How to catch broadcast storms on FoxGate switches

First of all, let’s look at the statistics of active traffic on ports:

show interface ethernet counter rate

Then we’ll look at the packet counters, especially pay attention to the BroadCast (pkts) column:

show interface ethernet counter packet

For a specific port, we will execute the command to view the statistics of the network interface several times:

show interface ethernet 1/25

And let’s pay attention to how the incoming and outgoing values of the broadcast packets change, if they do not change, then the broadcast packets do not go through this port, if the digit increases rapidly, then maybe there is a broadcast storm.

If necessary, we will enter the competing mode and set the limit of transmitted broadcast packets in kilobits (minimum value 1) for the required ports:

config
Interface Ethernet1/1
storm-control broadcast 50
Interface Ethernet1/2
storm-control broadcast 50
Interface Ethernet1/3
storm-control broadcast 50
...

Note that with a low broadcast bandwidth limit, DHCP broadcast requests from clients can also be blocked.

See also:
Block DHCP servers on FoxGate switches
Configuring the Foxgate S6224-S2 Switch

Dying gasp Alarm on Huawei OLT

Sometimes on Huawei OLT you can see Dying gasp Alarm (0x2e11a00b).

Since they often occur, most likely they can be seen by running the commands:

display alarm active alarmid 0x2e11a00b
display alarm history alarmid 0x2e11a00b

I will give an example:

ALARM 531377 FAULT MINOR 0x2e11a00b SERVICE QUALITY 2017-12-06 08:19:27+02:00
ALARM NAME : The dying-gasp of GPON ONTi (DGi) is generated
SRVEFF : SA
PARAMETERS : FrameID: 0, SlotID: 5, PortID: 6, ONT ID: 32, Equipment ID:
TL-GP110
DESCRIPTION : The ONT is power off
CAUSE : The power supply of the ONT is abnormal
ADVICE : Check the power supply of the ONT and ensure that the power
supply works in the normal state

These alarms occur when power is lost or the power cord is removed from the ONT, at this moment ONT manages to send the Dying gasp message to the OLT.
Dying gasp is also used on many other devices, for example, to correctly terminate the connection.

How to upgrade the Firmware of the ASUS RT-N12E Router

In order to update the firmware of the Asus RT-N12E router, you need to enter its settings by typing in the browser address http://192.168.0.1 and enter your login – admin, password – admin, see the firmware version that is installed, usually it is written at the very top, for example “Firmware version: 2.0.0.16”.

Check for a new version of the firmware on the official site and if it is there to download it:
http://www.asus.com/Networking/RTN12E/HelpDesk_Download

Next, open the menu “Administration“, select a tab “Firmware Upgrade“, press “Browse” and select the firmware file, click “Send” and wait for the update process to complete.

The configuration of the router remains unchanged.
If the update fails, the router can be restored using a utility that can also be downloaded from the link above.

Configuring graphs in Mikrotik

The graphs are an excellent tool for monitoring the device’s processor load, disk and RAM, voltage and temperature, and the amount of traffic transmitted through network interfaces.
Via Winbox or the web-based interface, the settings can be found in the “Tools” -> “Graphing” menu.

I will describe the following commands in order:

Frequency of recording of collected data (standard 5 minutes):

tool graphing set store-every 24hours|5min|hour

The refresh rate of the chart page (standard 300):

tool graphing set page-refresh integer|never

Graphing interface
The IP range from which graphs are allowed to be viewed (standard 0.0.0.0/0):

tool graphing interface allow-address ADDRESS

Description of the current record:

tool graphing interface comment TEXT

Determines whether the element is used:

tool graphing interface disabled yes|no

Determines which interface will be monitored (standard all):

tool graphing interface interface all|interface

Specifies whether to store collected information on the system disk (standard yes):

tool graphing interface store-on-disk yes|no

Graphing queue
The IP range from which graphs are allowed to be viewed (standard 0.0.0.0/0):

tool graphing queue allow-address ADDRESS

Whether to allow access to schedules from queue’s target-address (standard yes):

tool graphing queue allow-target yes|no

Description of the current record:

tool graphing queue comment TEXT

Determines whether the element is used:

tool graphing queue disabled yes|no

Which queues will be monitored (everything is standard):

tool graphing queue simple-queue all|NAME

Specifies whether to store collected information on the system disk (standard yes):

tool graphing queue store-on-disk yes|no

Graphing resource
The IP range from which graphs are allowed to be viewed (standard 0.0.0.0/0):

tool graphing resource allow-address ADDRESS

Description of the current record:

tool graphing resource comment TEXT

Determines whether the element is used:

tool graphing resource disabled yes|no

Specifies whether to store collected information on the system disk (standard yes):

tool graphing resource store-on-disk yes|no

You can see the graphs in the address bar of the browser http://ADDRESS/graphs/
If you reboot the router, the graphics will remain, if you update firmware, they will be deleted.

Configuring the D-Link DGS-3120 Switch

For example, take the DGS-3120-24SC with firmware 3.00.B026.

Configuring notifications from sensors:

config temperature threshold high 79
config temperature threshold low 11
config temperature trap state enable
config temperature log state enable
config fan trap state enable
config power trap state enable

Adding an administrator account:

create account admin NAME PASSWORD

Enabling password storage in encrypted form:

enable password encryption

Setting the auto exit when connected via the console port:

config serial_port auto_logout never

Enabling the web interface:

enable web 80

Enabling display of information in the console in pagination mode:

enable clipaging

Width of the console line:

config terminal width 80

Disable saving the history of the entered commands:

disable command logging

Enabling password recovery:

enable password_recovery

Disabling trap notification when manipulating the configuration:

config configuration trap save disable
config configuration trap upload disable
config configuration trap download disable

debug config state enable
debug config error_reboot enable

Configuring Traffic Control:

config traffic control 1:1-1:24 broadcast enable multicast disable unicast disable action drop broadcast_threshold 100 multicast_threshold 131072 unicast_threshold 131072 countdown 5 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable

Enabling loop protection on ports other than the uplink ninth:

enable loopdetect
config loopdetect recover_timer 600 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1:1 state enable
config loopdetect ports 1:2 state enable
config loopdetect ports 1:3 state enable
config loopdetect ports 1:4 state enable
config loopdetect ports 1:5 state enable
config loopdetect ports 1:6 state enable
config loopdetect ports 1:7 state enable
config loopdetect ports 1:8 state enable
config loopdetect ports 1:9 state disable
config loopdetect ports 1:10 state enable
config loopdetect ports 1:11 state enable
config loopdetect ports 1:12 state enable
config loopdetect ports 1:13 state enable
config loopdetect ports 1:14 state enable
config loopdetect ports 1:15 state enable
config loopdetect ports 1:16 state enable
config loopdetect ports 1:17 state enable
config loopdetect ports 1:18 state enable
config loopdetect ports 1:19 state enable
config loopdetect ports 1:20 state enable
config loopdetect ports 1:21 state enable
config loopdetect ports 1:22 state enable
config loopdetect ports 1:23 state enable
config loopdetect ports 1:24 state enable
config loopdetect trap none

Disabling the traffic mirroring function:

disable mirror

Log settings:

config log_save_timing on_demand
disable syslog
config system_severity trap notice
config system_severity log information

Segmentation of traffic (prohibition of traffic between ports, uplink port is indicated ninth):

config traffic_segmentation 1:1-1:8,1:10-1:24 forward_list 1:9
config traffic_segmentation 1:9 forward_list 1:1-1:24

Permission to use large packages:

enable jumbo_frame

Example of port configuration:

config ports 1:1 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description Kvartiru
config ports 1:1-1:8 medium_type fiber speed auto   flow_control disable learning enable state enable
config ports 1:2 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description BAT
config ports 1:3-1:7 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto
config ports 1:8 medium_type copper speed auto  flow_control disable learning enable state enable mdix auto description Studentu
config ports 1:9 speed auto   flow_control disable learning enable state enable mdix auto description VHOD
config ports 1:10 speed auto   flow_control disable learning enable state enable mdix auto description Zheleznodorozhnaya
config ports 1:11-1:24 speed auto   flow_control disable learning enable state enable mdix auto

We only allow access to the switch from the specified addresses:

create trusted_host network 10.0.0.100/32 snmp telnet ssh http https ping
create trusted_host network 172.16.0.0/24 snmp telnet ssh http https ping

SNMP settings:

disable snmp traps
disable snmp authenticate_traps
disable snmp linkchange_traps
enable snmp
config snmp system_name DGS-3120-24SC
config snmp system_location текст
config snmp linkchange_traps ports 1:1-1:24 enable
config snmp coldstart_traps disable
config snmp warmstart_traps disable
config rmon trap rising_alarm enable
config rmon trap falling_alarm enable
delete snmp community public
delete snmp community private
create snmp community NEW view CommunityView read_only
disable community_encryption

Example of VLAN configuration:

disable pvid auto_assign
config vlan default delete 1:1-1:24
config vlan default advertisement enable
create vlan core tag 207
config vlan core add tagged 1:8-1:13,1:15-1:16,1:18-1:20,1:22-1:24
config vlan core add forbidden 1:1-1:7 advertisement disable
create vlan local_smart tag 226
config vlan local_smart add tagged 1:9-1:13,1:15-1:16,1:18-1:20,1:22-1:24
config vlan local_smart add untagged 1:1-1:7,1:14,1:17,1:21 advertisement disable
create vlan local_smart2 tag 227
config vlan local_smart2 add tagged 1:8-1:9 advertisement disable
create vlan hpna tag 228
config vlan hpna add tagged 1:9,1:12 advertisement disable
create vlan multicast tag 229
config vlan multicast advertisement disable
create vlan lift tag 300
config vlan lift add tagged 1:9,1:11,1:13 advertisement disable
disable gvrp
disable asymmetric_vlan
disable vlan_trunk
config port_vlan 1:1-1:7,1:9-1:24 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 226
config port_vlan 1:8 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 227

Standard settings for PORT_SECURITY:

config port_security system max_learning_addr no_limit
config port_security trap state disable
config port_security log state disable
config port_security ports 1:1-1:24 admin_state disable max_learning_addr 32 action drop lock_address_mode deleteonreset

Here is an example of blocking mac addresses through ACL rules:

create access_profile profile_id 1 profile_name tank34 ethernet source_mac FF-FF-FF-FF-FF-FF
config access_profile profile_id 1 add access_id 1 ethernet source_mac E8-9A-8F-BB-F8-44 vlan_based vlan_id 226 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 port 1:24 deny
config access_profile profile_id 1 add access_id auto_assign ethernet source_mac F8-1A-67-FE-E7-00 vlan_based vlan_id 226 deny

PowerSaving

config power_saving mode link_detection enable
config power_saving mode length_detection disable
config power_saving mode hibernation disable
config power_saving mode led disable
config power_saving mode port disable

LED-CTRL

config led state enable

MAC address storage time in the router table in seconds:

config fdb aging_time 300

Filtering NetBios (blocking access to the shared resources of users):

config filter netbios all state disable
config filter netbios 1:1-1:24 state enable
config filter extensive_netbios all state disable

Configuring protection against DoS attacks:

config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmasscan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state enable
config dos_prevention dos_type ping_death_attack action drop state enable
config dos_prevention dos_type tcp_tiny_frag_attack action drop state enable
config dos_prevention trap disable
config dos_prevention log disable

We resolve replies from DHCP servers only from the uplink port, thereby blocking the others:

config filter dhcp_server ports all state disable
config filter dhcp_server ports 1:1-1:8,1:10-1:24 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap disable
config filter dhcp_server log enable

Configuring BPDU protection:

enable bpdu_protection
config bpdu_protection recovery_timer 3000
config bpdu_protection log none
config bpdu_protection ports 1:1-1:8,1:10-1:24 state enable
config bpdu_protection ports 1:1-1:24 mode drop

Configuring the Switch Self-Protection “SAFEGUARD ENGINE”:

config safeguard_engine state enable utilization rising 100 falling 93 trap_log enable mode fuzzy

Standard SSH parameters:

config ssh algorithm 3DES enable
config ssh algorithm AES128 enable
config ssh algorithm AES192 enable
config ssh algorithm AES256 enable
config ssh algorithm arcfour enable
config ssh algorithm blowfish enable
config ssh algorithm cast128 enable
config ssh algorithm twofish128 enable
config ssh algorithm twofish192 enable
config ssh algorithm twofish256 enable
config ssh algorithm MD5 enable
config ssh algorithm SHA1 enable
config ssh algorithm RSA enable
config ssh algorithm DSA enable
config ssh authmode password enable
config ssh authmode publickey enable
config ssh authmode hostbased enable
config ssh server maxsession 8
config ssh server contimeout 120
config ssh server authfail 2
config ssh server rekey never
config ssh server port 22
config ssh user NAME authmode password
config ssh publickey bypass_login_screen state disable
disable ssh

Enabling telnet service:

enable telnet 23

SMTP

disable smtp
config smtp server_port 25

Configuring SNTP time parameters:

enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 poll-interval 31720
config dst disable

LACP

config link_aggregation algorithm mac_source
config lacp_port 1:1-1:24 mode passive

IP

config ipif_mac_mapping ipif System mac_offset 0
config ipif System ipaddress 10.0.0.235/24 vlan core
config ipif System dhcpv6_client disable
config ipif System proxy_arp disable local disable
config ipif System dhcp_option12 state disable
disable autoconfig

Disabling DHCP Relay

disable dhcp_relay
disable dhcpv6_relay

ARP

config arp_aging time 20
config gratuitous_arp send ipif_status_up disable
config gratuitous_arp send dup_ip_detected disable
config gratuitous_arp learning disable

Setting the main route:

create iproute default 192.168.1.1 1 primary

Saving configuration:

save all

Firmware Update Dahua IPC-HFW1320S-W

For the test, I will update the firmware on the IP camera Dahua IPC-HFW1320S-W.

Let’s see what firmware is installed, open the web interface of the device, select the “Setting” tab, on the left the “Information” – “Version” menu.

In my case, the Russian version of the firmware was installed:

System Version 2.400.0001.11.R, Build Date: 2017-04-01
WEB Version 3.2.1.392220
ONVIF Version 2.42

Let’s see a new firmware on the official site and download it
https://www.dahuasecurity.com/products/productDetail/5631

The firmware file is usually in the archive, so unpack it.

In the web interface of the device, open the “Setting” tab, on the left in the “System” menu – “Upgrade”.
Press the “Browse…” button, select the file of the new firmware unpacked from the archive and press the “Upgrade” button to start the update process, which will last about 5 minutes, at this time you can not turn off the power of the device.

I was flashing with the English firmware, after the firmware in the “Information” – “Version” menu, the following was displayed:

System Version 2.400.0000000.16.R, Build Date: 2017-08-31
WEB Version 3.2.1.490211
ONVIF Version 16.12(V2.3.1.458331)

The solution of the error “Kernel failure” and “Out of memory” in Mikrotik

There was a problem, often began to reboot itself MikroTik CAS125-24G-1S-RM.
The firmware at that time was the last one – WebFig v6.9
The following information was displayed in the logs:

System rebooted because of kernel failure
Out of memory condition was detected
router was rebooted without proper shutdown

Having looked in “system” -> “resources” it was evident that the free memory of the device is constantly decreasing.
Then I began to recall what was involved and configured on the device.
Bumping into and looking “Cache Used” in “IP” -> “Web Proxy” it was evident that the size of the cache is constantly growing.
From here it was clear that when the device’s memory was running out and the kernel crashed.
Therefore, the solution to this problem was to restrict the proxy cache by specifying the maximum size in the “Max. Cache Size“.
Done.

Configuring Cloud in Mikrotik

Starting from the version of RouterOS v6.14, the Cloud function is added which allows using the Dynamic DNS name for a device that is automatically assigned and can be accessed by it even if the IP address is changed.

Example of switching through the console:

ip cloud set enabled=yes

Example of viewing parameters:

ip cloud print

Enable device time update with DDNS server time (if SNTP or NTP service is not configured):

ip cloud update-time yes/no

Immediate update of DDNS:

ip cloud force-update

View the DDNS name:

ip cloud dns-name

View the public IP address to which DDNS is bound:

ip cloud public-address

Binding DDNS to a local IP address instead of a public one, for example to 192.168.1.101, etc.)

ip cloud advanced use-local-address yes/no

View the current status of the Cloud (updated, updated, error, etc.):

ip cloud status

Through the graphical interface of the Cloud settings can be found in the menu “IP” – “Cloud”.