Problem z wydajnością serwerów terminali podczas logowania użytkownika
Występował problem z wydajnością serwerów terminali podczas logowania użytkownika.
Podczas logowania proces msiexec.exe wysycał CPU, każde zalogowanie się usera powodowało dodanie wpisu do logów:
Product: 32 Bit HP CIO Components Installer -- Configuration completed successfully.
Zmianay w systemie :
+w katalogu
M:\WINDOWS\system32\spool\drivers\w32x86\3
podmieniłem plik instalatora cioum32.msi
na pusty plik . o tej samej nazwie - stary zachowany jako cioum32.msi.old
Po zastosowaniu zmian w logach brak informacj io instalacji
Product: 32 Bit HP CIO Components Installer -- Configuration completed successfully.
oraz widac mniejsze obciązenie systemu - brak procesu msiexec.exe
Źródło:
http://forums.citrix.com/thread.jspa?messageID=1383377
sobota, 26 grudnia 2009
Problem z Vmware ESX
I1ve checked the logs you sent us and here is the result of analysis:
The hostd log contain entries which shows the reason of the hung was causes=
by a process called Pegasus:
[2009-12-05 12:51:40.322 'Memory checker' 25045936 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:52:10.324 'Memory checker' 32680880 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:52:40.342 'Memory checker' 23989168 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:53:10.362 'Memory checker' 23722928 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:53:40.392 'Memory checker' 32680880 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:54:10.405 'Memory checker' 114621360 warning] Current value =
146908 exceeds soft limit 122880.
[2009-12-05 12:54:40.422 'Memory checker' 41872304 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:55:10.452 'Memory checker' 13888432 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:55:40.524 'Memory checker' 23989168 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:56:10.542 'Memory checker' 23722928 warning] Current value 1=
46908 exceeds soft limit 122880
I1ve checked the top output as well:
09:59:48 up 1 day, 55 min, 2 users, load average: 1.03, 0.27, 0.09
265 processes: 263 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 0.9% 0.0% 0.0% 0.0% 0.0% 72.5% 26.4%
Mem: 268572k av, 258860k used, 9712k free, 0k shrd, 16220k bu=
ff
185324k actv, 31500k in_d, 3040k in_c
Swap: 1052216k av, 46784k used, 1005432k free 74480k ca=
ched
As you can see as well, all of the physical memory is used already within 1=
day uptime, which indicates there is not enough memory assigned to the ser=
vice console.
I would have two suggestions to solve this issue:
- Increase the service console memory to 512MB with this procedure:
http://kb.vmware.com/kb/1003501
- Do an upgrade to ESX3.5 U5 which contains the patch for this issue:
https://www.vmware.com/mysupport/download/
In here select the 3.5 version and download the ESX Server 3.5.0 Update 5
The hostd log contain entries which shows the reason of the hung was causes=
by a process called Pegasus:
[2009-12-05 12:51:40.322 'Memory checker' 25045936 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:52:10.324 'Memory checker' 32680880 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:52:40.342 'Memory checker' 23989168 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:53:10.362 'Memory checker' 23722928 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:53:40.392 'Memory checker' 32680880 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:54:10.405 'Memory checker' 114621360 warning] Current value =
146908 exceeds soft limit 122880.
[2009-12-05 12:54:40.422 'Memory checker' 41872304 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:55:10.452 'Memory checker' 13888432 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:55:40.524 'Memory checker' 23989168 warning] Current value 1=
46908 exceeds soft limit 122880.
[2009-12-05 12:56:10.542 'Memory checker' 23722928 warning] Current value 1=
46908 exceeds soft limit 122880
I1ve checked the top output as well:
09:59:48 up 1 day, 55 min, 2 users, load average: 1.03, 0.27, 0.09
265 processes: 263 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 0.9% 0.0% 0.0% 0.0% 0.0% 72.5% 26.4%
Mem: 268572k av, 258860k used, 9712k free, 0k shrd, 16220k bu=
ff
185324k actv, 31500k in_d, 3040k in_c
Swap: 1052216k av, 46784k used, 1005432k free 74480k ca=
ched
As you can see as well, all of the physical memory is used already within 1=
day uptime, which indicates there is not enough memory assigned to the ser=
vice console.
I would have two suggestions to solve this issue:
- Increase the service console memory to 512MB with this procedure:
http://kb.vmware.com/kb/1003501
- Do an upgrade to ESX3.5 U5 which contains the patch for this issue:
https://www.vmware.com/mysupport/download/
In here select the 3.5 version and download the ESX Server 3.5.0 Update 5
Zarzadzanie konfiguracja Open Office
Strona o zarzadzaniu systemem OpenOffice
http://openofficetechnology.com/
Folder rederiction i problem z OO.
Przy zastosowaniu Folder rederiction dla %appdata%
następuje zwolnienie pracy aplikacji mocno wykorzystujacych
katalog "dane aplikacji" należy wykorzystywać katalog "dane aplikacji" w lokalnym systemie plików.
http://openofficetechnology.com/
Folder rederiction i problem z OO.
Przy zastosowaniu Folder rederiction dla %appdata%
następuje zwolnienie pracy aplikacji mocno wykorzystujacych
katalog "dane aplikacji" należy wykorzystywać katalog "dane aplikacji" w lokalnym systemie plików.
niedziela, 25 października 2009
Problem z instalacją oprogramowania zarządzalnego
Problem z jednym z komputerów podczas instalacji via GPO oprogramowaina zarządzalnego.
W logach były następujące wpisy:
Application Management:
Przypisanie aplikacji ... z zasad Testowa nie powiodło się. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
Application Management:
Usunięcie przypisania aplikacji .... z zasad Testowa nie powiodło się. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
Application Management:
Nie można zastosować zmian w ustawieniach instalacji oprogramowania. Zastosowanie zasad instalacji oprogramowania zostało odłożone do następnego logowania, ponieważ administrator włączył optymalizację logowania dla zasad grupy. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
http://support.microsoft.com/kb/305293
http://wss.pl/frmThread.aspx?tid=37378
Rozwiązanie:
Ustawienia zasad:
Konfiguracja komputera\Szablony administracyjne\System\Logowanie\ Zawsze czekaj na sieć podczas uruchamiania komputera i logowania
W logach były następujące wpisy:
Application Management:
Przypisanie aplikacji ... z zasad Testowa nie powiodło się. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
Application Management:
Usunięcie przypisania aplikacji .... z zasad Testowa nie powiodło się. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
Application Management:
Nie można zastosować zmian w ustawieniach instalacji oprogramowania. Zastosowanie zasad instalacji oprogramowania zostało odłożone do następnego logowania, ponieważ administrator włączył optymalizację logowania dla zasad grupy. Wystąpił błąd: Ogólna struktura zasad grupy powinna wywołać rozszerzenie podczas synchronicznego, pierwszoplanowego odświeżania zasad.
http://support.microsoft.com/kb/305293
http://wss.pl/frmThread.aspx?tid=37378
Rozwiązanie:
Ustawienia zasad:
Konfiguracja komputera\Szablony administracyjne\System\Logowanie\ Zawsze czekaj na sieć podczas uruchamiania komputera i logowania
Problem z migracją share + offline files
znalazłem takie rozwiązanie
Hi Everyone,
We just lost our server called \\Files and the Faculty redirection was setup for there Desktop and My Documents to go to \\Files\Staff\Faculty\%USERNAME%\Desktop or My Documents.
We got a new server in while this one was down and named it \\Staff and the GPO is now updated for the redirection to \\Staff\Files\Faculty\%USERNAME%\Desktop and My Documents.
When a user logs in they get an error saying they don't have access to there Desktop located at \\Files\Staff\Faculty\%USERNAME%\Desktop
Its still looking at the old server! I changed the GPO and updated the profiles and Home Directories for these people. I also did a gpupdate /force to see if that would do anything but I have had no luck.
I figured just changed the GPO redirection to the new server would fix everything but I guess not.
Any ideas??
Thanks,
Dan
To the poster above,
I had the same problem you had; on the windows resource kit there is a tool called csccmd.exe that you can use:
csccmd.exe /MOVESHARE:\\oldserver\share \\newserver\share
csccmd.exe /RESID
that should fix the problem
Hi Everyone,
We just lost our server called \\Files and the Faculty redirection was setup for there Desktop and My Documents to go to \\Files\Staff\Faculty\%USERNAME%\Desktop or My Documents.
We got a new server in while this one was down and named it \\Staff and the GPO is now updated for the redirection to \\Staff\Files\Faculty\%USERNAME%\Desktop and My Documents.
When a user logs in they get an error saying they don't have access to there Desktop located at \\Files\Staff\Faculty\%USERNAME%\Desktop
Its still looking at the old server! I changed the GPO and updated the profiles and Home Directories for these people. I also did a gpupdate /force to see if that would do anything but I have had no luck.
I figured just changed the GPO redirection to the new server would fix everything but I guess not.
Any ideas??
Thanks,
Dan
To the poster above,
I had the same problem you had; on the windows resource kit there is a tool called csccmd.exe that you can use:
csccmd.exe /MOVESHARE:\\oldserver\share \\newserver\share
csccmd.exe /RESID
that should fix the problem
darmowy certyfikat niekwalifikowany
Dramowy certyfikat niekwalifikowany można otrzymać tu:
http://www.podpiselektroniczny.pl/
http://www.podpiselektroniczny.pl/
sobota, 10 października 2009
IPSec problem z citrix ICA
Po migracji z cisco PIX do routera cisco pojawiły się problemy z dostępem klientów citrixa do sesji ICA.
W sieci znalazłem działające rozwiązanie opisane poniżej:
To solve this I've change configuration on 1812 routers:
On internal interface - by turn off ip virtual-reassembly and set up ip tcp adjust-mss 1400 and on external interfece by turn off ip virtual-reassembly.
W sieci znalazłem działające rozwiązanie opisane poniżej:
To solve this I've change configuration on 1812 routers:
On internal interface - by turn off ip virtual-reassembly and set up ip tcp adjust-mss 1400 and on external interfece by turn off ip virtual-reassembly.
cisco problem z zrywającymi się połączeniami do zdalnego pulpitu citrix/rdp
problemem jest czas wygasnięcia SA
dla IPSec'a.
Należy ustawić Sa na maxymalny tzn 86400s
dla IPSec'a.
Należy ustawić Sa na maxymalny tzn 86400s
Switch FC McDATA 4416 - problem z certyfikatem
Podczas logowania do switcha FC występuje problem z certyfikatem.
Konieczne jest jego ponowne wygenerowanie.
Procedura:
- Logujemy się po ssh do przełącznika
- uruchamiamy tryb administracyjny
admin start
- generujemy nowy certyfikat
create certificate
- wyłanczamy tryb administracyjny
admin stop
i gotowe :)
Konieczne jest jego ponowne wygenerowanie.
Procedura:
- Logujemy się po ssh do przełącznika
- uruchamiamy tryb administracyjny
admin start
- generujemy nowy certyfikat
create certificate
- wyłanczamy tryb administracyjny
admin stop
i gotowe :)
niedziela, 26 lipca 2009
HSRP problem z ARP
W pracy miałem problem z konfiguracją HSRP.
Problem polegał na tym iż, w momencie gdy w tablicy ARP przełącznika catalyst nie było wpisu ARP o danym hoscie a host wcześniej nie zainicjował ruchu to z innej podsieci (VLANu ) nie było możliwości dobicia się do urządzenia - host docelowy nie odpowiada na pingi.
Okazało się, że problem leży w błędzie IOSa dla HSRP w v.2 i należy zmienić HSRP do wersji pierwszej.
no hsrp version 2
Po wykonaniu tej komendy dla każdego z interfejsów VLAN pracujących w HSRP problem rozwiązał się.
Błąd został usuniety w wersji ....
Problem polegał na tym iż, w momencie gdy w tablicy ARP przełącznika catalyst nie było wpisu ARP o danym hoscie a host wcześniej nie zainicjował ruchu to z innej podsieci (VLANu ) nie było możliwości dobicia się do urządzenia - host docelowy nie odpowiada na pingi.
Okazało się, że problem leży w błędzie IOSa dla HSRP w v.2 i należy zmienić HSRP do wersji pierwszej.
no hsrp version 2
Po wykonaniu tej komendy dla każdego z interfejsów VLAN pracujących w HSRP problem rozwiązał się.
Błąd został usuniety w wersji ....
poniedziałek, 11 maja 2009
OO numerowanie stron
W OpenOffice.org zmiana domyślnego sposobu numerowania stron graniczy z niemożliwością (od lat wisi zgłoszenie błędu): bardzo trudno zacząć numerację nie od pierwszej strony, pojawiają się dziwaczne błędy przy wstawianiu numerów itd.
Na szczęście, niedawno powstało rozwiązanie. Charles Brunet stworzył rozszerzenie Pagination, które radzi sobie z tym problemem. Po zainstalowaniu rozszerzenia pojawia się nowe polecenie w menu Wstaw: Numery stron. To polecenie powoduje wyświetlenie okna dialogowego, które pozwoli ustawić wszystkie potrzebne parametry. Okno dialogowe także spolszczyłem, ale z powodu błędu w OOo, będzie to widać dopiero w wersji 2.4 (błąd już w kodzie jest poprawiony). Pozostaje tylko zainstalować i używać.
Na szczęście, niedawno powstało rozwiązanie. Charles Brunet stworzył rozszerzenie Pagination, które radzi sobie z tym problemem. Po zainstalowaniu rozszerzenia pojawia się nowe polecenie w menu Wstaw: Numery stron. To polecenie powoduje wyświetlenie okna dialogowego, które pozwoli ustawić wszystkie potrzebne parametry. Okno dialogowe także spolszczyłem, ale z powodu błędu w OOo, będzie to widać dopiero w wersji 2.4 (błąd już w kodzie jest poprawiony). Pozostaje tylko zainstalować i używać.
środa, 6 maja 2009
Problem z autonegocjacją parametrów transmisji.
Problem z autonegocjacją parametrów transmisji.
Po podpięciu urządzenia CPD500W karta sieciowa oparta o chip RTL8201BL interfejs wstawał i padał.
W logach były jedynie informacje:
250251: May 6 11:10:27.596 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
250252: May 6 11:10:29.244 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to up
250253: May 6 11:10:56.669 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
250254: May 6 11:10:58.445 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to up
na interfejsie ustawiłem
spanning-tree portfast
co rozwiązało temat.
Po podpięciu urządzenia CPD500W karta sieciowa oparta o chip RTL8201BL interfejs wstawał i padał.
W logach były jedynie informacje:
250251: May 6 11:10:27.596 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
250252: May 6 11:10:29.244 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to up
250253: May 6 11:10:56.669 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to down
250254: May 6 11:10:58.445 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet5, changed state to up
na interfejsie ustawiłem
spanning-tree portfast
co rozwiązało temat.
czwartek, 2 kwietnia 2009
GNS3 - IPSec LAN2LAN LAB
Jest to proste laboratorium połączenia 2 routerów z wykorzystaniem IPSeca.
Za pomocą IPseca połączono 2 odległe sieci Lokalne lan z adresacjami 10.1.11.0/24 oraz 10.1.10.0/24.
Przyjęto następujące założenia do projektu:
W sieci oddziału sieć lokalna nadano adresację 10.1.11.0/24
W sieci lokalnej Centrali nadano adresację 10.1.10.0/24
Routery rOddzial oraz rCentrala posiadają następujące publiczne adresy IP
rOddzial – 83.16.251.98/29
rCentrala – 83.16.251.99/29
Cały ruch IP między siecią 10.1.11.0/24 a 10.1.10.0/24 jest dozwolony i szyfrowany
Cały ruch IP między siecią 10.1.10.0/24 a 10.1.11.0/24 jest dozwolony i szyfrowany
Poprawna konfiguracja urządzeń według przyjętych założeń wygląda następująco:
Router "PcCentrala"
PcCentrala#sh run
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PcCentrala
boot-start-marker
boot-end-marker
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
ip address 10.1.10.10 255.255.255.0
duplex auto
speed auto
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.10.254
line con 0
line aux 0
line vty 0 4
end
Router "PcOddzial"
PcOddzial#sh running-config
Building configuration...
Current configuration : 462 bytes
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname PcOddzial
boot-start-marker
boot-end-marker
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
interface FastEthernet0/0
ip address 10.1.11.10 255.255.255.0
duplex auto
speed auto
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.11.254
line con 0
line aux 0
line vty 0 4
end
Router "rCentrala"
rCentrala#sh running-config
Building configuration...
Current configuration : 1489 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname rCentrala
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
memory-size iomem 5
ip cef
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp key Mykey address 83.16.251.98 no-xauth
crypto ipsec transform-set SETstrong esp-3des esp-sha-hmac
crypto map toOddzial 15 ipsec-isakmp
set peer 83.16.251.98
set transform-set SETstrong
match address cryptomap_11
interface FastEthernet0/0
ip address 10.1.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map clearDF
duplex auto
speed auto
interface FastEthernet1/0
ip address 83.16.251.99 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map toOddzial
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
ip nat inside source route-map clearDF interface FastEthernet1/0 overload
ip access-list extended NotInCryptomap_11
deny ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
permit icmp 10.1.10.0 0.0.0.255 any
deny ip any any
ip access-list extended cryptomap_11
permit ip 10.1.10.0 0.0.0.255 10.1.11.0 0.0.0.255
route-map clearDF permit 15
match ip address nat NotInCryptomap_11
set ip df 0
control-plane
line con 0
line aux 0
line vty 0 4
end
Router "rOddzial"
rOddzial#sh running-config
Building configuration...
Current configuration : 1486 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname rOddzial
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
memory-size iomem 5
ip cef
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
crypto isakmp key Mykey address 83.16.251.99 no-xauth
crypto ipsec transform-set SETstrong esp-3des esp-sha-hmac
crypto map toCentrala 15 ipsec-isakmp
set peer 83.16.251.99
set transform-set SETstrong
match address cryptomap_10
interface FastEthernet0/0
ip address 10.1.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map clearDF
duplex auto
speed auto
interface FastEthernet1/0
ip address 83.16.251.98 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map toCentrala
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
ip nat inside source route-map clearDF interface FastEthernet1/0 overload
ip access-list extended NotInCryptomap_10
deny ip 10.1.11.0 0.0.0.255 10.1.10.0 0.0.0.255
permit icmp 10.1.11.0 0.0.0.255 any
deny ip any any
ip access-list extended cryptomap_10
permit ip 10.1.11.0 0.0.0.255 10.1.10.0 0.0.0.255
route-map clearDF permit 15
match ip address NotInCryptomap_10
set ip df 0
control-plane
line con 0
line aux 0
line vty 0 4
end
poniedziałek, 30 marca 2009
GNS3 - VLAN LAB
Laboratorium z sieci VLAN.
Listing z konfigów:
Router "CoreSwitch"
CoreSwitch#show run
Building configuration...
Current configuration : 1578 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreSwitch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
interface FastEthernet0/0
description "To PCKsiegowosc"
switchport access vlan 14
no ip address
!
interface FastEthernet0/1
description "To PCMarketing"
switchport access vlan 13
no ip address
!
interface FastEthernet0/2
description "To PcInformatyk"
switchport access vlan 12
no ip address
!
interface FastEthernet0/3
description "To Router"
switchport mode trunk
no ip address
!
interface FastEthernet0/4
description "To Srv11"
switchport access vlan 11
no ip address
!
interface FastEthernet0/5
description "To Srv 22"
switchport access vlan 22
no ip address
!
!
interface FastEthernet0/6
no ip address
shutdown
!
interface FastEthernet0/7
no ip address
shutdown
!
interface FastEthernet0/8
no ip address
shutdown
!
interface FastEthernet0/9
no ip address
shutdown
!
interface FastEthernet0/10
no ip address
shutdown
!
interface FastEthernet0/11
no ip address
shutdown
!
interface FastEthernet0/12
no ip address
shutdown
!
interface FastEthernet0/13
no ip address
shutdown
!
interface FastEthernet0/14
no ip address
shutdown
!
interface FastEthernet0/15
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip http server
no ip http secure-server
ip classless
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "Router"
Router#show running-config
Building configuration...
Current configuration : 1604 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.11
encapsulation dot1Q 11
ip address 10.1.11.254 255.255.255.0
!
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 10.1.12.254 255.255.255.0
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 10.1.13.254 255.255.255.0
ip access-group 113 in
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 10.1.14.254 255.255.255.0
ip access-group 114 in
!
interface FastEthernet0/0.22
encapsulation dot1Q 22
ip address 10.1.22.254 255.255.255.0
!
ip http server
no ip http secure-server
ip classless
!
access-list 113 permit ip 10.1.13.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 113 permit ip 10.1.13.0 0.0.0.255 10.1.22.0 0.0.0.255
access-list 113 remark ACL 113 dostep z sieci 10.1.13.0/24 (Marketing) do sieci 10.1.11.0/24 (Srv11) oraz 10.1.22.0/24 (Srv
access-list 113 remark ACL 113 dostep z sieci 10.1.13.0/24 (Marketing) do sieci 10.1.11.0/24 oraz 10.1.22.0/24
access-list 114 permit ip 10.1.14.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 114 permit ip 10.1.14.0 0.0.0.255 10.1.13.0 0.0.0.255
access-list 114 remark ACL z sieci VLAN 14 dostep do sieci 10.1.11.0/24 (SRV11) oraz 10.1.13.0/24 ( Marketing)
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "PcKsiegowosc"
PcKsiegowosc#sh ru
Building configuration...
Current configuration : 535 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PcKsiegowosc
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.14.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.14.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Router "PcMarketing"
PcMarketing#sh ru
Building configuration...
Current configuration : 534 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PcMarketing
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.13.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.13.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "Srv11"
Srv11#show running-config
Building configuration...
Current configuration : 528 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Srv11
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.11.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.11.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
!
end
Router "Srv22"
Srv22#sh ru
Building configuration...
Current configuration : 528 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Srv22
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.22.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.22.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Na routerach na których robi sie VLANy( "Router" oraz "CoreSwitch") w trybie enable wydajemy polecenia
vlan database
vlan 1
vlan 11
vlan 12
vlan 13
vlan 14
vlan 22
apply
exit
I wszystko powinno śmigać :)
do sprawdzenia aktywnych VLANów służy komenda
show vlan-switch
Listing z konfigów:
Router "CoreSwitch"
CoreSwitch#show run
Building configuration...
Current configuration : 1578 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CoreSwitch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
interface FastEthernet0/0
description "To PCKsiegowosc"
switchport access vlan 14
no ip address
!
interface FastEthernet0/1
description "To PCMarketing"
switchport access vlan 13
no ip address
!
interface FastEthernet0/2
description "To PcInformatyk"
switchport access vlan 12
no ip address
!
interface FastEthernet0/3
description "To Router"
switchport mode trunk
no ip address
!
interface FastEthernet0/4
description "To Srv11"
switchport access vlan 11
no ip address
!
interface FastEthernet0/5
description "To Srv 22"
switchport access vlan 22
no ip address
!
!
interface FastEthernet0/6
no ip address
shutdown
!
interface FastEthernet0/7
no ip address
shutdown
!
interface FastEthernet0/8
no ip address
shutdown
!
interface FastEthernet0/9
no ip address
shutdown
!
interface FastEthernet0/10
no ip address
shutdown
!
interface FastEthernet0/11
no ip address
shutdown
!
interface FastEthernet0/12
no ip address
shutdown
!
interface FastEthernet0/13
no ip address
shutdown
!
interface FastEthernet0/14
no ip address
shutdown
!
interface FastEthernet0/15
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip http server
no ip http secure-server
ip classless
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "Router"
Router#show running-config
Building configuration...
Current configuration : 1604 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip audit po max-events 100
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.11
encapsulation dot1Q 11
ip address 10.1.11.254 255.255.255.0
!
interface FastEthernet0/0.12
encapsulation dot1Q 12
ip address 10.1.12.254 255.255.255.0
!
interface FastEthernet0/0.13
encapsulation dot1Q 13
ip address 10.1.13.254 255.255.255.0
ip access-group 113 in
!
interface FastEthernet0/0.14
encapsulation dot1Q 14
ip address 10.1.14.254 255.255.255.0
ip access-group 114 in
!
interface FastEthernet0/0.22
encapsulation dot1Q 22
ip address 10.1.22.254 255.255.255.0
!
ip http server
no ip http secure-server
ip classless
!
access-list 113 permit ip 10.1.13.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 113 permit ip 10.1.13.0 0.0.0.255 10.1.22.0 0.0.0.255
access-list 113 remark ACL 113 dostep z sieci 10.1.13.0/24 (Marketing) do sieci 10.1.11.0/24 (Srv11) oraz 10.1.22.0/24 (Srv
access-list 113 remark ACL 113 dostep z sieci 10.1.13.0/24 (Marketing) do sieci 10.1.11.0/24 oraz 10.1.22.0/24
access-list 114 permit ip 10.1.14.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 114 permit ip 10.1.14.0 0.0.0.255 10.1.13.0 0.0.0.255
access-list 114 remark ACL z sieci VLAN 14 dostep do sieci 10.1.11.0/24 (SRV11) oraz 10.1.13.0/24 ( Marketing)
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "PcKsiegowosc"
PcKsiegowosc#sh ru
Building configuration...
Current configuration : 535 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PcKsiegowosc
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.14.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.14.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Router "PcMarketing"
PcMarketing#sh ru
Building configuration...
Current configuration : 534 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PcMarketing
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.13.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.13.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Router "Srv11"
Srv11#show running-config
Building configuration...
Current configuration : 528 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Srv11
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.11.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.11.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
!
end
Router "Srv22"
Srv22#sh ru
Building configuration...
Current configuration : 528 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Srv22
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface FastEthernet1/0
ip address 10.1.22.100 255.255.255.0
duplex auto
speed auto
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.22.254
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Na routerach na których robi sie VLANy( "Router" oraz "CoreSwitch") w trybie enable wydajemy polecenia
vlan database
vlan 1
vlan 11
vlan 12
vlan 13
vlan 14
vlan 22
apply
exit
I wszystko powinno śmigać :)
do sprawdzenia aktywnych VLANów służy komenda
show vlan-switch
sobota, 21 marca 2009
VmwareTools - potrzeba instalacji
Krytyczną rzeczą po instalacji OS na maszynie wirtualnej jest instalacja VmTools na Guest OS-ie.
Brak zainstalowamych VmTools-ów nie pozwala przykładowo z poziomu esx-a na wyłączenie Guest OSa w przypadku natychmiastowej potrzeby.
źródło: http://vmetc.com/2008/08/30/why-do-i-need-to-install-vmware-tools/
It happens more frequently than I would ever imagine, but from time to time I find clients have not installed the VMware tools in their virtual machine’s (VM) operating system. I find it more often in Linux VMs than Windows, but I’ve discovered it for both types of guests none-the-less. Some times the tools install is overlooked or forgotten, but every once in a while I am told something like “Does Linux needed VMware tools?” or “what do the VMware tools do for me anyways?”.
Well, I do not have any unique insight or clever commentary to add, but I am providing the following cut and pastes from the VMware .pdf Basic System Administration Guide as a easy reference. At the very least this post will save me some time because I won’t have to dig this info out of the .pdf again when I am asked.
The following sections provide info on what you install when you install VMware tools as well as steps for installing the tools for both Windows and Linux VMs. The rest of this post is not my material but comes straight from the linked guide above - although not necessarily in the order it appears in the original document, however. Download and read the current version for yourself!
I will add one point that is not covered in the following information. VirtualCenter requires the VMware Tools in the guest in order to be able to monitor and send alerts on the VMs, and to also populate various information like the VM’s ip address in the VI Client session.
Installing and Upgrading VMware Tools
VMware Tools is a suite of utilities that enhances the performance of the virtual machine’s guest operating system and improves management of the virtual machine. Installing VMware Tools in the guest operating system is vital. Although the guest operating system can run without VMware Tools, you lose important functionality and convenience.
When you install VMware Tools, you install:
* The VMware Tools service (VMwareService.exe on Windows guests or vmware-guestd on Linux and Solaris guests). This service synchronizes the time in the guest operating system with the time in the host operating system. On Windows guests, it also controls grabbing and releasing the mouse cursor.
* A set of VMware device drivers, including an SVGA display driver, the vmxnet networking driver for some guest operating systems, the BusLogic SCSI driver for some guest operating systems, the memory control driver for efficient memory allocation between virtual machines, the sync driver to quiesce I/O for Consolidated Backup, and the VMware mouse driver.
* The VMware Tools control panel, which lets you modify settings, shrink virtual disks, and connect and disconnect virtual devices.
* A set of scripts that helps you to automate guest operating system operations. The scripts run when the virtual machine’s power state changes if you configure them to do so.
* The VMware user process (VMwareUser.exe on Windows guests or vmware-user on Linux and Solaris guests), which enables you to copy and paste text between the guest and managed host operating systems.
o On Linux and Solaris guests, this process controls grabbing and releaseing the mouse cursor when the SVGA driver is not installed.
o The VMware Tools user process is not installed on NetWare operating systems. Instead, the vmwtool program is installed. It controls the grabbing and releasing of the mouse cursor. It also allows you copy and paste text.
NOTE If you do not have VMware Tools installed in your virtual machine, you cannot
use the shutdown or restart options. You can use only the Power options. If you want
to shut down the guest operating system, shut it down from within the virtual machine
console before you power off the virtual machine.
To install or upgrade VMware Tools on a Windows Guest
1. Open a console to the virtual machine.
2. Power on the virtual machine.
3. After the guest operating system starts, right?click the virtual machine and choose Install VMware Tools.
4. From inside the virtual machine, click OK to confirm that you want to install VMware Tools and launch the InstallShield wizard.
* If you have autorun enabled in your guest operating system (the default setting for Windows operating systems), a dialog box appears.
* If autorun is not enabled, run the VMware Tools installer. Click Start > Run and enter D:\setup.exe, where D: is your first virtual CD?ROM drive.
5. Follow the onscreen instructions.
6. On Windows Server 2003, the SVGA driver is installed automatically, and the guest operating system uses it after it reboots.
7. After you install VMware Tools, Windows 2000 and Windows XP guest operating systems must be rebooted to use the new driver.
To install or upgrade VMware Tools on a Linux guest with the tar installer or
RPM installer
1. Open a console to the virtual machine.
2. Power on the virtual machine.
3. After the guest operating system starts, right?click the virtual machine and choose Install VMware Tools.
* The remaining steps take place inside the virtual machine.
1. As root (su -), mount the VMware Tools virtual CD?ROM image and change to a working directory (for example, /tmp), as follows.
2. Some Linux distributions use different device names or organize the /dev directory differently. Modify the following commands to reflect the conventions used by your distribution:
* mount /dev/cdrom /mnt/cdrom
* cd /tmp
* NOTE Some Linux distributions automatically mount CD?ROMs. If your distribution uses automounting, do not use the mount and umount commands described in this procedure. You still must untar the VMware Tools installer to /tmp.
* NOTE If you have a previous installation, delete the previous vmware-tools-distrib directory before installing. The default location of this directory is: /tmp/vmware-tools-distrib
3. Uncompress the installer and unmount the CD?ROM image.
4. Depending on whether you are using the tar installer or the RPM installer, do one of the following:
* For the tar installer, at the command prompt, enter:
*
o tar zxpf /mnt/cdrom/VMwareTools-5.0.0-.tar.gz
o umount /dev/cdrom
o Where is the build/revision number of the tools release.
* For the RPM installer, at the command prompt, enter:
*
o rpm -Uhv /mnt/cdrom/VMwareTools-5.0.0-.i386.rpm
o umount /dev/cdrom
o Where is the build/revision number of the tools release.
5. Depending on whether you are using the tar installer or the RPM installer, do one of the following:
* For the tar installer, run the VMware Tools tar installer:
*
o cd vmware-tools-distrib
o ./vmware-install.pl
o Respond to the configuration questions on the screen. Press Enter to accept the default value.
* For the RPM installer, configure VMware Tools:
*
o vmware-config-tools.pl
o Respond to the questions the installer displays on the screen. Press Enter to accept the default value.
6. Log off the root account. #exit
7. Start your graphical environment.
8. In an X terminal, open the VMware Tools Properties dialog box: #vmware-toolbox &
NOTE If you attempt to install an rpm installation over a tar installation—or the
reverse—the installer detects the previous installation and must convert the
installer database format before continuing.
Brak zainstalowamych VmTools-ów nie pozwala przykładowo z poziomu esx-a na wyłączenie Guest OSa w przypadku natychmiastowej potrzeby.
źródło: http://vmetc.com/2008/08/30/why-do-i-need-to-install-vmware-tools/
It happens more frequently than I would ever imagine, but from time to time I find clients have not installed the VMware tools in their virtual machine’s (VM) operating system. I find it more often in Linux VMs than Windows, but I’ve discovered it for both types of guests none-the-less. Some times the tools install is overlooked or forgotten, but every once in a while I am told something like “Does Linux needed VMware tools?” or “what do the VMware tools do for me anyways?”.
Well, I do not have any unique insight or clever commentary to add, but I am providing the following cut and pastes from the VMware .pdf Basic System Administration Guide as a easy reference. At the very least this post will save me some time because I won’t have to dig this info out of the .pdf again when I am asked.
The following sections provide info on what you install when you install VMware tools as well as steps for installing the tools for both Windows and Linux VMs. The rest of this post is not my material but comes straight from the linked guide above - although not necessarily in the order it appears in the original document, however. Download and read the current version for yourself!
I will add one point that is not covered in the following information. VirtualCenter requires the VMware Tools in the guest in order to be able to monitor and send alerts on the VMs, and to also populate various information like the VM’s ip address in the VI Client session.
Installing and Upgrading VMware Tools
VMware Tools is a suite of utilities that enhances the performance of the virtual machine’s guest operating system and improves management of the virtual machine. Installing VMware Tools in the guest operating system is vital. Although the guest operating system can run without VMware Tools, you lose important functionality and convenience.
When you install VMware Tools, you install:
* The VMware Tools service (VMwareService.exe on Windows guests or vmware-guestd on Linux and Solaris guests). This service synchronizes the time in the guest operating system with the time in the host operating system. On Windows guests, it also controls grabbing and releasing the mouse cursor.
* A set of VMware device drivers, including an SVGA display driver, the vmxnet networking driver for some guest operating systems, the BusLogic SCSI driver for some guest operating systems, the memory control driver for efficient memory allocation between virtual machines, the sync driver to quiesce I/O for Consolidated Backup, and the VMware mouse driver.
* The VMware Tools control panel, which lets you modify settings, shrink virtual disks, and connect and disconnect virtual devices.
* A set of scripts that helps you to automate guest operating system operations. The scripts run when the virtual machine’s power state changes if you configure them to do so.
* The VMware user process (VMwareUser.exe on Windows guests or vmware-user on Linux and Solaris guests), which enables you to copy and paste text between the guest and managed host operating systems.
o On Linux and Solaris guests, this process controls grabbing and releaseing the mouse cursor when the SVGA driver is not installed.
o The VMware Tools user process is not installed on NetWare operating systems. Instead, the vmwtool program is installed. It controls the grabbing and releasing of the mouse cursor. It also allows you copy and paste text.
NOTE If you do not have VMware Tools installed in your virtual machine, you cannot
use the shutdown or restart options. You can use only the Power options. If you want
to shut down the guest operating system, shut it down from within the virtual machine
console before you power off the virtual machine.
To install or upgrade VMware Tools on a Windows Guest
1. Open a console to the virtual machine.
2. Power on the virtual machine.
3. After the guest operating system starts, right?click the virtual machine and choose Install VMware Tools.
4. From inside the virtual machine, click OK to confirm that you want to install VMware Tools and launch the InstallShield wizard.
* If you have autorun enabled in your guest operating system (the default setting for Windows operating systems), a dialog box appears.
* If autorun is not enabled, run the VMware Tools installer. Click Start > Run and enter D:\setup.exe, where D: is your first virtual CD?ROM drive.
5. Follow the onscreen instructions.
6. On Windows Server 2003, the SVGA driver is installed automatically, and the guest operating system uses it after it reboots.
7. After you install VMware Tools, Windows 2000 and Windows XP guest operating systems must be rebooted to use the new driver.
To install or upgrade VMware Tools on a Linux guest with the tar installer or
RPM installer
1. Open a console to the virtual machine.
2. Power on the virtual machine.
3. After the guest operating system starts, right?click the virtual machine and choose Install VMware Tools.
* The remaining steps take place inside the virtual machine.
1. As root (su -), mount the VMware Tools virtual CD?ROM image and change to a working directory (for example, /tmp), as follows.
2. Some Linux distributions use different device names or organize the /dev directory differently. Modify the following commands to reflect the conventions used by your distribution:
* mount /dev/cdrom /mnt/cdrom
* cd /tmp
* NOTE Some Linux distributions automatically mount CD?ROMs. If your distribution uses automounting, do not use the mount and umount commands described in this procedure. You still must untar the VMware Tools installer to /tmp.
* NOTE If you have a previous installation, delete the previous vmware-tools-distrib directory before installing. The default location of this directory is: /tmp/vmware-tools-distrib
3. Uncompress the installer and unmount the CD?ROM image.
4. Depending on whether you are using the tar installer or the RPM installer, do one of the following:
* For the tar installer, at the command prompt, enter:
*
o tar zxpf /mnt/cdrom/VMwareTools-5.0.0-.tar.gz
o umount /dev/cdrom
o Where is the build/revision number of the tools release.
* For the RPM installer, at the command prompt, enter:
*
o rpm -Uhv /mnt/cdrom/VMwareTools-5.0.0-.i386.rpm
o umount /dev/cdrom
o Where is the build/revision number of the tools release.
5. Depending on whether you are using the tar installer or the RPM installer, do one of the following:
* For the tar installer, run the VMware Tools tar installer:
*
o cd vmware-tools-distrib
o ./vmware-install.pl
o Respond to the configuration questions on the screen. Press Enter to accept the default value.
* For the RPM installer, configure VMware Tools:
*
o vmware-config-tools.pl
o Respond to the questions the installer displays on the screen. Press Enter to accept the default value.
6. Log off the root account. #exit
7. Start your graphical environment.
8. In an X terminal, open the VMware Tools Properties dialog box: #vmware-toolbox &
NOTE If you attempt to install an rpm installation over a tar installation—or the
reverse—the installer detects the previous installation and must convert the
installer database format before continuing.
piątek, 20 marca 2009
defragmentacja dysków maszyn wirtualnych
Przed rozpoczęciem defragmentacji dysku na maszynie wirtualnej nalezy sprawdzić czy nie posiada aktualnie żadnego snapshota!
Snapshot na VM spowodowałby duży przyrost pliku delta ( snapshota).
Temat szczegółowo omówiono tu:
http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1311854,00.html
Snapshot na VM spowodowałby duży przyrost pliku delta ( snapshota).
Temat szczegółowo omówiono tu:
http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1311854,00.html
poniedziałek, 16 marca 2009
archiwizacja poczty starszej niż ....
Komendy wykonujemy w katalogu usera w podfolderze Maildir.
#archiwizujemy starsze pliki niż 1 rok
find cur/ -mtime +365 | xargs tar czvf kopaArchStarszychPlikowNizRok.tar.gz
# usuwamy starsze pliki niż 1 rok
find cur/ -mtime +365 | xargs rm -r
#archiwizujemy starsze pliki niż 1 rok
find cur/ -mtime +365 | xargs tar czvf kopaArchStarszychPlikowNizRok.tar.gz
# usuwamy starsze pliki niż 1 rok
find cur/ -mtime +365 | xargs rm -r
poniedziałek, 9 marca 2009
1Weryfikacja stanu macierzy za pomocą narzędzia navicli
Po instalacji klienta do macierzy na esx-ach jest dostępne narzędzie którym możemy zarządzać macierząo odpytywać ją o status. Aplikacja dostępna jest standardowo w lokalizacji:
/opt/Navisphere/bin/
Dostępne opcje o statusie macierzy:
./navicli -h adres.IP.StorageProcesora getagent – versja oprogramowania
./navicli -h adres.IP.StorageProcesora getcache – informacje o włączonym cache zapis/odczyt itp.
./navicli -h adres.IP.StorageProcesora getdisk – informacje o dyskach ( firmware, wielkość itp )
./navicli -h adres.IP.StorageProcesora getdisk | grep Errors – podaje czy na dyskach wystąpiły jakies błędy.
./navicli -h adres.IP.StorageProcesora getlun 1 -disk -busy – obciążenie poszczególnych dysków pracujących w storage grupie ( na wskazanym lunie)
./navicli -h adres.IP.StorageProcesora getsniffer 1 ( LUN ID) – pokazuje sumaryczne informacje o testach weryfikacji spójności wskazanego LUN-a ( adres odpytywanego SP musi być Current ownerem danego LUN ID !!)
[root@esx06 bin]# ./navicli -h adres.IP.StorageProcesora getsniffer 2
VERIFY RESULTS FOR UNIT 2
Sniffing state: ENABLED
Sniffing rate (100 ms/IO): 10
Background verify priority: ASAP
Historical Total of all Non-Volatile Recovery Verifies (0 passes)
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Currently Running Full Unit Verify
-----------------------------------------------------------------
Verify State: Sniff Running
Percent Complete: 76
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Most Recently Completed Full Unit Verify
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Historical Total of All Full Unit Verifies (1 passes)
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
/opt/Navisphere/bin/
Dostępne opcje o statusie macierzy:
./navicli -h adres.IP.StorageProcesora getagent – versja oprogramowania
./navicli -h adres.IP.StorageProcesora getcache – informacje o włączonym cache zapis/odczyt itp.
./navicli -h adres.IP.StorageProcesora getdisk – informacje o dyskach ( firmware, wielkość itp )
./navicli -h adres.IP.StorageProcesora getdisk | grep Errors – podaje czy na dyskach wystąpiły jakies błędy.
./navicli -h adres.IP.StorageProcesora getlun 1 -disk -busy – obciążenie poszczególnych dysków pracujących w storage grupie ( na wskazanym lunie)
./navicli -h adres.IP.StorageProcesora getsniffer 1 ( LUN ID) – pokazuje sumaryczne informacje o testach weryfikacji spójności wskazanego LUN-a ( adres odpytywanego SP musi być Current ownerem danego LUN ID !!)
[root@esx06 bin]# ./navicli -h adres.IP.StorageProcesora getsniffer 2
VERIFY RESULTS FOR UNIT 2
Sniffing state: ENABLED
Sniffing rate (100 ms/IO): 10
Background verify priority: ASAP
Historical Total of all Non-Volatile Recovery Verifies (0 passes)
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Currently Running Full Unit Verify
-----------------------------------------------------------------
Verify State: Sniff Running
Percent Complete: 76
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Most Recently Completed Full Unit Verify
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
Historical Total of All Full Unit Verifies (1 passes)
-----------------------------------------------------------------
Corrected Uncorrectable
Checksum errors 0 0
Write Stamp errors 0 0
Time Stamp errors 0 0
Shed Stamp errors 0 0
Coherency errors 0 0
czwartek, 5 marca 2009
IPSec Multi Home
W IOS od wersji 12.4 istneje możliwość stosowania technologii Reliable Static Routing.
Celem jest przy wykorzystaniu 2 ISP stworzenie tras zapasowych bez wykorzystania BGP.
Na tej podstawie sprawdzamy dostępność routera "next hope" lub innego docelowego.
W momencie jego niedostępności router przełącza nas na drugą domyślną ścieżkę.
Technologia opisana jest dokładniej na stronie: http://www.nil.com/ipcorner/SmallSiteMultiHoming/
------------------------------------------------------------------------------------------------
tekst źródłowy
------------------------------------------------------------------------------------------------
Small Site Multi-homing
by Ivan Pepelnjak, Damijan Markovič and Dragan Spasojevič
Unless your network operates under extreme security considerations or in places where the is no Internet access, your management has probably already asked you to lower the wide area network (WAN) costs by migrating from a traditional leased line or frame-relay-based network to an Internet- or MPLS VPN-based transport, while at the same time retaining or even increasing network reliability. This conflicting set of requirements might force you to make all your sites multi-homed (connected to more than one Internet Service Provider – ISP).
Multi-homing requirements aren’t new; for example, every decent e-commerce solution should be multi-homed. However, most solutions you’ll find with extensive help from Google require that you possess your own public IP prefix and an autonomous system number (both of them are scarce resources) and run Border Gateway Protocol (BGP) with all ISPs. Clearly, these requirements are completely unrealistic if you want to multi-home a small remote office.
In this article, you’ll learn how to:
connect a small remote site to more than one ISP;
detect failures in the ISP networks and adjust your routing accordingly;
increase overall availability of your sites with Service Level Agreement (SLA) monitoring;
log all relevant changes in the remote site connectivity.
Basic Small Site Multi-Homing
Connecting a small site to multiple service providers can be extremely easy – you get two upstream links and two provider-assigned (PA) IP addresses (either static or dynamically assigned). Since each ISP will give you only a single IP address, you have to use private IP addresses on the LAN side of the router (Figure 1).
Figure 1
IP addressing in small multi-homed site
As most ISPs will not be willing to run a dynamic routing protocol with small sites, you have to configure static default routing on your end. You would almost always prefer one provider over the other, resulting in a primary and a backup default route (Figure 2).
Note
With careful configuration, it’s also possible to achieve rudimentary load sharing with two equally-good default routes.
Figure 2
Static default routing
The router on the remote site would also have to perform two independent NAT translations, one for packets sent to ISP A (where local addresses get translated to the IP address assigned by ISP A) and another one for packets sent to ISP B (Figure 3).
Figure 3
NAT translation in small multi-homed site
One of the major issues in multi-homed site design is the proper handling of the return traffic. It’s not uncommon to experience performance problems if the outbound and return traffic flow over different links (also known as asymmetrical routing), while IP multicast and stateful packet inspection (part of IOS firewall feature set) almost always break under these conditions. Fortunately, asymmetrical routing is never a problem in a dual NAT design from Figure 3, as the source address of the outbound packet indicates the link that has been used to send it (see Figure 4).
Figure 4
Symmetrical routing with dual NAT
Configuring Small Multi-Homed Site
Configuring the gateway router in a small multi-homed site is very simple. You start by configuring the private and public IP addresses (Listing 1).
Listing 1
Initial router configuration
hostname GW
!
ip cef
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
interface FastEthernet0/0
description *** Inside LAN interface ***
ip address 192.168.0.1 255.255.255.0
!
interface Serial0/0/0
description *** Link to ISP 1 ***
ip address 172.16.1.1 255.255.255.252
!
interface Serial0/0/1 point-to-point
description *** Link to ISP 2 ***
ip address 172.17.3.1 255.255.255.252
NAT configuration is a bit more complex; you have to configure two NAT pools (one for each ISP), as displayed in Listing 2.
Listing 2
Network Address Translation configuration
interface FastEthernet0/0
ip nat inside
!
interface Serial0/0/0
ip nat outside
!
interface Serial0/0/1 point-to-point
ip nat outside
!
ip nat inside source route-map ISP_A interface Serial0/0/0 overload
ip nat inside source route-map ISP B interface Serial0/0/1 overload
!
route-map ISP_A permit 10
match interface Serial0/0/0
!
route-map ISP_B permit 10
match interface Serial0/0/1
Note
Having two route-maps matching outgoing interfaces (the match interface statement in a NAT route-map matches outgoing interface) is the only way to configure per-interface NAT pools in Cisco IOS.
As most ISPs will not be willing to run a dynamic routing protocol with small sites, you have to configure static default routing on your end. You would almost always prefer one provider over the other (therefore one default route would have a lower administrative distance) as shown in Listing 3, although it’s possible (with CEF switching using per-destination load sharing) to use two default routes in 1-to-1 load-balancing setup.
Listing 3
Basic multihomed default routing setup
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
The simplistic static routing in Listing 3 represents a major availability issue – if you cannot detect the link failure on the link toward ISP A reliably, the default static route toward ISP B will never be used. While you can almost always detect leased-line or cable failure (due to loss of carrier signal) and usually detect Frame-Relay failures through Local Management Interface (LMI) messages or end-to-end keepalives, it’s almost impossible to detect layer-2 failures in PPPoE (ADSL) or Metro Ethernet access layers. In these scenarios, the primary default route will never disappear (even though the next-hop router is no longer reachable), making static multi-homing impossible. This problem is solved, however, in Cisco IOS release 12.3(8)T (integrated in release 12.4) with static routes tied to IP SLA measurements.
Not-so-Very-Static Routes
Cisco IOS release 12.3(4)T introduced Enhanced Object Tracking, which together with Reliable Static Routing Using Object Tracking introduced in IOS release 12.3(8)T solves the problem. Enhanced Object Tracking introduces a generic track object that can track a state of an interface (layer-2 or layer-3 state), presence or metric of an IP route, state of an SLA measurement or even availability of Mobile IP home agent or GPRS nodes. Even more, you can combine various track objects (including weighing them) into a compound object.
The Reliable Static Routing Using Object Tracking feature ties a track object to a static route – whenever the track object’s state is down, the static route is removed from the routing table; exactly what you would need to support reliable multi-homing. To configure a static route based on the state of the next-hop router, you need to:
Configure an ip sla (previously known as Response Time Reporter – rtr) object pinging the next-hop router on primary Internet link (Listing 4). The polling frequency you specify (in seconds) depends on the reliability requirements, but anything below a few seconds would place unnecessary burden on the next-hop router (as you might not be the only one tracking its availability).
Listing 4
Pinging next-hop router
ip sla 100
icmp-echo 172.16.1.2 source-interface Serial0/0/0
timeout 500
frequency 3
ip sla schedule 100 life forever start-time now
Note
You cannot change the parameters of an SLA object once you’ve scheduled it. To change the target IP address, timeouts or polling frequency, you need to delete the SLA object and recreate it.
Create a track object monitoring the reachability of the SLA target (Listing 5). As you probably don’t want to respond to a single lost ICMP packet, you should use the delay option of the track object to specify how long the next-hop router should remain unreachable before it’s declared to be lost (the down delay should be approximately three times the SLA polling frequency and the up delay should be even longer).
Note
When calculating the up delay, remember that a router can temporarily respond to pings during the bootstrap process.
Listing 5
Tracking the state of the next-hop router
track 100 rtr 100 reachability
delay down 10 up 20
After configuring the track object, attach it to the primary static default route to ensure that the default route is removed if the next-hop router is not reachable (Listing 6).
Listing 6
Conditional static default route
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 100
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
You can check the proper operation of the reliable static routing with the show ip route command. Listing 7 displays the IP routing table on the GW router when the primary next-hop router is available, Listing 8 shows the routing table after primary next-hop router failure.
Listing 7
IP routing table with operational primary next-hop router
GW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.17.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.17.3.0 is directly connected, Serial0/0/1
172.16.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0/0
C 192.168.0.0 255.255.255.0 is directly connected, FastEthernet0/0
S* 0.0.0.0 0.0.0.0 is directly connected, Serial0/0/0
Listing 8
IP routing table after the next-hop router failure
GW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.17.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.17.3.0 is directly connected, Serial0/0/1
172.16.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0/0
C 192.168.0.0 255.255.255.0 is directly connected, FastEthernet0/0
S* 0.0.0.0 0.0.0.0 is directly connected, Serial0/0/1
Monitoring Reliable Static Routing
The reliable static routes silently appear or disappear from the IP routing table based on the state of the attached track object; the only means of monitoring their state is with the show ip route track-table command (Listing 9) or with the debug track command (Listing 10).
Listing 9
Show tracked routes
GW#show ip route track-table
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 name ISP_A track 100 state is [down]
Listing 10
Debug tracking
GW#debug track
06:49:44: Track: 100 Down change delayed for 10 secs
06:49:54: Track: 100 Down change delay expired
06:49:54: Track: 100 Change #26 rtr 100, reachability Up->Down
06:50:24: Track: 100 Up change delayed for 20 secs
06:50:34: Track: 100 Up change delay cancelled
06:58:59: Track: 100 Up change delayed for 20 secs
06:59:19: Track: 100 Up change delay expired
06:59:19: Track: 100 Change #25 rtr 100, reachability Down->Up
Note
The debugging printout in Listing 10 illustrates a real-life scenario where the next-hop router became temporarily reachable during the bootstrap process and disappeared a few seconds later (the change delay cancelled printout).
While the silent modification of the IP routing table might be acceptable in most situations (after all, you don’t get notified when a regular IP route disappears from the routing table either), you might want to know if your primary ISP is unreachable (similar to the interface up/down events you would get with traditional access methods like leased lines or Frame Relay access). The Embedded Event Manager 2.2 (introduced in IOS release 12.4(2)T) is the ideal solution, as you can trigger EEM applets (or TCL scripts) whenever a track object’s state changes with the event track configuration command.
To display the changes in a tracked object state, you can define two EEM applets, one triggered on the down change, another one triggered on the up change. If you only want to be notified that the state has changed, the only action you need to specify is the syslog msg action, but you can perform any number of actions you want (for example, send an e-mail to the network manager or even reconfigure the router). A sample EEM configuration is shown in Listing 11 and the printouts generated by it are included in Listing 12.
Listing 11
IOS EEM generates syslog messages on tracked object state change
event manager applet ISP_A_down
event track 100 state down
action 1.0 syslog msg "ping to 172.16.1.2 from Serial 0/0/0 failed"
event manager applet ISP_A_up
event track 100 state up
action 1.0 syslog msg "172.16.1.2 is reachable"
Listing 12
Sample EEM printouts
07:02:19: %HA_EM-6-LOG: ISP_A_down: ping to 172.16.1.2 from Serial 0/0/0 failed
07:03:19: %HA_EM-6-LOG: ISP_A_up: 172.16.1.1 is reachable
End-to-End Connectivity Test
After you’ve successfully implemented the tracking of the primary next-hop router’s availability, you might be tempted to improve the solution to track end-to-end connectivity through ISP A and switch to the backup ISP whenever your central site is not reachable through the primary ISP. In theory, the required configuration change should be minimal – you only have to change the destination IP address in the IP SLA definition (Listing 13).
Listing 13
Pinging a remote host
hostname GW
!
ip sla 100
icmp-echo 172.29.0.1 source-interface Serial0/0/0
timeout 200
frequency 10
ip sla schedule 100 life forever start-time now
In most cases, that’s all you have to do. As the ICMP echoes sent to the central site come from an IP address belonging to ISP A (the IP address configured on Serial 0/0/0 in the example), it’s highly unlikely that you would get a return packet if the ISP A has problems. However, the return packet might still reach your router under rare circumstances (misconfigured access lists or one-way connectivity in ISP A). The results are astonishing:
As the pings through ISP A (primary default route) fail, the router removes the primary default route and the backup default route through ISP B is installed.
Pings are now sent from an IP address belonging to ISP A on a path going through ISP B.
If there is a return path from the central site to the IP address sending the ICMP packets, the central site will yet again appear reachable and the primary default route will be reinstalled (resulting in connectivity loss).
Due to renewed connectivity loss, the router will oscillate between the two default routes (Listing 14).
Listing 14
Oscillating routing
GW#debug track
07:15:09: Track: 100 Change #32 rtr 100, reachability Up->Down
07:15:09: %HA_EM-6-LOG: ISP_1_down: ping to 172.29.0.1 from Serial 0/0/0 failed
07:15:19: Track: 100 Up change delayed for 20 secs
07:15:39: Track: 100 Up change delay expired
07:15:39: Track: 100 Change #33 rtr 100, reachability Down->Up
07:15:39: %HA_EM-6-LOG: ISP_1_up: 172.29.0.1 is reachable
07:15:49: Track: 100 Change #34 rtr 100, reachability Up->Down
07:15:49: %HA_EM-6-LOG: ISP_1_down: ping to 172.29.0.1 from Serial 0/0/0 failed
07:15:59: Track: 100 Up change delayed for 20 secs
To fix this (admittedly rare) problem you have to configure a local policy routing (as the ip sla packets originate within the router, they are only affected by the ip local policy) that matches ICMP packets being sent from the Serial0/0/0 interface (based on their IP address; the PingISP_A access list) and forces them to be sent out through the same interface with the set interface configuration command (Listing 15).
Listing 15
Fix the oscillating routing with local policy
ip local policy route-map LocalPolicy
!
ip access-list extended PingISP_A
permit icmp host 172.16.1.1 host 172.29.0.1
!
route-map LocalPolicy permit 10
match ip address PingISP_A
set interface Serial0/0/0
If you want to, you can extend the concepts presented in this section even further. For example, if the central site is not reachable through either ISP (it might be down), it could make more sense to retain ISP A as the primary ISP. You would thus need to track the central site’s availability through both ISPs and configure a reliable static default route for both of them (the backup one with a higher administrative distance, of course) with a third (last-resort) default route pointing to ISP A. The complete configuration is included in Listing 16 and its interpretation is left as an exercise for the reader.
Listing 16
GW router tracking central site availability through both ISPs
hostname GW
!
ip cef
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip sla 100
icmp-echo 172.29.0.1 source-interface Serial0/0/0
timeout 200
frequency 3
ip sla schedule 100 life forever start-time now
!
ip sla 101
icmp-echo 172.29.0.1 source-interface Serial0/0/1
timeout 500
frequency 3
ip sla schedule 101 life forever start-time now
!
track 100 rtr 100 reachability
delay down 10 up 20
!
track 101 rtr 101 reachability
delay down 10 up 20
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Serial0/0/0
description *** Link to ISP 1 ***
ip address 172.16.1.1 255.255.255.252
ip nat outside
!
interface Serial0/0/1
description *** Link to ISP 2 ***
ip address 172.17.3.1 255.255.255.252
ip nat outside
!
ip local policy route-map LocalPolicy
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 100
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 11 track 101
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 250
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
!
!
ip nat inside source route-map ISP_A interface Serial0/0/0 overload
ip nat inside source route-map ISP B interface Serial0/0/1 overload
!
ip access-list extended PingISP_A
permit icmp host 172.16.1.1 host 172.29.0.1
ip access-list extended PingISP_B
permit icmp host 172.17.3.1 host 172.29.0.1
!
route-map ISP_A permit 10
match interface Serial0/0/0
!
route-map ISP_B permit 10
match interface Serial0/0/1
!
route-map LocalPolicy permit 10
match ip address PingISP_A
set interface Serial0/0/0
!
route-map LocalPolicy permit 20
match ip address PingISP_B
set interface Serial0/0/1
!
!
event manager applet ISP_A_down
event track 100 state down
action 1.0 syslog msg "ping to central site from Serial 0/0/0 failed"
event manager applet ISP_A_up
event track 100 state up
action 1.0 syslog msg "central site is reachable"
event manager applet ISP_B_down
event track 101 state down
action 1.0 syslog msg "ping to central site from Serial 0/0/1 failed"
event manager applet ISP_B_up
event track 101 state up
action 1.0 syslog msg "central site is reachable"
!
end
Summary
With the ever faster replacement of traditional WAN networks with MPLS VPN- or Internet-based solutions, it’s increasingly important to have a good design and implementation strategy for small multi-homed sites. While it’s easy to implement multi-homed sites whenever you are able to run a routing protocol between the customer edge (CE) and provider edge (PE) router, as is the case with most MPLS VPN implementations, the static default routing imposed on most Internet customers by their ISPs make reliable multi-homing almost impossible in modern networks that are not able to signal loss of layer-2 connectivity reliably.
The Reliable Static Routing Using Object Tracking feature available in Cisco IOS release 12.4 allows you to tie static route viability to a tracked object (interface, another route …). If you track the state of the next-hop router, it’s possible to detect layer-3 failures reliably, triggering a reroute to the backup ISP. You can improve this design, track the end-to-end availability of the central site and reroute to the backup ISP whenever you cannot reach the central site through the primary ISP. Even more, you don’t have to rely on ICMP echo packets; IP SLA feature of Cisco IOS can track availability of a large number of applications (for example, your company’s central web server).
Celem jest przy wykorzystaniu 2 ISP stworzenie tras zapasowych bez wykorzystania BGP.
Na tej podstawie sprawdzamy dostępność routera "next hope" lub innego docelowego.
W momencie jego niedostępności router przełącza nas na drugą domyślną ścieżkę.
Technologia opisana jest dokładniej na stronie: http://www.nil.com/ipcorner/SmallSiteMultiHoming/
------------------------------------------------------------------------------------------------
tekst źródłowy
------------------------------------------------------------------------------------------------
Small Site Multi-homing
by Ivan Pepelnjak, Damijan Markovič and Dragan Spasojevič
Unless your network operates under extreme security considerations or in places where the is no Internet access, your management has probably already asked you to lower the wide area network (WAN) costs by migrating from a traditional leased line or frame-relay-based network to an Internet- or MPLS VPN-based transport, while at the same time retaining or even increasing network reliability. This conflicting set of requirements might force you to make all your sites multi-homed (connected to more than one Internet Service Provider – ISP).
Multi-homing requirements aren’t new; for example, every decent e-commerce solution should be multi-homed. However, most solutions you’ll find with extensive help from Google require that you possess your own public IP prefix and an autonomous system number (both of them are scarce resources) and run Border Gateway Protocol (BGP) with all ISPs. Clearly, these requirements are completely unrealistic if you want to multi-home a small remote office.
In this article, you’ll learn how to:
connect a small remote site to more than one ISP;
detect failures in the ISP networks and adjust your routing accordingly;
increase overall availability of your sites with Service Level Agreement (SLA) monitoring;
log all relevant changes in the remote site connectivity.
Basic Small Site Multi-Homing
Connecting a small site to multiple service providers can be extremely easy – you get two upstream links and two provider-assigned (PA) IP addresses (either static or dynamically assigned). Since each ISP will give you only a single IP address, you have to use private IP addresses on the LAN side of the router (Figure 1).
Figure 1
IP addressing in small multi-homed site
As most ISPs will not be willing to run a dynamic routing protocol with small sites, you have to configure static default routing on your end. You would almost always prefer one provider over the other, resulting in a primary and a backup default route (Figure 2).
Note
With careful configuration, it’s also possible to achieve rudimentary load sharing with two equally-good default routes.
Figure 2
Static default routing
The router on the remote site would also have to perform two independent NAT translations, one for packets sent to ISP A (where local addresses get translated to the IP address assigned by ISP A) and another one for packets sent to ISP B (Figure 3).
Figure 3
NAT translation in small multi-homed site
One of the major issues in multi-homed site design is the proper handling of the return traffic. It’s not uncommon to experience performance problems if the outbound and return traffic flow over different links (also known as asymmetrical routing), while IP multicast and stateful packet inspection (part of IOS firewall feature set) almost always break under these conditions. Fortunately, asymmetrical routing is never a problem in a dual NAT design from Figure 3, as the source address of the outbound packet indicates the link that has been used to send it (see Figure 4).
Figure 4
Symmetrical routing with dual NAT
Configuring Small Multi-Homed Site
Configuring the gateway router in a small multi-homed site is very simple. You start by configuring the private and public IP addresses (Listing 1).
Listing 1
Initial router configuration
hostname GW
!
ip cef
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
interface FastEthernet0/0
description *** Inside LAN interface ***
ip address 192.168.0.1 255.255.255.0
!
interface Serial0/0/0
description *** Link to ISP 1 ***
ip address 172.16.1.1 255.255.255.252
!
interface Serial0/0/1 point-to-point
description *** Link to ISP 2 ***
ip address 172.17.3.1 255.255.255.252
NAT configuration is a bit more complex; you have to configure two NAT pools (one for each ISP), as displayed in Listing 2.
Listing 2
Network Address Translation configuration
interface FastEthernet0/0
ip nat inside
!
interface Serial0/0/0
ip nat outside
!
interface Serial0/0/1 point-to-point
ip nat outside
!
ip nat inside source route-map ISP_A interface Serial0/0/0 overload
ip nat inside source route-map ISP B interface Serial0/0/1 overload
!
route-map ISP_A permit 10
match interface Serial0/0/0
!
route-map ISP_B permit 10
match interface Serial0/0/1
Note
Having two route-maps matching outgoing interfaces (the match interface statement in a NAT route-map matches outgoing interface) is the only way to configure per-interface NAT pools in Cisco IOS.
As most ISPs will not be willing to run a dynamic routing protocol with small sites, you have to configure static default routing on your end. You would almost always prefer one provider over the other (therefore one default route would have a lower administrative distance) as shown in Listing 3, although it’s possible (with CEF switching using per-destination load sharing) to use two default routes in 1-to-1 load-balancing setup.
Listing 3
Basic multihomed default routing setup
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
The simplistic static routing in Listing 3 represents a major availability issue – if you cannot detect the link failure on the link toward ISP A reliably, the default static route toward ISP B will never be used. While you can almost always detect leased-line or cable failure (due to loss of carrier signal) and usually detect Frame-Relay failures through Local Management Interface (LMI) messages or end-to-end keepalives, it’s almost impossible to detect layer-2 failures in PPPoE (ADSL) or Metro Ethernet access layers. In these scenarios, the primary default route will never disappear (even though the next-hop router is no longer reachable), making static multi-homing impossible. This problem is solved, however, in Cisco IOS release 12.3(8)T (integrated in release 12.4) with static routes tied to IP SLA measurements.
Not-so-Very-Static Routes
Cisco IOS release 12.3(4)T introduced Enhanced Object Tracking, which together with Reliable Static Routing Using Object Tracking introduced in IOS release 12.3(8)T solves the problem. Enhanced Object Tracking introduces a generic track object that can track a state of an interface (layer-2 or layer-3 state), presence or metric of an IP route, state of an SLA measurement or even availability of Mobile IP home agent or GPRS nodes. Even more, you can combine various track objects (including weighing them) into a compound object.
The Reliable Static Routing Using Object Tracking feature ties a track object to a static route – whenever the track object’s state is down, the static route is removed from the routing table; exactly what you would need to support reliable multi-homing. To configure a static route based on the state of the next-hop router, you need to:
Configure an ip sla (previously known as Response Time Reporter – rtr) object pinging the next-hop router on primary Internet link (Listing 4). The polling frequency you specify (in seconds) depends on the reliability requirements, but anything below a few seconds would place unnecessary burden on the next-hop router (as you might not be the only one tracking its availability).
Listing 4
Pinging next-hop router
ip sla 100
icmp-echo 172.16.1.2 source-interface Serial0/0/0
timeout 500
frequency 3
ip sla schedule 100 life forever start-time now
Note
You cannot change the parameters of an SLA object once you’ve scheduled it. To change the target IP address, timeouts or polling frequency, you need to delete the SLA object and recreate it.
Create a track object monitoring the reachability of the SLA target (Listing 5). As you probably don’t want to respond to a single lost ICMP packet, you should use the delay option of the track object to specify how long the next-hop router should remain unreachable before it’s declared to be lost (the down delay should be approximately three times the SLA polling frequency and the up delay should be even longer).
Note
When calculating the up delay, remember that a router can temporarily respond to pings during the bootstrap process.
Listing 5
Tracking the state of the next-hop router
track 100 rtr 100 reachability
delay down 10 up 20
After configuring the track object, attach it to the primary static default route to ensure that the default route is removed if the next-hop router is not reachable (Listing 6).
Listing 6
Conditional static default route
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 100
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
You can check the proper operation of the reliable static routing with the show ip route command. Listing 7 displays the IP routing table on the GW router when the primary next-hop router is available, Listing 8 shows the routing table after primary next-hop router failure.
Listing 7
IP routing table with operational primary next-hop router
GW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.17.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.17.3.0 is directly connected, Serial0/0/1
172.16.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0/0
C 192.168.0.0 255.255.255.0 is directly connected, FastEthernet0/0
S* 0.0.0.0 0.0.0.0 is directly connected, Serial0/0/0
Listing 8
IP routing table after the next-hop router failure
GW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
172.17.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.17.3.0 is directly connected, Serial0/0/1
172.16.0.0 255.255.255.252 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, Serial0/0/0
C 192.168.0.0 255.255.255.0 is directly connected, FastEthernet0/0
S* 0.0.0.0 0.0.0.0 is directly connected, Serial0/0/1
Monitoring Reliable Static Routing
The reliable static routes silently appear or disappear from the IP routing table based on the state of the attached track object; the only means of monitoring their state is with the show ip route track-table command (Listing 9) or with the debug track command (Listing 10).
Listing 9
Show tracked routes
GW#show ip route track-table
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 name ISP_A track 100 state is [down]
Listing 10
Debug tracking
GW#debug track
06:49:44: Track: 100 Down change delayed for 10 secs
06:49:54: Track: 100 Down change delay expired
06:49:54: Track: 100 Change #26 rtr 100, reachability Up->Down
06:50:24: Track: 100 Up change delayed for 20 secs
06:50:34: Track: 100 Up change delay cancelled
06:58:59: Track: 100 Up change delayed for 20 secs
06:59:19: Track: 100 Up change delay expired
06:59:19: Track: 100 Change #25 rtr 100, reachability Down->Up
Note
The debugging printout in Listing 10 illustrates a real-life scenario where the next-hop router became temporarily reachable during the bootstrap process and disappeared a few seconds later (the change delay cancelled printout).
While the silent modification of the IP routing table might be acceptable in most situations (after all, you don’t get notified when a regular IP route disappears from the routing table either), you might want to know if your primary ISP is unreachable (similar to the interface up/down events you would get with traditional access methods like leased lines or Frame Relay access). The Embedded Event Manager 2.2 (introduced in IOS release 12.4(2)T) is the ideal solution, as you can trigger EEM applets (or TCL scripts) whenever a track object’s state changes with the event track configuration command.
To display the changes in a tracked object state, you can define two EEM applets, one triggered on the down change, another one triggered on the up change. If you only want to be notified that the state has changed, the only action you need to specify is the syslog msg action, but you can perform any number of actions you want (for example, send an e-mail to the network manager or even reconfigure the router). A sample EEM configuration is shown in Listing 11 and the printouts generated by it are included in Listing 12.
Listing 11
IOS EEM generates syslog messages on tracked object state change
event manager applet ISP_A_down
event track 100 state down
action 1.0 syslog msg "ping to 172.16.1.2 from Serial 0/0/0 failed"
event manager applet ISP_A_up
event track 100 state up
action 1.0 syslog msg "172.16.1.2 is reachable"
Listing 12
Sample EEM printouts
07:02:19: %HA_EM-6-LOG: ISP_A_down: ping to 172.16.1.2 from Serial 0/0/0 failed
07:03:19: %HA_EM-6-LOG: ISP_A_up: 172.16.1.1 is reachable
End-to-End Connectivity Test
After you’ve successfully implemented the tracking of the primary next-hop router’s availability, you might be tempted to improve the solution to track end-to-end connectivity through ISP A and switch to the backup ISP whenever your central site is not reachable through the primary ISP. In theory, the required configuration change should be minimal – you only have to change the destination IP address in the IP SLA definition (Listing 13).
Listing 13
Pinging a remote host
hostname GW
!
ip sla 100
icmp-echo 172.29.0.1 source-interface Serial0/0/0
timeout 200
frequency 10
ip sla schedule 100 life forever start-time now
In most cases, that’s all you have to do. As the ICMP echoes sent to the central site come from an IP address belonging to ISP A (the IP address configured on Serial 0/0/0 in the example), it’s highly unlikely that you would get a return packet if the ISP A has problems. However, the return packet might still reach your router under rare circumstances (misconfigured access lists or one-way connectivity in ISP A). The results are astonishing:
As the pings through ISP A (primary default route) fail, the router removes the primary default route and the backup default route through ISP B is installed.
Pings are now sent from an IP address belonging to ISP A on a path going through ISP B.
If there is a return path from the central site to the IP address sending the ICMP packets, the central site will yet again appear reachable and the primary default route will be reinstalled (resulting in connectivity loss).
Due to renewed connectivity loss, the router will oscillate between the two default routes (Listing 14).
Listing 14
Oscillating routing
GW#debug track
07:15:09: Track: 100 Change #32 rtr 100, reachability Up->Down
07:15:09: %HA_EM-6-LOG: ISP_1_down: ping to 172.29.0.1 from Serial 0/0/0 failed
07:15:19: Track: 100 Up change delayed for 20 secs
07:15:39: Track: 100 Up change delay expired
07:15:39: Track: 100 Change #33 rtr 100, reachability Down->Up
07:15:39: %HA_EM-6-LOG: ISP_1_up: 172.29.0.1 is reachable
07:15:49: Track: 100 Change #34 rtr 100, reachability Up->Down
07:15:49: %HA_EM-6-LOG: ISP_1_down: ping to 172.29.0.1 from Serial 0/0/0 failed
07:15:59: Track: 100 Up change delayed for 20 secs
To fix this (admittedly rare) problem you have to configure a local policy routing (as the ip sla packets originate within the router, they are only affected by the ip local policy) that matches ICMP packets being sent from the Serial0/0/0 interface (based on their IP address; the PingISP_A access list) and forces them to be sent out through the same interface with the set interface configuration command (Listing 15).
Listing 15
Fix the oscillating routing with local policy
ip local policy route-map LocalPolicy
!
ip access-list extended PingISP_A
permit icmp host 172.16.1.1 host 172.29.0.1
!
route-map LocalPolicy permit 10
match ip address PingISP_A
set interface Serial0/0/0
If you want to, you can extend the concepts presented in this section even further. For example, if the central site is not reachable through either ISP (it might be down), it could make more sense to retain ISP A as the primary ISP. You would thus need to track the central site’s availability through both ISPs and configure a reliable static default route for both of them (the backup one with a higher administrative distance, of course) with a third (last-resort) default route pointing to ISP A. The complete configuration is included in Listing 16 and its interpretation is left as an exercise for the reader.
Listing 16
GW router tracking central site availability through both ISPs
hostname GW
!
ip cef
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
ip sla 100
icmp-echo 172.29.0.1 source-interface Serial0/0/0
timeout 200
frequency 3
ip sla schedule 100 life forever start-time now
!
ip sla 101
icmp-echo 172.29.0.1 source-interface Serial0/0/1
timeout 500
frequency 3
ip sla schedule 101 life forever start-time now
!
track 100 rtr 100 reachability
delay down 10 up 20
!
track 101 rtr 101 reachability
delay down 10 up 20
!
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface Serial0/0/0
description *** Link to ISP 1 ***
ip address 172.16.1.1 255.255.255.252
ip nat outside
!
interface Serial0/0/1
description *** Link to ISP 2 ***
ip address 172.17.3.1 255.255.255.252
ip nat outside
!
ip local policy route-map LocalPolicy
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10 track 100
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 11 track 101
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 250
ip route 0.0.0.0 0.0.0.0 Serial0/0/1 251
!
!
ip nat inside source route-map ISP_A interface Serial0/0/0 overload
ip nat inside source route-map ISP B interface Serial0/0/1 overload
!
ip access-list extended PingISP_A
permit icmp host 172.16.1.1 host 172.29.0.1
ip access-list extended PingISP_B
permit icmp host 172.17.3.1 host 172.29.0.1
!
route-map ISP_A permit 10
match interface Serial0/0/0
!
route-map ISP_B permit 10
match interface Serial0/0/1
!
route-map LocalPolicy permit 10
match ip address PingISP_A
set interface Serial0/0/0
!
route-map LocalPolicy permit 20
match ip address PingISP_B
set interface Serial0/0/1
!
!
event manager applet ISP_A_down
event track 100 state down
action 1.0 syslog msg "ping to central site from Serial 0/0/0 failed"
event manager applet ISP_A_up
event track 100 state up
action 1.0 syslog msg "central site is reachable"
event manager applet ISP_B_down
event track 101 state down
action 1.0 syslog msg "ping to central site from Serial 0/0/1 failed"
event manager applet ISP_B_up
event track 101 state up
action 1.0 syslog msg "central site is reachable"
!
end
Summary
With the ever faster replacement of traditional WAN networks with MPLS VPN- or Internet-based solutions, it’s increasingly important to have a good design and implementation strategy for small multi-homed sites. While it’s easy to implement multi-homed sites whenever you are able to run a routing protocol between the customer edge (CE) and provider edge (PE) router, as is the case with most MPLS VPN implementations, the static default routing imposed on most Internet customers by their ISPs make reliable multi-homing almost impossible in modern networks that are not able to signal loss of layer-2 connectivity reliably.
The Reliable Static Routing Using Object Tracking feature available in Cisco IOS release 12.4 allows you to tie static route viability to a tracked object (interface, another route …). If you track the state of the next-hop router, it’s possible to detect layer-3 failures reliably, triggering a reroute to the backup ISP. You can improve this design, track the end-to-end availability of the central site and reroute to the backup ISP whenever you cannot reach the central site through the primary ISP. Even more, you don’t have to rely on ICMP echo packets; IP SLA feature of Cisco IOS can track availability of a large number of applications (for example, your company’s central web server).
wtorek, 3 marca 2009
vmware sVmotion
Wtyczka sVmotion służy do przenoszenia w locie lokalizacji dysków vmdk maszyn wirtualnych pomiędzy datastorami.
Dodatkowe informacje na temat technologii sVmotion znajdziemy pod adresami:
http://www.getyournerdon.com/chris/Lists/Posts/Post.aspx?ID=10
http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-articles/vmotion-drs-high-availability/storage-vmotion-svmotion-vi-plugin.html
http://virtualization.com/news/2008/06/16/andrew-kutz-upgrades-vmware-infrastructure-plug-in-svmotion/
Plugin sVmotion jest do pobrania z strony :
http://code.google.com/p/akutz/downloads/list
Na stronie www.getyournerdon.com pod adresem podanym powyżej podana jest informacja o stronie z pluginami do viClienta gdzie między innymi jest dostępny plugin SVMotion.
Inne ciekawe pluginy do viClienta - http://lostcreations.com/
Dodatkowe informacje na temat technologii sVmotion znajdziemy pod adresami:
http://www.getyournerdon.com/chris/Lists/Posts/Post.aspx?ID=10
http://www.virtualizationadmin.com/articles-tutorials/vmware-esx-articles/vmotion-drs-high-availability/storage-vmotion-svmotion-vi-plugin.html
http://virtualization.com/news/2008/06/16/andrew-kutz-upgrades-vmware-infrastructure-plug-in-svmotion/
Plugin sVmotion jest do pobrania z strony :
http://code.google.com/p/akutz/downloads/list
Na stronie www.getyournerdon.com pod adresem podanym powyżej podana jest informacja o stronie z pluginami do viClienta gdzie między innymi jest dostępny plugin SVMotion.
Inne ciekawe pluginy do viClienta - http://lostcreations.com/
wtorek, 20 stycznia 2009
emulator routerów cisco
Paul Borghese wydał LiveCD z Dynamips/Dynagen oparte o Ubuntu, takiego LiveCD z Dynamips właśnie mi brakowało :). Projekt jest dostępny pod nazwą VirtualPod. Na stronie projektu można obejrzeć tutoriale, pokazujące jak załadować obraz IOSa, a później uruchomić samą aplikację. Są też gotowe pakiety do zainstalowania na działającym już Debianie/Ubuntu. Razem z VirtualPod przychodzi kilka gotowych labów, można oczywiście stworzyć własne i dorzucić do już istniejących. Założę się, że powstanie wielu nowych labów do VirtualPod, przygotowywanych przez ochotników będzie tylko kwestią czasu. :)
źródło
http://www.gns3.net/
źródło
http://www.gns3.net/
czwartek, 15 stycznia 2009
optymalizacja pracy maszyn VM
Zoptymalizowac prace mozna przez przeniesienie z zasobu SAN na lokalne dyski poszczególnych serwerów ESX pliki VMKernel swap. Pozwoli to na odciążenie SAN z operacji I/O oraz zwiększy szybkość pracy samych maszyn wirtualnych.
Trzeba sie tylko zastanowić co stanie sie jak ulegnie awarii system ESX- czy maszyny normalnie uruchomią się na pozostałych ESXach w klastrze ?
Trzeba sie tylko zastanowić co stanie sie jak ulegnie awarii system ESX- czy maszyny normalnie uruchomią się na pozostałych ESXach w klastrze ?
sobota, 3 stycznia 2009
darmowy packager msi
znalazłem oprogramowanie do robienia pakietów msi
http://nsis.sourceforge.net/Main_Page
http://nsis.sourceforge.net/Main_Page
Subskrybuj:
Komentarze (Atom)