ESXi Hypervisor with VT-d on Sandy Bridge working?

I’ve just started my quest to get this working. It’s been difficult finding examples of success from others but I finally found a reference to a specific motherboard and CPU combo that has worked for others.

I’m using an Intel DQ67SWB3 motherboard with an i5-2400 CPU. Of course I had to get a separate Intel NIC since the onboard isn’t supported.

My plan is to use this for a number of servers including my CCTV security camera system. This is using a PV-149 PCI video capture card which would have to be passed through via VT-d for the VM Guest to see it. I’ve successfully installed ESXi 4.1 update 1 via a USB key and I’m in the process of adding some VMs. A couple of issues have come up. First, I don’t have performance stats updating in vSphere client. I’m not sure if this is a driver issue with the “unsupported” motherboard or if it’s a problem with the ESXi install. I can see the overall utilization on the summary pages though, so it’s not like I’m blind. Also, I’m able to add devices via VT-d but it’s not clear to me yet if I can pass through multiple devices to a single Guest.

I’m installing XP in a Guest right now and as soon as that’s done patching (lots of patches) I’ll be working on getting that capture card visible.

I also plan on running PIAF (Asterisk) and SageTV in other VMs. I’m probably going to need a really basic DNS server as well. At some point I might try passing through the onboard NIC to a firewall VM, perhaps pfSense or Untangle. Not sure about that yet.

CCNP Routing and Switching Quick Reference review

It’s taken me a while but I finally have another review to provide. I was due for my CCNP recert so I decided to go for the Switching test, 642-813. I started with this book:

My focus was on the switching section so this review really only addresses that part. I’ve been taking Cisco tests for a while so the process was familiar to me. I also had a good foundation in switching technologies. The book does a good job of breaking down the separate areas that the test focuses on. You couldn’t use this book to study for the CCNP if you’re coming right from the CCNA. It’s strictly a refresher level of knowledge. What I found was that there were several parts of the test that were more obscure but were referenced in the book. It wasn’t verbatim of course, but it was familiar enough to help me pass.

Another thing I found relevant is that the distilled information in this book is good for reminding me of the little things that can be done to tweak a network. I think most of us are content to worry about HSRP priorities and STP roots. We don’t so much focus on the other loop prevention tools that Cisco’s made available. Thanks to the short and direct content in this book, you can quickly get a sense for the other technologies at your disposal.

And I passed. Highly recommended!

Cisco and Extreme interoperability – Part 2 – LACP

Wow…4+ years later and I’m finally posting part 2. Yep, the original config didn’t work quite right but I did get it working. Here’s the result:

On the Cisco switch:
interface Port-channel98
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet8/5
 no ip address
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 98 mode on

On the Extreme switch:
enable sharing 1:1 grouping 1:1,1:2,1:3,1:4 algorithm port-based
configure vlan "out_of_band" ipaddress
configure vlan "out_of_band" add port 7:1 untagged
configure vlan "out_of_band" add port 1:1 tagged

out_of_band was used for testing. I put a PC on port 7:1 on the Extreme switch to make sure I could get to a PC on the Cisco switch.

Turns out I did full documentation on the test process and actually kept the doc! I was amazed! My notes suggest the only delay was when re-connecting ports that are part of the group: they would not start forwarding for about 3 seconds. Otherwise it worked great!

More on the Nortel 1535

Got PIAF purple installed and patched over the weekend. Setting up two of the 1535s to register and do video calling was pretty trivial. There’s a little bit of lag in the video but it’s not too bad. I also called the test numbers and there was no problem with the audio quality. Nice and sharp without drops, latency or jitter. This is running in VirtualBox with the extensions installed on a Pentium dual core. I’ve assigned 1 GB of RAM to the VM.

To turn on the video capability you have to add the following to sip_extensions_custom in the asterisk directory:


Don’t forget to reload the configs!

Next up is getting Google Voice to work.

PIAF, VirtualBox and the Nortel 1535 phone

Wow, it’s been a while. I scored some of the Nortel IP 1535s thanks to NerdVittles and this gives me a good opportunity to try to upgrade my Asterisk system to the latest and greatest version. Naturally I want to go with PIAF and they just patched to Asterisk 1.8. I’ve considered using the Incredible PBX build but I don’t think I need all that stuff, so I’m going to try straight PIAF first and see if I can get the Google Voice parts working at least.

First up, I’ve installed it in VirtualBox. Now, I’m concerned that there might be a stuttering problem because it’s virtualized. No way to know until I get a phone online. I’m hoping this will help, but I installed the VB additions. It was relatively painless following the steps, with the exception of changing the kernel version to match. Rebooted and it looks ok so far.

More to come as I get phones online.

Cisco ASA Standby device “copy TFTP” syntax

That’s a mouthful. I’ve been having a hard time figuring out how to successfully transfer images to the Standby ASA’s flash from the Active’s CLI. Finally figured it out. Here’s the syntax:

failover exec standby copy /noconfirm tftp://{ip address}/{file name} disk0:/{file name}

Without the /noconfirm it’ll fail. You also need a standby ip address on the interface facing the tftp server and I haven’t confirmed this but I think it might also need to be on the same subnet. I’m still having some trouble with a situation where the standby ASA would have to reach another subnet.

iPhone VPN and Cisco IOS, Part 2

I previously posted about some luck I had getting IPSEC VPN to work from my iPhone to my IOS router/firewall. That post is now kind of useless because the source blog disappeared about a year ago. So, in order to make this useful again I’m posting my full IOS code (obfuscated for obvious reasons). Change the IP addresses and the group name and password and you should be good to go. This uses the new(ish) method in IOS of zone based firewall. It’s overly complex and really hard to parse for anything remotely complicated but it’s what I’m working with. You’ll notice I used the SDM for most of the config. Yep, I’m lame and I’m not afraid to admit it. All of that zone config typing would have been a pain in the butt! Also, be sure to use a pool that is different from your “inside” subnet. Won’t work otherwise. Also, it should be obvious but this config uses local users so you need to add at least one of those.

Keep in mind this will all change when iPhone OS4 comes out as it’s supposed to support SSL VPNs. Finally. The IPSEC works perfectly fine for now though. I’ve not tested this on my iPad yet since I haven’t had it out of the house…and it’s not a 3G model. Don’t see why it wouldn’t work though.

And now the code:

aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_2 local

crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp client configuration group mygroupname
 key something_goes_here
 dns 192.168.x.x
 pool SDM_POOL_2
crypto isakmp profile sdm-ike-profile-1
 match identity group mygroupname
 client authentication list sdm_vpn_xauth_ml_2
 isakmp authorization list sdm_vpn_group_ml_2
 client configuration address respond
 virtual-template 2

crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set aes-transform
 set isakmp-profile sdm-ike-profile-1

class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
 class class-default

zone security ezvpn-zone

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip

interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1

ip local pool SDM_POOL_2 192.168.y.y 192.168.y.z

ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
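Two things the post says will break this config are easy to miss when hand-editing it: the address pool overlapping the “inside” subnet, and a zone-pair service-policy, transform-set, ISAKMP profile or pool referring to a name that was never defined (the listing above names the policy-map sdm-permit in one place and sdm-permit-ip in another, which is exactly that kind of slip). The following is an added example, not part of the original post and not Cisco tooling: a small Python checker run over a constructed IOS fragment with both defects planted in it.

```python
import re
import ipaddress

# Constructed sample, not the post's config: a trimmed IOS ZBF/EzVPN
# fragment with two planted defects, a service-policy naming an undefined
# policy-map and a pool that overlaps the LAN on Vlan1.
SAMPLE = """
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.220
crypto isakmp profile sdm-ike-profile-1
crypto isakmp client configuration group mygroupname
 pool SDM_POOL_2
crypto ipsec transform-set aes-transform esp-aes 256 esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set aes-transform
 set isakmp-profile sdm-ike-profile-1
policy-map type inspect sdm-permit
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
"""

# (definition regex, reference regex) per object type; group 1 is the name.
OBJECTS = {
    "policy-map": (r"^policy-map type inspect (\S+)",
                   r"^\s*service-policy type inspect (\S+)"),
    "transform-set": (r"^crypto ipsec transform-set (\S+)",
                      r"^\s*set transform-set (\S+)"),
    "isakmp-profile": (r"^crypto isakmp profile (\S+)",
                       r"^\s*set isakmp-profile (\S+)"),
    "pool": (r"^ip local pool (\S+)", r"^\s*pool (\S+)"),
}

def dangling_references(cfg):
    """Return (type, name) for every reference that has no definition."""
    missing = []
    for kind, (defn, ref) in OBJECTS.items():
        defined = set(re.findall(defn, cfg, re.M))
        missing += [(kind, n) for n in re.findall(ref, cfg, re.M) if n not in defined]
    return missing

def pool_overlaps_lan(cfg):
    """Return names of pools whose first..last range touches any interface subnet."""
    lans = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)$", cfg, re.M)]
    bad = []
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if any(lo <= n.broadcast_address and hi >= n.network_address for n in lans):
            bad.append(name)
    return bad
```

Feed it `show running-config` output instead of SAMPLE to check a live box before committing a change.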

iPad…Nuff said

Yup…did it. In fact I’m typing this on the new iPad specific WordPress app and I love it!!! The keyboard in landscape mode is very nice and I can type very quickly. I think it might drive some bad habits with all of the autocorrection and not capitalizing first letters, but I can get over that.

My first impression after unboxing was “this is a big iPhone”. After putting on some iPad specific apps, that made all the difference. The bigger format really is something special.

Now, anyone know if it would be possible to write a driver to allow a Bluetooth connection to the iogear bluetooth serial adapter? This would be great for data center work!!!

Cisco AnyConnect Essentials still crushing it

Seems my original post about the AnyConnect Essentials license is still quite popular. So why not capitalize on that! 🙂

The license does work as advertised. It’s a replacement for the IPSEC based client that Cisco seems to have stopped development on. I’ve been using it in numerous situations and it works great!

I just have a funny situation though where my client was exploring alternatives to Cisco. We got pricing for a couple of competitors including Sonicwall and Juniper and let me tell you…whoo-boy! I guess the others haven’t felt compelled to follow Cisco’s lead and they are still charging ridiculous sums for the SSL VPN clients. Of course there were howls of protest about how their clients did so much more and that if you wanted the same level of functionality you had to pay for Cisco’s full SSL VPN solution. All true, but who cares????

I want a simple client based SSL VPN to replace the IPSEC clients of old. I don’t need all the fancy clientless stuff. I suspect that’s true for a lot of customers. Cisco’s pricing strategy for the AnyConnect Essentials is smart not just because they don’t want to continue to develop the IPSEC client but because it drives business away from their competitors.

Cisco, your choice in focus these days mostly pisses me off but this is a real winner. A small bright spot in an otherwise dreary path you’ve taken. Now, if you could find a way to ship ASAs before the summer I’d be happy.

Sweeping the Mental Dust Bunnies Under the Rug