I installed a new license to a ASR 1002-X going from the default 5 gig to 20 gig throughput. Installing the license was no problem, but after the reboot nothing changed. I found that I had forgotten to change the hardware throughput settings – I thought the license would jus take care of this, but it didn’t.
Here are the commands/options to get the hardware throughput to match the license
First – lets check to make sure what the level is –
ASR#show platform hardware throughput level The current throughput level is 5000000 kb/s
You can also do a show version and see this info.
Now, lets change to our installed license throughput level.
ASR(config)#platform hardware throughput level ? 10000000 throughput in kbps 20000000 throughput in kbps 36000000 throughput in kbps 40000000 throughput in kbps 5000000 throughput in kbps
The Cisco C92160YC has the option to change the port layout for different bandwidth needs. Below hows the command to change the default (In my case) port config from 48x25G ports, with 2 X 100G, and 4 X40 to 4 100 Gig ports. This way
c92160yc-x-01# show run | inc port hardware profile portmode 48x25G+2x100G+4x40G
The above looks through the config for the setting – I do believe you can also “show hardware profile”.
Below shows the config to change the setting, and different options under the setting.
c92160yc-x-01# config t Enter configuration commands, one per line. End with CNTL/Z. c92160yc-x-01(config)# hardware profile portmode ? 48x25g+2x100g+4x40g 48x25G+2x100G+4x40G port mode 48x25g+4x100g 48x25G+4x100G port mode
I needed to find out what type of Optic was installed into a switch, and if it read up correctly. In most vendors its “show interface transceivers” or some other command. I struggled to find Ruckus’s – so I thought I would share.
To find the media type of the port – just use the “Show media” command – so easy!
For instance, I need to find out what type SFP is on eth 1/2/8, and if it read correctly. Check out the below:
Then, if I just want to check what all ports are: “Show media” by itself. Notice ports 1/2/1 and 1/2/3 are my stack ports – and I have DACs (twinax) in these ports.
SNMPv3 should always be enabled if possible over v2.
First enable the SNMP agent and set the location/device name. Make sure to press apply down at the bottom of the page.
Next lets create the V3 user. You can do this by just clicking “Create New” Under the V3 options.
When you create the user you have options of Authentication algorithms, encryption, the IP of the monitoring host, and what they can monitor. Also, you can drop into CLI and change the source IP for traps.
Last part is now to enable SNMP on the interface you want to connect the monitor to. You only need to have SNMP enabled on the interface the monitor is connecting to, so just do a local LAN interface.
Make sure to click SNMP under the admin access of the interface, and click OK. Thanks it!
Tracking down MACs from a switch can be very beneficial. You can use the information from the MAC table to track down where a device is plugged into, or if there is some kind of loop in the network.
This command is used from the Fortigate to drill down to the Fortiswitch. I do believe it would also work directly from the Fortiswitch.
To display the whole MAC table:
diagnose switch-controller switch-info mac-table
Lets say I need to look for the last 4 of the MAC to find exactly where this device plugs into.
I have been working a lot with the Dell N-series over last few years, and now the N2248-ON which can run OS10 as well as the default OS6. We upgraded firmware to the latest 6.6.3.10 and all seemed to go well. Somehow it did not and hosed both primary/secondary firmware. The device was boot looping – the only option was to drop into ONIE Recovery and re-install the firmware. Here are the steps I used:
The ONIE recovery area runs a version of Linux. First check out your NIC to make sure it finds it:
Great! Eth0 is found, but of course link status is down. Eth0 is the out of band management interface. We should be able to set an IP address on the interface and install firmware VIA TFTP or USB.
First I will setup and IP that can communicate with my laptop :
Perfect! My laptop is 192.168.1.99 – and connected directly to the out of band MGMT port.
Next we will TFTP the file up. This file is located in the software archive you download from Dell – Its located in the “Otherfiles” folder. In this case the file name is onie-installer-x86_64-dellemc_n22xx_6.6.3.10. Next I put this on my TFTP server and we can start the install.
First lets turn off the ONIE-Discovery attempts with the onie-stop command.
The onie-nos-install will install the OS back to the device. The firmware took a few minutes to install, with about 4 reboots I think – it was all automatic.
Now lets see if the switch was updated with the “show version” command.
I had an issue, well more of a specific formatting issue with Fortiauthenticator that I thought I would share. I have a client who is only use SMS with forticlient via fortiauth. The idea is that the user connects and authenticates to the SSL VPN, and then hits Fortiauth for token code that was sent to the client VIA SMS.
When using SMS with tokens, you have to have the users mobile number entered so it can send to them. Hard coding the users mobile number worked great, but for some reason I could not get the remote sync rule to pull in the mobile phone number. Below are the steps I used to fix this.
First in the remote sync rule under “LDAP User Mapping Attributes” modify the mobile data field with “mobile” all lower case.
Then make sure that in Active Directory the mobile number is entered under the users profile. the Auth says it wants the mobile phone number in a very specific format – +[international_number] – this threw me for a while. In the end the number in AD wasn’t the problem it was the mapping attribute. Below is how to inset the number into AD. Notice the number has +[country code]number. Thats it, after putting that in the remote sync rule worked fine.
I am more impressed with Fortiswitches every time I work with them. The ability to implement light NAC features, INTRAvlan firewall policies and overall management really gives these switches a feature set to checkout when deciding on new switches.
Below are the steps to quickly get the interface stats such as errors/packets, etc. The commands are ran on the Fortigate, which in this case is controlling the Fortiswitch.
Drop into CLI on the FGT and check what switches are connected by running the command
get switch-controller managed-switch
This command will bring back the names of the manged switches. Locate the switch you want to check the port stats on. For example, we will use the name “FS1D24T419001174”
Certificates for VPN, SSL Offloading (if using Load balancing), or a signed device cert expire, we all know this. Up until last week I had never updated a signed certificate, I had just created a new CSR, and rekeyed the cert. Updating the certificate the Fortigate is using is very easy, but I had problems with the syntax so I am documenting it here.
I had an issue following the doc so I though I would clear the water and see if I could help someone down the road. Lets say I have sslvpn.travelingpacket.com that will expire in 2 days – I log into my CA (godaddy in my case) and renew the cert. They send the new cert to me, but what do I do with it…
Open the cert with a text editor – maybe notepad – and copy the cert. you should see —BEGIN CERTIFICATE. Copy everything. Then log into the fortigate VIA cli – Putty or some kind of SSL client is way better for doing this then the web client. Then lets modify the certificate
config vpn certificate local
edit sslvpn (or your cert name)
set certificate “—–BEGIN CERTIFICATE—– mPjDQDYkYHKcTrGa6aH7e1w1uM7kdaBAjyAgM7xcmuTrsCeLYfd+BwIDAQABo4IDTDCCA0gwPQYJKwYBBAGCNxUHBDAwLgYmKwYBBAGCNxUIorRWhO7dYIKtkziB9KY0 >—–END CERTIFICATE—–“
and Press enter – The issues I had was with the quotes. I tried to first do double quotes, and past the cert in the middle – that does not work. Just simply type in the command set certificate and then a double quote “ and past the cert whole. After its pastes do the ending quote “ and press enter.
IMPORTANT: That’s it for modifying the cert – but to enact it we have to remove it from whatever we are using it for, and then add it back. That refreshes the cert. So if your using it for SSL-VPN , go to VPN – SSL-VPN settings – and set the server cert to a different one, press apply, and change it back.
This entry shows how I have been setting up ICX switches with Fortinac.
In this scenario my Fortinac is located at 192.168.226.248, the switch is 192.168.226.53, and my SNMP community is “snmp”. I know very secure. The switch I am working with is a Ruckus 7250 running SPR08092a.bin
These are the settings that I am putting into my switch:
logging host 192.168.226.248 snmp-server host 192.168.226.248 version v2c snmp
On the NAC we have to add the switch, and make sure we have a CLI user account, and SNMP creds that work. We can test this within NAC to make sure things are up and going.
After we add the device, we can validate the settings
After the device has been added you should see your interfaces/devices/status all show up.
Recent Comments