NETWORKING - VIRTUALIZATION

Windows 10 legacy BIOS boot change to UEFI - without OS reinstall

If you are, like me, using Win10 with the legacy BIOS boot option and would like to start playing with the newest Windows 11 version, the first problem will probably be the TPM (Trusted Platform Module) chip... which can easily be added to a VM - but only if the VM runs UEFI boot firmware. Switching the firmware type without preparing the existing disk first can go wrong and leave you with a non-bootable machine.

Summary - it can be done without an OS reinstall, and here are the steps that worked for me:

- of course, some kind of backup/snapshot should be in place, just in case ;)

- run "Get-Disk" in an elevated PowerShell; the output should show Partition style MBR for the system disk;

- before the actual conversion, run a validation with "MBR2GPT.exe /validate /allowFullOS" - the "/allowFullOS" switch is required because you run it from inside the running VM instead of from WinPE. Validation fails, for example, if the disk has more than three primary partitions, contains extended/logical partitions, or cannot free space for the new EFI system partition; the reason is written to %WINDIR%\setupact.log;

- after successful validation, the actual conversion is done with "MBR2GPT.exe /convert /allowFullOS";

- shut down the VM after the conversion is done and change the boot option to UEFI - Fusion example below:

VMware Fusion change VM UEFI settings

- after the change and powering the VM up, "Get-Disk" should show GPT as the Partition style, like this:

Disk Partition style as GPT

- at the end you can easily add the new device - the TPM module - to the VM, again with the Win10 guest shut down :)
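The whole procedure above as one script, as an added example that is not part of the original post. It assumes a single-disk VM where disk 0 is the Windows system disk, an elevated PowerShell session inside the running guest and a snapshot taken beforehand; the Test-UefiState function at the end is meant to be run after the firmware switch and the vTPM addition.

```powershell
# Added example, not from the original post. Assumptions: disk 0 is the
# Windows system disk, this runs in an elevated PowerShell inside the Win10
# guest, and a VM snapshot already exists.
$DiskNumber = 0
$Mbr2Gpt    = Join-Path $env:SystemRoot 'System32\mbr2gpt.exe'

function Invoke-Mbr2Gpt {
    # Runs mbr2gpt in the given mode (/validate or /convert) and returns its
    # exit code. /allowFullOS is mandatory when not running from WinPE;
    # /disk pins the disk so the tool cannot pick a different one.
    param([string]$Mode)
    $p = Start-Process -FilePath $Mbr2Gpt `
        -ArgumentList $Mode, "/disk:$DiskNumber", '/allowFullOS' `
        -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

function Test-UefiState {
    # Run this after the VM has been switched to UEFI and booted again
    # (and after the vTPM device was added) to confirm the result.
    [pscustomobject]@{
        PartitionStyle = (Get-Disk -Number $DiskNumber).PartitionStyle   # expect GPT
        FirmwareType   = $env:firmware_type                              # expect UEFI
        SecureBoot     = $(try { Confirm-SecureBootUEFI } catch { 'n/a (legacy BIOS or unsupported)' })
        TpmPresent     = $(try { (Get-Tpm).TpmPresent } catch { 'n/a (no TPM device)' })
    }
}

$style = (Get-Disk -Number $DiskNumber).PartitionStyle
if ($style -ne 'MBR') { throw "Disk $DiskNumber is $style, not MBR - nothing to convert." }

$rc = Invoke-Mbr2Gpt '/validate'
if ($rc -ne 0) {
    # Typical causes: more than three primary partitions, extended/logical
    # partitions, or no room for the EFI system partition. Details are in
    # %WINDIR%\setupact.log. Never continue to /convert after this.
    throw "Validation failed with exit code $rc - see $env:SystemRoot\setupact.log"
}

$rc = Invoke-Mbr2Gpt '/convert'
if ($rc -ne 0) { throw "Conversion failed with exit code $rc - revert to the snapshot" }

"Disk $DiskNumber is now $((Get-Disk -Number $DiskNumber).PartitionStyle)."
"Shut the VM down, switch its firmware to UEFI, boot, then run Test-UefiState."
```

MBR2GPT exits non-zero on any failure, so gating the conversion on the validation exit code is the important part: the script never reaches /convert if validation did not pass, which is what keeps the disk bootable under the old firmware if something is wrong.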

NSX Advanced Load Balancer (ex AVI Networks) Let's Encrypt script integration

I would like to share a very useful setup for VMware NSX ALB (ex Avi) that uses the freely available Let's Encrypt certificate management solution. Basically, the provided script gives you automation inside the NSX ALB environment, without the need for external tools or systems. In summary, these are the required steps:

- create the virtual service (VS) that you will use for SSL setup with the Let's Encrypt cert - this can be a standalone service or SNI (Server Name Indication) based (Parent/Child) if needed. Initially you can select the "System-Default" SSL cert during the VS setup;

- create the appropriate DNS records for the new service - out of scope for NSX ALB most of the time. The NSX ALB Controllers must be able to reach the public Let's Encrypt servers, and the Let's Encrypt validators must be able to reach the VS on plain HTTP (port 80), for successful ACME HTTP-01 certificate generation/renewal;

- Download the required script from HERE

- Follow the rest of the required configuration steps in NSX-ALB-Lets-Encrypt-SETUP - user creation, adding the script, CSR...

- Special attention is needed if you have a split DNS scenario between the VS and Controller perspectives: the last step of the certificate generate/renew process in the script is verification of the received token using the ACME HTTP-01 check, which FAILS in this type of DNS setup (i.e. "Error from certificate management service: Wrote file, but Avi couldn't verify token at http://<URL>/.well-known/acme-challenge/<token-code>..."). The token file is served correctly, but the Controller resolves the VS name differently from the outside world (or not at all). The image below shows how to handle this setup by using a special variable integrated in the script:

NSX ALB Let's Encrypt split DNS verification bypass variable

After successful certificate generation you just need to assign it to the appropriate virtual service (the one created at the beginning, or an existing one), and after that the renewal process is automated per the default NSX ALB (Avi) policy: 30, 7 and 1 day before expiration.
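A pre-flight check for the split DNS failure described above, as an added Python example that is not part of the original post or of the NSX ALB script. It performs the same HTTP-01 fetch the script's last step does, once through normal name resolution (what the Controller sees) and once with the TCP connection pinned to the VIP (what the Let's Encrypt validators see). The host name, VIP and token values are hypothetical, and the embedded HTTP server exists only so the check can be exercised offline.

```python
"""Added example (not from the original post or the Avi/NSX ALB script).

Reproduces the last step of the Let's Encrypt HTTP-01 flow: fetch
http://<vs-fqdn>/.well-known/acme-challenge/<token> and compare the body
with the expected key authorization. With split DNS the NSX ALB Controller
resolves the VS name to an internal address (or not at all) while the
Let's Encrypt validators reach the public VIP, so the same check is run
twice: once through DNS (the Controller's view) and once with the connection
pinned to the VIP (the outside view). Names, VIP and token are hypothetical.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def fetch_challenge(host, token, connect_ip=None, port=80, timeout=5):
    """GET the challenge URL the way an ACME validator does: plain HTTP with a
    Host header carrying the VS name. If connect_ip is given, the TCP
    connection goes to that address instead of whatever DNS returns."""
    conn = http.client.HTTPConnection(connect_ip or host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": host, "User-Agent": "http01-precheck"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()


def check_http01(host, token, key_authorization, connect_ip=None, port=80):
    """Return (ok, detail) for one view of the challenge URL."""
    try:
        status, body = fetch_challenge(host, token, connect_ip, port)
    except OSError as exc:  # DNS failure, connection refused, timeout ...
        return False, f"connection failed: {exc}"
    if status != 200:
        return False, f"HTTP {status}"
    if body != key_authorization:
        return False, "body does not match the key authorization"
    return True, "ok"


def split_dns_report(host, vip, token, key_authorization, port=80):
    """Compare the Controller's view (DNS) with the outside view (VIP pinned).
    via_vip ok and via_dns failed is exactly the split-DNS case from the
    post: the file is served correctly, but the Controller cannot see it."""
    via_dns = check_http01(host, token, key_authorization, port=port)
    via_vip = check_http01(host, token, key_authorization, connect_ip=vip, port=port)
    return {"via_dns": via_dns, "via_vip": via_vip,
            "split_dns_suspected": via_vip[0] and not via_dns[0]}


def start_challenge_server(token, key_authorization, bind="127.0.0.1"):
    """Tiny stand-in for the VS serving the token (offline testing only).
    Returns (server, port); the server runs in a daemon thread."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PREFIX + token:
                payload = key_authorization.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the example quiet
            pass

    server = HTTPServer((bind, 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Hypothetical values: the VS name, its public VIP and one challenge.
    HOST, VIP = "www.example.com", "203.0.113.10"
    TOKEN, KEYAUTH = "exampleToken", "exampleToken.accountKeyThumbprint"
    print(split_dns_report(HOST, VIP, TOKEN, KEYAUTH))
```

If via_vip succeeds while via_dns fails, the token file and the VS are fine and only the Controller's name resolution is the problem, which is the case the script's bypass variable is for; if both fail, fix port 80 reachability on the VS before touching the Controller side.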

Cisco IOS-XE Top N Talkers config

In case you need a useful Top-N talkers output on Cisco IOS-XE, you can try a customized Flexible NetFlow config like this one - first the flow record (key fields are the addresses, the counters are collected per flow):

flow record TOP-N

match ipv4 source address

match ipv4 destination address

collect interface input

collect interface output

collect counter bytes long

collect counter packets long

 

Then create the appropriate monitor that references the record:

flow monitor TOP-N

record TOP-N

 

On the WAN interface, apply the new flow monitor to inbound traffic:

interface [YOUR-WAN-INTERFACE]
 ip flow monitor TOP-N input

 

Showing the results needs a fairly long show command (sort the cache by the counter you care about):

show flow monitor TOP-N cache sort highest counter packets...

 

HTH,

Dragan

SIP over NAT configuration in Cisco IOS/IOS-XE

As you may know, SIP doesn't like NAT :)... especially on IOS/IOS-XE based Cisco devices (an ASA, for example, handles it much, much better). For that reason you need a specific config to make it work - for both the signalling and the audio (RTP) part of the communication. These are the required steps in a UC CME environment with a public SIP account for PSTN trunk access:

- define one ACL that matches UDP SIP signalling traffic (port 5060) and the RTP audio ports - very probably high ports:

ip access-list extended UDP_RTP
 permit udp any any range 8000 65000
 permit udp any any eq 5060

- define one route-map (for NAT) that uses the previously created ACL:

route-map SIP_NAT permit 10
 match ip address UDP_RTP

- define a STATIC NAT translation for your inside SIP voice interface (this example uses 192.168.12.x for that purpose):

ip nat inside source static 192.168.12.x [YOUR-PUBLIC-IP] route-map SIP_NAT

Note that the "any any" entries in UDP_RTP only select which packets get translated; they do not filter anything. An adequate ACL on the WAN interface (ideally allowing SIP/RTP only from your provider's addresses) and secure SIP communication should be in place if you're using a public SIP trunk account, of course.

The CME voice register global (or telephony-service) configuration is the same as always - and your SIP trunk should work just fine ;)

 

 

Cisco ASDM unable to launch device...

In case you have a problem accessing the ASA through the ASDM manager, which gives you an error like "Unable to launch device..." although you already configured everything by the book for ASDM access, check the Java cryptography policy files - especially with Java 1.8. The default (limited) policy cannot negotiate the stricter FIPS-mode or high-strength ciphers configured on your ASA; replacing it with the unlimited-strength JCE jurisdiction policy files fixes that.

You can download the required files from HERE (for Java 1.8) and copy them (local_policy.jar and US_export_policy.jar) over the existing ones in your Java install folder --> lib --> security. Since Java 8u161 the unlimited policy is already the default (crypto.policy=unlimited in lib/security/java.security), so this step is only needed on older Java 8 updates.

After that, ASDM with strong SSL ciphers enabled on the ASA should work fine...

Cisco UCS Performance Manager stops responding!

Occasionally Cisco UCS Performance Manager (based on Zenoss 5) may stop responding, with the main serviced daemon inactive - which leads to unresponsive web access and all features... the version on which I found this was 2.0 (but 2.0.1 and 2.0.2 behave the same). Because of that I created a small script to check the status of the service and restart it - until something better and official comes out:

#!/bin/bash
# Restart serviced when it is not running; meant to be run from cron.
service=serviced

# pgrep -x matches the exact process name, so unlike "ps | grep serviced"
# it is not fooled by this script's own name or by other command lines
# that merely contain the word "serviced".
if pgrep -x "$service" > /dev/null; then
    echo "$service is running!!!"
else
    echo "$service is not running - restarting"
    service "$service" restart
fi

Give it executable rights - chmod +x [name of script] - and schedule it through a standard cron job, e.g. every few minutes.

Until something better this should do it...

Zimbra mail server check for spammer account

A useful command for quickly finding a compromised account in case of internal spam - it counts authenticated SMTP submissions per SASL username in the Postfix part of the Zimbra log:

sed -n 's/.*sasl_username=//p' /var/log/zimbra.log | sort | uniq -c | sort -n

The account with a much higher count of sent mails than the others is the one to inspect... (the same log line also carries the client IP, so you can see where the submissions came from)
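The same count as the sed pipeline above, as an added Python example that is not from the original post, extended with the number of distinct client IPs per account (a mailbox submitting from many addresses is a stronger sign of a stolen password than volume alone). The log lines embedded in it are constructed in the shape of Zimbra's Postfix smtpd entries, not copied from a server, and the thresholds in suspicious_accounts are assumptions to tune for your traffic.

```python
"""Added example, not from the original post. Does in Python what the
sed | sort | uniq -c pipeline does and adds a second signal: how many
distinct client IPs authenticated as each account. SAMPLE_LOG is
constructed to look like Zimbra's Postfix smtpd lines, not real data.
"""
import re
from collections import Counter, defaultdict

# Postfix smtpd logs the submitting client and the SASL login on one line.
SASL_RE = re.compile(r"client=\S*?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)")

SAMPLE_LOG = """\
Mar  3 09:12:01 mail postfix/smtpd[4711]: 1A2B3C: client=unknown[192.0.2.15], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 09:12:40 mail postfix/smtpd[4711]: 1A2B3D: client=unknown[192.0.2.15], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 09:13:02 mail postfix/smtpd[4712]: 1A2B3E: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 09:13:03 mail postfix/smtpd[4712]: 1A2B3F: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 09:13:04 mail postfix/smtpd[4713]: 1A2B40: client=unknown[198.51.100.24], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 09:13:05 mail postfix/smtpd[4713]: 1A2B41: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 09:13:06 mail postfix/smtpd[4714]: 1A2B42: client=unknown[198.51.100.25], sasl_method=PLAIN, sasl_username=bob@example.com
Mar  3 09:14:10 mail postfix/smtpd[4715]: 1A2B43: client=unknown[192.0.2.15], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 09:15:00 mail postfix/smtpd[4716]: 1A2B44: disconnect from unknown[192.0.2.99]
"""


def sasl_logins(lines):
    """Yield (username, client_ip) for every line that carries a SASL login."""
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def account_stats(lines):
    """Return {user: (submissions, Counter(ip -> submissions))}."""
    per_user = defaultdict(Counter)
    for user, ip in sasl_logins(lines):
        per_user[user][ip] += 1
    return {u: (sum(c.values()), c) for u, c in per_user.items()}


def rank_accounts(lines):
    """(user, submissions, distinct_ips) sorted by volume, then by IP spread."""
    stats = account_stats(lines)
    return sorted(((u, total, len(ips)) for u, (total, ips) in stats.items()),
                  key=lambda t: (t[1], t[2]), reverse=True)


def suspicious_accounts(lines, min_messages=3, min_ips=2):
    """Accounts over both thresholds (assumed values): the usual spam-run
    fingerprint of one login used from several unrelated addresses."""
    return [u for u, total, n_ips in rank_accounts(lines)
            if total >= min_messages and n_ips >= min_ips]


if __name__ == "__main__":
    # On a real server: with open("/var/log/zimbra.log") as f: rank_accounts(f)
    for user, total, n_ips in rank_accounts(SAMPLE_LOG.splitlines()):
        print(f"{total:6d} msgs {n_ips:3d} ips  {user}")
```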

Zimbra open source collaboration mail server installation requirements

These are the install requirements that I personally use when I'm playing with lab/production Zimbra open source mail servers:

- CentOS (minimal ISO) - base OS for the Zimbra installation, from https://www.centos.org/download/

- 8GB+ RAM, 10GB+ HDD, 2+ vCPU

Zimbra installation:

DISABLE THE POSTFIX THAT COMES BY DEFAULT WITH THE BASE CENTOS INSTALL (Zimbra ships its own) - systemctl stop postfix / systemctl disable postfix, or remove it with yum remove postfix

disable the iptables/firewalld firewall - this assumes you have some other firewall on the public side for your mail server

set SELinux adequately (disabled, which the Zimbra installer requires) in /etc/sysconfig/selinux

set up local DNS adequately in /etc/hosts - you must be able to resolve the hostname and the domain names you are going to use in the mail server, otherwise the system won't work - the installer itself checks that the hostname and the domain's MX record resolve via DNS

tar xzvf [zcsfilename.tgz] - unpack the previously downloaded file from https://www.zimbra.com/try/zimbra-collaboration-open-source/

cd [zcsfilename]

./install.sh - begin the installation process and follow the required steps

type x to see the complete main menu and additionally configure the items marked with asterisks (****) - i.e. the admin password!

Admin URL - https://[hostname.example.com]:7071

set up adequate DNS checks in Global Settings --> MTA tab!

set up volumes for storing mails in Configure --> Servers --> Volumes - you don't want to use the default /opt/zimbra folder!

Useful settings:

- zmcontrol status - display all Zimbra services (run su - zimbra first so that you execute this cmd as the zimbra user)

- zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes - reject mail for local addresses that don't exist instead of accepting and bouncing it

- zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes - reject mail claiming to come from local senders that don't exist

- zmprov ms [mtaserver.com] zimbraMtaLmtpHostLookup native - check the attribute inside the Zimbra LDAP

- zmprov mcf zimbraMtaLmtpHostLookup native - in a single-server setup the change is also required in the global config

- zmmtactl restart

- zmconfigdctl restart

- install webmin and htop for quick system support...

Create user accounts and publish the A/MX records of your new mail system - it's gonna work...

 

Vicibox contact center installation requirements

These are the recommended installation requirements if you need to play with the Vicibox open source scalable contact center solution:

- DB server (for up to 150 agents) - 8GB RAM, 240GB+ SSD - IN A CLUSTER SETUP ALWAYS INSTALL THE DB FIRST, FOLLOWED BY THE ARCHIVE, WEB AND LASTLY THE TELEPHONY SERVER!

- Archive server - 2GB+ RAM, 1TB HDD

- Web server - 4GB+ RAM, 160GB HDD

- Telephony server - 4GB+ RAM, 160GB HDD

OS installation notes (assumes you have already downloaded the ISO from http://download.vicidial.com/iso/vicibox/server/):

root / vicidial - default login (change it right away)

os-install - SUSE OS installation

yast lan - set up the network and DNS properties properly

yast firewall - set up the firewall inside the OS properly

zypper up -y - install updates and reboot afterwards

yast timezone - set the timezone properly

Vicibox express installation:

vicibox-express - complete express setup

Vicibox cluster installation:

vicibox-install - install the required component and reboot afterwards

Default username / password for accessing the Vicibox configuration - 6666 / 1234 - CHANGE AFTER INITIAL LOGIN!

Vicibox upgrade procedure:

vicibox-upgrade - start with the DB server, followed by the Web and Telephony servers - ALWAYS MAKE A BACKUP FIRST!

Handy tools for OS control after the complete setup:

install webmin - http://www.webmin.com/rpm.html

install htop - zypper in htop

 

vDP 6.1 vCenter web client connection problem

If you have a problem connecting the newest vDP 6.1.2 appliance to the vSphere web client in the following circumstances:

- you are using a vDS (Nexus 1kV also)

- you migrate everything to a standard vSwitch and it works like it should - THEN

please follow the procedure from the link below:

http://www.virtuallypeculiar.com/2016/05/unable-to-connect-vdp-61-to-web-client.html

Unable to connect to the vCenter appliance with WinSCP - change the SFTP server option (Advanced settings --> Environment --> SFTP) to "shell /usr/lib64/ssh/sftp-server" and enable SSH and Shell access in the appliance's web Admin settings.

It should work like a charm...