ProCurve

If you are running an HPE Aruba (formerly ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) on a set interface.

When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP address or VLAN that you want the switch to talk out on. In my case that is VLAN2, which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).

Having recently set up OpenVAS (something I will likely blog about in further detail soon) I have found out that the default out-of-box deployment of Aruba-OS (formerly ProCurve) supports a number of insecure SSH algorithms, with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).

SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.

and

SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

To secure the switch simply run the following commands while logged into the switch

config
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
write memory
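
To confirm the change without waiting for the next scan, the algorithm lists the switch advertises can be read from its SSH_MSG_KEXINIT message. The following is an added example, not part of the original post: a Python parser for that message that reports any CBC ciphers and MD5-based or 96-bit MACs still on offer. The build_kexinit helper, the sample offers and the algorithms assumed to remain enabled (aes256-ctr, hmac-sha1) are constructed for illustration.

```python
# Name-list order inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (type 20)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        length = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated KEXINIT")
        lists[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + length
    return lists

def audit(payload: bytes) -> dict:
    """Report offered CBC ciphers and MD5-based or 96-bit MACs."""
    lists = parse_kexinit(payload)
    ciphers = set(lists["enc_c2s"] + lists["enc_s2c"])
    macs = set(lists["mac_c2s"] + lists["mac_s2c"])
    return {
        "ciphers": sorted(c for c in ciphers if "-cbc" in c),
        "macs": sorted(m for m in macs
                       if "md5" in m or m.split("@")[0].endswith("-96")),
    }

def build_kexinit(ciphers: list, macs: list) -> bytes:
    """Constructed sample input: a server KEXINIT offering the given lists."""
    lists = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
             macs, macs, ["none"], ["none"], [], []]
    body = b"".join(len(s).to_bytes(4, "big") + s
                    for s in (",".join(l).encode("ascii") for l in lists))
    return bytes([20]) + bytes(16) + body + b"\x00" + bytes(4)

# Constructed offers: before and after the "no ip ssh ..." commands above.
BEFORE = build_kexinit(
    ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
     "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr"],
    ["hmac-md5", "hmac-sha1-96", "hmac-md5-96", "hmac-sha1"])
AFTER = build_kexinit(["aes256-ctr"], ["hmac-sha1"])

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

On a live connection the payload is the body of the first binary packet the server sends after its version banner, with the packet length and padding stripped.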

When working with a lab full of HPE ProCurve/Aruba switches (or you just want to know who is who in a stack of switches) the chassislocate CLI command comes in really handy by either blinking or holding solid the blue locator light. See the screenshots below for a little more info.

It’s that magical time of the year where…new network switches arrive! Given that the new Aruba branding has taken full control of what was ProCurve I thought I should post some photos of the new paintwork. Happy to say the colour black isn’t half bad!

Included in the images are

  • J9729A 2920-48G-PoE+
  • J9728A 2920-48G
  • J9731A 2920 2-Port 10Gbe SFP+ Module
  • J9733A 2920 2-Port Stacking Module
  • J9734A 2920 0.5m Stacking Cable

Work is coming along nicely with the Server Room, we’ve now removed the last Cisco switch from our infrastructure and the HP 5400R series switch is deployed replacing the 2530 that was in its place; over time we’ll be bringing more fibre from our edge switches into this room as well hence the number of SFP+ ports on the 5400R. The entire front of the cabinet is now populated with hardware or a blanking panel as well (panels available from Comms Express) to keep things looking tidy. I wish there were a little more that I could do with the cables coming into the 5400R however with a very narrow rack there’s not much that can be done.

Some interesting things have come out of both Ruckus and Palo Alto recently in that they offer Hyper-V compatible VMs for their services which could free up a further 3U of space and remove a further 4-6 cables out of the picture.

Although it may not be the most glamorous side of IT every sysadmin will appreciate the value of a rock solid backup system. All too often though these systems do not extend down to the ‘embedded’ systems like network switches and firewalls.

However with a little WinSCP (and its fantastic .NET assembly automation package) and PowerShell combined it’s pretty easy to cook up something that costs 100% less than any management solution.

This guide shows how to set up the backup of a HP ProCurve switch (I’ve tested it with the ProCurve 8200 series, 5400 series, the 2920s, a 2626 and a 2530, all of which were running the most recent firmware), although it should be a simple matter of changing the relevant paths to make it work with other manufacturers’ kit (e.g. Cisco).

1. Download Source Files

First up grab the source files from the link below and extract the contents to C:\Network Switch Backup (you can use any other path but will just need to update the paths inside the PowerShell) you should then have a folder which contains a .cmd file, a .ps1, a sample .csv and a sub folder called Backups.

  Network Switch Backup (1.7 KiB, 1,316 hits)

Getting your Switch ready and filling out the CSV

Each switch will now need ip ssh and ip ssh filetransfer running on it through the CLI (if it’s not already set up); be sure to set a manager password (if you haven’t done so already!) as well. In addition you will need to find the server host key fingerprint for each switch; the screenshots below show one way of doing this.


In this guide I am going to show how to perform a very basic setup of a HP ProCurve 2610 Layer 2 network switch using a serial to console cable.

First up you will need a serial to console cable and a PC that has a serial port. If you don’t have a PC with a serial port (old HPs are great for this purpose) then you can get a USB to serial adapter – a point to note here is watch out for the super cheap ones, quite often you will find that they use counterfeit chips meaning USB drivers don’t work reliably.

Anywhos on with the guide!

First up the network switch that I have has been previously protected with a password, in addition I want to configure the switch from scratch. To do this I am going to perform a factory reset and clear…

Now it’s time to configure the switch. For the configuration I will be using PuTTY, which can be downloaded from here – http://www.chiark.greenend.org.uk/~sgtatham/putty/.

PRTG is by far my favoured tool for monitoring IT infrastructure. With its built-in sensors you can check the PING time for a server, check that Windows services are up and running or, with a little tweaking, monitor paper trays in an MFP (and so much more).

A recently discovered feature for me is the sFlow monitor. This tracks in near real time the flow of different types of data (e.g. SMTP/HTTP/FTP/DNS lookups) that flow through network infrastructure.

In my case the entire network is built on HP ProCurve layer 2/3 switches which makes for pretty easy setup.

To follow this guide you will need

  • The IP address of your PRTG server (in my case 172.16.8.27)
  • Admin access to your PRTG console and a ‘device’ setup for your switch
  • Admin access to your switches through Telnet/SSH (I use PuTTY to administer my switches through Telnet)
  • 5 minutes

So now that I have all of this extra info what am I to do with it? Well with the sFlow sensor setup you can…

  • See if your network infrastructure is experiencing bottlenecks…
  • …and if so where the bottleneck is and what kind of data is causing it (e.g. large file transfers)…
  • …and see what clients are causing it.