BANAS – Brocade Certification – Studying

I’m going to focus on the things below when studying for BANAS. They are based on the current objectives listed on Brocade’s page.


Brocade Accredited Network Advisor Specialist Exam Topics

  • The Brocade Accredited Network Advisor Specialist exam has these objectives:

Product Features

  • Demonstrate knowledge of Brocade Network Advisor product features

Installation and Configuration

  • Describe the installation and configuration of Brocade Network Advisor

  • Perform SAN Discovery

    • What are seed switches?
  • Perform IP Discovery

    • BNA 170-WBT is a course that’s currently free from Brocade – it’s about IP Discovery in BNA!
    • Once discovered, devices are stored in the Management application database. The first IP of a discovered device becomes its primary address.
    • Simple/Profile based discovery: single: hostname/IP. Profile: range.
    • Requirements
      • Users must have Discover Setup-IP and “All IP Products AOR” privileges
        • For rediscovery only “All IP Products AOR” is needed?
      • ICMP or telnet must be enabled on devices
      • Snmpv1+v2 or v3 read-write
      • IP range of devices must be known
      • All devices must have SNMP MIB support
    • Access by: “Discover -> IP Products”.
    • One can add a default username/password, or several; discovery tries the default first and then the rest.
    • It uses OIDs to select products to include/exclude.
      • Cisco/Juniper are available by default.
    • Seed address: the IP the BNA server will use to contact the switches?

Migration

  • Describe considerations when migrating to Brocade Network Advisor from other tools
    • Check out the Installation Guide for BNA.

Troubleshooting

  • Demonstrate knowledge of troubleshooting Brocade Network Advisor

Brocade Certified Ethernet Fabric Professional

Brocade Certified Ethernet Fabric Professional – BCEFP – is available for free right now! I signed up and if you pass it you’re in the drawing for a $500 amazon coupon each week/month :)

Ethernet Fabric you say? “As a Brocade Certified Ethernet Fabric Professional, you must be able to demonstrate knowledge of IP, SAN, and FCoE concepts, “

What to focus on: http://community.brocade.com/t5/Certification/BCEFP-Exam-Preparation/m-p/56467

Nutshells: http://www.brocade.com/education/certification-accreditation/certified-ethernet-fabric-professional/index.page

To register for the exam, head over to the post on reddit. Basically there’s a pdf with the voucher you use when registering for the exam on pearsonvue.

Currently the “CEF 250” is free, but it’s not the main curriculum for the course.

BANAS – Brocade Accredited Network Advisor Specialist

Finally got around to start preparing the last certificate/accreditation – BANAS – to complete the Brocade Data Center Track (ok, not last. There are plenty more!).

It looks like it’s an accreditation showing that the taker can do some basic tasks in Brocade Network Advisor (BNA). This used to be a certification, so it’s probably a bit harder than it might seem!

Please note, this post is not meant to be a replacement for the official Brocade studying recommendation, just my notes on how I’m practicing for it.

Methods:


Install in a VM

Not much can be tested without any switches, but installing it a few times is probably helpful. It also helps to get acquainted with the UI, and some things can still be done in the UI, like:

  • Set UI options
  • Set up a firmware repository (at least import firmwares, release notes and md5 checksums)
  • Retrieve a SupportSave

Either register on Brocade’s site and get the download that way. Or get it via HP’s public page – for example here. Click on Download.
Because I’m lazy I’m installing it in a Windows 7 x64 VM. 2 cores and 4GB RAM is much faster than 2GB. For just installing it you’ll need 3-4GB disk space.
Find install.exe within na1214_hp_windows.zip

The default user/password is: Administrator/password
The user/password you set during installation is for the database.

It uses FTP/SCP/SFTP, syslog, SNMP and HTTPS, and a PostgreSQL database.

On the http/https page there are MIBs and the BNA client.

Meta Post: Blog is now also mobile friendly!

Update! If you view this blog on a mobile device with the right user agent (and apparently very few of you do that) there’s now very little white space wasted! It’s not perfect yet but I’m working on making it nicer. It seems to have some

Now about the normal Hemingway Ex theme, I like it. But there’s a lot of unused white areas when on 1920×1080 (17% of visitors – also the one I use ;) 

So I tweaked the stylesheets to make some sections thinner and some wider. Don’t like it? Please let me know in the comment section below.

P.s. Developer Tools in web browser are full of awesome! Trying to find the right CSS section to edit would have been mental without it.
P.s2. Just to be clear, the Blog was not hostile towards mobile users before.

Upgrade Ubuntu 12.04 LTS to 14.04

Yesterday I upgraded Ubuntu 12.04 LTS to 14.04 devel release. This is not recommended :)

I wonder what will happen when 14.04 real is out.. *update: it is out now, so the “-d” in “update-manager -d” is no longer necessary?

How to? Just run “update-manager -d” and click on some buttons!

The update process was nice. I like apt-get over yum: when it sees a conflicting file it doesn’t just overwrite it or write the file as .rpmsave, but instead it displays the difference(s) between the two files and you get to decide what to do!

One issue I have heard about is VMWare Workstation 10.0.1 on 14.04 and recompiling kernel modules. Patching instructions in here: http://dandar3.blogspot.cz/ and patch file is the one at the bottom of this post https://communities.vmware.com/message/2326986

Cyanogenmod on Xperia Active (ST17i or satsuma)

Finally got fed up with the Xperia Active (ST17i or satsuma) – couldn’t update anything because all the space was used up and it was rebooting when I wasn’t touching it.
Solution? Install Cyanogenmod!

Cyanogenmod’s wiki has a good overview of how to get it installed. Basically you reinstall the operating system – but the cyanogenmod one doesn’t have all the extra crap you don’t want.

All below done from Windows 7 x64.

1. Root it! Rooted with eroot as found on http://forum.xda-developers.com/showthread.php?t=2219781

2. Install ADB. I installed the whole SDK.. apparently not needed http://forum.xda-developers.com/showthread.php?t=1474956

3. Unlock bootloader.

Poweroff the phone and get into fastboot by holding volume up while connecting the USB cable to the computer.

There is a tool called Flashtool (.net) – but it’s not necessary if you’re comfortable with the command prompt.

Also, if you can find the fastboot drivers from elsewhere that’s probably safer than installing them from flashtool (unsigned).

Run cmd as administrator if it doesn’t work or gives “waiting for device”.

Get the key from Sony via http://unlockbootloader.sonymobile.com/ – Thanks Sony!

4. Install CM 9.1.0

Or if you’re ballsy there’s CM10 the nightly build :)

Download  CM itself http://download.cyanogenmod.org/?device=satsuma and Google Apps if you want that.

Pretty straight forward after this, just follow the guide.

Use fastboot to send boot.img
Use fastboot to reboot
Your phone gets into clockwork recovery
I ran wipeall (probably should have backed up the ROM..)
Install cm9.1 from zip
Install gapps from zip

5. Conclusion

One quite annoying thing I get is: “SIM network unlock PIN” even though I’m fairly sure my phone is not locked.
First time it booted it couldn’t sign in to the phone network at all, but on second it could. I just press dismiss.. perhaps this is fixed in CM 10 Jelly Bean – but with that the phone might also be slower.
But besides that I’m quite happy with it so far. At least I won’t have to have large Office software installed anymore.
// Update a few days later: It’s been working quite nicely, not rebooting at all :)
// Update a few weeks later: DHCP on WiFi apparently stops working after a while, major bummer. But setting a fixed IP solves it. It’s apparently also possible to fix it by either setting it then back to DHCP (didn’t work for me) or by clearing out /data/misc/dhcp/* (did work for me) by opening a terminal and sending two commands: “su -” and then “rm /data/misc/dhcp/*”

Brocade – Vyatta – Future

Spoke a bit with some people in the Brocade stand at HP Discover in Barcelona. The open source / core http://www.vyatta.org/download will be kept, but I could not get any commitment on what will happen to it or whether they will update it. The 5400 (VSE, 6.6) and 5600 (VR, 7.x) are however available for a free 60-day trial. The 5600 has a new architecture and interfaces more closely with the hardware (using Intel’s DPDK to, for example, dedicate processes to cores), which improves performance “quite a bit”.

// Update, I since found out about VyOS: http://vyos.net/wiki/Main_Page which is a community fork of the Vyatta Core OS

Arch Linux on a T400 – Log

Trying out Arch Linux on a Lenovo T400!

First step after getting the T400 Dual Core Centrino 2.26GHz 4GB RAM: replace the 160GB spinning rust with a 120GB Samsung 840. Very easy to take out the old disk and put the new SSD in the carrier.

https://wiki.archlinux.org/index.php/Lenovo_ThinkPad_T400 has some details.

https://wiki.archlinux.org/index.php/Installation_Guide and the Beginner’s Guide are quite helpful.

To make it easy, the partition layout I created with parted was:

mklabel: MSDOS
mkpart: pri, 0%, 300M /boot ext4 – flag bootable
mkpart: pri, 300M, 100%, /, ext4
No swap!

Install base and some important packages to disk after mkfs and mounting and setting up mirrors:

pacstrap /mnt base dialog iw wpa_supplicant grub parted sudo alsa-utils vim ttf-dejavu openssh screen

Beginners’_Guide had sufficient instructions to set up the boot loader, except that this was needed or grub-mkconfig would fail with a syntax error:

echo "GRUB_DISABLE_SUBMENU=y" >> /etc/default/grub

After successful boot time to get a graphical display up and running :)

Beginner’s guide to the rescue: Beginners’_Guide#Graphical_User_Interface

Lightdm was easy to set up and worked right out of the box, which GDM did not. DWM was easy too, I think I can get used to using the ABS/makepkg stuff. Nicer than compiling it and copying the binary around.

Windows key is Mod4Key in config.h for DWM.

Packages and getting chromium-pepper-flash working:

  1. Install all the dependencies for Aura
  2. Download aura and makepkg -i install it
  3. aura -A chromium-pepper-flash

alsamixer and pressing “m” mutes/unmutes a channel :)

commando.io – manage servers

https://commando.io is up for public beta now. It is a page from where you can manage your servers online in a pretty web interface.

It uses ssh – you need to allow commando.io’s server to ssh into your server. You can specify which user and which port, and then it uses an ssh key to log in.

When you sign up, first you get to choose your own subdomain, like awesome.commando.io, and then add your user there. The subdomain you get, let’s say awesome.commando.io, points to an IP. Commando connects to your server from this IP, so that is the address your firewall rules should be scoped to.

First thing I noticed was that on CentOS 6 the command you get to copy-paste does not account for CentOS 6 setting permissions to 775 by default when running mkdir ~/.ssh.
I sent a message to commando.io with the built-in messaging tool on the 13th of November at 12:23. 12 minutes later I had a reply, so they are quite quick at responding.

Also sent in a suggestion that they look into ssh-copy-id instead of making ~/.ssh and setting permissions manually :)

Real easy to add a recipe and then run it on a server.

I could not find any existing recipes, nor were there any links to a repository or community page where one could share recipes or even example recipes.

All in all:

  • It looks nice and mostly works.
  • Is it safe? Do I want to give access to a third party provider that doesn’t have any obvious information declaring their high intent of security?
  • Some things that would be nice:
    • scheduled executions
    • using states – puppet-like, to ensure that something that was done in a recipe once is still the current state of the machine.
    • group import of servers
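The ~/.ssh permission problem mentioned above, as an added Python example that is not part of the original post or of commando.io’s tooling: it installs a key the way ssh-copy-id does (creating ~/.ssh with mode 700 and authorized_keys with mode 600 regardless of the distribution’s mkdir default) and lists what sshd’s StrictModes would reject. The key, comment and home directory are constructed.

```python
import os
import tempfile

# Token prefixes that start the key-type field of an authorized_keys line.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """(type, base64 blob) of an authorized_keys line, ignoring any leading
    options and the trailing comment, so the same key with a different comment
    is recognised as already present."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1]
    return None


def install_authorized_key(home, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys once, and enforce the modes
    sshd expects no matter what umask or mkdir default the system has.
    Returns True if the key was added, False if it was already there."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, exist_ok=True)
    # 700, not the 775 a CentOS 6 mkdir gives: group write on ~/.ssh makes
    # sshd (StrictModes yes) refuse key-based logins.
    os.chmod(ssh_dir, 0o700)
    existing = []
    if os.path.exists(auth_keys):
        with open(auth_keys) as f:
            existing = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    known = {key_identity(l) for l in existing}
    added = False
    if key_identity(pubkey.strip()) not in known:
        with open(auth_keys, "a") as f:
            f.write(pubkey.strip() + "\n")
        added = True
    os.chmod(auth_keys, 0o600)
    return added


def strict_modes_problems(home):
    """Paths sshd would reject under StrictModes (the default) because they are
    writable by group or others: the home directory, ~/.ssh and authorized_keys."""
    candidates = (home,
                  os.path.join(home, ".ssh"),
                  os.path.join(home, ".ssh", "authorized_keys"))
    return [p for p in candidates
            if os.path.exists(p) and os.stat(p).st_mode & 0o022]


# Constructed key: the blob is not a real public key.
SAMPLE_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlobNotARealKey00000"
              " user@laptop")


def demo():
    """Run the install twice in a scratch home directory, then reproduce the
    775 mode from the post and show that the check flags it."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o755)
        first = install_authorized_key(home, SAMPLE_KEY)
        # Same key, different comment: must not be added a second time.
        second = install_authorized_key(home, SAMPLE_KEY.replace("user@laptop", "copy"))
        clean = strict_modes_problems(home)
        os.chmod(os.path.join(home, ".ssh"), 0o775)
        flagged = [os.path.basename(p) for p in strict_modes_problems(home)]
        return {"first": first, "second": second,
                "clean": clean, "after_775": flagged}


if __name__ == "__main__":
    print(demo())
```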

BCvRP – Brocade Certified virtual Router Professional – Objectives

For training these I set up networks. Many.
Drawing the networks first in LibreOffice Draw and then setting them up with virtual machine templates and LAN segments.

The exam I took in October and because it was a beta exam the results aren’t out until December :)

The BCvRP has the below objectives (included for free are some of my comments on each topic).
None of this should be taken as a replacement for taking the actual course and actually doing these things on a vrouter.
And honestly, the various concepts and technologies described in the objectives below can become very complex. So before taking this course/exam you at a minimum want to know the basics of BGP and setting up an OSPF network should be a breeze.


OSPF Multi-Area Concepts

  • Describe OSPF routing concepts
  • Stub area – replace external routes with a default route
  • NSSA – not so stubby – can have a local external route inside a stub area
  • no-summary : exclude inter-area routes
  • LSA – link state advertisements
    • Type 1, from all OSPF routers: lists directly connected subnets/links; does not cross area boundaries
    • Type 2, from the DR: lists the routers connected to a network; does not cross area boundaries
    • Type 3, from an ABR: lists networks from outside the local area
    • Type 4, from an ASBR: summary, lists the location of the ASBR
    • Type 5, from an ASBR: AS external, lists networks outside the OSPF AS. Type 7 is used in an NSSA.
  • Summarization: Good to have continuous addresses in an area, easier to summarize.
    • Do not summarize routes originating in Area 0.

BGP, EBGP and IBGP Concepts

  • Describe gateway protocol concepts
  • BGP Basics
    • Purpose is to determine best path (not necessarily the shortest)
    • TCP Connection, no periodic updates.
    • iBGP – within an AS / eBGP – between AS
    • Attributes – BGP policies – costs
    • eBGP – best to be on the same network
    • TCP port 179
    • A unique AS number is needed, there are private AS numbers.

eBGP

set protocols bgp <as-number> router-id <ip>
set protocols bgp <as-number> neighbor <ip-address> remote-as <as-number>
set protocols bgp <as-number> network <address/mask>

The network statement needs an exact match in the router’s routing table; if there is none, create a static blackhole route for it on the router.

iBGP = same AS on the BGP peer (the neighbor)

iBGP – a full mesh is necessary, because iBGP does not forward routes learned from other iBGP peers.
One can use “next-hop-self” so that an iBGP router changes the next-hop address to itself whenever it propagates the route.
update-source – this needs to be the same as the router-id.

iBGP required settings: local AS number, neighbor address and “update source”.

BGP does not re-advertise routes by itself after an administrator’s changes.
Changes to eBGP policy do not come into effect until you run the reset:
reset ip bgp external out. The BGP table can be large – gigabytes.
Use the word soft to only request updates and not reset the peer connection.

reset ip bgp external [ipv4 address]


Tuning attributes and priority

  1. Local preference – only included within an AS. Default is 100. Higher is better.
  2. AS Path – always forwarded – shorter is better
  3. Origin – lowest
  4. Multi-exit discriminator # modified by an ISP to indicate preference
  5. eBGP preferred over iBGP
  6. Lowest Peer ID
  7. Community # group of prefixes with a common property. Can be used in filters.


Prepending: insert your own AS number (extra times) at the beginning of the AS path, making the path look longer.
Communities are created with: set policy community-list
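The attribute order above and the effect of prepending, as an added Python example that is not from the original post: a best-path comparator in that order (local preference, AS path length, origin, MED, eBGP over iBGP, lowest peer ID) run over a constructed scenario. The AS numbers, prefix and peer IDs are made up.

```python
from dataclasses import dataclass, replace
from typing import List

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is better


@dataclass
class Path:
    prefix: str
    peer_id: str           # router ID of the peer that advertised the route
    as_path: List[int]     # leftmost entry is the most recently traversed AS
    local_pref: int = 100  # default 100, higher wins, only carried inside the AS
    origin: str = "igp"
    med: int = 0           # lower wins
    ebgp: bool = True      # learned from an eBGP peer (preferred over iBGP)


def selection_key(p: Path):
    """Sort key in the order of the attribute list; the smallest key wins, so
    attributes where 'higher is better' are negated."""
    return (
        -p.local_pref,                                  # 1. local preference
        len(p.as_path),                                 # 2. AS path length
        ORIGIN_RANK[p.origin],                          # 3. origin
        p.med,                                          # 4. MED
        0 if p.ebgp else 1,                             # 5. eBGP over iBGP
        tuple(int(o) for o in p.peer_id.split(".")),    # 6. lowest peer ID
    )


def best_path(candidates: List[Path]) -> Path:
    return min(candidates, key=selection_key)


def advertise(path: Path, own_as: int, peer_id: str, extra_prepends: int = 0) -> Path:
    """The route as a neighbour receives it from own_as: the advertising AS is
    placed at the front once, plus extra_prepends more copies when prepending."""
    return replace(path, peer_id=peer_id,
                   as_path=[own_as] * (1 + extra_prepends) + path.as_path)


def demo() -> dict:
    """Constructed scenario: 10.10.0.0/24 originates in AS 65010 and reaches our
    router via two upstreams, AS 65001 (peer 192.0.2.1) and AS 65002 (192.0.2.2)."""
    origin = Path("10.10.0.0/24", peer_id="0.0.0.0", as_path=[65010])
    via_a = advertise(origin, 65001, "192.0.2.1")
    via_b = advertise(origin, 65002, "192.0.2.2")

    # Identical attributes: the tie is broken by the lowest peer ID.
    tie = best_path([via_a, via_b]).peer_id

    # AS 65001 prepends itself twice more; its path is now longer, so via_b wins.
    via_a_prep = advertise(origin, 65001, "192.0.2.1", extra_prepends=2)
    after_prepend = best_path([via_a_prep, via_b]).peer_id

    # Our own inbound policy sets local preference 200 on the prepended path;
    # local preference is compared before AS path length, so via_a wins again.
    via_a_pref = replace(via_a_prep, local_pref=200)
    after_local_pref = best_path([via_a_pref, via_b]).peer_id

    # Same path otherwise: a copy learned over iBGP loses to the eBGP one,
    # even though its peer ID would be lower.
    via_b_ibgp = replace(via_b, peer_id="10.0.0.9", ebgp=False)
    ebgp_over_ibgp = best_path([via_b_ibgp, via_b]).peer_id

    return {"tie": tie, "prepend": after_prepend,
            "local_pref": after_local_pref, "ebgp": ebgp_over_ibgp}


if __name__ == "__main__":
    print(demo())
```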

BGP troubleshooting

A peer in the Active state is not good: the router is actively trying to set up a session and has not succeeded.


iBGP design

  • Peers do not have to be directly connected (unlike eBGP peers).
    • Connectivity over BGP
  • Peer to loopback address
  • Full mesh is required
    • Doesn’t scale. You can use a Route reflector (“concentrator”) and have other iBGP routers as clients.
    • route reflectors must be meshed
    • You can also create multiple private AS within your AS. Reduces members in the mesh. Called a confederation.
      • Public AS number is only visible in the config
      • The Private numbers are visible in the show ip bgp commands.


Create a peer group, set BGP settings on the peer group. Then assign peers to the group.

Route Redistribution

  • Describe route redistribution design and configuration
  • Best practices:
    • Set metrics
    • Do not redistribute into or out of BGP
    • Use network statements
    • Statements to direct towards BGP exit points
    • Only redistribute a network from one host (VRRP)
  • OSPF: metric type (increase cost)
  • Only active routes are redistributed

IPsec VPNs

  • Identify IKE Phase 1 and Phase 2 operations
  • Describe how to configure and troubleshoot an IPsec VPN

OpenVPN Concepts

  • Identify the features of OpenVPN
  • Describe OpenVPN configuration

VRRP Concepts

  • Describe VRRP concepts and operations

Optimization

  • Describe the attributes of WAN load balancing
  • Describe QoS features and configuration

Policy-Based Routing

  • Explain where policy-based routing falls in Brocade Vyatta packet flow
  • Configure and verify policy-based routing
  • Default: drop the route entry. By default only the first matching action is taken.
  • Rule -> Filter -> Route Map (excluding deny filters) -> take the action as defined
  • Filter list: prefix 172.16.0.0/16, le 24. Any netmask between /16 and /24, including /16.
  • Regexp for matching AS lists – use an underscore to match whitespace
  • The filter has the rules.
    • permit/deny in the filters affects whether the rule is applied to the filter.
  • Route-maps have the rules.
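The prefix-list le/ge semantics, the underscore in AS-path regular expressions and the first-match route-map behaviour from the notes above, as an added Python example that is not part of the original post. The prefix list, route map, prefixes and AS numbers are constructed.

```python
import ipaddress
import re


def prefix_list_entry_matches(entry, route, ge=None, le=None):
    """One prefix-list entry: the route must lie inside `entry` and its mask
    length within the ge/le range.  With neither, only an exact length matches;
    with only le the range starts at the entry's own length; with only ge it
    runs up to the maximum length of the address family."""
    entry_net = ipaddress.ip_network(entry, strict=False)
    route_net = ipaddress.ip_network(route, strict=False)
    if route_net.version != entry_net.version or not route_net.subnet_of(entry_net):
        return False
    low = ge if ge is not None else entry_net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = entry_net.max_prefixlen
    else:
        high = entry_net.prefixlen
    return low <= route_net.prefixlen <= high


def prefix_list_matches(prefix_list, route):
    """Sequences are evaluated in order; the first matching sequence decides
    (permit -> the list matches, deny -> it does not).  No match is a deny."""
    for permit, entry, ge, le in prefix_list:
        if prefix_list_entry_matches(entry, route, ge, le):
            return permit
    return False


def apply_route_map(route_map, route):
    """First rule whose filter matches wins; a route no rule matches is dropped."""
    for action, prefix_list in route_map:
        if prefix_list_matches(prefix_list, route):
            return action
    return "deny"


def as_path_regex(pattern):
    """Compile an AS-path regexp.  '_' is expanded the way router CLIs treat it:
    start or end of the path or a separator, so '_65001_' matches AS 65001 as a
    whole element and not as a substring of 165001."""
    anchor = r"(?:^|$|[ ,{}()])"
    return re.compile(pattern.replace("_", anchor))


def as_path_matches(pattern, as_path):
    text = " ".join(str(asn) for asn in as_path)
    return as_path_regex(pattern).search(text) is not None


# Constructed prefix list: (permit, prefix, ge, le) in sequence order.
INTERNAL_PL = [
    (False, "172.16.99.0/24", None, None),   # deny exactly this /24
    (True,  "172.16.0.0/16",  None, 24),     # permit /16 .. /24 inside 172.16/16
]
EXPORT_MAP = [("permit", INTERNAL_PL)]      # one rule; anything else hits the default deny


def demo():
    return {
        "summary":    apply_route_map(EXPORT_MAP, "172.16.0.0/16"),    # the /16 itself
        "branch":     apply_route_map(EXPORT_MAP, "172.16.5.0/24"),
        "blocked":    apply_route_map(EXPORT_MAP, "172.16.99.0/24"),   # earlier sequence denies
        "too_long":   apply_route_map(EXPORT_MAP, "172.16.5.128/25"),  # beyond le 24
        "other":      apply_route_map(EXPORT_MAP, "10.0.0.0/8"),       # nothing matched
        "via_65001":  as_path_matches("_65001_", [65010, 65001, 65002]),
        "not_165001": as_path_matches("_65001_", [65010, 165001]),
        "bare":       as_path_matches("65001", [165001]),              # why '_' matters
        "originated": as_path_matches("_65001$", [65002, 65001]),
    }


if __name__ == "__main__":
    print(demo())
```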

Multicast Routing

  • Describe multicast protocols/elements
  • Configure and troubleshoot multicast routing

BCvRE – Brocade Certified virtual Router Engineer – Objectives

This post will be continuously updated with my short notes under each concept.
It’s not meant to be a replacement of the official training materials.
I’m just starting out playing with the vRouter Core / open source version; installing it in a VM and setting up some networks and firewalls is probably one of the best ways to learn this.
Learn by doing!

The Brocade Certified vRouter Engineer 2013 exam has these objectives:


Brocade Vyatta vRouter System Operations

  • Describe show command system usage
    • show – in operational mode shows status of components
    • show – in configurational mode shows the configurations
    • run show –  in configurational mode shows status of components
  • Identify key CLI operations
    • set/delete
    • copy (configs)
    • renew (new dhcp IP)
    • install (to disk)
  • Describe the commit and save processes

Ethernet Concepts

  • Identify Ethernet operations
  • Identify VLAN operations and settings
    • set interface ethernet eth0 vif <vlanid> # this creates the subinterface eth0.<vlanid>, which looks like a normal ethernet interface.
    • set interface pseudo-ethernet # these can be used if you want to set the MAC address. Some features are not allowed for these peth devices though (VLAN, bonding).
  • Identify bonded interface operations
    • Two NICs on the same network
    • set interface bonding (IP address, mode)
    • set interface ethernet (bond-group)
  • Demonstrate knowledge of configuration and operation using show commands

TCP/IP

  • Demonstrate knowledge of the relationship between Layer 2, IP and TCP/IP
  • Identify TCP and UDP differences
  • Identify address subnets

DHCP and DNS Troubleshooting

http://www.guldmyr.com/blog/?p=2022 I’m going through how to set it up.

  • Describe troubleshooting of DHCP operations
    • show dhcp server leases
    • show log dhcp
  • Describe troubleshooting of DNS forwarding
    • monitor dns forwarding # I could not get anything into the log
    • show dns forwarding # shows the cache size, for example

Routing

http://www.guldmyr.com/blog/?p=2022 went through how to set up static routes

  • Identify uses for routing
  • Identify show commands for use with routing
  • Identify configuration of different types of static routes

Firewalls

  • Describe firewall operations and troubleshooting using show commands
  • Describe firewall rulebase operations
    • set firewall name <name> default-action
    • set firewall name <name> rule 1 destination/source
    • set firewall name <name> rule 1 action <action>
    • set interface bonding bond0 firewall in/local/out name <name>
      • in – into the router (matching on destination IP)
      • out – out from the router  (matching on source IP)
      • local – to the router itself

NAT

  • Describe NAT concepts

Upgrades

  • Describe the Brocade Vyatta upgrade process
    • 1. Install 6.5R1 to disk.
    • 2. add system image URL
    • 3. reboot
    • It is also possible to copy the config elsewhere and reinstall

Logging and Packet Captures

  • Identify logging options for firewall and NAT operations
    • set firewall name <name> rule <num> log enable
    • commit; exit
    • monitor firewall .. # and see matches to the rule.
  • Identify methods to verify operations and troubleshooting

OSPF Single-Area

http://www.guldmyr.com/blog/?p=2022 set up an area 0 OSPF

  • Describe OSPF show command output
  • Describe how to configure OSPF

BCvRE – Brocade Certified virtual Router Engineer

Been checking out the Vyatta vRouter a bit closer. Mostly because of the BCvRE exam but I’m slowly starting to think there might be some benefits to using it elsewhere too.

  1. See vyatta-a-routervpnfirewall-in-a-vm-brocade-certified-vrouter-engineer/ for where to find manuals or training materials.
  2. See the objectives.

I tried installing Vyatta vRouter 6.6 amd64 Live ISO to disk first in a Virtualbox VDI file and then uploading said file to openstack. This works, but:

Ethernet interfaces might get renamed, but a startup, login and save, power off and another boot should get the first interface back to eth0.

In the openstack available to me I could set up my own networking topology like this:

  • Create one network (VLAN) and define several subnets inside (these are still kind of firewalled based on IP and MACs).
  • Then create machines and add the network.
  • Power off and start the machines again (or the links stay DOWN).

VMs should see an individual eth interface per subnet.
The machines still get an IP assigned to each interface/subnet even if DHCP is disabled. If DHCP is disabled you still have to statically assign exactly that assigned address on the interface.
The interfaces are in order: the IP listed at the top is the IP you need to put on the first interface (eth0).

Because a lot of the things you can do with a router involves creating networks and assigning IP addresses, which openstack would block for security reasons – it was much easier to do all of these in VMWare Workstation:

DHCP/DNS

  1. Install a Vyatta VM – bridged and a private network (without a DHCP).
  2. Install another OS in a VM – this will be a client – only on the private network.
  3. Put both VMs in the same network.
  4. Configure dhcp on the Vyatta VM:
configure
delete interfaces ethernet eth1 address dhcp 
set interfaces ethernet eth1 address 10.1.1.1/24
commit

Configure dhcpd on the Vyatta VM:

configure
set service dhcp-server
set service dhcp-server shared-network-name ETH1_POOL subnet ??? # pool, dns, router

Then, set up so that the Vyatta VM routes traffic from the private network to the Internets. A NAT. This is called a source NAT in the vyatta CLI.

set nat source rule 10 ??? # Put in the settings you need. Source, outbound interface and the IP they should be seen as from the outside.

Real easy to set up a DNS forwarding server too:

set service dns forwarding listen-on eth1 
set service dns forwarding name-server 8.8.8.8
commit

Now we have a client behind the Vyatta gateway that can access the Internet!

It’s possible to set up different kinds of VPNs. For example site-to-site or remote access.

It is possible to ssh from the vyatta VM – you can even run ssh-keygen. How to add an authorized key you wonder?:

set system login user vyatta authentication ...

Routing

Another thing to test: launch a bunch of Vyatta VM and use them to route IP traffic, woop woop! The BCvRE objectives actually mention OSPF so this would be wise to test.

Starting with static routing

Key: Network Name (IP subnet, interface on the host)

  • VM hostname – Interface inside the VM: IP address

Topology:

Public (192.168.1.0/24, bridged):

  • Vyatta – eth0: 192.168.0.23

Network A (10.1.1.0/24, vmnet2):

  • Vyatta – eth1: 10.1.1.1
  • V1 – eth0: 10.1.1.10
  • V2 – eth1: 10.1.1.20

Network B (10.2.2.0/24, vmnet3):

  • V2 – eth2: 10.2.2.20
  • V3 – eth0: 10.2.2.30

Static routing:

Vyatta: set protocols static route 10.2.2.0/24 next-hop 10.1.1.20
V1: set protocols static route 10.2.2.0/24 next-hop 10.1.1.20
V3: set protocols static route 10.1.1.0/24 next-hop 10.2.2.20
V3: ping 10.1.1.10

OSPF!

Adding host V4 that is in Network B and Network C.
Basically Vyatta, V2 and V4 are routers.
V1 and V3 do not run OSPF, they have their default gateway to one of their local routers.
So V3 has 10.2.2.20 and V1 has 10.1.1.1.

Public (192.168.1.0/24, bridged):

  • Vyatta – eth0: 192.168.0.23

Network A (10.1.1.0/24, vmnet2):

  • Vyatta – eth1: 10.1.1.1
  • V1 – eth0: 10.1.1.10
  • V2 – eth1: 10.1.1.20

Network B: (10.2.2.0/24, vmnet3)

  • V2 – eth2: 10.2.2.20
  • V3 – eth0: 10.2.2.30
  • V4 – eth0: 10.2.2.40

Network C: (10.3.3.0/24, vmnet4)

  • V4 – eth1: 10.3.3.40

Remove all static routes we did previously on Vyatta and V[1-2,4]:

delete protocols static route
commit
save
show proto

Set up OSPF – define the networks on each router that that router share with another router:

ALL: set loopback interface IP to something unique and with a /32
ALL: set protocols ospf redistribute connected
V4: set protocols ospf area 0 network 10.2.2.0/24
V2: set protocols ospf area 0 network 10.2.2.0/24
V2: set protocols ospf area 0 network 10.1.1.0/24
Vyatta: set protocols ospf area 0 network 10.1.1.0/24
V3: set system gateway-address 10.2.2.20
V1: set system gateway-address 10.1.1.1

Test:

V4: ping 192.168.0.23
V4: show ip ospf route

Debug:

V2: monitor protocol ospf enable lsa
V4: reboot # and wait
V2: show log|less

Vyatta: a router/vpn/firewall in a VM

Brocade has a beta exam up for BCVRE – Certified vRouter Engineer – which is on the Vyatta software from the company with the same name that Brocade bought last year.

There is the free open source core. Download from here: http://vyatta.org/downloads (no you don’t have to register).  The evaluation/subscriber version has the API and web gui available, I’ll probably check those out closer to the exam date.

I grabbed VC6.6 – Virtualization ISO. Use it in a VM and assign 5GB disk (install only requires 1G, or you could just run it on the iso, but then it doesn’t keep state between reboots) and 1GB RAM. Two NICs: One NAT and one private. But to get more acquainted with it you’ll likely have to do a bit more configuration on the hypervisor side. Such as turn off dhcpd in your virtual networks.

To install it to disk: hit “install system” at the CLI after it’s booted.

More documentation: http://docs.vyatta.com/current/wwhelp/wwhimpl/js/html/wwhelp.htm – there are descriptions how to get for example ssh management working ( set service ssh ).

The server is basically Debian with a more recent kernel (6.6 has 3.3) and a shell to make it more switch-like. It actually uses the bash completion to make it look like this. Check out /etc/bash_completion.d/vyatta-*

To remove a setting use “delete” (comparable to no in other CLIs). There is a web interface, but this is only for subscribers. Core version allows SNMP though if you want to use that :)

What to do with vyatta? A bunch of tutorials are here: http://www.vyatta.org/documentation/tips-tricks

  • NAT
  • VPN (for example connect private cloud <-> Amazon VPN)
  • Firewall
  • Routing (OSPF, BGP, etc)

But no SDN stuff (separate data and the control plane). It looks like it’s not possible to modify the flow table of a switch via Vyatta. This looks like a software router/VPN/firewall with some extras added to it.

Red Hat – Clustering and Storage Management – Course Objectives – part 2

Post 1 – http://www.guldmyr.com/blog/red-hat-clustering-and-storage-management-course-objectives/ Where I checked out udev, multipathing, iscsi, LVM and xfs.

This post is about using luci/ricci to get a Red Hat cluster working, but not on a RHEL machine because sadly I do not have one available for practice purposes. So CentOS 6.4 it is. Using openstack for virtualization.

Topology: Four hosts on all three networks, -a, -b and internal. Three cluster nodes and one management node.

Get the basic cluster going:

  • image four identical nodes
  • ssh-key is distributed
  • /etc/hosts file has all hosts, IPs and networks
    • network interfaces are configured
    • set a gateway in /etc/sysconfig/network
  • firewall
    • all traffic allowed from -a and -b networks
    • at a minimum allow traffic from the network that the hostname corresponds to that you enter in luci
  • dns (PEERDNS=no is good with several dhcp interfaces)
  • timesync with ntpd
  • luci installed on mgmt-node # luci is the web gui
  • ricci installed on all cluster nodes # this is the service that talks with corosync
    • password set for user ricci on cluster nodes
  • create cluster in luci
    • multicast perhaps doesn’t work so well in openstack?
    • on cluster nodes this runs “yum -y install cman rgmanager lvm2-cluster sg3_utils gfs2-utils” if shared storage is selected, probably less if not.
  • fencing is really important, how to do it in openstack would require a bit of work though. Not as easy as with kvm/xvm to send a destroy domain message.

Tests:

  • Update and distribute cluster.conf
  • Have a service run on a node on the cluster (doesn’t have to have a shared storage for this).
  • Commands:
    • clustat
    • cman_tool
    • rg_test test /etc/cluster/cluster.conf start service name-of-service
    • ccs_config_validate


Share an iSCSI target between all nodes:

  • Using management node to share the iSCSI LUN.
  • tgtd, multipath
  • clvmd running on all nodes
  • lvmconf – make sure locking is set correctly
  • create vg with clustering
  • partprobe; multipath -r # do this often
  • vgs/lvs and make sure all nodes see the clustered lv
  • minimum GFS filesystem is around 128M – you didn’t use all the vg right? =)
    • for testing/small cluster lowering the journal size is goodness
  • mount!


Red Hat – Clustering and Storage Management – Course Objectives

Attending “Red Hat Enterprise Clustering and Storage Management” in August. Quite a few of these technologies I haven’t touched upon before so probably best to go through them before the course.

Initially I wonder how many of these are Red Hat specific, or how many of these I can accomplish by using the free clones such as CentOS or Scientific Linux. We’ll see :) At least a lot of Red Hat’s guides will include their Storage Server.

I used the course content summary as a template for this post, my notes are made within them.. below.

For future questions and trolls: this is not a how-to for lazy people who just want to copy and paste. There are plenty of other sites for that. This is just the basics and it might have some pointers so that I know which are the basic steps and names/commands for each task. That way I hope it’s possible to figure out how to use the commands and such by RTFM.


Course content summary :

Clusters and storage

Get an overview of storage and cluster technologies.

ISCSI configuration

Set up and manage iSCSI.

Step 1: Set up a server that can present iSCSI LUNs. A target.

  1. CentOS 6.4 – minimal. Set up basic stuff like networking, user account, yum update, ntp/time sync then make a clone of the VM.
  2. Install some useful software like: yum install ntp parted man
  3. Add a new disk to the VM

Step 2: Make nodes for the cluster.

  1. yum install iscsi-initiator-utils

Step 3: Set up an iSCSI target on the iSCSI server.

http://www.server-world.info/en/note?os=CentOS_6&p=iscsi

  1. yum install scsi-target-utils
  2. open TCP port 3260 in iptables
  3. edit /etc/tgt/targets.conf
  4. if you leave the initiator-address and incominguser lines commented out there is no access control at all: any host that can reach port 3260 can log in to the target and write to the LUN.
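Added example of a targets.conf stanza that is not a free-for-all; it is not from the page or from the tgt project, and the IQN, the backing device, the node addresses and the CHAP credentials are all assumptions.

```text
# /etc/tgt/targets.conf
default-driver iscsi

<target iqn.2013-08.lab.local:gfs.lun0>
    backing-store /dev/vdb
    # Only the cluster nodes may log in; every other initiator gets
    # a login failure instead of a LUN it can write to.
    initiator-address 192.168.122.11
    initiator-address 192.168.122.12
    # CHAP: the initiator has to present this user/secret at login
    incominguser clusternode S3cretChapKey12
</target>
```

Apply it with tgt-admin --update ALL (or restart tgtd) and check with tgt-admin -s, which lists the ACL and account information per target. On the nodes the matching settings go into /etc/iscsi/iscsid.conf (node.session.auth.authmethod = CHAP, node.session.auth.username, node.session.auth.password) before the iscsiadm discovery and login. CHAP only authenticates the login; the data on the wire is still cleartext, so keep the target on a storage VLAN that the rest of the network cannot reach.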

http://www.server-world.info/en/note?os=CentOS_6&p=iscsi&f=2

Step 4: Login to the target from at least two nodes by running ‘iscsiadm’ commands.

Next step would be to put an appropriate file system on the LUN.

UDEV

Learn basic manipulation and creation of udev rules.

http://www.reactivated.net/writing_udev_rules.html is an old link but just change the commands to “udevadm” instead of “udev*” and at least the sections I read worked the same.

udevadm info -a -n /dev/sdb

The command above shows the properties you can build rules from. Only use properties from one parent device: a rule whose SUBSYSTEMS/ATTRS{} keys come from different parents never matches, because udev checks them against one parent at a time.

I have a USB key that I can pass through to my VM in VirtualBox, without any modifications it pops up as /dev/sdc.

By looking in the output of the above command I can create /etc/udev/rules.d/10-usb.rules that contains:

SUBSYSTEMS=="usb", ATTRS{serial}=="001CC0EC3450BB40E71401C9", NAME="my_usb_disk"

After “removing” the USB disk from the VM and adding it again, the disk (and also all of its partitions!) will be called /dev/my_usb_disk. This is bad.

By using SYMLINK+="my_usb_disk" instead of NAME="my_usb_disk" all the /dev/sdc* devices are kept and /dev/my_usb_disk points to /dev/sdc5. On the next boot it pointed to sdc6 (and before that sg3 and sdc7..), because the rule matches every device under that USB parent (each partition and the sg node too) and whichever is processed last wins the symlink. This is also bad.

To make one specific partition with a specific size be symlinked to /dev/my_usb_disk I could set this rule:

SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk"

You could do:

KERNEL=="sd*", SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk%n"

which creates /dev/my_usb_disk5 (%n expands to the kernel number of the device, here the partition number).

This would perhaps be acceptable, but if you ever want to re-partition the disk then you’d have to change the udev rules accordingly.

If you want to create symlinks for each partition (based on it being a usb, a disk and have the USB with specified serial number):

SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{serial}=="001CC0EC3450BB40E71401C9", SYMLINK+="my_usb_disk%n"

These things can be useful if you have several USB disks but you always want the disk to be called /dev/my_usb_disk and not sometimes /dev/sdb and sometimes /dev/sdc.

For testing one can use “udevadm test /sys/class/block/sdc”, which simulates the event and prints the rules that matched and the resulting names/symlinks.
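Added example, not part of the original notes: a small Python script that parses the output of udevadm info -a, builds a rule from exactly one parent device, and checks that a hand-written rule does not mix attributes from different parents (the trap mentioned above). The sample output is constructed and abridged, with made-up sysfs paths, vendor and model; only the serial is the one used in the rules above.

```python
import re

# Constructed, abridged sample of `udevadm info -a -n /dev/sdc` output.
# Paths, vendor and model are made up; the serial is the one from the notes.
SAMPLE = """\
looking at device '/devices/pci0000:00/0000:00:0b.0/usb1/1-1/1-1:1.0/host6/target6:0:0/6:0:0:0/block/sdc':
    KERNEL=="sdc"
    SUBSYSTEM=="block"
    DRIVER==""
    ATTR{size}=="7831552"
    ATTR{removable}=="1"

  looking at parent device '/devices/pci0000:00/0000:00:0b.0/usb1/1-1/1-1:1.0/host6/target6:0:0/6:0:0:0':
    KERNELS=="6:0:0:0"
    SUBSYSTEMS=="scsi"
    DRIVERS=="sd"
    ATTRS{vendor}=="Example "
    ATTRS{model}=="Flash Disk      "

  looking at parent device '/devices/pci0000:00/0000:00:0b.0/usb1/1-1':
    KERNELS=="1-1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{serial}=="001CC0EC3450BB40E71401C9"
    ATTRS{idVendor}=="1234"
"""

_BLOCK = re.compile(r"looking at (?:parent )?device '([^']+)':")
_KV = re.compile(r'^\s*([A-Z]+)(\{[^}]*\})?==(".*")$')


def parse_udevadm(text):
    """Split udevadm -a output into [(sysfs_path, {key: '"value"'}), ...]:
    the device itself first, then each parent in the order udev walks them."""
    blocks = []
    for line in text.splitlines():
        m = _BLOCK.search(line)
        if m:
            blocks.append((m.group(1), {}))
            continue
        m = _KV.match(line)
        if m and blocks:
            key = m.group(1) + (m.group(2) or "")   # e.g. ATTRS{serial}
            blocks[-1][1][key] = m.group(3)         # value keeps its quotes
    return blocks


def parent_with(blocks, subsystem):
    """Nearest parent whose SUBSYSTEMS is `subsystem`."""
    for path, attrs in blocks[1:]:
        if attrs.get("SUBSYSTEMS") == '"%s"' % subsystem:
            return path, attrs
    raise LookupError("no parent in subsystem %s" % subsystem)


def make_rule(blocks, subsystem, attr, symlink, kernel_glob="sd*"):
    """Rule matching the kernel name pattern plus ONE parent's subsystem and
    attribute; SYMLINK+= with %n gives every partition its own link."""
    _, parent = parent_with(blocks, subsystem)
    key = "ATTRS{%s}" % attr
    if key not in parent:
        raise LookupError("parent in %s has no %s" % (subsystem, key))
    return 'SUBSYSTEMS=="%s", KERNEL=="%s", %s==%s, SYMLINK+="%s%%n"' % (
        subsystem, kernel_glob, key, parent[key], symlink)


def check_single_parent(rule, blocks):
    """True if some single parent satisfies every SUBSYSTEMS/ATTRS{} key in
    the rule; False means the rule mixes parents and can never match."""
    wanted = dict(re.findall(r'(SUBSYSTEMS|ATTRS\{[^}]*\})==("[^"]*")', rule))
    return any(all(attrs.get(k) == v for k, v in wanted.items())
               for _, attrs in blocks[1:])


if __name__ == "__main__":
    blocks = parse_udevadm(SAMPLE)
    rule = make_rule(blocks, "usb", "serial", "my_usb_disk")
    print(rule)
    print(check_single_parent(rule, blocks))
    # vendor lives on the scsi parent, serial on the usb parent: never matches
    print(check_single_parent(
        'SUBSYSTEMS=="usb", ATTRS{serial}=="001CC0EC3450BB40E71401C9", '
        'ATTRS{vendor}=="Example "', blocks))
```

Feed it the real output (udevadm info -a -n /dev/sdc > sdc.txt) and drop the generated line into /etc/udev/rules.d/10-usb.rules; the check function is handy before running udevadm test, because a mixed-parent rule fails silently rather than with an error.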

Multipathing

Combine multiple paths to SAN devices into one fault-tolerant virtual device.

Ah, this one I’ve been in touch with before with Fibre Channel; it also works with iSCSI.
multipath is the command; be aware that settings in the devices and multipaths sections of multipath.conf override the defaults section (multipaths wins over devices, which wins over defaults).
multipathd is used when there actually are multiple paths to a LUN (the target is perhaps reachable on two IP addresses/networks), but it can also be used just to give a disk a stable, user-friendly name based on its WWID.

Some good commands:

service multipathd status
yum provides */multipath.conf # device-mapper-multipath is the package. 
multipath -ll

Copy the default multipath.conf into /etc (on RHEL 6, mpathconf --enable does that for you), reload multipathd and run multipath -ll to see what it does.
After that the fun begins!
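Added example of a /etc/multipath.conf that gives the shared LUN a stable alias and keeps multipath away from the node’s own disk; it is not from the original notes, and both WWIDs are placeholders (get the real ones with /lib/udev/scsi_id --whitelisted --device=/dev/sdX).

```text
defaults {
    user_friendly_names yes
    find_multipaths     yes
}

blacklist {
    # never let multipath claim the node's local system disk
    wwid "PLACEHOLDER_WWID_OF_LOCAL_DISK"
}

multipaths {
    # multipaths {} overrides devices {} which overrides defaults {}
    multipath {
        wwid  "PLACEHOLDER_WWID_OF_ISCSI_LUN"
        alias gfs_shared
    }
}
```

After service multipathd reload, multipath -ll should show /dev/mapper/gfs_shared on every node, and that is the device to hand to pvcreate so the clustered VG sits on the same name everywhere.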

 

Red Hat high-availability overview

Learn the architecture and component technologies in the Red Hat® High Availability Add-On.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/High_Availability_Add-On_Overview/index.html

Quorum

Understand quorum and quorum calculations.

Fencing

Understand Fencing and fencing configuration.

Resources and resource groups

Understand rgmanager and the configuration of resources and resource groups.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/High_Availability_Add-On_Overview/ch.gfscs.cluster-overview-rgmanager.html

Advanced resource management

Understand resource dependencies and complex resources.

Two-node cluster issues

Understand the use and limitations of 2-node clusters.

http://en.wikipedia.org/wiki/Split-brain_(computing)
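Added example, not from the course or the original notes, putting the cman quorum rules into code for the Quorum and Two-node sections above: quorum = floor(expected_votes/2) + 1, two_node="1" lowers it to one vote, and the recommended quorum-disk layout gives the qdisk (nodes - 1) votes. The partition scenarios at the bottom show why a two-node cluster without a qdisk lives or dies by its fencing: after a split, both halves are quorate. Node counts and vote values are made up.

```python
def quorum_needed(expected_votes, two_node=False):
    """Votes a partition must hold to be quorate (cman/votequorum rule).
    two_node=True models <cman two_node="1" expected_votes="1"/>."""
    if two_node:
        return 1
    return expected_votes // 2 + 1


def is_quorate(votes_seen, expected_votes, two_node=False, qdisk_votes=0):
    """votes_seen: the votes of the nodes this partition can still see
    (normally 1 per node); qdisk_votes: votes of a quorum disk it owns."""
    return sum(votes_seen) + qdisk_votes >= quorum_needed(expected_votes, two_node)


def qdisk_layout(node_count):
    """Recommended qdisk setup: qdisk votes = nodes - 1, so
    expected_votes = 2 * nodes - 1. One node that still owns the qdisk is
    quorate ("last man standing"); a partition without the qdisk never is,
    however many nodes it has, so the qdisk heuristics decide the split."""
    qvotes = node_count - 1
    return qvotes, node_count + qvotes


def split_brain(partitions, expected_votes, two_node=False,
                qdisk_votes=0, qdisk_owner=None):
    """Which sides of a partitioned cluster believe they are quorate.
    partitions: one vote list per side; qdisk_owner: index of the side whose
    node won the qdisk heuristics (None = nobody). More than one True means
    both sides start the services, and only fencing stops two writers from
    touching the shared LUN at the same time."""
    return [
        is_quorate(side, expected_votes, two_node,
                   qdisk_votes if i == qdisk_owner else 0)
        for i, side in enumerate(partitions)
    ]


if __name__ == "__main__":
    print("3 nodes, 1 alive :", is_quorate([1], 3))                       # False
    print("3 nodes, 2 alive :", is_quorate([1, 1], 3))                    # True
    print("2 nodes, no two_node, 1 alive:", is_quorate([1], 2))           # False
    print("2 nodes, two_node, split    :", split_brain([[1], [1]], 1, two_node=True))
    qv, ev = qdisk_layout(2)
    print("2 nodes + qdisk, split      :",
          split_brain([[1], [1]], ev, qdisk_votes=qv, qdisk_owner=0))
```

The last two lines are the whole two-node story: with two_node both sides print True and race to fence each other, with a qdisk only the side holding it stays up, and without either a lone surviving node simply stops its services (safe, but not highly available).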

LVM management

Review LVM commands and Clustered LVM (clvm).

Create Normal LVM and make a snapshot:

Tutonics has a good “ubuntu” guide for LVMs, but at least the snapshot part works the same.

  1. yum install lvm2
  2. parted /dev/vda # create two large primary partitions. With a CentOS 6.4 VM in OpenStack I had to reboot after this step.
  3. pvcreate /dev/vda3 /dev/vda4
  4. vgcreate VG1 /dev/vda3 /dev/vda4
  5. lvcreate -L 1G VG1 # create a logical volume smaller than the VG (to leave room for the snapshot volume); without -n it gets the name lvol0
  6. mkfs.ext4 /dev/VG1/lvol0
  7. mount /dev/VG1/lvol0 /mnt
  8. date >> /mnt/datehere
  9. lvcreate -L 1G -s -n snap_lvol0 /dev/VG1/lvol0
  10. date >> /mnt/datehere
  11. mkdir /snapmount
  12. mount /dev/VG1/snap_lvol0 /snapmount # mount the snapshot :)
  13. diff /snapmount/datehere /mnt/datehere # the snapshot still has one line, the origin has two

Revert a Logical Volume to the state of the snapshot:

  1. umount /mnt /snapmount
  2. lvconvert --merge /dev/VG1/snap_lvol0 # merges the snapshot back into the origin and removes it from /dev/VG1/. If the origin were still mounted, the merge would be deferred until the next activation.
  3. mount /dev/VG1/lvol0 /mnt
  4. cat /mnt/datehere # back to one line

XFS

Explore the Features of the XFS® file system and tools required for creating, maintaining, and troubleshooting.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/xfsmain.html

yum provides */mkfs.xfs # xfsprogs is the package

yum install quota

XFS Quotas:

mount with uquota to enforce user quotas, or with uqnoenforce for accounting only (usage is tracked and reported, but the limits are not enforced).
use xfs_quota -x (expert mode) to set quotas
xfs_quota -x -c "help limit" shows the syntax of the limit command

To illustrate the quotas: set a limit for user “user” on the filesystem mounted at /home:

xfs_quota -x -c "limit bsoft=100m bhard=110m user" /home

Then create two 50M files. While writing the third file the cp command stops when it hits the hard limit (crossing the soft limit only starts the grace period):

[user@rhce3 home]$ cp 50M 50M_2
cp: writing `50M_2': Disk quota exceeded
[user@rhce3 home]$ ls -l
total 112636
-rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M
-rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M_1
-rw-rw-r-- 1 user user 10477568 Aug 15 09:29 50M_2

Red Hat Storage

Work with Gluster to create and maintain a scale-out storage solution.

http://chauhan-rhce.blogspot.fi/2013/04/gluster-file-system-configuration-steps.html

Updates to the Red Hat Enterprise Clustering and Storage Management course

Comprehensive review

Set up high-availability services and storage.

SDN Course – Interview with Google Network Lead

This week in the SDN course on coursera there were lots of examples of real use of SDN stuff, for example like the B4 WAN by Google. They got a really interesting and cool interview with the Network Lead at Google – Amin Vahdat.
And! They actually put this interview up on youtube so you don’t have to be registered for the course on coursera to view the interview. Actually I just noticed all the interviews are there, including the one I mentioned before with the Internetz Architect David Clark.

The programming assignment for this week is to work with pyresonance, which is based on resonance + pyretic. It’s a controller that can change how the network forwards/routes traffic based on outside events, like a network intrusion or a bandwidth cap being hit. This is really new stuff; the code that was put on github was put there just 3 days ago :)

Assignment is to create a load balancer and forward traffic to hosts depending on load :)

Factory reset of a Brocade SAN switch

Ever wondered which is the easiest way?

Using configDefault --all does not clear everything; for example it doesn’t clear the system name, zoning, etc.

Setting the switch to AG mode (Access Gateway) clears more, as it basically dumbs down the switch, but it does not remove the licenses, the IP address or the passwords (passwdDefault takes care of the passwords). The switch has to be disabled (switchDisable) before the mode can be changed.

ag --modeenable
ag --modedisable

ag --modedisable (puts the switch back in normal switch mode) sets the default zone access to No Access, so if you want to merge this switch into a fabric you’ll most likely need to change that (defzone --allaccess, then cfgSave) and disable/enable the E_Ports.

Quite often there are some good tips on the Brocade’s community forum.

Make your own L2 Firewall!

Is what I did this week during the SDN Course on Coursera :)

Within Mininet or with a real OpenFlow-capable switch, you can point the switch at a controller. The controller figures out all the smart stuff and the switch only does what the controller tells it to do.

POX is one of the frameworks you can use to write controllers; it’s good for learning about controllers as it’s not as low level as its sibling NOX, which is in C++. There are controllers in Java too (Floodlight) and many more.

POX ships with some example components, for example a basic L2 learning switch. It remembers (among quite a few other things) the MAC addresses of hosts and on which port each MAC address was seen. With a simple ping: after the L2 broadcast has found the MAC of the recipient, the controller installs flows on the switch for MAC_source+port and MAC_destination+port.

What we did this week was, right after the switch component starts, to run some extra code that parses a .csv file of MAC address pairs that are not allowed to talk and adds these pairs to the flow table.

Pretty cool I think :)
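Added example, not the POX code from the assignment: a plain-Python model of the controller logic described above (learning switch plus a .csv block list), so the rule ordering can be tested without Mininet or a switch. The CSV content and its header names are constructed, and the flow entries are plain dicts standing in for OpenFlow flow_mods.

```python
import csv
import io

FLOOD = "flood"
DROP = "drop"

# Constructed block list, one pair per row (header names are an assumption).
# A pair listed once blocks traffic in both directions.
BLOCK_LIST_CSV = """\
id,mac_0,mac_1
1,00:00:00:00:00:01,00:00:00:00:00:02
2,00:00:00:00:00:03,00:00:00:00:00:04
"""


def load_block_list(text):
    """Return the set of unordered MAC pairs from the .csv text."""
    pairs = set()
    for row in csv.DictReader(io.StringIO(text)):
        pairs.add(frozenset((row["mac_0"].lower(), row["mac_1"].lower())))
    return pairs


class L2FirewallSwitch:
    """Controller-side model of one switch: a learning switch whose flow
    table starts with one drop rule per blocked (src, dst) direction."""

    LEARN_PRIORITY = 100
    DROP_PRIORITY = 200   # above the learned flows, so a blocked pair is still
                          # dropped once both MACs have been learned

    def __init__(self, blocked_pairs):
        self.blocked = blocked_pairs
        self.mac_to_port = {}
        self.flows = []   # what would be sent to the switch as flow_mods
        for pair in sorted(tuple(sorted(p)) for p in blocked_pairs):
            for src, dst in (pair, pair[::-1]):
                # a flow_mod with an empty action list means "drop"
                self.flows.append({"priority": self.DROP_PRIORITY,
                                   "dl_src": src, "dl_dst": dst, "actions": []})

    def packet_in(self, in_port, src, dst):
        """Handle a packet the switch had no flow for.
        Returns DROP, FLOOD or the output port number."""
        src, dst = src.lower(), dst.lower()
        self.mac_to_port[src] = in_port          # learn where src lives
        if frozenset((src, dst)) in self.blocked:
            return DROP                           # the drop flow covers it already
        out_port = self.mac_to_port.get(dst)
        if out_port is None:
            return FLOOD                          # unknown destination: flood it
        self.flows.append({"priority": self.LEARN_PRIORITY,
                           "dl_src": src, "dl_dst": dst,
                           "actions": [("output", out_port)]})
        return out_port

    def drop_rules(self):
        return [f for f in self.flows if f["priority"] == self.DROP_PRIORITY]


if __name__ == "__main__":
    sw = L2FirewallSwitch(load_block_list(BLOCK_LIST_CSV))
    print(sw.packet_in(1, "00:00:00:00:00:01", "00:00:00:00:00:05"))  # flood
    print(sw.packet_in(5, "00:00:00:00:00:05", "00:00:00:00:00:01"))  # 1
    print(sw.packet_in(2, "00:00:00:00:00:02", "00:00:00:00:00:01"))  # drop
```

The point worth noticing is the priority: in a real switch the learned src/dst flows and the drop flows match the same headers, so the drop rules must carry the higher priority or the firewall is bypassed as soon as the learning switch has seen both hosts.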

SDN Course on Coursera

Halfway now, in week3, and just finished the first programming assignment in the course Software Defined Networking.

Quite happy with the course so far, the quizzes are not too hard if you actually listen to the video lectures and after taking Coursera’s “Learn to Program: Crafting Quality Code” the python code was not too much for me. It took me about a day to get my head around it again (I don’t write programs or scripts in python so often) and complete this first assignment where we got to create a custom topology with customized links.

I think it was a great first assignment as it got me used to playing with python again and also some of the features and what one can do with mininet.

 

SDN course on coursera

Even though I’m on summer holiday I’d squeeze in time for a Software-Defined Networking course on coursera! https://www.coursera.org/course/sdn

It’s given by a professor from Georgia Tech.

It’s still not too late to register, it’s only on the second week (until tomorrow Monday 8/7) and the first two weeks are not too complicated, just some introductions and history for SDN. Programming things should start soon though.
The hard deadlines for each week’s quiz aren’t until 5th of August so plenty of time to catch up.

In particular I’d recommend a quite cool interview with David D. Clark and who is that? Quote from wikipedia: “… acted as chief protocol architect in the development of the Internet…” Which is pretty awesome. Hearing about some design decisions around the internet was quite interesting.

Mininet – Software Defined Networking

Mininet

Mininet is a network emulator written in Python. With it you can create a test network consisting of many devices, for example inside your laptop.
It’s a lot more light-weight compared to emulating switches/routers in GNS3. Initially Mininet appears to be more about easily getting a working network rather than tinkering with all the features of devices, but OpenFlow has a lot of nifty capabilities that Mininet makes a lot easier to explore.
Anyway I think it’s great that there are free software tools to learn how to setup the network.
Check out the link below, there are some assignments that are used at Stanford about how to create your own link state routing protocol. Cool!

It’s easy to set up a network with many switches, routers and hosts. You can specify packet loss, queue size and delays on links.

They did some tests between ssh and mosh, to see how much better mosh was when there was packet loss or delay.

You could deploy a setup similar to what you’ve tested in Mininet with real products. OpenFlow is used both in Mininet and in the real products :)

Install the mininet VM and test it!

There are many ways to install mininet. They provide a VM that you can boot or you can install it in your OS, but it requires root access.

They have a walkthrough that is quite a nice intro to setting up Mininet.

A note when using the VM image: If you’re already running Linux, for example I run Ubuntu on my machine all I had to do was to “ssh -X mininet@ip-to-vm” to be able to run wireshark in the vm. That’s a capital X.

 

SDN –  software defined networking

Some sources of information:

http://mininet.org/ – The network emulator

https://github.com/mininet/mininet/wiki/Documentation – On the github there are assignments that you can use to learn more about mininet.

https://www.coursera.org/course/sdn – On Coursera there is a free introduction course to SDN starting May 27! I’m joining it, are you?

http://www.opennetsummit.org/archives-april2013/ Free presentations about SDN inside.

http://tech.slashdot.org/story/13/04/29/2324200/inventor-of-openflow-sdn-admits-most-sdn-today-is-hype SDN is just a hype?

Command View P6000 EVA Simulator 10.0

Due to somewhat popular demand here’s another post detailing the steps for somewhat successfully installing HP P6000 Command View Simulator on Windows 7 x64. It can be a bitch.

The older post is from 2011 with CV 9.4, this one also has PA – performance advisory bundled.

  • Download: http://software.hp.com
  • Two files: EVA Simulator 10.0 (Z7550-00252_EvasimInstaller_100fr_v1.exe) and a readme
  • There is an e-mail listed in the readme!
    • But if you want to, you can put in a comment below saying how sexy I am :p
  • The readme is quite long but most of it is about how to use the PA (performance analyzer), Appendix B is a required read. It describes how to add the Groups so you can log on to CV.
    • A previous blog post by myself truly also goes through how to add a user group :)

For lazy hounds:

  1. (optional) Disable UAC in Windows and make yourself admin.
  2. Put an account in the Windows Group called “HP Storage Admins”.
  3. Launch the downloaded file (it extracts a setup.exe and .msi file)
  4. Launch setup.exe – it’s located in the same directory where you launched the Z7550-00252_EvasimInstaller_100fr_v1.exe
  5. Next, next, next, next, yes, yes, Wait, yes, Installed!
  6. Try out the “Start HP P6000 EVA Simulator” new icon on your desktop, does it work? Profit!

“XF application has stopped working” – some friendly error I got, and the CV simulator did not start.. Most likely a permission issue. Peeking through one of the command prompts, it repeats access denied.

It’s amazing that the CV simulator still relies on .bat scripts. Guess it’s for backwards compatibility with XP and Vista? Only one file necessary for all those Windows OS variants.

With default Windows security, the Simulator runs into a problem when it tries to write to files under c:\program files (x86)\ . There are probably many ways to remedy that, one might be step 1 above. This worked:

  1. Go to C:\Program Files (x86)\Hewlett-Packard\HP P6000 EVA Simulator\evasim
  2. Right-click on ‘start_bundle.bat’ and run it as an administrator. This should start the simulator.
  3. Open up a command prompt with Admin Privileges, cd your way into evasim directory and type: “start startcv.bat”
  4. That should launch the Command View process and also IE pointing to CV.
  5. If not, point your web-browser to: https://localhost:2374/SPoG/ or https://localhost:2374/
  6. Log in with the user/password you added into the “HP Storage Admins” group earlier.

Some tips:

In one of the “DOS” windows, there might be more clues as to what’s going on.

Open a command prompt with admin privileges by typing “cmd” in the search bar, then right-clicking and starting it as administrator.

Inside the Simulator DOS prompt you can hit enter and if you see some commands (save, stop, exit, start) then that’s the simulator window.

If you want your changes to be kept, type “save” in the simulator window before quitting.

Some thoughts:

It feels a bit ruggish. I bet this whole mess could be improved quite easily with some decent scripts. Here’s one I’d like to see:

import os, sys
evasim = r"C:\Program Files (x86)\Hewlett-Packard\HP P6000 EVA Simulator\evasim"
if sys.platform == "win32" and not os.access(evasim, os.W_OK):  # can we write where the .bat scripts write?
    print("You need more axx! Run start_bundle.bat as administrator.")
    sys.exit(1)

 

Studying for BCNE – Brocade Certified Network Engineer

In early April of 2013 Brocade had a great offer – ask for it and you’ll get a voucher to an exam – for free!

I took them up on their offer and scored a voucher for the BCNE – Brocade Certified Network Engineer.

After that I noticed that Brocade also has a limited offer for BCNE http://www.brocade.com/education/CNE_250.page , you can take them up on it if you already have a CCNA. By doing that you also get a free voucher to the BCNE exam..

I chose to try it without the recommended course. A bit risky but a long time ago I took the CCNA and passed. For me this exam was probably more about remembering and looking at improvements to all the things in CCNA back in 2005. This post is about my study technique or perhaps more of a record of how I did things. To find places for improvement.

Do you have any study tips you would like to share?

Some really useful links:

  • BCNE in a Nutshell guide – It’s also available on their saba/education page. But it’s out of date in there.
  • Brocade IP Primer – this is a great refresher on most Ethernet things if you’ve been out of touch.
  • Go through the manuals – but read the material in the newer released manuals.
  • IP Quick Reference – CLI Quick and quite comprehensive overview not only of commands but also of technologies.

http://community.brocade.com/docs/DOC-2613 has the list of pages and manuals and guides, but to get the newest documents you have to look elsewhere.
One place to get them is on each Product’s page on brocade.com, at the bottom there is a place to get some manuals.

First thing I did before diving into the materials was to take the BCNE Knowledge Assessment test. Get some sort of idea of what kind of topic the exam is about.

Then I read the nutshell guide and marked the things I needed to learn more about (basically all). Last time I took an exam with Brocade I only read the nutshell in the beginning of my study time, this time I’m re-reading it every now and then to see if I catch something that is not clear and I want to focus extra on. I’m also keeping a focus on the objectives of the exam. Reading the objectives and trying to answer them with as much detail as I can. The objectives are general so there’s quite a lot of room for freedom there. As a bonus, if you can’t describe something in the objectives well, you just found something you do not know well enough.

After going through the nutshell guide and checking up on a few acronyms and technologies I hadn’t heard about I read through the IP Primer and did the same things there: Mark the things that I thought would be of interest and what I would need to dig deeper into.

Then I went through the NetIron and FastIron configuration guides. Not only did I have a peek at all the pages that were listed as relevant, but I also read chapters that were not listed. Either because I found them interesting or perhaps because the subject in those chapters is touched upon in the Nutshell. To me that just means the more you know about the subject the better.

Rehash objectives/previous notes and dig deeper. Perhaps first time you read it you glanced over some part. By digging deeper I mean finding the chapters in all the manuals that touch on this subject and reading them, making more notes. Could also be surfing the Internets or Wikipedia for basic overview of how a technology operates. Eventually all of this crystallizes into a view that describes things in your own words.

To me there are parts of IT exams that you just can’t know even if you’ve been working with it for a long time. For example license options or feature differences between all the products. To learn things like these (also other types of questions I thought would come on the exam) I made flashcards in a spreadsheet and printed it on normal A4 so that the question is on one side and the answer is on the back. This was no easy feat.

After going through all these documents you should be able to figure out yourself which areas are being focused on – which you should be making sure that you know.

Some good articles/blog posts:

P.s. I passed :)