Use Azure MFA With Microsoft NPS (RADIUS) Server


KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA on my RADIUS server, to secure access to my switches and routers etc.?” It turns out that if you want to enable Azure MFA with Microsoft NPS it’s actually quite simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking that the authenticating user is a member of a domain security group. Once that requirement is satisfied, it authenticates against my Azure AD, which triggers an MFA event (in my case a push request to the Microsoft Authenticator application on my Android phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 licence or a Microsoft 365 licence.

“But I can use the Authenticator App with my Office 365 subscription?”

Well, yes you can, but we are not authenticating to Office 365, are we?

Below you can see the licence allocated in Office 365.

And the same in Azure AD.

Now your user needs to have MFA enabled (this should be pretty obvious). To use the Microsoft Authenticator application, the USER chooses that method of authentication the first time they log in after you enable MFA for them. You can force them to re-register from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run through setting up NPS / NPAS. The quickest, simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagementTools

[/box]

From Administrative Tools open Network Policy Server > Right click (Top Level) > Register Server in Active Directory > OK > OK.

Execute the following PowerShell command to create the registry key the extension reads. REQUIRE_USER_MATCH set to TRUE makes the extension deny (fail closed) any user who is not enrolled for Azure MFA, rather than letting them through on password alone.

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now, for some reason, installing NPS does not correctly open the RADIUS ports on the Windows Firewall: the built-in RADIUS rules are created but do not actually pass traffic. So issue the following command to re-scope them to any service;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is; keep a copy of it handy, either in Notepad or on the clipboard, because you will need it in a minute.

Below you can see I’ve got my domain user; their remote access (Dial-in tab) is set to control access through NPS Network Policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT; in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate RADIUS Clients > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password; you will need to add this to the RADIUS client’s config) > OK.

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition’ for User Groups, then add the security group you created/used above.

Add in another ‘Condition’ for Client Friendly Name > Set it to the friendly name you used when you created your RADIUS client.

Accept all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’ > Click Yes if you want to read the warning > Next > Accept all the defaults from this point forward. (PAP is the method the Azure MFA NPS extension supports for all the MFA options; note the password then travels in the RADIUS Access-Request protected only by the shared secret, so keep RADIUS traffic on a trusted management network.)

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA’ software from Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tenant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout on the RADIUS client; by default it’s 10 seconds, which is not long enough for the user to approve the push, so I raised it to 30 seconds.

And on my phone I get prompted to allow the sign-in.


Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The request was discarded by a third-party extension DLL file.

This happens when the user you are authenticating does not have the correct licence in Azure (or you have only just allocated the licence and have not waited for it to propagate).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had to re-install the NPS Azure MFA extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]
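The two events above can be triaged automatically. This is an added Python example (not from the article): it flattens the Security-log text into fields and maps the Reason Code to the troubleshooting notes above. The sample events are constructed, trimmed from the two entries shown here.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed samples, trimmed from the two Security-log events shown above.
SAMPLE_6274 = r"""Log Name:      Security
Event ID:      6274
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.
User:
    Security ID:            PNL\tanya.long
    Account Name:           tanya.long
NAS:
    NAS IPv4 Address:       192.168.254.254
Authentication Details:
    Network Policy Name:    NP-Azure-MFA
    Authentication Type:    PAP
    Reason Code:            9
    Reason:                 The request was discarded by a third-party extension DLL file.
"""
SAMPLE_6273 = r"""Log Name:      Security
Event ID:      6273
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.
User:
    Security ID:            NULL SID
    Account Name:           tanya.long
NAS:
    NAS IPv4 Address:       192.168.254.254
Authentication Details:
    Network Policy Name:    -
    Authentication Type:    Extension
    Reason Code:            21
    Reason:                 An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
"""

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*)$")


def parse_nps_event(text: str) -> Dict[str, str]:
    """Flatten an NPS audit event into 'Section.Field' -> value pairs."""
    fields: Dict[str, str] = {}
    section = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD.match(line)
        if not m:  # free text under a header such as Description:
            fields[section] = (fields.get(section, "") + " " + line.strip()).strip()
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if line[0] not in " \t":  # top-level line: a value, or a new section header
            section = "" if value else key
            if value:
                fields[key] = value
            continue
        fields[f"{section}.{key}" if section else key] = value
    return fields


# Reason codes from the two events above, mapped to this article's troubleshooting notes.
HINTS = {
    9: "Discarded by the Azure MFA extension: check the user holds an Azure P1 / Microsoft 365 "
       "licence and is MFA enrolled, and allow a freshly assigned licence time to propagate.",
    21: "Rejected by the Azure MFA extension: the extension is unhealthy; re-install it (or re-run "
        "AzureMfaNpsExtnConfigSetup.ps1) and reboot the NPS server.",
}


@dataclass
class Triage:
    event_id: int
    user: str
    nas_ip: str
    auth_type: str
    reason_code: int
    hint: str


def triage(text: str) -> Triage:
    """Pull out the fields an admin needs and attach the matching hint."""
    f = parse_nps_event(text)
    code = int(f.get("Authentication Details.Reason Code", "0"))
    return Triage(
        event_id=int(f["Event ID"]),
        user=f.get("User.Account Name", "-"),
        nas_ip=f.get("NAS.NAS IPv4 Address", "-"),
        auth_type=f.get("Authentication Details.Authentication Type", "-"),
        reason_code=code,
        hint=HINTS.get(code, "Unrecognised reason code: " + f.get("Authentication Details.Reason", "")),
    )
```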


Related Articles, References, Credits, or External Links

NA

Cisco IOS: Ether-Channel Trunks

KB ID 0001533

Problem

This is a subject that every time I need to create an Ether-Channel I end up checking beforehand, so it’s about time I wrote it up. We are combining two different things: an Ether-Channel (an aggregation of links) and a Trunk (the ability to carry many VLANs). If you are NOT from a Cisco background then you might want to read through the following post first, to avoid confusion about the word ‘Trunk’.

HP and Cisco – VLANs and Trunks Confusion!

So this is what I’m going to create;

I will combine the TWO links between the switches to act as one link (Ether-Channel). An Ether-Channel can have up to eight links.

Note: I’m only concentrating on the Ether-Channel setup so VLANs/VTP and Routing are not covered.

Solution

There are two types of Ether-Channel: PAgP (Port Aggregation Protocol), but WHY use that when it only works on Cisco switches, and LACP (Link Aggregation Control Protocol), which is supported by just about everything else, so let’s stick with that! By default a ‘Trunk’ will pass ALL VLANs; you might not want that, so I’ll cover filtering VLANs a bit further down.

WARNING: If you simply connect two switches with two cables you will create a LOOP. If you have STP enabled the network will recover and block one of the links, but your colleagues will shake their heads and pull a ‘frowny face’. For that reason, SHUT THE PORTS DOWN BEFORE YOU CABLE / CONFIGURE THEM.

Starting on Switch1, make sure there are no existing Ether-Channels configured;

[box]

SW-1#show etherchannel
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 4
Port-channels: 1 Max Port-channels = 4
Protocol:   LACP
Minimum Links: 0

[/box]

Above there is already an Ether-Channel (port-channel) on the switch (group 1), so you would have to use group 2. For argument’s sake we will say I don’t have one, so I can use group 1.

Note: ‘show etherchannel summary’ is also a handy command to remember!

[box]

First shut down the uplinks, Note the syntax for the 'range interfaces', may differ from device to device, 
so use the TAB key.

SW-1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#shutdown

Add the ports to channel group 1, Note 'Active' denotes use LACP, (Passive also works, but one (or both) ends
should be active.)

SW-1(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1

Create a 'trunk' with 802.1q encapsulation.

SW-1(config-if-range)#switchport trunk encapsulation dot1q
SW-1(config-if-range)#switchport mode trunk

[/box]

Then configure the other end the same (assuming the port numbers are the same!). As mentioned above you can use LACP mode ‘passive’, but I tend to set both ends active.

Once you have both ends configured and the cables in place, enable the interfaces with a ‘no shutdown’ command, on both ends!

[box]

SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#no shutdown

[/box]

Filtering VLANs on an Ether-Channel Trunk

Any further port-channel changes need to be done on the port-channel interface, so if you want to filter what’s allowed you simply use the following syntax;

[box]

SW-1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW-1(config)#interface Port-channel1
SW-1(config-if)#switchport trunk allowed vlan 1,10,100,200

[/box]

Note: When adding any future VLANs check the syntax; if you simply issue the command with only the new VLAN it will overwrite the whole allowed list, and things will break!
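The procedure above (find a free channel-group, shut the ports, build the LACP trunk, then filter VLANs on the port-channel) as an added Python example; this is not from the article, and the 'show etherchannel' text it parses is a constructed copy of the listing earlier on this page. It also shows how to rebuild the complete allowed-VLAN list so a later change cannot silently overwrite it.

```python
import re
from typing import Iterable, List, Set

# Constructed 'show etherchannel' output, matching the listing earlier in this article:
# group 1 is already in use, so the next free channel-group is 2.
SHOW_ETHERCHANNEL = """\
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 4
Port-channels: 1 Max Port-channels = 4
Protocol:   LACP
Minimum Links: 0
"""


def used_channel_groups(show_output: str) -> Set[int]:
    """Channel-group numbers already present in 'show etherchannel'."""
    return {int(g) for g in re.findall(r"^Group:\s+(\d+)", show_output, re.M)}


def next_free_channel_group(show_output: str) -> int:
    """Lowest channel-group number not already configured on the switch."""
    used = used_channel_groups(show_output)
    group = 1
    while group in used:
        group += 1
    return group


def vlan_list(vlans: Iterable[int]) -> str:
    """Render a sorted, de-duplicated VLAN list the way IOS expects it (1,10,100)."""
    return ",".join(str(v) for v in sorted(set(vlans)))


def lacp_trunk_config(interface_range: str, group: int,
                      allowed_vlans: Iterable[int] = ()) -> List[str]:
    """IOS commands for one side of an LACP Ether-Channel trunk.
    The ports are shut first (loop avoidance) and left shut: bring them up with
    'no shutdown' only once both ends are configured and cabled."""
    lines = [
        f"interface range {interface_range}",
        " shutdown",
        f" channel-group {group} mode active",
        " switchport trunk encapsulation dot1q",
        " switchport mode trunk",
        "exit",
    ]
    allowed = list(allowed_vlans)
    if allowed:  # filtering is applied on the port-channel interface, not the members
        lines += [f"interface Port-channel{group}",
                  f" switchport trunk allowed vlan {vlan_list(allowed)}",
                  "exit"]
    return lines


def add_allowed_vlan(current_allowed: Iterable[int], new_vlan: int) -> str:
    """Rebuild the complete allowed list so the new command cannot overwrite
    the existing VLANs (the pitfall noted above)."""
    return f"switchport trunk allowed vlan {vlan_list(list(current_allowed) + [new_vlan])}"
```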

Do all Ether-Channels need to be Trunks? No! Not at all; they can be access ports (as long as they are all in the same VLAN), and they can also be routed uplinks, with an IP address at both ends (specified on the port-channel interface).

Related Articles, References, Credits, or External Links

NA

Cisco Stacking 3750 Switches

KB ID 0001205 

Problem

You can stack Cisco 3750-X switches in groups of up to 9 switches, and they can then be managed as one switch. Here I’ve got 2 switches.


Solution

Removing 3750-X Switches Stack Configuration

One of my switches had already been in a stack, so I needed to remove its stack configuration. It thought it was switch 4 in the stack, so I issued the following commands;

[box]

Switch(config)# no switch 4 provision 
Switch(config)# wr mem 

[/box]

Cisco 3750-X Configure Stacking

Don’t connect any stacking cables yet. Decide which switch is going to be the ‘master’, log onto that switch, and issue the following commands;

[box]

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#switch 1 priority 15
Changing the Switch Priority of Switch Number 1 to 15
Do you want to continue?[confirm] {Enter}
New Priority has been set successfully
Switch(config)#do write mem
Building configuration...
[OK]

Switch(config)#do reload
Proceed with reload? [confirm] {Enter}
[/box]

When the switch reloads you will see;

[box]

Waiting for Stack Master Election...
SM: Waiting for other switches in stack to boot...
###############################################################

[/box]

At this point you can connect the stack cables and power on the second switch. With multiple switches, connect each switch’s stack port one to stack port two on the switch below it. Then on the last switch connect its stack port one back to stack port two on the top switch (so there is a ‘ring’).

If you have more than two switches you can set their priority (as you did above); priority 15 will always win the ‘election’ and be the master switch, so number the rest accordingly. The default is ‘1’, so if you don’t set it the order is worked out from MAC addresses (which is not good!).

When all the switches are booted, check all is well;

[box]

Switch#show switch
Switch/Stack Mac Address : 74a2.e69a.0c00
                                           H/W   Current
Switch#  Role   Mac Address     Priority Version  State
----------------------------------------------------------
*1       Master 74a2.e69a.0c00     15     3       Ready
 2       Member 204c.9e5f.4000     1      3       Ready

Switch#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
FastEthernet0          unassigned      YES NVRAM  administratively down down
GigabitEthernet1/0/1   unassigned      YES unset  down                  down
GigabitEthernet1/0/2   unassigned      YES unset  down                  down
GigabitEthernet1/0/3   unassigned      YES unset  down                  down
GigabitEthernet1/0/4   unassigned      YES unset  down                  down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet1/1/1   unassigned      YES unset  down                  down
GigabitEthernet1/1/2   unassigned      YES unset  down                  down
GigabitEthernet1/1/3   unassigned      YES unset  down                  down
GigabitEthernet1/1/4   unassigned      YES unset  down                  down
Te1/1/1                unassigned      YES unset  down                  down
Te1/1/2                unassigned      YES unset  down                  down
GigabitEthernet2/0/1   unassigned      YES unset  down                  down
GigabitEthernet2/0/2   unassigned      YES unset  down                  down
GigabitEthernet2/0/3   unassigned      YES unset  down                  down
{----------------Output Removed For the Sake of Brevity---------------------}
GigabitEthernet2/1/1   unassigned      YES unset  down                  down
GigabitEthernet2/1/2   unassigned      YES unset  down                  down
GigabitEthernet2/1/3   unassigned      YES unset  down                  down
GigabitEthernet2/1/4   unassigned      YES unset  down                  down
Te2/1/1                unassigned      YES unset  down                  down
Te2/1/2                unassigned      YES unset  down                  down
Switch#

[/box]

Make sure your stack cabling is OK;

[box]

Switch# show switch stack-ports summary

Switch#/  Stack   Neighbor   Cable    Link   Link   Sync      #         In
 Port#     Port              Length    OK   Active   OK    Changes   Loopback
          Status                                          To LinkOK
--------  ------  --------  --------  ----  ------  ----  ---------  --------
  1/1     OK         2      50 cm     Yes    Yes    Yes        1        No
  1/2     OK         2      50 cm     Yes    Yes    Yes        1        No
  2/1     OK         1      50 cm     Yes    Yes    Yes        1        No
  2/2     OK         1      50 cm     Yes    Yes    Yes        1        No

Switch# show switch stack-ring speed

Stack Ring Speed        : 32G
Stack Ring Configuration: Full
Stack Ring Protocol     : StackWisePlus
Switch#

[/box]
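A check for the cabling rule above (every stack port up, and the neighbours forming a closed ring), as an added Python example that is not from the article. The 'show switch stack-ports summary' text is constructed: one copy of the healthy two-switch output shown above, and one with a cable missing.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed 'show switch stack-ports summary' output (header copied from the listing above).
HEADER = """\
Switch#/  Stack   Neighbor   Cable    Link   Link   Sync      #         In
 Port#     Port              Length    OK   Active   OK    Changes   Loopback
          Status                                          To LinkOK
--------  ------  --------  --------  ----  ------  ----  ---------  --------
"""
STACK_PORTS_OK = HEADER + """\
  1/1     OK         2      50 cm     Yes    Yes    Yes        1        No
  1/2     OK         2      50 cm     Yes    Yes    Yes        1        No
  2/1     OK         1      50 cm     Yes    Yes    Yes        1        No
  2/2     OK         1      50 cm     Yes    Yes    Yes        1        No
"""
# Same stack with one cable missing: the stack still works, but the ring is open
# and the redundancy is gone.
STACK_PORTS_OPEN = HEADER + """\
  1/1     OK         2      50 cm     Yes    Yes    Yes        1        No
  1/2     Down       None   No cable   No     No     No         1        No
  2/1     Down       None   No cable   No     No     No         1        No
  2/2     OK         1      50 cm     Yes    Yes    Yes        1        No
"""


class StackPort(NamedTuple):
    switch: int
    port: int
    status: str
    neighbor: str  # switch number, or 'None' when nothing is cabled
    link_ok: bool
    link_active: bool
    sync_ok: bool


ROW = re.compile(r"^\s*(\d+)/(\d+)\s+(\S+)\s+(\S+)\s+(\d+\s*(?:cm|m)|No cable|-)"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s*$")


def parse_stack_ports(output: str) -> List[StackPort]:
    """Pull the per-port rows out of 'show switch stack-ports summary'."""
    ports = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            sw, pt, status, nbr, _length, ok, active, sync = m.groups()
            ports.append(StackPort(int(sw), int(pt), status, nbr,
                                   ok == "Yes", active == "Yes", sync == "Yes"))
    return ports


def check_stack_ring(ports: List[StackPort]) -> List[str]:
    """Return a list of problems; empty means every port is up and the cabling is a closed ring."""
    problems: List[str] = []
    links: Dict[int, List[str]] = defaultdict(list)
    for p in ports:
        if not (p.status == "OK" and p.link_ok and p.link_active and p.sync_ok):
            problems.append(f"stack port {p.switch}/{p.port}: status={p.status} "
                            f"link_ok={p.link_ok} active={p.link_active} sync={p.sync_ok}")
        links[p.switch].append(p.neighbor)
    members = set(links)
    for sw, nbrs in links.items():
        if len(nbrs) != 2:
            problems.append(f"switch {sw}: expected 2 stack ports, saw {len(nbrs)}")
        for n in nbrs:  # every port must land on another member, or the ring is open
            if not n.isdigit() or int(n) not in members:
                problems.append(f"switch {sw}: neighbour '{n}' is not a stack member (open ring?)")
    return problems
```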

If you are also using XPS redundant power cables, remember that’s only supported for up to four switches (without an extra XPS-2200 rack power unit). I power off the switches before I fit these.

Why do they have green and yellow ends? If you look on the switch you will see the ‘socket’ is marked with a yellow and a green ‘semi-circle’; that means either a green end or a yellow end can be plugged into that socket.

That makes no sense; if anything can plug into anything, why colour code them? It’s because there is a different cable with a ‘red’ end for plugging into an XPS-2200 rack power supply, like this;

Then to test your XPS power cables;

[box]

Switch>show env power all
SW  PID                 Serial#     Status           Sys Pwr  PoE Pwr  Watts
---  ------------------  ----------  ---------------  -------  -------  -----
1A  C3KX-PWR-350WAC     LIT18410MD4 OK              Good     Good     350/0
1B  Not Present
2A  C3KX-PWR-350WAC     LIT18410JJ3 OK              Good     Good     350/0
2B  Not Present

Switch#show stack-power neighbors
Power Stack           Stack   Stack    Total   Rsvd    Alloc   Unused  Num  Num
Name                  Mode    Topolgy  Pwr(W)  Pwr(W)  Pwr(W)  Pwr(W)  SW   PS
--------------------  ------  -------  ------  ------  ------  ------  ---  ---
Powerstack-2          SP-PSS  Ring     700     320     380     0       2    2

    Power Stack           Port 1  Port 1             Port 2  Port 2
SW  Name                  Status  Neighbor SW:MAC    Status  Neighbor SW:MAC
--  --------------------  ------  ----------------   ------  ----------------
1   Powerstack-2          Conn    2:204c.9e5f.4000   Conn    2:204c.9e5f.4000
2   Powerstack-2          Conn    1:74a2.e69a.0c00   Conn    1:74a2.e69a.0c00

[/box]

Stack Power Profiles (Setting Up)

Stack Power Modes

Default (Power Sharing Mode): All the power from all the power supplies is aggregated together, and no power is reserved; if a power supply fails there is a chance that there might not be enough power.

Redundant Mode: The power of the largest power supply in the stack is held back from the total power budget, so the stack can survive losing that supply.

Stand Alone Mode: Stops a switch participating in a power stack completely.

Each mode can be configured to run strict or non-strict (with the exception of stand alone mode).

Strict: If actual power drops below budgeted power, things may get powered down.
Non-Strict: Actual power can run above budgeted power, if that extra power is available.

[box]

Switch(config)# stack-power switch 1 port 1 enable 
Switch(config)# stack-power switch 1 port 2 enable 
Switch(config)# stack-power switch 2 port 1 enable 
Switch(config)# stack-power switch 2 port 2 enable
Switch(config)# stack-power stack Power-Stack-1 
Switch(config-stackpower)# mode redundant
Switch(config-stackpower)# stack-power switch 1
Switch(config-stackpower)# stack-power switch 2
Switch(config-stackpower)# exit

[/box]


Related Articles, References, Credits, or External Links

Cisco Catalyst – Upgrading ‘Stacked’ Switches

HP – Switches The IP (or subnet) Already Exists

KB ID 0001176 

Problem

I was changing a client’s LAN subnet this week (dropping the mask from /24 to /16). When I attempted to change the management IP on the client’s HP switches, this happened;

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
The IP address (or subnet) 10.0.0.250/16 already exists.
HP2510-24G(vlan-1)#

[/box]

At first I thought the switch was complaining because the IP was staying the same and I was just changing the mask (which is a bit bobbins, but there you go). Turns out this is normal behaviour? Yes, I could have got my console cable out, walked to the comms room and done this;

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# no ip address 10.0.0.250 255.255.255.0
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0 
HP2510-24G(vlan-1)#

[/box]

But that would mean getting off my lazy backside, and what if I was hundreds of miles from the switch?


Solution

To solve the problem you need to enter the HP switch menu system, which will let you change the IP on the fly. Obviously if you change the IP, make sure you can connect to both its old (and new) IPs, or you will lose remote management.

From the CLI type ‘menu’ {Enter}; you may be asked if you want to save the config. Choose ‘Switch Configuration’.

IP Configuration.

Edit.

Use the cursor keys and navigate to the IP/Subnet mask, and change accordingly > {Enter}

Select Save > Reconnect to the new IP address.

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

Cisco IOS – DHCP Helper (DHCP Relay) – IP-Helper Setup

KB ID 0001168 

Problem

Cisco documentation calls this a ‘DHCP Relay’ and uses the command ip helper-address; I usually call it a DHCP Helper, just to confuse everyone. To be fair, the term DHCP Relay is an industry standard, it’s not particular to Cisco (as you will see later when I Wireshark the traffic).

So if you are reading this, you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment (layer 2 or layer 3).

To do that you need an agent on the same network segment as the client, listening for DHCP requests; when it receives one it talks to the DHCP server on the client’s behalf and gets the correct address.

Solution

Example 1 Cisco Router

Here we need to lease two different DHCP scopes to two different network segments. R1 will act as the IP-Helper for both of those networks, and R2 and R3 will get their IP addresses from the correct DHCP scope.

This works because each (client facing) interface on R1 has an IP-Helper address defined that points to the DHCP server.

So how does it know which scope to lease from? Because the router supplies the IP address of a RELAY AGENT (the giaddr field of the DHCP packet), which is just the IP address of the physical interface that intercepted the DHCP request. When it asks the DHCP server for an address, the server leases one from the scope that matches that range (again, I’ve tracked all this in Wireshark below).

IP-Helper Router Configuration

[box]

R1 Config

!
interface GigabitEthernet0/0
 description Uplink to DHCP Server
 ip address 10.2.2.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 description Uplink to 192_168_2_0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
interface GigabitEthernet3/0
 description Uplink to 192_168_3_0
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!


R2 Config

!
interface GigabitEthernet2/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!

R3 Config

!
interface GigabitEthernet3/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!

[/box]

You can see this works because the DHCP server has matching scopes for both network segments. (Yes, one of my test servers is 2003; you’re going to see some Windows XP in a minute!)

Well, that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.

With its network card set to DHCP you will again get a lease from the correct scope, because the Router brokered it for us.

Back on the DHCP server you can see the lease to the Windows XP machine in the current scope leases. It knows the name of the client because (as you will see below) the relay agent (router) passed that information, along with the MAC address of the client, to the DHCP server.

Example 2 Cisco Switches

OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub-interfaces on the router, add those sub-interfaces to VLANs, and run DHCP relays from them, but in most cases you will be setting up DHCP helpers on switches. Here the principle is the same, but you define the ip helper-address on the VLAN interface (unless it’s a routed port, in which case treat it the same as a router interface). Let’s modernise things a bit, and use a 2012 R2 DHCP server and some Windows 8 clients.

I need to lease addresses from my second scope to clients in VLAN 200 (the other client and the server are in the same VLAN, so that will just work; remember a VLAN is a broadcast domain, and DHCP uses broadcasts).

Here’s the two scopes setup on the 2012 server;

And my client, (DHCP Client in VLAN 200) gets the correct IP.

IP-Helper Switch Configuration (VLANS)

[box]

SW1 Config

interface FastEthernet1/0/1
 description Uplink to DHCP Server
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/4
 description Uplink 192_168_200_0
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/5
 description Uplink 192_168_100_0
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
!

IF YOU HAVE MULTIPLE/FAILOVER IP-HELPERS OR SPLIT SCOPES YOU CAN ADD A SECOND 
ADDRESS LIKE SO;

!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 ip helper-address 192.168.100.15
!

[/box]

Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark

Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To filter DHCP traffic you can use the following ‘filter’ (option 53 is the DHCP Message Type; Wireshark 3.0 and later renamed the dissector, so there the filter is dhcp.option.type == 53).

bootp.option.type == 53

DHCP works by using four messages (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.

Discover

Offer

Request

Acknowledge

And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address and hostname.
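The relay mechanics traced above (the Discover the client broadcasts, the giaddr the relay stamps on it, the option 53 message type Wireshark filters on, and the server picking a scope from giaddr) as an added Python example; this is not from the article. The scopes, server address and client MAC are constructed to match Example 1.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}  # option 53 values

# Constructed scopes: one per client segment in Example 1, plus the server's own segment.
SCOPES = ["10.2.2.0/24", "192.168.2.0/24", "192.168.3.0/24"]
DHCP_SERVER = "10.2.2.10"


def build_dhcp_discover(client_mac: bytes, xid: int, hostname: str = "") -> bytes:
    """Minimal BOOTREQUEST carrying option 53 = DHCPDISCOVER, as a client broadcasts it
    (giaddr is 0.0.0.0; hops is 0)."""
    header = struct.pack(HEADER_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         client_mac.ljust(16, b"\0"), bytes(64), bytes(128))
    options = b"\x35\x01\x01"  # option 53, length 1, DHCPDISCOVER
    if hostname:  # option 12, the name the server shows against the lease
        options += b"\x0c" + bytes([len(hostname)]) + hostname.encode()
    return header + MAGIC_COOKIE + options + b"\xff"


def relay(packet: bytes, relay_interface_ip: str) -> bytes:
    """What ip helper-address does: stamp giaddr with the address of the interface
    that heard the broadcast (unless an upstream relay already set it), bump hops,
    and forward the packet as unicast to the server."""
    f = list(struct.unpack(HEADER_FMT, packet[:236]))
    if f[10] == bytes(4):
        f[10] = ipaddress.IPv4Address(relay_interface_ip).packed
    f[3] += 1
    return struct.pack(HEADER_FMT, *f) + packet[236:]


def parse_dhcp(packet: bytes) -> Dict[str, str]:
    """Decode the fields the server's decision depends on."""
    f = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0:  # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "msg_type": MSG_TYPES.get(options.get(53, b"\0")[0], "Unknown"),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "hops": str(f[3]),
        "chaddr": f[11][:f[2]].hex(":"),
        "hostname": options.get(12, b"").decode(errors="replace"),
    }


def select_scope(giaddr: str, scopes: List[str] = SCOPES,
                 server_ip: str = DHCP_SERVER) -> Optional[str]:
    """Server-side rule: lease from the scope containing giaddr; a request with
    giaddr 0.0.0.0 arrived directly, so use the scope of the server's own interface."""
    key = ipaddress.IPv4Address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        if key in ipaddress.ip_network(scope):
            return scope
    return None
```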

Related Articles, References, Credits, or External Links

NA

Cisco Small Business (SG500) Link Aggregation (LAG) With LACP

KB ID 0001277 

Problem

At work a client was having trouble with a NAS drive (Buffalo TeraStation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalyst 3750s, so I suggested creating an Ether-Channel to the two NICs in the NAS box to try and cure the problem.

However, when I went onsite I noticed the 3750 didn’t have any spare Gigabit ports, only FastEthernet ones. So I thought I’d create a port-channel on one of their Cisco Small Business switches (SG500-52P). I mean, how difficult can that be?

Solution

SG500 LAG Configuration

Note: Configure the switch FIRST.

Before you start, the ports you want to use MUST NOT be a member of a VLAN; this needs to be checked for EVERY VLAN, and saved each time: VLAN Management > Port to VLAN.

So the port should be a simple access port, set as below: VLAN Management > Interface Settings.

Now you can create the Link Aggregation Group: Port Management > LAG Management > I set the global option to ‘IP/MAC Address’ > Then select the first free LAG > Edit.

Tick LACP BEFORE you add in the ports. If you don’t, it creates the LAG but the LACP option is ‘greyed out’. (The only way to fix this is to remove all the ports, save the settings, tick LACP, then add the ports back in again!)

At this point you need to add your LAG interface into the appropriate VLAN, or more likely set it as a Trunk.

Buffalo Terastation NAS Settings for LACP

For LACP to work both ends need to be configured. On the NAS box, bond the two network cards together, then set the ‘Port Trunking’ mode to ‘Dynamic link aggregation’ > Accept.

Related Articles, References, Credits, or External Links

NA

HP Networking ‘ProCurve’ – Trunking / Aggregating Ports

KB ID 0000638 

Problem

I was lending a hand this week while my colleague swapped out a lot of switches. I don’t usually deploy a large number of HP switches, so I was surprised when we installed a chassis switch and, after patching the fibre links, the Cisco Catalyst switches all got upset and we lost three out of four ping packets.

I (wrongly) assumed that STP would be enabled, so I wandered back and pulled the second fibre link. I knew from conversations I’d had before that HP call having multiple uplinks between the same two switches, to increase throughput, “Trunking”. (Note: for people like me, who think that switch trunks are links for carrying multiple VLANs’ traffic: in “HP Land” trunking means aggregating switch uplinks.)

Solution

Note: Up to four uplinks can be aggregated into one trunk.

Option 1 Configure a Trunk via Telnet/Console Cable

1. Connect to the switch either by Telnet or via the console cable > Log in > Type menu {Enter} > The switch menu will load > Select “2. Switch Configuration…”.

2. Port/Trunk Settings.

3. Press {Enter} > Edit > Scroll to the first port you want to add to the trunk > Use the arrow keys to navigate to the “Group” column > Press {Space} > Select the first unused trunk > Arrow to the “Type” column > Change to “Trunk” > Press Enter > Save.

4. Repeat to add the additional “Links”, then configure the mirror image on the switch at the other end.

Option 2 Configure a Trunk via the Web / GUI Console

1. Log into the web console > Interface > Port Info/Config > Select the first link you want to trunk > Change.

2. Set the Trunk Type to “Trunk” > Change the Trunk Group to the next available trunk > Save.

3. Repeat to add the additional “Links”, then configure the mirror image on the switch at the other end.


Related Articles, References, Credits, or External Links

NA