I have run into an issue before when migrating configuration parameters from one Aruba Networks Wireless Controller to another: the running configuration shows pre-shared keys only in encrypted form. To view pre-shared keys unencrypted, enter the following commands while in enable mode:
#encrypt disable
#show running-config
To re-enable encryption once finished, enter the following command while in enable mode:
#encrypt enable
A collection of tutorials, designed to assist systems engineers in the integration of different technical solutions.
Monday, June 11, 2012
Friday, June 8, 2012
vSphere Client won't connect to vCenter?
I have run into this issue with multiple customers that have VMware vSphere 4+ and Microsoft SQL Server 2005 Express Edition. Many times when working with vSphere, rather than installing SQL Server Standard/Enterprise Edition, customers typically install SQL Server Express since it comes as an installable option with the vSphere .msi. Is this a good idea? NOPE. There is a 4GB limit to SQL Server Express Edition. This is a total pain because one day, without warning, you will attempt to log into vCenter via your vSphere client only to be greeted by an error stating that the vSphere client is unable to connect to the vCenter server. Looking in services.msc will reveal that the VMware VirtualCenter Server service has stopped, and attempting to restart the service fails.
There are multiple ways to free up space. Obviously, the best thing to do would be to migrate to Microsoft SQL Server Standard or Express Edition. However, if you are in a bind and just need to get into VMware vSphere, follow the steps below:
Check Database Size:
- Log in to the vCenter server.
- Stop all vCenter services.
- Launch Microsoft SQL Server Management Studio Express. You can download Management Studio if you do not have it.
- Under Server Name select the database that pertains to your vCenter instance. Chances are you are only using the server to host vCenter so there may only be one database to select.
- Under Authentication you can select Windows Authentication and click connect. Assuming you are logged in as an administrator you should be able to connect without issue.
- Click connect.
- Before you do anything, you want to verify that a full database is your issue. Right-click on VIM_VCDB and select properties. Under properties you will see how much space is in use.
- Expand the database tree until you see a table called dbo.VPX_PARAMETER.
- Right-click on dbo.VPX_PARAMETER and select Open Table.
- Modify the following values:
- event.maxAge - By default this is set to 180 days. You can set this to whatever you desire. Obviously, the lower you set it, the fewer events will be retained.
- event.maxAgeEnabled - By default this is set to false, which means that by default your database saves all events. Make sure this is set to true.
- Do the same thing for the task.maxAge and task.maxAgeEnabled values.
- Expand the database tree until you see a stored procedure called dbo.cleanup_events_tasks_proc.
- Right-click on dbo.cleanup_events_tasks_proc and select Execute Stored Procedure.
- This will remove all the events and tasks that do not match the parameters specified in the dbo.VPX_PARAMETER table. This may take a few minutes.
- Once complete, open up the database properties again and check the database size. It should be substantially lower.
Sunday, May 20, 2012
Juniper Networks SRX Sample Configuration
Below is a sample remote site configuration of a Juniper SRX100 firewall along with explanations. I used this template configuration to deploy multiple firewalls in a multi-site, retail-type deployment. You will see 4 separate subnets/VLANs for voip, data, corporate wireless, and guest wireless. In this particular example, the VoIP deployment was ShoreTel, and the wireless technology used was that of Aruba Networks. You will also see a route-based VPN configuration bound to the untrust interface, allowing for communication between the HQ and remote site.
Note: You can view the configuration in the format below any time by issuing the command, "show | display set". I changed a bit of how it is displayed in order to better show what each line means.
To set the host name:
set system host-name
To set the root password:
set system root-authentication plain-text-password
To set the name server:
set system name-server
To set additional user names and passwords:
set system login user example uid 2000
set system login user example class super-user
set system login user example authentication plain-text-password
To allow different global services:
set system services ftp
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.5
(vlan.5 allows web management from that logical interface only. You will see below that vlan.5 is also known as the data vlan)
To set other system policies:
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
(The settings above are actually there by default, but can be changed as needed.)
To configure interfaces:
set interfaces fe-0/0/0 description "WAN"
set interfaces fe-0/0/0 unit 0 family inet dhcp
(In this example, I am using interface fe-0/0/0 as the WAN interface.)
set interfaces fe-0/0/1 description "VOIP/DATA"
set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/1 unit 0 family ethernet-switching native-vlan-id 5
(Interface fe-0/0/1 is a trunk port for both the VOIP and DATA VLANs.)
set interfaces fe-0/0/2 disable
set interfaces fe-0/0/3 disable
set interfaces fe-0/0/4 disable
set interfaces fe-0/0/5 disable
set interfaces fe-0/0/6 disable
(The interfaces above are disabled since they are not in use in this example.)
set interfaces fe-0/0/7 description "CORP WIRELESS/GUEST WIRELESS"
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode trunk
set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 6
(Interface fe-0/0/7 is a trunk port for both the CORP WIRELESS and GUEST WIRELESS VLANs.)
To configure an interface for route-based VPN:
set interfaces st0 unit 0 family inet next-hop-tunnel 10.10.10.254 ipsec-vpn routebasedvpn
set interfaces st0 unit 0 family inet address 10.10.10.5/24
(The 10.10.10.254 IP is the address of the HQ st0 interface. The 10.10.10.5 IP is the address of the local st0 interface)
To configure a gateway/subnet for each VLAN:
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24
(The unit numbers match the VLAN IDs, so that vlan.4 through vlan.7, which the DHCP relay, zone and VLAN sections below all reference, each carry a gateway address.)
To configure DHCP options:
set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp description "DHCP SERVER"
set forwarding-options helpers bootp server 10.10.100.10
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.5
set forwarding-options helpers bootp interface vlan.6
set forwarding-options helpers bootp interface vlan.7
(In the example above, the SRX is doing a relay from a centralized DHCP server at HQ.)
To configure routing options:
set routing-options static route 192.168.4.0/24 next-hop st0.0
(In the example above, the subnet for the VoIP VLAN is being routed over the VPN tunnel interface.)
To set protocols:
set protocols igmp interface vlan.4
set protocols lldp interface all
set protocols lldp-med interface all
To configure IPSEC VPN:
set security ike proposal phase1-prop authentication-method pre-shared-keys
set security ike proposal phase1-prop dh-group group2
set security ike proposal phase1-prop authentication-algorithm sha1
set security ike proposal phase1-prop encryption-algorithm 3des-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposal-set standard
set security ike policy ike-policy1 pre-shared-key ascii-text test1234
set security ike gateway ike-gateway1 ike-policy ike-policy1
set security ike gateway ike-gateway1 address 1.1.1.1
set security ike gateway ike-gateway1 external-interface fe-0/0/0.0
set security ipsec proposal phase2-prop protocol esp
set security ipsec proposal phase2-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal phase2-prop encryption-algorithm 3des-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy1 proposal-set standard
set security ipsec vpn routebasedvpn bind-interface st0.0
set security ipsec vpn routebasedvpn ike gateway ike-gateway1
set security ipsec vpn routebasedvpn ike ipsec-policy ipsec-policy1
set security ipsec vpn routebasedvpn establish-tunnels immediately
To configure NAT:
set security nat source rule-set voip-to-untrust from zone voip
set security nat source rule-set voip-to-untrust to zone untrust
set security nat source rule-set voip-to-untrust rule source-nat-rule1 match source-address 192.168.4.0/24
set security nat source rule-set voip-to-untrust rule source-nat-rule1 then source-nat interface
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule2 match source-address 192.168.5.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule2 then source-nat interface
set security nat source rule-set corp_wireless-to-untrust from zone corp_wireless
set security nat source rule-set corp_wireless-to-untrust to zone untrust
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.6.0/24
set security nat source rule-set corp_wireless-to-untrust rule source-nat-rule3 then source-nat interface
set security nat source rule-set guest_wireless-to-untrust from zone guest_wireless
set security nat source rule-set guest_wireless-to-untrust to zone untrust
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule3 match source-address 192.168.7.0/24
set security nat source rule-set guest_wireless-to-untrust rule source-nat-rule3 then source-nat interface
To configure screen options:
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
To configure zones:
set security zones security-zone voip host-inbound-traffic system-services all
set security zones security-zone voip host-inbound-traffic protocols all
set security zones security-zone voip interfaces vlan.4
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.5
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic protocols router-discovery
set security zones security-zone corp_wireless host-inbound-traffic system-services all
set security zones security-zone corp_wireless host-inbound-traffic protocols all
set security zones security-zone corp_wireless interfaces vlan.6
set security zones security-zone vpn address-book address hq_network 10.10.0.0/16
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all
set security zones security-zone guest_wireless host-inbound-traffic system-services all
set security zones security-zone guest_wireless host-inbound-traffic protocols all
set security zones security-zone guest_wireless interfaces vlan.7
To configure policies from zone to zone:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone vpn policy trust-to-vpn match source-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match destination-address any
set security policies from-zone trust to-zone vpn policy trust-to-vpn match application any
set security policies from-zone trust to-zone vpn policy trust-to-vpn then permit
set security policies from-zone vpn to-zone trust policy vpn-to-trust match source-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-to-trust match application any
set security policies from-zone vpn to-zone trust policy vpn-to-trust then permit
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match source-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match destination-address any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust match application any
set security policies from-zone corp_wireless to-zone untrust policy corp_wireless-to-untrust then permit
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match source-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match destination-address any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn match application any
set security policies from-zone corp_wireless to-zone vpn policy corp_wireless-to-vpn then permit
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match source-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match destination-address any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless match application any
set security policies from-zone corp_wireless to-zone corp_wireless policy corp_wireless-to-corp_wireless then permit
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match source-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match destination-address any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust match application any
set security policies from-zone guest_wireless to-zone untrust policy guest_wireless-to-untrust then permit
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match source-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match destination-address any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless match application any
set security policies from-zone guest_wireless to-zone guest_wireless policy guest_wireless-to-guest_wireless then permit
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match source-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match destination-address any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless match application any
set security policies from-zone vpn to-zone corp_wireless policy vpn-to-corp_wireless then permit
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match source-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match destination-address any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless match application any
set security policies from-zone trust to-zone corp_wireless policy trust-to-corp_wireless then permit
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match source-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match destination-address any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust match application any
set security policies from-zone corp_wireless to-zone trust policy corp_wireless-to-trust then permit
set security flow tcp-mss ipsec-vpn mss 1350
To configure VLANs:
set vlans VOIP description "VOIP"
set vlans VOIP vlan-id 4
set vlans VOIP interface fe-0/0/1.0
set vlans VOIP l3-interface vlan.4
set vlans DATA description "DATA"
set vlans DATA vlan-id 5
set vlans DATA l3-interface vlan.5
set vlans CORP_WIRELESS description "CORP_WIRELESS"
set vlans CORP_WIRELESS vlan-id 6
set vlans CORP_WIRELESS l3-interface vlan.6
set vlans GUEST_WIRELESS description "GUEST_WIRELESS"
set vlans GUEST_WIRELESS vlan-id 7
set vlans GUEST_WIRELESS interface fe-0/0/7.0
set vlans GUEST_WIRELESS l3-interface vlan.7
(You will notice that interface fe-0/0/1.0 is bound to the VOIP VLAN. However, if you take a look at the "set interfaces" section again you will see that interface fe-0/0/1 has a native VLAN ID of 5. This means that both VLANs can exist on this interface, but that by default devices will receive an IP in VLAN 5 unless otherwise specified (i.e. In this example a custom DHCP option was created for the voip VLAN, assigning a VLAN ID of 4.).)
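A template like this is easy to mistype, and the mistakes that matter most are cross-reference ones: a DHCP relay or zone bound to a vlan.N that has no address, a source-NAT rule matching a subnet no VLAN carries, or a permit that lets the guest network into a zone it should never reach. The Python audit below is an added example, not part of the original post or any Juniper tool; it parses "show | display set" output and reports those problems. The excerpt it runs on is a constructed subset of the template above with two planted faults (a mistyped 181.168.7.0/24 guest subnet and a guest_wireless-to-vpn permit), and the GUEST_ALLOWED set encodes this design's assumption that guests may only reach untrust and themselves.

```python
import ipaddress
import re

# Constructed excerpt of the SRX100 template (not the full config). Two faults are
# planted so the audit has something to report: the guest NAT rule carries the
# mistyped 181.168.7.0/24, and policy g2v permits guest_wireless into the vpn zone.
SAMPLE_CONFIG = """\
set interfaces vlan unit 4 family inet address 192.168.4.1/24
set interfaces vlan unit 5 family inet address 192.168.5.1/24
set interfaces vlan unit 6 family inet address 192.168.6.1/24
set interfaces vlan unit 7 family inet address 192.168.7.1/24
set forwarding-options helpers bootp interface vlan.4
set forwarding-options helpers bootp interface vlan.7
set security nat source rule-set voip-to-untrust rule r1 match source-address 192.168.4.0/24
set security nat source rule-set guest_wireless-to-untrust rule r3 match source-address 181.168.7.0/24
set security zones security-zone voip interfaces vlan.4
set security zones security-zone guest_wireless interfaces vlan.7
set security policies from-zone guest_wireless to-zone untrust policy g2u then permit
set security policies from-zone guest_wireless to-zone vpn policy g2v then permit
"""

VLAN_ADDR = re.compile(r"^set interfaces vlan unit (\d+) family inet address (\S+)$")
RELAY_IF = re.compile(r"^set forwarding-options helpers bootp interface (vlan\.\d+)$")
NAT_SRC = re.compile(r"^set security nat source rule-set (\S+) rule (\S+) match source-address (\S+)$")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (vlan\.\d+)$")
PERMIT = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit$")

# Design assumption for this template: guest wireless may reach the internet and itself only.
GUEST_ALLOWED = {"untrust", "guest_wireless"}


def audit(config: str) -> list:
    """Return one finding string per cross-reference problem in a 'display set' listing."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Pass 1: L3 VLAN interfaces, "vlan.N" -> the subnet configured on unit N.
    subnets = {}
    for ln in lines:
        if m := VLAN_ADDR.match(ln):
            subnets[f"vlan.{m.group(1)}"] = ipaddress.ip_interface(m.group(2)).network
    # Pass 2: every statement that points at a VLAN, a subnet or a zone pair.
    findings = []
    for ln in lines:
        if (m := RELAY_IF.match(ln)) and m.group(1) not in subnets:
            findings.append(f"DHCP relay on {m.group(1)} but no inet address on that unit")
        elif (m := ZONE_IF.match(ln)) and m.group(2) not in subnets:
            findings.append(f"zone {m.group(1)} binds {m.group(2)} which has no inet address")
        elif m := NAT_SRC.match(ln):
            net = ipaddress.ip_network(m.group(3), strict=False)
            if net not in subnets.values():
                findings.append(f"NAT rule {m.group(2)} matches {net}, not a configured VLAN subnet")
        elif (m := PERMIT.match(ln)) and m.group(1) == "guest_wireless" and m.group(2) not in GUEST_ALLOWED:
            findings.append(f"policy {m.group(3)} permits guest_wireless into zone {m.group(2)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the real output of "show | display set" (saved to a file) to audit a deployed box; on the excerpt above it reports exactly the two planted faults.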