Thursday, 12 March 2020

Stack Master Election Process


How is the stack master elected?


These rules have been defined to determine which unit within a stack is chosen as the master. When switches are added or stacks are merged, the master will be chosen based on these rules, in the order specified:

1. The switch that is currently the stack master.

Note: When stacks merge, the elected stack master would have been the master of one of the merged stacks.

Note: When stacks partition, the stack master of the original stack will be the master of its partition.

2. The switch with the highest stack member priority value.

Note: Cisco recommends that you assign the highest priority value to the switch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master if a re-election occurs.

3. The switch that uses the non-default interface-level configuration.

4. The switch with the higher Hardware/Software priority. These switch software versions are listed from highest to lowest priority:

Cryptographic IP services image software

Noncryptographic IP services image software

Cryptographic IP base image software

Noncryptographic IP base image software

Note: Switches that run a cryptographic or IP services image take longer to load than those running a non-cryptographic or IP base image. When you power on or reset an entire switch stack, some stack members may not participate in the stack master election: only the members that are powered on within the same 20-second window take part in the election and have a chance to become the stack master. Members that come up after that 20-second window do not participate in this initial election and simply join as stack members. Because of this, a switch with a lower software priority can sometimes become the stack master; on a later re-election, however, all stack members participate.

5. The switch with the longest system up-time.

6. The switch with the lowest MAC address.




When is the stack master elected?

  • When the whole switch stack is reset
  • When the stack master is reset or powered off (Note: if you reset the stack master, the whole stack resets)
  • When the stack master is removed from the stack
  • When the stack master switch has failed
  • When the switch stack membership is increased by adding powered-on standalone switches or switch stacks
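As an added illustration (not part of the original post), here is a small Python model of the six rules above applied to a constructed set of stack members; it also models the 20-second participation window from the note under rule 4. The member names, priorities, images, uptimes and MAC addresses are made-up sample values.

```python
# Added example (not from the original post): a small model of the stack master
# election order described above, run over a constructed set of stack members.
# Each rule only breaks ties left by the rules before it.
from dataclasses import dataclass

# Software image types from highest to lowest priority, as listed in the post.
IMAGE_PRIORITY = {
    "crypto-ipservices": 4,     # cryptographic IP services image
    "ipservices": 3,            # noncryptographic IP services image
    "crypto-ipbase": 2,         # cryptographic IP base image
    "ipbase": 1,                # noncryptographic IP base image
}


@dataclass(frozen=True)
class StackMember:
    name: str
    is_current_master: bool     # rule 1
    priority: int               # rule 2: stack member priority value
    non_default_config: bool    # rule 3: non-default interface-level configuration
    image: str                  # rule 4: key into IMAGE_PRIORITY
    uptime_seconds: int         # rule 5
    mac: str                    # rule 6: "aa:bb:cc:dd:ee:ff"


def election_key(member):
    """Tuple compared left to right, one element per rule; larger wins.
    The MAC is negated so that the LOWEST address wins the last tie-break."""
    mac_value = int(member.mac.replace(":", ""), 16)
    return (
        member.is_current_master,
        member.priority,
        member.non_default_config,
        IMAGE_PRIORITY[member.image],
        member.uptime_seconds,
        -mac_value,
    )


def elect_master(members):
    """Return the StackMember that wins under the six rules, in order."""
    if not members:
        raise ValueError("no stack members to elect from")
    return max(members, key=election_key)


def initial_election_participants(boot_offsets, window_seconds=20):
    """Model of the 20-second note above: after a whole-stack power-on, only
    members that come up within window_seconds of the first one take part in
    the initial election. boot_offsets maps member name -> seconds after
    power-on at which that member came up. Returns participant names, sorted."""
    first = min(boot_offsets.values())
    return sorted(n for n, t in boot_offsets.items() if t - first <= window_seconds)


# Constructed sample stack: sw1 and sw2 tie on priority and rule 3, so the
# image type (rule 4) decides before uptime (rule 5) is ever looked at.
SAMPLE_STACK = [
    StackMember("sw1", False, 15, False, "ipbase",            90000, "00:1a:2b:3c:4d:01"),
    StackMember("sw2", False, 15, False, "crypto-ipservices",   600, "00:1a:2b:3c:4d:02"),
    StackMember("sw3", False,  5, True,  "crypto-ipservices", 99999, "00:1a:2b:3c:4d:00"),
]


def demo():
    """Name of the master elected from SAMPLE_STACK (expected: sw2)."""
    return elect_master(SAMPLE_STACK).name


if __name__ == "__main__":
    print("elected master:", demo())
    print("initial-election participants:",
          initial_election_participants({"sw1": 0, "sw2": 12, "sw3": 35}))
```

Running it shows sw2 winning even though sw1 has been up far longer, which is the point of rule 4 sitting above rule 5; flip `is_current_master` on any member and rule 1 overrides everything else.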







Wednesday, 9 October 2019

Upgrading Junos OS on an EX3400 switch using the USB format install method.


My intent with this post is to provide a quick reference guide for recovering, installing and upgrading Junos OS using the USB format install method. Juniper switches are well known for software corruption, caused mainly by unexpected power failure. This should be an easy and useful document for engineers who use Juniper switches in their organization.

Before you begin

 

Prerequisites

  • Copy the Junos OS upgrade image to a USB flash disk
  • Check for adequate space on the EX Series device
  • Prepare the flash drive:

    •  Any USB key formatted with the FAT or FAT32 file system can be used
    •  Plug the USB key into a Windows PC/laptop
    •  Right-click the removable disk and format the drive with the FAT/FAT32 file system
    •  Copy the Junos OS package to the USB key

    Now insert the USB disk into the EX Series switch and follow the commands below.


    CLI Commands 

     

    root> start shell
    root@:RE:0% mount_msdosfs /dev/da1s1 /mnt
    root@:RE:0% cd /mnt
    root@:RE:0% ls
    junos-arm-32-18.1R3-S4.2.tgz
    root@:RE:0% cp junos-arm-32-18.1R3-S4.2.tgz /var/tmp/
    root@:RE:0% cd /var/tmp
    root@:RE:0% ls
    bcast.bdisp.log                 mmcq_sdb_bbe_mmcq
    bcast.disp.log                  pc
    bcast.rstdisp.log               pfe_debug_commands
    bcast.undisp.log                pics
    ex_autod_config                 pkg_cleanup.log.err
    ex_autod_rollback_cfg           rtsdb
    junos-arm-32-18.1R3-S4.2.tgz    sd-upgrade
    krt_rpf_filter.txt              stable
    mmcq_mmdb_rep_mmcq
    root@:RE:0% cli
    {master:0}
    root>request system software add /var/tmp/junos-arm-32-18.1R3-S4.2.tgz no-copy no-validate unlink force reboot

    After the reboot the switch should be running the new version; verify it with the command below:

    root> show version

    fpc0:
    --------------------------------------------------------------------------
    Model: ex3400-48t
    Junos: 18.1R3-S4.2
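Added example, not Juniper's code and not from the original post: a Python helper for the checks a practitioner would want around this procedure. It locates the package on the mounted USB key, computes its SHA-256 so it can be compared with the checksum published by the vendor (an assumption: the post does not verify the image, and its CLI line passes no-validate), produces the exact request system software add line used above, and confirms after the reboot that show version reports the version named by the package. The /mnt and /var/tmp paths are the ones used in the session above; the sample show version text is constructed from the output shown.

```python
# Added example (not Juniper's code, and not from the original post): pre- and
# post-upgrade checks around the USB install above. It finds the package on the
# mounted USB key, verifies its SHA-256 against a checksum you obtained from the
# vendor download page (an assumption: the post itself does not check one, and
# the CLI line uses no-validate), builds the exact CLI command, and checks the
# version reported by "show version" after the reboot.
import hashlib
import re
from pathlib import Path

# Version part of a package name, e.g. junos-arm-32-18.1R3-S4.2.tgz -> 18.1R3-S4.2
_PKG_RE = re.compile(r"^junos-.+?-(\d+\.\d+R\d+(?:-S\d+)?(?:\.\d+)?)\.tgz$")


def package_version(package_name):
    """Version string embedded in a Junos package file name, or None."""
    m = _PKG_RE.match(package_name)
    return m.group(1) if m else None


def find_junos_package(mount_dir):
    """Return the single junos-*.tgz in mount_dir (the USB mount point, /mnt in the post)."""
    pkgs = sorted(Path(mount_dir).glob("junos-*.tgz"))
    if len(pkgs) != 1:
        raise FileNotFoundError(f"expected exactly one junos-*.tgz in {mount_dir}, found {len(pkgs)}")
    return pkgs[0]


def sha256_of(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so a large image does not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_sha256):
    """True if the file's SHA-256 matches the expected hex digest (case-insensitive)."""
    return sha256_of(path) == expected_sha256.strip().lower()


def install_command(staged_path):
    """The CLI line used in the post, for the package copied to /var/tmp."""
    return (f"request system software add {staged_path} "
            "no-copy no-validate unlink force reboot")


def version_from_show_version(output):
    """Parse 'Junos: <version>' out of 'show version' output; None if absent."""
    m = re.search(r"^\s*Junos:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def upgrade_succeeded(package_name, show_version_output):
    """True when the running version equals the one named by the package."""
    want = package_version(package_name)
    return want is not None and want == version_from_show_version(show_version_output)


# Constructed sample of the post-reboot output shown above.
SAMPLE_SHOW_VERSION = """fpc0:
--------------------------------------------------------------------------
Model: ex3400-48t
Junos: 18.1R3-S4.2
"""

if __name__ == "__main__":
    pkg = find_junos_package("/mnt")              # after: mount_msdosfs /dev/da1s1 /mnt
    print("package:", pkg.name, "version:", package_version(pkg.name))
    print("sha256:", sha256_of(pkg))              # compare with the vendor-published digest
    print(install_command(f"/var/tmp/{pkg.name}"))
```

Run the first half in the FreeBSD shell before the `cp` to /var/tmp, and feed the post-reboot `show version` text to `upgrade_succeeded` to close the loop.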

     


Tuesday, 13 November 2018

Security Hardening Avaya Switch Step-by-Step

Setting up banner: 

Avaya_ERS5530(config)# banner custom
Avaya_ERS5530(config)#banner 1 "Welcome to ITINFRATECH Network"

 

System user name and password using ACLI:

 

Avaya_ERS5530(config)# username superadmin rw
Enter password: ********* 
Confirm password: ********* 

To delete a user, overwrite the account with the default value.

 

 

Create a login prompt:


Only two users (one RO and one RW) can be created, for the switch and for the stack each.

Avaya_ERS5530(config)# cli password telnet local (using local user account)
Avaya_ERS5530(config)# cli password telnet radius (using radius)
Avaya_ERS5530(config)# cli password telnet tacacs (using tacacs)
Avaya_ERS5530(config)# cli password telnet none (disable)
Avaya_ERS5530(config)# cli password stack telnet local
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# cli password stack telnet tacacs
Avaya_ERS5530(config)# cli password stack telnet none

* Don't forget the fallback command when you set up RADIUS or TACACS.

 

Configure the password for selected access or a specific authentication type by using the following commands: 

 

Avaya_ERS5530(config)#cli password [serial | telnet] [local | none | radius | tacacs] cli password {read-only | read-write} [<password>]  

 

Enabling or disabling password security using ACLI:

 

Avaya_ERS5530(config)#password security
Avaya_ERS5530(config)#no password security 

 

Setting the password aging time using ACLI:


Avaya_ERS5530(config)#password aging-time day <1–2730>   

 

Setting the HTTP port number using ACLI:


Avaya_ERS5530(config)#http-port <1024–65535>

 

To enable Telnet remote access:


Avaya_ERS5530(config)#telnet-access enable 


To enable SSH remote access:


Avaya_ERS5530(config)# ssh 

 

To enable SNMP remote access:


Avaya_ERS5530(config)#snmp-server enable 
Avaya_ERS5530(config)#snmp-server community ro
Avaya_ERS5530(config)#snmp-server community rw

Configure SNMP host to add trap receiver to the trap-receiver table. 
Avaya_ERS5530(config)#snmp-server host <host-IP> <community-string>


Set the system name:

 

Avaya_ERS5530(config)#snmp-server name "<text>" 

 

To enable Web Page remote access: 

 

Avaya_ERS5530(config)#web-server enable


Configuring Simple Network Time Protocol:

 

Avaya_ERS5530(config)#sntp enable
Avaya_ERS5530(config)#sntp server primary address 10.100.10.15
Avaya_ERS5530(config)#sntp sync-interval 1
Avaya_ERS5530(config)#clock set 10:38:16 25 March 2011
Avaya_ERS5530(config)#clock time-zone UTC 5 30

 

AVAYA POE Power ON/OFF:

 

Avaya_ERS5530(config)#interface ethernet 8
Avaya_ERS5530(config-if)#poe poe-shutdown
Avaya_ERS5530(config)#interface ethernet 8
Avaya_ERS5530(config-if)#no poe-shutdown

 

To delete a VLAN: 

 

Avaya_ERS5530(config)#vlan delete (2-4094)



To Enable Port Mirroring:


Avaya_ERS5530(config)#port-mirroring 2 mode Xrx monitor-port 10 mirror-port-X 12
Avaya_ERS5530(config)#show port-mirroring (to view)
Avaya_ERS5530(config)#no port-mirroring (to disable)

 


Enable Syslog:


Avaya_ERS5530(config)# logging remote address 10.0.0.10
Avaya_ERS5530(config)# logging remote level informational
Avaya_ERS5530(config)# logging remote enable

 

 

Enable RADIUS telnet authentication:

 

Avaya_ERS5530(config)# radius reachability use-icmp ; to allow ICMP to RADIUS srv.
Avaya_ERS5530(config)# radius reachability use-radius ; to send regular request.
Avaya_ERS5530(config)# radius-server host 10.0.0.11 key 123456789
Avaya_ERS5530(config)# radius accounting enable
Avaya_ERS5530(config)# cli password telnet radius


If the switch is used in a stack, enter the following:
Avaya_ERS5530(config)# cli password stack telnet radius
Avaya_ERS5530(config)# radius-server password fallback ; If RADIUS is not available use local user/pwd
Avaya_ERS5530(config)# radius use-management-ip

 

 

To Create L3 VLAN:

 

Avaya_ERS5530(config)#interface vlan 3
Avaya_ERS5530(config)#ip add 10.0.0.9 netmask 255.255.255.0
Avaya_ERS5530(config)#ip routing
Avaya_ERS5530(config)#exit


 

 Port Security:

 

Avaya_ERS5530(config)#mac-security enable (globally enable MAC security)
Avaya_ERS5530(config)#mac-security mac-address-table address xx:xx:xx:xx:xx:xx port 10 (the allowed MAC address)
Avaya_ERS5530(config)#interface ethernet 10
Avaya_ERS5530(config-if)#mac-security enable

 

Basic CLI show command list:


show vlan
show audit log telnet
show ip route
show ipmgr
show running-config
show license all
show cli password
show cli password type
show tacacs
show radius-server
show ssh session
show ssh global
show snmp-server
show snmp-server view
show mac-security mac-address-table
show interfaces
show interfaces names



Change VLAN assignment:



Avaya_ERS5530>enable
Avaya_ERS5530# conf t
Avaya_ERS5530(config)# vlan members remove 1 1/23
Avaya_ERS5530(config)# vlan members add 10 1/24
Avaya_ERS5530(config)# vlan ports 1/24 pvid 10


Save configuration:


Avaya_ERS5530# copy config nvram (or: write memory)
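Added example (not Avaya's code and not from the original post): a Python audit that reads an ERS running-config as text and reports which of the hardening steps above are missing or deserve a second look. The sample config is constructed from the commands in this post, and the line formats are assumed to match what show running-config prints; adjust the patterns if your firmware prints them differently.

```python
# Added example (not Avaya's code, and not from the original post): a small
# audit of an ERS running-config, as text, against the hardening steps in this
# post. The sample config is constructed from the commands shown above; the
# exact line formats ERS prints in "show running-config" are an assumption here.
import re

# Settings the steps above turn on; each is (key, line pattern, description).
REQUIRED = [
    ("banner",         r"banner \d+ ",                 "login banner"),
    ("ssh",            r"ssh$",                        "SSH remote access"),
    ("password-sec",   r"password security$",          "password security"),
    ("password-aging", r"password aging-time day \d+", "password aging"),
    ("syslog-address", r"logging remote address \S+",  "remote syslog target"),
    ("syslog-enable",  r"logging remote enable$",      "remote syslog sending"),
    ("sntp",           r"sntp enable$",                "SNTP time sync"),
]

# Settings worth a second look: the post enables them, but both are cleartext
# management channels.
REVIEW = [
    ("telnet", r"telnet-access enable$", "Telnet remote access is enabled (cleartext)"),
    ("http",   r"web-server enable$",    "web management is enabled"),
]


def normalize(config_text):
    """Config lines with blanks, comments and any pasted CLI prompts removed."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # allow input pasted straight from a session, e.g. "Avaya_ERS5530(config)#ssh"
        line = re.sub(r"^\S+\(config(?:-if)?\)#\s*", "", line)
        lines.append(line)
    return lines


def _has(lines, pattern):
    return any(re.match(pattern, line) for line in lines)


def audit(config_text):
    """List of findings, each 'MISSING <key>: ...' or 'REVIEW <key>: ...'."""
    lines = normalize(config_text)
    findings = []
    for key, pattern, desc in REQUIRED:
        if not _has(lines, pattern):
            findings.append(f"MISSING {key}: {desc} not configured")
    for key, pattern, desc in REVIEW:
        if _has(lines, pattern):
            findings.append(f"REVIEW {key}: {desc}")
    # The post's own caveat: with RADIUS and no fallback there is no local
    # login path when the RADIUS server is unreachable.
    uses_radius = _has(lines, r"cli password (?:stack )?telnet radius$")
    if uses_radius and not _has(lines, r"radius-server password fallback$"):
        findings.append("MISSING radius-fallback: telnet auth uses RADIUS "
                        "but 'radius-server password fallback' is not set")
    return findings


def finding_keys(config_text):
    """Just the keys, handy for a quick diff between two switches."""
    return [f.split()[1].rstrip(":") for f in audit(config_text)]


# Constructed sample: partially hardened, with several steps from the post skipped.
SAMPLE_CONFIG = """\
banner 1 "Authorized access only"
username superadmin rw
cli password telnet radius
radius-server host 10.0.0.11 key 123456789
telnet-access enable
password security
snmp-server enable
logging remote address 10.0.0.10
logging remote level informational
sntp enable
sntp server primary address 10.100.10.15
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the sample it reports SSH, password aging and the syslog enable line as missing, flags Telnet, and points out that RADIUS is used for Telnet login without the fallback command from the post.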

 

 





Monday, 5 November 2018

Google Nexus Wifi saved. But not connecting to Hidden SSID.

I have a number of Wi-Fi connections saved on my mobile (including hidden and open SSIDs), but recently I noticed a peculiar issue with my Google Nexus mobile not connecting to hidden SSIDs; instead the Wi-Fi profile goes into saved mode. From there on I don't see much option to connect back to the SSID; to connect to the hidden SSID again I need to forget and reconfigure the Wi-Fi profile.

I tried updating the device to the latest updates available, resetting network settings, and even a factory reset, but no luck, still the same issue. Every time I reconfigured the profile I was able to connect to the hidden SSID, but when I move out of the coverage area and come back again, or if I try to edit the Wi-Fi profile's proxy settings manually and then turn Wi-Fi off and on, the profile goes into saved mode.

By replicating the same scenario, I did a packet capture to see what is happening in the back end. From the packet capture I came to know that every time the profile goes into saved mode the device is not sending any probe request to the AP, hence the connection process is not happening. As this issue is specific to hidden SSIDs and not to open SSIDs, it seems the Nexus mobiles are not saving hidden-SSID Wi-Fi profiles.


From the above capture you can see that once I turn off the Wi-Fi the mobile gets de-authenticated from the AP, and when I turn on the Wi-Fi the profile goes into saved mode and there is no probe request being sent from the mobile to the AP.

If anyone knows a workaround to automate the connection requests from saved Wi-Fi profiles, kindly reply to me on this post.

Saturday, 27 October 2018

The response from the remote server was:553 Message filtered. Refer to the Troubleshooting page at http://www.symanteccloud.com/troubleshooting for more information.

For the past two days all the emails I send to particular domains are getting bounced with an error: "The response from the remote server was: 553 Message filtered. Refer to the Troubleshooting page at http://www.symanteccloud.com/troubleshooting for more information." The error indicates that my email was blocked as spam by the Symantec anti-spam filter. I got to know from the Symantec forums that
email bounce-backs occur when an email is sent to an Email Security.cloud client and a rule is triggered by the email recipient's configuration. As suggested by Symantec I tried all the possible recommendations to resolve the issue, but unfortunately none of these recommendations proved to be the issue in my case (Symantec recommendation).

On reaching my Suite support I understood that my email message had bounced because a Google IP address has been blacklisted by Symantec Cloud filtering, and as suggested by Suite I was asked to contact the recipients' support to add the Gmail IP addresses to their Simple Mail Transfer Protocol (SMTP) gateway's whitelist.



It is a really tough job to reach out to all the customers to whitelist the Google IP addresses on their Simple Mail Transfer Protocol (SMTP) gateways. However, I'm able to send emails without adding hyperlinks to my email signature or to the body of the email. It seems Symantec is filtering the hyperlinks added to the emails, but I don't have visibility of how the third party is treating the links or how their filtering works.

If someone who is aware of this Symantec Cloud filtering can elaborate on how the hyperlinks can be modified or altered so that the email is processed successfully, it will be really helpful for me in resolving the issue.

Tuesday, 16 October 2018

HP Procurve Switch Privilege level access via Radius

Integrating switches with a RADIUS server and authenticating with AD credentials is pretty easy to set up, but the interesting part, where many people find difficulties, is user privilege level access through the RADIUS server. First let's understand how to integrate switches with the RADIUS server; later we can control user-level access through it.

Integrating Switch With Radius Server:


Hopefully everyone is aware of how to set up a secure certificate infrastructure. With the Active Directory Certificate and NPS (Network Policy Server) roles installed on your server, you need to create a connection request policy and a network policy as mentioned below.

NPS Policy Configuration:

Connection Request Policy: NAS Port Type=Virtual(VPN)

Network policy: NAS Port Type= Virtual (VPN) + Windows Group.






Switch End Configuration:

I've added the following fairly standard RADIUS configuration to the switch. Since I've already completed my testing phase with web authentication, I'm configuring SSH.

aaa authentication SSH login radius local
aaa authentication SSH enable radius local

radius-server host 10.100.10.229 key 123456789

With this configuration I'm able to log in to the switch using AD credentials, but the problem here is that all the user accounts in the Windows group specified in the NPS network policy have full access to the switch. Let's restrict user privilege level access through the RADIUS server.



User Privilege level access through Radius Server:


You can assign the privilege level on the RADIUS server by using the Service-Type attribute. This only takes effect when you configure the switch with the command below.

hostname(config)# aaa authentication login privilege-mode

  • Service-Type 6 (Administrative): allows full access to any services specified by the aaa authentication console commands.

  • Service-Type 7 (NAS prompt): if you configure aaa authentication for Telnet/SSH, it allows access to the CLI, but configuration mode is blocked; only monitoring access is allowed.
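Added example, not from the original post and not HP's code: a Python sketch of how the Service-Type attribute travels in the RADIUS Access-Accept and how a switch can map it to the two privilege levels described above. Packet layout, attribute encoding and the Response Authenticator follow RFC 2865; the shared secret (the sample key from the post) and the request authenticator are constructed values. What a real switch does when the attribute is absent or carries another value is not covered by the post, so the mapping function returns None in that case and leaves the decision to the caller.

```python
# Added example (not HP's code, and not from the original post): how the
# Service-Type attribute the post relies on travels in a RADIUS Access-Accept,
# and how a switch can turn it into a privilege level. Packet layout and the
# Response Authenticator follow RFC 2865; the shared secret and request
# authenticator below are constructed sample values.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                 # RADIUS code
ATTR_SERVICE_TYPE = 6             # attribute type
SERVICE_TYPE_ADMINISTRATIVE = 6   # full (manager) access, per the post
SERVICE_TYPE_NAS_PROMPT = 7       # CLI access, configuration mode blocked


def encode_attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes as well."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier, request_authenticator, secret, service_type):
    """Access-Accept carrying one Service-Type attribute. The Response
    Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    attrs = encode_attribute(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute area after the 20-byte header."""
    i = 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, packet[i + 2:i + length]
        i += length


def verify_access_accept(packet, request_authenticator, secret):
    """True if the Response Authenticator is valid for this request and secret."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def privilege_from_access_accept(packet, request_authenticator, secret):
    """Map Service-Type to the privilege levels the post describes:
    6 -> "manager", 7 -> "operator". Returns None when the packet fails
    authentication or carries no recognised Service-Type; what a real switch
    does in that case is not covered by the post, so the caller decides."""
    if not verify_access_accept(packet, request_authenticator, secret):
        return None
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            service = struct.unpack("!I", value)[0]
            if service == SERVICE_TYPE_ADMINISTRATIVE:
                return "manager"
            if service == SERVICE_TYPE_NAS_PROMPT:
                return "operator"
    return None


# Constructed sample values: the key from the post and a fixed request authenticator.
SECRET = b"123456789"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    for st in (SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT):
        pkt = build_access_accept(0x2A, REQUEST_AUTH, SECRET, st)
        print(f"Service-Type {st}: {pkt.hex()} -> "
              f"{privilege_from_access_accept(pkt, REQUEST_AUTH, SECRET)}")
```

The Response Authenticator is what ties the Service-Type value to the shared secret: changing the attribute in transit (or replying with a different secret) fails verification, so the switch never reads the privilege out of an unauthenticated reply.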









Sunday, 14 October 2018

An error occurred while trying to save or publish your post. Please try again. Dismiss


I'm new to blogging. When I was working on my first post I was repeatedly prompted with the following error.

"An error occurred while trying to save or publish your post. Please try again. Dismiss". Initially I was not getting this error, but when I was about to complete my very long post I got this error repeatedly and it never went away. I was not even allowed to save my document: when I tried to save and exit I got a pop-up saying I had unsaved data, and if I clicked OK to proceed I lost the whole document. I was really frustrated and wondered about the cause of this issue, and I never came up with a proper solution. Anyhow, I tried to figure out the issue, and some of my troubleshooting steps are given below.

1. Internet and cache - Initially I tried clearing the browser cache and verified the Internet connectivity. I tried to edit the document and again on the same page I got the error.


2. Text formatting - Another suspect was text formatting, since I had my document ready in MS Word and copied all the contents from Word. I tried again after reformatting the text, but no luck, still the same error.

3. Copying images - I copied all the images related to my document directly from MS Word; most blogs suggest saving the images and then importing them. I imported all my images using the import option, but no luck, still the same error.

Finally I isolated the problem by deleting some data and saving; by doing this, at a certain point the error went away. To replicate the issue I started typing some 50 characters, and this time I got the same error again, but when I deleted the 50 characters the error went away. After struggling for more than a day with this error I came to the conclusion that when the blog data exceeds a certain size, we are not able to either save or preview the blog.