The Tech Blog of a Sysadmin.

Configuring VLT on a Dell S4148T-ON Switch

For those out there looking at replacing their ToR switches, the Dell S4148T-ON is a compelling choice. A quick look through the spec sheet reveals they are eminently capable, and available at a very competative rate when compared with equivalent switches available from Dells competitors.

One Quirk i discovered how ever after aquiring a pair of these switches with an OS10 license, was that stacking had been removed as a feature of the OS. VLT was available in OS9 alongside stacking, but in OS10 the OS requires the use of VLT if you would like to aggregate channel groups between switches in the same fashion as stacking.

There are a few important things to remember when configuring VLT in OS10, and there is plenty of literature and guides out there designed for OS9 that will lead you astray;

- OS10 chooses which VLANs traverse the VLT link between the switches via VLTi, do not add any VLANs to this link

- Ensure the spanning tree protocol used between switches and neighboring switches is identical

- Ensure VLT peers are running identical firmware revisions

- don't attempt to manually configure channel groups then add those to the VLTi link, instead add the physical interfaces


The commands are fairly straight forward once you have your base config down;


-  conf#vlt domain #

(creates domain, must be the same on the matching peer)

-  conf-vlt-# discovery-interface

(where you enter an interface or range of interfaces to be used for VLT)

-  conf-vlt-# backup x.x.x.x

(configure the IP for the backup interface, this is used for heartbeat backup timers and little else so i'd recommend using the management interface)

Now you create the port channel on each switch, and from the port channel menu issue the command;

-  conf-if-po-# vlt-port-channel

(This also has to correspond to the port channel number on the other switch to be part of the correct aggregration group)


I hope this run down proves useful to anyone who is using OS10 on the S series Dell switches and wishes to use VLT over stacking.








Creating a Windows Based Syslog Server Solution

Why Do I Need a Syslog Server?

An effective syslogging solution is not only a handy tool to have in a SysAdmin or Network Engineers arsenal, it is also in many countries a legal requirement. If you live in a country where the protection of private data is regulated, then there is a chance that your company could be in breach of regulatory standards and subject to financial penalties if you can not atleast give evidence of the time and date etc of any incident, so it is good practise to have a syslog server on your network. If in doubt, look up what standards you are expected to adhere to in your vicinity.

Microsoft or the Dark Side...

Which OS solution you choose for syslogging is often a contentious matter, I have found that a windows based system requires less of an investment in time to get going, whilst linux has the more powerful tools such as grep and awk for trawling the syslogs for data. With this in mind, I would choose the best of both worlds, and go with the syslogging software of your choice on a windows server, and SSH in to grep through the files using cygwin.

Choosing a Syslog Server Application

My personal preference is Kiwi, it is very simple to install, it really is a case of clicking next next next, and it will listen on port 514 udp which you will need to point all of your devices at. Kiwi will generate a new file everyday with that days date in the filename, but archiving is a paid for extra. These text files bloat fast in a production environment, so either purchase it or schedule some daily archiving powershell scripts which compress the files by calling on a freeware archiving executable such as 7zip for example. I won't give away exactly how to do this part as kiwi need to pay the bills to, but this should point you in the right direction if purchasing kiwi syslog server really isn't in the budget or this is for a home lab.

Getting SSH Access and Linux Tools

Somebody has already written a great article on getting windows ready for access via the secure shell, which you can find here. You will need an ssh client to dial into the console of the server, i recommend Putty. once in, navigate to the directory of your syslogs and you can grep to your hearts content.

A Tip on grep Syntax For Searching Syslogs

A basic command would be like this ;                                                                              

grep <word or phrase in quotes> <file location.txt>

You can expand on this by piping the output of the first command into a further filter;         

grep <word or phrase in quotes> <file location.txt> | grep <second word or phrase to find in output of first search>

I hope this article has been of use, and check back again soon for more vendor specific device side setup of centralised logging and authentication.

Dual ISP Failover on a Single Cisco ISR

A while back, a technical acquaintance requested some input on a particular problem that they had with failing over dual ISP's. The solution they had in place was fine back in the day when downtime measured in minutes was acceptable, but in todays world, a manual failover solution just doesn't cut the mustard. At my disposal, I had an ageing Cisco 2811 with an ADSL 1WIC, an ADSL line and a VDSL line (BT Infinity) with an accompanying Huawei modem.

The aim was to achieve a system that was as highly available as possible with the limited equipment to hand, and I set about configuring the networks as shown below;


The ADSL and VDSL were business lines, but only had one static IP each, which posed a problem. I had planned to perform NAT at the firewall so that any changes could be done in a GUI by the local support team, but this would have meant I could not use ICMP echo replys as my reachability tracking method. To get around this you must perform the port address translation on the router rather than the firewall, or get yourself some extra IP's. Tracking interfaces wasn't an option here either, as the external modem used for the VDSL line would have provided us zero visability from the 2811 for the service status.

The actual mechanism by which you fail over in my implementation is by IP SLA. These are a set of configurable options that the routers IOS will log if breached, and in turn are tracked with a track object. The track object in this instance is placed against the default route, and the secondary route would then come into play in the event of the track object returning a "Down" status code. The commands are fairly straight forward, but be aware that later revisions after IOS 12 require different terminology;


ip sla 100
 icmp-echo x.x.x.x source-interface Dialer1 (Where x.x.x.x = Primary ISP next hop)
 timeout 3000
 frequency 3
ip sla schedule 100 life forever start-time now

track 100 rtr 100 reachability

ip route Dialer1 track 100
ip route Dialer2 10


The next problem I came accross was that even if you could fail over the route, the existing NAT translations needed clearing in order for anyone to access the internet again after a failover, which is achieved with the event manager applet, which i configured as shown below;


event manager applet NAT-TRACK
 event track 100 state any
 action 0.1 cli command "enable"
 action 0.2 cli command "event timer countdown time 20"
 action 0.3 cli command "clear ip nat translation force"
 action 0.4 syslog msg "NAT translations cleared after track state change"


To conclude, it is of course possible to achieve better redundancy with more equipment allowing the use of HSRP, VRRP and GLBP, and perhaps even redundancy of inbound services would have been possible with the use of BGP with a pair of ISP's that would have supported it by advertising an owned range from each ISP, but this was never in the budget. The interesting part in this is that a year or so later my acquaintances customer no longer has any perceivable internet downtime, but the syslog messages reveal that there have been outages from time to time and that the fail overs have been seemless. I hope this has been informative for you.




Get instant updates via email

Simply enter your email address to subscribe for updates - 3SysAdmins will never share your details with any third parties.

FeedBurner Subscription