Resetting the iLO password via hponcfg on HP servers

In this test I change the iLO password of the built-in Administrator user on an HP ProLiant DL380 G7 server. The factory password is generated randomly by the manufacturer and stored in iLO; it is also printed on the pull-out tag attached to the server.

To change the password without rebooting the server, create a file, for example reset_password.xml, with the following content:

<RIBCL VERSION="2.0">
<LOGIN USER_LOGIN="Administrator" PASSWORD="password">
<USER_INFO MODE="write">
<MOD_USER USER_LOGIN="Administrator">
<PASSWORD value="password specify here only"/>
</MOD_USER>
</USER_INFO>
</LOGIN>
</RIBCL>

Here Administrator is the user name. The PASSWORD in the LOGIN line is not checked, because hponcfg talks to iLO over the internal host interface, so it can be any text; only the value of the PASSWORD element inside MOD_USER matters, and that is the new password for the user. The flip side is that anyone with root on the host OS can reset the iLO credentials the same way, so root on the server has to be treated as iLO administrator access.

Apply the file:

sudo hponcfg -f reset_password.xml

If an error occurs, write the report to log.txt with:

sudo hponcfg -f reset_password.xml -l log.txt

Delete reset_password.xml afterwards: it contains the new password in clear text.
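As an added example (my code, not part of the original post), here is a small Python script that generates a random password and writes the RIBCL file above for hponcfg. The generated password deliberately avoids XML-special characters so the value never depends on the RIBCL parser decoding entity references (an assumption on my side, not something the post states), and the LOGIN password is a placeholder, as the post explains. The file name reset_password.xml, the password length and the function names are my choices.

```python
import secrets
import string
import xml.etree.ElementTree as ET

# Alphabet for generated passwords. XML-special characters (< > & " ') are left
# out on purpose: the password ends up in an XML attribute, and this way it never
# depends on the RIBCL parser decoding entity references (my assumption, not
# something the post states). Adjust to the iLO password rules of your firmware.
SAFE_ALPHABET = string.ascii_letters + string.digits + "!#%+,-.:=?@^_~"
XML_SPECIAL = set('<>&"\'')


def is_safe_password(password):
    """True if the password can be written into the XML attribute verbatim."""
    return bool(password) and not (set(password) & XML_SPECIAL)


def generate_password(length=16):
    """Random password from SAFE_ALPHABET with at least one letter and one digit."""
    while True:
        candidate = "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate):
            return candidate


def build_reset_ribcl(user, new_password):
    """Build the RIBCL document shown above for 'hponcfg -f'."""
    if not is_safe_password(new_password):
        raise ValueError("password is empty or contains XML-special characters")
    ribcl = ET.Element("RIBCL", VERSION="2.0")
    # hponcfg talks to iLO over the host interface, so this LOGIN password is
    # not checked; any placeholder works (as the post notes).
    login = ET.SubElement(ribcl, "LOGIN", USER_LOGIN=user, PASSWORD="password")
    info = ET.SubElement(login, "USER_INFO", MODE="write")
    mod = ET.SubElement(info, "MOD_USER", USER_LOGIN=user)
    ET.SubElement(mod, "PASSWORD", value=new_password)
    return ET.tostring(ribcl, encoding="unicode")


def new_password_from_ribcl(doc):
    """Read the MOD_USER password back out of a RIBCL document (to verify the file)."""
    root = ET.fromstring(doc)
    return root.find("LOGIN/USER_INFO/MOD_USER/PASSWORD").get("value")


def write_reset_file(path, user="Administrator", new_password=None):
    """Write the RIBCL file and return the password that was put into it."""
    new_password = new_password or generate_password()
    doc = build_reset_ribcl(user, new_password)
    with open(path, "w", encoding="utf-8") as f:
        f.write(doc)
    return new_password


if __name__ == "__main__":
    pw = write_reset_file("reset_password.xml")
    print("new iLO password:", pw)
    print("apply it with: sudo hponcfg -f reset_password.xml")
    print("then delete reset_password.xml, it contains the password in clear text")
```

Run it as root on the server, apply the file with hponcfg as shown above, store the printed password in your password manager and remove the XML file.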

See also:
Configuring iLO through hponcfg

SNMP OID List for iLO4

Today I made a Zabbix template to monitor iLO 4 on an HP DL380p G8 server and had to look up several OIDs.

You can check an OID from Linux with the following command (COMMUNITY is the SNMP read community configured in iLO):
snmpwalk -v 2c -c COMMUNITY 192.168.1.5 OID

SNMPv2c sends the community string in clear text and it is the only credential, so use a read-only community that is not the default "public" and allow SNMP to iLO only from the monitoring host or the management network.

Below is a list with descriptions of the OIDs for fans, processors, temperature sensors, logical drives (RAID), physical drives, the iLO network interface and RAM.

Fans:
.1.3.6.1.4.1.232.6.2.6.7.1.2.0 (Fan Index)
.1.3.6.1.4.1.232.6.2.6.7.1.3.0 (Fan Locale (1=other, 2=unknown, 3=system, 4=systemBoard, 5=ioBoard, 6=cpu, 7=memory, 8=storage, 9=removable media, 10=power supply, 11=ambient, 12=chassis, 13=bridge card, 14=management board, 15=backplane, 16=network slot, 17=blade slot, 18=virtual))
.1.3.6.1.4.1.232.6.2.6.7.1.4.0 (Fan Present (1=other, 2=absent, 3=present))
.1.3.6.1.4.1.232.6.2.6.7.1.5.0 (Fan Type (1=other, 2=tachOutput, 3=spinDetect))
.1.3.6.1.4.1.232.6.2.6.7.1.6.0 (Fan Speed (1=other, 2=normal, 3=high))
.1.3.6.1.4.1.232.6.2.6.7.1.9.0 (Fan Condition (1=other, 2=ok, 3=degraded, 4=failed))

Temperature:
.1.3.6.1.4.1.232.6.2.6.8.1.2.0 (Temperature Sensor Index)
.1.3.6.1.4.1.232.6.2.6.8.1.3.0 (Temperature Sensor Locale (1=other, 2=unknown, 3=system, 4=systemBoard, 5=ioBoard, 6=cpu, 7=memory, 8=storage, 9=removable media, 10=power supply, 11=ambient, 12=chassis, 13=bridge card))
.1.3.6.1.4.1.232.6.2.6.8.1.7.0 (Threshold Type (1=other, 5=blowout, 9=caution, 15=critical, 16=noreaction))
.1.3.6.1.4.1.232.6.2.6.8.1.4.0 (Temperature in Celsius)
.1.3.6.1.4.1.232.6.2.6.8.1.5.0 (Temperature Threshold)
.1.3.6.1.4.1.232.6.2.6.8.1.6.0 (Temperature Condition (1=other, 2=ok, 3=degraded, 4=failed))

CPU:
.1.3.6.1.4.1.232.1.2.2.1.1.1 (CPU Index)
.1.3.6.1.4.1.232.1.2.2.1.1.3 (CPU Name)
.1.3.6.1.4.1.232.1.2.2.1.1.4 (CPU Speed in MHz)
.1.3.6.1.4.1.232.1.2.2.1.1.5 (CPU Step)
.1.3.6.1.4.1.232.1.2.2.1.1.6 (CPU Status (1=unknown, 2=ok, 3=degraded, 4=failed, 5=disabled))
.1.3.6.1.4.1.232.1.2.2.1.1.15 (Number of enabled CPU cores)
.1.3.6.1.4.1.232.1.2.2.1.1.25 (Number of available CPU threads)
.1.3.6.1.4.1.232.1.2.2.1.1.26 (CPU Power Status (1=unknown, 2=Low Powered, 3=Normal Powered, 4=High Powered))

Logical Drives:
.1.3.6.1.4.1.232.3.2.3.1.1.2.0 (Logical Drive Index)
.1.3.6.1.4.1.232.3.2.3.1.1.1.0 (Logical Drive Controller)
.1.3.6.1.4.1.232.3.2.3.1.1.3.0 (Logical Drive Fault Tolerance (1=other, 2=none, 3=RAID 1/RAID 1+0 (Mirroring), 4=RAID 4 (Data Guard), 5=RAID 5 (Distributed Data Guard), 7=RAID 6 (Advanced Data Guarding), 8=RAID 50, 9=RAID 60, 10=RAID 1 ADM (Advanced Data Mirroring), 11=RAID 10 ADM (Advanced Data Mirroring with Striping)))
.1.3.6.1.4.1.232.3.2.3.1.1.9.0 (Logical Drive Size in MB)
.1.3.6.1.4.1.232.3.2.3.1.1.4.0 (Logical Drive Status (1=other, 2=ok, 3=Failed, 4=Unconfigured, 5=Recovering, 6=Ready Rebuild, 7=Rebuilding, 8=Wrong Drive, 9=Bad Connect, 10=Overheating, 11=Shutdown, 12=Expanding, 13=Not Available, 14=Queued For Expansion, 15=Multi-path Access Degraded, 16=Erasing, 17=Predictive Spare Rebuild Ready, 18=Rapid Parity Initialization In Progress, 19=Rapid Parity Initialization Pending, 20=No Access – Encrypted with No Controller Key, 21=Unencrypted to Encrypted Transformation in Progress, 22=New Logical Drive Key Rekey in Progress, 23=No Access – Encrypted with Controller Encryption Not Enabled, 24=Unencrypted To Encrypted Transformation Not Started, 25=New Logical Drive Key Rekey Request Received))
.1.3.6.1.4.1.232.3.2.3.1.1.11.0 (Logical Drive Condition (1=other, 2=ok, 3=degraded, 4=failed))

Drives:
.1.3.6.1.4.1.232.3.2.5.1.1.2.0 (Drive Index)
.1.3.6.1.4.1.232.3.2.5.1.1.5.0 (Drive Bay)
.1.3.6.1.4.1.232.3.2.5.1.1.64.0 (Drive Location)
.1.3.6.1.4.1.232.3.2.5.1.1.3.0 (Drive Vendor)
.1.3.6.1.4.1.232.3.2.5.1.1.51.0 (Drive Serial Number)
.1.3.6.1.4.1.232.3.2.5.1.1.45.0 (Drive Size in MB)
.1.3.6.1.4.1.232.3.2.5.1.1.65.0 (Drive Link Rate (1=other, 2=1.5Gbps, 3=3.0Gbps, 4=6.0Gbps, 5=12.0Gbps))
.1.3.6.1.4.1.232.3.2.5.1.1.70.0 (Drive Current Temperature)
.1.3.6.1.4.1.232.3.2.5.1.1.71.0 (Drive Temperature Threshold)
.1.3.6.1.4.1.232.3.2.5.1.1.72.0 (Drive Maximum Temperature)
.1.3.6.1.4.1.232.3.2.5.1.1.6.0 (Drive Status (1=Other, 2=Ok, 3=Failed, 4=Predictive Failure, 5=Erasing, 6=Erase Done, 7=Erase Queued, 8=SSD Wear Out, 9=Not Authenticated))
.1.3.6.1.4.1.232.3.2.5.1.1.37.0 (Drive Condition (1=other, 2=ok, 3=degraded, 4=failed))
.1.3.6.1.4.1.232.3.2.5.1.1.9.0 (Drive Reference Time in hours)

iLO NIC:
.1.3.6.1.4.1.232.9.2.5.2.1.1 (iLO location)
.1.3.6.1.4.1.232.9.2.5.1.1.2 (iLO NIC model)
.1.3.6.1.4.1.232.9.2.5.1.1.4 (iLO NIC MAC)
.1.3.6.1.4.1.232.9.2.5.1.1.5 (iLO NIC IPv4)
.1.3.6.1.4.1.232.9.2.5.1.1.9 (iLO NIC speed)
.1.3.6.1.4.1.232.9.2.5.1.1.14 (iLO NIC FQDN)
.1.3.6.1.4.1.232.9.2.5.2.1.2 (Tx bytes)
.1.3.6.1.4.1.232.9.2.5.2.1.3 (Tx packets)
.1.3.6.1.4.1.232.9.2.5.2.1.6 (Tx discard packets)
.1.3.6.1.4.1.232.9.2.5.2.1.7 (Tx error packets)
.1.3.6.1.4.1.232.9.2.5.2.1.9 (Rx bytes)
.1.3.6.1.4.1.232.9.2.5.2.1.10 (Rx packets)
.1.3.6.1.4.1.232.9.2.5.2.1.13 (Rx discard packets)
.1.3.6.1.4.1.232.9.2.5.2.1.14 (Rx error packets)
.1.3.6.1.4.1.232.9.2.5.2.1.15 (Rx unknown packets)

Memory:
.1.3.6.1.4.1.232.6.2.14.13.1.1 (Memory Index)
.1.3.6.1.4.1.232.6.2.14.13.1.13 (Location)
.1.3.6.1.4.1.232.6.2.14.13.1.9 (Manufacturer)
.1.3.6.1.4.1.232.6.2.14.13.1.10 (Part Number)
.1.3.6.1.4.1.232.6.2.14.13.1.6 (Size in KB)
.1.3.6.1.4.1.232.6.2.14.13.1.8 (Memory Technology)
.1.3.6.1.4.1.232.6.2.14.13.1.7 (Memory Type)
.1.3.6.1.4.1.232.6.2.14.13.1.19 (Memory Status (1=other, 2=notPresent, 3=present, 4=good, 5=add, 6=upgrade, 7=missing, 8=doesNotMatch, 9=notSupported, 10=badConfig, 11=degraded, 12=spare, 13=partial))
.1.3.6.1.4.1.232.6.2.14.13.1.20 (Memory Condition (1=other, 2=ok, 3=degraded, 4=degradedModuleIndexUnknown))
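A Zabbix template needs the condition values decoded, so here, as an added example (my code, not from the original post), is a Python parser for the output of the snmpwalk command shown above that picks out the condition and status OIDs from the lists and reports every component whose state is not ok. The sample walk embedded in the block is constructed, not captured from a real server; the instance suffixes after the OIDs (0.1, 0.2, ...) are assumed to follow the usual snmpwalk table form, and the walk_host helper simply wraps the snmpwalk command from the post.

```python
import re
import subprocess

# Condition/status OIDs from the lists above, without the instance suffix that
# snmpwalk appends to each table row, mapped to a component name.
CONDITION_OIDS = {
    ".1.3.6.1.4.1.232.6.2.6.7.1.9": "fan",
    ".1.3.6.1.4.1.232.6.2.6.8.1.6": "temperature",
    ".1.3.6.1.4.1.232.1.2.2.1.1.6": "cpu",
    ".1.3.6.1.4.1.232.3.2.3.1.1.11": "logical drive",
    ".1.3.6.1.4.1.232.3.2.5.1.1.37": "physical drive",
    ".1.3.6.1.4.1.232.6.2.14.13.1.20": "memory",
}
CONDITION_NAMES = {1: "other", 2: "ok", 3: "degraded", 4: "failed"}
# CPU status uses its own enumeration (see the CPU list above).
CPU_STATUS_NAMES = {1: "unknown", 2: "ok", 3: "degraded", 4: "failed", 5: "disabled"}

# "<oid> = <TYPE>: <value>" as printed by net-snmp's snmpwalk
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
SYMBOLIC_PREFIX = "SNMPv2-SMI::enterprises."


def normalize_oid(oid):
    """Turn net-snmp's symbolic enterprise prefix into the numeric form used in the lists."""
    if oid.startswith(SYMBOLIC_PREFIX):
        oid = ".1.3.6.1.4.1." + oid[len(SYMBOLIC_PREFIX):]
    return oid if oid.startswith(".") else "." + oid


def parse_snmpwalk(text):
    """Yield (numeric_oid, int_value) for every INTEGER line; other types are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("type") != "INTEGER":
            continue
        value = m.group("value")
        # With MIBs loaded net-snmp prints "degraded(3)"; without them just "3".
        enum = re.search(r"\((\d+)\)", value)
        number = int(enum.group(1)) if enum else int(value)
        yield normalize_oid(m.group("oid")), number


def component_health(text):
    """List (component, instance, state) for each condition OID found in a walk."""
    report = []
    for oid, value in parse_snmpwalk(text):
        for base, component in CONDITION_OIDS.items():
            if oid.startswith(base + "."):
                instance = oid[len(base) + 1:]
                names = CPU_STATUS_NAMES if component == "cpu" else CONDITION_NAMES
                report.append((component, instance, names.get(value, f"unknown({value})")))
    return report


def problems(text):
    """Only the rows a Zabbix trigger should fire on: anything whose state is not 'ok'."""
    return [row for row in component_health(text) if row[2] != "ok"]


def walk_host(host, community, oid):
    """Run the snmpwalk command from the post and return its output (requires net-snmp)."""
    result = subprocess.run(["snmpwalk", "-v", "2c", "-c", community, host, oid],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample output, not captured from a real server: one fan degraded,
# one logical drive failed, one physical drive degraded, everything else ok.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.232.6.2.6.7.1.9.0.1 = INTEGER: 2
SNMPv2-SMI::enterprises.232.6.2.6.7.1.9.0.2 = INTEGER: 3
SNMPv2-SMI::enterprises.232.6.2.6.8.1.6.0.1 = INTEGER: 2
SNMPv2-SMI::enterprises.232.1.2.2.1.1.6.0 = INTEGER: 2
SNMPv2-SMI::enterprises.232.3.2.3.1.1.11.0.1 = INTEGER: 4
SNMPv2-SMI::enterprises.232.3.2.5.1.1.37.0.9 = INTEGER: 3
SNMPv2-SMI::enterprises.232.3.2.5.1.1.51.0.9 = STRING: "SERIAL0001"
SNMPv2-SMI::enterprises.232.6.2.14.13.1.20.0 = INTEGER: 2
"""

if __name__ == "__main__":
    for component, instance, state in problems(SAMPLE_WALK):
        print(f"{component} {instance}: {state}")
```

To check a live server, replace SAMPLE_WALK with walk_host("192.168.1.5", "COMMUNITY", ".1.3.6.1.4.1.232") and feed the result to problems(); the same decode tables are what the Zabbix value mappings need.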

Configuring Protected Ports on Cisco

For this test I configure a Cisco Catalyst WS-C3750-48TS-S.

All ports are configured as access ports except the first Gigabit port, the uplink: it is a trunk and the client VLAN arrives on it tagged from upstream.
We need the access ports on this switch not to see each other and to see only the first Gigabit uplink port.

Connect to the switch and enter configuration mode:

enable
configure terminal

Then issue switchport protected on all access ports:

interface range fastEthernet 1/0/1-48
switchport protected
interface range gigabitEthernet 1/0/2-4
switchport protected
exit
exit

Save the configuration:

write

Note that interface gigabitEthernet 1/0/1 was deliberately left untouched.
Ports with switchport protected no longer exchange traffic with other protected ports on the same switch; they talk only to unprotected ports, which here means the first Gigabit uplink port, and that port, having no such command, talks to all ports with and without it. Keep in mind that the isolation is local to the switch: a protected port here and a protected port on a second switch connected through the uplink can still reach each other, and an upstream router with proxy ARP enabled can relay traffic between two protected ports. For isolation across switches use private VLANs or ACLs.

The switchport settings of a port can be viewed with:

show interfaces NAME switchport

View full configuration:

show running-config

See also:
Port isolation on Huawei switches
Port isolation on the ZyXEL MES-3528 switch

Port isolation on the ZyXEL MES-3528 switch

In this test I isolate the ports from each other, allowing traffic only to the uplink (the port the Internet comes from), which in my case is port 25.

Connect to the switch and look at the current configuration:

show running-config

Then enter configuration mode:

configure

Isolate all ports except the uplink:

interface port-channel 1-24,26-28
vlan1q port-isolation
exit
exit

Save the configuration:

write memory

Ports with vlan1q port-isolation cannot see other ports with the same command, but can see ports without it and the switch CPU. Ports without vlan1q port-isolation see all ports, with and without the command.

See also:
Port isolation on Huawei switches
Configuring Protected Ports on Cisco

Port isolation on Huawei switches

For this test I take the Huawei Quidway S2326TP-EI and Huawei Quidway S3928P-EI switches. The uplink port GigabitEthernet 0/0/1 carries the Internet; all other ports are in the same VLAN and must not see each other. To achieve this, run port-isolate enable on every interface (port) except the uplink GigabitEthernet 0/0/1.

Connect to the switch via the console or telnet (telnet is unencrypted; prefer SSH where the switch supports it) and enter system view:

system-view

Run the command on each interface:

interface Ethernet 0/0/1
port-isolate enable
interface Ethernet 0/0/2
port-isolate enable
interface Ethernet 0/0/3
port-isolate enable
...
interface Ethernet 0/0/24
port-isolate enable
quit
interface GigabitEthernet 0/0/2
port-isolate enable

On the Huawei Quidway S3928P-EI the commands are different:

interface Ethernet1/0/1
port isolate
interface Ethernet1/0/2
port isolate
...
interface GigabitEthernet 1/1/2
port isolate
interface GigabitEthernet 1/1/3
port isolate
interface GigabitEthernet 1/1/4
port isolate

Leave the interface view:

quit

Leave system view:

quit

Save the configuration:

save

Now ports with port-isolate enable cannot see other ports that also have the command; they see only ports without it, in our case the uplink GigabitEthernet 0/0/1, and the uplink, which has no such command, sees all ports with and without it.

See also:
Configuring the Huawei Quidway Switch S2326TP-EI
Configuring Port isolation on Cisco
Port isolation on the ZyXEL switch

How to view the configuration of MikroTik

Recently I configured another MikroTik and needed to share its configuration. To print it in the terminal, run:

/export compact

To save the configuration to a file, execute the command:

/export compact file=config

After saving, the file is stored on the device; you can view and download it from the Files menu in the web interface or WinBox, or fetch it over FTP, SMB or SFTP. Before sharing an export, check it for passwords, IPsec keys and SNMP communities: depending on the RouterOS version they may be included in clear text, and the hide-sensitive option of /export leaves them out where it is available.

Configuring the VPN IPSec / L2TP server on Mikrotik

Here is an example of setting up an L2TP/IPsec VPN server on MikroTik so that Windows, macOS, iPhone and other clients can connect to it.

1) Add a pool of addresses for VPN clients under "IP" – "Pool":
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:

ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15

2) Add a profile under "PPP" – "Profiles":
Name: l2tp_profile
Local address: vpn_pool (a fixed address such as the router's 192.168.88.1 also works)
Remote address: vpn_pool
Change TCP MSS: yes
Leave the rest at the defaults.
From the terminal like this:

ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool

3) Add a user under "PPP" – "Secrets":
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:

ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp

4) Enable the server under "PPP" – "Interface" – "L2TP Server":
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (the same key is entered on the clients)
From the terminal like this:

interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes

5) "IP" – "IPSec" – "Peers"
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes
Secret: ENCRYPTION_KEY (the same key is entered on the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifetime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp1024
From the terminal like this:

ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY

6) "IP" – "IPSec" – "Proposals"
Name: default
Auth algorithms: sha1
Encr. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: modp1024
From the terminal like this:

ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des

3des in the proposal and the modp1024 group in the peer are there only for compatibility with old clients. The responder accepts whichever of the configured algorithms a client proposes, so once all your clients support AES and a 2048-bit group, remove 3des and move to modp2048. Also remember that the one pre-shared key is shared by every client and the peer accepts connections from any address, so treat the key like a password and rotate it when a client device is lost.

7) "IP" – "Firewall" – "Filter Rules" – "Add New"
Add a first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:

ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
ip firewall filter add chain=input action=accept protocol=ipsec-esp

These rules must sit above any drop rules in the input chain, otherwise the VPN traffic is dropped before it reaches them. A stricter variant accepts UDP 1701 in a separate rule only when it arrives inside IPsec (add ipsec-policy=in,ipsec to that rule), so that unencrypted L2TP is never reachable from the Internet.

This completes the configuration; clients can now connect.

See also:
Configuring Remote Access in Mikrotik Router

Blocking social networks on Cisco

For this test I use a Cisco Catalyst 6509-E switch.
Suppose we need to block users' access to a particular site or network node, for example the social network VKontakte.

First find out the IP ranges the site uses, for example by looking up VKontakte on bgp.he.net; here is the prefix list for one of the ASes belonging to VKontakte: "http://bgp.he.net/AS47541#_prefixes". Prefix lists change over time and large sites are spread over several ASes, so such an ACL needs to be refreshed periodically.

Then create an extended ACL, here named BLOCKSOCIAL:

ip access-list extended BLOCKSOCIAL
deny ip any 87.240.128.0 0.0.63.255
deny ip any 93.186.224.0 0.0.7.255
deny ip any 93.186.232.0 0.0.7.255
deny ip any 95.142.192.0 0.0.15.255
deny ip any 95.213.0.0 0.0.63.255
deny ip any 185.29.130.0 0.0.0.255
deny ip any 185.32.248.0 0.0.3.255
permit ip any any
exit

The entries above block traffic to the listed networks from any source.
The source can also be a specific network or a single host, for example to deny one address access to another:

deny ip host 192.168.5.1 host 192.168.11.54

The line "permit ip any any" must be the last entry: an ACL ends with an implicit deny, so without it all other traffic on the interface would be dropped.

Instead of a subnet mask, Cisco ACLs use a wildcard mask, the bitwise inverse of the subnet mask: for /24 specify 0.0.0.255, for /22 0.0.3.255, and so on; any IP calculator will compute it.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255

To block more sites, add their prefixes to the same ACL, since only one IP ACL per direction can be applied to an interface.

Apply the ACL inbound on the port facing the clients:

interface GigabitEthernet1/1
ip access-group BLOCKSOCIAL in

Or, to type less, apply it only on the port facing the Internet (the uplink), if there is one; on that port the inbound traffic comes from the site, so use the variant with swapped addresses shown at the end:

interface TenGigabitEthernet3/2
ip access-group BLOCKSOCIAL in

Remove the ACL from the interface:

no ip access-group BLOCKSOCIAL in

Delete the ACL itself:

no ip access-list extended BLOCKSOCIAL

If the ACL is applied inbound on the uplink port, i.e. to traffic flowing from the Internet towards the clients, swap the source and destination in each entry:

ip access-list extended BLOCKSOCIAL
deny ip 87.240.128.0 0.0.63.255 any
deny ip 93.186.224.0 0.0.7.255 any
deny ip 93.186.232.0 0.0.7.255 any
deny ip 95.142.192.0 0.0.15.255 any
deny ip 95.213.0.0 0.0.63.255 any
deny ip 185.29.130.0 0.0.0.255 any
deny ip 185.32.248.0 0.0.3.255 any
deny ip host 192.168.5.1 any
permit ip any any
exit
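Both ACL variants above can be generated instead of computed by hand. As an added example (my code, not from the post), the Python below converts CIDR prefixes such as those from bgp.he.net into Cisco wildcard masks and emits the deny lines in either direction: towards the prefixes for the client-facing port, or from them for the uplink port. It also refuses prefixes whose host bits are set, which is the usual copy-paste mistake that silently blocks the wrong range. The prefix list in the block is the one from the post; the function and ACL names are mine.

```python
import ipaddress

# Prefixes from the post (one VKontakte AS as listed on bgp.he.net at the time).
VK_PREFIXES = [
    "87.240.128.0/18", "93.186.224.0/21", "93.186.232.0/21", "95.142.192.0/20",
    "95.213.0.0/18", "185.29.130.0/24", "185.32.248.0/22",
]


def wildcard_mask(prefix_len):
    """Cisco wildcard mask for an IPv4 prefix length: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def is_aligned(prefix):
    """True if the prefix has no host bits set (e.g. 93.186.225.0/21 is not aligned)."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def acl_entry(prefix, direction="to"):
    """One deny line. direction='to' blocks traffic to the prefix (ACL inbound on the
    client-facing port); direction='from' blocks traffic from it (inbound on the uplink)."""
    net = ipaddress.ip_network(prefix, strict=True)  # ValueError if host bits are set
    if net.version != 4:
        raise ValueError("wildcard masks apply to IPv4 ACLs only")
    if net.prefixlen == 32:
        target = f"host {net.network_address}"
    else:
        target = f"{net.network_address} {wildcard_mask(net.prefixlen)}"
    if direction == "to":
        return f"deny ip any {target}"
    if direction == "from":
        return f"deny ip {target} any"
    raise ValueError("direction must be 'to' or 'from'")


def build_acl(name, prefixes, direction="to"):
    """Full extended ACL; 'permit ip any any' is appended because an ACL ends with an implicit deny."""
    lines = [f"ip access-list extended {name}"]
    lines += [acl_entry(p, direction) for p in prefixes]
    lines += ["permit ip any any", "exit"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_acl("BLOCKSOCIAL", VK_PREFIXES))          # for the client-facing port
    print()
    print(build_acl("BLOCKSOCIAL", VK_PREFIXES, "from"))  # for the uplink port
```

Paste the printed block into configuration mode; regenerate it whenever the prefix list on bgp.he.net changes.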

See also my articles:
Blocking social networks on Mikrotik routers
Blocking social networks using iptables