The Tech Blog of a Sysadmin.

Configuring VLT on a Dell S4148T-ON Switch

For those out there looking at replacing their ToR switches, the Dell S4148T-ON is a compelling choice. A quick look through the spec sheet reveals they are eminently capable, and available at a very competative rate when compared with equivalent switches available from Dells competitors.

One Quirk i discovered how ever after aquiring a pair of these switches with an OS10 license, was that stacking had been removed as a feature of the OS. VLT was available in OS9 alongside stacking, but in OS10 the OS requires the use of VLT if you would like to aggregate channel groups between switches in the same fashion as stacking.

There are a few important things to remember when configuring VLT in OS10, and there is plenty of literature and guides out there designed for OS9 that will lead you astray;

- OS10 chooses which VLANs traverse the VLT link between the switches via VLTi, do not add any VLANs to this link

- Ensure the spanning tree protocol used between switches and neighboring switches is identical

- Ensure VLT peers are running identical firmware revisions

- don't attempt to manually configure channel groups then add those to the VLTi link, instead add the physical interfaces


The commands are fairly straight forward once you have your base config down;


-  conf#vlt domain #

(creates domain, must be the same on the matching peer)

-  conf-vlt-# discovery-interface

(where you enter an interface or range of interfaces to be used for VLT)

-  conf-vlt-# backup x.x.x.x

(configure the IP for the backup interface, this is used for heartbeat backup timers and little else so i'd recommend using the management interface)

Now you create the port channel on each switch, and from the port channel menu issue the command;

-  conf-if-po-# vlt-port-channel

(This also has to correspond to the port channel number on the other switch to be part of the correct aggregration group)


I hope this run down proves useful to anyone who is using OS10 on the S series Dell switches and wishes to use VLT over stacking.








Certificate Infrastructure for Hyper-V SSL Secure Replication

In this blog post I will go through the steps necessary to secure your traffic between Hyper-v servers via SSL, so that your replication traffic cannot be interpreted by a third party if intercepted. This is particularly useful where off-site replication is desirable, and can be achieved on a budget where required with your own internal Certificate Services infrastructure. This avoids the cost of purchasing a certificate from a trusted vendor, which can be quite expensive.

For the purpose of this example, we are going to assume that you already have the certificate services role installed on one of your servers with a GUI, and that if you are using Hyper-V server and not server 2012, that you have the Hyper-v management console installed on a management machine and remote management enabled on the hypervisor. There are of course other ways of generating a certificate and trusting it, but most environments will have these tools to hand. The type of certificate that you will require will not be enabled out of the box in certificate services, so our first job is to go and enable this under templates.


To enable this template, from your CA go to;

-   Certificate Services > Right click Templates > Manage > Right click Workstation Authentication > Select Duplicate Template

-   Give the new template a name and add client and server authentication as properties to the application policies template.

-   Change the subject name option to supply in request

-  Spin up an MMC console on the Hyper-v box and make a request


At this point you can go through into Hyper-v Manager and select the transport method for replication to be SSL, and your new certificate should be present in the list of available certificates for this purpose. I hope this has been informative or helpful to someone, feel free to leave me a comment with your thoughts.


Creating a Windows Based Syslog Server Solution

Why Do I Need a Syslog Server?

An effective syslogging solution is not only a handy tool to have in a SysAdmin or Network Engineers arsenal, it is also in many countries a legal requirement. If you live in a country where the protection of private data is regulated, then there is a chance that your company could be in breach of regulatory standards and subject to financial penalties if you can not atleast give evidence of the time and date etc of any incident, so it is good practise to have a syslog server on your network. If in doubt, look up what standards you are expected to adhere to in your vicinity.

Microsoft or the Dark Side...

Which OS solution you choose for syslogging is often a contentious matter, I have found that a windows based system requires less of an investment in time to get going, whilst linux has the more powerful tools such as grep and awk for trawling the syslogs for data. With this in mind, I would choose the best of both worlds, and go with the syslogging software of your choice on a windows server, and SSH in to grep through the files using cygwin.

Choosing a Syslog Server Application

My personal preference is Kiwi, it is very simple to install, it really is a case of clicking next next next, and it will listen on port 514 udp which you will need to point all of your devices at. Kiwi will generate a new file everyday with that days date in the filename, but archiving is a paid for extra. These text files bloat fast in a production environment, so either purchase it or schedule some daily archiving powershell scripts which compress the files by calling on a freeware archiving executable such as 7zip for example. I won't give away exactly how to do this part as kiwi need to pay the bills to, but this should point you in the right direction if purchasing kiwi syslog server really isn't in the budget or this is for a home lab.

Getting SSH Access and Linux Tools

Somebody has already written a great article on getting windows ready for access via the secure shell, which you can find here. You will need an ssh client to dial into the console of the server, i recommend Putty. once in, navigate to the directory of your syslogs and you can grep to your hearts content.

A Tip on grep Syntax For Searching Syslogs

A basic command would be like this ;                                                                              

grep <word or phrase in quotes> <file location.txt>

You can expand on this by piping the output of the first command into a further filter;         

grep <word or phrase in quotes> <file location.txt> | grep <second word or phrase to find in output of first search>

I hope this article has been of use, and check back again soon for more vendor specific device side setup of centralised logging and authentication.

Remote Administration of Hyper-V Server 2012R2

One of the first things you will want to do once you have installed your copy of Hyper-V Server 2012 is to disconnect the monitor and configure the rest from a workstation. This is easier said than done, but by following these few steps you should be up and running in no time. The easiest way to be able to perform the rest of the config from a workstation is to enable remote desktop. There are two steps to getting this working.

Enable RDP Connections to the Server

  •  Firstly, enable remote desktop in sconfig
  •  Run "netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes" to open up the firewall
  •  Use powershell, netsh or sconfig to apply a static IP (sconfig requiring least effort)

You should now be able to dial in. Which steps are required next now depends on whether this deployment is going to be in a domain or workgroup environment.

Enable Remote Management from a Domain Joined Computer;

  • From your windows 8 workstation or server 2012 machine add the Hyper-V Manager tools
  • Make sure the workstation and Server are registered in DNS
  • From Sconfig on the Hyper-V server run the enable remote management option
  • Run winrm quickconfig on the client machine
  • Run the command "netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes" on the client machine to open up remote managment.

Enable Remote Management from a Workgroup Joined Computer;

All the steps above need configuring as well as;

  • Run "winrm set winrm/config/client @{TrustedHosts="SERVER NAME"}" on the client changeing the Server Name to suit, this adds the server to the list of trusted hosts for remote management connections on the workstation.
  • You may need to add host files in place of DNS names as well in this scenario.

Other things I have come across in my time with Hyper-V server include checking the winrm service is running on the server side, and that is that it is entirely possible to use the tools within windows 10, but it is quite a convoluted task in a workgroup test lab environment if you already have access to windows 8 or server 2012. This is because unless you can leverage kerberos, you also need to enable https as the transport method and provide a suitable cert. All of this i intend to cover in a later post, and remember also that it is not possible to connect in remotely from the Hyper-V RSAT tools for windows 7.

I hope this has been helpful to anyone who has stumbled across the article.


Hyper-v Server 2012 - An Introduction

This is a piece of software that rarely seems to be given much air time, so I thought i would blog about some of it's capabilities. Firstly, do not get this confused with windows server 2012 with the hyper-v role installed, but If you're looking for a free of charge hypervisor, capable of integrating with your existing Microsoft infrastructure then this product is well worth a look to see if it fits the bill. With the advent of 2012, Microsoft have been pushing Admins back towards the shell, and if you've been following their latest certification paths then administering this shouldn't be a problem, despite it being cut down to the bare shell. 

I aim to cover getting the remote administration down via RSAT, RDP and Power Shell in a further post, so let's go over some of it's capabilities and possible use cases. Many parallels can be drawn here between it's paid for counterpart - the Hyper-v role on server 2012. Integration with servers with a GUI is possible, as is cluster support.

Other than that, you can expect pretty much anything that can be done from the paid for counterpart to be attainable on this free edition including technologies such as VLAN tagging, NIC teaming, and extended replication. I have some upcoming articles on the latter in the near future including securing your traffic with SSL and the underlying CA infrastructure (if you don't already have it in place) for some off-site replication of key services for small businesses on a budget, so check back soon for more on this. Expect to get down and dirty with some power shell in some of my follow up posts, and kudos to Microsoft for a great piece of software made available to the community.

Dual ISP Failover on a Single Cisco ISR

A while back, a technical acquaintance requested some input on a particular problem that they had with failing over dual ISP's. The solution they had in place was fine back in the day when downtime measured in minutes was acceptable, but in todays world, a manual failover solution just doesn't cut the mustard. At my disposal, I had an ageing Cisco 2811 with an ADSL 1WIC, an ADSL line and a VDSL line (BT Infinity) with an accompanying Huawei modem.

The aim was to achieve a system that was as highly available as possible with the limited equipment to hand, and I set about configuring the networks as shown below;


The ADSL and VDSL were business lines, but only had one static IP each, which posed a problem. I had planned to perform NAT at the firewall so that any changes could be done in a GUI by the local support team, but this would have meant I could not use ICMP echo replys as my reachability tracking method. To get around this you must perform the port address translation on the router rather than the firewall, or get yourself some extra IP's. Tracking interfaces wasn't an option here either, as the external modem used for the VDSL line would have provided us zero visability from the 2811 for the service status.

The actual mechanism by which you fail over in my implementation is by IP SLA. These are a set of configurable options that the routers IOS will log if breached, and in turn are tracked with a track object. The track object in this instance is placed against the default route, and the secondary route would then come into play in the event of the track object returning a "Down" status code. The commands are fairly straight forward, but be aware that later revisions after IOS 12 require different terminology;


ip sla 100
 icmp-echo x.x.x.x source-interface Dialer1 (Where x.x.x.x = Primary ISP next hop)
 timeout 3000
 frequency 3
ip sla schedule 100 life forever start-time now

track 100 rtr 100 reachability

ip route Dialer1 track 100
ip route Dialer2 10


The next problem I came accross was that even if you could fail over the route, the existing NAT translations needed clearing in order for anyone to access the internet again after a failover, which is achieved with the event manager applet, which i configured as shown below;


event manager applet NAT-TRACK
 event track 100 state any
 action 0.1 cli command "enable"
 action 0.2 cli command "event timer countdown time 20"
 action 0.3 cli command "clear ip nat translation force"
 action 0.4 syslog msg "NAT translations cleared after track state change"


To conclude, it is of course possible to achieve better redundancy with more equipment allowing the use of HSRP, VRRP and GLBP, and perhaps even redundancy of inbound services would have been possible with the use of BGP with a pair of ISP's that would have supported it by advertising an owned range from each ISP, but this was never in the budget. The interesting part in this is that a year or so later my acquaintances customer no longer has any perceivable internet downtime, but the syslog messages reveal that there have been outages from time to time and that the fail overs have been seemless. I hope this has been informative for you.




Get instant updates via email

Simply enter your email address to subscribe for updates - 3SysAdmins will never share your details with any third parties.

FeedBurner Subscription