Tuesday, February 21, 2012

IMC trap adjustments

IMC is a great piece of code, but it does require some adjustments from the defaults, specifically to some traps and their descriptions, and to the default trap-to-alarm rules, which do not always escalate what actually requires attention.

This post is a draft, but I am using it to document the things I would change on a factory-default IMC with respect to the above. You will notice that the adjustments I make tend to revolve around making use of the parameters passed with the trap, and highlighting in bold the name of the feature / process which is raising the trap, so that glancing through the alarms lets you easily see what to look for when analyzing on the CLI.

Loopback-detection: broadcast probing for loops when STP isn't.

Often enough I find myself recommending this function on edge devices as an additional peace-of-mind loop prevention measure. Loopback-detection sends a broadcast probe on the port and, if it hears itself (by default on the same port; you can enable multi-port), it blocks inbound packets until it stops hearing itself for a duration equal to 2 or 3 times the probe timer. It's a low-maintenance feature which does its thing and auto-recovers from incidents by default (you can have it shut the port down instead). IMC's descriptions for the related traps are poor, and they are not escalated to alarms by default.


OID: 1.3.6.1.4.1.25506.2.95.1.6.1
Original description: Loopback detected on an interface.
New description: LOOPBACK-DETECTION: Loop detected on interface $2.
Comment: We are being passed ifDescr (param 2) as a trap parameter - how about using it?

OID: 1.3.6.1.4.1.25506.2.95.1.6.2
Original description: Trap message is generated when the loops on the interface are eliminated.
New description: LOOPBACK-DETECTION: Loop no longer exists on interface $2.
Comment: We are being passed ifDescr (param 2) as a trap parameter - how about using it?


Add the above to a Trap to Alarm object titled "Loopback-detection". You can also program OID.2 as a recovery for OID.1 if desirable.


Storm-constrain: metered broadcast/multicast/unicast with rising and falling thresholds and actions

OID: 1.3.6.1.4.1.25506.2.66.3.6.1
Original description: Any type of the flux "$2" exceeds its upper limit "$3" on a port of Device "$R($a)".
New description: STORM-CONSTRAIN: $2(Broadcast:1,Multicast:2,Unicast:3) storm rising on port $c of device "$R($a)". Port status is $4(controlled:1,normal:2).
Comment: Let's use the parenthesised parameter switch that the factory description of the related falling trap below was already making use of. I wish HP reported ifDescr as a parameter for this trap: tracking by port index in a 600-port chassis is a pleasure that only a select few seem to appreciate, myself excluded.


OID: 1.3.6.1.4.1.25506.2.66.3.6.1
Original description: A flux which used to overflow its upper limit, falls below its lower limit "$3" on a port(Index:$c) of Device "$R($a)". Trap type is $2. The port status is $4.
New description: STORM-CONSTRAIN: $2(Broadcast:1,Multicast:2,Unicast:3) storm rising on port $c of device "$R($a)". Port status is $4(controlled:1,normal:2).
Comment: Let's use the parenthesised parameter switch that the falling trap's base description was already making use of. Here again, I wish HP reported ifDescr as a parameter for this trap. Or we could have a function in IMC which returns ifDescr (Gig4/0/34) from the index (167, an arbitrary example of the kind of madness you get trying to locate what the hell port 167 is in your 10-slot 7500).
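To check how the loopback-detection and storm-constrain descriptions above render before loading them into IMC, here is an added example (not IMC code) that expands the $N, $N(Label:value,...), $c and $R($a) placeholders against constructed trap parameters. The meaning of $c (port index) and $R($a) (agent address resolved to the device name) is an assumption inferred from the factory descriptions, and the device inventory is constructed.

```python
"""Render IMC-style trap description templates (added example, not IMC code).

Assumed template syntax, inferred from the descriptions on this page:
  $N                      -> the N-th trap parameter (varbind value)
  $N(Label1:v1,Label2:v2) -> the N-th parameter mapped through a label table
  $c                      -> port index carried by the trap (assumption)
  $R($a)                  -> agent address $a resolved to a device name (assumption)
"""
import re

# Constructed inventory: agent address -> device name as IMC would resolve it.
DEVICES = {"10.1.4.10": "core-7500"}
SWITCH_RE = re.compile(r"\$(\d+)\(([^)]*)\)")   # $2(Broadcast:1,Multicast:2,...)
PARAM_RE = re.compile(r"\$(\d+)")              # $2
PORT_RE = re.compile(r"\$c")
DEVICE_RE = re.compile(r"\$R\(\$a\)")


def render(template, params, agent, port_index=None):
    """Expand a description template against trap parameters.

    params is 1-based: params[0] is $1. Unknown values are left visible as '?'
    rather than silently dropped, so a broken template is noticed in the alarm.
    """
    def switch(m):
        n = int(m.group(1))
        value = params[n - 1] if 1 <= n <= len(params) else None
        # "Broadcast:1,Multicast:2" -> {"1": "Broadcast", "2": "Multicast"}
        table = {v: k for k, v in (pair.split(":", 1) for pair in m.group(2).split(","))}
        return table.get(str(value), f"?{value}")

    def param(m):
        n = int(m.group(1))
        return str(params[n - 1]) if 1 <= n <= len(params) else "?"

    out = SWITCH_RE.sub(switch, template)   # label switches first, they contain $N
    out = PARAM_RE.sub(param, out)
    out = DEVICE_RE.sub(lambda _: DEVICES.get(agent, agent), out)
    out = PORT_RE.sub(lambda _: str(port_index) if port_index is not None else "?", out)
    return out


LOOP_TPL = "LOOPBACK-DETECTION: Loop detected on interface $2."
STORM_TPL = ('STORM-CONSTRAIN: $2(Broadcast:1,Multicast:2,Unicast:3) storm rising on '
             'port $c of device "$R($a)". Port status is $4(controlled:1,normal:2).')

if __name__ == "__main__":
    # Constructed traps: (ifIndex, ifDescr) and (ifIndex, type, limit, status)
    print(render(LOOP_TPL, [167, "GigabitEthernet4/0/34"], "10.1.4.10"))
    print(render(STORM_TPL, [167, 1, 1000, 1], "10.1.4.10", port_index=167))
```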

Sunday, February 19, 2012

HP A-Series / H3C / Comware HTTPS howto with Microsoft CA 2008

Like most leading switching vendors, Comware has an HTTPS management interface available. Unlike some of the leading switching vendors, Comware's web interface actually lets you do a whole lot of core stuff besides applying macros to interfaces.
With that said, Comware-based switches do not have provisions for creating self-signed certificates. Some are flustered by this shortcoming - usually the same folks who get a false feeling of security just from typing https:// instead of http:// and who don't understand that it takes 5 seconds to fire up an MITM tool with HTTPS support to intercept the credentials.
This article is a short howto on using a Microsoft Windows 2008 CA to automatically generate certificates for HP Comware-based switches over SCEP, including the Comware configuration to get this going.
Before we begin, let's make sure NTP is correctly set up and that your switches are somewhat in sync with the CA's time. This isn't a requirement per se, but the switch will refuse CA certificates with issuance times in the future.
1) Configure the PKI entity, which defines parameters for the switch itself.
#
pki entity a5120
  common-name a5120.mforelab.com
  country CA
#

2) Configure the PKI domain, which defines parameters for your CA.
#
pki domain mforelab
  ca identifier win2k8
  certificate request url http://10.1.4.65/certsrv/mscep/mscep.dll
  certificate request from ra
  certificate request entity a5120
  crl check disable
#


3) Request the CA certificate through SCEP.
[A5120-24G-PoE+]pki retrieval-certificate ca domain mforelab
The trusted CA's finger print is:
    MD5  fingerprint:E27E 2F32 9ADF B410 C5C1 12B9 2A45 5DA7
    SHA1 fingerprint:4AD6 5188 2394 441F 66F7 65B8 0D41 EB89 1CB8 7FB8

Is the finger print correct?(Y/N):Y

Saving CA/RA certificates chain, please wait a moment......
%Feb 19 21:46:44:336 2012 A5120-24G-PoE+ PKI/6/PKI_CA_CERT_TRUSTED: Root CA certificate of the domain mforelab is trusted.....
CA certificates retrieval success.
%Feb 19 21:46:49:064 2012 A5120-24G-PoE+ PKI/6/PKI_RETRIEVAL_CA_SUCC: Retrieved the CA certificates of domain mforelab successfully.
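The "Is the finger print correct?" prompt above is the one point where trust in the CA is established, so the fingerprints should be checked against the CA certificate obtained over a trusted channel (for instance the DER .cer file exported from the Windows CA) rather than just answered Y. Here is an added example (not Comware or Microsoft code) that parses the switch console output and compares it with the MD5/SHA1 fingerprints of that exported certificate, printed in the same 4-hex-digit grouping Comware uses; the file and stdin usage in main is an assumption.

```python
"""Out-of-band check of the CA fingerprint shown by 'pki retrieval-certificate ca'.
Added example, not Comware or Microsoft code."""
import hashlib
import re
import sys

FP_LINE = re.compile(r"^\s*(MD5|SHA1)\s+fingerprint:\s*([0-9A-Fa-f ]+?)\s*$", re.M)

# Console output copied from the switch session on this page.
SAMPLE_CONSOLE = """The trusted CA's finger print is:
    MD5  fingerprint:E27E 2F32 9ADF B410 C5C1 12B9 2A45 5DA7
    SHA1 fingerprint:4AD6 5188 2394 441F 66F7 65B8 0D41 EB89 1CB8 7FB8
"""


def normalize(fp):
    """'E27E 2F32 ...' or 'e27e:2f32:...' -> 'E27E2F32...' for comparison."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def parse_comware_fingerprints(console_text):
    """Pull the MD5/SHA1 lines out of the switch console output."""
    return {algo: normalize(hexs) for algo, hexs in FP_LINE.findall(console_text)}


def comware_format(digest_hex):
    """Group hex digits in fours, as the Comware console prints them."""
    h = digest_hex.upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def fingerprints(der_bytes):
    """Fingerprints of a DER-encoded certificate, Comware style."""
    return {"MD5": comware_format(hashlib.md5(der_bytes).hexdigest()),
            "SHA1": comware_format(hashlib.sha1(der_bytes).hexdigest())}


def matches(console_text, der_bytes):
    """True only if both fingerprints on the console match the exported CA cert."""
    shown = parse_comware_fingerprints(console_text)
    computed = {k: normalize(v) for k, v in fingerprints(der_bytes).items()}
    return all(shown.get(algo) == computed[algo] for algo in ("MD5", "SHA1"))


if __name__ == "__main__":
    # Assumed usage: python check_ca_fp.py ca.cer < console.txt
    with open(sys.argv[1], "rb") as f:
        der = f.read()
    print("OK, answer Y" if matches(sys.stdin.read(), der) else "MISMATCH, answer N")
```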

4) Comware does not support the SCEP challenge password, so on 2008 you have to set the following registry value to 0 (it's an actual configuration option in 2003):
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword

5) Let's request the certificate. The first attempt is what happens if your Windows CA is still enforcing the challenge password. The second, successful one is with the SCEP password disabled through the previously mentioned registry entry (don't forget to restart the services; that's why I got the failure below on the first try).

[A5120-24G-PoE+]pki request-certificate domain mforelab
Certificate is being requested, please wait......
[A5120-24G-PoE+]
Enrolling the local certificate,please wait a while......
Certificate request failed.

### ... forgot to restart the darn CA service after regedit - here we go again ###
[A5120-24G-PoE+]pki request-certificate domain mforelab
Certificate is being requested, please wait......
[A5120-24G-PoE+]
Enrolling the local certificate,please wait a while......
Certificate request Successfully!
Saving the local certificate to device......
Done!

%Feb 19 21:53:26:224 2012 A5120-24G-PoE+ PKI/6/PKI_REQUEST_CERT_SUCC: Requested the local certificate of domain mforelab successfully.
[A5120-24G-PoE+]

6) Configure the SSL policy, bind it to the HTTPS service and enable HTTPS.
#
ssl server-policy sslswitch
 pki-domain mforelab
#
 ip https ssl-server-policy sslswitch
 ip https enable
#

Don't forget that you must trust the CA certificate of the issuing CA on the machines from which you plan to manage your Comware environment, in addition to creating A records for all the managed devices in DNS and/or a static hosts file.