Optical ByPass Switching

Optical Bypass Switches

A bypass switch (or bypass TAP) is a hardware device that provides a fail-safe access port for an in-line active network device such as an intrusion prevention system (IPS), next-generation firewall or network switch. If the in-line device loses power, experiences a software failure, or is taken off-line for updates or upgrades, traffic can no longer flow through the critical link. The bypass switch or bypass TAP removes this single point of failure by automatically switching traffic into bypass mode to keep the critical network link up.

A bypass switch has four ports. Two network ports create an in-line connection in the network link that is to be monitored. This connection is fully passive; if the bypass switch itself loses power, traffic continues to flow unimpeded through the link.

Two monitor ports are used to connect the in-line device. During normal operation, the bypass switch passes all network traffic through the in-line device (referred to below as the CPE) as if the CPE were directly in-line itself. When the CPE loses power, is disconnected, or otherwise fails, the bypass switch passes traffic directly between its network ports, bypassing the CPE and ensuring that traffic continues to flow on the network link.

A bypass switch monitors the health of the CPE by sending heartbeat packets to it. As long as the CPE is on-line, the heartbeat packets are returned to the optical bypass switch and the link traffic continues to flow through the CPE.

If the heartbeat packets are not returned to the optical bypass switch (the CPE has gone off-line), the optical bypass switch automatically bypasses the CPE and keeps the link traffic flowing. The optical bypass switch also removes the heartbeat packets before sending the network traffic back onto the critical link.
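To make the heartbeat logic concrete, here is a small model of the bypass switch described above. It is an added example written for this page, not code from the post or from any bypass-switch vendor: the frame layout, the heartbeat EtherType, the "three missed heartbeats" threshold and the traffic pattern are all assumptions chosen for illustration. It shows the three behaviours the text describes: heartbeats going out toward the CPE, a switch to bypass when they stop coming back, and heartbeats being stripped so they never reach the critical link.

```python
"""Model of an optical bypass switch's heartbeat-driven fail-over.

Added example, not code from the page or from any vendor's firmware.
The frame layout, the heartbeat EtherType, the miss threshold and the
traffic below are all constructed for illustration.
"""
from dataclasses import dataclass, field

HEARTBEAT_ETHERTYPE = 0x88B5   # assumed: IEEE local-experimental EtherType used for heartbeats
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    ethertype: int
    payload: bytes


@dataclass
class BypassSwitch:
    """Tracks CPE health and forwards frames in-line or in bypass accordingly."""
    max_missed: int = 3          # assumed: unanswered heartbeats tolerated before bypass
    outstanding: int = 0         # heartbeats sent toward the CPE and not yet returned
    mode: str = "inline"         # "inline" (via the CPE) or "bypass" (network port to network port)
    to_cpe: list = field(default_factory=list)   # frames queued on the monitor ports toward the CPE
    to_link: list = field(default_factory=list)  # frames emitted on the network ports

    def tick(self):
        """One heartbeat interval: judge the CPE by the heartbeats still unanswered, then send another."""
        if self.outstanding >= self.max_missed:
            self.mode = "bypass"
        self.outstanding += 1
        # heartbeats keep going out even in bypass, so a recovered CPE is detected
        self.to_cpe.append(Frame(HEARTBEAT_ETHERTYPE, b"hb"))

    def from_cpe(self, frame):
        """A frame the CPE handed back: absorb heartbeats, forward everything else onto the link."""
        if frame.ethertype == HEARTBEAT_ETHERTYPE:
            self.outstanding = 0
            self.mode = "inline"   # a returned heartbeat proves the CPE is forwarding again
            return
        self.to_link.append(frame)

    def from_link(self, frame):
        """Traffic arriving on a network port: through the CPE when healthy, straight across when bypassed."""
        if self.mode == "inline":
            self.to_cpe.append(frame)
        else:
            self.to_link.append(frame)


def simulate(cpe_up, payloads, max_missed=3):
    """Run one heartbeat interval per entry of cpe_up (True means the CPE forwards what it receives).

    Returns (mode recorded at the end of each interval, payloads delivered to the link,
    number of heartbeat frames that leaked onto the link).
    """
    sw = BypassSwitch(max_missed=max_missed)
    modes = []
    for alive, payload in zip(cpe_up, payloads):
        sw.tick()
        sw.from_link(Frame(IPV4_ETHERTYPE, payload))
        pending, sw.to_cpe = sw.to_cpe, []
        if alive:
            for f in pending:       # a healthy CPE passes everything through, heartbeat included
                sw.from_cpe(f)
        # a dead CPE silently drops 'pending': that is the traffic lost during detection
        modes.append(sw.mode)
    leaked = sum(1 for f in sw.to_link if f.ethertype == HEARTBEAT_ETHERTYPE)
    return modes, [f.payload for f in sw.to_link], leaked


# constructed scenario: CPE healthy for two intervals, dead for four, then back
CPE_UP = [True, True, False, False, False, False, True]
PAYLOADS = [b"p1", b"p2", b"p3", b"p4", b"p5", b"p6", b"p7"]

if __name__ == "__main__":
    print(simulate(CPE_UP, PAYLOADS))
```

Running the constructed scenario shows the trade-off a real deployment has to tune: frames p3 to p5 are lost while the switch waits for its miss threshold, and only from p6 onward does traffic cross in bypass. A lower threshold shortens that window but makes the switch fail over on a single dropped heartbeat, which also silently removes the IPS or firewall from the path, so the bypass event itself is something to alert on.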

Using cacti to monitor bandwidth consumption

Cacti is a free network graphing tool that visualizes the time-series data stored by RRDtool (the Round-Robin Database tool).

Cacti polls network devices such as switches and routers via SNMP and then graphs the data. Among the values polled are CPU load, temperature, uptime and network bandwidth utilization.

Here we shall focus on how you can monitor your bandwidth from the cacti graphs.
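Before looking at the graphs it helps to know what Cacti computes from the raw SNMP counters. The following is an added example, not Cacti's or RRDtool's code: it derives bits per second from successive readings of an interface octet counter (ifInOctets is 32-bit, ifHCInOctets 64-bit), handles the counter wrapping between two polls, and works out the highest link rate a counter of a given width can report unambiguously at a given polling interval. The sample readings are constructed.

```python
"""Turning SNMP interface octet counters into bandwidth, the way Cacti/RRDtool graph it.

Added example, not Cacti's or RRDtool's code. The samples are constructed;
a real poller would read ifInOctets (32-bit) or ifHCInOctets (64-bit) over SNMP.
"""


def counter_delta(prev, cur, bits=32):
    """Octets counted between two readings of a monotonically increasing counter,
    allowing for a single wrap past 2**bits - 1 between the polls."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def bits_per_second(samples, bits=32):
    """samples: list of (unix_time, octet_counter) in polling order.
    Returns one (unix_time, bps) per interval, timestamped at the end of the interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        octets = counter_delta(c0, c1, bits)
        rates.append((t1, octets * 8 / (t1 - t0)))
    return rates


def utilisation_percent(bps, if_speed_bps):
    """Link utilisation as Cacti's percentage graphs show it."""
    return 100.0 * bps / if_speed_bps


def max_unambiguous_rate_bps(poll_interval_s, bits=32):
    """Fastest link a counter of this width can track without wrapping more than once
    per poll. A double wrap is undetectable and produces a falsely low rate."""
    return (1 << bits) * 8 / poll_interval_s


# constructed readings: 5-minute polls, with the 32-bit counter wrapping in the first interval
SAMPLES = [
    (1700000000, 4294000000),
    (1700000300, 1000000),
    (1700000600, 38500000),
]

if __name__ == "__main__":
    for ts, bps in bits_per_second(SAMPLES):
        print(ts, round(bps), "bps", round(utilisation_percent(bps, 100_000_000), 3), "%")
    print("32-bit counter, 300 s polls, max rate:", round(max_unambiguous_rate_bps(300) / 1e6, 1), "Mbit/s")
```

The last function is the practical caveat: with five-minute polling a 32-bit counter is only trustworthy up to roughly 114 Mbit/s, because a busier link can wrap the counter twice between polls and the graph then under-reports, which is exactly when a bandwidth-based anomaly alert should have fired. For gigabit interfaces, poll the 64-bit ifHC counters instead.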


Intel Reports

Accessible RDP

This report identifies hosts that have the Remote Desktop (RDP) service running and accessible from the Internet. Misconfigured RDP can give miscreants access to the desktop of a vulnerable host and can also aid information gathering on a target host, as the SSL certificate used by RDP often contains the system’s hostname.

Remedy: Disable RDP from being world-accessible by applying firewall rules, either at the border or on the server itself.

Accessible Telnet

This report identifies hosts that have a Telnet instance running on port 23/TCP that is accessible from the Internet. Telnet provides no encryption and may expose sensitive information or system credentials.

Remedy: Disable the Telnet service and use a more secure protocol such as SSH, or firewall the Telnet service.

SSL Scan

This report identifies hosts that allow the use of SSL v3.0 with cipher-block chaining (CBC) mode ciphers, which are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. See US-CERT alert TA14-290A at https://www.us-cert.gov/ncas/alerts/TA14-290A for more information on this vulnerability and exploit.
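The remedy for the SSL Scan finding is on the server side: refuse SSL v3.0 and stop offering CBC suites, so there is no padding oracle left to query. As an added example that is not part of the report, the code below builds a server-side TLS context with Python's standard ssl module that does both, and includes a check you can point at any context to list the CBC (non-AEAD) suites it would still negotiate. The AEAD-only cipher string is an assumption chosen for this example.

```python
"""Server TLS settings that close the SSL v3.0 / CBC exposure the SSL Scan report flags.

Added example, not code from the page. Uses only the standard-library ssl module;
the cipher list is an assumption chosen to leave AEAD suites only.
"""
import ssl

# assumed policy: ECDHE key exchange with AEAD bulk ciphers only (no CBC, no RSA key transport)
AEAD_ONLY_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])


def hardened_server_context():
    """A server context that cannot speak SSL v3.0 and offers no CBC suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(AEAD_ONLY_CIPHERS)             # TLS 1.3 suites are AEAD and stay enabled
    # load_cert_chain(certfile, keyfile) would go here before serving
    return ctx


def cbc_ciphers(ctx):
    """Names of negotiable suites that are not AEAD, i.e. the CBC suites a padding oracle needs."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if not c.get("aead", "Mac=AEAD" in c["description"])
    ]


def sslv3_disabled(ctx):
    """True when the context will never negotiate SSL v3.0."""
    return ctx.minimum_version > ssl.TLSVersion.SSLv3 or bool(ctx.options & ssl.OP_NO_SSLv3)


def legacy_cbc_context():
    """A deliberately weak context for comparison; None if the local OpenSSL refuses the suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers("ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256")
    except ssl.SSLError:
        return None
    return ctx


if __name__ == "__main__":
    hard = hardened_server_context()
    print("SSLv3 disabled:", sslv3_disabled(hard))
    print("CBC suites still offered:", cbc_ciphers(hard))
    weak = legacy_cbc_context()
    if weak is not None:
        print("Legacy context offers CBC suites:", cbc_ciphers(weak))
```

Note that OpenSSL cipher names do not contain the string "CBC" (ECDHE-RSA-AES256-SHA384 is a CBC suite), which is why the check looks at the AEAD flag rather than the name. Recent Python builds already refuse SSL v3.0 by default, so the minimum-version line mostly matters on older installations; the cipher list is what removes the CBC suites the report is about.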


Junos MX5 error after OS upgrade: System is running on alternate media device (/dev/da1s1a)

After an OS upgrade on a Junos MX5, you are hit with the following notice upon reboot:
— JUNOS 13.3R9.13 built 2016-03-01 07:16:35 UTC
NOTICE: System is running on alternate media device (/dev/da1s1a)

This notice can result from several scenarios; the possible causes are:
1.) A software failure/error on the primary media (flash)
2.) A hardware failure on the primary media (flash)
3.) A reboot that was requested from the secondary media (disk)


Traffic Flow Sampling in Juniper Mx-5 and Mx-480 Routers IPv4 and IPv6

Traffic analysis is a critical component of network planning, security and troubleshooting. To perform traffic analysis, you need to collect network traffic flows from the different aggregation points in your network, such as routers and switches.

Juniper devices do this by ‘sampling’ packets and frames going through the switch or router. The sampled flows can be used by third-party applications such as nfsen and ntop.

This configuration solution was done on a Juniper MX5 router using IPFIX.

Create a sampling instance at the chassis level; in this case it is named ‘1to1’:
set chassis tfeb slot 0 sampling-instance 1to1

Set the flow table size at the chassis level on the TFEB for both IPv4 and IPv6:
set chassis tfeb slot 0 inline-services flow-table-size ipv4-flow-table-size 5
set chassis tfeb slot 0 inline-services flow-table-size ipv6-flow-table-size 5


Q-in-Q Vlan Translation for Juniper

In networks where end-users determine the VLAN IDs to be run across your backbone network, with the possibility that these VLAN IDs will clash, Q-in-Q VLAN translation is the solution for you.

Q-in-Q VLAN translation allows you to bundle end-user VLANs into a single VLAN, giving you the power to determine which VLAN ID to use without asking the end-users to change their VLAN ID schemes.

With Q-in-Q VLAN translation the end-user IDs are not critical, and this is what makes it a very suitable solution for service providers.

This configuration solution was done on a Juniper EX2200 switch.

Set the switch to be aware of the Q-in-Q vlan translation:
set ethernet-switching-options dot1q-tunneling ether-type 0x8100

Define the Q-in-Q vlan translation vlan, vlan-id ‘1049’, named ‘qinqvlan’:
set vlans qinqvlan vlan-id 1049

Attach the end-user-facing interface and the backbone-facing interface to the Q-in-Q vlan translation vlan:
set vlans qinqvlan interface ge-0/1/0.0
set vlans qinqvlan interface ge-0/0/22.0

Attach the end-user vlan, in this case ‘187’, to the Q-in-Q vlan translation vlan definition:
set vlans qinqvlan dot1q-tunneling customer-vlans 187

On the interface ge-0/0/22 facing the end-user, push the tunnel vlan tag on input and pop it on output:
set interfaces ge-0/0/22 unit 0 input-vlan-map push
set interfaces ge-0/0/22 unit 0 output-vlan-map pop

Make the interface ge-0/0/22 facing the end-user an access port. This is key for the Q-in-Q vlan translation solution to identify the end-user-facing interface:
set interfaces ge-0/0/22 unit 0 family ethernet-switching port-mode access

Attach the Q-in-Q vlan translation vlan:
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members 1049

Make the interface ge-0/1/0 facing the network backbone a trunk port. This is key for the Q-in-Q vlan translation solution to identify the backbone-facing interface:
set interfaces ge-0/1/0 unit 0 family ethernet-switching port-mode trunk

Attach the Q-in-Q vlan translation vlan:
set interfaces ge-0/1/0 unit 0 family ethernet-switching vlan members 1049
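What the push/pop commands above do on the wire is easiest to see on actual frame bytes. The following is an added example written for this page, not Juniper code: it models the EX2200 behaviour configured above, taking a customer frame tagged with vlan 187 on the end-user-facing port, pushing the outer tag for vlan 1049 with the configured ether-type 0x8100 toward the backbone, and popping it again on the way back. The frame bytes and the decision to drop frames from vlans not listed under customer-vlans are constructed assumptions.

```python
"""802.1Q tag push/pop as a Q-in-Q (dot1q-tunneling) port performs it.

Added example, not Juniper code. Models the frame handling the EX2200
configuration above describes; frame bytes and the drop policy are constructed.
"""
import struct

TPID = 0x8100              # the ether-type set with `dot1q-tunneling ether-type 0x8100`
S_VLAN = 1049              # the qinqvlan definition (service-provider tag)
CUSTOMER_VLANS = {187}     # `dot1q-tunneling customer-vlans 187`


def parse_tags(frame):
    """Split an Ethernet frame into (dst, src, [vlan ids, outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off = 12
    tags = []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)        # low 12 bits of the TCI carry the VLAN id
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, tags, ethertype, frame[off + 2:]


def build(dst, src, tags, ethertype, payload):
    """Assemble a frame; each entry of tags becomes one 802.1Q header, outermost first."""
    out = dst + src
    for vid in tags:
        out += struct.pack("!HH", TPID, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def push_on_input(frame):
    """Ingress on the end-user-facing access port (ge-0/0/22): wrap the customer frame in the S-VLAN tag.
    Frames from VLANs not listed under customer-vlans are dropped (assumed policy)."""
    dst, src, tags, et, pl = parse_tags(frame)
    if not tags or tags[0] not in CUSTOMER_VLANS:
        return None
    return build(dst, src, [S_VLAN] + tags, et, pl)


def pop_on_output(frame):
    """Egress toward the end-user: strip the outer S-VLAN tag, leaving the customer tag intact."""
    dst, src, tags, et, pl = parse_tags(frame)
    if not tags or tags[0] != S_VLAN:
        return None
    return build(dst, src, tags[1:], et, pl)


# constructed customer frame: broadcast, C-VLAN 187, ARP ethertype, dummy payload
CUSTOMER_FRAME = build(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", [187], 0x0806, b"arp-sample")

if __name__ == "__main__":
    tunnelled = push_on_input(CUSTOMER_FRAME)
    print("tags on the backbone trunk:", parse_tags(tunnelled)[2])
    print("round trip intact:", pop_on_output(tunnelled) == CUSTOMER_FRAME)
```

The point for isolation is visible in the tag list: the backbone only ever forwards on the outer 1049 tag, so two customers who both chose vlan 187 never share a broadcast domain, and the customer tag travels across the core as opaque payload.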

Uploading Cisco IOS using XMODEM

Problem Statement

There are times when a router/switch can only boot up in ROMmon. This happens when the router/switch has no valid Cisco IOS software or bootflash image to boot from. This disaster recovery situation arises when, for example, the Cisco IOS software on the router/switch is corrupted or has crashed.

There are also cases where the router/switch has no USB port, or where it is not possible to set up a network connection to the router/switch, so using the Trivial File Transfer Protocol (TFTP) is not an option.


Zimbra: Install a Comodo SSL Certificate

1. Get the bundle from Comodo in .crt format, or sometimes as a zip file. You can also log in to https://cert-manager.com/customer/eI4Africa and download the X.509 Root/Intermediate(s) bundle.

2. Copy the downloaded bundle to the mail server under /tmp. The bundle contains the following files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
