Configuring the D-Link DES-3028 Switch

Today, I configured the next switch D-Link DES-3028, the firmware was 2.94.B07.

And so, connect the console cable to the switch and add the vlan control (I have it 207, 25 port uplink):

create vlan core tag 207
config vlan core add tagged 25

Assign the switch IP address:

config ipif System vlan core ipaddress 192.168.1.2/24 state enable

Let’s specify the default route:

create iproute default 192.168.1.1 1

Add the admin account:

create account admin NAME

Add a client VLAN (I have it 226), specify PVID and remove the standard VLAN:

create vlan local_smart tag 226
config vlan local_smart add tagged 25
config vlan local_smart add untagged 1-24,26-28
disable gvrp
config gvrp 1-28 state disable ingress_checking enable acceptable_frame admit_all pvid 226
config vlan default delete 1-28

Let’s configure protection against broadcast flooding:

config traffic trap both
config traffic control 1-24,26-28 broadcast enable multicast disable unicast disable action drop threshold 64 countdown 5 time_interval 5

Let’s configure the loop protection:

enable loopdetect
config loopdetect recover_timer 3000
config loopdetect interval 10
config loopdetect trap none
config loopdetect port 1-24,26-28 state enabled
config loopdetect port 25 state disabled

Let’s configure traffic segmentation, if it is necessary that users within the switchboard do not see each other:

config traffic_segmentation 1-24 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28

Set up the time zone and time synchronization:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 7000

Let’s specify from what IP the access to WEB, telnet and SNMP of the switch is allowed:

create trusted_host 192.168.1.1
create trusted_host 192.168.5.20

Let’s configure the protection from DOS:

disable dos_prevention trap_log
config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type smurf_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmascan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state disable

For IP-MAC-Port Binding functions, we allow IP 0.0.0.0 (under it Windows tries to get IP):

config address_binding ip_mac ports 1-28 state disable allow_zeroip enable forward_dhcppkt enable

Configuring SNMP:

delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community TEXT view CommunityView read_write
create snmp community TEXT view CommunityView read_only
config snmp system_name TEXT
config snmp system_location TEXT
config snmp system_contact TEXT

Let’s configure protection from third-party DHCP servers:

config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server trap_log enable
config filter dhcp_server illegal_server_log_suppress_duration 30min

From third-party DHCP servers can also be protected through ACL:

create access_profile ip udp src_port 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 1 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny

We will configure protection against BPDU of garbage:

config bpdu_protection ports 1-24,26-28 mode drop

Turn on the function SAFEGUARD_ENGINE, so you can go to the switch at 100% CPU utilization:

config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy

Fine-Tuning FDB:

config fdb aging_time 300
config multicast port_filtering_mode 1-28 filter_unregistered_groups
disable flood_fdb
config flood_fdb log disable trap disable

Other small settings:

config serial_port baud_rate 9600 auto_logout 10_minutes
enable password encryption
config terminal_line default
enable clipaging
disable command logging
enable password_recovery
enable syslog
config log_save_timing on_demand

Done.

Configuring the ZyXEL ES-2108 Switch

I recently configured the ZyXEL ES-2108 switch.
Standard IP 192.168.1.1, login – admin, password – 1234.

I will give below examples of commands.

Let’s review the current configuration:

show running-config
show system-information

Now go to the configuration mode:

configure

Change the administrator password:

admin-password PASSWORD
password PASSWORD

Turn on flood control and loop protection:

storm-control
loopguard

Let’s configure the VLAN to manage and assign the IP (I have a 207 vlan tag, 1 – uplink port):

vlan 207
  name core
  normal ""
  fixed 1
  forbidden 2-8
  untagged 2-8
  ip address default-management 192.168.1.20 255.255.255.0
  ip address default-gateway 192.168.1.1
exit

Let’s configure VLAN for users (comes without a tag):

vlan 226
  name users
  normal ""
  fixed 1-8
  untagged 1-8
exit

Configure the uplink port:

interface port-channel 1
  pvid 226
  vlan-trunking
exit

Configure the other client ports:

interface port-channel 2-8
bmstorm-limit
bmstorm-limit 128
loopguard
pvid 226
exit

Set the time parameters:

time timezone 200
timesync server 192.168.1.1
timesync ntp

Configuring SNMP:

snmp-server set-community NAME
snmp-server trap-community NAME
snmp-server contact admin location LOCATION

Configure the logs:

syslog
syslog type system
syslog type interface
syslog type switch
syslog type aaa
syslog type ip

Let’s specify which IPs are allowed to administer the switch:

remote-management 1
remote-management 2
remote-management 1 start-addr 192.168.1.1 end-addr 192.168.1.1 service telnet ftp http icmp snmp ssh https
remote-management 2 start-addr 192.168.1.5 end-addr 192.168.1.5 service telnet ftp http icmp snmp ssh https

Exit the configuration mode:

exit

To view mac-addresses, use the command:

show mac address-table

Save the settings:

write memory

Done.

Configuring Fasttrack on Mikrotik

FastTrack accelerates the processing of packets, started working on firmware from 6.29.

Setting example:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

The added rules should be before the others.

Let’s see a list of rules:

/ip firewall filter print

We will move our two added to the top (I have them under ID 33 and 34):

/ip firewall filter move 33  destination=1
/ip firewall filter move 34  destination=2

How to restore the standard mac-addresses of MikroTik interfaces

Recently, I had to copy the settings of one MikroTik router to another one and after I saved the settings to a file and populated them on the second, I noticed that mac addresses were also copied.

Therefore, we had to reset them to standard ones.
First, let’s see what the interface numbers are (I have ether1 for 0, ether2 for 1, etc.):

interface ethernet print

And reset their mac-addresses:

interface ethernet reset-mac-address 0
interface ethernet reset-mac-address 1
interface ethernet reset-mac-address 2
interface ethernet reset-mac-address 3
interface ethernet reset-mac-address 4

If you need to reset the mac of the wireless interface, then save the wireless settings to the file:

interface wireless export file wifibackup

Look at the wireless interfaces (I have one at number 0):

interface wireless print

Reset all settings including the mac address:

interface wireless reset-configuration 0

Restore the settings from the previously saved file (mac-address in this case will remain standard):

import wifibackup.rsc

Done.

Limiting access to management of Huawei SmartAX MA5600

For example, to allow to connect to the Huawei SmartAX MA5600 series via telnet only to the specified IP address ranges 192.168.0.100-192.168.0.254 and 172.16.24.1-172.16.24.50 we will connect to the device and go into the configuration mode:

enable
config

And execute the following commands (for non-specified IP access is immediately prohibited):

sysman ip-access telnet 192.168.0.100 192.168.0.254
sysman ip-access telnet 172.16.24.1 172.16.24.50
sysman firewall telnet enable

Similarly for SSH:

sysman ip-access ssh 192.168.0.100 192.168.0.254
sysman firewall ssh enable

And SNMP for example for one IP:

sysman ip-access snmp 192.168.0.100 192.168.0.100
sysman firewall snmp enable

To deny access to the specified subnet, we specify ip-refuse instead of ip-access, for example:

sysman ip-refuse telnet 192.168.1.200 192.168.1.220
sysman firewall telnet enable

On the test, I performed the settings for Huawei SmartAX MA5683T, they are essentially the same for the entire MA5600 series.

Reason for messages “Failure: System is busy, please retry after a while” on Huawei OLT

Once when executing commands in the Huawei SmartAX console, the MA5683T began to notice often the message:

Failure: System is busy, please retry after a while

As it turned out, the reason in my case was Zabbix, which every hour received SNMP levels ONT and drew graphics. SNMP requests from him were packed with packets of 30-50, separately for each port. I solved the problem by increasing the timeout in the Zabbix server configuration and the verification period for more hours, because OLT was slowly issuing information, Zabbix was not available, considered it inaccessible, paused briefly and sent requests again.
Also, in the settings of the Zabbix node, you need to uncheck “Use bulk requests”.

Speed limit on Ubiquiti devices

Suppose we need to limit the speed on the client antenna.
Accordingly, it is in the station mode and is connected to the access point.

For restriction, we go to the web-based antenna management interface, open the Network tab, change the Configuration Mode: to Advanced, which will bring more parameters that you can configure .

At the very bottom, click on Traffic Shaping, check the Enable checkbox and specify the desired speed limit for WLAN0 or LAN0.
For example, you need to limit the reception speed to 5Mb/s and send up to 512Kbps, for reliability, we’ll specify a limit for both network interfaces, where Ingress is specified for WLAN0 5120, and for LAN0 512, respectively, for Egress, vice versa, WLAN0 – 512, and LAN0 – 5120, burst is left unchanged, that is, 0.

To apply the changes click below Change and then above Apply, after which the antenna configuration will reboot.

On the access point, alas, you can not limit the speed for each client, if you do the above settings (in reverse order), then the overall speed for all clients will be limited. In this case, you can cut the speed, for example billing, by turning on the Advanced tab Client Isolation in the Advanced tab so that clients do not see each other on the network and do not exchange traffic.

Done.

Configuring ACL on Ubiquiti devices

Let’s say we want to configure the ACL (access control list) on the Ubiquiti access point.

In the web interface of the device, open the tab “Wireless“.

At the very bottom opposite “MAC ACL:” tick the “Enable“.

And choose “Policy:“, on “Allow” (means that there will be devices on the list that are allowed to connect, all who are not registered – can not) or “Deny” (in the list of devices that can not be connected, and everyone else can).

By clicking on the button “ACL…“, in the opened window to add the device, in the first field we indicate its MAC, in the second one any desired description and click “Add“, later “Save“.
And the last stage is at the top click the button “Apply“, after which the changes are saved and applied without loss of communication with the device (without rebooting).