Cisco Phones on HP Comware Switches

I ran into this again last week, so I thought it might be a good idea to put it in writing for people who have chosen to move to HP switches and still want to use the Cisco UC&C platform. This is the HP Comware configuration; I hope to hit the lab and write up a ProVision configuration as well in the near future. This is ONE way of doing this. If you are considering implementing this, or any other technology, please read the documentation and try to understand what you’re typing in. There are a couple of different ways to get this to work; this is just the one I prefer, as it’s easy for legacy Cisco folk to understand what’s been done in the configuration.

 

Debunking the Myths

Cisco Phones need Cisco PoE

It’s true that Cisco was the first vendor to release Power over Ethernet switches. Inline power (as it was called in those days) was first released on the Cisco 3500XL switches back in the day. This was a different, proprietary scheme that predates the 802.3af standard we all know and love today. Fortunately for Cisco, and unfortunately for many customers, the second generation of Cisco phones, the 7940/7960 era, was powered only by Cisco’s Inline Power standard. They just wouldn’t come up with standards-based 802.3af power.

This meant that many customers had no choice but to buy Cisco switches to support the Cisco phones. You always had the option of buying a power brick per phone at a cost of about $60 a piece. A management nightmare. I only ever saw one customer do that. (twitch twitch… twitch twitch… OK. I’m OK now.)

There are a LOT of customers who still have those devices in their environments, so the question becomes:

Can I still use HP switches if I have old Cisco phones? Cisco told me that my Cisco phones don’t work on HP switches.

The answer is: Yes. They will absolutely work! HP has done the work to get older phones working on both the Comware and ProVision devices. This post is Comware focused, but I’ll try to get back with a ProVision configuration soon!

Configuring your HP Comware Switch to deliver PoE to Cisco Phones

On a Comware based switch, the command you’ll need to get this working is the following, at the global level:

[HP_E5500EI]poe legacy enable pse 4

At the port level, you may also have to enable PoE on the port:

[HP_E5500EI-GigabitEthernet1/0/1]poe enable


Cisco Phones need CDP to work

Once upon a time, CDP was the only neighbour discovery protocol in town. Cisco needed a way to push the voice VLAN to their pre-standard phones, and CDP became the easiest way for them to do this. Most other vendors at the time were using specific DHCP options in a standards-based environment. Then along came LLDP and LLDP-MED. Other than the isolated cases where the customer still has the original second-generation Cisco phones in place, there is virtually no reason to be using CDP for the voice VLAN today. LLDP works great and is supported by all the leading telephony vendors, including Cisco phones since around 2007. (You might need newer firmware on your phones.)

So the question is:

How do I set up my HP switch to send the right voice VLAN to my Cisco phone using LLDP? And what about my older phones? Are you telling me I have to buy all new phones to move to HP?

The answer: Yes, we can use LLDP, and no, you don’t have to buy new phones.

Especially in an era of Microsoft Lync, I’m starting to see more and more customers with a mobile work force who are starting to abandon the traditional handset mentality. Or in some cases, it’s even better for the business because employees are actually bringing in their own mobile devices and installing the Microsoft Lync client. Who would have thought we would ever be happy having to buy our own phones for work? 🙂

So on to the configuration. I’m going to do two configurations here, and it will quickly become clear why. For older Cisco CDP phones, HP Comware switches use the MAC address OUI (Organizationally Unique Identifier), which is basically the first half of the MAC address, the part assigned to a specific vendor. What this means is that in some Cisco environments that have been buying phones over a few years, you could end up having to manage a TON of MAC address OUIs in your switch configurations. The first example is the quick way, although arguably slightly less secure, to assign voice VLANs to legacy Cisco phones. Although, arguably, if you’re concerned about security in your environment, I would recommend that you replace all your legacy Cisco phones anyway, considering that legacy Cisco phones allowed a packet capture on the PC port to capture voice VLAN traffic as well.

For those who really want to do this the “right way”, you’ll still need to run the undo commands and replace the single voice vlan mac-address statement in this configuration snippet with the 128 lines included at the end of this post. (Anyone know why Cisco burned through so many? Seriously? That’s a LOT of OUIs! I’m SURE they could have handled this with a lot less!)

 VLAN leaking issues.

The Environment

 


As you can see, this is a pretty simple environment: CCM in VLAN 10 connected to an HP 5500EI switch. The phone is directly connected to the switch on interface GigabitEthernet 1/0/5 and the PC is plugged into the phone. The phone should be sending all voice traffic tagged on VLAN 20 and the PC should be sending all traffic untagged on VLAN 30.

Any questions?

 

Configuring your HP Comware Switch to deliver the Voice VLAN to Cisco Phones

The following commands are all entered at the global level.

  • # The following commands disable the factory default mac-address OUIs.
  • undo voice vlan mac-address 0001-e300-0000
  • undo voice vlan mac-address 0003-6b00-0000
  • undo voice vlan mac-address 0004-0d00-0000
  • undo voice vlan mac-address 0060-b900-0000
  • undo voice vlan mac-address 00d0-1e00-0000
  • undo voice vlan mac-address 00e0-7500-0000
  • undo voice vlan mac-address 00e0-bb00-0000
  • # These commands create a couple of wildcard mac-address OUIs that will match any LLDP-MED or CDP capable phone that plugs into the network.
  • voice vlan mac-address 0000-0000-0000 mask ff00-0000-0000
  • voice vlan mac-address 8000-0000-0000 mask ff00-0000-0000
  • undo voice vlan security enable

 

Note: we need the large “any OUI” wildcards to cover the large number of non-contiguous Cisco prefixes.

  • # You must globally enable LLDP
  • lldp enable
  • # You must enable LLDP CDP compliance mode
  • lldp compliance cdp

 

As you can see above, instead of having hundreds of voice vlan mac-address… statements with all of the Cisco OUIs (scroll to the bottom for a list of the different Cisco-specific mac-address OUIs that my peers and I have collected over the years), you can instead put in a single statement that will allow you to send out the voice VLAN when any Cisco phone plugs into the network.

Now for the interface-specific commands:
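As an added offline check (not the post’s or HP’s code), this Python script models the mask comparison behind the two wildcard entries above and runs a sample of the OUIs from the list at the end of the post through it. It assumes a Comware entry matches when (mac AND mask) equals (oui AND mask) with a mask of leading 1 bits, and that an omitted mask defaults to ffff-ff00-0000 (a 24-bit OUI match).

```python
"""Offline check of Comware 'voice vlan mac-address' OUI matching.

Added example, not the switch's own code.  Assumption: a source MAC matches
an entry when (mac AND mask) == (oui AND mask), with the mask made of
leading 1 bits (ffff-ff00-0000 = a 24-bit OUI; ff00-0000-0000 = first byte
only).  The default mask when none is given is assumed to be ffff-ff00-0000.
"""
import re

HHH = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
DEFAULT_MASK = "ffff-ff00-0000"  # assumed default: 24-bit OUI match


def parse_hhh(text):
    """Turn Comware H-H-H notation (e.g. '0013-1900-0000') into a 48-bit int."""
    if not HHH.match(text):
        raise ValueError(f"not H-H-H notation: {text!r}")
    return int(text.replace("-", ""), 16)


def parse_rule(line):
    """Parse 'voice vlan mac-address OUI [mask MASK]' into (oui, mask) ints."""
    parts = line.split()
    if parts[:3] != ["voice", "vlan", "mac-address"] or len(parts) not in (4, 6):
        raise ValueError(f"not a voice vlan mac-address line: {line!r}")
    mask_text = DEFAULT_MASK
    if len(parts) == 6:
        if parts[4] != "mask":
            raise ValueError(f"expected 'mask' keyword: {line!r}")
        mask_text = parts[5]
    return parse_hhh(parts[3]), parse_hhh(mask_text)


def rule_matches(mac, rule):
    """True if the MAC (H-H-H string) falls inside the rule's masked OUI range."""
    oui, mask = rule
    return (parse_hhh(mac) & mask) == (oui & mask)


def match_any(mac, rules):
    """True if any rule in the list matches the MAC."""
    return any(rule_matches(mac, r) for r in rules)


# The two wildcard entries the post uses in place of the long per-OUI list.
WILDCARD_LINES = [
    "voice vlan mac-address 0000-0000-0000 mask ff00-0000-0000",
    "voice vlan mac-address 8000-0000-0000 mask ff00-0000-0000",
]
WILDCARD_RULES = [parse_rule(ln) for ln in WILDCARD_LINES]

# A subset of the Cisco phone OUIs from the list at the end of the post.
PAGE_OUI_LINES = [
    "voice vlan mac-address 0003-6B00-0000",
    "voice vlan mac-address 0013-1900-0000",
    "voice vlan mac-address 001E-F700-0000",
    "voice vlan mac-address 04C5-A400-0000",
    "voice vlan mac-address 1C17-D300-0000",
    "voice vlan mac-address 5475-D000-0000",
    "voice vlan mac-address B414-8900-0000",
    "voice vlan mac-address FCFB-FB00-0000",
]


def uncovered_ouis(oui_lines, wildcard_rules):
    """Return the OUIs (as written) that none of the wildcard rules would match.

    A per-OUI entry is covered when a MAC carrying that OUI matches one of the
    wildcard rules; the OUI string itself is a valid MAC to test with.
    """
    missed = []
    for line in oui_lines:
        oui_text = line.split()[3]
        if not match_any(oui_text, wildcard_rules):
            missed.append(oui_text)
    return missed


if __name__ == "__main__":
    # Constructed MACs, not real devices: one in 00:xx space, one in 54:xx space.
    for mac in ("0013-1923-4567", "5475-d012-3456"):
        verdict = "matches wildcard" if match_any(mac, WILDCARD_RULES) else "NO match"
        print(mac, verdict)
    print("OUIs from the list not covered by the two wildcards:")
    for oui in uncovered_ouis(PAGE_OUI_LINES, WILDCARD_RULES):
        print(" ", oui)
```

Under these assumptions a ff00-0000-0000 mask compares only the first byte, so the two wildcards cover MACs beginning with 00 or 80; OUIs in the list below that start with anything else would still need their own entries.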

 

  • interface GigabitEthernet1/0/5
  • port link-mode bridge    <–  Switchport. Could be a routed port, but that won’t work here.
  • port link-type trunk    <–  Turns the port into a dot1q trunk. You need this to carry a tagged VLAN across the wire.
  • port trunk pvid vlan 30    <–  Tells the port that its untagged VLAN is 30.
  • undo port trunk permit vlan 1    <– Removes VLAN 1 from the trunk port. Not necessary for this to work.
  • port trunk permit vlan 20 30    <– Allows the trunk to carry traffic from both the designated Voice and Data VLANs.
  • undo voice vlan mode auto   <– Turns off voice vlan auto mode.
  • voice vlan 20 enable       <– Tells the switch to advertise dot1q VLAN 20 as the Voice VLAN via LLDP-MED and CDP on this port.
  • broadcast-suppression pps 3000
  • undo jumboframe enable
  • apply poe-profile index 1   <– Calls a centrally defined PoE profile.
  • stp edged-port enable   <– Similar to PortFast in Cisco terms.
  • lldp compliance admin-status cdp txrx    <– Allows this port to both send and receive CDPv2 packets.

 

 

The Right Way vs. Reality

 

As most of you already know, the real world is messy. There are very often tradeoffs, mostly in the form of time. The method I showed above does indeed work, and it removes the operational burden of having to keep track of Cisco’s unique mac-address OUIs. Is it the most secure method in the world? Probably not, but security is always a tradeoff between how difficult it is to implement and operate and how important it is to secure the information asset in question.

 

Most phone calls just aren’t that important to be honest. 

 

But… for those of you who really insist on doing this the “right way”, I’ve included this non-exhaustive list of the unique mac-address OUIs that Cisco has put on their phone models over the years. This is something that my peers and I have put together over the years, and hopefully it might help someone out there. If anyone has additional Cisco phone OUIs that are not included in this list, please post them in the comments and I would be happy to update them here!

 

Hopefully someone will find this helpful. If you notice that something has changed and this configuration doesn’t work for you, please feel free to drop me a line and let me know. I’ll be happy to update my blog. I’d rather be wrong and have someone tell me than just think I’m right. : )

 

@netmanchris

 

List of Cisco Phone Mac-address OUIs

  • voice vlan mac-address 0002-B900-0000
  • voice vlan mac-address 0003-6B00-0000
  • voice vlan mac-address 0003-E300-0000
  • voice vlan mac-address 0005-3200-0000
  • voice vlan mac-address 0005-9A00-0000
  • voice vlan mac-address 0005-9B00-0000
  • voice vlan mac-address 0006-D700-0000
  • voice vlan mac-address 0007-0E00-0000
  • voice vlan mac-address 0007-5000-0000
  • voice vlan mac-address 0008-2100-0000
  • voice vlan mac-address 000B-5F00-0000
  • voice vlan mac-address 000B-BE00-0000
  • voice vlan mac-address 000B-BF00-0000
  • voice vlan mac-address 000c-ce00-0000
  • voice vlan mac-address 000D-2900-0000
  • voice vlan mac-address 000D-6500-0000
  • voice vlan mac-address 000D-BC00-0000
  • voice vlan mac-address 000D-ED00-0000
  • voice vlan mac-address 000E-3800-0000
  • voice vlan mac-address 000E-8400-0000
  • voice vlan mac-address 000E-D700-0000
  • voice vlan mac-address 000F-2300-0000
  • voice vlan mac-address 000F-3400-0000
  • voice vlan mac-address 000F-8F00-0000
  • voice vlan mac-address 0011-2000-0000
  • voice vlan mac-address 0011-2100-0000
  • voice vlan mac-address 0011-5C00-0000
  • voice vlan mac-address 0011-9300-0000
  • voice vlan mac-address 0011-BB00-0000
  • voice vlan mac-address 0012-0000-0000
  • voice vlan mac-address 0012-7F00-0000
  • voice vlan mac-address 0013-1900-0000
  • voice vlan mac-address 0013-1A00-0000
  • voice vlan mac-address 0013-7F00-0000
  • voice vlan mac-address 0013-8000-0000
  • voice vlan mac-address 0013-C300-0000
  • voice vlan mac-address 0013-C400-0000
  • voice vlan mac-address 0014-1C00-0000
  • voice vlan mac-address 0014-6900-0000
  • voice vlan mac-address 0014-6A00-0000
  • voice vlan mac-address 0014-A900-0000
  • voice vlan mac-address 0014-F200-0000
  • voice vlan mac-address 0015-6200-0000
  • voice vlan mac-address 0015-2B00-0000
  • voice vlan mac-address 0015-F900-0000
  • voice vlan mac-address 0015-FA00-0000
  • voice vlan mac-address 0016-4600-0000
  • voice vlan mac-address 0016-4700-0000
  • voice vlan mac-address 0016-C800-0000
  • voice vlan mac-address 0017-0E00-0000
  • voice vlan mac-address 0017-5900-0000
  • voice vlan mac-address 0017-5A00-0000
  • voice vlan mac-address 0017-9400-0000
  • voice vlan mac-address 0017-9500-0000
  • voice vlan mac-address 0017-E000-0000
  • voice vlan mac-address 0018-1800-0000
  • voice vlan mac-address 0018-1900-0000
  • voice vlan mac-address 0018-1D00-0000
  • voice vlan mac-address 0018-7300-0000
  • voice vlan mac-address 0018-B900-0000
  • voice vlan mac-address 0018-BA00-0000
  • voice vlan mac-address 0019-0600-0000
  • voice vlan mac-address 0019-2F00-0000
  • voice vlan mac-address 0019-3000-0000
  • voice vlan mac-address 0019-AA00-0000
  • voice vlan mac-address 0019-E700-0000
  • voice vlan mac-address 0019-E800-0000
  • voice vlan mac-address 001A-2F00-0000
  • voice vlan mac-address 001A-6D00-0000
  • voice vlan mac-address 001A-A100-0000
  • voice vlan mac-address 001A-A200-0000
  • voice vlan mac-address 001B-0C00-0000
  • voice vlan mac-address 001B-2A00-0000
  • voice vlan mac-address 001B-5300-0000
  • voice vlan mac-address 001B-5400-0000
  • voice vlan mac-address 001B-D400-0000
  • voice vlan mac-address 001B-D500-0000
  • voice vlan mac-address 001C-5800-0000
  • voice vlan mac-address 001D-4500-0000
  • voice vlan mac-address 001D-A200-0000
  • voice vlan mac-address 001E-1300-0000
  • voice vlan mac-address 001E-4A00-0000
  • voice vlan mac-address 001E-7A00-0000
  • voice vlan mac-address 001E-F700-0000
  • voice vlan mac-address 001F-6C00-0000
  • voice vlan mac-address 001F-9E00-0000
  • voice vlan mac-address 0021-1B00-0000
  • voice vlan mac-address 0021-5500-0000
  • voice vlan mac-address 0021-A000-0000
  • voice vlan mac-address 0022-5500-0000
  • voice vlan mac-address 0022-9000-0000
  • voice vlan mac-address 0023-0400-0000
  • voice vlan mac-address 0023-5E00-0000
  • voice vlan mac-address 0023-EB00-0000
  • voice vlan mac-address 0024-9700-0000
  • voice vlan mac-address 0025-8400-0000
  • voice vlan mac-address 0026-0B00-0000
  • voice vlan mac-address 0026-9900-0000
  • voice vlan mac-address 0026-CB00-0000
  • voice vlan mac-address 0030-9400-0000
  • voice vlan mac-address 04C5-A400-0000
  • voice vlan mac-address 04FE-7F00-0000
  • voice vlan mac-address 0817-3500-0000
  • voice vlan mac-address 081F-F300-0000
  • voice vlan mac-address 108C-CF00-0000
  • voice vlan mac-address 18EF-6300-0000
  • voice vlan mac-address 1C17-D300-0000
  • voice vlan mac-address 2893-FE00-0000
  • voice vlan mac-address 3037-A600-0000
  • voice vlan mac-address 5475-D000-0000
  • voice vlan mac-address 58BC-2700-0000
  • voice vlan mac-address 6416-8D00-0000
  • voice vlan mac-address 68BD-AB00-0000
  • voice vlan mac-address 68EF-BD00-0000
  • voice vlan mac-address 6C50-4D00-0000
  • voice vlan mac-address 9CAF-CA00-0000
  • voice vlan mac-address A40C-C300-0000
  • voice vlan mac-address A8B1-D400-0000
  • voice vlan mac-address B414-8900-0000
  • voice vlan mac-address B4A4-E300-0000
  • voice vlan mac-address B8BE-BF00-0000
  • voice vlan mac-address D057-4C00-0000
  • voice vlan mac-address DC7B-9400-0000
  • voice vlan mac-address E804-6200-0000
  • voice vlan mac-address EC44-7600-0000
  • voice vlan mac-address ECC8-8200-0000
  • voice vlan mac-address F025-7200-0000
  • voice vlan mac-address FCFB-FB00-0000

From Cisco to HP – Quick Start

It’s not uncommon that I have customers who are making the jump to HP networking gear from a Cisco background.

This post is just a way for me to put together some resources for them to quickly get up to speed and to help make their lives easier.

Resources

CLI Reference Guide

If you’ve got a reasonable background in Cisco networking, the first thing you’ll want to check out is the HP Networking and Cisco CLI reference guide. Someone (thankfully not me!) went through and created 292 pages of goodness, basically a small Rosetta Stone for a dual-vendor network.

If you know the command on a Cisco IOS device, do a quick search and you’ll find the HPN equivalent.

Interoperability Cookbook

It’s VERY rare that I ever get involved in a greenfield environment. Most customers have a legacy network around, and many of those were built on Cisco equipment. HP has taken this into consideration and put together the HP/Cisco Switching and Routing Interoperability Cookbook, which gives some clear guidelines on setting up both sides of the connection.

HP Press

A lot of people still haven’t caught on that HP Press was launched last year. There are already books out covering the major HP networking certifications, not to mention other HP product lines as well.  These are great resources to have on a shelf for those times when you just have to look something up.

Tips and Tricks

Spanning-tree is turned off by default

Whether or not you agree with this decision, HP has made it and you should be aware of it. If you’d like your new switch to participate in an (R/S/PV)STP environment, you’ll need to turn it on.

Command Aliases

I’ll admit it. After spending years in a Cisco world, the word “show” jumps out of my fingers and onto a keyboard faster than just about anything else, except perhaps “wr” (write mem, for those of you who grew up in the “copy running-configuration startup-configuration” era).

Even after years of working with the Comware products (which use the word display in place of show), I still hit situations where the reflex just kicks in.

Luckily, HP has included a nice alias function which allows you to map new keywords to existing commands.
Included here is my list of commands which I keep on all my Comware lab equipment. To say this out loud: there’s no excuse not to learn the new CLI. You will be a better engineer for it. But… it’s also nice to have a safety net for those moments when your fingers think faster than your brain.

HP Comware Cisco Alias command List

command-alias enable
command-alias mapping undo no
command-alias mapping reboot reload
command-alias mapping header banner
command-alias mapping reset clear
command-alias mapping acl access-list
command-alias mapping port switchport
command-alias mapping stp spanning-tree
command-alias mapping snmp-agent snmp-server
command-alias mapping user-interface line
command-alias mapping display show
command-alias mapping return end
command-alias mapping quit exit
command-alias mapping sysname hostname
command-alias mapping save write
command-alias mapping delete erase
command-alias mapping info-center logging

 

note: If anyone has any I’ve missed here, please feel free to post in the comments and I’ll try and update the post.

Hotkeys

One of the other nice touches that HP has done with Comware is to include system hotkeys. This gives you a VERY quick way to input commands without typing the whole thing out. Wonderful for those situations where you can’t see where you are typing. Turned on too many debugs? CTRL_O will run “undo debugging all” for you and you get your terminal session back.

There are some default system hotkeys (which cannot be changed) as well as some user-definable ones; both are listed here.

=Defined hotkeys=
Hotkeys  Command
CTRL_G   display current-configuration
CTRL_L   display ip routing-table
CTRL_O   undo debugging all

=Undefined hotkeys=
Hotkeys  Command
CTRL_T   NULL
CTRL_U   NULL

=System hotkeys=
Hotkeys  Function
CTRL_A   Move the cursor to the beginning of the current line.
CTRL_B   Move the cursor one character left.
CTRL_C   Stop current command function.
CTRL_D   Erase current character.
CTRL_E   Move the cursor to the end of the current line.
CTRL_F   Move the cursor one character right.
CTRL_H   Erase the character left of the cursor.
CTRL_K   Kill outgoing connection.
CTRL_N   Display the next command from the history buffer.
CTRL_P   Display the previous command from the history buffer.
CTRL_R   Redisplay the current line.
CTRL_V   Paste text from the clipboard.
CTRL_W   Delete the word left of the cursor.
CTRL_X   Delete all characters up to the cursor.
CTRL_Y   Delete all characters after the cursor.
CTRL_Z   Return to the User View.
CTRL_]   Kill incoming connection or redirect connection.
ESC_B    Move the cursor one word back.
ESC_D    Delete remainder of word.
ESC_F    Move the cursor forward one word.
ESC_N    Move the cursor down a line.
ESC_P    Move the cursor up a line.
ESC_<    Specify the beginning of clipboard.
ESC_>    Specify the end of clipboard.

Display this

Wow. I can’t say enough about how much I love this command. In a nutshell, display this (or show this if you have the alias function turned on) is a context-sensitive command that will show you the configuration elements applicable to exactly where you are in the operating system hierarchy.

You want to see what configuration is applied to a specific port? No more “do show run inter gig 1/5”. You just type “display this” and you get the output. What about when you’re in the RADIUS configuration mode? Yup. Display this. Configuring OSPF or BGP on a switch? Display this.

It may seem like a very minor thing, but trust me, you will appreciate the consistency and the simplicity in a very short time.

This post is not intended to make you an expert on HP’s Comware OS, but hopefully, if you’re already a reasonably good networking professional, this will give you a leg up in getting up to speed quickly.

Misc

As with most modern network OSes, I would also remind everyone that:

  • piping is supported, e.g. display running-configuration | include SNMP
  • the TAB key does auto-complete.
  • The question mark (?) is your friend. When in doubt, use it and you will probably see what you’re looking for.

 

Did I miss any other getting started tips? Please feel free to post in the comments!

@netmanchris

Providing Network Leadership

So I have to give credit where credit is due… a lot of this post is directly inspired by the book Network Maturity Model by William J. Bauman et al. It’s written in a very academic style, but there are a ton of little gems in there which I think are worth pointing out. I’m expanding a lot on some of these key points, so please feel free to drink from the source rather than the muddy water down river. 🙂

 

The first section of the actual maturity model deals with Enterprise Network Leadership. I think it’s important to say that when I’m using the word Enterprise, I’m not talking about a large organization; I’m just talking about the business. Whether you are responsible for a few switches and a router, firewall or UTM appliance, or for a multinational organization with a global WAN, several large campus environments, and smaller branches spanning the globe, I think the same general guidelines apply.

 

Have a Plan

The network leaders are responsible for creating a network business plan that aligns with business strategy. Now keep in mind that there are a LOT of very talented people in the industry who are consultants. These hired guns are often jumping from engagement to engagement, so this might not apply to them. But for those who are in a network operations role, it’s critically important to understand:

  • What the business goals are.
  • Who the LOB application stakeholders are.
  • What their requirements are, and what applications are important to them.
  • How the LOB stakeholders directly impact the profitability of the business.

and most importantly:

  • How the ability, or lack thereof, to successfully run the network can impact the business directly.

The network leaders are responsible for creating both the vision/strategy and the specific policies and procedures to support the vision in the short, mid, and long term. From specific policies such as acceptable-use statements to longer-term procedures such as a planned equipment refresh on a well-defined rotational schedule to avoid a massive CAPEX hit, the network leader is responsible for making sure the network has the appropriate capacity, resiliency, availability, redundancy, etc. to meet the business requirements.

To create the vision/strategy from which the policies and procedures are derived, they should also be ensuring that the requirements of those stakeholders are taken into account when planning out the network and all the operational tasks around it. This is very broad and can be summed up as “understand the business requirements”.

 

Understanding the Business Requirements

This one gets thrown around a lot in our industry. But to be honest, I find that VERY few hardcore network professionals actually take the time to do this. It’s my opinion, obvious bias aside, that the network is one of the fundamental pillars of almost every business in the world now. I’m choosing not to use the word “foundation” because I don’t believe that’s true.

A foundation, to me, is something that the business is built upon. Imagine, if you will, a business that makes hand-made clothes, or one that grows food. I think it’s obvious that the network is not the MOST important thing. In both of these examples, I don’t think anyone would argue that the business would be incapable of creating its product without the network.

But imagine the network is down and they are unable to receive orders from their customers. What if the network is down and they are unable to use their ERP system to ship orders? Or to send invoices?

I think we can all agree that if the products sit on the shelf, it’s not a good thing. Money doesn’t come in. And soon, global economic catastrophe is created, cats sleeping with dogs, total chaos!!!

All because a network went down. 

(OK… maybe I’m exaggerating a little. )

 

So what kinds of things should be taken into account when we say “understand the business requirements”? Here are some from the top of my list:

What governance, risk, or compliance initiatives does the company have to adhere to?

GRC? Huh? Depending on the specific industry, country, or region of the world that the company operates in, there may be many legally enforced burdens placed on the company. The major examples everyone seems to know are SOX, Gramm-Leach-Bliley, HIPAA, etc. These all have different, although often complementary, requirements that, depending on the nature of the business, you need to be aware of as a network leader.

If you are a network leader and you are having trouble getting budget approval for some much-needed networking upgrades, learn about which GRC requirements apply to your organization. It’s amazing how quickly the purse strings open when the business leaders understand that failure to do these upgrades may have a direct impact on a GRC requirement that they can be personally held liable for.

What are the different Line of Business applications and how critical are they to the success or failure of the business?

Most companies have a LOT of applications they “need” to do their business. But there is a BIG difference between their Microsoft Lync implementation which they use to increase collaboration between globally dispersed teams, and their ERP system which is responsible for making sure that orders are received, shipping requests are sent to the warehouse, and invoices are sent to the customer. 

If you are a network leader and you are having trouble getting budget for some much-needed networking upgrades, learn which of the LOB applications are directly related to the business’s ability to take orders, ship product, or invoice customers. When requesting budget for the upgrade, make sure you make clear what the hourly business cost of network downtime is.

An easy way to calculate this, if you have access to the numbers, is to look at the annual report. Figure out what the revenue was last year, divide by 365, divide by 8, and you now have the hourly cost of downtime.

 

For me, these are two of the most important “understand the business” requirements, but I’m sure there are a ton of other ones. Please feel free to call out more examples in the comments! I’d love to hear them!

 

@netmanchris

 

 

 

Juniper EX4200T- Management Observations

So I’ve been spending some time playing around with a Juniper EX4200T from a management standpoint.

This post is just a place to put some observations and questions. Hopefully, some Junos Peeps will be able to shed a little light on some of these questions.

First, as both a criticism and a defence: Juniper does not use SNMP as their primary interface. I get that SNMP has its problems, but it’s what we have, and if you want to bring Juniper into a network where there is already a network management system in place, I would think that they should at least do the minimum to improve their SNMP support to meet the bar.

I have to say, as an operationally focused network engineer, it does disturb me that I can’t even set the sysLocation from a simple SNMP set command.

ifIndex

One of the first things I noticed about the Juniper box is that it seems to have some strangeness, at least compared to other vendors, around the number of interfaces. Specifically, I’ve got a 48-port switch with more than twice that many interfaces. Upon a closer look, it seems that Juniper switches, or at the very least the EX4200T, have two ifIndex values for every physical port.

Juniper SNMP Interfaces

 

One of the interesting questions that comes up here is “What ifIndex value do I poll?”. I’d like to get interface stats on this device, but do I poll the Ethernet port, or the prop virtual port? And if both return the same values, why would I choose one over the other?

Anyone have a good explanation of WHY they went this direction? @steve did suggest thinking of this like a sub-interface in Cisco terms. I’ve been trying to figure this out, but the most common reason I’ve used a sub-interface has been to create dot1q router-on-a-stick configurations. I don’t see how that applies here.

 

MIB Walking 

Another strange thing is that the EX4200 seems unable to return all the interfaces when reading the ifTable via SNMP. It may be that this is an issue with my MIB browser, but it’s definitely a pain in the butt.

Junos-peeps: Anyone have a MIB browser that works here? Suggestions on code? Possibly a bug?

 

VLAN 0

One of the other things I noticed is that the default VLAN of the EX4200 is 0. Huh? VLAN 0? All of the interfaces on the switch belong to VLAN 0 initially. I did find this article from the Juniper website, which says that “Some attached devices may not accept 802.1q-tagged frames, and therefore can reside only in VLAN 0.”

Coming from a Cisco and HP background, I’ve always seen the native VLAN on an interface initially listed as VLAN 1. Anyone able to explain this to me?

VLAN-Range: anyone able to explain this to me? I checked the Juniper documentation, but I wasn’t able to find an article which explained exactly what the function is for.

 

If anyone has comments, I’d love to learn here. I freely admit I haven’t had time to get far enough into this to understand the benefits and I do bring the baggage of history to my perspective on this.  If someone has made the jump to Junos, I’d love to hear from you! 

 

@netmanchris

Configuration Management – Configuration Baselines

Many times when I’m speaking with customers, one of the first questions I get asked is

” Ok, I’ve got this NMS, what’s the first thing I should do that’s going to make the biggest difference in my network?”

There are probably a lot of opinions on the answer to this question. For me, the answer is always this:

Start with Configuration Management.

In ITILv3, one of the main aspects of the configuration management domain is to track all of the configuration items that relate to an IT service. For more on ITILv3 CIs, check out this video.

For those of you who suffer from insomnia and would like a cure, most of the ITILv3 change management stuff is found in Volume III, Service Transition. In ITILv3, the first thing you need to do is to define your CMS.

Configuration Management System

This is the ITIL term for the software that handles your configs for you.

Again, remember that ITIL is about process. So it’s possible to actually run an ITIL based shop without tools in place. It’s POSSIBLE… but I think this falls in the JBYCDMYS (Just because you can doesn’t mean you should) bucket.

What to look for in your CMS

So for NMS newbies who are trying to get into more process-driven network operations, your CMS is the software that does basic tasks like:

Backup of Configurations

Any NCCM solution should allow you to back up configurations. If you’re lucky, your NMS may have additional features that allow you to move beyond basic configuration backups. Ideally, your NMS will have features that enable you to define configuration baselines and snapshots for any given device.

Configuration Baselines : A configuration baseline is the configuration of a service, product or infrastructure that has been formally reviewed and agreed on, that thereafter can be changed only through formal change procedures. Configuration Snapshots: A snapshot of the current state of a configuration item or an environment. It also serves as a fixed historical record.

In plain English terms, a configuration baseline is the last point at which you absolutely know that everything was working. A snapshot is an automatic backup that lets you know what the state of the device was at the time of that backup.

We’ll come back to this in a subsequent blog post, but snapshots are also great to have around for helping to address your compliance initiatives like SOX, PCI, or HIPAA. Having a configuration snapshot from a certain date is an easy way for you to prove to the auditors what the configuration state of a given device was on that date.

Configuration Templates: A complete, or a portion, of a device configuration.

This could be your standard configuration for your access switches, a secure configuration for your routers, or even just a portion of a configuration, such as the config required to change the local admin password on all your switches.

Scheduling Configuration Changes: The ability to schedule changes to your network devices at a specific time.

The ability to schedule changes is nice. Assuming your changes have gone through a peer-review process and through your company’s Change Approval Board, why do you need to be up at 3am during your company’s change window?

Now there may be cases where you will still need to be onsite to verify that a critical change went through. To perform the change validation tests that I KNOW you all had in your change plan. Right?

But for those cases where you are simply changing a local admin password, or adding an NTP server, or some other low-risk change, you may want to just schedule this for the wee hours of the morning while you are home in your toasty bed.

One last thing…

When making major or minor changes to your network configurations, it’s a good practice to go back and update your CMS to reflect the new configuration baseline for that device. You did actually run through a series of tests to make sure you didn’t break something, right?

So although this could be a TFTP server on the network somewhere, hopefully it’s software that will automate the backup of network device configurations for you. Examples could include HP’s Intelligent Management Center, SolarWinds Orion, Cisco Prime, or perhaps an open-source tool like RANCID.

In this video, I’ll go through the basic CMS functions of HP’s IMC to show how baselining and snapshots can be applied.