I had a segment a network recently into a few Vlans. This meant the new Vlan was on a different subnet to the WDS server so machines were not getting the PXE Traffic.

  1. Make sure the WDS is routable from the Vlan ( Create a route enable firewall) 
  2. Enable a second IP Helper Address with the WDS server. You might already have an IP Address if your DHCP server is on a different Subnet, but you can have multiple.

PXE does not come with a dedicated boot protocol. It is simply DHCP packets extended with additional DHCP options. It’s formerly known as the bootstrap protocol. If a PXE-enabled network card sends out an DHCP discover package, it will add DHCP option 60, which includes the string “PXEClient:Arch:xxxxx:UNDI:yyyzzz”. Then it waits for DHCP offers.

It will only respond if it gets a DHCP offer including option 60 which means: I am PXE capable and able to send out boot server and boot file information.

The DHCP offer can be splitted into two independent packages, coming from different servers. The DHCP server can send out the DHCP offer containing the clients IP address and the PXE server can send out the DHCP offer containing the option 60.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently I had to tag some Access points to a new Vlan on a Cisco switch , the cisco support website is the worst readability so notes for future reference

Find the Port of the Access point by getting the Mac address then listing all the Macs on the switch via

show mac address-table

Tagging port

Ok next we change the port from an access port on the default Vlan ( 1 ) to a trunk to it can carry multiple Vlans in this case 1,5. Warning this will drop the network device for a few pings

conf t

int gi1/0/21

Switchport mode trunk
Switchport trunk allowed vlan 1,5 

If it doesn’t work you can always wipe the config via

default interface gi1/0/21

To untag a port on vlan 5

 switchport access vlan 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

To access the Secondary unit without changing HA Primary unit , which I would advise against if you are not sure of the VPN status run the following

execute ha manage 1

Login with the credentials

Then run 

diagnose vpn ike gateway

Lists all the current VPNS

diagnose vpn tunnel stat

Check how many are up

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)
configure mstp revision 3
##Sets STPD Mode (MSTP)
configure stpd s0 mode mstp cist
##Binds all Vlans to STPD
enable s0 auto-bind vlan 1-4094
##Enable below for all ports APART from Uplinks
configure s0 ports auto-edge on #<ports>
##Enables STPD
enable stpd s0
##SAVE config
save config primary
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

The unit was an Elitedesk 800 G3

Download the driver bundle from here : http://ftp.hp.com/pub/caps-softpaq/cmit/HP_Driverpack_Matrix_x64.html

Extract the Drivers then Import them into Out of Box Drivers on your MDT Share

Once done Update Deployment Share

Once done , replace image on the Microsoft Deployment Services

WIM’s will be installed to 

C:\DeploymentShare\Boot

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Fortigate

Create a new Interface under a port or an existing virtual switch where the Aruba switch uplinks to 

Enter Vlan ID and Interface IP

 

Next you will need to setup Allow Policies to allow traffic from the Vlan to the normal lan as well as internet

Aruba

Create a New Vlan with the Same ID

Add a trunk to the Uplink

Tag all the Ports with Vlan 2 that will have a phone plugged into them, Including the Trunk

Untag any ports the phone system or VOIP card might use

Attach the “voice” to the Vlan which will assign the right vlans for the phones that use LLDP 

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Meraki MX Router

Enable Vlans

Go to Security Appliance then Addressing & VLANs

Next setup the Subnet ID ( Number ) for your Vlans and the Address of the Router in each Vlan 

Next Change the Uplink to the Switch to a VLAN and set the Native Vlan ( this is the default usually 1 ) and the other Vlans which will pass down this trunk. The Native VLAN will need to be the same on both sides of Meraki and Cisco Switch

DHCP

Go to Security Appliance then DHCP

What device will be the DHCP on this new Subnet? You can set the Meraki or if its a Windows Network point the IP Helper to your main DHCP server

Cisco Switch

Uplink

On the uplink of your switch to the Meraki set e.g. GigabitEthernet1/0/1

 

conf t
int gi1/0/1
switchport trunk native vlan 1
switchport trunk allowed vlan 1,5
switchport mode trunk
end

You might see the native vlan 1 not showing in the config , this is because 1 is always the native vlan

UnTag Port on new Vlan

This changes the port to use Vlan 5

conf t
int gi1/0/2
switchport acccess vlan 5
switchport mode access
end
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

When trying to Setup Citrix SAML , on redirect , the Netscaler showed

Matching policy not found while trying to process Assertion; Please contact your administrator

Navigate to your Virtual Server

Add a new Authentication

Choose SAML and Primary

Leave Priority as 100
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: -1 (from 1 vote)

Finding issues in wireless networks can be hard , however there are some tools you can use before you get the Spectrum Analyser in! 

Auditing

Download and install inSSIDer Home

Great way to visualise SSID strength and channels, just to note when you run this , your Pings will go up!

Ekahau

Great Heatmapping software and paid for software for scanning

How to check to DeAuths 

Once you identify the channel, launch https://www.wireshark.org/ on that channel and listen for a minute or two.

First, apply this filter:

wlan.fc.type_subtype == 0xc

This will show you all the deauthentication frames that have been sent out.

Deauth Flood

Apply this filter next:

wlan.fc.type_subtype == 0x8 && wlan.sa == <BSSID of the SSID you are inspecting>

This will display beacon frames from your AP. Check the signal strength. In this case, we’ve got a good strong signal because we’re right next to the AP (right around -40 dBm on average).

Our Beacons

Next, apply this filter:

wlan.fc.type_subtype == 0xc && wlan.sa == <BSSID of the SSID you are inspecting>

This shows deauthentication frames from your AP. Note the signal strength on the far right…

Spoofed Deauths

The deauthentication frames are coming in much weaker than the valid beacon frames. This indicates strongly that another AP is spoofing your system.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Recently we found a Fortigate Router not listening locally 

Login to Console via Serial Cable ( Putty ) 

config system interface
edit wan1
set allowaccess ping http https
end


config system admin
edit admin
set trusthost1 %publicip%/32
set trusthost2 %localIprange%/24
end
VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)