The musings of an IT Consultant


May 23, 2009  1:20 AM

How to connect to the Brocade SAN Switch Interconnect in the HP C7000 BladeSystem

Raj Perumal

So you’ve just bought your new HP C7000 BladeSystem and you have some Brocade SAN switches plugged into the interconnect bays in the back. You’ve already racked the BladeSystem and now you’re ready to configure things.

You go to the back to find a console port to connect to but notice that there’s nothing there. Now how the heck do you connect to the switches? Through the Onboard Administrator of course! HP’s Onboard Administrator (OA) manages everything to do with your BladeSystem. By connecting to the OA you can connect to the SAN switch to manage it.

Here’s how you do it:

First, open a command prompt window and telnet to the IP address of the OA. Log in with your username and password, which takes you to the OA command line. Then type “connect interconnect 3” (3 here is the bay number of the SAN switch; substitute whichever bay your interconnect is plugged into). This connects you through to the SAN switch.

Then log in to the SAN switch with the default username and password and use the IPADDRSET command to set the IP address the switch will respond on. You can then connect to the switch’s web interface on that IP to continue your configuration.

-RP

May 22, 2009  4:44 PM

Onboard Administrator failing in HP BladeSystem

So here’s a little issue you might run into with an HP C7000 BladeSystem. In this scenario you have two Onboard Administrators which manage the Blade enclosure and all of its components. One is an active OA (Onboard Administrator) and one is passive.

You try to power on one of the blades and you get a power error and the red light flashes on the front of the blade. You log in to the OA and you see that everything is not good. There is a critical error with the power subsystem. You then check the enclosure info on the LCD and it tells you the other OA is the active one. Now that’s strange because the one you’re connected to thinks it’s the active one. How do you fix this?

Pull the bad OA, and call HP support and have it replaced. When you put the new OA in everything should go back to normal. Basically I had a bad OA that thought the power subsystem was not working but that wasn’t the case, it was the OA that was the issue.

Once the OA was replaced, all the blades powered up fine. Hope this helps!

-Cheers, RP


April 29, 2009  4:46 PM

Regarding Bandwidth Caps

So here’s a common thing you guys would have seen over the past few years. ISPs enforcing bandwidth caps. This is becoming more and more prevalent in industry despite the fact that customers are requiring more and more data. Now I’m not referring to the speed (although that is an issue for some as well) so much as I’m referring to the amount of data.

For example a lot of ISPs limit their customers to X amount of gigabytes uploaded/downloaded per month. The thing is with today’s day and age, we are transferring so much data that these caps are so low and don’t match the data inflation rate we are seeing in industry. We live in a media rich world along with a push for more and more data replication for disaster recovery purposes. How in the heck are we supposed to keep up with these requirements if ISPs won’t remove their limits?

Realistically we have no way to force them to since they are the big companies that control it all and really don’t like listening to the little guy. What needs to happen is that these companies need to get with the times and start upgrading their networks to support the services that the world as a whole needs. Basically the ISPs need to get with the times and smarten up.

One such ISP called Cablevision has heeded customers’ requests and is offering a 101 Mbps service with unlimited data. They are able to accomplish this using the DOCSIS 3.0 standard. My hat is off to them for a job well done! The telcos better watch out because once cable companies across the world start implementing this, it will quickly replace the use of the current popular WAN links. DOCSIS 3.0 is fast and affordable and is here to stay!

-Raj


April 29, 2009  3:52 PM

Cisco ASA Firewall dropping packets sporadically

So here’s an interesting issue I ran into with my Cisco ASA at home. It was working fine for quite some time and then one day my wife told me that our Internet “was down”. I was on my wireless connection via my laptop at the time, and my wife was using one of our desktop computers. My Internet access was working perfectly but my connection goes out through a different firewall on my network. My wife was browsing through the Cisco ASA.

I went over to my wife’s desktop computer and I did all the normal Internet connectivity tests. I could communicate with the Cisco ASA fine, but I couldn’t ping outside of my network past the Cisco ASA device. I then ran a recurring ping and I found that every few pings I would get a successful ping but then the rest would time out. To me that says something was wrong on the external interface.

I went into my server room and checked on the connections because I have multiple firewalls hitting a switch which splits my Internet between them. Turns out the port the Cisco ASA was plugged into was faulty and dropping lots of packets. Bingo, problem solved!

-RP


April 29, 2009  3:45 PM

Cisco SSL VPN for the ASA

So you have probably heard about SSL VPN by now if you are a network administrator. This is the ability to use SSL to make a VPN connection between you and your corporate network. SSL VPN has been around for a long time but I still find that a lot of people haven’t embraced it up here in Winnipeg.

I still see customers using IPSEC VPN for the most part and then when they are on the road travelling with their laptop they have issues connecting back to their corporate network because whichever Internet cafe or airport they are in is blocking the ports required to make the connection. Well there is one port that you can pretty much guarantee will always be left open in an Internet cafe or other public access point and that’s port 443, which is what SSL VPN uses.

With the Cisco ASA, you get 2 free licenses of SSL VPN. It is extremely easy to configure and offers many plugins for VNC, SSH, and even RDP. You basically launch a web browser and connect to your domain name, for example “ssl.yourdomainhere.com”, and then you can log in using your credentials, which can be either local or even Active Directory authenticated, and connect to your network. From there you are given a launch web page with a few options on what you would like to connect to. As the administrator you can pre-populate this web page with bookmarks to RDP to servers, or even to SSH into a server. You can even browse the web through the SSL VPN connection instead of your normal one, to reach web sites you normally couldn’t access.

If you own a Cisco ASA, I urge you to try out the SSL VPN functionality; if you like it, you can purchase extra licenses for all your users.

-RP


April 29, 2009  3:27 PM

Twitter for your BlackBerry!

So with Twitter getting more and more popular I finally caved in and decided to try it out. My honest opinion? It’s like Facebook without all the extra stuff. Basically like doing Facebook updates. Having said that, I have tons of friends on Twitter so I finally decided to use it. Also there are many web sites out there that publish RSS feeds through Twitter as well and it’s a neat way to keep up to date.

So where am I going with this? BlackBerries of course! There is an application for BlackBerries called TwitterBerry and it’s quite easy to use! Just download the application from here directly from your BlackBerry and install it and then when you launch it enter your username and password.

From there you can update your Twitter status on the fly right from your BlackBerry without having to browse to the Twitter web page. You can also get your friends list updates and see what all your buddies are doing. A very small but convenient app for the BlackBerry!

Now if only someone would make an application that crosses over your Facebook and Twitter so if you update one it auto updates the other and syncs the status. That would be great!

-Cheers, RP


April 29, 2009  3:16 PM

WAN Optimization

Hi folks, here’s something that I think we should all pay more attention to…WAN Optimization! There are numerous products on the market for WAN optimization and acceleration, and they do cost a little bit of money but when compared to the long term cost savings of monthly WAN link costs you can start to see the value.

In most cities the telcos also have IT divisions that come in and consult and tell you that you need more bandwidth when you find that data isn’t moving from point A to point B fast enough. Now in some cases this might be very true, but a lot of the time I see people getting recommended to buy bigger/better/faster lines to address their bandwidth issues when more often than not the issues could be solved with proper configuration of QoS and the use of WAN acceleration/optimization.

I encourage network administrators to look into the myriad of products out there in this space, from Citrix, F5, and Cisco to name a few. Usually the telcos don’t like it when you suggest products like this because it takes away from their bottom line. :)

-RP


April 29, 2009  3:07 PM

Rules not working in Cisco ASA as you thought they should

Hi folks, as you know I’ve been doing a lot of work with the Cisco ASA firewall products lately and I wanted to address an issue I’ve seen a few administrators run into when setting up a new ASA.

Often when you set up an ASA you are not just setting up inside-to-outside access but you might also want to set some incoming rules for some of your servers such as web servers or mail servers. The problem I see administrators run into is that after they set up these rules they still can’t get access to the servers from the outside world.

If you take a look at the rules closely, at first glance it seems like everything was configured OK and everything should be working. What I’ve found in these situations is that someone specified an inside interface outgoing rule, or an outside interface outgoing rule. By doing that you’re implicitly allowing that one rule and automatically denying all else. In order to fix this, create a specific rule for the device to allow it out or just remove all the outgoing rules altogether and then the Cisco ASA will allow it by default. Which way you choose will depend on how you want to secure your network of course. Hope this helps!

-Cheers, RP
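
The behaviour described in this post, sketched as an added example (not code from the post, and not Cisco's implementation): a simplified first-match model of an outgoing rule list. The rule format, addresses and function names are constructed for illustration; it shows the single-rule case dropping the second server and both fixes clearing it.

```python
from ipaddress import ip_address, ip_network

def evaluate(rules, device_ip, port):
    """Verdict for one flow against an interface's outgoing rule list.

    rules: list of (action, network, port) checked top-down; port None = any.
    An empty list models "no outgoing rules configured" (assumption of
    this sketch, following the post's description of the default).
    """
    if not rules:
        return "permit (default, no outgoing rules)"
    for action, network, rule_port in rules:
        if ip_address(device_ip) in ip_network(network) and rule_port in (None, port):
            return f"{action} (explicit)"
    # Nothing matched: once any rule exists, everything else is dropped.
    return "deny (implicit)"

def blocked(rules, flows):
    """Return the flows that the rule list drops."""
    return [f for f in flows if evaluate(rules, *f).startswith("deny")]

# Constructed sample: a web server and a mail server on a private range.
FLOWS = [("10.0.0.80", 80), ("10.0.0.25", 25)]

# Someone added a single outgoing rule for the web server only.
ONE_RULE = [("permit", "10.0.0.80/32", 80)]
# Fix 1: add a specific rule for the other device.
FIX_SPECIFIC = ONE_RULE + [("permit", "10.0.0.25/32", 25)]
# Fix 2: remove all outgoing rules and rely on the default.
FIX_REMOVE_ALL = []

if __name__ == "__main__":
    for name, rules in [("one outgoing rule", ONE_RULE),
                        ("specific rule added", FIX_SPECIFIC),
                        ("outgoing rules removed", FIX_REMOVE_ALL)]:
        print(f"{name}: blocked = {blocked(rules, FLOWS)}")
```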


April 28, 2009  4:15 PM

Overlapping Static NAT and Cisco ASA Firewalls

Hi folks, I just wanted to discuss a key difference in some firewalls. One of the things you might find yourself doing, especially in a hosting scenario, is creating static NAT entries. The entries are a one-to-one relationship between an external public IP address and an internal private IP address on your local or DMZ network.

In some firewalls you can assign multiple public IP addresses to your external interface and in some firewalls you can’t. For the ones that you can, you can easily create multiple static NAT entries for the same internal IP. So one local IP address, but multiple public IP addresses on the same port. For example a web server that listens on port 80 for multiple public IPs.

But for firewalls that don’t bind the IP to the external interface such as the Cisco ASA, you cannot do this. If you try and do this you will get a static overlapping NAT error. How do you fix this?

You have to assign multiple internal IP addresses to your internal web server as well and then map each internal IP to an external IP. This will fix your problem!

-Cheers, RP
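
An added example, not part of the original post: a pre-check for a list of planned static NAT entries that flags an internal IP mapped to more than one public IP and applies the fix described above. The addresses (documentation and private ranges), the entry format and the function names are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

def normalise(static_nat):
    """Validate every address and return (public, internal) string pairs."""
    return [(str(ip_address(pub)), str(ip_address(inside)))
            for pub, inside in static_nat]

def find_overlaps(static_nat):
    """Map each internal IP used by more than one entry to its public IPs."""
    by_internal = defaultdict(list)
    for public, internal in normalise(static_nat):
        by_internal[internal].append(public)
    return {ip: pubs for ip, pubs in by_internal.items() if len(pubs) > 1}

def remap(static_nat, spare_internal):
    """Keep the first mapping per internal IP; move each further public IP
    onto an additional internal address taken from spare_internal.
    The server must have those extra addresses bound to it as well."""
    spare = [str(ip_address(ip)) for ip in spare_internal]
    used, fixed = set(), []
    for public, internal in normalise(static_nat):
        while internal in used:
            if not spare:
                raise ValueError(f"no spare internal IP left for {public}")
            internal = spare.pop(0)
        used.add(internal)
        fixed.append((public, internal))
    return fixed

# Constructed plan: two public IPs pointed at the same web server.
PLANNED = [
    ("203.0.113.10", "10.0.0.80"),
    ("203.0.113.11", "10.0.0.80"),
    ("203.0.113.12", "10.0.0.25"),
]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(PLANNED))
    fixed = remap(PLANNED, ["10.0.0.81"])
    print("fixed:", fixed)
    print("overlaps after fix:", find_overlaps(fixed))
```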


April 23, 2009  5:42 PM

vSphere Announced!

Hi folks, so the vSphere announcement is now out and we have a ton of cool new features to look forward to! The announcement was all the buzz on Tuesday!

The virtual machines themselves seem beefed up with access to more RAM and CPU, and VMware is capable of more IOPS now as well. Backup is made easy with vSphere, as well as more security features introduced into the product. A more refined networking strategy was also introduced with the concept of Cisco’s virtual switch embedded in vSphere.

The editions available now are:

  • Essentials
  • Essentials Plus
  • Standard
  • Advanced
  • Enterprise
  • Enterprise Plus

VMware has given the customer a lot more choice and flexibility with these options and every size business should be easily able to find the right product to fit their needs.

If you own a current version of VMware with support, you will be eligible for the upgrade the moment it is released. Even though the announcement was on Tuesday, the actual software will only be available in a little less than a month. I’m assuming after that happens we will see a rush for individuals to download and get quickly upgraded. Just remember to leave some older VMware servers lying around in case your upgrades don’t go as smoothly as you’d like so you have somewhere to roll back. This is just part of good patching practice!

-Cheers, RP

