
Thursday, May 9, 2019

HPE Comware MSR router source/destination VRF-aware NAT


In the following post I will show how to configure VRF-aware source and destination NAT on the HPE MSR router series.

I'm going to use the following topology:



Now let's define the goals. We have an internal LAN (192.168.22.0/24) which needs to reach some services/servers on a remote network (192.168.12.0/24) and, for some reason, we can't install the remote network in the routing table of our LAN. All of this, of course, has to be VRF-aware.

So here I'm using a virtual IP address, 2.2.2.2/32, which represents the remote server IP address (192.168.12.1, SW12), so all clients on the LAN network (192.168.22.1, SW22) will be pointed to 2.2.2.2.

IP Address        NAT Translation   NAT Direction
2.2.2.2/32        192.168.12.1      Inbound
192.168.22.0/24   10.20.0.2         Outbound

So, whenever a client from the internal LAN (192.168.22.0/24) sends a packet to IP address 2.2.2.2, its source IP address will be translated to 10.20.0.2 (RTR2 WAN interface) and the destination will be translated to 192.168.12.1 (SW12).

And again, all of the configuration is done from a VRF-aware perspective.

RTR2 Basic Configuration:

 sysname RTR2
#
ip vpn-instance V20
 route-distinguisher 1:20
#
interface GigabitEthernet0/0
 port link-mode route
 combo enable copper
#
interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 vlan-type dot1q vid 20
#
interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
#
ip route-static vpn-instance V20 0.0.0.0 0 GigabitEthernet0/0.20 10.20.0.1

Here we will need to use inbound NAT to translate the destination IP address and outbound NAT to translate the source IP address.

Configure basic ACL for outbound NAT:

acl basic 2000
 rule 0 permit vpn-instance V20 source 192.168.22.0 0.0.0.255

Configure advanced ACL for inbound NAT:

acl advanced 3000
 rule 10 permit icmp vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0
 rule 15 permit ip vpn-instance V20 source 192.168.22.0 0.0.0.255 destination 2.2.2.2 0

Note that in an advanced ACL we need to specify the protocol.

Next configure NAT address group:

nat address-group 1
 address 10.20.0.2 10.20.0.2

A NAT address group is a single IP address or a range of IP addresses that we set as the NAT result (source or destination).

On interface GigabitEthernet0/0.20 (RTR2 WAN interface) we will configure the outbound NAT, where the internal LAN IP addresses (192.168.22.0/24) will be translated to 10.20.0.2:

interface GigabitEthernet0/0.20
 ip binding vpn-instance V20
 ip address 10.20.0.2 255.255.255.252
 nat outbound 2000 address-group 1 vpn-instance V20
 vlan-type dot1q vid 20

On interface GigabitEthernet0/2 (RTR2 LAN interface) we will configure the inbound NAT, where the internal virtual IP address (2.2.2.2) will be translated to the real remote IP address (192.168.12.1):

interface GigabitEthernet0/2
 port link-mode route
 combo enable copper
 ip binding vpn-instance V20
 ip address 192.168.22.254 255.255.255.0
 nat server global 3000 inside 192.168.12.1 vpn-instance V20

Each packet with a source IP address in 192.168.22.0/24 that is destined to 2.2.2.2 (refer to the ACL 3000 configuration) will have its destination translated to 192.168.12.1.

The last step is to configure a static route for the virtual IP address (2.2.2.2):

ip route-static vpn-instance V20 2.2.2.2 32 GigabitEthernet0/0.20 10.20.0.1
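To make the two translation stages concrete, here is an added Python model of how RTR2's ACLs and NAT statements rewrite a packet on the LAN-to-WAN path and undo the rewrite on the reply. It is illustration code written for this post, not Comware code and not part of the original configuration: it ignores ports (no PAT), uses only the addresses and ACL definitions shown above, and the Packet class, the session table and the function names are assumptions made for the example.

```python
"""Toy model of the VRF-aware NAT stages configured on RTR2 (illustration only)."""
import dataclasses
import ipaddress

# acl basic 2000: rule 0 permit vpn-instance V20 source 192.168.22.0 0.0.0.255
ACL_2000 = {"vpn": "V20", "src": ipaddress.ip_network("192.168.22.0/24")}
# acl advanced 3000: source 192.168.22.0/24, destination 2.2.2.2/32, vpn-instance V20
ACL_3000 = {"vpn": "V20", "src": ipaddress.ip_network("192.168.22.0/24"),
            "dst": ipaddress.ip_network("2.2.2.2/32")}
# nat address-group 1 (address 10.20.0.2 10.20.0.2) and the nat server inside address
ADDRESS_GROUP_1 = "10.20.0.2"
NAT_SERVER_INSIDE = "192.168.12.1"


@dataclasses.dataclass(frozen=True)
class Packet:            # assumed minimal packet: VPN instance plus L3 addresses
    vpn: str
    src: str
    dst: str


def acl_matches(acl, pkt):
    """Match the VPN instance, the source range and (advanced ACL only) the destination."""
    if pkt.vpn != acl["vpn"]:
        return False
    if ipaddress.ip_address(pkt.src) not in acl["src"]:
        return False
    if "dst" in acl and ipaddress.ip_address(pkt.dst) not in acl["dst"]:
        return False
    return True


def nat_server_inbound(pkt, sessions):
    """'nat server global 3000 inside 192.168.12.1' on the LAN interface:
    destination NAT on ingress for packets matching ACL 3000."""
    if acl_matches(ACL_3000, pkt):
        new = dataclasses.replace(pkt, dst=NAT_SERVER_INSIDE)
        sessions[("dnat", new.src, new.dst)] = pkt.dst   # remember 2.2.2.2 for the reply
        return new
    return pkt


def nat_outbound(pkt, sessions):
    """'nat outbound 2000 address-group 1' on the WAN interface:
    source NAT on egress for packets matching ACL 2000."""
    if acl_matches(ACL_2000, pkt):
        new = dataclasses.replace(pkt, src=ADDRESS_GROUP_1)
        sessions[("snat", new.src, new.dst)] = pkt.src   # remember the client address
        return new
    return pkt


def forward(pkt, sessions):
    """LAN -> WAN: the destination is rewritten first, then the source."""
    return nat_outbound(nat_server_inbound(pkt, sessions), sessions)


def reverse(reply, sessions):
    """WAN -> LAN reply: undo the two translations in the opposite order so the
    client sees the answer coming from 2.2.2.2, not from 192.168.12.1."""
    client = sessions.get(("snat", reply.dst, reply.src))
    if client is None:
        return reply                      # no matching session: leave untouched
    reply = dataclasses.replace(reply, dst=client)
    virtual = sessions.get(("dnat", reply.dst, reply.src))
    if virtual is not None:
        reply = dataclasses.replace(reply, src=virtual)
    return reply


if __name__ == "__main__":
    table = {}
    out = forward(Packet("V20", "192.168.22.1", "2.2.2.2"), table)
    print("SW22 -> virtual IP leaves the WAN as", out)
    back = reverse(Packet("V20", "192.168.12.1", "10.20.0.2"), table)
    print("SW12 reply reaches the LAN as", back)
    print("LAN -> other destination:", forward(Packet("V20", "192.168.22.1", "8.8.8.8"), {}))
    print("other VPN instance:", forward(Packet("V30", "192.168.22.1", "2.2.2.2"), {}))
```

Running it shows the asymmetry of the two rules: every LAN source leaving GigabitEthernet0/0.20 is translated to 10.20.0.2, but only traffic to 2.2.2.2 has its destination rewritten, and a packet in another VPN instance matches neither ACL.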

Sending a ping from SW22 to SW12 gives the following result:


This is a packet capture on RTR1 – interface GigabitEthernet0/0



Wednesday, February 13, 2019

ClearPass API E-mail notifications


In the following post I will explain how to create an e-mail message from the ClearPass system for a successful authentication (Authentication notification) or for a failed authentication (Authentication alert).

First let's create our actions for sending e-mails, using the ClearPass API and JSON.
Go to Administration » Dictionaries » Context Server Actions, and click Add:

 

For Authentication Notification message:





And here is the content of the JSON:

{
    "to": ["jhon@dow.com"],
    "subject": "Successful Authentication Connection",
    "message": "The following user has been authenticated at: \n%{Date:Date-Time} \nMAC Address: %{Connection:Client-Mac-Address-Colon} \nUser Name: %{Radius:IETF:User-Name} \nNAS-Identifier: %{Radius:IETF:NAS-Identifier} \nNAS-IP Address: %{Connection:NAD-IP-Address}, \nPort: %{Radius:IETF:NAS-Port-Id}, \nDevice Type: %{Authorization:[Endpoints Repository]:Device Name}"
}

Replace the To address with the relevant address; also note that you can add any information from the RADIUS request to this message.
Finally click Save.

For Authentication Alert message:




Next, make sure that your ClearPass system is configured with messaging services: go to Administration » External Servers » Messaging Setup and fill in the required information:


Note that in my lab I'm using Gmail for mail delivery (and how to configure Gmail is out of the scope for this post).

Now go to Configuration » Enforcement » Profiles and click Add:

  
Configure a new enforcement profile using the HTTP Based Enforcement template, name it and enter a description:


For Target server select localhost, and as the action select the relevant endpoint context server action that you created earlier:


Click Save.

Now use this enforcement profile in any service/enforcement policy you like in order to be notified about an event via e-mail.

For example, for my secure wireless connection, where I'm using EAP-TLS/EAP-PEAP I have added the following notifications:


Where the authentication status matches user or machine, I'm sending the authentication notification, and where the authentication status is none or failed, or the authentication source is unavailable, I'm sending the failed authentication notification.

Email example:

The following user has been authenticated at:
2019-02-13 19:22:25
MAC Address: 00:35:44:31:74:2a
User Name: talm
NAS-Identifier: MLAB ArubaMC-VA-01
NAS-IP Address: 10.100.110.201,
Port: %{Radius:IETF:NAS-Port-Id},
Device Type: xiaomi NE-520G

There are plenty of e-mail messages you can configure for different scenarios using this method.
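The JSON action above and the sample e-mail are the two halves of a template-rendering step: ClearPass replaces each %{Namespace:Attribute} placeholder with the value from the request, and, as the sample e-mail shows, a placeholder whose attribute is not present in the request (Port: %{Radius:IETF:NAS-Port-Id}) is left in the message as literal text. Here is an added Python script, written for this post and not ClearPass code, that renders the same message body offline so you can check an action body before saving it and list the placeholders that would stay unresolved. The attribute names come from the JSON above, the sample values are taken from the e-mail example, and the regular expression for the placeholder syntax is an assumption based on that example.

```python
"""Render a ClearPass context-server-action message template offline (illustration)."""
import json
import re

# Placeholder syntax used in the action body: %{Namespace:Attribute}
# (assumed from the examples on this page; brackets and spaces inside are allowed)
PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# The Authentication Notification action from the post, as a Python dict
ACTION_TEMPLATE = {
    "to": ["jhon@dow.com"],
    "subject": "Successful Authentication Connection",
    "message": (
        "The following user has been authenticated at: \n%{Date:Date-Time} "
        "\nMAC Address: %{Connection:Client-Mac-Address-Colon} "
        "\nUser Name: %{Radius:IETF:User-Name} "
        "\nNAS-Identifier: %{Radius:IETF:NAS-Identifier} "
        "\nNAS-IP Address: %{Connection:NAD-IP-Address}, "
        "\nPort: %{Radius:IETF:NAS-Port-Id}, "
        "\nDevice Type: %{Authorization:[Endpoints Repository]:Device Name}"
    ),
}

# Constructed request attributes, using the values from the sample e-mail;
# Radius:IETF:NAS-Port-Id is deliberately missing to reproduce the unresolved line.
SAMPLE_REQUEST = {
    "Date:Date-Time": "2019-02-13 19:22:25",
    "Connection:Client-Mac-Address-Colon": "00:35:44:31:74:2a",
    "Radius:IETF:User-Name": "talm",
    "Radius:IETF:NAS-Identifier": "MLAB ArubaMC-VA-01",
    "Connection:NAD-IP-Address": "10.100.110.201",
    "Authorization:[Endpoints Repository]:Device Name": "xiaomi NE-520G",
}


def render(template: str, attrs: dict) -> str:
    """Substitute each placeholder with its attribute; unknown ones stay literal."""
    return PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), m.group(0)), template)


def unresolved(rendered: str) -> list:
    """Placeholders that survived rendering, i.e. attributes absent from the request."""
    return PLACEHOLDER.findall(rendered)


def build_mail(action: dict, attrs: dict) -> dict:
    """Return the action with its subject and message rendered for one request."""
    return {
        "to": list(action["to"]),
        "subject": render(action["subject"], attrs),
        "message": render(action["message"], attrs),
    }


def action_json(action: dict) -> str:
    """Serialise the action body the way it is pasted into the Context Server Action form."""
    return json.dumps(action, indent=4)


if __name__ == "__main__":
    mail = build_mail(ACTION_TEMPLATE, SAMPLE_REQUEST)
    print(mail["message"])
    print("unresolved placeholders:", unresolved(mail["message"]))
```

Running the script prints the same body as the e-mail example and reports Radius:IETF:NAS-Port-Id as unresolved, which is the quick way to spot an attribute name that the RADIUS request from a given NAS does not carry.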

Great thanks to Derin Mellor, from Aruba Networks, for the right guidance on this one.





Wednesday, October 17, 2018

HPE Comware packet capture


How to activate and use the built-in packet capture on HPE Comware switches.

In every firmware upgrade archive you have probably noticed a feature image package:


After upgrading to the required image version, log in to the switch and run the following command:

install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1

You should see the following output:

<HPE-5130-EI>install activate feature flash:/5130ei-cmw710-packet-capture-r3208p10.bin slot 1
Verifying the file flash:/5130ei-cmw710-packet-capture-r3208p10.bin on slot 1.....Done.
Identifying the upgrade methods....Done.
Upgrade summary according to following table:

flash:/5130ei-cmw710-packet-capture-r3208p10.bin
  Running Version             New Version        
  None                        Release 3208P10   

  Slot                        Upgrade Way       
  1                           Service Upgrade   
Upgrading software images to compatible versions. Continue? [Y/N]:y
This operation might take several minutes, please wait..................Done.

Then run install commit:

<HPE-5130-EI>install commit
This operation will take several minutes, please wait........................Done.

Check that the feature package is activated:

<HPE-5130-EI>show install active
Active packages on slot 1:
  flash:/5130ei-cmw710-boot-r3208p10.bin
  flash:/5130ei-cmw710-system-r3208p10.bin
  flash:/5130ei-cmw710-packet-capture-r3208p10.bin

Then reboot the switch:

<HPE-5130-EI>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y

After the switch reloads, you can start using the built-in packet capture:

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52 ?
  autostop               Specify the autostop criteria for packet capture
  brief                  Brief information
  capture-filter         Specify a filter rule for packet capture
  capture-ring-buffer    Specify the criteria for saving captured frames to a
                         new capture file
  display-filter         Specify a filter rule for displaying captured frames
  limit-captured-frames  Specify the maximum number of captured frames
  limit-frame-size       Specify the maximum size of a frame to be captured
  raw                    Display the packet data in hexadecimal format
  verbose                Detailed information
  write                  Specify the directory for saving captured frames
  <cr>                  

<HPE-5130-EI>packet-capture interface Ten-GigabitEthernet 1/0/52



Monday, August 13, 2018

pfSense DHCP option 43 for Aruba Networks


Here is a quick post on configuring DHCP option 43 and option 60 for Aruba Networks APs on pfSense.

DHCP option 43 tells the AP the IP address of the master controller: when an AP first boots up it needs to connect to the master controller in order to get its initial configuration (AP name, group, LMS/Backup LMS). There are several ways to tell the AP who the master controller is, and DHCP option 43 is one of them.

DHCP option 60 helps the server identify the client's vendor.

Log in to the pfSense web GUI, go to Services / DHCP Server and select the interface which serves the APs.
Scroll down to Additional BOOTP/DHCP Options and add the following options:




Note that option 43 should be entered in hex, but it is the ASCII text of the address that we convert, not the numeric octets!

So, in my example I need to convert the master controller IP 10.100.110.200; we can use the following URL to ease the conversion: https://www.asciitohex.com/

Finally click Save and let the AP boot up.
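The conversion can be done offline instead of with the web tool. Here is an added Python script, written for this post and not part of pfSense or Aruba, that encodes the dotted-quad text of the master controller address as hex for option 43, decodes an existing hex value back to check it, and shows beside it the encoding of the four binary octets, which is the wrong form for this use and is easy to confuse with the right one. The function names and the colon-separated output helper are assumptions for the example; 10.100.110.200 is the address from the post.

```python
"""Encode a master-controller address for DHCP option 43 as ASCII text in hex (illustration)."""
import ipaddress


def ip_to_option43_hex(master_ip: str) -> str:
    """Hex of the ASCII dotted-quad text, which is what the post says the AP expects."""
    ipaddress.IPv4Address(master_ip)          # raises ValueError on a malformed address
    return master_ip.encode("ascii").hex()


def option43_hex_to_ip(hex_value: str) -> str:
    """Inverse: decode a hex value back to text and verify it is a valid IPv4 address,
    useful for checking an entry that is already configured on the DHCP server."""
    text = bytes.fromhex(hex_value.replace(":", "")).decode("ascii")
    ipaddress.IPv4Address(text)               # ValueError if the decoded text is not an IP
    return text


def octets_hex(master_ip: str) -> str:
    """The WRONG encoding for this use: the four raw octets of the address.
    Included only so the two forms can be told apart."""
    return ipaddress.IPv4Address(master_ip).packed.hex()


def looks_like_octet_encoding(hex_value: str) -> bool:
    """True when a hex value is 4 raw octets (8 hex digits) rather than ASCII text,
    which for a dotted quad is at least 7 characters, i.e. 14 hex digits."""
    return len(hex_value.replace(":", "")) == 8


def colon_separated(hex_value: str) -> str:
    """Reformat a plain hex string as colon-separated bytes, the notation some
    DHCP servers use for hex option values (assumed helper)."""
    clean = hex_value.replace(":", "")
    return ":".join(clean[i:i + 2] for i in range(0, len(clean), 2))


if __name__ == "__main__":
    master = "10.100.110.200"
    value = ip_to_option43_hex(master)
    print("option 43 (ASCII text as hex):", value, "->", colon_separated(value))
    print("decodes back to:", option43_hex_to_ip(value))
    wrong = octets_hex(master)
    print("raw octets (not what we want):", wrong,
          "octet encoding?", looks_like_octet_encoding(wrong))
```

Decoding the configured value back and checking that it parses as an IP address is a cheap sanity check before letting the AP boot: a value of only 8 hex digits is the octet form, and an AP expecting the text form will not find its controller in it.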

Here is the pcap result:




Friday, April 6, 2018

Aruba Remote AP (RAP) Configuration step-by-step


Aruba OS version: 6.5.4.5 build 63925

This guide will take you step by step through configuring an Aruba Remote AP (RAP).

I will use the following topology:



Device/Host   IP Address       Description
Aruba MC      192.168.99.1     Internal address used as master IP address
Campus AP     192.168.99.2     Internal IP
FW #1         192.168.99.254   Internal IP
              10.0.0.1         External IP
FW #2         172.16.0.254     Internal IP
              10.0.0.2         External IP
Remote AP     172.16.0.5       Internal IP

The Aruba MC and the remote AP are behind firewalls which use NAT when accessing the internet.

1. Log in to the MC
2. Go to Configuration -> Advanced Services -> VPN Services -> IPSEC
3. Under Address Pools click Add
4. Configure an address pool for the remote APs:


5. Click Done
6. Under NAT-T check Enable NAT-T:


7. Scroll down and click Apply
8. Next go to Configuration -> Wireless -> AP Configuration and create a new group for the remote APs
9. In the group (KS-RAP in this example) go to AP -> AP system profile and create a new profile for this group:



10. In this profile make sure that the LMS IP address is the MC external IP:



11. Now go to Configuration -> Wireless -> AP Installation -> Whitelist, click on Remote AP and then click on Entries:


12. Insert the MAC address of the remote AP into the MC localdb, choose the newly created AP group (KS-RAP) and click Add:


13. Click Save Configuration on the MC to save all changes.

Next let's configure the remote AP. Connect to the RAP using a console cable:
1. Press Enter to stop the autoboot process
2. Type setenv remote_ap 1
3. Type setenv master 10.0.0.1
4. Type setenv serverip 10.0.0.1
5. Type saveenv
6. Type boot


NAT Traversal

Because the firewalls are doing NAT, we will have to use NAT traversal (UDP port 4500) to allow traffic between the MC and the RAP.
On firewall #1 we will need to configure static NAT with port forwarding, allowing UDP port 4500 to the MC (outside to inside), while on FW #2 we will need to configure a policy allowing the remote AP outbound access to UDP port 4500.

Each firewall/router configuration is different and it's not part of the scope of this post.

Remote AP Authentication

In the following example I'm using certificate-based authentication, where the RAP uses its factory-installed certificate and the MC authenticates the RAP MAC address against the localdb. This way we can pre-provision an AP that has never been connected to the MC before.
We can also use an IPsec PSK, but this requires the RAP to be connected to the MC as a campus AP prior to conversion to RAP