Latest Posts

Portable home lab virtualization server + gaming

I have a few PCs that I use for testing, gaming, and other side projects. I wanted to pare down a few systems, so I started looking into a portable VM home lab server that could host at least four VMs for testing and also deliver decent gaming performance through hardware GPU passthrough to a VM.

I first considered the Intel NUC Skull Canyon. It's portable, tough looking, and powerful, but when it first launched it had no easy way to add an external GPU or to install a hypervisor. It's also fairly expensive, and I was trying to stay in the $500-$600 range. I started looking at a few Mini ITX cases and remembered the ASRock M8 Mini ITX design from a while back.

[Image: ASRock M8 case, side view]

I found the case, but only as a barebones bundle that came with an older motherboard that didn't support the kind of passthrough I wanted. The case reminded me of the old Apple G4/G5 towers, with a handle at each corner, which makes it much easier to carry. An open-box discount from Newegg made the purchase a little more bearable.

Here are the home lab specifications and costs:

Case: ASRock M8 Mini ITX (included an LGA 1150 motherboard with power supply), open box: $186.69
Memory: G.SKILL Aegis 16GB (2 x 8GB) 288-Pin DDR4 2133: $52.42
CPU: Intel Xeon E3-1225 v5 Skylake 3.3 GHz, 8MB L3 cache, LGA 1151: $234.99
Motherboard: ASRock Server/Workstation MB-C236WSI: $213.00

Total: $687.10

I ditched the LGA 1150 motherboard and installed the Intel C236 chipset LGA 1151 board along with the Skylake Xeon. My first attempt, VMware ESXi 6.0, failed because I couldn't get anything working with passthrough. I tried several ESXi versions, but my ATI 6770, USB, and sound passthrough never worked. I tried a few other graphics cards, but without sound I took ESXi out of the picture. I then tried XenServer 7 and, to my surprise, was able to pass through all of my components. I did have to run some commands by hand to get things going, but I ended up with a VM capable of some decent gaming.

[Images: ASRock M8 with the MB-C236WSI Skylake Xeon motherboard installed, front and rear views]

Getting all the passthrough devices working may take some work in the CLI. I didn't have to set up the GPU from the CLI, since it was already listed as a passthrough device in the XenServer management GUI.

To add other devices, first note the VM's UUID once it has been provisioned through the GUI. Then list the PCI devices from the XenServer CLI:

lspci -k | more

Find the PCI addresses of the devices you want to pass through (I was after USB and sound). Keep in mind that a whole PCI function goes to the guest: passing through a USB controller hands the VM every port on that controller, and the host loses them. To add several devices, run the next command once, listing each address in the comma-separated value in the form 0/DDDD:BB:DD.F (plain lspci omits the 0000: domain prefix, so add it) along with your VM UUID; the setting applies when the VM next starts:

xe vm-param-set other-config:pci=0/0000:00:1f.3,0/0000:00:14.0 uuid=a4f084ae-e8cf-144a-ac31-7bf456e333b5
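To script the steps above, here is an added Python helper (mine, not code from the post) that pulls the right addresses out of lspci output, normalises them to the 0/DDDD:BB:DD.F form xe wants, and builds the xe command. It assumes the documented other-config:pci format and standard lspci / lspci -D text output; the lspci listing inside it is constructed for the demo, and the UUID is the one used in the post. It also lists the sibling functions of a multi-function device (a GPU and its HDMI audio share a slot), which you generally have to pass through as a set.

```python
"""Helpers for building the XenServer PCI passthrough setting from lspci output.

Added example, not code from the original post. Assumptions: the documented
`other-config:pci` value format "0/DDDD:BB:DD.F" (domain, bus, device,
function) and standard `lspci` / `lspci -D` text output. The sample output
below is constructed for the demo, not captured from the author's box.
"""
from __future__ import annotations

import re
import shlex
import subprocess
import uuid as uuidlib

# Plain `lspci` prints "BB:DD.F"; `lspci -D` prints "DDDD:BB:DD.F". Accept both.
_ADDR = re.compile(
    r"^(?:(?P<dom>[0-9a-fA-F]{4}):)?(?P<bus>[0-9a-fA-F]{2}):"
    r"(?P<dev>[0-9a-fA-F]{2})\.(?P<fn>[0-7])$"
)


def to_xe_pci(addr: str) -> str:
    """Normalise one PCI address to the form xe expects: '00:1f.3' -> '0/0000:00:1f.3'."""
    m = _ADDR.match(addr.strip())
    if not m:
        raise ValueError(f"not a PCI address: {addr!r}")
    dom = (m["dom"] or "0000").lower()
    return f"0/{dom}:{m['bus'].lower()}:{m['dev'].lower()}.{m['fn']}"


def addrs_by_class(lspci_output: str, class_name: str) -> list[str]:
    """Addresses of every lspci line whose class field equals class_name
    (e.g. 'USB controller', 'Audio device'). Exact match on the class field,
    so a substring like 'USB' cannot drag in unrelated devices."""
    found = []
    for line in lspci_output.splitlines():
        if not line or line[0].isspace():   # skip `lspci -k` continuation lines
            continue
        addr, _, rest = line.partition(" ")
        if rest.partition(":")[0] == class_name:
            found.append(addr)
    return found


def sibling_functions(lspci_output: str, addr: str) -> list[str]:
    """Other functions of the same PCI slot, in xe form. A GPU and its HDMI audio
    function share a slot and normally have to be passed through together."""
    me = to_xe_pci(addr)
    slot = me.rsplit(".", 1)[0]
    sibs = []
    for line in lspci_output.splitlines():
        if not line or line[0].isspace():
            continue
        other = to_xe_pci(line.split(" ", 1)[0])
        if other != me and other.rsplit(".", 1)[0] == slot:
            sibs.append(other)
    return sibs


def xe_passthrough_argv(vm_uuid: str, addrs: list[str]) -> list[str]:
    """argv for `xe vm-param-set` that hands every address in addrs to the VM.
    The UUID is validated up front so a typo fails here rather than at xe."""
    uuidlib.UUID(vm_uuid)  # raises ValueError on a malformed UUID
    if not addrs:
        raise ValueError("no PCI devices selected")
    pci = ",".join(to_xe_pci(a) for a in addrs)
    return ["xe", "vm-param-set", f"other-config:pci={pci}", f"uuid={vm_uuid}"]


def set_passthrough(vm_uuid: str, addrs: list[str], dry_run: bool = True) -> str:
    """Build the command, run it unless dry_run, and return the command text.
    The setting is read at VM start, so it takes effect on the next boot."""
    argv = xe_passthrough_argv(vm_uuid, addrs)
    if not dry_run:
        subprocess.run(argv, check=True)
    return shlex.join(argv)


# Constructed `lspci -D` output for the demo.
SAMPLE_LSPCI = """\
0000:00:14.0 USB controller: Intel Corporation xHCI Host Controller
0000:00:1f.3 Audio device: Intel Corporation HD Audio Controller
0000:00:1f.6 Ethernet controller: Intel Corporation I219-LM
0000:01:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Radeon HD 6770
0000:01:00.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] HDMI Audio
"""

if __name__ == "__main__":
    vm = "a4f084ae-e8cf-144a-ac31-7bf456e333b5"  # the VM UUID used in the post
    usb = addrs_by_class(SAMPLE_LSPCI, "USB controller")
    # Only the onboard codec at 00:1f.3; 01:00.1 belongs with the GPU.
    onboard_audio = [a for a in addrs_by_class(SAMPLE_LSPCI, "Audio device") if a.startswith("0000:00:")]
    print(set_passthrough(vm, onboard_audio + usb))
    print("GPU companion functions:", sibling_functions(SAMPLE_LSPCI, "01:00.0"))
```

Run with dry_run=True (the default) on the XenServer host to see the exact command before committing it; with dry_run=False it executes xe. Remember that VT-d has to be enabled in the BIOS for any of this to work, and that the guest gets DMA access to whatever you hand it.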


Why NetDevOps/NetOps will become important for Network Admins

Being a network administrator/engineer typically means typing into SSH consoles to get things going. At some point, being able to automate tasks or to manipulate configurations based on a certain outcome becomes necessary. I've gathered a few real-world thoughts on network automation. The buzzword for this topic is NetDevOps.

NetOps/NetDevOps (my definition): network automation using code to run the commands that would otherwise have to be typed manually into each device. Example: code that parses or writes configs, logs, and SNMP values in order to act on a specific outcome.

I won’t go into the details of the ins and outs of NetOps/NetDevOps and how to get started with coding. I’ve provided a list of links with information that other really smart people came up with.

Detailed Definitions:
https://cumulusnetworks.com/blog/netdevops-networking-methods-with-a-devops-mindset/
http://packetpushers.net/pull-my-strings-im-your-puppet-juniper-bringing-devops-to-networking/
Some examples:
https://www.nanog.org/sites/default/files/Carr_What_S_Netdevops_Why.pdf
Getting Started with coding:
https://www.nanog.org/sites/default/files/Swafford_Netops_Coding_101.pdf

OK, so what can NetDevOps actually do for you now? I started a list of items that NetDevOps could put a dent in. I don't think you need a Google- or Facebook-sized infrastructure to take advantage of it. My team and I currently manage around 120 switching/routing devices and are about to add many more. That's no Google, so here's my list:

  • Changing admin passwords on devices when staffing changes can be very time consuming. Code that SSHes into the switches and routers to update passwords and privileges would be a very useful thing to have. The script's own credentials then become the crown jewels, so pull them from a vault or the environment at run time rather than hardcoding them, and log every device touched.
  • If you have routers that maintain the same ACLs or route maps, making changes is a daunting task even if it's only a dozen routers. Using code to push the new version of a duplicated ACL or route map to every router reduces time and human input errors.
  • I also have a few ideas about gathering wireless user data and plotting it on a Google Map to show APs with a large volume of connected users. The map would give real-time visual information to help determine whether you have a sticky-client situation. You could also make automated config changes to AP power levels or minimum basic rates to help the situation.
  • You could manage the bandwidth available across network links and trigger an automatic response that applies route maps to redirect traffic or applies QoS rules, to your programming heart's content.

I'm sure there are lots of other examples out there; please post any you may have. I know that last one heads down the OpenFlow rabbit hole, but if you can do these kinds of things with your current equipment using a NetDevOps approach, why not?
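As an added example of the ACL item in the list above (my code, not anything from the post or its links): the pattern that makes this safe on a dozen routers is to read the live ACL, diff it against the desired state, and push only the difference, editing by sequence number so the ACL is never removed while it is applied to an interface. It assumes Cisco IOS named extended ACLs and the output format of show ip access-lists; the router output inside it is constructed, and the SSH transport is injected as two callables (wrap netmiko, paramiko, or whatever you use) so the file runs offline.

```python
"""Idempotent ACL enforcement for Cisco IOS-style routers.

Added example, not code from the original post. It assumes IOS `show ip
access-lists` output and IOS named-ACL syntax; the transport (netmiko,
paramiko, ...) is injected as two callables so the file runs offline, and
the sample output below is constructed, not captured from a real device.
Credentials belong in the environment or a vault, never in this file.
"""
from __future__ import annotations

import re
from typing import Callable

_ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# "    10 permit tcp ... eq 22 (42 matches)": keep the sequence number and the
# ACE text, drop the hit counter so it never shows up as configuration drift.
_ACE_LINE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


def parse_show_access_list(output: str, name: str) -> dict[int, str]:
    """Map sequence number -> ACE text for ACL `name` in `show ip access-lists` output."""
    aces: dict[int, str] = {}
    inside = False
    for line in output.splitlines():
        header = _ACL_HEADER.match(line)
        if header:
            inside = header.group(1) == name
            continue
        if inside and (m := _ACE_LINE.match(line)):
            aces[int(m.group(1))] = m.group(2)
    return aces


def acl_change_set(name: str, current: dict[int, str], desired: list[str], step: int = 10) -> list[str]:
    """Commands that make ACL `name` equal to `desired` (in order), numbered
    step, 2*step, ... Edits happen in place by sequence number, so the ACL is
    never deleted while it is applied to an interface (a `no ip access-list`
    followed by a rebuild would briefly leave the interface unfiltered).
    Returns [] when the device already matches."""
    want = {step * (i + 1): ace for i, ace in enumerate(desired)}
    if current == want:
        return []
    cmds = [f"ip access-list extended {name}"]
    for seq in sorted(current):            # stale or changed entries go first
        if want.get(seq) != current[seq]:
            cmds.append(f" no {seq}")
    for seq in sorted(want):               # then the missing ones, in order
        if current.get(seq) != want[seq]:
            cmds.append(f" {seq} {want[seq]}")
    return cmds


def enforce_acl(
    device: str,
    name: str,
    desired: list[str],
    show: Callable[[str, str], str],
    configure: Callable[[str, list[str]], None],
) -> list[str]:
    """Read the live ACL, compute the diff, push only when something differs.
    `show(device, command)` and `configure(device, commands)` wrap your SSH
    library; returns the commands sent (empty if the device was compliant)."""
    live = parse_show_access_list(show(device, f"show ip access-lists {name}"), name)
    cmds = acl_change_set(name, live, desired)
    if cmds:
        configure(device, cmds)
    return cmds


# Constructed `show ip access-lists` output for the demo.
SAMPLE_SHOW = """\
Extended IP access list ADMIN-IN
    10 permit tcp 10.1.1.0 0.0.0.255 any eq 22 (42 matches)
    20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
    30 deny ip any any log (7 matches)
Extended IP access list GUEST-OUT
    10 permit ip any any
"""

# Desired ADMIN-IN: what is there today plus SNMP from the admin subnet.
DESIRED_ADMIN_IN = [
    "permit tcp 10.1.1.0 0.0.0.255 any eq 22",
    "permit tcp 10.1.1.0 0.0.0.255 any eq 443",
    "permit udp 10.1.1.0 0.0.0.255 any eq 161",
    "deny ip any any log",
]

if __name__ == "__main__":
    sent: dict[str, list[str]] = {}
    # Fake transport: every router "returns" SAMPLE_SHOW and records what it was sent.
    for router in ("rtr1", "rtr2", "rtr3"):
        enforce_acl(
            router, "ADMIN-IN", DESIRED_ADMIN_IN,
            show=lambda dev, cmd: SAMPLE_SHOW,
            configure=lambda dev, cmds: sent.setdefault(dev, []).extend(cmds),
        )
    for dev, cmds in sent.items():
        print(dev, "->", cmds or "already compliant")
```

In the demo the only change is inserting an SNMP permit ahead of the final deny, which yields `no 30` followed by `30 permit udp ...` and `40 deny ip any any log`. Between those two commands the explicit deny is briefly absent, but the implicit deny at the end of every IOS ACL still applies, so nothing is opened up. Running the same script a second time returns an empty change set for every router, which is the property you want before pointing it at a dozen of them.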


What does a Network Administrator do?

I wanted to share what a network administrator's daily duties, functions, and tasks may entail. For those new to IT, a network administrator typically works with the hardware and software components that move data between devices over a physical distance through some type of medium. Those devices include personal computers, laptops, tablets, servers, switches, routers, firewalls, load balancers, wireless access points, and anything else that relies on transmitting data. The things a network administrator typically manages day to day are switches, routers, wireless access points, DHCP/DNS servers, IP address provisioning, documenting and diagramming the network, monitoring bandwidth usage, and maintaining the copper and fiber cable plants.

[Image: Network admin replacing Enterasys E1 switches.]

The scope of what network administrators manage day to day usually depends on how the IT organization is structured. Small organizations, or ones with a small IT staff, may expect the network administrator to handle more than the items listed above. You may also be the person who manages and deploys servers, email systems, desktops, and a host of other things. That gives you a plethora of never-ending projects to keep you busy, which will hopefully make you a master of all disciplines. I don't necessarily see this as a bad thing, but you may not have enough time in the day to architect the network the way you want it, or the best way it could be.

[Image: Organized Cat5 patch cords on a freshly installed Extreme Networks C5k stack.]

Some organizations lump other responsibilities onto the network administrator. Telecom plus networking is a combination I have seen before; expect to work with telephony devices and services like VoIP, mass messaging, and voicemail. Another combination is security plus networking, which means working on the network along with the security devices and appliances, and coming up with strategies for protecting data. Some networking devices have security features built in, such as firewall/routing devices that perform IPS (intrusion prevention), IDS (intrusion detection), spam filtering, and URL filtering/blocking, which makes networking and security devices easier to manage together. I'm not promoting that organizations follow these models, but do expect to see some businesses operate this way.

Larger IT organizations sometimes have the network administrator work only with networking devices and appliances. In that environment you have the opportunity to thrive by sharpening your skill set and becoming a master of networking. Almost everything touches a network today, so always expect to be asked to troubleshoot issues that help other teams solve their problems. Your mission, should you choose to accept it, is to keep the network up and running efficiently. Just don't forget to have fun and follow your passion. If you are also thinking about certifications, check out this article by network guru Shane Killen, or check out my article on certifications. Please feel free to add other responsibilities that you may have heard a network administrator handles day to day in the comments below.


Check Point VPN MEP by default…

I ran into an issue that required deploying another Check Point VPN gateway. My team set up the new VM, installed Check Point Gaia, and completed the VPN configuration. I created a new site in my Windows Check Point Endpoint Security client pointing at the new DNS entry and off I went. After a few days I started having trouble connecting to the new VPN gateway, so I enabled logging in the endpoint client. I discovered that my client was trying to connect to one of my original VPN gateways even though that gateway wasn't defined in the VPN client at all. After a quick call to support, we found out that MEP (multiple entry point) is enabled by default on Check Point VPN gateways that share the same encryption domain, so the client is free to pick any of them. I had to disable MEP, but couldn't find any setting for it in the GUI. The following KB article gives directions on how to disable it:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk78180

MEP wasn’t the desired configuration, but I could see its benefit of being enabled for a redundant VPN gateway setup. I may enable MEP in the future. Only time will tell.


F5 Forwarding IP VS fun…

I have been spending a lot of time lately with our F5 BIG-IP 2000s. We have been deploying a new private network behind the F5 with nodes that admins would like to access directly from their secure admin workstations. Our current setup has the nodes behind the load balancers using basic virtual servers that forward traffic from externally routable IPs to internal non-routable IPs. I would therefore need one VS per node the admins wanted to reach. That would be a lot of VSs.

There are a few other ways around this, though not necessarily clever ones. The first is a jump server: the admins would hit one VS that forwards to a pool with a single node, then hop from that "jump" server to the other private nodes. The other option is adding another NIC to the admin workstations and putting it on the VLAN where the private nodes sit. Neither is a great idea.

So I consulted an F5 tech guru and ran this idea past him: could I place a router with a routed interface in the F5 private VLAN that holds the private nodes? I could then make the private non-routable network routable, protected by an ACL on the router, while the nodes keep the F5 as their default gateway. When an admin workstation talks to a node, the traffic goes through the router, which forwards the packets to the node. The problem is the return path: the node sends its replies to the F5 because that is its default gateway, and the F5 has no connection entry for a flow it never saw start, so the replies go nowhere. The tech told me there is a way to make this work using an IP forwarding VS that listens on the F5 private VLAN.

First make sure the nodes are not covered by a SNAT: in my experience a SNAT and an IP forwarding VS on the same interface don't work together, because the SNAT takes precedence over the forwarding VS. Within the VS, the source is the private node network and the destination is the network where the secure admin workstations sit, which is reachable across the router I placed on the private node VLAN. Keep both scoped that tightly; a forwarding VS with a 0.0.0.0/0 source and destination would forward anything the F5 sees on that VLAN. Then, to make the F5 hand the traffic to the router on the private node VLAN instead of consulting its own routing table, attach an iRule to the Forwarding (IP) VS. Here's the iRule:

when CLIENT_ACCEPTED {
    # Only traffic sourced from the private node network gets the override
    if { [IP::addr [IP::client_addr] equals 10.1.1.0/24] } {
        # Send the flow to the router on the private node VLAN instead of using the F5 routing table
        nexthop internalvlannum 10.1.1.254
    }
}

10.1.1.0/24 is the internal private node network that sits on the F5, and 10.1.1.254 is the router's interface on that network. The iRule forwards the traffic to the router instead of letting the F5 route it. You also have to assign a Fast L4 protocol profile (client) to the Forwarding (IP) VS with Loose Initiation and Loose Close enabled, so that the F5 accepts TCP flows whose SYN it never saw (they entered through the router) and tears them down on FIN/RST without having tracked the full handshake.


What happens in Mexico, saves Mexico

I just had the opportunity to go on my first mission trip, to Playa Del Carmen in Mexico for a week with seven members of the church I attend. We were invited and led by Mission Explosion International. We planned to visit and help out a local Church of Christ in Playa Del Carmen. Our goals consisted of going out into the neighborhood to promote a clinic check hosted in the local church building. The clinic sessions included checking blood pressure and sugar levels, along with hosting VBS (vacation bible school) days. We also planned to hand out Spanish Mission soccer balls.


We ended up doing three days of clinic work, two days of children's outreach, and one day of men's and women's bible study, and our Evangelical guide preached on Sunday. The trip was amazing. We had lots of fellowship, outreach, teaching, and preaching going on, all led by God and His Spirit. If you ever have an opportunity to go on a mission trip, please pray diligently and seek God's guidance in the matter. I found out that I was far more capable through Christ than I ever imagined. In the end, the culture, language, and income levels may be different, but the people are no different from us in that they need God and Jesus Christ just like we do.


Thank you to Rusty, Audrey, Jordan, and Kylee!!! I will never forget my first mission trip to Mexico.

@javi_isolis


Cisco UC on UCS

One of our latest projects at work is moving from Centrex to Cisco Unified Communications (UC). I was assigned quite a few tasks for this project. One of the first was getting our two UCS C240 rack-mount servers going. Our purchase was part of a larger order, so our UCS rack-mount servers came bare metal: no ESXi or UC components were pre-installed. I originally wanted to install ESXi on the Cisco FlexFlash SD card, but then found out that UC on UCS doesn't recommend that configuration. I also found out that Cisco recommends creating two RAID 5 arrays across the 16 drives we have in our C240s.

[Image: Cisco UCS C240 2U rack-mount server]

If you want to stay on a Cisco Tested Reference Configuration (TRC), I recommend this Cisco page for reference:

http://docwiki.cisco.com/wiki/UC_Virtualization_Supported_Hardware


Cisco Virtual Internet Routing Lab – Up and Running…

I was finally able to fix the issue I described in my earlier Cisco VIRL article. My original bare metal box only had 3 NICs, and VIRL requires at least 5. If you don't have 5 NICs, you have to add dummy interfaces to /etc/virl.ini. I had done this earlier, but must have made a mistake in the config. I double-checked the config and also ran the VIRL-rehost script that sits on the desktop when you log in to VIRL. Running the script wasn't in the VIRL doc steps, so I hadn't done it before. Running it after modifying virl.ini with the dummy interfaces finally fixed my issue: the script rewrote /etc/network/interfaces with the correct dummy interfaces. Here's an example of what the script added:

iface dummy1 inet static
    address 172.16.3.254/24
    netmask 255.255.255.0
    post-up ip link set dummy1 promisc on

I set up an IOSv router and connected it to an L2 External (flat) network, which connects back out through one of my physical NICs. That connection goes into a real Cisco WS-C3560X 24-port switch, which is connected to my network, and I assigned my PC another IP address on the 172.16.1.x network. I can now SSH into the IOSv router directly from my desktop.

[Image: VIRL flat network topology]

Now that I have worked out all the bugs, I’m pretty impressed with the functionality that VIRL provides. Now I’m going to see how many routers I can throw at this box.

Ping you later,

@javi_isolis


Cisco VIRL setup

In my last post I talked about getting a Cisco VIRL (Virtual Internet Routing Lab) server going. I started with a Hyper-V installation, which wasn't listed as supported, but gave it a try anyway. What I found out is that Hyper-V would not work with my setup because I couldn't do nested virtualization. Cisco VIRL runs KVM under the hood, which needs native VT-d. I couldn't get Hyper-V to pass VT-d to the host, so that was a no-go. I decided to wipe the drive and load the ISO version of Cisco VIRL directly on my box. After a few failed attempts, I finally got VIRL to run without an error when licensing the software. You have to follow the VIRL install guide to the letter. I accidentally didn't use the exact hostname the guide specified, which made the initial installation throw an error every time I tried to run the User Workspace Manager. After following the directions exactly, I was able to get VIRL to load.

Now I’m running into one last error message:

state changed from BUILD to ERROR with message: No valid host was found. Exceeded max scheduling attempts 3 for instance


I'm digging into the logs to figure out what the issue is; I'm really close. Hopefully my next post will be an in-depth review of Cisco VIRL.


Occupied, time to set up Cisco VIRL

I've been occupied with many other things lately, especially with the holidays: family, work, etc. I haven't been able to sit down and write, but I ran into something pretty cool that I wanted to share. For those of you always looking to expand your networking knowledge, Cisco just released VIRL, the Virtual Internet Routing Lab. This is Cisco's newest virtualization lab simulation tool, and it's reasonably priced as well.

I saw this as a perfect opportunity to build a homebrew Cisco VIRL Hyper-V server. Unfortunately Hyper-V isn't supported, but that didn't stop me. I recently found a Dell Studio 435 with an i7-920 processor in the garbage down the street. The only issue it had was a dying power supply.

[Image: Cisco VIRL home server (Dell Studio 435)]

Once that was fixed, I started to install Hyper-V 2012. To my dismay, I couldn't get Hyper-V loaded without the installation crashing. All settings looked good: virtualization was enabled in the BIOS and all the other recommended settings were set. I then realized the BIOS version was pretty old and figured I'd try an update. Lo and behold, a BIOS firmware update fixed the crashing. I slapped in another Broadcom PCI-E NIC and finished the install. Now I'm having trouble getting the Broadcom NIC and the onboard NIC to load correctly. After searching the Internet, I figured out how to manually add drivers in Hyper-V core mode. I'm still running into NIC detection issues, so I may run ESXi on another partition of the drive just to get VIRL running. Stay tuned....

You can now follow up on my cisco bare metal home build here.