Booches.nl

Connecting the world…

Blogging colleagues

I am not the only one from Ictivity spamming the Internet with my blog. Their are more Consultants, from different disciplines, who share their knowledge with other people. Let’s have a closer look at them.

Yellow Bricks
Recently my colleague Duncan Epping already introduced me on his personal blog. Duncan is Virtualization Consultant for Ictivity, who is specialized in VMWare. You can find his blog here.
A couple of outtakes:

Scott’s post pointed me out to the follow up of the VMotion vs Quick Migration post a week ago. I’ve already blogged about the previous articles so here my thoughts […]
Source

Today I received the following error at a customer site when applying patch via the Update Manager:”Metadata for patch missing.” After a close inspection I noticed VirtualCenter wasn’t running on port 80 but on 81 for some reason. Opening up the ESX Firewall and restarting the VMware […]
Source

Digipulse
Digipulse is maintained by Microsoft and Server Based Computing (SBC) Consultant Edwin Houben. A couple of outtakes of Edwin’s blog:

Citrix maintains a support article (Document ID: CTX107572) that contains a plethora of troubleshooting tools for your Citrix/Terminal Services environment. Most of the tools are targeted at Citrix […]
Source

1. Logon as local administrator.
2. Set the “Citrix Independent Management Architecture” service to disabled in services.
3. Delete all locally stored […]
Source

ThinStallGuru
The last know Ictivity Blogger is Edwin Friessen. Edwin is also Microsoft and SBC Consultant at Ictivity. A couple of outtakes from his blog:

possible to use drive letter L: for CD-rom one and drive letter L: for CD-rom two. Because the application runs in separated bubbles they cannot conflict each other. In this case you have to remind that the […]
Source

One of the key reasons VMware acquired Thinstall was because we saw a gap in the current marketplace around application virtualization. The market, frankly, seemed artificially inhibited. We intend on opening […]
Source

Port-channel configuration for VMWare

I received some e-mails from people asking for configuration examples for Cisco switch in conjunction with VMWare servers. That is why I post the configuration (I normally use) beneath. This configuration enables a 802.1Q trunk connection between the switch and the VMWare server. This configuration requires the VMWare server to use VLAN tagging. The Port-channel consist two physical GigabitEthernet interfaces.

Configuration Example:

port-channel load-balancing src-dst-ip
!
interface Port-channel1
description 802.1Q to VMWare
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet1/0/1
description Member Po1
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
no cdp enable
channel-group 1 mode on
spanning-tree portfast trunk
!
interface GigabitEthernet2/0/1
description Member Po1
switchport trunk encapsulation dot1q
switchport nonegotiate
switchport mode trunk
no cdp enable
channel-group 1 mode on
spanning-tree portfast trunk

CDP is the Cisco propriatery Cisco Discovery Protocol. CDP can be usefull when trying to discover attached network components. VMWare supports CDP, so it could be enabled on the interfaces. The usage of CDP can help to see which switch port connects who which NIC on the ESX server.

Exchange 2007 with ISA 2006

Today I have be working on publishing Microsoft Exchange Outlook WebAccess and Active Sync to the Internet. We had some discussions with some Microsoft Consultants about a secure way to publish Outlook Web Access to the Internet, especially the authentication part of such a solution.

Some people are talking about publishing OWA directly to the Internet. In my opinion, this results in a major security thread, because you directly publish a TCP/80 and TCP/443 connection from the Exchange server to the Internet. An vulnerability or exploit in these services could end up in an hacker who takes over the Exchange server.

A second solution is placing a front-end server in a DMZ segment, but making the server a domain member for authentication. In my opinion still a security leak, because somebody who hacks the DMZ server has maybe the ability to hack or corrupt the Active Directory.

The third solution, and the solution we advise, is using a Microsoft ISA 2006 server as a front-end server in the DMZ. We configure a RADIUS or LDAPS (if you would like the option to change the password) connection to a RADIUS server or a domain member on the internal LAN segment. This ensures a secure way of authenticating users and even if somebody hacks the ISA server, he still hasn’t hacked a domain member server or a vulnerability in TCP/80 or TCP/443 of the Exchange server.

I have had a lot of help of an article on isaserver.org from Thomas Shinder while configuring the solution. I had some problems with publishing Active Sync. Ended up with enabling Basic Authentication on the Active Sync virtual directory (Microsoft-Server-ActiveSync).

HP Blade Switch Development

Maybe old news for some of you, but HP has developed the Cisco switches for the HP Blade servers. The Cisco Catalyst Blade Switch 3120G and 3120X provide stacking functionality. This improves the functionality of the switches by creating a single switch from two physical switches.

Source: The Cisco Catalyst Blade Switch 3120 Series Switches are specifically designed to meet the rigors of the blade server based application infrastructure and provides HP BladeSystem customers with the ability to stack up to nine switches into a single virtual Switch.

The creation of a stack helps improving the availability and load-balancing of connections between the HP Blade environment and the physical network environment. More information about the new switches can be found here.

BGP Multihoming

Today I have been playing with configuring BGP and multihoming. I configured a simple test environment where one customer router (local AS 100) connects to two ISP routers from the same ISP (remote AS 200). I configure some kind of load-sharing amongst the two links to the ISP.

Important when configuring BGP is the concept to not becoming some kind of Transit AS for other BGP connections. It is also very important to secure your own router from accepting the whole routing table of the ISP. In this example I only accept a default route from the ISP.

I configured the following scenario:
BGP Multihoming
The next section show the significant configuration of the different network components in the scenario.

ICTIVITY

interface Loopback0
description INTERNAL NETWORK
ip address 172.16.100.1 255.255.254.0
!
interface FastEthernet0/0
description CONNECTION TO ISP-A
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO ISP-B
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
router bgp 100
no synchronization
bgp log-neighbor-changes
bgp dampening
network 172.16.100.0 mask 255.255.254.0
timers bgp 1 5
neighbor 192.168.1.2 remote-as 200
neighbor 192.168.1.2 prefix-list DEFAULT-ONLY in
neighbor 192.168.2.2 remote-as 200
neighbor 192.168.2.2 prefix-list DEFAULT-ONLY in
maximum-paths 2
no auto-summary
!
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0

ISP-A

interface FastEthernet0/0
description CONNECTION TO ICTIVITY
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO DEFAULT GATEWAY
ip address 10.11.0.2 255.255.0.0
duplex auto
speed auto
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.11.0.0 mask 255.255.0.0
neighbor 192.168.2.1 remote-as 100
neighbor 192.168.2.1 default-originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.11.0.1

ISP-B

interface FastEthernet0/0
description CONNECTION TO ICTIVITY
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION TO DEFAULT GATEWAY
ip address 10.10.0.2 255.255.0.0
duplex auto
speed auto
!
router bgp 200
no synchronization
bgp log-neighbor-changes
network 10.10.0.0 mask 255.255.0.0
neighbor 192.168.2.1 remote-as 100
neighbor 192.168.2.1 default-originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.10.0.1

The above configuration is very basic, but yet very powerful. The command ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0 assures that only default routes are accepted from the ISP. The routing table of ICTIVITY has the following entries:

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

172.16.0.0/23 is subnetted, 1 subnets
C 172.16.100.0 is directly connected, Loopback0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
B* 0.0.0.0/0 [20/0] via 192.168.1.2, 00:00:24
[20/0] via 192.168.2.2, 00:00:11

Looking at the routing table our router has two default routes for load-balancing and fail-over purposes.