Monday, October 31, 2011

ASA 5510 IOS 8.x ASDM firewall dashboard IOS commands

As of 8.x, the ASDM has some excellent features to allow you to track down top talkers and get a better view into your traffic flows, but each of these features (especially the Top 10 Services) uses a good bit of RAM. If you are running a 5510 or smaller, that can cause you to run out of RAM. While the ASDM gives you the option to enable these features, you need to disable them via command line.

Use the 'no' keyword in front of the commands below to disable those functions:

Top 10 Access-Lists
======================================
enable
threat-detection statistics access-list
disable
no threat-detection statistics access-list

Top 10 Services (Very Memory Intensive - use only when troubleshooting)
======================================
enable
threat-detection statistics port
threat-detection statistics protocol
disable
no threat-detection statistics port
no threat-detection statistics protocol

Top 10 Sources / Top 10 Destinations (same command)
======================================
enable
threat-detection statistics host
disable
no threat-detection statistics host

Tuesday, October 11, 2011

Using the Apple iPad/iPhone Configuration Utility for VPN

For my VPN profile I will call it “com.tobiasvpn.profile”.

Select the “VPN” section and click “Configure” to configure our settings.

Here I’ll setup the specifics for my VPN connection.

“Connection Name”        Tobias’ Home VPN
“Connection Type”        L2TP
“Server”                 myhouse.fatofthelan.com
“Account”                admin
“User Authentication”    Password
“Shared Secret”          mysooooperpassword
“Send All Traffic”       Checked

Now I have a very basic configuration that will automatically configure the VPN client on my iPhone to connect back to my house. Next I have to get it to my iPhone. The easiest way for me to get it on my iPhone is to email the profile to myself so I can install it. To do this click the “Share” button and you’ll be presented with the option to sign the profile before sending it. I just accepted the default option to “Sign Configuration Profile” and clicked “Share”. This should open a new email message with the profile file attached, ready to email to myself. Send the email and look for it in your email on your iPhone.

When I check my email on my iPhone I see the profile as an attachment; I touch it to begin installing my newly created profile.

Now I’m taken to the “Install Profile” screen where I touch “Install”.

I get a notification that the profile is unverified, asking whether I want to continue. Touch “Install Now”. Note that you will be prompted for your PIN if one is enabled.

Next I’m asked for the password for my account name. I enter it and touch “Next”.

And finally it’s finished installing.

Now to test it out. I touch “Settings” and see that there is a new menu item, “VPN”.

I touch the “VPN” switch to begin connecting.

It connects! You should see a little blue icon on the menu bar showing that it is connected.
From here I can get in to anything on my home network just like I was there.

Monday, August 8, 2011

Windows Live Writer Unable To Upload Posts To Google Blogger

Windows Live Writer really is a boon to a blogger. It gives a blogger the freedom to write a post without even connecting to the internet or logging in to your blog. For those who don’t know what Windows Live Writer is, Live Writer is a free tool from Microsoft which comes bundled with Windows Live Essentials. You can download all the tools or just the Writer.
Now back to the topic. After creating this blog (which is on Google Blogger), I wrote a post on OpenID using Windows Live Writer (WLW), then I hit the Publish button. It started to upload the post, but after some time it gave an error message of timed out, or sometimes an unexpected error. The post contained many pictures. I searched the web for a solution to this problem and found out that it was a common problem suffered by many bloggers who use Google Blogger with WLW.

The Solution:

Later I found out that the error was because WLW tried to upload the images/pictures to a ‘Windows Live Writer’ album (which didn't exist) on my Picasa Web Album account. As you may already know, Google Blogger stores a blog’s images in the user’s Picasa Web Album. So the solution to this widespread problem is just an album name. All you have to do is create an album named ‘Windows Live Writer’ in your Picasa Web Album (note that you should be logged in with the same Google account which you use to log in to Google Blogger).
You can now publish posts written using Windows Live Writer. And don’t misspell the album’s name: ‘Windows Live Writer’.

Border Gateway Protocol (BGP) Basics

 

Routing involves two basic activities: determination of optimal routing paths and the transport of information groups (typically called packets) through an internetwork. The transport of packets through an internetwork is relatively straightforward. Path determination, on the other hand, can be very complex. One protocol that addresses the task of path determination in today’s networks is the Border Gateway Protocol (BGP).

  • It is an Exterior Gateway Protocol (EGP) used to connect between autonomous systems (AS), defined in RFC 1711
  • BGP is a
    • Advanced distance vector routing protocol.
    • Path vector routing protocol.
    • Policy based routing protocol.
    • Inter domain routing protocol. (IDRP)
  • It is a classless routing protocol, hence supports VLSM and CIDR.
  • Latest version of BGP is BGP 4.0
  • BGP exchanges routing information by forming a unicast neighbor relationship with other devices running BGP. This connection is formed using the TCP protocol on port 179.
  • BGP describes paths using attributes, which are similar to metrics.
  • BGP routers exchange network reachability information called path vectors, made up of path attributes.
  • BGP peers initially exchange their entire routing table and then send only periodic updates as changes occur in the routing table.
  • Timers
    • Route exchange Internal Peer: 5 seconds
    • Route exchange External Peer: 30 seconds
    • Keepalive: 60 seconds
    • Holdtime: 180 seconds
  • BGP keeps a version of the routing table and it should be identical for all its peers. The version number changes whenever BGP updates its routing table because of a routing information change, so if the version number increases often there is likely a route-flapping issue.
  • Two types of BGP
    • EBGP: Communication b/w two Autonomous system
    • IBGP: Communication b/w the same Autonomous system (Gotcha: BGP neighbors in the same autonomous system SHOULD be fully meshed)
  • AD for BGP:
    • External BGP :20
    • Internal BGP: 200
  • When to use BGP
    • Dual or Multi-homed
    • Providing partial or full internet routing to a downstream router
    • Anytime the AS path information is required


Wednesday, June 29, 2011

Disappearing SSL certificates from IIS 7.0 manager


“I install an SSL server certificate using the ‘Complete Certificate Request’ wizard in IIS Manager and when I refresh the view the certificate disappears.”
I have heard that a couple of times, and every time I used to go “What?”, until someone showed it to me.
If you are one of those who are wondering about this read on.
The Server Certificates module in IIS manager displays a list of certificates from the Local Machine SSL store.
But it only lists a certificate if:
1. The certificate has a private key (.pfx format)
2. The certificate is meant for Server Authentication
And this is where the disappearing act occurs.
IIS Manager enumerates all the extensions of the certificate and checks whether OID 2.5.29.37 (Extended Key Usage) exists. If it does, the certificate's Enhanced Key Usage section must contain 1.3.6.1.5.5.7.3.1 (Server Authentication); otherwise the certificate is not shown.
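The check the post describes, written out at the DER level as an added example (this code is not from the post and is not IIS's own implementation): an OID encoder/decoder, a parser for the ExtKeyUsage value, and `iis_would_list`, which applies the two conditions above to a certificate's extension table. The extension tables at the bottom are constructed samples rather than values read from a real certificate; `iis_would_list`, `parse_eku`, `encode_oid` and `decode_oid` are names chosen here.

```python
from __future__ import annotations

EKU_EXTENSION_OID = "2.5.29.37"        # id-ce-extKeyUsage
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, used only to build samples


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, first two arcs merged, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, for the content octets only (no tag or length)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_sequence(*elements: bytes) -> bytes:
    """Wrap encoded elements in a SEQUENCE (short-form length, enough for an EKU)."""
    content = b"".join(elements)
    if len(content) >= 128:
        raise ValueError("long-form length not implemented")
    return bytes([0x30, len(content)]) + content


def parse_eku(value: bytes) -> list[str]:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID)."""
    if not value or value[0] != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    pos, end, purposes = 2, 2 + value[1], []
    while pos < end:
        tag, size = value[pos], value[pos + 1]
        if tag != 0x06:
            raise ValueError("element inside EKU is not an OID")
        purposes.append(decode_oid(value[pos + 2:pos + 2 + size]))
        pos += 2 + size
    return purposes


def iis_would_list(has_private_key: bool, extensions: dict[str, bytes]) -> bool:
    """The two conditions from the post: private key present, and serverAuth in EKU if EKU exists."""
    if not has_private_key:
        return False
    eku = extensions.get(EKU_EXTENSION_OID)
    if eku is None:
        return True   # no EKU extension: nothing restricts the purpose, so it is listed
    return SERVER_AUTH_OID in parse_eku(eku)


# Constructed extension tables (OID -> DER value), standing in for a parsed certificate.
SERVER_CERT_EXTS = {EKU_EXTENSION_OID: der_sequence(encode_oid(SERVER_AUTH_OID), encode_oid(CLIENT_AUTH_OID))}
CLIENT_ONLY_EXTS = {EKU_EXTENSION_OID: der_sequence(encode_oid(CLIENT_AUTH_OID))}
NO_EKU_EXTS: dict[str, bytes] = {}
```

Feeding it a real certificate's extension table needs an X.509 parser in front of it; the point of the block is that 2.5.29.37 encodes to the bytes 55 1d 25 and 1.3.6.1.5.5.7.3.1 to 2b 06 01 05 05 07 03 01, and that a certificate carrying an EKU without the latter (a client-auth-only certificate, for instance) is exactly the one that vanishes from the list.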

Wednesday, May 18, 2011

Setup SSL Certificate on Cisco 3000 Series VPN Concentrator

In this case we went with a SSL Certificate from GoDaddy.com because of price. The problem arose from the fact that the CSR (Certificate Signing Request) wasn’t generated from the Cisco VPN Concentrator itself. However, in retrospect, this was probably the only way to do it properly because there doesn’t seem to be a way to export the private key from the Cisco. This would have posed a problem in our case because we purchased a Wildcard SSL Certificate (*.domain.tld) that can be installed on unlimited servers in our domain, and secure any host server within our domain.
Required Resources: The following software was used to complete this project:
Resolution: These are the general steps necessary to set this up, and should work for most major Certificate Authorities (CAs):
  1. Certificate Signing Request (CSR) generated on IIS Server. The CSR contains the Requested Public Key. The Private Key is left on the server.
  2. CSR submitted to Certificate Authority (CA). They generate the SSL Certificate, and provide the Cert, along with their CA Cert and Intermediate Cert.
  3. The CA Cert and Intermediate Cert are installed as CA Certs on the Cisco VPN Concentrator 3000.
  4. Here’s the tricky part. The Cisco Concentrator requires the SSL Cert to be in PKCS8 format, and contain the Private key and SSL Cert.
  5. I exported the Private/Public Key pair from the IIS Server, using the Windows Certificate Export Wizard; selecting to export both keys, and saving withOUT ‘high security’, and a password.
  6. This generates an encrypted PKCS12 file.
  7. At the Unix command line (I used Cygwin), I used OpenSSL (thanks to this site for OpenSSL basics) to first convert the PKCS12 file to standard (PEM) format:
    openssl pkcs12 -in CERTIFICATE_NAME.pfx -out CERTIFICATE_NAME.pem
    The command prompts for the password used to export the key file from the IIS server, then asks for a new password.
  8. I then converted the standard file to PKCS8 format for the Cisco:
    openssl pkcs8 -in CERTIFICATE_NAME.pem -topk8 -out CERTIFICATE_NAME.pk8
    Again the command prompts for the ‘new password’ from the last step, and asks for yet another new password.
  9. Back on the Cisco Concentrator, I import a SSL certificate manually with Private Key for the Private Interface. Use the ‘copy and paste’ method.
  10. One other issue we have is that our CA uses an ‘Intermediate Certificate’, creating a ‘chain’ of 3 trusted certificates: ours, the ‘intermediate’ CA and the ‘root’ CA.
  11. In a text editor open both the CERTIFICATE_NAME.pk8 Private Key file you generated, along with the CERTIFICATE_NAME.cer SSL Certificate file provided to you by the CA.
  12. Copy and paste the Private key into the text box on the concentrator.
  13. Then immediately after, copy and paste the SSL Certificate. Avoid any excess spaces or blank lines.
  14. Then copy and paste the issuing (intermediate) certificate after the SSL Certificate.
  15. Finally copy and paste the Root Certificate at the end.
  16. The whole thing should look something like this:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIICiyuqweiSDuryiGquweryiDFuqweyGrqour

    9bgt3ouiiDnmbweFmnriorGuweioruu8u=
    -----END ENCRYPTED PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEZkjasdlkDFajljkFyasdf8kGlyysfklysk

    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEQkjasdlkDFajljkFyasdf8kGlyysfklysk

    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIC5jasdlkDFajljkFyasdf8kGlyysfklysk

    asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
    -----END CERTIFICATE-----
  17. Enter the same sequence of data again for the Public interface.
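An added example, not from the post, that assembles the paste described in steps 11 to 16 and checks it: it pulls the PEM blocks out of the key file and the three certificate files, insists on the order key, server certificate, intermediate, root, and re-wraps the bodies so that no blank lines or trailing spaces survive (the warning in step 13). The sample bodies reuse the post's dummy base64, so they are placeholders, not a real key or certificates; `build_paste`, `pem_blocks` and `paste_is_well_formed` are names chosen here. It checks structure only; it does not verify that each certificate was issued by the next one in the chain.

```python
from __future__ import annotations

import re

# One PEM block: label, then base64 body (whitespace tolerated), then the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
BASE64_CHARS = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Order the concentrator expects: PKCS#8 key, server cert, intermediate CA, root CA.
EXPECTED_LABELS = ["ENCRYPTED PRIVATE KEY", "CERTIFICATE", "CERTIFICATE", "CERTIFICATE"]


def pem_blocks(text: str) -> list[tuple[str, str]]:
    """Return (label, body) pairs; the body has every space and line break removed."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
        if not BASE64_CHARS.fullmatch(body):
            raise ValueError(f"{label}: body contains non-base64 characters")
        blocks.append((label, body))
    return blocks


def render_block(label: str, body: str, width: int = 64) -> str:
    """Re-wrap a body at the usual 64 columns with no blank lines."""
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


def build_paste(key_pem: str, server_pem: str, intermediate_pem: str, root_pem: str) -> str:
    """Concatenate the four files in the required order; refuse anything missing or out of order."""
    blocks = [block for pem in (key_pem, server_pem, intermediate_pem, root_pem) for block in pem_blocks(pem)]
    labels = [label for label, _ in blocks]
    if labels != EXPECTED_LABELS:
        raise ValueError(f"expected {EXPECTED_LABELS}, got {labels}")
    return "\n".join(render_block(label, body) for label, body in blocks)


def paste_is_well_formed(text: str) -> bool:
    """True if the text has the four blocks in order and no blank or whitespace-padded lines."""
    labels = [label for label, _ in pem_blocks(text)]
    lines = text.split("\n")
    return labels == EXPECTED_LABELS and all(line and line == line.strip() for line in lines)


# Constructed placeholders (the post's own dummy base64, not real key material);
# the blank line inside the key mimics what a careless copy/paste leaves behind.
KEY_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICiyuqweiSDuryiGquweryiDFuqweyGrqour

9bgt3ouiiDnmbweFmnriorGuweioruu8u=
-----END ENCRYPTED PRIVATE KEY-----
"""
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIIEZkjasdlkDFajljkFyasdf8kGlyysfklysk
asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
-----END CERTIFICATE-----
"""
INTERMEDIATE_PEM = SERVER_PEM.replace("MIIEZ", "MIIEQ")
ROOT_PEM = SERVER_PEM.replace("MIIEZ", "MIIC5")

if __name__ == "__main__":
    print(build_paste(KEY_PEM, SERVER_PEM, INTERMEDIATE_PEM, ROOT_PEM))
```

Running it prints the text to paste for the Private interface; step 17 pastes the same text again for the Public interface. A plain concatenation of the four files fails `paste_is_well_formed` because of the blank line and trailing newline, which is the kind of input the concentrator rejects.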

Friday, May 13, 2011

How To Backup ESXi Configuration – The Missing Piece

This came up on #VMware on Freenode this weekend. Basically the concern was “How do I Backup my ESXi USB Key?” Other than ripping the USB key out of a production machine… how was the user to do this? Well, vMA and the vCLI provide a method for this:

Backing up your ESXi Configuration:

To backup your ESXi configuration you’ll be using the vicfg-cfgbackup.pl command as follows:
  • Download either the vMA or vCLI
  • Launch vicfg-cfgbackup.pl:
    C:\Program Files\VMware\VMware vSphere CLI\bin>vicfg-cfgbackup.pl --save --server 192.168.15.253 --username root --password password backup.bak
  • Note: The backup will be stored relative to your user “AppData” path:
    C:\Users\Username\AppData\Local\VirtualStore\

Restoring your ESXi Configuration:

Restoring your ESXi config can be done after you have the host up and responding over the network again by using the following:

C:\Program Files\VMware\VMware vSphere CLI\bin>vicfg-cfgbackup.pl --load --server 192.168.15.253 --username root --password password backup.bak

Note: You will be asked to reboot the host on restore.

Backing up multiple hosts! – There is a script to backup multiple ESXi hosts on the VMware communities site here. Also in PowerCLI here!

[Edit: Added link to backup multiple ESXi hosts from William in the comments. Thanks William!]
[Edit 2: Added PowerCLI link from NiTRo. Site is in French, PowerCLI is not]


ESXi and USB failure?

Interesting Article

In recent years, servers with embedded USB storage have become common practice. Today, all major hardware vendors deliver servers with embedded ESXi. Even in my home lab, servers are equipped with an onboard USB connector, USB stick and ESXi. Recently, on one host, the USB stick was moved to an external connector.  I was wondering, what would happen with an ESXi host with USB stick failure. Or even worse, pulling the USB stick.

So, after booting up my 2 node cluster, I made a fresh backup of a few important VMs and checked the vCenter Service Status. Now, it is time to remove the USB stick from one host. And this is what happened:
  • VMs on the affected host are still running.
  • Task & Events of the affected host shows this message “Lost connectivity to storage device mpx.vmhba32:C0:T0:L0. Path vmhba32:C0:T0:L0 is down. Affected datastores: “Hypervisor1”, “Hypervisor2”, “Hypervisor3”.”.
  • Followed by 3 Alarms “Cannot connect to storage”.
  • Another message in Tasks & Events is “Boot partition /bootbank cannot be found (0:02:33:03.304 cpu1:30722)”.
  • Time for some testing, all these actions do work: Power On a VM, Migrate a VM, host in Maintenance Mode, Exit Maintenance Mode (HA Agent is configured correctly).
  • Also the ESXi console is doing fine, System Customization is in place, and so are the System Logs.
  • From time to time above messages are repeated and in some occasions while migrating VMs “The Operation is not allowed in the current state” messages are received.
  • After 24 hours, the host is still running and performing. So finally I decided to put the host in Maintenance Mode and shut it down. The power down took about 10 minutes (less than 2 minutes is normal).
  • After insertion of the USB stick, the host was powered on and was automatically reconnected to the cluster.
At this time, my tentative conclusion is that failure, or even a missing USB stick, does not have much impact on an ESXi host. Thanks for reading and I’m very interested in your experience and opinions concerning this subject.
P.S. A few days after posting, I stumbled onto this post, written by Alan Renouf. In the first part it is explained why ESXi keeps running without USB boot device.

Script from Alan to backup ESXI host.

############################
$RootFolder = "C:\Support\"
Get-VMHost | Foreach {
    Write-Host "Backing up state for $($_.Name)"
    $Date = Get-Date -f yyyy-MM-dd
    $Folder = $RootFolder + $Date + "\$($_.Name)\"
    If (-not (Test-Path $Folder)) {
        MD $Folder | Out-Null
    }
    # The bundle is written to the root folder first and moved into the
    # dated per-host folder afterwards.
    $_ | Get-VMHostFirmware -BackupConfiguration -DestinationPath $RootFolder
    # Next lines are a workaround for -DestinationPath not working correctly
    # with folder names with a - in them. Only files are moved, so the dated
    # folder itself is not swept up by the wildcard.
    Get-ChildItem $RootFolder | Where-Object { -not $_.PSIsContainer } |
        Move-Item -Destination $Folder -ErrorAction SilentlyContinue
}
########################################

Thursday, May 5, 2011

To check the number of cores for a CPU in a virtual machine, you can use one of these utilities:
  • Coreinfo
    Coreinfo is a Microsoft command-line utility, developed by Mark Russinovich. It displays the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside. It also provides information on the cache assigned to each logical processor.

    To check the distribution of cores across sockets, use the coreinfo -c -s command. To download and install Coreinfo, click here.
  • CPU-Z utility
    CPU-Z is a freeware application for Microsoft Windows operating systems that provides information about the CPU, processor, cache, memory, system board, graphics, and other hardware features. To download and install CPU-Z, see http://www.cpuid.com/.
In the figure below, the cpuid.coresPerSocket is set to 4 and, therefore, the number of cores per CPU is 4.
 
 
For information about setting the number of cores per socket in a virtual machine, see Setting the number of cores per CPU in a virtual machine (1010184).

Additional Information

  • CPU – Is the portion of a computer system that performs the instructions of a computer program. It is the primary element that carries out the computer’s functions. 
  • Core – Is a logical execution unit containing an L1 cache and functional units needed to execute programs. Cores can independently execute programs or threads. 
  • Socket – Is a physical connector on a computer motherboard that accepts a single physical chip.

Wednesday, May 4, 2011

Setting the number of cores per CPU in a virtual machine

Some operating system SKUs are hard-limited to run on a fixed number of CPUs. For example, Windows Server 2003 Standard Edition is limited to run on up to 4 CPUs. If you install this operating system on an 8-socket physical box, it runs on only 4 of the CPUs. The operating system takes advantage of multi-core CPUs so if your CPUs are dual core, Windows Server 2003 SE runs on up to 8 cores, and if you have quad-core CPUs, it runs on up to 16 cores, and so on.

Virtual CPUs (vCPU) in VMware virtual machines appear to the operating system as single core CPUs. So, just like in the example above, if you create a virtual machine with 8 vCPUs (which you can do with vSphere) the operating system sees 8 single core CPUs. If the operating system is Windows 2003 SE (limited to 4 CPUs) it only runs on 4 vCPUs.
 
 
Note: Remember that 1 vCPU maps onto a physical core not a physical CPU, so the virtual machine is actually getting to run on 4 cores.
 
Considering that 1 vCPU is equal to 1 CPU is an assumption for the sake of simplification, since vCPUs are scheduled on logical CPUs, which are hardware execution contexts. These can be a whole core, in the case of a single-core CPU or CPUs that have only 1 thread per core, or just a thread, in the case of a CPU that has hyperthreading.
Consider this scenario:
In the physical world you can run Windows 2003 SE on up to 8 cores (using a 2-socket quad-core box) but in a virtual machine they can only run on 4 cores because VMware tells the operating system that each CPU has only 1 core per socket.
VMware now has a setting which provides you control over the number of cores per CPU in a virtual machine.
This new setting, which you can add to the virtual machine configuration (.vmx) file, lets you set the number of cores per virtual socket in the virtual machine.
 
To implement this feature:
  1. Power off the virtual machine.
  2. Right-click on the virtual machine and click Edit Settings.
  3. Click Hardware and select CPUs.
  4. Choose the number of virtual processors.
  5. Click the Options tab.
  6. Click General, in the Advanced options section.
  7. Click Configuration Parameters.
  8. Include cpuid.coresPerSocket in the Name column.
  9. Enter a value (try 2, 4, or 8) in the Value column.

     Note: Ensure that the number of vCPUs is divisible by the number of cpuid.coresPerSocket in the virtual machine. That is, when you divide the number of vCPUs by the number of cpuid.coresPerSocket, it must return an integer value. For example, if your virtual machine is created with 8 vCPUs, coresPerSocket can only be 1, 2, 4, or 8.

    The virtual machine now appears to the operating system as having multi-core CPUs with the number of cores per CPU given by the value that you provided in step 9.
  10. Click OK.
  11. Power on the virtual machine.

For example:
Create an 8 vCPU virtual machine and set cpuid.coresPerSocket = 2. Windows Server 2003 SE running in this virtual machine now uses all 8 vCPUs. Under the covers, Windows sees 4 dual-core CPUs. The virtual machine is actually running on 8 physical cores.
 
Note:
  • Only values of 1, 2, 4, 8 for the cpuid.coresPerSocket are supported for the multi-core vCPU feature in ESX 4.x.
  • In ESX 4.0, if multi-core vCPU is used, hot-plug vCPU is not permitted, even if it is available in the UI.
  • Only HV 7 virtual machines support the multi-core vCPU feature.
Important: When using cpuid.coresPerSocket, you should always ensure that you are in compliance with the requirements of your operating system EULA (Regarding the number of physical CPUs on which the operating system is actually running).
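The arithmetic behind cpuid.coresPerSocket, as an added example that is not part of the VMware article: validation of a vCPU/coresPerSocket pair under the rules above (supported values 1, 2, 4, 8 on ESX 4.x; the vCPU count must divide evenly), how many vCPUs a guest with a socket limit will actually use, and the smallest supported value that lets such a guest use all of them. Function names are chosen here; the socket limit of 4 in the usage call is the Windows Server 2003 SE figure from the article.

```python
from __future__ import annotations

# Values the article lists as supported for the multi-core vCPU feature in ESX 4.x.
SUPPORTED_CORES_PER_SOCKET = (1, 2, 4, 8)


def validate_cores_per_socket(vcpus: int, cores_per_socket: int) -> int:
    """Return the number of sockets the guest will see, or raise if the pair is invalid."""
    if cores_per_socket not in SUPPORTED_CORES_PER_SOCKET:
        raise ValueError(f"cpuid.coresPerSocket={cores_per_socket} is not one of {SUPPORTED_CORES_PER_SOCKET}")
    if vcpus % cores_per_socket:
        raise ValueError(f"{vcpus} vCPUs is not divisible by coresPerSocket={cores_per_socket}")
    return vcpus // cores_per_socket


def is_valid_pair(vcpus: int, cores_per_socket: int) -> bool:
    """Boolean form of validate_cores_per_socket, for callers that just want yes/no."""
    try:
        validate_cores_per_socket(vcpus, cores_per_socket)
        return True
    except ValueError:
        return False


def usable_vcpus(vcpus: int, cores_per_socket: int, os_socket_limit: int) -> int:
    """How many vCPUs an OS licensed for os_socket_limit sockets will actually use."""
    sockets = validate_cores_per_socket(vcpus, cores_per_socket)
    return min(sockets, os_socket_limit) * cores_per_socket


def choose_cores_per_socket(vcpus: int, os_socket_limit: int) -> int:
    """Smallest supported coresPerSocket that lets the OS use every vCPU.

    Smallest is chosen deliberately: it keeps the topology closest to the
    default of one core per socket while still fitting under the limit.
    """
    for cps in SUPPORTED_CORES_PER_SOCKET:
        if vcpus % cps == 0 and vcpus // cps <= os_socket_limit:
            return cps
    raise ValueError(f"no supported coresPerSocket lets {vcpus} vCPUs fit in {os_socket_limit} sockets")


if __name__ == "__main__":
    # The article's example: 8 vCPUs, an OS limited to 4 sockets.
    print("default (1 core/socket) uses", usable_vcpus(8, 1, 4), "vCPUs")
    print("recommended coresPerSocket:", choose_cores_per_socket(8, 4))
    print("with that setting the OS uses", usable_vcpus(8, choose_cores_per_socket(8, 4), 4), "vCPUs")
```

The last function also shows where the feature runs out: 64 vCPUs under a 4-socket limit would need 16 cores per socket, which is not a supported value on ESX 4.x, so the function raises rather than returning a configuration the hypervisor would not accept.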

Monday, May 2, 2011

Difference between Plenum & Riser Cat5/Cat6 cable

Plenum vs. Riser

Cable Ratings

Plenum (CMP) Rated Cable
Complies with NFPA-262 and UL-910. Only cable allowed in spaces defined as air plenums such as raised flooring systems and air handling ducts. Plenum cables must self extinguish and not reignite. They also produce less smoke than traditional PVC cables. The smoke and fumes are toxic.

Riser (CMR) Rated Cable
Complies with UL-1666. Defined for usage in vertical tray applications such as cable runs between floors through cable risers or in elevator shafts. These spaces cannot be used for environmental air. These cables must self extinguish and must also prevent the flame from traveling up the cable in a vertical burn test.

Other Cable Ratings:
Low Smoke Zero Halogen (LSZH) Rated Cable
Used in shipboard applications and computer networking rooms where toxic or acidic smoke and fumes can injure people and/or equipment. Examples of Halogens include Fluorine, Chlorine, Bromine, and Iodine. These materials when burned produce acidic smoke that can harm people and computer equipment. Low Smoke means the cable does not produce the heavy black soot and smoke common with PVC cables. These cables will self extinguish but cannot pass UL-910 or UL-1666 for a plenum or riser rating. 

General Purpose (CM, CMG, CMx) Cable
Complies with UL-1581 testing. Will burn and partially self extinguish. Not for use between building floors or in air plenum spaces. Often these cables are used for workstation cables and patch cords.

Wednesday, April 13, 2011

Choosing a network adapter for your virtual machine

Network adapter choices depend on the version number and guest operating system running on the virtual machine.


Available Network Adapters
Only those network adapters that are appropriate for the virtual machine you are creating, are available configuration options in the Choose Networks window.
  • Vlance — An emulated version of the AMD 79C970 PCnet32 LANCE NIC, an older 10 Mbps NIC with drivers available in most 32bit guest operating systems except Windows Vista and later. A virtual machine configured with this network adapter can use its network immediately.
  • VMXNET — The VMXNET virtual network adapter has no physical counterpart. VMXNET is optimized for performance in a virtual machine. Because operating system vendors do not provide built-in drivers for this card, you must install VMware Tools to have a driver for the VMXNET network adapter available.
  • Flexible — The Flexible network adapter identifies itself as a Vlance adapter when a virtual machine boots, but initializes itself and functions as either a Vlance or a VMXNET adapter, depending on which driver initializes it. With VMware Tools installed, the VMXNET driver changes the Vlance adapter to the higher performance VMXNET adapter.
  • E1000 — An emulated version of the Intel 82545EM Gigabit Ethernet NIC. A driver for this NIC is not included with all guest operating systems. Typically Linux versions 2.4.19 and later, Windows XP Professional x64 Edition and later, and Windows Server 2003 (32-bit) and later include the E1000 driver.
  • VMXNET 2 (Enhanced) — The VMXNET 2 adapter is based on the VMXNET adapter but provides some high-performance features commonly used on modern networks, such as jumbo frames and hardware offloads. This virtual network adapter is available only for some guest operating systems on ESX/ESXi 3.5 and later.

    VMXNET 2 is supported only for a limited set of guest operating systems:
    • 32 and 64bit versions of Microsoft Windows 2003 (Enterprise and Datacenter Editions).

      Note: You can use enhanced VMXNET adapters with other versions of the Microsoft Windows 2003 operating system, but a workaround is required to enable the option in VMware Infrastructure (VI) Client or vSphere Client. See Enabling enhanced vmxnet adapters for Microsoft Windows Server 2003 (1007195) if Enhanced VMXNET is not offered as an option.
    • 32bit version of Microsoft Windows XP Professional
    • 32 and 64bit versions of Red Hat Enterprise Linux 5.0
    • 32 and 64bit versions of SUSE Linux Enterprise Server 10
    • 64bit versions of Red Hat Enterprise Linux 4.0
    • 64bit versions of Ubuntu Linux
  • VMXNET 3 — The VMXNET 3 adapter is the next generation of a paravirtualized NIC designed for performance, and is not related to VMXNET or VMXNET 2. It offers all the features available in VMXNET 2, and adds several new features like multiqueue support (also known as Receive Side Scaling in Windows), IPv6 offloads, and MSI/MSI-X interrupt delivery.

    VMXNET 3 is supported only for virtual machines version 7 and later, with a limited set of guest operating systems:
    • 32 and 64bit versions of Microsoft Windows XP, 2003, 2003 R2, 2008,and 2008 R2.
    • 32 and 64bit versions of Red Hat Enterprise Linux 5.0 and later
    • 32 and 64bit versions of SUSE Linux Enterprise Server 10 and later
    • 32 and 64bit versions of Asianux 3 and later
    • 32 and 64bit versions of Debian 4
    • 32 and 64bit versions of Ubuntu 7.04 and later
    • 32 and 64bit versions of Sun Solaris 10 U4 and later
Notes:
  • Jumbo frames are not supported in Solaris Guest OS with VMXNET 2 or VMXNET 3.
  • Fault Tolerance is not supported on a virtual machine configured with a VMXNET 3 vNIC in vSphere 4.0, but is fully supported on vSphere 4.1.
Adapter Caveats
This section discusses some potential problems you might have.
  • Migrating virtual machines that use enhanced vmxnet
    VMXNET 2 is new with ESX 3.5; virtual machines configured to have VMXNET 2 adapters cannot migrate to earlier ESX hosts, even though virtual machines can usually migrate freely between ESX 3.0 and ESX 3.0.x.

    If you must migrate a virtual machine between later and earlier hosts, do not choose VMXNET 2.
  • Upgrading from ESX 2.x to ESX 3.x
    When a virtual hardware upgrade operation transforms a virtual machine created on an ESX 2.x host to an ESX 3.x host, Vlance adapters are automatically upgraded to Flexible. In contrast, VMXNET adapters are not upgraded automatically because most or all Linux guest operating system versions do not reliably preserve network settings when a network adapter is replaced. Because the guest operating system thinks a Flexible adapter is still Vlance, it retains the settings in that case. If the upgrade replaced a VMXNET adapter with a Flexible adapter, the guest operating system would erroneously discard the settings.
    After the virtual hardware upgrade, the network adapter is still VMXNET, without the fall back compatibility of the Flexible adapter. Just as on the original earlier host, if VMware Tools is uninstalled on the virtual machine, it cannot access its network adapters.
  • Adding virtual disks
    Adding an existing earlier (ESX 2.x) virtual disk to an ESX 3.x virtual machine results in a de-facto downgrade of that virtual machine to ESX 2.x. If you are using ESX 3.x features, such as enhanced VMXNET or Flexible network adapters, the virtual machine becomes inconsistent. When you add an existing ESX 2.x virtual disk to an ESX 3.x machine, immediately use the Upgrade Virtual Hardware command to restore the virtual machine to the ESX 3 version. This problem does not arise when you add earlier virtual disks to an ESX/ESXi 4.0 virtual machine.

    Note: Executing Upgrade Virtual Hardware changes the ESX 2 virtual disk so that it is no longer usable on an ESX 2 virtual machine. Consider making a copy of the disk before you upgrade one of the two copies to ESX 3 format.
For more information on guest operating systems, search the VMware Compatibility Guide.

Tuesday, April 12, 2011

Standard ESX networking tasks from command line

As I was looking around in the command line interface (which is pretty new for me) I came across the esxcfg- command set. In particular the commands to manage the NICs (part 1) and the vSwitches (part 2) raised my interest. I decided to explore a bit further and write down how to do some standard actions. So here goes for NIC operations…

Listing all NICs

esxcfg-nics -l

This command gives you a nice list of all the available NICs and their properties: name, link state, speed, duplex and description.

Setting a specific link speed and duplexity of a NIC

The thing I want to do here is set my ‘vmnic3’ (the name I got from the previous command) to a speed of 100Mbps and full duplex. The command to do this is:

esxcfg-nics -s 100 -d full vmnic3

The ‘-s’ parameter defines the speed. It accepts the values 10, 100, 1000 and 10000, for 10Mbps, 100Mbps, 1000Mbps and 10000Mbps respectively.
The ‘-d’ parameter defines the duplex setting. It accepts ‘full’ for full duplex and ‘half’ for half duplex.

Setting link speed and duplexity of a NIC to automatic detection

To set my ‘vmnic3’ back to automatic detection I use the following command:

esxcfg-nics -a vmnic3

The ‘-a’ parameter simply sets the link speed and duplex of the NIC back to auto-negotiation.
I hope this was useful to someone. At least I got a better understanding and a little reminder for myself of how to do these things. In part 2 I will cover some standard networking tasks concerning virtual switches using the command esxcfg-vswitch.

Listing all virtual switches

esxcfg-vswitch -l

This command gives you a list of all the configured virtual switches with their PortGroups and connected uplinks. Furthermore, a lot of properties are shown for the vSwitches and PortGroups: for vSwitches, among other things, the name, the uplinks, the number of used ports and the number of configured ports; for PortGroups, the PortGroup name, VLAN ID and uplinks.

Add a virtual switch called ‘TestSwitch1′

It’s really simple to add a virtual switch to an ESX server. You simply use the following command:

esxcfg-vswitch -a TestSwitch1

This creates a virtual switch with the name ‘TestSwitch1’. It still has no PortGroups and has the default number of configured ports (64). To see all its properties, use the command given earlier to list the virtual switches. If you want to specify the number of configured ports, use the following command:

esxcfg-vswitch -a TestSwitch1:16

This gives you a virtual switch named ‘TestSwitch1′ with 16 configured ports.

Add a PortGroup to a virtual switch called ‘TestPortGroup1′

Now we want to add a PortGroup to a virtual switch. The following command adds a PortGroup called ‘TestPortGroup1′ to our previously created virtual switch:

esxcfg-vswitch -A TestPortGroup1 TestSwitch1

This will create a PortGroup with VLAN ID 0. Notice that this time we used ‘-A’ to add the PortGroup since ‘-a’ is used for adding virtual switches. When we want to set the VLAN ID of the PortGroup we have to issue a second command. This command will set the VLAN ID of the PortGroup we just created to VLAN ID 2. The parameter ‘-p’ defines the PortGroup and ‘-v’ defines the VLAN ID you want to set it to.

esxcfg-vswitch -p TestPortGroup1 -v 2 TestSwitch1

Add an uplink to the virtual switch and PortGroup

So now we have a virtual switch and a PortGroup. I guess we would like some connection to the outside world. When we want to bind a physical NIC to the created PortGroup, the thing to do is link the pNIC to the virtual switch; after that we automatically have the link to the PortGroup. First you need to find out which pNIC you want to bind to the virtual switch. You can check the names of the pNICs with the command esxcfg-nics -l. Now that we know the name we can bind it to the virtual switch. With the following command I bind ‘vmnic4’ to the created virtual switch:

esxcfg-vswitch -L vmnic4 TestSwitch1

Notice that the l is a capital L; the lowercase l is already used for showing the list. Now we have configured the virtual switch correctly and have a fully functional virtual switch with a virtual machine port group.

Remove a link from the PortGroup and virtual switch

First let’s undo the links we just bound to the PortGroup and the virtual switch. It’s all pretty straightforward from here; if you managed to make the links it will be just as easy to undo them. The command for disconnecting the pNIC from the virtual switch is:

esxcfg-vswitch -U vmnic4 TestSwitch1

This will unlink ‘vmnic4’ from the virtual switch and the PortGroup. Notice that the ‘-U’ parameter is a capital U, just like the ‘-L’ for linking the pNIC.

Remove a PortGroup from the virtual switch

Removing the PortGroup is really simple. You take the command you used to create the PortGroup, but instead of the ‘-A’ parameter you use the ‘-D’ parameter (also capital). So the command to delete the PortGroup ‘TestPortGroup1’ from virtual switch ‘TestSwitch1’ is:

esxcfg-vswitch -D TestPortGroup1 TestSwitch1

Now the virtual switch should be empty (if you didn’t do anything else to the virtual switch). There should be no PortGroups and no connected uplinks.

Removing a virtual switch

Now to set everything back to the original state we have to delete the virtual switch we just made. Again this is really simple if you alter the create command: just replace the ‘-a’ parameter with ‘-d’. The same as with the PortGroup, only this time no capital characters.

esxcfg-vswitch -d TestSwitch1

And now if you list all the virtual switches again this should give you the same picture as at the beginning.

Of course there are lots more networking-related things you can do from the command line, but I thought this was the most basic and standard stuff you would want to do. Scott Lowe wrote some articles about more advanced operations like Setting Load Balancing Policies and Modifying a PortGroup using the CLI. I hope these articles were useful for all of you. At least they have given me a nice reference for the future.