Saturday, December 19, 2015

Recover lost password on HPE Comware 12500's

If you have an IRF of these chassis-based switches and just reboot the entire cluster, break the boot sequence and bypass the current config, the switch will still load the config from MPU 1/1, 2/0 or 2/1 when it comes back up. Therefore I had to isolate myself to a single MPU. The steps I had to take to recover were:

- Break the IRF by unplugging the IRF physical interfaces (te1/2/0/15 and te1/2/0/16 in this case).
- Pull the standby MPU from slot 1 in chassis 1 (1/1).
- Connect a console cable to the chassis 1 slot 0 MPU (1/0).
- Reboot the switch.
- Stop with Ctrl+B at the BootROM (screen output and selections are listed below):
  - Select 9
  - Select 4
  - Select 0
  - Select 0
  - The switch will now reboot without the current config.

- Load the current config with the “config replace file flash:/config.cfg” command. The switch loads the mangled startup-config file into the current configuration but does NOT log you out.
- At a minimum, 1) strip the console password and set privilege level 3, and 2) create a temporary local user with terminal access and privilege level 3 (user "admin" with password “hp” in the example below).

user-interface con 1/0 2/1
authentication-mode none
user privilege level 3

local-user admin
password simple hp
authorization-attribute level 3
service-type ssh telnet terminal

- Add back irf-port 1/1 (it gets stripped from the config when the config is pulled in via the “config replace ..” command).

int ran te1/2/0/15 to te1/2/0/16
shut
quit

irf-port 1/1
port group int te1/2/0/15
port group int te1/2/0/16
quit

int ran te1/2/0/15 to te1/2/0/16
undo shut
quit

- Save the config. Verify the changes in the current config with the “more” command from user context.

- Insert the MPU in chassis 1 slot 1.
- Verify it comes up, then replace MPU 1/1's config.cfg with MPU 1/0's config.sys:

dis device    <- verify the slot loads with the correct code version
copy config.sys chassis1#slot1#flash:/config.sys

- Connect the IRF links (te1/2/0/15 and te1/2/0/16).
- Verify in the logbuffer that the switch detects the IRF merge:

%Dec 18 11:48:16:274 2015 hp IFNET/3/LINK_UPDOWN: Ten-GigabitEthernet1/2/0/15 link status is UP.
%Dec 18 11:48:21:845 2015 hp IFNET/3/LINK_UPDOWN: Ten-GigabitEthernet1/2/0/16 link status is UP.
%Dec 18 11:48:27:391 2015 hp STM/5/STM_MERGE: IRF merge occurs and the IRF system does not need to reboot.

- Reboot switch 2.
- Verify that all modules load with the correct version of code (dis device).
- After switch 2 comes up, replace the config.cfg on MPUs 2/0 and 2/1 with MPU 1/0's config.sys.

Here are the BootROM halt steps:

Board self testing...........................
Board steady testing...                           [ PASS ]
Board SlotNo...                                   [   1  ]
Subcard exist testing...                          [ PASS ]
DX246  testing...                                 [ PASS ]
PHY88E1111  testing...                            [ PASS ]
CPLD1 testing...                                  [ PASS ]
CPLD2 testing...                                  [ PASS ]
NS16550 register testing...                       [ PASS ]
The switch's Mac address...                       [5C:8A:38:C0:CA:00]
CF Card testing...                                [ PASS ]
BootWare Validating...
Backup Extend BootWare is newer than Normal Extend BootWare,Update? [Y/N]
Press Ctrl+B to enter extended boot menu...
Please input BootWare password:

Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System                                                           |
|<2> Enter Serial SubMenu                                                  |
|<3> Enter Ethernet SubMenu                                                |
|<4> File Control                                                          |
|<5> Modify BootWare Password                                              |
|<6> BootWare Operation Menu                                               |
|<7> Clear Super Password                                                  |
|<8> Storage Device Operation                                              |
|<9> Product Special Operation                                             |
|<0> Reboot                                                                |
============================================================================
Enter your choice(0-9):

========================<PRODUCT SPECIAL OPERATION>=========================
|<1> Modify Chassis ID Operation                                           |
|<2> Modify Working Mode                                                   |
|<3> Modify PCL Key                                                        |
|<4> Skip Current System Configuration                                     |
|<0> Exit To Main Menu                                                     |
============================================================================
Enter your choice(0-4): 4
Flag Set Success.

========================<PRODUCT SPECIAL OPERATION>=========================
|<1> Modify Chassis ID Operation                                           |
|<2> Modify Working Mode                                                   |
|<3> Modify PCL Key                                                        |
|<4> Skip Current System Configuration                                     |
|<0> Exit To Main Menu                                                     |
============================================================================
Enter your choice(0-4): 0

===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System                                                           |
|<2> Enter Serial SubMenu                                                  |
|<3> Enter Ethernet SubMenu                                                |
|<4> File Control                                                          |
|<5> Modify BootWare Password                                              |
|<6> BootWare Operation Menu                                               |
|<7> Clear Super Password                                                  |
|<8> Storage Device Operation                                              |
|<9> Product Special Operation                                             |
|<0> Reboot                                                                |
============================================================================
Enter your choice(0-9): 0
DDR2 SDRAM test successful.
System is starting...
Booting Normal Extend BootWare
The Extend BootWare is self-decompressing...................
Done!

Now console access will NOT have a password OR will have the user and password you added.

Before logging out, verify telnet/SSH access:
- Connect one end of an RJ45 cable to one of the switch ports and the other end to your laptop.
- Set your laptop NIC to the same subnet as the switch port's network and telnet/SSH to the switch.
- Log in with the username admin (password hp) created above.

Log out of the console and then back in.
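The recovery leaves a console with no authentication and a local user with a plaintext ("simple") password, and the config replace strips irf-port 1/1. Here is an added Python checker, not part of the original post, that parses a Comware-style config text and flags those leftovers so they can be cleared before the chassis goes back into service; the sample config inside it is constructed from the snippets above.

```python
# Constructed sample mirroring the temporary recovery settings above; not a real device config.
SAMPLE_CFG = """\
user-interface con 1/0 2/1
 authentication-mode none
 user privilege level 3
local-user admin
 password simple hp
 authorization-attribute level 3
 service-type ssh telnet terminal
irf-port 1/1
 port group interface Ten-GigabitEthernet1/2/0/15
 port group interface Ten-GigabitEthernet1/2/0/16
"""


def parse_blocks(cfg):
    """Group a Comware config into (context line, [indented sub-commands]) pairs.
    Comware indents sub-commands by one space and separates sections with '#'."""
    blocks, current = [], None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(cfg, expected_irf_ports=("1/1",)):
    """Return the findings that should be resolved after a password recovery."""
    findings, seen_irf = [], set()
    for ctx, subs in parse_blocks(cfg):
        if ctx.startswith("user-interface") and "authentication-mode none" in subs:
            findings.append(f"{ctx}: no authentication on the line")
        if ctx.startswith("local-user") and any(s.startswith("password simple") for s in subs):
            findings.append(f"{ctx}: plaintext (simple) password")
        if ctx.startswith("irf-port"):
            seen_irf.add(ctx.split()[1])
            if not any(s.startswith("port group") for s in subs):
                findings.append(f"{ctx}: no member ports")
    for port in expected_irf_ports:
        if port not in seen_irf:
            findings.append(f"irf-port {port}: missing (stripped by config replace?)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```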


Thursday, November 12, 2015

Comware Unified Wired and Wireless Controllers (830, 850, 870)

General
License APs: license register ap <license key obtained from the HP license center>
"remote forwarding" is the same thing as "distributed forwarding" in the MSM.
"local forwarding" is the same as "access controlled" in the MSM.

In the WWLAN Controller engine:
 port-security enable
 oap management-ip 10.0.124.3 slot 0    (10.0.124.3 is the switch's ip)
 undo interface Vlan-interface1

To see clients on APs
 For tunneled clients, you have to enable arp-snooping with the command
[HP] arp-snooping enable

 For locally switched clients, there are several ways, but the easiest is the command
[HP] wlan client learn-ipaddr enable

Remote forwarding
 wlan ap a048-1234-5678 model MSM430-AM id 61
  serial-id CN3ABCDEF
  provision
   vlan tagged 128
   vlan untagged 1 124
  country-code US
  radio 1
   service-template 1
   service-template 2
   radio enable
  radio 2
   service-template 1
   service-template 2
   radio enable


Switch and Controller Engine Contexts
The appliance has two devices built into one, a switch and a controller, each with its own context (or engine, as the docs refer to them).

When you log in to an 830/850/870, you are placed at the Controller engine context.
The controller has only virtual interfaces in BAGG1, which link to the switch engine via the backplane.

The default IP (192.168.0.100) can be changed. VLAN tagging/untagging is applied to BAGG1 as needed to forward traffic to the switch.

The switch has a BAGG1 by default with virtual interfaces that link directly to the controller's BAGG1.

All interfaces on the front panel of the WWLAN controller belong to the switch engine.
The only existing interface for the controller is BAGG1. The interfaces that are virtual on the various platforms can be found by looking at the interfaces in BAGG1 (dis link-agg verbose bridge 1).

From the Controller context, to move to the switch context:
 <HP> oap connect slot 0

To return to the Controller engine:
 Ctrl+K

Flash
The switch uses flash while the controller uses a compact flash: switch=flash, controller=cfa0

 Switch
 <HP>save
 Please input the file name(*.cfg)[flash:/startup.cfg]

 To move back into the Controller engine
  <HP> Ctrl+K

 Controller
  <HP>save
 Please input the file name(*.cfg)[cfa0:/startup.cfg]


Moving from GUI to CLI
When I wasn't able to figure out how to configure something in the GUI, I'd use the CLI commands from the configs and then look at the GUI to see what changed.

Auto discovery of APs
To discover APs, turn auto-ap on from the global context. After they are discovered, you can turn auto discovery off and then move the APs into a group. I moved mine into the default group. It would be easy enough to create other groups and move some APs into those groups (same concept as MSM AP groups).

Creating group with the cli:  
[AC1] ap-group <group_name>


Portal
 Load authentication web pages on the Unified Controller
 Create a directory called “portal” in the root directory:

 <AC1>mkdir portal
 %Created dir cfa0:/portal.

 Verify the directory was created by issuing the “dir” command again
 <AC1>dir
 Directory of cfa0:/
    .
    .
    6     -rw- 102913024  Dec 19 2013 10:51:12   hp6000-cmw520-r2308p29.bin
    7     drw-         -  Feb 11 2014 09:55:36   portal

 Change to the portal directory
 <AC1>cd portal

Upload the portal web pages zip file to the portal directory (via TFTP, FTP, SFTP, SCP or USB).

This was my portal configuration:
 portal server WEB ip 10.0.132.2 url http://10.0.132.2/portal/logon.htm
 portal free-rule 0 source interface Bridge-Aggregation1 destination any
 portal free-rule 1 source ip any destination ip 10.0.132.1 mask 255.255.255.255
 portal wlan ssid GUEST server WEB domain wireless
 portal local-server http
 portal local-server bind ssid GUEST file defaultfile.zip

NOTE: 10.0.132.2 is the controller's IP, while 10.0.132.1 was the gateway for VLAN 10.0.132.0/23.

 domain wireless
  authentication portal local
  authorization portal local
  accounting portal local
  access-limit disable
  state active
  idle-cut enable 120 10240
  self-service-url disable

Some other links on portal auth:
http://abouthpnetworking.com/2014/06/02/hp-unified-wireless-free-access-option-on-guest-portal/
http://abouthpnetworking.com/2014/05/29/hp-unified-wireless-guest-central-authentication-with-data-local-breakout/




Comware Multicast Routing with PIM-SM and IGMP

IGMP snooping
IGMP snooping runs on a Layer 2 switch as a multicast constraining mechanism to improve multicast forwarding efficiency. It creates Layer 2 multicast forwarding entries from IGMP packets that are exchanged between the hosts and the router.  When IGMP snooping is not enabled, the Layer 2 switch floods multicast packets to all devices. When IGMP snooping is enabled, the Layer 2 switch forwards multicast packets of known multicast groups to only the receivers.

Common notations in multicast
The following notations are commonly used in multicast transmission:

- (*, G): Rendezvous point tree (RPT), or a multicast packet that any multicast source sends to multicast group G. The asterisk (*) represents any multicast source, and "G" represents a specific multicast group.

- (S, G): Shortest path tree (SPT), or a multicast packet that multicast source "S" sends to multicast group "G". "S" represents a specific multicast source, and "G" represents a specific multicast group.


Multicast Routing

IGMP (delivers the multicast to the host)
PIM (delivers the multicast to the switch)


show commands
display igmp group
display igmp-snooping group

Minimize multicast flooding
igmp-snooping

Enable in vlan
vlan X
 igmp-snooping enable


IGMP & MSTP
Set static router ports to recover from failed links more quickly.

Timers
igmp robust-count x

x = the multiplier applied to the query interval (the timeout is x times the query interval plus the max response time); default 2
igmp max-response-time 10 (default)
igmp last-member-query-interval 1 (default)


IGMP Example

vlan 12
 description Jumbo Frame Multicast VLAN
 igmp-snooping enable
 igmp-snooping drop-unknown    <- highly recommended if using jumbo frames
 igmp-snooping querier         <- makes this switch the querier for the VLAN segment



Multicast Routing
- Enable globally:

multicast routing



display multicast routing-table
display pim routing-table

PIM-SM
- Does not forward multicasts unless requested to by a join message
- Periodic joins are required to maintain the tree
- Used on lower bandwidth router connections


Enable PIM-SM on every interface between multicast sources and receivers, including:

- Interfaces on which multicast sources reside
- Interfaces on which multicast receivers reside (IGMP-enabled interfaces)
- Interfaces between all routers and routing switches that connect sources and receivers

A (*, G) entry has an upstream interface, which enables the PIM routing switch to explicitly join the tree. The switch discovers the upstream interface by looking up the forwarding interface in the unicast route to the RP.

interface vlan 10
 igmp enable
 igmp version 3
 pim sm


- Every PIM-SM router or routing switch in the domain must always select the same RP for the same multicast addresses.
- RPs should be backbone routers.
- RPs should be near the multicast source.

Dynamic RP:
- For the simplest setup, have all C-RPs advertise support for all multicast addresses with the same priority. Set the priority on all C-RPs to the same value:

pim
 c-rp <interface type> <number> priority <0-255>    <- Comware 5
 c-rp <ip address> priority <0-255>                 <- Comware 7

- It is best to explicitly set the same priority on each C-RP, because different switch models could use different default priorities.

- This allows the hash function to select the RPs.

- Adjust the hash mask length on the C-BSRs to change the size of the block of addresses that is always assigned to the same RP.
  - Default: 30 (block of four)

CM5
pim
 c-bsr <interface type> <number> <0-32>

-or-

 c-bsr <interface type> <number>
 c-bsr hash-length <0-32>


CM7
pim
 c-bsr <ip address> <0-32>

-or-

 c-bsr <ip address>
 c-bsr hash-length <0-32>
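As an added example, not from the original post, the following Python code implements the RFC 4601 BSR hash that PIM-SM routers use to map a group to one of the C-RPs sharing the best (lowest) priority value, and shows why a hash mask length of 30 sends a block of four consecutive group addresses to the same RP. The C-RP addresses and priorities are constructed, and it assumes every C-RP advertises the same group range, as in the simplest setup above.

```python
import ipaddress

HASH_MOD = 2 ** 31  # RFC 4601 section 4.7.2 takes the hash value mod 2^31


def hash_mask(length):
    """Turn a hash-mask length (the c-bsr hash-length value, 0-32) into a 32-bit mask."""
    return ((0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF) if length else 0


def pim_hash(group, mask, candidate):
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31."""
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(candidate))
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % HASH_MOD


def select_rp(group, candidates, hash_length):
    """Choose the RP for `group` from (address, priority) C-RPs the way a PIM-SM router does:
    only candidates with the lowest priority value compete, the highest hash value wins,
    and a tie goes to the numerically highest candidate address."""
    best_priority = min(priority for _, priority in candidates)
    eligible = [addr for addr, priority in candidates if priority == best_priority]
    mask = hash_mask(hash_length)
    return max(eligible, key=lambda c: (pim_hash(group, mask, c), int(ipaddress.IPv4Address(c))))


def rp_map(groups, candidates, hash_length):
    """Map each group to its RP; with hash-length 30 every aligned block of four shares one RP."""
    return {g: select_rp(g, candidates, hash_length) for g in groups}


if __name__ == "__main__":
    # Constructed C-RPs, both left at the Comware default priority of 192.
    crps = [("10.1.1.1", 192), ("10.1.1.2", 192)]
    groups = [f"239.1.1.{i}" for i in range(8)]
    for hash_length in (30, 32):
        print(f"hash-length {hash_length}:")
        for g, rp in rp_map(groups, crps, hash_length).items():
            print(f"  {g} -> {rp}")
```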


Bootstrap and RP Routers


multicast routing-enable

igmp

interface vlan 10
 igmp enable
 igmp version 3
 pim sm

pim
 c-bsr hash-length 24
 c-bsr priority 100
 c-bsr Vlan-interface10 priority 100
 -or-
 c-bsr 10.1.1.1 priority 100


Other Routers


multicast routing-enable

igmp

interface vlan 10
 ip address 10.x.x.x 255.255.255.0
 igmp enable
 igmp version 3
 pim sm

Layer 2 Switches (Non-Querier)

igmp-snooping

vlan X
 igmp-snooping enable


About the Author

Central Florida, United States