Roggy

Some Revision - EIGRP offset lists

2012-01-25T04:44:00.000-08:00

Every so often when reading around the internet you come across a post/email with a network related problem that makes you think "hmmmm i've never had to do that" or "that sounds like an interesting problem" - I'll lab it and see if I can find the answer.

Combine that with an area that I do not normally need to work in (EIGRP) and there you go a blog post in the making!

So here is the scenrio:

You are a network admin that looks after three sites, one main site where your offices are and two datacentres.

You have 2x100mbit links to each datacentre and the databcentres have 1x1Gbit link.

The problem:

Traffic to a certain network/host at datacentre 2 is overloading the link so we as the network admins have been asked if we can use the excess capacity on the link to datacentre 1 to spread the traffic.

First we setup the lab:

R1


interface Loopback0
 ip address 192.168.101.1 255.255.255.0
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.13.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 192.168.12.0
 network 192.168.13.0
 network 192.168.101.0
 no auto-summary
!


interface Loopback0
 ip address 10.100.10.1 255.255.255.0
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.23.2 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 10.100.10.0 0.0.0.255
 network 192.168.12.0
 network 192.168.23.0
 no auto-summary
!


interface Loopback0
 ip address 10.200.10.1 255.255.255.0
!
interface Loopback3
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.13.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.23.3 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 100
 network 3.3.3.3 0.0.0.0
 network 10.200.10.0 0.0.0.255
 network 192.168.13.0
 network 192.168.23.0
 no auto-summary
!

Now the offset lists:
R1


ip access-list standard LOOPBACK
 permit 3.3.3.3

router eigrp 100
offset-list LOOPBACK in 4000 FastEthernet0/1

Confirming...

R1


R1#sh ip route 
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback1
C    192.168.13.0/24 is directly connected, FastEthernet0/1
     3.0.0.0/32 is subnetted, 1 subnets
D       3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
D       10.100.10.0 [90/156160] via 192.168.12.2, 00:05:48, FastEthernet0/0
D       10.200.10.0 [90/156160] via 192.168.13.3, 00:05:48, FastEthernet0/1
D    192.168.23.0/24 [90/30720] via 192.168.13.3, 00:05:48, FastEthernet0/1
                     [90/30720] via 192.168.12.2, 00:05:48, FastEthernet0/0
C    192.168.101.0/24 is directly connected, Loopback0

Note this bit:

3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/158720] via 192.168.12.2, 00:03:14, FastEthernet0/0

The succesor route is from 192.168.12.2 without the offset list it would be 192.168.13.3.

Here is the output from sh ip eigrp topology all-links


R1#sh ip eigrp topology all-links 
IP-EIGRP Topology Table for AS(100)/ID(192.168.101.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status 

P 3.3.3.3/32, 1 successors, FD is 158720, serno 9
         via 192.168.12.2 (158720/156160), FastEthernet0/0
         via 192.168.13.3 (160160/132256), FastEthernet0/1
P 192.168.101.0/24, 1 successors, FD is 128256, serno 3
         via Connected, Loopback0
P 10.100.10.0/24, 1 successors, FD is 156160, serno 6
         via 192.168.12.2 (156160/128256), FastEthernet0/0
         via 192.168.13.3 (158720/156160), FastEthernet0/1
P 192.168.12.0/24, 1 successors, FD is 28160, serno 1
         via Connected, FastEthernet0/0
P 192.168.13.0/24, 1 successors, FD is 28160, serno 2
         via Connected, FastEthernet0/1
P 192.168.23.0/24, 2 successors, FD is 30720, serno 7
         via 192.168.12.2 (30720/28160), FastEthernet0/0
         via 192.168.13.3 (30720/28160), FastEthernet0/1
P 10.200.10.0/24, 1 successors, FD is 156160, serno 4
         via 192.168.13.3 (156160/128256), FastEthernet0/1
         via 192.168.12.2 (158720/156160), FastEthernet0/0

Problem solved :)

Vyatta - Hub And Spoke - OSPF over GRE over IPSEC

2011-07-13T06:58:00.000-07:00

So my planned more frequent updates to my blog did not exactly go to plan.

Oh well :) I'm posting today with a good one.

Today we are once again playing the role of a Managed Service Provider who is providing a Managed Cloud Service + Firewall the customer however has two Cisco 3745 routers.

We have two Hubs MSP-R1 and MSP-R2 both Vyatta and R1,R2 both IOS.

Here is a picture:

MSP-R1 - Set Up Interfaces:


interfaces {
    ethernet eth0 {
        address 213.111.222.1/24
        description INTERNET
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name VYATTA_IN
            }
        }
        hw-id 08:00:27:a2:7a:a9
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.45.1/24
        description TRMSPTED
        duplex auto
        hw-id 08:00:27:03:40:e0
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        hw-id 08:00:27:68:d2:71
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 1.1.1.1/32
    }
    tunnel tun0 {
        address 10.10.45.1/30
        description Linkto R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    tunnel tun1 {
        address 10.10.45.5/30
        description Linkto R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 1.1.1.1
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}

MSP-R2 - Set Up Interfaces:


interfaces {
    ethernet eth0 {
        address 213.111.222.10/24
        description INTERNET
        duplex auto
        hw-id 08:00:27:31:80:53
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.45.1/24
        duplex auto
        hw-id 08:00:27:40:cd:1e
        ip {
            ospf {
                dead-interval 40
                hello-interval 10
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 10.10.10.10/32
    }
    tunnel tun0 {
        address 10.10.45.9/30
        description Linkto R1
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 2.2.2.2
        ttl 255
    }
    tunnel tun1 {
        address 10.10.45.13/30
        description LinkTo R2
        encapsulation gre
        ip {
            ospf {
                dead-interval 6
                hello-interval 2
                priority 1
                retransmit-interval 5
                transmit-delay 1
            }
        }
        local-ip 10.10.10.10
        multicast disable
        remote-ip 3.3.3.3
        ttl 255
    }
}

R1 - Spoke set up interfaces:


interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.10.45.2 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
interface Tunnel1
 ip address 10.10.45.10 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
interface FastEthernet0/0
 ip address 76.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map MSP-MAP
!
interface FastEthernet0/1
 ip address 10.101.0.1 255.255.255.0
 duplex auto
 speed auto
!

R2 - Spoke set up interfaces:


interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
 ip address 10.10.45.6 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 1.1.1.1
!
interface Tunnel1
 ip address 10.10.45.14 255.255.255.252
 ip ospf hello-interval 2
 ip ospf dead-interval 6
 tunnel source Loopback0
 tunnel destination 10.10.10.10
!
interface FastEthernet0/0
 ip address 76.2.2.2 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
 crypto map MSP-MAP
!
interface FastEthernet0/1
 ip address 10.202.0.1 255.255.255.0
 duplex auto
 speed auto
!

MSP-R1 Set up VPN:


vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        nat-traversal enable
        site-to-site {
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 2.2.2.2/32
                }
            }
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 1.1.1.1/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}

MSP-R2 Set up VPN:


vpn {
    ipsec {
        esp-group ESP-1W {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group IKE-1W {
            dead-peer-detection {
                action restart
                interval 30
                timeout 30
            }
            lifetime 28800
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
                exclude 192.168.45.0/24
            }
        }
        nat-traversal enable
        site-to-site {
            peer 76.1.1.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 2.2.2.2/32
                }
            }
            peer 76.2.2.2 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret letmein
                }
                ike-group IKE-1W
                local-ip 213.111.222.10
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group ESP-1W
                    local-subnet 10.10.10.10/32
                    remote-subnet 3.3.3.3/32
                }
            }
        }
    }
}

R1 Set up VPN:


!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac 
!
crypto map MSP-MAP 10 ipsec-isakmp 
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM 
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp 
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM 
 match address 102
!
!
access-list 101 permit 0 host 2.2.2.2 host 1.1.1.1
access-list 102 permit 0 host 2.2.2.2 host 10.10.10.10
!

R2 Set up VPN:


crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 213.111.222.1
crypto isakmp key letmein address 213.111.222.10
!
!
crypto ipsec transform-set MSP-TRANSFORM esp-3des esp-sha-hmac 
!
crypto map MSP-MAP 10 ipsec-isakmp 
 set peer 213.111.222.1
 set transform-set MSP-TRANSFORM 
 match address 101
crypto map MSP-MAP 20 ipsec-isakmp 
 set peer 213.111.222.10
 set transform-set MSP-TRANSFORM 
 match address 102
!
!
access-list 101 permit 0 host 3.3.3.3 host 1.1.1.1
access-list 102 permit 0 host 3.3.3.3 host 10.10.10.10
!

MSP-R1 - OSPF setup


protocols {
    ospf {
        area 0 {
            network 10.10.45.0/30
            network 192.168.45.0/24
            network 10.10.45.4/30
        }
        parameters {
            abr-type cisco
            router-id 1.1.1.1
        }
    }

MSP-R2 - OSPF setup


protocols {
    ospf {
        area 0 {
            network 192.168.45.0/24
            network 10.10.45.8/30
            network 10.10.45.12/30
        }
        parameters {
            abr-type cisco
            router-id 10.10.10.10
        }
    }

R1 - OSPF setup


router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.10.45.0 0.0.0.3 area 0
 network 10.10.45.8 0.0.0.3 area 0
 network 10.101.0.0 0.0.0.255 area 0
 maximum-paths 6
!

R2 - OSPF setup


router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.10.45.4 0.0.0.3 area 0
 network 10.10.45.12 0.0.0.3 area 0
 network 10.202.0.0 0.0.0.255 area 0
 maximum-paths 6
!

Proof is in the pudding -

Routing Tables

R1:


Gateway of last resort is 76.1.1.1 to network 0.0.0.0

     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
O    192.168.43.0/24 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
                     [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
     76.0.0.0/24 is subnetted, 1 subnets
C       76.1.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.10.43.8/30 is directly connected, Tunnel1
O       10.10.43.12/30 [110/11121] via 10.10.43.9, 00:00:01, Tunnel1
C       10.10.43.0/30 is directly connected, Tunnel0
O       10.10.43.4/30 [110/11121] via 10.10.43.1, 00:00:01, Tunnel0
C       10.101.0.0/24 is directly connected, FastEthernet0/1
O       10.202.0.0/24 [110/11122] via 10.10.43.1, 00:00:01, Tunnel0
                      [110/11122] via 10.10.43.9, 00:00:01, Tunnel1
S*   0.0.0.0/0 [1/0] via 76.1.1.1

R2:


Gateway of last resort is 76.2.2.1 to network 0.0.0.0

     3.0.0.0/32 is subnetted, 1 subnets
C       3.3.3.3 is directly connected, Loopback0
O    192.168.43.0/24 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
                     [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
     76.0.0.0/24 is subnetted, 1 subnets
C       76.2.2.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       10.10.43.8/30 [110/11121] via 10.10.43.13, 00:01:29, Tunnel1
C       10.10.43.12/30 is directly connected, Tunnel1
O       10.10.43.0/30 [110/11121] via 10.10.43.5, 00:01:29, Tunnel0
C       10.10.43.4/30 is directly connected, Tunnel0
O       10.101.0.0/24 [110/11122] via 10.10.43.5, 00:01:29, Tunnel0
                      [110/11122] via 10.10.43.13, 00:01:29, Tunnel1

Vyatta to Cisco - Tunneling from ASA to Vyatta Using VMware and GNS

2010-11-13T10:12:00.001-08:00

Its been a while since my last article/lab apologies for that, hopefully I will get back to my once a week schedule (fingers crossed)

So that lab today is for connecting a Vyatta router to a Cisco ASA/PIX and creating a Lan to Lan Tunnel with some one to one src/dst NAT thrown in for good measure :)

Here is the lab:

Here is the proof that is works:

Vyatta to Cisco - Tunneling from ASA to Vyatta Using VMware and GNS from Roggy on Vimeo.

Vyatta config:

interfaces {
ethernet eth0 {
address 10.0.19.1/24
address 10.0.19.10/24
duplex auto
hw-id 00:0c:29:5d:91:c6
smp_affinity auto
speed auto
}
ethernet eth1 {
address 192.168.10.1/24
duplex auto
hw-id 00:0c:29:5d:91:d0
smp_affinity auto
speed auto
}
ethernet eth2 {
duplex auto
hw-id 00:0c:29:5d:91:da
smp_affinity auto
speed auto
}
loopback lo {
}
}
protocols {
static {
route 0.0.0.0/0 {
next-hop 10.0.19.9 {
}
}
}
}
service {
nat {
rule 5 {
destination {
address 10.20.0.0/24
}
exclude
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
rule 100 {
outbound-interface eth0
outside-address {
address 10.0.19.10
}
source {
address 192.168.10.10
}
type source
}
rule 110 {
destination {
address 10.0.19.10
}
inbound-interface eth0
inside-address {
address 192.168.10.10
}
protocol tcp
type destination
}
rule 900 {
outbound-interface eth0
source {
address 192.168.10.0/24
}
type masquerade
}
}
ssh {
allow-root
port 22
protocol-version v2
}
}
system {
host-name R1
login {
user vyatta {
authentication {
encrypted-password $1$Oxg1L7oM$v4Vi.4pW3Ai/fPFIzpDzC0
}
level admin
}
}
ntp-server 0.vyatta.pool.ntp.org
package {
auto-sync 1
repository community {
components main
distribution stable
password ""
url http://packages.vyatta.com/vyatta
username ""
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone GMT
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 3600
mode tunnel
pfs disable
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
lifetime 86400
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal enable
site-to-site {
peer 10.0.29.2 {
authentication {
mode pre-shared-secret
pre-shared-secret letmein
}
ike-group IKE-1W
local-ip 10.0.19.1
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group ESP-1W
local-subnet 192.168.10.0/24
remote-subnet 10.20.0.0/24
}
}
}
}
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "webgui@1:dhcp-server@4:conntrack-sync@1:firewall@3:qos@1:webproxy@1:vrrp@1:nat@3:ipsec@2:wanloadbalance@2:cluster@1:system@3:quagga@2:dhcp-relay@1" === */

Pix Config:

!
PIX Version 8.0(2)
!
hostname FW1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 10.0.29.2 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.20.0.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list icmp extended permit icmp any any
access-list NO-NAT extended permit ip 10.20.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.20.0.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group icmp in interface outside
access-group icmp out interface outside
access-group icmp in interface inside
access-group icmp out interface inside
route outside 0.0.0.0 0.0.0.0 10.0.29.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.19.1
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 10.0.19.1 type ipsec-l2l
tunnel-group 10.0.19.1 ipsec-attributes
pre-shared-key letmein
prompt hostname context

Enjoy!

Vyatta - Remote Access VPN with L2TP and PPTP

2010-08-23T14:10:00.000-07:00

Hi,

I have done a remote access VPN lab before - with OpenVPN. This one is with the more widely accepted L2TP and PPTP. So accepted infact that both the iphone and ipad like it too.

So here we go how to configure a VM to allow remote access from iPhone,iPad and Windows Xp.

Part1:
Introduction
Setup

Vyatta - Remote Access VPN - L2TP,PPTP -Part1 from Roggy on Vimeo.

Part2:
Setup Continued

Vyatta - Remote Access VPN - L2TP,PPTP -Part2 from Roggy on Vimeo.

Part3:
Actually Configuring L2TP and PPTP

Vyatta - Remote Access VPN - L2TP,PPTP -Part3 from Roggy on Vimeo.

Part4:
Settting up Firewall

Vyatta - Remote Access VPN - L2TP,PPTP -Part4 from Roggy on Vimeo.

Vyatta - Final 6.0 with updated VMtools for vSphere 4.1

2010-07-29T10:13:00.000-07:00

So its been a busy few weeks with all the news and related blog articles on vSphere 4.1
I finally got around to extracting vmtools 8.3.x and intergrating it into the Vyatta Appliance.

There is also something different with this release, the source code for vmtools has been modified to prevent Large Recieve Offload.LRO is defined as:

In computer networking, large receive offload is a technique for increasing inbound throughput of high-bandwidth network connections by reducing CPU overhead. It works by aggregating multiple incoming packets from a single stream into a larger buffer before they are passed higher up the networking stack, thus reducing the number of packets that have to be processed. In Linux, it is generally used in conjunction with the New API (NAPI) to also reduce the number of interrupts.

There have been a few users reporting an issue with LRO and others requesting the intergration of the latest version of VMtools..so here you go:

Download Vyatta VC 6 with LRO patch and the latest VMtools

I would like a few people to test this release and let mw know how it goes before making it live on the VAM.

References:
http://www.vyatta.org/forum/viewtopic.php?t=3030&postdays=0&postorder=asc&start=105
http://nwsmith.blogspot.com/2010/07/patching-vmxnet-to-disable-lro.html
http://en.wikipedia.org/wiki/Large_receive_offload

vSphere 4.1 and KB1011292

2010-07-20T01:05:00.000-07:00

Hi everyone,

So I have been trying to get together some hands on 4.1 videos for you guys (and girls)
however KB1011292 has been my main reason for not upgrading.

What is KB1011292 I here you ask?:
"VMware View Composer 2.0.x is not supported in a vSphere vCenter Server 4.1 managed environment as vSphere vCenter Server 4.1 requires a 64 bit operating system and VMware View Composer does not support 64 bit operating systems.

VMware View 4.0.x customers who use View Composer should not upgrade to vSphere vCenter Server 4.1 at this time. Our upcoming VMware View 4.5 will be supported on VMware vSphere 4.1."

As you know the supported way of upgrading your vSphere enviroment is like this:
1) Upgrade vCenter
2) Upgrade ESX hosts
3) Upgrade vmware tools
4) Upggrade vm hardware version.

Therefore if you run VMware View 4 with composer your trip into 4.1 greatness is going to come grinding to a halt with step 1.

Having VDI is great however it makes upgrading a pain...so roll on VMware View 4.5 with your 64bit composer.

And for those not tide to VDI here is the Vsphere upgrade guide:
Upgrade Guide

vSphere 4.1!

2010-07-13T05:00:00.000-07:00

OK, so vSphere 4.1 is out! and now the embargo is lifted I can finally share some of the awesome new features in 4.1.

Now lets be honest there are so many new and cool features in 4.1 that most other companies would probably release it as a version 5.0!But VMware release it as a point release...and that's cool.

Enough of the chit chat you did not come here to hear how great VMware is, its more about what are these new features? Is it worth upgrading to? and are they worth all the fuss?

So the features:

and here is a summary of the features that I think really count and why:

1)Storage I/O control
Prioritized use of storage (similar to how compute is prioritized with vSphere)
this means you can now make sure that your "VIV"s or Very Important VMs get the IO they need when you have IO congestion. This is done via the I/O Shares within the VM properties.

2)Network I/O Control
Set different levels of service per Storage Flow type.
virtual machine, vMotion, FT, and IP storage traffic.
This means you can make iSCSI or NFS take priority over vMotion.
But there is a gotcha:
Enabled with Distributed Switch only and therefore Enterprise Plus only

3)Memory Compression
Slower than real memory but much faster than swapping to disk.
Improves the performance for the VM when under contention as far less memory is swapped to disk.

4)vMotion Performance Increases and Scale Increases
Allows up to 4 on a 1Gbps network and 8 on a 10Gbps network.

5) Storage vMotion Scale Increases
Allows up to 128 (both VMFS and NFS)

6) DRS Host affinity
Allows you set set rules on where your VMs vMotion to when DRS needs to move them.
e.g. VM W2003-DC1 only goes to DRS Group 1, however VM W2003-Exchange only goes to DRS Group 2.

Here is where you create the rules:

7)vStorage API for Array Integration
This is another great feature (if supported by your SAN),
essentially this means vSphere can interact directly with your SAN.
Therefore instead of copying the files from one datastore to another, it instructs the SAN to move the blocks for you! Increasing the performance for Storage vMotion and Provisioning VMs etc

Also noteworthy:
4.1 will be the last release for ESX (ESX Classic) from now on there will only be ESXi releases

The binaries are avalible now so go grab them!

References:
Thanks for John Toyer@vmware

Download my videos!

2010-07-09T02:27:00.000-07:00

Hi Everyone,

I noticed last night (and was messaged by a few people) that some of my latest videos seem to have been encoded in a lower resolution, therefore I have reencoded, reupped and reembedded these videos.

However I wanted to take this opportunity to let you know that one of the reasons I chose Vimeo is that you can download my videos for free!
Registration is much quicker than most, you can download all my videos and then play them back any time.

Once you register you will see a "Download Video" option on the right hand side.

Here are some links to get you started:
Vyatta Internet Gateway
Vyatta Remote Access OpenVPN lab with NAT and Firewall setup
Vsphere within VMware Workstation 7 Part 1
Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler - Part 1
Router on a Stick within vSphere using Vyatta and Optimizing for 1Gbps Routing - Part 1

Enjoy (offline!)

Setting up Windows 2008 Network LoadBalancing with vSphere

2010-07-04T13:09:00.000-07:00

So I came across a few posts recently during my travels where a couple of
people were having issues with setting up Windows Network Load Balancing within
vSphere and in particular with Distributed vSwitches.

So here we go - how to setup NLB with IIS:

And here is the video:
1)Setting up NLB
2)Going through setup of vSphere Enviroment
3)Installing IIS
4)Testing for Failure
5)Going Through the vDS settings

Setting up Windows Network Load Balancing within vSphere from Roggy on Vimeo.

Enjoy!

Roggyblog on Twitter!

2010-06-20T15:25:00.000-07:00

If you have a question/suggestions tweet me:
@roggyblog

New Vyatta Appliance!

2010-06-20T14:59:00.000-07:00

This is the most up to version of the VC6.0 release (June 01, 2010)
with VMware tools installed and ready to go.

Here is the download from VMware:
http://www.vmware.com/appliances/directory/383813

and the direct link:
here

VMware View 4 - Tour!

2010-06-20T14:46:00.000-07:00

Hey Everyone,

This is a long overdue video however it should be worth it :)

Hopefully this video will help those of you trying to get to griping with VDI/VMware View and answers questions like:

1) What is the composer? What does it do?
2) What is the agent? How do I fix "waiting for agent"?
3) What is PCoIP?
etc..

Reference Diagram:

Part 1:
Tour of VMware View 4
Components Required
Where to install components
What each bit does

VMware View 4 - Part 1 from Roggy on Vimeo.

Part 2:
Using the VMware View Manager
Desktop pools
Entitlement
Playing 720p video within VMware View Client with PCoIP

VMware View 4 - Part 2 from Roggy on Vimeo.

Enjoy!

Sources:
Picture taken from here (ty!):
http://www.ntpro.nl/blog/uploads/

Multipathing and Multiple Connections Per Session - Two sides of the same iSCSI coin?

2010-06-13T07:53:00.000-07:00

One again a record breaking title for a post! lets hope my google-fu is not
effected by long titles...or I'm in real trouble ;)

So I was working today on something that envolved me testing iSCSI functionality with Windows Server 2008.
While I was waiting for the VM to come up, I set about testing the iSCSI initiator within Windows 7.

What interested me most was a feature called "MCS" which stands for Multiple Connections Per Session and is defined within RFC-3720 and as such a a protocol level feature that allows features we have previously seen with MPIO.

Here is how to get there:

Load the iscsi software from Control Panel->Administative Tools->iSCSI Initiator:
Pic1:

Select the Target from the list click "properties"
Pic2:

Select the MCS policy you wish to have, I selected "fail over only" which is the same
as "fixed" in MPIO world.

Pic3:

You probably will only have one session at the moment, therfore click "add"
Dont click "connect"!
Pic4:

Click "Advanced"
Here is where you pick the other iSCSI target portal.
Pic5:

And thats great! we have a redundant path to our iSCSI targets..but notice this button:
Pic6:

Hmm MPIO is not avalible within Windows 7, which is fine as MCS pretty much gets us to the same place (Inface some say MCS is better) however with Windows Server 2008 we have the option of MPIO so lets give it a go!

First thing to remember is that MPIO is a driver thing so if you have an EMC,3par,netapp,Dell etc device they all have MPIO driver for Windows 2008 so you need to follow their instructions (and look for DSM instructions), here we are using Windows 2008 Software iSCSI Initiator and Windows Server 2008 native MPIO driver.

When you install/start iscsi on windows server 2008 it asks you to install MPIO, if you said no..or just forgot install MPIO like this:

From the "Add features Wizard"
Pic1:

Once installed select MPIO from Control Panel click "Add support for iSCSI devices"
then reboot (p.s. here is where you would add the 3rd Party DSM drive btw)
Pic2:

Go Back to the iscsi Initiator (within Administrative tools)
Pic3:

Select the target click properties
Pic4:

Highlight the sessions click "Devices..."
Pic5:

Click MPIO and select the Policy you want
Pic6:

Hope that helps someone out there!

Sources:
http://www.ietf.org/rfc/rfc3720.txt

http://www.windowsitpro.com/article/virtualization2/Q-With-iSCSI-what-s-the-difference-between-Multipath-I-O-MPIO-and-multiple-connections-per-session-MCS-.aspx

Thank You VMware - vExpert for Roggy!

2010-06-06T03:12:00.000-07:00

A certain sense of disbelief hit me when I received the email from John Troyer letting me know that I had become a vExpert 2010.
It is an honour to be given this award especially considering the company I am in and the sites they have created:
Duncan Epping Yellow Bricks
Edwin Friesen Thinstall Guru
Eric Sloof NTPRO.NL
These sites are not only unique but also technically outstanding and if you have not bookmarked them already I suggest you do!
So thank you VMware and thank you John Troyer for making giving back to the community so easy

Basic BGP - Path Selection with Vyatta

2010-06-04T04:29:00.000-07:00

There is actually very little BGP documentation out there on Vyatta, which is strange as if there is one real strength of Vyatta it is BGP.
This set of videos is all about BGP and if it proves popular I will do some more with some more advanced features.

Here is the Picture:

Basic BGP - Path Selection with Vyatta -Part 1
General Setup

Basic BGP - Path Selection with Vyatta -Part 1 from Roggy on Vimeo.

Basic BGP - Path Selection with Vyatta -Part 2
Checking BGP peering
Adding Next-hop-self

Basic BGP - Path Selection with Vyatta -Part 2 from Roggy on Vimeo.

Basic BGP - Path Selection with Vyatta -Part 3
Creating ACLs
Creating Prefix Lists
Creating Route-maps
Setting Local Pref
Setting Med
Clearing a Peer

Basic BGP - Path Selection with Vyatta -Part 3 from Roggy on Vimeo.

Although it can seem a little boring, I always like to include the full configs:
R1


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 172.12.123.1/24
        description R1-R2-R3
        duplex auto
        hw-id 00:0c:29:fe:17:2d
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        duplex auto
        hw-id 00:0c:29:fe:17:37
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        duplex auto
        hw-id 00:0c:29:fe:17:41
        smp_affinity auto
        speed auto
    }
    loopback lo {
        address 5.5.5.5/24
        address 6.6.6.6/24
        address 7.7.7.7/24
        address 8.8.8.8/24
    }
}
policy {
}
protocols {
    bgp 1 {
        neighbor 172.12.123.2 {
            remote-as 234
        }
        neighbor 172.12.123.3 {
            remote-as 234
        }
        redistribute {
            connected {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    host-name R1
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
        repository VC6 {
            components main
            distribution VC6.0
            password ""
            url http://packages.vyatta.com/vyatta/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 172.12.123.2/24
        description R1-R2-R3
        duplex auto
        hw-id 00:0c:29:fa:84:8d
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 172.12.234.2/24
        description Inside
        duplex auto
        hw-id 00:0c:29:fa:84:97
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description DMZ
        duplex auto
        hw-id 00:0c:29:fa:84:a1
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
policy {
    access-list 100 {
        rule 10 {
            action permit
            destination {
                any
            }
            source {
                any
            }
        }
    }
    access-list 150 {
        rule 10 {
            action permit
            destination {
                any
            }
            source {
                inverse-mask 0.0.0.255
                network 172.12.234.0
            }
        }
    }
    route-map SET-LOCAL-PREF {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        access-list 100
                    }
                }
            }
            set {
                local-preference 301
            }
        }
    }
    route-map SET-MED {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        access-list 150
                    }
                }
            }
            set {
                metric 201
            }
        }
        rule 20 {
            action permit
            match {
                ip {
                    address {
                        access-list 100
                    }
                }
            }
        }
    }
}
protocols {
    bgp 234 {
        neighbor 172.12.123.1 {
            remote-as 1
            route-map {
                export SET-MED
            }
        }
        neighbor 172.12.234.4 {
            nexthop-self
            remote-as 234
            route-map {
                export SET-LOCAL-PREF
            }
        }
        redistribute {
            connected {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    host-name R2
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
        repository VC6 {
            components main
            distribution VC6.0
            password ""
            url http://packages.vyatta.com/vyatta/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 172.12.123.3/24
        description R1-R2-R3
        duplex auto
        hw-id 00:0c:29:21:bd:6f
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 172.12.234.3/24
        description R2-R3-R4
        duplex auto
        hw-id 00:0c:29:21:bd:79
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description DMZ
        duplex auto
        hw-id 00:0c:29:21:bd:83
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
policy {
    access-list 150 {
        rule 10 {
            action permit
            destination {
                any
            }
            source {
                inverse-mask 0.0.0.255
                network 172.12.234.0
            }
        }
    }
    prefix-list ALL-ROUTES {
        rule 10 {
            action permit
            le 32
            prefix 0.0.0.0/0
        }
    }
    route-map SET-LOCAL-PREF {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        prefix-list ALL-ROUTES
                    }
                }
            }
            set {
                local-preference 201
            }
        }
    }
    route-map SET-MED {
        rule 10 {
            action permit
            match {
                ip {
                    address {
                        access-list 150
                    }
                }
            }
            set {
                metric 101
            }
        }
        rule 20 {
            action permit
            match {
                ip {
                    address {
                        prefix-list ALL-ROUTES
                    }
                }
            }
        }
    }
}
protocols {
    bgp 234 {
        neighbor 172.12.123.1 {
            remote-as 1
            route-map {
                export SET-MED
            }
        }
        neighbor 172.12.234.4 {
            nexthop-self
            remote-as 234
            route-map {
                export SET-LOCAL-PREF
            }
        }
        redistribute {
            connected {
            }
        }
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    host-name R3
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
        repository VC6 {
            components main
            distribution VC6.0
            password ""
            url http://packages.vyatta.com/vyatta/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 172.12.234.4/24
        duplex auto
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address dhcp
        duplex auto
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
protocols {
    bgp 234 {
        neighbor 172.12.234.2 {
            remote-as 234
        }
        neighbor 172.12.234.3 {
            remote-as 234
        }
        redistribute {
            connected {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    host-name R4
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
        repository VC6 {
            components main
            distribution VC6.0
            password ""
            url http://packages.vyatta.com/vyatta/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */

VMware Storage Alphabet Soup and Making the Most of VMwares Multipathing

2010-05-16T12:22:00.000-07:00

Having recently moved into an enviroment where the storage is a little alien to me, I thought would be helpful to buff up on some storage knowledge and thought it might help some readers too.
Here is a diagram of a midrange san:

(Thanks Virtualgeek for this picture)

See the two items list as "Data Processor(head) A" and "Data Processor(head) B"?
Traditionally if you are using Active/Active Processor array you should use "Fixed" as the Multipathing method and In an Active/Passive array use "MRU".

However this changed with:
ALUA:Symmetric Logical Unit Access
Essentially in midrange san enviroments (EMC Clariion etc), this allows an unoptimized and an optimized path to a lun through different heads.

ESX(4) the HBA is aware of optimized and unoptimized paths as it knows which head has control of the LUN!
Suddenly we can use MRU with Active/Active heads.

MRU Most recently used:Use the Optimized Path unless it is not avalible then use the Unoptimized path (ESX 4.0/vSphere only)

Fixed: Always use this LUN unless it is unavalible.

NMP:Native MultiPath Driver:

MMP:Multipath Plugin (EMC Powerpath)

Round Robin: Within ESX server's iSCSI HBA it sends 4000 IO blocks down one path then moves to the next path.

Custom Policy:
Use the following commmand to tweak the iSCSI HBA
esxcfg-mpath --lun vmhba32:0:8 --policy custom --custom-hba-policy any --custom-max-blocks 1024 --custom-max-commands 50 --custom-target-policy any

References:
http://www.vmware.com/pdf/vi3_35/esx_3/r35/vi3_35_25_iscsi_san_cfg.pdf
http://www.vmware.com/pdf/vi3_35_25_roundrobin.pdf
http://virtualgeek.typepad.com/virtual_geek/2009/09/a-couple-important-alua-and-srm-notes.html
http://virtualgeek.typepad.com/virtual_geek/2008/08/celerra-virtual.html

Having problems connecting Outlook 2007 to Exchange 2003? SPN might be to blame

2010-05-16T12:10:00.000-07:00

Afternoon,

I was having some problems today connection Outlook 2007 to an Exchange 2003 SP2 box today.

Here is the Error message that was being recieved:


The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

After a couple of hours playing around I managed to narrow this down to Outlook 2007 now authenticating with kerberos and not being able to find the Service Prinical Name for the global catalog server.

Authentication via Outlook 2003 (NTLM) was perfect, as was HTTPS (OWA) this was just affecting Kerberos.

Here is how I fixed it:
1) Install Windows Server 2003 Support tools:SUPPTOOLS.MSI
2)Run setspn -L ExchangeServerName you will see something like this:


Registered ServicePrincipalNames for CN=,CN=Computers,DC=example,DC=com:
   exchangeAB/
   exchangeAB/.example.com
   exchangeMDB/
   exchangeMDB/.example.com
   exchangeRFR/
   exchangeRFR/.example.com
   SMTPSVC/
   SMTPSVC/.example.com
   HOST/
   HOST/.example.com

exchangeAB/
exchangeAB/.example.com

The above line is the one we are interested in. We need to change it:


setspn -D exchangeAB/ExchangeServerName ExchangeServerName
setspn -D exchangeAB/ExchangeServerName.example.com ExchangeServerName

Then re-add the details:


setspn -A exchangeAB/GlobalCatalogServerName GlobalCatalogServerName 
setspn -A exchangeAB/GlobalCatalogServerName.example.com GlobalCatalogServerName

The output from setspn should now be:


Registered ServicePrincipalNames for CN=,CN=Computers,DC=example,DC=com:
   exchangeMDB/
   exchangeMDB/.example.com
   exchangeRFR/
   exchangeRFR/.example.com
   SMTPSVC/
   SMTPSVC/.example.com
   HOST/
   HOST/.example.com

Note the ExchangeAB SPNs are gone as they are now pointing to the domain controller (GC)

Reference List:
http://support.microsoft.com/kb/927612/en-us

Using VMware View with Network cards as Removeable Devices

2010-05-06T14:00:00.000-07:00

This is only going to be a quick on hopefully :)

For those that do not know vmware presents most of their nics as removeable/USB devices PCNET(Vlance),Intel e1000 and vmxnet,vmxnet2,vmxnet3 this is to allow the feature of "hot add" which is a great way off adding hardware to a VM without powering the machine off.

Today whilst playing around it was highlighted to me that some "adventurous" VM View users that had USB enabled used that oppurtunity to disable the network card. Forcing the intervention of the admin from the cloud to re-add the vnic

Heres a couple of ways around it:

1) Use the configuration options to add "devices.hotplug" = "false" like this:

*Also does not affect cpu/mem hotplug

2) Edit the *.vmx file and add:


devices.hotplug = "false"

3) Hide the "safelty remove hardware option" like this:

4) Use the "NoDisplayClass" to customize the driver *yuck!

Hope that helps someone out there!

Source:http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1012225&sliceId=1&docTypeID=DT_KB_1_1&dialogID=64244650&stateId=0%200%2067543541
*NB:Using VMXnet3 does not disable hot plug as indicated in the KB

Using HSRP,CARP and VRRP within VMware

2010-05-05T15:23:00.000-07:00

Hi all,

Just a quick note incase it helps anyone else out there.

I was recently in a lab moving from a vSS (Virtual Standard Switch) over to a vDS (Virtual distributed switch) when I came across and issue with a Pfsense box.

I had two VMs using CARP (which is like HSRP or VRRP) to push about a highly avalible IP address.
Now most vm admins out there will work out that for VRRP or CARP to work you need to enable "Promiscuous Mode" within the vSS or within the port group.

The issue I came across was with Promiscuous Mode and one uplink port (vDS or vSS) CARP was working perfectly however on adding the second uplink port to the vDS, pings to the CARP address were dropping.

Therefore - lesson learned was: When load balaning across multiple nics (or uplink ports in vDS terminology) you need to also be using the load balancing method of "Route Based on IP hash" (with accompanying switch config) if you plan to use CARP or VRRP else it will not work!

Vyatta VC 6 - Final with VMware Tools Included

2010-04-13T10:30:00.000-07:00

Hi Everyone,

Vyatta Released VC 6.0 late last month and although it did include OpenVM-tools which is great, there are a few people out there (myself included) who really want a VM to come already included with VMware tools and VMxnet3 especially performance matters at all to you :)

Sorry for the delay in getting this out, however compiling VMware tools for the Vyatta 2.6.31 custom kernel was not as easy as I had planned.

Here is the listing with VMware:
http://www.vmware.com/appliances/directory/383813

and here is the direct link:
VyattaVC6-Final.zip

And once you have downloaded it, why not give one of my labs ago here

Enjoy!

Router on a Stick within vSphere using Vyatta and Optimizing for 1Gbps Routing

2010-04-13T08:01:00.000-07:00

Vyatta have released VC6.0 final so I thought I would modify it a little by removing Openvm-tools and replace it with VMware tools, configure it with vmxnet 3 then bring it all together within vSphere for some iPerf benching.

So here we have the "Router on a stick" where we use a Vyatta VM to route between two VM networks with VLAN Trunk then optimize with Jumbo Frames (MTU 9000) on the vnics,vswitch and changing adapter types.

Part 1

Lab Setup
Configuration of Vyatta
Configuration of vSphere (VLAN Trunk)
Configure Routing
Benchmark using iPerf

Router on a Stick within vSphere using Vyatta and Optimizing for 1Gbps Routing - Part 1 from Richard Vimeo on Vimeo.

Part 2
Configuring Jumbo frame on guests
Configuring Jumbo frame on vSwitch
Changing vNic type
Benchmark with iPerf

Router on a Stick within vSphere using Vyatta and Optimizing for 1Gbps Routing - Part 2 from Richard Vimeo on Vimeo.

Here is the KB relating to why Windows XP (32bit) and Windows Server (32bit) come up with a 1.4Gbps link speed for 10Gbps drivers/adapters.
http://support.microsoft.com/kb/931857

And for those that cannot wait for the VMware Appliance here is the link to:
Vyatta VC 6.0 - Final with VMware Tools

Vyatta Config


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
        duplex auto
        firewall {
            in {
                name ALLOW_ESTABLISHED
            }
            local {
                name ALLOW_ESTABLISHED
            }
        }
        hw-id 00:50:56:83:39:3e
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
  MTU 9000
        description Inside
        duplex auto
        hw-id 00:50:56:83:70:c3
        smp_affinity auto
        speed auto
        vif 10 {
            address 192.168.10.1/24
            description VLAN-10
        }
        vif 20 {
            address 192.168.20.1/24
            description VLAN-20
        }
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:50:56:83:51:b7
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            description VLAN10
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
        shared-network-name POOL2 {
            authoritative disable
            description VLAN20
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                domain-name vyatta.local
                lease 86400
                start 192.168.20.10 {
                    stop 192.168.20.240
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1.10
            listen-on eth1.20
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 20 {
            outbound-interface eth0
            source {
                address 192.168.20.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root
        port 22
        protocol-version v2
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
        repository VC6 {
            components main
            distribution VC6.0
            password ""
            url http://packages.vyatta.com/vyatta/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@2:nat@3:quagga@1:system@3:vrrp@1:wanloadbalance@2:webgui@1:webproxy@1" === */
/* Release version: VC6.0-2010.03.22 */

Enjoy!

Managed Service Provider using Vyatta (OpenVPN Client Specific Subnets) and PRTG to monitor Customers

2010-03-31T09:01:00.000-07:00

Possibly my longest title ever?
As the intro says this is a bit of roleplay for us, we are setting up the lab as a Managed Service Provider (MSP) who wishes to have a way to tunnel in (or in this case have the client tunnel out) to HQ where we can monitor all the goodies that PRTG can monitor remotely.

Heres the diagram:

Intro Video and lab setup:

Managed Service Provider using Vyatta (OpenVPN) and PRTG to monitor Customers - Part 1 from Richard Vimeo on Vimeo.

Part 2
Setup of connectivity
Setup OpenVPN Server with client specific info
Setup OpenVPN Client
Using Easy-RSA to generate certificates and keys
Securing interfaces with Firewall
Securing vtun0 interface with firewall

Managed Service Provider using Vyatta (OpenVPN) and PRTG to monitor Customers - Part 2 from Richard Vimeo on Vimeo.

Enjoy!

Network Monitoring/Sniffing using vSphere and PRTG Redux

2010-03-24T05:14:00.000-07:00

Hi,

As ever I try and bring you guys (and girls?) something a little different :)
After completing this video here and being in contact directly with PRTG it came to my attention that the version I was using "PRTG Traffic Grapher V6" was EOL and the new version "PRTG Network Monitor" is the successor.
Network Monitor does have alot of cool new features including an iPhone app (cant wait for a droid version) and the best bit...they were kind enough to provide me with a copy of PRTG Network Monitor V7 for this video.

Part1
A cool tour of some of the features of PRTG Network Monitor V7 and how we use our virtual machine to monitor our voice network

Network Monitoring/Sniffing using vSphere and PRTG Ver 2 - Part 1 from Richard Vimeo on Vimeo.

Part2
This video actually shows you how we set the whole thing up!

Network Monitoring/Sniffing using vSphere and PRTG Ver 2 - Part 2 from Richard Vimeo on Vimeo.

Windows 2003 Clustering with EMC Celerra VM

2010-03-22T15:01:00.000-07:00

So its almost coming up for a year since I really gave this blogging thing ago, it reminded me of my first videos, back when I was using VMware's built in tools to record video (which actually are not that bad!) however on my travels I bumped into this article here

And in most of previous labs that required clustered storage Ive used Openfiler, which is great, however when I try and do lab I like to do an Open and a Closed Source version like here
Testing Vyatta with QoS and Asterisk(Elastix)
where I used an Opensource router and PBX
then here a closed version
Testing QoS with Cisco Call Manager and SIP,RTP

So in that vain here we go:

Windows 2003 Clustering with EMC Celerra VM -Intro
A tour of a Windows 2003 cluster with clustered File Share using EMC Celerra as the iSCSI target.

Windows 2003 Clustering with EMC Celerra VM -Intro from Richard Vimeo on Vimeo.

Windows 2003 Clustering with EMC Celerra VM -Part1
In this video we do the majority of the setting up from domain controller to iSCSI LUN masking, its all here!


Some Commands you might find handy:
Change hostname /etc/host - new ip address hostname
/etc/sysconfig/network - domainname=cookie.local
   
hostname=cel1
service network restart


export NAS_DB=/nas
(root - ssl trust)
/nas/sbin/rootnas_cel -list
/nas/sbin/rootnas_cel -update id=0
/nas/sbin/nas_config -ssl
/nas/sbin/js_fresh_restart
nas_license -init

/opt/blackbird/tools init_storageID

Windows 2003 Clustering with EMC Celerra VM -Part1 from Richard Vimeo on Vimeo.

Windows 2003 Clustering with EMC Celerra VM -Part2
Using "cluster administrator" to create our new cluster and add a new node..

Windows 2003 Clustering with EMC Celerra VM -Part2 from Richard Vimeo on Vimeo.

Windows 2003 Clustering with EMC Celerra VM -Part3
Testing!

Windows 2003 Clustering with EMC Celerra VM -Part3 from Richard Vimeo on Vimeo.

Sources:
http://virtualgeek.typepad.com/virtual_geek/2008/08/celerra-virtual.html

Network Monitoring/Sniffing using vSphere and PRTG

2010-03-11T14:46:00.000-08:00

Hopefully this is an interesting video, as it combines using a vSphere infrastructure to get visibility of both your virtual and non-virtual networks.

Part 1
Quick tour of the Network Monitoring setup

Network Monitoring/Sniffing using vSphere and PRTG - Part 1 from Richard Vimeo on Vimeo.

Part 2
Setup VM
Setup Switch
Setup Vlan trunk (switch,port group,vSwitch)
Installing PRTG

Network Monitoring/Sniffing using vSphere and PRTG - Part 2 from Richard Vimeo on Vimeo.

Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler

2010-03-09T12:23:00.000-08:00

Another awesome lab/demo for you today ;)

But seriously, after finding the general documentation to be a bit lacking regarding clustering (especially with regards to the extra quorum vote)

Heres hoping that this lab will allow you to work out how clusters work and implement it within your company.

A diagram for your viewing pleasure:

Part1
VMware Lab Setup
Node Setup
iSCSI setup
Quorum Setup
Helpful Commands:


system-config-network
edit /etc/hosts
service network restart
yum groupinstall "Clustering"
yum groupinstall "Cluster Storage"
yum groupinstall "Windows File Server"
chkconfig --del smb
yum install iscsi-initiator-utils
service iscsi start
iscsiadm -m discovery -t sendtargets -p 192.168.1.3
service iscsi restart
fdisk -l
mkqdisk -c /dev/sdb -l quorum
luci_admin init

Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler - Part 1 from Richard Vimeo on Vimeo.

Part2
GFS2 Setup
Configuring using Luci
Quorum setup cont
Helpful Commands:


mkfs.gfs2 -p lock_dlm -t cluster1:sanvol1 -j 4 /dev/sdc
mkdir /san
mkdir /san/sanvol1
service ricci restart
service qdiskd restart
chkconfig luci on
chkconfig qdiskd on
(do node2)

use luci to create cluster


Quorum parameters:
interval=1
votes=1
tko=10
min score=1
heuristics=ping -c2 -t1 192.168.1.3

mount /dev/sdc /san/sanvol1
gfs2_tool  list
gfs2_tool df 
umount /san/sanvol1

cman_tool status

Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler - Part 2 from Richard Vimeo on Vimeo.

Part 3
Configuring Fencing, Failover Domain, Resources
and Services.
Helpful Commands:


Configure Resources:
IP
GFS
Samba

Configure failover Domains

Configure Shared Fencing Device (then nodes)

Add Services

workgroup = cookie
        server string = Samba Server Version %v
        bind interfaces only = yes
        interfaces = 10.0.1.100
        netbios name = cluster1
        local master = no
 domain master = no
 preferred master = no
 password server = None
 guest ok = yes
 guest account = root
 security = SHARE
 dns proxy = no




[sanvol]
        comment = High Availability Samba Service
        browsable = yes
        writable = yes
        public = yes
        path = /san/sanvol1
        guest ok=yes
        create mask=0777

smbpasswd -a root

scp /etc/samba/smb.conf.cluster1 node2:/etc/samba/

restart smb

redo services - ip-GFS-samba

soft reboot

Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler - Part 3 from Richard Vimeo on Vimeo.

Part 4
Testing!

Samba Cluster with GFS 2, Centos 5, iSCSI and Openfiler - Part 4 from Richard Vimeo on Vimeo.

Enjoy!

Wired 802.1x Port Authentication with Certificate Auto Enrolment

2010-03-03T06:34:00.000-08:00

As we all know compliance is one of the biggest issues facing companies at the moment leading some IT departments to take a look at 802.1x as a way of controlling and securing access to their wired networks.

The main reason for this post is there are a few articles out there that have mis-truths and incorrect facts within them, often due to them having not implemented the technologies themselves.

Here is the lab:

So here we go:
Part1
GNS Setup
VMware Workstation Setup
Domain Controller Setup

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part1 from Richard Vimeo on Vimeo.

Part 2
Certificate Service Setup
Certifcate Templates
Switch Setup
IAS/Radius install
Auto Enrolment

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part2 from Richard Vimeo on Vimeo.

Part 3
IAS Setup
Extra Switch Config
Flicking the Switch! (on the switch)
Testing
Event Log Messages

Wired 802.1x Port Authentication with Certificate Auto Enrolment Part3 from Richard Vimeo on Vimeo.

PFN_LIST_CORRUPT - International Update your VMwareTemplates Day!

2010-02-09T07:16:00.000-08:00

Ok perhaps it isnt "International Update your VMware Templates Day"
However as VMware admin it is too easily left of the upgrade list.

Normally when moving from, for example ESX 4 to ESX 4U1, the procedure is this:

1) Update VCenter
2) Update ESX hosts
3) Update VMs (vmware-tools)..then VM/HW version

But do not for get templates!

I recently bumped into a case where an old version of vmware tools (from ESX 3U3) was causing issues being deployed. It started with a Blue screen of death "PFN_LIST_CORRUPT" then programs crashing/not responding.

It was tracked back to an old VDI Windows XP 32bit image using a very old version of vmware tools.

Once the Template was upgraded the issue was fixed!

p.s. if you want to upgrade vmware tools on multiple hosts without rebooting your production boxes..look here

3 Way Load Balancing With DMZ Exceptions

2010-02-09T07:01:00.001-08:00

Here is the lab:

Here is the how to:
3 Way Load Balancing With DMZ Exception -Part1
Setup of the Lab in VMware
Setup of Basic BGP

3 Way Load Balancing With DMZ Exception -Part1 from Richard Vimeo on Vimeo.

3 Way Load Balancing With DMZ Exception -Part2

Set up of R1
NAT setup
Setup of Load Balancing
Installing IPtraf

3 Way Load Balancing With DMZ Exception -Part2 from Richard Vimeo on Vimeo.

3 Way Load Balancing With DMZ Exception -Part3
Correcting Some errors
Destination Nat for DMZ
Firewall Setup

3 Way Load Balancing With DMZ Exception -Part3 from Richard Vimeo on Vimeo.

3 Way Load Balancing With DMZ Exception -Part4
Testing Loadbalancing with speedtest.net
Round up

3 Way Load Balancing With DMZ Exception -Part4 from Richard Vimeo on Vimeo.

Vyatta - Load Balancing with Exceptions

2010-02-04T11:43:00.000-08:00

Currently working on this lab:

VMware and Active Directory Replication

2010-01-27T02:25:00.001-08:00

Just thought I would drop a note for those that use VMware for tier 2 server roles (most people) and probably are using snapshots/clone etc.

I have been troubleshooting a vMotion issue with a client recently where One particular VM (a domain controller) would Vmotion fine, yet after a fine hours would BSOD, however all the other VMs hosted on this host were fine.

After a couple of days troubleshooting we managed to work out the issue was a faulty bank of RAM when going over 8GB+.
This meant that if you close a few VMs bring over a new VM, as long as total utilization was under 8GB you were fine, however once you went over 8GB with a VM, that VM was the one to suffer!

During the troubleshooting process this particular VM was migrated in various ways storage then host, then storage and host in one go,cloned,snapshoted etc etc only once the VM was stable and the RAM replaced the fun with AD then started.

The troubleshooting within VMware had caused a little issue with AD.
Here is the main message (amongst a fair few):


Event Type: Error
Event Source: NTDS General
Event Category: Service Control 
Event ID: 2103
Date:  26/01/2010
Time:  20:37:18
User:  NT AUTHORITY\ANONYMOUS LOGON
Computer: DCV2
Description:
The Active Directory database has been restored using an unsupported restoration procedure. 
 
Active Directory will be unable to log on users while this condition persists. As a result, the Net Logon service has paused. 
 
User Action 
See previous event logs for details.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And for those that like pictures :)

MS knows this as a "USN rollback condition" and talks about it endlessly here

So what was the fix?
Well the VM did have some FSMOs roles, so after "Seizing the roles" ran this command on the DC I was getting the above eventids on:


repadmin /options DC_Name -disable_inbound_repl -disable_outbound_repl

then ran dcpromo (to demote the controller) rebooted and ran dcpromo again (to promote the controller)and all was back to normal.

Although this issue was not directly related to vmware (could of just as easily happened with SAN snapshots or norton ghost) it is something to look out for when snapshoting/cloning and troubleshooting VM issues where the VM is looking after a tier 2 distributed app.

Vyatta - Example of OpenVPN infront of Microsoft ISA Server

2010-01-21T11:57:00.001-08:00

Another day another lab :)

This scenrio was given to me by someone who stopped by the blog and wondered if it was possible to swap out some of the kit infront of his ISA box with Vyatta...the answer of course was yes!
Here is the diagram:

Here are the videos:
Part1:
Initial Setup and Testing

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 1 from Richard Vimeo on Vimeo.

Part2:
Second part of the lab setup

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 2 from Richard Vimeo on Vimeo.

Part 3
Load Balancing
Certificate Setup
OpenVPN Site to Site setup

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 3 from Richard Vimeo on Vimeo.

Part 4:
Certificate Setup/signing/installing etc
OpenVPN Site to Site setup continued..
OpenVPN Remote Access setup (+Client)

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 4 from Richard Vimeo on Vimeo.

Part 5
DMZ Setup
DMZ Routing & NAT
Testing!

Vyatta - Example of OpenVPN infront of Microsoft ISA Server - Part 5 from Richard Vimeo on Vimeo.

Configs!
R1


/**********************************************************************\
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 98.63.88.81/29
        address 98.63.88.82/29
        address 98.63.88.83/29
        address 98.63.88.84/29
        address 98.63.88.85/29
        description ISP1
        duplex auto
        hw-id 00:0c:29:7f:b2:7d
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 75.93.91.193/29
        address 75.93.91.194/29
        address 75.93.91.195/29
        address 75.93.91.196/29
        description ISP2
        duplex auto
        hw-id 00:0c:29:7f:b2:87
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        address 10.0.12.1/24
        description R1-ISA
        duplex auto
        hw-id 00:0c:29:7f:b2:91
        smp_affinity auto
        speed auto
    }
    ethernet eth3 {
        address 10.0.2.1/24
        description R1-DMZ
        duplex auto
        hw-id 00:0c:29:7f:b2:9b
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        local-host 98.63.88.81
        mode server
        replace-default-route {
        }
        server {
            subnet 10.1.8.0/24
        }
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r1.crt
            dh-file /etc/openvpn/dh1024.pem
            key-file /etc/openvpn/r1.key
        }
    }
    openvpn vtun1 {
        local-address 10.1.9.1
        local-host 75.93.91.193
        mode site-to-site
        remote-address 10.1.9.2
        remote-host 213.123.123.10
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r1.crt
            dh-file /etc/openvpn/dh1024.pem
            key-file /etc/openvpn/r1.key
            role passive
        }
    }
}
load-balancing {
    wan {
        flush-connections
        interface-health eth0 {
            failure-count 2
            nexthop 98.63.88.86
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 98.63.88.86
            }
        }
        interface-health eth1 {
            failure-count 1
            nexthop 75.93.91.198
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 75.93.91.198
            }
        }
        rule 10 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface eth2
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 20 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface eth3
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
        rule 30 {
            destination {
                address !10.0.0.0/16
            }
            inbound-interface vtun0
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
    }
}
protocols {
    static {
        interface-route 10.0.10.0/24 {
            next-hop-interface vtun1 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 75.93.91.198 {
            }
            next-hop 98.63.88.86 {
            }
        }
        route 10.0.0.0/24 {
            next-hop 10.0.12.2 {
            }
        }
        route 10.0.1.0/24 {
            blackhole {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth3
            listen-on vtun0
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            destination {
                address 75.93.91.194
                port 25
            }
            inbound-interface eth1
            inside-address {
                address 10.0.2.10
                port 25
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
}
system {
    host-name R1
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */




/**********************************************************************\


/**********************************************************************\
firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 213.123.123.10/24
        description Outside
        duplex auto
        hw-id 00:0c:29:f5:c1:84
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 10.0.10.1/24
        description Inside
        duplex auto
        hw-id 00:0c:29:f5:c1:8e
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:0c:29:f5:c1:98
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun1 {
        local-address 10.1.9.2
        mode site-to-site
        remote-address 10.1.9.1
        remote-host 75.93.91.193
        tls {
            ca-cert-file /etc/openvpn/ca.crt
            cert-file /etc/openvpn/r2.crt
            key-file /etc/openvpn/r2.key
            role active
        }
    }
}
protocols {
    static {
        interface-route 10.0.0.0/24 {
            next-hop-interface vtun1 {
            }
        }
        interface-route 10.0.2.0/24 {
            next-hop-interface vtun1 {
            }
        }
        interface-route 10.0.12.0/24 {
            next-hop-interface vtun1 {
            }
        }
        route 0.0.0.0/0 {
            next-hop 213.123.123.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            destination {
                address !10.0.0.0/16
            }
            outbound-interface eth0
            source {
                address 10.0.10.0/24
            }
            type masquerade
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
}
system {
    host-name R2
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */

/**********************************************************************\

ISA Screenshots:

Enjoy!

Latest article on Networking-Forum..by me!

2010-01-14T10:45:00.000-08:00

My latest article is as a guest blogger here:
http://networking-forum.com/blog/?p=371

Enjoy!

PIX/ASA - Failover, Lan to Lan IPsec VPN, Remote Access VPN + Extras

2010-01-11T05:09:00.000-08:00

Working on an article for networking forum atm - here is a diagram:

Vyatta as an Internet Gateway

2009-12-24T08:09:00.000-08:00

Here is the lab:

In this video we use Vyatta to setup an Internet Gateway.
We set it up with the following features:
Firewall
DHCP Server
DNS forwarding+Cache
NAT
Web Cache
Web Filtering
Reverse NAT (Port Forwarding)

Vyatta Internet Gateway from Richard Vimeo on Vimeo.

As requested here is the config for the router in the video:


firewall {
    all-ping enable
    broadcast-ping disable
    conntrack-table-size 32768
    conntrack-tcp-loose enable
    ip-src-route disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    log-martians enable
    name ALLOW_ESTABLISHED {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 192.168.10.10
                port 80
            }
            log enable
            protocol tcp
        }
        rule 20 {
            action accept
            destination {
                address 192.168.10.10
                port 3389
            }
            log enable
            protocol tcp
        }
        rule 30 {
            action accept
            destination {
                address 192.168.10.0/24
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Outside
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name ALLOW_ESTABLISHED
            }
        }
        hw-id 00:0c:29:7b:1a:29
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address 192.168.10.1/24
        description Inside
        duplex auto
        hw-id 00:0c:29:7b:1a:33
        smp_affinity auto
        speed auto
    }
    ethernet eth2 {
        description DMZ
        duplex auto
        hw-id 00:0c:29:7b:1a:3d
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name POOL1 {
            authoritative disable
            subnet 192.168.10.0/24 {
                default-router 192.168.10.1
                dns-server 192.168.10.1
                domain-name Vyatta.local
                lease 86400
                start 192.168.10.10 {
                    stop 192.168.10.200
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            name-server 208.67.222.222
            name-server 208.67.220.220
        }
    }
    nat {
        rule 10 {
            outbound-interface eth0
            source {
                address 192.168.10.0/24
            }
            type masquerade
        }
        rule 20 {
            destination {
                address 192.168.0.84
                port 80
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 80
            }
            protocol tcp
            type destination
        }
        rule 30 {
            destination {
                address 192.168.0.84
                port 3389
            }
            inbound-interface eth0
            inside-address {
                address 192.168.10.10
                port 3389
            }
            protocol tcp
            type destination
        }
    }
    ssh {
        allow-root true
        port 22
        protocol-version v2
    }
    webproxy {
        cache-size 200
        default-port 3128
        listen-address 192.168.10.1 {
        }
        url-filtering {
            squidguard {
                auto-update daily
                block-category malware
                block-category porn
                block-category warez
                block-category proxy
                default-action allow
                local-block facebook.com
                redirect-url http://www.google.com
            }
        }
    }
}
system {
    host-name vyatta
    login {
        user root {
            authentication {
                encrypted-password $1$ORKO400D$9GoL/vifapZLo3p.sLkUs/
                plaintext-password ""
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password $1$Z9oMjC/m$r.T2vNILnVuZnIwkKhg58.
            }
            level admin
        }
    }
    ntp-server 0.vyatta.pool.ntp.org
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
        repository kenwood {
            components main
            distribution kenwood
            password ""
            url http://packages.vyatta.com/vyatta-dev/kenwood/unstable/
            username ""
        }
        repository lenny {
            components main
            distribution lenny
            password ""
            url http://packages.vyatta.com/debian/
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone GMT
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:dhcp-relay@1:dhcp-server@4:firewall@3:ipsec@1:nat@3:quagga@1:system@1:vrrp@1:wanloadbalance@1:webgui@1" === */
/* Release version: VC6_a2 */

Microsoft ISA Server - Workgroup Array Setup

2009-12-24T07:50:00.000-08:00

This is the practical of this lab here

Part 1 covers setting up the ISA server, creating and setting up the digital certificates as well as installing Configuration Storage Server and the first ISA Server within the workgroup array.

Microsoft ISA Server Array - Workgroup - Part1 from Richard Vimeo on Vimeo.

Part 2 Covers the installation of a second ISA Server, Service Pack 1 Install and running the BPA

Microsoft ISA Server - Workgroup Array - Part2 from Richard Vimeo on Vimeo.

Microsoft ISA Server - Workgroup Arrays

2009-12-22T10:38:00.000-08:00

Here is the Next lab im going to be playing with:

Setting up a Vyatta Cluster with VRRP and IPSec Site to Site VPN

2009-12-06T16:16:00.000-08:00

Well seeing as we have done this with the closed source alternative (PIX here)
It was time to do the decent thing and do an open source version...so here we go..

Diagram of the lab:

Basic setup of the lab:

Vyatta Cluster Part 1 - Basic Setup from Richard Vimeo on Vimeo.

Part two of the setup:

Vyatta Cluster Part 2 - Basic Setup from Richard Vimeo on Vimeo.

This is the juicy bit, where we setup VRRP, then Clustering and finally, IPsec site to site VPN. (There is some NAT in there too!:)

Vyatta Cluster Part 3 - VRRP, Clustering,VPN etc from Richard Vimeo on Vimeo.

This is where I try and break it!

Vyatta Cluster Part 3 - Testing from Richard Vimeo on Vimeo.

As ever enjoy! and let me know what you think :)

VMware VDR Appliance

2009-12-02T14:23:00.000-08:00

VMware Data Recovery Appliance - What is it? How do I use it? How do I install it?!

Well with VMware's marketing refresh alot of their products seem a little well, redundant! (But they arent honestly!) and here we have VDR...a product that sits somewhere between VCB and vRanger Pro.

Anywho here is a nice little video I did to show you around:

VMware VDR from Richard Vimeo on Vimeo.

My Appliance Now on VMware Appliances

2009-11-30T12:07:00.000-08:00

VMware Have just published my appliance on the VMware Appliance Marketplace...

http://www.vmware.com/appliances/directory/383813

Enjoy!

Google Chrome OS on USB

2009-11-26T18:23:00.000-08:00

***Link removed as it is no longer actively maintained***
Download it here:

Link removed

This one has been rolled by myself, use winimage (or tool of your choice) to image this on to your thumb drive...Enjoy!

If Security Is Obscurity...

2009-11-24T09:39:00.000-08:00

Then these companies need help:

http://shodan.surtri.com/?q=cisco-IOS

Shodan is a cool new search engine that takes google-hacking to the next level.

Windows Server 2008 R2

2009-11-24T08:17:00.000-08:00

For those out there playing around with (or supporting) Windows 2008
have a read of this ebook:
MS Press Windows 2008 R2

Then once your done have ago at my labs here:

How to Setup Small Windows 2008 R2 Lab

and here:

Setting up File and Folder Permissions and Automagically Mapping Network Drives

Enjoy!

Vyatta VC 6 VMware Appliance!

2009-11-22T11:23:00.001-08:00

**This is now outdated check here for new appliance**

Hi all,

Vyatta hasnt yet released a VMware Appliance for VC6 therefore...

VyattaVC6-Alpha.zip

It comes complete with VMware Tools not open-vm tools and is ready to be dropped into ESX!

VMware are in the process of approving this appliance, so until then grab it from the above link.

Enjoy

Vyatta VC 6 Netflow and Solarwinds

2009-11-19T05:06:00.001-08:00

Quick demo of Netflow with Vyatta

Vyatta VC 6 Netflow from Richard Vimeo on Vimeo.

VMware ESXi on USB

2009-11-16T12:03:00.001-08:00

My quickest video yet:

How to place VMware's ESXi on to a USB drive:

VMware ESXi on USB from Richard Vimeo on Vimeo.

Load Balancing with Vyatta VC 6

2009-11-16T11:18:00.000-08:00

Here is a diagram of the setup, we are dealing with the router to the far left of the diagram "R10" : diagram

This is the video of me configuring load balancing and testing it:

Vyatta Load Balancing from Richard Vimeo on Vimeo.

Here is the configuration:
Setting up the interfaces:
R10:


interfaces {
    ethernet eth0 {
        address 10.0.0.27/24
        description ISP1
    }
    ethernet eth1 {
        address 192.168.0.181/24
        description ISP2
    }
    ethernet eth2 {
        address 10.0.10.10/24
        description R10TOR1
    }
    loopback lo {
        address 10.10.10.10/32
    }

Setting up the IGP:


protocols {
    ospf {
        area 10 {
            network 10.0.10.0/24
            network 10.10.10.10/32
        }
        default-information {
            originate {
                always
                metric-type 2
            }
        }
    }

Setting up Load Balancing


static {
        route 0.0.0.0/0 {
            next-hop 10.0.0.126 {
            }
            next-hop 192.168.0.1 {
            }
        }
    }

load-balancing {
    wan {
        flush-connections
        interface-health eth0 {
            failure-count 2
            nexthop 10.0.0.126
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 192.168.0.1
            }
        }
        interface-health eth1 {
            failure-count 2
            nexthop 192.168.0.1
            success-count 1
            test 10 {
                ping
                resp-time 5
                target 192.168.0.1
            }
        }
        rule 10 {
            inbound-interface eth2
            interface eth0 {
                weight 1
            }
            interface eth1 {
                weight 1
            }
            protocol all
        }
    }
}

Good luck and Enjoy!

Testing Vyatta with QoS and Asterisk(Elastix) - Howto

2009-11-16T10:43:00.000-08:00

The Setup:

First setting up the Interfaces:
R1:


interfaces {
    ethernet eth0 {
        address 10.0.12.1/24
        description R1TOR2
    }
    ethernet eth1 {
        address 192.168.10.254/24
        description LAN1
    }
    ethernet eth2 {
        address 10.0.10.1/24
        description R1TOR10
    }
    ethernet eth3 {
        address 10.0.13.1/24
        description R1TOR3
    }
    loopback lo {
        address 1.1.1.1/32
    }

R2:


interfaces {
    ethernet eth0 {
        address 10.0.12.2/24
        description R1TOR2
    }
    ethernet eth1 {
        address 192.168.2.254/24
        description LAN2
    }
    loopback lo {
        address 2.2.2.2/32
    }


interfaces {
    ethernet eth0 {
        address 10.0.13.3/24
        description R1TOR3
        speed auto
    }
    ethernet eth1 {
        address 192.168.3.254/24
        description LAN3
     
    }
    loopback lo {
        address 3.3.3.3/32
    }
}

Setting up the IGP:
R1:


protocols {
    ospf {
        area 0 {
            network 10.0.12.0/24
            network 10.0.13.0/24
        }
        area 1 {
            network 1.1.1.1/32
            network 192.168.10.0/24
        }
        area 10 {
            network 10.0.10.0/24
        }
        parameters {
            router-id 1.1.1.1
        }
    }

R2:


protocols {
    ospf {
        area 0 {
            network 10.0.12.0/24
        }
        area 2 {
            network 2.2.2.2/32
            network 192.168.2.0/24
        }
        parameters {
            router-id 2.2.2.2
        }
    }
}

R3:


protocols {
    ospf {
        area 0 {
            network 10.0.13.0/24
        }
        area 3 {
            network 192.168.3.0/24
            network 3.3.3.3/32
        }
    }
}

Setting up the QoS Policy:
R1:


qos-policy {
    traffic-shaper SITE1 {
        bandwidth 125kbit
        class 10 {
            bandwidth 85Kbit
            match VOIP-RTP {
                ip {
                    dscp 46
                }
            }
        }
        class 20 {
            bandwidth 15kbit
            match VOIP-CONTROL {
                ip {
                    protocol udp
                    source {
                        port 5060
                    }
                }
            }
        }
        class 30 {
            bandwidth 10kbit
            match OSPF {
                ip {
                    protocol ospf
                }
            }
            queue-type fair-queue
        }
        default {
            bandwidth 10kbit
        }
        description QOS_for_SITE1
    }

The applying it:
R1:


interfaces {
    ethernet eth0 {
        address 10.0.12.1/24
        description R1TOR2
        qos-policy {
            out SITE1
        }

Here is the video where I configure and test it:

Testing Quality Of Service (QOS) with Vyatta and Asterisk from Richard Vimeo on Vimeo.

Testing Vyatta with QoS and Asterisk(Elastix)

2009-11-13T06:49:00.000-08:00

Well, we have done something every simular here

However this time we are going all opensource :)

VMware Vsphere Lab-How to Part 3

2009-11-13T06:45:00.000-08:00

Part 3 covers:
1)OpenFiler Setup for ESX server
2)iSCSI HBA setup (ESX)
3)Vconverter
4)Vmotion setup
5)Live Vmotion!

Vsphere within VMware Workstation 7 Part 3 from Richard Vimeo on Vimeo.

VMware Vsphere Lab-How to Part 2

2009-11-13T06:43:00.000-08:00

Part 2 covers:
1)Installing a Second ESX server
2)Installing VCenter Server
3)Installing Openfiler
4)Setup DataCenter
5)Adding ESX Hosts

Vsphere within VMware Workstation 7 Part 2 from Richard Vimeo on Vimeo.

VMware Vsphere Lab-How to Part 1

2009-11-13T06:41:00.000-08:00

Vsphere within VMware Workstation 7 Part 1 from Richard Vimeo on Vimeo.

This video includes intial Lab Setup,installing ESX 4 and installing VSphere Client.

Here are the links from the presentation:
DotNet 2.0 SP1
XML Shared
DotNet 3.0
DotNet 3.0 SP1

VMware Vsphere Lab

2009-11-13T06:36:00.000-08:00

I like to mix things up a little :)

So here is a VMware lab using the new VMware Workstation 7:

This lab will go through pretty much everything, to setup a working Vsphere enviroment for your lab.

Testing QoS with Cisco Call Manager and SIP,RTP - How To

2009-11-09T05:16:00.000-08:00

This is the practical to this lab: here

Setting up basic IP connectivity:
R1


!
interface FastEthernet0/0
 description ToLan
 ip address 192.168.10.254 255.255.255.0
 duplex auto
 speed auto
!
!
interface Serial0/0.123 multipoint
 bandwidth 110
 ip address 192.168.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 snmp trap link-status
 frame-relay map ip 192.168.0.2 122 broadcast
 frame-relay map ip 192.168.0.3 123 broadcast
 no frame-relay inverse-arp
!
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 1
!


!
interface FastEthernet0/0
 description ToLan
 ip address 192.168.10.254 255.255.255.0
 duplex auto
 speed auto
!
!
interface Serial0/0.123 multipoint
 bandwidth 110
 ip address 192.168.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 snmp trap link-status
 frame-relay map ip 192.168.0.2 122 broadcast
 frame-relay map ip 192.168.0.3 123 broadcast
 no frame-relay inverse-arp
!
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.10.0 0.0.0.255 area 1
!


!
interface FastEthernet0/0
 ip address 192.168.3.254 255.255.255.0
 duplex auto
 speed auto
!
!
interface Serial0/0.321 multipoint
 bandwidth 110
 ip address 192.168.0.3 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 192.168.0.1 321 broadcast
 frame-relay map ip 192.168.0.2 321 broadcast
!
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 192.168.0.0 0.0.0.255 area 0
 network 192.168.3.0 0.0.0.255 area 3
!

Set up DHCP for Call Manager/TFTP
R1


ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.100
ip dhcp excluded-address 192.168.10.254
!
ip dhcp pool POOL1
   network 192.168.10.0 255.255.255.0
   option 66 ip 192.168.10.100 
   default-router 192.168.10.254 
!

(Pretty much the same on each router)

Now the important Stuff - QoS for SIP and RTP...

First the ACLs:


!
!Control is for SIP messages
ip access-list extended VOIP-CONTROL-ACL
 permit tcp any any eq 5060
 permit tcp any eq 5060 any
 permit tcp any any eq 6970
 permit tcp any eq 6970 any
! RTP is for the actual voices going down the line
ip access-list extended VOIP-RTP-ACL
 permit udp any any eq 5060
 permit udp any eq 5060 any
 permit udp any any range 16384 32767
 permit ip any any dscp ef
!

Now the Class Maps:


!
class-map match-any VOIP-CONTROL-CLASS
 match access-group name VOIP-CONTROL-ACL
class-map match-any VOIP-RTP-CLASS
 match access-group name VOIP-RTP-ACL
!

Now the Policy Maps:


!
policy-map VOIP
 class VOIP-RTP-CLASS
  priority 70
 class VOIP-CONTROL-CLASS
  bandwidth 8
 class class-default
  fair-queue
!

Map Class - Frame Relay:


!
map-class frame-relay FRAME-CLASS
!Provided by ISP
 frame-relay cir 110000
!Set Tc to 10ms or 0.01 sec
 frame-relay bc 1100
 frame-relay be 0
!If you get a BECN set to this rate
 frame-relay mincir 110000
!Remember to place this on both ends
 frame-relay fragment 120
!Policy map
 service-policy output VOIP
!

A few little extras(needed):


!
interface Serial0/0
 bandwidth 400
 no ip address
 encapsulation frame-relay
 frame-relay traffic-shaping
 no frame-relay inverse-arp
 frame-relay ip rtp header-compression 
!
!
interface Serial0/0.123 multipoint
 bandwidth 110
 ip address 192.168.0.1 255.255.255.0
 ip ospf network point-to-multipoint
 snmp trap link-status
 frame-relay class FRAME-CLASS
 frame-relay map ip 192.168.0.2 122 broadcast
 frame-relay map ip 192.168.0.3 123 broadcast
 no frame-relay inverse-arp
!

Here is a video of the lab set up and me trying to break it!

Testing Quality of Service with Cisco Call Manager,VoIP from Richard Vimeo on Vimeo.

Here are the iPerf options I am using:
Server UDP:


iperf.exe -us -n 128m -i5

Client UDP:


iperf.exe -uc 192.168.2.3 -b256k -n 1G -i5 -d

*Remember if you wish to test DSCP tags try the "-s" options to tag the packets for example: "-s ef"

Testing QoS with Cisco Call Manager and SIP,RTP

2009-11-08T13:22:00.001-08:00

Hello again all,

Created a nice little lab here:

I plan to not only get up QoS but really stress test it using iperf to see if it works!

Multicast Lab with VLC - Howto

2009-10-30T06:19:00.000-07:00

This is the how to for this lab: here

R1


!
ip multicast-routing 
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip pim sparse-mode
!
interface FastEthernet1/0
 description wan
 ip address 10.0.12.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet2/0
 description lan
 ip address 192.168.1.1 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 1
 network 10.0.12.0 0.0.0.255 area 0
 network 10.0.13.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
!
!Define this router as a RP
ip pim rp-candidate Loopback0
!


ip multicast-routing 
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip pim sparse-mode
!
!
interface FastEthernet1/0
 description wan
 ip address 10.0.12.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.2 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.0.12.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 2
!
!Define router as a Bootstrap Router Candidate
ip pim bsr-candidate Loopback0 0
!

Note:
ip pim bsr-candidate and ip pim rp-candidate can both be added to the same router if you wish. Therefore in this lab we could of defines both on R1 and left R2 with only ip pim sparse on its interfaces.

Here are the batch files used in VLC:
StartMulticast.bat:


"C:\Program Files\VideoLAN\VLC\vlc.exe" -vvv test.m4v :sout=#transcode{vcodec=h264,vb=800,scale=1,acodec=mp4a,ab=128,channels=2,samplerate=44100}:std{access=udp,mux=ts,dst=239.0.0.1:1234} --ttl 12

StartVideo.bat


call "C:\Program Files\VideoLAN\VLC\vlc.exe" -vvv udp://@239.0.0.1:1234

Here is a video of it all working:

Multicast - Streaming Demo from Richard Vimeo on Vimeo.

Multicast Lab with VLC

2009-10-27T06:35:00.000-07:00

Here is the lab that I will be showing off:

The cool thing about this lab, is that after setting it up I will be using VLC to multicast a video across the routers.

The movie is called Big Buck Bunny and you can get it: here

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets - Howto

2009-10-27T06:08:00.000-07:00

This is the how to for this lab: here

Ok here we go...

Basic Setup:

FW1


!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 142.100.123.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
!For Testing Allow pings/ICMP through
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
!NAT
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
!Default Route
route outside 0.0.0.0 0.0.0.0 142.100.123.99
!

FW2


!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 208.69.34.2 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list WAN_IN extended permit icmp any any
access-group WAN_IN in interface outside
!
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 208.69.34.99 1
!

Now the interesting part, we want a user at site 1 to ping 192.168.102.100 and it reach 192.168.1.100 (at site 2) and a user at site 2 to ping 192.168.101.100 and it reach 192.168.1.100 (at site1).

Here is how:

FW1


!ACL defining traffic for static nat
access-list site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.102.0 255.255.255.0
!ACL for the IPSec Tunnel
access-list IPSEC-TUN extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
! Static NAT
static (inside,outside) 192.168.101.0  access-list site2

Now the tunnel itself


crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-md5-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 208.69.34.2
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 208.69.34.2 type ipsec-l2l
tunnel-group 208.69.34.2 ipsec-attributes
 pre-shared-key letmein

FW2


access-list site1 extended permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
!
static (inside,outside) 192.168.102.0  access-list site1
!
crypto ipsec transform-set FW2-TRANSFORM esp-3des esp-md5-hmac
crypto map FW2 10 match address IPSEC-TUN
crypto map FW2 10 set peer 142.100.123.1
crypto map FW2 10 set transform-set FW2-TRANSFORM
crypto map FW2 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 142.100.123.1 type ipsec-l2l
tunnel-group 142.100.123.1 ipsec-attributes
 pre-shared-key letmein
!

All done!

PIX/ASA Site-to-Site (L2L) VPN with Duplicate/Same Subnets

2009-10-27T05:52:00.000-07:00

Here is another lab where we have the same subnet at each site, and we want to be able to establish a Lan to Lan VPN between them.

Here is the lab:

Windows Server 2008 - Setting up File and Folder Permissions and Automagically Mapping Network Drives

2009-10-27T05:10:00.000-07:00

Possibly the longest title ever for a blog post? :)

Anyway here is a long-ish video of me setting up Windows Server 2008 to be a file server:

Windows Server 2008 - File/Folder Permissions and Mapping Network Drives from Richard Vimeo on Vimeo.

Hmmmm Cookies ;)

DMVPN - Dual Hub and Dual Spoke with HSRP - Howto

2009-10-27T04:20:00.000-07:00

Hi again,

This is the practical to this lab: here

First the boring stuff, setting up IP connectivity:

R1


interface FastEthernet1/0
description WAN
 ip address 10.0.1.1 255.255.255.0
interface FastEthernet1/1
!
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.1.99
!


interface FastEthernet1/1
 description lan
 ip address 192.168.1.2 255.255.255.0
!
interface FastEthernet1/0
 description wan
 ip address 10.0.2.2 255.255.255.0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
ip route 0.0.0.0 0.0.0.0 10.0.2.99
!

R10


!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
!
interface FastEthernet1/0
 description wan
 ip address 10.0.10.10 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.10 255.255.255.0
delay 1000
!

R11


interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
interface FastEthernet1/0
 description wan
 ip address 10.0.11.11 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.2.11 255.255.255.0
 delay 1050
!
ip route 0.0.0.0 0.0.0.0 10.0.11.99
!

R20


!
interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
interface FastEthernet1/0
 description wan
 ip address 10.0.20.20 255.255.255.0
!
interface FastEthernet1/1
 description lan
 ip address 192.168.3.20 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.20.99
!

Let start with HSRP on Hubs:

R1


interface FastEthernet1/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 delay 1000
 duplex full
 speed auto

!virtual ip
 standby 1 ip 192.168.1.254
!Virtual set priority for this router higher than R2
 standby 1 priority 20
!If R1 has a highier priority become the active router
 standby 1 preempt
 standby 1 name HAGroup
!If Fa1/0 fails R1 is useless and needs to become standby
 standby 1 track FastEthernet1/0
!


interface FastEthernet1/1
 description lan
 ip address 192.168.1.2 255.255.255.0
 delay 1050
 duplex auto
 speed auto
 standby 1 ip 192.168.1.254
 standby 1 priority 19
 standby 1 preempt
 standby 1 name HAGroup
 standby 1 track FastEthernet1/0
!

The above setup is almost identical at Site2 (the other site with HSRP)

Now on to the Tunnels and the DMVPN networks itself. Here is the basic layout of the network:

As you can see, we are infact running two DMVPN networks, and each spoke as an interface to each network.

Lets do the Hubs first:

R1


interface Tunnel0
!IP of tunnel interface
 ip address 172.12.123.1 255.255.255.0
!Stop IP from taking "shortcuts"
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
!Unique to the network, same number on each hub,spoke
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
!Needed for EIGRP
 no ip split-horizon eigrp 100
!Tweak EIGRP metrics to prefer this router
 delay 1000
!Tunnels out interface
 tunnel source FastEthernet1/0
!Set tunnel mode
 tunnel mode gre multipoint
!Each tunnel has its own "password"
 tunnel key 100000
!Add IPSec
 tunnel protection ipsec profile TUN-PROFILE

Notice that R1 is the Hub spoke for 172.12.123.0/24 network

R2


!
interface Tunnel0
 ip address 172.12.124.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 100
!tweak EIGRP metric so that R1 is preferred
 delay 1050
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
!Password 
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!

Now R20

First tunnel to join network 1


interface Tunnel0
 ip address 172.12.123.20 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!

Second Tunnel to join network 2


!
interface Tunnel1
 ip address 172.12.124.20 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!

Now R10


!network 1 -->
interface Tunnel0
 ip address 172.12.123.10 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!
!
!Network 2 ----->
interface Tunnel1
 ip address 172.12.124.10 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!

R11


!Network 1 --->
interface Tunnel0
 ip address 172.12.123.11 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.123.1 10.0.1.1
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.123.1
 ip tcp adjust-mss 1360
 delay 1050
 tunnel source FastEthernet1/0
 tunnel destination 10.0.1.1
 tunnel key 100000
 tunnel protection ipsec profile TUN-PROFILE
!Network 2--->
interface Tunnel1
 ip address 172.12.124.11 255.255.255.0
 ip mtu 1400
 ip nhrp map 172.12.124.2 10.0.2.2
 ip nhrp network-id 2
 ip nhrp holdtime 450
 ip nhrp nhs 172.12.124.2
 ip tcp adjust-mss 1360
 tunnel source FastEthernet1/0
 tunnel destination 10.0.2.2
 tunnel key 100001
 tunnel protection ipsec profile TUN-PROFILE
!

Now EIGRP network configuration, notice how we do not bring in the WAN network:
R1


router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 172.12.123.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!


router eigrp 100
 network 2.2.2.2 0.0.0.0
 network 172.12.124.0 0.0.0.255
 network 192.168.1.0
 no auto-summary
!

R20


router eigrp 100
 network 20.20.20.20 0.0.0.0
 network 172.12.123.0 0.0.0.255
 network 172.12.124.0 0.0.0.255
 network 192.168.3.0
 no auto-summary
!

R10


!
router eigrp 100
 network 10.10.10.10 0.0.0.0
 network 172.12.123.0 0.0.0.255
 network 172.12.124.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
!

R11


!
router eigrp 100
 network 11.11.11.11 0.0.0.0
 network 172.12.123.0 0.0.0.255
 network 172.12.124.0 0.0.0.255
 network 192.168.2.0
 no auto-summary
!

IPSec Configuration is almost identical for each router so here is just one example:


!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TUN-TRANSFORM esp-aes esp-sha-hmac 
!
crypto ipsec profile TUN-PROFILE
 set transform-set TUN-TRANSFORM 
!

And that should be it!

Here is a video of me with the lab,trying to break it!

DMVPN - High Availability - Testing Failure from Richard Vimeo on Vimeo.

Enjoy!

DMVPN - Dual Hub and Dual Spoke with HSRP

2009-10-22T15:56:00.000-07:00

After a short break I have some unique labs coming up. This is the first:

PIX/ASA Remote Access VPN with L2L VPN and Failover - How to

2009-09-30T05:12:00.000-07:00

This is the practical for this lab:
here

There are a few things that we have already covered in other labs, Lan to Lan (or site to site) VPNs, NAT etc. However the main reason for this lab is three fold.

1) Setting up Active/Standby Failover
2) Setting up remote access IPSec VPN (in combination with L2L VPN)
3) Allowing the Remote User access to the Spoke Via Split Tunneling

When setting up failover, you should setup the first "unit" with a basic configuration, then use the LAN failover interface to sync the two up.

So here the basic config on FW1 (Primary unit):

Setting up the Interfaces:


interface Ethernet0
 nameif Outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet2
 description trunk for failovers
!
interface Ethernet2.200
 description LAN Failover Interface
 vlan 200
!
interface Ethernet2.300
 description STATE Failover Interface
 vlan 300
!

Note: The failover interfaces cannot be on a shared interface.

Diagnostic ACL for pings etc:


access-list WAN_IN extended permit icmp any any

NAT


global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0

Default Gateway:


route Outside 0.0.0.0 0.0.0.0 10.0.0.4

Failover Config (Primary):


failover lan unit primary
failover lan interface lan-fo Ethernet2.200
failover polltime unit msec 200 holdtime msec 800
failover key letmeinfo
failover link state-fo Ethernet2.300
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover interface ip state-fo 192.168.30.1 255.255.255.0 standby 192.168.30.2
failover lan enable
failover

Failover Config (Secondary):
This unit up until now had a blank configuration.


interface Ethernet2
 description trunk for failovers
!
interface Ethernet2.200
 description LAN Failover Interface
 vlan 200
!
failover lan unit secondary
failover lan interface lan-fo Ethernet2.200
failover key letmeinfo
failover interface ip lan-fo 192.168.20.1 255.255.255.0 standby 192.168.20.2
failover lan enable
failover

At this point you should wait until the two configurations are synced up and the primary has taken the "active" role.

Setting up L2L VPN:


access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list NO-NAT
crypto ipsec transform-set FW1-TRANSFORM esp-3des esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.34.3
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 10.0.34.3 type ipsec-l2l
tunnel-group 10.0.34.3 ipsec-attributes
 pre-shared-key letmeinl2l

Setting up the other end (FW3):
Basic setup:


!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.34.3 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!

VPN and ACLs:


access-list WAN_IN extended permit icmp any any
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group WAN_IN in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.34.4 1
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
pre-shared-key letmeinl2l

Now, as it stands we should have an "Hub" and a "Spoke" set up with L2L vpn between the sites as well as their own wan (internet) traffic going out untouched.

Now Remote Access VPN:
Obviously LAN= 192.168.1.0/24 and VPN=10.1.1.0/24


access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp
access-list 101 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq telnet
access-list 101 extended permit icmp any any
aaa-server acs protocol radius
aaa-server acs (Outside) host 192.168.0.45
 timeout 5
 key letmein
ip local pool VPN-POOL 10.1.1.1-10.1.1.254
crypto ipsec transform-set VPN-TRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map DYNA-MAP 1 set transform-set VPN-TRANSFORM
crypto dynamic-map DYNA-MAP 1 set security-association lifetime seconds 288000
crypto dynamic-map DYNA-MAP 1 set reverse-route
crypto map FW1 20 ipsec-isakmp dynamic DYNA-MAP
group-policy VPN-REMOTE internal
group-policy VPN-REMOTE attributes
 dns-server value 208.67.222.222
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 default-domain value cookie.local
tunnel-group VPN-REMOTE type remote-access
tunnel-group VPN-REMOTE general-attributes
 address-pool VPN-POOL
 authentication-server-group acs
 default-group-policy VPN-REMOTE
tunnel-group VPN-REMOTE ipsec-attributes
 pre-shared-key cisco123

Now the Split Tunnel and IPsec access to the Spoke:
FW-3:


access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0

FW1:


same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list IPSEC-TUN extended permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list splittunnel standard permit 192.168.2.0 255.255.255.0
group-policy VPN-REMOTE attributes
 dns-server value 208.67.222.222
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel

And that is it! :P

If you need any info as to how to setup the client look here:
Setup VPN Client
The "group name" is VPN-REMOTE and the password is cisco123

Screenshot of it all working:

PIX/ASA Remote Access VPN with L2L VPN and Failover

2009-09-29T10:45:00.000-07:00

Well I was going to do a nice multiple context PIX/ASA lab, but after playing around with GNS for a while and a good few hours into the lab I came to a brick wall.

The brick wall being that if you use multiple contexts you cannot use VPNs:
(http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1116132)

So I created this lab instead:

If I get time ill upload the config tonight.

Load Balancing With HSRP

2009-09-28T08:53:00.000-07:00

Got a nice simple lab for you today, load balancing with Hot Standby Routing Protocol.

HSRP is designed to increase the redundancy in LAN gateways. It does this by creating a Virtual MAC address and Virtual IP address.
One router of the "group" is elected as the "active" and the other the "standby", therefore once the "active" router, say for example gets accidentally turned off, the "standby" takes over.

Here is the picture of the lab:

Here is the important configuration:
R2


interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
!This is the virtual ip group 1
 standby 1 ip 10.0.0.253
!I want this router to be the active router
 standby 1 priority 12
!Take over active when your priority is higher
 standby 1 preempt
!Any name here
 standby 1 name Load1
!When this interface goes down, decrease my priority by 10
 standby 1 track Serial0/0

!This is the virtual ip group 2
 standby 2 ip 10.0.0.254
!I want this router to be the standby router
 standby 2 priority 11
!Take over active when your priority is higher
 standby 2 preempt
!Any name here
 standby 2 name Load2
!When this interface goes down, decrease my priority by 10
 standby 2 track Serial0/0


interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 10.0.0.253
 standby 1 priority 11
 standby 1 preempt
 standby 1 name Load1
 standby 1 track Serial0/0
 standby 2 ip 10.0.0.254
 standby 2 priority 12
 standby 2 preempt
 standby 2 name Load2
 standby 2 track Serial0/0

Note that for the load balancing to work 50% of the devices have 10.0.0.253 as their default gateway and the other 50% have 10.0.0.254.

Enjoy :)

How to Setup a Small Windows 2008 Lab

2009-09-16T09:03:00.001-07:00

Here is how:
Part 1

Windows 2008 Server Setup Part 1 from Richard Vimeo on Vimeo.

Part 2

Windows 2008 Server Setup Part 2 from Richard Vimeo on Vimeo.

Part 3

Windows 2008 Server Setup Part 3 from Richard Vimeo on Vimeo.

Then on to testing the new Active Directory Recycle Bin:

Windows Server 2008 Enabling The AD Recycle Bin Part 1 from Richard Vimeo on Vimeo.

And recovering an OU and all Child Objects:

Windows Server 2008 Enabling The AD Recycle Bin Part 1 from Richard Vimeo on Vimeo.

Then finally password settings Objects:

Windows Server 2008 Password Settings Objects (PSOs) from Richard Vimeo on Vimeo.

Enjoy

MPLS VPNs On Networking-Forum.com

2009-09-14T06:17:00.000-07:00

My latest blog post is on Networking-forum.com
Check it out: here

MPLS VPN with MP-BGP

2009-09-09T10:15:00.000-07:00

Currently working on a new lab, here is the setup:

More to follow...

Vyatta - Remote Access VPN Lab

2009-09-07T15:24:00.000-07:00

Hi again this is the setup:

This lab details setting up NAT on vyatta routers, OpenVPN with TLS authentication, basic firewall setup and all the steps inbetween.

Here is the video:

Vyatta Remote Access OpenVPN lab with NAT and Firewall setup from Richard Vimeo on Vimeo.

Enjoy!

Vyatta Vmware Lab

2009-09-01T16:24:00.000-07:00

Hi again,

Just to spice things up a little I thought I would do a lab on vyatta, so I dug out part of an old lab, and presto - A Vyatta based OSPF 3 site lab:

and this is how I did it:

Part 1:

Vyatta Vmware Lab Part1 from Richard Vimeo on Vimeo.

Part2

Vyatta Vmware Lab Part2 from Richard Vimeo on Vimeo.

Enjoy!

PIX/ASA Site-to-Site (L2L) VPN with DMZ-Howto

2009-08-31T11:38:00.000-07:00

Ok this the how to for this lab: here

So lets start from the Remote Office "FW2"

First we need to set up ASA:
FW2


!
interface Ethernet0
 nameif Outside
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
interface Ethernet1
 nameif DMZ
 security-level 50
 ip address 192.168.20.2 255.255.255.0
!
interface Ethernet2
 nameif Inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!

Now NAT:


nat (Inside) 1 0.0.0.0 0.0.0.0
!Most people might like global (Outside) 1 interface instead
global (Outside) 1 10.0.2.50

Notice the "1" above, that ties the entrys together essentially saying on "these people on the inside (0.0.0.0) (everyone) are translated to this address "10.0.2.50" on the outside.

Now for testing we want to allow ICMP to the firewall


access-list WAN_IN extended permit icmp any any

Then assign it to an interface:


access-group WAN_IN in interface Outside

Add a default route:


route Outside 0.0.0.0 0.0.0.0 10.0.2.10 1

Ok we now have "internet access"

Next we need to setup the web server(192.168.20.100) with 1-to-1 nat:


nat (DMZ) 2 0.0.0.0 0.0.0.0
global (Outside) 2 10.0.2.100
static (DMZ,Outside) 10.0.2.100 192.168.20.100 netmask 255.255.255.255

Now NAT is setup, we actually need to let something through:


access-list WAN_IN extended permit tcp any host 10.0.2.100 eq telnet
access-list WAN_IN extended permit tcp any host 10.0.2.100 eq http

ok that was easy :)

Now for the HQ site:
First setup the pix:
FW1


interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!

Now NAT for FW1:


nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

Ok now the tough part, actually this should be the easy part as we have done IPSec to death so far on the blog, and although the syntax looks different, actually typing it is pretty much the same as IOS.

One FW2
Set up an ISAKMP Policy:


crypto isakmp policy 100
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Then a Transform Set:


crypto ipsec transform-set FW1-TRANSFORM esp-aes esp-sha-hmac

Specify the traffic we dont want NAT applied too:


access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

The 0 indicates "dont NAT this"

Bring it all together with a crypto map:


access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.2.2
crypto map FW1 10 set transform-set FW1-TRANSFORM

Enable it on an interface:


crypto map FW1 interface outside

Add a tunnel group (if it is not already done for you)


tunnel-group 10.0.2.2 type ipsec-l2l
tunnel-group 10.0.2.2 ipsec-attributes
 pre-shared-key letmein

Actually allow ISAKMP to connect to the outside interface:


crypto isakmp enable outside

Then the reverse/same on FW1:


access-list IPSEC-TUN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set FW1-TRANSFORM esp-aes esp-sha-hmac
crypto map FW1 10 match address IPSEC-TUN
crypto map FW1 10 set peer 10.0.2.2
crypto map FW1 10 set transform-set FW1-TRANSFORM
crypto map FW1 interface outside
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.0.2.2 type ipsec-l2l
tunnel-group 10.0.2.2 ipsec-attributes
 pre-shared-key *
prompt hostname context

Done!

Pix/ASA does alot for you in l2l ipsec vpns..and they still dont call it "easy vpn" :)

PIX/ASA Site-to-Site (L2L) VPN with DMZ

2009-08-27T14:11:00.000-07:00

Something a little different PIX!

Heres the lab I've done and I will up the configs tomorrow.

First in GNS:

Then Opendraw:

L2TPv3 over IPSec with VLANS-How to

2009-08-27T02:21:00.000-07:00

This is the practical of this lab: here

The idea of this lab is to bridge the local lan across the internet or another network you do not control to another lan, matching lan.

In this example we have 3 sites. Site 1 (which is the head office) with a server for each site (server 2 and server 3). L2TPv3 works by taking the frame recieved on its lan interface wraps it up int L2TP goodness and off it goes.

Again what makes this cool is that the workstations (PC2 and PC3) have no idea that the Servers are at another site.

Ok now your up to speed...:

First each router has a default route to R0
R2:


ip route 0.0.0.0 0.0.0.0 10.0.20.10

R3:


ip route 0.0.0.0 0.0.0.0 10.0.30.10

R1:


ip route 0.0.0.0 0.0.0.0 10.0.10.10

Ok now to the Layer 2 setup, as GNS can not do Switches (well properly anyway) you have to use a Cisco 3725 with a 16 port Ethernet Switch card.

So firstly the trunks on R1, R2 and R3

R1


!
interface FastEthernet1/1.200
 encapsulation dot1Q 200
!
interface FastEthernet1/1.300
 encapsulation dot1Q 300
 
!


!
interface FastEthernet1/1.200
 encapsulation dot1Q 200
!


!
interface FastEthernet1/1.300
 encapsulation dot1Q 300
!

Then setting up the switch:
Switch1


interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport access vlan 200
!
interface FastEthernet1/3
 switchport access vlan 300
!

Switch2


!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport access vlan 200
!

Switch3


!
interface FastEthernet1/1
 switchport mode trunk
!
interface FastEthernet1/2
 switchport access vlan 300
!

I'll leave the setting up of the IP addresses to you :)

Ok now to the fun stuff the L2TPv3 setup:

R1


l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
!
pseudowire-class VLANS
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet1/0
!


l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
!
pseudowire-class VLAN200
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet1/0
!


l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
pseudowire-class VLAN300
 encapsulation l2tpv3
 protocol none
 ip local interface FastEthernet1/0
!

Now part two of the setup, which is the actual pseudeowire!
R1


!
interface FastEthernet1/1.200
 encapsulation dot1Q 200
! The vc 200 here is not used...call it anything you like!
 xconnect 10.0.20.2 200 encapsulation l2tpv3 manual pw-class VLANS
! This id is important 102 and 202 must be swaped on the other end
  l2tp id 102 202
! "remote" is data sent
! "local" is data expected to be recieved.
! Therefore 221200 is Router 2 2 Router 1 VLAN 200 (R22R1VLAN200)
! Just makes it easier for you, but you can do any number as long as
! it is flipped
  l2tp cookie local 4 221200
  l2tp cookie remote 4 122200
  l2tp hello l2tp-defaults
!
interface FastEthernet1/1.300
 encapsulation dot1Q 300
 xconnect 10.0.30.3 300 encapsulation l2tpv3 manual pw-class VLANS
  l2tp id 103 303
  l2tp cookie local 4 321300
  l2tp cookie remote 4 123300
  l2tp hello l2tp-defaults
!

Then the spokes:
R2


!
interface FastEthernet1/1.200
 encapsulation dot1Q 200
 ip virtual-reassembly
 xconnect 10.0.10.1 200 encapsulation l2tpv3 manual pw-class VLAN200
  l2tp id 202 102
  l2tp cookie local 4 122200
  l2tp cookie remote 4 221200
  l2tp hello l2tp-defaults
!


interface FastEthernet1/1.300
 encapsulation dot1Q 300
 ip virtual-reassembly
 xconnect 10.0.10.1 300 encapsulation l2tpv3 manual pw-class VLAN300
  l2tp id 303 103
  l2tp cookie local 4 123300
  l2tp cookie remote 4 321300
  l2tp hello l2tp-defaults
!

You can now test that it works, however at the moment it is all unencrypted!

Therefore encryption;
R1


!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R1-TRANSFORM esp-3des esp-sha-hmac 
!
crypto map R12R2R3 100 ipsec-isakmp 
 set peer 10.0.30.3
 set transform-set R1-TRANSFORM 
 match address 110
crypto map R12R2R3 200 ipsec-isakmp 
 set peer 10.0.20.2
 set transform-set R1-TRANSFORM 
 match address 100
!
access-list 100 permit ip host 10.0.10.1 host 10.0.20.2
access-list 110 permit ip host 10.0.10.1 host 10.0.30.3
!
!
interface FastEthernet1/0
 ip address 10.0.10.1 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map R12R2R3
!


!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R2-TRANSFORM esp-3des esp-sha-hmac 
!
crypto map R22R1 100 ipsec-isakmp 
 set peer 10.0.10.1
 set transform-set R2-TRANSFORM 
 match address 100
!
!
access-list 100 permit ip host 10.0.20.2 host 10.0.10.1
!
!
interface FastEthernet1/0
 ip address 10.0.20.2 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map R22R1
!


!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R3-TRANSFORM esp-3des esp-sha-hmac 
!
crypto map R32R1 100 ipsec-isakmp 
 set peer 10.0.10.1
 set transform-set R3-TRANSFORM 
 match address 100
!
access-list 100 permit ip host 10.0.30.3 host 10.0.10.1
!
!
interface FastEthernet1/0
 ip address 10.0.30.3 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map R32R1
!

Bit of a sledgehammer approach to encryption as everything will be wrapped up in ESP, however if you wish to do this for just L2TP then an ACL for UDP 1701 will do the job nicely.

Done!

L2TPv3 over IPSec with VLANS

2009-08-26T13:40:00.000-07:00

Here is the Lab:
From GNS:

Then from Opendraw:

Not sure which I prefer yet, the Cisco-ish one is pretty but GNS is functional..hmm

DMVPN - How to

2009-08-26T13:13:00.000-07:00

After seeing a few requests for this, I thought it would be good to do a "Dynamic Multipoint Virtual Private Network".

Which is a nice TLA for Multipoint GRE(Tunnel), NHRP(Next Hop Routing Protocol) and IPSEC.

So here is the lab:

Very boring compared to the MPLS L2 lab however there are some important techs to get used to.

For the purposes of the lab, R1 is not under our control.

Therefore all the spoke routers have a default route to the R1 and that is it.
It is up to the DMVPN to fill in the gaps.

Here is R10 which is the HQ or "Hub" router.


interface Tunnel0
!All the tunnels have to be in the same subnet
 ip address 10.0.234.10 255.255.255.0
 no ip redirects
 ip mtu 1400
!Dynamically map to the spokes
 ip nhrp map multicast dynamic
!Network-id has to be the same on all routers
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
!This is needed as OSPF auto-configs a "tunnel int" as point-to-point which is wrong !here
 ip ospf network point-to-multipoint
!Exit interface
 tunnel source FastEthernet1/0
!Tunnel mode
 tunnel mode gre multipoint


interface Tunnel0
 ip address 10.0.234.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 10.0.110.10
 ip nhrp map 10.0.234.10 10.0.110.10
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 10.0.234.10
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint


!
interface Tunnel0
 ip address 10.0.234.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 10.0.110.10
 ip nhrp map 10.0.234.10 10.0.110.10
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 10.0.234.10
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint


interface Tunnel0
 ip address 10.0.234.4 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast 10.0.234.10
 ip nhrp map 10.0.234.10 10.0.110.10
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip nhrp nhs 10.0.234.10
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint

That should be the tunnel up. At this point you can test the tunnel by ping the Hub tunnel address 10.0.234.10 from each of the spokes.

Now encryption:
R10


crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TUN-TRANSFORM esp-aes esp-sha-hmac 
!
crypto ipsec profile TUN-PROFILE
 set transform-set TUN-TRANSFORM

Then applied to the Tunnel inteface:


interface Tunnel0
 ip address 10.0.234.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 450
 ip tcp adjust-mss 1360
 ip ospf network point-to-multipoint
 tunnel source FastEthernet1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile TUN-PROFILE
!

then the same for R2,R3,R4:


crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TUN-TRANSFORM esp-aes esp-sha-hmac 
!
crypto ipsec profile TUN-PROFILE
 set transform-set TUN-TRANSFORM 
!

~Under the Tunnel0 interface:


!
tunnel protection ipsec profile TUN-PROFILE
!

This is identicial for each spoke.

Then an example OSPF config on R2:


!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.0.234.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 2
!

Done!

MPLS L2VPN with 2 Customers-How to

2009-08-26T09:38:00.000-07:00

Well its been a couple of weeks since my last post, partly due to a weeks holiday in Wales:

And although I didnt live under a bridge for a week like some sort of troll, I did go walking my dog near where this picture was taken, and this church:

Anyway..enough about my holiday and on to MPLS L2VPNs.

Diagram here

First thing to say about L2VPNs is that they are sometimes called "pseudowire". This bascially means that the idea of the L2VPN be it over MPLS (or L2TPv3) is to bridge the ethernet frame arriving on the PE interface over the MPLS network to the exiting
PE router.

So from the diagram the ethernet packet arrives at R1 int f2/1 and leaves R7 int f2/0.

Once you have set up the Provider IGP which in this case is OSPF, make sure that each router has a loopback with a 32bit mask and that loopback is brought into OSPF area 0
like this for R6:


!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!

!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 10.0.36.0 0.0.0.255 area 0
 network 10.0.46.0 0.0.0.255 area 0
 network 10.0.56.0 0.0.0.255 area 0
 network 10.0.67.0 0.0.0.255 area 0
 network 10.0.68.0 0.0.0.255 area 0
!

Then each interface which you want to run MPLS on has it enabled:
(again from R6)
(obviously this will need to be done on each provider router (interface) in the MPLS network)


!
interface FastEthernet1/0
 ip address 10.0.46.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet1/1
 ip address 10.0.36.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet2/0
 ip address 10.0.56.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet2/1
 ip address 10.0.67.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet3/0
 ip address 10.0.68.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet3/1
 no ip address
 shutdown
 duplex auto
 speed auto
!

Once the IGP is fully functional and you can for example ping from 1.1.1.1 to 7.7.7.7
you have a LSP (Label Switched Path) you can confirm its using MPLS (LFIB) by doing a
trace 7.7.7.7 and you will see it taking the LSP.

So how do I do this L2VPN then...well its so simply once you have the provider network up:
R1


interface FastEthernet2/0
 description Customer1-R11
 no ip address
 duplex auto
 speed auto
 xconnect 8.8.8.8 101 encapsulation mpls
!

8.8.8.8 is the exit router

then on 8.8.8.8 (R8)


interface FastEthernet2/0
 no ip address
 duplex auto
 speed auto
 xconnect 1.1.1.1 101 encapsulation mpls
!

1.1.1.1 being the router on the other end.
Notice that the VC "101" is identicial as this is label within a label that follows the packet within the MPLS network.

...now for the fun bit!

High Avaliablity with Psuedowire is done via the "backup" command when in the "xconnect" context.

Here is how:
(This is for the Customer 2 (R21-R22)

R2


interface FastEthernet2/0
 no ip address
 duplex auto
 speed auto
 xconnect 7.7.7.7 301 encapsulation mpls
  backup peer 8.8.8.8 302
!


interface FastEthernet2/1
 no ip address
 duplex auto
 speed auto
 xconnect 8.8.8.8 201 encapsulation mpls
  backup peer 7.7.7.7 202
!


interface FastEthernet2/0
 no ip address
 duplex auto
 speed auto
 xconnect 2.2.2.2 301 encapsulation mpls
  backup peer 1.1.1.1 202
!


interface FastEthernet1/1
 no ip address
 duplex auto
 speed auto
 xconnect 1.1.1.1 201 encapsulation mpls
  backup peer 2.2.2.2 302
!

One thing is that interesting is that without extra configuration the PE router will not switch to the backup peer unless the LSP is detected as being dead.

As so with this amount of redundency you maybe left with the situation where
the 10.0.12.0 network is plugged into the 10.0.21.0 network which would require the customer to make a config change before service would return.

MPLS L2VPN with 2 Customers

2009-08-14T10:44:00.000-07:00

Here is a cool lab that I will be explaining:

Bit of humour

2009-08-14T06:41:00.000-07:00

Genius:

Unequal Traffic Sharing with OSPF

2009-08-14T05:21:00.000-07:00

Another day another lab :)

Now typically when you say to someone "hi i'm doing unequal traffic sharing with OSPF"
they will often say "no no you fool, thats not possible EIGRP is the only one to do unequal traffic"....but they would be wrong.

Using MPLS OSPF-Traffic Engineering you can indeed do Unequal Traffic Sharing.

And here is how:

As you can see this follows on directly from here

The only changes are to R2 and R5.

So R2:


!
interface Tunnel2
 ip unnumbered Loopback1
 mpls traffic-eng tunnels
 tunnel destination 50.50.50.50
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 2 2
 tunnel mpls traffic-eng bandwidth 512
 tunnel mpls traffic-eng path-option 1 explicit name R2-R4-R5
 no routing dynamic
!

and R5


interface Tunnel2
 ip unnumbered Loopback1
 mpls traffic-eng tunnels
 tunnel destination 20.20.20.20
 tunnel mode mpls traffic-eng
 tunnel mpls traffic-eng autoroute announce
 tunnel mpls traffic-eng priority 2 2
 tunnel mpls traffic-eng bandwidth 512
 tunnel mpls traffic-eng path-option 1 explicit name R5-R4-R2
 no routing dynamic
!

Notice the command:
tunnel mpls traffic-eng bandwidth 512

The ensures that packets are sent in the ratio 2:1 down the two tunnels (Tunnel 1 and Tunnel 2)

Now to prove it:


R2#sh ip route 50.50.50.50
Routing entry for 50.50.50.50/32
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 50.50.50.50 on Tunnel2, 00:20:05 ago
  Routing Descriptor Blocks:
  * 50.50.50.50, from 5.5.5.5, 00:20:05 ago, via Tunnel2
      Route metric is 3, traffic share count is 2
    50.50.50.50, from 5.5.5.5, 00:20:05 ago, via Tunnel1
      Route metric is 3, traffic share count is 1

and from R5


R5#sh ip route 20.20.20.20
Routing entry for 20.20.20.20/32
  Known via "ospf 1", distance 110, metric 3, type intra area
  Last update from 20.20.20.20 on Tunnel2, 00:20:57 ago
  Routing Descriptor Blocks:
  * 20.20.20.20, from 2.2.2.2, 00:20:57 ago, via Tunnel1
      Route metric is 3, traffic share count is 1
    20.20.20.20, from 2.2.2.2, 00:20:57 ago, via Tunnel2
      Route metric is 3, traffic share count is 2

Looks good but what about debugs?
From R5 to R2:


R5#trace 20.20.20.20

Type escape sequence to abort.
Tracing the route to 20.20.20.20

  1 10.0.35.3 [MPLS: Label 25 Exp 0] 48 msec
    10.0.45.4 [MPLS: Label 25 Exp 0] 44 msec 8 msec
  2 10.0.23.2 32 msec
    10.0.24.2 36 msec *

and debugs from R4 and R3:
R4


R4#
*Aug 14 13:50:04.199: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 1} - ipv4 data
*Aug 14 13:50:04.219: MPLS turbo: Fa1/0: rx: Len 186 Stack {17 6 253} - ipv4 data
*Aug 14 13:50:04.227: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 1} - ipv4 data
*Aug 14 13:50:04.231: MPLS turbo: Fa1/0: rx: Len 186 Stack {17 6 253} - ipv4 data
*Aug 14 13:50:04.271: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 2} - ipv4 data
*Aug 14 13:50:04.295: MPLS turbo: Fa1/0: rx: Len 74 Stack {17 6 255} - ipv4 data
*Aug 14 13:50:04.311: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 2} - ipv4 data

and R3:


R3#
*Aug 14 13:50:04.035: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 1} - ipv4 data
*Aug 14 13:50:04.051: MPLS turbo: Fa1/0: rx: Len 186 Stack {17 6 253} - ipv4 data
*Aug 14 13:50:04.127: MPLS turbo: Fa1/1: rx: Len 60 Stack {25 0 2} - ipv4 data
*Aug 14 13:50:04.159: MPLS turbo: Fa1/0: rx: Len 74 Stack {17 6 255} - ipv4 data

A ratio of 7:4..pretty good! :)

My First MPLS blog

2009-08-12T10:54:00.001-07:00

I have a feeling ill be doing a few of these, MPLS is such a huge topic that simply doing a few labs does not seem to do it justice, however its better than doing none at all!

After playing around with my real lab a little I decided to virtualise this one, not to be confused with a router simulator, GNS is a great tool for knocking up a lab and playing around with ideas.

In light of that this is my latest idea:

One of the fun this that this lab was able to do was to separate the OSPF router ID from the MPLS traffic engineering router ID, this was done to hopefully better show which error/events were MPLS related those that were OSPF related and those that were a result of OSPF-TE.

I would kinda of expect you to be able to setup ip connectivity between the routers by now, after all this is basically CCIE stuff :)

Most of the below is fairly standard OSPF, however it is important to note the areas that I place the OSPF-TE router-ID and the OSPF router ID.

Setting up OSPF:
R2:


router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.0.23.0 0.0.0.255 area 0
 network 10.0.24.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 12


router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.0.23.0 0.0.0.255 area 0
 network 10.0.35.0 0.0.0.255 area 0
!


router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 network 4.4.4.4 0.0.0.0 area 4
 network 10.0.24.0 0.0.0.255 area 0
 network 10.0.45.0 0.0.0.255 area 0
!


router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 passive-interface FastEthernet2/0
 network 5.5.5.5 0.0.0.0 area 5
 network 10.0.35.0 0.0.0.255 area 0
 network 10.0.45.0 0.0.0.255 area 0
 network 192.168.56.0 0.0.0.255 area 56
!

Ok thats ospf done.

Now MPLS, first step is to setup another loopback for MPLS and bring it into MPLS.

R2


! global
mpls traffic-eng tunnels
!
interface Loopback1
 ip address 20.20.20.20 255.255.255.255
!
router ospf 1
 mpls traffic-eng router-id Loopback1
 mpls traffic-eng area 0
 router-id 2.2.2.2
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 2
 network 10.0.23.0 0.0.0.255 area 0
 network 10.0.24.0 0.0.0.255 area 0
 network 20.20.20.20 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 12
!

Now we could cheat and use "mpls ldp autoconfig area 0" here to enable LDP on all the area 0 interfaces however I like to do it manually.
While we're in the interface mode we might as well configure RSVP too :)


interface FastEthernet1/1
 ip address 10.0.23.2 255.255.255.0
 duplex auto
 speed auto
 mpls traffic-eng tunnels
 mpls ip
 ip rsvp bandwidth 75000 75000
!
interface FastEthernet2/0
 ip address 10.0.24.2 255.255.255.0
 duplex auto
 speed auto
 mpls traffic-eng tunnels
 mpls ip
 ip rsvp bandwidth 75000 75000
!


mpls traffic-eng tunnels
interface Loopback1
 ip address 30.30.30.30 255.255.255.255
!
interface FastEthernet1/0
 ip address 10.0.23.3 255.255.255.0
 duplex auto
 speed auto
 mpls traffic-eng tunnels
 mpls ip
 ip rsvp bandwidth 75000 75000
!
interface FastEthernet1/1
 ip address 10.0.35.3 255.255.255.0
 duplex auto
 speed auto
 mpls traffic-eng tunnels
 mpls ip
 ip rsvp bandwidth 75000 75000
!
router ospf 1
 mpls traffic-eng router-id Loopback1
 mpls traffic-eng area 0
 router-id 3.3.3.3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 3
 network 10.0.23.0 0.0.0.255 area 0
 network 10.0.35.0 0.0.0.255 area 0
 network 30.30.30.30 0.0.0.0 area 0
!

R4
!
mpls traffic-eng tunnels
!
!
interface Loopback1
ip address 40.40.40.40 255.255.255.255
!
interface FastEthernet1/0
ip address 10.0.24.4 255.255.255.0
duplex auto
speed auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 75000 75000
!
interface FastEthernet1/1
ip address 10.0.45.4 255.255.255.0
duplex auto
speed auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 75000 75000
!
router ospf 1
mpls traffic-eng router-id Loopback1
mpls traffic-eng area 0
router-id 4.4.4.4
log-adjacency-changes
network 4.4.4.4 0.0.0.0 area 4
network 10.0.24.0 0.0.0.255 area 0
network 10.0.45.0 0.0.0.255 area 0
network 40.40.40.40 0.0.0.0 area 0
!

R5
mpls traffic-eng tunnels
!
interface Loopback1
ip address 50.50.50.50 255.255.255.255
!
!
interface FastEthernet1/0
ip address 10.0.35.5 255.255.255.0
duplex auto
speed auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 75000 75000
!
interface FastEthernet1/1
ip address 10.0.45.5 255.255.255.0
duplex auto
speed auto
mpls traffic-eng tunnels
mpls ip
ip rsvp bandwidth 75000 75000
!
!
router ospf 1
mpls traffic-eng router-id Loopback1
mpls traffic-eng area 0
router-id 5.5.5.5
log-adjacency-changes
passive-interface FastEthernet2/0
network 5.5.5.5 0.0.0.0 area 5
network 10.0.35.0 0.0.0.255 area 0
network 10.0.45.0 0.0.0.255 area 0
network 50.50.50.50 0.0.0.0 area 0
network 192.168.56.0 0.0.0.255 area 56
!

Now the actual Tunnels!
As they are uni-directional we need one from R2-R5 and another from R5-R2

R2-R5
interface Tunnel1
ip unnumbered Loopback1
mpls traffic-eng tunnels
tunnel destination 50.50.50.50
tunnel mode mpls traffic-eng
tunnel mpls traffic-eng autoroute announce
tunnel mpls traffic-eng priority 1 1
tunnel mpls traffic-eng bandwidth 256
tunnel mpls traffic-eng path-option 1 explicit name R2-R3-R5
!
ip explicit-path name R2-R3-R5 enable
next-address 10.0.23.3
next-address 10.0.35.5
!

and R5-R2:
!
ip explicit-path name R5-R3-R2 enable
next-address 10.0.35.3
next-address 10.0.23.2
!

Proving it works!......



R6#ping 192.168.12.1 repeat 2

Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 192.168.12.1, timeout is 2 seconds:
!!
Success rate is 100 percent (2/2), round-trip min/avg/max = 44/48/52 ms

Results of an "debug mpls packet" from R3:


R3#
*Aug 12 20:23:59.407: MPLS turbo: Fa1/1: rx: Len 118 Stack {23 0 254} - ipv4 data
*Aug 12 20:23:59.427: MPLS turbo: Fa1/0: rx: Len 118 Stack {22 0 254} - ipv4 data
*Aug 12 20:23:59.459: MPLS turbo: Fa1/1: rx: Len 118 Stack {23 0 254} - ipv4 data
*Aug 12 20:23:59.491: MPLS turbo: Fa1/0: rx: Len 118 Stack {22 0 254} - ipv4 data

Note all 4 packets using the same route and all MPLS switched.
..and one final test:


R6#trace 192.168.12.1

Type escape sequence to abort.
Tracing the route to 192.168.12.1

  1 192.168.56.5 28 msec 16 msec 4 msec
  2 10.0.35.3 [MPLS: Label 23 Exp 0] 28 msec 12 msec 12 msec
  3 10.0.23.2 28 msec 32 msec 12 msec
  4 192.168.12.1 32 msec

Done!

NAT with VLANs, ACLs and PAT & Passive FTP

2009-08-06T06:07:00.000-07:00

Another day another blog post...oh wait thats not right...doing too many blog posts this week.

Ok here is the setup for you;

You have been asked to setup two servers in a DMZ of sorts, One HTTP server and One FTP server. However they must be in two separate VLANS and the router must stop communication between them.

Here is the lab:

Start by setting up the VLAN on FA0/0:
Vlan 200:


!
 interface FastEthernet0.200
 encapsulation dot1Q 200
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!

Vlan 300


!
interface FastEthernet0.300
 encapsulation dot1Q 300
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
!

/*********************************************************************/
Next define the traffic that will be NAT'ed for each VLAN:
VLAN200:


access-list 1 permit 192.168.1.0 0.0.0.255

VLAN300


access-list 105 permit ip 172.16.0.0 0.0.0.3 any

/*********************************************************************/
The NAT rules:
VLAN200


ip nat inside source list 1 interface Dialer1 overload

VLAN300


ip nat inside source list 105 interface Dialer1 overload

/*********************************************************************/
Finally on the Dialer0 interface:


interface Dialer1
 ip nat outside

/*********************************************************************/
Now ACL to prevent intervan traffic:


interface FastEthernet0.300
 encapsulation dot1Q 300
 ip address 172.16.0.1 255.255.255.252
 ip access-group FTP_IN in
!
!
ip access-list extended FTP_IN
 deny   ip any 192.168.1.0 0.0.0.255
 permit ip any any

I could configure a simular one on fa0/0.200 but consider that homework :)

Now on to what the rest of the world calls "port forwarding" but cisco calls "inside local to outside global PAT"

This bit is in two sections HTTP and FTP.

First HTTP PAT.

1) Allow remote users to connect to your firewall/router on port 80 and 443:


access-list 101 remark SSL Web access to forum
access-list 101 permit tcp any any eq 443
access-list 101 remark Web access to forum
access-list 101 permit tcp any any eq www

2) Setup PAT/Port Forwarding:


ip nat inside source static tcp 192.168.1.151 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.151 80 interface Dialer1 80

Done (for HTTP)
/*********************************************************************/
Now FTP:

1) Allow remote users to connect to your firewall/router on port 21 and 20:


access-list 101 remark FTP_IN
access-list 101 permit tcp any host 207.46.197.32 eq ftp log
access-list 101 remark FTP_IN_ACTIVE
access-list 101 permit tcp any host 207.46.197.32 eq ftp-data

2) Setup PAT/Port Forwarding:


ip nat inside source static tcp 172.16.0.2 20 207.46.197.32 20 extendable
ip nat inside source static tcp 172.16.0.2 21 207.46.197.32 21 extendable

3) Setup an Inspect Policy for the Incoming FTP traffic:


ip inspect name OUTSIDE_IN ftp

4)Add inspect policy to Dialer0


ip inspect OUTSIDE_IN in

/*********************************************************************/

Finially:

Add ACL 101 to Dialer0:


 ip access-group 101 in

Notes:
Replace 207.46.197.32 with your IP
Inspect requires an IOS with the Firewall feature set (K9 normally)

done!

IPSec Tunnel..with a difference Part 2

2009-08-06T05:07:00.000-07:00

Another Part2 ! This one you seen alot in production enviroments and that is "Floating Statics" or as I like to call them "Backup Floaters" :)

Here is the lab:

As we have already tackled most of the config here I wont waste your time by going through it again.

Therefore the configuration below is only concerned with the ISDN link.

BB2:


isdn switch-type basic-ni
!
interface BRI0/0
 ip address 192.168.2.2 255.255.255.0
 encapsulation hdlc
 dialer map ip 192.168.2.1 broadcast 21
 dialer-group 1
 isdn switch-type basic-ni
 isdn point-to-point-setup
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1 200 name BackupFloater

Core:


interface BRI0/0
 ip address 192.168.2.1 255.255.255.0
 dialer map ip 192.168.2.2 broadcast 11
 dialer-group 1
 isdn switch-type basic-ni
!
ip route 0.0.0.0 0.0.0.0 192.168.2.2 200 name BackupFloater

Then as R1 does not know about the 192.168.2.0 network:
R1


ip route 0.0.0.0 0.0.0.0 192.168.4.2 200 name BackupFloater

Done!

Notes:
I set the AD to 200 so that if in the future a dynamic routing protocol is used the default static floater will not get in the way.
The ISDN connection here does not use any sort of authentication, if that is important to you and it should be in production! look here