
ProCurve – Secure Management

Managing networking components is possible via a web interface or via a command-line interface. It doesn’t matter which method you prefer, but it does matter that the connection is secure. If you use telnet (CLI) or HTTP (web interface), the management traffic is sent in clear text across the network.

I still notice that a lot of people use insecure communication methods. It is preferred to use SSH (CLI) or HTTPS (web interface) to manage your components. The commands below can be used on HP ProCurve components to enable SSH and HTTPS and to disable the telnet and HTTP management protocols. (The supported key size depends on the type of component and the firmware version used.)

CLI

switch01(config)# crypto key generate ssh rsa bits 2048
switch01(config)# ip ssh
switch01(config)# no telnet-server

Web Interface

switch01(config)# crypto key generate cert rsa <1024|2048>
switch01(config)# crypto host-cert generate self-signed
Validity start date [02/16/2015]:
Validity end date   [02/16/2016]: 09/23/2320
Common name          [10.10.1.99]: switch01.booches.local
Organizational unit  [Dept Name]: ICT
Organization      [Company Name]: Booches
City or location          [City]: Bocholtz
State name               [State]: Limburg
Country code                [US]: NL
switch01(config)# web-management ssl
switch01(config)# no web-management plaintext

Next to using secure protocols, it is preferred to create unique credentials for every administrator. One way to create unique credentials is by configuring RADIUS / TACACS authentication. A common setup is to configure RADIUS between the switch and Active Directory. The following commands can be used to configure RADIUS on HP ProCurve switches.

switch01(config)# radius-server host 10.10.100.1 key <shared key>
switch01(config)# radius-server host 10.10.100.2 key <shared key>
switch01(config)# aaa authentication web login radius local
switch01(config)# aaa authentication web enable radius local
switch01(config)# aaa authentication ssh login radius local
switch01(config)# aaa authentication ssh enable radius local
switch01(config)# aaa authentication login privilege-mode
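A defender-side check for the settings configured above, as an added example that is not part of the original post: a Python script that audits a saved ProCurve running-config (a constructed sample is embedded) for the plaintext protocols, their encrypted replacements and the RADIUS authentication lines. It assumes the switch echoes the commands in the form shown on this page and that default-on settings only appear in the config once they have been turned off.

```python
import re

# Constructed sample of a 'show running-config' excerpt (not taken from a real
# switch). Assumption: the switch echoes the page's CLI commands in this form,
# and default-on settings (telnet-server, web-management plaintext) only show
# up in the config once they have been turned off with 'no ...'.
SAMPLE_CONFIG = """\
hostname "switch01"
ip ssh
web-management ssl
radius-server host 10.10.100.1 key "<shared key>"
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication web login local
"""

# Lines that must be present, and the finding reported when one is missing.
REQUIRED_LINES = {
    "no telnet-server": "telnet is still enabled; run 'no telnet-server'",
    "no web-management plaintext": "http is still enabled; run 'no web-management plaintext'",
    "ip ssh": "ssh is disabled; generate a key and run 'ip ssh'",
    "web-management ssl": "https is disabled; generate a certificate and run 'web-management ssl'",
    "aaa authentication login privilege-mode": "privilege-mode is off; run 'aaa authentication login privilege-mode'",
}
# Each management channel should authenticate against RADIUS first, local second.
AAA_CHANNELS = ("web login", "web enable", "ssh login", "ssh enable")


def audit_procurve_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = {ln.strip() for ln in config_text.splitlines()}
    findings = [msg for line, msg in REQUIRED_LINES.items() if line not in lines]
    hosts = [m.group(1) for ln in lines
             for m in [re.match(r"radius-server host (\S+) key", ln)] if m]
    if not hosts:
        findings.append("no radius-server configured; every admin shares the local account")
    elif len(hosts) < 2:
        findings.append("only one radius-server (%s); a second gives fallback if it is unreachable" % hosts[0])
    for channel in AAA_CHANNELS:
        if "aaa authentication %s radius local" % channel not in lines:
            findings.append("'%s' does not use radius before local" % channel)
    return findings


if __name__ == "__main__":
    for finding in audit_procurve_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of `show running-config` saved to a file; the sample above produces six findings, and a config containing all the commands from this page produces none.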

Cacti and HP Procurve

Finding a template for HP ProCurve switches wasn’t that hard. I needed to find a template for HP ProCurve 2510G switches. The place to look for templates is forums.cacti.net. I searched the forums on the keyword “procurve”, which resulted in many hits. I used the template from the article HP procurve 2600 series.

After importing the templates you have the ability to monitor the MAC count on the switch and the memory usage. You also have the option to monitor the CPU usage, but you have to do some extra configuration. The zip file only contains a data template for the HP switches, but no graph template. I created my own graph template by duplicating the Cisco CPU graph template and changing the data source to the HP data template.

Graph Template Data Source

I changed the data source for the first 4 items in the graph template to the HP ProCurve CPU data source. Next I created a device for the HP switches and added the appropriate “Associated Graph Templates” for HP ProCurve CPU, MAC count and memory usage. Now you only need to create a graph from the template and you are set to go.

Cacti - HP Procurve graphs

WebMarshal performance problems

One of our customers is using WebMarshal for HTTP/HTTPS URL filtering and content scanning. The WebMarshal software is installed on two Microsoft ISA 2003 servers. These ISA servers are behind a Cisco Content Switch for load-balancing and redundancy purposes.

The problem with WebMarshal is the PERFORMANCE. Internet browsing with WebMarshal as proxy just doesn’t perform. I tried to troubleshoot WebMarshal to check where the performance problems are coming from, but you cannot troubleshoot the software in a decent way. I disabled the Access Policies, and guess what, the performance is great. I added an allow-all rule on top of every Access Policy subcategory, but no success.

I know the customer is running an old version (3.0.x), and of course if you contact the supplier, the first thing they say is: “Upgrade to the latest version!!”. It seems the solution is always upgrading to the latest version. The second thing the supplier told us was to use Microsoft Network Load Balancing and not the Content Switches. Sadly the customer is using HP ProCurve switches, which don’t support static ARP entries. So NLB is no option.

But again, I give them the benefit of the doubt, so we will install two new servers, dedicated to the WebMarshal software. The servers will still be behind the Content Switch, because I don’t believe that the Content Switches are the reason for the bad performance.

I will tell you more about the outcome of the latest version of WebMarshal on dedicated hardware. My opinion so far: “Feed the WebMarshal software to the dogs and buy something else!!!!!!!!!!”

HP ProCurve licenses

During a check-up on a network, I looked at the configuration of two HP ProCurve 5400zl switches. One of these switches functions as the core switch and default gateway for the various VLANs. To improve the availability and redundancy of the default gateway, I suggested configuring VRRP (Virtual Router Redundancy Protocol).

One of the two core switches had the option to enable VRRP with the command: router vrrp. The other core switch didn’t have the option to enable VRRP. I found this a bit strange, because both switches have the same hardware properties and firmware version. I spent some time looking at the HP ProCurve website. There I noticed that the HP ProCurve 5400zl switches require a Premium License to enable VRRP. I didn’t even know that HP ProCurve switches had different kinds of licenses, but after contacting the supplier and obtaining the license, I could enable VRRP and improve the availability of the network.