Tuesday, June 7, 2016

Set management IP on a VLAN on Dell Force10 S55 Switch Stack

While these switches do have dedicated management Ethernet ports, it's often simpler and neater to set a management IP on the normal out-of-band/management VLAN that's already trunked on the uplink. For whatever reason the official Dell knowledge base article on the subject leaves out a crucial detail! It's necessary to set a default route before communication can commence. If you haven't set an IP on the management port you can't issue the management route command. Instead you need to issue the following to set a normal default gateway for the switch:
ip route 0.0.0.0/0 192.168.0.1
Once that's done you're all set!
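For reference, here is the full in-band management configuration as an added example; it is not from the Dell article and the VLAN number, uplink port and addresses are assumed values:

```text
! Added example, not from the Dell KB article. Assumed values: VLAN 100 is the
! management VLAN, GigabitEthernet 0/47 is the trunked uplink, and 192.168.0.1
! is the router on that VLAN.
interface Vlan 100
 description management
 ip address 192.168.0.10/24
 tagged GigabitEthernet 0/47
 no shutdown
!
! Default route in the switch's normal routing table. This is what stands in
! for "management route", which needs an IP on the dedicated management port.
ip route 0.0.0.0/0 192.168.0.1
```

Check it with `show ip route` and `ping 192.168.0.1` from the switch before walking away. Note that because this is the ordinary routing table rather than the management one, the switch's own traffic and any routed data traffic now share that default route.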

Friday, April 8, 2016

VMCA Intermediate CA

In vCenter 6 (and maybe some earlier versions) it's possible to configure the vCenter server to act as a subordinate CA to your existing PKI and issue all certs as part of a trusted chain. There are lots of instructions on the VMware knowledge base, but there are at least two critical errors in the CLI guide.

The page that describes the process of compiling the VMCA chained cert, which includes your root (and any other intermediate certs), clearly shows the order as:
-----BEGIN CERTIFICATE-----
Certificate of VMCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Certificate of intermediary CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Certificate of Root CA
-----END CERTIFICATE-----

But if you try this you will receive errors regarding an invalid cert chain. Specifically you will see:
Error Code : 70063
Error Message : Invalid Certificate Chain was gives as input

That's because this is exactly backwards! The new cert needs to be at the top, followed by the intermediate, then the root. I learned that on a couple of different blogs. I was hesitant to believe it at first, but once I found it in multiple sources I gave it a shot and sure enough it worked.
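A quick way to catch the ordering problem before certificate-manager does, as an added example (this is not VMware's code and the file path is assumed): it reads a PEM bundle and confirms each certificate is followed by its issuer and the bundle ends with a self-signed root. It checks ordering only, not signatures.

```powershell
# Added example, not from the post or from VMware. Checks that a PEM bundle is in
# leaf-first order: each certificate must be followed by the one that issued it,
# and the bundle must end with a self-signed root. Ordering only; no signature check.
function Test-PemChainOrder {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)   # e.g. C:\certs\vmca-chain.cer (assumed)

    $pem = Get-Content -Path $Path -Raw
    $blocks = [regex]::Matches($pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) { throw "No PEM certificates found in $Path" }

    # Decode each PEM block to DER and load it with the .NET X.509 parser
    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    })

    $problems = @()
    # Entry i must have been issued by entry i+1 (compared on the formatted DN strings)
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            $problems += "Entry $i ($($certs[$i].Subject)) is not issued by entry $($i + 1) ($($certs[$i + 1].Subject))"
        }
    }
    # The last entry should be the root, i.e. self-signed
    $last = $certs[-1]
    if ($last.Issuer -ne $last.Subject) {
        $problems += "Last entry ($($last.Subject)) is not self-signed; the bundle should end with the root CA"
    }

    [pscustomobject]@{
        Order    = ($certs | ForEach-Object { $_.GetNameInfo('SimpleName', $false) }) -join ' -> '
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (assumed file name)
Test-PemChainOrder -Path 'C:\certs\vmca-chain.cer'
```

A bundle in the wrong order reports every adjacent pair as "not issued by" and the last entry as not self-signed, which is the same condition certificate-manager rejects with error 70063.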

The second error relates to the vpxd service not restarting in time, leading certificate-manager to attempt to roll back the changes (which fails). This situation is described in this forum posting, but no answer is given. After many hours of testing, digging through logs, and so on, a possible solution was discovered on this only tangentially related forum thread: nowhere in the documentation is there any mention of required OU entries for any of the certificates, but this blog post states that as of 6.0u1b and 6.0u2 there are in fact distinct requirements. They are as follows:
For the MACHINE CSR, use "Root" for Organizational Unit (OU)

For the Solution User certificate CSRs:
For machine, use "Machine" as OU
For vsphere-webclient, use "WebClient" as OU
For vpxd, use "VPXD" as OU
For vpxd-extension, use "VPXD-EXT" as OU

After changing these values the process ran through to completion.

My last headache was caused by my reading "stopping services" and "starting services" to mean that the services had been restarted. In fact it was necessary to restart all services (or the vCenter instance, in my case) before all of the new certs took effect.

I hope this helps someone in the future avoid some of the pain I've experienced for the past two days.

Thursday, February 11, 2016

X-IO Technology ISE Bad Password Immediately After Reset

We installed a rack of X-IO ISE 200 and 800 series SAN shelves for POC testing purposes this week. A random password was generated to replace the default and stored in our password safe, as is our procedure. Unfortunately, immediately after setting this password we could no longer log in with the new one, nor the default! A bit of hammering led me to discover that this was caused by the random password containing a backslash character. As soon as I removed the backslash and attempted to log in, the password worked again. Apparently the set-password routine stripped the backslash (probably sanitizing input) and set the password, while the login routine treated it as a valid password character. Could that mean that the authentication fields are not sanitized at all? I hope little Bobby Tables doesn't try to log in...
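The failure pattern above, reproduced as an added example (this is not X-IO's code, which is not public): a set-password path that strips backslashes next to a login path that does not, and the fix, which is to apply exactly the same processing on both paths (here, none at all). PBKDF2 stands in for whatever the appliance actually does, and the password value is constructed.

```powershell
# Added example, not X-IO's code. Shows why password handling must be identical on the
# set-password and login paths. PBKDF2 (Rfc2898DeriveBytes) is a stand-in for the
# appliance's real storage scheme; the salt and password below are constructed.
function Get-PasswordDigest {
    param([string]$Password, [byte[]]$Salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, 100000)
    try { [Convert]::ToBase64String($kdf.GetBytes(32)) } finally { $kdf.Dispose() }
}

# The suspected "sanitizer" on the set-password path
function Remove-Backslash { param([string]$s) $s.Replace('\', '') }

$salt = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

# Constructed random-style password that happens to contain a backslash
$pw = 'k3\Z9q!Wm'

# Broken: strip on set, do not strip on login. The password as typed never matches,
# and the only thing that does match is the stripped form the user never chose.
$storedBroken        = Get-PasswordDigest -Password (Remove-Backslash $pw) -Salt $salt
$loginBrokenAsTyped  = (Get-PasswordDigest -Password $pw -Salt $salt) -eq $storedBroken
$loginBrokenStripped = (Get-PasswordDigest -Password (Remove-Backslash $pw) -Salt $salt) -eq $storedBroken

# Fixed: no transformation on either path. A backslash is just another character once
# the password is passed to the KDF as data rather than interpolated into a command.
$storedFixed       = Get-PasswordDigest -Password $pw -Salt $salt
$loginFixedAsTyped = (Get-PasswordDigest -Password $pw -Salt $salt) -eq $storedFixed

[pscustomobject]@{
    BrokenAsTyped  = $loginBrokenAsTyped
    BrokenStripped = $loginBrokenStripped
    FixedAsTyped   = $loginFixedAsTyped
}
```

The operational lesson for a defender is the check you can do without the vendor's source: after setting a generated password on any appliance, log in once with it before closing the ticket, and if it fails, retry with any shell-significant characters removed to confirm whether input is being silently altered.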

Thursday, January 28, 2016

DIY Fiber Tester

Ever find yourself staring at a bundle of unknown fiber optic cables without your trusty (and expensive) Fiber Identifier? Fear not! As long as you're carrying your Android phone or iPhone you are in luck. Activate your LED flashlight and point one end directly into one strand of fiber. Check the fibers on the other end and you will see immediately which is which! I've uncovered a similar device on Instructables which would also be helpful but nothing beats the convenience of a device you're already carrying with you anyway.

Tuesday, January 5, 2016

Count all computer accounts in Active Directory

I needed to quickly get a count of how many computer objects there were:

Import-Module ActiveDirectory
Get-ADComputer -Filter * | Measure-Object

gave me the info I was looking for!
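Going a step beyond a bare count, as an added example (not from the original post): the same cmdlet with a few extra properties gives the numbers an AD hygiene review usually wants, namely enabled versus disabled accounts, accounts that have not logged on recently, and a breakdown by operating system. The 90-day staleness cutoff is an assumed value.

```powershell
# Added example, not from the original post. Counts computer objects by state and
# operating system. The 90-day cutoff is an assumed value; align it with your policy.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)

# One query with the extra attributes; Enabled is returned by default, the others are not
$computers = @(Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem)

[pscustomobject]@{
    Total    = $computers.Count
    Enabled  = @($computers | Where-Object { $_.Enabled }).Count
    Disabled = @($computers | Where-Object { -not $_.Enabled }).Count
    # Enabled accounts that have either never logged on or not logged on since the cutoff
    Stale    = @($computers | Where-Object {
                   $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
               }).Count
}

# Per-OS breakdown, most common first
$computers | Group-Object OperatingSystem | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Stale but still enabled computer accounts are the ones worth a second look, since they are the objects nobody is watching.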

Tuesday, November 4, 2014

Magic Buttons

Sudden mysterious spam increase with Exchange Online Protection

We've been using Exchange Online Protection and its predecessor, Forefront Online Protection for Exchange, for about 5 years now. Somehow, suddenly, in the last couple of months we got a drastic increase in the amount of spam being delivered to users' mailboxes. I found, read, and even commented in this thread where other users were seemingly encountering the same issue.

Eventually I, with no support from MS, found the source of my issue though I'm not exactly sure how it came about.

We had always had our default content filter set to move spam and high confidence spam directly to the online quarantine. At some point this changed to what is now (and maybe always was) the default behavior of delivering the spam to the users' Junk Email folder, as described in this TechNet article. We did not have the necessary transport rules in place to actually cause the mail to go to Junk Email, so it was just being delivered to the inbox.

I'm not clear if the default behavior changed, or if our rule had been modified and then subsequently reverted to default.

I can say that we signed up to demo Exchange Online, so it's possible that it reverted during the setup of our temporary "hybrid" demo situation. The timing seems about right but I can't say for certain this is the root cause of the issue.
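The setting in question can be audited and pinned from Exchange Online Protection PowerShell. As an added example (not from the original post; it assumes a remote PowerShell session to EOP is already open and that the policy is named "Default"), this shows the weak state next to the corrected one:

```powershell
# Added example, not from the original post. Assumes an Exchange Online Protection
# PowerShell session is already open and the policy to inspect is named "Default".

# Audit: what does each content filter policy do with spam and high-confidence spam?
Get-HostedContentFilterPolicy |
    Select-Object Name, IsDefault, SpamAction, HighConfidenceSpamAction, QuarantineRetentionPeriod

# The state the post describes: MoveToJmf hands the message to the mailbox server, which
# only files it in Junk Email if the on-premises SCL transport rules are in place.
# Quarantine keeps the message in EOP regardless of what the downstream mail system does.
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine

# Confirm the change took
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object SpamAction, HighConfidenceSpamAction
```

Keeping the first command's output with your change records makes a silent revert like the one described here visible the next time someone runs it.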