Nexus C9372PX NX-OS Upgrade

Recently upgraded a pair of C9372PX switches with the following commands:

  1. Copy new .bin file over to switch
    copy scp://username@scpserverIPaddress//n9000-dk9.7.0.3.I1.2.bin bootflash:n9000-dk9.7.0.3.I1.2.bin
  2. Show the impact of installing the new version
    show install all impact nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  3. Install the new version
    install all nxos bootflash:n9000-dk9.7.0.3.I1.2.bin
  4. After you run the install, it will do the impact evaluation again and ask you to confirm installation
  5. Install took less than 5 minutes and then rebooted

The official Cisco install guide can be found HERE

Optimize Ruckus Configuration

I came across a good post here: that goes over some CLI configuration changes to optimize your Ruckus setup.  Personally, I changed the bss-minrate and have seen better roaming behavior:

  1. SSH into your ZoneDirector
  2. Verify your current WLAN settings with > show wlan name “wlan name”
  3. Enter config mode with > config
  4. Enter WLAN configuration wtih # wlan “wlan name”
  5. Change the bss-minrate with # bss-minrate 5.5
  6. Then exit and the changes are saved

Palo Alto GlobalProtect VPN Users

Two quick commands to see who is currently logged in, and who logged in previously:

>show global-protect-gateway current-user

>show global-protect-gateway previous-user

You can also specify the username with each command to see specific results.

If want want to force a user logout (from my testing, the user will not see a notification they have been logged out):

>request global-protect-gateway client-logout domain yourdomain reason force-logout computer computername gateway gatewayname user username

Ruckus DHCP Filtering/Manipulation

By default, when a client connects to a Ruckus AP and sends a DHCP request, the DHCP request is converted to unicast, and once provided, additional DHCP requests seem to be ignored.  This normally works great, and significantly reduces broadcast traffic on your wireless network.  The only time this has proved to be an issue is if you have multiple virtual machines running on your laptop whose network adapters are bridged to your wireless nic.  Your laptop will get an IP address successfully, but your VM’s will not.

To solve this, you can either assign static IP’s to your virtual machines, or disable the Ruckus “Directed DHCP” feature on the AP.

To disable it per AP, SSH into the AP, and run this command:

#set qos directedDHCP disable

Use the “get qos” command to verify the command applied successfully.  If you want to apply this to all AP’s in your environment, SSH into the Zone Director and run:

#remote_ap_cli -A set qos directedDHCP disable

Linux Packet Capture

If you need to debug traffic going to a linux server or appliance, you can use tcpdump to generate a pcap file you can analyze in wireshark.

For example, ssh into the server, and use the following command:

tcpdump -s0 port 80 and host -wDebugTraffic.pcap

This will capture all traffic coming into port 80 from host and saved as file DebugTraffic.pcap

You can then use an ftp program (like WinSCP) to grab the file and analyze it in wireshark.

Here is a great resource for tcpdump commands:

Cisco vs HP vs Dell CLI – VLAN Configuration

This post continues my series on the differences between these three manufacturers and how they implement L2 and L3 VLANs.

Scenario 1: Create a Layer 2 VLAN

vlan 10

vlan 10

vlan database
vlan 10

Scenario 2: Create a Layer 3 VLAN (that’s routable)

interface vlan 10
ip address

vlan 10
ip address

interface vlan 10
ip address

The biggest difference between all three manufacturers is that HP does not implement a separate VLAN interface for L3 configuration.  Cisco and Dell both require you to go into interface vlan mode before configuring L3 information (IP addressing).  Dell also requires the routing keyword to actually route that VLAN.

**All three manufacturers do require you to input the command IP Routing if you want the switch to route packets**

Cisco vs HP vs Dell CLI – Interface Configuration

After working with all three switch manufacturers in a short period of time, I figured I would do a quick post on how each chooses how to implement VLANs at the interface level.

Scenario 1: Switchport needs to be part of a single native VLAN (VLAN 10)

interface GigabitEthernet1/1
switchport mode access
switchport access vlan 10

vlan 10
untag 1

interface ethernet 1/g1
switchport mode access
switchport access vlan 10

Scenario 2: Switchport needs to be part of a single native VLAN (VLAN 10) and multiple tagged VLANS (VLAN 20,30)

interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30 (not necessary, but added for security)

vlan 10
untag 1
vlan 20
tagged 1
vlan 30
tagged 1

interface ethernet 1/g1
switchport mode general
switchport general pvid 10
switchport general allowed vlan add 10
switchport general allowed vlan add 20,30 tagged
switchport general allowed vlan remove 1

Obviously the Dell configuration looks a bit convoluted here, but they do require you to manually remove VLAN 1 even though you have specified a different PVID.

HP ProCurve Switch Configuration

After working with ProCurve switches for a while, I figured I would post my general configuration for others to use as a template.  This configuration will be a simple setup with 2 VLANS, if you have any questions, feel free to ask.

hostname HP-Procurve-Core

time timezone -480
time daylight-time-rule Continental-US-and-Canada
sntp server priority 1
timesync sntp
sntp unicast

qos type-of-service diff-services

spanning-tree 1-24 bpdu-protection (do not apply this to ports connected to switches)
spanning-tree bpdu-protection-timeout 300

ip routing
ip route

vlan 1 name Data
vlan 1 ip address
vlan 1 untag 1-22, 23-24

vlan 10 name Voice
vlan 10 ip address
vlan 10 voice
vlan 10 tag 1-20
vlan 10 untag 21-22
vlan 10 ip helper-address

password manager username hpadmin plaintext hpadminpassword

802.1X Wireless Authentication in a Windows Environment

Recently came across an issue where users in an 802.1x wireless environment were logging into their laptops, and the AD logon script would run before they had wireless network connectivity.  This was a problem since their network drives would not map.

While the users blamed the wireless network, the problem is actually resolved in AD Group Policy by specifying the order of operations for wireless authentication/user logon/domain logon.  Technet has a great article on how to resolve this issue:

QoS DSCP/ToS Values

DSCP Class DSCP (bin) DSCP (dec) ToS (dec) ToS (bin) ToS Prec. (bin) ToS Prec. (dec)
none 000000 0 0 00000000 000 0
cs1 001000 8 32 00100000 001 1
af11 001010 10 40 00101000 001 1
af12 001100 12 48 00110000 001 1
af13 001110 14 56 00111000 001 1
cs2 010000 16 64 01000000 010 2
af21 010010 18 72 01001000 010 2
af22 010100 20 80 01010000 010 2
af23 010110 22 88 01011000 010 2
cs3 011000 24 96 01100000 011 3
af31 011010 26 104 01101000 011 3
af32 011100 28 112 01110000 011 3
af33 011110 30 120 01111000 011 3
cs4 100000 32 128 10000000 100 4
af41 100010 34 136 10001000 100 4
af42 100100 36 144 10010000 100 4
af43 100110 38 152 10011000 100 4
cs5 101000 40 160 10100000 101 5
ef 101110 46 184 10111000 101 5
cs6 110000 48 192 11000000 110 6
cs7 111000 56 224 11100000 111 7