Fortigate NAT Overload (PAT)

July 15th, 2009 1 comment

At work we recently migrated to a different Internet Service Provider. This migration brought many changes, but a big one for me as the network administrator was the fact that we would be handling our own address space and network address translation (NAT). Although Fortigate support was great at confirming the NAT configuration process for me, I found that the documentation of NAT Overload/PAT configuration was lacking. My hope is that someone out there will find this document useful in their work environment.

I will be using the Fortigate web interface for all configuration steps. The unit I am using is a Fortigate 800 running software 4.0.2,build0099. Other versions or Fortigate models may use a different process to configure NAT.

Before starting, ensure that your Fortigate is in NAT mode. This can be accomplished by going to the “Operation” tab under System -> Config. Keep in mind that you will lose many, if not all, of your policies and settings by making this change. Be sure to back up your configuration file first so you have something to fall back on if things go south.

NAT Overload/PAT Configuration

NAT overload, also called Port Address Translation (PAT), is a process used to allow many computers to access the Internet using one or more IP addresses. This is used when you have a large number of computers on your LAN, but your public IP address space does not allow for a one to one mapping of public IP addresses for each computer. Without going into detail, PAT uses one public IP address with a TCP port number appended to the IP address. The port number is what is used to identify which session maps to which computer.
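To make the port-based session mapping concrete, here is a small PAT translation table in Python. It is an added illustration, not Fortigate code; the public IP is the external interface address used later in this article, and the LAN and remote addresses are constructed sample values.

```python
"""Toy PAT (NAT overload) translation table. Added illustration, not Fortigate
code: many LAN hosts share one public IP, and the firewall assigns a distinct
public source port to each outbound session so that replies can be mapped
back to the right internal host."""

from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]                 # (ip address, TCP/UDP port)
Session = Tuple[str, int, str, int]        # (internal ip, internal port, remote ip, remote port)


class PatTable:
    def __init__(self, public_ip: str, port_min: int = 1024, port_max: int = 65535):
        self.public_ip = public_ip
        self.port_min, self.port_max = port_min, port_max
        self.outbound: Dict[Session, int] = {}                    # session -> public port
        self.inbound: Dict[Tuple[int, str, int], Endpoint] = {}   # (public port, remote ip, remote port) -> internal host
        self.in_use: set = set()

    def _allocate_port(self) -> int:
        # Lowest free public port; a real device also expires idle entries.
        for port in range(self.port_min, self.port_max + 1):
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the source of an internal->external packet; returns (new src, dst)."""
        key = (src[0], src[1], dst[0], dst[1])
        if key not in self.outbound:
            port = self._allocate_port()
            self.outbound[key] = port
            self.inbound[(port, dst[0], dst[1])] = src   # reverse mapping created automatically
        return (self.public_ip, self.outbound[key]), dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite the destination of an external->internal packet, or None when no
        session matches (an unsolicited inbound packet has no entry and is dropped)."""
        if dst[0] != self.public_ip:
            return None
        internal = self.inbound.get((dst[1], src[0], src[1]))
        if internal is None:
            return None
        return src, internal


def demo() -> dict:
    """Two LAN hosts using the same local port reach the same web server through
    one public IP; only the assigned public port tells the replies apart."""
    pat = PatTable("176.16.1.2")   # external interface address from the article
    a_out = pat.translate_outbound(("10.70.1.10", 40000), ("203.0.113.5", 80))
    b_out = pat.translate_outbound(("10.70.1.11", 40000), ("203.0.113.5", 80))
    a_again = pat.translate_outbound(("10.70.1.10", 40000), ("203.0.113.5", 80))
    reply_to_a = pat.translate_inbound(("203.0.113.5", 80), a_out[0])
    unsolicited = pat.translate_inbound(("198.51.100.9", 443), ("176.16.1.2", 5555))
    return {"a": a_out, "b": b_out, "a_again": a_again,
            "reply_to_a": reply_to_a, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```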

First a public IP address must be assigned to the external interface on your firewall. This can be accomplished by going to System -> Network -> Interface tab. On the Interface tab, click the edit icon for the external interface. You will see the screen below:

External Interface Config

Under “Addressing mode”, click “Manual” and enter the IP address and subnet mask. The IP address and subnet mask should be separated by a forward slash like this: “176.16.1.2/255.255.255.0”. Click “Ok” to save your changes.

Next, we need to make sure the firewall knows how to get where it needs to go. This is done through routes under the Router -> Static -> Static Routes tab. Here, you’re probably going to need at least two routes. The first route you will need is a default route, which is represented using “0.0.0.0/0.0.0.0”. Here the gateway address should be set to the next hop of your Internet bound routing equipment.
Now your firewall needs to know how to get back to your LAN subnets. It’s up to you how you configure this, but for simplicity’s sake we will use a blanket route. Say all of the IP addresses on your LAN subnets start with “10.70.xxx.xxx”; you can simply create a route for all of the subnets that start with “10.70” using the following IP address and subnet mask combination: “10.70.0.0/255.255.0.0”. You may choose to be more specific with your routes.

Below is an example route configuration. This is used on a production Fortigate, so I have blocked out some information to protect the innocent.

Routes

Now that the routing has been set up we can create a policy to allow outbound traffic and enable NAT. This is accomplished by going to the “Policy” tab under Firewall -> Policy. Once there, click the “Create New” tab. Here you will be presented with a list of options, but we will focus on a select few.

NAT Policy

The “Source Interface” and “Destination Interface” options are self explanatory. We are going to set the source to “Internal” and the destination to “External” since we want to configure internal to external translation (the translation table will automatically handle the reverse mapping). The next crucial step is to ensure that the “NAT” checkbox is selected to enable NAT for this policy. You can create an “allow all” policy for now just to test if NAT is working. Various “what’s my IP” web sites should be able to confirm that the public IP address of the external interface on the firewall is being used for NAT.

One note about the NAT checkbox: it needs to be checked for any internal to external policy through which you wish to allow traffic. At work I have a policy that blocks outbound RDP access; however, there is one vendor’s server to which we need to permit outbound RDP access. If you create the outbound policy and place it in the appropriate spot on the policy list, but forget to check the NAT option, the policy will not work. If things don’t seem to be working as they should, or it seems that the policy is being ignored, always check the NAT checkbox!

That covers NAT overload/PAT configuration on the Fortigate 800. In a follow-up article I will cover static NAT configuration, which is a less involved process.

Categories: Firewalls Tags:

Procurve Network & IP Telephony

July 11th, 2009 No comments

IP Telephony is something that every network administrator is going to run into at some point in time. Its many features really do help reduce costs across the board. Having a unified network that carries voice and other data services reduces cabling, equipment, and maintenance costs, just to name a few. Even with the popularity of IP telephony there are many organizations out there that have yet to take the plunge. This further increases the chances that you will find yourself working as part of a telephony project at some point.

If your company has a network with all Cisco devices and a Cisco IP telephony system has been chosen, everything seems straightforward. Cisco is going to make sure their products work well together; otherwise they’re going to have a tough time marketing their telephony system to current Cisco customers. Concerns arise when you have a mixed vendor environment. Will it work? How do the switches need to be configured?

If you have an HP Procurve based network, Procurve has you covered with their interoperability guides. These guides detail how to get phones from various vendors to work with Procurve networking equipment. The guides are very detailed, covering configuration of the phones, the switching equipment, and even Call Manager (in the case of Cisco). Each section of the guide includes screen shots of any web interfaces as well as command prompt output you may encounter along the way.

If you are planning to run an IP telephony system on top of HP Procurve gear, these guides will be your source of knowledge more than a few times!

Thanks to “procurvehelp” on Twitter for posting a link to these documents!

Categories: HP Procurve, Voice (VOIP) Tags:

Local Port Security

July 9th, 2009 No comments

In some cases you can use a RADIUS server to perform port authentication based on the MAC address of the connecting device. In other cases the port usage may remain static, but you still may want to lock down the ports without going through the process of configuring a RADIUS server. The ‘port-security’ command can be used to lock down ports without the need for a RADIUS server or even knowing the MAC address of the computers that will connect to the port.

Where would this be useful? At work I use this to secure ports in our computer labs. In the labs the desktops stay in one place. In this situation, seeing multiple MAC addresses through any port (except for the uplink port) would indicate that either someone set up a rogue switch/hub or a game of musical computers is being played. This particular command allows me to set the maximum number of MAC addresses allowed through a port to one.

The command that makes all of this happen is ‘port-security’. Here is an example of a command that I use in our computer labs at work:

port-security 1-20 address-limit 1 learn-mode static action send-disable

Breaking the command down into sections makes it easier to understand:

‘port-security 1-20’ – Apply the command and all of the following options to ports 1 thru 20. A single port or group of ports can be specified in addition to a range.

‘address-limit 1’ – Set the number of MAC addresses that can gain access through the switch port(s). Most HP switches support an address limit of up to about 38.

‘learn-mode static’ – This configures how the switch will learn or know the MAC addresses that are allowed to gain access through the port(s).

‘action send-disable’ – This sets the action to be taken once the threshold defined by ‘address-limit’ is crossed. ‘send-disable’ sends an error message and disables the port.

My preferred option for ‘learn-mode’ is static. In this case I do not predefine any MAC addresses, which leaves many people wondering how the switch knows which MAC addresses to allow through which ports. When the above command is first issued, the switch doesn’t know that information. With the ‘learn-mode static’ option the switch will take the first source MAC address it sees on a port and assign that MAC address as an authorized MAC address for that particular port. This process is repeated for each port in this case. The picture below illustrates this process so that it is easier to understand.

Port-Security

Our basic training has told us that when you first take a switch out of the box it is a blank slate. For the sake of explanation we are going to assume this for our scenario. We are also going to assume that the previously discussed ‘port-security’ command has been applied to interfaces one thru twenty. You connect Computer A to interface one of the switch. Soon after that Computer A sends a packet which enters the switch through interface one. The switch reviews the packet and one of the steps it takes is to add the source MAC address (AAAAAA-AAAAAA) to its MAC address table. This accomplishes multiple things at once. First it now tells the switch which interface Computer A is attached to, which allows more efficient forwarding of packets destined for Computer A. This MAC address table is also used by the ‘port-security’ command to determine if another computer should be allowed to gain access to the network through that port.

If some black hat comes by and connects their laptop to interface one, the switch will now see a new source MAC address attached to the packets. In this case the ‘address-limit’ was set to one, and the switch already has one MAC address associated with port one in its MAC address table. This means that the switch will take the ‘send-disable’ action, disabling the interface.
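The scenario above, walked through in code: an added simulation of the ‘address-limit 1 learn-mode static action send-disable’ behaviour, not switch firmware. The MAC addresses and port numbers are constructed; port 24 stands in for the unsecured uplink, which is an assumption for the example.

```python
"""Simulation of Procurve 'port-security 1-20 address-limit 1 learn-mode static
action send-disable' as described in the article. Added illustration, not
switch code. Ports outside the secured range (the uplink) are left alone."""

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class PortSecurity:
    secured_ports: range = field(default_factory=lambda: range(1, 21))  # ports 1 thru 20
    address_limit: int = 1
    learned: Dict[int, List[str]] = field(default_factory=dict)        # port -> authorized MACs
    disabled: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def frame_received(self, port: int, src_mac: str) -> str:
        """Return what the switch does with a frame: forwarded, learned, disabled or dropped."""
        mac = src_mac.upper()
        if port not in self.secured_ports:
            return "forwarded"                  # uplink: no port-security applied
        if port in self.disabled:
            return "dropped"                    # stays down until an administrator re-enables it
        macs = self.learned.setdefault(port, [])
        if mac in macs:
            return "forwarded"
        if len(macs) < self.address_limit:
            macs.append(mac)                    # learn-mode static: first MAC seen becomes authorized
            return "learned"
        # address-limit exceeded -> action send-disable: raise an alert and shut the port
        self.disabled.add(port)
        self.log.append(f"port {port}: unauthorized source MAC {mac} "
                        f"(limit {self.address_limit}), port disabled")
        return "disabled"

    def admin_enable(self, port: int) -> None:
        """Manual re-enable after the administrator has spoken with the user."""
        self.disabled.discard(port)


def lab_scenario() -> List[str]:
    """Computer A is learned on port 1; a second laptop on the same port trips the
    limit; the uplink on port 24 sees many MACs without consequence."""
    sw = PortSecurity()
    events = [
        sw.frame_received(1, "AAAAAA-AAAAAA"),   # Computer A: learned
        sw.frame_received(1, "AAAAAA-AAAAAA"),   # Computer A again: forwarded
        sw.frame_received(1, "BBBBBB-BBBBBB"),   # unknown laptop: port disabled
        sw.frame_received(1, "AAAAAA-AAAAAA"),   # even Computer A is now dropped
        sw.frame_received(24, "CCCCCC-CCCCCC"),  # uplink: forwarded
        sw.frame_received(24, "DDDDDD-DDDDDD"),  # uplink: forwarded
    ]
    sw.admin_enable(1)
    events.append(sw.frame_received(1, "AAAAAA-AAAAAA"))  # forwarded again after re-enable
    return events + sw.log


if __name__ == "__main__":
    for line in lab_scenario():
        print(line)
```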

There you have it! This is a quick and easy way to add another layer of security to your network! I caution to use this command wisely as using it in the wrong situation could make you one unpopular network administrator!

As always consult the manual for your HP Procurve switch for the exact command syntax.

Categories: HP Procurve Tags:

Cell Phone Tethering

July 4th, 2009 No comments

I use many different tools to monitor, diagnose, and test my network on a daily basis. One tool that is often overlooked is a cell phone. Cell phones have enjoyed an explosive growth in popularity over the years. PDAs in particular have bridged a major gap, going from a device for business people to a device for the every day consumer. With the popularity of PDAs comes the likelihood that most, if not all, of these phones have a data plan associated to them.

When making changes to any network it is often important to test all services from inside and outside the network. With tightening budgets, you can consider yourself lucky if your employer springs for an Internet connection strictly for testing. That’s ok, since you can use that fancy phone that’s attached to your hip for testing.

At work we recently changed Internet service providers. Along with this change came changes to our address space, DNS zones, firewall policies and more. It was important for me to test connectivity to our external facing services after the migration, particularly since I was taking this opportunity to apply hardened policies to our firewall. Once the migration was complete, I was able to use my cell phone to check the status of our DNS zone propagation as well as to test how well my firewall policies were working (sometimes they work too well).

Tethering your cell phone to your computer can be a tricky subject. Many carriers charge an extra monthly fee for tethering for one reason or another. There are ways to tether your cell phone to your computer without the need for an additional tethering plan. I caution you in following any of these processes. There is the likelihood that if you abuse the “free” tethering your cell phone provider can find out and you may be stuck with a fat bill.

Moderation is the key here. In my opinion you should only use the free tethering process minimally, such as when you need to do testing. These processes should not be used if you plan to tether regularly, or use your phone as you would a data card.

Below are some links to tutorials on how to setup various cell phones for tethering. Remember; use them wisely and at your own risk.

Categories: Network Tools Tags:

CCNP Study Begins (Unofficially)

May 25th, 2009 1 comment

The voices in my head have spoken! After a few weeks of back and forth between CCNA-Voice and starting the CCNP, I have decided to begin studying for the CCNP certification. My feeling is that the CCNP will go a long way to further solidify and build my routing and switching knowledge.

The CCNA-Voice is not completely out of the running. There is still a strong part of me that is interested in learning about the voice side of networking. I’m not sure if I will actually go for the CCNA-Voice certification, but chances are strong that I will at least pickup the Cisco Press book and maybe some hardware.

Back on the CCNP side of things, I have “unofficially” started the studying process. Basically I have just started going through the early sections of the BCMSN module of TestOut (CBT provided by my employer). Once I catch up on some of the leisure books that have been on my to-do list, I will probably pickup the Cisco Press CCNP exam certification library. Later I will likely add the Train Signal CCNP training library.

Train Signal has a very nice package for CCNP candidates. You get their training material for all four CCNP exams, which includes audio and video format for both your computer and portable media player. The added bonus that drew me in was the addition of the Transcender practice exams for all four of the CCNP exams. I had never heard of Transcender before, but after taking the exam tour on their site it appears that they have a very good product.

That’s enough talk on what I will be using to study. Until next time!

Categories: CCNP Study Tags:

CCNA Certified (Finally)

May 6th, 2009 2 comments

This morning I finally took and passed the CCNA 640-802 exam. After probably over a year of off again and on again studying, it’s a relief to finally have something tangible to show for it!

Passing the exam may mark the end of my CCNA studies, but this is only the beginning of the studying process for me. I have already begun looking into the next certification I would like to work towards. CCNP is a given for me, but I have been looking into the CCNA Voice certification. The possibility of an upcoming IP telephony project at work combined with the high demand for IP telephony skills right now are two motivators.

At this point I am going to take a short break from studying and catch up on some reading I have been putting off (all networking related, of course).


Categories: CCNA Study Tags:

Local Port Mirroring

April 23rd, 2009 1 comment

Port/Traffic mirroring is a tool that you will quickly learn to love as a network administrator. The process of port mirroring copies the traffic from the source port to the destination/exit port. Usually the source port has the traffic of interest, and the exit port usually has some sort of network monitoring tool attached (such as a laptop running Wireshark).

Today I am going to detail the process of configuring local port mirroring on a switch. The act of local port mirroring copies the traffic from one port to another port on the same switch. It is possible to redirect the traffic from the source port to a port on another switch (this is called remote mirroring), but this will be covered in another article.

Local port mirroring can be configured with two commands. The first command defines the mirroring session (you can have up to four per switch), as well as the exit port (the port to which the traffic should be mirrored). The following is an example of this command:

mirror 1 port A2

The mirror session number can be any number from one to four. Obviously the exit port can be any port on the switch, as long as it’s not the same as the source port.

Next the interface command is used to configure the source interface. Below is an example command:

interface A1 monitor all both mirror 1

The interface that is specified is the source interface. Next, the “monitor all both” command specifies to monitor all traffic in both directions (in and outbound). You have the option to change “both” to just “in” or “out”. Finally, you specify the mirror session that the traffic should be copied to. The session number should be the same number that you used in the previous “mirror” command.

This covers basic configuration of local port mirroring. With these commands you will be able to quickly configure a local mirroring session for troubleshooting. As with anything, refer to the manual for your switch for further configuration options.

Future articles will cover applying ACLs to mirroring sessions, as well as configuring remote mirroring sessions.

Categories: HP Procurve Tags:

Breaking the Glass: Fragile Infrastructure

April 9th, 2009 1 comment

Recent news about at least two major fiber cuts in California has been stirring thoughts about how fragile our network infrastructure really can be. These cuts have some very obvious consequences, such as widespread Internet outages that can have a major impact on many businesses. Many other services usually transition to fiber optic cable for their long-haul transit. The result in this particular case is that some areas are sans cell phone, land line, and emergency (911) services! Being without voice, video and data services today is the equivalent of being cut off from the rest of the world!

What concerns me the most is that there were no backup links to keep mission critical services up and running in this case. From a networking perspective we design our networks to have multiple diverse paths in an attempt to avoid such outages. We also implement disaster recovery (DR) plans in the event that our best laid engineering plans are thwarted.

One question to answer is where the responsibility lies with respect to maintaining emergency services in such a situation. Is it the responsibility of the carrier that is moving the packets to ensure that in the event of a fiber cut, packets deemed mission critical have an alternate route? It is my opinion that the responsibility for ensuring emergency services are not affected by fiber cuts lies with the local government, just as it is the responsibility of a company to maintain redundant paths in the event that their primary service provider fails to meet their SLA.

From a business perspective, the company has the right to file for penalties according to their network agreement when their service provider does not meet their SLA; however, the onus lies with the company to ensure business functions can continue when the service provider has a failure. I feel this same principle can extend to local governments and the emergency services they provide.

The best way to prevent mistakes in the future is to learn from those in the past. With any luck, this incident will bring some of these concerns into the public light so that they may be addressed.

Categories: Networking News Tags:

Procurve, BackupExec, & Other Fun

March 22nd, 2009 No comments

The lack of updates here recently has been compounded by a number of issues. The first of these issues is my “9-5”, which can be anything from an “8-4”, a “7-7” or anything in between. Many times going home simply means I go home only to VPN in and complete some tasks I didn’t get to during the day.

Over the past few weeks we have been having some issues with our tape backups. Back in December of 2008 I inherited the duties of Backup Administrator since I had some experience at a previous employer. The first issue was that our tape library was appearing as offline in BackupExec. This was related to a SCSI cable, which was an easy fix. After we resolved that issue, we noticed that the “Job Rate” on our backups drastically dropped. Drastically means the job rates went from about 1,200 MB/Min to 190 MB/Min! This meant that the 100 GB Exchange database backup went from a little over two hours start to finish to over 26 hours! After some troubleshooting it was discovered that the tape library had been changed to use the HP drivers while I was troubleshooting the previous issue with our vendor. After changing the drivers back to the ones provided by BackupExec the job rates have returned to normal.

On the network front, I have been doing some work to bring the management of our network up to par. First I have deployed RADIUS authentication on our switches in order to better control and monitor access. Additionally I have deployed a banner or message of the day (MOTD) on each switch. This is the message you see before you are prompted to provide your login credentials. On HP Procurve switches HP provides a boring canned message asking you to register the switch. Deploying a banner is accomplished with one command:

banner motd #
This is my custom banner!

Don't mess with my network gear!
#

Once I get some additional copper modules installed in some of our switches, I will be enabling BPDU protection on the edge ports (ports that end users connect to). Evil Routers has an article that covers configuring BPDU protection on HP Procurve switches.

BPDU protection prevents a rogue switch from changing your spanning tree topology. If the switch sees a BPDU on a port that has BPDU protection enabled, it can react in a number of different ways. My personal choice is to have the port disabled permanently. This requires the intervention of a network administrator for the port to be enabled again. This gives me a chance to talk to the user, explain what happened, and why it happened.

My CCNA studies are still progressing slowly. I am hoping to begin the final preparation for the exam in the coming weeks.

Categories: General, HP Procurve Tags:

Procurve RADIUS Authentication

February 7th, 2009 3 comments

Continuing with my Procurve articles, my current article will detail how to use a RADIUS server to handle authentication on a switch. This article will cover using a RADIUS server to handle authentication for the following methods of access on a Procurve switch:

  • Web Interface
  • Console
  • Telnet
  • SSH

This configuration was tested on an HP Procurve 5412zl switch running K.13.25 software. Configuration on other switches with different software versions may vary. Consult the Access Security Guide for your switch for further details.

Configuring your RADIUS server is beyond the scope of this article, particularly since there are many options for RADIUS servers out there. FreeRADIUS is one popular option. I can personally confirm that this configuration works with Microsoft’s IAS which was set up to authenticate against Active Directory.

Once your RADIUS server has been properly configured, you need to configure your switch so that it knows how to communicate with the server. This is done using the command:

radius-server host IP Address key 'MyKey01'

This command accomplishes a few tasks. First, it tells the switch at what IP address to reach the RADIUS server. You should substitute IP Address with the IP address of your server. The second part establishes the password or key that has been set for this switch. This key is used by the RADIUS server to verify the identity of the switch. On your RADIUS server, you can set a unique key for each switch (which are usually called RADIUS clients).

With the connection to the RADIUS server established, you are now ready to configure authentication for each of the modes of access. This will be accomplished using the aaa authentication command. Below is an example of the format of the command.

aaa authentication method enable/login auth1 auth2

The first option is the access method for which you would like to apply the authentication. Your options here are: console, telnet, ssh, and web. The enable/login options specify when authentication should be attempted. Login specifies that authentication should be attempted when a user first attempts to login. Enable specifies that authentication should be attempted when a user enters the “enable” command. The enable option will not apply to web access.

The last two options specify the means of authentication. Auth1 is the primary means of authentication, which in this case you should set to radius. Auth2 is optional as it is a backup means of authentication. However, it is a good idea to set this to local, just in case the switch cannot communicate with the RADIUS server. Local specifies that the passwords set locally will be used for authentication.

Here are some of the various commands that could be used to enable RADIUS authentication.

aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication web login radius local
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local

One final command to note is something that many network administrators may find useful. That command is:

aaa authentication login privilege-mode

This command tells the switch to expect additional parameters from the RADIUS server upon successful authentication. These parameters tell the switch which mode the user can gain access into. You can configure the RADIUS server to send the Administrative-User service type for users that are granted access to enable/configuration modes. On the other hand, you can configure the server to return the NAS-Prompt-User service type for users that you only want to grant access to operator mode.

This is very useful if you have a group of users that you only wish to have minimal access to your switches. If these limited access users attempt to enter manager mode with the enable command, they will be prompted to login again but they will then be presented with an “Access Denied” error message.

After everything has been configured, you can confirm that the proper forms of primary and secondary authentication have been applied with the following command:

show authentication

Below is some output produced by this command:

J8698A-01# show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
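A practical way to use this output is to parse it and check that every interactive access method has RADIUS as the primary method with a local fallback, as the commands earlier in the article configure. The parser and audit below are an added example, not anything HP ships; the sample text is a copy of the output shown above, and the expected Radius/Local pairing is an assumption taken from the article’s recommended commands.

```python
"""Parse Procurve 'show authentication' output and flag access methods that do
not use RADIUS primary with local fallback. Added example, not HP code."""

from typing import Dict, List, Optional, Tuple

# Sample input: the 'show authentication' output shown in the article.
SAMPLE_OUTPUT = """\
 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Enabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Local      None       Local      None
  Telnet      | Radius     Local      Radius     Local
  Port-Access | Local      None
  Webui       | Radius     None       Local      None
  SSH         | Local      None       Local      None
  Web-Auth    | ChapRadius None
  MAC-Auth    | ChapRadius None
"""

Pair = Tuple[str, str]
Row = Dict[str, Optional[Pair]]   # {"login": (primary, secondary), "enable": (...) or None}


def parse_show_authentication(text: str) -> Dict[str, Row]:
    """Return {access task: {"login": (p, s), "enable": (p, s) or None}}."""
    table: Dict[str, Row] = {}
    for line in text.splitlines():
        if "|" not in line:
            continue                      # counters, separator and blank lines
        task, _, rest = line.partition("|")
        task = task.strip()
        if task in ("", "Access Task"):
            continue                      # the two header lines
        cols = rest.split()
        if len(cols) < 2:
            continue
        login: Pair = (cols[0], cols[1])
        enable: Optional[Pair] = (cols[2], cols[3]) if len(cols) >= 4 else None
        table[task] = {"login": login, "enable": enable}
    return table


def audit(table: Dict[str, Row],
          tasks: Tuple[str, ...] = ("Console", "Telnet", "SSH", "Webui"),
          expected: Pair = ("Radius", "Local")) -> List[str]:
    """List access methods whose login/enable chain differs from RADIUS-then-local.
    The enable check is skipped for Webui, where enable does not apply."""
    findings: List[str] = []
    for task in tasks:
        row = table.get(task)
        if row is None:
            findings.append(f"{task}: not present in output")
            continue
        if row["login"] != expected:
            findings.append(f"{task}: login is {'/'.join(row['login'])}, expected {'/'.join(expected)}")
        if task != "Webui" and row["enable"] != expected:
            enable = "/".join(row["enable"]) if row["enable"] else "none"
            findings.append(f"{task}: enable is {enable}, expected {'/'.join(expected)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_authentication(SAMPLE_OUTPUT)):
        print(finding)
```

Run against the output above, the audit reports that Console and SSH are still local-only, and that Webui has no local fallback; only Telnet matches the recommended configuration.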
Categories: HP Procurve Tags: