I was asked by a colleague at work the other day: can we replace the Cisco firewalls with FortiGate firewalls for a client? As a business we are heading towards Forti, but before I said yes I wanted to know what the firewall was actually doing. On closer inspection the firewall in question didn’t appear to be doing anything too scary, but I did notice that the LAN interface was sub-interfaced to the various internal VLANs. I didn’t know how FortiGate handled this, so I fired one up on the test bench to try out FortiGate sub interfaces.
So I needed to create TWO sub interfaces on the FortiGate (on port3).
Creating FortiGate Sub Interfaces
Simply put, on a FortiGate if you want what a Cisco engineer would refer to as a ‘sub interface‘, then you simply add a VLAN interface to a physical interface. Like so, Network > Interfaces > {Physical Interface} > Create New > Interface.
Give the new interface a name (and alias if required) > Interface Type should be VLAN > Select the parent physical interface > Add the VLAN ID (Tag) and specify an IP address of the interface.
Just for testing I’ll allow PING on the VLAN interface as well > OK. (On a production internal VLAN interface keep the administrative access list to what is actually needed; management protocols like HTTPS and SSH should not be reachable from every user VLAN.)
Repeat the procedure to add further sub interfaces (VLANs).
Remember this is just a ‘Router on a stick‘ configuration: to allow traffic out to the internet (or between VLANs) you still need a firewall policy that permits it, (it is a firewall after all!) By default nothing passes to, from or between the new VLAN interfaces until a policy says so.
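The same thing from the FortiOS CLI, as an added example (this is not config from the original post): two VLAN interfaces hung off port3 and one policy that lets the first VLAN out. The interface names, the VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 addresses and the wan1 uplink are all assumptions.

```fortios
# Added example, not part of the original post. Names, VLAN IDs and addresses are assumed.
config system interface
    edit "VLAN10"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set interface "port3"
        set vlanid 10
    next
    edit "VLAN20"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set interface "port3"
        set vlanid 20
    next
end
# Nothing passes until a policy permits it. This one lets VLAN10 out to the internet via wan1 with NAT;
# there is deliberately no VLAN10 <-> VLAN20 policy, so the two VLANs stay isolated from each other.
config firewall policy
    edit 0
        set name "VLAN10-to-Internet"
        set srcintf "VLAN10"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

‘edit 0‘ takes the next free policy ID. Replace service "ALL" with the protocols the VLAN actually needs, and add a separate, equally specific policy if you do want traffic between the VLANs.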
Setting up Switches for FortiGate Sub Interfaces?
I’ve probably got this covered elsewhere on the site, but the core switch is Cisco so I just created a trunk port and allowed ALL VLANs, (because I’m lazy; in production you should prune the allowed list down to the VLANs the firewall actually needs to see, and turn off DTP on that port so nothing plugged into it can negotiate the trunk itself!)
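The switch side done less lazily, as an added example (not the original post’s config): a dot1q trunk to the FortiGate with the allowed VLAN list pruned, DTP disabled and an unused native VLAN. The port, VLAN IDs 10 and 20 and native VLAN 999 are assumptions.

```cisco
! Added example, not the original post's config. Port, VLAN IDs and native VLAN are assumptions.
vlan 10,20,999
!
interface GigabitEthernet1/0/24
 description Trunk to FortiGate port3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
```

The native VLAN is set to a VLAN nothing else uses so untagged frames arriving on the trunk cannot land in a real VLAN, and ‘switchport nonegotiate‘ stops the port from ever forming a trunk by DTP. ‘switchport trunk encapsulation dot1q‘ is only accepted on platforms that also support ISL (3560/3750); newer switches reject it and are dot1q-only anyway.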
If you require a ‘Virtual Lab’ for testing patches or config changes, on copies of your live servers, or simply want to test the ‘integrity‘ of your backups, then this is the post for you!
Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.
Host Licences: Hosts that are only used for SureBackup/ On Demand Sandbox DO NOT NEED Licences, (in Veeam,) only hosts that you back up FROM need licences.
SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.
Three components make up a virtual lab;
1. Application Group: This is a group of VMs, and the ‘Order’ they need to be powered on, e.g. for Exchange server you would also need a DC (global catalog server,) and maybe your mail filter appliance to be in the same group.
2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.
3. SureBackup: This is the process that ‘Tests backups‘, it will bring your backed up machines online, and perform some tests on them, some are simple like ‘ping’ tests others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.
Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.
Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.
These are presented through a ‘Veeam Proxy Appliance’, which presents them to the Veeam server with one ‘octet’ of their IP address changed. (So by default any other machine needs a static mapping to reach them, {see below}.)
Create a Veeam SureBackup Application Group
As mentioned above, make sure you have ‘Enterprise Plus‘ licences.
It should go without saying, but you will also need a ‘good’ backup of your servers.
Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.
Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add Next.
Put the server(s) in the correct order, i.e. the domain controllers at the top.
If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.
Now create the Virtual Lab: give the lab a name > Next > Choose > Select the ‘Target’ ESX server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, (remember this needs to be about 10% of the size of the restored VMs) > OK > Next.
Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.
Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.
Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance; this MUST BE the same as the default gateway on the live network, because the lab VMs keep their production IP addresses and default gateway. Then select a sensible masquerade network address > OK > Next.
Veeam: What’s a Masquerade Address?
The proxy appliance basically performs NAT between the test lab and the live network. The lab VMs’ actual IP addresses never change, (that’s why the proxy appliance has the same IP as the default gateway on the live network). The masquerade addresses simply change one ‘octet’ of each IP address so the Veeam server can speak directly to each sand-boxed (test lab) VM without clashing with its live twin.
If required, Add a ‘Static Mapping‘ i.e if you want to be able to ‘speak’ to a test lab VM from the live network.
How Do Veeam Virtual Lab ‘Static Mappings’ Work?
Using the example I used above, if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.
Apply > Finish.
Create a Veeam SureBackup Job
There are two ways of doing this. If you want a SureBackup job that just checks your backups, schedule the job and link it to your backup jobs. If you just want to do some lab testing, create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).
Home > SureBackup Job > VMware > Give the job a name > Next.
Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).
Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.
Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.
Next > Next.
Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish‘ for ‘one-off’ jobs > Finish.
If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and it will sit at 99%. (You will need to manually stop the job to remove the test VMs.) If you do continuous backups this will be a familiar sight anyway!
There’s my test VMs powered on, that I can interact with, update, patch, and change configurations, without it affecting my live servers.
Related Articles, References, Credits, or External Links
I’ve been rebuilding some Hyper-V hosts over the last few weeks, and one thing I learned rebuilding VMware ESX hosts is: ‘make sure you know what all the network cards are doing before you flatten it!’
The same is true of storage as well but here I’m just concentrating on networking.
List Network Cards and MAC Addresses
If you have these documented you can rename the network card correctly after the rebuild and the mac addresses ensure you have the right names assigned to the right NICs. (Without having to go and check all the cabling afterwards!)
From the names of the network connections above we can see we are using network teaming, but even if yours don’t have sensible names, you can get the team names and the NICs that are a member of each team with the following command;
[box]Get-NetLbfoTeam[/box]
List NICs and IP addresses
To see what IP addresses are in use on which NICs, (physical or virtual) use the following;
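As an added example (not the original post’s command), the following PowerShell pulls the whole inventory the post is after in one go: every adapter, its MAC, which LBFO team it belongs to and its IPv4 addresses, and writes it to a CSV you can keep off the host before you flatten it. It assumes Windows Server 2012 or later (the NetAdapter and NetLbfo modules ship with it); the CSV filename is an assumption.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012+ built-in modules.
# Team membership: Get-NetLbfoTeamMember lists each member NIC (Name) and its team (Team).
$members = Get-NetLbfoTeamMember -ErrorAction SilentlyContinue

$report = Get-NetAdapter | ForEach-Object {
    $nic  = $_
    $team = $members | Where-Object { $_.Name -eq $nic.Name } | Select-Object -First 1
    # IPv4 addresses bound to this adapter (physical, team interface or Hyper-V vEthernet alike)
    $ips  = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }
    [pscustomobject]@{
        Name        = $nic.Name
        Description = $nic.InterfaceDescription
        MacAddress  = $nic.MacAddress
        Status      = $nic.Status
        LinkSpeed   = $nic.LinkSpeed
        Team        = if ($team) { $team.Team } else { '' }
        IPv4        = ($ips -join ' ')
    }
}

$report | Sort-Object Team, Name | Format-Table -AutoSize
# Keep a copy somewhere other than the host you are about to rebuild (filename is assumed).
$report | Export-Csv -Path "$env:COMPUTERNAME-nics.csv" -NoTypeInformation
```

The MAC address column is the bit that matters after the rebuild: the physical NICs come back with generic names, and matching MACs is how you put the right name (and the right team member) back on the right port without tracing cables.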
In my scenario my Windows Server is a VMware virtual machine. To enable MPIO (Multipath I/O) I’m going to need two network cards, connected to the two iSCSI networks.
Above I’ve shown both iSCSI networks in different colours 192.168.51.0/24 and 192.168.50.0/24 in production I would also have these in their own VLANs, (or even separate physical networks).
This article is not about setting up your iSCSI Target/Storage, I’m assuming you have this up and running with the correct IP addresses connected to the correct networks ready to go.
Note: I’m also NOT using iSCSI authentication, and I’m also assuming you have allowed either the two IP addresses of the Windows server, (or more likely its iSCSI IQN), access to the storage. In production you want CHAP (ideally mutual CHAP) on top of that, and the iSCSI networks kept off the user VLANs: an IQN is not a secret, and without authentication anything that can reach the target portal can try to attach the LUN.
Solution
Firstly MPIO is NOT enabled or installed by default, you need to add it. Open Server Manager > Manage > Add Roles and Features > Follow the wizard all the way to ‘features’ > Enable Multipath I/O > Complete the Wizard.
Back in Server Manager > Tools > MPIO > Discover Multi-Paths > Add support for iSCSI devices > Yes > Let the server reboot.
After the reboot go back into the MPIO properties, and make sure iSCSI is now listed, (MSFT2005iSCSIBusType_0x9). You can close the MPIO properties now.
Now back in Server Manager > Tools > iSCSI Initiator.
First task is to add the TWO iSCSI target IPs (192.168.50.200 and 192.168.51.200) > Discovery > Discover Portal > Put in the first iSCSI target IP > Advanced > Local Adapter = Microsoft iSCSI Initiator > Initiator IP = the server’s NIC that’s on the same iSCSI network as this target, (i.e. 192.168.50.6 or 192.168.51.6) > OK > OK > Apply > OK.
NOW REPEAT THE PROCEDURE FOR THE SECOND iSCSI TARGET
Assuming your iSCSI and networking are set up correctly, you should start to see the storage appearing on the ‘Targets’ tab. Select the first piece of storage you want to attach > Connect > Tick ‘Enable Multi-path’ > Advanced > Local Adapter = Microsoft iSCSI Initiator > Initiator IP = (either 192.168.50.6 or 192.168.51.6) > Target Portal IP = (the iSCSI target IP on the same network as the initiator IP you have just set, either 192.168.50.200 or 192.168.51.200) > OK > OK > Apply > OK.
The status should change to connected.
NOW REPEAT THE PROCEDURE A ‘SECOND TIME’ FOR THE SAME PIECE OF STORAGE, BUT CONNECT TO IT FROM THE OTHER INITIATOR IP ADDRESS, TO THE OTHER iSCSI TARGET IP. THEREFORE YOU CONNECT TO EACH ONE ‘TWICE’ (ONCE OVER EACH iSCSI NETWORK).
If you now look in the properties of the storage, you will see it has two identifiers and two IPv4 Portal groups.
At this point you would need to go into ‘Disk Management’ (Server Manager > Tools > Computer Management > Disk Management). You will see the storage presented but ‘Offline’ you will need to bring the drive online > Create a partition on it, (if it does not already have one), and you can also assign a new drive letter. Note: Look in the Properties here, and you can prove MPIO is working and change the MPIO policy (if you require).
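The whole procedure above done from PowerShell, as an added example (not from the original post), for when you have more than one server to do or want it repeatable. The IP addresses match the walkthrough; the target IQN filter, the CHAP values in the comment and the volume label are assumptions. Run step 1, let it reboot, then run the rest.

```powershell
# Added example, not from the original post. Windows Server 2012 R2 or later.
# IPs match the walkthrough; the IQN filter, CHAP values and volume label are assumptions.

# 1. Install MPIO and have the Microsoft DSM claim iSCSI devices. This is the PowerShell
#    equivalent of 'Add support for iSCSI devices' and it needs a reboot before it takes effect.
Install-WindowsFeature -Name Multipath-IO
Enable-MSDSMAutomaticClaim -BusType iSCSI
Restart-Computer -Force

# ---- everything below runs after the reboot ----
# Confirm iSCSI is now claimed (the GUI lists it as MSFT2005iSCSIBusType_0x9).
Get-MSDSMSupportedHW

# 2. Make sure the initiator service is running and starts at boot.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# 3. One discovery portal per iSCSI network, each pinned to the initiator NIC on that network,
#    so neither path ever tries to cross to the other storage subnet.
$paths = @(
    @{ Target = '192.168.50.200'; Initiator = '192.168.50.6' },
    @{ Target = '192.168.51.200'; Initiator = '192.168.51.6' }
)
foreach ($p in $paths) {
    New-IscsiTargetPortal -TargetPortalAddress $p.Target -InitiatorPortalAddress $p.Initiator | Out-Null
}

# 4. Log in to the SAME target once over each network: multipath on, persistent so it reconnects at boot.
#    The IQN filter is an assumption; replace it with (part of) your target's IQN.
$target = Get-IscsiTarget | Where-Object NodeAddress -like '*storage01*' | Select-Object -First 1
foreach ($p in $paths) {
    Connect-IscsiTarget -NodeAddress $target.NodeAddress `
        -TargetPortalAddress $p.Target -InitiatorPortalAddress $p.Initiator `
        -IsMultipathEnabled $true -IsPersistent $true | Out-Null
    # Production: don't leave the target open to anyone on the VLAN. With CHAP set on the storage, add
    #   -AuthenticationType ONEWAYCHAP -ChapUsername '<user>' -ChapSecret '<12-16 char secret>'
}

# 5. Prove there are two sessions and that MPIO sees two paths, then bring the disk online.
Get-IscsiSession | Format-Table TargetNodeAddress, IsPersistent, IsMultipathEnabled, NumberOfConnections -AutoSize
mpclaim -s -d    # MPIO disks with their path count and state

# Only touch a disk that is still RAW; an existing partition would be data you want to keep.
$disk = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' }
$disk | Set-Disk -IsOffline $false
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'iSCSI-MPIO' -Confirm:$false
```

‘mpclaim -s -d‘ is the quickest proof that both logins ended up as paths to one disk rather than two separate disks; if it shows one path, one of the two Connect-IscsiTarget calls went over the wrong initiator/portal pair.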
I had been messing around with port groups and VLANs, and afterwards, when attempting to present a server some vNICs, I got this error.
Solution Virtual Center Appliance
I had to completely restart the Virtual Center Appliance before this error would clear!
Solution (Windows vCenter)
No matter what I did this error refused to budge; when this happens it’s usually because vCenter has got its knickers in a twist. On the vCenter server simply restart the ‘VMware VirtualCenter Server’ service and try again.
Actually finding the answer to this question is far more challenging than it needs to be! As usual Cisco can change this on a whim, so before you purchase any equipment it’s still a good policy to check the Feature Navigator.
Solution
This is about the best reference I’ve found. Although anyone who can tell me what the correct Layer 2 differences between Enterprise Access and Complete Access are, please do so!
If you have a complicated network, you can spend more time finding out how it’s configured, than actually doing any work on it!
Today I had a client that needed some changes made on their LAN. I knew their name and their network address, and common sense told me which of the core switches they were connected to.
I was changing a client’s LAN subnet this week, (dropping the mask from /24 to /16). When I attempted to change the management IP on the client’s HP switches this happened;
[box]
HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
The IP address (or subnet) 10.0.0.250/16 already exists.
HP2510-24G(vlan-1)#
[/box]
At first I thought the switch was complaining because the IP was remaining the same and I was only changing the mask, (which is a bit bobbins, but there you go). Turns out this is normal behaviour. Yes, I could have got my console cable out, walked to the comms room and done this, (removing the old address first, which is exactly why it has to be done from the console: over telnet or SSH you drop your own session at the ‘no ip address’);
[box]
HP2510-24G(config)# vlan 1
HP2510-24G(vlan-1)# no ip address 10.0.0.250 255.255.255.0
HP2510-24G(vlan-1)# ip address 10.0.0.250 255.255.0.0
HP2510-24G(vlan-1)#
[/box]
But that would mean getting off my lazy backside, and what if I was hundreds of miles from the switch?
Solution
To solve the problem you need to enter the HP switch menu system, which will let you change the IP on the fly. Obviously if you change the IP, make sure you can connect to its old (and new) IPs, or you will lose remote management.
From CLI type ‘menu’ {Enter}, you may be asked if you want to save the config. Choose ‘Switch Configuration’.
IP Configuration.
Edit.
Use the cursor keys and navigate to the IP/Subnet mask, and change accordingly > {Enter}
Select Save > Reconnect to the new IP address.
Cisco documentation calls this a ‘DHCP Relay’, and the command is ip helper-address; I usually call it a DHCP Helper, just to confuse everyone. To be fair the term DHCP Relay is an industry standard, (RFC 2131 calls the device a relay agent), it’s not particular to Cisco, (as you will see later when I Wireshark the traffic).
So if you are reading this you have a DHCP server and you want to use it to lease addresses to clients that are on a different network segment, (a different broadcast domain, i.e. on the far side of a layer 3 boundary).
To do that you need an agent on the same network segment as the client, listening for DHCP broadcasts; when it receives one it forwards it as a unicast to the DHCP server on the client’s behalf, and passes the server’s reply back to the client.
Solution
Example 1 Cisco Router
Here we need to lease two different DHCP scopes to two different network segments, R1 will act as the IP-Helper for both of those networks, R2 and R3 will get their IP addresses from the correct DHCP scope.
This works because each (client facing) interface on R1 has a helper address defined that points to the DHCP server. One caveat: ip helper-address forwards more than DHCP. By default IOS relays several UDP broadcast types to the helper (BOOTP/DHCP, but also DNS, TFTP, Time, TACACS and the NetBIOS name and datagram services), so on a locked-down network use ‘no ip forward-protocol udp <port>’ for the ones you don’t want sent to your DHCP server.
So How Does It Know Which Scope To Lease From? Because the router fills in the RELAY AGENT IP address field of the DHCP packet (‘giaddr’) with the IP address of the interface that received the client’s broadcast, then forwards the request as a unicast to the helper address. The DHCP server picks the scope that contains that relay address, leases from it, and sends the reply back to the relay agent rather than to the client, (again I’ve tracked all this in Wireshark below).
IP-Helper Router Configuration
[box]
R1 Config
!
interface GigabitEthernet0/0
description Uplink to DHCP Server
ip address 10.2.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet2/0
description Uplink to 192_168_2_0
ip address 192.168.2.1 255.255.255.0
ip helper-address 10.2.2.10
negotiation auto
!
interface GigabitEthernet3/0
description Uplink to 192_168_3_0
ip address 192.168.3.1 255.255.255.0
ip helper-address 10.2.2.10
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 10.2.2.10
!
R2 Config
!
interface GigabitEthernet2/0
description Uplink to R1
ip address dhcp
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet2/0
!
R3 Config
!
interface GigabitEthernet3/0
description Uplink to R1
ip address dhcp
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet3/0
!
[/box]
You can see this works because the DHCP server has matching scopes for both network segments. (Yes, one of my test servers is 2003; you’re going to see some Windows XP in a minute!)
Well that’s fine for routers, but what about machines? They send a DHCP Discover just like any other client. I’ve replaced one of the routers with an actual machine.
With its network card set to DHCP you will again get a lease from the correct scope, because the Router brokered it for us.
Back on the DHCP server you can see the lease to the windows XP machine entered in the current scope leases, It knows the name of the client because (as you will see below) the relay agent (Router) passed that information (along with the MAC address of the client) to the DHCP server.
Example 2 Cisco Switches
OK, I did the routers first because I find it easier to explain things at layer 3. Not that you can’t create sub interfaces on the router, add those sub interfaces to VLANs, and run DHCP relays from them, but in most cases you will be setting up DHCP helpers on switches. Here the principle is the same, but you define the helper address on the VLAN interface, (unless it’s a routed port, in which case treat it the same as a router interface). Let’s modernise things a bit, and use a 2012 R2 DHCP server and some Windows 8 clients.
I need to lease addresses from my second scope to clients in VLAN 200, (the other client and the server are in the same VLAN, so that will just work: remember a VLAN is a broadcast domain, and DHCP uses broadcasts).
Here’s the two scopes setup on the 2012 server;
And my client, (DHCP Client in VLAN 200) gets the correct IP.
IP-Helper Switch Configuration (VLANS)
[box]
SW1 Config
!
interface FastEthernet1/0/1
description Uplink to DHCP Server
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/4
description Uplink 192_168_200_0
switchport access vlan 200
switchport mode access
spanning-tree portfast
!
interface FastEthernet1/0/5
description Uplink 192_168_100_0
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
ip helper-address 192.168.100.10
!
IF YOU HAVE MULTIPLE/FAILOVER DHCP SERVERS OR SPLIT SCOPES YOU CAN ADD A SECOND
HELPER ADDRESS LIKE SO;
!
interface Vlan200
ip address 192.168.200.1 255.255.255.0
ip helper-address 192.168.100.10
ip helper-address 192.168.100.15
!
[/box]
Analysing (Packet-Sniffing) DHCP Relay Sequence with Wireshark
Other packet sniffers are available, but I’ve got a soft spot for Wireshark. To filter DHCP traffic you can use the following display ‘filter’, (note that from Wireshark 3.0 the dissector was renamed from bootp to dhcp, so on a current version use dhcp.option.type == 53, or simply dhcp).
bootp.option.type == 53
DHCP works by using four messages, (which I remember using the acronym DORA: Discover, Offer, Request, Acknowledge). If you sniff the traffic on the DHCP server, you can watch this process being brokered by your DHCP Relay Agent.
Discover
Offer
Request
Acknowledge
And just to prove it’s not all ‘smoke and mirrors’, here’s the client with the leased address, showing a matching MAC address, and hostname.
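To make the relay sequence above concrete, here is an added example (my code, not from the original post) in pure Python: it builds the client’s DISCOVER, applies exactly what the relay agent changes (it writes its interface IP into giaddr, bumps the hop count and unicasts the result to the helper address), and shows how a server chooses the scope from giaddr. The R1 lab addresses are reused; the toy server, its scopes, the ‘leases start at .100’ rule and the MAC addresses are constructed for the example and stand in for the real Windows DHCP server.

```python
"""Added example, not from the original post: a minimal DHCP relay sequence in pure Python.
Addresses match the R1 lab above; the server, its scopes and the MACs are constructed here."""
import ipaddress
import struct

DHCP_DISCOVER, DHCP_OFFER = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header (RFC 2131 figure 1)


def build_dhcp(op, xid, mac, msg_type, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0):
    """Build a BOOTP/DHCP message: fixed header, magic cookie, option 53, end option."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,        # htype=Ethernet, hlen=6, broadcast flag
                      b"\x00" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\x00" * 4,
                      ipaddress.IPv4Address(giaddr).packed, chaddr, b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Decode the fields a relay and a server actually look at, plus the option map."""
    f = struct.unpack(HDR, pkt[:236])
    assert pkt[236:240] == MAGIC, "not a DHCP message"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "giaddr": str(ipaddress.IPv4Address(f[10])),
            "mac": f[11][:6].hex(":"), "msg_type": opts[53][0], "options": opts}


def relay(pkt, agent_ip):
    """What `ip helper-address` does to the packet: if giaddr is still 0.0.0.0, write in the IP of
    the interface the broadcast arrived on, increment hops; on the wire it is then unicast to the helper."""
    p = bytearray(pkt)
    if p[24:28] == b"\x00" * 4:              # giaddr is at offset 24; a second relay keeps the first one's value
        p[24:28] = ipaddress.IPv4Address(agent_ip).packed
    p[3] += 1                                # hops
    return bytes(p)


class DhcpServer:
    """Toy server with one scope per subnet; leases start at .100 (a constructed exclusion range)."""

    def __init__(self, own_ip, scopes):
        self.own_ip = ipaddress.IPv4Address(own_ip)
        self.free = {ipaddress.ip_network(s): list(ipaddress.ip_network(s).hosts())[99:] for s in scopes}
        self.leases = {}

    def select_scope(self, giaddr):
        """RFC 2131 s4.3.1: a non-zero giaddr selects the scope; otherwise the server's own subnet."""
        key = ipaddress.IPv4Address(giaddr) if giaddr != "0.0.0.0" else self.own_ip
        return next((net for net in self.free if key in net), None)

    def handle(self, pkt):
        f = parse_dhcp(pkt)
        if f["op"] != BOOTREQUEST or f["msg_type"] != DHCP_DISCOVER:
            return None
        net = self.select_scope(f["giaddr"])
        if net is None:
            return None                      # no scope for that giaddr: a real server logs it and drops it
        ip = self.leases.get(f["mac"]) or self.free[net].pop(0)
        self.leases[f["mac"]] = ip
        # The OFFER goes back to giaddr (the relay), which forwards it onto the client's segment.
        return build_dhcp(BOOTREPLY, f["xid"], f["mac"], DHCP_OFFER,
                          giaddr=f["giaddr"], yiaddr=str(ip), hops=f["hops"])


def lease_for(client_mac, relay_ip=None, server=None):
    """Run DISCOVER -> (relay) -> server -> OFFER and return the offered address (or None)."""
    if server is None:
        server = DhcpServer("10.2.2.10", ["10.2.2.0/24", "192.168.2.0/24", "192.168.3.0/24"])
    discover = build_dhcp(BOOTREQUEST, 0x3903F326, client_mac, DHCP_DISCOVER)
    on_wire = relay(discover, relay_ip) if relay_ip else discover   # relay_ip=None: client on the server's segment
    offer = server.handle(on_wire)
    return None if offer is None else parse_dhcp(offer)["yiaddr"]


if __name__ == "__main__":
    print("via R1 Gi2/0:  ", lease_for("00:50:56:aa:bb:01", "192.168.2.1"))   # 192.168.2.100
    print("via R1 Gi3/0:  ", lease_for("00:50:56:aa:bb:02", "192.168.3.1"))   # 192.168.3.100
    print("local client:  ", lease_for("00:50:56:aa:bb:03"))                  # 10.2.2.100
    print("unknown giaddr:", lease_for("00:50:56:aa:bb:04", "172.16.0.1"))    # None
```

Two things to take from it. The client never learns the relay existed: the DISCOVER it sent is unchanged apart from giaddr and hops, and the OFFER it gets back carries its own xid and MAC. And the ‘unknown giaddr’ case is what you see when the relay interface address does not fall inside any scope: the server has nothing to lease from and the client just times out, which is the first thing to check when a new VLAN gets no addresses. A real relay also appends option 82 (relay agent information) if configured, and the server replies to giaddr on UDP 67, not to the client on 68.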
At work a client was having trouble with a NAS drive (Buffalo TeraStation). It was being used as a backup target and some of the servers were dropping connections. I knew the client had some Catalyst 3750s, so I suggested going in and creating an EtherChannel to the two NICs in the NAS box, to try and cure the problem.
However when I went onsite, I noticed the 3750 didn’t have any spare Gigabit ports only FastEthernet ones. So I thought I’d create a port channel on one of their Cisco Small Business Switches (SG500-52P). I mean how difficult can that be?
Solution
SG500 LAG Configuration
Note: Configure the switch FIRST.
Before you start, the ports you want to use MUST NOT be a member of a VLAN, and this needs to be done for EVERY VLAN, and saved each time. VLAN Management > Port to VLAN.
So the port should be a simple access port set as below, VLAN Management > Interface Settings.
Now you can create the Link Aggregate Group > Port Management > LAG Management > I set the global option to ‘IP/MAC Address’ > Then select the first free LAG > Edit.
Tick LACP BEFORE you add in the ports. If you don’t, it creates the LAG, but the LACP option is ‘greyed out’. (The only way to solve this, is remove all the ports, save the settings, add LACP, then add the ports back in again!)
At this point you need to add your LAG interface into the appropriate VLAN, or more likely set it as a Trunk.
Buffalo Terastation NAS Settings for LACP
For LACP to work both ends need to be configured, on the NAS box, bond the two networks cards together, then set the ‘Port Trunking’ mode to ‘Dynamic link aggregation’ > Accept.
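The switch half of this from the SG500 CLI rather than the web UI, as an added example (not the original post’s config, and syntax as in the Sx500 CLI guide). The port names (which vary with firmware version and whether the unit is stacked), the LAG number and the VLAN list are assumptions; ‘mode auto’ is LACP, ‘mode on’ would be the static bundle the post warns against ending up with.

```cisco
! Added example, not from the original post. Port names, LAG number and VLANs are assumptions.
configure
! The 'IP/MAC Address' global option from the GUI
port-channel load-balance src-dst-mac-ip
! Put both NAS-facing ports into LAG 1 with LACP ('auto'); 'on' would be a static LAG with no LACP
interface range gi1/1/1-2
 channel-group 1 mode auto
exit
! VLAN membership now belongs to the LAG interface, not to the member ports
interface Port-channel 1
 description LAG to Buffalo TeraStation
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
exit
do write
```

Doing it in this order (channel-group first, VLANs on the Port-channel afterwards) avoids the ‘LACP greyed out’ state described above, and keeping the allowed VLAN list to the backup VLANs means a NAS that only needs to see the servers cannot also talk to everything else on the trunk.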