Nexus C9372PX NX-OS Upgrade

Recently upgraded a pair of C9372PX switches with the following commands:

1. Copy new .bin file over to switch
   copy scp://username@scpserverIPaddress//n9000-dk9.7.0.3.I1.2.bin bootflash:n9000-dk9.7.0.3.I1.2.bin
2. Show the impact of installing the new version
   show install all impact nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
3. Install the new version
   install all nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
4. After you run the install, it will do the impact evaluation again and ask you to confirm installation
5. Install took less than 5 minutes and then rebooted

The official Cisco install guide can be found HERE

Optimize Ruckus Configuration

I came across a good post here: https://forums.ruckuswireless.com/ruckuswireless/topics/best_practice_optimization_by_cli_for_zone_director that goes over some CLI configuration changes to optimize your Ruckus setup.  Personally, I changed the bss-minrate and have seen better roaming behavior:

1. SSH into your ZoneDirector
2. Verify your current WLAN settings with > show wlan name “wlan name”
3. Enter config mode with > config
4. Enter WLAN configuration wtih # wlan “wlan name”
5. Change the bss-minrate with # bss-minrate 5.5
6. Then exit and the changes are saved

Palo Alto GlobalProtect VPN Users

Two quick commands to see who is currently logged in, and who logged in previously:

>show global-protect-gateway current-user

>show global-protect-gateway previous-user

You can also specify the username with each command to see specific results.

If want want to force a user logout (from my testing, the user will not see a notification they have been logged out):

>request global-protect-gateway client-logout domain yourdomain reason force-logout computer computername gateway gatewayname user username

Ruckus DHCP Filtering/Manipulation

By default, when a client connects to a Ruckus AP and sends a DHCP request, the DHCP request is converted to unicast, and once provided, additional DHCP requests seem to be ignored.  This normally works great, and significantly reduces broadcast traffic on your wireless network.  The only time this has proved to be an issue is if you have multiple virtual machines running on your laptop whose network adapters are bridged to your wireless nic.  Your laptop will get an IP address successfully, but your VM’s will not.

To solve this, you can either assign static IP’s to your virtual machines, or disable the Ruckus “Directed DHCP” feature on the AP.

To disable it per AP, SSH into the AP, and run this command:

#set qos directedDHCP disable

Use the “get qos” command to verify the command applied successfully.  If you want to apply this to all AP’s in your environment, SSH into the Zone Director and run:

#remote_ap_cli -A set qos directedDHCP disable

Linux Packet Capture

If you need to debug traffic going to a linux server or appliance, you can use tcpdump to generate a pcap file you can analyze in wireshark.

For example, ssh into the server, and use the following command:

tcpdump -s0 port 80 and host 192.168.1.10 -wDebugTraffic.pcap

This will capture all traffic coming into port 80 from host 192.168.1.10 and saved as file DebugTraffic.pcap

You can then use an ftp program (like WinSCP) to grab the file and analyze it in wireshark.

Here is a great resource for tcpdump commands: http://packetlife.net/media/library/12/tcpdump.pdf

Cisco vs HP vs Dell CLI – VLAN Configuration

This post continues my series on the differences between these three manufacturers and how they implement L2 and L3 VLANs.

Scenario 1: Create a Layer 2 VLAN

Cisco:
vlan 10

HP:
vlan 10

Dell:
vlan database
vlan 10

Scenario 2: Create a Layer 3 VLAN (that’s routable)

Cisco:
interface vlan 10
ip address 192.168.1.1 255.255.255.0

HP:
vlan 10
ip address 192.168.1.1 255.255.255.0

Dell:
interface vlan 10
ip address 192.168.1.1 255.255.255.0
routing

The biggest difference between all three manufacturers is that HP does not implement a separate VLAN interface for L3 configuration.  Cisco and Dell both require you to go into interface vlan mode before configuring L3 information (IP addressing).  Dell also requires the routing keyword to actually route that VLAN.

**All three manufacturers do require you to input the command IP Routing if you want the switch to route packets**

Cisco vs HP vs Dell CLI – Interface Configuration

After working with all three switch manufacturers in a short period of time, I figured I would do a quick post on how each chooses how to implement VLANs at the interface level.

Scenario 1: Switchport needs to be part of a single native VLAN (VLAN 10)

Cisco:
interface GigabitEthernet1/1
switchport mode access
switchport access vlan 10

HP:
vlan 10
untag 1

Dell:
interface ethernet 1/g1
switchport mode access
switchport access vlan 10

Scenario 2: Switchport needs to be part of a single native VLAN (VLAN 10) and multiple tagged VLANS (VLAN 20,30)

Cisco:
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30 (not necessary, but added for security)

HP:
vlan 10
untag 1
vlan 20
tagged 1
vlan 30
tagged 1

Dell:
interface ethernet 1/g1
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport general allowed vlan add 20,30 tagged
switchport general allowed vlan remove 1

Obviously the Dell configuration looks a bit convoluted here, but they do require you to manually remove VLAN 1 even though you have specified a different PVID.

HP ProCurve Switch Configuration

After working with ProCurve switches for a while, I figured I would post my general configuration for others to use as a template.  This configuration will be a simple setup with 2 VLANS, if you have any questions, feel free to ask.

hostname HP-Procurve-Core

time timezone -480
time daylight-time-rule Continental-US-and-Canada
sntp server priority 1 69.25.96.13
timesync sntp
sntp unicast

qos type-of-service diff-services

spanning-tree
spanning-tree 1-24 bpdu-protection (do not apply this to ports connected to switches)
spanning-tree bpdu-protection-timeout 300

ip routing
ip route 0.0.0.0/0 10.0.0.254

vlan 1 name Data
vlan 1 ip address 10.0.0.1/24
vlan 1 untag 1-22, 23-24

vlan 10 name Voice
vlan 10 ip address 10.0.10.1/24
vlan 10 voice
vlan 10 tag 1-20
vlan 10 untag 21-22
vlan 10 ip helper-address 10.0.0.110

password manager username hpadmin plaintext hpadminpassword

802.1X Wireless Authentication in a Windows Environment

Recently came across an issue where users in an 802.1x wireless environment were logging into their laptops, and the AD logon script would run before they had wireless network connectivity.  This was a problem since their network drives would not map.

While the users blamed the wireless network, the problem is actually resolved in AD Group Policy by specifying the order of operations for wireless authentication/user logon/domain logon.  Technet has a great article on how to resolve this issue:  http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

QoS DSCP/ToS Values

DSCP Class	DSCP (bin)	DSCP (dec)	ToS (dec)	ToS (bin)	ToS Prec. (bin)	ToS Prec. (dec)
none	000000	0	0	00000000	000	0
cs1	001000	8	32	00100000	001	1
af11	001010	10	40	00101000	001	1
af12	001100	12	48	00110000	001	1
af13	001110	14	56	00111000	001	1
cs2	010000	16	64	01000000	010	2
af21	010010	18	72	01001000	010	2
af22	010100	20	80	01010000	010	2
af23	010110	22	88	01011000	010	2
cs3	011000	24	96	01100000	011	3
af31	011010	26	104	01101000	011	3
af32	011100	28	112	01110000	011	3
af33	011110	30	120	01111000	011	3
cs4	100000	32	128	10000000	100	4
af41	100010	34	136	10001000	100	4
af42	100100	36	144	10010000	100	4
af43	100110	38	152	10011000	100	4
cs5	101000	40	160	10100000	101	5
ef	101110	46	184	10111000	101	5
cs6	110000	48	192	11000000	110	6
cs7	111000	56	224	11100000	111	7