I recently found a feature that allows you to quickly migrate the management network from a Distributed Virtual Switch (dvSwitch) to a vStandard Switch (vSwitch). It’s really simple actually. Just log on to a host physically or via iLO, not through the vSphere Client, and select “Restore Standard Switch”.
I’ve been running a vSphere lab of my own since ESX 2.x. Over the years, I’ve used both local and NAS based storage with varying degrees of satisfaction with the results. In the case of NAS storage, which is required since I can’t afford a SAN, I looked at Synology devices over the last year trying to gain the motivation to make the investment.
Needless to say, I dove in with both feet, and maxed out a Synology DS1511+ with 3TB drives. I purchased my Synology DS1511+ from SimplyNas with the drives included, including their burn-in testing, and I haven’t looked back. The device has been up and running since October 2011.
I check my site logs pretty often to find out how people are arriving at this blog and have seen an increase in traffic that points to an exchange I had with a visitor about Vyatta blocking email attachment downloads. I wanted to post this quick entry so that people looking for a quick fix could get to this without running through the complete conversation on the other post: http://d3planet.com/rtfb/2009/11/02/vyatta-firewall-basics-and-configuration/
Here’s the quick and dirty solution:
Problem: Vyatta is blocking download of email attachments. This solution only applies if your implementation is using the web proxy and squidguard URL filtering.
Solution: Use the following command to get Vyatta to allow IP addresses to be called directly.
set service webproxy url-filtering squidguard allow-ipaddr-url
set service webproxy url-filtering squidguard rule XX allow-ipaddr-url
Keep reading for more info on the issue…
Vyatta is a powerful enterprise class software router that has some really incredible features. It has a CLI (command line interface) as well as a web interface. I’ve gotten a few requests about configuring it as a front system but until now have only really worked with Vyatta as a pure routing appliance internal to my network. It has been my traffic cop between my lab subnet, user subnet, and server subnet but now I’ll try to configure it as a front end based on an exchange I had on another thread.
This should be able to give you some examples with getting started using Vyatta as a front firewall.
If you don’t have the software, you can download a free version, called Vyatta Core, from Vyatta’s website. You have to register, but don’t worry, they won’t spam you and they have extensive documentation on the product that you can pull down after registering. It’s an excellent resource to learn and practice your routing skills, especially since you can stand up the product on random hardware or in a virtual machine. Vyatta even has downloads specific to VMware implementations. Check it out and come back if you’re interested in seeing this post through. http://www.vyatta.com.
And now for the good part.
This applies to virtual switches that have already been created.
I was trying to do this earlier this evening and found a few articles that talked about various methods to enable jumbo frame support on a vSwitch. After reading some of the ‘hacks’ that are being used, I decided to dig into PowerCLI. Amazingly enough, the solution is so simple that maybe it’ll get some of the people working with vSphere to move further into PowerCLI. Here’s the 30 second or less solution to the issue. As I wrote above, this applies to a vSwitch that’s already been created, but you can also create a vSwitch with all the specifications you need from PowerCLI using the New-VirtualSwitch cmdlet.
> $vs = Get-VirtualSwitch -Name vSwitchX
> Set-VirtualSwitch -VirtualSwitch $vs -Mtu 9000
> Get-VirtualSwitch -Name vSwitchX
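The three commands above set and read back the MTU on one host. The script below is an added example (not from the original post) that applies the same change across every host in the inventory and then verifies that each VMkernel port on the switch agrees with it, since a vSwitch at 9000 with a VMkernel port still at 1500 is the usual reason jumbo frames "don't work". It assumes the VMware.PowerCLI module is loaded and Connect-VIServer has already been run; the switch name vSwitchX comes from the post, $TargetMtu is a chosen value.

```powershell
# Added example, not from the original post. Assumes VMware.PowerCLI is loaded and
# Connect-VIServer has already been run against the vCenter or host.
$SwitchName = 'vSwitchX'   # name used in the post
$TargetMtu  = 9000         # chosen jumbo frame size

foreach ($vmhost in Get-VMHost) {
    # Standard switches only; a dvSwitch carries its MTU at the distributed switch level.
    $vs = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -Standard -ErrorAction SilentlyContinue
    if (-not $vs) { continue }

    if ($vs.Mtu -ne $TargetMtu) {
        # Same call as in the post, run per host and without the confirmation prompt.
        Set-VirtualSwitch -VirtualSwitch $vs -Mtu $TargetMtu -Confirm:$false | Out-Null
    }

    # The vSwitch MTU is only the upper bound: every VMkernel port on it must match,
    # otherwise vMotion or IP storage traffic on that port is still sent at 1500.
    $vmks = Get-VMHostNetworkAdapter -VMHost $vmhost -VirtualSwitch $vs -VMKernel
    foreach ($vmk in $vmks) {
        [pscustomobject]@{
            Host   = $vmhost.Name
            Switch = $vs.Name
            Port   = $vmk.Name
            Mtu    = $vmk.Mtu
            Status = if ($vmk.Mtu -eq $TargetMtu) { 'ok' } else { 'MISMATCH' }
        }
    }
}
```

Any row reporting MISMATCH can be fixed with Set-VMHostNetworkAdapter -VirtualNic $vmk -Mtu 9000; the physical switch ports and the storage target must of course be configured for the same size.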
If you’re not familiar with PowerShell, get familiar with it. 🙂 It’s an excellent, extensible product, and many IT products are moving toward a PowerShell interface because of its ease of use.
For a post that is a little more advanced, try this one: Create a Router With Front Firewall Using Vyatta on VMware Workstation.
Otherwise… read on. 🙂
A few weeks ago, I installed Vyatta Open Source as a router internal to my network to see how it handled traffic between multiple subnets. To put it plainly, it worked like a champ! I put the router in place, assigned IP addresses to the NICs (network interface cards), and let the system do its thing. It now connects traffic between my physical network, my production virtual network, and my virtual lab running on ESX 3.5. I can easily manage most firewalls and routers that have a GUI but Vyatta presented a new challenge to me. In the case of this system, for some tasks it’s a lot easier to use the command line interface (CLI).
So without further ado, here’s the basics of Vyatta’s firewall.
Windows 7 and Windows Vista both have issues interacting with the Buffalo TeraStation and similar Buffalo products. This is due to updated NTLM security settings in both Windows 7 and Vista. Without the patch, the symptom is repeated prompts to log in / authenticate to the NAS.
Buffalo has released a registry patch that allows Windows 7 and Vista to connect to their Terastation NAS products, by lowering the security level to Windows XP compatible NTLM security. This is a downgrade, but I have thus far had no problem with it. Check out the readme below that’s included in the download:
This registry patch file enables Windows(R) Vista(TM) PCs to
work with Buffalo NAS products. This patch is installed
directly onto Windows Vista PCs.
WARNING: This file is only for use on Vista PCs, it is NOT
required or supported on any other operating system.
This patch is only required when using one of the following
Buffalo NAS products:
– LinkStation (HD-HLAN)
– Gigabit LinkStation (HG-HGLAN)
– LinkStation Home Server (HS-DGL)
– TeraStation (HD-DTGL/R5)
– TeraStation Home Server (HS-DTGL/R5)
– TeraStation Pro (TS-TGL/R5)
1) Double click on the Buffalo_NAS_Vista_Support.reg file
2) Press the ‘Yes’ button when prompted.
3) Press the ‘OK’ button to exit the patch file.
4) Restart your Vista computer.
Applying this patch lowers the NTLM authentication
level to be compatible with some of Buffalo’s NAS products.
This NTLM authentication level is equivalent to the level
used in Windows XP.
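The readme says the patch lowers the NTLM authentication level but does not show what it writes. As an added check (not part of the readme or the original post), the script below reads the Windows LSA value LmCompatibilityLevel that governs that level and reports whether the client is below the Vista/7 default, which is the downgrade the readme describes. It assumes Windows PowerShell run on the patched client; the level meanings are the documented Windows ones.

```powershell
# Added example, not from the Buffalo readme or the original post. Assumes Windows
# PowerShell on the client that had the patch applied. Reads the LSA value that
# controls which LM/NTLM responses the client sends.
function Get-NtlmCompatibilityLevel {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    # When the value is absent, Vista and later behave as level 3 (send NTLMv2 only).
    if ($null -eq $item) { return 3 }
    return [int]$item.LmCompatibilityLevel
}

# Documented meanings of the LmCompatibilityLevel values.
$meaning = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 only, refuse LM'
    5 = 'Send NTLMv2 only, refuse LM and NTLM'
}

$level = Get-NtlmCompatibilityLevel
[pscustomobject]@{
    Level      = $level
    Meaning    = $meaning[$level]
    # Below 3 the client will still answer with LM or NTLMv1 when a server asks,
    # which is exactly what the patch relies on to talk to the older NAS firmware.
    Downgraded = ($level -lt 3)
}
```

If Downgraded is true on a machine that no longer needs the NAS, removing the patch's change (or setting the value back to 3) restores the Vista/7 default.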
I’ve been running multiple subnets in my lab, and have been dealing with the pain of having to VPN into each separate subnet when I need to make a change, test something, or deploy something. It’s been a learning experience and I’ve configured both OpenVPN and ISA Server 2006 VPNs and successfully bounced around the various networks as necessary, but it’s been a real pain to have to VPN into one network, grab files, and then VPN into a different network to test and deploy those files, as an example. So I began a hunt for an open source router that would give me more control than Untangle, which is an excellent open source routing and firewall tool. Simply put, I wanted finer grained control than Untangle is designed to supply. As an example, I wanted to be able to filter network traffic based on MAC addresses instead of IP addresses.
In my search, I came across Vyatta, which is an open source networking package that likes to compare itself to Cisco in functionality and control. I decided to check out their site and found that they offer a free ‘Community Edition’. I looked at the features of the community edition, then checked the VMware Appliances site and found that Vyatta has a pre-built VMware appliance. NICE! I filled out a short registration form, downloaded the appliance and all the documentation, which is thick to say the least, and fired up the appliance in VMware Workstation.
A few years ago, I wanted to try out a free network and system monitoring package, so I decided to download and try to set up Nagios. Since I’m no Linux guru, though working with Linux has started to change that lately, it took me quite a while to get Nagios set up and configured. After doing so, I finally realized that I had to manually edit text files on the Linux system to configure host monitoring. What a monumental pain! I learned to use vi, then realized that nano is much easier to use, but still, it took over an hour for me to figure out how to set up monitoring of a single host. As I’ve been running VMware virtualization for years now, setting up and tearing down servers is almost part of my daily life. Configuring monitoring of these servers immediately became a burden I wasn’t willing to undertake.
Then I discovered Groundwork Open Source (GWOS). What a cool package! Not to mention, they have a virtual appliance already setup and configured for free (the community edition).
Host Headers are the answer!
YES! IIS can manage multiple web sites on the same port (typically port 80) without any extraneous configuration. This can even be done with MOSS and WSS implementations.
I’ve always considered it to be common knowledge that ‘host headers’ could be used to allow IIS to handle multiple web sites on the same IP and port. Lately I’m finding out that some very smart people are completely unaware of this fact, so I decided to blog about it.
Configuring it for basic site usage:
– Open IIS (Start > Run > inetmgr).
– Expand the <server> node, and expand the Web Sites node.
– Right-Click on the web site that you want to edit and choose Properties.
– On the Web Site tab in the Web site identification area, click on Advanced.
– The top area titled ‘Multiple identities for this Web site’ will allow you to add host headers, modify IP address usage within IIS, and modify the non-SSL ports.
The host header value will cause IIS to route requests that are directed to the specific host header to that specific web site.
You can and should use this to facilitate development and production deployments within IIS. If host headers are not used, then the only other way to assign multiple sites using the same port (80) to a single web server is to assign multiple IP addresses. There is no reason to do that. A single IP address can be used to route your sites and to state once more, this can be used with MOSS and WSS web applications.
For MOSS deployments, when creating a web application you can assign a host header and MOSS will configure IIS accordingly. If your web applications are already created and you want to host them on a new port (80) using host headers, you should be able to make the changes directly within IIS to manage this. Make sure you leave the original entries in IIS so that no URLs break, but you should now be able to route through IIS on port 80 to your web application. Please post any environment specific questions and I’ll answer as I can.
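The same port 80 host header bindings described above, scripted rather than clicked, as an added example that is not from the original post. It assumes IIS 7 or later with the WebAdministration module (the GUI steps above are the IIS 6 manager; the binding concept is identical), and that the two sites already exist. Site and host names are constructed for illustration. The second half is the check a practitioner wants after adding host headers: any site still bound to port 80 with an empty host header is a catch-all that answers every request whose Host header matches nothing else, including requests sent to the bare IP address.

```powershell
# Added example, not from the original post. Assumes IIS 7+ with the WebAdministration
# module and that the named sites already exist. Names below are constructed.
Import-Module WebAdministration

$bindings = @(
    @{ Site = 'IntranetProd'; HostHeader = 'intranet.corp.example'     }
    @{ Site = 'IntranetDev';  HostHeader = 'intranet-dev.corp.example' }
)

foreach ($b in $bindings) {
    # Skip if an identical binding is already present; New-WebBinding would otherwise fail.
    $existing = Get-WebBinding -Name $b.Site -Protocol http -Port 80 -HostHeader $b.HostHeader
    if (-not $existing) {
        # Same IP (*) and same port (80) for both sites; only the host header differs,
        # which is what lets IIS route each request to the right site.
        New-WebBinding -Name $b.Site -Protocol http -IPAddress '*' -Port 80 -HostHeader $b.HostHeader
    }
}

# Check: list every HTTP binding on port 80 that has no host header. Binding information
# is "<ip>:<port>:<hostheader>", so a catch-all binding ends in ":80:".
foreach ($site in Get-Website) {
    foreach ($bind in $site.Bindings.Collection) {
        if ($bind.protocol -eq 'http' -and $bind.bindingInformation -like '*:80:') {
            [pscustomobject]@{
                Site    = $site.Name
                Binding = $bind.bindingInformation
                Note    = 'catch-all on port 80 (no host header)'
            }
        }
    }
}
```

Leave exactly one intentional catch-all (or none) on port 80; a development site accidentally left as the catch-all is what ends up answering requests sent to the server's IP.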
Hope this helps some people out.
And please note, this does not apply for SSL (HTTPS) sites. SSL does not support multiple sites on the same port and IP address due to the way encryption and certificates are managed.