networking

ESXi VM need to manually change MAC Address

Today I had to deal with a FlexLM licensing server issue. A VM had its NIC configured for the SAN's VLAN rather than the production VLAN, which caused considerable downtime for the server. I will talk about setting up my SAN on a different VLAN from the rest of my production network in another post. In the VMware vSphere console for the ESXi host that my guest VM was running on, I attempted to change the MAC address of a specific NIC so the license server would work correctly. In a previous version, ESXi 3.5, I was able to force this and use any MAC address I wanted. In ESXi 4.1 you can't do that anymore, as it forces you to modify only the last 6 digits of the MAC address rather than the whole set. My workaround is below:

As you notice in the above figure, the MAC address is a random address given by my ESXi server. I needed to bypass this and force a MAC address from a NIC that I am not using anymore, on the old server that I needed to move my FlexLM licensing from. To accomplish this I went into the NIC's Advanced configuration in the driver settings:

This allowed me to set the MAC address for the NIC, and it forces this address over the one set by ESXi.

NOTE: I have confirmed that this setup works with FlexLM on both Windows Server 2003 and Server 2008. I have not yet tested on Windows Server 2012.

Also note: you can never fire up that NIC again on your old server, even if you plan to repurpose it, unless you are able to change its MAC address manually or install a new NIC. Firing up that NIC will cause the above setup to fail miserably, as you will have tons of trouble connecting to the new server from the old one.

Why you should change your default passwords

So you bought that shiny new wireless router, or your ISP gave you a new one after you signed a new contract with them. The very first thing many people do is personalize the SSIDs on the device so that they can distinguish their wireless network from their neighbor's, but they overlook a major security concern.

In the article presented by Sophos, over 4.5 million DSL subscribers who got new modems from the dominant ISP in Brazil got duped because they didn't bother to change the default password on the device. Sophos goes further in depth by detailing the process the attackers used to change the DNS servers on the modems to malicious DNS servers, which then pointed users to malicious sites even though the site they asked for was legitimate. The article details that the DNS record for Google in Brazil is google.com.br, which is the legitimate domain name for the Brazilian version of Google. The hackers changed the DNS records by simply gaining access to all of the modems. The website looked legitimate when visiting it, but it asked users to download a file, which the real Google never does.

Moral of the story: change your network device passwords as soon as you set the devices up, because if they get modified without your knowledge you can be on the hook for something much more serious than simply having your DNS changed to malicious DNS. Story from Sophos: source

Update Dell PowerConnect Firmware via SSH and SFTP

You can use PuTTY to telnet into your Dell PowerConnect 62xx switches to configure them and install new firmware. The CLI is much more powerful than the web interface of the 62xx series switches. This setup is not limited to stacking modules but in my example I am using multiple switches in a stack configuration so it only shows up as 1 switch in my configuration panel.

Download the Dell Switch Firmware from http://support.dell.com and enter the service tag of your switch to get the specific firmware for the model.

Download TFTP64server from here: http://tftpd32.jounin.net/tftpd32_download.html

Setup TFTP64server

Create a directory in C:\ root of your computer then make the following directories:

C:\switches\firmware  

Copy the Dell firmware files to the firmware directory.
Commands for Telnet on 62xx switches:

Open PuTTY in Telnet mode to the IP address of your PowerConnect switch

THIS SYSTEM IS PROPERTY OF XXXXX COMPANY XXXXX INFORMATION TECHNOLOGY DEPARTMENT. UNAUTHORIZED USE OF THIS DEVICE IS NOT PERMITTED UNDER THE TERMS OF THE ACCEPTABLE USE POLICY.  
Press 'y' to continue (within 30 seconds) (y/n) y  
User:admin  
Password:*********  
SW-ENG>en  
SW-ENG#show version  
Image Descriptions  
image1 : default image  
image2 :

Images currently available on Flash  
--------------------------------------------------------------------
unit image1 image2 current-active next-active  
--------------------------------------------------------------------
1 3.2.0.7 3.2.1.3 image1 image1  
2 3.2.0.7 3.2.1.3 image1 image1  
SW-ENG#copy tftp://<yourTFTPserverIP>/<firmwareName>.stk image  

Mode........................................... TFTP  
Set TFTP Server IP............................. <yourTFTPserverIP>  
TFTP Path...................................... ./  
TFTP Filename.................................. <firmwareName>.stk  
Data Type...................................... Code  
Destination Filename........................... image

Management access will be blocked for the duration of the transfer  
Are you sure you want to start? (y/n) y

TFTP code transfer starting  
9718796 bytes transferred  
File reception complete  
Verifying file...  
File contents are valid.

Distributing the code to the members of the stack!  
File transfer operation completed successfully.

SW-ENG#show version

Image Descriptions  
image1 : default image  
image2 :

Images currently available on Flash  
--------------------------------------------------------------------
unit image1 image2 current-active next-active  
--------------------------------------------------------------------
1 3.2.0.7 3.3.4.1 image1 image1  
2 3.2.0.7 3.3.4.1 image1 image1

SW-ENG#boot system image2  
Activating image image2 ..  
SW-ENG#update bootcode  
Update bootcode and reset (Y/N)? Y

Issuing boot code update command...  

After hitting the 'Y' key at the "Update bootcode and reset" prompt, the switch should reboot into the latest firmware. To confirm, run show version again.
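Added example (not part of the original post): a Python check that parses the show version flash table and lists any stack member whose next-active slot, or after the reboot its current-active slot, does not hold the expected firmware. The function names are hypothetical, and the after-boot table is a constructed sample that assumes next-active changes to image2 once boot system image2 has run.

```python
import re

# Table from the session above, captured right after the TFTP copy.
AFTER_COPY = """\
unit image1 image2 current-active next-active
--------------------------------------------------------------------
1 3.2.0.7 3.3.4.1 image1 image1
2 3.2.0.7 3.3.4.1 image1 image1
"""

# Constructed sample (not from the post): assumed table after "boot system image2".
AFTER_BOOT_CMD = AFTER_COPY.replace("image1 image1", "image1 image2")

# One data row: unit, image1 version, image2 version, current-active, next-active.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(image[12])\s+(image[12])\s*$")


def parse_show_version(text):
    """Map unit number -> {'image1', 'image2', 'current', 'next'} from the flash table."""
    units = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            unit, img1, img2, cur, nxt = m.groups()
            units[int(unit)] = {"image1": img1, "image2": img2, "current": cur, "next": nxt}
    return units


def check_stack(text, expected_version, expected_units, column="next"):
    """List problems; an empty list means every unit's chosen slot holds expected_version.

    column="next" is the pre-reboot check, column="current" the post-reboot one.
    """
    units = parse_show_version(text)
    problems = [f"unit {u}: missing from output" for u in sorted(set(expected_units) - set(units))]
    for u, row in sorted(units.items()):
        slot = row[column]
        if row[slot] != expected_version:
            problems.append(f"unit {u}: {column} slot {slot} holds {row[slot]}, expected {expected_version}")
    return problems


if __name__ == "__main__":
    for label, text in (("after copy", AFTER_COPY), ("after boot system image2", AFTER_BOOT_CMD)):
        print(label, check_stack(text, "3.3.4.1", [1, 2]) or "OK")
```

Run against the table captured right after the copy, it reports both units, because the new image is in flash but next-active still points at image1.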

Dell PowerConnect Switches Packet Loss Issues

I upgraded many Dell 6248 switches to the latest and greatest firmware over the weekend. I have been experiencing more packet loss than I would ever want to see on an internal LAN. Connecting from the servers on the same switch would yield a periodic lost packet for no apparent reason. There were some clues on the switch with logged “spanning tree topology changes” in the log file. During this log event, I would drop packets not only on the local switch, but on other connecting switches as well. All of these switches are configured with Rapid STP, LAG groups between them, and two VLANs.

Reading up on the Dell site, I saw some good advice entailing turning on “Port Fast” on every port that isn’t an edge link between switches, namely ports connected to switches and servers. This advice appears to be valid. With the latest firmware I could go to Global STP settings and simply enable Port Fast. It was smart enough to not turn it on for the LAG groups and switch interconnects with multi-vlans on them. So far so good…over the past few hours I haven’t had any dropped packets.

Guest Services on Sonicwall with 3rd Party AP's

Problem: We are using an old D-Link hotspot to allow guest access in our building. This D-Link feeds a VLAN that is distributed to 7 D-Link access points. These APs support multiple SSIDs on different VLANs, making them very convenient for distributing multiple wireless networks around the facility. The new Sonicwall has Guest Services, but how can we make it all work together? It seems like Sonicwall wants us to use their own proprietary (and expensive) access points.

In our server room we have a port dedicated to feeding the VLAN through the building. I connected that port to X5 on our Sonicwall TZ210. Now the configuration on the Sonicwall.

First, let’s add a new Zone and call it Guest. For initial testing I am leaving the security settings turned off.

Now let’s configure port X5 to be in our Guest zone with a static IP address of 192.168.1.1 on a standard Class C subnet. Do this from Interfaces. I have enabled management and ping plus user logins on this interface. After testing I will disable the management except for Ping. Make sure you enable login so your users can actually log in!

Verify a firewall rule exists for traffic from the GUEST to WAN zones. With my firmware, this was automatically created. I enabled some bandwidth limiting on it as well.

Now turn on the DHCP server for this interface with the appropriate settings. Note that it is configured for interface X5. Make sure the DHCP server is actually enabled in the top check box. I forgot this part the first time around.

Anyone that connects to the VLAN or physical network on X5 should now receive a DHCP address in your range and be greeted in a web browser with the Sonicwall Login page.

Adding users is very easy! Just head down to Users|Guest Accounts and you can have them automatically generated for you or create your own. You can also specify how long they are active for. You can also click on Guest Status to see your logged in guests!