About Me

My photo
GTA, Ontario, Canada
Hold the Door!!! CCIE 25938: CCIE Routing & Switching, Security,Voice, and latest CCIE Datacenter. Python+SDN is on going

Saturday, June 25, 2016

My new Website http://www.networkcouple.com

Hello, I just started a new website with my wife together to share some tips with networkers.
If you are interested, please go visit:

thank you.

Saturday, May 28, 2016

A little experience with Fortigate firewall

Recently I am working on deploying Fortigate 3700D in our network. There are couple things just learned during the project.

1) 1G SFP in 10G port on Fortigate 3700D to build Port-channel with Cisco N5K. It must use 1000Auto on Fortigate side, otherwise port-channel won't come up. 

2) Trust subnet configured under admin account will impact data port Ping traffic as well (not only the admin login traffic). It will block Ping on the data port as well, even Ping is allowed, as long as the subnets are not in the Trust subnets range, ping will be dropped.

Saturday, January 28, 2012

By default CoS-to-DSCP :
CoS-DSCP map :

cos:   0     1      2      3       4      5     6      7
dscp :0    8    16    24    32    40    48    56

Using following command to change this map on switch:

switch(config)# mls qos map cos-dscp dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8

By default DSCP-to-CoS map:

0~7 0
8~15 1
16~23 2
24~31 3
32~39 4
40~47 5
48~55 6
56~63 7

Use following command to check switch map table:
swtich#show mls qos maps dscp-qos

To change DSCP -to-Cos map , use this command:

switch(config)# mls qos map dscp-cos dscp1 dscp2 dscp3 dscp4 dscp5 dscp6 dscp7 dscp8 to cos


DSCP Value DSCP Name COS Value
0 Default (BF) 0
8 CS1 1
10 AF11 1
12 AF12 1
14 AF13 1
16 CS2 2
18 AF21 2
20 AF22 2
22 AF23 2
24 CS3 3
26 AF31 3
28 AF32 3
30 AF33 3
32 CS4 4
34 AF41 4
36 AF42 4
38 AF43 4
40 CS5 5
42   5
44   5
46 EF 5
48 CS6 6
56 CS7 7

Note: EF is matching DSCP=46; COS=5 is matching DSCP=40

AF Drop Level

RFC 2597 leavingcisco.com defines the assured forwarding (AF) PHB and describes it as a means for a provider DS domain to offer different levels of forwarding assurances for IP packets received from a customer DS domain. The Assured Forwarding PHB guarantees a certain amount of bandwidth to an AF class and allows access to extra bandwidth, if available. There are four AF classes, AF1x through AF4x. Within each class, there are three drop probabilities. Depending on a given network's policy, packets can be selected for a PHB based on required throughput, delay, jitter, loss or according to priority of access to network services.
Classes 1 to 4 are referred to as AF classes. The following table illustrates the DSCP coding for specifying the AF class with the probability. Bits DS5, DS4 and DS3 define the class; bits DS2 and DS1 specify the drop probability; bit DS0 is always zero.
Drop Class 1 Class 2 Class 3 Class 4
Low 001010
Medium 001100
AF 22
High 001110
DSCP 38 

Thursday, January 19, 2012

Avocent Cyclades ACS console server password reset or reset unit factory defaults

Avocent Cyclades ACS console server password reset or reset unit factory defaults

The Avocent Cycaldes ACS console servers are great little units that run Linux and even give you full root console access. The root password is “tslinux” by default, but if it has been changed then you can boot the unit into single user mode by supplying the argument “single” to the Linux kernel selection during the boot process (make sure you put a space between the existing Kernel parameters and “single”) which will drop you to a root prompt.
On my unit, this line comes up as right at the start of the boot process:
Linux/PPC load: root=/dev/ram ramdisk=0x0001F000
So you would type ” single” (remember the space!) to give you:
Linux/PPC load: root=/dev/ram ramdisk=0x0001F000 single
Then just hit enter and the unit will boot up into single user mode and give you the root prompt.
At this point, if you want to restore the entire unit to the factory default settings which will erase all of the configuration, then just run “defconf” and then reboot the unit.
If you want to keep the existing configuration intact but just reset the password then you can just use the traditional Linux passwd tool to edit /etc/passwd:
[root@(none) /]# passwd
New password:
Re-enter new password:
Password changed
[root@(none) /]# saveconf
Checking the configuration file list…
Compressing configuration files into /tmp/saving_config.tar.gz … done.
Saving configuration files to flash … done.
[root@(none) /]# reboot
[root@(none) /]# Restarting system.

 Original link : http://new.spheron1.co.uk/2010/11/06/avocent-cyclades-acs-console-server-password-reset-or-reset-unit-factory-defaults/ 

Thursday, December 29, 2011

Aruba Authentication Adv Options and Misc.

There are couple Adv options under  the 802.1x authentication. Let's get some brief introduction. :)
The difference between Normal EAP and AAA FastConnect (EAP-Offload) :

Normal EAP:

AAA FastConnect (EAP-Offload):
It is easy to understand and configure :

2. Machine Authentication :
when a Windows device boots, it logs onto the network domain using a machine account: host/<pc-name>.<domain>
You can configure 802.1x for both User and Machine Authentication.
Machine Authentication optional : it is under L2 Authentication .

Setting Roles for Machine/User Authentication:
  3 Blacklist due to failed authentication :

Aruba Controller Authentication Part 2 WPA/WPA2 and 802.1X

This part is about configuring WPA or WPA2 and 802.1x on Aruba Controllers.
1. Configure the external auth-server or internal-db
2. Create a server group and assign the configured auth-server to it.
3. Create a dot1x profile and configure the required dot1x parameters (EAP-Offload, Key rotation, re-auth, etc)
4. Create a AAA profile and assign the dot1x profile and dot1x server-groups created in Step 2 and 3.
5. Create an AP Group and Virtual AP
6. Assign the AAA to the Virtual AP
7. Configure the SSID profile with the SSID and required operations mode and authentication (etc.) to use with dot1x... and other parameters.

 802.1x Configuration Example WPA2-AES

Step 1 - Configure a Server :

 Step 2 - Configure the Server Group : Create a Server Group and assign the server to it.
 NOTE: Multiple servers are allowed. When "Fail Through" box is unchecked, if one server denied the auth, then no request sent to rest servers. When "Fail Through" box is checked, if one server denied the auth, the auth request will keep sending to rest servers. Furthermore, when using 802.1x authentication, Fail Through only works with AAA FastConnect enabled.

 Step 3 - Configure the AAA Profile to use dot1x

 Step 4 - Configure L2 dot1x Profile:

 Step 5 Create an AP Group and Virtual AP:

 Step 6 Assign the AAA Profile to the VAP

Step 7 Configure SSID to WPA2-AES

 Note: 802.11i supports both TKIP and AES-CCM. 802.11i intends for users to ultimately take advantage of AES-CCM as it is better than other existing options. However, as mentioned in earlier slides, it generally requires a hardware upgrade for the wireless clients. Therefore, TKIP is available as an alternative to basic WEP to improve security without the neeed for a full-fledged hardware upgrade.

A better solution than PSK is to use dynamic keys. Here, dynamic keys are used to provide te greatest level of security.