Quick: VLAN on Cisco PIX (6.3) – Public Wifi access?

There is a shelf in the store room that’s full of old and unused Cisco PIXs – they used to be essential when site-to-site VPNs were handled internally, but now they’re only used to protect the network from internet intruders via the ADSL line we use as an internet breakout.

In a couple of offices it would be really helpful to offer public wifi to guests, but the problem is there’s no secure default gateway that the guests can use – which means unless you buy a separate ADSL line for guest access (probably a waste of money), you’re stuck.

That is, until I remembered that some of the PIXs we have support VLANs… A quick “show ver” will tell you whether yours can:

...
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
...

Ah ha: only two NICs but the ability to have four interfaces, so we can VLAN here. Here’s the code; note that the wifi VLAN gets a low security level (4), and by default the PIX only passes traffic from a higher security level to a lower one, which is what stops guests initiating connections into the inside network:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 wifi security4
...

And then, for added ease, why not use DHCP on that interface?

dhcpd address 192.168.15.100-192.168.15.200 wifi
dhcpd dns 194.72.0.114 62.6.40.178
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable wifi

ip address wifi 192.168.15.1 255.255.255.0

Simples. The switch just needs to be set to recognise VLAN tagging (802.1Q trunking) on the port that ethernet1 uses, and Robert is your father’s brother.
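As an added example (not from the original post), here is a small Python check that parses the “show ver” limit and the PIX 6.3 lines above and flags the three things that make this guest VLAN safe to deploy: the named-interface count against the licence limit, the wifi security level sitting below inside, and the DHCP pool lying inside the wifi subnet. The sample strings are constructed from the snippets in the post; the interface names, levels and addresses are the post’s own.

```python
import ipaddress
import re

# Constructed sample input, copied from the snippets in the post above.
SHOW_VER = "Maximum Physical Interfaces: 2\nMaximum Interfaces: 4\n"
CONFIG = """\
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 wifi security4
ip address wifi 192.168.15.1 255.255.255.0
dhcpd address 192.168.15.100-192.168.15.200 wifi
"""

def check_guest_vlan(show_ver, config, guest="wifi", trusted="inside"):
    """Return a list of problems; an empty list means the guest VLAN looks sane."""
    problems = []
    # Every named interface (physical or logical VLAN) and its security level.
    levels = {m.group(1): int(m.group(2)) for m in
              re.finditer(r"^nameif \S+ (\S+) security(\d+)", config, re.M)}
    # 1. Named interfaces must fit the licence limit reported by "show ver".
    max_if = int(re.search(r"^Maximum Interfaces:\s*(\d+)", show_ver, re.M).group(1))
    if len(levels) > max_if:
        problems.append(f"{len(levels)} named interfaces exceed licence limit {max_if}")
    # 2. Guest must sit strictly below the trusted level: by default the PIX
    #    only passes traffic from a higher to a lower security level, which is
    #    what keeps guests out of the inside network.
    if guest not in levels or trusted not in levels:
        problems.append(f"missing nameif for {guest} or {trusted}")
    elif levels[guest] >= levels[trusted]:
        problems.append(f"{guest} security{levels[guest]} is not below "
                        f"{trusted} security{levels[trusted]}")
    # 3. The DHCP pool handed to guests must lie inside the guest subnet.
    addr = re.search(rf"^ip address {guest} (\S+) (\S+)$", config, re.M)
    pool = re.search(rf"^dhcpd address (\S+)-(\S+) {guest}$", config, re.M)
    if not (addr and pool):
        problems.append(f"no ip address or dhcpd pool for {guest}")
    else:
        net = ipaddress.IPv4Interface(f"{addr.group(1)}/{addr.group(2)}").network
        for end in pool.groups():
            if ipaddress.IPv4Address(end) not in net:
                problems.append(f"dhcp pool end {end} is outside {net}")
    return problems

if __name__ == "__main__":
    print(check_guest_vlan(SHOW_VER, CONFIG) or "guest VLAN checks passed")
```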

Quick: Installing APC Network Shutdown (PCNS) on VMWare ESXi 4.1

This is actually documented in APC Answer ID 11144, but I couldn’t find the link without actually e-mailing APC and asking for it, so hopefully by posting it here with a more sensible title others might stumble across it.

Since ESXi 4.1 was released the automatic shutdown of hosts using PowerChute Network Shutdown (PCNS) no longer works and needs patching. To do this you must first completely uninstall the existing installation of Network Shutdown by running the uninstall script; mine is located here:

sudo /opt/APC/PowerChute/uninstall

Download the new version from the APC website (the username and password are embedded on that page; at the time of writing it’s ftp://apcftp.apc.com). Then, despite what the instructions say, I didn’t rename install_en.sh to install.sh, I just ran it:

  1. Download the above file and extract it, giving you five (5) files including the README.txt
  2. Copy these files into /tmp along with the original installation files
  3. Run sudo /tmp/install_en.sh
  4. Follow the on-screen instructions
  5. As per the APC Answer file, copy the shutdown and uninstall commands over, mine looked like this: cp /tmp/shutdown /opt/APC/PowerChute/group1/bin/shutdown and cp /tmp/uninstall /opt/APC/PowerChute/uninstall

Listing of files extracted for the PCNS under 4.1 installation (screenshot showing the list of files before installation)

This felt quite a bit better to me: it actually requested an IP for the ESXi host it was supposed to be controlling and registered with the management interface on the UPS correctly, which is more than I got when I used the version for ESXi 4.0. I have tested this by issuing the PowerChute shutdown command from the UPS and both of my ESXi boxes shut down correctly.

Remember that you’ll need to have configured the Low Battery Duration to at least 5 minutes under the UPS web interface for this to be effective and worth having.

Using Network Access Quarantine for VPN Clients

The Scenario

Migrating machines from physical installations to virtual installations can be a chore, but it can also give you an opportunity to roll out new features and test new setups.

Having previously used a Microsoft Server 2003 installation to provide a free-of-charge and easy-to-maintain VPN system for employees, I wanted to tighten up the security and be more specific about which users were able to connect to the VPN and what access they were allowed.

Two levels of access had already been decided upon, although not implemented in the current build of the VPN server (using Routing and Remote Access in 2003), and these were:

  1. Provide unlimited network access for company staff on company equipment
  2. Provide limited access for company staff using their personal home equipment

The intention here is that anyone with permission would be able to use any computer on the internet to connect in and perform certain functions, but to browse all the data drives and have unlimited network access you would need to use a company laptop, which in turn would be considerably more likely to have up-to-date antivirus software on it.

The upgrade

The upgrade to Server 2008 R2 gave an ideal time to test and implement the specific features that were required: two servers were being used side by side; the current 2003 box sat on an old 2 Mbit/s line and served all the current clients, while the new 2008 R2 box was on the new 25 Mbit/s line and served only the test clients until testing had been completed.

Despite the existence of the Microsoft Server Migration tool I was unable to successfully migrate the settings from 2003 to 2008, and so had to manually re-create the VPN server in RRAS and create two policies which mirrored the above settings.

The settings

Why I chose a bandwidth upgrade and not Riverbed

How would you spend £30,000 of a company’s money? To get this blog post started I’ll just entertain you with the stats; this is a bit like giving you the punchline before telling the entire joke, but those of you who want a short answer will now get it.

This compares an existing managed 2 Mbit/s line with nothing on it, the same line with a Riverbed Steelhead installed, and then the new line which was installed as a result of this entire project.

Data transfer speeds – a 600 MB file transferred between two sites:

  • Before any changes: 1 hour and 10 minutes, 1.14 Mbit/s on the 2 Mbit/s pipe
  • With Riverbed (first time): 51 minutes, 1.57 Mbit/s on the 2 Mbit/s pipe
  • With Riverbed (second time): 9 minutes, 8.89 Mbit/s on the 2 Mbit/s pipe
  • With the 25 Mbit/s upgrade: 4.5 minutes, 18 Mbit/s on the 25 Mbit/s pipe.

Now, the detail…


Jumbo Frames and Flow Control on HP Procurve 5406zl

Following on from the external network audit that was ordered, an HP Procurve 5406zl was purchased. I was assured by the auditor that this would handle future iSCSI requirements as well as the current network size and traffic.

Imagine my horror when I read that I could only use Flow Control or Jumbo Frames, not both. I want both for an iSCSI implementation! Worse still, I couldn’t even find the option to turn Jumbo Frames off and on!

After a few hours of flicking backwards and forwards through the various configuration pages available on the web interface I finally did that thing that people like me use as a last resort and RTFM. I found my answer (below) and now everything works perfectly – you can have both on the 5406, and I imagine on a few other models too; there is a note in one of the firmware release notes explaining that the restriction was incorrectly published in a previous document.

How to do it:


WAN Optimisation and Review

Many companies use some way of connecting their offices together. These wide area networks can be national or international, and they can be dedicated fibre optics between buildings or home-user broadband connections using some sort of VPN. Regardless of which system your company uses, it’s worth revisiting it every now and then to make sure you’re getting the best out of it.

Businesses have cropped up over the last few years offering optimisation of these sorts of networks: companies like Riverbed, GlobalScape WAFS and DBAM have been selling products for a few years now which allow you to get more out of your existing bandwidth, and many of them suggest that their products are more efficient and more economical than simply upgrading your existing link speeds. The latest version of Windows Server 2008 (R2) even has a built-in facility which does something similar, called BranchCache.

During the course of this project I will evaluate a few of these hardware and software solutions and establish whether or not they actually deliver and whether or not they really are better than just buying bandwidth.


Quick: Helpful list of netsh commands for your Windows Server Core 2008R2 Installation

As I’m now configuring all my new virtual servers, many of which are Core installations, I need a helpful list of netsh commands to configure network interfaces and so on. This is a handy guide for me as much as anyone else:

  1. Change an interface’s name:
    netsh interface set interface name="Local Area Connection" newname="LAN"
  2. Change an interface’s MTU (for jumbo frames etc):
    netsh interface ipv4 set subinterface "LAN" mtu=WHATEVER store=persistent
  3. List IPv4 interfaces:
    netsh interface ipv4 show interfaces
  4. Set an IPv4 address:
    netsh interface ipv4 set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway
  5. Add some DNS Servers:
    netsh interface ipv4 add dnsserver name="ID" address=DNSIP
  6. Set back to DHCP:
    netsh interface ipv4 set address name="ID" source=dhcp

Network Audit and Refresh

Before investigating the servers and the storage options that would build the final solution, I first started with an audit of the existing network infrastructure – the cables and switches that currently make up the network.

Background Information

The office has about 120 employees spread over 5 studios, each containing 20-40 people. The employees use 2D and 3D CAD and BIM software to perform architectural work, and there are also users of heavy graphical editing packages such as Adobe Creative Suite.