Hardware

Processors, graphics cards, solid state drives and much more is all in this section of the site!

Normally the little 8 (well 10 if you include the ‘uplink’ ports) port switches we buy end up under a desk or on a shelf but for a one off we’ve got one going in a comms cabinet. Quite luckily the HPE Aruba 2530-8G come with the ears in the box to do this (I recall seeing some models of switches with this being an additional item or needing a special shelf).

You’ll still need a place to keep the power supply but that’s nothing a few cable ties can’t sort!


Today I had the pleasure of presenting at the Oxford ICTF Conference on Multi-Factor Authentication and Password Stores with Smart Cards and YubiKeys, the video recording is online now here – https://youtu.be/WGtCxS2YFNA and the presentation can be downloaded through the link below.

A special shout out goes to the Yubico press office for providing a set of YubiKey 4s, YubiKey NEOs and Security Keys which helped fuel a very lively Q and A session!

  Presentation.pdf (5.5 MiB, 48 hits)

Yes! Yes it they do!

In preparing for a presentation to some peers in the wider IT community tomorrow I have access to some YubiKey Neo authentication keys; in doing some extra reading up on the keys I thought – I wonder if these work with the MIFARE readers (note that these are MIFARE readers not the proprietary Paxton only readers) that are part of our Door Access Control system.

Lone behold they do; in the revision of the keys we have it’s a NXP MIFARE Classic 1k chip.

Recently I was inspired to take on some more information about routing and the associated protocols. To help support that I’ve gone and bought a Mikrotik RouterBoard hAP ac from Amazon (along with a RouterBoard hAP Lite). I hope to kick out a few blog posts on it along with my learning points over the next few days/weeks.

In the meantime enjoy the photos!

If you have ever seen this post Server Room – The latest you will notice we have a pretty awesome HPE Aruba 5400R zl2 Core Switch; however (at least until now), I’ve been yet to find a really simple guide which shows the best way to reboot the management modules following a firmware update.

So after much research and a live firmware update this morning (last time round I just reloaded both management modules at the same time) I’m going to go with the following plan.

  1. Update the firmware (wait a few minutes for the firmware to copy from the primary to the secondary module – this is automatic)
  2. Reboot the standby module using the boot standby command (and wait a few minutes)
  3. Confirm that the standby module is now running the new firmware with  show redundancy
  4. Failover from the active to the standby module – this caused a few seconds of downtime in my environment
  5. Once the failover is complete the previously active module will now also be running the new firmware

For easy copy and paste see the commands on GitHub below along with the screenshot sequence which shows you how this will look on a switch running the 16.x branch firmware.

With thanks to the 50 staff from across the University for attending please see below the links to the videos and PowerPoints of the day!

Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM

Slides as PowerPoint

  1 Intro (4.3 MiB, 262 hits)

  2 MDT (85.2 MiB, 321 hits)

  3 PowerShell (27.5 MiB, 245 hits)

  4 PRTG Network Monitor (47.5 MiB, 290 hits)

  5 OpenVAS (32.9 MiB, 241 hits)

  6 WSUS and Chocolatey (60.3 MiB, 275 hits)

  7 NPS and VLANs (10.7 MiB, 312 hits)

Slides as PDF

  1 Intro (2.0 MiB, 256 hits)

  2 MDT (2.2 MiB, 292 hits)

  3 PowerShell (1.8 MiB, 293 hits)

  4 PRTG Network Monitor (3.2 MiB, 314 hits)

  5 OpenVAS (2.3 MiB, 304 hits)

  6 WSUS and Chocolatey (2.9 MiB, 328 hits)

  7 NPS and VLANs (1.4 MiB, 277 hits)

Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.

If you are running an HPE Aruba (formally ProCurve) switch you may come across cases where your switch (in the example above a 5400R zl2) has multiple IP Addresses/VLANs and you need it to talk to another service (in my case syslog and sFlow receivers) on a set interface.

When this occurs you can use the ip source-interface command (make sure you are in config mode first) to define the IP Address or VLAN that you want the switch to talk out on. In my case VLAN2 which is used as the management network for the network switches (VLAN1 being the default network that switches use if multiple addresses are configured).

Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.

Unable to mount the WIM, so the update process cannot continue.

The solution is simple; if you are running this machine on Hyper-V (presumably other Hypervisors as well) you will need to shutdown the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.

The error message in full context for reference.

=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===

=== Processing LiteTouchPE (x64) boot image ===

Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.

=== Completed processing platform x64 ===

 

=== Processing complete ===

Having recently setup OpenVAS (something I will likely blog about in further detail soon) I have found out that the default out of box deployment of Aruba-OS (formally ProCurve) supports a number of insecure SSH Algorithms with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).

SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.

and

SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

To secure the switch simply run the following commands while logged into the switch

config
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
write memory

About
my world of IT is a blog about both the business and consumer world of IT as seen by a common garden SysAdmin. For more information click here!