does the same thing):

sudo squid3 -k reconfigure
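Rather than relying on a third-party site to tell you what leaked, you can run a tiny echo server of your own on a host outside the proxy and browse to it through the proxy. The following is an added example, not code from the original post or from the Squid project: it reports any RFC 1918, loopback or link-local address found in the X-Forwarded-For, Forwarded or Via headers that reached the origin, and treats Squid’s “X-Forwarded-For: unknown” (what “forwarded_for off” produces) as clean. The listen port (8088) and the sample headers in the test are assumptions chosen for illustration.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ranges that should never be visible to an outside site. Kept as an explicit
# list rather than ipaddress's is_private, which also flags documentation and
# benchmarking ranges that are not "internal" in the sense this post means.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
# Hop headers a forward proxy may add on the way out.
HOP_HEADERS = ("X-Forwarded-For", "Forwarded", "Via")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(literal):
    """True if the dotted-quad literal falls in one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def leaked_internal_addresses(headers):
    """Return {header: [internal IPs]} for the proxy-added headers that leak.

    headers is any mapping of header name -> value (looked up case-insensitively),
    e.g. http.server's self.headers. A value of "unknown" or a public address
    only yields nothing, so a proxy configured with "forwarded_for off" or
    "forwarded_for delete" comes back as an empty dict.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    leaks = {}
    for name in HOP_HEADERS:
        value = lowered.get(name.lower())
        if not value:
            continue
        found = [ip for ip in IPV4_RE.findall(value) if is_internal(ip)]
        if found:
            leaks[name] = found
    return leaks


class LeakReportHandler(BaseHTTPRequestHandler):
    """Echo the hop headers back to the browser and flag any internal address."""

    def do_GET(self):
        leaks = leaked_internal_addresses(self.headers)
        lines = [f"connecting address: {self.client_address[0]}"]
        for name in HOP_HEADERS:
            lines.append(f"{name}: {self.headers.get(name, '<absent>')}")
        lines.append(f"LEAK: {leaks}" if leaks
                     else "OK: no internal addresses in hop headers")
        body = ("\n".join(lines) + "\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def serve(port=8088):
    """Run on a machine outside the proxy, then fetch http://<that host>:8088/ through it."""
    HTTPServer(("", port), LeakReportHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Check it once before the Squid change and once after the reload; the first visit should show your workstation’s address in X-Forwarded-For and the second should show “unknown” (or no header at all with “delete”). Via is included because some proxies put an address rather than a hostname there, which the Squid directive above does not touch.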