Step-by-step Guide to Installing Cisco Nexus 1000v in VMware Workstation on ESXi Virtual Hosts.

This is a work in progress. I have yet to add pictures. However, any feedback is welcome.

This instructable is based on a guide by Robert Burns.

1 Pre-Requisites

  • Download ESXi ISO from VMware and save to a directory accessible from your Workstation. This tutorial is using VMware-VMvisor-Installer-5.5.0.update02-2068190.x86_64.iso
  • Download vCenter Server Appliance OVA file and save to a directory accessible from your Workstation. This tutorial is using VMware-vCenter-Server-Appliance-5.5.0.10000-1624811_OVF10.ova
  • Download the Nexus 1000v software from Cisco.com and extract to a folder on your computer (this tutorial is using Nexus1000v.4.2.1.SV2.2.3)

2 Install ESXi Virtual Machines

Launch VMware workstation

File > New Virtual Machine…

Select Custom (advanced)

Click Next

Set Hardware compatibility to Workstation 10.0

Click Next

Choose Install from: Installer disc image file (iso):

Browse to the directory where you saved the ESXi ISO. It should state “VMware ESXi 5 detected”.

Click Next.

Name the new Virtual Machine (e.g. ESX01)

Specify the Location where you wish to save the virtual machine files

Click Next

Specify 2 Processors with 2 Cores per processor (you can select just one core if you cannot spare the resources).

Click Next

Set the memory as 6GB (6144 MB). This is required in case you want to test running both VSMs on the same ESX host. Specify less RAM if you do not have enough resources.

Click Next

Select “Use host-only networking” to create a LAN segment for all your VMs that is also accessible from your Workstation PC.

Click Next

Select SCSI Controller: LSI Logic (Recommended) I/O Controller Type

Click Next

Select SCSI (Recommended) disk type.

Click Next

Select “Create a new virtual disk”

Click Next

Leave the default allocation of 40 GB disk capacity and select Split virtual disk into multiple files. You can specify more disk space if you intend to install many VMs on the ESX local disk store.

Click Next.

Specify the name for the Disk File e.g. ESX01.vmdk

Click Next.

Click Finish.

NOTE: In previous attempts, I selected “Customize Hardware…” and added an additional 3 Network Adapters. However, these additional NICs were not recognised and so will be added later. YMMV.

Power on the virtual machine (if it doesn’t start automatically).

Press Enter to continue

Press F11 to accept and continue

Press Enter to continue

Use the arrow keys to highlight the correct keyboard layout, then press Enter to continue

Enter your password on each line ensuring they match, then press Enter to continue

Press F11 to install

Wait for it to install. My installation took extra long at 28%.

Press Enter to reboot.

Install completed.

Right-click ESX01 > Power > Shutdown Guest

Repeat to create ESX02, ESX03 and ESX04.

3 Install VMware vCenter Server Appliance

File > Open…

Browse to VMware-vCenter-Server-Appliance-5.5.0.10000-1624811_OVF10.ova and click Open

Click Import

After Install, right-click the VM and choose Settings

Change the Network Adapter from Bridged to Host Only and click OK

Power on the VCSA and wait until install is completed and you see this screen (note: install can take quite a while, as can each boot up of this appliance).

Open a browser to https://192.168.63.137:5480

username: root

password: vmware

Click Login.

Review the EULA (lol), tick “Accept license agreement” and click Next.

Wait for the VCSA to be happy (huh?)…

Specify “Configure with default settings” and click Next.

Review the configuration and click Start.

Be prepared for the “Configuring SSO” stage to take a very long time:

Wait until all four configuration items get green check marks, then click Close.

Have a poke around the VMware vCenter Server Appliance configuration GUI. Note that this is just the appliance admin GUI, not the vSphere Web Client GUI, which you will see next.

Use the link on the top right of the screen to Logout user root.

3.1 Configure VMware Datacenter

Connect to the vSphere Web GUI by browsing to https://192.168.63.137/vsphere-client

Login as root (password = vmware) – wait a while for login to complete

From the VMware vSphere Web Client Home page, go to vCenter > Hosts and Clusters > localhost > Create Datacenter.

Enter a name for the Datacenter e.g. Lab DC

Wait for the client to validate the input.

Go to Localhost > Lab DC > Create a Cluster

Specify the name for the cluster e.g. 1000v-Cluster

Go to Localhost > Lab DC > 1000v-Cluster > Add a host

Enter the IP address of your first ESXi host e.g. 192.168.63.133

Enter the username and password for the host.

Note the Security Alert (this can be ignored in a lab environment) and click Yes to connect to the host.

Review the Host Summary and click Next.

As we are using trial licenses, select (No License Key) and click Next

Do not enable lockdown mode. Click Next.

Review the final summary and click Finish.

Repeat to add ESX02 to 1000v-Cluster

Repeat to create a new Cluster named “vSwitch-Cluster” in the “Lab DC” datacentre and add ESX03 and ESX04 to it. Your vSphere Datacenter and its clusters should look something like this…

4 Install Nexus 1000v VSM

From the directory you unzipped the Nexus 1000v files to, go to the VSM\Installer_App directory and launch Nexus1000V-install_CNX.jar

Select Cisco Nexus 1000V Complete Installation and choose Custom (you may have to wait a few seconds once you have selected Custom)

Read all of the Pre-Requisites as it contains very useful information:

Click Next.

Enter the IP address of the VCSA appliance, leave the port as 443 and enter the username and password details.

Username: root

Password: vmware

Click Next.

Enter the details as shown above. If you only want to use a single Host for the primary and secondary VSM, you can enter the same host details twice. Choose Layer 2 connectivity mode and specify the Domain ID to something memorable e.g. 100. Leave all the Port Groups assigned to “VM Network”. You may wish to save this configuration before clicking Next as this will save a bit of time if you have to ever repeat this step. Once you are happy, click Next.

Review the details and click Next.

Wait for the install to complete. This could take a while.

Once completed, click Finish.

Next, select Virtual Ethernet Module Installation.

Review the pre-requisites and click Next.

Enter the vCenter Server credentials as before and click Next.

Enter the VSM credentials and click Next.

Select “Install VEM and add module to Nexus 1000v” and specify the management VLAN as 1.

Click Next.

Use the CTRL key to select both the hosts from the 1000v-Cluster and click Next.

Review the details and click Finish.

Review the final Summary page and click Close.

Log into https://192.168.63.137:9443/vsphere-client/#

Go to vCenter > Hosts and Clusters

Note that there will be an alarm against each of the hosts on which the Nexus 1000v VEM is installed stating that connection has been lost. This is a historical alarm and can be cleared (click on Reset to Green).

SSH into your VSM

Verify all modules are correctly installed by issuing the ‘show module’ command

Verify the high availability status of the active and standby VSMs by issuing the ‘show redundancy status’ command:

Let’s look at the networking for the Standard vSwitch Cluster.

Log into the Web Client and go to vCenter > Hosts and Clusters > localhost > Lab DC > vSwitch-Cluster. Select one of the hosts and go to the Networking > Virtual switches

Setting SSH on a Cisco IOS Router or Switch

conf t
! You must set a hostname unless you want to accept the default
hostname <insert router hostname>
! you must set a local user (unless you want to use RADIUS or TACACS which is not covered here)
username <insert username> privilege 15 secret <insert password>
! Optionally, you can specify an access list that will restrict where SSH connections can be established from
access-list 1 permit <insert network address e.g. 192.168.1.0> <insert inverse subnet mask e.g. 0.0.0.255>
! Optionally define your domain name
ip domain-name <insert domain name e.g. lab.local>
! You must generate keys for SSH to work
crypto key generate rsa

When prompted, enter a modulus, e.g. 1024

! Go to the line config
line vty 0 4
! Specify you are using local login
login local
! specify the only allowed connection method is SSH - this will disable telnet
transport input ssh
! Optionally specify the length of idle time before the session disconnects
exec-timeout 5
! Specify the access-list which will be used to restrict SSH access
access-class 1 in
! Optionally choose to use SSH version 2
ip ssh version 2
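
One way to check that a device actually ended up in the state this configuration aims for, as an added example that is not part of the original post. It assumes the input is `show running-config` text with sub-commands indented by one space and local login only (no AAA, as above); the function names and the sample config are constructed for illustration. It audits every `line vty` block, since many devices carry more vty lines than the `0 4` range configured here.

```python
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE = """\
hostname LAB-R1
username admin privilege 15 secret 5 $1$constructed$hash
ip domain-name lab.local
ip ssh version 2
access-list 1 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
!
"""

def vty_blocks(running_config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in running_config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def audit_ssh(running_config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top = [l.rstrip() for l in running_config.splitlines()
           if l.strip() and not l.startswith(" ")]
    if "ip ssh version 2" not in top:
        findings.append("global: 'ip ssh version 2' is not set")
    if not any(re.match(r"username \S+ .*\bsecret\b", l) for l in top):
        findings.append("global: no local username with a 'secret'")
    # Numbered ACLs (as used above) and named ACLs defined at top level.
    acls = {m.group(1) for l in top
            for m in [re.match(r"(?:access-list|ip access-list \w+) (\S+)", l)] if m}
    blocks = vty_blocks(running_config)
    if not blocks:
        findings.append("global: no 'line vty' block found")
    for header, cmds in blocks.items():
        transport = [c[len("transport input "):] for c in cmds
                     if c.startswith("transport input ")]
        if transport != ["ssh"]:
            allowed = transport[0] if transport else "platform default"
            findings.append(f"{header}: transport input is '{allowed}', not 'ssh'")
        if "login local" not in cmds:
            findings.append(f"{header}: 'login local' is not set")
        acl = [c.split()[1] for c in cmds if re.match(r"access-class \S+ in", c)]
        if not acl:
            findings.append(f"{header}: no inbound access-class")
        elif acl[0] not in acls:
            findings.append(f"{header}: access-class {acl[0]} is not defined")
        if any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in cmds):
            findings.append(f"{header}: exec-timeout 0 disables the idle timeout")
    return findings
```

Running `audit_ssh(SAMPLE)` reports nothing for `line vty 0 4` and three findings for `line vty 5 15`, which still accepts Telnet.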

Cisco IP Phone Network Loop [UNRESOLVED]

Problem
6509-E Edge switch runs 802.1X and PoE for Cisco IP Phones (7945G). If a user connects two wall jacks to the phone, it causes a network loop which affects everyone on that switch. I would like to know how to mitigate against this problem from a technical perspective. I know users can be educated but mistakes are bound to happen.

Details / Evidence
The edge switch runs 802.1X port security and IP phones so there are three vlans at play:
1111 Trusted VLAN (Authenticated users)
2222 Guest VLAN (Unauthenticated users)
3333 Voice VLAN

The edge switch runs BPDU Guard which was implemented to prevent this very scenario.

Logs are not available for the edge switch but the logs from the upstream switch are as follows:

Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1111 on Port-channel6 VLAN2222.
Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-BLOCK_PVID_PEER: Blocking Port-channel6 on VLAN1111. Inconsistent peer vlan.
Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-BLOCK_PVID_LOCAL: Blocking Port-channel6 on VLAN2222. Inconsistent local vlan.

Aug 2 10:54:09.898: %LINK-3-UPDOWN: Interface Vlan1111, changed state to down
Aug 2 10:54:09.902: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1111, changed state to down

Aug 2 10:54:36.629: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN1111. Port consistency restored.
Aug 2 10:54:36.633: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN2222. Port consistency restored.

Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1111 on Port-channel6 VLAN2222.
Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-BLOCK_PVID_PEER: Blocking Port-channel6 on VLAN1111. Inconsistent peer vlan.
Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-BLOCK_PVID_LOCAL: Blocking Port-channel6 on VLAN2222. Inconsistent local vlan.

Aug 2 11:13:03.980: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN1111. Port consistency restored.
Aug 2 11:13:03.980: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN2222. Port consistency restored.

Aug 2 11:13:34.272: %LINK-3-UPDOWN: Interface Vlan1111, changed state to up
Aug 2 11:13:34.280: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1111, changed state to up

Conclusions
This is unresolved so this is only conjecture at this point.

More to follow….
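
The upstream-switch log above can be reduced to how long each VLAN on Port-channel6 stayed blocked. This is an added example, not part of the original post; the function name is constructed, and the year is an assumption because the log lines carry none. It only measures the blocking windows and does not identify the cause.

```python
import re
from datetime import datetime

# SPANTREE lines copied from the upstream-switch log in the post above.
LOG = """\
Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1111 on Port-channel6 VLAN2222.
Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-BLOCK_PVID_PEER: Blocking Port-channel6 on VLAN1111. Inconsistent peer vlan.
Aug 2 10:54:09.634: %SPANTREE-SW1_SP-2-BLOCK_PVID_LOCAL: Blocking Port-channel6 on VLAN2222. Inconsistent local vlan.
Aug 2 10:54:36.629: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN1111. Port consistency restored.
Aug 2 10:54:36.633: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN2222. Port consistency restored.
Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1111 on Port-channel6 VLAN2222.
Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-BLOCK_PVID_PEER: Blocking Port-channel6 on VLAN1111. Inconsistent peer vlan.
Aug 2 10:54:41.707: %SPANTREE-SW1_SP-2-BLOCK_PVID_LOCAL: Blocking Port-channel6 on VLAN2222. Inconsistent local vlan.
Aug 2 11:13:03.980: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN1111. Port consistency restored.
Aug 2 11:13:03.980: %SPANTREE-SW1_SP-2-UNBLOCK_CONSIST_PORT: Unblocking Port-channel6 on VLAN2222. Port consistency restored.
"""

# timestamp, mnemonic, port and VLAN of a block/unblock message
EVENT = re.compile(
    r"^(\w{3} +\d+ [\d:.]+): %SPANTREE-(?:\S+-)?\d-(\w+): "
    r"(?:Blocking|Unblocking) (\S+) on VLAN(\d+)\.")

def blocking_windows(log_text, year=2000):
    """Pair BLOCK_PVID_* with UNBLOCK_CONSIST_PORT per (port, VLAN).

    Returns (port, vlan, start, end, seconds) tuples in the order the blocks
    clear; end and seconds are None for a block that never clears.
    `year` is assumed, only to build datetime objects.
    """
    open_blocks, windows = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # RECV_PVID_ERR, LINK, LINEPROTO and anything else
        stamp, mnemonic, port, vlan = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        key = (port, int(vlan))
        if mnemonic.startswith("BLOCK_PVID"):
            open_blocks.setdefault(key, when)  # keep the first block time
        elif mnemonic == "UNBLOCK_CONSIST_PORT" and key in open_blocks:
            start = open_blocks.pop(key)
            windows.append((*key, start, when, (when - start).total_seconds()))
    windows += [(*key, start, None, None) for key, start in open_blocks.items()]
    return windows

if __name__ == "__main__":
    for port, vlan, start, end, secs in blocking_windows(LOG):
        print(f"{port} VLAN{vlan}: blocked {start:%H:%M:%S} for {secs} s")
```

On the lines above, the first inconsistency clears after about 27 seconds and the second lasts a little over 18 minutes on both VLANs.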

Configuring an IBM Baseboard Management Controller (BMC)

From http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/index.jsp?topic=/rzahq/configurebmc.htm

These steps are required only for System x products that do not also have a Remote Supervisor II (RSA II) service processor installed.

Refer to worksheet item XSP1 in the iSCSI Network Planning Worksheets to determine which type of service processor is installed.
  1. From the main setup menu, highlight Advanced Setup using the up or down arrow keys and press Enter to select.
  2. Look for RSA II Settings.
    • If RSA II Settings exist, this indicates RSA II hardware is installed and the Baseboard Management Controller does not need to be configured. In this case, skip to the last step of this procedure.
    • If there are no RSA II Settings, RSA II hardware is not installed and you must continue with this procedure to configure the Baseboard Management Controller.
  3. Highlight Baseboard Management Controller (BMC) Settings using the up or down arrow keys and press Enter.
  4. Highlight BMC Network Configuration using the up or down arrow keys and press Enter to select.
  5. Highlight Static IP Address (worksheet item XSP4) using the up or down arrow keys and use the backspace key to position the cursor for entry of the IP address from the iSCSI Network Planning Worksheets.
  6. Highlight Subnet Mask (worksheet item XSP5) using the up or down arrow keys and use the backspace key to position the cursor for entry of the subnet mask from the iSCSI Network Planning Worksheets.
  7. Highlight Gateway (worksheet item XSP6) using the up or down arrow keys and use the backspace key to position the cursor for entry of the gateway address from the iSCSI Network Planning Worksheets.
  8. Highlight Save Network Settings in BMC using the up or down arrow keys and press Enter to select and perform the action. This will bring up the BMC Settings saved! screen.
  9. Press Enter to return to the Baseboard Management Controller (BMC) Settings menu.
  10. Highlight User Account Settings using the up or down arrow keys and press Enter.
  11. Highlight UserID 2 using the up or down arrow keys and press Enter.
  12. On the UserID 2 Account Settings screen, highlight UserID 2 using the up or down arrow keys and use the left or right arrow keys to change the value to Enabled.
  13. Highlight Username using the up or down arrow keys. Using the backspace key to position the cursor, fill in the field using the information from worksheet item XSP7 in the iSCSI Network Planning Worksheets.
  14. Highlight Password using the up or down arrow keys. Using the backspace key to position the cursor, fill in the field using the information from worksheet item XSP8 in the iSCSI Network Planning Worksheets.
  15. Highlight Confirm Password using the up or down arrow keys. Using the backspace key to position the cursor, fill in the same password as above.
  16. Highlight Privileged Limit using the up or down arrow keys and use the left or right arrow keys to change the value to Administrator.
  17. Highlight Save User Account Settings to BMC using the up or down arrow keys and press Enter.
  18. The BMC User Account Settings Saved! Screen will be displayed. Press Enter to return to the User Account Settings menu.
  19. Press Esc to return to the Baseboard Management Controller (BMC) Settings menu.
  20. Press Esc to return to the Advanced Setup menu.
  21. Press Esc to return to the main setup menu.

Ciscoworks Password recovery

How to recover (reset) admin password when locked out of Ciscoworks web GUI

The following has been clipped from http://www.techoh.com/2040-not-able-to-login-to-the-ciscoworks/

Problem: Sometimes you are unable to log in to CiscoWorks on the Windows platform.
Solutions: To fix this issue, recover the password using the steps below:

1) Log in to the OS as a privileged user, i.e. log in with “Root” as username on Solaris and “Administrator” as username on Windows.

2) Now, open the Command Prompt in Windows and run the command below:
C:\> net stop crmdmgtd
For other OS:
Solaris: # /etc/init.d/dmgtd stop
HP-UX: # /sbin/init.d/dmgtd stop
IBM AIX: # /etc/rc.dmgtd stop

3) Now, go to the file containing the admin password and rename the “cwpass” file to “cwpass.old”:
On Windows:
C:\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\servlet\cwpass
On Solaris:
/opt/CSCOpx/lib/classpath/com/cisco/nm/cmf/servlet/cwpass

4) Go to the original admin password file and copy the file:
On Windows:
C:\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\servlet\orig\cwpass
On Solaris:
/opt/CSCOpx/lib/classpath/com/cisco/nm/cmf/servlet/orig/cwpass

5) After copying, paste the file in the below path:
On Windows:
C:\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\servlet\cwpass
On Solaris:
/opt/CSCOpx/lib/classpath/com/cisco/nm/cmf/servlet/cwpass

6) Then restart all the daemon processes that you stopped in Step 2 using the commands below:
Windows: C:\> net start crmdmgtd
Solaris: # /etc/init.d/dmgtd start
HP-UX: # /sbin/init.d/dmgtd start
IBM AIX: # /etc/rc.dmgtd start

Now the administrator password has been reset to its factory default. Use the factory default password to log in, then change it.

Cisco WCS Password Recovery

Uh oh! You’ve locked yourself out of your Cisco Wireless Control Server because you’ve forgotten your password. Fear not! This is how you can perform a password recovery to gain access via the root account.

WCS Version 6.0.181.0

C:\Program Files\WCS6.0.181.0\bin>StopWCS

A separate pop-up will appear with the following text….

Stopping WCS
Health Monitor is stopped.
WCS is stopped.
Shutting down database server …
Database server successfully shutdown.
Apache server is stopped.
WCS successfully shutdown.

C:\Program Files\WCS6.0.181.0\bin>passwd root-user
Starting database server …
Database server is running.
Initializing…
Updating root password.
This may take a few minutes…
Successfully updated root user
Shutting down database server …
Database server successfully shutdown.

C:\Program Files\WCS6.0.181.0\bin>StartWCS

A separate pop-up will appear with the following text…

Starting WCS
WCS started successfully.

Close this dialogue and the command prompt. You should now have access to WCS via username root.

Cisco WLC: Installing a 3rd Party SSL Certificate for Web Admin

Many admins are happy to self-sign their SSL web admin page certificates but if you prefer that extra bit of assurance, or your Corporate Security Policy dictates they must be signed by your corporate Certificate Authority, this instruction is for you.

The following instructions are largely based on the following article:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

===Generate a CSR using OpenSSL===

1. Install OpenSSL from here:
http://downloads.sourceforge.net/project/gnuwin32/openssl/0.9.8h-1/openssl-0.9.8h-1-setup.exe?use_mirror=voxel

2. Open a command prompt and go to C:\openssl\bin and execute openssl.exe

C:\>cd openssl
C:\OpenSSL>cd bin
C:\OpenSSL\bin>openssl

3. Generate a 1024 bit CSR (For Web Auth, it must be 2048 if requiring an Extended Validation certificate)

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlcadmin-key.pem -out wlcadmin-csr.pem
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
………………+++
……………………………………………………….+++
writing new private key to 'wlcadmin-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Department
Common Name (eg, YOUR name) []:wlcadmin
Email Address []:email@address.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>

You will now have one csr file and one key file generated in the C:\openssl\bin directory:
wlcadmin-csr.pem
wlcadmin-key.pem

===Sign the CSR file using your Corporate CA===
At this point, we sent it to our Microsoft Certificate Services administrator who signed the certificate using the standard Web Server certificate template and returned a wlcadmin-signed.cer certificate file.

===Combine the signed certificate with the Private Key then Convert to a PEM File===
OpenSSL> pkcs12 -export -in wlcadmin-signed.cer -inkey wlcadmin-key.pem -out wlcadmin-signed.p12 -clcerts -passin pass:check123 -passout pass:check123
Loading 'screen' into random state - done
OpenSSL> pkcs12 -in wlcadmin-signed.p12 -out wlcadmin-final.pem -passin pass:check123 -passout pass:check123
MAC verified OK
OpenSSL>

===Upload Signed Certificate to wlcadmin===
Place certificate in a TFTP accessible location
Go to wlcadmin > Management > HTTP
On the HTTP Configuration page, check the Download SSL Certificate check box and complete the following fields:
Server IP Address = TFTP server IP address
Maximum Retries = 10
Timeout = 6
Certificate File Path = /
Certificate File Name = wlcadmin-final.cer
Certificate Password = check123 (this is the same as the -passout parameter in the final OpenSSL command)
Click Apply to commit your changes.
A pop up will appear saying “Are you sure you want to download Certificates from the specified Server?”. Click OK
At the bottom of the screen it says “File transfer operation started”
After a few seconds, it then says “File transfer operation completed successfully. For Certificates to take effect and SSL to work, you need to reboot system. Click Here to get redirected to reboot page”
To reboot the controller for your changes to take effect, choose Commands > Reboot > Reboot > Save and Reboot.
Now log in and verify the certificate is presented correctly!