
Wednesday, October 17, 2018

HPE Comware packet capture


How to activate and use built-in packet capture on HPE Comware switches

The firmware upgrade bundle contains, next to the boot and system images, a separate feature image package for packet capture (in this example 5130ei-cmw710-packet-capture-r3208p10.bin):


After upgrading the boot and system images to the release the feature package is built for (R3208P10 here), log in to the switch and run the following command:

install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1

You should see the following output:

<HPE-5130-EI>install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1
Verifying the file flash:/5130ei-cmw710-packet-capture-r3208p10.bin on slot 1.....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:

flash:/5130ei-cmw710-packet-capture-r3208p10.bin
  Running Version             New Version        
  None                        Release 3208P10   

  Slot                        Upgrade Way       
  1                           Service Upgrade   
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait..................Done.

Then commit the change so that it is kept as the startup software and survives a reboot:

<HPE-5130-EI>install commit
This operation will take several minutes, please wait........................Done.

Check that the feature package is activated:

<HPE-5130-EI>show install active
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin

Then reboot the switch:

<HPE-5130-EI>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y

After the switch reloads, the built-in packet capture is available. The command below is run with no filter; use capture-filter or display-filter to narrow it down:

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52 ?
  autostop               Specify the autostop criteria for packet capture
  brief                  Brief information
  capture-filter         Specify a filter rule for packet capture
  capture-ring-buffer    Specify the criteria for saving captured frames to a
                         new capture file
  display-filter         Specify a filter rule for displaying captured frames
  limit-captured-frames  Specify the maximum number of captured frames
  limit-frame-size       Specify the maximum size of a frame to be captured
  raw                    Display the packet data in hexadecimal format
  verbose                Detailed information
  write                  Specify the directory for saving captured frames
  <cr>                  

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52
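As an added check that is not part of the original post: the script below parses the `show install active` output shown above and confirms that the packet-capture feature package is active on every slot listed and carries the same release as the boot and system images, since a feature image from a different release than the running system image cannot be used. It is example code, assumed to run on a workstation with the command output pasted in or collected over SSH; the sample output is the one from this post.

```python
"""Check `show install active` output before relying on the packet-capture feature.

Added example, not code from the original post. Parses the active package list
and confirms (1) the packet-capture package is active on every slot and (2) its
release matches the boot and system images on that slot.
"""
import re
from collections import defaultdict

# Output copied from the post (HPE 5130 EI, Comware 7, release R3208P10).
SHOW_INSTALL_ACTIVE = """\
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin
"""

SLOT_RE = re.compile(r"^Active packages on slot (\d+):")
# <platform>-cmw710-<image>-<release>.bin, e.g. 5130ei-cmw710-packet-capture-r3208p10.bin
PKG_RE = re.compile(r"^\s*flash:/\w+-cmw710-([a-z][a-z-]*?)-(r\d+p\d+)\.bin\s*$", re.IGNORECASE)


def parse_active_packages(output: str) -> dict:
    """Map slot -> {image type -> release}, e.g. {1: {"boot": "r3208p10", ...}}."""
    slots = defaultdict(dict)
    slot = None
    for line in output.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            continue
        m = PKG_RE.match(line)
        if m and slot is not None:
            image, release = m.group(1).lower(), m.group(2).lower()
            slots[slot][image] = release
    return dict(slots)


def feature_ready(output: str, feature: str = "packet-capture") -> tuple:
    """Return (ok, problems). ok is True only when every slot has the feature
    package active at the same release as its boot and system images."""
    problems = []
    slots = parse_active_packages(output)
    if not slots:
        return False, ["no active package list found"]
    for slot, images in sorted(slots.items()):
        release = images.get(feature)
        if release is None:
            problems.append(f"slot {slot}: {feature} package not active")
            continue
        for base in ("boot", "system"):
            if images.get(base) != release:
                problems.append(
                    f"slot {slot}: {feature} is {release} but {base} is {images.get(base)}"
                )
    return not problems, problems


if __name__ == "__main__":
    ok, problems = feature_ready(SHOW_INSTALL_ACTIVE)
    print("packet-capture ready" if ok else "\n".join(problems))
```

On a stacked (IRF) system the output lists one "Active packages on slot N:" block per member, and the check is applied to each slot independently, which is why the feature image was activated with an explicit `slot 1` above.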



Monday, August 13, 2018

pfSense DHCP option 43 for Aruba Networks


Here is a quick post on configuring DHCP options 43 and 60 for Aruba Networks APs on pfSense.

DHCP option 43 tells the AP the IP address of the master controller. When an AP first boots it needs to reach the master controller to receive its initial configuration (AP name, group, LMS/backup LMS). There are several ways to tell an AP where the master is; DHCP option 43 is one of them.

DHCP option 60 (the vendor class identifier) lets the server identify the vendor of the client, so the controller address is handed out to Aruba APs rather than to every DHCP client.

Log in to the pfSense web GUI, go to Services / DHCP Server and select the interface that serves the APs.
Scroll down to Additional BOOTP/DHCP Options and add the following options:




Note that option 43 must be entered as hex, and the value to convert is the ASCII text of the dotted-decimal address, not the four address bytes: 10.100.110.200 becomes 31302e3130302e3131302e323030, not 0a646ec8.

So in my example I need to convert the master controller IP 10.100.110.200; the following site eases the conversion: https://www.asciitohex.com/

Finally, click Save and let the AP boot.
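As an added example, not part of the original post: the script below does the option 43 conversion for the master address used here and then plays both sides of the exchange, the AP's request carrying option 60 and the server's reply carrying option 43, encoded and decoded as real DHCP option bytes. The value ArubaAP for option 60 is assumed here as the vendor class Aruba APs send; the option bytes are constructed inline so the script runs offline.

```python
"""Build and decode the DHCP options that point an Aruba AP at its master controller.

Added example, not code from the original post. Option 43 carries the master
address as ASCII text (hence the hex you type into pfSense is the hex of the
dotted-decimal string, not of the four address bytes); option 60 is the vendor
class identifier. "ArubaAP" is assumed as the Aruba AP vendor class.
"""
import ipaddress
from typing import Optional

MASTER_IP = "10.100.110.200"   # master controller from the post
VENDOR_CLASS = "ArubaAP"       # assumed vendor class identifier sent by Aruba APs


def option43_hex(master_ip: str) -> str:
    """Hex string to paste into pfSense for option 43: ASCII of the dotted quad."""
    ipaddress.IPv4Address(master_ip)  # reject malformed input early
    return master_ip.encode("ascii").hex()


def encode_option(code: int, value: bytes) -> bytes:
    """One DHCP option in code/length/value form (RFC 2132)."""
    if not 0 < len(value) <= 255:
        raise ValueError("DHCP option value must be 1..255 bytes")
    return bytes([code, len(value)]) + value


def parse_options(blob: bytes) -> dict:
    """Walk a DHCP option field (pad = 0, end = 255) into {code: value}."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts


def client_request_options() -> bytes:
    """Constructed AP side: the vendor class the AP puts in its DISCOVER/REQUEST."""
    return encode_option(60, VENDOR_CLASS.encode("ascii")) + b"\xff"


def server_reply_options(request_opts: dict, master_ip: str = MASTER_IP) -> bytes:
    """Server side: hand out option 43 only when option 60 identifies an Aruba AP."""
    reply = b""
    if request_opts.get(60) == VENDOR_CLASS.encode("ascii"):
        reply += encode_option(43, bytes.fromhex(option43_hex(master_ip)))
    return reply + b"\xff"


def master_from_reply(reply_opts: dict) -> Optional[str]:
    """AP side: read the master address from option 43, or None if it is missing
    or holds the packed 4-byte address instead of ASCII text (the mistake the
    post warns about)."""
    raw = reply_opts.get(43)
    if raw is None:
        return None
    try:
        text = raw.decode("ascii")
        ipaddress.IPv4Address(text)
    except ValueError:  # UnicodeDecodeError and AddressValueError both derive from ValueError
        return None
    return text


if __name__ == "__main__":
    print("option 43 hex for pfSense:", option43_hex(MASTER_IP))
    request = parse_options(client_request_options())
    reply = parse_options(server_reply_options(request))
    print("master learned by the AP:", master_from_reply(reply))
```

Running it prints 31302e3130302e3131302e323030 for option 43, which is the value to enter in pfSense; feeding the packed form 0a646ec8 through master_from_reply returns None, which is what the AP effectively sees when the wrong encoding is used.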

Here is the pcap result:




Friday, April 6, 2018

Aruba Remote AP (RAP) Configuration step-by-step


Aruba OS version: 6.5.4.5 build 63925

This guide walks step by step through configuring an Aruba Remote AP (RAP).

I will use the following topology:



Device/Host   IP Address       Description
Aruba MC      192.168.99.1     Internal address used as master IP address
Campus AP     192.168.99.2     Internal IP
FW #1         192.168.99.254   Internal IP
              10.0.0.1         External IP
FW #2         172.16.0.254     Internal IP
              10.0.0.2         External IP
Remote AP     172.16.0.5       Internal IP

The Aruba MC and the remote AP each sit behind a firewall that performs NAT towards the internet.
     1.    Log in to the MC
     2.    Go to Configuration -> Advanced Services -> VPN Services -> IPSEC
     3.    Under Address Pools click Add
     4.    Configure an address pool for the remote APs (the inner IPsec addresses the RAPs will be assigned):


     5.    Click Done
     6.    Under NAT-T Check Enable NAT-T:


     7.    Scroll down and click Apply
     8.    Next go to Configuration -> Wireless -> AP Configuration and create a new group for the remote APs
     9.    In the group (KS-RAP in this example) go to AP -> AP system profile and create a new profile for this group:



     10.  In this profile make sure that the LMS IP address is the MC external IP (10.0.0.1 in this topology, the FW #1 address that is forwarded to the MC):
 


     11.  Now go to Configuration -> Wireless -> AP Installation -> Whitelist, click Remote AP and then click Entries:


     12.  Insert the MAC address of the remote AP into the MC local database (localdb), choose the newly created AP group (KS-RAP) and click Add:


      13.  Click Save Configuration on the MC to save all changes.

Next, configure the remote AP. Connect to the RAP with a console cable and, at the bootloader prompt:
     1.    Press Enter to stop the autoboot process
     2.    Type setenv remote_ap 1
     3.    Type setenv master 10.0.0.1
     4.    Type setenv serverip 10.0.0.1
     5.    Type saveenv
     6.    Type boot


NAT Traversal

Because both firewalls perform NAT, the IPsec tunnel between the MC and the RAP has to use NAT traversal (NAT-T, UDP port 4500).
On firewall #1 configure a static NAT with port forwarding that passes UDP port 4500 from outside to the MC (10.0.0.1 -> 192.168.99.1), and on FW #2 configure a policy that allows the remote AP outbound access to UDP port 4500.

Each firewall/router configuration is different and is outside the scope of this post.

Remote AP Authentication

In the following example I'm using certificate-based authentication: the RAP presents its factory-installed certificate and the MC authorizes it by matching its MAC address against the local database (localdb). This way we can pre-provision an AP that has never connected to the MC before. Note that the factory certificate is what actually authenticates the RAP; the MAC whitelist entry only authorizes it, so the whitelist should not be relied on as an authentication control by itself.
IPsec PSK can be used instead, but that requires the RAP to be connected to the MC as a campus AP before it is converted to a RAP.