Upgrading Procurve switch firmware from USB

The ProCurve 5400zl series have a USB port on them that you can use to transfer files, in addition to TFTP and SCP/SFTP. Since I had a few of these to upgrade and they were in a lab environment (i.e. not connected to any “real” networks), I didn’t want to bother with setting up a TFTP server. The upgrade process is pretty straightforward and is similar to doing an upgrade via TFTP.

We can find the latest software for our ProCurve switches on the “Software for switches” page. Software (“firmware”) updates do not require that you have a valid login or service contract, unlike Cisco. I grabbed the latest version (at the time of writing), which is K.13.45 (be sure to read the Release Notes that accompany each release as well, prior to performing an upgrade). Save the downloaded file to your USB flash drive and plug the flash drive into the switch.

To check what version of the software is currently running, issue the “show version” command:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Aug 4 2008 15:08:24
K.13.25
93
Boot Image: Primary

We can see that we’re running version K.13.25 and that we booted from the primary flash. We can also list the current contents of flash, as well as our USB drive:

SW1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7442476 08/04/08 K.13.25
Secondary Image : 6782942 12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot : Primary

SW1# dir

Listing Directory /ufa0:
-rwxrwxAwx 1 0 0 7442476 Nov 3 2008 K_13_25.SWI
-rwxrwxAwx 1 0 0 7494786 Oct 30 2008 K_13_45.SWI
SW1#

Because I’ve been running K.13.25 and it’s been stable, I’m going to copy it to secondary flash and then overwrite the primary with the new software. We’ll then reboot the switch with the new software (keeping the previous version in secondary as a “backup” in case anything goes wrong).

SW1# copy flash flash secondary

This command isn’t very intuitive (and it takes a while as well), but here we’re basically copying from flash, to flash, with the secondary as our destination. In this case, the contents of the primary flash will be copied to the secondary. “copy flash flash primary” would copy the contents of the secondary into the primary. Let’s verify what we have now:

SW1# show flash
Image Size(Bytes) Date Version
----- ---------- -------- -------
Primary Image : 7442476 08/04/08 K.13.25
Secondary Image : 7442476 08/04/08 K.13.25
Boot Rom Version: K.12.12
Default Boot : Primary

We can see that the contents of the primary have now been copied to the secondary as well. Let’s copy the K_13_45.SWI image from the USB drive to primary flash:

SW1# copy usb flash K_13_45.SWI primary
The Primary OS Image will be deleted, continue [y/n]? y

After a moment, we’ll see this message:

Validating and Writing System Software to the Filesystem ...

When the copy has completed, we need to reload the switch with the new software:

SW1# boot system flash primary
System will be rebooted from primary image. Do you want to continue [y/n]? y

The switch will take a minute to reboot (I won’t bother pasting the complete bootup process) and then we can, again, use “show version” to verify that we’re now running the latest software:

SW1# show version
Image stamp: /sw/code/build/btm(t3a)
Oct 17 2008 20:03:02
K.13.45
706
Boot Image: Primary

See, wasn’t that easy!? We’ve successfully upgraded the firmware, and we’ve also kept a backup copy of the previous software in case things go badly. If that happens, just issue the “boot system flash secondary” command to reload the switch with the previous software.
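The one thing that makes this procedure safe is the rollback copy in secondary flash. As an added example (not code from the post or from HP), here is a small pre-flight check that parses the “show flash” output above and refuses to proceed until secondary holds the version that is currently running; the FLASH_BEFORE/FLASH_AFTER text is constructed from the output shown on the page.

```python
import re

# Constructed from the "show flash" output in the post, before and after the
# "copy flash flash secondary" step (column spacing is approximate; the
# regexes below tolerate any amount of whitespace).
FLASH_BEFORE = """\
Image           Size(Bytes)   Date     Version
-----           -----------   -------- -------
Primary Image   : 7442476     08/04/08 K.13.25
Secondary Image : 6782942     12/07/07 K.12.57
Boot Rom Version: K.12.12
Default Boot    : Primary
"""
FLASH_AFTER = (FLASH_BEFORE.replace("6782942", "7442476")
               .replace("12/07/07", "08/04/08").replace("K.12.57", "K.13.25"))
RUNNING_VERSION = "K.13.25"   # what "show version" reported before the upgrade

IMAGE_RE = re.compile(r"^(Primary|Secondary) Image\s*:\s*(\d+)\s+(\S+)\s+(\S+)")
BOOT_RE = re.compile(r"^Default Boot\s*:\s*(\S+)")

def parse_show_flash(text):
    """Map 'primary'/'secondary' to {size, date, version} plus 'default_boot'."""
    flash = {}
    for line in text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            flash[m.group(1).lower()] = {"size": int(m.group(2)),
                                         "date": m.group(3), "version": m.group(4)}
            continue
        m = BOOT_RE.match(line)
        if m:
            flash["default_boot"] = m.group(1).lower()
    return flash

def backup_ready(flash, running):
    """True only when secondary flash holds the running version with the same
    image size as primary, i.e. the rollback copy is in place and it is safe
    to overwrite primary with the new image."""
    pri, sec = flash.get("primary"), flash.get("secondary")
    if not pri or not sec:
        return False
    return sec["version"] == running and sec["size"] == pri["size"]
```

Run it against the output captured before “copy flash flash secondary” and it reports False; after the copy it reports True, which is the point at which “copy usb flash … primary” is safe to issue.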

Juniper Networks – changing to a more reliable network

I recently attended a Juniper course at Dynamic World Wide Training Consultants. While at this training I felt even more confident that our switch to Juniper was the right choice. There are several reasons why we are making this change from Cisco, but rest assured that cost was not the primary deciding factor (although a very tempting one).

Cisco, on the other hand, has been running in another direction, selling their name but missing their mark on quality products unless you’re willing to buy their new G2, ASA, or higher end routers. I could go on, but compared to Juniper I would say Cisco’s education and certification program needs a serious overhaul.

1. A solid Education Program:
Juniper not only has full control of their certification program, but they also have a solid curriculum that takes you from just knowing how to say TCP/IP to the advanced wonders of dynamic routing and high availability. Did I mention they will basically give away vouchers this year for those who attend training or even take pre-certification tests? Also, be sure to ask for Juniper Training Credits when you purchase your hardware; this is just one way you will know Juniper cares about your business.

2. A solid reputation with Internet Service providers:
Why is this important? Well, Cisco and Juniper have been around for a while; they just entered the market from two different directions. Cisco entered in the consumer market and later competed in the service provider market. Juniper started in the service provider market, learning from many of the issues that network admins had with Cisco, and they built most of their products on a standard operating system called Junos. Juniper also includes high availability options, and the internal software with separate routing engines and forwarding planes makes this possible.

3. A lot of features – in a little box:
Did I mention their OS is based on FreeBSD, which is somewhat like Unix or Linux? This allows Juniper to include a number of modules and features, and if for some reason you need to restart a daemon you can rest assured that you probably won’t affect the rest of your traffic. With this in mind, when you boot a Juniper be prepared for it to take 5 to 7 minutes, much like an appliance. Also, you will want to safely shut down your Juniper like you would a Linux server, not with a simple flip of a power button.

4. Standards based Networking:
While many of us would probably like to stay with a single vendor for all our networking needs, you probably have multiple vendors with their own way of doing things on your network. Many of the cool things Juniper does, they do so in such a way as to maintain standards. While there are a few features that Juniper has pioneered, you always have the option to keep your network standards based by default.

5. Support:
While I don’t have experience with this so far, I’ll be sure to report on any findings. I have found Juniper’s website very helpful, and Juniper’s TAC team is made available to all current support customers from day one.

6. Cost:
Ok, I will break down the cost for you just this once. With Cisco, just over $120k may get you 6 G2 routers with the works and 3 years of SmartNet. Juniper did much better and threw in some training for free: for the same cost as the 6 G2 routers (I will post the models later), Juniper was able to provide 4 J-Series routers, 16 SRX Series routers/firewalls, 3 years of support, training and certification, and professional services. The professional services actually cost as much as the equipment, but even then it was a much better deal.

So with all this in mind, when you hear Juniper around the corner, I would highly recommend you continue your research and take a few classes. I promise you this one thing. You will not only grow into it quickly, but will wonder how you would have done it without Juniper.

HP Procurve and Protecting VLANs with ACLs

How to protect an OOB Management VLAN from access, or protect a VLAN from being directly plugged into by a switch from another VLAN (with another subnet, or another DHCP server).

Now, some of this is still under testing, but I feel that I have pretty much mastered the art of ACLs to protect a VLAN such as one used to manage a bunch of devices (routers, switches, firewalls, UPS, environmental monitors), or simply to keep traffic you would rather not see away from a VLAN or from devices plugged into a ProCurve switch.

Now, it is a best practice network-wise to use ACLs to block traffic at the source. So this may seem a little backwards, but I want to use this ACL as a last line of defence to block traffic on the port as it leaves the VLAN towards the device. So we will be using the “out” direction and not the “in” for the first part.

Another important thing to remember about ACLs is that anything not matched by a permit or deny statement will be blocked, because every ACL ends with an implicit deny. So as a best practice I will only list those IP addresses that need access. You also have the option of using an extended or a standard ACL. Again, I will keep this simple: if you want more flexibility to block only certain protocols, or even access to only a portion of a subnet, then you should look into extended ACLs; for this exercise we will only be permitting source IP addresses (all protocols) using a standard ACL.

Note: these ACLs are considered RACLs and are only applied if IP routing is enabled on the switch (Layer 3). If this is just a Layer 2 switch then you may want to try a VACL instead. I will probably post information on VLAN ACLs later, but a VACL controls all traffic entering the switch from a particular VLAN. So with that said, I’m assuming you will be using a Layer 3 enabled switch for this exercise.

Here is the ACL I will create for access to the Out Of Band (OOB) management interfaces on my devices:

ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
   10 remark "NPM System"
   11 permit host 192.168.13.64
   20 remark "IT Department"
   21 permit 192.168.82.0 0.0.0.255
   30 remark "Management Workstation"
   31 permit host 192.168.12.54

Now the “out” part means the ACL is applied as the packet leaves out a port on the switch. This can mean a number of things, but again it is important to keep it simple, so for now just focus on the primary goal of only allowing authorized subnets access to management devices.

Applying it to your VLAN is simple:

vlan 6 ip access-group OOB-Access-out out

Observe that I used “out” instead of “in”. In our next example I will use an “in” ACL so that I block unauthorised traffic and avoid multinetting my VLAN.

ip access-list standard "OOB-Access-in"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255

Applying it to the VLAN is the same, but remember the “in” instead of the “out”:

vlan 6 ip access-group OOB-Access-in in

The above standard ACL should only allow devices configured with an IP address in 192.168.0.0/24 to access this VLAN. You may need to modify this a bit to allow other traffic, but with a little testing this could protect your network from, for example, someone plugging a cable for one network into a jack on another network with a different VLAN, causing all sorts of strange traffic such as a DHCP server handing out the wrong IP addresses.

There is a lot more you can do with ACLs, and extended ACLs offer much more, but I would recommend getting used to how standard ACLs work first, then moving on to extended ACLs.
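To see exactly what the two standard ACLs above permit and, just as importantly, what the implicit deny at the end swallows, here is an added example (my own illustration, not HP’s or the post’s code) that parses the ACL text as written, applies ProCurve wildcard-mask semantics, and evaluates sample source addresses against it. The ACL text is copied from the post; the addresses tested are constructed.

```python
import ipaddress

# Standard ACL text as it appears in the post (sequence numbers and remarks included)
OOB_ACCESS_OUT = """
ip access-list standard "OOB-Access-out"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
   10 remark "NPM System"
   11 permit host 192.168.13.64
   20 remark "IT Department"
   21 permit 192.168.82.0 0.0.0.255
   30 remark "Management Workstation"
   31 permit host 192.168.12.54
"""
OOB_ACCESS_IN = """
ip access-list standard "OOB-Access-in"
   1 remark "OOB subnet"
   2 permit 192.168.0.0 0.0.0.255
"""

def parse_standard_acl(text):
    """Return (seq, action, network) entries in sequence order; remarks are skipped.
    Assumes contiguous wildcard masks, which is all the post uses."""
    entries = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts or not parts[0].isdigit():
            continue                                  # header line, not an ACE
        seq, action = int(parts[0]), parts[1]
        if action == "remark":
            continue
        if parts[2] == "host":
            net = ipaddress.ip_network(parts[3] + "/32")
        else:
            # A wildcard mask is the inverse of a netmask: 0 bits must match,
            # 1 bits are "don't care". Invert it and let ipaddress do the rest.
            wildcard = int(ipaddress.IPv4Address(parts[3]))
            netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
            net = ipaddress.ip_network(f"{parts[2]}/{netmask}", strict=False)
        entries.append((seq, action, net))
    return sorted(entries, key=lambda e: e[0])

def evaluate(acl, src_ip):
    """First matching entry wins; a source that matches nothing hits the
    implicit deny at the end of every ACL (which is why the post lists only permits)."""
    ip = ipaddress.ip_address(src_ip)
    for seq, action, net in acl:
        if ip in net:
            return action, seq
    return "deny", None
```

A standard ACL looks at the source address only, so a host one address past the permitted NPM system (192.168.13.65 in the test) is denied, and a DHCP server on a foreign subnet plugged into VLAN 6 never matches OOB-Access-in.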

Windows Filtering Platform Audit Noise

Did you know that Windows Server 2008 and 2008 R2, as well as Vista, can pump out just as many audit logs as your standard hardware firewall? I can understand some audit trails for file access and user account changes, but logging every single TCP and UDP connection is a little over the top, considering Windows is already logging this in the firewall log. If you’re tracking down a security issue on your network and you have a SIM trying to correlate all these logs, then most of these additional logs are just noise.

There are a couple of ways of dealing with this little issue: one machine at a time, or via GPO. For me the Group Policy option is a must, as I don’t have time to go through every server and every workstation that might have these audit logs turned on. The main one I want to focus on is called “Audit Filtering Platform Connection”.

After much searching on the internet I found a pretty good blog that pointed me in the right direction:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access. Then double-click “Audit Filtering Platform Connection” and check only the box next to “Configure the following audit events.” DO NOT CLICK THE OTHER TWO BOXES. Repeat for “Audit Filtering Platform Packet Drop”.

For the one system solution use these command line options:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

References:
http://msdn.microsoft.com/en-us/library/bb309058(VS.85).aspx
http://actualreverend.blogspot.com/2010/11/windows-auditing-can-be-annoying-shut.html

Testing Branch Network Bandwidth

Now, it is easy to run a speed test against your internet connection, but what if you want to test the speed between two branch offices?

The solution is iPerf.exe, a simple command-line tool you can set up on your Windows servers to run speed tests and ensure you are getting what you’re paying for from your provider.

You can download the current version here:
https://publishing.ucf.edu/sites/itr/cst/Pages/IPerf.aspx

On the server run:
iperf.exe -s

On the Client run:
iperf.exe -c x.x.x.x

Where x.x.x.x is the IP address of your server. Check out the link above for more information and sample output. I’m planning to add a custom action to my Lansweeper deployment when I get a chance to think it through, but command-line tools like these make for great custom scripts and actions for other plugins.

Cloud Computing – What does it mean?

“The Cloud” is a term that has been thrown around a lot in the past few years. Some people misunderstand what this means, and at times it is just a catch phrase that some IT professionals use because it looks good on paper. I hope to clarify the general idea here in simple terms, and give a few good examples of cloud computing you may have been using all along.

For the most part, cloud computing is a hosted service of some sort, or even software as a service. Basically you don’t have to manage the hardware that is hosting your application. Sometimes this means huge savings in administration costs. This sounds too easy, right? You probably thought there was more magic to it than that, didn’t you? Well, for the average user it is business as usual, but on the back end it usually involves much more to support.

Goals of Cloud Computing:
* Reliability
* Simple and Automated
* Access from anywhere
* Ability to collaborate
* Not hardware dependent (Meaning that it probably runs on a hypervisor)

To achieve these goals, the next catch phrase that is used is “virtualization”: virtual networks, virtual storage, virtual servers, even virtual switches. Virtual IT technology has enabled us to do more by adding layers called hypervisors between our applications and servers and the hardware, allowing us to use hardware more efficiently. Instead of a one-to-one ratio we now run 4, 5, 6, and even 10 or more servers on a single physical host, which is usually clustered together with several other hosts that allow migration of applications between hosts to balance the load.

Vendors such as NetApp and EMC have done what VMware did with virtual servers and applied it to centralized storage. This allows us to do things with our data and storage growth we would have never thought possible a few years ago.

These technologies can be used to create both public and private clouds, and many times it is a mixture.

Ok, now you’re asking “What do I use today that is probably in the cloud?”

The list is huge here, because technically speaking the cloud is really not a new thing, but rather a new way of thinking about internet technology. For example, Google and Amazon are a couple of the most well known providers of public cloud interfaces for many services such as e-commerce, e-mail, office software, file storage, Voice over IP, spam filtering, anti-virus, web content filtering, accounting software, project management, social networking, and on and on.

So what can be on the cloud you ask? Well pretty much everything, and even Microsoft is trying to get in on the action with enterprise services such as Office 365.

How secure is the cloud? Well that depends, and I could go on and on about network security. My suggestion is to do your homework and read the privacy policies for where your service is hosted. Make sure that compliance needs are met and that vendors are held accountable for their security measures should they fail. Pretty much all the same rules apply as always.

In short, clouds are nothing new, other than the technologies that support them on the back end. They allow you to have access from anywhere (Mac, PC, smartphone).

Resizing NetApp SnapMirror Target Volumes

Now, I found that there are many ways to do this, and for the most part it can get pretty complicated. Here is a simple and effective way to ensure that your target volume is large enough for your source volume to SnapMirror to.

The basic size requirement for SnapMirror is that the target volume is equal to or greater than the source volume. So if you are planning on growing that volume in the future and you already have plenty of space in the aggregate, then you could just increase it to whatever you want, as long as it is equal to or greater than the source volume.

Here is the command you will want to run on the source to make sure you understand the size of the source volume:

FILERSOURCE1> vol size volumename

This should return the size of your volume.

Next you will want to do the same on the target volume, so you will know the minimum size you will need:

FILERTARGET1> vol size volumename

Now you will need to break the SnapMirror relationship:

FILERTARGET1> snapmirror break volumename

Then turn off fs_size_fixed:

FILERTARGET1> vol options volumename fs_size_fixed off

Here is the command to resize the volume. Note: the +25g is how much you want to add to the volume, not its new total size.

FILERTARGET1> vol size volumename +25g

Turn fs_size_fixed back on:

FILERTARGET1> vol options volumename fs_size_fixed on

Resync the SnapMirror relationship:

FILERTARGET1> snapmirror resync FILERSOURCE1:volumename FILERTARGET1:volumename

For resizing the source volume you can disregard the SnapMirror commands, but otherwise it is pretty much the same. I would recommend you increase the size of the SnapMirror target before you increase the size of your source; your event log will thank me.