Author Archives: Brian Landers

VCAP-DCA or Bust!

Posted on by
8

Who Needs Sleep?

Because I clearly don’t ever want to sleep again, I’ve decided to attack the goal of becoming a VCAP-DCA (VMware Certified Advanced Professional – Data Center Administration).  I’ll be documenting my progress, along with my study notes and whatever tips I come across.

VCP

A prerequisite for the VCAP-DCA certification is first becoming a VCP on vSphere 4.  This requires taking an official VMware training course and passing a standard question/answer-based exam administered by Pearson VUE.  Since I do a fair amount of VMware work at $DAYJOB, I’m reasonably far along in my preparation already and just need to fill in the gaps.  The study material I’ll be using includes:

  • VMware vSphere: Fast Track [V4] course.  Already attended earlier this year via online classroom. Will be reviewing the class slides and my own notes.
  • Mastering VMware vSphere 4 by Scott Lowe.  While not an official certification guide, this book is very well-written and covers all of the major topics on the VCP4 blueprint.
  • VCP VMware Certified Professional on vSphere 4 Study Guide from Sybex.  Written specifically to cover the exam blueprint, and not (IMHO) as good as Scott’s book, but it never hurts to have a second source.
  • Configuration Maximums for VMware vSphere 4.1 (PDF) and ESX/vCenter Server Installation Guide (PDF)- there’s some debate about whether the current VCP exam covers details unique to 4.1, so it’s best not to take chances.  It’s all information that’s good to know eventually, anyway.
    • Note: VMware has stated on the forums that they are not testing new features from 4.1 (e.g. NIOC and SIOC), but they haven’t come out and explicitly said they’re not updating things like min/max and hardware requirements. They do explicitly say several times “when preparing, use the docs for the latest version.”

VCAP-DCA

This is a 3-4 hour “practical” exam similar in spirit to the CCIE lab, consisting of 40 “live lab activities” (each with multiple tasks) and a brief pre-exam survey.  The blueprint is extensive and covers just about anything you’d ever be expected to do in a VMware environment in the real world.

In terms of preparation materials, everything from the above VCP list along with documentation, documentation, and more documentation.  Kendrick Coleman has put together an extensive list of links to both VMware and 3rd party materials covering each section of the blueprint.  It’s now my browser home page.

The Home Lab

The most important step to becoming a VCAP-DCA is to have extensive hands-on experience with the blueprint topics.  For that, you need a lab environment.  Fortunately, ESX and ESXi run quite nicely on inexpensive “white box” hardware, and can themselves be virtualized.  This allows a quite large lab environment for not a lot of investment.  My lab is based heavily on the BabyDragon from Phillip Jaenke and the vTARDIS from Simon Gallagher.

Server #1

  • Supermicro X8SIL-F motherboard
  • Intel Xeon X3450 Retail (2.53GHz, 4 Cores, 8 Threads)
  • Kingston 12gb (3x4gb) DDR3 1066 ECC Registered memory
  • WD SiliconEdge Blue 128gb SSD
  • WD VelociRaptor 300gb 10,000rpm HD
  • Lian-Li V352A MicroATX case
  • Seasonic X Series 400W power supply
  • VMware ESX 4.1

Update: I ended up getting two of the above servers. Rough cost from NewEgg was about $1,300 each (I already had the VelociRaptors from another project). Could probably have done a little better by shopping around, but with shipping it probably averages out.

    Server #2 / Workstation

    • Apple iMac 27″
    • Intel Core i7 (2.8ghz, 4 cores, 8 Threads)
    • 16gb RAM
    • WD VelociRaptor 300gb 10,000rpm HD (via Firewire 800)
    • VMware Fusion 3.0

    Storage

    • Iomega (EMC) IX4-200d NAS, 4 x 1TB RAID 5
    • EMC Celerra “Uber VSA” virtual NAS, 100gb allocated
    • Netapp Simulate ONTAP 8.0 7-Mode virtual filer

    Some of the above is still with my friends at UPS on its way from Newegg, so I can’t start playing quite yet. At the moment I’m working on setting up the Celerra VSA and Netapp sim, along with building a Windows 2008 R2 domain controller VM.

    More to come!

    Cisco ACE: SSL Offload

    Posted on by
    3

    SSL offload (or SSL termination) is when your load balancer handles SSL connections from clients and then hands off unencrypted connections to the backend servers. This lessens the CPU load on the servers and can dramatically increase application performance, since the load balancer frequently has dedicated hardware to handle the encryption/decryption of traffic.

    These are the basic steps to configure SSL offload on the Cisco ACE. This assumes you already have an existing HTTP load balancer configuration. See my Basic Load Balancing post for details.

    (option one) Import an existing SSL certificate and private RSA key. 

    crypto import tftp 192.168.1.100 mykey.pem mykey.pem
crypto import tftp 192.168.1.100 mycert.pem mycert.pem

    (option two) Generate a new SSL certificate signing request (CSR) and key.

    ! should NOT be marked "non-exportable" if you're running an HA pair
crypto generate key 2048 mykey.pem

crypto csr-params MY_PARAMS
  common-name myservice.example.com
  country US
  state Georgia
  locality Atlanta
  organization-name My Company
  organization-unit IT Operations

crypto generate csr MY_PARAMS mycsr.pem

    Once you receive the signed certificate from your CA, you’ll need to import it.

    crypto import sftp 1.1.1.1 mysftpuser /home/user/cert.pem mycert.pem
  OR
crypto import terminal mycert.pem

    Create the SSL Proxy service

    ssl-proxy service MY_SSL_OFFLOAD
  key mykey.pem
  cert mycert.pem
!

    Create a VIP to handle HTTPS traffic

    class-map match-all HTTPS_VIP
  2 match virtual-address 10.210.7.10 tcp eq https
!

    Update your load balancing policy map to apply the SSL service to the new VIP

    policy-map multi-match VIPs
  class HTTPS_VIP
    ssl-proxy MY_SSL_OFFLOAD
    sticky-serverfarm HTTP_FARM
!

    CCIE Security — DMVPN Phase 1

    Posted on by
    Reply

    Notes

    • Tunnel network: 172.16.1.0 / 24
    • NBMA network: 8.7.6.0 / 24
    • No spoke-to-spoke tunnels in DMVPN Phase 1

    Hub

    crypto isakmp key 0 cisco address 8.7.6.0 255.255.255.0
!
crypto isakmp policy 100
  encryption aes 256
  hash sha
  authentication pre-share
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
  mode transport
!
crypto ipsec profile DMVPN
  set transform-set AES256_SHA
!
interface serial0/0
  ip address 8.7.6.100 255.255.255.0
!
interface Tunnel100
  ip address 172.16.1.100 255.255.255.0
  ip nhrp map multicast dynamic
  ip nhrp network-id 1
  tunnel source Serial0/0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel protection ipsec profile DMVPN
  no ip split-horizon eigrp 100
  no ip next-hop-self eigrp 100
!
router eigrp 100
  network 172.16.1.100 0.0.0.0
  no auto-summary
!

    Spoke

    crypto isakmp key 0 cisco address 8.7.6.1
!
crypto isakmp policy 100
  encryption aes 256
  hash sha
  authentication pre-share
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
  mode transport
!
crypto ipsec profile DMVPN
  set transform-set AES256_SHA
!
interface Serial0/0
  ip address 8.7.6.50 255.255.255.0
!
interface Tunnel100
  ip address 172.16.1.50 255.255.255.0
  ip nhrp map multicast 8.7.6.100
  ip nhrp map 172.16.1.100 8.7.6.100
  ip nhrp server 172.16.1.100
  ip nhrp network-id 1
  tunnel source Serial0/0
  tunnel destination 8.7.6.100
  tunnel key 1
  tunnel protection ipsec profile DMVPN
!
router eigrp 100
  network 172.16.1.50 0.0.0.0
  no auto-summary
!

    CCIE Security Notes — EzVPN with Radius

    Posted on by
    Reply
    • Group attributes:
      • [006] Service-Type = Outbound
      • [064] Tunnel-Type (1) = ESP
      • [069] Tunnel-Password = my_group_key
    • Need to create an ACS user “GROUP_NAME” with password “cisco” in addition to actual users. Both should be in the group in which you set the above attributes.
    • AV-Pairs for EzVPN: 
      ipsec:tunnel-type=ESP
ipsec:key-exchange=IKE
ipsec:inacl=MY_SPLIT_ACL
ipsec:save-password=1
ipsec:addr-pool=MY_POOL

    IOS EzVPN Client with VTI

    Posted on by
    Reply 
    crypto ipsec client ezvpn EZCLIENT
 connect manual
 group REMOTE key cisco
 mode client
 peer 1.2.3.4
 virtual-interface 2
 username cisco password cisco
 xauth userid mode local
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
!
interface Fast0/1
  crypto ipsec client ezvpn EZCLIENT outside
!
interface Fast0/0
  crypto ipsec client ezvpn EZCLIENT inside
!

    IOS EzVPN Server with RSA Certificates and VTI

    Posted on by
    Reply
    • EzVPN clients will get addresses on the 2.0.0.0/24 network
    • EzVPN clients will have access to only the 3.0.0.0/24 network
    • The server will accept clients with certificates from the CA on host 1.2.3.4
    • The server will allow users with OU=EZVPN
    aaa new-model
aaa authentication login EZ_AUTHEN local
aaa authorization network EZ_AUTHOR local
!
username cisco password cisco1234
!
clock timezone GMT 0
ntp server 1.2.3.4
!
crypto pki trustpoint CA
  enrollment url http://1.2.3.4
  subject-name ROUTER.example.com
  revocation-check none
!
crypto pki authenticate CA
crypto pki enroll CA
!
crypto isakmp policy 1
  encryption 3DES
  hash SHA
  authentication rsa-sig
  group 2
!
crypto isakmp identity dn
!
ip local pool EZ_POOL 2.0.0.1 2.0.0.254
!
ip access-list extended EZ_ROUTES
  permit 3.0.0.0 0.0.0.255
!
crypto isakmp client configuration group EZVPN
  pool EZ_POOL
  acl EZ_ROUTES
!
crypto isakmp profile EZ_PROFILE
  match identity group EZVPN
  client authentication list EZ_AUTHEN
  isakmp authorization list EZ_AUTHOR
  client configuration address respond
  virtual-template 1
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EZ_IPSEC_PROFILE
  set transform-set 3DES_SHA
  set isakmp-profile EZ_PROFILE
!
interface Virtual-Template 1 type tunnel
  ip unnumbered FastEthernet0/1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile EZ_IPSEC_PROFILE
!

    IOS 12.4T: Management-Plane Protection

    Posted on by
    2

    While working through a CCIE Security practice lab, I came across a task that read (in essence): “Only allow SSH and SNMP access to the router through interface Gig0/1.  Do not use an interface or VTY ACL to accomplish this.”   A search through the IOS configuration guides and command references was unhelpful, including the last-resort tactic of “go to the Master Index and use Ctrl-F to search for likely keywords.”  Finally, I resorted to asking on GroupStudy.  Within minutes, the answer came back:  use management-plane protection.  What on earth is that?  To quote Cisco:

    The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.

    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html

    This feature was added in 12.4(6)T but only seems to be documented under Feature Guides, not in the main IOS command reference or configuration guides.  Gee, thanks Cisco!

    A configuration example (based on the practice lab task above):

    control-plane host
  management-interface GigabitEthernet0/1 allow ssh snmp
end

    When this configuration is applied to the router (assuming SSH has been previously configured), remote SSH and SNMP connections to the router will only be accepted when entering through Gi0/1.  This is based on the interface, not on the IP address.  SSH and SNMP connections to Gi0/1′s IP address entering through other interfaces will fail.  In addition, other management traffic (telnet, etc.) entering through Gi0/1 will also fail.  The complete list of what IOS considers management traffic is:

    • SSH v1 and v2
    • telnet
    • HTTP / HTTPS
    • FTP
    • SNMP (all version)
    • TFTP
    • BEEP (Blocks Extensible Exchange Protocol)

    Note that other traffic destined for the router (such as routing protocols and ARP) are not affected, nor is traffic routed through the management interface.  This is different from the management-interface functionality on an ASA, where the designated port can only be used for management traffic.

    In summary, it is quite annoying that Cisco doesn’t seem to have actually documented this feature properly, since it has the potential to be a very useful tool in the network administrator’s toolbox.  Depending on the network design, enabling MPP makes it less likely that a management protocol becomes accessible on an interface connected to a hostile network, while simplifying interface ACLs needed to properly secure the device.