Cisco ASA 5505

[Image: ASA 5505, front]

I was recently asked by a friend to help out with a config for a Cisco ASA 5505. An additional network and VLAN had been added on the ASA 5505 and we needed AnyConnect VPN users to be able to access devices on that new network. I'm used to working with Check Point firewalls, but most firewalls function in a similar fashion. I first logged onto the ASA using the ASDM GUI. I checked the firewall rules and access looked to be permitted between the VPN network and the new network. I was a little stumped because it seemed that I needed a little more than just a firewall rule to allow both networks to communicate. I then consoled into the ASA and looked at the routing table. All looked good there. The ASA management interface was able to communicate with devices on both networks, so something else was missing. I then looked at the log files in the ASDM GUI and was receiving the following message when trying to RDP into a server after connecting to the VPN:

Asymmetric NAT rules matched for forward and reverse denied due to NAT reverse path failure. An attempt to connect to a mapped host using its actual address was rejected.

I searched Cisco's site for a solution and found a few vague possible solutions. I then pinged network guru Shane to see if he could point me in the right direction. He hinted that I might have needed a "no nat statement". Bingo, that worked. Here's the command that I needed (pre-8.3 NAT syntax; vlan1 is the nameif of the internal interface):

nat (vlan1) 0 access-list vlan1_nat0_outbound

In the ASDM GUI, it's called a NAT exempt statement. The access list names the traffic from the new internal network to the VPN client network, and nat 0 makes sure that traffic is not translated on its way out, so the reverse flow from the VPN client matches the same untranslated path and the reverse path check passes.
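The same fix in a checkable form, as an added example that is not from the original post: a small Python script that pulls the rejected source/destination pairs out of ASA syslog 305013 lines (the syslog ID behind the ASDM text quoted above), de-duplicates them, and renders the pre-8.3 NAT exemption in the same nat (vlan1) 0 access-list form the post uses. It also renders the 8.3+ twice-NAT equivalent, which goes beyond what the post shows. The interface names (vlan1, outside), the subnets, the object names NEW_NET/VPN_POOL and the sample log lines are all constructed for this example.

```python
"""Added example (not from the original post): detect ASA NAT reverse-path
failures in syslog and render the NAT exemption that resolves them.

Assumptions (constructed for this example): interface names vlan1/outside,
subnets 10.10.20.0/24 (new internal network) and 192.168.50.0/24 (AnyConnect
pool), object names NEW_NET/VPN_POOL, and the sample log lines below."""
import ipaddress
import re

# Syslog ID 305013 is the message behind the ASDM text quoted in the post
# ("Asymmetric NAT rules matched ... denied due to NAT reverse path failure").
LINE_RE = re.compile(
    r"%ASA-\d-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/\d+ denied due to NAT reverse path failure"
)

# Constructed sample: one unrelated connection line plus three RPF failures
# for RDP (3389) and ICMP from VPN clients toward hosts on the new network.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/44512 (203.0.113.9/44512) to vlan1:10.10.20.5/443 (198.51.100.2/443)
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.50.10/52345 dst vlan1:10.10.20.5/3389 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.50.11/52346 dst vlan1:10.10.20.5/3389 denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.50.10/0 dst vlan1:10.10.20.9/0 denied due to NAT reverse path failure
"""

# Assumed subnet behind each interface; "outside" here means the VPN pool
# handed to AnyConnect clients that terminate on the outside interface.
NETWORKS = {
    "vlan1": ipaddress.ip_network("10.10.20.0/24"),
    "outside": ipaddress.ip_network("192.168.50.0/24"),
}


def parse_rpf_failures(log_text):
    """Return distinct (src_if, src_ip, dst_if, dst_ip) tuples from 305013 lines."""
    seen = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["src_if"], m["src"], m["dst_if"], m["dst"])
        if key not in seen:
            seen.append(key)
    return seen


def exemption_commands(failures, networks=NETWORKS, acl_name="vlan1_nat0_outbound"):
    """Pre-8.3 NAT exemption (nat 0) covering every failing interface pair.

    The ACL is written from the inside interface's point of view: inside
    subnet as source, VPN pool as destination, which is the direction the
    `nat (vlan1) 0 access-list ...` command evaluates.
    """
    inside_ifs = {dst_if for _, _, dst_if, _ in failures}
    if len(inside_ifs) != 1:
        raise ValueError("expected failures toward exactly one inside interface")
    (inside_if,) = inside_ifs
    pairs = {(networks[dst_if], networks[src_if]) for src_if, _, dst_if, _ in failures}
    cmds = [
        f"access-list {acl_name} extended permit ip "
        f"{inside.network_address} {inside.netmask} {pool.network_address} {pool.netmask}"
        for inside, pool in sorted(pairs, key=str)
    ]
    cmds.append(f"nat ({inside_if}) 0 access-list {acl_name}")
    return cmds


def exemption_commands_83(inside_if, outside_if, inside_net, pool,
                          inside_obj="NEW_NET", pool_obj="VPN_POOL"):
    """8.3+ equivalent: identity twice NAT so neither side is translated."""
    return [
        f"object network {inside_obj}",
        f" subnet {inside_net.network_address} {inside_net.netmask}",
        f"object network {pool_obj}",
        f" subnet {pool.network_address} {pool.netmask}",
        f"nat ({inside_if},{outside_if}) source static {inside_obj} {inside_obj} "
        f"destination static {pool_obj} {pool_obj} no-proxy-arp route-lookup",
    ]


if __name__ == "__main__":
    failures = parse_rpf_failures(SAMPLE_LOG)
    print("\n".join(exemption_commands(failures)))
    print("\n".join(exemption_commands_83("vlan1", "outside",
                                           NETWORKS["vlan1"], NETWORKS["outside"])))
```

Feeding the script a day of ASA syslog before adding the exemption tells you exactly which interface pairs are hitting the reverse path check, so the ACL covers only those networks instead of a blanket exemption.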

Since then, I opened my Safari Books Online account back up for $9.99 a month, which includes 5 book slots a month. The first thing I checked out was a Cisco Press ASA book. Safari Books is a great resource for low-cost e-learning. I highly recommend you give it a try. They don't really advertise the $9.99 subscription, but if you sign up for a free trial, you can still choose the $9.99 pricing. I'm not 100 percent sure if they are still offering this to new users, but it's worth checking out. As a network administrator, it's important to know the fundamentals. Don't get stuck in the "I only know Cisco or Juniper" mode. If you know the fundamentals, then learning a new syntax and a few different config parameters is not the end of the world. After all, you don't want to limit yourself by putting a vendor name in front of your title, i.e. Cisco Network Administrator or Brocade Network Administrator. Be (emphasis added) the "Network Administrator".


[Image: ASA 5505, back]

Extreme Networks EOS 802.3ad link aggregation

Since we saved some cash by purchasing more 2x2 3705i Enterasys Extreme Networks APs instead of 3x3 APs during our AP upgrades, we were able to purchase a few other items. We picked up three C5G Enterasys Extreme Networks 48-port PoE switches, GBICs, and a few other parts. The first thing I did after we deployed 96 APs in our dorm rooms was set up 802.3ad link aggregation, using my extra GBICs, from our current N3 chassis to our G3 series switch. Phase two will be to install another DFE blade in the N3 chassis and spread the link aggregation across two DFE blades.

On with the Enterasys Extreme Networks switch commands:

1.) Egress all the proper VLANs you want trunked across the additional physical port. We will be setting up a lag.0.x port, and at that point the physical port egress no longer matters, but if the LAG breaks down for some reason, then the physical port will still have the correct VLANs trunked. You could also ensure that the single port LAG command is set, but again I like to have the extra safety precautions in place.

Syntax: ->set vlan egress
Example: ->set vlan egress 20 ge.4.24

2.) Egress all the proper VLANs on the LAG port. Use the "show lacp" command to view the available LAGs and to make sure that LACP is globally enabled.

Syntax: ->set vlan egress
Example: ->set vlan egress 20 lag.0.1

3.) Create a unique LACP admin key to statically set which ports will be joined to the LAG.

Syntax: ->set lacp aadminkey
Example: ->set lacp aadminkey lag.0.1 20

4.) Set the same aadminkey on the physical port so it joins that LAG.

Example: ->set port lacp port ge.4.24 aadminkey 20

5.) Perform the same commands on the other switch that you will be connecting to. The aadminkey can be different on the other switch, but I like to try and use the same admin key on the opposite end if possible. Make sure you also have LACP enabled on the physical interfaces as well. Then verify the LAG came up:

->show port lacp port ge.4.24 status detail
[Image: IMG_20140109_143458643.jpg]
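Steps 1 through 5 above as one checkable whole, as an added example that is not from the original post: a Python script that models each end of the link as data, renders the EOS "set" commands in the order the post performs them, and lints the pair for the mistakes that keep a LAG from forming (port and LAG admin keys that do not match on the same switch, LACP left disabled on the member port) or that leave VLANs missing if the LAG falls back to the physical port (step 1's safety precaution). Switch labels, port names ge.4.24 and ge.1.48, lag.0.1, VLANs 20 and 30, and admin key 20 are constructed; the command forms are the ones quoted in the post, except "set port lacp port <port> enable", which is the EOS command assumed here for enabling LACP on the physical port in step 5.

```python
"""Added example (not from the original post): model the five EOS steps for
each end of an 802.3ad link, render the `set ...` commands in the post's
order, and lint the pair for the mistakes that keep the LAG from coming up
or leave it without VLANs if it falls back to the physical port.

Assumptions (constructed): switch labels, port names ge.4.24 / ge.1.48,
lag.0.1, VLANs 20 and 30, admin key 20. `set port lacp port <port> enable`
is the EOS command assumed for step 5."""
from dataclasses import dataclass


@dataclass
class LagEnd:
    name: str                 # switch label, e.g. "N3"
    phys_port: str            # physical member port (steps 1 and 4)
    lag_port: str             # logical LAG port (steps 2 and 3)
    phys_vlans: set           # VLANs egressed on the physical port (step 1)
    lag_vlans: set            # VLANs egressed on the LAG port (step 2)
    lag_key: int              # aadminkey on the LAG port (step 3)
    port_key: int             # aadminkey on the physical port (step 4)
    port_lacp_enabled: bool = True   # LACP enabled on the member port (step 5)


def eos_commands(end):
    """Render the EOS commands for one end in the order the post performs them."""
    cmds = [f"set vlan egress {v} {end.phys_port}" for v in sorted(end.phys_vlans)]
    cmds += [f"set vlan egress {v} {end.lag_port}" for v in sorted(end.lag_vlans)]
    cmds.append(f"set lacp aadminkey {end.lag_port} {end.lag_key}")
    cmds.append(f"set port lacp port {end.phys_port} aadminkey {end.port_key}")
    if end.port_lacp_enabled:
        cmds.append(f"set port lacp port {end.phys_port} enable")  # assumed syntax
    cmds.append(f"show port lacp port {end.phys_port} status detail")
    return cmds


def lint_pair(a, b):
    """Findings for both ends; an empty list means the pair is consistent.

    Keys only have to agree between the LAG and its member port on the same
    switch; the post notes the two switches may use different keys.
    """
    findings = []
    for end in (a, b):
        if end.port_key != end.lag_key:
            findings.append(
                f"{end.name}: {end.phys_port} aadminkey {end.port_key} != "
                f"{end.lag_port} aadminkey {end.lag_key}; port will not join the LAG")
        if not end.port_lacp_enabled:
            findings.append(f"{end.name}: LACP disabled on {end.phys_port}")
        missing = end.lag_vlans - end.phys_vlans
        if missing:
            findings.append(
                f"{end.name}: VLANs {sorted(missing)} egress on {end.lag_port} but not "
                f"{end.phys_port}; they are lost if the LAG falls back to the single port")
    if a.lag_vlans != b.lag_vlans:
        findings.append(
            f"{a.name}/{b.name}: LAG egress VLANs differ: "
            f"{sorted(a.lag_vlans)} vs {sorted(b.lag_vlans)}")
    return findings


# Constructed ends: the chassis side is complete; the other side skipped
# step 1 for VLAN 30, so that VLAN only survives while the LAG is up.
N3_END = LagEnd("N3", "ge.4.24", "lag.0.1", {20, 30}, {20, 30}, 20, 20)
C5_END = LagEnd("C5", "ge.1.48", "lag.0.1", {20}, {20, 30}, 20, 20)

if __name__ == "__main__":
    for end in (N3_END, C5_END):
        print(f"--- {end.name}")
        print("\n".join(eos_commands(end)))
    for finding in lint_pair(N3_END, C5_END):
        print("FINDING:", finding)
```

Running it prints both command sets and one finding for the C5 side, which is the kind of gap that only shows up months later when a member port drops and VLAN 30 goes dark across the link.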

Losing control

As server administrators continue migrating to virtualization, network admins lose control. I'm not talking about psychological control, but network resource and management control. Server admins probably feel a sense of freedom. They are probably saying, "Now I don't have to go and bother those pesky network admins to fire up a new server." This can decrease the provisioning time, but it can also cause a very adverse side effect. See, I'm a network administrator and I work with networks all day long. From time to time I dabble in ESX and I also manage and maintain a few Linux and Windows servers. However, I'm by no means up to the task of daily server administration. I'm sure I can learn how to administer AD, mail, file shares, and print servers, but that's not what I do on a daily basis. The same holds true for a server admin. I'm not saying they can't figure out networking or do the basics; they just don't do networking every day.

What that means is that from time to time you end up with virtual switches not configured or optimized properly. Firewall rules are bypassed by server admins with ease. QoS settings are not configured properly. You get the point. You thought the BYOD network was bad; well, the wild, wild West has just infiltrated your server network infrastructure as well. You now have BYOS (bring your own server). How secure are those prebuilt OVAs? Who really knows?

With all these thoughts and ideas in mind, what are the available options? I have currently been researching how we can regain control within these VM environments. Our current vendor Enterasys, now Extreme Networks, provides a method to MAC-authenticate every device seen on the switch port or LAG that fronts a VM environment. This allows identification of VMs with their NAC solution. The Enterasys Extreme Networks switch can then apply dynamic policies to each frame coming across the switch port or LAG. The default number of policies we can apply at one time is 8 on their S-Series switch; we would need a license to do 128 per port. Now maybe this is not the best strategy, but it's one that I know of that can help. You can then create a default policy which blocks whatever you want based on rules up to L4. The server admin would then have to reach out to those good old network admins for correct policy enforcement. Enterasys even has a Data Center Manager ESX plugin that can be used to ease management. Now I don't believe that this is the best solution for all environments, as it has downsides as well. MAC spoofing is one that comes to mind, and this setup doesn't come without cost.

Therefore, the next solution I'm looking into is Open vSwitch. This would act as a front-end add-on piece in ESX as I understand it. Other hypervisors already use Open vSwitch. Using OpenFlow to control traffic QoS/policy could be another avenue to maintain network harmony. I will continue my research and will post my findings...

Extreme Networks acquires Enterasys – Comparison

The Acquisition

It's official: Extreme Networks has acquired Enterasys Networks. We have lots of Enterasys gear, so we were highly interested to know the path that would be taken after the acquisition. At first, I couldn't help thinking the acquisition was a play for Enterasys patents. However, that's just pure speculation. We were informed by product management that all existing products would continue to follow the current end-of-support and end-of-life cycle, so that's good news.

Overall, I think that the acquisition will be pretty positive. The current Extreme Networks profile was missing things that Enterasys offered, such as their highly customizable L2-L4 policy and NAC integration. Extreme also appears to OEM Motorola wireless gear, whereas Enterasys has its own wireless portfolio.

The biggest plus will be the extension of the switching/routing lineup. Enterasys had a small gap in their WAN solution. We discovered this when we were looking for a lower port density 1-10G BGP/OSPF-capable WAN router. Extreme Networks fills that gap, and I'm sure there are many more complementary products that I haven't mentioned.

Extreme Networks overview

The Summit X460 series would have fit the ticket as the smaller device we were looking for when we were planning to replace our old Juniper M7i tank. However, we ended up purchasing a few Brocade ICX 6610s. This was a few months back, before we heard of the acquisition.

Here's the lineup of what the current offering looks like from a few vendors that would have met our requirements at that time:

Vendor                    Extreme Summit X460          Brocade ICX 6610          Enterasys SSA
10/100/1000BASE-T ports   24 or 48                     24 or 48                  48
Max 10G                   2, 4 or 6 total (modules)    8 total (lic to unlock)   4
40G                       2 (Summit stacking module)   4 (stacking only)         n/a
Form factor               Fixed/1RU                    Fixed/1RU                 Fixed/1RU
Stacking support          yes                          yes                       yes
Redundant power           yes/hot swap                 yes/hot swap              yes/hot swap
Routing - BGP4            yes (lic to unlock)          yes (lic to unlock)       yes (lic to unlock)

Each vendor may have more of a product lineup; for instance, Enterasys does have a 1-slot chassis S-Series that can provide more options. However, we were trying to keep costs down, and the move up to the 1-slot chassis increases costs. There are other vendors out there such as Juniper, HP, and Dell as well. Each has its ups and downs. The Enterasys SSA is built with custom ASICs, while some other vendors typically carry the Broadcom chipset. Switching capacity was left out because each vendor's spec sheet may not compare equally. You can find more details with the links provided below:

http://www.enterasys.com/company/literature/s-ds.pdf

http://www.brocade.com/products/all/switches/product-details/icx-6610-switch/specifications.page

http://www.extremenetworks.com/libraries/products/MSComparisonChart_1636.pdf

Brocade ICX 6610 – enabling ssh and a few other things…Part 2

It seems that this is one of the more popular posts, so I've compiled some more useful commands that can be used on the Brocade ICX 6610. You can view my original Brocade ICX 6610 post here.

Here are a few pictures of an ICX multilayer switch. The 24-port version, ICX 6610-24, has 8 SFP+ and 24 10/100/1000 ports in the front. You also have an out-of-band Ethernet port and your serial port in the front as well. In order to use some of the advanced features, you will need to purchase and apply additional licenses.
[Image: brocade-icx-6610-front.jpg]

In the rear of the 6610 series, you have 4 40Gbps stacking ports. You also have 2 power supply slots and 2 fan slots. They are redundant and hot-swappable. Depending on which power/fan option you buy, you can reverse the airflow.
[Image: brocade-icx-6610-rear.jpg]

Now back to the good stuff.

Use the following command to run a cable test (TDR) from the Brocade ICX 6610:
phy cable-diag tdr 1/1/1

Then run the following command to see the results of your test:
show cable-diag tdr 1/1/1

The next set of commands will allow you to run optical diagnostics on your fiber mini-GBICs.
Note: You must be using Brocade optics or optics that are Brocade-compatible to run the optical diagnostics commands.

First, run the following command in config mode to enable optical monitoring:
(config)# optical-monitor

Then run the next command with the proper port number:
show optic stackid/slot/port

Show port counters:
show statistics ethernet stackid/slot/port

Show additional stats, such as packets queued or dropped:
show interface ethernet stackid/slot/port

Extreme Networks Oneview/NAC

I have finally made it back for another blog entry. I have been pretty busy at work getting ready for the start of the new semester. A few projects that I have been working on include wireless upgrades, multipath BGP, adding a third core, and spending time on documentation. We are an Enterasys shop, now Extreme Networks. I know, I know, some of you are thinking, who's Enterasys? Well, we have been running their switching, routing, and wireless gear for quite some time now. I remember having equipment that still had the Cabletron label. Enterasys, now Extreme Networks, does some pretty cool stuff, so I would recommend that you check them out, especially if you're into all-in-one tools to help assist you.

I figured I would give you a taste of what Extreme Networks OneView has to offer. We just upgraded to version 5, and a lot of cool wireless features have been added. Check it out.

[Image: OneView screenshot]

The OneView web portal ties in the Extreme Networks EAC (Extreme Access Control) stats piece as well. As soon as we get NetFlow going, we will be able to tie user and NetFlow data together. Just to give you a little background on Extreme Networks NAC: we can basically apply up-to-L4 dynamic policy on any of our Extreme Networks edge switching and wireless devices. You can use 802.1X, MAC authentication, or even web registration. If you tie back into AD or LDAP, you can assign different policies based on group membership. You can even fire up the Extreme Networks NAC agent on machines and make sure everyone is up to date on Windows updates, anti-virus, or any other service you want to check up on. If they are not compliant, you can just report on that, or you can deny traffic altogether. It's up to you.

[Image: NAC screenshot]

Brocade, Enterasys, Juniper Brainstorm Lab Gen up

Brainstorming is something that you should do quite often. Find a whiteboard and start drawing. Even a piece of paper will do. Get others involved in your brainstorm. Developing new services or improving upon existing services will greatly benefit from this. We can't be content with the "if it's not broken, then don't fix it" mentality.

With that said, here's a diagram that came from a brainstorm/whiteboard session. This came out of my lab gen to replace our aging Juniper M7i with some Brocade ICX 6610s. There's an old-school Enterasys DFE in there as well that simulated our building distribution router.

[Image: WAN lab diagram]


@jhazesnooty


Brocade ICX 6610 – enabling ssh and a few other things…

After an exhaustive search for a WAN switch, we finally made up our minds to go with the Brocade ICX series. We are primarily an Enterasys Extreme Networks shop, but we are on a budget, like most other public education institutions. In my experience, I have seen many shops stick to what they know, cough, cough, Cisco, but is that always going to be the best price/solution? The Brocade command line is very similar to Cisco's, so for you peeps out there looking for an alternative to Cisco, take a look at the Brocade ICX lineup.

Now on to the good stuff. I've listed a few pointers to get SSH properly set up on an ICX 6610. You can also view more ICX 6610 commands in my Brocade ICX 6610 part 2 article.

//Generating the host key is what enables the SSH server on the ICX 6610
(config)#crypto key generate dsa
//We can then set up a local account to use for SSH, but we first want to mask passwords so the secret is not echoed
(config)#enable user password-masking
//With masking on, the switch prompts for the password instead of taking it on the command line
(config)#username yourusername password
//The next command makes the Brocade use the local user database for SSH login
(config)#aaa authentication login default local
//We can then further secure things by restricting which IPs are allowed to SSH in
(config)#ip ssh client yourclientip
//Here is how we disable SSH: deleting the host key shuts the server down
(config)#crypto key zeroize dsa

Thanks,

@jhazesnooty
