Showing posts with label HP. Show all posts

Wednesday, November 4, 2015

Track an IP on your Network

Who has never received the following question from a colleague:
- Hey, network guy, could you find out where this laptop is for me? I only have its IP address.

To resolve this, you start following the IP address by looking in the ARP and MAC address tables of your switches, routers and firewall. I put an end to this boring job by using the following open source tool:
http://netdbtracking.sourceforge.net/

The developers have already preconfigured a VM:
http://sourceforge.net/projects/netdbtracking/files/vmware/

After 30 minutes to install the VM and some hours (depending on the size of your network) of configuration to enter your different equipment, you can provide a web tool, reachable by everybody, to track an IP.

You will find below some examples of host configuration.


  • HP Procurve (Layer 3)

hostname,devtype=procurvehpv2, arp


  • HP Procurve (Layer 2):

In this example, I skipped the uplink interfaces (45 and 47). I have also limited it to 2 MAC addresses per interface.
hostname,devtype=procurvehpv2,skip_port=45,skip_port=47,use_trunks,max_macs=2
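The manual lookup described above (IP to MAC in the ARP table, then MAC to port in the MAC address tables) can be sketched as follows. This is an added example, not NetDB's code or part of the original post; the sample rows, switch names and the reading of max_macs as "ignore ports that carry more MACs than this" are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from a real network).
ARP_ROWS = [  # (ip, mac) as read from the layer-3 device's ARP table
    ("10.1.1.25", "0011.2233.4455"),
    ("10.1.1.26", "00:11:22:33:44:66"),
    ("10.1.1.27", "001122-334477"),
]
MAC_ROWS = [  # (mac, switch, port) as read from the layer-2 MAC tables
    ("001122-334455", "sw1", "12"),  # edge port of 10.1.1.25
    ("001122-334466", "sw1", "45"),  # uplink: also learns remote hosts
    ("001122-334477", "sw1", "45"),
    ("001122-334455", "sw2", "47"),  # uplink on the other switch
    ("001122-334466", "sw2", "3"),   # edge port of 10.1.1.26
    ("001122-334477", "sw2", "7"),   # port 7 carries three MACs
    ("001122-334488", "sw2", "7"),
    ("001122-334499", "sw2", "7"),
]
SKIP_PORTS = {"sw1": {"45", "47"}, "sw2": {"45", "47"}}  # uplinks

def normalize_mac(mac):
    """Reduce Cisco, HP or colon notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def locate(ip, arp_rows, mac_rows, skip_ports, max_macs):
    """Return the (switch, port) pairs where the host owning `ip` is attached."""
    wanted = {normalize_mac(m) for a, m in arp_rows if a == ip}
    per_port = defaultdict(set)
    for mac, switch, port in mac_rows:
        per_port[(switch, port)].add(normalize_mac(mac))
    hits = []
    for (switch, port), seen in sorted(per_port.items()):
        if port in skip_ports.get(switch, ()):
            continue  # configured uplink: the host is not attached here
        if len(seen) > max_macs:
            continue  # too many MACs: treated as a link to another switch
        if wanted & seen:
            hits.append((switch, port))
    return hits
```

Without the skip list and the MAC limit, 10.1.1.25 is reported on both its edge port and the remote uplink, which is the ambiguity these two options remove.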

Tuesday, July 7, 2015

Configure PIM-sparse mode between Cisco and HP Procurve

This post explains how to configure PIM-sparse mode between a Cisco and HP Procurve environment. In our case, we have the following components:
- Cisco2 (Rendezvous Point)
- Cisco1 (PIM router)
- HP1 (PIM router and IGMP edge router)




  • Configuration

    • Cisco2 (RP):


ip multicast-routing
! the groups served by this RP can be filtered here with an ACL
ip pim rp-address 10.10.30.1
!
interface Gi1/0/1
 description *** TO Cisco1 ***
 ip address 10.10.20.2 255.255.255.0
 ip pim sparse-mode
!
interface Vlan100
 description *** VLAN Source ***
 ip address 10.10.30.1 255.255.255.0
 ip pim sparse-mode

    • Cisco1:

ip multicast-routing
ip pim rp-address 10.10.30.1    
!
interface Gi1/0/1
 description *** TO Cisco2 ***
 ip address 10.10.20.1 255.255.255.0
 ip pim sparse-mode
!
! placeholder: must be a different port from the Cisco2 uplink above
interface <port_to_HP1>
 description *** TO HP1 ***
 ip address 10.10.10.1 255.255.255.0
 ip pim sparse-mode

    • HP1:


ip multicast-routing
!
router pim
   enable
   ! the group range can be filtered here
   rp-address 10.10.30.1 224.0.0.0 240.0.0.0
   exit
!
vlan 316
   name "To Cisco1"
   untagged A1
   ip address 10.10.10.2 255.255.255.0
   ip pim-sparse
      ip-addr any
      exit
!
vlan 200
   name "200-RECEIVER"
   untagged A1
   tagged A13-A15,B20,Trk1
   ip address 10.10.40.1 255.255.255.0
   ip igmp
   ip pim-sparse
      ip-addr any
      exit

  • Validation

Check the PIM neighbor adjacency on the HP:

HP1# sho ip pim neighbor

 PIM Neighbors

  IP Address      VLAN Up Time (sec)      Expire Time (sec)
  --------------- ---- ------------------ ------------------
  10.10.10.1      316  2305990            103


The receiver is requesting traffic from the source (IGMP membership report):

HP1# sho ip igmp vlan 200

 IGMP Service Protocol Info

  Total VLANs with IGMP enabled                : 7
  Current count of multicast groups joined     : 1

  IGMP Filter Unknown Multicast: Disabled
  IGMP Filter Unknown Multicast Status: Disabled

  VLAN ID : 200
  VLAN Name : 200-RECEIVER
  IGMP version : 2
  Querier Address [this switch] : 10.10.40.1
  Querier Port :
  Querier UpTime : 129d 3h 48m 43s
  Querier Expiration Time : 0h 0m 58s

  Active Group Addresses Type       Expires         Ports      Reports Queries
  ---------------------- ---------- --------------- ---------- ------- -------
  239.1.1.1              Filter     0h 4m 19s       A1         3       0

HP1# sho ip igmp groups

 IGMP Group Address Information

  VLAN ID Group Address   Expires       UpTime        Last Reporter   | Type
  ------- --------------- ------------- ------------- --------------- + ------
  200     239.1.1.1       0h 3m 27s     0h 2m 4s      10.10.40.2    | Filter

Check the mroute table on the HP and the Cisco:

HP1# sho ip pim mroute

 IP Multicast Route Entries

  Total number of entries : 1

  Group Address   Source Address  Neighbor        VLAN
  --------------- --------------- --------------- ----
  239.1.1.1       10.10.30.2      10.10.10.1      316


Cisco2#show  ip mroute
IP Multicast Routing Table
...

(*, 239.1.1.1), 00:02:43/00:02:46, RP 10.10.30.1, flags: S
  Incoming interface: GigaEthernet1/0/2, RPF nbr 10.10.20.2
  Outgoing interface list:
    GigaEthernet1/0/1, Forward/Sparse, 00:02:43/00:02:46

(10.10.30.1, 239.1.1.1), 00:02:43/00:00:16, flags: T
  Incoming interface: GigaEthernet1/0/2, RPF nbr 10.10.20.2
  Outgoing interface list:
    Port-channel3, Forward/Sparse, 00:02:43/00:02:46
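With a static RP, every router on the path has to map the group to the same RP address, and a mismatch or a too-narrow group range fails silently. The following added example (not part of the original post) checks that for a set of configurations; the function names and the BAD inputs are constructed, and Cisco lines that reference an ACL are deliberately not evaluated.

```python
import ipaddress
import re

# Static RP statements in the two forms used above:
#   Cisco: ip pim rp-address <rp>            (no ACL: all multicast groups)
#   HP:    rp-address <rp> <group> <mask>
RP_LINE = re.compile(r"^\s*(?:ip pim )?rp-address (\S+)(?: (\S+) (\S+))?\s*$")

def static_rps(config):
    """Return [(rp, group_range)] for every static RP statement in a config."""
    found = []
    for line in config.splitlines():
        m = RP_LINE.match(line)
        if m:
            rp, net, mask = m.groups()
            rng = ipaddress.ip_network(f"{net}/{mask}" if net else "224.0.0.0/4")
            found.append((ipaddress.ip_address(rp), rng))
    return found

def rp_problems(configs, group):
    """List routers with no RP for `group` and any disagreement between them."""
    group = ipaddress.ip_address(group)
    chosen = {name: {rp for rp, rng in static_rps(text) if group in rng}
              for name, text in configs.items()}
    problems = [f"{name}: no static RP covers {group}"
                for name, rps in chosen.items() if not rps]
    distinct = sorted({str(rp) for rps in chosen.values() for rp in rps})
    if len(distinct) > 1:
        problems.append(f"routers disagree on the RP for {group}: "
                        + ", ".join(distinct))
    return problems

# Constructed inputs: GOOD mirrors the RP lines above, BAD has two mistakes
# (wrong RP on Cisco1, group range on HP1 that excludes 239.1.1.1).
GOOD = {"Cisco2": "ip pim rp-address 10.10.30.1",
        "Cisco1": "ip pim rp-address 10.10.30.1",
        "HP1": "router pim\n   rp-address 10.10.30.1 224.0.0.0 240.0.0.0"}
BAD = {"Cisco2": "ip pim rp-address 10.10.30.1",
       "Cisco1": "ip pim rp-address 10.10.20.2",
       "HP1": "router pim\n   rp-address 10.10.30.1 232.0.0.0 255.0.0.0"}
```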



Monday, July 6, 2015

Configure Distributed Trunking on HP Procurve and MEC on Cisco VSS

Distributed Trunking is the 'equivalent' of vPC on the Cisco Nexus Series. It's a link aggregation technique which can be used even if the host is connected to 2 different switches. The following design has been built between 2 HP 5400 and 2 Cisco 4500 in VSS mode.



  • Configuration on the Cisco Switch:

interface Port-channel20
 description TO-HP-DT
 switchport
 switchport mode trunk
!
interface TenGigabitEthernet1/5/4
 description TO-HP-DT-1
 switchport mode trunk
 channel-group 20 mode active
!
interface TenGigabitEthernet2/5/4
 description TO-HP-DT-2
 switchport mode trunk
 channel-group 20 mode active


  • Configuration of the HP 1:
    • Configure ISC
trunk B7,E8 trk10 lacp
switch-interconnect trk10
vlan xxx
 tagged trk10
vlan xxx
 tagged trk10
...
    • Configure the keepalive 
interface D20
   name "Keep-Alive"
   exit
vlan 900
   name "VLAN900"
   untagged D20
   ip address 192.168.100.1 255.255.255.0
   exit
distributed-trunking peer-keepalive vlan 900
distributed-trunking peer-keepalive destination 192.168.100.2
    • Configure the dt-lacp between the VSS and the HP:
trunk A1,B1 trk1 dt-lacp

  • Configuration of the HP 2:
    • Configure ISC
trunk B7,E8 trk10 lacp
switch-interconnect trk10
vlan xxx
 tagged trk10
vlan xxx
 tagged trk10
...
    • Configure the keepalive 
interface D20
   name "Keep-Alive"
   exit
vlan 900
   name "VLAN900"
   untagged D20
   ip address 192.168.100.2 255.255.255.0
   exit
distributed-trunking peer-keepalive vlan 900
distributed-trunking peer-keepalive destination 192.168.100.1
    • Configure the dt-lacp between the VSS and the HP:
trunk A1,B1 trk1 dt-lacp
  • Validation:
HP-1# show switch-interconnect
Port         : Trk10
Status       : Up
Active VLANs : 1,100,200,300


HP-1# show distributed-trunking statistics peer-keepalive
DT peer-keepalive Status : Up

HP-1# show  distributed-trunking consistency-parameters trunk trk1

Allowed VLANs on Local : 1,100,200,300
Allowed VLANs on Peer  : 1,100,200,300

HP-1# show  lacp distributed

                             Distributed LACP

Local Port Status:

       LACP    Trunk   Port            LACP    Admin  Oper
  Port Enabled Group   Status  Partner Status  Key    Key
  ---- ------- ------- ------- ------- ------- ------ ------
  A1   Active  Trk1    Up      Yes     Success 0      290


Remote Port Status:

          LACP      Trunk     Port                LACP      Oper
   Port   Enabled   Group     Status    Partner   Status    Key
   ----   -------   -------   -------   -------   -------   ------
   A1     Active    Trk1      Up        Yes       Success   20

C4510-VSS-Core#show  lacp 20 neighbor

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Te1/5/4   SA      0         40a8.f07b.a400   2s    0x0    0x0    0x271F  0x3D
Te2/5/4   SA      0         40a8.f07b.a400   4s    0x0    0x0    0x271A  0x3D


Some remarks:
- ISC is only supported in MST mode
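The validation commands above can be checked automatically. This added example (not part of the original post) parses the same output fields and reports a down ISC or keepalive and VLAN lists that do not match; treating "all three VLAN lists agree" as the healthy state and the support for VLAN ranges are assumptions of the example.

```python
import re

# Fields as shown in the validation output above, joined into one capture.
HEALTHY = """\
Port         : Trk10
Status       : Up
Active VLANs : 1,100,200,300
DT peer-keepalive Status : Up
Allowed VLANs on Local : 1,100,200,300
Allowed VLANs on Peer  : 1,100,200,300
"""
# Constructed failure: keepalive down, VLAN 300 missing on the peer and the ISC.
BROKEN = (HEALTHY.replace("keepalive Status : Up", "keepalive Status : Down")
          .replace("Peer  : 1,100,200,300", "Peer  : 1,100,200")
          .replace("Active VLANs : 1,100,200,300", "Active VLANs : 1,100-200"))

def parse_vlans(spec):
    """Expand '1,100,200-202' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def field(text, label):
    """Return the value of the first 'label : value' line, or an empty string."""
    m = re.search(rf"^[ \t]*{re.escape(label)}[ \t]*:[ \t]*(.*)$", text, re.M)
    return m.group(1).strip() if m else ""

def check_dt(text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    if field(text, "Status") != "Up":
        findings.append("ISC is not up")
    if field(text, "DT peer-keepalive Status") != "Up":
        findings.append("peer-keepalive is not up")
    isc = parse_vlans(field(text, "Active VLANs"))
    local = parse_vlans(field(text, "Allowed VLANs on Local"))
    peer = parse_vlans(field(text, "Allowed VLANs on Peer"))
    if local != peer:
        findings.append(f"trunk VLANs differ between peers: {sorted(local ^ peer)}")
    if (local | peer) - isc:
        findings.append(f"DT trunk VLANs not on the ISC: {sorted((local | peer) - isc)}")
    return findings
```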

Friday, October 24, 2014

Configure Network Equipment to use Radius for authentication

Following my recent article on 'How to configure install and configure Freeradius', you will find below several examples of 'How to configure network equipment to use Radius for authentication'.

Cisco Catalyst

aaa new-model
ip radius source-interface vlan XXX
radius-server host <IP_address_radius_server> auth-port <port-number> acct-port <port-number>
radius-server key SharedKey
!
aaa authentication login default group radius local
! the next line directly upgrades the privilege to 'enable'
aaa authorization exec default group radius if-authenticated
!
line vty 0 15
 login authentication default


Switch HP Procurve

radius-server host <IP_address_radius_server> key "SharedKey" acct-port <port-number> auth-port <port-number>
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication login privilege-mode

Switch Nexus

ip radius source-interface mgmt 0
radius-server host <IP_address_radius_server> auth-port <port-number> acct-port <port-number>
radius-server key SharedKey
!
aaa group server radius FREE-RADIUS
 server <IP_address_radius_server>
 use-vrf management
 source-interface mgmt 0
!
aaa authentication login default group FREE-RADIUS

Monday, October 13, 2014

Command Line Tricks for HP Procurve Switches

Below are some helpful commands.

  • Display logs or debug on current session:
    • terminal monitor (Cisco)
    • debug destination session (HP Procurve)
  • By default, HP Procurve switches don't display packet drops per queue. You can enable the monitoring on only 1 interface with the command below:
    • qos watch-queue xx out (where xx is the interface you want to monitor)
  • Obtain 'show tech':
    • copy command-output "show tech all" sftp user ftpuser 10.10.10.10 show-tech.txt
  • Filter a 'show running' command:
    • Like Cisco, it's possible to use '|' after the 'show running'
Switch# show running-config | include router
ip router-id 1.1.1.1
router ospf
router vrrp

Switch# show running-config | begin router
ip router-id 1.1.3.1