Networking on The IT Hollow

Test Connections from an ESXi Host Using vmkping

Mon, 23 Jun 2014 16:19:10 +0000

If you’ve been in a situation where you need to test connectivity, you’ve probably used the ping command. But what do you do when you’re trying to test connectivity from an ESXi host? Luckily there is a command called vmkping that will allow you to test from the host.

The first thing that you need to do is to SSH into your ESXi host. Turn the SSH Service on from the Configuration –> Security Profile Tab. Then you can use your favorite ssh client and remote into your host.

HP v1910-24G CLI Goody

Tue, 27 May 2014 13:31:03 +0000

theITHollow.com lab suffered an outage to the core switch a few weeks ago (an aging Cisco 3750) and I was looking for a replacement that wouldn’t break the bank. Luckily I found the HP v1910-24G (JE006A) to be more than adequate. One of my main gripes with this switch was that the Command Line Interface was very limited. See for yourself. While the cli out of the box is nice, and I would say necessary, there isn’t a lot that can be done with it. For basic configuration tasks, you’ll be stuck with the Web GUI. But after digging through some HP discussion boards I found out that you can enable the Comware operating system commands.

vCNS Edge SSL VPN

Tue, 13 May 2014 14:00:14 +0000

A secured, remote connection to your data is a requirement for almost all network designs these days. Mobility, telecommuting and late night help desk calls have created an environment that needs to have access to the local network in a secure fashion. vCNS Edge can provide these services to your virtual infrastructure.

In previous posts, I’ve walked through installing vCNS Manager and installing vCNS Edge appliances. These are prerequisites to setting up SSL VPN on the VMware vCloud Network and Security appliance..

vCNS Edge Network Address Translation

Tue, 15 Apr 2014 14:43:12 +0000

VMware vCloud Networking and Security (vCNS) can provide Network Address Translation (NAT) services from the vCNS Edge appliance.

There are two types of NAT that the edge appliance can provide.

Destination NAT (DNAT) is used to provide access to a private IP Address from a (usually) public IP Address for incoming traffic.
Source NAT (SNAT) is used to translate a private IP Address into a (usually) public IP Address for outgoing traffic. This type of NAT can also be called “masquerading”. (It’s a subtle difference that we won’t go into in this post.)

vCNS Edge DHCP

Thu, 10 Apr 2014 13:38:41 +0000

One of the most basic tasks that happens on a network is assigning IP Addresses. Once a VMware vCNS Edge appliance has been deployed, you can now hand out IP address through Dynamic Host Control Protocol (DHCP).

In previous posts, I’ve walked through installing vCNS Manager and installing vCNS Edge appliances. These are prerequisites to setting up DHCP on the VMware vCloud Network and Security appliance.

vCNS Edge DHCP Setup

Log into your vShield Manager and click on the Datacenter. Click the “Network Virtualization” Tab where you’ll find the Edge appliance you’ve already deployed. Go to Actions and click “Manage”.

Deploy vCNS Edge

Mon, 07 Apr 2014 13:32:07 +0000

vCloud Networking and Security has the capabilities to provide edge services inside of your virtual environment. Edge firewalls, network address translation, DHCP, routing are all things that vCNS Edge can do for you. This post goes into the steps necessary to deploy vCNS Edge.

I should mention that vCNS and the previous name vShield may be used interchangeably in this article.

Logical Diagram

The picture below is a diagram of what our environment will look like when we’re done. We have production VMs as you might expect, and our new vCNS Edge VM. We’ve also got our new Edge network and a Shielded VM which will not be connected to the production vSwitch directly.

vShield Endpoint - Trend Micro Deep Security (Part 1)

Mon, 24 Mar 2014 13:03:24 +0000

If you’re a vSphere Administrator and have compliance regulations to deal with, vShield Endpoint might save you a lot of hassle. From my own experience with PCI-DSS, it was important to limit the cardholder data environment scope. The fewer devices that touch credit card data, the fewer items that had to be protected. In the same breath, it was important to have Anti-Virus, malware protection, firewall rules and file integrity monitoring. vShield Endpoint allows for all of these things to be handled in a single package. This post looks specifically at Trend Micro’s Deep Security Product.

vShield Endpoint - Trend Micro Deep Security (Part 2)

Mon, 24 Mar 2014 13:02:02 +0000

In the first post in this series, we deployed the vShield Endpoint host driver and installed the Trend Micro Deep Security Manager on a Windows VM.

Trend Micro Deep Security Appliance Deployment

First, we need to login to the Deep Security Manager which is conveniently accessed as a web page. Go the the DNS name of the Manager that you entered during the setup wizard in part 1 of this series. Log in with the username and password that you specified.

vShield Endpoint - Trend Micro Deep Security (Part 3)

Mon, 24 Mar 2014 13:01:49 +0000

The first parts of this series focused mainly on how to install the Trend Micro Deep Security product and how to prepare your environment. This post shows you a bit more of what can be accomplished with the product.

vShield Endpoint Part 1 vSheidl Endpoint Part 2

Policies

This is the guts of the product. All the configurations you’ve done up to this point have been leading up to a solution that can help secure your environment and possibly make it comply with a regulatory body.

Getting started with vCNS

Mon, 17 Mar 2014 14:07:03 +0000

VMware has a very nice solution for managing network access between virtual machines. In a physical environment, blocking access between servers would require routing network traffic through a firewall. This might mean several vlans, subnets and routes. Luckily now that many infrastructures are virtual we have an alternative. vCloud Networking and Security (vCNS) is a solution that can be used to block traffic between virtual machines.

vCNS can be a bit intimidating so this is a quick, getting started, guide on how you can test it out in your environment.

OPEN VPN for Home Labs

Mon, 10 Feb 2014 14:10:13 +0000

If you’ve got a home lab to play around in, it’s great to have remote access so that you can try things out from the road. This might mean purchasing an expensive firewall or VPN appliance but openvpn has a nice 2 user appliance that can be downloaded as an OVF file, right into your vSphere environment.

Installation

I mentioned that this is an OVF file, so you know the installation is going to be a snap. Download the bits from OpenVPN.net and deploy into your vSphere cluster. I’m not going to go through the entire OVF deployment, I think you’ll find it very simple even if you haven’t done it before.

Internetworking 101 series - Subnets

Mon, 12 Aug 2013 13:34:24 +0000

This is a series of posts designed to help readers understand how the Internet works. This specific post looks directly at how devices know what machines are on their network segment.

In previous posts, we looked at how machines communicate on the same network by utilizing frames, and how machines on different network segments use packets. The next logical question is, “How do machines know if these machines are on the same network or not?” The answer to this question is subnetting.

Internetworking 101 series – Collision Domains

Mon, 05 Aug 2013 13:19:54 +0000

This is a series of posts designed to help readers understand how the Internet works. This specific post looks directly at collision domains.

Ethernet uses a process called “Carrier Sense Multiple Access with Collision Detection” or CSMA/CD for short. This is a very long way of explaining the process of how network adapters can share the same media to communicate. Think about it if you have 10 machines on a network that are all sharing the same wires or devices, how can any of the devices understand anything with all those frames?

Internetworking 101 series - Packets (Network Layer)

Mon, 29 Jul 2013 15:21:22 +0000

This is a series of posts designed to help readers understand how the Internet works. This specific post looks directly at how machines on different network segments communicate.

In my previous post, we looked at how two machines on the same network segment exchange information by using frames. So what happens when two machines on different segments need to communicate?

Encapsulation

Before we get too involved in the discussion, we should take a peak at what an IP packet looks like. IP Packets relate to Ethernet frames much like one nesting doll relates to the rest in the set.

Internetworking 101 series - Frames (Data Link Layer)

Mon, 22 Jul 2013 13:03:21 +0000

This is a series of posts designed to help readers understand how the Internet works. This specific post looks directly at how machines on the same network segment communicate with each other.

We’ll look at the concept of a network segment in a future post, but for now all you need to think about is how two computers communicate on a Local Area Network.

MAC Addresses

Before we discuss how machines on the same LAN segment communicate, we need to understand what Media Access Control (MAC) addresses are. A MAC address is the physical address of a network adapter. These are 48 bit addresses that are expressed as 12 digit hexadecimal notation and are unique to each network adapter. Each manufacturer has an assigned range that they are to use for their first 24 bits, this is known as the Organizationally Unique Identifier (OUI). The second 24 bits are known as the Network Interface Controller (NIC) specific and must be unique within that vendor’s range. Keeping these ID’s unique is imperative for successful LAN communication.

An Overview of [VMware] Virtual Networks

Mon, 24 Jun 2013 13:18:45 +0000

This post was a direct result of a request from one of my readers. I hope that this post will explain VMware networks a bit more and how they fit into a production network.

To begin I’d like to review how a VMware ESXi server might have its virtual switches and port groups setup to connect to a physical switch. Here is a list of networks that we’ll be working with.

HP Virtual Connect Throughput

Wed, 05 Jun 2013 13:54:15 +0000

I want to address a concern that many HP Virtual Connect customers have had about monitoring their Blade Chassis. A question I’ve received was “How do I know if I have sufficient uplinks for my traffic?”

Depending on the size of the organization and their familiarity with their networking equipment, they could be monitoring the available metrics on their switches. If they are not necessarily that network savvy or don’t have the proper monitoring tools in place, they can use the throughput statistics tools within Virtual Connect. These tools only give a simplistic view to the amount of traffic that is going across your uplinks, and doesn’t show the traffic going out each blade but it does get you some great high level information.

Discovery Protocols

Tue, 28 May 2013 14:40:33 +0000

If you find yourself in an unfamiliar network and want to understand how the networks are connected, it would certainly be nice to be able to tell what is connected to each other. Luckily there are a couple of protocols that are responsible for just that.

Cisco Discovery Protocol (CDP)

As you can probably guess from the name, the Cisco Discovery Protocol is a proprietary protocol from Cisco Systems.

Flow Control Explained

Tue, 07 May 2013 13:58:26 +0000

Until recently, I never paid too much attention to flow control. I knew that it was used in networking, and that it was a setting that sometimes needed modified when I would puttyhyperterminal into a device, but that pretty much ended my knowledge of the matter.

As the name suggests, “Flow Control” will limit the amount of data across a network interface. It’s a pretty simple concept but typically we’re not trying to slow down our network, but rather speed it up. Flow control can be used to slow traffic down rather than dropping frames.

How should Network Cables be Labeled?

Thu, 21 Mar 2013 14:40:22 +0000

I’ve recently had to label more network cables than I care to discuss, but found my mind wondering over the best method to label these cables. I’ve come up with three different ways to label networking cables and wanted to get some thoughts from other Engineers about how they go about this.

Method 1: Same label on both sides

This method creates 2 labels that are identical and puts one label on each side of the cable. This give the advantage that if you’re running multiple batches of cables all at once, you can determine exactly which cable you’re working with.

HP Virtual Connect MAC Addresses and WWNs

Mon, 18 Mar 2013 14:32:34 +0000

One of the benefits of using HP Virtual Connect in C-class blade Chassis is the ability to have MAC Addresses and WWNs set on a server bay as opposed to the physical server. I’m sure you’re aware that each device that has a network card has a Media Access Control (MAC) address which is a burned in identifier that makes that NIC unique.

HP decided that it might be nice to control those MAC Addresses in their blade chassis. Before you setup any server profiles, you have the option to choose “Virtual Connect Assigned MAC Addresses”. These are addresses that are assigned to each server bay so that no matter what blade is put into the bay, the MAC addresses will stay the same. You might find this very useful in the case of a failed blade. If you receive a new blade from HP and throw it into the same bay, it will retain all of the same MAC Addresses and thus look the same to your switches.

NAT vs PAT

Tue, 05 Mar 2013 14:12:16 +0000

I often hear Port Address Translation (PAT)referred to as Network Address Translation (NAT). Its a pretty common to hear this and is really not a big deal because the two are similar and I know what is meant. But to clear things up I decided to put together a quick post.

Network Address Translation

NAT is the process of “translating” an IP Address in a router or firewall. This is most commonly done to present a private IP Address into a Public IP Address that is accessible on the Internet. For instance, you may want to have your E-mail server have a public address so that it can route mail.

When to use Cat 6a

Tue, 12 Feb 2013 14:20:15 +0000

Oh Noes! I sense lolcats in this post.

I’ve been seeing Category 6a cable if a few datacenters recently and thought it might be a good idea to review when and why we would use this type of cabling.

Wiring

The Category 6a cabling is wired the same as Category 5e at 1000BaseTX speeds. Note: that you can get away with splitting two sets of pairs off of Cat5e, but this only allows 100BaseT Ethernet.

Jumbo Frames

Tue, 11 Dec 2012 16:00:54 +0000

Jumbo frames can be useful to optimize IP networks, especially in storage networking. This post should help to explain why using jumbo frames can be useful.

I’m not Jumbo, I’m just big boned!

First, let’s define what we mean by the term jumbo frame. As you can imagine it’s bigger than a normal frame.

A Jumbo frame simply means any frame with an MTU larger than 1500 bytes. What exactly does that mean? To really understand that we need to look at an Ethernet frame. The diagram below shows a hastily thrown together Ethernet frame and most of the frame we’re not concerned with for this topic. Parts of the frame are used for determining where the frame is headed, where it came from and to make sure it arrived intact. The section we’re looking at is the “Data” or “Payload” section of the frame.

A Quick Thought on VXLANs

Mon, 03 Sep 2012 11:00:48 +0000

After attending VMworld this year, I decided I needed to try to understand VXLANs a little better. Based off of the basic concept that it stretches a layer two broadcast domain over layer three networks, I was worried that I knew how this was accomplished.

What is VXLAN?

VXLAN stands for Virtual Extensible LAN and is a fairly new method of making the datacenter network elastic. Suppose for example that you want to be able to move your virtual machines from your own server room to a co-location and then to a public cloud depending on what the load was on your environment. In order to do this without causing downtime, you’d need a way for your layer two ethernet frames to continue getting from your clients to your servers even, if a router is in that path.

HP Virtual Connect Networks

Tue, 14 Aug 2012 07:00:46 +0000

I gave an overview of how HP blades are mapped to Virtual Connect Interconnect Modules in my last post. /2012/08/09/hp-virtual-connect-basics This post focus more on understanding the networks created through HP Virtual Connect Manager.

In the last post I described out blade NICs map to the Interconnect Bays in the back of an HP C7000 Chassis using the downlinks. Now let’s talk about how those NICs can get added to a specific Network. HP calls these networks inside of a c7000 chassis “vNets”.

HP Virtual Connect Basics

Fri, 10 Aug 2012 01:00:15 +0000

HP Virtual Connect is a great way to handle network setup for an HP Blade Chassis. When I first started with Virtual Connect it was very confusing for me to understand where everything was, and how the blades connected to the interconnect bays. This really is fairly simple, but might be confusing to anyone that’s new to this technology. Hopefully this post will give newcomers the tools they need to get started.

NLB in vSphere (Unicast or Multicast)?

Tue, 08 May 2012 18:37:56 +0000

Suppose you have multiple virtual machines that you would like to distribute load across that are housed inside of your virtual environment. How do we go about setting up Network Load Balancing so that it will still work with things like DRS and VMotion?

Switch Refresher

In most networks we have switches that listen for MAC addresses and store them in their MAC Address Table for future use. If a switch receives a request and it knows which port the destination MAC address is associated with, it will forward that request out the single port. If a switch doesn’t know which port a MAC Address is associated with, it will basically send that frame out all of it’s ports (known as flooding) so that the destination can hopefully still receive it. This is why we’ve moved away from hubs and moved towards switches. Hubs will flood everything because they don’t keep track of the MAC Addresses. You can see how this extra traffic on the network is unwanted.

Virtual Routing for Bubble Networks

Wed, 18 Apr 2012 14:13:57 +0000

A question often comes up about what to do when you have a segmented virtual network that needs to be able to traverse subnets. This might happen if you’re doing some testing and don’t want the machines to contact the production network, or perhaps doing a test SRM failover and having the virtual machines in their own test network. Virtual machines in subnet (A) might need to contact other virtual machines in subnet (B) but don’t have access to the physical router any longer, so they can’t communicate. To solve this issue, how about we try a virtual router?

How to Broadcast Across Subnets

Sat, 07 Apr 2012 03:26:20 +0000

Many services such as DHCP or TFTP use broadcast packets to find a particular server. In the case of DHCP, a device when connecting to a network will send out a broadcast to find a DHCP server to get an IP address to use. But what if you have multiple subnets on your network? You could have a DHCP server on each of your subnets, but this seems a bit overkill.