HowTo: Enable Traceroute on HPE FF5700

On HPEs Comware based FlexFabric switches by default answering to traceroute is disabled. To enable traceroute on a FF5700 families switch you need to activate:


ip unreachable enable
ip ttl-expires enable

As of then, the switch should show up in traceroutes with something different than timeouts.

Kyp. F.

HowTo: Broken SMB Communication through PanOs 8.1. Firewalls Fix

Anybody who installed PanOS 8.1 on his Palo Alto firewall – we use the PA 220 in quite some numbers, may have experienced quite some strange behaviour if through IPSEC tunnels connected file shares user SMB. So did I.

With the latest firmware upgrade, no write or read jobs through any of these VPN tunnels succeded. The mapped drives lit up in the file explorer. in some cases even browsing directories may have succeded … perhaps even two or three levels down. Then the explorer started to hang, crashed, even some systems blue screened. Copied files showed perhaps up in the destination with a filename aka. directory entry but never any content showed up.

Since we updated the Microsoft world on top, the assumption some backward compatibility stack or group policy setting may have caused the headache. Many Continue reading

Building HP-VSA virtualized storage on VMWare

Konkret sieht die Installation der Software zur Storage Virtualisierung wie folgt aus:

Ich installiere zuerst auf zwei Hosts vmWare vSphere 5.5 und lizenziere diese mit Enterprise Plus. Danach installiere ich einen vCenter Server – oder nehme denjenigen, der in meiner Umgebung zur Verfügung steht. Die VMWare Installation lasse ich an dieser Stelle außen vor – zu berücksichtigende Konfigurationen oder Ausstattungen folgen später im Thread.

Drittens installiere ich die VSA Appliances mit dem entsprechenden Installer. Auch hier fasse ich mich recht kurz, da das zuvor schon gepostet wurde.

VSAInstallationProgress3

Hierbei sind im Wesentlichen drei Dinge zu beachten:

Continue reading

PanOS – Palo Alto basic commands after web console lockout

Since I’m still a big fan of the Palo Alto firewall family, there are some things, which really feel strangely disturbing. Nothing functional, otherwise I won”t be as convinced but in terms of administration. The most advanced network security device is better managed by webinterface – something every network guru feels goosebumps in his neck.

The worse it is, if the webinterface hangs and you need to use the unfamiliar command line interface. Whereas many vendors simply follow SNMP logic and somehow end up with something similar to the industry standard context setup, PanOs CLI feels strangely different.

Here are your survival commands to make login on the web interface work again:

  1. Have you rebooted the System?
    request restart system
  2. Did you restart the management service?
    debug software restart process management-server
  3. Did you check the file system and free space?
    show system disk-space
  4. In case you need to delete crash dumps or free space anyway:
    delete debug-log mp-log file *
  5. And finally if the system still does not respond due to hanging commits:
    commit force

This list is far from being complete, but after experiencing one software version which filled up the root file system after failed content updates and locking out the admins from the web interface, combinations of these commands helped to make the firewall accessible again.

To be fair, this was a one time error in three years running twelve of these boxes, nevertheless it felt quite uncomfortable.

Kyp. F.

How To Configure Multiple VLANs on one Synology Bond

Some times you may need perhaps more than one network at home connected to your Synology NAS. You are a geek and want to do srange VMWare things or you simply want your kids friends not to find the private family pictures.

Accessrights are one thing, hard network separation probably something entirely different. Even id you don’t want to separate traffic but want to support storage in different subnets probably you don’t want your homeuse- router do handle storage traffic. At least it is very smart to avoid that.

Conceptional this may be solved by interface overloading on the network interface of the storage device. You may have different network cards, to separatre traffic, but why would Continue reading

How To build a 19″ Server Rack

Every serious consultant and technichian walks through this phase of having his private test environment and wants to bring whatever environment to live. In the former days this was occasionally heavy iron, piling up to some extend and everybody had somehow to handle the hardware.

Today virtualisation and the meltdown in memory pricing helps. Entire companies may be simulated virtually in little more than an PC. What doesn’t change is communications and given the fact that nice replication or virtulisation technologies sometimes shall work over a far stretched wide area connection. So the today home lab looks first compressed in a Continue reading

How To Configure IRF on HPE FF5700

Approaching a certain quality level of switching and routing, high availability evolves to be an obligation. In these terms, according to the different OSI service layers, there are many high availability protocols, securing the according network services. The Spanning Tree family as STP, RSTP, MSTP, PVST, protocols for link aggregation as LACP and layer three routing redundancy services like VRRP.

These protocols have the advantage, being vendor independent standards and presume to be interoperable. But either design gets complex, interoperability keeps its caveats or ressources are simply disabled and take over in failiure. Thats not exactly performance driving.

So vendors created stacks – which failed otherwise, or they started to create systems of higher complexity which proprietary created load sharing high availability clusters in the Continue reading

HowTo activate SNMP on vSphere 6.0 hosts

Monitoring ESXi with an standard open source monitoring tool usually requires SNMP. Searching for SNMP in the vCenter configuration context this simply allows you to start the service – but not exactly leads to success in the first place. Probably you get an error.

You check in the security profiles and find the service stopped although it is configured to start with the host. Manual start delivers an “ooops”.

Looking for an clickable configuration context did not lead to an solution I was aware of. Continue reading

How-To: Init HPE FF5700 FlexFabric Switches

Left alone by some consultants, which charged a lot and did not accomplish to much, I ended up configuring FF5700 felx fabric switches myself. Some of the insights, other posts will follow.

To start with the basic initialization settings, configuring management access and doing initial firmware maintenance. After unpacking the switch and mounting fans and power supplies connect through the serial console – although there is dhcp client running on the switch which probably allows you to gain management access over the network. Remember there is a Gigabit- Ethernet- Port on the backside of the switch, dedicated for management access only. The console port is adjacent. Default serial settings are 9600/n/1/n as with any other HPE switch.

After the boot procedure press enter and you have access to the switch. Elevate your access level to configuration mode with:

system-view

To start with I actually disable the DHCP client and activate LLDP for further use.

undo dhcp enable
lldp global enable

After that prepare the desired VLANs according to whatever you later use. I strictly recommend leaving the default VLAN untouched, leaving the Primary VLAN ID on 1 and transport that untagged on any switch to switch link, but remove all access and server Continue reading