Simple, Configurable Switching.

Greetings All. A quick-ish post today, but an important one for those of us set in our ways when it comes to different technologies.

I recently found myself in need of a new, small network switch for my home office. Like many other professionals, I work from home. Unlike many other professionals, I have worked from home (when not traveling) for the last 12+ years. My home office resembles something of a lab meets a meeting space meets a man cave, with an office in the middle of that madness somewhere. I wired the home with Cat6 upon purchasing it, but I need far more than just one wall drop (I converted Cat6 phone jacks to RJ45s; I love when contractors over-build!). To that end, I have a switch in my office that uplinks to the core/server switches in my network room. I need Power over Ethernet (PoE) as I have multiple IP phones and video units in various states of configuration as well as a Unifi AP installed that uses in-line power. I also need Layer 2 capabilities and either LLDP-MED or CDP for my phones. On the flip side, I need a quiet switch as I am on the phone (or headset) multiple hours of the day dealing with customers that hold me to higher standards than they hold themselves.

In the past I’ve used, almost exclusively, Cisco switches, as I work with the brand often in my professional endeavors and find them easy to deploy and understand (for the most part). The switch that I am replacing in this narrative is, in fact, a Cisco 3560CX-8PS. This flavor of 3560 is fan-less (quiet) and provides 8 Gigabit Ethernet ports with PoE+ (15.4 watts). It also has two copper/SFP Gigabit uplink ports. Additionally, it supports basic inter-VLAN routing, which is not terribly important given the satellite nature of where it is deployed (VTP from the core). While this switch is great, it is bigger (physically) than it needs to be and it cost me around $800 on the gray market. Additionally, I found that I needed it for another project, and thus I began searching for an office replacement. I first started my search by looking for another 3560CX; I can find refurbished models for $500-1000. I like Cisco gear, but not for that price. I looked at some HPE/Aruba options, but those too are more expensive than I’d like and have roughly the same size constraints as mentioned above.

At this point I started to question what I really needed. I need the ability to tag and trunk VLANs and perform the other basic tenets of a solid Layer 2 switch. I need either Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol – Media Endpoint Discovery (LLDP-MED) for my phones and video units. I need PoE, as stated before, but I honestly don’t need 8 ports; I could do with 4 in most situations. I want something small and I need something quiet. To that end I looked where I should have started looking in the first place…Ubiquiti.

If you’ve read any of my other blog posts, you know that I have Ubiquiti wireless APs and that I also have a Ubiquiti USG security gateway; I’ll put a link here if you are curious about that adventure. With the APs and USG I have a Unifi Network Controller that is constantly running and provides very useful insights on the wireless and security portions of my network. With all of that said, their switching offerings were my next logical step, and I went on Amazon and found a US-8-60W switch for $125 with tax (and free shipping). If you know Ubiquiti models, you will recognize this as a previous generation of the controller-based 8-port Gigabit Layer 2 switch with PoE on 4 ports. It is fan-less (quiet!) and has an external power supply that can be easily hidden. The 4 PoE+ ports supply up to 15.4 watts of power per interface and it has native support for LLDP-MED.

The installation was simple. I plugged it in and connected the uplink. It was adopted by the controller (with the help of Layer 2 discovery and DNS records) and the code was upgraded. From there I created port profiles and assigned them to the 8 ports.

From my initial testing, I found that LLDP-MED does exactly what I need it to and the interoperability with my Cisco core/server switches is seamless.

I also found that my Cisco IP phones had plenty of power and registered without issue on the correct VLANs.

I have been incredibly impressed by this switch, and the rest of my Ubiquiti gear. I am sure there are those that will argue that comparing Ubiquiti and Cisco is far from an apples-to-apples comparison. I believe that argument has merit, but I prefer to respond in this way: I was able to deploy Layer 2 switching with PoE for $125. I don’t really think anything else needs to be said.

Justin

Quick & Dirty: Cisco Modern Router (ISR, ASR) Software Upgrades

Hello World!

Just a quick post today, and my usual apology for not posting more frequently.

If, like me, you find yourself doing ISR IOS XE upgrades, you realize that although it can be a quick process there is always room for improvement.

Today, while upgrading 15+ ISR 4451 CUBE routers, I decided to quickly “notepad script” my upgrade commands. For reference I am using an SFTP server for this upgrade but the plan works for FTP or TFTP if you wish.

My quick and dirty notepad script looks like this…

copy sftp: bootflash:
IP ADDRESS OF SFTP SERVER
USERNAME for SFTP SERVER
REMOTE SOFTWARE-PATH
LOCAL SOFTWARE-PATH
PASSWORD for SFTP SERVER
! (for Enter)

A quick copy and paste and the process has started. Once the copy is successful, a second quick and dirty script will change the boot path and then reboot your router.

config t
boot system bootflash:IOSXEFileName
exit
wr mem
reload
y
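As an added example (not the post’s own script), here is the same two-paste procedure built in Python with two checks the notepad version lacks: the local image’s MD5 is compared against the vendor-published value before the reboot paste is produced, and a verify /md5 line plus a no boot system line are emitted so the router checks the copied file and boots only the new image. The image bytes, filename, host and credentials are constructed placeholders.

```python
import hashlib

# Constructed stand-in for the downloaded IOS XE image; read the real .bin file in practice.
IMAGE_BYTES = b"constructed bytes standing in for an IOS XE image"
IMAGE_NAME = "IOSXEFileName.bin"  # placeholder, as in the post's script

def image_md5(data):
    # Cisco publishes an MD5 per image; 'verify /md5' on the router computes the same value.
    return hashlib.md5(data).hexdigest()

def copy_script(sftp_host, user, remote_path, image_name, password):
    # One answer per line, in the order 'copy sftp: bootflash:' prompts for them on IOS XE.
    return ["copy sftp: bootflash:", sftp_host, user, remote_path, image_name, password, "!"]

def boot_script(image_name, expected_md5, data):
    # Returns an empty list (nothing to paste) if the local file's MD5 does not match the vendor value.
    if image_md5(data) != expected_md5.lower():
        return []
    return [
        f"verify /md5 bootflash:{image_name} {expected_md5}",  # router-side check of the copied file
        "config t",
        "no boot system",  # clear the old boot statement so the new image is the only one
        f"boot system bootflash:{image_name}",
        "exit",
        "wr mem",
        "reload",
        "y",
    ]

def upgrade_plan(sftp_host, user, remote_dir, image_name, password, expected_md5, data):
    # Both paste blocks for one router, or None if the image failed its hash check.
    boot = boot_script(image_name, expected_md5, data)
    if not boot:
        return None
    return copy_script(sftp_host, user, f"{remote_dir}/{image_name}", image_name, password), boot
```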

There is nothing special here, and there are far more elegant solutions, but this works for me and hopefully it can work for you!

Justin

Ubiquiti USG: Quick & Easy Remote Access VPN

Hello World!

When I decided to purchase and install a Ubiquiti USG-3P security appliance, which you can read about here, one of the determining factors was that I could configure VPN service for remote connectivity. As I use Dynamic DNS (DynDns) with the USG (read about that here), I have a reliable VPN URL that is always available.

Whenever you put “Quick & Easy” in the title of anything, the expectation is that the process is not difficult and does not take all day. Ubiquiti has made the process very simple; I’ll outline the steps below.

Step 1. Configure the local RADIUS server

This first step is located under Settings -> Services -> RADIUS -> Server within the Unifi Controller software. Turn it on and set your Secret and you are good to go!

Step 2. Configure your RADIUS (VPN) User

This second step is located under Settings -> Services -> RADIUS -> Users within the Unifi Controller software. Turn it on and set your Password and you are good to go! Notice I left the VLAN blank. If I were using the USG as a switched Layer 3 device this would need to be filled in. As it stands, my USG is basically running as a transparent firewall.

Step 3. Build your VPN Network (VPN Profile)

This third and final step (on the UBNT side) is located within the Settings section under Networks. You will create a new network and select Remote User VPN as the purpose. In my case I selected an L2TP Server; you could select PPTP as well, but L2TP works for my purposes. You’ll then configure your Pre-Shared Key (PSK) and define your VPN subnet. I recommend making this network small and keeping it on a network convention dissimilar from your internal networks. Configure your Name (DNS) server(s) and other options and then select your RADIUS profile. In my case the simple Default profile was all I needed. Within the RADIUS profile configuration you could add an external RADIUS server if you have one in place currently. If that is the case, the first two steps are not necessary. The MS-CHAP v2 requirement is checked by default and you should use it for security.

At this point, we are done with our Ubiquiti configuration! That means it is time to move on to the client side. In my case that means Windows 10. There are L2TP/PPTP configuration guides out there for Mac and Linux as well but since I am using Windows, that is what I’ll cover.

Step 1. Go to the VPN Configuration Screen

In the image below you’ll see the VPN configuration screen, which is under Settings -> Network & Internet -> VPN. From here you can Add a VPN Connection. Once your connection is added you’ll see it in the list (as shown below) and also in the network status icon on your Windows taskbar (Windows 10).

Step 2. Configure the VPN Profile

Configuring the VPN profile for Windows 10 is very straightforward. You’ll need the public address of your USG (or your Dynamic DNS URL) and you’ll need the Pre-Shared Key (PSK). Optionally, you can also enter your username and password. If you don’t enter your username and password (shown in the image below), you’ll be prompted for them every time you connect.

Step 3. Connect

To connect to your VPN in Windows 10, select the network status icon in the task bar (usually a computer screen for wired or a wireless signal graph for wireless) and click on the VPN connection at the top of the box.

If you entered your username and password into the configuration page you should not be prompted for them; if you did not, you will need to enter them when prompted. Once connected, you’ll see the status above.

When I show my connection status I can see the VPN settings that I configured earlier (shown below).

In closing, this really is a quick and easy process. If you need easy and reliable remote access it is definitely something to consider. Also worth considering is that we are doing this configuration with PSKs and not with certificates. There are security considerations to take into account here. With all of that said, I would 100% choose this option over users accessing systems remotely via the questionable applications that exist in the software client remote access space today.

I hope this helps someone! Questions? Comments? Post them below.

-Justin

When Good VTP Goes Bad

Just a quickie tonight folks…

I am expanding my network and relocating my servers and other “noisy” hardware to my basement. The cooling value of the dry subterranean environment is great but in all honesty I’m trying to keep my better half happy and my office is not a great place for network gear and servers apparently.

With this relocation I am expanding my switching infrastructure from my core 3560G to include a 2960G as well. The addition of this switch gives me the opportunity to play with VTP or the VLAN Trunking Protocol.

VTP is a Layer 2 protocol that allows you to configure all of your VLANs on the “server” and then feed them down to the “clients”. VTP is a proprietary Cisco protocol and for large, diverse networks it may not be the best option but for me it works, at least it was supposed to.

I say supposed to, because I configured it, using version 2 and nothing happened. Below are my configurations…

CORE-3560G-01(config-vlan)#do show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SPRNET
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 000a.b8d3.0400
Configuration last modified by 10.10.0.254 at 8-22-16 01:52:57
Local updater ID is 10.10.0.254 on interface Vl1 (lowest numbered VLAN interface found)
Preferred interface name is gig0/49

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 23
Configuration Revision            : 0
MD5 digest                        : 0x85 0x94 0x36 0x46 0xC1 0xCE 0xE0 0xD0
                                    0x87 0x0A 0xF2 0xD4 0x24 0xD0 0xF8 0xD2

BASEMENT-2960G-01#show vtp sta
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SPRNET
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.594c.b180
Configuration last modified by 10.10.0.244 at 3-15-93 06:29:46

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x7D 0x73 0xB1 0x19 0x35 0xDC 0xE2 0xA8
                                    0x3A 0x07 0xE0 0xBF 0x92 0xFA 0x53 0x2A

As you can see everything looks like it should work. My passwords match and my domain matches but still no joy. After banging my head on my desk to figure this out, I see the below error message at the bottom of my client’s VTP status.

*** MD5 digest checksum mismatch on trunk: Gi0/21 ***

What is this error? What does it mean?

What it means is that the MD5 digest check between the VTP server and client fails, and thus no one talks. What it also means is that I am hitting a long-running bug. See the Cisco forum post here.

If you read that post, you’ll find the fix, but here it is for your reference.

Basically, you need to make your server regenerate its MD5 checksum value. Once that value is regenerated, VTP messages are exchanged between the server and client(s) and VLAN joy is had by all. To regenerate this value, simply create a new Layer 2 VLAN. A simple fix for a complex problem. For those of you that want to upgrade code to solve the problem, good luck: Cisco hasn’t fixed this bug in over 20 revisions of IOS software.
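As an added diagnostic (not part of the post), the following parser reads the two show vtp status captures above, handles the digest wrapping onto a second line, and lists why a client would not take the server’s VLAN database: a domain mismatch, a digest mismatch (password mismatch or the stale-digest condition described here), the trunk error line, and the revision comparison a VTP client makes before accepting an update. The sample text is constructed from the post’s output, abbreviated to the fields the checks use.

```python
import re

# Constructed sample text, abbreviated from the two "show vtp status" captures in this post.
SERVER = """VTP Domain Name                 : SPRNET
VTP Operating Mode                : Server
Configuration Revision            : 0
MD5 digest                        : 0x85 0x94 0x36 0x46 0xC1 0xCE 0xE0 0xD0
                                    0x87 0x0A 0xF2 0xD4 0x24 0xD0 0xF8 0xD2
"""
CLIENT = """VTP Domain Name                 : SPRNET
VTP Operating Mode                : Client
Configuration Revision            : 0
MD5 digest                        : 0x7D 0x73 0xB1 0x19 0x35 0xDC 0xE2 0xA8
                                    0x3A 0x07 0xE0 0xBF 0x92 0xFA 0x53 0x2A
*** MD5 digest checksum mismatch on trunk: Gi0/21 ***
"""

FIELD = re.compile(r"^(\S.*?)\s*:\s*(.*)$")              # "Key : value" rows
HEXRUN = re.compile(r"^\s+((?:0x[0-9A-Fa-f]{2}\s*)+)$")  # wrapped second line of the digest
TRUNK_ERR = re.compile(r"MD5 digest checksum mismatch on trunk: (\S+) \*\*\*")

def parse_vtp_status(text):
    # Returns the fields as a dict; the 16-byte digest is joined back into one string.
    info, errors, last = {}, [], None
    for line in text.splitlines():
        m = TRUNK_ERR.search(line)
        if m:
            errors.append(m.group(1))
        elif (m := FIELD.match(line)):
            last = m.group(1)
            info[last] = m.group(2).strip()
        elif (m := HEXRUN.match(line)) and last == "MD5 digest":
            info[last] += " " + m.group(1).strip()
    info["trunk_errors"] = errors
    return info

def vtp_findings(server_text, client_text):
    # Compares a server/client pair and lists why the client would not take the server's VLANs.
    s, c = parse_vtp_status(server_text), parse_vtp_status(client_text)
    f = []
    if s["VTP Domain Name"] != c["VTP Domain Name"]:
        f.append("domain differs: %s vs %s" % (s["VTP Domain Name"], c["VTP Domain Name"]))
    if s["MD5 digest"] != c["MD5 digest"]:
        f.append("MD5 digest differs (password mismatch, or the stale-digest bug in this post)")
    if int(s["Configuration Revision"]) <= int(c["Configuration Revision"]):
        f.append("server revision %s is not higher than the client's, so no update is accepted" % s["Configuration Revision"])
    f += ["client reports digest mismatch on trunk " + t for t in c["trunk_errors"]]
    return f
```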

I hope this has helped someone, thank you for reading.

-Justin