For the test, I performed a reset on the BDCOM P3310C-2AC; other BDCOM P3310 revisions can be reset in the same way.
Configuring the D-Link DES-3528 Switch
Today I configured the next switch D-Link DES-3528.
I will lay out the configuration below and briefly describe it.
When typing commands, you can press the TAB key to have the switch offer completions, and after any command you can type a space and a question mark “?” to see the possible subcommands.
To view the current switch configuration, use the command:
show config current_config
Let’s get started.
Connect to the switch with a console cable at 9600 baud, or over the network at the default IP address 10.90.90.90, and add an administrator account (initially you log in without a login or password):
create account admin admin
Enable password encryption so that passwords are not stored in clear text in the config file:
enable password encryption
Add a VLAN for management and one for users (I use VLAN 207 "core" for management, 226 for users, and port 25 as the uplink):
create vlan core tag 207
config vlan core add tagged 25
create vlan local_smart tag 226
config vlan local_smart add untagged 1-28
config port_vlan 1-28 acceptable_frame admit_all pvid 226
config vlan default delete 1-28
Change the IP address of the switch and specify the gateway:
config ipif System ipaddress 192.168.0.50/24 vlan core
create iproute default 192.168.0.1 1 primary
Let’s enable the restriction of broadcast traffic on client ports:
config traffic control 1-24,26-28 broadcast enable action drop broadcast_threshold 100 countdown 0 time_interval 5
Enable loop protection on client ports:
enable loopdetect
config loopdetect recover_timer 300 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1-24,26-28 state enable
config loopdetect trap loop_detected
Enable traffic segmentation so that clients do not see each other:
config traffic_segmentation 1-24,26-28 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28
Enable DHCP server filtering on the client ports so that clients cannot hand out IP addresses:
config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
config filter dhcp_server trap_log enable
Let’s specify which IPs are allowed to log on to the switch (so that users do not see it):
create trusted_host network 192.168.0.2/32 snmp telnet ssh http https ping
create trusted_host network 192.168.1.5/32 snmp telnet ssh http https ping
Set up SNMP if you need it:
enable snmp
delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community NAME view CommunityView read_only
Turn on the protection against BPDU flood:
enable bpdu_protection
config bpdu_protection recovery_timer 2400
config bpdu_protection log none
config bpdu_protection ports 1-24,26-28 state enable
config bpdu_protection ports 1-28 mode drop
Enable the Safeguard Engine so that you can still reach the switch when the processor is fully loaded:
config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy
If necessary, configure the time synchronization with the NTP server:
enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 10.0.0.18 poll-interval 5000
This completes the basic configuration of the D-Link DES-3528 switch.
SNMP OIDs for BDCOM OLT
Today I wrote a Zabbix template for the BDCOM P3310B to make it convenient to monitor, and explored a few necessary OIDs.
To test an OID from a Linux terminal, for example, use the command:
SNMP MIBs and OIDs for Ubiquiti PowerBeam 5AC
I wrote a Zabbix template for the Ubiquiti PowerBeam 5AC and explored several basic SNMP OIDs that are worth graphing.
The OIDs were tested on devices configured in Station mode with firmware v7.1.4 (XC).
You can check the OID from a Linux command, for example:
snmpwalk -v 1 -c public 192.168.1.20 .1
First of all, I looked at what interfaces there are (if you add VLAN, etc. on the device, their number can be shifted):
snmpwalk -v 1 -c public 192.168.1.20 ifDescr
The following objects give incoming and outgoing traffic (I have LAN eth0 under index 4 and WLAN ath0 under index 10), for example for LAN traffic:
ifInOctets.4
ifOutOctets.4
Average CPU usage per 1min / 5min / 15min:
1.3.6.1.4.1.10002.1.1.1.4.2.1.3.1
1.3.6.1.4.1.10002.1.1.1.4.2.1.3.2
1.3.6.1.4.1.10002.1.1.1.4.2.1.3.3
The AP TX and RX values in kilobytes can be read from the following OIDs:
1.3.6.1.4.1.41112.1.4.7.1.17.1.4.24.214
1.3.6.1.4.1.41112.1.4.7.1.18.1.4.24.214
The noise level can be read from:
1.3.6.1.4.1.41112.1.4.7.1.4.1.4.24.214
Signal strength: 1.3.6.1.4.1.41112.1.4.5.1.5.1
Frequency: 1.3.6.1.4.1.41112.1.4.1.1.4.1
SSID: 1.3.6.1.4.1.41112.1.4.5.1.2.1
Uptime: 1.3.6.1.2.1.1.3.0
Free memory: 1.3.6.1.4.1.10002.1.1.1.1.2.0
Total Memory: 1.3.6.1.4.1.10002.1.1.1.1.1.0
MAC address of the access point to which the device is connected: 1.3.6.1.4.1.41112.1.4.5.1.4.1
The IP address of the access point to which the device is connected: 1.3.6.1.4.1.41112.1.4.7.1.10.1.4.24.214.232.12.159
Antenna type: 1.3.6.1.4.1.41112.1.4.1.1.9.1
See also:
SNMP OID and MIB for interfaces
How to hard reset LG L80 Dual D380
I recently did a hard reset on the LG L80 Dual D380 because it was running slowly and the battery was draining quickly.
I will describe the order of actions:
1) Turn off the phone.
2) Press and hold the volume down and power buttons; when the picture appears, keep holding the volume button, release the power button and press it again.
3) The reset menu appears; use the volume buttons to select “YES” and the power button to confirm “OK”, then answer the second question the same way with “YES” and “OK”.
The phone will reboot, the user data will be cleared and the phone will be reset to factory settings. You will have to wait a little. Done.
Configuring the D-Link DES-3028 Switch
Today, I configured the next switch D-Link DES-3028, the firmware was 2.94.B07.
Connect the console cable to the switch and add the management VLAN (mine is 207, port 25 is the uplink):
create vlan core tag 207
config vlan core add tagged 25
Assign the switch IP address:
config ipif System vlan core ipaddress 192.168.1.2/24 state enable
Let’s specify the default route:
create iproute default 192.168.1.1 1
Add the admin account:
create account admin NAME
Add a client VLAN (I have it 226), specify PVID and remove the standard VLAN:
create vlan local_smart tag 226
config vlan local_smart add tagged 25
config vlan local_smart add untagged 1-24,26-28
disable gvrp
config gvrp 1-28 state disable ingress_checking enable acceptable_frame admit_all pvid 226
config vlan default delete 1-28
Let’s configure protection against broadcast flooding:
config traffic trap both
config traffic control 1-24,26-28 broadcast enable multicast disable unicast disable action drop threshold 64 countdown 5 time_interval 5
Let’s configure the loop protection:
enable loopdetect
config loopdetect recover_timer 3000
config loopdetect interval 10
config loopdetect trap none
config loopdetect port 1-24,26-28 state enabled
config loopdetect port 25 state disabled
Let’s configure traffic segmentation, if users on the same switch must not see each other:
config traffic_segmentation 1-24 forward_list 25
config traffic_segmentation 25 forward_list 1-24,26-28
Set up the time zone and time synchronization:
enable sntp
config time_zone operator + hour 2 min 0
config sntp primary 192.168.1.1 secondary 0.0.0.0 poll-interval 7000
Let’s specify from what IP the access to WEB, telnet and SNMP of the switch is allowed:
create trusted_host 192.168.1.1
create trusted_host 192.168.5.20
Let’s configure the protection against DoS:
disable dos_prevention trap_log
config dos_prevention dos_type land_attack action drop state enable
config dos_prevention dos_type blat_attack action drop state enable
config dos_prevention dos_type smurf_attack action drop state enable
config dos_prevention dos_type tcp_null_scan action drop state enable
config dos_prevention dos_type tcp_xmascan action drop state enable
config dos_prevention dos_type tcp_synfin action drop state enable
config dos_prevention dos_type tcp_syn_srcport_less_1024 action drop state disable
For the IP-MAC-Port Binding function, allow IP 0.0.0.0 (Windows uses it while trying to obtain an IP address):
config address_binding ip_mac ports 1-28 state disable allow_zeroip enable forward_dhcppkt enable
Configuring SNMP:
delete snmp community public
delete snmp community private
delete snmp user initial
create snmp community TEXT view CommunityView read_write
create snmp community TEXT view CommunityView read_only
config snmp system_name TEXT
config snmp system_location TEXT
config snmp system_contact TEXT
Let’s configure protection from third-party DHCP servers:
config filter dhcp_server ports 1-24,26-28 state enable
config filter dhcp_server trap_log enable
config filter dhcp_server illegal_server_log_suppress_duration 30min
Protection against third-party DHCP servers can also be implemented with an ACL:
create access_profile ip udp src_port 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 port 25 permit
config access_profile profile_id 1 add access_id 2 ip udp src_port 67 port 1-24,26-28 deny
Let’s configure protection against junk BPDUs:
config bpdu_protection ports 1-24,26-28 mode drop
Turn on the SAFEGUARD_ENGINE function, so that you can still reach the switch at 100% CPU utilization:
config safeguard_engine state enable utilization rising 100 falling 95 trap_log enable mode fuzzy
Fine-Tuning FDB:
config fdb aging_time 300
config multicast port_filtering_mode 1-28 filter_unregistered_groups
disable flood_fdb
config flood_fdb log disable trap disable
Other small settings:
config serial_port baud_rate 9600 auto_logout 10_minutes
enable password encryption
config terminal_line default
enable clipaging
disable command logging
enable password_recovery
enable syslog
config log_save_timing on_demand
Done.
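A way to verify that a saved configuration from either D-Link switch above still carries the hardening steps from these two posts. This is an added example, not code from the posts: the function names and the sample text are constructed for illustration, and the uplink check assumes the legitimate DHCP server is reached through the uplink port (25 in both posts).

```python
import re

def expand_ports(spec):
    """Expand a D-Link port list such as '1-24,26-28' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

# Per-port protections used in both D-Link posts; group 1 is the port list.
PORT_CHECKS = {
    "DHCP server filter": r"config filter dhcp_server ports (\S+) state enable",
    "loop detection": r"config loopdetect ports? (\S+) state enable",
    "broadcast storm control": r"config traffic control (\S+) broadcast enable",
}

def audit(config_text, client_ports, uplink):
    """Return findings for hardening steps missing from a saved config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    if "enable password encryption" not in lines:
        findings.append("password encryption not enabled")
    for name in ("public", "private"):
        if f"delete snmp community {name}" not in lines:
            findings.append(f"default SNMP community '{name}' not deleted")
    if not any(l.startswith("create trusted_host ") for l in lines):
        findings.append("management access not limited by trusted_host")
    for label, pattern in PORT_CHECKS.items():
        covered = set()
        for m in filter(None, (re.match(pattern, l) for l in lines)):
            covered |= expand_ports(m.group(1))
        missing = sorted(client_ports - covered)
        if missing:
            findings.append(f"{label} missing on ports {missing}")
        if label == "DHCP server filter" and uplink in covered:
            findings.append("DHCP server filter enabled on uplink port")
    return findings

# Constructed sample (not a real dump): page commands with two deliberate gaps.
SAMPLE = """
enable password encryption
delete snmp community public
create trusted_host network 192.168.0.2/32 snmp telnet ssh http https ping
config filter dhcp_server ports 1-24 state enable
config loopdetect ports 1-24,26-28 state enable
config traffic control 1-24,26-28 broadcast enable action drop broadcast_threshold 100 countdown 0 time_interval 5
"""
print("\n".join(audit(SAMPLE, expand_ports("1-24,26-28"), uplink=25)))
```

The sample reports the undeleted "private" community and the DHCP filter gap on ports 26-28; the same function accepts the DES-3028 spelling `config loopdetect port ... state enabled`.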
Configuring the ZyXEL ES-2108 Switch
I recently configured the ZyXEL ES-2108 switch.
Standard IP 192.168.1.1, login – admin, password – 1234.
I will give below examples of commands.
Let’s review the current configuration:
show running-config
show system-information
Now go to the configuration mode:
configure
Change the administrator password:
admin-password PASSWORD
password PASSWORD
Turn on flood control and loop protection:
storm-control
loopguard
Let’s configure the management VLAN and assign the IP (I use VLAN tag 207, port 1 is the uplink):
vlan 207
name core
normal ""
fixed 1
forbidden 2-8
untagged 2-8
ip address default-management 192.168.1.20 255.255.255.0
ip address default-gateway 192.168.1.1
exit
Let’s configure VLAN for users (comes without a tag):
vlan 226
name users
normal ""
fixed 1-8
untagged 1-8
exit
Configure the uplink port:
interface port-channel 1
pvid 226
vlan-trunking
exit
Configure the other client ports:
interface port-channel 2-8
bmstorm-limit
bmstorm-limit 128
loopguard
pvid 226
exit
Set the time parameters:
time timezone 200
timesync server 192.168.1.1
timesync ntp
Configuring SNMP:
snmp-server set-community NAME
snmp-server trap-community NAME
snmp-server contact admin location LOCATION
Configure the logs:
syslog
syslog type system
syslog type interface
syslog type switch
syslog type aaa
syslog type ip
Let’s specify which IPs are allowed to administer the switch:
remote-management 1
remote-management 2
remote-management 1 start-addr 192.168.1.1 end-addr 192.168.1.1 service telnet ftp http icmp snmp ssh https
remote-management 2 start-addr 192.168.1.5 end-addr 192.168.1.5 service telnet ftp http icmp snmp ssh https
Exit the configuration mode:
exit
To view mac-addresses, use the command:
show mac address-table
Save the settings:
write memory
Done.
Configuring Fasttrack on Mikrotik
FastTrack accelerates packet processing; it is available starting with firmware 6.29.
How to restore the standard mac-addresses of MikroTik interfaces
Recently, I had to copy the settings of one MikroTik router to another one, and after I saved the settings to a file and loaded them onto the second, I noticed that the mac addresses had been copied as well.
Therefore, I had to reset them to the standard ones.
First, let’s see what the interface numbers are (I have ether1 for 0, ether2 for 1, etc.):
interface ethernet print
And reset their mac-addresses:
interface ethernet reset-mac-address 0
interface ethernet reset-mac-address 1
interface ethernet reset-mac-address 2
interface ethernet reset-mac-address 3
interface ethernet reset-mac-address 4
If you need to reset the mac of the wireless interface, then save the wireless settings to the file:
interface wireless export file wifibackup
Look at the wireless interfaces (I have one at number 0):
interface wireless print
Reset all settings including the mac address:
interface wireless reset-configuration 0
Restore the settings from the previously saved file (mac-address in this case will remain standard):
import wifibackup.rsc
Done.
Limiting access to management of Huawei SmartAX MA5600
For example, to allow telnet connections to the Huawei SmartAX MA5600 series only from the IP address ranges 192.168.0.100-192.168.0.254 and 172.16.24.1-172.16.24.50, connect to the device and enter configuration mode:
enable
config
Then execute the following commands (access from IP addresses that are not listed is blocked immediately):
sysman ip-access telnet 192.168.0.100 192.168.0.254
sysman ip-access telnet 172.16.24.1 172.16.24.50
sysman firewall telnet enable
Similarly for SSH:
sysman ip-access ssh 192.168.0.100 192.168.0.254
sysman firewall ssh enable
And SNMP for example for one IP:
sysman ip-access snmp 192.168.0.100 192.168.0.100
sysman firewall snmp enable
To deny access to the specified subnet, we specify ip-refuse instead of ip-access, for example:
sysman ip-refuse telnet 192.168.1.200 192.168.1.220
sysman firewall telnet enable
For the test, I applied these settings on a Huawei SmartAX MA5683T; they are essentially the same for the entire MA5600 series.