Saturday, December 15, 2018

Simple NAT Rule for Cisco Router

1.    First off, you need to map out the following:
    a.    Your pool of NAT (outside) addresses.
    b.    The range of inside addresses that will be translated.
    c.    Your interface facing the inside of your network.
    d.    Your interface facing the outside, where the translated traffic leaves.
2.    Once you have the information, you create a scope for your inside network with an Access-List:
    a.    #access-list 1 permit 10.x.x.x 0.255.255.255
3.    Next you need to create your NAT pool (you can do this before or after your access list but it works the same):
    a.    #ip nat pool TESTPOOL 100.x.x.x 102.x.x.x netmask 255.255.255.0
4.    Now, you link your access-list to the NAT pool you just created. Traffic permitted by access-list 1 is translated to addresses drawn from this pool.
    a.    #ip nat inside source list 1 pool TESTPOOL
5.    Finally, you apply NAT to your inside and outside interfaces:
    a.    #interface TenGigabitEthernet1/0
        i.    #ip nat inside
    b.    #interface TenGigabitEthernet2/0
        i.    #ip nat outside
    c.    #end
6.    You have now mapped a group of inside addresses to a NAT pool facing the outside network, and marked which interfaces are the inside and outside of the translation.
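As an added example (not part of the original post), the following Python checks that the three pieces above fit together before they are typed into the router: it applies the access-list's wildcard mask the way IOS does, expands the pool against its netmask, and flags a pool that the inside access-list would itself permit. All addresses are constructed placeholders for the post's 10.x.x.x and 100.x.x.x values.

```python
import ipaddress

# Added example (not from the original post): sanity-check the inside
# access-list, the NAT pool, and the "ip nat inside source list ... pool ..."
# link before committing them. Addresses below are constructed placeholders.

def acl_matches(ip: str, network: str, wildcard: str) -> bool:
    """IOS standard ACL test: a bit set in the wildcard mask means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (ip_i & care) == (net_i & care)

def pool_addresses(start: str, end: str, netmask: str) -> list:
    """Expand 'ip nat pool NAME START END netmask MASK' into its addresses,
    rejecting a range whose end does not sit in the subnet the netmask describes."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    subnet = ipaddress.IPv4Network(f"{start}/{netmask}", strict=False)
    if last < first:
        raise ValueError("pool end precedes pool start")
    if last not in subnet:
        raise ValueError("pool end lies outside the subnet implied by the netmask")
    return [str(ipaddress.IPv4Address(a)) for a in range(int(first), int(last) + 1)]

def check_nat_plan(acl_net: str, acl_wc: str,
                   pool_start: str, pool_end: str, pool_mask: str) -> dict:
    """Return {'pool_size': n, 'problems': [...]}; an empty problems list means
    the access-list and the pool fit together."""
    try:
        pool = pool_addresses(pool_start, pool_end, pool_mask)
    except ValueError as exc:
        return {"pool_size": 0, "problems": [f"pool: {exc}"]}
    problems = []
    # The inside ACL must not also permit the pool's own addresses; otherwise
    # the translated range is itself selected for translation.
    overlap = [a for a in pool if acl_matches(a, acl_net, acl_wc)]
    if overlap:
        problems.append(
            f"access-list permits {len(overlap)} pool address(es), e.g. {overlap[0]}")
    # An all-ones wildcard turns the inside scope into "any source"; flag it.
    wc_bits = bin(int(ipaddress.IPv4Address(acl_wc))).count("1")
    if wc_bits == 32:
        problems.append("access-list wildcard 255.255.255.255 matches every source address")
    return {"pool_size": len(pool), "problems": problems}

if __name__ == "__main__":
    # Same shape as the post's example: inside 10.0.0.0/8, pool inside 100.64.0.0/24
    print(check_nat_plan("10.0.0.0", "0.255.255.255",
                         "100.64.0.1", "100.64.0.254", "255.255.255.0"))
```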


References: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html

Enable a Routable/Switched Virtual Interface (SVI) for a Layer 3 Switch

1.    First off, if it is a brand-new switch with no routing interfaces already on the device (usually straight out of the box), then you need to enable IP routing on the switch. This enables the switch to do routing on the device itself.
    a.    #configure terminal
    b.    #ip routing
2.    Now that routing is enabled, we can create our SVI (VLAN interface). This gives the VLAN a default gateway on the switch itself, allowing inter-VLAN routing within the switch and eliminating the need for a separate router between the switch and its VLANs.
    a.    #configure terminal
    b.    #interface vlan 100
    c.    #ip address X.X.X.1 255.255.255.0
    d.    #no shut (don’t forget this step, since an SVI can be shut down by default; check to be sure)
3.    Now you can test your traffic and ensure it passes through.


References: https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

Tuesday, December 11, 2018

NTP Settings Cisco Router and Switch

Show the current clock time:
o #show clock
Configure an NTP server:
o #ntp server IPAddressofNTPServer
Show the current NTP associations (configured servers/peers):
o #show ntp associations
Show the current NTP synchronization status:
o #show ntp status


Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swadmin.html

Managing Disk in Cisco HyperFlex

List Disks in the HX Cluster
    •    Log into the storage controller through the SSH CLI.
    •    To list the disks, use the following command:
        o    stcli disk list [-h] {--id ID | --ip NAME} [--rescan]
                Syntax Description:
                --id ID: ID of storage cluster node.
                --ip NAME: IP address of the storage cluster node.
                --rescan: Rescan disks.
        o    example: stcli disk list --ip YourStorageControllerIP --rescan

Adding a New Disk to the HX Cluster
    •    Log into the storage controller through the SSH CLI.
    •    Use the steps above to list the disks and select the ID/disk you wish to add.
    •    Once you have your disk, input the following syntax:
        o    stcli disk add [-h] {--id ID | --name NAME} --blacklisted-disk-ids [DISKIDS [DISKIDS ...]]
                Syntax Description:
                --id ID: ID of storage cluster node.
                --name NAME: Name of storage cluster node.
                --blacklisted-disk-ids [DISKIDS [DISKIDS ...]]: Blacklisted disks to add to the storage cluster. Separate multiple IDs with a space.
        o    example: stcli disk add --name HX1-TEST.TEST.ORG --blacklisted-disk-ids XXXXXXXXXXXXXXXXXXXXX

Reference:

Cisco HyperFlex Data Platform CLI Guide, 3.0: stcli disk Commands
https://www.cisco.com/c/en/us/td/docs/hyperconverged_systems/HyperFlex_HX_DataPlatformSoftware/CLIGuide/3_0/b_HyperFlexSystems_CLIReferenceGuide_3_0/b_HyperFlexSystems_CLIReferenceGuide_3_0_chapter_0110.html

Cisco HyperFlex Data Platform CLI Guide, 3.0: stcli datastore Commands
https://www.cisco.com/c/en/us/td/docs/hyperconverged_systems/HyperFlex_HX_DataPlatformSoftware/AdminGuide/3_0/b_HyperFlexSystems_AdministrationGuide_3_0/b_HyperFlexSystems_AdministrationGuide_3_0_chapter_01000.html


Thursday, November 29, 2018

Deleting Old Snapshots

1.    There are two ways to delete snapshots: you can delete individual ones you no longer need, or you can delete all snapshots.
2.    Select the VM you wish to edit and then go to the Snapshots tab in vSphere. From here, select the snapshot you wish to delete.


3.    Once you have selected the snapshot you wish to delete, open the All Actions menu and then select Delete Snapshot.


4.    On the popup, select Yes to confirm the deletion.


5.    Alternatively, you can delete all of the snapshots for the VM by going back to the All Actions menu.
6.    Select Delete All Snapshots to clear out and delete all the snapshots, consolidating all of them back into a single vmdk file.


7.    As before, just click Yes on the Confirm Delete popup to confirm the delete snapshot action.


Create Cisco HyperFlex Snapshot

1.    First, you can still take a VMware snapshot of VMs running in Cisco HyperFlex, but you lose the benefits of HyperFlex native snapshots, which:
    a.    Avoid errors with long chains of snapshots
    b.    Avoid errors when deleting snapshots
    c.    Also save on I/O penalties and disk consolidation time
2.    Cisco HyperFlex snapshots are similar to VMware snapshots in how you create them. When you go through the vSphere GUI, the only difference is selecting the HyperFlex API plugin instead of the VMware snapshot selection.
3.    Log into your vSphere system and navigate to the VM you wish to create your snapshot with.
4.    Once you are on your VM you wish to snapshot, right click on the VM and then hover over the Cisco HyperFlex Platform section, and then click Snapshot Now.


5.    Type in the name of your snapshot and a brief description of it (can describe the state, or status of the VM, or whatever you wish to have in here). Once you’re done, click on OK.


6.    You should now select the Snapshots tab in vSphere for your selected VM and verify the snapshot has been created.


Reference: https://www.cisco.com/c/en/us/td/docs/hyperconverged_systems/HyperFlex_HX_DataPlatformSoftware/AdminGuide/3_5/b_HyperFlexSystems_AdministrationGuide_3_5.pdf


Monday, November 26, 2018

VMware ESXi Hypervisor Free Edition Quick Specs

•    Cannot be integrated into vCenter for vSphere management.
•    Maximum of 2 physical CPUs only
•    Can support unlimited cores per physical CPU
•    Unlimited physical memory.
•    Limited to only 8 vCPUs per VM

Reference: https://www.vmware.com/products/vsphere-hypervisor.html

Take a VMware Snapshot

1.    First log into vSphere and locate the VM you wish to take a snapshot of.
2.    Once you are on the VM, right click on the VM, highlight Snapshots, then click on Take Snapshot.





3.    Next, fill in the following:
    a.    Type in a name for your Snapshot.
    b.    Then uncheck “Snapshot the virtual machine’s memory” (leave it checked only if you want to capture the exact running state of the machine, memory included).
    c.    Click OK


4.    Click on the VM to bring it up in vSphere and then go to the Snapshots tab.
5.    Verify your Snapshot is listed in the Snapshots menu.

Monday, November 19, 2018

Creating a New Datastore in Cisco HyperFlex Connect

1.    First log into your Cisco HyperFlex Connect.
2.    Once you have logged in, you will see your Dashboard and can check to make sure the cluster is healthy.





3.    Once you have verified your cluster is healthy, click on the Datastores tab under the MANAGE section on the left hand side.




4.    Now that you are in the Datastore section, you can click on Create Datastore in the top left corner of the Datastore section.


5.    After you click this, a pop-up box will come up and you can type in the information for your datastore you wish to create.
    o    Datastore Name: You can name your datastore whatever you wish. This will be the name that shows up here, and in your vCenter, or other virtual manager device.
    o    Size: Also simple, you can choose the size of your datastore. This is going to be based on your requirements and available storage.
    o    Block Size: Have not had to mess with this, and I will provide more information once I read more into this. I keep default for now.
    o    Create Datastore: Click here to complete and finish your datastore.


6.    You should see your datastore show up in the HyperFlex Connect datastore list.


7.    Also, you can head over to vSphere and check the datastores in there to verify it also shows up there.


8.    You are finished and can now start adding systems and data to the datastore.

Wednesday, November 7, 2018

Upgrading the Firmware and IOS for Cisco 4500X

1.    First verify your firmware and your IOS are loaded into the bootflash by executing the following:
    a.    #dir
2.    Once you have verified you have the proper files (if you do not, download the correct ones and follow my “Uploading IOS” guide), enter the following commands to keep the system from booting into the old IOS. This forces it to boot from the new firmware and IOS files:
    a.    #configure terminal
    b.    #no boot system flash bootflash:YourCurrentLoadedIOS
    c.    #exit
    d.    #write
3.    Next, set the config-register and set the device up to load and boot from the files we uploaded to flash:
    a.    #configure terminal
    b.    #boot system flash bootflash:YourFirmwareUpgradeFileName
    c.    #boot system flash bootflash:YourCiscoIOSFileName
    d.    #config-register 0x2102
    e.    #exit
    f.    #write
4.    Now you need to verify your boot parameters are correct and the system will boot up into your files you want to load:
    a.    #show bootvar
    b.    Look to make sure your BOOT variable is equal to the boot software you wish to boot. ENSURE you check this, because I have seen it load the files out of order or leave one out. Just verify.
5.    Next you just need to reload the Cisco device and it should start performing the upgrade. It will take up to 5-20 minutes.
    a.    #reload
    b.    Proceed with reload? Confirm
    c.    Note to self and others: sometimes these switches will get stuck and might need to be power cycled. Have a console cable ready in case troubleshooting is required to get it to boot back up.
6.    Once the switch has loaded up, verify your software has been upgraded with:
    a.    #show version
7.    Next, you need to reset your boot parameters to only load the new IOS and not the firmware file and change back the config-register for proper boot functionality and order:
    a.    #configure terminal
    b.    #no boot system flash bootflash:YourFirmwareFile
    c.    #config-register 0x0102
    d.    #exit
    e.    #write
8.    Finally, you can clean up the files on the system by using the delete command to remove the firmware file. If you have the space, and even though you backed up your IOS (you did back up your IOS, right?), you might still want to keep the old IOS on there in case you have issues.
    a.    #delete bootflash:YourFirmwareFileName
    b.    Delete filename? Confirm
9.    You have now completed the firmware and IOS upgrade for your system.
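Step 4 is where this procedure most often goes wrong. As an added example (not from the original post), the following Python parses the text of “show bootvar” and checks that the BOOT variable lists exactly the images you configured, in the order you configured them, and that the config-register matches. The sample outputs and file names are constructed placeholders, not real 4500X image names.

```python
import re

# Added example, not from the original post: verify the BOOT variable and
# config-register reported by "show bootvar" against the intended boot plan.
# File names and sample output below are constructed placeholders.

BOOT_RE = re.compile(r"^BOOT variable\s*=\s*(?P<entries>.*)$", re.MULTILINE)
REG_RE = re.compile(r"^Configuration register is (?P<reg>0x[0-9A-Fa-f]+)", re.MULTILINE)

def parse_bootvar(output: str) -> dict:
    """Extract the ordered boot image list and the config register."""
    boot = BOOT_RE.search(output)
    reg = REG_RE.search(output)
    images = []
    if boot:
        for entry in boot.group("entries").split(";"):
            entry = entry.strip()
            if not entry:
                continue
            # Each entry is "<device>:<file>,<count>"; keep just device:file.
            images.append(entry.rsplit(",", 1)[0])
    return {"images": images, "config_register": reg.group("reg") if reg else None}

def verify_boot_order(output: str, expected_images: list, expected_register: str) -> list:
    """Return a list of discrepancies; an empty list means the box will boot as planned."""
    parsed = parse_bootvar(output)
    problems = []
    if parsed["images"] != expected_images:
        missing = [i for i in expected_images if i not in parsed["images"]]
        extra = [i for i in parsed["images"] if i not in expected_images]
        if missing:
            problems.append(f"missing from BOOT: {missing}")
        if extra:
            problems.append(f"unexpected in BOOT: {extra}")
        if not missing and not extra:
            problems.append(f"BOOT order differs from plan: {parsed['images']}")
    if parsed["config_register"] is None:
        problems.append("config register not found in output")
    elif int(parsed["config_register"], 16) != int(expected_register, 16):
        problems.append(
            f"config register is {parsed['config_register']}, expected {expected_register}")
    return problems

# Constructed sample of what "show bootvar" prints after step 3 went well.
SAMPLE_OK = """BOOT variable = bootflash:FIRMWARE_UPGRADE_FILE,1;bootflash:NEW_IOS_FILE,1;
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x2102
"""

# Constructed sample of the failure the post warns about: the two images ended
# up in the wrong order, so the switch would boot the IOS before the firmware.
SAMPLE_SWAPPED = SAMPLE_OK.replace(
    "bootflash:FIRMWARE_UPGRADE_FILE,1;bootflash:NEW_IOS_FILE,1;",
    "bootflash:NEW_IOS_FILE,1;bootflash:FIRMWARE_UPGRADE_FILE,1;")

if __name__ == "__main__":
    plan = ["bootflash:FIRMWARE_UPGRADE_FILE", "bootflash:NEW_IOS_FILE"]
    print(verify_boot_order(SAMPLE_OK, plan, "0x2102"))       # []
    print(verify_boot_order(SAMPLE_SWAPPED, plan, "0x2102"))  # order problem
```

After step 7 the same check applies with the plan reduced to the single IOS image and the register value you set there.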

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_24829.html#96288

Uploading IOS to Cisco 4500 Device

1.    First, download the appropriate software for your Cisco device.
2.    Once you have the file downloaded, then copy the IOS to the correct folder where your TFTP will pull from.
3.    Now you are ready to upload the file to the bootflash (this is similar to other Cisco devices, but 4500Xs store it in the bootflash).
4.    Next, perform the following commands to perform the upload:
    a.    #copy tftp: bootflash:
    b.    Address or name of remote host? Input_Your_TFTP_IP
    c.    Destination filename? YouCanChangeOrLeaveDefault
    d.    Now wait for the upload to finish.
5.    After your upload has finished, you can now verify the upload has been completed and your file is showing:
    a.    #dir
   
Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_24829.html#96288

Backup Cisco IOS on 4500X

1.    First, log into the Cisco device you wish to upgrade.
2.    Perform the following command to verify which IOS version you are currently running:
    a.    #show version
    b.    Scroll up and look for the “System image file is” line, which will show something like “bootflash:cat4500….”, i.e. the image the device booted from flash.
3.    Depending on the version or type of switch, you can do either of the following commands to check the directory to verify how much space and what images are loaded on the Cisco system.
    a.    #dir
    b.    #dir flash:/
4.    Once you have found the IOS version you are running and the name of the image file in the directory, copy the current IOS to your TFTP server by typing in the following (again, this backs up the currently running IOS in case any issues arise with the new IOS; if there are, you can re-upload this file to the Cisco system and recover):
    a.    #copy flash tftp
    b.    Source filename []? YourCurrentRunningIOS
    c.    Address or name of remote host []? YourIPAddressOfSystemToSendIOS
    d.    Then wait for the copy to transfer to the backup destination.
    e.    Check the directory your TFTP server is set to write to in order to verify the IOS has been downloaded.

Reference:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_24829.html#96288

Thursday, November 1, 2018

Linux Firewall Tips

•    Disable firewalld (so it no longer starts at boot):
    o    >systemctl disable firewalld
•    Install the iptables-services package:
    o    >yum install iptables-services
•    Enable iptables:
    o    >systemctl enable iptables
    o    Now you can save the current iptables rules:
            >service iptables save
•    To stop the firewall:
    o    >systemctl stop firewalld
•    Check status of the firewall:
    o    >systemctl status firewalld
•    To start the firewall:
    o    >systemctl start firewalld
•    To enable the firewall:
    o    >systemctl enable firewalld

Friday, October 26, 2018

Cisco ASA 5515 VPN Tips

•    Show the VPN sessions currently on the system:
    o    #show vpn-sessiondb
•    If you have stale/standing connections on the system, you can use this command to force logoff of all sessions:
    o    #vpn-sessiondb logoff all
•    Show the management access configured in the running config (Telnet, HTTP/ASDM, SSH):
    o    #show run telnet
    o    #show run http
    o    #show run ssh
•    Show the user accounts defined on the ASA:
    o    #show run user
•    Show the SSH configuration on the system:
    o    #show running-config ssh

Thursday, October 25, 2018

Performing Ready Clone Option for Cisco HyperFlex through HyperFlex Connect

1.    First off, once you log in to the Cisco HyperFlex Connect system, you should see the Dashboard. You should first verify the Operational Status shows Online, the Resiliency Health is showing Healthy, and finally, Capacity is also green. This is just an overall basic check of the HyperFlex system.
2.    Now, you can click on the “Virtual Machines” tab in the bottom left of the screen:


3.    Next, you can click on the VM you wish to clone, then once it is checked, you can click on the “Ready Clones” tab in the top left.

4.    The next step has a lot going on, so here is a brief explanation; look at the screenshot for the full process/example.
    a.    First you will select the number of clones you wish to create in the “Number of clones” box.
    b.    Then, in the “Resource Pool” box, you will select the Resource Pool from your vSphere you wish to deploy to.
    c.    Next you type in a prefix name for the VMs in the “VM Name Prefix” box.
    d.    Next, put in the starting number you want at the end of the clones’ names in the “Starting clone number” box (for example, start at testvm1, or start at testvm50; up to you).
    e.    Next you can change the increment of the number if you wish. Usually the default of 1 is chosen.
    f.    Next, you can uncheck or check the “Use same name for Guest Name” box. I leave this checked since it simplifies your naming scheme, but you can uncheck and customize as you wish.
    g.    Now, getting close to the end here, you can preview your VMs going to deploy in the “Preview” pane.
    h.    Finally, you can choose wweather or not to power on the VMs immediately after they cloned, or uncheck the box to leave powered off. Then just hit the “Clone” button.


5.    Finally, you can verify the VMs have been created in the Resource Pool in your vSphere, or if you do not see them yet, can check and see they are being created in the “Tasks Pane” in your vSphere. Once you see them, you have your clones and are ready to go.

 

Adding Users to ASA for VPN Access

1.    Open the Cisco ASDM client.
2.    From the ASDM Home screen, click on the “Configuration” tab up in the top left corner.



3.    From here, click on “Remote Access VPN” tab.


4.    From this tab, navigate to “AAA/Local Users>Local Users”.

5.    Click on the “Add” button on the right side of the ASDM.


6.    For engineers, you can give “Full Access (ASDM, SSH, Telnet, Console)” and then assign privilege levels accordingly. For basic user VPN access, select the “No ASDM, SSH, Telnet or Console access” radio button.

7.    Once you have the profile done, click on the VPN Policy tab. This tab will allow you to give them the VPN access policy. Once in the VPN Policy tab, uncheck the checkbox next to “Group Policy, Inherit”, and then select “VPN-Test” on the drop down. This is all you need to do here for the profile.

8.    You can now see your newly created profile in the “Local Users” section in the ASA. Now you just need to click “Apply”. This sends the commands to the ASA that creates this profile and settings.

9.    A good rule of thumb I noticed is to navigate to a different tab on the left to ensure the Apply button greys out. This confirms it has been saved and is in the ASA config.

Configure DHCP Scopes in Server 2016

1.    From Server Manager, select DHCP from the Tools menu icon in the top right of the Server Manager screen.




2.    Expand the domain you wish to add scopes to. Once it is expanded, then expand the IPv4 section.

3.    Once expanded, identify and make sure your scope will not conflict with another. Once you have verified the scopes, right click on the IPv4 server icon and select New Scope.

4.    On the pop-up, select Next to continue with the scope creation.

5.    Next, you can type in the name of your scope, and then a good description of what the scope is for.

6.    On the next screen, type in your network range, we will use an 8.8.8.0 network for our testing. Type in the start of the network range, to the end of the network range you wish to work on. Next, put in your subnet masking for the network range.

7.    On the next screen, put in the addresses you do not want the DHCP scope to hand out. Say you have 20-30 servers on your network and you want to manually assign/reserve addresses for them; you can exclude a range of IPs this way. As in the example below, IPs 1-50 and 200-254 will not be issued.

8.    The next screen is your DHCP lease duration. Systems using DHCP hold their IP lease for this duration; here, addresses given out in this scope expire after 8 hours. After the 8 hour mark, systems will request to renew this lease or request another IP address altogether. This may require some tweaking and depends on the needs of your systems.


9.    The next screen you can select if you want to go ahead and configure basic options for the scopes. This includes default gateways, DNS servers, and WINS settings. We will select yes here.


10.    Next, is the Router address, or Default Gateway for the scope to go out of to talk to other networks. You can list multiple ones, or just one. List whatever your systems require. Click on add to add each one to the list, and then click Next to continue.

11.    On the next screen, you will put in your DNS settings. You can type in your domain, and also the DNS servers you want to be issued to the scope. Click next once you are done.

12.    Next, if you have WINS servers for converting NetBIOS names to IP addresses, you can list them here. For this test scope, we will not set this up, so just click next.

13.    Finally, you can choose whether to activate the scope now or keep it deactivated temporarily for an ASI window or when you are ready to move the relays/IP helpers in your Cisco/switching equipment.

14.    Finally, verify the scope shows up in your IPv4 scopes. You can right click to activate and deactivate it freely too if you are waiting to activate it.



Configure DHCP Failover for Windows Server 2016

1.    From Server Manager, click on the Tools menu in the top right corner, then click on DHCP to bring up the DHCP configuration console.


2.    From the DHCP console, expand your domain you wish to work on. After you expand your domain, right click on the scope you wish to configure failover for and click Configure Failover.


3.    On the pop-up, verify your scope is selected, then click Next.




4.    On the next screen, put in your secondary server on your network you want to failover to. The one requirement would be to already have DHCP service installed on the secondary server. Once you put in your secondary server (or select an existing server already configured with DHCP Failover settings), click on Next.

5.    On the failover configuration screen, you can verify your server information at the top, then you can start making configuration settings. After you are done with the following options, click Next.
    a.    Maximum Client Lead Time: This is kind of finicky. I have read it is recommended to keep the default: if you set it too low, performance problems will occur, and if you set it too high, it could delay or cause issues for failover.
    b.    Mode: This is just selecting whether you want Hot standby or Load balance. For this setup, we will select the Hot standby option.
        i.    Hot Standby Configuration, Role of Partner Server: Select Standby for the secondary server, or you can swap roles for it to be the Active server.
        ii.    Addresses reserved for standby server: This setting allots a percentage of addresses to the standby server so it has addresses available to issue during a failover.
    c.    State Switchover Interval: This is how long until the server will try switching back over, from what I understand. I will update accordingly after more testing.
    d.    Enable Message Authentication: This lets the two servers authenticate their synchronization traffic with a shared secret.


6.    Finally, verify your information on the last screen and click Finish.


7.    Verify the next pop-up has no errors. If there are errors, go back, troubleshoot, and reconfigure accordingly.


8.    Finally, you still need to verify the secondary server sees the failover options and has added the new scope. Navigate to the secondary server, open the DHCP configuration screen and you might have to do a refresh if you do not see the scope. Click on Action in the top menu on the left, then click on refresh to perform this action.


9.    Finally, you should see your new failover scope appear in the IPv4 drop down.