Monday, March 7, 2011

Repurposing an old Cisco PIX to provide secure public WiFi on a corporate LAN

I am in the planning stages of a fun little project, whereby the client's goal is to provide secure wireless access to guests over an ADSL link dedicated to this purpose.  Simple enough, but this traffic will travel over the same edge-to-core switches that carry business traffic, so we will have to set up some VLANs to keep the two apart.

This client recently retired their ageing PIX firewall and replaced it with new Cisco ASAs.  So instead of chucking the PIX we will press it into service as the secure gateway / firewall for the public ADSL Internet breakout.

The PIX in this case has two physical interfaces named ethernet0 and ethernet1.  ethernet0 will be connected to the ADSL and ethernet1 to the LAN.  ethernet1 will carry a tagged guest VLAN, and the switch ports to which the guest APs connect will be configured to do the appropriate VLAN tagging, so guest frames never land in the corporate VLAN.

Here is how to configure the PIX:

  interface ethernet0 auto
  interface ethernet1 auto
  interface ethernet1 vlan1 physical
  interface ethernet1 vlan10 logical
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  nameif vlan10 guest_wifi security10

Most client devices nowadays expect DHCP, and since guests must never logically touch the corporate network (and its DHCP servers), we'll have to make do with running DHCP off the PIX itself:

  ip address guest_wifi <guest subnet address> <netmask>
  dhcpd address <pool start>-<pool end> guest_wifi
  dhcpd dns <your ISP's DNS server>
  dhcpd lease 3600
  dhcpd ping_timeout 50
  dhcpd enable guest_wifi

And that should work rather brilliantly – I will know for sure in about a week's time when I implement it.
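As an added worked example (not the post's own configuration), here is the complete PIX 6.3 config that the two fragments above sketch, including the addressing, NAT and access-list lines a guest breakout also needs before traffic will flow. All addresses, the DHCP pool and the ACL name guest_in are constructed assumptions.

```text
: Added example in PIX 6.3 syntax; not the post's config.
: All addresses below are constructed (RFC 5737 / RFC 1918 ranges).
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 guest_wifi security10
: Assumed addressing: ADSL router is 203.0.113.1, corporate LAN is
: 10.0.0.0/8, the guest VLAN gets 192.168.10.0/24.
ip address outside 203.0.113.2 255.255.255.252
ip address inside 10.1.1.2 255.255.255.0
ip address guest_wifi 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
: DHCP for guests; the pool must lie inside the guest_wifi subnet.
dhcpd address 192.168.10.10-192.168.10.200 guest_wifi
dhcpd dns 198.51.100.53
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable guest_wifi
: Guests need PAT to reach the Internet; with nat-control (the PIX 6.x
: default) their traffic is dropped otherwise, even towards outside.
nat (guest_wifi) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
: Security levels already block guest_wifi (10) -> inside (100), but an
: explicit, logged deny of RFC 1918 space keeps the isolation visible and
: survives a later permissive static or a change to the inside level.
access-list guest_in permit udp any any eq 67
access-list guest_in deny ip any 10.0.0.0 255.0.0.0 log
access-list guest_in deny ip any 172.16.0.0 255.240.0.0 log
access-list guest_in deny ip any 192.168.0.0 255.255.0.0 log
access-list guest_in permit ip any any
access-group guest_in in interface guest_wifi
```

The DHCP permit sits above the denies so that guest lease requests still reach the PIX; everything else bound for private address space is dropped and logged.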

Friday, March 4, 2011

Creating a Hyper-V Cluster after the fact, or, how to preserve and add existing VMs to a Cluster.

I was faced with an interesting challenge recently. A client was running two standalone Hyper-V hosts with about 4 VMs each, running on a Storage Area Network (SAN).  I had installed the SAN previously to provide increased IO performance for their SCADA (Citect, for those taking notes) system.

This was essentially a very effective proof of concept as far as the client was concerned and they wished to take advantage of the more advanced features offered by Clustered Hyper-V (stuff like live migration etc.).

This posed a challenge, because we needed to convert the LUNs occupied by the VMs to highly available Cluster Shared Volumes (CSVs).  In Hyper-V, a VM needs to be hosted on a CSV in order to be made highly available.  So off I went trying to figure out a non-disruptive way to convert all my LUNs to CSVs without losing any data.  This is what I came up with.

  1. Shut down your VM(s)
  2. Open Disk Management on your Hyper-V host and remove the drive letter from the LUN hosting the VM
  3. Open Failover Cluster Manager (FCM) –> Storage –> Add Disk –> Select the disk from Step 2 –> Click OK
  4. Still in FCM - Go to Cluster Shared Volumes - Add Storage – select the disk you added in Step 3
  5. Open Hyper-V Manager on the same host (notice the VM status is critical because you removed the drive letter).  Remove the VM
  6. Create a new VM, opting to store it under the %systemdrive%\ClusterStorage folder which was created automatically when you performed Step 4.  VERY IMPORTANT – Do not add any disks to the VM!
  7. Right-click the VM you created in Step 6 and choose Edit Settings.  Add the original VM's disks (the boot drive must be added to IDE controller 0).  The existing VHDs will be found under %systemdrive%\ClusterStorage
  8. Open FCM – Go to Services and Applications – in the Action pane select Configure a Service or Application –> select Virtual Machine –> Check the VM created in Step 6 –> Complete the Wizard
  9. Ensure that the VM is connected to the correct virtual network in Hyper-V Manager
  10. Because the new VM has a new NIC, you will have to re-specify the IP address inside the VM once it has started up

Rinse and repeat for all existing VMs you want to make highly available.  The Microsoft way would be to export the VMs and import them again.  Nothing wrong with that, apart from the fact that it takes a lot of time and storage to do, depending on the size of the VM.  My way is quick and easy and it works!