
Wednesday, 24 September 2014

Install snmpwalk snmpget on CentOS

How to install snmpwalk and snmpget on CentOS

Step 1: First check whether snmpwalk is already present:

[root@localhost ~]# snmpwalk
-bash: snmpwalk: command not found
[root@localhost ~]#

Step 2: Install snmpwalk and snmpget. Both ship in the net-snmp-utils package. They support SNMPv1, v2c and v3; prefer v3 with authentication and privacy wherever the agent allows it, because v1/v2c community strings travel across the network in cleartext.

[root@usevlx08-almighty ~]# yum install net-snmp-utils
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.someimage.com
 * extras: bay.uchicago.edu
 * updates: centos.mirror.constant.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package net-snmp-utils.x86_64 1:5.5-49.el6_5.3 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================
 Package                          Arch                     Version                            Repository                 Size
==============================================================================================================================
Installing:
 net-snmp-utils                   x86_64                   1:5.5-49.el6_5.3                   updates                   174 k

Transaction Summary
==============================================================================================================================
Install       1 Package(s)

Total download size: 174 k
Installed size: 362 k
Is this ok [y/N]: y
Downloading Packages:
net-snmp-utils-5.5-49.el6_5.3.x86_64.rpm                                                               | 174 kB     00:00    
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:net-snmp-utils-5.5-49.el6_5.3.x86_64                                                                     1/1
  Verifying  : 1:net-snmp-utils-5.5-49.el6_5.3.x86_64                                                                     1/1

Installed:
  net-snmp-utils.x86_64 1:5.5-49.el6_5.3                                                                                     

Complete!

Wednesday, 20 August 2014

This device has booted from the backup Junos image

When I booted a Juniper SRX240 after shipment to another country, I experienced this error message.

!!!
WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE
It is possible that the primary copy of JUNOS failed to boot up
properly, and so this device has booted from the backup copy.
Please re-install JUNOS to recover the primary copy in case
it has been corrupted
!!!
You may suspect a hardware problem, but before panicking try the steps below. If they do not help, contact Juniper TAC if you have a support agreement.

1. Since the system has booted from the backup Junos image, we know it is up and running, so we want to copy the backup image over the primary image, also known as snapshotting the backup slice to the primary slice.

To confirm that you are actually running on the backup image:

root@SRX240> show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: backup (da0s1a)
Partitions information:
Partition Size Mountpoint
s1a 292M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery

As you can see, it booted from the backup slice. Now run the command below to snapshot the running (backup) slice onto the alternate (primary) slice:
root@srx1> request system snapshot slice alternate
Formatting alternate root (/dev/da0s2a)…
Copying ‘/dev/da0s1a’ to ‘/dev/da0s2a’ .. (this may take a few minutes)

The following filesystems were archived: /
You can now reboot with "request system reboot". After the reboot, use "show system storage partitions" to verify that you booted from the "active" partition.
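The whole recovery sequence, with the check a practitioner would want between snapshot and reboot, as an added example that is not part of the original post. The prompt name is an assumption (the post shows both "SRX240" and "srx1"), the trailing "#" notes are annotations and not Junos input, and no command output is reproduced here:

```text
root@SRX240> show system storage partitions         # confirm "Currently booted from: backup"
root@SRX240> request system snapshot slice alternate    # copy the running (backup) slice over the alternate (primary) slice
root@SRX240> show system snapshot media internal    # both slices should now report the same Junos version
root@SRX240> request system reboot                  # boot from the primary slice again
root@SRX240> show system storage partitions         # expect "Currently booted from: active"
```

Because the snapshot copies whatever the backup slice contains, the primary slice ends up on the backup's Junos version, which may be older than what was running before the failure; the "show system snapshot media internal" check tells you which version you are about to boot, and the upgrade in the next step brings it back to where you want it.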

When that is done, you can upgrade your primary partition as usual. For more information, see this Juniper KB: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16652

Monday, 14 July 2014

VPN between Netscreen and Checkpoint 1 kept failing from Checkpoint side

VPN between Netscreen ScreenOS and Checkpoint-1.

We have all been in the situation where a project, a solution architect, a partner or a customer won't listen to our recommendation NOT to mix products when setting up a VPN.

In this situation it was a customer of my enterprise company that refused to accept us sending active equipment to be placed on their premises, and the customer of course did not want to put active equipment on our side. We strongly recommend doing either one or the other, to have a clear and more manageable demarcation point. And when I say demarcation point, I mean sharing responsibility in the easiest way, without any doubt about where the fault might be: port-cable-port, within the same rack if possible.

That left us setting up an IPsec tunnel over the Internet between two different products, Checkpoint and Netscreen.

Checkpoint uses policy-based VPN, while Netscreen is more at home with route-based VPN.

I'm not debating which firewall/VPN concentrator is the best; I'll let others do that. But in general, most network vendors don't follow the various RFCs to the letter. They all make some small adjustments as they see fit for their needs.

The problem we faced was that traffic initiated from the Checkpoint side while the VPN was down did not seem to bring the tunnel up; by that I mean the Phase 1 proposal from Checkpoint did not appear compatible with what the Netscreen expected.

The VPN would always come up if traffic was initiated from Netscreen to Checkpoint.

But since traffic was not always initiated from our side, we had a problem.

Solution:
The solution was to enable monitor and rekey on the Netscreen, ensuring the VPN was re-negotiated without the need for traffic. We can still monitor the VPN with a simple IP monitor from the other side.

On the Netscreen we have to use proxy-IDs that match the policy-based VPN configuration (the encryption domain) on the Checkpoint, and on top of that have "monitor rekey" enabled:

set vpn "<vpn name>" monitor rekey

set vpn "<vpn name>" proxy-id local-ip 192.168.1.1/32 remote-ip 172.16.1.1/32 "ANY"


If you have any questions of the actual config, let me know.
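A minimal route-based ScreenOS configuration in which those two lines sit, as an added example and not the config from the original post. Gateway, VPN and interface names, the peer address, the subnets and the proposal names are assumptions, the preshared key is a placeholder, and the "#" lines are annotations rather than ScreenOS commands:

```text
# Tunnel interface for the route-based VPN (unnumbered on the Internet-facing interface).
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0

# Phase 1: main mode toward the Checkpoint peer; proposal must match what the peer offers.
set ike gateway "gw-checkpoint" address 203.0.113.10 Main outgoing-interface "ethernet0/0" preshare "REPLACE-WITH-STRONG-PSK" proposal "pre-g2-aes128-sha"

# Phase 2 bound to the tunnel interface.
set vpn "vpn-checkpoint" gateway "gw-checkpoint" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "vpn-checkpoint" bind interface tunnel.1

# Proxy-ID mirrors the Checkpoint encryption domain (local and remote are swapped
# relative to the Checkpoint side). A mismatch here fails Phase 2, not Phase 1.
set vpn "vpn-checkpoint" proxy-id local-ip 192.168.1.0/24 remote-ip 172.16.1.0/24 "ANY"

# Monitor plus rekey: the Netscreen re-negotiates the SA itself, so the tunnel
# no longer depends on which side sends the first packet.
set vpn "vpn-checkpoint" monitor rekey

# Route the remote subnet into the tunnel.
set route 172.16.1.0/24 interface tunnel.1
```

If the Checkpoint encryption domain contains several subnets, each pair that must be negotiated needs its own matching proxy-ID; a single summarised proxy-ID that does not exactly match the peer's domain will be rejected in the same way as the mismatch the post describes.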

Thursday, 10 July 2014

Helpful Dell Force 10 commands

When working with Dell Force10 networking equipment, the following CLI commands are very helpful.

"show int status" - shows all interfaces and which VLANs each is a member of. Unfortunately it will not show which VLANs the port is tagged and untagged in.

"show vlan" - shows your VLANs and which ports are members of those VLANs.

"show vlt brief" - if you are using VLT LAG port-channels, use this to show the status of your VLTs.

"q" - will exit the switch, compared with HP switches where you have to type "exit" to log out.

In config mode, "interface range tengigabitethernet <ports>" (for example "interface range tengigabitethernet 0/1 - 4") lets you apply commands such as "switchport" or the "spanning-tree" options to multiple ports at the same time instead of per interface.

Using tcpdump correctly in Linux

A common mistake made by engineers using tcpdump on Linux is not reviewing the options. There are only so many times I can correct engineers who are unable to grep a specific IP address out of a tcpdump because reverse DNS lookup is enabled.

As an example, if you run "tcpdump -i eth0 | grep 172.16.1.1", expect a match and get nothing, remove the pipe and the grep and look at the raw output first. If your host has DNS configured and that IP has a reverse-DNS entry, tcpdump prints the DNS name instead of the IP, so the grep never matches. Always use the "-n" option so that IPs are not resolved to names. Note also that "-i" takes the interface name as its argument, so the interface must follow it directly:

$ tcpdump -n -i eth0 | grep <ip address>

If you also want to stop tcpdump from resolving well-known port numbers to service names, add another "n":

$ tcpdump -nn -i eth0 | grep <ip address>

Two further points worth knowing: tcpdump block-buffers its output when it is piped, so add "-l" (line buffered) if you want grep to show matches as they happen rather than in bursts; and a capture filter (for example the expression host <ip address> appended after the options) selects the traffic in the kernel, so the packets you care about are never dropped by a busy grep. For more options and more verbose output you can add "-v" or "-vv", or type "man tcpdump".

Force 10 % Error: Port is in Layer-2 mode Te-xx

You probably get this message if you try to change the port mode of a port that is already configured as a switchport with spanning-tree edge-port.

The drawback with Dell Force10 is that you have to remove spanning-tree and switchport before you can change the port mode, then add "switchport" and "spanning-tree edge-port" back. Not sure why they did it that way.

interface TenGigabitEthernet 0/36
 description whatever
 no ip address
 mtu 12000
 switchport
 flowcontrol rx on tx off 
 spanning-tree rstp edge-port

So first, in interface configuration mode:
#no spanning-tree rstp edge-port
#no switchport
#portmode hybrid
#switchport
#spanning-tree rstp edge-port

Then it should show this.

interface TenGigabitEthernet 0/36
 description whatever
 no ip address
 mtu 12000
 portmode hybrid
 switchport
 flowcontrol rx on tx off 
 spanning-tree rstp edge-port

Voila, and you should now be able to tag the port into one VLAN and have it untagged in another.
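The VLAN side of that last step, as an added example that is not from the original post: once the port is in hybrid mode it can be untagged in one VLAN and tagged in another. The VLAN numbers and descriptions are assumptions; "!" lines are FTOS comment/separator lines:

```text
! VLAN 10 carries the port's untagged (native) traffic.
interface Vlan 10
 description native-for-te0-36
 untagged TenGigabitEthernet 0/36
 no shutdown
!
! VLAN 20 is carried tagged on the same port.
interface Vlan 20
 description tagged-for-te0-36
 tagged TenGigabitEthernet 0/36
 no shutdown
```

A port can be untagged in only one VLAN; adding "untagged" for a second VLAN moves the port rather than adding it. Verify the result with "show vlan" (from the post's list of commands) or "show interfaces switchport", which lists each Layer 2 port's tagged and untagged VLAN membership.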

Wednesday, 2 July 2014

Force 10 Network LLDP Neighbor Config


If you are using LLDP (Link Layer Discovery Protocol) in your Dell Force10 network deployment, enabling the switch to show the attached hostname by name when you run "show lldp neighbor" is very helpful for reference, especially when you are troubleshooting.

The command is:
#advertise management-tlv system-capabilities system-description system-name
and goes in the interface's "protocol lldp" sub-mode. See the example below.

interface fortyGigE 0/48
 description anything
 no ip address
 mtu 12000
 switchport
 flowcontrol rx on tx off 
!
 protocol lldp
  advertise management-tlv system-capabilities system-description system-name
  advertise interface-port-desc
 no shutdown

If you have any other question, message me.

/Silverfox

Sunday, 29 June 2014

Dell FS8600 FS Networking


Working with the Dell Storage Compellent FS8600 is a bit of a challenge, especially if you are the network engineer trying to satisfy the server and storage people.

The core issue with the current version, 3.0.9x, is that all interfaces use the same routing domain/table, even the management interface.

Most of us are used to network devices having a management interface in a separate routing domain/table, making it a true out-of-band management interface for the device. That does not exist on the Dell FS8600, so you have to rethink your design.

If you want to use a separate subnet for your management interface from the client network, which is still possible, it will follow the client network's default route. You can still add static routes for your client networks, but NOT for the management interface, which is stupid: it means Dell designed the management IPs to sit on the same network as one of your client networks.

So if you still want a separate subnet for the management interface, my suggestion is to use a firewall/router: if your firewall has an interface on the intended management subnet, do a destination NAT with source NAT enabled, so that the management interfaces of the FS8600 can be reached without having to think about its routing table.

You can of course still manage the FS8600 via the client network, but that is not recommended if you ever need to change tags or IP ranges on the client network for any reason. It is always better to use the dedicated management interface so you don't lose the connection, aka "cutting your own leg off".

Hopefully Dell will reconsider and change this in their next major release so that the management interface gets its own routing domain/table with its own default route.

Good luck. If anything, you can email me.

Monday, 23 June 2014

Dell M1000e Initial Network Configuration

So your company, enterprise or organization is considering purchasing, or has purchased, a Dell M1000e server enclosure. Congratulations, it is an awesome piece of machinery in terms of CPU per watt.

If your organization has budgeted for this type of hardware, you most probably have a support contract and might also have bought Dell Professional Services to help you design and do the initial setup. If not, this article might help you on your way and save some costs.

Spec Info
The server enclosure fits 8 full-height or 16 half-height server blades. The server blades come in various configurations.

On the rear of the enclosure you can fit a wide range of network blade switches and fibre switches, depending on your organization's requirements.


Initial Configuration
The enclosure comes with a management module called the CMC, Chassis Management Controller, comparable to HP iLO. There are 2 CMCs that work active/passive, one in each upper corner on the rear of the enclosure, with 2 RJ45 ports for redundancy.

You set the initial IP of the CMC on the LCD display on the front of the enclosure. You also set the iDRAC IPs of the blades there, used later to configure the individual blades and load them with the preferred software. I really don't see a need to use the serial interface except for troubleshooting. Connect the RJ45

After you have configured the CMC IP, connect to it via SSH. The default username and password for the CMC are root/calvin. Change that password before the chassis goes on a shared network; the default is published in Dell's documentation and is the first thing anyone scanning for management interfaces will try.

You will be presented with a "$" prompt. This CLI is not very advanced; it is intended mostly for connecting to the various modules in the chassis that have their own CLI.

Since I will only be covering the networking part here, I will write another post about the servers and hard disks another time.

Now some basics of the rear side. As you may have seen, there are indicators showing A1, B1, C1, C2, B2 and A2.

It is important to understand these different fabrics. Depending on the bandwidth you plan to use, and if you are mixing 10GbE and 40GbE, it is recommended to use one fabric per type. Say you plan to use 40GbE networking for data traffic and another 40GbE toward your external storage; then it would be recommended to use Fabric A for the network toward your clients/servers and Fabric B toward your NAS/iSCSI/Fibre Channel. You can of course equip a fabric with a larger switch blade with more ports and cover both live traffic and storage traffic within the same fabric.

This would mean that you use A1 and A2 for network, and B1 and B2 for storage.

To connect to each of the fabrics through the CMC you type:

"connect switch-A1" where A1 obviously means Fabric A1, and so forth.

This is now like console access to the switch, whatever configuration you put in.

If you are using Dell Force10 modules, the CLI will be very much like a Cisco/HP switch with some modifications.

Good luck with your configurations. If you have any questions about the configurations, don't hesitate to send me a message.