1/24/12

Multiple subnets with one VMware ESXi host

As we’ve moved more and more of our critical infrastructure at The Chapel to the virtual world, I’ve struggled on occasion with the issue of setting up network cards in VMs to work on different subnets.

This became a real issue when we migrated from our Cisco phone system to our virtualized MiTel phone system. All was good until I needed to set up the “MiTel Border Gateway”, which acts as a firewall and SIP gateway for the phone system. Since I had to get this up and running quickly, I just installed another network card, mapped it to a virtual switch in VMware, and mapped the second NIC in the VM to that virtual switch.


This approach, however, is not very efficient or redundant. It also takes up valuable NICs and switch ports. My plan is to update this configuration with what I’ve learned when setting up our print server to work with FingerPrint, which I’m going to detail below.

How to set up VLAN tagging in VMware ESXi

  1. First, you need to have a working ESXi host. The setup isn’t that hard but is more than I’m going to go into here.
  2. Set up the switch port(s) that connect to the server as a “trunk” in Cisco speak, with a “Native VLAN” set to what the majority of your servers use. That way you don’t have to set up tagging on every vNIC.
  3. If you’re looking to have a server that needs to talk to two different subnets, like a firewall or my print server running FingerPrint, add another Ethernet adapter to your VM and assign it to your default network. Mine is “VM Network”.
  4. You need to check that the Virtual Network on your primary vSwitch allows all VLANs. By default it is set to “None(0)”. Set it to “All(4095)” or just the ones you want.
  5. Now, start up your VM and log in. Navigate to the Device Manager and select the network card you want to configure a different VLAN on.
  6. Once you configure the tagging, make sure that you have the IP addresses set up correctly. For a firewall-type VM, you will have different IPs and gateways on different subnets. If you have a server connecting to two private networks, only set a default gateway on the “Primary” network. Windows doesn’t like it if you set different gateways to the same routed network.

That’s it. Now your servers can use different and special VLANs when needed, and you don’t need to add another NIC or vSwitch each time. In my case, it allowed me to easily set up FingerPrint to communicate with our wireless network with the Bonjour protocol.
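One thing worth knowing about step 4: a port group set to “All(4095)” hands the VLAN choice to the guest OS, so every VM on that port group can reach whichever VLANs the physical trunk carries, and the trunk’s allowed-VLAN list becomes the real boundary. The script below is an added example, not something from the post or from VMware: it audits an ESXi host’s standard-vSwitch port groups for 4095 and adds a port group pinned to a single VLAN instead (the host tags the frames, so the Device Manager step in the guest is not needed). It assumes esxcli in the ESXi host shell; vSwitch0 and the port-group names are assumptions, and the listing embedded in it is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): audit an ESXi host's standard
# vSwitch port groups for VLAN 4095 and add a port group pinned to a single VLAN.
# Assumes esxcli on the host shell; vSwitch0 and the port-group names are assumptions,
# and the listing below is a constructed sample, not captured from a real host.

# Constructed sample in the layout of `esxcli network vswitch standard portgroup list`.
SAMPLE_PORTGROUPS='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0                     1        0
VM Network          vSwitch0                     3     4095
Phone-VLAN30        vSwitch0                     1       30'

# Print the names of port groups set to 4095 ("All"): every VM attached to one
# chooses its own VLAN tag, so the trunk's allowed-VLAN list is the only boundary.
# Reads a port-group listing on stdin; names containing spaces are preserved.
find_vgt_portgroups() {
    awk 'NR > 2 && $NF == 4095 {
        sub(/[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]*$/, "")
        print
    }'
}

# Create a port group that tags one VLAN on the host side (the guest then sees
# untagged frames and needs no Device Manager VLAN setting).
# Rejects 4095 and anything that is not a VLAN id in 1-4094.
add_tagged_portgroup() {
    pg="$1"; vlan="$2"; vswitch="${3:-vSwitch0}"
    case "$vlan" in
        ''|*[!0-9]*) echo "VLAN id '$vlan' is not numeric" >&2; return 1 ;;
    esac
    if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
        echo "use one VLAN in 1-4094, not $vlan" >&2; return 1
    fi
    esxcli network vswitch standard portgroup add -p "$pg" -v "$vswitch" || return 1
    esxcli network vswitch standard portgroup set -p "$pg" -v "$vlan"
}

# On an ESXi host, audit the live configuration; anywhere else, run the check
# against the constructed sample so the output format can be seen.
if command -v esxcli >/dev/null 2>&1; then
    esxcli network vswitch standard portgroup list | find_vgt_portgroups
else
    printf '%s\n' "$SAMPLE_PORTGROUPS" | find_vgt_portgroups
fi
```

On the host, `add_tagged_portgroup Wireless-VLAN20 20` would create the port group and pin it to VLAN 20; attach the VM’s second vNIC to that port group instead of to “VM Network” with 4095. Against the sample above, the audit prints only “VM Network”.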

For my friends that are more versed in VMware than I, please post your comments and questions. I’m always interested in what others are doing or what the “Right” way is.

Apple AirPrint and FingerPrint

So you have a shiny iPad or iPhone and want to occasionally print. Sounds simple, right? Well Apple has your back and has come out with a great “New” feature called AirPrint that will fix all of that. That is if you have one of the few new printers that have AirPrint.

A lot of companies are seeing more iOS devices on our networks and more users who expect new features that Apple comes out with to just work. They have little patience for us or the market to align ourselves with the Apple way of doing it. We also have some expensive, high efficiency, and feature rich printers and copiers on our network that we can’t afford to just replace.

Our first solution was a hack program called “AirPrint Service for Windows” that worked well until iOS 5. Then it broke.

There were some other iOS apps that let you print to network printers, but they cost money and you have to pay for and install them on every device.

Earlier this month I found a program called “FingerPrint”. You can check it out at http://www.collobos.com/ They have a Windows and a Mac version and also provide a free one-week trial. If you still like it after the trial, you can buy it for $10! I wondered just how well a $10 application could work, but read on.

After running the quick install file and selecting the printers I wanted to share, I was up and running!


It also has a cool feature that I’ve yet to try that allows you to “Print to DropBox” where you can tie it to a DropBox folder. This could work on a personal computer but I don’t see it working on a network print server well.

Once things are installed and working, connect your iPad or iPhone to the wireless network (it has to be on the same subnet though. Stupid Bonjour!), and your printers will show up in the “Select Printer” dialog.


That’s it. After the free trial I bought it. It’s working great so far. I’ve not tested this on multiple print servers on the same subnet yet so I’m not sure how that would work.

There is one caveat though. Your print server has to be on the same subnet as your wireless. This poses a problem for most of us that have an enterprise wireless solution and have it on a different subnet. During the trial period, I set up a Linksys AP on the same subnet as the server and it worked fine. But it kind of defeats the ease of use I was going for when people have to connect to another wireless network just to print.

I’ll address how I got around this limitation in my next blog post about connecting virtual servers in VMware to multiple subnets.

Read about it here.

11/10/11

Cisco Phones for Sale

We have finished our migration to our new MiTel phone system! Through a mix-up, we will be selling the Cisco gear ourselves. We do have a good amount of gear that we need to sell, and it has been pulled from a working system running Call Manager 4.2.

I have heard that most of this gear will work with SIP but I have not confirmed. It appears that you have to download the SIP firmware from Cisco (needing active support on the phone) and then flash the phone.

The servers themselves are also for sale.

Cisco Item                   Qty.     Selling For
Server - MCS-7815-I1-UC1     1        Make Offer
Server - MCS-7815-I2-IPC1    1        Make Offer
Server - MCS-7825-H2-IPC1    2        Make Offer
7936 Conf. Phone             2        $200.00
7960G                        10       $75.00
7941G                        6        $80.00
7040G                        82 102   $50.00
7920 Cordless                1        $50.00
7014 Sidecar                 2        $50.00
7912G                        41       $35.00

For one of the 7936 Conference phones I have the additional microphones.

Buyer will pay shipping. Local pickups are welcome. PayPal preferred.

Our address is:

The Chapel
1200 American Way
Libertyville IL, 60048

If you are interested, please email ciscophones@chapel.org and I will get back to you as soon as I can. Thanks!

10/7/11

It's been a while!

I can't believe it's been a year since I updated my blog! This year has flown by way too fast. I've been really busy at work. In the last year, we went from 6 to 7 campuses, set up a point-to-point VPN to that campus, installed our Equallogic SAN, and we are almost done with our new phone system installation.

Also, on a personal level, my oldest child started pre-school, we found out that we are pregnant with our 3rd child, we're looking for a minivan, and I've not been out running nearly as much as I had hoped this year.

I hope to do some more blog posts soon that will be helpful to others. Some ideas I have are:
  • Setting up a P2P VPN with SonicWall and Comcast
  • OSPF failover on SonicWall firewall (there was a bug in the firmware)
  • Our MiTel phone conversion
  • Ruckus Wireless VS Aruba Wireless
  • Cisco Voice VS MiTel Voice
We'll see how far I get on that list. :-)

10/1/10

Bandwidth Management on SonicWall NSA 240

Recently, we expanded Public Wireless to all our campuses. We really hammer our network on the weekend when we push video across it, and I didn’t want public Wi-Fi traffic to become a problem. We have some access lists on our Cisco routers that do some time-of-day/week bandwidth throttling, but it was kind of a pain to set up. So, I decided to see what I could do at the source. I was surprised at how easy it was to implement Bandwidth Management on our public wireless using our SonicWall NSA 240. Here’s how I did it. Your mileage may vary.

Step One. Log into your SonicWall. I know, it’s a big step.

Step Two. Navigate to Network –> Address Objects and create an “Object” to match your Public Wireless Traffic. Click “Add…” under Address Objects.

I created an object called “PublicWiFi-Test” for this example and matched it to traffic on network 192.168.11.0/24, which is the IP address range of our Public Wi-Fi traffic. You can match to a number of other identifiers as well.

Step Three. Navigate to Firewall –> Access Rules. Change the view style to “All Rules” and then click “Add”.

Now is when we actually tell the SonicWall what we want to do with the Public Wireless Traffic. In the window that comes up, fill out the fields like I have below. What we are doing is telling the firewall to process traffic that is from the LAN to the WAN, from any Service, matching the PublicWiFi-Test object that we defined earlier, to any destination.

On the “Advanced” tab, leave everything as the default, but check “Create a reflexive rule” so that inbound traffic will be matched as well.

On the QoS tab, change the DSCP Marking Action to “Explicit”. Then change the “Explicit DSCP Value” to “0 – Best effort/Default”. That way, if you have some other policies downstream that mark or generate traffic with a higher DSCP (like video), the PublicWiFi traffic won’t mess with your video feed.

Now, on the Ethernet BWM tab, you will actually configure the Bandwidth Management. Check the first box and then enter a percent or Kbps value for the Guaranteed bandwidth and the Maximum Bandwidth. This first section will apply your settings to “Outbound” traffic or, in Internet terms, Upload Speed. One MB should be a good cap. You can also set the “Bandwidth Priority” to 7, which is the lowest. I’m not sure which takes precedence since you already set a value in the QoS tab. Now, click the next box and set the download values. At the bottom you can check “Enable Tracking Bandwidth Usage” if it makes you happy. Click OK and you’re ready to go!

Step Four. You can now test your new policy out by going to a site like http://www.speakeasy.net/speedtest/ If you’ve done it right, your upload and download numbers should match the numbers you set in your policy. On my first try I had the values reversed.

So, that was easier than I thought it was going to be. I took it one step further because we have multiple campuses with different IP schemas right now for wireless. I created more address objects and added them to an Address Group. I then changed the setting in my policy to reference the Address Group instead of the single Address Object. The issue I see with this is that all traffic that matches these limits will share that bandwidth cap. So, if I have 4 public clients, their bandwidth would be (2048 Kbps / 4) or 512 Kbps. I’ll have to play around with things and see how it goes. You can set the policy to a schedule, so I might just have it be active on the weekends.

I hope this helps someone. If it does or you have questions, leave a comment.

7/8/10

Lock screen & start screensaver

Sounds like a simple task, doesn’t it? For years I have just pressed the Windows key + L and locked my computer. But, like any proud father, I didn’t want to wait 15 minutes for the photos of my kids to start scrolling across my dual monitors (a great free photo screen saver for dual monitors is gPhotoShow.com). All I wanted to do was lock my computer and start my screen saver at the same time. After all, even OS X can do that with Exposé. To my surprise, there is no built-in method to do that in Windows! Even if you make a shortcut to the screen saver, when you move the mouse, it goes right back to your desktop. So after some searching on different scripts, I came across a free app someone wrote that does the trick. Download sslaunch.zip from this WindowsITPro.com article, extract it, and move the SaveScrn.exe file to your desktop. Now, all you have to do is double-click it and your computer will lock and display your screensaver.

Enjoy!

4/30/10

Local Mac User to an AD User

Local Mac User to an AD User that has the same short name
OS X 10.5.8 (Other versions may differ)

Here is the scenario. Mac User has a local account, his “Short Name” is muser, and his Home Directory is muser as well. The problem is that when we join this computer to Active Directory and Mac User logs on, it will want to make a Home Directory for him with the name of muser.

So, we have to delete the local Mac User user, but preserve his Home Directory. Then we have to move it to the network Mac User user and assign the correct permissions.

Step One. Join computer to Active Directory. There are many guides out there on how to do this. Official Apple docs http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c7od44.html

Step Two. Log in as a different Local Admin account than the one you want to change. If one doesn’t exist, create one. If possible, back up the user’s Home Directory before proceeding just to be safe. Now go into System Preferences and then Accounts. Unlock things and then select “Mac User”. Now click the “-” to remove him. You want to select the middle option on the next screen, which is “Do not change the home folder (The home folder remains in the Users folder.)” Click “OK” and then log out.

Step Three. Click on the “Other” option at the Login screen and log in as the network Mac User account to create his profile. When you are asked to create a mobile account, click the “Create Now” button. Log out and log back in as the local Admin account you were using in step Two.

Step Four. Open the Terminal and enter the following:
sudo rm -r /Users/muser                        # remove the empty home the network login created in Step Three
sudo mv "/Users/muser (Deleted)" /Users/muser  # put the preserved local home back under the short name
sudo chown -R muser /Users/muser               # give the network account ownership of everything in it

If this user should be a local admin, click the “Allow user to administer this computer” box under his profile. Log out.

Step Five. Log in as the network user and all your programs, data, and settings should be moved over to the new profile.

Step Six. You may have to fix the keychain. If there is an issue with getting prompted for the keychain password, go into utilities and then click on Keychain Access. Right click on the “Login” keychain and at the bottom of the list you will see “Change Password…” Once you click it, you will be prompted for the old password and then enter a new password.

Done. Now the Mac user will be able to change their network password, be prompted when it is about to change, and, most importantly, be required to use one. Your mileage may vary, so test out these steps in the lab first.
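The three commands in Step Four are the part of this procedure where a typo costs someone their home folder, so here they are again as an added example (not the post’s own commands) wrapped in a shell function with the checks a careful admin would want: the AD account must already resolve on the Mac before chown is attempted, the preserved “(Deleted)” folder must actually exist, and the stub home created by the first network login is set aside rather than deleted, so a mistake is still recoverable. The users directory and the short name are parameters, so the function can be tried against a scratch directory before it is run with sudo against /Users; the function name and the backup-folder suffix are assumptions, not anything from Apple.

```shell
#!/bin/sh
# Added example, not part of the original post: the Step Four rename done with
# sanity checks, so a typo or a missing "(Deleted)" folder cannot wipe the wrong home.
# Assumes the folder layout the post describes (OS X 10.5); run with sudo on the Mac.

# migrate_home USERS_ROOT SHORTNAME
#   USERS_ROOT  the directory holding home folders (/Users on a Mac)
#   SHORTNAME   the short name shared by the old local and the new AD account
migrate_home() {
    root="$1"; user="$2"
    old="$root/$user (Deleted)"   # home preserved by the "Do not change the home folder" option
    new="$root/$user"             # stub home that the first network login created
    backup="$root/$user.netlogin-stub.$(date +%Y%m%d%H%M%S)"   # suffix is an assumption
    kept=""

    # The AD account must resolve on this Mac, or chown (and the later login) will fail.
    if ! id "$user" >/dev/null 2>&1; then
        echo "no account named '$user' resolves on this machine" >&2
        return 1
    fi
    if [ ! -d "$old" ]; then
        echo "preserved home '$old' not found; nothing to migrate" >&2
        return 1
    fi
    # Set the stub aside instead of rm -r, so the step is reversible.
    if [ -d "$new" ]; then
        mv "$new" "$backup" || return 1
        kept=" (stub kept at $backup)"
    fi
    mv "$old" "$new" || return 1
    # Re-own every file for the network account; the old local UID no longer exists.
    chown -R "$user" "$new" || return 1
    echo "migrated '$old' -> '$new'$kept"
}

# When run as a script with two arguments, do the migration; with none, only define it.
if [ "$#" -eq 2 ]; then
    migrate_home "$1" "$2"
fi
```

On the Mac this becomes `sudo sh migrate_home.sh /Users muser`; the backup stub can be deleted once the network user has logged in and confirmed everything is there.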