ipnetworking.net

linux and networking articles

Brocade VDX – Interconnecting Fabrics – line protocol down (ISL down)

While interconnecting two Brocade VDX VCS fabrics using normal ethernet trunks i stumbled on the following interface status during a migration:

The interface configuration was configured as follows on both ends:

Note that ISL is disabled and fabric trunking is disabled as well. No problem to connect two separate fabrics this way you would think….. :)

After some attempts getting this interface up and running, it appears there is a neighbor discovery protocol on the VDX that still checks for the VCS ID configured on the fabrics ( you cant turn it off).  When both fabrics that you would like to interconnect are using the same VCS ID you will not be able to get a normal trunk up even if you disable ISL on these links. Solution is to renumber one of the fabrics to another VCS id. Sad thing is that renumbering a VCS id means you will loose the current configuration of the fabric member.

I hope this post helps, as it took me some time to figure this stupid thing out.

Cheers!

Synology NAS backup with rsync

This post will outline the configuration needed to backup a Synology NAS to a remote rsync server running Ubuntu server 16.04

rsyncd server configuration

Configure rsync to run as daemon

edit /etc/rsync/defaults and set:

edit /etc/rsyncd.conf and set the following vars, path should be edited to where your mountpoint is. Below mount point is a NFS mount.

edit /etc/rsyncd.secrets and add the following:

This is the username and password you will need to configure on the Synology NAS when setting up the backup target with hyperbackup.

Set the file permissions correctly:

After this restart rsyncd:

NFS mountpoint

The configuration below is my own setup and related to the content above.

edit /etc/fstab and add the following entry:

The ls command should now trigger automount:

 

Packetcapture in Nexus VDC

This post will outline how to make a packetcapture in a VDC using a Cisco Nexus device.

The ethanalyzer tool is only available in the Admin VDC, in order to make a packetcapture in a regular VDC some commands are needed to be able to capture the traffic in the Admin VDC.

This can be done by creating ACL’s in the VDC you would like to capture traffic from. If you use the “log” statements per ACE, the packet is punted to the supervisor and you can capture it in the Admin VDC.

Regular VDC configuration:

Creating the ACL:

It is important to permit ip any any at the end of the ACL.

Adding the ACL to a switchport (L2 interface):

Adding the ACL to a routed port (L3 interface):

Note that that the packetcapture is unidirectional. If you want to make a bidirectional packetcapture apply it to the appropiate interface with reverse ACL logic.

You can use wireshark’s mergecap to merge the two packetcaptures.

Admin VDC configuration:

Here is the ethanalyzer capture command syntax. Ofcourse you can use the other available parameters to capture the traffic or even store the pcaps locally on flash for analysis in wireshark.

 

Deny SSH on Brocade VDX

Yet another Brocade VDX post! This time on how to block SSH access on VE interfaces. Sounds pretty simple, but took some time to find out how to do it!

After some Cisco Catalyst to Brocade VDX configuration conversions, i was not able to block SSH access to the IP interfaces that existed on the Brocade VDX. Usually some of these options are available:

  1. SSH access-group (not supported)
  2. VTY lines configured with access-group and transport set to SSH
  3. VRF aware SSH daemon support (not supported), current Brocade NOS versions (>5.x) have mgmt-vrf capabilities. So you would think SSH could be limited to the mgmt-vrf, unfortunately not (yet).
  4.  ip access-list denying non-management networks to SSH

So i focused on solution 4, but couldn’t get it work. What i tried to use was the following configuration stanza, for this internet facing ve:

I was still able to SSH to the ip address configured on ve 100.

Apparently there is a Brocade style ACE action, named “hard-drop”. The hard-drop action denies traffic to the CPU of the VDX and also works for ‘transit traffic’.

The access-list INET-IN should be configured to:

Now the ACL is doing what it is supposed to do, dropping SSH access to the VDX VE interface from the big bad interwebz. Eventually pretty easy!

« Older posts

© 2016 ipnetworking.net

Theme by Anders NorenUp ↑