Friday, October 26, 2018

Cisco ASA 5515 VPN Tips

•    This shows the sessions currently on the system
    o    #show vpn-sessiondb
•    If you have static/standing connections on the system, you can use this command to force logoff all the sessions.
    o    #vpn-sessiondb logoff all
•    Show which management access methods (Telnet, HTTP/ASDM, SSH) are configured on the system:
    o    #show run telnet
    o    #show run http
    o    #show run ssh
•    Show user accounts listed on the ASA system
    o    #show run user
•    Show the SSH information configured in the system
    o    #show running-config ssh

Thursday, October 25, 2018

Performing Ready Clone Option for Cisco HyperFlex through HyperFlex Connect

1.    First off, once you log in to the Cisco HyperFlex Connect system, you should see the Dashboard. You should first verify the Operational Status shows Online, the Resiliency Health is showing Healthy, and finally, Capacity is also green. This is just an overall basic check of the HyperFlex system.
2.    Now, you can click on the “Virtual Machines” tab in the bottom left of the screen:


3.    Next, you can click on the VM you wish to clone, then once it is checked, you can click on the “Ready Clones” tab in the top left.

4.    The next step has several fields; here is a brief explanation of each, and the screenshot shows the full process/example.
    a.    First you will select the number of clones you wish to create in the “Number of clones” box.
    b.    Then, in the “Resource Pool” box, you will select the Resource Pool from your vSphere you wish to deploy to.
    c.    Next you type in a prefix name for the VMs in the “VM Name Prefix” box.
    d.    Next, in the “Starting clone number” box, enter the number you want appended to the first clone's name (for example testvm1, or you can start at testvm50; it is up to you).
    e.    Next you can change the increment of the number if you wish. Usually the default of 1 is chosen.
    f.    Next, you can uncheck or check the “Use same name for Guest Name” box. I leave this checked since it simplifies your naming scheme, but you can uncheck and customize as you wish.
    g.    Now, getting close to the end here, you can preview your VMs going to deploy in the “Preview” pane.
    h.    Finally, choose whether or not to power on the VMs immediately after they are cloned, or uncheck the box to leave them powered off. Then just hit the “Clone” button.


5.    Finally, verify the VMs have been created in the Resource Pool in your vSphere; if you do not see them yet, you can check the “Tasks Pane” in vSphere to see that they are being created. Once you see them, you have your clones and are ready to go.

 

Adding Users to ASA for VPN Access

1.    Open the Cisco ASDM client.
2.    From the ASDM Home screen, click on the “Configuration” tab up in the top left corner.



3.    From here, click on “Remote Access VPN” tab.


4.    From this tab, navigate to “AAA/Local Users>Local Users”.

5.    Click on the “Add” button on the right side of the ASDM.


6.    For engineers, you can give “Full Access(ASDM, SSH, Telnet, Console)” and then assign privilege levels accordingly. For basic user VPN access, select the “No ASDM, SSH, Telnet or Console access” radio button.

7.    Once you have the profile done, click on the VPN Policy tab. This tab will allow you to give them the VPN access policy. Once in the VPN Policy tab, uncheck the checkbox next to “Group Policy, Inherit”, and then select “VPN-Test” on the drop down. This is all you need to do here for the profile.

8.    You can now see your newly created profile in the “Local Users” section in the ASA. Now you just need to click “Apply”. This sends the commands to the ASA that creates this profile and settings.

9.    A good rule of thumb I noticed is to navigate to a different tab on the left and confirm that the Apply button greys out. This ensures the change has been saved and is in the ASA config.
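The privilege level and VPN policy choices in steps 6 and 7 (and the `show run user` output from the ASA tips above) can be audited from the running config instead of by clicking through ASDM. The following Python script is an added example and is not from this post: it parses the `username` lines and their `attributes` blocks as `show running-config username` prints them, then flags remote-access-only accounts that still carry privilege 15 or that have no explicit `vpn-group-policy`. The embedded config is constructed (masked hashes, made-up account names); `VPN-Test` is the group policy named in step 7.

```python
# Added example (not from the original post): audit ASA local users from the
# output of 'show running-config username'. The sample config is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output, not from a real device; password hashes are masked.
SAMPLE_CONFIG = """\
username admin password ***** encrypted privilege 15
username netops password ***** encrypted privilege 15
username netops attributes
 service-type admin
username vpnuser1 password ***** encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy VPN-Test
 service-type remote-access
username vpnuser2 password ***** encrypted privilege 0
username vpnuser2 attributes
 service-type remote-access
username olduser password ***** encrypted privilege 15
username olduser attributes
 vpn-group-policy VPN-Test
 service-type remote-access
"""

USER_RE = re.compile(r"^username (\S+) password ")
PRIV_RE = re.compile(r" privilege (\d+)\s*$")
ATTR_RE = re.compile(r"^username (\S+) attributes\s*$")


@dataclass
class AsaUser:
    name: str
    privilege: int = 2            # ASA default privilege level when none is printed
    group_policy: Optional[str] = None
    service_type: Optional[str] = None


def parse_users(config: str) -> Dict[str, AsaUser]:
    """Build a table of local users from the username lines and attribute blocks."""
    users: Dict[str, AsaUser] = {}
    current: Optional[AsaUser] = None
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            priv = PRIV_RE.search(line)
            users[m.group(1)] = AsaUser(m.group(1), int(priv.group(1)) if priv else 2)
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = users.setdefault(m.group(1), AsaUser(m.group(1)))
            continue
        # indented lines belong to the attributes block opened just above
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "vpn-group-policy":
                current.group_policy = value
            elif key == "service-type":
                current.service_type = value
    return users


def admins(users: Dict[str, AsaUser]) -> List[str]:
    """Accounts that hold full (privilege 15) rights."""
    return sorted(u.name for u in users.values() if u.privilege == 15)


def audit(users: Dict[str, AsaUser]) -> List[str]:
    """Flag VPN-only accounts that break the 'basic VPN user, no admin' rule."""
    findings: List[str] = []
    for u in users.values():
        if u.service_type == "remote-access" and u.privilege == 15:
            findings.append(f"{u.name}: remote-access-only account carries privilege 15")
        if u.service_type == "remote-access" and u.group_policy is None:
            findings.append(f"{u.name}: no explicit vpn-group-policy, will inherit the default")
    return sorted(findings)


if __name__ == "__main__":
    table = parse_users(SAMPLE_CONFIG)
    print("privilege 15 accounts:", ", ".join(admins(table)))
    for finding in audit(table):
        print("WARN:", finding)
```

Paste the real `show running-config username` output into `SAMPLE_CONFIG` (or read it from a file) and the two findings for the constructed data, `olduser` holding privilege 15 and `vpnuser2` inheriting a group policy, are the kind of drift that creeps in once accounts are created by hand in ASDM.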

Configure DHCP Scopes in Server 2016

1.    From Server Manager, select DHCP from the Tools menu icon in the top right of the Server Manager screen.




2.    Expand the domain you wish to add scopes to. Once it is expanded, expand the IPv4 section.

3.    Once expanded, identify and make sure your scope will not conflict with another. Once you have verified the scopes, right click on the IPv4 server icon and select New Scope.

4.    On the pop-up, click Next to continue with the scope creation.

5.    Next, you can type in the name of your scope, and then a good description of what the scope is for.

6.    On the next screen, type in your network range, we will use an 8.8.8.0 network for our testing. Type in the start of the network range, to the end of the network range you wish to work on. Next, put in your subnet masking for the network range.

7.    On the next screen, enter the addresses you do not want the DHCP scope to give out. Say you have 20-30 servers on your network and you want to manually assign/reserve addresses for them; you can block out a range of IPs this way. In the example below, IPs 1-50 and 200-254 will not be issued.

8.    The next screen is your DHCP lease duration. Systems using DHCP will hold their IP lease for this duration; the addresses given out in this scope will expire after 8 hours. At the 8 hour mark, systems will request a renewal of this lease or request another IP address altogether. This will require some tweaking and depends on the needs of your systems.


9.    The next screen you can select if you want to go ahead and configure basic options for the scopes. This includes default gateways, DNS servers, and WINS settings. We will select yes here.


10.    Next is the Router address, or Default Gateway, the scope will use to reach other networks. You can list multiple ones or just one; list whatever your systems require. Click Add to add each one to the list, and then click Next to continue.

11.    On the next screen, you will put in your DNS settings. You can type in your domain, and also the DNS servers you want to be issued to the scope. Click next once you are done.

12.    Next, if you have WINS servers for converting NetBIOS names to IP addresses, you can list them here. For this test scope, we will not set this up, so just click next.

13.    Finally, you can choose whether to activate the scope now or keep it deactivated temporarily, for an ASI window or until you are ready to move the relays/IP helpers in your Cisco/switching equipment.

14.    Finally, verify the scope shows up in your IPv4 scopes. You can also right click to activate and deactivate it freely if you are waiting to activate it.
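Step 3 says to make sure the new scope will not conflict with another one; that check, and the other mistakes the wizard will happily accept, can be done on paper before clicking through. The following Python script is an added example, not part of this post: it takes the same fields the wizard asks for (range, mask, exclusions, lease, router, DNS) and flags a range that crosses the subnet, an exclusion outside the range, a gateway left inside the hand-out pool, an overlap with an existing scope, and a network that is not an RFC 1918 private range. The 8.8.8.0 values mirror the test network above; the gateway 8.8.8.1, DNS server 8.8.8.10 and the existing 10.10.0.0/24 scope are assumed values.

```python
# Added example (not from the original post): sanity-check a DHCP scope plan
# before building it in the Server 2016 New Scope wizard.
import ipaddress
from typing import List, Sequence, Tuple

Addr = ipaddress.IPv4Address


class ScopePlan:
    """The fields the New Scope wizard asks for, in wizard order."""

    def __init__(self, name: str, start: str, end: str, mask: str,
                 exclusions: Sequence[Tuple[str, str]], lease_hours: float,
                 routers: Sequence[str], dns_servers: Sequence[str]):
        self.name = name
        self.start, self.end = Addr(start), Addr(end)
        # strict=False derives the subnet from a host address plus its mask
        self.network = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        self.exclusions = [(Addr(lo), Addr(hi)) for lo, hi in exclusions]
        self.lease_hours = lease_hours
        self.routers = [Addr(r) for r in routers]
        self.dns_servers = [Addr(d) for d in dns_servers]

    def is_excluded(self, addr: Addr) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def available_addresses(self) -> int:
        """Addresses the scope can actually lease (exclusions assumed disjoint)."""
        pool = int(self.end) - int(self.start) + 1
        excluded = sum(int(hi) - int(lo) + 1 for lo, hi in self.exclusions if lo <= hi)
        return pool - excluded


def validate(plan: ScopePlan, existing_scopes: Sequence[str]) -> List[str]:
    """Return the problems found; an empty list means the plan is safe to build."""
    problems: List[str] = []
    net = plan.network
    if plan.start > plan.end:
        problems.append("start address is after the end address")
    if plan.start not in net or plan.end not in net:
        problems.append(f"range {plan.start}-{plan.end} crosses the {net} boundary")
    if plan.start == net.network_address:
        problems.append("start is the network address")
    if plan.end == net.broadcast_address:
        problems.append("end is the broadcast address")
    for lo, hi in plan.exclusions:
        if lo > hi or lo < plan.start or hi > plan.end:
            problems.append(f"exclusion {lo}-{hi} is outside the scope range")
    for r in plan.routers:
        if r not in net:
            problems.append(f"router {r} is not in {net}")
        elif plan.start <= r <= plan.end and not plan.is_excluded(r):
            problems.append(f"router {r} sits inside the hand-out pool; exclude or reserve it")
    for cidr in existing_scopes:
        other = ipaddress.IPv4Network(cidr)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing scope {other}")
    if not net.is_private:
        problems.append(f"{net} is not an RFC 1918 private range")
    if plan.lease_hours <= 0:
        problems.append("lease duration must be positive")
    return problems


# Constructed plan mirroring the post's test scope (8.8.8.0/24, exclusions
# .1-.50 and .200-.254, 8 hour lease); gateway, DNS and the existing scope are assumed.
TEST_PLAN = ScopePlan(
    name="Test Scope", start="8.8.8.1", end="8.8.8.254", mask="255.255.255.0",
    exclusions=[("8.8.8.1", "8.8.8.50"), ("8.8.8.200", "8.8.8.254")],
    lease_hours=8, routers=["8.8.8.1"], dns_servers=["8.8.8.10"],
)
EXISTING_SCOPES = ["10.10.0.0/24"]

if __name__ == "__main__":
    print(TEST_PLAN.available_addresses(), "addresses available to lease")
    for problem in validate(TEST_PLAN, EXISTING_SCOPES):
        print("WARN:", problem)
```

For the test scope the only warning is the last check: 8.8.8.0/24 is a publicly routed block, so a lab scope built on it would steer clients' traffic for those addresses (including the public DNS resolver at 8.8.8.8) onto the LAN; a private range avoids that.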



Configure DHCP Failover for Windows Server 2016

1.    From Server Manager, click on the Tools menu in the top right corner, then click on DHCP to bring up the DHCP configuration console.


2.    From the DHCP console, expand your domain you wish to work on. After you expand your domain, right click on the scope you wish to configure failover for and click Configure Failover.


3.    On the pop-up, verify your scope is selected, then click Next.




4.    On the next screen, put in your secondary server on your network you want to failover to. The one requirement would be to already have DHCP service installed on the secondary server. Once you put in your secondary server (or select an existing server already configured with DHCP Failover settings), click on Next.

5.    On the failover configuration screen, you can verify your server information at the top, then you can start making configuration settings. After you are done with the following options, click Next.
    a.    Maximum Client Lead Time: This is kind of finicky. I have read it is recommended to keep the default: if you set it too low, performance problems will occur, and if you set it too high, it could delay or cause issues for failover.
    b.    Mode: This is just selecting whether you want Hot standby or load balancing. For this setup, we will select the Hot standby option.
        i.    Hot Standby Configuration Role of Partner Server: Select Standby for the secondary server, or you can swap roles for it to be the Active server.
        ii.    Addresses reserved for standby server: This setting allots a percentage of addresses for the standby server so it has addresses available during a failover to issue out.
    c.    State Switchover Interval: This is how long until the server will try switching back over from what I understand. I will update accordingly after more testing.
    d.    Enable Message Authentication: This is the ability to use a Shared Secret for the servers to sync together.


6.    Finally, verify your information on the last screen and click Finish.


7.    Verify the next pop-up has no errors. If there are errors, go back, troubleshoot and reconfigure accordingly.


8.    Finally, you still need to verify the secondary server sees the failover options and has added the new scope. Navigate to the secondary server, open the DHCP configuration screen and you might have to do a refresh if you do not see the scope. Click on Action in the top menu on the left, then click on refresh to perform this action.


9.    Finally, you should see your new failover scope pop-up in the new IPv4 drop down.

Wednesday, October 24, 2018

Configuring LACP EtherChannel on Cisco Switches

1.    First, identify which two interfaces on both devices you will be binding together. In our example we will use TenGigabit 5 and 6 on a Cisco 4500 and Ethernet 7 and 8 on a Nexus 5K.
2.    Once you identified your ports you wish to link together, then you can log into each of the switches you will be working on.
3.    Once you are logged in, first shut down the interfaces you wish to connect. This is Cisco best practice since EtherChannel can cause spanning tree loops if done incorrectly.
    a.    4500 Switch Commands
        i.    #conf t
        ii.    #int range tenGigabit 1/5-6
        iii.    #shut
    b.    Nexus 5K Commands
        i.    #conf t
        ii.    #int ethernet 1/7-8
        iii.    #shut
4.    Now that the interfaces are shut down, we can continue with the configuration. First, we will do the Nexus 5K:
    a.    #conf t (if not already there)
    b.    #int port-channel 11 (the port-channel number must match the channel-group number used below)
    c.    #description TEST-EtherChannel
    d.    #exit
    e.    #int Ethernet 1/7-8
    f.    #switchport mode trunk
    g.    #(optional) switchport trunk allowed vlan vlan-number
    h.    #channel-group 11 mode active (it will attach to a port channel if one is already created and matching; if no port channel has been created previously, it will create one for you)
    i.    #exit
5.    Next, we will set up the same thing on the Catalyst 4500X. Here, we will jump straight to the interfaces and set up the port-channel directly from the interface range:
    a.    #conf t
    b.    #int range TenGigabit 1/5-6
    c.    #description test-EtherChannel
    d.    #switchport mode trunk
    e.    #channel-group 11 mode active
6.    Your Cisco switches now should be configured and ready to start linking. The last step is to turn on the interfaces. Remember, we shut them down first in order to protect the systems from spanning tree loops. This is especially true when you use the hard coding EtherChannel, but we shut them down anyways for Cisco best practice. Now go into each Cisco switch, select the interfaces in the EtherChannel again, and then turn on the interfaces. The following are the steps:
    a.    Cisco 4500X Example
        i.    #conf t
        ii.    #int range TenGig 1/5-6
        iii.    #no shut
    b.    Cisco Nexus 5K
        i.    #conf t
        ii.    #int Ethernet 1/7-8
        iii.    #no shut
7.    As you may have noticed, on the Cisco Nexus you do not have to use range to select multiple interfaces; you can just select them. With the Catalyst, you must use int range in order to select them.
8.    You should start seeing the connections come up. You can do the following to see the status:
    a.    Cisco Nexus 5K: #show interface status (and #show port-channel summary to confirm the members bundled into port-channel 11)
    b.    Cisco Catalyst 4500X: #show interfaces status (and #show etherchannel summary to confirm the bundle)
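The two command sets above differ only in how the platforms select interfaces and create the port-channel, and a bundle only comes up if the two ends agree. The following Python script is an added example, not from this post or from Cisco: it emits the command sequence for each end in the order the steps prescribe (shut, configure, no shut) and cross-checks the pair before you issue `no shut`. The LACP rule it encodes is standard: a bundle forms only when at least one end runs `mode active` (two `passive` ends never negotiate), and static `mode on` only pairs with `on`. The interface names and channel number 11 come from the post; the allowed VLAN list 10,20 is an assumed value.

```python
# Added example (not from the original post): render both ends of the
# EtherChannel described above and check that they will actually negotiate.
from typing import Dict, List, Optional


def lacp_will_bundle(mode_a: str, mode_b: str) -> bool:
    """LACP forms a bundle only if at least one end is 'active'; static 'on'
    must be 'on' at both ends and never negotiates with an LACP end."""
    a, b = mode_a.lower(), mode_b.lower()
    if "on" in (a, b):
        return a == b
    if not {a, b} <= {"active", "passive"}:
        raise ValueError(f"unknown channel-group mode: {mode_a}/{mode_b}")
    return "active" in (a, b)


def etherchannel_config(platform: str, members: str, channel: int, mode: str,
                        description: str, allowed_vlans: Optional[str] = None) -> List[str]:
    """Command sequence for one end. 'catalyst' needs 'interface range' to
    select several ports; 'nexus' takes the range directly (step 7 above) and
    gets the port-channel created explicitly first (step 4). Members are shut
    before any channel config and re-enabled only at the end (steps 3 and 6)."""
    if platform == "catalyst":
        select = f"interface range {members}"
    elif platform == "nexus":
        select = f"interface {members}"
    else:
        raise ValueError(f"unknown platform: {platform}")
    lines = ["configure terminal"]
    if platform == "nexus":
        lines += [f"interface port-channel {channel}", f" description {description}", "exit"]
    lines += [select, " shutdown"]
    if platform == "catalyst":
        lines.append(f" description {description}")
    lines.append(" switchport mode trunk")
    if allowed_vlans:
        lines.append(f" switchport trunk allowed vlan {allowed_vlans}")
    lines += [f" channel-group {channel} mode {mode}", " no shutdown", "end"]
    return lines


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Cross-check the two ends before issuing 'no shutdown' on either."""
    problems: List[str] = []
    if not lacp_will_bundle(a["mode"], b["mode"]):
        problems.append(f"modes {a['mode']}/{b['mode']} will never form a bundle")
    if a.get("allowed_vlans") != b.get("allowed_vlans"):
        problems.append("trunk allowed VLAN lists differ between the two ends")
    return problems


def render(side: Dict[str, str], channel: int = 11,
           description: str = "TEST-EtherChannel") -> str:
    return "\n".join(etherchannel_config(side["platform"], side["members"], channel,
                                         side["mode"], description, side.get("allowed_vlans")))


# Constructed example matching the post: Te1/5-6 on the 4500X, Eth1/7-8 on the 5K.
# The allowed VLAN list is an assumed value.
CATALYST = {"platform": "catalyst", "members": "TenGigabitEthernet 1/5-6",
            "mode": "active", "allowed_vlans": "10,20"}
NEXUS = {"platform": "nexus", "members": "Ethernet 1/7-8",
         "mode": "active", "allowed_vlans": "10,20"}

if __name__ == "__main__":
    for problem in check_pair(CATALYST, NEXUS):
        print("WARN:", problem)
    print(render(CATALYST), "", render(NEXUS), sep="\n")
```

Run it with one side switched to `passive` and `check_pair` reports the mismatch; that is the case where both ends look configured, the ports come up, and `show etherchannel summary` still never shows the members bundled.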
   
References:

Cisco Nexus 5K
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5500/sw/interfaces/6x/b_5500_Interfaces_Config_Guide_Release_6x/b_5500_Interfaces_Config_Guide_Release_602N12_chapter_011.html

Cisco Catalyst 4500X
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/3-1-1SG/configuration/guide/config/channel.pdf

Configure MOTD Banner in Cisco Systems

1.    First, you log onto the device.
2.    Escalate to configuration mode with the configure terminal command:
    a.    #conf t (or you can spell it out completely)
3.    Next, enter the following to start the banner editing:
    a.    #banner motd # (the pound sign can be any delimiter, but it is not recommended to use “ or % because white space won’t work.)
    b.    Next, the cursor should go to a new line and you can copy and paste in your banner, or type in a new one.
    c.    After your banner is there, you can hit enter a few more times for a line or two of space, but then you close your banner using the same delimiter you used before, which for us is the pound sign #.
4.    You can copy run to start config to save your changes, or the write option.
5.    Finally, log out and log back into the system to verify your banner satisfies your requirements.
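The one thing step 3 leaves implicit is that the device ends the banner at the first occurrence of the delimiter, so a banner whose text contains that character is silently cut short and the legal notice never reaches the login prompt in full. The following Python helper is an added example, not part of this post: it checks a delimiter against the banner text (single non-space character, not the “ or % the post warns about, and absent from the text), picks a safe one when the default # is unusable, and renders the complete command block to paste into config mode. The banner wording is constructed.

```python
# Added example (not from the original post): build the 'banner motd' block and
# make sure the chosen delimiter cannot truncate the banner on the device.
CANDIDATE_DELIMITERS = "#^~@$!"


def delimiter_is_safe(text: str, delimiter: str) -> bool:
    """A delimiter must be one non-space character, not one of the two the post
    warns about, and must not occur inside the banner text itself."""
    return (len(delimiter) == 1 and not delimiter.isspace()
            and delimiter not in '"%' and delimiter not in text)


def choose_delimiter(text: str) -> str:
    """First candidate character that does not appear in the banner text."""
    for ch in CANDIDATE_DELIMITERS:
        if delimiter_is_safe(text, ch):
            return ch
    raise ValueError("every candidate delimiter occurs in the banner text")


def build_banner_motd(text: str, delimiter: str = "#") -> str:
    """Return the full 'banner motd' command block, opening and closing delimiter included."""
    if not delimiter_is_safe(text, delimiter):
        raise ValueError(f"delimiter {delimiter!r} is unsafe for this banner text")
    return f"banner motd {delimiter}\n{text.strip()}\n{delimiter}"


# Constructed banner text for the example.
BANNER = ("UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.\n"
          "All sessions are monitored and logged.")

if __name__ == "__main__":
    print(build_banner_motd(BANNER, choose_delimiter(BANNER)))
```

After pasting the block and saving (step 4), logging back in (step 5) should show every line of the banner; if the last lines are missing, the delimiter was inside the text.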


Reference: https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/banner-motd.html

Tuesday, October 23, 2018

Changing/Adding DHCP Relay Nexus 5K

1.    First, you want to verify the DHCP relays in the Nexus 5K with the following command:
    a.    #show ip dhcp relay
2.    Note the current relay addresses configured on each interface.
3.    Escalate up to configuration terminal. Then select the interface/VLAN interface you wish to change the DHCP relay address for:
    a.    #conf t
    b.    #int vlan xxx

4.    Now you have the VLAN/interface selected. If the interface already has a DHCP relay, first, remove the old relay address with the no command:
    a.    #no ip dhcp relay address x.x.x.x
5.    Next, you can add the new DHCP relay address to the interface/VLAN:
    a.    #ip dhcp relay address x.x.x.x
6.    Finally, test your device to verify the systems on the network are receiving IPs.

Friday, October 12, 2018

PowerCLI Mass VM Port Group Change

1.    First off, you will have to declare your variables once you are logged into the vCenter server. You do this as follows:
    a.    Declare your cluster variable with: $Cluster = "TestCluster"
    b.    Declare your old network with: $OldNetwork = "TestPG"
    c.    Finally, set the variable for the new network with: $NewNetwork = "NewTestPG"

2.    Now that your variables are set, you can use them in the following pipeline:
    a.    Get-Cluster $Cluster | Get-VM | Get-NetworkAdapter | Where {$_.NetworkName -eq $OldNetwork} | Set-NetworkAdapter -NetworkName $NewNetwork -Confirm:$false

3.    That is for clusters; if you just want to do all your VMs, you can do the following:
    a.    Declare your variables:
        i.    Set your variable for the old PortGroup: $OldNetwork = "TestPG"
        ii.    Set the variable for the new PortGroup: $NewNetwork = "NewTestPG"

4.    Now that you have set your variables for your port groups, you can go ahead and execute your script with the declared variables:
    a.    Get-VM | Get-NetworkAdapter | Where {$_.NetworkName -eq $OldNetwork} | Set-NetworkAdapter -NetworkName $NewNetwork -Confirm:$false

5.    You should see the process go through in the PowerCLI area and also you should see it in vCenter.

Creating Local User Accounts in vSphere

1.    Log into your vSphere environment you wish to add a user to.
2.    Once you are logged in, click on the home icon in the top left of the screen and click on “Administration”



3.    From the “Administration Navigator”, click on “Users and Groups” under the “Single Sign-On” section. Once here, click on the green arrow for “New User”.

4.    On the “New User” pop-up, fill in all of the information required. The main sections required are of course the username and the password. Username, password, First name, and last name are recommended (my personal recommendations). A description is excellent to put in if the account is used for special purposes. Finally, click on once you are done.

5.    Finally, verify your new account pops up in the list in order to verify the account is usable.

Thursday, October 4, 2018

Palo Alto Graceful Shutdown

Via GUI:

•    Click on Device tab > Setup link > Operations tab
•    Click on shutdown device under device operations on the right hand side
•    Click Yes on the confirmation pop-up
•    Wait a few minutes for the process to complete.

Via CLI

•    Issue the command: “request shutdown system”
    o    >request shutdown system
    o    Warning: executing this command will leave the system in a shutdown state. Power must be removed and reapplied for the system to restart. Do you want to continue? (y or n) y
•    Wait until “System Halted” is displayed on the console.