
AAA-1

Before diving into the configuration, let me first describe what AAA is all about.

AAA stands for authentication, authorization and accounting: a framework in IP-based networking that controls which computer resources (routers, switches, firewalls, wireless access points, WLCs, WCS) users have access to and keeps track of the activity of users over a network.

Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.
Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user’s authorization level.
Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

AAA services usually rely on a server dedicated to providing the three functions; RADIUS and TACACS+ are examples of AAA protocols. In this post I am using two ACS boxes running in high availability in the global data center for AAA, with Microsoft Active Directory as the database for end-user authentication.

Now let's dig into the configuration.

AAA for Telnet users by an HWTACACS server on HP A Series Switches
==========================================================================
local-user unetadmin    –>This creates a local user, used as a fallback in case the ACS servers fail.
password simple icewater
service-type ssh telnet terminal
authorization-attribute level 3   –>Level 3 is the highest level in HP A series, like privilege 15 in cisco devices.
!
super password level 3 cipher rainwater   –>This is like Enable password in cisco.

!
user-interface vty 0 15
authentication-mode scheme    –>This means we are using an AAA scheme.
user privilege level 3                    –>A user who authenticates via AAA is placed at privilege level 3.
quit
!
hwtacacs scheme acs      –>We need to define a scheme first.
primary authentication x.x.x.x   –>Where x.x.x.x is primary ACS server.
secondary authentication y.y.y.y   –>Where y.y.y.y is secondary ACS server.
primary authorization x.x.x.x
secondary authorization y.y.y.y
primary accounting x.x.x.x
secondary accounting y.y.y.y
!
key authentication HP_ASeries  –>The key must match the key configured on the ACS box. Note:- this is case-sensitive.
key authorization HP_ASeries
key accounting HP_ASeries
user-name-format without-domain
nas-ip z.z.z.z     –>This is the source address of the AAA conversation from the device to the ACS box; it should be either the management interface or the IP that is configured on the ACS box for this particular device.

quit
!
domain upm_acs   –>Configured “scheme” should be embedded into a “Domain” to define the hierarchy for AAA.
authentication default hwtacacs-scheme acs local  –>This means AAA will first try the primary ACS server, then the secondary, and fall back to local users only if both fail.
authorization default hwtacacs-scheme acs local
accounting default hwtacacs-scheme acs local
authentication login hwtacacs-scheme acs local
authorization login hwtacacs-scheme acs local
accounting login hwtacacs-scheme acs local
access-limit disable
state active
idle-cut disable
self-service-url disable
user-group upm_acs    –>We define a user group with the same name as the domain.
domain default enable upm_acs  –>This is the main command that enables the domain for AAA; it matters when multiple domains are configured, for example one for TACACS and another for RADIUS.
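As an added example that is not part of the original post, the following Python audit reads the scheme and domain sections above in the layout of a Comware configuration dump and flags the mistakes the annotations warn about: a missing secondary server for one of the three services, keys that differ between services (they are case-sensitive), and a default domain that is undefined or does not place `local` strictly after the HWTACACS scheme. The server addresses, the one-space indentation and the injected defects are constructed assumptions.

```python
# Constructed sample in "display current-configuration" layout, with two
# injected defects: no secondary accounting server; accounting key case differs.
SAMPLE_CONFIG = """\
hwtacacs scheme acs
 primary authentication 10.0.0.1
 secondary authentication 10.0.0.2
 primary authorization 10.0.0.1
 secondary authorization 10.0.0.2
 primary accounting 10.0.0.1
 key authentication HP_ASeries
 key authorization HP_ASeries
 key accounting hp_aseries
domain upm_acs
 authentication default hwtacacs-scheme acs local
 authorization default hwtacacs-scheme acs local
 accounting default hwtacacs-scheme acs local
domain default enable upm_acs
"""
SERVICES = ("authentication", "authorization", "accounting")

def parse_blocks(config):
    """Group one-space-indented lines under the view command above them."""
    blocks, current = {}, []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" "):
            current.append(line.strip())
        else:
            current = blocks.setdefault(line, [])
    return blocks

def audit_aaa(config):
    """Return findings; an empty list means the config matches the post's model."""
    blocks, findings = parse_blocks(config), []
    for name, body in blocks.items():
        if name.startswith("hwtacacs scheme "):
            for svc in SERVICES:              # primary and secondary server for every service
                for role in ("primary", "secondary"):
                    if not any(cmd.startswith(f"{role} {svc} ") for cmd in body):
                        findings.append(f"{name}: missing {role} {svc} server")
            keys = {cmd.split()[2] for cmd in body if cmd.startswith("key ")}
            if len(keys) != 1:                # keys are case-sensitive; all three must match
                findings.append(f"{name}: keys differ between services")
    default = next((k.split()[-1] for k in blocks if k.startswith("domain default enable ")), "")
    dom = blocks.get(f"domain {default}")
    if dom is None:
        findings.append("domain default enable names an undefined domain")
    for svc in SERVICES:                      # ACS scheme first, local users only as fallback
        parts = next((cmd.split() for cmd in dom or [] if cmd.startswith(f"{svc} default ")), [])
        if not (len(parts) == 5 and parts[2] == "hwtacacs-scheme" and parts[4] == "local"):
            findings.append(f"domain {default}: {svc} is not 'hwtacacs-scheme <name> local'")
    return findings
```

Running `audit_aaa(SAMPLE_CONFIG)` reports the two injected defects; paste a real `display current-configuration` into the string to audit a live switch offline.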

AAA for HP E Series Switches:
================================

# Configure the switch to use AAA for Telnet users.

password manager user-name unetadmin   –>Manager is the highest level of access on HP E series; the switch then prompts for the password and a confirmation.

password: icewater

confirm: icewater

aaa authentication login privilege-mode  –>Log straight into Manager mode; no need to type “enable” after a successful login.
aaa authentication telnet login radius local –>For Telnet, AAA will first try the primary ACS server, then the secondary, and fall back to local only if both fail.
aaa authentication telnet enable radius local
aaa authentication ssh login radius local –>This is for SSH.
aaa authentication ssh enable radius local
aaa accounting exec start-stop radius

!
radius-server host x.x.x.x key HP_ESeries  –>Define primary Radius server host and the key.
radius-server host y.y.y.y key HP_ESeries  –>Define secondary Radius server host and the key.

ip source-interface radius z.z.z.z  –>This is the source address of the AAA conversation from the device to the ACS box; it should be either the management interface or the IP that is configured on the ACS box for this particular device.


HP Switch IRF

Apr 20

IRF:- IRF stands for Intelligent Resilient Framework. It is a similar technology to the one Cisco uses in the 6500 series, VSS (Virtual Switching System), or to Juniper QFabric. IRF is an advanced technology that allows two or more switches to be aggregated into a single switching and routing system, also known as a “virtual switch”. IRF virtualization technology offers the processing power, interaction, unified management and uninterrupted maintenance of multiple switches.

IRF delivers the following benefits:-
• Simplified topology and streamlined management. An IRF fabric appears as one node on the network. We can log in at any member switch to manage all members of the IRF fabric.
• High availability and reliability. The member switches in an IRF fabric work in 1:N redundancy. One member switch works as the master to manage and maintain the entire IRF fabric, and all other member switches process services and provide backup. If the master fails, all other member switches elect a new master among them to prevent service interruption. We can perform link aggregation not only for IRF links but also for physical links between the IRF fabric and its upper- or lower-layer devices, for link redundancy.
• Network scalability and resiliency. We can increase ports, network bandwidth, and processing capability of an IRF fabric simply by adding member switches.

Basic concepts of IRF:-

  • IRF member switch roles

IRF uses two member switch roles: master and slave.
When switches form an IRF fabric, they elect a master to manage the IRF fabric, and all other switches back up the master. When the master switch fails, the other switches automatically elect a new master from among them to avoid service interruption.

  • IRF port

An IRF port is a logical interface for the internal connection between IRF member switches. Each IRF member switch has two IRF ports: IRF-port 1 and IRF-port 2. An IRF port is activated when we bind a physical port to it.

  • Physical IRF port

Physical IRF ports are physical ports bound to an IRF port. They connect IRF member switches and forward IRF protocol packets and data packets between IRF member switches. We can configure a GE Ethernet port or a GE SFP port as a physical IRF port.

  • IRF partition

IRF partition occurs when an IRF fabric splits into two or more IRF fabrics because of IRF link failures, as shown in Figure below. The partitioned IRF fabrics operate with the same IP address and cause routing and forwarding problems on the network.

  • IRF merge

IRF merge occurs when two partitioned IRF fabrics re-unite or when you configure and connect two independent IRF fabrics to be one IRF fabric, as shown in Figure below.

  • Member priority

Member priority determines the role a member switch takes during the master election process. A member with a higher priority is more likely to become the master.
The priority of a switch defaults to 1. We can modify the priority from the command line interface (CLI).

IRF Virtual Device Configuration Procedure List
We will configure IRF step by step, following the procedure recommended by HP.

Hardware Used :-
(Switch) 2 x JG236A HP 5120-24G-POE+ EI SWITCH W/2 INTF SLTS

(Module) 2 x JD360B HP 5500 2-port 10GbE Loc Connect Module

(Cable) 2 x JD363B HP X230 Local Connect 50cm CX4 Cable

Below is the IRF configuration for HP A series stackable switches (A5120/5500/5800/5820):
  • Login onto the switch using the console port
  • <H3C>system-view (Enter system view aka config mode)
  • [H3C]show version (Ensure that both switches are running the same software version)
  • [H3C]reset saved-configuration (Reset the config)
  • [H3C]irf member 1 renumber 1 (Assign an IRF member number to the first switch)
  • [H3C]irf member 1 renumber 2 (Assign an IRF member number to the second switch)
  • [H3C]quit (Quit to user view)
  • <H3C>save (Save the config)
  • <H3C>reboot (Reboot the switches)
  • <H3C>system-view (Enter system view aka config mode)
  • [H3C]irf mac-address persistent always (Enable MAC address persistence)
  • [H3C]irf member 1 priority 32 (Set the highest priority on the first member/switch aka Master)
  • [H3C]irf member 2 priority 30 (Set the second highest priority on the second member/switch aka Slave)
  • [H3C]int GigabitEthernet 1/0/51
  • shut
  • [H3C]int GigabitEthernet 1/0/52
  • shut
  • [H3C]int GigabitEthernet 2/0/51
  • shut
  • [H3C]int GigabitEthernet 2/0/52
  • shut (shutdown all interfaces you want to use for IRF on both switches)
  • [H3C]irf port 1/1 (Create IRF port 1/1 on the first member)
  • [H3C]port group interface GigabitEthernet 1/0/51 (add the switch port to the IRF port)
  • [H3C]quit
  • [H3C]irf port 1/2 (Create IRF port 1/2 on the first member)
  • [H3C]port group interface GigabitEthernet 1/0/52 (add the switch port to the IRF port)
  • [H3C]quit
  • [H3C]irf port 2/1 (Create IRF port 2/1 on the second member)
  • [H3C]port group interface GigabitEthernet 2/0/51 (add the switch port to the IRF port)
  • [H3C]quit
  • [H3C]irf port 2/2 (Create IRF port 2/2 on the second member)
  • [H3C]port group interface GigabitEthernet 2/0/52 (add the switch port to the IRF port)
  • [H3C]quit
  • [H3C]save (Save config)
  • [H3C]interface GigabitEthernet 1/0/51
  • [H3C]undo shut
  • [H3C]interface GigabitEthernet 1/0/52
  • [H3C]undo shut
  • [H3C]interface GigabitEthernet 2/0/51
  • [H3C]undo shut
  • [H3C]interface GigabitEthernet 2/0/52
  • [H3C]undo shut (enable all interfaces you want to use for IRF on both switches)
  • [H3C]irf-port-configuration active (Activate the IRF config on BOTH switches)
  • Now we connect our fiber CROSSWISE, so 1/0/51 to 2/0/52 and 1/0/52 to 2/0/51
  • ATTENTION: The second IRF member will reboot! Wait for it to get back up. We will see the switches negotiate for about 30 seconds before the IRF becomes active.
  • If all works well:
  • [H3C]quit
  • <H3C>save
  • <H3C>reboot
  • <H3C>system-view
  • [H3C]display irf (Display the IRF setup)
  • [H3C]display irf topology (Display the IRF Topology)
  • [H3C]display irf configuration
  • [H3C]display devices
  • Both IRF ports should be UP. If one is DOWN or DIS(abled), something went wrong.
  • Check the IRF priority of the First member. It should be 32.
  • Check the IRF priority of the second member. It should be 30.
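As an added example (not from the original post or from HP), the following Python pre-check takes the plan built up in the steps above, two members with priorities 32 and 30 and one physical port bound to each IRF port, and verifies it before anything is activated: priorities must be unique so the master election cannot tie, and every cable must run from IRF-port 1 on one member to IRF-port 2 on the other, which is the crosswise rule the post applies (1/0/51 to 2/0/52, 1/0/52 to 2/0/51). The dictionary layout, the function names and the cabling list are constructed assumptions; the emitted commands are the ones from the procedure above.

```python
# Constructed plan built from the post's steps: member number, priority, and
# the physical port bound to each IRF port (the dict layout is our assumption).
PLAN = {
    1: {"priority": 32, "irf_ports": {1: "GigabitEthernet1/0/51", 2: "GigabitEthernet1/0/52"}},
    2: {"priority": 30, "irf_ports": {1: "GigabitEthernet2/0/51", 2: "GigabitEthernet2/0/52"}},
}
# Crosswise cabling from the post: 1/0/51 <-> 2/0/52 and 1/0/52 <-> 2/0/51.
CABLES = [("GigabitEthernet1/0/51", "GigabitEthernet2/0/52"),
          ("GigabitEthernet1/0/52", "GigabitEthernet2/0/51")]

def irf_port_of(plan, phys):
    """Map a physical port back to (member, irf_port), or None if unbound."""
    for member, cfg in plan.items():
        for irf_port, port in cfg["irf_ports"].items():
            if port == phys:
                return member, irf_port
    return None

def check_plan(plan, cables):
    """Return the problems a pre-check should flag before irf-port-configuration active."""
    problems = []
    prios = [cfg["priority"] for cfg in plan.values()]
    if len(set(prios)) != len(prios):          # equal priorities make the election a tie
        problems.append("member priorities are not unique; master election would tie")
    for a, b in cables:
        end_a, end_b = irf_port_of(plan, a), irf_port_of(plan, b)
        if end_a is None or end_b is None:
            problems.append(f"cable {a}<->{b} uses a port not bound to any IRF port")
        elif end_a[0] == end_b[0]:
            problems.append(f"cable {a}<->{b} connects a member to itself")
        elif end_a[1] == end_b[1]:             # ring must alternate IRF-port 1 and IRF-port 2
            problems.append(f"cable {a}<->{b} joins IRF-port {end_a[1]} to IRF-port {end_b[1]}; "
                            "links must run IRF-port 1 to IRF-port 2")
    return problems

def expected_master(plan):
    """Member number that should win the election (highest priority)."""
    return max(plan, key=lambda member: plan[member]["priority"])

def render_commands(plan):
    """Emit the post's system-view IRF commands for every member of the plan."""
    lines = ["irf mac-address persistent always"]
    for member, cfg in sorted(plan.items()):
        lines.append(f"irf member {member} priority {cfg['priority']}")
        for irf_port, phys in cfg["irf_ports"].items():
            lines += [f"irf port {member}/{irf_port}", f" port group interface {phys}", " quit"]
    lines.append("irf-port-configuration active")
    return lines
```

`check_plan(PLAN, CABLES)` returns an empty list for the post's plan; swapping the cables so that 1/0/51 meets 2/0/51 is reported as a port-1-to-port-1 link, which is the kind of miswiring that leaves an IRF port DOWN in the checks above.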

Finally, I want to mention the limitations of IRF:-

  • Only devices of the same series can form an IRF fabric, just as with other vendors such as Cisco or Juniper.
  • The devices must run the same software version; otherwise they will not form an IRF fabric.
  • One device in the IRF fabric is the master and the others are slaves; there is no load distribution or Active/Active scenario. Same as Cisco’s VSS.
  • Numerous stackable switches can form an IRF fabric.
  • IRF partition is detected through proprietarily modified LACP or BFD. Same as Cisco’s VSS.