Airflow Direction for HP 5800 AF Switch

If you see the following warning on your terminal, there is no need to worry.

Fan 2 airflow direction is not preferred on slot 1, please check it.
Fan 1 airflow direction is not preferred on slot 1, please check it.

The cause is the following configuration item on the switch:

fan prefer-direction slot slot-number { power-to-port | port-to-power }

Either change the configured preferred direction, or get a reverse-airflow fan tray for your switch.


Symantec Network Access Control Overview

This is a little bit of info on the Symantec NAC solution. I jotted down these notes as I made myself familiar with the product, as I had to install one.

The notes are fairly generic, but they can help you pin down where to look in the configuration manual; there is no need to copy the documentation here. After all, you can only configure the product in so many ways.

Symantec Endpoint Protection Manager comprises

  • Symantec Endpoint Protection
    • Virus and Spyware Scanner
    • SONAR (heuristics)
    • Application Control (blocks programs, access to files/registry, loading of DLLs)
    • Device Control (blocks devices by Windows Class ID)
    • Stateful Firewall (acts according to the firewall policy)
    • Intrusion Prevention System (signature-based checks)

  • Symantec Network Access Control
    • Management
      • Symantec Endpoint Protection Manager (application)
      • Database (MSSQL or embedded)

    • Enforcement
      • Gateway Enforcer
      • Symantec Integrated DHCP Enforcer (as a plugin for Microsoft DHCP Server)
      • Symantec LAN Enforcer (appliance)

    • Endpoint
      • Symantec Network Access Control Client (application)

More on enforcers:

The Gateway Enforcer is an inline appliance that segments networks into secure and insecure zones. If a client is either missing the client software or is failing Host Integrity checks, it can be blocked or logged.

The DHCP Enforcer is a plugin that performs DHCP scope-based enforcement. It uses a quarantine subnet mask.

The LAN Enforcer is an inline appliance that is 802.1X based and supports transparent and RADIUS operation modes.

The Symantec Network Access Control Client can also self-enforce and attempt to remediate the non-compliant host, for example by locking it down with a strict local firewall ruleset that allows communication only to known and trusted update sources.

Symantec Network Access Control Starter Edition comprises

  • Symantec Endpoint Protection Manager
  • MS SQL
  • Gateway Enforcer
  • Endpoint Protection and Network Access Control Client software

How does the endpoint compliance process work?

  1. (Discover) The access point discovers the endpoint device as it attaches to and accesses the network.
  2. (Enforce) The solution runs an integrity check on the endpoint against the current security policy, one check per Host Integrity entry.
  3. (Remediate) If the check fails, the endpoint is isolated in some way from the local network.
  4. (Monitor) The Host Integrity of the endpoint is monitored continuously.

What are the built-in rules for Host Integrity checks?

  • Checks for most antivirus products, MS patches, MS service packs and firewalls.
  • A templates feature to integrate with other patch-based systems.
  • Custom Requirements, which is conditional scripting based on file names, versions and “fingerprints” (hash values?).


BGP Path Selection on Cisco, HP and Juniper

I was curious to see whether Cisco and HP shared the same BGP path selection algorithms.

  Step | Cisco                                                          | HP
  -----+----------------------------------------------------------------+---------------------------------------------------------------
   1   | Path with highest WEIGHT                                       | Path with highest Preferred_value (WEIGHT)
   2   | Path with highest LOCAL_PREF                                   | Path with highest LOCAL_PREF
   3   | Path originated by the local router [1]                        | Path originated by the local router [1]
   4   | Path with shortest AS_PATH                                     | Path with shortest AS-PATH
   5   | Path with lowest origin type [2]                               | Path with lowest origin type [2]
   6   | Path with lowest MED                                           | Path with lowest MED
   7   | Prefer eBGP over iBGP paths                                    | Prefer eBGP over iBGP paths
   8   | Path with lowest IGP metric to the BGP next hop                | Path with lowest IGP metric to the BGP next hop
   9   | Determine if BGP multipath is needed                           | Path with shortest CLUSTER_LIST
  10   | Path that was received first (the oldest one) [3]              | Path with smallest ORIGINATOR_ID
  11   | Path that comes from the BGP router with the lowest router ID  | Path that comes from the BGP router with the lowest router ID
  12   | Path with the minimum cluster list length [4]                  | N/A
  13   | Path that comes from the lowest IP address                     | Path that comes from the lowest IP address

  [1] Via a network or aggregate BGP subcommand, or through redistribution from an IGP
  [2] Origin types: IGP < EGP < Incomplete
  [3] Only when the compared paths are external
  [4] Only when the originator or router ID is the same for multiple paths
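To see where the two vendor orders actually diverge, here is an added example (my own code, not from the original post or from either vendor) that encodes the tie-breaker chains as sort keys and runs them over two constructed iBGP paths; the Path attribute names and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Path:  # constructed attribute set; field names follow the table above
    name: str
    weight: int = 0             # Cisco WEIGHT / HP Preferred_value, higher wins
    local_pref: int = 100       # higher wins
    local_origin: bool = False  # originated by the local router [1]
    as_path_len: int = 0
    origin: int = 0             # 0 = IGP, 1 = EGP, 2 = Incomplete [2]
    med: int = 0
    ebgp: bool = False
    igp_metric: int = 0
    age: int = 0                # lower = received earlier (Cisco step 10)
    router_id: str = "0.0.0.0"
    cluster_len: int = 0
    originator_id: str = "0.0.0.0"
    peer_ip: str = "0.0.0.0"

def ip_key(ip):  # compare dotted quads numerically, not as strings
    return tuple(int(o) for o in ip.split("."))

# Each step maps a path to a sort key; lowest key wins. Steps 1-8 are shared;
# Cisco step 9 (multipath) selects nothing, so it is skipped.
COMMON = [
    lambda p: -p.weight, lambda p: -p.local_pref, lambda p: not p.local_origin,
    lambda p: p.as_path_len, lambda p: p.origin, lambda p: p.med,
    lambda p: not p.ebgp, lambda p: p.igp_metric,
]
CISCO = COMMON + [
    lambda p: p.age if p.ebgp else 0,   # 10: oldest, external paths only [3]
    lambda p: ip_key(p.router_id),      # 11: lowest router ID
    lambda p: p.cluster_len,            # 12: shortest cluster list [4]
    lambda p: ip_key(p.peer_ip),        # 13: lowest neighbor address
]
HP = COMMON + [
    lambda p: p.cluster_len,            # 9: shortest CLUSTER_LIST
    lambda p: ip_key(p.originator_id),  # 10: smallest ORIGINATOR_ID
    lambda p: ip_key(p.router_id),      # 11: lowest router ID
    lambda p: ip_key(p.peer_ip),        # 13: lowest neighbor address
]

def best_path(paths, steps):  # apply the chain lexicographically, return winner
    return min(paths, key=lambda p: tuple(s(p) for s in steps)).name
# Two iBGP paths tying through step 8: A has the lower router ID but the longer
# reflection chain, so Cisco (router ID at 11) and HP (cluster length at 9) disagree.
TIE = [
    Path("A", router_id="10.0.0.1", cluster_len=2, peer_ip="192.0.2.1"),
    Path("B", router_id="10.0.0.2", cluster_len=1, peer_ip="192.0.2.2"),
]
```

Running best_path(TIE, CISCO) and best_path(TIE, HP) shows the same routes producing different winners on the two platforms, which is worth knowing before assuming a mixed-vendor core converges on one forwarding path.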

As you can expect, Juniper is a whole lot different, so I didn’t even put it in the comparison table.

Juniper

  1. Prefer the path with highest local preference
  2. Prefer the path with shortest AS path
  3. Prefer the path with lowest origin
  4. Prefer the path with lowest MED value
  5. Strictly prefer external paths
  6. Prefer the path with lowest IGP route metric
  7. Prefer the path with maximum IGP next hops
  8. Prefer the path with shortest route reflection cluster list
  9. Prefer the path with lowest router ID
  10. Prefer the path with lowest peer IP address

DiffServ Per-Hop Behaviours (PHBs)

DiffServ (Differentiated Services) is the successor of IP Precedence. It specifies a scalable, robust and flexible architecture for treating traffic according to your needs. DiffServ defines common Per-Hop Behaviours, which describe how a device should handle the traffic passing through it.

  • Best Effort (BE) – No specific QoS treatment.
  • Class Selector (CS) – Uses 8 levels, where a bigger value means better treatment. Backwards compatible with IP Precedence, while providing an additional 8 levels of granularity, for a total of 64 DSCP values.
  • Assured Forwarding (AF) – Uses 4 classes of priority and 3 levels of drop probability. A higher drop precedence means lower priority within the class. Example: AF41 > AF43 > AF11.
    • Queuing mechanism (x in AFxy)
    • Drop threshold mechanism (y in AFxy)

  • Expedited Forwarding (EF) – Provides a queue with low delay, jitter and loss, plus a guaranteed amount of bandwidth.
    • Queuing mechanism plus a guaranteed amount of bandwidth
    • Traffic policing on the EF queue
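When reading DSCP markings off a capture it helps to map the six bits back to the PHB names above; the following decoder is an added example written for this post (not code from the original article), and the ToS byte samples it uses are constructed.

```python
EF_CODEPOINT = 46  # DSCP 101110, the single EF codepoint

def decode_dscp(tos: int) -> dict:
    """Map a ToS byte to its PHB, AF class/drop precedence and legacy IP precedence."""
    dscp = (tos >> 2) & 0x3F          # DSCP is the upper 6 bits of the ToS byte
    cls, low = dscp >> 3, dscp & 0x7  # upper 3 bits = class selector / IP precedence
    info = {"dscp": dscp, "ip_precedence": cls}
    if dscp == 0:
        info["phb"] = "BE"
    elif dscp == EF_CODEPOINT:
        info["phb"] = "EF"
    elif low == 0:
        info["phb"] = f"CS{cls}"      # low bits zero: identical to IP Precedence
    elif 1 <= cls <= 4 and low in (2, 4, 6):
        drop = low // 2               # 010 = 1 (low), 100 = 2 (medium), 110 = 3 (high)
        info["phb"] = f"AF{cls}{drop}"
        info["af_class"], info["drop_precedence"] = cls, drop
    else:
        info["phb"] = "other"         # codepoint without one of the PHBs listed above
    return info

def af_rank(phb: str) -> tuple:
    """Higher tuple = better treatment: class first, then lower drop precedence."""
    return (int(phb[2]), -int(phb[3]))

def af_codepoint(cls: int, drop: int) -> int:
    """Inverse mapping: AFxy -> DSCP = 8*x + 2*y (e.g. AF41 -> 34)."""
    if not (1 <= cls <= 4 and 1 <= drop <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return 8 * cls + 2 * drop

# Constructed ToS bytes of the kind seen in packet captures, with the expected PHB
SAMPLES = {0xB8: "EF", 0x88: "AF41", 0x20: "CS1", 0x28: "AF11", 0x00: "BE"}
```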

Queuing Mechanisms

While doing my studies for the CCIP certification, I’ll do a series of posts on Quality of Service. It is a matter that I’m not very familiar with, so by talking about it, I’ll be sure to learn it better, and hey – maybe somebody will find my explanations useful.

Today we talk about the possible queuing mechanisms.

  • Priority Queuing – Uses 4 queues. Always serves higher priority traffic first. May starve (block) low priority traffic when there is constant high-priority traffic getting serviced first.
  • Custom Queuing – Uses 16 static queues for traffic (plus queue number 0 for layer 2 control traffic). Includes the Layer 2 headers in the PDU size. Sends frames from a queue and adds each frame size to a counter until the counter is bigger than or equal to the queue threshold. If the counter ends up bigger than the threshold, the next time the queue is serviced it starts from this excess value instead of 0 (a.k.a. a penalty). The queue threshold is set by the byte-count value (1500 by default). The queue’s limit is the number of packets held in the router’s memory before it starts dropping inbound packets from the sender. If a lower priority queue has bandwidth to spare, higher priority queues can take advantage of it.
  • Weighted Fair Queuing – Uses flows (identified by source/destination address and port numbers, plus protocol type). Automatically schedules low-bandwidth, interactive traffic to the front of the queue and never drops it from queuing. The rest of the traffic is divided fairly between high-bandwidth flows. WFQ is enabled by default on all interfaces of 2.048 Mbps (E1 line) or less.
  • Class-based Weighted Fair Queuing – Classifies traffic using class-maps, each of which can be given a strict bandwidth, a percentage, or the rest of the bandwidth left unclaimed by the other classes (fair-queue). Each class-map can use either tail drop (default) or WRED (random-detect). The total amount of bandwidth allocated to all classes in a policy map must not exceed 75 percent of the available bandwidth on the interface. The other 25 percent is used for control and routing traffic. (To override the 75 percent limitation, use the max-reserved bandwidth command.)
  • Low-Latency Queuing – Brings strict Priority Queuing (PQ) to Class-Based Weighted Fair Queuing (CBWFQ), so that delay-sensitive traffic, such as data, can be serviced first, while the rest of the traffic uses CBWFQ. Set up with the priority [bandwidth] command in policy-map class configuration.
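The Custom Queuing byte-count and penalty rule is easier to grasp by simulating a few rounds; this is an added example written for this post, not Cisco code, and the queue contents and byte-counts are constructed.

```python
from collections import deque

def custom_queuing(queues, byte_count=1500, rounds=1):
    """queues: {name: [frame sizes in bytes]}; returns bytes sent per queue per round."""
    pending = {name: deque(frames) for name, frames in queues.items()}
    carry = {name: 0 for name in queues}          # penalty carried from the last round
    sent = {name: [] for name in queues}
    for _ in range(rounds):
        for name, q in pending.items():
            counter, total = carry[name], 0       # the counter starts at the penalty
            while q and counter < byte_count:     # serve frames until the threshold is met
                size = q.popleft()
                counter += size
                total += size
            carry[name] = max(0, counter - byte_count)  # overshoot becomes the penalty
            sent[name].append(total)
    return sent

def share(sent):
    """Fraction of all bytes each queue received over the run."""
    totals = {n: sum(r) for n, r in sent.items()}
    grand = sum(totals.values())
    return {n: round(t / grand, 2) for n, t in totals.items()}

# Constructed traffic: bulk transfer in 1500-byte frames vs. small 64-byte frames.
# With the default byte-count both queues end up with about half the bytes, while
# the small-frame queue alternates between 24 and 23 frames as the penalty moves.
TRAFFIC = {"bulk": [1500] * 10, "small": [64] * 100}
```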


I just passed the troubleshooting exam and thus obtained my CCNP.

The exam was really something interesting after the route and switch ones. It almost felt like a puzzle, or a crime solving adventure – you’re on the hunt for the bad guy that’s ruining your stuff 🙂

The TSHOOT exam is rightfully the finish line of the CCNP course. It incorporates routing and switching issues, and luckily, not at the same time, as that would be CCIE material. Besides feeling refreshing, the exam is not hard by itself, but you need to watch out for potential pitfalls. I almost succumbed to one in particular: I was checking which access vlan was assigned to a switchport. Naturally, I issued a show vlan, and all ports appeared to be assigned to the native vlan 1. Then, just to be sure, I tried a show run, and bam! The ports were in access vlan 10.

So, in a nutshell, I don’t know whether this was a bug or not, but it really helps to use show run. However, it is always a good idea to learn to troubleshoot without the help of show run, due to the possible size of the config itself, or simply use the pipe (|) with the regular expressions begin, section, include etc.

HP ExpertONE Certifications Update

Since the 1st of November, HP has made a couple of changes to its ExpertONE certifications portfolio.

The big change consists of two tracks of certifications, namely Career and Affiliate, with the latter being mainly about sales.

There are also changes to the certificate titles. Here’s a map:

  • Master level -> HP Master ASE
  • Expert level -> HP ASE (CSE)
  • Professional level -> HP ATP (CSA, AIS)
  • Associate level -> HP ATA

Not much to be excited about, except for the fact that these certifications will expire, unlike their old counterparts. Even the old certifications will expire, but HP will shed more light on this matter in 2012.

More information here.

Don’t forget to check out the pdf brochure as well.
