
http://flickrstream.webzardry.com/?home

It worked on the 7500+ photos I have up there, but did them in chunks of 100, which took quite a while…

These instructions will be similar (if not identical) for core versions of server 2012 and 2008R2, but don’t quote me:

  1. Download (http://downloadcenter.intel.com) and install (http://www.intel.com/support/network/sb/cs-016040.htm) the latest drivers for your particular NIC from Intel.
  2. On each host, identify the indices of the adapters you want to include in the team (c:\progra~1\intel\dmix\cl\prosetcl.exe Adapter_Enumerate) – assuming 2 and 3 for further steps.
  3. Create the team (c:\progra~1\intel\dmix\cl\prosetcl.exe Team_Create 2,3 Team1 802.3AD). There are other choices for the type of team – review c:\progra~1\intel\dmix\cl\prosetcl.txt for documentation.
  4. Use sconfig to assign IP configs

Done and done!  Obviously, you need to have your switch configured appropriately for your type of team – LACP for 802.3AD…

I’m using a CentOS 6 box for HA NFS storage behind a cluster of VMware ESXi boxes. I want to make sure those ESXi hosts aren’t fighting over a single 1Gbps Ethernet interface.  Bonding 6 interfaces (3 x Intel Pro Dual-NICs) should do the trick…

On 3750x:

  • Configure switch ports (for me, that’s gi1/0/25 – 30):
    interface range gi1/0/25-30
    switchport mode access
    spanning-tree portfast
    channel-group 1 mode active
    channel-protocol lacp
    no shut
    end
    copy run start

On CentOS:

  • Configure alias for kernel module
    Create /etc/modprobe.d/bonding.conf with the following contents:
    alias bond0 bonding
  • Create bond0 interface config
    Create /etc/sysconfig/network-scripts/ifcfg-bond0 with the following contents:
    DEVICE=bond0
    BONDING_OPTS="mode=4 miimon=500"
    BOOTPROTO=none
    ONBOOT=yes
    NETWORK=192.168.0.0
    NETMASK=255.255.255.0
    IPADDR=192.168.0.15
    USERCTL=no
  • Modify the configuration for the interfaces you want to bond.  Keep the top 3 lines in each configuration file, which should be:
    DEVICE=XXXX
    HWADDR=XX:XX:XX:XX:XX:XX
    TYPE=Ethernet
    Replace everything below those 3 lines with:
    ONBOOT=yes
    NM_CONTROLLED=no
    BOOTPROTO=none
    MASTER=bond0
    SLAVE=yes
    USERCTL=no
  • Reboot

Done and done…
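After the reboot, only slaves that joined the active LACP aggregator carry traffic; a NIC whose switch port never negotiated into the bundle shows a different Aggregator ID in /proc/net/bonding/bond0 and sits idle without any error. The following is an added example, not part of the original post, that parses that file and flags such slaves; the sample text is constructed (two of the six slaves shown).

```python
import re

# Constructed sample of /proc/net/bonding/bond0, abbreviated to two slaves.
SAMPLE_BOND0 = """\
Bonding Mode: IEEE 802.3ad Dynamic link aggregation
MII Status: up

802.3ad info
Active Aggregator Info:
\tAggregator ID: 1
\tPartner Mac Address: 00:11:22:33:44:55

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Aggregator ID: 1

Slave Interface: eth1
MII Status: up
Link Failure Count: 3
Aggregator ID: 2
"""

def _fields(block):
    """'Key: value' lines of one stanza as a dict (the first colon splits key from value)."""
    return dict(re.findall(r"^[ \t]*([^:\n]+?):[ \t]*(.*)$", block, re.M))

def parse_bond(text):
    head, *stanzas = text.split("\nSlave Interface: ")   # header, then one stanza per slave
    info = _fields(head)
    slaves = []
    for stanza in stanzas:
        name, body = stanza.split("\n", 1)
        f = _fields(body)
        slaves.append({"name": name, "mii": f.get("MII Status"),
                       "agg": f.get("Aggregator ID"), "failures": int(f.get("Link Failure Count", 0))})
    return {"mode": info.get("Bonding Mode", ""), "active_agg": info.get("Aggregator ID"), "slaves": slaves}

def bond_problems(bond):
    """Human-readable findings; an empty list means every slave is up and in the active aggregator."""
    problems = []
    if "802.3ad" not in bond["mode"]:
        problems.append("mode is '%s', expected IEEE 802.3ad (mode=4)" % bond["mode"])
    for s in bond["slaves"]:
        if s["mii"] != "up":
            problems.append("%s: link %s" % (s["name"], s["mii"]))
        elif s["agg"] != bond["active_agg"]:   # 802.3ad only forwards on the active aggregator's ports
            problems.append("%s: aggregator %s but active aggregator is %s (carries no traffic)"
                            % (s["name"], s["agg"], bond["active_agg"]))
    return problems
```

Run it against the real file with `bond_problems(parse_bond(open("/proc/net/bonding/bond0").read()))`; a non-empty result after a reboot usually means the matching switch port is missing from channel-group 1.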

First Thing First

  1. Get your WCCP-capable Cisco device set up as your internet router – I’m using a C3825 ISR running 15.1(4)M6…if you’re not using the same, your mileage may vary…

Configure CentOS

    1. Deploy CentOS (6.4 at the time of writing) using the method of your choice – I used the minimal install, which is very nearly sufficient…
      * optional: disable selinux (if you don’t do this, then you’ll need to hassle with selinux) and ip6tables (doubtful you’re running ipv6 – if you are, then you know how to manage it)…
    2. Squid needs to be configured with --enable-linux-netfilter and --enable-wccpv2, so let’s install squid via yum and ensure it has those config options:
      yum install squid
      squid -v | grep enable-linux-netfilter | grep enable-wccpv2
      * If you see any output, then those config options were found and you should be good to go!  If you don’t see any output, then make sure there are no typos (copy/paste the command) and try again.  If you still don’t see any output, then you’ll have to build squid from source – yippee for you! But, the package for CentOS 6 does include those config options, so I’m moving right along!
    3. Start squid to make sure everything works at defaults
      service squid start
      cat /var/log/squid/squid.out

      * No errors? -> Good stuff! … Errors? -> Happy troubleshooting!
    4. Once squid is running error free and you can successfully use it by manually configuring your browser to point at it, let’s make sure it’s set to boot in chkconfig:
      chkconfig squid on
    5. Now let’s make some squid config (/etc/squid/squid.conf) changes – comment the line “http_port 3128” and copy/paste the following below it (note: my router’s internal IP is 192.168.0.1, yours might be different):

# Transparent proxy via WCCPv2
http_port 3128 intercept
wccp2_router 192.168.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

  • Create the GRE tunnel interface to be used for the wccp redirects from the router:
    vi /etc/sysconfig/network-scripts/ifcfg-gre0
    Paste the following contents (*note – I’m using 10.0.0.2 as the local IP for the GRE tunnel, but you should choose any IP address that’s not in use elsewhere on your network):
    DEVICE=gre0
    BOOTPROTO=static
    IPADDR=10.0.0.2
    NETMASK=255.255.255.252
    ONBOOT=yes
    IPV6INIT=no
  • Modify sysctl.conf to enable forwarding and disable route path filtering:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.gre0.rp_filter = 0
    net.ipv4.conf.eth0.rp_filter = 0
  • Modify iptables to redirect packets coming in via the GRE tunnel with a destination port of 80 and NOT destined for the local network:
    iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 ! -d 192.168.0.0/255.255.255.0 -i gre0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
  • Now restart squid and check /var/log/squid/squid.out for errors and resolve any that you find.
Configure WCCPv2 on 3825

  1. Set WCCP to version 2
    ip wccp version 2
  2. Create an access list to define the proxy server(s) on your network:
    access-list 2 permit 192.168.0.2
  3. Create another access list to define which hosts are subject to proxy and which hosts are denied/bypass (the proxy server(s) and any other clients you want to access the Internet w/o proxy).
    access-list 102 remark ACL for WCCP proxy
    access-list 102 remark Squid proxies bypass WCCP
    access-list 102 deny ip host 192.168.0.2 any
    access-list 102 remark Clients to proxy
    access-list 102 permit tcp 192.168.0.0 0.0.0.255 any eq 80
    access-list 102 remark All others bypass WCCP
    access-list 102 deny ip any any
  4. Apply the ACLs to WCCP
    ip wccp web-cache redirect-list 102 group-list 2
  5. Verify configuration:
    sh ip wccp
    you should see output similar to this:
    Global WCCP information: Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: web-cache
    Number of Service Group Clients: 0
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    CEF: 0
    Service mode: Open
    Service Access-list: -none-
    Total Packets Dropped Closed: 0
    Redirect Access-list: 102
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group Access-list: 2
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total GRE Bypassed Packets Received: 0

    * Note: Redirect Access-list and Group Access-list…
  6. …TO BE CONTINUED…
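The deny entry for the proxy at the top of access-list 102 is what prevents a redirect loop: Squid’s own outbound HTTP would otherwise be redirected straight back to Squid. The following is an added example, not code from the post, that models the router’s first-match ACL evaluation and the iptables PREROUTING rule from the CentOS section so the decision can be checked for a given packet; `Pkt`, `PROXY` and `packet_path` are names chosen here, and the addresses are the post’s.

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst proto dport")   # proto: "tcp"/"udp"; dport: destination port
LAN = ipaddress.ip_network("192.168.0.0/24")
PROXY = "192.168.0.2"

def _acl_addr_match(addr, spec):
    """Cisco ACL address spec: 'any', 'host A.B.C.D' or 'network wildcard-mask'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard 1-bits are don't-care
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

# access-list 102 from the post as (action, protocol, source, destination, dest port).
# Entries are tried top-down, first match wins, unmatched traffic is implicitly denied.
ACL_102 = [
    ("deny",   "ip",  "host " + PROXY,         "any", None),   # the proxy itself bypasses WCCP
    ("permit", "tcp", "192.168.0.0 0.0.0.255", "any", 80),     # LAN clients to any web server
]

def wccp_redirects(pkt):
    """True when the router would redirect pkt to Squid over GRE (redirect-list 102)."""
    for action, proto, src, dst, dport in ACL_102:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not (_acl_addr_match(pkt.src, src) and _acl_addr_match(pkt.dst, dst)):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action == "permit"
    return False

def squid_prerouting(pkt, in_iface):
    """The post's iptables rule: -s LAN ! -d LAN -i gre0 -p tcp --dport 80 -> DNAT to PROXY:3128."""
    if (in_iface == "gre0" and pkt.proto == "tcp" and pkt.dport == 80
            and ipaddress.ip_address(pkt.src) in LAN and ipaddress.ip_address(pkt.dst) not in LAN):
        return (PROXY, 3128)
    return (pkt.dst, pkt.dport)

def packet_path(pkt):
    """'direct' if the router forwards normally, else where Squid's nat table delivers the packet."""
    if not wccp_redirects(pkt):
        return "direct"
    dst, port = squid_prerouting(pkt, "gre0")
    return "gre0 -> %s:%d" % (dst, port)
```

Note that an HTTP request from a client to a LAN address is still redirected by the router (ACL destination is `any`) but not DNATed by the iptables rule, so the Squid host simply forwards it thanks to ip_forward=1.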

  1. Open ~/.config/Terminal/terminalrc in your favorite editor
  2. Modify the line starting with MiscDefaultGeometry. For example:
    MiscDefaultGeometry=160x60+120+120
    which sets the window to 160 characters wide and 60 characters high with the top left corner at 120 pixels to the right and down from the top left corner of the screen.

I just ran into this and thought it prudent to post something here in case I ever run into similar strange behavior in the future.  I decided to evaluate Windows Server 2012.  In doing so, I created 2 domain controllers – each running the AD bits, DNS and DHCP (btw, DHCP failover config in Server 2012 is painless and takes just 3 clicks).  I adjusted my network gear with the ip helper addresses for the domain controllers (away from my linux server that was previously handling DHCP and DNS) and changed the DHCP scope and static IP assignments to point at the new DNS servers.  I quickly noticed very slow DNS resolutions and in some instances complete DNS resolution failures.  I dug into my linux host to see if there were machines attempting to access named, but there were none – furthermore, dhcpd and named services were stopped and turned off in chkconfig.  I then took a look in /var/log/messages and found insanely frequent NAT create/delete events being logged from my internet router via syslog.  So, I took a look at the rsyslog flags in /etc/sysconfig/rsyslog and I only had “-c 5” which simply sets the compatibility mode to 5.  So I thought – hmmmm, maybe rsyslog is trying to do lookups…dug into rsyslog options or “syslogd_options” and found -x, which disables lookups.  Bounced rsyslog and voila!  No more crazy DNS traffic from the syslog server…  whew…

This is a highly abbreviated how-to guide to build your own VMware vSphere lab very quickly:

  • Acquire/build a computer with more than 16GB of RAM that will allow virtualization pass-thru (if you don’t already know, then research this before you proceed)
  • Install your choice of operating system and virtualization package (I use VirtualBox on CentOS)
  • Create a VM and install your choice of linux operating system
    Bring up NFS and any other network services (DHCP, DNS, etc.) on that box that you want to use in your lab (forget Active Directory in the lab environment; it’s not necessary)
  • Create an account with VMware and start your evaluation of vSphere – download all the things you want to evaluate (ESXi, vCenter Server Appliance, etc.)
  • Create 2+ identical VMs running ESXi (create one, then create a clone of it) – make sure to provide at least 2 cores and 2096 MB RAM
  • Import the vCenter Server Appliance OVF – in VirtualBox (File -> Import Appliance)
  • Start the vCSA you just imported. Once it’s up, it will give you a URL to visit to complete the setup – follow the instructions to get a “default” setup of vCSA.
  • Point your vSphere Client at your new vCSA or point the browser of your choice to https://<name or IP of vCSA>/vsphere-client and you’re off!

If you find yourself unable to load a new software image onto your ASA via all standard methods, then you can load a new image from rommon (ROM monitor mode) using TFTP. To enter into rommon:

  1. Connect a console cable to the console port of the ASA
  2. Power cycle or power on the ASA
  3. As the appliance is starting, press the Escape key to enter rommon

To load an image onto your ASA via rommon:

  1. Connect Eth0/0 to your network
  2. Assign IP address config to your ASA:
    rommon #1> ADDRESS=192.168.0.201
    rommon #2> SERVER=192.168.0.21
    rommon #3> GATEWAY=192.168.0.1
    rommon #4> IMAGE=asa911-k8.bin
    rommon #5> PORT=Ethernet0/0
  3. Then issue the tftp command
    rommon #6> tftp
  4. The ASA will then transfer the image and boot from it
  5. After the firewall boots, login and check (show version)

Just figured I’d put this here for future reference if I find myself needing to push an IOS  + Web-Based Dev Mgr to a device via TFTP in the future:

  1. Place the IOS + Web-Based Dev Mgr file in the root of the TFTP server
  2. Connect to device and hop into enable mode
  3. Issue the following command:
    archive tar /xtract tftp://<ip of tftp server>/<filename> flash:
    e.g. archive tar /xtract tftp://192.168.0.21/c2960-lanbasek9-tar.150-2.SE1.tar flash:
  4. The device will extract the contents of the tar file to flash: (if you don’t have enough space, you’ll need to delete some files/directories – probably old IOS files)
  5. Once finished, hop into configure mode (conf t), then issue the following command to tell the switch which IOS image to boot:
    boot system flash:/<directory created in step 3>/<IOS image file extracted in step 3>
    e.g. boot system flash:/c2960-lanbasek9-mz.150-2.SE1/c2960-lanbasek9-mz.150-2.SE1.bin
  6. Then hop out of configure mode (end), then issue the reload command and voila!

To renew the trial status of an existing ESXi 5.1 install:

  1. Perform a fresh install of ESXi 5.1 in a virtual machine (choose your poison for hypervisor – I use VirtualBox)
  2. Copy the /etc/vmware/license.cfg and /etc/vmware/vmware.lic files or contents of the files from the fresh install you just performed to the existing ESXi 5.1 host
  3. /sbin/services.sh restart vpxa
  4. Voila!

To renew the trial status of an existing vCenter Server Appliance (VCSA):

  1. Backup DB:
    service vmware-vpxd stop
    mkdir /tmp/bakup
    chown db2inst1: /tmp/bakup
    su - db2inst1
    db2 force applications all
    db2 backup db vcdb to /tmp/bakup
  2. Copy the file locally (winscp from /tmp/bakup)
  3. Remove the VCSA VM and rename the folder to something like VCSA.old
  4. Re-import the appliance from scratch via OVF, sys and data disks
  5. Reduce the vRAM from 8GB to 4GB and start the new VCSA VM
  6. Configure the IP address and time settings
  7. Connect to https://<IP address of VCSA>:5480
  8. Accept the EULA and login (user: root, pass: vmware)
  9. Configure DB
  10. Restore DB
    service vmware-vpxd stop
    mkdir /tmp/bakup
    chown db2inst1: /tmp/bakup
    Copy file to new VCSA (winscp to /tmp/bakup)
    chown db2inst1: /tmp/bakup/VCDB*
    su - db2inst1
    db2 restore db vcdb from /tmp/bakup replace existing
    exit
    service vmware-vpxd start
  11. Connect to new VCSA via vSphere client
  12. Reconnect to each ESXi server by right clicking on each in the VCSA inventory

Disclaimer: I haven’t read the full trial licensing agreement for vSphere 5.1 and don’t condone the use of this information to break that or any licensing agreement… ever… for any reason… nuff said…
