Deploy the SourceFire Cisco FireSight Management Virtual Appliance

As you know, Cisco entered the NGFW game by purchasing SourceFire. Even now, SourceFire is still not integrated with the ASA, which in my opinion means two separate products to manage.

Here we will just deploy the FireSight Management Virtual Appliance which is the new name for the Defense Center. This is the configuration/control center for all of our FirePower devices. But first, let’s get it started.

Download the FireSight OVF from the Cisco web site (login required).
The current package is called Cisco_Firepower_Management_Center_VMware-6.0.1-1213 – use DuckDuckGo to find it instead of browsing the Cisco site.

Somehow there are 2 OVFs:
Cisco_Firepower_Management_Center_Virtual_VMware-VI-6.0.1-1213.ovf
Cisco_Firepower_Management_Center_Virtual_VMware-ESXi-6.0.1-1213.ovf

They offer different setup styles. I am just going to pick the VI one as it includes a wizard to configure the VM's network.

I find it funny that this is an OVF that doesn't support much VMware functionality. Not to mention, it is officially not supported under ESX 6!
The guide makes it look like nothing virtual is supported…
Guidelines and Limitations
The following limitations exist when deploying Firepower NGIPSv for VMware:

  • vMotion is not supported.
  • Cloning a virtual machine is not supported.
  • Restoring a virtual machine with snapshot is not supported.
  • Restoring a backup is not supported.

Something else puzzles me: while the memory and CPU are configurable, the disk size is not!
I wonder how we can increase the size for additional logging/retention.

Nonetheless, install the OVF as usual using the OVF wizard.
The wizard also includes configuration items for the name, DNS, and network settings…

It boots, and then says it is going to take forever to initialize. The UI says up to 30 minutes, the manual says up to 40 minutes!

25 minutes later, the web UI seems to have started, however.

Once ready, onto some basic configuration:
Verifying network settings, NTP, SMTP
Enabling VMware Tools

Rules and Geolocation updates
Do the recurring update imports as well

Enable auto-backup
And of course register.

Next I would usually do the integration with your ASA/Firepower device so that you have objects to create rules on, and so on. Let me know what you want to see.

 

Comparing the free load balancers – VPX express, LoadMaster

I am looking for free load balancing solutions for a lab or perhaps tiny production systems. Can you help me fill in the blanks and perhaps recommend others?

 

Features                                  | Citrix VPX Express        | Kemp Free LoadMaster                | Some open source
------------------------------------------|---------------------------|-------------------------------------|-----------------
Virtual appliance                         | Yes                       | Yes                                 |
Balancer throughput (L7)                  | Up to 5Mbps               | Up to 20Mbps                        |
TLS (SSL) TPS                             | License (2K Keys) Up to   | Up to 50                            |
Layer 4 concurrent connections            |                           | Up to max'd memory                  |
Max servers / virtual clusters            |                           | 1000/256                            |
GSLB multi-site load balancing            |                           | Yes                                 |
Support                                   |                           | Community                           |
Layer 4/7 load balancing                  |                           | Yes                                 |
Web Application Firewall Pack (AFP)       |                           | Yes                                 |
Content switching                         | Yes                       | Yes                                 |
Caching, compression engine               |                           | Yes                                 |
IPS (SNORT-rules compatible)              |                           | Yes                                 |
L7 cookie persistence (active/passive)    |                           | Yes                                 |
Templates for major application workloads |                           | SPS2013, SfB, EXC2013, ADFS v3      |
Active/hot-standby redundant operation    |                           | No                                  |
IPSec tunnels                             | Yes – up to 5 users       | Yes                                 |
Licensing mechanism                       | 1 year – manual renew     | Online – auto renewal every 30 days |
URL rewrite                               | Yes                       | Yes                                 |
Footprint                                 | 200Mb                     | 70Mb                                |

HP Comware 5500 Initial Config and Essentials

#go to conf

system-view

System View: return to User View with Ctrl+Z.

#Set the hostname

sysname TT-SWCR-1

#Time settings

ntp-service unicast-server 192.168.1.8

ntp-service unicast-server 192.168.1.5
clock timezone EST minus 4:00:00
clock summer-time EDT repeating 02:00:00 2012 March second Sunday 02:00:00 2012 November first Sunday 02:00:00

#logging to Alienvault

info-center loghost 192.168.1.247

#snmp

snmp-agent community write your_snmp

snmp-agent sys-info contact "IT Infrastructure"

snmp-agent sys-info location "Server Rack 9th Floor"

#enable snmpv2

snmp-agent sys-info version v2c

#Set up some access

header motd %

#######################################################################

# Authorised Users Only

# Property of Yours Ltd. All unauthorized access will be prosecuted.

# If you are not authorized to access this device,

# please disconnect immediately. Your activities are

# monitored for security reasons.

########################################################################

%

#Create users and security
#(password simple stores the password in cleartext in the configuration; password cipher stores it encrypted)

[TT-SWCR-1]local-user manager

[TT-SWCR-1-luser-manager]password simple epl$#hp1w

[TT-SWCR-1-luser-manager]service-type ssh

[TT-SWCR-1-luser-manager]authorization-attribute level 3

#Crypto

public-key local create rsa

ssh server enable

#no telnet

user-interface vty 0 4

authentication-mode scheme

protocol inbound ssh

#Do some verification

#[TT-SWCR-1]display ssh server status
# SSH server: Enable
# SSH version : 1.99
# SSH authentication-timeout : 60 second(s)
# SSH server key generating interval : 0 hour(s)
# SSH authentication retries : 3 time(s)
# SFTP server: Disable
# SFTP server Idle-Timeout: 10 minute(s)

user-interface aux 0

[TT-SWCR-1-ui-aux0]idle-timeout 10

#Enable Network features

stp enable

#dhcp-snooping, if configured properly. Otherwise it can block DHCP relay

#create vlan and interface

[]vlan 99

[vlan 99]name 99-mgmt

[vlan 99]quit

[] interface vlan-interface 99

[interface vlan-interface 99]ip address 10.80.99.10 255.255.255.0

[]quit

#configure a port as trunk for all vlans

[]int ten 1/0/29
port link-mode bridge
port link-type trunk
port trunk permit vlan all

#OR do a LACP group. Dynamic mode is important for inter-vendor connections such as Comware/ProCurve

interface Bridge-Aggregation10

description LACP to old Core

link-aggregation mode dynamic

#then put the interface inside

interface GigabitEthernet1/0/10
port link-aggregation group 10

#only then configure the trunk type and so on

[TT-SWCR-1-Bridge-Aggregation10]port link-type trunk
[TT-SWCR-1-Bridge-Aggregation10]port trunk permit vlan all

Please wait....................................... Done.
Configuring GigabitEthernet1/0/10....................................... Done.
Configuring GigabitEthernet1/0/11....................................... Done.
Configuring GigabitEthernet2/0/10....................................... Done.
Configuring GigabitEthernet2/0/11....................................... Done.

#if all is OK the flags will be {ACDEF} on Comware and the port will show a LACP partner on ProCurve

#Verify trunk and LACP

[TT-SWCR-1]display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Aggregation Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 7848-5952-8f88
Local:
  Port             Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  GE1/0/10         S       32768    1         {ACDEF}
  GE1/0/11         S       32768    1         {ACDEF}
  GE2/0/10         S       32768    1         {ACDEF}
  GE2/0/11         S       32768    1         {ACDEF}
Remote:
  Actor            Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  GE1/0/10         217     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
  GE1/0/11         219     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
  GE2/0/10         218     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
  GE2/0/11         220     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
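The comment above says a healthy dynamic LACP member shows {ACDEF}; on a stack with many uplinks it is easier to let a script read that for you than to eyeball every row. The following is an added example, not part of the original post or of HP's tooling: it parses text in the shape of the "display link-aggregation verbose" output above (captured from the switch by whatever means you prefer, for example over SSH) and lists every member port that is not Selected or is missing one of the A, C, D, E, F flags or carries G (Defaulted) or H (Expired). The sample output is constructed, with GE2/0/10 deliberately broken so the check has something to report.

```python
import re

# Constructed sample modelled on the "display link-aggregation verbose" output
# above; GE2/0/10 is deliberately Unselected and Defaulted (no partner talking).
SAMPLE_LACP = """\
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Aggregation Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 7848-5952-8f88
Local:
  Port             Status  Priority Oper-Key  Flag
--------------------------------------------------------------------------------
  GE1/0/10         S       32768    1         {ACDEF}
  GE1/0/11         S       32768    1         {ACDEF}
  GE2/0/10         U       32768    1         {ACG}
Remote:
  Actor            Partner Priority Oper-Key  SystemID               Flag
--------------------------------------------------------------------------------
  GE1/0/10         217     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
  GE1/0/11         219     0        349       0xcf00, 0018-71ca-cf00 {ACDEF}
  GE2/0/10         0       32768    0         0x8000, 0000-0000-0000 {ACG}
"""

# A healthy dynamic member is Selected with Activity, Aggregation, Synchronization,
# Collecting and Distributing set. B (short timeout) is harmless; G (Defaulted)
# or H (Expired) means the partner has stopped sending LACPDUs.
REQUIRED_FLAGS = set("ACDEF")
BAD_FLAGS = set("GH")

LOCAL_ROW = re.compile(r"^\s*(\S+)\s+([SU])\s+\d+\s+\d+\s+\{([A-H]*)\}\s*$")
AGG_LINE = re.compile(r"^Aggregation Interface:\s*(\S+)")


def parse_local_ports(text):
    """Return {aggregation: {port: (status, flag_set)}} from the Local: tables."""
    result = {}
    agg = None
    in_local = False
    for line in text.splitlines():
        m = AGG_LINE.match(line)
        if m:
            agg = m.group(1)
            result[agg] = {}
            in_local = False
            continue
        if line.startswith("Local:"):
            in_local = True
            continue
        if line.startswith("Remote:"):
            in_local = False
            continue
        if not in_local or agg is None:
            continue
        row = LOCAL_ROW.match(line)
        if row:
            result[agg][row.group(1)] = (row.group(2), set(row.group(3)))
    return result


def lacp_problems(text):
    """List (aggregation, port, status, missing_flags, stale_flags) per unhealthy member."""
    problems = []
    for agg, ports in parse_local_ports(text).items():
        for port, (status, flags) in ports.items():
            missing = "".join(sorted(REQUIRED_FLAGS - flags))
            stale = "".join(sorted(flags & BAD_FLAGS))
            if status != "S" or missing or stale:
                problems.append((agg, port, status, missing, stale))
    return problems


if __name__ == "__main__":
    for agg, port, status, missing, stale in lacp_problems(SAMPLE_LACP):
        print(f"{agg} {port}: status={status} missing={missing or '-'} stale={stale or '-'}")
```

Run it against a saved capture of the real command output; an empty result means every member of every Bridge-Aggregation interface is forwarding, which is the state the {ACDEF} comment describes.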

tor_sw1-5412zl(config)# show lacp

                           LACP

          LACP      Trunk     Port                LACP      Admin   Oper
   Port   Enabled   Group     Status    Partner   Status    Key     Key
   ----   -------   -------   -------   -------   -------   ------  ------
   A23    Active    Trk5      Up        Yes       Success   0       294
   A24    Active    Trk5      Up        Yes       Success   0       294
   J1     Active    Trk60     Up        Yes       Success   0       349
   J2     Active    Trk60     Up        Yes       Success   0       349
   J3     Active    Trk60     Up        Yes       Success   0       349
   J4     Active    Trk60     Up        Yes       Success   0       349

#verify trunks

[TT-SWCR-1]dis port trunk
Interface               PVID  VLAN passing
BAGG10                  1     1, 99-100,
XGE1/0/29               1     1, 99-100,
XGE1/0/30               1     1, 99-100,
XGE2/0/29               1     1, 99-100,
XGE2/0/30               1     1, 99-100,

#info on lacp

[TT-SWCR-1]dis interface Bridge-Aggregation
Bridge-Aggregation10 current state: DOWN
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 7848-5952-8f88
Description: LACP to old Core
Unknown-speed mode, unknown-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
PVID: 1
Port link-type: trunk
 VLAN passing  : 1(default vlan), 99-100
 VLAN permitted: 1(default vlan), 2-4094
 Trunk port encapsulation: IEEE 802.1q
Last clearing of counters: Never
Last 300 seconds input:  0 packets/sec 0 bytes/sec   -%
Last 300 seconds output: 0 packets/sec 0 bytes/sec   -%
Input (total):  0 packets, 0 bytes
         0 unicasts, 0 broadcasts, 0 multicasts
Input (normal):  0 packets, - bytes
         0 unicasts, 0 broadcasts, 0 multicasts
Input:  0 input errors, 0 runts, 0 giants, 0 throttles
         0 CRC, 0 frame, - overruns, 0 aborts
         - ignored, - parity errors
Output (total): 0 packets, 0 bytes
         0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output (normal): 0 packets, - bytes
         0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
         0 aborts, 0 deferred, 0 collisions, 0 late collisions
         0 lost carrier, - no carrier

#note for PVID 1

#As per 802.1Q, frames of the PVID leave a port untagged, so I arbitrarily set the PVID of every trunk port to VLAN 77 (port trunk pvid vlan 77) so that VLAN 1 is tagged on the trunks (while VLAN 77 is the one left untagged)

#For instance on this trunk link
#
interface Ten-GigabitEthernet1/0/29
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
 port trunk pvid vlan 77
#

#so now it is tagged on VID 1

[TT-SWCR-1]dis vlan 1
 VLAN ID: 1
 VLAN Type: static
 Route Interface: not configured
 Description: VLAN 0001
 Name: leg-1-mgmt
 Tagged   Ports:
    Bridge-Aggregation10
    GigabitEthernet1/0/10      GigabitEthernet1/0/11      GigabitEthernet2/0/10
    GigabitEthernet2/0/11
    Ten-GigabitEthernet1/0/29  Ten-GigabitEthernet1/0/30  Ten-GigabitEthernet2/0/29
    Ten-GigabitEthernet2/0/30
 Untagged Ports:
    GigabitEthernet1/0/1       GigabitEthernet1/0/2       GigabitEthernet1/0/3
    GigabitEthernet1/0/4       GigabitEthernet1/0/5       GigabitEthernet1/0/6
    GigabitEthernet1/0/7       GigabitEthernet1/0/8       GigabitEthernet1/0/9
    GigabitEthernet1/0/12      GigabitEthernet1/0/13      GigabitEthernet1/0/14
    GigabitEthernet1/0/15      GigabitEthernet1/0/16      GigabitEthernet1/0/17
    GigabitEthernet1/0/18      GigabitEthernet1/0/19      GigabitEthernet1/0/20
    GigabitEthernet1/0/21      GigabitEthernet1/0/22      GigabitEthernet1/0/23
    GigabitEthernet1/0/24      GigabitEthernet1/0/25      GigabitEthernet1/0/26
    GigabitEthernet1/0/27      GigabitEthernet1/0/28      GigabitEthernet2/0/1
    GigabitEthernet2/0/2       GigabitEthernet2/0/3       GigabitEthernet2/0/4
    GigabitEthernet2/0/5       GigabitEthernet2/0/6       GigabitEthernet2/0/7
    GigabitEthernet2/0/8       GigabitEthernet2/0/9       GigabitEthernet2/0/12
    GigabitEthernet2/0/13      GigabitEthernet2/0/14      GigabitEthernet2/0/15
    GigabitEthernet2/0/16      GigabitEthernet2/0/17      GigabitEthernet2/0/18
    GigabitEthernet2/0/19      GigabitEthernet2/0/20      GigabitEthernet2/0/21
    GigabitEthernet2/0/22      GigabitEthernet2/0/23      GigabitEthernet2/0/24
    GigabitEthernet2/0/25      GigabitEthernet2/0/26      GigabitEthernet2/0/27
    GigabitEthernet2/0/28

graylog2 server not listening on ports 514 and 12201

I have managed to get the graylog2 server v1.2.2 running with their virtual appliance.

Everything seems to work just fine, except that the graylog server instance
was not listening on the ports defined in graylog2.conf.

In netstat I see the graylog java process associated with ports 12201 and
514, yet they are not in state LISTEN, and any log messages I send to my
machine on 12201 as GELF over UDP are not picked up.

I read the getting started documentation for the setup from bottom up again but could not find anything.

Message inputs are the Graylog parts responsible for accepting log messages. They are launched from the web interface (or the REST API) in the System -> Inputs section and are launched and configured without the need to restart any part of the system.

I added those from the System>Input screen – boom – it started listening.

Oh well.

Looking for a good tutorial to set up Graylog? Have a look there.

Brocade Zoning using the CLI

Because Java sucks, sometimes your Brocade GUI becomes unusable.

For instance, HBA1 (B1) and HBA2 (B2) are:

Pcatt-esx02_hba1 is 20:01:F8:BC:12:D2:CE:29
Pcatt-esx02_hba2 is 20:02:F8:BC:12:D2:CE:29

Log in to the first fabric.

Use alishow to display the aliases already created.

Use zoneshow to show the zones already created.

Use copy/paste to avoid typos.

Create an alias for the server HBA

PCATT-BLD2BRC1:root> alicreate "pcattesx02_hba1", "20:01:F8:BC:12:D2:CE:29"

Create the new zone for the server and VNX SPA. Pcattesx02_A1 is the name of the new zone.

PCATT-BLD2BRC1:root> zonecreate "pcattesx02_A1", "pcattesx02_hba1;EMCVNX_SPA1"

Find the configuration name with cfgshow

PCATT-BLD2BRC1:root> cfgshow
Defined configuration:
 cfg:   FABRIC_A
                CAS2115_A1; Poseidon_A1; PTBTTGOHV_A1; TBS2155_A1
[...]

Here the config name is FABRIC_A

Add the new zone to the existing configuration

PCATT-BLD2BRC1:root> cfgadd "FABRIC_A", "pcattesx02_A1"

Save the config and enable it.

PCATT-BLD2BRC1:root> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.

Do you want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Updating flash ...

PCATT-BLD2BRC1:root> cfgenable "FABRIC_A"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected. If the update includes changes
to one or more traffic isolation zones, the update may result in
localized disruption to traffic on ports associated with
the traffic isolation zone changes
Do you want to enable 'FABRIC_A' configuration (yes, y, no, n): [no] y
zone config "FABRIC_A" is in effect
Updating flash ...
PCATT-BLD2BRC1:root>

Do the same for the other fabric

PCATT-BLD2BRC2:root> alishow
Defined configuration:
 cfg:   FABRIC_B
                CAS2115_B2; Poseidon_B2; PTBTTGOHV_B2; TBS2155_B2
 zone:  CAS2115_B2
                CAS2115_HBA2; EMCVNX_SPB2
 zone:  PTBTTGOHV_B2
                EMCVNX_SPB2; PTBTTGOHV_HBA2
 zone:  Poseidon_B2
                EMCVNX_SPB2; Poseidon_HBA2
 zone:  TBS2155_B2
                EMCVNX_SPB2; TBS2155_HBA2
 alias: CAS2115_HBA2
                20:00:f8:bc:12:d2:cd:f5
 alias: EMCVNX_SPB2
                50:06:01:60:88:60:2f:d1
 alias: PTBTTGOHV_HBA2
                20:00:f8:bc:12:d2:ce:02
 alias: Poseidon_HBA2
                20:02:f8:bc:12:d2:ce:0f
 alias: TBS2155_HBA2
                20:00:f8:bc:12:d2:ce:1c

Effective configuration:
 cfg:   FABRIC_B
 zone:  CAS2115_B2
                20:00:f8:bc:12:d2:cd:f5
                50:06:01:60:88:60:2f:d1
 zone:  PTBTTGOHV_B2
                50:06:01:60:88:60:2f:d1
                20:00:f8:bc:12:d2:ce:02
 zone:  Poseidon_B2
                50:06:01:60:88:60:2f:d1
                20:02:f8:bc:12:d2:ce:0f
 zone:  TBS2155_B2
                50:06:01:60:88:60:2f:d1
                20:00:f8:bc:12:d2:ce:1c

PCATT-BLD2BRC2:root> alicreate "pcattesx02_hba2", "20:02:F8:BC:12:D2:CE:29"

PCATT-BLD2BRC2:root> zonecreate "pcattesx02_B2", "pcattesx02_hba2;EMCVNX_SPB2"

PCATT-BLD2BRC2:root> alishow
Defined configuration:
 cfg:   FABRIC_B
                CAS2115_B2; Poseidon_B2; PTBTTGOHV_B2; TBS2155_B2
 zone:  CAS2115_B2
                CAS2115_HBA2; EMCVNX_SPB2
 zone:  PTBTTGOHV_B2
                EMCVNX_SPB2; PTBTTGOHV_HBA2
 zone:  Poseidon_B2
                EMCVNX_SPB2; Poseidon_HBA2
 zone:  TBS2155_B2
                EMCVNX_SPB2; TBS2155_HBA2
 zone:  pcattesx02_B2
                pcattesx02_hba2; EMCVNX_SPB2
 alias: CAS2115_HBA2
                20:00:f8:bc:12:d2:cd:f5
 alias: EMCVNX_SPB2
                50:06:01:60:88:60:2f:d1
 alias: PTBTTGOHV_HBA2
                20:00:f8:bc:12:d2:ce:02
 alias: Poseidon_HBA2
                20:02:f8:bc:12:d2:ce:0f
 alias: TBS2155_HBA2
                20:00:f8:bc:12:d2:ce:1c
 alias: pcattesx02_hba2
                20:02:f8:bc:12:d2:ce:29

Effective configuration:
 cfg:   FABRIC_B
 zone:  CAS2115_B2
                20:00:f8:bc:12:d2:cd:f5
                50:06:01:60:88:60:2f:d1
 zone:  PTBTTGOHV_B2
                50:06:01:60:88:60:2f:d1
                20:00:f8:bc:12:d2:ce:02
 zone:  Poseidon_B2
                50:06:01:60:88:60:2f:d1
                20:02:f8:bc:12:d2:ce:0f
 zone:  TBS2155_B2
                50:06:01:60:88:60:2f:d1
                20:00:f8:bc:12:d2:ce:1c

PCATT-BLD2BRC2:root> cfgadd "FABRIC_B", "pcattesx02_B2"

PCATT-BLD2BRC2:root> cfgsave
WARNING!!!
The changes you are attempting to save will render the
Effective configuration and the Defined configuration
inconsistent. The inconsistency will result in different
Effective Zoning configurations for switches in the fabric if
a zone merge or HA failover happens. To avoid inconsistency
it is recommended to commit the configurations using the
'cfgenable' command.

Do you want to proceed with saving the Defined
zoning configuration only? (yes, y, no, n): [no] y
Updating flash ...

PCATT-BLD2BRC2:root> cfgenable "FABRIC_B"
You are about to enable a new zoning configuration.
This action will replace the old zoning configuration with the
current configuration selected. If the update includes changes
to one or more traffic isolation zones, the update may result in
localized disruption to traffic on ports associated with
the traffic isolation zone changes
Do you want to enable 'FABRIC_B' configuration (yes, y, no, n): [no] y
zone config "FABRIC_B" is in effect
Updating flash ...
PCATT-BLD2BRC2:root>
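The cfgsave warning above is the switch telling you that the Defined configuration (what you edited) and the Effective configuration (what the fabric is actually enforcing) no longer match; until cfgenable runs, the new zone grants no access, and a zone merge or HA failover can pick either version. The check below is an added example, not part of the original post or of Brocade's FOS: it parses text in the shape of the cfgshow/alishow output above, expands the defined zones through their aliases to WWNs, and reports zones that are defined but not enabled, enabled with a different membership, or still enabled although removed from the defined cfg. The sample is constructed from the fabric B output, frozen at the point after cfgadd but before cfgenable, so the new zone shows up as pending.

```python
import re

# Constructed sample modelled on the fabric B output above, captured after
# cfgadd but before cfgenable: pcattesx02_B2 is defined but not yet effective.
SAMPLE_CFGSHOW = """\
Defined configuration:
 cfg:   FABRIC_B
                CAS2115_B2; Poseidon_B2; pcattesx02_B2
 zone:  CAS2115_B2
                CAS2115_HBA2; EMCVNX_SPB2
 zone:  Poseidon_B2
                EMCVNX_SPB2; Poseidon_HBA2
 zone:  pcattesx02_B2
                pcattesx02_hba2; EMCVNX_SPB2
 alias: CAS2115_HBA2
                20:00:f8:bc:12:d2:cd:f5
 alias: EMCVNX_SPB2
                50:06:01:60:88:60:2f:d1
 alias: Poseidon_HBA2
                20:02:f8:bc:12:d2:ce:0f
 alias: pcattesx02_hba2
                20:02:f8:bc:12:d2:ce:29

Effective configuration:
 cfg:   FABRIC_B
 zone:  CAS2115_B2
                20:00:f8:bc:12:d2:cd:f5
                50:06:01:60:88:60:2f:d1
 zone:  Poseidon_B2
                50:06:01:60:88:60:2f:d1
                20:02:f8:bc:12:d2:ce:0f
"""

ENTRY_RE = re.compile(r"^\s*(cfg|zone|alias):\s*(\S+)\s*(.*)$")


def parse_cfgshow(text):
    """Split the output into {'defined': sec, 'effective': sec}; each section is
    {'cfg': {name: [members]}, 'zone': {...}, 'alias': {...}} (None if absent)."""
    sections = {"defined": None, "effective": None}
    current = None   # section being filled
    entry = None     # member list of the entry being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("defined configuration"):
            current = sections["defined"] = {"cfg": {}, "zone": {}, "alias": {}}
            entry = None
            continue
        if low.startswith("effective configuration"):
            current = sections["effective"] = {"cfg": {}, "zone": {}, "alias": {}}
            entry = None
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            entry = current[kind].setdefault(name, [])
            line = rest          # members may follow the name on the same line
        if entry is not None and line:
            entry.extend(x.strip() for x in line.split(";") if x.strip())
    return sections


def resolve_zone(defined, zone):
    """Expand a defined zone's members through aliases into a set of WWNs."""
    wwns = set()
    for member in defined["zone"].get(zone, []):
        wwns.update(defined["alias"].get(member, [member]))
    return wwns


def zoning_drift(text):
    """Report zones whose defined membership differs from what the fabric enforces."""
    s = parse_cfgshow(text)
    defined = s["defined"] or {"cfg": {}, "zone": {}, "alias": {}}
    effective = s["effective"] or {"cfg": {}, "zone": {}, "alias": {}}
    active_cfg = next(iter(effective["cfg"]), None)
    if active_cfg is None:   # nothing enabled yet: everything defined is pending
        zones_in_cfg = [z for zs in defined["cfg"].values() for z in zs]
    else:
        zones_in_cfg = defined["cfg"].get(active_cfg, [])
    report = {"not_enabled": [], "changed": [], "stale": []}
    for zone in zones_in_cfg:
        if zone not in effective["zone"]:
            report["not_enabled"].append(zone)
        elif set(effective["zone"][zone]) != resolve_zone(defined, zone):
            report["changed"].append(zone)
    for zone in effective["zone"]:
        if zone not in zones_in_cfg:
            report["stale"].append(zone)
    return report


if __name__ == "__main__":
    for kind, zones in zoning_drift(SAMPLE_CFGSHOW).items():
        print(f"{kind}: {', '.join(zones) or '-'}")
```

An empty report on every fabric is the condition the cfgenable step is meant to reach; a non-empty "changed" list after someone else has been on the switch is worth a look before the next merge or failover.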

HP/Comware IRF Configuration

This client is updating its HP based network infrastructure from the Procurve line to the Comware line (HP E-series is it? oh well let’s call it Comware!). To be more accurate it is going to be mix between the cheaper Procurve series and the E series.

I am reusing the content summarized here.
IRF (Intelligent Resilient Framework) is a (Comware) HP technology that allows multiple switches to act as a stacked switch, without the requirement of any special stacking modules or cables.
Switches that are interconnected with IRF allow for a simplified topology and management, multi-switch link aggregation, and 1:N redundancy to protect against switch failure.

Let's start with the configuration of the new core, made up of 2 HP Comware 5500s. I suppose there will be more to follow as I configure those.

!When you begin configuring IRF, the switches should NOT be cabled together!

Switch Assignment

By default, all switches out of the box are numbered as switch 1 in relation to IRF. To configure IRF, each switch will need to have their own member number. This can be done with the following commands.

system-view
irf member 1 renumber 2
save
quit
reboot

We first enter system-view which allows for configuration of the switch. The second command will renumber the switch to number two. You will need to repeat this step for any additional switches incrementing the switch number. We then save the configuration and reboot. Renumbering does NOT take effect until the switch has been rebooted.

Stacking Switches

We now need to choose the ports that we wish to use to connect the switches. Here I am creating a 20Gb LAG, so we will use ports Ten 1/1/1 and Ten 1/1/2.
On Switch 1

system-view
int ten 1/1/1
shut
int ten 1/1/2
shut
quit

irf-port 1/1
port group int ten 1/1/1
quit

irf-port 1/2
port group int ten 1/1/2
quit

int ten 1/1/1
undo shut
int ten 1/1/2
undo shut
quit

save

irf-port-configuration active

Switch 2

system-view
int ten 2/1/1
shut
int ten 2/1/2
shut
quit

irf-port 2/1
port group int ten 2/1/1
quit

irf-port 2/2
port group int ten 2/1/2
quit

int ten 2/1/1
undo shut
int ten 2/1/2
undo shut
quit

save

irf-port-configuration active

The slave switch then restarts!

The first thing that needs to be done is to shut down the interfaces we would like to add to the IRF group. Next we create new IRF ports. Each interface will be assigned to an IRF port. You can configure 1 interface for each IRF port, or you can use multiple interfaces for each IRF port for even more redundancy. Once all ports have been assigned to an IRF port, we can then enable the interfaces again. We then save the configuration and use the irf-port-configuration active command to activate the new IRF configuration.

Notice that on switch 2, the interfaces now begin with 2 instead of 1. This is based on the switch number we chose when we renumbered the switch in the first phase.

Cabling/Connecting

When connecting the switches after configuration, you must connect the interfaces in IRF port 1 to the interfaces in IRF port 2 on the second switch. This is critical. If you connect IRF port 1 to IRF port 1 on the second switch, IRF will not function.

Additional information and more detailed configuration information can be found in the IRF Configuration Guide.

Verify the configuration

Just a couple of commands to help visualize the setup from the CLI

>dis irf
Switch Role    Priority CPU-Mac        Description
*+1    Master  1        7848-5952-8fbb TT-SWCR-1-Master
  2    Slave   1        7848-5962-15c3 -----
--------------------------------------------------
 * indicates the device is the master.
 + indicates the device through which the user logs in.

 The Bridge MAC of the IRF is: 7848-5952-8f88
 Auto upgrade   : yes
 Mac persistent : 6 min
 Domain ID      : 0

>dis irf configuration
 MemberID  NewID  IRF-Port1                  IRF-Port2
 1         1      Ten-GigabitEthernet1/1/1   Ten-GigabitEthernet1/1/2
 2         2      Ten-GigabitEthernet2/1/1   Ten-GigabitEthernet2/1/2

>dis irf topology
                           Topology Info
-------------------------------------------------------------------------
             IRF-Port1                IRF-Port2
 Switch     Link       neighbor      Link       neighbor    Belong To
 1          UP         2             UP         2           7848-5952-8fbb
 2          UP         1             UP         1           7848-5952-8fbb

>dis irf-port load-sharing mode irf-port
irf-port1/1 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port1/2 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port2/1 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

irf-port2/2 Load-Sharing Mode:
Layer 2 traffic: packet type-based sharing
Layer 3 traffic: packet type-based sharing

While the stack now acts as one switch, you can still connect to the slave using this command:

irf switch-to member #
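The dis irf and dis irf topology output above is what you eyeball to confirm the stack is whole: exactly one master, every expected member present, both IRF ports UP on each member, and every member reporting the same "Belong To" MAC (two different MACs would mean the stack has split into two fabrics that each think they are the core). The script below is an added example, not part of the original post or of HP's software; it parses text in the shape of those two commands and returns a list of problems, empty when the stack is healthy. Both samples are constructed from the output above; the second one has the 1/1 to 2/2 link cabled out so the check has something to find.

```python
import re

# Constructed samples modelled on the "dis irf" and "dis irf topology" output above.
IRF_MEMBERS = """\
Switch Role    Priority CPU-Mac        Description
*+1    Master  1        7848-5952-8fbb TT-SWCR-1-Master
  2    Slave   1        7848-5962-15c3 -----
--------------------------------------------------
 * indicates the device is the master.
 + indicates the device through which the user logs in.

 The Bridge MAC of the IRF is: 7848-5952-8f88
 Auto upgrade   : yes
 Mac persistent : 6 min
 Domain ID      : 0
"""

IRF_TOPOLOGY_OK = """\
                           Topology Info
-------------------------------------------------------------------------
             IRF-Port1                IRF-Port2
 Switch     Link       neighbor      Link       neighbor    Belong To
 1          UP         2             UP         2           7848-5952-8fbb
 2          UP         1             UP         1           7848-5952-8fbb
"""

# Same stack with the 1/1 <-> 2/2 link unplugged (constructed).
IRF_TOPOLOGY_DEGRADED = """\
                           Topology Info
-------------------------------------------------------------------------
             IRF-Port1                IRF-Port2
 Switch     Link       neighbor      Link       neighbor    Belong To
 1          DOWN       --            UP         2           7848-5952-8fbb
 2          UP         1             DOWN       --          7848-5952-8fbb
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
MEMBER_ROW = re.compile(r"^\s*([*+]*)(\d+)\s+(Master|Slave|Standby)\s+(\d+)\s+(" + MAC + ")", re.I)
TOPO_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(" + MAC + r")\s*$", re.I)


def parse_irf_members(text):
    """{member_id: {role, is_master, priority, cpu_mac}} from 'dis irf'."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_ROW.match(line)
        if m:
            flags, mid, role, prio, mac = m.groups()
            members[int(mid)] = {"role": role.capitalize(), "is_master": "*" in flags,
                                 "priority": int(prio), "cpu_mac": mac.lower()}
    return members


def parse_irf_topology(text):
    """{member_id: {port1: (link, neighbor), port2: (link, neighbor), belong_to: mac}}."""
    topo = {}
    for line in text.splitlines():
        m = TOPO_ROW.match(line)
        if m:
            sw, l1, n1, l2, n2, master = m.groups()
            topo[int(sw)] = {"port1": (l1.upper(), n1), "port2": (l2.upper(), n2),
                             "belong_to": master.lower()}
    return topo


def irf_problems(member_text, topo_text, expected_members):
    """Return human-readable problems; an empty list means the stack is whole."""
    problems = []
    members = parse_irf_members(member_text)
    topo = parse_irf_topology(topo_text)

    masters = [mid for mid, m in members.items() if m["is_master"]]
    if len(masters) != 1:
        problems.append(f"expected exactly one master, found {len(masters)}")

    for mid in expected_members:
        if mid not in members:
            problems.append(f"member {mid} is not part of the IRF fabric")
            continue
        t = topo.get(mid)
        if t is None:
            problems.append(f"member {mid} has no topology entry")
            continue
        for port in ("port1", "port2"):
            link, neighbor = t[port]
            if link != "UP":
                problems.append(f"member {mid} IRF-{port} is {link}")
            elif neighbor == str(mid):
                problems.append(f"member {mid} IRF-{port} is looped back to itself")
        # every member must belong to the single master, otherwise the stack has split
        if masters and t["belong_to"] != members[masters[0]]["cpu_mac"]:
            problems.append(f"member {mid} belongs to a different master (split stack?)")
    return problems


if __name__ == "__main__":
    print("ok:", irf_problems(IRF_MEMBERS, IRF_TOPOLOGY_OK, [1, 2]))
    print("degraded:", irf_problems(IRF_MEMBERS, IRF_TOPOLOGY_DEGRADED, [1, 2]))
```

Feed it the real output from the master (or from a slave via irf switch-to, where both commands work the same way) and treat any non-empty result as a reason to check cabling before trusting the stack with a change window.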

How to change the default DNS Servers on a Thomson Router ST546

As a new year resolution, I am trying to get away as much as possible from the big G, and so instead of the very easy to remember 8.8.8.8 and 8.8.4.4 I decided to use OpenDNS. I left the one from my ISP but in second place, thereby setting the priority as you want it. You could, of course, use any metric you wish, and as long as it is less than 10 it will have a higher priority than the automatic entries.

Step by Step Guide

Open a DOS window (command prompt)

Type telnet 192.168.1.254

Username Administrator

Password blank (unless you have changed it)

Note: the Username and Password to use depends on the router you are using. Please see the guide that came with your router for the appropriate ones to use.

You should then see something like this

Username : Administrator
 Password :
------------------------------------------------------------------------

                             ______  SpeedTouch 5x6
                         ___/_____/\
                        /         /\  7.4.3.2
                  _____/__       /  \
                _/       /\_____/___ \  Copyright (c) 1999-2007, THOMSON
               //       /  \       /\ \
       _______//_______/    \     / _\/______
      /      / \       \    /    / /        /\
   __/      /   \       \  /    / /        / _\__
  / /      /     \_______\/    / /        / /   /\
 /_/______/___________________/ /________/ /___/  \
 \ \      \    ___________    \ \        \ \   \  /
  \_\      \  /          /\    \ \        \ \___\/
     \      \/          /  \    \ \        \  /
      \_____/          /    \    \ \________\/
           /__________/      \    \  /
           \   _____  \      /_____\/
            \ /    /\  \    /___\/
             /____/  \  \  /
             \    \  /___\/
              \____\/

-----------------------------------------------------------------------
{Administrator}=>dns server route list
DNS Server Entries:
 DNS Server       Source   Label   Metric  Intf      State  Domain
 D 206.248.154.22                   10      Internet  UP     *
 D 206.248.154.170                  10      Internet  UP     *
{Administrator}=>dns server route add dns=208.67.220.220 metric=1 intf=Internet
{Administrator}=>dns server route add dns=208.67.222.222 metric=2 intf=Internet
{Administrator}=>dns server route list
DNS Server Entries:
 DNS Server       Source   Label   Metric  Intf      State  Domain
 S 208.67.220.220                   1       Internet  UP     *
 S 208.67.222.222                   2       Internet  UP     *
 D 206.248.154.22                   10      Internet  UP     *
 D 206.248.154.170                  10      Internet  UP     *
{Administrator}=>dns server route delete dns=206.248.154.22
{Administrator}=>dns server route delete dns=206.248.154.170
{Administrator}=>saveall
{Administrator}=>

add a permanent rule on firewalld

I just started using CentOS 7, which adopted firewalld from Fedora in place of plain iptables.

Get the active zones; the default zone is usually "public":

firewall-cmd --get-active-zones

List services on that zone:

firewall-cmd --zone=public --list-all

Add required TCP ports (let’s do port 80):

firewall-cmd --permanent --zone=public --add-port=80/tcp

You could restart the firewall for them to take effect, or run the same commands again without the --permanent option to add them to the running configuration straight away.

Restart firewall:

systemctl restart firewalld.service

You can also specify services, rather than ports if you like.

sudo firewall-cmd --permanent --zone=public --add-service=http

You’re done!