Tag Archives: certification

BCEFP 2015 certified!

Passed the Brocade Certified Ethernet Fabric Professional 2015 exam in May and I finally got the results back!

https://www.certmetrics.com/brocade/public/transcript.aspx?transcript=8XRF1FE12MR41GC4

This one felt quite hairy compared to the other tests I’ve taken. Definitely recommend doing the course / getting some real hands-on experience for these certifications.

BCEFP 2015 – Studying for the exam – part 3

Leave a reply

This third post focuses on the remaining sources of information I had for studying for the BCEPF. At the time this post is published I have taken the exam.

When I make comments to CLI commands I put them after a #.

This is part of a series of posts on the topic of studying for Brocade’s Certified Ethernet Fabric Professional.

The two previous posts: Objectives and reading materials, course and nutshell guide and NOS Admin Guide

VDX Troubleshooting Course

The material available also feels very short, same as the beta material available for the CEF300 , like only the parts of the slides that were updated for the BCEFP 2015 beta were included.
When a slide says “(cont.)” but there was no previous slides on this topic, that’s a hint :)
Take the (currently free) course on Brocade’s SABA – it’s under Education on my.brocade.com. It has way more slides and info.

Some notes from the course:

Firmware Upgrade

Can upgrade all/selected RBridges in a logical chassis: firmware download logical-chassis
FTP/SCP/SFTP/USB(only local switch with USB)
By default it stages firmware only – so no reboot or activate. By adding auto-activate it reboots all RBRidges at the same time, not recommended.

SNMP

When BNA discovers a switch it automagically configures the switch to send traps (UDP 162) to the BNA server.

Fabric Formation:

Requires: Licenses. Same VCS ID, unique RBridge ID and same VCS mode (Fabric Cluster or Logical Chassis)
Check:
- ISL ports are operational (show fabric islports)
- Incompatible Firmware Levels

ISLs:

no fabric isl enable # this disables ISL formation. This makes it an edge port
CPU could be too busy to send ISL keepalives
If ISL is segmented and interface is up/up – it’s probably a config issue.

vLAGs:

show running-config interface TenGigabitEthernet 1/0/2 # shows config
- no shutdown
- channel-group $NUMBER mode active type standard # active – LACP. Standard/Brocade proprietary.
show interface TenGigabitEthernet 1/0/2 # shows status
- When counters are non-zero and looking for errors. Clear them and compare the delta.

Other:

show interface stats brief # shows discards, errors and CRC
VRRP:
- show vrrp detail
- pre-empting : if a virtual router comes online with higher priority than the current it will take over
- VRRPE: Can enable short-path-forwarding. If one of the backup virtual routers (that don’t own the Virtual IP) can actually forward traffic if that is advantageous.

FCoE:

show running-config zoning # show FCoE zoning
show fabric all #
- RBRidge with this name: fcr_fd_160 # this comes online when fabrics are connected and Fibre Channel Routing is used.
- RBRidge with this name: fcr_xd_4_100 # this comes online when devices across FC Fabrics can communicate. Don’t see this? Check zoning.

iSCSI:

BCEFP practice questions / answers

http://community.brocade.com/t5/Certification/BCEFP-2013-Exam-150-180-Practice-Questions/ta-p/4099

These are decent practice questions and is nice because the answers give some explanation to the answers too.

Other

Intro to VCS Fabric Technology: http://www.brocade.com/downloads/documents/white_papers/intro-vcs-fabric-technology-wp.pdf

CFP- MSA CFP2 Hardweare Specs:

about the 40/100Gbps CFP2 SFP. MSA – multi-source agreement.
CFP2 module shall support LC, MTP12 and MTP24 optical connector types. MPO

NOS 4.1.1 release notes (p4,10,28,50):

4.1.0 and later support VRRP-E across VCS fabrics.
4.1.0 and later have vlag ignore split on by default
clear mac-address-table can clear MAC addresses associated with vLAGs and on other switches
Page 50 Has a table of scalability numbers for various features such as (6710 VCS, 6740 VCS, 8770 VCS):
- max members of a LAG (8,16,8)
- max switches in a fabric/logical cluster (24,32,32)
- max ECMP paths (8,8,16)
- max member ports in a vLAG (64)
- max member of VMs (8k)
- max ARP entries (8k,12,50k)

Network OS Command Reference v4.1.1 53-1003226-01

Pages 299, 1258-1260,1266,1297,1317,1318

firmware download
snmp-server user # access
snmp-server v3host # trap recipients
spanning-tree edgeport # quickly transitions to forwarding state: only for RSTP/MSTP. Portfast for STP.
switchport access # only allows untagged and priority tagged
switchport trunk allowed vlan ${rspan-vlan} # add allowed VLAN on trunks on L2 interfaces in trunk mode
switchport trunk default-vlan # put all non-matching traffic into this VLAN

Hardware reference manuals

VDX 6740 Hardware Reference Manual 53-1002829-02: Page 1

6470: 24 1/10GbE SFP+ ports.
6740T: 24 RJ-45
6740-1G: 48 RJ-45 Base-T. 10Gb with license.

VDX 8770-4 / 8770-8 Hardware Reference Manual 53-1002563-03:

Chapter 1, Page 1:
- Features CloudPlex.
- Requires NOS 3.0.0 or greater.
- 8770-8:
  - Up to 384 10GbE or 96 40GbE. Dual MM. 6 SFM. Max 8 PSU. 4 Fans. SX or LX 1Gbps SFP transceivers.
- 8770-4:
Chapter 3, Page 32
- For copper connections to < 1Gbps BaseT switches a crossover cable is needed (but it might not be if MDI/MDIX works..).
- LC connectors for fiber ports

VDX 6730 Hardware Reference Manual 53-1002389-06: Pages 1,2,15

6730-32: 32-ports. 6730-76: 76 ports. 8 or 16 x 8GB FC ports.

Network OS Software Licensing Guide v4.1 53-1003164-01

Pages 11-13

All have FCoE license (except 6710).
All have POD licenses (except 8770)
6740 have 10/40GbE port upgrades
8770 have L3 and Advanced Services

Notes:

for multi-hop FCoE it is needed on each node
L3: OSFP, VRRP, PIM-SM, Route-Maps, prefix list
Advanced: FCoE and L3
After installing a time-based license you cannot change system date or time. NTP is however not blocked. If you are using NTP, don’t change system date/time when a time-based license is installed.

BCEFP 2015 – Studying for the exam – part 2

Leave a reply

This second post focuses on the NOS Admin Guide.

When I make comments to CLI commands I put them after a #.

This is part of a series of posts on the topic of studying for Brocade’s Certified Ethernet Fabric Professional.

The two previous posts: Objectives and reading materials and course and nutshell guide

The NOS 4.1.1 Admin Guide

I’ve been reading the pages on paper (together with a highlighter :) that I printed with the help of my script below and there is lots of goodness in there.
For sure some topics are brought up without any preamble so for these I just make a note in the paper that I need to check out this other thing later.
Especially the Fibre Channel things take up quite a lot of pages. I thought in these devices FC would not be with so much focus but it seems like they do re-use a lot of the things in FC that works.

Notes and acronyms (page in NOS Admin Guide):

DCB – lossless. Able to allocate bandwidth on links.
TRILL – transparent interconnections of lots of links.
RBridge – Routing Bridge. Lowest WWN or priority.
Looks like on p54 only the text about Logical Chassis cluster config is applicable.
Trunking between VDX8770 and B8000 are not supported (B8000 is some early version of FCoE from Brocade, not visible on Brocade’s page where they list their switches)
ECMP – Equal-cost multi-path routing (p149)
AG – VCS must be enabled for Access Gateway
AMPP – Automatic Migration of Port Profiles – some OK pictures around p375
VRF – Virtual Routing and Forwarding

Questions:

There is also a Openstack Neutron Plugin (p29)
Would be good to include also page 114 before page 115 to see what they mean with leaf/spine/core (p115)
OOB access to console is via serial (p115)
How to reload a group of switches? (p115)
- reload system rbridge-id all
Does trill use IS-IS type link-state? (p136) Yes
Can VF_Ports be anywhere in the fabric? (p202) Yes, they must be mapped to N_Ports.
Is there no web interface on the VDX? (p269) Probably not, there are some “http server” and “ip http-server” commands.
What are valid upgrade paths? Not so clear. 3.0.0 to 4.0.0 is not OK. 3.0.1 to 4.0.0 is OK. (p341)
What is this netinstall? (p371) – 10 hits on google: brocade “netinstall” vdx
What does the asterisk mean in the output of “do show vcs” ? (p597) The one you are running the command on? Is not principal RBRidge, that is >.

Commands (# comments) (page):

backup config: copy rbridge-running-config rbridge-id rbridge-id location_config
- copy rbridge-running-config rbridge-id 2 scp://user:pw@host
vcs
- no vcs logical-chassis enable # remove a node from logical chassis cluster (p76)
- vcs replace rbridge-id 3 # replace RBridge with id 3 (p77)
- enable (p139)
- virtual ip address 10.1.1.1 (p143)
config terminal # to enter global exec mode (p94)
firmware download (p119)
logical-chassis principal-switchover (p138)
- and logical-chassis principal-priority are the only logical-chassis commands
disabling a port:
- shutdown # on an ISL brings down link and FSPF adjacency.
- no fabric isl enable # link stays up, shorter reconvergence
show
- vcs virtual-ip (p143)
vcenter/vnetwork # used to connect to a vcenter and to discover hosts. (p243)
bind # create persistent binding between logical FCoE port and 10G/40G/LAG port. Port or MAC, not both. (p345)
enable statistics direction # for VXLAN tunnels to enable statistics on VLANs. (p365)
no spanning-tree shutdown # default for all VLANs – meaning it’s enabled. (p381)
lacp system-priority 25000 # For deciding which system is in charge of resolving LAG conflicts. (p437)
nas server-ip IP/PREFIX # Set IPs for AutoQoS for NAS (p506)
address-family ipv4 unicast # Used to enter IPv4 config in a VRF (p609)
debug lacp pdu # turn on debug (p714)
- terminal monitor # view debug messages in terminal

Printing the NOS Admin Guide relevant pages:

Because the slides for the BCEFP course were insufficient I would get a lot of the basic information about the NOS from the NOS Admin Guide.
In the materials provided the NOS Admin Guide was separated into two documents. The guide is of course available in one pdf. Go to the web version and click on the pdf icon.
This makes printing based on the numbers provided easier. However the NOS Admin Guide for v4.1.1 referenced was one version below the one on the html version.

Now the numbers referenced are the numbers in the document, not the one told by the pdf viewer. So actually page 11 is page 13. Page 135 is 137. 311 is 313. 425 is 427. 517 is 519. 661 is 663. 714 is 716.
I checked a few to make sure there were no major increase due to version difference or elsewhere. One could with a bit of scripting increase each number with two like:

1,13-22,28-33,56-58,77-79,96,117,121,137-146,151,152,193,203-205,212,245-249,255,263,271,313-316,323,324,340-347,363-387,402,405,408,427-435,439,467,485,497,506,508,519-523,543,561,565,567,585,595,596,599,605-611,663-665,670,678,684,688,716,717

Cover page added to make it look nicer when printing. Old numbers:

Network OS Administrator’s Guide v4.1.1 53-1003225-01

Pages 11-20,26-31,54-56,75-77,94,115,119,135-144,149,150,191,201-203,210,243-247,253,261,269,311-314,321,322,338-345,361-385,400,403,406,425-433,437,465,483,495,504,506,517-521,541,559,563,565,583,593,594,597,603-609,661-663,668,676,682,686,714,715

BCEFP 2015 – Studying for the exam

3 Replies

In a previous post I listed a some of the sources Brocade listed that one should use when studying for the BCEFP exam. Here I’m going through a those I found some comments on what what they are and what I think of them.

Beta Course Material

The first of the beta material available is something called “Brocade Ethernet Fabric Administration“. This is a few pdfs/slides with notes on them. Introduction of various features and components. Not much detail in the first 10 modules and basically all the modules are awfully short, some are one slide even. Hopefully this is just because it’s a beta. Progressively they become more detailed, which is good to not overwhelm the reader I guess. Checking out the data sheet for the CEF 300 course should give you some idea what you should learn after going through the materials. There are free materials available for the Ethernet Fabric Specialist Accreditation – it’s even on the tube. The youtube video is quite long but it’s an introduction to the thought behind the Ethernet Fabrics. It’s a bit outdated already I hope as they the talk talks about immaturity a lot, less than a year old. The presenter – Chip Copper – also mentions a Fabric Essentials 201 that should be out “later on down the line” – which is not out yet. Boo Urns!

Questions I got while reading material:

What is a hard-drop option in an extended ACL?
What does “override the control packet trap entries” mean? Brocade communities to the rescue. Is for normal transit traffic and traffic to the CPU == the management interface?

BCEFP Nutshell

I usually print these out, read through a few times and note down anything I don’t get so that I can go through the course materials and user guides to completely understand it. This one is vital.

Some really useful sections:

VCS Data Path
VCS Fabric – Layer 3 Routing

Some questions I needed to clarify after reading the BCEFP nutshell guide (page numbers):

Are there any new hardware represented in the BCEFP 2015 compared to the BCEFP 2013?
- 6740 – 10GbE, 10GbE/FC and 40GbE ports
- 6740T – 48 x 1/10GbE
VDX6720:
- Is the VDX 6720-60 oversubscribed?
- Is the difference between switching and forwarding bandwidth that one is how much the backplane can handle and the other is how much the ports could do?
  - Looks like that, an older version of the 6720 Data Sheet shows this, it’s been removed in a future data sheet.
VCS / Logical chassis / Distributed:
- VCS Modes:
  - Logical Chassis: Requires NOS 4.0.0. Data and config paths are distributed. All is configured from the principal node.
    - Distributed
  - Fabric Cluster Mode: Data paths are distributed. Config is done independently on each node.
    - 8770 and 6740* boot up into this mode by default.
    - Local Only
- Standalone Mode: Only compact switches support this restricted mode – 6710-6730. Only support NOS 2.1 features. Only IP static routes and in-band management.
VDX 8770 and what does N+1 mean? Active passive.
- 8770-8 is N+1 with loss of one SFM
  - So it can loose one SFM and it still has a redundant SFM? Aye, this can have up to 6 SFM.
- 8770-4 is not N+1 if one SFM is lost
  - This can have 3 SFM
NOS 3 requires cold reboot of standby MM during failover & firmware upgrades. Does NOS 4 do too?
What is an unsigned integer? – Hop Count Field in the trill frame.
- It cannot be negative.
VCS features:
- VCS Edge Port config + LACP: With Brocade type are there more models than a CNA, VDX or Brocade 8000?
- With NOS v2.0.0a max 8 ECMP paths per switch. Different with NOS 4?
From show vcs detail (shows switches in the fabric):
- What is the Internal IP used for? Unclear, the pattern is: 127.1.0.RBRIDGE ID
- What does the state “Testing” indicate? Unclear, perhaps when running “diag *” commands?
show fabric
- “show fabric islports” is similar to switchshow shows islports only, how to see device ports
  - show interface switchport # shows all ports in L2 mode (VLAN1)
- “show fabric all” shows a short list of switches in fabric, similar to fabricshow
What is “Static MAC Pre-Provisioning on vLAG” ? (p55)
The fibre length of a link should have deskew value of 7 microseconds. Is this configurable?
- Looks like it’s not. It’s not in the NOS 411 cmd reference guide anyway.
FCOE
- FCF = FCoE Forwarder. A switch that does both Ethernet and FC
- ENode = FCoE Node
- FSB = FIP Snooping Bridge (Can I get a Yay for nested acronyms?) A FCoE Switch that needs to be connected to an FCF (p67)
- FCoE Profiles = (p84)
priority-table command is just messed up. What do the numbers mean? (p66)
- It’s a mapping of Priority Groups to Classes of Services.
Are Virtual Fabrics on FCoE supported these days?
- No. FCoE needs to be on VLANs with ID < 4096.
- Btw, Virtual Fabrics is also a feature on Ethernet. Not only FC. Used when one needs overlapping VLAN IDs – multitenancy.
Is the max amount of RBridges in a fabric still 24? (p77)
- Max 24 in Logical Chassis with VDX 6710-6730. Max 32 for 6740 and 8770.
- It is the recommended amount. Theoretical max in NOS4 is 239. One below 1111000.
Is there a pattern to the MAC addresses of the Switches/RBridges/FD/XD?
What is a VMWare Port Group?
- Found in VMWare Virtual Networking Concepts
- Important with VMotion, makes sure that when a VM moves to a different hypervisor it gets the same network configuration.
In RBAC what does it mean that one can access a command but not execute it? (p86)
- It means one can view the settings, like a ‘show command’ works but not ‘command’ to set the setting.
- Btw: admin/user accounts are locked, only pw can be changed
What are these FRUs: cid-card, compact-flash, mm, SFM? (p89)
- MM – Management Module
- SFM – Switch Fabric Modules
- Compact-Flash – Supposedly where the firmware/configs are stored.
- CID-Card – Chassis ID – each card has two EEPROM – one critical and a non-critical. The non-critical can be fixed with a “CID Recovery Tool”
oscmd – more details about this, how to run a command? (p96)
- oscmd arp -a
- oscmd scp localfile remote.server:

The below I’ll bring up in a later post:

VDX Troubleshooting Course

BCEFP practice questions / answers

http://community.brocade.com/t5/Certification/BCEFP-2013-Exam-150-180-Practice-Questions/ta-p/4099

Other

Intro to VCS Fabric Technology: http://www.brocade.com/downloads/documents/white_papers/intro-vcs-fabric-technology-wp.pdf
CFP- MSA CFP2 Hardweare Specs: About the 40/100Gbps CFP2 SFP. MSA – multi-source agreement.
Code names of switches? Find the NOS firmware and look in the file “platform_names”. Quite a few bird names (nighthawk, dragon, superhawk, tomahawk ;), kestrel, falcon, blackbird).

Brocade Certified Ethernet Fabric Professional 2015 Beta Exam

4 Replies

Intro

http://community.brocade.com/t5/Certification/BCEFP-2015-Beta-Exam-Information-and-Study-Material/ta-p/58276

The course materials, including references to various resources such as the NOS Admin guide are available on the page above.

The Advanced Ethernet Fabric Troubleshooting (VDX-TS 300-WBT) has the pdf’s on the link above, but it’s also currently free on brocade’s saba education page.

Objectives for 2013 exam

Objectives for the exam (2013 version, so might be different for 2015) are:

Theory and Concepts

Describe the VCS implementations of TRILL
Describe the rate-limiting features in a VCS fabric
Identify basic routing concepts and how they interact with an Ethernet fabric
Identify VDX hardware components support.

Design

Describe the benefits of using TRILL
Describe QoS in a VCS fabric
Demonstrate knowledge of various types of link aggregation in a VCS fabric
Describe VDX hardware used in the design of a VCS fabric
Describe AMPP concepts

Implementation and Configuration

Demonstrate knowledge of sharing native FC storage with FCoE devices in a VCS fabric
Describe the implementation of lossless Ethernet for FCoE and iSCSI traffic
Describe how to integrate AMPP into a vCenter environment
Demonstrate knowledge how to implement Layer2/Layer3 ACLs in a VCS fabric
Demonstrate knowledge how to configure VRRP/VRRP-E on a VDX
Demonstrate knowledge how to configure a VCS fabric to connect to traditional Layer 2/Layer 3 switches
Demonstrate knowledge how to implement vLAGs

Management

Demonstrate knowledge of VDX management features

Troubleshooting

Demonstrate advanced troubleshooting knowledge
Demonstrate knowledge how to troubleshoot native FCoE and VCS to FC SAN bridging
Demonstrate knowledge how to troubleshoot VCS to an IP network

Page numbers for 2015 beta exam below:

Network OS Administrator’s Guide v4.1.1 53-1003225-01

Pages 11-20,26-31,54-56,75-77,94,115,119,135-144,149,150,191,201-203,210,243-247,253,261,269,311-314,321,

322,338-345,361-385,400,403,406,425-433,437,465,483,495,504,506,517-521,541,559,563,565,583,593,594,597,

603-609,661-663,668,676,682,686,714,715

Network OS Command Reference v4.1.1 53-1003226-01

Pages 299, 1258-1260,1266,1297,1317,1318

Network OS v4.1.1 Brocade VDX Release Notes

Pages 4,10,28,50

Network OS Software Licensing Guide v4.1 53-1003164-01

Pages 11-13

VDX 6740 Hardware Reference Manual 53-1002829-02

Page 1
VDX 8770-4 Hardware Reference Manual 53-1002563-03

Chapter 1, Page 1; Chapter 3, Page 32

VDX 8770-8 Hardware Reference Manual 53-1002564-03

Chapter 1, Page 1
VDX 6730 Hardware Reference Manual 53-1002389-06

Pages 1,2,15

Brocade VDX 8770 Switch Data Sheet GA-DS-1701-04

CFP2 Hardware Specification Draft Revision 0.3

Page 46

Brocade Certified Professional Data Center Track – Check!

Leave a reply

After ~49 posts on this blog on the topic Brocade the first larger block is finally complete: the Brocade Certified Professional Data Center Track (BCPDC)!

What’s that? So Brocade has several (4) tracks which consist of certifications/accrediations, some are shared between the tracks and some are only in one track.
Currently, after completing 3 out of 4 you gets the title Brocade Distinguished Architect! Woop!

It took me ~3.5 years (counting since first blog post about BCFA (certified fabric administrator)) to complete all the prerequisites for BCPDC, but naturally I didn’t do it as fast as I could. I was patient and many of the certificates I got by being signing up for Brocade’s beta tests of their certs.

Not that many certificates left to take actually before I can complete another track.
Most of the remaining ones are labeled accreditations, which are unproctored tests one does at home.

For Brocade Certified Professional Converged Networking (BCPCN) I have 3 accrediations left (Fabric Specialist, FCoE Specialist and Ethernet Fabric Support Specialist) and 1 certification: Ethernet Fabric Professional 2013. The certification I have signed up for the free one I mentioned in an earlier blog post.
For Brocade Certified Professional FICON (BCPF) there’s one accrediation (Accredited FICON Specialist) an done certification (Certified Architect for FICON 2013) remaining.
For Brocade Certified Professional Internetworking (BCPI) there’s 3 certifications: Certified Layer 4-7 Engineer 2010, Certified Network Professional 2012 and Certified Layer 4-7 Professional 2013.

BANAS – Brocade Certification – Studying

Leave a reply

I’m going to focus on the below things when studying for BANAS: They are based on the current objectives listed on Brocade’s page.

Brocade Accredited Network Advisor Specialist Exam Topics

The Brocade Accredited Network Advisor Specialist exam has these objectives:

Product Features

Demonstrate knowledge of Brocade Network Advisor product features

Installation and Configuration

Describe the installation and configuration of Brocade Network Advisor
- Taken care of in my previous blog post. Can be installed in a VM for practice.
Perform SAN Discovery
- What are seed switches?
Perform IP Discovery
- BNA 170-WBT is a course that’s currently free by Brocade – it’s about IP Discovery in BNA!
- Once discovered devices are stored in the Management application database. First IP of the device discovered becomes the primary address of the device.
- Simple/Profile based discovery: single: hostname/IP. Profile: range.
- Requirements
  - Users must have Discover Setup-IP and “All IP Products AOR” privileges
    - For rediscovery only “All IP Products AOR” is needed?
  - ICMP or telnet must be enabled on devices
  - Snmpv1+v2 or v3 read-write
  - IP range of devices must be known
  - All devices must have SNMP MIB support
- Access by: “Discover -> IP Products”.
- One can add default username/password. One can add several and it tries the default and then the rest..
- It uses OIDs to select products to include/exclude.
  - Cisco/Juniper are available by default.
- Seed address: the IP the BNA server will use to contact the switches?

Migration

Describe considerations when migrating to Brocade Network Advisor from other tools
- Check out the Installation Guide for BNA.

Troubleshooting

Demonstrate knowledge of troubleshooting Brocade Network Advisor

Brocade Certified Ethernet Fabric Professional

1 Reply

Brocade Certified Ethernet Fabric Professional – BCEFP – is available for free right now! I signed up and if you pass it you’re in the drawing for a $500 amazon coupon each week/month :)

Ethernet Fabric you say? “As a Brocade Certified Ethernet Fabric Professional, you must be able to demonstrate knowledge of IP, SAN, and FCoE concepts, “

What to focus on: http://community.brocade.com/t5/Certification/BCEFP-Exam-Preparation/m-p/56467

Nutshells: http://www.brocade.com/education/certification-accreditation/certified-ethernet-fabric-professional/index.page

To register for the exam, head over to the post on reddit. Basically there’s a pdf with the voucher you use when registering for the exam on pearsonvue.

Currently the “CEF 250” is free, but it’s not the main curriculum for the course.

BANAS – Brocade Accredited Network Advisor Specialist

1 Reply

Finally got around to start preparing the last certificate/accreditation – BANAS – to complete the Brocade Data Center Track (ok, not last. There are plenty more!).

It looks like it’s an accreditation showing that the taker can do some basic tasks in Brocade Network Advisor (BNA). This used to be a certification, so it’s probably a bit harder than it might seem!

Please note, this post is not meant to be a replacement for the official Brocade studying recommendation, just my notes on how I’m practicing for it.

Methods:

Learn about the different features of BNA.
Install BNA 12.1.4 in a VM – the “SAN Professional” version is free and there is a try-out version available too.
Use it with some switches attached.
Check out the “BNA 101 – Introduction to BNA” course on Brocade’s training page. There is also BNA 200-WBT Brocade Network Advisor Training but I’m gonna try to do it without that.
Until May 15 2014 there is also this: http://community.brocade.com/t5/Certification/Free-Training-Through-May-15th-on-Brocade-Network-Advisor/ta-p/56511
Learn about the different licensing options and versions of the software. FAQ is useful.
Watch youtube videos of BNA
Good documents
- BNA FAQ http://www.brocade.com/downloads/documents/faqs/brocade-network-advisor-faq.pdf
- Brocade Network Advisor SAN + IP User Manual
- Brocade Network Advisor Installation and Migration Guide

Install in a VM

Not much can be tested without any switches, but installing it a few times is probably helpful. Also getting acquainted with the UI and some things can still be done in the UI like:

Set UI options
Set up a firmware repository (at least import firmwares, release notes and md5 checksums)
Retrieve a SupportSave

Either register on Brocade’s site and get the download that way. Or get it via HP’s public page – for example here. Click on Download.
Because I’m lazy I’m installing it in a Windows 7 x64 VM 2 cores and 4GB RAM is much faster than 2GB. For just installing it you’ll need 3-4GB disk space.
Find install.exe within na1214_hp_windows.zip

The default user/password is: Administrator/password
The user/password you set during installation is for the database.

FTP/SCP/SFTP, syslog, snmp, https. Uses a postgreSQL database.

On the http/https page there are MIBs and the BNA client.

Certificate of Expertise

Leave a reply

Yay I passed the EX436 Red Hat Enterprise Storage Management !

https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-207-403&isSearch=False&verify=Verify

Red Hat – Clustering and Storage Management – Course Objectives – part 2

Leave a reply

Post 1 – http://www.guldmyr.com/blog/red-hat-clustering-and-storage-management-course-objectives/ Where I checked out udev, multipathing, iscsi, LVM and xfs.

This post is about getting using luci/ricci to get a Red Hat cluster working, but not on a RHEL machine because sadly I do not have one available for practice purposes. So CentOS64 it is. Using openstack for virtualization.

Topology: Four hosts on all three networks, -a, -b and internal. Three cluster nodes and one management node.

Get the basic cluster going:

image four identical nodes
ssh-key is distributed
/etc/hosts file has all hosts, IPs and networks
- network interfaces are configured –
- set a gateway in /etc/sysconfig/network
firewall
- all traffic allowed from -a and -b networks
- at a minimum allow traffic from the network that the hostname corresponds to that you enter in luci
dns (PEERDNS=no is good with several dhcp interfaces)
timesync with ntpd
luci installed on mgmt-node # ricci is a web gui
ricci installed on all cluster nodes # this is the service talks with corosync
- password set for user ricci on cluster nodes
create cluster in luci
- multicast perhaps doesn’t work so well in openstack ?
- on cluster nodes this runs “yum -y install cman rgmanager lvm2-cluster sg3_utils gfs2-utils” if shared storage is selected, probably less if not.
fencing is really important, how to do it in openstack would require a bit of work though. Not as easy as with kvm/xvm to send a destroy domain message.

Tests:

Update and distribute cluster.conf
Have a service run on a node on the cluster (doesn’t have to have a shared storage for this).
Commands:
- clustat
- cman_tool
- rg_test test /etc/cluster/cluster.conf start service name-of-service
- ccs_config_validate

Share an iSCSI target between all nodes:

Using management node to share the iSCSI LUN.
tgtd, multipath
clvmd running on all nodes
lvmconf – make sure locking is set correctly
create vg with clustering
partprobe; multipath -r # do this often
vgs/lvs and make sure all nodes see the clusterd lv
minimum GFS filesystem is around 128M – you didn’t use all the vg right? =)
- for testing/small cluster lowering the journal size is goodness
mount!

Red Hat – Clustering and Storage Management – Course Objectives

1 Reply

Attending “Red Hat Enterprise Clustering and Storage Management” in August. Quite a few of these technologies I haven’t touched upon before so probably best to go through them before the course.

Initially I wonder how many of these are Red Hat specific, or how many of these I can accomplish by using the free clones such as CentOS or Scientific Linux. We’ll see :) At least a lot of Red Hat’s guides will include their Storage Server.

I used the course content summary as a template for this post, my notes are made within them.. below.

For future questions and trolls: this is not a how-to for lazy people who just want to copy and paste. There are plenty of other sites for that. This is just the basics and it might have some pointers so that I know which are the basic steps and names/commands for each task. That way I hope it’s possible to figure out how to use the commands and such by RTFM.

Course content summary :

Clusters and storage

Get an overview of storage and cluster technologies.

ISCSI configuration

Set up and manage iSCSI.

Step 1: Setup a server that can present iSCSI LUNs. A target.

CentOS 6.4 – minimal. Set up basic stuff like networking, user account, yum update, ntp/time sync then make a clone of the VM.
Install some useful software like: yum install ntp parted man
Add a new disk to the VM

Step 2: Make nodes for the cluster.

yum install iscsi-initiator-utils

Step 3: Setup an iSCSI target on the iSCSI server.

http://www.server-world.info/en/note?os=CentOS_6&p=iscsi

yum install scsi-target-utils
allow port 3260
edit /etc/tgt/target.conf
if you do comment out the ip range and authentication it’s free-for-all

http://www.server-world.info/en/note?os=CentOS_6&p=iscsi&f=2

Step 4: Login to the target from at least two nodes by running ‘iscsiadm’ commands.

Next step would be to put an appropriate file system on the LUN.

UDEV

Learn basic manipulation and creation of udev rules.

http://www.reactivated.net/writing_udev_rules.html is an old link but just change the commands to “udevadm” instead of “udev*” and at least the sections I read worked the same.

udevadm info -a -n /dev/sdb

Above command helps you find properties which you can build rules from. Only use properties from one parent.

I have a USB key that I can pass through to my VM in VirtualBox, without any modifications it pops up as /dev/sdc.

By looking in the output of the above command I can create /etc/udev/rules.d/10-usb.rules that contains:

SUBSYSTEMS=="usb", ATTRS{serial}=="001CC0EC3450BB40E71401C9", NAME="my_usb_disk"

After “removing” the USB disk from the VM and adding it again the disk (and also all partitions!) will be called /dev/my_usb_disk. This is bad.

By using SYMLINK+=”my_usb_disk” instead of NAME=”my_usb_disk” all the /dev/sdc devices are kept and /dev/my_usb_disk points to /dev/sdc5. And on next boot it pointed to sdc6 (and before that sg3 and sdc7..). This is also bad.

To make one specific partition with a specific size be symlinked to /dev/my_usb_disk I could set this rule:

SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk"

You could do:

KERNEL=="sd*" SUBSYSTEM=="block", ATTR{partition}=="5", ATTR{size}=="1933312", SYMLINK+="my_usb_disk%n"

Which will create /dev/my_usb_disk5 !

This would perhaps be acceptable, but if you ever want to re-partition the disk then you’d have to change the udev rules accordingly.

If you want to create symlinks for each partition (based on it being a usb, a disk and have the USB with specified serial number):

SUBSYSTEMS=="usb", KERNEL=="sd*", ATTRS{serial}=="001CC0EC3450BB40E71401C9", SYMLINK+="my_usb_disk%n"

These things can be useful if you have several USB disks but you always want the disk to be called /dev/my_usb_disk and not sometimes /dev/sdb and sometimes /dev/sdc.

For testing one can use “udevadm test /sys/class/block/sdc”

Multipathing

Combine multiple paths to SAN devices into one fault-tolerant virtual device.

Ah, this one I’ve been in touch with before with fibrechannel, it also works with iSCSI.
Multipath is the command and be wary of devices/multipaths vs default settings.
Multipathd can be used in case there are actually multiple paths to a LUN (the target is perhaps available on two IP addresses/networks) but it can also be used to set a user_friendly name to a disk, based on its wwid.

Some good commands:

service multipathd status
yum provides */multipath.conf # device-mapper-multipath is the package. 
multipath -ll

Copy in default multipath.conf to /etc; reload and hit multipath -ll to see what it does.
After that the Fun begins!

Red Hat high-availability overview

Learn the architecture and component technologies in the Red Hat® High Availability Add-On.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/High_Availability_Add-On_Overview/index.html

Quorum

Understand quorum and quorum calculations.

Fencing

Understand Fencing and fencing configuration.

Resources and resource groups

Understand rgmanager and the configuration of resources and resource groups.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/High_Availability_Add-On_Overview/ch.gfscs.cluster-overview-rgmanager.html

Advanced resource management

Understand resource dependencies and complex resources.

Two-node cluster issues

Understand the use and limitations of 2-node clusters.

http://en.wikipedia.org/wiki/Split-brain_(computing)

LVM management

Review LVM commands and Clustered LVM (clvm).

Create Normal LVM and make a snapshot:

Tutonics has a good “ubuntu” guide for LVMs, but at least the snapshot part works the same.

yum install lvm2
parted /dev/vda # create two primary large physical partitions. With a CentOS64 VM in openstack I had to reboot after this step.
pvcreate /dev/vda3 pvcreate /dev/vda4
vgcreate VG1 /dev/vda3 /dev/vda4
lvcreate -L 1G VG1 # create a smaller logical volume (to give room for snapshot volume)
mkfs.ext4 /dev/VG1/
mount /dev/VG1/lvol0 /mnt
date >> /mnt/datehere
lvcreate -L 1G -s -n snap_lvol0 /dev/VG1/lvol0
date >> /mnt/datehere
mkdir /snapmount
mount /dev/VG1/snap_lvol0 /snapmount # mount the snapshot :)
diff /snapmount/datehere /mnt/datehere

Revert a Logival Volume to the state of the snapshot:

umount /mnt /snapmount
lvconvert –merge /dev/VG1/snap_lvol0 # this also removes the snapshot under /dev/VG1/
mount /mnt
cat /mnt/datehere

XFS

Explore the Features of the XFS® file system and tools required for creating, maintaining, and troubleshooting.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/xfsmain.html

yum provides */mkfs.xfs

yum install quota

XFS Quotas:

mount with uquota for user quotas, mount with uqnoenforce for soft quotas.
use xfs_quota -x to set quotas
help limit

To illustrate the quotas: set a limit for user “user”:

xfs -x -c "limit bsoft=100m bhard=110m user"

Then create two 50M files. While writing the 3rd file the cp command will halt when it is at the hard limit:

[user@rhce3 home]$ cp 50M 50M_2
cp: writing `50M_2': Disk quota exceeded
[user@rhce3 home]$ ls -l
total 112636
-rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M
-rw-rw-r-- 1 user user 52428800 Aug 15 09:29 50M_1
-rw-rw-r-- 1 user user 10477568 Aug 15 09:29 50M_2

Red Hat Storage

Work with Gluster to create and maintain a scale-out storage solution.

http://chauhan-rhce.blogspot.fi/2013/04/gluster-file-system-configuration-steps.html

Updates to the Red Hat Enterprise Clustering and Storage Management course

Comprehensive review

Set up high-availability services and storage.

Studying for BCNE – Brocade Certified Network Engineer

4 Replies

In early April of 2013 Brocade had a great offer – ask for it and you’ll get a voucher to an exam – for free!

I took them up on their offer and scored a voucher for the BCNE – Brocade Certified Network Engineer.

After that I noticed that Brocade also has a limited offer for BCNE http://www.brocade.com/education/CNE_250.page , you can take them up on it if you already have a CCNA. By doing that you also get a free voucher to the BCNE exam..

I chose to try it without the recommended course. A bit risky but a long time ago I took the CCNA and passed. For me this exam was probably more about remembering and looking at improvements to all the things in CCNA back in 2005. This post is about my study technique or perhaps more of a record of how I did things. To find places for improvement.

Do you have any study tips you would like to share?

—

Some really useful links:

BCNE in a Nutshell guide – It’s also available on their saba/education page. But it’s out of date in there.
Brocade IP Primer – this is a great refresher on most Ethernet things if you’ve been out of touch.
Go through the manuals – but read the material in the newer released manuals.
IP Quick Reference – CLI Quick and quite comprehensive overview not only of commands but also of technologies.

http://community.brocade.com/docs/DOC-2613 has the list of pages and manuals and guides, but to get the newest documents you have to look elsewhere.
One place to get them is on each Product’s page on brocade.com, at the bottom there is a place to get some manuals.

First thing I did before diving into the materials was to take the BCNE Knowledge Assessment test. Get some sort of idea of what kind of topic the exam is about.

Then I read the nutshell guide and marked the things I needed to learn more about (basically all). Last time I took an exam with Brocade I only read the nutshell in the beginning of my study time, this time I’m re-reading it every now and then to see if I catch something that is not clear and I want to focus extra on. I’m also keeping a focus on the objectives of the exam. Reading the objectives and trying to answer them with as much detail as I can.-The objectives are general so there’s quite a lot of room for freedom there. As a bonus, if you can’t describe something in the objectives well, you just found something you do not know well enough.

After going through the nutshell guide and checking up on a few acronyms and technologies I hadn’t heard about I read through the IP Primer and did the same things there: Mark the things that I thought would be of interest and what I would need to dig deeper into.

Then went through the NetIron and FastIron configuration guides. Not only did I have a peak at all the pages that were listed as relevant, but also read chapters that was not listed. Either because I found them interesting or perhaps because the subject in those chapters are touched upon in Nutshell. To me that just means the more you know about the subject the better.

Rehash objectives/previous notes and dig deeper. Perhaps first time you read it you glanced over some part. By digging deeper I mean finding the chapters in all the manuals that touch on this subject and reading them, making more notes. Could also be surfing the Internets or Wikipedia for basic overview of how a technology operates. Eventually all of this crystallizes into a view that describes things in your own words.

To me there are parts of IT exams that you just can’t know even if you’ve been working with it for a long time. For example license options or feature differences between all the products. To learn things like these (also other types of questions I thought would come on the exam) I made flashcards in a spreadsheet and printed it on normal A4 so that the question is on one side and the answer is on the back. This was no easy feat.

After going through all these documents you should be able to figure out yourself which areas are being focused on – which you should be making sure that you know.

Some good articles/blog posts:

What Unkonwn Unicast is.
STP overview – these were great:
- 802.1d Plain Old Dumb STP
- 802.1w RSTP Rapid STP – Fast as in WOW
- 802.1s MSTP Multiple STP – Multiple, as in s.
Multicast Routing

P.s. I passed :)

sage on ipv6.he.net

Leave a reply

http://ipv6.he.net/certification/

This was really fun!

If you complete this with your own domain and server you’ll learn to set up these:

set up IPv6 address and routing
point your DNS to the IPv6 address – this would applies mostly if you have your own nameserver
point the IPv6 address to the DNS – rDNS – requires quite long entries!
set up e-mail – both receiving (imap/pop3) and sending (smtp)
slightly more advanced use of dig :)

The e-mail part was the trickiest for me as I hadn’t done that before. Used courier and exim4 to set this up on a Debian Virtual Machine.

Brocade Accredited Server Specialist – BASP

Leave a reply

http://www.brocade.com/education/certification-accreditation/accredited_server_connectivity/curriculum.page

I’m currently preparing for yet another accreditation, the previous one I took was the BADCS,

The BASP (Brocade Accredited Server Specialist) appear to focus on the server side. Things like:

how to install drivers
HBA management tools
describe features
how to run diagnostics

This accrediation has the most questions of all the current ones, but it has the same amount of time allotted (one hour) so this exam will have a lot less time available for each question.

The curriculum for this accreditation are also free, they are called Introduction to HBA and Introduction to CNA. There’s also some docs about the 1860 Fibre Adapter. They can be found on Brocade’s Saba/training website under my.brocade.com.

// Update 20140422: This accrediation has been replaced with something else. See the current list here: http://www.brocade.com/education/certification-accreditation/index.page?

Brocade Accredited Data Center Specialist – BADCS

5 Replies

Time to study for another one :) Working my way towards the “Data Center Track”. To complete it it would be enough for me to complete 5 accreditations.

This one has a pretty cool name – BADCS!

http://www.brocade.com/education/certification-accreditation/accredited-data-center-specialist/prerequisites.page

I haven’t tried one of these Accredited exams before, but as far as I can tell:

Cheap: only 20$ USD
The exam is web based, no need to find a test center, you can do it exactly when you want to.
Accreditations do not expire
You don’t _have_ to take the course in the prerequisites before taking the exam, but it is recommended :)

Also, for this Accreditation the pre-requisite is the FC-101 course on brocade’s SABA page – and it’s free!

– The BADCS exam consists of 38 questions and lasts 60 minutes
– To pass this exam you must get a score of 71% or better

So that’s about 27 correct out of 38 questions.

The objectives are on this page.

The only part I was initially not entirely sure about is the “Given a scenario, describe when portlog dumps are required”. The objectives indicate that a Fibre Channel theory knowledge is necessary, so the FC-101 course seems like a very good idea to study. I doubt many people remember specific FC mechanisms/theory if they don’t work with these occasionally. Like the well-known addresses – who remembers the address of the name-server or controller? =)

My general tip for the BADCS: Learn the material of the FC-101 course. Really. Learn. it.

You may be tricked into thinking that Brocade’s accrediations are easy because you can do them from home.

RHCE Certified

2 Replies

Passed the exam!

https://www.redhat.com/wapps/training/certification/verify.html?certNumber=111-207-403

Red Hat Certification – RHCE – KVM via CLI

Leave a reply

In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.

But how to install, configure and use it only from the CLI?

Virt-Manager

http://virt-manager.org/page/Main_Page has some details

As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).

None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use

yum groupinfo "Virtualization Client"

or correspondingly to get more information about the group.

yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"

This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.

lsmod|grep kvm
service libvirtd start
lsmod|grep kvm

This also sets up a bridge-interface (virbr0).

Now, how to install a machine or connect to the hypervisor?

How to get console?

ssh -XYC user@kvmserver
virt-manager

did not work.

On the client you could try to do:

yum groupinstall "Virtualization Client"
yum install libvirt
virt-manager

Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?

Noit is not, first: check if Virtualization is enabled on the server. Look in /var/log/messages for

kernel: kvm: disabled by bios

If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.

Then you can start virt-manager, check that you can connect to the KVMserver.

Copy a .iso to /var/lib/libvirt/images on the server.

Re-connect to the kvm-server in virt-manager.

Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.

Pointing the VM to kvm-server where a httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.

OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.

Moving on to virsh.

To install a vm you use ‘virt-install’.

You can get lots of info from ‘virsh’

virsh pool-list
virsh vol-list default
virsh list
virsh list-all
virsh dumpxml test > /tmp/test.xml
cp /tmp/test.xml /tmp/new.xml

Edit new.xml

change name to new and remove line with UUID

virt-xml-validate /tmp/new.xml
virsh help create
virsh create --file /tmp/new.xml
virsh list

This creates a new VM that uses the same disk and setup. But, if you shut down this new domain, it will disappear from virsh list –all and the list. To keep it you need to define it first:

virsh define --file /tmp/new.xml
virsh start new

This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.

Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ however.

virt-install --help
virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm

For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.

To make edit to a vm over ssh:

virsh edit NAMEOFVM

Red Hat Certification – RHCE – Course Outline

Leave a reply

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

–Netfilter Overview
-Rules: General Considerations
–Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables

Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation

Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message

-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

CA – certificate authority – issues and verifies digital certiciates
RA – registration authoriy – verifies user identity requesting info from the CA
central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
–Name Service Switch (NSS)
–Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf

Red Hat Certification – RHCE – Network Services – NTP

1 Reply

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NTP:

You could possibly test this from Windows as well.

On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.

Check in /var/log/messages for details

The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).

ntpdate is instant but it’s not recommended to be used. For example with ‘ntpdate -q’.

man ntp.conf
this then points to :
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc

Install the packages needed to provide the service.

yum install ntp

Configure SELinux to support the service

nothing to configure??

Configure the service to start when the system is booted.

chkconfig ntpd on

Configure the service for basic operation.

/etc/ntp.conf

server ntp.server.com

service ntpd start
ntpq -p # to see status

Configure host-based and user-based security for the service

iptables

port 123 (UDP)

Enable ntpd as a client

What’s a bit reverse for ntpd is that first you need to configure the server as a client

So that your local ntp-server gets good time from somewhere else. You can find a good time-server to use on www.pool.ntp.org

You only need to add one server line but for redundancy you should probably have more than one.

As an example with your client on 192.168.0.0/24 and server is on 192.168.1.0/24.

All you need to do is for the client part:

server ntp.example.com
service ntpd restart
ntpq -p

Enable ntpd as a server

You need to add a restrict line in ntp.conf.

You also need to allow port 123 UDP in the firewall.

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
service ntpd restart

Client to use your ntp server

Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.

Extra

Synchronize time using other NTP peers.

I believe this has been covered.

More Extra

One extra thing you may want to check out is the ‘tinker’ command.

This is put on top of ntp.conf and more info are available in ‘man ntp_misc’.

However, most of the time you just need to wait a bit for the time change to come through.

tcpdump

There’s not much to go in logs on either server or client for ntpd. You’ll get messages in /var/log/messages though that says “synchronized” and when the service is starting.

You can also use tcpdump on the server to see if there are any packets coming in.

tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP'
# wait a while, restart ntpd on client
tcpdump -r /tmp/tcmpdump.123
# this will then show some packets if you have a working communication between server and client

To test that it’s working

Start with the server still connecting to an ntp-server with good time.

You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.

Set it to 15 minutes before:

date -s "6 JUN 2012 17:00:00"
service ntpd restart

Also restart ntpd on the client, then wait, this will probably take a bit longer than before.

If you set the time manually to something too big it won’t work. You could then experiment with ‘tinker panic 0’

Red Hat Certification – RHCE – Network Services – ssh

1 Reply

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SSH:

To test from windows you can use putty.

But in linux you just need ssh for client and sshd for server.

man 5 sshd_config and this blogpost has an overview.

Install the packages needed to provide the service.

yum install openssh

Configure SELinux to support the service

getsebool -a|grep ssh

Configure the service to start when the system is booted.

chkconfig sshd on

Configure the service for basic operation.

/etc/ssh/sshd_config

Configure host-based and user-based security for the service

iptables

port 22 (TCP)

tcp.wrapper

TCP Wrapper

More info in man tcpd and man 5 hosts_access

Check that your daemon supports it:

which sshd
ldd /usr/sbin/sshd|grep wrap

For this test, let’s say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24

cat /etc/hosts.allow

sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH

The last row sends a special message to a client connecting from a non-allowed network.

cat /etc/hosts.deny

ALL: ALL

If you on the server with these settings try to do “ssh -v root@localhost” or “ssh -v root@192.168.1.1” you’ll get the message from twist.

If you in hosts.allow add:

sshd: KNOWN

You can log on to the localhost, but not if you add “LOCAL”.

If you add

sshd: 192.168.1.

you can log on from localhost to the public IP of the server.

Extra

Configure key-based authentication.

ssh-keygen
ssh-copy-id user@host
ssh user@host
set PasswordAuthentication to no in sshd_config
service sshd restart

Configure additional options described in documentation.

many things can be done, see “man 5 sshd_config”
chrootdirectory looks quite cool but requires a bit of work

Red Hat Certification – RHCE – Network Services – e-mail

2 Replies

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

http/https
dns
ftp
nfs
smb
smtp
ssh
ntp

SMTP:

Hackmode has a good article about setting postfix for the first time.

To test that e-mail is working you can – tada – use an e-mail client.

You have lots of details in /usr/share/doc/postfix-N ( the path should be in /etc/postfix/main.cf )

Install the packages needed to provide the service.

yum install postfix

Configure SELinux to support the service

getsebool -a|grep postfix

Configure the service to start when the system is booted.

chkconfig postfix on

Configure the service for basic operation.

set hostname to host.example.com
/etc/postfix/main.cf and define (this assumes hostname is host.example.com):

myhostname = host.example.com
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
mydestination = add $mydomain to the default one
home_mailbox = Maildir/
Update firewall to allow port 25 tcp
Test with: nc localhost 25

Configure host-based and user-based security for the service

iptables or $mynetworks in main.cf
user: postmap

In CLI (important to use ‘ and not “):

#hostname - record the output of this
postconf -e 'myhostname = output from hostname in here'
#hostname -d
postconf -e 'mydomain = output from hostname -d in here'
postconf -e 'myorigin = $mydomain'
postconf -e 'inet_interface = all'
postconf -e 'mydestination = $myhostname, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128, /32'
postconf -e 'relay_domains = $mydestination'
postconf -e 'home_mailbox = Maildir/'

To use it:

useradd -s /sbin/nologin labber
passwd labber

Edit /etc/aliases and add:

labber: labber

Then run:

newaliases
service postfix start
service postfix status
netstat -nlp|grep master

Send e-mail:

mail -s "Test e-mail here" labber@mydomain
test123
.

The . at the end is quite nice, that stops the input.

Check e-mail:

cat /home/labber/Maildir/new/*

Real E-mail Client

But, perhaps you want to check this out with a real e-mail client like thunderbird 10.

For this there needs to be a e-mail server that stores the e-mails on the server.

For this we can use ‘dovecot’

yum install dovecot
service dovecot start

Update iptables to allow ports 25 and 143 (TCP)
Update main.cf to allow from your IP
Restart services
Add new account in thunderbird –

do use the IP address of your server, not the DNS
do not use SMTP security (or username), but use password authentication
do use IMAP STARTTLS security, username: labber, password auth

Thunderbird is quite nice, it will often tell you which setting is wrong.

You can use /var/log/maillog for details on the server-side (to see if you get connections at all for example).

Deny a User

To illustrate this feature we first need to add a second user/e-mail account:

useradd -s /sbin/nologin labrat
passwd labrat
echo "labrat: labrat" >> /etc/aliases
newaliases
service postfix restart
service dovecot restart
mail -s "test" labrat@mydomain

You need to send an e-mail to the e-mail address before you can add it in Thunderbird (because the user does not have a $HOME/Maildir until you do).

After the new user has been created and added to your e-mail client do the following:

cd /etc/postfix
echo "labber@mydomain REJECT" >> sender_access
postmap hash:sender_access
echo "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access" >> /etc/postfix/main.cf
service postfix restart

Try:

to send an e-mail from and to both accounts

Extra

Configure a mail transfer agent (MTA) to accept inbound email from other systems.

inet_interfaces = all

Configure an MTA to forward (relay) email through a smart host.

relayhost=hostname.domain.com

If I understand this correctly to setup the above two we would need to have two servers.

Red Hat Certification – RHCE – Network Services – SMB

Leave a reply

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

http/https
dns
ftp
nfs
smb
smtp
ssh
ntp

SMB:

Testing an SMB server may be quite easy from Windows, but from Linux I suppose it’s a bit trickier.

The CLI client is called ‘smbclient’

The tool to set passwords: ‘smbpasswd’

You can also get some information with commands starting with ‘net’, for example ‘net -U username session’

testparm is another tool you can use to test that the config file – smb.conf – is not missing anything structural or in syntax.

The server is called ‘samba’.

There are more packages, for example ‘samba-doc’, samba4. You can find them by typing: ‘yum install samba*’

samba-doc installs lots of files in /usr/share/doc/samba*

Install the packages needed to provide the service.

yum install samba

Configure SELinux to support the service

getsebool -a |grep smb; getsebool -a|grep samba
/etc/samba/smb.conf # has some information about selinux

Configure the service to start when the system is booted.

chkconfig samba on

Configure the service for basic operation.

server#: open firewall (check man smb.conf, port 445 and 139 are mentioned)
server#: mkdir /samba; chcon -t type_in_smb_conf /samba
server#: edit /etc/samba/smb.conf:

copy an existing share – make it browseable and allow guest to access

server#: service smb start
server#: touch /samba/fileonshare
client#: smbclient \\\\ip.to.smb.server\\share

hit enter and it will attempt to log in as anonymous (guest)

client#: get fileonehsare

Configure host-based and user-based security for the service

server#: check that ‘security = user’ in smb.conf.
server#: add” writable = yes” or “read only = no” to the share in smb.conf
server#: smbpasswd -a username
server#: mkdir /samba/upload
server#: chown username /samba/upload
server#: chmod 777 /samba/upload
client#: smbclient -U username \\\\ip.to.smb.server\\share
client#: cd upload; mkdir newfolder; cd newfolder
client#: put file

Extra

Provide network shares to specific clients.

things you can set on the share:

write list = +staff
invalid users =
valid users =
hosts allow = 192.168.0.0/255.255.255.0
hosts deny =

Provide network shares suitable for group collaboration.

groupadd staff
usermod -a -G staff bosse
chown root.staff /samba/upload
chmod 775 /samba/upload
connect with bosse – do things,
connect with another user – can you do things?

Red Hat Certification – RHCE – Network Services – NFS

Leave a reply

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

Install the packages needed to provide the service.
Configure SELinux to support the service.
Configure the service to start when the system is booted.
Configure the service for basic operation.
Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

http/https
dns
ftp
nfs
smb
smtp
ssh
ntp

NFS:

Testing an NFS server is generally easier from another linux-server.

Install the packages needed to provide the service.

yum install nfs ?? (already installed on mine)

Configure SELinux to support the service

getsebool -a |grep nfs

Configure the service to start when the system is booted.

chkconfig nfs on
edit /etc/fstab on the client to mount on boot

Configure the service for basic operation.

server#: mkdir /foo
server#: vi /etc/exports

/foo 192.168.0.0/24(rw)

server#: iptables – port 2049 tcp and udp
server#: service nfs start
client#: mount -t nfs IP:/foo /mnt
server#: mkdir /foo/upload
server#: chown username.username /foo/upload
server#: chmod 777 /foo/upload
client#: touch /mnt/upload/file2
server#: cd /net/ip.to.server/foo

Configure host-based and user-based security for the service

iptables to deny hosts
add permissions appropriately in /etc/exports

man exports

Extra

Provide network shares to specific clients.

Add a new folder / line in /etc/exports and only allow certain clients to connect to it

Provide network shares suitable for group collaboration.

With the help of permissions. Use unix group ID number or names.

VDX Troubleshooting Course

BCEFP practice questions / answers

Other

CFP- MSA CFP2 Hardweare Specs:

NOS 4.1.1 release notes (p4,10,28,50):

Network OS Command Reference v4.1.1 53-1003226-01

Hardware reference manuals

Network OS Software Licensing Guide v4.1 53-1003164-01

The NOS 4.1.1 Admin Guide

Printing the NOS Admin Guide relevant pages:

Beta Course Material

VDX Troubleshooting Course

BCEFP practice questions / answers

Other

Intro

Objectives for 2013 exam

Theory and Concepts

Design

Implementation and Configuration

Management

Troubleshooting

Page numbers for 2015 beta exam below:

Brocade Accredited Network Advisor Specialist Exam Topics

Product Features

Installation and Configuration

Describe the installation and configuration of Brocade Network Advisor

Perform SAN Discovery

Perform IP Discovery

Migration

Troubleshooting

Methods:

Install in a VM

Course content summary :

Clusters and storage

ISCSI configuration

Step 1: Setup a server that can present iSCSI LUNs. A target.

UDEV

Multipathing

Red Hat high-availability overview

Quorum

Fencing

Resources and resource groups

Advanced resource management

Two-node cluster issues

LVM management

Create Normal LVM and make a snapshot:

XFS

Red Hat Storage

Comprehensive review

Virt-Manager

Moving on to virsh.

Network Resource Access Controls

IPv6

iptables

Web Services

E-mail Services

Securing Data

-The Need For Encryption

-Asymmetric Encryption

-Public Key Infrastructures – PKI

Account Management

PAM

Network services

NTP:

Enable ntpd as a client

Enable ntpd as a server

Client to use your ntp server

Extra

More Extra

tcpdump

To test that it’s working

Network services

SSH:

TCP Wrapper

Extra

Network services

SMTP:

Real E-mail Client

Deny a User

Extra