FortiGate Sub Interfaces (VLAN Trunking)

KB ID 0001772

Problem

I was asked by a colleague at work the other day whether we could replace the Cisco firewalls with FortiGate firewalls for a client. As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn’t know how FortiGate handled this, so I fired it up on the test bench to test FortiGate sub interfaces.

So I needed to create TWO sub interfaces on the FortiGate (on port3).

Creating FortiGate Sub Interfaces

Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface’, you simply add a VLAN interface to a physical interface, like so: Network > Interfaces > {Physical Interface} > Create New > Interface.

Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.

Just for testing I’ll also allow PING on the VLAN interface > OK.

Repeat the procedure to add further sub interfaces (VLANs).

Remember this is just a ‘router on a stick’ configuration: to allow traffic out to the internet (or between VLANs) you still need to add that traffic to the firewall policy to let it through (it is a firewall after all!)

Setting up Switches for FortiGate Sub Interfaces?

I’ve probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port and allowed ALL VLANs (because I’m lazy; in production you might want to lock that down a little!)

[box]

!
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Ethernet0/1
 switchport access vlan 150
 switchport mode access
!
interface Ethernet0/2
 switchport access vlan 200
 switchport mode access
!
interface Ethernet0/3
 switchport access vlan 150
 switchport mode access
!
interface Ethernet1/0
 switchport access vlan 200
 switchport mode access
 no cdp enable
!

[/box]

My switch isn’t Cisco, it’s HP/Aruba! Then you simply TAG the required VLANs on the uplink, see this article.

Related Articles, References, Credits, or External Links

NA

Veeam Virtual Labs & SureBackup

KB ID 0001572

Problem

If you require a ‘Virtual Lab’ for testing patches or config changes on copies of your live servers, or simply want to test the ‘integrity’ of your backups, then this is the post for you!

Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.

Host Licences: Hosts that are only used for SureBackup / On Demand Sandbox DO NOT NEED licences (in Veeam); only hosts that you back up FROM need licences.

SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.

Three components make up a virtual lab:

1. Application Group: This is a group of VMs, and the ‘order’ they need to be powered on in, e.g. for an Exchange server you would also need a DC (global catalog server), and maybe your mail filter appliance, to be in the same group.

2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.

3. SureBackup: This is the process that ‘tests backups’. It will bring your backed up machines online and perform some tests on them; some are simple like ‘ping’ tests, others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.

Solution

Veeam Backup and Recovery Download

Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.

Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.

These are presented through a ‘Veeam Proxy Appliance’, which presents them to the Veeam server with a changed ‘octet’ in their IP address. (So by default any other machine needs a static mapping, {see below}).

Create a Veeam SureBackup Application Group

As mentioned above, make sure you have ‘Enterprise Plus’ licences.

It should go without saying, but you will also need a ‘good’ backup of your servers.

Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.

Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add > Next.


Put the server(s) in the correct order, i.e. the domain controllers at the top.

If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.

And here for Exchange.

Next > Finish.

Create a Veeam SureBackup Virtual Lab

Backup Infrastructure > SureBackup > Virtual Labs > Add Virtual Lab > VMware.

Give the lab a name > Next > Choose > Select the ‘Target’ ESX Server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, remember this needs to be about 10% of the size of the restored VMs. > OK > Next.

Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.

Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.

Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance, this MUST BE the same as the default gateway on the live network. Then select a sensible masquerade network address > OK > Next.

Veeam: What’s a Masquerade Address?

The proxy server basically performs NAT from the test lab to the live network (their actual IP addresses never change, that’s why the proxy appliance had the same IP as the default gateway on the live network). The masquerade addresses simply change one ‘octet’ of the IP address so the Veeam server can speak directly to each sand-boxed (test lab) VM.

If required, add a ‘Static Mapping’, i.e. if you want to be able to ‘speak’ to a test lab VM from the live network.

How Do Veeam Virtual Lab ‘Static Mappings’ Work?

Using the example above, if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.

Apply > Finish.

Create a Veeam SureBackup Job

There are two ways of doing this. If you want to create a SureBackup job that just checks your backups, then you would schedule the job and connect it to your backups; if you just wanted to do some lab testing, you would create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).

Home > SureBackup Job > VMware > Give the job a name > Next.

Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).

Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.

Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.

Next > Next.

Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish’ for ‘one-off’ jobs > Finish.

If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and the job will stop at 99%. (You will need to manually stop the job to remove the test VMs). If you do continuous backups this will be a familiar sight anyway!

There are my test VMs powered on, which I can interact with, update, patch, and change configurations on, without it affecting my live servers.

Related Articles, References, Credits, or External Links

NA

PowerShell – Getting Server IP Address Information

KB ID 0001404

Problem

I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is, ‘make sure you know what all the network cards are doing before you flatten it!’

The same is true of storage as well but here I’m just concentrating on networking.

List Network Cards and MAC Addresses

If you have these documented you can rename the network cards correctly after the rebuild, and the MAC addresses ensure you have the right names assigned to the right NICs (without having to go and check all the cabling afterwards!)

[box]Get-NetAdapter | Select Name, MACAddress, vlanID[/box]

List Network Teams and Members

From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are a member of each team with the following command:

[box]Get-NetLbfoTeam[/box]

List NICs and IP addresses

To see what IP addresses are in use on which NICs (physical or virtual) use the following:

[box]Get-NetIPAddress -AddressState Preferred -AddressFamily IPv4 | Select Name, IPAddress, PrefixLength[/box]

Hyper-V: Get vSwitch and Virtual NIC info

As stated above, I’m rebuilding Hyper-V hosts; the following lists all the management vSwitch(es) and vNICs (and their names).

[box]Get-VMNetworkAdapter -ManagementOS[/box]

Hyper-V: Get vSwitch and Virtual NIC VLAN info

In addition to above, I also need to know the VLANs the vNICs are on.

[box]Get-VMNetworkAdapterVLAN -ManagementOS[/box]

Related Articles, References, Credits, or External Links

NA

Windows Server: Connecting to iSCSI Storage Using MPIO

KB ID 0001392

Problem

In my scenario my Windows Server is a VMware virtual machine. To enable MPIO (Multipath I/O) I’m going to need two network cards, connected to the two iSCSI networks. 

Above I’ve shown both iSCSI networks in different colours, 192.168.51.0/24 and 192.168.50.0/24. In production I would also have these in their own VLANs (or even separate physical networks).

This article is not about setting up your iSCSI Target/Storage, I’m assuming you have this up and running with the correct IP addresses connected to the correct networks ready to go.

Note: I’m also NOT using iSCSI authentication (CHAP), and I’m assuming you have allowed either the two IP addresses of the Windows server (or, more likely, its iSCSI IQN) access to the storage.

Solution

Firstly MPIO is NOT enabled or installed by default, you need to add it. Open Server Manager > Manage > Add Roles and Features > Follow the wizard all the way to ‘features’ > Enable Multipath I/O > Complete the Wizard.

Back in Server Manager > Tools > MPIO > Discover Multi-Paths > Add support for iSCSI devices > Yes > Let the server reboot.

After the reboot go back into the MPIO properties, and make sure iSCSI is now listed, (MSFT2005iSCSIBusType_0x9). You can close the MPIO properties now.

Now back in Server Manager > Tools > iSCSI Initiator.

The first task is to add the TWO iSCSI target IPs (192.168.50.200 and 192.168.51.200) > Discovery > Discover Portal > Put in the first iSCSI target IP > Advanced > Local Adapter = Microsoft iSCSI Initiator > Initiator IP = the server’s NIC that is on the same iSCSI network as this target (i.e. 192.168.50.6 or 192.168.51.6) > OK > OK > Apply > OK.

NOW REPEAT THE PROCEDURE FOR THE SECOND iSCSI TARGET

Assuming your iSCSI and networking are set up correctly, you should start to see the storage appearing on the ‘Targets’ tab. Select the first piece of storage you want to attach > Connect > Tick ‘Enable Multi-path’ > Advanced > Local Adapter = Microsoft iSCSI Initiator > Initiator IP (either 192.168.50.6 or 192.168.51.6) > Target Portal IP = the iSCSI target IP that corresponds to the initiator IP you have just set (either 192.168.50.200 or 192.168.51.200) > OK > OK > Apply > OK.


The status should change to connected.

NOW REPEAT THE PROCEDURE A ‘SECOND TIME’ FOR THE SAME PIECE OF STORAGE, BUT CONNECT TO IT FROM THE OTHER iSCSI IP ADDRESS, TO THE OTHER iSCSI TARGET IP. THAT WAY YOU CONNECT TO EACH ONE ‘TWICE’ (ONCE OVER EACH iSCSI NETWORK).

If you now look in the properties of the storage, you will see it has two identifiers and two IPv4 Portal groups.

At this point you need to go into ‘Disk Management’ (Server Manager > Tools > Computer Management > Disk Management). You will see the storage presented but ‘Offline’; bring the drive online > Create a partition on it (if it does not already have one), and you can also assign a new drive letter. Note: Look in the Properties here, and you can prove MPIO is working and change the MPIO policy (if you require).

Related Articles, References, Credits, or External Links

NA

vSphere – ‘Cannot complete operation due to concurrent modification by another operation’

KB ID 0001069

Problem

I had been messing around with port groups and VLANs, and afterwards when attempting to present some vNICs to a server I got this error.

Solution (Virtual Center Appliance)

I had to completely restart the Virtual Center Appliance before this error would clear!

Solution (Windows vCenter)

No matter what I did this error refused to budge, when this happens it’s usually because vCenter has got its knickers in a twist. On the vCenter server simply restart the VMware Virtual Center Server service and try again.

Related Articles, References, Credits, or External Links

NA

Cisco Licence Differences LAN-Lite / LAN Base / IP Base / IP Services

KB ID 0001270 

Problem

Actually finding the answer to this question is far more challenging than it needs to be! As usual Cisco can change this on a whim so before you purchase any equipment it’s still a good policy to check on the feature navigator.

Solution

This is about the best reference I’ve found. Although anyone who can tell me what the correct Layer 2 differences between Enterprise Access and Complete Access are, please do so!

Related Articles, References, Credits, or External Links

NA

Cisco IOS – How To Find VLAN IPs (SVI’s)

KB ID 0001258 

Problem

If you have a complicated network, you can spend more time finding out how it’s configured, than actually doing any work on it!

Today I had a client that needed some changes made on their LAN, I knew their name, and their network address, and common sense told me which of the core switches they were connected to.

Solution

A quick search on the client name told me what VRF they were in, and what VLAN they were in (3000); let’s have a look at that:

[box]

Petes-Core-SW#show run vlan 3000
Building configuration...

Current configuration:
!
vlan 3000
 name CORP:NET
end

[/box]

That doesn’t yield much more than I already know, so I can either do this and get a LOT of information:

[box]

Petes-Core-SW#show interfaces vlan 3000
Vlan3000 is up, line protocol is up
 Hardware is EtherSVI, address is c062.6be3.3000 (bia c062.6be3.9d40)
 Description: CORP:NET
 Internet address is 192.168.1.100/24
 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Keepalive not supported
 ARP type: ARPA, ARP Timeout 04:00:00
 Last input 00:00:00, output never, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/40 (size/max)
 5 minute input rate 254000 bits/sec, 115 packets/sec
 5 minute output rate 504000 bits/sec, 119 packets/sec
 L2 Switched: ucast: 22179333 pkt, 1561846492 bytes - mcast: 0 pkt, 0 bytes
 L3 in Switched: ucast: 471521755 pkt, 367932934560 bytes - mcast: 0 pkt, 0 bytes
 L3 out Switched: ucast: 493390206 pkt, 464908773459 bytes - mcast: 0 pkt, 0 bytes
 475554223 packets input, 366284328453 bytes, 0 no buffer
 Received 0 broadcasts (1116 IP multicasts)
 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 493591347 packets output, 462947525840 bytes, 0 underruns
 0 output errors, 0 interface resets
 0 output buffer failures, 0 output buffers swapped out

[/box]

Or, more sensibly:

[box]

Petes-Core-SW#show run interface vlan 3000
Building configuration...
Current configuration : 160 bytes
!
interface Vlan3000
 description CORP:NET
 mac-address c062.6be3.3000
 vrf forwarding CORP:NET
 ip address 192.168.1.100 255.255.255.0
end

[/box]

Find What VLAN An IP Address Is In

If you have the opposite problem, i.e. you know the IP (or part of the IP), you can get the VLAN number like so:

[box]

Petes-Core-SW#show ip int br | incl 192.168.1.100
Vlan3000               192.168.1.100     YES NVRAM  up                    up

[/box]


Related Articles, References, Credits, or External Links

NA

HP – Switches The IP (or subnet) Already Exists

KB ID 0001176 

Problem

I was changing a client’s LAN subnet this week (dropping the mask from /24 to /16). When I attempted to change the management IP on the client’s HP switches this happened:

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
The IP address (or subnet) 10.0.0.250/16 already exists.
HP2510-24G(vlan-1)#

[/box]

At first I thought the switch was complaining because the IP was remaining the same and I was just changing the mask (which is a bit bobbins, but there you go). Turns out this is normal behaviour. Yes, I could have got my console cable out, walked to the comms room and done this:

[box]

HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# no ip address 10.0.0.250 255.255.255.0
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
HP2510-24G(vlan-1)#

[/box]

But that would mean getting off my lazy backside, and what if I was hundreds of miles from the switch?


Solution

To solve the problem you need to enter the HP switch menu system; this will let you change the IP on the fly. Obviously if you change the IP, make sure you can connect to both its old and new IPs, or you will lose remote management.

From CLI type ‘menu’ {Enter}, you may be asked if you want to save the config. Choose ‘Switch Configuration’.

IP Configuration.

Edit.

Use the cursor keys and navigate to the IP/Subnet mask, and change accordingly > {Enter}

Select Save > Reconnect to the new IP address.

Related Articles, References, Credits, or External Links

HP Networking – Tracing Networks and Locating IP addresses

Cisco IOS – DHCP Helper (DHCP Relay) – IP-Helper Setup

KB ID 0001168 

Problem

Cisco documentation calls this a ‘DHCP Relay’, and uses the command IP-Helper, and I usually call this DHCP Helper, just to confuse everyone. To be fair the term DHCP Relay is an industry standard, it’s not particular to Cisco (as you will see later when I Wireshark the traffic).

So if you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment (layer 2 or layer 3).

To do that you need an agent on the same network segment as the client, listening for DHCP requests; when it receives one it talks to the DHCP server on the client’s behalf and gets the correct address.

Solution

Example 1 Cisco Router

Here we need to lease two different DHCP scopes to two different network segments, R1 will act as the IP-Helper for both of those networks, R2 and R3 will get their IP addresses from the correct DHCP scope.

This works because each (client facing) interface on R1 has an IP-Helper address defined that points to the DHCP server.

So how does it know which scope to lease from? Because the router supplies the IP address of a RELAY AGENT (the giaddr field), which is just the IP address of the interface that intercepted the DHCP request. When it asks the DHCP server for an address, the server leases one from the scope that matches that relay agent address (again, I’ve tracked all this in Wireshark below).

IP-Helper Router Configuration

[box]

R1 Config

!
interface GigabitEthernet0/0
 description Uplink to DHCP Server
 ip address 10.2.2.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 description Uplink to 192_168_2_0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
interface GigabitEthernet3/0
 description Uplink to 192_168_3_0
 ip address 192.168.3.1 255.255.255.0
 ip helper-address 10.2.2.10
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!


R2 Config

!
interface GigabitEthernet2/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!

R3 Config

!
interface GigabitEthernet3/0
 description Uplink to R1
 ip address dhcp
 negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!

[/box]

You can see this works because the DHCP server has matching scopes for both network segments. (Yes, one of my test servers is 2003; you’re going to see some Windows XP in a minute!)

Well that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.

With its network card set to DHCP you will again get a lease from the correct scope, because the Router brokered it for us.

Back on the DHCP server you can see the lease to the Windows XP machine entered in the current scope leases. It knows the name of the client because (as you will see below) the relay agent (router) passed that information, along with the MAC address of the client, to the DHCP server.

Example 2 Cisco Switches

OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub interfaces on the router, add those sub interfaces to VLANs, and run DHCP relays from them, but in most cases you will be setting up DHCP helpers on switches. Here the principle is the same, but you define the ip helper-address on the VLAN interface (SVI); if it’s a routed port, treat it the same as a router interface. Let’s modernise things a bit and use a 2012 R2 DHCP server and some Windows 8 clients.

I need to lease addresses from my second scope to clients in VLAN 200 (the other client and the server are in the same VLAN, so that will just work; remember a VLAN is a broadcast domain, and DHCP uses broadcasts).

Here are the two scopes set up on the 2012 server:

And my client, (DHCP Client in VLAN 200) gets the correct IP.

IP-Helper Switch Configuration (VLANS)

[box]

SW1 Config

interface FastEthernet1/0/1
 description Uplink to DHCP Server
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/4
 description Uplink 192_168_200_0
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/5
 description Uplink 192_168_100_0
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
!

IF YOU HAVE MULTIPLE/FAILOVER DHCP SERVERS OR SPLIT SCOPES YOU CAN ADD A SECOND
HELPER ADDRESS LIKE SO:

!
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip helper-address 192.168.100.10
 ip helper-address 192.168.100.15
!

[/box]

Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark

Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To filter DHCP traffic you can use the following display filter (in Wireshark 3.0 and later the bootp dissector was renamed to dhcp, so there the equivalent is dhcp.option.type == 53).

bootp.option.type == 53

DHCP works by using four messages, (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.

Discover

Offer

Request

Acknowledge

And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address, and hostname.
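To make the relay-agent mechanism described above concrete, here is an added Python sketch (not code from this article, and not how IOS or the Windows DHCP server are implemented internally) that builds a DHCP Discover, stamps giaddr the way ip helper-address does, and lets a toy server pick the scope from giaddr and answer with the Offer half of DORA. The scopes, pool addresses and client MAC are constructed for the example using the Example 1 addresses; only the first relay hop writes giaddr, and a Discover with no matching scope gets no Offer.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER = 1, 2
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes

# Constructed scopes matching the Example 1 lab: the server lives in 10.2.2.0/24
# and holds a scope for its own segment plus one for each relayed segment.
SERVER_IP = "10.2.2.10"
SCOPES = {"10.2.2.0/24": "10.2.2.100",
          "192.168.2.0/24": "192.168.2.100",
          "192.168.3.0/24": "192.168.3.100"}


def build_dhcp(msg_type, xid, mac, giaddr="0.0.0.0", yiaddr="0.0.0.0", hostname=b"client"):
    """Build a minimal DHCP message: fixed header, magic cookie, options 53/12/255."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(HEADER, 1 if msg_type == DISCOVER else 2, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4,
                         ipaddress.ip_address(giaddr).packed, chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type, 12, len(hostname)]) + hostname + b"\xff"
    return header + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Return xid, giaddr, client MAC and the option map (code -> raw value)."""
    hdr = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                      # option 0 is a single pad byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": hdr[4],
            "giaddr": str(ipaddress.ip_address(hdr[10])),
            "mac": ":".join(f"{b:02x}" for b in hdr[11][:hdr[2]]),
            "options": opts}


def relay(pkt, interface_ip):
    """Relay-agent step: stamp giaddr with the interface that heard the broadcast.
    Only the first hop writes giaddr; later hops must leave it alone (RFC 2131 4.3.1)."""
    if parse_dhcp(pkt)["giaddr"] != "0.0.0.0":
        return pkt
    return pkt[:24] + ipaddress.ip_address(interface_ip).packed + pkt[28:]


def serve_offer(pkt):
    """Server step: choose the scope by giaddr (the server's own subnet if giaddr is 0),
    then return the OFFER and where it is sent. None means no Offer is made."""
    fields = parse_dhcp(pkt)
    if fields["options"].get(53) != bytes([DISCOVER]):
        return None
    relayed = fields["giaddr"] != "0.0.0.0"
    selector = ipaddress.ip_address(fields["giaddr"] if relayed else SERVER_IP)
    scope = next((net for net in SCOPES if selector in ipaddress.ip_network(net)), None)
    if scope is None:
        return None                          # no matching scope: the Discover is dropped
    offer = build_dhcp(OFFER, fields["xid"], fields["mac"], fields["giaddr"],
                       SCOPES[scope], fields["options"].get(12, b""))
    # Unicast to the relay agent when one brokered the request, else broadcast on the LAN
    return {"packet": offer, "yiaddr": SCOPES[scope],
            "destination": fields["giaddr"] if relayed else "255.255.255.255"}
```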

Related Articles, References, Credits, or External Links

NA

Cisco Small Business (SG500) Link Aggregation (LAG) With LACP

KB ID 0001277 

Problem

At work a client was having trouble with a NAS drive (Buffalo TeraStation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalyst 3750s, so I suggested creating an EtherChannel to the two NICs in the NAS box to try and cure the problem.

However when I went onsite, I noticed the 3750 didn’t have any spare Gigabit ports only FastEthernet ones. So I thought I’d create a port channel on one of their Cisco Small Business Switches (SG500-52P). I mean how difficult can that be?

Solution

SG500 LAG Configuration

Note: Configure the switch FIRST.

Before you start, the ports you want to use MUST NOT be a member of a VLAN, and this needs to be done for EVERY VLAN, and saved each time: VLAN Management > Port to VLAN.

So the port should be a simple access port set as below, VLAN Management > Interface Settings.

Now you can create the Link Aggregate Group > Port Management > LAG Management > I set the global option to ‘IP/MAC Address’ > Then select the first free LAG > Edit.

Tick LACP BEFORE you add in the ports. If you don’t, it creates the LAG, but the LACP option is ‘greyed out’. (The only way to solve this, is remove all the ports, save the settings, add LACP, then add the ports back in again!)

At this point you need to add your LAG interface into the appropriate VLAN, or more likely set it as a Trunk.

Buffalo Terastation NAS Settings for LACP

For LACP to work both ends need to be configured. On the NAS box, bond the two network cards together, then set the ‘Port Trunking’ mode to ‘Dynamic link aggregation’ > Accept.

Related Articles, References, Credits, or External Links

NA