Thursday, November 28, 2013

DHCP Snooping for Procurve and Comware

Intro 

DHCP snooping helps prevent the denial of service that results when an unauthorized user attaches a DHCP server to the network and hands out bogus configuration (addresses, default gateway, DNS servers) to other clients. Because a rogue server can also name itself as the clients' gateway or DNS server, the same control blocks a common man-in-the-middle technique. The switch distinguishes trusted ports (those leading to a legitimate DHCP server or to another switch) from untrusted ports that connect end users. DHCP packets arriving on trusted ports are forwarded without inspection; DHCP packets arriving on untrusted ports are inspected first, and server messages or otherwise invalid packets from untrusted sources are dropped.

Condition for dropping a packet                                              Message types
---------------------------------------------------------------------------  ----------------------------
A DHCP server message received on an untrusted port                          DHCPOFFER, DHCPACK, DHCPNACK

The switch is configured with a list of authorized DHCP server addresses,    DHCPOFFER, DHCPACK, DHCPNACK
and a server message arrives on a trusted port with a source IP address
that is not in that list

Unless the check is disabled: a DHCP packet received on an untrusted port    N/A
whose client hardware address (chaddr) field does not match the packet's
source MAC address

Unless the check is disabled: a DHCP packet carrying relay-agent             N/A
information (option 82) received on an untrusted port

A broadcast release or decline whose MAC address is in the DHCP binding      DHCPRELEASE, DHCPDECLINE
database, but which arrives on a port different from the port recorded
in that binding
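The rules in the table, as an added example in Python (not code from this page or from HP): a small model of the snooping decision that uses the reason strings the switch itself prints in "show dhcp-snooping stats". The binding database is simplified to client MAC to port, learned when a DHCPACK is forwarded for a client seen on an untrusted port, and the packet sequence in run_demo is constructed: one normal lease followed by each attack the table is meant to stop.

```python
"""Model of the DHCP snooping drop rules in the table above (added example, not HP code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Messages only a server sends. The table writes DHCPNACK; RFC 2131 calls it DHCPNAK.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNACK", "DHCPNAK"}
RELEASE_MESSAGES = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass
class DhcpPacket:                 # only the fields the snooping checks look at
    msg_type: str
    port: str                     # ingress switch port
    src_mac: str                  # Ethernet source address
    chaddr: str                   # DHCP client hardware address field
    src_ip: str = "0.0.0.0"
    has_option82: bool = False


@dataclass
class SnoopingConfig:
    trusted_ports: Set[str]
    authorized_servers: Set[str] = field(default_factory=set)  # empty = no server list configured
    verify_mac: bool = True
    drop_untrusted_option82: bool = True


@dataclass
class Snooper:
    cfg: SnoopingConfig
    pending: Dict[str, str] = field(default_factory=dict)   # chaddr -> port, client seen, no lease yet
    bindings: Dict[str, str] = field(default_factory=dict)  # chaddr -> port, lease confirmed by DHCPACK
    stats: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def _count(self, kind: str, action: str, reason: str) -> Tuple[str, str]:
        key = (kind, action, reason)
        self.stats[key] = self.stats.get(key, 0) + 1
        return action, reason

    def decide(self, pkt: DhcpPacket) -> Tuple[str, str]:
        """Return (action, reason) using the wording of 'show dhcp-snooping stats'."""
        trusted = pkt.port in self.cfg.trusted_ports
        if pkt.msg_type in SERVER_MESSAGES:
            if not trusted:
                return self._count("Server", "drop", "received on untrusted port")
            if self.cfg.authorized_servers and pkt.src_ip not in self.cfg.authorized_servers:
                return self._count("Server", "drop", "unauthorized server")
            if pkt.msg_type == "DHCPACK" and pkt.chaddr in self.pending:
                self.bindings[pkt.chaddr] = self.pending.pop(pkt.chaddr)  # lease granted: record it
            return self._count("Server", "forward", "from trusted port")
        if not trusted:  # client message on an access port: apply the untrusted-port checks
            if self.cfg.verify_mac and pkt.chaddr.lower() != pkt.src_mac.lower():
                return self._count("Client", "drop", "failed verify MAC check")
            if self.cfg.drop_untrusted_option82 and pkt.has_option82:
                return self._count("Client", "drop", "untrusted option 82 field")
            if pkt.msg_type in RELEASE_MESSAGES:
                bound_port = self.bindings.get(pkt.chaddr)
                if bound_port is not None and bound_port != pkt.port:
                    return self._count("Client", "drop", "bad DHCP release request")
            elif pkt.msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
                self.pending[pkt.chaddr] = pkt.port
        return self._count("Client", "forward", "to trusted port")


def run_demo() -> Tuple[Snooper, List[Tuple[str, str]]]:
    """Replay a constructed sequence: one normal lease, then each attack the table is meant to stop."""
    snooper = Snooper(SnoopingConfig(trusted_ports={"Trk1"}, authorized_servers={"10.11.12.13"}))
    victim, server = "00:11:22:33:44:55", "00:aa:aa:aa:aa:01"
    packets = [
        DhcpPacket("DHCPDISCOVER", "5", victim, victim),
        DhcpPacket("DHCPOFFER", "Trk1", server, victim, "10.11.12.13"),
        DhcpPacket("DHCPREQUEST", "5", victim, victim),
        DhcpPacket("DHCPACK", "Trk1", server, victim, "10.11.12.13"),
        DhcpPacket("DHCPOFFER", "7", "00:bb:bb:bb:bb:01", victim, "192.168.1.200"),   # rogue on access port
        DhcpPacket("DHCPOFFER", "Trk1", "00:bb:bb:bb:bb:02", victim, "10.66.66.66"),  # not on authorized list
        DhcpPacket("DHCPRELEASE", "9", victim, victim),                               # release from wrong port
        DhcpPacket("DHCPDISCOVER", "6", "00:dd:dd:dd:dd:01", "00:dd:dd:dd:dd:99"),    # chaddr != source MAC
        DhcpPacket("DHCPDISCOVER", "6", "00:dd:dd:dd:dd:02", "00:dd:dd:dd:dd:02", has_option82=True),
    ]
    return snooper, [snooper.decide(p) for p in packets]


if __name__ == "__main__":
    snooper, results = run_demo()
    for (kind, action, reason), count in sorted(snooper.stats.items()):
        print(f"{kind:7} {action:8} {reason:30} {count}")
```

Running it prints a counter table in the same shape as the switch's stats output; the release-from-the-wrong-port case only reaches the binding check because the attacker also spoofed the source MAC, which is why the verify MAC check is applied first.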

Configuration restrictions and guidelines

When you configure DHCP snooping, follow these restrictions and guidelines:

·  DHCP snooping operates between the DHCP client and the DHCP server, or between the DHCP client and a DHCP relay agent. It does not operate between the DHCP server and a DHCP relay agent.

·  A device with DHCP snooping enabled cannot itself act as a DHCP server or DHCP relay agent.

·  The trusted port and the port connected to the DHCP client must be in the same VLAN.

·  Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces can be configured as trusted interfaces.

·  When a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration on that interface does not take effect; it takes effect again once the interface is removed from the aggregation group. Configure trust on the aggregate interface instead (on ProCurve, on the Trk port, as shown below).


HP ProCurve switches

Enable Globally

dhcp-snooping

Enable Per vlan

dhcp-snooping vlan 1
dhcp-snooping vlan 10
dhcp-snooping vlan 40
dhcp-snooping vlan 50

Designate authorized servers

dhcp-snooping authorized-server 10.11.12.13
dhcp-snooping authorized-server 10.15.20.25
dhcp-snooping authorized-server 10.20.30.40
dhcp-snooping authorized-server 10.9.8.7

Trust only the uplink (the trunk to the core switch, behind which the DHCP servers sit); every access port stays untrusted

interface Trk1
   dhcp-snooping trust
   exit


To display the DHCP snooping configuration:


# show dhcp-snooping
DHCP Snooping Information
DHCP Snooping                 : Yes
Enabled Vlans                 : 1 10 40 50
Verify MAC                    : No
Option 82 untrusted policy    : drop
Option 82 Insertion           : No
Option 82 remote-id           : mac
Store lease database          : Not configured
Port  Trust
----- -----
1     No
2     No
.
.
Trk1  Yes


To display statistics about the DHCP snooping process:


# show dhcp-snooping stats
Packet type Action  Reason                       Count
----------- ------- ---------------------------- ---------
Server      forward from trusted port             8
Client      forward to trusted port               8
Server      drop received on untrusted port      2
Server      drop unauthorized server             0
Client      drop destination on untrusted port   0
Client      drop untrusted option 82 field       0
Client      drop bad DHCP release request        0
Client      drop failed verify MAC check         0
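As an added example (not from this post), a Python audit that parses the two show outputs above, copied in as sample input, and reports what an operator should act on: snooping missing on an expected VLAN, verify MAC off, option 82 not dropped on untrusted ports, any trusted port other than the expected uplink, and any non-zero drop counter. The two "received on untrusted port" drops above mean a DHCP server answered on an access port, which is either a rogue or a misplaced server. The expected VLAN list and uplink name are taken from the configuration above.

```python
"""Audit 'show dhcp-snooping' and 'show dhcp-snooping stats' output (added example, not HP code)."""
import re
from typing import Dict, List, Set, Tuple

# Output copied from the two show commands above.
SHOW_DHCP_SNOOPING = """\
DHCP Snooping Information
DHCP Snooping                 : Yes
Enabled Vlans                 : 1 10 40 50
Verify MAC                    : No
Option 82 untrusted policy    : drop
Option 82 Insertion           : No
Option 82 remote-id           : mac
Store lease database          : Not configured
Port  Trust
----- -----
1     No
2     No
Trk1  Yes
"""

SHOW_DHCP_SNOOPING_STATS = """\
Packet type Action  Reason                       Count
----------- ------- ---------------------------- ---------
Server      forward from trusted port             8
Client      forward to trusted port               8
Server      drop received on untrusted port      2
Server      drop unauthorized server             0
Client      drop destination on untrusted port   0
Client      drop untrusted option 82 field       0
Client      drop bad DHCP release request        0
Client      drop failed verify MAC check         0
"""

_STAT_LINE = re.compile(r"^(Server|Client)\s+(forward|drop)\s+(.+?)\s+(\d+)\s*$")


def parse_show_dhcp_snooping(text: str) -> Dict[str, object]:
    """Return the 'key : value' settings plus the set of ports the switch reports as trusted."""
    settings: Dict[str, object] = {}
    trusted: Set[str] = set()
    in_port_table = False
    for line in text.splitlines():
        if line.startswith("Port") and "Trust" in line:
            in_port_table = True
            continue
        if in_port_table:
            parts = line.split()
            if len(parts) == 2 and parts[1] == "Yes":
                trusted.add(parts[0])
            continue
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            settings[key] = value
    settings["trusted_ports"] = trusted
    return settings


def parse_stats(text: str) -> Dict[Tuple[str, str, str], int]:
    """(packet type, action, reason) -> count."""
    counters: Dict[Tuple[str, str, str], int] = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            counters[(m.group(1), m.group(2), m.group(3))] = int(m.group(4))
    return counters


def audit(show_text: str, stats_text: str, expected_vlans: Set[str], expected_trusted: Set[str]) -> List[str]:
    """Compare the running state with the intended design and return the findings."""
    cfg = parse_show_dhcp_snooping(show_text)
    stats = parse_stats(stats_text)
    findings: List[str] = []
    if cfg.get("DHCP Snooping") != "Yes":
        findings.append("DHCP snooping is not enabled globally")
    missing = expected_vlans - set(str(cfg.get("Enabled Vlans", "")).split())
    if missing:
        findings.append("snooping not enabled on VLANs: " + " ".join(sorted(missing)))
    if cfg.get("Verify MAC") != "Yes":
        findings.append("verify MAC is off: chaddr spoofing from untrusted ports is not blocked")
    if cfg.get("Option 82 untrusted policy") != "drop":
        findings.append("option 82 packets from untrusted ports are not dropped")
    unexpected = cfg["trusted_ports"] - expected_trusted
    if unexpected:
        findings.append("ports trusted beyond the uplink: " + " ".join(sorted(unexpected)))
    for (kind, action, reason), count in stats.items():
        if action == "drop" and count > 0:
            findings.append(f"{count} {kind.lower()} packet(s) dropped: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_DHCP_SNOOPING, SHOW_DHCP_SNOOPING_STATS, {"1", "10", "40", "50"}, {"Trk1"}):
        print("FINDING:", finding)
```

On the output above this reports two findings: verify MAC is off, and two server packets were dropped on an untrusted port. The second is the one to chase, since it identifies the port where something is answering DHCP that should not be.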


Thursday, April 18, 2013

Cisco, Comware, Procurve - Redistribution of EIGRP, OSPF, and RIP




The four configurations (the original post laid them out side by side):

Cisco 2600
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
!
interface Serial0/0
 ip address 10.10.20.1 255.255.255.252
 clockrate 64000
!
interface FastEthernet0/1
 ip address 10.10.30.1 255.255.255.252
!
router eigrp 100
 redistribute ospf 1 metric 1000 1000 255 255 1500
 redistribute rip metric 100 1000 255 255 1500
 network 1.1.1.1 0.0.0.0
 network 10.10.20.0 0.0.0.3
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 100 subnets
 redistribute rip metric 100 subnets
 network 1.1.1.1 0.0.0.0 area 0
 network 10.10.10.0 0.0.0.3 area 0
!
router rip
 version 2
 redistribute eigrp 100 metric 8
 redistribute ospf 1 metric 8
 network 1.0.0.0
 network 10.0.0.0
 no auto-summary


Procurve
ip routing

interface loopback 0
   ip address 4.4.4.4/32

vlan 1
   untagged 48
   ip address 192.168.1.50 255.255.255.0
   ip rip 192.168.1.50

vlan 30
   untagged 1
   ip address 10.10.30.2 255.255.255.252
   ip rip 10.10.30.2
   ip rip 10.10.30.2 receive v1-or-v2

router rip
   no auto-summary
   redistribute connected
   enable


H3C
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
vlan 10
#
interface Vlan-interface10
 ip address 10.10.10.2 255.255.255.252
#
interface Ethernet1/0/1
 port access vlan 10
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 10.10.10.0 0.0.0.3
#


Cisco 2500
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Serial0
 ip address 10.10.20.2 255.255.255.252
!
router eigrp 100
 network 3.0.0.0
 network 10.0.0.0
 no auto-summary







2600#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
O       2.2.2.2 [110/2] via 10.10.10.2, 07:20:56, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.3 [90/2297856] via 10.10.20.2, 07:21:51, Serial0/0
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/1] via 10.10.30.2, 00:00:24, FastEthernet0/1
     10.0.0.0/30 is subnetted, 3 subnets
C       10.10.10.0 is directly connected, FastEthernet0/0
C       10.10.20.0 is directly connected, Serial0/0
C       10.10.30.0 is directly connected, FastEthernet0/1
R    192.168.1.0/24 [120/1] via 10.10.30.2, 00:00:24, FastEthernet0/1


Procurve# show ip route

                                         IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  1.1.1.1/32         10.10.30.1      30   rip                  2          120
  2.2.2.2/32         10.10.30.1      30   rip                  9          120
  3.3.3.3/32         10.10.30.1      30   rip                  9          120
  4.4.4.4/32         lo0                  connected            1          0
  10.10.10.0/30      10.10.30.1      30   rip                  2          120
  10.10.20.0/30      10.10.30.1      30   rip                  2          120
  10.10.30.0/30      VLAN30          30   connected            1          0
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  192.168.1.0/24     DEFAULT_VLAN    1    connected            1          0


<H3C>display ip routing-table
 Routing Table: public net
Destination/Mask   Protocol Pre  Cost        Nexthop         Interface
1.1.1.1/32         OSPF     10   11          10.10.10.1      Vlan-interface10
2.2.2.2/32         DIRECT   0    0           127.0.0.1       InLoopBack0
3.3.3.3/32         O_ASE    150  20          10.10.10.1      Vlan-interface10
4.4.4.4/32         O_ASE    150  100         10.10.10.1      Vlan-interface10
10.10.10.0/30      DIRECT   0    0           10.10.10.2      Vlan-interface10
10.10.10.2/32      DIRECT   0    0           127.0.0.1       InLoopBack0
10.10.20.0/30      O_ASE    150  20          10.10.10.1      Vlan-interface10
10.10.30.0/30      O_ASE    150  100         10.10.10.1      Vlan-interface10
127.0.0.0/8        DIRECT   0    0           127.0.0.1       InLoopBack0
127.0.0.1/32       DIRECT   0    0           127.0.0.1       InLoopBack0
192.168.1.0/24     O_ASE    150  100         10.10.10.1      Vlan-interface10


2500-hub#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is not set

     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/2297856] via 10.10.20.1, 07:26:09, Serial0
     2.0.0.0/32 is subnetted, 1 subnets
D EX    2.2.2.2 [170/3328000] via 10.10.20.1, 00:23:15, Serial0
     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
     4.0.0.0/32 is subnetted, 1 subnets
D EX    4.4.4.4 [170/26368000] via 10.10.20.1, 00:24:23, Serial0
     10.0.0.0/30 is subnetted, 3 subnets
D EX    10.10.10.0 [170/3328000] via 10.10.20.1, 00:23:15, Serial0
C       10.10.20.0 is directly connected, Serial0
D EX    10.10.30.0 [170/26368000] via 10.10.20.1, 00:24:24, Serial0
D EX 192.168.1.0/24 [170/26368000] via 10.10.20.1, 00:24:24, Serial0
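As an added example (not part of this post), a Python script that parses the three route-table formats shown above and checks the two things a lab or audit would want: that every router holds a route to every other box's loopback, and which routes arrived through redistribution. IOS marks those with D EX (EIGRP external) or O E1/O E2 (OSPF external) and Comware with O_ASE; ProCurve's RIP table carries no such marker, so only the metric hints at it there. The embedded tables are excerpts copied from the outputs above.

```python
"""Parse the route tables above and check reachability and redistribution (added example)."""
import re
from typing import Dict, List, Tuple

# Excerpts copied from the four outputs above (the loopbacks plus one transit prefix).
CISCO_2600 = """\
C       1.1.1.1 is directly connected, Loopback0
O       2.2.2.2 [110/2] via 10.10.10.2, 07:20:56, FastEthernet0/0
D       3.3.3.3 [90/2297856] via 10.10.20.2, 07:21:51, Serial0/0
R       4.4.4.4 [120/1] via 10.10.30.2, 00:00:24, FastEthernet0/1
R    192.168.1.0/24 [120/1] via 10.10.30.2, 00:00:24, FastEthernet0/1
"""
CISCO_2500 = """\
D       1.1.1.1 [90/2297856] via 10.10.20.1, 07:26:09, Serial0
D EX    2.2.2.2 [170/3328000] via 10.10.20.1, 00:23:15, Serial0
C       3.3.3.3 is directly connected, Loopback0
D EX    4.4.4.4 [170/26368000] via 10.10.20.1, 00:24:23, Serial0
"""
PROCURVE = """\
  1.1.1.1/32         10.10.30.1      30   rip                  2          120
  2.2.2.2/32         10.10.30.1      30   rip                  9          120
  3.3.3.3/32         10.10.30.1      30   rip                  9          120
  4.4.4.4/32         lo0                  connected            1          0
"""
H3C = """\
1.1.1.1/32         OSPF     10   11          10.10.10.1      Vlan-interface10
2.2.2.2/32         DIRECT   0    0           127.0.0.1       InLoopBack0
3.3.3.3/32         O_ASE    150  20          10.10.10.1      Vlan-interface10
4.4.4.4/32         O_ASE    150  100         10.10.10.1      Vlan-interface10
"""

Route = Tuple[str, int]  # (route code / protocol as printed, administrative distance or preference)

_IOS = re.compile(r"^([A-Z]{1,2}(?: [A-Z0-9]{1,2})?)\s+(\d+(?:\.\d+){3})(?:/\d+)?\s+"
                  r"(?:\[(\d+)/\d+\]|is directly connected)")
_PROCURVE = re.compile(r"^\s*(\S+)/\d+\s+\S+\s+(?:\d+\s+)?([a-z]+)\s+(?:[a-z]+\s+)?\d+\s+(\d+)\s*$")
_COMWARE = re.compile(r"^(\d+(?:\.\d+){3})/\d+\s+(\S+)\s+(\d+)\s+")


def parse_ios(text: str) -> Dict[str, Route]:
    """IOS 'show ip route': connected routes print no [AD/metric], so they get distance 0."""
    routes: Dict[str, Route] = {}
    for line in text.splitlines():
        m = _IOS.match(line)
        if m:
            routes[m.group(2)] = (m.group(1), int(m.group(3) or 0))
    return routes


def parse_procurve(text: str) -> Dict[str, Route]:
    """ProCurve 'show ip route': the VLAN and Sub-Type columns are optional."""
    routes: Dict[str, Route] = {}
    for line in text.splitlines():
        m = _PROCURVE.match(line)
        if m:
            routes[m.group(1)] = (m.group(2), int(m.group(3)))
    return routes


def parse_comware(text: str) -> Dict[str, Route]:
    """Comware 'display ip routing-table': protocol and preference columns."""
    routes: Dict[str, Route] = {}
    for line in text.splitlines():
        m = _COMWARE.match(line)
        if m:
            routes[m.group(1)] = (m.group(2), int(m.group(3)))
    return routes


LOOPBACKS = {"1.1.1.1": "Cisco 2600", "2.2.2.2": "H3C", "3.3.3.3": "Cisco 2500", "4.4.4.4": "ProCurve"}
EXTERNAL_CODES = {"D EX", "O E1", "O E2", "O_ASE"}  # how IOS and Comware mark redistributed routes


def all_tables() -> Dict[str, Dict[str, Route]]:
    return {"Cisco 2600": parse_ios(CISCO_2600), "ProCurve": parse_procurve(PROCURVE),
            "H3C": parse_comware(H3C), "Cisco 2500": parse_ios(CISCO_2500)}


def missing_routes(tables: Dict[str, Dict[str, Route]]) -> List[Tuple[str, str]]:
    """(router, loopback) pairs where a router has no route to another box's loopback."""
    return [(router, lb) for router, routes in tables.items() for lb in LOOPBACKS if lb not in routes]


def redistributed(tables: Dict[str, Dict[str, Route]]) -> List[Tuple[str, str, str]]:
    """Routes that entered a router through redistribution, recognised by their external codes."""
    return [(router, dest, code) for router, routes in tables.items()
            for dest, (code, _dist) in routes.items() if code in EXTERNAL_CODES]


if __name__ == "__main__":
    tables = all_tables()
    print("missing:", missing_routes(tables) or "none")
    for router, dest, code in redistributed(tables):
        print(f"{router:11} {dest:12} learned via redistribution ({code})")
```

With the outputs above nothing is missing, and the external routes are exactly the ones the 2500 and H3C learn from the 2600's redistribution; a route that shows up as external on a box that should have learned it natively is the usual sign of a redistribution loop.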


Tuesday, April 16, 2013

Cisco, Comware, Procurve - Redistribution of EIGRP and OSPF



Procurve
ip routing

interface loopback 0
   ip address 4.4.4.4
   ip ospf 4.4.4.4 area backbone
   exit

router ospf
   area backbone
   enable
   exit

vlan 1
   untagged 48
   ip address 192.168.1.50 255.255.255.0
   ip ospf 192.168.1.50 area backbone
   exit

vlan 30
   name "VLAN30"
   untagged 1
   ip address 10.10.30.2 255.255.255.252
   ip ospf 10.10.30.2 area backbone
   exit

vlan 999
   name "NOMANVLAN"
   untagged 2-47
   no ip address
   exit


H3C
sysname 5500-EI

vlan 10
#
vlan 30
#
interface Vlan-interface10
 ip address 10.10.10.2 255.255.255.252
#
interface Vlan-interface30
 ip address 10.10.30.1 255.255.255.252
#
interface Ethernet1/0/1
 port access vlan 10
#
interface Ethernet1/0/2
 port access vlan 30
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 2.2.2.2 0.0.0.0
  network 10.10.10.0 0.0.0.3
  network 10.10.30.0 0.0.0.3
#
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
#
return


Cisco 2600
hostname 2600
!
no ip domain-lookup
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
!
interface FastEthernet0/1
 ip address 10.10.20.1 255.255.255.252
!
router eigrp 100  <- Note that "100" is an autonomous system number (it must be the same on all routers), not an arbitrary process ID as in OSPF
 redistribute ospf 1 metric 1000 1000 255 1 1500
 network 1.1.1.1 0.0.0.0
 network 10.10.20.0 0.0.0.3
 no auto-summary
!
router ospf 1
 log-adjacency-changes
 redistribute eigrp 100 subnets  <- The AS number here must match the EIGRP process, or nothing is redistributed
 network 1.1.1.1 0.0.0.0 area 0
 network 10.10.10.0 0.0.0.3 area 0
!
ip classless
!
enable password cisco
!
line vty 0 4
 password cisco
 login
!
end

Cisco 2500
hostname R2500-hub
!
no ip domain-lookup
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Ethernet0
 ip address 10.10.20.2 255.255.255.252
!
router eigrp 100  <- Note that "100" is an autonomous system number (it must be the same on all routers), not an arbitrary process ID as in OSPF
 network 3.3.3.3
 network 10.10.20.0
 no auto-summary <- On my old 2500 hub there is no mask set, so auto-summary is a must
!
ip classless
!
enable password cisco
!
line vty 0 4
 password cisco
 login
!
end



Note:

The 2500 sees the routes redistributed into EIGRP with an administrative distance of 170 rather than 90. That is not the 2600 adding 80 to the distance: EIGRP marks routes that enter it through redistribution as external (D EX) and gives them a fixed AD of 170, while routes learned natively from EIGRP neighbours keep the internal AD of 90. The same is visible on the H3C, where the redistributed prefixes appear as O_ASE with preference 150 instead of OSPF's 10.


On the Windows PC I am working with, I added:
 C:\>route add 10.0.0.0 mask 255.0.0.0 192.168.1.50
 OK!

On the home router, to get from production to the test bed, I added this route:


Monday, April 15, 2013

Cisco, ProCurve, Comware - Basic file management (save, copy, start-up, erase)


Save the configuration under a user-defined name and make that saved file the startup configuration.


On Cisco switches:

Cisco-A# write memory
Cisco-A# copy running-config flash:interop-3a.cfg
Cisco-A# dir flash:
Cisco-A(config)# boot config flash:interop-3a.cfg
Cisco-A# show boot

Cisco-A# more flash:interop-3a.cfg

Once "boot config" points at this file it is the startup configuration, so a later "write mem" writes the running configuration into it and overwrites it; take care.

Cisco-A# reload

To set to factory
Cisco# erase startup-config
Cisco# reload
Say “No” if it asks to save the config file


Cisco-6503#dir ?
  /all              List all files
  /recursive        List files recursively
  all-filesystems   List files on all filesystems
  bootflash:        Directory or file name
  cns:              Directory or file name
  const_nvram:      Directory or file name
  dfc#2-bootflash:  Directory or file name
  disk0:            Directory or file name
  disk1:            Directory or file name
  flexwan-fpd:      Directory or file name
  null:             Directory or file name
  nvram:            Directory or file name
  sup-bootflash:    Directory or file name
  sup-microcode:    Directory or file name
  system:           Directory or file name
  tar:              Directory or file name
  tmpsys:           Directory or file name
  |                 Output modifiers
  <cr>

Cisco-6503#dir /all
Directory of disk0:/

    1  -rw-    80462372  Nov 10 2011 00:32:18 +00:00  s72033-adventerprisek9_wan-mz.122-33.SXH8a.bin
    2  -rw-   145081188  Nov 10 2011 08:53:56 +00:00  s72033-adventerprisek9_wan-mz.122-33.SXJ1.bin
    3  -rw-    46615200   Dec 1 2011 03:32:38 +00:00  s72033-pk9sv-mz.122-18.SXD3.bin
    4  -rw-    48227168   Dec 1 2011 03:34:50 +00:00  s72033-jk9sv-mz.122-18.SXD7b.bin
    5  -rw-    81728516   Dec 5 2011 13:19:36 +00:00  s72033-ipservicesk9_wan-mz.122-18.SXF6.bin


On HP A-Series (Comware) switches:

<HP> display startup                 <- note the current startup file name
<HP> save h3c_config.cfg
<HP> dir /all                        <- lists all files in flash
<HP> more flash:/h3c_config.cfg

Change the startup configuration file to the one you just saved:
<HP> startup saved-configuration h3c_config.cfg
<HP> display startup                 <- should now show h3c_config.cfg

<HP> reboot
Note: don't answer "save" at the reboot prompt unless you want the current running changes written into the startup configuration file.


To set to factory
<HP> reset saved-configuration
<HP> reboot


Updating the flash and bootrom files

Display the firmware in use
<HP>display boot-loader
 Slot 1
The current boot app is:  flash:/s5120ei-cmw520-r2202p06.bin
The main boot app is:     flash:/s5120ei-cmw520-r2202p06.bin
The backup boot app is:   flash:/s5120ei-cmw520-r2202p06.bin

Note: here the main and backup boot files are the same image, so there is no separate known-good image to fall back to.


Remote Software Loading
You can telnet to the switch and use FTP or TFTP to load the BootROM and host software remotely. Telnet and TFTP are both cleartext and unauthenticated, so do this over an isolated management network, and check the downloaded image against the vendor-published checksum before committing it with boot-loader.

Remote Loading Using TFTP
Console to the switch and set up an ip address:

 [5500-EI]vlan 1
 [5500-EI-vlan1]quit 
 [5500-EI]interface Vlan-interface 1
 [5500-EI-Vlan-interface1]ip add 192.168.1.22 24
 [5500-EI-Vlan-interface1]quit 

[5500-EI]interface Giga 1/0/5
[5500-EI-Ethernet1/0/5]port access vlan 1
[5500-EI-Ethernet1/0/5]undo shut

Connect a PC to port giga 1/0/5, set the PC's IP address to be on the same subnet as the switch, telnet to the switch, and execute the tftp commands to download the firmware from the remote TFTP server (IP address 192.168.1.105) to the switch.

Step 1: Download the software and bootrom to the switch using tftp commands.
<H3C> tftp 192.168.1.105 get s5120ei-cmw520-r2304p01.bin
Downloading file from remote tftp server, please wait......................................................................

<H3C> tftp 192.168.1.105 get S5120-EI.btm
Downloading file from remote tftp server, please wait......................................................................

Step 2: Update the BootROM program on the switch (only if needed; check the current version with 'display device').
<H3C> bootrom update file S5120-EI.btm slot 1
This command will update BootRom file, Continue? [Y/N]y
Updating BootRom, please wait...

Step 3: Update the host software on the switch.
<H3C> boot-loader file s5120ei-cmw520-r2304p01.bin slot all main
<H3C> display boot-loader
Slot 1
The current boot app is: flash:/s5120ei-cmw520-r2202p06.bin
The main boot app is: flash:/s5120ei-cmw520-r2304p01.bin
The backup boot app is: flash:/s5120ei-cmw520-r2202p06.bin

Step 4: Restart the switch.
<H3C> reboot

NOTE:
Before restarting the switch, make sure the configuration has been saved, so nothing is lost.
After the steps above the BootROM and host software loading is complete. Keep the following points in mind:
·  The new host software takes effect only after you restart the switch with the reboot command.
·  If flash space is insufficient, delete unneeded files from flash before downloading the software, but keep the image set as backup so that you can roll back.
·  Do not interrupt power during software loading.


<HP>dir /all
Directory of flash:/

   0     -rw-   8984448  Aug 20 2010 15:50:35   s5120ei-cmw520-r2202p06.bin
   2     -rw-      9420  Jul 25 2011 16:29:17   startup.cfg
   3     -rw-      9530  Sep 28 2011 16:29:17   h3c_config.cfg
   6     -rw-   11585434 Sep 28 2011 10:58:05   s5120ei-cmw520-r2304p01.bin
   7     -rw-    465412  Jul 28 2011 10:58:44   s5120ei-btm-2304.btm
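As an added example (not HP's tooling), a Python pre-reboot check that parses the 'display boot-loader' and 'dir /all' output above and refuses to proceed unless the main boot app is the new image, the backup is a different known-good image, and the new file is actually in flash with a non-zero size. It also includes a SHA-256 comparison, since TFTP gives no integrity guarantee; the image bytes and expected digest used to exercise it are constructed placeholders, not a real image hash.

```python
"""Pre-reboot sanity check for the Comware image update above (added example, not HP code)."""
import hashlib
import re
from typing import Dict, List

# 'display boot-loader' output after step 3, copied from above (note the 'flash:/ name' spacing).
BOOT_LOADER_AFTER_UPDATE = """\
Slot 1
The current boot app is: flash:/ s5120ei-cmw520-r2202p06.bin
The main boot app is: flash:/ s5120ei-cmw520-r2304p01.bin
The backup boot app is: flash:/ s5120ei-cmw520-r2202p06.bin
"""
# The earlier output, where main and backup were the same file.
BOOT_LOADER_BEFORE_UPDATE = """\
 Slot 1
The current boot app is:  flash:/s5120ei-cmw520-r2202p06.bin
The main boot app is:     flash:/s5120ei-cmw520-r2202p06.bin
The backup boot app is:   flash:/s5120ei-cmw520-r2202p06.bin
"""
DIR_ALL = """\
Directory of flash:/

   0     -rw-   8984448  Aug 20 2010 15:50:35   s5120ei-cmw520-r2202p06.bin
   2     -rw-      9420  Jul 25 2011 16:29:17   startup.cfg
   3     -rw-      9530  Sep 28 2011 16:29:17   h3c_config.cfg
   6     -rw-   11585434 Sep 28 2011 10:58:05   s5120ei-cmw520-r2304p01.bin
   7     -rw-    465412  Jul 28 2011 10:58:44   s5120ei-btm-2304.btm
"""

_BOOT = re.compile(r"^The (current|main|backup) boot app is:\s*flash:/\s*(\S+)", re.M)
_DIR = re.compile(r"^\s*\d+\s+-rw-\s+(\d+)\s+.*\s(\S+)\s*$", re.M)


def parse_boot_loader(text: str) -> Dict[str, str]:
    """Map current/main/backup to file names; tolerates the stray space after 'flash:/'."""
    return {m.group(1): m.group(2) for m in _BOOT.finditer(text)}


def parse_dir(text: str) -> Dict[str, int]:
    """File name -> size in bytes from a 'dir /all' listing."""
    return {m.group(2): int(m.group(1)) for m in _DIR.finditer(text)}


def preflight(boot_text: str, dir_text: str, new_image: str, known_good: str) -> List[str]:
    """Problems that should stop a 'reboot'; an empty list means it is safe to proceed."""
    boot = parse_boot_loader(boot_text)
    files = parse_dir(dir_text)
    problems: List[str] = []
    if boot.get("main") != new_image:
        problems.append(f"main boot app is {boot.get('main')}, not {new_image}")
    if new_image not in files:
        problems.append(f"{new_image} is not in flash")
    elif files[new_image] == 0:
        problems.append(f"{new_image} is empty")
    if boot.get("backup") != known_good:
        problems.append(f"backup boot app is {boot.get('backup')}, not the known-good {known_good}")
    if boot.get("backup") == boot.get("main"):
        problems.append("main and backup are the same file, so there is nothing to fall back to")
    return problems


def image_digest_ok(image: bytes, expected_sha256: str) -> bool:
    """TFTP has no integrity protection: compare the downloaded bytes with the vendor-published hash."""
    return hashlib.sha256(image).hexdigest().lower() == expected_sha256.lower()


if __name__ == "__main__":
    new, old = "s5120ei-cmw520-r2304p01.bin", "s5120ei-cmw520-r2202p06.bin"
    for label, text in (("before update", BOOT_LOADER_BEFORE_UPDATE), ("after update", BOOT_LOADER_AFTER_UPDATE)):
        problems = preflight(text, DIR_ALL, new, old)
        print(f"{label}: {'OK to reboot' if not problems else '; '.join(problems)}")
```

Run against the "before update" output it refuses (main is still the old image, and main and backup are the same file); against the "after update" output it passes, which is the state you want to see before typing reboot.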



Display the LPUs and slot information
display version
display device



On HP E-Series (ProCurve) switches:

HP-E# write memory
HP-E# show config-files

The saved configuration file here is named interop2a. Copy it to a new file named interop3a:
HP-E# copy config interop2a config interop3a
HP-E# show config interop3a

To make this configuration the startup-config, enter this command:
HP-E(config)# startup-default config interop3a

HP-E# boot system flash primary config interop3a

To remove files
HP-E(config)# erase config interop2a

To set to factory
HP-E# erase startup-config



About the Author

Central Florida, United States