Palo-Alto, Create Tech-Support File

admin@5250-PAN(active-secondary)> scp export tech-support to admin@10.1.2.3:/fw/
Group 'batch' suspend
Collecting command output...
configure
save config to techsupport-saved-currcfg.xml
exit
show admins all
show clock
show system software status
show jobs pending
show jobs processed
show system info
show system files
show system logdb-quota
show system disk-space
debug software disk-usage dangling-fds
show system setting url-database
request system software info
request license info
show system setting logging
debug device-server dump logging statistics
show system setting pow
show system setting ssl-decrypt memory
show system setting ssl-decrypt certificate
show system setting ssl-decrypt certificate-cache
show system setting ssl-decrypt exclude-cache
show system setting ssl-decrypt setting
show system setting ssl-decrypt dns-cache
show system setting ssl-decrypt rewrite-stats
show global-protect-portal statistics
debug dataplane show ssl-decrypt ssl-stats 
debug sslmgr view ocsp all
show system environmentals
debug dataplane internal pdt pci list
debug system disk-smart-info disk-1
debug management-server telemetry-triggers counters show 
debug log-receiver telemetry-triggers counters 
debug system disk-smart-info disk-2
debug system interface-xcvr-info aux-1
debug system interface-xcvr-info aux-2
show system packet-path-test status
debug cord stats show
debug cord corr-mgr stats show
debug log-receiver correlation stats show
debug log-receiver correlation filters show
debug log-receiver corr-mgr show filter search name *
show counter global
show counter global filter delta yes
show counter global filter delta yes
show counter interface all
set system setting target-dp s1dp0
show counter global
show counter global filter delta yes
show counter global filter delta yes
show counter interface all
set system setting target-dp s1dp1
show counter global
show counter global filter delta yes
show counter global filter delta yes
show counter interface all
set system setting target-dp s1dp2
show counter global
show counter global filter delta yes
show counter global filter delta yes
show counter interface all
set system setting target-dp none
show statistics
show session info
show session meter
show session all
set system setting target-dp s1dp0
show session distribution policy
show session distribution statistics
show session info
show session all
show sctp all
show session all filter protocol 132
set system setting target-dp s1dp1
show session info
show session all
show sctp all
show session all filter protocol 132
set system setting target-dp s1dp2
show session info
show session all
show sctp all
show session all filter protocol 132
set system setting target-dp none
debug dataplane internal pdt fpp sw stats
show zone-protection
debug dataplane memory status
debug dataplane pool statistics
debug dataplane show memory-pool top-ref
debug dataplane pow performance all
debug dataplane pow status 
debug dataplane pow status 
debug dataplane pow status 
show running resource-monitor 
debug dataplane packet-diag show setting
debug dataplane fpga state
debug dataplane show cfg-memstat statistics
show running security-policy 
show running nat-policy 
show running nat-policy 
show running application-override-policy
show running authentication-policy
show running authentication-policy
show running decryption-policy
show running decryption-policy
show running dos-policy
show running pbf-policy
show running qos-policy
show running qos-policy
show running tunnel-inspect-policy
show running nat-rule-cache 
show running nat-rule-cache 
show running global-ippool 
show running ippool
show running ipv6 address
show arp management
debug dataplane internal vif link
debug dataplane internal vif address
debug dataplane internal vif rule
debug dataplane internal vif vr
debug dataplane internal vif route 254
debug dataplane internal vif route 255
debug dataplane internal vif route 0
debug dataplane internal pdt oct pip stats
debug dataplane internal pdt oct pko stats
debug dataplane internal pdt oct gmx stats
debug dataplane packet-diag show setting
debug dataplane mmdbg status
show high-availability all
show high-availability state-synchronization
set system setting target-dp s1dp0
show high-availability state-synchronization
set system setting target-dp s1dp1
show high-availability state-synchronization
set system setting target-dp s1dp2
show high-availability state-synchronization
set system setting target-dp none
show high-availability path-monitoring
debug device-server dump idmgr high-availability state
debug user-id dump idmgr high-availability state 
show interface all
show arp all
show neighbor interface all
show neighbor ndp-monitor all
show vlan all
show mac all
debug routing socket
show routing resource
show routing summary
show routing protocol ospf area
show routing protocol ospf dumplsdb
show routing protocol ospf interface
show routing protocol ospf neighbor
show routing protocol ospf virt-link
show routing protocol ospf virt-neighbor
show routing protocol ospf summar
show routing protocol ospfv3 area
show routing protocol ospfv3 dumplsdb
show routing protocol ospfv3 interface
show routing protocol ospfv3 neighbor
show routing protocol ospfv3 virt-link
show routing protocol ospfv3 virt-neighbor
show routing protocol ospfv3 summary
show routing protocol rip interface
show routing protocol rip peer
show routing protocol rip database
show routing protocol bgp peer
show routing protocol bgp peer-group
show routing protocol bgp policy import
show routing protocol bgp policy export
show routing protocol bgp policy cond-adv
show routing protocol bgp policy aggregate
show routing protocol bgp loc-rib-detail
show routing protocol bgp rib-out-detail
show routing protocol redist all
show routing route
show routing route ecmp yes
show routing fib
show routing fib ecmp yes
debug routing fib stats
debug routing list-mib
show routing multicast route
show routing multicast fib
show routing multicast group-permission
show routing multicast group-permission
show routing multicast igmp interface
show routing multicast igmp membership
show routing multicast igmp membership
show routing multicast igmp statistics
show routing multicast pim elected-bsr
show routing multicast pim elected-bsr
show routing multicast pim neighbor
show routing multicast pim neighbor
show routing multicast pim state
show routing multicast pim state
show routing multicast pim statistics 
show routing multicast pim statistics 
show routing bfd summary
debug routing mpf stats
show vpn gateway
show vpn tunnel
show vpn ike-sa
show vpn ipsec-sa
debug ike socket
debug ike stat fqdn
debug keymgr list-sa
show vpn flow
show dhcp server lease all
show dhcp client state all 
show global-protect-gateway gateway
show global-protect-gateway flow
show global-protect-gateway statistics
show global-protect-satellite current-gateway
show global-protect-satellite interface all
show global-protect-satellite satellite
debug user-id dump hip-profile-database statistics
show running tunnel flow 
show running tunnel flow info
show running tunnel flow lookup
show running tunnel flow nexthop
debug device-server dump dynamic-url statistics
debug device-server dump dynamic-url database
debug device-server dump regips summary
show user ts-agent statistics
show user user-id-agent statistics
show user user-id-agent state all
show user user-id-agent state all
show user user-id-service status
show user user-id-service client all
show user group-mapping state all
show user ip-port-user-mapping all
debug user-id dump ts-agent user-ids
debug user-id dump memory summary
debug user-id dump state
show user user-ids all option count
show user ip-user-mapping-mp all option count 
show user ip-user-mapping all option count 
show user ip-user-mapping all option count type UNKNOWN
show user user-id-service client all 
show user user-id-service status 
show user group list
show user credential-filter statistics
debug dataplane show ctd credential-enforcement group-mapping
debug dataplane show ctd credential-enforcement domain-credential
debug user-id dump ntlm-stats 
debug user-id dump xmlapi-stats 
debug user-id dump probing-stats 
debug user-id dump l3svc-stats
show vm-monitor source all
show object registered-ip all option count
show running application cache
show running application setting
show running application statistics
show running application-signature statistics
show system setting zip
show system setting ctd state
debug dataplane show ctd version
debug dataplane show ctd regex-group dump
debug dataplane show ctd regex-stats dump
debug dataplane show dos block-table
debug dataplane show dos classification-table
show running url-cache statistics
debug device-server bc-url-db show-stats
debug device-server pan-url-db db-perf
debug device-server pan-url-db show-stats 
show url-cloud status
show hsm servers
show hsm state
show hsm slots
show hsm info
show hsm ha-status
show hsm nshield-connect-rfs
show lacp aggregate-ethernet all
show lldp neighbors all
show lldp config all
show lldp local all
show system raid detail
show wildfire status
show wildfire statistics
show wildfire disk-usage
show wildfire cloud-info
debug wildfire content-info
debug wildfire dp-status
debug vardata-receiver statistics
show report jobs
show report cache info
show report exec_mgr info
show log-collector preference-list
show logging-status
debug cord stats show
debug cord corr-mgr stats show
debug log-receiver correlation stats show
debug log-receiver correlation filters show
debug log-receiver corr-mgr show filter search name *
debug log-receiver corr-mgr show instance summary
debug management-server conn
debug log-receiver rawlog_fwd connmgr
debug log-receiver rawlog_fwd evtmgr
request logging-service-forwarding status
request log-collector-forwarding status
Generating in ``/opt/pancfg/tmp/techsupport/1600074941.96'' with free_size 39881384.
Skipping /tmp/panorama_pushed: does not exist
Skipping /tmp/curlog: does not exist
Skipping /tmp/content_install*: does not exist
Skipping /opt/pancfg/mgmt/global/resolved_fqdns.xml: does not exist
Skipping /opt/pancfg/mgmt/global/lcs-pref.xml: does not exist
Skipping /opt/pancfg/mgmt/global/lcaas-pref.xml: does not exist
Skipping /opt/pancfg/mgmt/groups: does not exist
Skipping /opt/pancfg/opt/pan/content/pan/urlcloud_static_list.txt: does not exist
package /opt/var.dp0/cores/crashinfo
Skipping /opt/var.dp0/cores/crashinfo: entire source was excluded from packaging.
package /opt/var.dp0/log
package /opt/var.dp1/cores/crashinfo
Skipping /opt/var.dp1/cores/crashinfo: entire source was excluded from packaging.
package /opt/var.dp1/log
package /opt/var.dp2/cores/crashinfo
Skipping /opt/var.dp2/cores/crashinfo: entire source was excluded from packaging.
package /opt/var.dp2/log
Skipping /opt/var.dp2/log: entire source was excluded from packaging.
package /var/cores/crashinfo
Skipping /var/cores/crashinfo: entire source was excluded from packaging.
package /opt/panrepo/logs
package /var/log
package /opt/pancfg/mgmt/tmp
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/tmp
package /etc/Chrystoki.conf
package /opt/nfast/kmdata/config/config
package /opt/nfast/log
Skipping /opt/nfast/log/logfile: exception encountered when trying to stat this file.
package /opt/pancfg/mgmt/audit
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/audit
package /opt/pancfg/mgmt/sp
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/sp
package /opt/pancfg/mgmt/template
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/template
package /opt/pancfg/mgmt/saved-configs/running-config.xml
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/saved-configs/running-config.xml
package /opt/pancfg/mgmt/saved-configs/techsupport-saved-currcfg.xml
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/saved-configs/techsupport-saved-currcfg.xml
package /opt/pancfg/mgmt/saved-configs/.ha-remote-rc.xml
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/saved-configs/.ha-remote-rc.xml
package /opt/pancfg/mgmt/saved-configs/.ha-remote2-rc.xml
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/saved-configs/.ha-remote2-rc.xml
package /opt/pancfg/mgmt/saved-configs/.merged-running-config.xml
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/saved-configs/.merged-running-config.xml
package /opt/pancfg/mgmt/devices/localhost.localdomain
Running /usr/local/bin/remove-private-info.sh
/opt/pancfg/tmp/techsupport/1600074941.96/opt/pancfg/mgmt/devices/localhost.localdomain
package /opt/pancfg/mgmt/updates/curav/pan_avversion
package /opt/pancfg/mgmt/updates/oldav/pan_avversion
package /opt/pancfg/mgmt/updates/curcontent/pan_appversion
package /opt/pancfg/mgmt/updates/oldcontent/pan_appversion
package /opt/pancfg/mgmt/updates/curcontent/pan_threatversion
package /opt/pancfg/mgmt/updates/oldcontent/global/global.xml
package /opt/pancfg/mgmt/updates/curcontent/global/global.xml
package /opt/pancfg/mgmt/updates/oldcontent/pan_threatversion
package /opt/pancfg/mgmt/syslogng/pan_sysng.cfg
package /opt/pancfg/mgmt/global/avinfo.current.xml
package /opt/pancfg/mgmt/global/avinfo.prev.xml
package /opt/pancfg/mgmt/global/avinfo.xml
package /opt/pancfg/mgmt/global/contentinfo.current.xml
package /opt/pancfg/mgmt/global/contentinfo.prev.xml
package /opt/pancfg/mgmt/global/contentinfo.xml
package /opt/pancfg/mgmt/global/userinfo.xml
package /opt/pancfg/mgmt/global/regip
Skipping /opt/pancfg/mgmt/global/regip: entire source was excluded from packaging.
package /opt/pancfg/opt/pan/content/pan/urlcloud_list.txt
package /opt/pancfg/hsm/config
package /opt/var.cp/cores/crashinfo
Skipping /opt/var.cp/cores/crashinfo: entire source was excluded from packaging.
package /opt/var.cp/log
package /tmp/cli.16330.dir.F6zI8B/r3SOeY/techsupport.txt
Exporting system logs...
Exporting alarm logs...
Exporting config logs...
Getting report list...
Getting sysd output...
Getting netstat verbose output...
Getting netstat interface output...
Getting pmap mgmtsrvr output...
Running pdt debug commands...
Measuring disk usage...
Group 'batch' resume
Finish generating tech support.

admin@10.1.2.3's password: 
PA_01310100f3f6173_ts.tar.gz                                      100%   90MB  44.8MB/s   00:02

admin@5250-PAN(active-secondary)> exit

Connection to 10.1.2.4 closed.

A simple how-to for generating a tech support file on Palo Alto firewalls. I've copied the whole session here for reference, as it also shows a whole load of commands which I find a useful reference.

ArubaOS-CX, OSPFv2 Configuration

OSPF configuration is simple on Aruba, with a few small differences between OS-CX and Cisco's approach. Once both are configured, though, the two vendors' equipment works together very well, just as expected.

For clarity, to confirm the current OSPF state we can check to see if it is running. I've checked both the Default VRF and the FWTEST VRF, whose configuration is explained here.

ArubaOS-CX# sh ip ospf
OSPF Process is not running on VRF default.
ArubaOS-CX# sh ip ospf vrf FWTEST
OSPF Process is not running on VRF FWTEST.
ArubaOS-CX# 

Initially, in this example, we will configure OSPFv2 to run in the FWTEST VRF, whilst leaving the Default VRF as it is. To start the process, we need to define the OSPF process:

ArubaOS-CX# 
ArubaOS-CX# conf t
ArubaOS-CX(config)# router ospf 
  <1-63>  Specify the OSPF Process ID 
ArubaOS-CX(config)# router ospf 39 
  vrf   VRF Instance. 
  <cr>  
ArubaOS-CX(config)# router ospf 39 vrf FWTEST
ArubaOS-CX(config-ospf-39)# router ospf 39 vrf FWTEST

Much like the Cisco CLI, you can use ? to show command help as appropriate. Here, for example, we can see that Aruba uses 6 bits to store the process ID (1-63, as the help shows). The process ID is only locally significant, and good practice would be to use a different process ID for each VRF. In testing, though, ArubaOS-CX does appear to allow you to use the same number for the default VRF and another VRF. I was surprised that it didn't seem to break anything, but going forward I will use separate IDs. Here I chose 39 and specified which VRF it applied to.

We then go on to specify a router-id and the other operating behaviours we need.

ArubaOS-CX(config-ospf-39)# 
ArubaOS-CX(config-ospf-39)# router-id 192.168.40.30
ArubaOS-CX(config-ospf-39)# reference-bandwidth 40000
ArubaOS-CX(config-ospf-39)# passive-interface default
ArubaOS-CX(config-ospf-39)# redistribute connected
ArubaOS-CX(config-ospf-39)# area 0.0.0.40
ArubaOS-CX(config-ospf-39)# 

At this stage, we do not have any OSPF interfaces attached to the VRF FWTEST.

ArubaOS-CX# sh ip ospf vrf FWTEST
Routing Process 39 with ID : 192.168.40.30 VRF FWTEST
------------------------------------------------------


OSPFv2 Protocol is enabled
Graceful-restart is configured
Restart Interval: 120, State: inactive
Last Graceful Restart Exit Status: none
SPF: Start Time: 200ms, Hold Time: 1000ms, Max Wait Time: 5000ms
Maximum Paths to Destination: 4
Number of external LSAs 0, checksum sum 0
Number of areas is 1, 1 normal, 0 stub, 0 NSSA
Number of active areas is 0, 0 normal, 0 stub, 0 NSSA
BFD is disabled
Reference Bandwidth: 40000 Mbps
Area (0.0.0.40) (Inactive)
  Interfaces in this Area: 0 Active Interfaces: 0 
  Passive Interfaces: 0 Loopback Interfaces: 0 
  SPF calculation has run 1 times
  Area ranges: 
  Number of LSAs: 0, checksum sum 0 


ArubaOS-CX#
ArubaOS-CX# sh ip ospf interface vrf FWTEST
OSPF Interface is not attached to VRF FWTEST.
ArubaOS-CX# 

So next we need to attach at least one interface. The area we are attaching to is already defined above; if it isn't defined you will get an error.

ArubaOS-CX# conf t
ArubaOS-CX(config)# interface vlan999 
ArubaOS-CX(config-if-vlan)# ip ospf 39 area 0.0.0.40
ArubaOS-CX(config-if-vlan)# no ip ospf passive              
ArubaOS-CX(config-if-vlan)# 

For a basic configuration, that is all the config that's required. We are not running VRF-lite, with a Cisco 4500 as a neighbour. We can see from our routing table that all is well.

ArubaOS-CX# sh ip ro vrf FWTEST


Displaying ipv4 routes selected for forwarding


'[x/y]' denotes [distance/metric]


0.0.0.0/0, vrf FWTEST 
        via  172.31.255.129,  [110/114],  ospf
172.31.255.240/28, vrf FWTEST 
        via  vlan998,  [0/0],  connected
172.31.255.192/28, vrf FWTEST 
        via  loopback99,  [0/0],  connected
172.31.255.128/28, vrf FWTEST 
        via  vlan999,  [0/0],  connected
172.31.255.4/30, vrf FWTEST 
        via  172.31.255.129,  [110/64],  ospf
172.31.255.12/30, vrf FWTEST 
        via  172.31.255.129,  [110/44],  ospf
172.31.255.8/30, vrf FWTEST 
        via  172.31.255.129,  [110/54],  ospf
172.31.255.0/30, vrf FWTEST 
        via  172.31.255.129,  [110/84],  ospf
172.31.255.130/32, vrf FWTEST 
        via  vlan999,  [0/0],  local
172.31.255.193/32, vrf FWTEST 
        via  loopback99,  [0/0],  local
172.31.255.241/32, vrf FWTEST 
        via  vlan998,  [0/0],  local


ArubaOS-CX#  

As you would expect for a standards-based protocol, it just works!
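As an added example (not part of the original post), the Python below parses the FWTEST routing table shown above and checks that every OSPF-learned route arrives from the neighbour we intended to peer with, which is the kind of sanity check worth running after enabling OSPF with passive-interface default. The ROUTE_OUTPUT fixture is a trimmed copy of that output, and 172.31.255.129 is assumed to be the Cisco 4500 neighbour on vlan999.

```python
"""Parse ArubaOS-CX 'show ip route vrf <name>' output and verify the OSPF routes.

Added example: the fixture is a trimmed copy of the FWTEST table from the post.
The only OSPF next hop we expect is the Cisco 4500 at 172.31.255.129 (assumption).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ROUTE_OUTPUT = """\
Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

0.0.0.0/0, vrf FWTEST
        via  172.31.255.129,  [110/114],  ospf
172.31.255.240/28, vrf FWTEST
        via  vlan998,  [0/0],  connected
172.31.255.128/28, vrf FWTEST
        via  vlan999,  [0/0],  connected
172.31.255.4/30, vrf FWTEST
        via  172.31.255.129,  [110/64],  ospf
172.31.255.130/32, vrf FWTEST
        via  vlan999,  [0/0],  local
"""


@dataclass(frozen=True)
class Route:
    prefix: str
    vrf: str
    via: str        # next-hop address or egress interface
    distance: int   # administrative distance ([110/...] = OSPF in the output above)
    metric: int
    protocol: str   # ospf / connected / local / ...


# "<prefix>, vrf <name>" header line, tolerating the trailing space the CLI prints.
PREFIX_RE = re.compile(r"^(\S+/\d{1,2}),\s+vrf\s+(\S+)\s*$")
# Indented "via <nexthop>, [distance/metric], <protocol>" line.
VIA_RE = re.compile(r"^\s+via\s+(\S+),\s+\[(\d+)/(\d+)\],\s+(\S+)\s*$")


def parse_routes(text: str) -> List[Route]:
    """One Route per 'via' line, so an ECMP prefix with several via lines yields several Routes."""
    routes: List[Route] = []
    current: Optional[Tuple[str, str]] = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            prefix, vrf = current
            routes.append(Route(prefix, vrf, m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return routes


def check_ospf_routes(routes: Iterable[Route], expected_neighbours: Iterable[str]) -> List[str]:
    """Report OSPF routes learned from a next hop outside the planned neighbour set,
    and whether a default route was learned via OSPF at all."""
    allowed = set(expected_neighbours)
    problems: List[str] = []
    ospf = [r for r in routes if r.protocol == "ospf"]
    if not ospf:
        problems.append("no OSPF routes present")
    if not any(r.prefix == "0.0.0.0/0" for r in ospf):
        problems.append("no default route learned via OSPF")
    for r in ospf:
        if r.via not in allowed:
            problems.append(f"{r.prefix} learned from unexpected next hop {r.via}")
    return problems


if __name__ == "__main__":
    parsed = parse_routes(ROUTE_OUTPUT)
    for r in parsed:
        print(r)
    print("problems:", check_ospf_routes(parsed, ["172.31.255.129"]))
```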

Finally, just for reference, this was all done on a 6300 running ArubaOS-CX FL.10.04.0030.

ArubaOS-CX, VRF Configuration

Adding the basics of a VRF configuration to an ArubaOS-CX switch is both simple and very similar to other vendors' platforms. In the example below we are adding a VRF called FWTEST and assigning two SVIs to it along with a loopback.

First we can see what VRFs are already configured, in this case none:

ArubaOS-CX# show vrf
VRF Configuration:
------------------
VRF Name   : default
        Interfaces             Status
        -----------------------------
        vlan1                    up
        vlan254                  up

ArubaOS-CX#

Then define the VRF, including the route distinguisher.

ArubaOS-CX# conf t
ArubaOS-CX(config)# vrf FWTEST
ArubaOS-CX(config-vrf)# rd 10:39
ArubaOS-CX(config-vrf)#

Ensure that any VLANs that require SVIs in the new VRF are defined. If not, we need to create them.

ArubaOS-CX(config-vrf)# vlan 998
ArubaOS-CX(config-vlan-998)# name FWTEST_Clients
ArubaOS-CX(config-vlan-998)# vlan 999
ArubaOS-CX(config-vlan-999)# name FWTEST_L3
ArubaOS-CX(config-vlan-999)# 

Configure the required SVIs and any other layer 3 interfaces, in our case Loopback 99.

ArubaOS-CX(config)# interface vlan998
ArubaOS-CX(config-if-vlan)# vrf attach FWTEST
ArubaOS-CX(config-if-vlan)# ip address 172.31.255.241/28
ArubaOS-CX(config-if-vlan)# 
ArubaOS-CX(config-if-vlan)# interface vlan999
ArubaOS-CX(config-if-vlan)# vrf attach FWTEST
ArubaOS-CX(config-if-vlan)# ip address 172.31.255.130/28
ArubaOS-CX(config-if-vlan)# 
ArubaOS-CX(config-if-vlan)# interface loopback 99
ArubaOS-CX(config-loopback-if)# vrf attach FWTEST
ArubaOS-CX(config-loopback-if)# ip address 172.31.255.193/28
ArubaOS-CX(config-loopback-if)# 

Now if we check the VRFs on the switch, we can see our new SVIs and Lo99 are all attached to the VRF FWTEST.

ArubaOS-CX# show vrf
VRF Configuration:
------------------
VRF Name   : default
        Interfaces             Status
        -----------------------------
        vlan1                    up
        vlan254                  up


VRF Name   : FWTEST
        Interfaces             Status
        -----------------------------
        loopback99               up
        vlan998                  up
        vlan999                  up


ArubaOS-CX# 

Finally, we can check the FWTEST routing table. This shows us the routes for the attached networks we have just defined. No other routes are shown as we are not doing any routing with other devices yet.

ArubaOS-CX# 
ArubaOS-CX# sh ip ro vrf FWTEST

Displaying ipv4 routes selected for forwarding

'[x/y]' denotes [distance/metric]

172.31.255.240/28, vrf FWTEST 
        via  vlan998,  [0/0],  connected
172.31.255.192/28, vrf FWTEST 
        via  loopback99,  [0/0],  connected
172.31.255.128/28, vrf FWTEST 
        via  vlan999,  [0/0],  connected
172.31.255.130/32, vrf FWTEST 
        via  vlan999,  [0/0],  local
172.31.255.193/32, vrf FWTEST 
        via  loopback99,  [0/0],  local
172.31.255.241/32, vrf FWTEST 
        via  vlan998,  [0/0],  local

ArubaOS-CX# 

Next we can go on to configure OSPF.

Finally, just for reference, this was all done on a 6300 running ArubaOS-CX FL.10.04.0030.

Ubuntu Samba Install

Following on from my efforts building a dedicated data recovery box, I decided to use Samba as an easy way of looking through the recovered data, in addition to the local client disks.

First of all, a quick update as always to pick up the latest packages from the repo:

root@moe:~# apt update && apt upgrade -y

Next, the Samba install:

root@moe:~# apt install samba -y

The Samba setup required is very simple: I want one account with write access, then a guest account with read access for everyone else. Make sure you understand the implications of this insecure configuration before blindly following it. My folder structure is very basic, with everything under the /media directory being visible.

Rather than wade through the sea of options in the default config file, I simply backed it up and started from a blank slate.

root@moe:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.original
root@moe:~# vi /etc/samba/smb.conf

I then used the following config in the new smb.conf file:

#======================= Global Settings =======================
[global]
workgroup = WORKGROUP
dns proxy = no
load printers = no
printcap name = /dev/null
disable spoolss = yes

#### Networking ####
interfaces = 127.0.0.0/8
bind interfaces only = yes

#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000

####### Authentication #######
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

############ Misc ############
usershare allow guests = yes

#======================= Share Definitions =======================
[media]
comment = Media Share on Moe
path = /media
valid users = "jon"
write list = "jon"
guest ok = no
browseable = no


[store]
comment = Data Store on Moe
path = /media/store/
read only = yes
guest ok = yes

Once you have saved the file, use the testparm command to check for configuration errors. Then simply restart as below:

root@moe:~# service smbd restart
root@moe:~# service smbd status
● smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-05-07 11:04:22 UTC; 4s ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 28444 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/smbd.service
           ├─28444 /usr/sbin/smbd --foreground --no-process-group
           ├─28479 /usr/sbin/smbd --foreground --no-process-group
           └─28480 /usr/sbin/smbd --foreground --no-process-group


May 07 11:04:22 moe systemd[1]: Starting Samba SMB Daemon...
May 07 11:04:22 moe systemd[1]: Started Samba SMB Daemon.
May 07 11:04:22 moe smbd[28444]: [2020/05/07 11:04:22.166574,  0] ../lib/util/become_daemon.c:124(daemon_ready)
May 07 11:04:22 moe smbd[28444]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
root@moe:~# 
root@moe:~# 

I can’t stress enough that this is far from a secure or recommended setup. However, in my single use case it is fine; I’m only working on data believed to be lost, and this isn’t my livelihood.
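As an added example (not from the post), this Python audits an smb.conf for the settings the author flags as insecure, guest access and unrestricted protocol versions, and prints what each one exposes. POST_CONF is a trimmed copy of the config above (only the lines the audit inspects); HARDENED_CONF is a constructed authenticated-only variant for comparison. Samba parameter synonyms such as "public" for "guest ok" are not expanded here.

```python
"""Audit an smb.conf for anonymous-access and protocol-downgrade settings.

Added example. POST_CONF is trimmed from the post's smb.conf; HARDENED_CONF is
a constructed comparison. Limitation: Samba synonyms (e.g. "public", "writable")
are not expanded, only the parameter names used in the post are checked.
"""
import configparser
from typing import List, Optional, Tuple

POST_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server
interfaces = 127.0.0.0/8
bind interfaces only = yes
map to guest = bad user
usershare allow guests = yes

[media]
comment = Media Share on Moe
path = /media
valid users = "jon"
write list = "jon"
guest ok = no
browseable = no

[store]
comment = Data Store on Moe
path = /media/store/
read only = yes
guest ok = yes
"""

# Constructed hardened variant: SMB1 off, encryption required, no guest mapping.
HARDENED_CONF = """\
[global]
workgroup = WORKGROUP
server role = standalone server
server min protocol = SMB3
smb encrypt = required
map to guest = never
usershare allow guests = no

[store]
path = /media/store/
read only = yes
valid users = "jon"
guest ok = no
"""

Finding = Tuple[str, str]  # (code, message)


def smb_bool(value: Optional[str], default: bool) -> bool:
    """Interpret a Samba boolean (yes/no, true/false, 1/0); fall back to the parameter default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: smb.conf values contain %m/%u/%n substitutions that
    # configparser would otherwise try to expand and reject.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> List[Finding]:
    cp = load_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings: List[Finding] = []

    if "server min protocol" not in g:
        findings.append(("G1", "server min protocol unset: Samba before 4.11 defaults to allowing SMB1"))
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("G2", f"map to guest = {g.get('map to guest')}: unknown usernames are mapped to the guest account"))
    if smb_bool(g.get("usershare allow guests"), False):
        findings.append(("G3", "usershare allow guests = yes: users may publish guest-accessible shares"))
    ifaces = g.get("interfaces", "").split()
    if smb_bool(g.get("bind interfaces only"), False) and ifaces and all(i.startswith("127.") for i in ifaces):
        findings.append(("I1", "bind interfaces only with loopback-only interfaces: shares are reachable only from this host"))

    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        if smb_bool(s.get("guest ok"), False):
            # "read only" defaults to yes in Samba, so an unset value is read-only.
            mode = "read-only" if smb_bool(s.get("read only"), True) else "read-write"
            findings.append(("S1", f"[{share}] guest ok = yes: anonymous {mode} access to {s.get('path')}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("post", POST_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf))
```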

ArubaOS-CX VSF

Aruba VSF (Virtual Switch Framework) on the Aruba CX line of switches provides the ability to manage a number of switches (up to 10, from memory) as a single virtual network node. This simple how-to gives a quick overview of adding a switch to, and removing a switch from, a stack. There is lots of official documentation available, and there may well be other methods, but this works fine for me.

Adding a switch to an existing stack

When adding a new switch, boot the new switch up and configure it as switch 1 with the appropriate type and links.

6300-New# show run vsf
!
vsf member 1
 type jl665a
 link 1 1/1/49
 link 2 1/1/50
!

On the existing stack, provision the new switch with the appropriate member number, type and links. In this example we are adding switch 3 to the existing stack.

6300-Stack# show run vsf
!
vsf member 1
 type jl665a
 link 1 1/1/49
 link 2 1/1/50
vsf member 2
 type jl665a
 link 1 2/1/49
 link 2 2/1/50
vsf member 3
 type jl665a
 link 1 3/1/49
 link 2 3/1/50
!

We can check to confirm that the VSF member is defined correctly and isn’t currently present, as shown for switch 3 below.

6300-Stack# sh vsf de
VSF Stack
MAC Address : 88:3a:30:97:dd:c0
Secondary : 2
Topology : chain
Status : No Split
Split Detection Method : None
Software Version : FL.10.04.0030


Name : Aruba-VSF-6300
Contact : "Network Team"
Location :


Member ID : 1
MAC Address : 88:3a:30:97:dd:c0
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Master
ROM Version : FL.01.05.0003
Serial Number : SG9XXXKX8B
Uptime : 16 hours, 21 minutes
CPU Utilization : 17%
Memory Utilization : 20%
VSF Link 1 : Down
VSF Link 2 : Up, connected to peer member 2, link 1


Member ID : 2
MAC Address : 88:3a:30:99:d6:40
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Standby
ROM Version : FL.01.05.0003
Serial Number : SG9XXKXX8X
Uptime : 15 hours, 52 minutes
CPU Utilization : 5%
Memory Utilization : 11%
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Down


Member ID : 3
MAC Address :
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Not Present
ROM Version :
Serial Number :
Uptime :
CPU Utilization : 0%
Memory Utilization :
VSF Link 1 : Down
VSF Link 2 : Down


6300-Stack#

Install the new switch in the rack and connect the cables. On the new switch, issue the renumber from 1 (standalone) to 3, which is our planned stack number.

6300-New#
6300-New# conf
6300-New(config)# vsf renumber-to 3
This will save the VSF configuration and reboot the switch.
Do you want to continue (y/n)? y


2020/01/01 09:07:30 Registration with Credential Manager successful or deferred.
2020/01/01 09:07:30 Encrypt value in User table in password column ,
2020/01/01 09:07:30 Ignoring ssh_host_keygen_requested in system table to be saved in config

The switch will reboot and should join the stack, assuming the cables are all patched.

Once the switch has rebooted, the VSF status can be checked as shown below.

6300-Stack# sh vsf de
VSF Stack
MAC Address : 88:3a:30:97:dd:c0
<<<SNIP>>>
Name : Aruba-VSF-6300
Contact : "Network Team"
Location :


Member ID : 1
MAC Address : 88:3a:30:97:dd:c0
<<<SNIP>>>
VSF Link 1 : Up, connected to peer member 3, link 2
VSF Link 2 : Up, connected to peer member 2, link 1


Member ID : 2
MAC Address : 88:3a:30:99:d6:40
<<<SNIP>>>
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Up, connected to peer member 3, link 1


Member ID : 3
MAC Address : 88:3a:30:98:cf:00
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : OS Version Mismatch
ROM Version :
Serial Number :
Uptime :
CPU Utilization : 0%
Memory Utilization :
VSF Link 1 : Up, connected to peer member 2, link 2
VSF Link 2 : Up, connected to peer member 1, link 1

However, as you can see, the OS is mismatched; the new switch will be upgraded/downgraded and rebooted automagically.

6300-Stack# sh vsf de
VSF Stack
MAC Address : 88:3a:30:97:dd:c0
<<<SNIP>>>
Name : Aruba-VSF-6300
Contact : "Network Team"
Location :


Member ID : 1
MAC Address : 88:3a:30:97:dd:c0
<<<SNIP>>>
VSF Link 1 : Down
VSF Link 2 : Up, connected to peer member 2, link 1


Member ID : 2
MAC Address : 88:3a:30:99:d6:40
<<<SNIP>>>
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Down


Member ID : 3
MAC Address :
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Not Present
ROM Version :
Serial Number :
Uptime :
CPU Utilization : 0%
Memory Utilization :
VSF Link 1 : Down
VSF Link 2 : Down


6300-Stack#

After the new switch has booted, the VSF will show it connected, with full details.

6300-Stack# sh vsf de
VSF Stack
MAC Address : 88:3a:30:97:dd:c0
Secondary : 2
Topology : ring
Status : No Split
Split Detection Method : None
Software Version : FL.10.04.0030


Name : Aruba-VSF-6300
Contact : "Network Team"
Location :


Member ID : 1
MAC Address : 88:3a:30:97:dd:c0
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Master
ROM Version : FL.01.05.0003
Serial Number : SG9XXXKX8B
Uptime : 16 hours, 27 minutes
CPU Utilization : 4%
Memory Utilization : 20%
VSF Link 1 : Up, connected to peer member 3, link 2
VSF Link 2 : Up, connected to peer member 2, link 1


Member ID : 2
MAC Address : 88:3a:30:99:d6:40
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Standby
ROM Version : FL.01.05.0003
Serial Number : SG9XXKXX8X
Uptime : 15 hours, 58 minutes
CPU Utilization : 6%
Memory Utilization : 11%
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Up, connected to peer member 3, link 1


Member ID : 3
MAC Address : 88:3a:30:98:cf:00
Type : JL665A
Model : 6300F 48-port 1GbE Class 4 PoE and 4-port SFP56 Switch
Status : Member
ROM Version : FL.01.05.0003
Serial Number : SG9XKXXX8V
Uptime : under a minute
CPU Utilization : 0%
Memory Utilization : 8%
VSF Link 1 : Up, connected to peer member 2, link 2
VSF Link 2 : Up, connected to peer member 1, link 1


6300-Stack#

Other commands show the connectivity within the stack.

6300-Stack# sh vsf topol
Mstr                  Stdby
+---+      +---+      +---+
| 1 | 1==2 | 3 | 1==2 | 2 |
+---+      +---+      +---+
  2                     1
  +=====================+


6300-Stack# sh vsf link

VSF Member 1

      Link        Peer     Peer
Link  State       Member   Link    Interfaces
----  ----------  -------  ------  ---------------------------
1     up          3        2       1/1/49
2     up          2        1       1/1/50



VSF Member 2

      Link        Peer     Peer
Link  State       Member   Link    Interfaces
----  ----------  -------  ------  ---------------------------
1     up          1        2       2/1/49
2     up          3        1       2/1/50



VSF Member 3

      Link        Peer     Peer
Link  State       Member   Link    Interfaces
----  ----------  -------  ------  ---------------------------
1     up          2        2       3/1/49
2     up          1        1       3/1/50


6300-Stack#
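The detail output has a fixed key/value layout, so it is simple to check from a script. Below is an added example (mine, not part of the original post) in Python that parses it and flags what matters operationally: a split, a member that is Not Present, a down VSF link, a missing master or standby, and a Split Detection Method of None. Note that the healthy output above also reports None; in a ring with no split detection, a stack that splits leaves two halves both believing they are active with the same configuration and addresses, so it is worth configuring. The two samples are constructed from the output above, abbreviated to the fields the checker reads.

```python
"""Health check over `show vsf detail` output from an ArubaOS-CX VSF stack.

Added example, not part of the original post.  The two samples below are
constructed from the post's own output, abbreviated to the fields checked.
"""

HEALTHY = """\
VSF Stack
MAC Address : 88:3a:30:97:dd:c0
Secondary : 2
Topology : ring
Status : No Split
Split Detection Method : None
Software Version : FL.10.04.0030

Member ID : 1
Status : Master
VSF Link 1 : Up, connected to peer member 3, link 2
VSF Link 2 : Up, connected to peer member 2, link 1

Member ID : 2
Status : Standby
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Up, connected to peer member 3, link 1

Member ID : 3
Status : Member
VSF Link 1 : Up, connected to peer member 2, link 2
VSF Link 2 : Up, connected to peer member 1, link 1
"""

DEGRADED = """\
VSF Stack
Status : No Split
Split Detection Method : None

Member ID : 1
Status : Master
VSF Link 1 : Down
VSF Link 2 : Up, connected to peer member 2, link 1

Member ID : 2
Status : Standby
VSF Link 1 : Up, connected to peer member 1, link 2
VSF Link 2 : Down

Member ID : 3
MAC Address :
Status : Not Present
VSF Link 1 : Down
VSF Link 2 : Down
"""


def parse_vsf_detail(text):
    """Split the output into stack-level fields and one dict per member."""
    header, members, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # banner lines such as "VSF Stack" and blank lines
        key, _, value = line.partition(":")  # first colon only: MAC addresses contain colons
        key, value = key.strip(), value.strip()
        if key == "Member ID":
            current = {"id": int(value)}
            members.append(current)
        elif current is None:
            header[key] = value
        else:
            current[key] = value
    return header, members


def vsf_findings(text):
    """Return a list of problems; an empty list means the stack looks healthy."""
    header, members = parse_vsf_detail(text)
    findings = []
    if header.get("Status") != "No Split":
        findings.append(f"stack status is {header.get('Status')!r}")
    if header.get("Split Detection Method", "None") == "None":
        findings.append("no split detection method configured")
    roles = [m.get("Status") for m in members]
    for role in ("Master", "Standby"):
        if roles.count(role) != 1:
            findings.append(f"expected one {role}, found {roles.count(role)}")
    for m in members:
        if m.get("Status") == "Not Present":
            findings.append(f"member {m['id']} is not present")
        for link in ("VSF Link 1", "VSF Link 2"):
            if not m.get(link, "").startswith("Up"):  # "Down" or missing
                findings.append(f"member {m['id']} {link} is down")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(f"{name}: {vsf_findings(text) or 'OK'}")
```

Feed it the real output (for example from an SSH session or a syslog-triggered job) and alert on a non-empty list; the degraded sample above corresponds to the state before member 3 had finished booting.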

Interestingly, if you connect a USB console to anything other than the stack master, you can log in, but only with a local account; TACACS+ and the like only appear to function on the stack master. I suspect this will be fixed in a later version of code, as it appears to be the opposite of the desired behaviour. Until then, bear in mind that console logins on the other members fall back to the local accounts, so their passwords deserve the same care as on a standalone switch.

Finally, just for reference, this was all done on a 6300 running ArubaOS-CX FL.10.04.0030.

Working Ubuntu Linux & WPA2e (enterprise) Configuration

Following on from my recent entry WPA2 Enterprise on a Raspberry Pi, I was asked if I could offer some guidance for a couple of Linux distributions, in particular Ubuntu MATE and Elementary OS. The instructions here may be applicable to other Linux distributions, but I've only confirmed them on Ubuntu MATE 18.04 and Elementary OS Juno.

So, starting with Ubuntu MATE, select the WPA2 enterprise protected network in the normal manner from the desktop. Forgive the images: I've hidden some of the network names.

Once you have clicked on the relevant WPA2e protected network, you will see a dialogue box as below. Set the options under Wi-Fi security, and the others, as shown below before choosing "select from file" under the CA certificate option. If you select the CA certificate too early, other options may become inaccessible. We will return to this shortly, so if an option isn't available now it will be soon.

Once the file dialogue box pops open, navigate to the directory /etc/ssl/certs and choose ca-certificates.crt as shown below.

Once you have selected the ca-certificates.crt file and returned to the earlier dialogue box, make sure PEAP version is set to Automatic and the inner authentication is MSCHAPv2, if they are not already.

Next, make sure you put your username and password in the relevant fields. This screenshot was taken where Active Directory usernames were used, hence the fields being populated with AD-prefixed strings.

Finally, tick "No CA certificate is required". If you tick this too early, it prevents you entering your username and password. Be aware of what the tick box does: with it set, NetworkManager accepts whatever certificate the RADIUS server presents, so a rogue access point advertising the same SSID can collect the MSCHAPv2 challenge/response for your AD credentials. Where the CA that signed your RADIUS server's certificate is known, point the CA certificate field at that CA instead and leave the box unticked.

Then click Connect and it will attempt to connect to your chosen WPA2 enterprise protected network.

In Elementary OS Juno, it doesn't let you click on the WPA2e protected network directly, in which case you will need to click on Network Settings.

Once in the Network Settings dialogue box, you can then select the WPA2 enterprise protected network.

After selecting your network, you should be able to follow the Ubuntu MATE instructions above.

Working Raspberry Pi & WPA2e (enterprise) Configuration.

I've seen numerous posts with many different approaches to getting this working. I had to do it recently, so did some testing along the way and made some notes. I had the opportunity to test on a number of Pis, so it should work with any WPA2e network, whether it belongs to a company or a university. One final point: just because I've detailed how to connect, you may still need permission from the appropriate network security body before connecting your device to a WPA2e protected network.

The instructions were tested on both the Raspberry Pi 3b and Raspberry Pi 4, running any of the images below:

  • Raspbian Buster with desktop and recommended software(September 2019)
  • Raspbian Buster with desktop (September 2019)
  • Raspbian Buster Lite (September 2019)

I didn’t do any updates to the base image, just so I knew I had a common starting point. I don’t expect any issues if I had done the updates, and did try at the time with no issues. However over time there will obviously be many updates that were not included in my testing.

So, from a fresh boot of a new image, after the normal resizing of the root partition and so on, the first thing we need is the hashed form of the password for the WPA2 enterprise network. We could use clear text instead, but since it is going into a config file under /etc, storing the hash is better practice: it keeps the plain-text password (which may well be reused elsewhere) out of the file. Note that the hash is the unsalted NT hash that MSCHAPv2 uses directly, so anyone who can read the file can still authenticate to the Wi-Fi with it; keep the file readable by root only. The following command (using the real password) gives us the hashed password.

Throughout the snippets below, be aware that long lines may appear word-wrapped on your screen. Also note that a password typed on the command line ends up in your shell history, so clear that afterwards. On newer releases shipping OpenSSL 3, MD4 lives in the legacy provider, so the openssl step may need it loaded (for example openssl dgst -md4 -provider legacy -provider default); Raspbian Buster's OpenSSL 1.1 does not need this.

pi@raspberry:~ $ echo -n 'WiFi-Password' | iconv -t utf16le | openssl md4 | cut -d " " -f2
01c5a3f0c2cad4e614d5e3c3d92906f6

It’s the string 01c5a3f0c2cad4e614d5e3c3d92906f6 we need later so keep it safe.

Next we create a new file:

pi@raspberry:~ $ sudo vi /etc/network/interfaces.d/wpa2enterprise

With the following text:

auto wlan0

iface wlan0 inet dhcp
  # -Dwext is what was tested here; -Dnl80211 is the current driver interface if wext misbehaves
  pre-up wpa_supplicant -B -Dwext -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf
  post-down killall -q wpa_supplicant

Next we create the referenced `/etc/wpa_supplicant/wpa_supplicant.conf` with the following details:

  • Wi-Fi network name (the SSID to connect to)
  • Your username to connect to the network with
  • The hashed password (generated earlier)

pi@raspberry:~ $ sudo vi /etc/wpa_supplicant/wpa_supplicant.conf

With the following content, updating the details as appropriate (marked with ---).

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=GB

network={
 ssid="---WIFI-NAME---"
 proto=RSN
 key_mgmt=WPA-EAP
 auth_alg=OPEN
 eap=PEAP
 identity="---USERNAME---"
 # NT hash generated earlier; it is password-equivalent, so keep this file readable by root only
 password=hash:---PASSWORD-HASHED-VALUE---
 # no ca_cert / domain_suffix_match here, so the RADIUS server's certificate is not validated
 phase1="peaplabel=0"
 phase2="auth=MSCHAPV2"
 priority=1
}

Once you have created the files as specified above, with the appropriate details filled in, reboot the Raspberry Pi and it should connect automatically to the WPA2 enterprise (WPA2e) network.

Finally, when your password is changed, you just need to generate a new hash and update /etc/wpa_supplicant/wpa_supplicant.conf accordingly.
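The hash above is the NT hash (MD4 over the UTF-16LE encoding of the password), which is what MSCHAPv2 uses directly. As an added example (mine, not part of the original post), here it is in pure Python, together with a function that renders the network stanza with server certificate validation switched on. It shows two things the procedure above does not: the hash is unsalted and password-equivalent, so the file protects the plain text but not the Wi-Fi login itself; and the configuration above has no ca_cert or domain_suffix_match, so the Pi will accept any RADIUS server certificate, and a rogue access point with the same SSID can collect the MSCHAPv2 challenge/response for your username. The CA bundle path and RADIUS host name passed in are assumptions for the reader's network. MD4 is implemented here rather than taken from hashlib because OpenSSL 3 moves it into the legacy provider and hashlib may not expose it.

```python
"""NT hash for wpa_supplicant's `password=hash:` form, plus a hardened network stanza.

Added example, not the original post's code.  nt_hash() produces the same value
as the post's `echo -n | iconv -t utf16le | openssl md4` pipeline.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three rounds of sixteen steps per 512-bit block, little-endian words."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"                                    # pad: 1 bit, zeros, 64-bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = [a, b, c, d]
        for fn, k, shifts, order in rounds:
            for i, xi in enumerate(order):
                t = (-i) % 4                              # word updated this step: a, d, c, b, ...
                x, y, z = s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4]
                s[t] = _rotl((s[t] + fn(x, y, z) + X[xi] + k) & _MASK, shifts[i % 4])
        a, b, c, d = ((u + v) & _MASK for u, v in zip((a, b, c, d), s))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Hex value to place after `password=hash:`; unsalted, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le")).hex()


def network_block(ssid, identity, password, ca_cert, domain_suffix, outer_identity="anonymous"):
    """wpa_supplicant network stanza that validates the RADIUS server certificate.

    ca_cert and domain_suffix are assumptions for the reader's network: the CA that
    signed the RADIUS server's certificate and the host name that certificate carries.
    """
    return "\n".join([
        "network={",
        f'  ssid="{ssid}"',
        "  proto=RSN",
        "  key_mgmt=WPA-EAP",
        "  eap=PEAP",
        f'  anonymous_identity="{outer_identity}"',   # the outer identity travels in the clear
        f'  identity="{identity}"',
        f"  password=hash:{nt_hash(password)}",
        f'  ca_cert="{ca_cert}"',                      # reject servers not chained to this CA
        f'  domain_suffix_match="{domain_suffix}"',    # and certificates issued for other hosts
        '  phase1="peaplabel=0"',
        '  phase2="auth=MSCHAPV2"',
        "}",
    ])


if __name__ == "__main__":
    print(network_block("---WIFI-NAME---", "---USERNAME---", "WiFi-Password",
                        "/etc/ssl/certs/ca-certificates.crt", "radius.example.org"))
```

Run nt_hash on the password you intend to use and paste the result after hash:; if the RADIUS server uses a private CA, put that CA's PEM file in ca_cert rather than the system bundle, so that only certificates from your own authority are accepted.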

Emergency Null Modem Cable

At some point, many engineers from numerous backgrounds have had an emergency requirement for a null modem cable. I was in one such situation recently and had to cobble one together quickly to get a box back up and running.

With just a pocket (pen) knife and a couple of Cisco DB9-to-8P8C (RJ45, if you prefer) adapters I was able to cobble one together. I needed DB9 at both ends, so I chopped off the RJ45 connectors.

The pins we are interested in, viewed from the RJ45 ends, are:

3 – TXD (red)
5 – RXD (green)
6 – GRND (yellow)

When doing a quick search to confirm the pins, the colours people report are not always consistent. I would work from the pin number and confirm the colours with a continuity check.

Once identified, it is simply a case of stripping the insulation on the required wires (red, green and yellow) back to reveal the copper, then twisting them together in the right order to make a null modem cable with DB9 at both ends.

So I twisted the two GND (yellow) wires together, then crossed the red and green wires (TXD at one end to RXD at the other) and twisted each pair together. Finally, a paper clip was used to provide some strain relief. I had no tape or crimping tools, so that was the best I could do at the time.

Obviously, in an ideal world, solder and insulation are highly recommended, but as a quick get-out-of-jail card it worked just fine.

The finished article, if you can call it finished.

I didn't think about it at the time, but in hindsight I could have stripped the other colours and twisted their copper together to add some mechanical resilience.

It was good enough to get the few bits back and forth at 9600 baud and bring an ancient bit of kit back up and serviceable on the network. I've since soldered and insulated it all, but have never used it since. It is still in my drawer ready for use, though.