
Oracle Ravello Blogger Day, 2017

Attending Oracle Ravello Blogger Day last month provided me deep insight into two products I knew little about before attending, Oracle Cloud and Ravello.  After the excellent deep dive provided and the basic melting of my brain on all things hypervisor, virtualization, and cloud, crafting an intelligible post seems a formidable challenge. But here we go:

Oracle has a cloud?! Yup. And they are pretty serious about where they are taking this. Over the last three years, there’s been a serious commitment of time and resources to build this thing and to build it right. Clay Magouyrk, VP of Oracle Cloud Infrastructure, jokingly commented that one of the best things about being late to the cloud game is learning from other people’s mistakes. Cloud isn’t new, and watching what is working for the market leaders and avoiding their pitfalls is practically industry tradition. But there’s differentiation here as well, with Oracle touting no over-subscription, predictable latency, bare metal access, and competitive pricing. The Oracle cloud still has construction work to be done – only two US regions (think availability zones) are available at this time, but a European region is soon to be established.

Ravello, what is it? Ravello uses nested virtualization to allow you to bring your VMware-based applications into the cloud without changing anything about them. It reads the metadata of your virtual machines, sets up your virtual networking for you, and presto! You have your VMware environment running on cloud infrastructure. Why is this handy? Well, lots of vExperts have already leveraged this for their studies and lab environments. Being able to test large-scale scenarios without laying out great big wads of cash on your own virtual infrastructure is huge. For you networkers, this reminds me of Forward Networks, where you basically have an accurate running copy of your network that you can break as you will. My favorite case study presented at Oracle Ravello Blogger Day was a network security company whose Ravello template, comprised of hundreds of endpoints and servers, is used to train engineers using true-to-life malware incidents.

Why Ravello and Oracle Cloud together? Ravello has in the past been cloud agnostic and still plans to stay that way, but there will be added benefits if you choose to run Ravello on Oracle Cloud – those benefits stemming from the ability of Ravello developers to tap into the underlying infrastructure and eke out that extra bit of performance. I would try to explain the hypervisor intricacies that allow this dark magic to happen, but I would quickly resort to words like abracadabra and shibboleet.

Fortunately, many of my vExpert friends have already blogged on the finer details of Oracle Cloud and the Ravello announcements and I highly encourage you to check these out:

Chris Wahl (@chriswahl): Getting Nerdy on the Oracle Ravello Cloud Service

Ather Beg (@atherbeg): Oracle Ravello Blogger Day – Part 1: Oracle Cloud Oracle Ravello Blogger Day – Part 2: Ravello

Gareth Edwards (@garethedwards86): Ravello 2017 Bloggers Conference – Opening Post #RBD1

Max Mortillaro (@darkkavenger): RT1 – Oracle Cloud Strategy: Part 1 – Oracle Ravello Cloud Service

Matt Leib (@MBLeib): Ravello Systems Changing the Game

James Green (@jdgreen): Can Oracle Build a Viable Public Cloud

Keith Townsend (@CTOAdvisor): Oracle’s Cloud Investment is Real

Tim Smith (@tsmith_co): Ravello and the Oracle Cloud Journey


Disclaimer: While Mark Troyer and the awesome folks at Tech Reckoning were very generous to invite me to this fantastic event which was awesome, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.


Published 06/02/2017


Posted 2017/06/02 in Oracle Ravello Blogger Day


Enforcing wireless SSID policy using CounterACT NAC and Airwatch MDM module

Recently, I tested out policy enforcement on corporate iPads using Forescout’s CounterACT and its optional Airwatch integration module*.  I’ll be sharing a few things I learned along the way, especially since documentation of this setup is rather sparse (read practically non-existent).

To get this set up, I installed the Airwatch module, downloaded from the Forescout site. You’ll need a valid login, but once you’ve downloaded the file, you can install the module from the CounterACT client by going to Tools -> Options -> Plugins. After installing the module, there are a few pieces of integration information that can be found in the Airwatch portal itself. In the CounterACT client, you can right-click the AirWatch MDM plug-in, click Configure, and enter the required information.

Once you’ve completed the integration information, be sure to start the AirWatch MDM Plugin – it doesn’t automagically start, and results are particularly disappointing unless it’s running, as I experienced myself.

At this point it is a good idea to use the Test option for the Plugin and confirm you see a Test Passed in your output.

You can also double click the MDM Integration Module and you should see some happy little Airwatch managed devices listed.

Now it’s time to set up a couple of policies. My first policy matched on Network Function – Mobile Device and Airwatch Enrollment Status – Enrolled.  If CounterACT finds these two criteria to be true, it should drop the tablet into my Corporate Hosts group I designated – a group which is allowed the appropriate network access for a corporate managed device.

My second policy was designed to match unmanaged tablets and phones – those not enrolled in Airwatch. The policy checks if the Device Function is Mobile Device, and has an action of WLAN Block.

I thought this would be it and victory would be mine, but alas the WLAN block wasn’t working.

I received increasingly annoying errors about not being able to reach the wireless controller to enforce the policy. After testing the wireless controller under Plugins, I could see I was failing on WLAN Role and on Write Permissions. In an act of sheer grasping at straws, I removed the wireless controller, which had been added as its VIP (HA) address, and instead added the wireless controller by its “real” IP address. That did the trick. All tests passed, victory dance cued up.

But then I discovered the extremely disturbing flaw in my perfect policy plan.  Once a device was identified as not managed and very successfully blocked, it became blocked from all SSIDs. Meaning no employee network AND no guest network for the device. The controller wouldn’t accept the device as a client. Period. Cue sad trombone instead.

Reworking the policy logic, I implemented the WLAN Role change instead of the WLAN Block action.

I selected a guest role configured in the Aruba controller that locks the user down, blocking access to corporate resources.  You can see below the successful policy enforcement.

Later, my awesome coworker was able to set up an HTTP notification action for the policy so that the users see a web page informing them of the error of their ways and instructing them to change SSIDs to the guest wireless network to be redeemed.


Now about that victory dance…


Published 05/26/2017

*Anyone who has had to deal with 802.1X certificate enrollment for iPads knows what a PITA the experience is – the setup being tested here allowed for PEAPv0 (EAP-MSCHAPv2) authentication using Microsoft NPM, with the goal that any non-corporate device would have no access to corporate resources. There are other ways to skin this ugly iPad certificate cat, and if you’d like to list the ones you’ve had the most success with in the comments, I am sure others would appreciate the insight.


Posted 2017/05/26 in NAC, Tools, Wireless


Capturing 802.11 management frames on Windows using Acrylic WiFi Pro

Studying for CWAP, I embarked on a mission to capture 802.11 management frames using my Windows laptop. For those with MacBooks that do this natively, read no further, just keep on perfecting that smug look of disdain with a slight hint of pity for the rest of us Microsoft peasants.

For those whose laptops aren’t fruit branded, but who still want to capture 802.11 frames in promiscuous mode, this is the post for you. Especially if you can’t quite justify the cost of an AirPcap adapter for study purposes.

While researching alternatives to pricey AirPcap adapters, I came across this Acrylic WiFi Professional post on their option for an NDIS driver. This driver allows you to capture in promiscuous mode, so you can capture all that management frame goodness, but without the AirPcap adapter.  I checked out the supported USB wireless options, ordered one off the list from Amazon (I picked the NETGEAR A6200), and downloaded a free trial of Acrylic WiFi Pro to get started.

The installation of Acrylic Pro is straightforward, as is turning on Monitor Mode when you know where to look. By default, Monitor Mode is turned off and the NDIS driver is not installed.  Just click the menu in the right corner, and select Change to get to the Monitor Mode settings.

[Screenshot: Monitor Mode settings]


Select Monitor Mode On and select Install the NDIS driver.  You’ll get a warning message that you might crash your system and you’ll need to acknowledge that you are completely okay with this*.

[Screenshot: NDIS driver warning message]


Once the driver is installed you can swap over to the Packet Viewer using the icon in the top tool bar or by clicking Packet Viewer from the menu.  You will also see that you are in Monitor Mode and can select to change out of Monitor Mode if so desired.

[Screenshot: Packet Viewer window]


While all of this is really super cool, I was extremely interested in capturing these frames inside of my most familiar tool of packet sniffing choice, Wireshark.

Unfortunately, I didn’t see the NDIS driver as an available capture interface when I launched the Wireshark application. This post by Acrylic reminded me why. I needed to launch Wireshark with Run As Administrator, even though I am a local administrator on the laptop**.   Once I did this, I could select the Acrylic NDIS NETGEAR A6200 WiFi Adapter and start capturing wireless management frames.

[Screenshot: Wireshark Capture Interfaces]


I could also select the Wireless Toolbar in Wireshark and see that the NDIS driver is emulating an AirPcap adapter.

[Screenshots: Wireshark Wireless menu and Wireless Toolbar]

Unfortunately, I still had one tiny problem at this point.  Every time I launched the Wireshark application, my built-in wireless card immediately quit passing all traffic. Not exactly ideal for productivity.

Easy fix, though, if you encounter this issue.  Head over to the settings for the Network Adapter, uncheck the Tarlogic NDIS Monitor Driver for the built-in adapter, and the problem is solved.

[Screenshot: Change Adapter Settings]

I would be remiss not to point out that there are limitations to this NDIS driver. For instance, there is no support for 40 or 80 MHz channels at this time.  But for my CWAP study purposes, this is working quite well and saves me a bit of cash.  Also, Ben Miller did a great write up on this very same subject, which, of course, I found just AFTER I went through this process and drafted this post. The universe has quite the sense of humor like that.
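Once the frames land in Wireshark its dissectors do the decoding, but it helps to know what is actually in a management frame when you are reading the hex pane for CWAP. The following is an added example of my own, not code from Acrylic, Tarlogic or Wireshark: a small Python parser for the 802.11 MAC header and the tag/length/value information elements, run over three constructed frames (a WPA2 beacon, a wildcard probe request and a deauthentication) rather than a real capture. It assumes the radiotap header and FCS have already been stripped, and it does not cover 40/80 MHz HT/VHT elements, which matches the driver limitation mentioned above.

```python
import struct

# Management-frame subtypes (IEEE 802.11 frame type 0), keyed by the 4-bit subtype field
MGMT_SUBTYPES = {
    0: "Association Request", 1: "Association Response",
    2: "Reassociation Request", 3: "Reassociation Response",
    4: "Probe Request", 5: "Probe Response", 8: "Beacon",
    10: "Disassociation", 11: "Authentication",
    12: "Deauthentication", 13: "Action",
}

# Constructed sample frames (not captured from any real network); no radiotap header, no FCS.
BEACON = (
    b"\x80\x00"                    # frame control: version 0, type 0 (mgmt), subtype 8 (beacon)
    + b"\x00\x00"                  # duration
    + b"\xff\xff\xff\xff\xff\xff"  # addr1: broadcast
    + b"\x00\x11\x22\x33\x44\x55"  # addr2: transmitter (the AP)
    + b"\x00\x11\x22\x33\x44\x55"  # addr3: BSSID
    + b"\x10\x00"                  # sequence control: seq 1, fragment 0
    + b"\x00" * 8                  # timestamp
    + b"\x64\x00"                  # beacon interval: 100 TU
    + b"\x11\x00"                  # capability: ESS + Privacy
    + b"\x00\x07CorpNet"           # SSID IE (tag 0)
    + b"\x01\x04\x82\x84\x8b\x96"  # supported rates IE (tag 1)
    + b"\x03\x01\x06"              # DS parameter set IE (tag 3): channel 6
    + b"\x30\x14"                  # RSN IE (tag 48), 20 bytes: WPA2, CCMP, PSK
    + b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
    + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00"
)
PROBE_REQ = (
    b"\x40\x00" + b"\x00\x00" + b"\xff" * 6 + b"\xaa\xbb\xcc\xdd\xee\xff" + b"\xff" * 6
    + b"\x30\x00"                  # seq 3
    + b"\x00\x00"                  # empty SSID IE: wildcard probe
    + b"\x01\x04\x82\x84\x8b\x96"
)
DEAUTH = (
    b"\xc0\x00" + b"\x3a\x01" + b"\xaa\xbb\xcc\xdd\xee\xff"
    + b"\x00\x11\x22\x33\x44\x55" + b"\x00\x11\x22\x33\x44\x55"
    + b"\x20\x00"                  # seq 2
    + b"\x07\x00"                  # reason code 7: class 3 frame from non-associated STA
)
DATA_FRAME = b"\x08\x01" + b"\x00" * 22   # type 2 (data): parser returns None


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk tag/length/value information elements; stop at the first truncated one."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.setdefault(tag, []).append(bytes(value))
        i += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Decode one 802.11 frame; returns a dict for management frames, None otherwise."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x03:
        raise ValueError("unsupported 802.11 protocol version")
    if (fc0 >> 2) & 0x03 != 0:
        return None                          # control or data frame
    subtype = fc0 >> 4
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info = {
        "subtype": MGMT_SUBTYPES.get(subtype, f"reserved({subtype})"),
        "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
        "seq": seq_ctl >> 4, "retry": bool(fc1 & 0x08), "protected": bool(fc1 & 0x40),
    }
    body = frame[24:]
    if subtype in (5, 8):                    # probe response / beacon: timestamp, interval, capability, IEs
        if len(body) < 12:
            raise ValueError("beacon/probe response body truncated")
        _, interval, cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
        ssid = ies.get(0, [b""])[0]
        info.update({
            "ssid": ssid.decode("utf-8", "replace"), "hidden_ssid": len(ssid) == 0,
            "beacon_interval_tu": interval,
            "channel": ies[3][0][0] if 3 in ies and ies[3][0] else None,
            "privacy": bool(cap & 0x10),     # capability bit 4: encryption advertised
            "rsn": 48 in ies,                # RSN IE present: WPA2/WPA3 rather than WEP or open
        })
    elif subtype == 4:                       # probe request: SSID IE, empty means wildcard
        ssid = parse_ies(body).get(0, [b""])[0]
        info.update({"ssid": ssid.decode("utf-8", "replace"), "wildcard": len(ssid) == 0})
    elif subtype in (10, 12):                # disassociation / deauthentication carry a reason code
        if len(body) < 2:
            raise ValueError("reason code missing")
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    return info


def summarize(frames):
    """Count management subtypes over a capture; an unexpected pile of deauthentications is worth a look."""
    counts = {}
    for frame in frames:
        info = parse_mgmt_frame(frame)
        if info:
            counts[info["subtype"]] = counts.get(info["subtype"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in (BEACON, PROBE_REQ, DEAUTH):
        print(parse_mgmt_frame(f))
    print(summarize([BEACON, PROBE_REQ, DEAUTH, DATA_FRAME]))
```

The beacon parse is the one to compare against Wireshark’s “IEEE 802.11 Beacon frame” tree: the SSID, DS channel and RSN element should line up with what the dissector shows, and the capability Privacy bit alone does not tell you WPA2 from WEP, which is why the RSN check is separate.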


Published 2/7/2017

*Do this at your own risk, please don’t blame me for your system crash, there’s a good chance I’ll just point and laugh…

**If you need to know how to set a program to always run as administrator in Windows 10, look here.


Shiny New NetPath Services

With network visibility being all the rage now, any tool that expands insight into what packets are doing is a beautiful thing. NetPath, new in Solarwinds NPM 12, does just that.

Watching the beginning of the presentation at NFD13, you might start to think this is just traceroute with pretty pictures – but that’s not all there is to this story. The probes that Solarwinds uses aren’t just your standard run-of-the-mill ICMP traceroute packets. Instead, these probes behave like the “real” network traffic you are trying to track, meaning they are less likely to be dropped by firewalls and other devices along the path.

It’s worth noting that NetPath is for TCP traffic only right now, but assuming it’s TCP paths you want to investigate, you can assign a poller from your Solarwinds server, or you can even install a polling agent on a Windows machine located closest to the source of the traffic you want to investigate. Say you have a remote site that intermittently reports slowness with certain websites; with NetPath you can now observe traffic behavior from the site in question, giving you valuable information for resolving those vague and highly detestable “the network is slow” complaints.

Out of the box – or for me, after the upgrade of NPM to 12 – you have a preconfigured poller for Google that looks something like this:

[Screenshot: preconfigured Google NetPath service]

Which, when activated results in a path diagram that looks something like this:

[Screenshot: NetPath path diagram for the Google service]


From there, it’s pretty easy to set up other pollers for your traffic of interest.

Last, but certainly not least, if you happen to own the NCM product as well, NetPath will also let you know if there have been any recent config changes to nodes NCM manages. Being able to correlate poor performance to a recent config change on a node along the path is, to me, icing on the delicious network visibility cake. Mmmmm, cake…

Jody Lemoine wrote an excellent post on Packet Pushers on NetPath services; I highly recommend checking it out for more details on this network monitoring goodness. Check out all the videos from Solarwinds at Network Field Day 13 here. Chris O’Brien does a really good job of explaining some of the magic behind the sauce used for these probes in this video, if you are interested in the details of the probe secret sauce – loads of nerdy networking awesomeness.

Published 12/5/2016

Disclaimer: While Networking Field Day, which is sponsored by the companies that present, was very generous to invite me to this fantastic event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.


Forward Networks – go ahead, break it.

When you’re tasked with planning for data center failover testing, you spend an awful lot of time reviewing configurations and scenarios, scrutinizing every detail to ensure that when the plug is pulled – both figuratively, and in some cases, literally, that all will go according to plan.  If you are someone lucky enough to have a lab environment at your job, it’s usually only a partial reconstruction of the network at best. In many cases, the luxury of a lab is simply non-existent in the workplace. I tend to exist in that latter world…

Watching Forward Networks present at Network Field Day 13, I couldn’t help but think how great this solution would be for exactly these types of scenarios.  Sure, you can plow through configurations manually and predict with some certainty that your routing is resilient. However, what if you could run through failover scenarios and network changes in advance, actually see the impacts in a lab that faithfully reconstructed your entire network?  The confidence in the DR testing plan skyrockets, and the reliance on anti-anxiety meds and lucky rabbit feet plummets.

The Forward Networks solution allows you to do just that by basically pulling all your configurations from your production gear, building your network, and then letting you break it. You could also just evaluate the network as well, if you’re not feeling particularly destructive. Forward Networks has several built-in checks for elements that are commonly misconfigured, such as port channels, VLANs, and port duplex settings, pretty much letting the lab network point out your previously overlooked mistakes.

You can also use Forward Networks to determine the complete path of certain traffic using their rather snazzy UI, which allows for some intuitive queries formed in human-speak, not SQL-I-don’t-know-the-right-table-name-please-just-show-me-my-data format.

Forward looking at the Forward Networks solution (see what I did there?) – I do wonder if price will be an obstacle for small to medium enterprise, as several products in this space are reassuringly expensive.*

I love that there is already a long list of vendors whose gear is supported in the product, but keeping pace with new vendors and OS versions will certainly be a challenge – one Forward Networks sounds excited to take on.

Definitely check out David Varnum’s post on Forward Networks as well; he goes into some detail on the company, the APIs of the product, and the configuration checks Forward Networks is capable of in its current release. He’s also included some nice screenshots of the UI.

All of the videos from NFD13 from Forward Networks are a good watch, but if you only pick one, don’t miss the simulated outage demo.  You’ll laugh, you’ll cry, you’ll be totally impressed by how much fun watching a pretend network failure can be.


*reassuringly expensive: a term I credit to the one and only Greg Ferro and a term that I make frequent use of in networking.

Published: 11/28/2016

Disclaimer: While Networking Field Day, which is sponsored by the companies that present, was very generous to invite me to this fantastic event and I am very grateful for it, my opinions are totally my own, as all redheads are far too stubborn to have it any other way.


Bye, bye 2800s…

At the end of this month, the long beloved 2800 series voice gateways go end of support.  If you find yourself finally getting around to replacing these boxes with the 4000 series voice gateways, you’ll be happy to hear that transitioning PRIs from one to the other is relatively painless for voice work*.

I found it did take me a few minutes to hone in on the shiny new syntax for the clocking commands, so here’s a quick overview of what you’ll need to know.

We’re all pretty used to the standard “network clock participate, blah, blah, blah…” command paired with the “network clock select something-or-other…” command to keep those slip seconds on the T1 controller away.**

With the 4Ks, you need something similar, but of course, they couldn’t just leave the syntax the same. Instead you need to use something like this, of course using the slot numbers that your T1 card is installed in:

network-clock synchronization automatic
no network-clock synchronization participate 0/1

A previous version of this post had these commands:

network-clock input-source 1 controller t1 0/1/0
network-clock sync participate 0/1

but a very smart TAC engineer alerted me to bug ID CSCvb01800, which has to do with how the NIM is included, or rather not included, in the clocking. This changes the configuration in two important ways. First, forget the input-source command. Second, enter the “no network-clock synchronization participate 0/1” command even though you don’t see “network-clock synchronization participate 0/1” in the configuration; that command is the default and is not visible, even in “show run all”. If you followed the commands from the previous version of this post, you simply need to enter “no network-clock input-source 1 controller t1 0/1/0” and “no network-clock sync participate 0/1”.

And don’t forget to add “clock source line primary” on the controller port – you didn’t typically need to explicitly set this on the 2800s/2900s, but apparently the 4Ks need more hand holding and direct instructions.

controller T1 0/1/0
 framing esf
 clock source line primary
 linecode b8zs
 cablelength long 0db
 pri-group timeslots 1-24

When you get this right, you should see some good news similar to this scroll across the screen – feel free to do a little happy dance:

*Sep 9 21:11:01.139: %NETCLK-6-SRC_ADD: Synchronization source T1 0/1/0 is added to T0 selection process.

And you can check your T1 clocking information when you bring the circuit up with this handy little command:

#show network-clock sync
Symbols:     En – Enable, Dis – Disable, Adis – Admin Disable
             NA – Not Applicable
             *  – Synchronization source selected
             #  – Synchronization source force selected
             &  – Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : T1 0/1/0
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No

Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
 Internal             NA          NA/Dis       251   QL-SEC    NA        NA       
*T1 0/1/0             NA          NA/Dis       1     QL-SEC    NA        NA

My apologies for a messy-looking post, but due to the bug ID mentioned above, the verification output I showed in the previous version of this post changes. For now, I am leaving the prior output (the “show network-clock sync” above, which shows T0 : T1 0/1/0) in with strike-through, so anyone who read the previous post can see the changes.

Using the commands adjusted for the bug ID, you see this instead:

#show network-clock sync
Symbols: En – Enable, Dis – Disable, Adis – Admin Disable
NA – Not Applicable
* – Synchronization source selected
# – Synchronization source force selected
& – Synchronization source manually switched

Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : Internal
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No

Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
*Internal             NA          NA/Dis       251   QL-SEC    NA        NA

After cutting over to the new gateway, you can check for slip seconds on the line using the old standard “show controller T1 0/1/0” – but be sure you clear the counters after plugging in the circuit, since there are always a few slip seconds reported when first plugging in the circuit.

After resetting the counters, check that the slips stay at zero.

#show controller t1 0/1/0
T1 0/1/0 is up.
  Applique type is Channelized T1
  Cablelength is long gain36 0db
  No alarms detected.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Framing is ESF, Line Code is B8ZS, Clock Source is Line Primary.
  Data in current interval (566 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs

[output truncated]
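If you are cutting over more than one gateway, it is worth turning the two verifications above into a check you can run against saved output instead of eyeballing it. The following is an added Python example of my own (not from Cisco or from the original version of this post): it parses “show controller t1” and “show network-clock sync” output and reports line state, alarms, clock source, slip seconds and the selected T0 source. The first controller sample is the output shown above; the second is a constructed variant, labelled as such, with the controller left on internal clocking and slips accumulating, which is what the check is meant to catch.

```python
import re

# "show controller t1 0/1/0" output from this post (counters cleared, circuit healthy)
CTRL_OK = """T1 0/1/0 is up.
  Applique type is Channelized T1
  Cablelength is long gain36 0db
  No alarms detected.
  alarm-trigger is not set
  Soaking time: 3, Clearance time: 10
  AIS State:Clear  LOS State:Clear  LOF State:Clear
  Framing is ESF, Line Code is B8ZS, Clock Source is Line Primary.
  Data in current interval (566 seconds elapsed):
     0 Line Code Violations, 0 Path Code Violations
     0 Slip Secs, 0 Fr Loss Secs, 0 Line Err Secs, 0 Degraded Mins
     0 Errored Secs, 0 Bursty Err Secs, 0 Severely Err Secs, 0 Unavail Secs
"""

# Constructed variant (not real output): "clock source line primary" missing, slips piling up
CTRL_SLIPPING = (CTRL_OK
                 .replace("Clock Source is Line Primary", "Clock Source is Internal")
                 .replace("0 Slip Secs", "37 Slip Secs"))

# "show network-clock sync" output from this post, after the bug ID workaround
NETCLK = """Automatic selection process : Enable
Equipment Clock : 2048 (EEC-Option1)
Clock Mode : QL-Disable
ESMC : Disabled
SSM Option : 1
T0 : Internal
Hold-off (global) : 300 ms
Wait-to-restore (global) : 300 sec
Tsm Delay : 180 ms
Revertive : No

Nominated Interfaces

 Interface            SigType     Mode/QL      Prio  QL_IN  ESMC Tx  ESMC Rx
*Internal             NA          NA/Dis       251   QL-SEC    NA        NA
"""


def parse_controller(text):
    """Pull state, alarms, clock source and the interval counters out of show controller t1."""
    head = re.search(r"^T1 (\S+) is (\w+)\.", text, re.M)
    if not head:
        raise ValueError("no 'T1 x/y/z is up/down' line found")

    def counter(name):
        m = re.search(r"(\d+) " + re.escape(name), text)
        return int(m.group(1)) if m else None

    clock = re.search(r"Clock Source is ([^.\n]+)\.", text)
    elapsed = re.search(r"\((\d+) seconds elapsed\)", text)
    return {
        "controller": head.group(1), "state": head.group(2),
        "alarms": "No alarms detected." not in text,
        "clock_source": clock.group(1) if clock else None,
        "elapsed": int(elapsed.group(1)) if elapsed else None,
        "slips": counter("Slip Secs"),
        "errored": counter("Errored Secs"),
        "unavail": counter("Unavail Secs"),
    }


def parse_network_clock(text):
    """Read the T0 line and the '*' row (selected source) from show network-clock sync."""
    t0 = re.search(r"^T0\s*:\s*(.+?)\s*$", text, re.M)
    # interface name may contain a space ("T1 0/1/0"); anchor on the Mode/QL column's slash
    sel = re.search(r"^\*(.+?)\s+\S+\s+\S+/\S+\s+(\d+)\s+(\S+)", text, re.M)
    return {
        "t0": t0.group(1) if t0 else None,
        "selected": sel.group(1) if sel else None,
        "selected_prio": int(sel.group(2)) if sel else None,
        "selected_ql": sel.group(3) if sel else None,
    }


def clocking_report(ctrl_text, netclk_text):
    """Combine both outputs and list anything a voice engineer would want to fix before cutover."""
    c = parse_controller(ctrl_text)
    n = parse_network_clock(netclk_text)
    issues = []
    if c["state"] != "up":
        issues.append(f"controller {c['controller']} is {c['state']}")
    if c["alarms"]:
        issues.append("alarms present on controller")
    if c["clock_source"] is None or not c["clock_source"].lower().startswith("line"):
        issues.append("controller is not clocked from the line; add 'clock source line primary'")
    if c["slips"]:
        issues.append(f"{c['slips']} slip seconds in {c['elapsed']} s (clear counters and re-check clocking)")
    return {"controller": c, "network_clock": n, "issues": issues}


if __name__ == "__main__":
    for label, sample in (("healthy", CTRL_OK), ("slipping", CTRL_SLIPPING)):
        report = clocking_report(sample, NETCLK)
        print(label, report["network_clock"], report["issues"] or "no issues")
```

Run it against fresh output captured a few minutes after clearing the counters, since, as noted above, a handful of slips is normal right when the circuit is plugged in; a non-zero count after that, or a controller reporting anything other than a line clock source, is the thing to chase.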

Bonus material – the other strange syntax issue I hit with the 4Ks was bug ID CSCup86596: the “isdn incoming-voice voice” command wouldn’t take under the signaling channel configuration. The workaround is epic in its vagueness, noting that “the functionality is there and will work” even though you cannot enter the command. So, yeah, typical voice shenanigans…

More bonus material – I was made aware by the previously mentioned very smart TAC engineer, that if you are looking into RTP-NTE (RFC 2833) DTMF issues on a 4K, you are going to need packet captures, the debug voip rtp sess name doesn’t do the trick.  I haven’t had to face this one yet, but hopefully that little bit of information will save you some time if you do.


*voice is pain; anyone who tells you otherwise is trying to sell you something 😉

**to set clocking for PRIs on 2800s/2900s, typically you use something like these two commands, depending on which slot the WIC card is plugged into. If you are seeing slip errors, you should check for these commands: 

network-clock-participate wic 1
network-clock-select 1 T1 0/1/0

Published 10/21/2016


Upgrading UCCX 9.0(2) to 10.6(1)

If you’re wondering about upgrading UCCX from 9.0(2)SU2 to 10.6(1)SU2, and would like that information with a side of snark, then this is the post for you.

Fair warning, this is one of those your-mileage-may-vary entries, definitely do not take my notes as gospel because I promise *I* won’t be the one restoring your UCCX server from backup at 3am.  Always read the release notes and upgrade guides in their entirety, skipping pages earns you nothing but (more) pain and suffering.

That being said, there’s a few important compatibility matrices you will want to check for this upgrade.

Pay close attention to whether your UCS can handle later versions of ESXi without UCS upgrades. For instance, 10.6 no longer supports ESXi 4.X, so you might have some pre-upgrade UCS work to be done before the real party gets started. If you are unsure about your UCS/ESXi version compatibility, try this link for checking.

UCCX 10.6 upgrade from 9.0(2) does require a .cop file, I used ciscouccx.refresh_upgrade_v1.9.cop.sgn.

Before beginning this process, I highly suggest taking a screenshot of your licensing, sacrificing a couple of chickens, and making sure you have ordered your upgrade license through the PUT tool. Voice engineering breeds much in the way of paranoia, so I also recommend downloading the scripts and prompts, just in case you get the additional fun of rebuilding the server from scratch. It should go without saying, but I’ll say it anyway, be sure to check that your backups have been running AND that they have been running successfully.

The order of operations goes something like this for an HA setup, note that there is no Finesse deployed in my setup, strictly CAD.

  • Confirm the primary is active and all services show IN SERVICE – don’t skip this, I’ve never tried to upgrade in an active failed over state, but I imagine it’s like crossing the streams and would end in much badness.
  • Install .cop file on the primary, reboot, grab coffee, wait for services to come back up
  • Install .cop file on the secondary, reboot, grab moar coffee, wait for services to come back up
  • Install upgrade file to primary, drive to a different county to get coffee, don’t panic when the server reboots during the installation, and do not reboot after install.
  • Install upgrade file to secondary, switch to vodka. Question life choices to get involved in voice engineering.  Do not reboot after install.
  • Switch versions on the primary. There’s more than enough time at this stage to continue questioning your life choices. All of them.
  • Server (finally) boots to new version. Wait for services to start. The docs say this could take up to 30 minutes. Shouting profanities at the server will not shorten this interval significantly, but you’ll likely try anyway.
  • Log into the server, install license file, note the error message about OVA template issues. Shut down the server because seriously, who needs that kind of negativity in life? Or shutdown because you need to make changes to the OVA. Whichever…
  • Modify OVA template for RAM, OS, and vNIC changes*
  • Power on server, wait for services. Yes, again.
  • Switch versions on the secondary, repeat the process above, pour another glass of whatever is left.
  • Once the primary and secondary are both online with all services showing IN SERVICE, check that replication status is good.
  • Run the client configuration tool and test your queues. Buy a lottery ticket if you haven’t had to call TAC by this point.**

The above list is strictly an overview, but it gives you a reasonable idea of what to expect during the upgrade. A whole lot of proper planning will result in a whole lot of waiting for things to happen, but not much else. An uneventful voice upgrade is an awesome voice upgrade.


*Things got interesting with this. During the planning stages, TAC sent me a link to the procedure for altering the OVA, related to Bug ID CSCut04158. This detailed the process to change the vNIC to vmxnet3. When I presented the process to my virtualization guru, he concluded it would not work for our configuration; we would have to use some PowerCLI magic instead. And by we, I mean he. He used PowerCLI magic, I just threw another chicken onto the altar. The code went something like get-vm MyServerName | get-networkadapter | set-networkadapter -type "vmxnet3" – use this suggestion at your own risk, I am not a virtualization expert, nor do I play one on TV.

**I will point out that in the upgrade guide, an error about unaligned partitions is called out as a potential issue – it sounded like a whole lot of no fun resulting in rebuilding from backup, and I was quite relieved I didn’t hit that one. Did I mention read the docs?  Definitely do that…

Published 08/16/2016


Posted 2016/08/16 in UCCX, Upgrades
